# Minimum Round Card-Based Cryptographic Protocols Using Private Operations

## Abstract


## 1. Introduction

#### 1.1. Motivation

#### 1.2. Related Works

## 2. Preliminaries

#### 2.1. Basic Notations

#### 2.2. Private Operations

**Primitive 1.**

**Primitive 2.**

**Primitive 3.**

#### 2.3. Definition of Round

**Protocol 1.**

1. Alice executes a private random bisection cut on $commit(x)$. Let the output be $commit(x')$. Alice sends $commit(x')$ and $commit(y)$ to Bob.
2. Bob executes a private reveal on $commit(x')$. Bob privately sets the following:

   $$S_2=\begin{cases}commit(y)\,||\,commit(0) & \text{if } x'=1\\ commit(0)\,||\,commit(y) & \text{if } x'=0\end{cases}$$
3. Alice executes a private reverse selection on $S_2$ using the bit $b$ generated in the private random bisection cut. Let the obtained sequence be $S_3$. Alice outputs $S_3$.

#### 2.4. Our Results

## 3. XOR, AND, and Copy with the Minimum Number of Rounds

#### 3.1. XOR Protocol

**Protocol 2.**

1. Alice executes a private random bisection cut on input $S_0=commit(x)$ and $S_0'=commit(y)$, using the same random bit $b$. Let the output be $S_1=commit(x')$ and $S_1'=commit(y')$, respectively. Note that $x'=x\oplus b$ and $y'=y\oplus b$. Alice sends $S_1$ and $S_1'$ to Bob.
2. Bob executes a private reveal on $S_1=commit(x')$. Bob executes a private reverse cut on $S_1'$ using $x'$. Let the result be $S_2$. Bob outputs $S_2$.

**Theorem 1.**

**Proof.**

#### 3.2. AND Protocol

**Protocol 3.**

1. Alice executes a private random bisection cut on $S_0=commit(x)$ and $S_0'=commit(0)\,||\,commit(y)$ using the same random bit $b$. Two new cards are used to set $commit(0)$. Let the output be $S_1=commit(x')$ and $S_1'$, respectively. Note the following:

   $$S_1'=\begin{cases}commit(y)\,||\,commit(0) & \text{if } b=1\\ commit(0)\,||\,commit(y) & \text{if } b=0\end{cases}$$
2. Bob executes a private reveal on $S_1$. Bob executes a private reverse selection on $S_1'$ using $x'$. Let the selected cards be $S_2$. Bob outputs $S_2$ as the result.

**Theorem 2.**

**Proof.**

#### 3.3. Copy Protocol

**Protocol 4.**

1. Alice executes a private random bisection cut on $S_0=commit(x)$. Let the output be $S_1=commit(x')$. Alice sets $S_1'$ as $m$ copies of $commit(b)$, where $b$ is the bit selected in the random bisection cut. Note that $x'=x\oplus b$. Alice sends $S_1$ and $S_1'$ to Bob.
2. Bob executes a private reveal on $S_1$ and obtains $x'$. Bob executes a private reverse cut on each pair of $S_1'$ using $x'$. Let the result be $S_2$. Bob outputs $S_2$.
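
The three two-round protocols above (Protocols 2 to 4), simulated card by card as an added example that is not code from the paper. This extract does not define the card encoding or the primitives, so the encoding (club-heart = 0, heart-club = 1) and the behaviour of `cut` and `select` are assumptions, chosen to match the relations $x'=x\oplus b$ and the case split for $S_1'$ stated in the protocols.

```python
import itertools
from collections import Counter

CLUB, HEART = "C", "H"  # assumed two-colour deck


def commit(bit):
    """Assumed encoding: club-heart = 0, heart-club = 1."""
    return (CLUB, HEART) if bit == 0 else (HEART, CLUB)


def opened(pair):
    """Value read off a commitment once its two cards are turned face up."""
    return {(CLUB, HEART): 0, (HEART, CLUB): 1}[tuple(pair)]


def cut(seq, bit):
    """Bisection cut / reverse cut (assumed): swap the halves iff bit == 1."""
    half = len(seq) // 2
    return seq[half:] + seq[:half] if bit else seq


def select(seq, bit):
    """Reverse selection (assumed): left half if bit == 0, else right half."""
    half = len(seq) // 2
    return seq[half:] if bit else seq[:half]


def xor_protocol(x, y, b):
    """Protocol 2. Returns (face-down output S2, value Bob saw in his reveal)."""
    s1, s1p = cut(commit(x), b), cut(commit(y), b)  # round 1, Alice
    x_prime = opened(s1)                            # round 2, Bob: private reveal
    return cut(s1p, x_prime), x_prime               # reverse cut on S1'


def and_protocol(x, y, b):
    """Protocol 3. Returns (selected pair S2, value Bob saw)."""
    s1 = cut(commit(x), b)
    s1p = cut(commit(0) + commit(y), b)  # commit(0)||commit(y), swapped iff b == 1
    x_prime = opened(s1)
    return select(s1p, x_prime), x_prime


def copy_protocol(x, m, b):
    """Protocol 4. Returns (m face-down copies of x, value Bob saw)."""
    s1 = cut(commit(x), b)
    s1p = [commit(b)] * m
    x_prime = opened(s1)
    return [cut(pair, x_prime) for pair in s1p], x_prime


def audit(m=3):
    """Run all three protocols on every (x, y, b).

    Returns (all outputs correct, {(x, y): Counter of x' values Bob sees}).
    """
    correct = True
    views = {}
    for x, y, b in itertools.product((0, 1), repeat=3):
        out_xor, seen = xor_protocol(x, y, b)
        out_and, seen_and = and_protocol(x, y, b)
        copies, seen_copy = copy_protocol(x, m, b)
        correct &= opened(out_xor) == x ^ y
        correct &= opened(out_and) == x & y
        correct &= [opened(c) for c in copies] == [x] * m
        correct &= seen == seen_and == seen_copy == x ^ b
        views.setdefault((x, y), Counter())[seen] += 1
    return correct, views


if __name__ == "__main__":
    ok, views = audit()
    print("outputs correct:", ok)
    for inputs, seen in sorted(views.items()):
        print(inputs, dict(seen))  # distribution of x' over Alice's uniform bit b
```

For every input pair the value Bob reveals takes each of 0 and 1 exactly once over Alice's two choices of $b$, so the private reveal by itself tells him nothing about $x$.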

**Theorem 3.**

**Proof.**

#### 3.4. Any Two-Variable Boolean Functions

**Theorem 4.**

**Proof.**

#### 3.5. n-Variable Boolean Functions

**Protocol 5.**

1. Alice executes a private random bisection cut on $commit(x_i)$ $(i=1,2,\dots,n)$. Let the results be $commit(x_i')$ $(i=1,2,\dots,n)$, where $x_i'=x_i\oplus b_i$ $(i=1,2,\dots,n)$. Note that one random bit $b_i$ is selected for each $x_i$ $(i=1,2,\dots,n)$. Alice generates $2^n$ commitments $S_{a_1,a_2,\dots,a_n}$ $(a_i\in\{0,1\},\ i=1,2,\dots,n)$ as $S_{a_1,a_2,\dots,a_n}=commit(f(a_1\oplus b_1,a_2\oplus b_2,\dots,a_n\oplus b_n))$. Alice sends $commit(x_i')$ $(i=1,2,\dots,n)$ and $S_{a_1,a_2,\dots,a_n}$ $(a_i\in\{0,1\},\ i=1,2,\dots,n)$ to Bob.
2. Bob executes a private reveal on $commit(x_i')$ $(i=1,2,\dots,n)$. Bob outputs $S_{x_1',x_2',\dots,x_n'}$.

**Theorem 5.**

**Proof.**

## 4. Protocols without Private Reveals

#### 4.1. XOR Protocol without Private Reveals

**Protocol 6.**

1. Alice executes a private random bisection cut on $S_0=commit(x)$ and $S_0'=commit(y)$ using the same random bit $b$. Let the output be $S_1=commit(x')$ and $S_1'=commit(y')$, respectively. Note that $x'=x\oplus b$ and $y'=y\oplus b$. Alice sends $S_1$ and $S_1'$ to Bob.
2. Bob executes a private random bisection cut on $S_1$ and $S_1'$ using a private bit $b'$. Let the output be $S_2=commit(x'')$ and $S_2'=commit(y'')$, respectively. $x''=x\oplus b\oplus b'$ and $y''=y\oplus b\oplus b'$ hold. Bob publicly opens $S_2$ and obtains $x''$. Alice can see $x''$. Bob publicly sets the following:

   $$S_3=\begin{cases}commit(\overline{y''}) & \text{if } x''=1\\ commit(y'') & \text{if } x''=0\end{cases}$$

**Theorem 6.**

**Proof.**

#### 4.2. AND Protocol without Private Reveals

**Protocol 7.**

1. Alice executes a private random bisection cut on $S_0=commit(x)$. Let the result be $S_1=commit(x')$. Alice sends $S_1$ and $S_0'=commit(y)$ to Bob.
2. Bob executes a private random bisection cut on $S_1$, using a private bit $b'$. Let the result be $S_1'=commit(x'')$. $x''=x\oplus b\oplus b'$ holds. Bob publicly opens $S_1'$ and obtains value $x''$. Alice can see $x''$. Bob publicly sets the following:

   $$S_2=\begin{cases}commit(y)\,||\,commit(0) & \text{if } x''=1\\ commit(0)\,||\,commit(y) & \text{if } x''=0\end{cases}$$
3. Alice executes a private reverse selection on $S_3$ using the bit $b$ generated in the private random bisection cut. Let the result be $S_4$. Alice outputs $S_4$.

**Theorem 7.**

**Proof.**

**Protocol 8.**

1. Alice executes a private random bisection cut on $S_0=commit(x)$ and $S_0'=commit(0)\,||\,commit(y)$ using the same random bit $b$. Two new cards are used to set $commit(0)$. Let the output be $S_1=commit(x')$ and $S_1'$, respectively. Note the following:

   $$S_1'=\begin{cases}commit(y)\,||\,commit(0) & \text{if } b=1\\ commit(0)\,||\,commit(y) & \text{if } b=0\end{cases}$$
2. Bob executes a private random bisection cut on $S_1$ and $S_1'$ using the same random bit $b'$. Let the result be $S_2$ and $S_2'$, respectively. Note that $S_2=commit(x\oplus b\oplus b')$. Bob publicly opens cards of $S_2$ and obtains $x''=x\oplus b\oplus b'$. Alice can see $x''$. Bob publicly selects the left pair of $S_2'$ if $x''=0$, otherwise selects the right pair of $S_2'$. Bob outputs the pair as the result.

**Theorem 8.**

**Proof.**

#### 4.3. Copy Protocol without Private Reveals

**Protocol 9.**

1. Alice executes a private random bisection cut on $S_0=commit(x)$. Let the result be $S_1=commit(x')$. Note that $x'=x\oplus b$. Alice sends $S_1$ to Bob.
2. Bob executes a private random bisection cut on $S_1$ using a private random bit $b'$. Let the result be $S_2=commit(x'')$. Note that $x''=x\oplus b\oplus b'$. Bob publicly opens $S_2$ and obtains $x''$. Alice can see $x''$. Bob publicly sets $m$ pairs of cards of $x''$. Bob faces down the cards. Let the cards be $S_3$. Bob executes a private reverse cut on each pair of $S_3$ using $b'$. Let the result be $S_3'$. Bob sends $S_3'$ to Alice.
3. Alice executes a private reverse cut on each pair of $S_3'$ using $b$. Alice outputs the pairs.

**Theorem 9.**

**Proof.**

**Protocol 10.**

1. Alice executes a private random bisection cut on $S_0=commit(x)$. Let the result be $S_1=commit(x')$. Note that $x'=x\oplus b$. Alice privately sets $S_1'$ as $m$ copies of $commit(b)$. Alice sends $S_1$ and $S_1'$ to Bob.
2. Bob executes a private random bisection cut on $S_1$ and each pair of $S_1'$ using a private random bit $b'$. Let the output be $S_2=commit(x'')$ and $S_2'$, respectively. Bob publicly opens $S_2$ and obtains $x''$. Alice can see $x''$. Bob publicly swaps each pair of $S_2'$ if $x''=1$. Otherwise, Bob does nothing. Let the result be $S_3$. Bob outputs $S_3$.

**Theorem 10.**

**Proof.**

#### 4.4. n-Variable Boolean Functions without Private Reveals

**Protocol 11.**

1. Alice executes a private random bisection cut on $commit(x_i)$ $(i=1,2,\dots,n)$. Let the results be $commit(x_i')$ $(i=1,2,\dots,n)$, where $x_i'=x_i\oplus b_i$ $(i=1,2,\dots,n)$. Note that one random bit $b_i$ is selected for each $x_i$ $(i=1,2,\dots,n)$. Alice generates $2^n$ commitments $S_{a_1,a_2,\dots,a_n}$ $(a_i\in\{0,1\},\ i=1,2,\dots,n)$ as $S_{a_1,a_2,\dots,a_n}=commit(f(a_1\oplus b_1,a_2\oplus b_2,\dots,a_n\oplus b_n))$. Alice sends $commit(x_i')$ $(i=1,2,\dots,n)$ and $S_{a_1,a_2,\dots,a_n}$ $(a_i\in\{0,1\},\ i=1,2,\dots,n)$ to Bob.
2. Bob executes a private random bisection cut on $commit(x_i')$ $(i=1,2,\dots,n)$. Note that one random bit $b_i'$ is selected for each $x_i'$ $(i=1,2,\dots,n)$. Let $commit(x_i'')$ $(i=1,2,\dots,n)$ be the obtained value. $x_i''=x_i\oplus b_i\oplus b_i'$ $(i=1,2,\dots,n)$ is satisfied. Bob privately relocates $S_{a_1,a_2,\dots,a_n}$ $(a_i\in\{0,1\},\ i=1,2,\dots,n)$ so that $S'_{a_1,a_2,\dots,a_n}=S_{a_1\oplus b_1',a_2\oplus b_2',\dots,a_n\oplus b_n'}$ $(a_i\in\{0,1\},\ i=1,2,\dots,n)$. The cards satisfy $S'_{a_1,a_2,\dots,a_n}=commit(f(a_1\oplus b_1\oplus b_1',a_2\oplus b_2\oplus b_2',\dots,a_n\oplus b_n\oplus b_n'))$. Bob publicly reveals $commit(x_i'')$ and obtains $x_i''$ $(i=1,2,\dots,n)$. Alice can see $x_i''$ $(i=1,2,\dots,n)$. Bob publicly selects $S'_{x_1'',x_2'',\dots,x_n''}$.
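
Protocol 11 carried through for a concrete function, as an added example that is not code from the paper. It assumes the encoding club-heart = 0, heart-club = 1 and that a bisection cut swaps the two cards when the bit is 1; `majority3` and the `bob_masks` switch are constructed for illustration. The audit checks the output for every input and every pair of masks, then compares each party's view (own random bits plus the public $x''$) across inputs, and repeats the check with Bob's second cut omitted to show why the public open depends on it.

```python
import itertools
from collections import Counter


def commit(bit):
    """Assumed encoding: club-heart = 0, heart-club = 1."""
    return ("C", "H") if bit == 0 else ("H", "C")


def opened(pair):
    return {("C", "H"): 0, ("H", "C"): 1}[tuple(pair)]


def cut(pair, bit):
    """Bisection cut on one commitment (assumed): swap the cards iff bit == 1."""
    return pair[1:] + pair[:1] if bit else pair


def xor_bits(u, v):
    return tuple(i ^ j for i, j in zip(u, v))


def protocol_11(f, x, b, b2):
    """One run with Alice's masks b and Bob's masks b2 (b' on the page).

    Returns (face-down output commitment, publicly opened x'').
    """
    index = list(itertools.product((0, 1), repeat=len(x)))
    # Round 1 (Alice): cut every input, build S_a = commit(f(a xor b)).
    x1 = [cut(commit(xi), bi) for xi, bi in zip(x, b)]
    table = {a: commit(f(*xor_bits(a, b))) for a in index}
    # Round 2 (Bob): cut again, relocate S'_a = S_{a xor b'}.
    x2_cards = [cut(pair, bi) for pair, bi in zip(x1, b2)]
    relocated = {a: table[xor_bits(a, b2)] for a in index}
    # Public open of x'' and public selection of S'_{x''}.
    x2 = tuple(opened(pair) for pair in x2_cards)
    return relocated[x2], x2


def audit(f, n, bob_masks=True):
    """Returns (correct, alice_view_independent_of_x, bob_view_independent_of_x)."""
    bits = list(itertools.product((0, 1), repeat=n))
    bob_choices = bits if bob_masks else [(0,) * n]  # no second cut: b' = 0
    correct = True
    alice, bob = {}, {}
    for x in bits:
        alice[x], bob[x] = Counter(), Counter()
        for b in bits:
            for b2 in bob_choices:
                out, x2 = protocol_11(f, x, b, b2)
                correct &= opened(out) == f(*x)
                alice[x][(b, x2)] += 1   # Alice knows b and sees x''
                bob[x][(b2, x2)] += 1    # Bob knows b' and sees x''

    def same(views):
        # Identical view distributions for every input x means no leakage.
        return len({frozenset(v.items()) for v in views.values()}) == 1

    return correct, same(alice), same(bob)


def majority3(a, b, c):
    """Constructed sample function: three-input majority."""
    return int(a + b + c >= 2)


if __name__ == "__main__":
    print("with Bob's cut:   ", audit(majority3, 3))
    print("without Bob's cut:", audit(majority3, 3, bob_masks=False))
```

Without Bob's cut the output is still correct, but Alice's view $(b, x\oplus b)$ determines $x$, which is the leak the second private random bisection cut removes.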

**Theorem 11.**

**Proof.**

## 5. Protocols That Preserve an Input

**Protocol 12.**

1. Alice executes a private random bisection cut on input $S_0=commit(x)$ and $S_0'=commit(y)$ using the same random bit $b$. Let the output be $S_1=commit(x')$ and $S_1'=commit(y')$, respectively. Note that $x'=x\oplus b$ and $y'=y\oplus b$. Alice sends $S_1$ and $S_1'$ to Bob.
2. Bob executes a private reveal on $S_1=commit(x')$. Bob executes a private reverse cut on $S_1'$, using $x'$. Let the result be $S_2$. Bob outputs $S_2$. Bob sends back $S_1=commit(x')$ to Alice.
3. Alice executes a private reverse cut on $S_1$ using $b$ and obtains $commit(x)$.

**Theorem 12.**

**Proof.**

**Protocol 13.**

1. Alice executes a private random bisection cut on $S_0=commit(x)$ and $S_0'=commit(y)$ using the same random bit $b$. Let the output be $S_1=commit(x')$ and $S_1'=commit(y')$, respectively. Note that $x'=x\oplus b$ and $y'=y\oplus b$. Alice sends $S_1$ and $S_1'$ to Bob.
2. Bob executes a private random bisection cut on $S_1$ and $S_1'$ using a private bit $b'$. Let the output be $S_2=commit(x'')$ and $S_2'=commit(y'')$, respectively. $x''=x\oplus b\oplus b'$ and $y''=y\oplus b\oplus b'$ hold. Bob publicly opens $S_2$ and obtains $x''$. Alice can see $x''$. Bob publicly sets the following:

   $$S_3=\begin{cases}commit(\overline{y''}) & \text{if } x''=1\\ commit(y'') & \text{if } x''=0\end{cases}$$
3. Alice executes a private reverse cut on $S_1$ using $b$ and obtains $commit(x)$.

**Theorem 13.**

**Proof.**

**Protocol 14.**

1. Alice executes a private random bisection cut on $S_0=commit(x)$ and $S_0'=commit(0)\,||\,commit(y)$ using the same random bit $b$. Two new cards are used to set $commit(0)$. Let the output be $S_1=commit(x')$ and $S_1'$, respectively. Note the following:

   $$S_1'=\begin{cases}commit(y)\,||\,commit(0) & \text{if } b=1\\ commit(0)\,||\,commit(y) & \text{if } b=0\end{cases}$$
2. Bob executes a private reveal on $S_1$. Bob executes a private reverse selection on $S_1'$ using $x'$. Let the selected cards be $S_2$. Bob outputs $S_2$ as the result. Bob sends back $S_1=commit(x')$ to Alice.
3. Alice executes a private reverse cut on $S_1$ using $b$ and obtains $commit(x)$.

**Theorem 14.**

**Proof.**

**Protocol 15.**

1. Alice executes a private random bisection cut on $S_0=commit(x)$. Let the result be $S_1=commit(x')$. Alice sends $S_1$ and $S_0'=commit(y)$ to Bob.
2. Bob executes a private random bisection cut on $S_1$ using a private bit $b'$. Let the result be $S_1'=commit(x'')$. $x''=x\oplus b\oplus b'$ holds. Bob publicly opens $S_1'$ and obtains value $x''$. Alice can see $x''$. Bob publicly sets the following:

   $$S_2=\begin{cases}commit(y)\,||\,commit(0) & \text{if } x''=1\\ commit(0)\,||\,commit(y) & \text{if } x''=0\end{cases}$$
3. Alice executes a private reverse selection on $S_3$ using the bit $b$ generated in the private random bisection cut. Let the result be $S_4$. Alice outputs $S_4$. Alice executes a private reverse cut on $S_1$ using $b$ and obtains $commit(x)$.

**Theorem 15.**

**Proof.**

**Protocol 16.**

1. Alice executes a private random bisection cut on $S_0=commit(x)$. Let the result be $S_1=commit(x')$. Alice sends $S_1$ and $S_0'=commit(y)$ to Bob.
2. Bob executes a private random bisection cut on $S_1$, using a private bit $b'$. Let the result be $S_1'=commit(x'')$. $x''=x\oplus b\oplus b'$ holds. Bob publicly opens $S_1'$ and obtains value $x''$. Alice can see $x''$. Bob publicly sets the following:

   $$S_2=\begin{cases}commit(f(1,y))\,||\,commit(f(0,y)) & \text{if } x''=1\\ commit(f(0,y))\,||\,commit(f(1,y)) & \text{if } x''=0\end{cases}$$
3. Alice executes a private reverse selection on $S_3$ using the bit $b$ generated in the private random bisection cut. Let the result be $S_4$. Alice outputs $S_4$. Let $S_4'$ be the cards that are not selected.
4. Alice and Bob execute the XOR protocol that preserves an input without private reveals (Protocol 12) for $S_4$ and $S_4'$. Let the preserved input, $S_4$, be the result. We obtain $commit(y)$ from the XOR result.

**Theorem 16.**

**Proof.**

**Protocol 17.**

1. Alice executes a private random bisection cut on $commit(x_i)$ $(i=1,2,\dots,n)$. Let the results be $commit(x_i')$ $(i=1,2,\dots,n)$, where $x_i'=x_i\oplus b_i$ $(i=1,2,\dots,n)$. Note that one random bit $b_i$ is selected for each $x_i$ $(i=1,2,\dots,n)$. Alice generates $2^n$ commitments $S_{a_1,a_2,\dots,a_n}$ $(a_i\in\{0,1\},\ i=1,2,\dots,n)$ as $S_{a_1,a_2,\dots,a_n}=commit(f(a_1\oplus b_1,a_2\oplus b_2,\dots,a_n\oplus b_n))$. Alice sends $commit(x_i')$ $(i=1,2,\dots,n)$ and $S_{a_1,a_2,\dots,a_n}$ $(a_i\in\{0,1\},\ i=1,2,\dots,n)$ to Bob.
2. Bob executes a private reveal on $commit(x_i')$ $(i=1,2,\dots,n)$. Bob outputs $S_{x_1',x_2',\dots,x_n'}$. Bob sends back $commit(x_i')$ $(i=1,2,\dots,n)$ to Alice.
3. Alice executes a private reverse cut on $commit(x_i')$ using $b_i$ $(i=1,2,\dots,n)$. Alice obtains $commit(x_i)$ $(i=1,2,\dots,n)$.

**Theorem 17.**

**Proof.**

**Protocol 18.**

1.
2. Bob executes a private random bisection cut on $commit(x_i')$ $(i=1,2,\dots,n)$. Note that one random bit $b_i'$ is selected for each $x_i'$ $(i=1,2,\dots,n)$. Let $commit(x_i'')$ $(i=1,2,\dots,n)$ be the obtained value. $x_i''=x_i\oplus b_i\oplus b_i'$ $(i=1,2,\dots,n)$ is satisfied. Bob privately relocates $S_{a_1,a_2,\dots,a_n}$ $(a_i\in\{0,1\},\ i=1,2,\dots,n)$ so that $S'_{a_1,a_2,\dots,a_n}=S_{a_1\oplus b_1',a_2\oplus b_2',\dots,a_n\oplus b_n'}$ $(a_i\in\{0,1\},\ i=1,2,\dots,n)$. The cards satisfy that $S'_{a_1,a_2,\dots,a_n}=commit(f(a_1\oplus b_1\oplus b_1',a_2\oplus b_2\oplus b_2',\dots,a_n\oplus b_n\oplus b_n'))$. Bob publicly reveals $commit(x_i'')$ and obtains $x_i''$ $(i=1,2,\dots,n)$. Alice can see $x_i''$ $(i=1,2,\dots,n)$. Bob publicly selects $S'_{x_1'',x_2'',\dots,x_n''}$. Bob privately sets $commit(x_i''\oplus b_i')$ $(i=1,2,\dots,n)$. Note that $x_i''\oplus b_i'=x_i\oplus b_i$ $(i=1,2,\dots,n)$. Bob sends these pairs to Alice.
3. Alice privately executes a private reverse cut on $commit(x_i\oplus b_i)$ using $b_i$ for each $i$ $(i=1,2,\dots,n)$. Alice obtains $commit(x_i)$ $(i=1,2,\dots,n)$.

**Theorem 18.**

**Proof.**

## 6. Parallel Computations

## 7. Asymmetric Card Protocols

**Protocol 19.**

1. Alice randomly selects bit $b$. If $b=1$, Alice turns $commit(x)$ and $commit(y)$ upside down, otherwise does nothing. Let the result be $S_1$ and $S_1'$, respectively. Note that $S_1=commit(x')$ and $S_1'=commit(y')$, where $x'=x\oplus b$ and $y'=y\oplus b$. Alice sends $S_1$ and $S_1'$ to Bob.
2. Bob executes a private reveal on $S_1$ and obtains $x'$. If $x'=1$, Bob privately turns $S_1'$ upside down and otherwise does nothing. Let the result be $S_2$. Bob outputs $S_2$.

**Protocol 20.**

1. Alice executes a private random bisection cut on $commit(0)\,||\,commit(y)$ using a random bit $b$. Let the result be $S_1'$. If $b=1$, Alice turns $commit(x)$ upside down, and otherwise does nothing. Let the output be $S_1=commit(x')$. Note that $x'=x\oplus b$. Alice sends $S_1$ and $S_1'$ to Bob.
2. Bob executes a private reveal on $S_1$. Bob executes a private reverse selection on $S_1'$, using $x'$. Let the selected card be $S_2$. Bob outputs $S_2$ as the result.

**Protocol 21.**

1. Alice randomly selects bit $b$. If $b=1$, Alice privately turns $commit(x)$ upside down, otherwise does nothing. Let the result be $S_1=commit(x')$. Note that $x'=x\oplus b$. Alice privately sets $S_1'$ as $m$ copies of $commit(b)$. Alice sends $S_1$ and $S_1'$ to Bob.
2. Bob executes a private reveal on $S_1$ and obtains $x'$. Bob privately turns all cards of $S_1'$ upside down if $x'=1$, otherwise does nothing. Let the results be $S_2$. Bob outputs $S_2$.

**Theorem 19.**

**Proof.**

## 8. Conclusions

## Author Contributions

## Funding

## Institutional Review Board Statement

## Informed Consent Statement

## Data Availability Statement

## Conflicts of Interest

## References

- Mizuki, T.; Shizuya, H. Computational Model of Card-Based Cryptographic Protocols and Its Applications. IEICE Trans. Fundam. Electron. Commun. Comput. Sci.
**2017**, 100, 3–11. [Google Scholar] [CrossRef] - Koch, A. The Landscape of Optimal Card-based Protocols; Report 2018/951; IACR Cryptology ePrint Archive; 2018. [Google Scholar]
- Mizuki, T.; Shizuya, H. A formalization of card-based cryptographic protocols via abstract machine. Int. J. Inf. Secur.
**2014**, 13, 15–23. [Google Scholar] [CrossRef] - Cheung, E.; Hawthorne, C.; Lee, P. CS 758 Project: Secure Computation with Playing Cards. 2013. Available online: http://cdchawthorne.com/writings/secure_playing_cards.pdf (accessed on 1 April 2021).
- Mizuki, T. Applications of Card-Based Cryptography to Education; IEICE Technical Report ISEC2016-53; IEICE: Tokyo, Japan, 2016; pp. 13–17. (In Japanese) [Google Scholar]
- Den Boer, B. More efficient match-making and satisfiability the five card trick. In Proceedings of the EUROCRYPT ’89, LNCS, Houthalen, Belgium, 10–13 April 1989; Volume 434, pp. 208–217. [Google Scholar]
- Mizuki, T.; Sone, H. Six-Card Secure AND and Four-Card Secure XOR. In Proceedings of the 3rd International Workshop on Frontiers in Algorithms (FAW 2009), LNCS, Hefei, China, 20–23 June 2009; Volume 5598, pp. 358–369. [Google Scholar]
- Koch, A.; Walzer, S.; Härtel, K. Card-based cryptographic protocols using a minimal number of cards. In Proceedings of the Asiacrypt 2015, LNCS, Auckland, New Zealand, 29 November–3 December 2015; Volume 9452, pp. 783–807. [Google Scholar]
- Ono, H.; Manabe, Y. Card-Based Cryptographic Logical Computations Using Private Operations. New Gener. Comput.
**2021**, 39, 19–40. [Google Scholar] [CrossRef] - Nakai, T.; Misawa, Y.; Tokushige, Y.; Iwamoto, M.; Ohta, K. How to Solve Millionaires’ Problem with Two Kinds of Cards. New Gener. Comput.
**2021**, 39, 73–96. [Google Scholar] [CrossRef] - Ono, H.; Manabe, Y. Efficient Card-based Cryptographic Protocols for the Millionaires’ Problem Using Private Input Operations. In Proceedings of the 13th Asia Joint Conference on Information Security (AsiaJCIS 2018), Guilin, China, 8–9 August 2018; pp. 23–28. [Google Scholar]
- Miyahara, D.; Hayashi, Y.I.; Mizuki, T.; Sone, H. Practical card-based implementations of Yao’s millionaire protocol. Theor. Comput. Sci.
**2020**, 803, 207–221. [Google Scholar] [CrossRef] - Dvořák, P.; Kouckỳ, M. Barrington Plays Cards: The Complexity of Card-based Protocols. arXiv
**2020**, arXiv:2010.08445. [Google Scholar] - Koch, A.; Walzer, S. Private Function Evaluation with Cards. Cryptology ePrint Archive, Report 2018/1113, 2018. Available online: https://eprint.iacr.org/2018/1113 (accessed on 1 April 2021).
- Mizuki, T.; Asiedu, I.K.; Sone, H. Voting with a logarithmic number of cards. In Proceedings of the 12th International Conference on Unconventional Computing and Natural Computation (UCNC 2013), LNCS, Milan, Italy, 1–5 July 2013; Volume 7956, pp. 162–173. [Google Scholar]
- Nakai, T.; Shirouchi, S.; Iwamoto, M.; Ohta, K. Four Cards Are Sufficient for a Card-Based Three-Input Voting Protocol Utilizing Private sends. In Proceedings of the 10th International Conference on Information Theoretic Security (ICITS 2017), LNCS, Hong Kong, China, 29 November–2 December 2017; Volume 10681, pp. 153–165. [Google Scholar]
- Nishida, T.; Mizuki, T.; Sone, H. Securely computing the three-input majority function with eight cards. In Proceedings of the 2nd International Conference on Theory and Practice of Natural Computing (TPNC 2013), LNCS, Cáceres, Spain, 3–5 December 2013; Volume 8273, pp. 193–204. [Google Scholar]
- Watanabe, Y.; Kuroki, Y.; Suzuki, S.; Koga, Y.; Iwamoto, M.; Ohta, K. Card-based majority voting protocols with three inputs using three cards. In Proceedings of the 2018 International Symposium on Information Theory and Its Applications (ISITA), Singapore, 28–31 October 2018; pp. 218–222. [Google Scholar]
- Ibaraki, T.; Manabe, Y. A More Efficient Card-Based Protocol for Generating a Random Permutation without Fixed Points. In Proceedings of the 3rd International Conference on Mathematics and Computers in Sciences and in Industry (MCSI 2016), Chania, Greece, 27–29 August 2016; pp. 252–257. [Google Scholar]
- Ishikawa, R.; Chida, E.; Mizuki, T. Efficient card-based protocols for generating a hidden random permutation without fixed points. In Proceedings of the 14th International Conference on Unconventional Computation and Natural Computation (UCNC 2015), LNCS, Auckland, New Zealand, 30 August–3 September 2015; Volume 9252, pp. 215–226. [Google Scholar]
- Hashimoto, Y.; Nuida, K.; Shinagawa, K.; Inamura, M.; Hanaoka, G. Toward Finite-Runtime Card-Based Protocol for Generating Hidden Random Permutation without Fixed Points. IEICE Trans. Fundam. Electron. Commun. Comput. Sci.
**2018**, 101-A, 1503–1511. [Google Scholar] [CrossRef] - Murata, S.; Miyahara, D.; Mizuki, T.; Sone, H. Efficient Generation of a Card-Based Uniformly Distributed Random Derangement. In Proceedings of the 15th International Workshop on Algorithms and Computation (WALCOM 2021), LNCS, Yangon, Myanmar, 28 February–2 March 2021; Springer International Publishing: Cham, Switzerland, 2021; Volume 12635, pp. 78–89. [Google Scholar]
- Hashimoto, Y.; Shinagawa, K.; Nuida, K.; Inamura, M.; Hanaoka, G. Secure grouping protocol using a deck of cards. IEICE Trans. Fundam. Electron. Commun. Comput. Sci.
**2018**, 101, 1512–1524. [Google Scholar] [CrossRef][Green Version] - Takashima, K.; Abe, Y.; Sasaki, T.; Miyahara, D.; Shinagawa, K.; Mizuki, T.; Sone, H. Card-based protocols for secure ranking computations. Theor. Comput. Sci.
**2020**, 845, 122–135. [Google Scholar] [CrossRef] - Shinoda, Y.; Miyahara, D.; Shinagawa, K.; Mizuki, T.; Sone, H. Card-Based Covert Lottery. In Proceedings of the 13th International Conference on Information Technology and Communications Security (SecITC 2020), LNCS, Bucharest, Romania, 19–20 November 2020; Springer: Cham, Switzerland, 2020; Volume 12596, pp. 257–270. [Google Scholar]
- Sasaki, T.; Miyahara, D.; Mizuki, T.; Sone, H. Efficient card-based zero-knowledge proof for sudoku. Theor. Comput. Sci.
**2020**, 839, 135–142.
- Bultel, X.; Dreier, J.; Dumas, J.G.; Lafourcade, P.; Miyahara, D.; Mizuki, T.; Nagao, A.; Sasaki, T.; Shinagawa, K.; Sone, H. Physical Zero-Knowledge Proof for Makaro. In Proceedings of the 20th International Symposium on Stabilization, Safety, and Security of Distributed Systems (SSS 2018), LNCS, Tokyo, Japan, 4–7 November 2018; Volume 11201, pp. 111–125.
- Miyahara, D.; Sasaki, T.; Mizuki, T.; Sone, H. Card-Based Physical Zero-Knowledge Proof for Kakuro. IEICE Trans. Fundam. Electron. Commun. Comput. Sci. **2019**, 102, 1072–1078.
- Dumas, J.G.; Lafourcade, P.; Miyahara, D.; Mizuki, T.; Sasaki, T.; Sone, H. Interactive physical zero-knowledge proof for Norinori. In Proceedings of the 25th International Computing and Combinatorics Conference (COCOON 2019), LNCS, Xi’an, China, 29–31 July 2019; Springer: Cham, Switzerland, 2019; Volume 11653, pp. 166–177.
- Lafourcade, P.; Miyahara, D.; Mizuki, T.; Sasaki, T.; Sone, H. A Physical ZKP for Slitherlink: How to Perform Physical Topology-Preserving Computation. In Proceedings of the 15th International Conference on Information Security Practice and Experience (ISPEC 2019), LNCS, Kuala Lumpur, Malaysia, 26–28 November 2019; Springer: Cham, Switzerland, 2019; Volume 11879, pp. 135–151.
- Ruangwises, S.; Itoh, T. Physical Zero-Knowledge Proof for Numberlink Puzzle and k Vertex-Disjoint Paths Problem. New Gener. Comput. **2021**, 39, 3–17.
- Miyahara, D.; Robert, L.; Lafourcade, P.; Takeshige, S.; Mizuki, T.; Shinagawa, K.; Nagao, A.; Sone, H. Card-based ZKP protocols for Takuzu and Juosan. In Proceedings of the 10th International Conference on Fun with Algorithms (FUN 2020); LIPICS Vol. 157; Schloss Dagstuhl-Leibniz-Zentrum für Informatik: Saarbrücken, Germany, 2020.
- Ruangwises, S.; Itoh, T. Physical Zero-Knowledge Proof for Ripple Effect. In Proceedings of the 15th International Workshop on Algorithms and Computation (WALCOM 2021), LNCS, Yangon, Myanmar, 28 February–2 March 2021; Springer International Publishing: Cham, Switzerland, 2021; Volume 12635, pp. 296–307.
- Robert, L.; Miyahara, D.; Lafourcade, P.; Mizuki, T. Interactive Physical ZKP for Connectivity: Applications to Nurikabe and Hitori. In Proceedings of the 17th International Conference on Computability in Europe (CiE 2021), Virtual Event; LNCS; Springer International Publishing: Cham, Switzerland, 2021; Volume 12813, pp. 373–384.
- Kurosawa, K.; Shinozaki, T. Compact Card Protocol. In Proceedings of the 2017 Symposium on Cryptography and Information Security (SCIS 2017), Okinawa, Japan, 24–27 January 2017; IEICE: Tokyo, Japan, 2017. 1A2–6 (In Japanese).
- Shirouchi, S.; Nakai, T.; Iwamoto, M.; Ohta, K. Efficient Card-based Cryptographic Protocols for Logic Gates Utilizing Private Permutations. In Proceedings of the 2017 Symposium on Cryptography and Information Security (SCIS 2017), Okinawa, Japan, 24–27 January 2017; IEICE: Tokyo, Japan, 2017. 1A2–2 (In Japanese).
- Mizuki, T.; Kumamoto, M.; Sone, H. The five-card trick can be done with four cards. In Proceedings of the Asiacrypt 2012, LNCS, Beijing, China, 2–6 December 2012; Volume 7658, pp. 598–606.
- Miyahara, D.; Ueda, I.; Hayashi, Y.i.; Mizuki, T.; Sone, H. Evaluating card-based protocols in terms of execution time. Int. J. Inf. Secur. **2020**, 1–12.
- Nishida, T.; Hayashi, Y.; Mizuki, T.; Sone, H. Card-based protocols for any boolean function. In Proceedings of the 15th International Conference on Theory and Applications of Models of Computation (TAMC 2015), LNCS, Singapore, 18–20 May 2015; Volume 9076, pp. 110–121.
- Crépeau, C.; Kilian, J. Discreet solitary games. In Proceedings of the 13th Crypto, LNCS, Santa Barbara, CA, USA, 22–26 August 1993; Volume 773, pp. 319–330.
- Niemi, V.; Renvall, A. Secure multiparty computations without computers. Theor. Comput. Sci. **1998**, 191, 173–183.
- Stiglic, A. Computations with a deck of cards. Theor. Comput. Sci. **2001**, 259, 671–678.
- Kastner, J.; Koch, A.; Walzer, S.; Miyahara, D.; Hayashi, Y.; Mizuki, T.; Sone, H. The Minimum Number of Cards in Practical Card-Based Protocols. In Proceedings of the Asiacrypt 2017, Part III, LNCS, Hong Kong, China, 3–7 December 2017; Volume 10626, pp. 126–155.
- Ruangwises, S.; Itoh, T. AND Protocols Using Only Uniform Shuffles. In Proceedings of the 14th International Computer Science Symposium in Russia (CSR 2019), LNCS, Novosibirsk, Russia, 1–5 July 2019; Volume 11532, pp. 349–358.
- Nishimura, A.; Nishida, T.; Hayashi, Y.; Mizuki, T.; Sone, H. Card-based protocols using unequal division shuffles. Soft Comput. **2018**, 22, 361–371.
- Abe, Y.; Hayashi, Y.i.; Mizuki, T.; Sone, H. Five-Card AND Computations in Committed Format Using Only Uniform Cyclic Shuffles. New Gener. Comput. **2021**, 39, 97–114.
- Nishimura, A.; Nishida, T.; Hayashi, Y.; Mizuki, T.; Sone, H. Five-card secure computations using unequal division shuffle. In Proceedings of the 4th International Conference on Theory and Practice of Natural Computing (TPNC 2015), LNCS, Mieres, Spain, 15–16 December 2015; Volume 9477, pp. 109–120.
- Toyoda, K.; Miyahara, D.; Mizuki, T.; Sone, H. Six-Card Finite-Runtime XOR Protocol with Only Random Cut. In Proceedings of the 7th ACM Workshop on ASIA Public-Key Cryptography, Taipei, Taiwan, 6 October 2020; pp. 2–8.
- Mizuki, T. Card-based protocols for securely computing the conjunction of multiple variables. Theor. Comput. Sci. **2016**, 622, 34–44.
- Nishida, T.; Hayashi, Y.; Mizuki, T.; Sone, H. Securely computing three-input functions with eight cards. IEICE Trans. Fundam. Electron. Commun. Comput. Sci. **2015**, 98, 1145–1152.
- Shinagawa, K.; Mizuki, T. The Six-Card Trick: Secure Computation of Three-Input Equality. In Proceedings of the 21st International Conference on Information Security and Cryptology (ICISC 2018), LNCS, Seoul, Korea, 28–30 November 2018; Volume 11396, pp. 123–131.
- Yasunaga, K. Practical Card-Based Protocol for Three-Input Majority. IEICE Trans. Fundam. Electron. Commun. Comput. Sci. **2020**, E103.A, 1296–1298.
- Manabe, Y.; Ono, H. Card-based Cryptographic Protocols for Three-input Functions Using Private Operations. In Proceedings of the 32nd International Workshop on Combinatorial Algorithms (IWOCA 2021), LNCS, Ottawa, ON, Canada, 5–7 July 2021; Springer: Cham, Switzerland, 2021; Volume 12757, pp. 469–484.
- Shinagawa, K.; Nuida, K. A single shuffle is enough for secure card-based computation of any Boolean circuit. Discret. Appl. Math. **2021**, 289, 248–261.
- Francis, D.; Aljunid, S.R.; Nishida, T.; Hayashi, Y.; Mizuki, T.; Sone, H. Necessary and Sufficient Numbers of Cards for Securely Computing Two-Bit Output Functions. In Proceedings of the Second International Conference on Cryptology and Malicious Security (Mycrypt 2016), LNCS, Kuala Lumpur, Malaysia, 1–2 December 2016; Volume 10311, pp. 193–211.
- Mizuki, T.; Shizuya, H. Practical card-based cryptography. In Proceedings of the 7th International Conference on Fun with Algorithms (FUN2014), LNCS, Lipari Island, Sicily, Italy, 1–3 July 2014; Volume 8496, pp. 313–324.
- Mizuki, T. Efficient and secure multiparty computations using a standard deck of playing cards. In Proceedings of the 15th International Conference on Cryptology and Network Security (CANS 2016), LNCS, Milan, Italy, 14–16 November 2016; Springer: Cham, Switzerland, 2016; Volume 10052, pp. 484–499.
- Shinagawa, K.; Mizuki, T. Secure computation of any boolean function based on any deck of cards. In Proceedings of the 13th International Workshop on Frontiers in Algorithmics (FAW 2019), LNCS, Sanya, China, 29 April–3 May 2019; Springer: Cham, Switzerland, 2019; Volume 11458, pp. 63–75.
- Niemi, V.; Renvall, A. Solitaire zero-knowledge. Fundam. Informaticae **1999**, 38, 181–188.
- Shinagawa, K.; Nuida, K.; Nishide, T.; Hanaoka, G.; Okamoto, E. Committed AND protocol using three cards with more handy shuffle. In Proceedings of the 2016 International Symposium on Information Theory and Its Applications (ISITA 2016), Monterey, CA, USA, 30 October–2 November 2016; IEICE: Tokyo, Japan, 2016; pp. 700–702.
- Manabe, Y.; Ono, H. Card-based Cryptographic Protocols with a Standard Deck of Cards Using Private Operations. In Proceedings of the 18th International Colloquium on Theoretical Aspects of Computing (ICTAC 2021), LNCS, Nur-Sultan, Kazakhstan, 6–10 September 2021; Springer: Cham, Switzerland, 2021; Volume 12819.
- Koyama, H.; Miyahara, D.; Mizuki, T.; Sone, H. A Secure Three-Input AND Protocol with a Standard Deck of Minimal Cards. In Proceedings of the 16th International Computer Science Symposium in Russia (CSR 2021), LNCS, Sochi, Russia, 28 June–2 July 2021; Springer International Publishing: Cham, Switzerland, 2021; Volume 12730, pp. 242–256.
- Koch, A.; Schrempp, M.; Kirsten, M. Card-based cryptography meets formal verification. New Gener. Comput. **2021**, 39, 115–158.
- Manabe, Y.; Ono, H. Secure Card-Based Cryptographic Protocols Using Private Operations Against Malicious Players. In Proceedings of the 13th International Conference on Information Technology and Communications Security (SecITC 2020), LNCS, Bucharest, Romania, 19–20 November 2020; Springer: Cham, Switzerland, 2020; Volume 12596, pp. 55–70.

Article | # of Rounds | # of Cards | Preserving an Input | Private Reveal |
---|---|---|---|---|
[9] | 3 | 4 | No | Use |
[9] | 3 | 4 | Yes | Use |
[7] | 2 | 4 | No | Does not use |
Protocol 2 | 2 | 4 | No | Use |
Protocol 6 | 2 | 4 | No | Does not use |
Protocol 12 | 3 | 4 | Yes | Use |
Protocol 13 | 3 | 4 | Yes | Does not use |

Publisher’s Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.

© 2021 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).

## Share and Cite

**MDPI and ACS Style**

Ono, H.; Manabe, Y. Minimum Round Card-Based Cryptographic Protocols Using Private Operations. *Cryptography* **2021**, *5*, 17.
https://doi.org/10.3390/cryptography5030017

**AMA Style**

Ono H, Manabe Y. Minimum Round Card-Based Cryptographic Protocols Using Private Operations. *Cryptography*. 2021; 5(3):17.
https://doi.org/10.3390/cryptography5030017

**Chicago/Turabian Style**

Ono, Hibiki, and Yoshifumi Manabe. 2021. "Minimum Round Card-Based Cryptographic Protocols Using Private Operations" *Cryptography* 5, no. 3: 17.
https://doi.org/10.3390/cryptography5030017