AES can be run with a 128, 192, or 256 bit key. Each variation uses a slightly different key schedule and set of rounds to encrypt blocks of a message.


AES, like Blowfish and DES before it, is a block cypher. It operates not on the entire message, but instead on 16-byte blocks of the message. If a message is not evenly divisible by 16 bytes, then it is padded with random numbers until it is. Each block is run through the cipher on its own.

To diffuse the message throughout the ciphertext, the blocks are not simply processed independently. A bit of information is carried forward from one block to the next in a mode of operation called Cipher Block Chaining (CBC). The ciphertext of one block is XORed with the plaintext of the next block before it is encrypted. That way, a small change in the message toward the beginning is diffused throughout the rest of the message.

To prevent messages that begin with the same plaintext from having the same ciphertext at the beginning, the first block is XORed with a random set of bytes. These are called the Initialization Vector (IV). The recipient needs the IV to decrypt the message, but it is not part of the key. It can be transmitted in the clear with no loss of confidentiality.


The key is not simply applied to the block in one operation. Instead, it is applied iteratively in a set of rounds. The number of rounds depends upon the key length, and is between 10 and 14.

Each round include the following four steps:

Shifting rows and mixing columns are designed to confuse the effects of the key on the message. As opposed to simply XORing, these operations make sure that a small change in the key produces a large change in the ciphertext.

Key expansion is the process of running the key schedule, as described next.

Key schedule

The key schedule is an algorithm that computes a round key from the symmetric key. Since the round key is XORed with the 16-byte block, it must also be 16-bytes (or 128 bits). But the symmetric key can be as much as twice that length. So the key schedule produces only 16 bytes for each round, even when the whole key is bigger than that.

The AES key schedule is called "key expansion" because it produces more bits in the combined round keys than there are in the symetric key. But it's important to recognize that this process does not add any information, or entropy, to the system. There is no more key material in the set of round keys than there was in the original symmetric key. There are just more bits. The whole point of key expansion is to further confuse the key within the ciphertext.

The AES key schedule includes the following operations:

These operations make sure that a small change in the key results in a large change in the ciphertext, thus making AES resilient to differential cryptanalysis.