Bitcoin Forum

Economy => Gambling => Topic started by: mexxer-2 on December 06, 2015, 01:03:02 PM



Title: I know how provably fair works but...
Post by: mexxer-2 on December 06, 2015, 01:03:02 PM
Hey there, well I suppose nearly everyone on this board has heard about provably fair and how it is user verifiable etc. The client seed is entered by user, nonce is "created" by adding 1 successively after every roll, but how is server seed created, which script/algorithm does it use to create a random string of letters? Does it differ from site to site?


Title: Re: I know how provably fair works but...
Post by: adaseb on December 06, 2015, 02:02:12 PM
Hey there, well I suppose nearly everyone on this board has heard about provably fair and how it is user verifiable etc. The client seed is entered by user, nonce is "created" by adding 1 successively after every roll, but how is server seed created, which script/algorithm does it use to create a random string of letters? Does it differ from site to site?

I think it's created from the machine time based on the nano/microsecond or put through a rand function kind of like what you see in Microsoft Excel.

Probably next to impossible to guess.


Title: Re: I know how provably fair works but...
Post by: mexxer-2 on December 06, 2015, 02:03:02 PM
I think it's created from the machine time based on the nano/microsecond or put through a rand function kind of like what you see in Microsoft Excel.

Probably next to impossible to guess.
Both are exploitable so I'm going with no.


Title: Re: I know how provably fair works but...
Post by: JackpotRacer on December 06, 2015, 02:12:11 PM
Hey there, well I suppose nearly everyone on this board has heard about provably fair and how it is user verifiable etc. The client seed is entered by user, nonce is "created" by adding 1 successively after every roll, but how is server seed created, which script/algorithm does it use to create a random string of letters? Does it differ from site to site?

I am very interested in the correct answer

thank you for the question


Title: Re: I know how provably fair works but...
Post by: Lutpin on December 06, 2015, 02:18:33 PM
Both are exploitable so I'm going with no.

Are they?
It doesn't matter how the server seed is created. That's the idea of provably fair.
Why doesn't it matter?
Because the combination of server and client seed are creating the result, not one of those independently.

You can enter your client seed, basically anything you like,
so the server seed can be exactly the same, anything they like.


Title: Re: I know how provably fair works but...
Post by: mexxer-2 on December 06, 2015, 02:19:39 PM
Both are exploitable so I'm going with no.

Are they?
It doesn't matter how the server seed is created. That's the idea of provably fair.
Why doesn't it matter?
Because the combination of server and client seed are creating the result, not one of those independently.

You can enter your client seed, basically anything you like,
so the server seed can be exactly the same, anything they like.
They are exploitable by the player. Same thing as hufflepuff in a nutshell


Title: Re: I know how provably fair works but...
Post by: Lutpin on December 06, 2015, 02:25:12 PM
They are exploitable by the player. Same thing as hufflepuff in a nutshell

But only if you know how they are created. If you know how things work, if you find an exploit in one specific situation.
So not knowing how exactly one site is creating their server seed is part of the process to prevent userside exploits, right?
Further, it doesn't matter how the site does it, as explained above. That's probably why most people don't know it/don't care.


Title: Re: I know how provably fair works but...
Post by: Joel_Jantsen on December 06, 2015, 02:25:34 PM
The scripts can be coded in any back-end server-side programming language like PHP or Node.js. These languages have a random function which generates the random number based on conditions. Example: generate random().integers<100. This will allow to generate the numbers less than 100 randomly. When most of the websites say they are provably fair I never believe it because they can choose what to show and have hiding functions scamming the fuck outta you.


Title: Re: I know how provably fair works but...
Post by: mexxer-2 on December 06, 2015, 02:28:09 PM
But only if you know how they are created. If you know how things work, if you find an exploit in one specific situation.
So not knowing how exactly one site is creating their server seed is part of the process to prevent userside exploits, right?
Further, it doesn't matter how the site does it, as explained above. That's probably why most people don't know it/don't care.
@Me, you're not supposed to argue with yourself(insider joke)
At any rate, my concern being, the numbers are random but the server seed can be exploitable if the function which creates them is weak(not secure) and known.
P.S: That and I have to create an algorithm for provably fair.


Title: Re: I know how provably fair works but...
Post by: Lutpin on December 06, 2015, 02:28:35 PM
When most of the websites say they are provably fair I never believe it because they can choose what to show and have hiding functions scamming the fuck outta you.

That's funny. Thanks for the laugh :D
That the same for the "provably fair" casino in your sig?

At any rate, my concern being, the numbers are random but the server seed can be exploitable if the function which creates them is weak(not secure) and known.
P.S: That and I have to create an algorithm for provably fair.

I'd suggest a "Don't Ask. Don't Tell." attitude.
P.S.: Who the hell is crazy enough to let YOU take care of that. "(insider joke)"


Title: Re: I know how provably fair works but...
Post by: ranochigo on December 06, 2015, 02:32:05 PM
Both are exploitable so I'm going with no.

Are they?
It doesn't matter how the server seed is created. That's the idea of provably fair.
Why doesn't it matter?
Because the combination of server and client seed are creating the result, not one of those independently.

You can enter your client seed, basically anything you like,
so the server seed can be exactly the same, anything they like.
They are exploitable by the player. Same thing as hufflepuff in a nutshell
Hufflepuff incident required the user to know the server seed beforehand and it wasn't due to a weak RNG for the server seed. Hufflepuff was able to get an active seed. The seed was used by multiple players and it was not guessed.


Title: Re: I know how provably fair works but...
Post by: edmundduke on December 06, 2015, 02:35:24 PM
Hey there, well I suppose nearly everyone on this board has heard about provably fair and how it is user verifiable etc. The client seed is entered by user, nonce is "created" by adding 1 successively after every roll, but how is server seed created, which script/algorithm does it use to create a random string of letters? Does it differ from site to site?

Unfortunately I can't really say how or which algorithm they use as I do not know, but I can say that it does differ from site to site. Some sites have the same "basic formula" but some parts like secrets need to be different etc. or one site could exploit the other.


Title: Re: I know how provably fair works but...
Post by: mexxer-2 on December 06, 2015, 02:37:08 PM
Hufflepuff incident required the user to know the server seed beforehand and it wasn't due to a weak RNG for the server seed. Hufflepuff was able to get an active seed. The seed was used by multiple players and it was not guessed.
I am aware of that, but considering no one has talked about how server seeds themselves are created, it got me curious(that and me having to create the algorithm). As for the hufflepuff incident, I meant, if someone knows/accurately guesses how server seeds are created and the algorithm is weak, say it creates variables like "1111111111a", then "111111111b" , or "ab" "al" "et" "eb"(XY, x is unchanged the first time, the second time increased by 4, Y changes by 8 variables) etc, they can know what the next/all server seeds will be.
At any rate, to rephrase my question, how would you make the random variable generator such that the RN(Variable)G in itself is secure.


Title: Re: I know how provably fair works but...
Post by: RHavar on December 06, 2015, 10:00:30 PM
how is server seed created, which script/algorithm does it use to create a random string of letters? Does it differ from site to site?

As a user, you don't really care. That's because the only real point of the server seed is for the gambling server to protect itself against players who wish to cheat. So even if the server seed was always 0, the game would still be provably fair for you (but the casino would get robbed blind).


And yes, it does vary site to site. Some people even think using things based on the current time is a good idea. But the server seed is to protect the casino from gamblers, so it should be as unpredictable as possible. Using data from /dev/urandom is probably going to be your best bet most of the time, or you can look up some cryptographically random number generators which will also work fine.


Title: Re: I know how provably fair works but...
Post by: vit1988 on December 07, 2015, 08:02:13 PM
We have an intern who moves the mouse all day to create enough entropy for the random generator.  ;D


Title: Re: I know how provably fair works but...
Post by: dooglus on December 07, 2015, 08:08:34 PM
It doesn't matter how the server seed is created. That's the idea of provably fair.
Why doesn't it matter?
Because the combination of server and client seed are creating the result, not one of those independently.

It very much matters.

If the server seed is generated using a hash of the current time in millionths of a second then the player can easily cheat. He just needs to notice what the time is when the server seed is created, then hash a few million times in that neighbourhood until he gets the server seed hash that the site has shown him. Then he has the server seed and can predict all his future rolls.

The server seeds should be entirely unpredictable, to prevent such attacks. Collect entropy from wherever you can to make your RNG unpredictable.
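
The point made in the two posts above (RHavar's /dev/urandom advice and dooglus's warning about clock-derived seeds), as an added example that is not part of the thread or any site's code. The roll formula, the exact form of the weak scheme (SHA-256 of the microsecond clock) and the timestamp are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets

ROLL_STEPS = 10_000                       # rolls run 0.00 .. 99.99
LIMIT = 2**32 - (2**32 % ROLL_STEPS)      # rejection bound, avoids modulo bias


def new_server_seed() -> str:
    """256 bits from the OS CSPRNG (on Linux, the source behind /dev/urandom)."""
    return secrets.token_hex(32)


def weak_time_seed(t_us: int) -> str:
    """Assumed weak scheme from the thread: hash of the clock in microseconds."""
    return hashlib.sha256(str(t_us).encode()).hexdigest()


def commitment(server_seed: str) -> str:
    """Hash shown to the player before betting; the seed itself stays secret."""
    return hashlib.sha256(server_seed.encode()).hexdigest()


def roll(server_seed: str, client_seed: str, nonce: int) -> float:
    """Assumed roll formula: HMAC-SHA256 keyed by the server seed."""
    counter = 0
    while True:
        msg = f"{client_seed}:{nonce}:{counter}".encode()
        digest = hmac.new(server_seed.encode(), msg, hashlib.sha256).digest()
        for i in range(0, len(digest), 4):
            value = int.from_bytes(digest[i:i + 4], "big")
            if value < LIMIT:
                return (value % ROLL_STEPS) / 100
        counter += 1  # all eight 32-bit chunks rejected: practically never


def verify_roll(revealed_seed: str, shown_commitment: str,
                client_seed: str, nonce: int, claimed: float) -> bool:
    """Player-side check once the site reveals the seed it committed to."""
    if not hmac.compare_digest(commitment(revealed_seed), shown_commitment):
        return False  # site swapped the seed after the bet
    return roll(revealed_seed, client_seed, nonce) == claimed


def commitment_matches_clock_seed(shown_commitment: str,
                                  around_us: int, window_us: int) -> bool:
    """Operator self-audit: can the published hash be reproduced from a
    timestamp near the seed's creation time? True means the seed space is
    only 2 * window_us + 1 candidates instead of 2**256."""
    for t_us in range(around_us - window_us, around_us + window_us + 1):
        if commitment(weak_time_seed(t_us)) == shown_commitment:
            return True
    return False


if __name__ == "__main__":
    created_us = 1_449_518_914_123_456            # constructed timestamp
    observed_us = created_us + 1_500              # observer's clock is 1.5 ms off

    weak_commit = commitment(weak_time_seed(created_us))
    strong_seed = new_server_seed()
    strong_commit = commitment(strong_seed)

    print("clock-derived seed reproducible:",
          commitment_matches_clock_seed(weak_commit, observed_us, 5_000))
    print("CSPRNG seed reproducible:      ",
          commitment_matches_clock_seed(strong_commit, observed_us, 5_000))

    result = roll(strong_seed, "constructed-client-seed", 0)
    print("roll:", result, "verifies:",
          verify_roll(strong_seed, strong_commit,
                      "constructed-client-seed", 0, result))
```

Running the audit against a site's own seed generator before launch shows whether the published hash leaks the seed; the player-side `verify_roll` is unaffected by how the seed was made, which is the sense in which the game stays provably fair either way.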


Title: Re: I know how provably fair works but...
Post by: mexxer-2 on December 16, 2015, 07:09:06 AM

It very much matters.

If the server seed is generated using a hash of the current time in millionths of a second then the player can easily cheat. He just needs to notice what the time is when the server seed is created, then hash a few million times in that neighbourhood until he gets the server seed hash that the site has shown him. Then he has the server seed and can predict all his future rolls.
My point as well.
Quote
The server seeds should be entirely unpredictable, to prevent such attacks. Collect entropy from wherever you can to make your RNG unpredictable.
What source, as a dice site owner, would you suggest for an "unpredictable RNG"?


Title: Re: I know how provably fair works but...
Post by: diodio1 on December 16, 2015, 07:18:09 AM
---Snip--- Does it differ from site to site?
Logically it's not necessary ;), but practically it depends on the software.
Every dice site is made by DEVELOPERS, who develop code, and the person who invests or holds/owns the bankroll makes sure that the site uses unique software so that no person can cheat them.
Ex: when you wanna attend a party function of someone special then you look for a single piece dress so that you have only that copy and that's a guarantee that none of the people will wear the same clothes at the party.


Title: Re: I know how provably fair works but...
Post by: MillionsBTCdev on December 16, 2015, 08:58:38 AM
To answer OP's question, there are different types/kinds of "scripts/algo" one can use to generate a random seed, and most of the time, it varies from site to site, depending on how it was programmed by their dev. But nowadays, devs stick to what is "common", therefore you might see different sites that use the same algo to generate a random seed. But of course it doesn't mean both sites will have the same server seed (tho there is a very very slim chance it could happen).

You can program a computer to generate a random number, but that program is and will always be at the mercy of its programming. So you cannot actually say that it has given you a random number because the fact is, it's just following the sequence of how it is programmed; it generally starts with something then follows a pattern. Tho the complexity of the result is enough to be called random, it's never truly random since it is just ruled by a consistently repeating algorithm. These are called "pseudo-random number generators" (PRNG). And most of the sites use this kind of way to generate their seeds.

So any script/algo programmed on a computer is always a PRNG? Answer is no. One can generate a True Random Number Generator (TRNG) on a computer, this is by use of different kinds of entropy. Some use a device that relies on thermal, noise or any unpredictable environmental elements that we as humans have no control over. And this can be called a true random number generator. Like ryan said, one can use /dev/random, which uses environmental noise. Another example is Random.org, which they claim uses atmospheric noise to generate true randomness.

So the fact is, most sites use PRNG? Yes. So there is a possibility to crack it? YES and NO. If we talk of possibility, then yes there is always a possibility of something, but the probability of that happening is so low. Like I said above, the complexity of the results of a PRNG is enough to be called random, therefore the chance to crack a single seed is so low that if compared, you'd have a better chance of winning the lottery than trying to crack it in a lifetime.

-uni


Title: Re: I know how provably fair works but...
Post by: JackpotRacer on December 16, 2015, 09:18:10 AM
thank you very much for taking the time to explain your knowledge in a more detailed way.

as I know you are a coder so if all depends on you regarding the provably fair implementation nothing bad can happen to your bank roll. but you know what happened to Magical Dice :( how could they or any other non coder (like we) prevent this to happen?



Title: Re: I know how provably fair works but...
Post by: MillionsBTCdev on December 16, 2015, 09:31:43 AM
In an online business, there is no 100% foolproof protection against this. Even big companies can get in trouble if their devs turn rogue. But there are ways to prevent this. One example is a structural design of your system. One dev should only be assigned to a certain part of the system and not have access to everything. If your system is project based, then one dev should have no access to the system at all once the project is finished. Another is to hire a 3rd party security guy that will double check your site's code and integrity. There may be other ways, but the fact is, it is doable.

But personally, my opinion is, an owner "MUST" at least know the basic logic of his own system; you don't have to know how to code, but knowing how your system works is a must. Trust is a big word when it comes to this "pixelized" online world, but with proper preparation and strategy, an owner won't need this to have a successful site.

The issue with magicaldice is that they hired a dev, and trusted the dev to run the site and have full access. When MD1 went live, the dev should no longer have access to their database, and only grant access to the dev on special occasions like fixing bugs etc., and then immediately revoke it once it is fixed. I know there may be "holes" in my statement, but that's the basic. Owners already had this idea, what if their dev creates an alt and plays. But they trusted their dev not to do it, which is totally wrong.

-uni


Title: Re: I know how provably fair works but...
Post by: JackpotRacer on December 16, 2015, 09:52:55 AM
thank you again for the detailed answer very much appreciated

please let me ask you if there is a way to let someone code and implement the provably fair option and then close it like a safe that no one will have access and in case the safe is damaged we will see it and stop the game.

we can't code and don't have the provably fair knowledge to run a casino on our own we would always need coder.  the sharks would eat us alive :) like it happened with MD
that is mainly the reason why we are on moneypot

thanks again



Title: Re: I know how provably fair works but...
Post by: Betwrong on December 16, 2015, 09:58:11 AM
To answer OP's question, there are different types/kinds of "scripts/algo" one can use to generate a random seed, and most of the time, it varies from site to site, depending on how it was programmed by their dev. But nowadays, devs stick to what is "common", therefore you might see different sites that use the same algo to generate a random seed. But of course it doesn't mean both sites will have the same server seed (tho there is a very very slim chance it could happen).

You can program a computer to generate a random number, but that program is and will always be at the mercy of its programming. So you cannot actually say that it has given you a random number because the fact is, it's just following the sequence of how it is programmed; it generally starts with something then follows a pattern. Tho the complexity of the result is enough to be called random, it's never truly random since it is just ruled by a consistently repeating algorithm. These are called "pseudo-random number generators" (PRNG). And most of the sites use this kind of way to generate their seeds.

So any script/algo programmed on a computer is always a PRNG? Answer is no. One can generate a True Random Number Generator (TRNG) on a computer, this is by use of different kinds of entropy. Some use a device that relies on thermal, noise or any unpredictable environmental elements that we as humans have no control over. And this can be called a true random number generator. Like ryan said, one can use /dev/random, which uses environmental noise. Another example is Random.org, which they claim uses atmospheric noise to generate true randomness.

So the fact is, most sites use PRNG? Yes. So there is a possibility to crack it? YES and NO. If we talk of possibility, then yes there is always a possibility of something, but the probability of that happening is so low. Like I said above, the complexity of the results of a PRNG is enough to be called random, therefore the chance to crack a single seed is so low that if compared, you'd have a better chance of winning the lottery than trying to crack it in a lifetime.

-uni

Thank you very much for your explanation! It is written in simple language and at the same time is shedding light on such complicated and incomprehensible things that I can say nothing but WOW! Man, you should write books.


Title: Re: I know how provably fair works but...
Post by: MillionsBTCdev on December 16, 2015, 11:29:56 AM
Quote
thank you again for the detailed answer very much appreciated

please let me ask you if there is a way to let someone code and implement the provably fair option and then close it like a safe that no one will have access and in case the safe is damaged we will see it and stop the game.

we can't code and don't have the provably fair knowledge to run a casino on our own we would always need coder.  the sharks would eat us alive :) like it happened with MD
that is mainly the reason why we are on moneypot

thanks again

Yes, there is a way. One example is, if you hire a dev to create a website for you, have it done on a test server. Once it is done, the dev will give you the full source with installation instructions for your own server. Before installing, have a 3rd party check the code for you. Again, this is before you install it on your live server, meaning database names, database password and other critical variables are not yet set.

A good dev keeps notes, but a great dev gives detailed documentation. Have your dev give you documentation, maybe a PDF or something that gives a detailed explanation of how the system works in layman's terms; documentation includes processes, every page's role, the logic of how the system works, the algorithm used, 3rd party scripts used if there are any, installation instructions, security modules or scripts used, etc.

Once the code has been checked, you then install it on your live server, and it's the only time where you will be asked for database names, database passwords etc.

Doing this, you can be sure that only you know the critical variables for your site. Some sites open up a semi-production site which they call a beta version of the site, which is open for the public to check for bugs etc. And if ever bugs occur, the original dev has the original source code, therefore he can have it fixed on his end without accessing the live server itself, then he can just give you an updated source to fix the bug, and you can have a 3rd party check it again. All this depends on what the agreement is between you and the dev.

There are many ways one can prevent a dev from turning against the owner. Above is just one example I can think of.

-uni


Title: Re: I know how provably fair works but...
Post by: JackpotRacer on December 16, 2015, 12:16:57 PM
thank you very much again :) this was very helpful for us because this could be a solution for us old men who cannot code.


btw I can't connect to your app :(


Title: Re: I know how provably fair works but...
Post by: MillionsBTCdev on December 16, 2015, 01:27:29 PM
We had some issues regarding DDoS, the server was attacked while I was asleep, and my node crashed. It was unexpected, but it's fixed now. Thanks