RCON for AES 192 and 256

Question

This is question about how many RCON values are used in AES 192 and 256.
I read the NIST Publication introducing AES and in Appendix A.2 and A.3 (Key Expansion for 192 and 256-bit keys), only $rcon_1$ to $rcon_8$ were used for 192 bits and upto $rcon_7$ for 256 bits. My question is how can only 7 or 8 values of $rcon$ be used when we have more rounds in AES 192 and 256.
To my understanding, $rcon$ is used every round so should't we have more $rcon$ values (owing to the increased no. of rounds in AES192 and 256) instead of less?

Welcome to Cryptography. Did you check the book titled as The Design of RijndaeL: AES - The Advanced Encryption Standard — kelalaka, Jul 03 '20 at 16:25
@kelalaka I went through the Key Schedule and No of Rounds. It only specified how the rcon values were generated, but that does not answer my question. — Keane Moraes, Jul 03 '20 at 17:06
related What is the importance of Rcon in Rjindael's key expansion from a security prespective? — kelalaka, Jul 03 '20 at 20:24

kelalaka · Answer 1 · 2021-11-22T15:25:22.117

I've got a response from Vincent Rijmen. Here's the complete response:

rcon is used in the computation of the roundkeys. AES192 and AES256 have less iterations of the roundkey computation, since each of these computations produced more than 128 bits of roundkey material. That’s why we need less rcon values.

Paŭlo Ebermann's great answer gives some details in ASCII images, here I will try to explain this in a different way.

AES-128 key schedule uses 4 32-bit word columns for 11 round keys that need 10 rcon values.
AES-192 key schedule uses 6 32-bit word columns for 13 round keys that need 8 rcon values.
AES-192 key schedule uses 8 32-bit word columns for 15 round keys that need 7 rcon values.

The extra round key is for the initial round key which is XORed with the plaintext.

In AES-192: the 13 round keys need 52 32-bit words. Using 6 32-bit words with 8 rounds produces keys for 13.5 rounds, a little more than necessary. The first and half of the second is the key itself.
In AES-256: the 15 round keys need 60 32-bit words. Using 8 32-bit words with 7 rounds produces keys for 16 rounds, more than necessary. The first two are the key itself.

Thank you for your reply. Just to clarify, in AES 192 and 256, due to >4 columns, we essentially have leftover bytes that carry into the next key expansion round - as for the rcon , these values are used only after our 4x6 (in 192-bit keys) or 4x8 (in 256-bit keys) is exhausted. Is this correct? — Keane Moraes, Jul 06 '20 at 18:39
Yes, keep in mind that for 192-bits half is left for the next round. rcon is not leftover, it is simply less used due to the rounds in the key schedule. — kelalaka, Jul 06 '20 at 18:49

score 1 · Answer 2 · answered Feb 12 '23 at 16:27

I have been trying to understand and implement AES in a project and came across this. I know it is an older post, but I did not see an answer that DIRECTLY answered the question. After doing some digging and wrapping my head around this, here is the simplest answer I could come to:

Regardless of the length of the key used in AES (128, 192, 256), the data is encrypted using 16-byte blocks. Because of this, the key expansion requires more rounds to produce a sufficient number of bytes for encryption as the key length is reduced. The key length for AES-128 is 16 bytes, for AES-192 is 24 bytes, and for AES-256 is 32 bytes. From here, explicitly the number of rounds is:

(key expansion rounds) = (block bytes) * (encryption rounds) / (key length)

For 128: (16 * 11) / 16 = 11 (key expansion rounds) for 176 bytes
For 192: (16 * 13) / 24 = 8.667 (key expansion rounds) for 208 bytes
For 256: (16 * 15) / 32 = 7.5 (key expansion rounds) for 240 bytes

This is how the higher-level encryption requires LESS rcon values, i.e. key expansion rounds, versus the lower-level encryption.

b degnan · Answer 3 · 2020-07-03T21:51:16.823

1

You have 10, 12, and 14 rounds respectively; however, they are not linear increments depending on the key schedule. For AES-192, you have 8 different values and you have 7 values for AES-256. The RCON value only changes with every round for AES-128.

The RCON value (in hardware) is generated by a register that is 8-bits and increments every round. It wraps around with the count, and left alone for encryption, you'd get:

0: 00000001 
1: 00000010 
2: 00000100 
3: 00001000 
4: 00010000 
5: 00100000 
6: 01000000 
7: 10000000 
8: 00011011 
9: 00110110 
10: 01101100 
11: 11011000 
12: 10101011 
13: 01001101 
14: 10011010

This is not what you'll actually use, but it's necessary to have a complete discussion. In the above list, for AES-128, you'd start at round 0, and the final round, 9 (the 10th round), you will have 0x36.

For AES-192 and AES-256, you end up skipping constants due to the key schedule. For AES-192:

0: 00000001 
1: 00000001 
2: 00000001
3: 00000010 
4: 00000100 
5: 00000100 
6: 00001000 
7: 00010000 
8: 00010000 
9: 00100000 
10: 01000000 
11: 01000000 
12: 10000000

For AES-256:

0: 00000001 
1: 00000001 
2: 00000001
3: 00000001 
4: 00000010
5: 00000010 
6: 00000100 
7: 00000100 
8: 00001000 
9: 00001000 
10: 00010000 
11: 00010000 
12: 00100000 
13: 00100000 
14: 01000000

You can implement this in many ways. The naive approach that you'd have in class, but is easy to follow (also, FPGAs would do this generally):

The way that I generally do it (note, this is encryption, you move tap 4 for decryption):

The clock control increments the value.

edited Jul 03 '20 at 21:51

answered Jul 03 '20 at 19:44

b degnan

4,810
1
24
48

1

Hmm. The Op asking why less rcon is used for AES 256 while there are more rounds. AES uses up to rcon10 for AES-128 (as 11 round keys are needed), up to rcon8 for AES-192, and up to rcon7 for AES-256 – kelalaka Jul 03 '20 at 20:02
1

This is still not answering the why, it is answering what. It is a design choice by the designer of the AES. So Why do they select like this? – kelalaka Jul 03 '20 at 20:19
1

hold on. ill get that in there too. i’m trying to find time so i’m piecemeal creating an answer – b degnan Jul 03 '20 at 20:25
1

Maybe the answer linked as a comment under the question may help. – kelalaka Jul 03 '20 at 20:37
1

@kelalaka I put the short answer at the top. Thoughts? I'm trying to make a point to have more complete answers, but it usually takes me a bit to find all of the pieces. – b degnan Jul 03 '20 at 21:53
1

error's comment if Rcon(i) replaced with i, won't make any difference since Rcon[0-32] are unique. The real use is the defending againts the slide attacks. Also The first one is the introduction of asymmetry. Asymmetry in the key schedule prevents symmetry in the round transformation and between the rounds leading to weaknesses or allows attacks. Examples of such weaknesses are the complementation property of the DES or weak keys such as in the DES [28]. Examples of attacks that exploit symmetry are slide attacks. – kelalaka Jul 03 '20 at 22:10
1

However, these still don't tell the reason, maybe there is no reason at all. If so, I believe they would tell in their book. – kelalaka Jul 03 '20 at 22:10
1

you’d probably have to ask rimjen. poncho might know. i’ve never see why written. – b degnan Jul 03 '20 at 22:47
1

I did. Let wait some time. – kelalaka Jul 03 '20 at 23:25

RCON for AES 192 and 256

3 Answers3