Abstract
Card-based cryptography realizes cryptographic tasks, such as secure computation, with a deck of physical cards. The primary research subjects for card-based cryptography are theoretical studies that, for example, propose efficient protocols regarding the number of required cards and procedures. However, almost all prior studies are based on the ideal physical assumption that the backs of all cards are indistinguishable without verification. This study addresses this assumption from a physical perspective to improve the security of card-based cryptography. In the first attempt, we assume a strong attacker who uses ink and a high-performance camera to distinguish the backs of the cards. We experimented with them and confirmed that such an attacker could identify the inked area of the back by analyzing an image captured by the camera. Based on our study, one can address another approach, such as using invisible oil and smartphone cameras to verify the physical assumption. This study is a seminal work that addresses this physical assumption. In addition to the verification, we study secret information that such a strong attacker can obtain during the execution of card-based protocols.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
Notes
- 1.
This resolution is significantly lower than the latest smartphone cameras (about 10 megapixels).
- 2.
As seen from Fig. 4, one could notice the color difference if one carefully observes the backs. This is because the blue reflection area is the one the human eye can detect. In this study, however, we focus on using a high-performance camera to identify the inked backs. This study does not discuss the card’s wear, material, and texture.
- 3.
The SAM initially calculates the angle (in the radian), but this analysis software calculates the cosine of the angle.
- 4.
Refer to the following URL for ink details. https://www.mpuni.co.jp/en/company/rd/index.html.
- 5.
The negation of a commitment can be obtained simply by swapping the two cards comprising the commitment.
References
Abe, Y., Hayashi, Y., Mizuki, T., Sone, H.: Five-card AND computations in committed format using only uniform cyclic shuffles. New Gener. Comput. 39(1), 97–114 (2021). https://doi.org/10.1007/s00354-020-00110-2
Costiuc, M., Maimuţ, D., Teşeleanu, G.: Physical cryptography. In: Simion, E., Géraud-Stewart, R. (eds.) SecITC 2019. LNCS, vol. 12001, pp. 156–171. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-41025-4_11
Boer, B.: More efficient match-making and satisfiability the five card trick. In: Quisquater, J.-J., Vandewalle, J. (eds.) EUROCRYPT 1989. LNCS, vol. 434, pp. 208–217. Springer, Heidelberg (1990). https://doi.org/10.1007/3-540-46885-4_23
Kastner, J., et al.: The minimum number of cards in practical card-based protocols. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10626, pp. 126–155. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70700-6_5
Khan, Z., Shafait, F., Mian, A.: Automatic ink mismatch detection for forensic document analysis. Pattern Recogn. 48(11), 3615–3626 (2015). https://doi.org/10.1016/j.patcog.2015.04.008
Kneitel, A.: Casino countermeasures: are casinos cheating. Harv. J. Sports Ent. L. 10, 55 (2019)
Koch, A.: The landscape of security from physical assumptions. In: 2021 IEEE Information Theory Workshop (ITW), Los Alamitos, CA, USA, pp. 1–6. IEEE (2021). https://doi.org/10.1109/ITW48936.2021.9611501
Koch, A., Schrempp, M., Kirsten, M.: Card-based cryptography meets formal verification. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019. LNCS, vol. 11921, pp. 488–517. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34578-5_18
Koch, A., Walzer, S., Härtel, K.: Card-based cryptographic protocols using a minimal number of cards. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9452, pp. 783–807. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48797-6_32
Kruse, F., et al.: The spectral image processing system (SIPS)–interactive visualization and analysis of imaging spectrometer data. Remote Sens. Environ. 44(2), 145–163 (1993). https://doi.org/10.1016/0034-4257(93)90013-N
Manabe, Y., Ono, H.: Secure card-based cryptographic protocols using private operations against malicious players. In: Maimut, D., Oprina, A.-G., Sauveron, D. (eds.) SecITC 2020. LNCS, vol. 12596, pp. 55–70. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-69255-1_5
Marcedone, A., Wen, Z., Shi, E.: Secure dating with four or fewer cards. Cryptology ePrint Archive, Report 2015/1031 (2015). https://eprint.iacr.org/2015/1031
Mizuki, T., Kumamoto, M., Sone, H.: The five-card trick can be done with four cards. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 598–606. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34961-4_36
Mizuki, T., Shizuya, H.: Practical card-based cryptography. In: Ferro, A., Luccio, F., Widmayer, P. (eds.) FUN 2014. LNCS, vol. 8496, pp. 313–324. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-07890-8_27
Mizuki, T., Sone, H.: Six-card secure AND and four-card secure XOR. In: Deng, X., Hopcroft, J.E., Xue, J. (eds.) FAW 2009. LNCS, vol. 5598, pp. 358–369. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-02270-8_36
Nakai, T., Misawa, Y., Tokushige, Y., Iwamoto, M., Ohta, K.: How to solve millionaires’ problem with two kinds of cards. New Gener. Comput. 39(1), 73–96 (2021). https://doi.org/10.1007/s00354-020-00118-8
Niemi, V., Renvall, A.: Solitaire zero-knowledge. Fundam. Inf. 38(1,2), 181–188 (1999). https://doi.org/10.3233/FI-1999-381214
Ono, H., Manabe, Y.: Card-based cryptographic logical computations using private operations. New Gener. Comput. 39(1), 19–40 (2021). https://doi.org/10.1007/s00354-020-00113-z
Pass, R., Shelat, A.: A course in cryptography (2010). https://www.cs.cornell.edu/ rafael/
Ruangwises, S., Itoh, T.: Securely computing the n-variable equality function with 2n cards. Theor. Comput. Sci. 887, 99–110 (2021). https://doi.org/10.1016/j.tcs.2021.07.007
Shinagawa, K.: Card-based cryptography with dihedral symmetry. New Gener. Comput. 39(1), 41–71 (2021). https://doi.org/10.1007/s00354-020-00117-9
Shinagawa, K., Mizuki, T.: The six-card trick: secure computation of three-input equality. In: Lee, K. (ed.) ICISC 2018. LNCS, vol. 11396, pp. 123–131. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-12146-4_8
Shinagawa, K., Nuida, K.: A single shuffle is enough for secure card-based computation of any Boolean circuit. Discret. Appl. Math. 289, 248–261 (2021). https://doi.org/10.1016/j.dam.2020.10.013
Shinoda, Y., Miyahara, D., Shinagawa, K., Mizuki, T., Sone, H.: Card-based covert lottery. In: Maimut, D., Oprina, A.-G., Sauveron, D. (eds.) SecITC 2020. LNCS, vol. 12596, pp. 257–270. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-69255-1_17
Specim: Specim IQ user manual. https://www.specim.fi/downloads/iq/manual/software/iq/topics/illumination.html. Accessed 1 July 2022
USA Today: Poker cheat who wore infrared contact lenses gets jail (2013). https://www.usatoday.com/story/news/world/2013/09/26/france-card-sharp-infrared-contact-lenses-jailed/2878239/. Accessed 1 July 2022
Acknowledgements
We thank the anonymous referees, whose comments have helped us improve the presentation of the paper. This work was supported in part by JSPS KAKENHI Grant Number JP18H05289.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
A Theoretical Considerations for Attacks
A Theoretical Considerations for Attacks
In Sect. 4, we confirmed that attacks using ink and the hyperspectral camera are possible. This appendix selects the five-card trick [3] and MS-AND [15] as examples and clarifies that such an attack leaks information about input values.
1.1 A.1 How to Execute the Protocol
The basic setup is described in Sect. 1. We use two colored cards:
and
. A player uses these two cards to encode Boolean values as follows:
When two face-down cards represent a bit \(x\in \{0,1\}\) based on this encoding, we call these cards a commitment to x and denote it as follows:
In the five-card trick and MS-AND, Alice and Bob place commitments to \(a,b\in \{0,1\}\) on the table, respectively, and use additional cards to obtain only the value of \(a\wedge b\).
The five-card trick uses an additional card
. First, the commitment to \(\overline{a}\) and b are lined upFootnote 5. The additional face-down card is then placed between the two commitments. Note that the three consecutive cards in the middle are reds if and only if \(a=b=1\). Subsequently, a cyclic shuffling operation called random cut is performed to randomize the order, and all five cards are finally turned over. Here, we have \(a\wedge b=1\) if the three reds are consecutive apart from the cyclic shift; otherwise, \(a\wedge b=0\) as follows:
In the MS-AND, we place an additional commitment to 0 between the two commitments as follows:
First, the second card from the left and the two cards in the middle are swapped. Second, a shuffling operation called a random bisection cut is applied to the sequence; that is, the left and right halves are swapped randomly. The second and third cards are then replaced with the fourth card. Finally, the first two cards are revealed, and a commitment to \(a\wedge b\) can be obtained as follows:
1.2 A.2 Information Obtained from This Attack
Recall that the assumed attacker can identify the inked card. Because every player privately manipulates its commitment before starting a protocol, we consider an attacker who secretly inks their own commitment. Let us consider information that the attacker can gain in the two protocols presented previously.
In the five-card trick [3], if both players input commitments to 1, they can quickly determine that the other’s input is 1 from the output value. Consider whether information about the other’s input can be obtained if the attacker inputs a commitment to 0. We focus on the sequence of cards after shuffling, namely, the following five sequences:
If one knows the position of one’s commitment, the value of the other’s commitment can be derived because all the cards are revealed. In summary, if we know which card we have placed, we can always obtain the value of the other’s input in the five-card trick.
In the MS-AND [15], however, we found that information gained by an attacker depends on their position. First, we consider the case where Alice is an attacker. Assume that Alice inputs a commitment to 0 and always knows the location of her
. Here, if we denote by
all the cards other than her
when obtaining the output commitment, the sequence is as follows:
However, to obtain the output commitment, we reveal the two cards on the left. Thus, even if Alice knows the location of her commitment, she obtains no information about Bob’s input.
However, Bob can obtain Alice’s input value under the same conditions because the sequence when obtaining the output commitment is as follows:
To obtain the output commitment, the two cards on the left are revealed, which represent a or \(\overline{a}\). Knowing the position of Bob’s
, he can determine whether the two cards represent a or \(\overline{a}\). If his
is in the fourth and the first two revealed cards are
, the two cards represent \(\overline{a}\) and Bob has \(a=1\). Thus, Bob can obtain Alice’s input, which holds even if the card to be marked is
.
It is interesting to discuss why such asymmetry arises, that is, the attack effectiveness changes depending on the protocols, and to elucidate the condition for such asymmetry. In the case of the MS-AND [15], the reason is clear because the two revealed cards before obtaining the output commitment is either a commitment to a or \(\overline{a}\) because of the shuffle applied previously. Thus, Alice gains no information even if her commitment is marked by her. However, this property is specific to the MS-AND, and a card-based protocol often reveals one of the attacker’s commitment, the other’s commitment, and additional cards (e.g., [1, 17]); hence, the condition for such asymmetry is not trivial. To discover this, we need to study many card-based protocols, classifying cards possibly revealed in a protocol and clarifying whether an attacker can gain information about the other’s input value; we will leave this in our future work.
1.3 A.3 Discussion
We discuss whether this attack is realistic. Although our study revealed that the inked areas could be identified as indicated in Sect. 3, this attack is limited because it uses a high-cost camera of over $10,000. We plan to investigate the use of cameras in smartphones because they are widely available. In addition, conducting this attack during the execution of protocols is impossible without another player noticing because a halogen lamp must be prepared in this attack. This attack will be feasible at the end of the protocol. That is, an attacker remembers the order of the sequence of cards at the end and then conducts this attack without the other players watching it. One might think that this attack is infeasible because all cards are completely shuffled at the end of any card-based protocol to prevent leakage of information. However, no card-based protocol shuffles face-up cards at the end because they simply indicate either the output value, such as the five-card trick [3] or the following action, such as the MS-AND [15] (cf, [22]). Thus, this attack implies a new insight that all cards, including face-up cards, should be shuffled after the end of any card-based protocol.
Based on the experimental results, countermeasures against this attack include making the backs black and white, which have a unique reflection ratio and making the mesh of the backs finer. To physically prevent ink from adhering to the cards, the cards can be covered with sleeves.
Rights and permissions
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Shimano, M., Sakiyama, K., Miyahara, D. (2023). Towards Verifying Physical Assumption in Card-Based Cryptography. In: Bella, G., Doinea, M., Janicke, H. (eds) Innovative Security Solutions for Information Technology and Communications. SecITC 2022. Lecture Notes in Computer Science, vol 13809. Springer, Cham. https://doi.org/10.1007/978-3-031-32636-3_17
Download citation
DOI: https://doi.org/10.1007/978-3-031-32636-3_17
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-32635-6
Online ISBN: 978-3-031-32636-3
eBook Packages: Computer ScienceComputer Science (R0)