AES key schedule

Template:Short description The Advanced Encryption Standard uses a key schedule to expand a short key into a number of separate round keys. The three AES variants have a different number of rounds. Each variant requires a separate 128-bit round key for each round plus one more.^{[note 1]} The key schedule produces the needed round keys from the initial key.

Values of Template:Mvar in hexadecimal

Template:Mvar	1	2	3	4	5	6	7	8	9	10
Template:Mvar	01	02	04	08	10	20	40	80	1B	36

The round constant Template:Mvar for round Template:Mvar of the key expansion is the 32-bit word:Template:Refn

${\displaystyle rco{n}_i=\left[\begin{array}{cccc}r{c}_i& 00_{16}& 00_{16}& 00_{16}\end{array}\right]}$

where Template:Mvar is an eight-bit value defined as :

${\displaystyle r{c}_i=\{\begin{array}{cc}1& \text{if }i=1\\ 2\cdot r{c}_{i-1}& \text{if }i>1\text{ and }r{c}_{i-1}<80_{16}\\ (2\cdot r{c}_{i-1})\oplus {\text{11B}}_{16}& \text{if }i>1\text{ and }r{c}_{i-1}\ge 80_{16}\end{array}}$

where ${\displaystyle \oplus }$ is the bitwise XOR operator and constants such as Template:Math and Template:Math are given in hexadecimal. Equivalently:

${\displaystyle r{c}_i=x^{i-1}}$

where the bits of Template:Mvar are treated as the coefficients of an element of the finite field ${\displaystyle \mathrm{G}\mathrm{F}\mathrm{(}\mathrm{2}\mathrm{)}\mathrm{[}\mathrm{x}\mathrm{]}/\mathrm{(}{\mathrm{x}}^{\mathrm{8}}\mathrm{+}{\mathrm{x}}^{\mathrm{4}}\mathrm{+}{\mathrm{x}}^{\mathrm{3}}\mathrm{+}\mathrm{x}\mathrm{+}\mathrm{1}\mathrm{)}}$, so that e.g. ${\displaystyle r{c}_{10}=36_{16}=00110110_2}$ represents the polynomial ${\displaystyle x^5+x^4+x^2+x}$.

AES uses up to Template:Math for AES-128 (as 11 round keys are needed), up to Template:Math for AES-192, and up to Template:Math for AES-256.^{[note 2]}

Define:

• Template:Mvar as the length of the key in 32-bit words: 4 words for AES-128, 6 words for AES-192, and 8 words for AES-256
• Template:Math, Template:Math, ... Template:Math as the 32-bit words of the original key
• Template:Mvar as the number of round keys needed: 11 round keys for AES-128, 13 keys for AES-192, and 15 keys for AES-256^{[note 3]}
• Template:Math, Template:Math, ... Template:Math as the 32-bit words of the expanded key^{[note 4]}

Also define Template:Math as a one-byte left circular shift:Template:Refn

${\displaystyle \mathrm{RotWord}(\left[\begin{array}{cccc}{b}_0& b_1& b_2& b_3\end{array}\right])=\left[\begin{array}{cccc}{b}_1& b_2& b_3& b_0\end{array}\right]}$

and Template:Math as an application of the AES S-box to each of the four bytes of the word:

${\displaystyle \mathrm{SubWord}(\left[\begin{array}{cccc}{b}_0& b_1& b_2& b_3\end{array}\right])=\left[\begin{array}{cccc}\mathrm{S}(b_0)& \mathrm{S}(b_1)& \mathrm{S}(b_2)& \mathrm{S}(b_3)\end{array}\right]}$

Then for ${\displaystyle i=0\dots 4R-1}$:

${\displaystyle W_i=\{\begin{array}{cc}{K}_i& \text{if }i<N\\ W_{i-N}\oplus \mathrm{SubWord}(\mathrm{RotWord}(W_{i-1}))\oplus rco{n}_{i/N}& \text{if }i\ge N\text{ and }i\equiv 0(\mathrm{mod}N)\\ W_{i-N}\oplus \mathrm{SubWord}(W_{i-1})& \text{if }i\ge N\text{, }N>6\text{, and }i\equiv 4(\mathrm{mod}N)\\ W_{i-N}\oplus W_{i-1}& \text{otherwise.}\end{array}}$

Template:Reflist

• FIPS PUB 197: the official AES standard (PDF file)

Template:Reflist

• Description of Rijndael's key schedule
• schematic view of the key schedule for 128 and 256 bit keys for 160-bit keys on Cryptography Stack Exchange

Cite error: <ref> tags exist for a group named "note", but no corresponding <references group="note"/> tag was found