UVS: a draw's fairness as a fact you can recompute — not a certificate you trust

I've built casino slot machines and gaming systems for 15 years. I mostly stayed away from compliance, but once I had to write the official algorithm description for a certification lab. I made it technically precise, handed it over — and realized nobody read or verified it. The lab ticked the boxes, took the money, issued a paper certificate. Two hours later a hotfix could ship to production and void the certified hash, and nobody would notice. The industry runs on dead paper, not real-time verification. And it isn't only casinos: any draw, lottery, gacha banner, school-place allocation or event-ticket raffle has the same hole. There's a "✓ Provably Fair" badge, a server seed, a hash — and almost nobody ever checks it, often including the operator. UVS (Uncloned Verification Standard) moves the proof of fairness off trusted third-party certificates and onto something anyone can recompute themselves. The invariant: a tier derived from evidence, not claimed The core of the standard is one function, deriveTier . It assigns a draw a trust tier from the evidence actually attached , not from a badge: 🔴 — no anchor, bare seed; 🟡 — notary / self-anchor / a beacon binding without proof the commitment came first; 🟢 — a neutral-registry signature, or trail-immutability, or outcome-binding with a proven commitment. No evidence, no green. The code decides, not a promise. Honest scope first — the part most "provably fair" pitches skip UVS proves that the published rules were followed on the published inputs using the published randomness . It does NOT prove the inputs themselves were honest: an operator can still enter phantom tickets or publish a prize pool that differs from what players were promised. UVS secures one link — the outcome — and secures it completely; guarding the inputs (and KYC, licensing) is a separate control. Better to say it up front than oversell. Two branches, because randomness behaves differently by mechanic uvLottery (draws / gacha) — can reach 🟢 One seeded permutation. Hash a server seed with a public drand round (quicknet, 3s ticks), score every entrant, sort, deal the published pool onto that order: combinedSeed = SHA-256( serverSeed : drandRandomness ) score(id) = SHA-256( combinedSeed : id ) // per participant Sort by score (descending, ties by id), deal prizes top-down. Same inputs → the same list, on any machine, in any language, forever. No hidden state. To stop the operator grinding seeds, the outcome binds to a drand round whose randomness doesn't exist yet at commit time. drand rounds are a deterministic function of time: round = floor (( now − genesis ) / 3 ) + 1 // quicknet genesis = 1692803367 For 🟢 that isn't enough — you need a commitment anchor . The commitmentHash (without the round) is timestamped at two independent RFC-3161 TSAs (FreeTSA + DigiCert, different jurisdictions, in parallel), and the round is then derived from the proven stamp : R = roundAt(genTime)+1 — the first round strictly after the timestamp. So genTime < timeOfRound(R) holds by construction , and the operator never chooses R (nothing to grind). Verification is the spec's reference path: openssl ts -verify -digest <commitmentHash> -in token.tsr -CAfile <ca> "But a TSA is a trusted third party too." Yes — but a neutral one, and two in different jurisdictions make quiet collusion implausible. More importantly the whole chain is publicly re-derivable : refetch the round, re-run the permutation in any language, verify the token. You aren't asked to trust me; you're handed the inputs. uvGame (interactive physics) — honest ceiling is 🟡 Input-seeded commit-reveal: the outcome depends on a committed server seed plus the player's real-time moves. There's no external beacon in the physics loop, so outcome-binding (and 🟢) is impossible by construction. The "Uncloned" layer: a WASM engine built on the fly The word "Uncloned" comes from here. The verification logic isn't baked in statically: per session, the registrar