Go to MACIS 2017 homepageLeakage-Resilient Riffle Shuffle
Abstract: Analysis of various card-shuffles – finding its mixing-time is an old mathematical problem. The results show that e.g., it takes $$\mathcal {O}(\log n)$$ riffle-shuffles (Aldous and Diaconis, American Mathematical Monthly, 1986) to shuffle a deck of n cards while one needs to perform $$\varTheta (n \log n)$$ steps via cyclic to random shuffle (Mossel et al., FOCS, 2004). Algorithms for generating pseudo-random permutations play a major role in cryptography. Oblivious card shuffles can be seen as block ciphers (and e.g., may be used for format-preserving encryption) while non-oblivious card shuffles often are a building block for cryptographic primitives (e.g., Spritz, RC4). Unfortunately, all results about the mixing times of card shuffling algorithms are in the black-box model. The model does not capture real-world capabilities of adversaries who may be able to e.g., obtain some information about the randomness used during the shuffling. In this paper we investigate the impact on the mixing time of the riffle shuffle by an adversary who is able to eavesdrop some portion of the random bits used by the process. More precisely: assuming that each bit of the randomness leaks independently with probability p we show that whenever RiffleSST performs $$r = \log _{2\over 2-(1-p)^2} {n\atopwithdelims ()2} + \log _{2\over 2-(1-p)^2} \left( \frac{1}{\varepsilon n!}\right) $$ steps, it cannot be distinguished from a permutation selected uniformly at random with the advantage larger than $$\varepsilon $$ .
0 Replies
Loading