1 Introduction

Card-based protocols are unconventional computing methods using a deck of physical cards; their advantage is that they can be executed by humans practically (e.g., [4, 8, 11, 16]). To illustrate this, let us explain how to manipulate Boolean values based on a two-colored deck of cards. Given a black card and a red card  , a Boolean value can be expressed as:

(1)

Following this encoding, for example, two players, Alice and Bob, can each put two cards face down on a table, representing their private bits a and b, respectively:

(2)

Here, we assume that the backs of all cards are indistinguishable and that the fronts or are also indistinguishable if the cards have the same color. We call the left pair of two face-down cards in (2) a commitment to a. Similarly, the right pair of two face-down cards are a commitment to b.

Typically, given two input commitments to \(a,b\in \{0,1\}\), as in (2), a card-based protocol should generate a commitment to the value of a predetermined function \(f\left( a,b\right) \). For instance, we can get a commitment to \(a \wedge b\) without leaking any information about a and b, if we execute an AND protocol:

Table 1 The existing AND protocols (in committed format)
Full size table

As in Table 1, there are many existing AND protocols (in committed formatFootnote 1). This table implies that the design of “efficient” protocols is one of the goals of card-based protocols; so far, the efficiency has been evaluated in terms of three metrics: (i) the number of required cards, (ii) the number of colors, and (iii) the average number of required trials. These evaluation metrics are simple and reasonable. However, if we are going to actually execute a card-based protocol, these three metrics are insufficient to accurately estimate the number of operations that need to be done during the protocol and the overall execution time of the protocol.

Therefore, in this paper, we introduce new metrics to evaluate protocol efficiency more precisely. That is, we determine all the operations during a protocol to help analyze the execution time. Furthermore, we actually evaluate all the AND protocolsFootnote 2 shown in Table 1, based on our new criteria by counting the number of operations thoroughly. As an application example, we also make a comparison of the AND protocols and discuss which protocol is the most efficient and practical.

The rest of this paper is organized as follows: In Sect. 2, we introduce the AND protocol invented by Stiglic [23] as an example and then give a formalization of the operations in card-based protocols [10]. In Sect. 3, we give new metrics of efficiency, which directly indicate the execution time of a protocol. In Sect. 4, we evaluate the existing AND protocols based on our proposed metrics. In Sect. 5, we conduct a further investigation into evaluation of the execution time. We conclude this study in Sect. 6.

An earlier version of this paper was presented and appeared as a conference paper [7]. The difference is as follows. This paper takes the AND protocol recently proposed by Abe et. al. [1] into account, so that Sect. 3.2.4 along with Fig. 8 has been added and Sect. 4 has been updated. Furthermore, this paper first creates a full version of the KWH-tree [6] of the Crépeau–Kilian AND protocol [3] as Fig. 6 in Sect. 3.2.2 and that of the Niemi–Renvall AND protocol [15] as Fig. 7 in Sect. 3.2.3. In addition, this paper investigates the execution time of rearrangement operations for cards more precisely; Sect. 5 is devoted to this new treatment.

2 Preliminaries: a protocol with operations

In this section, we introduce Stiglic’s AND protocol [23] as an example to demonstrate the possible operations in card-based protocols. It should be noted that card-based protocols are outside the Turing model [10, 12].

As seen in Table 1, Stiglic’s protocol requires a two-colored deck of eight cards and two average trials. Given input commitments to a and b along with four additional cards  , the protocol proceeds as follows:

  1. 1.

    Arrange the sequence as:

  2. 2.

    Apply a random cut to the sequence of eight cards:

    The term “random cut” means a cyclic shuffle. If we attach numbers to the cards for the sake of convenience:

    then a random cut results in one of the following eight sequences (with a probability of \(\tfrac{1}{8}\)):

    Note that a random cut is known to be easily implemented by humans securely via the Hindu cut [25] as shown in Fig. 3.

  3. 3.

    Turn over the first two cards (from the left).

    1. (a)

      If the revealed cards are  , we obtain a commitment to \(a\wedge b\) as follows:

    2. (b)

      If the revealed cards are  , we obtain

    3. (c)

      If the revealed cards are or  , turn over the third card.

      1. i.

        If the three face-up cards are  , we have

      2. ii.

        If the three face-up cards are  , we have

      3. iii.

        If the three face-up cards are or  , turn them over and go back to Step 2.

This is Stiglic’s AND protocol, which we denote by \({\mathcal {P}}_{\mathrm {Sti}}\) hereinafter. A shuffling operation called a random cut is used in Step 2 of \(\mathcal {P_\mathrm {Sti}}\). The average number of trials is two, because the probability that Step 3–(c)–iii occurs and we go back to Step 2 is \(\frac{1}{2}\).

As seen partially in the description of \(\mathcal {P_\mathrm {Sti}}\), the possible operations used in card-based protocols (not just Stiglic’s but others that have not been described thus far) are turning-over, rearrangement, and shuffling operations, which can be formalized as follows [10]. Below, we assume a sequence of d cards \(\Gamma = \left( \alpha _1,\alpha _2,\ldots ,\alpha _d\right) \).

  1. 1.

    Turning-over operation: (\({\textsf {turn}},i\)). A \(\mathsf {turn}\) operation involves turning over the ith card \(\alpha _i\), as shown in Fig. 1. The resulting sequence is

    $$\begin{aligned} \left( \alpha _1,\ldots ,\alpha _{i\!-\!1},\beta _i,\alpha _{i\!+\!1},\ldots ,\alpha _d\right) , \end{aligned}$$

    where \(\beta _i\) is obtained by turning over \(\alpha _i\).

  2. 2.

    Rearrangement operation: (\({\textsf {perm}},\pi \)). A \(\mathsf {perm}\) operation involves the application of a permutation \(\pi \in S_d\) (where \(S_d\) represents the symmetric group of degree d) to the sequence, as illustrated in Fig. 2. The resulting sequence is

    $$\begin{aligned} \left( \alpha _{\pi ^{-1}\text{(1) }},\alpha _{\pi ^{-1}\text{(2) }},\dots ,\alpha _{\pi ^{-1}\text{( }d\text{) }}\right) . \end{aligned}$$
  3. 3.

    Shuffling operation: (\({\textsf {shuffle}},\Pi ,{\mathcal {F}}\)). A \(\mathsf {shuffle}\) operation involves the application of a permutation \(\pi \in \Pi \) chosen from a permutation set \(\Pi \subseteq \,S_d\) according to a probability distribution \({\mathcal {F}}\). See Fig. 3 again for an example of a shuffle. Note that a set \(\Pi \) along with a distribution \({\mathcal {F}}\) specifies a shuffle. We simply write (\({\textsf {shuffle}},\Pi \)) if \({\mathcal {F}}\) is uniform.

Fig. 1
figure 1

Turning-over operation

Full size image
Fig. 2
figure 2

Rearrangement operation

Full size image
Fig. 3
figure 3

Shuffling operation: The Hindu cut

Full size image

We define

$$\begin{aligned} {\mathsf {R}}{\mathsf {C}}^{\{i_1,i_2,\ldots ,i_\ell \}}\overset{\mathrm {def}}{=}\{\left( i_1 \ i_2 \ \cdots \ i_\ell \right) ^{j}\mid 1\le j \le \ell \}, \end{aligned}$$

for a cyclic permutation (\(i_1\,i_2\,\cdots \,i_\ell \)) such that \(i_1<i_2<\cdots <i_\ell \). Note that the random cut in Stiglic’s protocol can be expressed as (\({\textsf {shuffle}},{\mathsf {R}}{\mathsf {C}}^{\{1,2,3,4,5,6,7,8\}}\)).

3 New metrics and execution time of protocols

As mentioned in Sect. 2, \({\textsf {turn}}\), \({\textsf {perm}}\), and \({\textsf {shuffle}}\) operations are used in card-based protocols. We need to take these operations into account to analyze the “execution time” of protocols. In other words, the efficiency evaluation metrics shown in Table 1, i.e., the number of required cards, the number of colors, and the average number of trials, are insufficient to estimate the overall execution time.

In Sect. 3.1, we clarify all the operations that need to be considered. In Sect. 3.2, we count the number of occurrences of each operation for every AND protocol. In Sect. 3.3, we provide new metrics to estimate the execution time of protocols.

3.1 Operations to consider

In addition to the three kinds of operations, i.e., \({\textsf {turn}}\), \({\textsf {perm}}\), and \({\textsf {shuffle}}\), introduced in Sect. 2, we define another operation, named \({\textsf {add}}\). The \({\textsf {add}}\) operation involves the addition of a card to the sequence with its face up (in order for players to be able to confirm the color), as shown in Fig. 4. When actually executing a protocol that requires additional cards, this \({\textsf {add}}\) operation is necessary.

Fig. 4
figure 4

Add operation: adding two cards

Full size image

Therefore, altogether, the actual execution of a card-based protocol invokes four kinds of operations: \({\textsf {add}}\), \({\textsf {turn}}\), \({\textsf {perm}}\), and \({\textsf {shuffle}}\).

3.2 Analysis of the number of operations in each protocol

In this subsection, we analyze the number of operations in each of the seven existing AND protocols shown in Table 1. To this end, we use the KWH-tree [6] developed by Koch, Walzer, and Härtel, which is a diagram showing the state transition.

Let us take the KWH-tree of \({\mathcal {P}}_{\mathrm {Sti}}\) shown in Fig. 5 as an example to explain the notation of the KWH-tree. Each box is associated with the “visible sequence trace” that means transitions of a sequence of cards visible from the table during the execution of the protocol. In each box, there are sequences of colors and the associated polynomials next to them. A polynomial represents the conditional probability that the current sequence is compatible with the associated sequence of colors (given the visible sequence trace), where \(X_{ij}\) denotes the probability that the input is (ij).

3.2.1 Stiglic’s protocol

We first analyze \(\mathcal {P_\mathrm {Sti}}\) in detail. The KWH-tree of \(\mathcal {P_\mathrm {Sti}}\) is shown in Fig. 5. This figure enables us to count all the operations appearing in \(\mathcal {P_\mathrm {Sti}}\), as follows:

  1. 1.

    The number of \({\textsf {add}}\) (adding a card) operations The number of \({\textsf {add}}\) operations in \(\mathcal {P_\mathrm {Sti}}\) is four, because we add four cards to execute the protocol.

  2. 2.

    The number of \({\textsf {turn}}\)(turning over a card) operations Firstly, we execute the \({\textsf {turn}}\) operation four times, because we need to turn over the four added cards after checking their colors. Secondly, we require the \({\textsf {turn}}\) operation twice because of \(\left( \mathsf {turn},{\{1,2\}}\right) \) after applying the first random cut. At this time, the probability that or appears and the protocol terminates is \(\frac{1}{8}\times 2\). On the other hand, the probability that the protocol terminates by \(\left( \mathsf {turn},{\{3\}}\right) \) is \(\frac{3}{8}\times \frac{1}{3}\times 2\). If the protocol does not terminate by \(\left( \mathsf {turn},{\{3\}}\right) \), we have to turn over the three face-up cards and execute \(\left( \mathsf {turn},{\{1,2\}}\right) \) again after applying a random cut. Consequently, the expected number of \({\textsf {turn}}\) operations in \(\mathcal {P_\mathrm {Sti}}\) is

    $$\begin{aligned} 4\,+\,{\displaystyle \Sigma _{n=1}^{\infty }}\left( \left( 12n-7\right) \times 1\text{/ }4\times \left( 1\text{/ }2\right) ^{n-1}\right) = 12.5. \end{aligned}$$
  3. 3.

    The number of \({\textsf {perm}}\) (rearranging a sequence of cards) operations We use no \({\textsf {perm}}\) operation in \(\mathcal {P_\mathrm {Sti}}\), and hence, the number of utilizations of the \({\textsf {perm}}\) operation is 0.

  4. 4.

    The number of \({\textsf {shuffle}}\) (shuffling a sequence of cards) operations As seen in the calculation for \({\textsf {turn}}\), the probability that \(\mathcal {P_\mathrm {Sti}}\) terminates by \(\left( \mathsf {turn},{\{1,2\}}\right) \) is \(\frac{1}{4}\). The probability that \(\mathcal {P_\mathrm {Sti}}\) terminates by \(\left( \mathsf {turn},{\{3\}}\right) \) is \(\frac{1}{4}\), and the probability that \(\mathcal {P_\mathrm {Sti}}\) does not terminate and gets into a loop is \(\frac{1}{2}\). Therefore, the expected number of \({\textsf {shuffle}}\) operations is 2.

Thus, the numbers of \({\textsf {add}}\), \({\textsf {turn}}\), \({\textsf {perm}}\), and \({\textsf {shuffle}}\) operations are 4, 12.5, 0, and 2, respectively. See the line of \(\mathcal {P_\mathrm {Sti}}\) in Table 2.

Fig. 5
figure 5

\({\mathcal {P}}_\mathrm {Sti}\)’s KWH-tree

Full size image

3.2.2 Crépeau and Kilian’s protocol

We also create the KWH-tree of \(\mathcal {P_\mathrm {CK}}\) (Crépeau and Kilian’s protocol [3]) as shown in Fig. 6, which tells us that the numbers of \({\textsf {add}}\), \({\textsf {turn}}\), \({\textsf {perm}}\), and \({\textsf {shuffle}}\) operations are 6, 21, 1, and 8, respectively. See the line of \(\mathcal {P_\mathrm {CK}}\) in Table 2.

Table 2 The number of operations in the practical AND protocols
Full size table
Fig. 6
figure 6

\({\mathcal {P}}_\mathrm {CK}\)’s KWH-tree; this figure is rotated clockwise by \(90^\circ \). Note that we use (six) \(\mathsf {perm}^*\) in this figure for avoiding the KWH-tree to be complicated; the original \({\mathcal {P}}_\mathrm {CK}\) in [3] does not use them, and we do not count the number of them for Table 2

Full size image

3.2.3 Niemi and Renvall’s protocol

The KWH-tree of \(\mathcal {P_\mathrm {NR}}\) is shown in Fig. 7, from which we can count the numbers of operations as shown in Table 2.

Fig. 7
figure 7

\({\mathcal {P}}_\mathrm {NR}\)’s KWH-tree, where \(X_{0}=X_{00}+X_{01}+X_{10}\) and \(X_{1}=X_{11}\). The above left part makes two copied commitments to a, the above right part makes two copied commitments to b, and the bottom part produces a commitment to \(a\wedge b\) from these four commitments

Full size image

3.2.4 Abe, Hayashi, Mizuki, and Sone’s protocol

The KWH-tree of \(\mathcal {P_\mathrm {AHMS}}\) is shown in Fig. 8, from which we can count the numbers of operations as shown in Table 2.

Fig. 8
figure 8

\({\mathcal {P}}_\mathrm {AHMS}\)’s KWH-tree [1], where \(X_0=X_{00}+X_{01}+X_{10}\) and \(X_1=X_{11}\)

Full size image

3.2.5 The others

The KWH-tree of \(\mathcal {P_\mathrm {MS}}\) (Mizuki and Sone’s protocol [13]) has been given in some existing literatures (e.g., [6, 12]). Utilizing this KWH-tree, we are able to count each operation in \(\mathcal {P_\mathrm {MS}}\). Table 2 summarizes the result.

In addition, we conducted the same calculation for the two KWH protocols [6]. Table 3 shows the number of operations in the protocols. These protocols need shuffles which have non-uniform probability distributions,Footnote 3 and hence, they need special indistinguishable boxes or envelopes [16] to be implemented. Therefore, we have judged that these two protocols are more time-consuming than the other five protocols. Therefore, in the sequel, we focus on the five protocols in Table 2, which we call “practical” AND protocols.

3.3 Execution time of protocols

In this subsection, we present an expression for the execution time of each protocol based on four metrics. First, we denote the execution time of \({\textsf {add}}\), \({\textsf {turn}}\), \({\textsf {perm}}\), and \({\textsf {shuffle}}\) by \({ {t_\mathrm {add}}}\), \({ {t_\mathrm {turn}}}\), \({ {t_\mathrm {perm}}}\), and \({ {t_\mathrm {shuf}}}\), respectively. In addition, \(\mathrm {Time\left( {\mathcal {P}}\right) }\) denotes the overall execution time of a protocol \({\mathcal {P}}\). Then, the execution time of the protocols in Table 2 can be simply expressed as follows:

  1. 1.

    Crépeau & Kilian’s protocol (\(\mathcal {P_\mathrm {CK}}\)): \(\mathrm {Time\left( {\mathcal {P}}_\mathrm {CK}\right) } = 6{{ {t_\mathrm {add}}}}+21{{ {t_\mathrm {turn}}}}+{{ {t_\mathrm {perm}}}}+8{{ {t_\mathrm {shuf}}}}\).

  2. 2.

    Niemi & Renvall’s protocol (\(\mathcal {P_\mathrm {NR}}\)): \(\mathrm {Time\left( {\mathcal {P}}_\mathrm {NR}\right) } = 8{{ {t_\mathrm {add}}}}+28{{ {t_\mathrm {turn}}}}+2.5{{ {t_\mathrm {perm}}}}+7.5{{ {t_\mathrm {shuf}}}}\).

  3. 3.

    Stiglic’s protocol (\(\mathcal {P_\mathrm {Sti}}\)): \(\mathrm {Time\left( {\mathcal {P}}_\mathrm {Sti}\right) } = 4{{ {t_\mathrm {add}}}}+12.5{{ {t_\mathrm {turn}}}}+2{{ {t_\mathrm {shuf}}}}\).

  4. 4.

    Mizuki & Sone’s protocol (\(\mathcal {P_\mathrm {MS}}\)): \(\mathrm {Time\left( {\mathcal {P}}_\mathrm {MS}\right) } = 2{{ {t_\mathrm {add}}}}+4{{ {t_\mathrm {turn}}}}+2{{ {t_\mathrm {perm}}}}+{{ {t_\mathrm {shuf}}}}\).

  5. 5.

    Abe & Hayashi & Mizuki & Sone’s protocol (\(\mathcal {P_\mathrm {AHMS}}\)): \(\mathrm {Time\left( {\mathcal {P}}_\mathrm {AHMS}\right) } = {{ {t_\mathrm {add}}}}+17{{ {t_\mathrm {turn}}}}+6{{ {t_\mathrm {perm}}}}+7{{ {t_\mathrm {shuf}}}}\).

In the next section, we make a comparison to determine the most efficient and practical protocol.

4 Comparison of the protocols

In this section, we evaluate the efficiency of the five practical AND protocols in Table 2 and discuss which protocol is the most efficient.

4.1 Efficiency comparison based on the execution time

In this subsection, we compare the execution times of the protocols.

First, we compare each coefficient of equation shown in Sect. 3.3 or Table 2. Obviously, we obtain the following inequalities:

$$\begin{aligned}&\mathrm {Time\left( {\mathcal {P}}_\mathrm {Sti}\right) } \,< \mathrm {Time\left( {\mathcal {P}}_\mathrm {CK}\right) }, \\&\mathrm {Time\left( {\mathcal {P}}_\mathrm {Sti}\right) } \, < \mathrm {Time\left( {\mathcal {P}}_\mathrm {NR}\right) }. \end{aligned}$$

Therefore, \({\mathcal {P}}_\mathrm {Sti}\) is superior to \({\mathcal {P}}_\mathrm {CK}\) and \({\mathcal {P}}_\mathrm {NR}\).

Next, we compare \({\mathcal {P}}_\mathrm {Sti}\) with \({\mathcal {P}}_\mathrm {MS}\). At first glance, the coefficients might give us an impression that \({\mathcal {P}}_\mathrm {MS}\) would be better than \({\mathcal {P}}_\mathrm {Sti}\). However, we cannot immediately come to a conclusion because \(\mathrm {Time\left( {\mathcal {P}}_\mathrm {MS}\right) }\) has \(2{{ {t_\mathrm {perm}}}}\), while \(\mathrm {Time\left( {\mathcal {P}}_\mathrm {Sti}\right) }\) has no \({{ {t_\mathrm {perm}}}}\). Therefore, we actually measured the duration of each operation by manipulating real cards. For its experimental method and detailed result, see Appendix A.

Table 3 The number of operations in the KWH protocols [6]
Full size table

As a result, our measurement provides us the following relationship:

$$\begin{aligned} { {t_\mathrm {add}}}= { {t_\mathrm {turn}}}\ \ \mathrm {and} \ \ 0.1{ {t_\mathrm {perm}}}< { {t_\mathrm {turn}}}. \end{aligned}$$
(3)

Moreover, it is reasonable to assume that

$$\begin{aligned} { {t_\mathrm {perm}}}< { {t_\mathrm {shuf}}}, \end{aligned}$$

because the shuffling operation generally takes more time than the rearrangement operation. From these assumptions, we have \(\mathrm {Time\left( {\mathcal {P}}_\mathrm {MS}\right) } < \mathrm {Time\left( {\mathcal {P}}_\mathrm {Sti}\right) }\).

Finally, we compare \({\mathcal {P}}_\mathrm {MS}\) with \({\mathcal {P}}_\mathrm {AHMS}\). Because we have assumed that \({ {t_\mathrm {add}}}={ {t_\mathrm {turn}}}\) as the above, we have \(\mathrm {Time\left( {\mathcal {P}}_\mathrm {MS}\right) }<\mathrm {Time\left( {\mathcal {P}}_\mathrm {AHMS}\right) }\).

As a result, we may conclude that \({\mathcal {P}}_\mathrm {MS}\) is the protocol with the least execution time (as long as we admit the above assumptions).

One might think that the execution time of the shuffle used in \({\mathcal {P}}_{\mathrm {Sti}}\) (i.e., a random cut) and the execution time of the shuffle used in \({\mathcal {P}}_{\mathrm {MS}}\) and \({\mathcal {P}}_{\mathrm {AHMS}}\) (i.e., a random bisection cut) are different. We note that the authors in [24] showed that a random bisection cut can be reduced to a random cut if the backsides of all cards are vertically asymmetric such as . Therefore, we may assume that they are the same. Moreover, we measured the execution time of the secure implementation for a random bisection cut proposed in [24], which uses additional tools such as a ball and a rubber band; if we use this implementation, \({\mathcal {P}}_{\mathrm {Sti}}\) is faster (see Sect. 4.3 for the details).

4.2 Impact of execution time of shuffling

In the previous subsection, we assumed that \({ {t_\mathrm {perm}}}< { {t_\mathrm {shuf}}}\) holds. In this subsection, we further investigate how the difference between \({ {t_\mathrm {perm}}}\) and \({ {t_\mathrm {shuf}}}\) affects the overall execution time of a protocol. To this end, we regard \({ {t_\mathrm {shuf}}}\) as a variable and other metrics \({ {t_\mathrm {add}}}\), \({ {t_\mathrm {turn}}}\), and \({ {t_\mathrm {perm}}}\) as constants. Specifically, based on our measurement of the actual execution time, we fixFootnote 4

$$\begin{aligned} {{ {t_\mathrm {add}}}} = {{ {t_\mathrm {turn}}}} = 0.8 \ (\mathrm {sec.}), \ \ {{ {t_\mathrm {perm}}}} = 7{{ {t_\mathrm {turn}}}}. \end{aligned}$$
(4)

Then, we vary the value \({ {t_\mathrm {shuf}}}\) from three seconds to sixty seconds; Fig. 9 shows the result. According to this figure, \({\mathcal {P}}_\mathrm {Sti}\) and \({\mathcal {P}}_\mathrm {MS}\) are considered to be more efficient.

Fig. 9
figure 9

The total execution time of each protocol for different shuffle times

Full size image

4.3 Execution time of the secure implementation proposed in [24]

As shown in Table 2, we counted the numbers of the shuffles used in the practical AND protocols in the same way even if they are different. This is because a random bisection cut used in \({\mathcal {P}}_{\mathrm {MS}}\) and \({\mathcal {P}}_{\mathrm {AHMS}}\) can be reduced to the application of the Hindu cut to a sequence of cards if the backsides are vertically asymmetric, as mentioned before. On the other hand, the authors in [24] proposed a secure implementation of a random bisection cut using additional tools such as a ball and rubber band, which does not depend on a pattern of the backsides. Therefore, it is reasonable to consider the case where one uses such an implementation of a random bisection cut in \({\mathcal {P}}_{\mathrm {MS}}\), which might affect our conclusion that \({\mathcal {P}}_{\mathrm {MS}}\) is the fastest one. For this, we measured the execution time of it (denoted by \(t_{\mathrm {RBC}}\)) by manipulating real tools that are exactly the same ones used in [24]. Its experimental method and result are shown in Appendix A.2.

As a result, we found that \(t_{\mathrm {RBC}}>120\,\mathrm {sec}\). Because the authors in [25] showed that it suffices to apply the Hindu cut for 30 s, we derive the following relationship:

$$\begin{aligned} t_{\mathrm {RBC}}>4t_{\mathrm {HC}}, \end{aligned}$$

where \(t_{\mathrm {HC}}\) denotes the execution time of applying the Hindu cut. From this, we have \(\mathrm {Time\left( {\mathcal {P}}_\mathrm {Sti}\right) }<\mathrm {Time\left( {\mathcal {P}}_\mathrm {MS}\right) }\), and hence, we may conclude that \({\mathcal {P}}_{\mathrm {Sti}}\) is the fastest one (on average) if one uses the above implementation [24].

5 Further investigation of rearrangement operations

In the previous section, we varied the value \({ {t_\mathrm {shuf}}}\), while \({ {t_\mathrm {perm}}}\) is fixed. In this section, we discuss possible necessity of varying the value \({ {t_\mathrm {perm}}}\).

We now enumerate in Table 4 the \({\textsf {perm}}\) operations used in the protocols shown in Table 2. Let us take a look at \(\left( \mathsf {perm},{\left( 2\,4\,3\right) }\right) \) used in \({\mathcal {P}}_{\mathrm {MS}}\) as an example. This rearrangement operation can be done by exchanging the second card and the portion consisting the third and fourth cards:

As in this example, any cyclic permutation of the form \(\left( i_1\,i_2\,\cdots \,i_\ell \right) ^j\) for some j, \(1\le j \le \ell -1\) such that \(i_1<i_2<\cdots <i_\ell \) can be done by exchanging two “portions” of cards. Therefore, we can assume that the execution times of the permutations shown in Table 4 except for the ones used in \({\mathcal {P}}_{\mathrm {CK}}\) and \({\mathcal {P}}_{\mathrm {NR}}\) are the same.

In contrast, \(\left( \mathsf {perm},{\left( 2\,3\,6\,4\,7\,5\right) }\right) \) used in \({\mathcal {P}}_{\mathrm {CK}}\) and

$$\begin{aligned} \begin{aligned} \pi _1&=\begin{pmatrix} 1 &{} 2 &{} 3 &{} 4 &{} 5 &{} 6 &{} 7 &{} 8 &{} 9 &{} 10 \\ 8 &{} 7 &{} 9 &{} 10 &{} 2 &{} 1 &{} 4 &{} 3 &{} 5 &{} 6 \end{pmatrix},\\ \pi _2&=\begin{pmatrix} 3 &{} 4 &{} 5 &{} 6 &{} 7 &{} 8 &{} 9 &{} 10 &{} 11 &{} 12 \\ 6 &{} 7 &{} 3 &{} 11 &{} 8 &{} 12 &{} 5 &{} 4 &{} 10 &{} 9 \end{pmatrix} \end{aligned} \end{aligned}$$
(5)

(and similar ones) used in \({\mathcal {P}}_{\mathrm {NR}}\) are not such a form. First, \(\left( \mathsf {perm},{\left( 2\,3\,6\,4\,7\,5\right) }\right) \) can be illustrated as follows:

To perform this, we move the second card to the third position and the fifth card to the second position and then exchange the portions consisting the third and fourth cards with the portion consisting the sixth and seventh cards. We actually measured the execution time of this move by manipulating real cards. As a result, we found that \(\left( \mathsf {perm},{\left( 2\,3\,6\,4\,7\,5\right) }\right) \) takes approximately four times as long as just exchanging two portions.

Table 4 Permutations used in the practical AND protocols, where \(\pi _1\) and \(\pi _2\) are given in Eq. 5
Full size table

Remember that \(\pi _1\) is one of the six permutations appeared in the left part of \({\mathcal {P}}_{\mathrm {NR}}\)’s KWH-tree in Fig. 7. These six permutations are similar: They move the first to fourth cards to the seventh to tenth, the fifth to eighth cards to the first to fourth, and the ninth and tenth cards to the fifth and sixth, respectively. Among the six permutations, \(\left( \mathsf {perm},{\pi _1}\right) \) should take the longest time. We also actually measured the execution time of this move. As a result, we found that it takes approximately nine to ten times as long as just exchanging two portions.

Finally, \(\pi _2\) is one of the six permutations appeared in the right part of \({\mathcal {P}}_{\mathrm {NR}}\)’s KWH-tree. These six permutations are also similar: They move the third and fourth cards to the sixth and seventh, the ninth to tenth cards to the fourth and fifth, and the eleventh to twelfth cards to the ninth to tenth, respectively. They also move the revealed black cards to the third and eighth and the revealed red cards to the eleventh and the twelfth. We also actually measured the execution time of \(\left( \mathsf {perm},{\pi _2}\right) \), which should take the longest time among the six permutations. As a result, we found that it takes approximately eleven to twelve times as long as just exchanging two portions.

Therefore, \(\mathrm {Time\left( {\mathcal {P}}_\mathrm {CK}\right) }\) and \(\mathrm {Time\left( {\mathcal {P}}_\mathrm {NR}\right) }\) could be larger than those in Sect. 3.3. However, even if so, the statement that \({\mathcal {P}}_\mathrm {MS}\) is the protocol with the least execution time (which we concluded in Sect. 4.1) does hold.

The detailed results for measuring the execution time of applying the four permutations can be seen in Appendix A.3.

6 Conclusion

The widely-used efficiency evaluation metrics of card-based protocols do not capture the number of operations fully, and hence, it is difficult to estimate their execution time accurately. Therefore, we considered all kinds of possible operations so that we have four metrics, and focused on counting the number of operations comprehensively to estimate the execution time of protocols. Our new criteria allow us to evaluate the efficiency of protocols. Thus, we were able to compare the execution time of the protocols. Some reasonable assumptions concluded that the Mizuki–Sone AND protocol [13] is the most efficient and practical as an AND protocol in terms of the execution time.

To count the number of operations, we created KWH-trees for \(\mathcal {P_\mathrm {CK}}\) and \(\mathcal {P_\mathrm {Sti}}\) as shown in Figs. 5 and 6, respectively. This is the first attempt to describe KWH-trees for these previous protocols, and we believe that Figs. 5 and 6 themselves form one of the major contributions of this paper.

Intriguing future work involves applying our new criteria to other existing protocols using different types of cards (e.g., [21, 22]) or those using private operations (e.g., [14, 17,18,19]).