1 Introduction

1.1 Background

Secure Multi-Party Computation (MPC) is a cryptographic protocol that allows parties to jointly compute a function using their private data as inputs [24]. All participants cooperate to calculate the value of the function that takes their private data as input while keeping the input secret from other participants. Roughly speaking, there are two approaches in designing protocols of MPC: One is devoted to construct the protocols for computing the gates of circuits such as AND and OR functions for general purpose. The other aims to obtain efficient protocols for computing a specific function such as comparison and majority voting. Recently, one of the actively investigated topics in the latter approach is computing the intersection of multiple sets securely, which is called Private Set Intersection (PSI) [6]. PSI has been studied intensively [5, 18,19,20] since there are several practical applications of PSI, such as the Google Password Checkup [23] and Apple PSI system. Similarly, we also focus on Private Set Union (PSU) [7], in which we calculates the union of multiple sets. PSU is also important because it has several applications, one of which is an aggregation of blacklists [10, 21].

While we assume that MPC is executed on computers, there is a research area to implement MPC with physical tools such as cards instead of computers. This paper deals with card-based cryptography that aims to realize MPC with physical cards [2, 3]. Card-based cryptography has two research directions similar to MPC. Research on card-based cryptography is initiated by den Boer in 1989 [3] as a protocol called five-card trick to compute AND gate, and a committed AND protocol was proposed by Killian et al. [2]. Since then, various protocols have been proposed for computing logical gates (e.g., [1, 11, 12, 15]). On the other hand, there are several results to obtain a protocol for computing a specific function: a millionaire protocol [16], a protocol generating a random permutation without fixed points [2], a secure ranking protocol [22], a secure grouping protocol [9], a secure sorting protocol [8], and so on. In this paper, we show card-based PSI and PSU protocols for the first time because they are well-studied in cryptography but have not been focused on in card-based cryptography yet.

The efficiency in card-based cryptography is measured by the number of cards, the number of shuffles, and the number of communications. In particular, many works have been dedicated to reducing the number of cards. For example, towards efficiency improvement for the five-card trick, which is an AND protocol using five cards, Mizuki, Kumamoto, and Sone realized an AND protocol using four cards [15].

1.2 Our Contributions

This paper shows PSI and PSU protocols in card-based cryptography for the first time. In this paper, we consider a two-party protocol; there are Alice and Bob, and they have sets \(A \subseteq U\) and \(B \subseteq U\), respectively, where U is a universe set and contains n elements. They want to compute \(A \cap B\) (resp., \(A \cup B\)), and the PSI protocol (resp., the PSU protocol) guarantees that no information more than the output is leaked.

We propose PSI and PSU protocols in each of two major operating models in card-based cryptography, the shuffle-based model and the private-permutation-based model. In the shuffle-based model, all operations are performed publicly, and shuffles are crucial ingredients to achieving privacy. In the private-permutation-based model, we consider private permutations (private operations) instead of shuffles, that is parties are allowed to permute cards privately.

1.2.1 Card-Based PSI Protocols

In the shuffle-based model, we propose three card-based PSI protocols (see Table 1). shufPSI-1 is a basic protocol based on a combination of shuffle-based AND protocols. We then improve it regarding the numbers of shuffles and cards by allowing the sizes of input sets to be public. In particular, this protocol, shufPSI-2, is realized by using only one shuffle. Furthermore, we propose shufPSI-3 by modifying shufPSI-2 so that it can be realized with only one shuffle while keeping the input set size secret. Moreover, we show how to extend our (two-party) PSI protocol to a multi-party PSI protocol (denoted by \(\textsf {shufMPSI}\)-1).

In the private-permutation-based model, we propose two card-based PSI protocols (see Table 2). ppPSI-1 is a basic protocol based on a combination of private-permutation-based AND protocols. Then, based on an idea of reusing cards, we present ppPSI-2 that reduces the number of cards although the numbers of private permutations and communications increase. We further present a multi-party PSI protocol ppMPSI-1.

Table 1 Comparison of shuffle-based PSI protocols
Table 2 Comparison of private-permutation-based PSI protocols

1.2.2 Card-Based PSU Protocols

In the shuffle-based model, we propose three card-based PSU protocols (see Table 3). shufPSU-1 is a basic protocol based on a combination of shuffle-based OR protocols. We then provide an improved protocol shufPSU-2 at the cost of making the size of input sets public. Furthermore, we modify shufPSU-2 and propose shufPSU-3 that only requires one shuffle while keeping the input set size secret, though it increases the number of cards. Moreover, we show how to extend our (two-party) PSU protocol to a multi-party PSI protocol (denoted by \(\textsf {shufMPSU}\)-1).

Table 3 Comparison of shuffle-based PSU protocols
Table 4 Comparison of private-permutation-based PSU protocols

In the private-permutation-based model, we show two card-based PSU protocols (See Table 4). ppPSU-1 is a basic protocol based on a combination of private-permutation-based OR protocols. Then, with a similar idea to ppPSI-2, we present an improved PSU protocol ppPSU-2. We further present a multi-party PSU protocol ppMPSU-1.

1.2.3 Differences from the Conference Version

We summarize the improvements from the paper presented at ISITA 2022 paper [4] below:

  1. 1.

    Improved PSI protocols: We improve shufPSI-3 by reducing the number of cards required for the protocol from 9n to 7n. Specifically, the modified protocol only requires for Alice to place 2n face-down cards, whereas the previous protocol required 3n face-down cards. Consequently, the protocol also requires only 2n (instead of 3n) numbered cards, and therefore we reduced 2n cards in total.

  2. 2.

    New card-based PSU protocols: Based on the PSI protocols, we provide the PSU protocols, which were not contained in the conference version.

  3. 3.

    New multi-party PSI and PSU protocols: For each of the shuffle-based and private-permutation-based models, we present how to construct multi-party PSI (resp. PSU) protocols based on our proposed two-party PSI (resp. PSU) protocols.

Besides, we correct the numbers of private permutations and communications for the private-permutation-based protocols (see Tables 2 and 4).

2 Preliminaries

2.1 Cards and Notations

In this paper, we use two colored cards,   and  , and numbered cards for any integer i. The backs of all cards are indistinguishable and denoted by  . Face-down cards representing a Boolean value is called a commitment.Footnote 1

For any positive integer \(i \in \mathbb {N}\), [i] denotes the set of integers \(\{1,\ldots ,i\}\). Let \(U = \{u_1,\ldots , u_n\}\) be a universal set. For a set X, we denote by |X| the number of elements in X and denote by \(\overline{X}\) the complement set of X, i.e., \(\overline{X}= U \setminus X\). Let \(A, B \subseteq U\) be input sets of two parties, Alice and Bob, respectively. Hereafter, to represent a data set \(X \subseteq U\), we regard X as an n-bit string \(X = (x_1, \cdots , x_n)\) defined by \(x_i:= 1\) if \(u_i \in X\) and \(x_i:= 0\) otherwise. We consider both the input and the output for our protocols as n-bit strings.

2.2 The Shuffle-Based Model

2.2.1 Operations

Most of the previous works in card-based cryptography are based on the shuffle-based model in which all operations are performed in public, such as on a table. In the shuffle-based model, parties use the following three operations to construct a protocol.

  • Public permutation: It rearranges the order of a card sequence.

  • Turn: It turns a card over.

  • Shuffle: It randomly rearranges the order of a card sequence according to some probability distribution on the set of permutations.

The efficiency of protocols in the shuffle-based model is mainly measured by the number of cards and the number of shuffles.

2.2.2 Shuffles Used in Our Protocols

We describe the shuffles used in this paper below.

Random cut: A random cut is a shuffle in which the target row of cards is cyclically shifted a random number of times. As a result, every possible cyclically-shifted card row appears with equal probability. Here, we assume that no player knows the random number, i.e., how many times the card row cyclically is shifted.

Random bisection cut: A random bisection cut is a shuffle in which an even number of cards are divided into the same number of cards on the left and right sides, and the left and right sides are randomly swapped. Suppose that we have 2v cards for an integer v. First, the 2v cards are equally divided into the left side \(\textbf{u}_0\) and the right side \(\textbf{u}_1\) as follows:

Then, \(\textbf{u}_0\) and \(\textbf{u}_1\) are randomly swapped as follows:

As a result, we have one of the two sequences as above with probability 1/2 for each. Here, we assume no players can identify how many times the both sides are swapped.

Pile scramble shuffle: A pile scramble shuffle is a completely random shuffle among piles of cards. Suppose that for a positive integer s, we have s piles of cards \((\mathbf {\rho }_1, \mathbf {\rho }_{2},\dots , \mathbf {\rho }_{s})\) each having the same number of cards. Let r be a permutation chosen uniformly at random from the s-th symmetric group. The pile scramble shuffle results in \((\mathbf {\rho }_{r^{-1}(1)},\mathbf {\rho }_{r^{-1}(2)},\cdots ,\mathbf {\rho }_{r^{-1}(s)})\) as below.

The random permutation r is not known to any players.

2.2.3 Encoding a Set with Cards

Since there is no private operation in the shuffle-based model, using face-down cards is the only way to represent a player’s input while keeping the value secret. In this paper, we use two encoding ways for an input set. The first way uses two cards to express a Boolean value such that and . (We call this encoding the two-card representation.) A set \(X \subseteq U\) is expressed as a card sequence \((x_1,\dots ,x_n)\), where if \(u_i \notin X\) and otherwise.

The second way is based on the one-card representation, and . The set X is expressed as a card sequence \((x_1,\dots ,x_n)\), where if \(u_i \notin X\) and otherwise.

2.3 Private-Permutation-Based Model

2.3.1 Operations

The private-permutation-based model is implicitly proposed by Marcedone, Wen, and Shi [13] and formally defined by Nakai, Tokushige, Misawa, Iwamoto, and Ohta [16]. In contrast to the shuffle-based model, the private-permutation-based model allows each players to permute cards while hiding the permutation from other players. Such a private permutation is justified by hiding and permuting the cards behind their backs. The private-permutation-based model uses the following four operations.

  • Public permutation: The same as in the shuffle-based model.

  • Private permutation: It rearranges the order of a card sequence in a private area.

  • Turn: The same as in the shuffle-based model.

  • Communication: It passes cards from one party to another.

We remark that any uniform closed shuffle, which is a shuffle whose permutation set forms a group and the probability distribution over the set is a uniform one, can be realized in the private-permutation-based model. For example, random bisection cuts can be realized in the private-permutation-based model by two players Alice and Bob in the following way. At the beginning of the procedure, Alice holds a sequence of 2v cards in her hands.

  1. 1.

    Alice chooses \(r_A \in \{0,1\}\) uniformly at random, and swaps \((\mathbf {\rho }_0,\mathbf {\rho }_1)\) if \(r_A = 1\) and does nothing otherwise.

  2. 2.

    Alice sends \((\mathbf {\rho }_{r_A},\mathbf {\rho }_{1-r_A})\) to Bob.

  3. 3.

    Bob chooses \(r_B \in \{0,1\}\) uniformly at random, and swaps \((\mathbf {\rho }_{r_A},\mathbf {\rho }_{1-r_A})\) if \(r_B = 1\) and does nothing otherwise.

The order of the resulting sequence is \((\mathbf {\rho }_{r_A \oplus r_B},\mathbf {\rho }_{1-r_A \oplus r_B})\) where \(\oplus \) indicates exclusive OR. Since the random bits generated by each player are kept secret, each player cannot determine whether two piles are swapped and it brings the same effect as a random bisection cut. In the private-permutation-based model, the efficiency of protocols is mainly measured by the numbers of cards, private permutations, and communications.

2.3.2 Encoding a Set with Cards

The private-permutation-based model allows a player to express his/her input without using a commitment [13, 17]. This is thanks to the fact that a player can express his/her input secretly by using a private permutation depend on the value. We call such an encoding the private-permutation-based representation. In the model, players use the private-permutation-based representation in addition to the one-card (or two-card) representations, shown in Sect. 2.2.3.

2.4 Definition of Card-Based PSI and PSU Protocols

We say a protocol is correct if the protocol ensures every player to obtain a correct output for any inputs. A protocol fulfills security if any player cannot learn any more information than the output from his/her view of the protocol. A protocol guarantees independence of inputs if no player can make his/her input depend on the other player’s input.

Given two sets \(A, B \subseteq U\), a card-based PSI protocol outputs a card sequence representing the set intersection \(A \cap B\) with security and independence of inputs. Similarly, given two sets \(A, B \subseteq U\), a card-based PSU protocol outputs a card sequence representing the set union \(A \cup B\) with security and independence of inputs.

3 Existing Card-Based AND Protocols

This paper shows PSI and PSU protocols can be constructed from existing AND and OR protocols, respectively. This section describes existing card-based AND protocols, which are components of our protocols, in the shuffle-based and the private-permutation-based models. We here omit the descriptions about OR protocols since they are easily obtained from AND protocols by the De Morgan’s law.

Assume that Alice and Bob have their binary inputs \(a, b \in \{0,1\}\) and want to compute \(a \wedge b\). A (secure) AND protocol takes two binary inputs \(a, b \in \{0,1\}\), and outputs \(a \wedge b\) without revealing any other information.

3.1 Five-Card AND Protocol in the Shuffle-based Model

The five-card trick [3] is an AND protocol with five cards in the shuffle-based model. Each of Alice and Bob has two cards   and  . The protocol proceeds as follows:

  1. 1.

    Alice and Bob put their own commitments of the two-card representation and an additional card   as follows:

  2. 2.

    After turning the middle card  , a random cut is applied to the five cards.

  3. 3.

    Turn over all cards. The output value is \(a\wedge b = 1\) if there are three consecutive hearts       in cyclic order, otherwise \(a\wedge b = 0\).

3.2 Three-Card AND Protocol in the Private-Permutation-Based Model

Marcedone, Wen, and Shi proposed a three-card AND protocol in the private-permutation-based model [13]. In this protocol, Boolean values are encoded as \(0 \mapsto \)  and \(1 \mapsto \) , respectively. Alice has two cards   and  , and Bob has a card  . The protocol proceeds as follows.

  1. 1.

    Alice sends Bob a face-down card of   (resp.,  ) if \(a = 0\) (resp., if \(a = 1\)).

  2. 2.

    Bob performs a private permutation as follows:

    • If \(b = 0\), place the face-down card of   on the left of the received card.

    • If \(b = 1\), place the face-down card of   on the right of the received card.

  3. 3.

    Alice (or Bob) turns over the left card.

    • If it is  , then \(a\wedge b = 0\).

    • If it is  , then \(a\wedge b = 1\).

Note that Alice and Bob use the one-card and the private-permutation-based representations for their inputs, respectively.

figure w

4 Proposed PSI Protocols

4.1 Shuffle-Based PSI Protocols

This section shows our card-based PSI protocols in the shuffle-based model.

4.1.1 PSI Protocol from an Existing AND Protocol

We first show that a PSI protocol can be constructed from existing card-based AND protocols. Hereafter, we describe our protocol based on the five-card AND protocol, shown in Sect. 3.1.

Let Alice and Bob hold input sets A and B, respectively. The binary notation satisfies that for any \(i \in [n]\), \(a_i = 1\) and \(b_i = 1\) if and only if \(u_i\) lies in the set intersection \(A \cap B\). Hence, the set intersection can be obtained from the AND operations to each element. If we apply the five-card trick to each bit simply, the protocol would require 5n cards overall. Recall that the five-card trick uses one card in addition to the input representation. To reduce the number of cards, we reuse the additional card for each bit comparison. As a result, we realize a PSI protocol with \(4n+1\) cards. (See shufPSI-1, which shows the concrete procedure).

figure x

Correctness: it follows from the relation that \(a_i = b_i = 1\) if and only if \(u_i \in A \cap B\).

Security: it follows from the security of the underlying AND protocol.

Independence of inputs: The players make all elements of their sets as commitments at the setup phase independently. Hence, it is obvious that the protocol guarantees independence of inputs. (The same is true for the other protocols constructed in the shuffle-based model, and thus, we omit the proofs regarding their independence of inputs.)

4.1.2 PSI Protocol Using Only One Shuffle with Public Input Set Sizes

A PSI protocol requires at least n shuffles as long as we rely on the AND protocol-based solution since it requires a shuffle bit-by-bit. This section presents another approach to achieve a PSI protocol that does not rely on AND protocols.

We show a PSI protocol with 3n cards and one pile scramble shuffle only. We allow the protocol to reveal the sizes of sets |A| and |B|. Moreover, this protocol uses n numbered cards (\(i\in [n]\)) as additional cards. The back of numbered cards are the same as   and  . shufPSI-2 shows the 3n-card PSI protocol.

Correctness: it follows from the fact that both \(\alpha '_i\) and \(\beta '_i\) are   if and only if \(u_i \in A\cap B\).

Security: in step (3), the front sides of \((\alpha '_i, \beta '_i)\) are one of four patterns:  ,  ,  , and  . We can observe that the number of   is \(|A \cap B|\), the number of   is \(|A \setminus B|\), the number of   is \(|B \setminus A|\), and the number of is \(|U\setminus (A \cup B)|\). Since all of them are efficiently computable from |A|, |B|, and \(A \cap B\), no information beyond the output information is leaked. Therefore, shufPSI-2 is secure.

figure as

4.1.3 PSI Protocol Using Only One Shuffle with Private Input Set Sizes

We also propose a PSI protocol where the input set sizes |A| and |B| are made private at the cost of increasing the number of cards in comparison to shufPSI-2. See shufPSI-3 that shows the procedure. It requires 7n cards and one pile scramble shuffle.

Since the correctness of shufPSI-3 can be shown in the same way as shufPSI-2, we omit the details. We here present the security proof for shufPSI-3.

Security: In step 3, parties turn over all of \(\{\alpha '_i \}_{i \in [2n]}\) to face-up. Since the sequence is randomized by the pile scramble shuffle, Bob does not learn anything about A from the card sequence. Furthermore, parties turn over \(\beta '_j\) to face-up if \(\alpha '_j\) is   in the step. Since the number of   in \(\{\alpha '_i \}_{i \in [2n]}\) is n, which is public information, the number of cards turned over in \(\{\beta '_i \}_{i \in [2n]}\) is also n. Also, the number of   in the card sequence is \(|A \cap B|\). Hence, from the cards made face-up, Alice and Bob cannot learn any additional information than the output. Therefore, shufPSI-3 is secure.

figure aw

4.2 Private-Permutation-Based PSI Protocols

4.2.1 PSI Protocol from AND Protocols

As in the previous section, we first show a PSI protocol constructed with the three-card AND protocol, shown in Sect. 3.2. See ppPSI-1 for concrete descriptions. The idea is the same as shufPSI-shufPSI-1. Namely, the results of bitwise AND operations give the set intersection. The same discussion as in shufPSI-shufPSI-1 holds for correctness and security. Also, it is obvious that the protocol guarantees the independence of inputs since Bob opens no card before he inputs all elements of his set. (Note that step 2 corresponds to the procedure that Bob inputs his set.)

4.2.2 PSI Protocol Based on Sequential Comparison

In this section, we improve ppPSI-1 in terms of the number of cards. To reduce the number of cards, we focus on the n cards discarded without being used as the output. The main idea is to reuse these discarded cards by changing the protocol to sequential bitwise comparison. In other words, we reduce the number of cards by reusing cards that would be discarded in the next bit comparison. To do so, we employ two-card representations, i.e., and , unlike ppPSI-1, and Alice uses a sequence of 2n cards, called comparison cards, to represent her input \((a_1,\ldots ,a_n)\).

It is important to note that the discarded cards cannot be reused as-is since they have information about players’ inputs. To resolve this issue, we introduce two additional cards  , called extra cards, in addition to comparison cards. These extra cards allow Alice and Bob to compare each bit and reuse cards without compromising security. As a result, we reduce the number of cards to \(2n + 2\) although the numbers of communications and private permutations increase (see ppPSI-2 for the detailed procedure).

figure az

Correctness: See step 2-i) of ppPSI-2. As a result of this step, \(p_i\) becomes the extra cards   if \(b_i=0\) (i.e., \(a_i \wedge b_i =0\)). If \(b_i =1\), then \(p_i\) is set as \(a_i\). In other words, \(p_i\) is   if \(a=1\), or is   otherwise. Thus, ppPSI-2 is correct.

Security: Although Bob performs the operation depending on his input in step 2-(a), the operation is hidden from Alice based on the assumption of private permutations. Hence, the information of his input is not leaked to Alice at this point. Alice turns the extra cards face up in step 2-(b). Since these cards are randomized with \(r_{A,i}\) and \(r_{B,i}\) privately chosen by Alice and Bob, respectively, no information is leaked from the operation. Note that the players can realize the same result of a shuffle by carrying out two private permutations with random numbers chosen independently, as described in Sect. 2.3. Therefore, Alice and Bob cannot obtain any information other than their own input and output.

Independence of inputs: As described in the proof of security, Bob cannot learn any information about A from the cards made face-up at step 2-(b). Hence, Bob cannot choose his input at step 2-(a) depend on A. Thus, the protocol guarantees independence of inputs.

Interestingly, our two-party PSI protocol ppPSI-2 can be extended to a multi-party PSI protocol without increasing the number of cards. More precisely, we can realize a multi-party PSI protocol with \(2n+2\) cards regardless of the number of involved players. We present the protocol in Sect. 6.2.

figure bg

5 Proposed PSU Protocols

This section shows our card-based PSU protocols. By using the De Morgan’s law, i.e., \(A \cup B = \overline{\overline{A} \cap \overline{B}}\), we can construct a PSU protocol from a PSI protocol. We describe the idea below:

Idea behind our PSU protocols: Let Alice and Bob hold \(A \subseteq U\) and \(B \subseteq U\), respectively. Alice and Bob run a PSI protocol for \(\overline{A}\) and \(\overline{B}\) and obtain the output \(\overline{A} \cap \overline{B}\). Since \(\overline{A} \cap \overline{B} = \overline{A \cup B}\) holds, they can learn the set union \(A \cup B\) by computing the complement set of the output. If the underlying PSI protocol fulfills security and independence of inputs, the same is true for the PSU protocol obtained by this construction.

In our protocols, an input set is expressed as an n-bit string \(X=(x_1,\dots ,x_n)\), where \(x_i =0\) (resp. \(x_i=1\)) means \(u_i \notin X\) (resp. \(u_i \in X\)). Then, \(\overline{X}\) can be obtained by flipping every bit of X. That is, the output of a PSI protocol for \(\overline{A}\) and \(\overline{B}\) holds \((\lnot a_1 \wedge \lnot b_1, \dots , \lnot a_n \wedge \lnot b_n)\), and the players can obtain \(A \cup B\) by flipping all bits of the output. Note that \(a \vee b = \lnot (\lnot a \wedge \lnot b)\) holds from the De Morgan’s law. It implies that we can construct a PSU protocol based on an OR protocol by the same idea of our PSI protocols.

5.1 Shuffle-Based PSU Protocols

In this section, we propose card-based PSU protocols in the shuffle-based model.

5.1.1 PSU Protocol from an OR Protocol

We first show that a PSU protocol can be constructed from a card-based OR protocol obtained from the five-card trick and the De Morgan’s law.

Let Alice and Bob hold input sets A and B, respectively. The binary notation satisfies that for any \(i \in [n]\), \(a_i = 1\) or \(b_i = 1\) if and only if \(u_i\) lies in the set union \(A\cup B\). Hence, the set union can be obtained from the OR operations to each element. Now, from the De Morgan’s law, we can obtain an OR protocol by negating the input and output bits in the five-card trick. Thus, we have a PSU protocol in the same way as shufPSI-shufPSI-1. See shufPSU-1 for the concrete procedure. Note that the negations of input and output bits are executed in steps 1-a-i and 1-a-iii, respectively.

Correctness: it follows from the relation that \(a_i = 1\) or \(b_i = 1\) if and only if \(u_i \in A \cup B\).

Security: it follows from the security of the underlying OR protocol.

5.1.2 PSU Protocol Using Only One Shuffle with Public Input Set Sizes

Next, we show a PSU protocol, which leaks the sizes of the sets |A| and |B| as in shufPSI-2. Thus, the protocol can be used when |A| and |B| are publicly known. shufPSU-2 shows the 3n-card PSU protocol.

Correctness: it follows from the fact that both \(\alpha '_i\) and \(\beta '_i\) are   if and only if \(u_i \in \overline{A \cup B}.\)

Security: in step (3), the front sides of \((\alpha '_i, \beta '_i)\) are one of four patterns:  ,  ,  , and  . We can observe that the number of   is \(|\overline{A \cup B}|\), the number of   is \(|A \setminus B|\), the number of   is \(|B \setminus A|\), and the number of is \(|A \cap B|\). Since all of them are efficiently computable from |A|, |B|, and \(|\overline{A \cup B}|\), no information beyond the output information is leaked. Therefore, shufPSU-2 is secure.

Note that shufPSU-2 and shufPSU-3 shown later output the complementary set \(\overline{A \cup B}\), not \(A \cup B\). To obtain \(A \cup B\), we can compute \(U \setminus \overline{A \cup B}\) after the protocol.

figure by

5.1.3 PSU Protocol Using Only One Shuffle with Private Input Set Sizes

We construct shufPSU-3 based on our PSI protocol, shufPSI-3. shufPSU-3 eliminates the condition that the input sizes |A| and |B| are leaked, at the price of the 4n additional cards.

Since the correctness of shufPSU-3 can be shown in the same way as shufPSU-2, we omit the details. We here present the security proof for shufPSU-3.

Security: In step 2, parties turn over all of \(\{\alpha '_i \}_{i \in [2n]}\) to face-up. Since the sequence is randomized by the pile scramble shuffle, Bob does not learn anything about A from the card sequence. Furthermore, parties turn over \(\beta '_j\) to face-up if \(\alpha '_j\) is   in the step. Since the number of   in \(\{\alpha '_i \}_{i \in [2n]}\) is n, which is public information, the number of cards turned over in \(\{\beta '_i \}_{i \in [2n]}\) is also n. Also, the number of   in the card sequence is \(|\overline{A \cup B}|\). Hence, from the cards made face-up, Alice and Bob cannot learn any additional information than the output. Therefore, shufPSU-3 is secure.

figure cc

5.2 Private-Permutation-Based PSU Protocols

In this section, we propose card-based PSU protocols in the private-permutation-based model. We omit the discussion on correctness and security for the proposed protocols in this section because the same discussion as in Sect. 4.2 holds.

5.2.1 PSU Protocols from OR Protocols

In Sect. 4.2.1, the PSI protocol was realized based on the AND protocol. Here, we describe a PSU protocol based on the three-card OR protocol, which is shown in ppPSU-1.

figure cd

5.2.2 PSU Protocol Based on Sequential Comparison

In Sect. 4.2.2, we proposed a PSI protocol based on sequential comparison (ppPSI-2). By slightly modifying ppPSI-2, we obtain a \((2n+2)\)-card PSU protocol. (See ppPSU-2, which shows the concrete procedure.)

As well as ppPSI-2, our two-party PSU protocol ppPSU-2 can be extended to a multi-party PSU protocol of which the number of cards is \(2n+2\). We present the protocol in Sect. 6.2.

figure ce

6 Card-Based Multi-party PSI and PSU Protocols

6.1 Multi-party Protocols in the Shuffle-Based Model

Based on the same idea for shufPSI-shufPSI-1, we can realize a card-based multi-party PSI protocol. (Given \(X_1,\dots ,X_m \subseteq U\), a multi-party PSI protocol outputs \(X_1 \cap \dots \cap X_m\), and it guarantees security and independence of inputs.) For \(i \in [m]\), let \(X_i = (x_{i,1},\dots ,x_{i,n})\). Then, \(X_1 \cap \dots \cap X_m =(x_{1,1} \wedge \dots \wedge x_{m,1},\dots ,x_{1,n} \wedge \dots \wedge x_{m,n})\) holds. It implies that a card-based multi-party PSI protocol can be obtained from a card-based m-input AND protocol.Also, it is well known that a (two-input) AND protocol with thecommitted-format can be extended to an m-input AND protocol. (Given two commitment \(a, b \in \{0,1\}\) with the two-card representation, the committed-format AND protocol outputs a commitment that represents \(a \wedge b\) with the two-card representation.Footnote 2) That is, we can construct a card-based multi-party PSI protocol from a committed-format (two-input) AND protocol.

We here discuss the efficiency in the case where we adopt the committed-format AND protocol shown in [14], which uses two cards in addition to the input cards, i.e., it consists of six cards. By reusing the additional cards as in shufPSI-shufPSI-1 for each execution of the committed-format AND protocol, we can construct a multi-party PSI protocol with \(2mn+2\) cards. (Note that each of m players holds 2n cards for his/her input.) Also, since the committed-format AND protocol [14] requires one shuffle, the multi-party protocol consists of mn shuffles. (We call this protocol shufMPSI-1.)

The similar discussion holds for the PSU protocol. That is, we can construct a card-based multi-party PSU protocol from a committed-format OR protocol with \(2mn+2\) cards and mn shuffles. (We call this protocol shufMPSU-1.)

6.2 Multi-party Protocols in the Private-Permutation-Based Model

ppMPSI-1 shows our multi-party PSI protocol. The protocol generally follow the same construction ideas of the two-party protocol ppPSI-2.

Let players \(P_1,\dots ,P_m\) hold \(X_1,\dots ,X_m \subseteq U\), respectively. Intuitively, in ppMPSI-1, players run the following process: First, \(P_1\) and \(P_2\) carry out the two-party PSI protocol for \(X_1\) and \(X_2\), and obtain a commitment of \(X_1 \cap X_2\). Afterwards, \(P_2\) and \(P_3\) carry out the two-party PSI protocol for \(X_1 \cap X_2\) and \(X_3\), and obtain commitments of \(X_1 \cap X_2 \cap X_3\). Note that since \(P_3\) uses the private-permutation-based representation for his/her input, they need to prepare no additional card and can complete this process with the cards used in the previous process. By repeating the same process up to \(P_n\), players can obtain commitments of \(X_1 \cap \dots \cap X_m\). Since players can perform such process with 2n comparison cards and two extra cards by reusing them for all players, we can construct a multi-party PSI protocol with \(2n+2\) cards. Also, it uses \((m-1)(3n-2)\) private permutations and \((m-1)(2n-1)\) communications.

By a similar way, we can realize a multi-party PSU protocol with \(2n+2\) cards, \((m-1)(3n-2)\) private permutations and \((m-1)(2n-1)\) communications. (See ppMPSU-1 that shows the procedure.)

figure cf
figure cg

7 Concluding Remarks

This paper focused on PSI and PSU protocols, which are the well-studied MPC protocols, in card-based cryptography for the first time. We proposed PSI and PSU protocols in each of shuffle-based and private-permutation-based models.

The basic protocols in the shuffle-based model are shufPSI-shufPSI-1 and shufPSU-1, which are based on the shuffle-based AND and OR protocols, respectively, and they require \(4n+1\) cards and n shuffles. These basic protocols can be improved in terms of both the numbers of cards and shuffles by weakening the security level, i.e., by making the input set sizes public. The resultant protocols shufPSI-2 and shufPSU-2 only require 3n cards and one pile scramble shuffle. We also showed that the protocols, shufPSI-3 and shufPSU-3, requires only one shuffle while keeping the input set sizes secret, though they require 7n cards.

In the private-permutation-based model, we showed that the basic protocols can be realized based on a similar idea to the shuffle-based model. We constructed the basic protocols, ppPSI-1 and ppPSU-1, based on the private-permutation-based AND and OR protocols. Thanks to the private permutations, they only require 3n cards, which are fewer than the shuffle-based basic protocols shufPSI-shufPSI-1 and shufPSU-1. We then provided improved protocols, ppPSI-2 and ppPSU-2, by reusing several cards used in the basic protocols, though the numbers of private permutations and communications are increased.