Symmetric Encryption - Learning Module

Loading content...

0/228

AES: The Advanced Encryption Standard

The World's Most Important Algorithm

Every second, trillions of bits flow across the internet protected by a single algorithm. When you send a text message, make a bank transfer, or stream a video, your data is scrambled by the same mathematical process used by intelligence agencies, military systems, and Fortune 500 companies worldwide.

This algorithm is the Advanced Encryption Standard (AES)—and its selection in 2001 marked perhaps the most transparent, rigorous, and successful public cryptographic competition in history.

Unlike its predecessor DES, which emerged from secretive government collaboration, AES was chosen through a five-year worldwide competition that examined 15 candidate algorithms under unprecedented public scrutiny. The winner, Rijndael (pronounced "rain-doll"), wasn't just secure—it was elegant, efficient, and mathematically beautiful.

Today, AES is so ubiquitous that it's built directly into modern processor hardware. Understanding AES isn't optional for anyone working in security or networking—it's foundational.

What You Will Learn

By the end of this page, you will understand the AES selection process and why Rijndael won over 14 competitors, the Substitution-Permutation Network (SPN) architecture that distinguishes AES from Feistel ciphers, the four fundamental operations (SubBytes, ShiftRows, MixColumns, AddRoundKey), how AES achieves confusion and diffusion through mathematical elegance, AES modes of operation and authenticated encryption (GCM), and AES security analysis and the current state of cryptanalytic research.

The AES Competition: A New Era of Transparent Cryptography

In 1997, NIST announced an open competition to select a replacement for the aging DES. Unlike DES's closed development, the AES process would be fully public—anyone could submit an algorithm, and the evaluation would occur in the open, with academic papers, public conferences, and worldwide participation.

AES Competition Requirements

•Block size: Fixed at 128 bits (double DES's 64-bit blocks, solving Sweet32-type vulnerabilities)
•Key sizes: Support for 128, 192, and 256 bits (providing scalable security for different applications)
•Security: Resistance to all known cryptanalytic attacks (including differential and linear cryptanalysis)
•Performance: Efficient implementation in both software and hardware across diverse platforms
•Simplicity: Algorithm should be understandable and implementable without proprietary knowledge
•Flexibility: Suitable for smart cards, hardware accelerators, and high-throughput servers alike

AES Competition Timeline
Date	Event	Details
Jan 1997	Competition announced	NIST calls for AES candidates
Aug 1998	Round 1 begins	15 algorithms submitted from 12 countries
Aug 1999	Round 2 finalists	5 finalists selected: Mars, RC6, Rijndael, Serpent, Twofish
Apr 2000	Third AES conference	Extensive public analysis of finalists
Oct 2000	Rijndael selected	NIST announces winner
Nov 2001	FIPS 197 published	AES becomes official U.S. government standard
May 2002	AES effective	AES replaces DES as mandatory federal standard

The Five Finalists:

After intensive analysis, five algorithms advanced to the final round:

Algorithm	Designers	Key Feature	Security Margin
MARS	IBM	Complex structure, crypto-variable operations	Very high
RC6	RSA Labs	Data-dependent rotations, integer multiplication	Good
Rijndael	Daemen & Rijmen	Elegant math, parallel structure	Good
Serpent	Anderson, Biham, Knudsen	Maximum security margin, 32 rounds	Very high
Twofish	Schneier et al.	Feistel, key-dependent S-boxes	High

Why Rijndael Won:

Rijndael's victory came from its exceptional balance across all evaluation criteria:

Security: Withstood all cryptanalytic attempts during evaluation
Efficiency: Fastest in both software and hardware implementations
Simplicity: Clean mathematical structure, easy to analyze
Flexibility: Equally suitable for 8-bit smart cards and 64-bit servers
Parallelizability: Operations enable hardware acceleration

Serpent had the highest security margin but was significantly slower. Twofish was complex but didn't outperform Rijndael. Rijndael offered the best overall engineering tradeoff.

The Name "Rijndael"

Rijndael combines the names of its Belgian creators: Joan Daemen and Vincent Rijmen. The algorithm was developed independently of any government or corporation, demonstrating that world-class cryptography could emerge from academic research. NIST renamed it "AES" for the standard, but cryptographers often still refer to it as Rijndael.

AES Parameters and High-Level Structure

AES operates on 128-bit blocks and supports three key lengths. The number of rounds varies with key size, providing appropriate security margins for each configuration.

AES Variants and Parameters
Variant	Key Size	Block Size	Rounds	Subkey Size	Security Level
AES-128	128 bits (16 bytes)	128 bits	10 rounds	128 bits × 11	~2^128 operations
AES-192	192 bits (24 bytes)	128 bits	12 rounds	128 bits × 13	~2^192 operations
AES-256	256 bits (32 bytes)	128 bits	14 rounds	128 bits × 15	~2^256 operations

The State Array:

AES organizes the 128-bit block as a 4×4 matrix of bytes called the state. All operations work on this state representation:

128-bit input: b₀ b₁ b₂ b₃ b₄ b₅ b₆ b₇ b₈ b₉ b₁₀ b₁₁ b₁₂ b₁₃ b₁₄ b₁₅

                    Organized as 4×4 state array:
                    ┌────────────────────────────────┐
                    │  b₀   b₄   b₈   b₁₂ │  Row 0 │
                    │  b₁   b₅   b₉   b₁₃ │  Row 1 │
                    │  b₂   b₆   b₁₀  b₁₄ │  Row 2 │
                    │  b₃   b₇   b₁₁  b₁₅ │  Row 3 │
                    └────────────────────────────────┘
                      Col0  Col1  Col2  Col3

                    Note: Bytes fill column-by-column (column-major order)

High-Level AES Structure:

┌─────────────────────────────────────────────────────────────────────────┐
│                        AES-128 ENCRYPTION                               │
├─────────────────────────────────────────────────────────────────────────┤
│                                                                         │
│   128-bit Plaintext          128-bit Key                                │
│         │                         │                                     │
│         ▼                         ▼                                     │
│   ┌──────────┐              ┌──────────────┐                            │
│   │  State   │              │ Key Schedule │                            │
│   │ (4×4)    │              │ (generate 11 │                            │
│   └────┬─────┘              │ round keys)  │                            │
│        │                    └──────┬───────┘                            │
│        │                           │                                    │
│   ┌────┴───────────────────────────┴────────────────────────────────┐   │
│   │                     AddRoundKey (with K₀)                       │   │
│   └────────────────────────────┬────────────────────────────────────┘   │
│                                │                                        │
│   ╔══════════════════════════════════════════════════════════════════╗  │
│   ║                    ROUNDS 1-9 (repeated)                         ║  │
│   ║  ┌─────────────────────────────────────────────────────────────┐ ║  │
│   ║  │  SubBytes    → ShiftRows    → MixColumns   → AddRoundKey    │ ║  │
│   ║  └─────────────────────────────────────────────────────────────┘ ║  │
│   ╚══════════════════════════════════════════════════════════════════╝  │
│                                │                                        │
│   ┌────────────────────────────▼────────────────────────────────────┐   │
│   │        ROUND 10 (final round - no MixColumns)                   │   │
│   │  SubBytes    → ShiftRows    → AddRoundKey                       │   │
│   └────────────────────────────┬────────────────────────────────────┘   │
│                                │                                        │
│                                ▼                                        │
│                        128-bit Ciphertext                               │
│                                                                         │
└─────────────────────────────────────────────────────────────────────────┘

Substitution-Permutation Network

Unlike DES's Feistel network (which processes half the block per round), AES uses a Substitution-Permutation Network (SPN) that transforms the entire block every round. This means all 128 bits are actively processed in each round, achieving full diffusion faster. The tradeoff: AES requires invertible operations (each step must be reversible for decryption).

SubBytes: The Non-Linear Core

SubBytes is AES's only non-linear operation—and consequently, its primary source of security. Each byte of the state is independently transformed through a fixed substitution table (S-box), providing the confusion required to resist cryptanalysis.

The AES S-box:

Unlike DES's seemingly arbitrary S-boxes (which were actually carefully designed to resist then-classified differential cryptanalysis), the AES S-box is derived from a clear mathematical formula:

S-box construction:
1. Compute multiplicative inverse in GF(2⁸) [Galois Field with polynomial x⁸+x⁴+x³+x+1]
2. Apply affine transformation in GF(2)

For input byte b:
   S(b) = A · b⁻¹ + c

Where:
   b⁻¹  = multiplicative inverse of b in GF(2⁸), with 0⁻¹ defined as 0
   A    = fixed 8×8 matrix over GF(2)
   c    = constant vector 0x63

Why This Works:

The multiplicative inverse provides excellent non-linearity—it's highly non-linear in terms of addition (XOR). The affine transformation then disrupts any remaining algebraic structure that might be exploitable.

S-box Table (Hexadecimal):

     |  0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
-----+------------------------------------------------
  0  | 63 7C 77 7B F2 6B 6F C5 30 01 67 2B FE D7 AB 76
  1  | CA 82 C9 7D FA 59 47 F0 AD D4 A2 AF 9C A4 72 C0
  2  | B7 FD 93 26 36 3F F7 CC 34 A5 E5 F1 71 D8 31 15
  3  | 04 C7 23 C3 18 96 05 9A 07 12 80 E2 EB 27 B2 75
  4  | 09 83 2C 1A 1B 6E 5A A0 52 3B D6 B3 29 E3 2F 84
  5  | 53 D1 00 ED 20 FC B1 5B 6A CB BE 39 4A 4C 58 CF
  6  | D0 EF AA FB 43 4D 33 85 45 F9 02 7F 50 3C 9F A8
  7  | 51 A3 40 8F 92 9D 38 F5 BC B6 DA 21 10 FF F3 D2
  8  | CD 0C 13 EC 5F 97 44 17 C4 A7 7E 3D 64 5D 19 73
  9  | 60 81 4F DC 22 2A 90 88 46 EE B8 14 DE 5E 0B DB
  A  | E0 32 3A 0A 49 06 24 5C C2 D3 AC 62 91 95 E4 79
  B  | E7 C8 37 6D 8D D5 4E A9 6C 56 F4 EA 65 7A AE 08
  C  | BA 78 25 2E 1C A6 B4 C6 E8 DD 74 1F 4B BD 8B 8A
  D  | 70 3E B5 66 48 03 F6 0E 61 35 57 B9 86 C1 1D 9E
  E  | E1 F8 98 11 69 D9 8E 94 9B 1E 87 E9 CE 55 28 DF
  F  | 8C A1 89 0D BF E6 42 68 41 99 2D 0F B0 54 BB 16

Usage: S(0x53) → row 5, column 3 → 0xED

SubBytes Operation:

State before SubBytes:          State after SubBytes:
┌────┬────┬────┬────┐           ┌────┬────┬────┬────┐
│ 32 │ 88 │ 31 │ E0 │           │ 23 │ C4 │ C7 │ E1 │
│ 43 │ 5A │ 31 │ 37 │     →     │ 1A │ BE │ C7 │ 9A │
│ F6 │ 30 │ 98 │ 07 │   S-box   │ 42 │ 04 │ 46 │ C5 │
│ A8 │ 8D │ A2 │ 34 │           │ C2 │ 5D │ 3A │ 18 │
└────┴────┴────┴────┘           └────┴────┴────┴────┘

Each byte independently substituted: 32 → S(32) = 23, etc.

Inverse S-box for Decryption

Decryption requires the inverse S-box: InvSubBytes applies S⁻¹ to each byte. The inverse is computed by reversing the construction: first apply the inverse affine transformation, then compute the multiplicative inverse. A separate 256-entry inverse table is typically precomputed for efficiency.

ShiftRows: Inter-Column Diffusion

ShiftRows is a simple but critical permutation step. It cyclically shifts the bytes in each row of the state by different offsets, ensuring that bytes from different columns mix in subsequent operations.

ShiftRows Operation:

┌─────────────────────────────────────────────────────────────────────────┐
│                         SHIFTROWS TRANSFORMATION                        │
├─────────────────────────────────────────────────────────────────────────┤
│                                                                         │
│   Original State:                   After ShiftRows:                    │
│   ┌────┬────┬────┬────┐            ┌────┬────┬────┬────┐                │
│   │ S₀₀│ S₀₁│ S₀₂│ S₀₃│ Row 0     │ S₀₀│ S₀₁│ S₀₂│ S₀₃│ (no shift)    │
│   │ S₁₀│ S₁₁│ S₁₂│ S₁₃│ Row 1  →  │ S₁₁│ S₁₂│ S₁₃│ S₁₀│ (shift 1)     │
│   │ S₂₀│ S₂₁│ S₂₂│ S₂₃│ Row 2     │ S₂₂│ S₂₃│ S₂₀│ S₂₁│ (shift 2)     │
│   │ S₃₀│ S₃₁│ S₃₂│ S₃₃│ Row 3     │ S₃₃│ S₃₀│ S₃₁│ S₃₂│ (shift 3)     │
│   └────┴────┴────┴────┘            └────┴────┴────┴────┘                │
│                                                                         │
│   Shift amounts (circular left shift):                                  │
│   Row 0: 0 bytes (unchanged)                                           │
│   Row 1: 1 byte                                                        │
│   Row 2: 2 bytes                                                       │
│   Row 3: 3 bytes                                                       │
│                                                                         │
└─────────────────────────────────────────────────────────────────────────┘

Concrete Example:

Before ShiftRows:                After ShiftRows:
┌────┬────┬────┬────┐           ┌────┬────┬────┬────┐
│ A1 │ B1 │ C1 │ D1 │           │ A1 │ B1 │ C1 │ D1 │  ← unchanged
│ A2 │ B2 │ C2 │ D2 │     →     │ B2 │ C2 │ D2 │ A2 │  ← shift left 1
│ A3 │ B3 │ C3 │ D3 │           │ C3 │ D3 │ A3 │ B3 │  ← shift left 2
│ A4 │ B4 │ C4 │ D4 │           │ D4 │ A4 │ B4 │ C4 │  ← shift left 3
└────┴────┴────┴────┘           └────┴────┴────┴────┘

Why ShiftRows Matters:

ShiftRows ensures that each column of the state (after ShiftRows) contains bytes from all four original columns. When MixColumns subsequently operates on columns, it mixes bytes that originally came from different parts of the input.

Without ShiftRows, each column would evolve independently—no inter-column diffusion would occur, and the cipher would be far weaker.

Diffusion Pattern:

Original column 0:  [A1, A2, A3, A4]
    ↓ SubBytes (each byte independently)
    ↓ ShiftRows

Column 0 now contains: [S(A1) from col0, S(B2) from col1, S(C3) from col2, S(D4) from col3]
    ↓ MixColumns

All 4 output bytes of column 0 now depend on bytes from ALL 4 original columns!

Inverse ShiftRows:

For decryption, InvShiftRows shifts in the opposite direction (right instead of left):

Row 0: 0 bytes (unchanged)
Row 1: 1 byte right
Row 2: 2 bytes right
Row 3: 3 bytes right

Hardware Efficiency

ShiftRows is essentially "free" in hardware implementations. It requires no actual computation—just rewiring the connections between registers. In software, it's implemented as byte reordering, which is also extremely fast. This zero-cost diffusion is part of why AES is so efficient.

MixColumns: The Mathematical Mixer

MixColumns is where AES's mathematical elegance shines brightest. Each column of the state is treated as a 4-element vector over GF(2⁸) and multiplied by a fixed matrix. This operation provides inter-byte diffusion within columns—complementing ShiftRows' inter-column diffusion.

The MixColumns Matrix:

┌         ┐   ┌         ┐   ┌         ┐
│ 02 03 01 01 │   │ S₀ │   │ S'₀ │
│ 01 02 03 01 │ × │ S₁ │ = │ S'₁ │
│ 01 01 02 03 │   │ S₂ │   │ S'₂ │
│ 03 01 01 02 │   │ S₃ │   │ S'₃ │
└         ┘   └    ┘   └     ┘

All operations in GF(2⁸) with irreducible polynomial x⁸ + x⁴ + x³ + x + 1

What Does This Mean?

For column [S₀, S₁, S₂, S₃], the output is:

S'₀ = (02 · S₀) ⊕ (03 · S₁) ⊕ (01 · S₂) ⊕ (01 · S₃)
S'₁ = (01 · S₀) ⊕ (02 · S₁) ⊕ (03 · S₂) ⊕ (01 · S₃)
S'₂ = (01 · S₀) ⊕ (01 · S₁) ⊕ (02 · S₂) ⊕ (03 · S₃)
S'₃ = (03 · S₀) ⊕ (01 · S₁) ⊕ (01 · S₂) ⊕ (02 · S₃)

Where:
  ⊕ = XOR (addition in GF(2⁸))
  · = multiplication in GF(2⁸)
  01 · x = x (identity)
  02 · x = x shifted left; if high bit was set, XOR with 0x1B
  03 · x = (02 · x) ⊕ x

Galois Field Multiplication:

Multiplication by 02 in GF(2⁸):
──────────────────────────────
xtime(b) = {
    if (b & 0x80) == 0:   // high bit not set
        return b << 1
    else:                  // high bit set, reduce mod polynomial
        return (b << 1) ^ 0x1B
}

Examples:
  02 · 0x57 = 0xAE     (0x57 << 1 = 0xAE, no reduction needed)
  02 · 0xAE = 0x47     (0xAE << 1 = 0x15C, XOR 0x1B = 0x47)
  03 · 0x57 = 02·0x57 ⊕ 0x57 = 0xAE ⊕ 0x57 = 0xF9

MixColumns Example:

Input column:     Calculation:                              Output:
┌────┐                                                       ┌────┐
│ D4 │   S'₀ = 02·D4 ⊕ 03·BF ⊕ 01·5D ⊕ 01·30 = ...        │ 04 │
│ BF │   S'₁ = 01·D4 ⊕ 02·BF ⊕ 03·5D ⊕ 01·30 = ...        │ 66 │
│ 5D │   S'₂ = 01·D4 ⊕ 01·BF ⊕ 02·5D ⊕ 03·30 = ...        │ 81 │
│ 30 │   S'₃ = 03·D4 ⊕ 01·BF ⊕ 01·5D ⊕ 02·30 = ...        │ E5 │
└────┘                                                       └────┘

Why This Matrix?

The MixColumns matrix was chosen for several properties:

Maximum Distance Separable (MDS): Any change in input bytes propagates to all output bytes
Invertible: The inverse matrix exists for decryption
Efficient: Multiplication only by 01, 02, 03 (and their inverses for decryption)

Why No MixColumns in Final Round

The final round omits MixColumns. Why? Because it provides no additional security when followed immediately by AddRoundKey (both are linear operations). Omitting it makes encryption and decryption more symmetric and slightly faster. The cipher remains fully secure without it in the final round.

AddRoundKey: Where the Secret Enters

AddRoundKey is the simplest AES operation but arguably the most important: it's where the secret key actually influences the cipher. Without AddRoundKey, AES would be a fixed, public transformation—trivially reversible by anyone.

AddRoundKey Operation:

┌─────────────────────────────────────────────────────────────────────────┐
│                         ADDROUNDKEY OPERATION                           │
├─────────────────────────────────────────────────────────────────────────┤
│                                                                         │
│   State:                      Round Key:              Result:           │
│   ┌────┬────┬────┬────┐       ┌────┬────┬────┬────┐   ┌────┬────┬────┬────┐│
│   │ S₀₀│ S₀₁│ S₀₂│ S₀₃│       │ K₀₀│ K₀₁│ K₀₂│ K₀₃│   │S₀₀⊕K₀₀│...│...│...││
│   │ S₁₀│ S₁₁│ S₁₂│ S₁₃│  ⊕    │ K₁₀│ K₁₁│ K₁₂│ K₁₃│ = │...│...│...│...││
│   │ S₂₀│ S₂₁│ S₂₂│ S₂₃│       │ K₂₀│ K₂₁│ K₂₂│ K₂₃│   │...│...│...│...││
│   │ S₃₀│ S₃₁│ S₃₂│ S₃₃│       │ K₃₀│ K₃₁│ K₃₂│ K₃₃│   │...│...│S₃₃⊕K₃₃││
│   └────┴────┴────┴────┘       └────┴────┴────┴────┘   └────┴────┴────┴────┘│
│                                                                         │
│   Each byte of state XORed with corresponding byte of round key        │
│   This is the ONLY operation that uses the key                         │
│                                                                         │
└─────────────────────────────────────────────────────────────────────────┘

Properties of XOR in AddRoundKey:

Self-inverse: XOR undoes itself (a ⊕ k ⊕ k = a)
Bitwise independence: Each bit operates independently
Perfect mixing: Any bit of the key affects the output
Zero cost: XOR is the fastest operation on any processor

Round Key Derivation:

Each round uses a different 128-bit round key derived from the original key through the key schedule (key expansion). For AES-128:

Round 0:  K₀  = Original key (used before Round 1)
Round 1:  K₁  = Derived from K₀
Round 2:  K₂  = Derived from K₁
...
Round 10: K₁₀ = Derived from K₉

Total: 11 round keys × 128 bits = 1,408 bits of expanded key material

AES Key Schedule (AES-128):

The key expansion generates 11 round keys from the 16-byte original key:

Original key: K = [W₀, W₁, W₂, W₃]  (4 words of 4 bytes each)

For i = 4 to 43:
    temp = W[i-1]
    if i mod 4 == 0:
        temp = SubWord(RotWord(temp)) ⊕ Rcon[i/4]
    W[i] = W[i-4] ⊕ temp

Where:
  RotWord: circular left shift of 4 bytes by 1 position
  SubWord: apply S-box to each of 4 bytes
  Rcon[j]: round constant = [2^(j-1), 0, 0, 0] in GF(2⁸)

Round keys:
  K₀ = [W₀, W₁, W₂, W₃]     (original)
  K₁ = [W₄, W₅, W₆, W₇]
  K₂ = [W₈, W₉, W₁₀, W₁₁]
  ...
  K₁₀ = [W₄₀, W₄₁, W₄₂, W₄₃]

Key Schedule Security

The key schedule ensures that round keys are sufficiently different from each other and from the original key. Each round key depends on all bytes of the original key through cascading dependencies. Related-key attacks have been studied, but no practical attack exists for properly implemented AES with independently random keys.

AES in Action: A Complete Example

Let's trace a complete AES-128 encryption to see how the four operations work together to achieve confusion and diffusion. We'll observe how a single plaintext byte spreads its influence across the entire ciphertext block.

Initial Setup:

Plaintext:  00 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF
Key:        00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

State (column-major):          Key (column-major):
┌────┬────┬────┬────┐          ┌────┬────┬────┬────┐
│ 00 │ 44 │ 88 │ CC │          │ 00 │ 04 │ 08 │ 0C │
│ 11 │ 55 │ 99 │ DD │          │ 01 │ 05 │ 09 │ 0D │
│ 22 │ 66 │ AA │ EE │          │ 02 │ 06 │ 0A │ 0E │
│ 33 │ 77 │ BB │ FF │          │ 03 │ 07 │ 0B │ 0F │
└────┴────┴────┴────┘          └────┴────┴────┴────┘

════════════════════════════════════════════════════════════
Initial AddRoundKey (K₀ = original key):
════════════════════════════════════════════════════════════

State ⊕ K₀:
┌────┬────┬────┬────┐   ┌────┬────┬────┬────┐   ┌────┬────┬────┬────┐
│ 00 │ 44 │ 88 │ CC │   │ 00 │ 04 │ 08 │ 0C │   │ 00 │ 40 │ 80 │ C0 │
│ 11 │ 55 │ 99 │ DD │ ⊕ │ 01 │ 05 │ 09 │ 0D │ = │ 10 │ 50 │ 90 │ D0 │
│ 22 │ 66 │ AA │ EE │   │ 02 │ 06 │ 0A │ 0E │   │ 20 │ 60 │ A0 │ E0 │
│ 33 │ 77 │ BB │ FF │   │ 03 │ 07 │ 0B │ 0F │   │ 30 │ 70 │ B0 │ F0 │
└────┴────┴────┴────┘   └────┴────┴────┴────┘   └────┴────┴────┴────┘

Round 1 (showing diffusion):

════════════════════════════════════════════════════════════
SubBytes (each byte through S-box):
════════════════════════════════════════════════════════════

┌────┬────┬────┬────┐           ┌────┬────┬────┬────┐
│ 00 │ 40 │ 80 │ C0 │           │ 63 │ 09 │ CD │ BA │
│ 10 │ 50 │ 90 │ D0 │  S-box →  │ CA │ 53 │ 60 │ 70 │
│ 20 │ 60 │ A0 │ E0 │           │ B7 │ D0 │ E0 │ E1 │
│ 30 │ 70 │ B0 │ F0 │           │ 04 │ 51 │ E7 │ 8C │
└────┴────┴────┴────┘           └────┴────┴────┴────┘

════════════════════════════════════════════════════════════
ShiftRows:
════════════════════════════════════════════════════════════

┌────┬────┬────┬────┐           ┌────┬────┬────┬────┐
│ 63 │ 09 │ CD │ BA │ Row 0→    │ 63 │ 09 │ CD │ BA │
│ CA │ 53 │ 60 │ 70 │ Row 1→    │ 53 │ 60 │ 70 │ CA │
│ B7 │ D0 │ E0 │ E1 │ Row 2→    │ E0 │ E1 │ B7 │ D0 │
│ 04 │ 51 │ E7 │ 8C │ Row 3→    │ 8C │ 04 │ 51 │ E7 │
└────┴────┴────┴────┘           └────┴────┴────┴────┘

Notice: Each column now has bytes from ALL 4 original columns!

════════════════════════════════════════════════════════════
MixColumns (each column mixed):
════════════════════════════════════════════════════════════

Column 0: [63, 53, E0, 8C] → Matrix multiply → [5F, 57, F7, 1C]

The byte 63 (from original position [0,0]) now influences
ALL FOUR output bytes of column 0!

════════════════════════════════════════════════════════════
AddRoundKey (with K₁):
════════════════════════════════════════════════════════════

State ⊕ K₁ = Round 1 output

After Round 1:

A single input byte now influences an entire column. After Round 2, it influences multiple columns. By Round 4, every output bit depends on every input bit and every key bit—complete diffusion achieved.

Avalanche Effect

AES exhibits almost perfect avalanche: changing a single input bit changes approximately 50% of output bits. After just 2 rounds, changes propagate throughout the state. By the end of 10 rounds, ciphertexts from similar plaintexts are statistically indistinguishable from random. This is Shannon's diffusion principle in action.

AES Modes and Authenticated Encryption

AES is a block cipher—it encrypts 128-bit blocks. Real data requires modes of operation to handle arbitrary-length messages. Modern best practice strongly favors authenticated encryption modes that provide both confidentiality and integrity.

Modern AES Modes Comparison
Mode	Type	Parallelizable	Authenticated	Recommendation
ECB	Block	Yes	No	❌ NEVER USE - patterns leak
CBC	Block	Decrypt only	No	⚠️ Legacy; requires separate MAC
CTR	Stream-like	Yes	No	⚠️ Fast but unauthenticated
GCM	AEAD	Yes	Yes	✅ RECOMMENDED - fast, authenticated
CCM	AEAD	No	Yes	✅ Good for constrained devices
XTS	Disk encryption	Yes	No	✅ Standard for disk encryption

AES-GCM: The Gold Standard

Galois/Counter Mode (GCM) is the most widely deployed authenticated encryption mode:

┌─────────────────────────────────────────────────────────────────────────┐
│                           AES-GCM STRUCTURE                             │
├─────────────────────────────────────────────────────────────────────────┤
│                                                                         │
│   Inputs:                                                               │
│   - Key K (128, 192, or 256 bits)                                       │
│   - Nonce/IV (96 bits recommended)                                      │
│   - Plaintext P (arbitrary length)                                      │
│   - Additional Authenticated Data (AAD) - optional, in clear           │
│                                                                         │
│   Outputs:                                                              │
│   - Ciphertext C (same length as P)                                     │
│   - Authentication Tag T (typically 128 bits)                           │
│                                                                         │
│   ═══════════════════════════════════════════════════════════════════   │
│                                                                         │
│   ENCRYPTION:                                                           │
│   ────────────                                                          │
│                    Nonce || Counter                                     │
│                           │                                             │
│                           ▼                                             │
│                    ┌──────────────┐                                     │
│              K ───►│   AES-CTR    │───► Keystream                       │
│                    └──────────────┘         │                           │
│                                             ▼                           │
│                     Plaintext ────────⊕────►Ciphertext                  │
│                                                    │                    │
│                                                    ▼                    │
│                    ┌──────────────────────────────────────────────┐     │
│                    │             GHASH (Galois MAC)               │     │
│         AAD ──────►│  Polynomial multiplication in GF(2^128)      │     │
│                    └────────────────────┬─────────────────────────┘     │
│                                         │                               │
│                                         ▼                               │
│                                  Authentication Tag                     │
│                                                                         │
│   DECRYPTION: Verify tag FIRST, then decrypt. Reject if tag invalid.   │
│                                                                         │
└─────────────────────────────────────────────────────────────────────────┘

GCM Properties:

Confidentiality: CTR mode encryption
Authentication: GHASH provides integrity for ciphertext AND additional data
Parallelizable: Both encryption and authentication can be hardware-accelerated
Single-pass: Encryption and authentication computed together
Nonce-misuse sensitivity: Reusing a nonce with the same key is CATASTROPHIC

GCM Nonce Reuse Is Fatal

If the same nonce is ever used twice with the same key in GCM, an attacker can: (1) recover the XOR of plaintexts, (2) forge valid authentication tags for arbitrary messages, and (3) potentially recover the authentication key entirely. Always use random or carefully managed unique nonces. For high-volume applications, consider AES-GCM-SIV which provides nonce-misuse resistance.

AES Security: Two Decades of Scrutiny

Since its adoption in 2001, AES has been subjected to intense cryptanalytic scrutiny. While researchers have found theoretical weaknesses, no practical attack on properly implemented AES exists.

Known Attacks on AES (All Impractical)
Attack	Target	Complexity	Practical?
Biclique Attack	AES-128/192/256	2^126.1 / 2^189.7 / 2^254.4	No - barely better than brute force
Related-Key Attacks	AES-192, AES-256	2^99.5 / 2^119	No - requires related keys (unrealistic)
Side-Channel (Cache)	Implementations	Varies	Yes - attacks implementation, not algorithm
Fault Injection	Implementations	Varies	Yes - attacks implementation, not algorithm
Algebraic Attacks (XL)	Theoretical	2^200	No - far worse than brute force

The Biclique Attack (2011):

The best known attack on full AES:

AES-128: 2^126.1  (vs brute force 2^128) - ~4× speedup
AES-192: 2^189.7  (vs brute force 2^192) - ~5× speedup
AES-256: 2^254.4  (vs brute force 2^256) - ~3× speedup

Context:
  2^126 operations is still utterly infeasible
  If every atom in the universe computed 1 billion keys/sec,
  it would take ~10^15 years to exhaust the space

Verdict: Theoretically notable, practically irrelevant

Related-Key Attacks:

These attacks assume an adversary can observe encryptions under keys with known mathematical relationships. This is an extraordinarily weak threat model—realistic systems never use related keys. The attacks are interesting academically but not a concern for practitioners.

What Actually Matters: Implementation Attacks

Real-world AES vulnerabilities come from implementation flaws:

Cache-timing attacks: Table lookups cause cache hits/misses that leak key information
Power analysis: CPU power consumption varies based on operations and data values
Electromagnetic emissions: EM signals reveal internal operations
Fault injection: Inducing computational errors reveals key bytes

Countermeasures

Modern implementations protect against side-channels through: (1) Constant-time code that avoids data-dependent branches and memory accesses, (2) Hardware AES instructions (AES-NI) that execute in fixed time regardless of data, (3) Masking techniques that randomize intermediate values, and (4) Physical shielding against EM and power analysis. Always use well-vetted cryptographic libraries and hardware acceleration when available.

Summary: AES—The Global Standard

AES represents the culmination of decades of cryptographic research, selected through the most rigorous public competition in cryptographic history. Its elegant mathematics, exceptional efficiency, and proven security have made it the universal choice for symmetric encryption.

Key Takeaways

•Transparent selection: AES emerged from a five-year public competition, establishing a new standard for cryptographic algorithm development with worldwide participation.
•Substitution-Permutation Network: Unlike DES's Feistel structure, AES transforms the entire 128-bit block each round, achieving faster diffusion through SubBytes, ShiftRows, MixColumns, and AddRoundKey.
•Mathematical elegance: Operations are defined over Galois fields (GF(2⁸)), providing strong algebraic foundations that facilitate security analysis.
•Scalable security: Support for 128, 192, and 256-bit keys (with 10, 12, 14 rounds respectively) provides flexibility from standard to post-quantum preparation.
•Hardware acceleration: AES-NI instructions provide native hardware support on modern processors, enabling encryption at 10+ GB/s.
•Use authenticated modes: Always prefer AES-GCM or similar AEAD modes. Unauthenticated encryption (CTR, CBC alone) leaves systems vulnerable to manipulation attacks.

What's Next:

With symmetric encryption algorithms—DES, 3DES, and AES—thoroughly understood, the next page addresses the critical challenge that spans all symmetric cryptography: key management. How are keys generated, stored, distributed, rotated, and destroyed? Key management failures have caused more cryptographic disasters than algorithm weaknesses. Understanding these operational security aspects is essential for deploying symmetric encryption in real systems.

Page Complete

You now understand AES's internal operations, security properties, and mode selection. You can explain why AES won the NIST competition, how its four operations achieve confusion and diffusion, and why authenticated encryption modes like GCM are essential. The final page addresses how to protect the keys that make all this cryptographic machinery useful.