Cryptography Reference
In-Depth Information
x
5
+
x
2
+
01
·
25 =
1
x
5
+
x
2
+
01
·
25 =
1
25 =
x
6
+
x
3
+
02
·
x
25 =
x
6
+
x
5
+
x
3
+
x
2
+
x
+ 1
C
i
=
x
5
+
x
2
+ 1,
where
i
= 0
,...,
15. This leads to the output state
C
=(25
,
25
,...,
25).
03
·
4.4.3 Key Addition Layer
The two inputs to the
Key Addition layer
are the current 16-byte state matrix and
a subkey which also consists of 16 bytes (128 bits). The two inputs are combined
through a bitwise XOR operation. Note that the XOR operation is equal to addi-
tion in the Galois field
GF
(2). The subkeys are derived in the key schedule that is
described below in Sect. 4.4.4.
4.4.4 Key Schedule
The
key schedule
takes the original input key (of length 128, 192 or 256 bit) and
derives the subkeys used in AES. Note that an XOR addition of a subkey is used
both at the input and output of AES. This process is sometimes referred to as key
whitening. The number of subkeys is equal to the number of rounds plus one, due
to the key needed for key whitening in the first key addition layer, cf. Fig. 4.2.
Thus, for the key length of 128 bits, the number of rounds is
n
r
= 10, and there are
11 subkeys, each of 128 bits. The AES with a 192-bit key requires 13 subkeys of
length 128 bits, and AES with a 256-bit key has 15 subkeys. The AES subkeys are
computed recursively, i.e., in order to derive subkey
k
i
, subkey
k
i
−
1
must be known,
etc.
The AES key schedule is word-oriented, where 1 word = 32 bits. Subkeys are
stored in a key expansion array
W
that consists of words. There are different key
schedules for the three different AES key sizes of 128, 192 and 256 bit, which are
all fairly similar. We introduce the three key schedules in the following.
Key Schedule for 128-Bit Key AES
The ll subkeys are stored in a key expansion array with the elements
W
[0]
,...,
W
[43].
The subkeys are computed as depicted in Fig. 4.5. The elements
K
0
,...,
K
15
denote
the bytes of the original AES key.
First, we note that the first subkey
k
0
is the original AES key, i.e., the key is
copied into the first four elements of the key array
W
. The other array elements are
