> AES — ADVANCED ENCRYPTION STANDARD
The idea in plain English: AES works with data arranged in a 4×4 grid of bytes (16 bytes = 128 bits total). It applies four operations to this grid, one after another, repeated 10, 12, or 14 times (depending on key size). First, each byte is replaced with a different byte via a lookup table (SubBytes). Then the rows of the grid are shifted (ShiftRows). Then the columns are mixed together using algebra (MixColumns). Finally, a round key is XORed into the state (AddRoundKey). The result is a thoroughly scrambled block that's mathematically impossible to unscramble without the key.
Why this really exists: By 1997, DES was clearly obsolete (Deep Crack broke it in 1998), so NIST held an open international competition. 15 ciphers were submitted from 12 countries. In 2000, the Rijndael cipher (by Belgian cryptographers Joan Daemen and Vincent Rijmen) won. AES is now the most widely used symmetric encryption algorithm on Earth — your HTTPS connection, your WiFi password, your phone's disk encryption, and secure messaging apps all use AES. It's fast in both hardware and software, and no practical attack has ever been found on the full 10-round version.
▸ The Four AES Operations
Every AES round (except the last) applies all four operations in sequence:
1. SubBytes — Each of the 16 state bytes is replaced using the AES S-box (a 16×16 lookup table). The S-box is based on the multiplicative inverse in GF(2⁸) followed by an affine transformation. This is the only non-linear step — without it, AES would be solvable with linear algebra.
2. ShiftRows — Row 0 stays put. Row 1 rotates left by 1 byte. Row 2 rotates left by 2 bytes. Row 3 rotates left by 3 bytes. This spreads each column's influence across all columns.
3. MixColumns — Each column (4 bytes) is treated as a polynomial over GF(2⁸) and multiplied by a fixed polynomial: 3x³ + x² + x + 2. This mixes all four bytes within a column together. The last round skips MixColumns (it's structurally identical to have it, but skipping saves computation without reducing security).
4. AddRoundKey — The 128-bit round key (derived from the cipher key via Rijndael's key schedule) is XORed byte-by-byte into the state.
💡 Decryption in AES reverses these operations with their inverses: InvSubBytes, InvShiftRows (rotate right), InvMixColumns, and AddRoundKey (XOR is its own inverse). This is unlike Feistel ciphers (DES) where encryption and decryption are the same structure.
▸ The AES S-Box (Lookup Table)
Each byte of the state is replaced by S[byte]. The S-box was designed to be resistant to differential and linear cryptanalysis. Here is the standard 16×16 lookup table (row = high nibble, column = low nibble):
  | 0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
---+------------------------------------------------
0 |63 7c 77 7b f2 6b 6f c5 30 01 67 2b fe d7 ab 76
1 |ca 82 c9 7d fa 59 47 f0 ad d4 a2 af 9c a4 72 c0
2 |b7 fd 93 26 36 3f f7 cc 34 a5 e5 f1 71 d8 31 15
3 |04 c7 23 c3 18 96 05 9a 07 12 80 e2 eb 27 b2 75
4 |09 83 2c 1a 1b 6e 5a a0 52 3b d6 b3 29 e3 2f 84
5 |53 d1 00 ed 20 fc b1 5b 6a cb be 39 4a 4c 58 cf
6 |d0 ef aa fb 43 4d 33 85 45 f9 02 7f 50 3c 9f a8
7 |51 a3 40 8f 92 9d 38 f5 bc b6 da 21 10 ff f3 d2
8 |cd 0c 13 ec 5f 97 44 17 c4 a7 7e 3d 64 5d 19 73
9 |60 81 4f dc 22 2a 90 88 46 ee b8 14 de 5e 0b db
a |e0 32 3a 0a 49 06 24 5c c2 d3 ac 62 91 95 e4 79
b |e7 c8 37 6d 8d d5 4e a9 6c 56 f4 ea 65 7a ae 08
c |ba 78 25 2e 1c a6 b4 c6 e8 dd 74 1f 4b bd 8b 8a
d |70 3e b5 66 48 03 f6 0e 61 35 57 b9 86 c1 1d 9e
e |e1 f8 98 11 69 d9 8e 94 9b 1e 87 e9 ce 55 28 df
f |8c a1 89 0d bf e6 42 68 41 99 2d 0f b0 54 bb 16
Example: byte 0x53 → row 5, col 3 → S[0x53] = 0xed
💡 The S-box is computed mathematically, not randomly chosen. It's the multiplicative inverse in GF(2⁸) of the byte (with 0x00 mapping to itself), followed by an affine transformation over GF(2). This design ensures optimal resistance to differential and linear cryptanalysis.
▸ Worked Example — One Round of AES-128
Let's trace a single round of AES-128 with a 4×4 state. Key size: 128 bits (16 bytes). AES-128 = 10 rounds total. The state is shown as bytes arranged column-by-column (standard AES convention):
19 a0 9a e9
3d f4 c6 f8
e3 e2 8d 48
be 2b 2a 08
Step 1 — SubBytes: Replace each byte via S-box
d4 e0 b8 1e
27 bf b4 41
11 98 5d 52
ae f1 e5 30
Step 2 — ShiftRows: Row 0 unchanged, Row 1 ← 1 left, Row 2 ← 2 left, Row 3 ← 3 left
d4 e0 b8 1e
bf b4 41 27
5d 52 11 98
30 ae f1 e5
Step 3 — MixColumns: Each column multiplied by fixed polynomial
New column 0 = [d4, bf, 5d, 30] mixed with [2,3,1,1] in GF(2⁸):
0xd4*2 + 0xbf*3 + 0x5d*1 + 0x30*1 = 0x04
0xd4*1 + 0xbf*2 + 0x5d*3 + 0x30*1 = 0x66
0xd4*1 + 0xbf*1 + 0x5d*2 + 0x30*3 = 0x81
0xd4*3 + 0xbf*1 + 0x5d*1 + 0x30*2 = 0xe5
(... repeat for columns 1, 2, 3 ...)
Step 4 — AddRoundKey: XOR with K1 (the first round key)
New state = MixColumns(state) ⊕ K1
This completes one round. Repeat 9 more times (10 rounds total), skipping MixColumns on the final round.
After all 10 rounds, the 16-byte state is the ciphertext. The key schedule generates all 11 round keys (K0 through K10) from the original 16-byte cipher key using a recursive expansion involving S-box substitutions and round constant XORs.
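The S-box construction and the one-round trace above, as an added Python example (not code from the original page): it rebuilds the S-box from the GF(2⁸) inverse plus affine step instead of the lookup table, then applies the four operations to the page's state. The helper names are illustrative, and K1 is an assumption: the page does not give it, so the round-1 key of the FIPS 197 Appendix B example is used.

```python
def gmul(a, b):
    """Multiply two bytes in GF(2^8), reducing by x^8 + x^4 + x^3 + x + 1."""
    p = 0
    while b:
        if b & 1:
            p ^= a
        a = (a << 1) ^ (0x11b if a & 0x80 else 0)
        b >>= 1
    return p

def build_sbox():
    """S[x] = affine(inverse of x in GF(2^8)); 0x00 has no inverse, stays 0."""
    sbox = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if gmul(x, y) == 1), 0)
        s = inv ^ 0x63
        for n in range(1, 5):          # XOR in the four left-rotations of inv
            s ^= ((inv << n) | (inv >> (8 - n))) & 0xff
        sbox.append(s)
    return sbox

SBOX = build_sbox()
MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]

def sub_bytes(s):
    return [[SBOX[b] for b in row] for row in s]

def shift_rows(s):
    return [row[r:] + row[:r] for r, row in enumerate(s)]  # row r rotates left by r

def mix_columns(s):
    return [[gmul(MIX[r][0], s[0][c]) ^ gmul(MIX[r][1], s[1][c]) ^
             gmul(MIX[r][2], s[2][c]) ^ gmul(MIX[r][3], s[3][c])
             for c in range(4)] for r in range(4)]

def add_round_key(s, k):
    return [[a ^ b for a, b in zip(sr, kr)] for sr, kr in zip(s, k)]

def aes_round(s, round_key, final=False):
    s = shift_rows(sub_bytes(s))
    return add_round_key(s if final else mix_columns(s), round_key)

def grid(text):
    """Parse four lines of hex bytes, laid out as the page prints the state."""
    return [[int(b, 16) for b in line.split()] for line in text.strip().splitlines()]

STATE = grid("19 a0 9a e9\n3d f4 c6 f8\ne3 e2 8d 48\nbe 2b 2a 08")  # from the page
# Assumption: K1 is the round-1 key of the FIPS 197 Appendix B example (not on the page).
K1 = grid("a0 88 23 2a\nfa 54 a3 6c\nfe 2c 39 76\n17 b1 39 05")

if __name__ == "__main__":
    for row in aes_round(STATE, K1):
        print(" ".join(f"{b:02x}" for b in row))
```

Calling `sub_bytes(STATE)` and `shift_rows(sub_bytes(STATE))` returns the grids shown in Steps 1 and 2, and column 0 of `mix_columns(...)` is the 04 66 81 e5 computed in Step 3.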
▸ AES Variants by Key Size
| Variant | Key Size | Rounds | Block Size | Security Level |
|---|---|---|---|---|
| AES-128 | 128 bits (16 B) | 10 | 128 bits | ✅ Sufficient for all current applications |
| AES-192 | 192 bits (24 B) | 12 | 128 bits | 🟢 Overkill for current threats |
| AES-256 | 256 bits (32 B) | 14 | 128 bits | 🟢 Resistant to quantum attacks (Grover's algorithm halves the security, still 128-bit effective) |
💡 Despite having different round counts, all three variants use the same 128-bit block size. The original Rijndael submission supported variable block sizes (128, 192, 256), but NIST standardized only the 128-bit block version as AES. The key schedule expansions differ between variants — AES-256's key schedule is more complex to derive 14 round keys from 32 bytes.
▸ The NIST Competition — A New Standard Is Born
Jan 1997: NIST announces an open competition to replace DES
Aug 1998: 15 candidate algorithms accepted from 12 countries — Rijndael (Belgium), Serpent (UK/Israel/Denmark), Twofish (USA), RC6 (USA), MARS (USA), and 10 others
Mar 1999: 5 finalists chosen: Rijndael, Serpent, Twofish, RC6, MARS
Oct 2000: Rijndael wins — chosen for its excellent combination of security, performance (fast in both software and hardware), simplicity, and flexibility
Nov 2001: Published as FIPS PUB 197 — becomes the US government standard
2002–present: AES becomes the de facto global encryption standard adopted by NIST, ISO/IEC, and every major technology company
The other finalists were all strong ciphers — Serpent was actually more conservative (more rounds, higher security margin) but 2–3× slower. Twofish (designed by Bruce Schneier, creator of Blowfish) was a close runner-up. Rijndael won because it was elegant, fast, and had an excellent security margin — and 20+ years later, no practical attack breaks full AES.
▸ Real-World Applications
- HTTPS / TLS: Every secure website you visit uses AES to encrypt your connection. AES-GCM (Galois/Counter Mode) is the standard cipher suite in TLS 1.3
- WiFi (WPA2/WPA3): Your wireless router encrypts all traffic with AES-CCMP. WPA3 mandates AES as the only encryption option
- Disk encryption: BitLocker (Windows), FileVault (macOS), and LUKS (Linux) all use AES-XTS to encrypt your hard drive
- Signal / WhatsApp: End-to-end encrypted messaging uses AES in combination with the Double Ratchet protocol
- VPNs: OpenVPN, WireGuard, and IPSec all use AES for tunnel encryption
- Smartphones: Both Apple's Secure Enclave and Android's KeyStore use AES hardware acceleration for on-device encryption
- Cloud storage: AWS S3, Google Cloud Storage, and Azure Blob Storage all support server-side AES-256 encryption