Card-Based Cryptography Meets Formal Verification
New Generation Computing (IF 2.0), Pub Date: 2021-04-02, DOI: 10.1007/s00354-020-00120-0
Alexander Koch , Michael Schrempp , Michael Kirsten

Card-based cryptography provides simple and practicable protocols for performing secure multi-party computation with just a deck of cards. For the sake of simplicity, this is often done using cards with only two symbols, e.g., \(\clubsuit\) and \(\heartsuit\). Within this paper, we also target the setting where all cards carry distinct symbols, catering for use-cases with commonly available standard decks and a weaker indistinguishability assumption. As of yet, the literature provides for only three protocols and no proofs for non-trivial lower bounds on the number of cards. As such complex proofs (handling very large combinatorial state spaces) tend to be involved and error-prone, we propose using formal verification for finding protocols and proving lower bounds. In this paper, we employ the technique of software bounded model checking (SBMC), which reduces the problem to a bounded state space, which is automatically searched exhaustively using a SAT solver as a backend. Our contribution is threefold: (a) we identify two protocols for converting between different bit encodings with overlapping bases, and then show them to be card-minimal. This completes the picture of tight lower bounds on the number of cards with respect to runtime behavior and shuffle properties of conversion protocols. For computing AND, we show that there is no protocol with finite runtime using four cards with distinguishable symbols and fixed output encoding, and give a four-card protocol with an expected finite runtime using only random cuts. (b) We provide a general translation of proofs for lower bounds to a bounded model checking framework for automatically finding card- and run-minimal (i.e., the protocol has a run of minimal length) protocols and to give additional confidence in lower bounds. We apply this to validate our method and, as an example, confirm our new AND protocol to have its shortest run for protocols using this number of cards. (c) We extend our method to also handle the case of decks on symbols \(\clubsuit\) and \(\heartsuit\), where we show run-minimality for two AND protocols from the literature.




Updated: 2021-04-02