Commit, reveal, recompute
The crash multiplier for every round is fixed by a server seed that's committed (as a hash) before betting opens. After the round settles, the seed is revealed — so anyone can recompute the result and confirm nothing was changed mid-round.
- Commit. Before the round, the engine publishes a hash of the server seed (and links it into a per-tile hash chain). The outcome is now locked but hidden.
- Play. The round runs. The crash point is derived deterministically from the committed seed, the aggregated client seed, and the round nonce.
- Reveal. Once settled, the engine exposes the revealed seed and the full proof bundle at
/rounds/{roundId}/verify. - Recompute. Anyone re-hashes the revealed seed, walks the chain, and re-derives the multiplier — then checks the operator's RS256 attestation signature against the published
/fairness/pubkeykeys.
Catch a forgery, live
Pick a round — your browser fetches the proof, walks the hash chain, recomputes the crash multiplier, and checks the operator’s RS256 signature. Watch it confirm a fair round and reject a tampered one. Nothing to take on faith.
Runs entirely in your browser against the demo’s signed sample bundles — the same verifier that ships in the client.
The proof bundle
A settled round returns an Appendix-C proof bundle plus a non-authoritative recompute the engine ran itself. Illustrative shape:
// GET /rounds/{roundId}/verify → 200 (settled round)
{
"round_id": "0192f3a4-...-7c1e",
"status": "verifiable",
"bundle": {
"terminalHash": "9b1f...c4", // commitment C (pre-round)
"revealedSeed": "a1f9c2...", // revealed post-settlement
"seedIndex": 48213,
"clientSeedAggregate": "7d2b...e0",
"nonce": "12",
"houseEdge": "0.03",
"expectedMultiplier": "2.41", // operator-claimed
"serverSeedHash": "e3b0c44298fc...",
"committedPayload": "<base64 signed bytes>",
"attestationSig": "<hex RS256>",
"signingKeyId": "fairness-2026-01"
},
"recompute": {
"computedMultiplier": "2.41",
"matchesClaimed": true,
"seedValid": true
},
"note": "Recompute is informational — verify independently."
} Verification runs entirely in the browser — a hash-chain walk, the multiplier recompute, and an RS256 signature check against the JWKS. No trust in the server required. (Pre-settlement rounds never reveal the seed.)
Provably-fair lets a player verify a single round. Third-party RNG/game-math certification (GLI-11/19, iTech Labs / ISO 17025, BMM) is what satisfies licensing in regulated markets. SSGames presents both: the live verifier above, and lab certification — currently in progress.