Hide a Liar: Card-Based ZKP Protocol for Usowan

Abstract

A Zero-Knowledge Proof (ZKP) protocol allows a participant to prove the knowledge of some secret without revealing any information about it. While such protocols are typically executed by computers, there exists a line of research proposing physical instances of ZKP protocols. Up to now, many card-based ZKP protocols for pen-and-pencil puzzles, like Sudoku, have been designed. Those games, mostly edited by Nikoli, have simple rules, yet designing them in card-based ZKP protocols is non-trivial. This is partly due to the fact that the solution should not be leaked during the protocol. In this work, we propose a card-based protocol for Usowan, a Nikoli game. In Usowan, for each room of a puzzle instance, there is exactly one piece of false information. The goal of the game is to detect this wrong data amongst the correct data and also to satisfy the other rules. Designing a card-based ZKP protocol to deal with the property of detecting a liar has never been done. In some sense, we propose a physical ZKP for hiding of a liar.

Appendices

A Mizuki–Sone Copy Protocol [22]

The protocol proceeds as follows.⁴

1. 1.

   Turn over all face-up cards and put the commitment to a above the four additional cards as follows:

   

   Note that black-to-red represents 0, and red-to-black represents 1 according to Eq. (2).

2. 2.

   Apply a pile-shifting shuffle as follows:

   

3. 3.

   Reveal the two above cards and obtain two commitments to a as follows (note that negating a commitment is easy).

   1. (a)

      If they are , then the four bottom cards are .

   2. (b)

      If they are , then the four bottom cards are .

B Input-preserving Five-Card Trick [16]

The sub-protocol proceeds as follows.

1. 1.

   Add helping cards and swap the two cards of the commitment to a so that we have the negation \(\overline{b}\), as follows:

   

2. 2.

   Rearrange the sequence of cards and turn over the face-up cards as:

   

3. 3.

   Regarding cards in the same column as a pile, apply a pile-shifting shuffle to the sequence:

   

4. 4.

   Reveal all the cards in the above row.

   1. (a)

      If the resulting sequence is (up to cyclic shifts), then \(a\vee b=0\).

   2. (b)

      If it is (up to cyclic shifts), then \(a\vee b=1\).

5. 5.

   After turning over all the face-up cards, apply a pile-shifting shuffle.

6. 6.

   Reveal all the cards in the bottom row; then, the revealed cards should include exactly one .

7. 7.

   Shift the sequence of piles so that the leftmost card is the revealed and swap the two cards of the commitment to \(\overline{b}\) to restore commitments to a and b.

C How to Form a White Polyomino

Before explaining the protocol, we need to describe two crucial sub-protocols first, namely the chosen pile protocol and the 4-neighbour protocol.

1.1 C.1 Chosen Pile Protocol [9]

This protocol allows P to choose a pile of cards without V knowing which one it is. Some operations can be done on this pile while all the commitments are replaced in their initial order.

This protocol is an extended version of the “chosen pile cut” proposed in [14]. Given m piles \(({\textbf {p}}_1,{\textbf {p}}_2,\ldots ,{\textbf {p}}_m)\) with 2m additional cards, the chosen pile protocol enables a prover P to choose the i-th pile \({\textbf {p}}_i\) (without revealing the index i) and revert the sequence of m piles to their original order after applying other operations to \(p_i\).

1. 1.

   Using \(m-1\) and one , P places m face-down cards (denoted by row 2) below the given piles such that only the i-th card is . We further put m cards (denoted by row 3) below the cards such that only the first card is :

   

2. 2.

   Considering the cards in the same column as a pile, apply a pile-shifting shuffle to the sequence of piles.

3. 3.

   Reveal all the cards in row 2. Then, exactly one appears, and the pile above the revealed is the i-th pile (thus P can obtain \({\textbf {p}}_i\)). After this step is invoked, other operations are applied to the chosen pile. Then, the chosen pile is placed back to the i-th position in the sequence.

4. 4.

   Remove the revealed cards, i.e., the cards in row 2. (Note, therefore, that we do not use the card revealed in Step 3.) Then, apply a pile-shifting shuffle.

5. 5.

   Reveal all the cards in row 3. Then, one appears, and the pile above the revealed is \({\textbf {p}}_1\). Therefore, by shifting the sequence of piles (such that \({\textbf {p}}_1\) becomes the leftmost pile in the sequence), we can obtain a sequence of piles whose order is the same as the original one without revealing any information about the order of the input sequence.

1.2 C.2 Sub-protocol: 4-Neighbour Protocol [27]

Given pq commitments placed on a \(p\times q\) grid, a prover P has a commitment in mind, which we call a target commitment. The prover P wants to reveal the target commitment and another one that lies next to the target commitment (without revealing their exact positions). Here, a verifier V should be convinced that the second commitment is a neighbour of the first one (without knowing which one) as well as V should be able to confirm the colours of both the commitments. To handle the case where the target commitment is at the edge of the grid, we place commitments to red (as “dummy” commitments) in the left of the first column and the below of the last row to prevent P from choosing a commitment that is not a neighbour. Thus, the size of the expanded grid is \((p+1)\times (q+1)\).⁵

This sub-protocol proceeds as follows.

1. 1.

   P and V pick the \((p+1)(q+1)\) commitments on the grid from left-to-right and top-to-bottom to make a sequence of commitments:

   

2. 2.

   P uses the chosen pile protocol (Sect. 2) to reveal the target commitment.

3. 3.

   P and V pick all the four neighbours of the target commitment. Since a pile-shifting shuffle is a cyclic reordering, the distance between commitments are kept (up to a given modulo). That is, for a target commitment (not at the edge), the possible four neighbours are at distance one for the left or right one, and \(p+1\) for the bottom or top one. Therefore, P and V can determine the positions of all the four neighbours.

4. 4.

   Among these four neighbours, P chooses one commitment using the chosen pile protocol and reveals it.

5. 5.

   P and V end the second and first chosen pile protocols.

1.3 C.3 Full Protocol

Assume that there is a grid having \(p\times q\) cells. Without loss of generality, P wants to arrange white commitments on the grid such that they form a white-polyomino while V is convinced that the placement of commitments is surely a white-polyomino. The method is as follows.

1. 1.

   P and V place a commitment to black (i.e., ) on every cell and commitments to red as mentioned in Sect. 2.4 so that they have \((p+1)(q+1)\) commitments on the board.

2. 2.

   P uses the chosen pile protocol to choose one black commitment that P wants to change.

   1. (a)

      V swaps the two cards constituting the chosen commitment so that it becomes a white commitment (recall the encoding (1)).

   2. (b)

      P and V end the chosen pile protocol to return the commitments to their original positions.

3. 3.

   P and V repeat the following steps exactly \(pq-1\) times.

   1. (a)

      P chooses one white commitment as a target and one black commitment among its neighbours using the 4-neighbour protocol; the neighbour is chosen such that P wants to make it white.

   2. (b)

      V reveals the target commitment. If it corresponds to white, then V continues; otherwise V aborts.

   3. (c)

      V reveals the neighbour commitment (chosen by P). If it corresponds to black, then P makes the neighbour white or keep it black (depending on P’s choice) by executing the following steps; otherwise V aborts.

      1. i.

         If P wants to change the commitment, P places face-down club-to-heart pair below it; otherwise, P places a heart-to-club pair:

         

      2. ii.

         Regarding cards in the same column as a pile, V applies a pile-shifting shuffle to the sequence of piles:

         

      3. iii.

         V reveals the two cards in the second row. If the revealed right card is , then V swaps the two cards in the first row; otherwise V does nothing.

   4. (d)

      P and V end the 4-neighbour protocol.

4. 4.

   P and V remove all the red commitments (i.e., dummy commitments) so that we have pq commitments on the board.

After this process, V is convinced that all the white commitments represent a white-polyomino. Therefore, this method allows a prover P to make a solution that only P has in mind, guaranteed to satisfy the connectivity constraint.

If the number of white cells in the final polyomino, say k, is public to a verifier V, it is sufficient that in Step 3, P and V repeat \(k-1\) times and in Step 3c, and hence, V simply swaps the two cards constituting the neighbour commitment to make it white (without P’s choice).

D Security Proofs

Our protocol needs to verify three security properties given as theorems. Note that the sub-protocols used from the literature have been proven secure i.e., they are correct, complete, sound and zero-knowledge.

Theorem 1

(Completeness). If P knows the solution of an Usowan grid, then P can convince V.

Proof

P convinces V in the sense that the protocol does not abort which means that all the rules are satisfied. The protocol can be split into two phases: (1) the connectivity phase and (2) the verification phase.

(1) Since P knows the solution, the white cells are connected and hence P can always choose a black commitment at step 2 to swap it to white.

(2) For the lonely black verification, there is no configuration of two black cells that are touching horizontally nor vertically hence for every pair of adjacent cells, there is always at least one white cell.

For the liar verification, there is exactly (in each region) one numbered cell surrounded by a different number of black cells. Suppose, without lost of generality, that the liar cell is equal to i in a given region (the same result could be applied for each other region). When the sum of the four neighbours is done, the card at position (from left) \(i+1\) is otherwise the numbered card is not a liar. Thus when revealing the cards at the last step, there is always a card.

Theorem 2

(Soundness). If P does not provide a solution of the \(p\times q\) Usowan grid, P is not able to convince V.

Proof

Suppose that P does not provide a solution. If the white cells are not connected, then P cannot choose a neighbor commitment that P wants to change at step 3c. If there are two black commitments touching (or more), then the five-card trick will output 0; hence, V will abort. Finally, if there is not one liar exactly in a given region, then the last step of the verification will reveal either no or at least two s; hence, V will abort.

Theorem 3

(Zero-knowledge). V learns nothing about P’s solution of the given grid G.

Proof

We use the same proof technique as in [11], namely the description of an efficient simulator that simulates the interaction between an honest prover and a cheating verifier. The goal is to produce an indistinguishable interaction from the verifier’s view (with the prover). Notice that the simulator does not have the solution but it can swap cards during shuffles. Informally, the verifier cannot distinguish between the distributions of two protocols, one that is run with the actual solution and one with random commitments. The simulator acts as follows.

• The simulator constructs a random connected white polyomino.

• During the lonely black verification, the simulator replaces the cards in the five-card trick introduced in Sect. 2.3 with . While the latter sequence is randomly shifted, this ensure that the protocol continues.

• During the liar verification, the simulator simply replaces, in the last step, the cards to have exactly one and the rest as s. This ensure that there is exactly one liar in a given region, meaning that the protocol does not abort.

The simulated and real proofs are indistinguishable and hence V learns nothing from the connectivity and verification phases. Finally, we conclude that the protocol is zero-knowledge.