I just published a post on Medium meant for a more general audience on what happens if you take any 128-bit string, encrypt it with AES using a fixed key, then take the output and encrypt it again, ad infinitum. Here I’ll explain the answer in more formally.

In particular, let $S$ be the set of all 128-bit strings. For example, the ASCII string THIS IS A TEST!! is in $S$. Let $K$ be an AES keyspace (of 128-, 192-, or 256-bit). Then AES is a function $$f : S \times K \to S,$$ or if we fix $k \in K$, a bijective function, $$f_k : S \to S.$$

We claim that for any $x \in S$, the sequence $$x, f_k(x), f_k^2(x), \ldots$$ must form a cycle. Consider the set $$V = \{ x, f_k(x), f_k^2(x), \ldots \}.$$ For all $v = f_k^n(x) \in V$ with $n \in \mathbf{N}$ we have $v \in S$, which implies $V \subseteq S$ and $\lvert V\rvert \le \lvert S\rvert$. Since the cardinality is bounded, some of the elements will be repeated and the sequence forms a cycle.

If the sequence $x, f_k(x), f_k^2(x), \ldots$ forms a cycle, then there exists $0 \le m \le n \le \lvert S\rvert - 1$ such that $f_k^m(x) = f_k(f_k^n(x)) = f_k^{n+1}(x)$, that is $f_k^n(x)$ links to an earlier or the same element in the sequence $f_k^m(x)$. We claim that $m = 0$. Since $f_k$ is a bijection over $S$, the inverse $f_k^{-1}(y)$ exists for all $y \in S$. Since $f_k^{n+1}(x) = f_k^m(x)$ we must have $$f_k^{-1}(f_k^m(x)) = f_k^n(x) = f_k^{m-1}(x) \in V.$$ if $m > 0$, then $f_k^n(x) \ne f_k^{m-1}(x)$ as they are distinct elements in the set $V$, contradicting the above. This forces $m = 0$, giving rise to $$f_k^n(x) = f_k^{-1}(x)$$ or $$x = f_k^{n+1}(x) = f_k(f_k^n(x))$$ as required. In other words, the sequence must go back to the original input $x$.