Solitaire CRyptography Applications Bistro 8 April 2004

Tuesday:
– High-tech crypto with sophisticated, expensive
equipment using the principles of quantum
mechanics to solve a problem most people
don’t have
Today:
– Low-tech crypto with ordinary, inexpensive
equipment using the principles of shuffling to
solve a problem most people don’t have
Solitaire
• Output-feedback mode stream cipher
• Designed by Bruce Schneier in 1999
• Implemented using a deck of cards
• Featured in Neal Stephenson’s novel
Cryptonomicon
Tin-foil hat time
• You want to communicate securely with other
people
• You don’t want the secret police to be able to
decode your messages
• You don’t want to have to keep around
incriminating evidence, such as a computer with
PGP
• You want to be able to do this without electricity
Requirements
• Cannot rely on security-through-obscurity
• Must be secure even against a well-funded
adversary
• Must be simple enough that someone can
remember it
• Must not require incriminating equipment
• Must be entertaining enough to go in a Neal
Stephenson novel
Overview of Solitaire
• The key consists of a shuffled deck, with
two jokers: A and B
• A sequence of cuts and rearrangements
generates a pseudo-random keystream
• The keystream is added to the plaintext,
modulo 26, to encrypt
• The keystream is subtracted from the
ciphertext to decrypt
The Algorithm
1. Move the A-joker one card down
2. Move the B-joker two cards down
3. Perform the triple-cut
4. Perform a count-cut, using the card on the
bottom to count with
5. Find the output card, using the card on the
top to count with
1. Moving the A joker
9 10 *A 6 9 2 → 9 10 6 *A 9 2
• If the joker is on the bottom, move it to one below
the top card
2. Moving the B joker
2 3 *B J Q 8 → 2 3 J Q *B 8
• If the joker is on the bottom, wrap around like we
did with the A joker
3. The Triple-Cut
[Figure: the deck before and after the triple-cut]
4. The Count Cut
[Figure: the deck before and after the count cut]
♣ = 0 + n
♦ = 13 + n
♥ = 26 + n
♠ = 39 + n
*A = *B = 53
5. Finding the output card
[Figure: counting down from the top card to find the output card]
1. Convert the top card to a number
2. Count down that many from the top
3. The next card is the output card
4. If the output card is a joker, go back to
step 1
5. The deck does not change
J♦ = 13 + 11 = 24
♣ = 0 + n
♦ = 13 + n
♥ = 26 + n
♠ = 39 + n
*A = *B = 53
PLGRM BZIVF JGH
A  B  C  D  E  F  G  H  I
1  2  3  4  5  6  7  8  9
J  K  L  M  N  O  P  Q  R
10 11 12 13 14 15 16 17 18
S  T  U  V  W  X  Y  Z
19 20 21 22 23 24 25 26
Key Distribution
• Solitaire is a symmetric cipher, so we must
have a key known to both parties
– Use identically shuffled decks: 54! ≈ 2^237
• requires distributing decks
• requires good shuffling
– Use a bridge ordering: 52!/(13!)^4 ≈ 2^95
• need way to position jokers
• the secret police read newspapers too
– Use a passphrase to key the deck
Keying the Deck with a
Passphrase
1. Move the A-joker down one card
2. Move the B-joker down two cards
3. Perform the triple cut
4. Perform the count cut based on top card
5. Perform a second count cut based on a
letter from the passphrase
How many shuffles does it take
to be “random”?
• In an ideal riffle shuffle, we split the deck in
halves, then interleave the halves
• Cards in the same half are not reordered
• This yields 54!/(27! 27!) ≈ 2^50
• We’d need five shuffles to reach 2^237
Shuffling, in practice
• In practice, the 2^50 interleavings are not
equally likely
– cards near each other don’t separate much
• Keller [1995] claims seven shuffles are
needed
How many bits are in a
passphrase?
• English text is highly redundant
– some studies claim you get 1.4 bits per
character
– You need at least 80 characters
Bias in Solitaire
• One would expect that, if Solitaire is a good
CPRNG, the probability of getting the same
keystream letter twice in a row would be 1/26
• Crowley [2001], through simulations, found that
this is not the case: it appears to be about 1/22.5
• This information could, in theory, be exploited to
form an attack
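Added example (not part of the original slides): a Python sketch of the five keystream steps and the modulo-26 encryption described above, plus a simulation of the repeated-letter rate this slide discusses. It assumes cards are numbered 1..52 per the suit table, with the A joker stored as 53 and the B joker as 54; the unkeyed deck and the shuffle seed are constructed sample inputs.

```python
import random
from itertools import islice

A, B = 53, 54                      # jokers (assumed encoding); either counts as 53
UNKEYED = list(range(1, 55))       # constructed sample key: cards in order, then A, B

def move_down(deck, joker, n):
    """Steps 1-2: move a joker n cards down; past the bottom it wraps below the top card."""
    i = deck.index(joker)
    deck.pop(i)
    j = i + n
    deck.insert(j - len(deck) if j > len(deck) else j, joker)

def triple_cut(deck):
    """Step 3: swap the cards above the first joker with the cards below the second."""
    i, j = sorted((deck.index(A), deck.index(B)))
    return deck[j + 1:] + deck[i:j + 1] + deck[:i]

def count_cut(deck):
    """Step 4: cut by the bottom card's value, leaving the bottom card in place."""
    n = min(deck[-1], 53)
    return deck[n:-1] + deck[:n] + deck[-1:]

def keystream(deck):
    """Yield keystream numbers 1..52; a joker output is skipped (step 5)."""
    deck = list(deck)              # work on a copy so the caller's key is untouched
    while True:
        move_down(deck, A, 1)
        move_down(deck, B, 2)
        deck = count_cut(triple_cut(deck))
        out = deck[min(deck[0], 53)]   # step 5 reads the deck without changing it
        if out < 53:
            yield out

def crypt(text, deck, sign=1):
    """Add (sign=1) or subtract (sign=-1) the keystream modulo 26 over A-Z text."""
    ks = keystream(deck)
    return "".join(chr((ord(c) - 65 + sign * next(ks)) % 26 + 65) for c in text)

def repeat_rate(n, seed=1):
    """Fraction of adjacent keystream letters that are equal, from a seeded random deck."""
    deck = UNKEYED[:]
    random.Random(seed).shuffle(deck)
    letters = [k % 26 for k in islice(keystream(deck), n)]
    return sum(a == b for a, b in zip(letters, letters[1:])) / (n - 1)

if __name__ == "__main__":
    print(crypt("AAAAAAAAAA", UNKEYED))      # encrypt with the unkeyed deck
    print(repeat_rate(100_000), 1 / 26)      # measured repeat rate vs. the ideal
```

Running it prints the ciphertext for the unkeyed deck and the measured repeat rate next to the ideal 1/26, so the bias can be checked directly.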
Non-reversibility
• The cipher was designed to be reversible
– You should be able to reconstruct the previous deck
state from the current deck state
• However, the rules allowing the jokers to move
from the bottom to the top of the deck are not
reversible:
* 1 2 3 4 5 6 ... 51 52 → 1 * 2 3 4 5 6 ... 51 52
1 2 3 4 5 6 ... 51 52 * → 1 * 2 3 4 5 6 ... 51 52
• Reversibility is not necessarily a problem, but
reversible ciphers are easier to analyze
Practical Issues
• Solitaire uses output-feedback mode:
– A single bit error in the ciphertext results in a single-bit
error in the plaintext (good)
– Not self-synchronizing: drop a bit of ciphertext and
everything after it is lost (bad)
– The keystream can be generated in advance of receiving
the message
• Encryption and decryption are slow
• Key distribution is difficult
• Potential attacks based on lack of randomness
Future Work
• Develop attacks on Solitaire
• Develop a hand-computable asymmetric
algorithm
– This would address key distribution problem
– You could, in theory, compute RSA by hand,
but not with reasonable key sizes
(for further details, see Dave’s license tag)
Other Games
• A deck of cards doesn’t have enough entropy for
an asymmetric key (237 bits)
– Two decks might be enough (474 or 578 bits)
• An 8x8 chessboard has 64!/(32!8!8!2!2!2!2!2!2!)
≈ 2^141 states
– a group in CS588 designed a chess-based cipher last
year
• A 19x19 go board has 3^361 ≈ 2^572 states
• Cellular automata might be computable by hand as
well