
Problems with Bruce Schneier's “Solitaire” (2001) - privong
http://www.ciphergoth.org/crypto/solitaire/
======
Animats
As a usable cypher, it has some practical problems. If you restart from the
same deck for each message, both messages are encrypted with the same key
stream. That's easy to break even with just two messages.

If you continue to use the deck from its ending state from the previous
message, the security is better. But if the recipient ever misses a message,
they're out of sync. The usual procedure with progressive key systems like
this is to transmit a sequence number at the start of each message which tells
the recipient where to start.

As a practical matter, people will screw up all that card manipulation. This
is a criticism of most paper and pencil systems. In practice, intelligence
agencies that use paper and pencil systems need a staff which decodes garbled
transmissions, where the key is slightly off.

Whether this cypher is any good isn't clear. Work has been done on analyzing
it.[1] It's known that there are bad keys, starting decks which lead to a
short cycle, and that these are rare. There's a paper on this out of Moscow's
Institute of Cryptology, Communication, and Information.[2] Key comment, after
they describe what the paper covers: "Methods based on investigation of group
or semigroup properties of stream cypher not published in open literature".
They're not saying if they can crack it. But they did prove that it's
isomorphic to a cypher which is the same except for some modifications which
make it simpler. They may have proved that the fooling around with the jokers
doesn't help, but I'm not sure.

"Between Silk and Cyanide: A Codemaker's War, 1941-1945", by Leo Marks, goes
into the practical problems of paper and pencil encryption systems in wartime.
The British went into WWII using Playfair, which is a crappy transposition
cypher. He converted to a system where long one-time keys were printed on thin
silk. This allowed spies to carry lots of keying material in a small space.

[1] [https://portail.telecom-bretagne.eu/publi/public/fic_downloa...](https://portail.telecom-bretagne.eu/publi/public/fic_download.jsp?id=32899)

[2] [https://eprint.iacr.org/2003/169](https://eprint.iacr.org/2003/169)
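
An added illustration of the keystream-reuse point in the comment above (not part of the thread, and not Schneier's or the linked article's code): a compact Python Solitaire, with the unkeyed deck and two constructed plaintexts as assumptions. Restarting from the same deck makes the keystream cancel out of the two ciphertexts, so their difference equals the difference of the plaintexts; carrying the deck over does not.

```python
A, B = 53, 54                      # the two jokers; cards 1..52 are the rest

def _move_down(deck, joker, steps):
    for _ in range(steps):
        i = deck.index(joker)
        if i == len(deck) - 1:     # bottom card wraps to just below the top card
            deck.insert(1, deck.pop())
        else:
            deck[i], deck[i + 1] = deck[i + 1], deck[i]

def keystream(deck, count):
    """Advance `deck` in place and return `count` keystream cards (1..52)."""
    out = []
    while len(out) < count:
        _move_down(deck, A, 1)
        _move_down(deck, B, 2)
        i, j = sorted((deck.index(A), deck.index(B)))
        deck[:] = deck[j + 1:] + deck[i:j + 1] + deck[:i]   # triple cut
        n = min(deck[-1], 53)                               # either joker counts as 53
        deck[:] = deck[n:-1] + deck[:n] + deck[-1:]         # count cut
        card = deck[min(deck[0], 53)]
        if card < A:                                        # a joker gives no output
            out.append(card)
    return out

def encrypt(deck, plaintext):
    """Add the keystream to A-Z plaintext mod 26, consuming it from `deck`."""
    ks = keystream(deck, len(plaintext))
    return "".join(chr((ord(p) - 65 + k) % 26 + 65) for p, k in zip(plaintext, ks))

def diff(x, y):
    """Letter-by-letter difference mod 26."""
    return [(ord(a) - ord(b)) % 26 for a, b in zip(x, y)]

def demo():
    start = list(range(1, 55))               # constructed key: the unkeyed deck
    p1, p2 = "MEETATNOON", "CANCELTRIP"      # constructed plaintexts
    c1 = encrypt(list(start), p1)
    c2 = encrypt(list(start), p2)            # deck restarted: same keystream
    deck = list(start)
    d1, d2 = encrypt(deck, p1), encrypt(deck, p2)   # deck carried over
    return {"restart": diff(c1, c2) == diff(p1, p2),
            "carry_over": diff(d1, d2) == diff(p1, p2)}

if __name__ == "__main__":
    print(demo())
```
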

~~~
todd8
Thanks for the comments. I thoroughly enjoyed _Between Silk and Cyanide_. A
small correction, the Playfair is actually a substitution cipher (mapping
digrams to digrams) not a transposition cipher. The Playfair is a paper and
pencil cipher that can usually be broken by hand with even modest amounts of
material[1]. The Playfair (and the Wheatstone bridge) were invented by Sir
Charles Wheatstone.

[1] Helen F. Gaines, _Cryptanalysis_, chapter 21.
[https://www.amazon.com/Cryptanalysis-Study-Ciphers-Their-Sol...](https://www.amazon.com/Cryptanalysis-Study-Ciphers-Their-Solution/dp/0486200973)

------
elcapitan
The Solitaire link in the article doesn't work, so here's a description on
Bruce Schneier's website:

[https://www.schneier.com/academic/solitaire/](https://www.schneier.com/academic/solitaire/)

~~~
vmateixeira
In my case it's being blocked by BT and redirecting to their security and
risk management page[0].

[0] -
[http://www.globalservices.bt.com/uk/en/products_category/sec...](http://www.globalservices.bt.com/uk/en/products_category/security_and_risk_management?cid=\(pl\)counterpane\(cm\)redirect)

~~~
elcapitan
Is that a block? Just seems to me that this is a fairly old article
referencing some other fairly old page, which now probably redirects
categorically to that BT page.

~~~
vmateixeira
Yes, I think so. I can see 404s but when it comes to security/encryption links
it's not the first time it has happened. I can't access these ones either
[0],[1], linked from [2].

[0]
[http://www.counterpane.com/blowfish.html](http://www.counterpane.com/blowfish.html)

[1] [http://www.counterpane.com/bfsh-koc.zip](http://www.counterpane.com/bfsh-koc.zip)

[2] [http://bcrypt.sourceforge.net/](http://bcrypt.sourceforge.net/)

Edit: I just realised this page belongs to the same domain name as the
previous.

~~~
mintplant
I'm not on BT and I'm getting the same redirects. Looks like Counterpane was
acquired [1] by BT in 2006 and became BT Managed Security Solutions [2].

[1]
[https://www.schneier.com/blog/archives/2006/10/bt_acquires_c...](https://www.schneier.com/blog/archives/2006/10/bt_acquires_cou.html)

[2]
[https://en.wikipedia.org/wiki/BT_Managed_Security_Solutions](https://en.wikipedia.org/wiki/BT_Managed_Security_Solutions)

~~~
vmateixeira
Alright, thanks for the tip!

------
Phemist
For my last job interview, I encrypted the plaintext "DO IT" (as in, hire me!)
with solitaire. I still remember sitting in the train on my way to the job
interview, frantically shuffling cards to generate the ciphertext.

My interviewer thought it was a fun gesture and it definitely helped in me
landing the job. Had they known about these vulnerabilities in the cypher
beforehand, I'm not so sure I would've gotten it. :p

~~~
detaro
Did they give you that as a preparation task or how did that come up in your
interview?!

~~~
Phemist
I had just finished 'Necronomicon' at the time. I thought I'd do something
pro-active and show up with a little thoughtful gift, related to the company's
main focus.

~~~
Phemist
'Cryptonomicon'. Of course..

~~~
empath75
Although the idea of Lovecraftian cryptography is appealing to me.

~~~
zokier
Summoning an Old One with a deck of cards would have also been really
impressive. I would not dare to not hire someone with such skills.

~~~
stcredzero
Charles Stross has a series of stories that involves people summoning demons
and casting magic with computers and nerdy stuff. (The "Laundry")

------
jhallenworld
> The CPRNG state machine is not reversible, contrary to what the operational
> notes claim...

>> 1\. Find the A joker. Move it one card down. (That is, swap it with the card
>> beneath it.) If the joker is the bottom card of the deck, move it just below
>> the top card.

(so in reverse: if A is 2nd card you don't know to make it top card or bottom
card).

This ambiguity could be simply fixed: when you move A down, don't skip the top
card, just put it at the top. Similarly for B, count the move from bottom to
top as one of the two moves. It seems like you are doing less by not skipping
a card, but you do create a new valid configuration, so maybe it does not
hurt...
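
An added check of the ambiguity described in the comment above (not part of the thread; the 6-card deck and the function names are constructed for illustration). It enumerates every ordering of a small deck and counts how many distinct decks each joker move can produce, under the published rule and under the rule the comment proposes; fewer outputs than inputs means two decks collided, so that step cannot be undone unambiguously.

```python
from itertools import permutations

CARDS = ("1", "2", "3", "4", "A", "B")  # constructed 6-card deck; A and B are the jokers

def move_joker(deck, joker, steps, wrap_to):
    """Move `joker` down `steps` times. From the bottom it is re-inserted at
    index `wrap_to`: 1 = published rule (just below the top card),
    0 = rule proposed in the comment (the top of the deck itself)."""
    d = list(deck)
    for _ in range(steps):
        i = d.index(joker)
        if i == len(d) - 1:
            d.insert(wrap_to, d.pop())
        else:
            d[i], d[i + 1] = d[i + 1], d[i]
    return tuple(d)

def reachable_states(joker, steps, wrap_to):
    """Number of distinct decks the move produces from all 720 orderings."""
    return len({move_joker(p, joker, steps, wrap_to) for p in permutations(CARDS)})

def colliding_pair():
    """The case from the comment: A on top and A on the bottom, with the other
    cards in the same order, both end with A as the second card."""
    top = ("A", "1", "2", "3", "4", "B")
    bottom = ("1", "2", "3", "4", "B", "A")
    return move_joker(top, "A", 1, 1), move_joker(bottom, "A", 1, 1)

if __name__ == "__main__":
    print("same result from two decks:", colliding_pair())
    for joker, steps in (("A", 1), ("B", 2)):
        print(joker,
              "published:", reachable_states(joker, steps, 1),
              "proposed:", reachable_states(joker, steps, 0),
              "of 720")
```
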

------
j2kun
Can someone explain what the desired features of a "hand cipher" are?

~~~
brohee
Well, I would say:

\- practical (using a manageable amount of paper, and/or common items like a
chess board, playing cards or dominoes...)

\- fast enough (encrypt say at least one word per minute, pretty sure manual
RC4 doesn't qualify here)

\- secure against an adversary using computing resources

\- provides a way to easily store a strong key, a shuffled deck is pretty good
at this

~~~
pavel_lishin
I'd add "plausibly deniable" as well - requiring either party to have a copy
of "The Lil' Saboteur's Guide To Field Encryption" is probably bad for
espionage.

------
taspeotis

        Problems with Bruce Schneier's “Solitaire” (ciphergoth.org)
    

There's no year in the title, which raised my ire. It's an old article. But
it's hard to tell how old this article is. The end of the article has an
update dated "2001 August 13" and the Last-Modified header is "Wed, 19 Jan
2005 00:12:22 GMT".

~~~
ciphergoth
Yes, I agree that would have been wise, sorry about that! These days I'd use
blogging software that would date things automatically. However I'm sure this
dates from 1999 or before, because it was as a result of writing this that I
ended up going to crypto conferences like FSE in 2000.

~~~
vitus
Given that Cryptonomicon was published in 1999, I'd guess the article wasn't
published before then.

So... 1999?

~~~
ciphergoth
That would make sense :)

------
exabrial
Ah, so it's confirmed. Bruce is an NSA asset.
[http://m.slashdot.org/story/193287](http://m.slashdot.org/story/193287)

