[1401] in cryptography@c2.net mail archive


Online bets without trusted third parties

daemon@ATHENA.MIT.EDU (Anonymous Remailer)
Mon Sep 1 21:58:09 1997

To: cryptography@c2.net
Date: Mon, 01 Sep 1997 20:08:06 MDT
From: valdeez@juno.com (Anonymous Remailer)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Bets without trusted third parties

Often people want to make online bets about some outcome.  It would be
convenient to use electronic cash to do so.

The simplest approach is to use the honor system.  Both parties commit
to paying the amount of the bet if they lose.  Once the outcome
occurs, the losing party pays the winning party the amount of the bet.

However, this has the problem that the losing party has an incentive
not to pay the winning party, since he loses money by doing so.

A solution is to use a trusted third party, just as with regular bets.
Each person could give the amount of the bet to a third party to hold.
Once the outcome of the bet was decided, the third party would give
the total amount to the winner of the bet.

A problem with this is the need to find a third party who is trusted
by both bettors.

Here is another way to do bets without using a third party like this.
There is still some incentive to cheat, but it is not as much as in
the honor system approach.

Qualitatively it is analogous to using torn cash.  If two people want
to bet $100, each can take a $100 bank note, tear it in half, and give
it to the other person.  Then the loser is supposed to give both
halves to the winner.

This gives the loser less incentive to cheat.  The two $100 halves are
worthless in themselves.  Hence he does not lose any money by giving
them to the winner.  There may still be some incentive to cheat, for
example the loser's satisfaction in keeping the winner from getting
his winnings.  But in this case the incentive is less than in the
honor system method, since the loser does not profit directly.

This can be done in electronic form using Chaum's ecash.

The idea is that each party withdraws cash using blinding provided by
the other party.  They then prove to the other party that they have
done so and have a signature from the bank on the supplied blind
value, using a zero knowledge proof.  This is analogous to giving half
a bank note to the other person.

The key idea here is that the only way one party can give the other a
credible zero knowledge proof that they have a signature on the
blinded ecash value is if they actually interacted with the bank and
got their account debited for the specified amount.  But since they
don't know the blinding value used, they can't do anything with that
signature.  As far as they are concerned, it is a signature on a
random number.  Neither party by themselves has the information needed
to acquire the value of the withdrawn cash.  It will be necessary to
know both the blinding factor and the signature in order to make the
cash worth something.

Once the bet is decided, the losing party reveals the bank's signature
on the blinded cash, to allow the other party to unblind the cash he
was given, and also provides the blinding factors to allow the other
party to unblind the cash he withdrew.  This is analogous to giving
the two half bank notes to the winner.

The only special crypto needed (beyond the ordinary blind signatures
used in ecash) is the zero knowledge proof that the ecash has the
right format.

In more detail, the way the ecash withdrawal works is as follows.
Alice creates a blinded ecash banknote and gives it to Bob.  Bob
re-blinds this (to protect his own anonymity) and presents it at the
bank.  The bank debits Bob's account and signs the blinded banknote.
Bob strips off his blinding factor.  What he is left with is a
signature by the bank on the value Alice gave him.  It will be
necessary for one party to learn both this signed value and Alice's
blinding factors in order to acquire the value of the cash.

Bob gives Alice a zero knowledge proof that he knows the bank's
signature on the value she gave him.  This proves that he withdrew
money using her blinding factors.  We need a crypto protocol which can
let Bob prove that he knows a signature by a third party on the value
Alice gave him.

One such protocol is the Guillou-Quisquater identification protocol.
It allows Bob to prove to Alice that he knows an RSA signature (using
the bank's modulus n and exponent e) on the blinded value "v" which
she gave him.  Let the RSA signature from the bank be sign(v).

The protocol works as follows.  Bob chooses a random value k, and
gives Alice r = k^e mod n.  Alice challenges with a random value c <= e.
Bob responds with s = k * sign(v)^c.  Alice verifies that s^e = r * v^c.
This protocol gives Bob a 1/e chance of cheating, so it may have to be
repeated a few times depending on the value of e used by the bank.

The result is a method for online betting analogous to the bill
splitting system.  It can't guarantee that no cheating will occur, but
it does arrange things so that the loser doesn't achieve a direct
financial gain by refusing to pay the winner.

Unfortunately, human nature being what it is, losers often have bad
feelings towards winners, and they may have other reasons for refusing
to pay, ranging from sour grapes to an honest belief that they have
not lost the bet.  This protocol doesn't deal with those problems.
But it should at least reduce the incentives to cheat in online betting.


-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQA/AwUBNAtb0odkQEO7GUZ0EQKbywCgm5dgaWfvkcB8tkje3aVq7NlckeIAnRHo
BydLjKOwWR0+7EtedRaNQwTd
=KdxI
-----END PGP SIGNATURE-----

E-mail was meant to be Free, And so should Free Speech
To Report any Abuse or Request Your E-Mail Address to
be BLOCKED, Contact valdeez@juno.com
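
The withdrawal, proof, and settlement steps described in the message, as an added example that is not part of the original post. The toy bank key, the function names, and the sample note are constructed for illustration, and the challenge is drawn from 0..e-1.

```python
import hashlib
import secrets

# Constructed toy bank key (two Mersenne primes); real ecash uses a full-size modulus.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))               # bank's private exponent

def rand_unit():
    return secrets.randbelow(N - 2) + 2

def alice_blind(note: bytes):
    """Alice hashes her note and blinds it; she keeps b secret."""
    m = int.from_bytes(hashlib.sha256(note).digest(), "big") % N
    b = rand_unit()
    return m, b, (m * pow(b, E, N)) % N          # v is all Bob ever sees

def bob_withdraw(v):
    """Bob re-blinds v, has the bank sign it, and strips his own factor."""
    t = rand_unit()
    signed = pow((v * pow(t, E, N)) % N, D, N)   # bank signs (and debits Bob)
    return (signed * pow(t, -1, N)) % N          # sign(v) = v^d mod n

def gq_commit():
    k = rand_unit()
    return k, pow(k, E, N)                       # r = k^e mod n

def gq_respond(k, sig_v, c):
    return (k * pow(sig_v, c, N)) % N            # s = k * sign(v)^c mod n

def gq_verify(v, r, c, s):
    return pow(s, E, N) == (r * pow(v, c, N)) % N    # s^e == r * v^c mod n

def prove_once(v, sig_v):
    """One honest round: Bob commits, Alice challenges, Bob responds."""
    k, r = gq_commit()
    c = secrets.randbelow(E)                     # Alice's challenge, 0 <= c < e
    return gq_verify(v, r, c, gq_respond(k, sig_v, c))

def forge_for_guess(v, c_guess):
    """Without sign(v), a prover can only answer a challenge guessed in advance."""
    s = rand_unit()
    return (pow(s, E, N) * pow(v, -c_guess, N)) % N, s   # (r, s)

def settle(m, b, sig_v):
    """Whoever holds both b and sign(v) recovers a valid bank signature on m."""
    coin_sig = (sig_v * pow(b, -1, N)) % N
    return pow(coin_sig, E, N) == m
```

`forge_for_guess` shows where the 1/e cheating chance comes from: the forged commitment verifies only for the one challenge it was built around, and `settle` fails unless the caller supplies the matching blinding factor.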
