The Advanced Encryption Standard uses a key schedule to expand a short key into a number of separate round keys. The three AES variants have a different number of rounds. Each variant requires a separate 128-bit round key for each round plus one more.[note 1] The key schedule produces the needed round keys from the initial key.
i | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 |
---|---|---|---|---|---|---|---|---|---|---|
rci | 01 | 02 | 04 | 08 | 10 | 20 | 40 | 80 | 1B | 36 |
The round constant rconi for round i of the key expansion is the 32-bit word:[note 2]
where rci is an eight-bit value defined as :
where is the bitwise XOR operator and constants such as 0016 and 11B16 are given in hexadecimal. Equivalently:
where the bits of rci are treated as the coefficients of an element of the finite field , so that e.g.
represents the polynomial
.
AES uses up to rcon10 for AES-128 (as 11 round keys are needed), up to rcon8 for AES-192, and up to rcon7 for AES-256.[note 3]
Define:
Also define RotWord as a one-byte left circular shift:[note 6]
and SubWord as an application of the AES S-box to each of the four bytes of the word:
Then for :