The present invention relates generally to cryptography. More particularly, the present invention relates to expansion of cryptographic keys.
In the Advanced Encryption System (AES), encryption of plaintext into ciphertext proceeds in several iterations, referred to as “rounds.” Each round employs one of several cryptographic keys, referred to as “round keys,” that result from key expansion of a shared cryptographic key referred to as a “cipher key.” AES specifies three different key lengths, each using a different number of rounds and therefore a different number of round keys, as shown in Table 1. Referring to Table 1, while the length Nb of the plaintext is always four 32-bit words, the key length Nk and number of rounds Nr can vary, as can the number of round keys Nr+1, which includes the cipher key and a round key for each of the Nr rounds.
TABLE 1

            Key Length    Block Size    Number of
            (Nk words)    (Nb words)    Rounds (Nr)
AES-128     4             4             10
AES-192     6             4             12
AES-256     8             4             14
To encrypt plaintext, the cipher key is expanded to obtain the Nr round keys using a key expansion technique specified by the AES standard. According to key expansion, the initial round key is simply the cipher key. The second round key is derived from the initial round key. The third round key is derived from the second round key, and so on. In the initial round, the initial round key is applied to a block of Nb words of the plaintext. In each subsequent round, the corresponding round key is applied to an intermediate result referred to as the “state.” At the completion of the rounds, the state is a block of Nb words of ciphertext.
To decrypt the ciphertext, the process is reversed using the same round keys. That is, the final round key is used in the first round of decryption, and the initial round key is used in the last round. However, the AES standard does not provide a reverse key expansion technique. That is, the AES standard does not provide a technique for deriving the round key for a decryption round from the round key of the previous decryption round. Therefore, conventional AES cryptographic schemes store all of the round keys generated during key expansion for use during decryption. One disadvantage of this approach is the cost of the memory required to store the round keys. For example, for AES-256, the 15 round keys, each comprising eight 32-bit words, require 480 bytes of memory.
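The forward derivation chain described above, written out as an added example that is not taken from this page: `expand_key` follows the key expansion recurrence of the AES standard (FIPS-197), and `reverse_expand` goes beyond the text by running the same recurrence backward from only the last Nk words of the schedule. The function names are assumptions made for this illustration, and the backward walk is neither part of the AES standard nor presented as the technique of the present invention.

```python
# Added illustration (not from the page): FIPS-197 key expansion, forward and backward.
def _gmul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial 0x11B."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def _sbox_entry(x):
    """S-box value: field inverse of x (0 maps to 0), then the affine map."""
    inv = next((y for y in range(1, 256) if _gmul(x, y) == 1), 0)
    rot = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xFF
    return inv ^ rot(inv, 1) ^ rot(inv, 2) ^ rot(inv, 3) ^ rot(inv, 4) ^ 0x63

SBOX = [_sbox_entry(x) for x in range(256)]

def _sub_word(w):
    return int.from_bytes(bytes(SBOX[b] for b in w.to_bytes(4, "big")), "big")

def _temp(prev, i, nk):
    """Word XORed with w[i - nk] to give w[i]; prev is w[i - 1]."""
    if i % nk == 0:
        rcon = 1
        for _ in range(i // nk - 1):
            rcon = _gmul(rcon, 2)
        rotated = ((prev << 8) | (prev >> 24)) & 0xFFFFFFFF
        return _sub_word(rotated) ^ (rcon << 24)
    if nk > 6 and i % nk == 4:
        return _sub_word(prev)
    return prev

def expand_key(key):
    """Forward expansion: cipher key bytes -> list of 4*(Nr+1) 32-bit words."""
    nk = len(key) // 4
    w = [int.from_bytes(key[4 * i:4 * i + 4], "big") for i in range(nk)]
    for i in range(nk, 4 * (nk + 7)):
        w.append(w[i - nk] ^ _temp(w[i - 1], i, nk))
    return w

def reverse_expand(tail, nk):
    """Rebuild the whole schedule from only its last nk words."""
    total = 4 * (nk + 7)
    w = [0] * (total - nk) + list(tail)
    for i in range(total - 1, nk - 1, -1):
        w[i - nk] = w[i] ^ _temp(w[i - 1], i, nk)
    return w
```

Because each word is the XOR of an earlier word and a function of the immediately preceding word, holding the final Nk words is enough to regenerate earlier round-key words in decryption order.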