CN116170142B - Distributed collaborative decryption method, device and storage medium - Google Patents


Info

Publication number
CN116170142B
Authority
CN
China
Prior art keywords
decryption
target
polynomials
component
secret
Prior art date
Legal status
Active
Application number
CN202310430162.8A
Other languages
Chinese (zh)
Other versions
CN116170142A (en)
Inventor
张宇
王翊心
张庆勇
Current Assignee
Beijing Infosec Technologies Co Ltd
Original Assignee
Beijing Infosec Technologies Co Ltd
Priority date
Filing date
Publication date
Events
Application filed by Beijing Infosec Technologies Co Ltd
Priority to CN202310430162.8A
Publication of CN116170142A
Application granted
Publication of CN116170142B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
        • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
            • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
                • H04L 9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
                    • H04L 9/085 Secret sharing or secret splitting, e.g. threshold schemes
                • H04L 9/0894 Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
            • H04L 9/30 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
                • H04L 9/3006 underlying computational problems or public-key parameters
                    • H04L 9/302 involving the integer factorization problem, e.g. RSA or quadratic sieve [QS] schemes
                    • H04L 9/3026 details relating to polynomials generation, e.g. generation of irreducible polynomials
        • H04L 63/00 Network architectures or network communication protocols for network security
            • H04L 63/04 for providing a confidential data exchange among entities communicating through data packet networks
                • H04L 63/0428 wherein the data content is protected, e.g. by encrypting or encapsulating the payload
                    • H04L 63/0442 wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption

Abstract

The embodiment of the invention provides a distributed collaborative decryption method, device and storage medium. The method comprises the following steps: obtaining an encrypted ciphertext and a target polynomial, wherein the target polynomial is used for processing K private key components to obtain secret components corresponding respectively to N decryption ends, the target polynomial is a polynomial of degree T-1, and N is not smaller than T; randomly selecting T decryption ends from the N decryption ends based on the target polynomial and determining them as target decryption ends, wherein the number T of target decryption ends is determined by the degree of the target polynomial; sending the first part of the encrypted ciphertext to the T target decryption ends, so that each target decryption end processes its secret component and the first part of the encrypted ciphertext using the Lagrange interpolation method to obtain a decryption component and sends the decryption component to the server; and determining the plaintext corresponding to the encrypted ciphertext based on the T decryption components and the second part of the encrypted ciphertext. The security of the lattice encryption algorithm is thereby improved, and the decryption strategy can be formulated flexibly.

Description

Distributed collaborative decryption method, device and storage medium
Technical Field
The present invention relates to the field of network information technologies, and in particular, to a distributed collaborative decryption method, device, and storage medium.
Background
With the growing importance of security in file transmission and information transmission, more and more encryption and decryption algorithms are being applied; among them, the lattice encryption algorithm is a currently accepted encryption algorithm capable of resisting quantum computers.
In the conventional lattice encryption scheme, a private key is usually held in a single decrypting party, and once the decrypting party is invaded, the private key is revealed, so that the security of information is seriously affected.
Disclosure of Invention
The embodiment of the invention provides a distributed collaborative decryption method, equipment and a storage medium, which are used for improving the security of a lattice encryption algorithm and flexibly formulating a decryption strategy.
In a first aspect, an embodiment of the present invention provides a distributed collaborative decryption method, applied to a server, where the method includes:
the method comprises the steps of obtaining an encrypted ciphertext to be decrypted and a target polynomial, wherein the encrypted ciphertext consists of two parts, the target polynomial is used for processing the K private key components to obtain secret components corresponding to N decryption ends, the target polynomial is a T-1 degree polynomial, and N is not smaller than T;
based on the target polynomial, T decryption terminals are randomly selected from the N decryption terminals to be determined as target decryption terminals, and the number T of the target decryption terminals is determined by the degree of the target polynomial;
The first part of the encrypted ciphertext is sent to T target decryption ends, so that the target decryption ends respectively process the secret component and the first part of the encrypted ciphertext by utilizing a Lagrangian interpolation method to obtain a decryption component, and the decryption component is sent to the server;
and receiving decryption components sent by the T decryptors respectively, and determining a plaintext corresponding to the encrypted ciphertext based on the decryption components and the second part of the encrypted ciphertext.
In a second aspect, an embodiment of the present invention provides a distributed collaborative decryption apparatus, located at a server, where the apparatus includes:
the acquisition module is used for acquiring an encrypted ciphertext to be decrypted and a target polynomial, wherein the encrypted ciphertext is composed of two parts, the target polynomial is used for processing the K private key components to obtain secret components corresponding to N decryption ends, the target polynomial is a T-1 degree polynomial, and N is not smaller than T;
the determining module is used for randomly selecting T decryption terminals from the N decryption terminals based on the target polynomial to determine the T decryption terminals as target decryption terminals, and the number T of the target decryption terminals is determined by the degree of the target polynomial;
The sending module is used for sending the first part of the encrypted ciphertext to T target decryption ends, so that the target decryption ends respectively process the secret component and the first part of the encrypted ciphertext by using a Lagrangian interpolation method to obtain a decryption component, and sending the decryption component to the server;
and the receiving module is used for receiving decryption components sent by the T decryptors respectively and determining a plaintext corresponding to the encrypted ciphertext based on the decryption components and the second part of the encrypted ciphertext.
In a third aspect, an embodiment of the present invention provides an electronic device, including: a memory, a processor, a communication interface; wherein the memory has executable code stored thereon, which when executed by the processor, causes the processor to at least implement the distributed collaborative decryption method according to the first aspect.
In a fourth aspect, embodiments of the present invention provide a non-transitory machine-readable storage medium having executable code stored thereon, which when executed by a processor of a management device, causes the processor to at least implement a distributed collaborative decryption method according to the first aspect.
In a fifth aspect, an embodiment of the present invention provides a distributed collaborative decryption method, applied to a decryption end, where the method includes:
receiving a first part of an encrypted ciphertext sent by a server;
acquiring a secret component for decryption;
processing the secret component and the first part in the encrypted text by using a Lagrange interpolation method to obtain a decryption component;
and sending the decryption component to the server so that the server determines a plaintext corresponding to the encrypted ciphertext based on the decryption component and the second part of the encrypted ciphertext.
In a sixth aspect, an embodiment of the present invention provides a distributed collaborative decryption apparatus, located at a decryption end, where the apparatus includes:
the receiving module is used for receiving the first part of the encrypted ciphertext sent by the server;
an acquisition module for acquiring a secret component for decryption;
the processing module is used for processing the secret component and the first part in the encrypted text by utilizing a Lagrange interpolation method to obtain a decryption component;
and the sending module is used for sending the decryption component to the server so that the server determines a plaintext corresponding to the encrypted ciphertext based on the decryption component and the second part of the encrypted ciphertext.
In a seventh aspect, an embodiment of the present invention provides an electronic device, including: a memory, a processor, a communication interface; wherein the memory has executable code stored thereon, which when executed by the processor, causes the processor to at least implement the distributed collaborative decryption method according to the fifth aspect.
In an eighth aspect, embodiments of the present invention provide a non-transitory machine-readable storage medium having executable code stored thereon, which when executed by a processor of a computing device, causes the processor to at least implement the distributed collaborative decryption method according to the fifth aspect.
The distributed collaborative decryption method scheme provided by the embodiment of the invention can be applied to a server and a decryption end, and for the server, firstly, an encrypted ciphertext to be decrypted and a target polynomial are obtained. The encryption ciphertext is composed of two parts, the target polynomial is used for processing K private key components in the private key to obtain secret components corresponding to N decryption ends, the target polynomial is a T-1 degree polynomial, and N is not smaller than T. Then, based on the target polynomial, T decryption terminals are randomly selected from N decryption terminals to be determined as target decryption terminals, and the number T of the target decryption terminals is determined by the degree of the target polynomial. Then, the first part of the encrypted ciphertext is sent to T target decryption ends, so that the target decryption ends respectively process the secret component and the first part of the encrypted ciphertext by utilizing a Lagrangian interpolation method to obtain a decryption component, and the decryption component is sent to a server; and receiving decryption components sent by the T decryptors respectively, and determining a plaintext corresponding to the encrypted ciphertext based on the decryption components and the second part of the encrypted ciphertext.
In the scheme, in order to improve the security of the private key and prevent an attacker from attacking and revealing it, a plurality of target polynomials of degree T-1 are formed based on the K private key components in the private key; the K private key components are respectively hidden in secret components by means of these target polynomials and stored respectively in N decryption ends, so that no decryption end can obtain the complete private key, and the security of the lattice encryption algorithm is improved. Secret sharing of each private key component is realized by the target polynomial of degree T-1; by the secret sharing property of the target polynomial, the private key component can be recovered at decryption time by processing the secret components of any T decryption terminals with the Lagrange interpolation method, and the encrypted ciphertext is then decrypted based on the recovered private key component. Since decryption of the encrypted ciphertext can be completed by any T decryption terminals, the decryption method is more flexible, the decryption strategy can be customized according to requirements, and the failure of individual decryption terminals does not affect the whole decryption process.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required for the description of the embodiments will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flowchart of a distributed collaborative decryption method according to an embodiment of the present invention;
fig. 2 is a schematic diagram of an application scenario of a distributed collaborative decryption method according to an exemplary embodiment of the present invention;
FIG. 3 is a schematic flow chart of constructing target polynomials of degree T-1 corresponding to the private key components, based on K private key components and using Lagrange interpolation, according to an embodiment of the present invention;
FIG. 4 is a schematic flow chart of determining a plaintext corresponding to an encrypted ciphertext based on a decryption component and a second portion of the encrypted ciphertext according to an embodiment of the present invention;
FIG. 5 is a flow chart of a distributed collaborative decryption method according to an exemplary embodiment of the present invention;
fig. 6 is a schematic structural diagram of a distributed collaborative decrypting apparatus according to an embodiment of the present invention;
fig. 7 is a schematic structural diagram of an electronic device corresponding to the distributed collaborative decrypting apparatus provided in the embodiment shown in fig. 6;
fig. 8 is a schematic structural diagram of a distributed collaborative decrypting apparatus according to an embodiment of the present invention;
fig. 9 is a schematic structural diagram of an electronic device corresponding to the distributed collaborative decrypting apparatus provided in the embodiment shown in fig. 8.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments of the present invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
The terminology used in the embodiments of the invention is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used in this application and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise, the "plurality" generally includes at least two, but does not exclude the case of at least one. It should be understood that the term "and/or" as used herein is merely one relationship describing the association of the associated objects, meaning that there may be three relationships, e.g., a and/or B, may represent: a exists alone, A and B exist together, and B exists alone. In addition, the character "/" herein generally indicates that the front and rear associated objects are an "or" relationship. The words "if", as used herein, may be interpreted as "at … …" or "when … …", depending on the context.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a product or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such product or system. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a commodity or system comprising such elements.
In addition, the sequence of steps in the method embodiments described below is only an example and is not strictly limited.
In order to facilitate understanding of the technical solution of the present invention, the following briefly describes the related art:
In 1994, the well-known computer scientist Shor of the Massachusetts Institute of Technology developed "Shor's algorithm" for quantum computers, also called the quantum prime factorization algorithm, because it proves that a quantum computer can perform this kind of operation at a speed far beyond that of a conventional computer, so that the RSA encryption algorithm currently relied on by banks and networks could be broken, which constitutes a threat. If one day quantum computers were truly built, they would break many of today's encryption algorithms, and this possibility has led scientists to work on new "post-quantum" encryption schemes in an attempt to prevent information from falling into the hands of quantum hackers.
Lattice encryption algorithms are currently accepted encryption algorithms capable of resisting quantum computers. In existing lattice encryption algorithms, the private key is held entirely by a single decrypting party, and once that party is compromised the private key is revealed, with serious consequences. Alternatively, if the private key is split into multiple shares by secret sharing and each share is stored by a different decryptor, a single decryptor cannot recover the complete private key, and only all decryptors cooperating together can recover it; however, this is highly restrictive: if one decryptor has a problem and cannot take part in decryption, the complete private key cannot be recovered, which affects the user's use of the system.
Based on the above, the embodiment of the invention provides a solution, based on K private key components in the private key, a T-1 order target polynomial is constructed, the K private key components are respectively hidden in the secret components by using the target polynomial and are respectively stored in N decryption ends, so that the decryption ends can not obtain the complete private key, and the security of the lattice encryption algorithm is improved. And the secret sharing of the private key component is realized based on the T-1 order target polynomial, so that the private key component can be recovered by processing the secret components of any T decryption terminals by utilizing the Lagrangian interpolation method when decryption is performed based on the characteristic of secret sharing of the target polynomial, then the encrypted ciphertext is decrypted based on the recovered private key component, the decryption of the encrypted ciphertext can be completed by any T decryption terminals, the decryption difficulty of the encrypted ciphertext can be reduced, the decryption method is more flexible, and the decryption strategy can be flexibly customized according to requirements, so that the whole decryption process is prevented from being influenced when the individual decryption terminals are in failure.
The distributed collaborative decryption method of the scheme is described in detail below through various embodiments. The distributed collaborative decryption method provided by the embodiment of the invention can be executed by an electronic device, and the electronic device can be a terminal device such as a PC (personal computer), a notebook computer, a smart phone and the like. The decryption processes performed by the server side and the decryption side are exemplarily described below.
Fig. 1 is a flowchart of a distributed collaborative decryption method according to an embodiment of the present invention. Fig. 2 is a schematic diagram of an application scenario of a distributed collaborative decryption method according to an exemplary embodiment of the present invention; referring to fig. 1 and fig. 2, the present embodiment provides a distributed collaborative decryption method, where an execution body of the method may be a server device, and it may be understood that the server device may be implemented as software, or a combination of software and hardware, and specifically, as shown in fig. 1, the distributed collaborative decryption method may include the following steps:
step 101, obtaining an encrypted ciphertext to be decrypted and a target polynomial, wherein the encrypted ciphertext is composed of two parts, the target polynomial is used for processing K private key components to obtain secret components corresponding to N decryption ends, the target polynomial is a T-1 degree polynomial, and N is not smaller than T.
Step 102, based on the target polynomial, T decryption terminals are randomly selected from the N decryption terminals to determine the target decryption terminal, where the number T of the target decryption terminals is determined by the target polynomial degree.
Step 103, sending the first part of the encrypted ciphertext to the T target decryption ends, so that the target decryption ends respectively process the secret component and the first part of the encrypted ciphertext by using a Lagrangian interpolation method to obtain a decryption component, and sending the decryption component to the server.
Step 104, receiving decryption components sent by each of the T decryptors, and determining plaintext corresponding to the encrypted ciphertext based on the decryption components and the second portion of the encrypted ciphertext.
According to the distributed collaborative decryption method provided by the embodiment of the invention, the server side acts as the controller of the decryption process, and before decryption the server side can obtain the private key for decrypting the encrypted ciphertext. The private key for decrypting the encrypted ciphertext may be generated according to a lattice encryption algorithm. Specifically, a first bit string and a second bit string are randomly generated; a first matrix is determined based on the first bit string and a matrix function, where the matrix function generates the matrix corresponding to a bit string; a second matrix and a third matrix are determined based on the second bit string and the matrix function, and the second matrix is determined as the private key; a first component of the public key is determined based on the first matrix, the second matrix and the third matrix; and the public key is generated based on the first component and the first bit string.
Specifically, a first bit string and a second bit string are first randomly generated; each of them is a random bit string of length 256 consisting of 0s and 1s. Then the first bit string is input to the matrix function Sam to obtain a first matrix A. The Sam function generates a corresponding matrix from the random bit string input to it; each element of the matrix is a polynomial on the polynomial ring, and the polynomial corresponding to each element is a random polynomial in the polynomial ring. Thus the corresponding formula [formula not reproduced] characterizes inputting the first bit string into the Sam function to obtain the matrix A, where each element of the matrix A is a random polynomial included in the polynomial ring. Then the second bit string is input to the matrix function Sam to obtain a second matrix s and a third matrix [formula not reproduced]. Each element of the second matrix s is a polynomial, and each element of the third matrix is also a polynomial; the coefficient of each variable in every polynomial included in s and in the third matrix is less than a bound that is much smaller than q, and s is the matrix corresponding to the private key in the public-private key pair generated based on the lattice encryption algorithm. The dimensions of s and of the third matrix are the same, and each matrix contains K elements. Then, based on the corresponding formula [formula not reproduced], a first component t of the public key is generated, where t is the first component of the two-dimensional vector corresponding to the public key, A is the matrix obtained by inputting the first random bit string into the Sam function, and s is the matrix corresponding to the private key. Finally, the public key is generated based on the first component and the first bit string. The public key is a two-dimensional vector, and the first random bit string constitutes its second component.
In the embodiment of the invention, the generation process of the public and private key pair can be completed at the server side or can be generated in another trusted device, and the generation process is not limited. And the generated public key can be disclosed externally, so that an encryptor can acquire the public key to encrypt data to be encrypted.
In practical application, if the private key is stored in the server, then once the server is attacked the private key will be revealed, with serious consequences. Therefore, in order to improve the security of the private key and prevent an attacker from obtaining it, the private key is stored in a distributed way across a plurality of decryption terminals, so that an attacker would need to compromise multiple decryption terminals to obtain the complete private key, which greatly increases the difficulty. Specifically, after the server side obtains the private key, the private key comprises K private key components, where K is a positive integer; the private key components are respectively hidden in the secret components corresponding to the N decryption ends and stored respectively in the N decryption ends, so that no decryption end can obtain the complete private key, and the security of the lattice encryption algorithm is improved. Since the private key is a K×1 matrix in which each element is a polynomial, the K private key components can be obtained directly from the structure of the private key itself. N can be any positive integer and can be set according to actual requirements.
After obtaining the K private key components, generating secret components corresponding to the N decryption terminals, respectively, based on the K private key components, and transmitting the secret components to the decryption terminals corresponding to each. Specifically, a private key for decrypting an encrypted ciphertext is obtained, wherein the private key comprises K private key components, and K is a positive integer; respectively constructing T-1 target polynomials corresponding to the private key components based on the K private key components by using a Lagrange interpolation method, wherein N is larger than T; and generating secret components corresponding to the N decryption terminals respectively based on the target polynomial, and sending the secret components to the decryption terminals corresponding to the N decryption terminals respectively. In the embodiment of the invention, the secret sharing of the private key component is realized by using the T-1 target polynomial, so that the secret component of any T decryption terminals can be recovered by processing the secret components by using the Lagrange interpolation method when decryption is performed based on the characteristic of secret sharing of the target polynomial. It should be noted that: in the embodiment of the invention, N is not less than T (N is greater than T or N is equal to T), the specific numerical value of N, T can be set according to actual requirements, and the server can flexibly formulate a decryption strategy.
Optionally, a specific implementation of constructing the degree-(T-1) target polynomials corresponding to the private key components from the K private key components by the Lagrange interpolation method may include: randomly selecting T-1 first polynomials and N second polynomials, the first polynomials and the second polynomials being random polynomials of a polynomial ring; and generating N×K target polynomials of degree T-1 from the K private key components, the T-1 first polynomials and the N second polynomials. That is, each decryption end corresponds to K target polynomials of degree T-1.
To allow decryption by any T decryption ends, the target polynomials are generated by the Lagrange interpolation method when the secret components are generated: each private key component is hidden in a target polynomial of degree T-1, and the secret components are generated from the target polynomials. In an alternative embodiment, the specific process of generating the secret components may include: randomly selecting T-1 first polynomials and N second polynomials, the first polynomials and the second polynomials being random polynomials of a polynomial ring; generating N×K target polynomials from the K private key components, the T-1 first polynomials and the N second polynomials; and generating the secret components corresponding to the N decryption ends from the N second polynomials and the target polynomials, and sending each secret component to its decryption end. After receiving the secret component sent by the server, each of the N decryption ends may store it locally, so that when it later receives the first part of an encrypted ciphertext from the server it can process that first part directly with its secret component to obtain a decryption component.
When the server has a decryption requirement or receives a decryption request, it first obtains the encrypted ciphertext to be decrypted. The encrypted ciphertext consists of two parts and is obtained by encrypting the data to be encrypted with a lattice encryption algorithm under the public key.
After the encrypted ciphertext to be decrypted is obtained, the target polynomial is obtained and the number of target decryption ends is determined from it. For example, if the target polynomial has degree T-1, T target decryption ends are required for decryption; that is, the number of target decryption ends is determined by the degree of the constructed target polynomial. After determining the number T of target decryption ends, the server can randomly select T of the N decryption ends as the target decryption ends according to actual requirements, where N is not less than T. The first part of the encrypted ciphertext is then sent to the T target decryption ends, so that each target decryption end processes its secret component and the first part of the encrypted ciphertext with the Lagrange interpolation method to obtain a decryption component and sends that decryption component to the server. The server receives the decryption components sent by the T target decryption ends and determines the plaintext corresponding to the encrypted ciphertext from the decryption components and the second part of the encrypted ciphertext. In the embodiment of the invention, the encrypted ciphertext is thus decrypted by the cooperative decryption of any T decryption ends using the Lagrange interpolation method; the whole decryption process does not require all decryption ends, so the server can customize the decryption strategy flexibly according to requirements.
In the distributed collaborative decryption scheme provided by the embodiment of the invention, secret sharing of the private key components is realized through target polynomials of degree T-1, so that, by the secret-sharing property of the target polynomials, the private key components can be recovered during decryption by processing the secret components of any T decryption ends with the Lagrange interpolation method, and the encrypted ciphertext is then decrypted on the basis of the recovered private key components. Decryption of the encrypted ciphertext by any T decryption ends is thereby realized; the decryption method is more flexible, and the decryption strategy can be customized according to requirements so that the failure of individual decryption ends does not affect the whole decryption process.
FIG. 3 is a schematic flow chart of constructing T-1 order target polynomials corresponding to private key components based on K private key components by Lagrange interpolation according to an embodiment of the present invention; on the basis of the above embodiment, referring to fig. 3, this embodiment provides an implementation manner of generating secret components corresponding to N decryption ends respectively based on K private key components. Specifically, it may include:
step 301, randomly selecting T-1 first polynomials and N second polynomials, wherein the first polynomials and the second polynomials are random polynomials in a polynomial ring.
Step 302, generating N×K target polynomials based on the K private key components, the T-1 first polynomials and the N second polynomials.
In the embodiment of the invention, the Lagrange interpolation method is used so that any T decryption ends can decrypt the encrypted ciphertext with their respective secret components: when the secret components are generated, target polynomials in the form of Lagrange interpolation polynomials (polynomials of degree T-1 that are later reconstructed through T interpolation points) are generated, and the private key components are hidden in them.
Specifically, when generating the N secret components, T-1 first polynomials and N second polynomials are first selected at random, each of them a random polynomial of the polynomial ring. The polynomial ring is the ring of polynomials with coefficients in a ring R, where R may be a commutative ring, the ring of integers, a residue class ring (for example the integers modulo q) and so on; the specific choice of R can be set according to actual requirements. Because the Lagrange interpolation performed later divides by differences of the second polynomials, the N second polynomials must be chosen so that every pairwise difference is invertible in the polynomial ring; otherwise the interpolation basis functions are undefined.
Next, N×K target polynomials are generated from the K private key components, the T-1 first polynomials and the N second polynomials. The private key is split and stored on the N decryption ends, and each decryption end corresponds to K target polynomials, so N×K target polynomials are generated in total. In an alternative embodiment, a specific implementation of generating the N×K target polynomials from the K private key components, the T-1 first polynomials and the N second polynomials may be: determining the K private key components respectively as the constant terms of the K target polynomials corresponding to a decryption end; determining the T-1 first polynomials as the coefficients of the K target polynomials corresponding to the decryption end; determining the N second polynomials respectively as the variables of the target polynomials corresponding to the N decryption ends; and determining the K target polynomials corresponding to each of the N decryption ends from the constant term, the coefficients and the variable.
Specifically, let the private key be S with K private key components s_1, ..., s_K, where s_j denotes the j-th private key component, i.e. the j-th element of the private key matrix. Let the T-1 first polynomials be a_1, ..., a_{T-1} and the N second polynomials be x_1, ..., x_N. The K target polynomials corresponding to the N decryption ends are then determined from the formula f_j(x) = s_j + a_1·x + a_2·x^2 + ... + a_{T-1}·x^{T-1} (j = 1, ..., K), in which the private key component is the constant term, the first polynomials are the coefficients and the second polynomial of a decryption end is substituted for the variable x. For example, if the second polynomial corresponding to the first decryption end is x_1, the K target polynomials corresponding to the first decryption end are f_1(x_1), f_2(x_1), ..., f_K(x_1). If the second polynomial corresponding to the second decryption end is x_2, the K target polynomials generated for the second decryption end from the above formula are f_1(x_2), f_2(x_2), ..., f_K(x_2). The K target polynomials corresponding to each of the remaining decryption ends are generated in the same way and are not described further.
After generating K target polynomials corresponding to the N decryption terminals, generating secret components corresponding to the N decryption terminals based on the N second polynomials and the target polynomials. The secret component is composed of two parts, and based on the N second polynomials and the target polynomials, the specific implementation manner of generating the secret components corresponding to the N decryption terminals can be as follows: determining the variable of the target polynomial corresponding to each of the N decryption ends as a first part of the secret component; determining K target polynomials corresponding to the N decryption terminals as a second part of the secret component; based on the secret component first portion and the secret component second portion, secret components corresponding to the N decryption terminals, respectively, are generated.
In particular, the secret component of each decryption end can be generated from the formula c_i = (x_i, f_1(x_i), ..., f_K(x_i)), where c_i is the secret component of the i-th decryption end, x_i is its variable (the first part of the secret component) and f_1(x_i), ..., f_K(x_i) are its K target polynomials (the second part of the secret component). For example, if the variable of the target polynomials corresponding to the first decryption end is x_1 and its K target polynomials are f_1(x_1), f_2(x_1), ..., f_K(x_1), the secret component corresponding to the first decryption end is c_1 = (x_1, f_1(x_1), ..., f_K(x_1)). If the variable corresponding to the second decryption end is x_2 and its K target polynomials are f_1(x_2), f_2(x_2), ..., f_K(x_2), the secret component corresponding to the second decryption end is c_2 = (x_2, f_1(x_2), ..., f_K(x_2)).
In the embodiment of the invention, T-1 first polynomials and N second polynomials, all random polynomials of a polynomial ring, are selected at random; N×K target polynomials are generated from the K private key components, the T-1 first polynomials and the N second polynomials; secret components corresponding to the N decryption ends are generated from the N second polynomials and the target polynomials and sent to the respective decryption ends. The private key is thereby dispersed over the decryption ends: an attacker can obtain the complete private key only by successfully compromising at least T decryption ends, the threshold of the sharing, instead of a single server, which greatly improves security, while the generated secret components allow the whole decryption of an encrypted ciphertext to be completed with any T of them.
Based on the method for generating the target polynomial according to the above embodiment, in an optional embodiment, a specific implementation manner of generating secret components corresponding to each of the N decryption ends based on the target polynomial may include: determining the variable of the target polynomial corresponding to each of the N decryption ends as a first part of the secret component; determining K target polynomials corresponding to the N decryption terminals as a second part of the secret component; based on the secret component first portion and the secret component second portion, secret components corresponding to the N decryption terminals, respectively, are generated. After generating the secret components corresponding to each of the N decryption terminals, they are transmitted to the respective decryption terminals.
FIG. 4 is a schematic flow chart of determining a plaintext corresponding to an encrypted ciphertext based on a decryption component and a second portion of the encrypted ciphertext according to an embodiment of the present invention; on the basis of the above embodiment, referring to fig. 4, this embodiment provides an implementation manner of determining a plaintext corresponding to an encrypted ciphertext based on a decryption component and a second portion of the encrypted ciphertext. Specifically, it may include:
Step 401, accumulating the decryption components to obtain the product value of the private key and the first part of the encrypted ciphertext.
Step 402, obtaining the difference value between the second part of the encrypted ciphertext and the product value.
Step 403, determining a plaintext corresponding to the encrypted ciphertext based on a preset function and the difference value, wherein the preset function is the decoding function of the lattice decryption algorithm.
After receiving the decryption components from the T target decryption ends, the server accumulates them to obtain the product value of the private key and the first part of the encrypted ciphertext. Specifically, let the private key be s, the first part of the encrypted ciphertext be u, and the decryption components sent by the T target decryption ends be d_1, ..., d_T. Each decryption component already carries the Lagrange interpolation coefficient of its decryption end, so accumulating the T decryption components reconstructs, by the Lagrange interpolation method, the product of the private key and the first part of the encrypted ciphertext, i.e. d_1 + ... + d_T = s^T u, the inner product of the private key vector s with u.
Next, the difference between the second part of the encrypted ciphertext and the product value is obtained. If the second part of the encrypted ciphertext is v and the product value is s^T u, the difference is v - s^T u. Finally, the plaintext corresponding to the encrypted ciphertext is determined from this difference by a preset function, namely the decoding function of the lattice decryption algorithm, which is defined in terms of the preset modulus parameter q, the remainder operation mod and rounding to the nearest integer: it maps each coefficient of v - s^T u back to a plaintext bit by scaling the coefficient relative to q, rounding it and taking the remainder. Applying this function to v - s^T u yields the plaintext corresponding to the encrypted ciphertext.
In the embodiment of the invention, the product value of the private key and the first part in the encrypted text is obtained by accumulating the decryption components, the difference value of the second part in the encrypted text and the product value is obtained, and the plaintext corresponding to the encrypted ciphertext is determined based on the preset function and the difference value, so that the decryption of the encrypted ciphertext based on any T decryption ends is realized, the decryption process is flexible, and the individual requirements of users can be better met.
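As an added worked derivation, not part of the patent text, the following shows why accumulating the T decryption components yields the product of the private key and the first part of the ciphertext (step 401), and why the difference with the second part (step 402) decodes to the plaintext (step 403). It uses the page's symbols s, u, v, q, m, t = As + e and the target polynomials f_j with constant terms s_j; the evaluation points x_i, the index set I of the T target decryption ends, the Lagrange basis values λ_i and the noise terms r, e_1, e_2 of the encryption step are notation assumed here.

Each f_j has degree T - 1 and constant term s_j, so interpolation through any T of its evaluation points recovers the constant term:

$$\lambda_i = \prod_{\substack{k \in I \\ k \neq i}} \frac{x_k}{x_k - x_i}, \qquad \sum_{i \in I} \lambda_i\, f_j(x_i) = f_j(0) = s_j \qquad (|I| = T),$$

which requires every difference x_k - x_i to be a unit of the polynomial ring. Decryption end i returns d_i = λ_i ∑_j f_j(x_i) u_j, and the ring is commutative, so

$$\sum_{i \in I} d_i = \sum_{j=1}^{K} \Big( \sum_{i \in I} \lambda_i\, f_j(x_i) \Big) u_j = \sum_{j=1}^{K} s_j\, u_j = s^{\mathsf T} u .$$

With u = A^T r + e_1, v = t^T r + e_2 + ⌈q/2⌋ m and t = A s + e, the difference of step 402 is

$$v - s^{\mathsf T} u = e^{\mathsf T} r + e_2 - s^{\mathsf T} e_1 + \lceil q/2 \rfloor\, m,$$

so each coefficient of v - s^T u is ⌈q/2⌋·m_k plus a small noise term. The preset function of step 403 recovers m_k by rounding that coefficient to the nearest of 0 and ⌈q/2⌋ modulo q, which is correct as long as the noise coefficient stays below q/4 in absolute value; the bound "much smaller than q" on the coefficients of s, e, r, e_1 and e_2 is what guarantees this.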
FIG. 5 is a flow chart of a distributed collaborative decryption method according to an exemplary embodiment of the present invention; referring to fig. 5, the present embodiment provides a distributed collaborative decryption method, where the execution body of the method may be a decryption device, and it is understood that the device may be implemented as software, or a combination of software and hardware. Specifically, the distributed collaborative decryption method may include:
step 501, a first portion of an encrypted ciphertext sent by a server is received.
Step 502, obtain a secret component for decryption.
Step 503, processing the secret component and the first part of the encrypted ciphertext by using a Lagrange interpolation method to obtain a decrypted component.
Step 504, the decrypted component is sent to the server, so that the server determines a plaintext corresponding to the encrypted ciphertext based on the decrypted component and the second portion of the encrypted ciphertext.
The distributed collaborative decryption method provided by the embodiment of the invention firstly obtains the secret component for decryption before decryption. The specific implementation manner of obtaining the secret component may be: and receiving the secret component sent by the server and storing the secret component so as to acquire the secret component for decryption after receiving the encrypted ciphertext sent by the server subsequently, and decrypting the encrypted ciphertext based on the stored secret component.
After receiving the encrypted ciphertext sent by the server, the decryption end processes its secret component and the first part of the encrypted ciphertext with the Lagrange interpolation method to obtain a decryption component. The secret component consists of a secret component first part and a secret component second part, and optionally the specific process of obtaining the decryption component may include: acquiring the Lagrange interpolation basis function of this decryption end, which is computed from the secret component first parts (the evaluation points) of the other T-1 target decryption ends; and obtaining the decryption component from that Lagrange interpolation basis function, the secret component first part, the secret component second part and the first part of the encrypted ciphertext.
In an alternative embodiment, let the received encrypted ciphertext be (u, v), with u = (u_1, ..., u_K), and let the T target decryption ends be indexed by a set I of T indices. The first part of each target decryption end's secret component, its evaluation point x_i, can be shared among the target decryption ends, giving the shared set {x_i : i ∈ I}. Decryption end i first calculates its Lagrange interpolation basis function from the shared set, λ_i = ∏_{j ∈ I, j ≠ i} x_j / (x_j - x_i), the product running over the other T-1 target decryption ends (each denominator must be invertible in the polynomial ring). Next it calculates its decryption component d_i = λ_i · (f_1(x_i)·u_1 + ... + f_K(x_i)·u_K), i.e. the inner product of the second part of its secret component with the first part of the encrypted ciphertext, weighted by its basis function.
And finally, the decryption component is sent to the server, so that the server determines a plaintext corresponding to the encrypted ciphertext based on the decryption component and the second part of the encrypted ciphertext, and the decryption of the encrypted ciphertext based on the decryption component in the T decryption terminals is achieved.
The specific decryption process of every target decryption end is the same as the operation performed by the decryption end in the above method, so the execution process of the other target decryption ends can refer to the implementation process described above.
In summary, in the embodiment of the present invention a decryption end receives the first part of an encrypted ciphertext sent by the server, obtains its secret component for decryption, processes the secret component and the first part of the encrypted ciphertext with the Lagrange interpolation method to obtain a decryption component, and sends the decryption component to the server, so that the server determines the plaintext corresponding to the encrypted ciphertext from the decryption components and the second part of the encrypted ciphertext. In other words, target polynomials of degree T-1 are constructed from the K private key components and the secret components of the N decryption ends are generated from them, which realizes secret sharing of the private key components; the private key components can then be recovered with the Lagrange interpolation method from the decryption components sent by any T decryption ends, and the encrypted ciphertext is decrypted on that basis.
The specific implementation process of some steps of the scheme provided in the embodiment of the present invention may refer to the related descriptions in the other embodiments, which are not described herein.
In the above embodiment the whole decryption process is controlled by the server: operations such as hiding the private key are completed at the server, and the decryption components of the several target decryption ends are finally processed together at the server to obtain the plaintext corresponding to the encrypted ciphertext. In practical application, however, to simplify the whole decryption process the operations of the server may be performed by a decryption end: one of the plurality of decryption ends is selected as the master decryption end, and the final decryption is completed at the master decryption end.
In a specific application, the distributed collaborative decryption process involves one master decryption end and several slave decryption ends. In the embodiment of the invention, the distributed collaborative decryption method performed by the master decryption end and the slave decryption ends comprises the following steps:
and step 1, the decryption end generates a public and private key pair.
The process of generating the public-private key pair may be performed at the master decryption end or at any slave decryption end; this is not limited. Specifically, a first bit string and a second bit string are generated at random, each being a uniformly random bit string of length 256 consisting of 0s and 1s.
Then the first bit string is input to the matrix function Sam to obtain the first matrix A, i.e. A = Sam(first bit string). The Sam function generates the corresponding matrices from an input random bit string; each element of a generated matrix is a polynomial of the polynomial ring, and that polynomial is uniformly random in the ring. The formula thus states that inputting the first bit string to Sam yields a K×K matrix A, each element of which is a random polynomial of the polynomial ring.
Then the second bit string is input to the matrix function Sam to determine the second matrix s and the third matrix e, i.e. (s, e) = Sam(second bit string). Each element of s and each element of e is a polynomial whose coefficients are all bounded by a value much smaller than q, and s is the matrix corresponding to the private key of the public-private key pair generated by the lattice encryption algorithm. Both s and e are K×1 matrices, that is, vectors with K polynomial components each.
Finally, the product As of the first matrix and the second matrix is obtained and added to the third matrix e; the sum t = As + e is determined as the first component of the public key, and the public key pk = (t, first bit string) is generated from t and the first bit string. Here t is the first component of the pair corresponding to the public key, A is the matrix obtained by inputting the first bit string to Sam, and s is the matrix corresponding to the private key; the first bit string, from which A can be regenerated, is the second component of the pair corresponding to the public key. After the public-private key pair is generated, the public key may be published so that an encryptor can obtain it and encrypt with it.
Step 2, the decryption end splits the private key into K private key components, where K is a positive integer, generates secret components corresponding to the N decryption ends based on the K private key components, and sends each secret component to its corresponding decryption end.
The process of generating the secret components may be performed at the master decryption end or at any slave decryption end; this is not limited. Specifically, T-1 first polynomials a_1, ..., a_{T-1} and N second polynomials x_1, ..., x_N are selected at random from the polynomial ring. The target polynomial is defined as f_j(x) = s_j + a_1·x + ... + a_{T-1}·x^{T-1}, where s_j is the j-th private key component (j = 1, ..., K), and the target polynomials corresponding to the N decryption ends, {f_1(x_i), ..., f_K(x_i)} for i = 1, ..., N, are calculated. Then the secret component c_i = (x_i, f_1(x_i), ..., f_K(x_i)) corresponding to each decryption end i is calculated. Finally, the secret component c_i is sent to decryption end i; the secret components and the decryption ends are in one-to-one correspondence.
And 3, receiving the secret components corresponding to the decryption terminals, and storing the secret components.
And 4, receiving an encrypted ciphertext to be decrypted by the decryption terminal, wherein the encrypted ciphertext is composed of two parts.
In practical applications, the decryption end obtains the encrypted ciphertext to be decrypted from the encryptor. The specific encryption process may be as follows. Let the plaintext be m. A random bit string of length 256 consisting of 0s and 1s is selected. The first bit string (the second component of the public key) is input to the matrix function Sam to obtain the first matrix A, and the random bit string is input to the matrix function Sam to obtain three matrices r, e_1 and e_2: r is a K×1 matrix each of whose elements is a polynomial, e_1 is a K×1 matrix each of whose elements is also a polynomial, and e_2 is a 1×1 matrix whose element is likewise a polynomial; the coefficients of every polynomial in r, e_1 and e_2 are all bounded by a value much smaller than q.
Next, the first part of the encrypted ciphertext is generated as u = A^T r + e_1, where A is the first matrix obtained by inputting the first bit string to Sam, A^T is the transpose of A, and r is the K×1 matrix obtained from the random bit string; since A^T is K×K and r is K×1, the first component u of the vector corresponding to the ciphertext is a K×1 matrix.
Then the second part of the encrypted ciphertext is generated as v = t^T r + e_2 + ⌈q/2⌋·m, where t is the first component of the pair corresponding to the public key (a K×1 matrix), t^T is its transpose (a 1×K matrix), r is the K×1 matrix obtained from the random bit string, e_2 is the 1×1 matrix obtained from the random bit string, ⌈q/2⌋ denotes q/2 rounded to the nearest integer, and m is the polynomial corresponding to the plaintext; the second component v of the vector corresponding to the ciphertext is a 1×1 matrix.
Finally, the ciphertext (u, v) is output. u and v are the two components of the vector corresponding to the ciphertext: u is a vector of K elements, i.e. a K×1 matrix, each of whose components is a polynomial of the polynomial ring, and v is a 1×1 matrix whose element is also a polynomial of the polynomial ring.
Step 5, T decryption ends are selected at random from the N decryption ends and determined as the target decryption ends, where N is not less than T, and one of the T target decryption ends is selected as the master decryption end.
Without loss of generality, a fixed one of the target decryption ends is taken as the master decryption end in what follows.
And step 6, the master decryption end and the slave decryption end process the secret component and the first part in the encrypted ciphertext by using a Lagrange interpolation method to obtain a decryption component.
Specifically, let the T target decryption ends be indexed by a set I of T indices. The first part of each target decryption end's secret component, its evaluation point x_i, can be shared among the target decryption ends, giving the shared set {x_i : i ∈ I}. Each slave decryption end i calculates its Lagrange interpolation basis function λ_i = ∏_{j ∈ I, j ≠ i} x_j / (x_j - x_i) from the shared set (each denominator must be invertible in the polynomial ring), and then its decryption component d_i = λ_i · (f_1(x_i)·u_1 + ... + f_K(x_i)·u_K), where (u_1, ..., u_K) are the K components of the first part u of the encrypted ciphertext.
And 7, all the slave decryption terminals send the decryption components corresponding to the slave decryption terminals to the master decryption terminal.
Specifically, every slave decryption end sends its decryption component d_i to the master decryption end. The master decryption end calculates its own decryption component in the same way from its own secret component and the shared set of evaluation points.
And 8, the main decryption terminal receives the decryption components sent by the secondary decryption terminals and determines the plaintext corresponding to the encrypted ciphertext based on the decryption components and the second part in the encrypted ciphertext.
Specifically, the master decryption end accumulates its own decryption component and the received decryption components to obtain the product s^T u of the private key and the first part of the encrypted ciphertext, calculates the difference v - s^T u with the second part v of the encrypted ciphertext, and applies the decoding function of the lattice decryption algorithm to the difference, thereby obtaining the plaintext corresponding to the encrypted ciphertext.
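As an added end-to-end example, written for this page and not code from the patent or its applicant, the following Python script runs the complete procedure described above: key generation (step 1), splitting and secret-sharing of the private key (step 2 and FIG. 3, steps 301 and 302), encryption (step 4), Lagrange-weighted partial decryption at the decryption ends (step 6 and FIG. 5, step 503), and accumulation plus decoding at the server or master end (steps 7 and 8 and FIG. 4, steps 401 to 403). Everything beyond what the page states is an assumption chosen to keep the toy runnable: the ring is Z_q[X]/(X^4 + 1) with q = 3329 and K = 2 instead of Kyber-sized parameters, there are N = 5 decryption ends with threshold T = 3, the Sam expansion of seed bit strings is replaced by a seeded random generator producing ternary small polynomials and uniform polynomials, the public key stores A directly instead of the seed bit string, and the evaluation point of decryption end i is the integer i embedded in the ring rather than a random ring polynomial. That last choice is deliberate: Lagrange interpolation divides by every difference x_j - x_i, and with distinct integer points below a prime q the modular inverse always exists (pow raises ValueError otherwise), whereas random ring points must be checked for unit differences. The function names (ring_mul, share_key, lagrange_coeff, partial_decrypt, threshold_decrypt, demo) are the example's own.

```python
# Added example, not the patent's code: threshold decryption of a toy
# Kyber-style Module-LWE ciphertext with Shamir shares over R_q.
import itertools
import random

Q = 3329      # modulus q (Kyber's value); the sharing needs a prime > N_TERMS
N_DEG = 4     # R_q = Z_q[X]/(X^N_DEG + 1); toy size, Kyber uses 256
K = 2         # module rank: the private key s has K polynomial components
N_TERMS = 5   # number of decryption ends holding secret components
T = 3         # threshold: any T decryption ends can decrypt

def ring_add(a, b):
    return [(x + y) % Q for x, y in zip(a, b)]
def ring_sub(a, b):
    return [(x - y) % Q for x, y in zip(a, b)]
def ring_scale(a, c):
    return [(x * c) % Q for x in a]

def ring_mul(a, b):
    """Schoolbook product reduced modulo X^N_DEG + 1 (so X^N_DEG = -1)."""
    res = [0] * N_DEG
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            k, sign = (i + j, 1) if i + j < N_DEG else (i + j - N_DEG, -1)
            res[k] = (res[k] + sign * x * y) % Q
    return res

def vec_dot(u, v):   # inner product of two K-vectors of ring elements (s^T u)
    acc = [0] * N_DEG
    for a, b in zip(u, v):
        acc = ring_add(acc, ring_mul(a, b))
    return acc

def small_poly(rng):    # stands in for Sam's small-coefficient output
    return [rng.choice((-1, 0, 1)) % Q for _ in range(N_DEG)]
def uniform_poly(rng):  # stands in for Sam's uniform output
    return [rng.randrange(Q) for _ in range(N_DEG)]

def keygen(rng):
    """pk = (A, t = A s + e), sk = s; A is kept directly instead of its seed."""
    A = [[uniform_poly(rng) for _ in range(K)] for _ in range(K)]
    s, e = [small_poly(rng) for _ in range(K)], [small_poly(rng) for _ in range(K)]
    t = [ring_add(vec_dot(A[i], s), e[i]) for i in range(K)]
    return (A, t), s

def encrypt(pk, m_bits, rng):
    """u = A^T r + e1, v = t^T r + e2 + round(q/2) * m."""
    A, t = pk
    r, e1 = [small_poly(rng) for _ in range(K)], [small_poly(rng) for _ in range(K)]
    e2 = small_poly(rng)
    At = [[A[j][i] for j in range(K)] for i in range(K)]
    u = [ring_add(vec_dot(At[i], r), e1[i]) for i in range(K)]
    enc_m = [(b * ((Q + 1) // 2)) % Q for b in m_bits]
    return u, ring_add(ring_add(vec_dot(t, r), e2), enc_m)

def decode(w):   # preset decoding function: scale by 2/q, round, reduce mod 2
    return [round(2 * x / Q) % 2 for x in w]

def share_key(s, rng):
    """Share each s_j as f_j(x) = s_j + a_1 x + ... + a_{T-1} x^{T-1} (random ring
    coefficients a_d); end i receives (x_i, [f_1(x_i), ..., f_K(x_i)]).
    Assumption: the integer point x_i = i replaces the page's random ring point."""
    coeffs = [[uniform_poly(rng) for _ in range(T - 1)] for _ in range(K)]
    def f(j, x):
        val = list(s[j])
        for d in range(1, T):
            val = ring_add(val, ring_scale(coeffs[j][d - 1], pow(x, d, Q)))
        return val
    return {i: [f(j, i) for j in range(K)] for i in range(1, N_TERMS + 1)}

def lagrange_coeff(i, idxs):
    """lambda_i = prod_{j != i} x_j / (x_j - x_i): Lagrange basis value at x = 0.
    pow(d, -1, Q) raises ValueError if a denominator d is not a unit mod Q."""
    lam = 1
    for j in idxs:
        if j != i:
            lam = lam * j * pow(j - i, -1, Q) % Q
    return lam

def partial_decrypt(i, share_vals, idxs, u):
    """Decryption component d_i = lambda_i * <share_i, u>, computed at end i."""
    return ring_scale(vec_dot(share_vals, u), lagrange_coeff(i, idxs))

def threshold_decrypt(ct, shares, idxs):
    """Server or master end: accumulate d_i (= s^T u), then decode(v - s^T u)."""
    u, v = ct
    su = [0] * N_DEG
    for i in idxs:
        su = ring_add(su, partial_decrypt(i, shares[i], idxs, u))
    return decode(ring_sub(v, su))

def demo(seed=1):
    """True iff every T-subset of the N ends recovers the constructed plaintext."""
    rng = random.Random(seed)
    pk, s = keygen(rng)
    shares = share_key(s, rng)
    m = [1, 0, 1, 1]                     # constructed 4-bit plaintext
    ct = encrypt(pk, m, rng)
    return all(threshold_decrypt(ct, shares, list(sub)) == m
               for sub in itertools.combinations(range(1, N_TERMS + 1), T))
```

Calling demo() shares a fresh key among the five ends and checks that each of the ten possible sets of three ends decrypts the constructed plaintext [1, 0, 1, 1]. With these parameters the noise term e^T r + e_2 - s^T e_1 has coefficients of absolute value at most 17, far below q/4, so decoding is exact. A set of fewer than T ends interpolates through too few points, so its accumulated components do not in general equal s^T u and the decoded bits are noise; note also that the server or master end learns s^T u, not the private key or its shares.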
The relevant content of the embodiment, which is not described in the present embodiment, may refer to the relevant description in the foregoing embodiment, which is not repeated here.
A distributed collaborative decryption apparatus according to one or more embodiments of the present invention will be described in detail below. Those skilled in the art will appreciate that these means may be configured by the steps taught by the present solution using commercially available hardware components.
Fig. 6 is a schematic structural diagram of a distributed collaborative decrypting apparatus according to an embodiment of the present invention, where the apparatus is located in a server device, as shown in fig. 6, and the apparatus includes: the device comprises an acquisition module 11, a determination module 12, a sending module 13 and a receiving module 14.
The obtaining module 11 is configured to obtain an encrypted ciphertext to be decrypted and a target polynomial, where the encrypted ciphertext is composed of two parts, the target polynomial is configured to process the K private key components to obtain secret components corresponding to N decryption ends, and the target polynomial is a T-1 degree polynomial, where N is not less than T;
a determining module 12, configured to randomly select T decryption terminals from the N decryption terminals based on the target polynomial, to determine the T decryption terminals as target decryption terminals, where the number T of target decryption terminals is determined by the target polynomial degree;
a sending module 13, configured to send the first portion of the encrypted ciphertext to T target decryption ends, so that the target decryption ends respectively process the secret component and the first portion of the encrypted ciphertext by using a lagrangian interpolation method, obtain a decryption component, and send the decryption component to the server;
and the receiving module 14 is configured to receive decryption components sent by the T decryptors, and determine plaintext corresponding to the encrypted ciphertext based on the decryption components and the second portion of the encrypted ciphertext.
Optionally, the apparatus may further include a generating module, specifically may be configured to: acquiring a private key for decrypting an encrypted ciphertext, wherein the private key comprises K private key components, and K is a positive integer; respectively constructing T-1 target polynomials corresponding to the private key components based on K private key components by using a Lagrange interpolation method; and generating secret components corresponding to the N decryption terminals respectively based on the target polynomial, and sending the secret components to the decryption terminals corresponding to the N decryption terminals respectively, wherein N is not smaller than T.
Optionally, the generating module may specifically be configured to: randomly generating a first bit string and a second bit string; determining a first matrix based on the first bit string and a matrix function, wherein the matrix function is used for generating a matrix corresponding to the bit string; determining a second matrix and a third matrix based on the second bit string and the matrix function, and determining the second matrix as a private key; determining a first component of a public key based on the first matrix, the second matrix, and the third matrix; a public key is generated based on the first component and the first bit string.
Optionally, the generating module may specifically be configured to: randomly select T-1 first polynomials and N second polynomials, wherein the first polynomials and the second polynomials are random polynomials in a polynomial ring; and generate N × K target polynomials of degree T-1 based on the K private key components, the T-1 first polynomials and the N second polynomials.
Optionally, the generating module may specifically be configured to: determine the K private key components respectively as the constant terms of the K target polynomials corresponding to a decryption end; determine the T-1 first polynomials as the coefficients of the K target polynomials corresponding to a decryption end; determine the N second polynomials respectively as the variables of the target polynomials corresponding to the N decryption ends; and determine the K target polynomials corresponding to each of the N decryption ends based on the constant terms, the coefficients and the variables.
Optionally, the generating module may further be specifically configured to: determine the variable of the target polynomials corresponding to each of the N decryption terminals as the first part of that terminal's secret component; determine the K target polynomials corresponding to each of the N decryption terminals as the second part of the secret component; and generate the secret components corresponding to the N decryption terminals respectively based on the first and second parts of the secret component.
Optionally, the receiving module 14 may specifically be configured to: accumulate the decryption components to obtain the product value of the private key and the first part of the encrypted ciphertext; obtain the difference between the second part of the encrypted ciphertext and the product value; and determine the plaintext corresponding to the encrypted ciphertext based on a preset function and the difference, wherein the preset function is the decryption function used for recovering the plaintext in a lattice decryption algorithm.
The apparatus shown in fig. 6 may perform the steps performed by the server-side device in the foregoing embodiments; for the detailed execution process and technical effects, refer to the descriptions in the foregoing embodiments, which are not repeated here.
In one possible design, the structure of the distributed collaborative decryption apparatus shown in fig. 6 may be implemented as an electronic device, as shown in fig. 7, where the electronic device may include: a first processor 21, a first memory 22, a first communication interface 23. Wherein the first memory 22 has stored thereon executable code which, when executed by the first processor 21, causes the first processor 21 to at least perform the steps performed by the server-side device in the previous embodiments.
Additionally, embodiments of the present invention provide a non-transitory machine-readable storage medium having executable code stored thereon, which when executed by a processor of an electronic device, causes the processor to at least implement a distributed collaborative decryption method as provided in the previous embodiments.
Fig. 8 is a schematic structural diagram of a distributed collaborative decryption apparatus according to an embodiment of the present invention, where the apparatus is located in a decryption-end device. As shown in fig. 8, the apparatus includes a receiving module 31, an acquiring module 32, a processing module 33 and a sending module 34.
The receiving module 31 is configured to receive a secret component and an encrypted ciphertext sent by the server, where the encrypted ciphertext is formed by two parts;
an acquisition module 32 for acquiring a secret component for decryption;
a processing module 33, configured to process the secret component and the first portion of the encrypted ciphertext by using Lagrange interpolation to obtain a decryption component;
and the sending module 34 is configured to send the decryption component to the server, so that the server determines a plaintext corresponding to the encrypted ciphertext based on the decryption component and the second portion of the encrypted ciphertext.
Optionally, before receiving the first portion of the encrypted ciphertext sent by the server, the apparatus may further include a storage module configured to receive the secret component sent by the server and store it.
Optionally, the processing module 33 may be specifically configured to: obtain a Lagrange interpolation basis function and the secret component first parts corresponding to the other T-1 target decryption ends; and obtain the decryption component based on the Lagrange interpolation basis function, the secret component first parts corresponding to the T-1 target decryption ends, its own secret component first part, its secret component second part and the first part of the encrypted ciphertext.
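The sharing step of the generating module, the per-terminal computation of processing module 33 and the recombination of receiving module 14 described above, as an added toy example that is not the patent's own code: it assumes the polynomial ring is replaced by the integers modulo a prime Q, an LWE-style ciphertext (c1, c2) carrying a single bit, and a rounding decoding function standing in for the preset lattice decryption function; all parameters and names are constructed.

```python
import random

# Constructed toy parameters (assumptions, not the patent's): the polynomial
# ring is replaced by the integers mod the prime Q, so the K private key
# components, the T-1 "first polynomials" (shared coefficients) and the N
# "second polynomials" (per-terminal evaluation points) are integers mod Q.
Q, K, T, N = 7681, 4, 3, 5


def generate_secret_components(s, rng):
    """Server: K target polynomials of degree T-1 per decryption terminal.
    Constant terms are the private key components s[k]; the T-1 coefficients
    a[1..T-1] are shared by all K polynomials; x_i is terminal i's variable.
    Secret component of terminal i = (x_i, [f_1(x_i), ..., f_K(x_i)])."""
    a = [rng.randrange(Q) for _ in range(T - 1)]   # the T-1 first polynomials
    xs = rng.sample(range(1, Q), N)                # the N second polynomials
    components = []
    for x in xs:
        shares = [(sk + sum(c * pow(x, j, Q) for j, c in enumerate(a, 1))) % Q
                  for sk in s]
        components.append((x, shares))
    return components

def lagrange_basis_at_zero(x_i, other_xs):
    """Lagrange basis function l_i evaluated at 0 over Z_Q."""
    num = den = 1
    for x_j in other_xs:
        num = num * (-x_j) % Q
        den = den * (x_i - x_j) % Q
    return num * pow(den, -1, Q) % Q

def decryption_component(component, other_xs, c1):
    """Decryption end: l_i(0) * <f(x_i), c1> mod Q, returned to the server."""
    x_i, shares = component
    inner = sum(f * c for f, c in zip(shares, c1)) % Q
    return lagrange_basis_at_zero(x_i, other_xs) * inner % Q

def decode(d):
    """Preset decoding function: nearest of {0, Q/2} as a bit (|e| < Q/4)."""
    return 1 if Q // 4 < d < 3 * Q // 4 else 0

def encrypt(s, m, rng):
    """Toy LWE-style ciphertext: c1 random, c2 = <c1, s> + e + m*floor(Q/2)."""
    c1 = [rng.randrange(Q) for _ in range(K)]
    e = rng.randrange(-10, 11)
    return c1, (sum(c * sk for c, sk in zip(c1, s)) + e + m * (Q // 2)) % Q

def threshold_decrypt(components, chosen, c1, c2):
    """Server side of the protocol for exactly T chosen terminal indices.
    Returns (plaintext bit, recovered <s, c1>); fewer than T shares would
    silently give a wrong inner product, so the count is checked first."""
    if len(set(chosen)) != T:
        raise ValueError("exactly T distinct target decryption terminals required")
    xs = [components[i][0] for i in chosen]
    parts = [decryption_component(components[i], [x for x in xs if x != components[i][0]], c1)
             for i in chosen]
    prod = sum(parts) % Q                          # accumulate -> <s, c1>
    return decode((c2 - prod) % Q), prod

def demo(seed=1, m=1):
    """Key gen, sharing, encryption of one bit, T-of-N decryption; returns
    (recovered bit, whether the recombined inner product equals <s, c1>)."""
    rng = random.Random(seed)
    s = [rng.randrange(Q) for _ in range(K)]
    components = generate_secret_components(s, rng)
    c1, c2 = encrypt(s, m, rng)
    bit, prod = threshold_decrypt(components, rng.sample(range(N), T), c1, c2)
    return bit, prod == sum(c * sk for c, sk in zip(c1, s)) % Q
```

Because every terminal's K shares use the same coefficients, one Lagrange weight per terminal suffices for all K components, which is why the server only has to sum the T returned values.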
The apparatus shown in fig. 8 may perform the steps performed by the decryption-end device in the foregoing embodiments; for the detailed execution process and technical effects, refer to the descriptions in the foregoing embodiments, which are not repeated here.
In one possible design, the structure of the distributed collaborative decryption apparatus shown in fig. 8 may be implemented as an electronic device, as shown in fig. 9, where the device may include: a second processor 41, a second memory 42, a second communication interface 43. Wherein the second memory 42 has stored thereon executable code which, when executed by the second processor 41, causes the second processor 41 to at least perform the steps performed by the decryption end device as in the previous embodiments.
Additionally, embodiments of the present invention provide a non-transitory machine-readable storage medium having executable code stored thereon, which when executed by a processor of a device, causes the processor to at least implement a distributed collaborative decryption method as provided in the previous embodiments.
The apparatus embodiments described above are merely illustrative, wherein the units described as separate components may or may not be physically separate. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art will understand and implement the present invention without undue burden.
From the above description of the embodiments, it will be apparent to those skilled in the art that the embodiments may be implemented by adding necessary general purpose hardware platforms, or may be implemented by a combination of hardware and software. Based on such understanding, the foregoing aspects, in essence and portions contributing to the art, may be embodied in the form of a computer program product, which may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present invention, and are not limiting; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (8)

1. The distributed collaborative decryption method is characterized by being applied to a server and comprising the following steps:
acquiring a private key for decrypting an encrypted ciphertext, wherein the private key comprises K private key components, and K is a positive integer;
randomly selecting T-1 first polynomials and N second polynomials, wherein the first polynomials and the second polynomials are random polynomials in a polynomial ring;
generating N × K target polynomials of degree T-1 based on the K private key components, the T-1 first polynomials and the N second polynomials by using a Lagrange interpolation method, wherein each decryption end corresponds to K target polynomials of degree T-1, and N is not smaller than T;
determining the variable of the target polynomial corresponding to each of the N decryption ends as a first part of the secret component;
determining K target polynomials corresponding to the N decryption terminals as a second part of the secret component;
based on the first secret component part and the second secret component part, secret components corresponding to the N decryption terminals are respectively generated, and the secret components are sent to the decryption terminals corresponding to the N decryption terminals;
obtaining an encrypted ciphertext to be decrypted and a target polynomial, wherein the encrypted ciphertext consists of two parts;
based on the target polynomial, T decryption terminals are randomly selected from the N decryption terminals to be determined as target decryption terminals, and the number T of the target decryption terminals is determined by the degree of the target polynomial;
the first part of the encrypted ciphertext is sent to T target decryption ends, so that the target decryption ends respectively process the secret component and the first part of the encrypted ciphertext by utilizing a Lagrangian interpolation method to obtain a decryption component, and the decryption component is sent to the server;
and receiving decryption components sent by the T decryption terminals respectively, and determining a plaintext corresponding to the encrypted ciphertext based on the decryption components and the second part of the encrypted ciphertext.
2. The method of claim 1, wherein the obtaining a private key for decrypting the encrypted ciphertext comprises:
randomly generating a first bit string and a second bit string;
determining a first matrix based on the first bit string and a matrix function, wherein the matrix function is used for generating a matrix corresponding to the bit string;
determining a second matrix and a third matrix based on the second bit string and the matrix function, and determining the second matrix as a private key;
determining a first component of a public key based on the first matrix, the second matrix, and the third matrix;
a public key is generated based on the first component and the first bit string.
3. The method of claim 2, wherein the generating N × K target polynomials based on the K private key components, the T-1 first polynomials, and the N second polynomials comprises:
respectively determining the K private key components as constant terms of K target polynomials corresponding to a decryption end;
determining the T-1 first polynomials as coefficients of K target polynomials corresponding to a decryption end;
respectively determining the N second polynomials as variables of target polynomials corresponding to the N decryption ends;
and determining K target polynomials corresponding to the N decryption ends respectively based on the constant term, the coefficient and the variable.
4. The method of claim 1, wherein the determining plaintext corresponding to the encrypted ciphertext based on the decrypted component and a second portion of the encrypted ciphertext comprises:
accumulating the decryption components to obtain a product value of the private key and a first part in the encrypted text;
obtaining a difference value between the second part in the encrypted text and the product value;
and determining a plaintext corresponding to the encrypted ciphertext based on a preset function and the difference value, wherein the preset function is a coding function in a lattice decryption algorithm.
5. The distributed collaborative decryption method is characterized by being applied to a decryption end and comprising the following steps:
receiving a secret component sent by a server and storing the secret component, wherein the secret component consists of two parts, a first part of the secret component is determined by a variable of a target polynomial corresponding to the decryption end, a second part of the secret component is determined by K target polynomials corresponding to the decryption end, the target polynomials are generated by K private key components, T-1 first polynomials and N second polynomials, and the first polynomials and the second polynomials are random polynomials in a polynomial ring;
receiving a first part of an encrypted ciphertext sent by a server;
acquiring a secret component for decryption;
processing the secret component and the first part in the encrypted text by using a Lagrange interpolation method to obtain a decryption component;
and sending the decryption component to the server so that the server determines a plaintext corresponding to the encrypted ciphertext based on the decryption component and the second part of the encrypted ciphertext.
6. The method of claim 5, wherein the secret component consists of a secret component first portion and a secret component second portion, wherein the processing the secret component and the first portion of the encrypted text using lagrangian interpolation to obtain a decrypted component comprises:
acquiring a Lagrange interpolation basis function and a secret component first part corresponding to T-1 target decryption ends;
and obtaining decryption components based on the Lagrangian interpolation basis function, the secret component first part corresponding to the T-1 target decryption end, the secret component first part, the secret component second part and the first part in the encrypted ciphertext.
7. An electronic device, comprising: a memory, a processor, and a communication interface; wherein the memory has stored thereon executable code which, when executed by the processor, causes the processor to perform the distributed collaborative decryption method of any one of claims 1 to 4 or 5 to 6.
8. A non-transitory machine-readable storage medium having executable code stored thereon, which, when executed by a processor, causes the processor to perform the distributed collaborative decryption method of any one of claims 1 to 4 or 5 to 6.
CN202310430162.8A 2023-04-20 2023-04-20 Distributed collaborative decryption method, device and storage medium Active CN116170142B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310430162.8A CN116170142B (en) 2023-04-20 2023-04-20 Distributed collaborative decryption method, device and storage medium

Publications (2)

Publication Number Publication Date
CN116170142A CN116170142A (en) 2023-05-26
CN116170142B true CN116170142B (en) 2023-07-18

Family

ID=86422180

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant