A Secure and Fair Joint E-Lottery Protocol

The attractive huge prize causes people to adore lotteries. Due to the very small probability of winning prizes, the players can enhance their probability of winning by using the method of joint purchase. In spite of many lottery schemes having been proposed, most e-lottery schemes focus on the players' privacy or computation overhead rather than support a joint purchase protocol on the Internet. In this paper, we use the multisignature and verifiable random function to construct a secure and fair joint e-lottery scheme. The players can check the lottery integrity, and the winning numbers can be verified publicly.


Introduction
Gambling has the property of nonpredictability and attractive prizes. Players have the chance to obtain a huge prize but of course they cannot predict who the winner will be. Hence, gambling is very fascinating for many people, and the lottery is one kind of popular gambling [1-3]. The players must select their favorite numbers and pay money to purchase lottery tickets. After the deadline of the purchasing phase, the lottery organization (LO) randomly generates the winning numbers. If no one wins the lottery, the prize money will accumulate for the next round. The attractive huge prizes are an extremely powerful factor causing people to purchase lottery tickets and the main reason remains popular among players.
In past years, many lottery schemes were proposed. In 2006, Chow et al. [4] proposed practical electronic lotteries with an offline trusted third party (TTP); their scheme can satisfy all of the identified requirements without the presence of TTP for generating the winning numbers; the result of this generation is publicly verifiable.
Next, Lee and Chang [5] proposed an electronic -outof-lottery on the Internet in 2009. The scheme is based on the Chinese Remainder Theorem that allows lottery players to simultaneously select out of numbers in a ticket without iterative selection. The drawback of this scheme is that the computation overhead of players in purchasing lotteries is too heavy.
In the same year, Lee et al. [6] proposed noniterative privacy preservation for online lotteries. This scheme not only allows players to choose -out-of-numbers in lotteries without iterative selection but also preserves the privacy of players' choices. Nevertheless, the computation overhead in purchasing lotteries is still heavy for the player who accesses the Internet with mobile or wireless devices.
In an overview of the above schemes, we find that the majority of the schemes focus on the players' privacy or computation overhead but cannot support a joint purchase protocol on the Internet.
Due to the probability of winning prize being very small [7], the players can employ two strategies of purchase to enhance the probability of winning prizes as follows.
(i) The player invites other players to collect more cash, and then the player purchases the sequential numbers to increase the probability of obtaining a prize.
(ii) The player pays a small amount of money to purchase the lotteries in cooperation with other players.
To the best of our knowledge, there exist only two websites, called "e-Lottery Syndicates" [8] and "Myleto" [9], which provide a trading platform (TP) for purchases and a proxy purchase service. The difference between the above websites is that the former provides individual purchases while the latter provides joint purchases. Since our scheme 2 The Scientific World Journal focuses on joint purchases, we chose "Myleto" to discuss joint purchases.
The process for joint purchase in "Myleto" enables the players to bet their favorite numbers by using the "Myleto, " and then "Myleto" counts the preferred numbers of players to generate the popular numbers after the deadline of purchase phase. Then, "Myleto" takes the popular numbers to purchase the lottery for the trusted lottery organization (LO). Finally, LO generates the winning numbers and publishes them on the bulletin board. Then "Myleto" distributes the different prizes to the winning players according to the numbers they bet.
Even if the solution for the joint purchase lottery exists, according to our observations some drawbacks remain.
(1) From the user's viewpoint, the risks are as follows: (i) if the joint purchase players win the first prize, the person receiving the award has a chance to abscond with the funds; (ii) the player's lottery purchase evidence depends on the picture at the time of purchase and the credit card transaction receipt. However, the former lacks credibility because it is easy to fake, and the latter lacks immediacy since the credit card transaction receipt adopts a monthly settlement; (iii) if the player's purchase information is lost or the TP refuses to give out the prize, the player cannot proffer strong evidence to prove the winner is himself/herself.
(2) From the TP's viewpoint, the risk is as follows: (i) if a malicious player forges a picture and a credit card transaction receipt to claim the prize, the TP will find it hard to recognize whether the prize claim evidence is true or false.
At present, we have seen that the current TP of joint purchase exhibits some drawbacks, so determining how to implement a fair and secure joint purchase e-lottery protocol is still an open issue.
Hence, we propose a fair and secure joint e-lottery protocol to guarantee the rights and interests of the players and TP. Simultaneously, our proposed protocol also supports individual purchases.
The proposed scheme must be able to achieve the following requirements [4][5][6] such that the proposed scheme can be applied in actual practice.
(1) Public Verification. All the valid lottery tickets and the winning numbers must be verified via a verifiable random function.
(2) Fairness. No one can predict the winning result before the winning numbers are published.
(3) Security. No one can forge a winning lottery or impersonate a lottery winner to claim the prize.
(4) Correctness. The players can verify the public information of the bulletin board by themselves.
(5) Anonymity. Including lottery agents, no one can identify the participants by the lottery ticket.
(6) Convenience. The legitimate players should be able to purchase lottery via Internet.
(7) Without Preregistration. Players need not register at any lottery agent or drawing center in advance, as registration in advance is unnecessary; this requirement should conform to an electronic lottery to make it more realistic. (8) No Online Trusted Third Party (TTP). An electronic lottery is said to be impractical if the security of the entire mechanism depends on an online trusted third party.
(9) Participants' Legality. The scenario of the joint elottery scheme should ensure the participants' legality via a multisignature.
(10) Support Joint and Individual E-Lottery Service. The protocol must support joint and individual e-lottery service, respectively.
The remainder of this paper is organized to describe and analyze our joint e-lottery scheme as follows. Section 2 introduces related cryptographic techniques used in our scheme. Section 3 presents our proposed protocol, and the security requirements are analyzed in Section 4. Our conclusions are presented in the final section.

Preliminaries
In this section, we introduce three cryptographic techniques used in our scheme: a verifiable random function, an identitybased signature scheme, and an efficient identity-based RSA multisignature scheme.

Verifiable Random Function.
A verifiable random function (VRF) was first proposed by Micali et al. [10]. Essentially, it is a pseudorandom function [11] providing noninteractively verifiable proof of the output's correctness. Therefore, the above properties of VRF are suitable for our scheme.
On the basis of the notation in [12], a set of functions (1) Gen( ) is a probabilistic algorithm to generate a secret key SK that is generated by a random function and the corresponding public key PK that enables public verification; (2) Eval(SK, ) is an algorithm that computes the VRF's output = SK ( ); The Scientific World Journal 3 (3) Prove(SK, ) is an algorithm that computes the proof that = SK ( ); (4) Verify(PK, , , ) is an algorithm that verifies = SK ( ); (5) the VRF should satisfy the following properties.

Review of Shamir's Identity-Based Signature Scheme.
In 1985, in order to simplify the public key authentication problem, Shamir [13] first offered the concept of an identity-based (ID-based) cryptosystem. In this system, each signer needs to register with a private key generator (PKG) and identify himself/herself before accessing the network resource. Once the registration is completed, the PKG will use the signer's identity to generate the secret key. The signer's identity may include the signer's name, email, and address. The advantage of this scheme is that there is no need for a public key directory in the system. The communicating parties only need to know the "identity" of his/her communication partner and the public key of the PKG is able to verify the signature or send an encrypted message.
We first introduce the notations used to explain how Shamir's scheme was constructed: : a message; ? : comparing whether or not is equal to .

Private Key Generator (PKG)
Keys. The private key generator (PKG) chooses its public and private key pair as follows.
Step 1. Run the probabilistic polynomial algorithm RSA to generate two random large primes, PKG and PKG .

Signer Secret Key Generation.
In this algorithm, the signer gets a copy of his/her secret key from the PKG through a two-step process.
Step 1. A signer submits his/her identity to the PKG.
Step 2. The PKG uses its private key PKG to sign the signer's identity by generating the secret key such that = PKG mod PKG .

Message Signing.
To sign a message , the signer with the secret key and the corresponding public key PKG of the PKG signs a message by generating a signature pair = ( , ) as follows.
Step 1. Select a random number and compute = PKG mod PKG . (2) Step 2. For the same random number , compute is the complete signature of the message .

Message Verification.
The identity-based signature = ( , ) of a signer with identity is valid if and only if the following equality holds:

Review of Harn's Efficient Identity-Based RSA Multisignatures Scheme.
In the 2008, Harn and Ren [14] first proposed a digital signature of a message generated by multiple signers with multiple private keys based on Shamir's identity-based signature (IBS) scheme. This was a first efficient identitybased RSA multisignatures scheme with both fixed length and verification time. Harn and Ren's scheme is secure against forgeries under chosen-message attack, against multisigner collusion attack, and adaptive chosen-identity attack.

Private Key Generator (PKG) Keys.
The PKG chooses its public and private key pairs as follows.
Step 1. Runs the probabilistic polynomial algorithm RSA to generate two random large primes, PKG and PKG .

Signer Secret Key Generation.
In this algorithm, the signer gets a copy of his/her secret key from the PKG through a two-step process.
Step 1. A signer submits his/her identity to the PKG.
Step 2. The PKG uses its private key PKG to sign the message digest of the identity to generate the secret key , such that = PKG mod PKG . No one will be able to distinguish between the identity and its message digest .

Message Signing.
To generate an identity-based multisignature, each signer carries out the followings steps.
Step 1. Choose a random integer and compute = PKG mod PKG .
Step 2. Broadcast to other signers.

The Proposed Joint E-Lottery Protocol
The structure of our scheme is illustrated in Figure 1.
There are four participants involved in the proposed elottery scheme.
(1) Private Key Generator (PKG). The off-line trusted third party which generates private keys to all participants.
(2) Player (P). The player is a participator in the lottery gamble.
(3) Trading Platform (TP). The trading platform is a website to provide players for joining the e-lottery game.
(4) Lottery Originator (LO). The LO issues the lotteries, generates the winning numbers to sell lotteries to gain revenue, and gives out the prizes.
Step 1. P, TP, LO ↔ PKG: all participants must register to PKG to acquire their private key with his/her pseudoidentity.
Step 2. P ↔ TP: the players bet their favorite numbers to the TP.
Step 3. TP → LO: the TP gathers the statistics on the betting numbers to generate the majority of popular numbers and then purchases the popular numbers with the LO.
Step 4. LO → P: the LO issues lotteries to the players.
Step 5. P ↔ LO: after the winning numbers are announced, the winning players use their winning lotteries and private keys to claim the prizes won.
The following notations are used in our protocol: number : the favorite numbers of the th player; chain : the published hash chain set of the valid random seed generated by player, which is involved in generating the winning number, where chain 0 is the initial vector; the chain 0 = 0, chain 1 = (chain 0 , 1 ), chain 2 = (chain 1 , 2 ), and chain = (chain −1 , ); : the th ciphertext; : the identity-based signature of message ; req : the request message; : the message digest of the th player's identity; PL: the purchased list, where PL = ( , ); (⋅): one way hash function [15]; : the random number is selected by ; : the hash value, where = ( ); -: the session key between the and which is constructed by IETF [16,17]; ( -, ( )): an encryption function which uses the session keyto encrypt the message ; ( -, ( )): a decryption function which uses the session keyto decrypt the ciphertext .

Constructing the Session Key Model. Diffie and Hellman
proposed a key agreement protocol [18] in 1978. The RFC 2631 was drawn up for the key agreement protocol in 1999 by the IETF. Therefore, we use the RFC 2631 protocol to construct the session keys. The session keys are used in our protocol with three situations. First, when the purchase is individual, the player must share the session key to protect his/her favorite numbers. Second, the TP and LO are jointed to sign the multisignature; they must share a common secret key to encrypt the signature. Third, the LO issues the lotteries to players, and the winning players send the claim prize message to the LO; they must also share a session key to encrypt or decrypt the messages.

The Initialization Phase.
In this phase, the PKG performs the keys generating function to generate the public and private keys. On the other hand, the LO performs the VRF to generate the related functions and then publishes it.
Step 1. The PKG selects a random number and then performs Gen( ) to generate the public PKG and private PKG .

The Registration Phase.
In this phase, all of the roles submit their identities to the PKG to become legal participants. Notably, the players must submit their identities (including the players' name, email, and addresses) and a random number to PKG and then PKG signs the message digest of the identity by its PKG and PKG .
The PKG computes the participants' private keys with its PKG as in the following equations: = PKG mod PKG for = 1, 2, . . . , .
After that, the PKG publishes ID TP and ID LO on the bulletin board.

The Players Bet for Lottery Numbers Phase.
In this phase, the players can bet their favorite numbers via the TP and then the TP publishes the purchase information on the bulletin board. When this phase is finished, the TP will send bulletin board information to the LO. According to the received information, the LO publishes the winning numbers. Moreover, players, TP, and LO can use the published bulletin board information to check whether or not the following three information items are correct.
(1) The players' purchased lotteries are included in the hash chain.
(2) The players' bet numbers are valid or not.
(3) The players are legal or not. The individual purchase is also included in the hash chain and the purchased information (including identity information, hash chain value, and hash value of the random number) is also published on the bulletin board, except for the selected favorite numbers.
The players bet for lottery numbers phase is illustrated in Figure 2, and the bulletin board information is illustrated in Table 1.
If anyone questions the players' legality then they can use the signature of the players' identity of the bulletin board to verify the legality of the players by Step 1. If the purchase is individual then the player must compute session key -TP (refer to Section 3.1), using it to protect the individual's favorite number number as follows: The individual and joint purchases are both required to process (11)- (15).
Then, the th player selects a random number to compute The uses his/her private key to compute = ⋅ ( , ,number , ) Here, we denote the signature as follows: ,number , = ( , ) . 6 The Scientific World Journal Finally, the uses his/her private key to sign his/her identity as follows: We denote the signature as follows: The difference between the multisignature and ,number , is that the former is published on the bulletin board and all participants can use it to verify the player's legality, while the latter is used to achieve the message nonrepudiation for the TP. Afterward, if the purchase is individual then the request message req , signature ,number , , and related parameters ( , 1 , ) are sent to the TP.
If the purchase is joint, the request message req , signature ,number , , and related parameters ( , number , ) are sent to the TP.
Step 2. After receiving the message, if it comes from individual purchase then the TP must decrypt the ciphertext 1 to obtain number and then the following procedures are processed for individual and joint purchases.
First, the TP checks the validity of signature as follows: The TP links into the hash chain as follows: The Scientific World Journal Here, we denote the signature of req as follows: Finally, TP sends signature ( req , req ) to the .
Step 3. After receiving ( req , req ), checks the validity of signature as follows: If the signature is invalid, then the terminates the transaction.

The Purchase Phase.
After the purchase deadline, the TP gathers the statistics on numbers to generate the popular numbers. Subsequently, the TP sends the purchase message that includes purchase list and the partial signature to the LO. Note that the lottery's numbers of individual purchase are determined by individual buyers rather than through counting by TP; individual purchase is the same as joint purchase.
(1) The individual purchase is included in the purchase list.
(2) The TP also computes the partial signature for individual purchase.
The overview of the purchase phase is illustrated in Figure 3.
Step 1. After the purchase deadline, the TP counts the preferred numbers of all of the players to generate the popular 8 The Scientific World Journal numbers Num; then the TP selects a random number TP to compute the partial signature TP and TP as follows: Here, we denote the signature of Num as follows: Finally, the TP sends the request message req , signature Num , and the popular numbers Num to the LO.
Step 2. Before receiving the message ( req , Num , Num), the LO checks the signature validity as follows: Subsequently, the LO selects random number LO to compute LO uses the partial signature of the TP and LO to compute as follows: The TP and LO construct the session key TP-LO and then encrypt the partial signature as follows: The LO uses the private key LO to compute the partial signature of 2 as follows: Here, we denote the signature of 2 as Finally, the LO sends ( req , 2 , 2 ) to TP.
Step 3. After receiving ( 3 , req ), the TP checks the validity of signature as follows: The TP uses the session key TP-LO to decrypt the cipher text as follows: According to the purchased list PL, the TP uses its private key TP to compute the partial multisignatures TP of the player's lottery as in (31) as follows: To protect the message, the TP uses the session key TP-LO to encrypt parameters ( 1 TP , 2 TP , . . . , TP , PL) as follows: The TP uses its private key TP to compute the partial signature of 3 as Here, we denote the signature of 3 as follows: Afterward, the TP sends the request message req , signature 3 ,and cipher message 3 to the LO.
According to the purchase list PL, the LO uses its private key LO to compute the partial multisignatures LO of all players as follows: We denote the lottery lottery as lottery = ( , ) , for = 1, 2, . . . , .
3. 6. The Lottery Issue Phase. Upon receiving the purchase message, the LO issues the lotteries to all players (including the joint purchase and individual purchase) and then the players can apply the multisignature to verify the validity of the lottery. The lottery issue phase is illustrated in Figure 4. Step 1. The LO and construct the session key LO-and then encrypt the lottery as follows: Next, the LO selects random number LO to compute and uses its private key LO to compute the partial signature as follows: Here, we denote the signature of 4 as follows: Afterward, the LO sends the request message req , signature 4 , and ciphertext 4 to .
Step 2. When receiving the message ( req , 4 , 4 ), checks the validity of signature as follows: and then uses the session key LO-to decrypt ciphertext 4 as follows: Finally, checks the validity of signature as follows:

The Winning Numbers Generation and Verification Phase.
After the lottery purchase deadline, the LO uses the function of winning numbers generation with the value of final hash chain to generate the winning numbers and then publishes it on the bulletin board. The overview of the winning numbers generation and verification phase is illustrated in Figure 5. Simultaneously, if the players question whether or not the LO is honest, they can use the public verification function to verify the correctness of the winning numbers.
Step 1. The LO uses its private key LO and the value of final hash chain chain to calculate Finally, the LO publishes the WinNum and on the bulletin board.
Step 2. After the winning numbers are published, any player can checkthecorrectness of the winning numbers via the public verification function as follows: 10 The Scientific World Journal 3.8. The Claim Prize Phase. After the winning numbers are published, the winner of th player can submit his/her winning lottery and the random number to claim the prize. Simultaneously, the LO publishes the winning lotteries, random number of winning player selected, and identity digest of winners on the bulletin board. If the other players suspect the legality of winning lottery, they can use the public verification function to verify it. The overview of the claim prize phase is illustrated in Figure 6.
Step 1. The and LO construct the session key LO-. In order to claim the prize, the winning player presents the important evidences ( , , , lottery ) to prove his/her identity and then uses the session key LO-to encrypt that evidence as follows: 5 = ( LO-, ( , , , lottery )) . (49) Next, the computes as and uses its private key to compute the partial signature as follows: Here, we denote the signature of 5 as follows: Afterward, sends the request message req , signature 5 , and ciphertext 5 to LO.

Analysis
Here, we use many kinds of scenarios to analyze the proposed joint electronic lottery scheme and to verify whether or not it achieves the requirements. In order to simplify the explanation, suppose there exists an intruder Eve in the network system and she is capable of eavesdropping communications between the TP, LO, and players.

Public Verification.
All the valid lotteries and the winning numbers must be verified via a verifiable random function.
Scenario 1. Suppose that any player suspects the correctness of winning numbers.
Proof. The one suspecting can use (48) to verify the correctness of the winning numbers by (48).

Scenario 2.
Suppose that any player suspects the correctness of winning lotteries.
Proof. The one suspecting can use the related parameters (including random number of the winning player selected , the winning numbers WinNum, and the winning lottery ( , )) and (56) to verify the correctness of winning lotteries. The verification equation is as in (56), where = ( ).
The derivation of the verification is shown as follows: Because the multisignature of the winning numbers is valid, the winning lottery is correct.

Fairness.
No one can predict the winning result before the LO publishes the winning numbers.
Scenario 3. If a player wants to predict or bias the winning result, he or she will fail.
Proof. Since each purchasing behavior is random and occasional, the final value of hash chain chain is contributed by all of the lotteries. Hence, no one can learn the final value of the hash chain chain .

Security.
No one can forge winning lotteries or impersonate lottery winners to claim their prize.

Scenario 4.
If Eve tries to forge a winning lottery to claim the prize, she will fail.
Proof. In reviewing the purchase phase, the TP and LO used their private keys TP and LO to sign the lotteries. On the other hand, if Eve wants to fake the winning lottery, she must forge their private keys, respectively. In fact, she must solve the factorization problem in RSA cryptosystems [19].

Scenario 5.
If Eve tries to forge a winning player, she will fail.
Proof. In the prize claim phase, the lottery winner must submit his/her digest , random number and (where = ( )) to proof his/her identity. If Eve uses the fake random number to claim the prize, then LO can perceive the attempt via the following equation: On the other hand, if Eve wants to impersonate a winning player, she must find the . In fact, based on the secure one way hash function, it is computationally infeasible to obtain from .

Correctness.
The players can verify the public information via the bulletin board by themselves.

Scenario 6. The one suspecting questions
(1) the correctness of the player who bet numbers number , (2) the correctness of the value of final hash chain chain , (3) the correctness of popular numbers Num.
Proof. The one suspecting can use the published bulletin board information to verify the number , Num, and chain as (1) the players can check whether the bet numbers are equal to the public information number ; (2) they can recalculate all bet numbers of players to determine whether the popular numbers Num is equal to the recalculated value; (3) finally, the players can verify the validity of the value of final hash chain chain by using the public function hash chain as follows: Initial condition chain 0 = 0 chain 1 = (chain 0 , 1 ) . . .
where is the number of the sold lottery tickets so far.

12
The Scientific World Journal 4.5. Anonymity. Including the TP and LO, no one can identify the player from the lottery.

Scenario 7.
If Eve tries to distinguish between messages digest and real identity of player, she will fail.
Proof. In the registration phase, the players submit their personal information to the PKG and then PKG generates a message digest with personal information as = (players' personal information). The message digest is a well-known cryptographic assumption: the secure one way hash function has properties such that given a message , it is easy to compute ( ). On the other hand, it is computationally infeasible to obtain from ( ). And given ( ), it is infeasible to find to let ( ) = ( ). Hence Eve cannot find the real identity of the player from . 4.6. Convenience. Players are able to purchase lottery tickets if they can access the Internet. Clearly, the proposed joint elottery mechanism can achieve this requirement as indicated in the players betting for lottery numbers phase.

Without Preregistration.
Players need not register at any lottery organizations in advance. In our scheme, the players need not register at any lottery organizations except for the PKG. In fact, if the players want to join other ID-based applications, the players still need to register to PKG for any PKI applications.

No
Online Trusted Third Party. The proposed joint elottery mechanism does not require an online TTP.
In our scheme, no online TTP is used to participate in all of the transaction scenarios. Therefore, this requirement is completed in our scheme.

4.9.
Participants' Legality. The scenario of the proposed joint e-lottery mechanism should ensure participants' legality.
Scenario 8. Suppose that players suspect the legality of the TP and LO.
Proof. In the lottery issuing phase, upon the players receiving lotteries from the LO, players can use the multisignature of lotteries to confirm the legality of TP and LO by (46).
If the equation holds, the participants' legality can be authenticated.
That is, only the legitimate private key is able to sign the valid signature. From another viewpoint, the PKG uses its private key PKG to generate LO in the registration phase; if anyone attempts to forge LO he/she must solve the RSA public-key cryptosystem to acquire the private key PKG . In fact, it is an integer factorization problem [19].
Scenario 9. Suppose that the players, TP, or LO suspect the legality of player.
If the equation holds, the th player's legality can be authenticated; the derivation of the verification is shown as follows: From the above derivation of the verification, only the legitimate private key is able to sign the valid signature. On the other hand, the player is only able to sign the valid signature if he/she registers with the PKG as a legal participant and acquires the private key .

Support Joint and Individual E-Lottery Service.
The protocol can support joint and individual e-lottery service, respectively. In our proposed scheme, we propose two purchase models to satisfy the requirements. Hence, two purchase models have the same rights and protections making our proposed scheme more practical and attractive.

Discussions.
Our scheme focuses on proposing a secure and fair joint e-lottery, despite requiring more communication, more data transfer, and a higher computational complexity. We compare the functional properties between related works and ours in Table 2. Table 2 shows that our scheme achieves the two new functional properties in comparison with related works [4][5][6]: participant's legality and supporting joint and individual e-lottery service.
In addition, we compare mechanisms with the existed lottery websites [8,9] and ours in Table 3. Basically, [8,9] only support a lottery agent. So, the player should register with the TP; this differs from ours. Table 3 shows that our scheme adopted the ID-based multisignature to verify the legality of all participants while existing lottery websites lack effective mechanisms to achieve this requirement. On the other hand, the existing websites do not have remedial measures to prevent malicious behaviors by the lottery agent or players; for instance, the lottery agent refuses to give out the prize, a malicious player forges a picture to claim a prize, or the purchased lottery of a player is lost when the lottery agent's database crashes. Our scheme uses the ID-based multisignature to provide nonrepudiation evidence to prevent the above situations.

Conclusions
In this paper, we present a novel joint e-lottery protocol using the multisignature and verifiable random function. Having