MIT/LCS/TM- 125 
MEt-.TTAL POK.ER 
Adi Shamir 
Ronald L. Rivest 
Leonar d M. Adleman 
February 1979 
MENTAL POKER 
by 
Adi Shamir 
Ronald L. Rivest 
Leonard M. Adleman 
January 29, 1979 
This report was prepared with the support of National . Science Foundation 
grants No.'s MCS78-05849 and MCS78-04343; and by the Office of Naval 
Research under contract No. Ncn>l4-76-C-0366. 
MASSACHUSETTS INSTITUTE OF TECHNOLOGY 
LABORATORY FOR COMPUTER SCIENCE 
CAMBRIDGE M~ACHUSETTS 02139 
Mental Poker 
by Adi Shamir, Ronald L. Rivest, and Leonard M. Adleman 
MIT . 
Cambridge, Massachusetts 02139 
November 29, 1978 
Abstract 
Can two potentially dishonest players play a fair game of poker without 
using any cards (e.g. over the phone)? 
This paper provides the fol/owing answers: 
(I) No. (Rigorous mathematical proof supplied.) 
(J) Yes. (Correct & complete protocol given.) 
Keywords: Poker, cryptography. 
This report was prepared with the support of National Science Foundation 
grants No.'s MCS78-05849 and MCS78-04343; and by the Office of Naval 
Research under contract No. NC0014-76-C-0366. 
2 
Om;e there were two "mental chess" experts who had become tired of 
· their pastime. 
"Let's play 'Mental Poker,' for variety" suggested one. 
"Sure" said the other. ''Just let me deal!" 
Our anecdote suggests the following question (proposed by Robert W. 
Floyd): 
Is it possible to play a fair game of ''Mental Poker"? 
We will give a complete (but paradoxical) answer to this question. We will first 
prove that the problem is intrinsically insoluble, and then describe a fair method 
of playing "Mental Poker". · 
I. What docs it mean to play "Mental Poker"? 
The game of "Mental Poker" is played just like ordinary poker (see 
"Hoyle"[2]) except that there are no cards: all communications between the 
players must be accomplished using messages. It may perhaps make the ground 
rules clearer if we imagine two players, Bob and Alice, who want to play poker 
over the telephone. Since it is impossible to send playing cards over a phone 
line, the entire game (including the deal) must be realized using only spoken (or 
digitally transmitted) messages bet,\·een the two players. 
\Ve assume that neither player is above cheating. "Having an ace up 
one's sleeve" might be easy if the aces don't really exist! A fair method of 
playing Mental Poker should preclude any sort of cheating. 
A fair game must begin with · a "fair deal". To accomplish this, the 
players exchange a sequence of messages according to some agreed-upon 
procedure. (The procedure may require each player to use dice or other 
randomizing devices to compute his hand or the messages he transmits.) Each 
player must then know which cards are in his hand, but must have no 
information about which cards are in the other player's hand. The dealing 
method should ensure that the hands are disjoint, and that all possible hands are 
equally likely for each player. 
I 
1· 3 
I 
During the game the players may want to draw new cards from the 
"remaining deck", or to reveal certain cards in their hand to the opposing player. 
They must be able to do so without compromising the security of the cards 
remaining in their hand. 
At the end of the game, each player must be able to check that the 
game was played fairly and that the other player has not cheated. If one player 
claimed that he was dealt four aces, the other player must now be able to 
confirm this. 
The above set of requirements makes a "fair game" of Mental Poker 
look rather difficult to achieve. To make things easier, we'll assume that both 
players own computers. This enables the use of complicated protocols (say, 
involving encryption). ,ve do not assume that either player will trust the other's 
computer. (The players could program their computers to cheat!) 
\Ve suggest that you might find it an interesting challenge to attempt 
to find on your own a method for playing Mental Poker, before reading further. 
II. Summary of Results 
\Ve will present two results on the problem of playing :'.\1ental Poker: 
(1) A rigourous proof that it is theoretically impossible to "deal the 
cards" in a ,vay ,vhich simultaneously ensures that the two hands are disjoint 
and that neither player has any knowledge of the other player's hand (other than 
that the opponent's hand is disjoint from his). 
(2) An elegant protocol for "dealing the cards" that permits one to play 
a fair game of Mental Poker as desired. 
The blatant contradiction between our two re~ults is real in that it is 
not due to any tricks or faults in either result. \Ve will, in fact, leave to the 
reader the enjoyable task of puzzling out the differences in underlying 
assumptions that account for our contradictory r' 'Sults. 
III. The Impossibility Proof 
For the sake of simplicity, we consider the minimal non-trivial case of 
dealing two different cards (one to each player) from a deck of three cards 
{X, Y, Z}. The impossibility proof for this case can be easily generalized to any 
combination of cards and hand sizes. 
4 
If a legal protocol for this case exists, then after exchanging finitely 
many messages Alice and Bob each know their card but not their opponent's 
card. These messages must coordinate the two players' choices of cards to 
prevent them from getting the same card. 
Suppose that for a particular "deal" 
- the messages exchanged are M 1, ... , Mn , 
- the card Alice actually gets is X , and 
- the card Bob actually gets is Y . 
\Ve define SA to be the set of cards that Alice could have gotten in any "deals" 
where exactly the same messages are exchanged. (Since each player may want to 
make some random choices in order to get a card which is unpredictable to the 
other player, different deals could arise with the same sequence of messages 
being exchanged.) ObYiously, the card X is in SA . 
If SA were to contain just the card X , then the deal would violate our 
requirement that Bob should have no information about Alice's card. Clearly 
the sequence of messages uniquely determines Alice's card in this case, so in an 
information-theoretic sense he has (total) information about her card. 
Furthermore, in any physically-realizable (and terminating) protocol for the deal, 
Alice has only a finite number of random computations possible, so that Bob can 
actually determine Alice's card by examining all of them which are consistent 
with the gi\'en message sequence. 
On the other hand if SA contains all three cards, then Bob cannot get 
any card •· regardless of which card he gets, the message sequence is consistent 
with the possibility that Alice's card is the same. Consequently, SA must contain 
exactly two cards. 
The set SB of cards Bob can get without altering his external behavior 
is similarly defined, and · it must also contain exactly two cards. However, the 
total number of cards in the deck is three, so that SA and SB can not be 
disjoint. (In our example, Z belongs to both sets.) Thus it could happen that 
both Bob and Alice get the card Z in the case that the message sequence is M1, 
... , i\In. Thus the protocol cannot guarantee that Bob and Alice will choose 
distinct cards. We conclude that a fair deal is impossible. 
IV. A Protocol for the Deal 
The following solution meets all the requirements for the problem. 
First of all, Bob and Alice agree on a pair of encryption and decryption 
functions E and D which have the following properties: 
5 
(1) E K_(_X) is the encrypted version of a message X under key K, 
(2) DK _(_EK _(_X)) = X for all messages X and keys K, 
(3) EK_(_EJX)) = EJEK_(_X'J) for all messages X and keys J and K, 
(4) Given X and EK(X) it is computationally impossible for a 
cryptanalyst to derive K, for all X and K, 
(5) Given any messages X and Y, it is computationally impossible to 
find keys J and K such that EJ X) = EK_(_ .Y). 
Property (3), the commutativity of encryption, is somewhat unusual 
but not impossible to achieve. Properties (4) and (5), (especially (4)), essentially 
state that E is "cryptographically strong" or "unbreakable". 
As an example of a function with the above properties, consider 
where n is a large number (prime or composite with a given factorization) which 
is known to both Bob and Alice, and where 
gcd(K, cp(n) ) = 1 . 
(<f,(n) is Euler's totient function, which can be easily computed from the pnme 
factorization of n.) 
The corresponding decoding function is 
where 
L·K = l (mod q,(n)). 
Since 
E satisfies property (3). For more details on the cryptographic strength and 
importance of this function see [1,3,4]. \Ve describe this particular encryption 
fuction here only to demonstrate that the kind of encryption functions we desire 
apparently exist; we will not make use of any particular properties this function 
has other than (1) ... (5). 
6 
Once Bob and Alice have agreed on the functions E and D (in our 
example this means agreeing on p), they choose secret encryption keys B and A 
respecti\'ely. These keys remain secret until the end of the game, when they are 
revealed to verify that no cheating has occurred. 
Bob now takes the fifty-two messages: 
"TWO OF CLUBS", 
"THREE OF CLUBS", 
"ACE OF SPADES" 
and encrypts each one (whose bit string is considered as a number) using his key 
B. (That is, he computes EB("TWO OF CLUBS"), etc.) He then shuffles 
(randomly rearranges) the encrypted deck and transmits it all to Alice. 
Alice selects five cards (messages) at random and sends them back to 
Bob; these messages Bob decodes to find out what his hand is. Alice has no 
way of knowing anything about Bob's hand since the encryption key B is known 
only to Bob. 
Now Alice selects five other messages, encrypts them with her key A, and 
sends them to Bob. Each of these five messages is now doubly encrypted as 
EA(EB(.\f)), or equivalently EB(EA(lef)), for each M. Bob decrypts these 
messages obtaining E A(M) for these five messages and sends them back to Alice. 
Alice can decrypt them using her key A to obtain her hand. Since Bob does not 
know A, he has no knowledge of Alice's hand. 
Michael Rabin suggested a nice physical analogy for the above process. 
\Ve can view encryption as equivalent to placing a padlock on a box containing 
the card . Bob initially locks all the cards in individual undistinguishable boxes 
with padlocks all of which have key B. Alice selects five boxes to return to him 
for his hand, and then sends him back five more boxes to which she has also 
added her own padlock with key A to the clasp ring. Bob removes his padlock 
from all ten boxes and returns to Alice those still locked with her padlock, for 
her hand. Notice the implicit use of commutativity in the order in which the 
padlocks are locked and unlocked. 
Should either player desire additional cards during the game, the above 
procedure can be repeated for each card. 
At the end of the game both players reveal their secret keys. Now 
either player can check that the other was "actually dealt" the cards he claimed 
to have during play. By property (5) neither player can cheat by revealing a key 
other than the one actually used (one which would give him a better h, nd). 
7 
The above procedure is easily generalized to handle more than two 
players, as well. (Details left to the reader.) Another obvious generalization is 
to use commutative encryption functions in secret communications systems to 
send arbitrary messages (rather than just card names) over a communications 
channel which is being eavesdropped. 
V. Conclusions 
\Ve have proved that the card-dealing problem is insoluble, and then 
we have presented a working solution to the problem. We leave it to you, the 
reader, 1he puzzle of reconciling these results. (Hint: Each player \\.'Ould in fact 
be able to determine the other player's hand from the available information, if it 
were not. for the enormous computational difficulty of doing so by "breaking" 
the code.) 
VI. Acknowledgements 
\Ve should like to thank Robert W. Floyd, Michael Rabin, and Albert 
Meyer for motivation and valuable suggestions. 
VII. References 
[I] Diffie, \Vhitfield and Martin E. Hellman, "New Directions in Cryptography," 
IEEE Trans. Info. Theory IT-22(Nov. 1976), 644-654. 
[2] Morehead, A. H., R. L. Frey, and G. Mott-Smith, The New Complete Hoyle, 
Garden City Books, Garden City, New York, 1947. 
[3] Pohlig, Stephen C. and ~artin E. Hellman, "An Improved Algorithm for 
Computing Logarithms over GF(p) and its Cryptographic Significance," 
IEEE Trans. Info. Theory IT-24(Jan. 1978), 106-110. 
[4] Rivest, Ronald L., Adi Shamir, and Leonard M. Adleman, "A Method for 
Obtaining Digital Signatures and Public-Key Cryptosystems," CACM 
21(Feb. 1978), 120-126.