Actively revealing card attack on card-based protocols

In 1989, den Boer presented the first card-based protocol, called the “five-card trick,” that securely computes the AND function using a deck of physical cards via a series of actions such as shuffling and turning over cards. This protocol enables a couple to confirm their mutual love without revealing their individual feelings. During such a secure computation protocol, it is important to keep any information about the inputs secret. Almost all existing card-based protocols are secure under the assumption that all players participating in a protocol are semi-honest or covert, i.e., they do not deviate from the protocol if there is a chance that they will be caught when cheating. In this paper, we consider a more malicious attack in which a player as an active adversary can reveal cards illegally without any hesitation. Against such an actively revealing card attack, we define the t-secureness, meaning that no information about the inputs leaks even if at most t cards are revealed illegally. We then actually design t-secure AND protocols. Thus, our contribution is the construction of the first formal framework to handle actively revealing card attacks as well as their countermeasures.

1. According to the encoding rule: ♣ ♥ = 0 and ♥ ♣ = 1, Alice commits her private bit a to two face-down cards of different colors (♣, ♥) without anyone else seeing the order of the two cards: Such a pair of face-down cards is called a commitment to a. Similarly, Bob places a commitment to b on the table. Therefore, together with the remaining red card ♥ , the initial sequence of the five cards is 3. Swap the first and second cards (from the left), namely the two cards constituting the commitment to a; owing to the encoding (1), this action performs the NOT operation such that a commitment to the negation a of a is obtained: It is noteworthy that only when a = b = 1, the three cards in the middle will be ♥ ♥ ♥ . 4. Apply a random cut, denoted by · ; it is a shuffle action to cyclically shift the sequence of cards at random: ? ? ? ? ? → ? ? ? ? ? .
Note that the shift offset is uniformly distributed on {0, 1, 2, 3, 4} and nobody knows the offset 1 . 5. Open all the five cards.
-If three consecutive red cards ♥ ♥ ♥ (apart from cyclic rotation) appear, we have a ∧ b = 1. -If ♥ ♥ ♥ do not appear, we have a ∧ b = 0. This is the five-card trick, which securely computes the AND function, i.e., it reveals only the value of a ∧ b. As an application, for instance, this card-based protocol enables Alice and Bob to confirm their mutual love without revealing their individual feelings.
During such a secure computation protocol, it is important to keep any information about the inputs secret. As seen above, the five-card trick preserves the secrecy of the inputs a, b by virtue of the face-down cards, and the shuffle action eliminates the individual values of the inputs aside from the exact value of a ∧ b. In other words, the five-card trick is secure provided that all players obey the protocol. Similar to the five-card trick, almost all existing card-based protocols (e.g., Mizuki and Sone 2009;Koch et al. 2015;Niemi and Renvall 1998;Mizuki et al. 2012;Ishikawa et al. 2015) are secure under the assumption that all players are semi-honest or covert, i.e., they do not deviate from the protocol if there is a chance that they will be caught when cheating. In most cases, a card-based protocol is executed completely publicly with all eyes fixed on how the cards are manipulated, and hence, any illegal actions by the players (or others) will be noticed (Mizuki and Shizuya 2014b); thus, any semi-honest or covert player always follows the protocol.
By contrast, this paper considers a more malicious attack: We assume that one player (e.g., Alice) is an active adversary who may possibly reveal face-down cards illegally without any hesitation. For example, if Alice suddenly reveals the commitment to b at Step 3 during the execution of the fivecard trick, Bob's private input will be leaked immediately. We call such a malicious attack the actively revealing card attack. (It should be noted that active attacks on card-based protocols have been comprehensively discussed in Koch and Walzer (2020).) To the best of our knowledge, this actively revealing card attack has not been studied so far except for using envelopes considered by Koch and Walzer (2020). In their work, we may place each card into an envelope to prevent face-down cards from being revealed illegally. However, using envelopes is not convenient; hence, we solicit another solution that does not rely on any additional tools such as envelopes. Thus, we have to devise a method to keep individual players' inputs secret even if some of the face-down cards are revealed maliciously. To this end, we borrow an idea from secret sharing schemes (Shamir 1979) such that each input commitment will be split into several "share" commitments. Specifically, as the "revealing-card tolerance," we introduce the concept of "t-secureness" in which any information regarding the inputs will be preserved even if at most t cards are revealed maliciously. Subsequently, we design a 1-secure AND protocol as well as a general t-secure AND protocol. Thus, our main contribution is to construct the first formal framework to handle actively revealing card attacks and their countermeasures.
This paper focuses on non-committed format protocols that specify the output value by revealing some face-down cards, as shown in the five-card trick (or in others, e.g., Mizuki et al. 2012). By contrast, there are committed format protocols that produce commitments (consisting of facedown cards) as the output (e.g., Mizuki and Sone 2009;Stiglic 2001;Niemi and Renvall 1998;Crépeau and Kilian 1994): Because the output is hidden owing to the face-down cards, during such a committed format protocol, information regarding the input as well as output will not be leaked. Meanwhile, committed format protocols have been formalized well; no formal treatment of non-committed format protocols has been reported (note that because a committed format protocol does not leak any information, it suffices to consider perfect secrecy; meanwhile, a non-committed format protocol needs to leak some information regarding the input to reveal the output value, and hence, a more careful treatment is required). Herein, we first formalize a non-committed format protocol. This formalization is one of our major results.
It is noteworthy that Mizuki and Shizuya (2014b) previously adopted a similar idea to deal with the situation where some of the cards may be flawed, i.e., the cards may have scuff marks on their backs (undoubtedly, the problem of flawed cards is different from that of the actively revealing card attack, but they may share some common features). Because this previous work (Mizuki and Shizuya 2014b) considered only committed format protocols, it is interest-ing future work to apply the technique proposed herein to design "scuff-proof" non-committed format protocols.
The remainder of this paper is organized as follows. In Sect. 2, we briefly introduce a formal approach for describing a card-based protocol. In Sect. 3, we formally define a non-committed format protocol. In Sect. 4, we define the tsecureness against the actively revealing card attack. In Sect. 5, we construct a 1-secure AND protocol and confirm its security. In Sect. 6, we construct a t-secure AND protocol and confirm its security. Finally, the paper is concluded in Sect. 7.
An earlier version of this paper was presented and appeared as a conference paper (Takashima et al. 2019). The main difference is twofold. First, we have expended Sect. 5 to elaborate on our 1-secure AND protocol; especially, Figs 2, 3 and 4 are new materials. Second, we have added Sect. 6 to extend our 1-secure AND protocol to a general t-secure one so that t-secureness can be achieved. In addition, we have enhanced the definitions of security in a more rigorous way in Sect. 4.

Preliminaries
In this section, we present the way to formally describe a card-based protocol.
The computational model of card-based protocols has been formalized via abstract machine Shizuya 2014a, 2017;Koch et al. 2015). Roughly speaking, a protocol consists of a series of three actions: turn, perm, and shuf actions, along with a sequence of cards.
Consider a sequence of d cards. A turn action is specified by a set T ⊆ {1, 2, . . . , d} of positions of cards; the action (turn, T ) turns over every card whose position is in T . A perm action is specified by a permutation π ∈ S d , where S d denotes the symmetric group of degree d; the action (perm, π) rearranges the positions of d cards according to π . A shuf action is specified by a set ⊆ S d of permutations; the action (shuf, ) probabilistically rearranges the positions of d cards according to a permutation π uniformly drawn from . We call a protocol using exactly d cards a d-card protocol.
To illustrate, recall the execution of the five-card trick (den Boer 1990) presented in the previous section. It uses two types of cards, ♣ and ♥ , whose backs are ? . All cards of the same type are indistinguishable. The five-card trick, which is a 5-card protocol, starts with a sequence of five cards: ? ?
Step 5 is (turn, {1, 2, 3, 4, 5}). To discuss the correctness and security of protocols, we use the concept of statuses of a protocol. For example, the initial status of the five-card trick (as in Eq. (2)) is described as follows: where p i j denotes the probability that input (a, b) is equal to (i, j) for every (i, j) ∈ {0, 1} 2 ; in other words, ( p 00 , p 01 , p 10 , p 11 ) denotes a probability distribution on the input set {0, 1} 2 . The status above consists of four entries, each of which is a pair of a symbol sequence (such as ♣♥♣♥♥) and a probability trace (such as ( p 00 , 0, 0, 0); the first entry means that the symbol sequence ♣♥♣♥♥ and the event (a, b) = (0, 0) occur with a probability of p 00 (and ♣♥♣♥♥ with (a, b) = (0, 0) never occurs), the second entry means that ♣♥♥♣♥ and (a, b) = (0, 1) occur with a probability of p 01 , and so on. The initial status (and succeeding statuses) are transformed into another status by an action as shown in Fig. 1. In particular, the turn action results in ten "leaf" statuses.
The expression of protocols illustrated in Fig. 1 was established by Koch et al. (2015) where a tree structure specifies a protocol. We modify it slightly using the probability traces introduced by Mizuki and Komano (2018). We call such a tree the (modified) KWH-tree of a protocol. Borrowing a terminology in graph theory, we call the bottom statuses in a KWH-tree the leaf statuses.
Note that in each of the first three statuses (namely, "nonleaf" statuses) depicted in Fig. 1, the (coordinate-wise) sum of all probability traces is equal to ( p 00 , p 01 , p 10 , p 11 ); this guarantees that no information about the input (a, b) will be leaked. Regarding the ten leaf statuses, each of them has only one probability trace, which is either p 00 p 00 + p 01 + p 10 , p 01 p 00 + p 01 + p 10 , p 10 p 00 + p 01 + p 10 , 0 or (0, 0, 0, 1); this implies that any information other than the value of a ∧ b will not be leaked.
During a protocol execution, the "status" captures the joint distribution of (I , S) conditioned on P, where I is the input, S is the current card sequence, and P is the publicly available information. The two distribution above are the distribution To the best of our knowledge, Fig. 1 is the first attempt to depict the KWH-tree of the five-card trick. Because a formal treatment for non-committed format protocols does not exist, we will create such a formal framework, as will be explained in the next section.

Formalizing non-committed format protocols
In this section, we formally define a non-committed format protocol for a Boolean function, based on the encoding (1). First, we define an "n-input protocol," where the first 2n cards on the table are n input commitments.
Definition 1 Let d ≥ 2n for an integer n ≥ 2, and let P be a d-card protocol. We say that P is an n-input protocol if its initial status consists of the following 2 n entries: where α is a symbol sequence of length d −2n. Here, p i , 0 ≤ i ≤ 2 n − 1, is the probability that the n-bit input is equal to the binary expression of i. Furthermore, we call the tuple ( p 0 , . . . , p 2 n −1 ) an input distribution.
Next, we define some properties regarding the statuses.
Definition 2 Let P be an n-input protocol with an input distribution ( p 0 , . . . , p 2 n −1 ), and consider a Boolean function are the preimages of 0 and 1 under f , respectively. -We say that a status S is an output-0 status if the above constants satisfy c 0 = 1 and c 1 = 0, i.e., the sum of its probability traces (q 0 , . . . , q 2 n −1 ) satisfies for every b ∈ {0, 1} n . -We say that a status S is an output-1 status if the above constants satisfy c 0 = 0 and c 1 = 1, i.e., the sum of its probability traces (q 0 , . . . , q 2 n −1 ) satisfies For example, see the leaf statuses in Fig. 1; the five left leaves are output-0 statuses, and the five right leaves are output- We are now ready to formally define a non-committed format protocol. Definition 3 Let P be an n-input protocol, and let f : {0, 1} n → {0, 1} be a Boolean function. We say that P works for f in a non-committed format if the following holds: -every leaf status is either an output-0 status or an output-1 status, and all other statuses are opaque; -P terminates almost surely in a number of actions that is finite in expectation.
One can easily verify that the five-card trick satisfies the conditions in Definition 3.
As seen in Definition 3, this paper focuses on one-bit output functions.

Defining revealing-card tolerance
As mentioned before, this paper considers the active attack where an adversary can reveal some cards without obeying a protocol. Because the execution of a protocol is conducted publicly, it is difficult for an adversary to illegally reveal many cards simultaneously. Thus, we assume that, for a threshold t ≥ 1, such a malicious adversary can reveal at most t cards at most once during an execution of the protocol.
Note that any n-input protocol (defined in Definition 1) cannot be "secure" against the actively revealing card attack because the adversary is able to reveal some cards that constitute the input commitments to obtain the secret values immediately after the protocol starts. Therefore, the input commitments must be masked. To achieve this, we borrow an idea from secret sharing schemes. Hence, instead of directly placing commitments to their private bits, Alice places two commitments to a 1 , a 2 ∈ {0, 1} where a = a 1 ⊕ a 2 , i.e., her private bit a is split into a 1 and a 2 randomly, and Bob places two commitments similarly: ( For such an input sequence, even if at most one card is revealed illegally, the values of a and b will not be leaked. The status of the above input sequence can be written as: By further extending this, we have an (n, t + 1)-input protocol, as in the following Definition 4. Hereinafter, for b ∈ {0, 1} n , b[i] denotes the i-th bit (of the n-bit sequence b).
Definition 4 Let d ≥ 2n(t + 1) for integers n ≥ 2 and t ≥ 1, and let P be a d-card protocol. We say that P is an (n, t + 1)input protocol if its initial status consists of all entries in b∈{0,1} n E b such that 1} is interpreted as a pair of symbols based on the encoding: 0 = ♣♥ and 1 = ♥♣, and α is a symbol sequence of length d − 2n(t + 1).
When implementing an (n, t + 1)-input protocol, each player P i generates t random bits to prepare t + 1 commitments to ? ?
In this case, player P i knows the values of x 1 i through x t+1 i ; for example, for the input (3) above, Alice knows the values of a 1 and a 2 and Bob knows the value of b 1 and b 2 . Taking this into account, we consider KWH-trees "conditioned on player's view," as follows. Let us start with a small example. For the input (3) above, assume that Alice knows that a = (a 1 , a 2 ) = (0, 0), i.e., the first four cards are ♣♥♣♥; then, the "conditioned" status becomes: Following this initial status, we can easily create its KWHtree; we call it the player-view KWH-tree |a = (0, 0). To extend this idea, generally, we can have the player-view KWH-tree |x i =s for i, 1 ≤ i ≤ n, and s ∈ {0, 1} t+1 . (Thus, this paper considers only the case where each player has a one-bit input.) We are now ready to define the "t-secureness" as in the following Definition 7 along with Definitions 5 and 6.
First, Definition 5 is a natural extension of Definitions 2 and 3.
Next, we have to consider "opaque" statuses in a playerview KWH-tree. The reason is as follows. Assume that a = a 1 ⊕ a 2 and b = b 1 ⊕ b 2 , and that we happen to have a commitment to (a 1 ∧ b 1 ) ⊕ (a 1 ∧ b 2 ). If Alice knows a 1 = 1, for instance, revealing this commitment immediately gives Alice the value of b 1 ⊕ b 2 = b; by contract, just knowing the value of (a 1 ∧ b 1 ) ⊕ (a 1 ∧ b 2 ) (without any knowledge about a 1 , b 1 , and b 2 ) does not provide the exact value of b. Therefore, we need the following Definition 6.
Definition 6 Let P be an (n, t + 1)-input protocol. Consider the player-view KWH-tree |x i =s for any i, 1 ≤ i ≤ n, and s ∈ {0, 1} t+1 . A status S is said to be opaque under player's view x i = s if the (coordinate-wise) sum of its probability traces (q 0 , . . . , q 2 n −1 ) satisfies Finally, it suffices to consider any attacks of revealing at most t cards and opaqueness against them under any player's view.
Definition 7 Let P be an (n, t + 1)-input protocol working for a Boolean function f in a non-committed format. We say that P is t-secure if any resulting status from applying any action (turn, T ) with |T | ≤ t to every status of P satisfies one of the followings: -it is an opaque status under x i = s in any player-view KWH-tree |x i =s for every i, 1 ≤ i ≤ n, and s ∈ {0, 1} t+1 ; -it is an output-0 status; -it is an output-1 status.

Our 1-secure AND protocol
In this section, we describe the construction of a 1-secure AND protocol. In Sect. 5.1, we present its outline; our protocol consists of the setup, first, second, and third phases. In Sects. 5.2, 5.3, and 5.4, we provide the details of the first, second, and third phases, respectively.

Outline of our protocol
Because we wish to design a 1-secure AND computation of two variables (namely, n = 2 and t = 1), we should use a (2, 2)-input protocol. Therefore, Alice and Bob create commitments to a 1 , a 2 ∈ {0, 1} and b 1 , b 2 ∈ {0, 1} such that a = a 1 ⊕ a 2 and b = b 1 ⊕ b 2 , respectively. Given such input commitments, to obtain the AND value, it suffices to compute (a 1 ∧b 1 )⊕(a 1 ∧b 2 )⊕(a 2 ∧b 1 )⊕(a 2 ∧b 2 ) = a ∧b. To this end, our protocol proceeds as follows.
Setup phase. Satisfying Definition 4, Alice places two commitments to a 1 and a 2 , and Bob places two commitments to b 1 and b 2 : ? ? Second phase. From three commitments to a 1 , b 1 , and b 2 , make two commitments to a 1 ∧ b 1 and a 1 ∧ b 2 using the existing AND protocol (Mizuki and Shizuya 2014b); similarly, from three commitments to a 2 , b 1 , and b 2 , make two commitments to a 2 ∧ b 1 and a 2 ∧ b 2 : ? ?
Here, we analyze the security of the setup phase. There are 16 possibilities for (a 1 , a 2 , b 1 , b 2 ) ∈ {0, 1} 4 , and as seen in Sect. 4, the initial status can be written as the first four columns and the last column in Table 1. From this, one can obtain any player-view KWH-tree |x i =s for every i, 1 ≤ i ≤ 2, and s ∈ {0, 1} 2 , such as the status (4) above. For example, if Alice knowing a 1 = a 2 = 0 is malicious and reveals the fifth card illegally, the resulting status becomes either ( p 00 + p 01 ) , 0, 0 , and one can confirm that both of them are opaque under x 1 = (0, 0). In this way, one can easily confirm that an action (turn, { j}) for any j results in an opaque status under x i = s (in any player-view KWH-tree). Note that (turn, { j}) reveals (at most) one bit among a 1 , a 2 , b 1 , b 2 .

First phase
In this phase, we duplicate the commitments to b 1 and b 2 . To this end, we use the existing COPY protocol (Mizuki and Sone 2009) whose KWH-tree is shown in Fig. 2; it performs the following: ? ?
By executing the COPY protocol twice, we have During this first phase, an action (turn, { j}) for any j reveals at most one bit among b 1 and b 2 ; hence, similar to the setup phase, any resulting status from an illegal revealment will be opaque under every player's view. Fig. 2 The KWH-tree of the existing COPY protocol (Mizuki and Sone 2009)

Second phase
In this phase, we use the existing AND protocol (Mizuki and Shizuya 2014b): ? ?  Figure 3 is the KWH-tree of this AND protocol. We destroy the commitments to x ∧ y and x ∧ z by shuffling each of them.
By executing the AND protocol twice, we have During this second phase, an action (turn, { j}) for any j reveals at most one bit among a 1 , a 2 , b 1 , b 2 , a 1 ∧ b 1 , a 1 ∧  b 2 , a 2 ∧b 1 , a 2 ∧b 2 , a 1 ∧b 1 , a 1 ∧b 2 , a 2 ∧b 1 , a 2 ∧b 2 ; Table 1 implies that any illegal resulting status will be opaque under every player's view. For example, suppose that Alice knows a 1 = a 2 = 1 and she reveals the value of a 1 ∧ b 1 = 0; then, there are two entries for (a 1 , a 2 , a 1 ∧ b 1 ) = (1, 1, 0) in Table 1 (namely, the fourth and eighth rows), from which   we can calculate that the sum of the probability traces of the current status is ( p 00 p 00 + p 01 , p 01 p 00 + p 01 , 0, 0).

Third phase
In this phase, we compute ( Note that the number of commitments to 1 among the four commitments can be 0, 1, 2, or 4 (as known from Table 1) and that the number is 1 if and only if a ∧ b = 1.
1. Negate the commitment to a 1 ∧ b 1 by (perm, (1 2)): Note that the number of commitments to 1 among the four commitments can be 0, 1, 2, or 3 and that the number is 0 or 2 if and only if a ∧ b = 1. 2. By this step along with the next two steps, we add a common random bit to the four commitments. Rearrange the sequence of the eight cards by (perm, (2 5 3)(4 6 7)): 6. Reveal all the cards by (turn, {1, 2, 3, 4, 5, 6, 7, 8}). Then, count the commitments : -If the number of commitments to 1 is odd, a ∧ b = 0.
-If the number of commitments to 1 is even, a ∧ b = 1.
The KWH-tree of our XOR subprotocol, which implies the correctness and secrecy, is shown in Fig. 4.
During this third phase, an action (turn, { j}) for any j reveals at most one bit among a 1 ∧ b 1 , a 1 ∧ b 2 , a 2 ∧ b 1 , and a 2 ∧ b 2 ; Table 1 implies that any illegal resulting status from the statuses except for the leaf statuses will be opaque (under any player's view) and any illegal resulting status from the leaf statuses will be an output-0 status or an output-1 status.
To summarize, our 1-secure AND protocol satisfies Definition 7; hence, it is proved to be 1-secure.

Our t-secure AND protocol
We extend our 1-secure AND protocol presented in Sect. 5 to a general one so that we have a t-secure AND protocol in this section.

Idea
To construct a t-secure AND protocol, let us first consider how to construct a 2-secure AND protocol. As our 1-secure AND protocol (shown in Sect. 5) does, we make Alice's private bit a be split into a 1 , a 2 , and a 3 randomly, and make Bob's private bit b be split similarly. Then, one should consider the following formula (by virtue of the distributivity in the field {{0, 1}, ⊕, ∧}): Remember that in our 1-secure AND protocol, we directly compute (a 1 ∧ b 1 ) ⊕ (a 1 ∧ b 2 ) ⊕ (a 2 ∧ b 1 ) ⊕ (a 2 ∧ b 2 ) by using our specialized 4-bit XOR subprotocol. Because it seems somewhat difficult to construct such a specialized 9-bit XOR subprotocol, we consider the use of the existing XOR protocol (Mizuki and Sone 2009), by which we can Fig. 4 The KWH-tree of our specialized 4-bit XOR subprotocol obtain a commitment to x ⊕ y from two given commitments to x and y.
To compute a ∧ b according to Eq. (6), it is natural to first make a commitment to (a 1 ∧ b 1 ) ⊕ (a 1 ∧ b 2 ). However, note that this commitment has information about b 1 and b 2 ; if Alice knows a 1 = 1 for example, the value of this commitment implies b 1 ⊕ b 2 and the value of a commitment to a 1 ∧ b 3 implies b 3 . Therefore, Alice can learn the value of b 1 ⊕ b 2 ⊕ b 3 = b by revealing the corresponding two cards maliciously as soon as such commitments are produced. That is, 2-secureness cannot be realized by just using the existing XOR protocol, based on Eq. (6). To overcome this, it suffices to add two random bits r 1 and r 2 . That is, we can consider the following formula: Based on the above idea, the construction of our 2-secure AND protocol is as follows.
where r 1 and r 2 are uniformly distributed random bits. Make a single commitment to r 1 ⊕ r 2 using the existing XOR protocol (Mizuki and Sone 2009) We call this commitment the accumulator A, which will be updated by adding a i ∧ b j as in Eq. (7). 2. Make two copied commitments to each of b 1 , b 2 , and b 3 using the existing COPY protocol (Mizuki and Sone 2009). 3. Make three commitments to (a 1 ∧ b 1 ), (a 1 ∧ b 2 ), and (a 1 ∧ b 3 ) using the existing AND protocol (Mizuki and Shizuya 2014b). 4. Make a commitment to A ⊕ (a 1 ∧ b 1 ) using the existing XOR protocol (Mizuki and Sone 2009):
We regard the obtained commitment as the accumulator A:=A ⊕ (a 1 ∧ b 1 ). Similarly, we add a 1 ∧ b 2 and a 1 ∧ b 3 to A one by one. 5. In a similar manner, add everything from a 2 ∧b 1 to a 3 ∧b 3 to the accumulator A. 6. Reveal the accumulator A and the commitments to r 1 and r 2 . The parity of all the revealed values is equal to a ∧ b.
Intuitively, this protocol is 2-secure because to learn the values added to the accumulator A, one has to reveal the values of the three commitments, namely the accumulator A and commitments to r 1 and r 2 . We will show the t-secureness in Sect. 6.4; roughly speaking, revealing two values among available commitments does not recover the value of b. Finally, let us extend the above idea to realize t-secureness. First, we make an input private bit a be split into t + 1 bits a 1 , a 2 , . . . , a t+1 . Similarly, we make b be split into t +1 bits. Then, to compute a ∧ b, we consider the following formula: To compute this, we make t + 1 commitments, namely the accumulator A = r 1 ⊕ · · · ⊕ r t and commitments to r i , 1 ≤ i ≤ t. Then, we add everything from a 1 ∧ b 1 to a t+1 ∧ b t+1 to the accumulator A.

Procedure of our t-secure AND protocol
Based on the idea explained in Sect. 6.1, our t-secure AND protocol proceeds as follows.
where r i , 1 ≤ i ≤ t, is a uniformly distributed random bit. Make a single commitment to the accumulator A = r 1 ⊕ · · · ⊕ r t using the existing XOR protocol (Mizuki and Sone 2009) t − 1 times: 3. Make two copied commitments to each of b j , 1 ≤ j ≤ t +1, using the existing COPY protocol (Mizuki and Sone 2009). 4. Make commitments to a 1 ∧ b j , 1 ≤ j ≤ t + 1, using the existing AND protocol (Mizuki and Shizuya 2014b). 5. Make a commitment to A ⊕ (a 1 ∧ b 1 ) using the existing XOR protocol (Mizuki and Sone 2009):
We regard the obtained commitment as the accumulator A:=A⊕(a 1 ∧b 1 ). Similarly, we add a 1 ∧b k , 2 ≤ k ≤ t+1, to A one by one. 6. In a similar manner, add everything from a 2 ∧b 1 to a t+1 ∧ b t+1 to the accumulator A. (For a t+1 , making two copied commitments to each of b j is not needed.) 7. Reveal the accumulator A and the commitments to r i , 1 ≤ i ≤ t. The parity of all the revealed values is equal to a ∧ b.

Evaluation
Let us count the number of required cards for our t-secure AND protocol presented in Sect. 6.2. In Step 1, 4(t + 1) cards are needed. In Step 2, 4t cards are needed. Note that 2(t − 1) revealed cards which arise during the existing XOR protocol (Mizuki and Sone 2009) can be reused for the next step. In Step 3, we need four additional cards to make two copied commitments to b 1 by using the existing COPY protocol (Mizuki and Sone 2009). In this protocol, two cards should be revealed, and we can reuse them to make two copied commitments to b 2 and so on. That is, 4+2t cards are needed. Since 2(t − 1) cards are left in the previous step, we need six more cards in this step. In Step 4, since the existing AND protocol (Mizuki and Shizuya 2014b) requires four additional cards, we need two more cards along with two cards revealed in the previous step. In this step, six cards are revealed and can be reused. In Step 5, since the existing XOR protocol (Mizuki and Sone 2009) is used t + 1 times, 2(t + 1) cards (along with the six cards revealed in the previous step) can be reused for the next step. In Step 6, for a i , 2 ≤ i ≤ t, to make two copied commitments to each of b j , 1 ≤ j ≤ t + 1, we need 4 + 2t cards as mentioned before. Since 2(t + 1) + 6 cards are left, no more card is needed. In total, 4(t + 1) + 4t + 6 + 2 = 8t + 12 cards are needed. Let us count the number of required shuffles. In our protocol, we use the existing AND, XOR, and COPY protocols (Mizuki and Sone 2009;Mizuki and Shizuya 2014b). Each of them needs one shuffle to execute. In Step 2, we apply a random cut t times and execute the existing XOR protocol t −1 times. In Step 3, we execute the existing COPY protocol t + 1 times. In Step 4, we execute the existing AND protocol and destroy the unnecessary two commitments by shuffling all of them. In Step 5, we execute the existing XOR protocol t + 1 times. In Step 6, for a i , 2 ≤ i ≤ t + 1, we execute the existing COPY protocol t + 1 times (except for the case of i = t + 1), the existing AND protocol (along with destroying commitments), and the existing XOR protocol t +1 times. In total, t +t −1+t(t +1+2 +t +1)+2 +t +1 = 2t 2 +7t +2 shuffles are needed.
Our 1-secure AND protocol uses 16 cards and 8 shuffles, and our t-secure AND protocol (when t = 1) uses 20 cards and 11 shuffles. The difference is that, while the former (1-secure) one uses our specialized 4-bit XOR subprotocol (where a shuffle is applied twice), the later (t-secure) one creates two pairs of t random commitments (where a shuffle is applied once) and adds the value of a i ∧ b j for all i and j, 1 ≤ i, j ≤ t + 1, to the accumulator one by one (where a shuffle is applied four times).

Security of our protocol
In this subsection, we show that our protocol presented in Sect. 6.2 is t-secure (recall Definition 7).
Without loss of generality, suppose that Alice will reveal t cards illegally. During our protocol, commitments to a i ∧ b j , 1 ≤ i, j ≤ t + 1, will appear; if a i = 0, those commitments always have the value of 0. Therefore, we assume for now that Alice knows a i = 1 for all i. That is, we consider the KWH-tree |x 1 =(1,1,...,1) . Then, during the protocol, pos-sibly available commitments (to be revealed by Alice) are "shares" b 1 , . . . , b t+1 , the accumulator A, and random bits r 1 , . . . , r t . If Alice reveals t values from b 1 , . . . , b t+1 and r 1 , . . . , r t (without A), then the resulting status is still opaque obviously. Therefore, we may assume that Alice reveals the accumulator A. Now, Alice can reveal t − 1 more commitments. There are two cases to consider.
Without loss of generality, assume that A does not contain b 1 . Then, reveal all cards except for b 1 and r 1 . In a similar way to Case 1, we can show that the resulting status is opaque.

Conclusion
In this paper, we first described the KWH-tree of the fivecard trick and formally defined non-committed protocols. Against the actively revealing card attack, we defined the t-secureness and presented a 1-secure AND protocol and a general t-secure AND protocol. We assume in this paper that players' inputs are one-bit and they want to securely compute a one-bit output function. Thus, extending the results to the case of multiple bits is an intriguing direction for future research. Furthermore, considering actively revealing attacks on other problems or models (e.g., Ono and Manabe 2020; Ruangwises and Itoh 2020; Shinagawa and Nuida 2021;Sasaki et al. 2020;Miyahara et al. 2020;Takashima et al. 2020;Koch et al. 2019;Ibaraki and Manabe 2016;Ono and Manabe 2019;Ono and Manabe 2018) will be future work in the research area of card-based cryptography.