Yoshifumi Manabe,Hibiki Ono

DOI: https://doi.org/10.1007/s00354-024-00257-2

2024-06-17

New Generation Computing

Abstract:This paper shows new kinds of card-based cryptographic protocols with a standard deck of cards using private operations. They are multi-party secure computations executed by multiple players without computers. Most card-based cryptographic protocols use a special deck of cards that consists of many cards with two kinds of marks. Though these protocols are simple and efficient, the users need to prepare such special cards. Few protocols were shown that use a standard deck of playing cards. Though the protocols with a standard deck of cards can be easily executed in our daily lives, the numbers of cards used by these protocols are larger than the ones that use the special deck of cards. This paper shows logical AND, logical XOR, and copy protocols for a standard deck of cards that use the minimum number of cards. Any Boolean functions can be computed with a combination of the above protocols. The new protocols use private operations that are executed by a player at a place where the other players cannot see. The results show the effectiveness of private operations in card-based cryptographic protocols. This paper also shows protocols that use private input operations. When each player privately inputs his/her secret value, this type of protocol is used. Last, we show asymmetric card protocols to further reduce the number of cards.

computer science, theory & methods, hardware & architecture

Anastasiia Doi,Tomoki Ono,Yoshiki Abe,Takeshi Nakai,Kazumasa Shinagawa,Yohei Watanabe,Koji Nuida,Mitsugu Iwamoto

DOI: https://doi.org/10.1007/s00354-024-00268-z

2024-06-24

New Generation Computing

Abstract:Card-based cryptography aims to realize secure multiparty computation with physical cards. This paper is the first to address Private Set Intersection (PSI) and Private Set Union (PSU) in card-based cryptography. PSI and PSU are well-studied secure computation protocols to compute the set intersection and the set union, respectively. We show two-party PSI and PSU protocols in each of the two operation models: one is the shuffle-based model in which parties perform all operations publicly, and the other is the private-permutation-based model that allows parties to perform some operations privately. In the shuffle-based model, we show PSI and PSU protocols can be realized with existing secure AND and OR protocols, respectively. However, these protocols have an issue of increasing the number of shuffles depending on the size of the universal set. To resolve the issue, we further propose PSI and PSU protocols with only one shuffle at the cost of increasing the number of cards. In the private-permutation-based model, we show PSI and PSU protocols can be achieved with existing secure AND and OR protocols, respectively, as in the shuffle-based protocols. These protocols have an advantage of requiring only one private permutation and one communication. We further show that the number of cards of these protocols can be reduced at the cost of increasing the number of private permutations and communications.

computer science, theory & methods, hardware & architecture

Takeshi Nakai,Keita Iwanari,Tomoki Ono,Yoshiki Abe,Yohei Watanabe,Mitsugu Iwamoto

DOI: https://doi.org/10.1007/s00354-024-00269-y

2024-06-23

New Generation Computing

Abstract:Card-based cryptography is a secure computation protocol realized by using physical cards. There are two models on card-based cryptography: public and private models. We adopt private one that allows players to handle cards privately. While much of the existing works for card-based cryptography use two-colored cards, it is also a vital task to construct an efficient protocol with playing cards. In the public model, 2 n cards are necessary for any n -bit input protocol since at least two cards are required to express a Boolean value. It holds true for both two-colored and playing-card settings. On the other hand, the private model enables us to construct a protocol with fewer than 2 n cards. However, all existing protocols that achieve such properties are only in the two-colored setting. This paper shows that the private model enables us to construct a protocol with fewer than 2 n cards using the playing cards. We first show two-bit input protocols with fewer than four cards for logical operations, AND, OR, and XOR. Furthermore, we show a three-input majority voting protocol using only three cards, which is constructed by combining our AND and OR protocols. Notably, our proposed protocols require no randomness. All operations are deterministic and depend only on players' private inputs.

computer science, theory & methods, hardware & architecture

Yuji Hashimoto,Kazumasa Shinagawa,Koji Nuida,Masaki Inamura,Goichiro Hanaoka

DOI: https://doi.org/10.1587/transfun.E101.A.1512

2017-09-22

Abstract:We consider a problem, which we call secure grouping, of dividing a number of parties into some subsets (groups) in the following manner: Each party has to know the other members of his/her group, while he/she may not know anything about how the remaining parties are divided (except for certain public predetermined constraints, such as the number of parties in each group). In this paper, we construct an information-theoretically secure protocol using a deck of physical cards to solve the problem, which is jointly executable by the parties themselves without a trusted third party. Despite the non-triviality and the potential usefulness of the secure grouping, our proposed protocol is fairly simple to describe and execute. Our protocol is based on algebraic properties of conjugate permutations. A key ingredient of our protocol is our new techniques to apply multiplication and inverse operations to hidden permutations (i.e., those encoded by using face-down cards), which would be of independent interest and would have various potential applications.

Cryptography and Security

Suthee Ruangwises

DOI: https://doi.org/10.1007/978-3-031-17510-7_12

2022-10-25

Abstract:Research in secure multi-party computation using a deck of playing cards, often called card-based cryptography, dates back to 1989 when Den Boer introduced the "five-card trick" to compute the logical AND function. Since then, many protocols to compute different functions have been developed. In this paper, we propose a new encoding scheme that uses five cards to encode each integer in $\mathbb{Z}/6\mathbb{Z}$. Using this encoding scheme, we develop protocols that can copy a commitment with 13 cards, add two integers with 10 cards, and multiply two integers with 14 cards. All of our protocols are the currently best known protocols in terms of the required number of cards. Our encoding scheme can be generalized to encode integers in $\mathbb{Z}/n\mathbb{Z}$ for other values of $n$ as well.

Cryptography and Security

Takeshi Nakai,Yuto Misawa,Yuuki Tokushige,Mitsugu Iwamoto,Kazuo Ohta

DOI: https://doi.org/10.1007/s00354-020-00118-8

2021-01-05

New Generation Computing

Abstract:Abstract Card-based cryptography, introduced by den Boer aims to realize multiparty computation (MPC) by using physical cards. We propose several efficient card-based protocols for the millionaires’ problem by introducing a new operation called Private Permutation (PP) instead of the shuffle used in most of existing card-based cryptography. Shuffle is a useful randomization technique by exploiting the property of card shuffling, but it requires a strong assumption from the viewpoint of arithmetic MPC because shuffle assumes that public randomization is possible. On the other hand, private randomness can be used in PPs, which enables us to design card-based protocols taking ideas of arithmetic MPCs into account. Actually, we show that Yao’s millionaires’ protocol can be easily transformed into a card-based protocol by using PPs, which is not straightforward by using shuffles because Yao’s protocol uses private randomness. Furthermore, we propose entirely novel and efficient card-based millionaire protocols based on PPs by securely updating bitwise comparisons between two numbers, which unveil a power of PPs. As another interest of these protocols, we point out they have a deep connection to the well-known logical puzzle known as “The fork in the road.”

computer science, theory & methods, hardware & architecture

Suthee Ruangwises,Tomoki Ono,Yoshiki Abe,Kyosuke Hatsugai,Mitsugu Iwamoto

DOI: https://doi.org/10.1007/978-3-031-63742-1_2

2024-08-16

Abstract:Research in the area of secure multi-party computation with an unconventional method of using a physical deck of playing cards began in 1989 when den Boer proposed a protocol to compute the logical AND function using five cards. Since then, the area has gained interest from many researchers and several card-based protocols to compute various functions have been developed. In this paper, we propose a card-based protocol called the overwriting protocol that can securely compute the $k$-candidate $n$-variable equality function $f: \{0,1,\ldots ,k-1\}^n \rightarrow \{0,1\}$. We also apply the technique used in this protocol to compute other similar functions.

Cryptography and Security

Daiki Miyahara,Yu-ichi Hayashi,Takaaki Mizuki,Hideaki Sone

DOI: https://doi.org/10.1016/j.tcs.2019.11.005

IF: 1.002

2020-01-01

Theoretical Computer Science

Abstract:Yao's millionaire protocol enables Alice and Bob to know whether or not Bob is richer than Alice by using a public-key cryptosystem without revealing the actual amounts of their properties. In this paper, we present simple and practical implementations of Yao's millionaire protocol using a physical deck of playing cards; we straightforwardly implement the idea behind Yao's millionaire protocol so that even non-experts can easily understand their correctness and secrecy. Our implementations are based partially on the previous card-based scheme proposed by Nakai, Tokushige, Misawa, Iwamoto, and Ohta; their scheme admits players' private actions on a sequence of cards called Private Permutation (PP), implying that a malicious player could make an active attack (for example, he/she could exchange some of the cards stealthily when doing such a private action). By contrast, our implementations rely on a familiar shuffling operation called a random cut, and hence, they can be conducted completely publicly so as to avoid any active attack. More specifically, we present two card-based implementations of Yao's millionaire protocol; one uses a two-colored deck of cards (which consists of black and red cards), and the other uses a standard deck of playing cards. Furthermore, we also provide card-based protocols that rely on a logical circuit representing the comparison.

computer science, theory & methods

Dhaneshwar Mardi,Surbhi Tanwar,Jaydeep Howlader

DOI: https://doi.org/10.1002/spy2.176

2021-06-09

Security and Privacy

Abstract:Multiparty computation is raising importance because its primary objective is to replace any trusted third party in the distributed computation. This work presents two multiparty shuffling protocols where each party, possesses a private input, agrees on a random permutation while keeping the permutation secret. The proposed shuffling protocols are based on permutation network, thereby data-oblivious. The first proposal is -permute that permutes inputs in all possible ways. -permute network consists of layers, and in each layer there are gates. Our second protocol is -permute shuffling that defines a permutation set where , and the resultant shuffling is a random permutation . The -permute network contains less number of layers compare with -permute network. Let , the -permute network would define layers. The proposed shuffling protocols are unconditionally secure against malicious adversary who can corrupt at most parties. The probability that adversary can learn the outcome of -permute is upper bound by . Whereas, the probability that adversary can learn the outcome of -permute is upper bounded by , for some positive integer , and a recursive definition of . The protocols allow the parties to build quorums, and distribute the load among the quorums.

English Else

Ágnes Kiss,Jian Liu,Thomas Schneider,N. Asokan,Benny Pinkas

DOI: https://doi.org/10.1515/popets-2017-0044

2017-01-01

Proceedings on Privacy Enhancing Technologies

Abstract:Abstract Private set intersection (PSI) is a cryptographic technique that is applicable to many privacy-sensitive scenarios. For decades, researchers have been focusing on improving its efficiency in both communication and computation. However, most of the existing solutions are inefficient for an unequal number of inputs, which is common in conventional client-server settings. In this paper, we analyze and optimize the efficiency of existing PSI protocols to support precomputation so that they can efficiently deal with such input sets. We transform four existing PSI protocols into the precomputation form such that in the setup phase the communication is linear only in the size of the larger input set, while in the online phase the communication is linear in the size of the smaller input set. We implement all four protocols and run experiments between two PCs and between a PC and a smartphone and give a systematic comparison of their performance. Our experiments show that a protocol based on securely evaluating a garbled AES circuit achieves the fastest setup time by several orders of magnitudes, and the fastest online time in the PC setting where AES-NI acceleration is available. In the mobile setting, the fastest online time is achieved by a protocol based on the Diffie-Hellman assumption.

Andres Cordon-Franco,Hans van Ditmarsch,David Fernandez-Duque,Joost J. Joosten,Fernando Soler-Toscano

DOI: https://doi.org/10.48550/arXiv.1111.0156

2011-11-01

Abstract:Consider three players Alice, Bob and Cath who hold a, b and c cards, respectively, from a deck of d=a+b+c cards. The cards are all different and players only know their own cards. Suppose Alice and Bob wish to communicate their cards to each other without Cath learning whether Alice or Bob holds a specific card. Considering the cards as consecutive natural numbers 0,1,..., we investigate general conditions for when Alice or Bob can safely announce the sum of the cards they hold modulo an appropriately chosen integer. We demonstrate that this holds whenever a,b>2 and c=1. Because Cath holds a single card, this also implies that Alice and Bob will learn the card deal from the other player's announcement.

Discrete Mathematics,Cryptography and Security

Suthee Ruangwises

DOI: https://doi.org/10.1007/978-3-031-47963-2_6

2023-09-15

Abstract:Secure multi-party computation using a physical deck of cards, often called card-based cryptography, has been extensively studied during the past decade. Card-based protocols to compute various Boolean functions have been developed. As each input bit is typically encoded by two cards, computing an $n$-variable Boolean function requires at least $2n$ cards. We are interested in optimal protocols that use exactly $2n$ cards. In particular, we focus on symmetric functions. In this paper, we formulate the problem of developing $2n$-card protocols to compute $n$-variable symmetric Boolean functions by classifying all such functions into several NPN-equivalence classes. We then summarize existing protocols that can compute some representative functions from these classes, and also solve some open problems in the cases $n=4$, 5, 6, and 7. In particular, we develop a protocol to compute a function $k$Mod3, which determines whether the sum of all inputs is congruent to $k$ modulo 3 ($k \in \{0,1,2\}$).

Cryptography and Security

Borja Balle,James Bell,Adrià Gascón

2023-09-08

Abstract:Motivated by recent developments in the shuffle model of differential privacy, we propose a new approximate shuffling functionality called Alternating Shuffle, and provide a protocol implementing alternating shuffling in a single-server threat model where the adversary observes all communication. Unlike previous shuffling protocols in this threat model, the per-client communication of our protocol only grows sub-linearly in the number of clients. Moreover, we study the concrete efficiency of our protocol and show it can improve per-client communication by one or more orders of magnitude with respect to previous (approximate) shuffling protocols. We also show a differential privacy amplification result for alternating shuffling analogous to the one for uniform shuffling, and demonstrate that shuffling-based protocols for secure summation based a construction of Ishai et al. (FOCS'06) remain secure under the Alternating Shuffle. In the process we also develop a protocol for exact shuffling in single-server threat model with amortized logarithmic communication per-client which might be of independent interest.

Cryptography and Security

Sven Laur,Jan Willemson,Bingsheng Zhang

DOI: https://doi.org/10.1007/978-3-642-24861-0_18

2011-01-01

Abstract:Most of the multi-party computation frameworks can be viewed as oblivious databases where data is stored and processed in a secret-shared form. However, data manipulation in such databases can be slow and cumbersome without dedicated protocols for certain database operations. In this paper, we provide efficient protocols for oblivious selection, filtering and shuffle essential tools in privacy-preserving data analysis. As the first contribution, we present a 1-out-of-n oblivious transfer protocol with 0(log log n) rounds, which achieves optimal communication and time complexity and works over any ring Z(N). Secondly, we show how to construct round-efficient shuffle protocols with optimal asymptotic computation complexity and provide several optimizations.

Kazumasa SHINAGAWA,Kengo MIYAMOTO

DOI: https://doi.org/10.1587/transfun.2022cip0020

2023-03-01

Abstract:Kazumasa SHINAGAWA,Kengo MIYAMOTO, Vol.E106-A, No.3, pp.306-314 In card-based cryptography, a deck of physical cards is used to achieve secure computation. A shuffle, which randomly permutes a card-sequence along with some probability distribution, ensures the security of a card-based protocol. The authors proposed a new class of shuffles called graph shuffles, which randomly permutes a card-sequence by an automorphism of a directed graph (New Generation Computing 2022). For a directed graph G with n vertices and m edges, such a shuffle could be implemented with pile-scramble shuffles with 2(n + m) cards. In this paper, we study graph shuffles and give an implementation, an application, and a slight generalization. First, we propose a new protocol for graph shuffles with 2n + m cards. Second, as a new application of graph shuffles, we show that any cyclic group shuffle, which is a shuffle over a cyclic group, is a graph shuffle associated with some graph. Third, we define a hypergraph shuffle, which is a shuffle by an automorphism of a hypergraph, and show that any hypergraph shuffle can also be implemented with pile-scramble shuffles. Publication Date: 2023/03/01

computer science, information systems,engineering, electrical & electronic, hardware & architecture

Hassan Jameel Asghar,Arghya Mukherjee,Gavin K. Brennen

2024-09-06

Abstract:We present a quantum protocol which securely and implicitly implements a random shuffle to realize differential privacy in the shuffle model. The shuffle model of differential privacy amplifies privacy achievable via local differential privacy by randomly permuting the tuple of outcomes from data contributors. In practice, one needs to address how this shuffle is implemented. Examples include implementing the shuffle via mix-networks, or shuffling via a trusted third-party. These implementation specific issues raise non-trivial computational and trust requirements in a classical system. We propose a quantum version of the protocol using entanglement of quantum states and show that the shuffle can be implemented without these extra requirements. Our protocol implements k-ary randomized response, for any value of k > 2, and furthermore, can be efficiently implemented using fault-tolerant computation.

Quantum Physics,Cryptography and Security

Jason Fulman

DOI: https://doi.org/10.48550/arXiv.math/9910087

2000-05-12

Abstract:Type A affine shuffles are compared with riffle shuffles followed by a cut. Although these probability measures on the symmetric group S_n are different, they both satisfy a convolution property. Strong evidence is given that when the underlying parameter $q$ satisfies $gcd(n,q-1)=1$, the induced measures on conjugacy classes of the symmetric group coincide. This gives rise to interesting combinatorics concerning the modular equidistribution by major index of permutations in a given conjugacy class and with a given number of cyclic descents. It is proved that the use of cuts does not speed up the convergence rate of riffle shuffles to randomness. Generating functions for the first pile size in patience sorting from decks with repeated values are derived. This relates to random matrices.

Combinatorics,Probability

Helger Lipmaa,Bingsheng Zhang

DOI: https://doi.org/10.1007/978-3-642-32928-9_27

2013-01-01

Journal of Computer Security

Abstract:We propose a new non-interactive perfect zero-knowledge NIZK shuffle argument that, when compared with the only previously known efficient NIZK shuffle argument by Groth and Lu, has a small constant factor times smaller computation and communication, and is based on more standard computational assumptions. Differently from Groth and Lu who only prove the co-soundness of their argument under purely computational assumptions, we prove computational soundness under a necessary knowledge assumption. We also present a general transformation that results in a shuffle argument that has a quadratically smaller common reference string CRS and a small constant factor times longer argument than the original shuffle. This can be interpreted as a general technique of decreasing the offline cost of an arbitrary shuffle argument.

Yanxue Jia,Shi-Feng Sun,Hong-Sheng Zhou,Jiajun Du,Dawu Gu

2022-01-01

Abstract:Private Set Union (PSU) allows two players, the sender and the receiver, to compute the union of their input datasets without revealing any more information than the result. While it has found numerous applications in practice, not much research has been carried out so far, especially for large datasets. In this work, we take shuffling technique as a key to design PSU protocols for the first time. By shuffling receiver's set, we put forward the first protocol, denoted as Pi(R)(PSU), that eliminates the expensive operations in previous works, such as additive homomorphic encryption and repeated operations on the receiver's set. It outperforms the state-of-the-art design by Kolesnikov et al. (ASIACRYPT 2019) in both efficiency and security; the unnecessary leakage in Kolesnikov et al.'s design, can be avoided in our design. We further extend our investigation to the application scenarios in which both players may hold unbalanced input datasets. We propose our second protocol Pi(S)(PSU), by shuffling the sender's dataset. This design can be viewed as a dual version of our first protocol, and it is suitable in the cases where the sender's input size is much smaller than the receiver's. Finally, we implement our protocols Pi(R)(PSU) and Pi(S)(PSU) in C++ on big datasets, and perform a comprehensive evaluation in terms of both scalability and parallelizability. The results demonstrate that our design can obtain a 4-5 x improvement over the state-of-the-art by Kolesnikov et al. with a single thread in WAN/LAN settings.

Seng Pei Liew,Satoshi Hasegawa,Tsubasa Takahashi

2023-07-04

Abstract:We study a protocol for distributed computation called shuffled check-in, which achieves strong privacy guarantees without requiring any further trust assumptions beyond a trusted shuffler. Unlike most existing work, shuffled check-in allows clients to make independent and random decisions to participate in the computation, removing the need for server-initiated subsampling. Leveraging differential privacy, we show that shuffled check-in achieves tight privacy guarantees through privacy amplification, with a novel analysis based on R{é}nyi differential privacy that improves privacy accounting over existing work. We also introduce a numerical approach to track the privacy of generic shuffling mechanisms, including Gaussian mechanism, which is the first evaluation of a generic mechanism under the distributed setting within the local/shuffle model in the literature. Empirical studies are also given to demonstrate the efficacy of the proposed approach.

Machine Learning,Cryptography and Security