Barrington Plays Cards: The Complexity of Card-based Protocols
BBarrington Plays Cards: The Complexity ofCard-based Protocols
Pavel Dvořák
Charles University, Prague, Czech [email protected]ff.cuni.cz
Michal Koucký
Charles University, Prague, Czech [email protected]ff.cuni.cz
Abstract
In this paper we study the computational complexity of functions that have efficient card-basedprotocols. Card-based protocols were proposed by den Boer [6] as a means for secure two-partycomputation. Our contribution is two-fold: We classify a large class of protocols with respect tothe computational complexity of functions they compute, and we propose other encodings of inputswhich require fewer cards than the usual 2-card representation.
Theory of computation → Computational complexity andcryptography
Keywords and phrases
Efficient card-based protocol, Branching program, Turing machine
Funding
The authors were supported by Czech Science Foundation GAČR (grant
Acknowledgements
We thank Václav Blažej for suggesting how to use face-up cards to emulate redand blue card backs.
Card-based protocols were proposed by den Boer [6] as a means for secure two-partycomputation. In this scenario, we have two players — Alice and Bob — who hold inputs x and y respectively. Their goal is to securely compute a given function f on those inputs. Bysecure computation, we mean that the players learn nothing from observing the computationexcept for what is implied by the output f ( x, y ). Den Boer introduced a model where theinputs x and y are encoded by a sequence of playing cards and the players operate on thecards to compute the function. They can use additional cards for computation. In particular,den Boer showed how to securely compute AND of two bits using five cards in total.Niemi and Renvall [17] extended the results to show how to compute arbitrary Booleanfunction f . They represent each input bit by two face-down cards: 1 is represented as ♥♣ ,and 0 as ♣♥ . They use the same representation throughout the computation and show howto securely compute AND of bits encoded in this representation with the outputbeing encoded in the same way. Since NOT can be obtained by swapping the two cardsrepresenting a given bit this allows them to compute any function. They can evaluate anyBoolean circuit on the inputs by a protocol of length proportional to the size of the circuitand using a number of auxiliary cards that corresponds to the width of the circuit.Nishida et al. [18] reduced the number of auxiliary cards to 6 for any Boolean function.For most functions, the protocol will be of exponential length as it essentially evaluates theDNF of f . Several other works studied the number of cards necessary for computing variouselementary functions such as AND and XOR [7, 11, 9, 8, 18, 20, 16, 13, 15, 11, 1, 9].Motivated by the question what can be efficiently computed by such protocols and howmany cards one needs to compute various functions, in this work, we investigate efficient protocols that are protocols of polynomial length. Our contribution is two-fold: We classify a r X i v : . [ c s . CC ] O c t Barrington Plays Cards a large class of protocols with respect to the computational complexity of functions theycompute, and we propose other encodings of inputs which require fewer cards than the 2-cardrepresentation. We summarize our results next: We show that oblivious protocols of polynomial length that do not modify their input(they are read-only ) and use only a constant number of auxiliary cards compute precisely thefunctions in NC , the class of functions computed by Boolean circuits of logarithmic depth.(Alternatively, NC is the class of functions computed by Boolean formulas of polynomialsize.) By oblivious protocol we mean a protocol whose actions depend only on the currentvisible state. Oblivious read-only protocols of polynomial length with a logarithmic number of auxiliarycards correspond to the class of functions computable by polynomial-size branching programs.(This class is also known as L /poly , the non-uniform version of deterministic log-space.) We also investigate protocols that use a constant number of auxiliary cards but areallowed to use the cards representing the input for their computation provided that theyguarantee that by the end of the computation the input will be restored to its original value.We show that such protocols can compute functions that are believed to be outside of NC .For example, they can compute languages that are complete for NL , the non-deterministiclog-space. Hence, read-only protocols are presumably weaker than protocols that may modifytheir input. We study alternative encodings of inputs that are more efficient that the 2-card encoding.We look at 1-card encoding where 1 is represented by ♥ and 0 by ♣ . In this encoding, Aliceand Bob need only one card per bit to commit the bit. We show similar complexity resultsfor this encoding as for the 2-card encoding: read-only protocols with a constant number ofauxiliary cards are NC , with a logarithmic number of cards it is the non-uniform log-space,and if we allow using the input cards for computation we get potentially more powerfulprotocols.A disadvantage of the 1-card protocol is that it still needs a supply of n cards ♥ and n cards ♣ to represent any n -bit input. Although, if one restricted his attention to inputs thatcontain the same number of 1’s and 0’s, it would suffice to have n/ ♥ and n/ ♣ . Such inputs form a substantial fraction of all n -bit inputs, they are Θ(2 n / √ n ) many. We propose a new 1 / n/ ♥ and n/ ♣ to represent any n -bit input. The 1 / ♥ -cards and one halfof the ♣ -cards. There is an empty space left instead of each removed card. There is a wayfor each player to encode his input so that the other player learns no information about theopponent’s input. We show that using this encoding we can simulate any read-only protocolthat uses 2-card encoding. Hence, any NC function on n bits can be securely computedusing only n + O (1) cards, counting also the input cards. We do not know how to securelyperform protocols for 1 / As mentioned above, a study of card-based protocols was started by den Boer [6] whointroduced a secure 5-card protocol for computing AND. However, this protocol does notproduce output in a face-down 2-card format, thus it can not be used for designing protocolsfor arbitrary function. Since then a lot of work was done in improving AND protocols andother primitive functions. Crépeau and Kilian [5] provided a 1-party card-based protocolwhere the player can pick a random permutation π with no fixed point and the player has no . Dvořák and M. Koucký 3 information about π . Their technique can be used for designing a 2-party computation ofa general function. Niemi and Renvall [17] introduced an AND protocol, which takes twobits b , b represented in the 2-card format as input and outputs two cards which represent b ∧ b in face-down 2-card format. They also introduced a protocol for copying a bit in the2-card format, which is used during simulation of circuits. Their protocols with a protocol forNOT (which is trivial) can be used for computing any Boolean function f and the number ofused cards is at most linear in the size of a circuit (using AND and NOT gates) computing f . They also introduced a protocol to copy a single card with almost perfect security – thecard suit is revealed only with a small probability. Such protocol cannot exist with perfectsecurity as was proved by Mizuki and Shizuya [14]. The copying and AND protocols werefurther improved and simplified in [20, 16, 13, 15, 11, 1, 9].Nishida et al. [18] proved that any Boolean function f : { , } n × { , } n → { , } canbe computed with 4 n cards encoding the input and 6 additional helping cards. Mizuki [12]proved that 2 n + 2 is needed to compute AND of n bits. Francis et al. [7] provided protocolsand tight lower bounds on the number of cards needed for computing any two-bit inputtwo-bit output function. Other lower bounds for AND of 2 bits and of n bits in variousregimes were provided by Koch et al. [11, 9] and by Kastner et al. [8].The security of card-based protocols is provided by shuffling the cards — one playershuffles the cards (applies some random permutation to them) in a way so that the otherplayer has no information about the new order of shuffled cards. Koch et al. [11] provided a4-card AND protocol. However, they used a non-uniform distribution for picking a randompermutation, which is difficult to perform by humans. Nishimura et al. [19] suggested an“easy-for-human” procedure how to apply a shuffling permutation picked from a non-uniformdistribution using envelopes.One can distinguish two types of attack. Passive: honest-but-curious player – she follows the protocol but she wants to retrieve asmuch information as possible about the other player input. Active: malicious player – she can deviate from the protocol.Koch and Walzer [10] proved that if a passive-secure protocol Π uses only uniform closedshuffles (each shuffling permutation is picked uniformly from some permutation group) thenthe protocol Π can be transformed into an active-secure protocol.
In this section we define card-based protocols which securely compute some Boolean functionon a joint input of Alice and Bob. Alice gets an input x ∈ { , } n and Bob gets an input y ∈{ , } n , and their goal is to compute f ( x, y ) for some function f : { , } n × { , } n → { , } ,while not revealing anything about their input to the other player. The protocol proceedsfirst by Alice and Bob committing their input into a sequence of cards, and then operatingon the cards together with some auxiliary cards. At the end of the protocol, the playerslearn the output f ( x, y ).In this section we consider the usual of the input, where each input isrepresented as a sequence of cards, two cards per bit: value 1 is represented by ♥♣ andvalue 0 is represented by ♣♥ where the cards are put face-down on the table. Hence eachplayer needs 2 n cards to commit his input. All the cards have the same back, say blue. Inthe beginning, face-down cards representing the player inputs are in front of the players.Between them, there is a deck of s prescribed auxiliary cards of ♥ and ♣ . There is available Barrington Plays Cards some empty space on the table to operate with the cards. We assume that the cards areplaced on the table in some specific positions (locations), numbered 1 , . . . , m , where:1 , . . . , n are positions of Alice’s input cards,2 n + 1 , . . . , n are positions of Bob’s cards,4 n + 1 , . . . , n + s are the initial positions of the helping cards in the deck,4 n + s + 1 , . . . , m are initially empty positions.We call the positions 1 , . . . , n as the input positions and the remaining positions as the work space . We say a position is occupied if there is a card on it, otherwise, it is empty . Wedenote an empty position by × . Let q = m − n denote the amount of the work space. Weassume q = O ( s ). Thus, there are 4 n + s cards on the table and 4 n + q = m positions.The players can move their input cards and cards from the deck to the work space andback. Formally, the basic actions which can be executed by the players are: Move( p, i, j ) : The player p moves a card from the position i to position j . Shuffle( p, T, Γ ) : The player p applies a random permutation from Γ to the cards on thetable on positions T ⊆ { n + 1 , . . . , m } . Turn( p, i ) : The player p turns the i -th card on the table face-up if it is face-down, and viceversa.The protocol specifies which action to take next based on the sequences of visible statesseen on the table so far. The current visible state of the table is what an external viewercould observe, that is which positions are currently occupied and what is the top of eachcard laying on the table. If there are c distinct cards then there are at most ( c + 2) m distinctvisible states. Hence, based on the sequence of visible states from the beginning of thegame the protocol specifies which action to take next or whether to end. In the end, theprotocol specifies which cards represent the output of the run of the protocol. (They mightbe face-down.) We say the protocol Π computes a function f : { , } n × { , } n → { , } iffor all inputs x, y ∈ { , } n , on the inputs x and y the protocol outputs f ( x, y ). The lengthof the protocol is the maximum number of actions executed by the protocol over all inputs( x, y ) ∈ { , } n × { , } n and all possible outcomes of shuffling. We say that a protocol is oblivious if the action executed next depends only on the current visible state and the numberof actions taken so far.The shuffling operation provides randomness for the execution of the protocol. Hence,the sequence of visible states the protocol passes through is a random variable. We will saythat a protocol is secure if for any pair of inputs ( x, y ) and ( x , y ) to Alice and Bob, where f ( x, y ) = f ( x , y ), the distribution of the sequence of visible states of the protocol on inputs( x, y ) and ( x , y ) is the same. Notice, that this implies that neither of the players learnsanything about the input of the other player except for what is implied by f ( x, y ).Often we will be interested in protocols that provide their output encoded in face-downcards. In such a scenario we will require for the security of the protocol that the distributionsof visible states during the protocol will be identical for all input pairs ( x, y ).We say the protocol is robust if a cheating player, that is a player who deviates from theprotocol, is either caught by reaching an invalid visible state (where cards have unexpectedvalues or positions) or the distribution of visible states does not leak any information aboutthe other player input except for what would be leaked by honest players. In particular, ifsay Bob is cheating and Alice is honest, for a robust protocol we require that for any input x of Bob and any two inputs y, y to Alice, where f ( x, y ) = f ( x, y ), the distribution of thesequence of visible states during the game on inputs ( x, y ) and ( x, y ) is the same. We willbe designing only robust oblivious protocols. . Dvořák and M. Koucký 5 We say the protocol is read-only if the value of cards placed on the input positions1 , . . . , n is always the same whenever a position is occupied.Let s - SP be the class of function families { f n : { , } n × { , } n → { , }} n ≥ for whichwe have a sequence of secure read-only oblivious protocols, one for each n , which are oflength polynomial in n , with deck size s and work space size 2 s . (At the beginning the first s work space positions are occupied by the deck of cards, and the remaining s positionsare empty). We might allow s to be a function of n . We define SP = S s ≥ s - SP . That is afunction belongs to SP if it has polynomial length protocols which use a constant number ofauxiliary cards and constant size work space. A branching program B for a Boolean function f : { , } n → { , } is defined as follows. Itconsists of a directed acyclic graph G such that each vertex has out-degree either 2 or 0. Theset of edges E of the graph G is split into two sets, zero-edges E and one-edges E , in sucha way that every vertex v of out-degree 2 is incident to exactly one outgoing zero-edge andexactly one outgoing one-edge. Each vertex of out-degree 2 is labeled by an index ‘ ∈ [ n ].A branching program B is layered if the vertices are partitioned into layers L , . . . , L d .The edges go only from a layer L i to a layer L i +1 (for all i < d ). Vertices of out-degree 0 areexactly vertices in the layer L d . The number of layers d is the length of B and the width w of B is the maximum size of its layers, i.e., w = max i | L i | .A layered branching program is oblivious if vertices in the same layer have the same label.A branching program is a permutation branching program if each layer has exactly w verticesand for every two consecutive layers L j and L j +1 zero-edges and one-edges form matching M j and M j , respectively. We can view the matchings M j and M j as two permutations π j , π j : [ w ] → [ w ]. Note that we can rearrange all layers such that all permutations π j areidentities.One vertex of in-degree 0 is an initial vertex ¯ v . Some vertices of out-degree 0 aredenoted as accepting vertices. The computation of a branching program B on an input string x ∈ { , } n proceeds as follows. It starts in the initial vertex ¯ v which is the first active vertex.Suppose v is an active vertex and ‘ ∈ [ n ] is the label of v . If the out-degree of v is 2, then thenext active vertex is determined by the zero- or one-edge according to the value of x ‘ . Moreformally, let e = { v, v } be the edge in E x ‘ . Then, the vertex v is the new active vertex.We repeat this procedure until a vertex u of out-degree 0 is reached. An input x ∈ { , } n is accepted if and only if u is an accepting vertex. The branching program B computes afunction f : { , } n → { , } if it accepts exactly those x ∈ { , } n such that f ( x ) = 1.The class of functions PB contains all the functions computable by layered branchingprograms of constant width and polynomial length. A permutation branching programis restricted if it has exactly one accepting vertex v acc and exactly one rejecting vertex v rej in the last layer L d . The computation of a restricted permutation branching programends always in the vertices v acc or v rej and it accepts an input if it ends in the acceptingvertex v acc . A class w - PBP contains Boolean functions which are computable by restrictedpermutation branching programs of width w and polynomial length. We use the famousBarrington’s theorem [2], which says that constant-width (permutation) branching programsare as powerful as NC -circuits. (cid:73) Theorem 1 (Barrington [2]) . PB ⊆ NC ⊆ - PBP . Barrington Plays Cards
In this section, we prove one of our main theorems that read-only oblivious protocols ofpolynomial length that use constant work space compute the same functions as polynomial-size constant-width branching programs. (cid:73)
Theorem 2. SP = NC . To simulate a branching program by SP -protocol we need an oblivious implementationof copying a bit in the committed 2-card format. We use a procedure by Stiglic [20]. It isstraightforward to implement the procedure to be oblivious. We include the proof for thesake of completeness. (cid:73) Theorem 3.
There is a secure oblivious protocol that takes a bit b in 2-card representationplaced in the work space and produces two 2-card copies of the bit in the work space. Theprotocol needs an auxiliary deck with three cards ♥ and three ♣ with the same back as theinput bit. Proof. 1.
Alice arranges the cards from the auxiliary deck face-up to create the followingconfiguration.? ? |{z} b ♥♣♥♣♥♣ She turns the last six cards. Both, Alice and Bob, apply a random cyclic shift (denotedby h , i ) to them.? ? |{z} b h ? ? |{z} b ? ? |{z} b ? ? |{z} b i They apply a random cyclic shift to the first four cards. h ? ? ? ? i ? ? |{z} b ? ? |{z} b She turns the first four cards face-up. a. If the sequence is alternating (i.e., ♥♣♥♣ or its shift) then b = b . Thus, the last 4cards represent two copies of b . ♥♣♥♣ ? ? |{z} b ? ? |{z} b b. Otherwise (i.e., ♥♣♣♥ or its shift) then b = 1 − b . Thus, the last 4 cards representtwo copies of negation of b . In that case, she switches the fifth with the sixth card andthe seventh with the eighth card to represent two copies of b as well. ♥♣♣♥ ? ? |{z} − b ? ? |{z} − b Alice and Bob might want to turn over and shuffle the first four left-over auxiliary cardsafter step 4. The last four cards represent two copies of b face-down in the 2-card format.To make the protocol oblivious we must implement both 4.a) and 4.b) by the samenumber of actions. To do so we include additional actions in 4.a) which have no effectsuch as shuffling a single card. . Dvořák and M. Koucký 7 It is clear the described protocol is secure. The only step where they can gain someinformation about b is Step 4, when Alice turns some cards. However, the cyclic shiftsin Steps 2 and 3 were done by both players. Thus, Alice reveals the alternating sequence( ♥♣♥♣ ) in Step 4 with the probability exactly (independently on the value of b ) even ifone of the players would be cheating. Thus, the protocol is secure. (cid:74) To prove NC ⊆ SP we use as the first step Barrington’s theorem [2]. By Barrington’stheorem, each function f : { , } n × { , } n → { , } from NC can be computed by apolynomial length width-5 restricted permutation branching program. We will build aprotocol that simulates the actions of the branching program layer by layer. We will keeptrack of the image of the initial vertex of the branching program. For that, we will use fivecards ♥♣♣♣♣ , where the position of ♥ corresponds to the image of the initial vertex (theactive vertex), and we will apply the permutations prescribed by the branching program onthose five cards. If the input variable assigned to a particular level of the branching programis set to 1 we are expected to perform the permutation otherwise we are supposed to donothing, i.e., apply the identity permutation. Any permutation can be decomposed into asequence of simple transpositions (swaps) so we will use swaps conditioned by the inputvariable to either permute the five cards or leave them the way they are. We will implementthe following primitive: Alice and Bob want to conditionally swap two cards α, β accordingto the value of bit b represented in the face-down 2-card form in the work space withoutrevealing the value of b . They also want to make sure that if b = 1 the swap occurs and if b = 0 the swap does not occur. (cid:73) Theorem 4.
Let ˜ α, ˜ β be two sequences of face-down cards of the same length in the workspace, and let γ δ be a face-down 2-card representation of b in the work space. There is asecure oblivious protocol such that during the protocol players swap the sequences α and β ifand only if b = 1 . The protocol uses two auxiliary cards ♣ . Proof.
The swapping protocol works as follows. Alice rearranges the input cards together with two auxiliary face-up cards ♣ as follows: ♣ γ ˜ α ♣ δ ˜ β Thus, if b = 0 we have ♣♣ ˜ α ♣♥ ˜ β and if b = 1 we have ♣♥ ˜ α ♣♣ ˜ β . The players do notknow which situation are they in. Both, Alice and Bob, apply a random cyclic shift to the cards, e.g.:˜ α ♣ δ ˜ β ♣ γ Alice turns the cards γ and δ representing b face-up. She knows what cards to turn,as the cards γ and δ are preceded by ♣ face-up. At the end she reorders the sequence(keeping the cyclic order) so that ♣♣ are the first cards, e.g.:˜ α ♣♥ ˜ β ♣♣ → ♣♣ ˜ α ♣♥ ˜ β If b = 0 then γδ = ♣♥ and the sequences ˜ α ˜ β are not swapped. On the other hand if b = 1 then γδ = ♥♣ and the sequences are swapped.Note that the cards in ˜ α and ˜ β are face-down during the whole protocol. It is also clear thatthis is a secure and robust protocol, and it can be implemented obliviously. In Step 3 thecards δ and γ representing the bit b are revealed. However, because of random cyclic shiftsin Step 2 (again done by both players), these cards are in the order ♥♣ with probability ,independently of the value of b . Thus the swapping protocol is secure. (cid:74) Barrington Plays Cards
Now we are ready to prove the first inclusion of Theorem 2. (cid:73)
Theorem 5. - PBP ⊆ SP . Proof.
Let f : { , } n × { , } n → { , } be a function in 5- PBP . Then, the function f canbe computed by a branching program P with the following properties: Each layer has exactly 5 vertices. The input vertex is the first vertex in the first layer.The computation ends either in the accepting vertex v acc or in the rejecting vertex v rej . The permutation from each layer i to the layer i + 1 corresponding to 0 is the identity.Alice and Bob represent the first layer as ♥♣♣♣♣ , each card represents one vertex in thelayer. The card ♥ represents the active vertex in the layer (the initial vertex in the firstlayer). We call these 5 cards the program cards . Alice and Bob put the program cards at thework space and turn them face-down. Alice and Bob simulate the program P layer by layer.They apply permutations determined by P to the program cards according to the player’sinput bits. Suppose we have a representation of the active vertex in the i -th layer and wewant to calculate the active vertex at the ( i + 1)-th layer. Without loss of generality thelabel of the i -th layer is Alice’s bit x ‘ (otherwise the roles of Alice and Bob are reversed).Thus, we want to apply some permutation ρ i ∈ S to the program cards if x ‘ = 1 and keepthe order of the program cards if x ‘ = 0.We decompose the permutation ρ i into transposition τ ◦ · · · ◦ τ r . For j = 1 , . . . , r , Alicewill apply the transposition τ j to the program cards. She runs the protocol Γ of Theorem 3to get cards γ, δ representing her bit x ‘ in the work space. More formally, after the executionof Γ , there are two pairs of cards such that each pair represent the bit x j in the 2-cardformat. She puts one pair back to the input positions, i.e., the protocol Π is indeed read-only.We denote the cards of the second pair as γ and δ . Alice will use them for a conditionalswap. She runs the protocol Γ given by Theorem 4 (applied to the cards γ, δ and to thetwo program cards which should be affected by the transposition τ j ). That is, Alice swapsthe two cards that τ j is acting on if and only if x ‘ = 1. After applying this procedure for alltranspositions τ , . . . , τ r , the permutation ρ i got applied to the program cards if and only if x ‘ = 1 (otherwise the order of the program cards does not change).Alice and Bob repeat this procedure for each layer of the branching program. Let α bethe card representing the accepting vertex v acc and β be the card representing the rejectingvertex v rej at the end of the simulation. The cards α, β represent the output of the program.If the input is accepted, then the accepting vertex v acc is active at the end of the simulationand thus the card α has suit ♥ and the card β has suit ♣ . Thus, the cards α, β represent 1.On the other hand, if the input is rejected, then the rejecting vertex v rej is active. Thus, thecards α, β have suits ♣ and ♥ , respectively, and they represent 0.The protocol Π is clearly SP -protocol as the players only sequentially apply the copyingprotocol Γ and the swapping protocol Γ to the program cards. We claim the simulationprotocol Π is secure. Both protocols Γ and Γ are secure. The only helping cards which areused during the whole run of the protocol Π are program cards which are placed face-upfrom the deck and then turned face-down for the rest of the protocol. (cid:74) Now we prove the opposite inclusion of Theorem 2. (cid:73)
Theorem 6. SP ⊆ PB . Proof.
Consider a family of functions { f n : { , } n × { , } n → { , }} n ≥ for which wehave a sequence of secure read-only oblivious protocols, one for each n , which are of lengthpolynomial in n , with deck size s and work space size 2 s . Let c be the number of different . Dvořák and M. Koucký 9 cards used by the protocol. At any moment, the work space can be in at most (2 c + 1) s different states which we call the internal states of the protocol. For any n ≥ c + 1) s branching program of the same length T n as the protocol for f n . Eachlayer of the branching program consists of vertices where each vertex corresponds to oneinternal state of the protocol. We need to define edges between the layers of the branchingprogram.Let v be a vertex at layer t ∈ { , . . . , T n − } . It corresponds to some internal statewhich in turn determines a visible state that together with t determines the action takenby the protocol at such a state. We define the edges based on the type of that action. Ifthe action is a move of a card from some input position into the work space then node v queries the value of the corresponding input variable and the outgoing edges lead to nodescorresponding to internal states that reflect a move of the card into the work space. If theaction is a shuffle operation then node v queries variable x and irrespective of its value bothoutgoing edges go to the node in the next layer corresponding to the internal state obtainedby applying one of the allowed permutations. (The particular choice of the permutation doesnot matter.) Similarly, for a move of a card within the work space or out from the workspace, the edges will go into a node that reflects the internal state after the move. In the lastlayer, we designate vertices that correspond to accepting states of the protocol as acceptingall other nodes will be rejecting.It should be clear from the construction that the resulting branching program computes f n and has the required properties. (cid:74) Theorem 2 is a corollary of Theorems 5 and 6 and Barrington’s theorem (Theorem 1).
In this section, we will look at computation that obliviously and securely computes oncommitted inputs in 2-card representation. The exact split of the input between Alice andBob is irrelevant in this section so we assume that the total length of the input is n bits.The protocols are expected to preserve the committed inputs: Although they may be allowedto modify the committed input during the computation, by the end of the computationthe committed input must be restored to its original form. The protocols do not leak anyinformation about the committed inputs except for what can be derived from the outputcards if they are inspected. The protocols can be carried out by either player. To guaranteerobustness and security shuffle operations should be always done by both players. (We useonly uniformly random shuffle and random cyclic shift so performing them twice does notchange their output distribution.) (cid:73) Theorem 7.
Let s ( n ) ≥ log n be a non-decreasing function. Let f be a function computableby a Turing machine in space s ( n ) . Then f is in O ( s ( n )) - SP . Let
SEL : { , } n → { , } be the function such that SEL ( c, b, a ) = a if c = 0 and SEL ( c, b, a ) = b otherwise. Proof.
We describe the algorithm for the protocol in high-level form and leave details ofthe construction to the interested reader. Let f be computable by a Turing machine M .Without loss of generality, we assume M uses a binary alphabet, on inputs of length n it useswork space exactly s ( n ) bits and computes for t ( n ) steps. The output of M is determined bythe first bit of its work tape. We will simulate the computation of M step by step. The protocol will use 8 s ( n ) + 4 log n + O (1) auxiliary cards. Two blocks w and w willrepresent 2 s ( n ) bits, each, and two blocks p and j will represent log n bits each. In additionto that there is a block q of O (1) bits, and some additional auxiliary bits. We need a constantnumber of positions to be empty. All the bits are encoded in 2-card representation. Theblock w represents the content of the work tape of M , 2 bits per tape cell, where the secondbit indicates the presence of the work tape head on that particular tape cell. The block p encodes in binary the current position of the input head of M . The block q encodes theinternal state of M .The protocol simulates one step of M as follows: first, it determines the value b of thebit scanned by the input head, then it calculates into w the content of the work tape of M after this step. Then it updates the internal state, the input head position p , and switches w and w .To determine b the protocol looks at each input bit x i one by one and records the onethat has an index corresponding to p . Set b to 0. For i = 1 , . . . , n , the protocol copies x i intosome work space b , it sets j to represent i , obliviously compares p and j while recording theresult into c . (Comparing bit strings can be done by an NC circuit so there is an obliviousprotocol for that of poly-logarithmic length.) From c , b and b we can calculate the newvalue of b by evaluating SEL ( c, b, b ). This can be done obliviously. After processing all theinput bits, b has the value of the currently scanned input bit.Now, we can determine w , the content of the work tape of M after this step of thecomputation. We compute w cell by cell. The value of each cell is a function of the inputbit b , M ’s state q , and the previous content of the cell in w together with the content ofadjacent cells. Hence, the value of each bit of w is a function of constantly many bits andcan be computed obliviously.After computing w , we can also calculate d , the direction in which the input head of M should move, and the new state q of M . This can be done by scanning w for the work tapeposition, and recording the relevant information for q and d when we pass over the currentwork cell similarly to determining the value of the input bit b .From p and d , we obliviously calculate the next position of the input head into j . (Eachbit of j can be computed by an NC circuit from p and d .) Finally, we switch the contents of w and w , p and j , and q and q .We repeat this procedure t ( n ) times. In the end, the first bit of w indicates the output of M . As each step of the computation can be implemented securely, obliviously, and robustly,we obtain a secure, oblivious, and robust protocol for f that uses O ( s ( n )) work space and O ( s ( n )) auxiliary cards. (cid:74) As the card-based protocols allow for non-uniformity by protocols using O (log n ) workspace we can simulate not only log-space Turing machines but also polynomial-size branchingprograms (the non-uniform log-space ). The above proof can be extended to Turing machinestaking advice: the protocol can provide the advice bit by bit during the phase when theinput is scanned bit by bit to determine b . (We assume that the advice is provided to theTuring machine on bit positions with index > n . For those positions instead of copying thenon-existent input bits, the protocol hardwires the appropriate bit into b . As the advice isthe same for each input, this can be done publicly.)By essentially the same proof as Theorem 6 we can obtain a simulation of oblivious, read-only secure protocols that use a logarithmic amount of work space by branching programs ofpolynomial size. Let O (log n )- SP = S k ( k + k log n )- SP . We get: . Dvořák and M. Koucký 11 (cid:73) Theorem 8.
The class of functions computable by polynomial-size branching programsequals to O (log n ) - SP . So far we have looked only at read-only protocols. If we remove the condition to be read-onlywe get a potentially larger class of functions computable by such protocols. When theprotocol is not read-only, we still require the protocol to restore its input into the originalstate by the end of the computation. We also require the protocol to be secure so not to leakany information about the input except for what is implied by the protocol output cards.We give examples of functions that can be computed by protocols modifying their inputwhich we conjecture are outside of the read-only protocol class with similar bound on thework space. Proving this conjecture would amount to separating NC from log-space, a majoropen problem in complexity theory.Let s ( n ) be a non-decreasing function such that log n ≤ s ( n ) ≤ n/ ∗ n . Let g : { , } n → { , } be in NC , and h : { , } n − s ( n ) log ∗ n → { , } be a function computable by aTuring machine in space O ( s ( n )) and polynomial time. Define f : { , } n → { , } as follows: f ( x ) = (cid:26) g ( x ) if x n +1 − s ( n ) log ∗ n · · · x n = 0 · · · ,h ( x · · · x n − s ( n ) log ∗ n ) otherwise. (cid:73) Theorem 9.
The function f defined above is computable by secure robust oblivious protocolsof polynomial length that use a constant amount of work space. Proof.
The protocol for f proceeds as follows. It first computes the OR of the input bits x n +1 − s ( n ) log ∗ n · · · x n using a protocol for NC functions where the output c of the protocolis encoded in 2-card representation in its work space. Then it computes the value g of g ( x )encoded in 2-card representation in the work space. Finally, it uses the cards representinginput bits x n +1 − s ( n ) log ∗ n · · · x n to simulate the computation of a Turing machine for h asin the proof of Theorem 7. The simulation is done so that if c = 1 then nothing is doneto the input (the simulation is vacuous) and if c = 0 the simulation is really happening.The simulation uses the input bits x n +1 − s ( n ) log ∗ n · · · x n to store w, w , p and j (from thesimulation), everything else is done in the actual work space of constant size. Whenever thesimulation wants to write some value a into an input position used for the simulation, it copiesthe value into the work space, it copies there the current value d of the destination position,computes SEL ( c, a, d ) and replaces cards in the destination by the output of SEL ( c, a, d ).(Hence, if c = 0 nothing has happened.) Reading a value can be done by copying theparticular bit into the work space and then working with the copied cards. This way theinput is undisturbed if c = 1 and it is overwritten if c = 0. At the end of simulation, theprotocol copies the output bit h , which is the first bit of w into the actual work space, andwrites value 0 to all input bits x n +1 − s ( n ) log ∗ n · · · x n conditionally on c = 0. (Bit values readfrom the storage, taking part in the vacuous computation, will be the same throughoutthe computation. So the simulations of the NC circuits implementing various steps of thecomputation will be secure.)Finally, the protocol computes SEL ( c, h, g ) which is the output of the protocol. All partsof the protocol can be done securely and obliviously. (This is true also when c = 0 and thesimulation of the Turing machine is bogus.) The protocol restores its committed input bythe end of the computation. (cid:74) One can also use the technique of catalytic computation to construct protocols forfunctions not know to be in NC . Buhrman et al. [3, 4] show how to use memory which contains some information for computation while restoring the memory to its original contentby the end of the computation. For example, they can solve the connectivity on directedgraphs this way, the problem CONN ( G ): Given an n × n adjacency matrix of a directed graph G decide whether there is a path from vertex 1 to vertex n . They present a polynomial-sizeprogram for CONN ( G ), which uses 3 n + 1 work registers and n input registers, each holdingone bit of information. The program consists of instruction of the form r i ← r i ⊕ u · v, where u and v are arbitrary registers different from r i or constants 0 and 1. The programis oblivious, so it is a straight line program consisting of such instructions. The programhas the property that all registers are guaranteed to have the initial value by the end of thecomputation except for one specified work register which contains the output value. It isstraightforward to implement each such an instruction by secure and robust protocol sincethe instructions are computable in NC .This allows to design an oblivious, secure protocol of polynomial length with constantwork space for a function f : { , } n → { , } that is defined as: f ( G , G , G , G ) = 1 ifand only if from the vertex 1 we can reach the vertex n in each of the graphs represented byadjacency matrices G , G , G and G . Such a function is unlikely to be contained in NC ,as CONN ( G ) is known to be complete for nondeterministic log-space computation. Hence,it is unlikely that protocols that are allowed to modify their input could be simulated byread-only protocols using similar resources. In this section, we consider other ways how Alice and Bob can commit their input which usefewer cards. The first natural encoding is to represent each bit 1 by face-down card ♥ andbit 0 by ♣ . These cards would be stored in front of the players in input positions 1 , . . . , n .Whenever the players want to operate with the committed bit they need to extend it to2-card representation.There are two ways we know how to do it. Niemi and Renvall [17] gave a protocol that isable to extend the bit without knowing its value. However, there is a small probability ofleaking the value of the bit being extended. The probability is inversely proportional to thenumber of cards used for the protocol. Hence, one would need a large number of helpingcards in order to make sure that the probability of leaking information is negligible. Thatwould erase any savings from the 1-card representation.The other way which we use here is to allow the player who owns the particular inputbit to extend it using a designated deck of two face-down cards ♣ and ♥ . Once the bit isextended it can be copied by the protocol from Theorem 3, the first card of the first copy canbe put back in the input position, the second card can be put back into the auxiliary deck,and the second copy can be used for further computation. The auxiliary deck containing thesame cards as earlier should be shuffled by both players at the end of this procedure. Theprotocol is robust since a player cheating by extending the input bit by a wrong card will becaught in Step 4 of the copying protocol.For this procedure, we need to augment our set of actions by the action of extendinga bit by a complementary card from a designated deck. This action can be performed byshuffling the auxiliary deck, then peeking at the value of the card we are extending, andselecting the complementary card by peeking at each card in the deck. . Dvořák and M. Koucký 13 With this operation in mind, we need to extend the definition of protocol security. Wesay a protocol is secure from Alice if for any pair of inputs ( x, y ) and ( x, y ) to Alice and Bob,the distribution of the sequence of visible states of the protocol together with the sequenceof cards seen by Alice while peeking at them during the extension action on inputs ( x, y )and ( x, y ) is the same. Similarly, the protocol is secure from Bob if for any pair of inputs( x, y ) and ( x , y ) to Alice and Bob, the distribution of visible states and cards peeked at byBob will be the same on both inputs ( x, y ) and ( x , y ). The protocol is secure if it is securefrom both Alice and Bob.Using the extension action we can perform all read-only protocols that used the 2-cardbit commitment of inputs even for inputs committed in 1-card representation. They will besecure as long as the player performing each extension is the owner of the input bit as seeinghis/her input bits does not affect the security definition. Hence, the power of the model staysessentially the same with this modification.Security becomes more of an issue for protocols that are allowed to modify their inputs.Yet, we can prove a result similar to Theorem 9 for slightly modified function f . Let g : { , } n → { , } be in NC , and h : { , } n − s ( n ) log ∗ n → { , } be a function computableby a Turing machine in space O ( s ( n )) and polynomial time, where log n ≤ s ( n ) ≤ n/ ∗ n ..Define f : { , } n → { , } as follows: f ( x ) = (cid:26) g ( x ) if x n +1 − s ( n ) log ∗ n · · · x n = 0101 · · · ,h ( x · · · x n − s ( n ) log ∗ n ) otherwise.We assume s ( n ) log ∗ n is even, and the first half of x n +1 − s ( n ) log ∗ n · · · x n is held by Aliceand the other half by Bob. The other bits can be split between the players arbitrarily. (cid:73) Theorem 10.
The function f defined above is computable by secure robust obliviousprotocols of polynomial length that use a constant amount of work space and 1-card encodingof input bits. Proof.
The protocol for f proceeds similarly to the one in Theorem 9. It first verifieswhether the input bits x n +1 − s ( n ) log ∗ n · · · x n differ from 0101 · · ·
01 (assuming their number iseven) using protocol for NC functions. The output c of the verification is encoded in 2-cardrepresentation in the work space. Then the protocol computes the value g of g ( x ) encoded in2-card representation in the work space. Up until this point, we use the protocol describedabove to extend input bits into 2-card representations by the player who owns the input bit.Now we want to use the cards representing input bits x n +1 − s ( n ) log ∗ n · · · x n to simulatecomputation of a Turing machine M for computing h = h ( x , . . . , x n − s ( n ) log ∗ n ) as in theprevious proofs. We will use these input cards for storage when c = 0 and when c = 1 we willkeep them intact. In the former case, we will eventually reset the input bits/cards to the initialstate. Let I be positions of cards which represent bits x · · · x n − s ( n ) log ∗ n at the beginning ofthe protocol. Thus, the cards on the positions I represent (in the 1-card encoding) the inputfor M . These cards will be in a read-only regime during the whole computation. Let J bethe positions of cards representing x n +1 − s ( n ) log ∗ n · · · x n . The cards on J will represent in2-card encoding the content of tapes of M during the computation. Thus, | J | = s ( n ) log ∗ n but the cards on J will represent s ( n ) log ∗ n bits. As x n +1 − s ( n ) log ∗ n · · · x n = 0101 · · ·
01 (if c = 0), the cards on J represent s ( n ) log ∗ n zeros at the beginning of the protocol.The simulation proceeds in a similar way as the simulation in proof of Theorem 9. Forreading bits from I that encode the input bits to M we use the same 1-card extensionprotocol as above to copy them into work-space. Now, we need procedures that will read andwrite bits in 2-card representations from positions J . However, if c = 1 some two consecutive positions would not represent a bit correctly (the two cards on them would have the samesuit). The read/write procedures need to work and be secure even in this case. The playerscannot simply inspect the cards on positions J because they may represent some intermediateresults of the computation.First, we describe how to read a bit b encoded in J . We want to create a 2-cardrepresentation of bit b in work space if c = 0 or a valid 2-card representation of some bit if c = 1. The bit b is represented by 2 cards α, β on positions in J . Note that α and β can beof the same suit if c = 1. Suppose Alice owns the positions in J representing the bit b , thecase of Bob’s positions is symmetric. First, Alice will add complementary cards to α and β as follows. Alice prepares the sequence: ♣♣ α ♣♥ β , then she turns the second and fifth cardface-down to get a sequence ♣ ? α ♣ ? β. Bob shuffles the six cards cyclically at random. Now, Alice extends the card preceding each ♣ that is face-up (cards α and β ) by a complementary card to the right taken from anauxiliary deck. Alice sees the suit of the cards α and β during this action but she does notknow their actual order. Bob shuffles the cards cyclically again and turns face-up the cardsfollowing the two ♣ that are face-up. Now, by a cyclic shift, they rearrange the cards so thatthey look like ♣♣ αα ♣♥ ββ, where α and β are cards complementary to α and β , respectively. They can copy each of thecard pairs α, α and β, β to verify that Alice used complementary cards and the pairs α, α and β, β indeed represent two bits in 2-card encodings.By following this protocol, Alice learns whether the two cards α, β have the same suit orare distinct. If the suits are the same she also learns the suit. However, in that situation c = 1 and she already knew all this information. In the later case, she knows that the bitsat those input positions are distinct, but she knew that already. She does not learn theirrelative order because of the shuffle by Bob. Thus, she does not know whether they werealtered since the beginning of the protocol or not.To finish the read procedure, Alice copies the pair α, α (by the protocol of Theorem 3)to get two copies represented by cards α , α , α , α . She returns the cards α and β backto the positions in J from which she moved the cards α and β at the beginning. The cards α and α are used further in the computation. Other cards ( α , β ) are moved back to theauxiliary deck. If the cards α and β have different suits then the cards α , α represent thebit b , as the card α and α have the same suit. If the cards α and β have the same suit thenthe cards α , α are a valid representation of some bit b . However, in that case c = 1 andthe value of b is irrelevant for the computation. Bit values read from the storage, takingpart in the bogus computation, will be consistent throughout the computation. Thus, thesimulations of the NC circuits implementing various steps of the computation are secure.Now, we describe how to store a bit in 2-card encodings on to some positions in J . Again,suppose we want to store a bit b on to positions owned by Alice and occupied by cards γ and γ . Let α and β be cards representing b . We want a procedure that will do thefollowing. If c = 0 then the cards γ and γ are replaced by cards of the same suits as α and β , respectively. Otherwise, if c = 1 then the new cards need to have the same suitsas γ and γ . First, Alice will add complementary cards to γ and γ to get a sequence γ , γ , γ , γ (she proceeds in the same was as in the read procedure above). Let d and d be bits represented by γ , γ and γ , γ , respectively. She creates two copies of b , negates the . Dvořák and M. Koucký 15 second one, and computes a = SEL ( c, b, d ) and a = SEL ( c, − b, d ). Let δ , δ and δ , δ be cards representing a and a respectively. If c = 0 then the cards δ , δ represent the bit b . If c = 1 then the cards δ and δ have the same suits as the cards γ and γ , respectively.Thus, Alice moves the cards δ and δ into the positions of the cards γ and γ and movesthe rest of the cards to the deck.To avoid leakage of information from the way Alice picks the cards from the auxiliarydeck when picking a card of a particular suit, she proceeds as follows. She knows how manycards of that suit are in the deck. Thus, she shuffles the cards at random and then proceedsleft to right to pick one of the cards of that suit uniformly at random. To achieve that shepicks each card of the desired suit with probability 1 / ( k + 1), where k is the number ofunseen cards of the desired suit still in the deck. This process guarantees that Alice will picka card from a completely random position.In this way the protocol can use x n +1 − s ( n ) log ∗ n · · · x n to compute h = h ( x ). Afterobtaining value h it outputs SEL ( c, h, g ). (cid:74) Hence, also in the case of the 1-card representation of the input one can take advantageof the input cards to compute functions that seem unattainable with read-only protocols.
In the 1/2-card encoding we represent value 1 by either ♥× or ×♣ , and value 0 by either ♣× or ×♥ . Here × represents an empty bit position. To commit her input Alice picks n/ × in the position of ♥ ,for the remaining bits she leaves the empty spot in place of ♣ (in the 2-card encoding of thebit). This way, she uses exactly n/ ♣ and ♥ to commit her input. It is easy to verifythat for each bit there is exactly 1 / n + O (1) cards to compute any NC function on n -bitinputs.We do not know how to implement protocols which could modify their inputs. Modifyingan input bit would require either picking the empty spot in the representation at random(which could lead to using substantially more cards of each type) or reusing the cards thatare there. In the latter case we do not know how to do it without leaking information. References Yuta Abe, Yu-ichi Hayashi, Takaaki Mizuki, and Hideaki Sone. Five-card and protocol incommitted format using only practical shuffles. In
Proceedings of the 5th ACM on ASIA Public-Key Cryptography Workshop , APKC ’18, page 3–8, New York, NY, USA, 2018. Association forComputing Machinery. URL: https://doi.org/10.1145/3197507.3197510 , doi:10.1145/3197507.3197510 . David Barrington. Bounded-width polynomial-size branching programs recognize exactlythose languages in nc1.
Journal of Computer and System Sciences , 38:150–164, 02 1989. doi:10.1016/0022-0000(89)90037-8 . Harry Buhrman, Richard Cleve, Michal Koucký, Bruno Loff, and Florian Speelman. Computingwith a full memory: Catalytic space. In
Proceedings of the Forty-Sixth Annual ACM Symposium on Theory of Computing , STOC ’14, page 857–866, New York, NY, USA, 2014. Association forComputing Machinery. URL: https://doi.org/10.1145/2591796.2591874 , doi:10.1145/2591796.2591874 . R. E. Cleve.
Methodologies for Designing Block Ciphers and Cryptographic Protocols . PhDthesis, CAN, 1989. Claude Crépeau and Joe Kilian. Discreet solitary games. In Douglas R. Stinson, editor,
Advances in Cryptology — CRYPTO’ 93 , pages 319–330, Berlin, Heidelberg, 1994. SpringerBerlin Heidelberg. Bert den Boer. More efficient match-making and satisfiability the five card trick. In Jean-Jacques Quisquater and Joos Vandewalle, editors,
Advances in Cryptology — EUROCRYPT’89 , pages 208–217, Berlin, Heidelberg, 1990. Springer Berlin Heidelberg. Danny Francis, Syarifah Ruqayyah Aljunid, Takuya Nishida, Yu-ichi Hayashi, Takaaki Mizuki,and Hideaki Sone. Necessary and sufficient numbers of cards for securely computing two-bitoutput functions. In Raphaël C.-W. Phan and Moti Yung, editors,
Paradigms in Cryptology –Mycrypt 2016. Malicious and Exploratory Cryptology , pages 193–211, Cham, 2017. SpringerInternational Publishing. Julia Kastner, Alexander Koch, Stefan Walzer, Daiki Miyahara, Yu-ichi Hayashi, TakaakiMizuki, and Hideaki Sone. The minimum number of cards in practical card-based protocols.In Tsuyoshi Takagi and Thomas Peyrin, editors,
Advances in Cryptology – ASIACRYPT 2017 ,pages 126–155, Cham, 2017. Springer International Publishing. Alexander Koch. The landscape of optimal card-based protocols. Cryptology ePrint Archive,Report 2018/951, 2018. urlhttps://eprint.iacr.org/2018/951. Alexander Koch and Stefan Walzer. Foundations for actively secure card-based cryptography.In Martin Farach-Colton, Giuseppe Prencipe, and Ryuhei Uehara, editors, , volume 157 of
LIPIcs , pages 17:1–17:23. Schloss Dagstuhl - Leibniz-Zentrumfür Informatik, 2021. URL: https://doi.org/10.4230/LIPIcs.FUN.2021.17 , doi:10.4230/LIPIcs.FUN.2021.17 . Alexander Koch, Stefan Walzer, and Kevin Härtel. Card-based cryptographic protocols using aminimal number of cards. In Tetsu Iwata and Jung Hee Cheon, editors,
Advances in Cryptology– ASIACRYPT 2015 , pages 783–807, Berlin, Heidelberg, 2015. Springer Berlin Heidelberg. Takaaki Mizuki. Card-based protocols for securely computing the conjunction of multiplevariables.
Theor. Comput. Sci. , 622(C):34–44, April 2016. URL: https://doi.org/10.1016/j.tcs.2016.01.039 , doi:10.1016/j.tcs.2016.01.039 . Takaaki Mizuki, Michihito Kumamoto, and Hideaki Sone. The five-card trick can be done withfour cards. In Xiaoyun Wang and Kazue Sako, editors,
Advances in Cryptology – ASIACRYPT2012 , pages 598–606, Berlin, Heidelberg, 2012. Springer Berlin Heidelberg. Takaaki Mizuki and Hiroki Shizuya. A formalization of card-based cryptographic protocolsvia abstract machine.
Int. J. Inf. Secur. , 13(1):15–23, February 2014. URL: https://doi.org/10.1007/s10207-013-0219-4 , doi:10.1007/s10207-013-0219-4 . Takaaki Mizuki and Hiroki Shizuya. Practical card-based cryptography. In Alfredo Ferro,Fabrizio Luccio, and Peter Widmayer, editors,
Fun with Algorithms , pages 313–324, Cham,2014. Springer International Publishing. Takaaki Mizuki and Hideaki Sone. Six-card secure and and four-card secure xor. In XiaotieDeng, John E. Hopcroft, and Jinyun Xue, editors,
Frontiers in Algorithmics , pages 358–369,Berlin, Heidelberg, 2009. Springer Berlin Heidelberg. Valtteri Niemi and Ari Renvall. Secure multiparty computations without computers. Technicalreport, 1997. Takuya Nishida, Yu-ichi Hayashi, Takaaki Mizuki, and Hideaki Sone. Card-based protocolsfor any boolean function. In Rahul Jain, Sanjay Jain, and Frank Stephan, editors,
Theory andApplications of Models of Computation , pages 110–121, Cham, 2015. Springer InternationalPublishing. . Dvořák and M. Koucký 17 Akihiro Nishimura, Yu-ichi Hayashi, Takaaki Mizuki, and Hideaki Sone. An implementationof non-uniform shuffle for secure multi-party computation. In
Proceedings of the 3rd ACMInternational Workshop on ASIA Public-Key Cryptography , AsiaPKC ’16, page 49–55, NewYork, NY, USA, 2016. Association for Computing Machinery. URL: https://doi.org/10.1145/2898420.2898425 , doi:10.1145/2898420.2898425 . Anton Stiglic. Computations with a deck of cards.