Guaranteed Fair Gaming for Dummies

This is a side-topic thread off of WIXIPLAY: A PROVABLY RIGGED ONLINE CASINO. I didn't want to hijack that thread with this tangent. That said, the purpose of this thread is to try to explain, hopefully correctly, how Internet casinos use cryptography to allegedly guarantee fair play.

Before explaining it, I have to explain what a "hash" is. Using a complicated mathematical algorithm, a string of text can be converted to a Hash. The same input will always result in the same Hash. However, knowing a Hash, one cannot determine the input that created it.

For example, if I always toss a salad in exactly the same way, then the same ingredients in the same initial configuration will always result in the same end salad after tossing it. However, an outsider can't look at the end product and know how the bowl looked before I started.

That said, here is how "guaranteed fair gaming" works in layman's terms.

1. The casino will pick a random 64-digit code in hexadecimal (a way of representing a number with 16 numerals: 0 to 9 and A to F). This code will not yet be shown to the player.
   
2. The casino will disclose the Hash of the code from step 1 to the player.
   
3. The player will also create a code, but may choose fewer characters or accept a random one provided by the casino.
   
4. The casino will combine the casino's secret code from step 1 and the player's code from step 2 to another 64-digit code in hexadecimal. Something called a "nonce" is thrown in, which I think is just one character separating the two.
   
5. The code in step 3 will be mapped to a game outcome. For example, if the game were single-zero roulette, it might take the first ten digits, convert them to base 10, divide that number by 37, and use the remainder as the winning number.
   
6. After the player clicks to make a bet, the game will show the winning outcome as well as the original code from step 1.
   
7. The player may use independent tools to take his own code from step 2 and the now-disclosed casino code from step 1, to generate the combined code. Knowing this code, the player can use yet other independent tools to ensure the game outcome was correct, given the two inputs, as well as the full hashes matching.
   

Let's use a very simplified example. Suppose, to determine the outcome in single-zero roulette, the following steps are followed:

1. Both player and dealer choose random integers with no maximum size.
   
2. The two integers are added together.
   
3. That number is divided by 37 and the remainder is declared the game outcome.
   
4. The game discloses the casino's random number, so the player can verify the outcome is fair.
   

However, where this breaks down is if the casino knows the algorithm is to add the two numbers, then it can easily cheat by choosing a random number resulting in a losing bet.

What actually happens is that instead of adding the two numbers, a complicated mathematical algorithm is used that neither party knows.

Here is a link to the explanation by the casino in question in the initial post on this topic: Provably Fair.

I welcome any and all corrections. I consider Scrooge to be the expert on this topic, so he should probably take on any advanced questions.

What would an online casino have to do to guarantee to the players everything's 100% random/provably fair that we can be verified by the public? Are there any online casinos that use a method like that?


I'll exclude online casinos that are in legal jurisdiction, even those I assume can't be verified by the players.

Quote: AxelWolf

What would an online casino have to do to guarantee to the players everything's 100% random/provably fair that we can be verified by the public?

super simple and will never happen.

Show the code (provide the actual code used) driving the game.

example: It was proven (shown) way back in the 1990s that the NGC 'code experts' were just not that, as some were way 'smarter' than those 'code experts'. (American Coin saga NOT told by the NGC or Ronald Dale Harris)
there will always be someone 'smarter than you' at what you are very smart at.

show the actual code used and be careful

code can take a
simple rng result and do wonders with it... even make programmed decisions
that would not be considered 'fair'

you doubt that?


The truth is, an online casino has NO $$$ incentive to have all their games offered for play
to be 'fair'. Too much competition and too much negative publicity.
They need to get each $ played and will do whatever it takes to get it.

some SAY they would (could, should, do) 'offer provably fair online games'
talk IS SO CHEAP

Why offer provably fair online games when it cuts into the bottom line?

Quote: AxelWolf

What would an online casino have to do to guarantee to the players everything's 100% random/provably fair that we can be verified by the public? Are there any online casinos that use a method like that? I'll exclude online casinos that are in legal jurisdiction, even those I assume can't be verified by the players.

I don't know how much trouble it is for the casino. In my opinion, it is more likely to be unlicensed casinos (or have a worthless license) that are more likely to offer guaranteed fair play.

A good reputation goes along way in the online casino business. Most all the one's I can remember that had/have a really solid reputation are doing well.

Quote: Wizard

I don't know how much trouble it is for the casino. In my opinion, it is more likely to be unlicensed casinos (or have a worthless license) that are more likely to offer guaranteed fair play.

Correct, provably fair casinos are usually unlicensed BTC casinos. Provable fairness is seen as a substitute for licensing.

Quote: Wizard

1. Both player and dealer choose random integers with no maximum size.
   
2. The two integers are added together.
   
3. That number is divided by 37 and the remainder is declared the game outcome.
   
4. The game discloses the casino's random number, so the player can verify the outcome is fair.
   

However, where this breaks down is if the casino knows the algorithm is to add the two numbers, then it can easily cheat by choosing a random number resulting in a losing bet.

What actually happens is that instead of adding the two numbers, a complicated mathematical algorithm is used that neither party knows.

Actually the outcome generating algorithm is known to both parties. But the dealer can only exploit that if it knows the player's choice before making its own choice. So we use hashes to prove the dealer chose before the player chose. The brick and mortar analog of this would be to have the dealer write his number on a piece of paper, fold it up, and put it in a box. Then the player does the same thing. Then they open the box together and add the numbers modulo 37 to determine the outcome of the game. If y is random, then x+y is random, as long as x isn't chosen using prior knowledge of y.

Here is a preview of some text I plan to put in my expose on this. I welcome all comments.

Quote: Wizard

This video documents the Wixiplay.io casino cheating. The bets shown were made on Feb 19, 2020. I personally witnessed them.

It is hard to explain in layman's terms what is going on, but I will try. Wixiplay and many other crypto currency casinos use a "guaranteed fairness" process to show the outcome of a bet was predestined, before the player confirmed the bet.

This is done by a process called "hashing." In plain simple English, hashing takes a messages and scrambles it up. The scrambled output will look like a long string of random characters. Seeing the output, one will not be able to determine the input that made the hash. However, using the same hashing function, the same input will always result in the same output.

A simplistic way this might guarantee fairness is suppose I want to make a bet on roulette against an Internet casino I don't necessarily trust. Let's say the casino predestines the result to be the 23 red. It could hash the number 23 and give me the hash of the outcome before I make the bet. Let's say I bet on black, which will come back a loser. I can then ask for the original message and get back the number 23. I put the "23" message in the hashing program and get back the same hash as what was given to me before I made the bet.

However, the actual process is more complicated. Here is briefly how it works:

1. The casino will create a long string of characters. It will provide to the player the hash of this string before the player makes a bet.
2. The player will choose a string of characters of his own, known as a key. The player may choose to keep the same key bet after bet if he wishes, in the interests of saving time, but this is not as secure.
3. After the player initiates the bet, the players key will be used as input in hashing the string provided by the casino.
4. The first ten characters in the hash output of step 3 will be converted to a number. This will be a very large number.
5. The number from step 3 will be divided by 10,001.
6. The remainder from step 5 will used to determine the outcome of the bet.
7. After the bet, the casino will reveal it's string from step 1.
8. The player may use an independent hashing program to take the casino's string, his own key, to get the hash of the outcome. He may then do the same math in steps 4 to 6 to verify the outcome. The player will know the outcome was predestined if the hash of the casino string matches the hash provided before the bet was made.


The casino can still cheat and not get caught if the player doesn't check the casino string before making the bet or not test it after the bet. The casino can know if the player checks these things. The way the casino can cheat is to keep using different strings, knowing the player key, until it gets a losing outcome. It will then tell the player the key that caused the losing outcome. If the player doesn't hash it and compare it to the has provided before the bet, the cheating will go undetected.

I speculate very few players actually jump through all hoops to verify fairness. Even if the player does verify the hashes don't match, most crypto currency are unregulated so there is no regulator or authority to complain to. Complaining on gaming forums and making videos probably won't help get your money back, but at least serve as a way of warning other players.