WO2022142461A1 - Distributed wide area quantum cryptography network group key distribution method and system - Google Patents

Distributed wide area quantum cryptography network group key distribution method and system

Info

Publication number
WO2022142461A1
Authority
WO
WIPO (PCT)
Prior art keywords
group
node
nodes
routing
spanning tree
Application number
PCT/CN2021/117784
Other languages
French (fr)
Chinese (zh)
Inventor
原磊
Original Assignee
科大国盾量子技术股份有限公司
山东量子科学技术研究院有限公司
Priority claimed from CN202011587019.2A
Application filed by 科大国盾量子技术股份有限公司, 山东量子科学技术研究院有限公司
Publication of WO2022142461A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/083 Key transport or distribution involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
    • H04L9/0833 Key transport or distribution involving central third party, involving conference or group key
    • H04L9/0836 Key transport or distribution involving central third party, involving conference or group key using tree structure or hierarchical structure
    • H04L9/0852 Quantum cryptography

Definitions

  • the present invention claims priority of the Chinese patent application filed with the Chinese Patent Office on December 28, 2020, application number 202011587019.2, entitled "A distributed wide-area quantum cryptography network group key distribution method and system", the entire contents of which are incorporated herein by reference.
  • the invention belongs to the technical field of encrypted communication of quantum cryptographic networks, and in particular relates to a distributed wide-area quantum cryptographic network group key distribution method and system.
  • the group key service mode is one of the main modes of quantum key service. It is often used in communication scenarios between applications involving multiple parties in a networking environment, such as video conferencing, online transactions, online games, etc. It is an application for group communication in an open network environment.
  • the group key in the quantum cryptography network is obtained through the key relay between the nodes of the quantum cryptography network.
  • when applying such group keys, the current technology often considers only the application and does not consider the path cost of group key distribution.
  • the current quantum cryptography network has been developed from a metropolitan area network to a wide area network.
  • compared with distribution within a metropolitan area network, the path cost occupied by group key distribution between metropolitan area networks is larger, so when the number of group members is large, planning of the group key distribution path between metropolitan area networks should be considered first; this has not been considered in current group key application and distribution schemes.
  • the present invention proposes a distributed wide-area quantum cryptography network group key distribution method and system.
  • the present invention uses distributed routing calculation to determine in turn the best path between the nodes and so construct the shortest or a shorter total path, thus guaranteeing a minimum or reduced path cost of group key distribution on the basis of completing the distribution of the group key to all members.
  • the present invention adopts the following technical solutions:
  • a distributed wide-area quantum cryptography network group key distribution method comprising the following steps:
  • the group nodes are grouped according to the metropolitan area network where the group nodes are located, and one group node is selected as the group management node in each group node, and the group management node obtains other group management node information and the same group group node information;
  • each group management node calculates the wide area routing spanning tree of all group management nodes and the metro routing spanning tree of each group node with the goal that the total path of group key distribution is less than the set threshold;
  • the group key is transmitted layer by layer until all nodes of all metro area routing spanning trees have obtained the group key.
  • the node information is a node ID.
  • when obtaining the routing graph of the quantum cryptography network for the current routing period, it is confirmed whether there is information on group nodes that have newly joined or exited the group communication (a group node is the quantum cryptography network node at which a group member participating in the group communication is located); if so, the routing graph of the quantum cryptography network is updated according to that information.
  • the group management node does not need to be reselected, and each group management node does not need to recalculate and update the wide area routing spanning tree.
  • if the group nodes participating in the group communication in a certain metropolitan area network do not change during the routing period, the group management node of that metropolitan area network does not need to be reselected, and each group node of that metropolitan area network does not need to recalculate and update the metropolitan area routing spanning tree.
  • the specific process of calculating the wide area routing spanning tree of all group management nodes includes:
  • the specific process of calculating the spanning tree of metro routes includes:
  • the specific process of transmitting the group key layer by layer along the wide area routing spanning tree includes: the distribution of the group key starts from the root node of the wide area routing spanning tree; the group node at which the root node is located selects a true random number as the group key, saves the group key, and relays it to each child node of the root node;
  • each node of the wide area routing spanning tree receives the group key relayed by its parent node and saves it; if the node has child nodes, it relays the group key to each child node, until all nodes of the wide area routing spanning tree have obtained the group key.
  • the specific process of transmitting the group key layer by layer along the metro routing spanning tree includes: after each group management node receives the group key, it acts as the root node of the metro routing spanning tree in which it is located and, if it has child nodes, relays the group key to each child node;
  • each node of the metro routing spanning tree receives the group key relayed by its parent node and saves it; if the node has child nodes, it relays the group key to each child node, until every node of the metro routing spanning tree has obtained the group key.
  • the group key is distributed in parallel by using multiple lines.
  • a distributed wide-area quantum cryptography network group key distribution system comprising:
  • the group communication authentication server is configured to perform registration, login authentication and exit management of group members participating in group communication.
  • the group communication authentication server is further configured to group the group nodes according to the metropolitan area network where they are located, determine the group management node of each group, and send the information of all group management nodes, together with the information of all group nodes of the group where that group management node is located, to each group management node;
  • the group management node, which acts as the transit point of the group key from the WAN to the MAN, is configured to forward the information of all group nodes of its MAN to the group nodes of its group and, according to the routing graph and with the goal that the total path of group key distribution is less than the set threshold, to calculate the WAN routing spanning tree of all group management nodes and the MAN routing spanning tree of the group nodes of its own MAN, and to pass the group key layer by layer, first along the WAN routing spanning tree and then along the MAN routing spanning tree;
  • the metro group node is configured to obtain the group key from the group management node of the metro network where it is located.
  • the invention divides the group key distribution process into two processes: group management node group key distribution and metro group node group key distribution. Group management node group key distribution is performed first, and the group key route between metropolitan area networks is planned; this prevents the group key from being repeatedly distributed between metropolitan area networks, which would increase the cost of group key distribution.
  • the invention groups the group nodes according to the metropolitan area network where they are located; the group communication authentication server only needs to communicate with the group management node in each metropolitan area network, and the group management node communicates with the group nodes of its group, thereby reducing the communication complexity of group key distribution.
  • the wide-area group key distribution route of the present invention only needs to consider the routing spanning tree of the group management nodes, which reduces the complexity of the wide-area route calculation; in the calculation of the wide-area routing spanning tree, the wide-area routing node located at the centre of the network is selected as the root node from which group key distribution starts, which helps to improve the speed of group key distribution and reduce the key relay path cost.
  • the present invention calculates the wide area routing spanning tree of all group management nodes and the metro area routing spanning tree of each group of group nodes with the goal that the total group key distribution path is smaller than the set threshold, which makes it easy to form multiple key distribution lines that are distributed in parallel during group key distribution, increasing the speed of group key distribution.
  • each group management node separately calculates the wide area route of the group key and each group node separately calculates the metro area route of the metropolitan area network where it is located, and this distributed route calculation reduces the dependence on the central node.
  • FIG. 1 is a system structure diagram of Embodiment 1;
  • FIG. 2 is a schematic diagram of the group key distribution flow of Embodiment 2.
  • the group key is relayed between quantum cryptographic network nodes.
  • the current group key distribution technology does not consider the path cost of group key distribution: the optimal path is not adopted for group key distribution, which increases the path cost of group key distribution and thereby the cost of group key encrypted communication.
  • the present invention provides a distributed wide-area quantum cryptography network group key distribution method and system, which will be described in detail below with different embodiments.
  • a distributed wide-area quantum cryptography network group key distribution system as shown in Figure 1, specifically includes: a group communication authentication server, a group management node and a metro group node, and the functions of each part are as follows:
  • the group communication authentication server is responsible for the registration, login authentication and logout management of the group members participating in the group communication.
  • the quantum cryptographic network nodes where the group members participating in the group communication are located (hereinafter referred to as group nodes) are grouped according to the metropolitan area network where they are located; each group selects one group node as the group management node, and the authentication server sends to each group management node the IDs of all group management nodes and the IDs of all group nodes in the group where that group management node is located.
  • group management node: each metropolitan area network containing group nodes has one group management node; the group communication authentication server selects one group node from each metropolitan area network containing group nodes as its group management node. The group management node is the wide area routing node for group key distribution, i.e. the transfer point of the group key from the WAN to the metropolitan area network, and is also responsible for forwarding the IDs of all metro group nodes in its metropolitan area network to those metro group nodes.
  • the node ID can also be replaced with other node information, or when forwarding the node ID, other node related information is also sent.
  • the metro group node is the quantum cryptographic network node where the group members of the group communication are located, and obtains the group key through the group management node of the metro network where it is located.
  • Embodiment 2:
  • a distributed wide-area quantum cryptography network group key distribution method is provided.
  • the specific process is shown in Figure 2.
  • the wide-area quantum cryptography network group key distribution is divided into two processes: group management node group key distribution and metro group node group key distribution.
  • the group management node group key distribution process is as follows:
  • the group communication authentication server groups the group nodes participating in the group communication according to the metropolitan area network where the group nodes are located, and selects a group node in each group node as the group management node.
  • the group communication authentication server sends all group management node IDs to each group management node, and simultaneously sends all group node IDs of the group where each group management node is located to the group management node of the group.
  • Each group management node receives all group management node IDs sent by the group communication authentication server and all group node IDs of the metropolitan area network in which the group management node is located. Each group management node calculates the wide-area routing spanning tree of all group management nodes according to the wide-area quantum cryptography network routing graph.
  • the calculation method of the WAN spanning tree can be selected as follows:
  • A. First determine the root node of the wide-area routing spanning tree: calculate, for each group management node, the sum of the shortest key relay paths to the other group management nodes.
  • B. The group management node S with the smallest sum is used as the root node of the wide-area routing spanning tree; let V be the set of all group management nodes except the root node S, and T the set of nodes of the wide area routing spanning tree.
  • Repeat step C until the set V is empty.
  • the distribution of the group key starts from the root node of the WAN spanning tree.
  • the group node where the root node is located selects a true random number as the group key, saves the group key, and relays the group key to every child node of the root node.
  • each node of the WAN routing spanning tree receives the group key relayed by its parent node and saves it; if the node has child nodes, it relays the group key to each child node, until all nodes of the WAN routing spanning tree have obtained the group key.
  • when the root node is determined, a node whose sum of shortest key relay paths is less than the set threshold may also be used as the root node.
  • the key distribution process of the metro group node group is as follows:
  • after receiving all the group node IDs of the group where it is located, each group management node forwards all the group node IDs of the group to each group node of the group.
  • Each group node includes a group management node, and calculates the metropolitan area routing spanning tree of all group nodes in this group with the group management node of this group as the root node according to the MAN routing graph where the node is located.
  • the calculation method of the spanning tree of metro routes can be selected as follows:
  • after each group management node receives the group key, it acts as the root node of the metro routing spanning tree in which it is located and, if it has child nodes, relays the group key to each child node.
  • each node of the metro routing spanning tree receives the group key relayed by its parent node and saves it; if the node has child nodes, it relays the group key to each child node, until every node of the metro routing spanning tree has obtained the group key.
  • the group communication authentication server does not need to reselect the group management node, and each group management node does not need to recalculate and update the wide area routing spanning tree.
  • if the group nodes participating in group communication in a metropolitan area network do not change during the routing period, the group communication authentication server does not need to reselect the group management node of that metropolitan area network, and each group node of the metropolitan area network does not need to recalculate and update its metro routing spanning tree.
  • embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein.
  • these computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture comprising instruction means which implement the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.


Abstract

Provided are a distributed wide area quantum cryptography network group key distribution method and system. The method comprises: acquiring a routing map of a quantum cryptography network within the current routing period; grouping group nodes according to a metropolitan area network where the group nodes are located, selecting a group node from each group of group nodes as a group management node, and the group management node acquiring information of the other group management nodes and information of the group nodes in the same group as the group management node; according to the routing map and by taking a total group key distribution path which is less than a set threshold value as the target, each group management node calculating a wide area routing spanning tree of all the group management nodes and a metropolitan area routing spanning tree of group nodes in each group; and successively transmitting a group key layer by layer according to the wide area routing spanning tree and the metropolitan area routing spanning tree until all the nodes of all the metropolitan area routing spanning trees obtain the group key. By means of the present invention, the dependence on a center node is reduced by means of distributed routing calculation.

Description

A distributed wide-area quantum cryptography network group key distribution method and system
The present invention claims priority of the Chinese patent application filed with the Chinese Patent Office on December 28, 2020, application number 202011587019.2, entitled "A distributed wide-area quantum cryptography network group key distribution method and system", the entire contents of which are incorporated herein by reference.
Technical field
The invention belongs to the technical field of encrypted communication in quantum cryptography networks, and in particular relates to a distributed wide-area quantum cryptography network group key distribution method and system.
Background
The statements in this section merely provide background information related to the present invention and do not necessarily constitute prior art.
The group key service mode is one of the main modes of quantum key service. It is often used in communication scenarios between applications with multiple participants in a networked environment, such as video conferencing, online transactions and online games; such applications can be regarded as group communication applications for an open network environment.
As far as the inventors know, the group key in a quantum cryptography network is obtained through key relay between quantum cryptography network nodes. When applying quantum cryptography network group keys, current technology often considers only the application and does not consider the path cost of group key distribution.
In addition, current quantum cryptography networks have developed from the metropolitan area network to the wide area network scale. Compared with group key distribution within a metropolitan area network, group key distribution between metropolitan area networks occupies a path cost of a larger order of magnitude, so when the number of group members is large, planning of the group key distribution path between metropolitan area networks should be considered first; current group key application and distribution schemes have not yet considered this problem.
Summary of the invention
In order to solve the above problems, the present invention proposes a distributed wide-area quantum cryptography network group key distribution method and system. The present invention uses distributed routing calculation to determine, in turn, the best path between the nodes and thereby construct the shortest or a shorter total path, so that, on the basis of completing distribution of the group key to all members, the path cost of group key distribution is minimal or reduced.
According to some embodiments, the present invention adopts the following technical solution:
A distributed wide-area quantum cryptography network group key distribution method, comprising the following steps:
obtaining the routing graph of the quantum cryptography network for the current routing period;
grouping the group nodes according to the metropolitan area network in which they are located, selecting one group node in each group as the group management node, and the group management node obtaining the information of the other group management nodes and of the group nodes in its own group;
each group management node, according to the routing graph and with the goal that the total group key distribution path is smaller than a set threshold, calculating the wide-area routing spanning tree of all group management nodes and the metropolitan-area routing spanning tree of each group of group nodes;
passing the group key layer by layer, first according to the wide-area routing spanning tree and then according to the metropolitan-area routing spanning trees, until all nodes of all metropolitan-area routing spanning trees have obtained the group key.
As an optional implementation, the node information is a node ID.
As an optional implementation, when obtaining the routing graph of the quantum cryptography network for the current routing period, it is confirmed whether there is information on group nodes that have newly joined or exited the group communication, where a group node is the quantum cryptography network node at which a group member participating in the group communication is located; if so, the routing graph of the quantum cryptography network is updated according to that information.
As an optional implementation, if the group members participating in the group communication do not change within the routing period, the group management nodes do not need to be reselected, and each group management node does not need to recalculate and update the wide-area routing spanning tree.
As an optional implementation, if the group nodes participating in the group communication in a certain metropolitan area network do not change within the routing period, the group management node of that metropolitan area network does not need to be reselected, and each group node of that metropolitan area network does not need to recalculate and update the metropolitan-area routing spanning tree of that metropolitan area network.
As an optional embodiment, computing the wide-area routing spanning tree over all group management nodes comprises:
determining the root of the wide-area routing spanning tree: for each group management node, compute the sum of its shortest key-relay paths to all other group management nodes, and take a group management node whose path sum is below a set value as the root of the wide-area routing spanning tree;
taking all group management nodes other than the determined root as a first set, and the nodes already in the wide-area routing spanning tree as a second set;
finding, in the first set, those nodes whose distance to a node of the second set is smallest, or below a preset value, making them lower-layer (child) nodes of that node, adding the edge joining each such child to its upper-layer (parent) node to a third set, adding the child nodes to the second set and deleting them from the first set;
repeating until the first set is empty.
As an optional embodiment, computing the metropolitan routing spanning tree comprises:
taking the group management node of the group as the root;
taking all metropolitan group nodes other than the determined root as a first set, and the nodes already in the metropolitan routing spanning tree as a second set;
finding, in the first set, those nodes whose distance to a node of the second set is smallest, or below a preset value, making them lower-layer (child) nodes of that node, adding the edge joining each such child to its upper-layer (parent) node to a third set, adding the child nodes to the second set and deleting them from the first set;
repeating until the first set is empty.
As an optional embodiment, passing the group key layer by layer along the wide-area routing spanning tree comprises: distribution of the group key starts at the root of the wide-area routing spanning tree; the group node at the root chooses a true random number as the group key, stores it, and relays it to each child of the root;
each node of the wide-area routing spanning tree receives the group key relayed by its parent and stores it; if the node has children, it relays the group key to each of them, until every node of the wide-area routing spanning tree holds the group key.
As an optional embodiment, passing the group key layer by layer along the metropolitan routing spanning tree comprises: after each group management node receives the group key, if it has children as the root of its metropolitan routing spanning tree, it relays the group key to each child;
each node of the metropolitan routing spanning tree receives the group key relayed by its parent and stores it; if the node has children, it relays the group key to each of them, until every node of the metropolitan routing spanning tree holds the group key.
As an optional embodiment, if several group key distribution paths exist whose total path length is below the set threshold, the group key is distributed over multiple lines in parallel.
A distributed wide-area quantum cryptography network group key distribution system, comprising:
a group communication authentication server, configured to handle registration, login authentication and logout of the group members taking part in the group communication; in each routing period, to group the group nodes by the metropolitan area network they belong to and determine a group management node for each group; and to send to each group management node the information of all group management nodes and the information of all group nodes in that group management node's own group;
group management nodes, acting as the transit point for the group key between the wide-area network and the metropolitan area network, each configured to forward the information of all metropolitan group nodes of its metropolitan area network to the metropolitan group nodes of its group; to compute, from the routing graph and with the objective that the total group key distribution path stays below a set threshold, the wide-area routing spanning tree over all group management nodes and the metropolitan routing spanning tree of its group; and to pass the group key layer by layer, first along the wide-area routing spanning tree and then along the metropolitan routing spanning tree;
metropolitan group nodes, each configured to obtain the group key from the group management node of its metropolitan area network.
Compared with the prior art, the beneficial effects of the present invention are:
The invention splits group key distribution into two processes, group key distribution among the group management nodes and group key distribution to the metropolitan group nodes. Distribution among the group management nodes is performed first and plans the best path for carrying the group key between metropolitan area networks, which prevents the group key from being relayed between metropolitan area networks more than once and thereby raising the cost of group key distribution.
The invention groups the group nodes by the metropolitan area network they belong to; the group communication authentication server communicates only with the group management node of each metropolitan area network, and the group management node in turn communicates with the group nodes of its group, which lowers the communication complexity of group key distribution.
The wide-area group key distribution route of the invention only has to consider the routing spanning tree of the group management nodes, which lowers the complexity of computing the wide-area group key distribution route; moreover, when computing the wide-area routing spanning tree, a wide-area routing node located at the centre of the network is chosen as the root from which group key distribution starts, which helps raise the speed of group key distribution and lower the key-relay path cost of group key distribution.
The invention computes the wide-area routing spanning tree over all group management nodes and the metropolitan routing spanning tree of each group with the objective that the total group key distribution path stays below a set threshold, so that multi-line parallel distribution forms readily during group key distribution, which raises the speed of group key distribution.
In the invention each group management node computes the wide-area route of the group key itself, and each group node computes the metropolitan route of its own metropolitan area network itself; this distributed route computation reduces dependence on a central node.
To make the above objects, features and advantages of the present invention clearer and easier to understand, preferred embodiments are described in detail below with reference to the accompanying drawings.
Description of drawings
The accompanying drawings, which form a part of the present invention, are provided for further understanding of the invention; the exemplary embodiments of the invention and their description serve to explain the invention and do not constitute an improper limitation of it.
FIG. 1 is a system structure diagram of Embodiment 1;
FIG. 2 is a schematic diagram of the group key distribution flow of Embodiment 2.
Detailed description:
The present invention is further described below with reference to the accompanying drawings and embodiments.
It should be noted that the following detailed description is exemplary and intended to provide further explanation of the invention. Unless otherwise indicated, all technical and scientific terms used herein have the meaning commonly understood by one of ordinary skill in the art to which the invention belongs.
It should also be noted that the terminology used herein serves only to describe specific embodiments and is not intended to limit the exemplary embodiments of the invention. As used herein, unless the context clearly indicates otherwise, the singular form is intended to include the plural as well; furthermore, when the terms "comprising" and/or "including" are used in this specification, they indicate the presence of the stated features, steps, operations, devices, components and/or combinations thereof.
As stated in the background, a group key is relayed between the nodes of a quantum cryptography network, and the longer the relay path, the higher the cost of generating the relay keys. Current group key distribution techniques do not consider the path cost of group key distribution and do not use the best path for it, which raises the path cost of group key distribution and hence the cost of group-key-encrypted communication.
To solve this problem, the present invention provides a distributed wide-area quantum cryptography network group key distribution method and system, described in detail below through different embodiments.
Embodiment 1:
A distributed wide-area quantum cryptography network group key distribution system, as shown in FIG. 1, comprises a group communication authentication server, group management nodes and metropolitan group nodes, whose functions are as follows:
The group communication authentication server is responsible for registration, login authentication and logout of the group members taking part in the group communication. In each routing period it groups the quantum cryptography network nodes at which the participating group members are located (hereinafter group nodes) by the metropolitan area network each group node belongs to, selects one group node of each group as the group management node, and sends to each group management node the IDs of all group management nodes and the IDs of all group nodes in that group management node's group.
Group management node: every metropolitan area network that contains group nodes has one group management node; the group communication authentication server selects one group node from each such metropolitan area network as its group management node. The group management node is the routing node of wide-area group key distribution and the transit point for the group key between the wide-area network and the metropolitan area network; it is also responsible for forwarding the IDs of all metropolitan group nodes of its metropolitan area network to those metropolitan group nodes.
In other embodiments the node ID may of course be replaced by other node information, or other node-related information may be sent together with the forwarded node ID.
A metropolitan group node is the quantum cryptography network node at which a group member of the group communication is located; it obtains the group key through the group management node of its metropolitan area network.
Embodiment 2:
Based on the system of Embodiment 1, a distributed wide-area quantum cryptography network group key distribution method is provided; its flow is shown in FIG. 2. Wide-area quantum cryptography network group key distribution is divided into two processes: group key distribution among the group management nodes and group key distribution to the metropolitan group nodes.
The group key distribution process among the group management nodes is as follows:
In each routing period, the group communication authentication server groups the group nodes taking part in the group communication by the metropolitan area network they belong to and selects one group node of each group as the group management node. It sends the IDs of all group management nodes to every group management node and, at the same time, sends the IDs of all group nodes of each group to that group's group management node.
Each group management node receives from the group communication authentication server the IDs of all group management nodes and the IDs of all group nodes in the metropolitan area network of its group. Each group management node then computes the wide-area routing spanning tree over all group management nodes from the routing graph of the wide-area quantum cryptography network.
Specifically, the wide-area routing spanning tree may be computed as follows:
A. First determine the root of the wide-area routing spanning tree: compute, for each group management node, the sum of its shortest key-relay paths to all other group management nodes; in this embodiment the group node S with the smallest sum is taken as the root of the wide-area routing spanning tree;
B. Denote the set of all group management nodes other than the root S by V, and the wide-area routing spanning tree by (U, T), where U is the set of tree nodes and T the set of edges joining them; initially U contains only the root S and T is empty;
C. Find the closest pair of nodes u and v with u ∈ U and v ∈ V (distance here meaning the length of the shortest key-relay path between the two nodes), add the edge (u, v) to T, add v to U, and delete v from V;
D. Repeat step C until V is empty.
In the distribution itself, the group key is distributed starting from the root of the wide-area routing spanning tree: the group node at the root chooses a true random number as the group key, stores it, and relays it to each child of the root. Each node of the wide-area routing spanning tree receives the group key relayed by its parent and stores it; if the node has children, it relays the group key to each of them, until every node of the wide-area routing spanning tree holds the group key.
In other embodiments the root may of course be determined differently, for instance by taking a node whose sum of shortest key-relay paths is below a set threshold as the root.
The group key distribution process to the metropolitan group nodes is as follows:
After receiving the IDs of all group nodes of its group, each group management node forwards them to every group node of the group. Every group node, the group management node included, computes the metropolitan routing spanning tree over all group nodes of the group from the routing graph of its own metropolitan area network, taking the group's group management node as the root.
The metropolitan routing spanning tree may be computed as follows:
(1) Denote the set of all metropolitan group nodes other than the root S by V, and the metropolitan routing spanning tree by (U, T), where U is the set of tree nodes and T the set of edges joining them; initially U contains only the root S and T is empty;
(2) Find the closest pair of nodes u and v with u ∈ U and v ∈ V (distance here meaning the length of the shortest key-relay path between the two nodes), add the edge (u, v) to T, add v to U, and delete v from V;
(3) Repeat step (2) until V is empty.
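Steps A to D for the wide-area tree and steps (1) to (3) for the metropolitan tree are the same procedure: Prim's minimum spanning tree algorithm run over the shortest key-relay distances between the member nodes, with the root either chosen by the path-sum rule (wide-area) or fixed to the group management node (metropolitan). The following Python is an added illustration of that procedure and is not code from the patent or its assignees; the routing graphs, node names and per-link relay costs are constructed for the example, and the cost unit is assumed to be whatever the routing graph reports per link.

```python
import heapq
from typing import Dict, Hashable, Iterable, Optional, Tuple

# Routing graph of one routing period: node -> {neighbour: key-relay cost of that link}.
Graph = Dict[Hashable, Dict[Hashable, int]]
# Spanning tree: child -> (parent, cost of the shortest key-relay path between them).
Tree = Dict[Hashable, Tuple[Hashable, int]]


def shortest_paths(graph: Graph, source: Hashable) -> Dict[Hashable, int]:
    """Dijkstra: cheapest key-relay path cost from `source` to every reachable node."""
    dist = {source: 0}
    heap = [(0, source)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue
        for v, w in graph.get(u, {}).items():
            nd = d + w
            if nd < dist.get(v, float("inf")):
                dist[v] = nd
                heapq.heappush(heap, (nd, v))
    return dist


def member_distances(graph: Graph, members: Iterable[Hashable]) -> Dict[Hashable, Dict[Hashable, int]]:
    """Pairwise shortest key-relay distances restricted to the member (group) nodes.
    Relay-only nodes may lie on the paths but never become tree nodes."""
    members = list(members)
    dist = {}
    for m in members:
        d = shortest_paths(graph, m)
        missing = [n for n in members if n not in d]
        if missing:
            raise ValueError(f"{m} has no key-relay path to {missing} in this routing period")
        dist[m] = {n: d[n] for n in members}
    return dist


def select_root(dist: Dict[Hashable, Dict[Hashable, int]]) -> Hashable:
    """Step A: the member with the smallest sum of shortest relay paths to all other
    members (the node nearest the network centre) becomes the root."""
    return min(dist, key=lambda m: (sum(dist[m].values()), str(m)))


def prim_spanning_tree(dist: Dict[Hashable, Dict[Hashable, int]], root: Hashable) -> Tree:
    """Steps B-D: U = tree nodes, V = remaining members. Repeatedly attach the pair
    (u in U, v in V) with the smallest relay distance until V is empty."""
    U, V, tree = {root}, set(dist) - {root}, {}
    while V:
        u, v = min(((u, v) for u in U for v in V),
                   key=lambda e: (dist[e[0]][e[1]], str(e[0]), str(e[1])))  # deterministic tie-break
        tree[v] = (u, dist[u][v])
        U.add(v)
        V.remove(v)
    return tree


def build_routing_tree(graph: Graph, members: Iterable[Hashable],
                       root: Optional[Hashable] = None) -> Tuple[Hashable, Tree]:
    """Wide-area tree: leave root=None and it is chosen by select_root.
    Metropolitan tree: pass the group management node of that MAN as root."""
    dist = member_distances(graph, members)
    if root is None:
        root = select_root(dist)
    elif root not in dist:
        raise ValueError(f"root {root} is not a member node")
    return root, prim_spanning_tree(dist, root)


def tree_cost(tree: Tree) -> int:
    """Total key-relay path cost of carrying one group key over every tree edge."""
    return sum(cost for _, cost in tree.values())


def tree_depth(tree: Tree, root: Hashable) -> int:
    """Number of sequential relay stages: the longest root-to-leaf chain."""
    depth = {root: 0}

    def d(n):
        if n not in depth:
            depth[n] = d(tree[n][0]) + 1
        return depth[n]
    return max((d(n) for n in tree), default=0)


# Constructed wide-area graph: A-D are group management nodes, r1-r3 are relay-only nodes.
WAN_GRAPH: Graph = {
    "A": {"r1": 2, "r2": 3}, "B": {"r1": 2, "r3": 6}, "C": {"r2": 4, "r3": 4}, "D": {"r3": 2},
    "r1": {"A": 2, "B": 2}, "r2": {"A": 3, "C": 4}, "r3": {"B": 6, "C": 4, "D": 2},
}
GM_NODES = ["A", "B", "C", "D"]

# Constructed metropolitan graph of the MAN whose group management node is B; sw is a relay-only node.
MAN_GRAPH: Graph = {
    "B": {"b1": 1, "sw": 1}, "b1": {"B": 1}, "sw": {"B": 1, "b2": 1, "b3": 1},
    "b2": {"sw": 1, "b3": 3}, "b3": {"sw": 1, "b2": 3},
}
MAN_B_NODES = ["B", "b1", "b2", "b3"]

if __name__ == "__main__":
    root, wan = build_routing_tree(WAN_GRAPH, GM_NODES)
    print("WAN root", root, "tree", wan, "cost", tree_cost(wan), "stages", tree_depth(wan, root))
    _, man = build_routing_tree(MAN_GRAPH, MAN_B_NODES, root="B")
    print("MAN(B) tree", man, "cost", tree_cost(man), "stages", tree_depth(man, "B"))
```

On the constructed wide-area graph the path sums are A 23, B 22, C 23, D 26, so B becomes the root and the tree is A under B, C under A, D under C. One point to keep in mind when reading the benefit claimed for a central root: Prim's procedure returns a minimum spanning tree from whichever node it starts, so the total edge cost of the tree (17 here) is the same for every root; what the root choice changes is the depth of the tree, that is the number of sequential relay stages, and the root-to-node path lengths.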
After each group management node receives the group key, if it has children as the root of its metropolitan routing spanning tree, it relays the group key to each child.
Each node of the metropolitan routing spanning tree receives the group key relayed by its parent and stores it; if the node has children, it relays the group key to each of them, until every node of the metropolitan routing spanning tree holds the group key.
If the group members taking part in the group communication do not change within a routing period, the group communication authentication server need not reselect the group management nodes, and no group management node needs to recompute or update the wide-area routing spanning tree.
If the group nodes taking part in the group communication within a given metropolitan area network do not change within a routing period, the group communication authentication server need not reselect that metropolitan area network's group management node, and no group node of that metropolitan area network needs to recompute or update its metropolitan routing spanning tree.
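The two-level, layer-by-layer relay described in this embodiment can be exercised end to end with the following Python, an added example that is not code from the patent or its assignees. It assumes the wide-area and metropolitan trees have already been computed and stores each tree edge as the hop-by-hop relay path it resolves to; the node names, paths and 32-byte key length are constructed for the example. Each hop is modelled as the usual trusted-node key relay, one-time-padding the key with the link key shared by the two ends of that hop, which is what makes the relay cost grow with path length.

```python
import secrets
from typing import Dict, List, Set, Tuple

KEY_LEN = 32  # group key length in bytes (assumption for the example)

# A relay tree is stored as parent -> {child: hop-by-hop path from parent to child}.
# path[0] is the parent and path[-1] the child; nodes in between are relay-only nodes
# on the shortest key-relay path and are not group nodes themselves.
RelayTree = Dict[str, Dict[str, List[str]]]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class LinkKeyPool:
    """Stands in for the key generated by QKD on each physical link. Both ends of a link
    share the same key material; every relay hop consumes len(key) bytes of it."""

    def __init__(self) -> None:
        self.consumed: Dict[frozenset, int] = {}

    def take(self, a: str, b: str, n: int) -> bytes:
        link = frozenset((a, b))
        self.consumed[link] = self.consumed.get(link, 0) + n
        return secrets.token_bytes(n)  # fresh link key, assumed pre-established by QKD on (a, b)

    def total(self) -> int:
        return sum(self.consumed.values())


def relay_key(key: bytes, path: List[str], pool: LinkKeyPool, holders: Set[str]) -> bytes:
    """Trusted-node relay of `key` along `path`: each hop one-time-pads the key with the
    link key and the next node strips it, so every node on the path holds the key in clear."""
    holders.add(path[0])
    for a, b in zip(path, path[1:]):
        k = pool.take(a, b, len(key))
        ciphertext = xor_bytes(key, k)   # what crosses the link a -> b
        key = xor_bytes(ciphertext, k)   # what b recovers with its copy of the link key
        holders.add(b)
    return key


def distribute_over_tree(tree: RelayTree, root: str, key: bytes, pool: LinkKeyPool,
                         holders: Set[str], first_stage: int) -> Tuple[Dict[str, bytes], Dict[str, int]]:
    """Layer-by-layer relay: every node stores the key it received and forwards it to each
    child; the children of one parent are served in parallel, so stage grows with depth."""
    keys, stage = {root: key}, {root: first_stage}
    frontier = [root]
    while frontier:
        nxt = []
        for parent in frontier:
            for child, path in tree.get(parent, {}).items():
                if path[0] != parent or path[-1] != child:
                    raise ValueError(f"path for {parent}->{child} does not join the two nodes")
                keys[child] = relay_key(keys[parent], path, pool, holders)
                stage[child] = stage[parent] + 1
                nxt.append(child)
        frontier = nxt
    return keys, stage


def distribute_group_key(wan_tree: RelayTree, wan_root: str, man_trees: Dict[str, RelayTree]):
    """Two-level distribution: the wide-area tree among group management nodes first, then
    each management node relays down its own metropolitan tree. Returns per-node keys,
    per-node stage, the link-key pool and every node that handled the key in clear."""
    pool, holders = LinkKeyPool(), set()
    group_key = secrets.token_bytes(KEY_LEN)  # true random number chosen by the root
    keys, stage = distribute_over_tree(wan_tree, wan_root, group_key, pool, holders, 0)
    for gm, tree in man_trees.items():
        if gm not in keys:
            raise ValueError(f"group management node {gm} never received the group key")
        man_keys, man_stage = distribute_over_tree(tree, gm, keys[gm], pool, holders, stage[gm])
        keys.update(man_keys)
        stage.update(man_stage)
    return keys, stage, pool, holders


# Constructed trees (assumed output of the spanning-tree step): B is the wide-area root.
WAN_TREE: RelayTree = {"B": {"A": ["B", "r1", "A"], "D": ["B", "r3", "D"]},
                       "A": {"C": ["A", "r2", "C"]}}
MAN_TREES: Dict[str, RelayTree] = {
    "A": {"A": {"a1": ["A", "a1"]}},
    "B": {"B": {"b1": ["B", "b1"], "b2": ["B", "sw", "b2"]}},
    "C": {},  # C is the only group node of its MAN
    "D": {"D": {"d1": ["D", "d1"]}},
}

if __name__ == "__main__":
    keys, stage, pool, holders = distribute_group_key(WAN_TREE, "B", MAN_TREES)
    print("all nodes share one key:", len(set(keys.values())) == 1)
    print("stages:", stage)
    print("link key consumed (bytes):", pool.total(), "nodes that saw the key:", sorted(holders))
```

Two properties fall out of the simulation that are worth checking on a real deployment: the link key consumed equals the number of hops over all tree paths times the key length (11 hops, 352 bytes here), so the path cost minimised in the spanning-tree step is exactly this consumption; and every node on every path, including the relay-only nodes r1, r2, r3 and sw, holds the group key in clear while forwarding it, so those nodes must be trusted as much as the group nodes themselves.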
Those skilled in the art will appreciate that embodiments of the present invention may be provided as a method, a system or a computer program product. Accordingly, the invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the invention may take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM and optical storage) containing computer-usable program code.
The invention is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flowcharts and/or block diagrams, and combinations thereof, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, special-purpose computer, embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by that processor produce means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means that implement the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device so that a series of operational steps is performed on it to produce a computer-implemented process, such that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
The above are only preferred embodiments of the present invention and do not limit it; those skilled in the art may make various modifications and variations to the invention. Any modification, equivalent replacement or improvement made within the spirit and principles of the invention shall fall within its scope of protection.
Although specific embodiments of the present invention have been described above with reference to the accompanying drawings, they do not limit its scope of protection. Those skilled in the art should understand that the various modifications or variations that can be made on the basis of the technical solution of the invention without inventive effort still fall within its scope of protection.

Claims (11)

  1. A distributed wide-area quantum cryptography network group key distribution method, characterized by comprising the following steps:
    obtaining the routing graph of the quantum cryptography network for the current routing period;
    grouping the group nodes by the metropolitan area network they belong to and selecting one group node of each group as the group management node, which obtains the information of the other group management nodes and of the group nodes of its own group;
    each group management node computing, from the routing graph and with the objective that the total group key distribution path stays below a set threshold, the wide-area routing spanning tree over all group management nodes and the metropolitan routing spanning tree of each group;
    passing the group key layer by layer, first along the wide-area routing spanning tree and then along the metropolitan routing spanning trees, until every node of every metropolitan routing spanning tree holds the group key.
  2. The distributed wide-area quantum cryptography network group key distribution method of claim 1, characterized in that: when obtaining the routing graph of the quantum cryptography network for the current routing period, it is checked whether there is information on group nodes newly joining or leaving the group communication, a group node being the quantum cryptography network node at which a group member taking part in the group communication is located, and if so the routing graph of the quantum cryptography network is updated according to that information.
  3. The distributed wide-area quantum cryptography network group key distribution method of claim 2, characterized in that: if the group members taking part in the group communication do not change within a routing period, the group management nodes need not be reselected, and no group management node needs to recompute or update the wide-area routing spanning tree.
  4. The distributed wide-area quantum cryptography network group key distribution method of claim 2, characterized in that: if the group nodes taking part in the group communication within a given metropolitan area network do not change within a routing period, the group management node of that metropolitan area network need not be reselected, and no group node of that metropolitan area network needs to recompute or update its metropolitan routing spanning tree.
  5. The distributed wide-area quantum cryptography network group key distribution method of claim 1, characterized in that: the node information is a node ID.
  6. The distributed wide-area quantum cryptography network group key distribution method of claim 1, characterized in that computing the wide-area routing spanning tree over all group management nodes comprises:
    determining the root of the wide-area routing spanning tree: for each group management node, compute the sum of its shortest key-relay paths to all other group management nodes, and take a group management node whose path sum is below a set value as the root of the wide-area routing spanning tree;
    taking all group management nodes other than the determined root as a first set, and the nodes already in the wide-area routing spanning tree as a second set;
    finding, in the first set, those nodes whose distance to a node of the second set is smallest, or below a preset value, making them lower-layer (child) nodes of that node, adding the edge joining each such child to its upper-layer (parent) node to a third set, adding the child nodes to the second set and deleting them from the first set;
    repeating until the first set is empty.
  7. The distributed wide-area quantum cryptography network group key distribution method of claim 1, characterized in that computing the metropolitan routing spanning tree comprises:
    taking the group management node of the group as the root;
    taking all metropolitan group nodes other than the determined root as a first set, and the nodes already in the metropolitan routing spanning tree as a second set;
    finding, in the first set, those nodes whose distance to a node of the second set is smallest, or below a preset value, making them lower-layer (child) nodes of that node, adding the edge joining each such child to its upper-layer (parent) node to a third set, adding the child nodes to the second set and deleting them from the first set;
    repeating until the first set is empty.
  8. 如权利要求1所述的一种分布式广域量子密码网络组密钥分发方法,其特征是:按照广域路由生成树,逐层传递组密钥的具体过程包括:组密钥的分发由广域路由生成树的根节点开始,根节点所在的组节点选择一个真随机数作为组密钥,保存组密钥,将组密钥中继到每一个根节点的子节点;The method for distributing group keys in a distributed wide-area quantum cryptography network according to claim 1, characterized in that: according to the wide-area routing spanning tree, the specific process of transmitting the group key layer by layer comprises: the distribution of the group key by Starting from the root node of the WAN spanning tree, the group node where the root node is located selects a true random number as the group key, saves the group key, and relays the group key to the child nodes of each root node;
    每一个广域路由生成树的节点收到其父节点中继的组密钥,保存组密钥,如果该节点存在子节点,则将组密钥中继到每一个子节点上,直到所有广域路由生成树的所有节点均获得组密钥为止。Each WAN node of the spanning tree receives the group key relayed by its parent node, saves the group key, and if the node has child nodes, relays the group key to each child node until all the until all nodes of the domain routing spanning tree have obtained the group key.
  9. The distributed wide-area quantum cryptography network group key distribution method according to claim 1, characterized in that the specific process of passing the group key layer by layer according to the metropolitan-area routing spanning tree comprises: after each group management node receives the group key, if it, as the root node of the metropolitan-area routing spanning tree it belongs to, has child nodes, it relays the group key to each child node;
    after each node of the metropolitan-area routing spanning tree receives the group key relayed by its parent node, it saves the group key; if the node has child nodes, it relays the group key to each of the node's child nodes, until every node of the metropolitan-area routing spanning tree has obtained the group key.
  10. The distributed wide-area quantum cryptography network group key distribution method according to claim 1, characterized in that, if there are multiple group key distribution paths whose total path length is less than the set threshold, the group key is distributed in parallel over multiple lines.
  11. A distributed wide-area quantum cryptography network group key distribution system, characterized by comprising:
    a group communication authentication server, configured to perform registration, login authentication and exit management of the group members participating in group communication; in each routing cycle, to group the group nodes according to the metropolitan-area network in which they are located, to determine the group management node of each group, and to send to each group management node the information of all group management nodes and the information of all group nodes in the group to which that group management node belongs;
    a group management node, acting as the relay point for the group key between the wide-area network and the metropolitan-area network, configured to forward to the metropolitan-area group nodes of its group the information of all metropolitan-area group nodes of the metropolitan-area network in which it is located, and, according to the routing map, with the goal that the total group key distribution path is less than the set threshold, to compute the wide-area routing spanning tree over all group management nodes and the metropolitan-area routing spanning tree of each group's nodes, and to pass the group key layer by layer according to the wide-area routing spanning tree and then the metropolitan-area routing spanning tree;
    a metropolitan-area group node, configured to obtain the group key from the group management node of the metropolitan-area network in which it is located.
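The following is an added worked example, not code from the patent or its applicants, showing the three mechanisms the claims describe: the set-based spanning tree construction of claim 7 (first set = nodes not yet in the tree, second set = tree nodes, third set = tree edges), the layer-by-layer relay of claims 8 and 9 over a wide-area tree of group management nodes and then a metro tree per metropolitan network, and the total-path threshold of claims 10 and 11. The graphs, node names (M1..M4, a1, a2, c1), edge distances, `preset` and `threshold` values are all constructed for illustration; a CSPRNG stands in for the true random number source.

```python
"""Added example (not from the patent): claim 7 tree construction,
claims 8/9 layer-by-layer relay, claims 10/11 total-path threshold check.
All graphs, node names and numeric values below are constructed."""
import secrets
from collections import deque


def build_spanning_tree(graph, root, preset=None):
    """Claim 7 style construction over an undirected weighted graph.

    graph  : {node: {neighbour: distance}}  (constructed; symmetric)
    first  : nodes not yet in the tree
    second : nodes already in the tree
    third  : tree edges (parent, child)
    Each round, every first-set node whose distance to a tree node is the
    minimum for that tree node, or at most `preset`, becomes its child.
    Returns (children map, edge list in attachment order).
    """
    first, second, third = set(graph) - {root}, {root}, []
    children = {n: [] for n in graph}
    while first:
        attach = {}  # candidate child -> (distance, parent); keep the closest
        for p in sorted(second):
            nbrs = [(d, u) for u, d in graph[p].items() if u in first]
            if not nbrs:
                continue
            dmin = min(d for d, _ in nbrs)
            for d, u in nbrs:
                if d == dmin or (preset is not None and d <= preset):
                    if u not in attach or (d, p) < attach[u]:
                        attach[u] = (d, p)
        if not attach:  # no tree node touches the remaining nodes
            raise ValueError("graph not connected: %s unreachable" % sorted(first))
        for u, (_, p) in sorted(attach.items()):
            third.append((p, u))
            children[p].append(u)
            second.add(u)
            first.discard(u)
    return children, third


def relay_group_key(children, root, key):
    """Claims 8/9: the root holds the key; every node saves the key relayed
    by its parent and relays it to each of its own children, layer by layer."""
    received = {root: key}
    queue = deque([root])
    while queue:
        n = queue.popleft()
        for c in children[n]:
            received[c] = received[n]  # child saves what its parent relayed
            queue.append(c)
    return received


def path_costs(graph, children, root):
    """Total path (sum of edge distances from the root) of every tree node."""
    cost = {root: 0}
    queue = deque([root])
    while queue:
        n = queue.popleft()
        for c in children[n]:
            cost[c] = cost[n] + graph[n][c]
            queue.append(c)
    return cost


def distribute_group_key(wan_graph, metro_graphs, root_manager, threshold, preset=None):
    """Two-level flow of claims 8, 9 and 11: a wide-area tree over the group
    management nodes, then one metro tree per metropolitan network rooted at
    its group management node. The routing goal is a total path below
    `threshold`; trees that miss it are rejected here."""
    key = secrets.token_bytes(32)  # stands in for the true random number
    wan_children, _ = build_spanning_tree(wan_graph, root_manager, preset)
    holders = relay_group_key(wan_children, root_manager, key)
    costs = path_costs(wan_graph, wan_children, root_manager)
    for manager, mgraph in metro_graphs.items():
        m_children, _ = build_spanning_tree(mgraph, manager, preset)
        holders.update(relay_group_key(m_children, manager, key))
        for node, c in path_costs(mgraph, m_children, manager).items():
            costs[node] = costs[manager] + c  # metro hops add to the WAN path
    too_far = sorted(n for n, c in costs.items() if c >= threshold)
    if too_far:
        raise ValueError("total path >= threshold for %s" % too_far)
    return key, holders, costs


# Constructed topology: M1..M4 are group management nodes (wide-area layer);
# a1, a2 sit in M1's metropolitan network and c1 in M3's.
WAN = {
    "M1": {"M2": 3, "M3": 5},
    "M2": {"M1": 3, "M3": 1, "M4": 4},
    "M3": {"M1": 5, "M2": 1, "M4": 2},
    "M4": {"M2": 4, "M3": 2},
}
METRO = {
    "M1": {"M1": {"a1": 1, "a2": 2}, "a1": {"M1": 1, "a2": 1}, "a2": {"M1": 2, "a1": 1}},
    "M3": {"M3": {"c1": 1}, "c1": {"M3": 1}},
}

if __name__ == "__main__":
    key, holders, costs = distribute_group_key(WAN, METRO, "M1", threshold=10)
    print(key.hex(), sorted(holders), costs)
```

With `preset=None` only the closest neighbour of each tree node is attached per round, so the constructed WAN yields the chain M1-M2-M3-M4 with a total path of 6 to M4; with `preset=4` the "below a preset value" branch also attaches M4 directly under M2 in the second round, giving a shallower tree whose path to M4 is 7. Lowering `threshold` to 6 makes the distribution fail, which is the check a group management node would apply before relaying.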
PCT/CN2021/117784 2020-12-28 2021-09-10 Distributed wide area quantum cryptography network group key distribution method and system WO2022142461A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202011587019.2A CN114697005B (en) 2020-12-28 Distributed wide area quantum cryptography network group key distribution method and system
CN202011587019.2 2020-12-28

Publications (1)

Publication Number Publication Date
WO2022142461A1 true WO2022142461A1 (en) 2022-07-07

Family

ID=82129833

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2021/117784 WO2022142461A1 (en) 2020-12-28 2021-09-10 Distributed wide area quantum cryptography network group key distribution method and system

Country Status (1)

Country Link
WO (1) WO2022142461A1 (en)

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1747446A (en) * 2005-10-21 2006-03-15 清华大学 Application layer group broadcasting method with integrated type and distributed type combination
CN103001875A (en) * 2013-01-07 2013-03-27 山东量子科学技术研究院有限公司 Quantum cryptography network dynamic routing method
CN103023781A (en) * 2012-12-13 2013-04-03 清华大学 Shortest path tree and spanning tree combined energy-saving routing method
CN104202772A (en) * 2014-09-09 2014-12-10 河海大学常州校区 Mobile Sink data collection method applied to wireless sensor network and used for node internal-memory resource sharing
CN104579964A (en) * 2013-01-07 2015-04-29 山东量子科学技术研究院有限公司 Dynamic route architecture system for quantum cryptography network
CN108270557A (en) * 2016-12-30 2018-07-10 科大国盾量子技术股份有限公司 A kind of backbone system and its trunking method based on quantum communications
CN109660337A (en) * 2017-12-29 2019-04-19 华南师范大学 A kind of communications network system and its cryptographic key distribution method that quantum is merged with classics
CN109962773A (en) * 2017-12-22 2019-07-02 山东量子科学技术研究院有限公司 Wide area quantum cryptography networks data encryption method for routing
CN109962774A (en) * 2017-12-22 2019-07-02 山东量子科学技术研究院有限公司 Quantum cryptography networks key relays dynamic routing method
CN110086713A (en) * 2019-04-17 2019-08-02 北京邮电大学 It is a kind of to divide domain method for routing for wide area quantum key distribution network
CN110446239A (en) * 2019-07-25 2019-11-12 汕头大学 A kind of wireless sensor network cluster-dividing method and system based on multiple magic square

Also Published As

Publication number Publication date
CN114697005A (en) 2022-07-01

Legal Events

Date Code Title Description
NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 21913208

Country of ref document: EP

Kind code of ref document: A1