Upload
jeffry-horton
View
218
Download
0
Embed Size (px)
Citation preview
Solitaire
CRyptography Applications Bistro
8 April 2004
Tuesday:– High-tech crypto with sophisticated, expensive
equipment using the principles of quantum mechanics to solve a problem most people don’t have
Today:– Low-tech crypto with ordinary, inexpensive
equipment using the principles of shuffling to solve a problem most people don’t have
Solitaire
• Output-feedback mode stream cipher
• Designed by Bruce Schneier in 1999
• Implemented using a deck of cards
• Featured in Neal Stephenson’s novel Cryptonomicon
Tin-foil hat time
• You want to communicate securely with other people
• You don’t want the secret police to be able to decode your messages
• You don’t want to have to keep around incriminating evidence, such as a computer with PGP
• You want to be able to do this without electricity
Requirements
• Cannot rely on security-through-obscurity• Must be secure even against a well-funded
adversary• Must be simple enough that someone can
remember it• Must not require incriminating equipment• Must be entertaining enough to go in a Neal
Stephenson novel
Overview of Solitaire
• The key consists of a shuffled deck, with two jokers: A and B
• A sequence of cuts and rearrangements generates a pseudo-random keystream
• The keystream is added to the plaintext, modulo 26, to encrypt
• The keystream is subtracted from the ciphertext to decrypt
The Algorithm
1. Move the A-joker one card down
2. Move the B-joker two cards down
3. Perform the triple-cut
4. Perform a count-cut, using the card on the bottom to count with
5. Find the output card, using the card on the top to count with
1. Moving the A joker
• If the joker is on the bottom, move it to one below the top card
9
2
6*A
10
9
9
2
*A610
9
2. Moving the B joker
• If the joker is on the bottom, wrap around like we did with the A joker
2
8
J*B
3
Q
2
8
QJ3
*B
A3. The Triple-Cut
AAAA*B
AAA6
*A
AAA2
AAA2*B
AAA6
*A
AAAAA
4. The Count Cut5555J
555555555535
5555J555553
5555J5
= 0 + n = 13 + n = 26 + n = 39 + n*A = *B = 53
5. Finding the output card7
555J52J555555535
= 0 + n = 13 + n = 26 + n = 39 + n*A = *B = 53
1. Convert the top card to a number2. Count down that many from the top3. The next card is the output card4. If the output card is a joker, go back to
step 15. The deck does not change
J = 13 + 11 = 24
PLGRM BZIVF JGH
A 1 J 10 S 19B 2 K 11 T 20C 3 L 12 U 21D 4 M 13 V 22E 5 N 14 W 23F 6 O 15 X 24G 7 P 16 Y 25H 8 Q 17 Z 26I 9 R 18
Key Distribution
• Solitaire is a symmetric cipher, so we must have a key known to both parties– Use identically shuffled decks: 54! 2237
• requires distributing decks• requires good shuffling
– Use a bridge ordering: 52!/(13!)4 295
• need way to position jokers• the secret police read newspapers too
– Use a passphrase to key the deck
Keying the Deck with a Passphrase
1. Move the A-joker down one card
2. Move the B-joker down two cards
3. Perform the triple cut
4. Perform the count cut based on top card
5. Perform a second count cut based on a letter from the passphrase
How many shuffles does it take to be “random”?
• In an ideal riffle shuffle, we split the deck in halves, then interleave the halves
• Cards in the same half are not reordered
• This yields 54!/(27! 27!) 250
• We’d need five shuffles to reach 2237
Shuffling, in practice
• In practice, the 250 interleavings are not equally likely– cards near each other don’t separate much
• Keller [1995] claims seven shuffles are needed
How many bits are in a passphrase?
• English text is highly redundant– some studies claim you get 1.4 bits per
character– You need at least 80 characters
Bias in Solitaire
• One would expect that, if Solitaire is a good CPRNG, the probability of getting the same keystream letter twice in a row would be 1/26
• Crowley [2001], through simulations, found that this is not the case: it appears to be about 1/22.5
• This information could, in theory, be exploited to form an attack
Non-reversibility
• The cipher was designed to be reversible– You should be able to reconstruct the previous deck
state from the current deck state
• However, the rules allowing the jokers to move from the bottom to the top of the deck are not reversible:* 1 2 3 4 5 6 ... 51 52 1 * 2 3 4 5 6 ... 51 521 2 3 4 5 6 ... 51 52 * 1 * 2 3 4 5 6 ... 51 52
• Reversibility is not necessarily a problem, but reversible ciphers are easier to analyze
Practical Issues
• Solitaire uses output-feedback mode:– A single bit error in the ciphertext results in a single-bit
error in the plaintext (good)– Not self-synchronizing: drop a bit of ciphertext and
everything after it is lost (bad)– The keystream can be generated in advance of
receiving the message
• Encryption and decryption are slow• Key distribution is difficult• Potential attacks based on lack of randomness
Future Work
• Develop attacks on Solitaire
• Develop a hand-computable asymmetric algorithm– This would address key distribution problem– You could, in theory, compute RSA by hand,
but not with reasonable key sizes (for further details, see Dave’s license tag)
Other Games
• A deck of cards doesn’t have enough entropy for an assymetric key (237 bits)– Two decks might be enough (474 or 578 bits)
• An 8x8 chessboard has 64!/(32!8!8!2!2!2!2!2!2!) 2141 states– a group in CS588 designed a chess-based cipher last
year
• A 19x19 go board has 3361 2572 states• Cellular automata might be computable by hand as
well