AES (Advanced Encryption Standard).

AES is a symmetric block cipher standardized by NIST in FIPS 197 after Vincent Rijmen and Joan Daemen's Rijndael design beat fourteen rivals (including Twofish, Serpent, RC6 and MARS) in an open five-year competition to replace DES. NIST announced Rijndael as the winner on 2 October 2000 and published FIPS 197 on 26 November 2001. It encrypts 128-bit blocks with 128-, 192- or 256-bit keys, running 10, 12 or 14 rounds — each composed of SubBytes (a non-linear S-box), ShiftRows, MixColumns and AddRoundKey operating on a 4×4 byte state.

Modes matter more than the cipher itself: ECB leaks block patterns and must never be used, CBC and CTR provide confidentiality only, and authenticated modes — AES-GCM, AES-CCM, AES-GCM-SIV — also detect tampering. GCM is fragile to nonce reuse: repeating a single IV under the same key can leak the GHASH authentication subkey and forge messages.

The strongest published attack remains the 2011 biclique cryptanalysis by Bogdanov, Khovratovich and Rechberger, recovering an AES-128 key in roughly 2¹²⁶·¹ operations — only a four-fold speedup over brute force, so AES stays unbroken in practice. Real-world risk lies in implementation: cache-timing side channels against software T-tables drove adoption of constant-time hardware (Intel AES-NI from 2010, ARMv8 crypto extensions). Grover's quantum algorithm only halves effective key strength, which is why AES-256 is the conservative post-quantum choice.

flowchart LR
  PT[128-bit plaintext block] --> AK0[AddRoundKey]
  K[Cipher key 128/192/256] --> KE[Key expansion to round keys]
  KE --> AK0
  AK0 --> R{Rounds 1..n-1}
  R --> SB[SubBytes S-box]
  SB --> SR[ShiftRows]
  SR --> MC[MixColumns]
  MC --> AKn[AddRoundKey]
  AKn --> R
  R --> FR[Final round: no MixColumns]
  FR --> CT[Ciphertext block]