Electronic information storage medium, IC chip, IC card, key data recording method, key data setting method, and program

The electronic information storage medium with a reserved key data area and adaptive updating mechanisms addresses the challenge of transitioning to post-quantum cryptography by supporting longer key lengths and encryption strengths, ensuring seamless cryptoagility in IC chips.

JP2026109951A · Pending · Publication Date: 2026-07-02 · DAI NIPPON PRINTING CO LTD

Patent Information

Authority / Receiving Office
JP · JP
Patent Type
Applications
Current Assignee / Owner
DAI NIPPON PRINTING CO LTD
Filing Date
2024-12-20
Publication Date
2026-07-02


Abstract

This invention provides an electronic information storage medium, an IC chip, an IC card, a key data recording method, a key data setting method, and a program that can ensure cryptoagility during the transition from conventional cryptographic algorithms to post-quantum cryptographic algorithms. [Solution] SE1 is pre-allocated a key data area with recording capacity capable of recording other key data with a key length at least longer than the initially recorded key data. When SE1 receives a command containing other key data from an external terminal 2, it updates and records the other key data in the key data area in place of the currently recorded key data in accordance with the command.

Description

Technical Field

[0001] The present invention relates to the technical field of IC chips and the like that can support post-quantum cryptographic algorithms.

Background Art

[0002] In recent years, in IC cards equipped with IC (Integrated Circuit) chips, in order to enable secure signature generation / verification and key exchange even after a quantum computer is developed, a transition (switch) from conventional cryptographic algorithms (for example, RSA (Rivest-Shamir-Adleman cryptosystem) or ECDSA (Elliptic Curve Digital Signature Algorithm)) to post-quantum cryptographic (PQC (Post-Quantum Cryptography)) algorithms (for example, CRYSTALS-Dilithium) has been studied. As a related technique, Patent Document 1 discloses a technique that can use a hybrid digital certificate combining a quantum-vulnerable cryptographic system and a post-quantum cryptographic system during the transition from the former to the latter.

Prior Art Documents

Patent Documents

[0003]

Patent Document No. 1

Summary of the Invention

Problems to be Solved by the Invention

[0004] Incidentally, ensuring so-called cryptoagility is crucial for a smooth and rapid transition from conventional cryptographic algorithms to post-quantum cryptography algorithms. However, because the key length of the key data used in post-quantum cryptography algorithms is longer than that of conventional cryptographic algorithms, it has been difficult to ensure cryptoagility in terms of storing the key data used in post-quantum cryptography algorithms in memory when attempting to add support for post-quantum cryptography algorithms to IC chips that are designed for conventional cryptographic algorithms.

[0005] Therefore, the present invention has been made in view of these points, and aims to provide an electronic information storage medium, an IC chip, an IC card, a key data recording method, a key data setting method, and a program that can efficiently ensure cryptoagility when transitioning from conventional cryptographic algorithms to post-quantum cryptographic algorithms.

Means for Solving the Problem

[0006] To solve the above problems, the invention described in claim 1 is an electronic information storage medium that has a memory having a key data area reserved in advance for recording key data, and is capable of receiving commands from an external terminal, wherein the key data area has a recording capacity capable of recording other key data having a longer key length than the key data currently recorded in the key data area, and is characterized by comprising: receiving means for receiving a command including the other key data from the external terminal, and recording means for updating and recording the other key data in the key data area in place of the key data currently recorded in response to the command.

[0007] The invention described in claim 2 is characterized in that, in the electronic information storage medium described in claim 1, the recording means determines whether the key length of the other key data is longer than the key length of the key data being recorded, and updates and records the other key data in the key data area only if it is determined that the key length of the other key data is longer than the key length of the key data being recorded.

[0008] The invention described in claim 3 is characterized in that, in the electronic information storage medium described in claim 1, the recording means determines whether the encryption strength of the other key data is higher than the encryption strength of the key data being recorded, and updates and records the other key data in the key data area only if it is determined that the encryption strength of the other key data is higher than the encryption strength of the key data being recorded.

[0009] The invention described in claim 4 is an electronic information storage medium according to any one of claims 1 to 3, wherein the recording means determines whether the number of update records performed in the key data area has reached a predetermined update limit, and updates and records the other key data in the key data area only if it is determined that the update limit has not been reached.

[0010] The invention described in claim 5 is an electronic information storage medium according to any one of claims 1 to 3, wherein the memory has a plurality of key data areas, each of which is assigned an update priority that can be changed, and the recording means selects one of the key data areas based on the priority and updates and records the other key data in the selected key data area.

[0011] The invention described in claim 6 is characterized in that, in the electronic information storage medium described in claim 5, the priority is set based on the cryptographic strength of the key data recorded in each of the plurality of key data areas.

[0012] The invention described in claim 7 is characterized in that, in the electronic information storage medium described in claim 1, the receiving means further receives a command from the external terminal indicating the setting of key data, and in response to the command indicating the setting of key data, sets a portion of the updated recorded other key data as key data to be used in an encryption algorithm different from the encryption algorithm in which the other key data is used.

[0013] The invention described in claim 8 is an electronic information storage medium that has a memory having a key data area reserved in advance for recording first key data, and is capable of receiving commands from an external terminal, comprising: receiving means for receiving a command from the external terminal indicating the setting of key data; and setting means for setting a portion of the data of the first key data recorded in the key data area as second key data to be used in a second cryptographic operation scheme different from the first cryptographic operation scheme in which the first key data is used, in response to the command indicating the setting of key data.

[0014] The invention described in claim 9 is an IC chip that has a memory having a key data area reserved in advance for recording key data, and is capable of receiving commands from an external terminal, wherein the key data area has a recording capacity capable of recording other key data having a longer key length than the key data currently recorded in the key data area, and is characterized by comprising: receiving means for receiving a command including the other key data from the external terminal, and recording means for updating and recording the other key data in the key data area in place of the key data currently recorded in response to the command.

[0015] The invention described in claim 10 is an IC card that has a memory having a key data area reserved in advance for recording key data, and is capable of receiving commands from an external terminal, wherein the key data area has a recording capacity capable of recording other key data having a longer key length than the key data currently recorded in the key data area, and is characterized by comprising: receiving means for receiving a command including the other key data from the external terminal, and recording means for updating and recording the other key data in the key data area in place of the key data currently recorded in response to the command.

[0016] The invention described in claim 11 is a method for recording key data, performed by a computer contained in an electronic information storage medium capable of receiving commands from an external terminal, the computer having a memory having a key data area reserved in advance for recording key data, wherein the key data area has a recording capacity capable of recording other key data having a longer key length than the key data currently recorded in the key data area, and the method includes the steps of receiving a command from the external terminal that includes the other key data, and updating and recording the other key data in the key data area in place of the key data currently recorded, in response to the command.

[0017] The invention described in claim 12 is a key data setting method performed by a computer contained in an electronic information storage medium that has a memory having a key data area reserved in advance for recording first key data and is capable of receiving commands from an external terminal, the method comprising: receiving a command from the external terminal indicating the setting of key data; and, in response to the command indicating the setting of key data, setting a portion of the data of the first key data recorded in the key data area as second key data to be used in a second cryptographic operation method different from the first cryptographic operation method in which the first key data is used.

[0018] The invention described in claim 13 is characterized in that a computer included in an electronic information storage medium capable of receiving commands from an external terminal functions as a receiving means for receiving a command including the other key data from the external terminal, and as a recording means for updating and recording the other key data in the key data area in place of the key data currently being recorded, in response to the command.

[0019] The invention according to claim 14 is characterized in that a computer included in an electronic information storage medium having a memory with a key data area reserved in advance for recording first key data and capable of receiving commands from an external terminal functions as receiving means for receiving, from the external terminal, a command indicating setting of key data, and setting means for setting, in response to the command indicating setting of the key data, a part of the data of the first key data being recorded in the key data area as second key data to be used in a second encryption operation method different from the first encryption operation method in which the first key data is used.

Advantages of the Invention

[0020] According to the present invention, cryptoagility can be efficiently ensured when migrating from a conventional cryptographic algorithm to a post-quantum cryptographic algorithm.

Brief Description of the Drawings

[0021]
[Figure 1] A diagram showing an example of the hardware configuration of SE1.
[Figure 2] A conceptual diagram showing an example of one key data area Ar0 set in NVM13.
[Figure 3] A conceptual diagram showing an example of one key area Ar1 set in NVM13.
[Figure 4] A conceptual diagram showing an example of two key areas Ar2 and Ar3 set in NVM13.
[Figure 5] A sequence diagram showing an example of an operation performed between SE1 and an external terminal 2 in Example 1.
[Figure 6] A flowchart showing the key data area update process (Example 1) executed by CPU15 when an update flag is recorded in the update information area.
[Figure 7] A flowchart showing the key data area update process (Example 2) executed by CPU15 when the update count is recorded in the update information area.
[Figure 8] A flowchart showing the key data area update process (Example 3) executed by CPU15 when the update priority is recorded in the update information area of each of the multiple configured key areas.
[Figure 9] A sequence diagram showing an example of an operation performed between SE1 and external terminal 2 in Example 2.

Modes for Carrying Out the Invention

[0022] Embodiments of the present invention will be described in detail below with reference to the drawings. The embodiments described below are examples in which the present invention is applied to a secure element (hereinafter referred to as "SE").

[0023] [1. SE1 Configuration and Functions] First, the configuration and function of SE1 according to this embodiment will be described with reference to Figure 1. Figure 1 is a diagram showing an example of the hardware configuration of SE1. SE1 is, for example, a tamper-resistant IC chip and is an example of an electronic information storage medium. SE1 is mounted on IC cards such as credit cards, cash cards, or My Number cards. Alternatively, SE1 may be mounted on secure devices such as IoT devices or smartphones. In this case, SE1 may be mounted on the secure device as a small IC card so that it can be attached and detached, or it may be mounted on an embedded board as an eUICC (Embedded Universal Integrated Circuit Card) so that it cannot be easily removed or replaced from the secure device.

[0024] As shown in Figure 1, SE1 includes an I / O circuit 11, RAM (Random Access Memory) 12, NVM (Nonvolatile Memory) 13, ROM (Read Only Memory) 14, CPU (Central Processing Unit) 15 (an example of a computer), and a coprocessor 16 that performs cryptographic calculations, etc. SE1 may also be equipped with a random number generator (not shown). The I / O circuit 11 serves as the interface with the external terminal 2. Communication between SE1 and the external terminal 2 may be contact or contactless. In the case of contactless communication, communication between SE1 and the external terminal 2 is performed via, for example, an antenna (not shown) mounted on the IC card or on the secure device. In communication between SE1 and the external terminal 2, command APDUs (Application Protocol Data Units) and response APDUs as defined in ISO / IEC 7816-3, etc., are exchanged. Examples of the external terminal 2 include transaction terminals and management terminals installed in stores, etc.

[0025] NVM13 is a non-volatile memory such as flash memory or Electrically Erasable Programmable Read-Only Memory. The OS (Operating System) and the program of the present invention are stored in NVM13. The program of the present invention causes the CPU15 to function as a receiving means, recording means, and setting means, etc., in the present invention. Furthermore, the NVM13 stores instantiated authentication applications that define (i.e., are written in program code) the authentication process executed in the connection (authentication procedure) for initiating (establishing) a secure session (encrypted communication) with the external terminal 2, and one or more transaction applications that define the transaction process executed in the secure session. In the secure session, the session key generated in the authentication process is used to encrypt or decrypt the command APDU and response APDU.

[0026] Here, the authentication process includes conventional authentication processing, which includes cryptographic calculations according to conventional cryptographic algorithms (hereinafter referred to as "conventional algorithms"), and PQC authentication processing, which includes cryptographic calculations according to post-quantum cryptography algorithms (hereinafter referred to as "PQC algorithms"). Cryptographic calculations are described, for example, by program code, calculation formulas, and parameters. Conventional algorithms may be public-key cryptographic algorithms such as RSA or ECDSA, or symmetric-key cryptographic algorithms such as DES (Data Encryption Standard) or AES (Advanced Encryption Standard). On the other hand, PQC algorithms may be lattice-based cryptographic algorithms such as CRYSTALS-Dilithium or FALCON. Furthermore, even within the same type of PQC algorithm, security levels may differ, for example, CRYSTALS-Dilithium level 2 and CRYSTALS-Dilithium level 5. The higher the security level, the longer the key length of the key data and the higher the cryptographic strength. In conventional authentication processes, the executable APDU commands are set to INITIALIZE UPDATE and EXTERNAL AUTHENTICATE, while in PQC authentication processes, the executable APDU commands are set to PERFORM SECURITY OPERATION and MUTUAL AUTHENTICATE.

[0027] Furthermore, an authentication application that defines both conventional authentication processing and PQC authentication processing may be installed on SE1 before its shipment (for example, at the time of SE issuance). Alternatively, an authentication application that defines only conventional authentication processing may be installed on SE1 before its shipment, and PQC authentication processing may be added to the authentication application (for example, by adding a patch) at a store or other location after SE1's shipment. In addition, key data used in conventional algorithms (for example, a private key and / or shared key that form a key pair with a public key) may be recorded in NVM13 before SE1's shipment, for example. On the other hand, key data used in PQC algorithms (for example, a private key that forms a key pair with a public key) may be recorded in NVM13 at a store or other location after SE1's shipment, for example.

[0028] Furthermore, the NVM13 has a pre-allocated key data area for recording key data. For example, during the instantiation process of the authentication application before the SE1 is shipped, the key data area is set (in other words, allocated) to a predetermined memory address range on the NVM13, and the key data used by the conventional algorithm is initially recorded in this key data area. This key data area is configured to have a recording capacity that allows it to record other key data with a longer key length than the recorded key data (the key data being recorded). Here, other key data refers to key data that should be updated and recorded in the key data area in the future (for example, after the SE1 is shipped) (for example, key data used by the PQC algorithm). In other words, the above recording capacity is pre-allocated in the NVM13 so that key data with expected key lengths in the future can be updated and recorded. This makes it possible to ensure crypto agility for the PQC algorithm with a minimum amount of memory on devices with limited memory capacity such as the SE1. In addition, security can be improved by making algorithm changes to the conventional algorithm irreversible. It is also desirable that the NVM13 stores the public key certificate of the key pair unique to the SE1.

[0029] Figure 2 is a conceptual diagram showing an example of a key data area Ar0 configured in NVM13. Figure 2(A) shows an unupdated key data area Ar0, while Figure 2(B) shows an updated key data area Ar0. As shown in Figure 2(A), a portion of the unupdated key data area Ar0 contains key data D01 used by conventional algorithms, and the portion where key data D01 is not recorded is unused, i.e., free space. This free space allows other key data D02 with a longer key length than key data D01 to be updated and recorded later. As shown in Figure 2(B), in the updated key data area Ar0, other key data D02 used by the PQC algorithm (e.g., CRYSTALS-Dilithium, level 2) is updated and recorded in place of key data D01 (i.e., key data D01 is overwritten by key data D02). The management of the key data area Ar0 and key data D01, D02, etc., should preferably be done by an authentication application, for example. The system may be configured so that after another key data D02 is updated, yet another key data (limited to key data of a size less than or equal to the recording capacity of the key data area Ar0) is updated and recorded in the key data area Ar0, or it may be configured so that yet another key data is prohibited from being updated and recorded in the key data area Ar0.

[0030] Furthermore, as shown in Figure 2(C), the key data area Ar0 may be configured to be shared by multiple key data with different key lengths. In the key data area Ar0 shown in Figure 2(C), key data D03 (first key data) used in the PQC algorithm is recorded, and a portion of key data D03 is set as key data D04 (second key data) used in conventional algorithms. For example, since any value such as a random number can be used for the common key used in symmetric-key cryptography algorithms such as AES, a portion of the secret key (key data generated using hashing, etc.) used in CRYSTALS-Dilithium can be set as key data D04. As an example of this usage, it is assumed that key data D03 is updated and recorded in place of key data D01, and then key data D04 is set. However, key data D03 may be recorded in the key data area Ar0 and key data D04 may be set before the SE1 is shipped. In the example shown in Figure 2(C), a predetermined set of bits (for example, 256 bits) from the beginning of the key data D03 is considered a portion. However, the key data D04 may also be set as a portion by concatenating multiple separated points (bit ranges) in the key data D03.

[0031] As an example other than that shown in Figure 2, the NVM13 may be configured with the key data area associated with it, including a key number area for recording the key number of the key data, an update information area for recording information about updates to the key data area, and an algorithm information area for recording information indicating at least one of the encryption algorithm and key length of the key data. This allows for efficient management of the key data area and the key data. The information indicating the encryption algorithm shows what encryption algorithm is currently supported. Examples of update information include an update flag (indicating whether other key data has been updated), update count (number of update records), and update priority (priority of update records). Here, the update priority is set to be changeable for each key data area when multiple key data areas are configured in the NVM13.

[0032] The key number area, update information area, algorithm information area, and key data area are collectively referred to as the "key area." NVM13 may have one key area configured or multiple key areas configured. The key number mentioned above is a serial number for managing the key area and does not change even if other key data is updated in the key data area. However, if the key data in the key data area is changed from key data used by the conventional algorithm to key data used by the PQC algorithm due to an update record, the key number in the key number area associated with the key data area may be changed. In addition, the key area may include a key ID area for recording a key ID that identifies the key data recorded in the key data area, either in place of the key number area or in addition to the key number area.

[0033] Figure 3 is a conceptual diagram showing an example of a key area Ar1 configured in NVM13. Figure 3(A) shows an unupdated key area Ar1, Figure 3(B) shows an updated (first update) key area Ar1, and Figure 3(C) shows an updated (second update) key area Ar1. Here, the key area Ar1 consists of a key number area Ar11, an update information area Ar12 for recording update flags, an algorithm information area Ar13, and a key data area Ar14. As shown in Figure 3(A), a portion of the unupdated key data area Ar14 has key data D11 used in conventional algorithms recorded in it, and the portion where key data D11 is not recorded is unused. The "no update" in the update information area Ar12 shown in Figure 3(A) indicates that the key data area Ar14 is unupdated (i.e., other key data D12 has not been updated). In the algorithm information area Ar13 shown in Figure 3(A), "RSA" indicates the cryptographic algorithm used for key data D11, and "2048bit" indicates the key length of key data D11. Note that a portion of the unupdated key data area Ar14 may contain key data used for DES or AES.

[0034] As shown in Figure 3(B), in the updated (first update) key data area Ar14, the key data D12 used in the PQC algorithm has been updated (first time) in place of the key data D11, and the update information area Ar12 and the algorithm information area Ar13 have also been updated (first time). The "Updated" status in the update information area Ar12 shown in Figure 3(B) indicates that the key data area Ar14 has been updated (i.e., the other key data D12 has been updated). The "CRYSTALS-Dilithium, level 2" in the algorithm information area Ar13 shown in Figure 3(B) indicates the cryptographic algorithm in which the other key data D12 is used. Furthermore, as shown in Figure 3(C), in the updated (second update) key data area Ar14, the other key data D13 has been updated (second time) in place of the key data D12, and the update information area Ar12 and the algorithm information area Ar13 have also been updated (second time). The "CRYSTALS-Dilithium, level 5" in the algorithm information area Ar13 shown in Figure 3(C) indicates the cryptographic algorithm for which the other key data D13 is used. Note that the update information area Ar12 may record the update count instead of an update flag. In this case, the update count is incremented by 1 each time the key data is updated.

[0035] Figure 4 is a conceptual diagram showing an example of two key areas Ar2 and Ar3 set in NVM13. Note that three or more key areas may be set. Figure 4(A) shows the unupdated key areas Ar2 and Ar3, Figure 4(B) shows the updated (first update) key area Ar2 and the unupdated key area Ar3, and Figure 4(C) shows the updated (first update) key area Ar2 and the updated (first update) key area Ar3. Here, key areas Ar2 and Ar3 are composed of key number areas Ar21 and Ar31, update information areas Ar22 and Ar32, algorithm information areas Ar23 and Ar33, and key data areas Ar24 and Ar34. As shown in Figure 4(A), parts of the unupdated key data areas Ar24 and Ar34 contain key data D21 and D31 used in conventional algorithms, respectively, and the parts where key data D21 and D31 are not recorded are unused. Key data D31 has a longer key length and higher cryptographic strength than key data D21. The update priority of 1 in the update information area Ar22 is higher than the update priority of 2 in the update information area Ar32. Therefore, key data area Ar24 will be updated before key data area Ar34, and after the update, the update priorities will be swapped. The update priority is set based on the cryptographic strength of key data D21 and D31 recorded in key data areas Ar24 and Ar34, respectively.

[0036] As shown in Figure 4(B), the updated (first update) key data area Ar24 has been updated (first update) with another key data D22 used in the PQC algorithm in place of key data D21, and the update information area Ar22 and the algorithm information area Ar23 have also been updated (first update). That is, the update information area Ar22 shown in Figure 4(B) has been updated from update priority 1 to update priority 2, and the update information area Ar32 shown in Figure 4(B) has been updated from update priority 2 to update priority 1. Therefore, the key data area Ar34 will be updated before the key data area Ar24. Furthermore, as shown in Figure 4(C), the updated (first update) key data area Ar34 has been updated (first update) with another key data D32 used in the PQC algorithm in place of key data D31, and the update information area Ar32 and the algorithm information area Ar33 have also been updated (first update). In other words, the update information area Ar22 shown in Figure 4(C) is updated from update priority 2 to update priority 1, and the update information area Ar32 shown in Figure 4(C) is updated from update priority 1 to update priority 2.

[0037] When CPU 15 receives a command APDU containing the aforementioned other key data from external terminal 2 in a secure session, initiated after the authentication procedure with external terminal 2 has completed successfully, it updates (i.e., overwrites) the currently recorded key data in the key data area according to the command APDU. For example, a CHANGE KEY command can be used as such a command APDU. A CHANGE KEY consists of a header section composed of CLA (instruction class), INS (instruction code), P1 and P2 (parameters), and a body section. The body section of the CHANGE KEY consists of Lc and DATA, where Lc indicates the length of DATA, and DATA stores at least information indicating the cryptographic algorithm (e.g., including the key length) and the other key data in TLV format.

[0038] When CPU15 receives a CHANGE KEY containing other key data, it should determine whether the key length of the other key data is longer than the key length of the currently recorded key data. Only if it determines that the key length of the other key data is longer than the key length of the currently recorded key data should it update and record the other key data in the key data area. This prevents changes from being made from key data with high encryption strength to key data with low encryption strength, thereby improving the security of SE1.

[0039] Alternatively, when CPU 15 receives a CHANGE KEY containing other key data, it may determine whether the cryptographic strength of the other key data is higher than that of the key data currently being recorded, and only if it determines that the cryptographic strength of the other key data is higher than that of the key data currently being recorded, it may update and record the other key data in the key data area. The level of cryptographic strength of the key data may be determined based on the key length of the key data, or it may be determined based on information indicating the cryptographic algorithm used by the key data. This also prevents the change from high-cryptographic-strength key data to low-cryptographic-strength key data, thereby improving the security of SE1.

[0040] Furthermore, if an update flag is recorded in the update information area (for example, as shown in Figure 3), when the CPU 15 receives a CHANGE KEY containing other key data, it determines whether the update flag in the update information area indicates no update, and only if it determines that there is no update, it may update and record the other key data in the key data area. This improves the security of SE1 because, once other key data has been updated and recorded in the key data area, subsequent updates cannot be recorded.

[0041] Alternatively, if the update count is recorded in the update information area, when the CPU 15 receives a CHANGE KEY containing other key data, it may determine whether the update count in the update information area (i.e., the number of update records made in the key data area) has reached a predetermined update limit (>0), and only if it determines that the update limit has not been reached, it may update and record other key data in the key data area. Here, the update limit may be set, for example, in the program of the present invention. This makes it possible to limit the number of times other key data is updated and recorded in the key data area, thereby improving the security of SE1.

[0042] Alternatively, if an update priority is recorded in the update information area of each of the multiple configured key areas (for example, as shown in Figure 4), when the CPU 15 receives a CHANGE KEY containing other key data, it may select one of the key data areas based on the update priority (selecting the key data area with the highest update priority) and update and record the other key data in the selected key data area. In this case, the CPU 15 may lower the update priority of the updated key data area. This allows for updating to key data with a higher security level.

[0043] Furthermore, if the key data area is shared by multiple key data with different key lengths (for example, as shown in Figure 2(C)), after other key data used by the PQC algorithm is recorded (or updated) in the key data area, the CPU 15 receives a command APDU from the external terminal 2 indicating the setting of key data. In response to the command APDU, the CPU 15 sets a portion of the recorded other key data as key data used in a different cryptographic algorithm (e.g., DES or AES) than the cryptographic algorithm (e.g., CRYSTALS-Dilithium) in which the other key data is used. For example, it is preferable that data equivalent to the key length of the key data used in DES or AES (i.e., a portion of the data) is randomly extracted from one or more locations in the other key data. This saves space used within the NVM 13.

[0044] [2. Operations performed between SE1 and external terminal 2] Next, the operations performed between SE1 and external terminal 2 will be described separately in Example 1 and Example 2.

[0045] (Example 1) In Example 1, with reference to Figures 5 to 8, an example of operation when key data is updated and recorded in the key data area of the NVM 13 of SE1 will be described. As a premise of Example 1, it is assumed that the key data area of the NVM 13 of SE1 already contains key data used in a conventional algorithm (recorded, for example, before SE1 is shipped).

[0046] Figure 5 is a sequence diagram showing an example of operation performed between SE1 and external terminal 2 in Example 1. The operation shown in Figure 5 is performed, for example, when, after SE1 has been shipped, an opportunity arises to change from a conventional algorithm (e.g., DES or AES) to a PQC algorithm (e.g., CRYSTALS-Dilithium), and SE1, which is held by a user, starts communicating with external terminal 2, installed, for example, in a store. It is assumed that an initial sequence (e.g., reset and initial response) is performed between SE1 and external terminal 2 before the operation shown in Figure 5 begins, and that SE1 thereafter selects an authentication application in response to a SELECT (command APDU) from external terminal 2 and responds.

[0047] When the operation shown in Figure 5 is initiated, the external terminal 2 generates a random number Re and sends an INITIALIZE UPDATE to SE1 to start the authentication process (mutual authentication) (step S1). Here, the body of the INITIALIZE UPDATE consists of Lc, DATA, and Le, where Lc indicates the length of DATA and Le indicates the length of the response APDU to be sent to the INITIALIZE UPDATE. DATA stores the random number Re, information indicating the conventional algorithm, and the key ID of the common key CK to be used in TLV format. It is assumed that the common key CK is shared in advance between SE1 and the external terminal 2.

[0048] Next, when SE1 receives an INITIALIZE UPDATE from external terminal 2, it executes processing corresponding to the INITIALIZE UPDATE (step S2). In the processing corresponding to the INITIALIZE UPDATE, SE1 generates a random number Rc. Here, the random number Rc may be generated by a random number generator, or it may be generated by pseudorandom number calculation by CPU 15. Next, SE1 calculates (generates) the session key SK using a conventional algorithm with the common key CK, the random number Re, and the random number Rc. For example, CPU 15 calculates the session key SK by having coprocessor 16 perform cryptographic calculations, etc.

[0049] Next, SE1 calculates the authentication code ACc using a conventional algorithm with the session key SK, random number Re, random number Rc, and a pre-set specific value (step S3). For example, CPU 15 causes coprocessor 16 to perform cryptographic operations (for example, encrypting the random number Re, random number Rc, and the specific value with the session key SK) to calculate the authentication code ACc. Next, SE1 sends a response APDU containing the random number Rc and the authentication code ACc in TLV format to external terminal 2 (step S4).

[0050] Next, when external terminal 2 receives the response APDU from SE1, it calculates the session key SK using the common key CK, random number Re, and random number Rc according to the conventional algorithm, and verifies the authentication code ACc using the session key SK (step S5). If the verification is successful (for example, the authentication code ACc is successfully decrypted using the session key SK), external terminal 2 calculates the authentication code ACe using the session key SK, random number Re, random number Rc, and a pre-set specific value according to the conventional algorithm (step S6). Next, external terminal 2 sends EXTERNAL AUTHENTICATE to SE1 (step S7). Here, the body of EXTERNAL AUTHENTICATE consists of Lc and DATA, and the authentication code ACe is stored in DATA.

[0051] Next, upon receiving EXTERNAL AUTHENTICATE from external terminal 2, SE1 verifies the authentication code ACe using the session key SK (step S8). If this verification is successful, SE1 sends a response APDU indicating the authentication result (authentication successful) to external terminal 2 (step S9). Subsequently, upon receiving the response APDU from SE1, external terminal 2 terminates the authentication process and a secure session is started between it and SE1.
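The authentication exchange of steps S1 to S9 (INITIALIZE UPDATE, session key SK, authentication codes ACc and ACe, EXTERNAL AUTHENTICATE), modelled with both sides' messages. This is an added example, not code from the patent: the "conventional algorithm" is stood in for by HMAC-SHA256 (the patent names DES or AES but fixes no construction), the random numbers are 8 bytes, the pre-set specific values and status words are assumed, and the TLV framing of the DATA fields is replaced by fixed-length fields.

```python
"""Model of the INITIALIZE UPDATE / EXTERNAL AUTHENTICATE exchange (steps S1 to S9).

Added example, not from the patent. HMAC-SHA256 stands in for the conventional
algorithm; RND_LEN, AC_LEN, the specific values and the status words are assumed.
"""
import hashlib
import hmac
import secrets

RND_LEN = 8                            # length of Re and Rc (assumed)
AC_LEN = 8                             # authentication codes truncated to 8 bytes (assumed)
SPECIFIC_CARD = b"\x00\x00\x00\x01"    # pre-set specific value used for ACc (assumed)
SPECIFIC_TERM = b"\x00\x00\x00\x02"    # pre-set specific value used for ACe (assumed)
SW_OK = b"\x90\x00"                    # "authentication successful" status word (assumed)
SW_AUTH_FAIL = b"\x63\x00"             # "verification failed" status word (assumed)


def session_key(ck: bytes, re: bytes, rc: bytes) -> bytes:
    """SK derived from the common key CK and both random numbers (steps S2 and S5)."""
    return hmac.new(ck, b"SK" + re + rc, hashlib.sha256).digest()


def auth_code(sk: bytes, re: bytes, rc: bytes, specific: bytes) -> bytes:
    """Authentication code over Re, Rc and a pre-set specific value (steps S3 and S6).
    Different specific values keep the card's ACc and the terminal's ACe distinct."""
    return hmac.new(sk, re + rc + specific, hashlib.sha256).digest()[:AC_LEN]


class SE:
    """The card side. `keys` maps key ID -> common key CK shared with terminals."""

    def __init__(self, keys: dict):
        self.keys = keys
        self.sk = None
        self.re = self.rc = None
        self.authenticated = False

    def initialize_update(self, data: bytes) -> bytes:
        """Steps S2 to S4. DATA = Re || algorithm identifier (1 byte) || key ID (1 byte)."""
        re, key_id = data[:RND_LEN], data[RND_LEN + 1]
        ck = self.keys[key_id]
        rc = secrets.token_bytes(RND_LEN)               # S2: generate Rc
        self.re, self.rc = re, rc
        self.sk = session_key(ck, re, rc)               # S2: derive SK
        acc = auth_code(self.sk, re, rc, SPECIFIC_CARD)  # S3: compute ACc
        return rc + acc                                 # S4: response APDU data

    def external_authenticate(self, data: bytes) -> bytes:
        """Step S8: verify ACe under the session key; S9: report the result."""
        if self.sk is None:
            return SW_AUTH_FAIL                         # no INITIALIZE UPDATE first
        expected = auth_code(self.sk, self.re, self.rc, SPECIFIC_TERM)
        if hmac.compare_digest(expected, data):         # constant-time compare
            self.authenticated = True
            return SW_OK
        self.sk = None                                  # discard the failed session
        return SW_AUTH_FAIL


class Terminal:
    """The external terminal side, holding the common key CK for one key ID."""

    def __init__(self, ck: bytes, key_id: int, alg_id: int = 0x01):
        self.ck, self.key_id, self.alg_id = ck, key_id, alg_id
        self.sk = None

    def authenticate(self, se: SE) -> bool:
        re = secrets.token_bytes(RND_LEN)               # S1: generate Re
        resp = se.initialize_update(re + bytes([self.alg_id, self.key_id]))
        rc, acc = resp[:RND_LEN], resp[RND_LEN:]
        sk = session_key(self.ck, re, rc)               # S5: derive SK, verify ACc
        if not hmac.compare_digest(auth_code(sk, re, rc, SPECIFIC_CARD), acc):
            return False                                # card did not prove knowledge of CK
        ace = auth_code(sk, re, rc, SPECIFIC_TERM)      # S6: compute ACe
        if se.external_authenticate(ace) != SW_OK:      # S7 / S9
            return False
        self.sk = sk                                    # secure session established
        return True


def demo() -> tuple:
    """Run the exchange once with the right CK and once with a wrong CK (constructed keys)."""
    ck = bytes(range(16))
    good = Terminal(ck, 0x01).authenticate(SE({0x01: ck}))
    wrong = Terminal(bytes(16), 0x01).authenticate(SE({0x01: ck}))
    return good, wrong
```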

[0052] When a secure session is initiated, external terminal 2 encrypts the CHANGE KEY using the session key SK to generate an encryption command and sends the encryption command to SE1 (step S10). Here, the DATA in the body of the CHANGE KEY stores information indicating the encryption algorithm (PQC algorithm) and other key data in TLV format. Next, when SE1 receives the encryption command from external terminal 2, it decrypts the encryption command and performs a key data area update process (one of Figures 6 to 8) according to the CHANGE KEY extracted by decryption (step S11).

[0053] Figure 6 is a flowchart of the key data area update process (Example 1) executed by the CPU 15 when an update flag is recorded in the update information area. In the key data area update process shown in Figure 6, the CPU 15 determines whether the update flag in the update information area indicates no update (step S101). If it is determined that the update flag indicates no update (step S101: YES), the process proceeds to step S103. On the other hand, if it is determined that the update flag does not indicate no update (i.e., indicates an update) (step S101: NO), a response APDU indicating the processing result (update failed) is generated (step S102), and the process proceeds to step S12.

[0054] In step S103, the CPU 15 determines whether the key length of other key data included in the body of the CHANGE KEY is longer than the key length of the key data currently recorded in the key data area. If it is determined that the key length of the other key data is longer than the key length of the key data currently recorded (step S103: YES), the process proceeds to step S104. On the other hand, if it is determined that the key length of the other key data is not longer than the key length of the key data currently recorded (step S103: NO), the process proceeds to step S102.

[0055] In step S103, it may be determined whether the key length of the other key data is greater than or equal to the key length of the key data being recorded. If it is determined that the key length of the other key data is greater than or equal to the key length of the key data being recorded, the process proceeds to step S104; otherwise, the process proceeds to step S102. Alternatively, in step S103, it may be determined whether the cryptographic strength of the other key data is higher than the cryptographic strength of the key data being recorded. If it is determined that the cryptographic strength of the other key data is higher than the cryptographic strength of the key data being recorded, the process proceeds to step S104; otherwise, the process proceeds to step S102.

[0056] In step S104, the CPU 15 updates (overwrites) the key data area with the other key data contained in the body of the CHANGE KEY. Next, the CPU 15 sets the update flag in the update information area to indicate that an update has been made, and records in the algorithm information area the information indicating the cryptographic algorithm (PQC algorithm) contained in the body of the CHANGE KEY (step S105). Next, the CPU 15 generates a response APDU indicating the processing result (update successful) (step S106), and proceeds to step S12.

[0057] Figure 7 is a flowchart of the key data area update process (Example 2) executed by the CPU 15 when the update count is recorded in the update information area. In the key data area update process shown in Figure 7, the CPU 15 determines whether the update count in the update information area has reached the update limit (step S111). If it is determined that the update count has not reached the update limit (step S111: NO), the process proceeds to step S113. On the other hand, if it is determined that the update count has reached the update limit (step S111: YES), a response APDU indicating the processing result (update failure) is generated (step S112), and the process proceeds to step S12.

[0058] In step S113, the CPU 15 determines whether the key length of other key data included in the body of the CHANGE KEY is longer than the key length of the key data currently recorded in the key data area. If it is determined that the key length of the other key data is longer than the key length of the key data currently recorded (step S113: YES), the process proceeds to step S114. On the other hand, if it is determined that the key length of the other key data is not longer than the key length of the key data currently recorded (step S113: NO), the process proceeds to step S112. In step S113, as in step S103, it may also be determined whether the key length of the other key data is greater than or equal to the key length of the key data currently recorded, or whether the cryptographic strength of the other key data is higher than the cryptographic strength of the key data currently recorded.

[0059] In step S114, the CPU 15 updates (overwrites) other key data contained in the body of the CHANGE KEY in the key data area. Next, the CPU 15 increments the update count in the update information area by 1 and updates the algorithm information area with information indicating the cryptographic algorithm (PQC algorithm) contained in the body of the CHANGE KEY (step S115). Then, the CPU 15 generates a response APDU indicating the processing result (update successful) (step S116) and proceeds to step S12.

[0060] Figure 8 is a flowchart of the key data area update process (Example 3) executed by the CPU 15 when the update priority is recorded in the update information area of each of the multiple configured key areas. In the key data area update process shown in Figure 8, the CPU 15 determines whether the key length of other key data included in the body of the CHANGE KEY is longer than the key length of the key data currently recorded in the key data area (step S121). If it is determined that the key length of the other key data is longer than the key length of the key data currently recorded (step S121: YES), the process proceeds to step S123.

[0061] On the other hand, if it is determined that the key length of the other key data is not longer than the key length of the key data being recorded (step S121: NO), a response APDU indicating the processing result (update failed) is generated (step S122), and the process proceeds to step S12. Note that in step S121, as in step S103, it may be determined whether the key length of the other key data is greater than or equal to the key length of the key data being recorded, or whether the cryptographic strength of the other key data is higher than the cryptographic strength of the key data being recorded.

[0062] In step S123, the CPU 15 refers to the update priority in the update information area of each of the multiple configured key areas and selects the key data area with the highest update priority. Next, the CPU 15 updates (overwrites) the key data area selected in step S123 with the other key data contained in the body of the CHANGE KEY (step S124).

[0063] Next, the CPU 15 changes and records the update priority in each update information area, and also updates the algorithm information area with the information indicating the cryptographic algorithm (PQC algorithm) contained in the body of the CHANGE KEY (step S125). In this change of update priority, the update priority of the update information area associated with the key data area in which the other key data has just been updated is lowered, and the update priority of the update information areas associated with key data areas that were not updated is raised. Next, the CPU 15 generates a response APDU indicating the processing result (update successful) (step S126) and proceeds to step S12.
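The three key data area update processes of Figures 6 to 8 (update flag, update count with an update limit, and update priority across several areas), together with the key-length gate of steps S103/S113/S121 and the strength-based alternative of [0055], as one executable model. This is an added example, not code from the patent: the TLV tags, the strength ordering, the update limit value, the response texts and the explicit capacity check are assumptions.

```python
"""Model of the key data area update process (Figures 6 to 8).

Added example, not from the patent. TLV tags, STRENGTH ordering, UPDATE_LIMIT
and the response texts are assumed; the patent fixes none of them.
"""
from dataclasses import dataclass
from typing import List

TAG_ALGORITHM = 0x80   # information indicating the cryptographic algorithm (assumed tag)
TAG_KEY_DATA = 0x81    # the other key data (assumed tag)
UPDATE_LIMIT = 2       # predetermined update limit (>0), assumed value

# Assumed ordering of "cryptographic strength" for the alternative gate of [0055].
STRENGTH = {"DES": 1, "AES": 2, "RSA": 2, "ECDSA": 3, "CRYSTALS-Dilithium": 4}


def build_change_key(algorithm: str, key: bytes) -> bytes:
    """Build the DATA field of a CHANGE KEY as two TLV objects (one-byte tag, two-byte length)."""
    alg = algorithm.encode()
    return (bytes([TAG_ALGORITHM]) + len(alg).to_bytes(2, "big") + alg
            + bytes([TAG_KEY_DATA]) + len(key).to_bytes(2, "big") + key)


def parse_tlv(data: bytes) -> dict:
    """Parse one-byte-tag / two-byte-length TLV objects into {tag: value}."""
    objs, i = {}, 0
    while i + 3 <= len(data):
        tag, length = data[i], int.from_bytes(data[i + 1:i + 3], "big")
        objs[tag] = data[i + 3:i + 3 + length]
        i += 3 + length
    return objs


@dataclass
class KeyArea:
    """One key data area with its algorithm information and update information."""
    capacity: int              # bytes reserved when the area was pre-allocated
    key: bytes                 # key data currently recorded
    algorithm: str             # algorithm information area
    update_flag: bool = False  # update information, Figure 6 variant
    update_count: int = 0      # update information, Figure 7 variant
    priority: int = 0          # update information, Figure 8 variant


class SecureElement:
    """policy: 'flag' (Fig. 6), 'count' (Fig. 7) or 'priority' (Fig. 8).
    gate: 'length' (S103/S113/S121 as drawn) or 'strength' (the [0055] alternative)."""

    def __init__(self, areas: List[KeyArea], policy: str, gate: str = "length"):
        self.areas, self.policy, self.gate = areas, policy, gate

    def _stronger(self, new_key: bytes, new_alg: str, area: KeyArea) -> bool:
        if self.gate == "strength":
            return STRENGTH.get(new_alg, 0) > STRENGTH.get(area.algorithm, 0)
        return len(new_key) > len(area.key)

    def change_key(self, body: bytes) -> str:
        """Process the DATA field of a CHANGE KEY; return the processing result."""
        tlv = parse_tlv(body)
        if TAG_ALGORITHM not in tlv or TAG_KEY_DATA not in tlv:
            return "update failed"                       # malformed DATA field
        new_alg, new_key = tlv[TAG_ALGORITHM].decode(), tlv[TAG_KEY_DATA]

        if self.policy == "priority":
            area = max(self.areas, key=lambda a: a.priority)   # S123: highest priority
        else:
            area = self.areas[0]

        # Update-information gates (S101 / S111).
        if self.policy == "flag" and area.update_flag:
            return "update failed"
        if self.policy == "count" and area.update_count >= UPDATE_LIMIT:
            return "update failed"
        # Key-length or strength gate (S103 / S113 / S121).
        if not self._stronger(new_key, new_alg, area):
            return "update failed"
        # Added defensive check: never write past the pre-allocated capacity.
        if len(new_key) > area.capacity:
            return "update failed"

        # S104/S114/S124: overwrite; S105/S115/S125: update information and algorithm.
        area.key, area.algorithm = new_key, new_alg
        area.update_flag = True
        area.update_count += 1
        if self.policy == "priority":
            for a in self.areas:                        # lower the updated area, raise the others
                a.priority += -1 if a is area else 1
        return "update successful"
```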

[0064] In step S12, SE1 encrypts the response APDU, which indicates the result of the key data area update process (e.g., update success or update failure), using the session key SK to generate an encrypted response, and sends this encrypted response to the external terminal 2. In this way, the other key data becomes available for authentication and transaction processing after the update recording of the other key data is completed.

[0065] (Example 2) In Example 2, with reference to Figure 9, an example of operation will be described when the key data area in the NVM 13 of SE1 is shared by multiple key data with different key lengths. As a premise of Example 2, after other key data used in the PQC algorithm (referred to as "first key data") is recorded in the key data area, a portion of the recorded other key data is set as key data used in the conventional algorithm, which is a different cryptographic algorithm from the one that uses the other key data (this portion is referred to as "second key data"), and the conventional algorithm is set to be usable in the authentication application while the PQC algorithm is set to be unusable (for example, before SE1 is shipped). Therefore, after SE1 is shipped and before the cryptographic algorithm is switched, the second key data is usable in authentication processing and transaction processing according to the conventional algorithm, but the first key data is unusable.

[0066] Figure 9 is a sequence diagram showing an example of operation performed between SE1 and external terminal 2 in Example 2. The operation shown in Figure 9 is performed, as in Figure 5, for example, when, after the shipment of SE1, an opportunity arises to change from a conventional algorithm (e.g., DES or AES) to a PQC algorithm (e.g., CRYSTALS-Dilithium), and SE1, which is held by a user, starts communicating with external terminal 2 installed, for example, in a store. It is assumed that an initial sequence is performed between SE1 and external terminal 2 before the operation shown in Figure 9 begins, and that SE1 thereafter selects an authentication application in response to a SELECT from external terminal 2. The processing of steps S21 to S29 shown in Figure 9 is the same as the processing of steps S1 to S9 shown in Figure 5.

[0067] In step S30, the external terminal 2 encrypts the CHANGE KEY using the session key SK to generate an encryption command and sends the encryption command to SE1. Here, the DATA in the body of the CHANGE KEY stores information indicating the encryption algorithm (PQC algorithm), but, unlike Example 1, no other key data is stored. Next, when SE1 receives the encryption command from the external terminal 2, it decrypts the encryption command and executes an encryption algorithm switching process according to the CHANGE KEY extracted by decryption (step S31).

[0068] In the encryption algorithm switching process, the available encryption algorithm is switched from the conventional algorithm to the PQC algorithm based on the information indicating the encryption algorithm (PQC algorithm) contained in the body of the CHANGE KEY. For example, the switch is made by setting the conventional algorithm to unusable and the PQC algorithm to usable in the authentication application. As a result, INITIALIZE UPDATE and EXTERNAL AUTHENTICATE are disabled (prohibited) in the authentication process, while PERFORM SECURITY OPERATION and MUTUAL AUTHENTICATE are enabled.

[0069] Next, SE1 encrypts the response APDU, which indicates the result of the cryptographic algorithm switching process (for example, switching successful), using the session key SK to generate an encrypted response, and sends this encrypted response to the external terminal 2 (step S32). In this way, once the cryptographic algorithm has been switched to the PQC algorithm, the other key data becomes available in the authentication and transaction processes according to the PQC algorithm.

[0070] In the authentication process after switching to the PQC algorithm as described above, a PERFORM SECURITY OPERATION is sent from external terminal 2 to SE1. The PERFORM SECURITY OPERATION contains the public key certificate of external terminal 2. Upon receiving the PERFORM SECURITY OPERATION, SE1 verifies the origin of the public key certificate (for example, by verifying its signature using the public key that forms a key pair with the private key used to sign the public key certificate) and sends a response APDU indicating the verification result (for example, verification successful) to external terminal 2. Next, upon receiving the response APDU from SE1, external terminal 2 sends a MUTUAL AUTHENTICATE to SE1. The MUTUAL AUTHENTICATE contains the temporary public key of the temporary key pair generated by external terminal 2.

[0071] Next, upon receiving the MUTUAL AUTHENTICATE, SE1 calculates shared secret A using the PQC algorithm with the temporary public key stored in the MUTUAL AUTHENTICATE and SE1's private key (first key data), and generates a temporary key pair consisting of a temporary private key and a temporary public key. Next, SE1 calculates shared secret B using the PQC algorithm with the temporary public key stored in the MUTUAL AUTHENTICATE and the generated temporary private key, and further calculates the session key and authentication code using the PQC algorithm with shared secret A and shared secret B, etc. Finally, SE1 sends a response APDU containing the generated temporary public key and the calculated authentication code, etc., to external terminal 2.

[0072] Next, upon receiving the response APDU, the external terminal 2 calculates shared secret A, shared secret B, session key, and authentication code in the same manner as SE1, and verifies the authentication code contained in the response APDU using the calculated session key. If the verification is successful, a secure session is started, and the first key data is used, for example, in transaction processing.

[0073] In Example 2, an example was shown where either the conventional algorithm or the PQC algorithm is enabled. However, the system may be configured to enable both the conventional algorithm and the PQC algorithm. In this case, no switching from the conventional algorithm to the PQC algorithm occurs. Instead, the conventional algorithm or the PQC algorithm is selected according to the type of command APDU (for example, determined by INS), and the first or second key data is used according to the selected cryptographic algorithm. For example, if SE1 receives an INITIALIZE UPDATE from external terminal 2, it selects the conventional algorithm and uses the second key data. However, if it receives a PERFORM SECURITY OPERATION from external terminal 2, it selects the PQC algorithm and uses the first key data.

[0074] As described above, according to the above embodiment, SE1 is configured to have a key data area with a recording capacity that can record other key data with a key length longer than the initially recorded key data. When SE1 receives a command APDU containing other key data from an external terminal 2, it updates and records the other key data in the key data area in accordance with the command APDU, thereby efficiently ensuring cryptoagility when transitioning from a conventional algorithm to the PQC algorithm.

[0075] As a variation, as in Example 1, key data used by the conventional algorithm may be recorded in the key data area of SE1 before shipment, and after other key data (first key data) is updated and recorded in the key data area after shipment, SE1 may be configured to set a portion of the updated other key data as key data used by the conventional algorithm (second key data) when it receives a command APDU indicating the setting of key data from an external terminal 2 at a store or the like. In this case as well, no switching of the encryption algorithm is performed; either the conventional algorithm or the PQC algorithm is selected according to the type of command APDU, and the first or second key data is used according to the selected encryption algorithm. This makes it possible to respond flexibly even if the use of the conventional algorithm and its key data becomes necessary after other key data (first key data) has been updated and recorded in the key data area of SE1.

[Explanation of symbols]

[0076] 1 SE; 2 external terminal; 11 I/O circuit; 12 RAM; 13 NVM; 14 ROM; 15 CPU; 16 coprocessor

Claims

1. An electronic information storage medium having a memory with a key data area pre-allocated for recording key data, and capable of receiving commands from an external terminal, wherein the key data area has a recording capacity that allows it to record other key data with a longer key length than the key data currently recorded in the key data area, the electronic information storage medium comprising: receiving means for receiving a command including the other key data from the external terminal; and recording means for, in response to the command, updating and recording the other key data in the key data area in place of the key data currently recorded.

2. The electronic information storage medium according to claim 1, characterized in that the recording means determines whether the key length of the other key data is longer than the key length of the key data being recorded, and updates and records the other key data in the key data area only if it is determined that the key length of the other key data is longer than the key length of the key data being recorded.

3. The electronic information storage medium according to claim 1, characterized in that the recording means determines whether the cryptographic strength of the other key data is higher than the cryptographic strength of the key data being recorded, and updates and records the other key data in the key data area only if it is determined that the cryptographic strength of the other key data is higher than the cryptographic strength of the key data being recorded.

4. The electronic information storage medium according to any one of claims 1 to 3, characterized in that the recording means determines whether the number of update records made in the key data area has reached a predetermined update limit, and updates and records the other key data in the key data area only if it is determined that the update limit has not been reached.

5. The electronic information storage medium according to any one of claims 1 to 3, characterized in that the memory has a plurality of the key data areas, a priority of the update record in each key data area is set to be changeable, and the recording means selects one of the key data areas based on the priority and updates and records the other key data in the selected key data area.

6. The electronic information storage medium according to claim 5, characterized in that the priority is set based on the cryptographic strength of the key data recorded in each of the multiple key data areas.

7. The electronic information storage medium according to claim 1, characterized in that the receiving means further receives a command indicating the setting of key data from the external terminal, and the electronic information storage medium further comprises setting means for setting, in response to the command indicating the setting of the key data, a portion of the updated other key data as key data used in a cryptographic operation different from the cryptographic operation in which the other key data is used.

8. An electronic information storage medium having a memory with a key data area pre-allocated for recording first key data, and capable of receiving commands from an external terminal, the electronic information storage medium comprising: receiving means for receiving a command indicating the setting of key data from the external terminal; and setting means for setting, in response to the command indicating the setting of the key data, a portion of the data of the first key data recorded in the key data area as second key data to be used in a second cryptographic operation scheme different from the first cryptographic operation scheme in which the first key data is used.

9. An IC chip having a memory with a key data area pre-allocated for recording key data, and capable of receiving commands from an external terminal, wherein the key data area has a recording capacity that allows it to record other key data with a longer key length than the key data currently recorded in the key data area, the IC chip comprising: receiving means for receiving a command including the other key data from the external terminal; and recording means for, in response to the command, updating and recording the other key data in the key data area in place of the key data currently recorded.

10. An IC card having a memory with a key data area pre-allocated for recording key data, and capable of receiving commands from an external terminal, wherein the key data area has a recording capacity that allows it to record other key data with a longer key length than the key data currently recorded in the key data area, the IC card comprising: receiving means for receiving a command including the other key data from the external terminal; and recording means for, in response to the command, updating and recording the other key data in the key data area in place of the key data currently recorded.

11. A key data recording method executed by a computer contained in an electronic information storage medium capable of receiving commands from an external terminal, the computer having a memory with a key data area pre-allocated for recording key data, wherein the key data area has a recording capacity that allows it to record other key data with a longer key length than the key data currently recorded in the key data area, the method comprising: a step of receiving a command containing the other key data from the external terminal; and a step of, in response to the command, updating and recording the other key data in the key data area in place of the key data currently recorded.

12. A key data setting method executed by a computer contained in an electronic information storage medium capable of receiving commands from an external terminal, the computer having a memory with a key data area pre-allocated for recording first key data, the method comprising: a step of receiving a command indicating the setting of key data from the external terminal; and a step of setting, in response to the command indicating the setting of the key data, a portion of the data of the first key data recorded in the key data area as second key data to be used in a second cryptographic operation scheme different from the first cryptographic operation scheme in which the first key data is used.

13. A program for causing a computer included in an electronic information storage medium capable of receiving commands from an external terminal, the computer having a memory with a key data area pre-allocated for recording key data, the key data area having a recording capacity capable of recording other key data with a longer key length than the key data currently recorded in the key data area, to function as: receiving means for receiving a command including the other key data from the external terminal; and recording means for, in response to the command, updating and recording the other key data in the key data area in place of the key data currently recorded.

14. A program for causing a computer contained in an electronic information storage medium that has a memory with a key data area pre-allocated for recording first key data and that can receive commands from an external terminal to function as: receiving means for receiving a command indicating the setting of key data from the external terminal; and setting means for setting, in response to the command indicating the setting of the key data, a portion of the data of the first key data recorded in the key data area as second key data to be used in a second cryptographic operation scheme different from the first cryptographic operation scheme in which the first key data is used.