Purpose: Expand a short cryptographic key into multiple round keys.

AES supports 128, 192, or 256-bit key sizes.

The key is expanded into an array of 32-bit words: $\{W[1], W[2], ..., W[n-1]\}$.

Number of rounds $N_r$ and expanded words:

AES-128: $N_r = 10$, expanded key $n = 44$ words.
AES-192: $N_r = 12$, expanded key $n = 52$ words.
AES-256: $N_r = 14$, expanded key $n = 60$ words.

Round keys = groups of 4 words (128 bits).

Three core functions:

RotWord: cyclically shifts a 4-byte word.
SubWord: applies the S-box to each byte.
Rcon: round constant $\{02^{i-1}, 00, 00, 00\}$ in $GF(2^8)$.

Modes of Operation: Classification and Status

Confidentiality only (legacy): ECB, CBC, CFB, OFB, CTR.
Authenticated Encryption (AEAD): GCM/GMAC, CCM, SIV family (e.g., AES-GCM-SIV).
Storage only: XTS-AES (no integrity, sector tweakable).
Format Preserving Encryption (FPE): FF1, FF3-1 (specialized use).

Modes of Operation: ECB, CBC, CFB, OFB, CTR in 2025

Legacy/Pedagogical:
- ECB: leaks patterns; do not use.
- CBC: vulnerable to padding oracles unless carefully paired with a MAC; not parallelizable on encryption.
- CFB/OFB: stream-like; rarely justifiable over modern AEAD.
Still useful:
- CTR: good building block; but must be paired with MAC/AEAD. Easily parallelizable; careful counter management.

Modes of Operation: AEAD Choices

AES-GCM: fastest with AES-NI/ARMv8 crypto extensions; requires unique 96-bit nonce.
AES-GCM-SIV: abuse-resistant (safe against nonce reuse with the same key); deterministic by (key, nonce, AAD, PT).
CCM: used in constrained environments (e.g., 802.15.4); longer authentication latency.

General AEAD Structure

Guarantees:
1. Confidentiality (encryption of plaintext).
2. Integrity/Authentication (verification of ciphertext + AAD).
Inputs:
- $K$: secret key
- $N$: nonce/IV
- $A$: associated data (authenticated but not encrypted)
- $P$: plaintext
Outputs:
- $C$: ciphertext
- $T$: authentication tag

AES-CTR Mode: Pseudocode

# Encryption
def AES_CTR_Encrypt(K, N, P):
    C = []
    for i, block in enumerate(split_blocks(P)):
        counter = N || int_to_bytes(i)  # Concatenate nonce and counter
        keystream = AES_Encrypt(K, counter)
        C_block = block ⊕ keystream
        C.append(C_block)
    return concat(C)

# Decryption
def AES_CTR_Decrypt(K, N, C):
    P = []
    for i, block in enumerate(split_blocks(C)):
        counter = N || int_to_bytes(i)
        keystream = AES_Encrypt(K, counter)
        P_block = block ⊕ keystream
        P.append(P_block)
    return concat(P)

AES-CCM: Pseudocode

# CCM = CTR + CBC-MAC
def AES_CCM_Encrypt(K, N, A, P):
    T = CBC_MAC(K, N, A, P)  # Compute authentication tag
    C = AES_CTR_Encrypt(K, N, P)
    return (C, T)

def AES_CCM_Decrypt(K, N, A, C, T):
    P = AES_CTR_Decrypt(K, N, C)
    T_check = CBC_MAC(K, N, A, P)
    if T_check != T:
        raise AuthenticationError
    return P