Additional Constructions to Solve the Generalized Russian Cards Problem using Combinatorial Designs

In the generalized Russian cards problem, we have a card deck $X$ of $n$ cards and three participants, Alice, Bob, and Cathy, dealt $a$, $b$, and $c$ cards, respectively. Once the cards are dealt, Alice and Bob wish to privately communicate their hands to each other via public announcements, without the advantage of a shared secret or public key infrastructure. Cathy should remain ignorant of all but her own cards after Alice and Bob have made their announcements. Notions for Cathy's ignorance in the literature range from Cathy not learning the fate of any individual card with certainty (weak $1$-security) to not gaining any probabilistic advantage in guessing the fate of some set of $\delta$ cards (perfect $\delta$-security). As we demonstrate, the generalized Russian cards problem has close ties to the field of combinatorial designs, on which we rely heavily, particularly for perfect security notions. Our main result establishes an equivalence between perfectly $\delta$-secure strategies and $(c+\delta)$-designs on $n$ points with block size $a$, when announcements are chosen uniformly at random from the set of possible announcements. We also provide construction methods and example solutions, including a construction that yields perfect $1$-security against Cathy when $c=2$. We leverage a known combinatorial design to construct a strategy with $a=8$, $b=13$, and $c=3$ that is perfectly $2$-secure. Finally, we consider a variant of the problem that yields solutions that are easy to construct and optimal with respect to both the number of announcements and level of security achieved. Moreover, this is the first method obtaining weak $\delta$-security that allows Alice to hold an arbitrary number of cards and Cathy to hold a set of $c = \lfloor \frac{a-\delta}{2} \rfloor$ cards. Alternatively, the construction yields solutions for arbitrary $\delta$, $c$ and any $a \geq \delta + 2c$.


Introduction
In Section 8 we discuss a variant of the generalized Russian cards problem and present a solution using transversal designs. We discuss related work in Section 9. Finally, we give some concluding remarks in Section 10.

Combinatorial Designs
In this section, we present fundamental definitions and standard results from the theory of combinatorial designs needed in this paper. For general references on this material, we refer the reader to Stinson [25] and Colbourn and Dinitz [5]. All results stated in this section without proof can be found in [5,25].

t-designs
Definition 2.1. Let v, k, λ, and t be positive integers with v > k ≥ t. A t-(v, k, λ)-design is a set system (X, B) such that the following are satisfied: 1. |X| = v, 2. each block contains exactly k points, and 3. every subset of t distinct points from X occurs in precisely λ blocks.

Definition 2.3.
A symmetric BIBD is a (v, k, λ)-BIBD in which there are v blocks.
Theorem 2.4. In a symmetric BIBD, any two blocks intersect in exactly λ points.
Definition 2.5. The design formed by taking λ copies of every k-subset of a v-set as blocks is a t-v, k, λ v−t k−t -design, called a trivial t-design.
The following theorems are standard results for t-designs: Theorem 2.6. Let (X, B) be a t-(v, k, λ)-design. Let Y ⊆ X such that |Y | = s ≤ t. Then there are precisely Theorem 2.7. Let (X, B) be a t-(v, k, λ)-design. Let Y ⊆ X and Z ⊆ X such that Y ∩ Z = ∅, |Y | = i, |Z| = j, and i + j ≤ t. Then there are precisely blocks in B that contain all the points in Y and none of the points in Z. Definition 2.9. A t-(v, k, 1)-design is called a Steiner system with parameters t, k, v and is denoted by S(t, k, v).
Remark 2.10. A Steiner triple system of order v, or STS(v), is an S(2, 3, v), i.e., a Steiner system in which k = 3. It is known that an STS(n) exists if and only if n ≡ 1, 3 mod 6, n ≥ 7.
Definition 2.11. A large set of t-(v, k, 1)-designs is a set {(X, B 1 ), . . . , (X, B N )} of t-(v, k, 1)designs (all of which have the same point set, X), in which every k-subset of X occurs as a block in precisely one of the B i s. That is, the B i s form a partition of X k .
Remark 2.12. It is easy to prove that there must be exactly N = v−t k−t designs in a large set of t-(v, k, 1)-designs. Example 2.14. A large set of STS(9) [22].  15. Let t, v, k, and λ be positive integers satisfying k ≥ t ≥ 2. A transversal design TD λ (t, k, v) is a triple (X, G, B) such that the following properties are satisfied: 1. X is a set of kv elements called points, 2. G is a partition of X into k subsets of size v called groups, 3. B is a set of k-subsets of X called blocks, 4. any group and any block contain exactly one common point, and 5. every subset of t points from distinct groups occurs in precisely λ blocks.
Many of the standard results for t-designs can be extended to transversal designs. The following terminology and results are useful: Definition 2. 16. Let (X, G, B) be a TD λ (t, k, v) and write G = {G j : 1 ≤ j ≤ k}. Suppose Z ⊆ X such that |Z| = i ≤ k and |Z ∩ G j | ≤ 1 for 1 ≤ j ≤ k. We say Z is a partial transversal of G. If i = k, then we say Z is a transversal of G.
Definition 2.17. For a partial transversal Z of G, we let G Z = {G j ∈ G : Z ∩ G j = ∅} denote the set of groups that intersect Z. If Y , Z ⊆ X are partial transversals of G such that G Z ∩ G Y = ∅, we say Y , Z are group disjoint.
Theorem 2.18. Let (X, G, B) be a TD λ (t, k, v). Suppose Y ⊆ X such that |Y | = s ≤ t and Y is a partial transversal of G. Then there are exactly λ s = λv t−s blocks containing all the points in Y .
Proof. Fix a subset of t − s groups disjoint from Y , say G ′ 1 , . . . , G ′ t−s . Consider a t-subset X consisting of all the points from Y and one point from each of G ′ 1 , . . . , G ′ t−s . In particular, there are v t−s such t-subsets X, and each such X occurs in precisely λ blocks. Note that every block that contains Y is a transversal of G, so every such block contains exactly one such t-subset X. Therefore Y occurs in precisely λv t−s blocks, as desired.
blocks in B that contain all the points in Y and none of the points in Z.
Proof. Consider the set of groups G Z that intersect Z. There are (v − 1) j subsets X such that X consists of all the points from Y and one point from each group in G Z , but X contains no points from Z. Each such (i + j)-subset X occurs in precisely λ i+j blocks by Theorem 2.18. Therefore there are λ i+j (v − 1) j = λv t−i−j (v − 1) j blocks that contain all the points of Y but none of the points of Z.
We can also apply the notion of large sets to transversal designs: Definition 2.20. A large set of TD λ (t, k, v) on the point set X and group partition G is a set {(X, G, B 1 ), . . . , (X, G, B N )} of TD λ (t, k, v) in which every set of k points from distinct groups of X occurs as a block in precisely one of the B i s.
Remark 2.21. It is easy to see that there must be N = v k λv t transversal designs in a large set of TD λ (t, k, v).
Transversal designs are equivalent to orthogonal arrays: Definition 2.22. Let t, v, k, and λ be positive integers satisfying k ≥ t ≥ 2. An orthogonal array OA λ (t, k, v) is a pair (X, D) such that the following properties are satisfied: 1. X is a set of v elements called points, 2. D is a λv t by k array whose entries are elements of X, and 3. within any t columns of D, every t-tuple of points occurs in precisely λ rows. Example 2.23. An OA 1 (2, 4, 3). 1 1 1 1  1 2 3 3  1 3 2 2  2 1 2 3  2 2 1 2  2 3 3 1  3 1 3 2  3 2 2 1  3 3 1 3 It is easy to see the correspondence between orthogonal arrays and transversal designs. Suppose (X, D) is an OA λ (t, k, v). We define a bijection φ between the rows r j of D and the blocks B j of a TD λ (t, k, v) as follows. For each row Example 2.24. The blocks of the TD 1 (2, 4, 3) obtained from the OA 1 (2,4,3) in Example 2.23: The above construction method can be reversed for an arbitrary TD λ (t, k, v), say (X, G, B). To see this, note that we can relabel the points such that X = {1, . . . , v} × {1, . . . , k} and G = {G i : 1 ≤ i ≤ k}. Then the fact that any block and any group must contain exactly one common point implies that for each B ∈ B, we can form the k-tuple We can form an orthogonal array OA λ (t, k, v) by taking all of these k-tuples as rows.
. . , (X, D N )}, in which every k-tuple of elements from X occurs as a row in precisely one of the D i s. That is, the D i s form a partition of the set X k of k-tuples with entries from X. Remark 2.26. It is easy to see that there must be N = v k λv t orthogonal arrays in a large set of OA λ (t, k, v).
A useful type of orthogonal array is a linear array, especially for constructing large sets: Definition 2.27. Let (X, D) be an OA λ (t, k, v). We say (X, D) is linear if X = F q for some prime power q and the rows of D form a subspace of (F q ) k of dimension log q |D|.
Linear orthogonal arrays (and hence the corresponding transversal designs) are easy to construct. In particular, the following is a useful construction method.
Theorem 2.28. Suppose q is a prime power and k and ℓ are positive integers. Suppose M is an ℓ by k matrix over F q such that every set of t columns of M is linearly independent. Then (X, D) is a linear OA q ℓ−t (t, k, q), where D is the q ℓ by k matrix formed by taking all linear combinations of the rows of M .
Let q be a prime power and for every x ∈ F q , let x = [1, x, x 2 , . . . , x t−1 ] ∈ (F q ) t for some integer t ≥ 2. Construct the t by q matrix M by taking the columns to be the vectors (x) T for every x ∈ F q , where here (x) T means the transpose of x. Applying Theorem 2.28 to M yields the following result: Corollary 2.29. Let t ≥ 2 be an integer and let q be a prime power. Then there exists a linear OA 1 (t, q, q).
The following result is immediate.
Corollary 2.30. Let t ≥ 2 be an integer and let q be a prime power. Then there exists a linear TD 1 (t, q, q).
Remark 2.31. The constructions discussed in Corollaries 2.29 and 2.30 are known as Reed-Solomon codes [25].
We now discuss how to construct a large set of linear orthogonal arrays from a "starting" linear orthogonal array. Suppose (X, D) is a linear OA λ (t, k, v). We can obtain a large set of orthogonal arrays (and therefore transversal designs) from (X, D) by taking the set of cosets of D in (F q ) k . In particular, D is a subspace of (F q ) k , so the cosets of D form a partition of (F q ) k .

Terminology and Notation
We review the terminology and notation established by Swanson and Stinson [27]. Throughout, we let X t denote the set of n t t-subsets of X, where t is a positive integer. Let X be a deck of n cards. In an (a, b, c)-deal of X, Alice is dealt a hand H A of a cards, Bob is dealt a hand H B of b cards, and Cathy is dealt a hand H C of c cards, such that a + b + c = n. That is, it must be the case that H A ∪ H B ∪ H C = X. We assume these hands are random and dealt by some external entity.
An announcement by Alice is a subset of X a containing Alice's current hand, H A . More generally, Alice chooses a set of m announcements i.e., the set of possible announcements for Alice given the hand H A . Alice's announcement strategy, or simply strategy, consists of a probability distribution p H A defined on g(H A ), for every H A ∈ X a . In keeping with Kerckhoffs' principle, we assume the set of announcements and probability distributions are fixed ahead of time and public knowledge. For a given hand H A ∈ X a , Alice randomly chooses an index i ∈ g(H A ) according to the probability distribution p H A . Alice broadcasts the integer i to specify her announcement A i . Without loss of generality, we assume that p H A (i) > 0 for all i ∈ g(H A ).
For the purposes of this paper, we assume there exists some constant γ such that |g(H A )| = γ for every H A and that every probability distribution p H A is uniform; such strategies are termed γ-equitable, or simply equitable. Throughout, we use the phrase (a, b, c)-strategy A to denote a strategy for an (a, b, c)-deal, where A is the associated set of possible announcements for Alice.
The following notation is useful in discussing the properties of a given strategy A. For any subset Y ⊆ X and any announcement A i ∈ A, we define That is, P A (Y, i) is the set of hands of A i that do not intersect the subset Y . When the strategy A is clear from context, we write P A (Y, i) as P (Y, i).

Informative strategies
We say Alice's strategy is informative for Bob provided that for all H B ∈ X b and for all i. That is, if Equation (??) is satisfied, Bob can determine the set of a cards that Alice holds from Alice's announcement. In particular, this implies that Bob can announce Cathy's hand, thereby informing Alice of the card deal as well. Specified on the level of individual announcements, we say an announcement A i is informative provided |P (H B , i)| ≤ 1 for any hand H B ∈ X b . The following theorem, first shown by Albert et al. [1], is a useful equivalence condition for informative announcements: The following is an immediate corollary. We make the following observation, which follows directly from Theorem 4.1 and the definition of a t-design. It is possible to have informative (a, b, c)-strategies using announcements which are t-designs with λ > 1. In particular, Theorem 4.1 indicates that the block intersection properties of the chosen design are relevant to whether or not the strategy is informative. If every announcement is a symmetric BIBD, for example, then the strategy is guaranteed to be informative when a − c > λ. This is because the intersection of any two blocks in a symmetric BIBD contains exactly λ points, as stated in Theorem 2.4.
We make one more observation relating combinatorial designs and informative strategies.

Lemma 4.4. Suppose a > c and each announcement
Proof. Consider an announcement A i ∈ A. If λ i > 1, then there exist two blocks whose intersection has cardinality at least t i ≥ a − c. This contradicts Theorem 4.1, so λ i = 1, as desired.
blocks that contain t i −1 fixed points. Since t i −1 ≥ a−c, this contradicts Theorem 4.1, so t i = a−c, as desired.

Secure strategies
We provide the general security definitions and state the equivalent combinatorial characterization of secure equitable strategies from Swanson and Stinson [27].
1. Alice's strategy is weakly δ-secure against Cathy provided that for any announcement A i , for Weak security means that, from Cathy's point of view, any set of δ or fewer elements from X\H C may or may not be held by Alice. 2. Alice's strategy is perfectly δ-secure against Cathy provided that for any announcement A i , for any H C ∈ X c such that P (H C , i) = ∅, and for any Perfect security means that, from Cathy's point of view, the probability that any set of δ or fewer cards from X\H C is held by Alice is a constant.
Swanson and Stinson [27] show that in an equitable strategy any hand H A ∈ P (H C , i) is equally likely from Cathy's point of view: Swanson and Stinson [27] also establish the following equivalent combinatorial conditions: Suppose that Alice's strategy is γ-equitable. Then the following hold: 1. Alice's strategy is weakly δ-secure against Cathy if and only if, for any announcement A i , for any H C ∈ X c such that P (H C , i) = ∅, and for any 2. Alice's strategy is perfectly δ-secure against Cathy if and only if, for any announcement A i and for any H C ∈ X c such that P (H C , i) = ∅, it holds that We have the following elementary result: Proof. We proceed by contradiction. Suppose P ({x}, i) = ∅ for some A i ∈ A and x ∈ X. Then x occurs in every hand of A i . That is, if Alice announces A i , then Alice must hold x. In particular, this implies that Cathy's hand, say H C , does not contain x and Here is a sufficient condition for an equitable strategy to be perfectly 1-secure against Cathy, first shown by Swanson and Stinson [27]: Then the strategy is perfectly 1-secure against Cathy.
In fact, the condition that every announcement A i be a 2-(n, a, λ i )-design is also a necessary condition for an equitable (a, b, 1)-strategy to be perfectly 1-secure, as the following Theorem shows.
Theorem 5.6. Suppose we have an equitable (a, b, 1)-strategy A that is perfectly 1-secure against Cathy. Then every announcement A i ∈ A is a 2-(n, a, λ i )-design.
Proof. First observe that since Cathy holds only one card, Lemma 5.4 immediately implies that any element x ∈ X is a possible hand for Cathy. Consider an announcement A i ∈ A. We proceed by showing that every pair of distinct elements x, y ∈ X occurs in a constant number of hands of Define r x to be the number of hands of A i containing x. We proceed by counting r x in two different ways. On the one hand, we immediately have On the other hand, we can relate r x to P ({y}, i) for any y = x ∈ X as follows. Since the strategy is perfectly 1-secure, x occurs a constant number of times in P ({y}, i), namely a a+b |P ({y}, i)| times. In particular, this is the number of times x occurs in a hand of A i without y. That is, letting λ xy denote the number of times x occurs together with y in a hand of A i , we have This gives us Now, following the same logic for y, we also have Equating Equations (??) and (??) shows that |P ({x}, i)| is independent of the choice of x ∈ X. That is, r x is independent of x (by Equation (??)), so every point of X occurs in a constant number of hands of A i , say r hands. Moreover, Equation (??) then gives so λ xy is independent of x and y. That is, every pair of points x, y ∈ X occurs a constant number of times, which we denote by λ i . This implies A i is a 2-(n, a, λ i )-design.
The relationship between combinatorial designs and strategies that satisfy our notion of perfect security is quite deep. We now generalize the results from Swanson and Stinson [27] and Theorem 5.6 above to account for perfect δ-security and card deals with c ≥ 1. We begin with a generalization of Lemma 5.5 that shows that in an equitable (a, b, c)-strategy, if each announcement is a t-design with block size a, the strategy satisfies perfect (t − c)-security.
Proof. Consider an announcement A i ∈ A and a possible hand H C for Cathy. Since c ≤ t, Theorem 2.7 implies there are λ i a+b a n−t a−t blocks in A i that do not contain any of the points of H C .
Let δ ≤ t − c. Then Theorem 2.7 also implies that each set of δ points x 1 , . . . , x δ ∈ X\H C is contained in precisely of these blocks. Thus, for any set of δ points x 1 , . . . , x δ ∈ X\H C , we have so Condition 2 of Theorem 5.3 is satisfied.
We approach a true generalization of Theorem 5.6 incrementally for readability. For deals satisfying c = 1, we have the following necessary condition for an equitable strategy to be perfectly δ-secure.
Theorem 5.8. Suppose we have an equitable (a, b, 1)-strategy A that is perfectly δ-secure against Cathy. Then every announcement A i ∈ A is a (δ + 1)-(n, a, λ i )-design.
Proof. We proceed by induction on δ. The base case (δ = 1) is shown in Theorem 5.6.
Consider an announcement A i ∈ A. For a subset Y ⊆ X, let λ Y denote the number of hands of A i that contain Y . We show A i must be a (δ + 1)-design as follows.
Suppose we have Y ⊆ X, where |Y | = δ + 1. Pick an element y ∈ Y . Since c = 1, we have by Lemma 5.4 that {y} is a possible hand for Cathy. Since A is equitable and perfectly δ-secure, we have (by Theorem 5.3) Moreover, since perfect δ-security implies perfect 1-security, |P ({y}, i)| is independent of y, as shown in the proof of Theorem 5.6. That is, the number of hands of A i that contain the δ-subset Y \{y} but do not contain y is independent of the choice of Y and y ∈ Y , i.e. is some constant, say s.
Therefore, λ Y is some constant independent of Y , so every (δ + 1)-subset occurs in a constant number of hands of A i , say λ i . This implies A i is a (δ + 1)-(n, a, λ i )-design, as desired.
We are now ready to give a combinatorial characterization of general (a, b, c)-strategies that are equitable and perfectly δ-secure for some δ ≥ 1. We give an inductive proof that relies on Theorem 5.8 as the base case.
Theorem 5.9. Suppose we have an equitable (a, b, c)-strategy A that is perfectly δ-secure against Cathy. Then every announcement A i ∈ A is a (c + δ)-(n, a, λ i )-design.
Proof. We proceed by induction on c. The base case c = 1 is shown in Theorem 5.8. Recall that for a strategy A, an announcement A i ∈ A, and a subset Y ⊆ X, we make the strategy A explicit in the notation P(Y, i) by writing P A (Y, i).
Let y ∈ X and define X ′ = X\{y}. Define an (a, b, c − 1)-strategy A ′ by We now show A ′ is perfectly δ-secure. Suppose Cathy holds a (c − 1)-subset Y ⊆ X ′ satisfying P A ′ (Y, i) = ∅ for some A ′ i . In particular, note that if no such A ′ i exists, then A ′ is trivially perfectly δ-secure.
Consider a δ-subset Z ⊆ X ′ \Y = X\(Y ∪ {y}). We wish to count the number of hands in which together with the fact that P A ′ (Y, i) = P A (Y ∪ {y}, i), immediately implies A ′ is perfectly δ-secure. Moreover, since A ′ is a perfectly δ-secure (a, b, c − 1)-strategy, we have by the inductive hypothesis that every announcement Since we chose y to be an arbitrary element of X, this implies A is a (c−1+δ)-perfectly secure (a, b+c−1, 1)-strategy. Then the base case (Theorem 5.8) implies that every announcement A i ∈ A is a (c + δ)-(n, a, λ i )design for some λ i (where λ i may depend on i), as desired.
Theorem 5.9 immediately implies the following bound on the security parameter δ for equitable strategies: Corollary 5.10. Suppose we have an equitable (a, b, c)-strategy A that is perfectly δ-secure against Cathy. Then δ ≤ a − c.
Remark 5.11. If we have an equitable (a, b, c)-strategy A that is perfectly δ-secure against Cathy, where δ = a − c, then each announcement A i ∈ A is an a-design. In fact, since every a-subset of X must appear a constant number of times in each A i , we see that each A i is a trivial a-design. In this case, we see Alice's strategy is not informative for Bob.
Together, Theorem 5.7 and Theorem 5.9 show a direct correspondence between t-designs and equitable announcement strategies that are perfectly δ-secure for some δ satisfying δ ≤ t − c. We state this result in the following theorem for clarity.
Theorem 5.12. A γ-equitable (a, b, c)-strategy A on card deck X that is perfectly δ-secure against Cathy is equivalent to a set of (c + δ)-designs with point set X and block size a having the property that every a-subset of X occurs in precisely γ of these designs.

Simultaneously Informative and Secure Strategies
In general, we want to find an (a, b, c)-strategy (for Alice) that is simultaneously informative for Bob and (perfectly or weakly) δ-secure against Cathy. We first consider informative strategies that provide security for individual cards and then consider informative strategies that provide security for multiple cards.
The following was first shown by Albert et al. [1]: If a ≤ c + 1, then there does not exist a strategy for Alice that is simultaneously informative for Bob and weakly 1-secure against Cathy.
It is worth observing that a strategy that is not informative for Cathy implies, for any announcement A i by Alice and possible hand H C ∈ X c such that P (H C , i) = ∅ , that |P (H C , i)| ≥ 2. That is, there must exist distinct H A , H ′ A ∈ P (H C , i). Following the same technique as in the proof of Lemma 4.1, this implies |H A ∩ H ′ A | ≥ a − b. If in addition the strategy is informative for Bob, by This gives us the following result (which is also discussed by Albert et al. [1]): Theorem 6.2. If c ≥ b, then there does not exist a strategy for Alice that is simultaneously informative for Bob and weakly 1-secure against Cathy.
We now focus on (3, n − 4, 1)-deals and examine the relationship between informative and perfectly 1-secure strategies and Steiner triple systems.
The following is an immediate consequence of Theorem 5.6 and Lemma 4.4.
Corollary 6.3. Suppose (a, b, c) = (3, n − 4, 1) and suppose that Alice's strategy is equitable, informative for Bob, and perfectly 1-secure against Cathy. Then every announcement is a Steiner triple system.
In fact, any (a, b, a − 2)-strategy that is informative, equitable, and perfectly 1-secure also satisfies c = 1 (and hence a = 3). This result was first shown in Swanson and Stinson [27], but the proof provided here is greatly simplified.
Theorem 6.4 . Consider an (a, b, c)-deal such that a − c = 2. Suppose that Alice's strategy is equitable, informative for Bob, and perfectly 1-secure against Cathy. Then a = 3 and c = 1.
Proof. Theorem 5.9 implies that every announcement is an (a − 1)-design. Since c ≥ 1, we have a − 1 ≥ a − c, so we may apply Lemma 4.4. This implies a − 1 = a − c, so we have c = 1, as desired.
Our proof technique works for the generalizations of Theorem 6.4 and Corollary 6.3 shown in Swanson and Stinson [27] as well. That is, strategies that are equitable, informative for Bob, and perfectly (a − c − 1)-secure against Cathy must satisfy c = 1 and each announcement must be an (a − 1)-(n, a, 1)-design, also known as a Steiner system S(a − 1, a, n). Theorem 6.5. Consider an (a, b, c)-deal. Suppose that Alice's strategy is equitable, informative for Bob, and perfectly (a − c − 1)-secure against Cathy. Then c = 1.
Proof. The proof is identical to the proof of Theorem 6.4. Corollary 6.6. Consider an equitable (a, b, 1)-strategy that is informative for Bob and perfectly (a − 2)-secure against Cathy. Then every announcement is a Steiner system S(a − 1, a, n).
Proof. The fact that every announcement is an (a−1)-design follows immediately from Theorem 5.9. To see that λ = 1, we may apply Lemma 4.4. This is easy to see, however: since every (a − 1)-subset occurs λ times, the fact that the strategy is informative for Bob implies λ = 1.
In fact, we can use Theorem 5.9 and Lemma 4.4 to derive the following bound on the security parameter δ for perfectly δ-secure and informative strategies, which helps put the above results in context. Corollary 6.7. Suppose we have an equitable (a, b, c)-strategy that is perfectly δ-secure against Cathy and informative for Bob. Then δ ≤ a − 2c.
Proof. If the strategy is perfectly δ-secure, then by Theorem 5.9, every announcement is a (c + δ)design. Now, if c + δ < a − c holds, then δ < a − 2c, as desired. If c + δ ≥ a − c, then since the strategy is informative for Bob, we can apply Lemma 4.4. This yields c + δ = a − c, so we have δ = a − 2c in this case.

Construction methods and examples
Theorem 5.7 indicates that we can use t-designs to construct equitable strategies that are perfectly δ-secure against Cathy for δ = t − c, where c ≤ t − 1. In fact, so long as we use t-designs with λ = 1 and c ≤ a − t, such a strategy will also be informative for Bob (Corollary 4.3). This is a very interesting result, as we can use a single "starting design" to obtain equitable strategies that are informative for Bob and perfectly δ-secure against Cathy. We give a general method for this next. First we require some definitions.
Definition 7.1. Suppose that D = (X, B) is a t-(v, k, λ)-design. An automorphism of D is a permutation π of X such that π fixes the multiset B. We denote the collection of all automorphisms of D by Aut(D). Proof. Let the symmetric group S n act on D. We obtain a set of designs isomorphic to D, which are the announcements in our strategy. Since each announcement is a t-(n, a, 1)-design, the resulting scheme is perfectly (t − c)-secure against Cathy by Theorem 5.7. Furthermore, since a − c ≥ t and λ = 1, no two blocks have more than a − c − 1 points in common, so Theorem 4.1 implies the scheme is informative for Bob. The total number of designs m is equal to n!/|Aut(D)| (as this is the index of Aut(D) in S n ). To see that γ = m n−t a−t , consider a fixed t-subset A of X. Then in particular, there are n−t a−t possible blocks of size a that contain A. Now, every one of the m designs contains exactly one of these n−t a−t blocks, and these n−t a−t blocks occur equally often among the m designs. Thus, a given block B occurs in m n−t a−t of the designs, as desired. [27], in which the case c = 1 is treated.

Remark 7.4. Theorem 7.3 is a generalization of a result in Swanson and Stinson
Remark 7.5. The technique described in Theorem 7.3 shows how to use a single "starting design" D on n points to construct a strategy that inherits its properties from D. That is, the strategy obtained by letting the symmetric group S n act on D will be informative and perfectly δ-secure if D is an informative announcement that satisfies Condition 2 of Definition 5.1 for the fixed announcement D.
We now discuss some other constructions of strategies using results from design theory, including some applications of Remark 7.5. All constructions discussed may be found in Colbourn and Dinitz [5].
It is clear that we can use any Steiner triple system, or 2-(n, 3, 1)-design, as a starting design to obtain an equitable (3, n − 4, 1)-strategy that is informative for Bob and perfectly 1-secure against Cathy. It is known that an STS(n) exists if and only if n ≡ 1, 3 mod 6, n ≥ 7. We state this result in the following Corollary. Corollary 7.6. There exists an equitable (3, n − 4, 1)-strategy for Alice that is informative for Bob However, only finitely many Steiner t-designs are known for t > 3 and none are known for t > 5. Table 1 lists strategies resulting from known Steiner 5-and 4-designs. All known S(4, a, n) designs are derived designs from S(5, a + 1, n + 1) designs, formed by choosing an element x, selecting all blocks containing x and then deleting x from these blocks.
We next discuss existence results for optimal strategies. As shown in Swanson and Stinson [27], the number of announcements m in an informative (a, b, c)-strategy must satisfy m ≥ n−a+c c . A strategy is optimal if m = n−a+c c . The following result by Swanson and Stinson [27] follows immediately from the existence of large sets of Steiner triples, discussed in Remark 2.13, and Lemma 5.5.
Theorem 7.12. [27] Suppose (a, b, c) = (3, n − 4, 1), where n ≡ 1, 3 mod 6, n > 7. Then there exists an optimal strategy for Alice that is informative for Bob and perfectly 1-secure against Cathy. Example 7.13. Consider the large set of STS(9) from Example 2.14. This set of announcements is an optimal (3, 5, 1) strategy that is perfectly 1-secure against Cathy and informative for Bob.
As discussed in Theorem 7.12, if we can construct a large set of 2-(n, 3, 1)-designs, this set forms an optimal strategy that is informative and perfectly 1-secure, and a large set of STS(n) exists whenever n ≡ 1, 3 mod 6 and n > 7. However, there are certain choices of n for which there is a particularly nice construction for a large set of STS(n), such that it would be easy for Alice and Bob to create this large set on their own. We forego the details of this construction, which is due to Schreiber [24], but remark that this construction method applies whenever each prime divisor p of n − 2 has the property that the order of (−2) modulo p is congruent to 2 modulo 4.
Two other types of designs that can be used to construct informative and perfectly 1-secure strategies where Cathy holds one card are hyperplanes in projective spaces and Hadamard designs. For a discussion of these constructions, we refer the reader to Stinson [25]. We have the following results.
Corollary 7.14. There exists an equitable q d −1 q−1 , q d − 1, 1 -strategy that is informative for Bob and perfectly 1-secure against Cathy, where q ≥ 2 is a prime power and d ≥ 2 is an integer.

Proof. It is known that there exists a symmetric
-BIBD D for every prime power q ≥ 2 and integer d ≥ 2. The design D is a hyperplane in a projective space (or, in the case d = 2, a finite projective plane). Let the symmetric group S n act on D as in the proof of Theorem 7.3, where n = (q d+1 − 1)/(q − 1), to obtain Alice's strategy.
Lemma 5.5 immediately implies that this strategy is perfectly 1-secure against Cathy. To see that this strategy is informative, recall that the intersection of two blocks in a symmetric BIBD has size λ = (q d−1 − 1)/(q − 1). It is easy to see that the strategy will be informative provided a − c > λ, which is the case here.
Corollary 7.15. There exists an equitable q−1 2 , q−1 2 , 1 -strategy that is informative for Bob and perfectly 1-secure against Cathy, where q ≡ 3 mod 4 is an odd prime power.
Proof. It is known that there exists a symmetric q, q−1 2 , q−3

4
-BIBD D for every odd prime power q such that q ≡ 3 mod 4. The design D is a Hadamard design. Let the symmetric group S q act on D as in the proof of Theorem 7.3 to obtain Alice's strategy.
Lemma 5.5 immediately implies that this strategy is perfectly 1-secure against Cathy. To see that this strategy is informative, recall that the intersection of two blocks in a symmetric BIBD has size λ = (q − 3)/4. It is easy to see that the strategy will be informative provided a − c > λ, which is the case here.
Remark 7.16. Any symmetric BIBD may be used to construct equitable strategies that are perfectly 1-secure against Cathy for c = 1. If D is a symmetric 2-(n, a, λ)-design, the order of D is a − λ. The block intersection property we need to guarantee that the strategy is informative is that the order is greater than 1, which will always be the case. Colbourn and Dinitz [5] list known families of symmetric BIBDs.

Cordón-Franco et al. Geometric Protocol
Cordón-Franco et al. [8] present a geometric protocol based on hyperplanes that yields informative and weakly δ-secure equitable (a, b, c)-strategies for arbitrary c, δ > 0 and appropriate parameters a and b. The geometric protocol is stated as follows.
Protocol 1 (Geometric Protocol [8]) Let p be a prime power and let d and s < p be positive integers. Let X be a deck of p d+1 cards and suppose we have an (a, b, c)-deal such that a = sp d . Given a hand H A ∈ X a , the set of possible announcements for Alice is the set of bijections from X to AG d+1 (p) satisfying the condition that H A maps to the union of s parallel hyperplanes in AG d+1 (p). For every H A ∈ X a , assume Alice picks uniformly at random from the set of possible bijections.
In particular, the geometric protocol defines an equitable strategy in which Cathy may hold more than one card. We analyze when the geometric protocol achieves perfect, rather than weak, security, whereas Cordón-Franco et al. [8] show that the general case achieves weak s-security for a card deck of size p d+1 , where a = sp d , if c < sp d − s 2 p d−1 and max{c + s, cs} ≤ p.
We translate the geometric protocol into our model in the next observation.
Observation 7.17 Let A be the strategy defined by the geometric protocol. An announcement A i ∈ A is equivalent to the set of all possible unions of s parallel hyperplanes. In particular, there are p s (p d+1 − 1)/(p − 1) possible hands for Alice in each A i .
We first consider general results from design theory with respect to the above construction. Let us view X as the set of points in AG d+1 (p), and let B be denote the set of all hyperplanes in AG d+1 (p). It is well-known that (X, B) is a resolvable p d+1 , p d , λ -BIBD, where λ = (p d − 1)/(p − 1). Moreover, each point has degree r = (p d+1 − 1)/(p − 1), and there are r equivalance classes of parallel hyperplanes, each of size p. Let Π 1 , . . . , Π r denote these equivalence classes. Note that in each such equivalence class, every point of F d+1 p occurs exactly once. Define the design (X, C) by forming a collection of all possible unions of s parallel hyperplanes. Stated formally, for 1 ≤ i ≤ r, define B i to be the collection of all s-subsets of the parallel class Π i , and define C to be the union of the B i over the parallel classes. That is, The above discussion immediately implies the following observation: Observation 7.18 and Theorem 5.7 imply that the Geometric Protocol achieves perfect 1-security when Cathy holds one card, i.e., for (sp d , p d+1 − sp d − 1, 1)-deals where p is a prime power and s < p.
Moreover, as shown by Stinson et al. [26], the design (X, C) is a 3-design precisely when p = 2s, so p must be an even prime power. In this case, (X, C) is a 3-p d+1 , p d+1 /2, λ ′′ -design, where That is, for card decks and deals satisfying certain parameters, the strategy defined by the geometric protocol is a 3-design. This implies that we can sometimes achieve perfect 2-security for deals in which Cathy holds one card, or perfect 1-security for deals in which Cathy holds two cards. We state the result in the following theorem for clarity.
Theorem 7.19. Let p be a prime power and let d ≥ 1 be a positive integer. Let X be a deck of p d+1 cards and fix an (a, b, c)-deal with a = sp d . Then in the strategy A defined by the geometric protocol, each announcement A i is a 3-design if and only if p = 2 ℓ for some positive integer ℓ and s = 2 ℓ−1 .

A Variant of the Russian Cards Problem
In this section, we consider a variation of the generalized Russian cards problem, in which we change the manner in which the cards are dealt. Our motivation for restricting the deal is to widen the solution space. Since the generalized Russian cards problem requires a suitable set of t-designs to maximize security against Cathy-and constructing t-designs for t > 2 is in general quite difficultwe explore certain types of deals where suitable constructions are more readily available. An added advantage of our deal restriction is that in this new framework, we can view Alice's hand as an a-tuple over an alphabet of size v. If Alice's hand represents a secret key, this variation is more in keeping with traditional key agreement schemes in cryptography, as typically secret keys are tuples rather than sets.
Suppose our deck X consists of n = va cards, where v and a are positive integers such that v > a. Rather than allowing Alice, Bob, and Cathy to have any hand of the appropriate size, we first split the deck X into a piles, each of size v. Alice is given a hand H A of a cards, such that she holds exactly one card from each pile. Cathy's hand H C of c cards is assumed to contain no more than one card from each pile. The remainder of the deck becomes Bob's hand, H B . Observe that we can use the same framework for this problem as for the original; we have only placed a limitation on the set of possible hands Alice, Bob, and Cathy might hold. The necessary modifications to the security definitions and the definition of an informative strategy are straightforward.
This variant admits a nice solution using transversal designs; we refer the reader to Section 2.2 for the relevant definitions and a discussion of these designs. In the context of a transversal design TD λ (t, a, v), we can view the piles of cards as the groups G 1 , . . . , G a of the design. In this case, Alice's hand is a transversal and Cathy's hand is a partial transversal of G 1 , . . . , G a . Note that Cathy therefore only considers transversals as possible hands for Alice. When we discuss weak (or perfect) δ-security, we are interested in the probability (from Cathy's point of view) that Alice holds partial transversals of order δ.
We first show Theorem 4.1 holds for this variant of the Russian cards problem: We proceed by constructing a card deal consistent with the announcement A i such that {H A , H ′ A } ⊆ P (H B , i) , which implies the announcement is not informative for Bob.
Write |H A ∩ H ′ A | = ℓ. Let Alice's hand be H A , so it is possible for Alice to announce A i . Let Cathy's hand contain all the cards in H ′ A that are not also contained in H A ; this is possible since c ≥ a − ℓ. Then Bob's hand H B contains all the remaining cards. In particular, we have In light of Theorem 8.1, the following result is straightforward.
Theorem 8.2. Consider an (a, b, c)-deal following the above rules and suppose that each announcement in an equitable (a, b, c)-strategy is a TD 1 (t, a, v) satisfying t ≤ a − c. Then the strategy is informative for Bob.
We can use an argument similar to that of Swanson and Stinson [27] to derive a lower bound on the size of Alice's announcement. Proof. Fix a set of cards X ′ of size a − c, no two of which are from the same pile. There are v c possible hands for Alice that contain X ′ . These hands must occur in different announcements, by Theorem 4.1 (which holds for this variation of the problem). Therefore m ≥ v c .
As before, we refer to a strategy that meets this bound as optimal. We have the following result. Theorem 8.4. Suppose that a > c. An optimal (a, b, c)-strategy for Alice that is informative for Bob is equivalent to a large set of TD 1 (t, a, v), where t = a − c.
Proof. Suppose there exists a large set of TD 1 (a − c, a, v). Recall from Definition 2.20 that the set of all blocks sets (i.e., possible announcements) in this large set form a partition of the set of all transversals and that there are precisely v c designs in such a set. Then it is easy to see that this immediately yields an optimal (a, b, c)-strategy for Alice that is informative for Bob.
Conversely, suppose there is an optimal (a, b, c)-strategy for Alice that is informative for Bob. We need to show that every announcement is a TD 1 (a − c, a, v). As in the proof of Theorem 8.3, fix a set of cards X ′ of size a − c, no two of which are from the same pile. The v c possible hands for Alice that contain X ′ must occur in different announcements. However, there are a total of v c announcements, so every announcement must contain exactly one block that contains X ′ .
The following result shows how transversal designs with arbitrary t can be used to achieve weak δ-security for permissible parameters δ ≤ t − c. As in Definition 2.17, for a transversal design TD λ (t, a, v), say (X, G, B), and a partial transversal Y of G, we let G Y denote the set of groups of the transversal design that have nonempty intersection with the partial transversal Y .
Theorem 8.5. Consider an (a, b, c)-deal following the above rules and suppose that each announcement in an equitable (a, b, c)-strategy is a TD λ (t, a, v), where c ≤ t − 1. Then the strategy is weakly (t − c)-secure against Cathy.
Proof. Fix an announcement A i for Alice. Suppose A i is a TD λ (t, a, v), say (X, G, B). Consider a possible hand H C for Cathy. In particular, H C is a partial transversal of the groups G 1 , . . . , G a ∈ G.
Since c ≤ t, Theorem 2.19 implies there are blocks in A i that do not contain any of the points of H C . Consider a partial transversal Y of order δ ≤ t − c. Since Y is not necessarily group disjoint from H C , we must consider the number of groups which intersect both Y and H C . In particular, the δ-subset Y never occurs with any other cards from G Y ∩ G H C , by definition of transversal designs.
Let ℓ = |G H C \G Y |. That is, ℓ is the number of groups that do not intersect Y , but from which Cathy has cards. Write z 1 , . . . , z ℓ for Cathy's cards from these ℓ groups. We wish to compute the number of blocks which contain all the points in Y but miss all of the points of H C . This is the same as the number of blocks that contain all the points in Y but miss all the points in {z 1 , . . . , z ℓ }. Since ℓ + δ ≤ t, by Theorem 2.19, we have λv t−ℓ−δ (v − 1) ℓ such blocks.
That is, a given set of points x 1 , . . . , x δ ∈ X\H C that might be held by Alice is contained in precisely Thus, for any partial transversal of δ distinct points x 1 , . . . , x δ ∈ X\H C , we have so Condition 1 of Theorem 5.3 is satisfied. Remark 8.6. We do not achieve perfect (t−c)-security in Theorem 8.5 because the number of hands of P (H C , i) containing a given partial transversal Y of δ distinct points, where δ ≤ t − c, depends on ℓ = |G H C \G Y |. In fact, we cannot expect to achieve better security than that of the construction given in Theorem 8.5 for this variant of the generalized Russian cards problem. This is because the rules for the deal imply that for each pile from which Cathy holds a card, Cathy knows that Alice holds one of the other (v − 1) cards, and for every other pile, Cathy knows only that Alice holds one of the other v cards.
As discussed in Section 2.2, large sets of transversal designs TD λ (t, k, v) are easy to construct when you have a linear TD λ (t, k, v) "starting design". As stated in Theorem 2.29, a linear TD 1 (t, q, q) exists whenever the point set X = (F q ) 2 and q is a prime power. The construction method for such a transversal design is simple; we refer the reader to the relevant discussion in Section 2.2 on Theorem 2.28 and Corollaries 2.29 and 2.30.
In particular, we can construct a linear TD 1 (t, a, q) for a prime power q ≥ a by first constructing a TD 1 (t, q, q) and then (if necessary) deleting q − a groups. This yields a wide range of informative and weakly (t − c)-secure (a, n − a − c, c)-strategies for card decks of size n = aq and any choice of c satisfying c ≤ min{t − 1, a − t}. If we take t = a − c, these strategies are optimal. We summarize this result in the following theorem.
Theorem 8.7. Consider the above variant of the generalized Russian cards problem. Let q be a prime power such that q ≥ a and c ≤ a−1 2 . Then there exists an equitable (a, aq − a − c, c)-strategy that is optimal, informative for Bob, and weakly (a − 2c)-secure against Cathy.

Discussion and Comparison with Related Work
The Russian cards problem and variants of it has received a fair amount of attention in the literature, with focus ranging from possible applications to key generation [2,3,[15][16][17][18][19]21,23], to analyses based on epistemic logic [9][10][11][12], to card deals with more than three players [14,20]. Of more relevance to our work is the recent research that takes a combinatorial approach [1-4, 6, 27], on which we now focus.
Many useful results concerning parameter bounds and announcement sizes for weak 1-security, some of which we use in this paper, are given by Albert et al. [1]. Albert et al. [2,3] and Cordón-Franco et al. [6] discuss protocols for card deals of a particular form that achieve weak 1-security, using card sums modulo an appropriate parameter for announcements. Atkinson et al. [4] is the only work of which we are aware that treats security notions stronger than weak 1-security, other than work by Swanson and Stinson [27] and subsequent work by Cordón-Franco et al. [8].
In addition, there has been recent work [7,13] in which protocols consisting of more than one announcement by Alice and Bob are considered, which is a generalization of the problem which we consider here. van Ditmarsch and Soler-Toscano [13] show that no good announcement exists for card deals of the form (4, 4, 2) using bounds from Albert et al. [1]. The authors instead give an interactive protocol that requires at least three rounds of communication in order for Alice and Bob to learn each other's hands; their protocol uses combinatorial designs to determine the initial announcement by Alice and the protocol analysis is done using epistemic logic.
Cordón-Franco et al. [7] consider four-step solutions for the generalized Russian cards problem with parameters (a, b, c) such that c > a. Although Cordón-Franco et al. [7] present a "protocol", their solution is not a protocol in the typical sense of the word, as it is unclear if the protocol is executable or not. The authors demonstrate the existence of a necessary construction for their protocol when the card deal parameters satisfy specific conditions, but do not address the feasibility of finding such constructions in practice. In particular, the security of the protocol itself relies heavily on the ability of the players to pick such a construction uniformly at random from all possible constructions. Since it is unclear if this is feasible, the protocol is questionable, albeit theoretically interesting in that it attempts to treat cases where c > a.
In this paper, we build extensively on results by Swanson and Stinson [27]. In particular, we greatly simplify the proofs for results connecting certain types of perfectly δ-secure deals and Steiner systems, originally shown in Swanson and Stinson [27]. The construction technique using a "starting design", given in Theorem 7.3 is a generalization of the technique given by Swanson and Stinson [27]. This generalized construction technique allows us to answer in the affirmative the question on the existence of perfectly secure and informative strategies for deals in which Cathy holds more than one card.
Cordón-Franco et al. [8] further elaborate on protocols of length two and the notion of weak δ-security. The authors present a geometric protocol, discussed in Section 7.1, based on hyperplanes that yields informative and weakly δ-secure equitable (a, b, c)-strategies for appropriate parameters. In particular, this protocol allows Cathy to hold more than one card. In certain card deals, this protocol achieves perfect δ-security for δ equal to one or two. We remark that with the exception of Section 7.1, our results were completed independently of Cordón-Franco et al. [8].

Concluding Remarks and Future Work
We give a characterization for solutions to the generalized Russian cards problem that are perfectly δ-secure. That is, we show an equivalence between a γ-equitable strategy that is perfectly δ-secure for some δ and a set of (c + δ)-designs on n points with block size a, where this set must satisfy the additional property that every a-subset of X occurs in precisely γ of these designs.
Building on the results of Swanson and Stinson [27], we show how to use a "starting" t-(n, a, 1)design to construct equitable (a, b, c)-strategies that are informative and perfectly (t − c)-secure against Cathy for any choice of c satisfying c ≤ min{t − 1, a − t}. In particular, this indicates that if an appropriate t-design exists, it is possible to achieve perfect security for deals where Cathy holds more than one card. We present an example construction, based on inversive planes, for (q + 1, q 2 − q − 2, 2)-strategies which are perfectly 1-secure against Cathy and informative for Bob, where q is a prime power. We also analyze the security properties of Cordón-Franco et al.'s [8] geometric protocol, remarking that this protocol yields a nice construction for a 3-design for certain parameters.
In addition, we discuss a variation of the Russian cards problem which admits nice solutions using transversal designs. The variant changes the manner in which the cards are dealt, but the resulting problem can be solved using large sets of transversal designs with λ = 1 and arbitrary t, which are easy to construct. In particular, this solution is optimal in terms of the number of announcements and provides the strongest possible security for appropriate parameters. That is, for card decks of size aq, where q ≥ a is a prime power, we achieve (a, aq − a − c, c)-strategies that are optimal, informative for Bob, and weakly (a − 2c)-secure against Cathy for c ≤ a−1 2 . There are many open problems in the area, especially for deals with c > 1. Given the general difficulty of constructing t-designs for t > 2 and λ = 1, we see that constructing perfectly δ-secure and informative strategies for c > 1 is a difficult combinatorial problem. A more promising direction for the case c > 1 may be strategies that are weakly δ-secure for δ > 1, a concept first introduced by Swanson and Stinson [27], which has received some attention in current literature [8]. In particular, further characterizing such strategies using combinatorial notions might prove informative.