Cryptography Reference
In-Depth Information
RC
[1]=
x
0
=(0000 0001)
2
,
RC
[2]=
x
1
=(0000 0010)
2
,
RC
[3]=
x
2
=(0000 0100)
2
,
.
RC
[10]=
x
9
=(0011 0110)
2
.
The function
g
() has two purposes. First, it adds nonlinearity to the key sched-
ule. Second, it removes symmetry in AES. Both properties are necessary to thwart
certain block cipher attacks.
Key Schedule for 192-Bit Key AES
AES with 192-bit key has 12 rounds and, thus, 13 subkeys of 128 bit each. The
subkeys require 52 words, which are stored in the array elements
W
[0]
,...,
W
[51].
The computation of the array elements is quite similar to the 128-bit key case and
is shown in Fig. 4.6. There are eight iterations of the key schedule. (Note that these
key schedule iterations do
not
correspond to the 12 AES rounds.) Each iteration
computes six new words of the subkey array
W
. The subkey for the first AES round
is formed by the array elements (
W
[0]
,
W[1],
W
[2]
,
W
[3]), the second subkey by
the elements (
W
[4]
,
W[5],
W
[6]
,
W
[7]), and so on. Eight round coefficients
RC
[
i
] are
needed within the function
g
(). They are computed as in the 128-bit case and range
from
RC
[1]
,...,
RC
[8].
Key Schedule for 256-Bit Key AES
AES with 256-bit key needs 15 subkeys. The subkeys are stored in the 60 words
W
[0]
,...,
W
[59]. The computation of the array elements is quite similar to the 128-
bit key case and is shown in Fig. 4.7. The key schedule has seven iterations, where
each iteration computes eight words for the subkeys. (Again, note that these key
schedule iterations do not correspond to the 14 AES rounds.) The subkey for the first
AES round is formed by the array elements (
W
[0]
,
W[1],
W
[2]
,
W
[3]), the second
subkey by the elements (
W
[4]
,
W[5],
W
[6]
,
W
[7]), and so on. There are seven round
coefficients
RC
[1]
,...,
RC
[7] within the function
g
() needed, that are computed as
in the 128-bit case. This key schedule also has a function
h
() with 4-byte input and
output. The function applies the S-Box to all four input bytes.
In general, when implementing any of the key schedules, two different ap-
proaches exist:
1. Precomputation
All subkeys are expanded first into the array
W
. The encryption
(decryption) of a plaintext (ciphertext) is executed afterwards. This approach is often
taken in PC and server implementations of AES, where large pieces of data are
encrypted under one key. Please note that this approach requires (
n
r
+ 1)
·
16 bytes
of memory, e.g., 11
·
16 = 176 bytes if the key size is 128 bits. This is the reason
