Graph Automorphism Shuffles from Pile-Scramble Shuffles

by Kengo Miyamoto, et al.

A pile-scramble shuffle is one of the most effective shuffles in card-based cryptography. Indeed, many card-based protocols are constructed from pile-scramble shuffles. This article aims to study the power of pile-scramble shuffles. In particular, for any directed graph G, we introduce a new protocol called "a graph shuffle protocol for G", and show that it is realized by using pile-scramble shuffles only. Our proposed protocol requires 2(n+m) cards, where n and m are the numbers of vertices and arrows of G, respectively. The number of pile-scramble shuffles is k+1, where 1 ≤ k ≤ n is the number of distinct degrees of vertices in G. As an application, a random cut for n cards, which is also an important shuffle, can be realized by 2n cards and 2 pile-scramble shuffles.




1. Introduction

1.1. Background

Let be finite sets, a natural number, and a function. Suppose that players each having as input wish to know an output value without revealing their own inputs to other players. Secure computation protocols address this kind of situation. Secure computation was formalized by Yao [53, 54] and has been studied as a central topic in cryptography (see the survey on secure computation by Lindell [19]).

Card-based cryptography [7, 6] is a kind of secure computation, which uses a deck of physical cards. Given a sequence of face-down cards (which is typically an encoding of input ), a card-based protocol transforms it to an output sequence (which is typically an encoding of output ) by a series of physical operations on cards. One of the features of card-based cryptography is that it allows us to understand intuitively the correctness and security of a protocol, since we can actually perform the protocol by hand. For this reason, it is expected to be used as educational material. Indeed, some universities [5, 20, 25] have actually dealt with card-based cryptography as educational material.

In card-based protocols, a shuffle, which is a probabilistic rearrangement, may be applied to a sequence of cards. It is considered the most crucial operation in card-based protocols since randomness from shuffles is the primary tool to obtain the security of protocols. Among shuffles, a random cut (RC), a random bisection cut (RBC), and a pile-scramble shuffle (PSS) are the most effective shuffles in the history of card-based cryptography. Indeed, most card-based protocols are constructed with these shuffles only, where we regard a pile-shifting shuffle, which is a pile version of a random cut, as a random cut (cf. protocols with RCs only [7, 6, 34, 35, 48, 32, 12, 22, 44, 52, 41, 23, 17, 40, 2, 15], protocols with RBCs only [31, 29, 28, 38, 36, 37, 27, 45], protocols with PSSs only [10, 3, 43, 14, 39, 42, 46, 33], protocols with RCs and RBCs only [1, 51, 16, 24], protocols with RCs and PSSs only [4, 49, 8, 18, 50], and protocols with RBCs and PSSs only [13, 26, 11, 47]). With this background, it is essential to study further what can be done by these shuffles. In this article, we focus on the feasibility of PSSs.

1.2. Contribution

In this article, we show that a class of graph shuffles can be achieved by the use of PSSs only. Let be a directed graph. A graph shuffle for is a shuffle that arranges a sequence of cards according to an automorphism of chosen uniformly at random. Our main contribution is to construct a card-based protocol that achieves a graph shuffle for any graph . We call this a graph shuffle protocol for . The number of cards in our protocol is , where and are the numbers of vertices and arrows of , respectively. All shuffles in our protocol are PSSs.

We note that a class of graph shuffles captures a lot of natural shuffles. Indeed, a RC, a RBC, and a PSS are special cases of graph shuffles. Thus, a straightforward corollary of our main result is that a RC can be done by PSSs only. Since a PSS can be quickly done by RCs (see the idea of Crépeau and Kilian [6] for generating a random fixed-free permutation), this shows that PSS and RC are essentially equivalent from the viewpoint of feasibility.

For some concrete cases of graph shuffles, we improve the number of cards in our protocol. In particular, we improve graph shuffle protocols for a directed cycle graph and a cycle graph. Note that a graph shuffle for a directed cycle graph is a RC. For a directed cycle graph with vertices, we design a graph shuffle protocol with cards while the general protocol requires cards. For a cycle graph with vertices, we design a graph shuffle protocol with cards while the general protocol requires cards.

2. Preliminaries

In this section, we collect some fundamentals in card-based cryptography; see [30] for example.

2.1. Cards

Throughout this article, we deal with physical cards with the symbol “?” on the backs. A card with a natural number in red (resp. black) on the front is called a red-card (resp. a black-card).

We distinguish between the natural number (written in red) and the natural number (written in black). We denote by the set of all natural numbers written in red. The set is a totally ordered set by using the natural order on . We define a total order on by if and only if

  • and ,

  • and , or

  • and .

A deck is a non-empty multiset such that . Let be a deck. An expression with is said to be a face-up card (resp. a face-down card) of . A lying card of is the face-up card of or the face-down card of , and in this case, we set . A card-sequence from is a list of lying cards of , say , such that as multisets. For a card-sequence , we write for the -th term. A face-up card is represented by  , and a face-down card is represented by ? . Given a card with the expression , we write , , and . For a card-sequence and a subset , we define an operator by

The card-sequence is called the visible sequence of . Let be a pair of a collection of subsets of (i.e., ) and a probability distribution on . Now, we also define an operation associated with the pair by

where is chosen from depending on the probability distribution . Note that if with a subset and is a uniform distribution on , then .

2.2. Shuffles

For a natural number , we denote by the symmetric group of degree , that is, the group whose elements are all bijective maps from to itself, and whose group multiplication is the composition of functions. An element of the symmetric group is called a permutation.

Given a card-sequence and , we have a card-sequence in the natural way:

Now, we recall an operation on a card-sequence which is called a “shuffle”. Roughly speaking, a shuffle is a probabilistic reordering operation on a card-sequence. Let be a pair of a subset of and a probability distribution on . For a card-sequence , an operation associated with the pair is defined by

where is chosen from depending on the probability distribution . Note that when we apply a shuffle to a card-sequence, no one knows which permutation was actually chosen. We also note that if for some , then .

Definition 2.1.

A shuffle is said to be uniform closed if is closed under the multiplication of the symmetric group, and is the uniform distribution on .

All shuffles dealt with in this article are uniform closed shuffles.

Example 2.2.
  1. A uniform closed shuffle for cards is called a pile-scramble shuffle (PSS for short) if there exists a natural number such that is isomorphic to . The following shuffle is an example of a PSS:

    In the above example, since this rearranges piles with cards, one can take which is isomorphic to . We use to denote a PSS for piles each having cards.

  2. Let be the permutation

    and set . A uniform closed shuffle is called a random cut (RC for short).

2.3. Protocols

Mizuki and Shizuya [30] give a formal definition of a card-based protocol via an abstract machine. In this section, we recall the definition of a card-based protocol and introduce a shuffle protocol, which is a particular card-based protocol realizing a shuffle.

2.3.1. Card-based protocols

To put it briefly, a “protocol” is a Turing machine that chooses one of the following operations to be applied to a card-sequence : turning or shuffling .

For a deck , the set of all card-sequences from will be denoted by . Then the visible sequence set is defined as the set of all sequences for . We also define the sets of the actions:

A protocol is a Markov chain, that is, a stochastic model describing a sequence of possible actions in which the probability of each action depends only on the state attained in the previous event. Let be a finite set with two distinguished states, which are called an initial state and a final state .

Definition 2.3.

A card-based protocol is a quadruple , where is an input set and is a partial action function

which depends only on the current state and visible sequence, specifying the next state and an operation on the card-sequence from , such that is defined if . For a state and a visible sequence such that , we obtain the next state . When we have , the protocol terminates.

Let be a card-based protocol. For an execution of with an input card-sequence , we obtain a sequence of results of actions as follows:

where for . If the action function is undefined for some , we say that “ aborts at Step in the execution”. Note that even for the same input card-sequence , the obtained chains may be different for each execution. If the protocol terminates for an input card-sequence , then we have a chain of results as follows:

In this case, is called an initial sequence, is called a final sequence, and the sequence

where , is called a visible sequence-trace of . We denote by the set of all final sequences, which is obtained by .

Example 2.4.

Let us consider the following. Take the deck , and hence use the following cards.

Now, we give a card-based protocol such that

In this case, the card-sequence is changed by the protocol as follows:

Thus, the final sequence is .

2.3.2. Shuffle protocols

A shuffle protocol is a card-based protocol realizing a shuffle operation. It takes a card-sequence such that as input and outputs such that for a permutation is chosen from depending on some probability distribution:

where is a card-sequence of helping cards. As for the correctness, we require that by the protocol is the same as . As for the security, we require that no one knows which permutation is actually chosen.

Definition 2.5.

Let be decks, an input set from , and a card-sequence from . We define an input set from by . A card-based protocol is said to be a shuffle protocol if the following conditions are satisfied:

  1. always terminates within a fixed number of steps, i.e., it is a finite-runtime protocol;

  2. for any input sequence , the final sequence forms such that for some permutation ;

  3. for any input sequence , none of the cards contained in is turned at any step of a protocol execution.


Let be a random variable of the first cards of the final sequence when is given as an input card-sequence. Let be a shuffle. We say that realizes if for any , and are the same. We say that is secure if for any , is stochastically independent of the random variable of the visible sequence-trace of when is an initial card-sequence.

3. Graph shuffle protocols

In this section, we construct a card-based protocol called the graph shuffle protocol for a directed graph. First, we introduce a graph shuffle in Subsection 3.1. Second, we construct the graph shuffle protocol, which is a shuffle protocol for any graph shuffle in Subsection 3.2. We note that our protocol requires PSSs only.

3.1. Graph shuffle

First, we recall some fundamentals from graph theory; for example, see [9].

A directed graph is a quadruple consisting of two sets , and two maps . Each element of (resp. ) is called a vertex (resp. an arrow). For an arrow , we call (resp. ) the source (resp. the target) of . We will commonly write or to indicate that an arrow has the source and the target , and identify with a pair . A directed graph is finite if two sets and are finite sets. In this article, a graph means a finite directed graph with vertices and arrows.

Let be a graph. For a vertex , we define the following three functions:

The number is called the degree of . We set .

For graphs and , a pair consisting of maps and is a morphism of graphs if holds. In addition, if and are bijective, is called an isomorphism of graphs. In this case, we say that and are isomorphic as graphs. In other words, two graphs and are isomorphic as graphs when in exists if and only if exists in . We denote by the set of all isomorphisms from to , and the set of all such that . For a graph , an isomorphism from to itself is called an automorphism. We denote by the set of all automorphisms of , and the set of all such that . has the structure of a group under the composition of maps. Note that, if has no multiple arrows, then an automorphism is determined by . In the case that is an undirected graph, one can transform into the following directed graph :

Definition 3.1.

Let be a graph. The uniform closed shuffle is called the graph shuffle for over cards. (Recall that has vertices.)
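The following Python sketch is an added example, not code from the paper: it enumerates the automorphisms of a small directed graph by brute force, checks the closure condition of Definition 2.1, and confirms that a directed cycle yields exactly the rotations of a random cut. The graph used for the PSS case (disjoint directed paths) and the convention that the card at position i moves to position p[i] are assumptions made for this illustration.

```python
import secrets
from itertools import permutations

def automorphisms(n, arrows):
    """Brute-force Aut(G) as vertex permutations of {0..n-1}.
    Assumes no multiple arrows, so the vertex map determines the automorphism."""
    arrow_set = set(arrows)
    return [p for p in permutations(range(n))
            if {(p[u], p[v]) for u, v in arrow_set} == arrow_set]

def compose(p, q):
    """Composition of maps: (p o q)(i) = p[q[i]]."""
    return tuple(p[i] for i in q)

def is_closed(perms):
    """Closure under multiplication, as required of a uniform closed shuffle."""
    s = set(perms)
    return all(compose(p, q) in s for p in s for q in s)

def graph_shuffle(cards, arrows):
    """Apply a uniformly random automorphism to the card positions.
    Assumed convention: the card at position i moves to position p[i]."""
    p = secrets.choice(automorphisms(len(cards), arrows))
    out = [None] * len(cards)
    for i, card in enumerate(cards):
        out[p[i]] = card
    return out

def directed_cycle(n):
    """Arrows i -> i+1 (mod n)."""
    return [(i, (i + 1) % n) for i in range(n)]

def disjoint_paths(k, m):
    """k disjoint directed paths with m vertices each (constructed PSS graph)."""
    return [(a * m + j, a * m + j + 1) for a in range(k) for j in range(m - 1)]

if __name__ == "__main__":
    rc = automorphisms(5, directed_cycle(5))
    pss = automorphisms(6, disjoint_paths(3, 2))
    print(len(rc), is_closed(rc))    # 5 True
    print(len(pss), is_closed(pss))  # 6 True
    print(graph_shuffle(list("ABCDE"), directed_cycle(5)))
```

The enumeration is factorial in the number of vertices, so it is only meant for checking small cases by hand against the definitions.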

3.2. Graph shuffle protocols

In this subsection, we construct a graph shuffle protocol, which is a shuffle protocol of the graph shuffle for a graph . We set . Let be any deck, and any input set from . We set a card-sequence of helping cards as follows: