Rijndael key schedule

The Advanced Encryption Standard uses a key schedule to expand a short key into a number of separate round keys. The three AES variants have a different number of rounds. Each variant requires a separate 128-bit round key for each round plus one more.Non-AES Rijndael variants require up to 256 bits of expanded key per round The key schedule produces the needed round keys from the initial key.

Round constants

The round constant for round of the key expansion is the 32-bit word:

:$rcon_i = \begin rc_i & 00_ & 00_ & 00_ \end$

where is an eight-bit value defined as :
:$rc_i = \begin 1 & \text i = 1 \\ 2 \cdot rc_ & \text i > 1 \text rc_ < 80_ \\ (((2 \cdot rc_) \oplus \text _ ) \text \text _ ) & \text i > 1 \text rc_ \ge 80_ \end$

where $\oplus$ is the bitwise XOR operator and constants such as and are given in hexadecimal. Equivalently:

:$rc_i = x^$

where the bits of are treated as the coefficients of an element of the finite field \rm(2) (x^8 + x^ 4 + x^3 + x + 1), so that e.g. $rc_ = 36_ = 00110110_2$ represents the polynomial $x^5 + x^4 + x^2 + x$.

AES uses up to for AES-128 (as 11 round keys are needed), up to for AES-192, and up to for AES-256.
The Rijndael variants with larger block sizes use more of these constants, up to for Rijndael with 128-bit keys and 256 bit blocks (needs 15 round keys of each 256 bit, which means 30 full rounds of key expansion, which means 29 calls to the ''key schedule core'' using the round constants). The remaining constants for are: 6C, D8, AB, 4D, 9A, 2F, 5E, BC, 63, C6, 97, 35, 6A, D4, B3, 7D, FA, EF and C5

The key schedule

Define:
* as the length of the key in 32-bit words: 4 words for AES-128, 6 words for AES-192, and 8 words for AES-256
* , , ... as the 32-bit words of the original key
* as the number of round keys needed: 11 round keys for AES-128, 13 keys for AES-192, and 15 keys for AES-256Other Rijndael variants require round keys, where is the block size in words
* , , ... as the 32-bit words of the expanded keyOther Rijndael variants require words of expanded key, where is the block size in words

Also define as a one-byte left circular shift:

:$\operatorname(\begin b_0 & b_1 & b_2 & b_3 \end) = \begin b_1 & b_2 & b_3 & b_0 \end$

and as an application of the AES S-box to each of the four bytes of the word:

:$\operatorname(\begin b_0 & b_1 & b_2 & b_3 \end) = \begin \operatorname(b_0) & \operatorname(b_1) & \operatorname(b_2) & \operatorname(b_3) \end$

Then for $i = 0 \ldots 4R-1$:

:$W_i = \begin K_i & \text i < N \\ W_ \oplus \operatorname(\operatorname(W_)) \oplus rcon_ & \text i \ge N \text i \equiv 0 \pmod \\ W_ \oplus \operatorname(W_) & \text i \ge N \text N > 6 \text i \equiv 4 \pmod \\ W_ \oplus W_ & \text \\ \end$

Notes

References

FIPS PUB 197: the official AES standard
(PDF file)
{{reflist, group=ref

External links

Description of Rijndael's key schedule
* schematic view of the key schedul
for 128 and 256 bit keysfor 160-bit keys
on Cryptography Stack Exchange

Advanced Encryption Standard
Key management