Verifying the Fisher-Yates Shuffle Algorithm in Dafny
Stefan Zetzsche, Jean-Baptiste Tristan, Tancrede Lepoint, Mikael Mayer
TL;DR
This work addresses the challenge of verifying that the Fisher-Yates shuffle provides uniform randomness over permutations within Dafny, a nontrivial task given limited native probabilistic support. It introduces a functional model based on a bitstream randomness source and the Hurd monad, proves that this model yields the correct uniform distribution, and then provides an imperative array-based implementation whose correctness is established by proving equivalence to the functional model. The contributions include a rigorous probabilistic formalization (bitstreams, measure spaces, independence) and a practical verification blueprint that can be applied to other randomized algorithms, with a concrete pathway to format-preserving tokenization applications. The approach demonstrates how to bridge high-level probabilistic reasoning with executable code, enabling reliable, unbiased shuffles in security-sensitive contexts and guiding future verification work in similar settings.
Abstract
The Fisher-Yates shuffle is a well-known algorithm for shuffling a finite sequence, such that every permutation is equally likely. Despite its simplicity, it is prone to implementation errors that can introduce bias into the generated permutations. We verify its correctness in Dafny as follows. First, we define a functional model that operates on sequences and streams of random bits. Second, we establish that the functional model has the desired distribution. Third, we define an executable imperative implementation that operates on arrays and prove it equivalent to the functional model. The approach may serve as a blueprint for the verification of more complex algorithms.