Independent Perspective on Core Integrity Requirements for Electronic Draw Systems and RNGs
Thomas Bierbach's perspective on core integrity requirements for electronic draw systems and RNGs
an independent perspective of industry best practices and standards.
In a recent EL webinar “Draws, balls, and RNGs”, Thomas Bierbach, a consultant to Bulletproof, a GLI Company, and lottery security authority, shared his perspective about core integrity requirements for electronic draw systems and RNGs. Thomas Bierbach has researched many and reviewed various electronic draw systems (EDS) and the underlying RNGs, and provides a thorough independent perspective of industry best practices and standards. We would like to share his recommendations on RNG integrity as we believe they provide an important guideline for the lottery industry. His discussion is in alignment with our company vision, “to have the industry embrace non repudiation and proof of integrity as a standard for random number generation.”
Bierbach identified what he believed should be core integrity requirements for Electronic Draw Systems.
0. Randomness
Bierbach begins his panel discussing the “zero requirement”, necessary to any RNG: randomness. Certification is essential to ensure that the RNG yields random results. However, certification does not ensure that manipulation, malpractice, or malfunction do not compromise the RNG randomness, such as happened in several lotteries when a machine used for the drawings generated the same winning numbers in consecutive games over a few day period. See the Des Moines Register for historic examples of repeat numbers selected on an Electronic Draw Systems. (here) (See here for more information).
Bierbach says: “For the longest time everybody thought that if a random number generator is certified that means it is secure and it operates at the highest levels of integrity, which created a bit of a false sense of security. Again, the certification only confirms that the results of the random number generator are random and have fair distribution based on a specification that is tested. It does not confirm that the random number generator and the electronic draw system (EDS) it is deployed in are tamper-proof and work with absolute integrity.”
1. Unpredictability
Other than randomness, unpredictability is another obvious core requirement for EDSs. Unpredictability means that no one can determine from past draw results what the upcoming results will be, or from current draw results what future results will be. Of course, if the draw results are predictable, then some individuals will be able to unfairly win the games.
2. Non repudiation of origin
Bierbach’s number two requirement is non repudiation of the origin of random numbers, which is the proof of the draw outcomes and of their origin, where we can be certain that the result coming out at the end of the electronic draw system really originated from the very source of that electronic draw system.
Draw Non repudiation protects lotteries against draw system vulnerabilities. Draw system weaknesses include hardware failures, software defects, and insider fraud – all which are difficult to spot because incorrect or fraudulent numbers look just like randomly generated outcomes! (For more about non repudiation, read these two blogs posts: “Future Tamper Proof RNG” and “Non Repudiation and Draw Integrity“)
3. Auditability and Repeatability
The third requirement is the auditability and repeatability of an electronic draw system. This concept is very simple: Bierbach references the ‘old fashioned’ ball draw systems which are very auditable because they are often observed by millions of players on the television. Prior to the draws, balls are weighed and tested, then the draws take places, and then post-draw testing and weighing happens. They are not repeatable however, as a one-time event, they are compared to shattering a glass, which will never break exactly the same way twice.
In Szrek’s electronic draw system, the draw system creates a proof of integrity record, and then the audit process takes that record and recreates the draw results. By recreating the results, the auditor is able to match them with the original results and confirm that they are correct. If verification fails, it is a proof of a problem, you can analyze what the problem is; and if verification gives positive results, it proves conclusively that there was no problem. See “What is Proof of Integrity?” for more detail. For a case study about proving the validity of a draw, see “Expect the Unexpected“. You may also refer to the WLA article “Random chance is the essence of the lottery”, on page 10, ‘A seemingly unusual draw’.
4. Transparency
Bierbach advocates for the importance of transparency in lottery draws, saying
“Many electronic draw systems that I’ve reviewed are lacking transparency. They’re highly complex and complicated systems that obviously, according to the developers and the creators of those systems, operate at a high level of integrity. However, I can’t see it. I call this the Black Box effect… I can’t really see what’s going on inside the system and inside the process, because all we know about electronic draw systems is we’re looking at a computer. Somebody pushes a button and the number appears on the screen. We don’t really know where that number comes from.”
Concurring with Bierbach about the importance of transparency, we wrote about this very topic in our white paper, “Redefining Transparency in Lottery Draws” .
To say that a problem has not been noticed is not to say that one has not occurred, as random numbers all look alike!
We believe the industry as a whole would benefit from transparency in the draw process through proof of integrity, which guarantees the integrity of the whole random number generation process.
5. Understandability (black box factor)
The last core integrity requirement that Bierbach discusses and stresses as extremely important is the understandability of the system. “Not everybody is able to explain the details where a seed comes from, where the randomness is created, what the chain of custody is… and all these things just leave gaps open. That leaves the security folks of a lottery, for example, deploying an EDS and just having to trust the system to be of highest integrity. Trust as we all know is great but it’s not really a good security control.”
We’ve discussed the black box factor in a recent NASPL article, “Deconstructing the Black Box”.
As experts in RNG, at Szrek2Solutions we concur with this vision of core integrity factors for EDSs. We appreciate Thomas Bierbach’s perspective and share his vision as a helpful guideline to lotteries and other organizations in the industry.
Bulletproof's Assessment of Szrek Draw Technology (2018)
Independent Review of Security and Nonrepudiation of the Szrek2Solutions Electronic Draw System (EDS)
While certifying randomness is a standard procedure for every deployment, providing non repudiation and proof of integrity are not often required. As a leader in RNG technology, we found value in having our products independently reviewed to assess and validate our technology. In 2018, Bulletproof, a GLI company, evaluated Szrek2Solutions’ RNG solution, Trusted Draw™ and Trusted Audit™.
This independent review by Bulletproof highlights the importance of proof of integrity in draw systems and confirms that our technology provides this unique value proposition. Lotteries that use our Trusted Draw and Trusted Audit systems are guaranteed that they will not have any undetected draw problems, whether they are due to hardware faults, software faults, or fraud. And, if draw results come out looking ‘non random’, they will be able to prove their validity and randomness. Read it here:
Summary of the final report ‘Independent Review of Security and Nonrepudiation of the Szrek2Solutions Electronic Draw System (EDS)’ validated Szrek’s RNG draw solution as meeting or exceeding the best practices by providing conclusive auditability and proof of integrity.
In a PGRI interview, Paul Jason asks Szrek2Solutions VP, “Who is this Review most relevant to — who are you trying to communicate the results of this Bulletproof independent review to?
Helena Pereira: “We need to reach security directors, IT directors, and draw staff, but our audience is very much the executive directors and key decision makers in lotteries who are determining whether to use an electronic draw system. We want to make them all aware that the risks of using random number generators can be eradicated by using RNGs which provide nonrepudiation of draw outcomes. We believe that transparency and 100% fault and fraud detection need to become a standard required from any RNG solution used by the industry. The industry continues to be exposed to security risks, unless transparency and nonrepudiation of the draw outcomes is being enforced.
We hope to change the way of thinking regarding electronic draw systems: with proof of integrity for every draw and consistent verification, electronic draw systems provide a viable, secure alternative to mechanical machines at a much lower price point. Similarly, to how gaming systems use an independent ICS system to ensure gaming system integrity, an electronic draw system must also provide non repudiation and independent verification of integrity for the draw process.”
Helena Pereira, Vice President, Szrek2Solutions