What is Provably Fair?

[VII]

I've had a look at a lot of various different online Bitcoin Caisnos and most of them have a recurring theme being 'Provably Fair'. I've never seen this before on any other websites, but I am aware that it is very hard to achieve true randomness.

What makes something Provably Fair? Does it only apply for Bitcoins? Is it truly random?

[zippy_doo]

casinos are a rip - virtual or not. satoshicoin in particular is a big rip-off imho

[Rannasha]

Provably fair means that everyone can see and verify that the casino operates as it claims and that the odds of winning are as advertised. Basically: it means that it can be shown that the casino is not rigged.

Taking Satoshi Dice as example: The transaction ID makes for your "lottery ticket" and since your deposit, the tx-ID and the return payment are all viewable by the public with the use of a blockexplorer, the game is provably fair.

The term has very little to do with odds to win and the house cut. I can make a casino-game that gives you a 1% chance to double up and a 99% chance to lose all and I could make it provably fair.

[VII]

Okay so it uses the transaction id.
I've seen casinos that are different from SatoshiDice in that not every single wager placed is a new transaction. They deposit money onto the website first, and then play with that, making only 2 transactions total (deposit and withdraw) does that mean these casinos are not provably fair?

I don't get exactly how a transaction id confirms that an online casino is not rigged. 

[BitshireHashaway]

I have no idea what these things mean however I am guessing it probably isn't very reliable. It probably isn't provably fair, and that is just a new way of them trying to build up their reliability when they aren't really reliable at all.

[DannyHamilton]

I don't get exactly how a transaction id confirms that an online casino is not rigged.  

Let's use SatoshiDice (SD) as an example.

If they claimed to use a random number to determine if you won, it wouldn't be possible for you to know if the numbers they are using are truly random or not.  They could insert their own "losing" numbers whenever they want and you wouldn't know.  However, if they use your transactionID as the random number, then you know as soon as you submit your transaction whether or not you've won.  You don't need them to tell you, you can just look at your transactionID as see for yourself.  If your transactionID indicates that you won, but they don't pay out, then they aren't "fair".  So, it would seem that would be "provably fair".

However, there is a problem with that solution.  You could run your wallet offline and keep generating transactions without relaying them to peers until you see that you've "won".  Then you can delete all the "losing" transactions and submit only the winning ones when you bring the wallet back online.  So, while using a transactionID makes it impossible for SD to cheat, it makes it very easy for the player to cheat.

So, what SD does is they generate a "secret number" before the day begins (actually, I think they've pre-generated the next 10 years of secret numbers already).  SD doesn't know what your transactionID will be, and you don't know what SD's secret number is.  Now instead of using just your transactionID, SD calculates hmac_sha512(secret number,transactionID).  Since they don't have control over your transactionID, the results of the calculation are unpredictable and as such are essentially random to SD.  Since you don't know what the secret number is, you can't pre-calculate hmac_sha512(secret number,transactionID) to see if you'll win before you broadcast your transaction.

There is still one problem here.  Since the "secret number" is a secret, there is no way to know if SD is just changing the value of the secret number on each transaction to avoid paying big wins.  If they tell everyone what the secret was after the bets are all settled, then nobody will know if they changed the secret after receiving many bets.  If they tell everyone what the secret is before the bets are received, then everyone can once again pre-calculate and only submit the winners.

Instead what SD does is compute a sha256sum of each secret ahead of time and release publicly the value of that hash.  Since this hash value is known ahead of time, they can't change the value of the secret later (because it would result in a different hash value), but the players can't use the value of the hash to pre-calculate their transactions since it isn't possible to reverse the sha256sum algorithm to determine what the secret number is.  Then at the end of the day (after all bets have been settled), SD releases the actual secret number.  By calculating sha256sum on that secret number, you can verify that it results in the same hash value that was released ahead of time.

Now you have a "provably fair" system.  SD can't alter the secret number, and has no control over the transactionID that the players submit.  The player can't check to see if their bet will win before submitting it because they don't have the secret number.  It is impossible to predict the results of the hmac_sha512 calculation, so the resulting number is essentially random. And at the end of the day, everybody can verify that every bet anybody placed was payed appropriately.

[VII]

Ahh, I can understand SD's system clearly now thanks DannyHamilton. Still not convinced by other casinos who opt for the deposit once, withdraw later scheme as they're surely only getting one transactionID, so would they have to generate billions of secret numbers for each and every dice roll/card dealt/wheel spun? If so, surely they could manipulate that secret number?

[redlight]

I've had a look at a lot of various different online Bitcoin Caisnos and most of them have a recurring theme being 'Provably Fair'. I've never seen this before on any other websites, but I am aware that it is very hard to achieve true randomness.

What makes something Provably Fair? Does it only apply for Bitcoins? Is it truly random?

Provably..? Do you mean probably?

[Dabs]

I have a raffle style lottery that will end next week.

Dabs Lotto Number 1. Ends May 20, 2013. 95% payout

I consider it Provably Fair and Cryptographically Verifiable.

I state there how I will determine the winner as follows:

How I will compute your hashes:
1. Get your transaction id, appending a 10 digit number depending on how much you sent.
2. use my secret
3. hash them together as one string
4. sort the hashes

The secret is secret until I publish it, but the SHA-256 hash of that string is:
dcc369beedaba36b1f1b794b75228c16daa2adb9d8fb60b5cd2a3f68ea96a2da

So, I've already posted the hash of the secret. After May 20, 2013, I will post the secret itself. Then anyone and everyone can verify that I did not change the secret if it matches the hash.

Your transaction hash, is essentially random. The hash of your transaction and my secret will essentially be random, but verifiable.

The winner is the final hash that has the lowest value, most probably starting with one or more zeroes. And no player can cheat. They don't know what they are going to get.

The properties of a one way cryptographic hash function such as SHA256 makes the whole thing provably fair.