Recently, from a viewpoint of security, the need to implement an encryption function is increasing also with respect to an embedded device. An example of an encryption scheme used for such an encryption function includes AES (Advanced Encryption Standard)-GCM (Galois/Counter Mode) that uses GCM as a block cipher mode of operation of AES that is a symmetric key encryption scheme.
An encryption algorithm ε used for the AES-GCM utilizes a secret key K, an initial vector IV, a plaintext message P, and an authentication parameter A as inputs, and outputs a ciphertext C and an authentication tag T. The encryption algorithm ε may be represented by the following formula:εK(IV,P,A)=(C,T)where the authentication parameter A is a data that is not encrypted and is used only for the authentication.
The encryption algorithm ε used for the AES-GCM described above is formed by an AES encryption function, a GCTR function, and a GHASH function (for example, refer to Non-Patent Document 1).