AES (Advanced Encryption Standard)
The cipher that encrypts the modern world — chosen by open competition, scrutinised for two decades, still unbroken.
Why This Matters
AES is the cipher that runs the internet. When you load a webpage over HTTPS, when your phone wakes from sleep and unlocks, when WhatsApp delivers a message, when Wi-Fi authenticates your laptop — it is almost certainly AES doing the bulk encryption. After two decades of intense academic and intelligence-agency scrutiny, no attack faster than ~2^126 operations is known against AES-128 in its standard configuration. It is, in practice, the cipher.
By 1997 NIST knew DES was finished and ran an open international competition to replace it. Fifteen submissions from twelve countries; five finalists (MARS, RC6, Rijndael, Serpent, Twofish) survived to round two. After three years of public cryptanalysis NIST chose Rijndael by Joan Daemen and Vincent Rijmen of Belgium — the first non-American cipher ever to become a US government standard. The choice was driven by speed, hardware-friendliness, and design clarity. FIPS 197 was published 26 November 2001.
AES is a substitution-permutation network operating on a 4×4 byte state. Each round applies four operations:
- SubBytes — replace each byte via a non-linear S-box (algebraic inverse in GF(2^8))
- ShiftRows — cyclically shift each row by 0/1/2/3 positions
- MixColumns — multiply each column by a fixed polynomial (skipped in the final round)
- AddRoundKey — XOR with the round-specific subkey
AES-128 runs 10 rounds, AES-192 runs 12, AES-256 runs 14. The key schedule expands the master key into all round keys. The four-operation round delivers Shannon's confusion (S-box) and diffusion (ShiftRows + MixColumns): after 2 rounds every output bit depends on every input bit, and after the full round count the dependency is mathematically saturated.
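The round structure above, as an added example (this is not code from FIPS 197, from the page, or from any library): a minimal AES-128 in pure Python built from the four operations, plus a probe that counts how many state bytes change per round when one plaintext bit is flipped. The state layout, helper names and the `trace` parameter are this example's own choices; correctness is checked against the FIPS 197 Appendix C test vector.

```python
def xtime(a):  # multiply by x in GF(2^8), reducing by the AES polynomial x^8+x^4+x^3+x+1
    a <<= 1
    return a ^ 0x11B if a & 0x100 else a
def gmul(a, b):  # general GF(2^8) multiplication by shift-and-add
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a, b = xtime(a), b >> 1
    return r

def _sbox_entry(x):  # SubBytes table: multiplicative inverse, then the FIPS 197 affine map
    inv = 0 if x == 0 else next(i for i in range(1, 256) if gmul(x, i) == 1)
    y = inv
    for s in (1, 2, 3, 4):  # y = inv ^ rotl(inv,1) ^ rotl(inv,2) ^ rotl(inv,3) ^ rotl(inv,4)
        y ^= ((inv << s) | (inv >> (8 - s))) & 0xFF
    return y ^ 0x63
SBOX = [_sbox_entry(x) for x in range(256)]

def shift_rows(s):  # state is FIPS 197 column-major (byte (r, c) at index r + 4*c); row r rotates left by r
    return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]
def mix_columns(s):  # each column multiplied by the fixed circulant (2,3,1,1) matrix
    return [gmul(s[4*c + r], 2) ^ gmul(s[4*c + (r+1) % 4], 3) ^ s[4*c + (r+2) % 4] ^ s[4*c + (r+3) % 4]
            for c in range(4) for r in range(4)]

def expand_key(key):  # AES-128 key schedule: 16-byte key -> 11 round keys of 16 bytes
    w, rcon = list(key), 1
    for i in range(4, 44):
        t = w[4 * (i - 1):4 * i]
        if i % 4 == 0:  # every fourth word: SubWord(RotWord(t)) ^ Rcon
            t = [SBOX[t[1]] ^ rcon, SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]]
            rcon = xtime(rcon)
        w += [a ^ b for a, b in zip(w[4 * (i - 4):4 * (i - 3)], t)]
    return [w[16 * k:16 * k + 16] for k in range(11)]

def encrypt_block(key, block, trace=None):  # if trace is a list, the state after each round is appended
    rk = expand_key(key)
    s = [a ^ b for a, b in zip(block, rk[0])]            # initial AddRoundKey
    for rnd in range(1, 11):
        s = shift_rows([SBOX[b] for b in s])             # SubBytes, then ShiftRows
        s = mix_columns(s) if rnd != 10 else s           # MixColumns, skipped in the final round
        s = [a ^ b for a, b in zip(s, rk[rnd])]          # AddRoundKey
        if trace is not None:
            trace.append(bytes(s))
    return bytes(s)

def diffusion_profile(key, block, bit=0):  # bytes of state that differ per round after flipping one plaintext bit
    base, alt = [], []
    encrypt_block(key, block, base)
    encrypt_block(key, bytes([block[0] ^ (1 << bit)]) + block[1:], alt)
    return [sum(x != y for x, y in zip(a, b)) for a, b in zip(base, alt)]
```

With the Appendix C key and plaintext, the profile starts `[4, 16, ...]`: one flipped bit reaches a full column after round 1 and all 16 state bytes after round 2, which is the two-round diffusion the text describes.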
The best known attack on full AES-128 is biclique cryptanalysis at 2^126.1 operations — faster than brute force by a factor of four, but still completely impractical. Practical AES failures are always implementation flaws: cache-timing side channels (BEAST, CRIME, Lucky 13), weak modes (ECB), nonce reuse in GCM, or padding oracles in CBC. Modern Intel and ARM CPUs include AES-NI / AES instructions that make AES essentially free in software, removing the last reason to roll alternative ciphers.
| Where | How AES is Used |
|---|---|
| HTTPS (TLS 1.2/1.3) | AES-128-GCM and AES-256-GCM are the default authenticated-encryption ciphers |
| Full-disk encryption | BitLocker (XTS-AES-128/256), FileVault 2, LUKS, dm-crypt all default to AES |
| Wi-Fi WPA2 / WPA3 | AES-CCMP replaced TKIP/RC4 in 2004; WPA3 adds AES-GCMP-256 |
| Messaging apps | Signal, WhatsApp, iMessage all wrap AES-GCM under their key-ratchet protocols |
| US government | NSA CNSA Suite mandates AES-256 for TOP SECRET data |
| Property | Detail |
|---|---|
| Era | Modern · 2001 |
| Status | Universal standard; NSA-approved for TOP SECRET data with 192/256-bit keys (CNSA Suite) |
| Origin | Joan Daemen & Vincent Rijmen (Belgium, 1998); standardised as FIPS 197 in 2001 |
| Year | 2001 |
| Type | Symmetric block cipher (substitution-permutation network, 128-bit block, 128/192/256-bit key) |
| Modern Role | HTTPS, full-disk encryption (BitLocker, FileVault, LUKS), Wi-Fi WPA2/3, VPNs, messaging apps, cloud storage |