I just published a post on Medium meant for a more general audience on what happens if you take any 128-bit string, encrypt it with AES using a fixed key, then take the output and encrypt it again, ad infinitum. Here I’ll explain the answer in more formally.

In particular, let \(S\) be the set of all 128-bit strings. For example, the ASCII string THIS IS A TEST!! is in \(S\). Let \(K\) be an AES keyspace (of 128-, 192-, or 256-bit). Then AES is a function \[ f : S \times K \to S, \] or if we fix \(k \in K\), a bijective function, \[ f_k : S \to S. \]

We claim that for any \(x \in S\), the sequence \[ x, f_k(x), f_k^2(x), \ldots \] must form a cycle. Consider the set \[ V = { x, f_k(x), f_k^2(x), \ldots }. \] For all \(v = f_k^n(x) \in V\) with \(n \in \mathbf{N}\) we have \(v \in S\), which implies \(V \subseteq S\) and \(\lvert V\rvert \le \lvert S\rvert\). Since the cardinality is bounded, some of the elements will be repeated and the sequence forms a cycle.

If the sequence \(x, f_k(x), f_k^2(x), \ldots\) forms a cycle, then there exists \(0 \le m \le n \le \lvert S\rvert - 1\) such that \(f_k^m(x) = f_k(f_k^n(x)) = f_k^{n+1}(x)\), that is \(f_k^n(x)\) links to an earlier or the same element in the sequence \(f_k^m(x)\). We claim that \(m = 0\). Since \(f_k\) is a bijection over \(S\), the inverse \(f_k^{-1}(y)\) exists for all \(y \in S\). Since \(f_k^{n+1}(x) = f_k^m(x)\) we must have \[ f_k^{-1}(f_k^m(x)) = f_k^n(x) = f_k^{m-1}(x) \in V. \] if \(m > 0\), then \(f_k^n(x) \ne f_k^{m-1}(x)\) as they are distinct elements in the set \(V\), contradicting the above. This forces \(m = 0\), giving rise to \[ f_k^n(x) = f_k^{-1}(x) \] or \[ x = f_k^{n+1}(x) = f_k(f_k^n(x)) \] as required. In other words, the sequence must go back to the original input \(x\).