1. Introduction
1.1. Background
Let be finite sets, a natural number, and a function. Suppose that players each having as input wish to know an output value without revealing their own inputs to other players. Secure computation protocols can solve this kind of situation. Secure computation was formalized by Yao [53, 54] and has been studied as a central topic in cryptography (see the survey on secure computation by Lindell [19]).
Card-based cryptography [7, 6] is a kind of secure computation that uses a deck of physical cards. Given a sequence of face-down cards (which is typically an encoding of input ), a card-based protocol transforms it to an output sequence (which is typically an encoding of output ) by a series of physical operations on cards. One of the features of card-based cryptography is that it allows us to understand intuitively the correctness and security of a protocol, since we can actually perform the protocol by hand. For this reason, it is expected to be used as educational material. Indeed, some universities [5, 20, 25] have actually dealt with card-based cryptography as educational material.
In card-based protocols, a shuffle, which is a probabilistic rearrangement, may be applied to a sequence of cards. It is considered the most crucial operation in card-based protocols, since randomness from shuffles is the primary tool to obtain the security of protocols. Among shuffles, a random cut (RC), a random bisection cut (RBC), and a pile-scramble shuffle (PSS) are the most effective shuffles in the history of card-based cryptography. Indeed, most card-based protocols are constructed with these shuffles only, where we regard a pile-shifting shuffle, which is a pile version of a random cut, as a random cut (cf. protocols with RCs only [7, 6, 34, 35, 48, 32, 12, 22, 44, 52, 41, 23, 17, 40, 2, 15], protocols with RBCs only [31, 29, 28, 38, 36, 37, 27, 45], protocols with PSSs only [10, 3, 43, 14, 39, 42, 46, 33], protocols with RCs and RBCs only [1, 51, 16, 24], protocols with RCs and PSSs only [4, 49, 8, 18, 50], and protocols with RBCs and PSSs only [13, 26, 11, 47]). With this background, it is essential to study further what can be done by these shuffles. In this article, we focus on the feasibility of PSSs.
1.2. Contribution
In this article, we show that a class of graph shuffles can be achieved by the use of PSSs only. Let be a directed graph. A graph shuffle for is a shuffle that arranges a sequence of cards according to an automorphism of chosen uniformly at random. Our main contribution is to construct a card-based protocol that achieves a graph shuffle for any graph . We call this a graph shuffle protocol for . The number of cards in our protocol is , where and are the numbers of vertices and arrows of , respectively. All shuffles in our protocol are PSSs.
We note that the class of graph shuffles captures a lot of natural shuffles. Indeed, an RC, an RBC, and a PSS are special cases of graph shuffles. Thus, a straightforward corollary of our main result is that an RC can be done by PSSs only. Since a PSS can be quickly done by RCs (see the idea of Crépeau and Kilian [6] for generating a random fixed-free permutation), this shows that PSS and RC are essentially equivalent from the viewpoint of feasibility.
For some concrete cases of graph shuffles, we improve the number of cards in our protocol. In particular, we improve graph shuffle protocols for a directed cycle graph and a cycle graph. Note that a graph shuffle for a directed cycle graph is an RC. For a directed cycle graph with vertices, we design a graph shuffle protocol with cards while the general protocol requires cards. For a cycle graph with vertices, we design a graph shuffle protocol with cards while the general protocol requires cards.
2. Preliminaries
In this section, we collect some fundamentals in card-based cryptography; see [30] for example.
2.1. Cards
Throughout this article, we deal with physical cards with the symbol “?” on the backs. A card with a natural number in red (resp. black) on the front is called a red-card (resp. a black-card).
We distinguish between the natural number (written in red) and the natural number (written in black). We denote by the set of all natural numbers written in red. The set is a totally ordered set by using the natural order on . We define a total order on by if and only if

and ,

and , or

and .
A deck is a nonempty multiset such that . Let be a deck. An expression with is said to be a face-up card (resp. a face-down card) of . A lying card of is the face-up card of or the face-down card of , and in this case, we set . A card-sequence from is a list of lying cards of , say , such that as multisets. For a card-sequence , we write for the th term. A face-up card is represented by , and a face-down card is represented by . Given a card with the expression , we write , , and . For a card-sequence and a subset , we define an operator by
The card-sequence is called the visible sequence of . Let be a pair of a collection of subsets of (i.e., ) and a probability distribution on . Now, we also define an operation associated with the pair by
where is chosen from depending on the probability distribution . Note that if with a subset and is a uniform distribution on , then .
2.2. Shuffles
For a natural number , we denote by the symmetric group of degree , that is, the group whose elements are all bijective maps from to itself, and whose group multiplication is the composition of functions. An element of the symmetric group is called a permutation.
Given a card-sequence and , we have a card-sequence in the natural way:
Now, we recall an operation on a card-sequence which is called a “shuffle”. Roughly speaking, a shuffle is a probabilistic reordering operation on a card-sequence. Let be a pair of a subset of and a probability distribution on . For a card-sequence , an operation associated with the pair is defined by
where is chosen from depending on the probability distribution . Note that when we apply a shuffle to a card-sequence, no one knows which permutation was actually chosen. We also note that if for some , then .
Definition 2.1.
A shuffle is said to be uniform closed if is closed under the multiplication of the symmetric group, and is the uniform distribution on .
All shuffles dealt with in this article are uniform closed shuffles.
Example 2.2.

A uniform closed shuffle for cards is called a pile-scramble shuffle (PSS for short) if there exists a natural number such that is isomorphic to . The following shuffle is an example of a PSS:
In the above example, since this rearranges piles with cards, one can take which is isomorphic to . We use to denote a PSS for piles each having cards.

Let be the permutation
and set . A uniform closed shuffle is called a random cut (RC for short).
2.3. Protocols
Mizuki and Shizuya [30] give the formal definition of a card-based protocol via an abstract machine. In this section, we recall the definition of a card-based protocol and introduce a shuffle protocol, which is a particular card-based protocol realizing a shuffle.
2.3.1. Card-based protocols
To put it briefly, a “protocol” is a Turing machine that chooses one of the following operations to be applied to a card-sequence : turning or shuffling .
For a deck , the set of all card-sequences from will be denoted by . Then the visible sequence set is defined as the set of all sequences for . We also define the sets of the actions:
A protocol is a Markov chain, that is, a stochastic model describing a sequence of possible actions in which the probability of each action depends only on the state attained in the previous event. Let be a finite set with two distinguished states, which are called an initial state and a final state .
Definition 2.3.
A card-based protocol is a quadruple , where is an input set and is a partial action function
which depends only on the current state and visible sequence, specifying the next state and an operation on the card-sequence from , such that is defined if . For a state and a visible sequence such that , we obtain the next state . When we have , the protocol terminates.
Let be a card-based protocol. For an execution of with an input card-sequence , we obtain a sequence of results of actions as follows:
where for . If the action function is undefined for some , we say that “ aborts at Step in the execution”. Note that even for the same input card-sequence , the obtained chains may be different for each execution. If the protocol terminates for an input card-sequence , then we have a chain of results as follows:
In this case, is called an initial sequence, is called a final sequence, and the sequence
where , is called a visible sequence-trace of . We denote by the set of all final sequences, which is obtained by .
Example 2.4.
Let us consider the following. Take the deck , and hence use the following cards.
Now, we give a card-based protocol such that
In this case, the card-sequence is changed by the protocol as follows:
Thus, the final sequence is .
2.3.2. Shuffle protocols
A shuffle protocol is a card-based protocol realizing a shuffle operation. It takes a card-sequence such that as input and outputs such that for a permutation chosen from depending on some probability distribution:
where is a card-sequence of helping cards. As for the correctness, we require that by the protocol is the same as . As for the security, we require that no one knows which permutation is actually chosen.
Definition 2.5.
Let be decks, an input set from , and a card-sequence from . We define an input set from by . A card-based protocol is said to be a shuffle protocol if the following conditions are satisfied:

always terminates within a fixed number of steps, i.e., it is a finite-runtime protocol;

for any input sequence , the final sequence forms such that for some permutation ;

for any input sequence , none of the cards contained in are turned at any step of a protocol execution.
Let be a random variable of the first cards of the final sequence when is given as an input card-sequence. Let be a shuffle. We say that realizes if for any , and are the same. We say that is secure if for any , is stochastically independent of the random variable of the visible sequence-trace of when is an initial card-sequence.
3. Graph shuffle protocols
In this section, we construct a card-based protocol called the graph shuffle protocol for a directed graph. First, we introduce a graph shuffle in Subsection 3.1. Second, we construct the graph shuffle protocol, which is a shuffle protocol for any graph shuffle in Subsection 3.2. We note that our protocol requires PSSs only.
3.1. Graph shuffle
First, we recall some fundamentals from graph theory; for example, see [9].
A directed graph is a quadruple consisting of two sets , and two maps . Each element of (resp. ) is called a vertex (resp. an arrow). For an arrow , we call (resp. ) the source (resp. the target) of . We will commonly write or to indicate that an arrow has the source and the target , and identify with a pair . A directed graph is finite if two sets and are finite sets. In this article, a graph means a finite directed graph with vertices and arrows.
Let be a graph. For a vertex , we define the following three functions:
The number is called the degree of . We set .
For graphs and , a pair consisting of maps and is a morphism of graphs if holds. In addition, if and are bijective, is called an isomorphism of graphs. In this case, we say that and are isomorphic as graphs. In other words, two graphs and are isomorphic as graphs when in exists if and only if exists in . We denote by the set of all isomorphisms from to , and the set of all such that . For a graph , an isomorphism from to itself is called an automorphism. We denote by the set of all automorphisms of , and the set of all such that . has the structure of a group under the composition of maps. Note that, if has no multiple arrows, then an automorphism is determined by . In the case that is an undirected graph, one can transform into the following directed graph :
Definition 3.1.
Let be a graph. The uniform closed shuffle is called the graph shuffle for over cards. (Recall that has vertices.)
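As an added illustration of Definition 3.1 (not code from the paper): a brute-force computation of the automorphisms of a small directed graph, checking that a directed cycle's automorphisms are exactly the cyclic shifts (so its graph shuffle is an RC) and that the set is closed under composition. Numbering vertices from 0, the function names, and the convention that the card at position v moves to position p[v] are assumptions of this sketch.

```python
import random
from itertools import permutations

def automorphisms(n, arrows):
    """All vertex permutations p (tuples, p[v] = image of v) mapping the arrow
    set onto itself. Assumes no multiple arrows, so the vertex map determines
    the automorphism. Brute force over all n! permutations: small n only."""
    arrow_set = set(arrows)
    return [p for p in permutations(range(n))
            if {(p[s], p[t]) for (s, t) in arrow_set} == arrow_set]

def compose(p, q):
    """Composition 'p after q': v -> p[q[v]]."""
    return tuple(p[q[v]] for v in range(len(p)))

def is_closed(perms):
    """The 'closed' half of 'uniform closed': closure under composition."""
    s = set(perms)
    return all(compose(p, q) in s for p in s for q in s)

def apply_perm(p, cards):
    """Move the card at position v to position p[v] (assumed convention)."""
    out = [None] * len(cards)
    for v, card in enumerate(cards):
        out[p[v]] = card
    return out

def graph_shuffle(n, arrows, cards, rng=None):
    """Rearrange cards by an automorphism drawn uniformly at random."""
    rng = rng or random.SystemRandom()
    return apply_perm(rng.choice(automorphisms(n, arrows)), cards)

def directed_cycle(n):
    """Arrows 0 -> 1 -> ... -> n-1 -> 0."""
    return [(v, (v + 1) % n) for v in range(n)]

def cyclic_shifts(n):
    """The n permutations v -> v + k (mod n), i.e. the cuts of a random cut."""
    return {tuple((v + k) % n for v in range(n)) for k in range(n)}

if __name__ == "__main__":
    auts = automorphisms(5, directed_cycle(5))
    print(set(auts) == cyclic_shifts(5), is_closed(auts))
    print(graph_shuffle(5, directed_cycle(5), list("abcde")))
```

A graph with no arrows has every permutation as an automorphism, so its graph shuffle scrambles all n cards uniformly, which is a PSS on n piles of one card each.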
3.2. Graph shuffle protocols
In this subsection, we construct a graph shuffle protocol, which is a shuffle protocol of the graph shuffle for a graph . We set . Let be any deck, and any input set from . We set a card-sequence of helping cards as follows: