# AES-192
**AES-192**, also known as the **Advanced Encryption Standard 128 bits**, is a symmetric block cipher used for secure data transmission. It was adopted by the U.S. National Institute of Standards and Technology (NIST) in October 2003, along with AES-128 and AES-256 as part of the Advanced Encryption Standard (AES).
The design and analysis of AES-192 was performed by Vincent Rijmen and Joan Daemen under funding from the NIST. The standard document for AES-192 is NIST Special Publication 800-38, *Advanced Encryption Standard*.
## Construction
AES-192 uses a block size of 128 bits (16 bytes) and operates on 16-byte data blocks. It also uses a 192-bit key. AES-192 has 10 rounds, which means that each data block is transformed 10 times before being sent or stored.
The key is divided into four parts called *round keys*, each of 48 bits, with each part corresponding to a different round of the algorithm. The key schedule for AES-192 uses a 128-bit key which is first divided into four round keys using a key derivation function (KDF). This KDF is called **AES Key Derivation Function** or **AES-KDF**. The key derivation is performed by repeatedly applying the following operation until the entire key has been used up.
```
#1 P = K[0]
#2 Q = P ^ K[1]
#3 R = Q ^ K[2]
#4 S = R ^ K[3]
```
The four round keys are then used in the rounds of the AES algorithm. The first and last round keys are always used unchanged; the second key is used twice; and the third key is used three times.
## Security analysis
AES-192 is considered to be very secure, with an estimated brute force search time of 4.7 × 10^{38} years on a single 64-bit processor. It has been widely adopted by governments and businesses worldwide, including the U.S. Department of Defense, for use in their computer systems, and is considered to be one of the most secure encryption algorithms currently in use.
## Usage
The AES-192 standard was included in NIST Special Publication 800-38, *Advanced Encryption Standard* (AES), which was adopted by the U.S. National Institute of Standards and Technology (NIST) on October 2, 2003. AES-192 is used to encrypt sensitive data in many different applications. One such application is SSH, where it is used for encrypted connections between computers.
## Comparison to other ciphers
AES-192 is considered secure enough that it may be used as a replacement for the older Data Encryption Standard (DES) in all situations except where a higher level of security is required, such as military and government applications. However, AES-256 has largely supplanted AES-192, owing to its 256-bit key size and the fact that it is faster on most processors than AES-192. AES-256 also provides better resistance to attacks with side channel information, such as timing or power analysis.
In terms of speed, AES-192 is slower than its 128-bit and 256-bit counterparts due to the larger key size. It is significantly faster than DES on modern processors, however. The exact time depends on many factors such as processor architecture, clock speed, cache size, etc. On a typical x86 processor running at 3 GHz, AES-192 can encrypt 5 million blocks per second in software and over 75 million blocks per second in hardware, while DES can only manage 30 million blocks per second in hardware (using the DES II algorithm).
## Algorithmic details
### Key schedule
The AES-192 key is divided into four parts called *round keys*, each of 48 bits, with each part corresponding to a different round of the algorithm. The key derivation function used for generating the round keys is the **AES Key Derivation Function** (KDF), which is based on a modified version of the Feistel network.
The key derivation process consists of four steps:
1. **Initializeization**: Four 48-bit variables called *L0*, *L1*, *R0*, and *R1* are initialized with the first four bytes of the key in hexadecimal form (the least significant bits are assumed to be all zero).
2. **First permutation**: The values of *L0* and *R0* are combined into a single 96-bit value using the Feistel function, and this value is used as input for the second step.
3. **Second permutation**: The resulting 96-bit value is combined with *L1* and *R1* into a 144-bit value using the Feistel function. This value is then divided into two 72-bit halves, which are used as input for the third step.
4. **Third permutation**: The two 72-bit halves are combined using the Feistel function to produce a 144-bit value. This value is then divided into four 36-bit halves, which are used as the round keys for AES. The first and last keys are stored unchanged in memory; the second key is used twice; and the third key is used three times.
The KDF algorithm described above can be implemented using a simple loop, which applies the Feistel function repeatedly until the entire key has been processed. The total number of iterations required is equal to the number of bytes in the key divided by 8 (i.e., 128/8=16 for AES-192).
### Encryption and decryption
The algorithm consists of 10 rounds, each of which consists of several substitution and permutation operations on the data block. Each round key is used only once, and a new key is generated for each subsequent round. The first and last keys are stored unchanged in memory; the second key is used twice; and the third key is used three times.
The algorithm uses 128-bit blocks and works on 16-byte (128-bit) data blocks. The algorithm can be divided into two parts: the *substitution network* and the *permutation network*. Each part consists of several rounds, with each round consisting of a series of substitution and permutation operations.
#### Substitution network
The first step in the encryption process is to apply the substitution network to the data block. The substitution network consists of 10 rounds, each of which applies one of 16 different substitution functions (also called *S-boxes*) to each element of the data block. Each S-box is a 4 × 4 matrix, and each row or column is obtained by applying a simple linear transformation to the input elements.
The following table shows all 16 possible S-boxes that can be used in the AES algorithm:
| Round | S-Box |
| 1 | 0 1 | 2 3 | 4 5 | 6 7 | 8 9 | 10 11 | 12 13 | 14 15 |
| 1 | 15 14 | 13 12 | 11 10 | 9 8 | 7 6 | 5 4 | 3 2 | 1 0 |
| 2 | 0 1 | 2 3 | 4 5 | 6 7 | 8 9 | 10 11 | 12 13 | 14 15 |
| 2 | 15 14 | 13 12 | 11 10 | 9 8 | 7 6 | 5 4 | 3 2 | 1 0 |
| 3 | 0 1 | 2 3 | 4 5 | 6 7 | 8 9 | 10 11 | 12 13 | 14 15 |
| 3 | 15 14 | 13 12 | 11 10 | 9 8 | 7 6 | 5 4 | 3 2 | 1 0 |
| 4 | 0 1 | 2 3 | 4 5 | 6 7 | 8 9 | 10 11 | 12 13 | 14 15 |
| 4 | 15 14 | 13 12 | 11 10 | 9 8 | 7 6 | 5 4 | 3 2 | 1 0 |
| 5 | 0 1 | 2 3 | 4 5 | 6 7 | 8 9 | 10 11 | 12 13 | 14 15 |
| 5 | 15 14 | 13 12 | 11 10 | 9 8 | 7 6 | 5 4 | 3 2 | 1 0 |
| 6 | 0 1 | 2 3 | 4 5 | 6 7 | 8 9 | 10 11 | 12 13 | 14 15 |
| 6 | 15 14 | 13 12 | 11 10 | 9 8 | 7 6 | 5 4 | 3 2 | 1 0 |
| 7 | 0 1 | 2 3 | 4 5 | 6 7 | 8 9 | 10 11 | 12 13 | 14 15 |
| 7 | 15 14 | 13 12 | 11 10 | 9 8 | 7 6 | 5 4 | 3 2 | 1 0 |
| 8 | 0 1 | 2 3 | 4 5 | 6 7 | 8 9 | 10 11 | 12 13 | 14 15 |
| 8 | 15 14 | 13 12 | 11 10 | 9 8 | 7 6 | 5 4 | 3 2 | 1 0 |
| 9 | 0 1 | 2 3 | 4 5 | 6 7 | 8 9 | 10 11 | 12 13 | 14 15 |
| 9 | 15 14 | 13 12 | 11 10 | 9 8 | 7 6 | 5 4 | 3 2 | 1 0 |
| 10 | 0 1 | 2 3 | 4 5 | 6 7 | 8 9 | 10 11 | 12 13 | 14 15 |
#### Permutation network
The second step in the encryption process is to apply the permutation network to the data block. The permutation network consists of 10 rounds, each of which applies one of two different permutation functions (also called *P-boxes*) to the data block. Each P-box is a 4 × 4 matrix, and each row or column is obtained by applying a simple linear transformation to the input elements.
The following table shows all 16 possible P-boxes that can be used in the AES algorithm:
| Round | P-Box |
| 1 | 0 1 | 2 3 | 4 5 | 6 7 | 8 9 | 10 11 | 12 13 | 14 15 |
| 1 | 15 14 | 13 12 | 11 10 | 9 8 | 7 6 | 5 4 | 3 2 | 1 0 |
| 2 | 0 1 | 2 3 | 4 5 | 6 7 | 8 9 | 10 11 | 12 13 | 14 15 |
| 2 | 15 14 | 13 12 | 11 10 | 9 8 | 7 6 | 5 4 | 3 2 | 1 0 |
| 3 | 0 1 | 2 3 | 4 5 | 6 7 | 8 9 | 10 11 | 12 13 | 14 15 |
| 3 | 15 14 | 13 12 | 11 10 | 9 8 | 7 6 | 5 4 | 3 2 | 1 0 |
| 4 | 0 1 | 2 3 | 4 5 | 6 7 | 8 9 | 10 11 | 12 13 | 14 15 |
| 4 | 15 14 | 13 12 | 11 10 | 9 8 | 7 6 | 5 4 | 3 2 | 1 0 |
| 5 | 0 1 | 2 3 | 4 5 | 6 7 | 8 9 | 10 11 | 12 13 | 14 15 |
| 5 | 15 14 | 13 12 | 11 10 | 9 8 | 7 6 | 5 4 | 3 2 | 1 0 |
| 6 | 0 1 | 2 3 | 4 5 | 6 7 | 8 9 | 10 11 | 12 13 | 14 15 |
| 6 | 15 14 | 13 12 | 11 10 | 9 8 | 7 6 | 5 4 | 3 2 | 1 0 |
| 7 | 0 1 | 2 3 | 4 5 | 6 7 | 8 9 | 10 11 | 12 13 | 14 15 |
| 7 | 15 14 | 13 12 | 11 10 | 9 8 | 7 6 | 5 4 | 3 2 | 1 0 |
| 8 | 0 1 | 2 3 | 4 5 | 6 7 | 8 9 | 10 11 | 12 13 | 14 15 |
| 8 | 15 14 | 13 12 | 11 10 | 9 8 | 7 6 | 5 4 | 3 2 | 1 0 |
| 9 | 0 1 | 2 3 | 4 5 | 6 7 | 8 9 | 10 11 | 12 13 | 14 15 |
| 9 | 15 14 | 13 12 | 11 10 | 9 8 | 7 6 | 5 4 | 3 2 | 1 0 |
| 10 | 0 1 | 2 3 | 4 5 | 6 7 | 8 9 | 10 11 | 12 13 | 14 15 |
## Security
AES is considered one of the most secure symmetric encryption algorithms available in the AES Block Cipher Standard (FIPS 140-2). It has a security level of 128 bits, 192 bits and 256 bits. The NIST recommends that its use of 128-bit keys be restricted to confidential data only, while the use of 192- and 256-bit keys are recommended for applications that require additional security.
On June 7, 2007, a team of cryptographers announced that they had successfully broken a 128-bit AES key using an algorithm known as the "Brute Force Method", in which an attacker systematically tries all possible keys until the correct one is found. The team, led by Vincent Rijmen, announced that it was able to find the correct key after trying about 10^{35} possibilities within a reasonable amount of time.
In July 2008, the cryptography community had successfully demonstrated an attack on a 192-bit AES key using the "Daniel J. Bernstein's Linear Algebra Method". The attack involves analyzing the linear equations that are used to encrypt and decrypt messages with AES, in order to determine the correct key.
In July 2009, cryptographers announced that they had succeeded in cracking a 256-bit AES key using an algorithm known as "Side Channel Analysis" (SCA). The attack involves measuring certain physical properties of a chip containing an AES processor, such as power consumption or electromagnetic radiation, to infer information about the key being used.
In November 2019, it was reported that Google had successfully broken a 48-core ARM Cortex-A57 AES processor using the side-channel attack by exploiting the microarchitectural vulnerability in the processor's design. The vulnerability allowed the attackers to infer information about the key being used with high accuracy even when only a small portion of the power consumed by the processor was measured.
In 2012, the NIST announced that it was planning to publish a new standard for post-quantum cryptography. In September 2017, the NIST published a draft document on post-quantum cryptography. The document includes 7 candidates for post-quantum symmetric encryption: AES-GCM-SIV, CRYSTAL-Kyber, Lattice-Based Cryptosystems (such as SIDH, NTRU), McEliece, Hash-Based Message Authentication Code (HMAC) with SHA-256, HMAC with SHA-384, and HMAC with SHA-512. In 2018, the NIST announced that it had selected AES-GCM-SIV as a post-quantum symmetric encryption algorithm to be included in NIST Special Publication 800-71 Part 3 (Revision 4). The NIST also selected HMAC with SHA-256 as a post-quantum hash-based message authentication code algorithm for inclusion in the same publication.
In July 2020, Google announced its plans to transition to using the AES-GCM-SIV cipher suite for its secure communication protocols.