Private Function Evaluation with Cards

Abstract

AbstractCard-based protocols allow to evaluate an arbitrary fixed Boolean function $$f$$ f on a hidden input to obtain a hidden output, without the executer learning anything about either of the two (e.g., [12]). We explore the case where $$f$$ f implements a universal function, i.e., $$f$$ f is given the encoding $$\langle P \rangle$$ ⟨ P ⟩ of a program $$P$$ P and an input $$x$$ x and computes $$f(\langle P \rangle , x) = P(x)$$ f ( ⟨ P ⟩ , x ) = P ( x ) . More concretely, we consider universal circuits, Turing machines, RAM machines, and branching programs, giving secure and conceptually simple card-based protocols in each case. We argue that card-based cryptography can be performed in a setting that is only very weakly interactive, which we call the “surveillance” model. Here, when Alice executes a protocol on the cards, the only task of Bob is to watch that Alice does not illegitimately turn over cards and that she shuffles in a way that nobody knows anything about the total permutation applied to the cards. We believe that because of this very limited interaction, our results can be called program obfuscation. As a tool, we develop a useful sub-protocol $${{\mathrm{\mathsf {sort}}}}_{\varPi }{X} {\uparrow } Y$$ sort Π X ↑ Y that couples the two equal-length sequences $$X, Y$$ X , Y and jointly and obliviously permutes them with the permutation $$\pi \in \varPi$$ π ∈ Π that lexicographically minimizes $${\pi }(X)$$ π ( X ) . We argue that this generalizes ideas present in many existing card-based protocols. In fact, AND, XOR, bit copy [37], coupled rotation shuffles [30] and the “permutation division” protocol of [22] can all be expressed as “coupled sort protocols”.