Trust, engineered

Provably fair dice

Every backgammon player has muttered it: “these dice are rigged.” On most apps you can never know. On Boardgammon you can — every online match uses a cryptographic commit-reveal protocol that makes the dice mathematically checkable after the game, by you or by anyone.

Provably fair dice Server-generated rolls Public audit pages

The problem with online dice

In over-the-board play you shake the cup yourself. Online, some computer produces the rolls — and you're asked to simply trust that it doesn't favor the house, the stronger player, or whoever pays. Trust is not a protocol. Cryptography is.

How commit-reveal works

  1. The server commits — before the first roll

    When your match is created, the server generates a secret random seed and immediately publishes its cryptographic hash (the commitment) to both players. A hash works one way: it proves the seed existed and was fixed at that moment, while revealing nothing about it. The server can no longer swap the seed — the published hash would stop matching.

  2. Every roll is derived, not invented

    Each roll of the game is computed deterministically from the committed seed and the roll's position in the game (via HMAC, a keyed hash). No human, no live tinkering, no “re-roll until the leader wins” — the whole game's dice were locked in by the commitment before your first checker moved. Your opponent never generates dice, and neither do you: the server is the referee, and even the referee's hands are tied.

  3. The seed is revealed after the game

    When the match ends, the server publishes the secret seed. Now everything is checkable: hash the seed and it must equal the pre-game commitment; recompute each roll's HMAC and it must reproduce exactly the dice you saw, roll by roll.

  4. Anyone can verify

    The Boardgammon app re-runs this verification automatically and shows a “verified fair” check on the match. Prefer not to take our word for it? Every match has a public audit pageapi.boardgammon.com/audit/<game-id> — with the commitment, the revealed seed, and every roll, so any player, spectator, or third-party script can redo the math independently.

Why this matters

  • No loaded dice — provably. Rigging the rolls would require breaking a cryptographic hash function, not just quiet code. If a single die had been altered after the commitment, verification fails loudly.
  • It protects you from us, too. The point of commit-reveal is that you don't have to trust the operator. Our incentives are irrelevant; the math holds either way.
  • Fair dice make ratings and analysis meaningful. Rated ladders, PR scores, and per-game luck metrics are only worth anything on dice nobody can bend. (Yes — the analysis will show you exactly how lucky your opponent got. With numbers.)
  • Server-authoritative play closes the other door. The server also validates every move against the rules, so a modified client can neither conjure rolls nor sneak illegal plays.

The whole protocol in one breath

Hash before the game (the promise) → HMAC-derived rolls during (the referee's tied hands) → seed revealed after (the receipts) → public audit page forever (the proof). That's what “provably fair” means here — not a slogan, a checkable claim.