Topic: Breaking: Shuffle-based Provably Fair Implementations Can Cheat Players (proof) (Read 4659 times)

i doubt bitzino cheats on their BJ, i played it constantly while at the same time playing live $1-3 NL on the riverboats here in shreveport. once, i turned $23 into $1200 over a few weeks. i liked the option to bet microscopic bets and martingale endlessly since u could bet 1 1 millionth of a bitcoin.

this morning, bitzino closed without notice, i would love to know why. no matter how much i search google this morning, i cannot find the reason for the closure. luckily i was able to withdraw my balance. its in coinbase now.

so--where else can those of us in Trump's USA play for microscopic units in BJ? for say like 1c or less worth of bitcoin instead of the min $1 bets on nonbitcoin sites? 15 millionths of a bitcoin was worth close to 1cent.

256 bits modulo 52 cards. Forget about the bias, let players gamble on it....

I also had this crazy idea of using 64k decks. Then let the player decide which deck to use. (This is for the poker game.) Reveal the order of all the other 65535 decks but keep secret the one deck. For poker purposes (because you're not supposed to reveal cards which are face down that others can not see.

If that is too much, just use any other power of 2 number of decks. 2, 4, 8, 16, ... 128, 256. I mean, there is a 1/256 chance that the house is going to rig your game, but you have a 254/256 chance of being fair, or something along those lines. So the house will simply not bother.

is that means in case of the possible output amount, not the power of 2, will be possibly tampered by adding special secret script? i mean, in a nutshell, the equivalent result can be shuffled again by order to manipulate the fairness, like 999dice?

regarding video poker

normal slot is different and maybe therefore easier as you are saying. video poker cause of the hold option a player could use an optimal strat. video poker is a 52 cards one deck game

yes I agree and would like to know what OP is thinking and if he has the solution

thx again

Yeh, with more decks it becomes a bit more difficult. For 8 decks I guess you will get something like this: card numbers will be 0-415, use 3 characters instead from final seed (= 0-65535), convert to number, then use the number if the number is 0-65311 (so skip 65312 and higher), with that number do a modulo of 416 so you will get a result of 0-415 = 1 card out of 8 decks. Again, if you got number already previously - skip it.

Video poker is like a slot reel where each reel is 52 cards, right? So I think that would be the same, but doesn't need the "check if double" thing because each reel can have exact same number than previous. After someone uses the "hold" option, it will use the 6th number, 7th, etc.

Normal slot reel is even easier, because it can just use 1 character instead of 2/3 (when you don't have more than 16 options per reel.) Crypto-Games also uses this for their slot games.





I wonder what OP, RHavar and others that participated in this thread think about above options rather than Fisher–Yates method. It seems easier to me because anyone can verify it with simple SHA256/512 and Hex-to-Decimal online tools - rather than running a Fisher–Yates and modulo-seed-loop-rng script.

thx again for explaining, very much appreciated cause I am not an expert but we love the provably fair option.

the reason I asked for more than a 4 deck game is that a 6 or 8 deck would have a slightly better HE for the OP and would give the option to offer some rules a player would like to have and again reduce the HE so the HE will not be to low. I hope you understand my point

am I right when assuming the same provably fair option could be used with video poker?

4-10 was example. In reality there are 64 sets of 2 characters in a SHA512 hash. Some of those 64 numbers will be out of reach (208-255) or double numbers, but it should be still enough. One could do the math of odds of running out of numbers in biggest blackjack game (depending on "split rules" too), but I am bit lazy to do that. I do assume its enough even with all the splits.

If you have a multi-player blackjack game, it would probably not be enough. It could still easily just add a nonce to further loop or just use the Fisher–Yates shuffle. Still IMO the simple hash without Fisher–Yates shuffle is easier / more clear. So I would only use Fisher–Yates shuffle if it's really needed (=need lots of cards selected.)

Unique card: I mean, that Crypto-Games has 4 deck of cards, but actually its just numbers from 0-207, see: https://www.crypto-games.net/blackjackcards.html We will just pick numbers between 0-207 and each number represents a card. So any card, like a King of Hearts, appears 4x in total (numbers: 23,75,127,180.) When I say "unique" I mean that the specific number 0-207, like "75" cannot be repeated, since normally a specific card cannot be repeated either. However, the king of hearts can appear up to 4 times with those 4 numbers (23,75,127,180.)



edit: I guess this method is mostly nice up to 4 decks, since 2 hexadecimal characters are between 0-255. If you want more decks, you would probably need some ugly modulo thing with 3 hex characters. So probably better just Fisher–Yates shuffle with "seed RNG" for more decks. I am not sure if there is a site already that implemented that?

Very interesting write-up! Thank you OP.

first of all thx for taking the time to explain it in more depth

4 - 10 cards imo is not enough depending on the rules an OP could offer. for example dealer hits soft 17 and resplit up to 4 hands

what does it mean when you are saying "unique cards" in a 4 deck game?

For Blackjack you can use the method I just described (which is used by Crypto-Games.) Blackjack only needs like 4 - 10 cards in normal game (even though 4 decks are used.) I like the way Crypto-Games does it, because it's very easy/understandable.

That method keeps looping looking for unique cards within those 4 decks. That's fine for like 10 cards, but if you would need like 40 cards, that probably gets pretty bad in performance (because it keeps looping for unique cards while not really discarding/removing them) and additionally that "final hash" would not provide enough characters.

So if you need to select more cards for other games:

hi

I am very interested in a provably fair option for Black Jack and that all cards of a 4 -8 decks are included

did I understand it right that the fisher yates shuffle would be fine to use and acceptable to be provably fair?

thx

It's not about the seeds used, but the MT RNG just has that seed input limitation. MT19937 is normally used and has a 32 bits limit, there is MT19937-64 which would be better with 64 bits but still not enough (although less feasible to brute-force results.)



Anyway for a lot of games, like blackjack, very easy solution can be possible. For example Crypto-Games.net does this:

1. Gets "final hash" (with "per roll" method but could be with "normal dice nonce" method.)
2. Has 4 decks so 208 cards: https://www.crypto-games.net/blackjackcards.html
3. Gets 2 characters from "final hash" and convert to decimal (= value of 0-255)
4. Use that as card (if within 0-207 range and not double.)
5. Repeat with next 2 characters till you have all the cards you need.

So that is easy/good imo?

For roulette it's even easier.. just loop those 2 characters from hash till its 0-36. (Crypto-Games does this too.) No need for "initial" stuff.



If you need more/all cards, I guess Fisher–Yates shuffle with proper simple RNG (not MT) is faster than that long loop though :p

Hey, it's you again. I missed this thread, and sorry for the 3 or 4 month bump. But my one comment is to simply not use the "reference implementation" and make sure your final shuffle has a space much bigger than 32 bits. This means both client and server seeds must be larger than 52! or whatever is the size of the deck.

Dice sites have been using SHA256 and SHA512 since forever.

My poker version is difficult and unwieldy but I believe it's the best way to shuffle a deck without revealing the cards to players who shouldn't know. (If you fold, no one else see's your cards.) It's also overkill, so I'm trying to see if there is a simpler implementation that would be just as effective, but that eludes me. (Go look for my "Provably Fair Poker" thread from 3 years ago.)

For all other normal card games where you can reveal the entire deck after the game, 256-bit client seed, 256-bit server, 256-bit "anything else needed/nonce" should be more than enough "provably fair".

I looked at BetKing's provably fair implementation and determined that they can use shufflepuff as an exploit AND their shuffle algorithm has a modulo bias. In general, for an eight deck blackjack game, the modulo bias occurs once every 200,000-400,000 hands. Not a lot, but easily fixable. To fix the modulo bias, BetKing would want to discard any number n where n >= MAX - MAX % modulus, where MAX = 2³² - 1.

A good thing about BetKing is that they keep their code simple and easy to read. This is in contrast to some casinos that have very complicated methods for similar functions.

Yeah, but still better than I thought.



They can't do that either.
Let us say, we have 5 of each. Each number appears once every six times.
It is shuffled and two numbers are selected.

Now the odds that the second number is "1" when the first number is "1" is less than the odds that the second number is "2" when the first number is "1". while it should be equal.
That is, if the first number is "x" there is only 4/30 chance that the second number is also "x". The probability should be 5/30.


I suggested this:

Well, it's not quite fool proof but it's better. The problem with block nonce for instance, is that miners can just set it to what ever they want (and it has 0 impact on their profitability). The block hash is a bit different, because lets say a miner finds block X  and then realize that would make them lose ... they have to decide between losing the bet, or throwing away the block reward (currently >= 25 BTC, soon to be >= 12.5) and having a redraw.

So now it's really expensive to do, and only worth it for very large values of money. Pevpot introduced a way to avoid that all together with "hash stretching" which was by applying a (very!) slow computation to the hash, in such a way that is impossible for miners to use it  (if they ran the computation before propagating the block, it would take so long they will almost guaranteed to have lost the block race)

I'll give you my take on bitcoinbetting.website's provably fair system, since TrevorXavier isn't going to comment. bitcoinbetting.website is for the most part, provably fair. For bitcoinbetting.website to cheat, they would need to own a large % of the network hashrate, and if a winning bet is in the block they just found, they could withhold the block and let another miner get a different block, with possibly a different last digit. This would be hard to do though, as the hashing power needed would cost a lot of BTC, and the payout has to be over 25 BTC for it to be worth it to withhold the block. I doubt they have that much money to get a large share of the network, and the bets are still pretty small so I am 99.99% sure they don't cheat. They can, but it is extremely unlikely.

TL:DR : They can cheat, but they probably won't unless they own a large amount of the network's hashing power and the payout for a bet is over 25 BTC, and is included in a block that they mine.

Thank you for writing, Angelina Jolie!

I'd love to, but I try not to comment on specific casinos unless I've taken a fairly deep look into how they operate. This takes a considerable amount of time. Hopefully, there are some sources where others have taken a look at these websites? Are the ones you're referring to on-chain betting?

I can make some general comments about shuffle-based provably fair systems, in case you encounter them. I know it may not be helpful for the specific casinos you're referring to, but you never know.

When I looked into the shuffle-based provably fair systems, many of them suffered from the following:

• Sole control over the initial arrangement of the cards. This is the basis of shufflepuff, which I believe "breaks" the provable aspect of "provably fair" for many of these casinos. Adapting shufflepuff to their provably fair method would allow a casino to take advantage of you.
• Modulo bias in the shuffling algorithm. This is normally not a big deal for most applications but a considerable gaffe for a casino (which markets fairness). It shouldn't exist, really. In general, depending on where the Fisher-Yates algorithm starts shuffling (the beginning or the end of the deck), a casino can favor cards in certain spots. Though rare, sophisticated usage of it can result in the player being denied a card (like an Ace in blackjack) or given a card (like a 5 or 6).

If you have any other questions, let me know!

I'd like to know your take on the provably fair system of www.luckyb.it & www.bitcoinbetting.website.

I can't render an opinion on Pocketdice, but it looks like NLNico and RHavar have seen obvious defects which would preclude it from being provably fair.



The way I see it, "provably fair" (the concept) is marketed by casino operators with several claims. Here's a sample (emphasis added in bold):







When presented with a viable weakness, however, casino operators seem to resort to a promise (which requires trust) or marketing (emphasis commentary added in bold):





From my perspective, if the provably fair system isn't "provable" then it can only degenerate into a simple promise of fairness. A promise requires that you trust the casino, which is contradictory to the casino's claims.

Many of these casinos have been around for some time, so they tend to be a little dismissive when an attack is presented. It's natural: they have established a base of players, some of whom might play regardless of provable fairness, some who don't verify anymore, some who may amplify claims, and so on. And they've likely received more than their fair share of claims from players about cheating.

Truly interesting responses. Thanks for the question, DarkStar_!