These days, with development of network communications and electronic commerce, security ensuring in communications becomes a vital issue. One means of security ensuring is a cryptographic technology, and currently communications using various cryptographic techniques are actually being executed.
For example, there has been put in practical use a system in which a cryptographic processing module is embedded into a small device, such as an IC card, data transmission and reception is performed between the IC card and a reader/writer acting as a data reading and writing device, authentication processing or encryption/decryption of send/receive data is performed.
There are various algorithms in cryptographic processing, which are broadly divided into the one key cryptographic system in which different encryption key and decryption key, for example, a public key and a secret key, are set and the common key cryptographic system in which a common key is set as an encryption key and a decryption key.
There are also various algorithms in the common key cryptographic system. One of them is a system in which a plurality of keys are generated using a common key as a base and data conversion processing is repeatedly performed for each unit of block (64 bits, 128 bits, etc.) using the plurality of generated keys. A typical algorithm that applies such a key generation method and data conversion processing is a common-key-block cryptographic method.
As a typical algorithm of common-key-block cryptographic processing, for example, there is a DES (Data Encryption Standard) algorithm as a United States federal standard encryption, and is widely used in various fields.
Any algorithm of the common-key-block cryptographic processing typified by the DES can mainly be divided into a round function section for performing conversion of input data and a key schedule section for generating a key to be applied in each round of a round function (F-function) part. A round key (subkey) to be applied in each round of the round function section is generated in the key schedule section to which one master key (main key) is inputted, and is applied in each round function part.
However, in such common key cryptographic processing, leakage of the key by cryptanalysis has become a problem. As a typical technique of cryptanalysis or attack technique, there are known a differential analysis (also called differential cryptanalysis method or differential cryptanalysis attack) in which an application key in each round function is analyzed by analyzing many inputs data (plaintext) and its output data (ciphertext), and a linear analysis (also called linear cryptanalysis method or linear cryptanalysis attack) that carries out an analysis based on plaintexts and corresponding ciphertexts.
That it is easy to analyze a key by cryptanalysis means low safety of the cryptographic processing. In the conventional DES algorithm, there is a problem that, since the processing (conversion matrix) to be applied in a linear conversion section in a round function (F-function) section is equivalent in a round of each stage, cryptanalysis is easy to do, and consequently it results in easy analysis of the key.