
How do you get the rcon for AES's key scheduler? Where does it come from; is it a constant because it seems to differ?

  • @Lubos What is x? Am I getting this all wrong? Is x an unknown? (2011-05-24)

1 Answer


The bytes in AES are considered as elements in a finite field of size $2^8$, and we can see them as polynomials over a variable $x$, where multiplication is done modulo a fixed 8th-degree polynomial. It turns out that the polynomial $x$ (represented by the byte value 2) is primitive: $x^k$ runs over all non-zero byte values once for $k=0 \ldots 254$, when we compute modulo the fixed polynomial, etc. The designers wanted a different constant for every round, so they took these powers as the round constants (other choices would have been possible). The values are fixed for AES (they are not dependent on the key, or other stuff), but they do vary per round, and this is to make the key schedule less symmetric. They can be generated "on the fly" (by the multiplication by $x$) and this would make for the possibility of small (we need less memory to store the round constants, in e.g. smartcards) implementations.
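
The "on the fly" generation described in the answer, as an added example that is not part of the original answer: each round constant is the previous one multiplied by $x$ modulo the AES polynomial, and the AES-128 key schedule carries a single byte of Rcon state instead of a table. The function names are this example's own, and the S-box is computed from the field inverse and the FIPS-197 affine map rather than stored.

```python
# Added example (not from the original answer): AES round constants made
# "on the fly" by multiplying by x, then used in the AES-128 key schedule.
AES_POLY = 0x11B  # FIPS-197 reduction polynomial x^8 + x^4 + x^3 + x + 1

def xtime(b):
    """Multiply a field element by x (byte value 2) modulo AES_POLY."""
    b <<= 1
    return b ^ AES_POLY if b & 0x100 else b

def rcon(count):
    """Round constants x^0, x^1, ..., x^(count-1) as bytes."""
    out, c = [], 1
    for _ in range(count):
        out.append(c)
        c = xtime(c)
    return out

def gmul(a, b):
    """General multiplication in GF(2^8), built from xtime."""
    p = 0
    while b:
        if b & 1:
            p ^= a
        a, b = xtime(a), b >> 1
    return p

def sbox_entry(v):
    """S-box value: field inverse (v^254, with 0 -> 0) then the affine map."""
    inv = 1
    for _ in range(254):
        inv = gmul(inv, v)
    rot = lambda n: ((inv << n) | (inv >> (8 - n))) & 0xFF
    return inv ^ rot(1) ^ rot(2) ^ rot(3) ^ rot(4) ^ 0x63

SBOX = [sbox_entry(v) for v in range(256)]

def expand_key_128(key):
    """AES-128 key expansion; only one byte of Rcon state is kept."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rc = 1  # x^0, the constant for the first round
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # RotWord, then SubWord
            t[0] ^= rc                            # Rcon touches the first byte only
            rc = xtime(rc)                        # next round's constant
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return bytes(b for word in w for b in word)

if __name__ == "__main__":
    print(" ".join(f"{c:02x}" for c in rcon(10)))
```

The eighth multiplication overflows the byte and is reduced by the polynomial, which is why the sequence goes from 0x80 to 0x1b rather than continuing to double.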