Wizard
• Posts: 26705
Joined: Oct 14, 2009
February 19th, 2020 at 6:29:08 AM permalink
This is a side-topic thread off of WIXIPLAY: A PROVABLY RIGGED ONLINE CASINO. I didn't want to hijack that thread with this tangent. That said, the purpose of this thread is to try to explain, hopefully correctly, how Internet casinos use cryptography to allegedly guarantee fair play.

Before explaining it, I have to explain what a "hash" is. Using a complicated mathematical algorithm, a string of text can be converted to a Hash. The same input will always result in the same Hash. However, knowing a Hash, one cannot determine the input that created it.

For example, if I always toss a salad in exactly the same way, then the same ingredients in the same initial configuration will always result in the same end salad after tossing it. However, an outsider can't look at the end product and know how the bowl looked before I started.

That said, here is how "guaranteed fair gaming" works in layman's terms.

1. The casino will pick a random 64-digit code in hexadecimal (a way of representing a number with 16 numerals: 0 to 9 and A to F). This code will not yet be shown to the player.
2. The casino will disclose the Hash of the code from step 1 to the player.
3. The player will also create a code, but may choose fewer characters or accept a random one provided by the casino.
4. The casino will combine the casino's secret code from step 1 and the player's code from step 2 to another 64-digit code in hexadecimal. Something called a "nonce" is thrown in, which I think is just one character separating the two.
5. The code in step 3 will be mapped to a game outcome. For example, if the game were single-zero roulette, it might take the first ten digits, convert them to base 10, divide that number by 37, and use the remainder as the winning number.
6. After the player clicks to make a bet, the game will show the winning outcome as well as the original code from step 1.
7. The player may use independent tools to take his own code from step 2 and the now-disclosed casino code from step 1, to generate the combined code. Knowing this code, the player can use yet other independent tools to ensure the game outcome was correct, given the two inputs, as well as the full hashes matching.

Let's use a very simplified example. Suppose, to determine the outcome in single-zero roulette, the following steps are followed:

1. Both player and dealer choose random integers with no maximum size.
2. The two integers are added together.
3. That number is divided by 37 and the remainder is declared the game outcome.
4. The game discloses the casino's random number, so the player can verify the outcome is fair.

However, where this breaks down is if the casino knows the algorithm is to add the two numbers, then it can easily cheat by choosing a random number resulting in a losing bet.

What actually happens is that instead of adding the two numbers, a complicated mathematical algorithm is used that neither party knows.

Here is a link to the explanation by the casino in question in the initial post on this topic: Provably Fair.

I welcome any and all corrections. I consider Scrooge to be the expert on this topic, so he should probably take on any advanced questions.
"For with much wisdom comes much sorrow." -- Ecclesiastes 1:18 (NIV)
AxelWolf
• Posts: 22296
Joined: Oct 10, 2012
February 19th, 2020 at 7:30:57 AM permalink
What would an online casino have to do to guarantee to the players everything's 100% random/provably fair that can be verified by the public? Are there any online casinos that use a method like that?

I'll exclude online casinos that are in legal jurisdiction, even those I assume can't be verified by the players.
♪♪Now you swear and kick and beg us That you're not a gamblin' man Then you find you're back in Vegas With a handle in your hand♪♪ Your black cards can make you money So you hide them when you're able In the land of casinos and money You must put them on the table♪♪ You go back Jack do it again roulette wheels turnin' 'round and 'round♪♪ You go back Jack do it again♪♪
7craps
• Posts: 1977
Joined: Jan 23, 2010
February 19th, 2020 at 11:12:19 AM permalink
Quote: AxelWolf

What would an online casino have to do to guarantee to the players everything's 100% random/provably fair that can be verified by the public?

super simple and will never happen.

Show the code (provide the actual code used) driving the game.

example: It was proven (shown) way back in the 1990s that the NGC 'code experts' were just not that, as some were way 'smarter' than those 'code experts'. (American Coin saga NOT told by the NGC or Ronald Dale Harris)
there will always be someone 'smarter than you' at what you are very smart at.
another 'fair' concept is with online poker sites. Many offer 'freerolls' to get your feet wet and see how things go. IF you see in no limit texas holdem games, for example, the flop having at least 1 Ace is about 2.5 in 5 or higher, is that considered 'fair' after 400k flops observed? most have NO clue as the math is too hard to do for many

show the actual code used and be careful

code can take a
simple rng result and do wonders with it... even make programmed decisions
that would not be considered 'fair'

you doubt that?
https://cardgames.io/yahtzee/
play against the computer and see when the computer player needs a 3 of a kind, it will throw away a small 3 of a kind trying for something worth more points. Really? That is just the tip of the iceberg.

The truth is, an online casino has NO $$$ incentive to have all their games offered for play
to be 'fair'. Too much competition and too much negative publicity.
They need to get each $ played and will do whatever it takes to get it.

some SAY they would (could, should, do) 'offer provably fair online games'
talk IS SO CHEAP

Why offer provably fair online games when it cuts into the bottom line?
Last edited by: 7craps on Feb 19, 2020
winsome johnny (not Win some johnny)
Wizard
• Posts: 26705
Joined: Oct 14, 2009
February 19th, 2020 at 1:57:30 PM permalink
Quote: AxelWolf

What would an online casino have to do to guarantee to the players everything's 100% random/provably fair that can be verified by the public? Are there any online casinos that use a method like that? I'll exclude online casinos that are in legal jurisdiction, even those I assume can't be verified by the players.

I don't know how much trouble it is for the casino. In my opinion, it is more likely to be unlicensed casinos (or have a worthless license) that are more likely to offer guaranteed fair play.
AxelWolf
• Posts: 22296
Joined: Oct 10, 2012
February 19th, 2020 at 2:02:28 PM permalink
A good reputation goes a long way in the online casino business. Most all the ones I can remember that had/have a really solid reputation are doing well.
scrooge
• Posts: 39
Joined: Nov 22, 2016
February 20th, 2020 at 12:34:42 PM permalink
Quote: Wizard

I don't know how much trouble it is for the casino. In my opinion, it is more likely to be unlicensed casinos (or have a worthless license) that are more likely to offer guaranteed fair play.

Correct, provably fair casinos are usually unlicensed BTC casinos. Provable fairness is seen as a substitute for licensing.
scrooge
• Posts: 39
Joined: Nov 22, 2016
February 20th, 2020 at 12:59:06 PM permalink
Quote: Wizard

1. Both player and dealer choose random integers with no maximum size.
2. The two integers are added together.
3. That number is divided by 37 and the remainder is declared the game outcome.
4. The game discloses the casino's random number, so the player can verify the outcome is fair.

However, where this breaks down is if the casino knows the algorithm is to add the two numbers, then it can easily cheat by choosing a random number resulting in a losing bet.

What actually happens is that instead of adding the two numbers, a complicated mathematical algorithm is used that neither party knows.

Actually the outcome generating algorithm is known to both parties. But the dealer can only exploit that if it knows the player's choice before making its own choice. So we use hashes to prove the dealer chose before the player chose. The brick and mortar analog of this would be to have the dealer write his number on a piece of paper, fold it up, and put it in a box. Then the player does the same thing. Then they open the box together and add the numbers modulo 37 to determine the outcome of the game. If y is random, then x+y is random, as long as x isn't chosen using prior knowledge of y.
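
The paper-in-a-box exchange described in the post above, as an added Python example that is not part of the thread. The salted SHA-256 seal, the function names and the sample numbers are assumptions made for illustration.

```python
import hashlib
import secrets

POCKETS = 37  # single-zero roulette: pockets 0..36

def seal(x: int, salt: bytes) -> str:
    """The folded paper in the box: SHA-256 over a random salt plus the number.
    The salt stops a small number being recovered by hashing every candidate."""
    return hashlib.sha256(salt + str(x).encode()).hexdigest()

def outcome(x: int, y: int) -> int:
    """The publicly known rule from the thread: add, then take the remainder mod 37."""
    return (x + y) % POCKETS

def dealer_choosing_last(y: int, wanted: int) -> int:
    """With no seal, a dealer who has already seen y can solve for x."""
    return (wanted - y) % POCKETS

def settle(sealed: str, x: int, salt: bytes, y: int):
    """Open the box: void the round unless the revealed x matches the seal."""
    if seal(x, salt) != sealed:
        return None  # the dealer's number changed after the player chose
    return outcome(x, y)

def demo():
    # Constructed round: the dealer seals x first, then the player picks y.
    x, salt = 1_000_003, secrets.token_bytes(16)
    sealed = seal(x, salt)
    y = 12
    honest = settle(sealed, x, salt, y)
    # The dealer now tries to reveal the x that would land the ball on 0.
    forged_x = dealer_choosing_last(y, wanted=0)
    forced = outcome(forged_x, y)               # what the swap would achieve
    swapped = settle(sealed, forged_x, salt, y) # what the seal check returns
    # With x fixed, the 37 residues of y map one-to-one onto the 37 pockets.
    spread = sorted(outcome(x, yy) for yy in range(POCKETS))
    return honest, forced, swapped, spread

if __name__ == "__main__":
    print(demo())
```
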
Wizard
• Posts: 26705
Joined: Oct 14, 2009
February 25th, 2020 at 4:40:53 PM permalink
Here is a preview of some text I plan to put in my expose on this. I welcome all comments.

Quote: Wizard

This video documents the Wixiplay.io casino cheating. The bets shown were made on Feb 19, 2020. I personally witnessed them.

It is hard to explain in layman's terms what is going on, but I will try. Wixiplay and many other crypto currency casinos use a "guaranteed fairness" process to show the outcome of a bet was predestined, before the player confirmed the bet.

This is done by a process called "hashing." In plain simple English, hashing takes a message and scrambles it up. The scrambled output will look like a long string of random characters. Seeing the output, one will not be able to determine the input that made the hash. However, using the same hashing function, the same input will always result in the same output.

A simplistic way this might guarantee fairness is suppose I want to make a bet on roulette against an Internet casino I don't necessarily trust. Let's say the casino predestines the result to be the 23 red. It could hash the number 23 and give me the hash of the outcome before I make the bet. Let's say I bet on black, which will come back a loser. I can then ask for the original message and get back the number 23. I put the "23" message in the hashing program and get back the same hash as what was given to me before I made the bet.

However, the actual process is more complicated. Here is briefly how it works:

1. The casino will create a long string of characters. It will provide to the player the hash of this string before the player makes a bet.
2. The player will choose a string of characters of his own, known as a key. The player may choose to keep the same key bet after bet if he wishes, in the interests of saving time, but this is not as secure.
3. After the player initiates the bet, the player's key will be used as input in hashing the string provided by the casino.
4. The first ten characters in the hash output of step 3 will be converted to a number. This will be a very large number.
5. The number from step 3 will be divided by 10,001.
6. The remainder from step 5 will be used to determine the outcome of the bet.
7. After the bet, the casino will reveal its string from step 1.
8. The player may use an independent hashing program to take the casino's string and his own key to get the hash of the outcome. He may then do the same math in steps 4 to 6 to verify the outcome. The player will know the outcome was predestined if the hash of the casino string matches the hash provided before the bet was made.

The casino can still cheat and not get caught if the player doesn't check the casino string before making the bet or not test it after the bet. The casino can know if the player checks these things. The way the casino can cheat is to keep using different strings, knowing the player key, until it gets a losing outcome. It will then tell the player the key that caused the losing outcome. If the player doesn't hash it and compare it to the hash provided before the bet, the cheating will go undetected.

I speculate very few players actually jump through all hoops to verify fairness. Even if the player does verify the hashes don't match, most crypto currency are unregulated so there is no regulator or authority to complain to. Complaining on gaming forums and making videos probably won't help get your money back, but at least serve as a way of warning other players.
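
A player-side check for the eight steps listed above, which also covers the seven-step outline in the opening post, written as an added Python example and not code from the thread or from any casino. SHA-256 for the published hash, HMAC-SHA256 for the keyed hash in step 3, and every sample string are assumptions; a real site's documented functions would replace them.

```python
import hashlib
import hmac

def roll(casino_string: str, player_key: str) -> int:
    """Steps 3 to 6: hash the casino string with the player's key, read the first
    ten hex characters as a number, and keep the remainder after dividing by 10,001.
    HMAC-SHA256 is an assumption standing in for the site's documented function."""
    digest = hmac.new(player_key.encode(), casino_string.encode(),
                      hashlib.sha256).hexdigest()
    return int(digest[:10], 16) % 10_001

def audit(published_hash: str, revealed_string: str, player_key: str,
          shown_roll: int) -> list:
    """Step 8: return a list of problems; an empty list means the round checks out."""
    problems = []
    actual = hashlib.sha256(revealed_string.encode()).hexdigest()
    if not hmac.compare_digest(actual, published_hash.lower()):
        problems.append("revealed string does not match the hash shown before the bet")
    if roll(revealed_string, player_key) != shown_roll:
        problems.append("displayed outcome does not follow from the two inputs")
    return problems

def demo():
    key = "my-own-key-001"      # constructed player key
    committed = "a3" * 32       # constructed 64-hex-digit casino string
    published = hashlib.sha256(committed.encode()).hexdigest()  # saved before the bet

    # Honest round: same string revealed, outcome computed from it.
    honest = audit(published, committed, key, roll(committed, key))

    # Substituted string: the outcome math is self-consistent, so only the
    # comparison against the hash recorded before the bet exposes the swap.
    substitute = "5c" * 32
    swapped = audit(published, substitute, key, roll(substitute, key))

    # Correct string revealed, but the displayed result is off by one.
    wrong = (roll(committed, key) + 1) % 10_001
    misreported = audit(published, committed, key, wrong)
    return honest, swapped, misreported

if __name__ == "__main__":
    for result in demo():
        print(result or "round verified")
```

The check only works if the published hash is recorded before the bet is placed, since a hash copied down afterwards proves nothing about when the casino chose its string.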