The cryptographic primitive underneath every provably fair crypto casino. Publish a one-way hash before play, reveal the secret value after, anyone can verify the casino didn't change the seed.
TL;DR
A casino generates a secret seed, publishes SHA-256(seed), then later reveals the seed. Anyone can SHA-256 the revealed seed and check it matches the published hash. If it matches, the seed couldn't have been changed between commit and reveal — so any bet outcome derived from that seed is verifiable.
What is a commit-reveal scheme?
A commit-reveal scheme is a two-phase cryptographic protocol:
- Commit: Party publishes a cryptographic binding to a value, without revealing the value itself.
- Reveal: Party later publishes the actual value. Anyone can verify it matches the commit.
The point: between commit and reveal, the value is locked. The committing party cannot change it. The receiving party doesn't know it yet. This lets two parties agree on a value at time T1 that's only revealed at time T2 — useful for sealed-bid auctions, secret-sharing, and (in our case) gambling outcomes.
Why SHA-256 specifically
SHA-256 is a hash function with three security properties that matter here:
- Preimage resistance. Given a hash, you cannot find an input that produces it. So publishing the hash doesn't leak the seed.
- Second-preimage resistance. Given an input, you cannot find a different input that produces the same hash. So the casino can't swap seeds mid-game.
- Collision resistance. You cannot find any two inputs that produce the same hash. This generalizes #2 across all possible seeds.
SHA-256 has been deployed for two decades without a practical break. It's the same hash function Bitcoin uses for mining. It's a reasonable bet that it stays secure for the next two decades too.
The actual flow on AgentBet
When you create an account or rotate seeds:
- We generate a random 256-bit server seed using
random_bytes(32) (the OS-level CSPRNG).
- We compute
SHA-256(server_seed) and store both the seed and its hash in the fair_seeds table.
- We publish the hash to you (visible on the fairness page when logged in).
- You can change your client seed at any time. Default is a random 32-character hex string.
- Every bet uses
SHA-256(server_seed:client_seed:nonce). The bet result extracts specific bits of this hash. The nonce increments by 1 per bet.
- When you rotate seeds (or we force-rotate periodically), the old server seed is revealed. You can then re-derive every bet under that seed and verify.
From hash to bet outcome
Different games consume different parts of the hash:
- Coin Flip: The lowest bit of the hash — 0 or 1 — picks heads or tails.
- Dice: The leading 13 hex digits become a 52-bit integer, modulo 10000, divided by 100 → a number between 0.00 and 99.99.
- Plinko: 12 bits of the hash, one per row, decide left or right at each peg.
- Crash: Hash bits seed the multiplier function, which uses bucketed distribution to favor lower multipliers (per the published payout curve).
- Mines: Hash output is used to deterministically shuffle a 25-tile array; the first N tiles become mines.
- Keno: Hash output drives a sequence that picks 10 unique numbers between 1 and 40.
Each mapping is open in our code at includes/fair.php and the in-browser verifier implements all of them client-side using SubtleCrypto.
What commit-reveal does NOT do
- It does not enforce the house edge. The casino chooses the payout table; commit-reveal only guarantees the bet was decided fairly.
- It does not guarantee the casino pays out. You still need the casino to actually send your winnings — that's an off-chain trust assumption (AgentBet pays manually from a public BSC wallet, auditable on chain).
- It does not prevent the casino from refusing your withdrawal request. Provably fair is randomness assurance, not solvency assurance.
Common questions
How is commit-reveal different from on-chain RNG (like Chainlink VRF)?
On-chain RNG generates randomness on a blockchain so no off-chain party can influence it. Commit-reveal generates randomness off-chain but binds the casino to it via a published hash. Both are provably fair; on-chain VRF is more tamper-resistant (no off-chain logs to trust) but is also slower and more expensive per bet.
Could the casino reveal a different seed than the one they committed?
No. Anyone who has the committed hash can verify the revealed seed by hashing it — if the hash doesn't match, the reveal is invalid. The casino has nothing to gain by revealing a different seed because verification would fail and they'd be caught.
Why not just use Bitcoin block hashes as the seed?
Some casinos do this. The tradeoff: block hashes are public and adversarial miners could in theory influence the next block to favor specific outcomes (especially for high-value bets). Casino-generated seeds with SHA-256 commit are simpler and faster, at the cost of trusting that the casino generated the seed honestly (verified at reveal time).
What hash function will replace SHA-256?
Probably SHA-3 (Keccak) when computational cost considerations shift, or post-quantum hashes when large quantum computers exist. For now SHA-256 is the standard and shows no sign of being broken.