A secure additive protocol for card players

Consider three players Alice, Bob and Cath who hold a, b and c cards, respectively, from a deck of d=a+b+c cards. The cards are all different and players only know their own cards. Suppose Alice and Bob wish to communicate their cards to each other without Cath learning whether Alice or Bob holds a specific card. Considering the cards as consecutive natural numbers 0,1,…, we investigate general conditions for when Alice or Bob can safely announce the sum of the cards they hold modulo an appropriately chosen integer. We demonstrate that this holds whenever a,b>2 and c=1. Because Cath holds a single card, this also implies that Alice and Bob will learn the card deal from the other player’s announcement.

💡 Research Summary

The paper investigates a classic information‑theoretic secrecy problem often called the “Russian cards problem.” Three participants—Alice, Bob, and Cath—draw a, b, and c distinct cards respectively from a deck of d = a + b + c cards labelled 0,…,d‑1. Alice and Bob wish to learn each other’s hands through public communication while preventing Cath from learning the ownership of any particular card.

The authors model the deck as the additive group Z/(d) and introduce the n‑ModSum protocol: for an integer n ≥ d, Alice and Bob each announce the sum of their cards modulo n. When n = d this is called the DModSum protocol; when n is the smallest prime p ≥ d it is called the LPModSum protocol. Two properties are required of any announcement:

1. Informative – after the announcements, Alice and Bob must be able to reconstruct the complete deal.
2. Secure – Cath must not be able to deduce whether any specific card belongs to Alice or to Bob.

The paper first shows that the informative property holds whenever Cath holds exactly one card (c = 1). Knowing the total sum of all cards, Alice’s announced sum, and her own hand, Bob can compute Cath’s single card; the same reasoning works for Alice. Thus the protocol is automatically informative for c = 1, regardless of n.

The security analysis is more subtle. The authors prove a necessary and sufficient combinatorial condition (Proposition 6): for every value x∈Z/(d) and every subset S of d − c − 1 cards (i.e., a + b − 1 cards), there must exist subsets A⊂S of size a and B⊂S of size b such that the modulo‑n sums of A and B both equal x. If this condition fails, Cath can construct an alternative deal consistent with the announced sum in which a particular card is forced to belong to Alice (or Bob), breaking security.

To guarantee the condition, the authors invoke a theorem originally conjectured by Erdős and Heilbronn and later proved by Dias da Silva and Hamidoune (Proposition 7). For a prime modulus d, the set of all n‑element sums of a subset A⊂Z/(d) has size at least min{d, n|A| − n² + 1}. Applying this with n = a (or b) and |A| = a + b − 1 yields a simple inequality:

 a·b − 2a − b − c + 1 ≥ 0 and a·b − 2b − a − c + 1 ≥ 0.

When c = 1 these inequalities reduce to a > 2 and b > 2. Consequently, Corollary 9 states that for deals of size (a, b, 1) with a + b + 1 prime, the DModSum protocol is secure if and only if a, b > 2.

The case where d is not prime is handled by the Least‑Prime ModSum (LPModSum) protocol: choose p, the smallest prime ≥ d, and announce sums modulo p. Using Bertrand’s postulate and Nagura’s theorem, the authors guarantee that p is at most 2d − 2 (or 6⁄5 d for larger d), ensuring p is close enough to d that the same combinatorial inequalities still hold. They prove (Theorem 13) that for all a, b ≥ 3, except the symmetric exceptional cases (a,b) = (3,4) or (4,3), the LPModSum protocol is secure for (a, b, 1).

The paper contrasts its approach with earlier design‑theoretic solutions, which required more complex combinatorial structures and multiple rounds of communication. By reducing the problem to two simple additive announcements, the authors obtain a protocol that is both conceptually minimal and provably optimal under the stated conditions. Moreover, they connect the protocol to the “bit‑exchange” problem: a single sum announcement effectively shares the secret bit “Alice holds card i” between Alice and Bob while keeping it hidden from Cath.

In summary, the authors provide a complete characterization of when additive modulo‑sum announcements enable Alice and Bob to exchange full hand information securely against a single‑card eavesdropper. The results rely on deep combinatorial number‑theoretic theorems and elementary properties of prime distribution, offering a mathematically elegant and practically simple solution to a classic cryptographic puzzle.