JP2011193180A - Key sharing system, key sharing method and key sharing program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To eliminate the problem of setting evaluation criteria or the like and an information leakage risk when a terminal performs the verification of the randomness of pseudo random numbers by constituting the terminal itself so as not to perform the verification. <P>SOLUTION: A key sharing/public key encryption means 112 takes out a part of data for state update for updating the internal state of a pseudo random number generation means 113, and performs public key encryption to the part of data transmitted to a server 120. A randomness evaluation means 124 transmits a randomness determination result of the internal state of the pseudo random number generation means 113 which is obtained on the basis of a comparison result between data obtained by updating a part of the data for state update received from the terminal 110 and a prescribed threshold to the terminal 110 through a key sharing/public key decryption means 123. The randomness evaluation means 124 executes key sharing processing when the randomness determination result passes, and performs randomness evaluation/update processing on the basis of the data received and decrypted by the key sharing/public key decryption means 123 when the randomness determination result is rejected. <P>COPYRIGHT: (C)2011,JPO&INPIT

Description

  The present invention relates to a key sharing method, a key sharing method, and a key sharing program, and more particularly to a key sharing method, a key sharing method, and a key sharing program that are used for encryption of communication between a server that is a host device and a terminal.

  Encryption is an indispensable technology for concealing communication. Modern encryption realizes communication concealment by keeping the encryption key secret even if the algorithm is disclosed. In communication using encryption, the issue is how to share a secret key for encrypting data between the transmitting side and the receiving side that perform communication.

  Modern ciphers are broadly classified into common key ciphers and public key ciphers. The former is typically a block cipher such as DES (Data Encryption Standard) or AES (Advanced Encryption Standard), and assumes that the transmitting side and the receiving side have the same secret key in advance. The latter is typically RSA encryption, and the keys used for encryption and decryption are different. The key used for encryption is called a public key, and the key used for decryption is called a secret key. Public key cryptography has the property that it is very difficult to guess a secret key from a public key. For this reason, even if the public key is made public, if the secret key is not leaked, the information encrypted with the public key can be decrypted only by the person who has the secret key. However, public key cryptography requires a much larger calculation amount than common key cryptography. For this reason, a secret key (referred to as a session key) used in common key cryptography is shared using public key cryptography, and actual data is often encrypted using common key cryptography.

When using public key cryptography, it is necessary to ensure that domain parameters and public keys that define operations used in public key cryptography are correct. In the case of a method using a discrete logarithm on a finite field, the domain parameter is composed of a prime number p that determines a remainder system operation and an element g (mod p) of mod_p that is a generation source of the discrete logarithm problem. The public key is generally defined as y = g ^x mod p with respect to the secret key x mod q. Here, the prime number q is the order of the element g, that is, the smallest natural number a that satisfies g ^a = 1 mod p. q is a divisor of p-1. In this specification, the domain parameter and the public key are collectively referred to as a public parameter.

Which is a typical key sharing algorithm using the public key cryptography, Diffie-Hellman key agreement algorithm, which is published by Hermann (Hellman) and Diffie (Diffie) is, eavesdropping a g ^r mod p and g ^s mod p of the public key It is known to be strong against passive attacks that seek confidential information, but weak against active attacks such as spoofing. Therefore, when using the Diffie-Hellman key sharing algorithm, it is essential to authenticate the communication partner. As for the key sharing with authentication, for example, a method described in Non-Patent Document 1 issued by the National Institute of Standards and Technology (NIST) is known.

  By the way, a method based on a public key certificate by a certificate authority is well known for guaranteeing the validity of public key parameters. On the other hand, in a closed cryptographic communication system, it is possible to ensure reliability by directly obtaining public information from a reliable organization.

  FIG. 12 shows a block diagram of an example of the closed cryptographic communication system. As shown in the figure, the cryptographic communication system 500 includes parameter generation means 501, a server 502 serving as a host device, and a terminal 503. A plurality of terminals 503 exist for one server 502, and each terminal 503 communicates with the server 502. The parameter generation unit 501 generates public key encryption parameters and key information at the time of terminal distribution, sets necessary information in the server 502 and the terminal 503, and passes the terminal 503 to the user.

  In this cryptographic communication system 500, it is assumed that the security of the server 502 and the terminal 503 is greatly different. In other words, it is assumed that the server 502 is in a safe place, and the risk of leakage of confidential information and unauthorized processing is very small. On the other hand, it is assumed that the terminal 503 has a high risk of theft or information leakage. When the public key parameter is set in advance in the terminal 503, the terminal 503 uses the setting for a relatively long time. Therefore, when an attacker obtains the information of the terminal 503, an attack opportunity for the public key parameter occurs for a relatively long time.

  In an application that requires high-strength security, such a situation is not desirable, and it is desirable that an attacker obtains as little information as possible from the terminal 503. For this purpose, a method is conceivable in which the server 502 transmits the public key parameter to the terminal 503 at the start of the session without storing any key information in the terminal 503 in advance.

  However, at this time, there arises a problem that the server 502 can be easily impersonated. Further, when an unauthorized server sends an unauthorized domain parameter to the terminal 503, the security may be impaired even if the secret key is not leaked. For example, if an attacker sets an element g with a very small order, the attacker can guess the key information shared by the Diffie-Hellman algorithm without knowing the secret key. End up.

  A key sharing system that addresses this problem is disclosed in Patent Document 1. The key sharing system described in Patent Document 1 is a key sharing method disclosed by the present inventor, and the outline of the invention will be described below with reference to FIGS. 13 and 14. In FIG. 13 and FIG. 14, the same components as those in FIG. Note that the key sharing uses the Diffie-Hellman key sharing algorithm on a finite field, but the same key sharing can be performed using modules formed by rational points of elliptic curves on the finite field.

  FIG. 13 shows information generated by the parameter generation unit 501 in FIG. 12 and information held by the server 502 and the terminal 503. In FIG. 13, the parameter generation means 501 receives a list of domain parameters {p (i), q (i), g (i): i = 1, 2, 3,. And (x (i), y (i)) of the corresponding private key and public key are set. Also, the parameter generation unit 501 has a hash value h (i) (= Hash (p) with p (i) || g (i), which is a bit string obtained by concatenating p (i) and g (i), as input data. (i) || g (i))).

  The server 502 holds, for each terminal 503, a list 601 composed of a list of domain parameters input from the parameter generation unit 501, a secret key, and public keys (x (i), y (i)). The terminal 503 stores a list 602 in which the hash value h (i) input from the parameter generation unit 501 is combined with the public key y (i).

  Next, the operation of the key sharing system described in Patent Document 1 will be described using the flowchart of FIG. First, the terminal 503 transmits a terminal ID to the server 502 (step S401). As a result, the server 502 determines the parameter index i to be used in the parameter list for the terminal 503 of the transmission source (step S402). Subsequently, the server 502 generates a bit string p || g obtained by concatenating p = p (i) and g = g (i) corresponding to the index i, and transmits it (steps S403 and S404).

  The terminal 503 calculates a hash value Hash (p || g) for the received bit string p || g and compares it with the stored hash value h (i) (step S405). If they do not match, the key sharing process is terminated, assuming that an invalid parameter has been sent. If the validity of p and g can be confirmed in step S405, the terminal 503 executes key sharing processing using the following Diffie-Hellman key sharing algorithm.

That is, the terminal 503 generates a random number r (step S406), calculates w (= g ^r mod p) using the random number r (step S407), and transmits it to the server 502 (step S408). The server 502 calculates Z (= w ^{x (i)} mod p) from the received bit string w using the secret key x (i) (step S409), and uses the key Z from the value Z using the key derivation function kdf (). A secret key K is generated (step S410).

On the other hand, the terminal 503 calculates z (= y (i) ^r mod p) using the public key y (i) and the random number r (step S411) and uses the key derivation function kdf () from the value z. A secret key k is generated (step S412). “Otherinfo” that is an input of the key derivation function kdf () in steps 310 and 312 is information shared in advance between the server 502 and the terminal 503 (may be public information). As a result, information unique to the terminal 503 such as the terminal ID is included in the information “otherinfo”, so that spoofing can be prevented. A hash function or the like is applied to the key derivation function kdf ().

  As can be seen from the flowchart shown in FIG. 14, the security of the key sharing method described in Patent Document 1 greatly depends on the randomness of the random number r generated by the terminal 503 (difficulty of prediction for an attacker). . Random number generators are broadly classified into true random number generators (non-deterministic random bit generators) and pseudo-random number generators (deterministic random bit generators) based on physical phenomena. The latter determines the output based on the internal state of the random number generator, but has the property that it is difficult to guess the internal state and the next output even if the output bit string is observed. Generate a random number using. The pseudo random number generator is described in detail in Non-Patent Document 2, for example.

  It is ideal to use a true random number generator using hardware, but this also changes the characteristics depending on the environment and the passage of time, and it is difficult to evaluate it. For this reason, a pseudo random number generator should be used for the terminal 503. Is often appropriate.

  FIG. 15 shows an operation function diagram of an example of the pseudorandom number generator. The pseudo-random number generator 700 determines a pseudo-random number that is a bit string output by the output generation processing 702 based on the internal state (memory) 701. The bit width of this pseudo-random number is determined by the hash function used in the output generation process 702 and the data width of the block cipher. When the output generation process 702 is executed, the internal state update process 703 is executed at a timing determined by the algorithm to prepare for the next output.

  When the attacker succeeds in guessing the internal state 701 at a certain point in time, the pseudo random number generator 700 can determine all sequences ahead of the attacker. A refresh process 704 for updating is required. The pseudo random number generator 700 also requires a startup process 705 for setting the internal state 701 at startup.

  The external randomness is acquired from an “entropy source” which is an element having randomness in the terminal device. If the terminal 503 is a computer, a process number as an entropy source, a time taken for communication with the server 502, an access speed to the hard disk, and the like are listed as candidates. A bit string representing these data is called entropy information 706 in FIG. The refresh process 704 is a process for updating the internal state 701 using the entropy information 706 that is the state update data. Therefore, even if the attacker succeeds in guessing the internal state 701 at a certain point, the entropy information 706 is obtained. Otherwise, it will be difficult for an attacker to estimate the state after the refresh process.

  The unique information that is input to the startup processing 705 in FIG. 15 is information unique to a device such as a MAC (Media Access Control) address or an IP (Internet Protocol) address in a computer, and is a fixed value. When the startup process 705 sets the internal state 701 using this unique information at startup, a different internal state 701 can be set for each device. Further, the additional information 707 that is input to the update process 703 and the refresh process 704 is temporary information that is not random, such as a public key. This additional information 707 is also one of practical measures against impersonation and the like, like the unique information.

  As the update process 703, the update process (Update ()) of the pseudorandom number generation process described in Non-Patent Document 2 can be applied. In addition, the output generation processing 702 described above can be applied to the output generation processing (Output ()) of the pseudorandom number generation processing described in Non-Patent Document 2.

  FIG. 16A shows the update processing (Update ()) of the pseudo random number generation processing described in Non-Patent Document 2, and shows the update processing using HMAC (Hashed based Message Authentication Code) that is a keyed hash function. . FIG. 16B shows a specific configuration of the output generation process (Output ()) of the pseudorandom number generation process described in Non-Patent Document 2. 16A and 16B, (K, V) is in the internal state. “HMAC” in FIGS. 16A and 16B is disclosed in Non-Patent Document 3.

  Patent Document 2 discloses a configuration in which one communication device generates a public key and transmits it to the other communication device in a key sharing method between two communication devices. Patent Document 3 discloses that a comparison is made as to whether or not the random number received by the random number verification means matches, and that the key is shared based on the comparison result.

JP 2009-239737 A JP 2006-140743 A JP-A-9-312463

NIST Special Publication (SP) 800-56A, `` Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography '', 2006 NIST Special Publication 800-90, `` Recommendation for Random Number Generator Using Deterministic Random Bit Generators (Rivised) '', 2007 NIST Federal Information Processing Standards (FIPS) Publication 198, `` The Keyed-Hash Message Authentication Code (HMAC) '', 2002

  The security of the secret key generated by key sharing in the cryptographic communication system 500 including the secure server 502 and the terminal 503 vulnerable to an attack shown in FIG. It depends heavily on the difficulty. The key sharing method described in Patent Document 1 aimed at solving the vulnerability to the vulnerability of the terminal 503 is based on a random number generator that generates a random number, and the security of the secret key depends on the random number generated by the terminal. In many cases, it is appropriate to use a pseudo-random number generator, and the pseudo-random number generator described in Non-Patent Document 2 can be used.

  However, even if such a pseudo-random number generator is used, in the key sharing method described in Patent Document 1, it is desirable that the terminal itself verify the randomness of the pseudo-random number generated by the terminal in order to guarantee safety. In the verification, there are problems such as the setting of calculation resources and evaluation criteria and the risk of leakage of statistical information from the terminal.

  Further, Patent Document 2 and Patent Document 3 only disclose a configuration under the premise that the random number generator is safe, and the random number verification means described in Patent Document 3 verifies the random number generator. Not going.

  The present invention has been made in view of the above points, and in a cryptographic communication system including a secure server and a terminal vulnerable to an attack or the like, the terminal itself does not verify the randomness of the pseudorandom number. Accordingly, an object of the present invention is to provide a key sharing method, a key sharing method, and a key sharing program that can eliminate the problem of the setting of evaluation criteria and the risk of information leakage when a terminal performs verification.

In order to achieve the above object, the key sharing method of the present invention is a key sharing method between a server that is a host device and one or more terminals,
The terminal generates a pseudo random number and extracts a part of the state update data for updating the internal state, and a part of the state update data extracted by the pseudo random number generator. Public key encryption means for encrypting certain extracted data using a pseudorandom number based on a predetermined public key algorithm and transmitting the extracted data to the server,
The server receives the public key encryption transmitted from the terminal and decrypts the extracted data. Based on the extracted extracted data, the server determines the randomness of the current internal state of the pseudorandom number generating means of the terminal. Randomness evaluation means for generating cumulative entropy, which is a numerical value for estimation, and generating a randomness determination result of an internal state of the pseudorandom number generation means based on a comparison result between the cumulative entropy and a predetermined threshold; and a randomness determination result And a first key sharing means for executing a key sharing process using a predetermined first key sharing algorithm when the key is passed.

  In order to achieve the above object, a key sharing method of the present invention is a key sharing method between a server as a host device and one or more terminals. A first step of generating a pseudo-random number and extracting a part of the state update data for updating the internal state of the pseudo-random number generation means; and the state update data extracted by the terminal in the first step A second step of transmitting the extracted data that is a part of the encrypted data to the server using a pseudo-random number and public key encryption based on a predetermined public key algorithm, and the server receives the public key encryption transmitted from the terminal A third step of decoding the extracted data, and a cumulative value which is a numerical value for estimating the randomness of the current internal state of the pseudorandom number generating means of the terminal based on the extracted extracted data in the server. A fourth step of generating a loppy, and a fifth step of generating a randomness determination result of the internal state of the pseudorandom number generation means based on a comparison result between the cumulative entropy generated in the fourth step and a predetermined threshold value And a sixth step of executing a key sharing process using a predetermined first key sharing algorithm when the randomness determination result is acceptable in the server.

In order to achieve the above object, a key sharing program of the present invention is a key sharing program for causing a computer included in one or more terminals connected to a server as a host device to perform key sharing processing. In addition,
An extraction step for generating a pseudo-random number and extracting a part of the state update data for updating the internal state of the pseudo-random number generation, and an extraction data that is a part of the state update data extracted in the extraction step , Public key encryption using a pseudo-random number and public key encryption based on a predetermined public key algorithm and transmitting to the server, and a transmission step are executed.

  According to the present invention, by applying public key encryption, the terminal does not need to hold a secret key, and since the server determines the randomness of the pseudorandom number generated by the terminal, the terminal itself is a pseudorandom number. Therefore, it is possible to eliminate the problem of setting evaluation criteria and the risk of information leakage when the terminal performs verification.

It is a block diagram of one Embodiment of the key sharing system of this invention. It is a flowchart for operation | movement description of the key sharing module of the terminal in FIG. It is a flowchart for detailed operation | movement description of step S104 in FIG. FIG. 2 is a diagram schematically showing a rule for generating data S by the pseudo random number generation means of the terminal in FIG. 1 extracting every other bit (sequence) in units of bits or symbols. It is a flowchart for detailed operation | movement description of step S205 in FIG. 3 is a flowchart for explaining the operation of key sharing processing of the server in FIG. 1. It is a flowchart for detailed operation | movement description of step S301 in FIG. It is a flowchart for detailed operation | movement description of step S304 in FIG. It is a schematic diagram of an example of the frequency table of entropy information. It is a schematic diagram of the other example of the frequency table of entropy information. It is explanatory drawing of an example of operation | movement of the pseudorandom number generation means in a terminal. It is a block diagram of an example of an encryption communication system. It is a figure which shows the information produced | generated by the parameter production | generation means in FIG. 12, and the information which a server and a terminal hold | maintain. 13 is a flowchart for explaining the operation of FIG. 12. It is an operation | movement functional diagram of an example of a pseudorandom number generator. It is a figure which shows the update process of a pseudorandom number generation process described in the nonpatent literature 2, and an output generation process.

  Next, embodiments of the present invention will be described with reference to the drawings.

  FIG. 1 shows a block diagram of an embodiment of a key sharing method according to the present invention. In the figure, a key sharing method 100 according to the present embodiment includes a terminal 110 and a server 120. A plurality of terminals 110 may be connected to the server 120.

  The terminal 110 has a key sharing module 111 as a component. The key sharing module 111 includes a key sharing / public key encryption unit 112 and a pseudo random number generation unit 113. Further, the terminal 110 has an entropy source that supplies entropy information to the pseudo-random number generation means 113. The key sharing / public key encryption unit 112 uses the pseudo random number generated by the pseudo random number generation unit 113 to perform key sharing processing based on, for example, the Diffie-Hellman key sharing algorithm. Further, the key sharing / public key encryption unit 112 takes out a part of the state update data for updating the internal state of the pseudo random number generation unit 113 and performs public key encryption on the server based on the ElGamal encryption algorithm, for example. 120.

  The server 120 includes random number generation means 121 and a key sharing module 122. The random number generation means 121 is a reliable random number generation means outside the key sharing module 122, and supplies the random number used by the key sharing module 122 in the key sharing processing to the key sharing module 122. The key sharing module 122 includes a key sharing / public key decrypting unit 123 and a randomness evaluating unit 124 as components.

  The randomness evaluation unit 124 includes a pseudo-random number generation unit 113 that is obtained based on a comparison result between data obtained by updating a part of the state update data received from the terminal 110 (cumulative entropy E described later) and a predetermined threshold. The randomness determination result of the internal state is transmitted to the terminal 110 through the key sharing / public key decrypting means 123. Further, the randomness evaluation unit 124 controls the execution of the key sharing process according to the randomness determination result. That is, when the randomness determination result is acceptable, the randomness evaluation unit 124 executes key sharing processing based on, for example, the Diffie-Hellman key sharing algorithm. Further, when the randomness determination result is unacceptable, the randomness evaluation means 124 is based on the public key encrypted data transmitted from the terminal 110 received and decrypted by the key sharing / public key decryption means 123. , Perform randomness evaluation / update processing. The same public key parameter is used for the key sharing process and the public key encryption.

  Next, the operation of the key sharing method 100 of this embodiment will be described.

  First, the operation of the key sharing module 111 of the terminal 110 will be described with reference to the flowchart of FIG.

  When the key sharing module 111 of the terminal 110 is activated, the pseudo-random number generation unit 113 executes a startup process, and sets the status of the pseudo-random number generation unit 113 to “0” indicating the initial state (step S101). . In the startup process of the pseudo random number generation means 113, the internal state of the pseudo random number generation function is initialized with the unique information of the terminal 110.

  Subsequently, the pseudo-random number generation unit 113 becomes a “standby” operation after being activated, and updates the entropy information from the entropy source periodically or irregularly (step S102). Next, the key sharing module 111 determines whether or not there is a request for execution of key sharing processing from the user / application (step S103). If there is no request for executing the key sharing process, the standby operation in step S102 is continued, but if there is a request for executing the key sharing process, the key sharing / public key encryption unit 112 executes the key sharing process (step S104). In this key sharing process, the key sharing / public key encryption unit 112 communicates with the server 120 using the pseudo-random number sequence output from the pseudo-random number generation unit 113, as will be described later, and the pseudo-random number generation unit 113. The key sharing process by the key sharing algorithm is executed after verifying the randomness of the internal state.

  Subsequently, the key sharing module 111 determines whether or not there is a key sharing module stop request from the user / application (step S105). If there is no key sharing module stop request, the key sharing module 111 returns to the standby operation in step S102, but if there is a key sharing module stop request, the operation ends.

  Next, the detailed operation of step S104 will be described with reference to FIG.

  FIG. 3 shows a flowchart for explaining the detailed operation of the key sharing processing step S104. The key sharing / public key encryption unit 112 transmits a status status to the server 120 when the key sharing process is activated, and receives a randomness determination result from the server 120 (step S201). Subsequently, the key sharing / public key encryption unit 112 determines whether the state status to be transmitted is not “0” indicating the initial state, and the received randomness determination result is acceptable (step S202). . The key sharing / public key encryption unit 112 proceeds to step S208, which will be described later, when the determination condition of step S202 is satisfied, and executes key sharing processing by the key sharing algorithm. If the determination condition is not satisfied, the pseudo-random number The process of step S203-S207 is performed with the production | generation means 113. FIG.

  In step S <b> 203, the pseudo random number generation unit 113 extracts data to be transmitted to the server 120 from the entropy information, and outputs the data to the key sharing / public key encryption unit 112. This extracted data is a part of the state update data for updating the internal state of the pseudo-random number generating means 113, and this is hereinafter referred to as extracted data S. In subsequent step S204, the pseudorandom number generation means 113 executes a refresh process. In the subsequent step S205, the key sharing / public key encryption unit 112 executes entropy information transmission processing in which the extracted data S is public key encrypted as described later and transmitted to the server 120.

  Subsequently, in step S206, the key sharing / public key encryption unit 112 receives the randomness determination result from the server 120, and when the state status is “0”, the state status is set to “1” indicating that it is not the initial state. Set. In step S207, the key sharing / public key encryption unit 112 determines whether the randomness determination result received from the server 120 indicates success. When the randomness determination result does not indicate pass, the terminal key sharing process is terminated, but when the randomness determination result indicates pass, the key sharing process by the key sharing algorithm is executed (step S208).

  FIG. 4 shows the constituent elements of the pseudorandom number generation means 113 necessary for executing the entropy information extraction process of step S203. In the figure, pseudo random number generation means 113 extracts data S to be transmitted to server 120 by extraction means 115 from entropy information 114. The entropy information 114 is a memory and holds data # 1 to # 4... Corresponding to the type of entropy source. The extraction unit 115 extracts a part of the entropy information 114 and generates extracted data S for transmission.

  FIG. 4 schematically shows a rule for generating data S by extracting every other bit (column) in units of bits or symbols. In addition, regarding a source that guarantees randomness, such as source # 3 in FIG. As shown in FIG. 4, these extraction rules may be dynamically set from the server 120 to the terminal 110.

  Next, the detailed operation of step S205 in FIG. 3 will be described with reference to FIG.

  FIG. 5 shows a flowchart for explaining the detailed operation of the entropy information transmission processing step S205. In the entropy information transmission process of step S205, first, the pseudorandom number generation means 113 generates and outputs a pseudorandom number (a bit string of a fixed length) R used for public key encryption (step S2051). Subsequently, the key sharing / public key encryption unit 112 uses the bit string R as a random number and extracts it from the state update data for updating the internal state of the pseudo random number generation unit 113 by the pseudo random number generation unit 113. Data obtained by encrypting the extracted data S with the public key is generated (step S2052). Then, the key sharing / public key encryption unit 112 transmits the extracted data S encrypted in step S2052 to the server 120 (step S2053).

  Next, the key sharing process of the server 120 will be described with reference to FIG.

  FIG. 6 is a flowchart for explaining the operation of the key sharing process of the server 120. First, the randomness evaluation unit 124 in the server 120 executes a randomness determination process for the internal state of the pseudorandom number generation unit 113 of the terminal 110 (step S301). The detailed operation of this randomness determination processing step S301 will be described later.

  Subsequently, the key sharing / public key decrypting means 123 in the server 120 determines whether or not the randomness determination result obtained in step S301 is acceptable (step S302). If the randomness determination result is acceptable, the key sharing / public key decrypting unit 123 proceeds to step S306 to execute the key sharing process by the key sharing algorithm, and if the randomness determination result is unacceptable, the following step S303 is performed. The process of S305 is executed.

  In step S303, the key sharing / public key decrypting means 123 receives the encrypted data transmitted in step S2053 in FIG. 5 from the terminal 110, decrypts it, and obtains the extracted data S from the entropy information of the terminal 110. . In the subsequent step S304, the randomness evaluation unit 124 calculates the randomness (information amount) of the current entropy information of the terminal 110 based on the extracted data S input from the key sharing / public key decryption unit 123, and the randomness. The determination is performed, and the statistical value of the extracted data in the randomness evaluation unit 124 is updated. The detailed operation of this randomness evaluation / update processing step S304 will be described later.

  In step S305, the key sharing / public key decrypting unit 123 determines whether the randomness determination result obtained in step S304 is acceptable. If the randomness determination result is acceptable, the key sharing / public key decryption unit 123 proceeds to step S306 to execute the key sharing process by the key sharing algorithm, and if the randomness determination result is unacceptable, the key sharing process is performed. finish.

  Next, the detailed operation of step S301 in FIG. 6 will be described with reference to FIG.

  FIG. 7 shows a flowchart for explaining the detailed operation of the randomness determination processing step S301. In step S301, the randomness evaluation unit 124 manages a numerical value for estimating the randomness of the current internal state for each terminal 110 (hereinafter referred to as cumulative entropy E). Hereinafter, the flowchart of FIG. 7 will be described.

  The randomness evaluation unit 124 receives the state status transmitted from the terminal 110 through the key sharing / public key decryption unit 123 (step S3011), and determines whether or not the state status is “0” (step S3012). When it is determined that the status status is “0”, the randomness evaluation means 124 determines that the terminal 110 is in a startup state, and resets the accumulated entropy E corresponding to the terminal 110 to “0” (step S3013), the randomness determination result indicating failure is notified to the terminal 110 through the key sharing / public key decryption means 123 (step S3014).

  On the other hand, when it is determined in step S3012 that the status status is not “0”, the randomness evaluation unit 124 determines that the terminal 110 is not in the starting state, and the value of the cumulative entropy E corresponding to the terminal is determined in advance. It is determined whether or not the set threshold value T is exceeded (step S3015). When it is determined in step S3015 that the cumulative entropy E is less than the threshold value T, the process proceeds to step S3014, and a randomness determination result indicating failure is notified to the terminal 110 through the key sharing / public key decryption unit 123.

  On the other hand, when the randomness evaluation unit 124 determines in step S3015 that the cumulative entropy E is greater than or equal to the threshold value T, the randomness determination result indicating pass to the terminal 110 is passed through the key sharing / public key decryption unit 123. Notification is made (step S3016). Subsequently, the randomness evaluation unit 124 updates the cumulative entropy E of the terminal 110 (step S3017). This update is made smaller in accordance with the amount of random number sequences used in the key sharing algorithm. Since a certain amount of random number sequences are used in the key sharing algorithm, typically, a constant is reduced with respect to the cumulative entropy E. Done in

  Next, the detailed operation of step S304 will be described with reference to FIG.

  FIG. 8 shows a flowchart for explaining the detailed operation of the randomness evaluation / update processing step S304. In the randomness evaluation / update processing step S304, first, the randomness evaluation means 124 uses the frequency table of the entropy information that is held, based on the extracted data S restored in step S303, The entropy held by the entropy information is estimated (step S3041). In this step S3041, if the frequency table is, for example, a frequency table composed of the bit pattern and frequency in the restored extracted data, the probability of occurrence of the bit pattern of the received and restored extracted data is estimated based on the frequency table. To do.

  Subsequently, the randomness evaluation unit 124 updates the accumulated entropy E of the internal state of the pseudorandom number generation unit 113 of the terminal 110 using the entropy estimated in step S3041 (step S3042). This update is typically performed by adding the entropy estimated in step S3041 to the cumulative entropy E under an upper limit determined from a pseudorandom number generation algorithm.

  Subsequently, the randomness evaluation unit 124 updates the held entropy information frequency table based on the extracted data S received and restored (step S3043). The update timing of the frequency table does not need to be performed following the process of step S3042, and can be performed after the key sharing process is completed.

  Subsequently, the randomness evaluation unit 124 determines whether or not the value of the cumulative entropy E corresponding to the terminal 110 is equal to or greater than a preset threshold value T as in step S3015 (step S3044). When it is determined in step S3044 that the cumulative entropy E is less than the threshold T, the process proceeds to step S3047, and a randomness determination result indicating failure is notified to the terminal 110 through the key sharing / public key decryption unit 123.

  On the other hand, when the randomness evaluation unit 124 determines in step S3044 that the cumulative entropy E is greater than or equal to the threshold T, the randomness evaluation result indicating pass to the terminal 110 is passed through the key sharing / public key decryption unit 123. Notification is made (step S3045). Subsequently, the randomness evaluation unit 124 updates the cumulative entropy E of the terminal 110 in the same manner as in step S3017 (step S3046).

  FIG. 9 is a schematic diagram illustrating an example of a frequency table of entropy information used in steps S3041 and S3043. As schematically shown in FIG. 9A, the frequency table is a table in which each terminal and each source of the entropy source are associated with each other, and each column of the table is a server as shown in FIG. 9B. 120 is composed of the bit pattern and its frequency in the extracted data decoded. Here, “frequency” indicates the probability of the occurrence of the corresponding bit pattern. A frequency table in which the total of terminals is calculated for each source is also conceivable. It is also conceivable to prepare a plurality of such frequency tables in consideration of the time history from the startup.

  FIG. 10 is a schematic diagram of another example of the entropy information frequency table used in steps S3041 and S3043. The frequency table of another example is a table in which the number of activations and each source of the entropy source are associated with each terminal, as schematically shown in FIG. 10 (A). As shown in (B), it is composed of a bit pattern of entropy information after activation and its frequency. When this frequency table is used, it is possible to estimate the entropy of the internal state of the pseudorandom number generator 113 in consideration of the change in entropy information after activation.

  Next, the main part of the above embodiment will be described more specifically and in detail.

  The aforementioned Diffie-Hellman key sharing algorithm can be applied to the key sharing algorithm in step S208 in the terminal 110 and the key sharing algorithm in step S306 in the server 120. At this time, as the public key encryption algorithm of the extracted data S used in step S205, it is natural to apply ElGamal encryption using the same domain parameter and public key as the key sharing algorithm.

  In the ElGamal encryption in step S205, using the description used in FIG. 14, pseudo-random number generation means 113 for domain parameters p (modulus prime number) and g (generation source) of the Diffie-Hellman key sharing algorithm. Is used to convert the extracted data S into ciphertext C according to the following equation.

C = (g ^R mod p, S · y (i) ^R mod p) (1)
In step S113, the server 120 calculates y (i) ^R mod p = (g ^R ) ^{x (i)} mod p (2) from the secret key x (i) and g ^R mod p in the received ciphertext C.
And the extracted data S is decoded by the following equation.

S · y (i) ^R / y (i) ^R mod p = S (3)
The guarantee of the validity of the above p, g, and y (i) can be realized in the same manner as described with reference to FIG.

  Typical entropy sources when the terminal 110 is a computer include process ID, hard disk seek time, communication time with the server 120, program execution time, etc., as described above. It is also conceivable to use an external random number generation means provided by the system as an entropy source.

  At this time, as shown in FIG. 11, a part of the output of the external random number generation unit is used as an entropy source held in the entropy information 114 of the pseudo random number generation unit 113, and the remaining output of the external random number generation unit is generated as a pseudo random number. A method of generating a final pseudorandom number by adding the output series obtained by the output generation process 116 of the means 113 and the adder 117 is conceivable.

  Further, as a pseudo-random number generation algorithm used by the pseudo-random number generation unit 113 in the terminal 110, for example, any secure algorithm assured in Non-Patent Document 2 can be used. When the SHA-256 is used as the HMAC hash function in the pseudo-random algorithm using the HMAC shown in FIG. It becomes natural to do. At this time, when updating the cumulative entropy E in step S3042 in the server 120, the update process is performed with this value as the upper limit. The threshold T used in steps S3015 and S3044 is a security parameter set by the system, and is generally set to “112” or more in the pseudorandom number generation algorithm using the SHA-256 HMAC.

  Also, the bit pattern corresponding to the sources # 1, # 2, # 3,... Of the extracted data S is (s_1, s_2, s_3,...), And the bit pattern obtained from the frequency table shown in FIG. If the estimated probability of s_i is p_i, the randomness (information amount) of the extracted data S can be estimated by the following equation under the assumption that each source is independent.

h (S) =-log p_1-log p_2-log p_3 (4)
Here, the bottom of log in the formula (4) is 2. The unit of h (S) is a bit. When the statistics of the frequency table are not sufficient, it is appropriate to determine the estimation probability p_i in consideration of the correction value based on Bayesian estimation. It is also conceivable that the frequency table is generated after sufficiently learning and used.

  Further, in the frequency table shown in FIG. 9, since the estimated probability p_i is obtained for each of the terminals 110 and the total for the extracted data S, h (S) can also be calculated accordingly. . At this time, it is appropriate to estimate the randomness of the extracted data S with the minimum value. As described above, in this embodiment, by collecting the entropy information of each terminal 110 in the server 120, randomness with respect to other terminals can also be measured, so that the accuracy of randomness evaluation can be improved. it can.

Since the extracted data S used by the randomness evaluation unit 124 in the server 120 is a part of the entropy information of the pseudorandom number generation unit 113, the estimated value H of the randomness of the entropy information of the pseudorandom number generation unit 113 is , (4) H = λh (S) (5)
And a method of deriving by setting the coefficient λ can be considered.

  When the extracted data S is generated by extracting bits from the entire entropy information at the ratio ρ, the coefficient λ is simply set to 1 / ρ. However, when the extracted data S and the remaining portion of the entropy information cannot be regarded as independent, it is appropriate to set the coefficient λ to a value smaller than 1 / ρ. In addition, although this independence is assumed, it is conceivable that the coefficient λ is set to 1 / (ρ−1) when leakage at the time of transmission to the server 120 is assumed. Considering these matters comprehensively, the server 120 quantifies the randomness of the entropy information of the terminal 110 from the extracted data S.

  Further, the update of the cumulative entropy E in step S3017 in FIG. 7 and step S3046 in FIG. 8 is a process of reducing the cumulative entropy E according to the amount of the random number sequence used in key sharing. Considering an attack in which the internal state of the pseudo-random number generating means 113 is randomly set to generate a sequence and matching with the actually generated random number sequence to estimate the internal state, the same table Then, the success probability of the attack is proportional to the length of the actually acquired random number sequence.

  Therefore, if a random number sequence of length L is used in the key sharing algorithm, the update of the cumulative entropy E in steps S3017 and S3046 described above is a process of subtracting the constant represented by A in the following equation from the current cumulative entropy E. I do.

E ← E−A, A = log (L) + c (6)
However, in the formula (6), c is an appropriate constant.

  Since the random number sequence having the same length as the key sharing algorithm is used in the public key encryption process of the extracted data S in step S205, the update of the cumulative entropy E in step S3042 in FIG. The value to be added is added to the current cumulative entropy E.

E ← E + B, B = max (HA, 0) (7)
However, in the formula (7), H and A are values indicated by the formula (5) and the formula (6), respectively, and max (x, y) is selected as a larger value between x and y. It is a function.

  As described above, in the key sharing method of the present embodiment, since the server 120 performs the determination of the randomness of the pseudorandom number generated by the terminal 110 (the determination of the randomness of the internal state of the pseudorandom number generation unit 113), the terminal 110 itself However, it is not necessary to verify the randomness of the pseudo-random numbers, thereby eliminating the problem of setting evaluation criteria and the risk of information leakage when the terminal 110 performs verification.

  Further, in the key sharing method of the present embodiment, since the terminal 110 itself encrypts the entropy information of the terminal 110 and transmits it to the server 120, it leaks even if data on the communication path is acquired by a third party. Information can be suppressed. Further, in the present embodiment, by applying public key encryption, the terminal 110 does not need to hold a secret key, and domain parameters and public key public information are transmitted to the terminal using a key sharing algorithm and public key encryption. Since 110 and the server 120 are shared, additional processing such as a validity check becomes unnecessary. Furthermore, in this embodiment, since the server 120 aggregates the entropy information of each terminal 110, the accuracy of randomness evaluation can be improved.

  The present invention is not limited to the above embodiment, and includes, for example, a key sharing program that causes each operation of the key sharing module 111 or 122 to be executed by a computer in the terminal 110 or the server 120, respectively. is there.

  A part or all of the above-described embodiment can be described as in the following supplementary notes, but is not limited thereto.

(Appendix 1)
A key sharing method between a server that is a host device and one or more terminals,
The terminal
A pseudo-random number generating means for generating a pseudo-random number and extracting a part of the state update data for updating the internal state;
Public key cryptography that encrypts the extracted data that is a part of the state update data extracted by the pseudo random number generation means based on a predetermined public key algorithm using the pseudo random number and transmits it to the server And means for
The server
Public key decryption means for receiving the public key cipher transmitted from the terminal and decrypting the extracted data;
Based on the decoded extracted data, a cumulative entropy that is a numerical value for estimating the randomness of the current internal state of the pseudo-random number generating means of the terminal is generated, and a comparison result between the cumulative entropy and a predetermined threshold value Randomness evaluation means for generating the randomness determination result of the internal state of the pseudorandom number generation means based on
And a first key sharing unit that executes a key sharing process using a predetermined first key sharing algorithm when the randomness determination result indicates success.

(Appendix 2)
The randomness evaluation means has a function of transmitting the randomness determination result to the terminal,
The terminal receives the randomness determination result transmitted from the server, and executes the public key encryption by the public key encryption means when the random determination result indicates failure, and the random The key sharing method according to appendix 1, further comprising second key sharing means for executing a key sharing process using a predetermined second key sharing algorithm when the determination result indicates success.

(Appendix 3)
The key sharing method according to claim 1, wherein the randomness evaluation unit generates the randomness determination result indicating pass when the cumulative entropy is equal to or greater than the threshold, and indicating failure when the cumulative entropy is less than the threshold. method.

(Appendix 4)
The key sharing according to claim 1, wherein the server has setting means for dynamically setting an extraction rule for extracting a part of the state update data for the pseudo-random number generation means of the terminal. method.

(Appendix 5)
The terminal has external random number generation means;
The pseudo random number generation means uses a part of the output of the external random number generation means as an entropy source of the pseudo random number generation means, adds the remainder of the output of the external random number generation means to an output sequence, and The key sharing method according to appendix 1, wherein a final pseudo-random number to be supplied to the generating means is generated.

(Appendix 6)
The randomness evaluation means includes a frequency table of bit patterns in the decoded extracted data, estimates the occurrence probability of the bit pattern of the extracted data received and decoded using the frequency table, and estimates The key sharing method according to supplementary note 1, wherein the cumulative entropy is updated with the result, and the updated cumulative entropy is used to determine the randomness of the internal state of the pseudorandom number generating means of the terminal.

(Appendix 7)
The key sharing method according to appendix 6, wherein the frequency table is a frequency table for each of the terminals connected to the server or for all the terminals.

(Appendix 8)
The key sharing method according to appendix 6 or 7, wherein the randomness evaluation unit updates the frequency table based on the decrypted extracted data after the cumulative entropy update.

(Appendix 9)
The public key encryption performed by the public key encryption unit and the key sharing process performed by the first key sharing unit use the same public key parameter, wherein the same public key parameter is used. Key sharing method.

(Appendix 10)
The public key encryption means performs public key encryption using ElGamal encryption, and the first and second key sharing means perform key sharing processing using a Diffie-Hellman key sharing algorithm. The key sharing method according to claim 8.

(Appendix 11)
A key sharing method between a server that is a host device and one or more terminals,
A first step of generating a pseudo-random number by the pseudo-random number generator in the terminal and extracting a part of the state update data for updating the internal state of the pseudo-random number generator;
The terminal transmits the extracted data, which is a part of the state update data extracted in the first step, to the server by public key encryption using the pseudo random number based on a predetermined public key algorithm. A second step of:
A third step in which the server receives the public key cipher transmitted from the terminal and decrypts the extracted data;
A fourth step of generating cumulative entropy, which is a numerical value for estimating the randomness of the current internal state of the pseudorandom number generation means of the terminal, based on the decoded extracted data in the server;
A fifth step of generating the randomness determination result of the internal state of the pseudo-random number generation means based on a comparison result between the cumulative entropy generated in the fourth step and a predetermined threshold;
And a sixth step of executing a key sharing process by a predetermined first key sharing algorithm when the randomness determination result is acceptable in the server.

(Appendix 12)
A seventh step of transmitting the randomness determination result generated in the fifth step to the terminal;
An eighth step in which the terminal receives the randomness determination result transmitted from the server and determines whether the randomness determination result indicates pass;
When the random determination result indicates failure in the eighth step, the public key encryption in the second step is executed, and when the random determination result indicates success, a predetermined second The key sharing method according to claim 11, further comprising: a ninth step of executing a key sharing process based on the key sharing algorithm.

(Appendix 13)
The key sharing according to claim 11, wherein the fifth step generates the randomness determination result indicating pass when the cumulative entropy is greater than or equal to the threshold, and indicating failure when the cumulative entropy is less than the threshold. Method.

(Appendix 14)
The key sharing method according to claim 11, wherein the server includes a tenth step of dynamically setting an extraction rule for extracting a part of the state update data in the first step of the terminal. .

(Appendix 15)
The first step uses a part of the output of the external random number generation unit as an entropy source to extract a part of the state update data, and adds the remainder of the output of the external random number generation unit to the output sequence. The key sharing method according to appendix 11, wherein a final pseudo-random number used in the second step is generated.

(Appendix 16)
The fifth step estimates a probability of occurrence of a bit pattern of the extracted data received and decoded using a frequency table of bit patterns in the decoded extracted data, and the cumulative entropy is calculated based on the estimation result. 12. The key sharing method according to appendix 11, wherein the updated entropy is used for determining the randomness of the internal state of the pseudorandom number generating means of the terminal.

(Appendix 17)
The key sharing method according to supplementary note 16, wherein the frequency table is a frequency table for each of the terminals connected to the server or for all the terminals.

(Appendix 18)
The key sharing method according to supplementary note 16 or 17, wherein the fifth step updates the frequency table based on the decrypted extracted data after the cumulative entropy update.

(Appendix 19)
The key sharing according to any one of appendices 11 to 18, wherein the public key encryption in the second step and the key sharing process in the sixth step use the same public key parameters. Method.

(Appendix 20)
The second step includes public key encryption using ElGamal encryption, and the sixth step and the eighth step perform key sharing processing using a Diffie-Hellman key sharing algorithm. The key sharing method according to claim 18.

(Appendix 21)
A key sharing program that causes a computer of one or more terminals connected to a server that is a host device to perform key sharing processing,
In the computer,
An extraction step of generating a pseudo-random number and extracting a part of the state update data for updating the internal state of the pseudo-random number generation;
Public key encryption, wherein the extracted data, which is a part of the state update data extracted in the extraction step, is public key encrypted based on a predetermined public key algorithm using the pseudo random number and transmitted to the server; A key sharing program characterized by causing the transmission step to be executed.

(Appendix 22)
Decrypting the public key encrypted extracted data received by the server, receiving the randomness determination result of the internal state of the pseudo-random number that is decrypted and generated and transmitted based on the extracted data; A determination step of determining whether or not the randomness determination result indicates success;
The public key encryption and the public key encryption by the transmission step are executed when the random determination result indicates failure in the determination step, and a predetermined key is selected when the random determination result indicates pass The key sharing program according to appendix 21, further comprising: a key sharing step for executing a key sharing process using a sharing algorithm.

(Appendix 23)
A key sharing program for causing a computer of a server, which is a host device connected to one or more terminals, to perform key sharing processing,
In the computer,
The terminal generates a pseudo random number, receives a public key cipher transmitted by public key encrypting a part of state update data for updating the internal state of the pseudo random number based on a predetermined public key algorithm A decoding step of decoding the extracted data that is part of the state update data;
A cumulative entropy generating step of generating a cumulative entropy that is a numerical value for estimating the randomness of the current internal state of the pseudo-random number of the terminal based on the decoded extracted data;
A randomness determination result generation step for generating the randomness determination result of the internal state of the pseudorandom number based on a comparison result between the generated cumulative entropy and a predetermined threshold;
And a key sharing step for executing a key sharing process using a predetermined first key sharing algorithm when the randomness determination result is acceptable.

100 Key sharing method 110, 503 Terminal 112 Key sharing / public key encryption means 113 Pseudorandom number generation means 114 Entropy information (memory)
115 Extraction means 116 Output generation processing 117 Adder 120, 502 Server 121 Random number generation means 122, 111 Key sharing module 123 Key sharing / public key decryption means 124 Randomness evaluation means 500 Cryptographic communication system 501 Parameter generation means

Claims (10)

A key sharing method between a server that is a host device and one or more terminals,
The terminal
A pseudo-random number generating means for generating a pseudo-random number and extracting a part of the state update data for updating the internal state;
Public key cryptography that encrypts the extracted data that is a part of the state update data extracted by the pseudo random number generation means based on a predetermined public key algorithm using the pseudo random number and transmits it to the server And means for
The server
Public key decryption means for receiving the public key cipher transmitted from the terminal and decrypting the extracted data;
Based on the decoded extracted data, a cumulative entropy that is a numerical value for estimating the randomness of the current internal state of the pseudo-random number generating means of the terminal is generated, and a comparison result between the cumulative entropy and a predetermined threshold value Randomness evaluation means for generating the randomness determination result of the internal state of the pseudorandom number generation means based on
And a first key sharing unit that executes a key sharing process using a predetermined first key sharing algorithm when the randomness determination result indicates success. The randomness evaluation means has a function of transmitting the randomness determination result to the terminal,
The terminal receives the randomness determination result transmitted from the server, and executes the public key encryption by the public key encryption means when the random determination result indicates failure, and the random 2. The key sharing method according to claim 1, further comprising second key sharing means for executing key sharing processing by a predetermined second key sharing algorithm when the determination result indicates success.   2. The key according to claim 1, wherein the server has setting means for dynamically setting an extraction rule for extracting a part of the state update data for the pseudo-random number generation means of the terminal. Sharing method. The terminal has external random number generation means;
The pseudo random number generation means uses a part of the output of the external random number generation means as an entropy source of the pseudo random number generation means, adds the remainder of the output of the external random number generation means to an output sequence, and 2. The key sharing method according to claim 1, wherein a final pseudo-random number to be supplied to the converting means is generated.   The randomness evaluation means includes a frequency table of bit patterns in the decoded extracted data, estimates the occurrence probability of the bit pattern of the extracted data received and decoded using the frequency table, and estimates 2. The key sharing method according to claim 1, wherein the cumulative entropy is updated with the result, and the updated cumulative entropy is used to determine the randomness of the internal state of the pseudo random number generation means of the terminal. A key sharing method between a server that is a host device and one or more terminals,
A first step of generating a pseudo-random number by the pseudo-random number generator in the terminal and extracting a part of the state update data for updating the internal state of the pseudo-random number generator;
The terminal transmits the extracted data, which is a part of the state update data extracted in the first step, to the server by public key encryption using the pseudo random number based on a predetermined public key algorithm. A second step of:
A third step in which the server receives the public key cipher transmitted from the terminal and decrypts the extracted data;
A fourth step of generating cumulative entropy, which is a numerical value for estimating the randomness of the current internal state of the pseudorandom number generation means of the terminal, based on the decoded extracted data in the server;
A fifth step of generating the randomness determination result of the internal state of the pseudo-random number generation means based on a comparison result between the cumulative entropy generated in the fourth step and a predetermined threshold;
And a sixth step of executing a key sharing process by a predetermined first key sharing algorithm when the randomness determination result is acceptable in the server. A seventh step of transmitting the randomness determination result generated in the fifth step to the terminal;
An eighth step in which the terminal receives the randomness determination result transmitted from the server and determines whether the randomness determination result indicates pass;
When the random determination result indicates failure in the eighth step, the public key encryption in the second step is executed, and when the random determination result indicates success, a predetermined second The key sharing method according to claim 6, further comprising: a ninth step of executing a key sharing process according to the key sharing algorithm.   The key sharing according to claim 6, wherein the server includes a tenth step of dynamically setting an extraction rule for extracting a part of the state update data in the first step of the terminal. Method. A key sharing program that causes a computer of one or more terminals connected to a server that is a host device to perform key sharing processing,
In the computer,
An extraction step of generating a pseudo-random number and extracting a part of the state update data for updating the internal state of the pseudo-random number generation;
Public key encryption, wherein the extracted data, which is a part of the state update data extracted in the extraction step, is public key encrypted based on a predetermined public key algorithm using the pseudo random number and transmitted to the server; A key sharing program characterized by causing the transmission step to be executed. Decrypting the public key encrypted extracted data received by the server, receiving the randomness determination result of the internal state of the pseudo-random number that is decrypted and generated and transmitted based on the extracted data; A determination step of determining whether or not the randomness determination result indicates success;
The public key encryption and the public key encryption by the transmission step are executed when the random determination result indicates failure in the determination step, and a predetermined key is selected when the random determination result indicates pass The key sharing program according to claim 9, further comprising: a key sharing step for executing a key sharing process using a sharing algorithm.

Images