Jean-Philippe Aumasson

“The most common failure seen with stream ciphers is an amateur mistake: it occurs when a nonce is reused more than once with the same key. This produces identical keystreams, allowing you to break the encryption by XORing two ciphertexts together. The keystream then vanishes, and you’re left with the XOR of the two plaintexts.

For example, older versions of Microsoft Word and Excel used a unique nonce for each document, but the nonce wasn’t changed once the document was modified. As a result, the clear and encrypted text of an older version of a document could be used to decrypt later encrypted versions.”
― Jean-Philippe Aumasson, Serious Cryptography: A Practical Introduction to Modern Encryption

“Each operation contributes to AES’s security in a specific way:
* Without KeyExpansion, all rounds would use the same key, K, and AES would be vulnerable to slide attacks.
* Without AddRoundKey, encryption wouldn’t depend on the key; hence, anyone could decrypt any ciphertext without the key.
* SubBytes brings nonlinear operations, which add cryptographic strength. Without it, AES would just be a large system of linear equations that is solvable using high-school algebra.
* Without ShiftRows, changes in a given column would never affect the other columns, meaning you could break AES by building four 232 element codebooks for each column. (Remember that in a secure block cipher, flipping a bit in the input should affect all the output bits.)
* Without MixColumns, changes in a byte would not affect any other bytes of the state. A chosen-plaintext attacker could then decrypt any ciphertext after storing 16 lookup tables of 256 bytes each that hold the encrypted values of each possible value of a byte.”
― Jean-Philippe Aumasson, Serious Cryptography: A Practical Introduction to Modern Encryption