Algorithm 10.3 The AES key expansion algorithm.

(k)

RCon[1] ← 0x01000000
RCon[2] ← 0x02000000
RCon[3] ← 0x04000000
RCon[4] ← 0x08000000
RCon[5] ← 0x10000000
RCon[6] ← 0x20000000
RCon[7] ← 0x40000000
RCon[8] ← 0x80000000
RCon[9] ← 0x1B000000
RCon[10] ← 0x36000000
for i = 0 to (N_k − 1) do
    w[i] ← [k_{4i}, k_{4i+1}, k_{4i+2}, k_{4i+3}]
for i = N_k to (N_b(N_r + 1) − 1) do
    t ← w[i − 1]
    if (i mod N_k = 0)
        then t ← SubWord(RotWord(t)) ⊕ RCon[i/N_k]
    else if (N_k > 6 and i mod N_k = 4)
        then t ← SubWord(t)
    w[i] ← w[i − N_k] ⊕ t

(w)

The AES key expansion algorithm is summarized in Algorithm 10.3. We assume that N_k is included in k, so we don't have to consider N_k as an additional parameter. The algorithm employs a round constant word array, RCon[i] for 0 < i ≤ N_r. The array contains the values given by [x^{i−1}, 0x00, 0x00, 0x00], with x^{i−1} being powers of x (x is 0x02) in the field F_{2^8}.[27] In addition to RCon, the algorithm employs two auxiliary functions:

• SubWord() takes a 4-byte input word and applies the S-box of the SubBytes() transformation to each of the 4 bytes to produce an output word.
• RotWord() takes a 4-byte input word and performs a cyclic shift left (i.e., if the input word is [a_0, a_1, a_2, a_3], then the output word is [a_1, a_2, a_3, a_0]).

The AES key expansion algorithm works as follows: First, the round constant word array RCon is initialized as described before. Then the first N_k words of the key schedule are filled with the bytes of the original key. The rest of the key schedule is filled in a second for-loop. In this loop, every word w[i] is set to the sum modulo 2 of the previous word w[i − 1] and the word that is located N_k positions earlier

[27] Note that the index i starts at 1 (not 0).
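
Algorithm 10.3 as runnable Python, added here as an example (it is not code from the book). It computes the S-box from the field inverse and affine map of SubBytes() instead of storing a table, and derives RCon from powers of 0x02 as described above; the names gf_mul, sbox_entry, SBOX, RCON and key_expansion are chosen for this example.

```python
def gf_mul(a, b):
    """Multiply two bytes in F_{2^8} modulo x^8 + x^4 + x^3 + x + 1 (0x11B)."""
    p = 0
    while b:
        if b & 1:
            p ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return p

def sbox_entry(v):
    """S-box of SubBytes(): inverse in F_{2^8} (0 maps to 0), then the affine map."""
    inv = 1
    for _ in range(254):              # v^254 = v^(-1); yields 0 for v = 0
        inv = gf_mul(inv, v)
    s = inv
    for r in range(1, 5):             # XOR inv with its left rotations by 1..4 bits
        s ^= ((inv << r) | (inv >> (8 - r))) & 0xFF
    return s ^ 0x63

SBOX = [sbox_entry(v) for v in range(256)]
# RCon[i] = [x^(i-1), 0x00, 0x00, 0x00] with x = 0x02; index 0 is unused.
RCON, x = [0], 1
for _ in range(10):
    RCON.append(x << 24)
    x = gf_mul(x, 0x02)

def sub_word(w):  # apply the S-box to each of the 4 bytes of a 32-bit word
    return int.from_bytes(bytes(SBOX[b] for b in w.to_bytes(4, "big")), "big")
def rot_word(w):  # [a0, a1, a2, a3] -> [a1, a2, a3, a0]
    return ((w << 8) | (w >> 24)) & 0xFFFFFFFF

def key_expansion(key):
    """Return the N_b(N_r + 1) words of the key schedule for a 16/24/32-byte key."""
    if len(key) not in (16, 24, 32):
        raise ValueError("AES keys are 16, 24 or 32 bytes")
    nk = len(key) // 4
    nb, nr = 4, nk + 6
    w = [int.from_bytes(key[4 * i:4 * i + 4], "big") for i in range(nk)]
    for i in range(nk, nb * (nr + 1)):
        t = w[i - 1]
        if i % nk == 0:
            t = sub_word(rot_word(t)) ^ RCON[i // nk]
        elif nk > 6 and i % nk == 4:  # extra SubWord step, AES-256 only
            t = sub_word(t)
        w.append(w[i - nk] ^ t)
    return w
```

The S-box lookups are indexed by key-dependent bytes, so this version suits checking a schedule against published test vectors rather than running on secret keys in a shared environment.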