There is a large literature in cryptography on mental poker. It’s all very interesting but hasn’t quite crossed the threshold into being practical. There’s a much better approach they could be taking which I’ll now explain.

Traditionally ‘mental poker’ has meant an unspecified poker variant, played by exactly two people, with the goal of making it so the players can figure out who’s the better poker player. This is close to but not exactly what the requirements should be. In practice these days when people say ‘poker’ they mean Hold’em and the goal should be to make playing over a blockchain practical. Limiting it to exactly two players is completely reasonable. The requirement of running on a blockchain is quite onerous because computation there is extremely expensive but Hold’em has special properties which as I’ll explain enables a much simpler approach.

Side note on ‘practical’: Cryptographers might describe a protocol which requires a million dollars in resources and a month of time to compute as being ‘practical’, meaning it can physically be accomplished. I’m using the much more constraining definition of ‘practical’ as being that players can do it using just their laptops and not have such a bad experience that they rage quit.

The usual approach goes like this: The players collaboratively generate a deck of encrypted cards, then shuffle them, and whenever a player needs to know one card the other player gives enough information that that one card can be decrypted by the other player. This is a very general approach which can support a lot of games, but has a lot of issues. There are heavyweight cryptographic operations everywhere, often involving multiple round trips, which is a big problem for running on chain. There are lots of potential attacks where a player can cheat and get a peek at a card in which case there has to be a mechanism for detecting that and slashing the opponent. Having slashing brings all manner of other issues where a player can get fraudulently slashed, which is unfortunately for a game like poker where even if a player literally goes into a coma it only counts as a fold. There are cryptographic ways of making this machinery unnecessary, but those extra requirements come at a cost.

For those of you who don’t know, Hold’em works like this (skipping the parts about betting): Both players get two secret hole cards which the opponent can’t see. Five community cards get dealt out on the table visible to both players. If nobody folds then the players reveal their cards and whoever can form a better hand using a combination of their hole cards and the community cards wins. There are two important properties of this which make the cryptography a lot easier: There are only nine cards total, and they never move.

A much simpler approach to implementing mental poker goes like this: The game rules as played on chain use commit and reveal and simply hash together the committed values to make the cards. No attempt is made by the on chain play to avoid card repetitions. Before a hand even starts both players reveal what their commits are going to be. They then do collaborative computation to figure out if any of the nine cards will collide. If they will, they skip that hand. If they won’t, they play that hand on chain with the commits baked in at the very beginning.

This approach works much better. The costs on chain are about as small as they could possibly be, with all the difficulty shoved off chain and up front. If a player peeks during the collaborative computation or fails to demonstrate that they didn’t peek then the hand never starts in the first place, no slashing needed. The expensive computational bits can be done at the players’s leisure up front with no having to wait during hands.

Unfortunately none of the literature on mental poker works this way. If anybody makes an implementation which is practical I’ll actually use it. The only extra requirement is that the hashing algorithm is sha256. Until then I’m implementing a poker variant which doesn’t have card removal effects.