Chapter 1 Introduction
1.1. Security goals
 Confidentiality : 기밀성, 비밀성:
 most common aspect of information security
 protect our confidential information
 guard aginst those malicious actions that endanger the confidentiality of the information
 Integrity: 무결성:
 information needs to be changed constantly
 changes need to be done only by authorized entities and through authorized mechanisms
 Availability: 가용성:
 information needs to be available to authorized entities
1.2 Attacks
 Attacks Threatening Confidentiality:
 Snooping: unauthorized access to or interception of data. 도청, 엿보기
 Traffic analysis: to obtain some other type of information by monitoring. 통신량 분석
 Attacks Threatening Integrity:
 Modification: attacker intercepts the message and changes it. Insertion, deletion attack 변조
 Masquerading or spoofing: attacker impersonates somebody else. 신원(명의)도용
 Replaying: attacker obtains a copy of a message sent by a user and later tries to replay it. 다시 사용하기
 Repudiation: 부인, 부정:
 sender of a message denies that she has sent it.
 receiver of a message denies that he has received it
 Attacks Threatening Availability:
 Denial of service (DoS): slows down or totally interrupts the service of a system.
1.3. Services and Mechanisms
 ITUT(International Telecommunication Union:Telecommunication Standardization Sector, 국제전기통신연합) provides some security services and seom mechanisms to implement those services. Security services and mechanisms are closely related because a mechanism or combination of mechanisms are used to provide a service.
1.3.1. Security Services
 Data confidentiality: 메시지 전체 혹은 일부에 대한 기밀성을 유지하는 수단
 Data integirty: modification, insertion, deletion 예방하는 수단
 Authentication: peer entity 인증, data origin 인증하는 수단
 Nonrepudiation: proof of origin, proof of delivery 보장하는 수단
 Access control: unauthorized access 방지하는 수단
Chapter 2. Mathematics of Cryptography
2.1 Integer Arithmetic
 In integer arithmetic, we use a set and a few operations. You are familiar with this set and the corresponding operations, but they are reviewed here to create a background for modular arithmetic.
2.1.1. Set of Integers
 The set of integers, denoted by $Z$, contains all integral numbers (with no fraction) from negative infinity to positive infinity
 \[Z = \{..., 2, 1, 0, 1, 2, ...\}\]
2.1.2. Binary Operations
 In cryptography, we are interesed in three binary operations applied to the set of integers. A binary operation takes two inputs and creates one output.
2.1.3. Integer Division
 In integer arithmetic, if we divide $a$ by $n$ ($a/n$), we can get $q$ and $r$. The relationship between these four integers can be shown as
 \[a = q \times n + r\]
 $n$ : positive
 $r$ : nonnegative
2.1.4. Divisbility
 If $a$ is not zero and we let $r=0$ in the division relation, we get
 \[a = q \times n\]
 If the remainder is zero, $n \mid a$ (n divides a)
 If the remainder is not zero, $n \not \mid a$ (n does not divide a)
 Properties:
 Property 1 : if $a \mid 1$, then $a = \pm 1$
 Property 2 : if $a \mid b$ and $b \mid a$, then $a = \pm b$
 Property 3 : if $a \mid b$ and $b \mid c$, then $a \mid c$.
 Property 4 : if $a \mid b$ and $a \mid c$, then $a \mid (m \times b + n \times c)$, where $m$ and $n$ are arbitrary integers
 Facts 양의 양수만을 고려하였을때:
 The integer 1 has only one divisor, itself.
 Any positive integer has at least two divisors, 1 and itself(but if can have more).
 GCD(Greatest Common Divisor):
 The greatest common divisor of two positive integers is the largest integer that can divide both integers.
 Euclidean Algorithm:
 Fact 1. $gcd(a, 0) = a$
 Fact 2. $gcd(a, b) = gcd(b, a % b), \text{ for } a \ge b > 0$.
r_1 < a; r_2 < b; (initialization) while (r_2 > 0) { q < r_1 / r_2; r < r_1  q * r_2; r_1 < r_2; r_2 < r; } gcd(a, b) < r_1
 Extended Euclidean Algorithm:
 Given two integers $a$ and $b$, we often need to find other two integers, $s$ and $t$, such that
 \[s \times a + t \times b = gcd(a, b)\]
 The extended Eculidean algorithm can calculate the $gcd(a, b)$ and at the same time calculate the value of $s$ and $t$.
r_1 < a; r_2 < b; s_1 < 1; s_2 < 0; t_1 < 0; t_2 < 1; while (r_2 > 0) { q < r_1 / r_2; r < r_1  q * r_2; r_1 < r_2; r_2 < r; s < s_1  q * s_2; s_1 < s_2; s_2 < s; t < t_1  q * t_2; t_1 < t_2; t_2 < t; } gcd(a, b) < r_1; s < s_1; t < t_1;
2.2. Modular Arithmetic
 The division relationship ($a=q \times n + r$) discussed in the previous section has two inputs ($a$ and $n$) and two outputs ($q$ and $r$). In modular arithmetic, we are intereseted in only one of the outputs, the remainder $r$.
2.2.1. Modulo Operator
 The modulo operator is shown as mod. THe second input($n$) is called the modulus. The output $r$ is called the residue
2.2.3. Congruence
 To show that two integers are congruent, we use the congruence operator ($\equiv$):
 $2 \equiv 12 (\text{ mod } 10)$
2.2.4. Operation in $Z_n$
 The three binary operations that we discussed for the set $Z$ can also be defined for the set $Z_n$. The result may need to be mapped to $Z_n$ using the mod operator.
 \[Z_n = \{ 0, 1, 2, ..., (n1)\}\]
 Properties:
 Property 1 : $(a + b) \text{ mod } n = [(a \text{ mod } n) + (b \text{ mod } n)] \text{ mod } n$
 Property 2 : $(a  b) \text{ mod } n = [(a \text{ mod } n)  (b \text{ mod } n)] \text{ mod } n$
 Property 3 : $(a \times b) \text{ mod } n = [(a \text{ mod } n) \times (b \text{ mod } n)] \text{ mod } n$
2.2.5. Inverses
 Additive Inverse:
 In $Z_n$, two numbers $a$ and $b$ are the additive inverse of each other if
 \[(a + b) \text{ mod } n = 0\]
 In $Z_n$, two numbers $a$ and $b$ are the additive inverse of each other if
 Multiplicative Inverse:
 In $Z_n$, two numbers $a$ and $b$ are the multiplicative inverse of each other if
 \[(a * b) \text{ mod } n = 1\]
 An integer $b$ in $Z_n$ has a multiplicative inverse:
 if and only if $gcd(n, b) = 1$
 n과 b가 서로소(n and b are relatively prime)
 In $Z_n$, two numbers $a$ and $b$ are the multiplicative inverse of each other if
2.2.6. Additive and Multiplication Tables
2.2.7. Different Sets
 We need to use $Z_n$ when additive inverses are needed; we need to use $Z_n^*$
2.2.8. Two More sets
 Cryptography often uses two more sets: $Z_p$ and $Z_p^*$. p is a prime number
 \[Z_p = Z_p^* \cup \{ 0 \}\]
Chapter 3. Traidtional SymmetricKey Ciphers
3.1. Introduction
3.1.1. Kerckhoff’s Principle
 Based on Kerckhoff’s principle, one should always assume that the adversary, Eve, knows the encryption/decryption algorith. The reisistance of the cipher to attack must be based only one the secrecy of the key.
 Shanon : The enemy knows the system.
3.1.2. Cryptanalysis
 As cryptography is the science and art of creating secret codes, Cryptanalysis is the science and art of breaking those codes.
3.2. Substitution ciphers (대치암호)
 A substitution cipher replaces one symbol with another. Subsitution ciphers can be categorized as either monoalphabetic ciphers or polyalphabetic ciphers.
3.2.1. Monoalphabetic Ciphers
 In monoalphabetic substitution, the relationship between a symbol in the plaintext to a symbol in the ciphertext is always onetoone.
 Additive Cipher(= Caesar cipher) 덧셈 암호:
 The simplest monoalphabetic cipher is the additive cipher. This cipher is sometimes called a shift cipher and sometimes a Caesar cipher, but the term additive cipher better reveals it mathematical nature.
 \[C = (P + k) \text{ mod } 26\]
 \[P = (C  k) \text{ mod } 26\]
 Historically, additive ciphers are called shift ciphers. Julius Caesar used an additive cipher to communicate with his officers. For this reason, additive ciphers are sometimes referred to as the Caesar cipher. Caesar used a key of 3 for his communications.
 Statistical Attack
 Multiplicative Ciphers
 \[C = (P \times k) \text{ mod } 26\]
 \[P = (C \times k^{1}) \text{ mod } 26\]
 Affine Ciphers (덧셈 곱셈 혼합)
 \[T = (P \times k_1) \text{ mod } 26\]
 \[C = (T + k_2) \text{ mod } 26\]
 \[T = (C  k_2) \text{ mod } 26\]
 \[P = (T \times k_1^{1}) \text{ mod } 26\]
 Monoalphabetic Substitution Cipher:
 Because additive, multiplicative, and affine ciphers have small key domains, they are very vulnerable to bruteforce attack.
 A better solution is to create a mapping between each plaintext character and the corresponding ciphertext character. Alice and Bob can agree on a table showing the mapping for each character.
3.2.2. Polyalphabetic Ciphers
 In polyalphabetic substitution, each occurrence of a character may have ad ifferent substitute. The relationship between a character in the plaintext to a character in the ciphertext is onetomany.
 Autokey Ciphers:
 \[k = (k_1, P_1, P_2, ...)\]
 \[C_i = (P_i + k_i) \text{ mod } 26\]
 \[P_i = (C_i  k_i) \text{ mod } 26\]
 Playfair Cipher : 영국 1차 세계 대전 사용
 5 x 5 의 Secret Key 존재
 J 는 잘 안쓰기 때문에 i와 같은 칸 차지
 두 글자씩 암호:
 같은 글자가 연속으로 나오면 미리 약속한 글자를 삽입
 같은 row : 각 글자의 오른쪽 글자 대치
 같은 column : 각 글자의 아래 글자 대치
 그 외 : 직사각형에서 같은 row의 반대편 글자로 대치
 Vigenere Cipher : 비지네르 프랑스 수학자:
 secret key 가 문자열이고, 이를 돌아가면서 키로 사용
 Hill Cipher:
 secret key 가 m x m 정사각 행렬
 글자수가 안맞으면 끝에 z(약속된 문자) 삽입
 복호화는 secret key 의 역행렬을 사용한다.
 OneTime Pad:
 One of the goals of cryptography is perfect secrecy. A study by Shannon has shown that perfect secrecy can be achieved if each plaintext symbol is encrypted with a key randomly chosen from a key domain. This idea is used in a cipher called onetime pad, invented by Vernam.
3.3. Transposition Ciphers (치환 암호)
 A transposition cipher does not substitute one symbol for another, instead it changes the location of the symbols.
3.3.1. Keyless Transposition Ciphers
 Split odd and even
 example. meet me at the park > memateaketethpr
3.3.2. Keyed Transposition Ciphers
 The key used for encryption and decryption is a permutation key, which shows how the character are permuted.
 For example, key = (3 1 4 5 2)
3.3.3. Combining Two Approaches
 keyless + keyed
3.4. Stream and block ciphers
 The literature divides the symmetric ciphers into two broad categories: stream ciphers and block ciphers.
 Although the definitions are normally applied to modern ciphers, this categorization also applies to traditional ciphers.
3.4.1. Stream Ciphers
 Call the plaintext stream P, the ciphertext stream C, and the key stream K.
 $P=P_1P_2P_3…$, $C=C_1C_2C_3…$, $K=(k_1, k_2, k_3, …)$
3.4.2. Block Ciphers

In a block cipher, a group of plaintext symbols of size $m (m> 1)$ are encrypted together creating a group of ciphertext of the same size. A single key is used to encrypt the whole block even if the key is made of multiple values.

Playfair cipher, Hill cipher
Chapter 6. Data Encryption Standard (DES)
6.1. Introduction
 The Data Encryption Standard (DES) is a symmetrickey block cipher published by the National Institute of Standards and Technology (NIST).
6.1.1. History
 1973, NIST 미국 표준 대칭 키 암호 공모
 IBM의 Lucifer 당선. DES라 부름
 DES 1975 미국 표준 발표.
 현재 : 표준 탈락
6.1.2. Overview
 DES is a block cipher.
 symmetrickey cipher(대칭키 암호)
 동일 plaintext라고 key에 따라 다른 ciphertext가 생성
6.2. DES structure
 The encryption process is made of two permutations(Pboxes), which we call initial and final permutations, and sixteen Feistel rounds.
6.2.1. Initial and Final Permutations
 1~64 정수들의 permutation
 규칙적
 IP와 FP는 서로 역 permutation
6.2.2. Rounds
 $L_i = R_{i  1}$

$R_i = f(R_{i1}, K_i}) \oplus L_{i1}$
 DES Function:
 The heart of DES is the DES function. The DES function applies a 48bit key to the rightmost 32 bits to produce a 32bit output.
 Expansion Pbox:
 Since $R_{i1}$ is a 32bit input and $K_i$ is a 48bit key, we first need to expand $R_{i1}$ to 48bits.
 Although the relationship between the input and output can be defined mathematically, DES uses Table.
 XOR:
 After the expansion permutation, DES uses the XOR operation on the expanded right section and the round key.
 Note that both the right section and the key are 48bits in length.
 Also note that the round key is used only in this operation.
 SBoxes (substitutionbox, 48bits > 32bits):
 The Sboxes do the real mixing (confusion). DES uses 8 Sboxes, each with a 6bit input and a 4bit output.
 불규칙적
 Straight Pbox(Permutation box):
 불규칙적
6.2.3. Cipher and Reverse Cipher
 Using mixers and swappers, we can create the cipher and reverse cipher, each having 16 rounds.
 To achieve this goal, one approach is to make the last round (round 16) different from the others; it has only a mixer and no swapper.

cipher와 reverse cipher는 같은 코드 사용
 Pseudocode for DES cipher ``` Cipher (plainBlock[64], RoundKeys[16, 48], cipherBlock[64]) { permute(64, 64, plainBlock, inBlock, InitialPermutationTable) split(64, 32, inBlock, leftBlock, rightBlock) for (round = 1 to 16) { mixer(leftBlock, rightBlock, RoundKeys[round]) if (round != 16) swapper(leftBlock, rightBlock) } combine(32, 64, leftBlock, rightBlock, outBlock) permute(64, 64, outBlock, cipherBlock, FinalPermutationTable) }
mixer(leftBlock[32], rightBlock[32], RoundKey[48]) { copy(32, rightBlock, T1) function(T1, RoundKey, T2) exclusiveOr(32, leftBlock, T2, T3) copy(32, T3, leftBlock) }
swapper(leftBlock[32], rightBlock[32]) { copy(32, leftBlock, T) copy(32, rightBlock, leftBlock) copy(32, T, rightBlock) }
function(inBlock[32], RoundKey[38], outBlock[32]) { permute(32, 48, inBlock, T1, ExpansionPermutationTable) exclusiveOr(48, T1, RoundKey, T2) substitute(T2, T3, SubstituteTables) permute(32, 32, T3, outBlock, StraightPermutationTable) }
 Key Generation:
 The roundkey generator creates sixteen 48bit keys out of a 56bit cipher key.
### 6.3 DES Analysis
 Critics have used a strong manifier to analyze DES.
 Tests have been done to measure the strength of some desired properties in a block cipher.
#### 6.3.1. Properties
 Two desired properties of a block cipher are the (1)avalanche effect and the (2)completeness.
 To check the (1)avalanche effect in DES, let us encrypt two plaintext blocks (with the same key) that differ only in one bit and observe the differences in the number of bits in each round.
 Although the two plaintext blocks differ only in the rightmost bit, the ciphertext blocks differ in 29 bits. This means that chaning one bit of the plaintext creates a change of approximately 45 percent in hte ciphertext.
 Completeness effect means that each bit of the ciphertext needs to depend on many bits on the plaintext.
#### 6.3.2. Design Criteria
 Shannon, 1949
 Diffusion(확산) : ciphertext와 plaintext의 관계를 숨기는 것
 Confusion(혼돈) : ciphertext와 key의 관계를 숨기는 것
 Product cipher: Substitution과 Transposition(Permutation)을 결합하여 만든 cipher
 Feistel ciphers are a class of product cipher.
 SBoxes 와 PBoxes:
 confusion과 diffusion을 잘 만들고 있다.
 Number of Rounds:
 DES uses sixteen rounds of Feistel ciphers. After eight rounds, the ciphertext is throughly a random function of plaintext and key. DES with less than 16 rounds are more vulnerable to attacks.
#### 6.3.3. DES Weaknesses
 During the last few years critics have found some weaknesses in DES.
 Weaknesses in Key:
 Key size (56bits) is too small: 2^56 keys
 Weak keys exist.
 Key complement:
 In the key domain (2^56), definitely half of the keys are complement of the other half. A key complement can be made by inverting (changing 0 to 1 or 1 to 0) each bit in the key. Does a key complement simplify the job of the cryptanalysis? It happens that it does. The attacker can use only half of the possible keys (2^55) to perform bruteforce attack.
 $$C=E(K, P) \rightarrow \bar C = E(\bar K, \bar P)$$
### 6.4 Multiple DES
 The major criticism of DES regards its key length. This means that we can use double or triple DES to increase the key size.
#### 6.4.1. Double DES
 The first approach is to use double DES(2DES)
 Use two different keys k1 and k2 (= 112 bits)
 MeetintheMiddle Attack:
 However, using a knownplaintext attack called meetinthemiddle attack proves that double DES improves this vulnerability slightly (to 2^57 tests), but not tremendously (to 2^112).
 즉 112 bit인데 57 bit 효과만 나타남
#### 6.4.2. Triple DES
 Triple DES with Three keys:
 Triple DES with three keys is used by many applications such as PGP.
 $$E_{k3}(D_{k2}(E_{k1}(P))) = C$$
 $$D_{k1}(E_{k2}(D_{k3}(C))) = P$$
### 6.5. Security of DES
 DES, as the first important block cipher, has gone through much scrutiny. Among the attempted attacks, three are of interest: bruteforce, differential cryptanalysis, and linear cryptanalysis.
## Chapter 4. Mathematics of Cryptography
### 4.1. Algebraic strucutres
 Cryptography requires sets of integers and specific operations that are defined for those sets. The combination of the set and the operations that are applied to the elements of the set is called an algebraic struture.
#### 4.1.1. Groups
 $<G, \cdot>$ is a group:
 $G$ : a set elements
 $\cdot$ : a binary operation
 if it satisifes four properties (or axioms).
 A commutative (or abelian) group satisfies an extra property, commutativity.
 Closure(닫힘) : $a \cdot b \in G$ for any $a, b \in G$
 Associativity(결합) : $a \cdot (b \cdot c) = (a \cdot b) \cdot c$
 Commuativity(교환) : $a \cdot b = b \cdot a$ for any $a, b \in G$ (abelian group)
 Existence of identity(항등원) : there is $e \in G$ such that $a \cdot e = e \cdot a = a$ for all $a \in G$
 Existence of inverse(역) : there is $a' \in G$ such that $a \cdot a' = a' \cdot a = e$ for each $a \in G$
 Finite Group: the set has a finite number of elements.
 Order of group: $\vert G \vert$ = number of elements (집합의 크기)
#### 4.1.3. Field (체)
 A field, denoted by $<G, \cdot, \square>$, satisfies 11 properties:
 G: set
 $\cdot, \square$ : two binary operators
 $<G, \cdot>$ is an abelian group
 $<G, \square>$ is an abelian group
 Distribution(배분) : $a \square (b \cdot c) = (a \square b) \cdot (a \square c)$ for any $a,b,c \in G$
 Example :
 $<R, +, *>$ is a field.
 정수들로 이루어진 field 필요. $GF(p), GF(2^n)$
 GF(p) field (Galois Field, p는 소수)
 $GF(p) = <Z_p, +, \times>$, p는 소수
### 4.2. $GF(2^n)$ Fields
 In cryptography, we often need to use four operations (addition, subtraction, ultiplicationh, and division). In other words, we need to use fields.
#### 4.2.1. Polynomials 다항식
 A polynomial of degree(차수) n1 is
 $$f(x) = a_{n1}x^{n1} + a_{n2} x^{n2} + \cdots + a_1 x^1 + a_0 x^0$$
 where $x^i$ is called the ith term and $a_i$ is called the coefficient of the ith term.
 Addition and subtraction on polynomials are the same operation.
 Additive identity: 0
 Additive inverse: itself
 Polynomial multiplication:
1. The coefficent multiplication is done is GF(2).
2. The multiplying $x^i$ by $x^j$ results in $x^{i+j}$.
3. The multiplication may create terms with degree more than $n1$, which means the result needs to be reduced using a modulus polynomial (or irreducible polynomial).
 Multiplicative identity: 1
 Multiplicative inverse: use the extended Euclidean algorithm
#### 4.2.3. Summary
 The finite field GF(2^n) can be used to define four operations of addition, subtraction, multiplication and division over nbit words.
## Chapter 7. Advanced Encryption Standard (AES)
### 7.1. Introduction
 The Advanced Encryption Standard (AES) is a symmetrickey block cipher published by the National Institute of Standards and Technology(NIST) in December 2001.
#### 7.1.1. History
 NIST: DES를 대체할 새 대칭 키 블록 암호 선정 절차
 벨기에: Vincent Rijmen and Joan Daemen의 Rijndael 암호에 기반
 In February 2001, NIST announced that a draft of the Federal Information Processing Standard (FIPS) was available for public review and comment.
 Finally, AES was published as FIPS 197 in the Federal Register in December 2001.
#### 7.1.3. Rounds
 AES is a nonFeistel cipher that encrypts and decrypts a data block of 128 bits. It uses 10, 12, or 14 rounds. The key size, which can be 128, 192, or 256 bits, depends on the number of rounds.
 AES has defined three versions (AES128, 192, 256), with 10, 12, and 14 rounds.
 Each version uses a different cipher key size (128, 192, or 256 bits), but the round keys are always 128 bits.
#### 7.1.4. Data Units
 1 byte = 8bits
 1 word = 4 bytes =32 bits
 1 block = 4 words = 16 bytes = 128 bits
#### 7.1.5. Strucutre of Each Round
 AES128 version: 10 rounds
Cipher(InBlock[16], OutBlock[16], w[0 … 43]) { BlockToState(InBlock, S)
S < AddRoundKey(S, w[0…3]) for (round = 1 to 10) { S < SubBytes(S) S < ShiftRows(S) if (round != 10) S < MixColumns(S) S < AddRoundKey(S, w[4 * round, 4 * round + 3]) } StateToBlock(S, OutBlock); }
### 7.2. Transformations
 To provide security, AES uses four types of transformations:
 substitution(SubBytes), permutation(ShiftRows), mixing(MixColumns), and keyadding(AddRoundKey)
#### 7.2.1. Substitution
 AES, like DES, uses substitution. AES uses two invertible transformations.
 SubBytes:
 The first transformation, SubBytes, is used at the encryption site. To subsitute a byte, we interpret the byte as two hexadecimal digits.
 SubBytes table
 Transformation Using GF(2^8) Field
 AES also defines the transformation algebraically using the GF(2^8) field with the irreducible polynomial ($x^8 + x^4 + x^3 + x + 1$)
 $d = X \cdot s^{1} \oplus y$
 InvSubBytes:
 $s=(X^{1} \cdot (d \oplus y))^{1}$
#### 7.2.2. Permutation
 Another transformation found in a round is shifting, which permutes the bytes.
 ShiftRows:
 In the encryption, the transformation is called ShiftRows.
 InvShiftRows:
 In the decryption, the transformation is called InvShiftRows and the shifting is to the right.
#### 7.2.3. Mixing
 We need an interbyte transformation that changes the bits inside a byte, based on the bits inside the neighboring bytes.
 MixColumns:
 The MixColumns transformation operates at the column level; it transforms each coulmn of the stae to a new column.
 InvMixColumns:
 The InvMixColumns transformation is basically the same as the MixColumns transformation.
 The MixColumns and InvMixColumns transformations are inverses of each other.
#### 7.2.4. Key Adding
 AddRoundKey:
 AddRoundKey proceeds one column at a time. AddRoundKey adds a round key word with each state column matrix; the operation in AddRoundKey is matrix addition.
 The AddRoundKey transformation is the inverse of itself.
### 7.3. Key Expansion
 To create round keys for each round, AES uses a keyexpansion process. If the number of rounds is $N_r$, the keyexpansion routine creates $N_r + 1$ 128bit round keys from one single 128bit cipher key.
#### 7.3.1. Key Expansion in AES128
 RotWord(w) : onebyte circular left shift, i.e., [b0, b1, b2, b3] is transformed into [b1, b2, b3, b0]
 SubWord(w) : SubBytes transformation applied to four bytes
KeyExpansion([key_0 to key_{15}], [w_0 to w_{43}]) { for (i = 0 to 3) w_i < key_{4i} + key_{4i+1} + key_{4i+2} + key_{4i+3}
for (i = 4 to 43) { if (i mod 4 != 0) w_i < w_{i1} \oplus w_{i4} else { t < SubWord(RotWord(w_{i1})) \oplus RCon_{i/4} w_i < t \oplus w_{i4} } } }
 Each round key in AES depends on the previous round. The dependency, however, is nonlinear because of SubWord transformation. The addition of the round constants also guarantees that each round key will be different from the previous one.
### 7.4. Ciphers
 AES uses four types of transformations for encryption and decryption. In the standard, the encryption algorithm is referred to as the cipher and the decryption algorithm as the inverse cipher.
Cipher (InBlock[16], OutBlock[16], w[0…43]) { BlockToState(InBlock, S)
S < AddRoundKey(S, w[0…3]) for (round = 1 to 10) { S < SubBytes(S) S < ShiftRows(S) if (round != 10) S < MixColums(S) S < AddRoundKey(S, w[4 * round, 4 * round + 3]) }
StateToBlock(S, OutBlock); } ```