Card-based Cryptographic Protocols Using a …...0 2015-12-03 Alexander Koch et al. – Card-based Cryptographic Protocols Using a Minimal Number of Cards KIT DEPARTMENT OF INFORMATICS,

0 2015-12-03 Alexander Koch et al. – Card-based Cryptographic Protocols Using a Minimal Number of Cards

KIT

DEPARTMENT OF INFORMATICS, INSTITUTE OF THEORETICAL INFORMATICS

Card-based Cryptographic ProtocolsUsing a Minimal Number of Cards

ASIACRYPT 2015 | Alexander Koch, Stefan Walzer, Kevin Härtel

KIT – The Research University in the Helmholtz Association www.kit.edu

♥ ♣ ♥ ♣ → ♥ ♣ ♣ ♥

Motivating Scenario ICalculating Mutual Interest with Playing Cards


KIT

Secrets: Do I fancy him/her?To compute: Is there mutual interest?

Secure 2-party AND without computers

TrustedComputation



KIT



TrustedComputation



KIT



TrustedComputation



KIT



TrustedComputation

Motivating Scenario IIExplaining MPC to Non-Experts/Students


KIT

You meet s.o. at a bar and want to explain MPC as an examplefrom your work life.

Motivating Scenario IIExplaining MPC to Non-Experts/Students


KIT

You meet s.o. at a bar and want to explain MPC as an examplefrom your work life. Or to students in class

Motivating Scenario IIIYou are a theoretician


KIT

What is possible with unconventional computational models?MPC from indistinguishability of cards & correct shuffling

cf. to physical assumptions like tamper-proofness of hardware

♥ ♣ ♥︸︷︷︸

finite state control

– read vis. card seq.– do action on cards

Setting and Goal


KIT

Two types of indistinguishable cards:Heart ♥ and club ♣ with backside .

Encode bits as

♣ ♥ =̂ 0

♥ ♣ =̂ 1

Our goal (“committed format”)

Take face-down input (bits a,b)

Compute face-down output (a ∧ b)

Learn nothing about the input or output during protocol run.

♥ ♣

Curiosity:is perfectly hiding & binding

Setting and Goal


KIT


Encode bits as

♣ ♥ =̂ 0

♥ ♣ =̂ 1





♥ ♣


Setting and Goal


KIT


Encode bits as

♣ ♥ =̂ 0

♥ ♣ =̂ 1





♥ ♣


A Simple Six-Card AND ProtocolMizuki and Sone [MS09]


KIT

Observation: (a ∧ b) ≡ (if a then b else 0)

≡ (if ¬a then 0 else b)

The Protocol: ︸︷︷︸a

︸︷︷︸b

︸︷︷︸0

p =½−−−→ ︸︷︷︸¬a

︸︷︷︸0

︸︷︷︸b

With probability 1/2: Apply permutation (1 2)(3 5)(4 6).For privacy: each player once, without the other looking.

Turn first two cards♥ ♣︸︷︷︸=̂ 1

result is cards 3, 4 ♣ ♥︸︷︷︸=̂ 0

result is cards 5, 6



KIT

Observation: (a ∧ b) ≡ (if a then b else 0)≡ (if ¬a then 0 else b)


︸︷︷︸b

︸︷︷︸0

p =½−−−→ ︸︷︷︸¬a

︸︷︷︸0

︸︷︷︸b

With probability 1/2: Apply permutation (1 2)(3 5)(4 6).For privacy: each player once, without the other looking.






KIT



︸︷︷︸b

︸︷︷︸0

p =½−−−→ ︸︷︷︸¬a

︸︷︷︸0

︸︷︷︸b

With probability 1/2: Apply permutation (1 2)(3 5)(4 6).

For privacy: each player once, without the other looking.






KIT



︸︷︷︸b

︸︷︷︸0

p =½−−−→ ︸︷︷︸¬a

︸︷︷︸0

︸︷︷︸b

With probability 1/2: Apply permutation (1 2)(3 5)(4 6).For privacy: each player once, without the other looking.Turn first two cards♥ ♣︸︷︷︸=̂ 1



Demonstration of the Six-Card-ProtocolMizuki and Sone [MS09]


KIT

♥ ♣ ♥ ♣

♥ ♣ ♥ ♣ ♣ ♥

♥ ♣ ♥ ♣ ♣ ♥

(shuffle, {id,π = (1 2)(3 5)(4 6)})

♣ ♥ ♣ ♥ ♥ ♣

id with p = 1/2 π with p = 1/2

♥ ♣♥ ♣ ♣ ♥

♣ ♥♣ ♥ ♥ ♣

(turn, {1,2}) (turn, {1,2})



KIT

♥ ♣ ♥ ♣

♥ ♣ ♥ ♣ ♣ ♥

♥ ♣ ♥ ♣ ♣ ♥

(shuffle, {id,π = (1 2)(3 5)(4 6)})

♣ ♥ ♣ ♥ ♥ ♣


♥ ♣♥ ♣ ♣ ♥

♣ ♥♣ ♥ ♥ ♣

(turn, {1,2}) (turn, {1,2})



KIT

♥ ♣ ♥ ♣

♥ ♣ ♥ ♣ ♣ ♥

♥ ♣ ♥ ♣ ♣ ♥

(shuffle, {id,π = (1 2)(3 5)(4 6)})

♣ ♥ ♣ ♥ ♥ ♣


♥ ♣♥ ♣ ♣ ♥

♣ ♥♣ ♥ ♥ ♣

(turn, {1,2}) (turn, {1,2})



KIT

♥ ♣ ♥ ♣

♥ ♣ ♥ ♣ ♣ ♥

♥ ♣ ♥ ♣ ♣ ♥

(shuffle, {id,π = (1 2)(3 5)(4 6)})

♣ ♥ ♣ ♥ ♥ ♣


♥ ♣♥ ♣ ♣ ♥

♣ ♥♣ ♥ ♥ ♣

(turn, {1,2}) (turn, {1,2})

Can we do better than six cards?Open problem from [MS09; MS14; MKS12]


KIT

Main Question: Can a ∧ b be computed with 4 cards?in committed format (in the model of Mizuki and Shizuya [MS14])

Our Results1 Yes, 4 cards suffice. . .2 But 4-card protocols are necessarily Las Vegas (LV)

no a priori bound on runtimemethod: analyze “states” of protocols

3 Yes, 5 cards suffice for finite-runtime protocols4 LV protocol for k -ary functions using 2k cards5 Note: “Complex” Shuffles needed.

without committed output:[MKS12]: 4-card protocol

without committed input and output:[MWS15]: 2- and 3-card protocols



KIT









KIT







State Transitions: The Six-Card Protocol


KIT

♥♣♥♣♣♥ X11♥♣♣♥♣♥ X10♣♥♥♣♣♥ X01♣♥♣♥♣♥ X00

♥♣♥♣♣♥ 1/2X11♥♣♣♥♣♥ 1/2X10 + 1/2X00♣♥♥♣♣♥ 1/2X01♣♥♣♥♣♥ 1/2X00 + 1/2X10♣♥♣♥♥♣ 1/2X11♥♣♣♥♥♣ 1/2X01

(shuffle, {id, (1 2)(3 5)(4 6)})

♥♣♥♣♣♥ X11♥♣♣♥♣♥ X10 + X00♥♣♣♥♥♣ X01

♣♥♣♥♥♣ X11♣♥♣♥♣♥ X10 + X00♣♥♥♣♣♥ X01

(turn, {1,2})♥ ♣ ♣ ♥

(result,3,4)X

(result,5,6)X

Protocol State:Annotate currently possiblesequences with probability interms of symbolic input prob.Xij = Pr[a = i ,b = j ]



KIT

♥♣♥♣♣♥ X11♥♣♣♥♣♥ X10♣♥♥♣♣♥ X01♣♥♣♥♣♥ X00

♥♣♥♣♣♥ 1/2X11♥♣♣♥♣♥ 1/2X10 + 1/2X00♣♥♥♣♣♥ 1/2X01♣♥♣♥♣♥ 1/2X00 + 1/2X10♣♥♣♥♥♣ 1/2X11♥♣♣♥♥♣ 1/2X01

(shuffle, {id, (1 2)(3 5)(4 6)})

♥♣♥♣♣♥ X11♥♣♣♥♣♥ X10 + X00♥♣♣♥♥♣ X01

♣♥♣♥♥♣ X11♣♥♣♥♣♥ X10 + X00♣♥♥♣♣♥ X01

(turn, {1,2})♥ ♣ ♣ ♥

(result,3,4)X

(result,5,6)X




KIT

♥♣♥♣♣♥ X11♥♣♣♥♣♥ X10♣♥♥♣♣♥ X01♣♥♣♥♣♥ X00

♥♣♥♣♣♥ 1/2X11♥♣♣♥♣♥ 1/2X10 + 1/2X00♣♥♥♣♣♥ 1/2X01♣♥♣♥♣♥ 1/2X00 + 1/2X10♣♥♣♥♥♣ 1/2X11♥♣♣♥♥♣ 1/2X01

(shuffle, {id, (1 2)(3 5)(4 6)})

♥♣♥♣♣♥ X11♥♣♣♥♣♥ X10 + X00♥♣♣♥♥♣ X01

♣♥♣♥♥♣ X11♣♥♣♥♣♥ X10 + X00♣♥♥♣♣♥ X01

(turn, {1,2})♥ ♣ ♣ ♥

(result,3,4)X

(result,5,6)X




KIT

♥♣♥♣♣♥ X11♥♣♣♥♣♥ X10♣♥♥♣♣♥ X01♣♥♣♥♣♥ X00

♥♣♥♣♣♥ 1/2X11♥♣♣♥♣♥ 1/2X10 + 1/2X00♣♥♥♣♣♥ 1/2X01♣♥♣♥♣♥ 1/2X00 + 1/2X10♣♥♣♥♥♣ 1/2X11♥♣♣♥♥♣ 1/2X01

(shuffle, {id, (1 2)(3 5)(4 6)})

♥♣♥♣♣♥ X11♥♣♣♥♣♥ X10 + X00♥♣♣♥♥♣ X01

♣♥♣♥♥♣ X11♣♥♣♥♣♥ X10 + X00♣♥♥♣♣♥ X01

(turn, {1,2})♥ ♣ ♣ ♥

(result,3,4)X

(result,5,6)X




KIT

♥♣♥♣♣♥ X11♥♣♣♥♣♥ X10♣♥♥♣♣♥ X01♣♥♣♥♣♥ X00

♥♣♥♣♣♥ 1/2X11♥♣♣♥♣♥ 1/2X10 + 1/2X00♣♥♥♣♣♥ 1/2X01♣♥♣♥♣♥ 1/2X00 + 1/2X10♣♥♣♥♥♣ 1/2X11♥♣♣♥♥♣ 1/2X01

(shuffle, {id, (1 2)(3 5)(4 6)})

♥♣♥♣♣♥ X11♥♣♣♥♣♥ X10 + X00♥♣♣♥♥♣ X01

♣♥♣♥♥♣ X11♣♥♣♥♣♥ X10 + X00♣♥♥♣♣♥ X01

(turn, {1,2})♥ ♣ ♣ ♥

(result,3,4)X

(result,5,6)X




KIT

♥♣♥♣♣♥ X11♥♣♣♥♣♥ X10♣♥♥♣♣♥ X01♣♥♣♥♣♥ X00

♥♣♥♣♣♥ 1/2X11♥♣♣♥♣♥ 1/2X10 + 1/2X00♣♥♥♣♣♥ 1/2X01♣♥♣♥♣♥ 1/2X00 + 1/2X10♣♥♣♥♥♣ 1/2X11♥♣♣♥♥♣ 1/2X01

(shuffle, {id, (1 2)(3 5)(4 6)})

♥♣♥♣♣♥ X11♥♣♣♥♣♥ X10 + X00♥♣♣♥♥♣ X01

♣♥♣♥♥♣ X11♣♥♣♥♣♥ X10 + X00♣♥♥♣♣♥ X01

(turn, {1,2})♥ ♣ ♣ ♥

(result,3,4)X

(result,5,6)X




KIT

♥♣♥♣♣♥ X11♥♣♣♥♣♥ X10♣♥♥♣♣♥ X01♣♥♣♥♣♥ X00

♥♣♥♣♣♥ 1/2X11♥♣♣♥♣♥ 1/2X10 + 1/2X00♣♥♥♣♣♥ 1/2X01♣♥♣♥♣♥ 1/2X00 + 1/2X10♣♥♣♥♥♣ 1/2X11♥♣♣♥♥♣ 1/2X01

(shuffle, {id, (1 2)(3 5)(4 6)})

♥♣♥♣♣♥ X11♥♣♣♥♣♥ X10 + X00♥♣♣♥♥♣ X01

♣♥♣♥♥♣ X11♣♥♣♥♣♥ X10 + X00♣♥♥♣♣♥ X01

(turn, {1,2})♥ ♣ ♣ ♥

(result,3,4)X

(result,5,6)X




KIT

♥♣♥♣♣♥ X11♥♣♣♥♣♥ X10♣♥♥♣♣♥ X01♣♥♣♥♣♥ X00

♥♣♥♣♣♥ 1/2X11♥♣♣♥♣♥ 1/2X10 + 1/2X00♣♥♥♣♣♥ 1/2X01♣♥♣♥♣♥ 1/2X00 + 1/2X10♣♥♣♥♥♣ 1/2X11♥♣♣♥♥♣ 1/2X01

(shuffle, {id, (1 2)(3 5)(4 6)})

♥♣♥♣♣♥ X11♥♣♣♥♣♥ X10 + X00♥♣♣♥♥♣ X01

♣♥♣♥♥♣ X11♣♥♣♥♣♥ X10 + X00♣♥♥♣♣♥ X01

(turn, {1,2})♥ ♣ ♣ ♥

(result,3,4)X

(result,5,6)X




KIT

♥♣♥♣♣♥ X11♥♣♣♥♣♥ X10♣♥♥♣♣♥ X01♣♥♣♥♣♥ X00

♥♣♥♣♣♥ 1/2X11♥♣♣♥♣♥ 1/2X10 + 1/2X00♣♥♥♣♣♥ 1/2X01♣♥♣♥♣♥ 1/2X00 + 1/2X10♣♥♣♥♥♣ 1/2X11♥♣♣♥♥♣ 1/2X01

(shuffle, {id, (1 2)(3 5)(4 6)})

♥♣♥♣♣♥ X11♥♣♣♥♣♥ X10 + X00♥♣♣♥♥♣ X01

♣♥♣♥♥♣ X11♣♥♣♥♣♥ X10 + X00♣♥♥♣♣♥ X01

(turn, {1,2})♥ ♣ ♣ ♥

(result,3,4)X

(result,5,6)X




KIT

♥♣♥♣♣♥ X11♥♣♣♥♣♥ X10♣♥♥♣♣♥ X01♣♥♣♥♣♥ X00

♥♣♥♣♣♥ 1/2X11♥♣♣♥♣♥ 1/2X10 + 1/2X00♣♥♥♣♣♥ 1/2X01♣♥♣♥♣♥ 1/2X00 + 1/2X10♣♥♣♥♥♣ 1/2X11♥♣♣♥♥♣ 1/2X01

(shuffle, {id, (1 2)(3 5)(4 6)})

♥♣♥♣♣♥ X11♥♣♣♥♣♥ X10 + X00♥♣♣♥♥♣ X01

♣♥♣♥♥♣ X11♣♥♣♥♣♥ X10 + X00♣♥♥♣♣♥ X01

(turn, {1,2})♥ ♣ ♣ ♥

(result,3,4)X

(result,5,6)X




KIT

♥♣♥♣♣♥ X11♥♣♣♥♣♥ X10♣♥♥♣♣♥ X01♣♥♣♥♣♥ X00

♥♣♥♣♣♥ 1/2X11♥♣♣♥♣♥ 1/2X10 + 1/2X00♣♥♥♣♣♥ 1/2X01♣♥♣♥♣♥ 1/2X00 + 1/2X10♣♥♣♥♥♣ 1/2X11♥♣♣♥♥♣ 1/2X01

(shuffle, {id, (1 2)(3 5)(4 6)})

♥♣♥♣♣♥ X11♥♣♣♥♣♥ X10 + X00♥♣♣♥♥♣ X01

♣♥♣♥♥♣ X11♣♥♣♥♣♥ X10 + X00♣♥♥♣♣♥ X01

(turn, {1,2})♥ ♣ ♣ ♥

(result,3,4)X

(result,5,6)X


Impossibility Result


KIT

TheoremThere is no secure finite-runtime four-card AND protocol

Proof IdeaEach sequence belongs either to output 0 or to 1.An i |j-state has i 0-sequences and j 1-sequences.Define non-reachable “good” states:

start state

“bad” states “good” states

not possibleby turn/shuffle

final states

start type: 3|1♥♣♥♣ X11♥♣♣♥ X10♣♥♥♣ X01♣♥♣♥ X00

e.g. 2|2 state:♣♥♥♣ X01 + X00♣♥♣♥ X10♥♣♣♥ 1/2X11♥↑♣↑♥♣ 1/2X11



KIT



start state



final states

start type: 3|1♥♣♥♣ X11♥♣♣♥ X10♣♥♥♣ X01♣♥♣♥ X00

e.g. 2|2 state:♣♥♥♣ X01 + X00♣♥♣♥ X10♥♣♣♥ 1/2X11♥↑♣↑♥♣ 1/2X11



KIT



start state



final states

start type: 3|1♥♣♥♣ X11♥♣♣♥ X10♣♥♥♣ X01♣♥♣♥ X00

e.g. 2|2 state:♣♥♥♣ X01 + X00♣♥♣♥ X10♥♣♣♥ 1/2X11♥↑♣↑♥♣ 1/2X11

Proof Idea – Single Card Turns


KIT

1|1

2|1 1|2without const pos

2|2

2|11|2with const pos

3|11|3

4|11|4

5|11|5

2|3 3|2

2|4 4|2 3|3

“Bad” States “Good” States

Observation 1. After turn: with const pos. and ≤ 3 sequences.Observation 2. Turnable states are i |j with i , j ≥ 2.Observation 3. W.l.o.g. we need to consider half of the states.



KIT

1|1


2|2


3|11|3

4|11|4

5|11|5

2|3 3|2

2|4 4|2 3|3


Observation 1. After turn: with const pos. and ≤ 3 sequences.

Observation 2. Turnable states are i |j with i , j ≥ 2.Observation 3. W.l.o.g. we need to consider half of the states.



KIT

1|1


2|2


3|11|3

4|11|4

5|11|5

2|3 3|2

2|4 4|2 3|3


Observation 1. After turn: with const pos. and ≤ 3 sequences.

Observation 2. Turnable states are i |j with i , j ≥ 2.

Observation 3. W.l.o.g. we need to consider half of the states.



KIT

1|1


2|2


3|11|3

4|11|4

5|11|5

2|3 3|2

2|4 4|2 3|3


Observation 1. After turn: with const pos. and ≤ 3 sequences.Observation 2. Turnable states are i |j with i , j ≥ 2.

Observation 3. W.l.o.g. we need to consider half of the states.



KIT

1|1


2|2


3|11|3

4|11|4

5|11|5

2|3 3|2

2|4 4|2 3|3





KIT

1|1


2|2


3|11|3

4|11|4

5|11|5

2|3 3|2

2|4 4|2 3|3



Proof Idea – Shuffles


KIT

1|1


2|2


3|11|3

4|11|4

5|11|5

2|3 3|2

2|4 4|2 3|3


??

s0: ♥♥♣♣s′0: ♥♣♥♣s1: ♥♣♣♥

s′′0: ♣♥♣♥s′1: ♣♥♣♥

p = ½

Observation 1. Shuffles increase #sequences per type

Apply (shuffle,Π,F ) to this state.Case 1: All π ∈ Π put constant column to same position.=⇒ the resulting state still has a constant column.

Apply (shuffle,Π,F ) to this state.Case 2: There are π1,π2 ∈ Π putting the const. col. in different pos.=⇒ the resulting state has at least 5 sequences.



KIT

1|1


2|2


3|11|3

4|11|4

5|11|5

2|3 3|2

2|4 4|2 3|3


??

s0: ♥♥♣♣s′0: ♥♣♥♣s1: ♥♣♣♥

s′′0: ♣♥♣♥s′1: ♣♥♣♥

p = ½






KIT

1|1


2|2


3|11|3

4|11|4

5|11|5

2|3 3|2

2|4 4|2 3|3


??

s0: ♥♥♣♣s′0: ♥♣♥♣s1: ♥♣♣♥

s′′0: ♣♥♣♥s′1: ♣♥♣♥

p = ½






KIT

1|1


2|2


3|11|3

4|11|4

5|11|5

2|3 3|2

2|4 4|2 3|3


??

s0: ♥♥♣♣s′0: ♥♣♥♣s1: ♥♣♣♥

s′′0: ♣♥♣♥s′1: ♣♥♣♥

p = ½






KIT

1|1


2|2


3|11|3

4|11|4

5|11|5

2|3 3|2

2|4 4|2 3|3


??

s0: ♥♥♣♣s′0: ♥♣♥♣s1: ♥♣♣♥s′′0: ♣♥♣♥s′1: ♣♥♣♥

p = ½




Our Four-Card Protocol


KIT

♥♣♥♣

♥

X11♥♣♣♥

♥

X10♣♥♥♣

♥

X01♣♥♣♥

♥

X00

start state

♥♥♣♣

♥

1/2X11♥♣♥♣

♥

1/2X11♣♥♥♣

♥

1/2X10 + 1/2X01♥♣♣♥

♥

1/2X10 + 1/2X01♣♥♣♥

♥

1/2X00♣♣♥♥

♥

1/2X00(shuffle, {id, (1 3)(2 4), (2 3), (1 2 4 3)})

♥♥♣♣

♥

X11♣♥♥♣

♥

X10 + X01♣♥♣♥

♥

X00

♥♥♣♣

♥

X1♣♥♥♣

♥

1/2X0♣♥♣♥

♥

1/2X0

(shuffle, {id, (3 4)})

♥♥♣♣

♥

1/3X1♣♣♥♥

♥

2/3X1♣♥♥♣

♥

1/6X0♥♣♣♥

♥

1/3X0♣♥♣♥

♥

1/2X0

(shuffle, {id, (1 3)(2 4)},F )F : id 7→ 1/3, (1 3)(2 4) 7→ 2/3

♥♥♣♣

♥

X1♥♣♣♥

♥

X0

(result,2,4)X

♣♣♥♥

♥

X1♣♥♥♣

♥

1/4X0♣♥♣♥

♥

3/4X0

(turn, {1})♣ ♥

♣♣♥♥

♥

X1♣♥♥♣

♥

1/2X0♣♥♣♥

♥

1/2X0


♥♣♥♣

♥

X11♥♣♣♥

♥

X10 + X01♣♣♥♥

♥

X00

♥♣♥♣

♥

X1♥♣♣♥

♥

1/2X0♣♣♥♥

♥

1/2X0


(turn, {2})♣ ♥

(perm, (1 2 4 3))

♥♣♥♣ 1/3X1♣♥♣♥ 2/3X1♥♣♣♥ 1/6X0♣♥♥♣ 1/3X0♣♣♥♥ 1/2X0

(shuffle, {id, (1 2)(3 4)},F )F : id 7→ 1/3, (1 2)(3 4) 7→ 2/3

♥♣♥♣ X1♣♥♥♣ X0

(result,1,2)X

♣♥♣♥ X1♥♣♣♥ 1/4X0♣♣♥♥ 3/4X0

(turn, {4})♣ ♥

♣♥♣♥ X1♥♣♣♥ 1/2X0♣♣♥♥ 1/2X0


(perm, (1 3 4 2))

♣♥♥♣♥ 2/3X1♥♥♣♥♣ 1/3X1♥♥♣♣♥ 1/2X0♥♣♣♥♥ 1/6X0♥♥♥♣♣ 1/3X0

(perm, (1 5 2 4)), (shuffle, {id, (5 4 3 2 1)},F )F : id 7→ 2/3, (5 4 3 2 1) 7→ 1/3

♥♥♣♥♣ X1♥♥♥♣♣ X0

(result,4,3)X

♣♥♥♣♥ X1♥♥♣♣♥ 3/4X0♥♣♣♥♥ 1/4X0

(result,3,1)X

(turn, {5})♣ ♥

Our Four-Card Protocol


KIT

♥♣♥♣

♥

X11♥♣♣♥

♥

X10♣♥♥♣

♥

X01♣♥♣♥

♥

X00

start state

♥♥♣♣

♥

1/2X11♥♣♥♣

♥

1/2X11♣♥♥♣

♥

1/2X10 + 1/2X01♥♣♣♥

♥

1/2X10 + 1/2X01♣♥♣♥

♥

1/2X00♣♣♥♥

♥

1/2X00(shuffle, {id, (1 3)(2 4), (2 3), (1 2 4 3)})

♥♥♣♣

♥

X11♣♥♥♣

♥

X10 + X01♣♥♣♥

♥

X00

♥♥♣♣

♥

X1♣♥♥♣

♥

1/2X0♣♥♣♥

♥

1/2X0


♥♥♣♣

♥

1/3X1♣♣♥♥

♥

2/3X1♣♥♥♣

♥

1/6X0♥♣♣♥

♥

1/3X0♣♥♣♥

♥

1/2X0

(shuffle, {id, (1 3)(2 4)},F )F : id 7→ 1/3, (1 3)(2 4) 7→ 2/3

♥♥♣♣

♥

X1♥♣♣♥

♥

X0

(result,2,4)X

♣♣♥♥

♥

X1♣♥♥♣

♥

1/4X0♣♥♣♥

♥

3/4X0

(turn, {1})♣ ♥

♣♣♥♥

♥

X1♣♥♥♣

♥

1/2X0♣♥♣♥

♥

1/2X0


♥♣♥♣

♥

X11♥♣♣♥

♥

X10 + X01♣♣♥♥

♥

X00

♥♣♥♣

♥

X1♥♣♣♥

♥

1/2X0♣♣♥♥

♥

1/2X0


(turn, {2})♣ ♥

(perm, (1 2 4 3))

♥♣♥♣ 1/3X1♣♥♣♥ 2/3X1♥♣♣♥ 1/6X0♣♥♥♣ 1/3X0♣♣♥♥ 1/2X0

(shuffle, {id, (1 2)(3 4)},F )F : id 7→ 1/3, (1 2)(3 4) 7→ 2/3

♥♣♥♣ X1♣♥♥♣ X0

(result,1,2)X

♣♥♣♥ X1♥♣♣♥ 1/4X0♣♣♥♥ 3/4X0

(turn, {4})♣ ♥

♣♥♣♥ X1♥♣♣♥ 1/2X0♣♣♥♥ 1/2X0


(perm, (1 3 4 2))

♣♥♥♣♥ 2/3X1♥♥♣♥♣ 1/3X1♥♥♣♣♥ 1/2X0♥♣♣♥♥ 1/6X0♥♥♥♣♣ 1/3X0


♥♥♣♥♣ X1♥♥♥♣♣ X0

(result,4,3)X

♣♥♥♣♥ X1♥♥♣♣♥ 3/4X0♥♣♣♥♥ 1/4X0

(result,3,1)X

(turn, {5})♣ ♥

Our Five-Card Protocol


KIT

♥♣♥♣♥ X11♥♣♣♥♥ X10♣♥♥♣♥ X01♣♥♣♥♥ X00

start state

♥♥♣♣♥ 1/2X11♥♣♥♣♥ 1/2X11♣♥♥♣♥ 1/2X10 + 1/2X01♥♣♣♥♥ 1/2X10 + 1/2X01♣♥♣♥♥ 1/2X00♣♣♥♥♥ 1/2X00

(shuffle, {id, (1 3)(2 4), (2 3), (1 2 4 3)})

♥♥♣♣♥ X11♣♥♥♣♥ X10 + X01♣♥♣♥♥ X00

♥♥♣♣♥ X1♣♥♥♣♥ 1/2X0♣♥♣♥♥ 1/2X0


♥♥♣♣♥ 1/3X1♣♣♥♥♥ 2/3X1♣♥♥♣♥ 1/6X0♥♣♣♥♥ 1/3X0♣♥♣♥♥ 1/2X0

(shuffle, {id, (1 3)(2 4)},F )F : id 7→ 1/3, (1 3)(2 4) 7→ 2/3

♥♥♣♣♥ X1♥♣♣♥♥ X0

(result,2,4)X

♣♣♥♥♥ X1♣♥♥♣♥ 1/4X0♣♥♣♥♥ 3/4X0

(turn, {1})♣ ♥

♣♣♥♥♥ X1♣♥♥♣♥ 1/2X0♣♥♣♥♥ 1/2X0


♥♣♥♣♥ X11♥♣♣♥♥ X10 + X01♣♣♥♥♥ X00

♥♣♥♣♥ X1♥♣♣♥♥ 1/2X0♣♣♥♥♥ 1/2X0


(turn, {2})♣ ♥

(perm, (1 2 4 3))

♥♣♥♣ 1/3X1♣♥♣♥ 2/3X1♥♣♣♥ 1/6X0♣♥♥♣ 1/3X0♣♣♥♥ 1/2X0

(shuffle, {id, (1 2)(3 4)},F )F : id 7→ 1/3, (1 2)(3 4) 7→ 2/3

♥♣♥♣ X1♣♥♥♣ X0

(result,1,2)X

♣♥♣♥ X1♥♣♣♥ 1/4X0♣♣♥♥ 3/4X0

(turn, {4})♣ ♥

♣♥♣♥ X1♥♣♣♥ 1/2X0♣♣♥♥ 1/2X0


(perm, (1 3 4 2))

♣♥♥♣♥ 2/3X1♥♥♣♥♣ 1/3X1♥♥♣♣♥ 1/2X0♥♣♣♥♥ 1/6X0♥♥♥♣♣ 1/3X0


♥♥♣♥♣ X1♥♥♥♣♣ X0

(result,4,3)X

♣♥♥♣♥ X1♥♥♣♣♥ 3/4X0♥♣♣♥♥ 1/4X0

(result,3,1)X

(turn, {5})♣ ♥

Our Five-Card Protocol


KIT

♥♣♥♣♥ X11♥♣♣♥♥ X10♣♥♥♣♥ X01♣♥♣♥♥ X00

start state

♥♥♣♣♥ 1/2X11♥♣♥♣♥ 1/2X11♣♥♥♣♥ 1/2X10 + 1/2X01♥♣♣♥♥ 1/2X10 + 1/2X01♣♥♣♥♥ 1/2X00♣♣♥♥♥ 1/2X00

(shuffle, {id, (1 3)(2 4), (2 3), (1 2 4 3)})

♥♥♣♣♥ X11♣♥♥♣♥ X10 + X01♣♥♣♥♥ X00

♥♥♣♣♥ X1♣♥♥♣♥ 1/2X0♣♥♣♥♥ 1/2X0


♥♥♣♣♥ 1/3X1♣♣♥♥♥ 2/3X1♣♥♥♣♥ 1/6X0♥♣♣♥♥ 1/3X0♣♥♣♥♥ 1/2X0

(shuffle, {id, (1 3)(2 4)},F )F : id 7→ 1/3, (1 3)(2 4) 7→ 2/3

♥♥♣♣♥ X1♥♣♣♥♥ X0

(result,2,4)X

♣♣♥♥♥ X1♣♥♥♣♥ 1/4X0♣♥♣♥♥ 3/4X0

(turn, {1})♣ ♥

♣♣♥♥♥ X1♣♥♥♣♥ 1/2X0♣♥♣♥♥ 1/2X0


♥♣♥♣♥ X11♥♣♣♥♥ X10 + X01♣♣♥♥♥ X00

♥♣♥♣♥ X1♥♣♣♥♥ 1/2X0♣♣♥♥♥ 1/2X0


(turn, {2})♣ ♥

(perm, (1 2 4 3))

♥♣♥♣ 1/3X1♣♥♣♥ 2/3X1♥♣♣♥ 1/6X0♣♥♥♣ 1/3X0♣♣♥♥ 1/2X0

(shuffle, {id, (1 2)(3 4)},F )F : id 7→ 1/3, (1 2)(3 4) 7→ 2/3

♥♣♥♣ X1♣♥♥♣ X0

(result,1,2)X

♣♥♣♥ X1♥♣♣♥ 1/4X0♣♣♥♥ 3/4X0

(turn, {4})♣ ♥

♣♥♣♥ X1♥♣♣♥ 1/2X0♣♣♥♥ 1/2X0


(perm, (1 3 4 2))

♣♥♥♣♥ 2/3X1♥♥♣♥♣ 1/3X1♥♥♣♣♥ 1/2X0♥♣♣♥♥ 1/6X0♥♥♥♣♣ 1/3X0


♥♥♣♥♣ X1♥♥♥♣♣ X0

(result,4,3)X

♣♥♥♣♥ X1♥♥♣♣♥ 3/4X0♥♣♣♥♥ 1/4X0

(result,3,1)X

(turn, {5})♣ ♥

Summary


KIT

Runtime Shuffles #Cards Reference

exp. finite non-uniform closed 4 [KWH15]exp. finite uniform non-closed 4 [KWH15]

finite non-uniform non-closed 5 [KWH15]finite uniform closed ≤ 6 [MS09]

Open Question: What if we restrict the computational model?

Thank you for your attention!

Summary


KIT






Summary


KIT






References: I


KIT

A. Koch, S. Walzer, and K. Härtel. “Card-basedCryptographic Protocols Using a Minimal Number ofCards”. In: ASIACRYPT 2015. Ed. by T. Iwata andJ. Cheon. Vol. 9452. LNCS. Springer, 2015,pp. 783–807.

T. Mizuki, M. Kumamoto, and H. Sone. “The Five-CardTrick Can Be Done with Four Cards”. In: ASIACRYPT2012. Ed. by X. Wang and K. Sako. Vol. 7658. LNCS.Springer, 2012, pp. 598–606.

T. Mizuki and H. Sone. “Six-Card Secure AND andFour-Card Secure XOR”. In: FAW 2009. Ed. byX. Deng, J. E. Hopcroft, and J. Xue. Vol. 5598. LNCS.Springer, 2009, pp. 358–369.

References: II


KIT

T. Mizuki and H. Shizuya. “A formalization ofcard-based cryptographic protocols via abstractmachine”. In: Int. J. Inf. Secur. 13.1 (2014), pp. 15–23.

A. Marcedone, Z. Wen, and E. Shi. Secure Dating withFour or Fewer Cards. Cryptology ePrint Archive,Report 2015/1031. https://eprint.iacr.org/. 2015.

https://eprint.iacr.org/

References: III


KIT

Various Artists. Title image from http:

//pdpics.com/photo/6619-ten-cards-of-all-suits/,public domain. Image of Bar fromhttps://pixabay.com/en/bar-pub-restaurant-

rustic-barrels-406884/, public domain. Image oflecture hall from brett jordan,https://www.flickr.com/photos/x1brett/1472187414,CC-BY-2.0. XKCD comic figures by Randall Munroefrom https://xkcd.com/, CC-BY-NC-2.5.

http://pdpics.com/photo/6619-ten-cards-of-all-suits/

http://pdpics.com/photo/6619-ten-cards-of-all-suits/

https://pixabay.com/en/bar-pub-restaurant-rustic-barrels-406884/

https://pixabay.com/en/bar-pub-restaurant-rustic-barrels-406884/

https://www.flickr.com/photos/x1brett/1472187414

https://creativecommons.org/licenses/by/2.0/

https://xkcd.com/

https://creativecommons.org/licenses/by-nc/2.5/

Documents

Card-based Cryptographic Protocols Using a …...0 2015-12-03 Alexander Koch et al. – Card-based Cryptographic Protocols Using a Minimal Number of Cards KIT DEPARTMENT OF INFORMATICS,