provably-fair | PHP implementation of Bustabit 's Provably Fair system

The page you link to describes the process, however I will try to go in to more detail and provide a C# example.

First there are two hashings that happen. One general hash to prove that the server is not changing the server key as you gamble, this hash is not secret and is given to the player at the start of play. There is also a keyed hash (called a HMAC) to actually generate the dice rolls and uses a combination of the server key, the data the user provided, and a number that counts up.

Here is the process that happens:

1. The server generates a secret key for the play session and sets a counter to 0.
2. SHA256 is used on the key to generate a hash, this hash is given to the player. This hash is not used in any math to generate the dice rolls, it is only used for verification by the player.
3. The player requests a dice roll and provides a phrase to be used in the generation of the number.
4. The server uses a SHA512-HMAC using secret key as the key then the string the user provided plus "-" plus the number of the counter set in step 1 to generate a hash.
5. The server increments the counter by 1, this is done because the same server key is used every time and if the same user string was used it would just generate the same number over and over.
6. The server takes the first 21 bits of the hash generated, converts it to a int, it then checks to see if the int is larger than 999999 if it is it keeps repeating till it finds a number that is not over 999999.
7. It takes the number from step 6 and does number%(10000)/100.0 on it to get a floating point number.
8. That floating point number is returned to the user.
9. Either repeat starting at step 3 for a new roll or continue to step 10.
10. The player signals the play session is over. The server returns the secret key to the user and restarts at step 1.

The user once he gets the secret key from step 10 can hash it using SHA256 and check that he gets the same hash he was told at the start of the play session. He can then re-do all the steps the server did now that he has the secret key and verify that the server did not fake any dice rolls.

How to do this in code: