AES, visualized

AES-128 starts with a 16-byte key and stretches it into 11 round keys (176 bytes total). The original key becomes round key 0; the next ten are derived from it by repeatedly applying RotWord, SubWord, and a round-constant XOR.

Notice how unrelated each round key looks from the next — that's the point. But the relationship is deterministic and reversible: if an attacker recovers any round key, they can run the schedule backwards and get the original. That's why side-channel hardening (constant-time S-box, masking) matters even on the round keys themselves.

Every entry is the multiplicative inverse of the input byte (in GF(2⁸) modulo the polynomial x⁸ + x⁴ + x³ + x + 1) followed by an affine transformation. The result is a non-linear permutation with strong differential and linear properties — the only such non-linearity in the entire cipher.

Read the table as: row = high nibble, column = low nibble. So S-box(0x53) = the byte at row 5, column 3 = 0xed. Every byte you process in SubBytes gets routed through here.

Each column of the state is a 4-element vector. MixColumns multiplies it by this fixed matrix:

  ⎡ 02  03  01  01 ⎤
  ⎢ 01  02  03  01 ⎥
  ⎢ 01  01  02  03 ⎥
  ⎣ 03  01  01  02 ⎦

Multiplication is in GF(2⁸): multiplying by 1 is identity; multiplying by 2 is a left-shift with a conditional XOR by 0x1b if the top bit was set; multiplying by 3 is "multiply by 2 then XOR with the original." Add is just XOR.

The matrix entries (1, 2, 3) are tiny on purpose — every multiplication is a couple of cheap ops. The matrix is also MDS (maximum distance separable): change k input bytes and at least 5 − k output bytes change. Combined with ShiftRows on the next round, one bit flip propagates to every byte of state in two rounds flat.

AES-128 uses 10 rounds. AES-192 uses 12. AES-256 uses 14. Why those numbers?

A 4-round version of AES is breakable with a known attack (the "Square attack" by Daemen, Knudsen, and Rijmen) using a few hundred chosen plaintexts. 5 rounds breaks under more sophisticated attacks. 6 rounds resists those but falls to other techniques. The round counts in real AES include a generous safety margin: the best public attack on full AES-128 only shaves a few bits off brute force, leaving an effective security level of roughly 2¹²⁶ operations.

The pattern is also designed-in: every round mixes via SubBytes (non-linear) and MixColumns (diffusion). After 2 rounds, every output byte depends on every input byte. After 10, the dependency tree is so tangled that algebraic attacks have nothing to grab onto.

AES is a block cipher — it always encrypts exactly 16 bytes at a time. To encrypt a longer message you need a mode of operation that wraps the block cipher and handles chaining, parallelism, and authentication.

ECB (Electronic Code Book): encrypt each 16-byte chunk independently. Identical plaintext blocks produce identical ciphertext blocks — which is why you should never use it. The famous ECB Tux image shows the leak.

CTR (Counter): turn the block cipher into a stream cipher by encrypting an incrementing counter and XOR'ing with the plaintext. Fast, parallel, but unauthenticated on its own.

GCM (Galois/Counter Mode): CTR mode plus a polynomial authenticator (GHASH) over the ciphertext. Produces a 16-byte tag the recipient verifies before decrypting. This is what TLS 1.3 uses for AES. A GCM walkthrough is on the roadmap for this app.