Pages:
Author

Topic: Bustabit.com Provably Fair Seeding Event - page 2. (Read 49515 times)

newbie
Activity: 14
Merit: 0
I just want to say that you guys seemed to have been advertising good or somethin'. I'm hearing 'Bustabit' mentioned more and more. Maybe because it's just a bit more innovative, it's a social experience, and all of you are betting on the exact same multiplier. Thanks.
hero member
Activity: 518
Merit: 500
If someone found the secret, they'd probably cash out and multiply it even more : )
hero member
Activity: 616
Merit: 500
To God Be The Glory!
This give sooo good ! Cheesy
legendary
Activity: 1876
Merit: 1005
January 19, 2015, 02:30:19 PM
#21
Wow, it is nice to see that this got implemented.

I like this site and especially free 2 tickets and I have won once 250x . Simply one of the best and a must try site. Keep up great work this is going to be big in future.
legendary
Activity: 1736
Merit: 1023
January 19, 2015, 01:55:52 PM
#20
Wow, it is nice to see that this got implemented.
legendary
Activity: 2940
Merit: 1333
January 15, 2015, 05:22:27 PM
#19
The implementation (containing information about the seeding event) is here: https://github.com/moneypot/gameserver/commit/bc1bffe32833a3f73046698677804c216607f952

For anyone wanting auditing the provably fair seeding, this is a great thing to backup.

This is the code that will be used once the miners have mined block 339300

I think that just quoting your post is enough. You can't change the content of that commit without changing its URL.
legendary
Activity: 2940
Merit: 1333
January 13, 2015, 05:56:51 PM
#18
Quote
So why not just say that you have generated a long chain of sha256 hashes, and omit the stuff about the private key of a Bitcoin address?

Because like you said, it doesn't matter. It's really just a trivia piece. Just like you can't verify how long the chain is, but it doesn't impact the ability to verify the distribution of game results.

I think clarity and simplicity are the most important properties here. Your scheme is relatively complex so it's good to prune as much as possible if doing so doesn't reduce the quality of the scheme as a whole.
legendary
Activity: 1512
Merit: 1012
January 13, 2015, 03:38:55 PM
#17
Improvements are always welcome Smiley Nice addition to a great game!
legendary
Activity: 2940
Merit: 1333
January 13, 2015, 02:52:47 PM
#16
I've also burnt 10k bits to record the terminating hash in the blockchain: https://blockchain.info/tx/dbfd4591639be96cdb2ad8077985734b368d1f4d3a8c7a45cbed2d3f3f96edfd?show_adv=true

I found OP pretty confusing, and I was partly responsible for coming up with the scheme in the first place.

I would recommend rewriting it so that a newcomer could understand what's going on.

I think the salient points are:

1) Ryan has generated a chain of 10 million sha256 hashes, starting with the private key of a Bitcoin address, and repeatedly feeding the output of sha256 back into itself 10 million times. He has published the final output of that chain.

2) Moneypot will play through that chain of hashes, in reverse order, and use the hashes to determine the crash point in a provably fair manner.

3) To avoid criticism that the Bitcoin address used in step 1 was carefully chosen to generate lots of "bad" crash points, each hash in the chain will be salted with a client seed, which Ryan has no control over. The client seed will be the block hash of a Bitcoin block that hasn't yet been mined.

Is that any clearer?

Once those three points have been stated, then it's time to delve into the actual code, long hex hashes, and the specific block number. I found I was getting lost in the detail and missing the big picture.

Edit: I have a concern:

How can I tell that your chain was actually generated from the private key of the address you published? I don't think I can, and I don't think it even matters. So why not just say that you have generated a long chain of sha256 hashes, and omit the stuff about the private key of a Bitcoin address? The important thing is that you have committed to a particular chain by publishing the final hash in the chain before the (client seed / bitcoin block hash) is known.

It would be nice to have a 10 BTC bounty be available as a tripwire and guaranteed reward, but there's no way I can know that you even used that private key anywhere in the process, so that bit comes back down to having to trust you.
member
Activity: 78
Merit: 10
January 13, 2015, 10:50:07 AM
#15
The server secret is a bitcoin private key, which corresponds to the address:
1J6qabbRQmxiii4j8mmAZ3XTvURZ8yzwfy, where a 10 bitcoin bounty awaits anyone who discovers the leaked server secret.

btw, are you saying there is a 10btc bounty for the compromisation of your scheme?
hero member
Activity: 868
Merit: 1000
January 13, 2015, 10:44:58 AM
#14
Welcome to the first provably fair seeding event. One of the most requested features of Money Pot has been to create a provably distribution of game crashes, to replace our provably predetermined multipliers.

The original scheme of turning a multiplayer game in which peers do not trust each other was first proposed by Dooglus, refined by Eric and solidified into code by Steve.

In order to ensure fairness, we need to select a client seed in a verifiable way, after we have publicised all details and cannot control the outcome of the client seed picking. This is where the seeding event comes in, we need you to witness the process to ensure nothing has changed. A good way to do this might be save the post, quote it somewhere, save a copy in some archiving services. If anyone wants me to email them a copy, PM me your email address.

Our plan is to use hash of the bitcoin block 339300 as the client seed. If anyone finds any flaws in the code or methodology, we will push the block back to accommodate.  

The technical details are as follows:

The method to create the hash chain is simply sha256:
Code:
function genGameHash(serverSeed) {
  return crypto.createHash('sha256').update(serverSeed).digest('hex');
}

The method to convert a game hash to a money pot multiplier is a bit more complex:

Code:
function crashPointFromHash(serverSeed, clientSeed) {
  function divisible(hash, mod) {
    // We will read in 4 hex at a time, but the first chunk might be a bit smaller
    // So ABCDEFGHIJ should be chunked like  AB CDEF GHIJ
    var val = 0;
    
    var o = hash.length % 4;
    for (var i = o > 0 ? o - 4 : 0; i < hash.length; i += 4) {
      val = ((val << 16) + parseInt(hash.substring(i, i+4), 16)) % mod;
    }

    return val === 0;
  }

  var hash = crypto.createHmac('sha256', serverSeed).update(clientSeed).digest('hex');

  /* In 1 of 101 games the game crashes instantly. */
  if (divisible(hash, 101))
     return 0;

  /* Use the most significant 52-bit from the hash
     to calculate the crash point */
  var h = parseInt(hash.slice(0,52/4),16);
  var e = Math.pow(2,52);

  return Math.floor((100 * e - h) / (e - h));
}

The chain could be generated with code such as:

Code:
var serverSecret =  'If you knew this, you could steal all my money';
var clientSeed = '0000examplehash';

var gamesToGenerate = 1e7;

var serverSeed = serverSecret;

for (var game = gamesToGenerate; game > 0; --game) {
  serverSeed = genGameHash(serverSeed);
  console.log('Game ' +  game + ' has a crash point of ' + (crashPointFromHash(serverSeed, clientSeed) / 100).toFixed(2) +'x', '\t\tHash: ' + serverSeed);
}

var terminatingHash = genGameHash(serverSeed);

console.log('The terminating hash is: ', terminatingHash);


Using our chosen starting serverSeed, the hash terminating the chain is c1cfa8e28fc38999eaa888487e443bad50a65e0b710f649affa6718cfbfada4d. That is to say, the first game's hash played under the new provably fair scheme, when hashed will be c1cfa8e28fc38999eaa888487e443bad50a65e0b710f649affa6718cfbfada4d.

The server secret is a bitcoin private key, which corresponds to the address:
1J6qabbRQmxiii4j8mmAZ3XTvURZ8yzwfy, where a 10 bitcoin bounty awaits anyone who discovers the leaked server secret.





got it.

quoted to prevent editing.



made it. i saved your reply to prevent major editing
member
Activity: 78
Merit: 10
January 13, 2015, 10:38:48 AM
#13
Welcome to the first provably fair seeding event. One of the most requested features of Money Pot has been to create a provably distribution of game crashes, to replace our provably predetermined multipliers.

The original scheme of turning a multiplayer game in which peers do not trust each other was first proposed by Dooglus, refined by Eric and solidified into code by Steve.

In order to ensure fairness, we need to select a client seed in a verifiable way, after we have publicised all details and cannot control the outcome of the client seed picking. This is where the seeding event comes in, we need you to witness the process to ensure nothing has changed. A good way to do this might be save the post, quote it somewhere, save a copy in some archiving services. If anyone wants me to email them a copy, PM me your email address.

Our plan is to use hash of the bitcoin block 339300 as the client seed. If anyone finds any flaws in the code or methodology, we will push the block back to accommodate.  

The technical details are as follows:

The method to create the hash chain is simply sha256:
Code:
function genGameHash(serverSeed) {
  return crypto.createHash('sha256').update(serverSeed).digest('hex');
}

The method to convert a game hash to a money pot multiplier is a bit more complex:

Code:
function crashPointFromHash(serverSeed, clientSeed) {
  function divisible(hash, mod) {
    // We will read in 4 hex at a time, but the first chunk might be a bit smaller
    // So ABCDEFGHIJ should be chunked like  AB CDEF GHIJ
    var val = 0;
    
    var o = hash.length % 4;
    for (var i = o > 0 ? o - 4 : 0; i < hash.length; i += 4) {
      val = ((val << 16) + parseInt(hash.substring(i, i+4), 16)) % mod;
    }

    return val === 0;
  }

  var hash = crypto.createHmac('sha256', serverSeed).update(clientSeed).digest('hex');

  /* In 1 of 101 games the game crashes instantly. */
  if (divisible(hash, 101))
     return 0;

  /* Use the most significant 52-bit from the hash
     to calculate the crash point */
  var h = parseInt(hash.slice(0,52/4),16);
  var e = Math.pow(2,52);

  return Math.floor((100 * e - h) / (e - h));
}

The chain could be generated with code such as:

Code:
var serverSecret =  'If you knew this, you could steal all my money';
var clientSeed = '0000examplehash';

var gamesToGenerate = 1e7;

var serverSeed = serverSecret;

for (var game = gamesToGenerate; game > 0; --game) {
  serverSeed = genGameHash(serverSeed);
  console.log('Game ' +  game + ' has a crash point of ' + (crashPointFromHash(serverSeed, clientSeed) / 100).toFixed(2) +'x', '\t\tHash: ' + serverSeed);
}

var terminatingHash = genGameHash(serverSeed);

console.log('The terminating hash is: ', terminatingHash);


Using our chosen starting serverSeed, the hash terminating the chain is c1cfa8e28fc38999eaa888487e443bad50a65e0b710f649affa6718cfbfada4d. That is to say, the first game's hash played under the new provably fair scheme, when hashed will be c1cfa8e28fc38999eaa888487e443bad50a65e0b710f649affa6718cfbfada4d.

The server secret is a bitcoin private key, which corresponds to the address:
1J6qabbRQmxiii4j8mmAZ3XTvURZ8yzwfy, where a 10 bitcoin bounty awaits anyone who discovers the leaked server secret.





got it.

quoted to prevent editing.
hero member
Activity: 868
Merit: 1000
January 13, 2015, 10:38:11 AM
#12
if bitcoin is still around at the end of the week, i'll check it out
member
Activity: 100
Merit: 10
Vires in numeris.
January 13, 2015, 10:30:03 AM
#11
Using our chosen starting serverSeed, the hash terminating the chain is c1cfa8e28fc38999eaa888487e443bad50a65e0b710f649affa6718cfbfada4d. That is to say, the first game played under the new provably fair scheme, will be played with this hash. The second money pot game played, when hashed will be this hash.

I don't like the wording. Was clearer before but fine with me. An offset of 1 doesn't really matter. But if you want to give everyone a free roll with a known hash, that's also fine with me Wink

I dont understand either.

please correct me where im wrong:
client seed: not yet known
server seed: priv. key of address

 hash terminating chain: c1cfa8e28fc38999eaa888487e443bad50a65e0b710f649affa6718cfbfada4d

^ how did you calculate that if you dont know the client seed?

OP updated the code. The server seed chain is calculated without the client seed as it's supposed to be. Look at the line in the for loop that updated the server seed variable:
Code:
  serverSeed = genGameHash(serverSeed);
member
Activity: 78
Merit: 10
January 13, 2015, 10:27:06 AM
#10
Using our chosen starting serverSeed, the hash terminating the chain is c1cfa8e28fc38999eaa888487e443bad50a65e0b710f649affa6718cfbfada4d. That is to say, the first game played under the new provably fair scheme, will be played with this hash. The second money pot game played, when hashed will be this hash.

I don't like the wording. Was clearer before but fine with me. An offset of 1 doesn't really matter. But if you want to give everyone a free roll with a known hash, that's also fine with me Wink

I dont understand either.

please correct me where im wrong:
client seed: not yet known
server seed: priv. key of address

 hash terminating chain: c1cfa8e28fc38999eaa888487e443bad50a65e0b710f649affa6718cfbfada4d

^ how did you calculate that if you dont know the client seed?

member
Activity: 100
Merit: 10
Vires in numeris.
January 13, 2015, 10:22:38 AM
#9
Using our chosen starting serverSeed, the hash terminating the chain is c1cfa8e28fc38999eaa888487e443bad50a65e0b710f649affa6718cfbfada4d. That is to say, the first game played under the new provably fair scheme, will be played with this hash. The second money pot game played, when hashed will be this hash.

I don't like the wording. Was clearer before but fine with me. An offset of 1 doesn't really matter. But if you want to give everyone a free roll with a known hash, that's also fine with me Wink
member
Activity: 100
Merit: 10
Vires in numeris.
January 13, 2015, 10:18:01 AM
#8
Thanks very much guys. I've updated the original post to address all the concerns and fix. Since we're well and truly before bitcoin block 339300 I have updated the final terminating hash and more tightly specified what it means.

Could you guys please give it a re-review, and generate another snapshot?

Ok looks good. Here is another snapshot http://web.archive.org/web/20150113151628/https://bitcointalk.org/index.php?topic=922898.0 and a new quote of OP:


Welcome to the first provably fair seeding event. One of the most requested features of Money Pot has been to create a provably distribution of game crashes, to replace our provably predetermined multipliers.

The original scheme of turning a multiplayer game in which peers do not trust each other was first proposed by Dooglus, refined by Eric and solidified into code by Steve.

In order to ensure fairness, we need to select a client seed in a verifiable way, after we have publicised all details and cannot control the outcome of the client seed picking. This is where the seeding event comes in, we need you to witness the process to ensure nothing has changed. A good way to do this might be save the post, quote it somewhere, save a copy in some archiving services. If anyone wants me to email them a copy, PM me your email address.

Our plan is to use hash of the bitcoin block 339300 as the client seed. If anyone finds any flaws in the code or methodology, we will push the block back to accommodate.  

The technical details are as follows:

The method to create the hash chain is simply sha256:
Code:
function genGameHash(serverSeed) {
  return crypto.createHash('sha256').update(serverSeed).digest('hex');
}

The method to convert a game hash to a money pot multiplier is a bit more complex:

Code:
function crashPointFromHash(serverSeed, clientSeed) {
  function divisible(hash, mod) {
    // We will read in 4 hex at a time, but the first chunk might be a bit smaller
    // So ABCDEFGHIJ should be chunked like  AB CDEF GHIJ
    var val = 0;
    
    var o = hash.length % 4;
    for (var i = o > 0 ? o - 4 : 0; i < hash.length; i += 4) {
      val = ((val << 16) + parseInt(hash.substring(i, i+4), 16)) % mod;
    }

    return val === 0;
  }

  var hash = crypto.createHmac('sha256', serverSeed).update(clientSeed).digest('hex');

  /* In 1 of 101 games the game crashes instantly. */
  if (divisible(hash, 101))
     return 0;

  /* Use the most significant 52-bit from the hash
     to calculate the crash point */
  var h = parseInt(hash.slice(0,52/4),16);
  var e = Math.pow(2,52);

  return Math.floor((100 * e - h) / (e - h));
}

The chain could be generated with code such as:

Code:
var serverSecret =  'If you knew this, you could steal all my money';
var clientSeed = '0000examplehash';

var gamesToGenerate = 1e7;

var serverSeed = serverSecret;

for (var game = gamesToGenerate; game > 0; --game) {
  serverSeed = genGameHash(serverSeed);
  console.log('Game ' +  game + ' has a crash point of ' + (crashPointFromHash(serverSeed, clientSeed) / 100).toFixed(2) +'x', '\t\tHash: ' + serverSeed);
}



Using our chosen starting serverSeed, the hash chain terminating with the hash c1cfa8e28fc38999eaa888487e443bad50a65e0b710f649affa6718cfbfada4d. That is to say, the first game played under the new provably fair scheme, will be played with this hash. The second money pot game played, when hashed will be this hash.

The server secret is a bitcoin private key, which corresponds to the address:
1J6qabbRQmxiii4j8mmAZ3XTvURZ8yzwfy, where a 10 bitcoin bounty awaits anyone who discovers the leaked server secret.

member
Activity: 78
Merit: 10
January 13, 2015, 09:59:48 AM
#7

The serverSeeds should be a pure sha256 chain without mixing the clientSeed in. Else you can't really give us the end of the chain ahead of the clientSeed Wink So

this is just false. there is no way to recover the serverseed from the chain, even with a known client.

edit:misunderstood. true, how can you be giving us the end value, if you yourself dont know the client seed OP?

Yes I noticed the misunderstanding. Terminology is not clear. I would call the start of the chain 'server secret' and then every element of the chain is a server seed for a specific game.

Anyway, OP, doesnt this mean you will need to generate such chains every week? seems unpractical, both to you and to players.  how many rolls did you pregenerate?

I think OP wanted to generate a chain of 10M seeds which would last ~6 years. OP obviously you already generated the chain, because you already told us the end. So what's 'gamesToGenerate' in reality?


i think that was the hash of the example case. he could not have created the real hash as he himself does not yet know the client seed - that block has not been mined yet!

op you need to comunicate more clearly if you want your system to be seen as transparent.
member
Activity: 100
Merit: 10
Vires in numeris.
January 13, 2015, 09:56:51 AM
#6

The serverSeeds should be a pure sha256 chain without mixing the clientSeed in. Else you can't really give us the end of the chain ahead of the clientSeed Wink So

this is just false. there is no way to recover the serverseed from the chain, even with a known client.

edit:misunderstood. true, how can you be giving us the end value, if you yourself dont know the client seed OP?

Yes I noticed the misunderstanding. Terminology is not clear. I would call the start of the chain 'server secret' and then every element of the chain is a server seed for a specific game.

Anyway, OP, doesnt this mean you will need to generate such chains every week? seems unpractical, both to you and to players.  how many rolls did you pregenerate?

I think OP wanted to generate a chain of 10M seeds which would last ~6 years. OP obviously you already generated the chain, because you already told us the end. So what's 'gamesToGenerate' in reality?
member
Activity: 78
Merit: 10
January 13, 2015, 09:50:07 AM
#5

The serverSeeds should be a pure sha256 chain without mixing the clientSeed in. Else you can't really give us the end of the chain ahead of the clientSeed Wink So

this is just false. there is no way to recover the serverseed from the chain, even with a known client.

edit:misunderstood. true, how can you be giving us the end value, if you yourself dont know the client seed OP?

Anyway, OP, doesnt this mean you will need to generate such chains every week? seems unpractical, both to you and to players.  how many rolls did you pregenerate?
Pages:
Jump to: