JP2002091296A - Device and program for generating expanded key, and recording medium - Google Patents

Abstract

PROBLEM TO BE SOLVED: To improve security of a common key system relating to an expanded key generation device for generating an expanded key from a ciphered key by generating intermediate data from the ciphered key at a 1st step, selecting an arbitrary data from the intermediate data at a 2nd step to process it by a irreversible conversion and generating an expanded key of the arbitrary number of steps, and speedily generating expanded key of the arbitrary steps through the irreversible conversion. SOLUTION: This device is configured so as to be provided with an intermediate data generating means for dividing a bit string of an inputted cryptographic key into plural groups, generating an operation result of a plural number i by processing these divided groups of the bit strings each by arithmetic operation plural (i) times, performing an arithmetic operation for gathering the operation results together respectively among the plural groups concerning the operation results of the plural number i of each of these generated groups, and generating the plural number (i) of the intermediate data, and an expanded key generation for selecting one of the plural number (i) of the intermediate data based on the number of steps r of a specified expanded key, and processing the selected intermediate data by the irreversible conversion to generate the expanded key of the number of steps r.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to an extended key generation device for generating an extended key from an encryption key, an extended key generation program, and a recording medium.

[0002]

2. Description of the Related Art FIG. 8 shows the configuration of an encryption process using general common key encryption. The encryption device shown in FIG. 8 receives a plaintext and an encryption key as input and outputs an encrypted text, and is composed of an encryption processing device and an extended key generation device. The encryption processing device sequentially performs encryption processing 1 to encryption processing n,
An n-stage process is performed. The expanded key processing device sequentially generates an expanded key 1 to an expanded key n used in each of the n-stage encryption processes based on the input encryption key. The generation of the extended key is an important problem, and high speed and security are required.

[0003] Conventionally, as a system capable of high-speed processing, DES
There is an extended key generation method. In this expanded key generation method of DES, as shown in the expanded key generation apparatus on the right side of FIG. 9, an encryption key is input and an expanded key n is generated from an expanded key 1 only by cyclic shift and bit transposition. Is fast.

[0004] As a system with higher security, M
ARS extended key generation method (MARS-acandidate cipher f
or AES, THE First AES Conference 1998 p1-p9)
There is.

[0005]

In the former DES extended key generation method shown in FIG. 9 described above, an extended key is generated only by cyclic shift and bit transposition (see the * portion on the right side of FIG. 9). Although the processing is fast, there is a problem that the bit information of the encryption key can be easily obtained from the bit information of the expanded key. For this reason, if even one of the n expanded keys leaks information, the information of the encryption key also leaks, and there is a problem in security.

The above-mentioned MARS extended key generation method cannot easily obtain the encryption key information from the extended key information, so that it is highly secure. There was a problem that processing could not be performed.

[0007] The present invention solves these problems,
In the first step, intermediate data is generated from the encryption key. In the second step, any data is selected from the intermediate data and irreversible conversion is performed to generate an expanded key of an arbitrary number of stages. The purpose is to increase the security of the common key system by high-speed generation after conversion.

[0008]

Means for solving the problem will be described with reference to FIG. In FIG. 1, an encryption device 1 receives a plaintext and an encryption key as input and outputs an encrypted text, and includes an extended key processing device 3 and the like.

The expanded key processing device 3 generates an expanded key from an encryption key. In this example, the expanded key processing device 3 includes an intermediate data generating device 4 and an expanded key generating device 5. The intermediate data generating device 4 receives the encryption key and generates a plurality of i intermediate data.

The expanded key generation device 5 generates an expanded key of the specified number r of stages from a plurality of i intermediate data.
Next, the operation will be described.

The intermediate data generation device 4 divides the input bit sequence of the encryption key into a plurality of groups, performs a plurality of operations on the bit sequences of each of the divided groups a plurality of times i to generate a plurality i of operation results. An operation is performed on the generated plurality of i operation results for each group to combine the operation results into a single unit among the plurality of groups, to generate a plurality of i intermediate data, and the expanded key generation device 5 specifies the specified expanded key. From the intermediate data of a plurality i based on the number r of stages
One of them is selected, and the selected intermediate data is irreversibly converted to generate an expanded key with the number of stages r.

At this time, the bit string of the input encryption key is a bit string obtained by operating a non-linear function on the bit string of the input encryption key. In addition, a logical operation is performed as a single operation.

[0013] After performing an operation to combine them into one,
A non-linear function is operated to generate intermediate data. Further, after performing transposition of the selected intermediate data according to the number of stages r, irreversible conversion is performed.

Therefore, in the first stage, intermediate data is generated from the encryption key, and in the second stage, arbitrary data is selected from the intermediate data and irreversible conversion is performed to generate an expanded key of an arbitrary number of stages, thereby expanding the data. The key can be generated at a high speed through irreversible transformation to increase the security of the common key system.

[0015]

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS Next, an embodiment and operation of the present invention will be described in detail sequentially with reference to FIGS.

FIG. 1 shows a system configuration diagram of the present invention.
In FIG. 1, an encryption device 1 receives a plaintext and an encryption key as input, and outputs an encrypted text, and includes an encryption processing device 2 and an extended key processing device 3.

The encryption processing device 2 performs encryption processing (1) to n of encryption processing (n) based on the expansion key 1 to the expansion key n.
It performs stepwise processing to create and output a ciphertext. The encryption process (1) to the encryption process (n) receive the extended key 1 to the extended key n generated by the extended key processing device 3, perform the respective encryption processes, and output the ciphertext from the last stage. .

The expanded key processing device 3 generates an expanded key from an encryption key. In this case, the expanded key processing device 3 includes an intermediate data generating device 4, an expanded key generating device 5, and the like. The intermediate data generating device 4 receives the encryption key and generates a plurality of intermediate data i (see FIGS. 2 and 3).

The expanded key generation device 5 generates an expanded key of a designated number r of stages from a plurality of intermediate data (see FIGS. 2 and 4). Next, an operation of generating an extended key from an encryption key under the configuration of FIG. 1 will be described in detail according to the order of the flowchart of FIG.

FIG. 2 is a flowchart illustrating the operation of the present invention. In FIG. 2, S1 inputs a user key.
For this, an encryption key (user key) is input to the encryption device 1 of FIG. 1 together with the plaintext. This means that the intermediate data generation device 4 constituting the extended key processing device 3 in FIG. 1 has taken in the user key (encryption key).

In step S2, a non-linear function M is calculated. This means that the bit string of the encryption key is 8 bits as shown in FIG.
The data is divided into groups, and a non-linear function M is calculated on the bit strings of each group (described later with reference to FIGS. 6 and 7).

In step S3, a constant is added when the number is an even number. S
4 multiplies a constant when it is odd. These S3, S4
As shown in FIG. 3 to be described later, a constant is added to the bit string after the calculation of the nonlinear function M when the number is even, and the constant is multiplied when the number is odd.

In step S5, an exclusive OR is calculated. In this operation, as shown in FIG. 3, which will be described later, an exclusive OR operation is performed on the bit string added with the constant in S4 and the bit string multiplied by the constant.

In step S6, a non-linear function M is calculated. That is, a non-linear function M is calculated on the bit string after the calculation in S5 to generate intermediate data. S4, S5, S6
And a plurality of constants (for example, in the case of FIG. 3, i = 0, 1, 2,
Are added and multiplied for each of the three constants, and then an exclusive OR operation and a non-linear function operation are respectively performed. In the case of FIG. 3, three intermediate data are generated.

Through steps S1 to S6, a user key (encryption key) is input and, for example, according to the configuration shown in FIG. 3, intermediate data composed of a plurality (three in FIG. 3) having undergone irreversible conversion is created. Becomes possible.

In step S7 of FIG. 2, the number of stages r is input. This is done by inputting the number r of stages of the expanded key to be created. As a result, in the present invention, it is possible to directly create an expanded key of the specified number of levels in subsequent S8 to S11.

In step S8, a corresponding value is selected from the intermediate data. In this case, the corresponding intermediate data is selected one by one based on the number of stages r from among a plurality of intermediate data of a plurality i shown in FIG.

In step S9, the transposition is performed according to the number r of stages. In this case, the data rearrangement processing device shown in FIG. 4A inputs the number of stages r and transposes the intermediate data selected in S8 (see FIGS. 5C and 5D).

In step S10, irreversible conversion G of the transposed intermediate data is performed (see FIG. 4B). In step S11, r steps of expanded keys are output. In this case, the data calculated in S10 is output as an expanded key of r stages.

In S12, it is determined whether or not the processing is completed. If YES, the process ends. In the case of NO, the process returns to S7 to create an expanded key of the next specified number r of stages. S7 above
In steps S11 to S11, based on the intermediate data for each of the plurality i generated in steps S1 to S6, 1
Successive intermediate data is selected, transposed according to the number of stages r, and then subjected to irreversible conversion, so that an expanded key having the specified number of stages r can be generated at high speed through irreversible conversion. The details will be sequentially described below.

FIG. 3 shows an explanatory diagram (intermediate data) of the present invention. In FIG. 3, k0 to k7 in the upper row are bit strings obtained by sequentially dividing the bit string of the encryption key (user key) into eight.

M in the upper and lower rows represents a non-linear function operation (see FIGS. 6 and 7 described later). + Represents addition of a constant. Here, the addition of M (4i) is performed by adding the value of the constant M when i = 0, 1, or 2 when the subscript of k of the divided bit string is, for example, the even number of S3 in FIG. This indicates that the three are output. Similarly, M (4i +
1), M (4i + 2) and M (4i + 3) also have i =
This indicates that three values obtained by adding the values of the constants M at the time of 0, 1, and 2 are output.

X represents constant multiplication. Where i + 1
In the case where the subscript of k of the divided bit string is, for example, the odd number of S4 in FIG. 2 described above, three values obtained by multiplying the constant values when i = 0, 1, and 2 are output. Represent.

+ Indicates exclusiveness of the result of addition and multiplication
Indicates that a sum operation is performed. a_iFrom d_iIs h
Represents the output of two intermediate data. Here, a_iFrom d _i
Three output intermediate data (i = 0, 1, 2)
Represents

As described above, after the encryption key is divided into eight groups and the non-linear function M is calculated for each bit string, three constants are added to even numbers and three constants are added to odd numbers. The multiplied, added and multiplied data are combined into one by an exclusive OR operation, and the nonlinear function M is further operated to generate three intermediate data.

FIG. 4 shows an explanatory diagram (expansion key) of the present invention. FIG. 4A shows the number of stages r from the intermediate data for each i data.
Is shown, a system configuration for selecting one based on the above and generating an expanded key.

In FIG. 4A, the intermediate data is, in this case, an intermediate data composed of a _i , b _i , c _i , and d _i (i = 0, 1, 2) generated by the configuration of FIG. Data (intermediate key)
It is.

The select value determination device determines the intermediate data a _i , b _i , and b based on the number r of stages of the expanded key to be created.
c _i, is to determine whether to select any of those i of _d i (i = 0,1,2). The determination is made according to the equation (1) in FIG.

The selector is, _X r determined by the select value determination _unit, Y _r, Z _r, in accordance with _{W r,} where, i = 0, 1, 2 of the corresponding ones of the intermediate data _{a (X} r), b ( _Yr ), c ( _Zr ), d ( _Wr )
Are selected one by one.

The data rearrangement processing device selects the selected intermediate data a (X _r ), b (Y _r ), c
_(Z r), and performs rearrangement of d _{(W r)} the (transposed). This transposition is performed as shown in FIG.
The transposition corresponding to the number r of stages is performed.

[0041] G (X, Y, Z, W, r) computing device, the intermediate data after the rearrangement (X, Y, Z, W ) on the basis of, and generates an expanded key _E x Key Canada _r is there. This produces an expanded key _E x Key Canada _r in the configuration of FIG. 4 to be described later (b).

With the above configuration, it is possible to specify the number r of stages from the intermediate data and generate an expanded key of the number r of stages. The details will be sequentially described below. (B) of FIG.
FIG. 5A shows a detailed configuration of a G (X, Y, Z, W) calculation device of FIG.

In FIG. 4B, the 1-bit left cyclic shift shifts the data bit sequence by cycling one bit to the left. The exclusive OR performs an exclusive OR operation of two data.

The addition is to add two data. Subtraction is to subtract other data from one data. The above-described circuits are connected as shown in the figure to select and transpose the intermediate data (X, Y,
Z, W), it is possible to generate an extended key.

FIG. 5 shows an explanatory diagram of the present invention. FIG. 5A shows that the data of the number of stages r is 1 from the intermediate data for each i data.
Equation (1) used when one is selected is shown. The illustrated equation (1) is as follows.

X _r = Z _r = r mod 3 Y _r = W _r = r + [r / 3] mod 3 FIG. 5 (b) schematically shows equation (1) of FIG. 5 (a). . This is a value obtained by actually calculating the value of equation (1) in FIG. 5A, and is a value for selecting one of three values of 0, 1, and 2 when the number of stages is r. , 9 patrollers.

A value (one of three values of i = 0, 1, 2) corresponding to the number of stages r is determined from FIGS. 5 (a) and 5 (b), and was determined in the number of stages r from the intermediate data of the i-number increments by _{a) (X r, Y r} , it is possible to select Z r, the _{W r).}

FIG. 5C shows an order table. The order table of FIG. 5 (a), the order (sequence) when the intermediate data of the number of stages r selected in (b) _{(X r,} Y _r, Z r, _{W r)} rearranges (substituted) To decide.
Here, the data is rearranged as shown in the rearrangement order on the right side in association with the number r of rows on the left side (performed by the data rearrangement processing device in FIG. 4A).

Next, the non-linear function operation will be described with reference to FIGS. FIG. 6A shows a non-linear function M
The following shows an example of the overall configuration of the operation shown in FIG. Here, a state will be described in which a user key (encryption key) m (for example, 32 bits) is input and a non-linear function M is calculated to generate a result w (32 bits).

(1) The 32 bits of the user key are sequentially m, 6, 5, 5, 5, 56 bits as shown in FIG.
It is divided into 0, m1, m2, m3, m4, and m5. (2) m1, m2, m3, m4 divided into 5 bits
Is the corresponding x according to the table of S5 (x) in FIG.
To the value of S5 (x) corresponding to

(3) Similarly, m divided into 6 bits
0 and m6 are converted into S6 (x) values corresponding to the corresponding x according to the table of S6 (x) in FIG. 6C. (4) By (2) and (3), v is the data v shown in FIG. 6A.

(5) In the determinant schematically shown in FIG. 7 (e), the matrix is placed at the position shown by the arrow from FIG. 7 (d).
The data v generated in (4) is placed, a matrix operation is performed on both, and w on the right side is calculated. As a result, FIG.
(The operation result of the non-linear function M) obtained by the XOR calculation apparatus using the MDS.

As described above, for example, the calculation of the nonlinear function M of FIG. 3 can be performed in the order shown in the configuration of FIG. FIG. 6B shows S5 of FIG. 6A.
FIG. 6C shows an example of the table of (x), and FIG. 6C shows an example of the table of S6 (x) of FIG. 6A.

FIG. 7C shows constants (constants used in an XOR calculation device using MDS) when performing a matrix operation on the nonlinear function M, and FIG. 7D shows an XOR calculation device using MDS. Schematically shows the matrix operation performed by.

Next, the first-stage process of generating intermediate data from the user key and the second-stage process of generating an expanded key having a specified number r of stages from the intermediate data will be described using mathematical expressions and symbols. explain.

(1) First-stage processing (processing for generating intermediate data from a user key): (1-1) A 256-bit encryption key is converted into eight data k0, k1,. k7 (Fig. 3
(1-2) Using the non-linear function M that receives the 32 bits divided in (1-1) and outputs the 32 bits, calculates the following (1-3) to (1-6) , The intermediate data a (i), b (i), c (i), and d (i) are generated by i =
This is performed for 0, 1, and 2 (see FIG. 3). Further, for the nonlinear function M, (3-1) to (3-6) are executed.

(1-3) a (i) = M (Ta (k0,
i) Calculate XOR Ua (k1, i). Where T
a (k0, i) = M (k0) + M (4i), Ua (k
(1, i) = M (k1) × (i + 1). XOR
Represents an exclusive OR operation.

(1-4) b (i) = M (Tb (k2,
i) Calculate XOR Ub (k3, i). However,
Tb (k3, i) = M (k2) + M (4i + 1), Ub
(K3, i) = M (k3) × (i + 1).

(1-5) c (i) = M (Tc (k4,
i) Calculate XOR Uc (k5, i). However,
Tc (k4, i) = M (k4) + M (4i + 2), Uc
(K5, i) = M (k5) × (i + 1).

(1-6) d (i) = M (Td (k6,
i) Calculate XOR Ud (k7,1)). Where Td (k6, i) = M (k6) + M (4i + 3),
Ud (k7, i) = M (k7) × (i + 1).

(2) Second-stage processing (processing for generating an expanded key with the specified number r of stages from the intermediate data): (2-1) Expanded key ExKeyr with r stages (r = 0.1 ·
() Is calculated according to the following (2-2) to (2-4) (see FIG. 4 (a)).

(2-2) Xr = Zr = r mod3
Using the sequence X, Y, Z, W represented by Yr = Wr = r + [r / 3] mod 3 (Formula (1)), (X, Y, Z, W)
= (A (Xr), b (Yr), c (Zr), d (W
r)).

(2-3) r ′ = (r + [r / 36]) m
For r ′ satisfying od12, (X, Y, Z, W) =
The data rearrangement indicated by ORDER — 12 (X, Y, Z, W, r ′) is performed. However, ORDER_12
(X, Y, Z, W, r ') follow (c) in FIG.

(2-4) ExKeyr = G (X, Y,
Z, W), an expanded key of r stages is calculated. However,
G (X, Y, Z, W) = ((x << 1) + Y) XO
R (((Z << 1) -W) <<<< 1] and <<<<
1 represents a one-bit left cyclic shift (see FIG. 4B).

(3) Operation processing of nonlinear function M: (3-1) From 32-bit input m, the following (3-2)
, And outputs 32-bit w according to (3-6) (see FIG. 6A).

(3-2) A value m0 obtained by dividing m into bits
... m5 is given according to the following. m0 = (0th to 5th bits of m) m1 = (6th to 10th bits of m) m2 = (11th to 15th bits of m) m3 = (16th bit of m) M4 = (21st to 25th bit of m) m5 = (26th to 31st bit of m) (3-3) 5 bits are output for 5 bits input Using a nonlinear transformation function S5 and a nonlinear transformation function S6 that outputs 6 bits for a 6-bit input, s0 = S6 (m0) s1 = S5 (m1) s2 = S5 (m2) s3 = S5 (m3) s4 = S5 (m4) s5 = S6 (m5) Here, S5 and S6 are shown in FIGS. 6B and 6C, respectively, as described above.

(3-4) v = s0 | s1 | s2 | s3
| S4 | s5 is calculated. | Represents concatenation of bit values. (3-5) Using a conversion table MDS that outputs 32 bits from the i-th bit value vi of v and a 5-bit input, w = (v0 × MDS (0)) XOR (v1 × M
DS (1)) XOR... XOR (v31 × MDS (3
1)) is calculated. Where vi × MDS (i) is v
0 when i = 0, and MDS (i) when vi = 1.
Further, the MDS complies with FIG.

(3-6) Output w.

[0069]

As described above, according to the present invention,
In the first stage, intermediate data is generated from the encryption key, and in the second stage, any data is selected from the intermediate data and irreversible conversion is performed to generate an expanded key of an arbitrary number of stages. The key can be generated at a high speed through irreversible transformation to increase the security of the common key system. Thus, (1) For example, although a large processing time is required to generate one piece of intermediate data, the number of required intermediate data can be reduced by the expanded key generation device 5, and an expanded key with high security can be obtained. Can be generated at high speed.

(2) Also, the generated expanded key ExKey
.. 0, ExKey1,..., Without storing all of ExKeyn-1, if only the required expanded key is generated during the encryption or decryption processing, only the specified number of expanded keys r is processed at high speed. There is a remarkable feature that it can be generated. The effect of this will be described below.

Generally, the common key cryptosystem uses Ex
When the expanded key is used in the order of Key0, ExKey1,... ExKeyn-1, ExKeyn is used for decryption.
-1... As in ExKey1 and ExKey0, the expanded key is used in the reverse order of the encryption. Where ExKe
When an extended key generation method that requires the value of ExKey0 to generate y1 is used (see FIG. 9 described above), when ExKey1 is generated sequentially, ExKey1 cannot be directly generated, and ExKey0 is first generated. Generate and use this with ExKe
Since y1 is generated, the expanded key generation time for decryption is later than that for encryption.

On the other hand, according to the present invention, an extended key can be generated by designating an arbitrary number r of stages independently of the other extended keys, so that the extended keys are represented by ExKey0, ExKey1,.
The generation in the order of Keyn-1 is also performed by ExKeyn-1.
.. Also generate ExKey1 and ExKey0 in this order.
There is a remarkable feature that it can be performed in the same processing time.

As described above, according to the present invention, even when an extended key is sequentially generated, the processing time for encryption and decryption is the same, and the time for generating an extended key for decryption is later than that for encryption. Has a remarkable effect of preventing.

[Brief description of the drawings]

FIG. 1 is a system configuration diagram of the present invention.

FIG. 2 is a flowchart illustrating the operation of the present invention.

FIG. 3 is an explanatory diagram (intermediate data) of the present invention.

FIG. 4 is an explanatory diagram (enlarged key) of the present invention.

FIG. 5 is an explanatory diagram of the present invention.

FIG. 6 is an explanatory diagram (a non-linear function operation, part 1) of the present invention;

FIG. 7 is an explanatory diagram (nonlinear function operation, part 2) of the present invention.

FIG. 8 is an explanatory diagram of a common key method.

FIG. 9 is an overall block diagram of a conventional DES algorithm.

[Explanation of symbols]

 1: encryption device 2: encryption processing device 3: expanded key processing device 4: intermediate data generation device 5; expanded key generation device M: non-linear function G: irreversible function

 ──────────────────────────────────────────────────続 き Continuing from the front page (72) Inventor Masahiko Takenaka 4-1-1, Kamidadanaka, Nakahara-ku, Kawasaki-shi, Kanagawa Prefecture Inside Fujitsu Limited (72) Inventor Naoya Torii 4-1-1, Kamiodanaka, Nakahara-ku, Kawasaki-shi, Kanagawa No. 1 Fujitsu Co., Ltd. (72) Inventor Jun Yajima 4-1-1, Kamiodanaka, Nakahara-ku, Kawasaki-shi, Kanagawa Prefecture 1-1 Inside Fujitsu Co., Ltd. No. 1 Fujitsu Limited (72) Inventor Kazuhiro Yokoyama 4-1-1, Kamiodanaka, Nakahara-ku, Kawasaki City, Kanagawa Prefecture F-term within Fujitsu Limited (reference) 5J104 AA01 AA16 AA18 JA03 NA02

Claims (7)

[Claims] In an extended key generation apparatus for generating an extended key from an encryption key, a bit string of an input encryption key is divided into a plurality of groups, and a plurality of operations are performed on the bit strings of each of the divided groups a plurality of times. Intermediate data for generating a plurality of i operation results, performing an operation of combining the operation results among the plurality of groups into one unit for each of the generated i operation results for each group, and generating a plurality of i intermediate data Generating means for selecting one of the plurality of intermediate data based on the specified number r of expanded keys and irreversibly converting the selected intermediate data to generate an expanded key having the number of steps r An extended key generation device comprising: a generation unit. 2. A bit string of the input encryption key,
2. The expanded key generation apparatus according to claim 1, wherein the bit string of the input encryption key is a bit string obtained by calculating a non-linear function. 3. The extended key generation device according to claim 1, wherein the operation to be integrated into one is a logical operation. 4. The expanded key generation device according to claim 1, wherein after performing the operation of combining the data into one, an intermediate data is generated by calculating a non-linear function. 5. The expanded key generation apparatus according to claim 1, wherein the irreversible conversion is performed after the transposition of the selected intermediate data according to the number of stages r. 6. An input encryption key bit string is divided into a plurality of groups, a plurality of i operations are performed on the bit strings of each of the divided groups to generate a plurality of i operation results, and each of the generated groups is generated. For each of a plurality of i calculation results, a corresponding calculation result is
An intermediate data generating means for performing a summing operation to generate a plurality of intermediate data; and selecting one of the plurality of i intermediate data based on the designated number r of expanded keys, and selecting the selected intermediate data. A computer-readable recording medium in which a program for functioning as an extended key generating means for irreversibly converting data and generating an extended key having a number of steps r is recorded. 7. An input encryption key bit string is divided into a plurality of groups, a plurality of i operations are performed on each of the divided bit strings in each group to generate a plurality i of operation results, and each of the generated groups is generated. For each of a plurality of i calculation results, a corresponding calculation result is
An intermediate data generating means for performing a summing operation to generate a plurality of intermediate data; and selecting one of the plurality of i intermediate data based on the designated number r of expanded keys, and selecting the selected intermediate data. An extended key generation program for functioning as an extended key generation unit for irreversibly converting data to generate an extended key having a number r of stages.