[Cryptography] A Scheme for Verifiable Lottery

Peter Fairbrother peter at tsto.co.uk
Wed Dec 2 13:27:30 EST 2020

On 01/12/2020 00:36, Yunxiang Li wrote:
> On Mon, 2020-11-30 at 14:14 -0800, John-Mark Gurney wrote:
>> Seems to me that a better way is similar to the coin flip implemented
>> by keybase: https://book.keybase.io/docs/chat/coin-flip
> Yeah, I thought about using something similar, like everyone giving the organizer
> a random number between 0 and 1, and the random number is the decimal part of
> the sum, so as long as there is one random input the result is going to be
> random. The problem with this is that it would require the organizer to publish
> the list of participants.
> I had a quick go over with the coin flip procedure, it seems like it does
> require the list of participants as well.

That is not a problem, the published list is just a list of ticket 
numbers and the associated choices. The idea that each participant 
creates a 256-bit number doesn't have that problem either.

However both ideas are broken by this attack:

Organiser sells n real tickets. He also "sells" say n/10 fake tickets. 
He then can generate lots of hashes for one (or bits for several) of 
the fake tickets and finds a hash where one of his fake tickets is the 

He can pay cash for the fake tickets if needed, as long as the prize is 
more than n/10 times the ticket price.

Peter Fairbrother
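
The attack described in this message, as an added simulation that is not code from the thread: an organiser who fixes his fake ticket's number after seeing every real contribution retries it until a fake ticket wins. The draw rule (SHA-256 over all contributions in ticket order, reduced modulo the ticket count), the function names and the sample contributions are assumptions constructed for illustration.

```python
import hashlib

def contribution(label):
    # Constructed sample input standing in for a ticket's 256-bit number.
    return hashlib.sha256(label.encode()).digest()

def draw(contributions):
    # Assumed draw rule: hash all contributions in ticket order and
    # reduce the digest modulo the number of tickets.
    digest = hashlib.sha256(b"".join(contributions)).digest()
    return int.from_bytes(digest, "big") % len(contributions)

def grind(real, fake_count, max_tries=10_000):
    # The organiser knows every real contribution before fixing his own,
    # so he retries the last fake ticket's number until a fake index wins.
    fakes = [contribution(f"fake-{i}") for i in range(fake_count)]
    for tries in range(1, max_tries + 1):
        fakes[-1] = tries.to_bytes(32, "big")
        winner = draw(real + fakes)
        if winner >= len(real):  # indexes past the real tickets are fake
            return winner, tries
    return None, max_tries

def mean_tries(n_real=100, rounds=300):
    # n/10 fake tickets as in the message: expect about 110/10 = 11 tries.
    total = 0
    for r in range(rounds):
        real = [contribution(f"round-{r}-ticket-{i}") for i in range(n_real)]
        total += grind(real, n_real // 10)[1]
    return total / rounds

def honest_fake_win_rate(n_real=100, rounds=300):
    # Baseline without retries: fake tickets should win about 10/110 draws.
    wins = 0
    for r in range(rounds):
        real = [contribution(f"round-{r}-ticket-{i}") for i in range(n_real)]
        fakes = [contribution(f"round-{r}-fake-{i}") for i in range(n_real // 10)]
        wins += draw(real + fakes) >= n_real
    return wins / rounds

if __name__ == "__main__":
    print("mean tries until a fake ticket wins:", mean_tries())
    print("fake win rate without grinding:", honest_fake_win_rate())
```

Under these assumptions the fake tickets win about one draw in eleven when their numbers are fixed blind, and every draw after roughly eleven hash evaluations when the last number can be chosen late.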
