The problem with online dice
In over-the-board play you shake the cup yourself. Online, some computer produces the rolls — and you're asked to simply trust that it doesn't favor the house, the stronger player, or whoever pays. Trust is not a protocol. Cryptography is.
How commit-reveal works
-
The server commits — before the first roll
When your match is created, the server generates a secret random seed and immediately publishes its cryptographic hash (the commitment) to both players. A hash works one way: it proves the seed existed and was fixed at that moment, while revealing nothing about it. The server can no longer swap the seed — the published hash would stop matching.
-
Every roll is derived, not invented
Each roll of the game is computed deterministically from the committed seed and the roll's position in the game (via HMAC, a keyed hash). No human, no live tinkering, no “re-roll until the leader wins” — the whole game's dice were locked in by the commitment before your first checker moved. Your opponent never generates dice, and neither do you: the server is the referee, and even the referee's hands are tied.
-
The seed is revealed after the game
When the match ends, the server publishes the secret seed. Now everything is checkable: hash the seed and it must equal the pre-game commitment; recompute each roll's HMAC and it must reproduce exactly the dice you saw, roll by roll.
-
Anyone can verify
The Boardgammon app re-runs this verification automatically and shows a “verified fair” check on the match. Prefer not to take our word for it? Every match has a public audit page —
api.boardgammon.com/audit/<game-id>— with the commitment, the revealed seed, and every roll, so any player, spectator, or third-party script can redo the math independently.
Why this matters
- No loaded dice — provably. Rigging the rolls would require breaking a cryptographic hash function, not just quiet code. If a single die had been altered after the commitment, verification fails loudly.
- It protects you from us, too. The point of commit-reveal is that you don't have to trust the operator. Our incentives are irrelevant; the math holds either way.
- Fair dice make ratings and analysis meaningful. Rated ladders, PR scores, and per-game luck metrics are only worth anything on dice nobody can bend. (Yes — the analysis will show you exactly how lucky your opponent got. With numbers.)
- Server-authoritative play closes the other door. The server also validates every move against the rules, so a modified client can neither conjure rolls nor sneak illegal plays.
The whole protocol in one breath
Hash before the game (the promise) → HMAC-derived rolls during (the referee's tied hands) → seed revealed after (the receipts) → public audit page forever (the proof). That's what “provably fair” means here — not a slogan, a checkable claim.