Post on 19-Oct-2020
1 2015-12-03 Koch, Walzer - Card-based Cryptographic Protocols Using a Minimal Number of Cards
KIT
DEPARTMENT OF INFORMATICS, INSTITUTE OF THEORETICAL INFORMATICS
Card-based Cryptographic Protocols Using a Minimal Number of Cards
Alexander Koch, Stefan Walzer, Kevin Härtel [asiacrypt/KochWH15]
KIT – University of the State of Baden-Wuerttemberg and National Research Center of the Helmholtz Association www.kit.edu
Motivating Scenario I
Secrets: Do I love him/her?
To compute: Is there mutual affection?
Secure 2-party AND without computers
Trusted Computation
Motivating Scenario II
Hey, help me compute y^d mod n.
Sure, just tell me...
I’m not telling you y, d or n.
Nor may you know the result.
Sure, I’ll get some cards.
Setting and Goal
Two types of indistinguishable cards: Heart ♥ and club ♣ with backside .
Encode bits as
♣ ♥ =̂ 0
♥ ♣ =̂ 1
Our goal (“committed format”)
Take face-down input (bits a, b)
Compute face-down output (a ∧ b)
Learn nothing about the input or output during protocol run.
The if-then-else Operator
Definition
(if a then b else c) := b if a = 1, c if a = 0
Also known as: (a ? b : c)
Note:
(a ∧ b) ≡ (if a then b else 0)
(if a then b else c) ≡ (if ¬a then c else b)
Computing “if a then b else c” (cmp. [faw/MizukiS09])
Conceptually
Input: a, b, c
With equal probability set (a′, b′, c′) = (a, b, c) or (a′, b′, c′) = (¬a, c, b)
Test a′
a′ = 1: return b′
a′ = 0: return c′

With Cards
Input: face-down card pairs for a, b, c
With equal probability do either nothing or [figure]
Turn 1,2
♥ ♣: [figure, with the output cards marked]
♣ ♥: [figure, with the output cards marked]
Can we do better than six cards?
Main Question: How many cards are needed to compute a ∧ b, where
Input and output are encoded as ♥ ♣ = 1, ♣ ♥ = 0.
We are and remain oblivious of input and output.
Our Results
4 cards (Model of Mizuki & Shizuya)
5 cards (MS but a-priori bound runtime)
Not yet published
probably 6 cards (MS but only “uniform closed” shuffles)
4 cards (Player-Perm model)
Computational Model
Based on ijisec/MizukiS14
Operations
(perm, π). Apply permutation π to the sequence of cards.
(shuffle, Π, F). Apply permutation π ∈ Π, drawn according to F. Note: We don’t know which π was chosen!
(turn, T). Reveal cards in positions given by T.
(result, b1, b2). Output cards in positions b1, b2.
Correctness: Cards given by the result operation always encode the correct output bit.
Security: The observations (made during turns) are stochastically independent of input and output.
State Transitions: The Six-Card Protocol
start state
♥♣♥♣♣♥ X11
♥♣♣♥♣♥ X10
♣♥♥♣♣♥ X01
♣♥♣♥♣♥ X00

(shuffle, {id, (1 2)(3 5)(4 6)})
♥♣♥♣♣♥ 1/2 X11
♥♣♣♥♣♥ 1/2 X10 + 1/2 X00
♣♥♥♣♣♥ 1/2 X01
♣♥♣♥♣♥ 1/2 X00 + 1/2 X10
♣♥♣♥♥♣ 1/2 X11
♥♣♣♥♥♣ 1/2 X01

(turn, {1,2})

♥ ♣ revealed:
♥♣♥♣♣♥ X11
♥♣♣♥♣♥ X10 + X00
♥♣♣♥♥♣ X01
(result, 3, 4) ✓

♣ ♥ revealed:
♣♥♣♥♥♣ X11
♣♥♣♥♣♥ X10 + X00
♣♥♥♣♣♥ X01
(result, 5, 6) ✓

Protocol State: Annotate currently possible sequences with probability in terms of symbolic input prob. Xij = Pr[a = i, b = j]
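The state bookkeeping on this slide can be mechanised. The following Python sketch is an added example, not code from the talk or the paper: it tracks each sequence with its coefficients of Xij, applies the shuffle and turn operations of the computational model, and checks the slides' correctness and security conditions for the six-card protocol. All function names are this example's own; cycles are read as "the card at position c[i] moves to position c[i+1]", which is an assumption that does not matter for the involutions used here.

```python
from fractions import Fraction
from itertools import product

HEART, CLUB = "♥", "♣"
INPUTS = list(product((0, 1), repeat=2))  # all (a, b)

def enc(bit):
    """Committed format from the slides: ♥♣ = 1, ♣♥ = 0."""
    return HEART + CLUB if bit else CLUB + HEART

def cycles(n, *cycs):
    """Permutation of n positions from 1-based cycles; card at c[i] moves to c[i+1]."""
    image = list(range(n))
    for c in cycs:
        for i, src in enumerate(c):
            image[src - 1] = c[(i + 1) % len(c)] - 1
    return tuple(image)

def permute(perm, seq):
    out = [None] * len(seq)
    for src, dst in enumerate(perm):
        out[dst] = seq[src]
    return "".join(out)

def start_state(helper_cards):
    """State = {card sequence: {(a, b): coefficient of X_ab}}, as on the slide."""
    return {enc(a) + enc(b) + helper_cards: {(a, b): Fraction(1)} for a, b in INPUTS}

def shuffle(state, dist):
    """(shuffle, Π, F) with dist = {π: F(π)}; (perm, π) is the special case {π: 1}."""
    new = {}
    for seq, coeffs in state.items():
        for perm, p in dist.items():
            target = new.setdefault(permute(perm, seq), {})
            for inp, c in coeffs.items():
                target[inp] = target.get(inp, 0) + p * c
    return new

def turn(state, positions):
    """(turn, T): return {observation: (probability, conditional state)}.

    Raises ValueError when Pr[observation] differs between inputs, i.e. when
    the revealed cards are not independent of (a, b).
    """
    groups = {}
    for seq, coeffs in state.items():
        seen = "".join(seq[p - 1] for p in positions)
        groups.setdefault(seen, {})[seq] = coeffs
    branches = {}
    for seen, sub in groups.items():
        pr = {inp: sum(c.get(inp, 0) for c in sub.values()) for inp in INPUTS}
        if len(set(pr.values())) != 1:
            raise ValueError(f"turn {positions} leaks the input: Pr[{seen}] = {pr}")
        p = pr[INPUTS[0]]
        branches[seen] = (p, {s: {i: c / p for i, c in cs.items()}
                              for s, cs in sub.items()})
    return branches

def result_ok(state, p1, p2):
    """(result, p1, p2): every possible sequence must encode a AND b at p1, p2."""
    return all(seq[p1 - 1] + seq[p2 - 1] == enc(a & b)
               for seq, coeffs in state.items()
               for (a, b), c in coeffs.items() if c)

def six_card_and():
    """Run the six-card protocol from the slide; the third pair is a fixed 0."""
    state = start_state(enc(0))
    swap = cycles(6, (1, 2), (3, 5), (4, 6))
    state = shuffle(state, {cycles(6): Fraction(1, 2), swap: Fraction(1, 2)})
    outputs = {enc(1): (3, 4), enc(0): (5, 6)}  # revealed pair -> result positions
    return {seen: (p, result_ok(sub, *outputs[seen]))
            for seen, (p, sub) in turn(state, (1, 2)).items()}

def unshuffled_turn_leaks():
    """Negative case: revealing cards 1, 2 without the shuffle exposes a."""
    try:
        turn(start_state(enc(0)), (1, 2))
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    for seen, (p, ok) in six_card_and().items():
        print(f"revealed {seen}: probability {p}, output correct: {ok}")
    print("turn without shuffle leaks:", unshuffled_turn_leaks())
```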
Impossibility Result
Theorem
There is no secure finite-runtime four-card AND protocol
Proof Idea
Each sequence belongs either to output 0 or to 1.
An i|j-state has i 0-sequences and j 1-sequences.
Define non-reachable “good” states:
[Figure: start state, “bad” states, “good” states (not possible by turn/shuffle), final states]

start type: 3|1
♥♣♥♣ X11
♥♣♣♥ X10
♣♥♥♣ X01
♣♥♣♥ X00

e.g. 2|2 state:
♣♥♥♣ X01 + X00
♣♥♣♥ X10
♥♣♣♥ 1/2 X11
♥↑♣↑♥♣ 1/2 X11
Proof Idea – Single Card Turns
[Figure: state types 1|1; 2|1, 1|2 without const pos; 2|2; 2|1, 1|2 with const pos; 3|1, 1|3; 4|1, 1|4; 5|1, 1|5; 2|3, 3|2; 2|4, 4|2, 3|3, divided into “bad” states and “good” states]
Observation 1. After turn: with const pos. and ≤ 3 sequences.
Observation 2. Turnable states are i|j with i, j ≥ 2.
Observation 3. W.l.o.g. consider only turnable states with i ≥ j that are bad.
Proof Idea – Shuffles
[Figure: state types 1|1; 2|1, 1|2 without const pos; 2|2; 2|1, 1|2 with const pos; 3|1, 1|3; 4|1, 1|4; 5|1, 1|5; 2|3, 3|2; 2|4, 4|2, 3|3, divided into “bad” states and “good” states, annotated with “??”]
s0: ♥♥♣♣
s′0: ♥♣♥♣
s1: ♥♣♣♥
s′′0: ♣♥♣♥
s′1: ♣♥♣♥
p = ½
Observation 1. Shuffles increase #sequences per type
Apply (shuffle, Π, F) to this state.
Case 1: All π ∈ Π put constant column to same position. ⟹ the resulting state still has a constant column.
Case 2: There are π1, π2 ∈ Π putting the const. col. in different pos. ⟹ the resulting state has at least 5 sequences.
Our Four-Card Protocol
start state
♥♣♥♣ X11
♥♣♣♥ X10
♣♥♥♣ X01
♣♥♣♥ X00

(shuffle, {id, (1 3)(2 4), (2 3), (1 2 4 3)})
♥♥♣♣ 1/2 X11
♥♣♥♣ 1/2 X11
♣♥♥♣ 1/2 X10 + 1/2 X01
♥♣♣♥ 1/2 X10 + 1/2 X01
♣♥♣♥ 1/2 X00
♣♣♥♥ 1/2 X00

(turn, {2})

(turn, {2}), ♥ revealed:
♥♥♣♣ X11
♣♥♥♣ X10 + X01
♣♥♣♥ X00

(shuffle, {id, (3 4)})
♥♥♣♣ X1
♣♥♥♣ 1/2 X0
♣♥♣♥ 1/2 X0

(shuffle, {id, (1 3)(2 4)}, F), F: id ↦ 1/3, (1 3)(2 4) ↦ 2/3
♥♥♣♣ 1/3 X1
♣♣♥♥ 2/3 X1
♣♥♥♣ 1/6 X0
♥♣♣♥ 1/3 X0
♣♥♣♥ 1/2 X0

(turn, {1})

(turn, {1}), ♥ revealed:
♥♥♣♣ X1
♥♣♣♥ X0
(result, 2, 4) ✓

(turn, {1}), ♣ revealed:
♣♣♥♥ X1
♣♥♥♣ 1/4 X0
♣♥♣♥ 3/4 X0

(shuffle, {id, (3 4)})
♣♣♥♥ X1
♣♥♥♣ 1/2 X0
♣♥♣♥ 1/2 X0

(perm, (1 2 4 3))

(turn, {2}), ♣ revealed:
♥♣♥♣ X11
♥♣♣♥ X10 + X01
♣♣♥♥ X00

(shuffle, {id, (1 3)})
♥♣♥♣ X1
♥♣♣♥ 1/2 X0
♣♣♥♥ 1/2 X0

(shuffle, {id, (1 2)(3 4)}, F), F: id ↦ 1/3, (1 2)(3 4) ↦ 2/3
♥♣♥♣ 1/3 X1
♣♥♣♥ 2/3 X1
♥♣♣♥ 1/6 X0
♣♥♥♣ 1/3 X0
♣♣♥♥ 1/2 X0

(turn, {4})

(turn, {4}), ♣ revealed:
♥♣♥♣ X1
♣♥♥♣ X0
(result, 1, 2) ✓

(turn, {4}), ♥ revealed:
♣♥♣♥ X1
♥♣♣♥ 1/4 X0
♣♣♥♥ 3/4 X0

(shuffle, {id, (1 3)})
♣♥♣♥ X1
♥♣♣♥ 1/2 X0
♣♣♥♥ 1/2 X0

(perm, (1 3 4 2))
Our Five-Card Protocol
start state
♥♣♥♣♥ X11
♥♣♣♥♥ X10
♣♥♥♣♥ X01
♣♥♣♥♥ X00

(shuffle, {id, (1 3)(2 4), (2 3), (1 2 4 3)})
♥♥♣♣♥ 1/2 X11
♥♣♥♣♥ 1/2 X11
♣♥♥♣♥ 1/2 X10 + 1/2 X01
♥♣♣♥♥ 1/2 X10 + 1/2 X01
♣♥♣♥♥ 1/2 X00
♣♣♥♥♥ 1/2 X00

(turn, {2})

(turn, {2}), ♥ revealed:
♥♥♣♣♥ X11
♣♥♥♣♥ X10 + X01
♣♥♣♥♥ X00

(shuffle, {id, (3 4)})
♥♥♣♣♥ X1
♣♥♥♣♥ 1/2 X0
♣♥♣♥♥ 1/2 X0

(shuffle, {id, (1 3)(2 4)}, F), F: id ↦ 1/3, (1 3)(2 4) ↦ 2/3
♥♥♣♣♥ 1/3 X1
♣♣♥♥♥ 2/3 X1
♣♥♥♣♥ 1/6 X0
♥♣♣♥♥ 1/3 X0
♣♥♣♥♥ 1/2 X0

(turn, {1})

(turn, {1}), ♥ revealed:
♥♥♣♣♥ X1
♥♣♣♥♥ X0
(result, 2, 4) ✓

(turn, {1}), ♣ revealed:
♣♣♥♥♥ X1
♣♥♥♣♥ 1/4 X0
♣♥♣♥♥ 3/4 X0

(shuffle, {id, (3 4)})
♣♣♥♥♥ X1
♣♥♥♣♥ 1/2 X0
♣♥♣♥♥ 1/2 X0

(perm, (1 2 4 3))

(turn, {2}), ♣ revealed:
♥♣♥♣♥ X11
♥♣♣♥♥ X10 + X01
♣♣♥♥♥ X00

(shuffle, {id, (1 3)})
♥♣♥♣♥ X1
♥♣♣♥♥ 1/2 X0
♣♣♥♥♥ 1/2 X0

(perm, (1 5 2 4)), (shuffle, {id, (5 4 3 2 1)}, F), F: id ↦ 2/3, (5 4 3 2 1) ↦ 1/3
♣♥♥♣♥ 2/3 X1
♥♥♣♥♣ 1/3 X1
♥♥♣♣♥ 1/2 X0
♥♣♣♥♥ 1/6 X0
♥♥♥♣♣ 1/3 X0

(turn, {5})

(turn, {5}), ♣ revealed:
♥♥♣♥♣ X1
♥♥♥♣♣ X0
(result, 4, 3) ✓

(turn, {5}), ♥ revealed:
♣♥♥♣♥ X1
♥♥♣♣♥ 3/4 X0
♥♣♣♥♥ 1/4 X0
(result, 3, 1) ✓
On the Issue of Shuffling
Problem: How to rearrange cards (with your hands) s.t. you don’t know what you did after you did it?
p = 1/3: do nothing
p = 2/3: Rotate by 1
We have three answers:
Restrict to plausible subset of shuffles.
Explain the problem away, suggesting additional tools.
Use two players knowing different things about the computation.
Answer 1: Restrict to “Uniform Closed” Shuffles
uniform distribution on a (sub-)group of permutations
Example: Swapping with p = 1/2
p = 1/2: do nothing
p = 1/2: (1,2) ↔ (3,4)
Example: The shuffle from the six-card protocol
p = 1/2: do nothing
p = 1/2: (1) ↔ (2), (3,4) ↔ (5,6)
Example: Random Cyclic Shift
p = 1/4: Rotate by 0
p = 1/4: Rotate by 1
p = 1/4: Rotate by 2
p = 1/4: Rotate by 3
Note: Repeating those shuffles doesn’t hurt (S ◦ S = S).
Do it till you lost track.
With several people: Take turns looking away.
Conjecture. With only such “uniform closed” shuffles: Six cards are needed for AND.
Answer 2: Two Players + 2-Sided Lottery Tickets
Works for all shuffles with rational probabilities.
p = 1/3: do nothing
p = 2/3: Rotate by 1
Ticket has X on front and Y on back.
Player 1 sees X and rotates by X.
Player 2 sees Y and rotates by Y.
Create one ticket for each column:
X      0 0 0 1 1 1 2 2 2 3 3 3
Y      1 1 0 0 0 3 3 3 2 2 2 1
X + Y  1 1 0 1 1 0 1 1 0 1 1 0
Example ticket: X = 2, Y = 3
Knowing only X (or Y) gives no info about X + Y.
I(X; X + Y) = 0
I(Y; X + Y) = 0
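The ticket table can be generated and checked mechanically. This Python sketch is an added example, not code from the talk: it assumes the construction rule Y = s − X mod n (inferred from the table, with sums taken modulo 4 as the X + Y row implies), generalises it to any multiset of target rotations, and computes both mutual informations. The function names and the leaky counter-example are constructed for illustration.

```python
from collections import Counter
from fractions import Fraction
from math import log2

def make_tickets(n, sums):
    """One ticket (X, Y) per pair (x, s) with Y = s - x mod n, so X + Y = s mod n.

    `sums` is a multiset of target rotations; a value's share of the list is
    its probability, which covers any rational distribution.
    """
    return [(x, (s - x) % n) for x in range(n) for s in sums]

def mutual_information(pairs):
    """I(U; V) in bits for a uniformly drawn element of pairs = [(u, v), ...]."""
    total = len(pairs)
    joint = Counter(pairs)
    pu = Counter(u for u, _ in pairs)
    pv = Counter(v for _, v in pairs)
    info = 0.0
    for (u, v), count in joint.items():
        # p(u, v) / (p(u) * p(v)), kept exact so independence gives exactly 1
        ratio = Fraction(count * total, pu[u] * pv[v])
        info += count / total * log2(float(ratio))
    return info

def analyse(tickets, n):
    """Return (distribution of X+Y mod n, I(X; X+Y), I(Y; X+Y))."""
    sums = [(x + y) % n for x, y in tickets]
    dist = {s: Fraction(c, len(tickets)) for s, c in Counter(sums).items()}
    i_x = mutual_information([(x, s) for (x, _), s in zip(tickets, sums)])
    i_y = mutual_information([(y, s) for (_, y), s in zip(tickets, sums)])
    return dist, i_x, i_y

# The slide's shuffle on 4 positions: rotate by 0 w.p. 1/3, by 1 w.p. 2/3.
SLIDE_TICKETS = make_tickets(4, [1, 1, 0])

# Constructed counter-example: player 1 never rotates, so Y alone is the
# whole rotation and player 2 learns the shuffle outcome.
LEAKY_TICKETS = [(0, s) for s in [1, 1, 0]]

if __name__ == "__main__":
    print("slide tickets:", analyse(SLIDE_TICKETS, 4))
    print("leaky tickets:", analyse(LEAKY_TICKETS, 4))
```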
Answer 3: “PlayerPerm-Model”
Each random permutation performed by either player 1 or 2.
Player remembers permutations she performed.
Player’s permutations need not be independent.
With this we can implement:
Uniform closed shuffles (easy).
Some more complicated shuffles.
“Undo”-operations.
A four-card AND protocol with finite runtime.