UCNC 2013 (Jul. 4, 2013, Milano)
Voting with a Logarithmic Number of Cards
Takaaki Mizuki, Isaac Kobina Asiedu, Hideaki Sone
Tohoku University
Abstract
There are 2 candidates and n voters. Usually, n ballot papers are required. We show that O(log n) cards suffice to conduct an election.
Contents
1. Introduction
2. Known Protocols
3. Voting with a Logarithmic Number of Cards
4. New Adder Protocols
5. Conclusion

1. Introduction
1.1 Computation Using a Deck of Cards
1.2 History of Card-Based Protocols
1.3 Our Results
In this paper, we use a deck of cards.
[Figure: face-up cards are turned over to become face-down cards, drawn as "?".]
How to implement voting? The simplest way is as follows.
1. Distribute two cards of different suits to each voter.
2. Each voter privately commits his/her ballot according to the encoding.
3. Shuffle all left cards and reveal them.
[Figure: the left cards of five voters are collected, shuffled and revealed, showing 3 votes for one candidate and 2 votes for the other.]
Voting can be naively done using 2n cards.
This paper shows that, by applying card-based cryptographic protocols, voting can also be conducted with O(log n) cards.
Notations and the history
Card-based protocols provide secure computation.
To deal with Boolean values, this encoding is used: two cards in one order = 0, the same two cards in the reverse order = 1.
A commitment to a bit x ∈ {0,1} is a pair ? ? of two face-down cards holding the value of x.
Example of secure computation
Given a commitment ? ? to x, reverse the order of the two cards.
While keeping the value of x secret, we can get a commitment to the negation x̄ of x. Secure NOT operation is trivial.
How about secure AND operation?
Given commitments to a and b, and keeping the values of a and b secret, we want to get a commitment to a∧b.
There have been four such protocols in the literature.
History of Secure AND protocols
Input: commitments to a and b. Output: a commitment to a∧b.

Protocol                        # of required cards   avg. # of trials
Crepeau-Kilian [CRYPTO ’93]     10                    6
Niemi-Renvall [TCS, 1998]       12                    2.5
Stiglic [TCS, 2001]             8                     2
Mizuki-Sone [FAW 2009]          6                     1

The Mizuki-Sone protocol will be introduced in Section 2.2.
History of Secure XOR protocols
Input: commitments to a and b. Output: a commitment to a ⊕ b.

Protocol                        # of required cards   # of types   avg. # of trials
Crepeau-Kilian [CRYPTO ’93]     14                    4            6
Mizuki et al. [AJoC, 2006]      10                    2            2
Mizuki-Sone [FAW 2009]          4                     2            1

The Mizuki-Sone protocol will be introduced in Section 2.3.
Existing COPY protocols
Make identical copies of a commitment: from a commitment to a, obtain two commitments to a.
I’ll introduce the best existing COPY protocol in Section 2.4.
Outline of our results
Half adder: inputs a and b; outputs s = a ⊕ b and c = a ∧ b. Applying a half adder gives voting.

                                          Half adder   Voting
Using existing AND/XOR/COPY protocols     10           2 log n + 8
Devising a tailor-made half adder         8            2 log n + 6
[# of cards]
2. Known Protocols
2.1 Random Bisection Cuts
2.2 Six-Card AND Protocol
2.3 Four-Card XOR Protocol
2.4 Copy Protocol with a Random Bisection Cut
2.1 Random Bisection Cuts
A random bisection cut: bisect a given deck of cards, and then randomly switch the resulting two portions.
[ ? ? ? | ? ? ? ] → with prob. 1/2 the two portions are not switched; with prob. 1/2 they are switched.
It is an easy-to-implement card shuffling operation.
2.2 Six-Card AND Protocol
Secure AND can be done with 6 cards [6]: from commitments to a and b, we get a commitment to a∧b.
[6] T. Mizuki and H. Sone, Six-Card Secure AND and Four-Card Secure XOR, FAW 2009, LNCS 5598, pp. 358–369, 2009.
1. Arrange 2 commitments and 2 additional cards.
2. Turn over the rightmost two cards: they become a commitment to 0.
3. Rearrange the positions.
4. Apply a random bisection cut.
5. Rearrange the positions. With prob. 1/2 the result is (a) commitments to a, b, 0; with prob. 1/2 it is (b) commitments to ā, 0, b. In both cases these are commitments to a ⊕ r, r̄ ∧ b and r ∧ b, where r ∈ {0,1} is a random bit: (a) is r = 0 and (b) is r = 1.
6. Reveal the commitment to a ⊕ r.
   If a ⊕ r = 0, i.e., a = r, then r ∧ b = a ∧ b.
   If a ⊕ r = 1, i.e., a = r̄, then r̄ ∧ b = a ∧ b.
No information about a leaks because r is random.
Works!
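The six steps above, simulated card by card, as an added example that is not code from the talk or from [6]. The suits, the 0/1 encoding and the exact rearrangement are assumptions, because the card figures did not survive on this page; the rearrangement is chosen so that the cut yields a, b, 0 or ā, 0, b as stated in step 5.

```python
import secrets
from itertools import product

CLUB, HEART = "♣", "♥"                          # assumed suits (lost from the slides)
ENCODE = {0: [CLUB, HEART], 1: [HEART, CLUB]}   # assumed encoding of a bit
DECODE = {(CLUB, HEART): 0, (HEART, CLUB): 1}

def random_bisection_cut(deck, switch=None):
    """Bisect the deck and switch the two halves with probability 1/2."""
    if switch is None:
        switch = secrets.randbits(1)            # the random bit r
    half = len(deck) // 2
    return deck[half:] + deck[:half] if switch else list(deck)

def six_card_and(a, b, switch=None):
    """Return (publicly revealed bit, value held by the output commitment)."""
    deck = ENCODE[a] + ENCODE[b] + ENCODE[0]        # commitments a, b, 0
    deck = [deck[i] for i in (0, 2, 3, 1, 4, 5)]    # assumed rearrangement
    deck = random_bisection_cut(deck, switch)
    deck = [deck[i] for i in (0, 3, 1, 2, 4, 5)]    # undo the rearrangement
    revealed = DECODE[tuple(deck[0:2])]             # the opened pair: a XOR r
    # Revealed 0 means a = r, so r AND b (right pair) equals a AND b;
    # revealed 1 means a = NOT r, so (NOT r) AND b (middle pair) does.
    chosen = deck[4:6] if revealed == 0 else deck[2:4]
    # In the real protocol the chosen pair stays face-down; it is decoded
    # here only so that the simulation can be checked.
    return revealed, DECODE[tuple(chosen)]

def check_all():
    """Check every (a, b, r); return the revealed bits seen per input."""
    views = {}
    for a, b, r in product((0, 1), repeat=3):
        revealed, out = six_card_and(a, b, switch=r)
        if out != (a & b) or revealed != (a ^ r):
            return None
        views.setdefault((a, b), []).append(revealed)
    return views

if __name__ == "__main__":
    for (a, b), seen in check_all().items():
        print(f"a={a} b={b}: revealed over r=0,1 -> {sorted(seen)}")
```

For every input the opened pair shows 0 for one value of r and 1 for the other, which is the "no information about a leaks" claim in concrete form.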
2.3 Four-Card XOR Protocol
Secure XOR can be done with 4 cards [6]: from commitments to a and b, we get a commitment to a ⊕ b.
2.4 Copy Protocol with a Random Bisection Cut
Making a copy can be done with 4 additional cards [6].
[Figure: a commitment to a and two commitments to 0 are turned into two commitments to a.]
3. Voting with a Logarithmic Number of Cards
Half adder
Inputs a and b; outputs s = a ⊕ b and c = a ∧ b. From commitments to a and b, we want commitments to a∧b and a ⊕ b.
Remember that AND can be done with 6 cards; XOR can be done with 4 cards; COPY can be done with 4 additional cards.
[Figure sequence, 10 cards: the commitments on the table go from a, b to a, b, a, then to a, b, a, b, then to a, b, a∧b, and finally to a ⊕ b, a∧b.]
n voters hold ballots x1, x2, x3, x4, …, xn ∈ {0,1} (the encoding for candidates: one candidate = 0, the other = 1), and 2 log n + 8 cards are used.
1. Voter 1 commits x1 ∈ {0,1}.
2. Voter 2 commits x2 ∈ {0,1}. Apply a half adder: two commitments ? ? ? ? hold the binary representation of x1 + x2.
3. Voter 3 commits x3. Apply a half adder (and XOR): two commitments ? ? ? ? hold the binary representation of x1 + x2 + x3. For example, if x1 = x2 = x3 = 1, then the MSB is 1 and the LSB is 1. If x1 = 1 and x2 = x3 = 0, then the commitments hold 1 and 0.
4. The same is repeated for x4, …: 2 log n cards hold the binary representation of x1 + … + xn-1, and voter n commits xn.
5. Finally, 2 log n + 2 (or 2 log n) cards hold the binary representation of x1 + … + xn.
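The tallying procedure above as a running binary counter, in an added example that is not code from the talk. It works on plain bits (the card-level half adder is replaced by a stand-in function) and counts cards under two assumptions: the 8-card half adder is read as 4 input cards plus 4 working cards, and log n is read as ⌈log2 n⌉.

```python
def half_adder(a, b):
    """Stand-in for the card-based half adder: s = a XOR b, c = a AND b."""
    return a ^ b, a & b

def add_vote(counter, x, voter_index):
    """Add vote x of voter number voter_index to the counter (LSB first).

    Returns how many commitments lie on the table while the vote is added.
    """
    on_table = len(counter) + 1               # counter bits plus the new vote
    grows = voter_index.bit_length() > len(counter)
    carry = x
    for i in range(len(counter)):
        if i == len(counter) - 1 and not grows:
            counter[i] ^= carry               # top bit: XOR only, no carry out
            carry = 0
        else:
            counter[i], carry = half_adder(counter[i], carry)
    if grows:
        counter.append(carry)                 # the carry becomes the new MSB
    return on_table

def tally(votes, helper_cards=4):
    """Return (sum read from the counter, peak number of cards in use)."""
    counter, peak = [], 0
    for k, x in enumerate(votes, start=1):
        commitments = add_vote(counter, x, k)
        # Voter 1 only places a commitment; later voters need working cards.
        cards = 2 * commitments + (helper_cards if k > 1 else 0)
        peak = max(peak, cards)
    total = sum(bit << i for i, bit in enumerate(counter))
    return total, peak

def claimed_cards(n):
    """2*ceil(log2 n) + 6, the card count stated on the slides (n >= 2)."""
    return 2 * (n - 1).bit_length() + 6

if __name__ == "__main__":
    for votes in ([1, 1, 1], [1, 0, 0], [1, 0, 1, 1, 0, 1, 1]):
        total, peak = tally(votes)
        print(votes, "->", total, "votes,", peak, "cards at most")
```

With `helper_cards=6` the same accounting gives 2 log n + 8, the figure for the half adder built from the existing AND/XOR/COPY protocols.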
4. New Adder Protocols
[Figure: the tailor-made half adder. From commitments to a and b, with COPY applied to b, it produces commitments to a ⊕ b and a ∧ b; the intermediate labels on the slide include r, r ∧ b, r̄ ∧ b and a ⊕ r.]
5. Conclusion
We gave an 8-card secure half adder protocol: from commitments to a and b, it outputs commitments to a ⊕ b and a ∧ b.
It enables us to conduct voting with 2 log n + 6 cards.
I hope card-based protocols would help you with
• intuitive explanation of crypto. to non-specialists
• education in classroom.
That’s all. Thank you for your attention.
A (real) deck of cards available to the first several people; please contact the speaker.