# The Truth About RNG Poker Rooms

#### Introduction

In this article, you will learn about one of the most important components of online poker - a random number generator (RNG). The “honesty” of the RNG of various poker rooms is regularly questioned and must be discussed on any poker resource. Users constantly complain about the “twisted” generator, which allows the room to restrain stronger players so that the majority representing the category of “weaker players” remain loyal to the room. Let's see if everything is really so bad with randomness on poker sites.

You all know what a random number generator is and how it is implemented on a computer, but for completeness, I will describe the basic concepts. If you wish, you can skip the next section.

#### Definitions

The random number generator (RNG) should generate a completely random sequence of numbers. Such a sequence can be obtained if some physical natural processes are used, for example: physical noise, cosmic radiation, radiation background, etc. In computer systems, software and hardware RNGs are distinguished. The former are actually a pseudorandom number generator (PRNG) and are an algorithm that generates a sequence of numbers whose elements are almost independent of each other and obey a given distribution. Since the algorithm is predetermined, the sequence of numbers obtained is also predetermined. It turns out if you know the PRNG algorithm, then you can get a "random" sequence.

A hardware RNG is a device that uses any of the external sources of entropy to obtain sequences.

Now RNG is usually implemented by combining the RNG and an external source of entropy. In computers, such a source uses a processor clock counter, sound card noise, or original methods, for example, “ RNG from WiFi noise ”.

#### RNG in online poker

The generation of random sequences of cards along with their transfer from the server to the client is one of the poker room’s security fundamentals, therefore, much attention is paid to them. For such an important system, it is unacceptable to use a pseudo-random number generator, because it will be possible to crack it and get a sequence of numbers, and then decrypt the players' cards and unopened table cards.

All poker rooms receive various certificates to prove the viability of their RNG and software. Cigital is one of the largest companies in this field, engaged in, among other things, certification of poker software and RNG. The largest poker rooms Full Tilt Poker and PokerStars have a certificate for this company. The basis for testing any RNG is the NIST (National Institute of Standards and Technology) test suite based on the US FIPS 140-2 (Federal Information Processing Standard). It includes various tests, from a test for the ratio of 0 to 1 in the generated sequence, to a compression test by the LZO algorithm (a random sequence cannot be significantly compressed because it does not have to have many repeated sequences).

To generate random sequences, they use a system of one or more sources of entropy and the PRNG algorithm. For example, the largest poker room PokerStars uses data from users (mouse movement, reaction time for certain actions, etc.) as a random factor and a hardware Quantum RNG certified by the Swiss Federal Bureau of Metrology. Quantisuses physical processes to generate numerical sequences. He picks up photons and passes them through a translucent mirror. Two events: reflection and transmission of light are taken as 0 and 1. Quantis is available with different interfaces: USB, PCI, PCI-E with a stream of random numbers of 4 Mbps. There is also a 16 Mbps modification for PCI devices. The price of such a device is € 890 - € 1165 for 4 Mbit / s stream and € 2000 for 16 Mbit / s. PokerStars also has criteria for determining a sufficient degree of randomness. For example, if there is not enough data from users, then the distribution does not begin until sufficient generation of random bits by the RNG is ensured. The conversion of a stream of random bits into numbers takes place as follows: if you need a number from 0 to 25, then 5 bits are selected and converted to a number from 0 to 31; if the number is greater than 25, then the process repeats. To shuffle the deck, the original deck is selected and empty, a random card is selected from the first and transferred to the second. So, until all cards are transferred to the initially empty deck.

In general, poker rooms use two types of deck shuffling: single and permanent. In a single deck, it is shuffled once before the distribution, and in constant shuffle, the entire distribution continues. The second option provides additional protection against hacking, because the next table card is unknown until the last moment. A constant shuffle, for example, is used in the second largest poker room - FullTilt. The FullTilt RNG itself is built on a principle similar to PokerStars, 3 independent generators are used: a hardware RNG with a physical source of entropy and two independent RNGs (ISAAC and OpenSSL). In general, this option of combining several random number generators is now used everywhere, but at the dawn of the establishment of online poker, things with the RNG were much worse.

#### Story with Planet Poker and ASF Software Inc.

Planet Poker is the first poker room in the world to offer its users a money game on the Internet. It happened in January 1998. A little later, specialists from Reliable Software Tehnologies (now Cigital) became interested in its security. On the Planet Poker website, the sources of their RNG algorithm were discovered (the algorithm itself belonged to ASF Sowtware Inc.). By this they wanted to show their honesty and reliability, but the source code only helped specialists find gaps in it. Here is the shuffle function of cards from a published algorithm:
procedure TDeck.Shuffle;
var
ctr: Byte;
tmp: Byte;

random_number: Byte;
begin
{Fill the deck with unique cards}
for ctr: = 1 to 52 do
Card [ctr]: = ctr;

{Generate a new seed based on the system clock}
randomize;

{Randomly rearrange each card}
for ctr: = 1 to 52 do begin
random_number: = random (51) +1;
tmp: = card [random_number];
card [random_number]: = card [ctr];
card [ctr]: = tmp;
end;

CurrentCard: = 1;
JustShuffled: = True;
end;

In short, an unsorted deck of cards is taken and cards from 1 to 52 are swapped with any random card. To generate random numbers, Pascal functions random, randomize are used, which use the system timer and the PRNG algorithm to obtain random numbers.

The first error of the algorithm lies in the random (n) function - it, unlike most Pascal functions, returns a value from 0 to n-1. Those. "Random (51) +1" gives us a number from 1 to 51 - a classic off-by-one error. It turns out the current card will never change places with the last 52nd card, which already gives a deviation from the randomness of the deck.

Also, experts from Reliable Software Tehnologies have identified the inconsistency of the algorithm itself, even if the off-by-one error is corrected. To demonstrate this, they used the algorithm described above:
for (i is 1 to n)
Swap i with random position between 1 and n

For ease of calculation, a deck of 3 cards was used. As a result, decks 231, 213, and 132 met more often than 312, 321, and 123. It is clear that for a deck of 52 cards, some options for shuffling the deck should have been more common than others.

Another important omission was the number of possible decks in this RNG. With a real shuffle of cards, 52! = 8.06 * 1067 deck options are possible. Pascal functions generate random numbers based on the system clock. The basis for calculating a random number is the number of milliseconds since midnight. There are only 86,400,000 milliseconds per day, so we have only 86.4 million possible options for shuffling the deck, which is much less than possible.

And this is not all, the shortcomings found do not provide a particular advantage for the players, but the following vulnerability made it possible to fully recognize the sequence of cards in the deck. All again because of the PRNG, or rather its predictability. Researchers wrote an exploit that could exactly show all the cards of the players and the remaining cards of the table after 3 cards laid out on the table. Thus, it was based on 5 well-known cards: 2 players and 3 on the table. Using the RNG algorithm similar to Pascal and selecting a different number of milliseconds with a deviation from the current time (the time of card generation should be close to local time), the exploit found an exact match of 5 known cards and issued all the rest.

After that, the exploit additionally synchronized the local time with the server time, and the following searches took less than one second.

This story turned out well for the players - the exploit was in good hands, and Reliable Software Tehnologies immediately reported the vulnerabilities to ASF Sowtware Inc. (they also used purepoker.com, deltacasino.com in addition to Planet Poker) and later published their report . They estimated the damage if the program fell into bad hands at \$ 100,000 per day. Planet poker and generally online poker, this story caused serious damage, although it did not prevent the industry from actively developing. And “Reliable Software Tehnologies” was renamed “Cigital” and is now a very reputable company for audit and certification of programs.

#### Real Deal and Cut'N Shuffle Technology

We should also mention the poker room Real Deal with their innovative approach to the distribution of cards. The game for real money in it began on May 7, 2010. For shuffling, a real deck of cards and a special shuffle machine for mixing them are used.

This patented device is called Cut'N Shuffle. With it, you get real mixing of a real deck of cards. In addition, the distributing player is invited to cut the deck (he may refuse), which introduces an additional element of randomness. Videos of each shuffling of the deck are stored on the server and any player can get them if desired. This is a fairly young technology, let's see how successful it will be in the future.

#### Conclusion

In conclusion, I would like to speculate about possible fraud with the RNG. The profit of the poker room comes from the rake (the part of the bank that the casino takes away), so for them it does not matter who wins, they only care about the number of rake they play. The idea of ​​a profitable fraud flows from here: more often than not, to distribute good combinations to several players so that they try to play for all the money. It is quite feasible, but everything secret will someday become apparent, and the leak of such information is quite possible. And it is unlikely that a small increase in profit is worth a huge loss if such a fraud is revealed. Therefore, if you play poker and you are fatally unlucky, you should not blame the “twisted” RNG for everything, just wait out the streak of failures and continue playing.

In practice, most often, players try to shift their mistakes to the strengths of the RNG, blaming him for all his own failures. Always analyze your own actions and look for errors before throwing the blame on software developers. Pokeroff.ru

article specially for Habrahabr