[Cryptography] A Scheme for Verifiable Lottery

[Yunxiang Li]

On Sun, 2020-11-29 at 01:40 +0000, Peter Fairbrother wrote:
> ...
> 
> I may be misunderstanding something, you are not clear, but afaict the 
> organiser publishes the hash of the lucky number then reveals it after 
> the entries are closed. The organiser then has the advantage of knowing 
> the lucky number while entries can be bought, and can translate that 
> into free tries.

Yes, each participants gets <lucky number> many hashes, and their score is the
lowest of the bunch, for each hash, only the number used change, lottery name
and username say the same.

The idea was that for a given username, the organizer can pick the lucky number
to give it a good score, and the number of times he tries to get that lucky
number is upper-bounded by the number itself, so it gives everyone else at least
the same number of tries.

However, the usernames does let the organizer try however many times they wishes
while not increasing the lucky number. That's a problem. I mean it would be
fairly obvious that the account corresponding to the username was fake. but it's
still a big problem in the scheme.

I need to think about this more, it seems pretty hard to avoid since it's
basically increasing the number of times you participate in the lottery, which
is always going to work for any lottery scheme.

> If not, the lucky number serves no purpose I can see. If the lucky 
> number is public then the public can try new usernames to find one which 
> hashes to a low number.

The lucky number could have been public, yes. But it would ruin the fun since
people can see what score they'll get before the reveal, and therefore affects
the number of participants.

ofc this is not considering the problem from above :(

> [2] what you have described is not repeated hashing as far as I can 
> tell, it is just lots of different hashes. The results of the previous 
> hash are not used to calculate the next hash.

That was a bad choice of word, yeah