Introduction

Provably fair is a term that describes a process in which the casino and the player both contribute a value (seed) that is unknown to the other party into a secure hashing algorithm (SHA) along with a round number (nonce). The SHA will combine the three values and output a hexadecimal string that is then used by casinos in their random number generator (RNG). This process is meant to ensure that all the bets were fair and can be verified by the player. If you are unfamiliar with the term and would like to know more about provably fair and why it is important in the online gaming industry, you can read up on the topic in some of our previous articles. I’ve listed them below. For those that are familiar and would like to know the truth that casinos don’t want you to know, read on.

Provably fair random number generation is growing in popularity and is being used by more and more casinos. Sadly, the intention of some casino operators is not to be more transparent; they only want to be perceived as fair. This is unacceptable.

BC.Game is truly the most transparent casino online and continues to raise the bar for what is acceptable in terms of fairness. Click here for a recent example of that bar being raised.

The Alternatives To Provably Fair

The traditional RNG, used by the first online casinos and still used by the majority of online casinos around the world, is very effective at generating pseudo-random numbers. The only downside is that there is no way to prove that a player contributed to the randomness of the result. Trust plays a huge factor in this process. You should never trust a person, place, thing or organization that exists solely for the purpose of relieving you of your money.

Here is one example of how traditional random number generation can work. A system can use a value taken from the clock cycle of your computer’s processor and combine it with an integer created by your mouse movements to generate a random number. Whenever the mouse is clicked over a “bet” button the formula instantly creates a random number based on the predictable clock cycle and the unpredictable motions of the player’s mouse. (Does this sound similar to the relationship between server seeds and client seeds? Yup.)

This type of data collection is known as “entropy” and these numbers are very near to being true random numbers. The mouse movement is just one example. Other methods of entropy data collection can factor in things like atmospheric or white noise, the vibration of electricity from a light bulb, the pattern of a sound wave, etc.

It sounds great to me, except for the fact that so many of the casinos that use traditional RNG have fallen under suspicion of foul play. There is no way to prove it either because they could be doing whatever they want on the back end while presenting anything they want on the front end. That is why we need to reiterate provably fair. Because no matter how random traditional RNG is, the human greed factor will ruin it every time.

Casinos Can Misuse Provably Fair

It is not my intention to point fingers at individual casinos or to be the police of the online gaming industry. I will not tell you where it is or where it is not safe to play. My goal is to restore what it means to be a provably fair casino and to troubleshoot ways to improve upon its current state. As the title of this article reads, there are fundamental flaws that can currently be exploited by greedy, opportunistic casinos. The worst part of what I am about to tell you is, there is no actual way to “prove” that it even happened. It could easily be written off as gambler’s paranoia and anyone outspokenly suspicious could be labeled a sore loser.

Every provably fair online casino will go on and on about how fair and transparent they are. They will include multiple pages or FAQs with lengthy explanations of how they use provably fair RNG on their games as well as provide players with an in house tool for verifying fairness. (These always show that every bet was fair, by the way.) They lean on these tools and explanations like a crutch that is the only thing holding up their exaggerated transparency and perceived fairness. This can all just be smoke and mirrors used to gain trust and fool players that don’t know how they can actively participate in the fairness of their games.

The most common misconception of provably fair is that after a player manually changes their client seed, the casino can no longer change the outcome of the games without being caught and thus, has no opportunity to cheat. This is only partially true. It is not surprising to me that this is as far as most casinos will go with their descriptions, explanations and provably fair verification checkers. The process of generating a game result is much more complicated than the simple hashing of a server seed, client seed and nonce. That is only the first step of a more complicated mathematical process. If you’d like to know more about this specific process and how it could be used against you, click here.

Provably Fair’s Fundamental Flaw

So what, exactly, is the fundamental flaw of provably fair algorithms? The answer is, Too Much Information. There is only one bet that can be considered truly fair and random. That is the very first bet of a seed pair of which the player sets the client seed after the site gives a hashed version of the server seed. The result of EVERY bet after the first is known by the casino and only by the casino! This holds the supposed purpose of provably fair in total contempt.

Many players use the same seed pair for months or until the casino forces them to change it. On top of that, many players have very predictable gambling styles and use specific strategies every time they play. You might be wondering, if a casino were to manipulate the result of a truly provably fair bet, would you, the player, be able to verify that the result was tampered with? Yes. But only if the casino has published the code for every game’s RNG. All of it. Not just the hash from the seed pairs but exactly how that hash string is converted from a hexadecimal value to a decimal value, which piece of that converted decimal value is used and the mathematical equation that turns that piece of the converted value into the result you see on your screen. If a casino only allows you to verify that they did not change the server seed, then you also have to ask yourself, how the hell do I verify the rest of the process? If the casino keeps their code in darkness then you can’t. Once again, this completely undermines the purpose of a casino being provably fair.

I haven’t even gotten to the dirtiest part of how provably fair can be used against you, but let’s add up the facts we’ve gone over so far.

The casino knows the result of every game from the 2nd game to infinity
+
Most players are predictable and rarely change their client seed
+
Most casinos do not publish their complete RNG beyond the hexadecimal string that is created from the provably fair algorithm (server seed:client seed:nonce)
+
Every casino wants your money
+
A casino does not have to change the server seed to cheat
=
This is not looking good for provably fair

Now that you are armed with a little more knowledge of how improperly used provably fair RNG can be used maliciously to screw you out of money, you should be able to effectively choose a safe site to play at, right…..? WRONG! This article is about provably fair being flawed at its core. Even if a site is completely transparent with their RNG, has everything published and open source, provides peer reviewed third party verification tools, has had their RNG verified by third party code auditors and greets you with a smile emoji and a generous bonus every time you play, they can still get over on you.

How?

By deferring or deterring players from ever placing that winning bet in the first place. This dirty trick now has a name that was coined by the legendary player known as @drmethyl….. “Provably Determined Deferring Tactics.” I personally think the term would more accurately describe this scenario if it were called “Unprovable Predetermined Deferring Tactics” but honestly, who cares? A debate over semantics does not help shed light on this very important, highly overlooked problem with provably fair casinos. A casino operator could easily set up a system in which they receive notifications every time a potential big win is coming up. That is all the knowledge they need to decide if they want to interfere with that player’s session. How a casino operator chooses to interfere, if they choose to interfere, is completely up to them. The only limit is the imagination. Here are a few examples….

  • Downtime for that specific game until the winning nonce has passed.
  • Forced update followed by a forced seed change.
  • How about a surprise bonus or event on another game?
  • Error. Error. Please contact support.
  • Change of the game’s rules.
  • Change of the game’s payouts.
  • Skipping the nonce of that bet.
  • Altering the code that the provably fair hash string is used in for that bet. (example: removing the winning numbers as possible results from a keno draw, removing the winning cards from the shuffle of a digital deck of cards, increasing or decreasing the size of the converted decimal value so the result will always be too high or too low.)

That is a long list and I didn’t even have to put any thought into it. Imagine what a casino that has had several years to fine tune their provably determined deferring tactics could have built into their closed source code.

Proposed Solutions And New Standards

As bad as all that sounds, provably fair RNG is still, by far, the best iteration of RNG to date. But, only if it is used correctly and only if players are educated on the ways casinos can cheat them under the guise of transparency and fairness. If this article proves anything, it is the fact that we still have a ways to go before we have completely removed the need for trust from online casinos.

That is the goal of BC.game. To push the online gaming industry forward by setting new standards for fairness and transparency until we have totally eradicated the need to place trust into the casino that you are competing against for money. As of now, there is not even one scenario that I can think of in which provably fair does not still require some level of trust. Let’s change that.

Being the tightly knit community that we are, I know that solutions are always just a conversation away. I’ll propose a few options now to get the ball rolling. I challenge anyone reading this to improve on them or replace them with something better. Here are a few new standards of operation and best practices to expect from casinos.

  1. Each game should have its own seed pair rather than the most common method of using the same seed pair across all games.
  2. No sudden, forced seed changes, especially after an update. Each seed pair should be used for no less than 2³² or 4,294,967,296 bets, or until the player decides to change it. (That long number is not random. It is to protect the casino from a “nonce overflow attack”, explained below.)
  3. Any changes to a game’s payout schemes or rules should be announced well in advance of the changes occurring. Again, this should never be a surprise.
  4. Players should never be allowed to use a house generated client seed.
  5. Onsite information on the benefits of provably fair as well as the potential deferring tactics that could be used against players.
  6. The entire code of each game’s RNG should be published in a non-techie, human readable format.

The “nonce overflow” I mentioned in standard #2 from the list above is the term for exceeding the maximum possible nonces that can be used in a 32-bit system. That number is 2³². In casino terms that is 4,294,967,296 bets. After the maximum number of nonces is reached, the system would reset the nonce to zero, making all of the 4,294,967,296 game results repeat. That would give the player the same information the casino has. All the future results could be generated in an instant by the player. If a casino operator is not aware of this, then their casino could be easily exploited by this flaw.

After performing a search on the topic of provably fair, I am surprised to see that all the information out there is the same information being parroted or reworded by hundreds of different casino blogs, casino ranking sites and casino information sites. Provably fair is praised across the board as the all powerful all knowing answer to transparency and fairness…. Really? Come on crypto community! What happened to your automatic skepticism and natural urge to rebel against the status quo? Acceptance of inferior methods of operation is not how we roll! Venturing down the path of disruption is pointless unless we, as a community and an industry, follow through with what we start.

Best Practices For Players

The effectiveness of provably fair goes only as far as the player’s participation in the process. We have the opportunity to truly disrupt an industry that has been plagued with corruption and deceit from the moment of its creation. As expected, the shady practitioners of the online gaming industry think they can use our weapons of mass disruption against us for their own gain. I won’t let that happen. Will you? Below and in no particular order, are some of the best practices that all players should use to protect themselves while disarming the aforementioned dirtbags.

  • Make sure the casino uses the formula [server seed:client seed:nonce] to generate the hash string used in their RNG.
  • Always manually change your client seed AFTER the casino gives you the hashed version of their server seed.
  • Make sure the casino does not at any point change the server seed while keeping your client seed the same.
  • Verify bets….. Often.
  • Use third party, non gambling related tools to verify the hexadecimal strings that were created by the provably fair algorithm. The point of this is to make sure that the server seed the casino used has an output that matches the hashed version they gave you before you added your client seed and began placing bets. (I like https://www.tools4noobs.com/online_tools/hash/ but you can easily find one just by searching the term “hashing tools.”)
  • Make sure the casino has published the RNG for every game that you play. Meaning, that you can use the value created by the provably fair algorithm to reproduce the result of every game. Remember, the provably fair algorithm is only the first step of a longer, more complicated process.
  • Ask the casino admins and/or mods questions about their games and how they have integrated provably fair into them.
  • Verify bets….. Yes, I mentioned this twice because it is the single most important way a player can contribute to provable fairness. By proving it.
  • Do not accept random, unannounced and unexplained forced client seed changes. If this happens demand an explanation. If the casino will not give one, withdraw your funds and play somewhere else.
  • Before placing any large bets or making any large deposits, be sure that you can withdraw just as easily as you can deposit. I know this is a little off topic but I feel that it is important to mention.
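
The verification steps from the list above, as a short Python sketch added here for illustration (it is not BC.Game's or any casino's code). SHA-256, the dice mapping in roll_from_hash and the seed values are assumptions; substitute the hash function and the hex-to-decimal conversion that your casino publishes.

```python
import hashlib

def bet_hash(server_seed, client_seed, nonce):
    # The article's formula: server seed:client seed:nonce fed into a SHA function.
    # SHA-256 is an assumption; use the algorithm the casino documents.
    msg = f"{server_seed}:{client_seed}:{nonce}".encode()
    return hashlib.sha256(msg).hexdigest()

def roll_from_hash(hex_digest):
    # Hypothetical dice mapping: first 8 hex characters -> decimal -> 0..9999
    # (hundredths of a roll). This step is only checkable if the casino publishes it.
    return int(hex_digest[:8], 16) % 10000

def audit(commitment, server_seed, client_seed, bets):
    """bets: list of (nonce, reported_roll) copied from the player's bet history."""
    findings = []
    # 1. The revealed server seed must hash to the value shown before betting began.
    if hashlib.sha256(server_seed.encode()).hexdigest() != commitment:
        findings.append("revealed server seed does not match the hash given up front")
    expected_nonce = bets[0][0] if bets else 0
    for nonce, reported in bets:
        # 2. Nonces should advance by one; a gap means a skipped or hidden round.
        if nonce != expected_nonce:
            findings.append(f"nonce gap: expected {expected_nonce}, got {nonce}")
        expected_nonce = nonce + 1
        # 3. Recompute the result end to end and compare with what was displayed.
        roll = roll_from_hash(bet_hash(server_seed, client_seed, nonce))
        if roll != reported:
            findings.append(f"nonce {nonce}: reported {reported}, recomputed {roll}")
    return findings

# Constructed sample data (not from any real casino session).
SERVER_SEED = "constructed-server-seed"
CLIENT_SEED = "player-chosen-client-seed"
COMMITMENT = hashlib.sha256(SERVER_SEED.encode()).hexdigest()
HONEST = [(n, roll_from_hash(bet_hash(SERVER_SEED, CLIENT_SEED, n))) for n in range(5)]
# Same history with nonce 2 missing and the result at nonce 4 altered.
TAMPERED = [HONEST[0], HONEST[1], HONEST[3], (4, (HONEST[4][1] + 1) % 10000)]

if __name__ == "__main__":
    print(audit(COMMITMENT, SERVER_SEED, CLIENT_SEED, HONEST))
    for line in audit(COMMITMENT, SERVER_SEED, CLIENT_SEED, TAMPERED):
        print(line)
```

A nonce gap is not proof of cheating on its own when one seed pair is shared across several games, so compare it against your full bet history before drawing a conclusion.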

In conclusion, provably fair still has a lot of wrinkles that must be ironed out. As of now, “fair” is an exaggeration at best. Most of the sites that claim to be provably fair can only really claim to have a provably unchanged server seed. While that may be sufficient on games with a simple rule set, such as dice, it doesn’t do much to prove fairness on more complicated games, like slots or keno. It is ultimately up to you, the player, to hold these casinos accountable and to make sure they are correctly using provably fair. If not you, then who? The casino? Not likely. I showed you mine. Now, you show me yours.