Lottery Protocol Using Oblivious Transfer Based on ECC


Yining Liu¹, Gao Liu¹, Chin-Chen Chang²
¹ Guangxi Key Laboratory of Trusted Software, Guilin University of Electronic Technology, China
² Department of Information Engineering and Computer Science, Feng Chia University, Taiwan
{ynliu2011, gaoliu9865, alan3c}@gmail.com

Abstract

In 2014, a (t, n) electronic lottery protocol was proposed to achieve a series of functional properties including correctness, fairness, randomness, traceability, unforgeability, robustness, practicability and efficiency. However, a weakness that destroys the fairness and randomness is often ignored: if at least t + 1 players collude, they can control the generation of a specific winning result to obtain the prize. Using the oblivious transfer based on elliptic curve cryptography (ECC), this paper presents an improved lottery protocol, which not only inherits the previous merits, but also resists the collusion attack from the participants, so that the fairness and the randomness are really achieved. Furthermore, the improved protocol is more efficient than the previous version due to the features of ECC.

Keywords: Electronic lottery, Oblivious transfer, Elliptic curve cryptography.

1 Introduction

Lotteries are often launched to raise funds for certain charities [1]. With the explosive development of network technologies and the adoption of smart phones, the electronic lottery (e-lottery) has developed rapidly and attracts more and more players to join the game. However, the data transmitted over a public channel might leak the privacy of the player and be forged. Therefore, an e-lottery protocol should satisfy basic privacy and data integrity [2-4]. Due to the nature of the e-lottery, more and more security requirements are necessary, such as fairness, traceability, etc. Moreover, the resources of mobile devices are constrained, and thus the algorithms running on them should be lightweight.

A hash chain is usually employed for the verification of the fairness and the randomness in [5-7], but the verification needs other players' cooperation. A (t, n) e-lottery protocol [8] was proposed by Lee and Chang in 2009. However, Lee-Chang's protocol cannot achieve the fairness and randomness exactly, since the lottery issuer (LI) and the player purchasing last can collude to generate a specific winning result. In order to overcome this flaw, Liu et al. presented an improved protocol [9] using the verifiable random number (VRN), which not only inherits the merits of Lee-Chang's protocol, but also achieves enhanced fairness and randomness. However, in [10], the assumption that the pre-defined domain should be small is demonstrated, which restricts the practicability of Lee-Chang's protocol and Liu et al.'s improved protocol.

In 2014, Chen et al. proposed a novel joint e-lottery protocol [11] by using the multi-signature [12-13] and VRN, which allows the players to purchase jointly to enhance the probability of winning, and achieves the requirements of a general e-lottery protocol. However, the offline trusted third party, which generates the private keys and distributes them to all participants, might create a trust bottleneck, so the robustness cannot be achieved well.

Based on VRN and Mu et al.'s (t, n) oblivious transfer (OT) protocol [14], a practical (t, n) e-lottery protocol [15] was proposed in 2014. However, there exists a flaw: at least t + 1 players can collusively generate the designated winning result to obtain the prize. To solve the problem, an efficient (t, n) e-lottery protocol is proposed with Lou-Huang's OT protocol [16] based on ECC [17-18], which not only prevents at least t + 1 players from controlling the generation of the result, but also is more efficient.

The rest of this paper is organized as follows. The preliminaries about Lou-Huang's OT protocol based on ECC are given in Section 2. The protocol of [15] and its flaw analysis are outlined in Section 3. In Section 4, an improved (t, n) e-lottery protocol is presented. Afterwards, the analysis of the proposed protocol is given in Section 5. Finally, the conclusion is drawn in Section 6.

*Corresponding author: Chin-Chen Chang; E-mail: [email protected] DOI: 10.6138/JIT.2017.18.2.20150909

Journal of Internet Technology Volume 18 (2017) No.2

2 Preliminaries

• Elliptic Curve Discrete Logarithm (ECDL) Problem
Given a point cyclic group $G = \langle P \rangle$ over elliptic curve $E_q$ with order $e$, and $Q \in G$, it is impossible to extract $a$ from $Q = aP$.

• Elliptic Curve Diffie-Hellman (ECDH) Problem
Given $aP$ and $bP$ over $E_q$, it is infeasible in the polynomial time to obtain

Based on the ECDL problem and the ECDH problem over $E_q$, Lou and Huang proposed an efficient (t, n) oblivious transfer protocol [16], in which the sender holds n secrets $M_1, M_2, \ldots, M_n$ and sends t of them to the receiver according to the receiver's selections. Moreover, the sender does not learn which t secrets have been received by the receiver (denoted as receiving ambiguity), and the receiver only obtains the exact t secrets from the sender (denoted as sending privacy). The general process is described as follows. The sender randomly chooses n points $P_1, P_2, \ldots, P_n \in G$ and publishes $E_q, P_1, P_2, \ldots, P_n, e$.

(1) The receiver selects t secrets $s_1, s_2, \ldots, s_t \in Z_e^*$ randomly and computes t points $Q_1 = s_1 P_{r_1}, Q_2 = s_2 P_{r_2}, \ldots, Q_t = s_t P_{r_t}$ over $E_q$, where $P_{r_1}, P_{r_2}, \ldots, P_{r_t} \in \{P_1, P_2, \ldots, P_n\}$ are selected by the receiver. Then, the receiver sends $\{Q_1, Q_2, \ldots, Q_t\}$ to the sender.

(2) With the received $\{Q_1, Q_2, \ldots, Q_t\}$, the sender chooses a random secret $d$ (it is noted that $d$ shouldn't be reused for the sending privacy), and computes $Z_i = (Z_{ix}, Z_{iy}) = dP_i$, $c_i = Z_{ix} + M_i$, $i = 1, 2, \ldots, n$ and $W_i = dQ_i$, $i = 1, 2, \ldots, t$. Then, the sender transmits $\{W_1, W_2, \ldots, W_t\}$ and $\{c_1, c_2, \ldots, c_n\}$ to the receiver.

(3) After receiving $\{W_1, W_2, \ldots, W_t\}$ and $\{c_1, c_2, \ldots, c_n\}$, the receiver derives t points by computing $Z_{r_1} = s_1^{-1} W_1, Z_{r_2} = s_2^{-1} W_2, \ldots, Z_{r_t} = s_t^{-1} W_t$ over $E_q$, where $Z_{r_j} \in \{Z_1, Z_2, \ldots, Z_n\}$ for $j = 1, 2, \ldots, t$. Subsequently, the receiver extracts the t messages $M_{r_1} = c_{r_1} - Z_{r_1 x}, M_{r_2} = c_{r_2} - Z_{r_2 x}, \ldots, M_{r_t} = c_{r_t} - Z_{r_t x}$, where $M_{r_1}, M_{r_2}, \ldots, M_{r_t} \in \{M_1, M_2, \ldots, M_n\}$.

3 Liu et al.'s E-Lottery Protocol

3.1 Review of Liu et al.'s E-Lottery Protocol

In Liu et al.'s e-lottery protocol [15], Alice selects t favorites from n numbers. Moreover, all the operations are manipulated over GF(p), where p is a large prime number. Suppose g is a generator of GF(p) with order q, which satisfies q = p – 1, and H(x) is a one-way hash function.

• Initialization Phase
LI chooses $x_1, x_2, \ldots, x_n$ and a secret $S$ randomly, and publishes $(1, x_1), (2, x_2), \ldots, (n, x_n)$.

• Purchase Phase
Alice buys the l-th ticket as follows:

(1) Alice chooses t pairs $(i_1, x_{i_1}), (i_2, x_{i_2}), \ldots, (i_t, x_{i_t})$ from $(1, x_1), (2, x_2), \ldots, (n, x_n)$, selects t random numbers $s_{i_1}, s_{i_2}, \ldots, s_{i_t}$, then computes $y_j = g^{s_j}$, $j = i_1, i_2, \ldots, i_t$ and $h_l = H(s_{i_1} \| s_{i_2} \| \cdots \| s_{i_t})$. Alice generates the polynomial $f(x) = c_0 + c_1 x + \cdots + c_{t-1} x^{t-1}$ passing through $(x_{i_1}, y_{i_1}), (x_{i_2}, y_{i_2}), \ldots, (x_{i_t}, y_{i_t})$ and computes $y_j = f(x_j)$, $j \in \{1, 2, \ldots, n\} \setminus \{i_1, i_2, \ldots, i_t\}$. Then Alice transmits $(x_1, y_1), (x_2, y_2), \ldots, (x_n, y_n)$ to LI.

(2) After receiving $(x_1, y_1), (x_2, y_2), \ldots, (x_n, y_n)$, LI constructs $f(x)$ with any t points, and verifies $f(x)$ by using the other (n – t) points. If all hold, LI stores the received message for the verification in the Claim Phase. LI constructs the l-th ticket $LT_l = l \| (\beta_1, \gamma_1) \| (\beta_2, \gamma_2) \| \cdots \| (\beta_n, \gamma_n)$ for Alice by computing

$$\beta_i = g^{r_i}, \qquad M_i = H(i \| l \| S), \qquad \gamma_i = M_i\, y_i^{r_i}, \tag{1}$$

where $i = 1, 2, \ldots, n$, and $r_1, r_2, \ldots, r_n$ are random numbers chosen by LI.

(3) With the received $LT_l$, Alice can derive the receipt consisting of $M_j = \gamma_j / \beta_j^{s_j}$, $j \in \{i_1, i_2, \ldots, i_t\}$.

• Drawing Phase
Assume m tickets were sold, and LI generates the winning result as follows:

(1) LI firstly publishes $H(S)$; subsequently, all players publish $(1, h_1), (2, h_2), \ldots, (m, h_m)$.

(2) LI generates $A(x) = a_0 + a_1 x + \cdots + a_m x^m$ passing through $(1, h_1), (2, h_2), \ldots, (m + 1, h_{m+1})$, where $h_{m+1} = H(S)$.

(3) The set $\{a_0 \bmod n + 1, a_1 \bmod n + 1, \ldots, a_{t-1} \bmod n + 1\}$ is published as the winning result $W = \{win_1, win_2, \ldots, win_t\}$, and $A(x)$ is also published for the verification.

• Verification Phase
Alice ensures the randomness and fairness of the final result by checking $h_l = A(l)$ and the set $\{a_0 \bmod n + 1, a_1 \bmod n + 1, \ldots, a_{t-1} \bmod n + 1\}$.

• Claim Phase
Alice claims the prize by sending her ticket $LT_l$ and $\{s_{i_1}, s_{i_2}, \ldots, s_{i_t}\}$ to LI. By verifying $h_l = H(s_{i_1} \| s_{i_2} \| \cdots \| s_{i_t})$ and $y_j = g^{s_j}$, $j \in \{i_1, i_2, \ldots, i_t\}$, LI can ensure Alice's claim.

3.2 Flaw of Liu et al.'s E-Lottery Protocol

According to Liu et al.'s e-lottery protocol, at least t + 1 malicious players can control the generation of a specific winning result to obtain the prize when they collude. Moreover, LI, other honest players and any observer cannot detect this attack. Obviously, this is unfair for the honest players and breaks the randomness. In the following, we describe this weakness.

For simplicity, suppose only t + 1 malicious players launch the collusion attack, i.e., t players holding $LT_1, LT_2, \ldots, LT_t$ attempt to make another player $U_k$ ($k \neq 1, 2, \ldots, t$) owning his/her ticket $LT_k$ and selection $\{i_1, i_2, \ldots, i_t\}$ be the winner. In the Drawing Phase, after $H(S)$ and $(l, h_l)$, $l = t + 1, t + 2, \ldots, m$ have been published, where m is known by all, the t players collude to compute the inverse matrix as follows:

$$
\begin{pmatrix}
c_{1,1} & c_{1,2} & \cdots & c_{1,m+1} \\
c_{2,1} & c_{2,2} & \cdots & c_{2,m+1} \\
\vdots & \vdots & & \vdots \\
c_{m+1,1} & c_{m+1,2} & \cdots & c_{m+1,m+1}
\end{pmatrix}
=
\begin{pmatrix}
1 & 1 & \cdots & 1 \\
1 & 2 & \cdots & 2^m \\
\vdots & \vdots & & \vdots \\
1 & m+1 & \cdots & (m+1)^m
\end{pmatrix}^{-1}
\tag{2}
$$

(2) Afterwards, these t players determine their $h_l$, $l = 1, 2, \ldots, t$ by solving the following matrix equation

$$
\begin{pmatrix}
c_{1,1} & c_{1,2} & \cdots & c_{1,t} \\
c_{2,1} & c_{2,2} & \cdots & c_{2,t} \\
\vdots & \vdots & & \vdots \\
c_{t,1} & c_{t,2} & \cdots & c_{t,t}
\end{pmatrix}
\begin{pmatrix} h_1 \\ h_2 \\ \vdots \\ h_t \end{pmatrix}
=
\begin{pmatrix}
i_1 - \sum_{l=t+1}^{m+1} c_{1,l} h_l \\
i_2 - \sum_{l=t+1}^{m+1} c_{2,l} h_l \\
\vdots \\
i_t - \sum_{l=t+1}^{m+1} c_{t,l} h_l
\end{pmatrix}
\tag{3}
$$

Finally, the t players publish $h_l$, $l = 1, 2, \ldots, t$. Thus the player $U_k$ who holds $LT_k$ and $\{i_1, i_2, \ldots, i_t\}$ is the winner, and all equations in the Verification Phase and Claim Phase hold since $U_k$ does not forge $h_k$.

For example, assume all operations are executed over $F_7$, t = 2 and there are m = 4 players, who are denoted as $U_1, U_2, U_3, U_4$. In addition, $U_1$ and $U_2$ collude to make $U_3$ holding the selection {1, 2} be the winner. Suppose $h_3 = 2$, $h_4 = 3$, $h_5 = 1$ have been published in the Drawing Phase.

(1) Both $U_1$ and $U_2$ compute the inverse matrix

$$
\begin{pmatrix}
5 & 4 & 3 & 2 & 1 \\
0 & 5 & 5 & 2 & 2 \\
5 & 3 & 0 & 6 & 0 \\
0 & 1 & 4 & 3 & 6 \\
5 & 1 & 2 & 1 & 5
\end{pmatrix}
=
\begin{pmatrix}
1 & 1 & 1 & 1 & 1 \\
1 & 2 & 2^2 & 2^3 & 2^4 \\
1 & 3 & 3^2 & 3^3 & 3^4 \\
1 & 4 & 4^2 & 4^3 & 4^4 \\
1 & 5 & 5^2 & 5^3 & 5^4
\end{pmatrix}^{-1}
\tag{4}
$$

(2) $U_1$ and $U_2$ solve the following matrix equation

$$
\begin{pmatrix} 5 & 4 \\ 0 & 5 \end{pmatrix}
\begin{pmatrix} h_1 \\ h_2 \end{pmatrix}
=
\begin{pmatrix} 2 \\ 5 \end{pmatrix}
\tag{5}
$$

to obtain $h_1 = 1$, $h_2 = 1$, and publish (1, 1), (2, 1). With the published (1, 1), (2, 1), (3, 2), (4, 3), (5, 1), $A(x) = 1 + 2x + 5x^2 + 3x^3 + 4x^4$ is generated by LI, the winning result is W = {1, 2}, and $U_3$ can obtain the prize in the Claim Phase, since he/she publishes the valid value $h_3$. Therefore, $U_1$, $U_2$ and $U_3$ can collude to cheat LI and this is thus unfair for the player $U_4$. As a consequence, the fairness and the randomness are not really achieved in Liu et al.'s e-lottery protocol.

Mu et al.'s OT protocol [14] is employed in Liu et al.'s e-lottery protocol. Furthermore, Mu et al.'s OT protocol and Lou-Huang's OT protocol [16] based on ECC need the modular exponentiation computation and the point multiplication computation respectively. Thus the latter is obviously more efficient than the former, since the modular exponentiation computation burden is higher than the point multiplication computation burden in ECC [16]. Although many existing OT protocols can take the place of Mu et al.'s OT protocol and be utilized in Liu et al.'s e-lottery protocol successfully, most of them need the modular exponentiation computation and cannot increase the efficiency of the protocol greatly. Therefore, the efficiency will be greatly enhanced if Lou-Huang's OT protocol is used in Liu et al.'s e-lottery protocol instead of Mu et al.'s OT protocol.


In order to address the above flaw and increase the efficiency, an improved (t, n) e-lottery protocol is proposed using Lou-Huang’s OT protocol, which not only resists against the collusion attack from at least t + 1 malicious players, but also reduces the computation burden.
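Lou-Huang's (t, n) OT exchange from Section 2, which the improved protocol reuses for ticket purchase, run end to end. This is an added example, not code from the paper: the toy curve y² = x³ + 2x + 2 over F_17 with generator (5, 1) of order 19, SHA-256 as H, the fixed points 2P..7P and all function names are assumptions made for illustration.

```python
import hashlib
import secrets

# Toy parameters, constructed for illustration and far too small for real use:
# E: y^2 = x^3 + 2x + 2 over F_17, generator P = (5, 1), group order e = 19.
FIELD_Q, CURVE_A, ORDER_E, BASE_P = 17, 2, 19, (5, 1)


def add(p1, p2):
    """Add two points of E; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % FIELD_Q == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + CURVE_A) * pow(2 * y1, -1, FIELD_Q)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, FIELD_Q)
    x3 = (lam * lam - x1 - x2) % FIELD_Q
    return (x3, (lam * (x1 - x3) - y1) % FIELD_Q)


def mul(k, point):
    """Double-and-add scalar multiplication k * point in G = <P>."""
    result, k = None, k % ORDER_E
    while k:
        if k & 1:
            result = add(result, point)
        point = add(point, point)
        k >>= 1
    return result


def receipt(i, ticket_no, secret):
    """M_i = H(i || l || S), reduced mod q so it fits the toy field."""
    digest = hashlib.sha256(f"{i}|{ticket_no}|{secret}".encode()).digest()
    return int.from_bytes(digest, "big") % FIELD_Q


def receiver_request(points, choices):
    """Step (1): blind each chosen P_r as Q_j = s_j * P_r; the s_j stay private."""
    s = [secrets.randbelow(ORDER_E - 1) + 1 for _ in choices]
    return s, [mul(sj, points[r]) for sj, r in zip(s, choices)]


def sender_respond(points, messages, blinded):
    """Step (2): draw a fresh d for this transfer only, then
    c_i = Z_ix + M_i with Z_i = d * P_i, and W_j = d * Q_j."""
    d = secrets.randbelow(ORDER_E - 1) + 1
    c = [(mul(d, p)[0] + m) % FIELD_Q for p, m in zip(points, messages)]
    return [mul(d, q) for q in blinded], c


def receiver_recover(s, choices, masked, c):
    """Step (3): Z_r = s_j^{-1} * W_j (inverse mod e), then M_r = c_r - Z_rx."""
    out = []
    for sj, r, w in zip(s, choices, masked):
        z = mul(pow(sj, -1, ORDER_E), w)
        out.append((c[r] - z[0]) % FIELD_Q)
    return out


def run_transfer(choices, n=6, ticket_no=1, secret="constructed-S"):
    """One ticket purchase: returns all n receipts and the t the receiver got."""
    # Fixed multiples 2P..(n+1)P stand in for the sender's random points P_1..P_n.
    points = [mul(k, BASE_P) for k in range(2, n + 2)]
    messages = [receipt(i + 1, ticket_no, secret) for i in range(n)]
    s, blinded = receiver_request(points, choices)
    masked, c = sender_respond(points, messages, blinded)
    return messages, receiver_recover(s, choices, masked, c)


if __name__ == "__main__":
    all_receipts, got = run_transfer([0, 3, 4])   # 0-based picks: P_1, P_4, P_5
    print("receiver recovered", got, "out of", all_receipts)
```

The sender only ever sees the blinded points Q_j, and the receiver can unmask only the c_i whose point it blinded, because removing any other mask would require d.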

4 An Efficient E-Lottery Protocol Using ECC

Alice can select t favorites from the given numbers. Subsequently, LI chooses a one-way hash function H(x), a large prime number q and an elliptic curve $E_q$ over the finite field $F_q$. A point cyclic group $G = \langle P \rangle$ is over $E_q$ with order $e$, where $P$ is the generator of $G$. Furthermore, all computations are performed over $E_q$.

• Initialization Phase
LI randomly picks distinct points $P_1, P_2, \ldots, P_n \in G$ and a secret number $S$, then publishes the parameters $\{E_q, P_1, P_2, \ldots, P_n, e\}$.

• Purchase Phase
The l-th ticket is purchased by Alice as follows:

(1) Alice chooses random numbers $s_{i_1}, s_{i_2}, \ldots, s_{i_t} \in Z_e^*$ and $P_{i_1}, P_{i_2}, \ldots, P_{i_t} \in \{P_1, P_2, \ldots, P_n\}$. Alice computes $Q_1 = s_{i_1} P_{i_1}, Q_2 = s_{i_2} P_{i_2}, \ldots, Q_t = s_{i_t} P_{i_t}$, $h_l = H(s_{i_1} \| s_{i_2} \| \cdots \| s_{i_t})$ and $h_l^* = H(h_l)$; moreover, she sends $\{Q_1, Q_2, \ldots, Q_t\}$ to LI and publishes $h_l^*$.

(2) With the received $\{Q_1, Q_2, \ldots, Q_t\}$ from Alice, LI stores $Q_1, Q_2, \ldots, Q_t$ for the verification in the Claim Phase. LI selects a random number $d$, and computes

$$Z_i = (Z_{ix}, Z_{iy}) = dP_i, \qquad M_i = H(i \| l \| S), \qquad c_i = Z_{ix} + M_i, \qquad i = 1, 2, \ldots, n, \tag{6}$$

and $W_j = dQ_j$, for $j = 1, 2, \ldots, t$. LI generates the l-th ticket $LT_l = l \| (W_1, c_1) \| (W_2, c_2) \| \cdots \| (W_t, c_t) \| c_{t+1} \| \cdots \| c_n$ and sends $LT_l$ to Alice.

(3) Upon receiving $LT_l$ from LI, Alice recovers t receipts by computing $Z_{i_j} = (Z_{i_j x}, Z_{i_j y}) = s_{i_j}^{-1} W_j$, $j = 1, 2, \ldots, t$ and $M_j = c_j - Z_{jx}$, $j \in \{i_1, i_2, \ldots, i_t\}$.

• Drawing Phase
Assume that m tickets have been purchased when the ticket sale system is closed; LI can then generate the winning result as follows:

(1) LI firstly publishes $(m + 1, h_{m+1})$, where $h_{m+1} = H(S)$, then all players publish $(l, h_l)$, $l = 1, 2, \ldots, m$.

(2) LI verifies $h_l^* = H(h_l)$, for $l = 1, 2, \ldots, m$. If all equations hold, LI constructs a polynomial $A(x) = a_0 + a_1 x + \cdots + a_m x^m$ passing through $(1, h_1), (2, h_2), \ldots, (m, h_m)$ and $(m + 1, h_{m+1})$. The coefficients $\{a_0, a_1, \ldots, a_m\}$ can be extracted from the matrix equation:

$$
\begin{pmatrix}
1 & 1 & \cdots & 1 \\
1 & 2 & \cdots & 2^m \\
\vdots & \vdots & & \vdots \\
1 & m+1 & \cdots & (m+1)^m
\end{pmatrix}
\begin{pmatrix} a_0 \\ a_1 \\ \vdots \\ a_m \end{pmatrix}
=
\begin{pmatrix} h_1 \\ h_2 \\ \vdots \\ h_{m+1} \end{pmatrix}
\tag{7}
$$

(3) The set $\{a_0 \bmod n + 1, a_1 \bmod n + 1, \ldots, a_{t-1} \bmod n + 1\}$ is published as the winning result $W = \{win_1, win_2, \ldots, win_t\}$ by LI, and $A(x)$ is also published for the verification. Moreover, if W contains repeated elements, the element $a_j \bmod n + 1$ for $j = t, t + 1, \ldots, m$, is added to W in turn until it holds t distinct elements.

• Verification Phase
Alice can verify whether her contribution is involved in the generation of the winning result by checking $h_l = A(l)$ with her $(l, h_l)$. Furthermore, she checks the winning result $\{a_0 \bmod n + 1, a_1 \bmod n + 1, \ldots, a_{t-1} \bmod n + 1\}$. In addition, anyone can authenticate the randomness and fairness of the winning result by checking $h_l^* = H(h_l)$, for $l = 1, 2, \ldots, m$, $h_l = A(l)$, for $l = 1, 2, \ldots, m + 1$, and $\{a_0 \bmod n + 1, a_1 \bmod n + 1, \ldots, a_{t-1} \bmod n + 1\}$, such that the proposed protocol achieves the public verification.

• Claim Phase
If $W = \{i_1, i_2, \ldots, i_t\}$, Alice transmits her ticket $LT_l$ and secrets $\{s_{i_1}, s_{i_2}, \ldots, s_{i_t}\}$ to LI. Afterwards, LI verifies $h_l = H(s_{i_1} \| s_{i_2} \| \cdots \| s_{i_t})$ and $Q_j = s_j P_j$, for $j = i_1, i_2, \ldots, i_t$, to ensure Alice's claim.
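The Drawing and Verification Phases above as a public verifier would run them: solve Eq. (7) for A(x), then check every published h_l against its Purchase Phase commitment h*_l and against A(l). This is an added example, not code from the paper; SHA-256 as H, the function names and the purchase-time values in HONEST_H are assumptions, while the F_7 points are those of the small example in Section 3.2.

```python
import hashlib


def H(value):
    """One-way hash used for the commitments (SHA-256 is an assumption)."""
    return hashlib.sha256(str(value).encode()).hexdigest()


def interpolate(points, p):
    """Solve the Vandermonde system of Eq. (7) over F_p by Gauss-Jordan
    elimination and return [a_0, ..., a_m]. Needs distinct x values mod p."""
    size = len(points)
    rows = [[pow(x, j, p) for j in range(size)] + [h % p] for x, h in points]
    for col in range(size):
        pivot = next(r for r in range(col, size) if rows[r][col])
        rows[col], rows[pivot] = rows[pivot], rows[col]
        inv = pow(rows[col][col], -1, p)
        rows[col] = [v * inv % p for v in rows[col]]
        for r in range(size):
            if r != col and rows[r][col]:
                f = rows[r][col]
                rows[r] = [(a - f * b) % p for a, b in zip(rows[r], rows[col])]
    return [row[-1] for row in rows]


def evaluate(coeffs, x, p):
    """Horner evaluation of A(x) over F_p."""
    acc = 0
    for a in reversed(coeffs):
        acc = (acc * x + a) % p
    return acc


def winning_set(coeffs, t, n):
    """W = {a_j mod n + 1}; later coefficients are taken in turn until
    W holds t distinct numbers."""
    result = []
    for a in coeffs:
        number = a % n + 1
        if number not in result:
            result.append(number)
        if len(result) == t:
            break
    return result


def public_verify(commitments, published, coeffs, p):
    """Return the failed checks; an empty list means the draw verifies.
    commitments: {l: h*_l} from the Purchase Phase (players 1..m).
    published:   {l: h_l} from the Drawing Phase, with l = m + 1 for H(S)."""
    failures = []
    for l, committed in sorted(commitments.items()):
        if H(published.get(l)) != committed:
            failures.append(("commitment", l))
    for l, h in sorted(published.items()):
        if evaluate(coeffs, l, p) != h % p:
            failures.append(("polynomial", l))
    return failures


# Constructed sample over F_7 with m = 4 tickets.
P_MOD = 7
PAGE_POINTS = {1: 1, 2: 1, 3: 2, 4: 3, 5: 1}   # (l, h_l) from the Section 3.2 example
HONEST_H = {1: 4, 2: 6, 3: 2, 4: 3}            # constructed purchase-time h_l values
COMMITMENTS = {l: H(h) for l, h in HONEST_H.items()}


def demo():
    """Verify a draw whose h_1, h_2 differ from the committed values, then a clean one."""
    coeffs = interpolate(sorted(PAGE_POINTS.items()), P_MOD)
    changed = public_verify(COMMITMENTS, PAGE_POINTS, coeffs, P_MOD)
    honest = {**HONEST_H, 5: 1}
    honest_coeffs = interpolate(sorted(honest.items()), P_MOD)
    clean = public_verify(COMMITMENTS, honest, honest_coeffs, P_MOD)
    return coeffs, changed, clean


if __name__ == "__main__":
    print(demo())
```

The polynomial check alone accepts the changed values, since A(x) is fitted to whatever is published; only the commitment check ties each h_l to what the player fixed at purchase time.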

5 Analysis

In this section, we show that the proposed protocol achieves a series of functional properties comprising the correctness, the fairness, the randomness, the traceability, the unforgeability, the robustness and the efficiency. Moreover, the merits of the previous protocol are inherited, such as practicability.

Correctness

Correctness means that any player can choose t numbers, and his/her selections are recorded and blinded correctly. In the Purchase Phase, $Q_1, Q_2, \ldots, Q_t$ reflect and blind Alice's selections, since nobody can derive $s_{i_1}, s_{i_2}, \ldots, s_{i_t}$ from $h_l$ due to the feature of one-way hash function and know which t points $P_{i_1}, P_{i_2}, \ldots, P_{i_t}$ are selected by Alice. In addition, any malicious player cannot derive more than t receipts. Suppose that the malicious player Alice obtains t receipts $M_j$, for $j = i_1, i_2, \ldots, i_t$, from LI, and she attempts to obtain other receipts $M_j$, $j \notin \{i_1, i_2, \ldots, i_t\}$. Therefore, she must derive $Z_{jx}$ by computing $Z_j = (Z_{jx}, Z_{jy}) = dP_j$, $j \notin \{i_1, i_2, \ldots, i_t\}$. However, she cannot derive $d$ from $Z_{i_j} = dP_{i_j}$, $j = 1, 2, \ldots, t$ due to the ECDL problem. Moreover, she also cannot obtain $M_j$, $j \notin \{i_1, i_2, \ldots, i_t\}$ by computing $M_j = H(j \| l \| S)$, $j \notin \{i_1, i_2, \ldots, i_t\}$, since $S$ cannot be derived from $H(S)$ due to the feature of one-way hash function. As a result, the malicious player cannot have knowledge about more than t receipts.

Fairness

The fairness of the proposed protocol is also associated with the randomness, that is to say, the randomness is achieved if the final result is really fair. Suppose that the malicious players attempt to collude to control the generation of a pre-designated result. Thus they should know the $h_l$ of other honest players and LI to forge their corresponding $h_l$ and publish $h_l^* = H(h_l)$ before the ticket sale system is shut down. However, the malicious players are obviously unable to break the fairness, since the random and occasional purchasing behavior results in the uncertainty of the value m, i.e., they might be unable to know m. Although m can be derived by the malicious players before the ticket sale system is closed, they cannot have any idea about $H(S)$ or extract $h_l$ from $h_l^* = H(h_l)$, which are published by the honest players in the Purchase Phase, such that they are unable to forge their corresponding $h_l$. Moreover, even if LI is corrupted and releases $H(S)$ to the malicious players, they also cannot control the generation of a specific result due to the unknown hash value $h_l$ the honest players hold.

After the ticket sale system was shut down and before $H(S)$ is published, any adversary including LI cannot obtain the players' $h_l$ from the published $h_l^*$ due to the feature of one-way hash function. As long as there is an honest player who does not release the corresponding $h_l$ to LI, he/she cannot forge $h'_{m+1}$, $h'_{m+1} \neq H(S)$ to break the fairness.

After $H(S)$ is published, the result is also generated and cannot be forged. If the malicious players publish the modified $h'_l$ ($h'_l \neq h_l$) for the prize in the Drawing Phase, anyone including LI can detect $h'_l$ by checking $h_l^* \neq H(h'_l)$, where the $h_l^*$ are published by all players in the Purchase Phase. In addition, if LI publishes $A'(x)$ not passing through $(l, h_l)$, $l = 1, 2, \ldots, m + 1$, it obviously can be detected by checking $h_l \neq A'(l)$.

Therefore, anyone can check $h_l^* = H(h_l)$, $l = 1, 2, \ldots, m$, $h_l = A(l)$, $l = 1, 2, \ldots, m + 1$ and $\{a_0 \bmod n + 1, a_1 \bmod n + 1, \ldots, a_{t-1} \bmod n + 1\}$ to prevent the malicious players and LI from breaking the fairness. It is clear that the winning result is fair for all. Moreover, anyone can verify the fairness and randomness, since the data for verification has been published in the Purchase Phase and Drawing Phase. Therefore, the proposed protocol achieves the public verification.

Traceability

Traceability ensures that Alice can verify whether her ticket contributes to the generation of the winning result. Alice can use her $(l, h_l)$ to check $h_l = A(l)$ and $\{a_0 \bmod n + 1, a_1 \bmod n + 1, \ldots, a_{t-1} \bmod n + 1\}$ in the Verification Phase. Therefore, she can be convinced of her contribution if the equations hold. Furthermore, Alice's verification needs no other's collaboration.

Unforgeability

Unforgeability means nobody can counterfeit the winning ticket. In fact, it is not feasible for the adversary to counterfeit the winning ticket in the proposed protocol. If the adversary attempts to forge the winner Alice's ticket in the Claim Phase, he/she needs to send $s_{i_1}, s_{i_2}, \ldots, s_{i_t}$ to LI. We know it is impossible for the adversary to derive $s_{i_1}, s_{i_2}, \ldots, s_{i_t}$ from the published $h_l$ due to the feature of one-way hash function. Moreover, even if the adversary can determine $P_{i_1}, P_{i_2}, \ldots, P_{i_t}$ with the published winning result $\{i_1, i_2, \ldots, i_t\}$, he/she also cannot obtain $s_{i_j}$ from $Q_j$, $j = 1, 2, \ldots, t$ due to the ECDL problem. In addition, though the adversary knows $d$, it is also impossible for him/her to obtain $s_{i_1}, s_{i_2}, \ldots, s_{i_t}$ from $W_j = d s_{i_j} P_{i_j}$, $j = 1, 2, \ldots, t$. Therefore, the adversary cannot counterfeit the winner's ticket in the Claim Phase without knowing $s_{i_1}, s_{i_2}, \ldots, s_{i_t}$.

Robustness

The robustness is achieved since the proposed protocol also does not rely on a trusted third party, in which LI is only to verify $h_l^* = H(h_l)$, $l = 1, 2, \ldots, m$, and construct $A(x)$ and $W = \{a_0 \bmod n + 1, a_1 \bmod n + 1, \ldots, a_{t-1} \bmod n + 1\}$. In fact, with the published information, the verifications $h_l^* = H(h_l)$, $l = 1, 2, \ldots, m$, and the generation of $A(x)$ and $W$ can be performed by anyone. Consequently, the trust bottleneck is removed, such that the robustness is achieved.

More Efficiency

The proposed protocol is more efficient than the previous one. We focus on the complex computations, whose time costs are defined in Table 1, since the time costs of other computations are negligible. For the identical security level, the key size of ECC is smaller than that of RSA [19-20], and the time cost for one point multiplication computation in ECC is less than that for one modular exponentiation computation in RSA (i.e., $T_{em} < T_e$) [16].
Table 1 Notation for Related Computation Time Cost

| Notation | Definition |
|---|---|
| $T_e$ | A modular exponentiation computation time cost. |
| $T_m$ | A modular multiplication computation time cost. |
| $T_i$ | A modular inversion computation time cost. |
| $T_t$ | The generation time cost of a polynomial passing through t points. |
| $T_{em}$ | A point multiplication time cost. |

For instance, the security of 160-bit ECC is comparable with that of 1024-bit RSA, and the security of 224-bit ECC is comparable with that of 2048-bit RSA [21]. Moreover, an inverse computation and a modular exponentiation in a finite field cost about the same time [22]. LI's computing power is considered to be huge, so we don't focus on LI's computation complexity. In the Purchase Phase, we compare Alice's computation time cost in Liu et al.'s e-lottery protocol [15] with that in the proposed protocol. Alice's computation time costs in the Purchase Phase of Liu et al.'s e-lottery protocol and the proposed protocol are $2tT_e + tT_m + tT_i + T_t$ and $2tT_{em} + tT_i$, respectively. Obviously, in the Purchase Phase, Alice's computation time cost in the proposed protocol is far less than that in Liu et al.'s e-lottery protocol. Furthermore, Alice's computation complexity in the Verification Phase of the proposed protocol is equal to that of Liu et al.'s e-lottery protocol if only the traceability is required by Alice. Moreover, the proposed protocol allows anyone including Alice to verify the fairness and randomness, which produces a heavy computation burden. However, it ensures enhanced security compared with Liu et al.'s e-lottery protocol. In general, the proposed protocol is more efficient than Liu et al.'s e-lottery protocol.

In addition, we compare the functional properties of related works with our proposed protocol in Table 2.

Table 2 Functional Property Comparison of Related Works

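| Properties | Liu et al.'s [9] | Chen et al.'s [11] | Liu et al.'s [15] | Ours |
|---|---|---|---|---|
| Correctness | | | | |
| Fairness/Randomness | | | | |
| Traceability | | | | |
| Unforgeability | | | | |
| Robustness | | | | |
| Public verification | | | | |
| Practicability | | | | |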

6 Conclusion

Based on Lou-Huang's efficient (t, n) OT protocol using ECC, an improved (t, n) e-lottery protocol achieves the correctness, the fairness, the randomness, the traceability, the unforgeability, and the robustness. Moreover, the proposed protocol is more efficient.

Acknowledgements

This work was partly supported by National Natural Science Foundation of China under grant Nos. 61363069, 61301166 and 61562015, partly supported by Guangxi Natural Science Foundation of China (Nos. 2014GXNSFAA118364, 2015GXNSFDA139038), Innovation Project of Guangxi Graduate Education (No. YCSZ2015149), High Level Innovation Team of Guangxi Colleges and Universities and Outstanding Scholars Fund, Program for Innovative Research Team of Guilin University of Electronic Technology.

References

[1] J. Zhou and C. Tan, Playing Lottery on the Internet, 3rd International Conference on Information and Communications Security, Xi'an, China, 2001, pp. 189-201.
[2] D. He and D. Wang, Robust Biometrics-Based Authentication Scheme for Multi-Server Environment, IEEE Systems Journal, Vol. 9, No. 3, pp. 816-823, September, 2015.
[3] P. Guo, J. Wang, B. Li and S. Lee, A Variable Threshold-Value Authentication Architecture for Wireless Mesh Networks, Journal of Internet Technology, Vol. 15, No. 6, pp. 929-936, November, 2014.
[4] D. He, J. Chen and J. Hu, Improvement on a Smart Card Based Password Authentication Scheme, Journal of Internet Technology, Vol. 13, No. 3, pp. 405-410, May, 2012.
[5] S. S. M. Chow, L. C. K. Hui, S. M. Yiu and K. P. Chow, Practical Electronic Lotteries with Offline TTP, Computer Communications, Vol. 29, No. 15, pp. 2830-2840, September, 2006.
[6] Y. Y. Chen, J. K. Jan and C. L. Chen, Design of a Fair Proxy Raffle Protocol on the Internet, Computer Standards and Interfaces, Vol. 27, No. 4, pp. 415-422, April, 2005.
[7] Y. Liu, L. Hu and H. Liu, Using an Efficient Hash Chain and Delaying Function to Improve an e-Lottery Scheme, International Journal of Computer Mathematics, Vol. 84, No. 7, pp. 967-970, August, 2007.
[8] J. S. Lee and C. C. Chang, Design of Electronic t-out-of-n Lotteries on the Internet, Computer Standard and Interfaces, Vol. 31, No. 2, pp. 395-400, 2009.
[9] Y. Liu, D. Lin, C. Cheng, H. Chen and T. Jiang, An Improved t-out-of-n E-Lottery Protocol, International Journal of Communication System, Vol. 27, No. 11, pp. 3223-3231, November, 2014.
[10] D. Gray and C. Sheedy, The Security of Lee and Chang's t-out-of-n Lottery Protocol, 2009, http://computing.dcu.ie/wpapers/2009/0109.pdf
[11] C. L. Chen, Y. H. Liao and W. J. Tsaur, A Secure and Fair Joint e-Lottery Protocol, The Scientific World Journal, April, 2014, doi:10.1155/2014/139435.
[12] A. Shamir, Identity-Based Cryptosystems and Signature Schemes, CRYPTO 84 on Advances in Cryptology, Santa Barbara, CA, 1985, pp. 47-53.
[13] L. Harn and J. Ren, Efficient Identity-Based RSA Multisignatures, Computers & Security, Vol. 27, No. 1-2, pp. 12-15, March, 2008.
[14] Y. Mu, J. Zhang, V. Varadharajan and Y. Lin, Robust Non-Interactive Oblivious Transfer, IEEE Communications Letters, Vol. 7, No. 4, pp. 153-156, April, 2003.
[15] Y. Liu, C. Cheng, T. Jiang and C. C. Chang, A Practical Lottery Using Oblivious Transfer, International Journal of Communication Systems, Vol. 29, No. 2, pp. 277-282, January, 2016.
[16] D.-C. Lou and H.-F. Huang, An Efficient t-out-of-n Oblivious Transfer for Information Security and Privacy Protection, International Journal of Communication Systems, Vol. 27, No. 12, pp. 3759-3767, December, 2014.
[17] C. L. Hsu and K. Y. Tsai, New ECC-Based Remote User Authentication Scheme with Key Agreement Using Smart Cards, Journal of Internet Technology, Vol. 12, No. 4, pp. 601-608, July, 2011.
[18] S.-H. Wu, F. Kang and Q. Pu, Practical Remote Mutual Authentication with Key Agreement Scheme for Mobile Devices on Elliptic Curve Cryptosystem, Journal of Internet Technology, Vol. 13, No. 3, pp. 411-418, May, 2012.
[19] V. S. Miller, Use of Elliptic Curves in Cryptography, Lecture Notes in Computer Sciences; 218 on Advances in Cryptology -- CRYPTO 85, Santa Barbara, CA, 1986, pp. 417-426.
[20] R. L. Rivest, M. E. Hellman, J. C. Anderson and J. W. Lyons, Responses to NIST's Proposal, Communications of the ACM, Vol. 35, pp. 5-52, July, 1992.
[21] R. L. Rivest, A. Shamir and L. Adleman, A Method for Obtaining Digital Signatures and Public-Key Cryptosystems, Communications of the ACM, Vol. 21, No. 2, pp. 120-126, February, 1978.
[22] V. Dimitrov and T. Cooklev, Two Algorithms for Modular Exponentiation Using Nonstandard Arithmetics, IEICE Transactions of the Fundamentals, Vol. E78-A, No. 1, pp. 82-87, January, 1995.


Biographies

Yining Liu is currently a professor in Guilin University of Electronic Technology, Guilin, China. He received the BS degree in Applied Mathematics from Information Engineering University, Zhengzhou, China, in 1995, the MS in Computer Software and Theory from Huazhong University of Science and Technology, Wuhan, China, in 2003, and the PhD degree in Mathematics from Hubei University, Wuhan, China, in 2007. His research interests include the analysis of information security protocol, the smart grid, and e-voting.

Gao Liu is now pursuing his MS degree in Guilin University of Electronic Technology, Guilin, China. He received the BS degree in Applied Mathematics from Yibin University, Sichuan, China, in 2013. His research interests focus on e-voting, micropayment, e-lottery, and smart grid.

Chin-Chen Chang received his PhD degree in computer engineering from National Chiao Tung University. His first degree is Bachelor of Science in Applied Mathematics and master degree is Master of Science in computer and decision sciences. Both were awarded in National Tsing Hua University. Dr. Chang served in National Chung Cheng University from 1989 to 2005. His title is Chair Professor in Department of Information Engineering and Computer Science, Feng Chia University, from Feb. 2005. He is a Fellow of IEEE and a Fellow of IEE, UK. His research interests include database design, computer cryptography, image compression and data structures.
