Motivating Scenario I Card-based Cryptographic Protocols Using a - - PowerPoint PPT Presentation

SLIDE 1

Motivating Scenario I

1

2015-12-03 Koch, Walzer - Card-based Cryptographic Protocols Using a Minimal Number of Cards

DEPARTMENT OF INFORMATICS, INSTITUTE OF THEORETICAL INFORMATICS

Card-based Cryptographic Protocols Using a Minimal Number of Cards

Alexander Koch, Stefan Walzer, Kevin Härtel [asiacrypt/KochWH15]

KIT – University of the State of Baden-Wuerttemberg and National Research Center of the Helmholtz Association

www.kit.edu

SLIDE 2

Motivating Scenario I

1

2015-12-03 Koch, Walzer - Card-based Cryptographic Protocols Using a Minimal Number of Cards

Secrets: Do I love him/her? To compute: Is there mutual affection? Secure 2-party AND without computers

Trusted Computation

SLIDE 3

Motivating Scenario I

1

2015-12-03 Koch, Walzer - Card-based Cryptographic Protocols Using a Minimal Number of Cards

Secrets: Do I love him/her? To compute: Is there mutual affection? Secure 2-party AND without computers

Trusted Computation

SLIDE 4

Motivating Scenario I

1

2015-12-03 Koch, Walzer - Card-based Cryptographic Protocols Using a Minimal Number of Cards

Secrets: Do I love him/her? To compute: Is there mutual affection? Secure 2-party AND without computers

Trusted Computation

SLIDE 5

Motivating Scenario I

1

2015-12-03 Koch, Walzer - Card-based Cryptographic Protocols Using a Minimal Number of Cards

Secrets: Do I love him/her? To compute: Is there mutual affection? Secure 2-party AND without computers

Trusted Computation

SLIDE 6

Motivating Scenario II

2

2015-12-03 Koch, Walzer - Card-based Cryptographic Protocols Using a Minimal Number of Cards

Hey, help me compute yd mod n.

SLIDE 7

Motivating Scenario II

2

2015-12-03 Koch, Walzer - Card-based Cryptographic Protocols Using a Minimal Number of Cards

Hey, help me compute yd mod n. Sure, just tell me...

SLIDE 8

Motivating Scenario II

2

2015-12-03 Koch, Walzer - Card-based Cryptographic Protocols Using a Minimal Number of Cards

Hey, help me compute yd mod n. Sure, just tell me... I’m not telling you y, d or n.

SLIDE 9

Motivating Scenario II

2

2015-12-03 Koch, Walzer - Card-based Cryptographic Protocols Using a Minimal Number of Cards

Hey, help me compute yd mod n. Sure, just tell me... I’m not telling you y, d or n. Nor may you know the result.

SLIDE 10

Motivating Scenario II

2

2015-12-03 Koch, Walzer - Card-based Cryptographic Protocols Using a Minimal Number of Cards

Hey, help me compute yd mod n. Sure, just tell me... I’m not telling you y, d or n. Nor may you know the result. ...

SLIDE 11

Motivating Scenario II

2

2015-12-03 Koch, Walzer - Card-based Cryptographic Protocols Using a Minimal Number of Cards

Hey, help me compute yd mod n. Sure, just tell me... I’m not telling you y, d or n. Nor may you know the result. Sure, I’ll get some cards.

SLIDE 12

Setting and Goal

3

2015-12-03 Koch, Walzer - Card-based Cryptographic Protocols Using a Minimal Number of Cards

Two types of indistinguishable cards:

Heart ♥ and club ♣ with backside .

Encode bits as

♣ ♥ ˆ = 0 ♥ ♣ ˆ = 1

Our goal (“committed format”)

Take face-down input (bits a, b) Compute face-down output (a ∧ b) Learn nothing about the input or output during protocol run.

SLIDE 13

Setting and Goal

3

2015-12-03 Koch, Walzer - Card-based Cryptographic Protocols Using a Minimal Number of Cards

Two types of indistinguishable cards:

Heart ♥ and club ♣ with backside .

Encode bits as

♣ ♥ ˆ = 0 ♥ ♣ ˆ = 1

Our goal (“committed format”)

Take face-down input (bits a, b) Compute face-down output (a ∧ b) Learn nothing about the input or output during protocol run.

SLIDE 14

The if-then-else Operator

4

2015-12-03 Koch, Walzer - Card-based Cryptographic Protocols Using a Minimal Number of Cards

Definition

(if a then b else c) :=

• b

if a = 1 c if a = 0

Also known as: (a ? b : c) Note:

(a ∧ b) ≡ (if a then b else 0) (if a then b else c) ≡ (if ¬a then c else b)

SLIDE 15

Computing “if a then b else c” (cmp. [faw/MizukiS09])

5

2015-12-03 Koch, Walzer - Card-based Cryptographic Protocols Using a Minimal Number of Cards

Conceptually With Cards

Input: a,b,c With equal probability set (a′, b′, c′) = (a, b, c) or (a′, b′, c′) = (¬a, c, b) Test a′ return b’ return c’ 1 Input:

a b c

With equal probability do either nothing or Turn 1,2

♥ ♣

• utput

♣ ♥

• utput

♥ ♣ ♣ ♥

SLIDE 16

Can we do better than six cards?

6

2015-12-03 Koch, Walzer - Card-based Cryptographic Protocols Using a Minimal Number of Cards

Main Question: How many cards needed to compute a ∧ b where Input and output encoded as ♥ ♣ = 1, ♣ ♥ = 0. We are and remain oblivious of input and output.

Our Results

4 cards 5 cards

Not yet published

probably 6 cards 4 cards

SLIDE 17

Can we do better than six cards?

6

2015-12-03 Koch, Walzer - Card-based Cryptographic Protocols Using a Minimal Number of Cards

Main Question: How many cards needed to compute a ∧ b where Input and output encoded as ♥ ♣ = 1, ♣ ♥ = 0. We are and remain oblivious of input and output.

Our Results

4 cards 5 cards

Not yet published

probably 6 cards 4 cards

SLIDE 18

Can we do better than six cards?

6

2015-12-03 Koch, Walzer - Card-based Cryptographic Protocols Using a Minimal Number of Cards

Main Question: How many cards needed to compute a ∧ b where Input and output encoded as ♥ ♣ = 1, ♣ ♥ = 0. We are and remain oblivious of input and output.

Our Results

4 cards (Model of Mizuki & Shizuya) 5 cards (MS but a-priori bound runtime)

Not yet published

probably 6 cards (MS but only “uniform closed” shuffles) 4 cards (Player-Perm model)

SLIDE 19

Computational Model

Based on ijisec/MizukiS14

7

2015-12-03 Koch, Walzer - Card-based Cryptographic Protocols Using a Minimal Number of Cards

Operations

(perm, π). Apply permutation π to the sequence of cards. (shuffle, Π, F). Apply permutation π ∈ Π, drawn according to F. Note: We don’t know which π was chosen! (turn, T). Reveal cards in positions given by T. (result, b1, b2). Output cards in positions b1, b2.

Correctness: Cards given by result-operation

always encodes correct output bit.

Security: The observations (made during turns) are

stochastially independent of input and output.

SLIDE 20

State Transitions: The Six-Card Protocol

8

2015-12-03 Koch, Walzer - Card-based Cryptographic Protocols Using a Minimal Number of Cards

♥♣♥♣♣♥ X11 ♥♣♣♥♣♥ X10 ♣♥♥♣♣♥ X01 ♣♥♣♥♣♥ X00 Protocol State: Annotate currently possible sequences with probability in terms of symbolic input prob. Xij = Pr[a = i, b = j]

SLIDE 21

State Transitions: The Six-Card Protocol

8

2015-12-03 Koch, Walzer - Card-based Cryptographic Protocols Using a Minimal Number of Cards

♥♣♥♣♣♥ X11 ♥♣♣♥♣♥ X10 ♣♥♥♣♣♥ X01 ♣♥♣♥♣♥ X00 Protocol State: Annotate currently possible sequences with probability in terms of symbolic input prob. Xij = Pr[a = i, b = j]

SLIDE 22

State Transitions: The Six-Card Protocol

8

2015-12-03 Koch, Walzer - Card-based Cryptographic Protocols Using a Minimal Number of Cards

♥♣♥♣♣♥ X11 ♥♣♣♥♣♥ X10 ♣♥♥♣♣♥ X01 ♣♥♣♥♣♥ X00 Protocol State: Annotate currently possible sequences with probability in terms of symbolic input prob. Xij = Pr[a = i, b = j]

SLIDE 23

State Transitions: The Six-Card Protocol

8

2015-12-03 Koch, Walzer - Card-based Cryptographic Protocols Using a Minimal Number of Cards

♥♣♥♣♣♥ X11 ♥♣♣♥♣♥ X10 ♣♥♥♣♣♥ X01 ♣♥♣♥♣♥ X00 ♥♣♥♣♣♥ 1 /

2X11

♥♣♣♥♣♥ 1 /

2X10 + 1

/

2X00

♣♥♥♣♣♥ 1 /

2X01

♣♥♣♥♣♥ 1 /

2X00 + 1

/

2X10

♣♥♣♥♥♣ 1 /

2X11

♥♣♣♥♥♣ 1 /

2X01

(shuffle, {id, (1 2)(3 5)(4 6)}) Protocol State: Annotate currently possible sequences with probability in terms of symbolic input prob. Xij = Pr[a = i, b = j]

SLIDE 24

State Transitions: The Six-Card Protocol

8

2015-12-03 Koch, Walzer - Card-based Cryptographic Protocols Using a Minimal Number of Cards

♥♣♥♣♣♥ X11 ♥♣♣♥♣♥ X10 ♣♥♥♣♣♥ X01 ♣♥♣♥♣♥ X00 ♥♣♥♣♣♥ 1 /

2X11

♥♣♣♥♣♥ 1 /

2X10 + 1

/

2X00

♣♥♥♣♣♥ 1 /

2X01

♣♥♣♥♣♥ 1 /

2X00 + 1

/

2X10

♣♥♣♥♥♣ 1 /

2X11

♥♣♣♥♥♣ 1 /

2X01

(shuffle, {id, (1 2)(3 5)(4 6)}) Protocol State: Annotate currently possible sequences with probability in terms of symbolic input prob. Xij = Pr[a = i, b = j]

SLIDE 25

State Transitions: The Six-Card Protocol

8

2015-12-03 Koch, Walzer - Card-based Cryptographic Protocols Using a Minimal Number of Cards

♥♣♥♣♣♥ X11 ♥♣♣♥♣♥ X10 ♣♥♥♣♣♥ X01 ♣♥♣♥♣♥ X00 ♥♣♥♣♣♥ 1 /

2X11

♥♣♣♥♣♥ 1 /

2X10 + 1

/

2X00

♣♥♥♣♣♥ 1 /

2X01

♣♥♣♥♣♥ 1 /

2X00 + 1

/

2X10

♣♥♣♥♥♣ 1 /

2X11

♥♣♣♥♥♣ 1 /

2X01

(shuffle, {id, (1 2)(3 5)(4 6)}) Protocol State: Annotate currently possible sequences with probability in terms of symbolic input prob. Xij = Pr[a = i, b = j]

SLIDE 26

State Transitions: The Six-Card Protocol

8

2015-12-03 Koch, Walzer - Card-based Cryptographic Protocols Using a Minimal Number of Cards

♥♣♥♣♣♥ X11 ♥♣♣♥♣♥ X10 ♣♥♥♣♣♥ X01 ♣♥♣♥♣♥ X00 ♥♣♥♣♣♥ 1 /

2X11

♥♣♣♥♣♥ 1 /

2X10 + 1

/

2X00

♣♥♥♣♣♥ 1 /

2X01

♣♥♣♥♣♥ 1 /

2X00 + 1

/

2X10

♣♥♣♥♥♣ 1 /

2X11

♥♣♣♥♥♣ 1 /

2X01

(shuffle, {id, (1 2)(3 5)(4 6)}) ♥♣♥♣♣♥ X11 ♥♣♣♥♣♥ X10 + X00 ♥♣♣♥♥♣ X01 ♣♥♣♥♥♣ X11 ♣♥♣♥♣♥ X10 + X00 ♣♥♥♣♣♥ X01 (turn, {1, 2})

♥ ♣ ♣ ♥

(result, 3, 4)

• (result, 5, 6)
• Protocol State:

Annotate currently possible sequences with probability in terms of symbolic input prob. Xij = Pr[a = i, b = j]

SLIDE 27

State Transitions: The Six-Card Protocol

8

2015-12-03 Koch, Walzer - Card-based Cryptographic Protocols Using a Minimal Number of Cards

♥♣♥♣♣♥ X11 ♥♣♣♥♣♥ X10 ♣♥♥♣♣♥ X01 ♣♥♣♥♣♥ X00 ♥♣♥♣♣♥ 1 /

2X11

♥♣♣♥♣♥ 1 /

2X10 + 1

/

2X00

♣♥♥♣♣♥ 1 /

2X01

♣♥♣♥♣♥ 1 /

2X00 + 1

/

2X10

♣♥♣♥♥♣ 1 /

2X11

♥♣♣♥♥♣ 1 /

2X01

(shuffle, {id, (1 2)(3 5)(4 6)}) ♥♣♥♣♣♥ X11 ♥♣♣♥♣♥ X10 + X00 ♥♣♣♥♥♣ X01 ♣♥♣♥♥♣ X11 ♣♥♣♥♣♥ X10 + X00 ♣♥♥♣♣♥ X01 (turn, {1, 2})

♥ ♣ ♣ ♥

(result, 3, 4)

• (result, 5, 6)
• Protocol State:

Annotate currently possible sequences with probability in terms of symbolic input prob. Xij = Pr[a = i, b = j]

SLIDE 28

State Transitions: The Six-Card Protocol

8

2015-12-03 Koch, Walzer - Card-based Cryptographic Protocols Using a Minimal Number of Cards

♥♣♥♣♣♥ X11 ♥♣♣♥♣♥ X10 ♣♥♥♣♣♥ X01 ♣♥♣♥♣♥ X00 ♥♣♥♣♣♥ 1 /

2X11

♥♣♣♥♣♥ 1 /

2X10 + 1

/

2X00

♣♥♥♣♣♥ 1 /

2X01

♣♥♣♥♣♥ 1 /

2X00 + 1

/

2X10

♣♥♣♥♥♣ 1 /

2X11

♥♣♣♥♥♣ 1 /

2X01

(shuffle, {id, (1 2)(3 5)(4 6)}) ♥♣♥♣♣♥ X11 ♥♣♣♥♣♥ X10 + X00 ♥♣♣♥♥♣ X01 ♣♥♣♥♥♣ X11 ♣♥♣♥♣♥ X10 + X00 ♣♥♥♣♣♥ X01 (turn, {1, 2})

♥ ♣ ♣ ♥

(result, 3, 4)

• (result, 5, 6)
• Protocol State:

Annotate currently possible sequences with probability in terms of symbolic input prob. Xij = Pr[a = i, b = j]

SLIDE 29

State Transitions: The Six-Card Protocol

8

2015-12-03 Koch, Walzer - Card-based Cryptographic Protocols Using a Minimal Number of Cards

♥♣♥♣♣♥ X11 ♥♣♣♥♣♥ X10 ♣♥♥♣♣♥ X01 ♣♥♣♥♣♥ X00 ♥♣♥♣♣♥ 1 /

2X11

♥♣♣♥♣♥ 1 /

2X10 + 1

/

2X00

♣♥♥♣♣♥ 1 /

2X01

♣♥♣♥♣♥ 1 /

2X00 + 1

/

2X10

♣♥♣♥♥♣ 1 /

2X11

♥♣♣♥♥♣ 1 /

2X01

(shuffle, {id, (1 2)(3 5)(4 6)}) ♥♣♥♣♣♥ X11 ♥♣♣♥♣♥ X10 + X00 ♥♣♣♥♥♣ X01 ♣♥♣♥♥♣ X11 ♣♥♣♥♣♥ X10 + X00 ♣♥♥♣♣♥ X01 (turn, {1, 2})

♥ ♣ ♣ ♥

(result, 3, 4)

• (result, 5, 6)
• Protocol State:

Annotate currently possible sequences with probability in terms of symbolic input prob. Xij = Pr[a = i, b = j]

SLIDE 30

State Transitions: The Six-Card Protocol

9

2015-12-03 Koch, Walzer - Card-based Cryptographic Protocols Using a Minimal Number of Cards

♥♣♥♣♣♥ X11 ♥♣♣♥♣♥ X10 ♣♥♥♣♣♥ X01 ♣♥♣♥♣♥ X00 ♥♣♥♣♣♥ 1 /

2X11

♥♣♣♥♣♥ 1 /

2X10 + 1

/

2X00

♣♥♥♣♣♥ 1 /

2X01

♣♥♣♥♣♥ 1 /

2X00 + 1

/

2X10

♣♥♣♥♥♣ 1 /

2X11

♥♣♣♥♥♣ 1 /

2X01

(shuffle, {id, (1 2)(3 5)(4 6)}) ♥♣♥♣♣♥ X11 ♥♣♣♥♣♥ X10 + X00 ♥♣♣♥♥♣ X01 ♣♥♣♥♥♣ X11 ♣♥♣♥♣♥ X10 + X00 ♣♥♥♣♣♥ X01 (turn, {1, 2})

♥ ♣ ♣ ♥

(result, 3, 4)

• (result, 5, 6)
• Protocol State:

Annotate currently possible sequences with probability in terms of symbolic input prob. Xij = Pr[a = i, b = j]

SLIDE 31

Impossibility Result

10

2015-12-03 Koch, Walzer - Card-based Cryptographic Protocols Using a Minimal Number of Cards

Theorem

There is no secure finite-runtime four-card AND protocol

Proof Idea

Each sequence belongs either to output 0 or to 1. An i|j-state has i 0-sequences and j 1-sequences. Define non-reachable “good” states:

start state

“bad” states “good” states

not possible by turn/shuffle final states

SLIDE 32

Impossibility Result

10

2015-12-03 Koch, Walzer - Card-based Cryptographic Protocols Using a Minimal Number of Cards

Theorem

There is no secure finite-runtime four-card AND protocol

Proof Idea

Each sequence belongs either to output 0 or to 1. An i|j-state has i 0-sequences and j 1-sequences. Define non-reachable “good” states:

start state

“bad” states “good” states

not possible by turn/shuffle final states

start type: 3|1

♥♣♥♣ X11 ♥♣♣♥ X10 ♣♥♥♣ X01 ♣♥♣♥ X00

SLIDE 33

Impossibility Result

10

2015-12-03 Koch, Walzer - Card-based Cryptographic Protocols Using a Minimal Number of Cards

Theorem

There is no secure finite-runtime four-card AND protocol

Proof Idea

Each sequence belongs either to output 0 or to 1. An i|j-state has i 0-sequences and j 1-sequences. Define non-reachable “good” states:

start state

“bad” states “good” states

not possible by turn/shuffle final states

start type: 3|1

♥♣♥♣ X11 ♥♣♣♥ X10 ♣♥♥♣ X01 ♣♥♣♥ X00

e.g. 2|2 state:

♣♥♥♣ X01 + X00 ♣♥♣♥ X10 ♥♣♣♥ 1 /

2X11

♥

↑

♣

↑

♥♣ 1 /

2X11

SLIDE 34

Proof Idea – Single Card Turns

11

2015-12-03 Koch, Walzer - Card-based Cryptographic Protocols Using a Minimal Number of Cards

1|1 2|1 1|2

without const pos

2|2 2|1 1|2

with const pos

3|1 1|3 4|1 1|4 5|1 1|5 2|3 3|2 2|4 4|2 3|3 “Bad” States “Good” States

SLIDE 35

Proof Idea – Single Card Turns

11

2015-12-03 Koch, Walzer - Card-based Cryptographic Protocols Using a Minimal Number of Cards

1|1 2|1 1|2

without const pos

2|2 2|1 1|2

with const pos

3|1 1|3 4|1 1|4 5|1 1|5 2|3 3|2 2|4 4|2 3|3 “Bad” States “Good” States

Observation 1. After turn: with const pos. and ≤ 3 sequences.

SLIDE 36

Proof Idea – Single Card Turns

11

2015-12-03 Koch, Walzer - Card-based Cryptographic Protocols Using a Minimal Number of Cards

1|1 2|1 1|2

without const pos

2|2 2|1 1|2

with const pos

3|1 1|3 4|1 1|4 5|1 1|5 2|3 3|2 2|4 4|2 3|3 “Bad” States “Good” States

Observation 2. Turnable states are i|j with i, j ≥ 2.

SLIDE 37

Proof Idea – Single Card Turns

11

2015-12-03 Koch, Walzer - Card-based Cryptographic Protocols Using a Minimal Number of Cards

1|1 2|1 1|2

without const pos

2|2 2|1 1|2

with const pos

3|1 1|3 4|1 1|4 5|1 1|5 2|3 3|2 2|4 4|2 3|3 “Bad” States “Good” States

Observation 3. W.l.o.g. consider only turnable states with i ≥ j that are bad.

SLIDE 38

Proof Idea – Single Card Turns

11

2015-12-03 Koch, Walzer - Card-based Cryptographic Protocols Using a Minimal Number of Cards

1|1 2|1 1|2

without const pos

2|2 2|1 1|2

with const pos

3|1 1|3 4|1 1|4 5|1 1|5 2|3 3|2 2|4 4|2 3|3 “Bad” States “Good” States

SLIDE 39

Proof Idea – Single Card Turns

11

2015-12-03 Koch, Walzer - Card-based Cryptographic Protocols Using a Minimal Number of Cards

1|1 2|1 1|2

without const pos

2|2 2|1 1|2

with const pos

3|1 1|3 4|1 1|4 5|1 1|5 2|3 3|2 2|4 4|2 3|3 “Bad” States “Good” States

SLIDE 40

Proof Idea – Shuffles

12

2015-12-03 Koch, Walzer - Card-based Cryptographic Protocols Using a Minimal Number of Cards

1|1 2|1 1|2

without const pos

2|2 2|1 1|2

with const pos

3|1 1|3 4|1 1|4 5|1 1|5 2|3 3|2 2|4 4|2 3|3 “Bad” States “Good” States

Observation 1. Shuffles increase #sequences per type

SLIDE 41

Proof Idea – Shuffles

12

2015-12-03 Koch, Walzer - Card-based Cryptographic Protocols Using a Minimal Number of Cards

1|1 2|1 1|2

without const pos

2|2 2|1 1|2

with const pos

3|1 1|3 4|1 1|4 5|1 1|5 2|3 3|2 2|4 4|2 3|3 “Bad” States “Good” States

Observation 1. Shuffles increase #sequences per type

SLIDE 42

Proof Idea – Shuffles

12

2015-12-03 Koch, Walzer - Card-based Cryptographic Protocols Using a Minimal Number of Cards

1|1 2|1 1|2

without const pos

2|2 2|1 1|2

with const pos

3|1 1|3 4|1 1|4 5|1 1|5 2|3 3|2 2|4 4|2 3|3 “Bad” States “Good” States ? ?

SLIDE 43

Proof Idea – Shuffles

12

2015-12-03 Koch, Walzer - Card-based Cryptographic Protocols Using a Minimal Number of Cards

1|1 2|1 1|2

without const pos

2|2 2|1 1|2

with const pos

3|1 1|3 4|1 1|4 5|1 1|5 2|3 3|2 2|4 4|2 3|3 “Bad” States “Good” States s0: ♥♥♣♣ s′

0: ♥♣♥♣

s1: ♥♣♣♥

Apply (shuffle, Π, F) to this state. Case 1: All π ∈ Π put constant column to same position. = ⇒ the resulting state still has a constant column.

SLIDE 44

Proof Idea – Shuffles

12

2015-12-03 Koch, Walzer - Card-based Cryptographic Protocols Using a Minimal Number of Cards

1|1 2|1 1|2

without const pos

2|2 2|1 1|2

with const pos

3|1 1|3 4|1 1|4 5|1 1|5 2|3 3|2 2|4 4|2 3|3 “Bad” States “Good” States s0: ♥♥♣♣ s′

0: ♥♣♥♣

s1: ♥♣♣♥ s′′

0: ♣♥♣♥

s′

1: ♣♥♣♥

p = ½

Apply (shuffle, Π, F) to this state. Case 2: There are π1, π2 ∈ Π putting the const. col. in different pos. = ⇒ the resulting state has at least 5 sequences.

SLIDE 45

Our Four-Card Protocol

13

2015-12-03 Koch, Walzer - Card-based Cryptographic Protocols Using a Minimal Number of Cards

♥♣♥♣ X11 ♥♣♣♥ X10 ♣♥♥♣ X01 ♣♥♣♥ X00 start state ♥♥♣♣

1

/

2X11

♥♣♥♣

1

/

2X11

♣♥♥♣

1

/

2X10 + 1

/

2X01

♥♣♣♥

1

/

2X10 + 1

/

2X01

♣♥♣♥

1

/

2X00

♣♣♥♥

1

/

2X00

(shuffle, {id, (1 3)(2 4), (2 3), (1 2 4 3)}) ♥♥♣♣ X11 ♣♥♥♣ X10 + X01 ♣♥♣♥ X00 ♥♥♣♣ X1 ♣♥♥♣

1

/

2X0

♣♥♣♥

1

/

2X0

(shuffle, {id, (3 4)}) ♥♥♣♣

1

/

3X1

♣♣♥♥

2

/

3X1

♣♥♥♣

1

/

6X0

♥♣♣♥

1

/

3X0

♣♥♣♥

1

/

2X0

(shuffle, {id, (1 3)(2 4)}, F) F : id → 1 /

3, (1 3)(2 4) → 2

/

3

♥♥♣♣ X1 ♥♣♣♥ X0 (result, 2, 4)

• ♣♣♥♥

X1 ♣♥♥♣

1

/

4X0

♣♥♣♥

3

/

4X0

(turn, {1})

♣ ♥

♣♣♥♥ X1 ♣♥♥♣

1

/

2X0

♣♥♣♥

1

/

2X0

(shuffle, {id, (3 4)}) ♥♣♥♣ X11 ♥♣♣♥ X10 + X01 ♣♣♥♥ X00 ♥♣♥♣ X1 ♥♣♣♥

1

/

2X0

♣♣♥♥

1

/

2X0

(shuffle, {id, (1 3)}) (turn, {2})

♣ ♥

(perm, (1 2 4 3)) ♥♣♥♣

1

/

3X1

♣♥♣♥

2

/

3X1

♥♣♣♥

1

/

6X0

♣♥♥♣

1

/

3X0

♣♣♥♥

1

/

2X0

(shuffle, {id, (1 2)(3 4)}, F) F : id → 1 /

3, (1 2)(3 4) → 2

/

3

♥♣♥♣ X1 ♣♥♥♣ X0 (result, 1, 2)

• ♣♥♣♥

X1 ♥♣♣♥

1

/

4X0

♣♣♥♥

3

/

4X0

(turn, {4})

♣ ♥

♣♥♣♥ X1 ♥♣♣♥

1

/

2X0

♣♣♥♥

1

/

2X0

(shuffle, {id, (1 3)}) (perm, (1 3 4 2))

SLIDE 46

Our Four-Card Protocol

13

2015-12-03 Koch, Walzer - Card-based Cryptographic Protocols Using a Minimal Number of Cards

♥♣♥♣ X11 ♥♣♣♥ X10 ♣♥♥♣ X01 ♣♥♣♥ X00 start state ♥♥♣♣

1

/

2X11

♥♣♥♣

1

/

2X11

♣♥♥♣

1

/

2X10 + 1

/

2X01

♥♣♣♥

1

/

2X10 + 1

/

2X01

♣♥♣♥

1

/

2X00

♣♣♥♥

1

/

2X00

(shuffle, {id, (1 3)(2 4), (2 3), (1 2 4 3)}) ♥♥♣♣ X11 ♣♥♥♣ X10 + X01 ♣♥♣♥ X00 ♥♥♣♣ X1 ♣♥♥♣

1

/

2X0

♣♥♣♥

1

/

2X0

(shuffle, {id, (3 4)}) ♥♥♣♣

1

/

3X1

♣♣♥♥

2

/

3X1

♣♥♥♣

1

/

6X0

♥♣♣♥

1

/

3X0

♣♥♣♥

1

/

2X0

(shuffle, {id, (1 3)(2 4)}, F) F : id → 1 /

3, (1 3)(2 4) → 2

/

3

♥♥♣♣ X1 ♥♣♣♥ X0 (result, 2, 4)

• ♣♣♥♥

X1 ♣♥♥♣

1

/

4X0

♣♥♣♥

3

/

4X0

(turn, {1})

♣ ♥

♣♣♥♥ X1 ♣♥♥♣

1

/

2X0

♣♥♣♥

1

/

2X0

(shuffle, {id, (3 4)}) ♥♣♥♣ X11 ♥♣♣♥ X10 + X01 ♣♣♥♥ X00 ♥♣♥♣ X1 ♥♣♣♥

1

/

2X0

♣♣♥♥

1

/

2X0

(shuffle, {id, (1 3)}) (turn, {2})

♣ ♥

(perm, (1 2 4 3)) ♥♣♥♣

1

/

3X1

♣♥♣♥

2

/

3X1

♥♣♣♥

1

/

6X0

♣♥♥♣

1

/

3X0

♣♣♥♥

1

/

2X0

(shuffle, {id, (1 2)(3 4)}, F) F : id → 1 /

3, (1 2)(3 4) → 2

/

3

♥♣♥♣ X1 ♣♥♥♣ X0 (result, 1, 2)

• ♣♥♣♥

X1 ♥♣♣♥

1

/

4X0

♣♣♥♥

3

/

4X0

(turn, {4})

♣ ♥

♣♥♣♥ X1 ♥♣♣♥

1

/

2X0

♣♣♥♥

1

/

2X0

(shuffle, {id, (1 3)}) (perm, (1 3 4 2))

SLIDE 47

Our Five-Card Protocol

13

2015-12-03 Koch, Walzer - Card-based Cryptographic Protocols Using a Minimal Number of Cards

♥♣♥♣♥ X11 ♥♣♣♥♥ X10 ♣♥♥♣♥ X01 ♣♥♣♥♥ X00 start state ♥♥♣♣♥ 1 /

2X11

♥♣♥♣♥ 1 /

2X11

♣♥♥♣♥ 1 /

2X10 + 1

/

2X01

♥♣♣♥♥ 1 /

2X10 + 1

/

2X01

♣♥♣♥♥ 1 /

2X00

♣♣♥♥♥ 1 /

2X00

(shuffle, {id, (1 3)(2 4), (2 3), (1 2 4 3)}) ♥♥♣♣♥ X11 ♣♥♥♣♥ X10 + X01 ♣♥♣♥♥ X00 ♥♥♣♣♥ X1 ♣♥♥♣♥ 1 /

2X0

♣♥♣♥♥ 1 /

2X0

(shuffle, {id, (3 4)}) ♥♥♣♣♥ 1 /

3X1

♣♣♥♥♥ 2 /

3X1

♣♥♥♣♥ 1 /

6X0

♥♣♣♥♥ 1 /

3X0

♣♥♣♥♥ 1 /

2X0

(shuffle, {id, (1 3)(2 4)}, F) F : id → 1 /

3, (1 3)(2 4) → 2

/

3

♥♥♣♣♥ X1 ♥♣♣♥♥ X0 (result, 2, 4)

• ♣♣♥♥♥ X1

♣♥♥♣♥ 1 /

4X0

♣♥♣♥♥ 3 /

4X0

(turn, {1})

♣ ♥

♣♣♥♥♥ X1 ♣♥♥♣♥ 1 /

2X0

♣♥♣♥♥ 1 /

2X0

(shuffle, {id, (3 4)}) ♥♣♥♣♥ X11 ♥♣♣♥♥ X10 + X01 ♣♣♥♥♥ X00 ♥♣♥♣♥ X1 ♥♣♣♥♥ 1 /

2X0

♣♣♥♥♥ 1 /

2X0

(shuffle, {id, (1 3)}) (turn, {2})

♣ ♥

(perm, (1 2 4 3)) ♣♥♥♣♥ 2 /

3X1

♥♥♣♥♣ 1 /

3X1

♥♥♣♣♥ 1 /

2X0

♥♣♣♥♥ 1 /

6X0

♥♥♥♣♣ 1 /

3X0

(perm, (1 5 2 4)), (shuffle, {id, (5 4 3 2 1)}, F) F : id → 2 /

3, (5 4 3 2 1) → 1

/

3

♥♥♣♥♣ X1 ♥♥♥♣♣ X0 (result, 4, 3)

• ♣♥♥♣♥ X1

♥♥♣♣♥ 3 /

4X0

♥♣♣♥♥ 1 /

4X0

(result, 3, 1)

• (turn, {5})

♣ ♥

SLIDE 48

Our Five-Card Protocol

13

2015-12-03 Koch, Walzer - Card-based Cryptographic Protocols Using a Minimal Number of Cards

♥♣♥♣♥ X11 ♥♣♣♥♥ X10 ♣♥♥♣♥ X01 ♣♥♣♥♥ X00 start state ♥♥♣♣♥ 1 /

2X11

♥♣♥♣♥ 1 /

2X11

♣♥♥♣♥ 1 /

2X10 + 1

/

2X01

♥♣♣♥♥ 1 /

2X10 + 1

/

2X01

♣♥♣♥♥ 1 /

2X00

♣♣♥♥♥ 1 /

2X00

(shuffle, {id, (1 3)(2 4), (2 3), (1 2 4 3)}) ♥♥♣♣♥ X11 ♣♥♥♣♥ X10 + X01 ♣♥♣♥♥ X00 ♥♥♣♣♥ X1 ♣♥♥♣♥ 1 /

2X0

♣♥♣♥♥ 1 /

2X0

(shuffle, {id, (3 4)}) ♥♥♣♣♥ 1 /

3X1

♣♣♥♥♥ 2 /

3X1

♣♥♥♣♥ 1 /

6X0

♥♣♣♥♥ 1 /

3X0

♣♥♣♥♥ 1 /

2X0

(shuffle, {id, (1 3)(2 4)}, F) F : id → 1 /

3, (1 3)(2 4) → 2

/

3

♥♥♣♣♥ X1 ♥♣♣♥♥ X0 (result, 2, 4)

• ♣♣♥♥♥ X1

♣♥♥♣♥ 1 /

4X0

♣♥♣♥♥ 3 /

4X0

(turn, {1})

♣ ♥

♣♣♥♥♥ X1 ♣♥♥♣♥ 1 /

2X0

♣♥♣♥♥ 1 /

2X0

(shuffle, {id, (3 4)}) ♥♣♥♣♥ X11 ♥♣♣♥♥ X10 + X01 ♣♣♥♥♥ X00 ♥♣♥♣♥ X1 ♥♣♣♥♥ 1 /

2X0

♣♣♥♥♥ 1 /

2X0

(shuffle, {id, (1 3)}) (turn, {2})

♣ ♥

(perm, (1 2 4 3)) ♣♥♥♣♥ 2 /

3X1

♥♥♣♥♣ 1 /

3X1

♥♥♣♣♥ 1 /

2X0

♥♣♣♥♥ 1 /

6X0

♥♥♥♣♣ 1 /

3X0

(perm, (1 5 2 4)), (shuffle, {id, (5 4 3 2 1)}, F) F : id → 2 /

3, (5 4 3 2 1) → 1

/

3

♥♥♣♥♣ X1 ♥♥♥♣♣ X0 (result, 4, 3)

• ♣♥♥♣♥ X1

♥♥♣♣♥ 3 /

4X0

♥♣♣♥♥ 1 /

4X0

(result, 3, 1)

• (turn, {5})

♣ ♥

SLIDE 49

On the Issue of Shuffling

14

2015-12-03 Koch, Walzer - Card-based Cryptographic Protocols Using a Minimal Number of Cards

Problem: How to rearrange cards (with your hands) s.t. you don’t

know what you did after you did it? p = 1/3 p = 2/3

do nothing Rotate by 1

We have three answers: Restrict to plausible subset of shuffles. Explain the problem away, suggesting additional tools. Use two players knowing different things about the computation.

SLIDE 50

Answer 1: Restrict to “Uniform Closed” Shuffles

uniform distribution on a (sub-)group of permutations

15

2015-12-03 Koch, Walzer - Card-based Cryptographic Protocols Using a Minimal Number of Cards

Example: Swapping with p = 1/2

p = 1/2 p = 1/2

do nothing (1, 2) ↔ (3, 4)

SLIDE 51

Answer 1: Restrict to “Uniform Closed” Shuffles

uniform distribution on a (sub-)group of permutations

15

2015-12-03 Koch, Walzer - Card-based Cryptographic Protocols Using a Minimal Number of Cards

Example: The shuffle from the six-card protocol

p = 1/2 p = 1/2

do nothing (1) ↔ (2), (3, 4) ↔ (5, 6)

SLIDE 52

Answer 1: Restrict to “Uniform Closed” Shuffles

uniform distribution on a (sub-)group of permutations

15

2015-12-03 Koch, Walzer - Card-based Cryptographic Protocols Using a Minimal Number of Cards

Example: Random Cyclic Shift

p = 1/4 p = 1/4 p = 1/4 p = 1/4

Rotate by 0 Rotate by 1 Rotate by 2 Rotate by 3

SLIDE 53

Answer 1: Restrict to “Uniform Closed” Shuffles

uniform distribution on a (sub-)group of permutations

15

2015-12-03 Koch, Walzer - Card-based Cryptographic Protocols Using a Minimal Number of Cards

Example: Random Cyclic Shift

p = 1/4 p = 1/4 p = 1/4 p = 1/4

Rotate by 0 Rotate by 1 Rotate by 2 Rotate by 3

Note: Repeating those shuffles doesn’t hurt (S ◦ S = S).

Do it till you lost track. With several people: Take turns looking away.

Conjecture With only such “uniform closed” shuffles:

Six cards are needed for AND.

SLIDE 54

Answer 2: Two Players + 2-Sided Lottery Tickets

Works for all shuffles with rational probabilities.

16

2015-12-03 Koch, Walzer - Card-based Cryptographic Protocols Using a Minimal Number of Cards

p = 1/3 p = 2/3

do nothing Rotate by 1

Ticket has X on front and Y on back. Player 1 sees X and rotates by X. Player 2 sees Y and rotates by Y.

Create one ticket for each column:

X 0 0 0 1 1 1 2 2 2 3 3 3 Y 1 1 0 0 0 3 3 3 2 2 2 1 X + Y 1 1 0 1 1 0 1 1 0 1 1 0

Y = 3 X = 2

Y = 3 Knowing only X (or Y) gives no info about X + Y. I(X; X + Y) = 0 I(Y; X + Y) = 0

SLIDE 55

Answer 2: Two Players + 2-Sided Lottery Tickets

Works for all shuffles with rational probabilities.

16

2015-12-03 Koch, Walzer - Card-based Cryptographic Protocols Using a Minimal Number of Cards

p = 1/3 p = 2/3

do nothing Rotate by 1

Ticket has X on front and Y on back. Player 1 sees X and rotates by X. Player 2 sees Y and rotates by Y.

Create one ticket for each column:

X 0 0 0 1 1 1 2 2 2 3 3 3 Y 1 1 0 0 0 3 3 3 2 2 2 1 X + Y 1 1 0 1 1 0 1 1 0 1 1 0

Y = 3 X = 2

Y = 3 Knowing only X (or Y) gives no info about X + Y. I(X; X + Y) = 0 I(Y; X + Y) = 0

SLIDE 56

Answer 2: Two Players + 2-Sided Lottery Tickets

Works for all shuffles with rational probabilities.

16

2015-12-03 Koch, Walzer - Card-based Cryptographic Protocols Using a Minimal Number of Cards

p = 1/3 p = 2/3

do nothing Rotate by 1

Ticket has X on front and Y on back. Player 1 sees X and rotates by X. Player 2 sees Y and rotates by Y.

Create one ticket for each column:

X 0 0 0 1 1 1 2 2 2 3 3 3 Y 1 1 0 0 0 3 3 3 2 2 2 1 X + Y 1 1 0 1 1 0 1 1 0 1 1 0

Y = 3 X = 2

Y = 3 Knowing only X (or Y) gives no info about X + Y. I(X; X + Y) = 0 I(Y; X + Y) = 0

SLIDE 57

Answer 2: Two Players + 2-Sided Lottery Tickets

Works for all shuffles with rational probabilities.

16

2015-12-03 Koch, Walzer - Card-based Cryptographic Protocols Using a Minimal Number of Cards

p = 1/3 p = 2/3

do nothing Rotate by 1

Ticket has X on front and Y on back. Player 1 sees X and rotates by X. Player 2 sees Y and rotates by Y.

Create one ticket for each column:

X 0 0 0 1 1 1 2 2 2 3 3 3 Y 1 1 0 0 0 3 3 3 2 2 2 1 X + Y 1 1 0 1 1 0 1 1 0 1 1 0

Y = 3 X = 2

Y = 3 Knowing only X (or Y) gives no info about X + Y. I(X; X + Y) = 0 I(Y; X + Y) = 0

SLIDE 58

Answer 3: “PlayerPerm-Model”

17

2015-12-03 Koch, Walzer - Card-based Cryptographic Protocols Using a Minimal Number of Cards

Each random permutation performed by either player 1 or 2. Player remembers permutations she performed. Player’s permutations need not be independent.

With this we can implement:

Uniform closed shuffles (easy). Some more complicated shuffles. “Undo”-operations. A four-card AND protocol with finite runtime.

SLIDE 59

References: I

18

2015-12-03 Koch, Walzer - Card-based Cryptographic Protocols Using a Minimal Number of Cards