UPDATE (31/08/20): BTCGOSU has launched a biggest third-party provably fair verifier tool where you can verify bets for over 25 casinos in single page. Check out now: https://www.btcgosu.com/tools/provably-fair-verifier/Provably Fair Script is one of the basic element of online gambling, especially for crypto based casinos. However, most of the gamblers don't give dime about it while some don't even know what is it and how it operates. I started crypto gambling in 2016 and didn't know about Provably Fair for most of my initial gambling days. But believe me in the absence of Provably Fair, you are not gambling, you are just being cheated by the house.
The basic idea of this thread is to share my views on PF script and how to make most out of it. I have spent few weeks developing unique logic for Provably Fair script for upcoming gambling site clubbing it with blockchain technology. While developing it, I visited around 20 casinos and tried their PF script to understand current practice. However, this thread is not about my script but about current practice.
If you are in this section, you probably have heard about Provably Fair script and may be verifying your bets too. But have you ever tried to understand the logic behind it? If not, let me give a brief explanation on how Provably Fair system works.
Different gambling sites use different Provably Fair implementation however the basic idea is to generate a random number based on three factors: client seed, server seed and nonce.
Client seed: It can be anything. It is up to player to choose anything as his client seed. For example, I can use 'webtricksClientSeed' as my client seed or 'thisIsMyRandomClientSeed'. However, while choosing client seed make sure three things:
(i) Always choose new seed for new bet (never try same client seed with new server seed).
(ii) Don't choose easily identifiable seeds like I mentioned above (close your eyes and type random numbers and alphabets. I do like this and it works
).
(iii) Site will generate random client seed for you but don't use it. Always choose your own.
Server Seed: It is generated by server. Server will choose random string of random length and convert it to sha256 hash which will provided to you. For example, if server picks 'thisIsRandomSeed' as server seed then this will be provide you: 45006cccc7e44ee0b6c0752469de2fe1ad6bff589fb789bfb60773224cf2cc0a.
Since sha256 is one-way hashing you will know sha256 hash before making bet but you cannot decipher server seed before betting. The site will show you unhashed server seed once you change your seeds. Then you can verify that the sha256 hash of server seed is similar to what was presented to you before bet.
Nonce: In context of Provably Fair, nonce is mostly regarded as the number of times you have made bet with the combination of same client and server seed. For example, if I make two bets with 'ClientSeed' as client seed and 'ServerSeed' as server seed then the result of bet will be generated on the basis of 'ClientSeed+1+ServerSeed' for first bet and 'ClientSeed+2+ServerSeed' for second bet.
Here is graphical illustration of what I just said:
(
Some people say my drawings are as good as Picasso's.)
Now coming to how results are driven from these seeds. As I said earlier, different sites use different logic to determine result. However, there is one basic logic which is being used by around 80% of the casinos, notably Fortunejack, PrimeDice, Bitsler etc. This is how it works:
Step 1: First of all let's assume three variables. Server seed = 'ServerSeed', client seed = 'ClientSeed' and nonce = 1. Now we have to use hmac authentication by hashing our variables using sha512 hashing algorithm. Server seed will serve as a secret key to generate hash while client seed and nonce will be used as an input like this: 'ClientSeed-1' or 'client seed - nonce'.
Step 2: So the hash of the above seeds will look like this: 671e7387e26fa724d089521805430866b29f6849ad2928a26e5ed01101f72f57883b972f20f9464
d99ab13c2adcf37bd955863c69697739628d70969adba1ab3
Step 3: Not going into technical term and by simply sticking to layman's language, we have to take first 5 characters of hash i.e. 671e7. Now we have to convert these 5 characters from hex value to integer value which will be: 422375.
Step 4: If the integer value is between 0 and 1million (1,000,000) then it's ok. But if it is more than or equal to 1M then we will use next 5 characters from hash. But since in our case, 422375 is less than 1000000 so this number will determine the result.
Step 5: In this step, we will simply divide the value with 10000 and take the remainder for next step. In our case, 422375 when divided by 10000 will leave 2375 in remainder which will be consider for final step.
Step 6: In this step, we will simply divide the remainder by 100 and this will determine the final result. In our case it will be 23.75. This should match the dice roll. If not then site is most probably cheating you.
Now coming to the most important part. Probably this part is the main reason why I created this thread. Although, the above system is foolproof but site owners can easily fool you if you ain't paying enough attention. So here are the few points you should consider while gambling:
(i) Always copy server seed hash shown to you before betting.
(ii) After bet is complete, create new client seed. Make sure server seed is also changed along with it.
(iii) Once new client seed is created, site will show you unhashed server seed of previous bet. Copy it and convert it to sha256 hash using some third party online tool.
(iv) Match the server seed hash that you copied in step (i) to the one generated in step (iii) and make sure both are exactly same.
Two days ago, I tested my code with few people. I shown them different server seed hash before bet and after bet I kept first 6 characters same, last 3 characters same and few similar characters in the middle. It took just 30-40 seconds for my machine to generate such hash. With more powerful machine, I can speed up the process and create more matching characters. To my surprise, none of the tester noticed that they were shown different server hash before and after bet. It is human tendency that they only consider few letters (probably starting and ending ones) when presented random word like hexadecimal hash. So with bare eyes, no one was able to notice the difference. So be safe and make sure you verify every bet you make. Being a coding enthusiast, I can assure you that it is very much possible that house can easily manipulate results without player even noticing.
Another thing you can do is to use cross-casinos verification. For example, Fortunejack and Bitsler use same script, you can verify your fortunejack bets using bitsler's verification script.