An Information Theoretically Secure E-Lottery Scheme Based on Symmetric Bivariate Polynomials

Abstract

E-lottery schemes have attracted much interest from both industry and academia recently, because they are not only useful to raise funds for charity institutions, but also can be used as the major building blocks to design micro-payment systems. In the literature, a number of e-lottery schemes have been introduced over the last two decades. However, most of these schemes rely on some computational assumptions. In this paper, we introduce a novel e-lottery scheme that achieves information theoretical security. Our proposed scheme is designed using symmetric bivariate polynomials, and it satisfies the required security properties, such as correctness, unpredictability, verifiability, and robustness. Moreover, the winning number is generated in a distributed fashion, so that no trusted third party needs to be involved and the danger of a single point of failure is minimized.

1. Introduction

Today, the lottery has grown into a multi-billion dollar industry, and it is very popular in peoples’ daily life. In one aspect, it allows the players to bet on a small amount of money and get the chance to win a large fortune, and meanwhile, funds raised by the lottery are indispensable sources for various charity institutions. In another aspect, Rivest has shown in [1] that the lottery can be used as the major building block to design micro-payment systems. Therefore, it has attracted much interest from both industry and academia recently because of its practical importance, as well as theoretical potentials.

In general, a lottery scheme consists of the following participants, as shown in Figure 1: lottery issuers, players, and drawing centers. If a player wants to participate in a lottery game, she/he purchases the lottery tickets from some lottery issuer. Note that the player can purchase as many tickets as she/he likes, and each ticket costs her/him a small amount of money. Depending on the rules, in the lottery ticket, the player chooses either one number within some pre-defined large domain or several numbers in some pre-defined small domain. In this paper, we only consider the first case, since a lottery scheme designed in this case can be easily transformed into one that handles the second case, e.g., running the scheme several times in parallel. Once the ticket purchase phase finishes, the winning number is then generated by the drawing centers. If the player’s selected number matches with the winning number, she/he wins, and the lottery ticket that contains the winning number can be used to claim the prize from the lottery issuer.

With the rapid development of technologies, designing the lottery systems using information technologies and implementing them over computer networks have become inevitable trends, and these systems are called e-lotteries. Although the e-lottery is helpful to simplify the ticket purchase experience (i.e., with computer-aided user interfaces) and makes the system more accessible by ordinary users (i.e., the tickets can be purchased remotely at the users’ most convenient time), it also brings many new security issues compared with the traditional lottery systems. For example, a lottery system should guarantee that the winning number is randomly distributed in the pre-defined large domain, and it is unpredictable before its announcement. Note that these requirements ensure that each ticket will have a fair chance to win the prize. Moreover, the drawing phase should be transparent so that the validity of the winning number can be verified. Because computer networks are publicly accessible and they allow the users to communicate with each other without physical contact, the harmonization of these conflicting security requirements is challenging and needs the dedicated design and proper use of some advanced cryptographic techniques.

1.1. Related Works

The first e-lottery scheme was proposed by Goldschlag et al. [2], in which the winning number is generated using the delay function with the purchased tickets as its inputs. Informally, the delay function is a deterministic function that is not hard to compute, but still requires a significant amount of time to complete the computation. Therefore, the drawing phase can be verified by re-computing the delay function with the same inputs, and the unpredictability of the winning number relies on the fact that the players cannot compute the delay function effectively. To guarantee that the winning number is randomly distributed, the scheme requires an early registration of the players, and this step is later used to ensure that the number of participating players is not too small. Otherwise, the winning number may not contain enough entropy, and its distribution can be biased. However, this scheme has several limitations. Firstly, each player is allowed to purchase only one ticket. Secondly, it is not suitable to be used in some real-world e-lottery systems in which the winning number is generated periodically no matter how many tickets have been purchased. Thirdly, the delay function could be a single point of failure, and it may not be robust over time. A related e-lottery scheme has been introduced by Syverson [3] around the same time using weakly-secret bit commitment (WSBC). Note that WSBC has similar properties as the delay function such that once a secret has been committed, it can be read only after a pre-determined amount of time. In [4], Kushilevitz et al. introduced an e-lottery scheme in which the delay function is used in the winning number verification rather than the winning number generation. This scheme does not need to employ a trusted third party (TTP), and the correctness of execution can be verified. Moreover, the early registration of players is not required, and each player is allowed to purchase multiple tickets.

The above schemes mainly focus on the generation of the winning number. In [5], Zhou et al. introduced an e-lottery scheme that focuses on fair payment for lottery tickets and prize claim. Moreover, the players’ anonymity is considered to enhance the participation rate. The downside is that this scheme needs to employ an off-line TTP. The players and the lottery issuers exchange messages using verifiable encrypted signatures, and an off-line TTP needs to be involved if there is any dispute in the exchange. In this scheme, the delay function is also suggested to be used to prevent the last participating player from biasing the distribution of the winning number. Some other e-lottery schemes based on delay functions can be found in [6,7,8]. The design and implementation of large-scale lottery systems have been described in [9,10].

In the literature, several e-lottery schemes also have been introduced without using the delay function. In [11], the winning number is generated by aggregating the drawing centers’ random values. The scheme relies on the homomorphic property of the Paillier encryption [12], and the winning number is retrieved in the drawing phase using the verifiable threshold decryption. Its benefit is that the winning number is independent of the players’ tickets; hence, the e-lottery scheme is more versatile and suits more real-world applications. In [13,14], Lee et al. introduced two e-lottery schemes that further consider the protection of players’ privacy and anonymity. This property is achieved using blind signatures. However, some TTP needs to be involved in the drawing phase to generate the winning number. In [15], Liu et al. extended Lee’s schemes in two aspects. First, players’ privacy is protected using an efficient oblivious transfer rather than blind signatures. Second, the drawing phase is carried out by a number of drawing centers in a distributed fashion using Lagrange interpolation of polynomials. Each drawing center can verify that her/his input has contributed to the winning number by checking whether her/his point satisfies the resulting polynomial. The benefit is that neither the delay function nor any TTP is required in the drawing phase.

1.2. Our Contributions

To the best of our knowledge, most of the existing e-lottery schemes rely on some computational assumptions. In other words, if the adversary has infinite computational power, the security properties in these existing schemes will be violated. In this paper, we introduce a novel e-lottery scheme that achieves information theoretical security. Our proposed scheme is designed using symmetric bivariate polynomials, and its security properties, such as correctness, unpredictability, verifiability, and robustness, can be guaranteed against the adversary who has unlimited resources. Moreover, the winning number is generated in a distributed fashion so that neither TTP nor the delay function needs to be involved; hence, the danger of a single point of failure is minimized. Note that our suggested method also can be used to improve some existing e-lottery schemes. For example, when it is used to generate the winning number in Lee’s schemes [13,14], the TTP can be removed in the drawing phase.

1.3. Organization of the Paper

The rest of the paper is organized as follows: In Section 2, we outline some preliminaries. The models and definitions of e-lottery schemes are described in Section 3. In Section 4, we introduce our proposed e-lottery scheme, and its security and efficiency analyses are presented in Section 5. Finally, we conclude in Section 6.

2. Preliminaries

Symmetric bivariate polynomials have been widely used in the research of information technologies [16,17,18,19,20]. In this section, we describe the symmetric bivariate polynomial, as well as its properties that will be used in our proposed e-lottery scheme. Denote p as some large prime, and all the computations are modulo p unless otherwise stated. The dealer $\mathcal{D}$ first chooses a random symmetric bivariate polynomial $f(x,y)$ over ${\mathbb{Z}}_p$ with degree at most $t-1$ in both x and y as:

$$f(x,y)=a_{0,0}+a_{1,0}x+a_{0,1}y+a_{1,1}xy+\cdots +a_{t-1,t-1}{x}^{t-1}{y}^{t-1}$$

such that $a_{i,j}=a_{j,i}$ for all $i,j\in \{0,1,\dots ,t-1\}$. Moreover, denote $\{{\mathcal{P}}_1,{\mathcal{P}}_2,\dots ,{\mathcal{P}}_n\}$ as a set of players and $\{w_1,w_2,\dots ,w_n\}$ as the public parameters associate with these players. $\mathcal{D}$ computes the shares $h_i\left(x\right)=f(x,w_i)$ for $i=1,2,\dots ,n$ and sends them to the players through the secure channel. Note that each share $h_i\left(x\right)$ is a univariate polynomial with degree at most $t-1$ in x.

Pairwise key establishment: The players can use their shares to establish pairwise secret keys among them without interaction [21]. For example, the $i^{\mathrm{th}}$ player ${\mathcal{P}}_i$ and the $j^{\mathrm{th}}$ player ${\mathcal{P}}_j$ can establish a secret key between them as $k_{i,j}=h_i\left(w_j\right)=h_j\left(w_i\right)=k_{j,i}$. This is because in the symmetric bivariate polynomial $f(x,y)$, we always have $f(w_i,w_j)=f(w_j,w_i)$. Note that in [22,23], Stinson et al. also used this property to authenticate whether the shares $h_i\left(x\right)$ have been generated consistently.

Secret recovery: If t or more than t of these players work together and all these players are honest, they can recover the value $a_{0,0}=f(0,0)$ using their shares $h_i\left(x\right)$ through Lagrange interpolation. Without loss of generality, we assume that the players $\{{\mathcal{P}}_1,{\mathcal{P}}_2,\dots ,{\mathcal{P}}_t\}$ are involved. The value $a_{0,0}$ can be recovered as $a_{0,0}={\sum }_{i=1}^t{h}_i\left(0\right)·{\mathcal{L}}_i$, where ${\mathcal{L}}_i={\prod }_{j=1,j\ne i}^t\frac{w_j}{w_j-w_i}$ is the Lagrange coefficient. Here, each $h_i\left(0\right)$ is a value within ${\mathbb{Z}}_p$.

Robust secret recovery: Even if some players are dishonest, the value $a_{0,0}$ still can be correctly recovered under some conditions [24]. The basic idea is as follows: suppose n players are all involved and that they reveal the values $h_i\left(0\right)$ for $i=1,2,\dots ,n$, but some dishonest players might reveal incorrect $h_i\left(0\right)$ values. Now, every set containing t of the $h_i\left(0\right)$ values can be interpolated into a possible value of $a_{0,0}$, and there are in total $\left(\genfrac{}{}{0pt}{}{n}{t}\right)=\frac{n!}{t!(n-t)!}$ number of such sets. If a particular value of $a_{0,0}$ appears in more than half of these sets, it can be treated as the correct value without ambiguity. The remaining issue is how many dishonest players can be tolerated in this method, and we denote this number as b. Obviously, $b<t$ must hold. Otherwise, these dishonest players can recover $a_{0,0}$ by themselves. Moreover, any two different univariate polynomials with degree $t-1$ agree on at most $t-1$ points. Recall that there are n players and that each player can generate one point; these two polynomials must differ at least $n-t+1$ points. By information theory, the error correction codes have the ability to correct less than $\frac{n-t+1}{2}$ errors. Hence, we have $\frac{n-t+1}{2}>b$, which further implies that $b<n/3$. Under this condition, either the Euclidean decoder or the Berlekamp–Massey decoder can be used to recover the value $a_{0,0}$ efficiently.

Homomorphic property in secret sharing: Note that the values $h_i\left(0\right)$ for $i=1,2,\dots ,n$ can be considered as the shares of the secret $a_{0,0}$ using Shamir secret sharing [25]. In [26], Benaloh discovered the homomorphic property in secret sharing schemes. Denote $(s_1,s_2,\dots ,s_n)$ as a set of shares encoding the secret s and $(s_1^{\prime },s_2^{\prime },\dots ,s_n^{\prime })$ as another set of shares encoding the secret $s^{\prime }$. Moreover, ⊕ and ⊗ are denoted as the operation of shares and operation of the secret, respectively. Then, the set $(s_1\oplus s_1^{\prime },s_2\oplus s_2^{\prime },\dots ,s_n\oplus s_n^{\prime })$ encodes the secret $s\otimes s^{\prime }$. Obviously, Shamir secret sharing enjoys the $(+,+)$ homomorphic property.

3. Models and Definitions

Participants: There are four types of participants in an e-lottery system:

• Lottery issuers: They sell tickets to the players and provide the prize to the winner. We assume that the lottery issuers are honest.
• Players: They buy tickets and hope to win a large fortune.
• Drawing centers: They follow the public procedure to generate the winning number.
• Adversary: The adversary $\mathcal{A}$ is assumed to have unlimited computational resources, and $\mathcal{A}$ can control at most b of the drawing centers. Controlling a drawing center means learning its internal states, modifying its messages, disconnecting it, changing its intended behavior, and so on.

Communication model: We assume that the drawing centers are connected by pairwise secure channels, so that the messages exchanged among them cannot be intercepted or modified by the adversary $\mathcal{A}$. We also assume that there exists a common authenticated broadcast channel that is accessible by every participant. Moreover, we assume that the system is synchronized. Each drawing center can access a common global clock, and it can access some local source of randomness.

System model: An e-lottery scheme consists of the following three phases:

• Purchasing phase: The players can only purchase the tickets in this phase. To purchase a ticket, the player chooses a number in a pre-defined large domain and bets a small amount of money on it. Note that each player can purchase as many tickets as she/he likes. The purchased tickets are physically signed by these lottery issuers, so that they cannot be counterfeited by the players.
• Drawing phase: This phase begins after the purchasing phase. The drawing centers generate the winning number in a distributed fashion. The winning number is required to be randomly distributed in the pre-defined large domain, and it is unpredictable before its announcement. Moreover, this phase should be transparent so that the generation of the winning number can be verified.
• Claiming phase: Once the winning number is announced, the player who has selected the wining number can use her/his ticket to claim the prize from the lottery issuers.

Security properties: The following security properties are advocated in the majority of e-lottery schemes:

• Correctness: The proposed scheme will output the winning number that is randomly distributed in the pre-defined domain in the drawing phase.
• Unpredictability: The adversary cannot predict the winning number before it is announced. Note that the correctness property together with the unpredictability property guarantee that each player will have a fair chance to win the prize.
• Verifiability: It can be verified that the winning number is generated according to the public procedure.
• Robustness: The winning number is generated in a distributed fashion, so that neither TTP nor the delay function needs to be employed.

4. An E-Lottery Scheme with Information Theoretical Security

In this section, we describe our proposed e-lottery scheme with information theoretical security. Its design is inspired by the unconditionally-secure, verifiable secret sharing [22] and privacy preserving data aggregation [27,28], and we have incorporated the techniques in [29] to improve its round complexity.

4.1. The Proposed Scheme

Suppose n drawing centers $\{{\mathcal{P}}_1,{\mathcal{P}}_2,\dots ,{\mathcal{P}}_n\}$ are involved in generating the winning number in the drawing phase, and $\{w_1,w_2,\dots ,w_n\}$ are the public parameters associate with these drawing centers, respectively. The static adversary $\mathcal{A}$ can control at most b of these drawing centers, where $b<t$ and $n\ge t+3b$. The word “static” means that $\mathcal{A}$ chooses the corruption drawing centers at the beginning of the scheme. Moreover, p is denoted as some large prime, and all the computations are assumed to be modulo p unless otherwise stated. The winning number is generated as follows:

• Each drawing center ${\mathcal{P}}_k$ chooses a random symmetric bivariate polynomial with degree at most $t-1$ in both x and y:

  $$f^{\left(k\right)}(x,y)=\sum _{i=0}^{t-1}\sum _{j=0}^{t-1}{a}_{i,j}^{\left(k\right)}{x}^i{y}^j$$

  where $a_{i,j}^{\left(k\right)}=a_{j,i}^{\left(k\right)}$ for all $i,j\in \{0,1,\dots ,t-1\}$. Then, ${\mathcal{P}}_k$ computes $h_m^{\left(k\right)}\left(x\right)=f^{\left(k\right)}(x,w_m)$ and sends it to every other drawing center ${\mathcal{P}}_m$ through the pairwise secure channel. Note that each $h_m^{\left(k\right)}\left(x\right)$ is a univariate polynomial with degree at most $t-1$ in x. At the same time, each ${\mathcal{P}}_i$ sends to every ${\mathcal{P}}_j$ a random value $r_{i,j}^{\left(k\right)}\in {\mathbb{Z}}_p$ through the pairwise secure channel for $i,j\in \{1,2,\dots ,n\}$.
• After receiving $h_m^{\left(k\right)}\left(x\right)$ from ${\mathcal{P}}_k$ and $r_{1,m}^{\left(k\right)},r_{2,m}^{\left(k\right)},\dots ,r_{n,m}^{\left(k\right)}$ from the other drawing centers, each ${\mathcal{P}}_m$ computes the value $c_{m,l}=h_m^{\left(k\right)}\left(w_l\right)+r_{m,l}^{\left(k\right)}+r_{l,m}^{\left(k\right)}$ for every $l\ne m$ and broadcasts these $c_{m,l}^{\left(k\right)}$ values.
• Each ${\mathcal{P}}_m$ computes the maximum subset ${\mathcal{G}}_k\subseteq \{1,2,\dots ,n\}$ such that any ordered pair $(i,j)\in {\mathcal{G}}_k\times {\mathcal{G}}_k$ satisfies the equation $c_{i,j}^{\left(k\right)}=c_{j,i}^{\left(k\right)}$. If $|{\mathcal{G}}_k|\ge n-b$, then ${\mathcal{P}}_m$ broadcasts a bit $v^{\left(k\right)}=\mathtt{SUCC}$ and puts the value k in a list $\mathcal{L}$. Otherwise, ${\mathcal{P}}_m$ simply broadcasts $v^{\left(k\right)}=\mathtt{FAIL}$.
• If $\left|\mathcal{L}\right|\ge n-b$, then each ${\mathcal{P}}_m$ broadcasts a bit $u=\mathtt{SUCC}$ and computes her/his aggregated share as:

  $$h_m\left(x\right)=\sum _{k\in \mathcal{L}}{h}_m^{\left(k\right)}\left(x\right)$$

  Otherwise, ${\mathcal{P}}_m$ simply broadcasts $u=\mathtt{FAIL}$ and stops.
• If $u=\mathtt{SUCC}$, each ${\mathcal{P}}_m$ computes $h_m\left(0\right)$ and sends it to the other drawing centers in $\mathcal{L}$ through the pairwise secure channels.
• Finally, after receiving the $h_i\left(0\right)$ values from the other drawing centers in $\mathcal{L}$, each ${\mathcal{P}}_m$ computes the winning number $s={\sum }_{k\in \mathcal{L}}{a}_{0,0}^{\left(k\right)}$ for at least $n-2b$ of the values she/he has received. Note that this operation can be computed efficiently using the error-correction codes.

4.2. Some Discussions

In order to simplify the above description, we have assumed in Step 1 that every drawing center can access some local source of randomness, and they can choose the random symmetric bivariate polynomial, as well as the random values in ${\mathbb{Z}}_p$. However, in some real-world environments, this assumption is too strong, and it will restrict the applications of the proposed e-lottery scheme. Here, we discuss how the leftover hash lemma [30] can be used to weaken this assumption.

Definition 1 (Universal hash function).

For a keyed hash function $\mathsf{H}$ defined over $(\mathsf{K},\mathsf{M},\mathsf{T})$, where $\mathsf{K}$ is its key space, $\mathsf{M}$ is its message space, and $\mathsf{T}$ is its digest space, given an adversary $\mathcal{A}$, the attack game works as follows: the challenger first randomly selects a key $k\in \mathsf{K}$ and keeps k private and then $\mathcal{A}$ outputs two distinct messages $m_0,m_1\in \mathsf{M}$. We say that $\mathcal{A}$ wins the game if ${\mathsf{H}}_k\left(m_0\right)={\mathsf{H}}_k\left(m_1\right)$. $\mathcal{A}$’s advantage of winning the above game is denoted as ${\mathsf{Adv}}_{\mathcal{A},\mathsf{H}}^{\mathrm{UHF}}$. We say that $\mathsf{H}$ is an ϵ-bounded universal hash function (or ϵ-$\mathsf{UHF}$), if ${\mathsf{Adv}}_{\mathcal{A},\mathsf{H}}^{\mathsf{UHF}}\le ϵ$ for all adversaries $\mathcal{A}$ (even inefficient ones).

Lemma 1 (Leftover hash lemma).

Let $\mathsf{H}$ be a $(1+\alpha )/N$-$\mathsf{UNF}$ defined over $(\mathsf{K},\mathsf{M},\mathsf{T})$, where $N=\left|\mathsf{T}\right|$. Let $k,s_1,s_2,\dots ,s_m$ be mutually independent random variables, where k is randomly distributed in $\mathsf{K}$, and each $s_i$ can be guessed with probability at most γ. Let δ be the statistical difference between $(k,{\mathsf{H}}_k\left(s_1\right),{\mathsf{H}}_k\left(s_2\right),\dots ,{\mathsf{H}}_k\left(s_m\right))$ and the uniform distribution on $\mathsf{K}\times {\mathsf{T}}^m$. Then, we have:

$$\delta \le \frac{1}{2}m\sqrt{N\gamma +\alpha }$$

To see how the leftover hash lemma can be used to weaken the above assumption, suppose $m=1$ and the value s cannot be guessed with probability at most $\gamma$. Then, the leftover hash lemma says that given whatever side information $\mathsf{I}\left(s\right)$ about s, for any adversary $\mathcal{A}$ (even with unlimited computational resources), the advantage in distinguishing $(k,\mathsf{I}\left(s\right),{\mathsf{H}}_k\left(s\right))$ from $(k,\mathsf{I}(s),t)$, where t is a truly-random element of $\mathsf{T}$, is bounded by $\delta \le \sqrt{N\gamma +\alpha }/2$. In other words, if $\gamma$ are sufficiently small, the output of $\mathsf{H}$ will be indistinguishable from a truly random value. Therefore, when using the leftover hash lemma, we only need to assume that the drawing centers are able to generate some values that cannot be guessed with some small probability (e.g., passwords with enough entropy), but there is no need to assume that these values are randomly distributed in some pre-defined domain. In the following section, we still assume that every drawing center can access some local source of randomness in order to simplify the security analysis.

5. Security and Efficiency Analysis

In this section, we analyze the proposed e-lottery scheme and compare it with some existing schemes with respect to the security properties. Moreover, we analyze the computation and communication costs of generating the winning number in our proposed scheme.

5.1. Security Analysis

Theorem 1 (Correctness).

If $n\ge t+3b$ and $b<t$, the proposed e-lottery scheme will output a winning number that is randomly distributed in ${\mathbb{Z}}_p$.

Proof. 

Firstly, suppose the drawing center ${\mathcal{P}}_k$ is good in Step 1. In this case, ${\mathcal{P}}_k$ will randomly select a symmetric bivariate polynomial $f^{\left(k\right)}(x,y)$ over ${\mathbb{Z}}_p$ with degree at most $t-1$, and every other drawing center ${\mathcal{P}}_i$ will receive a univariate polynomial $h_i^{\left(k\right)}\left(x\right)=f^{\left(k\right)}(x,w_i)$ from ${\mathcal{P}}_k$. Because $f^{\left(k\right)}(x,y)$ is symmetric, we have $h_m^{\left(k\right)}\left(w_l\right)=h_l^{\left(k\right)}\left(w_m\right)$ for all good drawing centers ${\mathcal{P}}_m$ and ${\mathcal{P}}_l$. This further implies that the broadcast values $c_{m,l}=h_m^{\left(k\right)}\left(w_l\right)+r_{m,l}^{\left(k\right)}+r_{l,m}^{\left(k\right)}$ and $c_{l,m}=h_l^{\left(k\right)}\left(w_m\right)+r_{l,m}^{\left(k\right)}+r_{m,l}^{\left(k\right)}$ will match in Step 2. Hence, the good drawing centers ${\mathcal{P}}_m$ and ${\mathcal{P}}_l$ will be in the subset ${\mathcal{G}}_k$. Therefore, $v^{\left(k\right)}=\mathtt{SUCC}$ for all good drawing centers in Step 3, and k will be included in the list $\mathcal{L}$. Otherwise, if a good drawing center ${\mathcal{P}}_i$ outputs $v^{\left(k\right)}=\mathtt{FAIL}$, then the size of the maximum subset ${\mathcal{G}}_k$ is at most $n-b-1$. Thus, every good drawing center outputs $v^{\left(k\right)}=\mathtt{FAIL}$. In this case, k will not be included in the list $\mathcal{L}$.

Next, suppose there are T univariate polynomials $h_1^{\left(k\right)}\left(x\right),h_2^{\left(k\right)}\left(x\right),\dots ,h_T^{\left(k\right)}\left(x\right)$ with degree at most $t-1$, where $T>t$, and these polynomials are consistent, i.e., $h_i^{\left(k\right)}\left(w_j\right)=h_j^{\left(k\right)}\left(w_i\right)$ for all $i,j\in \{1,2,\dots ,T\}$. Then, there exists a univariate polynomial $h^{\left(k\right)}\left(x\right)$ with degree at most $t-1$ such that $h^{\left(k\right)}\left(w_i\right)=h_i^{\left(k\right)}\left(0\right)$ for all $i\in \{1,2,\dots ,T\}$, and any t of the values $h_i^{\left(k\right)}\left(0\right)$ can determine the value $h^{\left(k\right)}\left(0\right)=a_{0,0}^{\left(k\right)}$ without ambiguity. To see this, suppose $\mathcal{I}$ and $\mathcal{J}$ are two different t-subsets of $\{1,2,\dots ,T\}$. The univariate polynomial $h_{\mathcal{I}}^{\left(k\right)}\left(x\right)$ can be computed such that $h_{\mathcal{I}}^{\left(k\right)}\left(w_i\right)=h_i^{\left(k\right)}\left(0\right)$ for all $i\in \mathcal{I}$. In particular, $h_{\mathcal{I}}^{\left(k\right)}\left(0\right)$ can be computed using the Lagrange interpolation as $h_{\mathcal{I}}^{\left(k\right)}\left(0\right)={\sum }_{i\in \mathcal{I}}{h}_i^{\left(k\right)}\left(0\right)·{\mathcal{L}}_i$, where ${\mathcal{L}}_i$ is the Lagrange coefficient. Note that similar properties also hold for the set $\mathcal{J}$. Moreover, the equation $h_{\mathcal{I}}^{\left(k\right)}\left(0\right)=h_{\mathcal{J}}^{\left(k\right)}\left(0\right)$ always holds because:

$$\begin{array}{ccc}{h}_{\mathcal{I}}^{\left(k\right)}\left(0\right)\hfill & =& \sum _{i\in \mathcal{I}}{h}_i^{\left(k\right)}\left(0\right)·{\mathcal{L}}_i\hfill \\ \hfill & =& \sum _{i\in \mathcal{I}}(\sum _{j\in \mathcal{J}}{h}_i^{\left(k\right)}\left(w_j\right)·{\mathcal{L}}_j)·{\mathcal{L}}_i\hfill \\ \hfill & =& \sum _{j\in \mathcal{J}}(\sum _{i\in \mathcal{I}}{h}_j^{\left(k\right)}\left(w_i\right)·{\mathcal{L}}_i)·{\mathcal{L}}_j\hfill \\ \hfill & =& \sum _{j\in \mathcal{J}}{h}_j^{\left(k\right)}\left(0\right)·{\mathcal{L}}_j\hfill \\ \hfill & =& h_{\mathcal{J}}^{\left(k\right)}\left(0\right)\hfill \end{array}$$

Furthermore, suppose at least $n-b$ drawing centers output $v^{\left(k\right)}=\mathtt{SUCC}$. Then, we have $|{\mathcal{G}}_k|>n-b$. Because it is assumed that there are at most b bad drawing centers, there must exist more than $n-2b$ good ones in ${\mathcal{G}}_k$, and these good drawing centers ${\mathcal{P}}_i$ have consistent shares $h_i^{\left(k\right)}\left(x\right)$. Using the error correction codes, $h^{\left(k\right)}\left(0\right)=a_{0,0}^{\left(k\right)}$ can always be efficiently recovered by interpolating the $h_i^{\left(k\right)}\left(0\right)$ values. Similarly, thanks to the homomorphic property of secret sharing schemes, the interpolation of the values $h_i\left(0\right)$ (where $h_i\left(x\right)={\sum }_{k\in \mathcal{L}}{h}_i^{\left(k\right)}\left(x\right)$ is the aggregated share) using the error correction codes can recover the winning number $s={\sum }_{k\in \mathcal{L}}{h}^{\left(k\right)}\left(0\right)={\sum }_{k\in \mathcal{L}}{a}_{0,0}^{\left(k\right)}$. If there exists at least one good drawing center in $\mathcal{L}$, the winning number s will be randomly distributed in ${\mathbb{Z}}_p$. In summary, based on the assumption that $b<n/4$, our proposed scheme satisfies the correctness property. □

Theorem 2 (Unpredictability).

If $b<t$, the adversary $\mathcal{A}$ controlling at most b of the drawing centers cannot guess the winning number with probability better than $1/p$ before it is announced in the drawing phase.

Proof. 

We first assume that the symmetric bivariate polynomial $f(x,y)={\sum }_{i=0}^{t-1}{\sum }_{j=0}^{t-1}{a}_{i,j}{x}^i{y}^j$ over ${\mathbb{Z}}_p$ is generated by a trusted dealer $\mathcal{D}$, and each drawing center ${\mathcal{P}}_i$ for $i=1,2,\dots ,n$ receives the univariate polynomial $h_i\left(x\right)=f(x,w_i)$. We show that the adversary $\mathcal{A}$ who controls at most $t-1$ drawing centers cannot recover the polynomial $f(x,y)$ because its threshold is t. To see this, $f(x,y)$ has $t^2$ coefficients, and since $a_{i,j}=a_{j,i}$ for all $i,j\in \{1,2,\dots ,n\}$, $f(x,y)$ has $t^2/2$ different coefficients. Each drawing center ${\mathcal{P}}_i$ can evaluate her/his univariate polynomial $h_i\left(x\right)$ at t independent points. Therefore, ${\mathcal{P}}_1$ can obtain t independent equations. Although ${\mathcal{P}}_2$ also can obtain t equations, one of the equations is the same as ${\mathcal{P}}_1$’s equations; hence, ${\mathcal{P}}_2$ can obtain $t-1$ independent equations. Similarly, ${\mathcal{P}}_3$ can obtain $t-2$ independent equations, and so on. To solve the system of equations with $t^2/2$ unknowns, $t^2/2$ independent equations are needed. t shareholders can obtain $(t+1)t/2$ equations, which is enough, but $t-1$ shareholders can obtain $t(t-1)/2$ equations, which is not enough. Moreover, we show that $\mathcal{A}$ cannot predict the value $a_{0,0}$ with probability better than $1/p$. Note that each pair of drawing centers ${\mathcal{P}}_i$ and ${\mathcal{P}}_j$ can establish a pairwise key without interaction as $k_{i,j}=h_i\left(w_j\right)=h_j\left(w_i\right)=k_{j,i}$. Denote $\mathsf{H}$ as a $n\times t$ Vandermonde matrix that is publicly known and $\mathsf{D}$ as a $t\times t$ private matrix representing the coefficients of $f(x,y)$, and $\mathsf{K}$ is a $n\times n$ matrix representing the pairwise keys:

$$\mathsf{H}=\left[\begin{array}{ccccc}1& w_1& w_1^2& \dots & w_1^{t-1}\\ 1& w_2& w_2^2& \dots & w_2^{t-1}\\ \dots & \dots & \dots & \dots & \dots \\ 1& w_n& w_n^2& \dots & w_n^{t-1}\end{array}\right]\mathsf{D}=\left[\begin{array}{cccc}{a}_{0,0}& a_{1,0}& \dots & a_{t-1,0}\\ a_{0,1}& a_{1,1}& \dots & a_{t-1,1}\\ \dots & \dots & \dots & \dots \\ a_{0,t-1}& a_{1,t-1}& \dots & a_{t-1,t-1}\end{array}\right]$$

$$\mathsf{K}=\left[\begin{array}{cccc}{k}_{1,1}& k_{1,2}& \dots & k_{1,n}\\ k_{2,1}& k_{2,2}& \dots & k_{2,n}\\ \dots & \dots & \dots & \dots \\ k_{n,1}& k_{n,2}& \dots & k_{n,n}\end{array}\right]$$

We have $\mathsf{K}=\mathsf{H}·{(\mathsf{H}·\mathsf{D})}^T$, and ${\mathcal{P}}_i$’s univariate polynomial $h_i\left(x\right)$ is the $i^{\mathrm{th}}$ column in the matrix ${(\mathsf{H}·\mathsf{D})}^T$. Without loss of generality, we assume that $\mathcal{A}$ controls the drawing centers $\{{\mathcal{P}}_1,{\mathcal{P}}_2,\dots ,{\mathcal{P}}_{t-1}\}$. Hence, $\mathcal{A}$ learns the first $t-1$ rows, as well as the first $t-1$ columns of $\mathsf{K}$, because $\mathsf{K}$ is symmetric. However, $\mathcal{A}$ cannot learn the value $k_{t,t}$. For every possible value $k_{t,t}\in {\mathbb{Z}}_p$, not only the entire matrix $\mathsf{K}$ can be determined since the rank of $\mathsf{K}$ is t, but also one can use the relationship $\mathsf{D}={\mathsf{H}}^{-1}·{({\mathsf{H}}^{-1}·\mathsf{K})}^T$ to construct a symmetric bivariate polynomial $f^{\prime }(x,y)={\sum }_{i=0}^{t-1}{\sum }_{j=0}^{t-1}{b}_{i,j}{x}^i{y}^j$, such that $b_{i,j}=b_{j,i}$ for all $i,j\in \{0,1,\dots ,t-1\}$ and $f^{\prime }(x,w_k)=h_k\left(x\right)$ for $k=1,2,\dots ,t-1$. Moreover, each different value $k_{t,t}$ maps to a unique value $b_{0,0}$. Therefore, this proves that if $\mathcal{D}$ is honest, $\mathcal{A}$ cannot guess the value $a_{0,0}$ with probability better than $1/p$.

In our proposed e-lottery scheme, each drawing center serves as the dealer to execute the above dealing phase once, and all these dealing phases are executed independently. Hence, if the drawing center ${\mathcal{P}}_k$ is good, $\mathcal{A}$ cannot guess the value $a_{0,0}^{\left(k\right)}$ with probability better than $1/p$. Moreover, the winning number is $s={\sum }_{k\in \mathcal{L}}{a}_{0,0}^{\left(k\right)}$, where $\mathcal{L}$ contains more than $n-2b$ good drawing centers. Therefore, $\mathcal{A}$ cannot guess the winning number s with probability better than $1/p$, and this finishes the proof for the unpredictable property. □

Theorem 3 (Verifiability).

In the proposed e-lottery scheme, it can be verified that the winning number is generated according to the public procedure.

Proof. 

In the proposed e-lottery scheme, each drawing center first serves as the dealer to share a symmetric bivariate polynomial among all drawing centers, and then, these drawing centers work together to recover the wining number through polynomial interpolation. In the first phase, the drawing centers can verify whether their received univariate polynomials are consistent by checking whether the broadcast values $c_{i,j}=c_{j,i}$ for all $i,j\in \{1,2,\dots ,n\}$. The following two properties are employed in this process: (1) if the dealer follows the protocol, all good drawing centers will output the bit $\mathtt{SUCC}$; (2) if one good drawing center outputs the bit $\mathtt{FAIL}$, all good drawing centers will output the same bit, and the dealer has violated the protocol. In the second phase, given that there are more than $n-b$ drawing centers in $\mathcal{L}$, the winning number always can be efficiently recovered using the error correction codes. This is because more than $2/3$ of the drawing centers in $\mathcal{L}$ are good. Moreover, once the winning number is recovered, the bad drawing centers in $\mathcal{L}$ can be identified, i.e., the winning number can be interpolated by the set that only contains good drawing centers, but it cannot be interpolated by the set that contains some bad ones. Therefore, it can be verified that the winning number is generated according to the public procedure. □

Theorem 4 (Robustness).

The proposed e-lottery scheme employs neither TTP nor the delay function, and the winning number is generated in a distributed fashion.

Proof. 

The proof is obvious. Note that because neither TTP nor the delay function has been used in the proposed e-lottery scheme, the danger of a single point of failure is minimized. □

5.2. Comparison with Some Existing Works

Table 1. Comparison with some existing works IT, information theoretical.

	Correctness	Unpredictability	Verifiability	Robustness	IT Security
Goldschlag’s scheme [2]	Yes	Yes	Yes	No	No
Kushilevitz’s scheme [4]	Yes	Yes	Yes	No	No
Fouque’s scheme [11]	Yes	Yes	Yes	Yes	No
Zhou’s scheme [5]	Yes	Yes	Yes	No	No
Lee’s scheme [13]	Yes	Yes	No	No	No
Liu’s scheme [15]	Yes	Yes	Yes	Yes	No
Our proposed scheme	Yes	Yes	Yes	Yes	Yes

summarizes the comparison of our proposed e-lottery scheme with some existing schemes in the literature regarding the security properties (the abbreviation “IT security” stands for information theoretical security). To the best of our knowledge, our proposed scheme is the first e-lottery scheme that achieves information theoretical security.

5.3. Efficiency Analysis

In Step 1, each drawing center ${\mathcal{P}}_k$ serves as the dealer to select a random symmetric bivariate polynomial $f^{\left(k\right)}(x,y)={\sum }_{i=0}^{t-1}{\sum }_{j=0}^{t-1}{a}_{i,j}^{\left(k\right)}{x}^i{y}^j$ over ${\mathbb{Z}}_p$. There are in total $t^2$ coefficients in $f^{\left(k\right)}(x,y)$, but since $a_{i,j}^{\left(k\right)}=a_{j,i}^{\left(k\right)}$ for all $i,j\in \{0,1,\dots ,t-1\}$, only $t^2/2$ coefficients need to be selected in ${\mathbb{Z}}_p$. Furthermore, ${\mathcal{P}}_k$ needs to evaluate $f^{\left(k\right)}(x,w_l)$, where $l\in \{1,2,\dots ,n\}\setminus k$. The evaluation needs to perform $n-1$ times, and each evaluation requires t multiplications and $t^2$ additions using Horner’s algorithm. Therefore, the total computational cost in this step is $t(n-1)$ multiplications and $t^2(n-1)$ additions in ${\mathbb{Z}}_p$. Moreover, ${\mathcal{P}}_k$ sends the univariate polynomial $h_l^{\left(k\right)}\left(x\right)=f^{\left(k\right)}(x,w_l)$ over ${\mathbb{Z}}_p$ to each other drawing center. The communication cost in this step is $(n-1)t·\left|p\right|$ bits. In Step 2, each drawing center ${\mathcal{P}}_k$ has n univariate polynomials over ${\mathbb{Z}}_p$ (one generated by herself/himself and $n-1$ received from the other drawing centers). For each of these univariate polynomial, ${\mathcal{P}}_k$ evaluates it $n-1$ times. Using Horner’s algorithm, each evaluation takes t multiplications and t additions. Therefore, the total computational cost in this step is $(n^2-n)t$ multiplications and $(n^2-n)t$ additions in ${\mathbb{Z}}_p$. Moreover, each drawing center ${\mathcal{P}}_k$ broadcasts $n^2-n$ values in ${\mathbb{Z}}_p$. Hence, the communication cost in this step is $(n^2-n)·\left|p\right|$ bits. In Step 3, each drawing center ${\mathcal{P}}_k$ compares $(n^2-n)/2$ pairs of values in ${\mathbb{Z}}_p$ and broadcasts n bits. In Step 4, each ${\mathcal{P}}_k$ performs at most $tn$ additions in ${\mathbb{Z}}_p$ and broadcasts 1 bit. In Step 5, each ${\mathcal{P}}_k$ sends a value in ${\mathbb{Z}}_p$ to all other drawing centers. The communication cost in this step is $(n-1)·\left|p\right|$ bits. In Step 6, each ${\mathcal{P}}_k$ recovers the winning number using the error correction codes.

Our proposed e-lottery scheme is very efficient for use in real-world applications because of the following two reasons. Firstly, in our scheme, the modular p can be set as 128 bits or 256 bits; while in many existing works that use public key cryptosystems, this modular needs to be set as several thousand bits in order to achieve the same security level. Secondly, most of the computations in our scheme are modular multiplications and modular additions, and they are much more efficient compared with the modular exponentiations that are required in many existing works. To illustrate this, suppose the security level is set as 128 bits in some application. In other words, the adversary with unlimited computational resources cannot predict the winning number with probability better than $1/2^{128}$. Moreover, suppose $n=9$ and $t=3$ so that $t-1<n/4$ is satisfied. Using these system parameters, in Step 1, the computational cost for each drawing center is 24 multiplications and 72 additions in ${\mathbb{Z}}_p$, where the modular p is a 128-bit prime, and the communication cost is 3072 bits. In Step 2, each drawing center needs to compute 216 multiplications and additions in ${\mathbb{Z}}_p$, and she/he needs to sends 9216 bits to the other drawing centers. In Step 3, each drawing center needs to compare 36 pairs of values in ${\mathbb{Z}}_p$ and broadcasts nine bits. In Step 4, each drawing center performs 27 additions in ${\mathbb{Z}}_p$ and broadcasts 1 bit. In Step 5, the communication cost is 1024 bit. To achieve the same security level, Liu’s scheme [15] needs to use a subgroup with order q, where q is a 256-bit prime, and the modular $p^{\prime }$ needs to be set as a 3072-bit prime according to the NIST recommendations. Each drawing center needs to perform nine full modular exponentiations in ${\mathbb{Z}}_{p^{\prime }}$. Using the square-and-multiply algorithm, these modular exponentiations cost roughly 3456 multiplications in ${\mathbb{Z}}_{p^{\prime }}$. Recall that $p^{\prime }$ is much larger than p; our proposed method therefore has computational advantages over Liu’s scheme. Regarding the communication complexity, in Liu’s scheme, each drawing center needs to broadcast a 3072-bit value and sends 2048-bit values to the other drawing centers. Although our proposed scheme is less efficient in communication costs, it is still acceptable for real-world applications. Moreover, our proposed scheme does not rely on any computational assumption, and this is a property that is not enjoyed in Liu’s scheme.

We have to note that the degree t of the polynomial will affect both the security and efficiency of our proposed scheme. In one aspect, the degree of the polynomial defines the maximum allowed drawing centers controlled by the adversary. Hence, the polynomial with a higher degree can be used to design a scheme with better security. In another aspect, the polynomial with a higher degree will increase the computational costs of the proposed scheme. Therefore, this parameter needs to be selected carefully based on specific requirements.

6. Conclusions

In this paper, we have introduced an e-lottery scheme with the desirable security properties. In particular, the winning number is generated by a number of drawing centers in a distributed fashion, and this procedure can be verified. Before the winning number is announced, it cannot be guessed with a probability better than a pre-defined small value. These properties ensure that the scheme is transparent and every player will have a fair chance to win the prize. Moreover, these properties are guaranteed without relying on computational assumptions. To the best of our knowledge, our scheme is the first e-lottery scheme that satisfies information theoretical security.