CN110690961A - Quantum network function virtualization method and device - Google Patents
Publication number: CN110690961A (application CN201910820377.4A)
Authority: CN (China)
Legal status: Granted
Classifications (CPC)
- H04L9/0838—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
- H04B10/29—Repeaters (transmission systems employing electromagnetic waves other than radio-waves, e.g. quantum communication)
- H04B10/70—Photonic quantum communication
- H04L63/0823—Network security protocols for authentication of entities using certificates
- H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
- H04L9/085—Secret sharing or secret splitting, e.g. threshold schemes
- H04L9/0852—Quantum cryptography
- H04L9/0855—Quantum cryptography involving additional nodes, e.g. quantum relays, repeaters, intermediate nodes or remote nodes
- H04L9/3236—Entity or message authentication using cryptographic hash functions
- H04L9/3239—Entity or message authentication using non-keyed hash functions, e.g. modification detection codes [MDCs], MD5, SHA or RIPEMD
- H04L9/3247—Entity or message authentication involving digital signatures
- H04L9/3263—Entity or message authentication involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
- H04L9/3268—Certificate-based authentication using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
Abstract
The invention provides a quantum network function virtualization method comprising the following steps: each target node of the target network creates a current virtual node state and sends it to one or more target receivers, and the target receivers encapsulate the current virtual node states of all the target nodes, together with their corresponding identifiers, into a virtual network state or a virtual network state slice. The invention also provides a quantum network function virtualization device. The invention can solve problems of quantum networks such as concurrency conflicts between large-scale quantum links and the large delay of quantum relay links; it has quantum security and high efficiency, can be widely used in quantum networks, and has good application and popularization prospects.
Description
Technical Field
The invention relates to the technical field of quantum communication networks and application thereof, in particular to a quantum network function virtualization method and device.
Background
A quantum node in a quantum communication network generally consists of a classical communication unit connected to a classical communication network and a quantum device unit connected to a Quantum Key Distribution (QKD) network. Because practical quantum relay technology that does not require the key to land at intermediate nodes is lacking, QKD networks typically employ quantum trusted relay technology. However, this network mode suffers from high network complexity, concurrency conflicts between large-scale quantum links, large trusted relay delay, difficult trusted security management of relay nodes and the like. Solving these problems is of great practical significance to the application and popularization of quantum communication networks, and quantum network virtualization is an innovative route for solving them.
Disclosure of Invention
In order to solve the technical problems in the background art, the present invention provides a quantum network function virtualization method and apparatus. The invention provides a quantum network function virtualization method comprising the following steps: each target node of the target network creates a current virtual node state and sends it to one or more target receivers, and the one or more target receivers create an identifier for the current virtual node states of all or a part of the target nodes (for convenience, the current virtual node states of all or a part of the target nodes and their corresponding identifiers are hereinafter referred to as a virtual network state); or, further, encapsulate the current virtual node states of all or a part of the target nodes and their corresponding identifiers into a data file (for convenience, the data file is hereinafter referred to as a virtual network state slice). The target nodes comprise some or all of the relay nodes and serving nodes (or access nodes) in the target network. The virtual node state includes a part or all of the virtual node routing states of the target node, where one virtual node routing state consists of the exclusive OR value of the shared key groups between the target node and its two adjacent target nodes, and the corresponding virtual node routing state identifier.
Optionally, the method further includes: creating a virtual mapping network of a target network, comprising: a distributed virtual mapping network, or/and a centralized virtual mapping network; the distributed virtual mapping network is characterized in that: each target node creates a virtual node; the centralized virtual mapping network is characterized in that: the third-party server creates a virtual node for each target node; wherein, the virtual mapping network comprises: network link topology information between target nodes; the virtual nodes are used for storing or outputting corresponding virtual node states.
Optionally, the method further includes: creating a virtual link state between any two serving nodes (for convenience, a source node and a sink node) among some or all of the serving nodes in the target network, comprising: selecting a virtual network state or a virtual network state slice; selecting a key relay link between the source node and the sink node; screening out, from the virtual network state or virtual network state slice, the virtual node routing data in all virtual node states associated with the key relay link; calculating the exclusive-or value of all that virtual node routing data; and creating an identifier for the exclusive-or value (for convenience, the exclusive-or value is recorded as virtual link state data, the identifier as a virtual link state identifier, and the two together as the virtual link state between the source node and the sink node); or, further, encapsulating some or all of the virtual link states between any two serving nodes in a part or all of the serving nodes of the target network into one or more data files (for convenience, referred to as virtual link network slices). The virtual node routing data comprises the exclusive or value of the shared key groups between the target node and its two associated neighboring nodes. The virtual link state identifier comprises the global identifier and the identifiers of the source node and the sink node. The key relay link between the source node and the sink node is selected, according to the virtual network routing topology information, as the key relay link passing through the fewest relay nodes, or as a randomly chosen communicable key relay link.
Optionally, the method further includes: the target node performs identity authentication with a neighboring target node or/and a network controller, wherein the identity authentication comprises: CA certificate based authentication or initial root key based authentication.
Optionally, the method further includes: the target node reports topology information of the target node to a network controller or a target receiver, wherein the topology information comprises: identification of the target node, link status between the target node and each neighboring target node.
Optionally, the method further includes: the target node receives a virtualization instruction issued by a network controller or a target receiver, wherein the virtualization instruction is used for indicating any one or more of the following contents: global identification, data format of shared key grouping, data structure of virtual node routing state, data structure of virtual node state, identification of target receiver and data transmission mode. Optionally, any one or more of the following is determined according to established system policies: global identification, data format of shared key grouping, data structure of virtual node routing state, data structure of virtual node state, data structure of virtual network state, data structure of virtual link state, identification of target receiver and data transmission mode.
Optionally, the method further includes: the virtual node states form a virtual node state blockchain in time order; the virtual node state blockchain is formed by creating a block header for each virtual node state, with the virtual node state as the block body, where the block header comprises but is not limited to a block number, a timestamp and a hash value of the block, and the block number is the same as the global identifier or has a one-to-one correspondence with it.
Optionally, the method further includes: the virtual network states form a virtual network state blockchain in time order; the virtual network state blockchain is formed by creating a block header for each virtual network state, with the virtual network state as the block body, where the block header comprises but is not limited to a block number, a timestamp and a hash value of the block, and the block number is the same as the global identifier or has a one-to-one correspondence with it.
Optionally, the method further includes: the virtual link network slices form a virtual link network slice blockchain in time order; the virtual link network slice blockchain is formed by creating a block header for each virtual link network slice, with the virtual link network slice as the block body, where the block header comprises but is not limited to a block number, a timestamp and a hash value of the block, and the block number is the same as the global identifier or has a one-to-one correspondence with it.
Optionally, the method further includes: a method for encapsulating the virtual network states or virtual network state slices of two different target networks into a cross-domain interworking virtual network state or virtual network state slice, comprising: if a serving node exists that accesses both target networks simultaneously, one such serving node is selected, and the XOR value and identifier of its two corresponding associated shared key groups are used as a virtual node routing state, which together with the virtual network states or virtual network state slices of the two target networks forms the cross-domain interworking virtual network state or slice; if no serving node accesses both target networks simultaneously, a trusted third party distributes a shared key group (for convenience, denoted Ka and Kb respectively) to one serving node in each of the two target networks; one of these serving nodes then uses the exclusive or value and identifier of its corresponding associated shared key group and Ka as a virtual node routing state, the other uses the exclusive or value and identifier of its corresponding associated shared key group and Kb as a virtual node routing state, and if Ka differs from Kb the trusted third party uses the exclusive OR value and identifier of Ka and Kb as a further virtual node routing state; these virtual node routing states together with the virtual network states or virtual network state slices of the two target networks form the cross-domain interworking virtual network state or slice.
Optionally, the method further includes: setting conditions for creating a virtual network state or slice, including: the intended recipient has received the virtual node routing state required to create a virtual quantum link state between any two serving nodes, or has reached a defined time to create a current virtual network state or slice.
Optionally, the method further includes: marking the freshness of the virtual network state (or/and the virtual link state) according to its generation time or/and its usage frequency, where the freshness decreases with the age of the state and with its usage frequency.
Optionally, the method further includes: the intended recipient sends one or more virtual network states (or virtual link network slices) to the virtual link service broker means, or/and the virtual link service means.
Optionally, the method further includes: providing a virtual link service, comprising sending one or more virtual link states associated with two serving nodes to the two serving nodes or/and to an application device served by the two serving nodes, where the application device comprises a cryptographic application device, an agent device of a serving node, or a virtual link service agent device.
Optionally, the method further includes: providing a shared key negotiation service. The target receiver sends a virtual link state to the two associated serving nodes. The two serving nodes negotiate to adopt the associated shared key group of one of them as the shared key; correspondingly, the other serving node calculates the exclusive OR value of its own stored corresponding associated shared key group and the virtual link state data, and thereby obtains the shared key. Or, further, one serving node calculates the exclusive OR value of a data group and the shared key and sends that value to the other serving node, which calculates the exclusive OR value of the received value and the shared key and thereby obtains the data group, where the data group comprises a random number group or a message group.
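The virtual link state construction and the shared key negotiation service described above, simulated end to end as an added example (Python, not the patent's own code). It assumes a constructed path S-R1-R2-R3-D, random bytes standing in for the QKD shared key groups, a constructed global identifier, and SHA-256 as one possible choice for the "hash value of the block" in the virtual network state block header.

```python
import hashlib
import secrets
from functools import reduce

KEY_LEN = 32   # constructed: shared key group length in bytes (same format network-wide)
GLOBAL_ID = 7  # constructed: global identifier of this virtualization round


def xor(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("shared key groups must share one data format and length")
    return bytes(x ^ y for x, y in zip(a, b))


def qkd_links(edges, key_len=KEY_LEN):
    """Stand-in for point-to-point QKD: one fresh random key group per adjacent
    pair, held only by the two endpoints of that edge."""
    return {frozenset(e): secrets.token_bytes(key_len) for e in edges}


def relay_routing_state(node, left, right, links, global_id):
    """A relay node's virtual node routing state: the XOR of the key groups it
    shares with its two neighbours plus an identifier. Because each group is a
    fresh uniform one-time value, the XOR reveals nothing about either group,
    and the relay can discard both after publishing."""
    value = xor(links[frozenset((left, node))], links[frozenset((node, right))])
    return {"id": (global_id, node, left, right), "xor": value}


def virtual_network_state(path, links, global_id):
    """s101/s102: every relay creates its current state; the target receiver
    collects them and attaches a block header (block number = global id,
    SHA-256 over the body; timestamp omitted in this simulation)."""
    relays = path[1:-1]
    states = {r: relay_routing_state(r, path[i], path[i + 2], links, global_id)
              for i, r in enumerate(relays)}
    body = b"".join(repr(states[r]["id"]).encode() + states[r]["xor"] for r in relays)
    header = {"block_number": global_id, "hash": hashlib.sha256(body).hexdigest()}
    return {"header": header, "states": states}


def virtual_link_state(path, vns, global_id):
    """Select the routing data of the relays on the chosen key relay link and XOR
    them. Every intermediate key group appears twice and cancels, so the result
    equals K(source, first relay) XOR K(last relay, sink)."""
    relays = path[1:-1]
    data = []
    for i, r in enumerate(relays):
        st = vns["states"].get(r)
        # Reject states from another round or another neighbour pair.
        if st is None or st["id"] != (global_id, r, path[i], path[i + 2]):
            raise ValueError(f"routing state for {r} missing or not for this link/round")
        data.append(st["xor"])
    return {"id": (global_id, path[0], path[-1]), "xor": reduce(xor, data)}


def negotiate_shared_key(path, links, vls):
    """Shared key negotiation service: the source adopts the group it shares with
    the first relay; the sink XORs its own group (shared with the last relay)
    with the virtual link state data and obtains the same key."""
    k_src = links[frozenset((path[0], path[1]))]
    k_dst = links[frozenset((path[-2], path[-1]))]
    return k_src, xor(k_dst, vls["xor"])


def run_demo(path=("S", "R1", "R2", "R3", "D")):
    """Constructed topology; returns (keys agree, data group recovered)."""
    links = qkd_links(list(zip(path, path[1:])))
    vns = virtual_network_state(path, links, GLOBAL_ID)
    vls = virtual_link_state(path, vns, GLOBAL_ID)
    k_src, k_dst = negotiate_shared_key(path, links, vls)
    # One-time-pad transfer of a data group with the negotiated key (used once).
    msg = b"constructed data group"
    ct = xor(msg, k_src[:len(msg)])
    pt = xor(ct, k_dst[:len(ct)])
    return k_src == k_dst, pt == msg


if __name__ == "__main__":
    print(run_demo())  # (True, True)
```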
The invention also provides a quantum network function virtualization device, which comprises but is not limited to a node device and a virtualization server device that execute any one of the methods described above, where the device comprises a software module, a hardware module, or an integrated software and hardware module.
Compared with a conventional QKD network adopting quantum trusted relay technology, the method has the following innovations: the invention separates the quantum relay link service from the QKD network, does not need to coordinate QKD link resources in real time to carry out trusted relay of quantum keys, and can effectively solve the problems of concurrency conflicts and trusted relay delay of large-scale relay links in the QKD network; the quantum relay node does not need to store a quantum key, so the security management risk of the quantum relay node is reduced. Therefore, the invention has good application and popularization prospects for large-scale application of quantum communication networks.
Drawings
Fig. 1 is a schematic diagram of a quantum network function virtualization method according to an embodiment of the present invention;
fig. 2 is a schematic flow chart of a quantum network function virtualization according to an embodiment of the present invention;
fig. 3 is a schematic diagram of a method for creating a virtual node state by a quantum relay node according to an embodiment of the present invention;
fig. 4 is a schematic diagram of a method for creating a virtual node state by a quantum service node according to an embodiment of the present invention;
fig. 5 is a schematic diagram of a method for creating a virtual link state according to an embodiment of the present invention;
fig. 6 is a schematic diagram of a quantum network function virtualization application network according to an embodiment of the present invention;
fig. 7 is a schematic diagram illustrating a method for negotiating a shared key packet according to an embodiment of the present invention;
fig. 8 is a schematic diagram illustrating another method for negotiating a shared key packet according to an embodiment of the present invention;
fig. 9 is a schematic diagram of a data structure of a shared key packet according to an embodiment of the present invention;
fig. 10 is a schematic diagram of a virtual node routing state identifier according to an embodiment of the present invention;
fig. 11 is a schematic diagram of a virtual node state of a node according to an embodiment of the present invention;
fig. 12 is a schematic diagram illustrating a method for creating a cross-domain interworking virtual network state (or slice) according to an embodiment of the present invention;
fig. 13 is a schematic diagram of a node device for quantum network virtualization according to an embodiment of the present invention;
fig. 14 is a schematic diagram of a virtualization server device for quantum network virtualization according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention and some terms and meanings thereof will be described below.
(1) Target networks to which embodiments of the present invention are applicable include, but are not limited to, any of the following: quantum key distribution networks, quantum communication networks, quantum sensing networks, the quantum secure internet, and other networks that adopt a point-to-point single-hop landing forwarding mode for relay transmission. Accordingly, target quantum nodes in embodiments of the invention include, but are not limited to, some or all quantum relay nodes in the target quantum network and some or all quantum service nodes (or quantum access nodes) in the target quantum network. Target quantum nodes in embodiments of the present invention include, but are not limited to, nodes that access the target quantum network through a fiber interface or a wireless (free-space) interface.
(2) Virtualization in the embodiments of the invention means the electronic representation or instantiation of quantum network functions, such that the resulting data can be used separately from the physical network to which it belongs.
(3) The target relay node of the embodiment of the invention is a node used as a relay in a target network, or a node which has at least two adjacent nodes on one or more relay links and is used as a relay, wherein the relay node does not store a key which is negotiated between the relay node and the adjacent nodes and is used for virtualizing the function of the target network; serving nodes (or access nodes) refer to other nodes in the target network that are not used for relaying or are not used directly for relaying (in some possible designs, serving nodes may be used for relaying through virtual nodes); in addition, for a specific embodiment of the present invention, the corresponding target network includes the relay node and the serving node included in the above embodiment.
(4) The communication channels used for the quantum network in embodiments of the present invention include quantum channels and conventional communication network channels. Only quantum key distribution between adjacent quantum nodes (an adjacent quantum node pair refers to two nodes capable of normal point-to-point QKD or quantum communication, the same below) requires a quantum channel or link; all other communication processes use conventional communication network channels, which include but are not limited to one or more of wired communication and wireless/mobile/satellite communication channels.
(5) The terms "virtual node routing status", "virtual node status", "virtual network status", "virtual link network status", etc. used in the embodiments of the present invention are only used to mark corresponding data or files, and are not used to limit corresponding data or files, and all schemes that are merely replacing names and have no substantive difference belong to the protection scope of the present invention.
(6) A shared key group in the embodiments of the invention is shared data of a certain data length. Because different application systems have different requirements on the length of the shared key and the rates of point-to-point QKD links differ, the invention does not specifically limit the data length of the shared key group; the data length is counted in a common data unit (e.g. bit, byte). In practice, the data length of the shared key group (e.g. 2048 bits, 100 kbytes, 10 mbytes, 1 gbyte, or any other length that meets the requirements of the system) may be determined according to the key rate of the QKD system in actual use, the specific requirements of the application system, or future industry standard requirements. It should be clear that, within each virtualization process of the same embodiment, the shared key groups negotiated between all neighboring target nodes have the same data format (including but not limited to data type, data length, and data read and write order).
(7) The global identifier in the embodiments of the invention is a virtualization identifier kept consistent by all nodes in a target network. That is, before a virtual node routing state is created, a target quantum relay node and its adjacent target quantum nodes confirm the negotiated shared key group and the global identifier of the virtual node routing state to be created; the target quantum relay node and the adjacent target quantum relay node each use the negotiated shared key group to create a virtual node routing state or/and a virtual node state with the same global identifier, and the group identifier of the corresponding shared key group stored by the adjacent target quantum service node is consistent with the global identifier. The global identifier may be used to distinguish different target networks, and also to distinguish different embodiments within a target network. It may be a global number unified across the whole network, or an identifier combining the target network identifier with the global number.
In order to make the technical solutions and advantages of the present invention clearer, the present invention is described in detail below with reference to the accompanying drawings and specific embodiments.
Fig. 1 is a schematic diagram of a quantum network function virtualization method according to an embodiment of the present invention, including the steps of:
s101: each target node of the target network respectively creates a current virtual node state and respectively sends the current virtual node state to one or more target receivers;
s102: the one or more target receivers create identifiers for the current virtual node states of all the target nodes (for convenience, the current virtual node states of all the target nodes and their corresponding identifiers are hereinafter referred to as a virtual network state); or, further, the current virtual node states of all the target nodes and their corresponding identifiers are packaged as a data file (for convenience, the data file is referred to as a virtual network state slice); wherein the target node comprises: some or all of the relay nodes and serving nodes (or access nodes) in the target network; the virtual node state includes a part or all of the virtual node routing states of the target node, wherein one virtual node routing state includes: the exclusive OR value of the shared key packets between the target node and two adjacent target nodes, and the corresponding virtual node routing state identifier.
Fig. 2 is a schematic flow chart of a quantum network function virtualization process according to an embodiment of the present invention, which further illustrates the method; the method comprises the following steps:
s201: the quantum node reports topology information of the corresponding node to a network controller, wherein the topology information includes but is not limited to: the quantum node identification and the link state between the quantum node and each adjacent quantum node;
s202: the network controller issues a virtualization instruction, that is, the network controller issues the virtualization instruction to the quantum node, where the virtualization instruction is used to indicate: global identification, data format of sharing quantum key grouping, data structure of virtual node routing state, data structure of virtual node state, identification of target receiver and data transmission mode;
s203: negotiating quantum key groups with adjacent nodes, that is, each quantum node negotiates a shared quantum key group with each of its adjacent target quantum nodes;
s204: each quantum node respectively creates a virtual node state;
s205: each quantum node respectively sends the corresponding virtual node state to a target receiver;
s206: the target recipient creates a virtual quantum network state.
In the above embodiments, the creation of virtual node states by the quantum nodes is illustrated by the method for creating a virtual node state by a quantum relay node shown in fig. 3 and the method for creating a virtual node state by a quantum service node shown in fig. 4, both provided in the embodiment of the present invention.
The method for creating the virtual node state by the quantum relay node provided by the embodiment of the invention comprises the following steps (as shown in fig. 3): s301: respectively negotiating a shared quantum key group with each of n adjacent target nodes (wherein n is a natural number greater than 1 and not greater than the number of all nodes adjacent to the relay node);
s302: calculating the xor value of any two of the shared quantum key packets and creating a corresponding identifier (for convenience, the xor value is hereinafter referred to as virtual node routing state data, the identifier is referred to as a virtual node routing state identifier, and the xor value and the corresponding identifier are referred to as a virtual node routing state), creating C (n,2) virtual node routing states (that is, creating virtual node routing state identifiers for all the C (n,2) virtual node routing states, respectively), and deleting the n shared quantum key packets;
s303: a node identifier is created for the C (n,2) virtual node routing states (for convenience, the node identifier is hereinafter referred to as a virtual node state identifier, and the C (n,2) virtual node routing states and their corresponding node identifiers are hereinafter referred to as a virtual node state). Optionally, in another possible embodiment, the C (n,2) virtual node routing statuses and their corresponding node identifications may be further encapsulated as a data file, and the data file is taken as a virtual node status; the data file includes but is not limited to a data list file or a database file, and a certain or some virtual node routing state can be quickly acquired by accessing the data file.
The method for creating the virtual node state by the quantum service node provided by the embodiment of the invention comprises the following steps (as shown in fig. 4): s401: negotiating a shared quantum key packet with each of m adjacent destination nodes, respectively (where m is a natural number greater than 0);
s402: creating virtual relay nodes, generating a random number group, respectively calculating the exclusive or value of any two shared quantum key groups in the (m +1) shared quantum key groups, creating an identifier, and creating C (m +1,2) virtual node routing states; that is, the random number packet is used as one shared quantum key packet between the virtual relay node and the service node, m adjacent target nodes and the service node are used as (m +1) adjacent target nodes of the virtual relay node, the exclusive or value of any two shared quantum key packets in the (m +1) shared quantum key packets is calculated, and a corresponding identifier is created (for convenience, the exclusive or value is hereinafter referred to as virtual node routing state data, the identifier is referred to as virtual node routing state identifier, and the exclusive or value and the corresponding identifier are referred to as a virtual node routing state);
s403: creating node identifiers for the C (m +1,2) virtual node routing states (for convenience, the node identifiers are referred to as virtual node state identifiers hereinafter, and the node identifiers together with the corresponding C (m +1,2) virtual node routing states are referred to as a virtual node state); the random number packet is stored securely, wherein the random number packet and the shared quantum key packet have the same data format; alternatively, in another possible embodiment, the C (m +1,2) virtual node routing states and their corresponding node identifiers may be encapsulated as a data file, and the data file may be used as a virtual node state. The data file includes, but is not limited to, a data list file or a database file, and one or more virtual node states can be quickly acquired by accessing the data file.
In one possible design, the network controller may determine and issue the virtualization instruction according to a request of the target recipient.
In one possible design, in the above embodiment, a time limit for receiving the virtual node routing states is set; if the virtual node routing state of one or more quantum nodes is not received within the time limit, a retransmission instruction is issued to those quantum nodes, or, if those quantum nodes are confirmed to be abnormal, they are removed from the target quantum nodes of the target quantum network.
In a possible design, in the above embodiment, the target quantum nodes in the target quantum network are selected according to the topology information reported by the nodes, and if a selected target quantum node is in an abnormal condition, does not report its topology information on time, or does not send a virtual node routing state, it is removed from the target quantum nodes of the target quantum network.
Fig. 5 is a schematic diagram of a method for creating a virtual quantum link state according to an embodiment of the present invention, that is, creating a virtual quantum link state between any two quantum service nodes (for convenience, denoted as a source node and a sink node) among some or all quantum service nodes in a target quantum network, where the method includes: s501: selecting a virtual quantum network state or a virtual network state slice; s502: selecting a quantum key relay link between the source node and the sink node, screening out, from the virtual quantum network state or virtual network state slice, the virtual node routing data of all virtual quantum node routing states associated with the quantum key relay link, calculating the exclusive-or value of all that virtual node routing data, and creating a virtual quantum link state identifier for the exclusive-or value (for convenience, the exclusive-or value is recorded as virtual quantum link state data, and the virtual quantum link state identifier together with its corresponding exclusive-or value is recorded as the virtual quantum link state between the source node and the sink node); s503: encapsulating the virtual quantum link states between any two quantum service nodes among some or all quantum service nodes in the target quantum network into one or more data files (for convenience, the data files are recorded as virtual quantum link network slices); the data file includes but is not limited to a data list file or a database file, and one or more virtual link states can be rapidly acquired by accessing the data file; the virtual quantum link state identifier includes, but is not limited to: the global identifier, the identifiers of the source node and the sink node, and a check value of the virtual link state data; the method for selecting a quantum key relay link between the source node and the sink node includes but is not limited to: selecting the quantum key relay link that passes through the fewest quantum relay nodes according to the virtual quantum network routing topology information, or randomly selecting a communicable quantum key relay link.
The application method of the foregoing embodiment of the present invention is further described with reference to the application embodiment of the quantum network function virtualization method provided in the embodiment of the present invention shown in fig. 6. As shown in fig. 6, the target quantum nodes in the target quantum network include 5 service nodes (S1, S2, S3, S4 and S5) and 5 relay nodes (R1, R2, R3, R4 and R5). Assume that, in one quantum network function virtualization flow, the shared quantum key packet negotiated between S1 and R1 is Ks1r1; the shared quantum key packet negotiated between R1 and R2 is Kr1r2, and that between R1 and R5 is Kr1r5; that between R2 and R3 is Kr2r3; that between R3 and R4 is Kr3r4, that between R3 and R5 is Kr3r5, and that between R3 and S3 is Kr3s3; that between S4 and R5 is Ks4r5; that between R4 and S2 is Kr4s2; that between R4 and S5 is Kr4s5; and S1, S2, S3, S4 and S5 generate random number packets RKs1, RKs2, RKs3, RKs4 and RKs5, respectively.
The corresponding virtual network state, following the adjacencies listed above and the creation methods of fig. 3 and fig. 4, includes: 3 virtual node routing states of R1, namely (Ks1r1⊕Kr1r2), (Ks1r1⊕Kr1r5) and (Kr1r2⊕Kr1r5); 1 virtual node routing state of R2, namely (Kr1r2⊕Kr2r3); 6 virtual node routing states of R3, namely (Kr2r3⊕Kr3r4), (Kr2r3⊕Kr3s3), (Kr2r3⊕Kr3r5), (Kr3r5⊕Kr3r4), (Kr3r5⊕Kr3s3) and (Kr3s3⊕Kr3r4); 3 virtual node routing states of R4, namely (Kr3r4⊕Kr4s2), (Kr3r4⊕Kr4s5) and (Kr4s2⊕Kr4s5); 3 virtual node routing states of R5, namely (Kr1r5⊕Kr3r5), (Kr1r5⊕Ks4r5) and (Kr3r5⊕Ks4r5); and 1 virtual node routing state of each service node, namely (RKs1⊕Ks1r1) for S1, (RKs2⊕Kr4s2) for S2, (RKs3⊕Kr3s3) for S3, (RKs4⊕Ks4r5) for S4 and (RKs5⊕Kr4s5) for S5.
In one possible design, since R2 is an optional relay node, the virtual network state may not include the virtual node routing state of R2, or R2 may not be the target relay node.
In one possible design, a respective virtual link network slice may be created that may include virtual link states between any two of S1, S2, S3, S4, and S5, e.g., between S1 and S2:
VQL_s1s2 = (RKs1⊕Ks1r1) ⊕ (Ks1r1⊕Kr1r2) ⊕ (Kr1r2⊕Kr2r3) ⊕ (Kr2r3⊕Kr3r4) ⊕ (Kr3r4⊕Kr4s2) ⊕ (RKs2⊕Ks2r4) = RKs1 ⊕ RKs2;
virtual link state between S1 and S3:
VQL_s1s3 = (RKs1⊕Ks1r1) ⊕ (Ks1r1⊕Kr1r2) ⊕ (Kr1r2⊕Kr2r3) ⊕ (Kr2r3⊕Kr3s3) ⊕ (RKs3⊕Ks3r3) = RKs1 ⊕ RKs3;
the other (C (5,2) - 2) virtual link states may be calculated in a similar manner.
It should be clear that the above-mentioned identification of the shared quantum key packet has symmetry, i.e. Krirj = Krjri, and the identification of the virtual link state also has similar symmetry, e.g. VQL_sisj = VQL_sjsi.
In one possible design, the virtual network state may not include the virtual node routing state of S1, S2, S3, S4, and S5, and the corresponding virtual link state becomes the exclusive or value of the associated two shared quantum key packets, e.g., the virtual link state between S1 and S2:
VQL_s1s2 = (Ks1r1⊕Kr1r2) ⊕ (Kr1r2⊕Kr2r3) ⊕ (Kr2r3⊕Kr3r4) ⊕ (Kr3r4⊕Kr4s2) = Ks1r1 ⊕ Kr4s2;
the other virtual link states may be calculated in the same way.
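The fig. 6 flow above, from shared key packets to virtual node states to virtual link states, implemented end to end as an added example (this is my code, not the patent's): every packet is a constructed 16-byte random value, each relay node builds its C(n,2) routing states as in s302, each service node adds its random number packet as the virtual relay node's extra neighbour as in s402, and the virtual link state is the XOR along a chosen relay link as in s502. The function names, the tuple layout of the routing state identifier and the choice of relay link are my own assumptions.

```python
import os
from itertools import combinations

GLOBAL_ID = 1      # global identifier of this virtualization flow (constructed value)
PACKET_LEN = 16    # constructed data length of every shared key packet, in bytes

# Adjacencies of fig. 6 exactly as the text lists them (S* service, R* relay nodes).
EDGES = [("S1", "R1"), ("R1", "R2"), ("R1", "R5"), ("R2", "R3"), ("R3", "R4"),
         ("R3", "R5"), ("R3", "S3"), ("S4", "R5"), ("R4", "S2"), ("R4", "S5")]
SERVICE_NODES = ("S1", "S2", "S3", "S4", "S5")


def xor(a: bytes, b: bytes) -> bytes:
    """Exclusive-or of two packets that share one data format."""
    if len(a) != len(b):
        raise ValueError("shared key packets must have the same data length")
    return bytes(x ^ y for x, y in zip(a, b))


def neighbours(node: str) -> list:
    return sorted(b if a == node else a for a, b in EDGES if node in (a, b))


def routing_state_id(node: str, n1: str, n2: str) -> tuple:
    """Fig. 10 style identifier (assumed layout): global number, current node, two neighbours."""
    return (GLOBAL_ID, node) + tuple(sorted((n1, n2)))


def node_state(node: str, local_keys: dict) -> dict:
    """s302 / s402: XOR every pair of the node's packets, then delete the packets.

    local_keys maps a neighbour name to the packet shared with it.  A service
    node also stores its own random number packet under its own name, which
    plays the part of the virtual relay node's extra neighbour (s402).
    """
    state = {}
    for n1, n2 in combinations(sorted(local_keys), 2):
        state[routing_state_id(node, n1, n2)] = xor(local_keys[n1], local_keys[n2])
    local_keys.clear()   # s302: the plain packets are deleted once the XORs exist
    return state


def build_fig6(rng=os.urandom):
    """One virtualization flow over fig. 6 with constructed (random) packets.

    Returns the link packets (kept only to check the identities below; a real
    receiver never sees them), the service nodes' random number packets and the
    virtual network state: routing state identifier -> routing state data.
    """
    link_key = {frozenset(e): rng(PACKET_LEN) for e in EDGES}   # Krirj == Krjri
    rk = {s: rng(PACKET_LEN) for s in SERVICE_NODES}
    vns = {}
    for node in sorted({n for e in EDGES for n in e}):
        local = {nb: link_key[frozenset((node, nb))] for nb in neighbours(node)}
        if node in SERVICE_NODES:
            local[node] = rk[node]   # random number packet, kept secret by the service node
        vns.update(node_state(node, local))
    return link_key, rk, vns


def virtual_link_state(vns: dict, path: list, with_service_states: bool = True) -> bytes:
    """s502: XOR the routing state data of every node on the chosen relay link.

    A relay node contributes the state keyed by its previous and next hop; an
    end node contributes the state keyed by itself (its random number packet)
    and its first hop.  with_service_states=False skips the end nodes, which is
    the variant where the service node states are left out of the network state.
    """
    data = bytes(PACKET_LEN)
    last = len(path) - 1
    for i, node in enumerate(path):
        if i in (0, last):
            if not with_service_states:
                continue
            rid = routing_state_id(node, node, path[1] if i == 0 else path[last - 1])
        else:
            rid = routing_state_id(node, path[i - 1], path[i + 1])
        data = xor(data, vns[rid])
    return data


def run_fig6_checks() -> dict:
    """Evaluates the identities the text derives, on freshly built packets."""
    link_key, rk, vns = build_fig6()
    s1s2 = ["S1", "R1", "R2", "R3", "R4", "S2"]
    s1s3 = ["S1", "R1", "R2", "R3", "S3"]
    return {
        "routing_states": len(vns),
        "s1s2": virtual_link_state(vns, s1s2) == xor(rk["S1"], rk["S2"]),
        "s1s3": virtual_link_state(vns, s1s3) == xor(rk["S1"], rk["S3"]),
        "s1s2_no_service": virtual_link_state(vns, s1s2, False)
        == xor(link_key[frozenset(("S1", "R1"))], link_key[frozenset(("R4", "S2"))]),
    }


if __name__ == "__main__":
    print(run_fig6_checks())
```

Two things the run makes concrete: the target receiver that assembles the virtual network state only ever holds XORs of two independent packets, so no single shared key packet is recoverable from the 21 routing states it collects, and the relay link identity holds only if every node on the path XORed the same global identifier's packets, which is why s302 deletes the plain packets only after the routing states for that identifier exist.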
In one possible design, S1, S2, S3, S4, and S5 in the above embodiments may send the corresponding virtual node routing state in an encryption mode.
In one possible design, the C (5,2) = 10 virtual link states between the 5 service nodes in the above embodiment may be encapsulated into multiple subnet slices; for example, one subnet slice may be a virtual link network slice including the virtual link states between any two of S1, S2 and S3, and another subnet slice may be a virtual link network slice including the virtual link states between any two of S3, S4 and S5.
In one possible design, the target quantum node may include a part of the service nodes (a combination of any number of S1, S2, S3, S4, S5) and a part or all of the relay nodes (a part or all of R1, R2, R3, R4, and R5) in fig. 6, and create corresponding virtual network states or/and virtual link network slices using the above method.
In another possible design, the target network may be planned into a plurality of target network embodiments including different target service nodes according to different service requirements, and a virtual link network slice may be created for each target network embodiment.
In one possible design, the virtualization server or a third-party server sends the virtual link state VQL_s1s2 to S1 and S2 respectively, and S1 and S2 may negotiate a shared key based on VQL_s1s2: S1 calculates rk_a ⊕ RKs1 ⊕ VQL_s1s2 = rk_a ⊕ RKs1 ⊕ RKs1 ⊕ RKs2 = rk_a ⊕ RKs2 and sends the result to S2; S2 calculates RKs2 ⊕ rk_a ⊕ RKs2 = rk_a, so that rk_a is shared between S1 and S2. In another possible design, S1 and S2 may also use RKs1 or RKs2 as the shared key, e.g., if S1 and S2 agree to use RKs1 as the shared key, S2 may calculate RKs2 ⊕ VQL_s1s2 = RKs1 as the shared key.
In one possible design, the virtualization server or a third-party server sends the virtual link network slice to any combination of S1, S2, S3, S4 and S5, for example to S1, S2 and S3; S1, S2 and S3 agree to use the associated shared quantum key packet of one quantum service node (i.e., the corresponding random number packet) as the group shared key, the other quantum service nodes obtain that associated shared quantum key packet based on the virtual link network slice, and S1, S2 and S3 respectively inject it into their associated encryption devices. For example, assuming that the associated shared quantum key packet RKs1 of S1 is selected as the group shared key, S2 calculates RKs2 ⊕ VQL_s1s2 = RKs1 and S3 calculates RKs3 ⊕ VQL_s1s3 = RKs1, so that a group key is shared among multiple quantum service nodes based on the virtual link network slice, and encrypted communication among them can be realized based on that group shared key.
In one possible design, a virtualization server or a third-party server sends the virtual link network slice to any combination of S1, S2, S3, S4, and S5, respectively, where a quantum service node (denoted as a source node) selects a virtual quantum link network state or slice and encrypts target data of the source node using a shared quantum key group (i.e., the corresponding random number group) associated with the virtual quantum link network state or slice to obtain a ciphertext, creates a ciphertext identifier for the ciphertext and discloses the ciphertext and the ciphertext identifier thereof, and other quantum service nodes calculate an exclusive or value of the corresponding virtual quantum link state data and a corresponding associated shared quantum key group of the corresponding quantum service node based on the virtual quantum link network state or slice, obtain an associated shared quantum key group of the source node, decrypt the ciphertext using the associated shared quantum key group to obtain target data sent by the source node;
for example, with S1 as the source node and RKs1 ⊕ R as the published ciphertext of target data R:
S2 calculates RKs2 ⊕ VQL_s1s2 ⊕ RKs1 ⊕ R = RKs2 ⊕ RKs1 ⊕ RKs2 ⊕ RKs1 ⊕ R = R;
S3 calculates RKs3 ⊕ VQL_s1s3 ⊕ RKs1 ⊕ R = RKs3 ⊕ RKs1 ⊕ RKs3 ⊕ RKs1 ⊕ R = R;
the ciphertext identifier includes, but is not limited to: identification of virtual quantum link network state or slice, identification of source node and encryption mode; encryption methods include, but are not limited to, exclusive-or encryption using a symmetric cryptographic algorithm; the target data includes, but is not limited to, any one or more of the following: message grouping, random key data, sensing data, audio and video monitoring data, calculation data and data files.
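The three uses of a virtual link state described above, namely the rk_a key agreement between S1 and S2, recovery of RKs1 as a group key, and publish-and-decrypt data sharing, as an added example that is not the patent's own code. RKs1, RKs2, rk_a and the target data are constructed random packets, VQL_s1s2 is taken as already delivered by the server, SHA-256 stands in for the unspecified data digest of the correctness verification, and the ServiceNode class and its method names are my assumptions.

```python
import hashlib
import os

PACKET_LEN = 32   # constructed data length of the random number packets, in bytes


def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("packets must have the same data length")
    return bytes(x ^ y for x, y in zip(a, b))


class ServiceNode:
    """A quantum service node holding its associated random number packet RK."""

    def __init__(self, name: str, rk: bytes):
        self.name = name
        self._rk = rk   # never sent anywhere; only XORs involving it are disclosed

    # --- key agreement: S1 transports rk_a to S2 through VQL_s1s2 ---
    def offer_key(self, rk_a: bytes, vql_to_peer: bytes) -> bytes:
        """rk_a xor RK_self xor VQL = rk_a xor RK_peer (what the text has S1 send)."""
        return xor(xor(rk_a, self._rk), vql_to_peer)

    def accept_key(self, offer: bytes) -> bytes:
        """RK_self xor (rk_a xor RK_self) = rk_a (what the text has S2 compute)."""
        return xor(self._rk, offer)

    # --- group key: a node recovers the chosen node's RK from the link state ---
    def peer_rk(self, vql_to_peer: bytes) -> bytes:
        """RK_self xor VQL = RK_peer, e.g. RKs2 xor VQL_s1s2 = RKs1."""
        return xor(self._rk, vql_to_peer)

    # --- publish-and-decrypt data sharing ---
    def publish(self, data: bytes, vql_id: str):
        """Source node: ciphertext = RK_self xor data, plus the ciphertext identifier."""
        ct = xor(self._rk, data)
        ident = {"vql": vql_id, "source": self.name, "mode": "xor"}
        return ct, ident

    def recover(self, ct: bytes, vql_to_source: bytes) -> bytes:
        """RK_self xor VQL xor ct = RK_source xor ct = data."""
        return xor(self.peer_rk(vql_to_source), ct)


def digests_match(k1: bytes, k2: bytes) -> bool:
    """Correctness verification: both ends compare a digest, never the key itself."""
    return hashlib.sha256(k1).digest() == hashlib.sha256(k2).digest()


def run_s1_s2_demo() -> dict:
    """Plays the S1/S2 exchanges of the text with constructed packets."""
    rks1, rks2 = os.urandom(PACKET_LEN), os.urandom(PACKET_LEN)
    vql_s1s2 = xor(rks1, rks2)          # virtual link state as the server delivers it
    s1, s2 = ServiceNode("S1", rks1), ServiceNode("S2", rks2)

    rk_a = os.urandom(PACKET_LEN)       # the key S1 wants S2 to share
    got_a = s2.accept_key(s1.offer_key(rk_a, vql_s1s2))

    # Data sharing is run on a fresh pair of packets: each RK acts as a one-time
    # pad, so the packet already spent on the rk_a transport is not reused.
    rks1b, rks2b = os.urandom(PACKET_LEN), os.urandom(PACKET_LEN)
    vql_b = xor(rks1b, rks2b)
    src, dst = ServiceNode("S1", rks1b), ServiceNode("S2", rks2b)
    data = os.urandom(PACKET_LEN)       # constructed target data R of the source node
    ct, ident = src.publish(data, "VQL_s1s2#2")
    recovered = dst.recover(ct, vql_b)

    return {
        "key_agreed": got_a == rk_a,
        "digest_check": digests_match(got_a, rk_a),
        "group_key_is_rks1": s2.peer_rk(vql_s1s2) == rks1,
        "data_recovered": recovered == data and ident["source"] == "S1",
    }
```

The demo deliberately draws new packets before the publish-and-decrypt step: rk_a ⊕ RKs2 and RKs1 ⊕ R are both public, and VQL_s1s2 is held by the server, so spending the same RKs1 on both would let a holder of those three values form rk_a ⊕ R; refreshing the virtual network state per use is what the freshness labelling discussed later in the text exists for.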
Further, in one possible design, any one or more of the above S1, S2, S3, S4, and S5 may respectively transmit random number packets associated with one or more virtual quantum link network states or slices to other proxy devices, and the above method may be employed between proxy devices or between proxy devices and other quantum service nodes to negotiate shared keys or to share secure data.
Further, in one possible design, if a point-to-point quantum key distribution link exists between two target quantum service nodes in a certain embodiment, any one of the quantum service nodes may not have the other quantum service node as an adjacent target node.
Further, in a possible design, on the basis of any one of the above embodiments, the method may further include: creating a virtual mapping network of a target quantum network, comprising: distributed virtual mapping networks, centralized virtual mapping networks; the distributed virtual mapping network is characterized in that: each target quantum node creates a virtual quantum node; the centralized virtual mapping network is characterized in that: the third-party server creates a virtual quantum node for each target quantum node; wherein, the virtual mapping network further comprises: network link topology information between target quantum nodes; the virtual quantum nodes are used for storing or outputting corresponding virtual node states or virtual node routing states. Further, in another possible design, a quantum key relay link between two quantum service nodes (respectively referred to as a source node and a sink node) may be further selected, each virtual quantum node on the quantum key relay link transmits virtual routing data with the same global identifier to a quantum service node or a third-party server, the quantum service node or the third-party server performs an exclusive-or operation on the virtual routing status data of each target quantum node with the same global identifier, and the quantum service node and another associated quantum service node may negotiate a shared key based on the result of the exclusive-or operation and may further be used for data encryption communication between the quantum service node and the other associated quantum service node.
Further, in a possible design, on the basis of the foregoing embodiment, the method may further include: carrying out correctness verification on the virtual link state, comprising: if the two data digests are the same, the correctness verification is passed; or the two target quantum service nodes respectively send the two data digests to a third party, the third party compares the two data digests, and if the two data digests are the same, the correctness verification is passed.
Further, in one possible design, the C (n,2) virtual link states and their identifications may be packaged as a data file, which is recorded as a virtual link network slice; wherein the virtual link network slice identifier includes but is not limited to: a target quantum network identification, a global identification, a number of virtual link states.
Further, in one possible design, in any of the above embodiments, any one or any plurality of the following may be determined according to a given system policy: the method comprises the steps of global identification, data format of a shared quantum key grouping, data structure of a virtual node routing state, data structure of a virtual node state, data structure of a virtual network state, data structure of a virtual quantum link state, identification of a target receiving party and a data transmission mode.
Further, in a possible design, on the basis of any of the above embodiments, the freshness of the virtual network state/slice (or virtual link state/slice) may be labeled according to the generation time or/and the usage frequency of the virtual network state/slice (or virtual link state/slice), wherein the freshness is inversely related to the generation time or the usage frequency.
Further, in a possible design, on the basis of any of the above embodiments, one or more virtual network states or virtual link network slices may also be sent to the virtual link service agent apparatus, or/and the virtual link service apparatus.
Further, in a possible design, on the basis of any of the foregoing embodiments, a virtual link service may also be provided, that is, one or more virtual link statuses associated with two service nodes are sent to the two service nodes or/and application devices served by the two service nodes, where the application devices include, but are not limited to: password application device, agent device of service node, virtual link service agent device.
In any of the above embodiments, a real-time sharing method or a pre-caching method may be used to negotiate a shared quantum key group (or shared key group); the real-time sharing method comprises the following steps: the target quantum node negotiates a certain amount of shared quantum keys with adjacent target quantum nodes, takes the certain amount of shared quantum keys as a shared quantum key group and creates a group identifier; alternatively, the method for negotiating a shared quantum key packet according to the embodiment of the present invention shown in fig. 7 includes the following steps: s701: the target quantum node negotiates a certain amount of shared quantum keys with the adjacent target quantum nodes; s702: the target quantum node and the adjacent target quantum node respectively divide the shared quantum key into one or more groups by adopting the same data format, and carry out a randomness test on each group by adopting the same randomness test method; s703: taking a group passing the randomness test as a shared quantum key group and creating a group identifier;
the foregoing precaching method includes (another method for negotiating a shared quantum key packet according to the embodiment of the present invention shown in fig. 8): s801: the target quantum node negotiates a certain amount of shared quantum keys with the adjacent target quantum nodes; s802: respectively dividing the shared quantum key into one or more groups by adopting the same data format, performing randomness test on each group by adopting the same randomness test method, caching each group which passes the randomness test and respectively creating a group identifier;
s803: and negotiating with the adjacent target quantum nodes to respectively select one group with the consistent or same group number from the cached groups as a shared quantum key group.
Negotiating a certain amount of shared quantum keys includes, but is not limited to: sequentially negotiating shared quantum keys with a plurality of adjacent target quantum nodes, simultaneously negotiating shared quantum keys with the plurality of adjacent target quantum nodes, or negotiating shared quantum keys with the corresponding adjacent target quantum nodes according to a virtualization instruction; the negotiation of shared quantum keys may occupy the whole bandwidth of the quantum key distribution channel or only part of it.
In a possible design, negotiating a shared quantum key packet may further include a consistency check, wherein the consistency check includes but is not limited to: the target quantum node and the adjacent target quantum node respectively calculate a data digest or Hash value of the shared quantum key group; if the two data digests or Hash values differ, the consistency check fails and the negotiation is repeated; otherwise, the consistency check is passed and a shared quantum key packet is successfully negotiated.
Further, in a possible design, on the basis of any one of the above embodiments, the method may include: before the virtual node routing state is created, the target node and the adjacent target node confirm the negotiated shared key group and the global identification of the virtual node routing state used for creation, and the target node and the adjacent target node respectively use the negotiated shared key group for creating the virtual node routing state with the same global identification.
Further, in a possible design, on the basis of any one of the above embodiments, the method may include: after the quantum relay node has completed the C (n,2) virtual node routing states, destroying the n shared quantum key groups; or destroying a shared quantum key group as soon as all the virtual node routing state data in whose calculation it participates have been completed.
It should be understood that the specific use or method of use of any one or more of the following as indicated by the virtualization instructions includes: the global identifier can be used for distinguishing different target quantum networks and different embodiments in the target quantum networks, can adopt a global number unified by the whole network, and can also adopt an identifier combining the target quantum network identifier and the global number; the data format of the shared quantum key packet includes but is not limited to data type, data length and data reading and writing sequence; the data structure of the virtual node routing state includes, but is not limited to, the content of the virtual node routing state identifier and its ordering relationship, which is adopted in one embodiment; the identification of the target receiver is used for determining the ID of the receiver; the data transmission mode is used for determining whether an encryption mode or a non-encryption mode is adopted.
It is obvious that the method steps of any of the above embodiments can be recombined to give new embodiments having the same application properties as the method of the present invention. Therefore, methods based on simple combinations of the above method steps and content adaptation fall within the scope of the present invention.
The shared quantum key packet or the shared key packet in the above embodiments includes, but is not limited to: a group identifier and shared quantum key data (a shared quantum key of the group length); the data structure of the shared quantum key group identifier may adopt: the group number, the ID of the current node and the ID of the adjacent target quantum node, or equivalently, the ID of the current node and the ID of the adjacent target quantum node may be replaced by the identifier of the link between the current node and the adjacent target quantum node; wherein the ID may also be any other identifier that uniquely identifies the corresponding node; the group number may be a local number or a global number, and in the former case, when a certain shared quantum key packet is used to create a virtual node routing state, the corresponding local number is changed to the global number of the corresponding virtual node routing state.
Optionally, a new shared quantum key group or group identifier embodiment may be obtained by adding any one or more of the following content options: data format, check information and time stamp, wherein the check information may be a data digest (or Hash value) or a MAC code of the shared quantum key packet; the content of the data format includes any one or more of the following: data type (e.g., binary or hexadecimal storage), data length, and data read and write order.
Further, as an example, fig. 9 shows a schematic diagram of a data structure of a shared quantum key packet according to one possible embodiment of the present invention, that is, the data structure includes: grouping number, current node ID, adjacent node ID, data length, check information and quantum key data; the data length may be the data length of the quantum key data, or the data length of the entire shared quantum key packet; the check information may be a quantum key data digest (or Hash value) or a MAC code.
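The pre-caching negotiation of fig. 8 (s801 to s803), the digest-based consistency check, and the fig. 9 packet layout, as an added example that is not the patent's own code. The raw key bytes are constructed with a seeded generator in place of a QKD link, the monobit frequency test stands in for the unspecified randomness test, SHA-256 stands in for the unspecified digest, and the field widths (8-byte node IDs, 32-byte check information) and the Node/negotiate names are my assumptions.

```python
import hashlib
import random
import struct

GROUP_LEN = 256   # constructed group length: 256 bytes = 2048 bits, one of the lengths the text names
NAME_LEN = 8      # assumed width of a node ID field
# Fig. 9 layout: group number, current node ID, adjacent node ID, data length, check information.
HEADER = struct.Struct(">I%ds%dsI32s" % (NAME_LEN, NAME_LEN))


def split_groups(raw: bytes, group_len: int = GROUP_LEN) -> list:
    """Same data format on both sides: fixed-length groups, incomplete tail discarded."""
    return [raw[i:i + group_len] for i in range(0, len(raw) - len(raw) % group_len, group_len)]


def monobit_ok(group: bytes, tol: float = 0.1) -> bool:
    """Frequency (monobit) test as a stand-in for the unspecified randomness test.

    Accepts when the fraction of one bits lies within tol of 0.5; the tolerance
    is a constructed illustration, not a threshold taken from the text.
    """
    ones = sum(bin(b).count("1") for b in group)
    return abs(ones / (8 * len(group)) - 0.5) <= tol


def digest(group: bytes) -> bytes:
    return hashlib.sha256(group).digest()


def encode_packet(number: int, me: str, peer: str, key: bytes) -> bytes:
    """Serialises one shared quantum key packet in the fig. 9 layout, check info = digest."""
    return HEADER.pack(number, me.encode().ljust(NAME_LEN, b"\0"),
                       peer.encode().ljust(NAME_LEN, b"\0"), len(key), digest(key)) + key


def decode_packet(buf: bytes) -> dict:
    """Parses a packet and rejects it when the check information does not match the key data."""
    number, me, peer, length, check = HEADER.unpack_from(buf)
    key = buf[HEADER.size:HEADER.size + length]
    if len(key) != length or digest(key) != check:
        raise ValueError("check information mismatch")
    return {"number": number, "me": me.rstrip(b"\0").decode(),
            "peer": peer.rstrip(b"\0").decode(), "key": key}


class Node:
    def __init__(self, name: str):
        self.name = name
        self.cache = {}   # (group number, peer) -> group; the s802 cache

    def precache(self, peer: str, raw: bytes) -> None:
        """s802: group the raw key, test each group, cache the passing ones under a number."""
        for number, group in enumerate(split_groups(raw)):
            if monobit_ok(group):
                self.cache[(number, peer)] = group


def negotiate(a: Node, b: Node, number: int):
    """s803 plus the consistency check: both sides pick the same number and compare digests."""
    ga, gb = a.cache.get((number, b.name)), b.cache.get((number, a.name))
    if ga is None or gb is None:
        return None            # not cached on one side: choose another number
    if digest(ga) != digest(gb):
        return None            # consistency check failed: renegotiate
    return encode_packet(number, a.name, b.name, ga)


def run_negotiation_demo() -> dict:
    rng = random.Random(2019)                                   # constructed "QKD output"
    raw_a = rng.randbytes(3 * GROUP_LEN) + bytes(GROUP_LEN)     # group 3 is all zeros
    raw_b = bytearray(raw_a)
    raw_b[GROUP_LEN] ^= 0x01                                    # constructed one-bit disagreement in group 1
    a, b = Node("R1"), Node("R2")
    a.precache("R2", raw_a)
    b.precache("R1", bytes(raw_b))
    pkt = negotiate(a, b, 0)
    return {
        "cached_a": sorted(n for n, _ in a.cache),
        "group0": decode_packet(pkt)["key"] == a.cache[(0, "R2")],
        "group1_rejected": negotiate(a, b, 1) is None,
        "group3_rejected": negotiate(a, b, 3) is None,
        "packet_len": len(pkt),
    }
```

The two failure paths are the ones the text separates: group 3 never enters either cache because it fails the randomness test locally, while group 1 passes on both sides and is only caught by the consistency check, which compares 32-byte digests rather than the 256-byte key data so that a mismatched packet is never transmitted in the clear.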
The virtual node routing state in the above embodiments includes, but is not limited to: virtual node routing state identification, virtual node routing state data (i.e., the exclusive or value of the shared quantum key packet between the current node and two neighboring nodes). Fig. 10 shows a virtual node routing state identifier provided in an embodiment of the present invention, where the content of the virtual node routing state identifier includes, but is not limited to: global number, current node ID1, neighbor ID2, neighbor ID3 (or, routing identifiers of the previous neighbor and the next neighbor connecting the current node with the current node).
The content of the virtual node status identifier in the above embodiment includes but is not limited to: global number, current node ID1, virtual node routing state number; the number of routing states of the virtual nodes can be obtained by calculating the number of the adjacent nodes, so that the number of routing states of the virtual nodes can be replaced by the number of the adjacent nodes, and a new embodiment is obtained.
On the basis of the above embodiments, a plurality of new embodiments can be obtained by adding any one or more of the following options to the virtual node state identifier (or virtual network state identifier): an identifier of the target network, for distinguishing different target networks; a local identifier, for distinguishing a plurality of virtual node routing states having the same global identifier (or for distinguishing a plurality of virtual node states having the same global identifier); verification information, for verifying the integrity of the virtual node state (or the virtual network state), comprising a data digest, Hash value or MAC code of the corresponding data; a digital signature, namely the virtual node state (or the virtual network state) signed with a digital signature algorithm; a timestamp, for recording the creation time of the virtual node state (or virtual network state); and a data digest (or Hash value) of the current virtual node state (or virtual network state), a data digest (or Hash value) of the previous virtual node state (or virtual network state), or data digests (or Hash values) of both the current and the previous virtual node state (or virtual network state).
Further, in one possible design, the above-described private key for digital signature cannot be illegally accessed or derived.
In a possible design, an identifier type may further be added to the various identifiers in the above embodiments; the identifier type is used to distinguish a virtual node routing state identifier, a virtual node state identifier, a virtual network state identifier and a virtual link state identifier.
Further, in a possible design, based on the embodiments shown in fig. 1 and fig. 2, a virtual node state block chain may be created in time sequence. The method for forming the virtual node state block chain includes, but is not limited to: creating a block header for the virtual node state, with the virtual node state as the block body, where the block header includes, but is not limited to, a block number, a timestamp and the Hash value of the block, and the block number is the same as the global identification or corresponds to it one-to-one.
Further, in a possible design, based on the embodiment shown in fig. 1, fig. 2 or fig. 5, a virtual network state block chain may be formed in time sequence. The method for forming the virtual network state block chain includes, but is not limited to: creating a block header for the virtual network state, with the virtual network state as the block body, where the block header includes, but is not limited to, a block number, a timestamp and the Hash value of the block, and the block number is the same as the global identification or corresponds to it one-to-one.
Further, in a possible design, based on the embodiment shown in fig. 1, fig. 2 or fig. 5, a virtual link state block chain may be formed in time sequence. The forming of the virtual link state block chain includes, but is not limited to: creating a block header for the virtual link state, with the virtual link state as the block body, where the block header includes, but is not limited to, a block number, a timestamp and the Hash value of the block, and the block number is the same as the global identification or corresponds to it one-to-one.
The storage in the above embodiments includes, but is not limited to, any one or more of the following options: local storage, cloud storage and server-side storage. The local storage method includes, but is not limited to: storing the virtual node routing state or/and the virtual node state in a memory of the target node device (where the memory includes, but is not limited to, a local memory or a network storage space), and sending the virtual node routing state identification or/and the virtual node state identification to the server. The cloud storage method includes, but is not limited to: storing the virtual node routing state (or the virtual node routing state data) or/and the virtual node state in a cloud storage space. Server-side storage includes, but is not limited to: sending the virtual node routing state or/and the virtual node state to one or more servers for storage.
The outputting or sending in the above embodiments includes, but is not limited to, either or both of the following options: real-time sending and passive response sending. Real-time sending includes, but is not limited to: outputting the created virtual node routing state or/and virtual node state in real time to the memory of the target node device or/and a third-party server or/and the target receiver indicated by the virtualization instruction. Passive response sending includes, but is not limited to: outputting, according to a virtualization instruction, the virtual node routing state or/and virtual node state with the specific number to the memory of the target node device or/and a third-party server or/and the target receiver indicated by the virtualization instruction.
Further, in one possible design, the outputting or sending in the above embodiment may be an encrypted transmission, which includes any one or more of the following options: encrypted transmission with a symmetric cryptographic algorithm, encrypted transmission with an asymmetric cryptographic algorithm, and encrypted transmission in the tunnel mode or transport mode of a VPN.
The server in the above embodiments may include, but is not limited to, any one or more of the following options: a network management device, a network virtualization management device, a service node device, a cloud storage service device and a block chain accounting node device.
The target receiver in the above embodiments may include, but is not limited to, any one or more of the following options: a network management device, a network virtualization management device, a service node device, a cloud storage service device and a block chain accounting node device.
The method of creating a virtual node routing state provided by embodiments of the present invention is further described below for a relay node in fig. 6 with 3 target neighboring nodes (relay node R with the 3 target neighboring nodes A, B and C; compared with the embodiment shown in fig. 6, R may correspond to R5, and A, B and C may correspond to R1, R3 and S4, respectively). Assume that the relay node R and the 3 neighboring nodes A, B and C negotiate, by the above method, the shared quantum key packets Kra, Krb and Krc respectively. C(3,2) = 3 virtual node routing states are generated from these 3 shared quantum key packets (fig. 11 is a schematic diagram of the virtual node routing states of one relay node provided by an embodiment of the present invention, including the virtual node routing states VRS0, VRS1 and VRS2). The node identifier includes the ID 1101 of the target quantum relay node (i.e., ID_R), the global number 1102 (i.e., 000123), the number 1103 of virtual node routing states (i.e., 3), the data length 1104 (i.e., 3 × 1 MB, the data length of each virtual node routing state being 1 MB) and the data type 1105 (i.e., hexadecimal). Each virtual node routing state (the state data in fig. 11) includes the ID 1106 of the target quantum relay node, the ID 1107 of the first neighboring node, the ID 1108 of the second neighboring node, the virtual node routing state data 1109 and its data length, the data digest 1110 of the virtual node routing state, and the local number 1111 of the virtual node routing state.
The relay node R creates a virtual node state by the following steps. R negotiates a shared quantum key packet with each of A, B and C by the real-time sharing method or the pre-caching method: for example, it negotiates a 1 MB key with each of A, B and C and, after creating a packet identifier and integrity check information, uses it as a shared quantum key packet; or it negotiates a shared quantum key with an adjacent node, processes the shared quantum key into one or more shared quantum key packets by the key preprocessing method, caches the packets, and negotiates with the adjacent node to select from the cached packets a shared quantum key packet having the same packet number (for example, negotiating a 10 MB key at a time, dividing it into 10 packets, performing a randomness test, creating a packet identifier and integrity check information for each packet that passes the randomness test, and destroying a shared quantum key packet after its packet identifier and integrity check information have been created). R then acquires the global number of the current virtual node routing state (the global number in fig. 11), and R negotiates with A, B and C the packet identifiers and integrity check information of Kra, Krb and Krc respectively …
In one possible design, the virtual node state shown in fig. 11 may be packaged as a database file, in which the global number 1102 and the local number 1111 together uniquely determine a virtual node routing state.
In addition, since VRS0, VRS1 and VRS2 are correlated, i.e., the exclusive-or value of any two virtual node routing state data equals the third (e.g., VRS0 ⊕ VRS1 = VRS2), in one possible design the relay node may create only (C(n,1) - 1) virtual node routing states.
It should be clear that, in any of the above embodiments, for a certain quantum network function virtualization, each target quantum node uses the same data format and data structure, including but not limited to using the same shared key packet length, data type, data high-low order, the same identification content, and its ordering manner.
Although the present invention has described the data structure of the above-mentioned shared key packet and virtual node routing state (which may include content options of the target data and its identification and its ordering, data type, data length, etc.), it is contemplated that the elements or variables in the above-mentioned data structure may be randomly combined and do not significantly affect the application performance; in addition, it is obvious that if a certain element or variable (for example, a storage type, a data length) in a certain data structure is used as a global variable, the corresponding data format may not include the variable, and therefore, the present invention does not specifically limit the position ordering relationship of the element or variable in the data structure, nor does it limit the implementation manner of the certain element or variable; in addition, with similar considerations, the present invention does not specifically limit the position ordering relationship of elements or variables in the data format, nor the implementation of a certain element or variable. Methods obtained by randomly combining or adjusting the positions of the elements in the data structure also fall within the scope of the present invention. Obviously, some content options in the above virtual node routing state (or virtual node routing state) identification can be used as part of the corresponding virtual node routing state (or virtual node routing state) data in possible designs, and such similar possible designs also fall within the scope of the present invention.
Fig. 12 is a schematic diagram of a method for creating a cross-domain interworking virtual network state (or slice) according to an embodiment of the present invention. A service node A in a first target network stores a shared key packet Kax associated with one virtual network state, and a service node B in a second target network stores a shared key packet Kby associated with another virtual network state; because the two virtual network states are completely isolated, cross-domain interworking is not possible. A trusted third party C distributes the shared key packets Ka and Kb to A and B, respectively. A calculates Kax ⊕ Ka and creates the corresponding virtual node routing state identifier, B calculates Kby ⊕ Kb and creates the corresponding virtual node routing state identifier, and C calculates Ka ⊕ Kb and creates the corresponding virtual node routing state identifier (obviously, if Ka and Kb are the same, Ka ⊕ Kb = 0, so the corresponding calculation may be omitted or a default virtual node routing state used). The three virtual node routing states, together with the two virtual network states, form a cross-domain interworking virtual network state (or are formed into a cross-domain interworking virtual slice).
In one possible design, if a service node accesses two different target networks simultaneously, such a service node is selected, the exclusive-or value of its two associated shared key packets and the corresponding identification are used as a virtual node routing state of a cross-domain interworking virtual network state (or virtual network state slice), and this routing state together with the virtual network states (or virtual network state slices) of the two different target networks forms the cross-domain interworking virtual network state (or slice). For example, assuming that A and B in fig. 12 are the same service node and that Kax and Kby are the shared key packets associated with the corresponding virtual network states of target network one and target network two respectively, A calculates Kax ⊕ Kby and creates the corresponding virtual node routing state identification, and this virtual node routing state together with the corresponding two virtual network states forms a cross-domain interworking virtual network state.
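The exclusive-or constructions of this page worked through in code, as an added example that is not the patent's own implementation: the relay node R of fig. 11 forming its C(3,2) routing states from Kra, Krb and Krc (and the VRS0 ⊕ VRS1 = VRS2 correlation noted above), the virtual link state of claim 3 formed by XOR-ing the routing data of every relay on a key relay link, and the cross-domain interworking chain of fig. 12. Packet contents, node names and the 16-byte packet length are constructed for the example (the page uses 1 MB packets); the XOR of the whole chain reduces to the two endpoint packets, so the sink recovers the source's packet while the link data alone equals neither.

```python
import random
from itertools import combinations

PACKET_LEN = 16  # constructed: short packets stand in for the 1 MB packets of Fig. 11


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two shared key packets; both must use the same data format/length."""
    if len(a) != len(b):
        raise ValueError("shared key packets must have the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def create_virtual_node_routing_states(node_id: str, shared_packets: dict, global_number: int):
    """Relay-node step: one routing state per pair of neighbours, C(n,2) in total.

    shared_packets maps neighbour ID -> shared quantum key packet with that neighbour.
    Each state is (identifier, data); the identifier carries the global number, local
    number, current node ID and the two neighbour IDs, as in Fig. 10."""
    states = []
    for local_no, (nb1, nb2) in enumerate(combinations(sorted(shared_packets), 2)):
        ident = {"global": global_number, "local": local_no, "node": node_id,
                 "neighbor1": nb1, "neighbor2": nb2}
        states.append((ident, xor_bytes(shared_packets[nb1], shared_packets[nb2])))
    return states


def routing_data_for(states, nb1: str, nb2: str) -> bytes:
    """Screen out, from one node's virtual node state, the routing data linking nb1 and nb2."""
    for ident, data in states:
        if {ident["neighbor1"], ident["neighbor2"]} == {nb1, nb2}:
            return data
    raise KeyError(f"no routing state between {nb1} and {nb2}")


def virtual_link_state_data(path: list, node_states: dict) -> bytes:
    """Claim 3: XOR of the routing data of every relay on the path source -> ... -> sink.

    Every intermediate shared packet appears twice and cancels, so the result is
    K(source, first relay) XOR K(last relay, sink)."""
    acc = bytes(PACKET_LEN)
    for prev, relay, nxt in zip(path, path[1:], path[2:]):
        acc = xor_bytes(acc, routing_data_for(node_states[relay], prev, nxt))
    return acc


def cross_domain_state(kax: bytes, ka: bytes, kb: bytes, kby: bytes) -> bytes:
    """Fig. 12: A holds Kax XOR Ka, C holds Ka XOR Kb, B holds Kby XOR Kb; combined = Kax XOR Kby."""
    return xor_bytes(xor_bytes(xor_bytes(kax, ka), xor_bytes(ka, kb)), xor_bytes(kby, kb))


def demo() -> dict:
    """Run the three constructions on constructed, deterministic sample packets."""
    rng = random.Random(2019)

    def packet() -> bytes:
        return bytes(rng.getrandbits(8) for _ in range(PACKET_LEN))

    # Relay R with neighbours A, B, C (Fig. 11): three states from three packets.
    kra, krb, krc = packet(), packet(), packet()
    vrs = [d for _, d in create_virtual_node_routing_states("R", {"A": kra, "B": krb, "C": krc}, 123)]
    correlated = xor_bytes(vrs[0], vrs[1]) == vrs[2]  # VRS0 ^ VRS1 == VRS2

    # Key relay link S -> R1 -> R2 -> D; each hop holds one shared packet.
    k_s_r1, k_r1_r2, k_r2_d = packet(), packet(), packet()
    node_states = {
        "R1": create_virtual_node_routing_states("R1", {"S": k_s_r1, "R2": k_r1_r2}, 123),
        "R2": create_virtual_node_routing_states("R2", {"R1": k_r1_r2, "D": k_r2_d}, 123),
    }
    link = virtual_link_state_data(["S", "R1", "R2", "D"], node_states)
    sink_recovers = xor_bytes(link, k_r2_d) == k_s_r1   # D derives the packet S holds
    link_alone_reveals = link in (k_s_r1, k_r2_d)       # link data by itself is a one-time-pad value

    # Cross-domain interworking (Fig. 12): A and B end up sharing Kax XOR Kby.
    kax, ka, kb, kby = packet(), packet(), packet(), packet()
    cross_ok = cross_domain_state(kax, ka, kb, kby) == xor_bytes(kax, kby)

    return {"correlated": correlated, "sink_recovers": sink_recovers,
            "link_alone_reveals": link_alone_reveals, "cross_ok": cross_ok}


if __name__ == "__main__":
    print(demo())
```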
In one possible design, the cross-domain interworking virtual network state may be encapsulated as a cross-domain interworking virtual network state slice. Further, in one possible design, a cross-domain interworking virtual link network slice may also be created.
Fig. 13 is a schematic diagram of a node device for virtualizing quantum network functions according to an embodiment of the present invention, where the node device includes:
a transceiver, including various interface modules; for example, the transceiver shown in fig. 13 may include the interface module 1301 and the interface module 1302. The interface module 1301 is configured to report the topology information of the quantum node to the virtualization server 1307 and to receive a virtualization instruction, and is also used to send the virtual node routing state or/and the virtual node state to the virtualization server 1307;
the data processing unit 1303, for negotiating shared key packets with the neighboring quantum nodes 1306, or/and creating virtual node routing states, or/and creating virtual node states; optionally, the quantum key distribution unit 1305 is further configured to obtain the quantum key;
the node virtualization unit 1304, for storage and output management of the virtual node routing states or/and virtual node states; where the virtual node routing state comprises: the exclusive-or value of the shared key packets between the target quantum node and two adjacent target quantum nodes, and the corresponding identification;
the virtual node states include: routing states and corresponding identifications of a part of or all of virtual nodes of the target quantum nodes; the virtualization instructions are for indicating any one or more of the following: global identification, data format of shared key grouping, data structure of virtual node routing state, data structure of virtual node state, identification of target receiver and data transmission mode; the topology information includes: identification of the node, link state between the node and each adjacent target quantum node.
Fig. 14 is a schematic diagram of a virtualization server device for virtualizing quantum network functions according to an embodiment of the present invention. The virtualization server device includes a processor 1401, a memory 1402, a transceiver 1403 and, optionally, a bus 1404 and a communication interface 1405. The memory 1402 is used for storing programs and instructions. The processor 1401 is configured to execute the following steps by calling the programs and instructions stored in the memory: packaging the current virtual node states and corresponding identifications of all target quantum nodes into a virtual network state or slice, or/and packaging the virtual link states between any two quantum service nodes among some or all quantum service nodes in the target network into a virtual link network slice. The transceiver 1403 is configured to send a quantum network virtualization request to the network controller and to receive the virtual node state of the target quantum node; optionally, it is further configured to receive the topology information of the corresponding node reported by the target quantum node, to obtain a virtualization request and send the virtualization instruction corresponding to the virtualization request to each target quantum node, so that each target quantum node negotiates a shared quantum key according to the virtualization instruction and creates a virtual node state, and to receive the virtual node state and send it to the data processing unit.
Further, in one possible design, the processor is further configured to create a virtual mapping network of the target quantum network, comprising a distributed virtual mapping network or/and a centralized virtual mapping network. The distributed virtual mapping network is characterized in that each target quantum node creates a virtual node; the centralized virtual mapping network is characterized in that a third-party server creates a virtual node for each target quantum node. The virtual mapping network comprises the network link topology information between the target quantum nodes, and the virtual nodes are used for storing or outputting the corresponding virtual node states.
Further, in another possible design, the processor is further configured to verify the digital signature of all or part of the virtual node states; if a digital signature cannot be verified, the corresponding node needs to retransmit the corresponding virtual node state.
The bus may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown in FIG. 14, but this is not intended to represent only one bus or type of bus.
The memory may include volatile memory (volatile memory), such as random-access memory (RAM); the memory may also include a non-volatile memory (non-volatile memory), such as a flash memory (flash memory), a Hard Disk Drive (HDD) or a solid-state drive (SSD); the memory may also comprise a combination of memories of the kind described above.
The communication interface may be a wired communication access, a wireless communication interface, or a combination thereof, wherein the wired communication interface may be, for example, an ethernet interface. The ethernet interface may be an optical interface, an electrical interface, or a combination thereof. The wireless communication interface may be a WLAN interface.
The processor may be a Central Processing Unit (CPU), a Network Processor (NP), or a combination of a CPU and an NP. The processor may further include a hardware chip. The hardware chip may be an application-specific integrated circuit (ASIC), a Programmable Logic Device (PLD), or a combination thereof. The PLD may be a Complex Programmable Logic Device (CPLD), a field-programmable gate array (FPGA), a General Array Logic (GAL), or any combination thereof.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, apparatus (or system), or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (or systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While the invention has been described in conjunction with specific features and embodiments thereof, it will be evident that various modifications and combinations can be made thereto without departing from the spirit and scope of the invention. Accordingly, the specification and figures are merely exemplary of the invention as defined in the appended claims and are intended to cover any and all modifications, variations, combinations, or equivalents within the scope of the invention. It will be apparent to those skilled in the art that various changes and modifications may be made in the present invention without departing from the spirit and scope of the invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include such modifications and variations.
Claims (36)
1. A quantum network function virtualization method, comprising: each target node of the target network creates a current virtual node status and sends the current virtual node status to one or more target receivers, respectively, the one or more target receivers create an identifier for the current virtual node status of all or a part of the target nodes (for convenience, the current virtual node status of all or a part of the target nodes and their corresponding identifiers are hereinafter referred to as a virtual network status), or, further, encapsulate the current virtual node status of all or a part of the target nodes and their corresponding identifiers into a data file (for convenience, the data file is hereinafter referred to as a virtual network status slice), wherein the target nodes include: some or all relay nodes and serving nodes (or access nodes) in the target network, and the virtual node state includes: some or all of the virtual node routing states of the destination node, wherein a virtual node routing state comprises: the exclusive or value of the shared key grouping negotiated by the target node and two adjacent target nodes respectively and the corresponding virtual node routing state identification thereof, wherein the target network comprises any one of the following options: quantum key distribution network, quantum communication network, quantum sensing network, quantum security internet.
2. The quantum network function virtualization method according to claim 1, comprising: creating a virtual mapping network of a target network, comprising: a distributed virtual mapping network, or/and a centralized virtual mapping network, the distributed virtual mapping network characterized by: each target node creates a virtual node, and the centralized virtual mapping network is characterized in that: the third-party server creates a virtual node for each target node, wherein the virtual mapping network further comprises: and network link topology information between the target nodes, wherein the virtual nodes are used for storing or outputting corresponding virtual node states.
3. A quantum network function virtualization method according to claim 1 or 2, comprising: creating a virtual link state between any two serving nodes (for convenience, respectively a source node and a sink node) in some or all of the serving nodes in the target network, including: selecting a virtual network state or a slice of virtual network states, selecting a key relay link between the source node and a sink node, screening out from the virtual network state or slice of virtual network states corresponding virtual node routing data in all virtual node states associated with the key relay link, computing an exclusive-or value of the total virtual node routing data, creating an identification for the exclusive-or value (for convenience, the exclusive-or value is denoted as virtual link state data, the identification is denoted as a virtual link state identification, the exclusive-or value and its corresponding identification is denoted as a virtual link state between the source node and the sink node), or, further, encapsulating virtual link states or portions thereof between any two of all of the serving nodes in a portion or all of the serving nodes in the destination network as one or more data files (for convenience, record the data file as a virtual link network slice),
wherein the virtual node routing data comprises: an exclusive-or value of a shared key packet between a target node and two associated neighboring nodes, the virtual link identification comprising: the global identification, the identification of the source node and the destination node, and the method for selecting a key relay link between the source node and the destination node comprises the following steps: and selecting a key relay link connected with the least relay nodes or randomly selecting a communicable key relay link according to the virtual network routing topology information.
4. A quantum network function virtualization method according to claim 1, 2 or 3, comprising: the target node performs identity authentication with a neighboring target node or/and a network controller, wherein the identity authentication comprises: CA certificate based authentication or initial root key based authentication.
5. A quantum network function virtualization method according to claim 1, 2, 3 or 4, comprising: the target node reports topology information of the target node to a network controller or a target receiver, wherein the topology information comprises: identification of the target node, link status between the target node and each neighboring target node.
6. A quantum network function virtualization method according to claim 1, 2, 3, 4 or 5, comprising: the target node receives a virtualization instruction issued by a network controller or a target receiver, wherein the virtualization instruction is used for indicating any one or more of the following: global identification, data format of shared key grouping, data structure of virtual node routing state, data structure of virtual node state, identification of target receiver and data transmission mode.
7. A quantum network function virtualization method according to claim 1, 2, 3, 4 or 5, comprising: determining any one or more of the following according to a given system policy: global identification, data format of shared key grouping, data structure of virtual node routing state, data structure of virtual node state, data structure of virtual network state, data structure of virtual link state, identification of target receiver and data transmission mode.
8. The quantum network function virtualization method of claim 1, wherein the creating a current virtual node state comprises: the method comprises the steps that a relay node creates a current virtual node state and a service node creates the current virtual node state, wherein the relay node creates the current virtual node state and comprises the following steps: the relay node negotiates a shared key packet with each of n adjacent destination nodes, respectively (where n is a natural number greater than 1 and not greater than the number of all nodes adjacent to the relay node), calculates an exclusive-or value of any two shared key packets in the n shared key packets and creates a corresponding identifier (for convenience, the exclusive-or value is hereinafter referred to as virtual node routing state data, the identifier is referred to as a virtual node routing state identifier, the exclusive-or value and its corresponding identifier are referred to as a virtual node routing state), creates node identifiers for the C (n,2) virtual node routing states (for convenience, the node identifier is hereinafter referred to as a virtual node state identifier, the C (n,2) virtual node routing states and their corresponding node identifiers are referred to as a virtual node state), or, further, encapsulating said C (n,2) virtual node routing states and their corresponding node identifications as a data file, treating said data file as a virtual node state,
the service node creating the current virtual node state comprises: the service node negotiates a shared key packet with each of m adjacent destination nodes, respectively (where m is a natural number greater than 0), creates a virtual relay node, generates a random number packet and creates a corresponding packet identifier, regards the random number packet as a shared key packet between the virtual relay node and the service node, regards m adjacent destination nodes and the service node as (m +1) adjacent destination nodes of the virtual relay node, calculates an exclusive-or value of any two shared key packets of the (m +1) shared key packets and creates a corresponding identifier (for convenience, hereinafter, the exclusive-or value is referred to as virtual node routing state data, the identifier is referred to as a virtual node routing state identifier, and the exclusive-or value and its corresponding identifier are referred to as a virtual node routing state), creating a node identifier for the C (m +1,2) virtual node routing states (for convenience, the node identifier is hereinafter referred to as a virtual node state identifier, and the node identifier and its corresponding C (m +1,2) virtual node routing states are hereinafter referred to as a virtual node state), and securely storing the random number packet, or, further, encapsulating the C (m +1,2) virtual node routing states and their corresponding node identifiers into a data file, and regarding the data file as a virtual node state, wherein the random number packet and the shared key packet have the same data format.
9. The method of creating a virtual network state of claim 8, comprising: after the creation of all the virtual node routing states is completed, the target node destroys all the shared key groups which are used and do not need to be stored, or destroys the shared key group after all the virtual node routing state data which need to participate in calculation of one shared key group are completed.
10. The method of claim 8, wherein negotiating a shared key group comprises any one or both of the following: a real-time sharing method and a pre-caching method, wherein the real-time sharing method comprises: a target node and an adjacent target node negotiate a certain amount of shared keys in real time and use the certain amount of shared keys as a shared key group, or the target node and the adjacent target node respectively divide the shared keys into one or more groups by adopting the same data format, carry out a randomness test on each group by adopting the same randomness test method, and use a group which passes the randomness test as a shared key group; and the pre-caching method comprises: the target node negotiates a certain amount of shared keys with adjacent target nodes, the shared keys are respectively divided into one or more groups by adopting the same data format, the randomness test is carried out on each group by adopting the same randomness test method, each group passing the randomness test is cached and a group identifier is respectively created, and the target node negotiates with the adjacent target nodes to respectively select one group with the same group identifier or the same group number from the cached groups as a shared key group.
11. The quantum network function virtualization method of claim 10, wherein negotiating a quantity of shared keys comprises any one of: negotiating shared keys with a plurality of adjacent target nodes in sequence, negotiating shared keys with the plurality of adjacent target nodes simultaneously, and negotiating shared keys with the corresponding adjacent target nodes according to a virtualization instruction, wherein negotiating the shared keys occupies either the whole bandwidth of the key negotiation channel or only part of it.
12. The method of claim 10, wherein negotiating a shared key group further comprises a consistency check, the consistency check comprising: the target node and the adjacent target node perform a consistency check on each shared key group; if the check fails, the negotiation is repeated, otherwise one shared key group has been successfully negotiated.
13. A quantum network function virtualization method according to claim 1, 3, 6, 7, 9, 10 or 12, wherein a group identifier is created for the shared key group, the group identifier comprising: the group number and the link identifier of the current target node and the adjacent target node (or the identifier of the current target node and the identifier of the adjacent target node), wherein the group number is a local number or a global identifier, and, where a local number is used, after a shared key group and/or random number group has been used to create a virtual node routing state, the corresponding local number is replaced by the global identifier of that virtual node routing state.
14. The quantum network function virtualization method of claim 8, comprising either or both of: (1) before creating a virtual node state, obtaining a global identifier, wherein obtaining the global identifier comprises determining the current global identifier according to a virtualization instruction or deriving it from the previous global identifier; (2) before creating a virtual node routing state, the target node and the adjacent target node confirm the negotiated shared key group and the global identifier of the virtual node routing state it will be used for, and both nodes use that negotiated shared key group only to create virtual node routing states carrying the same global identifier.
15. The quantum network function virtualization method of claim 1, wherein
the virtual node routing state identifier comprises: a global identifier, and the routing identifiers of the current target node and of the previous and next adjacent target nodes connected to it (or: the identifier of the current service node, the identifier of the first adjacent target node and the identifier of the second adjacent target node),
the content of the virtual node state identifier comprises: the identifier of the current target node, the global identifier, and the number of virtual node routing states or the number of adjacent target nodes,
the virtual network state identifier comprises: the global identifier and the number of virtual node states.
16. A quantum network function virtualization method according to claim 15, wherein the content of the virtual node state identifier (or virtual network state identifier) further comprises any one or more of the following:
an identifier of the target network, for distinguishing between different target networks,
a local identifier, for distinguishing between multiple virtual node routing states having the same global identifier (or between multiple virtual node states having the same global identifier),
check information for verifying the integrity of the virtual node routing state (or virtual node state), comprising a data digest, a hash value or a MAC of the corresponding data,
a digital signature, produced by applying a digital signature algorithm to the virtual node state (or virtual network state),
a timestamp recording the creation time of the virtual node state (or virtual network state),
a data digest (or hash value) of the current virtual node state (or virtual network state), a data digest (or hash value) of the previous virtual node state (or virtual network state), or data digests (or hash values) of both the current and the previous virtual node state (or virtual network state),
wherein the private key used to digitally sign a virtual node routing state must not be accessible to or derivable by unauthorized parties.
17. A quantum network function virtualization method according to claim 1 (or 3), comprising: marking the freshness of the virtual network state (and/or the virtual link state) according to its generation time and/or its frequency of use, wherein freshness decreases with the age of the state and with the number of times it has been used.
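Claims 8 to 16 describe one procedure: negotiate a shared key group with each adjacent target node (screened for randomness and checked for consistency), add a virtual relay node whose key group is a random number group, publish the exclusive-or of every pair of the m+1 groups together with identifiers and check information, and destroy the used groups. The following Python is an added example written for this page, not code from the patent or its applicant. It simulates the quantum key negotiation with constructed key material handed to both ends, screens it with a minimal monobit test standing in for the unspecified randomness test, uses a SHA-256 digest for the consistency check and an HMAC as the check information; the 32-byte group format, the `.vr` suffix naming the virtual relay node and the identifier field names are assumptions.

```python
import hashlib
import hmac
import os
from itertools import combinations

GROUP_BYTES = 32  # assumed data format: one key group is 32 bytes (not fixed by the claims)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Exclusive-or of two groups that share one data format (same length)."""
    if len(a) != len(b):
        raise ValueError("key groups must have the same data format")
    return bytes(x ^ y for x, y in zip(a, b))


def monobit_test(group: bytes, tolerance: float = 0.1) -> bool:
    """Minimal randomness screen for claim 10: the fraction of 1 bits must be near 1/2.
    Stand-in for a real statistical suite such as NIST SP 800-22."""
    ones = sum(bin(b).count("1") for b in group)
    return abs(ones / (8 * len(group)) - 0.5) <= tolerance


def consistency_check(local_group: bytes, remote_digest: bytes) -> bool:
    """Claim 12: both ends compare a digest of the group over the classical channel,
    so the group itself is never transmitted."""
    return hmac.compare_digest(hashlib.sha256(local_group).digest(), remote_digest)


class TargetNode:
    def __init__(self, node_id: str, mac_key: bytes):
        self.node_id = node_id
        self.mac_key = mac_key      # assumed: key for the MAC check information of claim 16
        self.shared = {}            # adjacent node id -> negotiated shared key group
        self.random_group = None    # securely stored random number group (claim 8)

    def negotiate(self, neighbour: "TargetNode", own_material: bytes, peer_material: bytes) -> bool:
        """Stand-in for QKD negotiation: each side holds the raw key material it received
        (constructed inputs). Returns False when the randomness screen or the consistency
        check fails; the claims then require the negotiation to be repeated."""
        own = own_material[:GROUP_BYTES]
        peer = peer_material[:GROUP_BYTES]
        if not (monobit_test(own) and monobit_test(peer)):
            return False
        if not consistency_check(own, hashlib.sha256(peer).digest()):
            return False
        self.shared[neighbour.node_id] = own
        neighbour.shared[self.node_id] = peer
        return True

    def create_virtual_node_state(self, global_id: int) -> dict:
        """Claim 8: add a virtual relay node whose 'shared key group' with this node is a
        fresh random group, then publish the XOR of every pair of the m+1 groups."""
        if not self.shared:
            raise ValueError("no adjacent target nodes negotiated")
        self.random_group = os.urandom(GROUP_BYTES)
        groups = dict(self.shared)
        groups[self.node_id + ".vr"] = self.random_group   # the virtual relay node
        routing_states = []
        for (id1, k1), (id2, k2) in combinations(sorted(groups.items()), 2):
            data = xor_bytes(k1, k2)
            routing_states.append({
                # claim 15: global id plus identifiers of this node and the two neighbours
                "id": {"global_id": global_id, "node": self.node_id, "first": id1, "second": id2},
                "data": data.hex(),
                # claim 16: check information (a MAC) over the routing state data
                "mac": hmac.new(self.mac_key, data, "sha256").hexdigest(),
            })
        state = {
            "id": {"node": self.node_id, "global_id": global_id, "count": len(routing_states)},
            "routing_states": routing_states,
        }
        # claim 9: the used shared key groups are destroyed; only the random group is kept
        self.shared.clear()
        return state


def verify_routing_state(entry: dict, mac_key: bytes) -> bool:
    """Recompute the MAC check information of claim 16 before trusting a routing state."""
    expected = hmac.new(mac_key, bytes.fromhex(entry["data"]), "sha256").hexdigest()
    return hmac.compare_digest(expected, entry["mac"])


def find_routing_state(state: dict, first: str, second: str) -> dict:
    """Locate the routing state that XORs the groups of the two named neighbours."""
    for entry in state["routing_states"]:
        if {entry["id"]["first"], entry["id"]["second"]} == {first, second}:
            return entry
    raise KeyError(f"no routing state for {first}-{second}")


if __name__ == "__main__":
    # constructed key material with exactly half of its bits set, so the screen passes
    relay = TargetNode("R", mac_key=b"relay-mac-key")
    a, b = TargetNode("A", b"a-mac-key"), TargetNode("B", b"b-mac-key")
    relay.negotiate(a, b"\x3c\xc3" * 16, b"\x3c\xc3" * 16)
    relay.negotiate(b, b"\x5a\xa5" * 16, b"\x5a\xa5" * 16)
    state = relay.create_virtual_node_state(global_id=7)   # m = 2, so C(3,2) = 3 states
    entry = find_routing_state(state, "A", "B")
    # neighbour A recovers the R-B group from the published XOR and its own group
    print(verify_routing_state(entry, relay.mac_key),
          xor_bytes(bytes.fromhex(entry["data"]), a.shared["R"]) == b.shared["R"])
```

No single published routing state reveals either key group on its own, but a neighbour holding one of the two groups recovers the other with one exclusive-or, which is exactly what the relay construction relies on; the last line of the demo shows that recovery, and `verify_routing_state` is the check a recipient should run before using the data.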
18. The quantum network function virtualization method according to claim 3, comprising providing a key service, which comprises: step one, selecting a virtual link network slice for m service nodes in a target network (m being an integer greater than 1) and sending the virtual link network slice to each of the m service nodes; step two, the m service nodes negotiate to adopt the associated shared key group of one service node A as the group shared key, and every other service node B calculates, based on the virtual link network slice, the exclusive-or value of the corresponding virtual link state data and its own associated shared key group, thereby obtaining the associated shared key group of service node A, after which the m service nodes each inject the group shared key into their associated encryption devices.
19. The quantum network function virtualization method according to claim 3, comprising an application method of the virtual link network slice, applicable to the following scenario: a plurality of nodes independently acquire or compute data, and as soon as one node acquires or computes a datum it encrypts the datum and publishes the corresponding ciphertext, while the other nodes can decrypt the ciphertext in real time and obtain the datum; the method specifically comprises: selecting one or more virtual link network slices for m service nodes in a target network (m being an integer greater than 1) and sending the virtual link network slices to each of the m service nodes; one service node (denoted the source node) selects one virtual link network slice, encrypts its target data with the shared key group associated with that virtual link network slice to obtain a ciphertext, creates a ciphertext identifier for the ciphertext and publishes the ciphertext together with its identifier; each of the other service nodes calculates, based on the virtual link network slice, the exclusive-or value of the corresponding virtual quantum link state data and its own associated shared key group, obtains the associated shared key group of the source node, and decrypts the ciphertext with it to recover the target data sent by the source node, wherein the ciphertext identifier comprises: the identifier of the virtual link network slice, the identifier of the source node and the encryption mode, the encryption mode comprising exclusive-or encryption or encryption with a symmetric cryptographic algorithm, and the target data comprise any one or more of: message groups, random key data, sensing data, audio and video monitoring data, computation data and data files.
20. A quantum network function virtualization method according to claim 1 or 3, comprising the target recipient providing a virtual link service, which comprises: sending one or more virtual link states associated with two service nodes to the two service nodes and/or to application devices served by the two service nodes, wherein the application devices comprise: a cryptographic application device, an agent device of a service node, and a virtual link service agent device.
21. A quantum network function virtualization method according to claim 1, 3, 18 or 20, comprising providing a shared key negotiation service: the target recipient sends a virtual link state to each of the two associated service nodes, the two service nodes negotiate to adopt the associated shared key group of one service node as the shared key, and accordingly the other service node calculates the exclusive-or value of the associated shared key group it holds and the virtual link state data, thereby obtaining the shared key; or, further, one service node calculates the exclusive-or value of a data group and the shared key and sends that value to the other service node, which calculates the exclusive-or of the received value and the shared key and thereby obtains the data group, wherein the data group comprises a random number group or a message group.
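Claims 18, 19 and 21 rest on one operation: the virtual link state between two service nodes is the exclusive-or of the routing states of every relay on the path, so it collapses to the exclusive-or of the two groups the endpoints hold, and either endpoint recovers the other's group with one more exclusive-or. The following Python is an added example written for this page, not code from the patent or its applicant; the `RelayNetwork` class, the node names, the `paths` argument of the group key service and the ciphertext identifier layout are assumptions, and every per-link key is drawn from `os.urandom` in place of quantum key negotiation.

```python
import os

GROUP_BYTES = 32  # assumed data format of one key group


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("groups must have the same data format")
    return bytes(x ^ y for x, y in zip(a, b))


class RelayNetwork:
    """Constructed target network: every link holds one negotiated shared key group.
    In the claims each group is known only to its two endpoints; this object holds all
    of them so the example can play every role."""

    def __init__(self, links):
        self.keys = {frozenset(link): os.urandom(GROUP_BYTES) for link in links}

    def key(self, n1: str, n2: str) -> bytes:
        return self.keys[frozenset((n1, n2))]

    def routing_state(self, prev: str, relay: str, nxt: str) -> bytes:
        """What a relay publishes: XOR of its groups with the previous and the next node."""
        return xor_bytes(self.key(prev, relay), self.key(relay, nxt))

    def virtual_link_state(self, path) -> dict:
        """XOR of the routing states of every relay on the path. Every intermediate group
        cancels, leaving K(src, first relay) XOR K(last relay, dst)."""
        data = bytes(GROUP_BYTES)
        for i in range(1, len(path) - 1):
            data = xor_bytes(data, self.routing_state(path[i - 1], path[i], path[i + 1]))
        return {"src": path[0], "dst": path[-1], "path": list(path), "data": data}


def derive_peer_group(link_state: dict, own_group: bytes) -> bytes:
    """Claim 21: an endpoint XORs the virtual link state data with its own associated
    group and obtains the other endpoint's associated group."""
    return xor_bytes(link_state["data"], own_group)


def group_key_service(net: RelayNetwork, paths: dict) -> dict:
    """Claim 18: every member derives the leader's associated group as the group key.
    `paths` maps member id -> node path that starts at the leader (constructed)."""
    derived = {}
    for member, path in paths.items():
        link_state = net.virtual_link_state(path)
        own_group = net.key(path[-2], path[-1])    # the member's own associated group
        derived[member] = derive_peer_group(link_state, own_group)
    return derived


def publish_ciphertext(source: str, slice_id: str, group: bytes, data: bytes) -> dict:
    """Claim 19: the source encrypts with its own associated group and publishes the
    ciphertext with an identifier naming slice, source and encryption mode.
    XOR with a key group is a one-time pad: a group encrypts at most one message."""
    if len(data) > len(group):
        raise ValueError("data longer than the key group; select another slice")
    return {"ciphertext": xor_bytes(data, group[: len(data)]),
            "id": {"slice": slice_id, "source": source, "mode": "xor"}}


def decrypt_published(published: dict, link_state: dict, own_group: bytes) -> bytes:
    """Any service node on the slice derives the source's group and decrypts."""
    if published["id"]["mode"] != "xor" or link_state["src"] != published["id"]["source"]:
        raise ValueError("ciphertext identifier does not match this link state")
    source_group = derive_peer_group(link_state, own_group)
    return xor_bytes(published["ciphertext"], source_group[: len(published["ciphertext"])])


if __name__ == "__main__":
    # constructed topology: A-R1-B and A-R1-R2-C, with A as the source / leader
    net = RelayNetwork([("A", "R1"), ("R1", "B"), ("R1", "R2"), ("R2", "C")])
    keys = group_key_service(net, {"B": ["A", "R1", "B"], "C": ["A", "R1", "R2", "C"]})
    print(keys["B"] == keys["C"] == net.key("A", "R1"))
    pub = publish_ciphertext("A", "slice-1", net.key("A", "R1"), b"sensor reading 42")
    ls = net.virtual_link_state(["A", "R1", "R2", "C"])
    print(decrypt_published(pub, ls, net.key("R2", "C")))
```

Two caveats the claims leave implicit. The encrypted publication of claim 19 is a one-time pad, so a group must never encrypt more than one message and the data cannot exceed the group length. And the construction shows the trust boundary of key relay: each relay on the path holds one of the two groups in its own routing state and can derive the end-to-end key, so relays are trusted nodes, not merely forwarders.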
22. A quantum network function virtualization method according to claim 1, 5, 6, 7, 20 or 21, wherein the target recipient comprises any one or more of: a target network management server, a network controller, a network virtualization server device, a service node device, a cloud storage service device, and a bookkeeping node device of a blockchain.
23. The quantum network function virtualization method according to claim 1, comprising: the virtual node states form a virtual node state blockchain in time order, wherein forming the virtual node state blockchain comprises: creating a block header for the virtual node state and using the virtual node state as the block body, the block header comprising a block number, a timestamp and the hash value of the block, the block number being equal to, or in one-to-one correspondence with, the global identifier,
and/or: the virtual network states form a virtual network state blockchain in time order, wherein forming the virtual network state blockchain comprises: creating a block header for the virtual network state and using the virtual network state as the block body, the block header comprising a block number, a timestamp and the hash value of the block, the block number being equal to, or in one-to-one correspondence with, the global identifier.
24. The quantum network function virtualization method of claim 3, wherein the virtual link network slices form a virtual link network slice blockchain in time order, wherein forming the virtual link network slice blockchain comprises: creating a block header for the virtual link network slice and using the virtual link network slice as the block body, the block header comprising a block number, a timestamp and the hash value of the block, the block number being equal to, or in one-to-one correspondence with, the global identifier.
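Claims 23 and 24 chain successive virtual node states (or virtual network states, or virtual link network slices) into blocks whose header carries a block number, a timestamp and a hash. The following Python is an added example written for this page, not code from the patent or its applicant. It uses the state's global identifier as the block number and adds a `prev_hash` field linking each header to the previous block; that link is an assumption beyond the claim wording, made so that the chain is tamper-evident rather than merely ordered. The sample states in the demo are constructed.

```python
import hashlib
import json
import time

GENESIS_HASH = "0" * 64


def canonical(obj) -> bytes:
    """Deterministic serialisation so every verifier hashes identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def block_hash(header: dict, body: dict) -> str:
    """Hash of the block: header fields (without the hash itself) plus the body."""
    fields = {k: v for k, v in header.items() if k != "hash"}
    return hashlib.sha256(canonical({"header": fields, "body": body})).hexdigest()


def append_block(chain: list, state: dict, timestamp: float = None) -> dict:
    """Claim 23: block number = the state's global identifier, plus timestamp and hash;
    the virtual node state is the block body. Numbers must increase along the chain."""
    number = state["id"]["global_id"]
    if chain and number <= chain[-1]["header"]["number"]:
        raise ValueError("block number must follow the previous global identifier")
    header = {
        "number": number,
        "timestamp": time.time() if timestamp is None else timestamp,
        "prev_hash": chain[-1]["header"]["hash"] if chain else GENESIS_HASH,  # assumed link
    }
    header["hash"] = block_hash(header, state)
    block = {"header": header, "body": state}
    chain.append(block)
    return block


def verify_chain(chain: list) -> bool:
    """Recompute every hash and check the links and the ordering of block numbers."""
    prev_hash, prev_number = GENESIS_HASH, None
    for block in chain:
        header, body = block["header"], block["body"]
        if header["prev_hash"] != prev_hash:
            return False
        if header["hash"] != block_hash(header, body):
            return False
        if header["number"] != body["id"]["global_id"]:
            return False
        if prev_number is not None and header["number"] <= prev_number:
            return False
        prev_hash, prev_number = header["hash"], header["number"]
    return True


def sample_state(node: str, global_id: int, data_hex: str) -> dict:
    """Constructed virtual node state with a single routing state (shape only)."""
    return {"id": {"node": node, "global_id": global_id, "count": 1},
            "routing_states": [{"id": {"global_id": global_id, "node": node,
                                       "first": "A", "second": "B"}, "data": data_hex}]}


if __name__ == "__main__":
    chain = []
    append_block(chain, sample_state("R", 1, "aa" * 32), 1700000000.0)
    append_block(chain, sample_state("R", 2, "bb" * 32), 1700000060.0)
    print(verify_chain(chain))
    chain[0]["body"]["routing_states"][0]["data"] = "cc" * 32   # tamper with an old state
    print(verify_chain(chain))
```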
25. A quantum network function virtualization method according to claim 2, wherein the storing comprises any one or more of the following options: local storage, cloud storage and server-side storage, wherein
local storage comprises: storing the virtual link state in local memory or in network storage,
cloud storage comprises: storing the virtual link state in a cloud storage space,
server-side storage comprises: sending the virtual link state to one or more third-party servers for storage.
26. A quantum network function virtualization method according to claim 1 (or 2), wherein the sending (or outputting) comprises either or both of the following options: a real-time sending method and a passive-response sending method, wherein
the real-time sending method comprises: sending the virtual node state in real time to local memory or network storage, and/or to a third-party server, and/or to an associated service node; and the passive-response sending method comprises: sending the virtual node state with a specified number to a third-party server and/or an associated service node according to a virtualization instruction.
27. The quantum network function virtualization method of claim 1 or 26, wherein the sending further comprises encrypted transmission, comprising any one or more of the following options: encrypted transmission using a symmetric cryptographic algorithm, encrypted transmission using an asymmetric cryptographic algorithm, and encrypted transmission over a VPN in tunnel mode or transport mode.
28. The quantum network function virtualization method according to claim 1, comprising a method for encapsulating the virtual network states or virtual network state slices of two different target networks into a cross-domain interworking virtual network state or virtual network state slice, comprising: if a service node exists that accesses both target networks, one such service node is selected, and the exclusive-or value of its two corresponding associated shared key groups, together with an identifier, is used as a virtual node routing state of the cross-domain interworking virtual network state or slice, which together with the virtual network states or slices of the two target networks forms the cross-domain interworking virtual network state or slice; if no service node accesses both target networks, a trusted third party distributes a shared key group (denoted Ka and Kb respectively) to one service node in each of the two target networks, the first service node uses the exclusive-or value of its corresponding associated shared key group and Ka, with an identifier, as a virtual node routing state, the second service node uses the exclusive-or value of its corresponding associated shared key group and Kb, with an identifier, as a virtual node routing state, and, if Ka differs from Kb, the trusted third party uses the exclusive-or value of Ka and Kb, with an identifier, as a virtual node routing state; these virtual node routing states together with the virtual network states or slices of the two target networks form the cross-domain interworking virtual network state or slice.
29. The quantum network function virtualization method according to claim 1, comprising setting the conditions for creating a virtual network state or slice, including: the target recipient has received all the virtual node routing states required to create a virtual quantum link state between any two service nodes, or the defined time for creating the current virtual network state or slice has been reached.
30. The method of claim 2, wherein providing the virtual node state service comprises: selecting a key relay link between two service nodes (denoted the source node and the destination node); each virtual node on the key relay link sends the virtual node routing state data carrying the same global identifier to a service node or a third-party server, and the service node or the third-party server performs an exclusive-or operation over the virtual node routing state data of all the target nodes that carry that global identifier.
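Claim 28 (second case: no service node sits in both domains) and claim 30 (exclusive-or over the routing state data of every node on a key relay link that carries one global identifier) fit together: the trusted third party's Ka and Kb act as two extra key groups, and the bridging states chain the two domains into a single relay link. The following Python is an added example written for this page, not code from the patent or its applicant; the node names P, R, X, Y, S, Q, the group identifiers, and the check that consecutive routing states chain on a common group identifier are assumptions, and every key group is drawn from `os.urandom` in place of quantum key negotiation or the trusted third party's distribution.

```python
import os

GROUP_BYTES = 32  # assumed data format of one key group


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("groups must have the same data format")
    return bytes(x ^ y for x, y in zip(a, b))


def routing_state(global_id: int, node: str, first: str, second: str,
                  k_first: bytes, k_second: bytes) -> dict:
    """One virtual node routing state: XOR of two key groups plus an identifier that
    names the node and the two group identifiers it combined (claims 13 and 15)."""
    return {"id": {"global_id": global_id, "node": node, "first": first, "second": second},
            "data": xor_bytes(k_first, k_second)}


def relay_link_xor(states: list, global_id: int) -> bytes:
    """Claim 30: XOR the routing state data of every node on the key relay link.
    States from another global identifier are refused, and consecutive states must
    share a group identifier (second of one == first of the next) or the XOR is
    meaningless: an intermediate group would not cancel."""
    data = bytes(GROUP_BYTES)
    prev_second = None
    for st in states:
        if st["id"]["global_id"] != global_id:
            raise ValueError("mixed global identifiers on the relay link")
        if prev_second is not None and st["id"]["first"] != prev_second:
            raise ValueError("routing states do not form a contiguous relay link")
        prev_second = st["id"]["second"]
        data = xor_bytes(data, st["data"])
    return data


def derive_far_end_group(states: list, global_id: int, own_group: bytes) -> bytes:
    """The source node XORs its own associated group into the link XOR and obtains the
    destination node's associated group."""
    return xor_bytes(relay_link_xor(states, global_id), own_group)


def cross_domain_relay_link(global_id: int, ttp_uses_one_key: bool = False):
    """Constructed scenario for claim 28, second case. Domain 1: P - R - X, domain 2:
    Y - S - Q. X receives Ka and Y receives Kb from the trusted third party (TTP);
    when Ka == Kb the TTP publishes nothing and X's and Y's states chain directly."""
    k = {name: os.urandom(GROUP_BYTES) for name in ("P-R", "R-X", "Ka", "Kb", "Y-S", "S-Q")}
    if ttp_uses_one_key:
        k["Kb"] = k["Ka"]
    bridge = [] if ttp_uses_one_key else [
        routing_state(global_id, "TTP", "Ka", "Kb", k["Ka"], k["Kb"])]
    y_first = "Ka" if ttp_uses_one_key else "Kb"
    states = [
        routing_state(global_id, "R", "P-R", "R-X", k["P-R"], k["R-X"]),     # domain 1 relay
        routing_state(global_id, "X", "R-X", "Ka", k["R-X"], k["Ka"]),       # domain 1 edge
        *bridge,                                                             # TTP (Ka != Kb)
        routing_state(global_id, "Y", y_first, "Y-S", k["Kb"], k["Y-S"]),    # domain 2 edge
        routing_state(global_id, "S", "Y-S", "S-Q", k["Y-S"], k["S-Q"]),     # domain 2 relay
    ]
    return k, states


if __name__ == "__main__":
    for one_key in (False, True):
        k, states = cross_domain_relay_link(global_id=5, ttp_uses_one_key=one_key)
        # P holds only its group with R, yet obtains the group that Q shares with S
        print(derive_far_end_group(states, 5, k["P-R"]) == k["S-Q"])
```

The chaining check is what turns "XOR everything with this global identifier" into a safe operation: a stray routing state from another relay, or a state from a different global identifier, would yield a value that matches nothing at the far end, and failing loudly is better than injecting a wrong key into an encryption device.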
31. A quantum network function virtualization apparatus, comprising a node device and a virtualization server device for performing the method of any of claims 1-7, wherein each device comprises a software module, a hardware module, or an integrated software and hardware module.
32. The quantum network function virtualization device of claim 31, wherein the node device comprises:
a transceiver, configured to report the topology information of the quantum node to the virtualization server device or a network controller, to receive the virtualization instruction issued by the virtualization server device or the network controller, and to send the virtual node routing states to the virtualization server device,
a data processing unit, configured to negotiate a shared key group with each adjacent target node and to create virtual node routing states, and/or, further, to create a virtual node state,
a node virtualization unit, configured for storage and output management of virtual node routing states and/or virtual node states,
wherein the virtual node routing state comprises: the exclusive-or value of the shared key groups between the target relay node and its two adjacent target nodes, together with the corresponding identifier; the virtual node state comprises: some or all of the virtual node routing states of the target relay node and their corresponding identifiers; the virtualization instruction indicates any one or more of: the global identifier, the data format of the shared key group, the data structure of the virtual node routing state, the data structure of the virtual node state, the identifier of the target recipient and the data transmission mode; and the topology information comprises: the identifier of the node and the link state between the node and each adjacent target node.
33. A quantum network function virtualization device according to claim 31 or 32, wherein the virtualization server device comprises:
a memory for storing programs and instructions,
a data processing unit, configured to execute, by calling the programs and instructions stored in the memory: encapsulating the current virtual node states of all target quantum nodes, with their corresponding identifiers, as one virtual network state or slice, and/or encapsulating the virtual link states between any two quantum service nodes among some or all of the quantum service nodes in the target network as a virtual link network slice,
a transceiver, configured to send a quantum network virtualization request to a network controller and to receive the virtual node states of the target quantum nodes; optionally, further configured to receive the topology information reported by each target quantum node, to obtain the virtualization request, and to send the virtualization instruction corresponding to that request to each target quantum node so that each target quantum node negotiates shared quantum keys and creates its virtual node state according to the instruction; and to receive the virtual node states and pass them to the data processing unit,
wherein the topology information comprises: the identifier of the node and the link state between the node and each adjacent target node, and the virtualization instruction indicates any one or more of: the global identifier, the data format of the shared key group, the data structure of the virtual node routing state, the data structure of the virtual node state, the identifier of the target recipient and the data transmission mode.
34. A quantum network function virtualization server device according to claim 31, 32 or 33, wherein the virtualization server device further comprises: a virtual link service unit, configured to send one or more virtual link states associated with two service nodes to the two service nodes and/or to application devices served by the two service nodes, wherein the application devices comprise: a cryptographic application device, an agent device of a service node, and a virtual link service agent device.
35. The quantum network function virtualization server device of claim 33, wherein the data processing unit is further configured to perform: creating a virtual mapping network of a target network, comprising: a distributed virtual mapping network, or/and a centralized virtual mapping network, wherein,
the distributed virtual mapping network is characterized in that: each of the target nodes creates a virtual node,
the centralized virtual mapping network is characterized in that: the third party server creates a virtual node for each target node, wherein,
the virtual mapping network includes: information of the network link topology between the target nodes,
the virtual nodes are used for storing or outputting corresponding virtual node states.
36. The quantum network function virtualization server device of claim 33, wherein the data processing unit is further configured to perform: a digital signature of all or a portion of the virtual node state is verified.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910820377.4A CN110690961B (en) | 2019-09-01 | 2019-09-01 | Quantum network function virtualization method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110690961A true CN110690961A (en) | 2020-01-14 |
CN110690961B CN110690961B (en) | 2022-04-12 |
Family
ID=69108681
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910820377.4A Active CN110690961B (en) | 2019-09-01 | 2019-09-01 | Quantum network function virtualization method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110690961B (en) |
Cited By (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111262699A (en) * | 2020-03-03 | 2020-06-09 | 成都量安区块链科技有限公司 | Quantum security key service method and system |
CN111884798A (en) * | 2020-07-22 | 2020-11-03 | 全球能源互联网研究院有限公司 | Electric power business quantum encryption system |
CN111884798B (en) * | 2020-07-22 | 2023-04-07 | 全球能源互联网研究院有限公司 | Electric power business quantum encryption system |
CN114285550A (en) * | 2021-12-09 | 2022-04-05 | 成都量安区块链科技有限公司 | Quantum security key service network, system and node device |
CN114124384A (en) * | 2022-01-26 | 2022-03-01 | 浙江九州量子信息技术股份有限公司 | QKD network virtualization method and quantum key cloud platform |
CN114124384B (en) * | 2022-01-26 | 2022-04-29 | 浙江九州量子信息技术股份有限公司 | QKD network virtualization method and quantum key cloud platform |
EP4354787A1 (en) * | 2022-10-11 | 2024-04-17 | Bull Sas | Method for creating a trusted map of verified secure nodes for a network of nodes in a quantum internet |
CN117579276A (en) * | 2024-01-16 | 2024-02-20 | 浙江国盾量子电力科技有限公司 | Quantum encryption method for feeder terminal and quantum board card module |
CN117579276B (en) * | 2024-01-16 | 2024-03-29 | 浙江国盾量子电力科技有限公司 | Quantum encryption method for feeder terminal and quantum board card module |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20080144836A1 (en) * | 2006-12-13 | 2008-06-19 | Barry Sanders | Distributed encryption authentication methods and systems |
CN108023725A (en) * | 2016-11-04 | 2018-05-11 | 华为技术有限公司 | A kind of quantum key trunking method and device based on centralized management with control network |
CN108270557A (en) * | 2016-12-30 | 2018-07-10 | 科大国盾量子技术股份有限公司 | A kind of backbone system and its trunking method based on quantum communications |
CN109995510A (en) * | 2017-12-29 | 2019-07-09 | 成都零光量子科技有限公司 | A kind of quantum key relay services method |
Non-Patent Citations (3)
Title |
---|
ALEJANDRO AGUADO ET AL.: "Virtual Network Function Deployment and Service Automation to Provide End-to-End Quantum Encryption", Journal of Optical Communications and Networking * |
Wu Diance (伍典策): "Research on quantum information network architecture and routing technology based on quantum repeaters", China Master's Theses Full-text Database (Information Science and Technology) * |
Chen Hui (陈晖) et al.: "Quantum key service and mobile application technology", Journal of China Academy of Electronics and Information Technology * |
Also Published As
Publication number | Publication date |
---|---|
CN110690961B (en) | 2022-04-12 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN110690961B (en) | Quantum network function virtualization method and device | |
CN110690928B (en) | Quantum relay link virtualization method and device | |
CN110677241B (en) | Quantum network virtualization architecture method and device | |
CN110661620B (en) | Shared key negotiation method based on virtual quantum link | |
US10187209B2 (en) | Cumulative schemes for network path proof of transit | |
CN110690962B (en) | Application method and device of service node | |
CN112367163B (en) | Quantum network virtualization method and device | |
CN110690960B (en) | Routing service method and device of relay node | |
CN110690964B (en) | Quantum service block chain creation method and application system | |
EP4258593A1 (en) | Ota update method and apparatus | |
US20180219913A1 (en) | Packet inspection and forensics in an encrypted network | |
CN114157415A (en) | Data processing method, computing node, system, computer device and storage medium | |
WO2018214701A1 (en) | Data message transmission method, network device, control device, and network system | |
CN115174061A (en) | Message transmission method and device based on block chain relay communication network system | |
CN112367160B (en) | Virtual quantum link service method and device | |
CN114142995B (en) | Key security distribution method and device for block chain relay communication network | |
CN110557253A (en) | Relay route acquisition method, device and application system | |
CN113193958B (en) | Quantum key service method and system | |
CN112367124B (en) | Quantum relay node virtualization method and device | |
CN116016529A (en) | Load balancing management method and device for IPSec VPN (Internet protocol security virtual private network) equipment | |
EP4283955A1 (en) | Communication key configuration method and apparatus | |
CN112367161A (en) | Relay node function virtualization method and device | |
CN114143038A (en) | Key secure distribution method and device for block chain relay communication network | |
CN112367162A (en) | Application method and device of quantum relay node | |
US11805110B2 (en) | Method for transmitting data packets |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||