Rijndael (AES) key schedule

How the Rijndael key schedule (AES) expands a secret key into per-round round keys: operations, differences for 128/192/256-bit keys, structure of round keys, and security/implementation notes.

The Rijndael key schedule is the deterministic procedure that expands a short secret key into the set of round keys used by the Advanced Encryption Standard (AES). AES implements Rijndael with a fixed 128-bit block and three key lengths (128, 192 and 256 bits). The key schedule translates the original key into a sequence of 128-bit round keys — one for each cipher round plus the initial key — so the cipher can mix key material into the state at every round.

Basic structure and terminology

The expansion works in units called 32-bit words (often denoted w[i]). AES uses Nb=4 words per round key (128 bits). The initial key supplies Nk words, where Nk is 4, 6 or 8 for 128-, 192- and 256-bit keys, respectively. The complete key schedule produces Nb*(Nr+1) words in total — for example AES-128 yields 44 words (11 round keys), AES-192 yields 52 words and AES-256 yields 60 words.

Core operations

Three small transformations are repeatedly applied during expansion:

RotWord: rotate the four bytes of a word left by one position.
SubWord: apply the AES S-box to each byte of a word (a nonlinear byte substitution).
Rcon: XOR with a round-dependent constant byte in the high-order byte of a word; these constants come from powers of 2 in the finite field GF(2^8).

Algorithm outline

The schedule is typically described as a simple loop. Starting with the Nk words from the key, each new word w[i] is derived from previous words. In concise terms:

Let temp = w[i-1].
If i mod Nk == 0, set temp = SubWord(RotWord(temp)) XOR Rcon[i/Nk].
Else if Nk > 6 and i mod Nk == 4, set temp = SubWord(temp). (This applies for AES-256.)
Then w[i] = w[i-Nk] XOR temp.

Groups of four consecutive words form each 128-bit round key; these are used directly in the AddRoundKey step of AES.

Differences among key sizes

AES-128 (Nk=4, Nr=10): every fourth new word uses RotWord+SubWord+Rcon; total 44 words (11 round keys).
AES-192 (Nk=6, Nr=12): similar logic with Nk=6; total 52 words (13 round keys).
AES-256 (Nk=8, Nr=14): in addition to the Nk==0 rule, every word whose index mod Nk equals 4 sees a solitary SubWord; total 60 words (15 round keys).

History, rationale and security notes

Rijndael's key schedule was designed for simplicity and efficient software/hardware implementation while providing sufficient diffusion of key material across rounds. The schedule's small, byte-oriented operations align with AES's S-box and state byte structure. Over time, cryptanalysts have studied the schedule: some theoretical related-key attacks exist against reduced-round variants or atypical use cases, but standard AES with independent keys and recommended use remains widely regarded as secure. Implementers should be mindful of side-channel leakage: the expansion can be precomputed, but care must be taken to avoid timing or cache-based exposures when expanding keys at runtime.

Implementation and references

Most practical implementations precompute the full set of round keys once and store them in memory form suited to the cipher loop. Optimizations trade off memory and speed (for example, computing keys on demand versus storing all round keys). For formal details and test vectors consult the AES specification or formal references: AES key schedule specification.