 # Barrington Plays Cards: The Complexity of Card-based Protocols

In this paper we study the computational complexity of functions that have efficient card-based protocols. Card-based protocols were proposed by den Boer [EUROCRYPT '89] as a means for secure two-party computation. Our contribution is two-fold: We classify a large class of protocols with respect to the computational complexity of functions they compute, and we propose other encodings of inputs which require fewer cards than the usual 2-card representation.

## Authors

##### This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

## 1 Introduction

Card-based protocols were proposed by den Boer  as a means for secure two-party computation. In this scenario, we have two players — Alice and Bob — who hold inputs and respectively. Their goal is to securely compute a given function on those inputs. By secure computation, we mean that the players learn nothing from observing the computation except for what is implied by the output . Den Boer introduced a model where the inputs and are encoded by a sequence of playing cards and the players operate on the cards to compute the function. They can use additional cards for computation. In particular, den Boer showed how to securely compute AND of two bits using five cards in total.

Niemi and Renvall  extended the results to show how to compute arbitrary Boolean function . They represent each input bit by two face-down cards: 1 is represented as , and 0 as . They use the same representation throughout the computation and show how to securely compute AND of bits encoded in this 2-card representation with the output being encoded in the same way. Since NOT can be obtained by swapping the two cards representing a given bit this allows them to compute any function. They can evaluate any Boolean circuit on the inputs by a protocol of length proportional to the size of the circuit and using a number of auxiliary cards that corresponds to the width of the circuit.

Nishida et al.  reduced the number of auxiliary cards to 6 for any Boolean function. For most functions, the protocol will be of exponential length as it essentially evaluates the DNF of . Several other works studied the number of cards necessary for computing various elementary functions such as AND and XOR [7, 11, 9, 8, 18, 20, 16, 13, 15, 11, 1, 9].

Motivated by the question what can be efficiently computed by such protocols and how many cards one needs to compute various functions, in this work, we investigate efficient protocols that are protocols of polynomial length. Our contribution is two-fold: We classify a large class of protocols with respect to the computational complexity of functions they compute, and we propose other encodings of inputs which require fewer cards than the 2-card representation. We summarize our results next:

1. We show that oblivious protocols of polynomial length that do not modify their input (they are read-only) and use only a constant number of auxiliary cards compute precisely the functions in , the class of functions computed by Boolean circuits of logarithmic depth. (Alternatively, is the class of functions computed by Boolean formulas of polynomial size.) By oblivious protocol we mean a protocol whose actions depend only on the current visible state.

2. Oblivious read-only protocols of polynomial length with a logarithmic number of auxiliary cards correspond to the class of functions computable by polynomial-size branching programs. (This class is also known as , the non-uniform version of deterministic log-space.)

3. We also investigate protocols that use a constant number of auxiliary cards but are allowed to use the cards representing the input for their computation provided that they guarantee that by the end of the computation the input will be restored to its original value. We show that such protocols can compute functions that are believed to be outside of . For example, they can compute languages that are complete for , the non-deterministic log-space. Hence, read-only protocols are presumably weaker than protocols that may modify their input.

4. We study alternative encodings of inputs that are more efficient that the 2-card encoding. We look at 1-card encoding where 1 is represented by and 0 by . In this encoding, Alice and Bob need only one card per bit to commit the bit. We show similar complexity results for this encoding as for the 2-card encoding: read-only protocols with a constant number of auxiliary cards are , with a logarithmic number of cards it is the non-uniform log-space, and if we allow using the input cards for computation we get potentially more powerful protocols.

A disadvantage of the 1-card protocol is that it still needs a supply of cards and cards to represent any -bit input. Although, if one restricted his attention to inputs that contain the same number of 1’s and 0’s, it would suffice to have cards and cards . Such inputs form a substantial fraction of all -bit inputs, they are many.

5. We propose a new -card encoding which requires only cards and cards to represent any -bit input. The -card encoding is obtained from the 2-card encoding by removing from each pair of cards one card, in total one half of the -cards and one half of the -cards. There is an empty space left instead of each removed card. There is a way for each player to encode his input so that the other player learns no information about the opponent’s input. We show that using this encoding we can simulate any read-only protocol that uses 2-card encoding. Hence, any function on bits can be securely computed using only cards, counting also the input cards. We do not know how to securely perform protocols for -card encoding that would modify their input.

### 1.1 Previous Work

As mentioned above, a study of card-based protocols was started by den Boer  who introduced a secure 5-card protocol for computing AND. However, this protocol does not produce output in a face-down 2-card format, thus it can not be used for designing protocols for arbitrary function. Since then a lot of work was done in improving AND protocols and other primitive functions. Crépeau and Kilian  provided a 1-party card-based protocol where the player can pick a random permutation with no fixed point and the player has no information about . Their technique can be used for designing a 2-party computation of a general function. Niemi and Renvall  introduced an AND protocol, which takes two bits represented in the 2-card format as input and outputs two cards which represent in face-down 2-card format. They also introduced a protocol for copying a bit in the 2-card format, which is used during simulation of circuits. Their protocols with a protocol for NOT (which is trivial) can be used for computing any Boolean function and the number of used cards is at most linear in the size of a circuit (using AND and NOT gates) computing

. They also introduced a protocol to copy a single card with almost perfect security – the card suit is revealed only with a small probability. Such protocol cannot exist with perfect security as was proved by Mizuki and Shizuya

. The copying and AND protocols were further improved and simplified in [20, 16, 13, 15, 11, 1, 9].

Nishida et al.  proved that any Boolean function can be computed with cards encoding the input and 6 additional helping cards. Mizuki  proved that is needed to compute AND of bits. Francis et al.  provided protocols and tight lower bounds on the number of cards needed for computing any two-bit input two-bit output function. Other lower bounds for AND of 2 bits and of bits in various regimes were provided by Koch et al. [11, 9] and by Kastner et al. .

The security of card-based protocols is provided by shuffling the cards — one player shuffles the cards (applies some random permutation to them) in a way so that the other player has no information about the new order of shuffled cards. Koch et al. 

provided a 4-card AND protocol. However, they used a non-uniform distribution for picking a random permutation, which is difficult to perform by humans. Nishimura et al.

 suggested an “easy-for-human” procedure how to apply a shuffling permutation picked from a non-uniform distribution using envelopes.

One can distinguish two types of attack.

1. Passive: honest-but-curious player – she follows the protocol but she wants to retrieve as much information as possible about the other player input.

2. Active: malicious player – she can deviate from the protocol.

Koch and Walzer  proved that if a passive-secure protocol uses only uniform closed shuffles (each shuffling permutation is picked uniformly from some permutation group) then the protocol can be transformed into an active-secure protocol.

## 2 Preliminaries

### 2.1 Card-based Protocols

In this section we define card-based protocols which securely compute some Boolean function on a joint input of Alice and Bob. Alice gets an input and Bob gets an input , and their goal is to compute for some function , while not revealing anything about their input to the other player. The protocol proceeds first by Alice and Bob committing their input into a sequence of cards, and then operating on the cards together with some auxiliary cards. At the end of the protocol, the players learn the output .

In this section we consider the usual 2-card encoding of the input, where each input is represented as a sequence of cards, two cards per bit: value is represented by and value is represented by where the cards are put face-down on the table. Hence each player needs cards to commit his input. All the cards have the same back, say blue. In the beginning, face-down cards representing the player inputs are in front of the players. Between them, there is a deck of prescribed auxiliary cards of and . There is available some empty space on the table to operate with the cards. We assume that the cards are placed on the table in some specific positions (locations), numbered , where:

• are positions of Alice’s input cards,

• are positions of Bob’s cards,

• are the initial positions of the helping cards in the deck,

• are initially empty positions.

We call the positions as the input positions and the remaining positions as the work space. We say a position is occupied if there is a card on it, otherwise, it is empty. We denote an empty position by . Let denote the amount of the work space. We assume . Thus, there are cards on the table and positions.

The players can move their input cards and cards from the deck to the work space and back. Formally, the basic actions which can be executed by the players are:

Move()

: The player moves a card from the position to position .

Shuffle()

: The player applies a random permutation from to the cards on the table on positions .

Turn()

: The player turns the -th card on the table face-up if it is face-down, and vice versa.

The protocol specifies which action to take next based on the sequences of visible states seen on the table so far. The current visible state of the table is what an external viewer could observe, that is which positions are currently occupied and what is the top of each card laying on the table. If there are distinct cards then there are at most distinct visible states. Hence, based on the sequence of visible states from the beginning of the game the protocol specifies which action to take next or whether to end. In the end, the protocol specifies which cards represent the output of the run of the protocol. (They might be face-down.) We say the protocol computes a function if for all inputs , on the inputs and the protocol outputs . The length of the protocol is the maximum number of actions executed by the protocol over all inputs and all possible outcomes of shuffling. We say that a protocol is oblivious if the action executed next depends only on the current visible state and the number of actions taken so far.

The shuffling operation provides randomness for the execution of the protocol. Hence, the sequence of visible states the protocol passes through is a random variable. We will say that a protocol is

secure if for any pair of inputs and to Alice and Bob, where , the distribution of the sequence of visible states of the protocol on inputs and is the same. Notice, that this implies that neither of the players learns anything about the input of the other player except for what is implied by .

Often we will be interested in protocols that provide their output encoded in face-down cards. In such a scenario we will require for the security of the protocol that the distributions of visible states during the protocol will be identical for all input pairs .

We say the protocol is robust if a cheating player, that is a player who deviates from the protocol, is either caught by reaching an invalid visible state (where cards have unexpected values or positions) or the distribution of visible states does not leak any information about the other player input except for what would be leaked by honest players. In particular, if say Bob is cheating and Alice is honest, for a robust protocol we require that for any input of Bob and any two inputs to Alice, where , the distribution of the sequence of visible states during the game on inputs and is the same. We will be designing only robust oblivious protocols.

We say the protocol is read-only if the value of cards placed on the input positions is always the same whenever a position is occupied.

Let - be the class of function families for which we have a sequence of secure read-only oblivious protocols, one for each , which are of length polynomial in , with deck size and work space size . (At the beginning the first work space positions are occupied by the deck of cards, and the remaining positions are empty). We might allow to be a function of . We define . That is a function belongs to if it has polynomial length protocols which use a constant number of auxiliary cards and constant size work space.

### 2.2 Branching Programs

A branching program for a Boolean function is defined as follows. It consists of a directed acyclic graph such that each vertex has out-degree either 2 or 0. The set of edges of the graph is split into two sets, zero-edges and one-edges , in such a way that every vertex of out-degree 2 is incident to exactly one outgoing zero-edge and exactly one outgoing one-edge. Each vertex of out-degree 2 is labeled by an index .

A branching program is layered if the vertices are partitioned into layers . The edges go only from a layer to a layer (for all ). Vertices of out-degree 0 are exactly vertices in the layer . The number of layers is the length of and the width of is the maximum size of its layers, i.e., .

A layered branching program is oblivious if vertices in the same layer have the same label. A branching program is a permutation branching program if each layer has exactly vertices and for every two consecutive layers and zero-edges and one-edges form matching and , respectively. We can view the matchings and as two permutations . Note that we can rearrange all layers such that all permutations are identities.

One vertex of in-degree 0 is an initial vertex . Some vertices of out-degree 0 are denoted as accepting vertices. The computation of a branching program on an input string proceeds as follows. It starts in the initial vertex which is the first active vertex. Suppose is an active vertex and is the label of . If the out-degree of is 2, then the next active vertex is determined by the zero- or one-edge according to the value of . More formally, let be the edge in . Then, the vertex is the new active vertex. We repeat this procedure until a vertex of out-degree 0 is reached. An input is accepted if and only if is an accepting vertex. The branching program computes a function if it accepts exactly those such that .

The class of functions PB contains all the functions computable by layered branching programs of constant width and polynomial length. A permutation branching program is restricted if it has exactly one accepting vertex and exactly one rejecting vertex in the last layer . The computation of a restricted permutation branching program ends always in the vertices or and it accepts an input if it ends in the accepting vertex . A class contains Boolean functions which are computable by restricted permutation branching programs of width and polynomial length. We use the famous Barrington’s theorem , which says that constant-width (permutation) branching programs are as powerful as -circuits.

[Barrington ] .

## 3 Simulating Branching Programs

In this section, we prove one of our main theorems that read-only oblivious protocols of polynomial length that use constant work space compute the same functions as polynomial-size constant-width branching programs.

.

To simulate a branching program by -protocol we need an oblivious implementation of copying a bit in the committed 2-card format. We use a procedure by Stiglic . It is straightforward to implement the procedure to be oblivious. We include the proof for the sake of completeness.

[] There is a secure oblivious protocol that takes a bit in 2-card representation placed in the work space and produces two 2-card copies of the bit in the work space. The protocol needs an auxiliary deck with three cards and three with the same back as the input bit.

###### Proof.
1. Alice arranges the cards from the auxiliary deck face-up to create the following configuration.

 ??b♡♣♡♣♡♣
2. She turns the last six cards. Both, Alice and Bob, apply a random cyclic shift (denoted by ) to them.

 ??b⟨??b′??b′??b′⟩
3. They apply a random cyclic shift to the first four cards.

 ⟨????⟩??b′??b′
4. She turns the first four cards face-up.

1. If the sequence is alternating (i.e., or its shift) then . Thus, the last 4 cards represent two copies of .

 ♡♣♡♣??b??b
2. Otherwise (i.e., or its shift) then . Thus, the last 4 cards represent two copies of negation of . In that case, she switches the fifth with the sixth card and the seventh with the eighth card to represent two copies of as well.

 ♡♣♣♡??1−b??1−b

Alice and Bob might want to turn over and shuffle the first four left-over auxiliary cards after step 4. The last four cards represent two copies of face-down in the 2-card format. To make the protocol oblivious we must implement both 4.a) and 4.b) by the same number of actions. To do so we include additional actions in 4.a) which have no effect such as shuffling a single card.

It is clear the described protocol is secure. The only step where they can gain some information about is Step 4, when Alice turns some cards. However, the cyclic shifts in Steps 2 and 3 were done by both players. Thus, Alice reveals the alternating sequence () in Step 4 with the probability exactly (independently on the value of ) even if one of the players would be cheating. Thus, the protocol is secure. ∎

To prove we use as the first step Barrington’s theorem . By Barrington’s theorem, each function from can be computed by a polynomial length width-5 restricted permutation branching program. We will build a protocol that simulates the actions of the branching program layer by layer. We will keep track of the image of the initial vertex of the branching program. For that, we will use five cards , where the position of corresponds to the image of the initial vertex (the active vertex), and we will apply the permutations prescribed by the branching program on those five cards. If the input variable assigned to a particular level of the branching program is set to 1 we are expected to perform the permutation otherwise we are supposed to do nothing, i.e., apply the identity permutation. Any permutation can be decomposed into a sequence of simple transpositions (swaps) so we will use swaps conditioned by the input variable to either permute the five cards or leave them the way they are. We will implement the following primitive: Alice and Bob want to conditionally swap two cards according to the value of bit represented in the face-down 2-card form in the work space without revealing the value of . They also want to make sure that if the swap occurs and if the swap does not occur.

Let be two sequences of face-down cards of the same length in the work space, and let be a face-down 2-card representation of in the work space. There is a secure oblivious protocol such that during the protocol players swap the sequences and if and only if . The protocol uses two auxiliary cards .

###### Proof.

The swapping protocol works as follows.

1. Alice rearranges the input cards together with two auxiliary face-up cards as follows:

 ♣γ ~α ♣δ ~β

Thus, if we have and if we have . The players do not know which situation are they in.

2. Both, Alice and Bob, apply a random cyclic shift to the cards, e.g.:

 ~α ♣δ ~β ♣γ
3. Alice turns the cards and representing face-up. She knows what cards to turn, as the cards and are preceded by face-up. At the end she reorders the sequence (keeping the cyclic order) so that are the first cards, e.g.:

 ~α♣♡~β♣♣→♣♣~α♣♡~β

If then and the sequences are not swapped. On the other hand if then and the sequences are swapped.

Note that the cards in and are face-down during the whole protocol. It is also clear that this is a secure and robust protocol, and it can be implemented obliviously. In Step 3 the cards and representing the bit are revealed. However, because of random cyclic shifts in Step 2 (again done by both players), these cards are in the order with probability , independently of the value of . Thus the swapping protocol is secure. ∎

Now we are ready to prove the first inclusion of Theorem 3.

###### Proof.

Let be a function in . Then, the function can be computed by a branching program with the following properties:

1. Each layer has exactly 5 vertices. The input vertex is the first vertex in the first layer. The computation ends either in the accepting vertex or in the rejecting vertex .

2. The permutation from each layer to the layer corresponding to 0 is the identity.

Alice and Bob represent the first layer as , each card represents one vertex in the layer. The card represents the active vertex in the layer (the initial vertex in the first layer). We call these 5 cards the program cards. Alice and Bob put the program cards at the work space and turn them face-down. Alice and Bob simulate the program layer by layer. They apply permutations determined by to the program cards according to the player’s input bits. Suppose we have a representation of the active vertex in the -th layer and we want to calculate the active vertex at the -th layer. Without loss of generality the label of the -th layer is Alice’s bit (otherwise the roles of Alice and Bob are reversed). Thus, we want to apply some permutation to the program cards if and keep the order of the program cards if .

We decompose the permutation into transposition . For , Alice will apply the transposition to the program cards. She runs the protocol of Theorem 3 to get cards representing her bit in the work space. More formally, after the execution of , there are two pairs of cards such that each pair represent the bit in the 2-card format. She puts one pair back to the input positions, i.e., the protocol is indeed read-only. We denote the cards of the second pair as and . Alice will use them for a conditional swap. She runs the protocol given by Theorem 3 (applied to the cards and to the two program cards which should be affected by the transposition ). That is, Alice swaps the two cards that is acting on if and only if . After applying this procedure for all transpositions , the permutation got applied to the program cards if and only if (otherwise the order of the program cards does not change).

Alice and Bob repeat this procedure for each layer of the branching program. Let be the card representing the accepting vertex and be the card representing the rejecting vertex at the end of the simulation. The cards represent the output of the program. If the input is accepted, then the accepting vertex is active at the end of the simulation and thus the card has suit and the card has suit . Thus, the cards represent 1. On the other hand, if the input is rejected, then the rejecting vertex is active. Thus, the cards have suits and , respectively, and they represent 0.

The protocol is clearly SP-protocol as the players only sequentially apply the copying protocol and the swapping protocol to the program cards. We claim the simulation protocol is secure. Both protocols and are secure. The only helping cards which are used during the whole run of the protocol are program cards which are placed face-up from the deck and then turned face-down for the rest of the protocol.

Now we prove the opposite inclusion of Theorem 3.

.

###### Proof.

Consider a family of functions for which we have a sequence of secure read-only oblivious protocols, one for each , which are of length polynomial in , with deck size and work space size . Let

be the number of different cards used by the protocol. At any moment, the work space can be in at most

different states which we call the internal states of the protocol. For any we will build a width- branching program of the same length as the protocol for . Each layer of the branching program consists of vertices where each vertex corresponds to one internal state of the protocol. We need to define edges between the layers of the branching program.

Let be a vertex at layer . It corresponds to some internal state which in turn determines a visible state that together with determines the action taken by the protocol at such a state. We define the edges based on the type of that action. If the action is a move of a card from some input position into the work space then node queries the value of the corresponding input variable and the outgoing edges lead to nodes corresponding to internal states that reflect a move of the card into the work space. If the action is a shuffle operation then node queries variable and irrespective of its value both outgoing edges go to the node in the next layer corresponding to the internal state obtained by applying one of the allowed permutations. (The particular choice of the permutation does not matter.) Similarly, for a move of a card within the work space or out from the work space, the edges will go into a node that reflects the internal state after the move. In the last layer, we designate vertices that correspond to accepting states of the protocol as accepting all other nodes will be rejecting.

It should be clear from the construction that the resulting branching program computes and has the required properties. ∎

Theorem 3 is a corollary of Theorems 3 and 3 and Barrington’s theorem (Theorem 2.2).

## 4 Simulating Turing Machines

In this section, we will look at computation that obliviously and securely computes on committed inputs in 2-card representation. The exact split of the input between Alice and Bob is irrelevant in this section so we assume that the total length of the input is bits. The protocols are expected to preserve the committed inputs: Although they may be allowed to modify the committed input during the computation, by the end of the computation the committed input must be restored to its original form. The protocols do not leak any information about the committed inputs except for what can be derived from the output cards if they are inspected. The protocols can be carried out by either player. To guarantee robustness and security shuffle operations should be always done by both players. (We use only uniformly random shuffle and random cyclic shift so performing them twice does not change their output distribution.)

Let be a non-decreasing function. Let be a function computable by a Turing machine in space . Then is in -SP.

Let be the function such that if and otherwise.

###### Proof.

We describe the algorithm for the protocol in high-level form and leave details of the construction to the interested reader. Let be computable by a Turing machine . Without loss of generality, we assume uses a binary alphabet, on inputs of length it uses work space exactly bits and computes for steps. The output of is determined by the first bit of its work tape. We will simulate the computation of step by step.

The protocol will use auxiliary cards. Two blocks and will represent bits, each, and two blocks and will represent bits each. In addition to that there is a block of bits, and some additional auxiliary bits. We need a constant number of positions to be empty. All the bits are encoded in 2-card representation. The block represents the content of the work tape of , 2 bits per tape cell, where the second bit indicates the presence of the work tape head on that particular tape cell. The block encodes in binary the current position of the input head of . The block encodes the internal state of .

The protocol simulates one step of as follows: first, it determines the value of the bit scanned by the input head, then it calculates into the content of the work tape of after this step. Then it updates the internal state, the input head position , and switches and .

To determine the protocol looks at each input bit one by one and records the one that has an index corresponding to . Set to 0. For , the protocol copies into some work space , it sets to represent , obliviously compares and while recording the result into . (Comparing bit strings can be done by an circuit so there is an oblivious protocol for that of poly-logarithmic length.) From , and we can calculate the new value of by evaluating . This can be done obliviously. After processing all the input bits, has the value of the currently scanned input bit.

Now, we can determine , the content of the work tape of after this step of the computation. We compute cell by cell. The value of each cell is a function of the input bit , ’s state , and the previous content of the cell in together with the content of adjacent cells. Hence, the value of each bit of is a function of constantly many bits and can be computed obliviously.

After computing , we can also calculate , the direction in which the input head of should move, and the new state of . This can be done by scanning for the work tape position, and recording the relevant information for and when we pass over the current work cell similarly to determining the value of the input bit .

From and , we obliviously calculate the next position of the input head into . (Each bit of can be computed by an circuit from and .) Finally, we switch the contents of and , and , and and .

We repeat this procedure times. In the end, the first bit of indicates the output of .

As each step of the computation can be implemented securely, obliviously, and robustly, we obtain a secure, oblivious, and robust protocol for that uses work space and auxiliary cards. ∎

As the card-based protocols allow for non-uniformity by protocols using work space we can simulate not only log-space Turing machines but also polynomial-size branching programs (the non-uniform log-space). The above proof can be extended to Turing machines taking advice: the protocol can provide the advice bit by bit during the phase when the input is scanned bit by bit to determine . (We assume that the advice is provided to the Turing machine on bit positions with index . For those positions instead of copying the non-existent input bits, the protocol hardwires the appropriate bit into . As the advice is the same for each input, this can be done publicly.)

By essentially the same proof as Theorem 3 we can obtain a simulation of oblivious, read-only secure protocols that use a logarithmic amount of work space by branching programs of polynomial size. Let --. We get:

The class of functions computable by polynomial-size branching programs equals to -SP.

So far we have looked only at read-only protocols. If we remove the condition to be read-only we get a potentially larger class of functions computable by such protocols. When the protocol is not read-only, we still require the protocol to restore its input into the original state by the end of the computation. We also require the protocol to be secure so not to leak any information about the input except for what is implied by the protocol output cards.

We give examples of functions that can be computed by protocols modifying their input which we conjecture are outside of the read-only protocol class with similar bound on the work space. Proving this conjecture would amount to separating from log-space, a major open problem in complexity theory.

Let be a non-decreasing function such that . Let be in , and be a function computable by a Turing machine in space and polynomial time. Define as follows:

 f(x)={g(x)if xn+1−s(n)log∗n⋯xn≠0⋯0,h(x1⋯xn−s(n)log∗n)otherwise.

The function defined above is computable by secure robust oblivious protocols of polynomial length that use a constant amount of work space.

###### Proof.

The protocol for proceeds as follows. It first computes the OR of the input bits using a protocol for functions where the output of the protocol is encoded in 2-card representation in its work space. Then it computes the value of encoded in 2-card representation in the work space. Finally, it uses the cards representing input bits to simulate the computation of a Turing machine for as in the proof of Theorem 4. The simulation is done so that if then nothing is done to the input (the simulation is vacuous) and if the simulation is really happening. The simulation uses the input bits to store and (from the simulation), everything else is done in the actual work space of constant size. Whenever the simulation wants to write some value into an input position used for the simulation, it copies the value into the work space, it copies there the current value of the destination position, computes and replaces cards in the destination by the output of . (Hence, if nothing has happened.) Reading a value can be done by copying the particular bit into the work space and then working with the copied cards. This way the input is undisturbed if and it is overwritten if . At the end of simulation, the protocol copies the output bit , which is the first bit of into the actual work space, and writes value 0 to all input bits conditionally on . (Bit values read from the storage, taking part in the vacuous computation, will be the same throughout the computation. So the simulations of the circuits implementing various steps of the computation will be secure.)

Finally, the protocol computes which is the output of the protocol. All parts of the protocol can be done securely and obliviously. (This is true also when and the simulation of the Turing machine is bogus.) The protocol restores its committed input by the end of the computation. ∎

One can also use the technique of catalytic computation to construct protocols for functions not know to be in . Buhrman et al. [3, 4] show how to use memory which contains some information for computation while restoring the memory to its original content by the end of the computation. For example, they can solve the connectivity on directed graphs this way, the problem : Given an adjacency matrix of a directed graph decide whether there is a path from vertex to vertex . They present a polynomial-size program for , which uses work registers and input registers, each holding one bit of information. The program consists of instruction of the form

 ri←ri⊕u⋅v,

where and are arbitrary registers different from or constants 0 and 1. The program is oblivious, so it is a straight line program consisting of such instructions. The program has the property that all registers are guaranteed to have the initial value by the end of the computation except for one specified work register which contains the output value. It is straightforward to implement each such an instruction by secure and robust protocol since the instructions are computable in .

This allows to design an oblivious, secure protocol of polynomial length with constant work space for a function that is defined as: if and only if from the vertex we can reach the vertex in each of the graphs represented by adjacency matrices and . Such a function is unlikely to be contained in , as is known to be complete for nondeterministic log-space computation. Hence, it is unlikely that protocols that are allowed to modify their input could be simulated by read-only protocols using similar resources.

## 5 More Efficient Input Encodings

### 5.1 1-Card Encoding

In this section, we consider other ways how Alice and Bob can commit their input which use fewer cards. The first natural encoding is to represent each bit by face-down card and bit by . These cards would be stored in front of the players in input positions . Whenever the players want to operate with the committed bit they need to extend it to 2-card representation.

There are two ways we know how to do it. Niemi and Renvall  gave a protocol that is able to extend the bit without knowing its value. However, there is a small probability of leaking the value of the bit being extended. The probability is inversely proportional to the number of cards used for the protocol. Hence, one would need a large number of helping cards in order to make sure that the probability of leaking information is negligible. That would erase any savings from the 1-card representation.

The other way which we use here is to allow the player who owns the particular input bit to extend it using a designated deck of two face-down cards and . Once the bit is extended it can be copied by the protocol from Theorem 3, the first card of the first copy can be put back in the input position, the second card can be put back into the auxiliary deck, and the second copy can be used for further computation. The auxiliary deck containing the same cards as earlier should be shuffled by both players at the end of this procedure. The protocol is robust since a player cheating by extending the input bit by a wrong card will be caught in Step 4 of the copying protocol.

For this procedure, we need to augment our set of actions by the action of extending a bit by a complementary card from a designated deck. This action can be performed by shuffling the auxiliary deck, then peeking at the value of the card we are extending, and selecting the complementary card by peeking at each card in the deck.

With this operation in mind, we need to extend the definition of protocol security. We say a protocol is secure from Alice if for any pair of inputs and to Alice and Bob, the distribution of the sequence of visible states of the protocol together with the sequence of cards seen by Alice while peeking at them during the extension action on inputs and is the same. Similarly, the protocol is secure from Bob if for any pair of inputs and to Alice and Bob, the distribution of visible states and cards peeked at by Bob will be the same on both inputs and . The protocol is secure if it is secure from both Alice and Bob.

Using the extension action we can perform all read-only protocols that used the 2-card bit commitment of inputs even for inputs committed in 1-card representation. They will be secure as long as the player performing each extension is the owner of the input bit as seeing his/her input bits does not affect the security definition. Hence, the power of the model stays essentially the same with this modification.

Security becomes more of an issue for protocols that are allowed to modify their inputs. Yet, we can prove a result similar to Theorem 4.1 for slightly modified function . Let be in , and be a function computable by a Turing machine in space and polynomial time, where .. Define as follows:

 f′(x)={g(x)if xn+1−s(n)log∗n⋯xn≠0101⋯01,h(x1⋯xn−s(n)log∗n)otherwise.

We assume is even, and the first half of is held by Alice and the other half by Bob. The other bits can be split between the players arbitrarily.

[] The function defined above is computable by secure robust oblivious protocols of polynomial length that use a constant amount of work space and 1-card encoding of input bits.

###### Proof.

The protocol for proceeds similarly to the one in Theorem 4.1. It first verifies whether the input bits differ from (assuming their number is even) using protocol for functions. The output of the verification is encoded in 2-card representation in the work space. Then the protocol computes the value of encoded in 2-card representation in the work space. Up until this point, we use the protocol described above to extend input bits into 2-card representations by the player who owns the input bit.

Now we want to use the cards representing input bits to simulate computation of a Turing machine for computing as in the previous proofs. We will use these input cards for storage when and when we will keep them intact. In the former case, we will eventually reset the input bits/cards to the initial state. Let be positions of cards which represent bits at the beginning of the protocol. Thus, the cards on the positions represent (in the 1-card encoding) the input for . These cards will be in a read-only regime during the whole computation. Let be the positions of cards representing . The cards on will represent in 2-card encoding the content of tapes of during the computation. Thus, but the cards on will represent bits. As (if ), the cards on represent zeros at the beginning of the protocol.

The simulation proceeds in a similar way as the simulation in proof of Theorem 4.1. For reading bits from that encode the input bits to we use the same 1-card extension protocol as above to copy them into work-space. Now, we need procedures that will read and write bits in 2-card representations from positions . However, if some two consecutive positions would not represent a bit correctly (the two cards on them would have the same suit). The read/write procedures need to work and be secure even in this case. The players cannot simply inspect the cards on positions because they may represent some intermediate results of the computation.

First, we describe how to read a bit encoded in . We want to create a 2-card representation of bit in work space if or a valid 2-card representation of some bit if . The bit is represented by 2 cards on positions in . Note that and can be of the same suit if . Suppose Alice owns the positions in representing the bit , the case of Bob’s positions is symmetric. First, Alice will add complementary cards to and as follows. Alice prepares the sequence: , then she turns the second and fifth card face-down to get a sequence

 ♣?α♣?β.

Bob shuffles the six cards cyclically at random. Now, Alice extends the card preceding each that is face-up (cards and ) by a complementary card to the right taken from an auxiliary deck. Alice sees the suit of the cards and during this action but she does not know their actual order. Bob shuffles the cards cyclically again and turns face-up the cards following the two that are face-up. Now, by a cyclic shift, they rearrange the cards so that they look like

 ♣♣α¯¯¯¯α♣♡β¯¯¯β,

where and are cards complementary to and , respectively. They can copy each of the card pairs and to verify that Alice used complementary cards and the pairs and indeed represent two bits in 2-card encodings.

By following this protocol, Alice learns whether the two cards have the same suit or are distinct. If the suits are the same she also learns the suit. However, in that situation and she already knew all this information. In the later case, she knows that the bits at those input positions are distinct, but she knew that already. She does not learn their relative order because of the shuffle by Bob. Thus, she does not know whether they were altered since the beginning of the protocol or not.

To finish the read procedure, Alice copies the pair (by the protocol of Theorem 3) to get two copies represented by cards . She returns the cards and back to the positions in from which she moved the cards and at the beginning. The cards and are used further in the computation. Other cards () are moved back to the auxiliary deck. If the cards and have different suits then the cards represent the bit , as the card and have the same suit. If the cards and have the same suit then the cards are a valid representation of some bit . However, in that case and the value of is irrelevant for the computation. Bit values read from the storage, taking part in the bogus computation, will be consistent throughout the computation. Thus, the simulations of the circuits implementing various steps of the computation are secure.

Now, we describe how to store a bit in 2-card encodings on to some positions in . Again, suppose we want to store a bit on to positions owned by Alice and occupied by cards and . Let and be cards representing . We want a procedure that will do the following. If then the cards and are replaced by cards of the same suits as and , respectively. Otherwise, if then the new cards need to have the same suits as and . First, Alice will add complementary cards to and to get a sequence (she proceeds in the same was as in the read procedure above). Let and be bits represented by and , respectively. She creates two copies of , negates the second one, and computes and . Let and be cards representing and respectively. If then the cards represent the bit . If then the cards and have the same suits as the cards and , respectively. Thus, Alice moves the cards and into the positions of the cards and and moves the rest of the cards to the deck.

To avoid leakage of information from the way Alice picks the cards from the auxiliary deck when picking a card of a particular suit, she proceeds as follows. She knows how many cards of that suit are in the deck. Thus, she shuffles the cards at random and then proceeds left to right to pick one of the cards of that suit uniformly at random. To achieve that she picks each card of the desired suit with probability , where is the number of unseen cards of the desired suit still in the deck. This process guarantees that Alice will pick a card from a completely random position.

In this way the protocol can use to compute . After obtaining value it outputs . ∎

Hence, also in the case of the 1-card representation of the input one can take advantage of the input cards to compute functions that seem unattainable with read-only protocols.

### 5.2 1/2-Card Encoding

In the 1/2-card encoding we represent value 1 by either or , and value 0 by either or . Here represents an empty bit position. To commit her input Alice picks of her input bits, and for those input bits, she leaves the empty spot in the position of , for the remaining bits she leaves the empty spot in place of (in the 2-card encoding of the bit). This way, she uses exactly cards and to commit her input. It is easy to verify that for each bit there is exactly probability that the missing card will be on the left. Hence, the positions of the missing cards do not leak any information about her input. Bob proceeds in the same way to commit his input.

After committing their inputs they can run any read-only protocol similar to the case of 1-card encoding. Whenever an input bit is needed it is copied into a 2-card representation by essentially the same protocol as in the case of 1-card encoding.

This means that we need only cards to compute any function on -bit inputs.

We do not know how to implement protocols which could modify their inputs. Modifying an input bit would require either picking the empty spot in the representation at random (which could lead to using substantially more cards of each type) or reusing the cards that are there. In the latter case we do not know how to do it without leaking information.

## References

•  Yuta Abe, Yu-ichi Hayashi, Takaaki Mizuki, and Hideaki Sone. Five-card and protocol in committed format using only practical shuffles. In Proceedings of the 5th ACM on ASIA Public-Key Cryptography Workshop, APKC ’18, page 3–8, New York, NY, USA, 2018. Association for Computing Machinery.
•  David Barrington. Bounded-width polynomial-size branching programs recognize exactly those languages in nc1. Journal of Computer and System Sciences, 38:150–164, 02 1989.
•  Harry Buhrman, Richard Cleve, Michal Koucký, Bruno Loff, and Florian Speelman. Computing with a full memory: Catalytic space. In Proceedings of the Forty-Sixth Annual ACM Symposium on Theory of Computing, STOC ’14, page 857–866, New York, NY, USA, 2014. Association for Computing Machinery.
•  R. E. Cleve. Methodologies for Designing Block Ciphers and Cryptographic Protocols. PhD thesis, CAN, 1989.
•  Claude Crépeau and Joe Kilian. Discreet solitary games. In Douglas R. Stinson, editor, Advances in Cryptology — CRYPTO’ 93, pages 319–330, Berlin, Heidelberg, 1994. Springer Berlin Heidelberg.
•  Bert den Boer. More efficient match-making and satisfiability the five card trick. In Jean-Jacques Quisquater and Joos Vandewalle, editors, Advances in Cryptology — EUROCRYPT ’89, pages 208–217, Berlin, Heidelberg, 1990. Springer Berlin Heidelberg.
•  Danny Francis, Syarifah Ruqayyah Aljunid, Takuya Nishida, Yu-ichi Hayashi, Takaaki Mizuki, and Hideaki Sone. Necessary and sufficient numbers of cards for securely computing two-bit output functions. In Raphaël C.-W. Phan and Moti Yung, editors, Paradigms in Cryptology – Mycrypt 2016. Malicious and Exploratory Cryptology, pages 193–211, Cham, 2017. Springer International Publishing.
•  Julia Kastner, Alexander Koch, Stefan Walzer, Daiki Miyahara, Yu-ichi Hayashi, Takaaki Mizuki, and Hideaki Sone. The minimum number of cards in practical card-based protocols. In Tsuyoshi Takagi and Thomas Peyrin, editors, Advances in Cryptology – ASIACRYPT 2017, pages 126–155, Cham, 2017. Springer International Publishing.
•  Alexander Koch. The landscape of optimal card-based protocols. Cryptology ePrint Archive, Report 2018/951, 2018.
•  Alexander Koch and Stefan Walzer. Foundations for actively secure card-based cryptography. In Martin Farach-Colton, Giuseppe Prencipe, and Ryuhei Uehara, editors, 10th International Conference on Fun with Algorithms, FUN 2021, May 30 to June 1, 2021, Favignana Island, Sicily, Italy, volume 157 of LIPIcs, pages 17:1–17:23. Schloss Dagstuhl - Leibniz-Zentrum für Informatik, 2021.
•  Alexander Koch, Stefan Walzer, and Kevin Härtel. Card-based cryptographic protocols using a minimal number of cards. In Tetsu Iwata and Jung Hee Cheon, editors, Advances in Cryptology – ASIACRYPT 2015, pages 783–807, Berlin, Heidelberg, 2015. Springer Berlin Heidelberg.
•  Takaaki Mizuki. Card-based protocols for securely computing the conjunction of multiple variables. Theor. Comput. Sci., 622(C):34–44, April 2016.
•  Takaaki Mizuki, Michihito Kumamoto, and Hideaki Sone. The five-card trick can be done with four cards. In Xiaoyun Wang and Kazue Sako, editors, Advances in Cryptology – ASIACRYPT 2012, pages 598–606, Berlin, Heidelberg, 2012. Springer Berlin Heidelberg.
•  Takaaki Mizuki and Hiroki Shizuya. A formalization of card-based cryptographic protocols via abstract machine. Int. J. Inf. Secur., 13(1):15–23, February 2014.
•  Takaaki Mizuki and Hiroki Shizuya. Practical card-based cryptography. In Alfredo Ferro, Fabrizio Luccio, and Peter Widmayer, editors, Fun with Algorithms, pages 313–324, Cham, 2014. Springer International Publishing.
•  Takaaki Mizuki and Hideaki Sone. Six-card secure and and four-card secure xor. In Xiaotie Deng, John E. Hopcroft, and Jinyun Xue, editors, Frontiers in Algorithmics, pages 358–369, Berlin, Heidelberg, 2009. Springer Berlin Heidelberg.
•  Valtteri Niemi and Ari Renvall. Secure multiparty computations without computers. Technical report, 1997.
•  Takuya Nishida, Yu-ichi Hayashi, Takaaki Mizuki, and Hideaki Sone. Card-based protocols for any boolean function. In Rahul Jain, Sanjay Jain, and Frank Stephan, editors, Theory and Applications of Models of Computation, pages 110–121, Cham, 2015. Springer International Publishing.
•  Akihiro Nishimura, Yu-ichi Hayashi, Takaaki Mizuki, and Hideaki Sone. An implementation of non-uniform shuffle for secure multi-party computation. In Proceedings of the 3rd ACM International Workshop on ASIA Public-Key Cryptography, AsiaPKC ’16, page 49–55, New York, NY, USA, 2016. Association for Computing Machinery.
•  Anton Stiglic. Computations with a deck of cards. Theor. Comput. Sci., 259(1):671–678, May 2001.