1. Field of the Invention
The present invention relates to an encryption apparatus and decryption apparatus which employ a plurality of expanded keys in reverse order for encryption and for decryption, and expanded key scheduling apparatus and method therefor, and recording medium storing a computer program therefor.
2. Description of the Related Art
The importance of an encryption technique becomes very high for the purpose of security control of computerized information, in particular, such as information on copyright or information on privacy. Such encryption technique is actually utilized in a variety of forms in a variety of fields.
There are various encryption systems, one of which is a common key encryption system. In the common key encryption system, decryption is carried out by employing a key (common key or secret key) that is identical to a key employed for encryption.
There are various common key encryption systems, one of which is a system employing an expanded key. This system generates a plurality of expanded keys whose total number of bits is greater than the number of bits that it has based on a common key.
In one of the expanded key scheduling systems, a round function (stage function) is acted with respect to a common key, and expanded key is generated based on its output value. Further, a round function is acted with the output value, and a next expanded key is generated based on its output value. Furthermore, a round function is acted with the output value. In this way, round functions are acted one after another, and expanded keys are sequentially generated. Such system is called a round system here.
A common key encryption system employing such expanded key scheduling system includes a common key block encryption system, for example. The common key block encryption system has a structure in which round functions are acted with block data with a predetermined bit length that is a processing unit one after another, with respect to a data randomizing section as well, thereby carrying out encryption or decryption. A typical basic structure of the above encryption system includes a SPN type and Feistel type or the like.
If a round system is employed for generating an expanded key, for example, as in block encryption, it is required to employ an expanded key in an order reversed from an order employed for encryption.
Now, problems with such system will be described here.
FIG. 48 shows an exemplary configuration of an expanded key scheduling section of a conventional encryption apparatus. The generating section comprises round processors 10011 to 1001n connected in series and expanded key converters 10051 to 1005n respectively connected to outputs of the expanded key processors 10051 to 1005n.
At a data randomizing section, an expanded key (1) is required for an encryption process. Because of this, a round function (1) is acted with a common key, and its output value is obtained. Then, an expanded key conversion (1) is acted with the output value, and an expanded key (1) is obtained. A data randomizing section carries out an encryption process by employing this expanded key (1).
At the data randomizing section, an expanded key (2) is required for an encryption process. Because of this, a round function (2) is acted with an output value of the round function (1), and its output value is obtained. Then, an expanded key conversion (2) is acted with the output value, and an expanded key (2) is obtained. The data randomizing section carries out an encryption process by employing this expanded key (2).
Subsequently, an expanded key is generated by an expanded key scheduling section, and an encryption process is carried out by the data randomizing section in the same way.
Now, processing for decryption will be described here.
For decryption, it is required to employ an expanded key in an order reversed from that for encryption, i.e., in order from expanded key (n) to expanded key (1). However, in a conventional decryption apparatus having an expanded key scheduling section with its configuration similar to that shown in FIG. 48, expanded keys are generated in order from expanded key (1) to expanded key (n). Because of this, for example, prior to processing of the data randomizing section, there has been a need to generate all the expanded keys and store them in a memory.
However, there has been a problem that a device having only poor hardware environment such as IC card, for example, does not have a sufficient storage space for storing all the expanded keys required for decryption.
To overcome this problem, there is proposed an expanded key scheduling section shown in FIG. 49. The generating section comprises the round processors 10011 to 1001n connected in series, round processors 1021n to 10212 connected in series, the round processor 1021n being connected to the round processor 1001n, the expanded key converters 10051 to 1005n respectively connected to outputs of the expanded key processors 10212 to 1021n, and 1001n.
An expanded key scheduling process identical to that for encryption is temporarily carried out, and a round function is acted at the last stage, thereby obtaining an output value Rn. Then, the inverse function of each round function is acted with the output value Rn in a stage direction reversed from that for encryption, and expanded keys are generated in order from expanded key (n) to expanded key (1), i.e., in an on-the-fly manner.
However, there has been a problem that a delay time occurs until decryption has been started because of unnecessary time for first generating the same expanded key Rn as that for encryption.
As has been described above, in the conventional technique, expanded keys cannot be generated in reverse order, thus making it necessary to generate and store all the expanded keys prior to a decryption process. Because of this, there has been a problem that there is no sufficient storage space for storing all the expanded keys required for decryption in poor hardware environment such as IC card, for example.
In addition, in order to avoid this problem by generating keys in the on-the-fly manner, it is required to temporarily carry out an expanded key scheduling process identical to that for encryption, act a round function at the last stage, thereby obtaining an output value, and then, act the inverse function of each round function with the output value in the reverse round direction. However, in this case as well, there has been a problem that a delay time is unavoidable until decryption has been started.