AES Encryption Calculator

Last updated: April 4, 2026

The AES Encryption Calculator demonstrates AES-128, AES-192, and AES-256 encryption concepts including key scheduling, round structure, and block cipher mechanics. Used for cryptography education, security auditing, and understanding the world's most widely deployed symmetric encryption standard.

Calculator

Results

  • Encryption Rounds: 12 rounds
  • Number of 128-bit Blocks: 66 blocks
  • IV / Nonce Size: 16 bytes
  • Padded Plaintext Size (ECB/CBC): 1,048 bytes
  • Ciphertext Size (ECB/CBC with IV): 1,064 bytes
  • Ciphertext Size (GCM with nonce+tag): 1,061 bytes
  • Key Size: 24 bytes

In This Guide

  1. AES Architecture: Block Size, Key Sizes, and Rounds
  2. Key Schedule and Round Key Generation
  3. AES Security: Brute Force and Known Attacks
  4. Modes of Operation: ECB, CBC, GCM, and Beyond

The calculator for AES encryption demonstrates the mechanics of the Advanced Encryption Standard — the symmetric block cipher adopted by NIST in 2001 after a five-year international competition and now protecting the vast majority of encrypted data worldwide, from HTTPS connections to encrypted hard drives, messaging apps, and government classified communications.

AES Architecture: Block Size, Key Sizes, and Rounds

AES is a symmetric block cipher with a fixed block size of 128 bits and three key length options:

  • AES-128: 128-bit key, 10 encryption rounds — standard for most commercial and civilian applications
  • AES-192: 192-bit key, 12 rounds — used in some government and high-security applications
  • AES-256: 256-bit key, 14 rounds — NSA Suite B standard for TOP SECRET classified information

Each round (except the final) consists of four operations: SubBytes (byte substitution via the S-box), ShiftRows (row permutation), MixColumns (column mixing via GF(2⁸) arithmetic), and AddRoundKey (XOR with round key). The final round omits MixColumns. The password entropy calculator helps assess how many bits of entropy a given key or password provides against brute-force attacks.

Key Schedule and Round Key Generation

AES derives all round keys from the original cipher key through the key expansion algorithm. For AES-128, 11 round keys (one initial key plus one per round) are generated from the 128-bit input key using the Rijndael key schedule, which applies the S-box and Rcon constants through a recursive expansion. The security of AES depends critically on the key schedule producing round keys that appear independent and unpredictable, preventing round-key related attacks. Key management — how keys are generated, stored, transmitted, and rotated — is typically the weakest link in AES deployments, not the algorithm itself. The password strength checker assesses key quality for human-derived keys.
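The key expansion described above, written out as an added example (not code from this page or the calculator). It generalizes from AES-128 to all three key sizes, builds the S-box from its GF(2⁸) definition instead of a table, and uses the public FIPS 197 Appendix A.1 test key as sample input; the function names are this example's own.

```python
def _gmul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1 (0x11B)."""
    p = 0
    while b:
        if b & 1:
            p ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return p

def _build_sbox() -> list:
    """S-box = multiplicative inverse in GF(2^8), then the FIPS 197 affine map."""
    sbox = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if _gmul(x, y) == 1), 0)
        s = inv
        for i in range(1, 5):  # XOR with the inverse rotated left by 1..4 bits
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox

SBOX = _build_sbox()

def expand_key(key: bytes) -> list:
    """Return the Nr+1 round keys (16 bytes each) for a 16/24/32-byte key."""
    if len(key) not in (16, 24, 32):
        raise ValueError("AES keys are 16, 24 or 32 bytes")
    nk = len(key) // 4   # key length in 32-bit words: 4, 6 or 8
    nr = nk + 6          # 10, 12 or 14 rounds
    w = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    rcon = 1
    for i in range(nk, 4 * (nr + 1)):
        t = w[i - 1]
        if i % nk == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # RotWord, then SubWord
            t[0] ^= rcon                          # Rcon: successive powers of 2
            rcon = _gmul(rcon, 2)
        elif nk == 8 and i % nk == 4:
            t = [SBOX[b] for b in t]              # extra SubWord, AES-256 only
        w.append([a ^ b for a, b in zip(w[i - nk], t)])
    return [bytes(b for word in w[4 * r:4 * r + 4] for b in word)
            for r in range(nr + 1)]

# Sample input: the FIPS 197 Appendix A.1 key (a public test vector).
FIPS_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
ROUND_KEYS = expand_key(FIPS_KEY)
```

Every step is invertible, so any single round key of AES-128 determines the cipher key; round keys held in memory need the same protection as the key itself.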

AES Security: Brute Force and Known Attacks

No practical attack against full-round AES exists as of 2025. Security analysis context:

  • AES-128 brute force: 2¹²⁸ ≈ 3.4 × 10³⁸ key attempts; at 10¹⁸ attempts/second (current supercomputer speeds), this would take approximately 10¹³ years — trillions of times longer than the age of the universe
  • Best known attack on AES-128: biclique attack reduces complexity to 2¹²⁶·¹ — a factor of ~4 improvement, completely negligible in practice
  • Side-channel attacks: timing, power analysis, and cache timing attacks on specific AES implementations (not the algorithm) are the primary real-world threats

The practical security of AES depends on implementation quality, key management, and mode of operation. The RSA calculator covers public-key cryptography used alongside AES in hybrid encryption systems. The security and cryptography calculators provide educational tools for understanding modern cryptographic systems.

Modes of Operation: ECB, CBC, GCM, and Beyond

AES encrypts fixed 128-bit blocks. For messages longer than one block, a mode of operation specifies how blocks are chained:

  • ECB (Electronic Codebook): each block encrypted independently; NOT secure — identical plaintext blocks produce identical ciphertext blocks, revealing patterns
  • CBC (Cipher Block Chaining): each block XORed with the previous ciphertext before encryption; requires an IV; secure but serial (not parallelizable)
  • GCM (Galois/Counter Mode): counter mode with authentication tag; the standard for modern TLS 1.3, providing both confidentiality and integrity in one pass; fully parallelizable
  • CTR (Counter Mode): converts AES into a stream cipher; parallelizable; used in many high-performance applications
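An audit check for the ECB weakness listed above, as an added example that is not part of the original page: it counts repeated 16-byte ciphertext blocks. To stay self-contained it uses a truncated HMAC-SHA256 as a stand-in for AES block encryption (an assumption; it is deterministic and keyed like AES but not invertible), and the key, IV and plaintext are constructed sample values.

```python
import hashlib
import hmac
from collections import Counter

BLOCK = 16

def _block_fn(key: bytes, block: bytes) -> bytes:
    # Stand-in for AES block encryption (assumption, not AES): a keyed,
    # deterministic 16-byte function. One-way, so it models encryption only.
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def ecb_like(key: bytes, data: bytes) -> bytes:
    """ECB chaining: every block is processed independently."""
    return b"".join(_block_fn(key, data[i:i + BLOCK])
                    for i in range(0, len(data), BLOCK))

def cbc_like(key: bytes, iv: bytes, data: bytes) -> bytes:
    """CBC chaining: each block is XORed with the previous ciphertext block."""
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        mixed = bytes(a ^ b for a, b in zip(data[i:i + BLOCK], prev))
        prev = _block_fn(key, mixed)
        out.append(prev)
    return b"".join(out)

def repeated_blocks(ciphertext: bytes) -> int:
    """Number of 16-byte blocks that duplicate an earlier block."""
    counts = Counter(ciphertext[i:i + BLOCK]
                     for i in range(0, len(ciphertext), BLOCK))
    return sum(c - 1 for c in counts.values())

# Constructed sample data: eight identical blocks followed by two distinct ones.
KEY = bytes(range(16))
IV = bytes(16)  # fixed only so the example is reproducible; CBC needs a random IV
PLAINTEXT = b"A" * 16 * 8 + b"unique block 01!" + b"unique block 02!"

if __name__ == "__main__":
    print("ECB-style repeats:", repeated_blocks(ecb_like(KEY, PLAINTEXT)))
    print("CBC-style repeats:", repeated_blocks(cbc_like(KEY, IV, PLAINTEXT)))
```

A non-zero count on ciphertext that is supposed to be CBC, CTR or GCM output is a strong sign that ECB is in use somewhere in the pipeline.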

How It Works

The calculator determines AES structural parameters based on three inputs:

Number of Rounds:

$$R = \begin{cases} 10 & \text{if key size} = 128 \\ 12 & \text{if key size} = 192 \\ 14 & \text{if key size} = 256 \end{cases}$$

Each round applies four transformations: SubBytes (S-box substitution), ShiftRows (byte permutation), MixColumns (column mixing in GF(2⁸)), and AddRoundKey (XOR with round key). The final round omits MixColumns.

Number of Blocks:

$$B = \left\lceil \frac{\text{data\_size}}{16} \right\rceil$$

AES always operates on 16-byte (128-bit) blocks regardless of key size.

Output Size: Depends on the mode of operation:

  • ECB: output = ceil(data_size / 16) × 16 (block-aligned, no IV)
  • CBC: output = (ceil(data_size / 16) + 1) × 16 (PKCS#7 padding always adds at least 1 byte, potentially a full block)
  • GCM: output = data_size (stream cipher mode, no padding needed)

IV / Nonce:

$$\text{IV size} = \begin{cases} 0 & \text{ECB (no IV)} \\ 16 \text{ bytes} & \text{CBC} \\ 12 \text{ bytes} & \text{GCM (96-bit nonce)} \end{cases}$$

Total Ciphertext: The complete output includes the encrypted data, IV/nonce (prepended), and authentication tag (GCM only, 16 bytes appended).

Understanding Your Results

The number of rounds directly affects both security margin and performance. AES-128 with 10 rounds is approximately 40% faster than AES-256 with 14 rounds, but AES-256 provides a larger security margin against potential future attacks. For most applications, AES-256 is recommended despite the performance difference, which is negligible on modern hardware with AES-NI instruction support.

The output size is critical for storage and bandwidth planning. CBC mode with PKCS#7 padding can expand data by up to 16 bytes (one full block), while GCM mode produces output exactly equal to the input size plus a fixed 28-byte overhead (12-byte nonce + 16-byte tag). For large datasets, this difference is negligible; for small messages or constrained protocols, GCM's predictable overhead is advantageous.

Always use GCM mode for new implementations. ECB is insecure for any data with patterns (the famous ECB penguin demonstrates this visually). CBC requires careful IV management and is vulnerable to padding oracle attacks if not implemented correctly. GCM provides authenticated encryption, preventing both eavesdropping and tampering in a single operation.

Worked Examples

1 KB File with AES-256-GCM

Inputs

  • key size: 256
  • data size bytes: 1024
  • mode: 2

Results

  • num rounds: 14
  • num blocks: 64
  • output size: 1024
  • iv size: 12
  • total output: 1052

Encrypting 1 KB with AES-256-GCM requires 14 rounds per block across 64 blocks. GCM adds no padding, so the encrypted data is 1024 bytes. With the 12-byte nonce and 16-byte authentication tag, total output is 1052 bytes—only 2.7% overhead.

100 Bytes with AES-128-CBC

Inputs

  • key size: 128
  • data size bytes: 100
  • mode: 1

Results

  • num rounds: 10
  • num blocks: 7
  • output size: 112
  • iv size: 16
  • total output: 128

Encrypting 100 bytes with AES-128-CBC uses 10 rounds. PKCS#7 padding expands the data to 112 bytes (7 blocks of 16). With the 16-byte IV prepended, total output is 128 bytes—28% overhead. CBC's padding overhead is more significant for small messages.

Frequently Asked Questions

The number refers to the key size in bits. AES-128 uses a 128-bit key with 10 rounds, AES-192 uses 192 bits with 12 rounds, and AES-256 uses 256 bits with 14 rounds. All three use 128-bit (16-byte) blocks. Larger keys provide greater security margins: AES-128 offers 128-bit security, while AES-256 offers 256-bit security. AES-256 is approximately 40% slower but is recommended for sensitive data and government applications.

ECB (Electronic Codebook) encrypts each 16-byte block independently with the same key. Identical plaintext blocks produce identical ciphertext blocks, leaking structural patterns in the data. The famous 'ECB penguin' image demonstrates this: encrypting a bitmap image in ECB mode preserves the visual outline. ECB provides no semantic security and should never be used for any real application. Use GCM or, if AEAD is not available, CBC with HMAC.

GCM (Galois/Counter Mode) is an AEAD (Authenticated Encryption with Associated Data) mode that provides both confidentiality and integrity in a single operation. It combines CTR mode encryption with GHASH authentication. GCM requires a unique 96-bit nonce per encryption, produces no padding overhead, and appends a 16-byte authentication tag that detects any tampering. It is the default cipher suite in TLS 1.3 and is recommended by NIST, NSA, and IETF.

The 16-byte (128-bit) authentication tag is a cryptographic checksum computed over both the ciphertext and any additional authenticated data (AAD) using the GHASH function. During decryption, the tag is recomputed and compared—if they don't match, the ciphertext has been tampered with and decryption is rejected. This prevents forgery, truncation, and bit-flipping attacks that plague unauthenticated modes like ECB and CBC.

PKCS#7 padding fills the last block to exactly 16 bytes by appending N bytes, each with value N. If the data is already block-aligned, a full 16-byte padding block is added (all bytes = 0x10). For example, if 3 bytes of padding are needed, the bytes 0x03 0x03 0x03 are appended. This ensures unambiguous padding removal during decryption. GCM mode does not require padding because it uses counter mode (stream cipher).
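PKCS#7 padding as just described, together with the size figures from the Worked Examples, as an added example (not the calculator's own code). The padded length is computed by actually padding, which reproduces the 112-byte and 128-byte figures for 100 bytes under CBC; the function names and the 'CBC'/'GCM' mode strings are this example's assumptions.

```python
BLOCK = 16                              # AES block size in bytes
ROUNDS = {128: 10, 192: 12, 256: 14}    # key size in bits -> rounds

def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK       # 1..16: aligned input gets a full block
    return data + bytes([n]) * n

def pkcs7_unpad(padded: bytes) -> bytes:
    # In a CBC decryptor, verify the MAC before calling this, so that a padding
    # failure is never observable to whoever supplied the ciphertext.
    if not padded or len(padded) % BLOCK:
        raise ValueError("length must be a positive multiple of 16")
    n = padded[-1]
    if not 1 <= n <= BLOCK or padded[-n:] != bytes([n]) * n:
        raise ValueError("invalid PKCS#7 padding")
    return padded[:-n]

def aes_sizes(key_bits: int, data_size: int, mode: str) -> dict:
    """Size figures in the shape of the worked examples; mode is 'CBC' or 'GCM'."""
    if key_bits not in ROUNDS:
        raise ValueError("key size must be 128, 192 or 256 bits")
    if mode == "CBC":
        body, iv, tag = len(pkcs7_pad(bytes(data_size))), 16, 0
    elif mode == "GCM":
        body, iv, tag = data_size, 12, 16   # counter mode: no padding
    else:
        raise ValueError("mode must be 'CBC' or 'GCM'")
    return {
        "num_rounds": ROUNDS[key_bits],
        "num_blocks": -(-body // BLOCK),    # ceiling division
        "output_size": body,
        "iv_size": iv,
        "total_output": iv + body + tag,
    }

if __name__ == "__main__":
    print(aes_sizes(256, 1024, "GCM"))
    print(aes_sizes(128, 100, "CBC"))
```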

Modern CPUs with AES-NI hardware instructions (Intel since 2010, AMD since 2011) can encrypt at 2-8 GB/s per core. Without hardware acceleration, software AES achieves 100-500 MB/s. AES-128 is about 40% faster than AES-256 due to fewer rounds. GCM mode adds minimal overhead compared to raw CTR mode because GHASH is highly parallelizable and also has hardware acceleration (PCLMULQDQ instruction).

AES-NI (AES New Instructions) is a set of CPU instructions that perform AES encryption rounds directly in hardware. Intel introduced AES-NI in 2010 with the Westmere architecture, and AMD followed in 2011. These instructions execute a full AES round in a single clock cycle, providing 3-10x speedup over software implementations while also eliminating timing side-channel vulnerabilities. Virtually all modern x86 and ARM (ARMv8 Cryptography Extensions) processors support hardware AES.

For current threats, AES-128 provides ample security—no practical attack is anywhere close to breaking it. However, AES-256 is recommended for several reasons: it provides defense-in-depth against potential future cryptanalytic advances, it offers 128-bit security against Grover's quantum algorithm (vs. 64-bit for AES-128), and the performance difference is negligible on hardware with AES-NI. Organizations like NIST and NSA recommend AES-256 for long-term sensitive data.

The Initialization Vector (CBC) or nonce (GCM) ensures that encrypting the same plaintext with the same key produces different ciphertext each time. In CBC, the 16-byte IV must be random and unpredictable. In GCM, the 12-byte nonce must be unique (never reused with the same key)—nonce reuse in GCM is catastrophic, allowing complete key recovery via the 'forbidden attack'. Use a counter or random value to ensure uniqueness.

TLS (Transport Layer Security) uses AES as its primary symmetric cipher. In TLS 1.3, the mandatory cipher suites are TLS_AES_256_GCM_SHA384 and TLS_AES_128_GCM_SHA256. During the TLS handshake, client and server use asymmetric cryptography (ECDHE) to establish a shared secret, which is then used to derive AES session keys. All subsequent data is encrypted with AES-GCM, providing both confidentiality and integrity for every HTTPS connection.
