CN110690928B - Quantum relay link virtualization method and device - Google Patents

Quantum relay link virtualization method and device

Info

Publication number: CN110690928B
Authority: CN (China)
Prior art keywords: target, node, virtual, relay, data
Legal status: Active
Application number: CN201910820367.0A
Other languages: Chinese (zh)
Other versions: CN110690928A (en)
Inventor: 陈晖
Current Assignee: Chengdu Liang'an Blockchain Technology Co ltd
Original Assignee: Chengdu Liang'an Blockchain Technology Co ltd

Events: application filed by Chengdu Liang'an Blockchain Technology Co ltd; priority to CN201910820367.0A; publication of CN110690928A; application granted; publication of CN110690928B; legal status active; anticipated expiration.
Classifications

H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE:

    • H04B TRANSMISSION > H04B10/00 Transmission systems employing electromagnetic waves other than radio-waves, e.g. infrared, visible or ultraviolet light, or employing corpuscular radiation, e.g. quantum communication
        • H04B10/70 Photonic quantum communication
        • H04B10/29 Repeaters
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols > H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords > H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
        • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
        • H04L9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
        • H04L9/085 Secret sharing or secret splitting, e.g. threshold schemes
        • H04L9/0852 Quantum cryptography
        • H04L9/0855 Quantum cryptography involving additional nodes, e.g. quantum relays, repeaters, intermediate nodes or remote nodes

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • Electromagnetism (AREA)
  • Optics & Photonics (AREA)
  • Theoretical Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a quantum relay link virtualization method comprising the following steps: selecting the target relay nodes associated with one or more key relay links between n target service nodes in a target network, each node negotiating a shared key packet with each adjacent node; for each relay node associated with each key relay link, selecting the two corresponding shared key packets, calculating their XOR value and sending it to a target receiver; the target receiver XORs the values sent by all the relay nodes, records the result as a virtual link state, and stores, outputs, or stores and outputs that state. The invention also provides a quantum relay link virtualization device. The invention addresses problems of quantum networks such as concurrency conflicts between quantum links at scale and the large delay of quantum relay links, can be widely used for virtual quantum link services, and has good prospects for application and popularization.

Description

Quantum relay link virtualization method and device
Technical Field
The invention relates to the technical field of quantum communication relay link networks and application thereof, in particular to a quantum relay link virtualization method and device.
Background
A quantum node in a quantum communication network generally consists of a classical communication terminal connected to a classical communication network and a quantum device terminal connected to a Quantum Key Distribution (QKD) network. In classical communication, channel loss is overcome with amplifiers, but quantum communication cannot directly adopt the classical "recover and amplify" relay mode because of the no-cloning property of quantum signals. Since quantum channel attenuation grows with transmission distance, once the distance between transmitter and receiver exceeds the effective transmission distance it becomes difficult to generate a practically usable quantum key. The effective transmission distance of point-to-point QKD is therefore limited. Because practical "non-landing" quantum relay technology (relaying without converting the quantum signal to classical data at intermediate nodes) is not yet available, quantum trusted relay technology is typically employed in QKD networks. However, this relay mode suffers from concurrency conflicts between quantum links at scale, large trusted-relay delay, and difficult trusted security management of the relay nodes. Solving these problems is of great practical significance for the application and popularization of quantum communication networks.
Disclosure of Invention
In order to solve the technical problems of quantum communication networks described in the background, the invention provides a quantum relay link virtualization method and a quantum relay link virtualization device. The method comprises the following steps: selecting the target relay nodes associated with N key relay links between n target service nodes in the target network (where n is an integer greater than 1, N is an integer greater than 0 and not greater than C(n,2), and C(n,2) is the number of ways of choosing 2 of the n nodes); each target service node and each target relay node negotiates one or more shared key groups with each adjacent target node; for each of the N key relay links, each target relay node associated with that link selects the two corresponding shared key groups, calculates their exclusive-or value and transmits it to a target receiver (for convenience, this exclusive-or value is hereinafter referred to as virtual node routing state data), while the two target service nodes associated with that link each securely store their corresponding shared key group; the target receiver performs an exclusive-or over the virtual node routing state data sent by all the target relay nodes, creates a link identifier for the result (for convenience, the identifier is hereinafter referred to as the virtual link state identifier, the exclusive-or result as virtual link state data, and the result together with its identifier as the virtual link state), and stores, outputs, or stores and outputs the virtual link state; the two target service nodes each securely store the corresponding shared key group, which has the same global identifier as, or a one-to-one association with, the virtual link state data. Here the target nodes comprise the target service nodes and the target relay nodes, and the virtual link state identifier comprises a global identifier and the identifiers of the associated service nodes.
Optionally, the method further includes: the target relay node destroys all the shared key groups it used once all the virtual link state data they participate in has been computed; or, the target relay node destroys each shared key group as soon as all the virtual node routing state data in which that group participates has been computed.
Optionally, the method further includes: for a virtual link state between two target service nodes, the two target service nodes each generate a random number packet; one of them calculates the exclusive-or value (for convenience, denoted a) of its shared key group associated with the virtual link state and its random number packet, and the other calculates the exclusive-or value (denoted b) of its shared key group associated with the virtual link state and its random number packet; the two nodes transmit a and b respectively to the target receiver and each securely store their random number packet as the corresponding shared key group; the target receiver performs an exclusive-or of the corresponding virtual link state data with a and b and creates a virtual link state identifier for the result. The random number packet has the same data format as the shared key group and has the same global identifier as, or a one-to-one correspondence with, the virtual link state.
Optionally, the method further includes verifying the correctness of the virtual link state, as follows: one target service node calculates the exclusive-or value of its shared key group associated with the virtual link state and the virtual link state data, computes a data digest of that exclusive-or value (or of part of it) and transmits the digest to the other associated target service node; the other target service node computes the data digest of its own shared key group associated with the virtual link state (or of the same part of it); if the two digests are equal, the verification passes. Alternatively, the two target service nodes each send their digest to a third party, which compares them; if the two digests are equal, the correctness is verified.
Optionally, the method further includes either or both of the following: (1) before creating virtual node routing state data, a target node acquires a global identifier, either by determining the current global identifier from a virtualization instruction or by deriving it from the previous global identifier; (2) before creating virtual node routing state data, the target relay node and an adjacent target node confirm the negotiated shared key packet and the global identifier of the virtual node routing state data it will be used to create, and the target relay node and the adjacent target relay node each use that negotiated shared key packet to create virtual node routing state data with the same global identifier.
Optionally, the method further includes: each target node reports topology information of the target node to a network controller or a target receiver, wherein the topology information comprises: identification of the target node, link status between the target node and each neighboring target node.
Optionally, the method further includes: the network controller or the target receiver issues a virtualization instruction to each target node associated with the N key relay links, where the virtualization instruction indicates any one or more of the following: global identifier, data format of the shared key packet, data structure of the virtual node routing state, identifier of the target receiver, and data transmission mode. Alternatively, any one or more of the following are determined according to an established system policy: global identifier, data format of the shared key packet, data structure of the virtual node routing state, data structure of the virtual link network slice, identifier of the target receiver, and data transmission mode.
The invention also provides a quantum relay link virtualization device, which comprises but is not limited to: a quantum node device, a virtualization server device, to execute any one or more of the methods described above; the device comprises a software module, a hardware module or an integrated module of software and hardware.
Compared with the conventional QKD relay link network adopting quantum trusted relay technology, the method has the following innovations: the invention realizes the separation of quantum relay link service and the QKD network, does not need to coordinate QKD link resources in real time to carry out quantum key trusted relay, and can effectively solve the problems of concurrent conflict and trusted relay delay of the scale relay link in the QKD network; the quantum relay node does not need to store a quantum key, so that the safety management risk of the quantum relay node is reduced. Therefore, the invention has good application and popularization prospects in the field of quantum communication network scale application.
Drawings
Fig. 1 is a schematic diagram of a quantum relay link virtualization method according to an embodiment of the present invention;
fig. 2 is a schematic flowchart of a quantum relay link virtualization method according to an embodiment of the present invention;
fig. 3 is a schematic diagram of an application embodiment of a quantum relay link virtualization method according to an embodiment of the present invention;
fig. 4 is a schematic diagram illustrating a method for negotiating a shared key packet according to an embodiment of the present invention;
fig. 5 is a schematic diagram illustrating another method for negotiating a shared key packet according to an embodiment of the present invention;
fig. 6 is a schematic diagram of a shared key group identifier according to an embodiment of the present invention;
fig. 7 is a schematic diagram of another shared key group identifier provided in the embodiment of the present invention;
fig. 8 is a schematic diagram of a virtual node routing state identifier according to an embodiment of the present invention;
fig. 9 is a schematic diagram of a virtual node status identifier according to an embodiment of the present invention;
fig. 10 is a schematic diagram of a relay node application provided in the embodiment of the present invention;
fig. 11 is a schematic diagram of a virtual node routing state of a relay node according to an embodiment of the present invention;
fig. 12 is a schematic diagram illustrating a method for creating a cross-domain interworking virtual link network slice according to an embodiment of the present invention;
fig. 13 is a schematic diagram of a quantum relay link virtualization node apparatus according to an embodiment of the present invention;
fig. 14 is a schematic diagram of a quantum relay link virtualization server device according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention and some terms and meanings thereof will be described below.
(1) Target networks to which embodiments of the present invention are applicable include, but are not limited to, any of the following networks: quantum key distribution network, quantum communication network, quantum sensing network, quantum security internet, other networks which adopt a point-to-point single-hop landing forwarding mode for relay transmission; accordingly, the target nodes in embodiments of the present invention include, but are not limited to, any one or more of the following nodes: quantum relay nodes, quantum service nodes (or quantum access nodes), virtual quantum relay nodes, virtual quantum service nodes. The target node in the embodiment of the present invention is suitable for, but not limited to, a target node accessing a target network through an optical fiber interface and a wireless interface (or a free space interface).
(2) The quantum relay link virtualization in the embodiment of the invention is electronization or instantiation of the quantum relay link function, and data after electronization or instantiation can be used by separating from a physical network to which the data belongs.
(3) The relay node of the embodiment of the invention is a node used as a relay in a target network, or a node which has at least two adjacent nodes on one or more relay links and is used as a relay, wherein the relay node does not store a key which is negotiated between the relay node and the adjacent nodes and is used for function virtualization of the relay node; serving nodes (or access nodes) refer to other nodes in the target network that are not used for relaying or are not used directly for relaying (in some possible designs, serving nodes may be used for relaying through virtual nodes); in addition, for a specific embodiment of the present invention, the corresponding target network includes the relay node and the serving node included in the above embodiment.
(4) The communication channels involved in embodiments of the invention for quantum networks include quantum channels and conventional communication network channels, wherein conventional communication network channels are employed for other communication processes except that quantum key distribution between adjacent quantum nodes (an adjacent quantum node refers to two nodes capable of normal point-to-point QKD or quantum communication) requires occupation of the quantum channel or link, and include, but are not limited to, one or more of wired communication and wireless/mobile/satellite communication channels.
(5) The terms "virtual node routing status", "virtual node status", "virtual network status", "virtual link network status", etc. used in the embodiments of the present invention are only used to mark corresponding data or files, and are not used to limit corresponding data or files, and all schemes that are merely replacing names and have no substantive difference belong to the protection scope of the present invention.
(6) The shared key packet in the embodiment of the invention is shared data with a certain data length. Because different application systems have different requirements on the length of the shared key and the rate of the point-to-point QKD link has a certain difference, the invention does not specially limit the data length of the shared key packet; it is obvious that the data length refers to counting by the same data unit (e.g., bit, byte). In practice, the data length of the shared key packet (e.g., 2048 bits, 100 kbytes, 10 mbytes, 1 gbyte, or any other data length that meets the requirements of the system) may be determined according to the rate of encoding of the QKD system in actual use, the specific requirements of the application system, or future industry standard requirements. It should be clear that, for each virtualization process of the same embodiment, the shared key packets negotiated between all neighboring target nodes have the same data format (including but not limited to data type, data length, and data reading and writing order).
(7) The global identifier in the embodiment of the invention is a virtualization identifier which keeps all nodes in a target network consistent, that is, before virtual node routing state data is created, a target relay node and an adjacent target node confirm a negotiated shared key group and the global identifier of the virtual node routing state data used for creation, the target relay node and the adjacent target relay node respectively use the negotiated shared key group for creating virtual node routing state data or/and a virtual node state with the same global identifier, and the group identifier of the corresponding shared key group stored by the adjacent target service node is consistent with the global identifier; the global identifier may be used to distinguish different target networks, and may also be used to distinguish different embodiments in the target network; the global identifier may adopt a global number unified in the whole network, or may adopt an identifier combining the target network identifier and the global number.
In order to make the technical solutions and advantages of the present invention clearer, the present invention is described in detail below with reference to the accompanying drawings and specific embodiments.
Fig. 1 shows a quantum relay link virtualization method provided in an embodiment of the present invention, which includes the steps of:
S101: selecting the target relay nodes associated with N key relay links between n target service nodes in a target network (where n is an integer greater than 1, N is an integer greater than 0 and not greater than C(n,2), and C(n,2) is the number of ways of choosing 2 of the n nodes), each target service node and each target relay node negotiating one or more shared key packets with each of its neighbouring target nodes;
S102: for each of the N key relay links, each target relay node associated with that link selects its two corresponding shared key packets, calculates their exclusive-or value and sends it to a target receiver (for convenience, the exclusive-or value is hereinafter referred to as virtual node routing state data), and the two target service nodes associated with that link each securely store their corresponding shared key packet;
S103: the target receiver performs an exclusive-or over the virtual node routing state data sent by all the target relay nodes and creates a link identifier for the result (for convenience, the identifier is hereinafter referred to as the virtual link state identifier, the exclusive-or result as virtual link state data, and the result together with its identifier as the virtual link state); stores, outputs, or stores and outputs the virtual link state; the two target service nodes each securely store the corresponding shared key group, which has the same global identifier as, or a one-to-one association with, the virtual link state. The virtual link state identifier includes, but is not limited to: the global identifier and the identifiers of the associated service nodes.
Fig. 2 is a schematic flow chart of a quantum relay link virtualization method according to an embodiment of the present invention, which is further described below. The method comprises the following steps:
S201: selecting a key relay link, i.e. the network controller selects, in the target network, the target relay nodes associated with one or more key relay links connecting n target service nodes (where n is an integer greater than 1);
S202: issuing an instruction, i.e. the network controller issues a virtualization instruction to the target relay nodes associated with that key relay link, where the virtualization instruction indicates: the global identifier, the data format of the shared key packet, the data structure of the virtual node routing state, the data structure of the virtual node state, the identifier of the target receiver, and the data transmission mode;
S203: negotiating quantum key packets with adjacent nodes, i.e. each target quantum relay node associated with the key relay link negotiates a shared quantum key packet with each adjacent target quantum node;
S204: negotiating quantum key packets with adjacent nodes, i.e. each target quantum service node associated with the key relay link negotiates a shared quantum key packet with each adjacent target quantum relay node;
S205: creating virtual node routing state data, i.e. each target quantum relay node associated with the key relay link selects its two corresponding shared quantum key packets and calculates their exclusive-or value (for convenience, hereinafter referred to as virtual node routing state data);
S206: securely storing the quantum key packets, i.e. the target quantum service nodes associated with the key relay link each securely store their corresponding shared quantum key packet;
S207: the target quantum relay nodes associated with the key relay link each send their virtual node routing state data to the virtualization server;
S208: creating the virtual link state, i.e. the virtualization server performs an exclusive-or over the virtual node routing state data sent by all the target quantum relay nodes and creates a link identifier for the result (for convenience, the identifier is hereinafter referred to as the virtual link state identifier, the exclusive-or result as virtual link state data, and the result together with its identifier as the virtual link state); stores, outputs, or stores and outputs the virtual link state; the two target service nodes each securely store their corresponding shared key packet, which has the same global identifier as, or a one-to-one association with, the virtual link state. Other virtual link states are created in the same way. Steps S203 and S204 have no fixed order in time: they may be performed simultaneously, S203 before S204, or S204 before S203; likewise, steps S205 and S206 have no fixed order.
In one possible design, the network controller may select a corresponding key relay link according to the requirement of the virtualization server (the content of the requirement includes, but is not limited to, the target service node and the virtual link therebetween) and issue a virtualization instruction to the associated node.
In one possible design, in the above embodiment, only a portion of the virtual link state may be created.
In one possible design, in the above embodiment, a time limit is set for receiving virtual node routing states; if the virtual node routing state of one or more quantum relay nodes is not received within that limit, a retransmission instruction is issued to those relay nodes, or, once those relay nodes are confirmed to be abnormal, alternative key relay links are selected instead.
In one possible design, in the above embodiment, target quantum nodes are selected according to the topology information reported by the nodes, and a selected target quantum node is rejected if it exhibits an abnormal condition or fails to report its topology information or send its virtual node routing state on time.
The application method of the embodiment of the present invention is further described below with reference to the application embodiment of the quantum relay link virtualization method provided in the embodiment of the present invention shown in fig. 3.
As shown in fig. 3, it is assumed that virtual link states between S1 and S2, S1 and S3, S2 and S3 need to be created, and 3 key relay links (including S1-R1-R2-R3-R4-S2, S1-R1-R2-R3-S3, S2-R4-R3-S3) are selected, i.e., a target node includes 3 serving nodes (S1, S2, and S3) and 4 relay nodes (R1, R2, R3, and R4), while nodes S4, S5, S6, and R5 in the network do not participate in relay quantum link virtualization between the above target nodes.
As shown in fig. 3, assume that in one quantum relay link virtualization flow the shared quantum key packet negotiated between S1 and R1 is Ks1r1, between R1 and R2 is Kr1r2, between R2 and R3 is Kr2r3, between R3 and R4 is Kr3r4, between R3 and S3 is Kr3s3, and between R4 and S2 is Kr4s2. Then the virtual node routing state data of R1 is (Ks1r1⊕Kr1r2), that of R2 is (Kr1r2⊕Kr2r3), the three virtual node routing state data of R3 are (Kr2r3⊕Kr3r4), (Kr2r3⊕Kr3s3) and (Kr3s3⊕Kr3r4), and that of R4 is (Kr3r4⊕Kr4s2). The virtual link states between S1 and S2, S1 and S3, and S2 and S3 are created respectively as:
VQL_s1s2=(Ks1r1⊕Kr1r2)⊕(Kr1r2⊕Kr2r3)⊕(Kr2r3⊕Kr3r4)⊕(Kr3r4⊕Kr4s2)
=Ks1r1⊕Kr4s2,
VQL_s1s3=(Ks1r1⊕Kr1r2)⊕(Kr1r2⊕Kr2r3)⊕(Kr2r3⊕Kr3s3)=Ks1r1⊕Kr3s3,
VQL_s2s3=(Kr3s3⊕Kr3r4)⊕(Kr3r4⊕Kr4s2)=Kr3s3⊕Kr4s2.
Obviously, the three virtual link states above reuse the virtual node routing state data of their common relay nodes (that is, VQL_s1s2 and VQL_s1s3 both use (Ks1r1⊕Kr1r2) and (Kr1r2⊕Kr2r3), and VQL_s1s2 and VQL_s2s3 both use (Kr3r4⊕Kr4s2)).
In a possible design, it is also possible to negotiate a shared quantum key packet and calculate the virtual node routing states of the relay nodes separately for each of the above 3 virtual link states, which gives a new embodiment.
In another possible design, the target network may be planned into a plurality of target network embodiments including different target service nodes according to different service requirements, and a virtual link network slice may be created for each target network embodiment.
In one possible design, S1 and S2 generate random number packets rk_a and rk_b, respectively, compute a = rk_a ⊕ Ks1r1 and b = rk_b ⊕ Kr4s2, respectively, and then send a and b to the virtualization server or a third-party server, which computes:
VQL_s1s2 ⊕ a ⊕ b = Ks1r1 ⊕ Kr4s2 ⊕ rk_a ⊕ Ks1r1 ⊕ rk_b ⊕ Kr4s2 = rk_a ⊕ rk_b, and takes rk_a ⊕ rk_b as the virtual link state between S1 and S2; S1 and S2 securely store the random number packets rk_a and rk_b, respectively. Here rk_a and rk_b have the same data type, data length, data read/write order and usage as Ks1r1 and Kr4s2, and correspond one-to-one with the virtual link state. Virtual link states between the other serving nodes may be generated in the same way.
In one possible design, the virtualization server or the third-party server sends the virtual link state VQL_s1s2 to S1 and S2, respectively, and S1 and S2 may negotiate a shared key by the above method, i.e., S1 calculates:
rk_a ⊕ Ks1r1 ⊕ VQL_s1s2 = rk_a ⊕ Ks1r1 ⊕ Ks1r1 ⊕ Kr4s2 = rk_a ⊕ Kr4s2 and sends it to S2; S2 calculates Kr4s2 ⊕ rk_a ⊕ Kr4s2 = rk_a, so that rk_a is now shared between S1 and S2. In addition, S1 and S2 may also agree to use Ks1r1 or Kr4s2 as the shared key; for example, if S1 and S2 agree to use Ks1r1 as the shared key, S2 calculates VQL_s1s2 ⊕ Kr4s2 = Ks1r1.
It should be clear that the above-mentioned identification of the shared quantum key packet has symmetry, i.e. Krirj = Krjri, and the identification of the virtual link state also has similar symmetry, i.e. VQL _ sisj = VQL _ sjsi.
Further, in one possible design, the virtual link states and their identifications in any of the above embodiments are packaged as a data file (the data file is referred to as a virtual link network slice), wherein the data file includes but is not limited to a data list file, or a database file, and one or some of the virtual link states can be obtained quickly by accessing the data file, and the corresponding virtual link network slice identifications include but are not limited to: target network identification, global identification, number of virtual link states.
Compared with a commonly adopted single-hop forwarding relay mode, quantum link conflict and time delay do not exist when the key service is carried out by using the embodiment, the relay node does not need to store quantum keys, and less quantum communication bandwidth is occupied.
Further, in a possible design, on the basis of any one of the above embodiments, the method may include: after the target relay node has completed all the virtual link state data it must contribute to the calculation, it completely destroys the used shared key groups; or, after it has completed all the virtual node routing state data it must contribute to the calculation, it destroys the shared quantum key groups.
Further, in a possible design, on the basis of any of the foregoing embodiments, the correctness verification of a virtual link state may include: one target service node calculates the exclusive-or of the shared key packet associated with the virtual link state and the virtual link state data, calculates a data digest of that exclusive-or value (or of a part of it) and transmits the digest to the other associated target service node; the other target service node calculates a data digest of its own shared key packet associated with the virtual link state (or of the same part of it), and the verification passes if the two digests are the same. Alternatively, the two target service nodes each transmit their digest to a third party, which compares them; the verification passes if they are the same.
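The fig. 3 derivation above (relay routing states, the three virtual link states, the random-number-packet variant and the endpoint key agreement) together with this correctness verification, worked through in Python as an added example that is not part of the patent. The key groups are random bytes standing in for QKD output, and the 32-byte group length and SHA-256 as the digest are assumptions.

```python
import hashlib
import hmac
import secrets
from functools import reduce

GROUP_LEN = 32  # constructed: every shared key group has this one agreed data length

# Links of fig. 3 that carry a shared quantum key group, and the three relay links.
LINKS = [("S1", "R1"), ("R1", "R2"), ("R2", "R3"), ("R3", "R4"), ("R3", "S3"), ("R4", "S2")]
PATHS = {
    "s1s2": ["S1", "R1", "R2", "R3", "R4", "S2"],
    "s1s3": ["S1", "R1", "R2", "R3", "S3"],
    "s2s3": ["S2", "R4", "R3", "S3"],
}


def xor(*parts: bytes) -> bytes:
    """Bitwise XOR (the ⊕ of the text) of equal-length key groups."""
    n = len(parts[0])
    if any(len(p) != n for p in parts):
        raise ValueError("all shared key groups must use the same data length")
    return bytes(reduce(lambda a, b: a ^ b, col) for col in zip(*parts))


def negotiate_groups(links, length=GROUP_LEN):
    """Constructed stand-in for QKD: one random group per adjacent pair, indexed by
    the unordered pair so that Krirj == Krjri."""
    return {frozenset(link): secrets.token_bytes(length) for link in links}


def key(groups, a, b):
    """Shared key group between adjacent nodes a and b."""
    return groups[frozenset((a, b))]


def relay_routing_state_data(groups, prev, relay, nxt):
    """Virtual node routing state data of `relay`: XOR of its two adjacent groups."""
    return xor(key(groups, prev, relay), key(groups, relay, nxt))


def virtual_link_state(groups, path):
    """Server side: XOR the routing state data of every relay on the path. Each
    interior group appears twice and cancels, leaving the two edge groups only,
    e.g. VQL_s1s2 = Ks1r1 ⊕ Kr4s2. No relay key is ever sent to the server."""
    data = [relay_routing_state_data(groups, path[i - 1], path[i], path[i + 1])
            for i in range(1, len(path) - 1)]
    return xor(*data)


def masked_virtual_link_state(groups, path, rk_a, rk_b):
    """Random-number-packet design: endpoints send a = rk_a ⊕ Ks1r1 and
    b = rk_b ⊕ Kr4s2; the server forms VQL ⊕ a ⊕ b = rk_a ⊕ rk_b and so never
    learns either edge group."""
    a = xor(rk_a, key(groups, path[0], path[1]))
    b = xor(rk_b, key(groups, path[-2], path[-1]))
    return xor(virtual_link_state(groups, path), a, b)


def agree_shared_key(groups, path, vql, rk_a):
    """S1 sends rk_a ⊕ Ks1r1 ⊕ VQL (= rk_a ⊕ Kr4s2); S2 strips Kr4s2 to recover rk_a."""
    msg = xor(rk_a, key(groups, path[0], path[1]), vql)
    recovered_by_s2 = xor(key(groups, path[-2], path[-1]), msg)
    return msg, recovered_by_s2


def verify_link_state(k_own, vql, k_peer, prefix=None):
    """Correctness verification: one service node digests k_own ⊕ VQL, which must
    equal the peer's edge group; the peer digests its own group; the peer or a
    third party compares the digests. `prefix` restricts the digest to part of the data."""
    lhs, rhs = xor(k_own, vql), k_peer
    if prefix is not None:
        lhs, rhs = lhs[:prefix], rhs[:prefix]
    return hmac.compare_digest(hashlib.sha256(lhs).digest(), hashlib.sha256(rhs).digest())


def build_slice(groups=None):
    """Create the three virtual link states of fig. 3 and check them against the
    closed forms derived in the text."""
    groups = groups or negotiate_groups(LINKS)
    vql = {name: virtual_link_state(groups, path) for name, path in PATHS.items()}
    expected = {
        "s1s2": xor(key(groups, "S1", "R1"), key(groups, "R4", "S2")),
        "s1s3": xor(key(groups, "S1", "R1"), key(groups, "R3", "S3")),
        "s2s3": xor(key(groups, "R3", "S3"), key(groups, "R4", "S2")),
    }
    return groups, vql, vql == expected


if __name__ == "__main__":
    g, vql, ok = build_slice()
    rk_a, rk_b = secrets.token_bytes(GROUP_LEN), secrets.token_bytes(GROUP_LEN)
    masked = masked_virtual_link_state(g, PATHS["s1s2"], rk_a, rk_b)
    _, got = agree_shared_key(g, PATHS["s1s2"], vql["s1s2"], rk_a)
    print("closed forms hold:", ok, "| masked == rk_a ⊕ rk_b:", masked == xor(rk_a, rk_b))
    print("S2 recovered rk_a:", got == rk_a, "| verification passes:",
          verify_link_state(key(g, "S1", "R1"), vql["s1s2"], key(g, "R4", "S2")))
```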
Further, in a possible design, on the basis of any one of the above embodiments, any one or two of the following items may be further included: (1) before creating a virtual node routing state, a target node acquires a global identifier, wherein the method for acquiring the global identifier comprises the steps of determining the current global identifier according to a virtualization instruction or determining the current global identifier according to the last global identifier, (2) before creating the virtual node routing state, a target relay node and an adjacent target node confirm a negotiated shared key group and the global identifier of the virtual node routing state used for creating the shared key group, and the target relay node and the adjacent target relay node respectively use the negotiated shared key group for creating the virtual node routing state with the same global identifier.
Further, in a possible design, on the basis of any one of the above embodiments, the method may further include: determining any one or more of the following according to a given system policy: global identification, data format of shared key grouping, data structure of virtual node routing state, data structure of virtual link network slice, identification of target receiver and data transmission mode.
Further, in a possible design, on the basis of any of the foregoing embodiments, a virtual link service may also be provided, that is, one or more virtual link statuses associated with two service nodes are sent to the two service nodes or/and application devices served by the two service nodes, where the application devices include, but are not limited to: password application device, agent device of service node, virtual link service agent device.
Further, in a possible design, on the basis of any of the above embodiments, one or more virtual link network slices may also be sent to the virtual link service agent apparatus, or/and the virtual link service apparatus.
In any of the above embodiments, a real-time sharing method or/and a pre-caching method may be used to negotiate a shared secret key group or a shared quantum secret key group, where:
The real-time sharing method comprises the following steps: the target node negotiates a certain amount of shared quantum key with adjacent target nodes, takes that amount of shared quantum key as a shared quantum key group and creates a group identifier. Alternatively, the method for negotiating a shared quantum key packet according to the embodiment of the present invention shown in fig. 4 comprises the following steps: S401: the target node negotiates a certain amount of shared quantum key with adjacent target nodes; S402: the target node and the adjacent target node each divide the shared quantum key into one or more groups using the same data format and apply the same randomness test to each group; S403: a group that passes the randomness test is taken as a shared quantum key group and a group identifier is created for it.
The foregoing pre-caching method (another method for negotiating a shared quantum key packet, according to the embodiment of the present invention shown in fig. 5) comprises: S501: the target node negotiates a certain amount of shared quantum key with adjacent target nodes; S502: the shared quantum key is divided into one or more groups using the same data format, the same randomness test is applied to each group, and each group that passes the test is cached and given a group identifier; S503: the target node negotiates with the adjacent target node so that each side selects, from its cached packets, the packet with the same packet number as the shared quantum key packet. Here, negotiating a certain amount of shared quantum key includes, but is not limited to: negotiating quantum keys with a plurality of adjacent target nodes in turn, or with a plurality of adjacent target nodes simultaneously, or with the corresponding adjacent target nodes according to a virtualization instruction; the negotiated quantum keys may occupy the whole bandwidth of the quantum key distribution channel or only part of it.
In a possible design, negotiating a shared quantum key packet may further include a consistency check: the target node and the adjacent target node each calculate the data digest or hash value of the shared quantum key group; if the two digests or hash values differ, the consistency check fails and the negotiation is repeated; otherwise the consistency check passes and the shared quantum key packet has been successfully negotiated.
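The pre-caching negotiation (S501 to S503) and the consistency check above, as an added Python example that is not part of the patent. The key material is a deterministic constructed stand-in for QKD output, the randomness test is a monobit frequency test chosen here because the text does not name one, the group identifier follows the fig. 6 shape (group number, current node ID, adjacent node ID), and SHA-256 serves as the digest.

```python
import hashlib
import hmac
import math

GROUP_LEN = 32        # constructed group length; the text's own example uses 1MB groups
Z_THRESHOLD = 2.5758  # monobit statistic at which the SP 800-22 p-value drops to 0.01


def constructed_raw_key(n_groups: int) -> bytes:
    """Deterministic stand-in for a key negotiated over QKD (demo only, not random)."""
    return b"".join(hashlib.sha256(b"constructed-%d" % i).digest() for i in range(n_groups))


def split_groups(raw: bytes, group_len: int = GROUP_LEN) -> list:
    """Divide the negotiated key into equal groups of one data format; a short tail is dropped."""
    usable = len(raw) - len(raw) % group_len
    return [raw[i:i + group_len] for i in range(0, usable, group_len)]


def monobit_test(group: bytes) -> bool:
    """Frequency (monobit) test: |ones - zeros| / sqrt(n) must stay below the threshold.
    Both neighbours must run the identical test so that they keep the same groups."""
    n = len(group) * 8
    ones = sum(bin(b).count("1") for b in group)
    return abs(2 * ones - n) / math.sqrt(n) < Z_THRESHOLD


def group_identifier(group_no: int, own_id: str, peer_id: str) -> tuple:
    """Group identifier in the shape of fig. 6: group number, current node ID, adjacent node ID."""
    return (group_no, own_id, peer_id)


def precache(raw: bytes, own_id: str, peer_id: str, group_len: int = GROUP_LEN) -> dict:
    """S501-S502: split, test, and cache every passing group with its identifier and a
    digest that later serves as check information."""
    cache = {}
    for no, g in enumerate(split_groups(raw, group_len)):
        if monobit_test(g):
            cache[no] = {"id": group_identifier(no, own_id, peer_id),
                         "key": g, "check": hashlib.sha256(g).digest()}
    return cache


def consistency_check(own_group: bytes, peer_digest: bytes) -> bool:
    """Each side digests its copy; differing digests mean the group must be renegotiated."""
    return hmac.compare_digest(hashlib.sha256(own_group).digest(), peer_digest)


def select_shared_group(cache_a: dict, cache_b: dict):
    """S503: agree on the lowest group number cached by both neighbours whose digests
    match; only the digest crosses the classical channel. None if no group survives."""
    for no in sorted(cache_a):
        if no in cache_b and consistency_check(cache_a[no]["key"], cache_b[no]["check"]):
            return no
    return None


if __name__ == "__main__":
    raw = constructed_raw_key(10)           # "10MB key divided into 10 groups", scaled down
    side_r = precache(raw, "ID_R", "ID_A")  # relay R's view of the negotiated key
    side_a = precache(raw, "ID_A", "ID_R")  # neighbour A's view of the same key
    print("groups passing the test:", sorted(side_r))
    print("agreed group number:", select_shared_group(side_r, side_a))
```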
It should be understood that the specific meaning or use of any one or more of the items indicated by the virtualization instruction is as follows: the global identifier is used to distinguish different target networks and different embodiments within a target network, and may be a global number unified across the whole network or an identifier combining the target network identifier with the global number; the data format of the shared quantum key packet includes, but is not limited to, data type, data length and data read/write order; the data structure of the virtual node routing state comprises the content of the virtual node routing state identifier and its ordering as adopted in one embodiment; the identifier of the target receiver determines the receiver; and the data transmission mode determines whether encrypted or unencrypted transmission is used.
It is obvious that the method steps of any of the above embodiments can be recombined to give new embodiments having the same application properties as the method of the present invention. Therefore, methods based on simple combinations of the above method steps and content adaptation fall within the scope of the present invention.
The shared quantum key packet or shared key packet in the above embodiments includes, but is not limited to: a group identifier and shared quantum key data (a shared quantum key of the group length). The data structure of the shared quantum key group identifier may be the one provided in the embodiment of the present invention shown in fig. 6, that is, the group identifier includes the group number, the current node ID and the adjacent node ID, where the current node ID and the adjacent node ID are equivalent (interchangeable) and may be replaced by the routing identifiers of the current node and the adjacent node; the ID may also be any other identifier that uniquely identifies the corresponding node; the group number may be a local number or a global number, and in the former case, when a shared quantum key packet is used to create a virtual node routing state, its local number is replaced by the global number of the corresponding virtual node routing state.
On the basis of the data structure shown in fig. 6, a new shared quantum key grouping or grouping identifier embodiment can be obtained by adding any one or more of the following content options: data format, check information and time stamp, where the check information may be the data digest (or hash value) or MAC of the shared quantum key packet, and the data format includes any one or more of: data type (e.g., binary or hexadecimal storage), data length, and data read/write order.
Further, as an example, fig. 7 shows another data structure of a shared quantum key packet provided by one possible embodiment of the present invention, that is, the data structure includes a packet number, a current node ID, an adjacent node ID, a data length, check information, and quantum key data, where the data length may be the data length of the quantum key data or the data length of the entire shared quantum key packet; the check information may be a quantum key data digest (or Hash value) or a MAC code.
The virtual node routing state in the above embodiments includes, but is not limited to: virtual node routing state identification, virtual node routing state data (i.e., the exclusive or value of the shared quantum key packet between the current relay node and the two adjacent destination nodes). Fig. 8 shows a virtual node routing state identifier provided in an embodiment of the present invention, where the content of the virtual node routing state identifier includes but is not limited to: global number, current relay node ID1, neighbor node ID2, neighbor node ID3 (or link identifications of the last and next neighbor target nodes connecting the current node with the current relay node).
The content of the virtual node state identifier in the above embodiment includes, but is not limited to (as shown in fig. 9, a virtual node state identifier provided by the embodiment of the present invention): global number, current relay node ID1, number of virtual node routing states, where the number of virtual node routing states can be calculated from the number of neighboring destination nodes, and therefore the number of virtual node routing states can be replaced with the number of neighboring destination nodes and a new embodiment is obtained.
On the basis of the above embodiments, a plurality of new embodiments can be obtained by adding the virtual node routing state (or the virtual link state) or the content of the identification thereof, that is, by adding any one or any plurality of the following: an identifier of the target network for distinguishing different target networks;
a local identifier for distinguishing a plurality of virtual node routing states (or virtual link states) having the same global identifier; check information, used to check the integrity of a virtual node routing state (or virtual link state) and comprising a data digest, hash value or MAC of the corresponding data; a digital signature, i.e. the virtual node routing state (or virtual link state) signed with a digital signature algorithm; a timestamp recording the creation time of the virtual node routing state (or virtual link state); a data digest (or hash value) of the current virtual node routing state (or virtual link state), of the previous one, or of both the current and the previous one. Further, in one possible design, the private key used for the digital signature must be protected so that it cannot be illegally accessed or derived.
In a possible design, an identification type may be further added to the various identifications in the above embodiments, where the identification type is used to distinguish a virtual routing state identification, a virtual node state, a virtual link network slice, and a virtual link state.
The storage in the above embodiments includes, but is not limited to, any one or more of the following options: the method comprises the following steps of local storage, cloud storage and server-side storage, wherein the local storage method comprises but is not limited to: storing the virtual node routing state or/and the virtual node state in a memory of the target node device (wherein the memory comprises but is not limited to a local memory or a network storage space), and sending the virtual node routing state identification or/and the virtual node state identification to the server; cloud storage methods include, but are not limited to: storing the virtual node routing state (or virtual node routing state data) or/and the virtual node state on a cloud storage space; server-side storage includes, but is not limited to: and sending the routing state of the virtual node or/and the state of the virtual node to one or more servers for storage.
The outputting or sending in the above embodiments includes, but is not limited to, any one or both of the following options: real-time output and passive response output; among these, real-time output includes but is not limited to: outputting the created virtual node routing state or/and the virtual node state to a memory of a target node device or/and a third party server or/and a target receiver indicated by a virtualization instruction in real time; passive response outputs include, but are not limited to: and outputting the routing state of the virtual node with the specific number or/and the state of the virtual node to the memory of the relay node device or/and a third party server or/and a target receiver indicated by the virtualization instruction according to the virtualization instruction.
Further, in one possible design, the outputting or sending in the above embodiment may be an encrypted transmission, the encrypted transmission including any one or more of the following options: the encryption transmission is carried out by adopting a symmetric cryptographic algorithm, the encryption transmission is carried out by adopting an asymmetric cryptographic algorithm, and the encryption transmission is carried out by adopting a tunnel mode or a transmission mode of VPN.
The server in the above embodiments may include, but is not limited to, any one or any plurality of the following options: the system comprises a network management device, a network virtualization management device, a service node device, a cloud storage service device and a block chain accounting node device.
The target recipient in the above embodiments may include, but is not limited to, any one or any plurality of the following options: the system comprises a network management device, a network virtualization management device, a service node device, a cloud storage service device and a block chain accounting node device.
The method for creating a virtual node routing state provided by the embodiment of the present invention is further described below for a relay node with 3 target neighboring nodes (see the relay node application diagram of fig. 10: a relay node R and 3 target neighboring nodes A, B and C; compared with the embodiment of fig. 3, R may correspond to R3, and A, B and C may correspond to R2, R4 and S3, respectively). As shown in fig. 10, it is assumed that the relay node R negotiates with the 3 neighboring nodes A, B and C, using the above-mentioned method, the shared quantum key groups Kra, Krb and Krc, respectively (the groups may be negotiated with the 3 neighboring nodes in turn, with several neighboring nodes at the same time, or with the corresponding neighboring nodes according to a virtualization instruction); C(3,2) = 3 virtual node routing states (the virtual node routing states of one relay node shown in fig. 11, namely VRS0, VRS1 and VRS2) are generated from these 3 shared quantum key packets. The node identification includes the ID identifier 1101 of the target relay node (i.e., ID_R), the global number 1102 (i.e., 000123), the number 1103 of virtual node routing states (i.e., 3), the data length 1104 (i.e., 3 × 1MB, each virtual node routing state having a data length of 1MB) and the data type 1105 (i.e., hexadecimal); each virtual node routing state (the state data in fig. 11) includes the ID identifier 1106 of the target relay node, the ID identifier 1107 of the first neighboring node, the ID identifier 1108 of the second neighboring node, the virtual node routing state data 1109, the data digest 1110 of the virtual node routing state, and the local number 1111 of the virtual node routing state.
The method comprises the following steps: the relay node R negotiates a shared quantum key group with each of A, B and C using a real-time sharing method or a pre-caching method. The real-time sharing method: negotiate a shared quantum key with an adjacent node in real time and process it into a shared quantum key group by a key preprocessing method, for example, negotiate a 1MB key and take it as the shared quantum key group after creating a group identifier and integrity check information. The pre-caching method: negotiate a shared quantum key with the adjacent node, process it into one or more shared quantum key groups by a key preprocessing method, cache them, and negotiate with the adjacent node so that each side selects the shared quantum key group with the same group number from its cache; for example, negotiate a 10MB key at a time, divide it into 10 groups, run a randomness test on each, and for each group that passes create a group identifier and integrity check information, after which the group is taken as a shared quantum key group. Next, obtain the global number of the current virtual node routing state (1102 in fig. 11): R negotiates shared quantum key packets (Kra, Krb and Krc) with A, B and C respectively, and R and A, B, C respectively confirm Kra, Krb and Krc and the global number of the virtual node routing state for whose creation they are used (e.g., 1102 in fig. 11). R then creates 3 virtual node routing states VRS0, VRS1 and VRS2 using Kra, Krb and Krc, where VRS0 = (0, ID_R, ID_A, ID_B, Kra ⊕ Krb, Hash(Kra ⊕ Krb)) and the others follow the same pattern, and destroys Kra, Krb and Krc. If a request from the server to send a virtual node routing state is received, R sends the corresponding virtual node routing state to the server or to the target receiver indicated by the server's request. VRS0, VRS1 and VRS2 are each packaged as a virtual node routing state, and the 3 virtual node routing states are stored, output, or both stored and output.
In one possible design, the virtual node state shown in fig. 11 may be packaged as a database file, from which global number 1102 and local number 1111 may uniquely determine a virtual node routing state.
Additionally, since VRS0, VRS1 and VRS2 are correlated, in that the exclusive-or of any two virtual node routing state data equals the third (e.g., VRS0 ⊕ VRS1 = VRS2), in one possible design the relay node may create only C(n,1) − 1 = n − 1 virtual node routing states. Similar applicable features are substantially equivalent and are intended to fall within the scope of the present invention.
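The relay node procedure above (C(3,2) routing states laid out like the fig. 11 state data, destruction of the used groups, and the VRS0 ⊕ VRS1 = VRS2 relation that lets n − 1 states stand for all C(n,2)), as an added Python example that is not part of the patent. The 16-byte constructed groups, SHA-256 as the digest and the dictionary field names are assumptions.

```python
import hashlib
from itertools import combinations


def xor(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR (the ⊕ of the text) of two equal-length key groups."""
    if len(a) != len(b):
        raise ValueError("shared key groups must have the same data length")
    return bytes(x ^ y for x, y in zip(a, b))


def create_routing_states(relay_id: str, groups: dict, global_no: int) -> list:
    """One virtual node routing state per pair of neighbours, C(n,2) in all, laid out
    like the state data of fig. 11: relay ID, two neighbour IDs, XOR data, digest,
    local number. `groups` maps neighbour ID -> shared quantum key group."""
    states = []
    for local_no, ((id1, k1), (id2, k2)) in enumerate(combinations(sorted(groups.items()), 2)):
        data = xor(k1, k2)
        states.append({"global_no": global_no, "local_no": local_no, "relay": relay_id,
                       "neighbours": (id1, id2), "data": data,
                       "digest": hashlib.sha256(data).digest()})
    return states


def virtual_node_state(relay_id: str, states: list, global_no: int, data_type: str = "hex") -> dict:
    """Node-level header of fig. 11: ID_R, global number, state count, total data length, data type."""
    return {"relay": relay_id, "global_no": global_no, "count": len(states),
            "data_length": sum(len(s["data"]) for s in states),
            "data_type": data_type, "states": states}


def destroy_groups(groups: dict) -> None:
    """Destroy step: once every state exists the relay overwrites and drops the used groups.
    Groups are bytearrays so they can be zeroed in place; Python cannot guarantee that
    no other copy survives elsewhere in memory."""
    for g in groups.values():
        g[:] = bytes(len(g))
    groups.clear()


def verify_state(state: dict) -> bool:
    """Integrity check of one routing state against its digest (check information)."""
    return hashlib.sha256(state["data"]).digest() == state["digest"]


def spanning_states(states: list, hub: str) -> list:
    """Any two routing states XOR to the third (VRS0 ⊕ VRS1 = VRS2), so the n-1 states
    sharing one neighbour `hub` determine all C(n,2) of them: the C(n,1)-1 design."""
    return [s for s in states if hub in s["neighbours"]]


def derive_data(spanning: list, hub: str, id1: str, id2: str) -> bytes:
    """Recover K_id1 ⊕ K_id2 from the hub states (K_hub ⊕ K_id1) ⊕ (K_hub ⊕ K_id2)."""
    def pair_with(x):
        return next(s["data"] for s in spanning if set(s["neighbours"]) == {hub, x})
    if hub in (id1, id2):
        return pair_with(id2 if id1 == hub else id1)
    return xor(pair_with(id1), pair_with(id2))


if __name__ == "__main__":
    # Constructed 16-byte groups Kra, Krb, Krc standing in for the 1MB groups of the text.
    groups = {"ID_A": bytearray(b"\x01" * 16), "ID_B": bytearray(b"\x02" * 16),
              "ID_C": bytearray(b"\x04" * 16)}
    states = create_routing_states("ID_R", groups, 123)
    node = virtual_node_state("ID_R", states, 123)
    destroy_groups(groups)
    print("states:", node["count"], "| VRS0 ⊕ VRS1 == VRS2:",
          xor(states[0]["data"], states[1]["data"]) == states[2]["data"])
    print("n-1 states recover the rest:",
          derive_data(spanning_states(states, "ID_A"), "ID_A", "ID_B", "ID_C") == states[2]["data"])
```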
It should be clear that, in any of the above embodiments, for a certain quantum relay link virtualization, each target node uses the same data format and data structure, including but not limited to using the same shared key packet length, data type, data high-low order, the same identification content, and its ordering manner.
Although the present invention has been described with respect to the data structures of the above-described shared key packets and virtual node routing states (which may include, but are not limited to, content options for the target data and its identity and their ordering, data type, data length, etc.), it is contemplated that elements or variables in the above-described data structures may be randomly combined and do not significantly affect application performance; in addition, it is obvious that if a certain element or variable (for example, a storage type, a data length) in a certain data structure is used as a global variable, the corresponding data format may not include the variable, and therefore, the present invention does not specifically limit the position ordering relationship of the element or variable in the data structure, nor does it limit the implementation manner of the certain element or variable; in addition, with similar considerations, the present invention does not specifically limit the position ordering relationship of elements or variables in the data format, nor the implementation of a certain element or variable. Methods obtained by randomly combining or adjusting the positions of the elements in the data structure also fall within the scope of the present invention. Obviously, some content options in the above virtual node routing state (or virtual node routing state) identification can be used as part of the corresponding virtual node routing state (or virtual node routing state) data in possible designs, and such similar possible designs fall within the scope of the present invention.
Fig. 12 is a schematic diagram of a method for creating cross-domain interworking virtual link network slices according to an embodiment of the present invention. A serving node A in a first target network stores a shared key packet Kax associated with one virtual link network slice, and a serving node B in a second target network stores a shared key packet Kby associated with another virtual link network slice; because the two slices are completely isolated, no cross-domain interworking is possible. To realize it, a trusted third party C distributes shared key groups Ka and Kb to A and B respectively; A calculates Kax ⊕ Ka and creates the corresponding virtual node routing state identifier; B calculates Kby ⊕ Kb and creates the corresponding virtual node routing state identifier; C calculates Ka ⊕ Kb and creates the corresponding virtual node routing state identifier (obviously, if Ka is the same as Kb, then Ka ⊕ Kb = 0, so this calculation may be skipped and the corresponding virtual node routing state omitted); the three virtual node routing states together with the two virtual link network slices form a cross-domain interworking virtual link network slice.
In one possible design, if there are service nodes accessing two different target networks at the same time, one of them is selected to use the exclusive-or value of its two associated shared key packets, together with their identifiers, as a virtual node routing state of the cross-domain interworking virtual link network slice, which is formed together with the virtual link network slices of the two target networks. For example, assuming A and B in fig. 12 are the same serving node, and Kax and Kby are the shared key packets associated with the corresponding virtual link network slices of target network one and target network two respectively, then A calculates Kax ⊕ Kby and creates the corresponding virtual node routing state identifier; this virtual node routing state together with the two virtual link network slices forms a cross-domain interworking virtual link network slice.
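The cross-domain construction of fig. 12 and its dual-homed variant, as an added Python example that is not part of the patent; the 8-byte key groups are constructed and the function names are assumptions.

```python
def xor(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR (the ⊕ of the text) of two equal-length key groups."""
    if len(a) != len(b):
        raise ValueError("shared key groups must have the same data length")
    return bytes(x ^ y for x, y in zip(a, b))


def cross_domain_states(kax: bytes, kby: bytes, ka: bytes, kb: bytes):
    """Fig. 12: A holds Kax (slice of network one), B holds Kby (slice of network two),
    and the trusted third party C hands Ka to A and Kb to B. Each of A, B and C
    creates one virtual node routing state; C's is omitted when Ka == Kb, since
    Ka ⊕ Kb would then be all zeros."""
    vrs_a = xor(kax, ka)
    vrs_b = xor(kby, kb)
    vrs_c = None if ka == kb else xor(ka, kb)
    return vrs_a, vrs_b, vrs_c


def cross_domain_link(vrs_a: bytes, vrs_b: bytes, vrs_c=None) -> bytes:
    """XOR of the routing states is Kax ⊕ Kby: a virtual link state bridging the two
    slices, from which A (holding Kax) recovers Kby and B recovers Kax. C only ever
    sees Ka and Kb, never the slice keys."""
    link = xor(vrs_a, vrs_b)
    return link if vrs_c is None else xor(link, vrs_c)


def dual_homed_state(kax: bytes, kby: bytes) -> bytes:
    """Service node attached to both networks: its single state Kax ⊕ Kby replaces the
    three states above."""
    return xor(kax, kby)


if __name__ == "__main__":
    # Constructed 8-byte groups; in practice these are QKD-derived groups of the agreed length.
    kax, kby, ka, kb = b"\x0f" * 8, b"\xf0" * 8, b"\x33" * 8, b"\x55" * 8
    link = cross_domain_link(*cross_domain_states(kax, kby, ka, kb))
    print("A recovers Kby:", xor(kax, link) == kby)
    print("dual-homed node gives the same link:", dual_homed_state(kax, kby) == link)
```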
Fig. 13 is a schematic diagram of a quantum relay link virtualization node device according to an embodiment of the present invention.
A transceiver, comprising various interface modules; for example, the transceiver shown in fig. 13 may include interface module 1301 and interface module 1302, where interface module 1301 is configured to report topology information of the quantum relay node to the virtualization server 1307, to receive virtualization instructions, and to send the virtual node routing state or/and the virtual node state to the virtualization server 1307. A data processing unit 1303, for negotiating shared key packets with the neighboring quantum nodes 1306 or/and creating virtual node routing states; optionally, the quantum key distribution unit 1305 is further configured to obtain the quantum key. A node virtualization unit 1304, for storage and output management of virtual node routing states or/and virtual node states. Here, the virtual node routing state comprises the exclusive-or value of the shared key groups between the target quantum relay node and two adjacent target quantum nodes, together with the corresponding identification; the virtual node state comprises part or all of the virtual node routing states of the target quantum relay node and the corresponding identification; the virtualization instruction indicates any one or more of: global identification, data format of the shared key grouping, data structure of the virtual node routing state, data structure of the virtual node state, identification of the target receiver and data transmission mode; and the topology information includes, but is not limited to: the identification of the node and the link state between the node and each adjacent target quantum node.
Fig. 14 is a schematic diagram of a quantum relay link virtualization server device according to an embodiment of the present invention, which includes a processor 1401, a memory 1402, a transceiver 1403 and, optionally, a bus 1404 and a communication interface 1405. The memory 1402 stores programs and instructions. The processor 1401 is configured, by calling the programs and instructions stored in the memory, to: determine, from the relay link virtualization requests acquired by the transceiver, the identification of the target service nodes and of the target relay nodes associated with each request, determine the virtualization instructions and issue them to all corresponding target nodes; and further to: perform an exclusive-or operation on the virtual node routing state data sent by all target relay nodes, create link identifiers for the exclusive-or results, and store or/and output the results together with their link identifiers. The transceiver 1403 is configured to receive the topology information reported by each target node, to obtain relay link virtualization requests and send the corresponding virtualization instruction to each target node on the relay link (so that each target node negotiates a shared key and creates a virtual node routing state according to the instruction), and to receive the virtual node routing states and pass them to the data processing unit.
Further, in one possible design, the processor is further configured to perform: and verifying the digital signature of the current virtual node state of the target quantum relay node, wherein if the digital signature cannot pass the verification, the corresponding node needs to resend the corresponding current virtual node state.
The bus may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown in fig. 14, but this is not intended to represent only one bus or type of bus.
The memory may include volatile memory (volatile memory), such as random-access memory (RAM); the memory may also include a non-volatile memory (non-volatile memory), such as a flash memory (flash memory), a Hard Disk Drive (HDD) or a solid-state drive (SSD); the memory may also comprise a combination of memories of the kind described above.
The communication interface may be a wired communication interface, a wireless communication interface, or a combination thereof, wherein the wired communication interface may be, for example, an Ethernet interface. The Ethernet interface may be an optical interface, an electrical interface, or a combination thereof. The wireless communication interface may be a WLAN interface.
The processor may be a Central Processing Unit (CPU), a Network Processor (NP), or a combination of a CPU and an NP. The processor may further include a hardware chip. The hardware chip may be an application-specific integrated circuit (ASIC), a Programmable Logic Device (PLD), or a combination thereof. The PLD may be a Complex Programmable Logic Device (CPLD), a field-programmable gate array (FPGA), a General Array Logic (GAL), or any combination thereof.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, apparatus (or system), or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (or systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While the invention has been described in conjunction with specific features and embodiments thereof, it will be evident that various modifications and combinations can be made thereto without departing from the spirit and scope of the invention. Accordingly, the specification and figures are merely exemplary of the invention as defined in the appended claims and are intended to cover any and all modifications, variations, combinations, or equivalents within the scope of the invention. It will be apparent to those skilled in the art that various changes and modifications may be made in the present invention without departing from the spirit and scope of the invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include such modifications and variations.

Claims (20)

1. A quantum relay link virtualization method, characterized by comprising the following steps: selecting the target relay nodes associated with n key relay links among N target service nodes in a target network (where N is an integer greater than 1, n is an integer greater than 0 and not greater than C(N,2), and C(N,2) is the number of combinations of 2 chosen from N); each target service node and each target relay node negotiating one or more shared key packets with each of its neighboring target nodes; for each of the n key relay links associated with a target relay node, that relay node selecting the corresponding two shared key packets, calculating their exclusive-or value and transmitting it to a target receiver (for convenience, this exclusive-or value is hereinafter referred to as virtual node routing state data); the two target service nodes associated with each key relay link securely storing their corresponding shared key packets; the target receiver performing an exclusive-or operation on all the virtual node routing state data sent by the target relay nodes, creating a link identifier for the exclusive-or result (for convenience, the link identifier is hereinafter referred to as the virtual link state identifier, the exclusive-or result as the virtual link state data, and the exclusive-or result together with its virtual link state identifier as the virtual link state), and storing, outputting, or storing and outputting the virtual link state; wherein the corresponding shared key packets securely stored by the two target service nodes have the same global identifier as the virtual link state data or a one-to-one association with it, the target nodes include the target service nodes and the target relay nodes, and the virtual link state identifier includes: a global identifier and the identifiers of the associated service nodes.
2. The quantum relay link virtualization method according to claim 1, further comprising: after all the virtual link state data that need to participate in the calculation have been completed, the target relay node destroys all the used shared key groups; or, after all the virtual node routing state data that need to participate in the calculation have been completed, the target relay node destroys the shared key groups.
3. The quantum relay link virtualization method according to claim 2, further comprising: for a virtual link state between two target service nodes, the two target service nodes each generate a random number packet; one target service node calculates the exclusive-or value (for convenience, denoted exclusive-or value a) of its shared key packet associated with the virtual link state and its random number packet, and the other target service node calculates the exclusive-or value (for convenience, denoted exclusive-or value b) of its shared key packet associated with the virtual link state and its random number packet; the two target service nodes transmit exclusive-or value a and exclusive-or value b, respectively, to the target receiver, and each securely stores its random number packet as the corresponding shared key packet; the target receiver performs an exclusive-or operation on the corresponding virtual link state data with exclusive-or value a and exclusive-or value b and creates a virtual link state identifier for the result; the random number packet and the shared key packet have the same data format and have the same global identifier as the virtual link state or a one-to-one association with it.
4. The method of claim 1, 2 or 3, further comprising carrying out correctness verification on the virtual link state, including the following steps: one target service node calculates the exclusive-or value of the shared key packet associated with the virtual link state and the virtual link state data, calculates a data digest of that exclusive-or value or of a part of it, and transmits the data digest to the other associated target service node; the other target service node calculates a data digest of its shared key packet associated with the virtual link state or of the corresponding part of that packet; if the two data digests are the same, the correctness verification passes; or, the two target service nodes transmit their two data digests to a third party, the third party compares them, and if the two data digests are the same, the correctness verification passes.
5. The method of claim 1, 2 or 3, comprising: each target node reports topology information of the target node to a network controller or a target receiver, wherein the topology information comprises: identification of the target node, link status between the target node and each neighboring target node.
6. The method of claim 1, 2 or 3, comprising: the network controller or the target receiver issues a virtualization instruction to each target node associated with the key relay links, where the virtualization instruction is used to indicate any one or more of the following: global identification, data format of the shared key grouping, data structure of the virtual node routing state, identification of the target receiver, and data transmission mode.
7. The method of claim 1, 2 or 3, comprising: determining any one or more of the following according to a given system policy: global identification, data format of shared key grouping, data structure of virtual node routing state, data structure of virtual link network slice, identification of target receiver and data transmission mode.
8. The method of claim 1, wherein negotiating a shared key packet comprises any one or both of the following:
the real-time sharing method comprises: the target node and the adjacent target node negotiate a certain amount of shared keys in real time and use that amount of shared keys as a shared key group; or the target node and the adjacent target node each divide the shared keys into one or more groups using the same data format, carry out a randomness test on each group using the same randomness test method, and use a group that passes the randomness test as a shared key group;
the pre-caching method comprises the following steps: a target node negotiates a certain amount of shared keys with an adjacent target node; the two nodes each divide the shared keys into one or more groups using the same data format, carry out a randomness test on each group using the same randomness test method, cache each group that passes the randomness test and create a group identifier for it; and the target node negotiates with the adjacent target node to select, from the cached groups, one group having the same group number as the shared key group; wherein negotiating the certain amount of shared keys comprises any one of the following: negotiating a shared key with a plurality of adjacent target nodes in sequence, negotiating the shared key with the plurality of adjacent target nodes simultaneously, or negotiating the shared key with the corresponding adjacent target nodes according to a virtualization instruction; and wherein the negotiation of the shared key occupies either the whole bandwidth of the key negotiation channel or only part of the bandwidth of the key negotiation channel.
9. The method of claim 1 or 8, wherein negotiating a shared key packet further comprises: creating a group identification, the group identification comprising: the method comprises the steps of grouping numbers and route identifications (or identifications of a current relay node and an adjacent target node) of the current target node and the adjacent target node, wherein the grouping numbers adopt local numbers or global identifications, and under the condition of adopting the local numbers, after a certain shared key grouping is used for creating a virtual node route state, the corresponding local numbers are changed into the global identifications of the corresponding virtual node route state.
10. The quantum relay link virtualization method according to claim 1, comprising: creating an identifier (hereinafter referred to as a virtual node routing state identifier) for the virtual node routing state data, the identifier comprising: a global identifier, and routing identifiers of a previous neighboring target node and a next neighboring target node that connect the target relay node and the target relay node (or, an identifier of the target relay node, an identifier of the first neighboring target node, and an identifier of the second neighboring target node).
11. The quantum relay link virtualization method of claim 1, wherein the storing comprises any one or more of the following options: local storage, cloud storage and server-side storage; wherein local storage comprises: storing the virtual link state in a local memory or a network memory space; cloud storage comprises: storing the virtual link state in a cloud storage space; and server-side storage comprises: sending the virtual link state to one or more third-party servers for storage.
12. The quantum relay link virtualization method of claim 1, wherein the sending (or outputting) comprises any one or more of the following options: real-time transmission (or output), passive response transmission (or output), wherein the real-time transmission (or output) comprises: transmitting virtual node routing state data (or virtual link state) to an intended recipient (or output local storage or network storage space, or/and third party server, or/and associated service node) in real-time, passive response transmission (or output) comprising: the virtual node routing state data (or virtual link state) with the particular number is sent to the intended recipient (or exported to a third party server, or/and associated service node) in accordance with the virtualization instruction.
13. The method of claim 1 or 12, wherein the transmitting further comprises: an encrypted transmission comprising any one or more of the following options: the encryption transmission is carried out by adopting a symmetric cryptographic algorithm, the encryption transmission is carried out by adopting an asymmetric cryptographic algorithm, and the encryption transmission is carried out by adopting a tunnel mode or a transmission mode of VPN.
14. The quantum relay link virtualization method of claim 1, 3 or 12, wherein the target receiver comprises any one or more of the following options: a central server of the target network, a regional central server of the target network, a target network controller, a target network management device, a target network virtualization management device, a service node device, a cloud storage service device, and a billing node device of a blockchain.
15. The quantum relay link virtualization method according to claim 1 or 3, wherein the virtual link states form a virtual link state blockchain in time order, wherein forming the virtual link state blockchain comprises: creating a block header for the virtual link state, wherein the virtual link state serves as the block body, and the block header comprises a block number, a timestamp and a hash value of the block, wherein the block number is the same as the global identifier or has a one-to-one association with it.
16. The method of claim 1 or 3, wherein providing virtual link services comprises: transmitting one or more virtual link states associated with two serving nodes to the two serving nodes, or/and application devices served by the two serving nodes, wherein the application devices comprise: password application device, agent device of service node, virtual link service agent device.
17. The quantum relay link virtualization method according to claim 1 or 3, comprising providing a service of negotiating shared keys, that is, a virtualization server or a third-party server respectively sends a virtual link state to two associated service nodes, the two service nodes negotiate to use an associated shared key packet of one of the service nodes as a shared key, and accordingly, the other service node calculates an exclusive-or value of the corresponding associated shared key packet held by the other service node and the virtual link state data and obtains the shared key, or, further, one service node calculates an exclusive-or value of a data packet and the shared key and sends the exclusive-or value to the other service node, and the other service node calculates an exclusive-or value of the exclusive-or value and the shared key and obtains the data packet, wherein, the data packets include random number packets or message packets.
18. A quantum relay link virtualization apparatus, comprising: a quantum node device, a virtualization server device, performing the method of any one or more of claims 1-3, wherein the device comprises a software module, or a hardware module, or an integrated module of software and hardware.
19. The quantum relay link virtualization apparatus of claim 18, wherein the quantum node apparatus comprises:
a transceiver, configured to report topology information of the quantum node to a virtualization server device or a network controller, receive a virtualization instruction issued by the virtualization server device or the network controller, and send a virtual node routing state to the virtualization server device,
a data processing unit for negotiating a shared key packet with a neighboring target node, creating a virtual node routing state associated with a target key relay link,
a node virtualization unit for storage and output management of virtual node routing states,
wherein, the virtual node routing state comprises: an exclusive-or value of a shared key packet between a target relay node and two adjacent target nodes and its corresponding identification, the virtualization instruction to indicate any one or any plurality of: global identification, data format of shared key grouping, data structure of virtual node routing state, identification of a target receiver and data transmission mode, wherein the topological information comprises: identification of the node, link status between the node and each neighboring target node.
20. The quantum relay link virtualization device according to claim 19, wherein the virtualization server device comprises:
a memory for storing programs and instructions,
a data processing unit for executing, by calling the programs and instructions stored in the memory: according to the relay link virtualization requests acquired by the transceiver, determining the identifier of the target service node and the identifier of the target relay node associated with each relay link virtualization request, determining virtualization instructions and issuing them to all corresponding target nodes; and further configured to perform: an XOR operation on the virtual node routing state data sent by all the target relay nodes, creating link identifiers for the XOR results, and storing, outputting, or storing and outputting the XOR results together with their link identifiers,
the transceiver is used for receiving topology information of a corresponding node reported by a target node, acquiring a relay link virtualization request, and issuing a virtualization instruction corresponding to the relay link virtualization request to each target node on the relay link, so that each target node negotiates a shared key and creates a virtual node routing state according to the virtualization instruction, receives the virtual node routing state and sends the virtual node routing state to the data processing unit.
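The XOR chain that claims 1, 3, 4, 10, 17 and 20 describe in words, as an added Python model (not the patent's own code): relay contributions carrying their identifiers, the receiver's chain check and XOR, the digest-based correctness check, key recovery by the second service node, and the random-number refresh. The A-R1-R2-B topology, the 32-byte packet format, the identifier value and SHA-256 as the digest are assumptions.

```python
"""XOR relay-link virtualization of claims 1, 3, 4, 10 and 17 as a constructed model.
Topology: service node A, relays R1 and R2, service node B; the target receiver
collects the relays' contributions. Random bytes stand in for QKD key packets."""
import hashlib
import secrets
from dataclasses import dataclass

PACKET_LEN = 32  # assumed data format of a shared key packet: 32 bytes


def xor(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR; both packets must use the same data format (same length)."""
    if len(a) != len(b):
        raise ValueError("shared key packets must have the same data format")
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass(frozen=True)
class VirtualNodeRoutingState:
    """A relay's XOR value plus its claim-10 identifier (global id, relay, neighbours)."""
    global_id: str
    relay: str
    prev_node: str
    next_node: str
    data: bytes


def relay_contribution(global_id, relay, prev_node, next_node, key_prev, key_next):
    """Claim 1, relay side: XOR the packets shared with the two neighbours.
    Only this value leaves the relay; it then destroys both packets (claim 2)."""
    return VirtualNodeRoutingState(global_id, relay, prev_node, next_node,
                                   xor(key_prev, key_next))


def build_virtual_link_state(global_id, node_a, node_b, states):
    """Claim 1, receiver side: require one unbroken relay chain from node_a to
    node_b under the requested global id, then XOR all contributions. Inner
    relay keys cancel, leaving key(A,R1) XOR key(Rn,B). Returns (identifier, data)."""
    if not states or any(s.global_id != global_id for s in states):
        raise ValueError("contributions must carry the requested global id")
    path = [node_a] + [s.relay for s in states] + [node_b]
    for s, prev, nxt in zip(states, path, path[2:]):
        if (s.prev_node, s.next_node) != (prev, nxt):
            raise ValueError(f"relay chain broken at {s.relay}")
    data = bytes(PACKET_LEN)
    for s in states:
        data = xor(data, s.data)
    return {"global_id": global_id, "service_nodes": (node_a, node_b)}, data


def link_state_is_correct(key_a: bytes, link_data: bytes, key_b: bytes) -> bool:
    """Claim 4: A sends sha256(key_a XOR V), B sends sha256(key_b); equal digests
    mean V == key_a XOR key_b, and no key material crosses the network."""
    digest_a = hashlib.sha256(xor(key_a, link_data)).digest()
    digest_b = hashlib.sha256(key_b).digest()
    return secrets.compare_digest(digest_a, digest_b)


def derive_shared_key(own_key: bytes, link_data: bytes) -> bytes:
    """Claim 17: the node whose packet was not chosen as the shared key recovers
    the peer's packet: key_b XOR (key_a XOR key_b) == key_a."""
    return xor(own_key, link_data)


def refreshed_link_state(link_data: bytes, value_a: bytes, value_b: bytes) -> bytes:
    """Claim 3: A sends key_a XOR rand_a, B sends key_b XOR rand_b; the receiver
    XORs both into V and obtains rand_a XOR rand_b, the refreshed link state."""
    return xor(xor(link_data, value_a), value_b)


def run_example() -> dict:
    """Drive the protocol on constructed packets and report what each party can check."""
    k_ar1, k_r1r2, k_r2b = (secrets.token_bytes(PACKET_LEN) for _ in range(3))
    gid = "VL-0001"  # assumed global identifier value
    states = [relay_contribution(gid, "R1", "A", "R2", k_ar1, k_r1r2),
              relay_contribution(gid, "R2", "R1", "B", k_r1r2, k_r2b)]
    ident, link = build_virtual_link_state(gid, "A", "B", states)
    r_a, r_b = secrets.token_bytes(PACKET_LEN), secrets.token_bytes(PACKET_LEN)
    new_link = refreshed_link_state(link, xor(k_ar1, r_a), xor(k_r2b, r_b))
    return {
        "identifier": ident,
        "link_equals_end_keys": link == xor(k_ar1, k_r2b),  # inner relay key cancelled
        "verified": link_state_is_correct(k_ar1, link, k_r2b),
        "b_recovers_a_key": derive_shared_key(k_r2b, link) == k_ar1,
        "refresh_equals_randoms": new_link == xor(r_a, r_b),
    }
```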
CN201910820367.0A 2019-09-01 2019-09-01 Quantum relay link virtualization method and device Active CN110690928B (en)

Publications (2)

Publication Number Publication Date
CN110690928A CN110690928A (en) 2020-01-14
CN110690928B true CN110690928B (en) 2020-10-16

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant