Computers and Electrical Engineering xxx (2015) xxx–xxx
A novel lottery protocol for mobile environments
Chin-Ling Chen a,*, Mao-Lun Chiang b, Wei-Chech Lin a, De-Kui Li c
a Department of Computer Science and Information Engineering, Chaoyang University of Technology, Taichung 41349, Taiwan, ROC
b Department of Information and Communication Engineering, Chaoyang University of Technology, Taichung 41349, Taiwan, ROC
c Department of Information Management, Liaocheng University, Liaocheng, Shandong, China
Article info
Article history:
Received 25 August 2014
Received in revised form 16 July 2015
Accepted 17 July 2015
Available online xxxx
Keywords:
E-lottery
Fairness
Elliptic curve
Attack
Mutual authentication
Abstract
In general, in order for individuals to take part in a lottery, they must purchase physical
lottery tickets from a store. However, due to the popularity and portability of smart
phones, this paper proposes a lottery entry purchase protocol for joint multi-participants
in a mobile environment. This method integrates cryptology, including elliptic curve cryptography and public key infrastructure, enabling users to safely and fairly join a lottery via
a mobile device. The lottery organization involves an untraceable tamperproof decryptor to
generate the winning numbers, and the generation of those winning numbers is fair and
publicly verifiable. All participants share an equal probability of winning the prize.
Subsequently, a comparison table shows that the proposed protocol can withstand attacks
and efficiently satisfy the known requirements in a mobile environment. In addition, this
study also ensures public verification and mutual authentication.
© 2015 Elsevier Ltd. All rights reserved.
1. Introduction
Lottery gambling is non-predictable [1–3] and its prizes vary in size. While all participants stand a chance of winning, it is
impossible to know which participant will win each lottery. The actual value of the prize will vary, depending on how many
people take part in each lottery, and how many winners there are for each draw. This form of gambling thus remains fascinating and exciting for many people. Participants must select several numbers when they purchase each lottery ticket, and
the lottery organization (LO) randomly generates the winning number. If the numbers selected by a participant match the
randomly selected winning numbers, then they will have won the lottery. Sometimes, however, different participants select
the same winning numbers, and in this case the prize money will be shared between them. If the prize is not claimed, the
prize will be added to the prize money generated for the next draw, often called "roll-over". This is an extremely powerful
method to entice participants to purchase lottery tickets.
With the rapid growth and development of portable devices (such as the cell phone or PDA) [4–7], mobile commerce has
become a focal issue. At present, a method for implementing a fair and secure joint purchase e-lottery protocol via a mobile
environment has still not been proposed. This study thus reviewed some lottery schemes to propose just such a solution. In
2005, Chow et al. [8] proposed an e-lottery scheme using a verifiable random function. Lee and Chang [9] proposed an electronic t-out-of-n lottery on the Internet in 2009. Even though the winning prize probability is very low [10], the participants can adopt the following two methods to enhance their probability of winning.
- The coordinator can join other participants to purchase one lottery ticket if the coordinator and participant just want to spend a small amount of money.
- If the coordinator wants to purchase sequential numbers of lottery tickets, the coordinator can invite other participants in order to collect more money.
Reviews processed and recommended for publication to the Editor-in-Chief by Guest Editor Dr. W-H-Hsieh.
Corresponding author: Chin-Ling Chen.
http://dx.doi.org/10.1016/j.compeleceng.2015.07.016
0045-7906/© 2015 Elsevier Ltd. All rights reserved.
The previous schemes [9–11] offered a participant lottery purchases on the Internet, but could not support an efficient
joint purchase protocol in a mobile environment.
So, the participants had to collect funds and commit a coordinator to purchase many lottery tickets in order to increase
the probability of winning the lottery. A fair and joint e-lottery protocol cannot depend on the presupposition that the coordinator can be trusted. The chances for any participant to win the prize must be equal, and that participant must be able to
claim his/her own prize. However the important issue is that the participant can be awarded the prize individually, even
when the coordinator denies the committed activity. Moreover, this study noted that the elliptic curve is suitable for mobile
environments [12,13]. Elliptic curve cryptography (ECC) can use a small key size to achieve the same security level of a discrete logarithm problem (DLP). For example, 160-bit ECC and 1024-bit RSA have the same security level [14]. In 2004, Liaw
[15] proposed an untraceable decryptor which can randomly input a selector with memory, and store the input data in a
buffer. Furthermore, it can be designed to output data when receiving n records, or at a specific pre-set time. If it receives
an enabling signal, the public key decryptor will select a pair of parameters for itself automatically, and the private key cannot be modified because it is stored in the PROM.
In a lottery protocol, one of the fundamental characteristics is that no one can predict or control the outcome. When a
lottery is run, participants must believe that the lottery was fair and secure. In addition, a fair and secure joint purchase
e-lottery protocol in a mobile environment is also necessary. Therefore, this study proposes the following requirements
for a good joint purchase lottery protocol for a mobile environment:
- Defend against attacks: The proposed protocol must be secure against known attacks (such as replay attack, man-in-the-middle attack, and impersonation attack).
- Anonymity: The coordinator should be anonymous to ensure a fair transaction during the ticket purchase.
- Verifiability: All legal lotteries and the generation of the winning numbers must be publicly verifiable.
- Fairness: The probability of each participant winning must be the same.
- Accuracy: The prize should be rewarded to the real winner/s and genuine proportional prizes allotted.
The remainder of this paper is arranged as follows. Section 2 presents the preliminaries of bilinear pairings and related
mathematical assumptions. Section 3 describes the proposed efficient joint purchase protocol. Security analyses of this protocol are presented in Section 4. Section 5 offers discussion of the performance analysis. Conclusions are presented in
Section 6.
2. Preliminary
This section will introduce bilinear pairings and related methodologies. Bilinear pairings are defined on elliptic curves for
efficient ID-based cryptosystems [16–20].
2.1. Bilinear pairing
$G_1$ is an additive cyclic group with a large prime order $q$, and $G_2$ is a multiplicative cyclic group with the same order $q$. $G_1$ is a subgroup of the additive group of points on an elliptic curve over a finite field $E(F_p)$, and $G_2$ is a subgroup of the multiplicative group over a finite field. $P$ is a generator of $G_1$. The detailed descriptions of groups, maps and other parameters are given in [16–20]. A bilinear pairing is a map $e : G_1 \times G_1 \to G_2$, and satisfies the following properties:
(1) Bilinear: $e(aP, bQ) = e(P, Q)^{ab}$ for all $P, Q \in G_1$, and $a, b \in Z_q$.
(2) Non-degenerate: there exists $P, Q \in G_1$ such that $e(P, Q) \neq 1$.
(3) Computability: For all $P, Q \in G_1$, there is an efficient algorithm to compute $e(P, Q)$.
A bilinear map which satisfies the above three properties is called an admissible bilinear map.
2.2. Related mathematical assumptions
Bilinear pairings have the following problems and assumptions defined on elliptic curves.
(1) Decision Diffie-Hellman (DDH) problem: Given $xP, yP, zP \in G_1$ for some $x, y, z \in Z_q$, let $e(xP, yP)$ and $e(P, zP)$. Hence, the DDH problem is easily addressed in $G_1$.
(2) Computational Diffie-Hellman (CDH) problem: Given $P, xP, yP \in G_1$, it is difficult to compute $xyP \in G_1$; hence, the CDH problem is difficult to address in $G_1$.
(3) Bilinear Diffie-Hellman (BDH) assumption: Let $(P, xP, yP, zP)$ for some $x, y, z \in Z_q$; computing $e(P, P)^{xyz} \in G_2$ is difficult.
3. The proposed scheme
This section will describe an efficient joint purchase protocol based on an elliptic curve for mobile environments. The
method consists of five phases: the initial phase, the joint participant phase, the ticket purchase phase, the winning number
generation phase and the lottery prize claim phase. There are five parties in the proposed protocol:
- Coordinator (C): The coordinator collects participants’ information and commits to buying lottery tickets.
- Participant (P): One of the participants using a mobile device to participate in the lottery.
- Participant Group (PG): All of the participants (including the coordinator).
- Lottery Proxy Center (LPC): A trustee web site that is committed to coordinating the lottery.
- Lottery Originator (LO): An organization deploying an LPC provides the lottery prizes and holds the lottery. The LO also sets up an untraceable and tamperproof decryptor [14] to generate winning numbers for each lottery draw.
In order to hold a fair and verifiable lottery, the LO is involved in the proposed protocol, generating the winning number,
for public verification. Cryptology, such as symmetrical encryption and hash chain, is applied in the proposed protocol. The
Internet Secure Socket Layer (SSL) protocol is applied to protect the end-to-end communications for lottery issuing and casting. A scenario involving the proposed protocol is shown in Fig. 1.
(1) LO, P: The participant uses his/her identity to register to the LO. The LO sends back a permit ticket.
(2) C, P: The coordinator sends a request message for ticket purchases to other participants. The participants then respond to a hidden identity message.
(3) C, LPC: The coordinator proposes a purchase request including a participant’s information, to purchase lottery tickets with participants’ information.
(4) LPC, PG: The LPC sends shadows to the participants’ group, respectively.
(5) LPC, LO: The LPC sends shadows to the participants’ group, respectively.
(6) LO, P: The LO generates winning numbers by untraceable decryptor, and then publishes the winning numbers.
(7) P, LO: The winning participant uses his/her shadow to claim the winning prize. Finally, the LO returns an invoice to the participant.
Fig. 1. Structure of our protocol.
The following notations are used in the proposed protocol:
$r_X$: the random number generated by X, $r_X \in Z_q$
$n$: a large number where $n = p \cdot q$; $\varphi(n)$ is a Euler Totient function and $\varphi(n) = (p - 1)(q - 1)$. The $(p, q)$ is a pair of large prime numbers
$h_1()$: a one way hash function, $h_1 : \{0, 1\}^* \times G_1 \to \{0, 1\}^k$, where k is the fixed output length [21]
$h_2()$: the map-to-point function, $h_2 : \{0, 1\}^* \to G_1$
$R()$: the real random number function [22]
$PRG()$: the pseudo-random number generation function
$ID_i$: the identity of user i
$HID_i$: the hash value of the user i identity, where $HID_i = h_2(ID_i)$
$s$: the LO and LPC’s secret key, $s \in Z_q$
$d_{ID}$: the private identity of user i
$CK_{c,i}$: the session key between coordinator and user i
$E_k(M)/D_k(M)$: use symmetrical key k to encrypt or decrypt message M
$S_{SK_X}(M)$: use X’s private key $SK_X$ to sign message M
$V_{PK_X}(M)$: use X’s public key $PK_X$ to verify message M
$Sig_i$: the ith signature
$TK_i$: the permit ticket of the ith purchase
$SHK_X$: X’s shadow
$SHK_{XY}$: the shadow key between X and Y
$f(x)$: a polynomial function generated for embedding the LO’s private key $SK_{LO}$, where $f(x) = c \cdot x + SK_{LO} \bmod \varphi(n)$, $c \in [1, \varphi(n)]$
$Q$: the point of group $G_1$
$N_X$: the nonce generated by X, and the $N_X \in Z_q$
$Num$: the lottery number selected by coordinator, where $Num = (no_1, no_2, \ldots, no_j)$
$t_a, t_p, t_c$: the time of winner announcement; deadline of prize claim request; deadline for collecting information between coordinator and participants
$timestamp_X$: X’s timestamp
$x[R]$: the x coordinate of the R point on the elliptic curve [23]
$Inv_X$: X’s invoice
$m$: the number of participants
$\|$: the concatenation operation
$\oplus$: the exclusive OR operation
$A \stackrel{?}{=} B$: comparing whether or not A is equal to B
the secure channel (for example: SSL channel)
the insecure channel
3.1. Construct session key model
In the initial phase, the participant i should register to be a legal user. The LO then issues a purchasing permit, public identity and private identity for participant i. The scenario of the initial phase is shown in Fig. 2.
Step 1: The LO generates a secret key $s$ and sends it to LPC; the LO also selects a finite field $F_q$ over a large odd prime $q > 2^{160}$, and then an elliptic curve function is used: $EC_q(a, b) : y^2 \equiv x^3 + ax + b \pmod{q}$ with the order $q$ over $F_q$, where $a, b \in F_q$, and $4a^3 + 27b^2 \neq 0 \bmod q$ [16], with the public point $Q$ with the order $n$ over $EC_q(a, b)$. The LO computes $Q_{pub} = s \cdot Q$. The $E_k()$ and $D_k()$ are the symmetric encryption and decryption algorithms [16], respectively. Then it publishes: $EC_q(a, b)$, $Q$, $Q_{pub}$, $E_k()$, and $D_k()$.
Step 2: The participant i sends his/her real identity $ID_i$ to the LO for registration.
Step 3: First, the LO checks the real identity, and then generates the public identity $HID_i$, private identity $d_{ID_i}$, and purchase permit ticket $TK_i$.
$HID_i = h_2(ID_i)$  (1)
$d_{ID_i} = s \cdot HID_i$  (2)
$C_{TK_i} = E_{SK_{LO}}(d_{ID_i})$  (3)
$SG_i = S_{SK_{LO}}(C_{TK_i})$  (4)
$TK_i = (C_{TK_i}, SG_i)$  (5)
Fig. 2. Overview of the initial phase.
Fig. 3. Overview of the joint participant phase.
The LO stores $ID_i$, and then sends the initial messages $(HID_i, d_{ID_i}, TK_i)$ to participant i.
Step 4: Upon receiving the initial message, participant i verifies ticket $TK_i$:
$V_{PK_{LO}}(SG_i) \stackrel{?}{=} C_{TK_i}$  (6)
If the equality holds, then participant i uses $TK_i$ to purchase a lottery entry. Afterward, the LO and LPC can verify the participant’s identity via ticket $TK_i$.
3.2. Joint participant phase
In the joint participant phase, coordinator C broadcasts a request message to other participants. If the other participants
agree to the coordinator’s request, they will respond with a message to the coordinator. The scenario of the joint participant
phase is shown in Fig. 3.
Step 1: The Coordinator C chooses a nonce $N_c$ and a point $Q$ of the group $G_1$. The coordinator then computes $Q_c$ and $T_c$:
$Q_c = N_c \cdot Q$  (7)
$T_c = N_c \cdot Q_{pub} + h_1(Q_c) \cdot d_{ID_c}$  (8)
The coordinator selects a random number $r_c$ and a number Num of the lottery to generate a signature $s_c$:
$R_c = r_c \cdot Q$  (9)
$s_c = r_c^{-1}(Num - N_c \cdot x[R_c]) \bmod n$  (10)
The coordinator repeatedly stores Num, $N_c$ and $Q_c$ in the database and broadcasts request messages $(Q_c, T_c, HID_c, Num, R_c, s_c, t_c)$ to other participants.
Step 2: Upon receiving the request message, participant i checks if the request has been made before the collect deadline time $t_c$. Next, the participant checks the coordinator’s legality:
$e(T_c, Q) \stackrel{?}{=} e((Q_c + h_1(Q_c) \cdot HID_c), Q_{pub})$  (11)
If the equality holds, then participant i checks the lottery number Num:
$V_1 = x[R_c] \cdot Q_c + s_c \cdot R_c$  (12)
$V_2 = Num \cdot Q$  (13)
$V_1 \stackrel{?}{=} V_2$  (14)
Participant i chooses a nonce $N_i$ and computes $Q_i$:
$Q_i = N_i \cdot Q$  (15)
Participant i generates the session key $CK_{c,i}$ between coordinator C and participant i for encrypting the participant’s information:
$CK_{c,i} = N_i \cdot Q_c$  (16)
$C_1 = E_{CK_{c,i}}(ID_i)$  (17)
Finally, participant i sends the response message $(Q_i, C_1)$ to the coordinator C.
Step 3: Upon receiving the response message, coordinator C computes the session key $CK_{c,i}$ and decrypts $C_1$:
$CK_{c,i} = N_c \cdot Q_i$  (18)
$ID_i = D_{CK_{c,i}}(C_1)$  (19)
The coordinator stores $(ID_i, Q_i)$ in the database.
3.3. Lottery ticket purchase phase
3.3.1. The lottery ticket purchase procedure
In this procedure, the coordinator integrates the participants’ information into the purchase request for the LPC. The scenario is shown in Fig. 4.
Step 1: After the $t_c$, coordinator C generates the purchase message $M_{buy}$ with participants’ information:
$M_{buy} = (ID_1 \| ID_2 \| \ldots \| ID_m \| Q_1 \| Q_2 \| \ldots \| Q_m)$  (20)
$V_{buy} = M_{buy} \oplus h_1(e(HID_c, N_c \cdot Q_{pub}))$  (21)
Coordinator C uses his/her private identity to encrypt the purchase information $((Q_c, V_{buy}), TK_c, timestamp_c, Num)$, where $TK_c = (C_{TK_c}, SG_c)$ issued by LO:
$C_2 = E_{d_{ID_c}}((Q_c, V_{buy}), TK_c, timestamp_c, Num)$  (22)
Coordinator C sends purchase message $(C_2, HID_c)$ to the LPC for lottery ticket purchase.
Step 2: The LPC uses secret key $s$ and $HID_c$ to decrypt $C_2$:
$d_{ID_c} = s \cdot HID_c$  (23)
$((Q_c, V_{buy}), TK_c, timestamp_c, Num) = D_{d_{ID_c}}(C_2)$  (24)
The LPC checks if $timestamp_{LPC} - timestamp_c \leq \Delta T$.
Upon receiving $SG_c$ and $C_{TK_c}$ from $TK_c$, the LPC then verifies:
$V_{PK_{LO}}(SG_c) \stackrel{?}{=} C_{TK_c}$  (25)
Fig. 4. Overview of the lottery purchase procedure.
3.3.2. The lottery ticket purchase procedure
Upon receiving the purchase message, the LPC verifies the coordinator’s identity, generates the lottery for the participant
group, and then sends the lottery numbers to participants, respectively. The scenario is shown in Fig. 5.
Step 1: The LPC extracts the participants’ information $M_{buy}$ from $V_{buy}$:
$M_{buy} = V_{buy} \oplus h_1(e(d_{ID_c}, Q_c)) = (ID_1 \| ID_2 \| \ldots \| ID_m \| Q_1 \| Q_2 \| \ldots \| Q_m)$  (26)
$HID_i = h_2(ID_i)$, for i = 1 to m, where m is the number of participants.
The LPC then selects a nonce $N_{LPC}$ and generates $K_i$ as participants’ shadows $SHK_i$ for claiming the prize:
$SH_i = f(HID_i)(H_{LO}/(HID_i - H_{LO})) \bmod \varphi(n)$, for i = 1 to m
$K_i = (N_{LPC} \cdot HID_i)^{PK_{LO}} \bmod n$, for i = 1 to m
$SHK_i = K_i^{SH_i} \bmod n$, for i = 1 to m  (27), (28)
The LPC generates the $RQ_{LPC}$ and $ST_j$ in order for participants to verify the LPC’s identity:
$RQ_{LPC} = N_{LPC} \cdot Q$  (29)
$ST_j = N_{LPC} \cdot Q_{pub} + h_1(RQ_{LPC}) \cdot d_{LPC}$  (30)
To ensure that the shadow is mapped to the true participant, the LPC hides the lottery $SHK_i$ in $RV_i$ by the participant’s public identity $HID_i$ and public point $Q_{pub}$. The participant extracts his/her own shadow $SHK_i$ by using the secret key $s$ and public identity $HID_i$:
$RV_i = SHK_i \oplus h_1(e(s \cdot HID_i, N_{LPC} \cdot Q_{pub}))$, for i = 1 to m  (31)
At last, the LPC generates the tickets of lottery $TK_{raffle_j}$ as proof that the participants possess their lottery tickets:
$C_{raffle_j} = E_{SK_{LPC}}(ID_1 \| ID_2 \| \ldots \| ID_m)$  (32)
$SG_{raffle_j} = S_{SK_{LPC}}(C_{raffle_j}, Num, t_a, t_p)$  (33)
$TK_{raffle_j} = (C_{raffle_j}, SG_{raffle_j}, Num, t_a, t_p)$  (34)
The LPC sends lottery message $(H_{LO}, RQ_{LPC}, ST_j, RV_i, TK_{raffle_j})$ to the participant group.
Step 2: Upon receiving the lottery message, the participants check if the message is round or not:
Check $e(ST_j, Q) \stackrel{?}{=} e((RQ_{LPC} + h_1(RQ_{LPC}) \cdot H_{LO}), Q_{pub})$  (35)
If the equality holds, the participants get their shadows $SHK_i$ with the private identity $d_{ID_i}$:
$SHK_i = RV_i \oplus h_1(e(d_{ID_i}, RQ_{LPC}))$, for i = 1 to m  (36)
Fig. 5. Overview of the LPC lottery issues procedure.
3.3.3. Storage of purchase information by LO procedure
The LPC sends participants’ information to the LO. The LO generates the shadow key by the participant information and
stores it in the database. Fig. 6 shows the scenario of storing purchase information.
Step 1: The LPC generates shadow key $SH_{i,LO}$:
$SH_{i,LO} = f(H_{LO})(HID_i/(H_{LO} - HID_i)) \bmod \varphi(n)$, for i = 1 to m  (37)
and integrates $K_i$ into $K$ and $SH_{i,LO}$ into $SH$:
$K = (K_1 \| K_2 \| \ldots \| K_m)$, for i = 1 to m  (38)
$SH = (SH_{1,LO} \| SH_{2,LO} \| \ldots \| SH_{m,LO})$, for i = 1 to m  (39)
The LPC sends $(Num, N_{LPC}, M_{buy}, K, SH)$ to the LO via secure channel.
Step 2: Upon receiving the message, the LO uses $SH_{i,LO}$ and $K_i$ to compute $T_{i,LO}$:
$T_{i,LO} = K_i^{SH_{i,LO}}$, for i = 1 to m  (40)
The LO stores $(Num \| N_{LPC} \| M_{buy} \| K \| T_{1,LO} \| T_{2,LO} \| \ldots \| T_{m,LO})$ in the database.
Fig. 6. Overview of the LO stores purchase information procedure.
3.4. Winning number generation phase
After the winner announcement deadline, the LO sends k numbers (i.e. 1, 2, ..., 59) [1] to the decryptor for the generation of the winning numbers. The scenario of the decryptor generating the winning numbers is shown in Fig. 7.
Step 1: Upon receiving the 59 numbers from the LO, the decryptor generates a new public/private key $(e_p, n_p)/d_p$ [23], and then selects a random number $t_i$ by real random function [22], for i = 1 to k.
Step 2: The decryptor uses $t_i$ and the public key $(e_p, n_p)$ to generate $M_i$:
$M_i = t_i^{e_p}(no_i) \bmod n_p$, for i = 1 to k  (41)
$M = (M_1 \| M_2 \| \ldots \| M_k)$  (42)
It then selects 6 winning numbers $V_1, V_2, \ldots, V_6$ by pseudo-random number generating function PRG():
$V_j = PRG(M)$, for j = 1 to 6  (43)
The decryptor uses private key $d_p$ to sign $V_j$:
$V'_j = (V_j)^{d_p} \cdot t_j^{-1} = (no_j)^{d_p} \bmod n_p$, for j = 1 to 6  (44)
The decryptor then publishes $(V'_1 \| V'_2 \| \ldots \| V'_6 \| M \| e_p \| d_p \| n_p)$ for public verification. Moreover, the decryptor sends $(V'_1 \| V'_2 \| \ldots \| V'_6 \| e_p \| n_p)$ to the LO.
Step 3: The LO uses the public key $(e_p, n_p)$ to decrypt:
$wno_j = (V'_j)^{e_p} \bmod n_p = no_i$, for j = 1 to 6  (45)
and then publishes the winning numbers $(wno_1, wno_2, \ldots, wno_6)$.
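The blinded draw of Steps 1 to 3 (Eqs. (41)-(45)) and a public re-check of its result, as an added example that is not code from the paper. The toy key built from two Mersenne primes, the fixed exponent 65537 and the SHA-256-seeded `random.Random` standing in for PRG() are all assumptions.

```python
import hashlib
import math
import random
import secrets

# Assumption: toy one-time RSA key from two Mersenne primes, fixed e_p = 65537.
# The paper only states that the decryptor generates a new (e_p, n_p)/d_p per draw.
PRIME_P, PRIME_Q = 2**31 - 1, 2**61 - 1
E_P = 65537


def keygen():
    """Return (n_p, d_p) with e_p * d_p = 1 mod phi(n_p)."""
    n_p = PRIME_P * PRIME_Q
    d_p = pow(E_P, -1, (PRIME_P - 1) * (PRIME_Q - 1))
    return n_p, d_p


def blind_pool(numbers, n_p):
    """Eq. (41): M_i = t_i^e_p * no_i mod n_p, one fresh random t_i per number."""
    ts, ms = [], []
    for no in numbers:
        t = 0
        while math.gcd(t, n_p) != 1:      # t_i must be invertible for eq. (44)
            t = secrets.randbelow(n_p - 2) + 2
        ts.append(t)
        ms.append(pow(t, E_P, n_p) * no % n_p)
    return ts, ms


def prg_select(ms, count=6):
    """Eq. (43): choose `count` distinct pool positions as a function of M only.
    Assumption: PRG() is Python's Mersenne Twister seeded with SHA-256(M)."""
    digest = hashlib.sha256("|".join(map(str, ms)).encode()).digest()
    rng = random.Random(int.from_bytes(digest, "big"))
    return rng.sample(range(len(ms)), count)


def draw(numbers):
    """Decryptor side: blind, select, sign (eq. (44)) and publish."""
    n_p, d_p = keygen()
    ts, ms = blind_pool(numbers, n_p)
    signed = [pow(ms[i], d_p, n_p) * pow(ts[i], -1, n_p) % n_p  # = no_i^d_p mod n_p
              for i in prg_select(ms)]
    # The paper publishes d_p as well; the key pair is regenerated for every draw.
    return {"V_signed": signed, "M": ms, "e_p": E_P, "d_p": d_p, "n_p": n_p}


def winning_numbers(record):
    """Eq. (45): wno_j = (V'_j)^e_p mod n_p."""
    return [pow(v, record["e_p"], record["n_p"]) for v in record["V_signed"]]


def verify_draw(record, numbers):
    """Anyone can re-run PRG() over the published M and compare with eq. (45)."""
    expected = [numbers[i] for i in prg_select(record["M"])]
    return winning_numbers(record) == expected


if __name__ == "__main__":
    pool = list(range(1, 60))             # the k = 59 numbers sent by the LO
    record = draw(pool)
    print("winning numbers:", winning_numbers(record))
    print("publicly verifiable:", verify_draw(record, pool))
```

The check confirms that the announced numbers follow from the published M; it cannot show how the $t_i$ were chosen, which is why the paper relies on a tamperproof decryptor with a real random source.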
3.5. Lottery prize claim phase
In this phase, the winning participant claims the prize if his/her number matches the winning number. The LO uses the
relative shadow to check the participant’s identity, which is already in the database; if it matches, the LO grants the claim
into his/her credit and generates an invoice for the winning participant. In Fig. 8, the participant claims the prize from LO by
his/her shadow and ticket.
Step 1: Before the claim deadline $t_p$, participant i must generate the claim message with his/her shadow $SHK_i$, private $ID_i$ and $TK_{raffle_j}$ to claim the prize:
$U_{i,WIN} = SHK_i \oplus h_1(e(HID_i, N_i \cdot Q_{pub}))$  (46)
$C_3 = E_{d_{ID_i}}((Q_i, U_{i,WIN}), TK_{raffle_j}, timestamp_{i,WIN})$  (47)
To prove the participant has claimed the prize, the participant must generate the signature by his/her shadow $SHK_i$:
$R_i = r_i \cdot Q$  (48)
$s_i = r_i^{-1}(SHK_i - N_i \cdot x[R_i]) \bmod n$  (49)
The LPC then sends $(Num, C_3, ID_i, R_i, s_i)$ to the LO via secure channel.
Fig. 7. Overview of the decryptor winning numbers generating phase.
Fig. 8. Overview of the lottery prize claim phase.
Step 2: The LO first checks if the Num and $ID_i$ exist in the database. If they do not, it rejects the request. Next, the LO uses Num to find if the consistent lottery information exists in the database and then checks the participant’s identity and number:
$Num \stackrel{?}{=} Num_{WIN}$  (50)
The LO recovers the private identity $d_{ID_i}$ from the database by the identity $ID_i$:
$HID_i = h_2(ID_i)$  (51)
$d_{ID_i} = s \cdot HID_i$  (52)
$((Q_i, U_{i,WIN}), TK_{raffle_j}, timestamp_{i,WIN}) = D_{d_{ID_i}}(C_3)$  (53)
Check $timestamp_{LO} - timestamp_i \leq \Delta T$  (54)
$V_{PK_{LO}}(SG_{raffle_j}) \stackrel{?}{=} C_{raffle_j}$  (55)
$SHK_i = U_{i,WIN} \oplus h_1(e(d_{ID_i}, Q_i))$  (56)
$T_i = K_i^{SHK_i} \bmod n$  (57)
$N'_{LPC} = (T_{i,LO} \cdot T_i)/HID_i$  (58)
Check $N'_{LPC} \stackrel{?}{=} N_{LPC}$  (59)
If the above verifications hold, the LO dispatches the prize to the winner’s credit, and computes invoice $C_{Inv_i}$:
$C_{Inv_i} = E_{SK_{LO}}(HID_i, timestamp_{Inv_i}, Num, SHK_i)$  (60)
$SG_{Inv_i} = S_{SK_{LO}}(C_{Inv_i})$  (61)
$TK_{Inv_i} = (SG_{Inv_i}, C_{Inv_i})$  (62)
Finally, the LO stores the draw information $(Num, ID_i, SHK_i, R_i, s_i, timestamp_{Inv_i})$ in the database. In this way, if the winning participant denies having claimed the prize, the LO can use $(Num, ID_i, SHK_i, R_i, s_i, timestamp_{Inv_i})$ to prove that the prize was issued, and then send the invoice message $TK_{Inv_i}$ to the winning participant.
Step 3: Participant i verifies the invoice message:
$V_{PK_{LO}}(SG_{Inv_i}) \stackrel{?}{=} C_{Inv_i}$  (63)
If the equality holds, the participant checks if the prize has been transferred to his/her credit.
4. Security analysis
This section will discuss known attacks and criteria for the proposed protocol.
4.1. Replay attack
In the lottery ticket purchase phase, coordinator C sends purchase messages $(C_2, HID_i)$ to the LPC. If a malicious attacker intercepts or wiretaps the messages, the attacker can use the message to request a lottery ticket as the message comprises the coordinator’s public identity $HID_i$. Even if the LPC receives and agrees to the replay message, the attacker will still not be able to claim the prize because the LPC sends back the lottery tickets with the identity from $M_{buy} = (ID_1 \| ID_2 \| \ldots \| ID_m \| Q_1 \| Q_2 \| \ldots \| Q_m)$ and only the receiver should use the correct private identity $d_{ID_i}$ to retrieve the shadow $SHK_i$ to claim the prize as follows:
$SHK_i = RV_i \oplus h_1(e(d_{ID_i}, RQ_{LPC}))$
Therefore, an attacker cannot claim the prize by replay attack.
4.2. Man-in-the-middle attack
Assume an attacker intercepts messages $(Q_c, T_c, HID_c, Num, R_c, s_c, t_c)$ between the coordinator and participant. They can modify the coordinator’s identity $HID_c$ to $HID_A$ and the number $Num$ to $Num_A$. The participant will thus receive the fake messages $(Q_c, T_c, HID_A, Num_A, R_c, s_c, t_c)$.
First, the participant checks the legality by:
$e(T_c, Q) \stackrel{?}{=} e((Q_c + h_1(Q_c) \cdot HID_A), Q_{pub})$
$e((Q_c + h_1(Q_c) \cdot HID_A), Q_{pub}) = e((N_c \cdot Q + h_1(Q_c) \cdot HID_A), s \cdot Q)$
$= e((N_c \cdot Q + h_1(Q_c) \cdot HID_A), Q)^s$
$= e((N_c \cdot s \cdot Q + h_1(Q_c) \cdot s \cdot HID_A), Q)$
$= e((N_c \cdot Q_{pub} + h_1(Q_c) \cdot d_{ID_A}), Q)$
$\neq e(T_c, Q) = e((N_c \cdot Q_{pub} + h_1(Q_c) \cdot d_{ID_c}), Q)$
Therefore, the attacker should have the secret key $s$ to make the private identity $d_{ID_c}$ for forging the legal identity. But the secret key $s$ is kept secret by the LO and LPC.
Second, the selected lottery number $Num_A$ should be checked as follows:
$V_1 = x[R] \cdot Q_c + (s_c) \cdot R_c$
$= (x[R]) \cdot N_c \cdot Q + (r_c^{-1}(Num - N_c \cdot x[R]))(r_c \cdot Q)$
$= (x[R]) \cdot N_c \cdot Q + (Num - N_c \cdot x[R]) \cdot Q$
$= (Num) \cdot Q$
$\neq (Num_A) \cdot Q = V_2$
Thus, it cannot pass the verification, unless the attacker knows the nonce $N_c$. But nonce $N_c$ was generated by the coordinator and can never be disclosed.
4.3. Impersonation attack
Due to repeated forgery attempts (such as double claiming, without sharing with anyone else) taking place in lotteries, it
is important to be able to verify a participant’s identity. This study discusses three cases of attempted forgery that are
addressed by the proposed protocol.
Case 1: The attacker impersonates a legal coordinator.
The attacker uses the request message $(Q_c, T_c, HID_c, Num, R_c, s_c, t_c)$ to request a participant’s information. He/she can get the reply message $(Q_i, C_1)$ and use the nonce $N_c$ to generate the session key $CK_{c,i} = N_c \cdot Q_i$. However, an attack that extracts nonce $N_c$ is difficult to achieve because of the Elliptic Curve Discrete Log Problem (ECDLP) from $Q_c$. Therefore, the attacker cannot obtain the participant’s real identity $ID_i$.
Case 2: The attacker impersonates a legal participant.
If the LPC agrees to the purchase, it will generate shadow $SHK_i$ for every participant from $M_{buy}$ and send them to participants, respectively. Even if the attacker gets the messages $(RQ_{LPC}, ST_j, RV_i)$, he/she must have a private identity $d_{ID_c}$ to receive the shadow as follows:
$RV_i \oplus h_1(e(s \cdot HID_i, RQ_{LPC})) = RV_i \oplus h_1(e(HID_i, N_{LPC} \cdot Q)^s)$
$= RV_i \oplus h_1(e(HID_i, Q)^{s N_{LPC}})$
$= SHK_i \oplus h_1(e(HID_i, Q_{pub})^{N_{LPC}}) \oplus h_1(e(HID_i, s \cdot Q)^{N_{LPC}})$
$= SHK_i$
However, the private identity $d_{ID_c}$ and secret key $s$ can never be leaked, so it is impossible for an attacker to obtain the shadow $SHK_i$.
Case 3: The attacker impersonates a legal winning participant.
When a participant presents $SHK_i$ and Num to claim a prize, the LO will index by Num to find the corresponding $K_i$ and $T_{i,LO}$ in the database. The LO then checks the legality as follows:
$(T_{i,LO} \cdot T_i)/HID_i = (K_i^{SH_{i,LO}} \cdot K_i^{SHK_i})/HID_i$
$= (K_i^{f(H_{LO})(HID_i/(H_{LO} - HID_i))} \cdot K_i^{f(HID_i)(H_{LO}/(HID_i - H_{LO}))})/HID_i$
$= (K_i^{(c H_{LO} + SK_{LO})(HID_i/(H_{LO} - HID_i))} \cdot K_i^{(c HID_i + SK_{LO})(H_{LO}/(HID_i - H_{LO}))})/HID_i$
$= K_i^{(c H_{LO} HID_i + c HID_i H_{LO} + SK_{LO}(HID_i + H_{LO}))/(H_{LO} - HID_i)}/HID_i$
$= ((N_{LPC} \cdot HID_i)^{PK_{LO}})^{SK_{LO}}/HID_i$
$= N_{LPC} = N'_{LPC}$
If the participant is not a real winner, his/her identity will not be present in the database.
4.4. Anonymity issue
A participant’s ticket $TK_c$ is very important, so the proposed method encrypts this information into $C_2$ with his/her private identity $d_{ID_c}$ and then blends it into the lottery ticket purchase phase as follows:
$C_2 = E_{d_{ID_c}}((Q_c, V_{buy}), TK_c, timestamp_c, Num)$
In particular, the participant’s information $(ID_i, Q_i)$ is blended into $V_{buy}$ as follows:
$M_{buy} = (ID_1 \| ID_2 \| \ldots \| ID_m \| Q_1 \| Q_2 \| \ldots \| Q_m)$
$V_{buy} = M_{buy} \oplus h_1(e(HID_c, Q_{pub})^{N_c})$
Only the LO and LPC have the secret key $s$ to make the private identity $d_{ID_i}$, as follows:
$d_{ID_i} = s \cdot HID_i$
Thus participants’ identities are secret during the transactions.
4.5. Verifiability issue
In the winning number generation phase, the decryptor selects and publishes the winning number message
$(V'_1 \| V'_2 \| \ldots \| V'_6 \| M \| e_p \| d_p \| n_p)$. The participants can use the published parameters $(M \| e_p \| d_p \| n_p)$ to verify the published winning numbers $(wno_1, wno_2, \ldots, wno_6)$ as follows:
check $t_i^{e_p}(no_i) \bmod n_p \stackrel{?}{=} M_i$, for $i = 1$ to $k$
check $(M_j)^{d_p} t_j^{-1} \stackrel{?}{=} V'_j$, for $j = 1$ to $6$
check $(V'_j)^{e_p} \bmod n_p \stackrel{?}{=} wno_u$, for $j = 1$ to $6$
If anyone challenges the result of the winning numbers $(wno_1, wno_2, \ldots, wno_6)$, they can use the pseudo-random number
generation function PRG() with $M$ to generate the winning numbers again.
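The three checks above, as an added Python example (not code from the paper): it assumes every product is reduced mod $n_p$ and that the verifier also holds the blinding values $t_j$ and the candidate numbers $no_j$. The primes, sample numbers and function names are constructed for illustration.

```python
from math import gcd

# Toy RSA-style parameters, constructed for this example (far too small for real use).
P, Q = 1009, 1013
N_P = P * Q                              # n_p
E_P = 65537                              # e_p
D_P = pow(E_P, -1, (P - 1) * (Q - 1))    # d_p

def blind(no_i, t_i):
    """Fake number M_i = t_i^{e_p} * no_i mod n_p."""
    return (pow(t_i, E_P, N_P) * no_i) % N_P

def unblind(m_j, t_j):
    """V'_j = (M_j)^{d_p} * t_j^{-1} mod n_p."""
    return (pow(m_j, D_P, N_P) * pow(t_j, -1, N_P)) % N_P

def build_draw(numbers, blinders):
    """Constructed sample draw: one published record per winning number."""
    draw = []
    for no, t in zip(numbers, blinders):
        if gcd(t, N_P) != 1:             # t must be invertible mod n_p
            raise ValueError("blinding value not invertible")
        m = blind(no, t)
        draw.append({"no": no, "t": t, "M": m, "V": unblind(m, t), "wno": no})
    return draw

def verify_draw(draw, e_p, d_p, n_p):
    """Apply the three checks to every record; return the indices that fail."""
    failed = []
    for j, r in enumerate(draw):
        c1 = (pow(r["t"], e_p, n_p) * r["no"]) % n_p == r["M"]
        c2 = (pow(r["M"], d_p, n_p) * pow(r["t"], -1, n_p)) % n_p == r["V"]
        c3 = pow(r["V"], e_p, n_p) == r["wno"]
        if not (c1 and c2 and c3):
            failed.append(j)
    return failed

SAMPLE = build_draw([7, 13, 21, 34, 42, 48],
                    [12345, 23456, 34567, 45678, 56789, 67890])

if __name__ == "__main__":
    print("honest draw failures:", verify_draw(SAMPLE, E_P, D_P, N_P))
    altered = [dict(r) for r in SAMPLE]
    altered[2]["wno"] = 22               # a published winning number was changed
    print("altered draw failures:", verify_draw(altered, E_P, D_P, N_P))
```

Because $d_p$ is published together with $e_p$ and $n_p$, a parameter set can back one draw only, which is why Section 4.6 has the decryptor generate fresh parameters each time.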
4.6. Fairness issue
The lottery protocol should ensure an equal probability of winning the prize for every participant. The decryptor’s winning number generating function cannot be controlled or influenced by the LO or any participants. In the proposed protocol,
the untraceable and tamperproof decryptor is independent, despite being set up by the LO. When the LO sends the selected
numbers $no_i$ to the decryptor, the decryptor automatically generates a pair of parameters e/d for itself. Even if the decryptor
publishes the parameters after generating the winning numbers, the LO or participants will not be able to guess the parameters for the next generation. Because the decryptor uses the real random number function to generate parameters, the real
number has a corresponding random number $t_i$. For this reason, the real random numbers have a new fake number $M'$ for
every iteration by new parameters $(t_i, e_p, d_p, n_p)$. The queue is also different every time in the decryptor. Since no one can
predict the outcome, the winning number generation is fair.
4.7. Accuracy issue
If the LO distributes the winning prize, he/she should accurately know how many participants are engaged in the lottery.
In the purchase phase, the coordinator integrates participants’ information into purchase message $M_{buy}$; the LPC then follows
the message to generate shadows and the LO stores the purchase message in the database. When a participant claims a prize,
the LO will generate correlated shadow keys by the purchase message. If the participant is a legal winner, the LO checks:
$$N'_{LRC} \stackrel{?}{=} N_{LPC}$$
Moreover, the purchase message includes participants’ information. The LO can count the number of purchases in order to
determine which prize/s should be allocated to each winning participant.
5. Performance analysis
This section compares the proposed method with other methods in terms of security and computation costs to show the contribution of this paper. First, the security and function
analysis of the proposed protocol is compared with previous protocols in Table 1. From this it is clear that the proposed protocol can withstand attacks and satisfy the known requirements, while other protocols cannot. Chow et al.’s and Lee and
Chang’s protocols use only the pseudo-random function to generate winning numbers. These other protocols cannot, therefore, defend against known attacks. Moreover, they do not satisfy the fairness, accuracy and public verification
requirements in a mobile environment. Therefore, a participant in the proposed protocol can use his/her cell phone or mobile
device to simply and safely purchase lottery numbers by him/herself or jointly with other participants.
Subsequently, Table 2 summarizes the performance of the proposed protocol in terms of joint purchase, lottery ticket purchase, and prize claiming. This study defines some notations for the proposed protocol as follows:
$T_e$: the time taken to execute a bilinear map operation $e: G_1 \times G_1 \to G_2$.
$T_{mul}$: the time taken to execute a multiplication operation of point.
$T_{H1}$: the time taken to execute a one-way hash function $h_1()$.
$T_{H2}$: the time taken to execute a map-to-point hash function $h_2()$.
$T_{add}$: the time taken to execute an addition operation of points.
$T_{exp}$: the time taken to execute a modular exponentiation operation.
$T_{sym}$: the time taken to execute a symmetrical encryption/decryption operation.
$T_{XOR}$: the time taken to execute an XOR operation.
$T_{sign}$: the time taken to sign a signature.
$m$: the number of participants.
The time taken to execute a bilinear map operation $T_e$ is longer than other operations, with the exclusion of the time
taken to execute a symmetrical encryption/decryption operation $T_{sym}$. The simulation results
demonstrate that the lightweight operations $T_{add}$ and $T_{H1}$ are trivial in comparison with $T_e$, $T_{mul}$ and $T_{H2}$. The operation of the participant’s mobile device
is lightweight while the lottery proxy center and lottery originator are regarded as powerful devices.
Table 1
The security comparison of our protocol and related protocols.

| | Our protocol | Chow et al.’s protocol [8] | Lee and Chang protocol [9] |
|---|---|---|---|
| Against replay attack | Y | Y | Y |
| Against man-in-the-middle attack | Y | N | Y |
| Against impersonation attack | Y | N | Y |
| Against insider attack | Y | N | N |
| On-line system | Y | Y | Y |
| Anonymity | Y | Y | Y |
| Mutual authentication | Y | N | Y |
| Fairness | Y | N | N |
| Public verification | Y | N | N |
| Accuracy | Y | Y | N |
| Based on mobile environment | Y | N | N |
| Joint purchase | Y | N | N |
Table 2
The computation cost of the joint purchase and claim prize.
Joint purchase
Purchase lottery
Generate winning number
Claim prize
Participant
Coordinator
$2T_e + 6T_{mul} + 1T_{H1} + 2T_{add} + 1T_{sym}$
$3T_e + 1T_{mul} + 2T_{H1} + 1T_{add} + 1T_{XOR}$
$7T_{mul} + 1T_{H1} + 2T_{add} + 1T_{sym}$
$1T_e + 1T_{mul} + 1T_{H1} + 1T_{add} + 1T_{sym} + 1T_{XOR}$
LPC
LO
$(1 + m)T_e + (4 + 5m)T_{mul} + (2 + m)T_{H1} + (m)T_{H2} + (1 + 2m)T_{add} + (2m)T_{exp} + 1T_{sym} + (1 + 2m)T_{XOR}$
$mT_{exp}$
$6T_{exp}$
$1T_e + 4T_{mul} + 1T_{add} + 1T_{H1} + 1T_{sym} + 1T_{XOR}$
Decryptor
$(k + 6)T_{exp} + 6T_{mul}$
$1T_e + 2T_{mul} + 1T_{H1} + 1T_{H2} + 1T_{add} + 1T_{exp} + 1T_{sym} + 2T_{XOR} + 1T_{sign}$
In Table 2, it is seen that the participant plays a part in every phase, but his/her computation cost is not heavy. The coordinator joins the other participants’ information and purchases the lottery. However, his/her computation is similar to that of other
participants. The LO should maintain low computation to keep the system stable, even if the LO is a powerful server.
Obviously, the LPC has high computation cost; it must verify the coordinator’s identity, generate lottery numbers for every
participant and send participant information to the LO. This is necessary so that the proposed scheme can prevent the attacks
discussed above, and so that participants can claim their prizes. Based on the description above, the ticket purchase process
can be guaranteed by the proposed lottery ticket purchase protocol with low computation cost.
6. Conclusions
In general, lottery participants must purchase physical lottery tickets in stores. However, smart phones and mobile
devices have become very popular and powerful, and are capable of supporting secure mobile environments. This study
therefore proposes a fair and secure protocol allowing users to safely and fairly purchase lottery tickets by smart phone.
Since ECC is easily implemented in mobile devices, a joint e-lottery scheme is proposed. The proposed scheme can achieve
security and particular requests as follows:
Support e-lottery activity.
Public verification.
Fairness.
Defend against known attacks.
Mutual authentication.
In the proposed scheme, even if the coordinator wishes to pocket prizes without sharing with anyone else, they will fail.
This is because winning participants can claim prizes independently, even if the coordinator misappropriates the prize.
Furthermore, the fairness of the winning number is ensured by the use of an untraceable and tamperproof decryptor with
a real random number generation function. It can also provide public verification by a pseudo-random number generation
function.
Based on the performance analysis, the proposed lottery protocol can satisfy the fairness, accuracy, and public verification
requirements in a mobile environment. As a result, each mobile user can easily purchase lottery numbers using
their smart device. In addition, the proposed protocol can prevent the various malicious attacks discussed above with low
computation costs. Future research will investigate participant commissions join other brokers to claim prizes in a mobile
environment.
Acknowledgements
This research was supported by the Ministry of Science and Technology, Taiwan, ROC, under contract number MOST
103-2221-E-324 -023, MOST 103-2622-E-212-009 -CC2, MOST103-2632-E-324-001-MY3 and MOT 104-2221-E-324-012.
References
[1] California State Lottery Home Page. <http://www.calottery.com/default.htm> [access available on 07.05.15].
[2] Mega millions Official Home. <http://www.megamillions.com/> [access available on 07.05.15].
[3] Powerball-Home page. <http:/www.powerball.com/> [access available on 07.05.15].
[4] Mahmood Anzar, Javaid Nadeem, Razzaq Sohail. A review of wireless communications for smart grid. Renew Sustain Energy Rev 2015(41):248–60.
[5] Daghighi Babak, Kiah Miss Laiha Mat, Shamshirband Shahaboddin, Rehman Muhammad Habib Ur. Toward secure group communication in wireless
mobile environments: issues, solutions, and challenges. J Network Comput Appl 2015(50):1–14.
[6] Chen Y-L, Cheng C-M. Combining a chaos system with an Arnold cat map for a secure authentication scheme in wireless communication networks. Eng
Comput 2014(31):317–30.
[7] Pietro R-D, Guarino S, Verde N-V, Domingo-Ferrer J. Security in wireless ad-hoc networks–a survey. Comput Commun 2014(51):1–20.
[8] Chow S-S-M, Hui L-C-K, Yiu S-M, Chow K-P. An e-lottery scheme using verifiable random function. Lect Notes Comput Sci 2005;3428:651–60.
[9] Lee J-S, Chang C-C. Design of electronic t-out-of-n lotteries on the Internet. Comput Stand Inter 2009;31(2):395–400.
[10] Wu H-H. Testing of the randomness of the lottery winning numbers and the signed lottery. Institute of Statistics National University of Kaohsiung,
Master thesis; July 2005.
[11] Chen C-L, Liao Y-H, Tsaur W-J. A secure and fair joint e-lottery protocol. Sci World J 2014;2014:14. http://dx.doi.org/10.1155/2014/139435. Article ID
139435, <http://www.hindawi.com/journals/tswj/2014/139435/>.
[12] Wu T-Y, Tseng Y-M. An efficient user authentication and key exchange protocol for mobile client–server environment. Comput Netw
2010;54(9):1520–30.
[13] Yang J-H, Chang C-C. An efficient three-party authenticated key exchange protocol using elliptic curve cryptography for mobile-commerce
environments. J Syst Softw 2009;82(9):1497–502.
[14] Buchmann J-A. Introduction to cryptography, second ed.; 2003.
[15] Liaw H-T. A secure electronic voting protocol for general elections. Comput Secur 2004;23(2):107–19.
[16] Boneh D, Franklin M. Identity-based encryption from the Weil pairing. Adv Cryptology 2001;2139:213–29.
[17] Koblitz N. Elliptic curve cryptosystem. Math Comput 1987;48:203–9.
[18] Okamoto E, Okamoto T. Cryptosystems based on pairing over elliptic curve pairing. Lect Notes Comput Sci 2005;3558:1–4.
[19] Sakai R, Kasahara M. ID-based cryptosystems with pairing on elliptic curve, Cryptology ePrint Archive (2003), Report 2003/54. <http:/eprint.iacr.org/
2003/054.pdf> [access available on 25.0814].
[20] Sakai R, Ohgishi K, Kasahara M. Cryptosystems based on pairing. In: Proceedings of the 2000 symposium on cryptography and information security.
Okinawa 2000-C20; 2000.
[21] Sarkar P. Domain extender for collision resistant hash functions: improving upon Merkle–Damgard iteration. Discrete Appl Math 2009;157:1086–97.
[22] Quantum Random Bit Generator Service. <http://random.irb.hr/> [access available on 25.08.14].
[23] RSA-Home. <http://www.thersa.org/> [access available on 07.05.15].
Chin-Ling Chen was born in Taiwan in 1961. He received his B.Sc. degree in Computer Science and Engineering from Feng Cha University in 1991, and his
M.Sc. and Ph.D. degrees in Applied Mathematics at National Chung Hsing University, Taichung, Taiwan, in 1999 and 2005, respectively. He is a member of
the Chinese Association for Information Security. From 1979 to 2005, he was a senior engineer at Chunghwa Telecom Co., Ltd. He is currently a professor in
the Department of Computer Science and Information Engineering at Chaoyang University of Technology, Taiwan. His research interests include cryptography, network security and electronic commerce. Dr. Chen has published over 60 articles on the above research fields in SCI/SSCI international journals.
Mao-Lun Chiang received his M.S. degree in Information Management from Chaoyang University of Technology, and his Ph.D. degree from the Department
of Computer Science of National Chung-Hsing University, Taiwan. He is an assistant professor in the Department of Information and Communication
Engineering at the Chaoyang University of Technology, Taiwan. His current research interests include Ad Hoc network, mobile computing, distributed data
processing, fault tolerant computing, and cloud computing.
Wei-Chech Lin was born in Taiwan in 1985. He received his B.S. degree in Computer Science and Information Engineering from DAYEH University,
Changhuam, Taiwan. He received his M.S. degree from the Department of Computer Science and Information, Chaoyang University of Technology in 2010.
His research interests include cryptography and electronic commerce.
De-Kui Li was born in 1979. He received his M.S., and Ph.D. degrees in Management Information Systems from Kwangwoon University, Seoul, South Korea,
in 2012. His research interests include business intelligence and data mining.