JP2024000429A - Electronic information storage medium, key generating method, program, ic chip and key generation system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide an electronic information storage medium, a key generating method, a program, an IC chip, and a key generation system with enhanced security in a key generation process.

SOLUTION: An electronic information storage medium 10 for using a key in a lattice cipher includes the steps of: generating a random number of a predetermined random number length to generate a polynomial for a key (S1, S2); and obtaining the key using the polynomial generated by the random number.

SELECTED DRAWING: Figure 4

COPYRIGHT: (C)2024,JPO&INPIT

Description

The present invention relates to the technical field of electronic information storage media, key generation methods, programs, IC chips, and key generation systems that utilize keys in lattice cryptography.

Once quantum computers are realized, existing cryptographic algorithms will be able to be solved in a short time, and in particular, public key cryptosystems such as RSA (Rivest-Shamir-Adleman cryptosystem) can be analyzed using the Shor algorithm. It has been known. As a countermeasure to quantum computers, quantum-resistant computer cryptography such as lattice cryptography exists. For example, Patent Document 1 describes a generation device that generates a public key in public key cryptography using basis vectors of a rotated lattice space obtained by rotating a lattice space defined using a polynomial ring by a predetermined rotation matrix. is disclosed.

JP 2019-32377 Publication

However, the conventional key generation device described above uses basis vectors rotated by a rotation matrix, but the key generation method itself is not protected, so depending on the key generation device, tampering may result in an unauthorized key. There was a problem in that there was a possibility that .

The present invention has been made in view of the above-mentioned problems, and aims to provide an electronic information storage medium, a key generation method, a program, an IC chip, and a key generation system with enhanced security in key generation. .

In order to solve the above problem, the invention according to claim 1 provides a secure element for using a key in lattice cryptography, in which a random number of a predetermined random number length is used to generate a polynomial for the key. The present invention is characterized by comprising: a random number generation means for generating a random number, and a key acquisition means for acquiring the key based on the polynomial generated from the random number.

The invention according to claim 2 is characterized in that the electronic information storage medium according to claim 1 further includes random number output means for outputting the random number to a control device that generates the polynomial.

According to a third aspect of the invention, in the electronic information storage medium according to the second aspect, in order to generate the polynomial, based on random number output determination information regarding whether or not to output the random number to the control device, A random number output means outputs the random number to the control device.

The invention according to claim 4 is characterized in that the electronic information storage medium according to claim 1 further includes polynomial generation means for generating the polynomial from the random number.

The invention according to claim 5 is characterized in that the electronic information storage medium according to claim 4 further includes polynomial output means for outputting the polynomial to a control device that generates the polynomial.

According to a sixth aspect of the invention, in the electronic information storage medium according to the fifth aspect, the polynomial output means outputs the polynomial based on polynomial output determination information regarding whether or not to output the polynomial to the control device. is output to the control device.

The invention according to claim 7 is a key generation method executed by an electronic information storage medium for using a key in a lattice cryptography, in which a polynomial of a predetermined random number length is used to generate a polynomial for the key. The method is characterized in that it includes a random number generation step of generating a random number, and a key acquisition step of acquiring the key based on the polynomial generated by the random number.

The invention according to claim 8 provides a computer included in an electronic information storage medium for using a key in a lattice cipher, a random number that generates a random number of a predetermined random number length in order to generate a polynomial for the key. It is characterized in that it functions as a generation means and a key acquisition means for acquiring the key based on the polynomial generated using the random number.

The invention according to claim 9 is an IC chip for using a key in lattice cryptography, comprising: random number generation means for generating a random number of a predetermined random number length in order to generate a polynomial for the key; The method is characterized by comprising a key acquisition means for acquiring the key based on the polynomial generated by the random number.

The invention according to claim 10 provides a key generation system comprising: an electronic information storage medium for using a key in a lattice cipher; and a control device that controls the electronic information storage medium to generate the key. The electronic information storage medium includes a random number generation unit that generates a random number of a predetermined random number length in order to generate a polynomial for the key, and a key acquisition unit that acquires the key using the polynomial generated from the random number. It is characterized by having the following.

According to the present invention, there is provided an electronic information storage medium for using a key in a lattice cryptography, which generates random numbers of a predetermined random number length in order to generate a polynomial for the key, and generates a polynomial generated from the random numbers. By obtaining the key according to the method, it is possible to generate random numbers necessary for generating the polynomial within the electronic information storage medium, and therefore security in key generation can be strengthened.

1 is a diagram illustrating a schematic configuration example of a key generation system for lattice cryptography according to a first embodiment; FIG. 2 is a diagram illustrating an example of a schematic configuration of a secure element in FIG. 1. FIG. 2 is a diagram illustrating an example of a schematic configuration of a control device in FIG. 1. FIG. 7 is a flowchart illustrating an example of key generation operations for the lattice cipher according to the first embodiment. 3 is a flowchart illustrating an example of a subroutine for polynomial generation of a lattice cipher. 7 is a flowchart showing the key generation operation of the lattice cipher according to the second embodiment.

Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings. The embodiment described below is an embodiment in which the present invention is applied to a lattice cryptographic key generation system.

(First embodiment)
[1. General configuration and functions of lattice cryptographic key generation system 1]
First, a schematic configuration of a lattice cryptographic key generation system 1 according to a first embodiment of the present invention will be described with reference to FIG. 1 and the like. FIG. 1 is a diagram showing a schematic configuration example of a lattice cryptographic key generation system 1 according to the first embodiment.

As shown in FIG. 1, a key generation system 1 for lattice encryption includes a secure element 10 for lattice encryption and a control device 20 that can control the secure element 10.

The secure element 10 is an example of an electronic information storage medium or an IC chip, and is, for example, a tamper-resistant IC chip. The form of the secure element 10 includes an eSE (embedded secure element) form, a SIM card (subscriber identity module card) form, and the like. The secure element 10 is installed, for example, in an IC card such as a credit card or cash card, a control device such as an ECU (Electronic Control Unit), or a mobile device such as a smartphone. In the case of a mobile device such as a smartphone, the secure element 10 may be mounted on a small IC card that is removable from the mobile device, or may be installed as an eUICC (Embedded Universal Integrated Circuit Card) so that it cannot be easily removed or replaced from the mobile device. It may also be mounted on a built-in board.

The control device 20 is a device that can be connected to the secure element 10 and has computer functions. For example, the control device 20 may be an issuing machine at a manufacturing factory of the secure element 10, or may be a mobile device equipped with the secure element 10. The control device 20 may be an ECU, a POS terminal (POS: Point of Sales), a personal computer connectable to the secure element 10, a tablet computer, or the like. Note that the control device 20 may be a server device connected via a network such as the Internet.

The connection between the secure element 10 and the control device 20 may be a contact type or a non-contact type. In the case of a contact type, the secure element 10 has a contact terminal. In the case of a non-contact type, the secure element 10 has an antenna capable of communicating with the control device 20, and may be connected to the control device 20 by short-range wireless communication. For example, NFC (Near Field Communication), Bluetooth (registered trademark), or UWB (Ultra Wide Band) technology is used for near field communication.

Here, there are NTRU schemes, LWE schemes, AD schemes, GGH schemes, etc. as lattice encryption schemes, but lattice schemes that use polynomials for key generation, like the NTRU scheme, are preferable.

Next, a general configuration example of the secure element 10 will be explained. FIG. 2 is a diagram showing an example of a schematic configuration of the secure element 10. As shown in FIG.

As shown in FIG. 2, the secure element 10 includes a communication section 11, a storage section 12, a control section 14, and the like.

The communication unit 11 serves as an interface with the control device 20. The communication unit 11 has a contact terminal in the case of a contact type, and has an antenna for communication with the control device 20 in the case of a non-contact type.

The storage unit 12 is a nonvolatile memory such as a flash memory or an electrically erasable programmable read-only memory. The storage unit 12 stores data necessary for generating keys in lattice cryptography and data such as secret keys necessary for secure communication. The secure element 10 securely communicates with an external device and performs a digital signature using a key in the lattice cipher stored in the storage unit 12.

Note that the storage unit 12 may store information regarding the ability of the secure element 10 to calculate a lattice cipher. Information regarding the ability to calculate a lattice cipher, which is an example of random number output determination information, includes specifications of the control unit 13 such as calculation speed, calculation accuracy, number of digits of calculation, memory space capacity, etc. of the control unit 13, and memory of the secure element 10. , the remaining capacity of the memory of the secure element 10, etc.

The control unit 13 includes a RAM (Random Access Memory), a ROM (Read Only Memory) 14, a CPU (Central Processing Unit), and the like. The control unit 13 has a random number generation function and the like. The random number generation function may be realized by software or hardware. The secure element 10 functions as a computer, and the control unit 13 performs various calculations and processes according to programs.

The storage unit 12, ROM, etc. stores an operating system and programs such as applications (including the program of the present invention). Here, the application includes an application necessary for generating a key in lattice cryptography.

Next, an example of a schematic configuration of the control device 20 will be described. FIG. 3 is a diagram showing an example of a schematic configuration of the control device 20. As shown in FIG.

As shown in FIG. 3, the control device 20 includes a communication section 21, a storage section 22, a display section 23, an operation section 24, a system control section 25, and an input/output interface section 26. The system control section 25 and the input/output interface section 26 are connected via a system bus 27.

The communication unit 21 serves as an interface with the secure element 10. The communication unit 21 has a contact terminal when the secure element 10 is a contact type, and has an antenna for communication with the secure element 10 when the secure element 10 is a non-contact type.

The storage unit 22 is configured by, for example, a hard disk drive, a solid state drive, or the like. The storage unit 22 stores an operating system and applications. Applications include polynomial generation programs, lattice cryptographic calculation programs, and the like.

Note that the storage unit 22 may store information regarding the ability of the secure element 10 to calculate a lattice cipher.

The display section 23 is configured by, for example, a liquid crystal display element or an organic EL (Electro Luminescence) element. The operation unit 24 includes, for example, a keyboard and a mouse.

The system control unit 25 includes, for example, a CPU, a RAM, and a ROM. In the system control unit 25, the CPU reads and executes various programs stored in the ROM, RAM, and storage unit 22. For example, the system control unit 25 calculates a polynomial for a lattice cipher or a lattice cipher. Note that the system control unit 25 may have a configuration that does not include a ROM.

The input/output interface section 26 is an interface between the communication section 21, the storage section 22, etc., and the system control section 25.

[2. Operation of lattice cryptographic key generation system 1]
Next, the operation of the lattice cryptographic key generation system 1 will be described with reference to the drawings. FIG. 4 is a flowchart illustrating an example of key generation operations for the lattice cipher according to the first embodiment. FIG. 5 is a flowchart showing an example of a subroutine for polynomial generation of lattice cryptography.

(2.1 Operation of key generation for lattice cryptography)
As shown in FIG. 4, the lattice cryptographic key generation system 1 sets a necessary random number length for the secure element 10 (step S1). Specifically, the control device 20 transmits information on a predetermined random number length necessary for key generation of the lattice cipher to the secure element 10, depending on the security level and the like. Note that within the secure element 10, the predetermined random number length may be determined in advance. Furthermore, if the random number length has been specified in advance or is a fixed length, this step may be omitted.

Next, the lattice cryptographic key generation system 1 generates random numbers within the secure element (step S2). Specifically, the control unit 13 of the secure element 10 generates a plurality of random numbers with a predetermined random number length based on the random number length information from the control device 20. Note that the required number of random numbers are generated in a polynomial generation subroutine for the lattice cipher, which will be described later. In this way, the secure element 10 functions as an example of a random number generation means that generates random numbers of a predetermined random number length in order to generate a polynomial for a key.

Next, the lattice cryptographic key generation system 1 outputs the random number generated by the secure element 10 to the control device 20 (step S3). Specifically, the control unit 13 of the secure element 10 transmits the generated random numbers to the control device 20 via the communication unit 11. Note that when outputting random numbers, a check code such as a cyclic redundancy check may be added to the random numbers in order to guarantee the integrity of the random numbers.

If there is no error in the random numbers, the control device 20 stores the received random numbers in the storage unit 22 or the RAM of the system control unit 25 or the like. If there is an error in the random number, the control device 20 requests the secure element 10 for the random number again.

Note that if the environment of the lattice cryptographic key generation system 1 is bad, the secure element 10 and the control device 20 may perform secure communication such as mutual authentication. In this way, the secure element 10 functions as an example of a random number output means that outputs random numbers to a control device that generates a polynomial.

Next, the lattice cryptographic key generation system 1 generates a polynomial using random numbers (step S4). Specifically, the control device 20 determines the coefficients of each term of the polynomial f and the polynomial g from random numbers based on a subroutine for polynomial generation of lattice cryptography, which will be described later. For example, the polynomial f and the polynomial g are integer coefficient polynomials of degree N-1 or lower, with coefficients of 0, 1, or -1.

Here, in the case of the NTRU encryption, the polynomial f has df coefficients of "1", (df-1) coefficients of "-1", and other coefficients of "0". It is generated as follows. Polynomial g is generated such that dg coefficients are "1", dg coefficients are "-1", and other coefficients are "0". In the NTRU encryption, polynomials f and g are randomly generated using parameters df and dg. Note that the parameters df and dg may have the same value.

Next, the lattice cipher key generation system 1 generates lattice cipher key information from the polynomial. Specifically, the control device 20 generates an NTRU encryption key from the polynomial f and the polynomial g. More specifically, the control device 20 calculates a polynomial Fp such that Fp×f=1 (mod p). Next, the control device 20 generates a polynomial h from h=Fq×g (mod q) using a polynomial Fq such that Fq×f=1 (mod q). Here, p and q are integers of 2 or more and are relatively prime. Also, x = y (mod q) is the remainder when the i-th coefficient of the polynomial y is divided by the modulus q so that the remainder falls within the range of 0 to q-1. (0≦i≦N-1). Further, polynomial f, polynomial Fp, and polynomial Fq correspond to a private key, and polynomial h corresponds to a public key.

By calculating polynomial f and polynomial g from random numbers generated inside the secure element 10, it is possible to generate a polynomial (Fp, Fq, h) of a key pair that is not vulnerable.

Next, the control device 20 transmits the generated key information to the secure element 10. The secure element 10 stores the received key information in the storage unit 12. In this way, the secure element 10 functions as an example of a key acquisition unit that acquires a key using a polynomial generated using random numbers.

The secure element 10 uses the private key and public key of the lattice encryption stored in the storage unit 12 to perform mutual authentication and the like with an external device, and performs secure communication with the quantum-resistant computer. The secure element 10 uses the private key and public key of the lattice cipher stored in the storage unit 12 to perform a digital signature.

Note that the control device 20 may transmit the polynomial information received from the secure element 10 to another computer for executing the lattice cryptographic operation. For example, the other computer is a computer that specializes in lattice cryptographic operations.

(2.2 Polynomial generation subroutine for lattice cryptography)
Next, a subroutine for polynomial generation of lattice cryptography will be explained using figures. FIG. 5 is a flowchart showing an example of a subroutine for polynomial generation of lattice cryptography. Note that the polynomial generation subroutine for the lattice cipher is applied to each of the polynomials f and g.

As shown in FIG. 5, the lattice cryptographic key generation system 1 determines whether an undetermined "+1" term remains (step S10). Specifically, the system control unit 25 of the control device 20 refers to the storage unit 22 or the RAM of the system control unit 25, and determines whether an undetermined “+1” term remains in the coefficients of the polynomial f or the polynomial g. Determine whether or not the Note that the storage unit 22 or the RAM of the system control unit 25 stores information such as whether or not the coefficients of each term of the polynomial are determined and the values of the determined coefficients.

If an undetermined "+1" term remains (step S10: YES), the lattice cryptographic key generation system 1 obtains a random number r (step S11). Specifically, the system control unit 25 of the control device 20 acquires one random number r from among the random numbers received from the secure element 10 from the storage unit 22 or the like. Note that the used random numbers may be deleted. Further, the control device 20 may request the secure element 10 to generate a random number each time, and may receive the random number.

Next, the lattice cryptographic key generation system 1 calculates k=r mod N (step S12). Specifically, the system control unit 25 of the control device 20 uses the random number r to calculate k=r mod N. Here, k is a value indicating the kth term of the polynomial, and takes a value from 0 to N-1.

Next, the lattice cryptographic key generation system 1 determines whether k is an undetermined term (step S13). Specifically, the system control unit 25 of the control device 20 refers to the storage unit 22 and the like to determine whether the k-th term of the polynomial is an undetermined term.

If k is an undetermined term (step S13: YES), the lattice cryptographic key generation system 1 sets k to be a "+1" term (step S14). Specifically, the system control unit 25 of the control device 20 sets the k-th term of the polynomial to the "+1" term. The system control unit 25 stores “+1” for the k-th term of the polynomial in the storage unit 22 or the like, or stores information indicating that the value of the coefficient has been determined as a flag.

If k is not an undetermined term (step S13: NO), the control device 20 returns to the process of step S11.

Next, the control device 20 returns to the process of step S10.

If there is no undetermined "+1" term remaining (step S10: NO), the lattice cryptographic key generation system 1 determines whether or not an undetermined "-1" term remains (step S15). ). Specifically, the system control unit 25 of the control device 20 refers to the storage unit 22 or the RAM of the system control unit 25, and determines whether there is an undetermined “-1” term in the coefficients of the polynomial. Determine whether

If an undetermined "-1" term remains (step S15: YES), the lattice cryptographic key generation system 1 obtains a random number r (step S16). Specifically, the system control unit 25 of the control device 20 acquires one random number r from among the random numbers received from the secure element 10 from the storage unit 22 or the like.

Next, the lattice cryptographic key generation system 1 calculates k=r mod N as in step S12 (step S17).

Next, the lattice cryptographic key generation system 1 determines whether k is an undetermined term, as in step S13 (step S18).

If k is an undetermined term (step S18: YES), the lattice cryptographic key generation system 1 sets k to a term of "-1" (step S19). Specifically, the system control unit 25 of the control device 20 sets the k-th term of the polynomial to the "-1" term. The system control unit 25 stores "-1" for the k-th term of the polynomial in the storage unit 22 or the like, or stores information indicating that the value of the coefficient has been determined as a flag.

If k is not an undetermined term (step S18: NO), the control device 20 returns to the process of step S16.

If there are no undetermined "-1" terms remaining (step S15: NO), the lattice cryptographic key generation system 1 sets the remaining terms to "0" (step S20). Specifically, the system control unit 25 of the control device 20 refers to the storage unit 22, etc., and sets the value of the coefficient to “0” for the term whose coefficient has not been determined.

This subroutine sets the coefficients of each term of polynomials such as polynomial f and polynomial g. Note that the method for determining the coefficients of each term of the polynomial is not limited to the above-described subroutine, but may be any method as long as the coefficients of each term of the polynomial are randomly determined.

As explained above, according to the embodiment, the secure element 10, which is an example of an electronic information storage medium, generates random numbers of a predetermined random number length in order to generate a polynomial for a key in a lattice cryptography, and By obtaining the key based on the polynomial generated by can do.

When outputting the random number to the control device 20 that generates a polynomial, the secure element 10 does not need to generate the polynomial internally, so there is no need to increase the specifications of the secure element 10, and it can be realized at low cost.

(Second embodiment)
Next, a second embodiment will be described using FIG. 6. Note that the same reference numerals are used for the same or corresponding parts as in the first embodiment, and only different configurations and operations will be described. The same applies to other embodiments and modifications.

In this embodiment, the polynomial is generated inside the secure element 10. FIG. 6 is a flowchart showing the key generation operation of the lattice cipher according to the second embodiment.

As shown in FIG. 6, the lattice cryptographic key generation system 1 sets a necessary random number length for the secure element 10 (step S30). Specifically, the control device 20 transmits information on a predetermined random number length necessary for key generation of the lattice cipher to the secure element 10, depending on the security level and the like. The control device 20 transmits values of parameters N, df, dg, p, q, etc. necessary for generating the lattice cipher. Note that within the secure element 10, the predetermined random number length and the values of parameters N, df, dg, p, q, etc. may be determined in advance.

Next, the lattice cryptographic key generation system 1 generates random numbers within the secure element (step S31). Specifically, the control unit 13 of the secure element 10 generates a plurality of random numbers with a predetermined random number length based on the random number length information from the control device 20, as in step S2.

Next, the lattice cryptographic key generation system 1 generates a polynomial using random numbers (step S32). Specifically, the control unit 13 of the secure element 10 determines the coefficients of each term of the polynomial f and the polynomial g from random numbers based on the polynomial generation subroutine of the lattice cipher, as in step S4. In this way, the secure element 10 functions as an example of a polynomial generating means that generates a polynomial from random numbers.

Next, the lattice cipher key generation system 1 determines whether the lattice cipher calculation is to be performed inside the secure element 10 (step S33). Specifically, the control unit 13 of the secure element 10 refers to the storage unit 12 and performs lattice cipher operations such as key generation, encryption, and decryption based on the ability of the secure element 10 to calculate lattice ciphers. It is determined whether or not to be executed inside the secure element 10. For example, if the value of the parameter N is larger than a predetermined value and calculation is impossible due to the size of the memory space of the control unit 13, the control unit 13 determines that the lattice cryptographic operation cannot be executed internally. Further, if the amount of stored key information is large and the capacity of the storage unit 12 is insufficient, the control unit 13 determines that the lattice cipher calculation cannot be executed internally. In this way, the secure element 10 functions as an example of a random number output means that outputs a random number to the control device based on the random number output determination information as to whether or not to output the random number to the control device in order to generate a polynomial. .

Note that the secure element 10 may determine whether or not to perform the lattice cipher calculation within the secure element 10 based on information such as the speed and security required for the lattice cipher calculation. In this case, the information required for the calculation of the lattice code is provided by the control device 20. For example, if a high level of security is required, the lattice cipher calculation is performed inside the secure element 10, and if the calculation is desired to be faster than the calculation speed of the secure element 10, the lattice cipher calculation is performed outside the secure element 10. It will be carried out in

Further, the determination as to whether or not to perform the lattice cipher calculation inside the secure element 10 may be based on the determination result received from the control device 20. The control device 20 refers to the storage unit 22 and determines whether or not to perform the lattice cipher calculation inside the secure element 10 based on the ability of the secure element 10 to calculate the lattice cipher. The control device 20 transmits the determination result to the secure element 10. The secure element 10 determines whether or not to perform the lattice cipher calculation within the secure element 10 based on the received determination result.

If the cryptographic operation is to be performed inside the secure element 10 (step S33: YES), the lattice cryptographic key generation system 1 stores the polynomial in the memory of the secure element (step S34). Specifically, the control unit 13 of the secure element 10 stores information on the generated polynomial in the storage unit 12.

Next, the control unit 13 of the secure element 10 refers to the storage unit 12 and performs lattice cipher calculations such as lattice cipher key generation from the polynomial information. The control unit 13 stores the generated key information in the storage unit 12. In this way, the secure element 10 functions as an example of a key acquisition unit that acquires a key using a polynomial generated using random numbers.

If the cryptographic operation is not performed inside the secure element 10 (step S33: NO), the lattice cryptographic key generation system 1 outputs the polynomial to the outside (step S35). Specifically, the secure element 10 transmits information on the generated polynomials f and g to the control device 20. The control device 20 generates key information such as polynomial Fp, polynomial Fp, polynomial h, etc. based on the received polynomial information. Control device 20 transmits the generated key information to secure element 10. The secure element 10 stores the received key information in the storage unit 12. In this way, the secure element 10 functions as an example of a polynomial output means that outputs a polynomial to a control device that generates the polynomial. Furthermore, the secure element 10 functions as an example of a polynomial output unit that outputs a polynomial to a control device that generates the polynomial based on polynomial output determination information on whether to output the polynomial to the control device.

As explained above, according to the embodiment, when outputting a random number to the control device 20 based on the random number output determination information on whether or not to output the random number to the control device 20 in order to generate a polynomial, the random number A polynomial can be generated even when the specification of the secure element 10 is exceeded, such as when the length is longer than a predetermined value or when the parameter N is larger than a predetermined value.

When the secure element 10 further includes a polynomial generating means for generating a pre-polynomial from a random number, the polynomial is generated inside the secure element 10, so that security is further improved.

When outputting a polynomial to the control device 20 that generates the polynomial, a key for lattice encryption can be generated even when the specifications of the secure element 10 are exceeded, such as when the random number length is longer than a predetermined value or when the parameter N is larger than a predetermined value.

When outputting a polynomial to the control device 20 based on the polynomial output determination information as to whether or not to output the polynomial to the control device 20, the polynomial output determination information can appropriately determine whether or not to output the polynomial to the control device 20.

1 Key generation system 10 Secure element (electronic information storage medium, IC chip)
20 Control device (control device)

Claims (10)

An electronic information storage medium for using a key in a lattice cryptography,
Random number generation means for generating random numbers of a predetermined random number length in order to generate a polynomial for the key;
key acquisition means for acquiring the key based on the polynomial generated by the random number;
An electronic information storage medium comprising: The electronic information storage medium according to claim 1,
An electronic information storage medium further comprising random number output means for outputting the random number to a control device that generates the polynomial. The electronic information storage medium according to claim 2,
Electronic information characterized in that, in order to generate the polynomial, the random number output means outputs the random number to the control device based on random number output determination information as to whether or not to output the random number to the control device. storage medium. The electronic information storage medium according to claim 1,
An electronic information storage medium further comprising polynomial generation means for generating the polynomial from the random number. The electronic information storage medium according to claim 4,
An electronic information storage medium further comprising polynomial output means for outputting the polynomial to a control device that generates the polynomial. The electronic information storage medium according to claim 5,
An electronic information storage medium characterized in that the polynomial output means outputs the polynomial to the control device based on polynomial output determination information regarding whether to output the polynomial to the control device. A key generation method performed by an electronic information storage medium for using a key in a lattice cryptography, the method comprising:
a random number generation step of generating a random number of a predetermined random number length to generate a polynomial for the key;
a key obtaining step of obtaining the key based on the polynomial generated by the random number;
A key generation method characterized by comprising: A computer included in an electronic information storage medium for using a key in a lattice cipher,
random number generation means for generating random numbers of a predetermined random number length in order to generate a polynomial for the key, and
A program that functions as a key acquisition means for acquiring the key based on the polynomial generated by the random number. An IC chip for using a key in lattice cryptography,
Random number generation means for generating random numbers of a predetermined random number length in order to generate a polynomial for the key;
key acquisition means for acquiring the key based on the polynomial generated by the random number;
An IC chip characterized by comprising: A key generation system comprising an electronic information storage medium for using a key in a lattice cipher, and a control device that controls the electronic information storage medium to generate the key,
The electronic information storage medium is
Random number generation means for generating random numbers of a predetermined random number length in order to generate a polynomial for the key;
key acquisition means for acquiring the key based on the polynomial generated by the random number;
A key generation system comprising:

Images