Publicly verifiable lotteries: Applications of delaying functions

  • David M. Goldschlag
  • Stuart G. Stubblebine
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1465)


This paper uses delaying functions, functions that require significant calculation time, in the development of a one-pass lottery scheme in which winners are chosen fairly using only internal information. Since all this information may be published (even before the lottery closes), anyone can do the calculation and therefore verify that the winner was chosen correctly. Since the calculation uses a delaying function, ticket purchasers cannot take advantage of this information. Fraud on the part of the lottery agent is detectable and no single ticket purchaser needs to be trusted. Coalitions of purchasers attempting to control the winning ticket calculation are either unsuccessful or are detected. The scheme can be made resistant to coalitions of arbitrary size. Since we assume that coalitions of larger size are harder to assemble, the probability that the lottery is fair can be made arbitrarily high. The paper defines delaying functions and contrasts them with pricing functions [8] and time-lock puzzles [15].


Price Function Delay Function Lottery Ticket Service Attack Client Agent 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    W. Aiello, S. Venkatesan, and R. Venkatesan. Design of practical and provably good random number generators. Proceedings of the Sixth Annual ACM-SIAM Symposium on Discrete Algorithms, ACM, New York, NY, Jan. 1995.Google Scholar
  2. 2.
    M. Bellare, J. Garay, and T. Rabin. Distributed Pseudo-Random Bit Generators — A New Way to Speed-Up Shared Coin Tossing, PODC'96, ACM, 1996.Google Scholar
  3. 3.
    T. Beth and Y. Desmedt. Identification tokens-or: solving the chess grandmaster problem. Advances in Cryptology — CRYPTO '90 Proceedings, pp. 169–176.Google Scholar
  4. 4.
    M. Blum. Coin flipping by telephone-a protocol for solving impossible problems. Spring COMPCON 82, IEEE, 1982, pp. 133–137.Google Scholar
  5. 5.
    A. Broder. A provably secure polynomial approximation scheme for the distributed lottery problem. Proceedings of the 4th Annual ACM Symposium on Principles of Distributed Computing, 1985, pp. 136–148.Google Scholar
  6. 6.
    J. Y. Cai, A. Nerurkar, M. Y. Wu. The Design of Uncheatable Benchmarks Using Complexity Theory, technical report 97-10, Department of Computer Science, SUNY Buffalo, 1997.Google Scholar
  7. 7.
    D. Chaum, “Security without Identification: Transaction Systems to Make Big Brother Obsolete”, CACM (28,10), October 1985, pp. 1030–1044.Google Scholar
  8. 8.
    C. Dwork, and M. Naor. Pricing via processing or combating junk mail. Weizmann Technical Report CS95-20, 1995 (Also preliminary version in CRYPTO '92, pp. 139–147).Google Scholar
  9. 9.
    M. K. Franklin and D. Malkhi. Auditable Metering with Lightweight Security, Financial Cryptography 1997, LNCS Vol. 1318, Springer-Verlag, 1997.Google Scholar
  10. 10.
    J. Kahn, G. Kalai, and N. Linial. The influence of variables on Boolean functions. 29th Annual Symposium on Foundations of Computer Science, IEEE Washington, DC, USA, 1988, pp. 68–80.Google Scholar
  11. 11.
    E. Kushilevitz, Y. Mansour, and M. Rabin, On Lotteries with Unique Winners, SIAM Journal on Discrete Mathematics, vol. 8, No. 1, pp. 93–98, February, 1995.zbMATHMathSciNetCrossRefGoogle Scholar
  12. 12.
    R. Merkle. Secure Communications Over Insecure Channels. Communications of the ACM, vol. 21, no. 4, April, 1978, pp. 284–299.CrossRefGoogle Scholar
  13. 13.
    A. Menezes, P. van Oorschot, and S. Vanstone. Handbook of Applied Cryptography, CRC Press, 1997.Google Scholar
  14. 14.
    R. Rivest. Electronic Lottery Tickets as Micropayments, Financial Cryptography 1997.Google Scholar
  15. 15.
    R. Rivest, A. Shamir, and D. Wagner. Time-lock puzzles and timed-release Crypto. Unpublished manuscript, February, 1996. See ~rivest/ Scholar
  16. 16.
    S. Roman. Coding and Information Theory. Graduate texts in Mathematics number 134, Springer-Verlag, 1992.Google Scholar
  17. 17.
    P. Syverson, S. Stubblebine, and D. Goldschlag. Unlinkable Serial Transactions, Financial Cryptography 1997, LNCS Vol. 1318, Springer-Verlag, 1997.Google Scholar
  18. 18.
    P. Syverson, D. Goldschlag, and M. Reed. Anonymous Connections and Onion Routing, Proceedings of the Symposium on Security and Privacy, Oakland, CA, May 1997.Google Scholar
  19. 19.
    A. Webster and S. Tavares. One the design of S-boxes, Advances in Cryptology — Crypto 85 (LNCS 218), pp. 523–34, 1986.Google Scholar
  20. 20.
    P. R. Zimmerman. PGPfone Owner's Manual, Version 1.0 beta 7, July 8, 1996, p. 33.Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 1998

Authors and Affiliations

  • David M. Goldschlag
    • 1
  • Stuart G. Stubblebine
    • 2
  1. 1.DivxHerndonUSA
  2. 2.AT&T Labs-ResearchFlorham ParkUSA

Personalised recommendations