I am given the last round key in AES and I want to infer all round keys and the first round key which is the cipherkey.
Can anyone provide an algorithm to do that?
For AES-128, it's easy (that is, so easy that there are hardware AES implementations that, in decrypt mode, just store the last round key, and derive all the other subkeys, including the first one, on the fly).
Let us treat the expanded key as a series of 32 bit words $w[0], w[1], w[2], w[3], ..., w[40], w[41], w[42], w[43]$, where $w[0], w[1], w[2], w[3]$ are the 128 bit AES key, and $w[40], w[41], w[42], w[43]$ is the last round key.
Then, the key expansion process is defined as $w[i] = w[i-4] \oplus F_i(w[i-1])$, where $F_i$ is a simple function that involves possibly sending the inputs through the sbox, and xoring in the round constant. Starting with $w[0], w[1], w[2], w[3]$, this allows us to efficiently compute the rest of the $w$ array.
So, if we rewrite this as $w[j] = w[j+4] \oplus F_{j+4}(w[j+3])$ (which we get by setting $j = i-4$ and rearranging), then, starting with $w[40], w[41], w[42], w[43]$, we can compute $w[39]$ using this formula, and then work our way backwards through the key schedule, ending with the initial values.
For AES-192 and AES-256, it's actually pretty similar, except that you need more information than the last round key (which makes sense; there are only 128 last round key bits; not enough information to recover the full 192 or 256 bit key). However, if you have the last 6 $w$ elements (for AES-192), or last 8 elements (for AES-256), the same logic works.
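The backward recurrence from the answer above for AES-128, as an added example that is not part of the original answer. The function names (`F`, `expand_key`, `recover_round_keys`) are illustrative, the S-box is computed from its definition instead of being pasted as a table, and the sample key is the AES-128 example key from FIPS-197 Appendix A.1.

```python
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]

def _gmul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def _sbox_entry(x):
    inv = 1
    for _ in range(254):              # x^254 is the inverse; 0 maps to 0
        inv = _gmul(inv, x)
    s = inv
    for k in range(1, 5):             # affine step: xor of four rotations
        s ^= ((inv << k) | (inv >> (8 - k))) & 0xFF
    return s ^ 0x63

SBOX = [_sbox_entry(x) for x in range(256)]

def F(i, word):
    """F_i from the answer: identity unless i is a multiple of 4."""
    if i % 4:
        return word
    word = ((word << 8) | (word >> 24)) & 0xFFFFFFFF        # RotWord
    sub = 0
    for shift in (24, 16, 8, 0):                            # SubWord
        sub |= SBOX[(word >> shift) & 0xFF] << shift
    return sub ^ (RCON[i // 4 - 1] << 24)                   # round constant

def expand_key(key):
    """Forward schedule: w[i] = w[i-4] ^ F_i(w[i-1])."""
    w = [int.from_bytes(key[4 * k:4 * k + 4], "big") for k in range(4)]
    for i in range(4, 44):
        w.append(w[i - 4] ^ F(i, w[i - 1]))
    return w

def recover_round_keys(last_round_key):
    """Backward schedule: w[j] = w[j+4] ^ F_{j+4}(w[j+3]), j = 39 .. 0."""
    w = [0] * 40 + [int.from_bytes(last_round_key[4 * k:4 * k + 4], "big")
                    for k in range(4)]
    for j in range(39, -1, -1):
        w[j] = w[j + 4] ^ F(j + 4, w[j + 3])
    return w

if __name__ == "__main__":
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # FIPS-197 A.1
    last = b"".join(x.to_bytes(4, "big") for x in expand_key(key)[40:])
    print(b"".join(x.to_bytes(4, "big")
                   for x in recover_round_keys(last)[:4]).hex())
```

The first four recovered words are the cipher key, and words 4k to 4k+3 are round key k.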