AES key schedule

The Advanced Encryption Standard uses a key schedule to expand a short key into a number of separate round keys. The three AES variants have a different number of rounds. Each variant requires a separate 128-bit round key for each round plus one more. [note 1] The key schedule produces the needed round keys from the initial key.

Round constants

Values of rc_i in hexadecimal:

  i      1   2   3   4   5   6   7   8   9   10
  rc_i   01  02  04  08  10  20  40  80  1B  36

The round constant rcon_i for round i of the key expansion is the 32-bit word: [note 2]

$$\mathrm{rcon}_i = [\, rc_i \;\; 00_{16} \;\; 00_{16} \;\; 00_{16} \,]$$

where rc_i is an eight-bit value defined as:

$$rc_i = \begin{cases} 1 & \text{if } i = 1 \\ 2 \cdot rc_{i-1} & \text{if } i > 1 \text{ and } rc_{i-1} < 80_{16} \\ (2 \cdot rc_{i-1}) \oplus 11B_{16} & \text{if } i > 1 \text{ and } rc_{i-1} \ge 80_{16} \end{cases}$$

where $\oplus$ is the bitwise XOR operator and constants such as $00_{16}$ and $11B_{16}$ are given in hexadecimal. Equivalently:

$$rc_i = x^{\,i-1}$$

where the bits of rc_i are treated as the coefficients of an element of the finite field $\mathrm{GF}(2)[x]/(x^8 + x^4 + x^3 + x + 1)$ (the AES field, whose reduction polynomial is $11B_{16}$), so that e.g. $rc_{10} = 36_{16} = 00110110_2$ represents the polynomial $x^5 + x^4 + x^2 + x$.

AES uses up to rcon_10 for AES-128 (as 11 round keys are needed), up to rcon_8 for AES-192, and up to rcon_7 for AES-256. [note 3]

The key schedule

[Figure: AES key schedule for a 128-bit key.]

Define (following FIPS-197 [ref 1]):

  - N as the length of the key in 32-bit words: N = 4 for AES-128, N = 6 for AES-192, and N = 8 for AES-256
  - K_0, K_1, ..., K_{N-1} as the 32-bit words of the original key
  - R as the number of round keys needed: R = 11 for AES-128, R = 13 for AES-192, and R = 15 for AES-256 [note 4]
  - W_0, W_1, ..., W_{4R-1} as the 32-bit words of the expanded key [note 5]

Also define RotWord as a one-byte left circular shift: [note 6]

$$\mathrm{RotWord}([b_0 \; b_1 \; b_2 \; b_3]) = [b_1 \; b_2 \; b_3 \; b_0]$$

and SubWord as an application of the AES S-box to each of the four bytes of the word:

$$\mathrm{SubWord}([b_0 \; b_1 \; b_2 \; b_3]) = [S(b_0) \; S(b_1) \; S(b_2) \; S(b_3)]$$

Then for $i = 0, 1, \ldots, 4R - 1$:

$$W_i = \begin{cases} K_i & \text{if } i < N \\ W_{i-N} \oplus \mathrm{SubWord}(\mathrm{RotWord}(W_{i-1})) \oplus \mathrm{rcon}_{i/N} & \text{if } i \ge N \text{ and } i \equiv 0 \pmod N \\ W_{i-N} \oplus \mathrm{SubWord}(W_{i-1}) & \text{if } i \ge N,\ N > 6,\ \text{and } i \equiv 4 \pmod N \\ W_{i-N} \oplus W_{i-1} & \text{otherwise} \end{cases}$$

The third case is the one that distinguishes AES-256: with N = 8 an extra SubWord (without RotWord or a round constant) is applied halfway through each group of N words.
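The round-constant recurrence and the word-by-word expansion above, carried through as working code. This is an added example and not code from the original article or from FIPS-197; it follows the definitions in the text directly. The S-box is computed from its definition (multiplicative inverse in the AES field followed by the affine transform) instead of being embedded as a 256-entry table, and the keys used at the bottom and in the checks are the FIPS-197 appendix vectors (2b7e1516... from A.1, the bytes 00..0f from C.1 and 00..1f from C.3), cited on this page as [ref 1].

```python
# Added example (not the article's or FIPS-197's own code): AES round
# constants and the key expansion for 128-, 192- and 256-bit keys, built
# from the definitions in the text. Words are 4-byte strings with byte 0
# on the left, the FIPS-197 byte order (see note 6 for the AES-NI/kernel
# convention, where the rotation direction is written the other way round).

from typing import List


def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (11B hex)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:          # an x^8 term appeared: reduce by 11B
            a ^= 0x11B
        b >>= 1
    return r


def sbox_byte(x: int) -> int:
    """AES S-box from its definition: inverse in GF(2^8) (0 maps to 0),
    then s = inv ^ rotl(inv,1) ^ rotl(inv,2) ^ rotl(inv,3) ^ rotl(inv,4) ^ 63."""
    inv = next((y for y in range(1, 256) if gf_mul(x, y) == 1), 0)
    s = inv
    for k in range(1, 5):
        s ^= ((inv << k) | (inv >> (8 - k))) & 0xFF
    return s ^ 0x63


SBOX = bytes(sbox_byte(i) for i in range(256))


def rc(i: int) -> int:
    """rc_i = x^(i-1) in GF(2^8): 01, 02, ..., 80, then 1B (= 100 xor 11B), 36, ..."""
    v = 1
    for _ in range(i - 1):
        v = gf_mul(v, 2)
    return v


def rcon(i: int) -> bytes:
    """rcon_i = [rc_i 00 00 00]; rc_i sits at byte index 0 as in FIPS-197 (note 2)."""
    return bytes([rc(i), 0, 0, 0])


def xor_word(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def rot_word(w: bytes) -> bytes:
    """One-byte left circular shift: [b0 b1 b2 b3] -> [b1 b2 b3 b0]."""
    return w[1:] + w[:1]


def sub_word(w: bytes) -> bytes:
    """Apply the S-box to each of the four bytes of the word."""
    return bytes(SBOX[b] for b in w)


def expand_key(key: bytes) -> List[bytes]:
    """Return the expanded key W_0 .. W_{4R-1} as a list of 32-bit words."""
    n = len(key) // 4                  # N: key length in words (4, 6 or 8)
    if n not in (4, 6, 8) or len(key) % 4:
        raise ValueError("AES key must be 16, 24 or 32 bytes long")
    r = n + 7                          # R: 11, 13 or 15 round keys
    w = [key[4 * i:4 * i + 4] for i in range(n)]       # W_i = K_i for i < N
    for i in range(n, 4 * r):
        t = w[i - 1]
        if i % n == 0:                                  # i = 0 mod N
            t = xor_word(sub_word(rot_word(t)), rcon(i // n))
        elif n > 6 and i % n == 4:                      # AES-256 only: i = 4 mod N
            t = sub_word(t)
        w.append(xor_word(w[i - n], t))                 # W_i = W_{i-N} xor t
    return w


def round_keys(key: bytes) -> List[bytes]:
    """Group the expanded key into R round keys of 128 bits each."""
    w = expand_key(key)
    return [b"".join(w[4 * k:4 * k + 4]) for k in range(len(w) // 4)]


if __name__ == "__main__":
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS-197 A.1
    for idx, rk in enumerate(round_keys(key)):
        print(f"round key {idx:2d}: {rk.hex()}")
```

One practical consequence of the structure shown here: every step of the expansion is invertible, so a single 128-bit round key of AES-128 determines the whole schedule and therefore the original key (for AES-256, two consecutive round keys do). A round key recovered from a memory image is as good as the key itself.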

Notes

  1. Non-AES Rijndael variants require up to 256 bits of expanded key per round
  2. In FIPS-197 the value is the least significant byte at index 0
  3. The Rijndael variants with larger block sizes use more of these constants, up to rcon_29 for Rijndael with a 128-bit key and 256-bit blocks (it needs 15 round keys of 256 bits each, i.e. 30 groups of N = 4 words of expanded key, which means 29 calls to the key schedule core using the round constants). The remaining constants for i ≥ 11 are: 6C, D8, AB, 4D, 9A, 2F, 5E, BC, 63, C6, 97, 35, 6A, D4, B3, 7D, FA, EF and C5
  4. Other Rijndael variants require max(N, B) + 7 round keys, where B is the block size in words
  5. Other Rijndael variants require B · R words of expanded key, where B is the block size in words
  6. The rotation runs against the direction in which the bytes are written. In FIPS-197, byte addresses in arrays increase from left to right [ref 1] (little-endian notation), and the rotation is from right to left. In AES-NI [ref 2] and in the Linux kernel's lib/crypto/aes.c [ref 3], bytes are written with addresses increasing from right to left (little-endian), and the rotation is from left to right. The operation is the same in both cases: the byte at index 0 moves to index 3 and the others move down by one.


References

  1. "Federal Information Processing Standards Publication 197: Announcing the ADVANCED ENCRYPTION STANDARD (AES)" (PDF), November 26, 2001, p. 8. Retrieved 2020-06-16.
  2. "Intel® Advanced Encryption Standard (AES) New Instructions Set" (PDF), p. 13.
  3. "aes.c" (Linux kernel, lib/crypto/aes.c). GitHub. Retrieved 2020-06-15.