secure and practical lottery protocol using bank as a notary
DESCRIPTION
ICE 615 Network Security Term project Progressive Report. Secure and Practical lottery protocol using bank as a notary. Sep. 13, 2001 2001140 C&IS lab. Ham Woo Seok [email protected]. Contents. Overview Threats Requirement Pervious Work – KMHN00,GS98 Proposed scheme Further Works - PowerPoint PPT PresentationTRANSCRIPT
Secure and Practical lottery protocol Secure and Practical lottery protocol using bank as a notaryusing bank as a notary
Secure and Practical lottery protocol Secure and Practical lottery protocol using bank as a notaryusing bank as a notary
Sep. 13, 20012001140C&IS lab.
Ham Woo [email protected]
ICE 615 Network SecurityTerm project Progressive Report
--22-- by Charlie Hamby Charlie Ham
Lottery
Contents
1. Overview
2. Threats
3. Requirement
4. Pervious Work – KMHN00,GS98
5. Proposed scheme
6. Further Works
7. Reference
--33-- by Charlie Hamby Charlie Ham
Lottery
1. Overview
Sports TOTO Nationwide issue of tickets was launched Oct. 6
England (Football Pools,1923), France (Loto Foot), Italia (TotoCalcio, TotoGoal), Japan(TOTO) etc.
Target Soccer (K-league), Basket ball
Publisher Seoul Olympic Sports Promotion Foundation(SOSPF)
Consignee Tigerpools Korea
Game type Result-based (1X2)
Rate 1,000 won per an unit (maximum 96 units)
Available Up to 10 minutes before game
Restriction Less then 100,000 won a person
Over 19 years old
Annual Issue Less than 90 times
Prize 50% of the amount of sold tickets
If no winner, winning pool is rolled over to the next lottery
Current operation Fill out the ticket present ticket with money to vender receive a receipt
--44-- by Charlie Hamby Charlie Ham
Lottery
1. Overview
Real Ticket Image
--55-- by Charlie Hamby Charlie Ham
Lottery
2. Threats
Ticket Information manipulation Altering, Insertion, Deletion
Promoter’s misbehaviors Wrong winning computation, No payment of prize, etc
Collusion of lottery components User, Lottery organizer, Financial facility, Vendor, Audit authorities etc.
Phantom vendors Receive claims and disappear
Denial of service Hindrance of normal operation, penalization of server, etc
Disputes Winner arguments, refund etc
--66-- by Charlie Hamby Charlie Ham
Lottery
3. Requirement
Basic requirement Reduction of Computational complexity & communication data
Security requirement R1: Privacy
• Prize-winner’s privacy should be maintained
R2: Fairness• Every ticket has the same probability to win
R3: Publicly verifiability• Valid winnings could be verified publicly
R4: Reliability• Participants can verify lottery organizer’s misbehavior to update and add any data illegally
R5: Unforgeability• Lottery ticket cannot tampered
R6: Timeliness• A lottery should be terminated in the pre-defined period
R7: Traceability• Anyone can decide who made an injustice
--77-- by Charlie Hamby Charlie Ham
Lottery
4. Previous Work – KMHN00
K.Kobayashi, H.Morita, M.Hakuta, T.Nakanowatari, IEICE 2000
Soccer lottery protocol Based on Bit commitment & Hash functionBit commitment & Hash function
Notation h: hash function h*: partial information of hash value TLP: Target Lottery Pattern (=mark sheet) PID: Personal Identification information SID: Shop Identification n: total ticket number sold by a shop SLI: Concatenation of SID, Lottery number, n) || : concatenation Sig: Digital signature $M: Electronic money
--88-- by Charlie Hamby Charlie Ham
Lottery
Lottery Protocol
4. Previous Work – KMHN00
UserUser
PromoterPromoter
ShopShop
SIDh1h2TLP
)1||(2)5
)||)((1)1
hSIDhh
TLPPIDhhh
MhTLP ,$1,)2
SID)3
*2,)6 hTLP
2)7 h
)||()9 nSLISig
MhSIDTLP ,$1,,)3n)8
)1||(2)4 hSIDhh )7
)4
SigDigital)9
UserUser BankBank
)()1 PIDh
PID)2
Soccer Lottery Protocol
Payment Protocol
(Off-line)
prize)3
Database
--99-- by Charlie Hamby Charlie Ham
Lottery
4. Previous Work – KMHN00
Details Purchase protocol
• 1) User computes hash value h1 with the concatenation of hashed PID and TLP – Hashed PID: If original PID used, an malicious insider in bank can impersonate prize winners. Also, PID includes a r
andom number to hide PID itself.– TLP: it is generated by User according to specific rules
• 2) User sends TLP, h1, and fee (electronic money) for her betting• 3) User receives SID as a receipt and Shop transfer TLP, h1, $M and SID together• 4) Promoter yields h2 using SID and h1 and store TLP, h2, h1, SID
Inquiry protocol (To verify her betting information is registered)• 5) User calculates h2
– h2: prevent information difference between Promotor & Shop
• 6) User sends TLP and partial value of h2 (=h2*) to Promoter• 7) Promoter searches and extracts matching values with TLP & partial hash value from database and
send them to User
After closing (To detect the promoter’s injustice to update the database illegally) • 8) Promoter notifies Shop the number of lottery tickets which are from Shop• 9) Shop confirms the number, if right, she generates signature with SID, lottery number and n. And
Promoter generates digital signature on all TLPs and h2s
Payment protocol (Off-line operation)• 1) Winner sends her hash value of PID• 2) She visits the Bank(financial facility) and presents her real ID in person• 3) If correct, Bank delivers a prize to her
--1010-- by Charlie Hamby Charlie Ham
Lottery
4. Previous Work – KMHN00
Problems No reliability, unforgeability: Promoter can find possible partial combination of summation of
TLP and h2. • she can alter some information which does not match to one from shop after closing the period, since
there is no relationship between promotor and shop after bidding end.
No reliability and unforgeability: Collusion of Promoter and Shop might be occurred to get manipulate total lottery number and information
• Since Bank is dependent on promoter and her signature is simple summation of TLP and h2
No traceability• When fault occurred, one can not trace who made a fault.
Inconvenience: Prize-payment by off-line • In case of small prize, User feel inconvenience
No privacy: PID can not be secret information• Since all bidder know the type of PID, a disguising criminal is able to prove herself as a prize winner
--1111-- by Charlie Hamby Charlie Ham
Lottery
4. Previous Work – GS98
David M. Goldschlag, Stuart G. Stubblebine, IFCA 98
Drawing number type lottery based on delaying functiondelaying function Delaying function
• Function F is moderately hard to compute given a minimum operation time P, and probability that function is computable is arbitrarily small
• F preserves the information of its inputs. No information leakage• e.g) large number of rounds of DES in OFB mode
Notation L, C : Lottery server, Client respectively : Keyed one way hash function : Certification of client C Seq : Sequence number of lottery ticket Time: Time stamp Seed: betting information P : critical purchase period L : the total number of sold tickets
KX
cCert
--1212-- by Charlie Hamby Charlie Ham
Lottery
Phases Registration
• To make A certain collusion which can control lottery impossible, identification is needed• Mapping between client and client agent by certification• For anonymous, use bind certificate or lottery service own certificate
Purchase
• Sequence number: to supervise server’s injustice(double issue, non-registration, etc) by audit query • Time Stamp: To verify that Critical purchase period and time is correct and registration was processed
within the time
Critical Purchase period• It is published before a lottery game• Delaying function cannot yield result within this period
Winning Entry Calculation
4. Previous Work – GS98
PaymentCertSeed CKc,,
Lc KCLLK CertTimeSegSeed ,,,
ClientClient Server
Server
),...,,( 21 nP SSShh
All seed values within P
)(: phffunctionDelayingPh Winning
Number
--1313-- by Charlie Hamby Charlie Ham
Lottery
4. Previous Work – GS98
Problems Only applicable to simple lottery such as number based one Winning verification time is too long
• Needed the same time as total game period
Insider in server can forge or alter betting information Attacking method computationally, information-theoretically on current cryptosystem is
rapidly improving
--1414-- by Charlie Hamby Charlie Ham
Lottery
5. Proposed scheme – notation & assumption
Notation
Assumption Lottery ticket is generated by Users themselves along with pre-defined rules Lottery Organizer allows only allied Banks Operation period is chosen considering transaction time in every components User and Bank communication is secure (ex, SSL, Public key system)
prize Winning:
number)on registrati (ion registration Receipt :
]numberticketU,fromvaluesallSig[:
SignatureDigital:
onhashfunctiwayone:()
amout unit Betting :
number)Ticketn,informatiosecret sUser'Number,(Accout:
sheet)mark (n informatio betting:
Bank:
organizerlottery:
user:
WinP
)(i, SigRCT
Coup
Sig
h
BetUnit
AcctInfo
M
B
LO
U
i
--1515-- by Charlie Hamby Charlie Ham
Lottery
5. Proposed scheme - overview
UU
LOLO
BB
)||(
,
)1
AccInfoMhH
M
Generate
U
UHBetUnitAccInfo ,,)2
Coup)5
CoupHM U ,,)6
UHCoup,)7WinnPHU ,)12
Payoff)8
BIDHHMStoreand
BIDHMH
Generate
LOU
ULO
,,,
)||||(
)9
)||||(,
)3
UHUnitInfoAccInfoSigUnitInfoCoup
Generate
M HU BID HLO
),()11 iSigiRCT
Coup HU
Store)4
)()101
i
iLO
i HSigPublish
--1616-- by Charlie Hamby Charlie Ham
Lottery
5. Proposed scheme - details
Details Stage 1: Set up
1) User generates lottery ticket M and Hash value HU which is concatenation M and account information2) User send Account Information including user’s secret information (such as password), Betunit and H
ash value to Bank3) Bank checks user’s balance and then generates coupon,Coup, which guarantees user balance’s sou
ndness and describes the amount of betting units with bank’s signature (for it, both public key and secret key signature are possible)
4) Bank stores Coup and related hash value, HU to her own DB5) Bank returns Coup to user
Stage 2: Betting1) User bets her betting information M and HU with Coup
2) Lottery Organizer, LO sends the received Coup and HU to the designated bank on Coup3) Bank see if the Coup was issued by herself by checking her signature and the message is equal to ori
ginal one4) If 3) is correct, then Bank pay out the money as much as the amount of units
5) LO generates hash value HLO=(M||HU||BID) and stores HLO,M,HU, and BID in her DB
6) LO generates his signature on HLO, Sigi, whenever she stores each betting information and publishes (HLO, Sigi) on her bulletin board.
7) LO send receipt , RCT containing registration number and LO’s signature, to User8) When betting period is over, LO reveals all betting information which has been stored with signature
Stage 3: Winning prize Payment1) As soon as a match go to end, the result will be published. So, Anybody can verify how many winners
are. Then, LO pay back winning prize, WinP, with HU
2) Bank provide a prize to winner’s account which can be verified by comparison received HU and stored HU
--1717-- by Charlie Hamby Charlie Ham
Lottery
5. Proposed scheme – security & property
Security R1: Privacy
• Only Bank knows winner’s name and account number. Even the payment of winning prize is carried out between LO and Bank. We normally assume that Bank never disclose its customer’s account information
R2: Fairness• When betting period ended, LO open all betting information. So, every ticket has the same probability
to win
R3: Publicly verifiability• By information opening, it can be provided
R4: Reliability• Anyone can check LO’s signature on HLO
R5: Unforgeability• To compute HU, One should know account information including user’s secret information. The probab
ility of guessing this secret is negligibly small
R6: Timeliness• LO should published every information after pre-determined time period. By this, it can be held
R7: Traceability• One of characteristics of E-banking system is that all transaction is recorded. Furthermore, LO issues
receipt to user according to his acceptance. Hence, if any problem happens, User can trace which component made a mistake
--1818-- by Charlie Hamby Charlie Ham
Lottery
6. Further Work
More communication data & computational complexity reduction
Comparison with previous scheme
Detailed security analysis
Security requirement reconsideration Are these enough??
--1919-- by Charlie Hamby Charlie Ham
Lottery
7. Reference
Tigerpools Korea, http://www.tigerpools.co.kr Korea online lottery system co.ltd., http://www.korealotto.co.kr K.Kobayashi, H.Morita, M.Hakuta, and T.Nakanowatari, An Electronic Soccer Lottery Syste
m that Uses Bit Commitment, IEICE00, Vol.E83-D, pp.980-987,2000. D.M.goldschlag, S.G.Stubblebine, Publicly Verifiable Lotteries: Applications of Delaying Fun
ctions, Proc.of Financial Cryptography 98, LNCS 1465, pp.214-226, 1998. Ross Anderson, How to cheat at the lottery, Proc. of Computer Security Applications Confere
nce, 1999. Ronal L.Rivest, Electronic Lottery Tickets as Micropayments, Proc.of Financial Cryptography
97, LNCS 1318, pp.307-314, 1998. A.Shamir, How to share a secret, CACM 22, pp.612-613, 1979.