KR101249394B1 - Proxy re-encryption method from lattices and apparatus therefor - Google Patents

Abstract

The present invention relates to a method and apparatus for surrogate re-encryption based on a lattice environment capable of increasing the efficiency of computation and ensuring the safety of a quantum algorithm, by using a learning with error (LWE) problem transformation algorithm, Generate a re-encryption secret key for re-encrypting the ciphertext encrypted with the public key of the first user into the ciphertext encrypted with the public key of the second user, and encrypting the first user expressed as an LWE problem for the secret key of the first user. If is input, by converting the LWE problem for the secret key of the first user to the LWE problem for the secret key of the second user using the re-encryption secret key, the cipher text of the first user is encrypted text of the second user It is characterized by re-encryption.

Description

Proxy re-encryption method from lattices and apparatus therefor}

The present invention relates to surrogate re-encryption, and more particularly, to a surrogate re-encryption method and apparatus therefor based on a lattice environment capable of increasing the efficiency of an operation and ensuring the safety of a quantum algorithm.

Proxy re-encryption is a technology that allows an authorized representative to change the cipher text sent from one user to the cipher text of another user without seeing the contents of the plain text.

The proxy re-encryption technique is highly secure because there is no possibility of exposing the contents of plain text during the re-encryption process, and various fields requiring information protection such as smart grid, e-mail, database security, and digital right management (DRM) are required. Applied in

In other words, by applying a surrogate re-encryption technique, in an e-mail forwarding system that is considered to be basically untrusted, an encrypted mail can be forwarded to another person without exposing the contents to the e-mail server.

In addition, according to the guidelines for smart grid safety published at the National Institute of Standards and Technology (NIST) in 2010, surrogate re-encryption techniques are used to interoperate devices in smart grids that are intermittently connected. Data can be passed securely through delegated but untrusted delegates.

In order to ensure the security in this re-encryption, the agent must not be able to obtain any information in the plain text, and this security must be ensured even in the case of collusion attacks between the agents.

A variety of surrogate re-encryption methods have been proposed to satisfy these safety requirements. Most surrogate re-encryption techniques are based on traditional mathematical features such as factoring, discrete algebra, and Diffie-Hellman problems in pairing. It is designed based on.

However, the recent development and development of quantum algorithms can no longer guarantee the safety of surrogate re-encryption schemes designed based on the Diffie-Hellman problem in factoring, discrete algebra, and pairing. Therefore, a new surrogate re-encryption method that can guarantee the safety of the quantum algorithm is required.

The present invention has been proposed to ensure the security in surrogate re-encryption, and a method and apparatus for surrogate re-encryption based on a lattice environment capable of increasing the efficiency of the operation and ensuring the safety of the quantum algorithm are provided. To provide.

As a means for solving the above-described problems, the present invention uses a learning with error (LWE) problem conversion algorithm, to re-encrypt the cipher text encrypted with the public key of the first user to the cipher text encrypted with the public key of the second user Generating a re-encryption secret key; Receiving a ciphertext of the first user, which is a combination of an LWE problem for the first user's public key and a plaintext encrypted with a hash function; Convert the LWE problem for the public key of the first user to the LWE problem for the public key of the second user using the re-encryption secret key, and encrypt the LWE problem for the public key of the second user with the hash function It provides a surrogate re-encryption method based on a lattice environment comprising the step of generating a cipher text of the second user by combining the plain text.

In addition, the present invention is a means for solving the above-described problem, by using the LWE (Learning with error) problem conversion algorithm, re-encrypt the cipher text encrypted with the public key of the first user to the cipher text encrypted with the public key of the second user A surrogate re-encryption key generation unit for generating a re-encryption secret key for performing the analysis; A receiving unit for receiving a cipher text of the first user, which is composed of a combination of an LWE problem for the first user's public key and a plain text encrypted with a hash function; Convert the LWE problem for the public key of the first user to the LWE problem for the public key of the second user using the re-encryption secret key, and convert the LWE problem for the public key of the second user into the hash function and the hash function. A surrogate re-encryption unit combining the encrypted plain text to generate an encrypted text of the second user; And a transmitter configured to transmit the cipher text of the second user to the second user.

Surrogate re-encryption according to the present invention, which is designed based on a lattice environment, has advantages in terms of safety and efficiency over other surrogate re-encryption methods designed based on existing mathematically difficult problems. Specifically, based on the Lattice environment, it is possible to reduce the complexity of the operation to increase the efficiency of the operation, and the safety of not exposing any information about the plain text is based on the difficulty of the LWE problem, The safety against attacks is based on the difficulty of the SIS problem, thereby ensuring the safety of quantum computing systems.

In addition, since the present invention is transitive, it is possible to reduce the key management burden of the delegate in an environment where ciphertext conversion occurs frequently.

In addition, the present invention can be proved to be safe under conditions that prevent the attacker from simultaneously obtaining an exchangeable secret key.

1 is a block diagram showing the basic structure of a surrogate encryption system according to the present invention.
2 is a flowchart illustrating an encryption method for plain text in the surrogate re-encryption method according to the present invention.
3 is a flowchart illustrating a decryption method for a cipher text in the surrogate re-encryption method according to the present invention.
4 is a flowchart illustrating a proxy re-encryption method in a lattice environment according to the present invention.
5 is a block diagram showing the configuration of a proxy re-encryption apparatus in a lattice environment according to the present invention.

Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the accompanying drawings. In the following description and the accompanying drawings, detailed description of well-known functions or constructions that may obscure the subject matter of the present invention will be omitted. In addition, it should be noted that like elements are denoted by the same reference numerals as much as possible throughout the drawings.

The present invention proposes a surrogate re-encryption method based on a Lattice environment in order to solve the problem that mathematical algorithms, such as factorization and discrete algebra, which are considered difficult to solve in the past, have not been secured by the development of quantum algorithms. .

이지만, 래티스 환경에 기반한 암호화 시스템에서의 연산 복잡도는

으로 훨씬 효율적이게 된다. 더불어, 래티스 환경에 기반한 암호 시스템은 양자 알고리즘에 대한 안전성을 제공할 수 있다.When designing an encryption system in a Lattice environment, the security can be proved based on the Lattice's worst-case problem, thus providing higher security than the encryption system designed based on the existing average-case problem. In addition, the computational complexity of cryptographic systems based on mathematical techniques such as factorization and discrete algebra

However, the computational complexity in Lattice-based cryptographic systems

This makes it much more efficient. In addition, cryptographic systems based on Lattice environments can provide security for quantum algorithms.

First, the concept and properties of lattice applied to the surrogate re-encryption method according to the present invention will be described first.

( Lattice )

를 사용하는데, 이것은 유한개의 지수를 가지는

의 이산 가산 서브그룹(discrete additive subgroup)이다. 즉, 쿼션트 그룹(Quotient group)

이 유한하다. 그리고, 하나의 래티스

은 하기의 수학식과 같이 m개의 선형 독립 기저 벡터

의 모든 정수 선형 결합의 집합과 동일하게 정의된다.In the present invention, m-dimensional full-rank integer lattice for surrogate re-encryption

, Which has a finite number of exponents

Is a discrete additive subgroup of. That is, the quentient group

This is finite. And one lattice

Is m linear independent basis vectors as

Is defined equal to the set of all integer linear combinations.

인 경우, 동일한 래티스를 생성하는 기저들은 무수히 많게 된다.here,

If, the basis for producing the same lattice is innumerable.

과,

는 정수이며, 차원 n은 본 발명에서 사용되는 시큐리티 파라미터이고, 모든 다른 파라미터들은 n의 함수들로 내포되었다고 가정한다. 이때 m차원 하드 래티스는 패리티 검사 행렬

에 의해 생성되며, 다음과 같이 정의된다.In particular, the present invention uses a particular form of integer lattice. In other words,

and,

Is an integer, dimension n is a security parameter used in the present invention, and all other parameters are implied by functions of n. Where m-dimensional hard lattice is the parity check matrix

It is created by and defined as

에 의해 생성되는 코셋(coset)은 다음과 같이 정의된다.And parity check matrix for y

The coset generated by is defined as follows.

에 대해, 균등하게 랜덤한

의 열 벡터는

상의 모두를 생성할 수 있다(단

확률을 제외한다). 따라서, 본 발명에서는 균등하게 랜덤한 A를 사용한다.With some fixed constant C> 1

Equally random

Column vector of the

You can create all of the tops

Exclude probability). Therefore, in the present invention, evenly random A is used.

( SIS Wow LWE  Problem)

Short integer solution (SIS) and learning with error (LWE) problems in Lattice belong to Average-case hardness problems, but each is a Worst-case hardness problems. There is a way to connect.

에 대해 균등하게 랜덤한 행렬

를 입력받아

와

(즉,

)을 만족하는 0이 아닌 정수 벡터

를 찾는 것이고, LWE 문제는 정수 p와 Z_q에서 정의된 에러 분포

에 대해,

의 분포와

의 분포를 서로 구분하는 것이다. 참고로, 상기 수식에서 '<-'는 해당 분포에서 랜덤하게 선택하는 것을 의미한다.Here, what is the SIS problem

Equally random matrix for

Take input

Wow

(In other words,

A nonzero integer vector satisfying

The LWE problem is the error distribution defined by the integers p and Z _q .

About,

Distribution and

To distinguish the distribution of. For reference, '<-' in the formula means to select randomly from the distribution.

( At Lattice Gaussian  Distribution)

에 대해 가우시안 함수(Gaussian function)

는

로 정의된다. 어떤 코셋

에 대해, 코셋 상의 중심이 0이 아닌 이산 가우시안 분포(discrete gaussian distribution)

는 각각의

에서

에 비례하는 확률을 가진다. 여기서 S는 어떤

에 대한

의 기저를 말하며,

이다.With any s> 0 and dimension

Gaussian function for

The

. Any corset

Discrete gaussian distribution with a nonzero center on the corset

Respectively,

in

Has a probability proportional to Where S is

For

The basis of

to be.

로부터 샘플링할 수 있는 PPT 알고리즘

이 존재한다.with a statistical distance of negl (n)

PPT algorithm that can sample from

Lt; / RTI &gt;

(Base and trapdoor ( bases and trapdoors )

와 이러한 매트릭스로 생성된 래티스

의 짧은 기저 S를 생성하는 알고리즘

이 제안되었다. 여기서, 파라미트들은

을 만족하며, 기저 S의 길이는

만큼 짧다. 임의 래티스의 짧은 기저를 찾는 문제는 결국 SIS(Short Integer Solution)이므로, 알고리즘

은 임의의 래티스와 그것의 트랩도어, 즉, 짧은 기저를 생성하게 된다.M. Ajtai's "Generating hard instances of the short basis problem" (Wiedermann, J., Van Emde Boas, P., Nielsen, M. (eds.) ICALP 1999. LNCS, vol. 1644, pp. 1-9. Springer, Heidelberg, 1999) contains randomly selected matrices from uniform distributions.

And the lattice generated from these matrices

Algorithm to Generate Short Base S of

This has been proposed. Where the parameters are

, And the length of the base S is

As short as The problem of finding a short basis for random lattice is, after all, a short integer solution (SIS), so the algorithm

Will generate an arbitrary lattice and its trapdoor, ie a short basis.

( LWE  Problem conversion algorithm)

를 활용하여,

와 그것의 트랩도어 T_A를 사용하여 A에 관한 LWE 문제(

)를 s,x 값을 알지 못한 채 B에 대한 LWE 문제(

)의 형태로 변환할 수 있다.Algorithm mentioned above

By utilizing

LWE problem with A using its trapdoor T _A and

) LWE problem for B without knowing the value of s, x (

) Into the form

이라고 할 때,

를 수행하여

를 만족하는 길이가 짧은 r_i를 생성할 수 있으며, 이를 m번 반복하면,

를 만족하는 짧은 길이를 갖는 매트릭스

를 생성할 수 있다.In other words,

When I say

By doing

We can create a short r _i that satisfies. If you repeat this m times,

Matrix with short length to satisfy

Lt; / RTI &gt;

를 A에 관한 LWE 문제(

)의 좌변에 곱하면,

로 변환되어 B에 대한 LWE 문제가 된다. 다만, 두 분포

와

은 같은 s값을 갖게 되지만, 노이즈 (x,x')의 분포는 서로 다르다. Thus, the matrix

LWE issues with A (

Multiply by the left side of

Is converted into a LWE problem for B. However, two distributions

Wow

Have the same s value, but the distribution of noise (x, x ') is different.

Next, a method and apparatus for surrogate re-encryption in a lattice environment according to the present invention applied by applying the above-described concepts will be described. For reference, in the following embodiment, a case where the cipher text encrypted with the public key of the user a is converted into the cipher text encrypted with the public key of the user b will be described as an example.

1 is a view showing the configuration of a surrogate re-encryption system according to the present invention.

을 유저 b의 공개키로 암호화된 암호문

으로 재암호화한다.In Fig. 1, reference numeral 10 denotes a proxy re-encryption apparatus for performing proxy re-encryption according to the present invention. The proxy re-encryption apparatus 10 receives the cipher text encrypted with the public key of any user and re-encrypts the cipher text encrypted with the public key of another user. In an embodiment of the present invention, a ciphertext encrypted with the public key of user a

Ciphertext encrypted with user b's public key

Reencrypt with.

을 송신하며, 제2 단말(20b)는 유저 b의 공개키로 암호화된 암호문

을 수신하고, 수신된 암호문을 유저 b의 비밀키로 복호화하여 메시지 M을 획득하게 된다.Reference numerals 20a and 20b denote terminals of users who transmit and receive cipher texts, and are referred to as first and second terminals for convenience of description below. In the following embodiment, the first terminal 20a encrypts the message M encrypted with the public key of the user a.

The second terminal 20b transmits the ciphertext encrypted with the public key of the user b.

Receive the message, and decrypt the received cipher text with the private key of user b to obtain message M.

Hereinafter, a proxy re-encryption method in a lattice environment according to the present invention through the above-described proxy re-encryption system will be described with reference to the flowcharts of FIGS. 2 to 4.

First, FIG. 2 is a flowchart illustrating an encryption process applied to a surrogate encryption system according to the present invention.

Referring to FIG. 2, in the surrogate re-encryption system according to the present invention, a public key, a secret key, and a hash function are set to generate an encrypted text of the plain text M (S110). The public and private keys are set for each user, and the hash function is commonly used for all users. Specifically, the public and private keys for each user are each set to a matrix arbitrarily selected from an equal distribution and a short basis of a lattice generated from the matrix.

을 이용하여, 균등한 분포에서 임의로 선택된 매트릭스 A와, 상기 매트릭스로 생성되는 래티스의 짧은 기저 T_{A ,}

,

를 생성하고, 이렇게 생성된 A와 T_A를 임의의 유저(예를 들어, 유저 a)의 공개키(

)와 비밀키(

)로 설정한다.Taking the case of user a as an example, the algorithm described previously

Using matrix A randomly selected in an even distribution, and the short basis T _A of the lattice produced by the matrix _,

,

A and T _A are generated, and the public key (for example, user a)

) And secret key (

).

로 설정한다. In addition, in the present invention, the hash function to be used for encryption

.

,

, ,

,

,

이다.In the above,

,

,,

,

,

to be.

와, 노이즈 벡터

를 생성하고, 상술한 바와 같이 설정된 공개키와 비밀키와 해시함수를 이용하여, 유저 a의 암호문

은 다음의 수학식 2와 같이 생성한다(S120).And an arbitrary vector

With noise vector

Is generated and the ciphertext of the user a using the public key, the secret key, and the hash function set as described above.

Is generated as in Equation 2 below (S120).

Here, A is the private key of user a, M represents the plaintext M before being encrypted, and H is a predetermined hash function. That is, ciphertext C ₁ is represented by the LWE problem for A selected as secret key A, and ciphertext C ₂ is calculated by the plaintext and hash function to be encrypted.

The decryption process for the cipher text as shown in Equation 2 is performed as shown in FIG.

의 값이 q보다 작기 때문에, mod q 연산은 생략될 수 있다.That is, referring to FIG. 3, in order to obtain the plaintext M from the ciphertext as shown in Equation 2, first, a secret key T _A , which is a symmetric key of the public key used to generate the ciphertext, and C ₁ of the ciphertext are as follows. Calculated as in Equation 3 below, the ciphertext C ₁ is decrypted (S210). In the last step of Equation 3 below

Since the value of is less than q, the mod q operation can be omitted.

Next, the noise vector x is calculated by multiplying the inverse matrix of the secret key by the calculation result of step S210 (S220).

를 계산하여, s 값을 계산한다(S230).Then, using the calculated noise vector x,

To calculate the value of s to calculate (S230).

Finally, the plain text M may be decoded by substituting the s value into Equation 4 below (S240).

The present invention re-encrypts a ciphertext that is encrypted and decrypted as described above by another ciphertext of another user.

4 is a flowchart illustrating a lattice-based surrogate re-encryption method according to the present invention.

Referring to FIG. 4, the surrogate re-encryption apparatus 10 according to the present invention first generates a secret key for surrogate re-encryption (S310). The secret key for proxy re-encryption is generated as a secret key for re-encrypting the cipher text of user a into cipher text of user b,

)를 생성하는데, 이를 위하여, 유저 a의 비밀키 T_A와 유저 b의 공개키

, 그리고 파라미터

을 사용하여, 앞서 설명한 LWE 문제 변환 알고리즘을 통해

를 계산한다. 즉,

를 만족하면서 길이가 짧은

를 생성하여, 비밀키를

로 설정한다.In addition, the present invention is a secret key of the delegate that can change the cipher text encrypted with the public key of the user a (

For this purpose, user a's private key T _A and user b's public key

, And parameters

Using the LWE problem conversion algorithm

. In other words,

Short length while satisfying

Create a private key

.

을 수신한다(S320). 이때 수신된 암호문은 수학식 2와 같이 정의된다.As described above, in the state where the secret key is set, the surrogate re-encryption apparatus 10 encrypts the ciphertext encrypted by the public key A and the hash function of the user a from the first terminal 20a.

Receive (S320). At this time, the received cipher text is defined as in Equation 2.

를 수신된 암호문 C₁과 곱하여, 유저 a의 LWE 문제 C₁를 유저 b의 LWE 문제 C₁'로 변환함에 의하여, 유저 a의 암호문

를 유저 b의 암호문

로 재암호화한다.When the cipher text is received in this way, the proxy re-encryption apparatus 10 re-encrypts the received cipher text of the user a into the cipher text of the user b using the LWE problem conversion algorithm described above (S330). In more detail, as shown in Equation 5 below, a secret key set using the user a's private key and the user's b public key through step S310.

Multiply by the received ciphertext C ₁ and convert the user a's LWE problem C ₁ to the user b's LWE problem C ₁ ', thereby converting the user's a ciphertext.

Ciphertext of user b

Reencrypt with.

를 제2 단말(20b)로 전송한다(S340).In addition, the proxy re-encryption apparatus 10 is a re-encrypted cipher text

It is transmitted to the second terminal 20b (S340).

를 상기 도 3과 같은 방법으로 유저 b의 비밀키를 이용하여 복호화하여 평문 M을 획득할 수 있다.After that, the second terminal 20b receives the cipher text.

In the same manner as in FIG. 3, the plaintext M can be obtained by decrypting using the secret key of the user b.

As described above, the surrogate re-encryption method of the present invention is based on the difficulty of the LWE problem, the security that does not expose any information about the plain text, and the security against collusion attacks between the delegates is based on the difficulty of the SIS problem Put it.

In addition, the surrogate re-encryption method according to the present night's c ciphertext conversion may be allowed. That is, re-encryption is possible in the range where the magnitude of noise does not exceed q. In addition, in the present invention, when a delegate is given a secret key for the conversion from user a to user b and a secret key for the conversion from user b to user c, the surrogate re-encryption apparatus according to the present invention uses two secret key values. Thus, a secret key for the conversion from user a to user c can be calculated, which can reduce the key management burden on the delegate in an environment where ciphertext conversion occurs frequently.

The surrogate re-encryption method according to the present invention can be recorded on a computer-readable recording medium. Here, the recording medium may include a program command, a data file, a data structure, etc. alone or in combination. Program instructions recorded on the recording medium may be those specially designed and constructed for the present invention, or they may be of the kind well-known and available to those having skill in the computer software arts. For example, the recording medium may be magnetic media such as hard disks, floppy disks and magnetic tapes, optical disks such as Compact Disk Read Only Memory (CD-ROM), digital video disks (DVD), Magnetic-Optical Media, such as floppy disks, and hardware devices specially configured to store and execute program instructions, such as ROM, random access memory (RAM), flash memory, and the like. do. Examples of program instructions may include machine language code such as those generated by a compiler, as well as high-level language code that may be executed by a computer using an interpreter or the like. Such a hardware device may be configured to operate as one or more software modules to perform the operations of the present invention, and vice versa.

Fig. 5 is a block diagram showing the detailed configuration of the surrogate re-encryption apparatus 10 according to the present invention for executing the surrogate re-encryption method in the lattice environment described above.

Referring to FIG. 5, the surrogate re-encryption apparatus 10 may include a surrogate re-encryption key generation unit 11, a receiver 12, a surrogate re-encryption unit 13, and a transmitter 14. .

The surrogate re-encryption key generation unit 11 generates a secret key that can re-encrypt the cipher text of the arbitrary user a into the cipher text of the other user b using the LWE problem conversion algorithm. The secret key may be obtained by acquiring a private key of user a and a public key of user b, and the process may be performed as in step S310 of FIG. 4 described above.

The receiving unit 12 receives the cipher text to be re-encrypted and delivers it to the surrogate re-encrypting unit 13. More specifically, the receiving unit 12 receives the cipher text of the user a, wherein the cipher text received is defined as in Equation 2.

The surrogate re-encryption unit 130 re-encrypts the cipher text transmitted from the receiving unit 12 using the secret key generated by the surrogate re-encryption key generation unit 11 with the cipher text encrypted with the public key of another user (user b). . The re-encryption may be performed as in Equation 5.

The transmitter 13 transmits the ciphertext re-encrypted by the proxy re-encryption unit 130 to the destination, that is, the second terminal 20b.

The secret key generation principle and the re-encryption principle of the surrogate re-encryption unit 13 of the surrogate re-encryption key generator 11 of the surrogate re-encryption apparatus 10 may be easily understood from the description with reference to FIG. 4.

While the present invention has been described in connection with what is presently considered to be practical exemplary embodiments, it is to be understood that the invention is not limited to the disclosed embodiments, but, on the contrary, It will be apparent to those skilled in the art. In addition, although specific terms are used in the specification and the drawings, they are only used in a general sense to easily explain the technical contents of the present invention and to help the understanding of the present invention, and are not intended to limit the scope of the present invention.

Surrogate re-encryption according to the present invention, which can be used in various fields that require security, such as smart grid, e-mail, database security, DRM, etc., is designed based on a lattice environment, and based on existing mathematical problems It has advantages in terms of safety and efficiency over other surrogate re-encryption methods designed. In particular, based on the Lattice environment, it is possible to reduce the complexity of the operation to increase the efficiency of the operation, and the safety of not exposing any information about the plain text is based on the difficulty of the LWE problem, The safety against attacks is based on the difficulty of the SIS problem, thereby ensuring the safety of quantum computing systems. In addition, since the present invention is transitive, it is possible to reduce the key management burden of the delegate in an environment where ciphertext conversion occurs frequently.

10: surrogate re-encryption device
11: proxy re-encryption key generation unit
12: receiver
13: proxy re-encryption unit
14: transmitter
20a: first terminal
20b: second terminal

Claims (11)

Generating a re-encryption secret key for re-encrypting a cipher text encrypted with the public key of the first user using a learning with error (LWE) problem conversion algorithm;
Receiving a ciphertext of the first user, which is a combination of an LWE problem for the first user's public key and a plaintext encrypted with a hash function;
Convert the LWE problem for the public key of the first user to the LWE problem for the public key of the second user using the re-encryption secret key, and encrypt the LWE problem for the public key of the second user with the hash function And generating a cipher text of the second user by combining the plain texts according to the Lattice environment. The method of claim 1, wherein the private and public keys of the first and second users are
A method of re-encryption based on a lattice environment, wherein each matrix is randomly selected from a uniform distribution and a short basis of a lattice generated from the matrix. delete The cipher text of claim 1, wherein
Computing the LWE problem for the public key of the first and second users of the first and second user's secret key and the ciphertext of the first and second users, to calculate the key value of the hash function, using the calculated key value A surrogate re-encryption method based on a lattice environment, wherein the plain text can be extracted by decrypting the plain text encrypted by the hash function. The method of claim 2, wherein generating the re-encryption secret key
Through the LWE problem conversion algorithm, the public key of the first user can be converted into the public key of the second user, and a short value of less than or equal to a preset value is calculated and set as a secret key for re-encryption. Surrogate re-encryption method based on lattice environment. delete A proxy re-encryption key generation unit that generates a re-encryption secret key for re-encrypting a cipher text encrypted with the public key of the first user using a learning-error (LWE) problem conversion algorithm. ;
A receiving unit for receiving a cipher text of the first user, which is composed of a combination of an LWE problem for the first user's public key and a plain text encrypted with a hash function;
Convert the LWE problem for the public key of the first user to the LWE problem for the public key of the second user using the re-encryption secret key, and convert the LWE problem for the public key of the second user into the hash function and the hash function. A surrogate re-encryption unit combining the encrypted plain text to generate an encrypted text of the second user; And
And a transmitter configured to transmit the cipher text of the second user to the second user. 8. The method of claim 7, wherein the private and public keys of the first and second users are
A surrogate re-encryption apparatus based on a lattice environment, each of which is set to a matrix arbitrarily selected from a uniform distribution and a short basis of a lattice generated from the matrix. delete 8. The method of claim 7, wherein the first and second user's cipher text
Computing the LWE problem for the public key of the first and second users of the first and second user's secret key and the ciphertext of the first and second users, to calculate the key value of the hash function, using the calculated key value An apparatus for surrogate re-encryption based on a lattice environment, wherein a plain text can be extracted by decrypting a plain text encrypted with a hash function. delete

Images