Each round is deterministic: HMAC_SHA256(serverSeed, clientSeed:nonce) → uint32 → U ∈ [0,1) → crash multiplier. The server publishes SHA256(serverSeed) before the round and reveals the seed after. You can verify any past round.
HMAC_SHA256(serverSeed, clientSeed:nonce)
