A Single Shuﬄe Is Enough for Secure Card-Based Computation of Any Boolean Circuit

Secure computation enables a number of players each holding a secret input value to compute a function of the inputs without revealing the inputs. It is known that secure computation is possible physically when the inputs are given as a sequence of physical cards. This research area is called card-based cryptography. One of the important problems in card-based cryptography is to minimize the number of cards and shuﬄes , where a shuﬄe is the most important (and somewhat heavy) operation in card-based protocols. In this paper, we determine the minimum number of shuﬄes for achieving general secure computation. Somewhat surprisingly, the answer is just one , i


Background
Let x = (x 1 , x 2 , · · · , x n ) ∈ {0, 1} n be a secret input and f : {0, 1} n → {0, 1} be a Boolean function. Suppose that each bit of the secret input is encoded by a pair of cards with the following encoding rule: ♣ ♡ if it is 0 and ♡ ♣ if it is 1. A pair of face-down cards ? ? whose encoding value is x i ∈ {0, 1} is called a In terms of the number of shuffles, the best known upper bound is n for n-variable Boolean circuits, which is shown by Shinagawa, Mizuki, Schuldt, Nuida, Kanayama, Nishide, Hanaoka, and Okamoto [14] 1 . Note that a trivial lower bound is one because we cannot securely compute any non-trivial function without shuffles. Indeed, if at least one of cards corresponding to the commitment to x 1 ∈ {0, 1} (the first input bit) is opened at some stage of the protocol, the input bit x 1 is completely revealed, thus insecure. Otherwise, the execution of the protocol cannot depend on the input value x 1 , therefore the correctness cannot be achieved.

Our Result
In this paper, we answer one of the most important open questions: What is the minimum number of shuffles to compute any Boolean circuit?
Surprisingly, the answer is just one; it matches to the trivial lower bound. The type of the shuffle is so-called uniform and closed (see Section 2.3). It is considered to be relatively easy to implement. Moreover, the number of cards required to our protocol is only proportional to the size of the circuit. This is achieved by introducing the garbled circuit methodology [15] into the area of card-based cryptography.
Next we consider the following question: What is the minimum number of shuffles to compute any Boolean circuit using well-known shuffles only?
Although we do not have the complete answer, we construct a nearly optimal protocol that requires two pile-scramble shuffles only. This is done by developing a new technique, which we call a batching technique. This technique enables to combine multiple independent pile-scramble shuffles into a single pile-scramble shuffle (using some additional auxiliary cards).

Our Techniques
Garbled circuit technique. Roughly speaking, the usual garbled circuit technique to securely evaluate a circuit proceeds as follows; (I) represent each gate in the circuit as the truth table of the associated function {0, 1} 2 → {0, 1}; (II) randomly permute the four input-output pairs in the truth table, in order to prevent leakage of the output value when the gate is evaluated; (III) randomly encode each of the inputs and outputs in the truth table (in a consistent manner between the output of the previous gate and the corresponding input(s) of the subsequent gate(s)), in order to hide the input values; (IV) then successively open one true output value among the four in the randomly encoded truth table of each gate, from bottom to top. Protocol 1 in Section 3 is a translation of the process described above into a card-based protocol, where the random permutations in (II) and the random encoding in (III) are realized by shuffle operations (the aforementioned consistency in (III) between the gates are assured by the property of pile-scramble shuffles). See Section 3 for details. Based on the garbled circuit construction, we obtain a general-purpose protocol with one shuffle immediately. We call the resulting protocol Protocol 2. This is done by aggregating all shuffles in the garbled circuit construction into one shuffle. This strategy works because all shuffles in the garbled circuit construction are successively applied.
To the authors' best knowledge, our present work is the first attempt to effectively adapt the garbled circuit methodology to card-based protocols. The reason of why the application of garbled circuits to card-based protocols has not been investigated so far can be presumed as follows. In the early days of cardbased cryptography (from the first work by den Boer [3] in 1989 to the seminal work by Mizuki and Sone [10] in 2009), secure multi-party computation based on garbled circuits was considered fairly inefficient compared to the methodology of successively evaluating fundamental gates based on the secret sharing. In fact, the main techniques for improving the efficiency of garbled circuits was developed in recently (e.g., free XOR gates [8] was proposed in 2008 and half gates [16] was proposed in 2015). For this reason, in the card-based setting as well, the techniques for securely evaluating each fundamental gate have been well established. One of the main contributions of this work is to reveal, as opposed to the intuition described above, that even a naive application of the garbled circuit technique to card-based protocols is not very inefficient compared to the aforementioned successive gate evaluation methodology.
The reason of efficiency improvement by moving to the card-based setting can be explained as follows. In the ordinary setting of garbled circuits, in order to prevent an attack to open more than one output value at some gate, the input values in the truth table should be (randomly) encoded into a significantly large string, as otherwise the adversarial party who is locally evaluating the garbled circuit can guess the encoded inputs other than that given by the previous gates. In contrast, in the card-based setting, a protocol is supposed to be jointly executed by all parties in a public environment, therefore such a dishonest attempt to open more than one output value can be automatically prevented and consequently the garbled truth table may be as small as the original truth table. This phenomenon reflects the typical property of card-based protocols. Note that while the usual garbled circuit technique needs "decryption keys" to evaluate a garbled circuit, the card-based garbled circuit technique does not need them, as one can open a commitment by just turning the cards. Thus in the card-based setting, an oblivious transfer, which is necessary to achieve secure computation with the usual garbled circuits, is not needed.
Moreover, the more important property of the card-based garbled circuit technique which we find in this work is the compatibility with parallel processing of shuffles. Namely, among the four steps in the garbled circuit technique described above, the random permutations (shuffles) for the truth tables in step (II) can be performed in parallel for all gates, and the random encoding (shuffles) of the truth tables in step (III) can be performed in parallel for all input/output bits of the gates, too. The parallel executability of shuffles combined with our batching technique explained in Section 5 achieves a protocol with two efficiently implementable shuffles described in Section 6. In contrast, the existing methodology of successively evaluating fundamental gates is not compatible with the parallel processing; in fact, in this methodology, a shuffle for evaluating a gate cannot be performed until the inputs to the gate are determined by the previously evaluated gates.
Batching technique. Another main contribution of this work is to develop a novel technique to convert a number of certain shuffles performed in parallel into a single shuffle. This is a key tool to construct our protocol with two pilescramble shuffles (Protocol 3), which is an operation of applying a hidden and uniformly random permutation to a sequence of piled cards. Here the number of cards in a pile is supposed to be equal for all the piles in order to make the shuffled piles indistinguishable from each other. Pile-scramble shuffles are used in our protocols as well as in many existing card-based protocols. We also note that this is a kind of general technique, so that this technique is expected to lead to many other applications in card-based cryptography, which will be future research topics.
To explain the batching technique, here we use a small example of combining a pile-scramble shuffle of k piles and a pile-scramble shuffle of ℓ piles. The underlying idea is to first apply a pile-scramble shuffle to the whole of k + ℓ piles and then divide the resulting piles into the first set of k piles and the second set of ℓ piles. Now both of the first k piles and the second ℓ piles are individually shuffled uniformly at random whenever the shuffle for the whole of k + ℓ piles is uniformly random. However, this naive idea does not work in general when the piles consist of face-down cards and the symbols on the front sides of the cards cannot be revealed; in fact, it is impossible in this case to detect the k piles in the first set among the k + ℓ shuffled piles. To overcome this issue, before performing the shuffle, we append some auxiliary face-down cards to the top of each pile, where the auxiliary cards for each of the first k piles (respectively, the second ℓ piles) encode the information that this pile belongs to the first (respectively, second) set of piles. Then even after the shuffle, the piles in the two sets are still distinguishable from each other while keeping the front sides of the original cards secret, by opening the auxiliary cards for each pile only.
We note that this technique requires two kinds of additional cards. One is as mentioned above to make the piles from different sets of piles distinguishable from each other. The other is to equalize the numbers of cards in the piles from different sets of piles, which is required in general since the numbers of cards in the piles must be equal in a pile-scramble shuffle. See Section 5 for details. Therefore, our batching technique increases the total number of cards used in a protocol (see Section 6 for details); but we emphasize that the number of cards in our resulting protocol with two pile-scramble shuffles is still not very large in comparison to the previous shuffle-efficient general-purpose protocol in [13] which requires an exponentially (in the number of inputs) large number of cards. Note that the protocol [13] was the only existing protocol with a small number of shuffles which is fewer than the number of gates in the circuit.

Related Works
The Five-Card Trick, which is a card-based AND protocol using five cards, was proposed by den Boer [3]. Crépeau and Kilian [2] achieved to securely compute any function by constructing protocols for fundamental gates and successively evaluating them. While they are Las-Vegas 2 protocols, Mizuki and Sone [10] constructed finite-runtime protocols for fundamental gates with improving the numbers of cards and shuffles. It yields a general-purpose protocol with q shuffles, where q is the number of gates in a circuit. Shinagawa et al. [13] constructed a general-purpose protocol with 2n shuffles, where n is the number of the input bits. However, up until now, it is still unknown that a constant number of shuffles is sufficient to securely compute any function. In this paper, we show that only one shuffle is sufficient to securely compute any function f : {0, 1} n → {0, 1} m with small number of cards. Our work achieves the first general-purpose protocol with a constant number of shuffles.
Our protocol with a single shuffle (Protocol 2) uses a uniform and closed shuffle. On the other hand, some existing protocols used non-uniform and/or non-closed shuffles [7,12]. It is known that uniform and closed shuffles are easy to implement compared to non-uniform and/or non-closed shuffles. See Section 2.3 for details.
Our protocol with two shuffles (Protocol 3) uses two pile-scramble shuffles. This kind of shuffles is first proposed by Ishikawa et al. [5] to give a protocol which securely generates a random permutation without fixed points. One of our contributions is to develop a new use of pile-scramble shuffles. Specifically, we propose a new idea called the batching technique that combines a number of pile-scramble shuffles into a single pile-scramble shuffle while the previous works [4,5] use them in order to rearrange a sequence according to a random permutation.

Organization
In Section 2, we summarize basic definitions. In Section 3, we introduce a card-based variant of the garbled circuit technique and construct Protocol 1. In Section 4, based on the garbled circuit technique, we construct a generalpurpose protocol with one shuffle (Protocol 2). In Section 5, we present the batching technique. In Section 6, based on the garbled circuit technique and the batching technique, we construct a general-purpose protocol with two pilescramble shuffles (Protocol 3).

Preliminaries
We use S k to denote the k-th symmetric group for an integer k ≥ 1, i.e., S k is the set of all permutations on the set {1, 2, . . . , k}.

Circuits
In this paper, we use the following formulation for the circuits given in [1]. A circuit C is defined as a six-tuple C = (n, m, q, L, R, G). Here, n ≥ 1 is the number of input bits, m ≥ 1 is the number of output bits, q ≥ 1 is the number of gates, L (respectively, R) is a function that takes a gate index and outputs the left (respectively, right) incoming wire of the gate, and G is a function that takes a gate index and two-bit input and returns an output value of the gate. The details of these functions are described in the next paragraph. We assume that each gate has two incoming wires and one outgoing wire, and an outgoing wire that is not an output wire of the protocol may then branch and go into several gates as the incoming wires. Accordingly, the outgoing wire of a gate and the corresponding incoming wire(s) of the subsequent gate(s) are identified with each other. We also allow a case where the two incoming wires of a gate come from the same previous gate, in order to realize by a gate a single-input function such as the NOT function. We do not allow an output wire (the wire corresponding to an output bit of the circuit) to be branched. For example, a COPY circuit that takes a single bit x and outputs two bits (x, x) must have at least two gates in order to have two output wires (see Example 2). Now we associate indices to the input bits, gates, wires, and the output bits as follows: Inputs = {1, · · · , n}, Gates = {n + 1, · · · , n + q}, Wires = {1, · · · , n + q}, Outputs = {n + q − m + 1, · · · , n + q}. A wire w ∈ Wires is called an input wire if w ∈ Inputs ∩ Wires and an output wire if w ∈ Outputs ∩ Wires. For a wire w ∈ Wires and a gate g ∈ Gates, w is called an outgoing wire of g if w = g. Then L, R : Gates → Wires \ Outputs are functions that map a gate to its left (respectively, right) incoming wire. Moreover, for each w ∈ Wires \ Outputs, we write L −1 (w), R −1 (w) to denote the set of the gates g satisfying L(g) = w (respectively, R(g) = w). Finally, G : Gates × {0, 1} 2 → {0, 1} is a function that determines the functionality of each gate; given g ∈ Gates and b 1

Card-based Protocols
In this section, we introduce several definitions about card-based protocols for describing our protocol. We follow the formalization proposed by Mizuki and Shizuya [9]. We also follow some notations described by Koch, Walzer, and Härtel [7]. Here, we only treat a finite-runtime protocol (i.e., a protocol always terminates in a finite number of steps) and our protocol only needs uniform shuffles, which are believed to be easy to implement compared to non-uniform shuffles.
A deck D is a finite multiset of symbols ♡ and ♣. For instance, D = [♡, ♡, ♣, ♣] is a deck. Intuitively, the deck is the set of front-side symbols of the physical cards used during a protocol. For a symbol c ∈ D, c ? denotes a face-up card and ? c a face-down card with symbol c, respectively. For a card α (i.e., α = c ? or α = ? c for some symbol c), top(α) and atom(α) denote the symbol in the upper side and the symbol distinct from '?', respectively. For instance, top( ? ♡ ) = ? and atom( ?
and (atom(α 1 ), · · · , atom(α t )), respectively. For a card α, swap(α) denotes the flipped card, i.e., swap( c ? ) = ? c and swap( ? , 1} * is a face-down card sequence whose arrangement represents x. As in the previous works, we define Com(0) = ( ? ♣ , ? ♡ ) and Com(1) = ( ? ♡ , ? ♣ ). (Note that top(Com(0)) = top(Com(1)) = (?, ?). Intuitively, it means that Com(0) and Com(1) are indistinguishable without turning them over.) For a bit string Intuitively, a protocol execution is a sequential process of, given an input card sequence, transforming the current card sequence step by step where the action at each step is adaptively determined according to the results of previous steps (this is an analogy of the standard formalization of algorithms in terms of Turing machines). To formalize the idea, we define a sequence trace (Γ 0 , Γ 1 , · · · , Γ t ) to be a tuple of card sequences such that Γ 0 is an input card sequence and Γ t is the current card sequence, and define the corresponding visible sequence trace to be (top(Γ 0 ), top(Γ 1 ), · · · , top(Γ t )). We define an action to be an operation that transforms the current card sequence Γ t into a card sequence Γ t+1 (and then appends Γ t+1 to the end of the sequence trace). Then a protocol is formalized as a quadruple P = (D, U, Q, A) consisting of the following objects: D is a deck, U ⊆ Seq D is a set of input card sequences, Q is a set of states having an initial state q 0 ∈ Q and a final state q f ∈ Q, and A : (Q \ {q f }) × Vis → Q × Action is an action function, where Vis is the set of visible sequences and Action consists of the following actions: • (perm, π) for π ∈ S |D| . This transforms a sequence (α 1 , · · · , α |D| ) into a permuted sequence (α π −1 (1) , · · · , α π −1 (|D|) ).
We say that a protocol P = (D, U, Q, A) computes f if the following holds: • It always terminates in a finite number of steps.
• For an execution starting from

Miscellaneous Definitions
Outcome. When P is a set of positions of size 2ℓ pointing commitments Com(a 1 ), · · · , Com(a ℓ ), we say that (a 1 , · · · , a ℓ ) is an outcome of the turning operation. For example, the following operation is (turn, {1, 2}) and the outcome of it is 1 since Com (1)  Uniform and closed shuffles. Shuffles of our model are said to be uniform because in a shuffle, a permutation is uniformly chosen. A shuffle (shuffle, Π) is said to be closed if Π is closed under the composition, i.e., for any π, π ′ ∈ Π, the composite permutation π•π ′ is also contained in Π. A uniform and closed shuffle can be implementable under the honest-but-curious assumption as follows: Each party randomly chooses a permutation from Π, and covertly rearranges the order of cards according to the permutation. Due to the uniform and closed property, the resulting sequence is equivalently distributed to the sequence applied by the shuffle (shuffle, Π). Koch and Walzer [6] showed that uniform and closed shuffles can also be implemented by applying random cuts 3 successively. Therefore, a protocol using uniform and closed shuffles only is considered to be efficient. Our main protocol uses a uniform and closed shuffle only.
Pile-scramble shuffle. Our protocol with two shuffles uses uniform and closed shuffles of special type called pile-scramble shuffles [5]. Let P 1 , · · · , P k ⊂ [|D|] be k disjoint subsets of [|D|] such that each P i has exactly ℓ elements, i.e.,  A pile-scramble shuffle is known to be implementable by physical envelopes; each pile is put into an envelope, and then the order of envelopes is scrambled. The number of envelopes required is the same as the number of piles.

Card-based Garbled Circuits
In this section, we introduce a card-based variant of the garbled circuit technique.
Before presenting our construction, we define some notations.
Let w ∈ Wires be index of a wire. (Recall that Wires = {1, · · · , n + q}.) The position of the first cards corresponding to the left (resp. right) wire w is defined by P 5, 8, 11}}). The position of the first cards corresponding to the wire w is defined by Similarly, the position of the second cards corresponding to the wire w is defined by P Our garbled circuit construction proceeds as follows.
(c) If g ≤ n + q − m, perform (turn, P Example 4 Before proving the correctness and the security of our construction, we give an example of an execution of it for the circuit given in Example 3. In Step 1 of the garbling stage, a pile-scramble shuffle is performed for every g ∈ Gates. In this example, Gates = {3}. For g = 3, forP  In Step 1 of the evaluation stage, turning operations (turn, P i ) for every i ∈ Inputs are performed as follows: ? .
Another example with more complicated circuit (having some branch) is given in Appendix.

Correctness
We show the correctness of the above protocol. In Step 1 of the garbling stage, for each gate g ∈ Gates, a pile-scramble shuffle is performed over the four sets of positionsP  second , the commitments corresponding to the wire w are flipped. Thus it is equivalent to masking the values of the commitments by an independent and uniformly random value r w ∈ {0, 1}. Therefore, after applying it, each row (a, b, G g (a, b)) corresponding to the gate g turns out to be (a ⊕ r L(g) , b ⊕ r R(g) , G g (a, b) ⊕ r g ). Finally, we conclude the proof by showing that the evaluation stage works correctly. If (a 1 , a 2 ) = (x ′ L(g) , x ′ R(g) ) (i.e. it is the case (A) in Step 2(b) of the evaluation stage), then the first row is (a 1 , a 2 , G g (a 1 ⊕r L(g) , a 2 ⊕r R(g) )⊕r g ); thus the value of the k g -th (in this case ) ⊕ r g , where x L(g) and x R(g) are the intermediate values corresponding to the wires L(g) and R(g), respectively. Similarly, we can observe that all four cases in Step 2(b) of the evaluation stage work correctly. Thus in any of the final gates g whose output is an output bit of the circuit, the value of the k g -th commitments is the correct output G g (x L(g) , x R(g) ). (Recall that the output wires are not masked by randomness in Step 2 of the garbling stage.) Therefore, the above protocol correctly computes the circuit.
Security In order to prove the security, we show that for any input distribution, a random variable of the visible sequence and a random variable of the input sequence are stochastically independent. We can observe that the random variable of the visible sequence is essentially equivalent to a random variable of the outcome obtained by turning operations in Steps 1, 2(a) and 2(c) of the evaluation stage. This is because the visible sequence (resp. the outcome) is efficiently computable from the outcome (resp. the visible sequence). Thus it is sufficient to show that the random variable of the outcome and the random variable of the input sequence are stochastically independent. This follows from the fact that the outcome distribution is computable without knowing the input. We construct such a "simulator" as follows. First, it generates, for each gate g, a uniformly random element π g from S 4 . Then the four tuple of outcomes (a 1 , a 2 ), (a 4 , a 5 ), (a 7 , a 8 ), (a 10 , a 11 ) is set to (0, 0), (0, 1), (1, 0), (1, 1) according to the permutation π g , i.e., if π g (1) = 1 then (a 1 , a 2 ) = (0, 0), if π g (2) = 4 then (a 4 , a 5 ) = (1, 1) and so on. It can be seen that the distribution of the simulated outcome is the same as the distribution of the real outcome due to the shuffles applied in the garbling stage. Thus the random variable of the outcome and the random variable of the input sequence are stochastically independent. Therefore, the protocol is secure.
The number of shuffles. It is worthwhile to count the number of shuffles in Protocol 1 to make it easier to compare it with Protocols 2 and 3. It uses |Gates| + |Wires \ Outputs| pile-scramble shuffles.

Our Protocol with One Shuffle
In this section, we construct our protocol with one shuffle. The key observation is that all shuffles in Protocol 1 can be aggregated into one shuffle because they are applied successively.
For every g ∈ Gates, there exists a closed set of permutations Π  . Define Π to be the following set of permutations: where "•" is the composition of permutations. We claim that Π is closed under the composition of permutations. It is sufficient to show that for every gate g ∈ Gates, every wire w ∈ Wires \ Outputs, every π We note that the permutation π (g) 1 ∈ Π (g) 1 corresponds to permuting four input-output pairs of the truth table t g and the permutation π corresponds to masking values of the wire w by a random bit. Since permuting and then masking is equivalent to masking and then permuting, they are commutative. For example, let t g = (a 1 a 2 a 3 , b 1 b 2 b 3 , c 1 c 2 c 3 , d 1 d 2 d 3 ) be a truth table where each triple represents an input-output pair and each i ∈ {1, 2, 3} symbol represents a wire value. Let π (g) 1 be a permutation over inputoutput pairs which moves (⃗ a, ⃗ b, ⃗ c, ⃗ d) to ( ⃗ d, ⃗ a, ⃗ b, ⃗ c) and let π (2) 2 be a permutation which flips the values of the right input wire (indexed by 2). We can observe that they are commutative as follows: a 1 a 2 a 3 , b 1 b 2 a 1 a 2 a 3 , b 1 b 2 where the overlines denote negation.
By aggregating all shuffles in Protocol 1 into a single shuffle (shuffle, Π), our main protocol is obtained.

Protocol 2 (Protocol with One Shuffle)
1. Arrange a sequence to be the initial sequence Γ x as in Protocol 1.

Perform the evaluation stage as in Protocol 1.
The number of cards is 2n + 24q. The correctness and security are easily derived from those of Protocol 1.

Batching Technique
In this section, we introduce a new technique, the batching technique, which converts multiple pile-scramble shuffles that are executable in parallel 4 into a single pile-scramble shuffle. First, we observe the simplest case such that two pile-scramble shuffles are executable in parallel.
Suppose that we wish to perform two pile-scramble shuffle: one is between "•" and "•" (two piles), and the other is among "⋆", "⋄" and " * " (three piles). Then the inserted cards are turned to be face-down cards. Then a pile-scramble shuffle among "•", "•", '⋆", "⋄" and " * " (five piles) is performed as follows. (The above figure shows an example of outcomes of the turning operation.) Finally, rearrange five piles in a way that the former two piles have ♣ and the latter piles have ♡. In this case, the fourth pile (the underlined pile in the following) is moved to the front of the second pile without changing the order of cards in each pile. By ignoring opened cards (two ♣ and three ♡), the result sequence in the following is equivalent (as probabilistic distribution) to the result sequence obtained by applying two pile-scramble shuffle sequentially.  4 We say that a shuffle (shuffle, Π) touches a subset S ⊂ {1, 2, . . . , |D|} if it holds j ∈ S if and only if there exists π j ∈ Π such that π(j) ̸ = j. We say that multiple shuffles (shuffle, Π 1 ), (shuffle, Π 2 ), . . . , (shuffle, Π ℓ ) are executable in parallel if the set S i of indices touched by (shuffle, Π i ) with i = 1, . . . , ℓ is disjoint to each other. This is the core idea of our batching technique. Now we explain the batching technique in the general case. Suppose that we wish to perform N pile-scramble shuffles: the i-th pile-scramble shuffle is among ℓ i piles of n i cards. (Thus the i-th shuffle treats ℓ i · n i cards and there are N i=1 ℓ i · n i cards in total.) Suppose that they are executable in parallel. The total number ∆ of additional cards for the batching technique is:

Our Protocol with Two Pile-Scramble Shuffles
In this section, we construct our protocol with two shuffles. It is obtained by applying the batching technique to our garbled circuit construction.

Protocol 3 (Protocol with Two Shuffles)
1. Arrange a sequence to be the initial sequence Γ x as in Protocol 1.

Apply the batching technique for all shuffles in
Step 1 of the garbling stage in Protocol 1.

Apply the batching technique for all shuffles in
Step 2 of the garbling stage in Protocol 1.

Perform the evaluation stage as in Protocol 1.
All shuffles in Step 1 (respectively Step 2) in Protocol 1 are combined into a pile-scramble shuffle since they are executable in parallel. On the other hand, it is not possible to combine all shuffles in Steps 1 and 2 into a single pile-scramble shuffle by the batching technique since they are not executable in parallel.
We note that in the former batching technique, the Padding step is not needed because all piles are having the same number of cards. The number ∆ 1 of additional cards in the former batching technique is ∆ 1 = 4q⌈log 2 q⌉. The number ∆ 2 of additional cards in the latter batching technique is: first |. Because the additional cards used in the former batching are used in the latter batching, the number of additional cards is max(∆ 1 , ∆ 2 ). Thus the total number M of cards used in our two-shuffle protocol is M = 2n + 24q + max(∆ 1 , ∆ 2 ).

Correctness
The correctness follows from that of Protocol 1 and the fact that the batching techniques do essentially the same as Steps 1 and 2 of Protocol 1.

Security
The security proof is similar to the security proof of Protocol 1. The only difference is that the simulator has to generate the outcome obtained by the batching technique (Steps 1 and 2). This part of the simulation can be easily done. The other part of the simulation is the same as that of Protocol 1. Thus the protocol is secure.
Comparing with Protocol 2 The differences between Protocols 2 and 3 are the number of shuffles, the type of shuffles, and the number of cards. Protocol 2 requires one uniform closed shuffle and 2n + 24q cards but Protocol 3 requires two pile-scramble shuffles and 2n + 24q + max(∆ 1 , ∆ 2 ) cards. Thus Protocol 2 is considered to be more efficient than Protocol 3 at least from a theoretical point of view. On the other hand, from a practical point of view, Protocol 3 is easier to implement by hand than Protocol 2 since it is easy to perform a pilescramble shuffle while the uniform closed shuffle used in Protocol 2 is somewhat complicated.
them, the authors specially thanks Goichiro Hanaoka for his worthful suggestions on this study. The authors express their appreciation to the anonymous reviewers for their valuable comments. The first author was supported during this work by JSPS KAKENHI Grant Numbers 17J01169 and 20J01192, Japan. The second author was supported during this work by JST CREST Grant Number JPMJCR14D6, Japan.