Card-Based Cryptographic Logical Computations Using Private Operations

This paper proposes new card-based cryptographic protocols to calculate logic functions with the minimum number of cards using private operations under the semi-honest model. Though various card-based cryptographic protocols were shown, the minimum number of cards used in the protocol has not been achieved yet for many problems. Operations executed by a player where the other players cannot see are called private operations. Private operations have been introduced in some protocols to solve a particular problem or to input private values. However, the effectiveness of introducing private operations to the calculation of general logic functions has not been considered. This paper introduces three new private operations: private random bisection cuts, private reverse cuts, and private reveals. With these three new operations, we show that all of AND, XOR, and copy protocols are achieved with the minimum number of cards by simple three-round protocols. This paper then shows a protocol to calculate any logical functions using these private operations. Next, we consider protocols with malicious players.

Randomization or a private operation is the most important primitive in these card-based protocols. If every primitive executed in a card-based protocol is deterministic and public, the relationship between the private input values and output values is known to the players. When the output value is disclosed, the private input value can be known to the players from the relationship. Thus, all protocols need some random or private operation.
First, randomization primitives have been discussed and then recently, private operations are considered. Many protocols use random bisection cuts [27], which randomly execute swapping two decks of cards or not swapping. If the random value used in the randomization is disclosed, the secret input value is known to the players. There are two types of randomization: single-player randomization and multiple player randomization. For the single-player randomization, the player must not know the random value he selected. Ueda et al. [50] proposed several methods that can be done in front of people, but no one can know the random value. However, if a person privately brings a high-speed video camera, he might able to know the random value by analyzing the image. Currently, the size of high-speed video cameras is too large to privately bring without getting caught, but the size might become smaller in the near future. In the case, the randomization in a public place becomes difficult. By introducing additional cards, a random bisection cut can be executed using a random cut [50], which is a normal shuffle operation in playing cards. Koch and Walzer [13] proposed a protocol for a player to execute a private permutation that is unknown to the other players, but the player can prove that he really executed an allowed permutation. Pile-shifting scramble [34] was proposed that achieves non-uniform shuffles with some special tools. These protocols can be executed in a public place, but they need additional special cards or tools.
A simple solution to execute private randomization is multiple player randomization, in which some operations are executed in a hidden place. To execute a private random bisection cut, Alice executes a random bisection cut in a place where Bob cannot see (under the table, or in the back, etc). Then, Bob executes a random bisection cut in a place where Alice cannot see. The result is unknown to either player. Note that the number of players can be arbitrarily increased. To know the random value, a person needs to know all of the values the players used. Such an operation that is done where the other players cannot see is called a private operation. Therefore, we have a natural question: if we introduce some private operations other than the random bisection cut, can we have effective cardbased cryptographic protocols to calculate logical functions?
Private operations have been first introduced to solve millionaires' problem [29]. The private operations used in the papers are similar to the primitives proposed in this paper, but it is not clear that the primitives can be used for the other protocols. Then private operations were used to calculate logical functions [15,46]. These papers discussed a private operation that sets each player's private inputs. Though the number of cards used in these protocols is less than the ones in the conventional protocols, these protocols cannot be used for general cases when the players do not know the inputs, that is, the inputs are given as committed values. Protocols with committed inputs can also be used for the cases when each player knows his input values by setting his private inputs as committed values. Thus, protocols that accept committed inputs are desirable. Another desirable property is committed output. If the output is given as a committed value, a further private calculation can be done using the output value.
This paper considers card-based protocols with committed inputs and committed outputs using private operations under the semi-honest model. This paper introduces three private operations: private random bisection cuts, private reverse cuts, and private reveals. This paper shows protocols which execute AND, XOR, and copy with four cards, which is the minimum. We also show protocols that calculate any logical functions.
As for the number of cards used for copy protocols, six was the minimum for finite-runtime copy [27], as shown in Table 1. The protocol in [36] uses 5 cards, but the number of steps of the protocol is unbounded. It is proved to be impossible to achieve a copy with four cards by the conventional model without private operations [10]. In their model, each card sequence has a probability to occur. Using the probabilities, players are prohibited to open a card that reveals secret information. Such arguments lead to the impossibility results. On the other hand, if private operations are executed, one card sequence can have two different probabilities: the one Alice knows and the other one Bob knows. Bob is allowed to privately open a card that does not reveal secret information to Bob. The numbers of cards in committed-input, committed-output AND protocols are shown in Table 2. The protocol in [27] uses six cards. Though the protocol in [14] uses four cards, the protocol uses a non-uniform shuffle, which obtains one result by the probability of 1/3 and the other result by the probability of 2/3. Such a non-uniform shuffle is difficult to achieve without some special tools. Another four-card protocol with uniform shuffles [40] does not terminate within a finite time. It is proved to be impossible to achieve finite-runtime AND with four cards by the conventional model without private operations [10,12]. Our protocol uses four cards, which is the minimum, and it is easy to execute.
The number of cards in XOR protocols is shown in Table 3. Though the number of cards is the same in our protocol and [27], an input preserving (shown in Sect. 4.7) can be realized by our protocol without additional cards. This paper then shows several variants of the protocols to calculate any logic functions that includes side effects of the calculations, parallel computations, and preserving an input.
Then, Sect. 5 discusses protocols when a malicious player exists. Last, Sect. 6 shows protocols that use asymmetric cards.  An earlier version of this paper was presented and appeared as a conference paper [38]. The main difference is as follows. Execution examples are shown for the main protocols. This paper improved the discussion in Sect. 5. The detail of the cheat alert protocol is shown. The correctness proof of the protocol is newly written. In addition, a false alert prevention protocol is newly shown. Section 6 is a new section that proposes new protocols using asymmetric cards.

Preliminaries
This section gives the notation and basic definitions of card-based protocols. All Sections other than Section 6 are based on two type card model that is most commonly considered. In the model, there are two kinds of marks, and . Cards of the same marks cannot be distinguished. In addition, the back of both types of cards is . It is impossible to determine the mark in the back of a given card with .
One bit of data is represented by two cards as follows: and .
One pair of cards that represents one bit x ∈ {0, 1} , whose face is down, is called a commitment of x, and denoted as commit(x) . It is written as . Note that when these two cards are swapped, commit(x) can be obtained. Thus, NOT can be calculated without private operations. Linearly ordered cards are called a sequence of cards. A sequence of cards S whose length is n is denoted as S = s 1 , s 2 , … , s n , where s i is the i-th card of the sequence.
. A sequence whose length is even is called an even sequence. S 1 ||S 2 is a concatenation of sequence S 1 and S 2 . All protocols are executed by multiple players. In this paper except for Sect. 5, all players are semi-honest, that is, they obey the rule of the protocols, but try to obtain information x of commit(x) . There is no collusion among players executing one protocol together. No player wants any other player to obtain information on committed values.

Private Operations
We introduce three private operations: private random bisection cuts, private reverse cuts, and private reveals. Note that the protocols in this paper use the operation only when m = 1 and , the player's output , which is or .
Note that a private random bisection cut is the same as the random bisection cut [27], but the operation is executed in a hidden place.
Primitive 2 (Private reverse cut, Private reverse selection) A private reverse cut is the following operation on an even sequence S 2 = s 1 , s 2 , … , s 2m and a bit b ∈ {0, 1} that is given to the player. The player outputs The player executes this operation in a place where the other player cannot see. The player must not disclose the bit b to the other players.
The difference between the private random bisection cut is that b is not newly selected by the player.
When a player executes a private reverse cut on , the player outputs When a private reverse cut is executed using bit b to the sequence to which a private random bisection cut is executed using b, the private reverse cut can undo the private random bisection cut.
Note that in many protocols below, the left m cards are selected after a private reverse cut. The sequence of these two operations is called a private reverse selection. A private reverse selection is the following procedure on an even sequence S 2 = s 1 , s 2 , … , s 2m and the bit b ∈ {0, 1} , which is given to the player. The output Next, we define a private reveal.

Primitive 3 (Private reveal) A player privately opens a given committed bit. The player does not disclose the value to the other players.
Using the obtained value, the player privately sets a sequence of cards. Though the player seems to obtain a secret value by a private reveal, it is avoided by the following procedure. Alice executes a private random bisection cut to commit(x) . The result becomes to commit(x ⊕ b) . When Bob executes a private reveal to commit(x ⊕ b) , Bob has no information about x if b is randomly chosen and not disclosed by Alice. Bob must not disclose the obtained value. If Bob discloses the obtained value to Alice, Alice knows the value of the committed bit.
Card-based protocols are evaluated by the following criteria.
-The number of cards used in the protocol.
The time complexity of protocols in the model without private operations was discussed [20]. The number of rounds was considered as the time complexity of the protocol with private operations. The definition of rounds is as follows [39]. The first round is (possibly parallel) local executions by each player using the cards initially given to each player. The first round begins from the initial state. It ends at the instant when no further local execution is possible without receiving cards from another player. The local executions in each round include sending cards to some other players but do not include receiving cards. The i(> 1)-th round begins with receiving all the cards sent during the (i − 1)-th round. Each player executes local executions using the received cards and the cards left to the player at the end of the (i − 1)-th round. Each player executes until no further local execution is possible without receiving cards from another player. The number of rounds of a protocol is the maximum number of rounds necessary to output the result among all possible inputs and random values. Since each operation is relatively simple, the dominating time to execute protocols with private operations is the time to sending cards between players and setting up so that the cards are not seen by the other players. Thus the number of rounds is the criteria to evaluate the time complexity of cardbased protocols with private operations.

New Copy, AND, and XOR Protocols
Using the private random bisection cuts, private reveals, and private reverse cuts, cory protocol, AND protocol, and XOR protocol with committed inputs and committed outputs can be realized with the minimum number of cards. All of these protocols are executed between two players, Alice and Bob. In Sect. 5, the number of players is increased to improve security.

Alice executes a private random bisection cut on commit(x) . Let the output be
Bob executes a private reveal on commit(x � ) and obtains x ′ . Bob makes m copies of x ′ . Bob faces down these cards. Bob sends these cards, m copies of commit(x � ) , to Alice. 3. Alice executes a private reverse cut to each copy of commit(x � ) using the bit b Alice generated in the private random bisection cut. Alice outputs these copies.
The protocol requires three rounds. Bob's security: When Bob privately opens commit(x � ) , x � = x ⊕ b , thus Bob obtains no information about x if b is randomly selected and not disclosed.
The number of cards: In order to obtain m copies of a commitment, at least 2m cards are necessary. The protocol is executed with 2m cards, thus the number of cards is the minimum. ◻ Comparison of copy protocols(when m = 2 ) is shown in Table 1. This protocol is the first protocol that achieves the minimum number of cards.

AND Protocol
Logical AND can also be executed with the minimum number of cards.
1. Alice executes a private random bisection cut on commit(x) . Let the output be commit(x � ) . Alice sends commit(x � ) and commit(y) to Bob. 2. Bob executes a private reveal on commit(x � ). Bob sets and sends S 2 to Alice. 3. Alice executes a private reverse selection on S 2 using the bit b generated in the private random bisection cut. Let the obtained sequence be S 3 . Alice outputs S 3 .
Note that the two cards that were not selected by Alice at the last step of the protocol, must be discarded. Since the unused cards have some information on x and y, information about input values is leaked if the cards are opened. The protocol requires three rounds.

Example 2 (AND protocol)
Suppose that x = 0 and y = 1 . Input commit(x) = Since x ∧ y = 0 , the result is correct.

Theorem 2
The AND protocol is correct and secure. It uses the minimum number of cards.
Proof Correctness: The desired output can be represented as follows.
Alice and Bob's security: The same as the copy protocol. The number of cards: Any committed-input protocol needs at least four cards to input commit(x) and commit(y) . When Bob sets S 2 , the cards used for commit(x � ) can be used to set commit(0) . Thus, the total number of cards is four and the minimum. ◻ A careful discussion is necessary when a player knows the value x of given commit(x) , for example, x is the player's private input value.
First, consider the case when Bob knows x. When Bob executes a private reveal on commit(x ⊕ b) , Bob knows the bit b Alice selected. This scenario is not a security problem. Bob knows b, thus he knows whether the final output is commit(0) or commit(y) in advance. However, since it is not new information for Bob who already knows x.
Next, consider the case when Alice knows x. Alice knows x � = x ⊕ b . Thus, Alice knows whether the final output is commit(0) or commit(y) in advance, but it is not new information for Alice.
A comparison of AND protocols is shown in Table 2. Though Koch et al. [14] showed a finite step protocol with the minimum number of cards, their protocol must use a non-uniform shuffle, which is not easy to realize.

Alice executes a private random bisection cut on commit(x) . Let the output be
commit(x � ). Alice sends commit(x � ) and commit(y) to Bob. 2. Bob executes a private reveal on commit(x � ) . Bob sets and sends S 2 to Alice. Note that commit(ȳ) can be obtained by swapping the two cards of commit(y). 3. Alice executes a private reverse cut on S 2 using the bit b generated in the private random bisection cut. Let the obtained sequence be S 3 . Alice outputs S 3 .
The protocol requires three rounds. . Since x ⊕ y = 1 , the result is correct.

Theorem 3 The XOR protocol is correct and secure. It uses the minimum number of cards.
Proof Correctness: The desired output can be represented as follows.
Alice and Bob's security: The same as the copy protocol. The number of cards: At least four cards are necessary for any protocol to input commit(x) and commit(y) . This protocol uses no additional cards other than the input cards. ◻ Table 3. Though the minimum number of cards is already realized by [27]. an input preserving (shown in Sect. 4.7) can be realized without additional cards.

Any Logical Functions
Though this paper shows AND and XOR, any two-variable logical functions can also be calculated by a similar protocol.

Theorem 4 Any two-variable logical function can be securely calculated in three rounds and four cards.
Proof Any two-variable logical function f(x, y) can be written as  (1, 1)) means that f (x, y) = 0 (or f (x, y) = 1 ), thus we do not need to calculate f. (f (1, y), f (0, y)) = (1, 0) (or (0, 1)) means the f (x, y) = x (or f (x, y) =x ), thus we do not need to calculate f by a two player protocol.
Next, consider the case when both of (f(1, y), f(0, y)) are y (or ȳ ). This case is when f (x, y) = y (or f (x, y) =ȳ ), thus we do not need to calculate f by a two player protocol.
The next case is when (1, y), f (0, y)) = (y,ȳ) is x ⊕ y , thus this function can be calculated as follows: execute the XOR protocol and NOT is taken to the output. Thus, this function can also be calculated.
The remaining case is when one of (f(1, y), f(0, y)) is y or ȳ and the other is 0 or 1. We modify the second step of AND protocol, so that Bob sets using one commit(y) and the two cards used for commit(x � ) . Then, Alice obtains commit(f (1, y)) if x = 1 and commit(f (0, y)) if x = 0 by the private reverse selection.
Thus, any two-variable logical function can be calculated. ◻ In [27] without private operations, two additional cards are required to calculate any two-variable logical function.

Parallel Computations
The above two-variable logical function calculations can be executed in parallel. Consider the case when commit(x) and commit(y i )(i = 1, 2, … , n) are given and commit(f i (x, y i ))(i = 1, 2, … , n) need to be calculated. They can be executed in parallel. Alice executes a private random bisection cut on commit(x) and sends commit(x � ) and commit(y i )(i = 1, 2, … , n) to Bob. Bob sets S i 2 (i = 1, 2, … , n) using x ′ , commit(y i ) , and f i . Alice executes a private reverse cut or a private reverse selection on each of S i 2 (i = 1, 2, … , n) using the bit b selected at the private random bisection cut. By the procedure, commit(f i (x, y i ))(i = 1, 2, … , n) are simultaneously obtained.

Side Effects
When we execute the AND protocol, two cards are selected by Alice at the final step. The remaining two cards are not used, but they also output some values. The unused two cards' value is thus the output is commit(x ∧ y) . The cards can be used as a side effect just like the six-card AND protocol in [27].
Generally, for a function f that is calculated by AND type protocol shown in Theorem 4, the side-effect output is commit(

Preserving An Input
In the above protocols to calculate logical functions, the input commitment values are lost. If an input is not lost, the input commitment can be used as an input to another calculation. Thus, the input preserving calculation is discussed [31].
In the XOR protocol, commit(x � ) is no more necessary after Bob sets S 2 . Thus, Bob can send back commit(x � ) to Alice when Bob sends S 2 . Then, Alice can recover commit(x) using the private reverse cut. In this modified protocol, the output is commit(x ⊕ y) and commit(x) without additional cards or rounds.
As for the AND type protocol in Theorem 4, commit(x � ) can be sent back to Alice and Alice can recover commit(x) . This modified protocol needs six cards in total.
An input preserving calculation without increasing the number of cards can be executed for AND type protocols just like [31], which recovers commit(y) . Note that the function f satisfies that one of (f(0, y), f(1, y)) is y or ȳ and the other is 0 or 1. Otherwise, we do not need to calculate f by the AND type two player protocol. At the end of the protocol, the side-effect output is x ∧ f (1, y) ⊕ x ∧ f (0, y) . The output f(x, y) can be represented as x ∧ f (1, y) ⊕x ∧ f (0, y) . Execute the above input preserving XOR protocol for these two output values so that f(x, y) is recovered. The output of XOR protocol is Since one of (f (0, y), f(1, y)) is y or ȳ and the other is 0 or 1, the output is y or ȳ (depending on f). Thus, input y can be recovered without additional cards. Thus, preserving an input can be realized by 4 cards, which is the minimum. A comparison of input preserving AND type protocols is shown in Table 4.

n-Variable Logical Functions
Since any 2-variable logical function, x , and copy can be executed, any n-variable logical function can be calculated by the combination of the above protocols.
Using the technique in [31] and above input preserving logical function calculations, any n-variable logical function can be calculated with 2n + 4 cards as follows.
Any logical function f (x 1 , x 2 , … , x n ) can be represented as follows: Since the terms with f (i 1 , i 2 , … , i n ) = 0 can be removed, this function f can be written as The number of terms k(< 2 n ) depends on f. (1)) Input: commit(x i )(i = 1, 2, … , n).

1.
Copy v i 1 from the input x 1 to p 2 . 2. For j = 2, … , n, execute the following procedure: Apply the input-preserving AND protocol to p 2 and input x j (If AND is taken between x j , first execute NOT to the input, then apply the AND protocol, and return the input to x j again.) At the end of this step, T i is obtained at p 2 . 3. If i = 1, move p 2 to p 1 . If i > 1, apply the XOR protocol between p 1 and p 2 . The result is stored to p 1 .
At the end of the protocol, f (x 1 , The number of additional cards in [31] is six. Thus our protocol reduces the number of cards. The number of rounds is O(2 n ).
As another implementation with a larger number of cards, we show that any n-variable logical function can be calculated by the following protocol, whose technique is similar to the one in [15]. Let f be any n-variable logical function.
, the output is correct. The security is the same as the copy protocol. The protocol requires three rounds. The number of cards is 2 n+1 .
Note that in the model without private operations, a new protocol to calculate any logical functions using garbled circuits was proposed [44].

Improving Security
Although this paper assumes all players are semi-honest, some players might be malicious in real cases. In the model without private operations, analysis of mistakes [23] and prevention of revealing attacks [49] were considered. In the model with private operations, it is very hard to prevent malicious actions during a player executes a private operation. One countermeasure to deal with a malicious player is setting one watch person to each player.
The watch person for Alice watches the execution by Alice and verifies that (1) Alice does not open the cards, (2) Alice really uses a random number generator (for example, coin-flipping) to select her random bit, (3) Alice honestly executes a private random bisection cut using the random bit, and (4) Alice honestly executes a private reverse cut or private reverse selection using the bit generated in (2).
The watch person for Bob watches the execution by Bob and verifies that (1) Bob does not open the cards that are not allowed and (2) Bob honestly generates the committed cards using the value Bob privately opened.
Note that the watch persons must not disclose the values they watch. When the number of players is more than two, each player can simultaneously act as a player and a watch person. Let us consider the case with three players, Alice, Bob, and Carol. Bob acts as a watch person for Alice. Carol acts as a watch person for Bob. Alice acts as a watch person for Carol. All the players are in one room. One player goes out of the room for a while and does not watch the execution during the period.
Protocol 6 (Cheat alert AND protocol) Input: commit(x) and commit(y). Output: commit(x ∧ y) .  By these verifications, the players can understand that the protocol is correctly executed if there is no alert.
About the security, Alice knows b 1 and x ⊕ b 1 ⊕ b 2 . Bob knows b 1 and b 2 . Carol knows b 2 and x ⊕ b 1 ⊕ b 2 . Thus, every player has no knowledge about x if no collusion exists.
The correctness of the protocol: the same as the AND protocol. ◻ Similar protocols can be obtained for all the other protocols shown above. Note that in the above three-player protocol, false alarms cannot be prevented. If Bob alerts that Alice misbehaved even if there is no misbehavior, there is no way for Carol to decide which of Alice and Bob is correct. In order to prevent this type of malicious behavior, the protocol needs to be executed more than three players. The protocol with more than three players P 0 , P 1 , … , P n−1 (n > 3) is as follows: Protocol 7 (False alert prevention AND protocol) Select some random number i(0 < i < n). One player is out of the room when each player executes a round of the protocol. All the other players in the room watch the execution by the current player and verify the correctness of the current player.
1. P j (j = 0, … , n − 2) executes a private random bisection cut on commit(x) using random bit b j when P j+i mod n is out of the room, thus commit(x ⊕ n−2 j=0 b j ) is obtained. 2. P n−1 executes a private reveal and sets S 2 when P n−1+i mod n is out of the room. 3. P j (j = 0, … , n − 2) executes a private reverse cut using b j when P j+i mod n is out of the room. 4. After all the private reverse cuts are finished, the left pair is selected as the output.
At any step of the protocol, one player executes some operation and n − 2(> 1) players watch the execution since one player is out of the room. If one malicious player P j misbehaves some operation, n − 2(> 1) watching players alert, thus the misbehavior is detected by the majority. If a watching player falsely alert that P j misbehaved, the other watching player(s) and P j say that P j is correct, thus the alert is detected false by the majority. The correctness of the protocol is just the same as the original AND protocol. In this execution, any player cannot obtain the value of the committed value because he does not have all information if no collusion exists. Similar protocols can be obtained for all the other protocols shown above.

Asymmetric Card Protocols
When we use cards whose face is not symmetric, such as and , but the back is symmetric, one bit data can be represented by one card as and . Protocols with this type of card are first considered in [25] and then several protocols are shown in [45,46]. For such an encoding method, a private random bisection cut on a committed bit is changed to upside-down the card according to the random bit. A private reverse cut and a private reverse selection on an even sequence are unchanged. A private reverse cut and a private reverse selection on a single card are changed as upside down the card according to the random bit selected in the private random bisection cut. Using these private operations, all protocols shown above work for the asymmetric cards. The number of cards used by this protocol is half of the two-type card protocols. Copy, AND, and XOR protocols are shown.  Since b = 1 , Alice turns the cards upside down. The output is m copies of commit(x).
1. Alice randomly selects bit b. If b=1, Alice turns commit(x) upside down. Let the output be commit(x � ) . Alice sends commit(x � ) and commit(y) to Bob. 2. Bob executes a private reveal on commit(x � ). Bob sets and sends S 2 to Alice. 3. Alice executes a private reverse selection on S 2 using the bit b generated in the private random bisection cut. Let the obtained sequence be S 3 . Alice outputs S 3 .  Alice executes a private reverse selection on S 2 . Since b = 1 , the right card is selected. If the output, S 3 , is opened, . Since x ∧ y = 0 , the result is correct.
1. Alice randomly selects bit b. If b=1, Alice turns commit(x) upside down. Let the output be commit(x � ) . Alice sends commit(x � ) and commit(y) to Bob. 2. Bob executes a private reveal on commit(x � ) . If x � = 1, Bob turns commit(y) upside down. Let the obtained card be S 2 . Bob sends S 2 to Alice. 3. Alice executes a private reverse cut on S 2 using the bit b generated in the private random bisection cut. Let the obtained card be S 3 . Alice outputs S 3 . Bob sends S 2 to Alice. Since b = 1 , Alice turns S 2 upside down and obtains S 3 . If the output, S 3 , is opened, . Since x ⊕ y = 1 , the result is correct.
Theorem 6 Using asymmetric cards, Copy, AND, and XOR can be realized using two cards and in three rounds.
Proof The correctness and security proofs are just the same as the ones for the two type card protocols. ◻

Conclusion
This paper proposed new card-based cryptographic protocols with the minimum number of cards using private operations. Though private operations are effective, there is a worry of the malicious actions during private operations. Thus, one of the most important open problems is detecting malicious actions when the number of players is two.