Definition
The Advanced Encryption Standard (AES) is an encryption standard adopted by the U.S. government.
Basics
In cryptography, the Advanced Encryption Standard (AES), which is also known as Rijndael, is a block cipher algorithm used as an encryption standard by the U.S. government. It has been analyzed extensively and is now used all over the world, as was the case with its predecessor, the Data Encryption Standard (DES). AES was announced by the National Institute of Standards and Technology (NIST) as U.S. FIPS PUB 197 (FIPS 197) on November 26, 2001 after a 5-year standardization process in which fifteen competing designs were presented and evaluated before Rijndael was selected as the most suitable. It became effective as a standard on May 26, 2002. As of 2008, AES is one of the most popular algorithms used in symmetric key cryptography. It is available as an option in many different encryption packages. This marks the first time that the public has had access to a cipher algorithm approved by the NSA for top secret information.
This cipher algorithm was developed by two Belgian cryptographers, Joan Daemen and Vincent Rijmen, and submitted to the AES selection process under the name "Rijndael", a portmanteau of the names of the inventors. (Rijndael is pronounced. Strictly speaking, AES is not precisely Rijndael (although in practice the names are used interchangeably); the main differences are as follows:
 Rijndael supports a larger range of block sizes and key sizes and can use any combination of key and block sizes in any multiple of 32 bits, with a minimum of 128 bits and a maximum of 256 bits.
 AES has a fixed block size of 128 bits and three possible key sizes: 128, 192, or 256 bits.
"The design and strength of all key lengths of the AES algorithm (i.e., 128, 192 and 256) are sufficient to protect classified information up to the SECRET level. TOP SECRET information will require use of either the 192 or 256 key lengths. The implementation of AES in products intended to protect national security systems and/or information must be reviewed and certified by NSA prior to their acquisition and use."
Many public AES products use 128-bit secret keys by default; it is possible that the NSA may assume that 128-bit secret keys are weak and may prefer longer keys for top secret documents.
Unlike DES (the predecessor of AES), AES is a substitution-permutation network, not a Feistel network. AES is fast in both software and hardware, is relatively easy to implement, and requires little memory. As a new encryption standard, it is currently being deployed on a large scale on various platforms.
Topics of Interest
In cryptography, the Advanced Encryption Standard (AES) is an encryption standard adopted by the U.S. government. The standard comprises three block ciphers, AES-128, AES-192 and AES-256, adopted from a larger collection originally published as Rijndael. Each AES cipher has a 128-bit block size, with key sizes of 128, 192 and 256 bits, respectively. The AES ciphers have been analyzed extensively and are now used worldwide, as was the case with their predecessor, the Data Encryption Standard (DES).
AES was announced by the National Institute of Standards and Technology (NIST) as U.S. FIPS PUB 197 (FIPS 197) on November 26, 2001 after a 5-year standardization process in which fifteen competing designs were presented and evaluated before Rijndael was selected as the most suitable. It became effective as a Federal government standard on May 26, 2002 after approval by the Secretary of Commerce. It is available in many different encryption packages. AES is the first publicly accessible and open cipher approved by the NSA for top secret information (see Security of AES, below).
The Rijndael cipher was developed by two Belgian cryptographers, Joan Daemen and Vincent Rijmen, and submitted by them to the AES selection process. Rijndael is a portmanteau of the names of the two inventors.
Description of the cipher
AES is based on a design principle known as a substitution-permutation network. It is fast in both software and hardware. Unlike its predecessor, DES, AES does not use a Feistel network.
AES has a fixed block size of 128 bits and a key size of 128, 192, or 256 bits, whereas Rijndael can be specified with block and key sizes in any multiple of 32 bits, with a minimum of 128 bits and a maximum of 256 bits.
AES operates on a 4×4 array of bytes, termed the state (versions of Rijndael with a larger block size have additional columns in the state). Most AES calculations are done in a special finite field.
The AES cipher is specified as a number of repetitions of transformation rounds that convert the input plaintext into the final output of ciphertext. Each round consists of several processing steps, including one that depends on the encryption key. A set of reverse rounds is applied to transform ciphertext back into the original plaintext using the same encryption key.
High-level description of the algorithm
 KeyExpansion using Rijndael's key schedule
 Initial Round
   AddRoundKey
 Rounds
   SubBytes: a non-linear substitution step where each byte is replaced with another according to a lookup table.
   ShiftRows: a transposition step where each row of the state is shifted cyclically a certain number of steps.
   MixColumns: a mixing operation which operates on the columns of the state, combining the four bytes in each column.
   AddRoundKey: each byte of the state is combined with the round key; each round key is derived from the cipher key using a key schedule.
 Final Round (no MixColumns)
   SubBytes
   ShiftRows
   AddRoundKey
Optimization of the cipher: On systems with 32-bit or larger words, it is possible to speed up execution of this cipher by combining SubBytes and ShiftRows with MixColumns, and transforming them into a sequence of table lookups. This requires four 256-entry 32-bit tables, which use a total of four kilobytes (4096 bytes) of memory, one kilobyte for each table. A round can now be done with 16 table lookups and 12 32-bit exclusive-or operations, followed by four 32-bit exclusive-or operations in the AddRoundKey step.
If the resulting four-kilobyte table size is too large for a given target platform, the table lookup operation can be performed with a single 256-entry 32-bit table by the use of circular rotates.
Using a byte-oriented approach, it is possible to combine the SubBytes, ShiftRows, and MixColumns steps into a single round operation.
Security: Until May 2009, the only successful published attacks against the full AES were side-channel attacks on specific implementations. The National Security Agency (NSA) reviewed all the AES finalists, including Rijndael, and stated that all of them were secure enough for US Government non-classified data. In June 2003, the US Government announced that AES may be used to protect classified information.
On July 1, 2009, Bruce Schneier blogged about a related-key attack on the 192-bit and 256-bit versions of AES discovered by Alex Biryukov and Dmitry Khovratovich; the related-key attack on the 256-bit version of AES exploits AES' somewhat simple key schedule and has a complexity of 2^119. This is a follow-up to an attack discovered earlier in 2009 by Alex Biryukov, Dmitry Khovratovich, and Ivica Nikolic, with a complexity of 2^96 for one out of every 2^35 keys.
Another attack was blogged by Bruce Schneier on July 30, 2009 and published on August 3, 2009. This new attack, by Alex Biryukov, Orr Dunkelman, Nathan Keller, Dmitry Khovratovich, and Adi Shamir, is against AES-256 and uses only two related keys and 2^39 time to recover the complete 256-bit key of a 9-round version, or 2^45 time for a 10-round version with a stronger type of related subkey attack, or 2^70 time for an 11-round version. 256-bit AES uses 14 rounds, so these attacks aren't effective against full AES.
In November 2009, the first attack against a reduced 8-round version of AES-128 was published. This known-key distinguishing attack is an improvement of the rebound or the start-from-the-middle attacks for AES-like permutations, which view two consecutive rounds of permutation as the application of a so-called SuperBox. It works on the 8-round version of AES-128, with a computation complexity of 2^48, and a memory complexity of 2^32.
Side-channel attacks do not attack the underlying cipher and so have nothing to do with its security as described here, but attack implementations of the cipher on systems which inadvertently leak data. There are several such known attacks on certain implementations of AES.
Source: Wikipedia (All text is available under the terms of the GNU Free Documentation License and Creative Commons Attribution-ShareAlike License.)
