Constant-Deposit Multiparty Lotteries on Bitcoin for Arbitrary Number of Players and Winners

Abstract

Secure lottery is a cryptographic protocol that allows multiple players to determine a winner from them uniformly at random, without any trusted third party. Bitcoin enables us to construct a secure lottery to guarantee further that the winner receives reward money from the other losers. Many existing works for Bitcoin-based lottery use deposits to ensure that honest players never be disadvantaged in the presence of adversaries. Bartoletti and Zunino (FC 2017) proposed a Bitcoin-based lottery protocol with a constant deposit, i.e., the deposit amount is independent of the number of players. However, their scheme is limited to work only when the number of participants is a power of two. We tackle this problem and propose a lottery protocol applicable to an arbitrary number of players based on their work. Furthermore, we generalize the number of winners; namely, we propose a secure (k, n)-lottery protocol. To the best of our knowledge, this is the first work to address Bitcoin-based (k, n)-lottery protocol. Notably, our protocols maintain the constant deposit property.

Appendices

A Proofs of Lemmas

Proof of Lemma 1: Let \(\pi _{l\in [L]}\) such that \(|\pi _l| = l\) be the l-th match for player p. Suppose \(v^l_p/v^{l-1}_p\) be the probability that p wins at \(\pi _l\). Then, the probability that p wins the tournament holds:

$$\begin{aligned} \frac{1}{v^l_p}\times \frac{v^l_p}{v^{l-1}_p} \times \cdots \times \frac{v^1_p}{v^0_p} = \frac{1}{n^0_p}=\frac{1}{N}. \end{aligned}$$

This is also true for any player.    \(\square \)

Proof of Lemma 2: Let \(\pi _i\) such that \(|\pi _i| = i\in [k]\) be the i-th match for player \(p_{i+1}\) and \(l_{i-1}\), where \(l_{i-1}\) is the loser of (\(i-1\))-th match The probability that p wins the tournament holds:

$$\begin{aligned} 1 - \frac{i}{i+1}\times \frac{i+1}{i+2} \times \cdots \times \frac{k}{k+1} = \frac{k}{k+1}. \end{aligned}$$

This is also true for any player. Moreover, the probability of winning the parties in S simultaneously equals the probability of losing \(p\notin S\). Thus, the probability of winning the parties in S simultaneously is equivalent for any \(S \subset P\) such that \(|S|=k\).    \(\square \)

Proof of Lemma 3: For any \(j \in [k]\), the winning probability in \((n-j,n-j+1)\)-lottery can be expressed by \((n-j-1)/(n-j)\), as shown in Lemma 2. Since the probability of each \((k',k'+1)\)-lottery is independent, the probability that a player wins the entire (k, n)-lottery can be written as:

$$\begin{aligned} \frac{n-1}{n}\times \frac{n-2}{n-1} \times \cdots \times \frac{k}{k+1} = \frac{k}{n}. \end{aligned}$$

Moreover, since the losers are chosen uniformly at random in each \((k',k'+1)\)-lottery, it is obvious that the winning probability of any set of k players is equivalent.

B Transaction Templates for Constructing (k, n)-Lottery

To combine multiple \((k,k+1)\)-lottery protocols, we modify \(\textsf{Win}\) transactions. See Fig. 8 that shows the point of connection between j-th lottery and \((j+1)\)-th lottery protocols. The output scripts of \(\textsf{Win}(\pi ^j,a)\) in j-th lottery are used as input of \(\textsf{Win}(\pi ^{j+1},a)\) in \((j+1)\)-th lottery protocol. Furthermore, \(\textsf{Win}(\pi ^j_r,a)\) redistributes \(\$d\) to \(\textsf{Win}(\pi ,a)\) for deposits of the next lottery. With this modification, \(K_p(\textsf{WinInit}, \pi , a)\) and \(K_p(\textsf{Return}, \pi , a)\) are added to the key pairs prepared in the initialization phase.

Fig. 8.

Graphical description of the connection between j-th lottery and \((j+1)\)-th lottery protocols