[Cryptography] A Scheme for Verifiable Lottery

Peter Fairbrother peter at tsto.co.uk
Sat Nov 28 20:40:52 EST 2020


On 25/11/2020 03:31, Yunxiang Li wrote:
[...]
> Post the following info:
>    A Lottery name, this needs to be unique each time
>    MAC tag of a chosen "lucky number"
>    The number of winners
> When participants sign-up, they are given some sort of proof for joining,
> "Lottery name + username" signed with the organizer's keypair (for example)
> Calculate participants' score from their unique username
>    score = min(hash(1, <lottery name>, <username>),
>                hash(2, <lottery name>, <username>),
>                ...,
>                hash(<lucky number>, <lottery name>, <username>

> Winners are the participants with the lowest score.
> Announce the winner, the lucky number with the MAC key used to generate the tag
> 
> The rationale for the repeated hashing is that since the randomness are picked
> by the organizer, there's no way to stop them from favoring someone by trying
> possible lucky numbers. Therefore with this scheme, they would need to give
> everyone else at least the same number of tries, making picking favorites
> impossible.

IIUC that doesn't work - but I don't understand precisely what you are 
saying [1]. I don't see how the repeated [2] hashing gains you anything 
(and it sure doesn't make it fast to compute, unless you have hardware 
hashers).

But the scheme is broken anyway. Here is one attack:

N tickets sold. Organiser picks N trial usernames and test hashes them 
with genuine lucky number etc.

Organiser's shill then buys the test with the lowest score and discards 
the other tests. Shill has a 50% chance of winning.


I may be misunderstanding something, you are not clear, but afaict the 
organiser publishes the hash of the lucky number then reveals it after 
the entries are closed. The organiser then has the advantage of knowing 
the lucky number while entries can be bought, and can translate that 
into free tries.

If not, the lucky number serves no purpose I can see. If the lucky 
number is public then the public can try new usernames to find one which 
hashes to a low number.

Peter Fairbrother

[1] this scheme is not well-described. suppose I want to calculate the 
second hash - is the username different? do I calculate a series of 
hashes for each entrant?

[2] what you have described is not repeated hashing as far as I can 
tell, it is just lots of different hashes. The results of the previous 
hash are not used to calculate the next hash.




More information about the cryptography mailing list