CN111147232A - QKD communication node and quantum key resource migration method and device thereof
- Publication number
- CN111147232A
- Authority
- CN
- China
- Prior art keywords
- key
- storage space
- node
- quantum
- key storage
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0852—Quantum cryptography
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0894—Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Physics & Mathematics (AREA)
- Electromagnetism (AREA)
- Theoretical Computer Science (AREA)
- Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)
Abstract
The invention provides a QKD communication node and a quantum key resource migration method and device thereof. The method comprises: after determining the resource-surplus and resource-deficient key storage spaces in the local quantum key pool, taking the node corresponding to the resource-surplus key storage space as the key emigration node, and taking the node corresponding to the resource-deficient key storage space as the key immigration node; and, after removing a number of quantum keys from the resource-surplus key storage space, copying the removed quantum keys to the resource-deficient key storage space, encrypting the removed quantum keys and sending them to the key immigration node for storage. The invention can migrate quantum keys and thereby balance the distribution of resources in the quantum key pools of the QKD communication nodes in the network.
Description
Technical Field
The invention relates to the technical field of quantum key distribution, in particular to a QKD communication node and a quantum key resource migration method and device thereof.
Background
Quantum Key Distribution (QKD) technology uses quantum mechanical properties to ensure communication security. It enables two communicating parties to generate and share a random, secure key for encrypting and decrypting messages, does not depend on assumptions about computational complexity, and in theory offers unconditional security.
In present quantum key distribution networks, a quantum key transceiver and a network node are fixed at the same position to form a QKD communication node; in order to ensure timely communication between the QKD communication nodes in the QKD network, the QKD communication nodes can generate quantum keys when information does not need to be sent, reserve the keys in quantum key pools, and divide the quantum key pools into individual key spaces. Then, the optical time division multiplexing technology is used to divide the key space into a plurality of periodic time slices, and the time slices can provide periodic keys for a plurality of services and update the keys, so that the one-to-many relationship between the key pool and the services can be realized.
That is, in the QKD network architecture, a QKD communication node may communicate with multiple nodes, that is, the number of nodes paired with the QKD communication node to generate quantum keys may be greater than or equal to 1, so that the quantum key pool local in the QKD communication node may be divided into multiple key storage spaces for storing the shared quantum keys generated by the nodes, respectively.
However, the key generation rate of a QKD communication node is essentially constant. As a result, the key resources in the key storage spaces shared with some nodes far exceed current requirements, while the key resources in the key storage spaces shared with other nodes fall far short of current requirements. This imbalance in key states can degrade network performance.
Disclosure of Invention
In view of this, the present invention provides a QKD communication node, and a quantum key resource migration method and apparatus thereof, which can migrate a quantum key to implement resource balanced distribution of a quantum key pool of the QKD communication node in a network.
Based on the above purpose, the present invention provides a quantum key resource migration method, which includes:
after determining the resource-surplus and resource-deficient key storage spaces in the local quantum key pool, taking the node corresponding to the resource-surplus key storage space as the key emigration node, and taking the node corresponding to the resource-deficient key storage space as the key immigration node;
and after a plurality of quantum keys are removed from the key storage space with the surplus resources, copying the removed quantum keys to the key storage space with the deficient resources, encrypting the removed quantum keys and sending the encrypted quantum keys to the key immigration node for storage.
Preferably, before the step of encrypting the obtained quantum key and sending the encrypted quantum key to the key immigration node for storage, the method further includes:
sending encrypted key emigration and immigration notifications to the key emigration and immigration nodes respectively; and
the step of encrypting the removed quantum key and then sending the encrypted quantum key to the key immigration node for storage specifically comprises the following steps:
encrypting the removed quantum key by using the quantum key in the key storage space corresponding to the key immigration node, and then sending the encrypted quantum key to the key immigration node;
and after receiving the key immigration notification, the key immigration node determines the sending node of the notification; on receiving the information subsequently sent by that node, it decrypts the received information using the quantum key shared with the sending node in its own quantum key pool, and stores the quantum keys obtained by decryption in the key storage space corresponding to the sending node of the key immigration notification.
Preferably, after the sending the encrypted key emigration and immigration notifications to the key emigration and immigration nodes, the method further includes:
and the key emigration node eliminates a plurality of quantum keys from the quantum keys shared by the quantum key pool of the node and the sending node of the key emigration notice according to the received key emigration notice.
The determining of the key storage space with resource surplus and resource shortage in the local quantum key pool specifically includes:
detecting the storage state of each key storage space in a local quantum key pool;
respectively calculating the key upper and lower limit thresholds of each key storage space according to the storage state of each key storage space;
determining a key storage space whose key storage amount is larger than the calculated key upper limit threshold to be a resource-surplus key storage space;
and judging the key storage space with the key storage amount smaller than the calculated key lower limit threshold value as the key storage space with the lack of resources.
Wherein, the calculating the key upper and lower threshold values of each key storage space according to the storage state of each key storage space specifically includes:
respectively calculating the key upper and lower limit thresholds of the key storage space according to the following formula I and II:
$T = S \times I$ (formula one)
In the formula I, T is a calculated key upper limit threshold value of a key storage space, S represents a key consumption rate of the key storage space, and I represents an average duration of a key consumption peak period of the key storage space;
$M = S \times F$ (formula two)
In the second formula, M is a calculated lower key threshold of the key storage space, S represents a key consumption rate of the key storage space, and F represents a time required for generating a new quantum key in the key storage space.
The invention also provides a quantum key resource migration device, comprising:
the key storage state detection module is used for determining the key storage space of resource surplus and resource shortage in the local quantum key pool;
the key migration module is used for taking the node corresponding to the key storage space with the surplus resources as a key migration-out node and taking the node corresponding to the key storage space with the deficient resources as a key migration-in node; and after a plurality of quantum keys are removed from the key storage space with the surplus resources, copying the removed quantum keys to the key storage space with the deficient resources, encrypting the removed quantum keys and sending the encrypted quantum keys to the key immigration node for storage.
The present invention also provides a QKD communication node, comprising: the quantum key resource migration device is described above.
In the technical solution provided by the invention, after the resource-surplus and resource-deficient key storage spaces are determined in the local quantum key pool of the QKD communication node, the node corresponding to the resource-surplus key storage space is taken as the key emigration node, and the node corresponding to the resource-deficient key storage space is taken as the key immigration node; after a number of quantum keys are removed from the resource-surplus key storage space, the removed quantum keys are copied to the resource-deficient key storage space, encrypted, and sent to the key immigration node for storage. Keys in a key storage space whose key resources exceed current requirements can thus be migrated to a key storage space whose key resources fall far short of current requirements. This balances the distribution of resources in the quantum key pools of the QKD communication nodes in the network: quantum key resources shared with frequently communicating nodes are replenished, while quantum keys shared with comparatively idle nodes are not wasted but migrated to other key storage spaces for use, improving the efficiency of key use.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a schematic network topology diagram of a QKD network according to an embodiment of the present invention;
Fig. 2 is a flowchart of a quantum key resource migration method in a QKD communication node according to an embodiment of the present invention;
Fig. 3 is a flowchart of a method for determining resource-surplus and resource-deficient key storage spaces according to an embodiment of the present invention;
Fig. 4 is a flowchart of a quantum key migration method according to an embodiment of the present invention;
Fig. 5 is a block diagram of an internal structure of a quantum key resource migration apparatus according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to specific embodiments and the accompanying drawings.
It is to be noted that technical terms or scientific terms used in the embodiments of the present invention should have the ordinary meanings as understood by those having ordinary skill in the art to which the present disclosure belongs, unless otherwise defined. The use of "first," "second," and similar terms in this disclosure is not intended to indicate any order, quantity, or importance, but rather is used to distinguish one element from another. The word "comprising" or "comprises", and the like, means that the element or item listed before the word covers the element or item listed after the word and its equivalents, but does not exclude other elements or items. The terms "connected" or "coupled" and the like are not restricted to physical or mechanical connections, but may include electrical connections, whether direct or indirect. "upper", "lower", "left", "right", and the like are used merely to indicate relative positional relationships, and when the absolute position of the object being described is changed, the relative positional relationships may also be changed accordingly.
In the technical solution of the invention, after the resource-surplus and resource-deficient key storage spaces in the local quantum key pool are determined, the node corresponding to the resource-surplus key storage space is taken as the key emigration node, and the node corresponding to the resource-deficient key storage space is taken as the key immigration node; after a number of quantum keys are removed from the resource-surplus key storage space, the removed quantum keys are copied to the resource-deficient key storage space, encrypted, and sent to the key immigration node for storage.
The technical solution of the embodiments of the present invention is described in detail below with reference to the accompanying drawings.
In a QKD network architecture, one QKD communication node can generate a shared quantum key with multiple QKD communication nodes; therefore, a local quantum key pool in a QKD communication node can be divided into a plurality of key storage spaces for storing the shared quantum keys generated by the nodes, that is, each key storage space of the quantum key pool of a QKD communication node corresponds to a node, and is used for storing the shared quantum keys generated by the node corresponding to the key storage space and the QKD communication node to which the quantum key pool belongs.
For example, in the network topology shown in Fig. 1, node F may generate a shared quantum key with node A, node B, and node C, respectively; a corresponding key storage space A, key storage space B and key storage space C are allocated for node A, node B and node C, respectively, in the quantum key pool of node F.
The quantum key resource migration method in the QKD communication node provided by the embodiment of the present invention has a specific flow as shown in fig. 2, and includes the following steps:
Step S201: The storage state of each key storage space in the local quantum key pool of the QKD communication node is detected.
In the step, the storage state of each key storage space in a local quantum key pool in the QKD communication node is detected; wherein, the storage state of the key storage space may include: a key storage amount of the key storage space, a key consumption rate of the key storage space, an average duration of key consumption peaks of the key storage space, a time required to generate a new quantum key in the key storage space.
Step S202: The resource-surplus and resource-deficient key storage spaces in the local quantum key pool are determined according to the detected storage states of the key storage spaces.
Specifically, the resource-surplus and resource-deficient key storage spaces in the local quantum key pool can be determined according to the method flow shown in Fig. 3, which includes the following substeps:
Substep S301: The key upper limit threshold and the key lower limit threshold of each key storage space are calculated according to the storage state of that key storage space.
Specifically, the key upper threshold of the key storage space may be calculated according to the following formula one:
$T = S \times I$ (formula one)
In the formula one, T is a calculated key upper limit threshold of the key storage space, S represents a key consumption rate of the key storage space, and I represents an average duration of a key consumption peak period of the key storage space.
For example, for node F in the network topology shown in Fig. 1, the storage states of key storage space A, key storage space B and key storage space C and the calculated key upper limit thresholds are shown in Table 1 below:
TABLE 1
The lower key threshold of the key storage space may be calculated according to the following formula two:
$M = S \times F$ (formula two)
In the second formula, M is a calculated lower key threshold of the key storage space, S represents a key consumption rate of the key storage space, and F represents a time required for generating a new quantum key in the key storage space.
For example, for node F in the network topology shown in fig. 1, the storage states of the key storage space B, the key storage space C and the calculated lower threshold of the key are shown in table 2 below:
TABLE 2
Substep S302: for each key storage space, judging whether the key storage amount of the key storage space is larger than the key upper limit threshold value of the key storage space, and judging whether the key storage amount of the key storage space is smaller than the key lower limit threshold value of the key storage space.
For example, for node F in the network topology shown in Fig. 1, the calculation results in Table 1 and Table 2 show that the key storage amount of key storage space A, 50, is larger than its key upper limit threshold T = 33.39, and the key storage amount of key storage space C, 10, is smaller than its key lower limit threshold M = 15.82.
Substep S303: A key storage space whose key storage amount is larger than the calculated key upper limit threshold is determined to be a resource-surplus key storage space, and a key storage space whose key storage amount is smaller than the calculated key lower limit threshold is determined to be a resource-deficient key storage space.
For example, for node F in the network topology shown in Fig. 1, key storage space A in the quantum key pool of the node is determined to be a resource-surplus key storage space, and key storage space C in the quantum key pool of the node is determined to be a resource-deficient key storage space.
Step S203: Quantum key migration is carried out.
In this step, the node corresponding to the resource-surplus key storage space is taken as the key emigration node, and the node corresponding to the resource-deficient key storage space is taken as the key immigration node; after a number of quantum keys are removed from the resource-surplus key storage space, the removed quantum keys are copied to the resource-deficient key storage space, encrypted, and sent to the key immigration node for storage. The specific flow is shown in Fig. 4 and comprises the following substeps:
Substep S401: The node corresponding to the resource-surplus key storage space is taken as the key emigration node, and the node corresponding to the resource-deficient key storage space is taken as the key immigration node.
For example, for node F in the network topology shown in Fig. 1, node A, corresponding to key storage space A determined to be resource-surplus in the quantum key pool of node F, is taken as the key emigration node, and node C, corresponding to key storage space C determined to be resource-deficient, is taken as the key immigration node.
Substep S402: A number of quantum keys are removed from the resource-surplus key storage space, and encrypted key emigration and immigration notifications are sent to the key emigration and immigration nodes.
Specifically, the number of quantum keys removed from the resource-surplus key storage space in this substep may be determined according to the following method:
if the difference between the key storage amount in the key storage space with the surplus resources and the key upper limit threshold is larger than the difference between the key storage amount in the key storage space with the deficient resources and the key lower limit threshold, determining the number of the shifted quantum keys according to the difference between the key storage amount in the key storage space with the deficient resources and the key lower limit threshold;
if the difference between the key storage amount in the key storage space with the surplus resources and the key upper limit threshold is less than or equal to the difference between the key storage amount in the key storage space with the deficient resources and the key lower limit threshold, the number of the removed quantum keys is a% of the difference between the key storage amount in the key storage space with the surplus resources and the key upper limit threshold; wherein a can be set to a number between 0 and 100 by those skilled in the art according to practical situations.
In this sub-step, encrypted key emigration and immigration notifications can also be sent to the key emigration and immigration nodes.
For example, for the network topology shown in Fig. 1, node F may encrypt the key emigration notification using the quantum key shared with node A in key storage space A, and then send the encrypted key emigration notification to node A, which serves as the key emigration node; the key emigration notification can indicate the number of emigrated quantum keys.
Node F can also encrypt the key immigration notification using the quantum key shared with node C in key storage space C, and then send the encrypted key immigration notification to node C, which serves as the key immigration node; the key immigration notification can indicate the number of immigrated quantum keys.
Substep S403: and copying the removed quantum key to the key storage space with the deficient resources, encrypting the removed quantum key and sending the encrypted quantum key to the key immigration node for storage.
For example, for the network topology shown in fig. 1, the node F may copy the quantum key removed from the key storage space a to the key storage space C, encrypt the removed quantum key with the shared quantum key generated by the node C in the key storage space C, and send the encrypted quantum key to the node C as the key immigration node for storage.
Substep S404: the key immigration node stores the received quantum key according to the key immigration notice; and the key emigration node eliminates a plurality of quantum keys according to the key emigration notice.
Specifically, after receiving the key immigration notification, the key immigration node determines the sending node of the notification; on receiving the information subsequently sent by that node, it decrypts the received information using the quantum key shared with the sending node in its own quantum key pool, and stores the quantum keys obtained by decryption in the key storage space corresponding to the sending node of the key immigration notification.
The key emigration node, according to the received key emigration notification, removes a number of quantum keys from the key storage space of its own quantum key pool that corresponds to the sending node of the key emigration notification.
For example, for the network topology shown in Fig. 1, after receiving the key immigration notification, node C, serving as the key immigration node, determines that the sending node of the key immigration notification is node F; when it receives the information subsequently sent by node F, node C decrypts the received information using the quantum key shared with node F in its own quantum key pool, obtaining the migrated quantum keys, and stores the quantum keys obtained by decryption in the key storage space corresponding to node F in its local quantum key pool.
For the network topology shown in Fig. 1, node A, serving as the key emigration node, determines from the received key emigration notification that the sending node is node F, and then removes a number of quantum keys from the quantum keys shared with node F in its own quantum key pool; the number of removed quantum keys may be determined according to the number of migrated quantum keys indicated in the key emigration notification.
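Steps S201 to S203 at node F, with the bookkeeping on nodes A and C, as an added example (not code from the patent). The S, I and F values are constructed, chosen so that T for space A and M for space C match the 33.39 and 15.82 quoted above. The one-time-pad wrapping, the oldest-first key order, the 32-byte key size and the rounding up of the deficit are assumptions the page does not specify.

```python
import math
import secrets
from dataclasses import dataclass

KEY_LEN = 32  # bytes per stored quantum key (assumption; the page gives no size)


@dataclass
class KeySpace:
    keys: list    # keys shared with one peer, oldest first, same order on both ends
    rate: float   # S: key consumption rate
    peak: float   # I: average duration of the key consumption peak
    regen: float  # F: time required to generate a new quantum key

    @property
    def upper(self):  # formula one: T = S x I
        return self.rate * self.peak

    @property
    def lower(self):  # formula two: M = S x F
        return self.rate * self.regen

    def state(self):  # substeps S302/S303
        n = len(self.keys)
        return "surplus" if n > self.upper else "deficient" if n < self.lower else "balanced"


def migration_count(src, dst, a_percent):
    """Substep S402: how many keys to move from a surplus to a deficient space."""
    excess = len(src.keys) - src.upper
    deficit = dst.lower - len(dst.keys)
    if excess > deficit:
        return math.ceil(deficit)                # rounding up is an assumption
    return math.floor(excess * a_percent / 100)  # a% of the excess


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def take(space, n):
    """Remove and return the n oldest keys (both ends remove in the same order)."""
    taken, space.keys[:] = space.keys[:n], space.keys[n:]
    return taken


def migrate(local, peers, a_percent=50):
    """local: peer name -> KeySpace at this node; peers: peer name -> the peer's
    KeySpace for this node. Notifications are reduced to passing the count n."""
    out_name = next((p for p, s in local.items() if s.state() == "surplus"), None)
    in_name = next((p for p, s in local.items() if s.state() == "deficient"), None)
    if out_name is None or in_name is None:
        return None
    src, dst = local[out_name], local[in_name]
    n = migration_count(src, dst, a_percent)

    # S402/S403 at the local node: remove from the surplus space, wrap each key
    # under a pad taken from the deficient space, then store the copies there.
    moved = take(src, n)
    pads = take(dst, n)
    ciphertext = [xor(k, p) for k, p in zip(moved, pads)]
    dst.keys.extend(moved)

    # S404 at the immigration node: unwrap with the same pads and store.
    remote_in = peers[in_name]
    remote_pads = take(remote_in, n)
    remote_in.keys.extend(xor(c, p) for c, p in zip(ciphertext, remote_pads))

    # S404 at the emigration node: discard the keys counted in the notification.
    take(peers[out_name], n)
    return {"from": out_name, "to": in_name, "moved": n, "pads_spent": len(pads)}


def link(n, rate, peak, regen):
    """Constructed sample data: both ends of one QKD link hold the same keys."""
    keys = [secrets.token_bytes(KEY_LEN) for _ in range(n)]
    return KeySpace(list(keys), rate, peak, regen), KeySpace(list(keys), rate, peak, regen)


def demo():
    fa, af = link(50, 3.71, 9, 2)    # space A at F: T = 33.39, stored 50
    fb, bf = link(12, 2.00, 10, 3)   # space B at F: balanced
    fc, cf = link(10, 2.26, 12, 7)   # space C at F: M = 15.82, stored 10
    node_f = {"A": fa, "B": fb, "C": fc}
    remote = {"A": af, "B": bf, "C": cf}
    return node_f, remote, migrate(node_f, remote)


if __name__ == "__main__":
    node_f, remote, report = demo()
    print(report, {p: len(s.keys) for p, s in node_f.items()})
```

Under the one-time-pad assumption the transfer spends one key of the F-C space per key delivered, so `pads_spent` equals `moved` and the size of space C is unchanged. The net gain for the deficient space therefore depends on how many pool keys the chosen cipher consumes per transfer.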
It should be noted that the method of the embodiment of the present invention may be executed by a single device, such as a computer or a server. The method of the embodiment can also be applied to a distributed scene and completed by the mutual cooperation of a plurality of devices. In the case of such a distributed scenario, one of the multiple devices may only perform one or more steps of the method according to the embodiment of the present invention, and the multiple devices interact with each other to complete the method.
An internal structural block diagram of a quantum key resource migration apparatus provided in an embodiment of the present invention is shown in fig. 5, and includes: a key storage state detection module 501 and a key migration module 502.
The key storage state detection module 501 is configured to determine a key storage space where resources are left and deficient in a local quantum key pool;
the key migration module 502 is configured to use a node corresponding to the key storage space with the remaining resources as a key migration-out node, and use a node corresponding to the key storage space with the lacking resources as a key migration-in node; and after a plurality of quantum keys are removed from the key storage space with the surplus resources, copying the removed quantum keys to the key storage space with the deficient resources, encrypting the removed quantum keys and sending the encrypted quantum keys to the key immigration node for storage.
Specifically, the key storage state detection module 501 detects the storage state of each key storage space in the local quantum key pool; calculates the key upper and lower limit thresholds of each key storage space according to the storage state of that key storage space; determines a key storage space whose key storage amount is larger than the calculated key upper limit threshold to be a resource-surplus key storage space; and determines a key storage space whose key storage amount is smaller than the calculated key lower limit threshold to be a resource-deficient key storage space.
The key migration module 502 may specifically include the following units: a key migration node determination unit 511, a key migration number determination unit 512, a key migration notification unit 513, a key internal migration unit 514, and a key transmission unit 515.
The key migration node determining unit 511 is configured to take the node corresponding to the resource-surplus key storage space as the key emigration node, and take the node corresponding to the resource-deficient key storage space as the key immigration node;
the key migration number determining unit 512 is configured to: if the difference between the key storage amount in the resource-surplus key storage space and its key upper limit threshold is greater than the difference between the key storage amount in the resource-deficient key storage space and its key lower limit threshold, determine the number of removed quantum keys according to the difference between the key storage amount in the resource-deficient key storage space and its key lower limit threshold; if the difference between the key storage amount in the resource-surplus key storage space and its key upper limit threshold is less than or equal to the difference between the key storage amount in the resource-deficient key storage space and its key lower limit threshold, set the number of removed quantum keys to a% of the difference between the key storage amount in the resource-surplus key storage space and its key upper limit threshold; wherein a is a set number between 0 and 100;
the key migration notification unit 513 is configured to send encrypted key emigration and key immigration notifications to the key emigration node and the key immigration node; specifically, the key emigration/immigration notification may indicate the number of migrated quantum keys determined by the key migration number determination unit 512.
The key internal migration unit 514 is configured to copy the removed quantum keys to the key storage space with the missing resources after removing a number of quantum keys from the key storage space with the remaining resources; specifically, the key internal migration unit 514 may, according to the number of migrated quantum keys determined by the key migration number determination unit 512, copy the removed quantum keys to the key storage space with the lack of resources after removing a corresponding number of quantum keys from the key storage space with the remaining resources.
The key sending unit 515 is configured to encrypt the quantum keys removed from the resource-surplus key storage space and send the encrypted quantum keys to the key immigration node for storage.
The quantum key distribution device may be disposed in the QKD communication node, and a detailed method for implementing functions of each module in the device may refer to a method detailed in each step in the flow shown in fig. 2, which is not described herein again.
In the technical solution provided by the invention, after the resource-surplus and resource-deficient key storage spaces are determined in the local quantum key pool of the QKD communication node, the node corresponding to the resource-surplus key storage space is taken as the key emigration node, and the node corresponding to the resource-deficient key storage space is taken as the key immigration node; after a number of quantum keys are removed from the resource-surplus key storage space, the removed quantum keys are copied to the resource-deficient key storage space, encrypted, and sent to the key immigration node for storage. Keys in a key storage space whose key resources exceed current requirements can thus be migrated to a key storage space whose key resources fall far short of current requirements. This balances the distribution of resources in the quantum key pools of the QKD communication nodes in the network: quantum key resources shared with frequently communicating nodes are replenished, while quantum keys shared with comparatively idle nodes are not wasted but migrated to other key storage spaces for use, improving the efficiency of key use.
Computer- or server-readable media of the embodiments, including permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device.
Those of ordinary skill in the art will understand that the discussion of any embodiment above is exemplary only and is not intended to imply that the scope of the disclosure, including the claims, is limited to these examples. Within the idea of the invention, features in the above embodiments or in different embodiments may also be combined, steps may be implemented in any order, and there are many other variations of the different aspects of the invention as described above, which are not provided in detail for the sake of brevity.
In addition, well known power/ground connections to Integrated Circuit (IC) chips and other components may or may not be shown within the provided figures for simplicity of illustration and discussion, and so as not to obscure the invention. Furthermore, devices may be shown in block diagram form in order to avoid obscuring the invention, and also in view of the fact that specifics with respect to implementation of such block diagram devices are highly dependent upon the platform within which the present invention is to be implemented (i.e., specifics should be well within purview of one skilled in the art). Where specific details (e.g., circuits) are set forth in order to describe example embodiments of the invention, it should be apparent to one skilled in the art that the invention can be practiced without, or with variation of, these specific details. Accordingly, the description is to be regarded as illustrative instead of restrictive.
While the present invention has been described in conjunction with specific embodiments thereof, many alternatives, modifications, and variations of these embodiments will be apparent to those of ordinary skill in the art in light of the foregoing description. For example, other memory architectures (e.g., dynamic RAM (DRAM)) may use the discussed embodiments.
The embodiments of the invention are intended to embrace all such alternatives, modifications and variances that fall within the broad scope of the appended claims. Therefore, any omissions, modifications, substitutions, improvements and the like that may be made without departing from the spirit and principles of the invention are intended to be included within the scope of the invention.
Claims (10)
1. A quantum key resource migration method is characterized by comprising the following steps:
after determining the key storage space with surplus resources and the key storage space with deficient resources in the local quantum key pool, taking the node corresponding to the key storage space with surplus resources as a key emigration node, and taking the node corresponding to the key storage space with deficient resources as a key immigration node;
and after a plurality of quantum keys are removed from the key storage space with surplus resources, copying the removed quantum keys to the key storage space with deficient resources, encrypting the removed quantum keys and sending the encrypted quantum keys to the key immigration node for storage.
2. The method according to claim 1, further comprising, before sending the removed quantum keys after encryption to the key immigration node for storage:
sending encrypted key emigration and immigration notifications to the key emigration and immigration nodes respectively; and
the step of encrypting the removed quantum key and then sending the encrypted quantum key to the key immigration node for storage specifically comprises the following steps:
encrypting the removed quantum key by using the quantum key in the key storage space corresponding to the key immigration node, and then sending the encrypted quantum key to the key immigration node;
and after receiving the key immigration notification, the key immigration node determines the sending node of the key immigration notification; after receiving the information subsequently sent by that node, it decrypts the received information by using a quantum key that it shares with the sending node in its own quantum key pool, and stores the quantum keys obtained by decryption into the key storage space corresponding to the sending node of the key immigration notification.
3. The method of claim 2, further comprising, after sending the encrypted key emigration and immigration notifications to the key emigration and immigration nodes, respectively:
and the key emigration node, according to the received key emigration notification, eliminates a plurality of quantum keys from the quantum keys that it shares, in its own quantum key pool, with the sending node of the key emigration notification.
4. The method according to claim 1, wherein the determining of the key storage space in the local quantum key pool with the resource surplus and the resource deficit specifically comprises:
detecting the storage state of each key storage space in a local quantum key pool;
respectively calculating the key upper and lower limit thresholds of each key storage space according to the storage state of each key storage space;
determining a key storage space whose key storage amount is larger than the calculated key upper limit threshold to be a key storage space with surplus resources;
and determining a key storage space whose key storage amount is smaller than the calculated key lower limit threshold to be a key storage space with deficient resources.
5. The method according to claim 4, wherein the calculating the upper and lower threshold values of the key of each key storage space according to the storage state of each key storage space comprises:
respectively calculating the key upper and lower limit thresholds of the key storage space according to the following formula I and II:
$T = S \times I$ (formula one)
In formula one, T is the calculated key upper limit threshold of a key storage space, S represents the key consumption rate of the key storage space, and I represents the average duration of a key consumption peak period of the key storage space;
$M = S \times F$ (formula two)
In formula two, M is the calculated key lower limit threshold of the key storage space, S represents the key consumption rate of the key storage space, and F represents the time required for generating a new quantum key in the key storage space.
6. The method according to any of claims 1-5, wherein the number of quantum keys removed from the key storage space with surplus resources is determined according to the following method:
if the difference between the key storage amount in the key storage space with surplus resources and the key upper limit threshold is larger than the difference between the key storage amount in the key storage space with deficient resources and the key lower limit threshold, determining the number of removed quantum keys according to the difference between the key storage amount in the key storage space with deficient resources and the key lower limit threshold;
if the difference between the key storage amount in the key storage space with surplus resources and the key upper limit threshold is less than or equal to the difference between the key storage amount in the key storage space with deficient resources and the key lower limit threshold, the number of removed quantum keys is a% of the difference between the key storage amount in the key storage space with surplus resources and the key upper limit threshold;
wherein a is a set number between 0 and 100.
7. A quantum key resource migration apparatus, comprising:
the key storage state detection module is used for determining the key storage space with surplus resources and the key storage space with deficient resources in the local quantum key pool;
the key migration module is used for taking the node corresponding to the key storage space with surplus resources as a key emigration node and taking the node corresponding to the key storage space with deficient resources as a key immigration node; and, after a plurality of quantum keys are removed from the key storage space with surplus resources, copying the removed quantum keys to the key storage space with deficient resources, encrypting the removed quantum keys and sending the encrypted quantum keys to the key immigration node for storage.
8. The apparatus of claim 7,
the key storage state detection module is specifically used for detecting the storage state of each key storage space in the local quantum key pool; respectively calculating the key upper and lower limit thresholds of each key storage space according to the storage state of each key storage space; determining a key storage space whose key storage amount is larger than the calculated key upper limit threshold to be a key storage space with surplus resources; and determining a key storage space whose key storage amount is smaller than the calculated key lower limit threshold to be a key storage space with deficient resources.
9. The apparatus according to claim 7, wherein the key migration module specifically includes:
a key migration node determining unit, configured to take the node corresponding to the key storage space with surplus resources as a key emigration node, and take the node corresponding to the key storage space with deficient resources as a key immigration node;
a key migration number determination unit, configured to: if the difference between the key storage amount in the key storage space with surplus resources and the key upper limit threshold is greater than the difference between the key storage amount in the key storage space with deficient resources and the key lower limit threshold, determine the number of quantum keys to be removed according to the difference between the key storage amount in the key storage space with deficient resources and the key lower limit threshold; if the difference between the key storage amount in the key storage space with surplus resources and the key upper limit threshold is less than or equal to the difference between the key storage amount in the key storage space with deficient resources and the key lower limit threshold, set the number of removed quantum keys to a% of the difference between the key storage amount in the key storage space with surplus resources and the key upper limit threshold; wherein a is a set number between 0 and 100;
a key migration notification unit, configured to send an encrypted key emigration notification and an encrypted key immigration notification to the key emigration node and the key immigration node, respectively;
a key internal migration unit, configured to copy the removed quantum keys to the key storage space with deficient resources after removing the quantum keys from the key storage space with surplus resources;
and a key sending unit, configured to encrypt the quantum keys removed from the key storage space with surplus resources and then send the encrypted quantum keys to the key immigration node for storage.
10. A QKD communication node, comprising: a quantum key resource migration apparatus as claimed in any one of claims 7 to 9.
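The threshold and migration-count rules of claims 4 to 6, as an added Python example that is not part of the patent text. The `KeySpace` class, the function names, the sample pool values, the rounding, the pairing of spaces, and the reading of "according to the difference" as moving exactly the shortfall are assumptions.

```python
from dataclasses import dataclass
from math import ceil, floor


@dataclass
class KeySpace:
    """One key storage space of the local pool (hypothetical model, not from the patent)."""
    peer: str             # node this storage space shares keys with
    stored: int           # current key storage amount, in keys
    rate: float           # S: key consumption rate, keys per second
    peak_duration: float  # I: average duration of a consumption peak, seconds
    regen_time: float     # F: time needed to generate new quantum keys, seconds

    @property
    def upper(self) -> float:
        return self.rate * self.peak_duration  # formula one: T = S x I
    @property
    def lower(self) -> float:
        return self.rate * self.regen_time     # formula two: M = S x F


def classify(pool):
    """Claim 4: surplus when stored > T, deficient when stored < M."""
    surplus = [s for s in pool if s.stored > s.upper]
    deficit = [s for s in pool if s.stored < s.lower]
    return surplus, deficit


def migration_count(src, dst, a=50):
    """Claim 6: how many keys to remove from surplus space src for deficient space dst."""
    if not 0 <= a <= 100:
        raise ValueError("a must be a set number between 0 and 100")
    excess = src.stored - src.upper      # amount above the upper threshold
    shortfall = dst.lower - dst.stored   # amount below the lower threshold
    if excess <= 0 or shortfall <= 0:
        return 0                         # nothing to move for this pair
    if excess > shortfall:
        # Assumption: cover the shortfall exactly, without taking src below its upper threshold.
        return min(ceil(shortfall), floor(excess))
    return floor(excess * a / 100)       # otherwise move a% of the excess


def rebalance(pool, a=50):
    """Pair largest excess with largest shortfall (pairing is an assumption), move locally."""
    surplus, deficit = classify(pool)
    if not surplus or not deficit:
        return None
    src = max(surplus, key=lambda s: s.stored - s.upper)
    dst = max(deficit, key=lambda s: s.lower - s.stored)
    n = migration_count(src, dst, a)
    src.stored -= n   # keys leave the surplus space and are not used with src.peer again
    dst.stored += n   # the same keys now serve traffic with dst.peer
    return src.peer, dst.peer, n         # (emigration node, immigration node, count)


def sample_pool():
    """Constructed sample values for three peers of one QKD node."""
    return [KeySpace("node-B", 900, 2.0, 300, 60),   # T=600, M=120 -> surplus
            KeySpace("node-C", 50, 5.0, 200, 30),    # T=1000, M=150 -> deficient
            KeySpace("node-D", 400, 1.0, 500, 100)]  # T=500, M=100 -> balanced


if __name__ == "__main__":
    print(rebalance(sample_pool()))
```

This covers only the local bookkeeping; under claims 2 and 3 the removed keys are also sent encrypted to the key immigration node and eliminated at the key emigration node.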
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201911167195.8A CN111147232A (en) | 2019-11-25 | 2019-11-25 | QKD communication node and quantum key resource migration method and device thereof |
Publications (1)
Publication Number | Publication Date |
---|---|
CN111147232A (en) | 2020-05-12 |
Family
ID=70516656
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201911167195.8A Pending CN111147232A (en) | 2019-11-25 | 2019-11-25 | QKD communication node and quantum key resource migration method and device thereof |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111147232A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114944917A (en) * | 2022-07-21 | 2022-08-26 | 国开启科量子技术(北京)有限公司 | Method, apparatus, medium, and device for migrating virtual machine using quantum key |
Patent Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20160285629A1 (en) * | 2015-03-24 | 2016-09-29 | Kabushiki Kaisha Toshiba | Quantum key distribution device, quantum key distribution system, and quantum key distribution method |
CN105357001A (en) * | 2015-12-10 | 2016-02-24 | 安徽问天量子科技股份有限公司 | Quantum secrete key dynamic distribution management method and system |
CN106850204A (en) * | 2017-02-27 | 2017-06-13 | 北京邮电大学 | Quantum key distribution method and system |
CN106961327A (en) * | 2017-02-27 | 2017-07-18 | 北京邮电大学 | Key management system and method based on quantum key pond |
CN107171792A (en) * | 2017-06-05 | 2017-09-15 | 北京邮电大学 | A kind of virtual key pond and the virtual method of quantum key resource |
CN107294708A (en) * | 2017-06-26 | 2017-10-24 | 国家电网公司 | A kind of quantum key optimum allocation method and device based on message flow |
CN110365476A (en) * | 2019-07-01 | 2019-10-22 | 北京邮电大学 | The schedule management method of QKD network and its key based on SDN |
CN110445604A (en) * | 2019-07-01 | 2019-11-12 | 北京邮电大学 | The sending method of QKD network based on SDN and its service request |
Non-Patent Citations (1)
Title |
---|
王华 等: "《 量子密钥分发城域光组网技术前瞻》", 《通信学报》 * |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | Application publication date: 20200512 |