Bibliography on Mental Poker

Heiko StamerHeikoStamer@gmx.net

Version 1.6

Abstract

This bibliography maintains some references to scientific papers onthe so-called “Mental Poker” problem: it asks whether it is possibleto play a fair game of poker without physical cards and without atrusted dealer, i.e., by phone or over the Internet. This question hasraised some interesting solutions in the early days of public researchin cryptography and stimulated some important considerations likesemantic security. Nowadays it gains again some attention due to thefreaky hype of cryptocurrencies.

References

[AskarovSabelfeld:2005] Aslan Askarov and Andrei Sabelfeld. Security-Typed Languages for Implementation of Cryptographic Pro-tocols: A Case Study of Mutual Distrust. Technical Report2005-13, Department of Computer Science and Engineering,Chalmers University of Technology and Goeborg Univer-sity, 2005.

[AskarovSabelfeld:2005:ESORICS] Aslan Askarov and Andrei Sabelfeld.Security-Typed Languages for Implementation of Crypto-graphic Protocols: A Case Study. In Sabrina De Capitanidi Vimercati, Paul F. Syverson, and Dieter Gollmann, ed-itors, Computer Security - ESORICS 2005, Proceedings of the10th European Symposium on Research in Computer Security,volume 3679 of Lecture Notes in Computer Science, pages 197–221. Springer Verlag, 2005.

1

Abstract: Security protocols are critical for pro-tecting modern communication infrastructuresand are therefore subject to thorough analysis.However practical implementations of these pro-tocols lack the same level of attention and thusmay be more exposed to attacks. This paper dis-cusses security assurance provided by security-typed languages when implementing crypto-graphic protocols. Our results are based on acase study using Jif, a Java-based security-typedlanguage, for implementing a non-trivial crypto-graphic protocol that allows playing online pokerwithout a trusted third party. The case study de-ploys the largest program written in a security-typed language to date and identifies insightsranging from security guarantees to useful pat-terns of secure programming.

[AuYoungTuttle:2004] Alvin AuYoung and Christopher Tuttle. Crypto-graphic Blackjack. Final Project Report CSE 207, Universityof California at San Diego, 2004.

Abstract: Internet casinos have become a billiondollar industry. The increasing popularity of on-line gaming is surprising given its weak guaran-tees of fairness compared to those offered by phys-ical casinos. We apply a bit commitment protocolto an online blackjack game that provides strongfairness guarantees between the player and casinowithout compromising the play of the game. Weintroduce a set of experiments that capture thefairness guarantees of the protocol, and describehow this protocol can be extended to other onlinegames.

[BaranyFuredi:1983] Imre Barany and Zlotan Furedi. Mental Poker withThree or More Players. Information and Control, 59(1–3):84–93, 1983.

[BarnettSmart:2003:IMA] Adam Barnett and Nigel P. Smart. Mental PokerRevisited. In Kenneth G. Paterson, editor, Cryptography andCoding, Proceedings of the 9th IMA International Conference,

2

volume 2898 of Lecture Notes in Computer Science, pages 370–383. Springer Verlag, 2003.

Abstract: We discuss how to implement a securecard game without the need for a trusted dealer, aproblem often denoted “Mental Poker” in the lit-erature. Our solution requires a broadcast channelbetween all players and the number of bits neededto represent each card is independent of the num-ber of players. Traditional solutions to “MentalPoker” require a linear relation between the num-ber of players and the number of bits required torepresent each card.

[Castella-Roca:2005] Jordi Castella-Roca. Contributions to Mental Poker.PhD thesis, Universitat Autonoma de Barcelona, 2005.

Abstract: Computer networks and especially theInternet have allowed some common activitiessuch as shopping or gambling to become remote(e-shopping and e-gambling). The poker gameplayed over a network is known as mental poker.The problem with mental poker is the difficulty ofkeeping it practical while guaranteeing the samestandards of security, fairness and auditability of-fered by standard casinos for physical poker. Theimportant aspects to take into account when de-signing mental poker protocols are: functionality,security, and computational and communicationcost. Proposals in the literature usually focus onthe first two items only. This makes comparisonsdifficult. This thesis starts with a formal cost anal-ysis of the main proposals in the literature. Theanalysis is not limited to costs, though; securityis also analyzed and, in fact, our study detecteda fundamental weakness in one of the comparedmental poker protocols. The attack is presentedin a separate chapter after the global comparativeanalysis. The three following chapters of this the-sis present three new protocols that enhance theproposals in the literature in different ways. Thefirst proposal belongs to the family of TTP-free

3

protocols and does not preserve the confidential-ity of player strategies; it reduces the computa-tional cost by avoiding the use of zeroknowledgeproofs. The second proposal is TTP-free, preservesthe confidentiality of player strategies and reducesthe computational cost by requiring players to per-form less mathematical operations. The third pro-posal addresses a novel functionality usually notoffered in the literature, namely player dropouttolerance, i.e. the ability to continue the game evenif some players leave it.

[Castella-RocaDazaDomingo-FerrerSebe:2006] Jordi Castella-Roca,Vanesa Daza, Josep Domingo-Ferrer, and Francesc Sebe.Privacy Homomorphisms for E-Gambling and MentalPoker. In Proceedings of the IEEE International Conference onGranular Computing, pages 788–791, 2006.

Abstract: With the development of computer net-works, situations where a set of players remotelyplay a game (e-gaming) have become usual. Of-ten players play for money (e-gambling), whichrequires standards of security similar to those inphysical gambling. Cryptographic tools have beencommonly used so far to provide security to e-gambling. Homomorphic encryption is an exam-ple of such tools. In this paper we review themental poker protocols, where players are as-sumed to remotely play poker. We focus on thekey advantage of using cryptosystems with ho-momorphic properties (privacy homomorphisms)because they offer the possibility of manipulatingcards in encrypted form.

[Castella-RocaDomingo-Ferrer:2004:ITCC] Jordi Castella-Roca and JosepDomingo-Ferrer. On the Security of an Efficient TTP-FreeMental Poker Protocol. In Proceedings of the InternationalConference on Information Technology: Coding and Computing(ITCC ’04), volume 2, pages 781–784. IEEE Computer Soci-ety, 2004.

4

Abstract: Using commutative cryptosystems isa way to obtain efficient mental poker protocolswhich do not require using a trusted third party(TTP). However, the security of such protocols de-pends on the particular cryptosystem used. Weshow that a TTP-free mental poker protocol usingan ElGamal-like commutative cryptosystem is in-secure.

[Castella-RocaDomingo-FerrerRieraBorrell:2003:INDOCRYPT] JordiCastella-Roca, Josep Domingo-Ferrer, Andreu Riera, andJoan Borrell. Practical Mental Poker Without a TTP Basedon Homomorphic Encryption. In Thomas Johansson andSubhamoy Maitra, editors, Progress in Cryptology - IN-DOCRYPT 2003, volume 2904 of Lecture Notes in ComputerScience, pages 280–294. Springer Verlag, 2003.

Abstract: A solution for obtaining impartial ran-dom values in on-line gambling is presented inthis paper. Unlike most previous proposals, ourmethod does not require any TTP and allows e-gambling to reach standards of fairness, securityan auditability similar to those common in phys-ical gambling. Although our solution is detailedhere for the particular case of games with re-versed cards (e.g. poker), it can be easily adaptedfor games with open cards (e.g. blackjack) andfor random draw games (e.g. keno). Thanks tothe use of permutations of homomorphically en-crypted cards, the protocols described have mod-erate computational requirements.

[Castella-RocaDomingo-FerrerSebe:2005] Jordi Castella-Roca, FrancescSebe, and Josep Domingo-Ferrer. Dropout-Tolerant TTP-Free Mental Poker. In Sokratis Katsikas, Javier Lopez, andGunther Pernul, editors, Trust, Privacy, and Security in Digi-tal Business, Proceedings of the Second International ConferenceTrustBus 2005, volume 3592 of Lecture Notes in Computer Sci-ence, pages 30–40. Springer Verlag, 2005.

Abstract: There is a broad literature on distributedcard games over communications networks, col-

5

lectively known as mental poker. Like in any dis-tributed protocol, avoiding the need for a TrustedThird Party (TTP) in mental poker is highly desir-able, because really trusted TTPs are not alwaysavailable and seldom free. This paper deals withthe player dropout problem in mental poker with-out a TTP. A solution based on zero-knowledgeproofs is proposed. While staying TTP-free, ourproposal allows the game to continue after playerdropout.

[Castella-RocaDomingo-FerrerSebe:2006] Jordi Castella-Roca, JosepDomingo-Ferrer, and Francesc Sebe. On the Security of aRepaired Mental Poker Protocol. In Information Technol-ogy: New Generations, Proceedings of the Third InternationalConference (ITNG 2006), pages 664–668, 2006.

Abstract: In 2003, Zhao, Varadharajan and Muproposed a mental poker protocol whose securitywas shown to be flawed in 2004: any player (orany outsider knowing the deck coding) is able todecrypt encrypted cards without knowing the en-cryption key. In 2005, the first two authors pub-lished a repaired version of this TTP-free mentalpoker protocol. We show here that this second ver-sion is also flawed: the first player can find allcleartexts of the final encrypted shuffled deck ofcards. Both protocols are similar to Shamir-Rivest-Adleman’s mental poker, but they replace an ex-ponential commutative cipher with an ElGamal-like commutative cipher. We conclude that chang-ing the underlying commutative cipher is the rea-son of their weakness.

[Castella-RocaDomingo-FerrerSebe:2006:CARDIS] Jordi Castella-Roca,Josep Domingo-Ferrer, and Francesc Sebe. A Smart Card-Based Mental Poker System. In Josep Domingo-Ferrer,Joachim Posegga, and Daniel Schreckling, editors, SmartCard Research and Advanced Applications, Proceedings of 7thIFIP WG 8.8/11.2 International Conference (CARDIS 2006),volume 3928 of Lecture Notes in Computer Science, pages48–61. Springer Verlag, 2006.

6

Abstract: On-line casinos have experienced agreat expansion since the generalized use of In-ternet started. There exist in the literature sev-eral proposals of systems allowing secure remotegaming. Nevertheless, the security requirementsof some game families lead to the use of complexand costly cryptographic protocols. A particularlychallenging game family is mental poker. In thispaper we present a smart card-based e-gamingsystem for mental poker with a low computationalcost.

[Castella-RocaDomingo-FerrerSebe:2017:ASIACRYPT] Iddo Bentov, Ran-jit Kumaresan, and Andrew Miller. Instantaneous Decen-tralized Poker. In Tsuyoshi Takagi and Thomas Peyrin, ed-itors, Advances in Cryptology – ASIACRYPT 2017 – 23rd In-ternational Conference on the Theory and Applications of Cryp-tology and Information Security, Hong Kong, China, December3–7, 2017, Proceedings, Part II, volume 10624 of Lecture Notesin Computer Science, pages 410–440. Springer Verlag, 2017.

Abstract: We present efficient protocols for amor-tized secure multiparty computation with penal-ties and secure cash distribution, of which pokeris a prime example. Our protocols have an ini-tial phase where the parties interact with a cryp-tocurrency network, that then enables them tointeract only among themselves over the courseof playing many poker games in which moneychanges hands. The high efficiency of our proto-cols is achieved by harnessing the power of state-ful contracts. Compared to the limited expressivepower of Bitcoin scripts, stateful contracts enablericher forms of interaction between standard se-cure computation and a cryptocurrency. We for-malize the stateful contract model and the secu-rity notions that our protocols accomplish, andprovide proofs in the simulation paradigm. More-over, we provide a reference implementation inEthereum/Solidity for the stateful contracts thatour protocols are based on. We also adapt our

7

off-chain cash distribution protocols to the spe-cial case of stateful duplex micropayment chan-nels, which are of independent interest. In com-parison to Bitcoin based payment channels, ourduplex channel implementation is more efficientand has additional features.

[ChouYeh:2002] Jue-Sam Chou and Yi-Shiung Yeh. Mental Poker Gamebased on a Bit Commitment Scheme through Network. In-ternational Journal of Computer and Telecommunications Net-working, 38(2):247–255, 2002.

Abstract: There are many schemes proposed onmental poker so far. Most of them are based onthe composition of each player’s private permu-tation of cards. Yet, each one is either too com-plex or has some drawbacks in it. In other words,no solution has come to reality. In this paper, wepropose a permutation-free method, i.e. a bit com-mitment scheme, along with the RSA cryptosys-tem (Cryptography-Theory and Practice, CRCPress, Boca Raton, 1995; Public-key Cryptography,Springer, Berlin, 1996) to implement the mentalpoker game. It is not only simple but also concisein concept.

[Coppersmith:1985:CRYPTO] Don Coppersmith. Cheating at MentalPoker. In Hugh C. Williams, editor, Advances in Cryptology- CRYPTO ’85: Proceedings, volume 218 of Lecture Notes inComputer Science, pages 104–107. Springer Verlag, 1985.

Abstract: We review the “mental poker” schemedescribed by Shamir, Rivest and Adleman [SRA].We present two possible means of cheating, de-pending on careless implementation of the SRAscheme. One will work if the prime p is such thatp−1 has a small prime divisor. In the other scheme,the names of the cards “TWO OF CLUBS” havebeen extended by random-looking bits, chosen bythe cheater.

[Crepeau:1985:CRYPTO] Claude Crepeau. A Secure Poker Protocol thatMinimizes the Effect of Player Coalitions. In Hugh C.

8

Williams, editor, Advances in Cryptology - CRYPTO ’85: Pro-ceedings, volume 218 of Lecture Notes in Computer Science,pages 73–86. Springer Verlag, 1985.

Abstract: What can we expect from a poker proto-col? How close to reality can we come? From theoutset of this research, we realized that a crypto-graphic protocol could achieve more security thanits real life counterpart (with physical cards). Butevery protocol proposed until now was far fromoffering all the possibilities of a real deck of cardsor could not acheive the full security we were ex-pecting.

[Crepeau:1986:CRYPTO] Claude Crepeau. A Zero-Knowledge Poker Pro-tocol that Achieves Confidentiality of the Players’ Strategyor How to Achieve an Electronic Poker Face. In Andrew M.Odlyzko, editor, Advances in Cryptology - CRYPTO ’86: Pro-ceedings, volume 263 of Lecture Notes in Computer Science,pages 239–247. Springer Verlag, 1986.

Abstract: Many attempts have been previouslymade to achieve a protocol that would allow peo-ple to play mental poker [SRA, GM1, BF, FM, Yu,Cr] (I would rather say electronic poker). Unfor-tunately no solution has ever come close to realitywith respect to poker strategy. Poker players usu-ally claim that luck has nothing to do with theirgains. In fact, poker is a very strategic game. Often,an inexperienced player will loose a lot of moneywhen playing against an experienced player, onlybecause the former cannot hide so easily his emo-tions. The experienced player can easily knowwhether his opponent has a good hand or not.Electronic poker is an ideal way of hiding one’semotions. But, in fact, every protocol proposedthus far ruins this perfect poker face since theirsecurity is based on the fact that all hands are re-vealed at the end of the game. This means that thestrategy of the players is known to all his oppo-nents. In particular, if one bluffs with a bad handin the hope that all his opponents will give up,

9

he still has to reveal his hand at the end, in orderto participate in the verification part of the pro-tocol. Moreover, when a player opens his hand,he does not want his opponents to learn the mo-ment at which each of his cards was drawn, sincethis would give them some information about hisstrategy. This paper proposes a new poker proto-col that allows players to keep secret their strat-egy. This protocol is an extension of the one givenby Crepeau in [Cr]. The security will not be basedon the knowledge of the entire deck of card at theend of the game, but rather on some independentinformation linked to the entries of the deck. Thisprotocol achieves every constraints of a real pokergame. It is the first complete solution to the men-tal poker problem. It achieves all the necessaryconditions suggested in [Cr]: Uniqueness of cardsUniform random distribution of cards Absence oftrusted third party Cheating detection with a veryhigh probability Complete confidentiality of cardsMin imal effect of coalitions Complete confiden-tiality of strategy.

[CrepeauKilian:1993:CRYPTO] Claude Crepeau and Joe Kilian. DiscreetSolitary Games. In Douglas R. Stinson, editor, Advances inCryptology - CRYPTO ’93, Proceedings of the 13th Annual In-ternational Cryptology Conference, volume 773 of Lecture Notesin Computer Science, pages 319–330. Springer Verlag, 1993.

Abstract: Cryptographic techniques have beenused intensively in the past to show how to playmultiparty games in an adversarial scenario. Wenow investigate the cryptographic power of adeck of cards in a solitary scenario. In particular,we show how a person can select a random per-mutation satisfying a certain criterion discreetly(without knowing which one was picked) usinga simple deck of cards. We also show how it ispossible using cards to play games of partial infor-mation such as POKER, BRIDGE and other cardsgames in solitary.

10

[DavidDowsleyLarangeira:2017] Bernardo David, Rafael Dowsley, andMario Larangeira. Kaleidoscope: An Efficient Poker Pro-tocol with Payment Distribution and Penalty Enforcement.Cryptology ePrint Archive: Report 2017/899, 2017.

Abstract: The research on secure poker protocolswithout trusted intermediaries has a long historythat dates back to modern cryptography’s infancy.Two main challenges towards bringing it intoreal-life are enforcing the distribution of the re-wards, and penalizing misbehaving/aborting par-ties. Using recent advances on cryptocurrenciesand blockchain technologies, Andrychowicz et al.(IEEE S&P 2014 and FC 2014 BITCOIN Workshop)were able to address those problems. Improvingon these results, Kumaresan et al. (CCS 2015) andBentov et al. (ASIACRYPT 2017) proposed spe-cific purpose poker protocols that made signifi-cant progress towards meeting the real-world de-ployment requirements. However, their protocolsstill lack either efficiency or a formal security proofin a strong model. Specifically, the work of Ku-maresan et al. relies on Bitcoin and simple con-tracts, but is not very efficient as it needs numer-ous interactions with the cryptocurrency networkas well as a lot of collateral. Bentov et al. achievefurther improvements by using stateful contractsand off-chain execution: they show a solutionbased on general multiparty computation that hasa security proof in a strong model, but is alsonot very efficient. Alternatively, it proposes to usetailor-made poker protocols as a building block toimprove the efficiency. However, a security proofis unfortunately still missing for the latter case:the security properties the tailor-made protocolwould need to meet were not even specified, letalone proven to be met by a given protocol. Oursolution closes this undesirable gap as it concur-rently: (1) enforces the rewards’ distribution; (2)enforces penalties on misbehaving parties; (3) hasefficiency comparable to the tailor-made proto-

11

cols; (4) has a security proof in a simulation-basedmodel of security. Combining techniques from theabove works, from tailor-made poker protocolsand from efficient zero-knowledge proofs for shuf-fles, and performing optimizations, we obtain asolution that satisfies all four desired criteria anddoes not incur a big burden on the blockchain.

[Edwards:1994] Jonathan Edwards. Implementing Electronic Poker: APractical Exercise in Zero-Knowledge Interactive Proofs.Master’s thesis, Department of Computer Science, Univer-sity of Kentucky, 1994.

[FortuneMerritt:1984:CRYPTO] Steven Fortune and Michael Merritt.Poker Protocols. In G.R. Blakley and David Chaum, edi-tors, Advances in Cryptology: Proceedings of CRYPTO ’84, vol-ume 196 of Lecture Notes in Computer Science, pages 454–466.Springer Verlag, 1984.

Abstract: The situation is quite serious. After fouryears of research, there has been no satisfactoryway for a group of card sharks to play poker overthe phone. Until now. In this paper, we present anew method for playing ‘mental poker,’ discussits significance, and mention some of the furtherquestions it raises. Ante up. The rules for men-tal poker are just like regular poker, except thatplayers communicate over the phone, and thereare no physical cards. The hard part of mentalpoker is dealing the cards. Hands must be ran-dom and disjoint, and players should not be ableto claim to have any cards but those dealt (asleeve will hold as many ‘virtual cards’ as an-gels will fit on the head of a pin). Playing mentalpoker is a difficult problem for a number of rea-sons. The foremost reason is that it is impossible,a result due to Shamir, Rivest and Adleman. Ofcourse, this is an information-theoretic result, andthe same reference presents a method for playingmental poker that relies on the difficulty of invert-ing certain cryptographic transformations. Unfor-tunately, a cryptographic flaw allows players to

12

determine the color of each other’s cards. Thisset the stage for a new implementation devisedby Goldwasser and Micali, which was proven tohide all partial information (up to an explicit cryp-tographic assumption). Unfortunately, this imple-mentation works only for two players, which is avery restricted kind of poker. Next, Barany andFuredi devised a protocol that permits three ormore players to play poker, but only if playersare not permitted to form coalitions. If two play-ers conspire, they can learn the contents of every-one else’s hands. The following section discussesthis history of mental poker in more detail, outlin-ing the key ideas, contributions and limitations ofthis earlier work. This paper presents a new wayof playing mental poker. Unlike earlier solutions,it is secure against coalitions, permits any num-ber of players, and uses inexpensive, highly se-cure cryptographic techniques. The protocol doesrequire the participation of a trusted party to shuf-fle the cards. However, thereafter the trusted partydoes not participate in the protocol. The protocolcan be easily adapted to play almost all types ofpoker known to the authors. Of course, poker isa metaphor for any system in which users shouldhave only partial information about the dynamicallocation of resources. Beyond this, the poker pro-tocol presented here takes on a broader signifi-cance because of the simple tools used in its im-plementation.

[GoldreichMicaliWigderson:1987:STOC] Oded Goldreich, Silvio Micali,and Avi Wigderson. How to play ANY mental game. InProceedings of the 19th Annual ACM Conference on Theory ofComputing (STOC ’87), pages 218–229. ACM Press, 1987.

Abstract: We present a polynomial-time algorithmthat, given as a input the description of a gamewith incomplete information and any number ofplayers, produces a protocol for playing the gamethat leaks no partial information, provided the

13

majority of the players is honest. Our algorithmautomatically solves all the multi-party protocolproblems addressed in complexity-based cryptog-raphy during the last 10 years. It actually is acompleteness theorem for the class of distributedprotocols with honest majority. Such completenesstheorem is optimal in the sense that, if the majorityof the players is not honest, some protocol prob-lems have no efficient solution.

[GoldwasserMicali:1982:STOC] Shafi Goldwasser and Silvio Micali. Prob-abilistic Encryption & How To Play Mental Poker KeepingSecret All Partial Information. In Proceedings of the 14th An-nual ACM Symposium on Theory of Computing (STOC ’82),pages 365–377. ACM Press, 1982.

Abstract: This paper proposes an EncryptionScheme that possess the following property: Anadversary, who knows the encryption algorithmand is given the cyphertext, cannot obtain any in-formation about the clear-text. Any implementa-tion of a Public Key Cryptosystem, as proposedby Diffie and Hellman in [8], should possessthis property. Our Encryption Scheme follows theideas in the number theoretic implementations ofa Public Key Cryptosystem due to Rivest, Shamirand Adleman [13], and Rabin [12].

[Golle:2005:ITCC] Philippe Golle. Dealing Cards in Poker Games. In Pro-ceedings of the International Conference on Information Technol-ogy: Coding and Computing (ITCC ’05), volume 1, pages 506–511. IEEE Computer Society, 2005.

Abstract: This paper proposes a new proto-col for shuffling and dealing cards, that is de-signed specifically for games of mental poker.Our protocol takes advantage of two features ofpoker games that are overlooked by generic card-shuffling protocols: 1) cards in poker games aredealt in rounds, with betting in-between, ratherthan all at once and 2) the total number of cardsdealt in a game of poker is small (it depends on

14

the number of players but is typically less thanhalf the deck). With these observations in mind,we propose a protocol that spreads the compu-tational cost of dealing cards more evenly acrossrounds. Compared to protocols that shuffle thewhole deck upfront, our approach offers a dra-matic decrease in latency and overall computa-tional cost. Our protocol is fair, private and ro-bust. It is ideally suited for resource-constraineddevices such as PDAs.

[HarnLinGong:2000] L. Harn, H.-Y. Lin, and G. Gong. Bounded-to-Unbounded Poker Game. Electronics Letters, 36(3):214–215,2000.

Abstract: The bounded-to-unbounded pokergame is a fair poker game that can be played overthe Internet. It allows both dealer and player todistribute cards in a fair and secure manner. Inaddition, the presented protocol assumes that theplayer is computationally bounded: however, thedealer is computationally unbounded.

[KurosawaKatayamaOgata:1997] Kaoru Kurosawa, Yutaka Katayama,and Wakaha Ogata. Reshufflable and Laziness TolerantMental Card Game Protocol. IEICE Transactions Fundamen-tals, E80-A(1):72–78, 1997.

Abstract: This paper presents a reshufflable andlaziness tolerant mental card game protocol. First,our protocol can reshuffle any subset of cards. Forexample, some opened cards and some face downcards can be shuffled together. Next, we considertwo types of honest players, currently active andcurrently nonactive. A player is currently nonac-tive if he dropped out the game or he declared”pass” and has not declared ”rejoin” yet. In theproposed protocol, if more than half of the play-ers are currently active, they can play the game.In this case, the privacy of the currently nonactiveplayers are kept secret.

15

[KurosawaKatayamaOgataTsujii:1990:EUROCRYPT] Kaoru Kurosawa,Yutaka Katayama, Wakaha Ogata, and Shigeo Tsujii. Gen-eral Public Key Residue Cryptosystem and Mental PokerProtocols. In Ivan B. Damgard, editor, Advances in Cryp-tology - EUROCRYPT ’90, Proceedings of the Workshop on theTheory and Application of of Cryptographic Techniques, volume473 of Lecture Notes in Computer Science, pages 374–388.Springer Verlag, 1990.

Abstract: This paper presents a general methodhow to construct public key cryptosystems basedon the r-th residue problem. Based on the pro-posed method, we present the first mental pokerprotocol which can shuffle any set of cards.Its fault tolerant version is given, too. An effi-cient zero knowledge interactive proof system forquadratic non-residuosity is also shown.

[Lipton:1979] Richard J. Lipton. How to Cheat at Mental Poker. TechnicalReport, Computer Science Department, Berkeley University,1979.

[Lipton:1981] Richard J. Lipton. How to Cheat at Mental Poker. Proceed-ings of the AMS Short Course on Cryptology, 1981.

[Pinna:2002] Michael Pinna. A Secure Card Game. BA Thesis, Gonwille& Caius College, University of Cambridge, 2002.

[Schindelhauer:1998] Christian Schindelhauer. A Toolbox for Mental CardGames. Technical Report A-98-14, Medizinische UniversitatLubeck, 1998.

Abstract: Mental card games are played with-out a trusted party and without cards. It is wellknown that the problem of mental card games canbe solved in principle. But the schemes knownso far are too messy to be used in practice. Onlyfor the mental poker game a suitable solution isknown [Crep 87] that achieves security againstplayer coalition and complete confidentiality ofa player’s strategy. Here, we present a general-purpose scheme that may be used as basic tool-box for straight-forward implementations of card

16

games. We present a data structure for cards anddecks that is secure against player coalitions andenables standard operations like picking up acard, opening it, and (re-)mixing stacks. Further-more, we introduce tools for special operationslike inserting a card into the deck, splitting thedeck, parting the game. The correctness of all op-erations is testified by zero-knowledge proofs. Fi-nally, we discuss security problems that are typi-cal for mental card games and suggest solutions toenable all players maximum possible fairness.

[ShamirRivestAdleman:1979] Adi Shamir, Ronald L. Rivest, andLeonard M. Adleman. Mental Poker. Technical ReportMIT-LCS-TM-125, Massachusetts Institute of Technology,1979.

Abstract: Is it possible to play a fair game of ’Men-tal Poker’. We will give a complete (but paradox-ical) answer to this question. We will first provethat the problem is intrinsically insoluble, andthen describe a fair method of playing ’MentalPoker’.

[ShamirRivestAdleman:1981] Adi Shamir, Ronald L. Rivest, andLeonard M. Adleman. Mental Poker. The MathematicalGardner, pages 37–43, 1981.

Abstract: Can two potentially dishonest play-ers play a fair game of poker without using anycards—for example, over the phone? This paperprovides the following answers: No. (Rigorousmathematical proof supplied.) Yes. (Correct andcomplete protocol given.)

[SooSamsudinGoh:2002] Wai Han Soo, Azman Samsudin, and AlwynGoh. Efficient Mental Card Shuffling via OptimisedArbitrary-Sized Benes Permutation Network. In Agnes HuiChan and Virgil Gligor, editors, Information Security, Proceed-ings of the 5th International Conference (ISC 2002), volume 2433of Lecture Notes in Computer Science, pages 446–458. SpringerVerlag, 2002.

17

Abstract: The presumption of player distrustand untrustworthiness in mental card gaming re-sults in the formulation of complex and compute-intensive protocols, particularly for shuffling. Wepresent a robust, verifiable and efficient card shuf-fling protocol based on an optimisation of Chang-Melham arbitrary-sized (AS) Benes permutationnetwork (PN), which can flexibly accommodatesvariable pack sizes, achieving optimal shufflingperformance. We also outline the use of these PNsin a distributed (among h players) construction,which combines the best attributes of Abe andJakobsson-Juels mix-net formalisms. Card shuf-fling can therefore be executed on a structurallysimple mix-net – with only t + 1 PNs requiredfor operational robustness against collusion by tcheating players, and efficient zero knowledgeproofs (ZKP) to verify correct shuffling by eachplayer. Shuffling efficiency is also enhanced byour limited application of verifiable secret sharing(VSS) on the ElGamal keys. The resultant protocolachieves an asymptotic complexity of O(tNlgN)for N inputs; which is comparable or superior toprevious schemes.

[Stamer:2005:WEWoRC] Heiko Stamer. Efficient Electronic Gambling: AnExtended Implementation of the Toolbox for Mental CardGames. In Christopher Wolf, Stefan Lucks, and Po-Wah Yau,editors, Proceedings of the 1st Western European Workshop onResearch in Cryptology (WEWoRC 2005), volume P-74 of Lec-ture Notes in Informatics, pages 1–12. Gesellschaft fur Infor-matik e.V., 2005.

Abstract: There are many wonderful protocolsin cryptography which are still waiting for theirrealization. Here we consider efficient solutionsfor secure electronic card games. Our contribu-tion seems to be the first known practical im-plementation that requires no trusted third-partyand simultaneously keeps the players’ strategiesconfidential. The provided open source library

18

LibTMCG can be used for creating secure peer-to-peer games and furthermore for some unusual ap-plications, e.g., secure multi-party computation orsimple electronic voting schemes.

[Tetikoglu:2007] Ipek Tetikoglu. The Elgamal Cryptosystem is better thanthe RSA Cryptosystem for Mental Poker. Master’s thesis,Department of Computational Mathematics, Duquesne Uni-versity, 2007.

Abstract: Cryptosystems are one of the most im-portant parts of secure online poker card games.However, there is no research comparing theRSA Cryptosystem (RC) and Elgamal Cryptosys-tem (EC) for mental poker card games. This pa-per compares the RSA Cryptosystem and El-gamal Cryptosystem implementations of mentalpoker card games using distributed key genera-tion schemes. Each implementation is based on ajoint encryption/decryption of individual cards.Both implementations use shared private key en-cryption/decryption schemes and neither uses atrusted third party (TTP). The comparison cri-teria will be concentrated on the security andcomputational complexity of the game, collusionsamong the players and the debate between thediscrete logarithm problem (DLP) and the factor-ing problem (FP) for the encryption/decryptionschemes. Under these criteria, the comparison re-sults demonstrate that the Elgamal Cryptosystemhas better efficiency and effectiveness than RSAfor mental poker card games.

[Wei:2014] Tzer-jen Wei. Secure and practical constant round mentalpoker. Information Sciences, 273:352–386, 2014.

Abstract: We present a new mental poker proto-col, which achieves negligible probability of cheat-ing in constant round. All of previous secure men-tal poker protocol use L-round zero-knowledgeprotocols to ensure the probability of successfulactive cheating to be O(2−L). Our protocol uses a

19

different way to verify the integrity of the shuf-fle. The cryptosystem and the basic structure ofour protocol is based on Castella-Roca’s mentalprotocol, which is very efficient and secure. TheL-round zero-knowledge shuffle verification is re-placed by a checksum-like framework. There aretwo kinds of checksums used in our shuffle: linearchecksum and double exponentiation. The “linearchecksum” is used to make sure that every cardin the deck is distinct. The “double exponentia-tion checksum” is used to make sure that everycard has a legitimate face value. The security canbe proved under DDH assumption. The proba-bility of successful cheating is negligible, even ifthe adversary can actively corrupt the majority ofplayers. It is also very fast. For a 9 player game,the computation cost of our shuffle is compara-ble to the L-round verification with L = 4. Thetime complexity of our shuffle is Θ(MN + N2)E(compares to Θ(MN2L)E for a L-round shuffle),where N is the number of players, M is the num-ber of cards, and E is the computation cost of onemodular exponentiation. The communication costis also reduced. Compares to the L-round protocolwe based on, number of messages is reduced fromΘ(N3L) to Θ(N2), and the total length of messagesis reduced from Θ(N2L(M + N))η to Θ(MN2)η,where η is the length of an encryption key. Fora 9-player game, our shuffle requires only 53%messages, and total length of messages is only 7%(compares to the case L = 30 and all L rounds ofshuffle verification are allowed to run in parallel).It is the first constant round mental poker proto-col that is provably secure and efficient enough tosatisfy the practical needs. The probability of suc-cessful cheating is negligible.

[WeiWang:2012] Tzer-jen Wei and Lih-Chung Wang. A fast mental pokerprotocol. Journal of Mathematical Cryptology, 6(1):39–68, 2012.

Abstract: In this paper, we present a fast and se-

20

cure mental poker protocol. The basic structure isthe same as Barnett & Smart’s and Castella-Roca’sprotocols but our encryption scheme is different.With this alternative encryption scheme, our shuf-fle is not only twice as fast, but it also has differ-ent security properties. As such, Barnett & Smart’sand Castella-Roca’s security proof cannot be ap-plied to our protocol directly. Nevertheless, ourprotocol is still provably secure under the DDH as-sumption. The only weak point of our protocol isthat reshuffling a small subset of cards might takelonger than Barnett & Smart’s and Castella-Roca’sprotocols. Therefore, our protocol is more suitablefor card games such as bridge, most poker games,mahjong, hearts, or black jack, which do not re-quire much partial reshuffling.

[Yung:1982] Mordechai Yung. K-Player Mental Poker. Master’s thesis,Tel-Aviv University, 1982.

[Yung:1984:CRYPTO] Mordechai Yung. Cryptoprotocols: Subscription toa Public Key, the Secret Blocking and the Multi-Player Men-tal Poker Game. In G.R. Blakley and David Chaum, edi-tors, Advances in Cryptology: Proceedings of CRYPTO ’84, vol-ume 196 of Lecture Notes in Computer Science, pages 439–453.Springer Verlag, 1984.

Abstract: Investigating the capabilities of publickey and related cryptographic techniques has re-cently become an important area of cryptographicresearch. In this paper we present some new algo-rithms and cryptographic protocols (Cryptoproto-cols) which enlarge the range of applications ofpublic key systems and enable us to perform cer-tain transactions in communication networks. Thebasic cryptographic tools used are Rabin’s Oblivi-ous Transfer Protocol and an algorithm we devel-oped for Number Embedding which is provablyhard to invert. We introduce the protocol “Sub-scription to a Public Key”, which gives a way totransfer keys over insecure communication chan-nels and has useful applications to cryptosystems.

21

We develop the “Secret Blocking Protocol”, spec-ified as follows: ‘A transfers a secret to B, B canblock the message. If B does not block it, there isa probability P that he might get it. (1/2P ≤ 1,where we can control the size of P ). A does notknow if the message was blocked (but he canfind out later)’. The classic cryptotransaction is the“Mental Poker Game”. A cryptographically securesolution to the “Multi Player Mental Poker Game”is given. The approach used in constructing thesolution provides a general methodology of prov-able and modular “Protocol Composition”.

[ZhaoVaradharajan:2005:ITCC] Weiliang Zhao and Vijay Varadharajan.Efficient TTP-Free Mental Poker Protocols. In Proceedings ofthe International Conference on Information Technology: Codingand Computing (ITCC ’05), volume 1, pages 745–750. IEEEComputer Society, 2005.

Abstract: Zhao et. al proposed an efficient men-tal poker protocol which did not require using atrusted third party (TTP). The protocol is efficientand suitable for any number of players but it in-troduces a security flaw. In this paper, we proposetwo mental poker protocols based on Zhao’s pre-vious work. The security flaw has been removedand the additional computing cost is small.

[ZhaoVaradharajanMu:2003] Weiliang Zhao, Vijay Varadharajan, andYi Mu. A Secure Mental Poker Protocol Over The Internet. InChris Johnson, Paul Montague, and Chris Steketee, editors,ACSW Frontiers 2003, Proceedings of the Australasian Informa-tion Security Workshop, volume 21 of Conferences in Researchand Practice in Information Technology, pages 105–109. Aus-tralian Computer Society, 2003.

Abstract: An effcient and secure mental pokerscheme is proposed in this paper. It is based onmultiple encryption and decryption of individualcards. The protocol satisfies all major security re-quirements of a real mental poker. It gets rid of theCard Salesman and guarantees minimal effect due

22

to collusion of players. The protocol is secure andmore effcient compared with other known proto-cols. The strategies of players can be kept confi-dential with the introduction of a Dealer. The pro-tocol is suitable to be implemented in an on-linecard game.

23