AES
Category: cryptography
Full Name: Advanced Encryption Standard
Definition
The Advanced Encryption Standard (AES) is a symmetric block cipher algorithm that encrypts and decrypts data in fixed-size blocks of 128 bits using cryptographic keys of 128, 192, or 256 bits. Originally published by NIST as FIPS 197 in 2001, AES replaced the older Data Encryption Standard (DES) and has become the most widely used encryption algorithm worldwide. In the EUDI Wallet ecosystem, AES-256 is the standard choice for protecting credential data at rest on devices and securing data in transit between wallet components.
How AES Encryption Works
AES is a symmetric encryption algorithm, meaning the same key is used for both encryption and decryption. This contrasts with asymmetric algorithms like RSA or ECC, which use separate public and private keys. The symmetric nature of AES makes it extremely fast, which is critical for mobile devices where EUDI Wallets operate with limited processing power and battery life.
The algorithm operates on 128-bit blocks of data through multiple rounds of substitution, permutation, mixing, and key addition operations; the block size is the same for every key length. AES-128 performs 10 rounds, AES-192 performs 12 rounds, and AES-256 performs 14 rounds. The extra rounds that come with longer keys widen the security margin against cryptanalysis at a modest cost in speed for legitimate users.
AES is typically used in combination with a mode of operation such as GCM (Galois/Counter Mode), an authenticated encryption mode that provides both confidentiality and authenticity. AES-256-GCM is the recommended configuration for EUDI Wallet implementations, as it ensures that any tampering with the encrypted data is detected on decryption rather than yielding silently corrupted plaintext.
AES in the EUDI Wallet Security Architecture
Within the EUDI Wallet, AES serves multiple critical security functions. First, it encrypts credential data stored in the device's secure storage area. When a user receives a digital driving license or national ID credential, the wallet encrypts this data with AES-256 before writing it to the secure element or encrypted storage partition. This protects credentials even if the device is physically compromised.
Second, AES protects credential backup data. When EUDI Wallet credentials are backed up to cloud storage for recovery purposes, the data is encrypted with AES-256 using a key derived from the user's authentication factors. This ensures that cloud storage providers cannot access the credential contents, maintaining the privacy-by-design principle of the eIDAS 2.0 framework.
Third, AES is used in TLS (Transport Layer Security) connections that protect communication between the wallet app and backend services such as credential issuers and status registries. The TLS handshake negotiates AES-256-GCM as the bulk encryption cipher for these connections, ensuring end-to-end protection of credential data during issuance and verification flows.
AES Key Management Considerations
The security of AES encryption depends entirely on proper key management. EUDI Wallet implementations generate AES keys within the device's secure element or Trusted Execution Environment (TEE), ensuring keys never exist in plaintext in the device's main memory. Key derivation functions like HKDF (HMAC-based Key Derivation Function) are used to derive separate AES keys for different purposes, preventing key reuse across contexts.
For backup encryption, the AES key is typically derived from a combination of the user's biometric data hash and a device-specific secret, ensuring that backup data can only be decrypted on the original device or through a controlled recovery process. This approach balances security with usability, allowing credential recovery without creating a single point of failure.
The European Union Agency for Cybersecurity (ENISA) recommends AES-256 for long-term data protection, particularly for identity credentials that may remain valid for years. This recommendation aligns with the EUDI Wallet Architecture Reference Framework, which mandates AES-256 as the minimum encryption standard for credential storage.
AES vs. Other Encryption Algorithms
While AES handles symmetric encryption (data protection), EUDI Wallets also use asymmetric algorithms like ECDSA for digital signatures and key exchange. These algorithms serve complementary roles: AES encrypts the bulk data efficiently, while ECC-based algorithms handle authentication and key agreement. This hybrid approach combines the speed of symmetric encryption with the flexibility of public key cryptography.
Compared to other symmetric algorithms like ChaCha20, AES has the advantage of hardware acceleration on virtually all modern smartphone processors through dedicated AES instructions (AES-NI, the AES New Instructions, on x86 processors and the ARMv8 Cryptography Extensions on the ARM cores used in phones). This hardware support makes AES-256 encryption and decryption on mobile devices fast enough that it provides strong security without noticeable performance impact on EUDI Wallet operations.