Topic: Breaking: Shuffle-based Provably Fair Implementations Can Cheat Players (proof) - page 2. (Read 4715 times)

Thank you for the replies.

I don't know much about mining either particularly in this case on what the nonce is etc.


https://en.bitcoin.it/wiki/Nonce

So the nonce value is set by the miner. I was thinking it was automatically computed or something..




Yeah    Never thought of that.


So the block hash is the only reliable (or most reliable) string in a block that can be used for provably fair?

This is the same type of deflection Nitrogensports is infamous for. They have a clearly rigged Blackjack system but whenever anyone questions it they link to "provably fair". Good to see hard data out there that doesnt make the Casino skeptics looks crazy.

Disclaimer: I am not a mining expert, so anyone please correct me if I am wrong here....



satoshinonce would not be fair for investors and that site is technically not even provably fair for the player.

For player: if satoshinonce is also a miner, they could specify block-nonces (last 1 or 2 digits only) in their mining software which makes the incoming transactions/bets lose (or at least whichever is best for them.) So even if they have 2% mining power, players would most likely lose 2% more often. That's why I think for the player it's better to have TX+VOUT+SECRET like Luckyb.it (and SD before.) Might be tough to change it since.. well.. the site is called "Satoshi Nonce".

For investor: if satoshinonce is also a miner, they could adjust the mining software to only check nonces with 2 specific last digits and include some of those winning 98x transactions in it (and not even broadcast those transactions before finding the block!) Then if they find a correct block, they send it out including those winning transactions. It seems like a guaranteed way to win with no risk. So doesn't help investors much. Would be even worse for investors with TX id though obviously.

Also miners who like to attack/cheat satoshinonce can do this right now BTW. But I assume that adjusting the mining software to only use those specific nonces might take some work and I guess with the low max bet it's not worth it for them.



Ps, hope TrevorXavier doesn't mind we are going a bit off-topic here It's still somewhat on the same topic of faulty provably fair implementations though (:

You bring up a good point.

When I first published the side-channel attacks a couple years ago, some casino operators dismissed it by saying things like, "We would never cheat," or "if we did this, we'd get caught" or "if we were caught, we'd lose all our players," without addressing their implementations of provably fair. So, they are countering a cryptanalysis with a PR/marketing spin, which doesn't make sense.

By saying, "We would never cheat," without addressing their implementation, they are only offering a simple promise of fairness, which is no different than a non-provably fair casino.

Yeah, I read that. (just read don't think it is possible part too many times )

I wanted to know your opinion on everything except that part - If satoshinonce accepted investments, is such a risk entirely eliminated?




I think decentralized trust-less gambling/investing is very possible.




Er.. was saying, provably fair wouldn't be invented if we kept thinking - it will not solve all the problems and all we need to do is trust the casino owner.


(edited)

provably fair was invented for the player and imo the best invention in gambling business so why to do it away? please correct me if I am wrong

Yes, that's why I said "fast game"




I agree.

Although in theory in the future there could be true decentralized trust-less gambling/investing with sidechains and investors that run some program to sign transactions/bets on the fly (like JoinMarket.) That would mean all investors have to put their BR in a (own-controlled like their own computer) "hot wallet" though and it's not as fast as dice now. Also I am not sure how the random process would work (either dependent on miner or third-party like most ETH smart contract gambling atm.) So I am not sure how practical it will all be, but sounds like a technical interesting project when the time is there

If everyone is really going to trust the owners we could do away with the provably fair too.

let's say this problem is solved and investors can't be cheated by casino owners. it will not solve the hit n run option for a casino owner imo and this would mean that investors coins are always at risk

at the end the magic word will be trust (the casino owner)

This one http://satoshinonce.com/ (don't know if this is still running fine) appears provably fair to an investor?

I don't think it is impossible, it will just be slow. We need one variable that is not determined by the server or the client and cannot be influenced by either but becomes known soon-after like a block hash?

That's a great question. This is a common issue among crypto-developers. You may have heard the mantra from developers, "Write it, even if it breaks." Unfortunately, crypto-developers aren't afforded the luxury. If crypto is implemented and breaks, it can cause direct harm. Total losses, breached accounts, really bad stuff. Look at Meteor. They had SRP implemented but reverted back to bcrypt because maintaining the crypto code required far more resources that were best used elsewhere.

In a nutshell, I had penned an implementation a couple of years ago, had it in peer review but it quickly became cost prohibitive.

Granted, I can't speak for an organization that is interested in the research. It may end up being a benefit to all. Some time and resources to fully publish, maintain, and be there to actively improve the work.

I am pretty skeptical about that and I still don't think it's possible for a fast game like dice. But yeh, if you don't publish "how" then we cannot check it obviously (:

If the goal is to increase transparency and honesty, why would one hold it back?  Just curious. 

It's not like people are going to automatically jump at a new company that first introduces the method.

I have a fair method for investors – will publish in due time – but currently in talks with another group that wants to license it to be first-to-market.

Either way, it appears likely to be open-sourced.

Betting on sidechains (with 1s blocks) where investors are all part of each multi-sig ("smart contract") transaction(=bet) by running a program like JoinMarket.

Okay, no, currently that is not possible

Logs/code irrelevant tbh.

I once made an audit idea that was discussed again last month (here) but not really worth the effort.

Any suggestions on how to make this as transparent as possible?

Not a concrete solution, but what if trusted members were able to pop under the hood periodically and check the logs and back-end code?

It (Edit: Stunna's) is a valid point. There is no investor provably fair implementation yet. (I like the concept here. https://etherdice.io/ )



I always prefer nonce method except in Moneypot style cases.

Oh I see. I was thinking it was something else (to do with the shuffle thing).

I thought OP was making that point with:
when he was actually still talking about 30 and he fails to mention they don't need to track roll tendencies - just every single roll.

Just checking in with you, casinobitco, if RHavar provided enough information for you to examine shufflepuff in greater detail.


A Provably Unfair Blueprint

Here's what a malicious casino would do if they wanted to cheat.

#1: Take your standard roulette wheel and letter encoding.

0	1	2	3	4	5	6	7	8	9	10	11	12	13	14	15	16	17	18	19	20	21	22	23	24	25	26	27	28	29	30	31	32	33	34	35	36
0	1	2	3	4	5	6	7	8	9	a	b	c	d	e	f	g	h	i	j	k	l	m	n	o	p	q	r	s	t	u	v	w	x	y	z	A

#2: Convert the wheel to a point deck based on the desired optimization.

Here, we represent the wheel as a set of points. For illustration, we'll keep it simple and use a zero (0) as neutral and a one (1) for the wheel positions that favor the house. You could use weighted values, like -1 and 1 to show the exact deviation in favor of the house or player. I prefer 0s and 1s to stay aware of the count within a space (just a math thing).

Examples:

Optimize for Color (red/black)
0 000000 000000 000000 111111 111111 111111

Optimize for Green
1 000000 000000 000000 000000 000000 000000

Optimize for Third
0 111111 111111 000000 000000 000000 000000

For this example, I'll choose to optimize for color.

#3: Run shufflepuff with the desired seed space.

First, let's compare the seed space (2³² = 4,294,967,296) and the arrangement space (37! / 19! / 18! = 17,672,631,900). The seed space covers about 24.3% of the arrangement space (4,294,967,296 / 17,672,631,900). What does this mean? It means that there are some final shuffles that are unattainable if the house decides to optimize the deck. In roulette, we're drawing one "card" (number). To optimize, we want to push as many favorable shuffles for the house into the seed space, and push as many favorable shuffles for the player outside of the seed space (into the unattainable space). This seed space covers a relatively "large" portion of the arrangement space, so one would expect there to be optimization, but smaller optimization than in other games, such as blackjack.

Someone might say, "Wait, there are actually 37! possible initial decks in roulette." That's true, but since we're optimizing for color, we can cut down our search space by ignoring the order of the numbers and focus on the position of the colors. You'll see why in a bit.

As a toy example, let's reduce the seed space to something small, like 40. Fire up shufflepuff and you'll see this:

0000000000000000000111111111111111111: 16
0000000000000000001101111111111111111: 17
0000000000000000001111011111111111111: 18
0000000000000001000111011111111111111: 19
0000000000000001001101011111111111111: 20
0000000000000001001111011101111111111: 21
0000000000001001001101011101111111111: 22
0000000000001001001111011100111111111: 23
0000000000011001001111011100110111111: 24
0000000000111001001111011100110011111: 25
0000000001001001001101011100111111111: 26
0000000001001001001111011100110111111: 27
0000000001011001001111011100110011111: 28
0000000001111001001111011100110001111: 29
0000000011111001001111011100110001110: 30
...
0000111001001001001111011100110001110: 35

The last line indicates the arrangement and the number of seeds (out of 40) that are beaten. So, in this example, if we optimize for the house, the house will win 35/40, or 87.5% of the time.


#4: Partition the roulette encoding scheme and randomize.

For this instance, I'll optimize for black, meaning I want black to appear 87.5% of the time. So, I'll partition the encoding into red + green, and black:

Red + Green: "013579cegijlnpruwyA"
Black: "2468abdfhkmoqstvxz"

Now we randomize each encoding:

Red + Green: "Awp1yejr5c3ngi07u9l"
Black: "davhk4mtz82sbof6qx"


#5: Zip the shuffled encoding onto the optimized arrangement.

0000111001001001001111011100110001110 =
Awp1     ye  jr   5c  3n       g      i0     7u9      l
        dav   h   k    4   mtz8  2sb    of       6qx

Result: Awp1davyehjrk5c43nmtz8g2sbi0of7u96qxl

You can keep randomizing to create 19! * 18! = 7.788 x 10³² cold decks. Using this deck, or any under this optimization, results in black appearing 87.5% of the time, despite an expectation of 18/37 = 48.65%. There is no way for the client to randomize their seed enough to beat this optimization.

Granted, with a 2³² seed space, you're not going to get such a dramatic result. Additionally, even if you found a high optimization, you probably wouldn't play it often (tuck it away as your "nuclear" option).

Here's the big thing: You also have all the arrangements > 20 that also work well. They can also be randomized and used against the player. Again, the casino doesn't necessarily want to find the best deck, just a better deck.

It's also easy to optimize for red now. Just flip the red and black (leave green alone).


Let me know if you have more questions. Thanks for reading!

Addendum
Remember, the shufflepuff code does not adhere perfectly to any one particular casino, so while it will give you optimized decks for its configuration, the decks will fail if implemented. This is intentional.