fair event selection protocol - review requested

Tue Aug 31 15:12:10 EDT 2004

What is the best way to publish the specification of a protocol to
the crypto community or ask for reviews of/comments on it?

I tried posting to sci.crypt with no luck, and it was suggested
that this would be an appropriate place to ask.  Assuming that's
right, here are the approximate details of the Fairdice Protocol:

*******************
  BNF Definitions
*******************
MODULO     = 1*200(HEX)
           ; The number of events between which we are selecting.
           ; (eg The number of faces on the die.)
SHAREDTEXT = HOST_ID " ^ " GAME_ID " ^ " TIMESTAMP " ^ " PADDING " ^ "
PADDING    = *(HEX)
	   ; The length of the PADDING is selected to make the length
           ; of the SHAREDTEXT up to 250 characters long.
USERTEXT   = 250(HEX)
PLAINTEXT  = SHAREDTEXT USERTEXT
DIGEST     = <the tiger hash of PLAINTEXT, displayed as a HEX string>
INPUT      = <USERTEXT modulo MODULO displayed in HEX>
OUTPUT     = <the sum of the INPUTs from the host and players, modulo MODULO>

The participants are numbered 0..N where participant 0 is the Host and
participants 1..N are the Players.

*********
  Steps
*********
1. Host publishes MODULO and SHAREDTEXT
2. Players publish their DIGESTs
3. Host publishes Host's DIGEST (and N)
4. Players publish their USERTEXTs
5. Host makes use of the OUTPUT
   (for example, a game of roulette is played)
6. Host publishes the OUTPUT
7. Host publishes the Host's USERTEXT
   (at this stage the Players can verify that the OUTPUT published
   in Step 6 is correct by working out what it should be themselves)

**********************
  Threat Environment
**********************
An open source implementation of this protocol has been released at
    http://fairdice.sourceforge.net/
It is anticipated that this will be used between Casinos and game
players to collaboratively select between possible event outcomes
(eg Roll a die, spin a wheel, etc) in a manner that is verifiable
to all participants as being:
a) not riggable (no participant can deliberatly cause a particular OUTPUT)
b) not predictable (no participant can know the OUTCOME until either told
   or in posession of all the USERTEXTs or INPUTs, and the MODULO).

A participant could make on the order of 1 million dollars per collision.
IE Finding two USERTEXTs for a particular SHAREDTEXT that give the same
DIGEST.

**********************
  Specific Questions
**********************

Does the protocol achieve what it intends, or are there breaks?

What would be sufficient lengths for the SHAREDTEXT and USERTEXT
to make finding a collision uneconomic within the next 100 years
(assuming Moore's law, not quantum crypto).

For the exact details of the protocol, and explanations of
how it is carried out over an internet connection, see:
  http://fairdice.sourceforge.net/crypto/

Yours sincerely,

Douglas Reay

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com