Posted by Synopsys Editorial Team on February 2, 2015
Synopsys has long certified the random number generators (RNGs) for online gaming sites. The role of random numbers in online gaming is simultaneously critical to the game’s integrity and poorly understood by most players. In this article we will take a look at the role of randomness, what certification can and cannot tell you about it, and what kinds of conclusions are supportable by certifying the RNG of an online game.
Chance plays a role in most online games. Whether it is a lottery, bingo, poker, slot machine, or other casino game online, there is some element of chance. We intuitively recognize that, if the chance element of the game were not truly random—and if some players had knowledge of the non-randomness—then informed players would have an unfair advantage over uninformed players.
Randomness refers to the distribution of outcomes. We want outcomes to be independent. One outcome should not depend on what came before it, nor should it influence what comes after. Random results also lack any predictable bias, cycles in the results, or other patterns. Often randomness is asserted through the results of statistical analysis. Software like Dieharder will take a sample of output from a supposedly random source and identify statistically improbable outcomes. The result is confidence (not proof) that a given result set is random.
Predictability has to do with whether or not the outcome of a random event can be known in advance (partially or completely). Because computers are terrible at behaving randomly, most computer software runs a predictable algorithm to produce a random series of numbers. That is, the series of results possesses all the properties of randomness we described above, but it is predictable. Given the same starting inputs, the same series of outputs will result.
Chance influences the winner a lot in some games, but not very much in others. Consider craps, lotteries, and slot machines: they are 100% luck. Winning or losing depends exclusively on the outcome of the random result. Betting strategies are not luck, but they are beyond the scope of this article. Consider poker: there is exactly one random event in a game of poker. The deck is shuffled randomly. That’s it. The rest of the game is down to the actions of the players. For many poker variants¹ the actions of the players cannot influence the cards that come up. Once the deck is shuffled, it is the actions of the players that determine the winner or the loser of the game.
Because we have certified the random number generators for a number of prominent online gaming sites (including PokerStars), we receive a fair bit of email from people who are convinced that various online games are not random. They blame a lack of randomness for outcomes they see online. This is largely misplaced.
Blaming the RNG is virtually always wrong. One of the only times the RNG really was to blame was when Synopsys determined that a weak RNG was used and developed an exploit. Common complaints are things like:
There are also various conspiracy theories like the “cash out curse.” We cannot cover all of these in a single article, but there is probably a better explanation for these occurrences than a failing in the RNG.
Many players discount the advantages of technology. Good online players are a different breed from good in-person players. Virtually all successful online players have improved their game through technology. They use technology to make themselves a better player, and they use technology to assist them while they play.
There are lots of really good programs out there that analyse hand histories, highlight hands that statistically you play poorly, and help you improve your game. I can’t remember anyone sending me a statistical analysis of their play showing me where they played a large number of hands well consistently, but were seeing statistically improbable results. Many players willing to wager $100 on a single hand or in a single online session of poker have not yet spent $100 to get the analysis program that would analyse their play for weaknesses.
There are also various “heads-up” dashboards that can analyse a situation and give real-time information on a hand. They can tell an online player the number of outs, the probabilities of various good outcomes, and so on. Some of these are against the terms of service for the poker site (but you might be playing against someone using one anyway). Plenty are acceptable, and they definitely provide an advantage versus not using them at all. This means that the person making decisions on their hand is getting a boost from technology.
Humans are prone to all sorts of cognitive biases². Those biases make the losses stand out and the wins recede into the background. This is the other reason why hand histories and statistical analysis are vital. Humans are notoriously bad at “gut feeling” judgments (such as “this site is cheating me”). Numbers, however, are not subject to biases like confirmation bias. Anyone experiencing enough statistically improbable hands that simply cannot be explained by player actions should be able to acquire evidence easily.
When one certifies software, there are limits to what can and cannot be certified. For example, Synopsys takes the unusual step of looking at the source code related to use of the RNG. We look beyond whether the numbers are random and we look at how they are used. We ensure that no bias is introduced by shuffling badly, rounding errors, or other mistakes. It’s actually possible to have a good source of random numbers and introduce bias or predictability through bad software programming. We look at source code to convince ourselves that isn’t happening. However, when we look at a file of program source code, we cannot prove that the code we review produced the executable file sitting on the server’s disk. In fact, even if we examined the bytes in RAM on a given server, it is essentially impossible to prove that the bytes in RAM are the ones put there by loading the binary off the server’s disk. And can a certifier prove that the company in question does not have a version they certify separate from the version they execute? If one considers that sort of duplicity to be likely, no level of certification will suffice. At some point, every certification of software relies on accepting the certified entity’s testimony about some part of the system.
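The point about a good random source still yielding biased results through bad shuffling code can be shown with a small added example (not Synopsys code or any site's code). It compares a common flawed shuffle with Fisher-Yates on a three-card deck, and a plain chi-square test stands in for a full statistical battery such as Dieharder; the function names, seed, and trial count are assumptions chosen for illustration.

```python
import random
from collections import Counter
from itertools import permutations

def naive_shuffle(deck, rng):
    """Flawed: each position swaps with ANY position, giving n**n equally
    likely swap sequences that cannot map evenly onto n! orderings."""
    deck = list(deck)
    n = len(deck)
    for i in range(n):
        j = rng.randrange(n)
        deck[i], deck[j] = deck[j], deck[i]
    return deck

def fisher_yates(deck, rng):
    """Correct: position i swaps only with positions 0..i, giving exactly
    n! equally likely swap sequences, one per ordering."""
    deck = list(deck)
    for i in range(len(deck) - 1, 0, -1):
        j = rng.randrange(i + 1)
        deck[i], deck[j] = deck[j], deck[i]
    return deck

def chi_square(shuffle, cards="ABC", trials=60000, seed=2015):
    """Pearson chi-square of observed orderings against a uniform expectation."""
    rng = random.Random(seed)  # fixed, constructed seed so the run is reproducible
    seen = Counter("".join(shuffle(cards, rng)) for _ in range(trials))
    orders = ["".join(p) for p in permutations(cards)]
    expected = trials / len(orders)
    return sum((seen[o] - expected) ** 2 / expected for o in orders)

# Chi-square critical value for 5 degrees of freedom (6 orderings) at p = 0.001.
CRITICAL_5DF = 20.52

if __name__ == "__main__":
    for shuffle in (naive_shuffle, fisher_yates):
        stat = chi_square(shuffle)
        verdict = "biased" if stat > CRITICAL_5DF else "consistent with uniform"
        print(f"{shuffle.__name__}: chi-square = {stat:.1f} ({verdict})")
```

Both shuffles draw from the same generator, so the difference in the statistic comes entirely from how the random numbers are used, which is why a review of the numbers alone would miss it.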
There is an old saying: “People say that poker is a game of cards using money, but it’s actually a game of money using cards.” Anything about poker that can be proven can be proven with numbers. No anecdotes are necessary or even useful. If an RNG were truly biased, and biased in a way that some players were using to their advantage, it would be pretty obvious in the statistics. Attacking the RNG or its certification is blaming a well-defined element of the game, when there are lots of other aspects at play that are harder to blame because they are harder to name. Failures in the RNG are not supportable with evidence. It is just easier to blame the RNG than to blame an uncertain mix of opponent behaviors, technological disadvantages, and confirmation bias.
¹ Draw poker variants are obvious exceptions.
² To get a good feel for cognitive biases and how they affect people’s decision making, take a look at David McRaney’s book You Are Now Less Dumb.