Re: AES Key expansion

From: Mike Amling (nospam_at_nospam.com)
Date: 08/11/05 

Date: Thu, 11 Aug 2005 17:27:26 GMT

u_stadler@yahoo.de wrote:
> hi
>
> i have a question:
>
> i heard somewhere that the key can also be expanded from the last 4
> words.
> (for example i have word 0 to 43 for a 128 bit key i can generate all
> the other words if i know word 40 to 43.
>
> how can this be done?

   See the key expansion on page 14 of the original Rijndael document at
http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf (still there
after all these years). For a 128-bit key,
Nk=4
Nr=10
Nb=4
in Daemen and Rijmen's pseudo-code:

KeyExpansion(byte Key[4*Nk] word W[Nb*(Nr+1)]) {
   // Copy 8-bit key bytes to 32-bit integers W[0..Nk-1].
   for(i = 0; i < Nk; i++) {
     W[i] = (Key[4*i],Key[4*i+1],Key[4*i+2],Key[4*i+3]);
   }
   // Expand W[0..Nk-1] to W[Nk..Nb*(Nr+1)-1].
   for(i = Nk; i < Nb * (Nr + 1); i++) {
     temp = W[i - 1];
     if (i % Nk == 0) {
       temp = SubByte(RotByte(temp)) ^ Rcon[i / Nk];
     }
     W[i] = W[i - Nk] ^ temp;
   }
}

   Note that the expansion is reversible. E.g.,

for (i=Nb*(Nr+1)-1; i>=Nk; --i) {
   temp=W[i-1];
   if (i%Nk==0) {
     temp=InvRotByte(InvSubByte(temp^Rcon[i/Nk]));
   }
   W[i-Nk]=W[i]^temp;
}

   In fact, the entire expanded array W is determined by the values of
any Nk consecutive elements.

--Mike Amling