The Advanced Encryption Standard (AES), also known by its original name Rijndael (),
is a specification for the
encryption
In cryptography, encryption is the process of encoding information. This process converts the original representation of the information, known as plaintext, into an alternative form known as ciphertext. Ideally, only authorized parties can decip ...
of electronic data established by the U.S.
National Institute of Standards and Technology
The National Institute of Standards and Technology (NIST) is an agency of the United States Department of Commerce whose mission is to promote American innovation and industrial competitiveness. NIST's activities are organized into physical sci ...
(NIST) in 2001.
AES is a variant of the Rijndael
block cipher
In cryptography, a block cipher is a deterministic algorithm operating on fixed-length groups of bits, called ''blocks''. Block ciphers are specified cryptographic primitive, elementary components in the design of many cryptographic protocols and ...
developed by two
Belgian
Belgian may refer to:
* Something of, or related to, Belgium
* Belgians, people from Belgium or of Belgian descent
* Languages of Belgium, languages spoken in Belgium, such as Dutch, French, and German
*Ancient Belgian language, an extinct languag ...
cryptographers,
Joan Daemen
Joan Daemen (; born 1965) is a Belgian cryptographer who co-designed with Vincent Rijmen the Rijndael cipher, which was selected as the Advanced Encryption Standard (AES) in 2001. More recently, he co-designed the Keccak cryptographic hash, whi ...
and
Vincent Rijmen
Vincent Rijmen (; born 16 October 1970) is a Belgian cryptographer and one of the two designers of the Rijndael, the Advanced Encryption Standard. Rijmen is also the co-designer of the WHIRLPOOL cryptographic hash function, and the block cipher ...
, who submitted a proposal
to NIST during the
AES selection process. Rijndael is a family of ciphers with different key and block sizes. For AES, NIST selected three members of the Rijndael family, each with a block size of 128 bits, but three different key lengths: 128, 192 and 256 bits.
AES has been adopted by the
U.S. government
The federal government of the United States (U.S. federal government or U.S. government) is the national government of the United States, a federal republic located primarily in North America, composed of 50 states, a city within a fede ...
. It supersedes the
Data Encryption Standard
The Data Encryption Standard (DES ) is a symmetric-key algorithm for the encryption of digital data. Although its short key length of 56 bits makes it too insecure for modern applications, it has been highly influential in the advancement of cry ...
(DES), which was published in 1977. The algorithm described by AES is a
symmetric-key algorithm
Symmetric-key algorithms are algorithms for cryptography that use the same cryptographic keys for both the encryption of plaintext and the decryption of ciphertext. The keys may be identical, or there may be a simple transformation to go between th ...
, meaning the same key is used for both encrypting and decrypting the data.
In the United States, AES was announced by the NIST as U.S.
FIPS PUB 197 (FIPS 197) on November 26, 2001.
This announcement followed a five-year standardization process in which fifteen competing designs were presented and evaluated, before the Rijndael cipher was selected as the most suitable.
[See ]Advanced Encryption Standard process
The Advanced Encryption Standard (AES), the symmetric block cipher ratified as a standard by National Institute of Standards and Technology of the United States (NIST), was chosen using a process lasting from 1997 to 2000 that was markedly more ...
for more details.
AES is included in the
ISO
ISO is the most common abbreviation for the International Organization for Standardization.
ISO or Iso may also refer to: Business and finance
* Iso (supermarket), a chain of Danish supermarkets incorporated into the SuperBest chain in 2007
* Iso ...
/
IEC
The International Electrotechnical Commission (IEC; in French: ''Commission électrotechnique internationale'') is an international standards organization that prepares and publishes international standards for all electrical, electronic and r ...
18033-3 standard. AES became effective as a U.S. federal government standard on May 26, 2002, after approval by the U.S.
Secretary of Commerce
The United States secretary of commerce (SecCom) is the head of the United States Department of Commerce. The secretary serves as the principal advisor to the president of the United States on all matters relating to commerce. The secretary rep ...
. AES is available in many different encryption packages, and is the first (and only) publicly accessible
cipher
In cryptography, a cipher (or cypher) is an algorithm for performing encryption or decryption—a series of well-defined steps that can be followed as a procedure. An alternative, less common term is ''encipherment''. To encipher or encode i ...
approved by the U.S.
National Security Agency
The National Security Agency (NSA) is a national-level intelligence agency of the United States Department of Defense, under the authority of the Director of National Intelligence (DNI). The NSA is responsible for global monitoring, collecti ...
(NSA) for
top secret
Classified information is material that a government body deems to be sensitive information that must be protected. Access is restricted by law or regulation to particular groups of people with the necessary security clearance and need to know, ...
information when used in an NSA approved cryptographic module.
[See Security of AES below.]
Definitive standards
The Advanced Encryption Standard (AES) is defined in each of:
* FIPS PUB 197: Advanced Encryption Standard (AES)
* ISO/IEC 18033-3: Block ciphers
Description of the ciphers
AES is based on a design principle known as a
substitution–permutation network
In cryptography, an SP-network, or substitution–permutation network (SPN), is a series of linked mathematical operations used in block cipher algorithms such as AES (Rijndael), 3-Way, Kalyna, Kuznyechik, PRESENT, SAFER, SHARK, and Square.
S ...
, and is efficient in both software and hardware. Unlike its predecessor DES, AES does not use a
Feistel network
In cryptography, a Feistel cipher (also known as Luby–Rackoff block cipher) is a symmetric structure used in the construction of block ciphers, named after the German-born physicist and cryptographer Horst Feistel, who did pioneering research whi ...
. AES is a variant of Rijndael, with a fixed
block size of 128
bit
The bit is the most basic unit of information in computing and digital communications. The name is a portmanteau of binary digit. The bit represents a logical state with one of two possible values. These values are most commonly represente ...
s, and a
key size
In cryptography, key size, key length, or key space refer to the number of bits in a key used by a cryptographic algorithm (such as a cipher).
Key length defines the upper-bound on an algorithm's security (i.e. a logarithmic measure of the fastest ...
of 128, 192, or 256 bits. By contrast, Rijndael ''per se'' is specified with block and key sizes that may be any multiple of 32 bits, with a minimum of 128 and a maximum of 256 bits. Most AES calculations are done in a particular
finite field
In mathematics, a finite field or Galois field (so-named in honor of Évariste Galois) is a field that contains a finite number of elements. As with any field, a finite field is a set on which the operations of multiplication, addition, subtr ...
.
AES operates on a 4 × 4
column-major order
In computing, row-major order and column-major order are methods for storing multidimensional arrays in linear storage such as random access memory.
The difference between the orders lies in which elements of an array are contiguous in memory. In ...
array of 16 bytes
termed the ''state'':
[Large-block variants of Rijndael use an array with additional columns, but always four rows.]
::
The key size used for an AES cipher specifies the number of transformation rounds that convert the input, called the
plaintext
In cryptography, plaintext usually means unencrypted information pending input into cryptographic algorithms, usually encryption algorithms. This usually refers to data that is transmitted or stored unencrypted.
Overview
With the advent of comp ...
, into the final output, called the
ciphertext
In cryptography, ciphertext or cyphertext is the result of encryption performed on plaintext using an algorithm, called a cipher. Ciphertext is also known as encrypted or encoded information because it contains a form of the original plaintext ...
. The number of rounds are as follows:
* 10 rounds for 128-bit keys.
* 12 rounds for 192-bit keys.
* 14 rounds for 256-bit keys.
Each round consists of several processing steps, including one that depends on the encryption key itself. A set of reverse rounds are applied to transform ciphertext back into the original plaintext using the same encryption key.
High-level description of the algorithm
# round keys are derived from the cipher key using the
AES key schedule
AES uses a key schedule to expand a short key into a number of separate round keys. The three AES variants have a different number of rounds. Each variant requires a separate 128-bit round key for each round plus one more.Non-AES Rijndael varian ...
. AES requires a separate 128-bit round key block for each round plus one more.
# Initial round key addition:
## each byte of the state is combined with a byte of the round key using
bitwise xor
In computer programming, a bitwise operation operates on a bit string, a bit array or a binary numeral (considered as a bit string) at the level of its individual bits. It is a fast and simple action, basic to the higher-level arithmetic operati ...
.
# 9, 11 or 13 rounds:
## a
non-linear
In mathematics and science, a nonlinear system is a system in which the change of the output is not proportional to the change of the input. Nonlinear problems are of interest to engineers, biologists, physicists, mathematicians, and many other ...
substitution step where each byte is replaced with another according to a
lookup table
In computer science, a lookup table (LUT) is an array that replaces runtime computation with a simpler array indexing operation. The process is termed as "direct addressing" and LUTs differ from hash tables in a way that, to retrieve a value v wi ...
.
## a transposition step where the last three rows of the state are shifted cyclically a certain number of steps.
## a linear mixing operation which operates on the columns of the state, combining the four bytes in each column.
##
# Final round (making 10, 12 or 14 rounds in total):
##
##
##
The step
In the step, each byte
in the ''state'' array is replaced with a
using an 8-bit
substitution box
In cryptography, an S-box (substitution-box) is a basic component of symmetric key algorithms which performs substitution. In block ciphers, they are typically used to obscure the relationship between the key and the ciphertext, thus ensuring Shan ...
. Note that before round 0, the ''state'' array is simply the plaintext/input. This operation provides the non-linearity in the
cipher
In cryptography, a cipher (or cypher) is an algorithm for performing encryption or decryption—a series of well-defined steps that can be followed as a procedure. An alternative, less common term is ''encipherment''. To encipher or encode i ...
. The S-box used is derived from the
multiplicative inverse
In mathematics, a multiplicative inverse or reciprocal for a number ''x'', denoted by 1/''x'' or ''x''−1, is a number which when Multiplication, multiplied by ''x'' yields the multiplicative identity, 1. The multiplicative inverse of a rat ...
over , known to have good non-linearity properties. To avoid attacks based on simple algebraic properties, the S-box is constructed by combining the inverse function with an invertible
affine transformation
In Euclidean geometry, an affine transformation or affinity (from the Latin, ''affinis'', "connected with") is a geometric transformation that preserves lines and parallelism, but not necessarily Euclidean distances and angles.
More generally, ...
. The S-box is also chosen to avoid any fixed points (and so is a
derangement
In combinatorial mathematics, a derangement is a permutation of the elements of a set, such that no element appears in its original position. In other words, a derangement is a permutation that has no fixed points.
The number of derangements of ...
), i.e.,
, and also any opposite fixed points, i.e.,
.
While performing the decryption, the step (the inverse of ) is used, which requires first taking the inverse of the affine transformation and then finding the multiplicative inverse.
The step
The step operates on the rows of the state; it cyclically shifts the bytes in each row by a certain
offset
Offset or Off-Set may refer to:
Arts, entertainment, and media
* "Off-Set", a song by T.I. and Young Thug from the '' Furious 7: Original Motion Picture Soundtrack''
* ''Offset'' (EP), a 2018 EP by singer Kim Chung-ha
* ''Offset'' (film), a 200 ...
. For AES, the first row is left unchanged. Each byte of the second row is shifted one to the left. Similarly, the third and fourth rows are shifted by offsets of two and three respectively.
[Rijndael variants with a larger block size have slightly different offsets. For blocks of sizes 128 bits and 192 bits, the shifting pattern is the same. Row is shifted left circular by bytes. For a 256-bit block, the first row is unchanged and the shifting for the second, third and fourth row is 1 byte, 3 bytes and 4 bytes respectively—this change only applies for the Rijndael cipher when used with a 256-bit block, as AES does not use 256-bit blocks.] In this way, each column of the output state of the step is composed of bytes from each column of the input state. The importance of this step is to avoid the columns being encrypted independently, in which case AES would degenerate into four independent block ciphers.
The step
In the step, the four bytes of each column of the state are combined using an invertible
linear transformation
In mathematics, and more specifically in linear algebra, a linear map (also called a linear mapping, linear transformation, vector space homomorphism, or in some contexts linear function) is a mapping V \to W between two vector spaces that pre ...
. The function takes four bytes as input and outputs four bytes, where each input byte affects all four output bytes. Together with , provides
diffusion
Diffusion is the net movement of anything (for example, atoms, ions, molecules, energy) generally from a region of higher concentration to a region of lower concentration. Diffusion is driven by a gradient in Gibbs free energy or chemical p ...
in the cipher.
During this operation, each column is transformed using a fixed matrix (matrix left-multiplied by column gives new value of column in the state):
::
Matrix multiplication is composed of multiplication and addition of the entries. Entries are bytes treated as coefficients of polynomial of order
. Addition is simply XOR. Multiplication is modulo irreducible polynomial
. If processed bit by bit, then, after shifting, a conditional
XOR
Exclusive or or exclusive disjunction is a logical operation that is true if and only if its arguments differ (one is true, the other is false).
It is symbolized by the prefix operator J and by the infix operators XOR ( or ), EOR, EXOR, , ...
with 1B
16 should be performed if the shifted value is larger than FF
16 (overflow must be corrected by subtraction of generating polynomial). These are special cases of the usual multiplication in
.
In more general sense, each column is treated as a polynomial over
and is then multiplied modulo
with a fixed polynomial
. The coefficients are displayed in their
hexadecimal
In mathematics and computing, the hexadecimal (also base-16 or simply hex) numeral system is a positional numeral system that represents numbers using a radix (base) of 16. Unlike the decimal system representing numbers using 10 symbols, hexa ...
equivalent of the binary representation of bit polynomials from