AES key schedule

The Advanced Encryption Standard uses a key schedule to expand a short key into a number of separate round keys. The three AES variants have a different number of rounds. Each variant requires a separate 128-bit round key for each round plus one more. The key schedule produces the needed round keys from the initial key.

Round constants
The round constant $rcon_{i}$ for round $i$ of the key expansion is the 32-bit word:

 * $$rcon_i = \begin{bmatrix} rc_i & 00_{16} & 00_{16} & 00_{16} \end{bmatrix}$$

where $rc_{i}$ is an eight-bit value defined as:

 * $$rc_i = \begin{cases} 1 & \text{if } i = 1 \\ 2 \cdot rc_{i-1} & \text{if } i > 1 \text{ and } rc_{i-1} < 80_{16} \\ (2 \cdot rc_{i-1}) \oplus \text{11B}_{16} & \text{if } i > 1 \text{ and } rc_{i-1} \ge 80_{16} \end{cases}$$

where $\oplus$ is the bitwise XOR operator and constants such as $00_{16}$ and $11B_{16}$ are given in hexadecimal. Equivalently:

 * $$rc_i = x^{i-1}$$

where the bits of $rc_{i}$ are treated as the coefficients of an element of the finite field $\mathrm{GF}(2)[x]/(x^8 + x^4 + x^3 + x + 1)$, so that e.g. $rc_{10} = 36_{16} = 00110110_2$ represents the polynomial $x^5 + x^4 + x^2 + x$.

AES uses up to $rcon_{10}$ for AES-128 (as 11 round keys are needed), up to $rcon_{8}$ for AES-192, and up to $rcon_{7}$ for AES-256.

The key schedule

Define:
 * $N$ as the length of the key in 32-bit words: 4 words for AES-128, 6 words for AES-192, and 8 words for AES-256
 * $K_{0}$, $K_{1}$, ... $K_{N-1}$ as the 32-bit words of the original key
 * $R$ as the number of round keys needed: 11 round keys for AES-128, 13 keys for AES-192, and 15 keys for AES-256
 * $W_{0}$, $W_{1}$, ... $W_{4R-1}$ as the 32-bit words of the expanded key

Also define $\operatorname{RotWord}$ as a one-byte left circular shift:

 * $$\operatorname{RotWord}(\begin{bmatrix} b_0 & b_1 & b_2 & b_3 \end{bmatrix}) = \begin{bmatrix} b_1 & b_2 & b_3 & b_0 \end{bmatrix}$$

and $\operatorname{SubWord}$ as an application of the AES S-box to each of the four bytes of the word:

 * $$\operatorname{SubWord}(\begin{bmatrix} b_0 & b_1 & b_2 & b_3 \end{bmatrix}) = \begin{bmatrix} \operatorname{S}(b_0) & \operatorname{S}(b_1) & \operatorname{S}(b_2) & \operatorname{S}(b_3) \end{bmatrix}$$

Then for $i = 0 \ldots 4R-1$:

 * $$W_i = \begin{cases} K_i & \text{if } i < N \\ W_{i-N} \oplus \operatorname{SubWord}(\operatorname{RotWord}(W_{i-1})) \oplus rcon_{i/N} & \text{if } i \ge N \text{ and } i \equiv 0 \pmod{N} \\ W_{i-N} \oplus \operatorname{SubWord}(W_{i-1}) & \text{if } i \ge N \text{, } N > 6 \text{, and } i \equiv 4 \pmod{N} \\ W_{i-N} \oplus W_{i-1} & \text{otherwise.} \end{cases}$$
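The recurrence above, carried out for all three key sizes, as an added example written for this page (not code from the article or from any AES library). It derives the round constants by the doubling rule and computes the S-box on the fly from the GF(2^8) inverse and affine map rather than embedding the 256-entry table; the function names `expand_key`, `rc`, `rot_word` and `sub_word` are this example's own.

```python
def xtime(b: int) -> int:
    """Multiply by x in GF(2)[x]/(x^8 + x^4 + x^3 + x + 1), i.e. the 0x11B reduction."""
    b <<= 1
    return (b ^ 0x11B) if b & 0x100 else b

def gf_mul(a: int, b: int) -> int:
    """Multiply two GF(2^8) elements by shift-and-add using xtime."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r

def sbox(b: int) -> int:
    """AES S-box computed on the fly: inverse (b^254, with 0 -> 0), then the affine map."""
    inv = 1
    for _ in range(254):
        inv = gf_mul(inv, b)
    s = 0x63
    for k in range(5):                       # inv ^ rotl1 ^ rotl2 ^ rotl3 ^ rotl4
        s ^= ((inv << k) | (inv >> (8 - k))) & 0xFF
    return s

def rc(i: int) -> int:
    """rc_i = x^(i-1): repeated doubling, reduced by 0x11B once the value reaches 0x80."""
    v = 1
    for _ in range(i - 1):
        v = xtime(v)
    return v

def rot_word(w: bytes) -> bytes:
    return w[1:] + w[:1]

def sub_word(w: bytes) -> bytes:
    return bytes(sbox(x) for x in w)

def expand_key(key: bytes) -> list:
    """Return the R 16-byte round keys for a 16-, 24- or 32-byte key."""
    assert len(key) in (16, 24, 32), "AES key must be 128, 192 or 256 bits"
    N = len(key) // 4                        # key length in 32-bit words
    R = N + 7                                # 11, 13 or 15 round keys
    W = [key[4 * i:4 * i + 4] for i in range(N)]
    for i in range(N, 4 * R):
        t = W[i - 1]
        if i % N == 0:
            t = sub_word(rot_word(t))
            t = bytes([t[0] ^ rc(i // N)]) + t[1:]   # XOR with rcon_{i/N}
        elif N > 6 and i % N == 4:           # extra SubWord step, AES-256 only
            t = sub_word(t)
        W.append(bytes(a ^ b for a, b in zip(W[i - N], t)))
    return [b"".join(W[4 * r:4 * r + 4]) for r in range(R)]
```

The FIPS-197 Appendix A expansion vectors are a convenient check: for the AES-128 key 2b7e151628aed2a6abf7158809cf4f3c the first derived word is a0fafe17 and the last round key ends in b6630ca6.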