1. Secure and Practical lottery protocol using bank as a notary Sep. 13, 2001 2001140 C&IS lab. Ham Woo Seok tarzan92@icu.ac.kr ICE 615 Network Security Term project Progressive Report

2. by Charlie Ham Lottery -2- Contents 1.Overview 2.Threats 3.Requirement 4.Pervious Work – KMHN00,GS98 5.Proposed scheme 6.Further Works 7.Reference

3. by Charlie Ham Lottery -3- 1.Overview  Sports TOTO  Nationwide issue of tickets was launched Oct. 6  England (Football Pools,1923), France (Loto Foot), Italia (TotoCalcio, TotoGoal), Japan(TOTO) etc. TargetSoccer (K-league), Basket ball PublisherSeoul Olympic Sports Promotion Foundation(SOSPF) ConsigneeTigerpools Korea Game typeResult-based (1X2) Rate1,000 won per an unit (maximum 96 units) AvailableUp to 10 minutes before game RestrictionLess then 100,000 won a person Over 19 years old Annual IssueLess than 90 times Prize50% of the amount of sold tickets If no winner, winning pool is rolled over to the next lottery Current operationFill out the ticket  present ticket with money to vender  receive a receipt

4. by Charlie Ham Lottery -4- 1. Overview  Real Ticket Image

5. by Charlie Ham Lottery -5- 2. Threats  Ticket Information manipulation  Altering, Insertion, Deletion  Promoter’s misbehaviors  Wrong winning computation, No payment of prize, etc  Collusion of lottery components  User, Lottery organizer, Financial facility, Vendor, Audit authorities etc.  Phantom vendors  Receive claims and disappear  Denial of service  Hindrance of normal operation, penalization of server, etc  Disputes  Winner arguments, refund etc

6. by Charlie Ham Lottery -6- 3. Requirement  Basic requirement  Reduction of Computational complexity & communication data  Security requirement  R1: Privacy Prize-winner’s privacy should be maintained  R2: Fairness Every ticket has the same probability to win  R3: Publicly verifiability Valid winnings could be verified publicly  R4: Reliability Participants can verify lottery organizer’s misbehavior to update and add any data illegally  R5: Unforgeability Lottery ticket cannot tampered  R6: Timeliness A lottery should be terminated in the pre-defined period  R7: Traceability Anyone can decide who made an injustice

7. by Charlie Ham Lottery -7- 4. Previous Work – KMHN00  K.Kobayashi, H.Morita, M.Hakuta, T.Nakanowatari, IEICE 2000 Bit commitment & Hash function  Soccer lottery protocol Based on Bit commitment & Hash function  Notation  h: hash function  h*: partial information of hash value  TLP: Target Lottery Pattern (=mark sheet)  PID: Personal Identification information  SID: Shop Identification  n: total ticket number sold by a shop  SLI: Concatenation of SID, Lottery number, n)  || : concatenation  Sig: Digital signature  $M: Electronic money

8. by Charlie Ham Lottery -8-  Lottery Protocol 4. Previous Work – KMHN00 User Promoter Shop SIDh1h2TLP User Bank Soccer Lottery Protocol Payment Protocol (Off-line)

9. by Charlie Ham Lottery -9- 4. Previous Work – KMHN00  Details  Purchase protocol 1) User computes hash value h1 with the concatenation of hashed PID and TLP –Hashed PID: If original PID used, an malicious insider in bank can impersonate prize winners. Also, PID includes a random number to hide PID itself. –TLP: it is generated by User according to specific rules 2) User sends TLP, h1, and fee (electronic money) for her betting 3) User receives SID as a receipt and Shop transfer TLP, h1, $M and SID together 4) Promoter yields h2 using SID and h1 and store TLP, h2, h1, SID  Inquiry protocol (To verify her betting information is registered) 5) User calculates h2 –h2: prevent information difference between Promotor & Shop 6) User sends TLP and partial value of h2 (=h2*) to Promoter 7) Promoter searches and extracts matching values with TLP & partial hash value from database and send them to User  After closing (To detect the promoter’s injustice to update the database illegally) 8) Promoter notifies Shop the number of lottery tickets which are from Shop 9) Shop confirms the number, if right, she generates signature with SID, lottery number and n. And Promoter generates digital signature on all TLPs and h2s  Payment protocol (Off-line operation) 1) Winner sends her hash value of PID 2) She visits the Bank(financial facility) and presents her real ID in person 3) If correct, Bank delivers a prize to her

10. by Charlie Ham Lottery -10- 4. Previous Work – KMHN00  Problems  No reliability, unforgeability: Promoter can find possible partial combination of summation of TLP and h2. she can alter some information which does not match to one from shop after closing the period, since there is no relationship between promotor and shop after bidding end.  No reliability and unforgeability: Collusion of Promoter and Shop might be occurred to get manipulate total lottery number and information Since Bank is dependent on promoter and her signature is simple summation of TLP and h2  No traceability When fault occurred, one can not trace who made a fault.  Inconvenience: Prize-payment by off-line In case of small prize, User feel inconvenience  No privacy: PID can not be secret information Since all bidder know the type of PID, a disguising criminal is able to prove herself as a prize winner

11. by Charlie Ham Lottery -11- 4. Previous Work – GS98  David M. Goldschlag, Stuart G. Stubblebine, IFCA 98 delaying function  Drawing number type lottery based on delaying function  Delaying function Function F is moderately hard to compute given a minimum operation time P, and probability that function is computable is arbitrarily small F preserves the information of its inputs. No information leakage e.g) large number of rounds of DES in OFB mode  Notation  L, C : Lottery server, Client respectively  : Keyed one way hash function  : Certification of client C  Seq : Sequence number of lottery ticket  Time: Time stamp  Seed: betting information  P : critical purchase period  L : the total number of sold tickets

12. by Charlie Ham Lottery -12-  Phases  Registration To make A certain collusion which can control lottery impossible, identification is needed Mapping between client and client agent by certification For anonymous, use bind certificate or lottery service own certificate  Purchase Sequence number: to supervise server’s injustice(double issue, non-registration, etc) by audit query Time Stamp: To verify that Critical purchase period and time is correct and registration was processed within the time  Critical Purchase period It is published before a lottery game Delaying function cannot yield result within this period  Winning Entry Calculation 4. Previous Work – GS98 Client Server All seed values within P Winning Number

13. by Charlie Ham Lottery -13- 4. Previous Work – GS98  Problems  Only applicable to simple lottery such as number based one  Winning verification time is too long Needed the same time as total game period  Insider in server can forge or alter betting information  Attacking method computationally, information-theoretically on current cryptosystem is rapidly improving

14. by Charlie Ham Lottery -14- 5. Proposed scheme – notation & assumption  Notation  Assumption  Lottery ticket is generated by Users themselves along with pre-defined rules  Lottery Organizer allows only allied Banks  Operation period is chosen considering transaction time in every components  User and Bank communication is secure (ex, SSL, Public key system)

15. by Charlie Ham Lottery -15- 5. Proposed scheme - overview U U LO B B MHUHU BIDH LO CoupHUHU

16. by Charlie Ham Lottery -16- 5. Proposed scheme - details  Details  Stage 1: Set up 1)User generates lottery ticket M and Hash value H U which is concatenation M and account information 2)User send Account Information including user’s secret information (such as password), Betunit and Hash value to Bank 3)Bank checks user’s balance and then generates coupon,Coup, which guarantees user balance’s soundness and describes the amount of betting units with bank’s signature (for it, both public key and secret key signature are possible) 4)Bank stores Coup and related hash value, H U to her own DB 5)Bank returns Coup to user  Stage 2: Betting 1)User bets her betting information M and H U with Coup 2)Lottery Organizer, LO sends the received Coup and H U to the designated bank on Coup 3)Bank see if the Coup was issued by herself by checking her signature and the message is equal to original one 4)If 3) is correct, then Bank pay out the money as much as the amount of units 5)LO generates hash value H LO =(M||H U ||BID) and stores H LO, M,H U, and BID in her DB 6)LO generates his signature on H LO, Sig i, whenever she stores each betting information and publishes (H LO, Sig i ) on her bulletin board. 7)LO send receipt, RCT containing registration number and LO’s signature, to User 8)When betting period is over, LO reveals all betting information which has been stored with signature  Stage 3: Winning prize Payment 1)As soon as a match go to end, the result will be published. So, Anybody can verify how many winners are. Then, LO pay back winning prize, WinP, with H U 2)Bank provide a prize to winner’s account which can be verified by comparison received H U and stored H U

17. by Charlie Ham Lottery -17- 5. Proposed scheme – security & property  Security  R1: Privacy Only Bank knows winner’s name and account number. Even the payment of winning prize is carried out between LO and Bank. We normally assume that Bank never disclose its customer’s account information  R2: Fairness When betting period ended, LO open all betting information. So, every ticket has the same probability to win  R3: Publicly verifiability By information opening, it can be provided  R4: Reliability Anyone can check LO’s signature on H LO  R5: Unforgeability To compute H U, One should know account information including user’s secret information. The probability of guessing this secret is negligibly small  R6: Timeliness LO should published every information after pre-determined time period. By this, it can be held  R7: Traceability One of characteristics of E-banking system is that all transaction is recorded. Furthermore, LO issues receipt to user according to his acceptance. Hence, if any problem happens, User can trace which component made a mistake

18. by Charlie Ham Lottery -18- 6. Further Work  More communication data & computational complexity reduction  Comparison with previous scheme  Detailed security analysis  Security requirement reconsideration  Are these enough??

19. by Charlie Ham Lottery -19- 7. Reference  Tigerpools Korea, http://www.tigerpools.co.kr  Korea online lottery system co.ltd., http://www.korealotto.co.kr  K.Kobayashi, H.Morita, M.Hakuta, and T.Nakanowatari, An Electronic Soccer Lottery System that Uses Bit Commitment, IEICE00, Vol.E83-D, pp.980-987,2000.  D.M.goldschlag, S.G.Stubblebine, Publicly Verifiable Lotteries: Applications of Delaying Functions, Proc.of Financial Cryptography 98, LNCS 1465, pp.214-226, 1998.  Ross Anderson, How to cheat at the lottery, Proc. of Computer Security Applications Conference, 1999.  Ronal L.Rivest, Electronic Lottery Tickets as Micropayments, Proc.of Financial Cryptography 97, LNCS 1318, pp.307-314, 1998.  A.Shamir, How to share a secret, CACM 22, pp.612-613, 1979.