Provably fair

Commit, reveal, recompute

The crash multiplier for every round is fixed by a server seed that's committed (as a hash) before betting opens. After the round settles, the seed is revealed — so anyone can recompute the result and confirm nothing was changed mid-round.

  1. Commit. Before the round, the engine publishes a hash of the server seed (and links it into a per-tile hash chain). The outcome is now locked but hidden.
  2. Play. The round runs. The crash point is derived deterministically from the committed seed, the aggregated client seed, and the round nonce.
  3. Reveal. Once settled, the engine exposes the revealed seed and the full proof bundle at /rounds/{roundId}/verify.
  4. Recompute. Anyone re-hashes the revealed seed, walks the chain, and re-derives the multiplier — then checks the operator's RS256 attestation signature against the published /fairness/pubkey keys.
Verify it yourself

Catch a forgery, live

Pick a round — your browser fetches the proof, walks the hash chain, recomputes the crash multiplier, and checks the operator’s RS256 signature. Watch it confirm a fair round and reject a tampered one. Nothing to take on faith.

Runs entirely in your browser against the demo’s signed sample bundles — the same verifier that ships in the client.

The proof bundle

A settled round returns an Appendix-C proof bundle plus a non-authoritative recompute the engine ran itself. Illustrative shape:

// GET /rounds/{roundId}/verify  → 200 (settled round)
{
  "round_id": "0192f3a4-...-7c1e",
  "status": "verifiable",
  "bundle": {
    "terminalHash": "9b1f...c4",          // commitment C (pre-round)
    "revealedSeed": "a1f9c2...",          // revealed post-settlement
    "seedIndex": 48213,
    "clientSeedAggregate": "7d2b...e0",
    "nonce": "12",
    "houseEdge": "0.03",
    "expectedMultiplier": "2.41",     // operator-claimed
    "serverSeedHash": "e3b0c44298fc...",
    "committedPayload": "<base64 signed bytes>",
    "attestationSig": "<hex RS256>",
    "signingKeyId": "fairness-2026-01"
  },
  "recompute": {
    "computedMultiplier": "2.41",
    "matchesClaimed": true,
    "seedValid": true
  },
  "note": "Recompute is informational — verify independently."
}

Verification runs entirely in the browser — a hash-chain walk, the multiplier recompute, and an RS256 signature check against the JWKS. No trust in the server required. (Pre-settlement rounds never reveal the seed.)

Provably-fair is not a substitute for certification.

Provably-fair lets a player verify a single round. Third-party RNG/game-math certification (GLI-11/19, iTech Labs / ISO 17025, BMM) is what satisfies licensing in regulated markets. SSGames presents both: the live verifier above, and lab certification — currently in progress.