# Advanced Encryption Standard

The **Advanced Encryption Standard**, or **AES**, is a US government specification for a block cipher to replace the earlier and weaker Data Encryption Standard (DES). AES encrypts data in 128-bit blocks and can take a 128, 192 or 256-bit key. DES used 64-bit blocks and a 56-bit key.

As for DES, AES is required for some applications in government and in regulated industries, but is also also widely used in other applications and widely used outside the US. As for DES, there is a whole generation of ciphers with some similarities to AES, those can be substituted for AES in applications, and some governments choose one of those as a national standard rather than adopt a US standard.

Starting in the late 90s, the US National Institute of Standards and Technology (NIST) ran a competition to find a block cipher to replace DES. Fifteen candidates were submitted; for descriptions of the criteria used and of all candidates see AES competition.

In October 2002, they announced [1] the winner — **Rijndael** (pronounced approximately "rhine doll"), from two Belgian designers. That algorithm is now the Advanced Encryption Standard.

The NIST page on AES has much detail, including links to all the Rinjdael design documents, to several implementations, and to the official standard, approved as FIPS 197. The external links of the block cipher article have additional links.

## Design

AES is an iterated block cipher, but unlike DES it is not a Feistel cipher; the overall structure is an SP network. Nonlinearity is obtained by mixing operations from different algebraic groups. There are four operations.

Two give confusion:

- AddRoundKey: bitwise XOR of 128-bit state and 128-bit round key
- SubBytes: run individual bytes through an 8 by 8 S-box

The other two give diffusion, treating the 128-bit block as a four by four matrix of bytes (as did an earlier cipher from the same designers, Square):

- ShiftRows: cyclicly shift each row by a fixed amount
- MixColumns: treat each column as a polynomial over the Galois field
**GF**(*2*); multiply it by one constant polynomial modulo another^{8}

It encrypts 128-bit blocks with a 128, 192 or 256-bit key. The number of rounds varies with key size: 10 for 128-bit keys, 12 for 192-bit keys and 14 for 256-bit keys. The numbers of rounds were chosen based on an analysis showing that they are enough to give resistance to linear cryptanalysis and differential cryptanalysis.

## AES in hardware

There are a number of AES chips on the market, for example Seagate, and many academic papers on the design of such chips, for example Su, Lin, Huang & Wu.

Intel is adding AES instructions in their CPUs.