Use the strongest available random source when shuffling

jherland · jherland · commit 602a3e972395 · 2020-04-28T02:57:47.000+02:00
We need to provide cryptographically secure random shuffling. Looking at Python's implementation of random.shuffle()[1], we see that (a) it is a straightforward implementation of Durstenfeld's shuffle algorithm[2] (which is as unbiased as its random number source), and (b) it allows for a custom `random` function to be passed in. Hence, AFAICS, we should get a cryptographically secure shuffle as long as we pass in a `random` function that itself is cryptographically secure. Quoting the documentation of the secrets module: The secrets module provides access to the most secure source of randomness that your operating system provides. class secrets.SystemRandom A class for generating random numbers using the highest-quality sources provided by the operating system. Therefore, the best we can do is AFAICS to simply use the `random` function available from secrets.SystemRandom class. [1]: https://github.com/python/cpython/blob/v3.6.10rc1/Lib/random.py#L263 [2]: https://en.wikipedia.org/wiki/Fisher–Yates_shuffle#The_modern_algorithm [3]: https://docs.python.org/3.6/library/secrets.html#random-numbers
diff --git a/dp3t/protocols/lowcost.py b/dp3t/protocols/lowcost.py
@@ -77,6 +77,18 @@ def batch_start_from_time(time):
     return (int(time.timestamp()) // SECONDS_PER_BATCH) * SECONDS_PER_BATCH
 
 
+def secure_shuffle(items):
+    """Perform a cryptographically secure shuffling of the given items
+
+    Args:
+        items (obj:list): A list of items to be shuffled
+
+    Returns:
+        Nothing. Items are shuffled in place
+    """
+    random.shuffle(items, secrets.SystemRandom().random)
+
+
 #########################################
 ### BASIC CRYPTOGRAPHIC FUNCTIONALITY ###
 #########################################
@@ -130,8 +142,7 @@ def generate_ephids_for_day(current_day_key, shuffle=True):
 
     # Shuffle the resulting ephids
     if shuffle:
-        # WARNING: replace with a secure shuffle
-        random.shuffle(ephids)
+        secure_shuffle(ephids)
 
     return ephids
 
@@ -310,7 +321,7 @@ def add_observation(self, ephid, time):
         self.observations[batch_start].append(ephid)
 
         # Shuffle observations to hide receive order
-        random.shuffle(self.observations[batch_start])
+        secure_shuffle(self.observations[batch_start])
 
     def get_tracing_information(
         self,
@@ -451,4 +462,4 @@ def housekeeping_after_batch(self, batch):
             self.observations[day_time].extend(observations)
 
             # Reshuffle to make sure we do not store ordering data
-            random.shuffle(self.observations[day_time])
+            secure_shuffle(self.observations[day_time])
