The Advanced Encryption Standard uses a key schedule to expand a short key into a number of separate round keys. The three AES variants have a different number of rounds. Each variant requires a separate 128-bit round key for each round plus one more. The key schedule produces the needed round keys from the initial key.

Round constants

{| class="wikitable floatright"
|+ Values of <math>rc_i</math> in hexadecimal
|- style="text-align:right;"
! <math>i</math>
| 1 || 2 || 3 || 4 || 5 || 6 || 7 || 8 || 9 || 10
|- style="text-align:right;"
! <math>rc_i</math>
| 01 || 02 || 04 || 08 || 10 || 20 || 40 || 80 || 1B || 36
|}

The round constant <math>rcon_i</math> for round <math>i</math> of the key expansion is the 32-bit word:

:<math>rcon_i = \begin{bmatrix} rc_i & 00_{16} & 00_{16} & 00_{16} \end{bmatrix}</math>

where <math>rc_i</math> is an eight-bit value defined as:

:<math>rc_i =
\begin{cases}
1 & \text{if } i = 1 \\
2 \cdot rc_{i-1} & \text{if } i > 1 \text{ and } rc_{i-1} < 80_{16} \\
(((2 \cdot rc_{i-1}) \oplus \text{11B}_{16}) \text{ mod } \text{100}_{16}) & \text{if } i > 1 \text{ and } rc_{i-1} \ge 80_{16}
\end{cases}
</math>

where <math>\oplus</math> is the bitwise XOR operator and constants such as and are given in hexadecimal. Equivalently:

:<math>rc_i = x^{i-1}</math>

where the bits of <math>rc_i</math> are treated as the coefficients of an element of the finite field <math>\rm{GF}(2)[x]/(x^8 + x^4 + x^3 + x + 1)</math>, so that e.g. <math>rc_{10} = 36_{16} = 00110110_2</math> represents the polynomial <math>x^5 + x^4 + x^2 + x</math>.

AES uses up to for AES-128 (as 11 round keys are needed), up to for AES-192, and up to for AES-256.

The key schedule

Figure: AES key schedule for a 128-bit key.

Define:

  • <math>N</math> as the length of the key in 32-bit words: 4 words for AES-128, 6 words for AES-192, and 8 words for AES-256
  • <math>K_0</math>, <math>K_1</math>, ... <math>K_{N-1}</math> as the 32-bit words of the original key
  • <math>R</math> as the number of round keys needed: 11 round keys for AES-128, 13 keys for AES-192, and 15 keys for AES-256
  • <math>W_0</math>, <math>W_1</math>, ... <math>W_{4R-1}</math> as the 32-bit words of the expanded key

Also define <math>\operatorname{RotWord}</math> as a one-byte left circular shift:

:<math>\operatorname{RotWord}(\begin{bmatrix} b_0 & b_1 & b_2 & b_3 \end{bmatrix}) = \begin{bmatrix} b_1 & b_2 & b_3 & b_0 \end{bmatrix}</math>

and <math>\operatorname{SubWord}</math> as an application of the AES S-box to each of the four bytes of the word:

:<math>\operatorname{SubWord}(\begin{bmatrix} b_0 & b_1 & b_2 & b_3 \end{bmatrix}) = \begin{bmatrix} \operatorname{S}(b_0) & \operatorname{S}(b_1) & \operatorname{S}(b_2) & \operatorname{S}(b_3) \end{bmatrix}</math>

Then for <math>i = 0 \ldots 4R-1</math>:

:<math>W_i =
\begin{cases}
K_i & \text{if } i < N \\
W_{i-N} \oplus \operatorname{SubWord}(\operatorname{RotWord}(W_{i-1})) \oplus rcon_{i/N} & \text{if } i \ge N \text{ and } i \equiv 0 \pmod{N} \\
W_{i-N} \oplus \operatorname{SubWord}(W_{i-1}) & \text{if } i \ge N \text{, } N > 6 \text{, and } i \equiv 4 \pmod{N} \\
W_{i-N} \oplus W_{i-1} & \text{otherwise.}
\end{cases}
</math>
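The definitions above can be carried through directly in code. The following Python sketch is an added example, not part of the original article or of any AES library: it derives the round constants from the recurrence, builds the S-box from its standard definition (field inverse followed by the affine transform, which the article does not spell out), and expands a 16-, 24- or 32-byte key into the words <math>W_0 \ldots W_{4R-1}</math>. All function and variable names are this example's own.

```python
# Added example; all function and variable names are this example's own.
def xtime(b):  # multiply by x modulo x^8+x^4+x^3+x+1 (the rc_i recurrence)
    b <<= 1
    return (b ^ 0x11B) & 0xFF if b & 0x100 else b

def gf_mul(a, b):  # shift-and-add product of two field elements
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r

def build_sbox():  # S(b): affine transform of the inverse of b (0 -> 0)
    sbox = []
    for b in range(256):
        inv = next((c for c in range(1, 256) if gf_mul(b, c) == 1), 0)
        s = inv ^ 0x63
        for k in range(1, 5):  # XOR in inv rotated left by 1..4 bits
            s ^= ((inv << k) | (inv >> (8 - k))) & 0xFF
        sbox.append(s)
    return sbox

SBOX = build_sbox()
RC = [1]                       # rc_1 .. rc_10, stored at indices 0 .. 9
for _ in range(9):
    RC.append(xtime(RC[-1]))

def sub_word(w):
    return bytes(SBOX[b] for b in w)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def expand_key(key):
    """Return W_0 .. W_{4R-1} as a list of 4-byte words."""
    round_keys = {16: 11, 24: 13, 32: 15}    # key length in bytes -> R
    if len(key) not in round_keys:
        raise ValueError("AES keys are 16, 24 or 32 bytes")
    n, r = len(key) // 4, round_keys[len(key)]
    w = [key[4 * i:4 * i + 4] for i in range(n)]     # W_i = K_i for i < N
    for i in range(n, 4 * r):
        t = w[i - 1]
        if i % n == 0:                       # RotWord, SubWord, then rcon
            t = xor(sub_word(t[1:] + t[:1]), bytes([RC[i // n - 1], 0, 0, 0]))
        elif n > 6 and i % n == 4:           # extra SubWord, AES-256 only
            t = sub_word(t)
        w.append(xor(w[i - n], t))
    return w
```

Round key <math>j</math> is the concatenation of words <math>W_{4j} \ldots W_{4j+3}</math>. The table lookups here are not constant-time, so this form suits study and test-vector checking rather than production use.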
