AES, the substitution-permutation lineage, and why we still use it
The Advanced Encryption Standard was selected from the NIST competition in 2000. The winning design — Rijndael, by Joan Daemen and Vincent Rijmen — is a substitution-permutation network operating on a 128-bit block. Its inner loop applies a non-linear byte substitution (the S-box), a row-shift, a column-mix, and a key XOR; the loop runs 10, 12, or 14 times depending on the key length (128, 192, 256 bits respectively).
The design choices reflect a specific philosophy. The S-box is
algebraically derived (a finite-field inversion composed with an affine
transformation) rather than randomly chosen — this gives provable resistance
to specific differential and linear attacks. The MixColumns step is also
algebraically motivated: a multiplication by a fixed polynomial in
GF(2^8), chosen for its diffusion properties. The whole cipher
is "designed", not "evolved".
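An added example, not part of the original article: it rebuilds the S-box from the finite-field inversion and affine map described above, applies MixColumns to one column, and measures the S-box's differential uniformity. The constants (reduction polynomial 0x11B, affine constant 0x63, MixColumns coefficients 02 03 01 01) are from FIPS 197; the function names are illustrative.

```python
# Added example: derive AES building blocks from GF(2^8) arithmetic.

def gmul(a, b):
    """Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (0x11B)."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return p

def ginv(a):
    """Multiplicative inverse computed as a^254; 0 maps to 0 by convention."""
    r = 1
    for _ in range(254):
        r = gmul(r, a)
    return r

def rotl8(x, n):
    """Rotate an 8-bit value left by n bits."""
    return ((x << n) | (x >> (8 - n))) & 0xFF

def sbox_entry(a):
    """Field inversion followed by the affine transformation."""
    b = ginv(a)
    return b ^ rotl8(b, 1) ^ rotl8(b, 2) ^ rotl8(b, 3) ^ rotl8(b, 4) ^ 0x63

SBOX = [sbox_entry(a) for a in range(256)]

def mix_column(col):
    """Multiply one 4-byte column by the fixed MixColumns polynomial."""
    return [gmul(col[i], 2) ^ gmul(col[(i + 1) % 4], 3)
            ^ col[(i + 2) % 4] ^ col[(i + 3) % 4] for i in range(4)]

def differential_uniformity(sbox):
    """Max count of x with S(x) ^ S(x ^ dx) == dy over all dx != 0 and dy."""
    worst = 0
    for dx in range(1, 256):
        counts = [0] * 256
        for x in range(256):
            counts[sbox[x] ^ sbox[x ^ dx]] += 1
        worst = max(worst, max(counts))
    return worst
```

A differential uniformity of 4 out of 256 means no single-byte input difference maps to any output difference with probability above 2^-6, which is the property the algebraic construction is chosen to guarantee.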
In hardware, AES is extremely fast: the operations are all SIMD-friendly, and modern CPUs ship dedicated AES-NI instructions that execute a full round in 4–5 cycles. A 1 GHz core can encrypt several gigabytes per second. The energy cost on mobile silicon is correspondingly trivial. There is no plausible scenario in which AES is the bottleneck in a modern application.
The cipher has held up. After 25 years of public cryptanalysis,
the best known attack on full AES-128 is a slight improvement over brute
force — about 2^126 operations rather than 2^128, which is
not exploitable in practice. The attacks on round-reduced variants (7-round
AES-128, 8-round AES-192, 9-round AES-256) have improved over time, but the
full versions remain effectively unbroken. Most modern protocols use AES as
their default symmetric primitive, and there is no current pressure to
change.