This application is based on applications Nos. H10-116758 and H10-116759 filed in Japan, the contents of which are hereby incorporated by reference.
1. Field of the Invention
The present invention relates to a cryptographic processing apparatus for encrypting/decrypting data in units of blocks based on a secret key, a cryptographic processing method used in the cryptographic processing apparatus, and a storage medium storing a cryptographic processing program for the cryptographic processing method. The present invention especially relates to a cryptographic processing technique that realizes high-speed cryptographic processing by reducing the amount of substitution table data and the frequency of generation of substitution table data, without loss of security.
2. Description of the Prior Art
As communications of various kinds of information, such as remittance by digital communications, have become widespread in recent years, there has been a growing need for techniques that protect important messages against tapping and tampering by unauthorized third parties. A representative of such techniques effective for improving security is a technique called cryptography.
In communication systems using cryptography, the original message is called "plaintext", the result of converting the plaintext so as to make it unintelligible to third parties is called "ciphertext", the conversion for the plaintext is called "encryption", and the reverse conversion for the ciphertext to recover the original plaintext is called "decryption".
A pattern of encryption and decryption is determined by an algorithm and a key which is used as a parameter for the algorithm. The algorithm specifies a family of conversions, while the key specifies one of the conversions in the family. In general, the algorithm is unchanged in a cryptographic processing apparatus, while the key is occasionally changed in the apparatus.
It is assumed that ciphertexts are vulnerable to tapping. An act of decoding a captured ciphertext to obtain the original message by an attacker without knowledge of an algorithm and a key is called "cryptanalysis".
Here, such an attacker (hereinafter "cryptanalyst") performs cryptanalysis on the assumption that ciphertexts are known.
Cryptanalysis of deriving a secret plaintext or key only from a ciphertext is called "ciphertext-only attack", whereas cryptanalysis of determining a secret key from arbitrary pairs of ciphertexts and plaintexts and specifying a plaintext corresponding to a given ciphertext is called "known-plaintext attack".
<First Example of Conventional Techniques>
One example of conventional cryptosystems is the pseudorandom-number-add-type cryptography.
In this technique, the sender and the receiver each hold an identical secret key in secrecy and generate a random number of a predetermined bit length (hereinafter, "block") using the secret key as a seed in a random number generator that contains an identical algorithm. During encryption the sender performs an exclusive-OR operation for corresponding bits in the random number and each block of a plaintext to generate a ciphertext. During decryption the receiver performs an exclusive-OR operation for corresponding bits in the random number and each block of the ciphertext to obtain the original plaintext.
Let "M" be each block of the plaintext, "C" be each block of the ciphertext, "R" be the random number, and "(+)" be an exclusive-OR operation for corresponding bits. The encryption and the decryption can be expressed respectively as
C=M(+)R  (Formula 1)
M=C(+)R  (Formula 2)
A drawback of this cryptography is that it is vulnerable to known-plaintext attack.
Suppose a pair of a plaintext block and a ciphertext block is known. The random number R can be derived using the following Formula 3, and as a result the other plaintext blocks can be obtained.
R=M(+)C  (Formula 3)
Thus, cryptanalysts can easily decode pseudorandom-number-add-type ciphertexts by known-plaintext attack.
<Second Example of Conventional Techniques>
On the other hand, cryptosystems such as the Data Encryption Standard (DES) and the Fast Data Encipherment Algorithm (FEAL) are relatively secure against known-plaintext attack. For details on these methods, see Eiji Okamoto, An Introduction to Encryption Theory, published by Kyoritsu.
In these cryptosystems, data is divided into blocks of 64 bits and intensely shuffled in units of blocks. In the case of the DES algorithm, a data shuffling process which combines transposition with substitution is repeated for sixteen stages for each block.
One example of the block ciphers represented by DES and FEAL is the Blowfish cipher (for details on this cipher, see Bruce Schneier, "Description of a New Variable-Length Key, 64-Bit Block Cipher (Blowfish)" in Ross Anderson (ed.), Fast Software Encryption, Lecture Notes in Computer Science, vol. 809, pp. 191-204, published by Springer-Verlag).
The following is a description of the Blowfish cipher.
FIG. 1 shows the configuration of a data encrypting apparatus that uses the Blowfish cipher.
In the figure, a data encrypting apparatus 3010 is roughly composed of a data shuffling unit 3011, a stage number controlling unit 3012, a subkey generating unit 3013, and a substitution table data generating unit 3014.
The substitution table data generating unit 3014 generates 32K-bit substitution table data (1024 table values that are each 32 bits long) from 64-bit input key data according to a substitution table data generating algorithm. The substitution table data generating algorithm is not a main feature of the present invention and so its explanation is omitted here.
The subkey generating unit 3013 generates 256-bit data from the 64-bit input key data according to a subkey generating algorithm and divides the 256-bit data into eight sets of 32-bit subkey data SK0~SK7. Since the subkey generating algorithm is not a main feature of the present invention, its explanation is omitted here.
The data shuffling unit 3011 performs data shuffling for 64-bit input plaintext data (hereinafter "plaintext block") using the 32K-bit substitution table data generated by the substitution table data generating unit 3014 and 32-bit subkey data generated by the subkey generating unit 3013, and outputs obtained 64-bit data. In general, data shuffling is repeated 16 times to generate 64-bit ciphertext data (hereinafter "ciphertext block").
The stage number controlling unit 3012 controls the number of times data shuffling is performed by the data shuffling unit 3011 to generate a ciphertext block from a plaintext block. The stage number controlling unit 3012 counts the number of times data shuffling is performed for each plaintext block. If the counted number is less than a predetermined number, the stage number controlling unit 3012 inputs output data of the data shuffling unit 3011 in the data shuffling unit 3011. If the counted number reaches the predetermined number, the stage number controlling unit 3012 outputs the output data as a ciphertext block.
Here, subkey SK0 is used to perform first data shuffling for a plaintext block, and then data shuffling is repeated using subkeys SK1~SK7 one by one. After subkey SK7, subkey SK0 is used again.
FIG. 2 shows the configuration of a data decrypting apparatus that uses the Blowfish cipher.
In the figure, a data decrypting apparatus 4010 is roughly composed of a data shuffling unit 4011, a stage number controlling unit 4012, a subkey generating unit 4013, and a substitution table data generating unit 4014.
The data shuffling unit 4011, the subkey generating unit 4013, and the substitution table data generating unit 4014 are the same as the data shuffling unit 3011, the subkey generating unit 3013, and the substitution table data generating unit 3014 in FIG. 1.
The stage number controlling unit 4012 controls the number of times data shuffling is performed by the data shuffling unit 4011 to generate a plaintext block from a ciphertext block. The stage number controlling unit 4012 counts the number of times data shuffling is performed for each ciphertext block. If the counted number is less than a predetermined number, the stage number controlling unit 4012 inputs output data of the data shuffling unit 4011 in the data shuffling unit 4011. If the counted number reaches the predetermined number, the stage number controlling unit 4012 outputs the output data as a plaintext block.
Here, subkey SK7 is used to perform first data shuffling for a ciphertext block, and then data shuffling is repeated using subkeys SK6~SK0 one by one. Subkey SK7 is used again after subkey SK0.
FIG. 3 shows the detailed construction of the data shuffling unit 3011 shown in FIG. 1.
This data shuffling unit 3011 includes a first exclusive-OR operating unit 3111, a second exclusive-OR operating unit 3112, and a data converting unit 3113.
The first exclusive-OR operating unit 3111 takes an exclusive-OR for corresponding bits in 32-bit subkey data and the higher-order 32 bits ("X1" in FIG. 3) of 64-bit input data and outputs resultant 32-bit data S0. This S0 is inputted in the data converting unit 3113 and at the same time becomes the lower-order 32 bits ("Y0" in FIG. 3) of 64-bit output data.
The data converting unit 3113 is the so-called f function. The data converting unit 3113 converts the 32-bit data S0 using the 32K-bit substitution table data and outputs 32-bit converted data S1.
The second exclusive-OR operating unit 3112 takes an exclusive-OR for corresponding bits in the 32-bit data S1 and the lower-order 32 bits ("X0" in FIG. 3) of the 64-bit input data and outputs resultant 32-bit data Y1. This Y1 becomes the higher-order 32 bits of the 64-bit output data.
More specifically, the data shuffling unit 3011 operates as follows.
(1) First, 64-bit input data is divided into the higher-order 32 bits X1 and the lower-order 32 bits X0.
(2) The first exclusive-OR operating unit 3111 finds an exclusive-OR for corresponding bits in the 32-bit data X1 and 32-bit subkey data. As a result, 32-bit data S0 is generated and set as the lower-order 32 bits Y0 of 64-bit output data.
(3) The data converting unit 3113 converts the 32-bit data S0 and outputs 32-bit converted data S1.
(4) The second exclusive-OR operating unit 3112 finds an exclusive-OR for corresponding bits in the 32-bit data S1 and the 32-bit data X0. As a result, 32-bit data is generated and set as the higher-order 32 bits Y1 of the 64-bit output data.
The 64-bit output data made up of Y1 and Y0 is then outputted from the data shuffling unit 3011 in synchronism with a clock (not illustrated).
FIG. 4 shows the detailed construction of the data shuffling unit 4011 shown in FIG. 2.
This data shuffling unit 4011 includes a first exclusive-OR operating unit 4111, a second exclusive-OR operating unit 4112, and a data converting unit 4113.
The first exclusive-OR operating unit 4111 performs an exclusive-OR operation for corresponding bits in 32-bit subkey data and the lower-order 32 bits ("Z0" in FIG. 4) of 64-bit input data and outputs resultant 32-bit data W1. This W1 becomes the higher-order 32 bits of 64-bit output data. Meanwhile, Z0 is inputted in the data converting unit 4113 as 32-bit data T0.
The data converting unit 4113 is the so-called f function, like the data converting unit 3113. The data converting unit 4113 converts the 32-bit data T0 using the 32K-bit substitution table data and outputs 32-bit converted data T1.
The second exclusive-OR operating unit 4112 performs an exclusive-OR operation for corresponding bits in the 32-bit data T1 and the higher-order 32 bits ("Z1" in FIG. 4) of the 64-bit input data and outputs resultant 32-bit data W0. This W0 becomes the lower-order 32 bits of the 64-bit output data.
The specific operation of the data shuffling unit 4011 is similar to the data shuffling unit 3011, so that its explanation is omitted.
FIG. 5 shows the detailed construction of the data converting unit 3113 shown in FIG. 3.
This data converting unit 3113 includes a first substitution table data storing unit 3201, a second substitution table data storing unit 3202, a third substitution table data storing unit 3203, a fourth substitution table data storing unit 3204, a first adding unit 3205, a second adding unit 3206, and an exclusive-OR operating unit 3207.
The 32K-bit substitution table data is divided from the highest-order bit into four sets of 8K-bit substitution table data R3, R2, R1, and R0.
The 32-bit input data S0 is divided from the highest-order bit into four sets of 8-bit data V3, V2, V1, and V0.
The first to fourth substitution table data storing units 3201~3204 respectively store the four sets of 8K-bit substitution table data R3, R2, R1, and R0, where each set of 8K-bit substitution table data is divided from the highest-order bit into 256 table values that are each 32 bits long. The four sets of 8-bit data V3, V2, V1, and V0 are respectively inputted in the first to fourth substitution table data storing units 3201~3204, and the first to fourth substitution table data storing units 3201~3204 respectively specify and output one of the 256 stored table values based on V3~V0. In the present example, 256 32-bit table values stored in the first substitution table data storing unit 3201 are set as Tab1[0], Tab1[1], . . . , and Tab1[255] in order of decreasing bits. Similarly, 256 32-bit table values stored in the second substitution table data storing unit 3202 are set as Tab2[0], Tab2[1], . . . , and Tab2[255], 256 32-bit table values stored in the third substitution table data storing unit 3203 are set as Tab3[0], Tab3[1], . . . , and Tab3[255], and 256 32-bit table values stored in the fourth substitution table data storing unit 3204 are set as Tab4[0], Tab4[1], . . . , and Tab4[255].
The first adding unit 3205 performs an arithmetic addition on a 32-bit table value outputted from the first substitution table data storing unit 3201 and a 32-bit table value outputted from the second substitution table data storing unit 3202, and outputs resultant lower-order 32-bit data, ignoring any carry beyond the 32nd bit.
When the 32-bit table value outputted from the first substitution table data storing unit 3201 is set as "J3", the 32-bit table value outputted from the second substitution table data storing unit 3202 is set as "J2", and the 32-bit data outputted from the first adding unit 3205 is set as "Q0", the above addition is expressed as
Q0=(J3+J2) mod (2^32)
where "a^b" represents the "b"th power of a, and "α mod β" represents a remainder when α is divided by β. These representations apply to the formulas given below.
The exclusive-OR operating unit 3207 performs an exclusive-OR operation for corresponding bits in the 32-bit data Q0 and a 32-bit table value outputted from the third substitution table data storing unit 3203, and outputs resultant 32-bit data.
When the 32-bit table value outputted from the third substitution table data storing unit 3203 is set as "J1" and the 32-bit data outputted from the exclusive-OR operating unit 3207 is set as "Q1", the operation of the exclusive-OR operating unit 3207 is expressed as
Q1=Q0(+)J1
where "α(+)β" represents an exclusive-OR operation for corresponding bits in α and β.
The second adding unit 3206 performs an arithmetic addition on the 32-bit data Q1 and a 32-bit table value outputted from the fourth substitution table data storing unit 3204 and outputs resultant lower-order 32-bit data, ignoring any carry beyond the 32nd bit.
When the 32-bit table value outputted from the fourth substitution table data storing unit 3204 is set as "J0" and the 32-bit data outputted from the second adding unit 3206 is set as "Q2", the operation of the second adding unit 3206 is expressed as
Q2=(Q1+J0) mod (2^32)
where Q2 is 32-bit output data S1 of the data converting unit 3113.
The operation of this data converting unit 3113 is as follows.
(1) 32K-bit input substitution table data is divided from the highest-order bit into four sets of substitution table data R3, R2, R1, and R0 which are each made up of 256 32-bit table values. R3~R0 are then respectively stored in the first to fourth substitution table data storing units 3201~3204.
(2) 32-bit input data S0 is divided from the highest-order bit into four sets of 8-bit data V3, V2, V1, and V0, which are then respectively inputted in the first to fourth substitution table data storing units 3201~3204.
(3) The first to fourth substitution table data storing units 3201~3204 respectively specify and output one of the 256 stored table values based on V3~V0. As a result, four 32-bit table values J3~J0 are outputted respectively from the first to fourth substitution table data storing units 3201~3204.
(4) The first adding unit 3205 performs an arithmetic addition on J3 and J2 and outputs resultant lower-order 32-bit data Q0, ignoring any carry beyond the 32nd bit.
(5) The exclusive-OR operating unit 3207 performs an exclusive-OR operation for corresponding bits in Q0 and J1 and outputs resultant 32-bit data Q1.
(6) The second adding unit 3206 performs an arithmetic addition on Q1 and J0 and outputs resultant lower-order 32 bits Q2 (=S1), ignoring any carry beyond the 32nd bit.
The security of a data cryptosystem that uses the above data shuffling unit 3011 greatly depends on a data shuffling function of the conversion operations performed in the data converting unit 3113. Since the data converting unit 3113 is equipped with the four substitution table data storing units 3201~3204 which operate separately from each other, this cryptosystem is highly secure against cryptanalysis and other unauthorized attacks.
The data converting unit 4113 shown in FIG. 4 has the same construction as the data converting unit 3113 and thus is not explained here.
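The stage of FIG. 3, its inverse from FIG. 4, the f function of FIG. 5 and the subkey order (SK0 to SK7 for encryption, SK7 to SK0 for decryption) are written out below as an added C example; it is not code from the patent. The table and subkey contents are constructed filler, because the page omits both generating algorithms, and all function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

#define STAGES      16   /* "data shuffling is repeated 16 times" */
#define NUM_SUBKEYS 8    /* SK0..SK7 */

/* Tab1..Tab4 of the text: four tables of 256 32-bit values (32K bits in total). */
static uint32_t tab[4][256];
static uint32_t sk[NUM_SUBKEYS];

/* ASSUMPTION: constructed filler values from a simple LCG. This is NOT the
 * substitution table or subkey generating algorithm, which the page omits. */
static void fill_constructed_tables(uint32_t seed)
{
    uint32_t x = seed;
    for (int t = 0; t < 4; t++)
        for (int i = 0; i < 256; i++) {
            x = x * 1664525u + 1013904223u;
            tab[t][i] = x;
        }
    for (int i = 0; i < NUM_SUBKEYS; i++) {
        x = x * 1664525u + 1013904223u;
        sk[i] = x;
    }
}

/* Data converting unit 3113 / 4113 (the f function). */
static uint32_t f_function(uint32_t s0)
{
    uint32_t j3 = tab[0][(s0 >> 24) & 0xff];   /* V3 selects from Tab1 */
    uint32_t j2 = tab[1][(s0 >> 16) & 0xff];   /* V2 selects from Tab2 */
    uint32_t j1 = tab[2][(s0 >> 8) & 0xff];    /* V1 selects from Tab3 */
    uint32_t j0 = tab[3][s0 & 0xff];           /* V0 selects from Tab4 */
    uint32_t q0 = j3 + j2;   /* Q0=(J3+J2) mod 2^32: uint32_t drops the carry */
    uint32_t q1 = q0 ^ j1;   /* Q1=Q0(+)J1 */
    return q1 + j0;          /* Q2=(Q1+J0) mod 2^32, which is S1 */
}

/* Data shuffling unit 3011: one encryption stage. */
static uint64_t shuffle_enc(uint64_t in, uint32_t subkey)
{
    uint32_t x1 = (uint32_t)(in >> 32);    /* higher-order 32 bits */
    uint32_t x0 = (uint32_t)in;            /* lower-order 32 bits */
    uint32_t s0 = x1 ^ subkey;             /* S0, also output half Y0 */
    uint32_t y1 = f_function(s0) ^ x0;     /* Y1 = S1 (+) X0 */
    return ((uint64_t)y1 << 32) | s0;
}

/* Data shuffling unit 4011: one decryption stage, the inverse of the above. */
static uint64_t shuffle_dec(uint64_t in, uint32_t subkey)
{
    uint32_t z1 = (uint32_t)(in >> 32);
    uint32_t z0 = (uint32_t)in;
    uint32_t w1 = z0 ^ subkey;             /* W1 = Z0 (+) subkey */
    uint32_t w0 = f_function(z0) ^ z1;     /* W0 = T1 (+) Z1, with T0 = Z0 */
    return ((uint64_t)w1 << 32) | w0;
}

/* Stage number control for encryption: SK0, SK1, ..., SK7, then SK0 again. */
static uint64_t encrypt_block(uint64_t block)
{
    for (int i = 0; i < STAGES; i++)
        block = shuffle_enc(block, sk[i % NUM_SUBKEYS]);
    return block;
}

/* Stage number control for decryption: SK7, SK6, ..., SK0, then SK7 again. */
static uint64_t decrypt_block(uint64_t block)
{
    for (int i = 0; i < STAGES; i++)
        block = shuffle_dec(block, sk[(STAGES - 1 - i) % NUM_SUBKEYS]);
    return block;
}

int main(void)
{
    fill_constructed_tables(0x1234u);
    uint64_t plain  = 0x0123456789abcdefULL;   /* constructed sample block */
    uint64_t cipher = encrypt_block(plain);
    uint64_t back   = decrypt_block(cipher);
    printf("plaintext  %016llx\nciphertext %016llx\ndecrypted  %016llx\n",
           (unsigned long long)plain, (unsigned long long)cipher,
           (unsigned long long)back);
    return back == plain ? 0 : 1;
}
```

Because each stage only XORs one half with f of the other, the decryption stage inverts the encryption stage for any table contents; the tables determine the strength of the shuffling, not its reversibility.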
<Third Example of Conventional Techniques>
Representative cryptanalysis techniques used against the block ciphers are differential cryptanalysis and linear cryptanalysis. A cryptosystem of the third example has been designed to enhance resistance to such cryptanalysis techniques. Differential cryptanalysis and linear cryptanalysis are described in detail in E. Biham and A. Shamir, Differential Cryptanalysis of the Data Encryption Standard, published by Springer-Verlag, and M. Matsui, "Linear Cryptanalysis Method for DES Cipher (I)" in 1993 Symposium on Cryptography and Information Security (SCIS '93), Lecture Notes SCIS93-3C.
Differential cryptanalysis and linear cryptanalysis are kinds of known-plaintext attack that identify key data by analyzing a plurality of pairs of plaintexts and ciphertexts. These cryptanalysis techniques are built on the premise that all ciphertext blocks of a ciphertext to be decoded have been generated using the same key data.
Therefore, by using different key data to encrypt each plaintext block, it is possible to strengthen cryptographic security against these cryptanalysis techniques.
Here, it is not practical to prepare the same number of sets of key data as the number of plaintext blocks, since more sets of key data have to be prepared for more plaintext blocks. To avoid this, a method that uses an immediately preceding ciphertext block as variable information to renew key data is disclosed in the U.S. Pat. No. 4,074,066 (Message Verification and Transmission Error Detection by Block Chaining (Japanese Patent No. 1250077)). According to this method, key data is renewed whenever a plaintext block is encrypted, without preparing the same number of sets of key data as plaintext blocks. Since new key data is generated from original key data every time a plaintext block is encrypted, protection against differential cryptanalysis and linear cryptanalysis can be enhanced without an increase in the amount of key data.
However, in the second example the data shuffling unit 3011 has to store an enormous amount of substitution key data (32K bits) and so is problematic in terms of simplicity of hardware and software implementations. Also, considerable processing time is necessary to generate such a large amount of substitution key data. Nevertheless, it is not desirable to reduce the amount of substitution table data, since it would impair cryptographic security.
When the key chaining method in the third example is applied to the Blowfish cipher in the second example, the following problem arises.
As described above, the Blowfish cipher in the second example generates 32K-bit substitution table data from input key data, while the key chaining method in the third example renews input key data each time a plaintext block is encrypted. Accordingly, when the key chaining method is used in the Blowfish cipher, new substitution table data is generated each time a plaintext block is encrypted. Since the amount of substitution table data is enormous (32K bits), such frequent generation of substitution table data will cause a considerable burden on a processor and seriously decrease processing speed for cryptography. Yet it is equally undesirable to reduce the number of times substitution table data is generated, as it may result in degradation in cryptographic security.
The above difficulties are present not only in the Blowfish cipher but also in other block ciphers that perform cryptographic processing using substitution table data generated from input key data.
In view of the above stated problems, the present invention aims to provide a cryptographic processing apparatus, a cryptographic processing method, and a storage medium storing a cryptographic processing program that realize high-speed cryptographic processing without loss of security by reducing the amount of substitution table data and the frequency of generation of substitution table data, in a block cipher such as the Blowfish cipher which generates substitution table data based on input key data for the use of cryptographic processing.
The above object can be fulfilled by a cryptographic processing apparatus for cryptographically processing input data using a plurality of sets of substitution data to generate output data, the cryptographic processing apparatus including: a storing unit for storing (2^N) sets of substitution data that each have a predetermined number of bits, where N is an integer no less than 2; a dividing unit for dividing the input data which is (N×M) bits long into M sets of subdata which are each N bits long, where M is an integer no less than 2; a substituting unit for receiving an input that is any of: the M sets of N-bit subdata; and at least one set of N-bit input merged data obtained as a result that a merge process is performed on the M sets of N-bit subdata, specifying one of the (2^N) sets of substitution data in the storing unit for each N bits of the input, and outputting the set of substitution data specified for each N bits of the input; a fixed conversion performing unit for performing a plurality of different fixed conversions on at least one set of substitution data outputted from the substituting unit, to generate M sets of converted data that each have the predetermined number of bits; and an output data generating unit for generating the output data that is (N×M) bits long, based on the M sets of converted data generated by the fixed conversion performing unit.
With this construction, high cryptographic security is attained with a small amount of substitution table data, so that a cryptographic processing apparatus that is preferable in terms of simplicity in hardware/software implementations can be realized.
Here, the predetermined number may be (N×M), wherein the substituting unit specifies M sets of substitution data, among the (2^N) sets of substitution data in the storing unit, respectively for the M sets of N-bit subdata, and outputs the specified M sets of substitution data that are each (N×M) bits long, wherein the fixed conversion performing unit performs M different fixed conversions respectively on the M sets of substitution data outputted from the substituting unit, to generate the M sets of converted data that are each (N×M) bits long, and wherein the output data generating unit performs a merge process on the generated M sets of converted data to generate the output data that is (N×M) bits long.
With this construction, the size of substitution table data is reduced to 1/M the size of substitution table data in the conventional techniques without impairing security, so that a cryptographic processing apparatus preferable in terms of simplicity in hardware/software implementations can be realized.
Here, the predetermined number may be N, wherein the substituting unit includes an input merging unit for performing a global merge process on the M sets of N-bit subdata to generate a set of N-bit input merged data, specifies one of the (2^N) sets of substitution data in the storing unit for the set of N-bit input merged data, and outputs the specified set of substitution data that is N bits long, wherein the fixed conversion performing unit performs each of M different fixed conversions on the set of substitution data outputted from the substituting unit, to generate the M sets of converted data that are each N bits long, and wherein the output data generating unit includes: an output merging unit for performing an individual merge process on each of the M sets of subdata and a different one of the M sets of converted data that corresponds to the set of subdata, to generate M sets of output merged data which are each N bits long; and a combining unit for combining the M sets of output merged data generated by the output merging unit to form the output data that is (N×M) bits long.
With this construction, the size of substitution table data is reduced to 1/M the size of substitution table data in the conventional techniques without impairing security, so that a cryptographic processing apparatus preferable in terms of simplicity in hardware/software implementations can be realized.
The above object can also be fulfilled by a cryptographic processing apparatus for generating a set of substitution table data and cryptographically processing input data using the set of substitution table data to generate output data, the cryptographic processing apparatus including: a key data storing unit for storing a set of key data; a substitution table data storing unit for storing a set of substitution table data; a block generating unit for dividing the input data into input blocks that each have a predetermined number of bits and outputting the input blocks one by one; a substitution table data generating unit for generating a set of substitution table data and replacing a set of substitution table data in the substitution table data storing unit with the generated set of substitution table data, when an input block is to be cryptographically processed immediately after a specified number of input blocks are cryptographically processed; a key data converting unit for converting, when an input block is to be cryptographically processed after an input block immediately preceding the input block is cryptographically processed, a set of key data in the key data storing unit by performing a bit conversion on the set of key data using an output block generated as a result that the immediately preceding input block is cryptographically processed; and a cryptographic processing unit for cryptographically processing an input block outputted from the block generating unit to generate an output block, using a set of substitution table data in the substitution table data storing unit and any of a converted set of key data generated by the key data converting unit and a set of key data stored in the key data storing unit.
The above object can also be fulfilled by a cryptographic processing apparatus for generating a set of substitution table data and cryptographically processing input data using the set of substitution table data to generate output data, the cryptographic processing apparatus including: a key data storing unit for storing a set of key data; a substitution table data storing unit for storing a set of substitution table data; a block generating unit for dividing the input data into input blocks that each have a predetermined number of bits and outputting the input blocks one by one; a substitution table data generating unit for generating a set of substitution table data and replacing a set of substitution table data in the substitution table data storing unit with the generated set of substitution table data, when an input block is to be cryptographically processed immediately after a specified number of input blocks are cryptographically processed; a key data converting unit for converting, when an input block is to be cryptographically processed after an input block immediately preceding the input block is cryptographically processed, a set of key data in the key data storing unit by performing a bit conversion on the set of key data using the immediately preceding input block; and a cryptographic processing unit for cryptographically processing an input block outputted from the block generating unit to generate an output block, using a set of substitution table data in the substitution table data storing unit and any of a converted set of key data generated by the key data converting unit and a set of key data stored in the key data storing unit.
The above object can also be fulfilled by a cryptographic processing apparatus for generating a set of substitution table data and cryptographically processing input data using the set of substitution table data to generate output data, the cryptographic processing apparatus including: a key data storing unit for storing a set of key data; a substitution table data storing unit for storing a set of substitution table data; a block generating unit for dividing the input data into input blocks that each have a predetermined number of bits and outputting the input blocks one by one; a substitution table data generating unit for generating a set of substitution table data and replacing a set of substitution table data in the substitution table data storing unit with the generated set of substitution table data, when an input block is to be cryptographically processed immediately after a specified number of input blocks are cryptographically processed; a key data converting unit for converting, when an input block is to be cryptographically processed after an input block immediately preceding the input block is cryptographically processed, a set of key data in the key data storing unit by performing a bit conversion on the set of key data using an intermediate block generated during cryptographic processing for the immediately preceding input block; and a cryptographic processing unit for cryptographically processing an input block outputted from the block generating unit through use of a set of substitution table data in the substitution table data storing unit and any of a converted set of key data generated by the key data converting unit and a set of key data stored in the key data storing unit, to generate an intermediate block during cryptographic processing for the input block and generate an output block as a result of the cryptographic processing for the input block.
With this construction, while key data is renewed every time an input block is cryptographically processed, substitution table data derived from key data is not renewed in response to every renewal of key data but renewed only when a specific number of input blocks are cryptographically processed. Accordingly, a cryptographic processing apparatus that performs high-speed cryptographic processing without loss of security can be realized.