Distrib. Random Process for a large-scale P2P Lottery
Robert Riemann with supervision of Stéphane Grumbach
image: DPA
Lottery Business
Security of the Lottery
To ensure fair-play and trust of the players:
- strict legal regulations (State Lottery only)
- technical procedure, the Lottery protocol
The Lottery Protocol shall provide legitimacy for the lottery outcome.
Lottery Protocol Properties
- Correctness of the Random Process
- Verifiability of the Random Process
- Privacy of the Player
- Eligibility of the Ticket
- Confidentiality of the Number
- Completeness of the Reward
A Secure Lottery
- players buy tickets from Authority in person
- player verify random nature of drawing setup
- winning tickets are drawn from urn under public supervision of all players
- all other tickets are drawn to convince the loosers of the correctness
- random process cannot be repeated
NOT CONVENIENT
NOT SCALABLE
Recent Lottery History
- pre-emptive ticket sale at public retail stores
- few individuals supervise random process &
majority learns result from public live broadcast - online ticket sale requiring authentication
- live internet show (Youtube) instead of Radio/TV
- Lotto numbers generated automatically online
Der Aufsichtsbeamte hat sich vor dieser Sendung von dem ordnungsgemäßen Zustand des Ziehungsgerätes und der 49 Kugeln überzeugt.
Für mich macht es keinen Unterschied ob die Ausstrahlung im Internet oder im TV erfolgt.
The public servant convinced himself before this emission of the proper state of the drawing apparatus and the 49 balls.
For me, it does not make a difference if the emission is broadcasted in the internet or on TV.
Encountered Issues
- correctness not verifiable (trust assumed),
- no privacy of the player
- no confidentiality of the number
- completeness of reward not verifiable
- not robust (single point of failure)
Promises of Distributed Random Process
- balance of power (equipotent players)
- no single point of failure
- interruption-resistant
- balance of trust (no lottery officials)
Naive P2P Lottery
- n players choose number
- each player reveals number on Public Bulletin Board
- players compute sum mod n to find winner
Properties:
- verifiable, complete
- not scalable
- not correct (last player determines winner)
- not robust (last player may not reveal)
(one winner out of n peers)
Less Naive P2P Lottery
- n players choose number
- each player commits publicly on number,
e.g. posts hash(number) on Public Bulletin Board - only afterwards, all players reveal their numbers
- players compute sum mod n to find winner
Properties:
- correct, verifiable, confidential, complete
- not scalable, not robust (last player may not reveal)
(one winner out of n peers)
P2P Lottery based on Aggregation ADVOKAT
Concepts
Tree Overlay
(Peers = Leafs)
Merkle
Tree
Aggregation Algorithm
ADVOKAT provides Confidential Commitment on
sort of Distributed Public Bulletin Board
Tree Overlay Network
based on the Kademlia DHT
Maymounkov, P., & Mazieres, D. (2002). Kademlia: A peer-to-peer information system based on the xor metric
Tree for:
- finding peers
- guiding aggregation
Kademlia used in:
- BitTorrent
- IPFS file system
- Storj cloud storage
peer
Merkle Tree
Aggregation Algorithm
- peers connect (with a Tracker) to the DHT with KID
- peers update their k-Buckets with peers in sibling subtrees
- peers request aggregates (here: hashes) of sibling subtrees
to compute aggregate (here: hash) of common parent node
P2P Lottery Protocol
- Ticket Purchase
- Each player generates key pair and picks any
- Each players acquires signature on of Authority
- Player joins ADVOKAT aggregation with
- Distributed Random Process
- Peers compute jointly Merkle Root of all
- Winner Identification
- Authority learns by sampling
- Winners from list ordered by
(version reduced to core concepts)
Protocol Properties
- correct: no peeking
- verifiable: players contribute to randomness
- complete: player number verifiable with aggregation
- eligibility: signatures and matching total number
- confidentiality: player number protected by hash
- privacy: player identities only revealed to authority
- scalable: message complexity per peer
Assumption: honest majority of players
Questions?
Contact: http://riemann.cc/about
Backup
Robust Aggregation I
Eligibility:
- peers create key pair
- authorization token (signature on )
- KID hence determined by peer and authority
Verifiability:
- Merkle Tree of hashes ensures immutability of descendant hashes
Robust Aggregation II
Correctness and Completeness (probabilistic):
- signatures on computed hashes express consensus
- redundantant requests; find majority consens
- ban of Byzantine peers signing conflicting hashes
Protocol Outlook
Efficiency
- dynamically adapt №
of confirmations to
tree configuration
Dishonest Peers
Colluding
- analyse limits of
potential manipulations
Applications
- distributed lottery
- distributed auction
Peer Churn
- deal with peers arriving late
- deal with peers leaving early
✓
IFIP DAIS 2017: Distributed Random Process for a large-scale Peer-to-Peer Lottery
By Robert Riemann
IFIP DAIS 2017: Distributed Random Process for a large-scale Peer-to-Peer Lottery
presentation of the conference paper: Riemann, R., & Grumbach, S. (2017). Distributed Random Process for a large-scale Peer-to-Peer Lottery. In Proc. of 17th IFIP Distributed Applications and Interoperable Systems. Neuchâtel: Springer. http://dx.doi.org/10.1007/978-3-319-59665-5_3
- 1,845