Library

5.5.3 Advanced Encryption Standard (AES)

In 1997 NIST initiated an open international competition to develop a successor to DES. After a four-year evaluation involving public peer review and extensive cryptanalysis, the winning algorithm—Rijndael, designed by Belgian cryptographers Vincent Rijmen and Joan Daemen—was selected in 2000 and standardized as the Advanced Encryption Standard (AES).

AES is a symmetric block cipher that operates on 128-bit blocks and supports key sizes of 128, 192, or 256 bits. Unlike DES, AES is based on substitution–permutation networks (SPNs) rather than the Feistel structure. The algorithm transforms data through a series of rounds (10, 12, or 14 for the three key lengths) that include:

These transformations collectively provide high degrees of confusion and diffusion, as defined by Shannon, making AES resistant to linear and differential cryptanalysis.

The same operations are used for decryption but applied in the reverse order with inverse transformations. AES was designed for efficient implementation on both 8-bit microcontrollers and 32-bit or 64-bit processors and supports hardware acceleration in most modern CPUs.

Since its standardization, AES has been extensively analyzed and remains unbroken when used with appropriate key lengths. No practical cryptanalytic attack faster than brute force is known against full-round AES. As of 2025, AES-128 is considered secure for most applications, while AES-256 is preferred for classified or long-lived data protection.

AES has largely replaced DES and 3DES in all new cryptographic protocols and standards. It forms the basis for secure communications across technologies including Transport Layer Security (TLS), IPsec, Wi-Fi (WPA2 and WPA3), and virtual private networks (VPNs). In banking and embedded systems, legacy support for 3DES continues but is being phased out under updated NIST guidance recommending migration to AES by 2030.

In modern secure-communications systems, symmetric encryption is rarely used in isolation. Instead, authenticated-encryption modes—such as AES-GCM or ChaCha20-Poly1305—are employed to provide confidentiality and integrity simultaneously. These authenticated-encryption with associated data (AEAD) schemes prevent not only passive eavesdropping but also active modification attacks, and they form the basis of contemporary protocols such as TLS 1.3 and IPsec.