1=round Nb So.c S0.0 S03 2 WI+c S03 c S1,0 31,3 ⊕ WI W1+3 51.3 +2 520 2 S23 S2,0 S23 S30 S39 S33 s30 ,2 3,3 Figure 10.AddRoundKey()XORs each column of the State with a word from the key schedule. 5.2 Key Expansion The AES algorithm takes the Cipher Key,K,and performs a Key Expansion routine to generate a key schedule.The Key Expansion generates a total of Nb(Nr 1)words:the algorithm requires an initial set of Nb words,and each of the Nr rounds requires Nb words of key data.The resulting key schedule consists of a linear array of 4-byte words,denoted [wi ]with i in the range 0≤i<Nb(Nr+1). The expansion of the input key into the key schedule proceeds according to the pseudo code in Fig.11. Subword (is a function that takes a four-byte input word and applies the S-box (Sec.5.1.1, Fig.7)to each of the four bytes to produce an output word.The function Rotword (takes a word [ao,a1,a2,a3]as input,performs a cyclic permutation,and returns the word [a,a2,a3,ao].The round constant word array,Rcon[i],contains the values given by [x,(00),(00),(00)],with xbeing powers ofx(x is denoted as (2))in the field GF(2),as discussed in Sec.4.2(note that i starts at 1,not 0). From Fig.11,it can be seen that the first Nk words of the expanded key are filled with the Cipher Key.Every following word,w[i],is equal to the XOR of the previous word,w[i-1],and the word Nk positions earlier,w[i-Nk].For words in positions that are a multiple of Nk,a transformation is applied to w[i-1]prior to the XOR,followed by an XOR with a round constant,Reon [i].This transformation consists of a cyclic shift of the bytes in a word (Rotword ())followed by the application of a table lookup to all four bytes of the word (SubWord ()) It is important to note that the Key Expansion routine for 256-bit Cipher Keys (Nk=8)is slightly different than for 128-and 192-bit Cipher Keys.If Nk=8 and i-4 is a multiple of Nk, then Subword (is applied to w[i-1]prior to the XOR. 1919 0,0 s 0,1 s 0,2 s 0,3 s ' 0,0 s ' 0,1 s ' 0,2 s ' 0,3 s 1,0 s 1,1 s 1,2 s 1,3 s ' 1,0 s ' 1,1 s ' 1,2 s ' 1,3 s 2,0 s 2,1 s 2,2 s 2,3 s ' 2,0 s ' 2,1 s ' 2,2 s ' 2,3 s 3,0 s 3,1 s 3,2 s 3,3 s wl wl +1 wl +2 wl +3 ' 3,0 s ' 3,1 s ' 3,2 s ' 3,3 s Figure 10. AddRoundKey() XORs each column of the State with a word from the key schedule. 5.2 Key Expansion The AES algorithm takes the Cipher Key, K, and performs a Key Expansion routine to generate a key schedule. The Key Expansion generates a total of Nb (Nr + 1) words: the algorithm requires an initial set of Nb words, and each of the Nr rounds requires Nb words of key data. The resulting key schedule consists of a linear array of 4-byte words, denoted [wi ], with i in the range 0 £ i < Nb(Nr + 1). The expansion of the input key into the key schedule proceeds according to the pseudo code in Fig. 11. SubWord() is a function that takes a four-byte input word and applies the S-box (Sec. 5.1.1, Fig. 7) to each of the four bytes to produce an output word. The function RotWord() takes a word [a0,a1,a2,a3] as input, performs a cyclic permutation, and returns the word [a1,a2,a3,a0]. The round constant word array, Rcon[i], contains the values given by [x i-1,{00},{00},{00}], with x i-1 being powers of x (x is denoted as {02}) in the field GF(28 ), as discussed in Sec. 4.2 (note that i starts at 1, not 0). From Fig. 11, it can be seen that the first Nk words of the expanded key are filled with the Cipher Key. Every following word, w[i], is equal to the XOR of the previous word, w[i-1], and the word Nk positions earlier, w[i-Nk]. For words in positions that are a multiple of Nk, a transformation is applied to w[i-1] prior to the XOR, followed by an XOR with a round constant, Rcon[i]. This transformation consists of a cyclic shift of the bytes in a word (RotWord()), followed by the application of a table lookup to all four bytes of the word (SubWord()). It is important to note that the Key Expansion routine for 256-bit Cipher Keys (Nk = 8) is slightly different than for 128- and 192-bit Cipher Keys. If Nk = 8 and i-4 is a multiple of Nk, then SubWord() is applied to w[i-1] prior to the XOR. Å c s0, c s1, c s2, c s3, ' 0,c s ' 1,c s ' 2,c s ' 3,c s wl+c l = round * Nb