I know how provably fair works but...

[mexxer-2]

Hey there, well I suppose nearly everyone on this board has heard about provably fair and how it is user verifiable etc. The client seed is entered by user, nonce is "created" by adding 1 successively after every roll, but how is server seed created, which script/algorith does it use to create a random string of letters? Does it differ from site to site?

[adaseb]

Hey there, well I suppose nearly everyone on this board has heard about provably fair and how it is user verifiable etc. The client seed is entered by user, nonce is "created" by adding 1 successively after every roll, but how is server seed created, which script/algorith does it use to create a random string of letters? Does it differ from site to site?

I think its created from the machine time based on the nano/microsecond or put thru a rand function kind of like what you see in Microsoft Excel.

Probably next to impossible to guess.

[mexxer-2]

I think its created from the machine time based on the nano/microsecond or put thru a rand function kind of like what you see in Microsoft Excel.

Probably next to impossible to guess.

Both are exploitable so I'm going with no.

[JackpotRacer]

Hey there, well I suppose nearly everyone on this board has heard about provably fair and how it is user verifiable etc. The client seed is entered by user, nonce is "created" by adding 1 successively after every roll, but how is server seed created, which script/algorith does it use to create a random string of letters? Does it differ from site to site?

I am very interested in the correct answer

thank you for the question

[Lutpin]

Both are exploitable so I'm going with no.

Are they?
It doesn't matter how the server seed is created. That's the idea of provably fair.
Why doesn't it matter?
Because the combination of server and client seed are creating the result, not one of those independently.

You can enter your client seed, basically anything you like,
so the server seed can be exactly the same, anything they like.

[mexxer-2]

Both are exploitable so I'm going with no.

Are they?
It doesn't matter how the server seed is created. That's the idea of provably fair.
Why doesn't it matter?
Because the combination of server and client seed are creating the result, not one of those independently.

You can enter your client seed, basically anything you like,
so the server seed can be exactly the same, anything they like.

They are exploitable by the player. Same thing as hufflepuff in a nutshell

[Lutpin]

They are exploitable by the player. Same thing as hufflepuff in a nutshell

But only if you know how they are created. If you know how things work, if you find an exploit in one specific situation.
So not knowing how exactly one site is creating their server seed is part of the process to prevent userside exploits, right?
Further, it doesn't matter how the site does it, as explained above. That's probably why most people don't know it/don't care.

[Joel_Jantsen]

The scripts can be coded in any back end server side programming language like php or node.is . These languages have random function which generates the randon number based on conditions .Example : generate random().integers<100 .This will allow to generate the numbers less than 100 randomly .When most of the wsbsitss say they are provably fair I never believe it because they can choose what to show and have hiding functions scamming the fuck outta you.

[mexxer-2]

But only if you know how they are created. If you know how things work, if you find an exploit in one specific situation.
So not knowing how exactly one site is creating their server seed is part of the process to prevent userside exploits, right?
Further, it doesn't matter how the site does it, as explained above. That's probably why most people don't know it/don't care.

@Me, you're not supposed to argue with yourself(insider joke)
At any rate, my concern being, the numbers are random but the server seed can be exploitable if the function which creates them is weak(not secure) and known.
P.S: That and I have to create an algorithm for provably fair.

[Lutpin]

When most of the wsbsitss say they are provably fair I never believe it because they can choose what to show and have hiding functions scamming the fuck outta you.

thats funny. thanks for the laugh
That the same for the "provably fair" casino in your sig?

At any rate, my concern being, the numbers are random but the server seed can be exploitable if the function which creates them is weak(not secure) and known.
P.S: That and I have to create an algorithm for provably fair.

I'd suggest a "Don't Ask. Don't Tell." attitude.
P.S.: Who the hell is crazy enough to let YOU take care of that. "(insider joke)"

[ranochigo]

Both are exploitable so I'm going with no.

Are they?
It doesn't matter how the server seed is created. That's the idea of provably fair.
Why doesn't it matter?
Because the combination of server and client seed are creating the result, not one of those independently.

You can enter your client seed, basically anything you like,
so the server seed can be exactly the same, anything they like.

They are exploitable by the player. Same thing as hufflepuff in a nutshell

Hufflepuff incident required the user to know the server seed beforehand and it wasn't due to a weak RNG for the server seed. Hufflepuff was able to get an active seed. The seed was used by multiple players and it was not guessed.

[edmundduke]

Hey there, well I suppose nearly everyone on this board has heard about provably fair and how it is user verifiable etc. The client seed is entered by user, nonce is "created" by adding 1 successively after every roll, but how is server seed created, which script/algorith does it use to create a random string of letters? Does it differ from site to site?

Unfortunately i cant really say how or which algorithm they use as i do not know but i can say that it does differ from site to site. Some sites have the same "basic formula" but some parts like secrets need to be different ect or one site could exploit the other.

[mexxer-2]

Hufflepuff incident required the user to know the server seed beforehand and it wasn't due to a weak RNG for the server seed. Hufflepuff was able to get an active seed. The seed was used by multiple players and it was not guessed.

I am aware of that, but considering no one has talked about how server seeds themselves are created, it got me curious(that and me having to create the algorithm). As for the hufflepuff incident, I meant, if someone knows/accurately guesses how server seeds are created and the algorithm is weak, say it creates variables like "1111111111a", then "111111111b" , or "ab" "al" "et" "eb"(XY, x is unchanged the first time, the second time increased by 4, Y changes by 8 variables) etc, they can know what the next/all server seeds will be.
At any rate, to rephrase my question, how would you make the random variable generator such that the RN(Variable)G in itself is secure.

[vit1988]

We have an intern who moves the mouse all day to create enough entropy for the random generator. 

[dooglus]

It doesn't matter how the server seed is created. That's the idea of provably fair.
Why doesn't it matter?
Because the combination of server and client seed are creating the result, not one of those independently.

It very much matters.

If the server seed is generated using a hash of the current time in millionths of a second then the player can easily cheat. He just needs to notice what the time is when the server seed is created, then hash a few million times in that neighbourhood until he gets the server seed hash that the site has shown him. Then he has the server seed and can predict all his future rolls.

The server seeds should be entirely unpredictable, to prevent such attacks. Collect entropy from wherever you can to make your RNG unpredictable.

[mexxer-2]

It very much matters.

If the server seed is generated using a hash of the current time in millionths of a second then the player can easily cheat. He just needs to notice what the time is when the server seed is created, then hash a few million times in that neighbourhood until he gets the server seed hash that the site has shown him. Then he has the server seed and can predict all his future rolls.

My point as well.

The server seeds should be entirely unpredictable, to prevent such attacks. Collect entropy from wherever you can to make your RNG unpredictable.

What source, as a dice site owner ,would you suggest for a "unpredictable RNG".

[diodio1]

---Snip--- Does it differ from site to site?

Logically Its not necessary  , but practically it depends on the software.
Every dice site is made DEVELOPERS , who develop codes , and person who invest or hold/own the bankroll make sure that the site uses unique software so that no person can cheat them.
Ex: when you wanna attend a party function of someone special then you look for single piece dress so that you have only that copy and that's guarantee that none of people will wear the same cloths at the party.

[MillionsBTCdev]

To answer OP's question, There are different types/kinds of  "scripts/algo" one can use to generate a random seed, and most of the time, it varies from site to site, depending on how it was programmed by their dev. But nowadays, devs stick to what is "common" therefor you might see different sites that uses same algo to generate a random seed. But ofcourse it doesn't mean both site will have the same server seed, (tho there is a very very slim chance it could happen).

You can program a computer to generate a random number, but that program is and will always be at the mercy of its programming. So you cannot actually say that it has given you a random number because the fact is, its just following the sequence of how it is programmed, it generally starts with something then follows a pattern. Tho the complexity of the result is enough to be called random, its never truly random since it is just ruled by a consistently repeating algorithm. This are called "pseudo-random number generators" (PRNG). And most of the site uses this kind of way to generate their seeds.

So any script/algo programmed on a computer is always a PRNG? Answer is No.. One can generate a True Random Number Generator (TRNG) on a computer, this is by use of different kinds of entropy. Some uses a device that relies on thermal, noise or any unpredictable environmental elements that we as humans have no control over. And this can be called a true random number generator. Like ryan said, one can use /dev/random, which uses environmental noise. Another example is, Random.org, which they claim, uses atmospheric noise to generate a true randomness.

So the fact is, most sites uses PRNG? Yes. So there is a possibility to crack it? YES and NO. If we talk of possibility, then yes there is always a possibility of something, but the probability of that happening is so low. Like i said above, the complexity of the results of a PRNG is enough to be called random, therefore the chance to crack a single seed is so low that if compared, you'd have better chance of winning the lottery than trying to crack it in a lifetime.

-uni

[JackpotRacer]

To answer OP's question, There are different types/kinds of  "scripts/algo" one can use to generate a random seed, and most of the time, it varies from site to site, depending on how it was programmed by their dev. But nowadays, devs stick to what is "common" therefor you might see different sites that uses same algo to generate a random seed. But ofcourse it doesn't mean both site will have the same server seed, (tho there is a very very slim chance it could happen).

You can program a computer to generate a random number, but that program is and will always be at the mercy of its programming. So you cannot actually say that it has given you a random number because the fact is, its just following the sequence of how it is programmed, it generally starts with something then follows a pattern. Tho the complexity of the result is enough to be called random, its never truly random since it is just ruled by a consistently repeating algorithm. This are called "pseudo-random number generators" (PRNG). And most of the site uses this kind of way to generate their seeds.

So any script/algo programmed on a computer is always a PRNG? Answer is No.. One can generate a True Random Number Generator (TRNG) on a computer, this is by use of different kinds of entropy. Some uses a device that relies on thermal, noise or any unpredictable environmental elements that we as humans have no control over. And this can be called a true random number generator. Like ryan said, one can use /dev/random, which uses environmental noise. Another example is, Random.org, which they claim, uses atmospheric noise to generate a true randomness.

So the fact is, most sites uses PRNG? Yes. So there is a possibility to crack it? YES and NO. If we talk of possibility, then yes there is always a possibility of something, but the probability of that happening is so low. Like i said above, the complexity of the results of a PRNG is enough to be called random, therefore the chance to crack a single seed is so low that if compared, you'd have better chance of winning the lottery than trying to crack it in a lifetime.

-uni

thank you very much for taking the time to explain your knowledge in a more detailed way.

as I know you are a coder so if all depends on you regarding the provably fair implementation nothing bad can happen to your bank roll. but you know what happened to Magical Dice how could they or any other non coder (like we) prevent this to happen?

[MillionsBTCdev]

To answer OP's question, There are different types/kinds of  "scripts/algo" one can use to generate a random seed, and most of the time, it varies from site to site, depending on how it was programmed by their dev. But nowadays, devs stick to what is "common" therefor you might see different sites that uses same algo to generate a random seed. But ofcourse it doesn't mean both site will have the same server seed, (tho there is a very very slim chance it could happen).

You can program a computer to generate a random number, but that program is and will always be at the mercy of its programming. So you cannot actually say that it has given you a random number because the fact is, its just following the sequence of how it is programmed, it generally starts with something then follows a pattern. Tho the complexity of the result is enough to be called random, its never truly random since it is just ruled by a consistently repeating algorithm. This are called "pseudo-random number generators" (PRNG). And most of the site uses this kind of way to generate their seeds.

So any script/algo programmed on a computer is always a PRNG? Answer is No.. One can generate a True Random Number Generator (TRNG) on a computer, this is by use of different kinds of entropy. Some uses a device that relies on thermal, noise or any unpredictable environmental elements that we as humans have no control over. And this can be called a true random number generator. Like ryan said, one can use /dev/random, which uses environmental noise. Another example is, Random.org, which they claim, uses atmospheric noise to generate a true randomness.

So the fact is, most sites uses PRNG? Yes. So there is a possibility to crack it? YES and NO. If we talk of possibility, then yes there is always a possibility of something, but the probability of that happening is so low. Like i said above, the complexity of the results of a PRNG is enough to be called random, therefore the chance to crack a single seed is so low that if compared, you'd have better chance of winning the lottery than trying to crack it in a lifetime.

-uni

thank you very much for taking the time to explain your knowledge in a more detailed way.

as I know you are a coder so if all depends on you regarding the provably fair implementation nothing bad can happen to your bank roll. but you know what happened to Magical Dice how could they or any other non coder (like we) prevent this to happen?

In an online business, there is no 100% fool proof against this. Even big companies can get in trouble if their devs turn to rogue. But there are ways to prevent this. One example is a structural design of your system. One dev should only be assigned to a certain part of the system and not have access to everything. If the your system is project based, then one dev should have no access to the system at all once the project is finish.  Another is to hire a 3rd party security guy that will double check your site's code and integrity. There maybe other ways, but the fact is, it is doable.

But personally, my opinion is, an owner "MUST" atleast know the basic logic of his own system, you don't have to know how to code, but know how your system works is a must. Trust is a big word when it comes to this "pixelized" online world, but with proper preparation and strategy, an owner wont need this to have a successful site.

The issue with magicaldice is that, they hired a dev, and trusted the dev to run the site and have full access. When MD1 went live, the dev should no longer have access to their database, and only grant access to the dev on special occasions like fixing bugs etc..and then immediately revoke it once it is fixed. I know there maybe "holes" on my statement, but thats the basic. Owners already had this idea, what if their dev create an alt and play.. But they trusted their dev not to do it, which is totally wrong.

-uni