2.1  Coin-Based Protocols

In this paper, we denote a face-down and face-up of a coin by \(\bullet\) and \(\circ\), respectively. We use the encoding as follows:

For two coins \(a,b\in\{\bullet, \circ\}\), \(a\) stacked on top of \(b\) is denoted as \(ab\). For example, \(\bullet \circ\) represents a stack of a face-down coin on top of a face-up coin. For \(c_1, c_2, \ldots, c_k \in \{\bullet, \circ\}\), a stack of \(c_k, c_{k-1}, \ldots, c_1\) from the bottom is denoted by

and this is called a \(k\)-coin bundle. For a positive integer \(k\), we denote the set of all \(k\)-coin bundles by \(\mathsf{B}^k = \{\bullet, \circ\}^k\), and the set of all \(i\)-coin bundles for any \(i \leq k\) by

where the symbol \(\epsilon\) denotes the empty coin bundle, i.e., the \(0\)-coin bundle. For example, \(\mathsf{B}^{\leq 2} = \{\epsilon,\bullet,\circ,\bullet\bullet,\bullet\circ, \circ\bullet,\circ\circ\}\). A sequence of coin bundles is called a coin sequence, and the set of all coin sequences is denoted as \(\mathsf{S}\). We define the set of \(k\)-coin sequences by

where \(\mathsf{size}(b_i)\) is the number of coins in \(b_i\), defined by \(\mathsf{size}(b_i)=n\) if \(b_i \in \mathsf{B}^n\) and \(\mathsf{size}(\epsilon)=0\). An empty coin bundle at the end of the coin sequence can be omitted.

For a coin bundle \(b \in \mathsf{B}^k\), \(\mathsf{top}(b)\), \(\mathsf{bottom}(b)\), and \(\mathsf{turn}(b)\) denote the top of the coin bundle \(b\), the bottom of the coin bundle \(b\), and the flipped bundle \(c\), respectively. For a bundle of \(k\) coins \(c_1c_2\cdots c_k \in \mathsf{B}^k\), we have

where \(\overline{c}\) denotes the flipped coin of \(c \in \{\bullet, \circ\}\). When a face-down coin \(\bullet\) (resp. a face-up coin \(\circ\)) is flipped, it becomes \(\circ\) (resp. \(\bullet\)). For the empty coin bundle \(\epsilon\), we define

For a bit \(a \in \{0,1\}\), a commitment to \(a\) is a \(2\)-coin bundle \(\bullet a\) or \(\circ a\), i.e., a coin bundle of a dummy coin on top of the coin \(a\in \{\bullet, \circ\}\). A commitment with a face-down dummy coin \(\bullet\) is called a black commitment and a commitment with a face-up dummy coin \(\circ\) is called a white commitment. For a coin sequence \(\Gamma=(b_1, b_2, \ldots, b_n)\in \mathsf{S}^k\), we define visible sequence as \(\mathsf{top}(\Gamma) = (\mathsf{top}(b_1),\mathsf{top}(b_2),\ldots, \mathsf{top}(b_n))\). For example, the visible sequence for the coin sequence \(\Gamma=(\bullet\circ,\circ\bullet,\circ\bullet,\bullet\circ)\) is \(\mathsf{top}(\Gamma)=(\bullet,\circ,\circ,\bullet)\). The set of all visible sequences of \(k\)-coin sequences is defined by \(\mathsf{Vis}^k = \{\mathsf{top}(\Gamma) \mid \Gamma \in \mathsf{S}^k \}\).

A coin-based protocol \(P\) is defined by a four-tuple \(P=(k,U,Q,A)\) as in the model of card-based protocols [11]. Here, \(k\) is the number of coins used in the protocol, \(U \subseteq \mathsf{S}^k\) is the set of input coin sequences, \(Q\) is the set of states including the initial state \(q_{0}\in Q\) and final state \(q_{f}\in Q\), \(A:(Q-\{q_{f}\})\times \mathsf{Vis}^k \rightarrow Q\times \mathsf{Action}\) is the action function. We define the set of possible actions in the following.

We can observe that it is enough to have \((k+1)\) positions on the table to deal with \(k\) coins. This implies that any \(k\)-coin sequence can be naturally identified with \((k+1)\) coin bundles by inserting empty coin bundles. Let \(\Gamma=(b_1, b_2, b_3,\ldots, b_{k+1})\in \mathsf{S}^k\) be the current coin sequence. In this paper, we use a set of actions as follows:

Move \((\mathsf{move},n,i, j)\): Here, \(1 \leq n \leq \mathsf{size}(b_i), i, j \in \{1, 2, \ldots, k+1\}, i \neq j\). The top \(n\) coins of the coin bundle \(b_i\) is moved to the top of the coin bundle \(b_j\). For a coin sequence \(\Gamma = (\ldots, b_i^{0}b_i^{1}, \ldots, b_j, \ldots)\) with \(\mathsf{size}(b_i^{0}) = n\), this operation results in the coin sequence \(\Gamma' = (\ldots, b_i^{1}, \ldots, b_i^{0}b_j, \ldots)\).

Flip \((\mathsf{flip},i)\): Here, \(i \in \{1, 2, \ldots, k+1\}\). The coin bundle \(b_i\) is flipped. For a coin sequence \(\Gamma = (\ldots, b_i, \ldots)\), this operation results in the coin sequence \(\Gamma' = (\ldots, \mathsf{turn}(b_i), \ldots)\).

Random flip \((\mathsf{rflip},i)\): Here, \(i \in \{1, 2, \ldots, k+1\}\). The coin bundle \(b_i\) is flipped with probability \(1/2\). For a coin sequence \(\Gamma = (\ldots, b_i, \ldots)\), this operation results in \(\Gamma\) with probability \(1/2\) and the coin sequence \(\Gamma' = (\ldots, \mathsf{turn}(b_i), \ldots)\) with probability \(1/2\).

2.2  Extended Diagrams

In this paper, we use extended diagrams [8] to show the correctness and security of a protocol, which is based on the idea of KWH tree [4] and used in coin-based protocols [5], [6] (see [5], [6], [8] for the detail of extended diagrams). See Fig. 1 for an example of an extended diagram. Each node represents a state of the protocol, and an arrow represents a transition by an action from a current state to the next state. In particular, the root node represents an initial state and the protocol starts with it. A branching occurs when a move operation results in two possible visible sequences. When the protocol reaches a leaf node, it terminates and outputs a coin bundle as output.

Each node has three columns: the left column represents the visible sequence of the current coin sequence, the middle column has possible coin sequences in the current state, and the right column has the probability traces, each corresponding to the coin sequence in the middle column. For the case of two-bit input, a probability trace for a coin sequence is denoted by a four-tuple \((a_{00}, a_{01}, a_{10}, a_{11})\), where \(a_{xy}\) denotes the conditional probability that the input is \((x,y) \in \{0,1\}^2\) conditioned on the coin sequence. Since we use \(p_{00}\), \(p_{01}\), \(p_{10}\), and \(p_{11}\) to denote the probability that the input is \((0,0)\), \((0,1)\), \((1,0)\), and \((1,1)\) respectively, the initial probability trace is either \((p_{00}, 0,0,0)\), \((0, p_{01},0,0)\), \((0,0,p_{10},0)\), or \((0,0,0, p_{11})\).

The correctness of a protocol can be checked by the fact that every leaf node has a coin bundle corresponding to the output in a fixed position. The security of a protocol can be checked by the fact that, for each node, the sum of all probability traces is \((p_{00}, p_{01}, p_{10}, p_{11})\), which means that it leaks no input information.

1. Arrange the coins as follows:

   \[(\circ,\bullet a).\]

   Note that the output can be made a white commitment by setting the coin placed in the first coin bundle to \(\bullet\).

2. \((\mathsf{move},2,2,1)\): Move the second coin bundle to the first coin bundle as follows:

   \[(\bullet a \circ, \epsilon).\]

3. \((\mathsf{flip},1)\): Flip the first coin bundle as follows:

   \[(\bullet \overline{a} \circ, \epsilon).\]

4. \((\mathsf{move},2,1,2)\): Move upper two coins of the first coin bundle to the second position as follows:

   \[(\circ,\bullet \overline{a}).\]

   Output the second coin bundle as the resulting commitment and terminate the protocol.

1. Arrange the coins as follows:

   \[(\bullet, \bullet a,\bullet).\]

   Note that when the input is a white commitment, the coin to be placed in the third coin bundle is \(\circ\).

2. Apply the NOT protocol (from a black commitment to a white commitment) to the first and second coin bundles as follows:

   \[(\circ, \circ \overline{a},\bullet).\]

3. Apply the NOT protocol (from a white commitment to a white commitment) to the second and third coin bundles as follows:

   \[(\circ, \circ a,\bullet).\]

   The second coin bundle is the output commitment of the protocol.

1. Arrange the coins as follows:

   \[(0 \circ,\bullet 0 a, \epsilon).\]

2. \((\mathsf{move},3,2,1)\): Move the second coin bundle to the first coin bundle as follows:

   \[(\bullet 0 a 0 \circ,\epsilon, \epsilon).\]

3. \((\mathsf{rflip},1)\): Apply a random flip to the first coin bundle as follows:

   \[(\bullet 0 a 0 \circ,\epsilon, \epsilon)\longrightarrow(\bullet r a' r \circ,\epsilon, \epsilon),\]

   where \(r \in \{0,1\}\) is a uniformly random bit chosen by the random flip and \(a' =a\oplus r\).

4. \((\mathsf{move},2,1,2)\): Move the top two coins of the first coin bundle to the second position as follows:

   \[(a' r \circ,\bullet r, \epsilon).\]

   If \(a'= \bullet\), go to Step 5. Otherwise, go to Step 6.

5. \((\mathsf{move},2,1,3)\): Move upper two coins of the first coin bundle to the third position as follows:

   \[(\circ,\bullet r, \bullet r).\]

   Output the second and third coin bundles as the copy result and terminate the protocol. (Note that \(a = r\) in this case.)

6. \((\mathsf{move},2,2,1)\): Move the second coin bundle to the first coin bundle as follows:

   \[(\bullet r \circ r \circ, \epsilon, \epsilon).\]

7. \((\mathsf{flip},1)\): Flip the first coin bundle as follows:

   \[(\bullet \overline{r} \bullet \overline{r} \circ, \epsilon, \epsilon).\]

8. \((\mathsf{move},2,1,2)\): Move upper two coins of the first coin bundle to the second position as follows:

   \[(\bullet \overline{r} \circ,\bullet \overline{r}, \epsilon).\]

9. \((\mathsf{move},2,1,3)\): Move upper two coins of the first coin bundle to the third position as follows:

   \[(\circ,\bullet \overline{r}, \bullet \overline{r}).\]

   Output the second and third coin bundles as the copy result and terminate the protocol. (Note that \(a = \overline{r}\) in this case.)

1. Arrange the coins as follows:

   \[(0 \circ,\bullet a,\circ, \bullet b).\]

2. Apply the NOT protocol to the third and fourth coin bundles as follows:

   \[(0 \circ,\bullet a,\circ, \bullet \overline{b}).\]

3. \((\mathsf{move},1,3,1)\): Move the third coin bundle to the first coin bundle as follows:

   \[(\circ 0 \circ,\bullet a,\epsilon, \bullet \overline{b}).\]

4. \((\mathsf{move},2,2,1)\): Move the second coin bundle to the first coin bundle as follows:

   \[(\bullet a \circ 0\circ,\epsilon,\epsilon,\bullet \,\overline{b}).\]

5. \((\mathsf{move},2,4,1)\): Move the fourth coin bundle to the first coin bundle as follows:

   \[(\bullet \,\overline{b} \bullet a \circ 0 \circ,\epsilon,\epsilon,\epsilon).\]

6. \((\mathsf{rflip},1)\): Apply a random flip to the first coin bundle as follows:

   \[(\bullet \,\overline{b} \bullet a \circ 0 \circ,\epsilon,\epsilon,\epsilon)\longrightarrow (\bullet \,c \bullet a' \circ d \circ,\epsilon,\epsilon,\epsilon),\]

   where \(r \in \{0,1\}\) is a uniformly random bit chosen by the random flip, \(a' =a\oplus r\), and \((c, d) = (\overline{b} , 0)\) if \(r = 0\) and \((c, d) = (1, b)\) if \(r = 1\).

7. \((\mathsf{move},3,1,2)\): Move upper three coins of the first coin bundle to the second position as follows:

   \[(a' \circ d \circ,\bullet c \bullet,\epsilon,\epsilon).\]

   If \(a'= \bullet\), go to Step 8. Otherwise, go to Step 10.

8. \((\mathsf{move},1,1,2)\): Move the upper coin of the first coin bundle to the second coin bundle as follows:

   \[(\circ d \circ,\bullet \bullet c \bullet,\epsilon,\epsilon).\]

9. \((\mathsf{move},2,1,3)\): Move upper two coins of the first coin bundle to the third position as follows:

   \[(\circ,\bullet \bullet c \bullet,\circ d,\epsilon).\]

   Output the third coin bundle as the resulting white commitment and terminate the protocol.

10. \((\mathsf{flip},2)\): Flip the second coin bundle as follows:

    \[(\circ \circ d \circ,\circ \overline{c} \circ,\epsilon,\epsilon).\]

11. \((\mathsf{move},2,2,3)\): Move upper two coins of the second coin bundle to the third position as follows:

    \[(\circ \circ d \circ, \circ,\circ \overline{c},\epsilon).\]

    Output the third coin bundle as the resulting white commitment and terminate the protocol.

1. Arrange the coins as follows:

   \[(\circ,\circ,\bullet \,a, \bullet \,b).\]

2. \((\mathsf{move},2,3,1)\): Move the third coin bundle to the first coin bundle as follows:

   \[(\bullet \,a \circ,\circ,\epsilon, \bullet \,b).\]

3. \((\mathsf{move},2,4,2)\): Move the fourth coin bundle to the second coin bundle as follows:

   \[(\bullet \,a \circ,\bullet b \circ,\epsilon,\epsilon).\]

4. \((\mathsf{move},3,2,1)\): Move the second coin bundle to the first coin bundle as follows:

   \[(\bullet b \circ\bullet \,a \circ,\epsilon,\epsilon,\epsilon).\]

5. \((\mathsf{rflip},1)\): Apply a random flip to the first coin bundle as follows:

   \[(\bullet b \circ \bullet a \circ,\epsilon,\epsilon,\epsilon) \longrightarrow (\bullet c \circ \bullet d \circ,\epsilon,\epsilon,\epsilon),\]

   where \((c, d) \in \{(b, a), (\overline{a}, \overline{b})\}\).

6. \((\mathsf{move},3,1,2)\): Move upper three coins of the first coin bundle to the second position as follows:

   \[(\bullet d \circ ,\bullet c \circ,\epsilon,\epsilon).\]

7. \((\mathsf{flip},2)\): Flip the second coin bundle as follows:

   \[(\bullet \,d \circ ,\bullet \,\overline{c} \, \circ,\epsilon,\epsilon).\]

8. \((\mathsf{move},3,2,1)\): Move the second coin bundle to the first coin bundle as follows:

   \[(\bullet \,\overline{c} \circ \bullet \,d \, \circ,\epsilon,\epsilon,\epsilon).\]

9. \((\mathsf{rflip},1)\): Apply a random flip to the first coin bundle as follows:

   \[(\bullet \,\overline{c} \circ \bullet \, d \, \circ,\epsilon,\epsilon,\epsilon) \longrightarrow (\bullet \,e \circ \bullet \, f \, \circ,\epsilon,\epsilon,\epsilon),\]

   where \((e, f) \in \{(\overline{c}, d), (\overline{d}, c)\}\).

10. \((\mathsf{move},1,1,2)\): Move the upper coin of the first coin bundle to the second position as follows:

    \[(e \circ \bullet \, f \, \circ,\bullet,\epsilon,\epsilon).\]

    If \(e= \bullet\), go to Step 11. Otherwise, go to Step 13.

11. \((\mathsf{flip},1)\): Flip the first coin bundle as follows:

    \[(\bullet \overline{f} \circ \bullet \circ,\bullet,\epsilon,\epsilon).\]

12. \((\mathsf{move},2,1,3)\): Move upper two coins of the first coin bundle to the third position as follows:

    \[(\circ \bullet \circ,\bullet,\bullet \overline{f},\epsilon).\]

    Output the third coin bundle as the resulting black commitment and terminate the protocol.

13. \((\mathsf{move},2,1,2)\): Move upper two coins of the first coin bundle to the second coin bundle as follows:

    \[(\bullet \, f \, \circ,\circ \circ \bullet,\epsilon,\epsilon).\]

14. \((\mathsf{move},2,1,3)\): Move upper two coins of the first coin bundle to the third position as follows:

    \[(\circ,\circ \circ \bullet,\bullet f, \epsilon).\]

    Output the third coin bundle as the resulting black commitment and terminate the protocol.