## 1 Introduction

The most well known card-based cryptographic protocol uses five cards showing two different types of symbols, $$\heartsuit$$ and $$\clubsuit$$, which are otherwise assumed to be physically indistinguishable. Let us quickly describe the elegant “five-card trick” of den Boer [B89] for computing a logical AND operation on the bits of two players. For this, the players input their bits as a commitment, which is two face-down cards either as $$\heartsuit \,\clubsuit$$ or $$\clubsuit \,\heartsuit$$, encoding $$1$$ or $$0$$, respectively, with a separating $$\clubsuit$$ card in between, so that the possible input sequences look like this:

Now, the second player inverts his bit by swapping his cards, leading to the following situation:

Observe that only in the case of $$a=b=1$$, the three $$\clubsuit$$s are consecutive. The following cyclic arrangement of cards as seen from below a “glass table” makes it obvious that this property is preserved under cyclic shifts of the cards:

By applying a cyclic shift by a random offset, the correspondence of the positions to the players is obscured. This “shuffling” of the cards can be done by the players taking turns in applying a cyclic shift of a random offset, without letting the other players observe the permutation that has been applied to the cards. By revealing all cards afterwards, the players can check whether the three $$\clubsuit$$s are consecutive and deduce that the output is $$1$$ if this is the case, and $$0$$ otherwise.

This example illustrates that a deck of cards can be used to securely evaluate functions, without the players giving away anything about their inputs that cannot be deduced from the result of the execution of such a card-based cryptographic protocol. The utility of these protocols is evident from their use in classrooms and lectures to illustrate secure multiparty computation to non-experts to the field of cryptography, or in an introductory course. Moreover, the possibility of performing these protocols without the use of computers is an interesting distinctive feature.

In their ASIACRYPT 2012 paper, Mizuki, Kumamoto, and Sone [MKS12] were able to reduce the number of cards to the best possible of $$4$$, which is already necessary to encode the inputs. However, both protocols have an important caveat: They unavoidably reveal the final result during the computation. This makes them inadequate for use in larger protocols, for instance when evaluating complex logical circuits.

Therefore, starting with [NR98, S01, CK93], several researchers came up with so-called committed format protocols, which output a commitment encoding the result by two cards, as described above. This allows for using the output commitment of the protocol as an input to another protocol and for having a fine-grained control on who learns what about the result.

So far, the protocols using the least number of cards for computing AND in committed format are

• the six-card protocol of Mizuki and Sone [MS09], which has a deterministic runtime (cf. Fig. 2), and

• the five-card Las Vegas protocol of [CHL13], as described in Example 1. Note that this protocol may end in a configuration which needs restarting with probability and utilizes a rather complex shuffle operation. (These operations will be discussed in Sect. 8).

This leads to the natural question on the minimality of cards needed for a secure committed format AND, which has been posed in several places in the literature, see, e.g., [MS09, MS14a, MKS12]. Moreover in [CHL13], the authors ask whether there is a “deterministic” five-card variant of their protocol. In this paper, we answer these questions comprehensively.

To cope with these questions, [MS14a] defined a formal computational model stating the possible operations that a card-based protocol can make. To allow for strong impossibility results, the authors give a rather wide palette of possible operations that can be applied to the cards, e.g., shuffling with an arbitrary probability distribution on the set of permutations. Our paper shows that this yields rather strong possibility results by utilizing “non-closed” shuffles, as defined in Sect. 8.

Note that all protocols are in the honest-but-curious setting (although some analysis of malicious behavior has been done in [MS14b]), i.e., the players execute the protocol according to its description, but gather any information they can possibly obtain.

Contribution. In this paper, we

• introduce a four-card Las Vegas protocol for the AND of two players’ bits,

• give a five-card variant, which has an a priori bound on the number of execution steps, i.e., a finite-runtime protocol,

• show that this is optimal, as four-card finite-runtime protocols computing AND in committed format are impossible,

• define a method of enriching the description of a protocol, that makes correctness and security transparent and gives a good understanding of how these protocols work, which can be used as a leverage to devise impossibility results. We therefore believe that this method is of general interest for research in card-based cryptography,

• state a general $$2k$$-card protocol for any $$k$$-ary boolean function, which can be seen as a touchstone for the practicability of the underlying computational model,

• discuss the computational model of [MS14a] briefly.

For comparison with other protocols, we refer the reader to Tables 1 and 2. For the former, we have three key parameters in describing the properties of protocols: whether it is committed format, whether it is a finite-runtime or a Las Vegas algorithm, and whether “non-closed” or “non-uniform” shuffles are used in the protocols, for which it is not yet apparent how they can be run in practice, cf. Section 8 for a discussion. Table 1 states the minimal number of cards for protocols with the given parameters and gives the corresponding references.

In Table 2 we compare our $$2k$$-card protocol of Sect. 7 with the best protocol for general boolean functions in the literature, with respect to the number of cards, namely [N+15]. While our protocol reduces the number of cards by six, it is a Las Vegas protocol with a substantial probability to end in a state which requires to restart the protocol. Moreover, it uses the non-closed shuffles mentioned above. Even though the expected number of restarts until a successful run is of order $$O(2^k)$$, each run of our protocol requires only a constant number of steps. This result can also be interpreted as a touchstone of the plausibility of the computational model for card-based protocols.

Outline. In Sect. 2 we introduce the basic computational model of card-based protocols and a strong information-theoretic security definition. We describe a method for the analysis of protocols in Sect. 3. We give a description of our four- and five-card protocols in Sects. 4 and 5, respectively. In the subsequent Sect. 6 we show that five cards are necessary for finite-runtime protocols. In Sect. 7 we state a Las Vegas protocol for general boolean functions using a strong shuffle operation that the computational model allows. We discuss these shuffle operations in Sect. 8. Finally, we conclude the paper in Sect. 9.

Notation. In the paper we use the following notation.

• Cycle Decomposition. For $$n \in \mathbb {N}$$ and numbers $$a_1,a_2,\ldots ,a_k \le n$$ we write $$\pi = (a_1\;a_2\;\ldots \;a_k)$$ for the permutation $$\pi \in S_{n}$$ that maps $$a_i$$ to $$a_{i+1}$$ for $$1 \le i \le k-1$$ and $$a_k$$ to $$a_1$$ and all other $$x \le n$$ to themselves. We call this a cycle. Cycles are maps, so they can be composed with $$\circ$$, which we will omit in the following, e.g. $$(1\;3\;5)(2\;4)$$ maps $$1 \mapsto 3$$, $$3 \mapsto 5$$, $$5 \mapsto 1$$, $$2 \mapsto 4$$ and $$4 \mapsto 2$$.

• Drawing from a Probability Distribution. If $$\mathcal {F}$$ is a probability distribution on a set X, we write $$x \leftarrow \mathcal {F}$$ to indicate that $$x \in X$$ should be randomly chosen from X according to $$\mathcal {F}$$.

• Sequence Indices. Given a sequence $$x = (\alpha _1, \ldots , \alpha _l)$$ and an index $$i$$ with $$1 \le i \le l$$, we denote by $$x[i]$$, the $$i$$th entry of the sequence, namely $$\alpha _i$$.

## 2 Machine Model and Security of Card-Based Protocols

Mizuki and Shizuya [MS14a] came up with an elegant framework to model a computation with card-based cryptographic protocols. We adopt their setting to our needs and quickly review the important definitions in the following.

A deck $$\mathcal {D}$$ is a finite multiset of symbols, its elements are cards. We will restrict ourselves to the case where $$\mathcal {D}$$ contains two types of symbols, depicted by $$\heartsuit$$ and $$\clubsuit$$. For a symbol $$c\in \mathcal {D}$$, $$\frac{c}{\mathord {?}}$$ denotes a face-up card and $$\frac{\mathord {?}}{c}$$ a face-down card with symbol $$c$$, respectively. Here, ‘?’ is a special backside symbol, not contained in $$\mathcal {D}$$. For a face-up or face-down card $$\alpha$$, $$\mathsf{top}\,(\alpha )$$ and $$\mathsf{atom}\,(\alpha )$$ denote the symbol in the “numerator” and the symbol distinct from ‘?’, respectively.

Cards are lying on the table in a sequence. A sequence is obtained by permuting $$\mathcal {D}$$ and choosing face-up or face-down for each card. For example, $$(\frac{\mathord {?}}{\clubsuit }, \frac{\clubsuit }{\mathord {?}}, \frac{\mathord {?}}{\heartsuit }, \frac{\mathord {?}}{\heartsuit }, \frac{\mathord {?}}{\clubsuit })$$ is a sequence of $$\mathcal {D}=[\clubsuit , \clubsuit , \clubsuit , \heartsuit , \heartsuit ]$$. We extend $$\mathsf{top}\,(\cdot )$$ and $$\mathsf{atom}\,(\cdot )$$ from single cards to sequences of cards in the canonical way. For a sequence $$\varGamma$$, $$\mathsf{top}\,(\varGamma )$$ is the visible sequence of $$\varGamma$$. For example, $$\mathsf{top}\,{(\frac{\mathord {?}}{\clubsuit }, \frac{\clubsuit }{\mathord {?}}, \frac{\mathord {?}}{\heartsuit }, \frac{\mathord {?}}{\heartsuit }, \frac{\mathord {?}}{\clubsuit })} = (\mathord {?}, \clubsuit , \mathord {?}, \mathord {?}, \mathord {?})$$. We denote the set of all visible sequences of $$\mathcal {D}$$ by $${\mathsf{{Vis}}}^{\mathcal {D}}$$, or $${\mathsf{{Vis}}}^{}$$ for short. Furthermore, we define the set of atomic sequences $${\mathsf{{AtSeq}}}^{\mathcal {D}}$$, or $${\mathsf{{AtSeq}}}^{}$$ for short, as the set of all permutations of $$\mathcal {D}$$.

A protocol $$\mathcal {P}$$ is a quadruple $$(\mathcal {D}, U, Q, A)$$, where $$\mathcal {D}$$ is a deck, $$U$$ is a set of input sequences, $$Q$$ is a set of states with two distinguished states $$q_0$$ and $$q_ f$$, being the initial and the final state. Moreover, we have a (partial) action function

\begin{aligned}A:(Q \setminus \{q_ f \}) \times {\mathsf{{Vis}}}^{} \rightarrow Q \times \mathsf{{Action}},\end{aligned}

depending only on the current state and visible sequence, specifying the next state and an operation on the sequence from $$\mathsf{{Action}}$$ that contains the following actions:

• $$(\mathsf{{perm}}, \pi )$$ for a permutation $$\pi \in S_{|\mathcal {D}|}$$ from the symmetric group $$S_{|\mathcal {D}|}$$ on elements $$\{1, \ldots , |\mathcal {D}|\}$$. This transforms a sequence $$\varGamma =(\alpha _1, \ldots , \alpha _{|\mathcal {D}|})$$ into

\begin{aligned}\mathsf{perm}_{\pi }\left( \varGamma \right) :=(\alpha _{\pi ^{-1}(1)}, \ldots , \alpha _{\pi ^{-1}(|\mathcal {D}|)}),\end{aligned}

i.e., it permutes the cards according to $$\pi$$.

• $$(\mathsf{{turn}}, T)$$ for $$T\subseteq \{1, \ldots , |\mathcal {D}|\}$$. This transforms a sequence $$\varGamma =(\alpha _1, \ldots , \alpha _{|\mathcal {D}|})$$ into

\begin{aligned}\mathsf{turn}_{T}\left( \varGamma \right) :=(\beta _1, \ldots , \beta _{|\mathcal {D}|}),\text { where } \beta _i = {\left\{ \begin{array}{ll} \mathsf{swap}(\alpha _i), &{}\text {if } i\in T,\\ \alpha _i, &{}\text {otherwise}, \end{array}\right. }\end{aligned}

i.e., it turns over all cards from a turn set $$T$$. Here $$\mathsf{swap}(\frac{c}{\mathord {?}}) :=\frac{\mathord {?}}{c}$$ and $$\mathsf{swap}(\frac{\mathord {?}}{c}) :=\frac{c}{\mathord {?}}$$, for $$c\in \mathcal {D}$$.

• $$(\mathsf{{shuffle}}, \varPi , \mathcal {F})$$ for a probability distribution $$\mathcal {F}$$ on $$S_{|\mathcal {D}|}$$ with support $$\varPi$$. This transforms a sequence $$\varGamma$$ into the random sequence

\begin{aligned}{\mathsf{{shuffle}}}_{\varPi , \mathcal {F}}\left( \varGamma \right) :=\mathsf{perm}_{\pi }\left( \varGamma \right) , \text { for } \pi \leftarrow \mathcal {F},\end{aligned}

i.e., $$\pi \in \varPi$$ is drawn according to $$\mathcal {F}$$ and then applied to $$\varGamma$$. Note that the players do not learn the chosen permutation when executing the protocol (unless they can derive it from $$\mathcal {F}$$ and the visible sequence after the operation). If $$\mathcal {F}$$ is the uniform distribution on $$\varPi$$, we may omit it and write $$(\mathsf{{shuffle}}, \varPi )$$.

• $$(\mathsf{{rflip}}, \varPhi , \mathcal {G})$$ for a probability distribution $$\mathcal {G}$$ on $$2^{\{1, \ldots , |\mathcal {D}|\}}$$ with support $$\varPhi$$. This transforms a sequence $$\varGamma$$ into

\begin{aligned}{\mathsf{{rflip}}}_{\varPhi , \mathcal {G}}\left( \varGamma \right) :=\mathsf{turn}_{T}\left( \varGamma \right) , \text { for } T\leftarrow \mathcal {G},\end{aligned}

i.e., $$T\subseteq \{1, \ldots ,|\mathcal {D}|\}$$ is drawn according to $$\mathcal {G}$$ and then the corresponding cards of $$\varGamma$$ are turned.

• $$(\mathsf{{restart}})$$. This transforms a sequence into the start sequence. This special operation requires that the first component of $$A$$’s output, i.e., the next state, is $$q_0$$. This allows for Las Vegas protocols that “fail” and start over with a certain probability. Protocols with a (deterministic) finite runtime do not need this operation.

• $$(\mathsf{{result}}, p_1, \ldots , p_l)$$ for a list of positions $$p_1, \ldots , p_l \in \{1, \ldots , |\mathcal {D}|\}$$. This special operation occurs if and only if the first component of $$A$$’s output is $$q_ f$$. This halts the protocol and specifies that $$(\alpha _{p_1}, \ldots , \alpha _{p_l})$$ is the output, where $$\varGamma =(\alpha _1, \ldots , \alpha _{|\mathcal {D}|})$$ is the current sequence.

A tuple $$(\varGamma _0, {\varGamma }_1, \ldots , {\varGamma }_t)$$ of sequences such that $$\varGamma _0 \in U$$ and $${\varGamma }_{i+1}$$ arises from $${\varGamma }_i$$ by an operation as specified by the action function in a protocol run is a sequence trace; in that case $$(\mathsf{top}\,(\varGamma _0), \mathsf{top}\,({\varGamma }_1), \ldots , \mathsf{top}\,({\varGamma }_t))$$ is a visible sequence trace.Footnote 1

A protocol terminates when entering the final state $$q_ f$$. A protocol is called finite-runtime Footnote 2 if there is a fixed bound on the number of steps, and in contrast Las Vegas, if it terminates almost surely (i.e., with probability $$1$$) and in a number of steps that is only expectedly finite.

Next we describe a canonical form for protocols computing boolean functions. For this we interpret two cards with distinct symbols as $$1$$, if their symbols are arranged $$\heartsuit \,\clubsuit$$, and $$0$$, if they are arranged as $$\clubsuit \,\heartsuit$$.

### Definition 1

Let $$f:\{0,1\}^k \rightarrow \{0,1\}$$ be a boolean function. Then we say a protocol $$\mathcal {P} = (\mathcal {D}, U, Q, A)$$ computes $$f$$, if the following holds:

• the deck $$\mathcal {D}$$ contains at least $$k$$ cards of each symbol,

• there is a one-to-one correspondence between inputs and input sequences, with the convention that for $$b\in \{0,1\}^k$$ we have that $$U$$ contains $$\varGamma ^{b} = (\alpha _1, \ldots , \alpha _{|\mathcal {D}|})$$, where

\begin{aligned}(\alpha _{2i-1}, \alpha _{2i}) = {\left\{ \begin{array}{ll} (\frac{\mathord {?}}{\heartsuit }, \frac{\mathord {?}}{\clubsuit }), &{}\text { if } b[i] = 1,\\ (\frac{\mathord {?}}{\clubsuit }, \frac{\mathord {?}}{\heartsuit }), &{}\text { if } b[i] = 0, \end{array}\right. }\end{aligned}

for $$1 \le i\le k$$. The remaining $$|\mathcal {D}|- 2k$$ “helping” cards are arranged in some canonical way (their arrangement does not depend on $$b$$). In this paper we assume that the helping $$\clubsuit$$s are to the left of the helping $$\heartsuit$$s.

• it terminates almost surely,

• for an execution starting with $$\varGamma ^b$$ for $$b\in \{0,1\}^k$$ the protocol ends with the action $$(\mathsf{{result}}, p_1, p_2)$$, such that

\begin{aligned}\mathsf{atom}\,{(\beta _{p_1}, \beta _{p_2})} = {\left\{ \begin{array}{ll} (\heartsuit , \clubsuit ), &{}\text {if } f(b) = 1,\\ (\clubsuit , \heartsuit ), &{}\text {otherwise,} \end{array}\right. }\end{aligned}

where $$\varGamma =(\beta _1, \ldots , \beta _{|\mathcal {D}|})$$ is the final sequence.

### Example 1

Let us describe, as an example, the Las Vegas five-card AND protocol of Hawthorne, and Lee [CHL13]. Here, the deck is $$\mathcal {D}= [\heartsuit , \heartsuit , \clubsuit , \clubsuit , \clubsuit ]$$ and the set of inputs is given by $$U=\{\varGamma ^{11}, \varGamma ^{10}, \varGamma ^{01}, \varGamma ^{00}\}$$, where $$\varGamma ^{11} = (\frac{\mathord {?}}{\heartsuit }, \frac{\mathord {?}}{\clubsuit }, \frac{\mathord {?}}{\heartsuit }, \frac{\mathord {?}}{\clubsuit }, \frac{\mathord {?}}{\clubsuit })$$, $$\varGamma ^{10} = (\frac{\mathord {?}}{\heartsuit }, \frac{\mathord {?}}{\clubsuit }, \frac{\mathord {?}}{\clubsuit }, \frac{\mathord {?}}{\heartsuit }, \frac{\mathord {?}}{\clubsuit })$$, $$\varGamma ^{01} = (\frac{\mathord {?}}{\clubsuit }, \frac{\mathord {?}}{\heartsuit }, \frac{\mathord {?}}{\heartsuit }, \frac{\mathord {?}}{\clubsuit }, \frac{\mathord {?}}{\clubsuit })$$, and $$\varGamma ^{00} = (\frac{\mathord {?}}{\clubsuit }, \frac{\mathord {?}}{\heartsuit }, \frac{\mathord {?}}{\clubsuit }, \frac{\mathord {?}}{\heartsuit }, \frac{\mathord {?}}{\clubsuit })$$. The protocol $$\mathcal {P} = (\mathcal {D}, U, \{q_0, q_1, q_2, q_3, q_{ f }\}, A)$$ is then described by $$A$$ as follows:

1. 1.

$$A(q_0, v) = (q_1, (\mathsf{{perm}}, (2\;3\;4\;5)))$$, i.e., insert the helping card at position 2.Footnote 3

2. 2.

$$A(q_1, v) = (q_2, (\mathsf{{shuffle}}, \varPi ))$$, where $$\varPi = \{{\mathsf{{id}}}, (1\;4\;2\;5\;3)\}$$.

3. 3.

$$A(q_2, v) = (q_3, (\mathsf{{turn}}, \{1\}))$$, i.e., turn the first card.

4. 4.

$$A(q_3, v) = {\left\{ \begin{array}{ll} (q_ f , (\mathsf{{result}}, 2, 3)), &{} \text {if } v[1] = \clubsuit ,\\ (q_0, (\mathsf{{restart}})), &{} \text {otherwise.} \end{array}\right. }$$

Here, $$v$$ denotes the current visible sequence in each step. Note that there is no obvious way to implement the shuffle in step 2 efficiently, as it is non-closed. See Sect. 8 for discussion.

### Definition 2

(secure, committed format). Let $$\mathcal {P} = (\mathcal {D},U,Q,A)$$ be a protocol. Let $$\varGamma _0$$ be a random variable with values in the set of input sequences U and a distribution $$\mathcal {M}$$ on $$U$$. Let V be a random variable for the visible sequence trace of the protocol execution.

$$\mathcal {P}$$ is secure or private if $$\varGamma _0$$ and V are stochastically independent.

Moreover, let $$R$$ be a random variable that encodes the output of the protocol. Then $$\mathcal {P}$$ is said to be in committed format, if $$\mathsf{atom}\,(R)$$ and $$V$$ are stochastically independent. (In particular, this implies that an index occurring in the $$\mathsf{{result}}$$ action points to a face-down card, unless this part of the output is constant.)

From this definition it is apparent that if there is a functional dependency between the inputs and the output, then security implies committed format. Note that it is stronger than other security definitions in the literature that were defined to also capture non-committed format protocols, such as the five-card trick of [B89].

When the input is provided by players, each of them have a partial knowledge on $$\varGamma _0$$. The definition then implies that, even given this partial knowledge, $$\varGamma _0$$ and $$V$$ are still independent. Therefore the players cannot learn anything about the inputs of the other players, as the result is not part of $$V$$.

## 3 A Calculus of States

From a specification of a protocol it is not immediately obvious whether it is correct and private. We describe a new method to obtain a rich description of possible protocol runs, from which correctness and privacy can be more easily recognized. We use this method in later sections to describe our constructions and prove the impossibility of finite-runtime four-card AND in Sect. 6. We believe this method is of general interest for researchers in the field of card-based cryptography.

When describing all possible executions of a protocol we obtain a tree which branches when the visible sequence differs. The nodes of this tree correspond to the visible sequence traces that can occur during the run of the protocol. Each node has an action associated to it, namely the action that the protocol prescribes for that situation. In the following, this action is a label on the outgoing edges.

Take for instance the six-card AND protocol of [MS09], as shown in Fig. 1. We hope that it will soon become clear why the protocol works.

Until the fourth step (the turn step) there is no observable difference, i.e., all visible sequences contain only ‘$$\mathord {?}$$’. After the turn, there are two types of executions that can be distinguished by players. If security was violated, i.e., players can deduce information about the input, then this is because some inputs are more likely to lead to a specific visible sequence than other inputs.

While the actual sequence on the table and the actual input of the players is typically unknown, knowledge about the former implies knowledge about the latter and vice versa. To facilitate the privacy analysis, we annotate the nodes of the tree with this dependent knowledge. A state in our sense captures the probability distribution of atomic sequences conditioned on the input sequence.

### Definition 3

Let $$\mathcal {P}$$ be a secure protocol computing $$f:\{0,1\}^k \rightarrow \{0,1\}$$ and $$V$$ be a visible sequence trace of $$\mathcal {P}$$. The state S of $$\mathcal {P}$$ belonging to $$V$$ is the map $$S:{\mathsf{{AtSeq}}}^{} \rightarrow \mathbb {X}_k$$, with $$s \mapsto \Pr [s|V]$$, where:

• $$\mathbb {X}_k$$ denotes the polynomials over the variables $$X_b$$ for $$b \in \{0,1\}^k$$ of the form $$\sum _{b \in \{0,1\}^k} \beta _b X_b$$, for $$\beta _b\in [0, 1] \subseteq \mathbb {R}$$. We interpret these polynomials as probabilities which depend on the probabilities of the inputs $$b$$, symbolized by the variables $$X_b$$ for $$b \in \{0,1\}^k$$.

• for $$s\in {\mathsf{{AtSeq}}}^{}$$, $$\Pr [s|V]$$ denotes the (symbolic) probability that the current atomic sequence is $$s$$ given that current visible sequence trace is $$V$$. (It will later be apparent that the probability $$\Pr [s|V]$$ is indeed in $$\mathbb {X}_k$$.)

We say a state S contains an atomic sequence s (or s is in S for short) if S(s) is not the zero polynomial. For $$k\ge 2$$, we introduce the additional shorthands $$X_0 :=\sum _{f(b) = 0} X_b$$ and $$X_1 :=\sum _{f(b) = 1} X_b$$.

Let $$S$$ be a state. Given a probability distribution $$\mathcal M$$ on the inputs, then substituting each variable $$X_b$$ with the probability of the input b, yields a probability distribution on the atomic sequences in $$S$$. In particular, if s is an atomic sequence in S and S(s) the corresponding polynomial, substituting 1 for the variable $$X_b$$ and 0 for the other variables in S(s), yields the probability that s is the current atomic sequence, given the input b and any information observed so far. Accordingly, we can use our notions to analyze player knowledge in multiparty computations where an agent has partial information about the input.

As an illustration of our method, consider the states of the six-card AND protocol from above, see Fig. 2 on page 10, where states are represented by a box with atomic sequences on the left and the associated polynomials on the right. In such a $$2$$-ary protocol, a state maps each atomic sequence to a polynomial of the form $$\beta _{11}X_{11} + \beta _{10}X_{10} + \beta _{01}X_{01} + \beta _{00}X_{00}$$, where $$\beta _{11}, \beta _{10}, \beta _{01}, \beta _{00} \in [0,1]$$.

• In the start state, each input $$b \in \{00,01,10,11\}$$ is associated with a unique input sequence $$\varGamma ^{b} \in U$$, which, by our conventions in Definition 1, are $$\varGamma ^{11} = (\heartsuit ,\clubsuit ,\heartsuit ,\clubsuit ,\clubsuit ,\heartsuit )$$, $$\varGamma ^{10} = (\heartsuit ,\clubsuit ,\clubsuit ,\heartsuit ,\clubsuit ,\heartsuit )$$, $$\varGamma ^{01} = (\clubsuit ,\heartsuit ,\heartsuit ,\clubsuit ,\clubsuit ,\heartsuit )$$ and $$\varGamma ^{00} = (\clubsuit ,\heartsuit ,\clubsuit ,\heartsuit ,\clubsuit ,\heartsuit )$$. The probability of $$\mathsf{atom}\,(\varGamma ^{b})$$ being the current atomic sequence is therefore exactly $$X_b$$, i.e., the probability that b is the input. The remaining $$\left( {\begin{array}{c}6\\ 3\end{array}}\right) - 4$$ atomic sequences are mapped to zero and omitted in the presentation.

• The first (and third) action is a permutation. Mathematically, nothing interesting happens here: If an atomic sequence $$s$$ had its probability captured by S(s), then after permuting with a permutation $$\pi$$, these probabilities are then assigned to the atomic sequence $$\pi (s)$$.

• The shuffle introduces uncertainty. Consider for instance the case that the input was “10”. Then, before the shuffle, we must have had the atomic sequence $$s = (\heartsuit ,\clubsuit ,\heartsuit ,\clubsuit ,\clubsuit ,\heartsuit )$$. It was either permuted by $${\mathsf{{id}}}$$ or by $$\pi = (1\;4)(2\;5)(3\;6)$$, yielding either s itself or $$s'=(\clubsuit ,\clubsuit ,\heartsuit ,\heartsuit ,\clubsuit ,\heartsuit )$$, both with probability . This explains the coefficients of $$X_{10}$$ in the polynomials for s and $$s'$$.

• The turn step can yield two possible visible sequences: $$(\heartsuit ,\clubsuit ,?,?,?,?)$$ and $$(\clubsuit ,\heartsuit ,?,?,?,?)$$. Crucially, the probability of observing $$(\clubsuit ,\heartsuit ,?,?,?,?)$$ is the same for each possible input, so no information about the actual sequence is leaked: If $$(\clubsuit ,\heartsuit ,?,?,?,?)$$ would be observed slightly more frequently for, say, the input “01” than for the input “10”, then observing $$(\clubsuit ,\heartsuit ,?,?,?,?)$$ would be weak evidence that the input was “01”. In the case at hand, however, the probability for the right branch is for each input, as the sum of the polynomials of the atomic sequences branching right is .

After the turn our knowledge has changed, for instance, if we have observed $$(\heartsuit ,\clubsuit ,?,?,?,?)$$ and know that the input was “11” then we know beyond doubt that the atomic sequence must then be $$(\heartsuit ,\clubsuit ,\heartsuit ,\clubsuit ,\clubsuit ,\heartsuit )$$, explaining the coefficient 1 of $$X_{11}$$.

• The output given by the $$\mathsf{{result}}$$ actions is correct: For all polynomials containing $$X_{11}$$ with non-zero coefficient, the corresponding atomic sequence has $$(\heartsuit ,\clubsuit )$$ at the specified positions and for all polynomials containing one of the other variables with non-zero coefficient, the corresponding atomic sequence has $$(\clubsuit ,\heartsuit )$$ there.

Note that “mixed” polynomials with non-zero coefficients of both types cannot occur in a final state of a protocol.

Derivation Rules for States. To compute the states we first identify the start state and then specify how subsequent states arise from a given state when performing an action. The rules of our calculus can also be seen as an inductive proof that our definition of a state is sound in secure protocols, as the probabilities are in $$\mathbb {X}_k$$ as claimed.

The start state $$S_0$$ with initial visible sequence trace $$V_0$$ contains exactly the input sequences in $$U$$. Each $${\varGamma }_b \in U$$ of input $$b\in \{0,1\}^k$$ is mapped to the probability $$\Pr [\mathsf{atom}\,({\varGamma }_b)|V_0] = X_b$$.

An action $$\mathsf{{act}}\in \mathsf{{Action}}$$ on a state $$S$$ belonging to a visible sequence trace $$V$$ can result in visible sequences $$v_1, \ldots , v_n$$. In the following, we state the rules for the derivation of these subsequent states $$S_1, \ldots , S_n$$ belonging to the extended visible sequences traces $$V\mathop {\Vert }v_i$$, obtained by appending the new visible sequence $$v_i$$ to the trace, for $$1\le i\le n$$. We restrict the presentation to shuffle and randomized flip operations, as the permutation and turn operations are special cases. For an illustration, we refer to Fig. 3.

Shuffle Action. Let $$\mathsf{{act}} = (\mathsf{{shuffle}}, \varPi , \mathcal {F})$$. If all cards are face-down before the shuffle, $$\mathsf{{act}}$$ can result in only one visible sequence, but in general let $$\varPi _v$$ be the subset of $$\varPi$$ that leads to some visible sequence $$v$$ with corresponding state $$S'$$. If $$\mathcal {F}_{|v}$$ denotes the probability distribution on $$\varPi _v$$ conditioned on the fact that $$v$$ is observed, we have that

\begin{aligned}S'(s) = \sum _{\pi \in \varPi _v}\mathcal {F}_{|v}(\pi )\cdot S(\pi ^{-1}(s)).\end{aligned}

In other words, the probability for the atomic sequence s in the new state $$S'$$ is obtained by considering all atomic sequences $$\pi ^{-1}(s)$$ from which s may have originated through some $$\pi \in \varPi _v$$ and summing the probability of those atomic sequences in the old state, weighted with the probabilities that the corresponding $$\pi$$ is chosen.

Randomized Flip Action. Let $$\mathsf{{act}} = (\mathsf{{rflip}}, \varPhi , \mathcal {G})$$. Consider the state $$S'$$ belonging to the visible sequence trace $$V' :=V\mathop {\Vert }v$$ for the new visible sequence $$v$$, resulting from a flip of some turn set $$T \in \varPhi$$. We say that v is compatible with an atomic sequence s from S if v and s agree in all positions that are not ‘?’ in v. The set of all atomic sequences compatible with v is denoted by $$C_v$$.

Let $$P_v := \sum _{s \in C_v} S(s)$$. This polynomial represents the probability of observing v if T is turned in state S. Let $$\beta _b$$ be the coefficients of $$P_v$$, i.e., $$P_v = \sum _{b \in \{0,1\}^k}\beta _b X_b$$. If the coefficients differ, i.e., $$\beta _{b_1} \ne \beta _{b_2}$$ for two inputs $$b_1$$ and $$b_2$$, then the probability of observing v when turning T in state S depends on the input. This must not be the case in secure protocols where visible sequences and inputs are independent.

In secure protocols, we therefore know that

\begin{aligned} P_v = \sum _{{b \in \{0,1\}^k}}{\!\!\!\!\!}\beta _vX_b = \beta _v{\!\!\!\!\!}\sum _{{b \in \{0,1\}^k}}X_b, \end{aligned}

for some $$\beta _v \in \mathbb {R}$$. In our interpretation as probabilities, we have $$\sum _{b \in \{0,1\}^k} X_b = 1$$, i.e., the sum over all input probabilities is $$1$$. From this, we obtain $$P_v = \beta _v$$.

Then, using Bayes’ formula yields

\begin{aligned} S'(s)&= \Pr [s|V'] = \Pr [s|(V\mathop {\Vert }v)] = \Pr [v|V, s]\cdot \frac{\Pr [s|V]}{\Pr [v|V]}\\&= \Pr [v|V, s]\cdot \frac{S(s)}{P_v} = {\left\{ \begin{array}{ll} S(s)/\beta _v, &{} \text { if } s \in C_v,\\ 0, &{} \text{ otherwise, } \end{array}\right. } \end{aligned}

where $$\Pr [v|V, s]$$ denotes the probability that $$v$$ occurs, given that the visible sequence trace is $$V$$ and the actual atomic sequence is $$s$$, and $$\Pr [v|V]$$ denotes the probability that $$v$$ occurs, given that the visible sequence trace is $$V$$. Note that the actual atomic sequence $$s$$ determines the visible sequence of the turn action, so $$\Pr [v|V, s]$$ is either $$0$$ or $$1$$.

Checking Correctness and Security. Since we keep track of the set of possible atomic sequences for any state of the protocol, we can decide for any $$\mathsf{{result}}$$ action whether it yields the correct output in all cases.

To check privacy, first note that shuffle actions never reveal new critical information: When shuffling with face-up cards, the shuffle may reveal information about which permutation was used to shuffle, but this information is a fresh random variable independent of all previous information. Considering turns or randomized flips, we already identified the condition before: A turn does not violate privacy if for every visible sequence v that may result from the turn, the set $$C_v$$ of atomic sequences that are compatible with v must fulfill $$\sum _{s\in C_v} S(s) = \beta _v\in [0,1]$$ since this exactly means that the probability to observe a visible sequence does not depend on the inputs. As this was a precondition for the derivation rule of randomized flips, being able to construct a diagram by the rules above is a witness to the security of the protocol. (In this sense, Fig. 2 is an alternative proof for the security of the six-card AND protocol of [MS09].)

Las Vegas vs Finite-Runtime. In our formalism, the states of a finite-runtime protocol form a finite tree without restart actions. A Las Vegas protocol, in contrast, makes use of restart actions, or its states form a cyclic or infinite diagram.

## 4 A Four-Card Las Vegas AND Protocol

We present a secure protocol to compute AND on two bits in committed format and without restarts. An algorithmic description is given in Protocol 1 and a representation in the state calculus of Sect. 3, from which correctness and privacy can be deduced, is given in Fig. 4.

Note that the state diagram contains a cycle, i.e., it is possible to return to a state that was encountered before. This implies that the protocol is not finite-runtime. However, on the cycle there are two turn operations each of which have a chance of to yield a final state and therefore leave the cycle. The probability to return to a state on the cycle is therefore $$(\frac{2}{3})^2 = \frac{4}{9}$$ and the probability to take the cycle k times is $$(\frac{4}{9})^k$$. The expected number of times the cycle is taken is therefore $$\sum _{k \ge 0} (\frac{4}{9})^k = (1-\frac{4}{9})^{-1} = \frac{9}{5}$$. In particular, the expected runtime of the protocol is bounded. We summarize our result in the following theorem.

### Theorem 1

There is a secure Las Vegas protocol to compute AND on two bits in committed format and without restarts.

In contrast to the protocol for general boolean functions presented in Sect. 7 the shuffle operations are “closed”, a circumstance we discuss more closely in Sect. 8.

## 5 A Five-Card Finite-Runtime AND Protocol

In the presentation of our five-card finite-runtime AND protocol in committed format, we reuse part of our four-card protocol from Sect. 4. We just have to show that we can “break out” of the cycle of the four card protocol by using the fifth card. This yields a finite-runtime protocol with at most 12 steps in every execution. Here, the fifth card is chosen to have symbol $$\heartsuit$$.

An algorithmic description is given in Protocol 2 and a representation of the crucial component in the state calculus of Sect. 3, from which correctness and privacy can be deduced, is given in Fig. 5. We summarize our result in the following theorem.

### Theorem 2

There is a secure five-card finite-runtime protocol to compute AND on two bits in committed format.

## 6 Finite-Runtime AND Requires Five Cards

There are secure protocols with four cards computing AND in committed format using either the restart operation (see Sect. 7) or running in cycles for a number of iterations that is finite only in expectation (see Sect. 4). However, it would be nice to have a protocol that is finite-runtime, i.e., is guaranteed to terminate after a finite number of steps. In the following we show that this is impossible.

To this end, we distinguish several different types of states and later analyze which state transitions are possible. We need the following definitions and observations only for the deck $$\mathcal {D}= [\heartsuit ,\heartsuit ,\clubsuit ,\clubsuit ]$$, but choose to state some of them in a more general form to better convey the underlying ideas.

### Definition 4

Let $$\mathcal {P}$$ be a protocol with deck $$\mathcal {D}$$ computing a boolean function $$f$$. Let $$s$$ be an atomic sequence, $$S$$ a state of $$\mathcal {P}$$ and $$P=S(s)$$ the polynomial representing the probability of $$s$$ in $$S$$.

1. 1.

If $$P$$ contains only variables $$X_{b}$$ with $$f(b)=1$$ or $$f(b) = 0$$, then $$s$$ is called a $$1$$-sequence or $$0$$-sequence, respectively.

2. 2.

If $$P$$ contains variables of both types, then $$s$$ is called a $$\bot \text {-}$$ sequence.

3. 3.

We say that $$S$$ is of type $$i/j$$, or an i / j-state, if its number of $$0$$-sequences and $$1$$-sequences is $$i$$ and $$j$$, respectively, and it does not contain any $$\bot \text {-}$$sequences.

4. 4.

We call a state $$S$$ final if it does not contain a $$\bot \text {-}$$sequence and there are indices $$m, n\in \{1, \ldots , |\mathcal {D}|\}$$, such that all $$1$$-sequences have $$\heartsuit$$ at position $$m$$, all $$0$$-sequences have $$\clubsuit$$ at position $$m$$, and the other way round at position $$n$$. In that case $$(\mathsf{{result}},m,n)$$ is a correct output operation.

Note that a protocol that produces a $$\bot \text {-}$$sequence cannot be finite-runtime: once the $$\bot \text {-}$$sequence is lying on the table, it is impossible to decide whether the output should be 0 or 1. Thus, any protocol that proceeds to output something without restarting in between produces an incorrect result with positive probability; and any protocol that may use a restart, may take this execution path an unbounded number of times.

Since we are interested in the existence of finite-runtime protocols, we restrict our attention to protocols that never produce $$\bot \text {-}$$sequences. We now bundle a few simple properties about i / j-states in the following lemma.

### Lemma 1

Given a secure protocol computing a non-constant boolean function with deck $$\mathcal {D}$$, consisting of $$n$$ $$\heartsuit$$s and $$m$$ $$\clubsuit$$s where $$n,m \ge 1$$, the following holds.

1. 1.

In a state of type $$i/j$$, we have $$i, j \ge 1$$, otherwise players could derive the the result, contradicting the committed format property.

2. 2.

If a turn in a state $$S$$ of type $$i/j$$ can result in two different successor states $$S_1$$ and $$S_2$$ of type $$i_1/j_1$$ and $$i_2/j_2$$, respectively, then $$i=i_1+i_2$$ and $$j=j_1+j_2$$. In particular, $$i\ge 2$$ and $$j\ge 2$$.

3. 3.

In a state of type $$i/j$$ resulting from a turn that revealed a $$\heartsuit$$ or $$\clubsuit$$ we have $$i+j\le \left( {\begin{array}{c}n+m-1\\ n-1\end{array}}\right)$$ or $$i+j\le \left( {\begin{array}{c}n+m-1\\ m-1\end{array}}\right)$$, respectively.

4. 4.

Let $$S$$ be a state of type $$i/j$$ and $$S'$$ a state of type $$i'/j'$$ resulting from $$S$$ via a shuffle operation. Then we have $$i' \ge i$$, $$j' \ge j$$.

5. 5.

If $$S$$ is a final state of type $$i/j$$, then $$i,j\le \left( {\begin{array}{c}n+m-2\\ n-1\end{array}}\right)$$.

6. 6.

Two atomic sequences differ in an even number of positions, i.e., have even distance.

7. 7.

Given an atomic sequence $$s\in {\mathsf{{AtSeq}}}^{}$$, there are

\begin{aligned}\left( {\begin{array}{c}n\\ \frac{d}{2}\end{array}}\right) \left( {\begin{array}{c}m\\ \frac{d}{2}\end{array}}\right) \end{aligned}

atomic sequences of (even) distance $$d$$ to $$s$$.

8. 8.

Any two sequences have distance at most $$\min {\{2m,2n\}}$$.

9. 9.

After a single-card turn revealing $$\heartsuit$$ or $$\clubsuit$$, any two sequences of the state have distance at most $$2n - 2$$ or $$2m - 2$$, respectively.

### Theorem 3

There is no secure finite-runtime four-card AND protocol in committed format.

### Proof

Let P be a secure protocol computing $$AND$$ with four cards in committed format.

We will define a set of good states, denoted by $$\mathcal {G}$$, that contain all final states but not the starting state and show that any operation on a non-good state will produce at least one non-good state as a successor. From this it is then clear by induction that P is not finite-runtime.

A state S is good iff it fulfills one of the following properties:

• S is a $$1/1$$-state,

• S is a $$2/2$$-state,

• S is a $$1/2$$- or $$2/1$$-state containing two atomic sequences of distance 4.

We first observe which state types i / j can occur with our deck: Since there are $$6 = \left( {\begin{array}{c}4\\ 2\end{array}}\right)$$ atomic sequences in total, we need $$i+j \le 6$$. By Lemma 1, item 1, states with $$i=0$$ or $$j=0$$ cannot occur.

Final States are Good. From item 5 in Lemma 1 we know that final states fulfil $$i,j \le 2$$ so the only candidate for final states are 1 / 1, 2 / 2, 1 / 2 and 2 / 1. We need to show that they are good which is true by definition for 1 / 1 and 2 / 2. Consider a final $$1/2$$-state (the argument for the $$2/1$$-state is symmetric). Its $$0$$-sequence differs from both $$1$$-sequences in the two positions used for the output. Since the two $$1$$-sequences are distinct, at least one of them must differ from the $$0$$-sequence in another position, meaning they must have distance at least 3 and therefore distance 4 (item 6 in Lemma 1).

Therefore, all final sequences are good, but the start state, which is a $$3/1$$-state, is non-good. Consider an action $$\mathsf{{act}}\in \mathsf{{Action}}$$ that acts on a non-good state. We show that $$\mathsf{{act}}$$ has a non-good successor state by considering all cases for the type of $$\mathsf{{act}}$$:

Non-trivial Single-card Turns. Let $$S$$ be a non-good state of type $$i/j$$, and $$S_\heartsuit$$ and $$S_\clubsuit$$ the two possible states after a turn of a single card. From item 2 in Lemma 1, we know that $$S$$ has to be of type $$i/j$$, with $$i,j\ge 2$$, excluding the case of $$2/2$$, as $$S$$ is non-good. This leaves the following possible types for $$S$$: $$2/3$$, $$3/3$$, $$2/4$$ where we assume without loss of generality that $$i \le j$$. The turn partitions the sequences onto the two branches in one of the following ways:

From item 3 in Lemma 1, we know that a state resulting directly from a turn contains at most $$3$$ atomic sequences, thereby ruling out turn-transitions that lead to a 2 / 2- or $$1/3$$-state. Moreover, any $$2/1$$- or $$1/2$$-state occurring after a turn has the property that all atomic sequences have pairwise distance $$2$$ by item 9 in Lemma 1. By definition, such $$2/1$$-states are non-good. Note that a turn action on a $$2/3$$-state – while producing a good and even final $$1/1$$-state – produces a non-good $$1/2$$-state on the other branch.Footnote 4

Non-branching Shuffles. Now consider a shuffle that produces a unique subsequent state $$S'$$ of type $$i'/j'$$. We want to show that $$S'$$ is non-good. Using item 4 in Lemma 1 and the fact that a good $$S'$$ would require $$i',j' \le 2$$, we only need to consider the case that S is a non-good state with $$i,j\le 2$$, i.e., S is of type 1 / 2 or 2 / 1 with pairwise distance 2 – without loss of generality of type 1 / 2 and with a $$0$$-sequence $$s_0$$ and two $$1$$-sequences $$s_1$$ and $$s_1'$$. We argue that without loss of generality S is of the form

This is because

• S contains a constant column: Let k and l be the positions where $$s_0$$ differs from $$s_1$$, and m, n the positions where $$s_0$$ differs from $$s_1'$$. If $$\{k,l\}$$ and $$\{m,n\}$$ are disjoint, then $$s_1$$ and $$s_1'$$ have distance 4 – a contradiction. Otherwise $$\{k,l,m,n\}$$ has size at most 3 so there is one position where all atomic sequences agree.

• The constant column can be assumed to be in position 1 and to contain $$\heartsuit$$s. This completely determines the atomic sequences occurring in S. Our choice to pick the $$0$$-sequence is arbitrary, but inconsequential.

If all permutations in the shuffle map 1 to the same $$i \in \{1,2,3,4\}$$, then $$S'$$ will have a constant column in position i. Then $$S'$$ is still of type 1 / 2 with sequences of pairwise distance 2, so non-good. If there are two permutations in the shuffle that map 1 to different positions $$i \ne j$$, then $$S'$$ will contain all three atomic sequences with $$\heartsuit$$ in position i and all three atomic sequences with $$\heartsuit$$ in position j. There is only one atomic sequence with $$\heartsuit$$ in both positions. So $$S'$$ contains at least $$3 + 3 - 1 = 5$$ atomic sequences and is therefore non-good.

Other Actions. The hard work is done, but for completeness, we need to consider the remaining actions as well:

Restart. :

This action is not allowed in our finite-runtime setting.

Result. :

Since non-good states are non-final this action cannot be applied.

Permutation. :

This is just a special case of a non-branching shuffle.

Trivial turn. :

If $$\mathsf{{act}}$$ is a turn operation that can only result in a single visible sequence (the turn is trivial), then the outcome of the turn was known in advance and the state does not change.

Multi-card turn. :

If $$\mathsf{{act}}$$ turns more than one card, then $$\mathsf{{act}}$$ can be decomposed into single-card turn actions, turning the cards one after the other. We already know that a single-card turn from a non-good state yields a non-good subsequent state, so following a “trail” of non-good states shows $$\mathsf{{act}}$$ produces a non-good state as well.

Randomized flip. :

If $$\mathsf{{act}}$$ is a randomized flip then consider any turn set T that $$\mathsf{{act}}$$ might be picked. We already know that turning T yields a non-good subsequent state and this is also a subsequent state of $$\mathsf{{act}}$$.

Branching shuffle. :

If $$\mathsf{{act}}$$ is a shuffle that produces several subsequent states (this requires shuffling with a face-up card), then restricting the set of allowed permutations to those corresponding to one of the visible sequences yields an ordinary shuffle that therefore yields a single subsequent non-good state. This state is also a subsequent state of $$\mathsf{{act}}$$.

This concludes the proof.    $$\square$$

## 7 A 2k-Card Protocol for any k-ary Boolean Function

The following protocol will compute a k-ary boolean function with 2k cards and success probability $$2^{-k}$$ in three steps: One shuffle, one turn and one result or restart action. The “hard work” is done in an “irregularly complex” shuffle operation, which may pose practical problems we expand upon in Sect. 8.

### Theorem 4

For any boolean function $$f:\{0,1\}^k \rightarrow \{0,1\}$$ there is a secure Las Vegas protocol in committed format using 2k cards. The expected number of $$\mathsf{{restart}}$$ actions in a run is $$2^k - 1$$.

### Proof

Note first that all unary boolean functions can easily be implemented: The identity and not-function is simple (just output the input or the inversed input) and for the constant functions we may shuffle the two cards (to obscure the input), then turn the cards over, arrange them to represent the constant and then return the positions of the corresponding cards, via $$\mathsf{{result}}$$.

We now assume $$k \ge 2$$. For each input $$b = (b_1, b_2, \ldots , b_k) \in \{0,1\}^k$$ we define the permutation:

\begin{aligned} \pi _b := (2\;3)^{1-f(b)}\circ (1\;2)^{b_1}(3\;4)^{b_2}\cdots (2k-1\;2k)^{b_k}.\end{aligned}

In other words, when applied to an input sequence, $$\pi _b$$ first swaps the i-th input bit for each i such that $$b_i = 1$$. Afterwards, it swaps the second and third card if $$f(b) = 0$$.

We can now describe the steps of our protocol:

1. 1.

$$(\mathsf{{shuffle}}, \{\pi _b:b \in \{0,1\}^k\})$$, i.e., pick $$b \in \{0,1\}^k$$ uniformly at random and permute the cards with $$\pi _b$$.

2. 2.

$$(\mathsf{{turn}},\{1,4,6,8,\ldots ,2k\})$$, i.e., turn over the first card and all cards with even indices except 2.

3. 3.

If the turn revealed $$\clubsuit$$ in position 1 and $$\heartsuit$$ everywhere else, i.e., the visible sequence is $$(\clubsuit ,\mathord {?},\mathord {?},\heartsuit ,\mathord {?},\heartsuit ,\ldots ,\mathord {?},\heartsuit )$$, then perform $$(\mathsf{{result}},2,3)$$. Otherwise, $$(\mathsf{{restart}})$$.

For a deeper understanding of what is actually going on, we suggest contemplating on Fig. 6 (which is, admittedly, somewhat intimidating), but correctness and privacy are surprisingly easy to show directly:

Correctness. Assume the input is $$b \in \{0,1\}^k$$ and a $$\mathsf{{result}}$$ action is performed. Then the visible sequence after the turn was $$(\clubsuit ,\mathord {?},\mathord {?},\heartsuit ,\mathord {?},\heartsuit ,\ldots ,\mathord {?},\heartsuit )$$. This means the permutation $$\pi$$ done by the shuffle must have first transformed the input sequence to $$(\clubsuit ,\heartsuit ,\clubsuit ,\heartsuit ,\clubsuit ,\heartsuit ,\ldots ,\clubsuit ,\heartsuit )$$ (before potentially flipping the cards in position 2 and 3). This can be interpreted as the sequence encoding only $$0$$s, therefore $$\pi$$ has flipped exactly the card pairs, where the input sequence had $$(\heartsuit ,\clubsuit )$$ encoding $$1$$. This implies $$\pi = \pi _b$$. From the definition of $$\pi _b$$ it is now clear that the output is $$(\heartsuit ,\clubsuit )$$ if $$f(b) = 1$$ and $$(\clubsuit ,\heartsuit )$$ if $$f(b) = 0$$.

Privacy. Let v be a visible sequence after the turn step. Consider an input sequence $${\varGamma }_b$$ belonging to the input $$b \in \{0,1\}^k$$. The probability that $${\varGamma }_b$$ yields the visible sequence v in the turn is exactly $$2^{-k}$$ since exactly one of the $$2^k$$ permutations in the shuffle action swaps the appropriate set of pairs of positions. This means the probability to observe v is $$2^{-k}$$ – and thus independent of the input sequence.

Runtime. The probability to observe $$(\clubsuit ,\mathord {?},\mathord {?},\heartsuit ,\ldots ,\mathord {?},\heartsuit )$$ in the turn step is $$2^{-k}$$, the probability to restart is therefore $$1 - 2^{-k}$$. This yields a runtime that is finite in expectation – of order $$O(2^k)$$.    $$\square$$

## 8 On the Implementation of Shuffle Operations

The shuffle used in the protocol in Sect. 7, while allowed in the formalism by [MS14a], is of questionable practicality: in general there is no obvious way to perform it in a real world situation with actual people and actual cards such that the players do not learn anything about the permutation that was done in the shuffle. In a weaker form this also applies to the protocols in Sects. 4 and 5.

Other shuffle operations, such as $$(\mathsf{{shuffle}}, \{{\mathsf{{id}}},(1\;2)\})$$ that either perform a swap or do nothing, both with probability $$\frac{1}{2}$$, are unproblematic to implement with two players Alice and Bob: first let Alice perform the shuffle while Bob is looking away and then have Bob perform the shuffle while Alice is looking away. Provided they do not tell each other what they did, to both of them the cards seem to be swapped with probability . Here, it is crucial that performing the swap twice yields the identity: one of the allowed permutations.

In general, a shuffle action $$\mathsf{{act}} = (\mathsf{{shuffle}},\varPi , \mathcal {F})$$ can be implemented in this way if $$\mathsf{{act}}$$ is closed, i.e., $$\varPi ^2 := \{ \pi _1 \circ \pi _2\mid \pi _1,\pi _2 \in \varPi \} = \varPi$$ and uniform, i.e., $$\mathcal {F}$$ is the uniform distribution on $$\varPi$$. Note that our protocols in Sects. 4, 5 and 7 use shuffles that are not uniform and/or not closed, see Tables 1 and 2. Therefore, it may be worthwhile to continue studying shuffles in several directions:

• Restrict the computational model to uniform closed shuffles and examine the properties of the new model.

• Replace the action $$\mathsf{{shuffle}}$$ of the computational model by an alternative action $$\mathsf{{playerPerm}}$$ executed by a single player, while other players are not allowed to look on the table. Here, $$(\mathsf{{playerPerm}}, p,\varPi ,\mathcal {F})$$ is like $$(\mathsf{{shuffle}}, \varPi , \mathcal {F})$$, with the difference that the executing player $$p$$ learns which permutation has been chosen. As argued above, this at least as powerful as allowing uniform closed shuffles.

• Search for a more clever way to implement shuffles with everyday objects.

• Weaken the honest-but-curious assumption and discuss implementations of shuffles with respect to, e.g., robustness against active attacks.

## 9 Conclusion

To summarize our results, we have extensively considered the question on tight lower bound on the number of cards for AND protocols, which has been open for several years. We believe that our answer to this question is satisfactory, as we do not only give two concrete AND protocols with different properties, we also show an impossibility result. Apart from the impossibility for perfect copy of a single card in [MS14a], we are the first to give such a type of result. This may be because of the sparsity of good ways to speak about card-based protocols. We believe to have overcome this problem by introducing an elegant “calculus of protocol states” in Sect. 3. Finally, we give a protocol for evaluating a $$k$$-ary boolean function with the theoretical minimum of cards, i.e., the $$2k$$ cards which are already necessary for encoding the input.

Open Problems. Our paper identifies a number of open problems in the field of card-based cryptographic protocols. This is, for example, how to implement non-closed or non-uniform shuffles and in consequence back up the current computational model with more evidence that its definition is rooted in reality. In the same way, we ask whether there is a finite-runtime five-card protocol using only closed and/or uniform shuffles.

The same set of questions which have been answered in Table 1 can also be asked for general boolean functions: What is the minimal number of cards for finite-runtime protocols with and without closed shuffles. Analogously, a tight lower bound on the number of cards in Las Vegas protocols using only uniform closed shuffles would be interesting.