|
|
Encryption and decryption each require the generation of Lr round keys, called collectively the key schedule. This occurs through expansion of the secret user key by attaching recursively derived 4-byte words ki = (k0,i, k1,i, k2,i, k3,i) to the user key.
The first Lk words k0,..., 
of the key schedule are formed from the secret user key itself. For Lk Î {4,6} the next 4-byte word ki is determined by XOR-ing the preceding word ki−1 with 
. If i ≡ 0 mod Lk, then a function 
(k, i) is applied before the XOR operation, which is composed of a cyclic left shift (left rotation) r(k) of k bytes, a substitution S(r(k)) from the Rijndael S-box (we shall return to this later), and an XOR with a constant c (⌊i/Lk⌋), so that altogether the function F is given by 
(k, i) := S(r(k)) ⊕ c (⌊i/Lk⌋).
The constants c(j) are defined by c(j) := (rc(j), 0, 0, 0), where rc(j) are recursively determined elements from 
: rc(1) := 1, rc(j) := rc(j − 1). · x = xj−1. Expressed in numerical values, this is equivalent to rc(1) := '01', rc(j) := rc(j − 1) • '02'. From the standpoint of programming, rc(j) is computed by a (j − 1)-fold execution of the function xtime described above, beginning with the argument 1, or more rapidly by access to a table (Tables 19.6 and 19.7).
|
'01' |
'02' |
'04' |
'08' |
'10' |
'20' |
'40' |
'80' |
'1B' |
'36' |
|
'6C' |
'D8' |
'AB' |
'4D' |
'9A' |
'2F' |
'5E' |
'BC' |
'63' |
'C6' |
|
'97' |
'35' |
'6A' |
'D4' |
'B3' |
'7D' |
'FA' |
'EF' |
'C5' |
'91' |
|
00000001 |
00000010 |
00000100 |
00001000 |
00010000 |
|
00100000 |
01000000 |
10000000 |
00011011 |
00110110 |
|
01101100 |
11011000 |
10101011 |
01001101 |
10011010 |
|
00101111 |
01011110 |
10111100 |
01100011 |
11000110 |
|
10010111 |
00110101 |
01101010 |
11010100 |
10110011 |
|
01111101 |
11111010 |
11101111 |
11000101 |
10010001 |
For keys of length 256 bits (that is, Lk = 8) an additional S-box operation is inserted: If i ≡ 4 mod Lk, then before the XOR operation ki−1 is replaced by S (ki−1).
Thus a key schedule is built up of Lb · (Lr + 1) 4-byte words, including the secret user key. At each round i = 0,..., Lr −1 the next Lb 4-byte words 
through kLb·(i+1) are taken as round keys from the key schedule. The round keys are conceptualized, in analogy to the structuring of the message blocks, as a two-dimensional structure of the form depicted in Table 19.8.
|
k0,0 |
k0,1 |
k0,2 |
k0,3 |
k0,4 |
... |
|
|
k1,0 |
k1,1 |
k1,2 |
k1,3 |
k1,4 |
... |
|
|
k2,0 |
k2,1 |
k2,2 |
k2,3 |
k2,4 |
... |
|
|
k3,0 |
k3,1 |
k3,2 |
k3,3 |
k3,4 |
... |
|
For key lengths of 128 bits key generation can be understood from an examination of Figure 19.2
There are no weak keys known, those whose use would weaken the procedure.
|
Team-Fly
|
|
