AES Inverse Key Schedule

Question

I have a 128-bit input-block and the corresponding cipher-block given. Additionally I have the last round-key given. Is it now possible to get (calculate) the associated cipher-key? I already implemented the normal key-schedule with the rcon to generate the round-keys out of a cipher-key (like on wikipedia: https://en.wikipedia.org/wiki/Rijndael_key_schedule), but it didn't help me much for the other way... Ist the AES Key Schedule easily invertible? I'm a bit baffled now because i thought it would be.

Thanks in advance for your answers.

Answer 1

Yes, that is possible: It is quite obvious from the description of the key schedule that all involved operations are invertible. An implementation of that inversion is the function aes128_key_schedule_inv_round found in this C file.

Answer 2

Yes. See the schema in this answer.

You are given $k_{43}, k_{42}, k_{41}, k_{40}$. So you can compute $k_{39}$ from $k_{43} = k_{42} \oplus k_{39}$ etc. Just follows the recursion backwards. There is only one unknown at every stage.

Answer 3

Following the answer of @Henno Brandsma.

For AES-256:

---

$k_{56} = f(k_{55}) \oplus k_{48} \to k_{48} = f(k_{55}) \oplus k_{56}$

$k_{57} = k_{56} \oplus k_{49} \space\space\space\space\space\to k_{49} = k_{56}\oplus k_{57}$

$k_{58} = k_{57} \oplus k_{50} \space\space\space\space\space\to k_{50} = k_{57}\oplus k_{58}$

$k_{59} = k_{58} \oplus k_{51} \space\space\space\space\space\to k_{51} = k_{58}\oplus k_{59}$

---

Note that the function $f()$ does not change in the inverse key schedule .