As the information society continues to develop, the need for information security technologies that securely protect the information in use increases. Encryption technologies are one component of information security technologies, and they are currently used in various products and systems.
Though there are various types of encryption processing algorithms, one of the basic technologies is called shared key block encryption. In shared key block encryption, the key for encryption and the key for decryption are shared. In both encryption processing and decryption processing, multiple keys are generated from the shared key, and data conversion processing is repeatedly executed in units of block data of a fixed size, such as 64 bits, 128 bits, 256 bits, or another size.
DES (Data Encryption Standard), which was the previous US standard, and AES (Advanced Encryption Standard), which is the current US standard, are known as representative shared key block encryption algorithms. Various other shared key block encryption algorithms continue to be proposed, and CLEFIA, proposed by Sony Corporation in 2007, is also a shared key block encryption algorithm.
These kinds of shared key block encryption algorithms mainly consist of an encryption processing unit, which includes a round function execution unit that repeatedly executes conversions of the input data, and a key scheduling unit, which generates the round keys applied at each round of the round function execution unit. The key scheduling unit first generates an expanded key, in which the bit count is increased, on the basis of a master key, which is a secret key. Based on the generated expanded key, it then generates the round keys (secondary keys) to be applied at each round function unit of the encryption processing unit.
Configurations that repeatedly execute a round function including linear conversion units and non-linear conversion units are known as specific configurations of these kinds of algorithms. Representative structures include, for example, the Feistel structure and the expanded Feistel structure. Both structures convert plaintext into ciphertext by repeating a simple round function that includes an F function as a data conversion function. The linear conversion processing and the non-linear conversion processing are executed by the F function. NPL 1 and NPL 2 are examples of literature that disclose encryption processing applying the Feistel structure and the expanded Feistel structure.
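The following is an added example, not taken from the cited literature or from the CLEFIA specification: a toy four-branch expanded (generalized) Feistel network over a 128-bit block, showing a key schedule feeding round keys to an F function made of a non-linear and a linear layer, and showing that decryption reuses the same F function with the round keys in reverse order. The S-box, the diffusion step, the SHA-256 based key schedule and the round count are all assumptions chosen for illustration.

```python
# Toy 4-branch generalized ("expanded") Feistel network, 128-bit block.
# Constructed for illustration: the S-box, diffusion, key schedule and
# round count are assumptions, not CLEFIA's real components.
import hashlib
import struct

ROUNDS = 18
# Toy non-linear byte map. It is deliberately NOT a permutation: a Feistel
# structure stays invertible even when F is not.
SBOX = [(5 * x * x + 3 * x + 7) & 0xFF for x in range(256)]

def rotl32(v, n):
    return ((v << n) | (v >> (32 - n))) & 0xFFFFFFFF

def f(round_key, x):
    """F function: key addition, non-linear layer, then linear layer."""
    t = (x ^ round_key).to_bytes(4, "big")
    y = int.from_bytes(bytes(SBOX[b] for b in t), "big")  # non-linear conversion
    return y ^ rotl32(y, 8) ^ rotl32(y, 16)               # linear conversion

def round_keys(master_key, rounds=ROUNDS):
    """Toy key schedule: expand the master key into two 32-bit keys per round."""
    return [struct.unpack(">2I", hashlib.sha256(master_key + bytes([i])).digest()[:8])
            for i in range(rounds)]

def _run(block, keys, rotate):
    x = list(struct.unpack(">4I", block))
    for i, (k0, k1) in enumerate(keys):
        x[1] ^= f(k0, x[0])          # branches 0 and 2 pass through unchanged
        x[3] ^= f(k1, x[2])
        if i != len(keys) - 1:       # no word rotation after the final round
            x = rotate(x)
    return struct.pack(">4I", *x)

def encrypt(block, master_key, rounds=ROUNDS):
    return _run(block, round_keys(master_key, rounds), lambda x: x[1:] + x[:1])

def decrypt(block, master_key, rounds=ROUNDS):
    # Same F function, round keys in reverse order, inverse word rotation.
    return _run(block, round_keys(master_key, rounds)[::-1], lambda x: x[-1:] + x[:-1])

if __name__ == "__main__":
    key = bytes(range(16))           # constructed sample key
    pt = b"sixteen byte msg"         # constructed 128-bit block
    ct = encrypt(pt, key)
    print(ct.hex(), decrypt(ct, key) == pt)
```

Each call to `f` produces a 32-bit value that is XORed into a neighbouring branch, so only two of the four 32-bit branches change in a round.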
Encryption algorithms can be implemented in two ways: as software implementations and as hardware implementations. With a hardware implementation, designing the circuit so that its scale is as small as possible can reduce costs, and low energy consumption can be expected. For this reason, various implementation methods for miniaturization have been proposed, for new algorithms and existing algorithms alike.
For example, a miniaturization method for AES encryption, which has a Substitution Permutation Network (SPN) structure, is proposed by Hamalainen, Alho, Hannikainen, Hamalainen, et al. Details about this miniaturization method are disclosed in NPL 3 “Panu Hamalainen, Timo Alho, Marko Hannikainen, and Timo D. Hamalainen. Design and implementation of low-area and low-power AES encryption hardware core. In DSD, pages 577-583. IEEE Computer Society, 2006. 9”.
According to this disclosed implementation method, miniaturization of the circuit scale is achieved by processing AES 128-bit block encryption in calculation units of 8 bits. The implementation method from Hamalainen, et al. can also be applied to CLEFIA and other algorithms having an expanded Feistel structure, which is different from the SPN structure.
However, if the existing technique is applied simplistically, the registers needed to store intermediate values of the F function calculations in the non-linear processing unit increase, in addition to the registers for the block length. For example, when considering an application to CLEFIA, 32 bits' worth of registers are added on top of the 128 bits' worth of block length registers.