Why is x^8 + x^4 + x^3 + x + 1 used in AES's Rcon?

Question

I am not familiar with field theory so please bear with me if this is obvious to you.

I was wondering why this particular reducing polynomial $x^8+x^4+x^3+x+1$ is picked for AES' Rcon. Can't it be some other polynomials?

Answer 1

The polynomial $x^8+x^4+x^3+x+1$ is the minimal irreducible binary polynomial of degree 8, in the sense that:

1. it has the smallest possible number of terms for an irreducible binary polynomial of that degree, and
2. among all the irreducible binary polynomials with the same degree and number of terms, it has the smallest exponents.

In particular, it is the degree-8 polynomial listed in Seroussi's well known table of low-weight binary irreducible polynomials published in 1998, and the first degree-8 polynomial listed in Appendix 2, Table C of Lidl & Niederreiter's Introduction to Finite Fields and Their Applications (1986). It's quite plausible that the AES authors may have simply looked it up in one of these tables, or in some other similar list.

In any case, the use of such "canonical" minimal polynomials is hardly unusual in crypto. For example, the GCM mode polynomial $x^{128}+x^7+x^2+x+1$ is also the minimal irreducible polynomial of degree 128, while the Whirlpool polynomial $x^8+x^4+x^3+x^2+1$ (differing from the AES polynomial by the replacement of the $x$ term with $x^2$) is the minimal primitive binary polynomial of degree 8 and is explicitly documented to have been picked from the Lidl & Niederreiter table.

Answer 2

It can be any other irreducible polynomial. For example, Twofish (another candidate for AES) uses another polynomials (they are primitive and irreducible):