FIG. 25 represents an encryption function which is used in DES described in “Gendai Ango Riron (Modern Cipher Theory)” (The Institute of Electronics, Information and Communication Engineers, published on Nov. 15, 1997, page 46).
As shown in FIG. 25, eight S-boxes are used. These eight S-boxes are mutually different tables. Each table outputs 4-bit data from 6-bit input data.
FIG. 26 shows non-linear transformation function which is described in “Specification of E2—a 128-bit Block Cipher” (Nippon Telegraph and Telephone Corporation, published on Jun. 14, 1998, page 10).
As shown in FIG. 26, each S-function unit consists of eight S-boxes.
Conventional encryption devices use multiple S-boxes. Since some ciphers are equipped with mutually different tables, memory usage is increased as compared to ones equipped with one S-box. Since, on the other hand, other ciphers use only one S-box, the security of the cipher is decreased.
As shown in FIG. 7, when a normal data transformation unit (FL) 250 is inserted in the encryption unit, it is required to provide an inverse data transformation unit (FL−1) 270 in a decryption unit to decrypt the ciphertexts. Since, generally, the normal data transformation unit (FL) 250 and the inverse data transformation unit (FL−1) 270 are mutually different circuits, causes a problem that the encryption unit and the decryption unit cannot provide the same configuration.
Furthermore, in generating extension keys, complex operations are required in order to generate the extension keys having higher security. There is another problem in case of generating the extension keys that the number of bits of key data to be input as an initial value should be fixed.
The present invention aims to provide systems in which circuits for encryption and decryption are the same, and in which circuit area, program size and memory usage which are used for non-linear transformation computation can be reduced, and furthermore, the extension keys can be generated using a simpler configuration.