The Advanced Encryption Standard uses a key schedule to expand a short key into a number of separate round keys. The three AES variants have a different number of rounds. Each variant requires a separate 128-bit round key for each round plus one more.[1] The key schedule produces the needed round keys from the initial key.
| $i$ | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 |
|---|---|---|---|---|---|---|---|---|---|---|
| $rc_i$ (hex) | 01 | 02 | 04 | 08 | 10 | 20 | 40 | 80 | 1B | 36 |
$$rcon_i = \begin{bmatrix} rc_i & 00_{16} & 00_{16} & 00_{16} \end{bmatrix}$$
where is an eight-bit value defined as :
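$$rc_i = \begin{cases} 1 & \text{if } i = 1 \\ 2 \cdot rc_{i-1} & \text{if } i > 1 \text{ and } rc_{i-1} < 80_{16} \\ (2 \cdot rc_{i-1}) \oplus 11\mathrm{B}_{16} & \text{if } i > 1 \text{ and } rc_{i-1} \ge 80_{16} \end{cases}$$
where
$\oplus$
$rc_i = x^{i-1}$
$\mathrm{GF}(2)[x]/(x^8 + x^4 + x^3 + x + 1)$
$rc_{10} = 36_{16} = 00110110_2$
$x^5 + x^4 + x^2 + x$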
AES uses up to for AES-128 (as 11 round keys are needed), up to for AES-192, and up to for AES-256.[2]
Define:
Also define as a one-byte left circular shift:
$$\operatorname{RotWord}(\begin{bmatrix} b_0 & b_1 & b_2 & b_3 \end{bmatrix}) = \begin{bmatrix} b_1 & b_2 & b_3 & b_0 \end{bmatrix}$$
and as an application of the AES S-box to each of the four bytes of the word:
$$\operatorname{SubWord}(\begin{bmatrix} b_0 & b_1 & b_2 & b_3 \end{bmatrix}) = \begin{bmatrix} \operatorname{S}(b_0) & \operatorname{S}(b_1) & \operatorname{S}(b_2) & \operatorname{S}(b_3) \end{bmatrix}$$
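Then for $i = 0 \ldots 4R - 1$:
$$W_i = \begin{cases} K_i & \text{if } i < N \\ W_{i-N} \oplus \operatorname{SubWord}(\operatorname{RotWord}(W_{i-1})) \oplus rcon_{i/N} & \text{if } i \ge N \text{ and } i \equiv 0 \pmod{N} \\ W_{i-N} \oplus \operatorname{SubWord}(W_{i-1}) & \text{if } i \ge N,\ N > 6, \text{ and } i \equiv 4 \pmod{N} \\ W_{i-N} \oplus W_{i-1} & \text{otherwise.} \end{cases}$$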