One of encryption schemes commonly used in recent years is a scheme in which a block cipher is employed such as the Advanced Encryption Standard (AES). For the block cipher, a key scheduler to which a key is input and from which a plurality of expanded keys is output and a scrambler that scrambles input data are often provided, and the scrambler performs arithmetic processes such as permutation and inversion of input data using the expanded keys respectively in a plurality of rounds.
When arithmetic processes are performed in each of the rounds, a method of detecting an error by performing verification in each round can be applied. If a circuit for verification is provided for performing verification in each round, the arithmetic processes and the verification processes can be performed in parallel, an arithmetic operation result is determined with an overhead of one round, and encryption and decryption processes including the verification can be performed at high speed. “Concurrent Error Detection Schemes for Fault-based Side-Channel Cryptanalysis of Symmetric Block Cipher”, IEEE Transactions on Computer-Added Design of Integrated circuit and Systems, VO. 21 No. 12, December 2002 reports various error detecting methods to be applied to the block cipher.
It is desired that encryption devices and decryption devices have high processing speeds and small sizes. For verification that is a countermeasure to an error during arithmetic operation for encryption and decryption, a register that holds or generates arithmetic operation results for comparison with verification results is needed. In addition, a register having the same size as an expanded key storing register is needed so as to store expanded keys to be used for the verification, which hinders the circuit from being reduced in size.