The Five-Card Trick
In card-based cryptography, manipulating Boolean values entails the use of the following encoding:
That is, the left card being black represents 0, and the left card being red represents 1. According to this encoding rule (
1), Alice can put her private input bit
\(a\in \{0,1\}\) on a table using two cards
, keeping its value hidden:
Such a pair of face-down cards is called a
commitment to a bit
\(a\in \{0,1\}\). Similarly, Bob can put a commitment to his private input bit
\(b\in \{0,1\}\) on the table, keeping its value secret from Alice (and others). Given the commitments to
\(a\in \{0,1\}\) and
\(b\in \{0,1\}\), along with a helping card
, the five-card trick [
2] proceeds as follows.
1.
Put the helping red card between the two input commitments, apply a
NOT computation to the left commitment (to
a) by swapping the positions of its two cards, so that we have a commitment to the negation
\(\bar{a}\), and turn over the middle red card:
Note that the three cards in the middle will be
, i.e., three red cards will be consecutive only when
\(a = b = 1\), namely,
\(a\wedge b=1\).
2.
Apply a
random cut (denoted by
\(\langle \cdot \rangle \)) to the sequence of the five cards:
A random cut, meaning a cyclic shuffling operation, uniformly randomly shifts the positions of the sequence without changing the order
1. Mathematically, one permutation is uniformly randomly selected from
$$\begin{aligned} \{\mathsf {id},\,(1\,2\,3\,4\,5),\,(1\,2\,3\,4\,5)^2,\,(1\,2\,3\,4\,5)^3,\,(1\,2\,3\,4\,5)^4\}, \end{aligned}$$
and the selected permutation is applied to the sequence of the five cards, where
\(\mathsf {id}\) is the identity permutation and
\((i_1\,i_2\,\dots \,i_\ell )\) represents a cyclic permutation. (Nobody knows the selected permutation.)
3.
Reveal the five cards. If the three red cards
are consecutive (apart from cyclic rotation), then
\(a \wedge b = 1\). Otherwise,
\(a \wedge b = 0\).
This is the five-card trick, which is simple and elegant. Although the five-card trick is extremely useful as mentioned, it has one drawback: it cannot deal with a logical conjunction of three or more variables, where players
\(P_1,P_2,\dots ,P_n\) with
\(n\ge 3\) want to conduct a secure multiparty AND computation. To overcome such a limitation, researchers have designed “committed-format AND protocols,” which are able to perform secure AND computation of three or more inputs.
The Six-Card AND Protocol in Committed Format
A committed-format AND protocol should produce a commitment to
\(a \wedge b\):
from the input commitments to
a and
b. In contrast to the five-card trick, the output is obtained as a commitment to
\(a \wedge b\), keeping its value secret; hence, the output commitment can be used as the input for another computation. There are many existing committed-format AND protocols in the literature (as shown in Table
1). Among these, we herein introduce the Mizuki–Sone protocol [
10], which is considered to be the simplest for humans to execute. This protocol uses two helping cards
and proceeds as follows.
Table 1
Committed-format AND protocols
| 4 | 10 | No | Yes | Yes | Yes | 8 |
| 2 | 12 | No | Yes | Yes | Yes | 7.5 |
| 2 | 8 | No | Yes | Yes | Yes | 2 |
Mizuki–Sone, 2009 [ 10] (§ 1.2) | 2 | 6 | Yes | Yes | Yes | Yes | 1 |
Koch–Walzer–Härtel, 2015 [ 7] | 2 | 4 | No | No | Yes | Yes | 8 |
2 | 5 | Yes | No | No | No | 14/3 |
| 2 | 4 | No | Yes | No | No | 8 |
Ruangwises–Itoh, 2019 [ 16] | 2 | 5 | Yes | Yes | No | No | 14/3 |
| 2 | 5 | No | Yes | Yes | Yes | 7 |
| 2 | 5 | No | Yes | Yes | Yes | 4.5 |
1.
Put the two helping cards between two input commitments, and turn them over:
2.
Rearrange the order of the sequence as:
3.
Apply a
random bisection cut denoted by
\(\left[ \, \cdot \, | \, \cdot \, \right] \), i.e., bisect the sequence of the six cards and shuffle the two halves:
Mathematically, the permutation
\(\mathsf {id}\) or
\((1\,4)(2\,5)(3\,6)\) is selected with a probability of 1/2, and the selected permutation is applied to the sequence of the six cards.
2
4.
Rearrange the order of the sequence as:
5.
Reveal the two left-most cards; then, a commitment to
\(a \wedge b\) is obtained, depending on the order of the two face-up cards
and
:
This is the six-card AND protocol in committed format [
10]. Given
n input commitments to
\(x_1,x_2,\dots ,x_n\), and executing such a committed-format AND protocol
\(n-1\) times, a secure AND computation of
n variables can be conducted, i.e., we can obtain a commitment to
\(x_1\wedge x_2\wedge \cdots \wedge x_n\).
Known Results and Our Contribution
As discussed previously, committed-format AND protocols are a useful and indispensable primitive, and designing such AND protocols is a major research topic in the field of card-based cryptography. As enumerated chronologically in Table
1, there are many committed-format AND protocols. The Mizuki–Sone protocol proposed in 2009 [
10] (and described in Section
1.2) is the fourth committed-format AND protocol in literature; it uses six cards, which are fewer than the previous three protocols [
3,
13,
17] require; furthermore, as shown in the fourth column of Table
1, the Mizuki–Sone protocol is the first committed-format AND protocol that terminates in a finite number of shuffles (actually, it terminates after a single shuffle, namely, a random bisection cut, as indicated in Sect.
1.2).
After the invention of the Mizuki–Sone six-card AND protocol in 2009, it had been a challenging open question to determine whether one could construct an AND protocol (in committed format) with five cards or less. In 2015, Koch, Walzer, and Härtel [
7] succeeded in answering the question appropriately; i.e., they presented a four-card AND protocol in committed format, which is the fifth protocol, as shown in Table
1. Their four-card protocol is optimal in terms of the number of required cards, because we need four cards for arranging two input commitments, as long as we follow the encoding (
1). As shown in the fourth column of Table
1, their four-card AND protocol does not terminate with a fixed number of shuffles, indicating that it is a Las Vegas algorithm. In addition, they constructed a five-card AND protocol that terminates with a finite number of shuffles; see the sixth protocol shown in Table
1. Furthermore, they proved that there is no four-card committed-format AND protocol with a finite number of shuffles. Therefore, when we focus our attention on finite-runtime protocols, the five-card AND protocol in committed format is optimal in terms of the number of cards.
Now, let us revisit Table
1, which contains columns regarding shuffles being uniform, cyclic, and/or closed. Note that the first four protocols (from 1993 to 2009) all have the answer “yes.” We formally define the uniformity, cyclicity, and closedness of shuffles. Following the formal computation model of card-based protocols [
8], a shuffle action is specified by a set
\(\varPi \) of permutations and a probability distribution
\({\mathcal {F}}\) on
\(\varPi \):
$$\begin{aligned} (\mathsf {shuf}, \varPi , {\mathcal {F}}); \end{aligned}$$
if
\({\mathcal {F}}\) is uniform, we say that the shuffle is
uniform; if
\(\varPi \) is a cyclic subgroup (of the symmetric group), we say that it is
cyclic; if
\(\varPi \) is a subgroup, we say that it is
closed. For example, the random bisection cut that the Mizuki–Sone protocol uses can be formally written as:
$$\begin{aligned} (\mathsf {shuf}, \{\mathsf {id},(1\,4)(2\,5)(3\,6)\}, \, \mathsf {id} \! \mapsto \! 1/2, \, (1\,4)(2\,5)(3\,6) \! \mapsto \! 1/2). \end{aligned}$$
Thus, a random bisection cut is surely a uniform and cyclic (and hence, closed) shuffle. The first three protocols [
3,
13,
17] in Table
1 utilize only random cuts, which are also uniform and cyclic.
On the other hand, the two Koch–Walzer–Härtel protocols [
7] use non-uniform and/or non-closed shuffles, such as:
$$\begin{aligned} (\mathsf {shuf}, \{\mathsf {id}, (1\,2)(3\,4)\}, \, \mathsf {id} \! \mapsto \! 1/3, \, (1\,2)(3\,4) \! \mapsto \! 2/3) \end{aligned}$$
and
$$\begin{aligned} (\mathsf {shuf}, \{\mathsf {id}, (5\,4\,3\,2\,1)\},\, \mathsf {id} \! \mapsto \! 2/3,\, (5\,4\,3\,2\,1)\! \mapsto \! 1/3). \end{aligned}$$
Recently, Koch [
5], as well as Ruangwises and Itoh [
16], independently modified the Koch–Walzer–Härtel protocols to obtain protocols using only uniform shuffles, although those shuffles are non-closed; see the seventh and eighth protocols, as shown in Table
1. Thus, it is relatively difficult for humans to practically implement the existing four-card and five-card protocols. Note that Koch and Walzer [
6] showed that any uniform closed shuffles can be implemented by human hands with the help of a secure implementation of the random cut (such as the Hindu cut [
18,
19]).
Therefore, a natural question has arisen:
Can we construct a committed-format AND protocol with five cards or less using only uniform closed shuffles?
This is one of the most important open problems in card-based cryptography.
In this paper, we will answer this question affirmatively, i.e., we will design five-card AND protocols in committed format using only uniform closed shuffles (see the last two rows in Table
1). The shuffles that our protocols use are random cuts and random bisection cuts, both of which can be easily implemented by humans, as mentioned above. Hence, we believe that humans can effortlessly execute our protocols. Specifically, we propose two protocols: in Sect.
2, we present a five-card AND protocol whose expected number of shuffles is seven, while in Sect.
3, we improve upon the protocol, such that the expected number of shuffles can be reduced to 4.5 (although the construction is somewhat complicated).
An earlier version of this study was presented and appeared as a conference paper [
1]. This present paper is extended compared to the conference paper: This paper provides another novel five-card AND protocol using a less number of shuffles and verify the correctness and security of the protocol. Section
3 is devoted to these new findings.