In this second lab, you'll get acquainted with AES *and* learn how to cryptographically shuffle a deck of cards.

Due date: Monday, October 3rd, 8:25AM.

Write here the name of the collaborators (just in case):

We will use the implementation of AES provided by the PyCrypto library.

The message space used by this library (as is quite often the case) is the set of strings of valid 8-bit ASCII characters. In other terms, every character in such a string represents a byte. This explains the parameter lengths reported by the library:

(16, (16, 24, 32))

The other widely used convention for the message space would be to write everything as hexadecimal integers; we can easily convert from one view to the other.

Just keep in mind that most 8-bit characters just won't display nicely...

To convert whole strings, a convenient way is the following:

Let us now initialize AES with a randomly generated 16-byte key.

'5402cc8d556bcdcd3d236f2aaf9aa4bd'

We can now start encrypting text.

Notice what happens when blocks repeat:

This breaks semantic security, since the attacker should not be allowed to know that the message has repeating blocks.

**To do**: Encrypt the same message using AES in randomized counter (CTR) mode "by hand" (*i.e.*, don't use the PyCrypto API except to encrypt single blocks). Verify that Bob is able to decrypt the received ciphertext knowing only the shared secret key $k$.

Let's turn to a seemingly unrelated problem: that of a casino wanting to "impredictably" (from the point of view of the players) shuffle a deck of digital playing cards with a 128-bit shuffle key (probably generated from a master key using a CSPRNG). There are $52! \approx 2^{226}$ different ways to shuffle a deck of cards, so the whole description of a shuffle couldn't possibly fit in the shuffle key: it has to be securely derived from it.

The first, "easiest" way to do it would be to:

- Encrypt all card values using the shuffle key.
- Sort lexicographically the resulting ciphertexts.
- Assign to every "plaincard" its position in the sorted "ciphercards" list.

Hence obtaining a shuffled list of the original cards.

**To do:** Do it! What is the first poker hand (first 5 cards) dealt from your shuffled card deck?

The above method works well, but rapidly becomes incovenient when the number of objects to permute gets large. Suppose for example that we want to shuffle not 52, but 52000 cards: with the above method, getting the top 5 would require 52000 single AES evaluations. A more efficient solution (look up "Format-preserving encryption" for more information) is the following:

- Write every card value as a 2-byte word.
- Given a card value $m$, apply to it 3 rounds of a Feistel network with inner function $f$, where $f(b) = \text{first byte of the AES encryption of byte } b \text{ padded with 15 } \#.$
- Repeat step 2. until the resulting value falls in the $[0,51999]$ range; this is the value of the card at position $m$ after the permutation.

**To do:** What are the 5 first cards we get out of this 52000-card deck? How many AES evaluations did this take?

Are you able to tell where card no. 12345 lands in this shuffle? (You should! Using the fact that the Feistel network is easy to invert for somebody who knows the key...)