A Fair, Traceable, Auditable and Participatory Randomization Tool for Legal Systems
Marcos Vinicius M. Silva, Marcos Antonio Simplicio Jr., Roberto Augusto Castellanos Pfeiffer, Julio Michael Stern
Escola Politécnica, Universidade de São Paulo; Law School, Universidade de São Paulo; Institute of Mathematics and Statistics, Universidade de São Paulo
Abstract.
Many real-world scenarios require the random selection of one or more individuals from a pool of eligible candidates. One example of especial social relevance refers to the legal system, in which the jurors and judges are commonly picked according to some probability distribution aiming to avoid biased decisions. In this scenario, ensuring auditability of the random drawing procedure is imperative to promote confidence in its fairness. With this goal in mind, this article describes a protocol for random drawings specially designed for use in legal systems. The proposed design combines the following properties: security by design, ensuring the fairness of the random draw as long as at least one participant behaves honestly; auditability by any interested party, even those having no technical background, using only public information; and statistical robustness, supporting drawings where candidates may have distinct probability distributions. Moreover, it is capable of inviting and engaging as participating stakeholders the main interested parties of a legal process, in a way that promotes process transparency, public trust and institutional resilience. An open-source implementation is also provided as supplementary material.
Keywords: randomization; statistical sampling; auditability; security by design; legal systems.

The function of the legal system is the... congruent generalization of normative behavior expectations.
Niklas Luhmann (1985), A Sociological Theory of Law.
1. Introduction
Randomization procedures are routinely used in the design of scientific experiments, in medical trials, and in the operation of legal systems. Their use is motivated by the capacity to shield processes against the possibility of all sorts of information biases, extraneous influences, illegitimate interference or spurious manipulations, independently from intention, concealment, or manifestation. Indeed, in the general framework of randomized experiments [28, p.340-348], this shielding is accomplished via a composition of two operations: intervention and randomization. In medical trials, for example, the intervention is realized when a set of participants, called the experiment group, is treated with the new drug that needs to be tested. The remaining participants, collectively called the control group, may then receive no intervention, or simply a placebo (aiming to distinguish eventual psychological effects created by the test itself). However, for a variety of reasons, the decision to which group a patient is assigned may be biased by those conducting the trials; analogously, knowledge about the assignment process itself may allow a participant to infer its corresponding group. Hence, aiming to produce reliable results, the patient-group allocation should be unpredictable for all entities involved, i.e., it should be realized via randomization.

In the specific context of legal procedures, randomization is employed by many countries as a tool to avoid (the perception of) biased decisions. Examples include the selection of jurors [6] and judges [7], in which the main goal is to guarantee that each candidate has a pre-defined (not necessarily uniform) probability of being picked. In this scenario, though, randomization comes with two additional requirements: auditability by design and active social engagement. More precisely, auditability by design improves the trust in the system. Hence, it can avoid suspicions commonly raised when statistical deviations are observed in a non-auditable random procedure [19], even if such biases are not the result of ill-intent. Meanwhile, an active, self-reflective and well-coordinated participation by pertinent members of a community can result in more engagement and inclusiveness, relevant aspects of social practices that also apply to the legal system [36, 40]. Combined, such requirements can help legal systems to achieve an important goal: to ensure that their norms (expressed as laws, procedures and regulations) are well understood, recognized and valued [17, 18, 36].

The scientific understanding of randomization procedures is linked to the development of mathematical statistics and cryptography (for a historical overview, see [19, 35]). After all, randomness is a critical component of any cryptographic solution involving secret keys, leading to the need of tools for generating (pseudo)random numbers and for statistically assessing their suitability [11, 23, 25, 29]. Ensuring that the randomness generator can be audited by anyone, on the other hand, is a more challenging issue. Some solutions in the literature rely on the concept of "open hardware", so anyone with enough technical background can (at a given time) examine and evaluate the internal circuit and components of the hardware responsible for generating randomness [14]. There are also proposals that rely on distributed solutions that are expected to generate randomness as part of their regular operation, such as cryptocurrencies [32], thus facilitating auditing by non-technicians. One drawback of this approach, however, is that the resulting application's security and availability may be affected by external events unrelated to the application itself, but typical of the underlying solution (e.g., forks, implementation bugs, or collusion attacks) [2, 39]. Traditionally, auditability of random results has been discussed by protocols for online games involving chance [9, 13, 34]. Nevertheless, the requirements in those applications are commonly different from the drawing in legal procedures, in particular due to the asymmetry of participants (e.g., the casino owner vs. the players) and the focus on strictly uniform probability distributions.

In this article, we describe an auditable random drawing protocol that combines social engagement and support for multiple probability distributions. Therefore, it is particularly suited for the context of legal procedures. The solution builds upon the properties of hash-based bit-commitment mechanisms [21], so it can be executed quite efficiently. In addition, the scheme's security does not rely on any third-party system; instead, its fairness is assured as long as at least one stakeholder participating in the drawing correctly executes the protocol. At the same time, auditability in the system requires no software or hardware analysis, but only the set of messages publicly exchanged among the stakeholders.

Section 2 discusses the use and importance of randomization in legal procedure, using the Brazilian legal system as an example. Section 3 presents the proposed protocols in detail. Section 4 analyzes the different security aspects of the protocol. Section 5 presents some examples of the protocols developed in this article applied to typical operations in the legal system. Section 6 presents our final considerations.
2. The role of randomization in legal systems: the case of Brazil
The consolidation of modern democracies presupposes the separation of powers. In particular, an independent judicial branch is commonly seen as essential to properly check an excessive or abusive exercise of power by the other branches of government [10]. At the same time, such independence promotes the impartiality of judges, i.e., the absence of personal interests or preferences in a trial [20]. The importance of an impartial judiciary is such that it was elevated to the status of a fundamental guarantee by the Universal Declaration of Human Rights, whose Article 10 states that "Everyone is entitled in full equality to a fair and public hearing by an independent and impartial tribunal, in the determination of his rights and obligations and of any criminal charge against him" [38].

In Brazil, impartiality is closely related to the guarantee of the natural judge, i.e., everyone shall be entitled to be judged by a court and a judge previously designated in accordance with the law. In this context, it is important to ensure a random distribution of the lawsuits among the several judges and/or justices that compose the courts of first instance, the tribunals of second instance and the supreme courts. Accordingly, apart from exceptions established by law, the distribution of cases must be randomized, so there is no prior designation of the judge and all members of the court receive a similar number of cases. In particular, a random distribution is important in repetitive demands for which there are different interpretations of the same law by each judge. After all, impartiality would be at risk if a plaintiff could somehow manipulate the distribution criteria aiming to have a case attributed to a judge who ruled it favorably.

Recognizing the importance of randomization in the legal system, the Brazilian Code of Civil Procedure establishes that "distribution [of cases] will be made according to the internal rules of procedure of the court, observing the alternation, electronic draw and publicity" [5, Art. 930]. In the Federal Supreme Court, this is accomplished via a computerized system that is expected to be public and have its data accessible to interested parties [37, Art. 66]. Such publicity is in accordance with the Brazilian Access to Information Act (AIA) [4], which stipulates as a rule the access to all information and data held by the Government. However, the computer system responsible for distributing lawsuits has never had its details publicized, and the successive requests for doing so have been denied by the supreme court [31]. One of the main arguments for the refusal is that the specification and source code employed by this system should be covered by secrecy, evoking one caveat contained in the Brazilian AIA [4, Art. 22]: "The provisions of this Law do not exclude the other legal hypotheses of secrecy and secrecy of justice or the hypotheses of industrial secrecy arising from the direct exploitation of economic activity by the State or by a natural person or private entity that has any link with the public authorities". In practice, however, such secrecy creates a "security through obscurity" system, which has been considered a poor practice by security practitioners for more than 100 years due to its inherent lack of auditability [12]. Hence, there are no technical grounds to support secrecy of the algorithms and source code employed, while the legal grounds are still a matter of dispute.

Unfortunately, until this controversy is resolved (e.g., by the bill of law 8503/2017, which compels the removal of such secrecy [30]), the system will remain unable to provide enough transparency to assuage eventual suspicion and distrust, even if unjustified. This issue is especially troublesome when we consider that the Supreme Court is often called to decide delicate questions that are subject of heated debate in the society at large. In such cases, any distrust motivated by security by obscurity may spill over other social systems, spreading institutional discredit to a much wider scope and, in so doing, potentially threaten social harmony or stability [18].

Such concerns motivate the development of proposals following a security by design concept, which implies that the system's security does not depend on the secrecy of its implementation or of its components [22, Sec. 2.4]. In the specific case of Brazil, this approach is expected to avoid any clashes with the principles of publicity imposed by the Federal Constitution, the Code of Civil Procedure and the AIA. The main goal of the remainder of this article is to show that it is possible to specify and implement such a solution having transparency and auditability at its core.
3. Auditable random draw
In this section, we describe the process of randomly drawing some entity among a list of eligible candidates. The proposed protocols build upon the ideas originally discussed by M. Blum for solving the "Coin-flipping by telephone" problem [1, 3], where two mutually untrusted parties play a virtual coin tossing game: after each player chooses "heads" or "tails", an outcome is randomly drawn in such a manner that both players can verify the fairness of the result (i.e., in this case, that each one had a 50% chance of winning). Basically, the solution employs a commit-and-reveal scheme [21], leading to a protocol that is general enough to be applied in a variety of applications. Indeed, it has been traditionally employed in protocols for online gambling [9] and peer-to-peer card games [34]. In this article, though, we focus specifically on the context of legal cases, assuming that entities like judge, juror(s), rapporteur, or the court itself must be selected at random in a judicial proceeding.

We discuss two main protocols: one version where a single drawing is required for a given proceeding, and an extension that optimizes latency and bandwidth usage in scenarios where multiple entities must be simultaneously drawn for the same or for several proceedings. We also discuss some possible protocol variants, as well as how the described schemes could be instantiated for handling real-world judicial proceedings.
For convenience to the reader, Table 1 lists the general notation adopted hereinafter.

Table 1. General notation

| Symbol | Definition |
|---|---|
| $\lambda$ | System's security level |
| $x \xleftarrow{\$} X$ | Uniform sampling of an element $x$ from space $X$ |
| $\lvert Y \rvert$ | Number of elements in a set or list $Y$ |
| $Draw$ | A random drawing procedure |
| $\Delta = \{Draw_1, \ldots\}$ | A list of drawing procedures |
| $S = \{s_0, \ldots\}$ | Set of stakeholders $s_j$ participating in drawing procedure $Draw$ |
| $E = \{e_0, \ldots\}$ | Ordered list of eligible candidates $e_j$ in drawing procedure $Draw$ |
| $DID$ | Unique identifier of a drawing procedure $Draw$ |
| $info$ | Any metadata related to drawing procedure $Draw$ |
| $share$ | A stakeholder's contribution to the random draw |
| $C$ | Commitment to the contribution $share$ in a given drawing |
| $mask$ | A random masking value: hides contribution $share$ in commitment $C$ |
| $d$ | The result of the random draw |
| $pk, sk$ | An entity's public and private keys, respectively |
| $H(M)$ | Hash of an arbitrary message $M$ |
| $\sigma$ | A digital signature |
| $S(sk, M)$ | Signing message $M$ using private key $sk$ |
| $V(pk, M, \sigma)$ | Verification of signature $\sigma$ on message $M$, using public key $pk$ |

In the described protocols, we consider that each drawing procedure $Draw$ can be represented by the set of fields $\{DID, S, E, info\}$, described as follows:

• $DID$ (mandatory): a unique identifier for the drawing procedure. In particular, when a drawing is associated with a proceeding whose unique identifier is $PID$, one might simply make $DID = PID \,\|\, cnt$, where $\|$ denotes concatenation (using a suitable, reserved character) and $cnt$ is a counter for the number of the drawing inside that proceeding. For example, suppose that a proceeding's identifier is PID = , and that a random draw is required for defining its judge. This first drawing could then be identified as DID = .

• $S$ (mandatory): the set of all stakeholders $s_j$ (where $0 \leq j < |S|$) that must participate in the random draw as witnesses of its fairness. This set may contain any number of interested parties, which may be either proceeding-specific (e.g., defense lawyer, prosecutor, and judge) or more general (e.g., Ministry of Justice, Supreme Court, and bar council). Each interested party must be identified by a public key, so their corresponding digital signatures can be verified during the protocol's execution. Without loss of generality, we assume that the public key $pk_{s_j}$ of each interested party $s_j \in S$ is part of a digital certificate issued by a trusted Certificate Authority (CA), so that certificate's fingerprint can be used as an unambiguous identifier.

• $E$ (mandatory): the list of all candidates $e_j$ (where $0 \leq j < |E|$) that are eligible to be randomly drawn. For example, it might refer to all judges that are eligible for the proceeding, excluding entities with conflict of interest; it may also include duplicates, aiming to handle non-uniform probability distributions (see Section 3.4 for details). The identification of each candidate and their order in the list must be unequivocal. This can be accomplished, for example, by means of a list containing their corresponding social security numbers, functional identifiers, or digital certificate fingerprints, sorted in lexicographic order.

• $info$ (optional): represents all relevant metadata about the drawing in a human-readable form. This field might include, for example, the proceeding title, class, subject, and last modification date. This field is left as optional in the protocol because, if a reliable source is available, such metadata can be obtained from $DID$ itself.

We denote by $H(M)$ the application of a hash function $H: \{0,1\}^* \to \{0,1\}^h$ over the arbitrary-length input $M$. In the protocols hereby described, hash functions are employed in the construction of a commitment mechanism [21]: after computing and revealing $H(M)$, an entity becomes "committed" to $M$, since it is computationally hard to find $M' \neq M$ such that $H(M') = H(M)$ for a secure hash function; at the same time, the one-way property of the hash function prevents anyone from learning the value of $M$ until it is deliberately disclosed. We also assume that $H$ follows a fairly uniform distribution in $\{0,1\}^h$, which is standard for secure hash functions. Standardized algorithms believed to provide such properties include instances from the SHA-2 [24] family.

We write $S(sk, M)$ to denote the computation of a digital signature of input $M$ using the private key $sk$, giving as output a signature $\sigma$. The corresponding signature verification procedure under public key $pk$ is then denoted $V(pk, M, \sigma)$. We assume that a standardized algorithm is employed for this purpose, such as ECDSA or EdDSA [26].

For all algorithms employed, we assume a security level $\lambda \geq$ bits, as it is usual in modern systems [27].

Let $Draw_i = \{DID_i, S_i, E_i, info_i\}$ represent a random drawing procedure performed by stakeholders $S_i$. To pick a random candidate from $E_i$, each stakeholder $s_j \in S_i$ engages in a two-phase procedure, described in what follows and illustrated in Figure 1.

Firstly, $s_j$ generates a random masking value $mask_{i,j} \xleftarrow{\$} \{0,1\}^{\lambda}$ for security level $\lambda$. In addition, $s_j$ picks a random value $share_{i,j}$ satisfying $0 \leq share_{i,j} \leq |E_i|$, which will later be used as that stakeholder's contribution to the random draw. We note that, as long as both $mask_{i,j}$ and $share_{i,j}$ are kept secret and can be considered unpredictable, their values could be picked arbitrarily by $s_j$ or computed using a suitable random number generator [23, 25].

Subsequently, each stakeholder $s_j$ computes its own commitment $C_{i,j} \leftarrow H(Draw_i, mask_{i,j}, share_{i,j})$ by applying the hash function $H$ on the drawing data $Draw_i$ (common to all parties), on the masking value $mask_{i,j}$, and on its random contribution $share_{i,j}$. With this approach, the potentially low-entropy hash input $share_{i,j}$ cannot be guessed from $C_{i,j}$, since it is combined with the high-entropy masking value $mask_{i,j}$ [21].

Finally, $s_j$ signs a message containing the commitment $C_{i,j}$ and the drawing data $Draw_i$, using the private key $sk_j$. The digital signature generated in this manner, $\sigma_{i,j} \leftarrow S(sk_j, \{Draw_i, C_{i,j}\})$, provides authenticity and non-repudiation to the commitment sent by $s_j$, which allows later auditing. Finally, $s_j$ broadcasts a message containing $\{Draw_i, C_{i,j}, \sigma_{i,j}\}$ to all other stakeholders $s_{j' \neq j}$.

Figure 1. Auditable random draw procedure.
Upon reception of a commitment $C_{i,j'}$, each stakeholder $s_j$ checks the corresponding signature by running the verification algorithm $V(pk_{j'}, \{Draw_i, C_{i,j'}\}, \sigma_{i,j'})$. Only after all commitments $C_{i,j' \neq j}$ are received and their signatures are correctly verified, stakeholder $s_j$ reveals the pair $\{mask_{i,j}, share_{i,j}\}$ to all of its peers. Note that it is not necessary to digitally sign the message revealed in this manner, since $\{mask_{i,j}, share_{i,j}\}$ was indirectly signed when computing $\sigma_{i,j}$: to verify its validity, it is enough to check that $C_{i,j} \stackrel{?}{=} H(Draw_i, mask_{i,j}, share_{i,j})$ holds true.

Using the random contributions $share_{i,j}$ from all stakeholders, the result of the random draw is $d = \left(\sum_{j=0}^{|S_i|-1} share_{i,j}\right) \bmod |E_i|$. The drawn candidate is then set to $e_d$, following the original order of candidates from $E_i$. This approach ensures that every candidate $e_j$ has the same probability of being drawn because, if at least one stakeholder $s_j$ picks $share_{i,j}$ uniformly at random in $[0, |E_i|[$, the resulting sum will also be uniformly distributed in the same interval [33], independently of collusion among other parties. In addition, any entity is capable of auditing the drawing by: (1) verifying the digital signatures on the revealed values; (2) recomputing $d$ independently; and (3) comparing the obtained $d$ with the value reported by the stakeholders that participated in the drawing.

The process described in Section 3.2 can be extended to enable multiple random draws to be executed by a group of stakeholders $S$ with a single commit-and-reveal procedure. This extension is discussed in what follows.

Figure 2. Chaining structure enabling multiple random draws from a single commitment.
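The single-draw procedure of Section 3.2 (commit, reveal, recompute $d$), written out as an added example that is not the authors' implementation. SHA-256 as $H$, the length-prefixed encoding, the 128-bit mask, all function names and the sample values are assumptions of this example, and the signature step $S$/$V$ is left to whatever signature library a deployment uses.

```python
import hashlib
import secrets

MASK_BYTES = 16  # assumption of this example: 128-bit masking values


def encode(*fields):
    """Length-prefix each field so the hash input parses in exactly one way."""
    return b"".join(len(f).to_bytes(4, "big") + f for f in fields)


def draw_record(did, stakeholders, candidates, info=""):
    """Canonical bytes for Draw = {DID, S, E, info}; E keeps its given order."""
    return encode(
        did.encode(),
        encode(*(s.encode() for s in sorted(stakeholders))),
        encode(*(e.encode() for e in candidates)),
        info.encode(),
    )


def commitment(draw, mask, share):
    """C = H(Draw, mask, share), with SHA-256 standing in for H."""
    return hashlib.sha256(encode(draw, mask, share.to_bytes(8, "big"))).digest()


def contribute(draw, n_candidates):
    """Commit phase for one stakeholder: returns (mask, share, C)."""
    mask = secrets.token_bytes(MASK_BYTES)
    share = secrets.randbelow(n_candidates)  # uniform in [0, |E|[
    return mask, share, commitment(draw, mask, share)


def audit_draw(draw, candidates, commitments, reveals):
    """Recompute d from public data only.

    commitments: {stakeholder: C}, signatures assumed already verified.
    reveals:     {stakeholder: (mask, share)} published in the reveal phase.
    """
    if set(commitments) != set(reveals):
        raise ValueError("every committed stakeholder must reveal, and vice versa")
    total = 0
    for sid in sorted(reveals):
        mask, share = reveals[sid]
        if not 0 <= share <= len(candidates):  # bound stated in Section 3.2
            raise ValueError(f"{sid}: share out of range")
        if commitment(draw, mask, share) != commitments[sid]:
            raise ValueError(f"{sid}: reveal does not open the commitment")
        total += share
    d = total % len(candidates)
    return d, candidates[d]


def demo():
    """Constructed run: three stakeholders, five candidates, fixed values."""
    candidates = ["judge-A", "judge-B", "judge-C", "judge-D", "judge-E"]
    parties = ["court", "defense", "prosecution"]
    draw = draw_record("EXAMPLE-PID||1", parties, candidates)  # placeholder DID
    # Fixed masks keep the run reproducible; real ones come from contribute().
    reveals = {
        "court": (b"\x01" * MASK_BYTES, 3),
        "defense": (b"\x02" * MASK_BYTES, 4),
        "prosecution": (b"\x03" * MASK_BYTES, 1),
    }
    commitments = {s: commitment(draw, m, v) for s, (m, v) in reveals.items()}
    result = audit_draw(draw, candidates, commitments, reveals)

    # Section 4.2 scenario: "court" reveals a share other than the committed one.
    forged = dict(reveals, court=(b"\x01" * MASK_BYTES, 0))
    try:
        audit_draw(draw, candidates, commitments, forged)
        rejected = False
    except ValueError:
        rejected = True
    return result, rejected


if __name__ == "__main__":
    print(demo())
```

The length prefixes matter: hashing a plain concatenation of $Draw_i$, $mask_{i,j}$ and $share_{i,j}$ would let two different triples produce the same hash input.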
Let $\Delta = \{Draw_i\}$ (for $i \geq 1$) be a list of random draws $\{DID_i, S, E_i, info_i\}$ that share the same set of stakeholders $S$ and that are ordered according to some rule (e.g., following the lexicographic order of $DID_i$). Similarly to the single-drawing case, each stakeholder $s_j \in S_i$ starts by picking a random $mask_{1,j} \xleftarrow{\$} \{0,1\}^{\lambda}$. In addition, $s_j$ picks one random $share_{i,j}$ for each $Draw_i \in \Delta$, each of which satisfying $0 \leq share_{i,j} \leq |E_i|$ for the corresponding $E_i$. The $|\Delta|$ commitments from $s_j$ are then obtained iteratively: first, by making $C_{1,j} \leftarrow H(Draw_1, mask_{1,j}, share_{1,j})$; the subsequent $C_{i,j}$ for $i \geq 2$ are then computed as $C_{i,j} \leftarrow H(Draw_i, mask_{i,j}, share_{i,j})$, where $mask_{i,j} = C_{i-1,j}$. The resulting data structure is illustrated in Figure 2. Finally, the last commitment $C_{|\Delta|,j}$ computed in this manner is signed and broadcast to all stakeholders.

After $s_j$ receives and validates all commitments $C_{|\Delta|,j' \neq j}$ from its peers, it broadcasts $mask_{1,j}$ together with all picked values of $share_{i,j}$ (for $i \geq 1$). This allows any entity, including stakeholders, to verify that the signed commitment $C_{|\Delta|,j}$ originally provided by $s_j$ was indeed built from $mask_{1,j}$ and the set of disclosed $share_{i,j}$: it suffices to reproduce the aforementioned procedure that, supposedly, was followed by $s_j$ when computing each $C_{i,j}$. If such verification holds true for all commitments, each random draw $d_i$ is once again computed as $d_i = \left(\sum_{j=0}^{|S_i|-1} share_{i,j}\right) \bmod |E_i|$ for each $i \geq 1$. Once again, the fairness of the drawing procedure can be audited by independent entities, who are able to verify that each $d_i$ was computed from the signed commitments.

Many real-world random drawing applications require that $n$ eligible candidates in a list $E$ have the same probability of being drawn, that is, a uniform probability distribution. In this case, the ordered list $E = \{e_0, \ldots, e_{n-1}\}$ would contain only distinct identifiers, one per candidate $e_j$.

Nevertheless, there are situations in which the $n$ eligible candidates must be selected according to a non-uniform probability distribution $P(0), P(1), \ldots, P(n-1)$, where $P(j) \geq 0$ and $\sum P(j) = 1$. For example, in the context of legal proceedings, some publicly available and law-abiding rules may dictate that the judge for a given case should be picked with higher or lower probability depending on well-established methodologies and criteria. For example, these criteria may include judges' current workloads, case complexities or legal specialty areas, among others. These probability distributions may even be adjusted over time, aiming to make the judges' loads converge, in the long run, to a targeted equilibrium goal. Some statistical methods for calculating, calibrating and adjusting such non-uniform distributions are discussed in [8, 15, 16].

A standard technique for handling non-uniform probability distributions consists in repeating the identifier of every candidate $e_j$ proportionally to $P(j)$. The case in which probabilities are expressed as fractions with a common denominator, $P(j) = a_j/b$, is simple to handle: we only have to build $E$ as a $b$-long list where the identifier for each candidate $e_j$ appears (e.g., contiguously) a total of $a_j$ times. For example, if we need a random draw among 4 candidates with probability distributions { / , / , / , / }, where $b = 10$, we would have E = { e , e , e , e , e , e , e , e , e , e }. Taking as common denominator a larger integer power of ten, i.e. $b = 10^k$, allows for a good approximation of any distribution expressed in decimal form, like a centesimal or a millesimal scale for a common denominator of $b = 100$ or $b = 1000$.

The case in which probabilities are expressed as fractions in canonical form, $P(j) = a_j/b_j$, with no common denominator, is handled as follows: (1) compute $\ell \leftarrow \mathrm{lcm}(b_0, b_1, \ldots)$, i.e., the lowest common multiple of the fractions' denominators, $b_j$; and (2) build $E$ as an $\ell$-long list where the identifier for each candidate $e_j$ appears (e.g., contiguously) a total of $\ell \cdot a_j/b_j$ times. For example, if we need a random draw among 4 candidates with probability distributions { / , / , / , / }, then we would have ℓ ← lcm(3, , 6) = 12, and E = { e , e , e , e , e , e , e , e , e , e , e , e }.

Despite repetitions in the list $E$, we note that the computational representation of $E$ can remain quite compact: by representing each candidate by the pair $(e_j, P(j))$, no actual identifier repetition is necessary.

A slightly modified version of the described protocols can be employed aiming to save some bandwidth during the reveal phase. This variation consists in using the masking values $mask_{i,j}$ directly as source of randomness instead of relying on the additional random values of $share_{i,j}$. For the single drawing procedure from Section 3.2, this means that $d$ would be computed by adding up $mask_{i,j}$, i.e., as $d = \left(\sum_{j=0}^{|S_i|-1} mask_{i,j}\right) \bmod |E_i|$. In this case, $share_{i,j}$ itself could be omitted from the protocol, and only $mask_{i,j}$ would be revealed by the stakeholders to their peers. In addition, multiple random draws could then be implemented without the chaining structure described in Section 3.3: instead, one could employ a pseudo-random number generator [25] taking as seed the value of $d$ obtained in the single-drawing procedure.

The drawback of this approach is that the distribution of $d$ computed in this manner may lead to distortions in the protocol's probability distribution. Specifically, the lowest $(2^{\lambda}|S_i| \bmod |E_i|)$ values of $d$ would have a favorable probability bias: instead of being selected with probability $1/|E_i|$, their actual chance would be $1/|E_i| + 1/2^{\lambda}$.

Notice that such probability issue only arises in this modified protocol when $2^{\lambda}|S_i| \bmod |E_i| \neq 0$. In addition, the resulting bias should be negligible whenever $|E_i| \ll 2^{\lambda}$, which is likely to be the case in many real-world applications. For example, one would expect a small $|E_i|$ when the judge for a procedure needs to be randomly drawn according to a uniform distribution. Nevertheless, $|E_i|$ may grow for supporting arbitrary drawing probabilities associated with each candidate. Therefore, aiming to ensure the wide applicability of the hereby described protocols, we recommend using $share_{i,j}$ as an additional value in actual implementations.

4. Security Analysis

In this section, we analyze the attack surface of the proposed secure drawing mechanism, considering the security properties of its underlying cryptographic primitives.
Suppose a malicious stakeholder s a is able to learn all contributions share i, j (cid:54) = a from itspeers before sending its own commitment C i, a ← H ( Draw i , mask i, a , share i, a ) . In thatcase, s a can choose the value of d i by picking share i, a accordingly. The confidentialityof all share i, j in the commitment phase is, thus, critical for the drawing procedure’sfairness.In the described protocol, the confidentiality of every pre-image resistance duringthe commitment phase is protected by the underlying hash function’s pre-image resis-tance. Specifically, to obtain share i, j , s a would have to find the hash function’s input ( Draw i , mask i, j , share i, j ) from its output C i, j . This requires guessing mask i, j in theone-draw protocol described in Section 3.2, or mask , j in the multi-draw protocol fromSection 3.3. As long as such masking values are at least λ -bits long and randomly picked,such guessing attempts should be computationally infeasible.Notice that the confidentiality of every share i, j is relinquished in the revealphase, when those values are disclosed together with the corresponding mask i, j . At thattime, however, it would be computationally hard for s a to modify the already committed share , a , picked before any share i, j (cid:54) = a was known (see Section 4.2). Hence, the drawingprocedure cannot be manipulated as long as every s j reveal its own { mask i, j , share i, j } only after all commitments C i, j (cid:48) (cid:54) = j are received from their peers. Suppose a malicious stakeholder s a can modify its own share i, a after learning all con-tributions share i, j (cid:54) = a from its peers. In this scenario, similarly to the attack described inSection 4.1, s a can pick a modified value share (cid:48) i, a that leads to the desired value of d i .In the described protocols, such attack is unfeasible as long as a collision-resistant hash function H is employed when computing the commitment C i, a . 
Moreprecisely, after s a broadcasts its commitment C i, a = H ( Draw i , mask i, a , share i, a ) ,the value of { mask (cid:48) i, a , share (cid:48) i, a } subsequently revealed would only be accepted asvalid by its peers if the following collision occurs: H ( Draw i , mask i, a , share i, a ) = H ( Draw i , mask (cid:48) i, a , share (cid:48) i, a ) .Notice also that attempts to replace C i, a itself during the reveal phase would alsofail. After all, stakeholders would not enter the reveal phase until C i, a is received and itssignature is verified. A malicious stakeholder s a might decide to send different commitments to different setsof stakeholders, leading to a distinct value of d computed in each of them. The resultwould be a denial-of-service attack, because there would be no consensus among all sta-keholders. Even though there is no mechanism to prevent such attack, the culprit can beeasily identified after the stakeholders compare the received commitments. The attackercould then be penalized accordingly, and the digitally signed commitments could be usedas proof of misbehavior. .4. Collusion resistance As mentioned in Section 3.2, the value of d = ( (cid:80) | S i |− j =0 share i, j ) mod | E i | obtained inthe hereby described protocol follows an uniform distribution in [0 , | E i | [ as long as atleast one stakeholder s j picks share i, j uniformly at random in [0 , | E i | [ [33]. Hence, thefairness of the random draw is ensured even if | S i | − stakeholders collude, e.g., byrevealing and/or agreeing on their own contributions share i, j (cid:48) (cid:54) = j .We note that, if there is a collusion among all stakeholders (i.e., a consensus), thenit is possible to manipulate the drawing procedure while giving auditors a false impressionof fairness. Hence, the choice of a suitable set of stakeholders S is a critical requirementin the system. 
In the specific case of drawing a proceeding's judge, meeting such a requirement should be quite easy, in particular if opposing parties like the defense lawyer and prosecutor are included in $S$.

The successful impersonation of an honest stakeholder $s_j$ might lead to a few undesirable situations. For example, suppose that both the legitimate and a forged/replayed commitment from $s_j$ are accepted as valid in a random draw. Since the resulting duplication would be indistinguishable from the denial-of-service attack described in Section 4.3, $s_j$ might be unjustly accused of misbehavior. As another example, suppose that $n$ stakeholders in collusion gather forged/replayed commitments from all of the remaining $|S_i| - n$ stakeholders that would participate in a drawing. In that case, auditors could be tricked into believing that a given drawing result was fair, when it was actually manipulated by the colluding parties.

To prevent such attacks, two mechanisms are employed in the hereby described protocols. First, to prevent forgery, all stakeholders must be unequivocally identified (e.g., by their digital certificates) and their commitments must be signed using a secure digital signature algorithm. Second, to prevent replay attacks, every random draw procedure $Draw_i$ includes a unique identifier; hence, a commitment $C_{i,j}$ for $Draw_i$ would not be mistakenly accepted as valid in another drawing procedure $Draw_{i' \neq i}$.

Any malicious stakeholder $s_a$ can engage in a denial-of-service attack by refusing to provide either $\{C_{i,a}, \sigma_{i,a}\}$ or $\{mask_{i,a}, share_{i,a}\}$, preventing the completion of the protocol's execution. Even though there are no mechanisms to prevent such attacks from occurring, the non-compliant parties can be easily identified in the protocol. Hence, adequate measures can be taken in response, depending on the target scenario.
For example, if the contribution from $s_a$ is not mandatory, then the drawing procedure could be restarted after $s_a$ is removed from $S_i$.

The described protocol requires $s_j$ to broadcast $\{C_{i,j}, \sigma_{i,j}\}$ (in the commit phase) and $\{mask_{i,j}, share_{i,j}\}$ (in the reveal phase). Such broadcasts can be performed either directly, using the stakeholders' network addresses, or with the aid of an intermediate server. One benefit of the latter approach is that each $s_j$ would need to send a single message to the server, rather than learning its peers' addresses and sending one individual message to each peer. Hence, for better efficiency, such a server-based architecture may be preferred in actual deployments. Meanwhile, there would be no impact in terms of security: even if the server is untrustworthy, it would be unable to forge or modify any of the exchanged messages because they are all signed by the corresponding stakeholders.

The main caveat in a server-based architecture is that third parties interested in auditing the drawing result should not blindly trust the data provided by the server. The reason is that the server could collude with a malicious stakeholder $s_a$ to replace the latter's (signed) contribution in the drawing and, thus, manipulate its result from that auditor's perspective. Hence, auditors should always confirm that any data provided by the intermediate server matches the messages actually seen by all stakeholders. Notice that such confirmation not only allows auditors to avoid tampering attempts, but also enables the identification of the malicious stakeholder(s) behind this attempt: after all, the auditor would observe two distinct commitments $C_{i,a}$ and $C'_{i,a}$ signed by $s_a$ for the same drawing $Draw_i$, a situation that should never occur in a regular protocol execution. Actually, this very possibility of identifying tampering attempts should dissuade stakeholders from colluding with the intermediate server.
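The acceptance checks that the analysis above relies on (binding of a reveal to its commitment, binding of a commitment to one draw identifier, and the auditor's comparison of the commitments seen by different parties) are shown below as an added Python example; it is not the authors' Java library. It assumes SHA-256 as $H$, a length-prefixed encoding of $(Draw_i, mask, share)$, 128-bit masks, and signatures already verified before values reach these functions; all function names are hypothetical.

```python
import hashlib
import secrets

LAMBDA_BYTES = 16  # assumed mask length (lambda = 128 bits)


def _encode(*fields: bytes) -> bytes:
    # Length-prefix each field so the encoding of (Draw, mask, share) is unambiguous.
    return b"".join(len(f).to_bytes(4, "big") + f for f in fields)


def commit(draw_id: str, mask: bytes, share: int) -> str:
    """C = H(Draw, mask, share); SHA-256 stands in for H (assumption)."""
    data = _encode(draw_id.encode(), mask, share.to_bytes(8, "big"))
    return hashlib.sha256(data).hexdigest()


def new_contribution(draw_id: str, n_candidates: int):
    """Fresh random mask, uniform share in [0, n_candidates), and the commitment."""
    mask = secrets.token_bytes(LAMBDA_BYTES)
    share = secrets.randbelow(n_candidates)
    return mask, share, commit(draw_id, mask, share)


def run_draw(draw_id, n_candidates, commitments, reveals):
    """Return (d, rejected); d is None unless every commitment is opened correctly.

    commitments: {stakeholder: C}, reveals: {stakeholder: (mask, share)}.
    """
    rejected = []
    for name, c in commitments.items():
        if name not in reveals:
            rejected.append((name, "no reveal"))
            continue
        mask, share = reveals[name]
        if len(mask) < LAMBDA_BYTES or not 0 <= share < n_candidates:
            rejected.append((name, "malformed reveal"))
        elif not secrets.compare_digest(commit(draw_id, mask, share), c):
            rejected.append((name, "reveal does not match commitment"))
    if rejected or not commitments:
        return None, rejected
    return sum(reveals[n][1] for n in commitments) % n_candidates, rejected


def equivocators(views):
    """views: {observer: {stakeholder: C}}; stakeholders seen with more than one C."""
    seen = {}
    for view in views.values():
        for name, c in view.items():
            seen.setdefault(name, set()).add(c)
    return sorted(n for n, cs in seen.items() if len(cs) > 1)
```

A reveal altered after the commit phase, or a commitment replayed under another draw identifier, leaves `d` as `None` and names the offending stakeholder in `rejected`.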
5. Implementation
We have developed a simple Java library that implements all the steps of the protocols described in Sections 3.2 and 3.3. The source code is available under the MIT License at https://doi.org/10.24433/CO.6108166.v1, so it can be freely adapted to fit the needs of real-world implementation. It also includes routines for performing the functional testing of the protocol's main routines (a reproducible run is made available).

The provided code does not include a graphical interface, since its details would depend on the actual platform (e.g., desktops, mobile phones or dedicated hardware) and also on the details of the scenario (e.g., usual number of stakeholders, and whether or not non-uniform probability distributions are required). We are currently implementing a prototype mobile application that uses an intermediate server for facilitating the communication among peers. Figure 3 illustrates the graphical interface expected for this proof-of-concept. Specifically, it shows the look-and-feel for mobile users during:
(a) The commit phase, when 4 stakeholders must send their signed commitments. At the moment shown in the interface, only two of them (namely, share and mask . The interface shows that two stakeholders (namely,
6. Final Considerations
In this article, we describe a collaborative random drawing protocol with arbitrary probability distributions and whose fairness can be audited by any interested party (including non-technicians). The scheme follows a security-by-design best practice, contrasting with technically unsound approaches based on security-by-obscurity. In addition, it is designed to allow and invite the active participation of any number of stakeholders or their representatives. This active engagement of interested parties and social organizations is intended to foster trust and confidence in the legal processes. Indirectly, it should also strengthen the institutions that compose a truly autonomous Legal System, enhancing their harmonious relations with other branches of government and, in this way, promoting social peace.

Figure 3. Graphical interface for the described protocol's proof-of-concept implementation: (a) commit phase; (b) reveal phase; (c) end of the protocol, with one out of five candidates being randomly drawn by four stakeholders.
Acknowledgements and Funding
This work was supported by: Ripple's University Blockchain Research Initiative; CNPq (Brazilian National Council for Scientific and Technological Development – grants PQ 307648/2018-4 and 301198/2017-9); and FAPESP (São Paulo Research Foundation, grants CEPID-CeMEAI 2013/07375-0 and CEPID-Shell-RCGI 2014/50279-4). The authors are grateful for early conversations with Julio Adolfo Zucon Trecenti from ABJ (Brazilian Jurimetrics Association), and for the mobile interface design conceived by Giovanni A. dos Santos and Joao Paulo A. S. E. Lins.
References
[1] M. Blum. Coin flipping by telephone: a protocol for solving impossible problems. ACM SIGACT News, 15(1):23–27, 1983.
[2] J. Bonneau, A. Miller, J. Clark, A. Narayanan, J. Kroll, and E. Felten. Sok: Research perspectives and challenges for bitcoin and cryptocurrencies. In IEEE Symposium on Security and Privacy, pages 104–121. IEEE, 2015.
[3] G. Brassard, D. Chaum, and C. Crépeau. Minimum disclosure proofs of knowledge. Journal of computer and system sciences, 37(2):156–189, 1988.
[4] Brazil. Brazilian Access to Information Act (in Portuguese), 2011.
[5] Brazil. Brazilian Code of Civil Procedure (in Portuguese), 2018.
[6] N. Duxbury. Random Justice: On Lotteries and Legal Decision-Making. Oxford University Press, 2002.
[7] T. Eisenberg, T. Fisher, and I. Rosen-Zvi. Does the judge matter? exploiting random assignment on a court of last resort to assess judge and case selection effects. Journal of Empirical Legal Studies, 9(2):246–290, 2012.
[8] V. Fossaluza, M. S. Lauretto, C. A. B. Pereira, and J. M. Stern. Combining optimization and randomization approaches for the design of clinical trials. In Interdisciplinary Bayesian Statistics, pages 173–184. Springer, 2015.
[9] C. Hall and B. Schneier. Remote electronic gambling. In Proc. of the 13th Annual Computer Security Applications Conference (ACSAC'97), pages 232–238, USA, 1997. IEEE Computer Society.
[10] A. Hamilton, J. Madison, and J. Jay. The Federalist Papers (reprint). American Library of World Literature, 1788, 1961.
[11] J.M. Hammersley and D.C. Handscomb. Monte Carlo Methods. Methuen's monographs on applied probability and statistics. Methuen, 1964.
[12] A. Kerckhoffs. La cryptographie militaire (military cryptography). Journal des sciences militaires, IX:5–83, January 1883. (in French).
[13] E. Konstantinou, V. Liagkou, P. Spirakis, Y. Stamatiou, and M. Yung. Electronic national lotteries. In Financial Cryptography, pages 147–163, Berlin, Heidelberg, 2004. Springer.
[14] B. Lampert, R. Wahby, S. Leonard, and P. Levis. Robust, low-cost, auditable random number generation for embedded system security. In Proc. of the 14th ACM Conference on Embedded Network Sensor Systems (SenSys'16), pages 16–27, New York, NY, USA, 2016. ACM.
[15] M. S. Lauretto, F. Nakano, C. A. B. Pereira, and J. M. Stern. Intentional sampling by goal optimization with decoupling by stochastic perturbation. In AIP Conference Proceedings, volume 1490, pages 189–201. American Institute of Physics, 2012.
[16] M. S. Lauretto, R. B. Stern, K. L. Morgan, M. H. Clark, and Julio J. L. Stern. Haphazard intentional allocation and rerandomization to improve covariate balance in experiments. In AIP Conference Proceedings, volume 1853, pages 050003.1–050003.8. AIP Publishing LLC, 2017.
[17] N. Luhmann. A Sociological Theory of Law. Routledge, London, 1985.
[18] N. Luhmann. Ecological Communication. The University of Chicago Press, 1989.
[19] D. Marcondes, C. Peixoto, and J.M. Stern. Assessing randomness in case assignment: The case study of the Brazilian Supreme Court. Law, Probability and Risk, 18(2-3):97–114, 2019.
[20] Ch. L. S. Montesquieu. Esprit des lois. Nourse & Vaillant, Paris, 1758.
[21] M. Naor. Bit commitment using pseudo-randomness. In Advances in Cryptology (CRYPTO'89), pages 128–136, New York, NY, 1990. Springer New York.
[22] NIST. (SP 800-123): Guide to General Server Security. National Institute of Standards and Technology, July 2008.
[23] NIST. (SP 800-22 rev.1) A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications. National Institute of Standards and Technology, Gaithersburg, MD, USA, April 2010.
[24] NIST. (FIPS 180-4) Secure Hash Standard (SHS). National Institute of Standards and Technology, August 2015.
[25] NIST. (SP 800-90A rev.1) Recommendation for Random Number Generation Using Deterministic Random Bit Generators. National Institute of Standards and Technology, Gaithersburg, MD, USA, June 2015.
[26] NIST. (FIPS PUB 186-5 - Draft) Digital Signature Standard (DSS). NIST, Gaithersburg, USA, 2019.
[27] NIST. (SP 800-131A Rev. 2) Transitioning the Use of Cryptographic Algorithms and Key Lengths. National Institute of Standards and Technology, Mar. 2019.
[28] J. Pearl. Causality: Models, Reasoning, and Inference. Cambridge University Press, 2009.
[29] B. Ripley. Stochastic Simulation. Wiley Series in Probability and Statistics. Wiley, 1987.
[30] E. Rodrigues. Bill of law 8503/2017 (in Portuguese), 2017.
[31] T. Rover. Secret source code: without publicizing current system, Brazilian Supreme Court opens consultation about proceedings distribution (in Portuguese), 2020.
[32] O. Saa and J.M. Stern. Auditable blockchain randomization tool. Proceedings, 33(1):17.1–17.6, 2019.
[33] P. Scozzafava. Uniform distribution and sum modulo m of independent random variables. Statistics & Probability Letters, 18(4):313–314, 1993.
[34] M. Simplicio, M. Santos, R. Leal, M. Gomes, and W. Goya. SecureTCG: a lightweight cheating-detection protocol for P2P multiplayer online trading card games. Security and Communication Networks, 7(12):2412–2431, 2014.
[35] J. M. Stern. Decoupling, sparsity, randomization, and objective bayesian inference. Cybernetics and Human Knowing, 15:49–68, 2008.
[36] J. M. Stern. Verstehen (causal/ interpretative understanding), erklaeren (law-governed description/ prediction), and empirical legal studies. Journal of Institutional and Theoretical Economics, 174(1):105–114, 2018.
[37] STF. Internal rules for the Brazilian Federal Supreme Court (in Portuguese), 2020.
[38] United Nations. Universal declaration of human rights, 1948.
[39] Z. Wan, D. Lo, X. Xia, and L. Cai. Bug characteristics in blockchain systems: A large-scale empirical study. In IEEE/ACM 14th Int. Conf. on Mining Software Repositories (MSR), pages 413–424, 2017.
[40] E. Wenger.