Symmetric · Block Cipher · FIPS 197

AESAdvanced Encryption Standard · 128 · 192 · 256

The world's most widely deployed block cipher. Learn the round structure, encrypt blocks live across all three key sizes, and test yourself — everything in one place.

The core idea

What AES is and where it fits

AES is a symmetric block cipher: the same secret key both encrypts and decrypts, and it operates on fixed-size blocks of data. It was selected by NIST in 2001 (originally the Rijndael algorithm by Daemen & Rijmen) to replace the aging DES, and is specified in FIPS PUB 197.

Today AES protects almost everything: TLS connections, disk encryption (BitLocker, FileVault, LUKS), Wi-Fi (WPA2/WPA3), VPNs, and signal-protocol messaging.

One block size, three key sizes

A frequent exam trap: AES always uses a 128-bit block. Only the key length varies, which in turn changes the number of rounds.

AES-128
Key size128 bits / 16 B
Block size128 bits
Rounds10
Round keys11
Security~128-bit
AES-192
Key size192 bits / 24 B
Block size128 bits
Rounds12
Round keys13
Security~192-bit
AES-256
Key size256 bits / 32 B
Block size128 bits
Rounds14
Round keys15
Security~256-bit

Rule of thumb: rounds = Nk + 6, where Nk is the number of 32-bit words in the key (4, 6, or 8).

The state — a 4 × 4 matrix of bytes

AES doesn't process bytes one at a time. Each 128-bit block is laid out as a 4 × 4 matrix of bytes called the state, filled column-by-column. Every round operation transforms this matrix.

byte 0 → state[0][0],   byte 1 → state[1][0],   ...   byte 4 → state[0][1],   byte 5 → state[1][1], ...Column-major ordering. After all rounds the state is read out column-by-column back into 16 ciphertext bytes.

Key vocabulary

  • Block cipher — encrypts fixed-size blocks; needs a mode of operation (ECB, CBC, CTR, GCM…) to handle messages longer than one block.
  • Symmetric — encryption and decryption use the same key (vs. RSA / ElGamal which use separate keys).
  • Round — one full pass of the four transformations. AES applies several in sequence.
  • Round key — a 128-bit subkey derived from the cipher key, XOR'd into the state each round.
  • Key expansion / key schedule — the algorithm that turns one cipher key into many round keys.
  • S-box — a fixed 256-byte lookup table that provides AES's non-linearity.
  • GF(2⁸) — the Galois field over which MixColumns is defined; bytes are treated as polynomials.

Round structure & operations

What happens inside each round

The overall flow

Initial:  AddRoundKey  (with round key 0)Mixes the cipher key into the plaintext before any rounds begin.
Rounds 1 .. Nr−1:   SubBytesShiftRowsMixColumnsAddRoundKeyThe standard four-step round, repeated Nr − 1 times.
Final round Nr:   SubBytesShiftRowsAddRoundKeyThe last round omits MixColumns — a small but important detail.

Where Nr = 10, 12 or 14 for AES-128/192/256 respectively.

The four operations

① SubBytes — non-linear substitution
Each byte of the state is replaced by another byte via a fixed 256-entry lookup table called the S-box. This is the only non-linear step and the source of AES's resistance to linear cryptanalysis. The S-box is constructed from the multiplicative inverse in GF(2⁸) followed by an affine transformation.
② ShiftRows — diffusion across columns
Each row of the state is cyclically left-shifted by a fixed amount: row 0 by 0, row 1 by 1, row 2 by 2, row 3 by 3. This spreads each byte's influence across columns, ensuring that one input byte affects every output column after enough rounds.
③ MixColumns — diffusion within columns
Each column (4 bytes) is multiplied by a fixed 4 × 4 matrix in GF(2⁸). The result mixes each byte of the column into all four output bytes. The fixed matrix is {02, 03, 01, 01 / 01, 02, 03, 01 / 01, 01, 02, 03 / 03, 01, 01, 02}. Skipped in the final round — by design, so decryption is well-defined.
④ AddRoundKey — key mixing
The state is XOR'd byte-wise with the current round key. This is the only step that depends on the secret key — every other operation is publicly known. The cipher's secrecy lives entirely in this step.

Key expansion (key schedule)

AES turns the cipher key into a sequence of round keys via the key expansion routine. Each round key is 128 bits (one state-worth). The schedule uses three helpers:

  • RotWord — cyclically left-shifts a 4-byte word by one byte.
  • SubWord — applies the S-box to each of the four bytes.
  • Rcon — a round-dependent constant XOR'd into the first byte of certain words.

AES-256 additionally applies SubWord to every fourth word, since its key has more material to expand.

Operation summary

OperationActs onPurposeLinear?
SubByteseach bytenon-linearityno
ShiftRowseach rowdiffusion across columnsyes
MixColumnseach columndiffusion within columnyes
AddRoundKeyfull statekey mixing (secrecy)yes

Live AES calculator

Real AES encryption with full round-by-round state trace

Worked example — first round of AES-128

FIPS-197 Appendix B reference vector

We'll trace the official NIST test vector through key generation and the first complete round, showing every state matrix in hex.

Inputs

Plaintext (16 bytes)
32 43 f6 a8 88 5a 30 8d 31 31 98 a2 e0 37 07 34
Cipher key (16 bytes, AES-128)
2b 7e 15 16 28 ae d2 a6 ab f7 15 88 09 cf 4f 3c

Initial state (column-major)

The 16 plaintext bytes fill the 4 × 4 state matrix column-by-column:

32
88
31
e0
43
5a
31
37
f6
30
98
07
a8
8d
a2
34

Step 0 — AddRoundKey (initial, with round key 0)

Round key 0 = cipher key
XOR plaintext with the cipher key, byte by byte
e.g. column 0: 32 ⊕ 2b = 19,   43 ⊕ 7e = 3d,   f6 ⊕ 15 = e3,   a8 ⊕ 16 = be
19
a0
9a
e9
3d
f4
c6
f8
e3
e2
8d
48
be
2b
2a
08

Round 1 begins

① SubBytes — apply S-box to every byte
e.g. sbox[0x19] = d4,   sbox[0x3d] = 27,   sbox[0xe3] = 11, ...
d4
e0
b8
1e
27
bf
b4
41
11
98
5d
52
ae
f1
e5
30
② ShiftRows — cyclic left shift by row index
row 0: no shift,   row 1: ← 1,   row 2: ← 2,   row 3: ← 3
d4
e0
b8
1e
bf
b4
41
27
5d
52
11
98
30
ae
f1
e5
③ MixColumns — multiply each column by the fixed matrix in GF(2⁸)
column 0: (d4, bf, 5d, 30) → (04, 66, 81, e5)
Computing column 0, first byte: 2·d4 ⊕ 3·bf ⊕ 5d ⊕ 30 = b3 ⊕ da ⊕ 5d ⊕ 30 = 04. Repeat for all 16 bytes.
04
e0
48
28
66
cb
f8
06
81
19
d3
26
e5
9a
7a
4c
④ AddRoundKey — XOR with round key 1
round key 1 (from key expansion): a0 fa fe 17 88 54 2c b1 23 a3 39 39 2a 6c 76 05
a4
68
6b
02
9c
9f
5b
6a
7f
35
ea
50
f2
2b
43
49

This is the state at the end of round 1. Nine more rounds follow (with the last omitting MixColumns), eventually producing the ciphertext 39 25 84 1d 02 dc 09 fb dc 11 85 97 19 6a 0b 32.

Open the Calculator tab and click Load FIPS-197 test vector to see all 10 rounds traced out automatically.

Test yourself

6 questions · instant feedback · explanations
Score
0 / 6
Answer the questions to see how you're doing.