Electronic National Lotteries

Post on 03-Jan-2016


description

Electronic National Lotteries. Jessica Greer. Agenda: Large-scale electronic lotteries: What are they good for? (absolutely nothin’?); Requirements for electronic lottery systems; Lotteries vs. Casinos; Konstantinou’s protocol – does it meet the requirements?

transcript

April 13, 2004 CS 551: Cryptography Applications Bistro

Electronic National Lotteries

Jessica Greer

Agenda

• Large-scale electronic lotteries: What are they good for? (absolutely nothin’?)

• Requirements for electronic lottery systems

• Lotteries vs. Casinos

• Konstantinou’s protocol – does it meet the requirements?

Large-scale E-Lotteries

Advantages over mechanical systems:

- Fast (high frequency)

- Dynamic

- Accessible

- Efficient micropayment scheme


Requirements

• Uniform distribution of generated numbers

• Unpredictable by anyone (even with access to history, audit logs)

• Unalterable – drawing and winner declaration

• Able to detect interference, errors (UK Lotto)

• Standardized, certifiable


Requirements, cont’d

• Under regular scrutiny

• Details publicly available

• High availability

• Scalability

Casinos vs. Lotteries

• Schneier’s solution: collaboration of gamblers for random number generation

• Lotteries: Users’ selections independent of one another


Protocol Overview

Initialization: Generator and verifier exchange keys for encryption, signature

1. Generator draws sequence of bits from TRNG for seeding

2. Generator executes bit-commitment protocol* on seed bit sequence

* Seed commitment based on RSA encryption & RIPEMD-160 hashing

3. Resulting packet sent to Verifier, which signs the commitment

4. Verifier sends generator a hash of file containing the coupons

5. Generator concatenates seed with hash value from Verifier*

* State-stamping step – freezes coupons

6. Generator feeds first part of original TRNG-generated bit sequence through Naor-Reingold function

7. Resulting bit stream XORed with 2nd part of initial seed; this result is sent through several pseudorandom number generators

8. Generator opens initial random seed bits (de-commitment). Encrypts and signs seed & numbers; sends file to Verifier. Stops.

9. Verifier authenticates file, decrypts it, recovers winning numbers + seed used to generate them

10. Verifier checks that Generator has committed to seed

11. Verifier uses seed to duplicate Generator’s tasks. If results match, finalize; if not, restart with Gen2
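The commit, state-stamp, draw and Verifier-replay steps above, as an added Python example (not code from the presentation or from Konstantinou's paper). It uses labelled stand-ins: a SHA-256 hash commitment in place of the RSA/RIPEMD-160 commitment, HMAC-SHA256 in place of the Naor-Reingold function and PRNG cascade, and no signing or encryption; the function names, the 6-of-49 format and the coupon data are constructed for illustration.

```python
import hashlib, hmac, secrets

def commit(seed):
    """Generator: bind to the seed before coupons are frozen (stand-in commitment)."""
    nonce = secrets.token_bytes(32)
    return hashlib.sha256(nonce + seed).digest(), nonce

def draw(seed, stamp, picks=6, pool=49):
    """Derive distinct numbers in 1..pool from seed + state stamp (stand-in PRF)."""
    numbers, counter = [], 0
    limit = 256 - 256 % pool              # reject bytes >= limit: no modulo bias
    while len(numbers) < picks:
        msg = stamp + counter.to_bytes(4, "big")
        counter += 1
        for b in hmac.new(seed, msg, hashlib.sha256).digest():
            n = b % pool + 1
            if b < limit and n not in numbers and len(numbers) < picks:
                numbers.append(n)
    return sorted(numbers)

def verify(commitment, stamp, nonce, seed, coupon_file, claimed):
    """Verifier: check the frozen coupons, the opened commitment, then replay."""
    if not hmac.compare_digest(hashlib.sha256(coupon_file).digest(), stamp):
        return "coupon file changed after state stamp"
    if not hmac.compare_digest(hashlib.sha256(nonce + seed).digest(), commitment):
        return "opened seed does not match commitment"
    if draw(seed, stamp) != claimed:
        return "numbers do not match replay"
    return "ok"

def demo():
    coupons = b"ticket-001:3,11,19,27,35,42\nticket-002:1,2,3,4,5,6\n"  # constructed
    seed = secrets.token_bytes(32)             # stands in for TRNG output
    commitment, nonce = commit(seed)           # commitment sent to Verifier
    stamp = hashlib.sha256(coupons).digest()   # Verifier's hash of the coupon file
    numbers = draw(seed, stamp)                # Generator's draw
    forged = numbers[:-1] + [numbers[-1] % 49 + 1]
    args = (commitment, stamp, nonce)
    return {
        "honest": verify(*args, seed, coupons, numbers),
        "swapped_seed": verify(*args, secrets.token_bytes(32), coupons, numbers),
        "late_coupon": verify(*args, seed, coupons + b"ticket-003:7,8,9\n", numbers),
        "forged_numbers": verify(*args, seed, coupons, forged),
    }

if __name__ == "__main__":
    print(demo())
```

The three failing cases correspond to the audit checks on the slides: a seed chosen after commitment, a coupon added after the state stamp, and winning numbers that the Verifier cannot reproduce.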


Requirements

• Uniform distribution of generated numbers – TRNG’s + Naor-Reingold

• Unpredictable by anyone (even with access to history) - same

• Unalterable – drawing and winner declaration – Verifier auditing

• Able to detect interference, errors (UK Lotto) – Verifier auditing, audit logs

• Standardized, certifiable - ?


Requirements, cont’d

• Under periodic scrutiny – alert function in case of discrepancies

• Details publicly available – paper…

• High availability – depends on hardware; some redundancy built-in

• Scalability - ?

UK’s version

http://www.national-lottery.co.uk/player/p/home/home.do