The Scientific World Journal

Volume 2014, Article ID 139435, 14 pages

http://dx.doi.org/10.1155/2014/139435

## A Secure and Fair Joint E-Lottery Protocol

^{1}Department of Computer Science and Information Engineering, Chaoyang University of Technology, Taichung 41349, Taiwan

^{2}Department of Information Management, Da-Yeh University, Changhua 51591, Taiwan

Received 23 January 2014; Accepted 3 March 2014; Published 30 April 2014

Academic Editors: M. Ivanovic and F. Yu

Copyright © 2014 Chin-Ling Chen et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

#### Abstract

The attractive huge prize causes people to adore lotteries. Due to the very small probability of winning prizes, the players can enhance their probability of winning by using the method of joint purchase. In spite of many lottery schemes having been proposed, most e-lottery schemes focus on the players’ privacy or computation overhead rather than support a joint purchase protocol on the Internet. In this paper, we use the multisignature and verifiable random function to construct a secure and fair joint e-lottery scheme. The players can check the lottery integrity, and the winning numbers can be verified publicly.

#### 1. Introduction

Gambling has the property of nonpredictability and attractive prizes. Players have the chance to obtain a huge prize but of course they cannot predict who the winner will be. Hence, gambling is very fascinating for many people, and the lottery is one kind of popular gambling [1–3]. The players must select their favorite numbers and pay money to purchase lottery tickets. After the deadline of the purchasing phase, the lottery organization (LO) randomly generates the winning numbers. If no one wins the lottery, the prize money will accumulate for the next round. The attractive huge prizes are an extremely powerful factor causing people to purchase lottery tickets and the main reason the lottery remains popular among players.

In past years, many lottery schemes were proposed. In 2006, Chow et al. [4] proposed practical electronic lotteries with an offline trusted third party (TTP); their scheme can satisfy all of the identified requirements without the presence of TTP for generating the winning numbers; the result of this generation is publicly verifiable.

Next, Lee and Chang [5] proposed an electronic -out-of- lottery on the Internet in 2009. The scheme is based on the Chinese Remainder Theorem that allows lottery players to simultaneously select out of numbers in a ticket without iterative selection. The drawback of this scheme is that the computation overhead of players in purchasing lotteries is too heavy.

In the same year, Lee et al. [6] proposed noniterative privacy preservation for online lotteries. This scheme not only allows players to choose -out-of- numbers in lotteries without iterative selection but also preserves the privacy of players’ choices. Nevertheless, the computation overhead in purchasing lotteries is still heavy for the player who accesses the Internet with mobile or wireless devices.

In an overview of the above schemes, we find that the majority of the schemes focus on the players’ privacy or computation overhead but cannot support a joint purchase protocol on the Internet.

Due to the probability of winning prize being very small [7], the players can employ two strategies of purchase to enhance the probability of winning prizes as follows.

(i) The player invites other players to collect more cash, and then the player purchases the sequential numbers to increase the probability of obtaining a prize.

(ii) The player pays a small amount of money to purchase the lotteries in cooperation with other players.

To the best of our knowledge, there exist only two websites, called “e-Lottery Syndicates” [8] and “Myleto” [9], which provide a trading platform (TP) for purchases and a proxy purchase service. The difference between the above websites is that the former provides individual purchases while the latter provides joint purchases. Since our scheme focuses on joint purchases, we chose “Myleto” to discuss joint purchases.

The process for joint purchase in “Myleto” enables the players to bet their favorite numbers by using the “Myleto,” and then “Myleto” counts the preferred numbers of players to generate the popular numbers after the deadline of purchase phase. Then, “Myleto” takes the popular numbers to purchase the lottery for the trusted lottery organization (LO). Finally, LO generates the winning numbers and publishes them on the bulletin board. Then “Myleto” distributes the different prizes to the winning players according to the numbers they bet.

Even if the solution for the joint purchase lottery exists, according to our observations some drawbacks remain.

(1) From the user’s viewpoint, the risks are as follows:

(i) if the joint purchase players win the first prize, the person receiving the award has a chance to abscond with the funds;

(ii) the player’s lottery purchase evidence depends on the picture at the time of purchase and the credit card transaction receipt. However, the former lacks credibility because it is easy to fake, and the latter lacks immediacy since the credit card transaction receipt adopts a monthly settlement;

(iii) if the player’s purchase information is lost or the TP refuses to give out the prize, the player cannot proffer strong evidence to prove the winner is himself/herself.

(2) From the TP’s viewpoint, the risk is as follows:

(i) if a malicious player forges a picture and a credit card transaction receipt to claim the prize, the TP will find it hard to recognize whether the prize claim evidence is true or false.

At present, we have seen that the current TP of joint purchase exhibits some drawbacks, so determining how to implement a fair and secure joint purchase e-lottery protocol is still an open issue.

Hence, we propose a fair and secure joint e-lottery protocol to guarantee the rights and interests of the players and TP. Simultaneously, our proposed protocol also supports individual purchases.

The proposed scheme must be able to achieve the following requirements [4–6] such that the proposed scheme can be applied in actual practice.

(1) *Public Verification*. All the valid lottery tickets and the winning numbers must be verified via a verifiable random function.

(2) *Fairness*. No one can predict the winning result before the winning numbers are published.

(3) *Security*. No one can forge a winning lottery or impersonate a lottery winner to claim the prize.

(4) *Correctness*. The players can verify the public information of the bulletin board by themselves.

(5) *Anonymity*. Including lottery agents, no one can identify the participants by the lottery ticket.

(6) *Convenience*. The legitimate players should be able to purchase lottery via Internet.

(7) *Without Preregistration*. Players need not register at any lottery agent or drawing center in advance, as registration in advance is unnecessary; this requirement should conform to an electronic lottery to make it more realistic.

(8) *No Online Trusted Third Party (TTP)*. An electronic lottery is said to be impractical if the security of the entire mechanism depends on an online trusted third party.

(9) *Participants’ Legality*. The scenario of the joint e-lottery scheme should ensure the participants’ legality via a multisignature.

(10) *Support Joint and Individual E-Lottery Service*. The protocol must support joint and individual e-lottery service, respectively.

The remainder of this paper is organized to describe and analyze our joint e-lottery scheme as follows. Section 2 introduces related cryptographic techniques used in our scheme. Section 3 presents our proposed protocol, and the security requirements are analyzed in Section 4. Our conclusions are presented in the final section.

#### 2. Preliminaries

In this section, we introduce three cryptographic techniques used in our scheme: a verifiable random function, an identity-based signature scheme, and an efficient identity-based RSA multisignature scheme.

##### 2.1. Verifiable Random Function

A verifiable random function (VRF) was first proposed by Micali et al. [10]. Essentially, it is a pseudorandom function [11] providing noninteractively verifiable proof of the output’s correctness. Therefore, the above properties of VRF are suitable for our scheme.

On the basis of the notation in [12], a set of functions is a verifiable function; suppose there exist polynomial-time algorithms such that

(1) is a probabilistic algorithm to generate a secret key SK that is generated by a random function and the corresponding public key PK that enables public verification;

(2) is an algorithm that computes the VRF’s output ;

(3) is an algorithm that computes the proof that ;

(4) is an algorithm that verifies ;

(5) the VRF should satisfy the following properties.

(6) uniqueness: where ;

(7) computability: is efficiently computable;

(8) provability: , Prove (SK, )) and ;

(9) pseudorandomness: the probability that an attacker can input any bit of for his/her choice is negligible even if she/he has seen the values of many given .

##### 2.2. Review of Shamir’s Identity-Based Signature Scheme

In 1985, in order to simplify the public key authentication problem, Shamir [13] first offered the concept of an identity-based (ID-based) cryptosystem. In this system, each signer needs to register with a private key generator (PKG) and identify himself/herself before accessing the network resource. Once the registration is completed, the PKG will use the signer’s identity to generate the secret key. The signer’s identity may include the signer’s name, email, and address. The advantage of this scheme is that there is no need for a public key directory in the system. The communicating parties only need to know the “identity” of their communication partner and the public key of the PKG to verify a signature or send an encrypted message.

We first introduce the notations used to explain how Shamir’s scheme was constructed:

: a pair of large prime numbers; : a large number, where , , and is Euler’s totient function; : ’s public and private key, respectively, where ; : a one way hash function; : a message; : comparing whether or not is equal to .

###### 2.2.1. Private Key Generator (PKG) Keys

The private key generator (PKG) chooses its public and private key pair as follows.

*Step 1. *Run the probabilistic polynomial algorithm to generate two random large primes, and .

*Step 2. *Choose a random public key such that and compute the private key .

###### 2.2.2. Signer Secret Key Generation

In this algorithm, the signer gets a copy of his/her secret key from the PKG through a two-step process.

*Step 1. *A signer submits his/her identity to the PKG.

*Step 2. *The PKG uses its private key to sign the signer’s identity by generating the secret key such that .

###### 2.2.3. Message Signing

To sign a message , the signer with the secret key and the corresponding public key of the PKG signs a message by generating a signature pair as follows.

*Step 1. *Select a random number and compute

*Step 2. *For the same random number , compute
is the complete signature of the message .

###### 2.2.4. Message Verification

The identity-based signature of a signer with identity is valid if and only if the following equality holds:

##### 2.3. Review of Harn’s Efficient Identity-Based RSA Multisignatures Scheme

In 2008, Harn and Ren [14] first proposed a digital signature of a message generated by multiple signers with multiple private keys based on Shamir’s identity-based signature (IBS) scheme. This was the first efficient identity-based RSA multisignature scheme with both fixed length and verification time. Harn and Ren’s scheme is secure against forgeries under chosen-message attack, against multisigner collusion attack, and adaptive chosen-identity attack.

###### 2.3.1. Private Key Generator (PKG) Keys

The PKG chooses its public and private key pairs as follows.

*Step 1. *Run the probabilistic polynomial algorithm to generate two random large primes, and .

*Step 2. *Choose a random public key such that and compute the private key .

###### 2.3.2. Signer Secret Key Generation

In this algorithm, the signer gets a copy of his/her secret key from the PKG through a two-step process.

*Step 1. *A signer submits his/her identity to the PKG.

*Step 2. *The PKG uses its private key to sign the message digest of the identity to generate the secret key , such that . No one will be able to distinguish between the identity and its message digest .

###### 2.3.3. Message Signing

To generate an identity-based multisignature, each signer carries out the following steps.

*Step 1. *Choose a random integer and compute .

*Step 2. *Broadcast to other signers.

*Step 3. *Upon receiving of . each signer computes

*Step 4. *Broadcast to all signers.

*Step 5. *After receiving of . the multisignatures component can be computed as
The multisignature for message is .

###### 2.3.4. Multisignature Verification

To verify a multisignature of a message of signers whose identities are , anyone can verify the correctness as follows:
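The two signing rounds of Section 2.3.3 and the check of Section 2.3.4, as an added Python example (not code from the paper). It uses the commonly stated form of the Harn and Ren equations; the variable names, the toy modulus, SHA-256 as the hash and the pseudo-identity strings are assumptions of the example, and with a single signer it reduces to a Shamir-style signature (Section 2.2) over the identity digest.

```python
import hashlib
import secrets
from math import prod

# Toy PKG key (constructed for this example): two Mersenne primes, far too
# small for real use; a deployment needs a modulus of at least 2048 bits.
P, Q = 2**61 - 1, 2**89 - 1
N = P * Q
E = 65537                              # PKG public exponent
D = pow(E, -1, (P - 1) * (Q - 1))      # PKG private exponent
N_BYTES = (N.bit_length() + 7) // 8


def h_int(*parts: bytes) -> int:
    """SHA-256 over length-prefixed parts, returned as an integer."""
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return int.from_bytes(h.digest(), "big")


def id_digest(identity: str) -> int:
    """Message digest of an identity, reduced modulo n."""
    return h_int(identity.encode()) % N


def extract_key(identity: str) -> int:
    """PKG side: secret key g with g^e = H(ID) mod n."""
    return pow(id_digest(identity), D, N)


def challenge(t: int, message: bytes) -> int:
    """Exponent H(t, m) shared by all signers and by the verifier."""
    return h_int(t.to_bytes(N_BYTES, "big"), message)


class Signer:
    def __init__(self, identity: str, secret_key: int):
        self.identity, self._g, self._r = identity, secret_key, None

    def commit(self) -> int:
        """Round 1: pick a fresh r_i and broadcast t_i = r_i^e mod n."""
        self._r = secrets.randbelow(N - 2) + 2
        return pow(self._r, E, N)

    def respond(self, t: int, message: bytes) -> int:
        """Round 2: s_i = g_i * r_i^H(t, m) mod n. r_i is single-use:
        answering two challenges with the same r_i can expose g_i."""
        if self._r is None:
            raise RuntimeError("commit() must be called before each respond()")
        r, self._r = self._r, None
        return self._g * pow(r, challenge(t, message), N) % N


def multisign(signers, message: bytes):
    """Run both rounds locally and combine: t = prod t_i, s = prod s_i."""
    t = prod(s.commit() for s in signers) % N
    s = prod(x.respond(t, message) for x in signers) % N
    return t, s


def verify(identities, message: bytes, signature) -> bool:
    """Accept iff s^e = (prod H(ID_i)) * t^H(t, m) mod n."""
    t, s = signature
    if not (0 < t < N and 0 < s < N):
        return False
    ids = prod(id_digest(i) for i in identities) % N
    return pow(s, E, N) == ids * pow(t, challenge(t, message), N) % N


def demo():
    # Constructed sample: TP and LO jointly sign one lottery ticket.
    ids = ["pseudo-id-TP", "pseudo-id-LO"]
    signers = [Signer(i, extract_key(i)) for i in ids]
    ticket = b"Num=3,11,27;chain=constructed"
    sig = multisign(signers, ticket)
    return {
        "valid": verify(ids, ticket, sig),
        "altered_ticket": verify(ids, b"Num=3,11,40;chain=constructed", sig),
        "missing_signer": verify(ids[:1], ticket, sig),
    }


if __name__ == "__main__":
    print(demo())
```

The signature stays two integers modulo n however many parties sign, and the verifier performs the same two exponentiations plus one product over the identity digests.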

#### 3. The Proposed Joint E-Lottery Protocol

The structure of our scheme is illustrated in Figure 1.

There are four participants involved in the proposed e-lottery scheme.

(1) *Private Key Generator (PKG)*. The off-line trusted third party which generates private keys for all participants.

(2) *Player (P)*. The player is a participant in the lottery gamble.

(3) *Trading Platform (TP)*. The trading platform is a website through which players join the e-lottery game.

(4) *Lottery Originator (LO)*. The LO issues the lotteries, generates the winning numbers to sell lotteries to gain revenue, and gives out the prizes.

*Step 1. *P, TP, LO → PKG: all participants must register to PKG to acquire their private key with his/her pseudoidentity.

*Step 2. *P → TP: the players bet their favorite numbers to the TP.

*Step 3. *TP → LO: the TP gathers the statistics on the betting numbers to generate the majority of popular numbers and then purchases the popular numbers with the LO.

*Step 4. *LO → P: the LO issues lotteries to the players.

*Step 5. *P → LO: after the winning numbers are announced, the winning players use their winning lotteries and private keys to claim the prizes won.

The following notations are used in our protocol:

: the favorite numbers of the th player; : the published hash chain set of the valid random seed generated by player, which is involved in generating the winning number, where chain_{0} is the initial vector; the , , , and ; : the th ciphertext; : the identity-based signature of message ; : the request message; : the message digest of the th player’s identity; PL: the purchased list, where ; : one way hash function [15]; : the random number is selected by ; : the hash value, where ; : the session key between the and which is constructed by IETF [16, 17]; : an encryption function which uses the session key to encrypt the message ; : a decryption function which uses the session key to decrypt the ciphertext .

##### 3.1. Constructing the Session Key Model

Diffie and Hellman proposed a key agreement protocol [18] in 1978. The RFC 2631 was drawn up for the key agreement protocol in 1999 by the IETF. Therefore, we use the RFC 2631 protocol to construct the session keys. The session keys are used in our protocol in three situations. First, when the purchase is individual, the player must share the session key to protect his/her favorite numbers. Second, the TP and LO jointly sign the multisignature; they must share a common secret key to encrypt the signature. Third, the LO issues the lotteries to players, and the winning players send the claim prize message to the LO; they must also share a session key to encrypt or decrypt the messages.

##### 3.2. The Initialization Phase

In this phase, the PKG performs the keys generating function to generate the public and private keys. On the other hand, the LO performs the VRF to generate the related functions and then publishes it.

*Step 1. *The PKG selects a random number and then performs to generate the public and private .

*Step 2. *The LO performs the VRF to generate the related functions that include , and .

##### 3.3. The Registration Phase

In this phase, all of the roles submit their identities to the PKG to become legal participants. Notably, the players must submit their identities (including the players’ name, email, and addresses) and a random number to PKG and then PKG signs the message digest of the identity by its and .

The PKG computes the participants’ private keys with its as in the following equations:

After that, the PKG publishes ID_{TP} and ID_{LO} on the bulletin board.

##### 3.4. The Players Bet for Lottery Numbers Phase

In this phase, the players can bet their favorite numbers via the TP and then the TP publishes the purchase information on the bulletin board. When this phase is finished, the TP will send bulletin board information to the LO. According to the received information, the LO publishes the winning numbers. Moreover, players, TP, and LO can use the published bulletin board information to check whether or not the following three information items are correct.

(1) The players’ purchased lotteries are included in the hash chain.

(2) The players’ bet numbers are valid or not.

(3) The players are legal or not.

The individual purchase is also included in the hash chain and the purchased information (including identity information, hash chain value, and hash value of the random number) is also published on the bulletin board, except for the selected favorite numbers.

The players bet for lottery numbers phase is illustrated in Figure 2, and the bulletin board information is illustrated in Table 1.

If anyone questions the players’ legality then they can use the signature of the players’ identity of the bulletin board to verify the legality of the players by

*Step 1. *If the purchase is individual then the player must compute session key (refer to Section 3.1), using it to protect the individual’s favorite number as follows:
The individual and joint purchases are both required to process (11)–(15).

Then, the th player selects a random number to compute The uses his/her private key to compute Here, we denote the signature as follows: Finally, the uses his/her private key to sign his/her identity as follows: We denote the signature as follows: The difference between the multisignature and is that the former is published on the bulletin board and all participants can use it to verify the player’s legality, while the latter is used to achieve the message nonrepudiation for the TP.

Afterward, if the purchase is individual then the request message , signature , and related parameters are sent to the TP.

If the purchase is joint, the request message , signature , and related parameters are sent to the TP.

*Step 2. *After receiving the message, if it comes from individual purchase then the TP must decrypt the ciphertext to obtain and then the following procedures are processed for individual and joint purchases.

First, the TP checks the validity of signature as follows:
The TP links into the hash chain as follows:
Next, the TP selects a random number to compute
Here, we denote the signature of as follows:
Finally, TP sends signature to the .

*Step 3. *After receiving , checks the validity of signature as follows:
If the signature is invalid, then the terminates the transaction.

##### 3.5. The Purchase Phase

After the purchase deadline, the TP gathers the statistics on numbers to generate the popular numbers. Subsequently, the TP sends the purchase message that includes purchase list and the partial signature to the LO. Note that the lottery’s numbers of individual purchase are determined by individual buyers rather than through counting by TP; individual purchase is the same as joint purchase.

(1) The individual purchase is included in the purchase list.

(2) The TP also computes the partial signature for individual purchase.

The overview of the purchase phase is illustrated in Figure 3.

*Step 1. *After the purchase deadline, the TP counts the preferred numbers of all of the players to generate the popular numbers Num; then the TP selects a random number to compute the partial signature and as follows:
Here, we denote the signature of Num as follows:
Finally, the TP sends the request message , signature , and the popular numbers Num to the LO.

*Step 2. *Before receiving the message , the LO checks the signature validity as follows:
Subsequently, the LO selects random number to compute
LO uses the partial signature of the TP and LO to compute as follows:
The TP and LO construct the session key and then encrypt the partial signature as follows:
The LO uses the private key to compute the partial signature of as follows:
Here, we denote the signature of as
Finally, the LO sends to TP.

*Step 3. *After receiving , the TP checks the validity of signature as follows:
The TP uses the session key to decrypt the cipher text as follows:
According to the purchased list PL, the TP uses its private key to compute the partial multisignatures of the player’s lottery as in (31) as follows:
To protect the message, the TP uses the session key to encrypt parameters as follows:
The TP uses its private key to compute the partial signature of as
Here, we denote the signature of as follows:
Afterward, the TP sends the request message , signature and cipher message to the LO.

*Step 4. *Once receiving the message , the LO checks the signature validity as follows:
The LO uses its private key to decrypt the cipher text as follows:
According to the purchase list PL, the LO uses its private key to compute the partial multisignatures of all players as follows:
and then LO uses the partial multisignatures of and to compute
We denote the lottery as

##### 3.6. The Lottery Issue Phase

Upon receiving the purchase message, the LO issues the lotteries to all players (including the joint purchase and individual purchase) and then the players can apply the multisignature to verify the validity of the lottery. The lottery issue phase is illustrated in Figure 4.

*Step 1. *The LO and construct the session key and then encrypt the as follows:
Next, the LO selects random number to compute
and uses its private key to compute the partial signature as follows:
Here, we denote the signature of as follows:
Afterward, the LO sends the request message , signature , and ciphertext to .

*Step 2. *When receiving the message , checks the validity of signature as follows:
and then uses the session key to decrypt ciphertext as follows:
Finally, checks the validity of signature as follows:

##### 3.7. The Winning Numbers Generation and Verification Phase

After the lottery purchase deadline, the LO uses the function of winning numbers generation with the value of final hash chain to generate the winning numbers and then publishes it on the bulletin board. The overview of the winning numbers generation and verification phase is illustrated in Figure 5.

Simultaneously, if the players question whether or not the LO is honest, they can use the public verification function to verify the correctness of the winning numbers.

*Step 1. *The LO uses its private key and the value of final hash chain to calculate
Finally, the LO publishes the WinNum and on the bulletin board.

*Step 2. *After the winning numbers are published, any player can check the correctness of the winning numbers via the public verification function as follows:

##### 3.8. The Claim Prize Phase

After the winning numbers are published, the winner of th player can submit his/her winning lottery and the random number to claim the prize. Simultaneously, the LO publishes the winning lotteries, random number of winning player selected, and identity digest of winners on the bulletin board. If the other players suspect the legality of winning lottery, they can use the public verification function to verify it. The overview of the claim prize phase is illustrated in Figure 6.

*Step 1. *The and LO construct the session key . In order to claim the prize, the winning player presents the important evidences to prove his/her identity and then uses the session key to encrypt that evidence as follows:
Next, the computes as
and uses its private key to compute the partial signature as follows:
Here, we denote the signature of as follows:
Afterward, sends the request message , signature , and ciphertext to LO.

*Step 2. *Once receiving message , the LO checks the signature validity as follows:
and then uses the session key to decrypt the cipher message as follows:
If (53) holds, and then computes as follows
Finally, the LO uses the multisignature to verify the correctness of winning lottery as

#### 4. Analysis

Here, we use many kinds of scenarios to analyze the proposed joint electronic lottery scheme and to verify whether or not it achieves the requirements. In order to simplify the explanation, suppose there exists an intruder *Eve* in the network system and she is capable of eavesdropping communications between the TP, LO, and players.

##### 4.1. Public Verification

All the valid lotteries and the winning numbers must be verified via a verifiable random function.

*Scenario 1*. Suppose that any player suspects the correctness of winning numbers.

*Proof. *The one suspecting can verify the correctness of the winning numbers by (48).

*Scenario 2*. Suppose that any player suspects the correctness of winning lotteries.

*Proof. *The one suspecting can use the related parameters (including random number of the winning player selected , the winning numbers WinNum, and the winning lottery ) and (56) to verify the correctness of winning lotteries. The verification equation is as in (56), where .

The derivation of the verification is shown as follows:
Because the multisignature of the winning numbers is valid, the winning lottery is correct.

##### 4.2. Fairness

No one can predict the winning result before the LO publishes the winning numbers.

*Scenario 3*. If a player wants to predict or bias the winning result, he or she will fail.

*Proof. *Since each purchasing behavior is random and occasional, the final value of hash chain is contributed by all of the lotteries. Hence, no one can learn the final value of the hash chain .

##### 4.3. Security

No one can forge winning lotteries or impersonate lottery winners to claim their prize.

*Scenario 4*. If *Eve* tries to forge a winning lottery to claim the prize, she will fail.

*Proof. *In reviewing the purchase phase, the TP and LO used their private keys and to sign the lotteries. On the other hand, if *Eve* wants to fake the winning lottery, she must forge their private keys, respectively. In fact, she must solve the factorization problem in RSA cryptosystems [19].

*Scenario 5*. If *Eve* tries to forge a winning player, she will fail.

*Proof. *In the prize claim phase, the lottery winner must submit his/her digest , random number and (where ) to prove his/her identity. If *Eve* uses the fake random number to claim the prize, then LO can perceive the attempt via the following equation:

On the other hand, if *Eve* wants to impersonate a winning player, she must find the . In fact, based on the secure one way hash function, it is computationally infeasible to obtain from .

##### 4.4. Correctness

The players can verify the public information via the bulletin board by themselves.

*Scenario 6*. The one suspecting questions

(1) the correctness of the player who bet numbers ,

(2) the correctness of the value of final hash chain ,

(3) the correctness of popular numbers Num.

*Proof. *The one suspecting can use the published bulletin board information to verify the , Num, and as

(1) the players can check whether the bet numbers are equal to the public information ;

(2) they can recalculate all bet numbers of players to determine whether the popular numbers Num is equal to the recalculated value;

(3) finally, the players can verify the validity of the value of final hash chain by using the public function hash chain as follows:
where is the number of the sold lottery tickets so far.
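The bulletin-board checks of Scenario 6 together with the random-number check of Scenario 5, as an added Python example (not the paper's code). The chaining rule (each chain value is the hash of the previous value and the entry), SHA-256, the entry layout, the top-k counting rule for Num and all sample values are assumptions of the example.

```python
import hashlib
import hmac
from collections import Counter
from dataclasses import dataclass, replace


def H(*parts: bytes) -> bytes:
    """SHA-256 over length-prefixed parts."""
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return h.digest()


@dataclass(frozen=True)
class Entry:
    id_digest: bytes    # digest of the player's identity
    numbers: tuple      # bet numbers as published on the board
    rand_commit: bytes  # hash of the player's random number
    chain: bytes        # chain value published after linking this entry


def link(prev: bytes, id_digest: bytes, numbers: tuple, rand_commit: bytes) -> bytes:
    """Assumed chaining rule: hash of previous chain value and the entry."""
    encoded = ",".join(str(n) for n in numbers).encode()
    return H(prev, id_digest, encoded, rand_commit)


def publish(chain0: bytes, bets):
    """TP side: bets is a list of (identity, numbers, random number)."""
    board, prev = [], chain0
    for identity, numbers, rand in bets:
        idd, commit = H(identity), H(rand)
        prev = link(prev, idd, tuple(numbers), commit)
        board.append(Entry(idd, tuple(numbers), commit, prev))
    return board


def audit_chain(chain0: bytes, board, published_final: bytes) -> int:
    """Return -1 if the board is consistent, the index of the first entry
    that does not link, or len(board) if the recomputed final value differs
    from the one published alongside the winning numbers."""
    prev = chain0
    for i, e in enumerate(board):
        expected = link(prev, e.id_digest, e.numbers, e.rand_commit)
        if not hmac.compare_digest(expected, e.chain):
            return i
        prev = e.chain
    return -1 if hmac.compare_digest(prev, published_final) else len(board)


def popular_numbers(board, k: int):
    """Recount Num: the k most frequent numbers, ties broken by value."""
    counts = Counter(n for e in board for n in e.numbers)
    ranked = sorted(counts, key=lambda n: (-counts[n], n))
    return sorted(ranked[:k])


def check_claim(board, index: int, id_digest: bytes, rand: bytes) -> bool:
    """LO side: the claimed random number must open the published hash."""
    e = board[index]
    return (hmac.compare_digest(e.id_digest, id_digest)
            and hmac.compare_digest(e.rand_commit, H(rand)))


# Constructed sample data.
CHAIN0 = H(b"constructed initial vector")
BETS = [
    (b"pseudo-id-P1", (3, 11, 27), b"r1-constructed"),
    (b"pseudo-id-P2", (3, 11, 40), b"r2-constructed"),
    (b"pseudo-id-P3", (3, 27, 40), b"r3-constructed"),
]


def demo():
    board = publish(CHAIN0, BETS)
    final = board[-1].chain
    # One entry edited in place: its stored chain value no longer matches.
    edited = list(board)
    edited[1] = replace(board[1], numbers=(3, 11, 27))
    # Whole board rebuilt after the edit: every link holds, final differs.
    rebuilt = publish(CHAIN0, [BETS[0], (BETS[1][0], (3, 11, 27), BETS[1][2]), BETS[2]])
    return {
        "honest": audit_chain(CHAIN0, board, final),
        "edited": audit_chain(CHAIN0, edited, final),
        "rebuilt": audit_chain(CHAIN0, rebuilt, final),
        "num": popular_numbers(board, 3),
        "claim_ok": check_claim(board, 0, H(b"pseudo-id-P1"), b"r1-constructed"),
        "claim_forged": check_claim(board, 0, H(b"pseudo-id-P1"), b"guess"),
    }


if __name__ == "__main__":
    print(demo())
```

The rebuilt case shows why the final chain value has to be fixed publicly before the winning numbers are derived from it: a board whose links all hold can still differ from the one the draw was based on.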

##### 4.5. Anonymity

Including the TP and LO, no one can identify the player from the lottery.

*Scenario 7*. If *Eve* tries to distinguish between the message digest and the real identity of a player, she will fail.

*Proof. *In the registration phase, the players submit their personal information to the PKG and then PKG generates a message digest with personal information as (players’ personal information).

The message digest is a well-known cryptographic assumption: the secure one way hash function has properties such that given a message , it is easy to compute . On the other hand, it is computationally infeasible to obtain from . And given , it is infeasible to find to let . Hence *Eve* cannot find the real identity of the player from .

##### 4.6. Convenience

Players are able to purchase lottery tickets if they can access the Internet. Clearly, the proposed joint e-lottery mechanism can achieve this requirement as indicated in the players betting for lottery numbers phase.

##### 4.7. Without Preregistration

Players need not register at any lottery organizations in advance. In our scheme, the players need not register at any lottery organizations except for the PKG. In fact, if the players want to join other ID-based applications, the players still need to register to PKG for any PKI applications.

##### 4.8. No Online Trusted Third Party

The proposed joint e-lottery mechanism does not require an online TTP.

In our scheme, no online TTP is used to participate in all of the transaction scenarios. Therefore, this requirement is completed in our scheme.

##### 4.9. Participants’ Legality

The scenario of the proposed joint e-lottery mechanism should ensure participants’ legality.

*Scenario 8*. Suppose that players suspect the legality of the TP and LO.

*Proof. *In the lottery issuing phase, upon the players receiving lotteries from the LO, players can use the multisignature of lotteries to confirm the legality of TP and LO by (46).

If the equation holds, the participants’ legality can be authenticated.

That is, only the legitimate private key is able to sign the valid signature. From another viewpoint, the PKG uses its private key to generate in the registration phase; if anyone attempts to forge he/she must solve the RSA public-key cryptosystem to acquire the private key. In fact, it is an integer factorization problem [19].

*Scenario 9*. Suppose that the players, TP, or LO suspect the legality of player.

*Proof. *Anyone suspecting can authenticate the player’s legality by verifying the signature by (9).

If the equation holds, the th player’s legality can be authenticated; the derivation of the verification is shown as follows:

From the above derivation of the verification, only the legitimate private key is able to sign the valid signature. On the other hand, the player is only able to sign the valid signature if he/she registers with the PKG as a legal participant and acquires the private key .

##### 4.10. Support Joint and Individual E-Lottery Service

The protocol can support joint and individual e-lottery service, respectively. In our proposed scheme, we propose two purchase models to satisfy the requirements. Hence, two purchase models have the same rights and protections making our proposed scheme more practical and attractive.

##### 4.11. Discussions

Our scheme focuses on proposing a secure and fair joint e-lottery, despite requiring more communication, more data transfer, and a higher computational complexity. We compare the functional properties between related works and ours in Table 2.

Table 2 shows that our scheme achieves the two new functional properties in comparison with related works [4–6]: participant’s legality and supporting joint and individual e-lottery service.

In addition, we compare the mechanisms of existing lottery websites [8, 9] with ours in Table 3. Basically, [8, 9] only support a lottery agent. So, the player should register with the TP; this differs from ours.

Table 3 shows that our scheme adopted the ID-based multisignature to verify the legality of all participants while existing lottery websites lack effective mechanisms to achieve this requirement. On the other hand, the existing websites do not have remedial measures to prevent malicious behaviors by the lottery agent or players; for instance, the lottery agent refuses to give out the prize, a malicious player forges a picture to claim a prize, or the purchased lottery of a player is lost when the lottery agent’s database crashes. Our scheme uses the ID-based multisignature to provide nonrepudiation evidence to prevent the above situations.

#### 5. Conclusions

In this paper, we present a novel joint e-lottery protocol using the multisignature and verifiable random function. As proved above, the new mechanism can achieve the requirements of general electronic lotteries. The players can increase the probability of winning prizes by using the proposed secure and fair joint e-lottery scheme. Notably, anyone can verify the correctness of winning lotteries and participants’ legality simultaneously by verifying the multisignature; this functionality increases the convenience and security when a new participant joins the system. In the future, we are going to integrate the cash flow concept into our system.

#### Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

#### Acknowledgment

This research was supported by the National Science Council, Taiwan, under contract nos. NSC 101-2221-E-324-005-MY2, 101-2221-E-212-006-MY3, and 102-2219-E-212-001.

#### References

- Mega millions, http://www.megamillions.com/.
- 649Lotter, http://www.649lotter.com/.
- California State Lottery, http://www.calottery.com/default.htm.
- S. S. M. Chow, L. C. K. Hui, S. M. Yiu, and K. P. Chow, “Practical electronic lotteries with offline TTP,” *Computer Communications*, vol. 29, no. 15, pp. 2830–2840, 2006.
- J.-S. Lee and C.-C. Chang, “Design of electronic t-out-of-n lotteries on the Internet,” *Computer Standards and Interfaces*, vol. 31, no. 2, pp. 395–400, 2009.
- J.-S. Lee, C.-S. Chan, and C.-C. Chang, “Non-iterative privacy preservation for online lotteries,” *IET Information Security*, vol. 3, no. 4, pp. 139–147, 2009.
- J. Haigh, “The statistics of lotteries,” in *Handbook of Sports and Lottery Markets*, pp. 481–502, 2008.
- e-Lottery Syndicates, http://www.e-lottery-syndicates.com/.
- Myleto, http://www.myleto.cc/.
- S. Micali, M. Rabin, and S. Vadhan, “Verifiable random functions,” in *Proceedings of the IEEE 40th Annual Conference on Foundations of Computer Science*, pp. 120–130, October 1999.
- O. Goldreich, S. Goldwasser, and S. Micali, “How to construct random functions (extended abstract),” in *Proceedings of the IEEE Annual Symposium on Foundations of Computer Science*, pp. 464–479, 1984.
- A. Lysyanskaya, “Unique signatures and verifiable random functions from the DH-DDH separation,” in *Proceedings of the Advances in Cryptology (CRYPTO '02)*, vol. 2442 of *Lecture Notes in Computer Science*, pp. 597–612, 2002.
- A. Shamir, “Identity-based cryptosystems and signature schemes,” in *Proceedings of the Advances in Cryptology (CRYPTO ’85)*, vol. 196 of *Lecture Notes in Computer Science*, pp. 47–53, 1985.
- L. Harn and J. Ren, “Efficient identity-based RSA multisignatures,” *Computers and Security*, vol. 27, no. 1-2, pp. 12–15, 2008.
- P. Sarkar, “Domain extender for collision resistant hash functions: improving upon Merkle-Damgård iteration,” *Discrete Applied Mathematics*, vol. 157, no. 5, pp. 1086–1097, 2009.
- C.-L. Chen and M.-H. Liu, “A traceable E-cash transfer system against blackmail via subliminal channel,” *Electronic Commerce Research and Applications*, vol. 8, no. 6, pp. 327–333, 2009.
- Internet Engineering Task Force (IETF) Working Group, “RFC 2631 Diffie-Hellman Key Agreement Method,” June 1999.
- W. Diffie and M. E. Hellman, “New directions in cryptography,” *IEEE Transactions on Information Theory*, vol. 22, no. 6, pp. 644–654, 1976.
- R. L. Rivest, A. Shamir, and L. Adleman, “A method for obtaining digital signatures and public-key cryptosystems,” *Communications of the ACM*, vol. 21, no. 2, pp. 120–126, 1978.