ScholarGate
Assistant

Block Ciphers and AES

Block ciphers encrypt fixed-size blocks of data under a secret key; the Advanced Encryption Standard (AES) is the dominant modern block cipher and the foundation of most deployed symmetric encryption.

Definition

A block cipher is a keyed, invertible function that maps a fixed-length block of plaintext bits to a block of ciphertext bits of the same length; AES is the standardized block cipher operating on 128-bit blocks with 128-, 192-, or 256-bit keys.

Scope

This topic covers the structure and security of block ciphers, including substitution-permutation networks and Feistel constructions, the AES algorithm in particular, and the modes of operation (such as CBC, CTR, and GCM) that turn a fixed-block primitive into a scheme for messages of arbitrary length. It addresses cryptanalytic attacks (differential and linear cryptanalysis) and the notion of a block cipher as a pseudorandom permutation. It excludes stream ciphers and keyless hash functions, which are treated separately.

Core questions

  • How is a secure permutation on a large block built from simple, analyzable round operations?
  • Why is AES structured as a substitution-permutation network rather than a Feistel network?
  • How do modes of operation extend a block cipher to messages of arbitrary length safely?
  • What do differential and linear cryptanalysis reveal about a cipher's resistance to attack?
  • What does it mean to model a block cipher as a pseudorandom permutation?

Key concepts

  • block size and key size
  • substitution-permutation network
  • Feistel network
  • S-box
  • rounds and key schedule
  • modes of operation (ECB, CBC, CTR, GCM)
  • differential and linear cryptanalysis
  • pseudorandom permutation

Key theories

Substitution-permutation network
AES iterates rounds that combine a nonlinear byte substitution (SubBytes), linear mixing (ShiftRows, MixColumns), and key addition (AddRoundKey); alternating substitution and permutation realizes Shannon's confusion and diffusion goals, and the design gives provable upper bounds on the probability of any differential or linear trail through a few rounds, which is the basis of its resistance to those attacks.
Modes of operation
A block cipher alone encrypts only one block; modes such as CBC, CTR, and the authenticated GCM specify how successive blocks are chained (CBC) or how an encrypted counter is used as a keystream (CTR) so that messages of arbitrary length are encrypted securely and, in authenticated modes, protected against modification as well.

Mechanisms

AES processes a 128-bit block arranged as a 4×4 byte matrix through 10, 12, or 14 rounds for 128-, 192-, and 256-bit keys respectively. Each round applies SubBytes (a fixed nonlinear S-box), ShiftRows (a byte permutation), MixColumns (a linear transform over the finite field GF(2^8)), and AddRoundKey (XOR with a round key from the key schedule); the final round omits MixColumns. The combination provides full diffusion within a few rounds and resistance to known cryptanalysis.

Practical relevance

AES is ubiquitous in deployed systems: it secures the bulk data of TLS-protected web traffic, full-disk encryption (BitLocker, FileVault, LUKS), Wi-Fi (WPA2/WPA3), VPNs, and encrypted messaging. Hardware AES instructions (AES-NI) make it fast enough to encrypt high-throughput links transparently.

Evidence & guidelines

AES is specified in NIST FIPS 197 and approved for protecting classified information up to TOP SECRET (with 192- or 256-bit keys) under NSA's Commercial National Security Algorithm Suite. The block-cipher modes are standardized in the NIST SP 800-38 series. The older DES is deprecated; AES-GCM and AES-CCM are the recommended authenticated modes.

History

After DES (1977) became too weak for its 56-bit key, NIST ran an open, international competition (1997-2000) to select a successor. Fifteen candidates were publicly cryptanalyzed; the Rijndael design by Belgian cryptographers Joan Daemen and Vincent Rijmen was selected and standardized as AES in FIPS 197 (2001). Differential cryptanalysis (Biham and Shamir) and linear cryptanalysis (Matsui), developed against DES, shaped the design criteria for AES.

Key figures

  • Joan Daemen
  • Vincent Rijmen
  • Horst Feistel
  • Eli Biham
  • Adi Shamir
  • Mitsuru Matsui

Seminal works

  • daemen2002
  • nist2001aes
  • katz2020

Frequently asked questions

Why should ECB mode be avoided?
In Electronic Codebook (ECB) mode, identical plaintext blocks encrypt to identical ciphertext blocks, leaking structure in the data (famously visible when encrypting an image). Secure modes such as CTR, CBC, or GCM use an initialization vector or counter so that repetition is hidden.
Is AES-256 meaningfully more secure than AES-128?
Both are considered secure against classical attacks; AES-128 already exceeds any feasible brute-force search. AES-256 offers a larger security margin and is favored for long-term confidentiality and post-quantum hedging, since Grover's algorithm only halves the effective key length.
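The round structure described under Mechanisms and the ECB leak described in the first FAQ answer, worked through in code. This is an added example, not code from the original page or from the AES designers: a from-scratch AES-128 encryption in pure Python following the FIPS 197 round functions, checked against the FIPS 197 Appendix C.1 test vector, and then used to encrypt four identical plaintext blocks in ECB and in CTR mode. The message, key and nonce are constructed for the demonstration; the CTR counter-block layout (12-byte nonce followed by a 32-bit big-endian block index) is one of several valid choices and is assumed here. The code is not constant-time and exists to show the mechanism, not to replace a vetted library.

```python
# Added example, not from the original page: AES-128 per FIPS 197, then ECB vs CTR.

def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def _rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF

def _build_sbox():
    """SubBytes table: multiplicative inverse in GF(2^8) followed by the affine map."""
    sbox = [0] * 256
    for a in range(256):
        inv = next((x for x in range(1, 256) if gf_mul(a, x) == 1), 0)  # inv(0) := 0
        sbox[a] = inv ^ _rotl8(inv, 1) ^ _rotl8(inv, 2) ^ _rotl8(inv, 3) ^ _rotl8(inv, 4) ^ 0x63
    return sbox

SBOX = _build_sbox()

def expand_key(key):
    """AES-128 key schedule: 16-byte key -> 11 round keys of 16 bytes each."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # RotWord, then SubWord
            t[0] ^= rcon
            rcon = gf_mul(rcon, 2)                 # 01,02,04,...,80,1b,36
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [bytes(sum(w[4 * r:4 * r + 4], [])) for r in range(11)]

def shift_rows(s):
    # State byte index is r + 4c (column-major, as in FIPS 197); row r rotates left by r.
    return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]

def mix_columns(s):
    # Each column is multiplied by the fixed polynomial {03}x^3 + {01}x^2 + {01}x + {02}.
    out = []
    for c in range(4):
        a = s[4 * c:4 * c + 4]
        out += [
            gf_mul(a[0], 2) ^ gf_mul(a[1], 3) ^ a[2] ^ a[3],
            a[0] ^ gf_mul(a[1], 2) ^ gf_mul(a[2], 3) ^ a[3],
            a[0] ^ a[1] ^ gf_mul(a[2], 2) ^ gf_mul(a[3], 3),
            gf_mul(a[0], 3) ^ a[1] ^ a[2] ^ gf_mul(a[3], 2),
        ]
    return out

def aes128_encrypt_block(key, block):
    """Encrypt one 16-byte block: AddRoundKey, 9 full rounds, final round without MixColumns."""
    rk = expand_key(key)
    s = [b ^ k for b, k in zip(block, rk[0])]
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]                    # SubBytes
        s = shift_rows(s)                           # ShiftRows
        if rnd != 10:
            s = mix_columns(s)                      # MixColumns (omitted in round 10)
        s = [b ^ k for b, k in zip(s, rk[rnd])]     # AddRoundKey
    return bytes(s)

def ecb_encrypt(key, data):
    """ECB: blocks are encrypted independently, so equal plaintext blocks give equal output."""
    return b"".join(aes128_encrypt_block(key, data[i:i + 16]) for i in range(0, len(data), 16))

def ctr_encrypt(key, nonce12, data):
    """CTR: encrypt nonce||counter (assumed 12+4 byte layout) as keystream, XOR with plaintext."""
    out = bytearray()
    for n, i in enumerate(range(0, len(data), 16)):
        keystream = aes128_encrypt_block(key, nonce12 + n.to_bytes(4, "big"))
        out += bytes(p ^ k for p, k in zip(data[i:i + 16], keystream))
    return bytes(out)

def repeated_blocks(ct):
    """Count 16-byte ciphertext blocks that duplicate an earlier one (the ECB leak)."""
    blocks = [ct[i:i + 16] for i in range(0, len(ct), 16)]
    return len(blocks) - len(set(blocks))

if __name__ == "__main__":
    key = bytes(range(16))                                   # FIPS 197 Appendix C.1 key
    pt = bytes.fromhex("00112233445566778899aabbccddeeff")   # FIPS 197 Appendix C.1 plaintext
    print("FIPS 197 C.1 ciphertext:", aes128_encrypt_block(key, pt).hex())
    msg = b"ATTACK AT DAWN!!" * 4                            # constructed: four identical blocks
    nonce = b"\x00" * 12                                     # constructed; must never repeat under one key
    print("ECB repeated blocks:", repeated_blocks(ecb_encrypt(key, msg)))
    print("CTR repeated blocks:", repeated_blocks(ctr_encrypt(key, nonce, msg)))
```

The CTR result is not luck: the four counter blocks are distinct, AES under a fixed key is a permutation, so the four keystream blocks are distinct and XORing them into identical plaintext blocks yields four distinct ciphertext blocks. ECB has no such input variation, which is exactly the structure leak the FAQ describes. Note that CTR hides repetition but provides no integrity; that is what the authenticated modes add.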
