# Re: AES Key expansion

From: Mike Amling (nospam_at_nospam.com)
Date: 08/11/05

```Date: Thu, 11 Aug 2005 17:27:26 GMT

```

> hi
>
> i have a question:
>
> i heard somewhere that the key can also be expanded from the last 4
> words.
> (for example i have word 0 to 43 for a 128 bit key i can generate all
> the other words if i know word 40 to 43.
>
> how can this be done?

See the key expansion on page 14 of the original Rijndael document at
http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf (still there
after all these years). For a 128-bit key,
Nk=4
Nr=10
Nb=4
in Daemen and Rijmen's pseudo-code:

KeyExpansion(byte Key[4*Nk] word W[Nb*(Nr+1)]) {
// Copy 8-bit key bytes to 32-bit integers W[0..Nk-1].
for(i = 0; i < Nk; i++) {
W[i] = (Key[4*i],Key[4*i+1],Key[4*i+2],Key[4*i+3]);
}
// Expand W[0..Nk-1] to W[Nk..Nb*(Nr+1)-1].
for(i = Nk; i < Nb * (Nr + 1); i++) {
temp = W[i - 1];
if (i % Nk == 0) {
temp = SubByte(RotByte(temp)) ^ Rcon[i / Nk];
}
W[i] = W[i - Nk] ^ temp;
}
}

Note that the expansion is reversible. E.g.,

for (i=Nb*(Nr+1)-1; i>=Nk; --i) {
temp=W[i-1];
if (i%Nk==0) {
temp=InvRotByte(InvSubByte(temp^Rcon[i/Nk]));
}
W[i-Nk]=W[i]^temp;
}

In fact, the entire expanded array W is determined by the values of
any Nk consecutive elements.

--Mike Amling