17

Given the extremely high requirements for unpredictability to prevent casinos from going bankrupt, what random number generation algorithm and seeding scheme is typically used in devices like slot machines, video poker machines, etc.?

EDIT: Related questions:

Community
  • 1
  • 1
dsimcha
  • 67,514
  • 53
  • 213
  • 334
  • Interesting question - I'd have assumed that they would use hardware that provided true randomness (noise generators or whatever), but I imagine that even with those they might use them in conjunction with a PRNG. – Michael Burr Jan 09 '09 at 02:29

10 Answers10

14

There are many things that the gaming sites have to consider when choosing/implementing an RNG. Without due dilligence, it can go spectacularly wrong.

To get a licence to operate a gaming site in a particular jurisdiction usually requires that the RNG has been certified by an independent third-party. The third-party testers will analyse the source code and run statistical tests (e.g. Diehard) to ensure that the RNG behaves randomly. Reputable poker sites will usually include details of the certification that their RNG has undergone (for example: PokerStars's RNG page).

I've been involved in a few gaming projects, and for one of them I had to design and implement the RNG part, so I had to investigate all of these issues. Most poker sites will use some hardware device for entropy, but they won't rely on just hardware. Usually it will be used in conjunction with a pseudo-RNG (PRNG). There are two main reasons for this. Firstly, the hardware is slow, it can only extract a certain number of bits of entropy in a given time period from whatever physical process it is monitoring. Secondly, hardware fails in unpredictable ways that software PRNGs do not.

Fortuna is the state of the art in terms of cryptographically strong PRNGs. It can be fed entropy from one or more external sources (e.g. a hardware RNG) and is resilient in the face of attempted exploits or RNG hardware failure. It's a decent choice for gaming sites, though some might argue it is overkill.

Pokerroom.com used to just use Java's SecureRandom (they probably still do, but I couldn't find details on their site). This is mostly good enough, but it does suffer from the degrees of freedom problem.

Most stock RNG implementations (e.g. Mersenne Twister) do not have sufficient degrees of freedom to be able to generate every possible shuffle of a 52-card deck from a given initial state (this is something I tried to explain in a previous blog post).

EDIT: I've answered mostly in relation to online poker rooms and casinos, but the same considerations apply to physical video poker and video slots machines in real world casinos.

Dan Dyer
  • 53,737
  • 19
  • 129
  • 165
  • Read your blog. Very interesting although the degree of free argument is flawed. Mersenne has 2^64 different starting points, but it's sequences are 2^19937 numbers long. If you do not re-seed between shuffles you will eventually hit every deck combo. There is 2^64 starting decks not total decks. – Tall Jeff Jan 10 '09 at 14:13
  • In any case I definitely up-voted your answer and particularly appreciate the practical points and experience with the application. – Tall Jeff Jan 10 '09 at 14:14
  • @Jeff, you will eventually hit every combination, but from a given state the next shuffle can be only one of 2^64 possibilities. In practice it probably doesn't matter, but in theory it's nicer to have every shuffle to be possible. – Dan Dyer Jan 10 '09 at 14:20
  • The [2002 update to the original MT algorithm](http://www.math.sci.hiroshima-u.ac.jp/~m-mat/MT/efaq.html) lets you determine any arbitrary section of the internal state by allowing for seeds of up to 19968 bits, giving you 2^19937 degrees of freedom (31 of the internal state bits are not used to generate numbers), so the issue you mentioned only exists if you are using an ancient implementation (or a port based on one - of which there are surprisingly many). The real problem with MT is that given a relative small sample of outputs you can calculate the internal state. – JBentley Feb 18 '14 at 01:40
  • @DanDyer: Your first link redirects to a page which says "Not Found". (I know it has been a while ...) – Nobody moving away from SE Feb 17 '16 at 10:10
13

For a casino gaming applications, I think the seeding of the algorithm is the most important part to make sure all games "booted" up don't run through the same sequence or some small set of predictable sequences. That is, the source of entropy leading to the seed for the starting position is the critical thing. Beyond that, any good quality random number generator where each bit position as has a ~50/50 probability of being 1/0 and the period is relatively long would be sufficient. For example, something like the Mersenne twister PRNG has such properties.

Using cryptographically secure random generators only becomes important when the actual output of the random generator can be viewed directly. For example, if you were monitoring each number actually generated by the number generator - after viewing many numbers in the sequence - with a non-cryptographic generator information about that sequence can lead to establishing information about all the internal state of the generator. At this point, if you know what the algorithm looks like, you would be able to predict future numbers and that would be bad. The cryptographic generator prevents that reverse engineering back to the internal state so that predicting future numbers becomes "impossible".

However, in the case of a casino game, you would (or should) have no visibility to the actual numbers being generated under the hood. Each time a random number is generated - say a 32-bit number - that number will be used then, for example, mod 52 for a deck shuffling algorithm....no where in that process do you have any idea what numbers were being generated by the algorithm to shuffle that deck. That is, most of the bits of "randomness" is just being thrown out and even the ones being used you have no visibility to. Therefore, no way to reverse engineer the state.

Getting back to a true source of entropy to seed the whole process, that is the hard part. See the Wikipedia entry on entropy for some starting points on techniques.

As an aside, if you did want cryptographically sequence random numbers from a "regular" algorithm, a simple approach is to take a few random numbers in sequence, concatenate them together and then run something like MD5 or SHA-1 on them and the result is just as random and also cryptographically secure. That is, you just made your own "secure" random number generator.

Tall Jeff
  • 9,834
  • 7
  • 44
  • 61
  • 2
    Security by obscurity (i.e., hiding your algorithms and/or some system parameters) is generally not a good idea. An insider attack is all it takes to break the system. However, using fast hash functions makes sense if speed is a concern. – PolyThinker Jan 09 '09 at 04:55
  • 7
    From what I've read, slots and the like continually generate random numbers even when not being played. The number chosen is based on when the button is pressed; thus, the security of the RNG is relatively unimportant. – Nick Johnson Jan 09 '09 at 10:34
  • @Arachnid - that is a good add. Continually generating numbers and using button presses as the source of entropy makes the seeding [somewhat] less critical. – Tall Jeff Jan 09 '09 at 13:35
  • @PolyThinker - the issue is not obscuring the algorithms and such - The issue is whether or not standing in the casino if you will have access to the numbers or state information or not. You won't, so I'm saying the crypto part becomes unnecessary. – Tall Jeff Jan 09 '09 at 13:41
  • 2
    There was I video horse racing game in Australia a few years ago that suffered from bad seeding. During the time when the game was not in use it showed a "demo" version of a horse race. Except that the demo version turned out to be what was in use when you played the game. Thus you already knew which horse had won. – Peter M Jul 21 '10 at 10:23
  • 9
    How disappointing to see a highly up voted answer recommend Mersenne Twister. Mersenne Twister is *NOT SUITABLE* for this application. It is not cryptographically secure: given some of its outputs, you can predict future outputs. That's a serious problem for a gambling machine. Also, the claims about "no direct visibility" are baloney: they are witchcraft with no solid technical basis underlying them. Just because you have transformed the output of a non-secure PRNG somehow, does not necessarily make it secure. I hope no one will follow the advice in this answer. – D.W. Dec 19 '13 at 19:12
  • 3
    The mod example for bringing a random number generator result into a certain range is usually a bad idea, as it can introduce bias. – Adrian McCarthy Dec 19 '13 at 22:20
  • I recently contacted a government approved testing lab to look into getting a gaming random number generator certified. They told me the majority use Mersenne Twister. Which to my ears is a little concerning. Still I guess the argument about hiding the raw about probably holds true. Although I would prefer there was no weakness to hide in the first place! – Charlie M Sep 18 '14 at 19:15
5

We've been using the Protego R210-USB TRNG (and the non-usb version before that) as random seed generators in casino applications, with java.security.SecureRandom on top. We had The Swedish National Laboratory of Forensic Science perform a separate audit of the R210, and it passed without a flaw.

neu242
  • 15,796
  • 20
  • 79
  • 114
4

You probably need a cryptographically secure pseudo-random generator. There are a lot of variants. Google "Blum-Blum-Shub", for example.

The security properties of these pseudo-random generators will generally be that, even when the attacker can observe polynomially many outputs from such generators, it won't be feasible to guess the next output with a probability much better than random guessing. Also, it is not feasible to distinguish the output of such generators from truly random bits. The security holds even when all the algorithms and parameters are known by the attacker (except for the secret seed).

The security of the generators is often measured with respect to a security parameter. In the case of BBS, it is the size of the modulus. This is no different from other crypto stuff. For example, RSA is secure only when the key is long enough.

Note that, the output of such generators may not be uniform (in fact, can be far away from uniform in statistical sense). But since no one can distinguish the two distributions without infinite computing power, these generators will suffice in most applications that require truly random bits.

Bear in mind, however, that these cryptographically secure pseudo-random generators are usually slow. So if speed is indeed a concern, less rigorous approaches may be more relevant, such as using hash functions, as suggested by Jeff.

PolyThinker
  • 5,152
  • 21
  • 22
  • i've always loved that name :D – olliej Jan 09 '09 at 02:25
  • 1
    I don't think it is necessary for the PRNG to be cryptographically secure. The seeding is the more important part. I try to address this in more detail in my answer. – Tall Jeff Jan 09 '09 at 03:18
  • B-B-S is exactly what should not be used: "...use M=16873, and hence the period is much lesser than 16873. ... BBS failed all of the statistical tests we have conducted and is therefore not suitable for stochastic simulations." http://www.cs.dartmouth.edu/~akapadia/project2/node11.html – hughdbrown Jan 09 '09 at 03:44
  • @hughdbrown: of course, too small modulus doesn't give you anything. neither security nor statistical randomness. – PolyThinker Jan 09 '09 at 04:32
  • @Jeff, stuff like BBS has the advantage that their security can be proven (with proper assumptions) even when the algorithm itself is known. Your methods will rely more on adhoc assumptions or obscurity (by keeping algo/code secret). – PolyThinker Jan 09 '09 at 04:35
2

Casino slot machines generate random numbers continuously at very high speed and use the most recent result(s) when the user pulls the lever (or hits the button) to spin the reels.

Even a simplistic generator can be used. Even if you knew the algorithm used, you cannot observe where in the sequence it is because nearly all the results are discarded. If somehow you did know where it was in the sequence, you'd have to have millisecond or better timing to take advantage of it.

Modern "mechanical reel" machines use PRNGs and drive the reels with stepper motors to simulate the old style spin-and-brake.

Adrian McCarthy
  • 45,555
  • 16
  • 123
  • 175
1

I suppose anything goes for apps and offshore gambling nowadays, but all these other answers are incomplete, at least for Nevada Gaming Control Board licensed machines, which I believe the question is originally about.

The technical specifications for RNGs licensed in Nevada for gaming purposes are laid out in Regulation 14.040(2).

As of May 24, 2012, here is a summary of the rules a RNG must follow:

  1. Static seeds cannot be used. You have to seed the RNG using a millisecond time source or other true entropy source which has no external readout anywhere on the machine. (This helps to reduce the incidence of "magic number" attacks)
  2. The RNG must continue generating numbers in its sequence at least 100 times per second when the game is not being played. (This helps to avoid timing attacks)
  3. RNG outputs cannot be reused; they must be used exactly once if at all and then thrown away.
  4. Multi-system cabinets must use a separate RNG and separate seed for each game.
  5. Games that use RNGs for helping to choose numbers on behalf of the player (such as Lotto Quick Pick) must use a separate RNG for that process.
  6. Games must not roll RNGs until they are actually needed in a game. (i.e. you need to wait until the player chooses to deal or spin before generating RNGs)
  7. The RNG must pass a 95% confidence chi-squared test based on 10,000 trials as apart of a system test. It must display a warning if this test fails, and it must disable play if it fails twice in a row.
  8. It must remember, and be able to report on, the last 10 test results as described in 7.
  9. Every possible game outcome must be generatable by the RNG. As a pessimal example, linear congruential generators don't actually generate every possible output in their range, so they're not very useful for gaming.

Additionally, your machine design has to be submitted to the gaming commission and it has to be approved, which is expensive and takes lots of time. There are a few third-party companies that specialize in auditing your new RNG to make sure it's random. Gaming Laboratories publishes an even stricter set of standards than Nevada does. They go into much greater detail about the limitations of hardware RNGs, and Nevada in particular likes to see core RNGs that it's previously approved. This can all get very expensive, which is why many developers prefer to license an existing previously-approved RNG for new game projects.

Here is a fun list of random number generator attacks to keep you up late at night.

For super-nerds only: the source for most USB hardware RNGs is typically an avalanche diode. However, the thermal noise produced by this type of diode is not quantum-random, and it is possible to influence the randomness of an avalanche diode by significantly lowering the temperature.

As a final note, someone above recommended just using a Mersenne Twister for random number generation. This is a Bad Idea unless you are taking additional entropy from some other source. The plain vanilla Mersenne Twister is highly inappropriate for gaming and cryptographic applications, as described by its creator.

johnwbyrd
  • 3,432
  • 2
  • 29
  • 25
1

Casinos shouldn't be using Pseudo-random number generators, they should be using hardware ones: http://en.wikipedia.org/wiki/Hardware_random_number_generator

FryGuy
  • 8,614
  • 3
  • 33
  • 47
  • 3
    PRNGs are much faster and somewhat safer because they don't fail in the same way as hardware devices. A good solution is to use hardware devices to seed the PRNG. A PRNG design like Fortuna allows you to continuously mix in entropy from the hardware, but is still safe if the hardware fails. – Dan Dyer Jan 10 '09 at 13:18
  • They should be, but in practice that is definitely not the case, particularly on older machines. – johnwbyrd Feb 17 '16 at 09:28
0

Most poker sites use hardware random number generators. They will also modify the output to remove any scaling bias and often use 'pots' of numbers which can be 'stirred' using entropic events (user activity, serer i/o events etc). Quite often the resultant numbers just index pre-generated decks (starting off as a sorted list of cards).

Tim Ring
  • 1,845
  • 1
  • 20
  • 27
0

If you want to do it properly you have to get physical - ERNIE the UK national savings number picker uses a shot noise in Neon tubes.

Martin Beckett
  • 94,801
  • 28
  • 188
  • 263
0

I for sure have seen a german gambling machine that was not allowed to be ran commercially after a given date, so I suppose it was a PNRG with a looong one time pad seed list.

lImbus
  • 1,578
  • 3
  • 14
  • 25