In the information society of today, ensuring safe handling of information is important. To ensure the security of information, encryption technology for keeping information confidential and technology for detecting tampering of information are required.
Encryption technology includes encryption using a common key system (hereinafter referred to as common key encryption) and encryption using a public key system (hereinafter referred to as public key encryption). Common key encryption has the advantages of faster processing and more compact implementation compared with public key encryption. It is therefore used when an encryption function is added to small devices such as portable telephones and IC cards.
In a block cipher, which is one type of common key encryption, data to be encrypted (hereinafter referred to as “plain text”) is divided into block units for encryption. Because encryption is performed block by block, the data length of the plain text must be a multiple of the data length of a block (hereinafter referred to as a “block length”).
Therefore, according to one technique, if the data length of plain text is not a multiple of the block length, padding is concatenated to the plain text to thereby process the plain text into a data length that is a multiple of the block length. The padding to be concatenated includes information necessary for removing the padding at the time of decryption. For example, the padding includes information indicating the data length of the padding (hereinafter referred to as a “padding length”).
One technique for detecting tampering of information determines, for example, whether the contents of the padding in plain text decrypted from a series of blocks encrypted for each block length (hereinafter referred to as “encrypted blocks”) conform to a padding rule. If the contents of the padding in the decrypted plain text have changed as a result of tampering with the encrypted blocks, the padding violates the padding rule and the tampering can therefore be detected.
In another technique for detecting tampering of information, for example, a CRC for identifying the plain text is concatenated to the plain text at the time of encryption. The plain text with the CRC concatenated is then processed into a data length that is a multiple of the block length by further concatenating padding before encryption. At the time of decryption, this technique compares a CRC for identifying the decrypted plain text with the CRC added to the decrypted plain text. If the plain text has changed as a result of tampering with the encrypted blocks, the CRC of the decrypted plain text differs from the CRC added to the decrypted plain text and the tampering can therefore be detected (see, e.g., Japanese Laid-Open Patent Publication No. 2006-220747).
However, the technique of detecting tampering based on the padding rule has a problem in that, if a block other than a block to which padding is added, i.e., the last block of encrypted text, is subject to tampering, the tampering cannot be detected.
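The limitation described above can be reproduced with the following added example, which is not part of the original document. It assumes an 8-byte block length, a padding rule in which every padding byte holds the padding length, and a stand-in 4-round Feistel block cipher built from SHA-256 with each block encrypted independently; the key, the message and all function names are constructed for illustration.

```python
import hashlib

BLOCK = 8                       # assumed block length in bytes
KEY = b"constructed demo key"   # constructed sample key

def _f(half, rnd):
    # Round function of the stand-in cipher: keyed SHA-256, truncated.
    return hashlib.sha256(KEY + bytes([rnd]) + half).digest()[:BLOCK // 2]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def enc_block(b):
    l, r = b[:BLOCK // 2], b[BLOCK // 2:]
    for i in range(4):
        l, r = r, _xor(l, _f(r, i))
    return l + r

def dec_block(b):
    l, r = b[:BLOCK // 2], b[BLOCK // 2:]
    for i in reversed(range(4)):
        l, r = _xor(r, _f(l, i)), l
    return l + r

def pad(p):
    # Assumed padding rule: n padding bytes, each holding the padding length n.
    n = BLOCK - len(p) % BLOCK
    return p + bytes([n]) * n

def padding_ok(p):
    n = p[-1]
    return 1 <= n <= BLOCK and p.endswith(bytes([n]) * n)

def encrypt(p):
    p = pad(p)
    return b"".join(enc_block(p[i:i + BLOCK]) for i in range(0, len(p), BLOCK))

def decrypt(c):
    return b"".join(dec_block(c[i:i + BLOCK]) for i in range(0, len(c), BLOCK))

def tamper_results():
    msg = b"PAY 100 TO ALICE, REF"          # constructed sample plain text
    c = encrypt(msg)
    first = decrypt(bytes([c[0] ^ 1]) + c[1:])   # alter the first encrypted block
    # Alter the last byte of the last encrypted block in all 255 possible ways.
    caught = sum(not padding_ok(decrypt(c[:-1] + bytes([c[-1] ^ d])))
                 for d in range(1, 256))
    return padding_ok(first), first != pad(msg), caught

if __name__ == "__main__":
    print(tamper_results())
```

`tamper_results()` returns whether the padding check still passes after the first encrypted block is altered, whether the decrypted plain text nevertheless differs from the original, and how many of the 255 alterations of the last encrypted block the padding check catches.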
The technique according to Japanese Laid-Open Patent Publication No. 2006-220747 can be used only for a fixed plain text data length and gives no consideration to plain text of an arbitrary data length. If the technique is used for an arbitrary data length, a CRC must be newly concatenated, which increases the data amount. The technique according to Japanese Laid-Open Patent Publication No. 2006-220747 is therefore not applicable in an embedded environment with tight resources, because an area for concatenating a CRC cannot be prepared.