Anonymous Electronic Lottery Protocol

Chun-I Fan, Chun-Liang Chang, Ming-Te Chen, Pei-Hsiu Ho

Department of Computer Science and Engineering, National Sun Yat-sen University, Taiwan

Journal of Computers, 20(2), 2009, 58~68

The final publication is available at http://www.airitilibrary.com


Outline

•  Introduction
•  Security Requirements
•  Basic Foundations
•  The Two-Party Electronic Lottery Protocol
•  Security Analysis
•  The Three-Party Electronic Lottery Protocol
•  Comparisons
•  Conclusions
•  Implementation

Introduction (1/3)

•  In order to match various types of lottery games, 2-party and 3-party lottery protocols are designed.

- The 2-party protocol has two parties: users and a Lottery Bank.

- The 3-party protocol has three parties: users, an Issuer, and a Bank.

•  A lottery game has three phases: purchasing a ticket, generation of winning numbers, and claiming the prize.

•  The total prize is determined by all sold tickets.


Introduction (2/3)

•  Drawbacks in the current lottery system:

- It is not convenient for users.

- The lottery issuer may modify the value of the prize.

- The large-prize winner's identity can be known by the bank.

- A winning ticket may be stolen.


Introduction (3/3)

•  Our goals:

- Make lottery games more convenient for users.

- Keep the fairness of transactions.

- Keep the anonymity of users/winners.

- Without publishing the winners' information, everyone can be convinced that each winner can obtain the correct prize.

Security Requirements (1/4)

•  Possible attacks on an electronic lottery game:

- Illegal modifications on an electronic ticket.

- Electronic tickets may be intercepted.

- Winning tickets may be duplicated to claim the prizes.

- The lottery issuer modifies the amount of total or individual prize.

- The lottery issuer forges winning tickets.


Security Requirements (2/4)

•  The anonymity of users

- User: (ID, account number) is kept secret from everyone else.

- Winner: (ID, account number, IP address) is kept secret from everyone else.

•  The total prize and the number of winning tickets must be publicly verifiable

- The lottery issuer cannot modify the total prize.

- The prize for every winning ticket must be correct and verifiable.


Security Requirements (3/4)

•  The unforgeability of (winning) tickets

- No one except the lottery issuer can produce a valid electronic lottery ticket.

- The lottery issuer cannot produce a valid winning ticket after the generation of winning numbers.

•  The fairness on purchasing tickets and claiming prizes

- The transactions of purchasing tickets must be fair.

- All winners can get the correct prizes.


Security Requirements (4/4)

•  The generation of winning numbers must be randomized and publicly verifiable

- It is impossible to predict the winning numbers, and the result of winning numbers must be publicly verifiable.


Basic Foundations

•  Generic partially blind signature scheme

•  Untraceable electronic cash

•  Anonymous channel


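Partially Blind Signature (1/4)

Parties: User, Signer, Verifier. The user holds m and W.

1. Blinding: the user blinds m and sends the blinded message together with W (blinded m # W) to the signer.
2. Signing: the signer uses its key to produce a signature on (blinded m # W).
3. Unblinding: the user unblinds it to obtain the signature on (m # W), the partially blind signature.
4. The verifier checks the signature against (m, W) and outputs True / False.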

Partially Blind Signature (2/4)

•  Only the user can perform the unblinding operation to get the signature.

•  All of the signatures with the same W are indistinguishable from the signer’s point of view.


Partially Blind Signature (3/4)

•  Notations:

H(.)  a secure one-way hash function
B(.)  a blinding function
U(.)  an unblinding function
S(.)  a signing function
V(.)  a verifying function
W  a message which is not blinded by the user

Partially Blind Signature (4/4)

User / Signer

- User: m : a plaintext; r : a blinding factor; α = B(H(m), r)
- User → Signer: α, W
- Signer: t = S(α, W)
- Signer → User: t
- User: s = U(t, r)
- Verify V(s, H(m), W) = true? (s, m, W) is the signature triple.

Untraceable electronic cash

Parties: Customer, Bank, Payee B

Withdrawing:
- Customer → Bank: identity, account no. (Identification Protocol). The Bank verifies the identity.
- Customer and Bank run the Blind Signature Scheme on m, W: the Bank signs on α and deducts W dollars from the account.
- Cash: (s, m, W)

Paying:
- The customer pays (s, m, W) to Payee B.
- Correctness Checking and 2-Spending Checking (E-cash DB).
- Store the cash. Add $W to B’s account.

Anonymous Channel (1/2)

•  Keep the sender's IP address secret from the receiver.

•  Notations:

m  a message
Addr  the address of the receiver
rX, rY  two numbers randomly chosen by the sender
EX(.), EY(.), ER(.)  the encrypting functions of Agent X, Agent Y, and the receiver, respectively
DX(.), DY(.), DR(.)  the decrypting functions of Agent X, Agent Y, and the receiver, respectively

Anonymous Channel (2/2)

Sender / Agent X / Agent Y / Receiver

- Sender → Agent X: EX(EY(ER(m), Addr, rY), rX)
- Agent X: Decrypt the item.
- Agent X → Agent Y: EY(ER(m), Addr, rY)
- Agent Y: Decrypt the item.
- Agent Y → Receiver: ER(m)
- Receiver: Get m.

The Two-Party Electronic Lottery Protocol


The 2-party Protocol (1/5) (Notations)

Ek(.)  an encrypting function with key k
Sk(.)  a signing function with key k
Vk(.)  a signature verification function with key k
B(.)  a blinding function
U(.)  an unblinding function
SBk(.)  the signing function in a partially blind signature scheme with key k
VBk(.)  the verifying function in a partially blind signature scheme with key k
H(.)  a secure one-way hash function

The 2-party Protocol (2/5) (Notations)

bank_pk, bank_sk  the public-private key pair of the Lottery Bank
user_t_pk, user_t_sk  a temporal public-private key pair randomly chosen by the user
e-cash  an electronic cash
W  the period number of the current lotto session, where every ticket has the same W in a lotto session
C  the amount of the prize for a winning ticket
public board  It is used to publish all of the sold lottery tickets and other critical items. It is managed by the Lottery Bank.

The 2-party Protocol (3/5) (Purchasing a ticket)

User / Lottery Bank

- User: n : lottery number; r : blinding factor; m = (n || user_t_pk); α = B(H(m), r)
- User → Lottery Bank: Ebank_pk(α, e-cash)
- Lottery Bank: Check e-cash. t = SBbank_sk(α, W)
- Lottery Bank → User: t, W
- User: s = U(t, r). Check VBbank_pk(s, H(m), W) = true? => (s, m, W) is an electronic ticket.
- User → Lottery Bank (Anonymous Channel): (s, m, W)
- Lottery Bank: Check (s, m, W). Send (s, m, W) to the public board.
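The purchasing exchange above and the generic B, S, U, V steps from the Partially Blind Signature slides, as an added example that is not from the paper or its Java implementation: it swaps in a textbook RSA construction whose public exponent is derived from W, with toy primes. The mapping exp_for, the function buy_ticket, and all sample values are assumptions constructed for illustration.

```python
import hashlib
from math import gcd

# Toy safe primes (constructed, far too small for real use): 2*1019+1 and 2*1031+1.
P, Q = 2039, 2063
N = P * Q
PHI = (P - 1) * (Q - 1)           # known only to the signer (Lottery Bank)

def exp_for(W):
    """Public exponent bound to the unblinded W (assumed mapping, not the paper's).
    Odd and below 1019, so it is always coprime to PHI = 4 * 1019 * 1031."""
    if not 0 <= W <= 507:
        raise ValueError("toy parameters only support 0 <= W <= 507")
    return 2 * W + 3

def H(m: bytes) -> int:           # hash reduced into Z_N (toy, no padding)
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % N

def B(h, r, W):                   # user: alpha = H(m) * r^e_W mod N
    if gcd(r, N) != 1:
        raise ValueError("blinding factor must be invertible mod N")
    return h * pow(r, exp_for(W), N) % N

def S(alpha, W):                  # signer: t = alpha^d_W, d_W = e_W^-1 mod PHI
    return pow(alpha, pow(exp_for(W), -1, PHI), N)

def U(t, r):                      # user: s = t * r^-1 mod N
    return t * pow(r, -1, N) % N

def V(sig, value, W):             # anyone: sig^e_W == value mod N
    return pow(sig, exp_for(W), N) == value

def buy_ticket(number: str, user_t_pk: str, W: int, r: int):
    m = f"{number}||{user_t_pk}".encode()   # m = (n || user_t_pk)
    alpha = B(H(m), r, W)                   # sent to the bank with the e-cash
    t = S(alpha, W)                         # bank signs without seeing H(m)
    s = U(t, r)                             # only the holder of r can unblind
    return {"s": s, "m": m, "W": W, "alpha": alpha, "t": t}

if __name__ == "__main__":
    tk = buy_ticket("03-11-19-27-38-42", "constructed-temp-pubkey", W=42, r=123457)
    print("ticket valid:", V(tk["s"], H(tk["m"]), tk["W"]))
    print("wrong period rejected:", not V(tk["s"], H(tk["m"]), 43))
    # In this construction the blinded pair (t, alpha) satisfies the same equation.
    print("blinded pair checks:", V(tk["t"], tk["alpha"], tk["W"]))
```
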


The 2-party Protocol (4/5) (Claiming the prize)

User / Lottery Bank

- Lottery Bank: Calculate the prize C for every winning ticket and publish it.
- User: r' : blinding factor; m' : random string; α' = B(H(m'), r'); A = Suser_t_sk(H(s||m||W||α'))
- User → Lottery Bank (Anonymous Channel): D = (s, m, W, α'), A
- Lottery Bank:
  1. Check that (A, D) is sent for the first time.
  2. Check W, n.
  3. Check if the ticket is on the public board.
  4. VBbank_pk(s, H(m), W) = true?
  5. Vuser_t_pk(A, H(s||m||W||α')) = true?
  6. t' = SBbank_sk(α', C)
  7. Send t', α' and A to the public board.
- User: The user downloads t'. s' = U(t', r'). VBbank_pk(s', H(m'), C) = true? (s', m', C) is the rewarded e-cash.

The 2-party Protocol (5/5)

•  Public board:

All sold tickets | Amount of prize | User’s blinded messages | User’s signatures | Blinded e-cash
--- | --- | --- | --- | ---
(s1, m1, W) | C1 | α1' | Suser_t_sk1(H(s1||m1||W||α1')) | t1'
(s2, m2, W) | C2 | α2' | Suser_t_sk2(H(s2||m2||W||α2')) | t2'
… | … | … | … | …

The number of all sold tickets is k. The amount of the total prize is P. The signature of all tickets.

Security Analysis (1/4)

•  The anonymity of users
- Each user's ID is not revealed:
=> Each user uses a temporal public-private key pair.
- Each user's lottery number is kept secret from everyone else:
=> Partially blind signatures
- Every winner's IP address is kept secret from everyone else:
=> When purchasing a ticket: her/his lottery number is blinded.
=> When sending tickets to the Lottery Bank: an anonymous channel is used, so her/his IP address is kept secret.
- Each user's account number is never used:
=> untraceable electronic cash.

Security Analysis (2/4)

•  The total prize and the number of winning tickets are publicly verifiable
- The total prize is publicly verifiable:
=> Every ticket is signed and sent to the public board.
=> Users can search their tickets on the public board, and their signed tickets are the evidence for resolving possible disputes.
- The number of winning tickets is publicly verifiable:
=> Every winning ticket is signed and sent to the public board.
- Any illegal modification of the public board is detectable:
=> The signature of all tickets is sent to the public board after the end of selling tickets.

Security Analysis (3/4)

•  The unforgeability of (winning) tickets

- Every ticket is unforgeable:

=> Every ticket is signed by the Lottery Bank.

- Only the real winner can claim the prize:

=> Each winner signs on her/his winning ticket by the temporal private key.

- The Lottery Bank cannot insert, delete, or replace any winning ticket:

=> Any illegal modification of the public board is detectable.


Security Analysis (4/4)

•  The fairness on purchasing tickets and claiming prizes
- A fair transaction protocol can be adopted when purchasing a ticket.
- Users can search their tickets on the public board, and their signed tickets are the evidence for resolving possible disputes.
- Every winner can get her/his prize:
=> by verifying some items on the public board.
- (1) No one else can replace α'
=> Check α' by verifying the signature Suser_t_sk(H(s||m||W||α')).
- (2) Everyone can verify the correctness of the blinded e-cash prize.
=> Check t' by verifying if VBbank_pk(t', α', C) = true.

•  The generation of winning numbers can be random and publicly verifiable
=> Use a secure and publicly verifiable random function.

The Three-Party Electronic Lottery Protocol


The 3-party Protocol (1/5) (Additional Notations)

bank_pk, bank_sk  the public-private key pair of the Bank
issuer_pk, issuer_sk  the public-private key pair of the Issuer
IDI  the identification of the Issuer
public board  It is used to publish all of the sold lottery tickets and other critical items. It is managed by the Issuer.

The 3-party Protocol (2/5) (Purchasing a ticket)

User / Issuer / Bank

- User: n : lottery number; r : blinding factor; m = (n || user_t_pk); α = B(H(m), r)
- User → Issuer: Eissuer_pk(α, e-cash)
- Issuer → Bank: Ebank_pk(IDI, e-cash)
- Bank: Check e-cash. Deposit e-cash to the Issuer's account.
- Bank → Issuer: “fresh”
- Issuer: t = SBissuer_sk(α, W)
- Issuer → User: t, W
- User: s = U(t, r). Check VBissuer_pk(s, H(m), W) = true? => (s, m, W) is an electronic ticket.
- User → Issuer (Anonymous Channel): (s, m, W)
- Issuer: Check (s, m, W). Send (s, m, W) to the public board.

The 3-party Protocol (3/5) (Claiming the prize - part1)

User / Issuer / Bank

- Issuer: Calculate the prize C for every winning ticket and publish it.
- User: r' : blinding factor; m' : random string; α' = B(H(m'), r'); A = Suser_t_sk(H(s||m||W||α'))
- User → Issuer (Anonymous Channel): D = (s, m, W, α'), A
- Issuer:
  1. Check that (A, D) is sent for the first time.
  2. Check W, n.
  3. Check if the ticket is on the public board.
  4. VBissuer_pk(s, H(m), W) = true?
  5. Vuser_t_pk(A, H(s||m||W||α')) = true?
  6. K = Sissuer_sk(H(IDI||α'||C))
- Issuer → Bank: L = (IDI, α', C), K

The 3-party Protocol (4/5) (Claiming the prize - part2)

User / Issuer / Bank

- Bank:
  1. Check that (K, L) is sent for the first time.
  2. Vissuer_pk(K, H(IDI||α'||C)) = true?
  3. t' = SBbank_sk(α', C)
  4. Deduct C dollars from the Issuer's account.
- Bank → Issuer: t'
- Issuer: Send t', α' and A to the public board.
- User: The user downloads t'. s' = U(t', r'). VBbank_pk(s', H(m'), C) = true? (s', m', C) is the rewarded e-cash.

The 3-party Protocol (5/5)

•  Public board:

All sold tickets | Amount of prize | User’s blinded messages | User’s signatures | Blinded e-cash
--- | --- | --- | --- | ---
(s1, m1, W) | C1 | α1' | Suser_t_sk1(H(s1||m1||W||α1')) | t1'
(s2, m2, W) | C2 | α2' | Suser_t_sk2(H(s2||m2||W||α2')) | t2'
… | … | … | … | …

The number of all sold tickets is k. The amount of the total prize is P. The signature of all tickets.

Comparisons

Protocol | anonymity | total prize and winning tickets verifiable | unforgeability of tickets | fairness of transactions | winning result verifiable
--- | --- | --- | --- | --- | ---
Chow’s | N* | Y | Y | Y* | Y
Goldschlag’s | N | Y | Y | N | Y
Ham’s | N | Y** | Y | Y*** | Y**
Kobayashi’s | N | Y | Y | N | Y
Kushilevitz’s | N | Y | Y | N | Y
Zhou’s | N | Y | Y | Y**** | Y
Ours | Y | Y | Y | Y | Y*****

* Chow’s claims that it can integrate the protocol of Zhou’s to achieve the requirement of anonymity and fairness.
** The prize for every winning ticket is assumed to be fixed and public.
*** The protocol uses a Bank as a Notary to process the lottery game.
**** A trusted third party (TTP) is used in the protocol.
***** We adopt any secure and publicly verifiable function to generate the winning numbers.

Conclusions

•  The proposed scheme avoids the drawbacks in the current lottery system.

•  The proposed scheme satisfies all the security requirements needed in an electronic lottery system.

•  Each winner remains anonymous. No one else can learn the identity, the account number, or the IP address of any user/winner.

•  Each winner can be convinced that she/he can obtain the correct prize.

Implementation (2-Party protocol)

•  Language: Java(TM) 2 Runtime Environment, Standard Edition version 1.5.0_06

•  Server: Apache group (MySQL, Java Server Pages)

Purchasing a ticket: Set paths.

Purchasing a ticket: Send items to the Lottery Bank and get the ticket.

Purchasing a ticket: The figure of the Lottery Bank after purchasing a ticket.

Claiming the prize: Set paths and send items to the Lottery Bank.

Claiming the prize: The first page of the public board.

Claiming the prize: The public board.

Claiming the prize: Copy the signature in this ticket.

Claiming the prize: Find and copy the blinded prize on the public board.

Claiming the prize: Paste on the blinded prize and calculate the e-cash prize.

Claiming the prize: The figure of the Lottery Bank after claiming prizes.