The minimum number of cards in practical card-based protocols

Julia Kastner; Alexander Koch; Stefan Walzer; Daiki Miyahara; Yu ichi Hayashi; Takaaki Mizuki; Hideaki Sone

doi:10.1007/978-3-319-70700-6_5

The minimum number of cards in practical card-based protocols

Julia Kastner, Alexander Koch, Stefan Walzer, Daiki Miyahara, Yu ichi Hayashi, Takaaki Mizuki, Hideaki Sone

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

33 Citations (Scopus)

Abstract

The elegant “five-card trick” of den Boer (EUROCRYPT 1989) allows two players to securely compute a logical AND of two private bits, using five playing cards of symbols ♥ and ♣. Since then, card-based protocols have been successfully put to use in classroom environments, vividly illustrating secure multiparty computation - and evoked research on the minimum number of cards needed for several functionalities. Securely computing arbitrary circuits needs protocols for negation, AND and bit copy in committed-format, where outputs are commitments again. Negation just swaps the bit’s cards, computing AND and copying a bit n times can be done with six and 2n+2 cards, respectively, using the simple protocols of Mizuki and Sone (FAW 2009). Koch et al. (ASIACRYPT 2015) showed that five cards suffice for computing AND in finite runtime, albeit using relatively complex and unpractical shuffle operations. In this paper, we show that if we restrict shuffling to closed permutation sets, the six-card protocol is optimal in the finite-runtime setting. If we additionally assume a uniform distribution on the permutations in a shuffle, we show that restart-free four-card AND protocols are impossible. These shuffles are easy to perform even in an actively secure manner (Koch and Walzer, ePrint 2017). For copying bit commitments, the protocol of Nishimura et al. (ePrint 2017) needs only 2n + 1 cards, but performs a number of complex shuffling steps that is only finite in expectation.We show that it is impossible to go with less cards. If we require an a priori bound on the runtime, we show that the (2n + 2)-card protocol is card-minimal.

Original language	English
Title of host publication	Advances in Cryptology – ASIACRYPT 2017 - 23rd International Conference on the Theory and Applications of Cryptology and Information Security, Proceedings
Editors	Tsuyoshi Takagi, Thomas Peyrin
Publisher	Springer Verlag
Pages	126-155
Number of pages	30
ISBN (Print)	9783319706993
DOIs	https://doi.org/10.1007/978-3-319-70700-6_5
Publication status	Published - 2017
Event	23rd Annual International Conference on Theory and Application of Cryptology and Information Security, ASIACRYPT 2017 - Hong Kong, Hong Kong Duration: 2017 Dec 3 → 2017 Dec 7

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	10626 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	23rd Annual International Conference on Theory and Application of Cryptology and Information Security, ASIACRYPT 2017
Country/Territory	Hong Kong
City	Hong Kong
Period	17/12/3 → 17/12/7

Keywords

Boolean AND
COPY
Card-based protocols
Committed format
Cryptography without computers
Secure computation

Access to Document

10.1007/978-3-319-70700-6_5

Cite this

Kastner, J., Koch, A., Walzer, S., Miyahara, D., Hayashi, Y. I., Mizuki, T., & Sone, H. (2017). The minimum number of cards in practical card-based protocols. In T. Takagi, & T. Peyrin (Eds.), Advances in Cryptology – ASIACRYPT 2017 - 23rd International Conference on the Theory and Applications of Cryptology and Information Security, Proceedings (pp. 126-155). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 10626 LNCS). Springer Verlag. https://doi.org/10.1007/978-3-319-70700-6_5

Kastner, Julia ; Koch, Alexander ; Walzer, Stefan et al. / The minimum number of cards in practical card-based protocols. Advances in Cryptology – ASIACRYPT 2017 - 23rd International Conference on the Theory and Applications of Cryptology and Information Security, Proceedings. editor / Tsuyoshi Takagi ; Thomas Peyrin. Springer Verlag, 2017. pp. 126-155 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{f8b3f59934754ffbad78d7264fb76365,

title = "The minimum number of cards in practical card-based protocols",

abstract = "The elegant “five-card trick” of den Boer (EUROCRYPT 1989) allows two players to securely compute a logical AND of two private bits, using five playing cards of symbols ♥ and ♣. Since then, card-based protocols have been successfully put to use in classroom environments, vividly illustrating secure multiparty computation - and evoked research on the minimum number of cards needed for several functionalities. Securely computing arbitrary circuits needs protocols for negation, AND and bit copy in committed-format, where outputs are commitments again. Negation just swaps the bit{\textquoteright}s cards, computing AND and copying a bit n times can be done with six and 2n+2 cards, respectively, using the simple protocols of Mizuki and Sone (FAW 2009). Koch et al. (ASIACRYPT 2015) showed that five cards suffice for computing AND in finite runtime, albeit using relatively complex and unpractical shuffle operations. In this paper, we show that if we restrict shuffling to closed permutation sets, the six-card protocol is optimal in the finite-runtime setting. If we additionally assume a uniform distribution on the permutations in a shuffle, we show that restart-free four-card AND protocols are impossible. These shuffles are easy to perform even in an actively secure manner (Koch and Walzer, ePrint 2017). For copying bit commitments, the protocol of Nishimura et al. (ePrint 2017) needs only 2n + 1 cards, but performs a number of complex shuffling steps that is only finite in expectation.We show that it is impossible to go with less cards. If we require an a priori bound on the runtime, we show that the (2n + 2)-card protocol is card-minimal.",

keywords = "Boolean AND, COPY, Card-based protocols, Committed format, Cryptography without computers, Secure computation",

author = "Julia Kastner and Alexander Koch and Stefan Walzer and Daiki Miyahara and Hayashi, {Yu ichi} and Takaaki Mizuki and Hideaki Sone",

note = "Funding Information: This study was supported by Tedec-Meiji Farma, S.A., Madrid, Spain. Publisher Copyright: {\textcopyright} International Association for Cryptologic Research 2017.; 23rd Annual International Conference on Theory and Application of Cryptology and Information Security, ASIACRYPT 2017 ; Conference date: 03-12-2017 Through 07-12-2017",

year = "2017",

doi = "10.1007/978-3-319-70700-6_5",

language = "English",

isbn = "9783319706993",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer Verlag",

pages = "126--155",

editor = "Tsuyoshi Takagi and Thomas Peyrin",

booktitle = "Advances in Cryptology – ASIACRYPT 2017 - 23rd International Conference on the Theory and Applications of Cryptology and Information Security, Proceedings",

address = "Germany",

}

Kastner, J, Koch, A, Walzer, S, Miyahara, D, Hayashi, YI, Mizuki, T & Sone, H 2017, The minimum number of cards in practical card-based protocols. in T Takagi & T Peyrin (eds), Advances in Cryptology – ASIACRYPT 2017 - 23rd International Conference on the Theory and Applications of Cryptology and Information Security, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 10626 LNCS, Springer Verlag, pp. 126-155, 23rd Annual International Conference on Theory and Application of Cryptology and Information Security, ASIACRYPT 2017, Hong Kong, Hong Kong, 17/12/3. https://doi.org/10.1007/978-3-319-70700-6_5

The minimum number of cards in practical card-based protocols. / Kastner, Julia; Koch, Alexander; Walzer, Stefan et al.
Advances in Cryptology – ASIACRYPT 2017 - 23rd International Conference on the Theory and Applications of Cryptology and Information Security, Proceedings. ed. / Tsuyoshi Takagi; Thomas Peyrin. Springer Verlag, 2017. p. 126-155 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 10626 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - The minimum number of cards in practical card-based protocols

AU - Kastner, Julia

AU - Koch, Alexander

AU - Walzer, Stefan

AU - Miyahara, Daiki

AU - Hayashi, Yu ichi

AU - Mizuki, Takaaki

AU - Sone, Hideaki

N1 - Funding Information: This study was supported by Tedec-Meiji Farma, S.A., Madrid, Spain. Publisher Copyright: © International Association for Cryptologic Research 2017.

PY - 2017

Y1 - 2017

N2 - The elegant “five-card trick” of den Boer (EUROCRYPT 1989) allows two players to securely compute a logical AND of two private bits, using five playing cards of symbols ♥ and ♣. Since then, card-based protocols have been successfully put to use in classroom environments, vividly illustrating secure multiparty computation - and evoked research on the minimum number of cards needed for several functionalities. Securely computing arbitrary circuits needs protocols for negation, AND and bit copy in committed-format, where outputs are commitments again. Negation just swaps the bit’s cards, computing AND and copying a bit n times can be done with six and 2n+2 cards, respectively, using the simple protocols of Mizuki and Sone (FAW 2009). Koch et al. (ASIACRYPT 2015) showed that five cards suffice for computing AND in finite runtime, albeit using relatively complex and unpractical shuffle operations. In this paper, we show that if we restrict shuffling to closed permutation sets, the six-card protocol is optimal in the finite-runtime setting. If we additionally assume a uniform distribution on the permutations in a shuffle, we show that restart-free four-card AND protocols are impossible. These shuffles are easy to perform even in an actively secure manner (Koch and Walzer, ePrint 2017). For copying bit commitments, the protocol of Nishimura et al. (ePrint 2017) needs only 2n + 1 cards, but performs a number of complex shuffling steps that is only finite in expectation.We show that it is impossible to go with less cards. If we require an a priori bound on the runtime, we show that the (2n + 2)-card protocol is card-minimal.

AB - The elegant “five-card trick” of den Boer (EUROCRYPT 1989) allows two players to securely compute a logical AND of two private bits, using five playing cards of symbols ♥ and ♣. Since then, card-based protocols have been successfully put to use in classroom environments, vividly illustrating secure multiparty computation - and evoked research on the minimum number of cards needed for several functionalities. Securely computing arbitrary circuits needs protocols for negation, AND and bit copy in committed-format, where outputs are commitments again. Negation just swaps the bit’s cards, computing AND and copying a bit n times can be done with six and 2n+2 cards, respectively, using the simple protocols of Mizuki and Sone (FAW 2009). Koch et al. (ASIACRYPT 2015) showed that five cards suffice for computing AND in finite runtime, albeit using relatively complex and unpractical shuffle operations. In this paper, we show that if we restrict shuffling to closed permutation sets, the six-card protocol is optimal in the finite-runtime setting. If we additionally assume a uniform distribution on the permutations in a shuffle, we show that restart-free four-card AND protocols are impossible. These shuffles are easy to perform even in an actively secure manner (Koch and Walzer, ePrint 2017). For copying bit commitments, the protocol of Nishimura et al. (ePrint 2017) needs only 2n + 1 cards, but performs a number of complex shuffling steps that is only finite in expectation.We show that it is impossible to go with less cards. If we require an a priori bound on the runtime, we show that the (2n + 2)-card protocol is card-minimal.

KW - Boolean AND

KW - COPY

KW - Card-based protocols

KW - Committed format

KW - Cryptography without computers

KW - Secure computation

UR - http://www.scopus.com/inward/record.url?scp=85037827397&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85037827397&partnerID=8YFLogxK

U2 - 10.1007/978-3-319-70700-6_5

DO - 10.1007/978-3-319-70700-6_5

M3 - Conference contribution

AN - SCOPUS:85037827397

SN - 9783319706993

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 126

EP - 155

BT - Advances in Cryptology – ASIACRYPT 2017 - 23rd International Conference on the Theory and Applications of Cryptology and Information Security, Proceedings

A2 - Takagi, Tsuyoshi

A2 - Peyrin, Thomas

PB - Springer Verlag

T2 - 23rd Annual International Conference on Theory and Application of Cryptology and Information Security, ASIACRYPT 2017

Y2 - 3 December 2017 through 7 December 2017

ER -

Kastner J, Koch A, Walzer S, Miyahara D, Hayashi YI, Mizuki T et al. The minimum number of cards in practical card-based protocols. In Takagi T, Peyrin T, editors, Advances in Cryptology – ASIACRYPT 2017 - 23rd International Conference on the Theory and Applications of Cryptology and Information Security, Proceedings. Springer Verlag. 2017. p. 126-155. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-319-70700-6_5

The minimum number of cards in practical card-based protocols

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this