Abstract
It is known that secure computation can be done by using a deck of physical cards. This area is called card-based cryptography. Shinagawa et al. (in: Provable security—9th international conference, ProvSec 2015, Kanazawa, Japan, 2015) proposed regular n-sided polygon cards that make it possible to compute functions over \({\mathbb {Z}}/n{\mathbb {Z}}\). In particular, they designed efficient protocols for linear functions (e.g. addition and constant multiplication) over \({\mathbb {Z}}/n{\mathbb {Z}}\). Here, efficiency is measured by the number of cards used in the protocol. In this paper, we propose a new type of cards, dihedral cards, as a natural generalization of regular polygon cards. Based on them, we construct efficient protocols for various interesting functions such as carry of addition, equality, and greater-than, whose efficient construction has not been known before. Besides this, we introduce a new protocol framework that captures a wide class of card types including binary cards, regular polygon cards, dihedral cards, and so on.
Introduction
Secure computation enables a set of parties, each having inputs, to jointly compute a predetermined function of their inputs without revealing their inputs beyond the output. Card-based cryptography (e.g., [2, 4, 9]) is secure computation that can be done by using a deck of physical cards instead of computer devices. This helps people understand the correctness and security of secure computation, even if they are not familiar with mathematics. Indeed, it is applied in educational settings; some universities (e.g., Cornell University [7], University of Waterloo [3], and Tohoku University [8]) adopt card-based cryptography as teaching material for beginner students.
While most existing works [1, 3, 4, 5, 6, 9, 10, 11, 12, 16] focus mainly on binary computation, much of the secure computation that arises in everyday and classroom situations needs to take multivalued inputs. For instance, secure computation of the average score, which takes a number of scores and outputs their average, is a canonical example. In order to compute multivalued functions efficiently, Shinagawa et al. [15] proposed a deck of regular polygon cards, whose shape is a regular n-sided polygon for the base number n. They proposed a two-card addition protocol that outputs \(x + y \bmod n\) given two cards having \(x, y \in {\mathbb {Z}}/n{\mathbb {Z}}\).
Does a deck of regular polygon cards realize sufficiently efficient secure computation for multivalued functions? Up until now, efficient protocols exist only for a very restrictive class of functions such as addition and subtraction; computing a function outside this class requires a large number of cards (in general, \(O(n^k)\) cards for k inputs). Unfortunately, there are no efficient protocols even for very simple functions such as addition with carry, where given two integers \(x, y \in \{0, 1, \ldots , n-1\}\), it outputs a carry of addition, the predicate “\(x+y \ge n\)”. Computing a carry of addition efficiently is one of the open problems in this area. In this paper, we solve it by designing a new type of cards.
Our Contribution
Dihedral cards We design a new type of cards, dihedral cards, which is based on the use of invisible ink. It makes it possible to construct several efficient protocols. Introducing invisible ink in the area of card-based cryptography is also our contribution. We construct efficient protocols for computing interesting predicates: a carry of addition “\(x+y\ge n\)”, equality with zero “\(x=0\)”, equality “\(x=y\)”, and greater than “\(x\ge y\)”. Table 1 shows a comparison between our protocols and the previous protocols [15] with regular polygon cards (RPC). Somewhat surprisingly, our protocols with dihedral cards (DC) for these predicates require only two cards, while all existing RPC-based protocols for the same predicates require a large number of cards depending on the modulus n.
A unified protocol model We introduce a new protocol model for describing protocols with our new cards (Sect. 2). Our model is fairly general. It captures a wide class of protocols, not only those with our dihedral cards but also those with other types of cards. For example, our model also captures regular polygon cards [14, 15]. See Appendix for the definition of regular polygon cards in our model. We believe that our model will be applied to future works proposing new cards. We leave concrete definitions for other cards as future work.
A Unified Protocol Model
In this section, we introduce a protocol model for describing not only our dihedral cards but also other cards. Roughly speaking, a card-based protocol can be specified by a deck of cards and a set of operations. Thus in order to describe a new type of cards, we must define a suitable deck of cards and a suitable set of operations. In this section, we explain the model with the case of the standard binary cards in order to make it easier to read for those who are familiar with the ordinary card-based cryptography. We give definitions for dihedral cards in Sect. 3. We also give definitions for other cards in Appendix.
Deck, Sequence, and Visible Sequence
In the Mizuki-Shizuya model, a deck is defined by a finite multiset. For example, \({\mathcal {D}}= \{\clubsuit , \clubsuit , \clubsuit , \heartsuit , \heartsuit , \heartsuit \}\) denotes a deck consisting of six cards: three clubs and three hearts. All backsides are assumed to be “\(\varvec{?}\)”. (Thus, the condition \({\mathcal {D}}\cap \{\varvec{?}\} = \emptyset \) is required.) Although it captures some classes of decks, including decks of binary cards and number cards, it is not sufficient if nonstandard cards (like dihedral cards) are used.
In our model, we define a deck as follows:
Definition 1
(Deck) A deck \({\overline{\mathcal{D}}}\) is defined by a five-tuple as follows:
where \({\mathcal {C}}\) is a finite set called a card set, \({\mathcal {T}}\subset \{t \mid {t}: {\mathcal {C}}\rightarrow {\mathcal {C}}\}\) is called a transformation set, \(\varSigma \) is a finite set called a symbol set, \(\mathsf {vis}: {\mathcal {C}}\rightarrow \varSigma \) is a function called a vision function, and \({\mathcal {D}}\) is a finite multiset called a deck set, where the base set is \({\mathcal {C}}\). We assume that \({\mathcal {T}}\) always contains the identity function \(\mathsf {id}: {\mathcal {C}}\rightarrow {\mathcal {C}}\). The former four-tuple \(({\mathcal {C}}, {\mathcal {T}}, \varSigma , \mathsf {vis})\) is called a card specification. \(\blacksquare \)
Example 1
Consider a deck of cards whose back sides are , which is used by the Five-Card Trick [2]. The deck is described by the following:

The card set is \({\mathcal {C}}= \{\clubsuit /\varvec{?}, \heartsuit /\varvec{?}, \varvec{?}/\clubsuit , \varvec{?}/\heartsuit \}\);

The symbol set is \(\varSigma = \{\clubsuit , \heartsuit , \varvec{?}\}\);

The transformation set is \({\mathcal {T}}= \{\mathsf {id}, \mathsf {turn}\}\), where the function \(\mathsf {turn}\) is defined by \(\mathsf {turn}(X/Y) = Y/X\) for any \(X, Y \in \varSigma \);

The vision function \(\mathsf {vis}\) is defined by \(\mathsf {vis}(X/Y) = X\) for any \(X, Y \in \varSigma \);

The deck set is \({\mathcal {D}}= \{\clubsuit /\varvec{?}, \clubsuit /\varvec{?}, \heartsuit /\varvec{?}, \heartsuit /\varvec{?}, \heartsuit /\varvec{?}\} = \{(\clubsuit /\varvec{?})^2, (\heartsuit /\varvec{?})^3\}\).
For the card set \({\mathcal {C}}\), the element “\(\,\clubsuit /\varvec{?}\)” (resp. “\(\,\heartsuit /\varvec{?}\)”) means a face-up card (resp. ) and the element “\(\,\varvec{?}/\clubsuit \)” (resp. “\(\,\varvec{?}/\heartsuit \)”) means a face-down card whose front side is (resp. ). The transformation set has a turning transformation \(\mathsf {turn}\). By applying \(\mathsf {turn}\) to a card, a face-up card is changed to a face-down card (and vice versa). The vision function specifies what information is revealed from a card. From face-up cards “\(\,\clubsuit /\varvec{?}\)” and “\(\,\heartsuit /\varvec{?}\)”, it reveals the symbols “\(\,\clubsuit \)” and “\(\,\heartsuit \)”; on the other hand, from face-down cards “\(\,\varvec{?}/\clubsuit \)” and “\(\,\varvec{?}/\heartsuit \)”, it reveals “\(\,\varvec{?}\)” only. This card specification \(({\mathcal {C}}, {\mathcal {T}}, \varSigma , \mathsf {vis})\) is called the binary cards. Hereafter, we denote the binary cards by \(\mathsf {Binary}= ({\mathcal {C}}^\mathsf{b}, {\mathcal {T}}^\mathsf{b}, \varSigma ^\mathsf{b}, \mathsf {vis}^\mathsf{b})\). \(\blacksquare \)
Sequence We define a sequence as follows:
Definition 2
(Sequence) Let \(\overline{\mathcal{D}}= ({\mathcal {C}}, {\mathcal {T}}, \varSigma , \mathsf {vis}, {\mathcal {D}})\) be a deck. A sequence s in \(\overline{\mathcal{D}}\) is defined as follows:
where \(t_1, t_2, \ldots , t_{|{\mathcal {D}}|} \in {\mathcal {T}}\) and \({\mathcal {D}}= \{x_1, x_2, \ldots , x_{|{\mathcal {D}}|}\}\) as a multiset. The set of all sequences in \(\overline{\mathcal{D}}\) is denoted by \(\mathsf {Seq}^{\overline{\mathcal{D}}}\). \(\blacksquare \)
Example 2
Let \(\overline{\mathcal{D}}= (\mathsf {Binary}, {\mathcal {D}})\) be the deck in Example 1. An example of a sequence s of \(\overline{\mathcal{D}}\) is as follows:
This is because s is represented as follows:
It represents a sequence . \(\blacksquare \)
Visible sequence We define a visible sequence as follows:
Definition 3
(Visible sequence) Let \(\overline{\mathcal{D}}= ({\mathcal {C}}, {\mathcal {T}}, \varSigma , \mathsf {vis}, {\mathcal {D}})\) be a deck and let \(s = (x_1, x_2, \ldots , x_{|{\mathcal {D}}|}) \in \mathsf {Seq}^{\overline{\mathcal{D}}}\) be a sequence in \(\overline{\mathcal{D}}\). The visible sequence of s in \(\overline{\mathcal{D}}\) is defined as follows:
The set of all visible sequences in \(\overline{\mathcal{D}}\) is defined as follows:
\(\blacksquare \)
Example 3
Let s be the sequence in Example 2. The visible sequence of s is \(\mathsf {vis}(s) = (\varvec{?},\varvec{?},\heartsuit ,\varvec{?},\varvec{?})\). We sometimes write it as \((\varvec{?}^2,\heartsuit ,\varvec{?}^2)\) or \(\varvec{?}^2\heartsuit \varvec{?}^2\). \(\blacksquare \)
Operation
Let \(\overline{\mathcal{D}}\) be a deck. Let \(s \in \mathsf {Seq}^{\overline{\mathcal{D}}}\) be a sequence in \(\overline{\mathcal{D}}\). We consider two types of operations, conversion and opening, as follows:

Conversion: It converts s into a new sequence \(s' \in \mathsf {Seq}^{\overline{\mathcal{D}}}\). When it is deterministic, it is called a deterministic operation (e.g. permutation and turn). When it is randomized, it is called a probabilistic operation (e.g. shuffle).

Opening: It reveals some information on s while the visible sequence of the sequence is left unchanged (e.g. sign opening in Sect. 3.2).
Now we define the most standard set of operations (of conversion) for binary cards. Let \(\overline{\mathcal{D}}= (\mathsf {Binary}, {\mathcal {D}})\) be a deck of binary cards such that \(|{\mathcal {D}}| = \ell \) and let \(s = (c_1, c_2, \ldots , c_{\ell }) \in \mathsf {Seq}^{\overline{\mathcal{D}}}\) be a sequence in \(\overline{\mathcal{D}}\). We define three sets of operations, permutation, turning, and shuffle as follows:
Permutation For \(\pi \in S_{\ell }\) (here \(S_{\ell }\) denotes the \(\ell \)th symmetric group), a permutation operation \((\mathsf {perm}, \pi )\) generates a new sequence in \(\overline{\mathcal{D}}\) as follows:
That is, the card in the ith position in s is moved to the \(\pi (i)\)th position in the new sequence. The set of permutations \(\mathsf {Perm}_{\ell }\) for sequences of \(\ell \) cards is defined as follows:
Turn For a set of positions \(T \subset [\ell ]\) (here \([\ell ]\) denotes the set \(\{1, 2, \ldots , \ell \}\)), a turning operation \((\mathsf {turn}, T)\) takes s as input and returns a new sequence \(s' \in \mathsf {Seq}^{\overline{\mathcal{D}}}\) as follows:
where for \(i \in T\), it holds \(c'_i = \mathsf {turn}(c_i)\), where this “\(\mathsf {turn}\)” is a transformation (i.e., \(\mathsf {turn}\in {\mathcal {T}}^\mathsf{b}\)), and for \(i \not \in T\), it holds \(c'_i = c_i\). The set of turnings \(\mathsf {Turn}_{\ell }\) for sequences of \(\ell \) cards is defined as follows:
We note that a turning operation is not an opening but a conversion since it changes the view of a sequence. Opening is used for operations that do not change the view of a sequence.
Shuffle A shuffle operation is defined by a tuple \((\mathsf {shuffle}, \varPi , D)\), where \(\varPi \subset S_{\ell }\) is a subset of permutations and D is a probability distribution on \(\varPi \). It randomly generates a new sequence \(s' \in \mathsf {Seq}^{{\mathcal {D}}}\) as follows:
where \(\pi \in \varPi \) is independently and randomly chosen according to D. The set of shuffles \(\mathsf {Shuf}_{\ell }\) for sequences of \(\ell \) cards is defined as follows:
View
Let \(\overline{\mathcal{D}}\) be a deck. Let \({\mathcal {O}}\) be a set of operations. For a sequence \(s \in \mathsf {Seq}^{\overline{\mathcal{D}}}\), an operation \(\mathsf{op}\in {\mathcal {O}}\) converts it into a new sequence \(s' \in \mathsf {Seq}^{\overline{\mathcal{D}}}\) with revealed information \(r \in \{0,1\}^*\) as follows:
where if \(\mathsf{op}\) is a conversion, revealed information is defined by \(r = \bot \), and if \(\mathsf{op}\) is an opening, \(s'\) is identical to s. What is revealed from this process to the players? Before applying \(\mathsf{op}\), they observe a visible sequence \(\mathsf {vis}(s)\). After applying \(\mathsf{op}\), they observe a visible sequence \(\mathsf {vis}(s')\) and revealed information r. Thus, all information revealed from the above process is \((\mathsf {vis}(s), \mathsf {vis}(s'), r)\). See sign opening and value opening in Sect. 3.2 for concrete examples of openings.
Suppose that a list of k operations \(\mathbf {\mathsf{op}} \in {\mathcal {O}}^k\) is applied to a sequence \(s_0\) as follows:
Assume that the ith operation brings revealed information \(r_i \in \{0,1\}^*\). Then, all information revealed from the above process is given as follows:
where \(r_0 = \bot \) and \(r_i = \bot \) if the ith operation is conversion. This is called a view of \(\mathbf {\mathsf{op}}\) starting with the sequence \(s_0\). The set of views \(\mathsf {View}^{\overline{\mathcal{D}}}\) is defined as follows:
Example 4
Let \(\overline{\mathcal{D}}= (\mathsf {Binary}, {\mathcal {D}})\) be the deck in Example 1. Let \({\mathcal {O}}\) be a set of operations \({\mathcal {O}}= \mathsf {Perm}_5 \cup \mathsf {Turn}_5\). Let \(\mathbf {\mathsf{op}}\) be a list of operations defined as follows:
When it is applied to a sequence \(s_0 = (\varvec{?}/\clubsuit , \varvec{?}/\heartsuit , \varvec{?}/\clubsuit )\) as follows:
a view of \(\mathbf {\mathsf{op}}\) starting with the sequence \(s_0\) is given as follows:
We sometimes omit revealed information when it is clear that all operations are conversions, as follows:
We also write the above as \(\varvec{?}^3 \rightarrow \varvec{?}^3 \rightarrow \heartsuit \clubsuit \varvec{?}\rightarrow \varvec{?}\clubsuit \heartsuit \). \(\blacksquare \)
Protocol
Protocol We define a protocol as follows:
Definition 4
(Protocol) A protocol \({\mathcal {P}}\) is defined by a five-tuple as follows:
where

\(n \in {\mathbb {N}}\) is any natural number called the number of inputs;

X is a finite set called an input domain;

\(\overline{\mathcal{D}}= ({\mathcal {C}}, {\mathcal {T}}, \varSigma , \mathsf {vis}, {\mathcal {D}})\) is a deck;

\({\mathcal {O}}\) is a finite set called an operation set;

\(A: \mathsf {View}^{\overline{\mathcal{D}}} \rightarrow {\mathcal {O}}\cup \{\bot \}\) is an action function.\(\blacksquare \)
Execution of a protocol Let \({\mathcal {P}}= (n, X, \overline{\mathcal{D}}, {\mathcal {O}}, A)\) be a protocol. Let \(s_0 \in \mathsf {Seq}^{\overline{\mathcal{D}}}\) be a sequence. An execution of \({\mathcal {P}}\) starting with \(s_0\) proceeds as follows:

1. The initial sequence is set to \(s_0\) as follows: Set \(s \leftarrow s_0\) and \(v \leftarrow (\mathsf {vis}(s_0), \bot )\), where s is a variable of the current sequence and v is a variable of the entire view of an execution.

2. Compute the action function \(A(v) = \alpha \); if \(\alpha \ne \bot \), apply the operation \(\alpha \) to the sequence s and obtain a new sequence \(s'\) with revealed information \(r \in \{0,1\}^*\); set \(s \leftarrow s'\) and append “\(\rightarrow (\mathsf {vis}(s'), r)\)” to v. Repeat this step until \(\alpha = \bot \).

3. If \(A(v) = \bot \), terminate the execution.
Example 5
We describe a (slightly modified version of) six-card AND protocol by Mizuki and Sone [9] as follows:
The deck \(\overline{\mathcal{D}}\) is defined by \(\overline{\mathcal{D}}= (\mathsf {Binary}, \{(\clubsuit /\varvec{?})^3, (\heartsuit /\varvec{?})^3\})\). The operation set \({\mathcal {O}}\) is defined by \({\mathcal {O}}= \mathsf {Perm}_6 \cup \mathsf {Turn}_6 \cup \mathsf {Shuf}_6\). The action function A is defined by:

\(A(v_0) = (\mathsf {perm}, (2\;4\;3))\);

\(A(v_1) = (\mathsf {shuffle}, \varPi , D)\) where \(\varPi = \{\mathsf {id},(1\;4)(2\;5)(3\;6)\}\) and D is a uniform distribution over \(\varPi \);

\(A(v_2) = (\mathsf {perm}, (2\;4\;3)^{-1})\);

\(A(v_3) = (\mathsf {turn}, \{1,2\})\);

\(A(v_4) = (\mathsf {perm}, (1\;2) (3\;5) (4\;6))\);

\(A(v) = \bot \) for any \(v \not \in \{v_0, v_1, v_2, v_3, v_4\}\).
where

\(v_0 = (\varvec{?}^6, \bot )\);

\(v_1 = (\varvec{?}^6, \bot ) \rightarrow (\varvec{?}^6, \bot )\);

\(v_2 = (\varvec{?}^6, \bot ) \rightarrow (\varvec{?}^6, \bot ) \rightarrow (\varvec{?}^6, \bot )\);

\(v_3 = (\varvec{?}^6, \bot ) \rightarrow (\varvec{?}^6, \bot ) \rightarrow (\varvec{?}^6, \bot ) \rightarrow (\varvec{?}^6, \bot )\);

\(v_4 = (\varvec{?}^6, \bot ) \rightarrow (\varvec{?}^6, \bot ) \rightarrow (\varvec{?}^6, \bot ) \rightarrow (\varvec{?}^6, \bot ) \rightarrow (\heartsuit \clubsuit \varvec{?}^4, \bot )\).
We describe an execution of this protocol starting with an initial sequence \(s_0 = (\mathsf {com}(x_1), \mathsf {com}(x_2), \mathsf {com}(1))\) as follows:
where the commitment \(\mathsf {com}(b)\) (\(b \in \{0,1\}\)) is two face-down cards whose front sides are if \(b=0\) and otherwise. The protocol proceeds as follows:

1. \((\mathsf {perm}, (2\;4\;3))\): Rearrange the order of the sequence as follows:

2. \((\mathsf {shuffle}, \varPi , D)\): Apply the shuffle:
This shuffle is called a random bisection cut.

3. \((\mathsf {perm}, (2\;4\;3)^{-1})\): Rearrange the order of the sequence as follows:

4. \((\mathsf {turn}, \{1,2\})\): Turn the leftmost commitment as follows:
If it is the former case, i.e., the opened symbols are , the protocol terminates. Otherwise, it proceeds to the next step.

5. \((\mathsf {perm}, (1\;2) (3\;5) (4\;6))\): Rearrange the order of the sequence as follows:
After Steps 4 and 5, the protocol terminates. Then, the final sequence is given as follows:
Since it contains a commitment to \(x_1 \wedge x_2\), it is said to be an AND protocol. \(\blacksquare \)
Functionality
In order to define the correctness and the security of protocols, we introduce a notion of functionality. Informally speaking, a functionality is a pair of sequences parametrized by input variables \(\mathbf {x} \in X^n\). For example, the following is the functionality \({\mathcal {F}}_\mathrm{AND}\) of Mizuki-Sone’s AND protocol (see Example 5).
It is also described as follows:
When some part of input/output sequences in a functionality are not important, \(\bot \) is used. For example, when the AND protocol does not care about the rightmost commitment in the output sequence, it is described as follows:
Sequence with a dummy symbol Let \(\overline{\mathcal{D}}= ({\mathcal {C}}, {\mathcal {T}}, \varSigma , \mathsf {vis}, {\mathcal {D}})\) be a deck with \({\mathcal {C}}\cap \{\bot \} = \emptyset \), where \(\bot \) is a dummy symbol. Let \(s = (c_1, c_2, \ldots , c_{\ell }) \in \mathsf {Seq}^{\overline{\mathcal{D}}}\) be a sequence. A sequence \(s' = (c'_1, c'_2, \ldots , c'_{\ell }) \in ({\mathcal {C}}\cup \{\bot \})^{\ell }\) is said to be a dummy sequence of s if \(c'_i \in \{c_i, \bot \}\) for all \(i \in [\ell ]\). Thus, there exist \(2^{\ell }\) dummy sequences of any sequence of \(\ell \) cards. The set of dummy sequences of s is denoted by \(\mathsf {Seq}_{\bot }(s)\). The set of dummy sequences of \(\overline{\mathcal{D}}\) is defined by
We say that \(s \in \mathsf {Seq}^{\overline{\mathcal{D}}}\) is matched with \(s' \in \mathsf {Seq}_{\bot }^{\overline{\mathcal{D}}}\) if \(s' \in \mathsf {Seq}_{\bot }(s)\).
Example 6
For a sequence \(s = (c_1, c_2, c_3)\), \(\mathsf {Seq}_{\bot }(s)\) is given as follows:
For a sequence \(s' = (c_1, c_2, c'_3)\) with \(c'_3 \ne c_3\), \(s'\) is matched with \((c_1, c_2, \bot )\). \(\blacksquare \)
Variable sequence Let \(\overline{\mathcal{D}}\) be a deck, X be an input domain, and n be the number of inputs. A variable sequence s over \(\mathsf {Seq}^{\overline{\mathcal{D}}}\) is defined by a function \(s: X^n \rightarrow \mathsf {Seq}^{\overline{\mathcal{D}}}\). A variable dummy sequence s over \(\mathsf {Seq}_{\bot }^{\overline{\mathcal{D}}}\) is defined by a function \(s: X^n \rightarrow \mathsf {Seq}_{\bot }^{\overline{\mathcal{D}}}\).
Example 7
An input sequence s(x) of Mizuki-Sone’s AND protocol is a variable sequence \(s: \{0,1\}^2 \rightarrow \mathsf {Seq}^{\overline{\mathcal{D}}}\) defined as follows:
An output sequence \(s'(x)\) of Mizuki-Sone’s AND protocol is a variable dummy sequence \(s': \{0,1\}^2 \rightarrow \mathsf {Seq}_{\bot }^{\overline{\mathcal{D}}}\) defined as follows:
\(\blacksquare \)
Functionality A functionality is defined as follows:
Definition 5
(Functionality) Let \(\overline{\mathcal{D}}\) be a deck, X be an input domain, and n be the number of inputs. A functionality \({\mathcal {F}}\) is defined by a pair:
where \(s_{\mathsf {in}}: X^n \rightarrow \mathsf {Seq}^{\overline{\mathcal{D}}}\) is a variable sequence over \(\mathsf {Seq}^{\overline{\mathcal{D}}}\) and \(s_{\mathsf {out}}: X^n \rightarrow \mathsf {Seq}_{\bot }^{\overline{\mathcal{D}}}\) is a variable dummy sequence over \(\mathsf {Seq}_{\bot }^{\overline{\mathcal{D}}}\). \(\blacksquare \)
Correctness
Correctness The correctness of protocols is defined as follows:
Definition 6
(Correctness) Let \({\mathcal {P}}= (n, X, \overline{\mathcal{D}}, {\mathcal {O}}, A)\) be a protocol. Let \({\mathcal {F}}= (s_{\mathsf {in}}, s_{\mathsf {out}})\) be a functionality. We say that \({\mathcal {P}}\) correctly realizes \({\mathcal {F}}\) if for any input \(\mathbf {x} \in X^n\), any execution of \({\mathcal {P}}\) starting with \(s_{\mathsf {in}}(\mathbf {x})\) terminates with a sequence s that is matched with \(s_{\mathsf {out}}(\mathbf {x})\). \(\blacksquare \)
The correctness of protocols in a committed format is defined as follows:
Definition 7
(Correctness in a committed format) Let \(\overline{\mathcal{D}}= ({\mathcal {C}}, {\mathcal {T}}, \varSigma , \mathsf {vis}, {\mathcal {D}})\) and \(\overline{\mathcal{D}}' = ({\mathcal {C}}, {\mathcal {T}}, \varSigma , \mathsf {vis}, {\mathcal {D}}')\) be decks such that \({\mathcal {D}}\) contains n copies of \({\mathcal {D}}'\) as a multiset. (\({\mathcal {C}}, {\mathcal {T}}, \varSigma \), and \(\mathsf {vis}\) are common.) Let \({\mathcal {P}}= (n, X, \overline{\mathcal{D}}, {\mathcal {O}}, A)\) be a protocol. Let \({\mathcal {F}}= (s_{\mathsf {in}}, s_{\mathsf {out}})\) be a functionality. Let \(f: X^n \rightarrow X\) be a function. Let \(\mathsf {com}: X \rightarrow \mathsf {Seq}^{\overline{\mathcal{D}}'}\) be a function that takes an input and returns a sequence. We say that \({\mathcal {P}}\) correctly computes f if it satisfies the following:

\({\mathcal {P}}\) correctly realizes \({\mathcal {F}}\);

\(s_{\mathsf {in}} = (\mathsf {com}(x_1), \mathsf {com}(x_2), \ldots , \mathsf {com}(x_n), s)\) where s is a (possibly empty) fixed sequence;

\(s_{\mathsf {out}}\) contains \(\mathsf {com}(f(x_1, x_2, \ldots , x_n))\). \(\blacksquare \)
Security
The probability distribution of a view Let \({\mathcal {P}}= (n, X, \overline{\mathcal{D}}, {\mathcal {O}}, A)\) be a protocol. Let \(s_0 \in \mathsf {Seq}^{\overline{\mathcal{D}}}\) be a sequence and let \(x \in X^n\) be an input. The probability distribution of a view of \({\mathcal {P}}\) with input x and starting with sequence \(s_0\) is denoted by \(\mathsf {view}_{{\mathcal {P}}}(s_0)\), where randomness comes from probabilistic operations (e.g., shuffles).
Security The security of protocols is defined as follows:
Definition 8
(Security) Let \({\mathcal {P}}= (n, X, \overline{\mathcal{D}}, {\mathcal {O}}, A)\) be a protocol. Let \({\mathcal {F}}= (s_{\mathsf {in}}, s_{\mathsf {out}})\) be a functionality. We say that \({\mathcal {P}}\) securely realizes \({\mathcal {F}}\) if for every \(x, x' \in X^n\), it holds \(\mathsf {view}_{{\mathcal {P}}}(s_{\mathsf {in}}(x)) = \mathsf {view}_{{\mathcal {P}}}(s_{\mathsf {in}}(x'))\). \(\blacksquare \)
Example 8
Let us prove that the protocol given in Example 5 securely realizes the functionality \({\mathcal {F}}_\mathrm{AND} = (s_{\mathsf {in}}, s_{\mathsf {out}})\) defined as follows:
Let \(x \in \{0,1\}^2\) be any input. The probability distribution of a view of the protocol starting with the sequence \(s_{\mathsf {in}}(x) = (\mathsf {com}(x_1), \mathsf {com}(x_2), \mathsf {com}(1))\) is given as follows:
where \(v = (\varvec{?}^6, \bot ) \rightarrow (\varvec{?}^6, \bot ) \rightarrow (\varvec{?}^6, \bot ) \rightarrow (\varvec{?}^6, \bot )\). Due to the random bisection cut, the above probability distribution \(\mathsf {view}(s_{\mathsf {in}}(x))\) is the same for any \(x \in \{0,1\}^2\). Therefore, it securely realizes the functionality. \(\blacksquare \)
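Definition 8 and the argument of Example 8 can be checked by exhaustive enumeration. The following Python code is an added example, not code from the paper: it executes the operations listed by the action function of Example 5 on binary cards, computes the exact view distribution for every input, and repeats the check with the shuffle replaced by the identity, in which case the opened pair equals \(\mathsf {com}(x_1)\) and the views differ. The two-card encoding in `com` and all function names are assumptions, since the card images are missing from this page.

```python
from collections import defaultdict
from fractions import Fraction

CLUB, HEART, BACK = "♣", "♥", "?"

def com(b):
    # ASSUMED encoding (the page's card images are missing): 0 -> ♣♥, 1 -> ♥♣.
    faces = (CLUB, HEART) if b == 0 else (HEART, CLUB)
    return tuple((BACK, f) for f in faces)   # card X/Y stored as (visible, hidden)

def vis(seq):
    """Visible sequence: apply the vision function vis(X/Y) = X to each card."""
    return tuple(card[0] for card in seq)

def perm(seq, cycles):
    """(perm, pi): the card in position i moves to position pi(i) (1-indexed)."""
    pi = {i: i for i in range(1, len(seq) + 1)}
    for cyc in cycles:
        for a, b in zip(cyc, cyc[1:] + cyc[:1]):
            pi[a] = b
    out = [None] * len(seq)
    for i, card in enumerate(seq, start=1):
        out[pi[i] - 1] = card
    return tuple(out)

def turn(seq, positions):
    """(turn, T): swap visible and hidden side of every card at a position in T."""
    return tuple((c[1], c[0]) if i in positions else c
                 for i, c in enumerate(seq, start=1))

def deterministic(f):
    """Wrap a deterministic conversion as a one-point distribution."""
    return lambda s: [(Fraction(1), f(s))]

def bisection_cut(s):
    # (shuffle, Pi, D) with Pi = {id, (1 4)(2 5)(3 6)} and D uniform.
    return [(Fraction(1, 2), perm(s, c)) for c in ([], [(1, 4), (2, 5), (3, 6)])]

def view_distribution(x1, x2, use_shuffle=True):
    """Exact distribution of views for s_in(x) = (com(x1), com(x2), com(1))."""
    ops = [
        deterministic(lambda s: perm(s, [(2, 4, 3)])),
        bisection_cut if use_shuffle else deterministic(lambda s: s),
        deterministic(lambda s: perm(s, [(2, 3, 4)])),      # (2 4 3)^{-1}
        deterministic(lambda s: turn(s, {1, 2})),
    ]
    s0 = com(x1) + com(x2) + com(1)
    # Every operation here is a conversion, so r is always ⊥ and is omitted.
    branches = [(Fraction(1), s0, (vis(s0),))]
    for op in ops:
        branches = [(p * q, t, v + (vis(t),))
                    for p, s, v in branches for q, t in op(s)]
    dist = defaultdict(Fraction)
    for p, s, v in branches:
        if v[-1][:2] == (HEART, CLUB):   # only the view v_4 triggers the last perm
            s = perm(s, [(1, 2), (3, 5), (4, 6)])
            v = v + (vis(s),)
        dist[v] += p
    return dict(dist)

def securely_realizes(use_shuffle=True):
    """Definition 8: the view distribution is the same for every input."""
    dists = [view_distribution(a, b, use_shuffle) for a in (0, 1) for b in (0, 1)]
    return all(d == dists[0] for d in dists)

if __name__ == "__main__":
    for v, p in view_distribution(1, 0).items():
        print(p, " -> ".join("".join(step) for step in v))
    print("secure with random bisection cut:", securely_realizes(True))
    print("secure with the shuffle removed: ", securely_realizes(False))
```

With the shuffle in place each input yields the same two views, each with probability 1/2; with it removed the view is determined by \(x_1\) alone.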
Composition of Protocols
Subroutine operation Let \({\mathcal {P}}= (n, X, \overline{\mathcal{D}}, {\mathcal {O}}, A)\) be a protocol. A subroutine of \({\mathcal {P}}\) is a “magical box” that executes the protocol \({\mathcal {P}}\) in a single step: it takes a sequence \(s_0 \in \mathsf {Seq}^{\overline{\mathcal{D}}}\) as an input and outputs a final sequence of \({\mathcal {P}}\) when the initial sequence is \(s_0\) as follows:
Formally, a subroutine operation for a protocol \({\mathcal {P}}\) is defined as follows:
where \(T\subset [\ell ]\) is a subset of positions such that \(|T|\) is the number of cards of \({\mathcal {P}}\). (We assume that the number of cards of \({\mathcal {P}}\) is equal to or less than \(\ell \).) The set of subroutine operations with \({\mathcal {P}}\) is denoted as follows:
For protocols \({\mathcal {P}}_1, {\mathcal {P}}_2, \ldots , {\mathcal {P}}_k\), we define the set of subroutine operations as follows:
We define a subroutine-respecting protocol as follows:
Definition 9
(Subroutine-respecting protocol) Let \({\mathcal {F}}_\mathrm{sub} = (s_{\mathsf {in}}, s_{\mathsf {out}})\) be a functionality using \(\ell _\mathrm{sub}\) cards. Let \({\mathcal {P}}_\mathrm{sub} = (n_\mathrm{sub}, X_\mathrm{sub}, \overline{\mathcal{D}}_\mathrm{sub}, {\mathcal {O}}_\mathrm{sub}, A_\mathrm{sub})\) be a protocol using \(\ell _\mathrm{sub}\) cards. Let \({\mathcal {P}}= (n, X, \overline{\mathcal{D}}, {\mathcal {O}}, A)\) be a protocol using \(\ell \) cards (\(\ell \ge \ell _\mathrm{sub}\)). We say that \({\mathcal {P}}\) is subroutine-respecting for \({\mathcal {P}}_\mathrm{sub}\) and \({\mathcal {F}}_\mathrm{sub}\) if it satisfies the following:

\(\mathsf {Subroutine}_{\ell }[{\mathcal {P}}_\mathrm{sub}] \subset {\mathcal {O}}\);

For any input \(x \in \{0,1\}^n\), whenever \({\mathcal {P}}\) enters an operation \((\mathsf {subroutine}, {\mathcal {P}}_\mathrm{sub}, T)\), the cards on positions T in the current sequence are identical to \(s_{\mathsf {in}}(x')\) for some input \(x' \in X_\mathrm{sub}\). Here, the input \(x'\) for \({\mathcal {P}}_\mathrm{sub}\) can be varied for each call of the subroutine for \({\mathcal {P}}_\mathrm{sub}\). \(\blacksquare \)
Example 9
Let \({\mathcal {P}}_\mathrm{AND2}\) be a two-bit AND protocol defined as follows:
that correctly and securely realizes a functionality \({\mathcal {F}}_\mathrm{AND2}\) as follows:
This is obtained from Mizuki and Sone’s AND protocol in Example 5 with a small modification. By using the subroutine of \({\mathcal {P}}_\mathrm{AND2}\), we construct an eight-card three-bit AND protocol \({\mathcal {P}}_\mathrm{AND3}\) defined as follows:
that realizes a functionality \({\mathcal {F}}_\mathrm{AND3} = (s_{\mathsf {in}}, s_{\mathsf {out}})\) as follows:
It proceeds as follows:

1. \((\mathsf {subroutine}, {\mathcal {P}}_\mathrm{AND2}, \{1,2,3,4,7,8\})\): Apply the two-bit AND protocol for cards on \(\{1,2,3,4,7,8\}\) as follows:

2. \((\mathsf {subroutine}, {\mathcal {P}}_\mathrm{AND2}, \{3,4,5,6,7,8\})\): Apply the two-bit AND protocol for cards on \(\{3,4,5,6,7,8\}\) as follows:
We can observe that the protocol \({\mathcal {P}}_\mathrm{AND3}\) is subroutine-respecting for \({\mathcal {P}}_\mathrm{AND2}\) and \({\mathcal {F}}_\mathrm{AND2}\): the first condition in Definition 9 is satisfied since the operation set of \({\mathcal {P}}_\mathrm{AND3}\) is \(\mathsf {Subroutine}_{8}[{\mathcal {P}}_\mathrm{AND2}]\); and the second condition in Definition 9 is satisfied since for each call of the subroutine \({\mathcal {P}}_\mathrm{AND2}\), the cards on positions T in the sequence are identical to \(s_{\mathsf {in}}(x')\) for some \(x' \in \{0,1\}^2\). \(\blacksquare \)
Proposition 1
(Composition theorem) Let \({\mathcal {P}}_i = (n_i, X_i, \overline{\mathcal{D}}_i, {\mathcal {O}}_i, A_i)\) (\(i \in [k]\)) be a protocol that correctly and securely realizes a functionality \({\mathcal {F}}_i\). Let \({\mathcal {P}}= (n, X, \overline{\mathcal{D}}, {\mathcal {O}}\cup \mathsf {Subroutine}_{\ell }[{\mathcal {P}}_1, {\mathcal {P}}_2, \ldots , {\mathcal {P}}_k], A)\) be a protocol that is subroutine-respecting for \({\mathcal {P}}_i\) and \({\mathcal {F}}_i\), and \({\mathcal {O}}\) is upward compatible with \({\mathcal {O}}_i\) for every \(i \in [k]\). If \({\mathcal {P}}\) correctly and securely realizes a functionality \({\mathcal {F}}\), then there exists a protocol \({\mathcal {P}}' = (n, X, \overline{\mathcal{D}}, {\mathcal {O}}, A)\) that correctly and securely realizes \({\mathcal {F}}\). \(\blacksquare \)
Proof
The protocol \({\mathcal {P}}'\) is obtained from the protocol \({\mathcal {P}}\) by replacing all subroutine calls of \({\mathcal {P}}_i\) with the protocols \({\mathcal {P}}_i\) for all \(i \in [k]\). We can observe that the final sequence of \({\mathcal {P}}\) and that of \({\mathcal {P}}'\) are the same since \({\mathcal {P}}\) is subroutine-respecting. Thus, \({\mathcal {P}}'\) correctly realizes \({\mathcal {F}}\). We can also observe that a view of \({\mathcal {P}}'\) is obtained from a view of \({\mathcal {P}}\) by replacing all subroutine calls of \({\mathcal {P}}_i\) with a view of \({\mathcal {P}}_i\) for all \(i \in [k]\). Since \({\mathcal {P}}\) and \({\mathcal {P}}_i\) securely realize \({\mathcal {F}}\) and \({\mathcal {F}}_i\), respectively, for all \(i \in [k]\), \({\mathcal {P}}'\) also securely realizes \({\mathcal {F}}\). \(\blacksquare \)
Dihedral Cards
Dihedral Cards
Let \(m \ge 2\) be any integer. A dihedral card of modulus m is a card with the following properties:

It holds a nonbinary value \(x \in {\mathbb {Z}}_{2m}\);

A transformation from x to \(x+c\) (for any constant \(c \in {\mathbb {Z}}_{2m}\)) is allowed;

A transformation from x to \(-x+c\) (for any constant \(c \in {\mathbb {Z}}_{2m}\)) is allowed;

For a card holding x, it is possible to observe whether \(x \ge m\) only;

For a card holding x, it is possible to observe \(x \bmod m\) only.
Thus, the shape of dihedral cards of modulus m is a regular 2msided polygon. For example, a dihedral card of modulus 4 is implemented as follows:
Four vertices among eight vertices have blue dots and an arrow is written on the center. The front side and the back side are the same pattern satisfying that any vertex having a blue dot in the front side also has a dot in the back side. Here, all blue circles and arrows are drawn in invisible ink in order to hide the value of a card. Since it is a hexagon, it can hold a value \(x \in {\mathbb {Z}}_8\) as follows:
The first transformation from x to \(x+c\) is done by a rotation of \((360{c}/2m)^{\circ }\) as in the case of cyclic cards. A nontrivial property is that the second transformation, from x to \(-x+c\), is also allowed. This is done by a flipping. Say \(c=0\). A transformation from x to \(-x\) is done by a flipping with a vertical line as follows:
For \(m = 4\), each axis of line symmetry corresponds to some \(c \in {\mathbb {Z}}_8\) as follows:
Indeed, a transformation from x to \(-x+7\) is done by a flipping as follows:
For a general modulus m, an axis of line symmetry rotated by \((180{c}/2m)^{\circ }\) from the vertical line corresponds to \(c \in {\mathbb {Z}}_{2m}\). Finally, we need to open a bit \({\mathsf {p}}(x \ge m)\) and a value \(x \bmod m\). Here, \({\mathsf {p}}(\text {statement})\) is a predicate that outputs 1 if the statement is true and 0 if it is false. Thanks to the property of invisible ink, this is done by illuminating a black light with a cover. For a card holding x, it is possible to observe \({\mathsf {p}}(x \ge m)\) only as follows:
In the above case, since the vertex has a blue dot, the predicate \({\mathsf {p}}(x \ge m)\) is 0. (We can observe that for a card holding x, the vertex has a blue dot if and only if \(x < 4\).) Similarly, it is possible to observe the value \(x \bmod m\) only as follows:
In the above case, since the card holds either 1 or 5, the value \(x \bmod m\) is 1. For \(x \in {\mathbb {Z}}_{2m}\), \({\mathsf {p}}(x \ge m)\) is called a sign of x and \(x \bmod m\) is called a value of x.
A card specification of dihedral cards For \(x \in {\mathbb {Z}}_{2m}\), we denote a card holding x by \([\![x]\!]\). The card set of dihedral cards of modulus m, denoted by \({\mathcal {C}}^\mathsf{d}_m\), is defined as follows:
Let \([\![x]\!] \in {\mathcal {C}}^\mathsf{d}_m\) be a card holding a value \(x \in {\mathbb {Z}}_{2m}\). For any constant \(a \in {\mathbb {Z}}_{2m}\), a rotation operation with a degree a is defined as follows:
For any constant \(a \in {\mathbb {Z}}_{2m}\), a flipping operation with an axis a is defined as follows:
The transformation set of dihedral cards of modulus m, denoted by \({\mathcal {T}}^\mathsf{d}_m\), is defined as follows:
The symbol set of dihedral cards of modulus m, denoted by \(\varSigma ^\mathsf{d}_m\), is defined as follows:
The vision function \(\mathsf {vis}^\mathsf{d}_m: {\mathcal {C}}^\mathsf{d}_m \rightarrow \varSigma ^\mathsf{d}_m\) of dihedral cards of modulus m is defined as follows:
A card specification of dihedral cards of modulus m, denoted by \(\mathsf {Dihedral}_m\), is defined as follows:
Commitment A commitment to \(x \in {\mathbb {Z}}_{2m}\) is defined by \([\![x]\!]\).
Operations for Dihedral Cards
For dihedral cards, we introduce eight operations: permutation, rotation, rotation shuffle, flipping, flipping shuffle, two-sided rotation shuffle, sign opening, and value opening.
Permutation This operation is the same as permutation for binary cards in Sect. 2.2. For modulus m, the set of permutations \(\mathsf {Perm}_{m,\ell }\) for sequences of \(\ell \) dihedral cards with modulus m is defined as follows:
Rotation For \(T \subset [\ell ]\) and \(a \in {\mathbb {Z}}_m\), a rotation operation is defined as follows:
For a sequence \(s = (c_1, c_2, \ldots , c_{\ell }) \in \mathsf {Seq}^{\overline{\mathcal{D}}}\), by applying a rotation operation \((\mathsf {rot}, T, a)\), it is transformed into a new sequence \(s' = (c'_1, c'_2, \ldots , c'_{\ell }) \in \mathsf {Seq}^{\overline{\mathcal{D}}}\) such that \(c'_i = \mathsf {rot}^a(c_i)\) for all \(i \in T\) and \(c'_i = c_i\) for all \(i \not \in T\). For example, for a sequence \(s = (\underline{0}, \underline{1}, [\![2]\!], [\![3]\!])\) with modulus \(m=4\), a rotation operation \((\mathsf {rot}, \{1,2,4\}, 1)\) transforms it into a new sequence \(s' = (\underline{1}, \underline{2}, [\![2]\!], [\![2]\!])\) as follows:
The set of rotations \(\mathsf {Rot}_{m,\ell }\) is defined as follows:
Rotation shuffle For \(T \subset [\ell ]\), a rotation shuffle is defined as follows:
For all \(i \in T\), the i-th card in the sequence is rotated with a degree \(r \in {\mathbb {Z}}_m\), here r is uniformly and randomly chosen from \({\mathbb {Z}}_m\) and this r is common for all \(i \in T\). The other cards are unchanged. For example, for a sequence \(([\![x_1]\!], [\![x_2]\!], [\![x_3]\!], [\![x_4]\!])\) with modulus \(m=4\), a rotation shuffle \((\mathsf {rotshuf}, \{1,2,3\})\) generates a sequence \(([\![x_1 - r]\!], [\![x_2 - r]\!], [\![x_3 - r]\!], [\![x_4]\!])\) for a random \(r \in {\mathbb {Z}}/4{\mathbb {Z}}\) as follows:
The set of rotation shuffles is defined as follows:
Flipping A flipping operation is defined as follows:
where \(a \in {\mathbb {Z}}_{2m}\) is an axis of flipping and \(T \subset [\ell ]\) is a subset of positions. By applying a flipping operation \((\mathsf {flip}, a, T)\), a sequence is converted as follows:
where \(x'_i = -x_i + a\) for all \(i \in T\) and \(x'_i = x_i\) for all \(i \not \in T\). For example, for a sequence \(([\![0]\!], [\![2]\!], [\![5]\!], [\![7]\!])\) of modulus \(m=4\), a flipping operation \((\mathsf {flip}, 0, \{1,2,3,4\})\) converts it into a new sequence \(([\![0]\!], [\![6]\!], [\![3]\!], [\![1]\!])\). The set of flipping operations \(\mathsf {Flip}_{m,\ell }\) is defined as follows:
Flipping shuffle A flipping shuffle is defined as follows:
where \(k \in [\ell ]\) is the number of axes, \(a_1, a_2, \ldots , a_k \in {\mathbb {Z}}_{2m}\) are axes of flipping and \(T_1, T_2, \ldots , T_k \subset [\ell ]\) are disjoint subsets of positions. For all \(1 \le i \le k\), all cards on \(T_i\) are flipped (by \(\mathsf {flip}_{a_i}\)) randomly and simultaneously. Here, the random bit designating whether flipped or not is common for all i. The other cards are unchanged. For example, for a sequence \(([\![0]\!], [\![2]\!], [\![5]\!], [\![7]\!])\) of modulus \(m=4\), a flipping shuffle \((\mathsf {flipshuf}, (0,1), \{1,2\}, \{3,4\})\) generates a new sequence:
A flipping shuffle is implemented by using two wooden boards as follows:
The set of flipping shuffles is defined as follows:
Two-sided rotation shuffle A two-sided rotation shuffle is defined by:
where \(T \subset [\ell ]\) is a subset of positions. By applying a two-sided rotation shuffle \((\mathsf {twoshuf}, T)\), a sequence is converted as follows:
where \(x'_i = x_i + rm\) for a random bit \(r \in \{0,1\}\) if \(i \in T\) and \(x'_i = x_i\) otherwise. Note that the random bit r is common for all \(i \in T\). For example, for a sequence \(([\![0]\!], [\![2]\!], [\![5]\!], [\![7]\!])\) of modulus \(m=4\), a two-sided rotation shuffle \((\mathsf {twoshuf}, \{1,2,3,4\})\) generates a new sequence as follows:
A two-sided rotation shuffle is implemented by using two clips as follows:
The set of two-sided rotation shuffles is defined as follows:
Sign opening A sign opening is defined as follows:
where \(i \in [\ell ]\) is a position. For a sequence \(([\![x_1]\!], [\![x_2]\!], \ldots , [\![x_{\ell }]\!])\), it publicly reveals a bit value \({\mathsf {p}}(x_i \ge m) \in \{0,1\}\). It is treated as revealed information. That is, it outputs revealed information \(r = {\mathsf {p}}(x_i \ge m)\) without changing the sequence. For example, for a sequence \(([\![0]\!], [\![2]\!], [\![5]\!], [\![7]\!])\) of modulus \(m=4\), a sign opening \((\mathsf {sgnopen}, 3)\) outputs the sign of the third card “1” (\({\mathsf {p}}(5 \ge 4)\)) as revealed information. The set of sign openings is defined as follows:
Value opening A value opening is defined as follows:
where \(i \in [\ell ]\) is a position. For a sequence \(([\![x_1]\!], [\![x_2]\!], \ldots , [\![x_{\ell }]\!])\), it publicly reveals a value \(x_i \bmod m \in {\mathbb {Z}}_m\). It is treated as revealed information. That is, it outputs revealed information \(r = (x_i \bmod m)\) without changing the sequence. For example, for a sequence \(([\![0]\!], [\![2]\!], [\![5]\!], [\![7]\!])\) of modulus \(m=4\), a value opening \((\mathsf {valopen}, 4)\) outputs the value of the fourth card “3” (\(=7 \bmod 4\)) as revealed information. The set of value openings is defined as follows:
Full opening A full opening is defined as follows:
where \(i \in [\ell ]\) is a position. For a sequence \(([\![x_1]\!], [\![x_2]\!], \ldots , [\![x_{\ell }]\!])\), it publicly reveals a value \(x_i \in {\mathbb {Z}}_{2m}\). It is treated as revealed information. Note that it is equivalent to applying a sign opening and a value opening successively. Thus, the full opening can be viewed as syntactic sugar for applying a sign opening and a value opening successively.
Notations
Hereafter, we use notations as follows.
Operations We assume that the set of operations is \({\mathcal {O}}^\mathsf{d}_{m,\ell }\) defined as follows:
Protocols with Dihedral Cards
Initialization Protocol
Functionality A functionality \({\mathcal {F}}^\mathrm{d}_\mathrm{init}\) is defined as follows:
where \(x \in {\mathbb {Z}}_{2m}\).
Protocol An initialization protocol \({\mathcal {P}}^\mathrm{d}_\mathrm{init}\) is defined as follows:
It proceeds as follows:

1.
\((\mathsf {rotshuf}, \{1\})\): Apply a rotation shuffle to it:
$$\begin{aligned}{}[\![x]\!] ~\rightarrow ~ [\![x']\!]. \end{aligned}$$ 
2.
\((\mathsf {open}, 1)\): Apply a full opening operation to it. Let \(x' \in {\mathbb {Z}}_{2m}\) be the opened value, which is treated as revealed information.
$$\begin{aligned} \hbox { revealed information}\ x'. \end{aligned}$$ 
3.
\((\mathsf {rot}, \{1\}, -x')\): Rotate it with a degree \(-x'\) as follows:
$$\begin{aligned}{}[\![x']\!] ~\rightarrow ~ [\![0]\!] \end{aligned}$$
The protocol terminates.
Correctness The correctness is trivial.
Security Let \(x \in {\mathbb {Z}}_{2m}\) be any input. The probability distribution of a view of the protocol starting with the sequence \(s_{\mathsf {in}}(x) = [\![x]\!]\) is given as follows:
where \(x' = x + r\) for a uniform random value \(r \in {\mathbb {Z}}_{2m}\). This is equivalent to a probability distribution \(\mathsf {view}^*\) defined as follows:
where \(r' \in {\mathbb {Z}}_{2m}\) is a uniform random value. The distribution \(\mathsf {view}^*\) does not depend on x. Thus, for every \(x, x' \in {\mathbb {Z}}_{2m}\), the following holds:
Therefore, \({\mathcal {P}}^\mathrm{d}_\mathrm{init}\) securely realizes \({\mathcal {F}}^\mathrm{d}_\mathrm{init}\).
Efficiency The number of cards is one. Note that this is the minimum number of cards. The number of probabilistic operations is one (one rotation shuffle).
Addition Protocol
Functionality A functionality \({\mathcal {F}}^\mathrm{d}_\mathrm{add}\) is defined as follows:
where \(x_1, x_2 \in {\mathbb {Z}}_{2m}\).
Protocol An addition protocol \({\mathcal {P}}^\mathrm{d}_\mathrm{add}\) is defined as follows:
It proceeds as follows:

1.
\((\mathsf {flip}, 0, \{1\})\): Flip the left card along the 0-axis as follows:
$$\begin{aligned} ([\![x_1]\!], [\![x_2]\!]) ~\rightarrow ~ ([\![-x_1]\!], [\![x_2]\!]). \end{aligned}$$
2.
\((\mathsf {rotshuf}, \{1,2\})\): Apply a rotation shuffle to them:
$$\begin{aligned} ([\![-x_1]\!], [\![x_2]\!]) ~\rightarrow ~ ([\![x'_1]\!], [\![x'_2]\!]). \end{aligned}$$
3.
\((\mathsf {open}, 1)\): Apply a full opening operation to the left card. Let \(x'_1 \in {\mathbb {Z}}_{2m}\) be the opened value, which is treated as revealed information.
$$\begin{aligned} \hbox { revealed information}\ x'_1. \end{aligned}$$ 
4.
\((\mathsf {rot}, \{1,2\}, {-x'_1})\): Rotate them so that they are added by \({-x'_1}\):
$$\begin{aligned} ([\![x'_1]\!], [\![x'_2]\!]) ~\rightarrow ~ ([\![{0}]\!], [\![x'_2 - {x'_1}]\!]) \end{aligned}$$
Correctness By the rotation shuffle, \(x'_1 = -x_1 + r\) and \(x'_2 = x_2 + r\) for a uniform random value \(r \in {\mathbb {Z}}_{2m}\). The right card in the final sequence is \([\![x'_2 - x'_1]\!] = [\![(x_2 + r) - (-x_1 + r)]\!] = [\![x_1 + x_2]\!]\). Therefore, the above protocol \({\mathcal {P}}^\mathrm{d}_\mathrm{add}\) correctly realizes the functionality \({\mathcal {F}}^\mathrm{d}_\mathrm{add}\).
Security Let \(x = (x_1, x_2) \in ({\mathbb {Z}}_{2m})^2\) be any input. The probability distribution of a view of the protocol starting with the sequence \(s_{\mathsf {in}}(x) = ([\![x_1]\!], [\![x_2]\!])\) is given as follows:
Since \(x'_1 = -x_1 + r\) for a uniform random value \(r \in {\mathbb {Z}}_{2m}\) is distributed uniformly randomly, the above distribution is equivalent to a probability distribution \(\mathsf {view}^*\) defined as follows:
where \(r' \in {\mathbb {Z}}_{2m}\) is a uniform random value. The distribution \(\mathsf {view}^*\) does not depend on x. Thus, for every \(x, x' \in {\mathbb {Z}}_{2m}\), the following holds:
Therefore, \({\mathcal {P}}^\mathrm{d}_\mathrm{add}\) securely realizes \({\mathcal {F}}^\mathrm{d}_\mathrm{add}\).
Efficiency The number of cards is two. Note that this is the minimum number of cards since the number of inputs is two. The number of probabilistic operations is one (one rotation shuffle).
Sign Normalization Protocol
Functionality A functionality \({\mathcal {F}}^\mathrm{d}_\mathrm{sign}\) is defined as follows:
where \(x \in {\mathbb {Z}}_{2m}\).
Protocol A protocol \({\mathcal {P}}^\mathrm{d}_\mathrm{sign}\) is defined as follows:
It proceeds as follows:

1.
\((\mathsf {twoshuf}, \{1\})\): Apply a two-sided rotation shuffle to the input card as follows:
$$\begin{aligned}{}[\![x]\!] \rightarrow [\![x']\!], \end{aligned}$$
where \(x' = x + rm\) for a uniform random bit \(r \in \{0,1\}\).

2.
\((\mathsf {sgnopen}, 1)\): Apply the sign opening to the card. Let \(s' \in \{0,1\}\) be the sign of the card, which is treated as revealed information.
$$\begin{aligned}{}[\![x']\!] \rightarrow [\![x']\!],~~~\hbox { revealed information}\ s'. \end{aligned}$$ 
3.
\((\mathsf {rot}, \{1\}, s'm)\): Rotate the card with a degree \(s'm\):
$$\begin{aligned}{}[\![x']\!] \rightarrow [\![x'+s'm]\!]. \end{aligned}$$
Correctness Let \(x = v + sm\) for \(v \in {\mathbb {Z}}_m\) and \(s \in \{0,1\}\). Due to the property of a two-sided rotation shuffle, \(x'\) is represented by \(x' = v + (s \oplus r)m\) and \(s'\) is represented by \(s' = s\oplus r\). Thus, the card in the final sequence is \([\![x'+s'm]\!] = [\![v + (s \oplus r)m + s'm]\!] = [\![v + (s \oplus r)m + (s \oplus r)m]\!] = [\![v]\!]\). (Note that every computation is done over \({\mathbb {Z}}_{2m}\).) Therefore, the above protocol \({\mathcal {P}}^\mathrm{d}_\mathrm{sign}\) correctly realizes the functionality \({\mathcal {F}}^\mathrm{d}_\mathrm{sign}\).
Security Let \(x = v + sm \in {\mathbb {Z}}_{2m}\) (\(v \in {\mathbb {Z}}_m\) and \(s \in \{0,1\}\)) be any input. The probability distribution of a view of the protocol starting with the sequence \(s_{\mathsf {in}}(x) = [\![x]\!]\) is given as follows:
where \(s' = s\oplus r \in \{0,1\}\) for a uniform random bit r. It is equivalent to a probability distribution \(\mathsf {view}^*\) defined as follows:
where \(r' \in \{0,1\}\) is a uniform random value. Thus, for every \(x, x' \in {\mathbb {Z}}_{2m}\), the following holds:
Therefore, \({\mathcal {P}}^\mathrm{d}_\mathrm{sign}\) securely realizes \({\mathcal {F}}^\mathrm{d}_\mathrm{sign}\).
Efficiency The number of cards is one. Note that this is the minimum number of cards. The number of probabilistic operations is one (one two-sided rotation shuffle).
Sign-to-Value Protocol
Functionality A functionality \({\mathcal {F}}^\mathrm{d}_\mathrm{sv}\) is defined as follows:
where \(x \in {\mathbb {Z}}_{2m}\).
Protocol A protocol \({\mathcal {P}}^\mathrm{d}_\mathrm{sv}\) is defined as follows:
It proceeds as follows:

1.
\((\mathsf {twoshuf}, \{1\})\): Apply a two-sided rotation shuffle to the input card as follows:
$$\begin{aligned} ([\![x]\!],[\![0]\!]) ~\rightarrow ~ ([\![x+r_1m]\!],[\![r_1m]\!]), \end{aligned}$$
where \(r_1 \in \{0,1\}\) is a uniform random bit.

2.
\((\mathsf {sgnopen}, 1)\): Apply the sign opening to the left card. Let \(s_1 \in \{0,1\}\) be the sign of the left card, which is treated as revealed information. (We can observe that \(s_1 = {\mathsf {p}}(x \ge m) \oplus r_1\).)

3.
\((\mathsf {rot}, \{2\}, s_1m)\): Rotate the right card with a degree \(s_1m\):
$$\begin{aligned} ([\![x+r_1m]\!],[\![r_1m]\!]) ~\rightarrow ~ ([\![x+r_1m]\!],[\![(r_1\oplus s_1)m]\!]). \end{aligned}$$ 
4.
\((\mathsf {subroutine}, {\mathcal {P}}^\mathrm{d}_{\mathsf {init}}, \{1\})\): Apply the initialization protocol \({\mathcal {P}}^\mathrm{d}_{\mathsf {init}}\) as follows:
$$\begin{aligned} ([\![x+r_1m]\!],[\![(r_1\oplus s_1)m]\!]) ~\rightarrow ~ ([\![0]\!],[\![(r_1\oplus s_1)m]\!]). \end{aligned}$$ 
5.
\((\mathsf {flipshuf}, (\mathsf {flip}_{1}, \mathsf {flip}_m), (1,2))\): Apply a flipping shuffle as follows:
$$\begin{aligned} ([\![0]\!],[\![(r_1\oplus s_1)m]\!]) ~\rightarrow ~ ([\![r_2]\!],[\![(r_1\oplus s_1\oplus r_2)m]\!]), \end{aligned}$$
where \(r_2 \in \{0,1\}\) is a uniform random bit.

6.
\((\mathsf {sgnopen}, 2)\): Apply the sign opening to the right card. Let \(s_2 \in \{0,1\}\) be the sign of the right card, which is treated as revealed information. (We can observe that \(s_2 = r_1\oplus s_1\oplus r_2\).) If \(s_2 = 0\), the protocol terminates.

7.
\((\mathsf {rot}, \{2\}, m)\): If \(s_2 = 1\), rotate the right card with a degree m:
$$\begin{aligned} ([\![r_2]\!],[\![m]\!]) ~\rightarrow ~ ([\![r_2]\!],[\![0]\!]). \end{aligned}$$ 
8.
\((\mathsf {flip}, 1, \{1\})\): If \(s_2 = 1\), apply a flipping with an axis 1 as follows:
$$\begin{aligned} ([\![r_2]\!],[\![0]\!]) ~\rightarrow ~ ([\![-r_2+1]\!],[\![0]\!]). \end{aligned}$$
The protocol terminates.
Correctness If \(s_2 = 0\) at Step 6, the protocol terminates. In this case, the left card in the final sequence is given as follows:
If \(s_2 = 1\) at Step 6, the protocol proceeds to Step 8. In this case, the left card in the final sequence is given as follows:
Therefore, the above protocol \({\mathcal {P}}^\mathrm{d}_\mathrm{sv}\) correctly realizes the functionality \({\mathcal {F}}^\mathrm{d}_\mathrm{sv}\).
Security Let \(x = v + sm \in {\mathbb {Z}}_{2m}\) (\(v \in {\mathbb {Z}}_m\) and \(s \in \{0,1\}\)) be any input. The probability distribution of a view of the protocol starting with the sequence \(s_{\mathsf {in}}(x) = ([\![x]\!], [\![0]\!])\) is given as follows:
where \(s_1 = {\mathsf {p}}(x \ge m)\oplus r_1 \in \{0,1\}\) for a uniform random bit \(r_1\), \(s_2 = r_1\oplus s_1 \oplus r_2 \in \{0,1\}\) for a uniform random bit \(r_2\), and the last two components “\(\rightarrow (\varvec{?}^2, \bot ) \rightarrow (\varvec{?}^2, \bot )\)” appear only when \(s_2 = 0\). It is equivalent to a probability distribution \(\mathsf {view}^*\) defined as follows:
where \(r'_1, r'_2 \in \{0,1\}\) are uniform random bits and the last two components appear only when \(r'_2 = 0\). Thus, for every \(x, x' \in {\mathbb {Z}}_{2m}\), the following holds:
Therefore, \({\mathcal {P}}^\mathrm{d}_\mathrm{sv}\) securely realizes \({\mathcal {F}}^\mathrm{d}_\mathrm{sv}\).
Efficiency The number of cards is two. The number of subroutine calls is one (one call of the initialization protocol). From Proposition 1, a sign-to-value protocol without subroutines can be obtained. The number of probabilistic operations is three (one rotation shuffle, one two-sided rotation shuffle, and one flipping shuffle).
Carry Protocol
Functionality A functionality \({\mathcal {F}}^\mathrm{d}_\mathrm{carry}\) is defined as follows:
where \(x_1, x_2 \in {\mathbb {Z}}_m\).
Protocol A protocol \({\mathcal {P}}^\mathrm{d}_\mathrm{carry}\) is defined as follows:
It proceeds as follows:

1.
\((\mathsf {subroutine}, {\mathcal {P}}^\mathrm{d}_\mathrm{add}, \{1, 2\})\): Apply the addition protocol in Sect. 4.2 to the sequence as follows:
$$\begin{aligned} ([\![x_1]\!], [\![x_2]\!]) ~\rightarrow ~ ([\![x_1+x_2]\!], [\![0]\!]). \end{aligned}$$ 
2.
\((\mathsf {subroutine}, {\mathcal {P}}^\mathrm{d}_\mathrm{sv}, \{1\})\): Apply the sign-to-value protocol in Sect. 4.4 to the first card as follows:
$$\begin{aligned} ([\![x_1+x_2]\!], [\![0]\!]) ~\rightarrow ~ ([\![{\mathsf {p}}(x_1+x_2\ge m)]\!], [\![0]\!]). \end{aligned}$$
Correctness The correctness is trivial.
Security Let \(x = (x_1, x_2) \in ({\mathbb {Z}}_m)^2\) be any input. The probability distribution of a view of the protocol starting with the sequence \(s_{\mathsf {in}}(x) = ([\![x_1]\!], [\![x_2]\!])\) is given as follows:
It does not depend on x since it is just a fixed sequence. Thus, for every \(x, x' \in ({\mathbb {Z}}_m)^2\), the following holds:
Therefore, \({\mathcal {P}}^\mathrm{d}_\mathrm{carry}\) securely realizes \({\mathcal {F}}^\mathrm{d}_\mathrm{carry}\).
Efficiency The number of cards is two. The number of subroutine calls is two (one call of the addition protocol and one call of the sign-to-value protocol). From Proposition 1, a carry protocol without subroutines can be obtained. The number of probabilistic operations is four (two rotation shuffles, one two-sided rotation shuffle, and one flipping shuffle).
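The addition, sign-to-value and carry protocols above can be checked mechanically by enumerating every random choice made by the shuffles, which gives both correctness and the exact view distribution. The Python below is an added example, not code from the paper; all function names are hypothetical. It assumes the flip rule x -> -x + a (taken from the flipping example with sequence (0, 2, 5, 7)), applies the two-sided rotation shuffle of step 1 of the sign-to-value protocol to both cards as in the displayed transition, and passes the sum card of the addition protocol to the sign-to-value protocol with the zeroed card as helper.

```python
from collections import Counter
from itertools import product

# A dihedral card of modulus m holds x in Z_{2m}.
def rot(x, a, m):
    return (x + a) % (2 * m)

def flip(x, a, m):
    # Assumed rule, matching the page's example: (0,2,5,7) -> (0,6,3,1) for a=0, m=4.
    return (-x + a) % (2 * m)

def sign(x, m):
    """Sign opening: reveals p(x >= m) and nothing else."""
    return int(x % (2 * m) >= m)

def p_init(x, m, r):
    """Initialization: rotation shuffle (r), full opening, rotate back to 0."""
    opened = rot(x, r, m)
    return rot(opened, -opened, m), (opened,)

def p_add(x1, x2, m, r):
    """Addition: returns ((0, x1 + x2), view)."""
    left, right = flip(x1, 0, m), x2                  # step 1
    left, right = rot(left, r, m), rot(right, r, m)   # step 2: common random r
    opened = left                                     # step 3: full opening
    left, right = rot(left, -opened, m), rot(right, -opened, m)  # step 4
    return (left, right), (opened,)

def p_sv(x, m, r1, r0, r2, helper=0):
    """Sign-to-value: returns ((p(x >= m), 0), view)."""
    left, right = rot(x, r1 * m, m), rot(helper, r1 * m, m)  # step 1
    s1 = sign(left, m)                                       # step 2
    right = rot(right, s1 * m, m)                            # step 3
    left, init_view = p_init(left, m, r0)                    # step 4
    if r2:                                                   # step 5: flipping shuffle
        left, right = flip(left, 1, m), flip(right, m, m)
    s2 = sign(right, m)                                      # step 6
    if s2 == 1:
        right = rot(right, m, m)                             # step 7
        left = flip(left, 1, m)                              # step 8
    return (left, right), (s1,) + init_view + (s2,)

def p_carry(x1, x2, m, r, r1, r0, r2):
    """Carry: addition, then sign-to-value on the sum card."""
    (zero, total), v_add = p_add(x1, x2, m, r)
    cards, v_sv = p_sv(total, m, r1, r0, r2, helper=zero)
    return cards, v_add + v_sv

def runs(protocol, inputs, m, spaces):
    """Execute the protocol once for every combination of random choices."""
    for rs in product(*spaces):
        yield protocol(*inputs, m, *rs)

def view_distribution(protocol, inputs, m, spaces):
    # All choices are uniform and independent, so counts are the distribution.
    return Counter(view for _, view in runs(protocol, inputs, m, spaces))

def verify_carry(m):
    """Correct output on every run, and identical views for every input pair."""
    spaces = [range(2 * m), range(2), range(2 * m), range(2)]
    reference = view_distribution(p_carry, (0, 0), m, spaces)
    for x1, x2 in product(range(m), repeat=2):
        expected = (int(x1 + x2 >= m), 0)
        if any(cards != expected for cards, _ in runs(p_carry, (x1, x2), m, spaces)):
            return False
        if view_distribution(p_carry, (x1, x2), m, spaces) != reference:
            return False
    return True

def leaks_without_twoshuf(m):
    """Negative control: fixing r1 = 0 makes the first sign opening input-dependent."""
    spaces = [[0], range(2 * m), range(2)]
    return (view_distribution(p_sv, (1,), m, spaces)
            != view_distribution(p_sv, (m + 1,), m, spaces))

if __name__ == "__main__":
    for m in (2, 3, 4, 5):
        print(m, verify_carry(m), leaks_without_twoshuf(m))
```

The negative control shows what the security argument relies on: once the random bit of the two-sided rotation shuffle is removed, the opened sign is the input's own sign and the views for different inputs no longer coincide.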
Equality with Zero Protocol
Functionality A functionality \({\mathcal {F}}^\mathrm{d}_\mathrm{zero}\) is defined as follows:
where \(x \in {\mathbb {Z}}_m\).
Protocol A protocol \({\mathcal {P}}^\mathrm{d}_\mathrm{zero}\) is defined as follows:
It proceeds as follows:

1.
\((\mathsf {flip}, {m}, \{1\})\): Flip the first card along the axis m as follows:
$$\begin{aligned} ([\![x]\!], [\![0]\!]) ~\rightarrow ~ ([\![{m - x}]\!], [\![0]\!]). \end{aligned}$$
2.
\((\mathsf {subroutine}, {\mathcal {P}}^\mathrm{d}_\mathrm{sv}, \{1\})\): Apply the sign-to-value protocol in Sect. 4.4 to the first card as follows:
$$\begin{aligned} ([\![{m - x}]\!], [\![0]\!]) ~\rightarrow ~ ([\![s]\!], [\![0]\!]), \end{aligned}$$
where \(s = {\mathsf {p}}({m - x \ge m})\).

3.
\((\mathsf {flip}, 1, \{1\})\): Flip the first card along the axis 1 as follows:
$$\begin{aligned} ([\![s]\!], [\![0]\!]) ~\rightarrow ~ ([\![-s+1]\!], [\![0]\!]). \end{aligned}$$
The protocol terminates.
Correctness For any \(x \in {\mathbb {Z}}_m\), it holds \({\mathsf {p}}({m - x \ge m}) = 0\) if and only if \(x=0\). Thus, the above protocol \({\mathcal {P}}^\mathrm{d}_\mathrm{zero}\) correctly realizes the functionality \({\mathcal {F}}^\mathrm{d}_\mathrm{zero}\).
Security Let \(x \in {\mathbb {Z}}_m\) be any input. The probability distribution of a view of the protocol starting with the sequence \(s_{\mathsf {in}}(x) = ([\![x]\!], [\![0]\!])\) is given as follows:
It does not depend on x since it is just a fixed sequence. Thus, for every \(x, x' \in ({\mathbb {Z}}_m)^2\), the following holds:
Therefore, \({\mathcal {P}}^\mathrm{d}_\mathrm{zero}\) securely realizes \({\mathcal {F}}^\mathrm{d}_\mathrm{zero}\).
Efficiency The number of cards is two. The number of subroutine calls is one (one call of the sign-to-value protocol). From Proposition 1, an equality with zero protocol without subroutines can be obtained. The number of probabilistic operations is three (one rotation shuffle, one two-sided rotation shuffle, and one flipping shuffle).
Equality Protocol
Functionality A functionality \({\mathcal {F}}^\mathrm{d}_\mathrm{equal}\) is defined as follows:
where \(x_1, x_2 \in {\mathbb {Z}}_m\).
Protocol A protocol \({\mathcal {P}}^\mathrm{d}_\mathrm{equal}\) is defined as follows:
It proceeds as follows:

1.
\((\mathsf {subroutine}, {\mathcal {P}}^\mathrm{d}_\mathrm{sub}, \{1\})\): Apply the subtraction protocol to the sequence as follows:
$$\begin{aligned} ([\![x_1]\!], [\![x_2]\!]) ~\rightarrow ~ ([\![x_2 - x_1]\!], [\![0]\!]). \end{aligned}$$
2.
\((\mathsf {subroutine}, {\mathcal {P}}^\mathrm{d}_\mathrm{sign}, \{1\})\): Apply the sign normalization protocol in Sect. 4.3 to the first card as follows:
$$\begin{aligned} ([\![x_2 - x_1]\!], [\![0]\!]) ~\rightarrow ~ ([\![z]\!], [\![0]\!]). \end{aligned}$$
3.
\((\mathsf {subroutine}, {\mathcal {P}}^\mathrm{d}_\mathrm{zero}, \{1,2\})\): Apply the equality with zero protocol in Sect. 4.6 as follows:
$$\begin{aligned} ([\![z]\!], [\![0]\!]) ~\rightarrow ~ ([\![{\mathsf {p}}(z=0)]\!], [\![0]\!]). \end{aligned}$$
Correctness By the sign normalization protocol \({\mathcal {P}}^\mathrm{d}_\mathrm{sign}\), \(z = x_2 - x_1 \bmod m\). Thus, the sequence \(([\![z]\!], [\![0]\!])\) is matched with a subroutine of \({\mathcal {P}}^\mathrm{d}_\mathrm{zero}\). We can also observe that \(z = 0\) if and only if \(x_1=x_2\). Thus, the above protocol \({\mathcal {P}}^\mathrm{d}_\mathrm{equal}\) correctly realizes the functionality \({\mathcal {F}}^\mathrm{d}_\mathrm{equal}\).
Security Let \(x = (x_1, x_2) \in ({\mathbb {Z}}_m)^2\) be any input. The probability distribution of a view of the protocol starting with the sequence \(s_{\mathsf {in}}(x) = ([\![x_1]\!], [\![x_2]\!])\) is given as follows:
It does not depend on x since it is just a fixed sequence. Thus, for every \(x, x' \in ({\mathbb {Z}}_m)^2\), the following holds:
Therefore, \({\mathcal {P}}^\mathrm{d}_\mathrm{equal}\) securely realizes \({\mathcal {F}}^\mathrm{d}_\mathrm{equal}\).
Efficiency The number of cards is two. The number of subroutine calls is three (one call of the subtraction protocol, one call of the sign normalization protocol, and one call of the equality with zero protocol). From Proposition 1, an equality protocol without subroutines can be obtained. The number of probabilistic operations is five (two rotation shuffles, two two-sided rotation shuffles, and one flipping shuffle).
Greater-than Protocol
Functionality A functionality \({\mathcal {F}}^\mathrm{d}_\mathrm{gr}\) is defined as follows:
where \(x_1, x_2 \in {\mathbb {Z}}_m\).
Protocol A protocol \({\mathcal {P}}^\mathrm{d}_\mathrm{gr}\) is defined as follows:
It proceeds as follows:

1.
\((\mathsf {subroutine}, {\mathcal {P}}^\mathrm{d}_\mathrm{sub}, \{1,2\})\): Apply the subtraction protocol in Sect. 4.2 to the sequence as follows:
$$\begin{aligned} ([\![x_1]\!], [\![x_2]\!]) ~\rightarrow ~ ([\![x_2 - x_1]\!], [\![0]\!]). \end{aligned}$$
2.
\((\mathsf {subroutine}, {\mathcal {P}}^\mathrm{d}_\mathrm{sv}, \{1,2\})\): Apply the sign-to-value protocol in Sect. 4.4 as follows:
$$\begin{aligned} ([\![x_2 - x_1]\!], [\![0]\!]) ~\rightarrow ~ ([\![1 - {\mathsf {p}}(x_2\ge x_1)]\!], [\![0]\!]). \end{aligned}$$
3.
\((\mathsf {flip}, 1, \{1\})\): Flip the first card along the axis 1 as follows:
$$\begin{aligned} ([\![1 - {\mathsf {p}}(x_2\ge x_1)]\!], [\![0]\!]) ~\rightarrow ~ ([\![{\mathsf {p}}(x_2\ge x_1)]\!], [\![0]\!]). \end{aligned}$$
The protocol terminates.
Correctness The correctness is trivial.
Security Let \(x = (x_1, x_2) \in ({\mathbb {Z}}_m)^2\) be any input. The probability distribution of a view of the protocol starting with the sequence \(s_{\mathsf {in}}(x) = ([\![x_1]\!], [\![x_2]\!])\) is given as follows:
It does not depend on x since it is just a fixed sequence. Thus, for every \(x, x' \in ({\mathbb {Z}}_m)^2\), the following holds:
Therefore, \({\mathcal {P}}^\mathrm{d}_\mathrm{gr}\) securely realizes \({\mathcal {F}}^\mathrm{d}_\mathrm{gr}\).
Efficiency The number of cards is two. The number of subroutine calls is two (one call of the subtraction protocol and one call of the sign-to-value protocol). From Proposition 1, a greater-than protocol without subroutines can be obtained. The number of probabilistic operations is four (two rotation shuffles, one two-sided rotation shuffle, and one flipping shuffle).
Conclusion and Future Work
In this paper, we designed a new type of cards, dihedral cards, with invisible ink, and constructed efficient protocols for various interesting predicates. We believe that the use of invisible ink makes it easier to design new types of cards that enable the construction of efficient secure computation protocols. An interesting research direction is to find such new types of cards and objects, e.g., polyhedra.
Notes
Invisible ink is ink whose writing is invisible but can be made visible by illuminating it with a black light. It can be used for steganography, which hides the existence of plain texts, while cryptography hides the contents of plain texts.
References
Abe, Y., Hayashi, Y., Mizuki, T., Sone, H.: Five-card AND protocol in committed format using only practical shuffles. In: Proceedings of the 5th ACM on ASIA Public-Key Cryptography Workshop, APKC@AsiaCCS, Incheon, Republic of Korea, June 4, 2018, pp. 3–8 (2018). https://doi.org/10.1145/3197507.3197510
den Boer, B.: More efficient match-making and satisfiability: The Five Card Trick. In: Advances in Cryptology—EUROCRYPT ’89, Workshop on the Theory and Application of Cryptographic Techniques, Houthalen, Belgium, April 10–13, 1989, Proceedings, pp. 208–217 (1989). https://doi.org/10.1007/3540468854_23
Cheung, E., Hawthorne, C., Lee, P.: Cs 758 project: Secure computation with playing cards (2013). https://csclub.uwaterloo.ca/~cdchawth/files/papers/secure_playing_cards.pdf
Crépeau, C., Kilian, J.: Discreet solitary games. In: Advances in Cryptology—CRYPTO ’93, 13th Annual International Cryptology Conference, Santa Barbara, California, USA, August 22–26, 1993, Proceedings, pp. 319–330 (1993). https://doi.org/10.1007/3540483292_27
Kastner, J., Koch, A., Walzer, S., Miyahara, D., Hayashi, Y., Mizuki, T., Sone, H.: The minimum number of cards in practical card-based protocols. In: Advances in Cryptology—ASIACRYPT 2017—23rd International Conference on the Theory and Applications of Cryptology and Information Security, Hong Kong, China, December 3–7, 2017, Proceedings, Part III, pp. 126–155 (2017). https://doi.org/10.1007/9783319707006_5
Koch, A., Walzer, S., Härtel, K.: Card-based cryptographic protocols using a minimal number of cards. In: Advances in Cryptology—ASIACRYPT 2015—21st International Conference on the Theory and Application of Cryptology and Information Security, Auckland, New Zealand, November 29–December 3, 2015, Proceedings, Part I, pp. 783–807 (2015). https://doi.org/10.1007/9783662487976_32
Marcedone, A., Wen, Z., Shi, E.: Secure dating with four or fewer cards. Cryptology ePrint Archive, Report 2015/1031 (2015)
Mizuki, T.: Applications of card-based cryptography to education. IEICE Tech. Rep. 116(289), 13–17 (2016). (In Japanese)
Mizuki, T., Sone, H.: Six-card secure AND and four-card secure XOR. In: Frontiers in Algorithmics, Third International Workshop, FAW 2009, Hefei, China, June 20–23, 2009. Proceedings, pp. 358–369 (2009). https://doi.org/10.1007/9783642022708_36
Mizuki, T., Kumamoto, M., Sone, H.: The five-card trick can be done with four cards. In: Advances in Cryptology—ASIACRYPT 2012—18th International Conference on the Theory and Application of Cryptology and Information Security, Beijing, China, December 2–6, 2012. Proceedings, pp. 598–606 (2012). https://doi.org/10.1007/9783642349614_36
Mizuki, T., Uchiike, F., Sone, H.: Securely computing XOR with 10 cards. Austral. J. Combinator. 36, 279–293 (2006)
Niemi, V., Renvall, A.: Secure multiparty computations without computers. Theor. Comput. Sci. 191(1–2), 173–183 (1998). https://doi.org/10.1016/S03043975(97)001072
Shinagawa, K.: Card-based cryptography with invisible ink. In: T.V. Gopal, J. Watada (eds.) Theory and Applications of Models of Computation—15th Annual Conference, TAMC 2019, Kitakyushu, Japan, April 13–16, 2019, Proceedings, Lecture Notes in Computer Science, vol. 11436, pp. 566–577. Springer (2019). https://doi.org/10.1007/9783030148126_35
Shinagawa, K., Mizuki, T., Schuldt, J.C.N., Nuida, K., Kanayama, N., Nishide, T., Hanaoka, G., Okamoto, E.: Multiparty computation with small shuffle complexity using regular polygon cards. In: Provable Security—9th International Conference, ProvSec 2015, Kanazawa, Japan, November 24–26, 2015, Proceedings, pp. 127–146 (2015). https://doi.org/10.1007/9783319260594_7
Shinagawa, K., Mizuki, T., Schuldt, J.C.N., Nuida, K., Kanayama, N., Nishide, T., Hanaoka, G., Okamoto, E.: Card-based protocols using regular polygon cards. IEICE Transactions 100-A(9), 1900–1909 (2017). http://search.ieice.org/bin/summary.php?id=e100a_9_1900
Stiglic, A.: Computations with a deck of cards. Theor. Comput. Sci. 259(1–2), 671–678 (2001). https://doi.org/10.1016/S03043975(00)004096
A preliminary conference version appeared at [13]. The main additions from the conference version are Sect. 2 (formal protocol definition) and all security proofs in Sect. 4. This article is a part of my PhD dissertation.
Appendix
Definition for Regular Polygon Cards
We define the card specification of regular polygon cards. Regular polygon cards are also known as cyclic cards. Hereafter, we call them cyclic cards. The card specification of cyclic cards is given as follows.
For \(x \in {\mathbb {Z}}_m\), we denote a face-up card having x by \(\underline{x}\) and a face-down card having x by \([\![x]\!]\). The card set of cyclic cards of modulus m, denoted by \({\mathcal {C}}^\mathsf{c}_m\), is defined as follows:
For a card \(c \in {\mathcal {C}}^\mathsf{c}_m\), we define two types of transformations: rotation and turning. For any \(j \in {\mathbb {Z}}_m\), a rotation operation of degree j is defined as follows:
Physically, this is a rotation by \((360/m)^{\circ }\). Note that a face-down card \([\![i]\!]\) is transformed into a face-down card \([\![i-j]\!]\) since a rotation of face-down cards is a backward rotation of face-up cards. A turning operation is defined as follows:
The transformation set of cyclic cards of modulus m, denoted by \({\mathcal {T}}^\mathsf{c}_m\), is defined as follows:
The symbol set of cyclic cards of modulus m, denoted by \(\varSigma ^\mathsf{c}_m \), is defined as follows:
The vision function \(\mathsf {vis}^\mathsf{c}_m: {\mathcal {C}}^\mathsf{c}_m \rightarrow \varSigma ^\mathsf{c}_m\) of cyclic cards of modulus m is defined as follows:
A card specification of cyclic cards of modulus m, denoted by \(\mathsf {Cyclic}_m\), is defined as follows:
Operations for cyclic cards are defined similarly to operations for binary cards and dihedral cards. Specifically, permutations and turnings are defined almost the same as binary cards, and rotations and rotation shuffles are defined almost the same as dihedral cards.
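The rotation and turning operations described above, as an added Python example that is not taken from the paper. Only the face-down rule \([\![i]\!] \mapsto [\![i-j]\!]\) is stated in the text; that a face-up card rotates to \(i+j\), that turning flips the face and keeps the value, and that a face-down card shows "?" are assumptions of this model, as are all function names. It checks that turning conjugates a rotation into its inverse, which is the relation behind the backward rotation.

```python
from itertools import product

# Assumed model (not the paper's notation): a card is (face_up, value),
# with value in Z_m. (True, x) is face-up x, (False, x) is face-down [[x]].

def card_set(m):
    """All 2m cards of modulus m."""
    return [(up, x) for up in (True, False) for x in range(m)]

def rot(card, j, m):
    """Rotation of degree j: forward for face-up (assumed), backward for face-down."""
    up, x = card
    return (up, (x + j) % m) if up else (up, (x - j) % m)

def turn(card):
    """Turning: flip the face, keep the value (assumed)."""
    up, x = card
    return (not up, x)

def vis(card):
    """What an observer sees: the value if face-up, '?' if face-down (assumed)."""
    up, x = card
    return x if up else "?"

def rot_via_turning(card, j, m):
    """Turn the card over, rotate by j, turn it back."""
    return turn(rot(turn(card), j, m))

def check_relations(m):
    """True if rotations compose additively, rot^m and turn^2 are the
    identity, and turn . rot^j . turn equals rot^(-j) on every card."""
    for card, j, k in product(card_set(m), range(m), range(m)):
        if rot(rot(card, j, m), k, m) != rot(card, (j + k) % m, m):
            return False
        if rot_via_turning(card, j, m) != rot(card, -j % m, m):
            return False
    return all(rot(c, m, m) == c and turn(turn(c)) == c for c in card_set(m))

def visible_after_rotations(card, m):
    """Set of symbols an observer can see over all m rotations of a card."""
    return {vis(rot(card, j, m)) for j in range(m)}
```

Under these assumptions the rotations and the turning satisfy the defining relations of a dihedral group of order 2m, and a face-down card shows the same symbol under every rotation.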
About this article
Cite this article
Shinagawa, K. Card-based Cryptography with Dihedral Symmetry. New Gener. Comput. 39, 41–71 (2021). https://doi.org/10.1007/s00354-020-00117-9
DOI: https://doi.org/10.1007/s00354-020-00117-9
Keywords
 Secure computation
 Card-based cryptography
 Invisible ink