Editing Key schedule

{{Short description|Algorithm that calculates all the round keys from the key}}
{{Refimprove|date=July 2008}}

[[Image:DES-key-schedule.png|thumbnail|220px|The key schedule of DES ("<<<" denotes a left rotation), showing the calculation of each round key ("Subkey").]]

In [[cryptography]], the so-called [[product cipher]]s are a certain kind of cipher, where the (de-)ciphering of data is typically done as an iteration of ''[[Round (cryptography)|rounds]]''.  The setup for each round is generally the same, except for round-specific fixed values called a [[round constant]], and round-specific data derived from the [[key (cryptography)|cipher key]] called a '''round key'''.  A '''key schedule''' is an algorithm that calculates all the round keys from the key.

== Some types of key schedules ==
*Some ciphers have simple key schedules. For example, the block cipher [[Tiny Encryption Algorithm|TEA]] splits the 128-bit key into four 32-bit pieces and uses them repeatedly in successive rounds.
*[[Data Encryption Standard|DES]] has a key schedule in which the 56-bit key is divided into two 28-bit halves; each half is thereafter treated separately. In successive rounds, both halves are rotated left by one or two bits (specified for each round), and then 48 round key bits are selected by [[DES supplementary material#Permuted choice 2 .28PC-2.29|Permuted Choice 2]] (PC-2) – 24 bits from the left half and 24 from the right. The rotations have the effect that a different set of bits is used in each round key; each bit is used in approximately 14 out of the 16 round keys.
*To avoid simple relationships between the cipher key and the round keys, in order to resist such forms of [[cryptanalysis]] as [[related-key attack]]s and [[slide attack]]s, many modern ciphers use more elaborate key schedules to generate an "expanded key" from which round keys are drawn. Some ciphers, such as [[Rijndael key schedule|Rijndael (AES)]] and [[Blowfish (cipher)|Blowfish]], use the same operations as those used in the data path of the cipher algorithm for their key expansion, sometimes initialized with some "[[nothing-up-my-sleeve number]]s". Other ciphers, such as [[RC5]], expand keys with functions that are somewhat or completely different from the encryption functions.

== Notes ==
[[Lars Knudsen|Knudsen]] and Mathiassen (2004) give some experimental evidence that indicate that the key schedule plays a part in providing strength against [[linear cryptanalysis|linear]] and [[differential cryptanalysis]]. For toy [[Feistel cipher]]s, it was observed that those with complex and well-designed key schedules can reach a uniform distribution for the probabilities of [[differential cryptanalysis|differentials]] and [[linear cryptanalysis|linear hulls]] faster than those with poorly designed key schedules.

==References==
* Lars R. Knudsen and John Erik Mathiassen, [http://www.ii.uib.no/~johnm/publications/MF3RF5W1W9TPG6RD.pdf On the Role of Key Schedules in Attacks on Iterated Ciphers], ESORICS 2004, pp322&ndash;334.
* Uri Blumenthal and Steven M. Bellovin, [https://www.cs.columbia.edu/~smb/papers/ides.pdf A Better Key Schedule for DES-like Ciphers], Proceedings of PRAGOCRYPT '96.

{{Cryptography navbox | block}}

[[Category:Cryptographic algorithms]]