Tyche: Collateral-Free Coalition-Resistant Multiparty Lotteries with Arbitrary Payouts

Quentin Kniep, Roger Wattenhofer

TL;DR

Tyche is a family of protocols for performing practically (as well as asymptotically) efficient multiparty lotteries that are resistant against aborts and majority coalitions. The protocols are based on a commit-and-reveal approach and require only a collision-resistant hash function.

Abstract

We propose Tyche, a family of protocols for performing practically (as well as asymptotically) efficient multiparty lotteries, resistant against aborts and majority coalitions. Our protocols are based on a commit-and-reveal approach, requiring only a collision-resistant hash function. All our protocols use a blockchain as a public bulletin board and for buy-in collection and payout settlement. Importantly though, they do not rely on it or any other third party for providing randomness. Also, participants are not required to post any collateral beyond their buy-in. Any honest participant can eventually settle the lottery, and dishonest behavior never reduces the winning probability of any honest participant. Further, we adapt all three protocols into anonymous lotteries, where (under certain conditions) the winner is unlinkable to any particular participant. We show that our protocols are secure, fair, and some preserve the participants' privacy. Finally, we evaluate the performance of our protocols, particularly in terms of transaction fees, by implementing them on the Sui blockchain. There we see that per user transaction fees are reasonably low and our protocols could potentially support millions of participants.

Paper Structure (19 sections, 13 theorems, 2 equations, 12 figures, 2 tables)

This paper contains 19 sections, 13 theorems, 2 equations, 12 figures, 2 tables.

Key Result

Lemma 1

Given a protocol that achieves fairness (Definition 5) and liveness (Definition 7), a participant aborting this protocol at any point (i) may decrease but never increase their own payout and (ii) may never decrease the payout of any honest participant.

Figures (12)

  • Figure 1: Two-party Lottery based on [two_player_lotteries].
  • Figure 2: Timeline of the phases of the two-party lottery.
  • Figure 3: Example tournament tree with 8 players for the single-winner lottery based on [zero_collateral_lotteries]. Each node in the tree represents one instance of the two-party lottery. All winners of any layer advance to the next higher layer.
  • Figure 4: Phases for multiparty lottery. Example for tournament tree height of three, i.e., $n=8$ participants, such as the one seen in Figure 3. Some phases serve the function of two phases in the underlying two-party lottery protocols and are denoted as such.
  • Figure 5: Same tournament as in Figure 3, depicted in sorting network [sorting_networks] notation as introduced by Donald Knuth [knuth_notation]. Each arrow indicates a single two-player coin flip with 50% chance of either player winning, with the arrow head indicating the new position of the winner.
  • ...and 7 more figures
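
The tournament of Figure 3 can be sketched as a hash-based commit-and-reveal coin flip at every tree node. This is an added illustration, not code from the paper: the names `Player`, `coin_flip` and `tournament` are hypothetical, the blockchain bulletin board is replaced by in-memory calls, and it assumes a fresh secret per round, a power-of-two player count, and that a missing or invalid reveal forfeits the match.

```python
import hashlib
import secrets

def commit(name: str, secret: bytes) -> bytes:
    # Binding the player's name into the hash stops an opponent from replaying
    # someone else's commitment and later copying its opening.
    return hashlib.sha256(name.encode() + b"\x00" + secret).digest()

class Player:
    def __init__(self, name, abort_round=None):
        self.name, self.abort_round, self._secrets = name, abort_round, {}

    def commitment(self, rnd):
        self._secrets[rnd] = secrets.token_bytes(32)  # fresh secret per round
        return commit(self.name, self._secrets[rnd])

    def reveal(self, rnd):
        # An aborting player simply never publishes the opening.
        if self.abort_round is not None and rnd >= self.abort_round:
            return None
        return self._secrets[rnd]

def opened(player, com, rnd):
    """Return the secret if the player reveals a valid opening, else None."""
    s = player.reveal(rnd)
    return s if s is not None and commit(player.name, s) == com else None

def coin_flip(a, b, rnd):
    """One tree node; None stands for an empty slot (nobody advanced)."""
    if a is None or b is None:
        return a if b is None else b                  # bye for the present player
    ca, cb = a.commitment(rnd), b.commitment(rnd)     # commit phase
    sa, sb = opened(a, ca, rnd), opened(b, cb, rnd)   # reveal phase
    if sa is None and sb is None:
        return None
    if sa is None:                                    # a forfeits
        return b
    if sb is None:                                    # b forfeits
        return a
    # XOR of two independent secrets is uniform if either one is.
    return a if (sa[0] ^ sb[0]) & 1 == 0 else b

def tournament(players):
    """Single-winner tree: winners of each layer advance to the next."""
    layer, rnd = list(players), 0
    while len(layer) > 1:
        layer = [coin_flip(layer[i], layer[i + 1], rnd)
                 for i in range(0, len(layer), 2)]
        rnd += 1
    return layer[0]
```

In this sketch an abort can only hand the match to the opponent, which mirrors the direction of Lemma 1: withholding a reveal never lowers an honest player's chance of advancing.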

Theorems & Definitions (38)

  • Definition 1: Cryptographic Hash Function
  • Definition 2: Commitment Scheme
  • Definition 3: Zero-Knowledge Proof
  • Definition 4: Security
  • Definition 5: Fairness
  • Definition 6: Public Verifiability
  • Definition 7: Liveness
  • Definition 8: Collateral-Freeness
  • Lemma 1: Abort Resistance
  • Definition 9: Payout Function
  • ...and 28 more