2014 Eighth International Conference on Software Security and Reliability - Companion Probabilistic Cycle Detection for Schneier’s Solitaire Keystream Algorithm Wiem Tounsi∗, Benjamin Justus∗, Nora Cuppens-Boulahia∗,Fred´ eric´ Cuppens∗, Joaquin Garcia-Alfaro∗∗ ∗Institut Mines-Telecom, Tel´ ecom´ Bretagne, Cesson Sevign´ e,´ France ∗∗Institut Mines-Telecom, Tel´ ecom´ SudParis, CNRS Samovar UMR 5157, Evry, France {FirstName.SurName}@telecom-bretagne.eu ; [email protected] Abstract—Pencil-and-paper ciphers are plausible solutions In this paper, we address some of the aforementioned that could provide lightweight protection to the communication questions about the keystream algorithm of Solitaire. Further- of resource-constrained devices. A good example in this more, we propose a slight variation of the original design category is Schneier’s Solitaire cipher. In this paper, we propose a probabilistic solution that is able to estimate Solitaire’s which could be used as a pseudo-random number generator keystream cycle length. We also present a variation of Solitaire’s (PRNG). We present a cycle detection algorithm, which is original design, and evaluate the resulting construction in terms computationally feasible when the deck size associated to the of predictability. We conduct statistical randomness tests on PRNG is relatively small. We conduct experimental results and both the original design and the modified version based on the show that it is possible to predict the maximum cycle length NIST randomness test suite. The results show that our approach improves the randomness of original Solitaire’s output sequences. period for the Solitaire PRNG of any deck size. To verify the randomness quality of Solitaire keystream, we conduct as well Keywords: ICT Security, Cryptography, Pencil-and-Paper some statistical evaluations of sample sequences generated by Ciphers, Pseudo-Random Number Generators (PRNG), Cycle both Solitaire and our modified version. The evaluations are Detection, Randomness Evaluation. based on the NIST statistical test suite for random and pseudo- random number generators [17]. I. INTRODUCTION Resource-constrained devices, such as sensors and passive Paper organization: Section II introduces the cycle detec- RFID tags, require the input of lightweight cipher designs in tion problem for PRNGs. Section III describes Solitaire’s order to protect their communications [8], [12]. Pencil-and- keystream algorithm. Section IV introduces our cycle estima- paper ciphers, also known as hand ciphers or field ciphers by tion algorithm and reports our experimental results. Section V the military, are a plausible solution to address such a concern presents the NIST randomness evaluation results on the quality [16]. Pencil-and-paper ciphers are encryption methods that are of the Solitaire PRNG. Section VI outlines related work. operated by human beings, and they hold an appropriate bal- Section VII concludes the paper. ance between security and lightweight computation. According II. PRNGS AND THE CYCLE DETECTION PROBLEM to studies like [11], humans and resource-constrained devices share similar sets of memory properties. For example, passive Deterministic pseudo-random number generators (PRNGs) RFID tags are able to store only short secrets of about 32 are often used to generate identical sequences for both the to 128 bits of length in their volatile memory. Human can sender and receiver sides of a communication exchange [19]. maintain about seven decimal digits in their immediate mem- We assume that this sequence is generated synchronously in ory [13]. Nevertheless, electronic devices are more efficient at each party. We also assume that the same sequence is used performing logical operations (e.g., AND, OR, and XOR-like to encrypt the messages following the one-time-pad principle operations), and at choosing random values. [7]. Most PRNGs are designed based on a wide range of Schneier’s Solitaire cipher is a good example of a pencil- cryptographic primitives [3], [6]. Today’s PRNGs are typically and-paper cipher that could be used to protect the commu- based on hash function or block cipher designs. Given the nications of resource-constrained devices. It was designed limited computing power of resource-constrained devices (e.g., by Bruce Schneier at the request of Neal Stephenson for passive RFID tags), block cipher based implementations are the Cryptonomicon novel [18]. Originally called Pontifex in expected to be in use. Stephenson’s novel, the algorithm behind Solitaire aims at Solitaire’s keystream algorithm can be used as a PRNG producing a practical cryptosystem calculated with an ordinary whose output is partitioned in blocks of length n. In block deck of playing cards. Despite decades of existence, few cipher-based PRNGs, the unpredictability of the generator is attacks or cryptanalysis techniques against Solitaire have been assured as long as a threshold N (related to the number of reported in the related literature. Questions such as the period PRNG outputs) is not reached — within the same initial state. of the Solitaire keystream algorithm, statistical properties of This threshold always exists due to the deterministic nature of its generated pseudo-random sequences, and complexity of the PRNGs. Once N is reached, the outputs may enter into a cycle. Solitaire internal states remain open. This cycle is predefined in classical designs of block ciphers, 978-1-4799-5843-6/14 $31.00 © 2014 IEEE 113 DOI 10.1109/SERE-C.2014.29 e.g., Cipher Block Chaining (CBC). It is typically equal to from some t’th number onwards. Here o(t) denotes the t’th 2n/2 [5]. In the sequel, we aim at estimating the threshold number in the keystream output, and S(t) the corresponding value N as the maximum cycle length for the Solitaire PRNG. Solitaire state. Thus, the task of detecting a cycle in the keystream is equivalent to finding a repetition of the Solitaire III. THE SOLITAIRE KEYSTREAM ALGORITHM state at some regular time intervals. This approach turns out to We start with a concise description of the Solitaire be computationally feasible for us when the number of cards keystream algorithm. Further details, including additional ex- is less than 16 (i.e. n ≤ 16, cf. Section IV-A). amples can be found in [18]. Solitaire generates its keystream Let o(t) be a keystream element within a cycle. The cycle using a deck of cards. Each card in the deck (54 cards, length which contains o(t) is equal to the size of the orbit including the 2 jokers) corresponds to a number 1 to 54. For generated by <S(t) > that acted under the transformation instance here, we use the bridge order of suits: clubs (1 - F . Pogorelov and Pudovkina give in [14] some algebraic 13), diamonds (14 - 26), hearts (27 - 39), spades (40 - 52), descriptions of the orbits generated by individual actions Fi. Joker A = 53, Joker B = 54. To initialize the deck, we have to At present, a complete algebraic description of those orbits arrange the cards in the initial configuration that is the state. generated by <F = F1,F2,F3,F4 > does not exist in The state (or key) in this instance corresponds to an element the literature. The best we can do theoretically is to write of the permutation group S54. To produce a single output from down the trivial bound (i.e., the maximum cycle length is the keystream algorithm, the followings steps should be carried necessarily less than the group order |Sn| = n!). There are out: some evidences, as shown in the next sections, that suggest 1) Find the A joker. Move it one card down. If the joker the orbit sizes should grow exponentially with respect to n. is the bottom card of the deck, move it just below the top card. B. Uniform Distribution Property of Keystream Outputs 2) Find the B joker. Move it two cards down. If the joker We start by validating the uniform distribution property of is the bottom card of the deck, move it just below the the Solitaire keystream outputs. Figures 1(a) and 1(b) plot second card. If the joker is one up from the bottom card, the frequency of occurrence of all possible keystream output move it just below the top card. values. They correspond to, respectively, a deck of 10 cards 3) Perform a triple cut. That is, swap the cards above the (Figure 1(a)); and 66 cards (Figure 1(b)). The plots depict the first joker with the cards below the second joker. average value associated to the frequency of occurrence of 4) Perform a count cut. Look at the bottom card. Count each card (excluding the jokers, which are never provided as down from the top card that number. Cut after the card a valid output). It also represents their 95% confidence inter- that you counted down to, leaving the bottom card on vals. To generate these two figures, we used 1,000 different the bottom. sequences, composed of 100,000 keystream outputs each. 5) Find the output card (number). To do this, look at the top We can observe that the uniform distribution property card. Count down that many cards. If one hits a joker, emerges when the number of cards n gets large. Indeed, as restart Step 1. This is the output card/number. can be seen from Figure 1(a), the probability distribution Solitaire is a block-permutation based algorithm. The for a deck of 10 cards lies in the range between 0.118 keystream output starts repeating itself after a cycle is reached. and 0.137. This is to be compared with the perfect uniform The cycle length of the keystream is a crucial piece of distribution score 1/8=0.125. For a deck of 66 cards, information since key recovery becomes possible once an the discrepancy between the actual probability distribution adversary is able to predict the keystream outputs.