According to AbbreviationFinder, AES stands for Advanced Encryption Standard.Also known as Rijndael (pronounced “Rain Doll” in English), it is a block encryption scheme adopted as an encryption standard by the United States government. The AES was announced by the National Institute of Standards and Technology (NIST) as FIPS PUB 197 of the United States (FIPS 197) on November 26, 2001 after a standardization process that lasted 5 years. It became an effective standard on May 26, 2002. Since 2006, AES is one of the most popular algorithms used in symmetric cryptography. The cipher was developed by two Belgian cryptologists, Joan Daemen and Vincent Rijmen, both students at Katholieke Universiteit Leuven, and submitted to the AES selection process under the name “Rijndael”.

### Pseudocode

- Key expansion using Rijndael’s key scheme.
- Initial stage:
- AddRoundKey
- Rounds:

- SubBytes – in this step a non-linear substitution is performed where each byte is replaced with another according to a lookup table.
- ShiftRows – in this step a transposition is performed where each row of the «state» is cyclically rotated a certain number of times.
- MixColumns – mixing operation that operates on the columns of the state, combining the four bytes in each column using a linear transformation.
- AddRoundKey – each byte of the “state” is combined with the “round” key; each “round” key is derived from the encryption key using an iteration of the key.

- Final stage:

- SubBytes 2. ShiftRows 3. AddRoundKey

### SubBytes Stage – Bit Substitution

In the SubBytes stage, each byte in the array is updated using the 8-bit Rijndael S-box. This operation provides the non-linearity in the encryption. The S-box used comes from the inverse function around the GF (28), known to have great non-linearity properties. To avoid attacks based on simple algebraic properties, the S-box is constructed by combining the inverse function with an invertible affine transformation. The S-box is also chosen to avoid stable points (and is therefore a derangement), and also any opposite stable points. The S-box is described in greater depth in Rijndael’s S-box article.

### ShiftRows-Shift rows stage

The ShiftRows step operates on the state rows; cyclically rotates the bytes in each row by a certain offset. In AES, the first row stays in the same position. Each byte in the second row is rotated one position to the left. Similarly, the third and fourth rows are rotated by the offsets of two and three respectively. In this way, each column of the state resulting from the ShiftRows step is made up of bytes from each column of the initial state. (Variants of Rijndael with larger block size have different offsets).

### AddRoundKey stage – Subkeys calculation

In the AddRoundKey step, the subkey is combined with the state. In each round a subkey of the main key is obtained, using the iteration of the key; each subkey is the same size as the state. The subkey is added by combining each byte of the state with the corresponding byte of the subkey using XOR.

## Security

As of 2005, no successful attack against AES has been found. The United States National Security Agency (NSA) reviewed all AES candidate finalists, including Rijndael, and declared that all of them were safe enough for use in unclassified information from the United States government. In June 2003, the United States government announced that AES could be used for classified information:

“The design and strength of all key lengths of the AES algorithm (ie, 128, 192 and 256) are sufficient to protect classified information up to the SECRET level. TOP SECRET information will require use of either the 192 or 256 key lengths. The implementation of AES in products intended to protect national security systems and / or information must be reviewed and certified by NSA prior to their acquisition and use. ”

This event marks the first time that the public has had access to an NSA-approved encryptor for top secret information (TOP SECRET). It is interesting to note that many public products use 128-bit keys by default; The NSA may suspect a fundamental weakness in keys of this size, citation required, or simply prefer to have a margin of safety for top secret documents (which should remain secure for decades to come). In 2002, a theoretical attack, called an “XSL attack”, was announced by Nicolas Courtois and Josef Pieprzyk, showing a potential weakness in the AES algorithm. Various crypto experts they have found problems in the mathematics underlying the proposed attack, suggesting that the authors may have made an error in their estimates. Whether this line of attack can be taken against AES is still an open question. So far, the XSL attack against AES seems speculative; it is unlikely that anyone could actually carry out this attack.