Schneier on Security

wumpus • August 22, 2017 12:15 PM

This sounds like the “voting machine problem” where a few engineers can quickly converge on the obvious solution (a voting machine that spits out a human & machine readable ballot) while legislators will prefer a solution provided by a donor without caring about the issues.

The biggest issue I can think of is the “big heist problem”. As of today, a powerball jackpot will award $443 million dollars. While even standard accounting/checking methods failed to stop this gang (likely any company hired to run the lottery is completely corrupt), unless you can completely prevent an attack every time lottery numbers are chosen (at least for powerball-level jackpots) it is likely worth an attack that only exposes the criminals after they are safely in Brazil. – Note: While I doubt that many people sufficiently numerate follow lotto, I think that powerball never got this large while Tipton’s gang was controlling the numbers…

So the issues for such a random number generate are pretty severe:

Modification of numbers should be futile. Sending the numbers into a secure hash should solve this issue, but have fun explaining this to those in control. Note that making the hash well beyond Bruce’s “x wide with y rounds” unbreakable crypto would be completely reasonable for such a scheme (presumably starting with a SHA1024 hash). Don’t forget to make sure that hash is audited multiple times between generation and publication.

Allowing the public access to the hash changes everything, I suspect even the most brazen criminals wouldn’t be certain they’ve anonymously cried wolf enough times to get away with using pregenerated data.

The problem with the public option is the “chain of custody” problem. You have a limited window of publicly available data, all which should have far higher security than can be expected. I suspect that the size of the publicly available data will be a lot smaller than readers of this site would expect, probably only closing Dow Jones data and major league final scores in a narrow window of time between the end of ticket sales and the announcing the winners. Ideally it should be >> 40 bits, but I don’t expect any real solution that will be available in a national emergency.

In practice, the real security will come from “each auditor provides a >>40 bit string of random data and verifies the hash of all auditor supplied data. While this data certainly must be public, I’m not including it in what I call “publicly available data”: that should be things that no specific cabal can gain sufficient control. Without the public option, this provides full security if only one auditor is trustworthy. With the public option, it keeps working as long as the publicly available data is sufficiently random and available AND the public agrees with the lottery agency (see election trust problem) OR a single auditor is trustworthy (presumably the lottery agency will always believe the auditors)

This system assumes that even if our auditors formed a cabal and secretly passed the numbers around ahead of time they, it still wouldn’t be worth maintaining the cabal until some event allowed them to ignore the public data. Judging by how long it took to catch Tipton (and crew) this might not be sufficient and a robust public option would be needed (although I originally assumed that subverting all auditors would be difficult then I remembered Arthur Anderson and Co and just how much their “trust” is worth).

I’m guessing that the publicly available data would have to be defined as sources of data likely to be as available as the lottery data itself (and presumably no winning data would be available until both it and some percentage of the input data was available). This would at least take care of the “cheating is easy without publicly available input”.

While the multiple auditors may appear redundant in this situation, I still think they are valuable in that if any auditor decided that collaborating with other auditors and buying tickets in advance in hopes that they can subvert the public data is simply not worth it, they will drop out of any conspiracy and produce completely random data. It shouldn’t be difficult to set the randomness and availability of public data such that the auditors are supply physically produced crypto-hard random data. I have my doubts on the hardness of reliable public data (although the hash of digitally available evening TV news would be an ideal source of completely random data. No idea if any are streaming over the internet, nor how resistant to emergencies they really are). No idea what the risk/reward needed to keep the guys from Arthur Anderson who certified Enron’s accounting to keep sending crypto-hard numbers is, but that is the key to this system. Good luck explaining to lottery officials and state legislators that you need to hold up a week’s worth of lottery money because of internet issues. That money will be demanded even after an EMP blast destroys all computers in the state (although how you would verify the ticket or pay it out is beyond me).

• I’m guessing that Tipton and crew came from the gambling industry. That industry presumably has systems in place to avoid cheating the house, but I suspect that cheating the players isn’t remotely as well guarded (keeping insiders off the floor is primarily keeping them from the house’s money). Since the lotto payout money is fixed, the “house” didn’t care who won, and Tipton’s crew took advantage of that.

** I had to rewrite this whole thing once I realized that it was quite possible for the public to check the auditors hashes. That changes everything and answers the “who watches the watchmen” problem. Considering that Enron was hardly the only company allowed to cook their books (and that the SEC is only slowly getting companies back on GAAP), this is pretty critical to securing any such system.