Bitcoin Forum
Warning: One or more bitcointalk.org users have reported that they believe that the creator of this topic displays some red flags which make them high-risk. (Login to see the detailed trust ratings.) While the bitcointalk.org administration does not verify such claims, you should proceed with extreme caution.
Topic: Provable fairness good practices (Read 530 times)
yogg (OP)
April 15, 2015, 06:31:38 AM
Last edit: April 15, 2015, 07:24:32 AM by yogg
 #1

Hello.

I was wondering about the different ways we can implement provable fairness to different games.
This is truly a great concept, but we have to make sure it can't be exploited by some smart player.

What would be the best way to do so ?

I mean, most of the dice sites use a combination of :
- Some <player secret> variable.
- a hidden and later revealed <server secret> variable. This variable should be changed regularly.
- Maybe a nonce like "Bet ID".

This solution seems pretty safe since no one can predict the result of some bet. The server secret in use is theoretically unknown to players so no one can calculate a bet outcome before it takes place.

What about blocks hashes ?

I remember http://www.bitmillions.com .. It was a lottery game. There was a draw every time there was a new block.
In this case, the block hash only was used to calculate and pick up the winning numbers.
Now, this site is down for about a year, I'm not sure why and when it went down.

I liked that website. It went down without notice and I never saw any more news about it.
What could possibly have happened ?

As far as I understand the provable fairness concept, they could have been exploited :
Some miner calculates a block but doesn't broadcast it right away. He first plays on bitmillions.com with the winning numbers (since he knows the block hash because he found one).
Then, when his participation is confirmed, he broadcasts the block and boom he gets the 1st prize.

The jackpots were progressive, and the top prize was about 1,400 BTC before it went down.

Maybe this is what happened ? I mean, if a game outcome is based only on the block hash, any miner can do the calculations to determine the outcome and bet accordingly.
Would that be doable ? Is it what happened ?

If yes, what would be the best way to prevent this ? Could we simply add some secret <server hash> that changes every 24h and use it with the block hash in the calculations ?
What would be the best way to implement provable fairness in a game based on the block hashes ?

I really understand how difficult it is to come up with a provably fair algorithm that won't be exploited.

Thanks for your answers. :)
Alex194
April 15, 2015, 06:57:04 AM
 #2

Yes, the first option seems to be the most used and probably efficient, even tho "smart players" can still find exploits in other things, like the case on primedice where the guy won tons of btc with an exploit he found.
NLNico
DiceSites.com owner
April 15, 2015, 07:06:53 AM
 #3

Quote from: yogg
> If yes, what would be the best way to prevent this ? Could we simply add some secret <server hash> that changes every 24h and use it with the block hash in the calculations ?
> What would be the best way to implement provable fairness in a game based on the block hashes ?

Yes, if you are doing blockchain bets and use the blockchain hashes you must have some server secret for extra safety vs miners.

If you use "instant bets" so not on blockchain (also called "off-chain") you can just use a server seed and client seed + nonce only.

For a better understanding of provably fair mechanism I recommend everyone to read my article about it: http://dicesites.com/provably-fair
If you really understand the concept it is not too hard to see the weaknesses, which is mostly things like having an exploit that leaks the server seed (even a regular SQL injection can probably read the seed from the DB etc.). I am planning on writing some articles about these weaknesses.

boopy265420
April 15, 2015, 10:44:10 AM
 #4

Quote from: NLNico
> Quote from: yogg
> > If yes, what would be the best way to prevent this ? Could we simply add some secret <server hash> that changes every 24h and use it with the block hash in the calculations ?
> > What would be the best way to implement provable fairness in a game based on the block hashes ?
>
> Yes, if you are doing blockchain bets and use the blockchain hashes you must have some server secret for extra safety vs miners.
>
> If you use "instant bets" so not on blockchain (also called "off-chain") you can just use a server seed and client seed + nonce only.
>
> For a better understanding of provably fair mechanism I recommend everyone to read my article about it: http://dicesites.com/provably-fair
> If you really understand the concept it is not too hard to see the weaknesses, which is mostly things like having an exploit that leaks the server seed (even a regular SQL injection can probably read the seed from the DB etc.). I am planning on writing some articles about these weaknesses.

This article really explains all the aspects of provable fair systems. There are little hidden secrets in servers and seeds which are vulnerable or exploitable as happened a few weeks ago. I would like to see what your next article is about and how these weaknesses can be covered.
elm
April 15, 2015, 02:33:48 PM
 #5

is it known how PrimeDice was cheated? thanks
NLNico
April 15, 2015, 02:41:46 PM
 #6

@boopy265420: thanks :)

@elm: Not yet. Stunna promised to write a blog post about it but didn't yet, you can keep a lookout at http://blog.primedice.com/
Personally I am definitely looking forward to the details about it as a hobby security researcher, although I definitely feel bad for Stunna (and rest of PD team) for the loss.

duckydonald
April 15, 2015, 02:45:59 PM
 #7

Actually I've been studying randomness with randomseed and I'm starting to think there is a way to manipulate the rolls without harming the client seed or server seed, but I haven't got to that point of testing yet.

If I can prove this then I can get all the dice sites shut down.
elm
April 15, 2015, 03:19:18 PM
 #8

Quote from: NLNico
> @boopy265420: thanks :)
>
> @elm: Not yet. Stunna promised to write a blog post about it but didn't yet, you can keep a lookout at http://blog.primedice.com/
> Personally I am definitely looking forward to the details about it as a hobby security researcher, although I definitely feel bad for Stunna (and rest of PD team) for the loss.

@NLNico
thanks for explanation. do you have any explanation in mind? I was sure that PD's provably fair option is 100% secure.
is there a 100% secure provably option for the player and op?
yogg (OP)
April 15, 2015, 03:35:30 PM
 #9

Quote from: elm
> Quote from: NLNico
> > @boopy265420: thanks :)
> >
> > @elm: Not yet. Stunna promised to write a blog post about it but didn't yet, you can keep a lookout at http://blog.primedice.com/
> > Personally I am definitely looking forward to the details about it as a hobby security researcher, although I definitely feel bad for Stunna (and rest of PD team) for the loss.
>
> @NLNico
> thanks for explanation. do you have any explanation in mind? I was sure that PD's provably fair option is 100% secure.
> is there a 100% secure provably option for the player and op?

I might be totally wrong, but from what I understand, the player secret was generated based on time.

That cheating player could have created 2 accounts at the same moment, and used one with small bets to see what was scheduled for this player secret.
When he found the right player secret he just went high stakes with it. Since he knew the outcome of the bets, he could roll max bet every time and be guaranteed to win.

It reminds me of the almanac in Back to the future.
I feel bad for Stunna tho.

To get back to the topic, I am more intrigued by provable fairness but using the different bitcoin block hashes to make the calculations.

What do you think of doing this ? => sha256("block_hash"+"server_secret") with server_secret being changed and revealed every 24hr to allow verification of previous bets ?
As long as the server_secret doesn't leak, no miner can calculate the outcome of a bet before broadcasting some block.

Also, does someone remember BitMillions ? (http://bitcoincasinopro.com/wp-content/uploads/2013/10/bit-millions-main-page.jpg)
I'm curious about what happened to them. I'm not sure their provable fairness algorithm used some kind of server secret so it could be exploited easily.
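
The block-hash scheme discussed in posts #3 and #9, as an added example that is not part of any post in this thread or any site's actual code: the operator publishes a hash of the server secret before the period starts, each draw is derived from the block hash keyed by that secret, and players verify once the secret is revealed. It assumes HMAC-SHA256 in place of the plain sha256(block_hash + server_secret) concatenation, a commitment published in advance (without it the operator could pick the secret after seeing the block), and constructed sample values; all function names are hypothetical.

```python
import hashlib
import hmac

# Constructed sample values (not from the thread). In production the secret
# would come from secrets.token_bytes(32) and be rotated each period.
SERVER_SECRET = b"constructed-secret-for-one-24h-period"
BLOCK_HASH = "00" * 8 + "ab" * 24  # constructed 64-hex-digit stand-in for a block hash


def commit(server_secret: bytes) -> str:
    """Hash the operator publishes BEFORE the period; binds it to one secret."""
    return hashlib.sha256(server_secret).hexdigest()


def outcome(server_secret: bytes, block_hash: str, modulus: int = 10_000) -> int:
    """Roll in [0, modulus) from HMAC-SHA256(key=server_secret, msg=block_hash).

    A miner who knows only block_hash cannot compute this without the secret.
    """
    digest = hmac.new(server_secret, bytes.fromhex(block_hash), hashlib.sha256).digest()
    limit = (2**32 // modulus) * modulus  # values >= limit would bias the modulo
    for i in range(0, len(digest), 4):
        value = int.from_bytes(digest[i:i + 4], "big")
        if value < limit:
            return value % modulus
    raise ValueError("no unbiased 32-bit chunk in digest")  # practically unreachable


def verify(commitment: str, revealed_secret: bytes, block_hash: str, claimed: int) -> bool:
    """Player-side check, run after the operator reveals the secret."""
    if not hmac.compare_digest(commit(revealed_secret), commitment):
        return False  # revealed secret is not the one committed to in advance
    return outcome(revealed_secret, block_hash) == claimed


if __name__ == "__main__":
    published = commit(SERVER_SECRET)          # shown to players up front
    roll = outcome(SERVER_SECRET, BLOCK_HASH)  # computed when the block arrives
    print(published, roll, verify(published, SERVER_SECRET, BLOCK_HASH, roll))
```

The guarantee holds only while the secret stays confidential until reveal, which is the leak risk (for example via SQL injection) raised in post #3.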
duckydonald
April 15, 2015, 03:37:51 PM
 #10

Quote from: yogg
> Quote from: elm
> > Quote from: NLNico
> > > @boopy265420: thanks :)
> > >
> > > @elm: Not yet. Stunna promised to write a blog post about it but didn't yet, you can keep a lookout at http://blog.primedice.com/
> > > Personally I am definitely looking forward to the details about it as a hobby security researcher, although I definitely feel bad for Stunna (and rest of PD team) for the loss.
> >
> > @NLNico
> > thanks for explanation. do you have any explanation in mind? I was sure that PD's provably fair option is 100% secure.
> > is there a 100% secure provably option for the player and op?
>
> I might be totally wrong, but from what I understand, the player secret was generated based on time.
>
> That cheating player could have created 2 accounts at the same moment, and used one with small bets to see what was scheduled for this player secret.
> When he found the right player secret he just went high stakes with it. Since he knew the outcome of the bets, he could roll max bet every time and be guaranteed to win.
>
> It reminds me of the almanac in Back to the future.
> I feel bad for Stunna tho.
>
> To get back to the topic, I am more intrigued by provable fairness but using the different bitcoin block hashes to make the calculations.
>
> What do you think of doing this ? => sha256("block_hash"+"server_secret") with server_secret being changed and revealed every 24hr to allow verification of previous bets ?
> As long as the server_secret doesn't leak, no miner can calculate the outcome of a bet before broadcasting some block.
>
> Also, does someone remember BitMillions ? (http://bitcoincasinopro.com/wp-content/uploads/2013/10/bit-millions-main-page.jpg)
> I'm curious about what happened to them. I'm not sure their provable fairness algorithm used some kind of server secret so it could be exploited easily.


Feel bad? Did he feel bad for all the players that lost their money to a not truly fair game? "What goes around comes around"
yogg (OP)
April 15, 2015, 04:08:34 PM
 #11

Quote from: duckydonald
> Feel bad? Did he feel bad for all the players that lost their money to a not truly fair game? "What goes around comes around"

This is not the topic of that thread. There are already countless accusations against Stunna for that reason.
I think their algorithm is fair. I don't recall that Stunna forced any player to deposit BTC on PD. However having someone take advantage of a design flaw is always unpleasant...
duckydonald
April 15, 2015, 04:09:50 PM
 #12

Quote from: yogg
> Quote from: duckydonald
> > Feel bad? Did he feel bad for all the players that lost their money to a not truly fair game? "What goes around comes around"
>
> This is not the topic of that thread. There are already countless accusations against Stunna for that reason.
> I think their algorithm is fair. I don't recall that Stunna forced any player to deposit BTC on PD. However having someone take advantage of a design flaw is always unpleasant...

well maybe he should pay higher bounties
a1choi
April 16, 2015, 05:06:51 AM
 #13


Quote from: yogg
> I might be totally wrong, but from what I understand, the player secret was generated based on time.


I believe this was just speculation from Dooglus on how something like this could have happened.  I don't think Stunna has said if this is correct or not.  Just a guess from doog.