An encryption processing apparatus encrypts a plaintext and decrypts an encrypted-text by use of a specific algorithm. A side-channel attack to the encryption processing apparatus has been reported, the side-channel attack being a passive attack, such as SPA (Simple Power Analysis) or DPA (Differential Power Analysis), which derives an internal secret key only by measuring power or electromagnetic wave during an operation. A countermeasure for the side-channel attack is essential and significant, since the side-channel attack does not leave the trace of the attack.
The side-channel attack is performed by deriving consumption power and/or electromagnetic wave that can be measured during a computation of the encryption process or decryption process, and a secret key that can be calculated from an estimated secret key and that has high similarity to intermediate data. As a countermeasure for the side-channel attack, there has been known a technique of disturbing the intermediate data by masking the intermediate data with use of random numbers to make it difficult to determine the degree of similarity, which invalidates the side-channel attack.
A conventional encryption processing apparatus having incorporated therein a countermeasure for the side-channel attack includes a physical random number generator circuit or pseudo random number generator circuit independently of an encryption circuit. Therefore, the circuit scale is increased, and the power consumption tends to increase. For example, an encryption processing apparatus mounted to a compact portable device such as an IC card needs to decrease the circuit scale and power consumption as much as possible. Accordingly, it has been desired to invalidate the side-channel attack with reduced circuit scale and power consumption.