The AES Block Cipher: Advanced Encryption Standard
Advanced Encryption Standard (AES) is a block cipher designed with some inherent flexibility. It can use three possible block sizes of b=128, 192, or 256 bits, and can use three possible key lengths n=128, 192, or 256 bits. The diagram below describes the smallest variant with b=128 and n=128. A key length n=128 was considered to be secure against brute force attacks in 2019. The AES variants with larger key lengths are in the standard to “future-proof” the cipher.
Like DES (Data Encryption Standard), AES also consists of multiple rounds, each accepting a “round key.” There are ten rounds in the common AES-128 variant - the larger variants have a few extra rounds. The rounds are identical except for the first and last ones: just before the first round, there is an extra “pre-round transformation” that also accepts key (K0 in the diagram). And the final round (round 10) is slightly different from all the others. Like in DES, AES has a round-key-generator component that produces the 11 round keys (K0 plus 10 keys for the rounds) - but unlike DES, the round keys are all full-sized 128-bit keys.
Some of the inner workings of around rely on algebraic operations. However, a crucial element in the AES round function is a random-looking 256-element array called a substitution-box (S-box). As part of the round function, AES replaces bytes in the current round’s input by the value it finds through a lookup in the S-box.
AES decryption is structurally similar to that of DES. First, all of the round keys are generated (from top to bottom), and then the ciphertext is fed at the bottom and decrypted round by round going from bottom to top until the plaintext emerges. However, unlike in DES, the AES round function is not self-inverting. A separate round-decryption function inverts the round-encryption function (when it’s supplied with the same round-key).
AES was designed to allow fast implementation in both hardware and software and weak and strong CPUs. This means that it does not use much bit-twiddling (or bit manipulation). It operates on standard 8-bit quantities that fit naturally in a computer byte.
The AES cipher was invented in 1998 under the name “Rijndael,” an acronym of its inventors’ names, Belgian cryptographers Vincent Rijmen and Joan Daemen. It was submitted to NIST as one of the 15 proposals of a new cipher to replace DES. Between 1997 and 2001, NIST held a careful, transparent, and public selection process for the new cipher. It culminated in the choice of Rijndael as the Advanced Encryption Standard (AES) in 2001.
As of 2019, AES seems to be holding up well against cryptanalysis, despite many attempts to crack. Its key length of n=128 is large enough to defeat brute force attacks using current technology, and to date, no shortcuts or weaknesses that truly threaten AES’s security have been published. The US government accepts (in fact mandates) the use of AES to protect Top Secret documents. Of course, this is no guarantee for the future: we may wake up one day and discover that AES was broken. But in the meantime, AES remains the default cipher of choice for all modern applications.
However, there is one known gap in the security of AES - or, more precisely, in the security of common implementations of AES. As we saw, AES uses lookups into the S-box array. It turns out that simple implementations of S-box lookups are susceptible to side-channel attacks - and in particular, to cache attacks, like the ones we mentioned when we described Meltdown. It turns out that if the attacker can find out which entries in the S-box are looked-up - he can break the key. This does not mean that AES itself is broken, and there are special AES implementations that avoid this vulnerability. However, it requires serious attention if a side-channel attack is plausible; especially, if the targeted device has a fixed secret key hard-coded inside.
AES is widely supported in both hardware and software. To date, no practical cryptanalytic attacks against AES have been discovered. However, AES security is only assured if it is correctly implemented.