
Single-Shuffle Full-Open Protocol

Updated 27 October 2025
  • Single-Shuffle Full-Open Protocol is a card-based secure computation method that encodes inputs as face-down cards and uses one shuffle to randomize the order before full revelation.
  • The protocol transforms Private Simultaneous Messages techniques into a physical card setting, ensuring that only the function output is revealed while private inputs remain confidential.
  • It establishes a trade-off between card usage and shuffle complexity, employing carefully designed pile-shifting operations to guarantee both correctness and anonymity.

A Single-Shuffle Full-Open Protocol is a minimalistic model of card-based secure computation in which, after all parties encode their private inputs as face-down cards, a single shuffle operation is performed and subsequently all cards are opened. The critical feature is that this protocol achieves security purely through the randomness of a single (carefully designed) shuffle, and the “full-open” requirement ensures that no cards remain hidden at the conclusion—so the output is derived solely from public information, yet privacy for the inputs is maintained as long as the protocol is correctly instantiated.

1. Cryptographic Context and Model

Single-Shuffle Full-Open Protocols originate within card-based cryptography, an area addressing secure multi-party computation (MPC) with physical playing cards (Eriguchi et al., 20 Oct 2025). The principal security requirement is that, after revealing all cards post-shuffle, the only information leaked is the function value $f(x_1,\ldots,x_n)$; all other correlations to the parties’ individual bits (or higher-arity inputs) are statistically eliminated.

Formally, let $n$ parties possess private inputs $(x_1,\ldots,x_n)$. Each party prepares an encoding (using, e.g., suited cards or card sequences) corresponding to their input. The protocol consists of:

  • Placement: Parties place their encoded cards face down, possibly interleaved or arranged according to protocol-specific rules.
  • Single Shuffle: Exactly one shuffle (possibly a uniform permutation, a random cut, or a pile-shifting permutation) is applied. The choice of shuffle is dictated by the protocol design and the specific security reductions involved.
  • Full Open: After the shuffle, every card is turned face up.
  • Decoding: The sequence of revealed cards is interpreted, according to a prescribed decoding map, to yield $f(x_1,\ldots,x_n)$.

This model sharply contrasts with protocols employing multiple shuffles or “partial-open” designs (in which some cards remain face down), as well as those using more elaborate cleanup steps.
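
The four steps above, run end to end on the classic five-card AND layout with a random cut as the single shuffle. This is an added example, not code from the cited papers; the card convention (1 as ♥♣, 0 as ♣♥) and all function names are assumptions of the example. It enumerates every cut exactly and checks that the opened sequence decodes to the AND and that its distribution depends only on the output.

```python
from collections import Counter
from fractions import Fraction
from itertools import product

H, C = "♥", "♣"

def commit(bit):
    # Two-card encoding assumed for this example: 1 -> ♥♣, 0 -> ♣♥.
    return [H, C] if bit else [C, H]

def place(a, b):
    # Placement: NOT a (Alice's pair swapped), one public ♥, then b.
    return commit(1 - a) + [H] + commit(b)

def opened_view_distribution(a, b):
    # Single shuffle = uniform random cut (cyclic rotation), then full open.
    # All rotations are enumerated exactly instead of being sampled.
    deck = place(a, b)
    n = len(deck)
    views = Counter("".join(deck[k:] + deck[:k]) for k in range(n))
    return {v: Fraction(c, n) for v, c in views.items()}

def decode(view):
    # Output 1 iff the three ♥ are cyclically consecutive.
    return int(H * 3 in view + view)

def check_protocol():
    by_output = {}
    for a, b in product((0, 1), repeat=2):
        dist = opened_view_distribution(a, b)
        # Correctness: every possible opened sequence decodes to a AND b.
        if any(decode(v) != (a & b) for v in dist):
            return False
        by_output.setdefault(a & b, []).append(dist)
    # Privacy: inputs with the same output give the identical distribution.
    return all(d == ds[0] for ds in by_output.values() for d in ds)

if __name__ == "__main__":
    print("view depends only on f:", check_protocol())
```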

2. Structural Characterization and Main Results

The principal advance of (Eriguchi et al., 20 Oct 2025) is a general theorem: for every function $f:\{0,1\}^n\to\{0,1\}$, there exists a single-shuffle full-open protocol that computes $f$ securely. Previous work had only demonstrated such protocols for a narrow class of low-arity functions (e.g., two-input AND, three-input XOR), often relying on specific shuffling forms like the random cut (Shinagawa et al., 4 Jul 2025).

The construction in (Eriguchi et al., 20 Oct 2025) proceeds by “lifting” a Private Simultaneous Messages (PSM) protocol for $f$ to a card-based context:

  • PSM Origin: Given a PSM protocol where $n$ parties, using shared randomness $s\in S$, each compute a message $M_i(x_i,s)$; the messages are then decoded by a (possibly public) function $D(M_1,\ldots,M_n,s)$.
  • Encoding: Each message bit is mapped to a pre-defined card sequence (e.g., diamonds/clubs for 0/1).
  • Shuffle Design: Parties collectively prepare “piles” representing all possible shares of $s$ and their associated message sequences. A pile-shifting (i.e., selecting one pile at random by a uniform permutation of piles) or a complete shuffle of all cards ensures the final opened sequence reveals only $f(x_1,\ldots,x_n)$.
  • Decoding: The open card sequence corresponds to the PSM protocol’s output.

Two concrete protocol variants are given:

  • General Construction: For a PSM protocol with $r$-bit randomness and total communication $c$, the resulting protocol uses $c \cdot 2^{r+1}$ cards and a composite of pile-shifting and complete shuffles.
  • Additive PSM Construction: When $f$ admits an “additive” PSM structure, card usage can be reduced to $O(n^2)$ (for AND) and $O(n^2 2^n)$ for arbitrary functions, with increased shuffle complexity.

Thus, the framework establishes a feasibility result: any Boolean function ($f$) admits a card-based protocol with the single-shuffle full-open property, achieving perfect privacy of the non-output portions of parties’ inputs.

3. Relation to Card-Based and Shuffle Protocols

Single-shuffle full-open protocols generalize the “single-cut full-open” (SCFO) protocols (Shinagawa et al., 4 Jul 2025), in which the shuffle is restricted to cyclic random cuts. The SCFO approach is well-suited for three- or four-variable functions, with the resulting cyclic order of revealed cards mapping to function values. However, the full generality provided by (Eriguchi et al., 20 Oct 2025) requires more versatile shuffling (for instance, pile-shifting across piles indexed by possible internal random values used in PSMs).

The “shuffle” as a privacy amplifier is conceptually paralleled in the shuffle model of differential privacy (Balle et al., 2019, Damie et al., 2 Jul 2025, Beimel et al., 2020), where a single round of shuffling disconnects messages from their origin, similarly yielding privacy amplification. In card-based settings, the randomness in card positions, after shuffling, obfuscates the mapping from input encodings to output, while the decoding step ensures function correctness.

4. Cryptographic Building Blocks: Connection to PSM Protocols

Private Simultaneous Messages (PSM) protocols are a class of non-interactive MPC protocols in which all parties share randomness and send messages simultaneously to a referee, who outputs $f(x_1,\ldots,x_n)$. The transformation in (Eriguchi et al., 20 Oct 2025) simulates any such PSM protocol with cards:

  • Encoding: Each PSM message is encoded in cards by a standard map (e.g., for bit $b$, mapping to a unique sequence of suits).
  • Piling: For $r$ possible values of shared randomness $s$, $2^r$ “piles” are created, each encoding the appropriate set of messages.
  • Selection via Shuffle: A pile-shifting shuffle ensures the pile corresponding to the actual randomness is positioned for decoding, while residual shuffles erase information on unused piles.
  • Algebraic Structure for Additive PSM: In the case of additive PSMs, message encodings are performed using modular arithmetic and global random multipliers, which can be directly mapped into card rearrangements and pile operations.

Thus, the inherent communication and randomness complexity of a PSM protocol directly influences the card count and shuffle complexity in the resulting physical protocol.
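
A toy instance of the piling and pile-shift steps above, added here as an illustration and not taken from the cited paper: a two-party XOR PSM with one shared random bit, laid out as one pile per value of $s$. The PSM, the ♦♣/♣♦ convention and the function names are assumptions of the example; it follows the construction only in outline, and for this particular PSM a pile shift alone already makes the opened view depend only on the output.

```python
from collections import Counter
from fractions import Fraction
from itertools import product

R_BITS = 1   # r: bits of shared randomness s (toy PSM, assumed here)
N = 2        # parties; each sends a one-bit message, so c = N bits

def psm_message(x_i, s):
    # Toy PSM for XOR: every party masks its bit with the shared bit s.
    return x_i ^ s

def psm_decode(messages):
    # Referee XORs the message bits; s cancels because N is even.
    return sum(messages) % 2

def enc(bit):
    # Constructed card convention: 0 -> ♦♣, 1 -> ♣♦ (two cards per bit).
    return "♣♦" if bit else "♦♣"

def build_piles(xs):
    # Pile s holds the encoded messages the parties would send under s.
    return ["".join(enc(psm_message(x, s)) for x in xs)
            for s in range(2 ** R_BITS)]

def opened_view_distribution(xs):
    # Single shuffle = pile shift (uniform cyclic rotation of the piles),
    # followed by opening every card. Enumerated exactly.
    piles = build_piles(xs)
    k = len(piles)
    views = Counter(tuple(piles[t:] + piles[:t]) for t in range(k))
    return {v: Fraction(c, k) for v, c in views.items()}

def card_decode(view):
    # Read the leading pile back into message bits, then run the PSM decoder.
    pile = view[0]
    return psm_decode(int(pile[i:i + 2] == "♣♦") for i in range(0, len(pile), 2))

def view_depends_only_on_output():
    groups = {}
    for xs in product((0, 1), repeat=N):
        dist = opened_view_distribution(xs)
        if any(card_decode(v) != (xs[0] ^ xs[1]) for v in dist):
            return False
        groups.setdefault(xs[0] ^ xs[1], []).append(dist)
    return all(d == ds[0] for ds in groups.values() for d in ds)

if __name__ == "__main__":
    cards = sum(len(p) for p in build_piles((0, 0)))
    print(view_depends_only_on_output(), cards, N * 2 ** (R_BITS + 1))
```

With $c = 2$ and $r = 1$ the layout uses 8 cards, which agrees with the $c \cdot 2^{r+1}$ count quoted for the general construction.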

5. Quantitative Trade-offs: Card Complexity vs. Shuffle Complexity

A central trade-off emerges between the number of cards used and the operational (shuffle) complexity:

  • Using a general PSM protocol with high randomness complexity leads to exponential card usage but simpler shuffling.
  • An additive PSM protocol, when available, greatly reduces the card count (especially for functions like AND), but the shuffle operation—composed of many pile-wise and intra-pile shuffles—becomes more intricate.
  • For a generic function $f$ with randomness complexity $r$ and communication $c$ (in the PSM model), the protocol requires up to $c \cdot 2^{r+1}$ cards. For $f$ decomposed into ANDs via DNF, the protocol may operate with $O(n^2 2^n)$ cards, trading off increased shuffle algebraic complexity.

Variants also exist where only a subset of cards are revealed post-shuffle, reducing both the shuffle and card complexity—though at the cost of the “full-open” property (Eriguchi et al., 20 Oct 2025).

6. Comparisons, Security Guarantees, and Practical Implications

Single-shuffle full-open protocols are tractable for a wide array of practical functions, building upon simpler “single-cut” protocols (random cut) and extending to complex Boolean functions with provable privacy. The security properties are characterized analogously to those of secure shufflers (Damie et al., 2 Jul 2025):

  • Anonymity: No computationally bounded adversary can associate the output card sequence with an individual party’s input.
  • Correctness: The protocol output is exactly $f(x_1,\ldots,x_n)$, deterministically deducible from the sequence of open cards.
  • Full openness: All cards are public at protocol end, simplifying protocol audits and reducing protocol complexity.

Applications span secure voting, mental poker, secret sharing, and zero-knowledge proofs—particularly in “untrusted hardware” or educational environments (Eriguchi et al., 20 Oct 2025, Shinagawa et al., 4 Jul 2025). Crucially, all privacy relies solely on a single shuffle; no additional subroutines or cleanup procedures are required, which makes this class especially interesting for minimal, robust secure computation.

7. Technical Details and Mathematical Formulations

Key technical ingredients in protocol design include:

  • Card Encoding: For $x\in\mathbb{Z}_m$, encode as a sequence $[c_1,\ldots,c_m]$ with $c_i=\heartsuit$ if $i=x$ and $c_i=\clubsuit$ otherwise.
  • Shuffle Mapping: The protocol applies a permutation (e.g., a uniformly random “pile shift” or complete permutation) and, for an additive PSM, executes operations corresponding to modular multiplication and linear share addition through carefully orchestrated pile splits and merges.
  • Decoding: The open card layout reveals the function output through a deterministic mapping (e.g., the position of the unique red card corresponds to the value of $f$).
  • Bounds: The minimal card count required for $f$, denoted $\mathrm{card}(f)$, is bounded in terms of PSM protocol parameters as

$$\frac{\mathrm{rand}(f)}{\log(\mathrm{rand}(f))+n} \leq \mathrm{card}(f) \leq 2^{\mathrm{rand}(f)+1}\,(\mathrm{rand}(f)+1)\,n,$$

providing a quantitative link between function complexity and protocol resources (Eriguchi et al., 20 Oct 2025).

Summary

In conclusion, single-shuffle full-open protocols form a rigorously designed family of card-based secure computation protocols, now known to exist for arbitrary Boolean functions due to the PSM–to–card–protocol transformation (Eriguchi et al., 20 Oct 2025). Their design achieves correctness and perfect privacy (leaking no information about inputs beyond the output) with minimal operational complexity and without requiring advanced cryptographic hardware or repeated shuffling. These protocols establish a bridge between the theory of MPC and tangible, human-executable secure protocols and offer a blueprint for robust multiparty functionality in low-trust, non-digital environments.
