🤖 AI Summary
Problem: The Fisher–Yates shuffle is widely used, but it is easy to implement wrongly. An off-by-one in the bound of the random index, or a draw from the random source that is not itself uniform, yields permutations that are not equally likely, and such bias is invisible to casual testing.
Method: The authors verify the algorithm in Dafny in three steps. They define a functional model that operates on sequences and streams of random bits, prove that this model produces every permutation with equal probability, and then define an executable in-place array implementation and prove it equivalent to the functional model, so the distribution result carries over to the code that actually runs.
Contributions: (1) A machine-checked proof in Dafny that the Fisher–Yates shuffle yields a uniform distribution over permutations, established on the functional model and transferred to an executable implementation; (2) A verified functional-to-imperative equivalence that separates probabilistic reasoning (on the model) from program reasoning (on the array code); (3) A blueprint that, as the authors suggest, may extend to the verification of more complex randomized algorithms.
📝 Abstract
The Fisher-Yates shuffle is a well-known algorithm for shuffling a finite sequence, such that every permutation is equally likely. Despite its simplicity, it is prone to implementation errors that can introduce bias into the generated permutations. We verify its correctness in Dafny as follows. First, we define a functional model that operates on sequences and streams of random bits. Second, we establish that the functional model has the desired distribution. Third, we define an executable imperative implementation that operates on arrays and prove it equivalent to the functional model. The approach may serve as a blueprint for the verification of more complex algorithms.
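The three-step approach from the abstract, as an added Python example that is not the paper's Dafny code: a functional model on immutable sequences, an in-place array implementation, a check that both produce the same permutation for every possible random tape, and an exact enumeration showing that the correct algorithm is uniform while the familiar off-by-one variant (drawing the swap index from the whole array instead of the not-yet-fixed prefix) is not. The tape abstraction, the function names and the use of brute-force enumeration for small n in place of a proof for all n are mine; each tape entry is assumed to be already uniform on its range, whereas the paper works from streams of random bits.

```python
"""Fisher-Yates: functional model vs. in-place array version, checked by exhaustive
enumeration of every random tape for small n (added example, not the paper's code).

Randomness is modelled as a "tape": a finite sequence of draws where the k-th draw
is assumed uniform on a known range. Turning raw random bits into such draws without
modulo bias is a separate step that this abstraction deliberately takes as given.
"""
from collections import Counter
from fractions import Fraction
from itertools import product
from math import factorial
from typing import Callable, Dict, Iterator, List, Sequence, Tuple

Perm = Tuple[int, ...]
Tape = Iterator[int]


def shuffle_functional(xs: Sequence[int], tape: Tape) -> Perm:
    """Functional model on immutable sequences.

    Draw j uniform on range(n), move xs[j] to the last position, then shuffle the
    remaining prefix recursively. If the recursive call is uniform over the (n-1)!
    permutations of the prefix and j is uniform over n choices, the result is
    uniform over n! permutations: this is the inductive step of the proof.
    """
    n = len(xs)
    if n <= 1:
        return tuple(xs)
    j = next(tape)                      # assumed uniform on range(n)
    assert 0 <= j < n, "tape value out of range"
    ys = list(xs)
    ys[j], ys[n - 1] = ys[n - 1], ys[j]
    return shuffle_functional(ys[:-1], tape) + (ys[-1],)


def shuffle_in_place(a: List[int], tape: Tape) -> None:
    """Imperative Fisher-Yates: at step i swap a[i] with a[j], j uniform on [0, i]."""
    for i in range(len(a) - 1, 0, -1):
        j = next(tape)                  # assumed uniform on range(i + 1)
        assert 0 <= j <= i, "tape value out of range"
        a[i], a[j] = a[j], a[i]


def shuffle_biased(a: List[int], tape: Tape) -> None:
    """Deliberately wrong variant: j drawn from range(n) instead of range(i + 1)."""
    n = len(a)
    for i in range(n - 1, 0, -1):
        j = next(tape)                  # assumed uniform on range(n): bound too wide
        assert 0 <= j < n, "tape value out of range"
        a[i], a[j] = a[j], a[i]


def correct_ranges(n: int) -> List[int]:
    """Draw bounds consumed by the correct algorithms: n, n-1, ..., 2."""
    return [i + 1 for i in range(n - 1, 0, -1)]


def biased_ranges(n: int) -> List[int]:
    """Draw bounds consumed by shuffle_biased: n at each of its n-1 steps."""
    return [n] * (n - 1)


def all_tapes(ranges: Sequence[int]) -> Iterator[Tuple[int, ...]]:
    """Every tape consistent with the given bounds; all are equally likely."""
    return product(*(range(r) for r in ranges))


def run_functional(n: int, tape: Tape) -> Perm:
    return shuffle_functional(tuple(range(n)), tape)


def run_in_place(n: int, tape: Tape) -> Perm:
    a = list(range(n))
    shuffle_in_place(a, tape)
    return tuple(a)


def run_biased(n: int, tape: Tape) -> Perm:
    a = list(range(n))
    shuffle_biased(a, tape)
    return tuple(a)


def distribution(run: Callable[[int, Tape], Perm], n: int,
                 ranges: Sequence[int]) -> Dict[Perm, Fraction]:
    """Exact output distribution of `run` over all tapes with the given bounds."""
    tapes = list(all_tapes(ranges))
    counts = Counter(run(n, iter(t)) for t in tapes)
    return {p: Fraction(c, len(tapes)) for p, c in counts.items()}


def is_uniform(dist: Dict[Perm, Fraction], n: int) -> bool:
    """True iff every one of the n! permutations has probability exactly 1/n!."""
    target = Fraction(1, factorial(n))
    return len(dist) == factorial(n) and all(p == target for p in dist.values())


def agree_on_every_tape(n: int) -> bool:
    """Functional model and in-place version give the same permutation per tape."""
    return all(run_functional(n, iter(t)) == run_in_place(n, iter(t))
               for t in all_tapes(correct_ranges(n)))


if __name__ == "__main__":
    for n in range(1, 6):
        assert agree_on_every_tape(n)
        assert is_uniform(distribution(run_in_place, n, correct_ranges(n)), n)
    biased = distribution(run_biased, 3, biased_ranges(3))
    print({p: str(q) for p, q in sorted(biased.items())}, "uniform:", is_uniform(biased, 3))
```

For n = 3 the biased variant spreads 9 equally likely tapes over 6 permutations, so some permutations receive 2/9 and others 1/9; more samples never repair that, which is why an argument over all tapes, rather than a statistical test, is the right tool. The paper's functional model consumes a stream of random bits rather than ready-made uniform draws; turning bits into an index uniform on [0, i] without modulo bias is itself a place where implementations go wrong, and the tape abstraction above takes that step as given.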