Electronic National Lotteries

1
Electronic National Lotteries

• Jessica Greer

2
Agenda

• Large-scale electronic lotteries What are they
  good for? (absolutely nothin?)
• Requirements for electronic lottery systems
• Lotteries vs. Casinos
• Konstantinous protocol does it meet the
  requirements?

3
Large-scale E-Lotteries

• Advantages over mechanical systems
• Fast (high frequency)
• Dynamic
• Accessible
• Efficient micropayment scheme

4
Requirements

• Uniform distribution of generated numbers
• Unpredictable by anyone (even with access to
  history, audit logs)
• Unalterable drawing and winner declaration
• Able to detect interference, errors (UK Lotto)
• Standardized, certifiable

5
Requirements, contd..

• Under regular scrutiny
• Details publicly available
• High availability
• Scalability

6
Casinos vs. Lotteries

• Schneiers solution collaboration of gamblers
  for random number generation
• Lotteries Users selections independent of one
  another

7
Protocol Overview
Initialization Generator and verifier exchange
keys for encryption, signature
8
Protocol Overview
1. Generator draws sequence of bits from TRNG for
seeding
9
Protocol Overview
1. Generator draws sequence of bits from TRNG for
seeding
2. Generator executes bit-commitment protocol on
seed bit sequence
Seed commitment based on RSA encryption
RIPEMD-160 hashing
10
Protocol Overview
2. Generator executes bit-commitment protocol on
seed bit sequence
3. Resulting packet sent to Verifier, which signs
the commitment
Seed commitment based on RSA encryption
RIPEMD-160 hashing
11
Protocol Overview
4. Verifier sends generator a hash of file
containing the coupons
3. Resulting packet sent to Verifier, which signs
the commitment
12
Protocol Overview
4. Verifier sends generator a hash of file
containing the coupons
5. Generator concatenates seed with hash value
from Verifier
State-stamping step freezes coupons
13
Protocol Overview
6. Generator feeds first part of original
TRNG-generated bit sequence through Naor-Reingold
function
5. Generator concatenates seed with hash value
from Verifier
14
Protocol Overview
7. Resulting bit stream XORed with 2nd part of
initial seed this result is sent through several
pseudorandom number generators
6. Generator feeds first part of original
TRNG-generated bit sequence through Naor-Reingold
function
15
Protocol Overview
8. Generator opens initial random seed bits
(de-commitment). Encrypts and signs seed
numbers sends file to Verifier. Stops.
7. Resulting bit stream XORed with 2nd part of
initial seed this result is sent through several
pseudorandom number generators
16
Protocol Overview
8. Generator opens initial random seed bits
(de-commitment). Encrypts and signs seed
numbers sends file to Verifier. Stops.
9. Verifier authenticates file, decrypts it,
recovers winning numbers seed used to generate
them
17
Protocol Overview
9. Verifier authenticates file, decrypts it,
recovers winning numbers seed used to generate
them
10. Verifier checks that Generator has committed
to seed
18
Protocol Overview
10. Verifier uses seed to duplicate Generators
tasks. If results match, finalize if not,
restart with Gen2
10. Verifier checks that Generator has committed
to seed
19
Requirements

• Uniform distribution of generated numbers
  TRNGs Naor-Reingold
• Unpredictable by anyone (even with access to
  history) - same
• Unalterable drawing and winner declaration
  Verifier auditing
• Able to detect interference, errors (UK Lotto)
  Verifier auditing, audit logs
• Standardized, certifiable - ?

20
Requirements, contd..

• Under periodic scrutiny alert function in case
  of discrepancies
• Details publicly available paper
• High availability depends on hardware some
  redundancy built-in
• Scalability - ?

21
UKs version
http//www.national-lottery.co.uk/player/p/home/ho
me.do