Key schedule (cryptography)

Algorithm that derives per-round subkeys from a master key for iterative ciphers; covers purpose, common designs, security trade-offs, and notable examples such as DES and AES.

Overview

A key schedule is the component of an iterative or product cipher that takes a single master key and derives the many smaller keys used in each round of encryption or decryption. In many block ciphers the core transformation is repeated several times with identical structure but different parameters; those per-round parameters that depend on the secret key are commonly called subkeys. The key schedule computes those subkeys in a deterministic way so that the same master key will always yield the same sequence of round keys. The term appears frequently in discussions of cryptography and in descriptions of product ciphers.

How a key schedule works

At a basic level a key schedule accepts a secret key of fixed length and produces a sequence of values for use by the round function. Implementation details vary: some schedules are simple linear expansions or rotations, while others include non-linear functions, mixing operations, or constants to increase diffusion between round keys and the cipher state. The subkeys are often used to modify the round function by XOR, addition, or as inputs to substitution boxes.

Typical properties and design goals

Independence: Subkeys should behave as if independent to frustrate attacks that exploit relationships between rounds.
Diffusion: Small changes in the master key should produce large, unpredictable differences across subkeys.
Nonlinearity: Introducing non-linear steps can prevent algebraic attacks that reconstruct the master key from observed subkeys.
Efficiency: Schedules must strike a balance between computational cost, memory use (precomputed round keys), and implementation simplicity.
Resistance to related-key attacks: A robust schedule avoids simple, exploitable relations when different but related master keys are used.

History and notable examples

Early block ciphers often used straightforward schedules. DES, for instance, derives sixteen subkeys from its 56-bit master key through permutations and rotations; those per-round values are widely studied because weaknesses in the key schedule can weaken the whole algorithm. Modern ciphers like AES (Rijndael) embed a more elaborate expansion that combines XORs and byte substitutions to produce round keys for each round of the cipher. Cipher designers routinely publish both the round function and the key schedule because the security of the entire system depends on both parts working together.

Uses, examples and practical implications

Key schedules are central to block ciphers, stream ciphers that derive internal keys, and some modes of operation that require independent subkeys. Practically, designers and implementers must choose whether to precompute all subkeys (saving time at the cost of memory) or compute them on the fly (saving memory at the cost of CPU work). Weak schedules have enabled several attacks in the literature, including those that exploit related keys or fixed points; consequently, key schedule design is an important element in cipher evaluation.

Distinctions and notable facts

It is important to distinguish the key schedule from the round function: the former produces control material (subkeys), while the latter transforms plaintext/state using that material. Some contemporary proposals intentionally couple the schedule and the round function more tightly to avoid separation-of-concerns attacks. When reading cipher specifications or analyses, the reader will often see discussions of both encryption/decryption behaviour such as decryption and the way individual subkey values are generated. For further technical overviews and design examples, consult standard references or cipher specifications that describe both parts together.