How to Solve Millionaires’ Problem with Two Kinds of Cards

Card-based cryptography, introduced by den Boer aims to realize multiparty computation (MPC) by using physical cards. We propose several efficient card-based protocols for the millionaires’ problem by introducing a new operation called Private Permutation (PP) instead of the shuffle used in most of existing card-based cryptography. Shuffle is a useful randomization technique by exploiting the property of card shuffling, but it requires a strong assumption from the viewpoint of arithmetic MPC because shuffle assumes that public randomization is possible. On the other hand, private randomness can be used in PPs, which enables us to design card-based protocols taking ideas of arithmetic MPCs into account. Actually, we show that Yao’s millionaires’ protocol can be easily transformed into a card-based protocol by using PPs, which is not straightforward by using shuffles because Yao’s protocol uses private randomness. Furthermore, we propose entirely novel and efficient card-based millionaire protocols based on PPs by securely updating bitwise comparisons between two numbers, which unveil a power of PPs. As another interest of these protocols, we point out they have a deep connection to the well-known logical puzzle known as “The fork in the road.”


Background and Motivation
Background Consider a scenario where n players P 1 , P 2 , … , P n hold private data x 1 , x 2 , … , x n respectively, and they wish to compute a value of a function f (x 1 , x 2 , … , x n ) without revealing their own data. In this scenario, it is impossible to hide all information of the players' inputs, since the computed value f (x 1 , x 2 , … , x n ) leaks certain information of their inputs. Hence, we require to hide the information of inputs other than the information of f (x 1 , x 2 , … , x n ) . The techniques for realizing such a requirement are called multiparty computation (MPC). MPC is one of the most important research topics in cryptography and information security. Actually, MPC has many cryptographic applications such as electronic auctions and electronic votings.
It is known that MPC can be realized by using several cards, and such a special implementation of MPC is called a card-based cryptography [4,5]. Unlike general MPC protocols implemented on computers, the card-based cryptography is realized by manual operations. Obviously, manual operations take much longer time than the operations on computers. Hence, it is important to reduce the number of steps in the card-based cryptography. Based on a similar reason, smaller number of cards is desirable for an efficient implementation of card-based cryptography.
Much of the research related to card-based cryptography has been devoted to secure computation of logical gates such as AND and XOR, 1 since any computation can be implemented by their combinations. The central issue when designing efficient card-based cryptography for logical gates is to minimize the number of cards required in the protocol. For instance, Mizuki-Sone [9] realized AND and XOR operations on two binary inputs with six and four cards, respectively, and recently, Koch-Walzer-Härtel [11] reduced the number of cards to five in AND. 2 However, [11] assumes the existence of a special shuffle with non-uniform distribution, and hence, it is defficult to be implemented. 3 Thus we adopt Mizuki-Sone protocols [9], which are easy to be implemented, as previous research in the efficiency evaluations.
The randomization is also important in order to realize card-based cryptography. In previous works, a randomization operation called shuffle is considered to be useful for card-based protocols with a smaller number of cards, and the usage of this operation has been extensively studied thus far.
We note that shuffles have two special features: The first feature is that a shuffle in a card-based cryptography specifies a certain permutation, whereas a shuffle in ordinary card games permutes the set of cards in a completely random manner. The second feature is that the result of a permutation must not be known to any players (including the player performing the shuffle). For instance, a random bisection cut [9] is a useful type of shuffles described as follows: an even number of cards are divided into two sets consisting of the same number of cards, and these two sets are permuted (in this case, exchanged) many times until none of the players can recognize how many times the two sets of cards are permuted.
Motivation and Our Idea We observe here that the following two problems exist in card-based protocols for logical gates utilizing shuffles: 1. Constructing a protocol by using logical gates is a general technique, but it can be less efficient than protocols specially developed to perform a certain function. 2. Shuffles are too card-oriented operations. From the viewpoint of arithmetic MPC, they cannot be realized by a single operation but can be realized by at least two players to communicate with each other. 4 We discuss (1) and (2) in detail before we propose our idea: (1): It is known that at least one shuffle is necessary for a randomize operation in realizing card-based cryptography. Actually, card-based protocols for logical gates, such as AND, OR and COPY [9], can be realized by using one random bisection cut. This fact implies that it is impossible to make the number of shuffles less than the number of logical gates as long as we construct card-based protocols by the combination of logical gates. 5 For instance, consider the case of the millionaires' problem initiated by Yao's seminal work [2], which is a secure two-party computation involving a comparison of two numbers without making each millionaire's wealth public. Comparing two numbers less than m ∈ ℕ by logical gates can be realized as in Algo. 1, which involves 2⌈log m⌉ − 1 AND and 2⌈log m⌉ − 2 OR times. 6 When executing these logical gates, the COPY operation [9] is necessary for copy ¬a i and b i in each comparison of bits. Summarizing, 6⌈log m⌉ − 5 random bisection cuts are necessary in total in order to implement Algo. 1.
We can expect this inefficiency to be resolved if we design a card-based cryptography specialized for the function computed in the protocol, although such improvement has not been studied intensively to date. Proceeding with this idea, it is natural to recall Yao's solution to the millionaires' problem [2] since it does not depend on logical gates but specializes in comparing two numbers privately. As we will see in Sect. 3.1, Yao's protocol involves public key encryption, which is difficult to implement by logical gates, but is easy to realize by using face-down cards without public/private keys! Then, we can show a simple implementation of Yao's protocol by cards if we get rid of restriction of using logical gates.
(2): When we construct a card-based protocol with shuffles, it would be hard to use arithmetic MPC protocols straightforwardly because arithmetic MPCs normally assume private randomness whereas all operations in a card-based protocol with shuffles must be executed in public. This hardness would be an obstacle to construct card-based protocol for millionaires' problem based on Yao's original ideas, and motivates us to also employ the private randomness in card-based cryptography. Hence, in this paper, we explicitly allow such a private operation in card-based cryptography. 7 In most of previous works, all operations are performed in public so as to avoid cheating. On the other hand, since we adopt the operation of executing in player's private area, our card-based protocols are realized under the semi-honest model.
Algorithm 1 Comparing protocol constructed by logical gates Input: a = (a n · · · a 2 a 1 ) In previous works, a shuffle is considered as a building block for randomization, but actually, it is not a single operation from the viewpoint of arithmetic MPC. For instance, a random bisection cut can be realized as follows: Alice first generates a random number r A and permutes bisected cards r A times behind her back, and sends the permuted cards to the other player, say Bob. Bob privately generates a random number r B and permutes bisected cards r B times behind his back. If r A and r B are kept private by Alice and Bob, respectively, this protocol shuffles bisected cards r A + r B times, and no one can know the number of permutations.
Note that such private randomness and private operations ( (r A , r B ) and permutations in this example, respectively) are often used in arithmetic MPC. We call such a permutation behind one's back Private Permutation (PP). The introduction of PPs makes it easy to see that shuffles, including a random bisection cut, generally consist of at least two PPs and one communication. Introducing PPs, evaluations of card-based protocols are almost parallel to those of arithmetic MPC. Concretely, the number of PPs and communications is considered as computational cost, and the number of cards is considered as memory cost.

Our Contributions
As shown above, the concept of a PP is motivated by (1) and (2). We propose two essentially different protocols for Millionaires' problem based on this concept, and call them proposed protocols I and II. The evaluations of our results presented in this paper are summarized in Table 1, where we use the number of communications, PPs, and cards as efficiency measures.
We first construct a card-based cryptographic protocol for the millionaires' problem based on Yao's solution for two numbers less than or equal to m (proposed protocol I), which does not include logical gates. In the implementation, shuffles are not used, and PPs play a key role instead of shuffles. Even though this protocol is naïve, only one communication and two PPs are sufficient, which is a considerable improvement of card-based cryptography based on logical gates. On the other hand, the number of cards required by the protocol is 2m, which is much worse than the protocol based on logical gates ( 4⌈log m⌉ + 2).
Not only transforming Yao's solution to card-based cryptography but also we propose an entirely new card-based cryptographic protocol based on PPs (proposed protocol II), which is specially developed to solve the millionaires' problem. Proposed protocol II is more efficient in terms of the number of communications, PPs, and cards. This protocol succeeds in reducing the number of communications and PPs to almost 1/3 and 1/6, respectively, compared to the protocol for logical gates, whereas the number of cards remains the same (see Proposed protocol II in Table 1). The new protocol compares two numbers bit by bit, starting from the less significant bit, and the compared results are recorded on cards, called storage. The results recorded in the storage need to be kept secret from both Alice and Bob, to solve the millionaires' problem securely. Hence, we show how to manipulate the storage privately by using PPs.
It is very interesting to note that the idea of proposed protocol II is the same as that of the well-known logical puzzle "The fork in the road". 8 This observation will be introduced when explaining the idea of the proposed protocol II in Sect. 4.1.
Unfortunately, proposed protocol II requires still the same number of cards with the previous work whereas the other measures are evidently improved. Hence, we discuss how to reduce the number of cards in Sect. 4.3. The main idea of this improvement is that inputs are not represented as the sequence of cards but are memorized in player's mind. This improvement enables the proposed protocol II to realize with only six cards. This paper is the full version of [15]. We extended the earlier version [15] by proposing a new protocol in Sect. 4.3 that solves the millionaires' problem with only six cards. We also improved presentations, especially surveys are updated in Sect. 2.3.

Organization
The remaining part of this paper is organized as follows: We introduce several notations, basic operations of cards including PP, and the security notion for card-based cryptography in Sect. 2. In Sect. 3, the card-based cryptography for the millionaires' problem based on Yao's protocol is presented. Sect. 4 is devoted to the proposal of a new cardbased cryptographic protocol with storage. We also show an improvement of the proposed protocol which reduces the number of cards. We summarize our results in Sect. 5.

Notations and Basic Operations of Cards
In card-based cryptography, we normally use two types of cards such as ♣ and ♥ . We assume that two cards with the same mark are indistinguishable. We also assume that all cards have the same design on their reverse sides, and that they are indistinguishable and represented as ? . The Boolean values 0 and 1 are encoded as ♣ ♥ and ♥ ♣ , respectively. Note that we regard the sequence of cards as a vector. In this paper, we use the following fundamental card operations [12]. Note that these operations are executed publicly.
• Face up: A pair of face-down cards for the Boolean value x ∈ {0, 1} , is called commitment. In particular, the permutation for a commitment is referred to as swap.
For simplicity, ♣ and ♥ are represented as ♣ and ♡ , respectively.

Random Bisection Cut and Private Permutation
Random Bisection Cut This is a key technique to realize efficient card-based cryptography for logical gates, e.g., 6-card AND protocol [9], which is described as follows: For a positive integer v, suppose that there is a sequence of 2v face-down cards. Denote the left and right halves by 1 and 2 , respectively. Namely, we define Then, 1 and 2 are interchanged or left unchanged with probability 1/2. Depicting this by using figures, one of either is selected with a probability 1/2. This operation, called random bisection cut, is executed in public but it is assumed that no player knows whether one of the above is selected.
Shuffles such as random bisection cut are regarded as a convenient randomization technique for implementing card-based cryptography. However, the assumption of shuffle is card-oriented, as is pointed out in Sect1.1, so there is a gap from arithmetic MPC. Concretely, arithmetic MPC cannot accept the following assumptions: • All players cannot identify the random number even if it is generated in public area. • Every player cannot know the random number which is generated by him/herself. Both assumptions are natural for real shuffles, e.g., in playing cards. It is not possible to assume in arithmetic MPC. However, we realize the same requirements shown in above under the same assumption in arithmetic MPC by allowing private randomness and communications. Concretely, a random bisection cut by Alice can be realized as follows: Alice first generates a random number r A and permutes the bisected cards r A times behind her back, and sends the permuted cards to the other player, say v cards (1) Bob. Bob privately generates a random number r B and permutes the bisected cards r B times behind his back. If r A and r B are kept private by Alice and Bob, respectively, this protocol permutes the bisected cards r A + r B times, and no one can know the number of permutations. As long as we implement card-based cryptography based on logical gates, at least one shuffle such as a random bisection cut is necessary for every logical gate except negation, which would have a highly adverse impact on the efficiency of the protocols. Private Permutation. We resolve the above-mentioned drawbacks by decomposing the shuffle operation into the private permutations behind the player's back and the communication between them. Hence, we introduce a new randomization operation called Private Permutation (PP), which can be formalized as follows: For a positive integer t, let ∈ {♣, ♡} t be a vector consisting of t face-down cards. For a set P t of all permutations over 9 Then, for a positive integer t and a set of possible permutations R t , the private permutation is defined as follows: Note that the same function was introduced in the previous works [11,12] although we impose an additional assumption on this function. Namely, we assume that the player executing [t] R t keeps s secret, whereas he/she makes the other parameters public, which is easy to realize by permuting the cards behind the player's back. This requirement was firstly introduced in the conference version os this paper [15] explicitly. We note that, not only the random bisection cut, but also several different types of shuffles, e.g., in [6], can be realized by PPs by specifying R t appropriately.
For instance, consider the set of permutations capable of randomly interchanging the first and the latter halves of a vector as follows: For a positive integer v, let Eq. 4 means that 0 ( ) = ( 1 , 2 ) and 1 ( ) = ( 2 , 1 ) for ∶= ( 1 , 2 ) given by (1). Then, the random bisection cut for 2v cards is represented as where s is chosen from {0, 1} uniformly at random and it is known only by the player executing this operation. In executing the random bisection cut, for the sequence of cards , Alice executes ( , r A ) =∶ � by using her private randomness Protocol 1 6-card AND protocol [9] (using shuffle) 1) Set up the initial value (a, 0, b) represented by the commitments of six cards. 2) Apply π := (1, 3, 4, 2, 5, 6) to the sequence of cards prepared in the step 1).
Note that the result of 2)-4) is either (a, 0, b) or (¬a, b, 0) with probability 1/2. 5) Open the first bit. If it is 0, then output the second bit. Otherwise, output the third bit. Graphically, this step is represented as Efficiency Measures. Most of the previous works, e.g., [12,13], considered the number of shuffles as the computational complexity since shuffle is the most timeconsuming operation. On the other hand, in this paper we consider that the computational complexity is evaluated by the number of PPs and communications since such measures are suitable for arithmetic MPC. In this paper, successive PPs executed by one player without communication and/or face up is counted as one PP since the composition of permutations is also regarded as a permutation and the subsequent private permutation can be executed at once behind the player's back.

Example: 6-card AND Protocol
In order to clarify the difference between shuffles and PPs, we show two kinds of implementations of 6-card AND protocol, namely, we show the protocol realized by using shuffles (Protocol 1) and PPs (Protocol 2) respectively. Note that, all operations in protocols 1 are executed in public. On the other hand, there are both private and public operations in protocol 2, so that it needs to be clearly distinguished whether the operation is private or public.
We assume that two players, Alice and Bob, hold secret bits a ∈ {0, 1} and b ∈ {0, 1} , respectively, and they wish to calculate a ∧ b without revealing information of their inputs. We introduce the 6-card AND protocol [9] realizing this requirement.

Security Notion
Throughout this paper, we assume that both Alice and Bob are semi-honest players. Following [10], we introduce the security notion (perfect secrecy) of card-based cryptography for the millionaires' problem. Protocol 2 6-card AND protocol [9] (using PPs) 1) Set up the initial value c = (a, 0, b) represented by the commitments of six cards. First, one of both players, say Alice, holds these six cards. 2) Alice applies π = (1, 3, 4, 2, 5, 6) to c in public. Let the sequence executed this permutation be c . 3-i) Alice privately executes the following PP with respect to R bc 6 which is defined in (4) with v = 3.
In defining the security of card-based cryptography, view plays a key role. View is roughly defined to be a vector of random variables 10 to the data that each player can obtain in the protocol. Specifically, view includes the randomvariables corresponding to the input of the player, the output of the protocol, public information all players can gain, and random values which are used when the player makes a random choice.
For a fixed integer m ∈ ℕ , let a ∈ [m] and b ∈ [m] be positive integers representing the wealth of Alice and Bob, respectively, which are the input for protocol. The common output of the millionaires' problem for Alice and Bob is represented as The information obtained by Alice and Bob in the protocol can be classified into private information denoted by r A and r B , and public information denoted by . Hence, Alice's (resp., Bob's) view can be described as the sequence of random variables corresponding to her (resp., his) input a (resp., b), output of the protocol, private information r A (resp., r B ) and public information . The private information r A (resp., r B ) is the random number generated by Alice (resp., Bob) for PPs. The public information is the cards that Alice and Bob made public by turning them face up. Note that, in arithmetic MPC, view includes information that each player receives via private channel, but in card-based cryptography, there is no private channel.
Only face-up cards can reveal information, and hence, we can define the face-up cards are included in the view as public information. Let R A , R B , and be random variables corresponding to the values r A , r B , and , respectively. Then, the views of Alice and Bob are represented as (A, (A, B), R A , ) and (B, (A, B), R B , ) , respectively.
Intuitively, if all Alice's (resp., Bob's) private and public information can be simulated from Alice's (resp., Bob's) input and output, we can say that no information is contained in the private and public information other than Alice's (resp., Bob's) input and output. Hence, we can formulate perfect secrecy of card-based cryptography for the millionaires' problem as follows: Definition 1 (Perfect secrecy) Consider the millionaires' problem for Alice and Bob. We say that the card-based cryptography for the millionaires' problem is perfectly secure if there exist simulators A and B such that for all possible inputs a and b, it holds that where U perf ≡ V means that the (joint) probability distributions P U and P V corresponding to the random variables U and V, respectively, are perfectly the same.

Our Idea Behind the Proposed Protocol I
We propose a card-based cryptography that resolves the millionaires' problem by cards based on Yao's original solution utilizing PPs. 11 Before providing our protocol, we explain Yao's public key based solution [2] as follows: Yao's Solution to the Millionaires' Problem. For a fixed integer m ∈ ℕ , assume that Alice and Bob have wealth represented by positive integers a and b, respectively, is a public-key encryption of Alice. That is, A ∶ X → X is an encryption under Alice's public-key, and A is a decryption under Alice's private-key.
⟨1⟩ Bob selects a random N-bit integer x ∈ X , and computes c ∶= A (x) privately. ⟨2⟩ Bob sends the number c − b + 1 in the mod 2 N sense to Alice. ⟨3⟩ For i = 1, 2, … , m , Alice computes privately the values of ⟨4⟩ Alice generates a random prime p ∈ [2 N∕2 − 1] , and computes the values , then go to the next step; otherwise generate another random prime p and repeat the process until all z u differ by at least 2. ⟨5⟩ Alice makes z � = (z 1 , z 2 , … , z a , z a+1 + 1, z a+2 + 1, … , z m + 1) ; each value is in the mod p sense. ⟨6⟩ Alice sends p and the vector z ′ to Bob. ⟨7⟩ Bob looks at the b-th number in z ′ . If it is equal to x mod p, then a ≥ b , otherwise a < b. ⟨8⟩ Bob sends the result to Alice.
Our Idea Behind Proposed Protocol I. We first point out that the key steps of Yao's protocol are ⟨5⟩-⟨7⟩ , where Alice privately adds 1 to each of z a+1 , z a+2 , … , z m in the m-dimensional vector, and sends the vector to Bob. He privately checks the bth value in the vector, and outputs the result. This private operation can be implemented by PP in card-based cryptography, which corresponds to the step ⟨3⟩ in the following proposed protocol I.
Note that, in Yao's solution, ⟨1⟩-⟨4⟩ are necessary for realizing the key steps ⟨5⟩ -⟨7⟩ securely, since they prevent the vector z ′ in ⟨5⟩ from leaking Alice's wealth a to Bob. However, in a card-based cryptography, these steps can be replaced with single step since face down plays the role of encryption. Furthermore, the communication in ⟨8⟩ can be removed in the card-based protocol since face-up cards on the tabletop can immediately be recognized by both Alice and Bob.

Proposed Protocol I
Based on the ideas discussed in the previous section, we propose a card-based cryptography for the millionaires' problem based on Yao's solution (see Protocol 3). We refer to this protocol proposed protocol I. The definitions of a, b and m are the same as the previous section.
Note that steps 1) and 2) in the proposed protocol I correspond to steps ⟨1⟩-⟨5⟩ , and the steps 3) and 4) correspond to steps ⟨6⟩ and ⟨7⟩ , respectively, which show that the step 2) considerably simplifies Yao's protocol. We omit the proof of correctness of the proposed protocol since it is almost obvious from Yao's protocol.

Note that (
A , A ) in Yao's millionaires' protocol must be public-key encryption since a is obtained by Bob in step ⟨6⟩ if ( A , A ) is a private key encryption. On the other hand, in the proposed protocol I, such leakage of a to Bob is prevented by requiring that all cards except ′ b are completely randomized in public by Alice or Bob at the end of the protocol.
Efficiency of the proposed protocol I In the proposed protocol, 2m cards are used. The number of PPs and communications is constant, i.e., it does not depend on the input length. We use two PPs in steps 2) and 4), and one communication in step 3), and this outperforms the protocol based on logical gates (see Algorithm 1). We note that the steps 4) and 5) are necessary so that Bob turns ′ b face up publicly without making b public. 12

Theorem 1
The proposed protocol I is perfectly secure; it satisfies (8) and (9) in Definition 1.
Proof Consider the randomness used by Alice and Bob denoted by R A and R B , respectively. In this protocol, no randomness is used by Alice since she only swaps the cards by using a and m. Hence, it is not necessary for the simulator A to simulate R A . We also find that Bob does not use his randomness, and R B also need not be simulated by B .
Regarding the public value , observe that it is only the cards ′ b revealed in step 5), and the binary value represented by ′ b is equal to the truth value of a ≥ b . Hence, is uniquely determined from the output, and it can obviously be simulated, which completes the proof. ◻ Remark Thanks to the special operations of card-based cryptography, e.g., face up, face down, and swap, etc., proposed protocol I is not only a direct transformation of Yao's protocol, but also is superior to the original one from several aspects. For instance, the proposed protocol I does not use any randomness, whereas randomness is necessary for generating public/private keys in the original solution by Yao. Furthermore, it is worth observing that both Alice and Bob can know the output result simultaneously in the proposed protocol I, whereas Bob is required to announce his result to Alice in Yao's original protocol (see step ⟨8⟩).

Ideas Behind Proposed Protocol II
In order to reduce the number of cards to below 2m, it is natural to represent the wealth of Alice and Bob as binary number with ⌈log m⌉ bits (i.e., 2⌈log m⌉ cards).
This approach enables us to consider the strategy by comparing the Alice's and Bob's wealth bit-by-bit starting from their least significant bits. Let (a n , … , a 1 ) and (b n , … , b 1 ) be the binary representation of the positive integers a and b, respectively, where n ∶= ⌈log m⌉ and a i , b i ∈ {0, 1} , i = 1, 2, … , n . For each i ∈ [n] , assume that a i and b i are represented by pairs of cards i,l i,r and i,l i,r , respectively, where i,l i,r , i,l i,r ∈ {♣♡, ♡♣} . For instance, a i = 1 is represented by cards as i,l i,r = ♡♣.
Note that, however, such a two-card representation of binary number is redundant in a bit-by-bit comparison since we can represent 0 and 1 by ♣ and ♡ , respectively. 13 In this one-card representation, i,l and i,l suffice to represent a i and b i , respectively. Further, their negations, ¬a i and ¬b i , are also represented by i,r and i,r , respectively. In the following, we consider a scenario in which Alice prepares (a n , … , a 1 ) by using a two-card representation, but here, Alice and Bob use a one-card representation for comparison.
We compare the bits of Alice and Bob by preparing a device (equipped by a card as well) called comparison storage, denoted by cs ∈ {♣, ♡} , that records the bit-bybit comparison results. Our idea is roughly described as follows: We assume that Bob compares i,l (i.e., b i ) with Alice's card i,l (i.e., a i ) from i = 1 to n, and he overwrites cs with i,l (i.e., b i ) if i,l ≠ i,l (i.e., b i ≠ a i ) while cs remains untouched if this is not the case (i.e., b i = a i ). Recalling that Bob overwrites the comparison storage with his bit, Bob is shown to be richer if the comparison storage is ♡ (i.e., 1) at the end of the protocol. Similarly, Alice is shown to be richer if the comparison storage is ♣ (i.e., 0) at the end of the protocol. As is easily understood, however, this rough idea has the following a problem:

P1)
If Bob were to directly compare his bits with those of Alice, such a comparison strategy would easily leaks Alice's bits to Bob.
This problem can be avoided by considering the following modified randomized strategy: Since Alice prepares (a n , … , a 1 ) by two-card representations, she sends Bob i,l (i.e., a i ) or i,r (i.e., ¬a i ) with probability 1/2. Such a randomization is effective for concealing the value of Alice's bit from Bob, but we encounter another problem:

P2)
Since Alice sends i,w to Bob w ∈ {l, r} with a probability of 1/2, he cannot tell from i,w whether a i ≠ b i or not.
Problem P2) is resolved by introducing another storage called dummy storage, denoted by ds ∈ {♣, ♡} , and communicating the pair of cs and ds between Alice and Bob.
Hereafter, we refer to the pair consisting of cs and ds as storage. Bob overwrites cs and ds corresponding to the result of a i ≠ b i and a i = b i . However, just adding a new storage is insufficient to resolve the problem that Bob cannot determine whether a i ≠ b i or a i = b i , i.e., he cannot determine which one of cs and ds should be overwritten.
Problem P2) can be rephrased using binary numbers as follows: Let a � i ∈ {0, 1} be a binary number that Bob receives, but he does not know whether a � i = a i (in the case of w = l ) or a � i = ¬a i (in the case of w = r ). Our main object is to find a i ≠ b i or a i = b i even if either one of a � i = a i or a � i = ¬a i is sent. 14 Basic idea for resolving P2) is that Bob uses the fact that what he knows is either Making use of this fact, Alice and Bob treat cs and ds as an ordered pair of face-down cards, and assume that either (cs, ds) or (ds, cs) is determined by Alice's private random choice w ∈ {l, r} as follows: • If Alice selects w = l and sends Bob i,l ∈ {♣, ♡} (i.e., a i ), then she sends him (cs, ds) with i,l . • If Alice selects w = r and sends Bob i,r ∈ {♣, ♡} (i.e., ¬a i ), then she sends him (ds, cs) with i,r .
Note that i,w is not necessary to be face-down when she sends it since no information on a leaks to Bob from i,w . We can see that the order of cs and ds is synchronized with w ∈ {l, r} (i.e., a i and ¬a i ) in Alice. Owing to this synchronization, Bob can correctly overwrite cs only when a i ≠ b i by implementing the following strategy, even if he does not know which one of cs and ds should be overwritten. Let ( l , r ) be the storage Bob receives from Alice. Then Bob's behavior after receiving i,w from Alice is shown below.
• If i,w ≠ i,l (i.e., a ′ i ≠ b i ) holds, Bob overwrites the left element l of the storage ( l , r ) with i,l (i.e., b i ). Table 2 Synchronization mechanism in the proposed protocol with storage (cs, ds), w = l (ds, cs), w = r • If i,w = i,l (i.e., a � i = b i ) holds, Bob overwrites the right element r of the storage ( l , r ) with i,l (i.e., b i ).
Let ( � l , � r ) be the storage overwritten by Bob, and he returns ( � l , � r ) to Alice. Then, by using w ∈ {l, r} that Alice generated, she privately rearranges ( � l , � r ) so as to place cs and ds on the left and the right, respectively. After repeating these procedures from i = 1 to n, Bob is shown to be richer if cs = ♡ (i.e., 1) whereas the contrary is true if cs = ♣ (i.e., 0).
It is easy to see from Table 2 that our synchronization strategy for storage works well. This is best clarified by discussing the proposed protocol by using binary numbers rather than cards. For instance, consider the case where Alice compares her bit a i = 1 with Bob's bit b i = 0 (the second line in Table 2). If Alice selects w = l , Bob receives a bit a � i = a i = 1 and compares it with Bob's bit b i = 0 . Since a ′ i ≠ b i , the left-hand side element of the storage, i.e., cs, is overwritten by b i = 0 . On the other hand, if Alice selects w = r , Bob receives a bit a � i = ¬a i = 0 and compares it with his bit b i = 0 . Since a � i = b i = 0 , the right-hand side element of the storage, i.e., cs, is overwritten by b i = 0 . Anyway, cs is correctly overwritten by b i = 0 (< a i = 1) as expected.
Remark It is interesting to note that the logic of the above synchronization strategy is the same as that of the well-known logical puzzle "The fork in the road," [1, p.25] (see footnote * 8 ). Note that the point of the "The fork in the road" is that we need to obtain the correct answer (correct branch) from "yes-no-questions," regardless of whether the native bystander tells the truth. The one of the well-known answers to this puzzle is that the logician should ask "if I ask the right way goes to the village, then do you answer YES?." This question consists of two propositions as follows: Q1) The right way goes to the village.

Q2) The bystander answers YES.
Suppose that the right way goes to the village. If the native bystander is a truthteller, then obviously the logician receives YES. On the other hand, the logician have the same answer (YES) even if the bystander is a liar because of the following double negation:

L1)
The liar wants to say NO to Q1) because Q1) is true. L2) The liar has to say YES because Q2) is false (due to L1)).
Namely, telling lies twice for Q1) and Q2), the liar says YES if the right way goes to the village; NO otherwise. Our synchronization strategy has the same structure with this puzzle. In proposed protocol II, Alice chooses whether she sends a i (i.e., truth) or ¬a i (i.e., lie), which corresponds to L1). If she chooses the lie, then she reverses the order of storage cards cd and ds, which has the same effect with L2).
Due to this structure of double negation, Bob can correctly record the comparison result regardless of Alice's choice. Therefore, we can verify the correctness of proposed protocol II.
Finally, the output value correctly becomes cs = ♡ as a < b regardless of random choices of Alice.
Efficiency of the proposed protocol II. This protocol requires two communications for every bit therefore it requires 2⌈log m⌉ communications. We note that steps (2-v) and (2-i), when i is incremented, can also be regarded as one PP. Hence, this protocol requires 2⌈log m⌉ + 1 PPs. The number of cards is 4⌈log m⌉ + 2.

Theorem 2
The proposed protocol II is perfectly secure; it satisfies (8) and (9) in Definition 1.
Proof Consider the randomness used by Alice and Bob denoted by R A and R B , respectively. From step (2-i), the value of R A = (W 1 , W 2 , … , W n ) where W i is the random variable corresponding to w in the i-th loop in step 2). Each random variable W i , i = 1, 2, … , n takes the value in {l, r} with probability 1/2, and it is independent from the other random variables. Hence, R A can obviously be simulated by A by using n independent uniform binary numbers. Similarly to the proposed protocol I, Bob does not use any randomness, and hence, B does not have to simulate R B .
Regarding the simulation of public information , observe that is the n values represented by the face-up cards in step (2-iii), i.e., = ( 1,W 1 , 2,W 2 , … , n,W n ) . Hence, is easily simulated by A by a which is represented by her 2n cards, and the random variable R A = (W 1 , W 2 , … , W n ) . On the other hand, for Bob, = ( 1,W 1 , 2,W 2 , … , n,W n ) seems to be uniformly distributed over {♡, ♣} n since he does not know the value of W i = w i , which is selected randomly by Alice. Hence, is easily simulated by S B .
Since the simulators A and B can be explicitly constructed as above, we complete the proof of the theorem. ◻

Millionaires' Problem Can Be Solved with Only Six Cards
Although the proposed protocol II was improved in terms of the numbers of PPs and communications, as is shown in Table 1, it still requires the same number of cards with the previous work based on logical gates. However, we show that the proposed protocol II can be realized with only six cards in this section. Our main idea is to reuse the card discarded by Bob in step (2-iii) of Protocol 4. 16 We note that, however, cannot be simply reused. If is reused simply and accessed by Alice and/or Bob, they can obtain information about which holds information on their inputs. For instance, in Protocol 4, suppose that Bob could look at the front of in step (2-iii) for i = 1 . Noticing that (cs, ds) = (♣, ♡) is public information when i = 1 , a 1 completely leaks to Bob since he can tell whether w = l or not. Inductively, should not be simply reused when i ≥ 1 because also holds information about Alice's choice of w.
Therefore, we need to erase information about for reusing it. However, it is impossible to erase the information about as long as we adopt the one-card representation since a single card cannot be randomized as opposed to the case of twocard representation. Hence, we should employ two-card representation for the storage (and the input) in Protocol 4. Concretely, if is in two-card representation, Bob returns randomized to Alice instead of discarding it by Bob in Protocol 4. Then, she can reuse .
One may think that this modification makes the protocol inefficient since the number of storage cards increases. However, surprisingly, this modification allows Alice and Bob to use as his/her inputs if they hold inputs in their mind! Namely, at the cost of using six cards for (cs, ds) and , Alice and Bob do not necessary to have their cards to represent their inputs (if they can remember the inputs). Therefore, six cards are sufficient to realize a card-based protocol for millionaires' problem with efficient memory and communication cost. The improved protocol shown in Protocol 5. As shown in the step 1), the storage cards are represented by two-card representation. The steps (2-v) and (2-viii) are executed for erasing information of by Bob and Alice.
Efficiency of the improvement of proposed protocol II. This protocol requires two communications for every bit therefore it requires 2⌈log m⌉ communications. We note that the sequence of PPs executed in steps (2-iv) and (2-v) can be regarded as one PP. Similarly, steps (2-vii) to (2-i), when i is incremented, can also be regarded as one PP. Hence, this protocol requires 2⌈log m⌉ + 1 PPs.

Concluding Remarks
In this paper, we proposed two efficient card-based cryptography (called proposed protocols I and II) for the millionaires' problem by introducing a new operation called private permutation (PP). Proposed protocol I is constructed based on Yao's solution. This solution was realized by using public key encryption instead of logical gates, and hence, it could not be straightforwardly implemented to card-based cryptography based on logical gates. However, we show that Yao's solution can be easily implemented by using cards if we do not restrict ourselves by logical gates and use PPs instead. This protocol could be realized with one communication and two PPs, and is therefore much more effective than the existing protocol (see Table 1). However, the number of cards increases. It is worth mentioning that proposed protocol I is not only a direct transformation of Yao's protocol, but is also superior to the original protocol in the sense that randomness and the announcement of the result are not required as opposed to Yao's original protocol.
Proposed protocol II is entirely novel. It consists of the communication of two types of storage for recording the compared result between two players. This proposed protocol is superior to the existing protocol based on logical gates with respect to the number of communications and PPs, whereas the number of cards is the same as the existing protocol. Furthermore, it is interesting to remark that proposed protocol II and the well-known logical puzzle known as "The fork in the road," are deeply related. But this protocol is not made efficient from the view point of the number of cards (see Table 1). Hence we proposed a method to reduce the number of cards. The improved protocol works only six cards by memorizing the inputs in player's mind without representing them using cards. otherwise does not. Each swap operation must be executed privately, and it is described as the following PP with respect to R bc 2 := {π 0 , π 1 } which is given by (4) with v = 1: where χ ge (·, ·) is defined in (7), i.e., χ ge (i − 1, a) = 1 iff i > a. As a result, Alice privately generates the sequence of cards x := (x 1 , x 2 , . . . , x m ) where 1, a)). 3) Alice sends x to Bob. 4) Bob privately moves x b to the first element of x , which is described as the following PP: where R mf 2m := {π i } m−1 i=0 such that π i : (1, 2, . . . , m) (i + 1, 1, 2, . . . , i, i + 2, . . . , m). 5) Bob reveals the left most commitment of PP The remaining cards are completely randomized by Alice or Bob in public in order to discard the information of x except for x b . We call this operation "the remaining cards are discarded," hereafter. Protocol 4 Proposed Protocol II: Protocol for Millionaires' Problem with Storage 1) Alice prepares a face-down ♣ and a face-down ♥ *15 as the comparison storage cs and the dummy storage ds, respectively. We call the pair consisting of cs and ds storage. She also prepares a sequence of 2n cards (α n,l α n,r , . . . , α 2,l α 2,r , α 1,l α 1,r ), which is a binary representation of her wealth a ∈ [m]. Bob also prepares the sequence of 2n cards (β n,l β n,r , . . . , β 2,l β 2,r , β 1,l β 1,r ), which is the binary representation of his wealth b ∈ [m]. 2) For i = 1, 2, . . . , n, repeat the following operations (2-i)-(2-v): (2-i) Alice privately chooses w ∈ {l, r} uniformly at random. Then, execute the following PP with respect to R bc 2 which is defined in (4) with v = 1: (σ l , σ r ) := PP [2] R bc 2 ((cs, ds), χ eq (w, r)) (12) where χ eq (w, r) = 1 if w = r, and χ eq (w, r) = 0 otherwise. (2-ii) Alice sends Bob (σ l , σ r ) in addition to α i,w . Here, α i,w need not be face down. (2-iii) Bob compares β i,l with α i,w in his mind. If they are different, he privately overwrites σ l with β i,l , otherwise he privately overwrites σ r with β i,l . This operation can be described as the following PP with respect to R ow1 3 := {π 0 , π 1 } where π 0 : (1, 2, 3) (1, 3, 2) and π 1 : (1, 2, 3) (3, 2, 1): (σ l , σ r , η) := PP [3] R ow1 3 ((σ l , σ r , β i,l ), χ eq (β i,l , α i,w )) (13) where χ eq (·, ·) := 1 − χ eq (·, ·). The extra card η is discarded without turning it face up. (2-iv) Bob sends Alice (σ l , σ r ). (2-v) Alice rearranges the storage cards privately depending on the random value w chosen in (2-i), i.e., executes the PP such that PP [2] R bc 2 ((σ l , σ r ), χ eq (w, l)), which is used for the new storage cards (cs, ds). 3) Alice turns cs face up to output. If the card is ♣ , then a ≥ b. Otherwise, a < b. After completing the protocol, ds is discarded without revealing.
Protocol 5 Improvement of Proposed Protocol II 1) Alice prepares two face-down ♣ and two face-down ♥ as the storage. First, let cs = 0, ds = 0, i.e., cs and ds are expressed with two cards respectively. She also prepares one ♣ and one ♥. 2) For i = 1, 2, . . . , n, repeat the following operations.
η := PP where r a ∈ {0, 1} is chosen uniformly at random. 3) Alice turns cs face up to output. If cs = 0, then a ≥ b. Otherwise, a < b.
After completing the protocol, ds is discarded without revealing.