Bitcoin Forum

Economy => Gambling discussion => Topic started by: RHavar on January 12, 2015, 10:50:35 PM



Title: Bustabit.com Provably Fair Seeding Event
Post by: RHavar on January 12, 2015, 10:50:35 PM
Welcome to the first provably fair seeding event. One of the most requested features of bustabit (https://www.bustabit.com) has been to create a provably distribution of game crashes, to replace our provably predetermined multipliers.

The original scheme (https://bitcointalk.org/index.php?topic=709185.msg8528454#msg8528454) of turning a multiplayer game in which peers do not trust each other was first proposed by Dooglus, refined by Eric and solidified into code by Steve.

The high level of the scheme is as follows:

1) We have generated a chain of 10 million sha256 hashes, starting with a server secret that has been repeatedly fed the output of sha256 back into itself 10 million times. The sha256 of the final hash in the chain is: c1cfa8e28fc38999eaa888487e443bad50a65e0b710f649affa6718cfbfada4d, by publicising it here we are preventing any ability to pick an alternate sha256 chain.


2) Bustabit will play through that chain of hashes, in reverse order, and use the hashes to determine the crash point in a probably fair manner.

3) To avoid criticism that the Bitcoin address used in step 1 was carefully chosen to generate lots of "bad" crash points, each hash in the chain will be salted with a client seed, which we have no control of. The client seed will be the block hash of a Bitcoin block that hasn't yet been mined: block 339300.


The reference code (javascript) is as follows:

The method to create the hash chain is simply sha256:
Code:
function genGameHash(serverSeed) {
  return crypto.createHash('sha256').update(serverSeed).digest('hex');
}

The method to convert a game hash, mix it with the picked client seed to a money pot multiplier:

Code:
function crashPointFromHash(serverSeed, clientSeed) {
  function divisible(hash, mod) {
    // We will read in 4 hex at a time, but the first chunk might be a bit smaller
    // So ABCDEFGHIJ should be chunked like  AB CDEF GHIJ
    var val = 0;
    
    var o = hash.length % 4;
    for (var i = o > 0 ? o - 4 : 0; i < hash.length; i += 4) {
      val = ((val << 16) + parseInt(hash.substring(i, i+4), 16)) % mod;
    }

    return val === 0;
  }

  var hash = crypto.createHmac('sha256', serverSeed).update(clientSeed).digest('hex');

  /* In 1 of 101 games the game crashes instantly. */
  if (divisible(hash, 101))
     return 0;

  /* Use the most significant 52-bit from the hash
     to calculate the crash point */
  var h = parseInt(hash.slice(0,52/4),16);
  var e = Math.pow(2,52);

  return Math.floor((100 * e - h) / (e - h));
}

The chain could be generated with code such as:

Code:
var serverSecret =  'If you knew this, you could steal all my money';
var clientSeed = '0000examplehash';

var gamesToGenerate = 1e7;

var serverSeed = serverSecret;

for (var game = gamesToGenerate; game > 0; --game) {
  serverSeed = genGameHash(serverSeed);
  console.log('Game ' +  game + ' has a crash point of ' + (crashPointFromHash(serverSeed, clientSeed) / 100).toFixed(2) +'x', '\t\tHash: ' + serverSeed);
}

var terminatingHash = genGameHash(serverSeed);

console.log('The terminating hash is: ', terminatingHash);


Using our chosen starting serverSeed, the hash terminating the chain is c1cfa8e28fc38999eaa888487e443bad50a65e0b710f649affa6718cfbfada4d. That is to say, the first game's hash played under the new provably fair scheme, when hashed will be c1cfa8e28fc38999eaa888487e443bad50a65e0b710f649affa6718cfbfada4d.


Title: Re: MoneyPot.com Provably Fair Seeding Event
Post by: blockage on January 12, 2015, 11:01:44 PM
Welcome to the first provably fair seeding event. One of the most requested features of Money Pot (https://www.moneypot.com) has been to create a provably distribution of game crashes, to replace our provably predetermined multipliers.

The original scheme (https://bitcointalk.org/index.php?topic=709185.msg8528454#msg8528454) of turning a multiplayer game in which peers do not trust each other was first proposed by Dooglus, refined by Eric and solidified into code by Steve.

In order to ensure fairness, we need to select a client seed in a verifiable way, after we have publicised all details and cannot control the outcome of the client seed picking. This is where the seeding event comes in, we need you to witness the process to ensure nothing has changed. A good way to do this might be save the post, quote it somewhere, save a copy in some archiving services. If anyone wants me to email them a copy, PM me your email address.

Our plan is to use hash of the bitcoin block 339300 as the client seed. If anyone finds any flaws in the code or methodology, we will push the block back to accommodate.  

The technical details are as follows:

The method to convert a serverSeed and clientSeed to a game hash is quite simple:
Code:
function genGameHash(serverSeed, clientSeed) {
  return crypto.createHmac('sha256', serverSeed).update(clientSeed).digest('hex');
}

The method to convert a game hash to a money pot multiplier is a bit more complex:
Code:
function crashPointFromHash(hash) {
  // Returns an integers corresponding to the game crash. 123 = Game crashes at 1.23x

  function divisible(hash, mod) {
    // We will read in 4 hex at a time, but the first chunk might be a bit smaller
    // So ABCDEFGHIJ should be chunked like  AB CDEF GHIJ
    var val = 0;
    
    var o = hash.length % 4;
    for (var i = o > 0 ? o - inc : 0; i < hash.length; i += 4) {
      val = ((val << 16) + parseInt(hash.substring(i, i+4), 16)) % mod;
    }

    return val === 0;
  }

  /* In 1 of 101 games the game crashes instantly. */
  if (divisible(hash, 101))
    return 0;

  /* Use the most significant 52-bit from the hash
     to calculate the crash point */
  var h = parseInt(hash.slice(0,52/4),16);
  var e = Math.pow(2,52);

  /* Assuming the 52-bit prefix is uniformly distributed
     then r is uniformly distributed over [0,1). */
  var r = h / e;

  /* Perfect is the perfectly continuous distributed
     multiplier for a zero sum game. */
  var perfect    = 1 / (1 - r);

  /* Apply a house edge to the perfect distribution. */
  var houseEdge  = (perfect-1) * 0.01;
  var multiplier = perfect - houseEdge;

  // return Math.floor(multiplier * 100);

  /* Inlining and simplifying the above yields the following version
     which is slightly more numerically stable. The multiplication
     100 * e still leaves the exactly representable integers.
  */
  return Math.floor((100 * e - h) / (e - h));
}

The chain could be generated with code such as:

Code:
var serverSeed = 'If you knew this, you could steal all my money'; // example
var clientSeed = '000000000000000012e8c0efdff2b8f67282e211749cc5530bd6e709f70279e1'; // determined by this seeding event

var gamesToGenerate = 100; // It'll be much larger in reality

for (var game = gamesToGenerate; game > 0; --game) {
  serverSeed = genGameHash(serverSeed, clientSeed);
  console.log('Game ' +  game + ' has a crash point of ' + (crashPointFromHash(serverSeed) / 100).toFixed(2) +'x', '\t\tHash: ' + serverSeed);
}


Using our chosen starting serverSeed, the hash chain terminating with the hash 7ebfb0e6cbfbdb4de6940fb954f4c554f388de114e04caeb5a26144458b551c1


Just a quote to have a copy not editable by OP. Maybe somebody with higher trust can re-quote ;)


Title: Re: MoneyPot.com Provably Fair Seeding Event
Post by: RHavar on January 12, 2015, 11:44:21 PM
I generated a snapshot here: https://web.archive.org/web/20150112230357/https://bitcointalk.org/index.php?topic=922898.0

Also, made an inconsequential bug fix of the line:

Code:
for (var i = o > 0 ? o - inc : 0; i < hash.length; i += 4) {

to

Code:
for (var i = o > 0 ? o - 4 : 0; i < hash.length; i += 4) {


It doesn't matter, as o is always 0, but just for clarity sake I fixed it.


Title: Re: MoneyPot.com Provably Fair Seeding Event
Post by: gmannnnn on January 13, 2015, 10:17:03 AM
this seems really good. Has it already been implemented? If not, when does it start?



You need to give us a hash of the initial server seed.

For your own sake I hope you make this seed random / long enough ;)


Title: Re: MoneyPot.com Provably Fair Seeding Event
Post by: RHavar on January 13, 2015, 01:33:23 PM
this seems really good. Has it already been implemented? If not, when does it start?

Not yet, it will start after the drawing -- probably at the end of the week


Quote
You need to give us a hash of the initial server seed.

It's not actually required, but you it is the private key to the address: 1J6qabbRQmxiii4j8mmAZ3XTvURZ8yzwfy

Quote
For your own sake I hope you make this seed random / long enough ;)

If anyone does discover it, they are welcome to use it to make a spend ;D


Title: Re: MoneyPot.com Provably Fair Seeding Event
Post by: blockage on January 13, 2015, 02:43:50 PM
The chain could be generated with code such as:

Code:
var serverSeed = 'If you knew this, you could steal all my money'; // example
var clientSeed = '000000000000000012e8c0efdff2b8f67282e211749cc5530bd6e709f70279e1'; // determined by this seeding event

var gamesToGenerate = 100; // It'll be much larger in reality

for (var game = gamesToGenerate; game > 0; --game) {
  serverSeed = genGameHash(serverSeed, clientSeed);
  console.log('Game ' +  game + ' has a crash point of ' + (crashPointFromHash(serverSeed) / 100).toFixed(2) +'x', '\t\tHash: ' + serverSeed);
}


Using our chosen starting serverSeed, the hash chain terminating with the hash 7ebfb0e6cbfbdb4de6940fb954f4c554f388de114e04caeb5a26144458b551c1

The serverSeeds should be a pure sha256 chain without mixing the clientSeed in. Else you can't really give us the end of the chain ahead of the clientSeed ;) So
Code:
 serverSeed = genGameHash(serverSeed, clientSeed);
should in fact be
Code:
 serverSeed = sha256(serverSeed);

Also the end of the chain 7ebf.... is that the hash for determining the crashpoint of game 1 or is it the hash thereof? Please make that clear.


Title: Re: MoneyPot.com Provably Fair Seeding Event
Post by: gmannnnn on January 13, 2015, 02:50:07 PM

The serverSeeds should be a pure sha256 chain without mixing the clientSeed in. Else you can't really give us the end of the chain ahead of the clientSeed ;) So

this is just false. there is no way to recover the serverseed from the chain, even with a known client.

edit:misunderstood. true, how can you be giving us the end value, if you yourself dont know the client seed OP?

Anyway, OP, doesnt this mean you will need to generate such chains every week? seems unpractical, both to you and to players.  how many rolls did you pregenerate?


Title: Re: MoneyPot.com Provably Fair Seeding Event
Post by: blockage on January 13, 2015, 02:56:51 PM

The serverSeeds should be a pure sha256 chain without mixing the clientSeed in. Else you can't really give us the end of the chain ahead of the clientSeed ;) So

this is just false. there is no way to recover the serverseed from the chain, even with a known client.

edit:misunderstood. true, how can you be giving us the end value, if you yourself dont know the client seed OP?

Yes I noticed the misunderstanding. Terminology is not clear. I would call the start of the chain 'server secret' and then every element of the chain is a server seed for a specific game.

Anyway, OP, doesnt this mean you will need to generate such chains every week? seems unpractical, both to you and to players.  how many rolls did you pregenerate?

I think OP wanted to generate a chain of 10M seeds which would last ~6 years. OP obviously you already generated the chain, because you already told us the end. So what's 'gamesToGenerate' in reality?


Title: Re: MoneyPot.com Provably Fair Seeding Event
Post by: gmannnnn on January 13, 2015, 02:59:48 PM

The serverSeeds should be a pure sha256 chain without mixing the clientSeed in. Else you can't really give us the end of the chain ahead of the clientSeed ;) So

this is just false. there is no way to recover the serverseed from the chain, even with a known client.

edit:misunderstood. true, how can you be giving us the end value, if you yourself dont know the client seed OP?

Yes I noticed the misunderstanding. Terminology is not clear. I would call the start of the chain 'server secret' and then every element of the chain is a server seed for a specific game.

Anyway, OP, doesnt this mean you will need to generate such chains every week? seems unpractical, both to you and to players.  how many rolls did you pregenerate?

I think OP wanted to generate a chain of 10M seeds which would last ~6 years. OP obviously you already generated the chain, because you already told us the end. So what's 'gamesToGenerate' in reality?


i think that was the hash of the example case. he could not have created the real hash as he himself does not yet know the client seed - that block has not been mined yet!

op you need to comunicate more clearly if you want your system to be seen as transparent.


Title: Re: MoneyPot.com Provably Fair Seeding Event
Post by: RHavar on January 13, 2015, 03:14:15 PM
Thanks very much guys. I've updated the original post to address all the concerns and fix. Since we're well and truly before bitcoin block 339300 I have updated the final terminating hash and more tightly specified what it means.

Could you guys please give it a re-review, and generate another snapshot?


Title: Re: MoneyPot.com Provably Fair Seeding Event
Post by: blockage on January 13, 2015, 03:18:01 PM
Thanks very much guys. I've updated the original post to address all the concerns and fix. Since we're well and truly before bitcoin block 339300 I have updated the final terminating hash and more tightly specified what it means.

Could you guys please give it a re-review, and generate another snapshot?

Ok looks good. Here is another snapshot http://web.archive.org/web/20150113151628/https://bitcointalk.org/index.php?topic=922898.0 (http://web.archive.org/web/20150113151628/https://bitcointalk.org/index.php?topic=922898.0) and a new quote of OP:


Welcome to the first provably fair seeding event. One of the most requested features of Money Pot (https://www.moneypot.com) has been to create a provably distribution of game crashes, to replace our provably predetermined multipliers.

The original scheme (https://bitcointalk.org/index.php?topic=709185.msg8528454#msg8528454) of turning a multiplayer game in which peers do not trust each other was first proposed by Dooglus, refined by Eric and solidified into code by Steve.

In order to ensure fairness, we need to select a client seed in a verifiable way, after we have publicised all details and cannot control the outcome of the client seed picking. This is where the seeding event comes in, we need you to witness the process to ensure nothing has changed. A good way to do this might be save the post, quote it somewhere, save a copy in some archiving services. If anyone wants me to email them a copy, PM me your email address.

Our plan is to use hash of the bitcoin block 339300 as the client seed. If anyone finds any flaws in the code or methodology, we will push the block back to accommodate.  

The technical details are as follows:

The method to create the hash chain is simply sha256:
Code:
function genGameHash(serverSeed) {
  return crypto.createHash('sha256').update(serverSeed).digest('hex');
}

The method to convert a game hash to a money pot multiplier is a bit more complex:

Code:
function crashPointFromHash(serverSeed, clientSeed) {
  function divisible(hash, mod) {
    // We will read in 4 hex at a time, but the first chunk might be a bit smaller
    // So ABCDEFGHIJ should be chunked like  AB CDEF GHIJ
    var val = 0;
    
    var o = hash.length % 4;
    for (var i = o > 0 ? o - 4 : 0; i < hash.length; i += 4) {
      val = ((val << 16) + parseInt(hash.substring(i, i+4), 16)) % mod;
    }

    return val === 0;
  }

  var hash = crypto.createHmac('sha256', serverSeed).update(clientSeed).digest('hex');

  /* In 1 of 101 games the game crashes instantly. */
  if (divisible(hash, 101))
     return 0;

  /* Use the most significant 52-bit from the hash
     to calculate the crash point */
  var h = parseInt(hash.slice(0,52/4),16);
  var e = Math.pow(2,52);

  return Math.floor((100 * e - h) / (e - h));
}

The chain could be generated with code such as:

Code:
var serverSecret =  'If you knew this, you could steal all my money';
var clientSeed = '0000examplehash';

var gamesToGenerate = 1e7;

var serverSeed = serverSecret;

for (var game = gamesToGenerate; game > 0; --game) {
  serverSeed = genGameHash(serverSeed);
  console.log('Game ' +  game + ' has a crash point of ' + (crashPointFromHash(serverSeed, clientSeed) / 100).toFixed(2) +'x', '\t\tHash: ' + serverSeed);
}



Using our chosen starting serverSeed, the hash chain terminating with the hash c1cfa8e28fc38999eaa888487e443bad50a65e0b710f649affa6718cfbfada4d. That is to say, the first game played under the new provably fair scheme, will be played with this hash. The second money pot game played, when hashed will be this hash.

The server secret is a bitcoin private key, which corresponds to the address:
1J6qabbRQmxiii4j8mmAZ3XTvURZ8yzwfy (https://www.blockchain.info/address/1J6qabbRQmxiii4j8mmAZ3XTvURZ8yzwfy), where a 10 bitcoin bounty awaits anyone who discovers the leaked server secret.



Title: Re: MoneyPot.com Provably Fair Seeding Event
Post by: blockage on January 13, 2015, 03:22:38 PM
Using our chosen starting serverSeed, the hash terminating the chain is c1cfa8e28fc38999eaa888487e443bad50a65e0b710f649affa6718cfbfada4d. That is to say, the first game played under the new provably fair scheme, will be played with this hash. The second money pot game played, when hashed will be this hash.

I don't like the wording. Was clearer before but fine with me. An offset of 1 doesn't really matter. But if you want to give everyone a free roll with a known hash, that's also fine with me ;)


Title: Re: MoneyPot.com Provably Fair Seeding Event
Post by: RHavar on January 13, 2015, 03:25:59 PM
Using our chosen starting serverSeed, the hash terminating the chain is c1cfa8e28fc38999eaa888487e443bad50a65e0b710f649affa6718cfbfada4d. That is to say, the first game played under the new provably fair scheme, will be played with this hash. The second money pot game played, when hashed will be this hash.

I don't like the wording. Was clearer before but fine with me. An offset of 1 doesn't really matter. But if you want to give everyone a free roll with a known hash, that's also fine with me ;)

Yeah, it's not going to matter ( I doubt anyone will catch the first few games) but it's a bit icky. I changed the quote to:
Quote
That is to say, the first game's hash played under the new provably fair scheme, when hashed will be this hash.


Title: Re: MoneyPot.com Provably Fair Seeding Event
Post by: gmannnnn on January 13, 2015, 03:27:06 PM
Using our chosen starting serverSeed, the hash terminating the chain is c1cfa8e28fc38999eaa888487e443bad50a65e0b710f649affa6718cfbfada4d. That is to say, the first game played under the new provably fair scheme, will be played with this hash. The second money pot game played, when hashed will be this hash.

I don't like the wording. Was clearer before but fine with me. An offset of 1 doesn't really matter. But if you want to give everyone a free roll with a known hash, that's also fine with me ;)

I dont understand either.

please correct me where im wrong:
client seed: not yet known
server seed: priv. key of address

 hash terminating chain: c1cfa8e28fc38999eaa888487e443bad50a65e0b710f649affa6718cfbfada4d

^ how did you calculate that if you dont know the client seed?



Title: Re: MoneyPot.com Provably Fair Seeding Event
Post by: blockage on January 13, 2015, 03:30:03 PM
Using our chosen starting serverSeed, the hash terminating the chain is c1cfa8e28fc38999eaa888487e443bad50a65e0b710f649affa6718cfbfada4d. That is to say, the first game played under the new provably fair scheme, will be played with this hash. The second money pot game played, when hashed will be this hash.

I don't like the wording. Was clearer before but fine with me. An offset of 1 doesn't really matter. But if you want to give everyone a free roll with a known hash, that's also fine with me ;)

I dont understand either.

please correct me where im wrong:
client seed: not yet known
server seed: priv. key of address

 hash terminating chain: c1cfa8e28fc38999eaa888487e443bad50a65e0b710f649affa6718cfbfada4d

^ how did you calculate that if you dont know the client seed?

OP updated the code. The server seed chain is calculated without the client seed as it's supposed to be. Look at the line in the for loop that updated the server seed variable:
Code:
  serverSeed = genGameHash(serverSeed);


Title: Re: MoneyPot.com Provably Fair Seeding Event
Post by: RHavar on January 13, 2015, 03:35:05 PM
hash terminating chain: c1cfa8e28fc38999eaa888487e443bad50a65e0b710f649affa6718cfbfada4d

^ how did you calculate that if you dont know the client seed?

The point is I am proving I have calculated, and committed to using a particular a hash chain before the client seed is known. The client-seed is used in interpreting the hashes to create a game outcome, so there's no way I could have created a "bad" or "good" hash chain.


Title: Re: MoneyPot.com Provably Fair Seeding Event
Post by: omahapoker on January 13, 2015, 03:38:11 PM
if bitcoin is still around at the end of the week, i'll check it out


Title: Re: MoneyPot.com Provably Fair Seeding Event
Post by: gmannnnn on January 13, 2015, 03:38:48 PM
Welcome to the first provably fair seeding event. One of the most requested features of Money Pot (https://www.moneypot.com) has been to create a provably distribution of game crashes, to replace our provably predetermined multipliers.

The original scheme (https://bitcointalk.org/index.php?topic=709185.msg8528454#msg8528454) of turning a multiplayer game in which peers do not trust each other was first proposed by Dooglus, refined by Eric and solidified into code by Steve.

In order to ensure fairness, we need to select a client seed in a verifiable way, after we have publicised all details and cannot control the outcome of the client seed picking. This is where the seeding event comes in, we need you to witness the process to ensure nothing has changed. A good way to do this might be save the post, quote it somewhere, save a copy in some archiving services. If anyone wants me to email them a copy, PM me your email address.

Our plan is to use hash of the bitcoin block 339300 as the client seed. If anyone finds any flaws in the code or methodology, we will push the block back to accommodate.  

The technical details are as follows:

The method to create the hash chain is simply sha256:
Code:
function genGameHash(serverSeed) {
  return crypto.createHash('sha256').update(serverSeed).digest('hex');
}

The method to convert a game hash to a money pot multiplier is a bit more complex:

Code:
function crashPointFromHash(serverSeed, clientSeed) {
  function divisible(hash, mod) {
    // We will read in 4 hex at a time, but the first chunk might be a bit smaller
    // So ABCDEFGHIJ should be chunked like  AB CDEF GHIJ
    var val = 0;
    
    var o = hash.length % 4;
    for (var i = o > 0 ? o - 4 : 0; i < hash.length; i += 4) {
      val = ((val << 16) + parseInt(hash.substring(i, i+4), 16)) % mod;
    }

    return val === 0;
  }

  var hash = crypto.createHmac('sha256', serverSeed).update(clientSeed).digest('hex');

  /* In 1 of 101 games the game crashes instantly. */
  if (divisible(hash, 101))
     return 0;

  /* Use the most significant 52-bit from the hash
     to calculate the crash point */
  var h = parseInt(hash.slice(0,52/4),16);
  var e = Math.pow(2,52);

  return Math.floor((100 * e - h) / (e - h));
}

The chain could be generated with code such as:

Code:
var serverSecret =  'If you knew this, you could steal all my money';
var clientSeed = '0000examplehash';

var gamesToGenerate = 1e7;

var serverSeed = serverSecret;

for (var game = gamesToGenerate; game > 0; --game) {
  serverSeed = genGameHash(serverSeed);
  console.log('Game ' +  game + ' has a crash point of ' + (crashPointFromHash(serverSeed, clientSeed) / 100).toFixed(2) +'x', '\t\tHash: ' + serverSeed);
}

var terminatingHash = genGameHash(serverSeed);

console.log('The terminating hash is: ', terminatingHash);


Using our chosen starting serverSeed, the hash terminating the chain is c1cfa8e28fc38999eaa888487e443bad50a65e0b710f649affa6718cfbfada4d. That is to say, the first game's hash played under the new provably fair scheme, when hashed will be c1cfa8e28fc38999eaa888487e443bad50a65e0b710f649affa6718cfbfada4d.

The server secret is a bitcoin private key, which corresponds to the address:
1J6qabbRQmxiii4j8mmAZ3XTvURZ8yzwfy (https://www.blockchain.info/address/1J6qabbRQmxiii4j8mmAZ3XTvURZ8yzwfy), where a 10 bitcoin bounty awaits anyone who discovers the leaked server secret.





got it.

quoted to prevent editing.


Title: Re: MoneyPot.com Provably Fair Seeding Event
Post by: omahapoker on January 13, 2015, 03:44:58 PM
Welcome to the first provably fair seeding event. One of the most requested features of Money Pot (https://www.moneypot.com) has been to create a provably distribution of game crashes, to replace our provably predetermined multipliers.

The original scheme (https://bitcointalk.org/index.php?topic=709185.msg8528454#msg8528454) of turning a multiplayer game in which peers do not trust each other was first proposed by Dooglus, refined by Eric and solidified into code by Steve.

In order to ensure fairness, we need to select a client seed in a verifiable way, after we have publicised all details and cannot control the outcome of the client seed picking. This is where the seeding event comes in, we need you to witness the process to ensure nothing has changed. A good way to do this might be save the post, quote it somewhere, save a copy in some archiving services. If anyone wants me to email them a copy, PM me your email address.

Our plan is to use hash of the bitcoin block 339300 as the client seed. If anyone finds any flaws in the code or methodology, we will push the block back to accommodate.  

The technical details are as follows:

The method to create the hash chain is simply sha256:
Code:
function genGameHash(serverSeed) {
  return crypto.createHash('sha256').update(serverSeed).digest('hex');
}

The method to convert a game hash to a money pot multiplier is a bit more complex:

Code:
function crashPointFromHash(serverSeed, clientSeed) {
  function divisible(hash, mod) {
    // We will read in 4 hex at a time, but the first chunk might be a bit smaller
    // So ABCDEFGHIJ should be chunked like  AB CDEF GHIJ
    var val = 0;
    
    var o = hash.length % 4;
    for (var i = o > 0 ? o - 4 : 0; i < hash.length; i += 4) {
      val = ((val << 16) + parseInt(hash.substring(i, i+4), 16)) % mod;
    }

    return val === 0;
  }

  var hash = crypto.createHmac('sha256', serverSeed).update(clientSeed).digest('hex');

  /* In 1 of 101 games the game crashes instantly. */
  if (divisible(hash, 101))
     return 0;

  /* Use the most significant 52-bit from the hash
     to calculate the crash point */
  var h = parseInt(hash.slice(0,52/4),16);
  var e = Math.pow(2,52);

  return Math.floor((100 * e - h) / (e - h));
}

The chain could be generated with code such as:

Code:
var serverSecret =  'If you knew this, you could steal all my money';
var clientSeed = '0000examplehash';

var gamesToGenerate = 1e7;

var serverSeed = serverSecret;

for (var game = gamesToGenerate; game > 0; --game) {
  serverSeed = genGameHash(serverSeed);
  console.log('Game ' +  game + ' has a crash point of ' + (crashPointFromHash(serverSeed, clientSeed) / 100).toFixed(2) +'x', '\t\tHash: ' + serverSeed);
}

var terminatingHash = genGameHash(serverSeed);

console.log('The terminating hash is: ', terminatingHash);


Using our chosen starting serverSeed, the hash terminating the chain is c1cfa8e28fc38999eaa888487e443bad50a65e0b710f649affa6718cfbfada4d. That is to say, the first game's hash played under the new provably fair scheme, when hashed will be c1cfa8e28fc38999eaa888487e443bad50a65e0b710f649affa6718cfbfada4d.

The server secret is a bitcoin private key, which corresponds to the address:
1J6qabbRQmxiii4j8mmAZ3XTvURZ8yzwfy (https://www.blockchain.info/address/1J6qabbRQmxiii4j8mmAZ3XTvURZ8yzwfy), where a 10 bitcoin bounty awaits anyone who discovers the leaked server secret.





got it.

quoted to prevent editing.



made it. i saved your reply to prevent major editing


Title: Re: MoneyPot.com Provably Fair Seeding Event
Post by: gmannnnn on January 13, 2015, 03:50:07 PM
The server secret is a bitcoin private key, which corresponds to the address:
1J6qabbRQmxiii4j8mmAZ3XTvURZ8yzwfy (https://www.blockchain.info/address/1J6qabbRQmxiii4j8mmAZ3XTvURZ8yzwfy), where a 10 bitcoin bounty awaits anyone who discovers the leaked server secret.

btw, are you saying there is a 10btc bounty for the compromisation of your scheme?


Title: Re: MoneyPot.com Provably Fair Seeding Event
Post by: RHavar on January 13, 2015, 06:15:08 PM
btw, are you saying there is a 10btc bounty for the compromisation of your scheme?

There's a 10 BTC bounty for knowing the server secret. You can claim it by doing nothing more than just spending from it (it's a private key, for address with 10 BTC in it). That's because if you know the server secret, you could cheat the game anyway, so I would prefer if someone does discover it (it's stored in the database along with the hashes) you just take the 10 BTC, which will act as a bounty for you and a trip wire for me


Title: Re: MoneyPot.com Provably Fair Seeding Event
Post by: RHavar on January 13, 2015, 06:16:24 PM
I've also burnt 10k bits to record the terminating hash in the blockchain: https://blockchain.info/tx/dbfd4591639be96cdb2ad8077985734b368d1f4d3a8c7a45cbed2d3f3f96edfd?show_adv=true


Title: Re: MoneyPot.com Provably Fair Seeding Event
Post by: dooglus on January 13, 2015, 07:52:47 PM
I've also burnt 10k bits to record the terminating hash in the blockchain: https://blockchain.info/tx/dbfd4591639be96cdb2ad8077985734b368d1f4d3a8c7a45cbed2d3f3f96edfd?show_adv=true

I found OP pretty confusing, and I was partly responsible for coming up with the scheme in the first place.

I would recommend rewriting it so that a newcomer could understand what's going on.

I think the salient points are:

1) Ryan has generated a chain of 10 million sha256 hashes, starting with the private key of a Bitcoin address, and repeatedly feeding the output of sha256 back into itself 10 million times. He has published the final output of that chain.

2) Moneypot will play through that chain of hashes, in reverse order, and use the hashes to determine the crash point in a provably fair manner.

3) To avoid criticism that the Bitcoin address used in step 1 was carefully chosen to generate lots of "bad" crash points, each hash in the chain will be salted with a client seed, which Ryan has no control over. The client seed will be the block hash of a Bitcoin block that hasn't yet been mined.

Is that any clearer?

Once those three points have been stated, then it's time to delve into the actual code, long hex hashes, and the specific block number. I found I was getting lost in the detail and missing the big picture.

Edit: I have a concern:

How can I tell that your chain was actually generated from the private key of the address you published? I don't think I can, and I don't think it even matters. So why not just say that you have generated a long chain of sha256 hashes, and omit the stuff about the private key of a Bitcoin address? The important thing is that you have committed to a particular chain by publishing the final hash in the chain before the (client seed / bitcoin block hash) is known.

It would be nice to have a 10 BTC bounty be available as a tripwire and guaranteed reward, but there's no way I can know that you even used that private key anywhere in the process, so that bit comes back down to having to trust you.


Title: Re: MoneyPot.com Provably Fair Seeding Event
Post by: RHavar on January 13, 2015, 08:17:56 PM
Is that any clearer?

Thanks Dooglus, that's much clearer. I lifted that into the original post.



Quote
So why not just say that you have generated a long chain of sha256 hashes, and omit the stuff about the private key of a Bitcoin address?

Because like you said, it doesn't matter. It's really just a trivia piece. Just like you can't verify how long the chain is, but it doesn't impact the ability to verify the distribution of game results.


Quote
It would be nice to have a 10 BTC bounty be available as a tripwire and guaranteed reward, but there's no way I can know that you even used that private key anywhere in the process, so that bit comes back down to having to trust you.

When I need to generate a new chain, I'll reveal the initial server seed, and you can verify. Or if someone does find out the initial server seed, and it's not that private key, I'll be outed as a liar. But anyway, it doesn't effect the provably distribution.  But yeah, if you're a bug-bounty hunter, you'll need to trust me on that one.


Title: Re: MoneyPot.com Provably Fair Seeding Event
Post by: unamis76 on January 13, 2015, 08:38:55 PM
Improvements are always welcome :) Nice addition to a great game!


Title: Re: MoneyPot.com Provably Fair Seeding Event
Post by: dooglus on January 13, 2015, 10:56:51 PM
Quote
So why not just say that you have generated a long chain of sha256 hashes, and omit the stuff about the private key of a Bitcoin address?

Because like you said, it doesn't matter. It's really just a trivia piece. Just like you can't verify how long the chain is, but it doesn't impact the ability to verify the distribution of game results.

I think clarity and simplicity are the most important properties here. Your scheme is relatively complex so it's good to prune as much as possible if doing so doesn't reduce the quality of the scheme as a whole.


Title: Re: MoneyPot.com Provably Fair Seeding Event
Post by: RHavar on January 15, 2015, 10:05:10 PM
The implementation (containing information about the seeding event) is here: https://github.com/moneypot/gameserver/commit/bc1bffe32833a3f73046698677804c216607f952

For anyone wanting auditing the provably fair seeding, this is a great thing to backup.

This is the code that will be used once the miners have mined block 339300


Title: Re: MoneyPot.com Provably Fair Seeding Event
Post by: dooglus on January 15, 2015, 10:22:27 PM
The implementation (containing information about the seeding event) is here: https://github.com/moneypot/gameserver/commit/bc1bffe32833a3f73046698677804c216607f952

For anyone wanting auditing the provably fair seeding, this is a great thing to backup.

This is the code that will be used once the miners have mined block 339300

I think that just quoting your post is enough. You can't change the content of that commit without changing its URL.


Title: Re: MoneyPot.com Provably Fair Seeding Event
Post by: RHavar on January 17, 2015, 02:31:06 AM
Just 15 more blocks until block 339300, in which we'll know the client seed. I am just heading out the door right now to go out and have a few beers with old friends: So me pushing the prov branch to production will largely depend on my sobriety when I get back home.

I'm also going to delay the increase wager size until Monday or Tuesday, to give me more time to develop and test limits based on the site current bankroll. The plan now is to start with a bankroll of 150 BTC, max bet of 1 BTC and have a max-profit of 2%. While this is massively above a 1x kelly, extensive simulation proves it's still +EV


Title: Re: MoneyPot.com Provably Fair Seeding Event
Post by: RHavar on January 17, 2015, 06:43:02 AM
We now have a client seed: '000000000000000007a9a31ff7f07463d91af6b5454241d5faf282e5e0fe1b3a', thanks everyone who participated in this event.


Title: Re: MoneyPot.com Provably Fair Seeding Event
Post by: kolloh on January 19, 2015, 06:55:52 PM
Wow, it is nice to see that this got implemented.


Title: Re: MoneyPot.com Provably Fair Seeding Event
Post by: boopy265420 on January 19, 2015, 07:30:19 PM
Wow, it is nice to see that this got implemented.

I like this site and especially free 2 tickets and I have won once 250x . Simply one of the best and a must try site. Keep up great work this is going to be big in future.


Title: Re: MoneyPot.com Provably Fair Seeding Event
Post by: cjrosero on March 20, 2015, 10:05:13 PM
This give sooo good ! :D


Title: Re: Bustabit.com Provably Fair Seeding Event
Post by: Somekindabitcoin on April 11, 2015, 06:06:20 AM
If someone found the secret, they'd probably cash out and multiply it even more : )


Title: Re: Bustabit.com Provably Fair Seeding Event
Post by: Ging287 on June 21, 2015, 12:19:36 AM
I just want to say that you guys seemed to have been advertising good or somethin'. I'm hearing 'Bustabit' mentioned more and more. Maybe because it's just a bit more innovative, it's a social experience, and all of you are betting on the exact same multiplier. Thanks.


Title: Re: Bustabit.com Provably Fair Seeding Event
Post by: katerniko1 on June 21, 2015, 01:14:23 AM
i dont understand what exactly are you trying to do here :O.
your saying that there is possibility to cheat in bustabit??? im a bit confused here :P
regards.
-Katerniko1


Title: Re: Bustabit.com Provably Fair Seeding Event
Post by: RHavar on June 21, 2015, 05:08:23 PM
i dont understand what exactly are you trying to do here :O.
your saying that there is possibility to cheat in bustabit??? im a bit confused here :P
regards.
-Katerniko1

The point of this thread, is to prove that the game is fair. Or more specifically, the game sequence has been pre-determined and from a fair distribution, and can not be influenced by any players actions =)


Title: Re: Bustabit.com Provably Fair Seeding Event
Post by: katerniko1 on June 21, 2015, 06:29:13 PM
i dont understand what exactly are you trying to do here :O.
your saying that there is possibility to cheat in bustabit??? im a bit confused here :P
regards.
-Katerniko1

The point of this thread, is to prove that the game is fair. Or more specifically, the game sequence has been pre-determined and from a fair distribution, and can not be influenced by any players actions =)
how can anyone prove it :O? i still dont understand it how to prove that its pre-determined when it will crush?
explain a bit better for me xD
regards.
-Katerniko1


Title: Re: Bustabit.com Provably Fair Seeding Event
Post by: FastSlots on June 21, 2015, 10:35:06 PM
I'm wondering why the system used for dice games cannot be extended to multiplayer games in a straightforward way. Before the round the server would generate a server secret and publish the hash of the server secret. All players generate a client secret. When a player clicks on place bet, he submits his secret to the server. When the next round starts all submitted client secrets are concatenated with the server secret and used to compute the crash multiplier.

What am I missing?


Title: Re: Bustabit.com Provably Fair Seeding Event
Post by: RHavar on June 22, 2015, 12:10:57 AM
how can anyone prove it :O? i still dont understand it how to prove that its pre-determined when it will crush?
explain a bit better for me xD
regards.
-Katerniko1

Unfortunately, I don't think I can. The original post is my best attempt, but if you work through the original post with someone who knows the cryptographic primitives, it should make sense. =)


Title: Re: Bustabit.com Provably Fair Seeding Event
Post by: RHavar on June 22, 2015, 12:22:18 AM
Before the round the server would generate a server secret and publish the hash of the server secret. All players generate a client secret. When a player clicks on place bet, he submits his secret to the server. When the next round starts all submitted client secrets are concatenated with the server secret and used to compute the crash multiplier.

What am I missing?

There's a few flaws in that scheme, namely if the server and one of the (many) clients are conspiring they can totally control the outcome. And even if the server isn't controlling one of the clients, if it selectively dropped the connection of one of them, it could radically change the outcome as well.


Title: Re: Bustabit.com Provably Fair Seeding Event
Post by: RHavar on August 28, 2015, 02:07:40 PM
So, what if, Ryan generated tones list of 10m hashes from different serverSeed and then, waited for a particular block's id to be mined. Since the clientSeed seems to be predictable, Ryan could have waited for that block to be mined then start the game in the meaning to get the most profitable serverseed.

That's actually why we created this "event". We proved we did it before the block was mined, exactly to disprove this:

Quote from: Ryan
3) To avoid criticism that the Bitcoin address used in step 1 was carefully chosen to generate lots of "bad" crash points, each hash in the chain will be salted with a client seed, which we have no control of. The client seed will be the block hash of a Bitcoin block that hasn't yet been mined: block 339300.

if you don't trust the dates on this forum (which you might not, because I can edit the OP) you can check the critical details in a variety of ways, that all happened before that block was mined:
a) The fact people quoted me link (https://bitcointalk.org/index.php?topic=922898.msg10130715#msg10130715)
b) It was on reddit link (https://www.reddit.com/r/moneypot/comments/2sb7o5/moneypot_provably_fair_seeding_event/)
c) It was emailed to dooglus (you can ask him, and he can find it and get the date)
d) It's archived on archive.org  (link (https://web.archive.org/web/20150112230357/https://bitcointalk.org/index.php?topic=922898.0))

and if that's not enough, I actually timestamped it on the blockchain (before block 339300) which should be complete proof. I don't have the link on me right now, but can dig through my email and find it if you like.





Quote
I love that game, and got nothing against Ryan but maybe it would be nice to get an other provably fair system that will actually be fair?

it is =)

Quote
Also, that kind of thing isn't hard to make, I could make a script that will find a serverseed that will never bust higher than 2.0x.
It's pretty simple to do and it would takes me couple of weeks to get a cheated serverseed.

You could make a script that finds a "bad" server seed, but it's unlikely to be that bad. The probability of a server seed having no games > 2.0x is like 0.50990099^10e6 (making some generous assumptions about sha256), which is just gazillions of times harder than just finding bitcoin private keys, or my server seed


Title: Re: MoneyPot.com Provably Fair Seeding Event
Post by: kolloh on September 10, 2015, 06:46:36 PM
btw, are you saying there is a 10btc bounty for the compromisation of your scheme?

There's a 10 BTC bounty for knowing the server secret. You can claim it by doing nothing more than just spending from it (it's a private key, for address with 10 BTC in it). That's because if you know the server secret, you could cheat the game anyway, so I would prefer if someone does discover it (it's stored in the database along with the hashes) you just take the 10 BTC, which will act as a bounty for you and a trip wire for me

I saw that this 10 BTC was recently moved away last month. I assume this doesn't mean that someone was able to compromise the address and it was just moved after being satisfied that it was not compromised after this time?


Title: Re: MoneyPot.com Provably Fair Seeding Event
Post by: RHavar on September 10, 2015, 06:58:08 PM
I saw that this 10 BTC was recently moved away last month. I assume this doesn't mean that someone was able to compromised the address and it was just moved after being satisfied that it was not compromised after this time?

Yeah, I just moved as part of my on-going campaign to reconcile my finances.  If anyone does however know the private key, (or any of the future hashes) I'll more than happily give you a lot more than that in a bounty (i offered Dexon 50 btc if his brute force sha1 program actually does find it) as if someone did find it, it'd easily cost me more than that (as they would know the outcome of all future games)


Title: Re: Bustabit.com Provably Fair Seeding Event
Post by: dkee888 on December 05, 2015, 11:58:48 PM
Awesome site very addicting and IMO way better than the Hi-Lo dice games.. ;D


Title: Re: Bustabit.com Provably Fair Seeding Event
Post by: gullu on August 24, 2016, 04:01:56 PM
Welcome to the first provably fair seeding event. One of the most requested features of bustabit (https://www.bustabit.com) has been to create a provably distribution of game crashes, to replace our provably predetermined multipliers.

The original scheme (https://bitcointalk.org/index.php?topic=709185.msg8528454#msg8528454) of turning a multiplayer game in which peers do not trust each other was first proposed by Dooglus, refined by Eric and solidified into code by Steve.

The high level of the scheme is as follows:

1) We have generated a chain of 10 million sha256 hashes, starting with a server secret that has been repeatedly fed the output of sha256 back into itself 10 million times. The sha256 of the final hash in the chain is: c1cfa8e28fc38999eaa888487e443bad50a65e0b710f649affa6718cfbfada4d, by publicising it here we are preventing any ability to pick an alternate sha256 chain.


2) Bustabit will play through that chain of hashes, in reverse order, and use the hashes to determine the crash point in a probably fair manner.

3) To avoid criticism that the Bitcoin address used in step 1 was carefully chosen to generate lots of "bad" crash points, each hash in the chain will be salted with a client seed, which we have no control of. The client seed will be the block hash of a Bitcoin block that hasn't yet been mined: block 339300.


The reference code (javascript) is as follows:

The method to create the hash chain is simply sha256:
Code:
function genGameHash(serverSeed) {
  return crypto.createHash('sha256').update(serverSeed).digest('hex');
}

The method to convert a game hash, mix it with the picked client seed to a money pot multiplier:

Code:
function crashPointFromHash(serverSeed, clientSeed) {
  function divisible(hash, mod) {
    // We will read in 4 hex at a time, but the first chunk might be a bit smaller
    // So ABCDEFGHIJ should be chunked like  AB CDEF GHIJ
    var val = 0;
    
    var o = hash.length % 4;
    for (var i = o > 0 ? o - 4 : 0; i < hash.length; i += 4) {
      val = ((val << 16) + parseInt(hash.substring(i, i+4), 16)) % mod;
    }

    return val === 0;
  }

  var hash = crypto.createHmac('sha256', serverSeed).update(clientSeed).digest('hex');

  /* In 1 of 101 games the game crashes instantly. */
  if (divisible(hash, 101))
     return 0;

  /* Use the most significant 52-bit from the hash
     to calculate the crash point */
  var h = parseInt(hash.slice(0,52/4),16);
  var e = Math.pow(2,52);

  return Math.floor((100 * e - h) / (e - h));
}

The chain could be generated with code such as:

Code:
var serverSecret =  'If you knew this, you could steal all my money';
var clientSeed = '0000examplehash';

var gamesToGenerate = 1e7;

var serverSeed = serverSecret;

for (var game = gamesToGenerate; game > 0; --game) {
  serverSeed = genGameHash(serverSeed);
  console.log('Game ' +  game + ' has a crash point of ' + (crashPointFromHash(serverSeed, clientSeed) / 100).toFixed(2) +'x', '\t\tHash: ' + serverSeed);
}

var terminatingHash = genGameHash(serverSeed);

console.log('The terminating hash is: ', terminatingHash);


Using our chosen starting serverSeed, the hash terminating the chain is c1cfa8e28fc38999eaa888487e443bad50a65e0b710f649affa6718cfbfada4d. That is to say, the first game's hash played under the new provably fair scheme, when hashed will be c1cfa8e28fc38999eaa888487e443bad50a65e0b710f649affa6718cfbfada4d.

just to save the copy, if it gets edited..


Title: Re: MoneyPot.com Provably Fair Seeding Event
Post by: JasonXG on August 24, 2016, 05:16:15 PM
if bitcoin is still around at the end of the week, i'll check it out

Lol why do you say that ? Of coarse it will still be around silly :)

Its good to see vista bit doing this to renenforce the fairness factor. Personally I have never felt cheated. I just day "omg bs" lol but everyone in the room loses as well so ita not like its just me so in that way its actually great to prove fairness.

I dont know Ryan personally but he really doesn't seem the kind to steal. He knows how to conduct business and this is clearly demonstrated by the success of bustabit. People who run and only shooting the!selves in the foot. Why run why you can simply keep at it and create a lovely passive income in the long term.

Do not eat everything today for tomorrow is a new day. Runners eat everything in one day and forget about the future. They could have made much more but they have no foresight. Ryan knows this so he makes more then these runners. Well done Ryan. Also ita a very fun unique game.


Title: Re: Bustabit.com Provably Fair Seeding Event
Post by: A7mad1978 on December 20, 2016, 05:19:13 PM
do you call this scam FARE !!!!!!!
get real life site is the biggest scam site tell now this site running on to collect every body bitcoin it's not fair and it's 100% controlled by Ryan he run it and stop it as he wish it's not fare it's scam and every one can gave you a hash do you need hash's ?


Title: Re: Bustabit.com Provably Fair Seeding Event
Post by: rfisher1968 on December 22, 2016, 04:41:44 PM
Rayn

If I get the hash of a game, how do I determine what block hash(clientseed) was used? How do you get the block hash(clientseed), the timing of it being used is unknown?


Title: Re: Bustabit.com Provably Fair Seeding Event
Post by: dooglus on December 22, 2016, 05:22:02 PM
If I get the hash of a game, how do I determine what block hash(clientseed) was used? How do you get the block hash(clientseed), the timing of it being used is unknown?

There was only one seeding event. Only a single block hash was used.

The client seed is 000000000000000007a9a31ff7f07463d91af6b5454241d5faf282e5e0fe1b3a, as mentioned in this post (https://bitcointalk.org/index.php?topic=922898.msg10183468#msg10183468).

Did you read my post (https://bitcointalk.org/index.php?topic=922898.msg10141573#msg10141573) which tries to make the process clearer? Does it help?


Title: Re: Bustabit.com Provably Fair Seeding Event
Post by: RHavar on December 22, 2016, 05:41:27 PM
^ Yeah, what Dooglus said.

Basically the "client seed" is a single value which is used throughout the whole chain. It's there to prevent against an attack in which I unfairly picked a hash chain (as no one knows how I seeded the hash chain). In order to come up with a client seed, we had have a few options. One obvious option would be used a trusted third party (e.g. random.org) but we can do better, by using the bitcoin blockchain itself.

The way it was done (see: the start of this thread) was preannounce that what ever hash block 339300 is going to be, would be our client seed. As we conducted this well in advance of block 339300, there was absolutely no way I (or anyone) could have known what that hash would be.

Typically when you use bitcoin block hashes, you need to be careful against what is known as a "discarding attack" where a bitcoin miner can look at the hash and decide to not publish the block. However in this case, the attack isn't relevant because the low chance of conducting it (what ever hash power I control), and the cost of conducting would've been 25 BTC, and to significantly bias the results would take at least millions (or billions) of attempts.

So I think we can be quite confident that the seed was fairly picked and there's no issues with it =)


Title: Re: Bustabit.com Provably Fair Seeding Event
Post by: dooglus on December 22, 2016, 06:36:30 PM
So I think we can be quite confident that the seed was fairly picked

do you call this scam FARE !!!!!!!

(just kidding) ;)


Title: Re: Bustabit.com Provably Fair Seeding Event
Post by: Benchman on February 19, 2017, 02:27:52 AM
Hehe, funny to play but will small amounts.

Got recenty @ 20x. Sent $0,5, cashed about total $40. Enough for nice dinner with gf.


Title: Re: Bustabit.com Provably Fair Seeding Event
Post by: Keyoliver on July 19, 2017, 11:05:58 AM
Welcome to the first provably fair seeding event. One of the most requested features of bustabit (https://www.bustabit.com) has been to create a provably distribution of game crashes, to replace our provably predetermined multipliers.

The original scheme (https://bitcointalk.org/index.php?topic=709185.msg8528454#msg8528454) of turning a multiplayer game in which peers do not trust each other was first proposed by Dooglus, refined by Eric and solidified into code by Steve.

The high level of the scheme is as follows:

1) We have generated a chain of 10 million sha256 hashes, starting with a server secret that has been repeatedly fed the output of sha256 back into itself 10 million times. The sha256 of the final hash in the chain is: c1cfa8e28fc38999eaa888487e443bad50a65e0b710f649affa6718cfbfada4d, by publicising it here we are preventing any ability to pick an alternate sha256 chain.


2) Bustabit will play through that chain of hashes, in reverse order, and use the hashes to determine the crash point in a probably fair manner.

3) To avoid criticism that the Bitcoin address used in step 1 was carefully chosen to generate lots of "bad" crash points, each hash in the chain will be salted with a client seed, which we have no control of. The client seed will be the block hash of a Bitcoin block that hasn't yet been mined: block 339300.


The reference code (javascript) is as follows:

The method to create the hash chain is simply sha256:
Code:
function genGameHash(serverSeed) {
  return crypto.createHash('sha256').update(serverSeed).digest('hex');
}

The method to convert a game hash, mix it with the picked client seed to a money pot multiplier:

Code:
function crashPointFromHash(serverSeed, clientSeed) {
  function divisible(hash, mod) {
    // We will read in 4 hex at a time, but the first chunk might be a bit smaller
    // So ABCDEFGHIJ should be chunked like  AB CDEF GHIJ
    var val = 0;
    
    var o = hash.length % 4;
    for (var i = o > 0 ? o - 4 : 0; i < hash.length; i += 4) {
      val = ((val << 16) + parseInt(hash.substring(i, i+4), 16)) % mod;
    }

    return val === 0;
  }

  var hash = crypto.createHmac('sha256', serverSeed).update(clientSeed).digest('hex');

  /* In 1 of 101 games the game crashes instantly. */
  if (divisible(hash, 101))
     return 0;

  /* Use the most significant 52-bit from the hash
     to calculate the crash point */
  var h = parseInt(hash.slice(0,52/4),16);
  var e = Math.pow(2,52);

  return Math.floor((100 * e - h) / (e - h));
}

The chain could be generated with code such as:

Code:
var serverSecret =  'If you knew this, you could steal all my money';
var clientSeed = '0000examplehash';

var gamesToGenerate = 1e7;

var serverSeed = serverSecret;

for (var game = gamesToGenerate; game > 0; --game) {
  serverSeed = genGameHash(serverSeed);
  console.log('Game ' +  game + ' has a crash point of ' + (crashPointFromHash(serverSeed, clientSeed) / 100).toFixed(2) +'x', '\t\tHash: ' + serverSeed);
}

var terminatingHash = genGameHash(serverSeed);

console.log('The terminating hash is: ', terminatingHash);


Using our chosen starting serverSeed, the hash terminating the chain is c1cfa8e28fc38999eaa888487e443bad50a65e0b710f649affa6718cfbfada4d. That is to say, the first game's hash played under the new provably fair scheme, when hashed will be c1cfa8e28fc38999eaa888487e443bad50a65e0b710f649affa6718cfbfada4d.

hello are u mod in there i need help right now


Title: Re: Bustabit.com Provably Fair Seeding Event
Post by: adfaucet on January 12, 2019, 05:43:52 PM
Hi,

You can find a PHP implemetation of this code here: https://github.com/rogervila/provably-fair


Title: Re: Bustabit.com Provably Fair Seeding Event
Post by: Parisd2002 on September 04, 2020, 05:15:44 PM
Sorry if posting at wrong place, I can move the post

I read a post from 2018 I think that said the version 2 of bustabit will not crash anymore at 1.00, today in 2020 it does crash frequently at 1.00, so this part of V2 was chaged?

I also read that Should the game crash at 0x, all bets will be refunded which also does not seems to be the case today.

So why are things different than they were described in this forum in the past?

Thanks for any clarification


Title: Re: Bustabit.com Provably Fair Seeding Event
Post by: MFahad on September 04, 2020, 06:33:51 PM
Sorry if posting at wrong place, I can move the post

I read a post from 2018 I think that said the version 2 of bustabit will not crash anymore at 1.00, today in 2020 it does crash frequently at 1.00, so this part of V2 was chaged?

I also read that Should the game crash at 0x, all bets will be refunded which also does not seems to be the case today.

So why are things different than they were described in this forum in the past?

Thanks for any clarification

Can you share with us that post which shows that V2 of Bustabit will never crash on 1.00.
If this happens and i auto cash out on 1.01 always, then it would mean that i could not lose the bet and slowly my bankroll willl increase without any
risk  ???


Title: Re: Bustabit.com Provably Fair Seeding Event
Post by: Parisd2002 on September 05, 2020, 01:52:01 PM
I understand that and thats why I went to check on the live game and noticed that indeed it crash at 1.00 frequently.

I would have to read again all of one major Bustabit thread to find it, but it was at time of the announcement of the V2 version,

For the bets refunded when it crash at 1.00, I found that during a google search.


[/quote]

Can you share with us that post which shows that V2 of Bustabit will never crash on 1.00.
If this happens and i auto cash out on 1.01 always, then it would mean that i could not lose the bet and slowly my bankroll willl increase without any
risk  ???
[/quote]


Title: Re: Bustabit.com Provably Fair Seeding Event
Post by: xxjumperxx on September 08, 2020, 09:42:46 AM
Sorry if posting at wrong place, I can move the post

I read a post from 2018 I think that said the version 2 of bustabit will not crash anymore at 1.00, today in 2020 it does crash frequently at 1.00, so this part of V2 was chaged?

I also read that Should the game crash at 0x, all bets will be refunded which also does not seems to be the case today.

So why are things different than they were described in this forum in the past?

Thanks for any clarification

It was never said the BaB V2 cant crash at 1.0. It does and that was never up for a discussion.
I think the first BaB could crash at 0, which did something for the odds I thought.


Title: Re: Bustabit.com Provably Fair Seeding Event
Post by: Saint-loup on September 10, 2020, 07:28:45 PM
Sorry if posting at wrong place, I can move the post

I read a post from 2018 I think that said the version 2 of bustabit will not crash anymore at 1.00, today in 2020 it does crash frequently at 1.00, so this part of V2 was chaged?

I also read that Should the game crash at 0x, all bets will be refunded which also does not seems to be the case today.

So why are things different than they were described in this forum in the past?

Thanks for any clarification
As you can see in the provably fair algorithm

R = 99 / (1-X) with X uniformly distributed on [0;1]

R is then divided by 100 to get the crash multiplier but only the MAX between 1 and R/100 is taken.

That means every time X is =< 0.01 you will get a final crash multiplier equal to 1.

eg : 99/(1-0.01)=99/0.99=100

Code:
 // 3. X = r / 2^52
  let X = r / Math.pow(2, nBits) // uniformly distributed in [0; 1)

  // 4. X = 99 / (1-X)
  X = 99 / (1 - X)

  // 5. return max(trunc(X), 100)
  const result = Math.floor(X)
  return Math.max(1, result / 100)