Cryptography Reference
Algorithm 10.3
The AES key expansion algorithm.

(k)

RCon[1] ← 0x01000000
RCon[2] ← 0x02000000
RCon[3] ← 0x04000000
RCon[4] ← 0x08000000
RCon[5] ← 0x10000000
RCon[6] ← 0x20000000
RCon[7] ← 0x40000000
RCon[8] ← 0x80000000
RCon[9] ← 0x1B000000
RCon[10] ← 0x36000000
for i = 0 to (N_k − 1) do
    w[i] ← [k_{4i}, k_{4i+1}, k_{4i+2}, k_{4i+3}]
for i = N_k to (N_b(N_r + 1) − 1) do
    t ← w[i − 1]
    if (i mod N_k = 0)
        then t ← SubWord(RotWord(t)) ⊕ RCon[i/N_k]
        else if (N_k > 6 and i mod N_k = 4)
            then t ← SubWord(t)
    w[i] ← w[i − N_k] ⊕ t

(w)

The AES key expansion algorithm is summarized in Algorithm 10.3. We assume that N_k is included in k, so we don't have to consider N_k as an additional parameter. The algorithm employs a round constant word array, RCon[i] for 0 < i ≤ N_r. The array contains the values given by [x^{i−1}, 0x00, 0x00, 0x00], with x^{i−1} being powers of x (x is 0x02) in the field F_{2^8}.[27] In addition to RCon, the algorithm employs two auxiliary functions:

SubWord() takes a 4-byte input word and applies the S-box of the SubBytes() transformation to each of the 4 bytes to produce an output word.

RotWord() takes a 4-byte input word and performs a cyclic shift left (i.e., if the input word is [a_0, a_1, a_2, a_3], then the output word is [a_1, a_2, a_3, a_0]).

The AES key expansion algorithm works as follows: First, the round constant word array RCon is initialized as described before. Then the first N_k words of the key schedule are filled with the bytes of the original key. The rest of the key schedule is filled in a second for-loop. In this loop, every word w[i] is set to the sum modulo 2 of the previous word w[i − 1] and the word that is located N_k positions earlier

[27] Note that the index i starts at 1 (not 0).
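
Algorithm 10.3 carried through in Python, as an added example that is not part of the original text. It derives RCon from the powers of x and the S-box from the field inverse plus the affine map instead of hard-coding tables. Assumptions not stated on this page: N_b = 4, N_r = N_k + 6, and the S-box construction, all taken from the AES specification (FIPS 197); the function names are illustrative.

```python
# Added example: AES key expansion following Algorithm 10.3.
# Table-driven and not constant-time; for study, not for production use.

def xtime(a):
    """Multiply a by x (0x02) in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    a <<= 1
    return a ^ 0x11B if a & 0x100 else a

def gmul(a, b):
    """Multiply two field elements by shift-and-add."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r

def _sbox_entry(a):
    inv = 1
    for _ in range(254):              # a^254 is the inverse of a; 0 maps to 0
        inv = gmul(inv, a)
    rotl = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xFF
    return inv ^ rotl(inv, 1) ^ rotl(inv, 2) ^ rotl(inv, 3) ^ rotl(inv, 4) ^ 0x63

SBOX = [_sbox_entry(a) for a in range(256)]

# RCon[i] = [x^(i-1), 0x00, 0x00, 0x00]; slot 0 is unused because i starts at 1.
RCON = [None]
_p = 1
for _ in range(10):
    RCON.append(_p << 24)
    _p = xtime(_p)

def sub_word(w):
    return int.from_bytes(bytes(SBOX[b] for b in w.to_bytes(4, "big")), "big")

def rot_word(w):
    return ((w << 8) | (w >> 24)) & 0xFFFFFFFF

def key_expansion(key):
    """Return the key schedule w as a list of N_b(N_r + 1) 32-bit words."""
    if len(key) not in (16, 24, 32):
        raise ValueError("AES key must be 16, 24 or 32 bytes")
    nk, nb = len(key) // 4, 4         # N_k comes from the key, as the text assumes
    nr = nk + 6                       # assumption from FIPS 197
    w = [int.from_bytes(key[4 * i:4 * i + 4], "big") for i in range(nk)]
    for i in range(nk, nb * (nr + 1)):
        t = w[i - 1]
        if i % nk == 0:
            t = sub_word(rot_word(t)) ^ RCON[i // nk]
        elif nk > 6 and i % nk == 4:  # extra SubWord step, 256-bit keys only
            t = sub_word(t)
        w.append(w[i - nk] ^ t)
    return w
```

The 256-bit case exercises the `N_k > 6` branch; with 128-bit and 192-bit keys that branch is never taken.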