Research Article Generalized Proxy Oblivious Signature and Its Mobile Application

Oblivious signature ensures users select from the specified candidates. However, users can choose only one candidate. This paper proposes a generalized oblivious signature scheme with proxy function. The scheme can be applied to many applications such as multichoice e-voting or e-lottery. Since there have been many applied research studies on e-voting, in this paper, we decided to apply this scheme to e-lottery, which is fair, secure, efficient, multiselect, and agent-based. In the lottery system, the server cannot cheat after a user makes a choice, and no one, not even the proxy, can gain any benefit. The signature scheme along with the lottery system is proved secure in the random oracle model. The lottery system is also implemented on Android smartphones. To the best of our knowledge, this is the first work done on a generalized proxy oblivious signature along with a fair and secure multiple-choice e-lottery system.


Introduction
In recent years, network transactions for applications such as Internet auctions and banking have increased greatly. Network and mobile security technologies play important roles in protecting users' privacy [1][2][3][4]. In this regard, digital signatures have attracted considerable attention. By using public key cryptography, a signer can sign a message using his or her private key, which is owned only by the signer, to create a digital signature for the message. Then, any verifier can validate the correctness of this signature by using the signer's public key.
However, it is necessary to protect the privacy of signature receivers in some situations, such as the contents of a signed message in a digital cash system or the choices from candidates in an e-voting situation. In 1982, Chaum [5] introduced a blind signature scheme to offer blindness, which protects the signee's privacy. In 2013, Nayak et al. [6] proposed a blind signature scheme based on an elliptic curve discrete logarithm problem. In 1981, Rabin [7] introduced the concept of oblivious transfer. In 1994, Chen [8] proposed the concept of oblivious signatures and considered two types of oblivious signature schemes. In 2008, Tso et al. [9] provided formal definitions and security requirements for an oblivious signature scheme. In 2012, Chou [10] proposed a more efficient and secure k-out-of-n oblivious transfer scheme. In 2018, Zhang et al. [11] proposed a new postquantum blind signature from lattice assumptions. In 2019, Wang et al. [12] introduced a new construction of blind signatures from braid groups.
In 1996, Mambo et al. [13] proposed the concept of proxy signature. Various proxy-based schemes have been proposed [14,15]. In 2000, Lin et al. [16] proposed the first proxy blind signature scheme that combines the functionalities of both proxy signatures and blind signatures. In 2002, Tan et al. [17] proposed a proxy blind signature scheme; however, in 2003, Lal et al. [18] showed this scheme to be insecure and further proposed a new scheme that is secure and more efficient than Tan's scheme. In 2013, Yang et al. [19] proposed a new proxy blind signature scheme that allows revocation.
In 2017, Chiou et al. [20] proposed two novel 1-out-of-n blind (oblivious) and proxy signature schemes that combine the advantages of oblivious signatures and proxy signatures and satisfy the security properties of these two signature schemes. In 2018, Lin et al. [21] proposed a short linearly homomorphic proxy signature scheme, and Li et al. [22] proposed a blind proxy resignature scheme based on isomorphisms of polynomials. In 2019, Tso [23] proposed a two-in-one oblivious signature that combines message oblivious and signer oblivious into one scheme.
For electronic voting systems, in 2001, Ray et al. [24] introduced an online anonymous e-voting protocol that allows a voter to cast his or her ballot anonymously by exchanging untraceable authentic messages. In 2013, Pan et al. [25] proposed an e-voting scheme that is based on the ring signature and is resistant to a clash attack. Several schemes with delegated voting functionality have been proposed. In 2013, Zwattendorfer et al. [26] proposed a proxy voting scheme that allows a voter to delegate his or her voting power to a proxy who actually casts the ballots for all represented voters. Norway has used an Internet-based voting protocol for some years, and the vote privacy and correctness of this scheme have been demonstrated [27]. In 2016, Kulyk et al. [28] proposed a new coercion-resistant proxy voting scheme by extending the coercion-resistant JCJ/Civitas scheme, aiming to prevent direct voter coercion, delegation coercion, and proxy coercion. They also proposed a new proxy voting scheme [29] and extended the Helios voting system [30] with delegated voting functionality. In 2017, Cohensius et al. [31] considered a social choice problem and demonstrated that the mechanism using proxy voting better approximates the optimal outcome. At the end of 2017, Chiou et al. [20] proposed an anonymous e-voting system with proxy signer based on their proposed 1-out-of-n blind and proxy signature schemes.
For electronic lottery systems, many scholars have proposed protocols [32][33][34][35][36][37] in attempts to achieve true fairness and satisfy security requirements. However, these measures suffer from security issues including insufficient fairness or privacy concerns. For example, in some protocols (e.g., [32,35,36]), the trusted third party mechanism is required to maintain system fairness. In other methods (e.g., [34]), one side can decide key parameters for determining the winner. Moreover, some schemes (e.g., [33]) fail to account for player privacy concerns.

Paper Motivation.
Compared with a blind signature scheme, an oblivious signature scheme used in e-voting or e-lottery provides one more property: ambiguity in selected messages. A signer cannot find out which message a voter or a player has selected while signing the messages, but the signer can be certain that the message the voter/player chooses is one or some of the predetermined messages; otherwise, the signature would not be accepted by a verifier. Therefore, in oblivious signature systems, which differ from blind signature schemes, the limited signed contents can prevent potential malicious users from obtaining valid signatures of some candidates for unauthorized purposes.
In addition, because each unit of a group (such as each state of a country, each county of a state, each campus of a school, or each approved bank of a group) may use different methods to authorize their members (using different keys), polling/betting booths with proxy ability are required. Additional benefits include reducing the load at voting centers or lottery owners and avoiding network jams. Moreover, the mobility of the voting/lottery functionality allows people to vote/play from anywhere using their mobile devices, thereby making the electronic voting/lottery system more convenient. The goal of this research is to design a generalized oblivious signature scheme with proxy function and to extend the designed scheme to applications such as e-voting and e-lottery systems.

Paper Contribution.
This paper proposes a generalized t-out-of-n proxy oblivious signature, which combines the advantages of proxy signature [13,38] and 1-out-of-n oblivious signature [8,9,38,39] and satisfies the security properties of the signature scheme. By using the concept proposed in [40], we conduct security analyses and proofs.
The performance comparisons show that our scheme is efficient. Our scheme can be easily applied to an anonymous t-out-of-n e-voting system with proxy signer using Chiou's method [20]. Based on our scheme, we also design a proxy-based fair e-lottery system which provides a multiple-prize multiple-choice function and satisfies the fairness and security properties of a lottery. There, security analyses and feature comparisons are conducted, and the results show that our scheme has better performance. Finally, the system is implemented on a smartphone to provide the player with a more convenient digital experience while participating in game activities which take place in a truly fair environment.
The user studies with college students indicate that most users think the e-lottery is convenient and more than half of them are willing to play the game again. To the best of our knowledge, this is the first work done on a t-out-of-n proxy blind signature scheme and a fair multiple-choice e-lottery system.

Paper Structure.
The rest of this paper is organized as follows. Section 2 reviews the relevant literature, and Sections 3 and 4 provide definitions of security and system requirements of the proposed signature algorithm and lottery scheme along with descriptions of the protocol and the systems. Section 4 provides a comparison analysis in terms of system security and fairness for the proposed protocol and our system and demonstrates their security features. Section 5 describes the system implementation, and Section 6 provides conclusions.

Proxy Signature Scheme.
The proxy signature method was first proposed by Mambo in 1996 [13].
The method includes three roles: original signer, proxy signer, and verifier. The original signer can authorize the proxy signer to represent him/her in signing public-facing documents.
Delegation [35] can be categorized as full delegation, partial delegation, and delegation by warrant, as follows:
(1) Full Delegation. The proxy signer obtains a copy of the original signer's signature key to produce a proxy signature value identical to the signature of the original signer.

[9] provided the first clear definition of oblivious signature security requirements as completeness, unforgeability, and ambiguity.
(1) Completeness. If the signer and recipient follow the protocol steps, the signature information received by the final recipient must be from the signer's valid signature.
(2) Unforgeability. Given a public signature algorithm, attackers will still have difficulty forging a usable signature in a reasonable or acceptable amount of time.
(3) Ambiguity. When the recipient requests the signer's signature, the signer is unable to determine the content of the signed plaintext message, thus maintaining the recipient's privacy.

In 2017, Chiou et al. [38] proposed a novel oblivious signature which is integrated with proxy signature. Their protocol defines seven security requirements: completeness, unforgeability, unlinkability, undeniability, verifiability, distinguishability, and ambiguity. Apart from completeness, unforgeability, and ambiguity, the other four requirements are as follows:
(1) Unlinkability. The proxy signer can identify neither the message nor the proxy signature he or she generates associated with the scheme after the signature is revealed when necessary.
(2) Undeniability. Neither the original signer nor the proxy signer can deny the signature they have created after signature generation.
(3) Verifiability. The signature that the receiver receives should be able to convince the verifier of the agreement from the original signer and the proxy signer.
(4) Distinguishability. The proxy signature is distinguishable from a normal one.

In 2018, Chiou and Chen [39] presented a novel t-out-of-n oblivious signature, which is applied to a multiple-choice e-voting scheme on the mobile system. Their scheme satisfies not only the security requirements but also t-out-of-n selection restriction and nonreduplication, making such a scheme well suited for multiple-choice e-voting applications.
The two added requirements are as follows:
(1) Selection Restriction. The recipient is unable to get a valid signature of any message except the n messages.
(2) Nonreduplication. The recipient cannot get more than one signature on the same message in a signing process.

2.3. Fair Online Game System.
In the virtual world of digital communications, a wide range of security requirements has driven the continuous development of new digital signature techniques [41][42][43][44]. The real-world equivalent of the game includes probability factors which impact winning conditions (e.g., luck) in competitive activities. With the rapid development of the Internet, electronic game environments [45][46][47][48][49] have gradually achieved mass market penetration, and the fairness of online games has received increased attention, prompting the development of many protocols since the 1990s.
Zhao et al. proposed a fair online game protocol [32] using the trusted third party (TTP) mechanism to maintain system fairness where the key parameters (banker vs. player) are entirely determined by the banker. In actual practice, however, this can potentially create an unfair situation for the player.
Kushilevitz et al. proposed a fair lottery system [33] which does not require TTP, but the protocol does not take into account player privacy issues and only discusses factors impacting the generation of a winning random number in the context of one-on-one competitions, frequently raising fairness issues due to potential cheating on the part of the banker.
In 2004, Blundo et al. proposed a secure electronic game platform [34] featuring the comprehensive design of an online game system architecture including payment mechanisms between players, player anonymity, and player privacy options.However, the key parameters for determining the winner are decided exclusively by one side, thus again raising fairness issues in the practical application of the game.

Proxy Partially Blind Signature Scheme with Proxy Revocation.
Yang and Liang [19] indicated that Liu et al.'s scheme [50] is unable to provide untraceability and is susceptible to the attacks of counterfeit signatures. They proposed a new proxy blind signature scheme that improves Liu et al.'s scheme [50] and allows revocation. Their scheme combines the techniques of Schnorr signature [51], partially blind signature [52], and proxy signature [53] that can terminate proxy privileges and simultaneously provide untraceability, unforgeability, and the other security features required of proxy signatures. The scheme provides seven requirements: distinguishability, nonrepudiation, verifiability, unforgeability, identifiability, prevention of misuse, and unlinkability.

Security and Communication Networks

Proposed t-out-of-n Proxy Blind Signature Protocol
The proposed t-out-of-n proxy blind signature is based on the security requirement in Definition 1.

Attacker Model.
The proposed signature schemes consist of four entities: an original signer A, a proxy signer B, a receiver R, and a verifier V. In our scheme, we assume the channels between A and B are secure. Any identity (i.e., R or V) communicates with B via an insecure public channel, offering adversaries opportunities to intercept. In the following, we present the assumptions of the attacker model [54,55]:
(1) An adversary may eavesdrop on all communications between protocol actors over the public channel.
(2) An attacker can modify, delete, resend, and reroute the eavesdropped message.
(3) An attacker cannot intercept a message over a secure channel.
(4) An attacker cannot be a legitimate original signer or proxy signer.
(5) The attacker knows the protocol description, which means the protocol is public.

3.2. Security Requirements.
System requirements [13,36,56] of the proposed signature system are described as Definition 1.
Definition 1 (system requirements of t-out-of-n proxy blind signature protocol). Assume an original signer, a proxy signer, a recipient, and a verifier interact in the t-out-of-n proxy blind signature protocol. The protocol is secure if it achieves the following conditions.
(1) Completeness: recipient obtains a signer's signature to verify the message completeness.
(2) Distinguishability: from the signature message, anyone can distinguish whether or not the signature is a proxy signature.
(3) Identifiability: from the signature information, anyone can determine the identity of the signer.
(4) Verifiability: once they receive the signature information, anyone can test the signature's validity.
(5) Ambiguity: when the recipient requests the signature, the signer is unable to determine the content of the signed plaintext, thus ensuring the recipient's privacy.
(6) Nonrepudiation: once the proxy signer signs the plaintext authorization specification, it becomes valid and the original signer is unable to repudiate the proxy signer's authorization, while the proxy signer is unable to repudiate that he/she signed the document.
(7) Unforgeability: aside from the proxy signer specifically authorized by the original signer, no one can produce a verifiable signature, including the original signer him or herself.
(8) Prevention of misuse: once the proxy signer secures the original signer's proxy authorization, the proxy authority cannot be used outside the specified use, and misuse of authorization should be clearly demonstrable.

Proposed Protocol.
The proposed t-out-of-n proxy blind signature protocol is based on RSA-FDH, RSA-based blind signatures, and certificate chains that follow the hash-and-sign paradigm. It includes four roles (original signer O, proxy signer P, recipient R, and verifier V) and is divided into four phases (initialization, proxy, signing, and verification) (Figures 1-3).
If both the equations hold, the signature is valid.

Security and System Requirements of the Proposed E-Lottery System.
The proposed lottery system satisfies the game fairness principle, and its security and system requirements are described as Definitions 2 and 3.
Definition 2 (security requirement of fair e-lottery system). Assume owner, banker, and player interact in the fair e-lottery system. The system is secure if it achieves the following conditions.
(1) Verifiability: After the lottery, player can verify the prize content announced by banker, thus protecting his own interests. Once the winning card is redeemed, anyone can verify its validity.
(2) Privacy: Player's identifying information is never made available in the public lottery information, thus ensuring player's privacy. In the lottery process, player's selection must be kept secret to protect the privacy of the winning content.
(3) Undeniability: After the lottery, banker is unable to repudiate the prize content or player's claim.
(4) Unforgeability: Valid winning card information can only be produced through the valid protocol and cannot be forged.
(5) Fairness for all players: In the lottery, no player (including owner and banker) should have an unfair advantage over other players.
Definition 3 (system requirement of our lottery system). Our lottery system is correct if it conforms to the following characteristics: (1) no need for a trusted third party, (2) owner may not repudiate a legitimate lottery card, (3) the privacy of the player's selection content is protected, (4) the player is anonymous, (5) fairness for all players, and (6) multiple choices with multiple prizes.

Proposed System.
The proposed lottery system design is an electronic adaptation of popular "scratch card" type lotteries. In the system, all messages are presented digitally. Hereinafter, the proposed e-lottery system is referred to as "the game" and traditional scratch cards are referred to as "(digital) lottery."

Each game session includes one lottery card and three roles: owner O, banker B, and player.O holds the money for the game and bears responsibility for profits and losses.Under the owner, there can be multiple bankers who are primarily responsible for verifying game wins or losses.B is the agent for O and serves as the host of the game, providing a link between player and O. B is responsible for issuing a lottery card with a valid signature and for signing player's selection.Player is in competition with O and makes a request to participate in the game.
B provides a lottery card containing a total of n blind prizes.Player can select t prizes.Once his selection is confirmed, player can know the content of his own selection.He can then present his card to O as proof to receive his prize.Each game session includes four phases (initialization, lottery card production, player drawing, and prize redemption) (Figures 4-7).
(1) Initialization Phase. As shown in Figure 4 confirm and collect the prize content $m_{k_j}$.

Performance Comparison of the Proposed Signature Protocol.
This section provides a comparison between the proposed signature protocol and the methods proposed by Yang et al. [19], Chen [8], Tso et al. [9], Chiou et al. [38], and Chiou and Chen [39], where Yang et al.'s [19] scheme is a blind signature scheme, Chiou and Chen's [39] scheme is a t-n (t-out-of-n) OT scheme, and the others are 1-n (one-out-of-n) OT schemes.
In Table 1, $T_{ex}$ indicates the modular exponentiation operation time unit, which is the most significant computational operation, while the other operations in the schemes are ignored. The results in Table 1 show that the proposed method outperforms the other protocols in terms of computational analysis.
Table 2 shows that the proposed method provides improvement or similar performance in terms of communication cost, where $q \mid p - 1$ and $(l_N, l_p, l_q, l_m, l_H)$ indicates the length of N, p, q, a message, and a hash function.
Table 3 shows that the proposed method provides more features than other protocols. Therefore, compared with other related schemes, our scheme provides the most abilities with low computation cost. Furthermore, the communication cost is no higher than that of other oblivious signature schemes.

Functional Comparison of Lottery System.
This section compares the proposed online lottery system with systems proposed by Zhao [32], Kushilevitz [33], and Blundo [34] in terms of the system requirements in Definition 2, and the results are summarized in

and "multiple choices with multiple prizes." Zhao et al.'s method [32] requires a TTP to achieve fair online gambling, and Kushilevitz and Rabin's e-lottery and e-casino schemes [33] do not provide an anonymous-player function.

Security Analysis of the
via the signature $\mathrm{Sig}(M_j) = \{s_{c_j}, r_j, SN, s_O, m_{wr}, e_O, e_P\}$. Moreover, the ownership of public keys can be verified using the public key of root CA from a PKI system. Theorem 5 proves the property of verifiability.
(5) Ambiguity. In the signing phase, R selects t blind factors $b_j$ and calculates $\beta_j \equiv b_j^{e_P} \times M_j \bmod N_P$, thus

Table 2 (rows as extracted; column headers are missing):
[19] | $l_q + l_H$ | $l_p + l_q + l_H$ | $l_q$ | $l_q + 2l_H$
Chen (1-n) [8] | - | $3nl_p + nl_q$ | $l_q$ | $7l_p + l_q + l_H$
Tso (1-n) [9] | $n(l_q + l_H)$ | $l_p$ | $l_q + l_H$
Chiou (1-n) [38] | $l_p + l_q$ | $n(l_q + l_H)$ | $l_p$ | $l_q + l_H$
Chiou (1-n) [39] | -

Table 3 (columns: Scheme, Blindness, Ambiguity, Multichoice, Proxy ability; the column of each check mark is not recoverable):
Chen [8] ✓ ✓
Mambo [13] ✓
Tso [9] ✓ ✓
Yang [19] ✓ ✓
Chiou [38] ✓

and $m_{wr}$ is used to verify the authentication to clearly document the proxy signer's signing capability, time, and usage conditions. The authorization certificate cannot be forged, thus the proxy signer is unable to use its proxy signature for unauthorized purposes, thus preventing misuse of the proposed protocol. Theorem 9 proves the property of prevention of misuse.

Security Analysis of Proposed Lottery System.
In practice, each banker hosts one or multiple servers. Assuming that multiple bankers represent a single owner, then multiple servers jointly use a single private key. For the overall system, this is equivalent to putting all of one's eggs in a single basket, and thus the security of the overall system relies on a single key. On the other hand, using a proxy system can significantly reduce the potential risk to system security even if the banker's key or even the owner's key is stolen. This additional layer of protection greatly increases overall system security.
If the prize redemption involves actual money, it could be realized through anonymous and secure mechanisms which are commonly applied in online transactions [57][58][59][60]. A user can register with a third party middleman (such as Paypal, Google Checkout, or Amazon Payment), providing required information, such as bank accounts and redemption certificates. The middleman presents the owner with a cash request based on these redemption certificates. Once the middleman receives the required payout and delivers a corresponding receipt to the owner, the middleman then transfers the money to the player's bank account. Thus, the identity of the prize winner is not revealed to the owner (thus achieving privacy). Moreover, this approach eliminates the possibility of the owner refusing to deliver the claimed prize.
To meet the game's fairness principle, this system satisfies the five security requirements as defined in Section 5.1: verifiability, privacy, undeniability, unforgeability, and fairness for all players.
(1) Verifiability. In the prize redemption phase, player uses the verification equation to inspect the card validity. Theorem 10 proves the property of verifiability.
(2) Privacy. Each lottery session does not require the use of player's identifying information, thus the public lottery card information will not leak the player's identity. In the lottery process, player's selection uses the random number $b_j$ plus blinding and thus B is unaware of the selection, ensuring the privacy of the prize content. Theorem 11 proves the property of privacy.
(3) Undeniability. Prizes are awarded through a one-way hash function algorithm. When the prizes are awarded, O is unable to change the prize content or otherwise deceive player. Player's selection is verified using O and B's public key, and thus O is unable to repudiate the lottery card's validity. Theorem 12 proves the property of undeniability.
(4) Unforgeability. Player's prize must be legitimately signed using B's private key. Following the signing phase, it will be impossible to forge another valid winning lottery card. Theorem 13 proves the property of unforgeability.
(5) Fairness for All Players. At the outset, O uses a one-way hash function to blind the selected prize. Aside from O, no other parties know the prize content. Then, B double blinds the prize item, at which time no one including O and B is able to determine which card has the prize. Theorem 14 proves the property of fairness for all players.

Implementation
This section presents an implementation of the proposed e-lottery system on an Android platform, allowing the user to interact with the system through a mobile device to achieve a scratch game e-lottery. The implementation results are presented in two parts. First, we introduce the program flow chart and then show the user experience through the interface.
The program's related user interface is illustrated in Figure 8. The owner and banker roles operate on the server end, while the player role operates on the client-end mobile device, as shown in Figure 9 (please refer to http://youtu.be/9je3gt nTY for the full demonstration). We use one personal computer and one Android phone to implement two servers (banker and owner) and a player, where the player communicates with the servers through WiFi wireless networks and the owner and the banker communicate with each other through wired networks. The personal computer implementation used Windows 10 with an Intel (R) Xeon (R) CPU E3-1230 v3 @ 3.30 GHz (8 CPUs) and 8G RAM. The Android phone implementation used an HTC Desire 816 based on Android 5.0 and Qualcomm S400 1.6 GHz.

The owner and banker (server) programs are written in JAVA and run under Windows 10.
The RSA system parameters are generated through an official method with a modulus length of 1024 bits. The hash function used is SHA-256 [61]. In this scenario, we set t = 2 and n = 5. Each time the program needs only 1∼3 seconds to finish all the processes (from initialization to prize redemption) excluding the user's operating time. Table 5 shows the average implementation time in each phase.
Table 6 shows the ranking result of user studies for 99 college students. The ranking score is from 1 (the lowest) to 10 (the highest), the ranking items include (1) trust before explanation, (2) convenience, (3) willing to play, and (4) trust after explanation, and the statistical information includes (1) average, (2) variable, (3) "≥5" (scores equal to or greater than 5), and (4) "≥6." In the first phase, we let users play the mobile lottery and rank the scores of the first three items (i.e., trust before explanation, convenience, and willing to play). In the second phase, we let users rank the final item (i.e., trust after explanation) after the one-minute explanation of the security design of our mobile lottery scheme. Normally, a "sense of security" is remarkably increased after a slight explanation. Most users think the mobile lottery is convenient, and more than half of them are willing to play the game again.

Conclusion
This paper proposes a generalized t-out-of-n oblivious signature scheme with proxy function. A new mobile lottery system is then proposed based on the proposed signature protocol with the aim of providing more complete fairness and more convenient security. Compared with other schemes, only our system provides the system properties of fairness for all players and multiple choices with multiple prizes. Moreover, most signature schemes do not supply both multichoice and proxy ability while preserving the security properties (along with security proofs via a formal security proving model), including blindness and ambiguity.
The proposed system is implemented on an Android smartphone, providing greater convenience for the user as compared with traditional game counter mechanisms. Based on the above analysis, the proposed signature protocol can also be used in applications outside lottery systems. Our future work will focus on this area, along with making further improvements to increase efficiency and security.

Appendix
The appendix provides 14 theorems along with definitions and proofs for the security analysis of the proposed signature protocol and e-lottery system using a formal proof method [40]. Let $(e, N)$ be the public key of an RSA cryptosystem,

A. Security Proofs of the Proposed Signature Protocol
mod $N$, and $s'^{e} \equiv H(r )$ can be evaluated from given $(s, m_1, r_1, r_2, m_2)$, then we say the 2nd modified RSA signature forgery problem is solved (the probability of solving this problem is denoted as Pr(s

Theorem 2 (message completeness). In our scheme, if an adversary can modify $(s_c, M_j, r_j, SN)$ to valid $(s_c', M_j', r_j', SN')$ from given $m_{wr}$, then the 2nd modified RSA signature forgery problem can be solved.

□
A.4. Verifiability
Theorem 5 (verifiability). In our scheme, if an adversary can forge valid signatures $(s_O', m_{wr}')$ and $(s_c', M_j', r_j', SN')$ from $(s_O, m_{wr})$ and $(s_c, M_j, r_j, SN, m_{wr})$ and pass the verification equations using public keys $(e_P, N_P, e_O, N_O)$, then both the 1st and 2nd modified RSA signature forgery problems can be solved.
Proof. The proofs are the same as the content of the proof of Theorem 1 plus the proof of Theorem 2.

A.5. Ambiguity
Definition 8 (entropy problem). Let $(e, N)$ be the public key of an RSA cryptosystem, $a, b \in Z$, and $\alpha = b^{e} \times m \bmod N$. If $m$ can be evaluated from given $(\alpha, e, N)$ without given $b$, then we say the entropy problem is solved. The probability of solving this problem is denoted as $\Pr(m \mid \alpha, e, N) = \varepsilon_5$.
Theorem 6 (ambiguity). In our scheme, if the proxy signer or an adversary can calculate $M_j$ from $(\beta_j, e_P, N_P)$, then the entropy problem can be solved.
Proof. In our scheme, assume the proxy signer or an adversary tries to calculate $M_j$ from $(\beta_j, e_P, N_P)$ where $\beta_j = b^{e_P} \times M_j \bmod N_P$. Let $RO_5$ be a random oracle: input $(\beta_j, e_P, N_P)$ to output $M_j$. In Definition 8, let $(\beta_j, e_P, N_P) \leftarrow (\alpha, e, N)$ be input parameters of $RO_5$ and obtain output $M_j$. Let $m \leftarrow M_j$, then $m$ is evaluated. Therefore, $\Pr(M_j \mid \beta_j, e_P, N_P) \le \Pr(m \mid \alpha, e, N) = \varepsilon_5$, which means the entropy problem can be solved if $RO_5$ exists.
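
The blinding step $\beta_j \equiv b_j^{e_P} \times M_j \bmod N_P$ and the ambiguity argument of Theorem 6, as an added Python illustration that is not the paper's code: it uses plain Chaum-style RSA blinding over a hash and omits the warrant, $r_j$ and $SN$ fields of the full protocol. The toy key, the candidate names, and treating $M_j$ as the hash of the chosen candidate are assumptions made for the example.

```python
import hashlib
import math
import secrets

# Constructed toy key (assumption): two Mersenne primes give a ~150-bit modulus.
# The paper's implementation uses a 1024-bit modulus; this size is illustrative only.
P, Q = 2**61 - 1, 2**89 - 1
N_P = P * Q
E_P = 65537
D_P = pow(E_P, -1, (P - 1) * (Q - 1))  # proxy signer's private exponent


def fdh(message: bytes) -> int:
    """Hash a message into Z_N (stand-in for the full-domain hash, assumption)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N_P


def random_unit() -> int:
    """Random blinding factor b with gcd(b, N_P) = 1."""
    while True:
        b = secrets.randbelow(N_P - 2) + 2
        if math.gcd(b, N_P) == 1:
            return b


def blind(message: bytes):
    """Recipient: beta = b^e * M mod N, where M = fdh(message)."""
    b = random_unit()
    beta = (pow(b, E_P, N_P) * fdh(message)) % N_P
    return beta, b


def sign_blinded(beta: int) -> int:
    """Proxy signer: signs beta without seeing M."""
    return pow(beta, D_P, N_P)


def unblind(blind_sig: int, b: int) -> int:
    """Recipient: (b^e * M)^d = b * M^d, so dividing by b leaves M^d."""
    return (blind_sig * pow(b, -1, N_P)) % N_P


def verify(message: bytes, sig: int) -> bool:
    """Verifier: hash-and-sign check sig^e == fdh(message) mod N."""
    return pow(sig, E_P, N_P) == fdh(message)


def explaining_factor(beta: int, candidate: bytes) -> int:
    """Blinding factor b' for which `candidate` would have produced beta.

    Such a b' exists for every candidate, so beta alone does not tell the
    signer which candidate was chosen (the ambiguity property).
    """
    m_inv = pow(fdh(candidate), -1, N_P)
    return pow((beta * m_inv) % N_P, D_P, N_P)


def run_demo():
    """t = 2 selections out of n = 5 constructed candidates."""
    candidates = [f"prize-{i}".encode() for i in range(1, 6)]
    chosen = [candidates[1], candidates[3]]
    all_verify, all_ambiguous = True, True
    for msg in chosen:
        beta, b = blind(msg)
        sig = unblind(sign_blinded(beta), b)
        all_verify = all_verify and verify(msg, sig)
        # Every one of the n candidates is consistent with the same beta.
        for cand in candidates:
            b_alt = explaining_factor(beta, cand)
            consistent = (pow(b_alt, E_P, N_P) * fdh(cand)) % N_P == beta
            all_ambiguous = all_ambiguous and consistent
    return all_verify, all_ambiguous


if __name__ == "__main__":
    print(run_demo())
```

The example covers only blinding, signing, unblinding and verification; the selection restriction (that the signed message is one of the n candidates) depends on protocol steps not shown here.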
A.6
, $M_j'$, $r_j'$, $SN'$) from $(s_c, M_j, r_j, SN, e_P, N_P)$ without given $d_P$, then the 2nd modified RSA signature forgery problem can be solved.
Proof. The proof is the same as the content of the proof of Theorem 1 plus the proof of Theorem 2.

A.7. Unforgeability
Theorem 8 (unforgeability). In our scheme, if an adversary can evaluate a forged warrant signature $(s_O', m_{wr}')$ from $(s_O, m_{wr}, e_O, e_P, N_O)$, then the 1st modified RSA signature forgery problem can be solved. If an adversary can evaluate a forged message signature $(s_c', M_j', r_j', SN')$ from $(s_c, M_j, r_j, SN, e_P, N_P)$, then the 2nd modified RSA signature forgery problem can be solved.
Proof. The proof is the same as the content of the proof of Theorem 1 plus the proof of Theorem 2.

A.8. Prevention of Misuse
Theorem 9 (prevention of misuse). In our scheme, if an adversary can calculate valid signature $(s_O', m_{wr}')$ from $(s_O, m_{wr}, e_O, e_P, N_O)$ without given $d_O$, then the 1st modified RSA signature forgery problem can be solved. If an adversary can calculate valid signature $(s_c', M_j, r_j', SN')$ from $(s_c, M_j, r_j, SN, e_P, N_P)$ without given $d_P$, then the 2nd modified RSA signature forgery problem can be solved.
Proof. The proof is the same as the content of the proof of Theorem 2.

B. Security Proofs of the Proposed Lottery System
B.1. Verifiability
Theorem 10 (verifiability). In our scheme, if an adversary can forge valid $(s_O', m_{wr}')$ and $(s_c', M_j', r_j', SN')$ from $(s_O', m_{wr}')$ and $(s_{c_j}, M_j, r_j, SN)$, then both the 1st and 2nd modified RSA signature forgery problems can be solved. If an adversary can counterfeit valid $(k_j', m_{k_j}', r_O', e_B', t_B', r_B')$ from $(k_j, m_{k_j}, r_O, e_B, t_B, r_B)$, then both the 2nd RSA signature forgery problem and the hash problems can be solved.

B.2. Privacy
Theorem 11 (privacy). In our scheme, if the banker or an adversary can calculate $M_j$ from $(\beta_j, e_B, N_B)$, then the entropy problem can be solved.
Proof. The proof is similar to the content of the proof of Theorem 6.

B.3. Undeniability
Theorem 12 (undeniability). In our scheme, if an adversary can calculate a valid signature $(s_O', m_{wr}')$ from $(s_O, m_{wr}, e_O, e_B, N_O)$ without given $d_O$, then the 1st modified RSA signature forgery problem can be solved. If an adversary can calculate a valid signature $(s_c', M_j', r_j', SN')$ from $(s_{c_j}, M_j, r_j, SN, e_B, N_B)$ without given $d_B$, then the 2nd modified RSA signature forgery problem can be solved.
Proof. The proof is similar to the content of the proof of Theorem 7.

B.4. Unforgeability
Theorem 13 (unforgeability). In our scheme, if an adversary can evaluate a forged warrant signature $(s_O', m_{wr}')$ from $(s_O, m_{wr}, e_O, e_B, N_O)$, then the 1st modified RSA signature forgery problem can be solved. If an adversary can evaluate a forged message signature $(s_c', M_j', r_j', SN')$ from $(s_{c_j}, M_j, r_j, SN, e_B, N_B)$, then the 2nd modified RSA signature forgery problem can be solved.
Proof. The proof is similar to the content of the proof of Theorem 8.

B.5. Fairness for All Players
Security and Communication Networks
Theorem 14 (fairness for all players). In our scheme, if any of the players, bankers, or the owner can calculate $m_k$ in the player drawing phase, then the RSA decryption problem or entropy problem can be solved.
Proof.

Figure 8: (a) Player receives the successful lottery card verification from cloud banker; (b) after choosing an option, player waits for banker's signature; (c) player verifies the prize; (d) following the successful verification, the game is concluded.

A.1. Completeness
Definition 4 (1st modified RSA signature forgery problem). Let $(e, N)$ be the public key of an RSA cryptosystem, $a, b, b' \in \mathbb{Z}$, $s^e = H(b \| a) \bmod N$, and $s'^e = H(b' \| a) \bmod N$. If $(s', b')$ can be evaluated from given $(a, s, b)$, then we say the 1st modified RSA signature forgery problem is solved (the probability of solving this problem is denoted as $\Pr(s', b' \mid a, s, b) = \varepsilon_1$).

Definition 6 (RSA signature forgery problem). Let $(e, N)$ be the public key of an RSA cryptosystem, $a, b, a', b' \in \mathbb{Z}$, $s^e = H(b \| a) \bmod N$, and $s'^e = H(b' \| a') \bmod N$. If $(s', b', a')$ can be evaluated from given $(s, b, a, e, N)$, then we say the RSA signature forgery problem is solved (the probability of solving this problem is denoted as $\Pr(s', b', a' \mid s, b, a) = \varepsilon_3$).

Proof. (1) The proofs about $(s_O', m_{wr}')$ and $(s_c', M_j', r_j', SN')$ forgery are the same as the content of the proof of Theorem 1 plus the proof of Theorem 2. (2) About $(k_j', m_{k_j}', r_O', e_B', t_B', r_B')$ counterfeit, the proof that $e_O'$ cannot be counterfeited is the same as the content of the proof of Theorem 4. (3) The value $t_B'$ is the banker's current time and cannot be forged because it can be verified by the player's current time. (4) The value $r_O'$ cannot be forged because it can be verified via $SN \stackrel{?}{\equiv} r_O'^{e_O} \bmod N_O$, and counterfeiting an $r_O'$ faces an RSA signature forgery problem. (5) Forging $(k_j', m_{k_j}')$ directly faces the hash problem because the player verifies $M_j \stackrel{?}{=} H(H(k_j \| m_{k_j} \| r_O \| e_B) \| r_B \| t_B)$ to confirm $(k_j', m_{k_j}')$.
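The player's checks on $r_O$ and on $(k_j, m_{k_j})$ named in the proof above, run end to end as an added Python example that is not code from the paper. The toy owner key, the length-prefixed SHA-256 standing in for $H$, the function names, the sample values and the unshuffled option order are assumptions.

```python
import hashlib

# Constructed toy RSA public key for owner O (far too small for real use).
N_O, E_O = 61 * 53, 17

def H(*parts) -> bytes:
    """SHA-256 over length-prefixed parts; stand-in for H(a || b || ...)."""
    h = hashlib.sha256()
    for part in parts:
        data = part if isinstance(part, bytes) else str(part).encode()
        h.update(len(data).to_bytes(4, "big") + data)
    return h.digest()

def owner_make_card(prizes, r_O, e_B):
    """Owner: h_k = H(k || m_k || r_O || e_B) and SN = r_O^e_O mod N_O."""
    return [H(k, m, r_O, e_B) for k, m in enumerate(prizes, 1)], pow(r_O, E_O, N_O)

def banker_options(h_list, r_B, t_B):
    """Banker: p = H(h_k || r_B || t_B); without (r_B, t_B), p is not linkable to h_k."""
    return [H(h, r_B, t_B) for h in h_list]

def owner_open(M_j, h_list, prizes, r_B, t_B):
    """Redemption: O finds the h_k with M_j = H(h_k || r_B || t_B), reveals (k, m_k)."""
    for k, (h, m) in enumerate(zip(h_list, prizes), 1):
        if H(h, r_B, t_B) == M_j:
            return k, m
    return None

def player_verify(M_j, k_j, m_kj, r_O, e_B, r_B, t_B, SN):
    """Player: SN =? r_O^e_O mod N_O and
    M_j =? H(H(k_j || m_kj || r_O || e_B) || r_B || t_B)."""
    opened = H(H(k_j, m_kj, r_O, e_B), r_B, t_B)
    return SN == pow(r_O, E_O, N_O) and M_j == opened

def demo():
    prizes, r_O, e_B = ["0", "10", "100"], 1999, 65537   # constructed values
    r_B, t_B = 424242, "2020-01-01T00:00:00Z"             # constructed values
    h_list, SN = owner_make_card(prizes, r_O, e_B)
    M_j = banker_options(h_list, r_B, t_B)[1]             # player picks option 2
    k, m = owner_open(M_j, h_list, prizes, r_B, t_B)
    honest = player_verify(M_j, k, m, r_O, e_B, r_B, t_B, SN)
    swapped = player_verify(M_j, k, "100", r_O, e_B, r_B, t_B, SN)
    wrong_r = player_verify(M_j, k, m, r_O + 1, e_B, r_B, t_B, SN)
    return k, m, honest, swapped, wrong_r

if __name__ == "__main__":
    print(demo())
```

A prize value changed after the card was issued, or a different $r_O$, fails the player's check because the opened hash or $SN$ no longer matches.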
, owner O authorizes the agent to create banker B's game as follows: (1) O calculates $s_O \equiv H(m_{wr} \| e_B)^{d_O} \bmod N_O$ and sends $s_O$ and $m_{wr}$ to B.
$SN$ and $s_{SN}$ to B, and stores $(r_O, h_k, k, m_k)$ in the database.
(3) Once B has received the lottery card, he/she verifies s
4) Player calculates $s_{c_j} \equiv b_j^{-1} s_j s_{M_j} \bmod N_B$ and obtains the valid signature value for $M_j$: $\mathrm{Sig}(M_j) = \{s_{c_j}, r_j, SN, s_O, m_{wr}, e_O, e_B\}$.
(4) Prize Redemption Phase. As shown in Figure 7, player sends the signed content to O for verification, to check whether the lottery card is valid. O calculates $r_O \equiv SN^{d_O} \bmod N_O$ and checks whether the value $r_O$ exists in the database. If it does, $(r_O, M_j, r_B, t_B)$ is used to find $h_k$ from $M_j = p_j = H(h_k \| r_B \| t_B)$ and resolve $k_j$ and $m_{k_j}$ and then $M_j$ data $k_j, m_{k_j}, r_O$ are announced to player. Finally, the item about $(r_O, h_k, k_j, m_{k_j})$ is marked as "completed" in the database.
(3) Player verifies $M_j \stackrel{?}{=}$
$\equiv H(m_{wr} \| e_B) \bmod N_O$ to check O's
B ) to blind prize $m_k$ ($k = 1, 2, \ldots, n$), and calculates $SN \equiv r_O^{e_O} \bmod N_O$ and $s_{SN} \equiv H(SN \| h_1 \| \ldots \| h_n)^{d_O} \bmod N_O$. O then transmits the lottery card information $\{h_k\}$,
$\stackrel{?}{\equiv} H(SN \| h_1 \| \ldots \| h_n) \bmod N_O$ to establish the card as accepted. B then selects a random number $r_B \in \mathbb{Z}_{N_B}$, extracts current time $t_B$, and calculates
j $\times M_j \bmod N_B$, and sends $\beta_j$ to B.
(3) B selects a random number $r_j \in \mathbb{Z}_{N_B}$, calculates $s_j \equiv [H(r_j \| SN) \times \beta_j]^{d_B} \bmod N_B$, and sends $\{s_j, r_j\}, r_B, t_B$ to player.
(? H(H(k j

From Table 4, only our proposed lottery scheme provides "fairness for all players".
P is unable to determine the content of the signed message. Then, R sends $s_j$ back to P, and P calculates $b_j^{-1} s_j s_{M_j}$ to obtain the valid signature for $M_j$, thus ensuring the privacy of R. This method implies another security feature in which each of the t signatures $M_j$ can be independently verified. Prevention of Misuse. The signature of $m_{wr}$ is verified,

Table 6: Ranking of user studies.
′ and $m_{wr}'$ (i.e., $RO_1(m_{wr}, e_P, s_O) \to (s_O', m_{wr}')$). In Definition 4, let $e_P \leftarrow a$, $m_{wr} \leftarrow b$, and $s_O \leftarrow s$ be input parameters of $RO_1$ and obtain output $s_O'$ and $m_{wr}'$. Let $s' \leftarrow s_O'$ and $b' \leftarrow m_{wr}'$, then $(s', b')$ are evaluated. Therefore, $\Pr(s_O', m_{wr}' \mid e_P, s_O, m_{wr}) \le \Pr(s', b' \mid a, s, b) = \varepsilon_1$, which means the 1st modified RSA signature forgery problem can be solved if $RO_1$ exists.
′, $m_{wr}'$, $e_P'$) from $(s_O, m_{wr}, e_P, e_O, N_O)$, where s p ) mod $N_O$ and $s_O'^{e_O} = H(m_{wr}' \| e_P') \bmod N_O$.
Let $RO_3$ be a random oracle: input $(s_O, m_{wr}, e_P, e_O, N_O)$ to output $(s_O', m_{wr}', e_P')$. In Definition 6, let $(s_O, m_{wr}, e_P, e_O, N_O) \leftarrow (s, b, a, e, N)$ be input parameters of $RO_3$ and obtain output $(s_O', m_{wr}', e_P')$. Let $(s', b', a') \leftarrow (s_O', m_{wr}', e_P$
$_O', m_{wr}', e_P' \mid s_O, m_{wr}, e_P, e_O, N_O) \le \Pr(s', b', a' \mid s, b, a) = \varepsilon_3$, which means the RSA signature forgery problem can be solved if $RO_3$ exists.
(2nd RSA signature forgery problem). Let $(e, N)$ be the public key of an RSA cryptosystem, $m, m' \in \mathbb{Z}$, $s^e = H(m) \bmod N$, and $s'^e = H(m') \bmod N$. If $(s', m')$ can be evaluated from given $(s, m, e, N)$, then we say the 2nd RSA signature forgery problem is solved (the probability of solving this problem is denoted as $\Pr(s', m' \mid s, m, e, N) = \varepsilon_4$).
Theorem 4 (identifiability). Given $(e_{Root}, N_{Root})$. In our scheme, if an adversary can counterfeit valid $(s_{e_O}', e_O')$ from $(s_{e_O}, e_O)$ or counterfeit valid $(s_{e_P}', e_P')$ from $(s_{e_P}, e_P)$, such that $s_i^{e} = H(e_i) \bmod N$, where $(s_i, e_i) = (s_{e_O}, e_O), (s_{e_P}, e_P)$,
In a PKI system, a signature $s_i$ on a public key $e_i$ is signed by root such that $s_i^{e_{Root}} = H(e_i) \bmod N_{Root}$, where $(e_{Root}, N_{Root})$ are root public keys. Assume an adversary tries to counterfeit $(s_{e_O}', e_O')$ from $(s_{e_O}, e_O)$ or counterfeit $(s_{e_P}', e_P')$ from $(s_{e_P}, e_P)$. Let $RO_4$ be a random oracle: input $(s_{e_O}, e_O)$ to output $(s_{e_O}', e_O')$. In Definition 7, let $(s, m, e, N) \leftarrow (s_{e_O}, e_O, e_{Root}, N_{Root})$ be input parameters of $RO_4$ and obtain output $(s', m')$. Let $(s_{e_O}', e_O') \leftarrow (s', m')$, then (s
′ $\mid s_{e_O}, e_O, e_{Root}, N_{Root}) \le \Pr(s', m' \mid s, m, e, N) = \varepsilon_4$, which means the 2nd RSA signature forgery problem can be solved if $RO_4$ exists.
Nonrepudiation
Theorem 7 (nonrepudiation). In our scheme, if an adversary can calculate a valid signature $(s_O', m_{wr}')$ from $(s_O, m_{wr}, e_O, e_P, N_O)$ without given $d_O$, then the 1st modified RSA signature forgery problem can be solved. If an adversary can calculate a valid signature ($s_c'$
In our scheme, assume a banker tries to calculate $m_k$ from $(h_k, e_B, SN, e_O, N_O)$, where $h_k = H(k \| m_k \| r_O \| e_B)$ and mod $N_O$. It faces RSA decryption problem. If the owner tries to get the connection between $h_k$ and $p_i$ from $\{p_i\}$ and $\{h_k\}$ without known $(r_B, t_B)$, where $p_i \equiv H(h_k \| r_B \| t_B)$, it faces entropy problem. If a player tries to calculate $m_k$ from $p_i$ without known $(r_B, t_B)$, it also faces entropy problem.