Balance-Based Cryptography: Physically Computing Any Boolean Function

Secure multi-party computation is an area in cryptography which studies how multiple parties can compare their private information without revealing it. Besides digital protocols, many unconventional protocols for secure multi-party computation using physical objects have also been developed. The vast majority of them use playing cards as the main tools. In 2024, Kaneko et al. introduced the use of a balance scale and coins in zero-knowledge proof protocols for pencil puzzles. In this paper, we extend the use of these tools to secure multi-party computation. In particular, we develop four protocols that can securely compute any $n$-variable Boolean function using a balance scale and coins.

💡 Research Summary

The paper introduces a novel family of physical secure multi‑party computation (MPC) protocols that rely solely on a double‑pan balance scale and two types of coins (heavy and light). Building on the 2024 work of Kaneko et al., which used a balance and coins for zero‑knowledge proofs of pencil puzzles, the authors extend the paradigm to compute arbitrary Boolean functions among n participants without any digital hardware. Four protocols are presented: (1) an AND protocol, (2) a threshold‑function protocol Tₖ, (3) a symmetric‑function protocol Sₙˣ, and (4) a general‑Boolean‑function protocol based on the Shannon (Boole) expansion.

Protocol 1 – AND
Each participant receives one heavy and one light coin. To encode a private bit xᵢ, the participant places the heavy coin on a designated pan if xᵢ = 1, otherwise the light coin. All participants place their chosen coins on the same side of the scale; the opposite side receives n heavy coins. The scale balances if and only if every participant contributed a heavy coin, i.e., all bits are 1. The protocol uses 3n coins (2 per participant plus n extra heavy coins) and a single comparison, and it leaks no information beyond the final Boolean result under the semi‑honest model.

Protocol 2 – Threshold Tₖ
For a given integer k (1 ≤ k ≤ n), the same encoding as in the AND protocol is used. A custom weight W = (k − 1)·w + (n − k + 1)·(w − δ) + δ² is placed on the opposite pan, where w is the weight of a heavy coin and δ is the weight difference (δ ≫ ε, the scale’s tolerance). Because W lies strictly between the total weight of k − 1 heavy + (n − k + 1) light coins and that of k heavy + (n − k) light coins, the scale tips toward the participants’ side exactly when at least k heavy coins are present, i.e., when at least k input bits equal 1. The protocol needs only 2n coins plus the custom weight (or alternatively 3n coins and a δ²‑weight coin) and a single comparison.

Protocol 3 – Symmetric Functions Sₙˣ
A symmetric Boolean function depends only on the Hamming weight of the input. Let X ⊆ {0,…,n} denote the set of Hamming weights for which the function outputs 1. For each k ∈ X a “non‑special” bag is prepared containing k heavy and n − k light coins. Additionally, a “special” bag is provided where each participant deposits a heavy coin if his bit is 1, otherwise a light coin, and marks the bag internally with a pen (the mark is invisible without opening the bag). All non‑special bags are shuffled uniformly. The protocol repeatedly selects a non‑special bag, shuffles it together with the special bag, places both on the scale, and checks for balance. If a balance occurs, the Hamming weight of the inputs equals the k of that bag, and the function outputs 1. After at most |X| iterations (or ⌈n/2⌉ after the optimization that computes the complement when |X| > n/2), the protocol terminates with output 0. The resource usage is at most ⌈n/2⌉ + 1 bags, ⌈n/2⌉ + 2 coins per participant, and ⌈n/2⌉ comparisons.

Protocol 4 – Arbitrary Boolean Functions
Any Boolean function f : {0,1}ⁿ → {0,1} can be expressed as a sum of conjunctions (Shannon expansion). Let B_f be the set of input vectors for which f evaluates to 1. For each b ∈ B_f a bag is prepared. Each participant places a heavy coin in bag b if his input bit xᵢ equals bᵢ, otherwise a light coin. After all participants have filled every bag, the bags are shuffled uniformly. For each bag, the participants pour its contents onto one pan and place n heavy coins on the opposite pan. If any bag balances, the corresponding conjunction is satisfied, and f(x) = 1. Otherwise, f(x) = 0. The protocol requires |B_f| bags, 2n − 1 comparisons, and 2n − 1 heavy and light coins per participant. When |B_f| > 2ⁿ − 1, the complement function ¬f is computed instead, reducing the number of bags to at most 2ⁿ⁻¹.

Security Model and Proof Sketch
All protocols assume a semi‑honest (honest‑but‑curious) adversary model: participants follow the prescribed steps but may try to infer additional information from observed data. The only observable outcome of each comparison is whether the two pans balance. Because the weight difference between heavy and light coins (δ) is chosen far larger than the scale’s tolerance (ε), the scale’s response is deterministic and reveals no partial weight information. Random shuffling of bags (or of the special bag with a non‑special bag) guarantees that no participant can link a particular bag to a specific Hamming weight or conjunction. Consequently, each participant learns only the final Boolean output, satisfying the standard definition of privacy in MPC under the semi‑honest model.

Practical Considerations
A key contribution is the reduction to just two coin weights, eliminating the need for a large family of distinct coin masses used in earlier balance‑based protocols. The custom weight required for threshold functions can be synthesized from a single δ²‑weight coin together with appropriate numbers of heavy and light coins, simplifying physical preparation. The protocols are amenable to classroom demonstrations, low‑resource environments, or scenarios where electronic devices are prohibited. Limitations include the reliance on a sufficiently precise balance (ε ≪ δ) and the need for truly random manual shuffling of bags, which may be mitigated by using mechanical shuffling devices or automated robotic arms.

Conclusion and Future Work
The authors have demonstrated that a balance scale and a pair of coin weights constitute a universal physical computing substrate for secure multi‑party Boolean evaluation. This expands the toolbox of physical cryptography beyond cards and envelopes, offering an intuitive, verifiable, and low‑cost alternative for secure computation. Future research directions include automating the protocols with robotic manipulators and electronic scales to handle larger n, exploring robustness against malicious (rather than merely semi‑honest) adversaries, and integrating multiple balances to achieve parallelism and reduce the number of sequential comparisons.