Distrib. Random Process for a large-scale P2P Lottery

Robert Riemann with supervision of Stéphane Grumbach

image: DPA

Lottery Business

Security of the Lottery

To ensure fair-play and trust of the players:

  • strict legal regulations (State Lottery only)
  • technical procedure, the Lottery protocol
The Lottery Protocol shall provide legitimacy for the lottery outcome.

Lottery Protocol Properties

  • Correctness of the Random Process
  • Verifiability of the Random Process
  • Privacy of the Player
  • Eligibility of the Ticket
  • Confidentiality of the Number
  • Completeness of the Reward

A Secure Lottery

  • players buy tickets from Authority in person
  • player verify random nature of drawing setup
  • winning tickets are drawn from urn under public supervision of all players
  • all other tickets are drawn to convince the loosers of the correctness
  • random process cannot be repeated


Recent Lottery History

  • pre-emptive ticket sale at public retail stores
  • few individuals supervise random process &
    majority learns result from public live broadcast
  • online ticket sale requiring authentication
  • live internet show (Youtube) instead of Radio/TV
  • Lotto numbers generated automatically online

Der Aufsichtsbeamte hat sich vor dieser Sendung von dem ordnungsgemäßen Zustand des Ziehungsgerätes und der 49 Kugeln überzeugt.

Für mich macht es keinen Unterschied ob die Ausstrahlung im Internet oder im TV erfolgt.

The public servant convinced himself before this emission of the proper state of the drawing apparatus and the 49 balls.

For me, it does not make a difference if the emission is broadcasted in the internet or on TV.

Encountered Issues

  • correctness not verifiable (trust assumed),
  • no privacy of the player
  • no confidentiality of the number
  • completeness of reward not verifiable
  • not robust (single point of failure)

Promises of Distributed Random Process

  • balance of power (equipotent players)
    • no single point of failure
    • interruption-resistant
  • balance of trust (no lottery officials)

Naive P2P Lottery

  • n players choose number 
  • each player reveals number on Public Bulletin Board
  • players compute sum mod n to find winner


  • verifiable, complete
  • not scalable
  • not correct (last player determines winner)
  • not robust (last player may not reveal)

(one winner out of n peers)

Less Naive P2P Lottery

  • n players choose number 
  • each player commits publicly on number,
    e.g. posts hash(number) on Public Bulletin Board
  • only afterwards, all players reveal their numbers
  • players compute sum mod n to find winner


  • correct, verifiable, confidential, complete
  • not scalable, not robust (last player may not reveal)

(one winner out of n peers)

P2P Lottery based on Aggregation ADVOKAT


Tree Overlay
(Peers = Leafs)


Aggregation Algorithm

ADVOKAT provides Confidential Commitment on
sort of Distributed Public Bulletin Board

Tree Overlay Network

based on the Kademlia DHT


Tree for:

  • finding peers
  • guiding aggregation

Kademlia used in:


Merkle Tree

Aggregation Algorithm

  1. peers connect (with a Tracker) to the DHT with KID
  2. peers update their k-Buckets with peers in sibling subtrees
  3. peers request aggregates (here: hashes) of sibling subtrees
    to compute aggregate (here: hash) of common parent node

P2P Lottery Protocol

  1. Ticket Purchase
    1. Each player generates key pair                    and picks any
    2. Each players acquires signature     on        of Authority
    3. Player joins ADVOKAT aggregation with 
  2. Distributed Random Process
    1. Peers compute jointly Merkle Root        of all  
  3. Winner Identification
    1. Authority learns       by sampling
    2. Winners from list ordered by                     
x_i = \text{hash}(t_i)
xi=hash(ti)x_i = \text{hash}(t_i)

(version reduced to core concepts)

a_i = \text{hash}(r_i)
ai=hash(ri)a_i = \text{hash}(r_i)
x_i \texttt{ XOR } a_R
xi XOR aRx_i \texttt{ XOR } a_R

Protocol Properties

  • correct: no peeking
  • verifiable: players contribute to randomness
  • complete: player number verifiable with aggregation
  • eligibility: signatures and matching total number
  • confidentiality: player number protected by hash
  • privacy: player identities only revealed to authority
  • scalable: message complexity per peer 

Assumption: honest majority of players

\mathcal{O}(\log n)
O(logn)\mathcal{O}(\log n)



Robust Aggregation I


  • peers create key pair
  • authorization token       (signature on        )
  • KID                           hence determined by peer and authority


  • Merkle Tree of hashes ensures immutability of descendant hashes
x_i = \text{sha3}(t_i)
xi=sha3(ti)x_i = \text{sha3}(t_i)

Robust Aggregation II

Correctness and Completeness (probabilistic):

  • signatures on computed hashes express consensus
  • redundantant requests; find majority consens
  • ban of Byzantine peers signing conflicting hashes

Protocol Outlook


  • dynamically adapt №
    of confirmations to
    tree configuration

Dishonest Peers


  • analyse limits of
    potential manipulations 


  • distributed lottery
  • distributed auction

Peer Churn

  • deal with peers arriving late
  • deal with peers leaving early

IFIP DAIS 2017: Distributed Random Process for a large-scale Peer-to-Peer Lottery

By Robert Riemann

IFIP DAIS 2017: Distributed Random Process for a large-scale Peer-to-Peer Lottery

presentation of the conference paper: Riemann, R., & Grumbach, S. (2017). Distributed Random Process for a large-scale Peer-to-Peer Lottery. In Proc. of 17th IFIP Distributed Applications and Interoperable Systems. Neuchâtel: Springer. http://dx.doi.org/10.1007/978-3-319-59665-5_3

  • 1,183