A method and apparatus for generating a re-encryption key

By generating a re-encryption key through sampling the preimage of the gate matrix and the first matrix, the private key is avoided from participating in the generation, reducing the amount of computation. Furthermore, the key information is masked by ciphertext errors, which solves the problems of excessive key norm and large amount of computation, thus achieving semantically secure re-encryption.

CN116668013BActive Publication Date: 2026-07-14ALIBABA (CHINA) CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
ALIBABA (CHINA) CO LTD
Filing Date
2023-05-09
Publication Date
2026-07-14

Smart Images

  • Figure CN116668013B_ABST
    Figure CN116668013B_ABST
Patent Text Reader

Abstract

The one or more embodiments of the specification provide a method and device for generating a re-encryption key, the method comprising: obtaining a private key and a public key of a delegate user, the private key of the delegate user containing a gate matrix, and the public key of the delegate user containing a first matrix whose gate is the gate matrix; performing inverse image sampling on a public key of a trustee user according to the gate matrix and the first matrix; and generating a re-encryption key for the trustee user according to a sampling result.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This specification relates to one or more embodiments in the field of cryptography, and more particularly to a method and apparatus for generating a re-encryption key. Background Technology

[0002] Proxy Re-Encryption Schemes (PRE) are a type of public-key encryption protocol that allows for the existence of a proxy between a principal user and a proxy user. The proxy can convert ciphertext encrypted with the principal user's public key into ciphertext encrypted with the proxy user's public key using a re-encryption key. In other words, it re-encrypts the ciphertext using the re-encryption key to generate re-encrypted ciphertext, and in this process, it does not require access to the plaintext or the private key of either user. Summary of the Invention

[0003] In view of this, one or more embodiments of this specification provide a method and apparatus for generating a re-encryption key, which can solve the shortcomings existing in the related technology.

[0004] To achieve the above objectives, one or more embodiments of this specification provide the following technical solutions:

[0005] According to a first aspect of one or more embodiments of this specification, a method for generating a re-encryption key is provided, the method comprising:

[0006] Obtain the private key and public key of the entrusting user, wherein the private key of the entrusting user contains a limit gate matrix, and the public key of the entrusting user contains a limit gate that is the first matrix of the limit gate matrix;

[0007] Preimage sampling is performed on the public key of the entrusted user based on the threshold matrix and the first matrix;

[0008] A re-encryption key for the entrusted user is generated based on the sampling results.

[0009] According to a second aspect of one or more embodiments of this specification, a method for proxy re-encryption is provided, the method comprising:

[0010] Obtain the target ciphertext sent by the entrusting user and the re-encryption key for the entrusted user; wherein, the private key of the entrusting user contains a threshold matrix, the public key of the entrusting user contains a first matrix with the threshold as the threshold matrix, and the re-encryption key is generated by sampling the preimage sampling result of the public key of the entrusted user according to the threshold matrix and the first matrix;

[0011] The target ciphertext is re-encrypted using the re-encryption key to obtain the target re-encrypted ciphertext;

[0012] The target re-encrypted ciphertext is sent to the entrusted user.

[0013] According to a third aspect of one or more embodiments of this specification, an apparatus for generating a re-encryption key is provided, the apparatus comprising:

[0014] Acquisition Unit: Acquires the private key and public key of the entrusting user, wherein the private key of the entrusting user contains a limit gate matrix, and the public key of the entrusting user contains a limit gate that is the first matrix of the limit gate matrix;

[0015] Sampling unit: performs preimage sampling on the public key of the entrusted user based on the threshold matrix and the first matrix;

[0016] Generation unit: Generates a re-encryption key for the entrusted user based on the sampling results.

[0017] According to a fourth aspect of one or more embodiments of this specification, an apparatus for proxy re-encryption is provided, the apparatus comprising:

[0018] Acquisition Unit: Acquires the target ciphertext sent by the entrusting user and the re-encryption key for the entrusted user; wherein, the private key of the entrusting user contains a threshold matrix, the public key of the entrusting user contains a first matrix with the threshold as the threshold matrix, and the re-encryption key is generated by sampling the preimage sampling result of the public key of the entrusted user according to the threshold matrix and the first matrix;

[0019] Encryption unit: Re-encrypts the target ciphertext according to the re-encryption key to obtain the target re-encrypted ciphertext;

[0020] Sending unit: Sends the target re-encrypted ciphertext to the entrusted user.

[0021] According to a fifth aspect of one or more embodiments of this specification, an electronic device is provided, comprising:

[0022] processor;

[0023] Memory used to store processor-executable instructions;

[0024] The processor implements the steps of the method as described in the first aspect by running the executable instructions.

[0025] According to a sixth aspect of one or more embodiments of this specification, a computer-readable storage medium is provided that stores computer instructions thereon, which, when executed by a processor, implement the steps of the method as described in the first aspect.

[0026] According to a seventh aspect of one or more embodiments of this specification, a computer program is provided that, when executed by a processor, implements the steps of the method as described in the first aspect.

[0027] As can be seen from the above technical solutions, the re-encryption key generation method provided in one or more embodiments of this specification performs preimage sampling on the entrusted user's public key using the first matrix contained in the entrusting user's public key and the threshold matrix corresponding to the first matrix, and generates the entrusted user's re-encryption key based on the sampling result. This ensures that the entrusting user's private key does not participate in the re-encryption key generation process, thereby avoiding the problem of the re-encryption key norm being too large due to the generation of the re-encryption key based on the private key. Consequently, the re-encrypted ciphertext can be generated based on the re-encryption key with a relatively small norm, which not only satisfies the adversary's query for the re-encrypted ciphertext but also reduces the computational load of generating the re-encrypted ciphertext. Attached Figure Description

[0028] Figure 1 This is an exemplary embodiment of the architecture diagram of a PRE system.

[0029] Figure 2 This is a flowchart of a method for generating a re-encryption key, provided in an exemplary embodiment.

[0030] Figure 3 This is a flowchart of a proxy re-encryption method provided in an exemplary embodiment.

[0031] Figure 4 This is an exemplary embodiment of an interaction diagram for proxy re-encryption.

[0032] Figure 5 This is a schematic structural diagram of a device provided in an exemplary embodiment.

[0033] Figure 6 This is a block diagram of an apparatus for generating a re-encryption key, provided in an exemplary embodiment.

[0034] Figure 7 This is a block diagram of a proxy re-encryption device provided in an exemplary embodiment. Detailed Implementation

[0035] Exemplary embodiments will now be described in detail, examples of which are illustrated in the accompanying drawings. When the following description relates to the drawings, unless otherwise indicated, the same numerals in different drawings denote the same or similar elements. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with one or more embodiments of this specification. Rather, they are merely examples of apparatuses and methods consistent with some aspects of one or more embodiments of this specification as detailed in the appended claims.

[0036] It should be noted that the steps of the corresponding methods are not necessarily performed in the order shown and described in this specification in other embodiments. In some other embodiments, the methods may include more or fewer steps than described in this specification. Furthermore, a single step described in this specification may be broken down into multiple steps in other embodiments; and multiple steps described in this specification may be combined into a single step in other embodiments.

[0037] The user information (including but not limited to user device information, user personal information, etc.) and data (including but not limited to data used for analysis, data stored, data displayed, etc.) involved in this application are all information and data authorized by the user or fully authorized by all parties. Furthermore, the collection, use and processing of the relevant data must comply with the relevant laws, regulations and standards of the relevant countries and regions, and corresponding operation entry points are provided for users to choose to authorize or refuse.

[0038] To further illustrate one or more embodiments of this specification, the following embodiments are provided:

[0039] In the PRE protocol, there are principal users, agents, and trustees. The principal user can be the one sharing plaintext data, and the trustee user can be the one receiving plaintext data. For both principal and trustee users, the agent, acting as a third party, is semi-honest; that is, the principal user can share plaintext data with the trustee through the agent, but there is no guarantee that the agent will not spy on the content of the plaintext data.

[0040] Figure 1 This is an exemplary embodiment of an architecture diagram of a PRE system, such as... Figure 1 As shown, the delegating user 11 can encrypt the plaintext to be shared using their own public key to obtain ciphertext 101 (the delegating user 11 can decrypt ciphertext 101 using their own private key to obtain the plaintext). They can also obtain the public key 103 of the entrusted user 13 from the entrusted user 13 through the agent 12, and generate a re-encryption key 102 based on the public key 103 and their own private key. After generating ciphertext 101 and the re-encryption key 102, the delegating user 11 can send them to the agent 12, who will then re-encrypt ciphertext 101 using the re-encryption key 102 to obtain re-encrypted ciphertext 104. The agent 12 can then send the re-encrypted ciphertext 104 to the entrusted user 13, who can decrypt it using their private key to obtain the plaintext, thus completing the sharing of plaintext between the delegating user 11 and the entrusted user 13.

[0041] In a PRE system, semantic security means that an adversary cannot obtain the plaintext from the ciphertext. For example, an adversary may obtain two plaintexts of the same length and one of them as ciphertext, but the adversary still cannot distinguish the plaintext corresponding to the ciphertext from the two plaintexts (ciphertext indistinguishability).

[0042] In different definitions of semantic security, the revelation that an adversary can query differs. If a key encryption algorithm can be proven semantically secure under a specific semantic security definition, then the key encryption algorithm can be said to satisfy that specific semantic security. For example, in the IND-CPA (indistinguishability against chosen plaintext attacks) security definition, the revelation that an adversary can query includes some plaintext from the principal user. If the adversary cannot determine the corresponding ciphertext based on this plaintext, then the encryption algorithm satisfies IND-CPA security. In the IND-CCA (indistinguishability against chosen ciphertext attacks) security definition, the revelation that an adversary can query includes some ciphertext from the principal user. If the adversary cannot determine the corresponding plaintext based on this ciphertext, then the encryption algorithm satisfies IND-CCA security. In both of these semantic security definitions, the revelation that an adversary can query does not include the re-encryption key generated by the principal user for the trustee user, nor the re-encryption ciphertext generated based on the re-encryption key. However, in practical applications, an adversary could obtain the re-encrypted ciphertext intended for the entrusted user without the entrusting user's knowledge.

[0043] In light of this situation, related technologies have proposed the HRA (indistinguishability honest re-encryption attacks) security definition. In the HRA security definition, the adversary can query the re-encryption key and the re-encryption ciphertext. To prove the semantic security (indistinguishability of the ciphertext) of the key encryption algorithm within the HRA security definition, it is necessary to simulate the re-encryption key and re-encryption ciphertext for the adversary.

[0044] The following describes the methods for generating re-encryption keys in related technologies (the key encryption method used here is a dual encryption method based on the fault-tolerant learning problem; of course, other encryption methods can also be used, and this specification does not limit this):

[0045] The public key of user A is Among them, B a and D a For the public key parameter of the entrusting user, It is a ring of integers modulo q. Delegating user a can use their own public key to access the plaintext. After encryption, the ciphertext obtained is:

[0046]

[0047] in, It follows a discrete Gaussian distribution.

[0048] Delegate user A's private key or Among them, R a Selected from Gaussian discrete distribution or R a ←U({0,1} m×m ), and satisfy B a ·R a =-D a modq, A set of short basis (small norm) for a q-ary lattice or a gate matrix capable of preimage sampling; the q-ary lattice is as follows:

[0049]

[0050] User A can decrypt ciphertext using the private key, for example: when the private key is... In this case, the preimage sampling algorithm commonly used in lattice ciphers is used to select samples with smaller sampling norms that satisfy condition B. a ·R a =-D a modq's R a Then, the plaintext is calculated:

[0051]

[0052] The re-encryption key generated by user A for user B is rk. a→b The public key of the entrusted user b is

[0053] In the private key sk of the entrusted user a a =R a In this case, the formula for calculating the re-encryption key is:

[0054]

[0055] in, as well as The coefficients all follow an appropriate discrete Gaussian distribution. Meet the conditions

[0056] At this time, according to rka→b The re-encrypted ciphertext obtained by re-encrypting the ciphertext is:

[0057]

[0058] Among them, for Meet the conditions

[0059] Private key of user a In this case, the formula for calculating the re-encryption key is: Matrix R a,b,1 and R a,b,2 The sampled image was obtained using the preimage sampling algorithm, and the calculation formula is as follows:

[0060]

[0061] in, and E i,j,1 , The coefficients all follow an appropriate discrete Gaussian distribution.

[0062] At this time, according to rk a→b The re-encrypted ciphertext obtained by re-encrypting the ciphertext is:

[0063]

[0064] In proving semantic security within the HRA security definition, to embed an instance of the corresponding fault-tolerant learning problem to prove the indistinguishability of the ciphertext, the challenger needs to pass the public key parameter of the delegating user, i.e., B... a and D a Replace with The elements are uniformly randomized. And originally B... a and D a Matrices with a large norm are found in B. a and D a When replaced with uniformly random elements (e.g., a uniformly random matrix), i.e., B a and D a It will no longer be a matrix with a large norm, according to B a and D a The generated R a Or R a,b,1 R a,b,2 This will result in a matrix with a large norm. The error term in the re-encrypted ciphertext from the entrusting user a to the entrusted user b contains R. a Or R a,b,1 R a,b,2 In R a Or R a,b,1 R a,b,2In the case of matrices with a large norm, the challenger cannot simulate the re-encryption of ciphertext to provide to the adversary, that is, cannot provide the adversary with an oracle of the re-encryption of ciphertext.

[0065] In related technologies, error obfuscation methods are used to add a portion of error distribution with a larger norm to the re-encrypted ciphertext during re-encryption, thereby masking the presence of R. a Or R a,b,1 R a,b,2 The error term is used to simulate the re-encrypted ciphertext in the security proof. However, this method requires an additional error distribution norm of at least superpolynomial scale, which means that when decrypting the re-encrypted ciphertext, the corresponding computational modulus q is also at least superpolynomial or exponential scale, thus increasing the computational cost of decryption.

[0066] To address the problems existing in related technologies, this specification proposes a method for generating re-encryption keys.

[0067] Figure 2 This is a flowchart illustrating a method for generating a re-encryption key, as provided in an exemplary embodiment. Figure 2 As shown, the method may include the following steps:

[0068] Step 202: Obtain the private key and public key of the entrusting user. The private key of the entrusting user contains a limit gate matrix, and the public key of the entrusting user contains a limit gate that is the first matrix of the limit gate matrix.

[0069] As mentioned earlier, the entrusting user can be the data sharer, and the entrusted user can be the data recipient.

[0070] The public key of user A is Among them, B a and D a For the public key parameter of the entrusting user, These are common system parameters. It is an integer ring modulo q.

[0071] The private key of user A is When generating the private key, R a Satisfy B a ·R a =-D a modq, and R a , {R i,j} j∈[4] Taken from the discrete Gaussian distribution, the discrete Gaussian distribution is:

[0072] {A i,j} j∈[2] For the first matrix mentioned above, {Ri,j} j∈[4] Let be the gate matrix of the first matrix. Both of these matrices are known to the challenger.

[0073] Step 204: Perform preimage sampling on the public key of the entrusted user based on the threshold matrix and the first matrix.

[0074] The public key of the entrusted user b is In this case, the formula for preimage sampling of the entrusted user's public key based on the threshold matrix and the first matrix is:

[0075]

[0076] H1 and H2 are common parameters, both of which are Invertible matrices in the matrix. The first matrix {A} i,j} j∈[2] The form is In H i When G is an invertible matrix, it is R. i,j .

[0077] Step 206: Generate a re-encryption key for the entrusted user based on the sampling results.

[0078] The re-encryption key generated by user A for user B is The formula for calculating preimage sampling in related technologies is as follows:

[0079]

[0080] As mentioned above, B a and D a Since it belongs to a matrix with a large norm, when it is replaced with uniformly random elements, R a,b,1 and R a,b,2 A larger norm means a larger norm for the modulus q. However, the re-encryption key generation method proposed in this specification uses... Replace B a ,use Replace D a To avoid delegating the public key parameter B of user a a and D a Participating in the generation process of the re-encryption key, so that the generated X y,t and X′ y,t The norm is relatively small, thus reducing the norm of the modulus q.

[0081] In this embodiment, the entrusted user's public key is preimage sampled using the first matrix contained in the entrusting user's public key and the corresponding threshold matrix. The entrusted user's re-encryption key is then generated based on the sampling result. This ensures that the entrusting user's private key does not participate in the re-encryption key generation process, thereby avoiding the problem of an excessively large re-encryption key norm caused by generating the re-encryption key based on the private key. Consequently, the re-encrypted ciphertext can be generated based on the re-encryption key with a relatively small norm, which not only satisfies the adversary's query for the re-encrypted ciphertext but also reduces the computational load of generating the re-encrypted ciphertext.

[0082] In one embodiment, the method further includes: re-encrypting the target ciphertext according to the re-encryption key to obtain the original re-encrypted ciphertext; generating a ciphertext error and adding the ciphertext error to the original re-encrypted ciphertext to obtain the target re-encrypted ciphertext; wherein the ciphertext error is used to mask the information of the re-encryption key in the original re-encrypted ciphertext.

[0083] In this embodiment, by adding ciphertext errors to the original re-encrypted ciphertext, the information of the re-encryption key contained in the target re-encrypted ciphertext is masked by the ciphertext errors, thereby preventing an adversary from determining the re-encryption key based on the re-encrypted ciphertext when they obtain the dictum of the re-encrypted ciphertext.

[0084] Furthermore, the method further includes: encrypting the original plaintext according to the public key of the entrusting user to obtain the original ciphertext; generating ciphertext redundancy according to the threshold matrix, and adding the ciphertext redundancy to the original ciphertext to obtain the target ciphertext; the generation of ciphertext error includes: generating the ciphertext error according to the sampling result and the ciphertext redundancy.

[0085] User A can use their own public key to access plaintext. Encryption is performed, and the resulting target ciphertext is

[0086]

[0087] in, and For ciphertext redundancy, M a,1 =A i,1 +[0|H1·G|H ct ·G];M a,2 =A i,2 +[0|H2·G|H ct ·G],H ct For those related to this ciphertext A randomly selected invertible uniform matrix can be used to represent the original ciphertext in the form of:

[0088] In the original ciphertext The re-encryption key is In this case, the formula for calculating the ciphertext error is:

[0089]

[0090] in, For b∈[2], covariance matrix γ is the sampling parameter of the gate matrix. Ciphertext error and... All follow a discrete Gaussian distribution

[0091] It can be seen that the ciphertext error is unrelated to the re-encryption key.

[0092] The formula for calculating the target re-encrypted ciphertext is:

[0093]

[0094] Where, for b∈[2], The calculation results are as follows:

[0095]

[0096] The final re-encrypted ciphertext is It can be seen that the information of the re-encryption key has been obscured by the ciphertext error, and even if the adversary obtains the re-encryption ciphertext, they will not be able to determine the re-encryption key.

[0097] In this embodiment, the ciphertext error can be calculated by adding ciphertext redundancy to the target ciphertext. Then, the ciphertext error is added to the original re-encrypted ciphertext, so that the information of the re-encryption key contained in the target re-encrypted ciphertext is masked by the ciphertext error, thereby preventing the adversary from determining the re-encryption key based on the re-encrypted ciphertext when they obtain the message of the re-encrypted ciphertext.

[0098] In one embodiment, the private key of the entrusting user further includes a private key parameter, and the decryption result of the private key parameter on the target ciphertext is the original plaintext.

[0099] The private key parameter is R a When decrypting the target ciphertext using the private key of the entrusting user, the corresponding field in the original ciphertext can be obtained from the target ciphertext. and These two parts are identical to the ciphertext in related technologies, therefore the decryption process is also the same, i.e.

[0100] In this embodiment, by separating the decryption function of the private key of the entrusting user from the re-encryption key generation function, the private key is only used for decryption and does not participate in the generation of the re-encryption key. This allows the re-encrypted ciphertext to be generated based on the re-encryption key with a relatively small norm, which not only satisfies the adversary's query for the re-encrypted ciphertext, but also reduces the computational load of generating the re-encrypted ciphertext.

[0101] In the HRA security definition, the proclamations that an adversary can query include: the delegating user's public and private keys, the unchallenged ciphertext obtained by encrypting plaintext with the delegating user's public key (this unchallenged ciphertext is a different ciphertext from the challenged ciphertext the adversary intends to challenge), the re-encryption key generated by the delegating user for the entrusted user, and the re-encryption ciphertext obtained by re-encrypting with that re-encryption key. The security proof for each type of proclamation is described below:

[0102] An adversary obtains the re-encryption key and the re-encryption ciphertext, and in the security proof, delegates user A's public key pk. a = (B a D a ,{A i,j} j∈[2] B in ) a and D a It is replaced with a uniformly random matrix, but the first matrix {A} i,j} j∈[2] Part of it remains unchanged, since the generation of the re-encryption key is only related to the first matrix, and not to B. a and D a It is unrelated, therefore it can normally simulate the re-encryption key and re-encryption ciphertext.

[0103] In addition to the re-encryption key and re-encryption ciphertext, the adversary obtains the public keys of both the principal and the entrusted user, not only B a and D a It needs to be replaced with a uniformly random matrix, B b and D b It also needs to be replaced with a uniformly random matrix. At this point, we can make the assumption based on the multi-secret fault-tolerant learning problem: B b ·S a,Db +E a,b,1 and D b ·S a,b +E a,b,2 -D b The right-hand terms of these two preimage samples and The uniformly random matrices in R are indistinguishable, thus allowing sampling of R. a,b,1 and This allows for the simulation of the corresponding re-encryption key.

[0104] Based on the aforementioned instructions, the adversary can also obtain non-challenging ciphertext. In order to embed samples in the form of fault-tolerant learning problems into the challenging ciphertext, in addition to B... b and D b In addition to replacing it with a uniformly random matrix, randomly select an invertible matrix. H as a challenge to the ciphertext ct Subsequently, when the conditions are met (When H1 and H2 are invertible matrices, G is {R} i,j} j∈[4] Since the label H is randomly and uniformly selected each time, the label of the non-challenge ciphertext (each ciphertext has a corresponding label H) is... ct The probability that H is the same as that of a randomly selected H is negligible. At this point, We can choose a special set of invertible matrices such that H ct -H is invertible, thus allowing the use of the gate matrix R. i,2 from Deciphering from (ciphertext redundancy) and Then, the corresponding re-encrypted ciphertext is simulated by sampling an appropriately distributed matrix and error using the preimage sampling algorithm. In addition to the original re-encrypted ciphertext, the simulated re-encrypted ciphertext also contains the ciphertext error calculated based on ciphertext redundancy. This ciphertext error can mask the re-encryption key information in the re-encrypted ciphertext. Therefore, an adversary cannot calculate the re-encryption key based on the obtained re-encrypted ciphertext.

[0105] Figure 3 This is a flowchart illustrating a proxy re-encryption method provided in an exemplary embodiment. For example... Figure 3 As shown, the method may include the following steps:

[0106] Step 302: Obtain the target ciphertext sent by the entrusting user and the re-encryption key for the entrusted user; wherein, the private key of the entrusting user contains a threshold matrix, the public key of the entrusting user contains a first matrix of the threshold matrix, and the re-encryption key is generated by sampling the preimage sampling result of the public key of the entrusted user according to the threshold matrix and the first matrix.

[0107] Step 304: Re-encrypt the target ciphertext according to the re-encryption key to obtain the target re-encrypted ciphertext.

[0108] Step 306: Send the target re-encrypted ciphertext to the entrusted user.

[0109] In this embodiment, the entrusted user's public key is preimage sampled using the first matrix contained in the entrusting user's public key and the corresponding threshold matrix. The entrusted user's re-encryption key is then generated based on the sampling result. This ensures that the entrusting user's private key does not participate in the re-encryption key generation process, thereby avoiding the problem of an excessively large re-encryption key norm caused by generating the re-encryption key based on the private key. Consequently, the re-encrypted ciphertext can be generated based on the re-encryption key with a relatively small norm, which not only satisfies the adversary's query for the re-encrypted ciphertext but also reduces the computational load of generating the re-encrypted ciphertext.

[0110] In one embodiment, encrypting the target ciphertext according to the re-encryption key to obtain a target re-encrypted ciphertext includes: re-encrypting the target ciphertext according to the re-encryption key to obtain an original re-encrypted ciphertext; generating a ciphertext error and adding the ciphertext error to the original re-encrypted ciphertext to obtain the target re-encrypted ciphertext; wherein the ciphertext error is used to mask the information of the re-encryption key in the original re-encrypted ciphertext.

[0111] In this embodiment, by adding ciphertext errors to the original re-encrypted ciphertext, the information of the re-encryption key contained in the target re-encrypted ciphertext is masked by the ciphertext errors, thereby preventing an adversary from determining the re-encryption key based on the re-encrypted ciphertext when they obtain the dictum of the re-encrypted ciphertext.

[0112] Furthermore, the target ciphertext includes the original ciphertext and ciphertext redundancy, the ciphertext redundancy being generated based on a threshold matrix; the generation of ciphertext error includes: generating the ciphertext error based on the sampling result and the ciphertext redundancy.

[0113] In this embodiment, the ciphertext error can be calculated by adding ciphertext redundancy to the target ciphertext. Then, the ciphertext error is added to the original re-encrypted ciphertext, so that the information of the re-encryption key contained in the target re-encrypted ciphertext is masked by the ciphertext error, thereby preventing the adversary from determining the re-encryption key based on the re-encrypted ciphertext when they obtain the message of the re-encrypted ciphertext.

[0114] Figure 4 This is an exemplary embodiment providing an interaction diagram for proxy re-encryption. For example... Figure 4 As shown, the method may include the following steps:

[0115] Step 402: Delegate the user to generate the target ciphertext.

[0116] The delegate can encrypt the original plaintext using their own public key to obtain the original ciphertext, then generate ciphertext redundancy based on the gate matrix contained in the public key, and add the ciphertext redundancy to the original ciphertext to obtain the target ciphertext.

[0117] Step 404: The entrusting user obtains the entrusted user's public key. Step 406: The agent returns the entrusted user's public key.

[0118] A principal user can send a request to an agent to obtain the public key of the entrusted user. The request may include the identity of the entrusted user (such as an IP address), which instructs the agent to obtain the entrusted user for the request.

[0119] In one scenario, the agent maintains the entrusted user's public key. The agent can identify the entrusted user based on the identifier contained in the retrieval request and return the corresponding public key to the principal user. In another scenario, the agent does not maintain the entrusted user's public key. The agent can identify the entrusted user based on the identifier contained in the retrieval request, send a public key retrieval request to the entrusted user, obtain the entrusted user's public key, and return it to the principal user.

[0120] Step 408: The user is entrusted to generate a re-encryption key. Step 410: The user is entrusted to send the target ciphertext and the re-encryption key.

[0121] After obtaining the entrusted user's public key, the delegating user can perform preimage sampling on the entrusted user's public key based on the first matrix contained in their own public key, and generate a re-encryption key for the entrusted user based on the sampling result. After generating the target ciphertext and the re-encryption key, the delegating user can send them to the agent.

[0122] Step 412: The agent generates a re-encrypted ciphertext.

[0123] The target ciphertext contains the original ciphertext and ciphertext redundancy. The agent can generate ciphertext error based on the ciphertext redundancy and the gate matrix. The agent can re-encrypt the original ciphertext portion of the target ciphertext using the received re-encryption key to obtain the original re-encrypted ciphertext, and generate the target re-encrypted ciphertext based on the ciphertext error and the original re-encrypted ciphertext.

[0124] Step 414: The agent sends the re-encrypted ciphertext. Step 416: The entrusted user decrypts the re-encrypted ciphertext.

[0125] The agent can send the generated target re-encrypted ciphertext to the entrusted user. The entrusted user can decrypt the target re-encrypted ciphertext using their own private key to obtain the original plaintext, thus completing the sharing of the original plaintext from the entrusting user to the entrusted user.

[0126] Figure 5 This is a schematic structural diagram of a device provided in an exemplary embodiment. Please refer to... Figure 5At the hardware level, the device includes a processor 502, an internal bus 504, a network interface 506, memory 509, and non-volatile memory 510, and may also include other hardware required for its functions. One or more embodiments of this specification can be implemented in software, for example, the processor 502 reads the corresponding computer program from the non-volatile memory 510 into memory 508 and then runs it. Of course, in addition to software implementation, one or more embodiments of this specification do not exclude other implementation methods, such as logic devices or a combination of hardware and software, etc. That is to say, the execution subject of the following processing flow is not limited to each logic unit, but can also be hardware or logic devices.

[0127] Please refer to Figure 6 A re-encryption key generation device can be applied to, for example... Figure 6 The device shown, in order to implement the technical solution of this specification, may include:

[0128] The acquisition unit 602 is used to acquire the private key and public key of the entrusting user, wherein the private key of the entrusting user contains a limit gate matrix, and the public key of the entrusting user contains a first matrix of the limit gate matrix;

[0129] Sampling unit 604 is used to perform preimage sampling on the public key of the entrusted user according to the threshold matrix and the first matrix;

[0130] The generation unit 606 is used to generate a re-encryption key for the entrusted user based on the sampling results.

[0131] Optional, also includes:

[0132] The encryption unit 608 is used to re-encrypt the target ciphertext according to the re-encryption key to obtain the original re-encrypted ciphertext;

[0133] The first adding unit 610 is used to generate a ciphertext error and add the ciphertext error to the original re-encrypted ciphertext to obtain the target re-encrypted ciphertext; wherein the ciphertext error is used to mask the information of the re-encryption key in the original re-encrypted ciphertext.

[0134] Optional,

[0135] The method further includes: a second adding unit 612, used to encrypt the original plaintext according to the public key of the entrusting user to obtain the original ciphertext; generate ciphertext redundancy according to the threshold matrix, and add the ciphertext redundancy to the original ciphertext to obtain the target ciphertext;

[0136] The generation unit 606 is specifically used to generate the ciphertext error based on the sampling result and the ciphertext redundancy.

[0137] Optionally, the private key of the entrusting user may further include a private key parameter, and the decryption result of the private key parameter on the target ciphertext is the original plaintext.

[0138] Please refer to Figure 7 A proxy re-encryption device can be applied to, for example Figure 7 The device shown, in order to implement the technical solution of this specification, may include:

[0139] The acquisition unit 702 is used to acquire the target ciphertext sent by the entrusting user and the re-encryption key for the entrusted user; wherein, the private key of the entrusting user contains a threshold matrix, the public key of the entrusting user contains a first matrix with the threshold as the threshold matrix, and the re-encryption key is generated by sampling the preimage sampling result of the public key of the entrusted user according to the threshold matrix and the first matrix;

[0140] The encryption unit 704 is used to re-encrypt the target ciphertext according to the re-encryption key to obtain the target re-encrypted ciphertext;

[0141] The sending unit 706 is used to send the target re-encrypted ciphertext to the entrusted user.

[0142] Optionally, the encryption unit 704 is specifically used for:

[0143] The target ciphertext is re-encrypted using the re-encryption key to obtain the original re-encrypted ciphertext;

[0144] A ciphertext error is generated and added to the original re-encrypted ciphertext to obtain the target re-encrypted ciphertext; wherein the ciphertext error is used to mask the information of the re-encryption key in the original re-encrypted ciphertext.

[0145] Optionally, the target ciphertext includes the original ciphertext and ciphertext redundancy, wherein the ciphertext redundancy is generated based on a threshold matrix;

[0146] The encryption unit 704 is specifically used to generate the ciphertext error based on the sampling result and the ciphertext redundancy.

[0147] The systems, devices, modules, or units described in the above embodiments can be implemented by computer chips or entities, or by products with certain functions. A typical implementation device is a computer, which can take the form of a personal computer, laptop computer, cellular phone, camera phone, smartphone, personal digital assistant, media player, navigation device, email sending and receiving device, game console, tablet computer, wearable device, or any combination of these devices.

[0148] In a typical configuration, a computer includes one or more processors (CPU), input / output interfaces, network interfaces, and memory.

[0149] Memory may include non-persistent storage in computer-readable media, such as random access memory (RAM) and / or non-volatile memory, such as read-only memory (ROM) or flash RAM. Memory is an example of computer-readable media.

[0150] Computer-readable media, including both permanent and non-permanent, removable and non-removable media, can store information using any method or technology. Information can be computer-readable instructions, data structures, modules of programs, or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technologies, CD-ROM, digital versatile optical disc (DVD) or other optical storage, magnetic tape, disk storage, quantum memory, graphene-based storage media or other magnetic storage devices, or any other non-transferable medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media does not include transient computer-readable media, such as modulated data signals and carrier waves.

[0151] The computer-readable medium (or computer-readable storage medium) described above or in any other form may store computer instructions that, when executed by a processor, implement one or more of the embodiments described above, thereby realizing the technical solutions of this specification.

[0152] This specification also provides a computer program that, when executed by a processor, implements one or more of the embodiments described above, thereby achieving the technical solutions of this specification. This computer program may be specifically recorded on the computer-readable medium described above or in any other form, and this specification does not impose any limitations on this.

[0153] It should also be noted that the terms "comprising," "including," or any other variations thereof are intended to cover non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one..." does not exclude the presence of other identical elements in the process, method, article, or apparatus that includes said element.

[0154] The foregoing has described specific embodiments of this specification. Other embodiments are within the scope of the appended claims. In some cases, the actions or steps recited in the claims may be performed in a different order than that shown in the embodiments and may still achieve the desired result. Furthermore, the processes depicted in the drawings do not necessarily require the specific or sequential order shown to achieve the desired result. In some embodiments, multitasking and parallel processing are possible or may be advantageous.

[0155] The terminology used in one or more embodiments of this specification is for the purpose of describing particular embodiments only and is not intended to limit the scope of one or more embodiments of this specification. The singular forms “a,” “described,” and “the” used in one or more embodiments of this specification and in the appended claims are also intended to include the plural forms unless the context clearly indicates otherwise. It should also be understood that the term “and / or” as used herein refers to and includes any or all possible combinations of one or more associated listed items.

[0156] It should be understood that although the terms first, second, third, etc., may be used to describe various information in one or more embodiments of this specification, such information should not be limited to these terms. These terms are only used to distinguish information of the same type from one another. For example, first information may also be referred to as second information without departing from the scope of one or more embodiments of this specification, and similarly, second information may also be referred to as first information. Depending on the context, the word "if" as used herein may be interpreted as "when," "in response to a determination," or "when," or "in the event of a determination."

[0157] The above description is merely a preferred embodiment of one or more embodiments of this specification and is not intended to limit the scope of one or more embodiments of this specification. Any modifications, equivalent substitutions, improvements, etc., made within the spirit and principles of one or more embodiments of this specification should be included within the protection scope of one or more embodiments of this specification.

Claims

1. A method for generating a re-encryption key, characterized in that, The method includes: Obtain the private key and public key of the entrusting user. The private key of the entrusting user contains a gate matrix, and the public key of the entrusting user contains a first matrix of the gate matrix. The private key of the entrusting user also contains private key parameters. The decryption result of the private key parameters on the target ciphertext is the original plaintext, so as to separate the decryption function of the entrusting user's private key from the re-encryption key generation function. Preimage sampling is performed on the public key of the entrusted user based on the threshold matrix and the first matrix; A re-encryption key for the entrusted user is generated based on the sampling results.

2. The method according to claim 1, characterized in that, Also includes: The target ciphertext is re-encrypted using the re-encryption key to obtain the original re-encrypted ciphertext. A ciphertext error is generated and added to the original re-encrypted ciphertext to obtain the target re-encrypted ciphertext; wherein the ciphertext error is used to mask the information of the re-encryption key in the original re-encrypted ciphertext.

3. The method according to claim 2, characterized in that, The method further includes: encrypting the original plaintext according to the public key of the entrusting user to obtain the original ciphertext; generating ciphertext redundancy according to the threshold matrix, and adding the ciphertext redundancy to the original ciphertext to obtain the target ciphertext; The generation of ciphertext error includes: generating the ciphertext error based on the sampling result and the ciphertext redundancy.

4. A method for proxy re-encryption, characterized in that, The method includes: The system obtains the target ciphertext sent by the entrusting user and the re-encryption key for the entrusted user; wherein, the entrusting user's private key contains a threshold matrix, the entrusting user's public key contains a first matrix with thresholds of the threshold matrix, and the re-encryption key is generated by sampling the preimage of the entrusted user's public key based on the threshold matrix and the first matrix; the entrusting user's private key also contains private key parameters, and the decryption result of the private key parameters on the target ciphertext is the original plaintext, so as to separate the decryption function of the entrusting user's private key from the re-encryption key generation function; The target ciphertext is re-encrypted using the re-encryption key to obtain the target re-encrypted ciphertext; The target re-encrypted ciphertext is sent to the entrusted user.

5. The method according to claim 4, characterized in that, The step of encrypting the target ciphertext according to the re-encryption key to obtain the target re-encrypted ciphertext includes: The target ciphertext is re-encrypted using the re-encryption key to obtain the original re-encrypted ciphertext; A ciphertext error is generated and added to the original re-encrypted ciphertext to obtain the target re-encrypted ciphertext; wherein the ciphertext error is used to mask the information of the re-encryption key in the original re-encrypted ciphertext.

6. The method according to claim 5, characterized in that, The target ciphertext includes the original ciphertext and ciphertext redundancy, wherein the ciphertext redundancy is generated based on a limit gate matrix; The generation of ciphertext error includes: generating the ciphertext error based on the sampling result and the ciphertext redundancy.

7. An electronic device, characterized in that, include: processor; Memory used to store processor-executable instructions; The processor implements the steps of the method as described in any one of claims 1-6 by running the executable instructions.

8. A computer-readable storage medium storing computer instructions thereon, characterized in that, When executed by the processor, this instruction implements the steps of the method as described in any one of claims 1-6.

9. A computer program product, characterized in that, Includes a computer program / instructions that, when executed by a processor, implement the steps of the method as described in any one of claims 1-6.