Upload
others
View
1
Download
0
Embed Size (px)
Citation preview
0 2015-12-03 Alexander Koch et al. – Card-based Cryptographic Protocols Using a Minimal Number of Cards
KIT
DEPARTMENT OF INFORMATICS, INSTITUTE OF THEORETICAL INFORMATICS
Card-based Cryptographic ProtocolsUsing a Minimal Number of Cards
ASIACRYPT 2015 | Alexander Koch, Stefan Walzer, Kevin Härtel
KIT – The Research University in the Helmholtz Association www.kit.edu
♥ ♣ ♥ ♣ → ♥ ♣ ♣ ♥
Motivating Scenario ICalculating Mutual Interest with Playing Cards
1 2015-12-03 Alexander Koch et al. – Card-based Cryptographic Protocols Using a Minimal Number of Cards
KIT
Secrets: Do I fancy him/her?To compute: Is there mutual interest?
Secure 2-party AND without computers
TrustedComputation
Motivating Scenario ICalculating Mutual Interest with Playing Cards
1 2015-12-03 Alexander Koch et al. – Card-based Cryptographic Protocols Using a Minimal Number of Cards
KIT
Secrets: Do I fancy him/her?To compute: Is there mutual interest?
Secure 2-party AND without computers
TrustedComputation
Motivating Scenario ICalculating Mutual Interest with Playing Cards
1 2015-12-03 Alexander Koch et al. – Card-based Cryptographic Protocols Using a Minimal Number of Cards
KIT
Secrets: Do I fancy him/her?To compute: Is there mutual interest?
Secure 2-party AND without computers
TrustedComputation
Motivating Scenario ICalculating Mutual Interest with Playing Cards
1 2015-12-03 Alexander Koch et al. – Card-based Cryptographic Protocols Using a Minimal Number of Cards
KIT
Secrets: Do I fancy him/her?To compute: Is there mutual interest?
Secure 2-party AND without computers
TrustedComputation
Motivating Scenario IIExplaining MPC to Non-Experts/Students
2 2015-12-03 Alexander Koch et al. – Card-based Cryptographic Protocols Using a Minimal Number of Cards
KIT
You meet s.o. at a bar and want to explain MPC as an examplefrom your work life.
Motivating Scenario IIExplaining MPC to Non-Experts/Students
2 2015-12-03 Alexander Koch et al. – Card-based Cryptographic Protocols Using a Minimal Number of Cards
KIT
You meet s.o. at a bar and want to explain MPC as an examplefrom your work life. Or to students in class
Motivating Scenario IIIYou are a theoretician
2 2015-12-03 Alexander Koch et al. – Card-based Cryptographic Protocols Using a Minimal Number of Cards
KIT
What is possible with unconventional computational models?MPC from indistinguishability of cards & correct shuffling
cf. to physical assumptions like tamper-proofness of hardware
♥ ♣ ♥︸ ︷︷ ︸
finite state control
– read vis. card seq.– do action on cards
Setting and Goal
3 2015-12-03 Alexander Koch et al. – Card-based Cryptographic Protocols Using a Minimal Number of Cards
KIT
Two types of indistinguishable cards:Heart ♥ and club ♣ with backside .
Encode bits as
♣ ♥ =̂ 0
♥ ♣ =̂ 1
Our goal (“committed format”)
Take face-down input (bits a,b)
Compute face-down output (a ∧ b)
Learn nothing about the input or output during protocol run.
♥ ♣
Curiosity:is perfectly hiding & binding
Setting and Goal
3 2015-12-03 Alexander Koch et al. – Card-based Cryptographic Protocols Using a Minimal Number of Cards
KIT
Two types of indistinguishable cards:Heart ♥ and club ♣ with backside .
Encode bits as
♣ ♥ =̂ 0
♥ ♣ =̂ 1
Our goal (“committed format”)
Take face-down input (bits a,b)
Compute face-down output (a ∧ b)
Learn nothing about the input or output during protocol run.
♥ ♣
Curiosity:is perfectly hiding & binding
Setting and Goal
3 2015-12-03 Alexander Koch et al. – Card-based Cryptographic Protocols Using a Minimal Number of Cards
KIT
Two types of indistinguishable cards:Heart ♥ and club ♣ with backside .
Encode bits as
♣ ♥ =̂ 0
♥ ♣ =̂ 1
Our goal (“committed format”)
Take face-down input (bits a,b)
Compute face-down output (a ∧ b)
Learn nothing about the input or output during protocol run.
♥ ♣
Curiosity:is perfectly hiding & binding
A Simple Six-Card AND ProtocolMizuki and Sone [MS09]
4 2015-12-03 Alexander Koch et al. – Card-based Cryptographic Protocols Using a Minimal Number of Cards
KIT
Observation: (a ∧ b) ≡ (if a then b else 0)
≡ (if ¬a then 0 else b)
The Protocol: ︸︷︷︸a
︸︷︷︸b
︸︷︷︸0
p =½−−−→ ︸︷︷︸¬a
︸︷︷︸0
︸︷︷︸b
With probability 1/2: Apply permutation (1 2)(3 5)(4 6).For privacy: each player once, without the other looking.
Turn first two cards♥ ♣︸ ︷︷ ︸=̂ 1
result is cards 3, 4 ♣ ♥︸ ︷︷ ︸=̂ 0
result is cards 5, 6
A Simple Six-Card AND ProtocolMizuki and Sone [MS09]
4 2015-12-03 Alexander Koch et al. – Card-based Cryptographic Protocols Using a Minimal Number of Cards
KIT
Observation: (a ∧ b) ≡ (if a then b else 0)≡ (if ¬a then 0 else b)
The Protocol: ︸︷︷︸a
︸︷︷︸b
︸︷︷︸0
p =½−−−→ ︸︷︷︸¬a
︸︷︷︸0
︸︷︷︸b
With probability 1/2: Apply permutation (1 2)(3 5)(4 6).For privacy: each player once, without the other looking.
Turn first two cards♥ ♣︸ ︷︷ ︸=̂ 1
result is cards 3, 4 ♣ ♥︸ ︷︷ ︸=̂ 0
result is cards 5, 6
A Simple Six-Card AND ProtocolMizuki and Sone [MS09]
4 2015-12-03 Alexander Koch et al. – Card-based Cryptographic Protocols Using a Minimal Number of Cards
KIT
Observation: (a ∧ b) ≡ (if a then b else 0)≡ (if ¬a then 0 else b)
The Protocol: ︸︷︷︸a
︸︷︷︸b
︸︷︷︸0
p =½−−−→ ︸︷︷︸¬a
︸︷︷︸0
︸︷︷︸b
With probability 1/2: Apply permutation (1 2)(3 5)(4 6).
For privacy: each player once, without the other looking.
Turn first two cards♥ ♣︸ ︷︷ ︸=̂ 1
result is cards 3, 4 ♣ ♥︸ ︷︷ ︸=̂ 0
result is cards 5, 6
A Simple Six-Card AND ProtocolMizuki and Sone [MS09]
4 2015-12-03 Alexander Koch et al. – Card-based Cryptographic Protocols Using a Minimal Number of Cards
KIT
Observation: (a ∧ b) ≡ (if a then b else 0)≡ (if ¬a then 0 else b)
The Protocol: ︸︷︷︸a
︸︷︷︸b
︸︷︷︸0
p =½−−−→ ︸︷︷︸¬a
︸︷︷︸0
︸︷︷︸b
With probability 1/2: Apply permutation (1 2)(3 5)(4 6).For privacy: each player once, without the other looking.Turn first two cards♥ ♣︸ ︷︷ ︸=̂ 1
result is cards 3, 4 ♣ ♥︸ ︷︷ ︸=̂ 0
result is cards 5, 6
Demonstration of the Six-Card-ProtocolMizuki and Sone [MS09]
5 2015-12-03 Alexander Koch et al. – Card-based Cryptographic Protocols Using a Minimal Number of Cards
KIT
♥ ♣ ♥ ♣
♥ ♣ ♥ ♣ ♣ ♥
♥ ♣ ♥ ♣ ♣ ♥
(shuffle, {id,π = (1 2)(3 5)(4 6)})
♣ ♥ ♣ ♥ ♥ ♣
id with p = 1/2 π with p = 1/2
♥ ♣♥ ♣ ♣ ♥
♣ ♥♣ ♥ ♥ ♣
(turn, {1,2}) (turn, {1,2})
Demonstration of the Six-Card-ProtocolMizuki and Sone [MS09]
5 2015-12-03 Alexander Koch et al. – Card-based Cryptographic Protocols Using a Minimal Number of Cards
KIT
♥ ♣ ♥ ♣
♥ ♣ ♥ ♣ ♣ ♥
♥ ♣ ♥ ♣ ♣ ♥
(shuffle, {id,π = (1 2)(3 5)(4 6)})
♣ ♥ ♣ ♥ ♥ ♣
id with p = 1/2 π with p = 1/2
♥ ♣♥ ♣ ♣ ♥
♣ ♥♣ ♥ ♥ ♣
(turn, {1,2}) (turn, {1,2})
Demonstration of the Six-Card-ProtocolMizuki and Sone [MS09]
5 2015-12-03 Alexander Koch et al. – Card-based Cryptographic Protocols Using a Minimal Number of Cards
KIT
♥ ♣ ♥ ♣
♥ ♣ ♥ ♣ ♣ ♥
♥ ♣ ♥ ♣ ♣ ♥
(shuffle, {id,π = (1 2)(3 5)(4 6)})
♣ ♥ ♣ ♥ ♥ ♣
id with p = 1/2 π with p = 1/2
♥ ♣♥ ♣ ♣ ♥
♣ ♥♣ ♥ ♥ ♣
(turn, {1,2}) (turn, {1,2})
Demonstration of the Six-Card-ProtocolMizuki and Sone [MS09]
5 2015-12-03 Alexander Koch et al. – Card-based Cryptographic Protocols Using a Minimal Number of Cards
KIT
♥ ♣ ♥ ♣
♥ ♣ ♥ ♣ ♣ ♥
♥ ♣ ♥ ♣ ♣ ♥
(shuffle, {id,π = (1 2)(3 5)(4 6)})
♣ ♥ ♣ ♥ ♥ ♣
id with p = 1/2 π with p = 1/2
♥ ♣♥ ♣ ♣ ♥
♣ ♥♣ ♥ ♥ ♣
(turn, {1,2}) (turn, {1,2})
Can we do better than six cards?Open problem from [MS09; MS14; MKS12]
6 2015-12-03 Alexander Koch et al. – Card-based Cryptographic Protocols Using a Minimal Number of Cards
KIT
Main Question: Can a ∧ b be computed with 4 cards?in committed format (in the model of Mizuki and Shizuya [MS14])
Our Results1 Yes, 4 cards suffice. . .2 But 4-card protocols are necessarily Las Vegas (LV)
no a priori bound on runtimemethod: analyze “states” of protocols
3 Yes, 5 cards suffice for finite-runtime protocols4 LV protocol for k -ary functions using 2k cards5 Note: “Complex” Shuffles needed.
without committed output:[MKS12]: 4-card protocol
without committed input and output:[MWS15]: 2- and 3-card protocols
Can we do better than six cards?Open problem from [MS09; MS14; MKS12]
6 2015-12-03 Alexander Koch et al. – Card-based Cryptographic Protocols Using a Minimal Number of Cards
KIT
Main Question: Can a ∧ b be computed with 4 cards?in committed format (in the model of Mizuki and Shizuya [MS14])
Our Results1 Yes, 4 cards suffice. . .2 But 4-card protocols are necessarily Las Vegas (LV)
no a priori bound on runtimemethod: analyze “states” of protocols
3 Yes, 5 cards suffice for finite-runtime protocols4 LV protocol for k -ary functions using 2k cards5 Note: “Complex” Shuffles needed.
without committed output:[MKS12]: 4-card protocol
without committed input and output:[MWS15]: 2- and 3-card protocols
Can we do better than six cards?Open problem from [MS09; MS14; MKS12]
6 2015-12-03 Alexander Koch et al. – Card-based Cryptographic Protocols Using a Minimal Number of Cards
KIT
Main Question: Can a ∧ b be computed with 4 cards?in committed format (in the model of Mizuki and Shizuya [MS14])
Our Results1 Yes, 4 cards suffice. . .2 But 4-card protocols are necessarily Las Vegas (LV)
no a priori bound on runtimemethod: analyze “states” of protocols
3 Yes, 5 cards suffice for finite-runtime protocols4 LV protocol for k -ary functions using 2k cards5 Note: “Complex” Shuffles needed.
without committed output:[MKS12]: 4-card protocol
without committed input and output:[MWS15]: 2- and 3-card protocols
State Transitions: The Six-Card Protocol
7 2015-12-03 Alexander Koch et al. – Card-based Cryptographic Protocols Using a Minimal Number of Cards
KIT
♥♣♥♣♣♥ X11♥♣♣♥♣♥ X10♣♥♥♣♣♥ X01♣♥♣♥♣♥ X00
♥♣♥♣♣♥ 1/2X11♥♣♣♥♣♥ 1/2X10 + 1/2X00♣♥♥♣♣♥ 1/2X01♣♥♣♥♣♥ 1/2X00 + 1/2X10♣♥♣♥♥♣ 1/2X11♥♣♣♥♥♣ 1/2X01
(shuffle, {id, (1 2)(3 5)(4 6)})
♥♣♥♣♣♥ X11♥♣♣♥♣♥ X10 + X00♥♣♣♥♥♣ X01
♣♥♣♥♥♣ X11♣♥♣♥♣♥ X10 + X00♣♥♥♣♣♥ X01
(turn, {1,2})♥ ♣ ♣ ♥
(result,3,4)X
(result,5,6)X
Protocol State:Annotate currently possiblesequences with probability interms of symbolic input prob.Xij = Pr[a = i ,b = j ]
State Transitions: The Six-Card Protocol
7 2015-12-03 Alexander Koch et al. – Card-based Cryptographic Protocols Using a Minimal Number of Cards
KIT
♥♣♥♣♣♥ X11♥♣♣♥♣♥ X10♣♥♥♣♣♥ X01♣♥♣♥♣♥ X00
♥♣♥♣♣♥ 1/2X11♥♣♣♥♣♥ 1/2X10 + 1/2X00♣♥♥♣♣♥ 1/2X01♣♥♣♥♣♥ 1/2X00 + 1/2X10♣♥♣♥♥♣ 1/2X11♥♣♣♥♥♣ 1/2X01
(shuffle, {id, (1 2)(3 5)(4 6)})
♥♣♥♣♣♥ X11♥♣♣♥♣♥ X10 + X00♥♣♣♥♥♣ X01
♣♥♣♥♥♣ X11♣♥♣♥♣♥ X10 + X00♣♥♥♣♣♥ X01
(turn, {1,2})♥ ♣ ♣ ♥
(result,3,4)X
(result,5,6)X
Protocol State:Annotate currently possiblesequences with probability interms of symbolic input prob.Xij = Pr[a = i ,b = j ]
State Transitions: The Six-Card Protocol
7 2015-12-03 Alexander Koch et al. – Card-based Cryptographic Protocols Using a Minimal Number of Cards
KIT
♥♣♥♣♣♥ X11♥♣♣♥♣♥ X10♣♥♥♣♣♥ X01♣♥♣♥♣♥ X00
♥♣♥♣♣♥ 1/2X11♥♣♣♥♣♥ 1/2X10 + 1/2X00♣♥♥♣♣♥ 1/2X01♣♥♣♥♣♥ 1/2X00 + 1/2X10♣♥♣♥♥♣ 1/2X11♥♣♣♥♥♣ 1/2X01
(shuffle, {id, (1 2)(3 5)(4 6)})
♥♣♥♣♣♥ X11♥♣♣♥♣♥ X10 + X00♥♣♣♥♥♣ X01
♣♥♣♥♥♣ X11♣♥♣♥♣♥ X10 + X00♣♥♥♣♣♥ X01
(turn, {1,2})♥ ♣ ♣ ♥
(result,3,4)X
(result,5,6)X
Protocol State:Annotate currently possiblesequences with probability interms of symbolic input prob.Xij = Pr[a = i ,b = j ]
State Transitions: The Six-Card Protocol
7 2015-12-03 Alexander Koch et al. – Card-based Cryptographic Protocols Using a Minimal Number of Cards
KIT
♥♣♥♣♣♥ X11♥♣♣♥♣♥ X10♣♥♥♣♣♥ X01♣♥♣♥♣♥ X00
♥♣♥♣♣♥ 1/2X11♥♣♣♥♣♥ 1/2X10 + 1/2X00♣♥♥♣♣♥ 1/2X01♣♥♣♥♣♥ 1/2X00 + 1/2X10♣♥♣♥♥♣ 1/2X11♥♣♣♥♥♣ 1/2X01
(shuffle, {id, (1 2)(3 5)(4 6)})
♥♣♥♣♣♥ X11♥♣♣♥♣♥ X10 + X00♥♣♣♥♥♣ X01
♣♥♣♥♥♣ X11♣♥♣♥♣♥ X10 + X00♣♥♥♣♣♥ X01
(turn, {1,2})♥ ♣ ♣ ♥
(result,3,4)X
(result,5,6)X
Protocol State:Annotate currently possiblesequences with probability interms of symbolic input prob.Xij = Pr[a = i ,b = j ]
State Transitions: The Six-Card Protocol
7 2015-12-03 Alexander Koch et al. – Card-based Cryptographic Protocols Using a Minimal Number of Cards
KIT
♥♣♥♣♣♥ X11♥♣♣♥♣♥ X10♣♥♥♣♣♥ X01♣♥♣♥♣♥ X00
♥♣♥♣♣♥ 1/2X11♥♣♣♥♣♥ 1/2X10 + 1/2X00♣♥♥♣♣♥ 1/2X01♣♥♣♥♣♥ 1/2X00 + 1/2X10♣♥♣♥♥♣ 1/2X11♥♣♣♥♥♣ 1/2X01
(shuffle, {id, (1 2)(3 5)(4 6)})
♥♣♥♣♣♥ X11♥♣♣♥♣♥ X10 + X00♥♣♣♥♥♣ X01
♣♥♣♥♥♣ X11♣♥♣♥♣♥ X10 + X00♣♥♥♣♣♥ X01
(turn, {1,2})♥ ♣ ♣ ♥
(result,3,4)X
(result,5,6)X
Protocol State:Annotate currently possiblesequences with probability interms of symbolic input prob.Xij = Pr[a = i ,b = j ]
State Transitions: The Six-Card Protocol
7 2015-12-03 Alexander Koch et al. – Card-based Cryptographic Protocols Using a Minimal Number of Cards
KIT
♥♣♥♣♣♥ X11♥♣♣♥♣♥ X10♣♥♥♣♣♥ X01♣♥♣♥♣♥ X00
♥♣♥♣♣♥ 1/2X11♥♣♣♥♣♥ 1/2X10 + 1/2X00♣♥♥♣♣♥ 1/2X01♣♥♣♥♣♥ 1/2X00 + 1/2X10♣♥♣♥♥♣ 1/2X11♥♣♣♥♥♣ 1/2X01
(shuffle, {id, (1 2)(3 5)(4 6)})
♥♣♥♣♣♥ X11♥♣♣♥♣♥ X10 + X00♥♣♣♥♥♣ X01
♣♥♣♥♥♣ X11♣♥♣♥♣♥ X10 + X00♣♥♥♣♣♥ X01
(turn, {1,2})♥ ♣ ♣ ♥
(result,3,4)X
(result,5,6)X
Protocol State:Annotate currently possiblesequences with probability interms of symbolic input prob.Xij = Pr[a = i ,b = j ]
State Transitions: The Six-Card Protocol
7 2015-12-03 Alexander Koch et al. – Card-based Cryptographic Protocols Using a Minimal Number of Cards
KIT
♥♣♥♣♣♥ X11♥♣♣♥♣♥ X10♣♥♥♣♣♥ X01♣♥♣♥♣♥ X00
♥♣♥♣♣♥ 1/2X11♥♣♣♥♣♥ 1/2X10 + 1/2X00♣♥♥♣♣♥ 1/2X01♣♥♣♥♣♥ 1/2X00 + 1/2X10♣♥♣♥♥♣ 1/2X11♥♣♣♥♥♣ 1/2X01
(shuffle, {id, (1 2)(3 5)(4 6)})
♥♣♥♣♣♥ X11♥♣♣♥♣♥ X10 + X00♥♣♣♥♥♣ X01
♣♥♣♥♥♣ X11♣♥♣♥♣♥ X10 + X00♣♥♥♣♣♥ X01
(turn, {1,2})♥ ♣ ♣ ♥
(result,3,4)X
(result,5,6)X
Protocol State:Annotate currently possiblesequences with probability interms of symbolic input prob.Xij = Pr[a = i ,b = j ]
State Transitions: The Six-Card Protocol
7 2015-12-03 Alexander Koch et al. – Card-based Cryptographic Protocols Using a Minimal Number of Cards
KIT
♥♣♥♣♣♥ X11♥♣♣♥♣♥ X10♣♥♥♣♣♥ X01♣♥♣♥♣♥ X00
♥♣♥♣♣♥ 1/2X11♥♣♣♥♣♥ 1/2X10 + 1/2X00♣♥♥♣♣♥ 1/2X01♣♥♣♥♣♥ 1/2X00 + 1/2X10♣♥♣♥♥♣ 1/2X11♥♣♣♥♥♣ 1/2X01
(shuffle, {id, (1 2)(3 5)(4 6)})
♥♣♥♣♣♥ X11♥♣♣♥♣♥ X10 + X00♥♣♣♥♥♣ X01
♣♥♣♥♥♣ X11♣♥♣♥♣♥ X10 + X00♣♥♥♣♣♥ X01
(turn, {1,2})♥ ♣ ♣ ♥
(result,3,4)X
(result,5,6)X
Protocol State:Annotate currently possiblesequences with probability interms of symbolic input prob.Xij = Pr[a = i ,b = j ]
State Transitions: The Six-Card Protocol
7 2015-12-03 Alexander Koch et al. – Card-based Cryptographic Protocols Using a Minimal Number of Cards
KIT
♥♣♥♣♣♥ X11♥♣♣♥♣♥ X10♣♥♥♣♣♥ X01♣♥♣♥♣♥ X00
♥♣♥♣♣♥ 1/2X11♥♣♣♥♣♥ 1/2X10 + 1/2X00♣♥♥♣♣♥ 1/2X01♣♥♣♥♣♥ 1/2X00 + 1/2X10♣♥♣♥♥♣ 1/2X11♥♣♣♥♥♣ 1/2X01
(shuffle, {id, (1 2)(3 5)(4 6)})
♥♣♥♣♣♥ X11♥♣♣♥♣♥ X10 + X00♥♣♣♥♥♣ X01
♣♥♣♥♥♣ X11♣♥♣♥♣♥ X10 + X00♣♥♥♣♣♥ X01
(turn, {1,2})♥ ♣ ♣ ♥
(result,3,4)X
(result,5,6)X
Protocol State:Annotate currently possiblesequences with probability interms of symbolic input prob.Xij = Pr[a = i ,b = j ]
State Transitions: The Six-Card Protocol
7 2015-12-03 Alexander Koch et al. – Card-based Cryptographic Protocols Using a Minimal Number of Cards
KIT
♥♣♥♣♣♥ X11♥♣♣♥♣♥ X10♣♥♥♣♣♥ X01♣♥♣♥♣♥ X00
♥♣♥♣♣♥ 1/2X11♥♣♣♥♣♥ 1/2X10 + 1/2X00♣♥♥♣♣♥ 1/2X01♣♥♣♥♣♥ 1/2X00 + 1/2X10♣♥♣♥♥♣ 1/2X11♥♣♣♥♥♣ 1/2X01
(shuffle, {id, (1 2)(3 5)(4 6)})
♥♣♥♣♣♥ X11♥♣♣♥♣♥ X10 + X00♥♣♣♥♥♣ X01
♣♥♣♥♥♣ X11♣♥♣♥♣♥ X10 + X00♣♥♥♣♣♥ X01
(turn, {1,2})♥ ♣ ♣ ♥
(result,3,4)X
(result,5,6)X
Protocol State:Annotate currently possiblesequences with probability interms of symbolic input prob.Xij = Pr[a = i ,b = j ]
State Transitions: The Six-Card Protocol
8 2015-12-03 Alexander Koch et al. – Card-based Cryptographic Protocols Using a Minimal Number of Cards
KIT
♥♣♥♣♣♥ X11♥♣♣♥♣♥ X10♣♥♥♣♣♥ X01♣♥♣♥♣♥ X00
♥♣♥♣♣♥ 1/2X11♥♣♣♥♣♥ 1/2X10 + 1/2X00♣♥♥♣♣♥ 1/2X01♣♥♣♥♣♥ 1/2X00 + 1/2X10♣♥♣♥♥♣ 1/2X11♥♣♣♥♥♣ 1/2X01
(shuffle, {id, (1 2)(3 5)(4 6)})
♥♣♥♣♣♥ X11♥♣♣♥♣♥ X10 + X00♥♣♣♥♥♣ X01
♣♥♣♥♥♣ X11♣♥♣♥♣♥ X10 + X00♣♥♥♣♣♥ X01
(turn, {1,2})♥ ♣ ♣ ♥
(result,3,4)X
(result,5,6)X
Protocol State:Annotate currently possiblesequences with probability interms of symbolic input prob.Xij = Pr[a = i ,b = j ]
Impossibility Result
9 2015-12-03 Alexander Koch et al. – Card-based Cryptographic Protocols Using a Minimal Number of Cards
KIT
TheoremThere is no secure finite-runtime four-card AND protocol
Proof IdeaEach sequence belongs either to output 0 or to 1.An i |j-state has i 0-sequences and j 1-sequences.Define non-reachable “good” states:
start state
“bad” states “good” states
not possibleby turn/shuffle
final states
start type: 3|1♥♣♥♣ X11♥♣♣♥ X10♣♥♥♣ X01♣♥♣♥ X00
e.g. 2|2 state:♣♥♥♣ X01 + X00♣♥♣♥ X10♥♣♣♥ 1/2X11♥↑♣↑♥♣ 1/2X11
Impossibility Result
9 2015-12-03 Alexander Koch et al. – Card-based Cryptographic Protocols Using a Minimal Number of Cards
KIT
TheoremThere is no secure finite-runtime four-card AND protocol
Proof IdeaEach sequence belongs either to output 0 or to 1.An i |j-state has i 0-sequences and j 1-sequences.Define non-reachable “good” states:
start state
“bad” states “good” states
not possibleby turn/shuffle
final states
start type: 3|1♥♣♥♣ X11♥♣♣♥ X10♣♥♥♣ X01♣♥♣♥ X00
e.g. 2|2 state:♣♥♥♣ X01 + X00♣♥♣♥ X10♥♣♣♥ 1/2X11♥↑♣↑♥♣ 1/2X11
Impossibility Result
9 2015-12-03 Alexander Koch et al. – Card-based Cryptographic Protocols Using a Minimal Number of Cards
KIT
TheoremThere is no secure finite-runtime four-card AND protocol
Proof IdeaEach sequence belongs either to output 0 or to 1.An i |j-state has i 0-sequences and j 1-sequences.Define non-reachable “good” states:
start state
“bad” states “good” states
not possibleby turn/shuffle
final states
start type: 3|1♥♣♥♣ X11♥♣♣♥ X10♣♥♥♣ X01♣♥♣♥ X00
e.g. 2|2 state:♣♥♥♣ X01 + X00♣♥♣♥ X10♥♣♣♥ 1/2X11♥↑♣↑♥♣ 1/2X11
Proof Idea – Single Card Turns
10 2015-12-03 Alexander Koch et al. – Card-based Cryptographic Protocols Using a Minimal Number of Cards
KIT
1|1
2|1 1|2without const pos
2|2
2|11|2with const pos
3|11|3
4|11|4
5|11|5
2|3 3|2
2|4 4|2 3|3
“Bad” States “Good” States
Observation 1. After turn: with const pos. and ≤ 3 sequences.Observation 2. Turnable states are i |j with i , j ≥ 2.Observation 3. W.l.o.g. we need to consider half of the states.
Proof Idea – Single Card Turns
10 2015-12-03 Alexander Koch et al. – Card-based Cryptographic Protocols Using a Minimal Number of Cards
KIT
1|1
2|1 1|2without const pos
2|2
2|11|2with const pos
3|11|3
4|11|4
5|11|5
2|3 3|2
2|4 4|2 3|3
“Bad” States “Good” States
Observation 1. After turn: with const pos. and ≤ 3 sequences.
Observation 2. Turnable states are i |j with i , j ≥ 2.Observation 3. W.l.o.g. we need to consider half of the states.
Proof Idea – Single Card Turns
10 2015-12-03 Alexander Koch et al. – Card-based Cryptographic Protocols Using a Minimal Number of Cards
KIT
1|1
2|1 1|2without const pos
2|2
2|11|2with const pos
3|11|3
4|11|4
5|11|5
2|3 3|2
2|4 4|2 3|3
“Bad” States “Good” States
Observation 1. After turn: with const pos. and ≤ 3 sequences.
Observation 2. Turnable states are i |j with i , j ≥ 2.
Observation 3. W.l.o.g. we need to consider half of the states.
Proof Idea – Single Card Turns
10 2015-12-03 Alexander Koch et al. – Card-based Cryptographic Protocols Using a Minimal Number of Cards
KIT
1|1
2|1 1|2without const pos
2|2
2|11|2with const pos
3|11|3
4|11|4
5|11|5
2|3 3|2
2|4 4|2 3|3
“Bad” States “Good” States
Observation 1. After turn: with const pos. and ≤ 3 sequences.Observation 2. Turnable states are i |j with i , j ≥ 2.
Observation 3. W.l.o.g. we need to consider half of the states.
Proof Idea – Single Card Turns
10 2015-12-03 Alexander Koch et al. – Card-based Cryptographic Protocols Using a Minimal Number of Cards
KIT
1|1
2|1 1|2without const pos
2|2
2|11|2with const pos
3|11|3
4|11|4
5|11|5
2|3 3|2
2|4 4|2 3|3
“Bad” States “Good” States
Observation 1. After turn: with const pos. and ≤ 3 sequences.Observation 2. Turnable states are i |j with i , j ≥ 2.Observation 3. W.l.o.g. we need to consider half of the states.
Proof Idea – Single Card Turns
10 2015-12-03 Alexander Koch et al. – Card-based Cryptographic Protocols Using a Minimal Number of Cards
KIT
1|1
2|1 1|2without const pos
2|2
2|11|2with const pos
3|11|3
4|11|4
5|11|5
2|3 3|2
2|4 4|2 3|3
“Bad” States “Good” States
Observation 1. After turn: with const pos. and ≤ 3 sequences.Observation 2. Turnable states are i |j with i , j ≥ 2.Observation 3. W.l.o.g. we need to consider half of the states.
Proof Idea – Shuffles
11 2015-12-03 Alexander Koch et al. – Card-based Cryptographic Protocols Using a Minimal Number of Cards
KIT
1|1
2|1 1|2without const pos
2|2
2|11|2with const pos
3|11|3
4|11|4
5|11|5
2|3 3|2
2|4 4|2 3|3
“Bad” States “Good” States
??
s0: ♥♥♣♣s′0: ♥♣♥♣s1: ♥♣♣♥
s′′0: ♣♥♣♥s′1: ♣♥♣♥
p = ½
Observation 1. Shuffles increase #sequences per type
Apply (shuffle,Π,F ) to this state.Case 1: All π ∈ Π put constant column to same position.=⇒ the resulting state still has a constant column.
Apply (shuffle,Π,F ) to this state.Case 2: There are π1,π2 ∈ Π putting the const. col. in different pos.=⇒ the resulting state has at least 5 sequences.
Proof Idea – Shuffles
11 2015-12-03 Alexander Koch et al. – Card-based Cryptographic Protocols Using a Minimal Number of Cards
KIT
1|1
2|1 1|2without const pos
2|2
2|11|2with const pos
3|11|3
4|11|4
5|11|5
2|3 3|2
2|4 4|2 3|3
“Bad” States “Good” States
??
s0: ♥♥♣♣s′0: ♥♣♥♣s1: ♥♣♣♥
s′′0: ♣♥♣♥s′1: ♣♥♣♥
p = ½
Observation 1. Shuffles increase #sequences per type
Apply (shuffle,Π,F ) to this state.Case 1: All π ∈ Π put constant column to same position.=⇒ the resulting state still has a constant column.
Apply (shuffle,Π,F ) to this state.Case 2: There are π1,π2 ∈ Π putting the const. col. in different pos.=⇒ the resulting state has at least 5 sequences.
Proof Idea – Shuffles
11 2015-12-03 Alexander Koch et al. – Card-based Cryptographic Protocols Using a Minimal Number of Cards
KIT
1|1
2|1 1|2without const pos
2|2
2|11|2with const pos
3|11|3
4|11|4
5|11|5
2|3 3|2
2|4 4|2 3|3
“Bad” States “Good” States
??
s0: ♥♥♣♣s′0: ♥♣♥♣s1: ♥♣♣♥
s′′0: ♣♥♣♥s′1: ♣♥♣♥
p = ½
Observation 1. Shuffles increase #sequences per type
Apply (shuffle,Π,F ) to this state.Case 1: All π ∈ Π put constant column to same position.=⇒ the resulting state still has a constant column.
Apply (shuffle,Π,F ) to this state.Case 2: There are π1,π2 ∈ Π putting the const. col. in different pos.=⇒ the resulting state has at least 5 sequences.
Proof Idea – Shuffles
11 2015-12-03 Alexander Koch et al. – Card-based Cryptographic Protocols Using a Minimal Number of Cards
KIT
1|1
2|1 1|2without const pos
2|2
2|11|2with const pos
3|11|3
4|11|4
5|11|5
2|3 3|2
2|4 4|2 3|3
“Bad” States “Good” States
??
s0: ♥♥♣♣s′0: ♥♣♥♣s1: ♥♣♣♥
s′′0: ♣♥♣♥s′1: ♣♥♣♥
p = ½
Observation 1. Shuffles increase #sequences per type
Apply (shuffle,Π,F ) to this state.Case 1: All π ∈ Π put constant column to same position.=⇒ the resulting state still has a constant column.
Apply (shuffle,Π,F ) to this state.Case 2: There are π1,π2 ∈ Π putting the const. col. in different pos.=⇒ the resulting state has at least 5 sequences.
Proof Idea – Shuffles
11 2015-12-03 Alexander Koch et al. – Card-based Cryptographic Protocols Using a Minimal Number of Cards
KIT
1|1
2|1 1|2without const pos
2|2
2|11|2with const pos
3|11|3
4|11|4
5|11|5
2|3 3|2
2|4 4|2 3|3
“Bad” States “Good” States
??
s0: ♥♥♣♣s′0: ♥♣♥♣s1: ♥♣♣♥s′′0: ♣♥♣♥s′1: ♣♥♣♥
p = ½
Observation 1. Shuffles increase #sequences per type
Apply (shuffle,Π,F ) to this state.Case 1: All π ∈ Π put constant column to same position.=⇒ the resulting state still has a constant column.
Apply (shuffle,Π,F ) to this state.Case 2: There are π1,π2 ∈ Π putting the const. col. in different pos.=⇒ the resulting state has at least 5 sequences.
Our Four-Card Protocol
12 2015-12-03 Alexander Koch et al. – Card-based Cryptographic Protocols Using a Minimal Number of Cards
KIT
♥♣♥♣
♥
X11♥♣♣♥
♥
X10♣♥♥♣
♥
X01♣♥♣♥
♥
X00
start state
♥♥♣♣
♥
1/2X11♥♣♥♣
♥
1/2X11♣♥♥♣
♥
1/2X10 + 1/2X01♥♣♣♥
♥
1/2X10 + 1/2X01♣♥♣♥
♥
1/2X00♣♣♥♥
♥
1/2X00(shuffle, {id, (1 3)(2 4), (2 3), (1 2 4 3)})
♥♥♣♣
♥
X11♣♥♥♣
♥
X10 + X01♣♥♣♥
♥
X00
♥♥♣♣
♥
X1♣♥♥♣
♥
1/2X0♣♥♣♥
♥
1/2X0
(shuffle, {id, (3 4)})
♥♥♣♣
♥
1/3X1♣♣♥♥
♥
2/3X1♣♥♥♣
♥
1/6X0♥♣♣♥
♥
1/3X0♣♥♣♥
♥
1/2X0
(shuffle, {id, (1 3)(2 4)},F )F : id 7→ 1/3, (1 3)(2 4) 7→ 2/3
♥♥♣♣
♥
X1♥♣♣♥
♥
X0
(result,2,4)X
♣♣♥♥
♥
X1♣♥♥♣
♥
1/4X0♣♥♣♥
♥
3/4X0
(turn, {1})♣ ♥
♣♣♥♥
♥
X1♣♥♥♣
♥
1/2X0♣♥♣♥
♥
1/2X0
(shuffle, {id, (3 4)})
♥♣♥♣
♥
X11♥♣♣♥
♥
X10 + X01♣♣♥♥
♥
X00
♥♣♥♣
♥
X1♥♣♣♥
♥
1/2X0♣♣♥♥
♥
1/2X0
(shuffle, {id, (1 3)})
(turn, {2})♣ ♥
(perm, (1 2 4 3))
♥♣♥♣ 1/3X1♣♥♣♥ 2/3X1♥♣♣♥ 1/6X0♣♥♥♣ 1/3X0♣♣♥♥ 1/2X0
(shuffle, {id, (1 2)(3 4)},F )F : id 7→ 1/3, (1 2)(3 4) 7→ 2/3
♥♣♥♣ X1♣♥♥♣ X0
(result,1,2)X
♣♥♣♥ X1♥♣♣♥ 1/4X0♣♣♥♥ 3/4X0
(turn, {4})♣ ♥
♣♥♣♥ X1♥♣♣♥ 1/2X0♣♣♥♥ 1/2X0
(shuffle, {id, (1 3)})
(perm, (1 3 4 2))
♣♥♥♣♥ 2/3X1♥♥♣♥♣ 1/3X1♥♥♣♣♥ 1/2X0♥♣♣♥♥ 1/6X0♥♥♥♣♣ 1/3X0
(perm, (1 5 2 4)), (shuffle, {id, (5 4 3 2 1)},F )F : id 7→ 2/3, (5 4 3 2 1) 7→ 1/3
♥♥♣♥♣ X1♥♥♥♣♣ X0
(result,4,3)X
♣♥♥♣♥ X1♥♥♣♣♥ 3/4X0♥♣♣♥♥ 1/4X0
(result,3,1)X
(turn, {5})♣ ♥
Our Four-Card Protocol
12 2015-12-03 Alexander Koch et al. – Card-based Cryptographic Protocols Using a Minimal Number of Cards
KIT
♥♣♥♣
♥
X11♥♣♣♥
♥
X10♣♥♥♣
♥
X01♣♥♣♥
♥
X00
start state
♥♥♣♣
♥
1/2X11♥♣♥♣
♥
1/2X11♣♥♥♣
♥
1/2X10 + 1/2X01♥♣♣♥
♥
1/2X10 + 1/2X01♣♥♣♥
♥
1/2X00♣♣♥♥
♥
1/2X00(shuffle, {id, (1 3)(2 4), (2 3), (1 2 4 3)})
♥♥♣♣
♥
X11♣♥♥♣
♥
X10 + X01♣♥♣♥
♥
X00
♥♥♣♣
♥
X1♣♥♥♣
♥
1/2X0♣♥♣♥
♥
1/2X0
(shuffle, {id, (3 4)})
♥♥♣♣
♥
1/3X1♣♣♥♥
♥
2/3X1♣♥♥♣
♥
1/6X0♥♣♣♥
♥
1/3X0♣♥♣♥
♥
1/2X0
(shuffle, {id, (1 3)(2 4)},F )F : id 7→ 1/3, (1 3)(2 4) 7→ 2/3
♥♥♣♣
♥
X1♥♣♣♥
♥
X0
(result,2,4)X
♣♣♥♥
♥
X1♣♥♥♣
♥
1/4X0♣♥♣♥
♥
3/4X0
(turn, {1})♣ ♥
♣♣♥♥
♥
X1♣♥♥♣
♥
1/2X0♣♥♣♥
♥
1/2X0
(shuffle, {id, (3 4)})
♥♣♥♣
♥
X11♥♣♣♥
♥
X10 + X01♣♣♥♥
♥
X00
♥♣♥♣
♥
X1♥♣♣♥
♥
1/2X0♣♣♥♥
♥
1/2X0
(shuffle, {id, (1 3)})
(turn, {2})♣ ♥
(perm, (1 2 4 3))
♥♣♥♣ 1/3X1♣♥♣♥ 2/3X1♥♣♣♥ 1/6X0♣♥♥♣ 1/3X0♣♣♥♥ 1/2X0
(shuffle, {id, (1 2)(3 4)},F )F : id 7→ 1/3, (1 2)(3 4) 7→ 2/3
♥♣♥♣ X1♣♥♥♣ X0
(result,1,2)X
♣♥♣♥ X1♥♣♣♥ 1/4X0♣♣♥♥ 3/4X0
(turn, {4})♣ ♥
♣♥♣♥ X1♥♣♣♥ 1/2X0♣♣♥♥ 1/2X0
(shuffle, {id, (1 3)})
(perm, (1 3 4 2))
♣♥♥♣♥ 2/3X1♥♥♣♥♣ 1/3X1♥♥♣♣♥ 1/2X0♥♣♣♥♥ 1/6X0♥♥♥♣♣ 1/3X0
(perm, (1 5 2 4)), (shuffle, {id, (5 4 3 2 1)},F )F : id 7→ 2/3, (5 4 3 2 1) 7→ 1/3
♥♥♣♥♣ X1♥♥♥♣♣ X0
(result,4,3)X
♣♥♥♣♥ X1♥♥♣♣♥ 3/4X0♥♣♣♥♥ 1/4X0
(result,3,1)X
(turn, {5})♣ ♥
Our Five-Card Protocol
12 2015-12-03 Alexander Koch et al. – Card-based Cryptographic Protocols Using a Minimal Number of Cards
KIT
♥♣♥♣♥ X11♥♣♣♥♥ X10♣♥♥♣♥ X01♣♥♣♥♥ X00
start state
♥♥♣♣♥ 1/2X11♥♣♥♣♥ 1/2X11♣♥♥♣♥ 1/2X10 + 1/2X01♥♣♣♥♥ 1/2X10 + 1/2X01♣♥♣♥♥ 1/2X00♣♣♥♥♥ 1/2X00
(shuffle, {id, (1 3)(2 4), (2 3), (1 2 4 3)})
♥♥♣♣♥ X11♣♥♥♣♥ X10 + X01♣♥♣♥♥ X00
♥♥♣♣♥ X1♣♥♥♣♥ 1/2X0♣♥♣♥♥ 1/2X0
(shuffle, {id, (3 4)})
♥♥♣♣♥ 1/3X1♣♣♥♥♥ 2/3X1♣♥♥♣♥ 1/6X0♥♣♣♥♥ 1/3X0♣♥♣♥♥ 1/2X0
(shuffle, {id, (1 3)(2 4)},F )F : id 7→ 1/3, (1 3)(2 4) 7→ 2/3
♥♥♣♣♥ X1♥♣♣♥♥ X0
(result,2,4)X
♣♣♥♥♥ X1♣♥♥♣♥ 1/4X0♣♥♣♥♥ 3/4X0
(turn, {1})♣ ♥
♣♣♥♥♥ X1♣♥♥♣♥ 1/2X0♣♥♣♥♥ 1/2X0
(shuffle, {id, (3 4)})
♥♣♥♣♥ X11♥♣♣♥♥ X10 + X01♣♣♥♥♥ X00
♥♣♥♣♥ X1♥♣♣♥♥ 1/2X0♣♣♥♥♥ 1/2X0
(shuffle, {id, (1 3)})
(turn, {2})♣ ♥
(perm, (1 2 4 3))
♥♣♥♣ 1/3X1♣♥♣♥ 2/3X1♥♣♣♥ 1/6X0♣♥♥♣ 1/3X0♣♣♥♥ 1/2X0
(shuffle, {id, (1 2)(3 4)},F )F : id 7→ 1/3, (1 2)(3 4) 7→ 2/3
♥♣♥♣ X1♣♥♥♣ X0
(result,1,2)X
♣♥♣♥ X1♥♣♣♥ 1/4X0♣♣♥♥ 3/4X0
(turn, {4})♣ ♥
♣♥♣♥ X1♥♣♣♥ 1/2X0♣♣♥♥ 1/2X0
(shuffle, {id, (1 3)})
(perm, (1 3 4 2))
♣♥♥♣♥ 2/3X1♥♥♣♥♣ 1/3X1♥♥♣♣♥ 1/2X0♥♣♣♥♥ 1/6X0♥♥♥♣♣ 1/3X0
(perm, (1 5 2 4)), (shuffle, {id, (5 4 3 2 1)},F )F : id 7→ 2/3, (5 4 3 2 1) 7→ 1/3
♥♥♣♥♣ X1♥♥♥♣♣ X0
(result,4,3)X
♣♥♥♣♥ X1♥♥♣♣♥ 3/4X0♥♣♣♥♥ 1/4X0
(result,3,1)X
(turn, {5})♣ ♥
Our Five-Card Protocol
12 2015-12-03 Alexander Koch et al. – Card-based Cryptographic Protocols Using a Minimal Number of Cards
KIT
♥♣♥♣♥ X11♥♣♣♥♥ X10♣♥♥♣♥ X01♣♥♣♥♥ X00
start state
♥♥♣♣♥ 1/2X11♥♣♥♣♥ 1/2X11♣♥♥♣♥ 1/2X10 + 1/2X01♥♣♣♥♥ 1/2X10 + 1/2X01♣♥♣♥♥ 1/2X00♣♣♥♥♥ 1/2X00
(shuffle, {id, (1 3)(2 4), (2 3), (1 2 4 3)})
♥♥♣♣♥ X11♣♥♥♣♥ X10 + X01♣♥♣♥♥ X00
♥♥♣♣♥ X1♣♥♥♣♥ 1/2X0♣♥♣♥♥ 1/2X0
(shuffle, {id, (3 4)})
♥♥♣♣♥ 1/3X1♣♣♥♥♥ 2/3X1♣♥♥♣♥ 1/6X0♥♣♣♥♥ 1/3X0♣♥♣♥♥ 1/2X0
(shuffle, {id, (1 3)(2 4)},F )F : id 7→ 1/3, (1 3)(2 4) 7→ 2/3
♥♥♣♣♥ X1♥♣♣♥♥ X0
(result,2,4)X
♣♣♥♥♥ X1♣♥♥♣♥ 1/4X0♣♥♣♥♥ 3/4X0
(turn, {1})♣ ♥
♣♣♥♥♥ X1♣♥♥♣♥ 1/2X0♣♥♣♥♥ 1/2X0
(shuffle, {id, (3 4)})
♥♣♥♣♥ X11♥♣♣♥♥ X10 + X01♣♣♥♥♥ X00
♥♣♥♣♥ X1♥♣♣♥♥ 1/2X0♣♣♥♥♥ 1/2X0
(shuffle, {id, (1 3)})
(turn, {2})♣ ♥
(perm, (1 2 4 3))
♥♣♥♣ 1/3X1♣♥♣♥ 2/3X1♥♣♣♥ 1/6X0♣♥♥♣ 1/3X0♣♣♥♥ 1/2X0
(shuffle, {id, (1 2)(3 4)},F )F : id 7→ 1/3, (1 2)(3 4) 7→ 2/3
♥♣♥♣ X1♣♥♥♣ X0
(result,1,2)X
♣♥♣♥ X1♥♣♣♥ 1/4X0♣♣♥♥ 3/4X0
(turn, {4})♣ ♥
♣♥♣♥ X1♥♣♣♥ 1/2X0♣♣♥♥ 1/2X0
(shuffle, {id, (1 3)})
(perm, (1 3 4 2))
♣♥♥♣♥ 2/3X1♥♥♣♥♣ 1/3X1♥♥♣♣♥ 1/2X0♥♣♣♥♥ 1/6X0♥♥♥♣♣ 1/3X0
(perm, (1 5 2 4)), (shuffle, {id, (5 4 3 2 1)},F )F : id 7→ 2/3, (5 4 3 2 1) 7→ 1/3
♥♥♣♥♣ X1♥♥♥♣♣ X0
(result,4,3)X
♣♥♥♣♥ X1♥♥♣♣♥ 3/4X0♥♣♣♥♥ 1/4X0
(result,3,1)X
(turn, {5})♣ ♥
Summary
13 2015-12-03 Alexander Koch et al. – Card-based Cryptographic Protocols Using a Minimal Number of Cards
KIT
Runtime Shuffles #Cards Reference
exp. finite non-uniform closed 4 [KWH15]exp. finite uniform non-closed 4 [KWH15]
finite non-uniform non-closed 5 [KWH15]finite uniform closed ≤ 6 [MS09]
Open Question: What if we restrict the computational model?
Thank you for your attention!
Summary
13 2015-12-03 Alexander Koch et al. – Card-based Cryptographic Protocols Using a Minimal Number of Cards
KIT
Runtime Shuffles #Cards Reference
exp. finite non-uniform closed 4 [KWH15]exp. finite uniform non-closed 4 [KWH15]
finite non-uniform non-closed 5 [KWH15]finite uniform closed ≤ 6 [MS09]
Open Question: What if we restrict the computational model?
Thank you for your attention!
Summary
13 2015-12-03 Alexander Koch et al. – Card-based Cryptographic Protocols Using a Minimal Number of Cards
KIT
Runtime Shuffles #Cards Reference
exp. finite non-uniform closed 4 [KWH15]exp. finite uniform non-closed 4 [KWH15]
finite non-uniform non-closed 5 [KWH15]finite uniform closed ≤ 6 [MS09]
Open Question: What if we restrict the computational model?
Thank you for your attention!
References: I
14 2015-12-03 Alexander Koch et al. – Card-based Cryptographic Protocols Using a Minimal Number of Cards
KIT
A. Koch, S. Walzer, and K. Härtel. “Card-basedCryptographic Protocols Using a Minimal Number ofCards”. In: ASIACRYPT 2015. Ed. by T. Iwata andJ. Cheon. Vol. 9452. LNCS. Springer, 2015,pp. 783–807.
T. Mizuki, M. Kumamoto, and H. Sone. “The Five-CardTrick Can Be Done with Four Cards”. In: ASIACRYPT2012. Ed. by X. Wang and K. Sako. Vol. 7658. LNCS.Springer, 2012, pp. 598–606.
T. Mizuki and H. Sone. “Six-Card Secure AND andFour-Card Secure XOR”. In: FAW 2009. Ed. byX. Deng, J. E. Hopcroft, and J. Xue. Vol. 5598. LNCS.Springer, 2009, pp. 358–369.
References: II
15 2015-12-03 Alexander Koch et al. – Card-based Cryptographic Protocols Using a Minimal Number of Cards
KIT
T. Mizuki and H. Shizuya. “A formalization ofcard-based cryptographic protocols via abstractmachine”. In: Int. J. Inf. Secur. 13.1 (2014), pp. 15–23.
A. Marcedone, Z. Wen, and E. Shi. Secure Dating withFour or Fewer Cards. Cryptology ePrint Archive,Report 2015/1031. https://eprint.iacr.org/. 2015.
References: III
16 2015-12-03 Alexander Koch et al. – Card-based Cryptographic Protocols Using a Minimal Number of Cards
KIT
Various Artists. Title image from http:
//pdpics.com/photo/6619-ten-cards-of-all-suits/,public domain. Image of Bar fromhttps://pixabay.com/en/bar-pub-restaurant-
rustic-barrels-406884/, public domain. Image oflecture hall from brett jordan,https://www.flickr.com/photos/x1brett/1472187414,CC-BY-2.0. XKCD comic figures by Randall Munroefrom https://xkcd.com/, CC-BY-NC-2.5.