RNG Algorithms Explained: How Provably Fair Systems Work Under the Hood

The shuffles, dice rolls, and reel spins you see on a modern gaming platform are all the output of a function, not luck. The animation is driven by a Random Number Generator (RNG) that makes the decision in microseconds behind the scenes. For developers, knowing the inner workings of these systems is the difference between relying on a black box and auditing one. This guide explains how RNGs work and how they become provably fair.

What is an RNG?

A true RNG is rarely used in production. Hardware-based true RNGs (TRNGs) extract entropy from real-world sources such as thermal noise, atmospheric jitter, and photon arrival times, and they are slow and expensive. In 99% of gaming platforms, the generator is instead a Pseudo-Random Number Generator (PRNG): a deterministic algorithm that, when supplied with a seed, generates a sequence of numbers that appears random under statistical analysis.

The catch: the same seed always produces the same sequence. That’s a problem for fairness, and the entire reason provably fair architectures exist.

Here are some of the common PRNGs you will find in use:

  • Mersenne Twister (MT19937) — fast, long period (2^19937 − 1), but not cryptographically secure
  • Xoshiro256++ — modern, fast, excellent statistical quality
  • ChaCha20 / AES-CTR DRBG — cryptographically secure, slower, used where security is important
  • OS-level CSPRNGs — /dev/urandom, getrandom(), crypto.randomBytes() in Node.js

If money or a fairness audit is involved, you need a CSPRNG. The NIST SP 800-90A standard specifies the approved deterministic random bit generators (DRBGs) used in regulated environments, and it is the document auditors will refer to.

The Provably Fair Pattern

This is where it gets interesting. A regulated RNG is fair because it has been tested by a third party. A provably fair RNG is fair because you can check the result of each individual spin, after the fact, without relying on anyone. It is the standard players look for when comparing casinos across platforms, which is why the RNG transparency and audit trails of the sites listed in a resource such as this casino comparison for Canadian craps players are given so much importance, apart from bonuses.

The core of it is a commit-reveal scheme based on SHA-256:

  1. Server seed: generated server-side and hashed with SHA-256; the hash is displayed to the player before the round.
  2. Client seed: provided by the player (or editable by the player).
  3. Nonce: a number that is increased by one for each round.
  4. Result: HMAC-SHA256(server_seed, client_seed:nonce) → mapped to the game outcome.
  5. Reveal: the original server seed is revealed after the round. The player hashes it, verifies that the hash matches the original commitment, and recomputes the HMAC to check the result.

The server has published its hash before the player selects the client seed, so it cannot go back and pick a server seed that gives it a house advantage. The math closes the loop.

Outcome Mapping: Where Bugs Hide

A 256-bit HMAC output carries far more entropy than a dice roll requires. Naive implementations lose fairness in the mapping step, and the classic example is modulo bias. A correct mapping pulls bytes, discards any number that falls in the bias zone, and pulls again. Skip this and your distribution is skewed, audits fail, and “provably fair” becomes a marketing term.
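The commit-reveal steps and the rejection-sampling mapping described above, as an added Python example (not code from this guide or from any platform). The four-byte chunking, the UTF-8 message encoding, and the ":<extra>" suffix used to draw a fresh digest when a whole digest is rejected are assumptions of the example.

```python
import hashlib
import hmac
import secrets

def commit(server_seed: bytes) -> str:
    """Step 1: the SHA-256 hash shown to the player before the round."""
    return hashlib.sha256(server_seed).hexdigest()

def map_digest(digest: bytes, sides: int):
    """Rejection sampling over 4-byte chunks; None if every chunk is rejected."""
    limit = (2**32 // sides) * sides  # values >= limit form the bias zone
    for i in range(0, len(digest) - 3, 4):
        value = int.from_bytes(digest[i:i + 4], "big")
        if value < limit:
            return value % sides + 1  # uniform over 1..sides
    return None

def outcome(server_seed: bytes, client_seed: str, nonce: int, sides: int = 6) -> int:
    """Step 4: HMAC-SHA256(server_seed, client_seed:nonce) mapped to 1..sides."""
    extra = 0
    while True:
        # Assumption: if a whole digest is rejected, append ":<extra>" and redraw.
        msg = f"{client_seed}:{nonce}" + (f":{extra}" if extra else "")
        digest = hmac.new(server_seed, msg.encode(), hashlib.sha256).digest()
        result = map_digest(digest, sides)
        if result is not None:
            return result
        extra += 1

def verify_round(commitment: str, revealed_seed: bytes, client_seed: str,
                 nonce: int, claimed: int, sides: int = 6) -> bool:
    """Step 5: check the reveal against the commitment, then recompute."""
    if not hmac.compare_digest(commit(revealed_seed), commitment):
        return False  # the revealed seed is not the one that was committed to
    return outcome(revealed_seed, client_seed, nonce, sides) == claimed

if __name__ == "__main__":
    seed = secrets.token_bytes(32)          # constructed server seed (CSPRNG)
    shown = commit(seed)                    # published before the round
    result = outcome(seed, "player-seed", 1)
    print(shown, result, verify_round(shown, seed, "player-seed", 1, result))
    # Constructed bytes: 0xFFFFFFFF is in the bias zone for a six-sided die.
    print(map_digest(bytes.fromhex("ffffffff00000007"), 6))
```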

For a more detailed understanding of how RNG fits into the overall payment, session, and game logic, check out our detailed explanation of the complex code that makes a successful online casino.

TL;DR for Developers

Component            Common Choice                     When to Use
-------------------  --------------------------------  --------------------------------
Statistical PRNG     Mersenne Twister, Xoshiro256++    Simulations, non-financial games
Cryptographic PRNG   ChaCha20, AES-CTR DRBG            Anything money-adjacent
Hash for commit      SHA-256                           Industry standard
Outcome derivation   HMAC-SHA256(seed, client:nonce)   Provably fair pattern
Mapping              Rejection sampling                Avoids modulo bias

Provably fair is not magic: it’s a CSPRNG, a hash commitment, and a clean mapping function. If those three are correct, the math will take care of the rest.
