AES key schedule

AES uses a key schedule to expand a short key into a number of separate round keys. The three AES variants have a different number of rounds. Each variant requires a separate 128-bit round key for each round plus one more.^{[note 1]} The key schedule produces the needed round keys from the initial key.

Round constants

Values of Template:Mvar in hexadecimal

Template:Mvar	1	2	3	4	5	6	7	8	9	10
Template:Mvar	01	02	04	08	10	20	40	80	1B	36

The round constant Template:Mvar for round Template:Mvar of the key expansion is the 32-bit word:

${\displaystyle rcon_{i}={\begin{bmatrix}rc_{i}&00_{16}&00_{16}&00_{16}\end{bmatrix}}}$

where Template:Mvar is an eight-bit value defined as:

${\displaystyle rc_{i}={\begin{cases}1&{\text{if }}i=1\\2\cdot rc_{i-1}&{\text{if }}i>1{\text{ and }}rc_{i-1}<80_{16}\\(2\cdot rc_{i-1})\oplus {\text{1B}}_{16}&{\text{if }}i>1{\text{ and }}rc_{i-1}\geq 80_{16}\end{cases}}}$

where ${\displaystyle \oplus }$ is the bitwise XOR operator and constants such as Template:Math and Template:Math are given in hexadecimal. Equivalently:

${\displaystyle rc_{i}=x^{i-1}}$

where the bits of Template:Mvar are treated as the coefficients of an element of the finite field ${\displaystyle {\rm {{GF}(2)[x]/(x^{8}+x^{4}+x^{3}+x+1)}}}$, so that e.g. ${\displaystyle rc_{10}=36_{16}=00110110_{2}}$ represents the polynomial ${\displaystyle x^{5}+x^{4}+x^{2}+x}$.

AES uses up to Template:Math for AES-128 (as 11 round keys are needed), up to Template:Math for AES-192, and up to Template:Math for AES-256.^{[note 2]}

The key schedule

Define:

• Template:Mvar as the length of the key in 32-bit words: 4 words for AES-128, 6 words for AES-192, and 8 words for AES-256
• Template:Math, Template:Math, ... Template:Math as the 32-bit words of the original key
• Template:Mvar as the number of round keys needed: 11 round keys for AES-128, 13 keys for AES-192, and 15 keys for AES-256^{[note 3]}
• Template:Math, Template:Math, ... Template:Math as the 32-bit words of the expanded key^{[note 4]}

Also define Template:Math as a one-byte left circular shift:

${\displaystyle \operatorname {RotWord} ({\begin{bmatrix}b_{0}&b_{1}&b_{2}&b_{3}\end{bmatrix}})={\begin{bmatrix}b_{1}&b_{2}&b_{3}&b_{0}\end{bmatrix}}}$

and Template:Math as an application of the AES S-box to each of the four bytes of the word:

${\displaystyle \operatorname {SubWord} ({\begin{bmatrix}b_{0}&b_{1}&b_{2}&b_{3}\end{bmatrix}})={\begin{bmatrix}\operatorname {S} (b_{0})&\operatorname {S} (b_{1})&\operatorname {S} (b_{2})&\operatorname {S} (b_{3})\end{bmatrix}}}$

Then for ${\displaystyle i=0\ldots 4R-1}$:

${\displaystyle W_{i}={\begin{cases}K_{i}&{\text{if }}i<N\\W_{i-N}\oplus \operatorname {SubWord} (\operatorname {RotWord} (W_{i-1}))\oplus rcon_{i/N}&{\text{if }}i\geq N{\text{ and }}i\equiv 0{\pmod {N}}\\W_{i-N}\oplus \operatorname {SubWord} (W_{i-1})&{\text{if }}i\geq N{\text{, }}N>6{\text{, and }}i\equiv 4{\pmod {N}}\\W_{i-N}\oplus W_{i-1}&{\text{otherwise.}}\\\end{cases}}}$

Notes

Template:Reflist

References

• FIPS PUB 197: the official AES standard (PDF file)

External links

• Description of Rijndael's key schedule
• schematic view of the key schedule for 128 and 256 bit keys for 160-bit keys on Cryptography Stack Exchange

Cite error: <ref> tags exist for a group named "note", but no corresponding <references group="note"/> tag was found