Solitaire

1
Solitaire

• CRyptography Applications Bistro
• 8 April 2004

2

• Tuesday
• High-tech crypto with sophisticated, expensive
  equipment using the principles of quantum
  mechanics to solve a problem most people dont
  have
• Today
• Low-tech crypto with ordinary, inexpensive
  equipment using the principles of shuffling to
  solve a problem most people dont have

3
Solitaire

• Output-feedback mode stream cipher
• Designed by Bruce Schneier in 1999
• Implemented using a deck of cards
• Featured in Neal Stephensons novel Cryptonomicon

4
Tin-foil hat time

• You want to communicate securely with other
  people
• You dont want the secret police to be able to
  decode your messages
• You dont want to have to keep around
  incriminating evidence, such as a computer with
  PGP
• You want to be able to do this without electricity

5
Requirements

• Cannot rely on security-through-obscurity
• Must be secure even against a well-funded
  adversary
• Must be simple enough that someone can remember
  it
• Must not require incriminating equipment
• Must be entertaining enough to go in a Neal
  Stephenson novel

6
Overview of Solitaire

• The key consists of a shuffled deck, with two
  jokers A and B
• A sequence of cuts and rearrangements generates a
  pseudo-random keystream
• The keystream is added to the plaintext, modulo
  26, to encrypt
• The keystream is subtracted from the ciphertext
  to decrypt

7
The Algorithm

1. Move the A-joker one card down
2. Move the B-joker two cards down
3. Perform the triple-cut
4. Perform a count-cut, using the card on the bottom
   to count with
5. Find the output card, using the card on the top
   to count with

8
1. Moving the A joker
9?
9?
10?
10?
6?
A
A
6?
9?
9?
2?
2?

• If the joker is on the bottom, move it to one
  below the top card

9
2. Moving the B joker
2?
2?
3?
3?
J?
B
Q?
J?
B
Q?
8?
8?

• If the joker is on the bottom, wrap around like
  we did with the A joker

10
3. The Triple-Cut
A?
A?
A?
A?
A?
A?
A?
A?
2?
B
B
A?
A?
A?
A?
A?
A?
6?
6?
A
A
A?
A?
A?
A?
A?
A?
A?
2?
A?
11
4. The Count Cut
5?
5?
5?
5?
5?
5?
5?
5?
J?
J?
5?
5?
5?
5?
5?
5?
5?
3?
5?
5?
5?
5?
5?
5?
5?
5?
5?
5?
5?
5?
3?
J?

• ? 0 n
• ? 13 n
• ? 26 n
• 39 n
• A B 53

5?
5?
12
5. Finding the output card

• Convert the top card to a number
• Count down that many from the top
• The next card is the output card
• If the output card is a joker, go back to step 1
• The deck does not change
• J? 13 11 24

7?
5?
5?
5?
J?
5?
2?
J?
5?
5?
5?
5?
5?
5?
5?
3?

• ? 0 n
• ? 13 n
• ? 26 n
• 39 n
• A B 53

5?
13
PLGRM BZIVF JGH

• A 1 J 10 S 19
• B 2 K 11 T 20
• C 3 L 12 U 21
• D 4 M 13 V 22
• E 5 N 14 W 23
• F 6 O 15 X 24
• G 7 P 16 Y 25
• H 8 Q 17 Z 26
• I 9 R 18

14
Key Distribution

• Solitaire is a symmetric cipher, so we must have
  a key known to both parties
• Use identically shuffled decks 54! ? 2237
• requires distributing decks
• requires good shuffling
• Use a bridge ordering 52!/(13!)4 ? 295
• need way to position jokers
• the secret police read newspapers too
• Use a passphrase to key the deck

15
Keying the Deck with a Passphrase

1. Move the A-joker down one card
2. Move the B-joker down two cards
3. Perform the triple cut
4. Perform the count cut based on top card
5. Perform a second count cut based on a letter from
   the passphrase

16
How many shuffles does it take to be random?

• In an ideal riffle shuffle, we split the deck in
  halves, then interleave the halves
• Cards in the same half are not reordered
• This yields 54!/(27! 27!) ? 250
• Wed need five shuffles to reach 2237

17
Shuffling, in practice

• In practice, the 250 interleavings are not
  equally likely
• cards near each other dont separate much
• Keller 1995 claims seven shuffles are needed

18
How many bits are in a passphrase?

• English text is highly redundant
• some studies claim you get 1.4 bits per character
• You need at least 80 characters

19
Bias in Solitaire

• One would expect that, if Solitaire is a good
  CPRNG, the probability of getting the same
  keystream letter twice in a row would be 1/26
• Crowley 2001, through simulations, found that
  this is not the case it appears to be about
  1/22.5
• This information could, in theory, be exploited
  to form an attack

20
Non-reversibility

• The cipher was designed to be reversible
• You should be able to reconstruct the previous
  deck state from the current deck state
• However, the rules allowing the jokers to move
  from the bottom to the top of the deck are not
  reversible
• 1 2 3 4 5 6 ... 51 52 ? 1 2 3 4 5 6 ... 51 52
• 1 2 3 4 5 6 ... 51 52 ? 1 2 3 4 5 6 ... 51 52
• Reversibility is not necessarily a problem, but
  reversible ciphers are easier to analyze

21
Practical Issues

• Solitaire uses output-feedback mode
• A single bit error in the ciphertext results in a
  single-bit error in the plaintext (good)
• Not self-synchronizing drop a bit of ciphertext
  and everything after it is lost (bad)
• The keystream can be generated in advance of
  receiving the message
• Encryption and decryption are slow
• Key distribution is difficult
• Potential attacks based on lack of randomness

22
Future Work

• Develop attacks on Solitaire
• Develop a hand-computable asymmetric algorithm
• This would address key distribution problem
• You could, in theory, compute RSA by hand, but
  not with reasonable key sizes
• (for further details, see Daves license tag)

23
Other Games

• A deck of cards doesnt have enough entropy for
  an assymetric key (237 bits)
• Two decks might be enough (474 or 578 bits)
• An 8x8 chessboard has 64!/(32!8!8!2!2!2!2!2!2!) ?
  2141 states
• a group in CS588 designed a chess-based cipher
  last year
• A 19x19 go board has 3361 ? 2572 states
• Cellular automata might be computable by hand as
  well