Nice work! But I think you're missing out the most interesting part, in a game of X how much can this exploit raise the house?
Also regarding the exploit, this type of attack was first noticed a while ago (although in the context of bustabit):
https://bitcointalksearch.org/topic/m.8535291 who was able to raise the house edge by 0.2%.
Anyway, I ended up solving by mixing in the hash of a yet-unmined bitcoin
block (see: https://www.bustabit.com/faq#fair).
Topic: Breaking: Shuffle-based Provably Fair Implementations Can Cheat Players (proof) - page 5. (Read 4659 times)
June 01, 2016, 10:53:14 AM
June 01, 2016, 10:47:04 AM
I guess that could work.
You could probably also loop all 52 cards and assign random numbers to them and sort it from high to low. The random number for each card would be calculated in same like seed/nonce way (with 1 more nonce), so a bit like 52 (unique) dice results.
You could probably also loop all 52 cards and assign random numbers to them and sort it from high to low. The random number for each card would be calculated in same like seed/nonce way (with 1 more nonce), so a bit like 52 (unique) dice results.
please let me state that I have no clue about the provably fair option and I see more and more that it is anyway not an easy task.
my point of view is that we as casino owners don't want to cheat the players and don't want to be cheated by players. therefore I asked for the perfect way or best solution to offer a provably fair card game like BJ, Baccarat, Poker etc?
NLNico mentioned now that it could be like unique dice results and I am not sure if I understand this because BJ or Baccarat is played with 6 or 8 decks (reshuffled after each game) and up to 10 + cards could be dealt in a game. real BJ and Baccarat players are interested in the cards they get dealt and not in dice decisions. my question is if it would be like provably fair shuffled 6 or 8 decks?
sorry for my english and I hope you could understand my question
thx
June 01, 2016, 10:19:27 AM
Wow, I have never considered this, but it makes sense.
So basically all the major casinos that offer card games are not PROVABLY fair...
I think betking is an exception, but I would love to hear from some of the other providers about how the intend to fix this situation...
So basically all the major casinos that offer card games are not PROVABLY fair...
I think betking is an exception, but I would love to hear from some of the other providers about how the intend to fix this situation...
June 01, 2016, 10:16:16 AM
I guess that could work. (Potentially modulo bias though?)
You could probably also loop all 52 cards and assign random numbers to them and sort it from high to low. The random number for each card would be calculated in same like seed/nonce way (with 1 more nonce), so a bit like 52 (unique) dice results.
You could probably also loop all 52 cards and assign random numbers to them and sort it from high to low. The random number for each card would be calculated in same like seed/nonce way (with 1 more nonce), so a bit like 52 (unique) dice results.
June 01, 2016, 10:04:58 AM
^ I am more curious about above. BitZino allows 32 "aZ09" characters (62^32?) as clientseed and the MT seed is a SHA256 based on that. Isn't that a lot more than 2^32? Maybe I misunderstand that part though.
Good catch, but sadly, the seed maxes out at 232 – 1.
bitZino combines the server seed and client seed, hashes it with SHA256, but then only uses the first 8 bytes of it. So, the range is 0x0 to 0xFFFFFFFF. (FFFFFFFF)16 = (4294967295)10. They write about this in their techblog: https://techblog.bitzino.com/2012-06-30-provably-fair-shuffling-through-cryptography.html
Like JackpotRacer I am wondering what "the best solution" would be to get a provably fair random card deck.
I can imagine something like the "dice nonce method" but adding an extra nonce so it could calculate more numbers (since a "duplicate card" cannot happen, so might need to loop a bit more.) But this might get a bit heavy in performance the more unique cards you need
How about something like this:
PseudoCode:
Code:
listUnshuffledDeck = new list ();
//Populate UnshuffledDeck from 1-52, where 1= ace of spades, 2=2 of spades etc etc.
listshuffleddeck = new list (); //empty list
string clientseed = "something"
string serverseed = "randomly generated server seed"
int nonce = 1 //or whatever your nonce should be
while (UnshuffledDeck.count>1)
{
int tmp = UnshuffledDeck [rng(clientseed,serverseed,nonce,unsuffledeck.count)]
shuffleddeck.add(unshuffledeck[tmp])
shuffleddeck.removeat(tmp);
}
shuffleddeck.add(unshuffleddeck[0])
unshuffleddeck.removeat(0)
function int RNG(string client, string server, int nonce, int max)
{
int randomnumber = Using a nonce based RNG system similar to Justdice or betking, generate a random number between 0 and 1 000 000.
return randomnumber%max
}
So take a "brand new" deck. Pick 1 card at random from the deck and put it at the top (or bottom) of a new deck. Continue doing this until there are no more cards left n the unruffled deck. The random card picked from the deck depends on the client seed and the nonce of the bet.
If you feel this isn't random enough, repeat the shuffle using the shuffled deck as the new unshuffled deck
June 01, 2016, 09:51:47 AM
^ I am more curious about above. BitZino allows 32 "aZ09" characters (62^32?) as clientseed and the MT seed is a SHA256 based on that. Isn't that a lot more than 2^32? Maybe I misunderstand that part though.
Good catch, but sadly, the seed maxes out at 232 – 1.
bitZino combines the server seed and client seed, hashes it with SHA256, but then only uses the first 8 bytes of it. So, the range is 0x0 to 0xFFFFFFFF. (FFFFFFFF)16 = (4294967295)10. They write about this in their techblog: https://techblog.bitzino.com/2012-06-30-provably-fair-shuffling-through-cryptography.html
Like JackpotRacer I am wondering what "the best solution" would be to get a provably fair random card deck.
I can imagine something like the "dice nonce method" but adding an extra nonce so it could calculate more numbers (since a "duplicate card" cannot happen, so might need to loop a bit more.) But this might get a bit heavy in performance the more unique cards you need
June 01, 2016, 08:58:32 AM
BetKing.io has a profit/ev of 140% so it strongly suggests that there is no cheating going on of investors.
Good job it's also provably fair so you can prove the house hasn't cheated players too
June 01, 2016, 07:52:23 AM
^ I am more curious about above. BitZino allows 32 "aZ09" characters (62^32?) as clientseed and the MT seed is a SHA256 based on that. Isn't that a lot more than 2^32? Maybe I misunderstand that part though.
Good catch, but sadly, the seed maxes out at 232 – 1.
bitZino combines the server seed and client seed, hashes it with SHA256, but then only uses the first 8 bytes of it. So, the range is 0x0 to 0xFFFFFFFF. (FFFFFFFF)16 = (4294967295)10. They write about this in their techblog: https://techblog.bitzino.com/2012-06-30-provably-fair-shuffling-through-cryptography.html
June 01, 2016, 07:21:56 AM
Another important threat in the bitcoin space is investment based sites, there's absolutely no way to know if the owners will play against the house and steal from investors in an undetectable manner.
Can't agree more. I am not sure if many investors are aware of this possibility especially the ones with relatively high Profit/EV.
Stunna always bashes crowdfunded bitcoin casinos.
I can see why but people are smarter now and no one is investing large amounts in new sites with questionable owners who are likely to scam (Dicebitco.in and dice.ninja).
I wonder what his honest opinion is on BetKing.io/me when it comes to trust and investing.
But your argument doesn't make much.
If the Profit/EV is high then it is far less likely that the owner has been cheating the investors. If the owner was cheating then the Profit/EV would be lower.
Of the 5 Bitcoin investment sites on dicesites.com only 2 are under EV and people could accuse them of playing against investors.
People think SafeDice is legit though and is just below EV because of their risky invest model and were unlucky.
I've never trusted Bitdice so I won't go into that.
BetKing.io has a profit/ev of 140% so it strongly suggests that there is no cheating going on of investors.
Good job it's also provably fair so you can prove the house hasn't cheated players too
I've proved over and over that your funds are safer in BetKing than any other crowdfunded casino and it is a fact that it is the most trusted.
Primedice is certainly more popular but Stunna doesn't secure as many Bitcoin of other users as BetKing does at one time.
Though he may very hold more than the whole of BetKing in his own personal wallet
Moneypot looks like it might be safe to invest in as a couple of their owners (not all) are respectable members of the community, though the owners have only had it for 5 months so who knows.
SatoshiDice you would think would be safe since they have been around a long time but it seems common knowledge that they have changed owners more than a few times.
In response to OP. That is an interesting claim and I will look in to it a bit more. It would be good to see some ideas of solutions to the problem.
June 01, 2016, 06:27:29 AM
Ps, there is actually one dice site "pocketdice" that uses "initial random numbers" which was proven to have a bad provably fair implementation (for more simple reasons than OP ) Unfortunately they still didn't improve this.
) Unfortunately they still didn't improve this.How the system works exactly is still beyond me but I can't see the logic on the relatively complex way it is implemented or the mystery behind the 30.
But how is this?
The client's seed is not really used to generate the random result.
OP says that even when the distribution of numbers in the "initial deck" is fair, the outcome can still be influenced to have a slightly bigger chance to have an outcome the house prefers. This could be done by calculating what the different client seeds do with a specific initial deck.
Quote
all possible Mersenne Twister seeds (which range from 0 to 2^32 – 1)
^ I am more curious about above. BitZino allows 32 "aZ09" characters (62^32?) as clientseed and the MT seed is a SHA256 based on that. Isn't that a lot more than 2^32? Maybe I misunderstand that part though. June 01, 2016, 06:25:48 AM
I always dislike those complicated shuffle-based provably fair methods anyway. For roulette/slots/whatever it should be easy to just use the "normal dice nonce method" and generate numbers/results based on that, right?
True. Straight forward provably fairness is always better than complicated provably fairness. June 01, 2016, 06:15:15 AM
For roulette/slots/whatever it should be easy to just use the "normal dice nonce method" and generate numbers/results based on that, right?
Thanks!
Yeah, that could work. Choosing multiple cards (i.e. blackjack) may have a couple of quirks. Roulette and slots should work fine.
this means that Black Jack, Baccarat, Poker etc are in danger to not be provably fair?
what would be the perfect provably fair implementation for those popular card games?
thx for the work you did
June 01, 2016, 05:14:15 AM
No wonder I always lost on online casinos 
June 01, 2016, 05:07:16 AM
Glad I am not a fan of table games 
Can't agree more. I am not sure if many investors are aware of this possibility especially the ones with relatively high Profit/EV.
How the system works exactly is still beyond me but I can't see the logic on the relatively complex way it is implemented or the mystery behind the 30.
But how is this?
Another important threat in the bitcoin space is investment based sites, there's absolutely no way to know if the owners will play against the house and steal from investors in an undetectable manner.
Can't agree more. I am not sure if many investors are aware of this possibility especially the ones with relatively high Profit/EV.
Ps, there is actually one dice site "pocketdice" that uses "initial random numbers" which was proven to have a bad provably fair implementation (for more simple reasons than OP ) Unfortunately they still didn't improve this.
) Unfortunately they still didn't improve this.How the system works exactly is still beyond me but I can't see the logic on the relatively complex way it is implemented or the mystery behind the 30.
But how is this?
The client's seed is not really used to generate the random result.
June 01, 2016, 04:10:49 AM
Quite interesting read. Hopefully this will spark a change in the way sites implement their provably fair schemes regarding decks shuffling but I doubt it.
Thanks for sharing your findings.
Thanks for sharing your findings.
June 01, 2016, 01:28:41 AM
For roulette/slots/whatever it should be easy to just use the "normal dice nonce method" and generate numbers/results based on that, right?
Thanks!
Edit: Thought about it some more... The answer is 'not exactly' (see new reply).
June 01, 2016, 01:18:21 AM
But with many bitcoin casinos the operator can claim an ultra low edge to drag in volume but the actual edge would be multiple times that if they aren't playing fair.
Totally right. You bring up another really good point. Using shufflepuff, we can feed it a truly fair roulette wheel (36 cards) playing red or black and still optimize the initial deck in a way that favors the house.
After a few minutes:
000000000000000000111111111111111111: 2496
000000000000000001111111111110111111: 2500
000000000000000010011111111111111111: 2526
000000000000000010111111011111111111: 2533
000000000000000010111111110111111111: 2538
000000000000000010111111111110111111: 2545
000000000000000011111111111110011111: 2546
000000000000000110111111110110111111: 2549
000000000000000110111111111110011111: 2553
000000000000001010111111011110111111: 2560
000000000000001010111111110110111111: 2565
000000000000001010111111111110011111: 2569
000000000000001110111111110110011111: 2573
000000000000010110111111110110011111: 2577
000000000000011010011111111110011111: 2581
000000000000011010111111010110111111: 2584
000000000000011010111111011110011111: 2588
000000000000011010111111110110011111: 2593
Anything above 2500 actually favors the house, despite the cards being in a "fair" distribution (18 red, 18 black).
Granted, advertising a 0% game would be silly and raise red flags, but an ultra-low edge would work well.
June 01, 2016, 01:16:01 AM
Pretty interesting
I always dislike those complicated shuffle-based provably fair methods anyway. For roulette/slots/whatever it should be easy to just use the "normal dice nonce method" and generate numbers/results based on that, right?
Ps, there is actually one dice site "pocketdice" that uses "initial random numbers" which was proven to have a bad provably fair implementation (for more simple reasons than OP) Unfortunately they still didn't improve this.
I always dislike those complicated shuffle-based provably fair methods anyway. For roulette/slots/whatever it should be easy to just use the "normal dice nonce method" and generate numbers/results based on that, right?
Ps, there is actually one dice site "pocketdice" that uses "initial random numbers" which was proven to have a bad provably fair implementation (for more simple reasons than OP
) Unfortunately they still didn't improve this. 
June 01, 2016, 01:08:09 AM
Hi Stunna! Thanks for the reply.
You're right, the post excludes dice sites.
For other casinos, however, there is no amount of randomization that the player can do to prevent the attack. Even entering their own seed won't help. The optimized shuffle will win more often than expected.
You're right, the post excludes dice sites.
For other casinos, however, there is no amount of randomization that the player can do to prevent the attack. Even entering their own seed won't help. The optimized shuffle will win more often than expected.
Very true, with normal online casinos I think this usually isn't as much of a threat as a 5-15% edge will simply rake in tons of profit for the owners. But with many bitcoin casinos the operator can claim an ultra low edge to drag in volume but the actual edge would be multiple times that if they aren't playing fair.
Another important threat in the bitcoin space is investment based sites, there's absolutely no way to know if the owners will play against the house and steal from investors in an undetectable manner. It's this type of theft along with what you outlined in your post that are major threats to this community because the sites that do this will never get caught. I'm sure many of us have known people in real life who we could trust in a room with a million dollars and a video camera and they wouldn't touch a single bill, but when you remove the camera from the equation you'd often get a different result.
June 01, 2016, 01:00:44 AM
Hi Stunna! Thanks for the reply.
You're right, the post excludes dice sites.
For other casinos, however, there is no amount of randomization that the player can do to prevent the attack. Even entering their own seed won't help. The optimized shuffle will win more often than expected.
A quick example of roulette using a pretend seed space of 5000 (0 - 4999) and running the code:
0000000000000000001111111111111111111: 2561
0000000000000000011111111111101111111: 2562
0000000000000000100111111111111111111: 2590
0000000000000000101111110111111111111: 2599
0000000000000000101111111101111111111: 2605
0000000000000000101111111111101111111: 2611
0000000000000001101111110111101111111: 2613
0000000000000001101111111101101111111: 2619
0000000000000001101111111111100111111: 2623
0000000000000010101111110111101111111: 2624
0000000000000010101111111101101111111: 2630
0000000000000010101111111111100111111: 2634
0000000000000011101111110111100111111: 2636
0000000000000011101111111101100111111: 2642
...
0000010111000110111110101111000011100: 2743
I stopped after a few moments. According to this setup, the probability of a win (for the house) is (19/37) = .5135. However, the last permutation wins 2743/5000, or .5486. We now have an arrangement that will always result in an average higher win rate. There is nothing the player can do (with this implementation) to overcome the optimized shuffle.
You're right, the post excludes dice sites.
For other casinos, however, there is no amount of randomization that the player can do to prevent the attack. Even entering their own seed won't help. The optimized shuffle will win more often than expected.
A quick example of roulette using a pretend seed space of 5000 (0 - 4999) and running the code:
0000000000000000001111111111111111111: 2561
0000000000000000011111111111101111111: 2562
0000000000000000100111111111111111111: 2590
0000000000000000101111110111111111111: 2599
0000000000000000101111111101111111111: 2605
0000000000000000101111111111101111111: 2611
0000000000000001101111110111101111111: 2613
0000000000000001101111111101101111111: 2619
0000000000000001101111111111100111111: 2623
0000000000000010101111110111101111111: 2624
0000000000000010101111111101101111111: 2630
0000000000000010101111111111100111111: 2634
0000000000000011101111110111100111111: 2636
0000000000000011101111111101100111111: 2642
...
0000010111000110111110101111000011100: 2743
I stopped after a few moments. According to this setup, the probability of a win (for the house) is (19/37) = .5135. However, the last permutation wins 2743/5000, or .5486. We now have an arrangement that will always result in an average higher win rate. There is nothing the player can do (with this implementation) to overcome the optimized shuffle.
Jump to: