Should We Swap Numbers? A Secret Way to Find Out
“If you can’t explain something to a first-year student, then you haven’t really understood it.” — Richard Feynman
I was recently asked to explain some of my research to a broad, non-technical audience, and this quote started nagging at me: did I really understand secure computation well enough to make it that simple? Thankfully, a delightful corner of the field came to my rescue.
A modern dilemma
You’ve just met someone wonderful at a party, and you’d each privately like to answer the same question: would I want to swap numbers with this person?
The trouble is that neither of you wants to say it out loud. Admitting “yes” to someone who would have said “no” is exactly the kind of face-losing moment you’d rather avoid. So what you really want is only the combined answer: do we both want to exchange numbers? You’ll swap only if both of you said yes — like a dating app’s match, but with no app (and no company) sitting in the middle. How do you pull that off?
Mathematically, each of you holds a private bit — yes (1) or no (0) — and you want to compute one function of them: their logical AND. The hard part is the privacy requirement: you must learn the value of that AND and nothing else. If the answer comes out “no,” neither of you should be able to tell whether it was one no or two.
Remarkably, you can do exactly this with nothing but a handful of playing cards. Scroll through it below — the cards in the panel respond as you read — and at the end, you can run the whole thing yourself.
The goal: a private AND
Encoding: put your red card toward the center for “Yes”
The three moves of every secure protocol
Privacy isn't free
Alice and Bob each hold a private “yes” or “no.”
They want to learn one thing only: did we both say yes? Nothing about the individual answers should leak — not to a snoop, and not even to each other.
This is a logical AND.
The reveal is “Yes” in exactly one case — when both inputs are Yes. Every other combination must look identical from outside: just “No.” The hard part isn't computing AND; it's computing it without anyone learning the inputs.
“Just use a trusted referee.”
Each whispers their answer to a neutral third party, who computes the AND and announces it. Clean — but it only moves the problem: now you must trust the referee. Can we do it with no one to trust? Reach for a deck of cards.
Two cards stand in for one secret.
Take cards with identical backs; the order of a red–black pair carries the bit. To say Yes, put your red card toward the center; to say No, the reverse. Because Alice and Bob sit on opposite sides, “toward the center” is mirrored — exactly what makes a shared Yes bunch the reds together.
Each player shows their encoded answer.
Alice holds her pair on the left, Bob holds his on the right — here both are saying Yes — and a red helper card waits in the middle. For now they’re face up, so you can read them.
Turn them down and line them up.
Alice and Bob flip their cards face down and slide them into a line with the helper; then the helper flips down too. Five identical backs — the answers are locked in and unreadable, ready to shuffle.
Gather them into a ring and cut.
Slide the five cards into a circle and give it a random cyclic cut — the whole ring rotates by an amount nobody tracks. The arrangement is scrambled, but its shape is preserved.
Flip them all face-up.
Now look only at the red cards. If the three reds sit together, both said Yes. If they're split apart, at least one said No. Here both said yes — so the reds bunch up and the table reads Yes.
The shuffle is the privacy.
Because the ring was cut by a secret amount, the cards could have started anywhere. All you can read off the layout is one bit — reds together, or not — which is exactly the AND. Whose card was whose? Gone in the shuffle.
Three moves, endlessly reused.
Strip away the cards and you're left with the grammar of every privacy-preserving protocol: commit a hidden input, do some local computation, and communicate through a shared shuffle that blends secrets without exposing them.
Privacy costs more than secrecy alone.
Doing this without a referee takes extra work and back-and-forth. Real cryptographic versions replace cards with math and run many rounds — paying in computation and communication for the privacy.
Run the trick yourself.
Use the panel above to choose a mode and deal — the cards play it out live.
What you just watched
This is the five-card trick, the 1989 protocol by Bert den Boer that kicked off a small, delightful corner of cryptography called card based cryptography. The five-card trick is one entry into the field called secure multiparty computation (MPC): a set of techniques for letting people compute a shared answer from private inputs that none of them ever has to reveal. The cards make the magic tangible, but the structure is exactly the same one used in the cryptographic version:
- Commitment — fixing a secret value so it can’t be changed or read (face-down cards; in real systems, cryptographic commitments or secret shares).
- Local computation — operations each party performs on their own (turning a card; locally combining shares).
- Communication — the shared step that blends secrets without exposing them (the random cut; in real MPC, exchanging masked messages over many rounds).
And the closing caveat is real too: removing the trusted referee isn’t free. Practical MPC pays for privacy in extra computation and communication, which is why a huge amount of research goes into making it cheap enough to deploy — for things like hospitals jointly studying patient outcomes, banks detecting fraud across institutions, or auctions where no one sees the losing bids.
If you want to go deeper, the original protocol is B. den Boer, “More efficient match-making and satisfiability: the five-card trick” (EUROCRYPT ‘89), and the modern survey work by Mizuki, Sone, and others on card-based cryptography is a wonderful rabbit hole.