d32c1b65c1d8a3d38778f5dcb1b6cd94.ppt

- Количество слайдов: 23

Round Saving Bulletin-based Tripartite e-Lottery Protocol Dec. 18, 2001140 C&IS lab. Ham Woo Seok tarzan [email protected] ac. kr

Contents 1. Overview 2. Threats 3. Requirement 4. Pervious Work – KMHN 00, GS 98 5. Proposed scheme 6. Further Works 7. Reference 2

1. Overview n Sports TOTO Target Publisher Seoul Olympic Sports Promotion Foundation(SOSPF) Consignee Tigerpools Korea Game type Result-based (1 X 2) Rate 1, 000 won per an unit (maximum 96 units) Available Up to 10 minutes before game Restriction Less then 100, 000 won a person /Over 19 years old Annual Issue Less than 90 times Prize 50% of the amount of sold tickets If no winner, winning pool is rolled over to the next lottery Sequence l Soccer (K-league), Basket ball Fill out the ticket present ticket with money to vender receive a receipt England (Football Pools, 1923), France (Loto Foot), Italia (Toto. Calcio, Toto. Goal), Japan(TOTO) etc. 3

1. Overview n Real Ticket Image 4

2. Threats n Ticket Information manipulation l Altering, Insertion, Deletion n Promoter’s misbehaviors l Wrong winning computation, No payment of prize, etc n Collusion of lottery components l User, Lottery organizer, Financial facility, Vendor, Audit authorities etc. n Phantom vendors l Receive claims and disappear n Denial of service l Hindrance of normal operation, penalization of server, etc n Disputes l Winner arguments, refund etc 5

3. Requirement n Basic requirement l Reduction of Computational complexity & communication data n Security requirement l R 1: Privacy n l R 2: Fairness n l Lottery ticket cannot tampered R 6: Timeliness n l Participants can verify lottery organizer’s misbehavior to update and add any data illegally R 5: Unforgeability n l Valid winnings could be verified publicly R 4: Reliability n l Every ticket has the same probability to win R 3: Publicly verifiability n l Prize-winner’s privacy should be maintained A lottery should be terminated in the pre-defined period R 7: Traceability n Anyone can decide who made an injustice 6

4. Previous Work – GS 98 n David M. Goldschlag, Stuart G. Stubblebine, IFCA 98 n Drawing number type lottery based on delaying function l Delaying function n Function F is moderately hard to compute given a minimum operation time P, and probability that function is computable is arbitrarily small F preserves the information of its inputs. No information leakage e. g) large number of rounds of DES in OFB mode n Notation l L, C : Lottery server, Client respectively l [X]K : Keyed one way hash function l Cert. C : Certification of client C l Seq : Sequence number of lottery ticket l Time: Time stamp l Seed: betting information l P : critical purchase period l L : the total number of sold tickets 7

4. Previous Work – GS 98 n Phases l Registration n l To make a certain collusion which can control lottery impossible, identification is needed Mapping between client and client agent by certification For anonymous, use bind certificate or lottery service own certificate Purchase Client n n Server Sequence number: to supervise server’s injustice(double issue, nonregistration, etc) by audit query Time Stamp: To verify that Critical purchase period and time is correct and registration was processed within the time 8

4. Previous Work – GS 98 l Critical Purchase period n n l It is published before a lottery game Delaying function cannot yield result within this period Winning Entry Calculation Winning Number All seed values within P n Problems l Only applicable to simple lottery such as number based one l Winning verification time is too long n l l Needed the same time as total game period Insider in server can forge or alter betting information Attacking method computationally, information-theoretically on current cryptosystem is rapidly improving 9

4. Previous Work – KMHN 00 n K. Kobayashi, H. Morita, M. Hakuta, T. Nakanowatari, IEICE 2000 n Soccer lottery protocol Based on Bit commitment & Hash function n Notation l h: hash function l h*: partial information of hash value l TLP: Target Lottery Pattern (=mark sheet) l PID: Personal Identification information l SID: Shop Identification l n: total ticket number sold by a shop l SLI: Concatenation of SID, Lottery number, n) l || : concatenation l Sig: Digital signature l $M: Electronic money 10

4. Previous Work – KMHN 00 n Lottery Protocol : 3 main phases TLP h 2 h 1 SID Promoter Purchase Protocol Inquirty Protocol User Shop User Bank Payment Protocol (Off-line) 11

4. Previous Work – KMHN 00 n Details l Purchase protocol 1) User computes hash value h 1 with the concatenation of hashed PID, TLP n Hashed PID: If original PID used, an malicious insider in bank can impersonate prize winners. Also, PID includes a random number to hide PID itself. n TLP: it is generated by User according to specific rules 2) User sends TLP, h 1, and fee (electronic money) for her betting 3) User receives SID as a receipt and Shop transfer TLP, h 1, $M and SID together 4) Promoter yields h 2 using SID and h 1 and store TLP, h 2, h 1, SID l Inquiry protocol (To verify her betting information is registered) 5) User calculates h 2 n h 2: prevent information difference between Promotor & Shop 6) User sends TLP and partial value of h 2 (=h 2*) to Promoter 7) Promoter searches and extracts matching values with TLP & partial hash value from database and send them to User 12

4. Previous Work – KMHN 00 l After closing (To detect the promoter’s injustice to update the database illegally) 8) Promoter notifies Shop the number of lottery tickets which are from Shop 9) Shop confirms the number, if right, she generates signature with SID, lottery number and n. and Promoter generates digital signature on all TLPs and h 2 s l Payment protocol (Off-line operation) 1) Winner sends her hash value of PID 2) She visits the Bank(financial facility) and presents her real ID in person 3) If correct, Bank delivers a prize to her 13

4. Previous Work – KMHN 00 n Problems l No reliability, unforgeability: Promoter can find possible partial combination of summation of TLP and h 2. n l No reliability and unforgeability: Collusion of Promoter and Shop might be occurred to get manipulate total lottery number and information n l When fault occurred, one can not trace who made a fault. Inconvenience: Prize-payment by off-line n l Since Bank is dependent of promoter and her signature is simple summation of TLP and h 2 No traceability n l she can alter some information which does not match to one from shop after closing the period, since there is no relationship between promotor and shop after bidding end. In case of small prize, User feel inconvenience No privacy: PID can not be secret information n Since all bidder know the type of PID, a fake winner is able to prove herself as a prize winner 14

5. Proposed scheme: notation & assumption n Notation n Assumption l l l Lottery ticket is generated by Users themselves along with pre-defined rules Lottery Organizer allows only allied Banks Operation period is chosen considering transaction time among every components User and Bank communication is secure (ex, SSL, Public key system) Certification is effective in this lottery only 15

5. Proposed scheme n 1 -6. Pre-Preparation Phase P B n 2 -6. Pre-Betting Phase P B 16

5. Proposed scheme n 3 -6 Betting Phase P S P n 4 -6 Closing Phase l When the predetermined lottery operation period is over 17

5. Proposed scheme n 5 -6 Winner Selection Phase l When game is over, automatically selected n 6 -6 Claming of Winning S P B 18

5. Proposed scheme n Communication P B S P 19

6. Evaluation n R 1. Privacy l All data which SP received looks random, No information related player’s identity n R 2. Fairness l Independent ticket generation, No controlling in the sports game n R 3. Publicly verifiability l The result is announced in public media n R 4. Reliability l By Digital signature, Bulletin board , Hash chain n R 5. Unforgeability l By Hash chain and Certificate n R 6. Timeliness l Pre-determined period and Digital signature n R 7. Traceability l By bank’s normal operation and data storing (semi-TTP), interactive protocol 20

7. Comparison KMHN 00 Proposed Multiple choice # of Components 4 3 Winning Payment Off-line On-line (2 I + 1 O) * N + 1 I + 1 O + 1 I (Off/Post) + (inquiry) 2 I*N + 1 O (Pre) + 1 I (Post) R 1. Privacy Δ O R 2. Fairness O O R 3. Publicly verifiability O O R 4. Reliability X O R 5. Unforgeability X O R 6. Timeliness O O R 7. Traceability X O Lottery provider (2 Hash + LBI + SID) * N (1 Hash + LBI + Index)*N + (Hash chain) 1 H + LBI of Winners 1 H + Index Type General # of Communications (I : Interactive, O: One-way) Security Storage Bank 21

8. Conclusion n Proposed Round saving bulletin-board Tripartite electronic lottery protocol n Secure and practical protocol l 7 security requirements l Low Communication loads and reduced storage l No expensive computation n Primitives: Hash chain & Pay (a variant of Payword) n Bank as a semi-TTP 22

References n n n n [1] D. M. goldschlag and S. G. Stubblebine, Publicly Verifiable Lotteries: Applications of Delaying Functions, Proc. of Financial Cryptography 98, LNCS 1465, pp. 214 -226, 1998. [2] Eyal Kushilevitz and Tal Rabin, Fair e-Lotteries and e-Casinos, CT-RSA 2001, LNCS 2020, pp. 100 -109, 2001. [3] F. Bao, R. H. Deng and W. Mao, Efficient and practical fair exchange protocols with off-lint TTP. Proc. of IEEE Symposium on Security and Privacy, pp. 77 -85, 1998. [4] Jianying Zhou and Chunfu Tan, Playing Lottery on the Internet, ICICS 2001, LNCS 2229, pp. 189 -201, 2001. [5] K. Kobayashi, H. Morita, M. Hakuta, and T. Nakanowatari, An Electronic Soccer Lottery System that Uses Bit Commitment, IEICE 00, Vol. E 83 -D, pp. 980 -987, 2000. [6] R. L. Rivest, Electronic Lottery Tickets as Micropayments, Proc. of Financial Cryptography 97, LNCS 1318, pp. 307 -314, 1998. [7] R. L. Rivest and A. Shamir, Pay. Word and Micro. Mint: Two simple micropayment schemes, International workshop on Security Protocols, LNCS 1189, pp. 69 -87, 1997. [8] Ross Anderson, How to cheat at the lottery, Proc. of Computer Security Applications Conference, 1999. [9] available from www. tigerpools. co. kr. [10] available from home. netscape. com/eng/ssl 3. 23