Nowadays, with the development of network communication and electronic commerce, ensuring security in communication has become an important issue. One method for ensuring security is cryptographic technology, and communication using various encryption techniques is already in practical use.
For example, a system has been put into practical use in which a cryptographic processing module is embedded in a compact device such as an IC card, and data is transmitted and received between the IC card and a reader/writer serving as a data reading and writing apparatus, in order to perform authentication processing or encryption and decryption of the transmitted and received data.
There are various cryptographic processing algorithms, which are broadly classified into a public key cryptographic scheme in which an encryption key and a decryption key are set as different keys, for example, a public key and a private key, and a common key cryptographic scheme in which an encryption key and a decryption key are set as a common key.
The common key cryptographic scheme has various algorithms, one of which is a scheme in which a plurality of keys are generated based on a common key and data transformation processing in units of a block (such as 64 bits or 128 bits) is repeatedly executed using the plurality of generated keys. A typical algorithm applying such a key generation scheme and data transformation processing is the common key block cipher.
Typical common key block cipher algorithms include, for example, the DES (Data Encryption Standard) algorithm, which was formerly the U.S. standard cipher, and the AES (Advanced Encryption Standard) algorithm, which is the current U.S. standard cipher.
Such algorithms for common key block ciphers are mainly constituted by round function sections having F-function sections that repeatedly execute the transformation of input data, and a key scheduling section that generates round keys to be applied in the F-function sections in respective rounds of the round function sections. The key scheduling section first increases the number of bits to generate an expanded key on the basis of a master key (main key), which is a private key, and generates, on the basis of the generated expanded key, round keys (sub-keys) to be applied in the F-function sections in the respective rounds of the round function sections.
A known specific structure that executes an algorithm to which such round functions (F-functions) are applied is the Feistel structure. The Feistel structure transforms plaintext into ciphertext by simple repetition of round functions (F-functions) serving as data transformation functions. Examples of documents describing cryptographic processing with the application of the Feistel structure include Non-Patent Documents 1 and 2.
However, problems of common key block cipher processing to which the Feistel structure is applied involve leakage of keys due to cryptanalysis. Typical known techniques of cryptanalysis or attack techniques include differential analysis (also called differential cryptanalysis or differential attack) in which multiple pieces of input data (plaintext) having certain differences therebetween and output data (ciphertext) thereof are analyzed to analyze keys applied in respective round functions, and linear analysis (also called linear cryptanalysis or linear attack) in which analysis based on plaintext and corresponding ciphertext is performed.
If keys can easily be recovered by cryptanalysis, the cryptographic processing offers low security. In cryptographic algorithms of the related art, the same process (transformation matrix) is applied in the linear transformation section of the round function (F-function) in every round, so analysis is feasible and keys are easily recovered.
As a configuration to address such a problem, a configuration in which two or more different matrices are arranged in linear transformation sections of round function (F-function) sections in a Feistel structure so that the matrices are switched every round has been proposed. This technology is called a diffusion-matrix switching mechanism (DSM: Diffusion Switching Mechanism, hereinafter referred to as DSM). This DSM enables enhancement of resistance to differential attacks or linear attacks. A cryptographic processing configuration to which such a diffusion-matrix switching mechanism (DSM) is applied is described in, for example, Patent Document 1.
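As an added illustration (not code from the patent or from any product it describes), the following Python builds a toy Feistel cipher whose F-function switches between two different diffusion matrices every round, as the DSM described above requires; the S-box, the two matrices and the key schedule are constructed for this example and carry no cryptographic strength.

```python
from functools import reduce
from operator import xor
from typing import Iterable, List

ROUNDS = 8
# Toy byte substitution, bijective because 45 is odd (constructed for this example).
SBOX = [((45 * x) ^ 0x63) & 0xFF for x in range(256)]
# Two different 4x4 binary diffusion matrices; a 1 in row i, column j means
# "XOR input byte j into output byte i". The DSM switches between them every round.
M0 = [[1, 1, 0, 0], [0, 1, 1, 0], [0, 0, 1, 1], [1, 0, 0, 1]]
M1 = [[1, 0, 1, 1], [1, 1, 0, 1], [1, 1, 1, 0], [0, 1, 1, 1]]
MATRICES = [M0, M1]

def linear(matrix: List[List[int]], x: bytes) -> bytes:
    """Linear transformation section: multiply the 4-byte vector x by a binary matrix."""
    return bytes(reduce(xor, (x[j] for j, bit in enumerate(row) if bit), 0) for row in matrix)

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))

def key_schedule(master: bytes) -> List[bytes]:
    """Key scheduling section (toy): rotate and substitute the 8-byte master key once
    per round; each 4-byte round key is a slice of the expanded state."""
    assert len(master) == 8
    state, round_keys = bytearray(master), []
    for r in range(ROUNDS):
        state = bytearray(SBOX[b] ^ r for b in state[1:] + state[:1])
        round_keys.append(bytes(state[:4]))
    return round_keys

def f_function(half: bytes, round_key: bytes, rnd: int) -> bytes:
    """F-function: round-key addition, S-box layer, then the matrix selected by round number."""
    substituted = bytes(SBOX[a ^ k] for a, k in zip(half, round_key))
    return linear(MATRICES[rnd % len(MATRICES)], substituted)

def feistel(block: bytes, master: bytes, order: Iterable[int]) -> bytes:
    """Run the Feistel rounds in the given order. Decryption is the same network with
    the round indices reversed, so keys and matrices are taken in reverse order."""
    left, right = block[:4], block[4:]
    round_keys = key_schedule(master)
    for r in order:
        left, right = right, xor_bytes(left, f_function(right, round_keys[r], r))
    return right + left  # undo the final swap

def encrypt_block(plaintext: bytes, master: bytes) -> bytes:
    return feistel(plaintext, master, range(ROUNDS))

def decrypt_block(ciphertext: bytes, master: bytes) -> bytes:
    return feistel(ciphertext, master, reversed(range(ROUNDS)))
```

Because the round index selects the matrix, the decryption path must reverse the matrix sequence together with the round keys; this is the switching control the next paragraph refers to.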
However, executing cryptographic processing to which a diffusion-matrix switching mechanism (DSM) is applied requires implementing different round functions (F-functions) in which different matrices are set. It also requires switching among the plurality of round functions in accordance with a predetermined sequence, and thus requires a new control mechanism. When a cryptographic processing apparatus is constructed, the number of required components increases, which prevents compactness of the apparatus and increases cost. A further problem is that the switching control reduces processing speed.

Patent Document 1: Japanese Unexamined Patent Application Publication No. 2006-72054
Non-Patent Document 1: K. Nyberg, "Generalized Feistel networks", ASIACRYPT '96, Springer-Verlag, 1996, pp. 91-104.
Non-Patent Document 2: Yuliang Zheng, Tsutomu Matsumoto, Hideki Imai, "On the Construction of Block Ciphers Provably Secure and Not Relying on Any Unproved Hypotheses", CRYPTO 1989, pp. 461-480.