CN114362929A - Protection method and device based on quantum key distribution network and electronic equipment - Google Patents


Info

Publication number
CN114362929A
Authority
CN
China
Prior art keywords
key
path
link
protection
hop
Legal status
Pending
Application number
CN202111396923.XA
Other languages
Chinese (zh)
Inventor
郁小松
张秦
赵永利
李亚杰
张�杰
Current Assignee
Beijing University of Posts and Telecommunications
Original Assignee
Beijing University of Posts and Telecommunications

Classifications

All entries fall under H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION:

    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
        • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
            • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
                • H04L9/0852 Quantum cryptography
                • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
                    • H04L9/0827 Key transport or distribution involving distinctive intermediate devices or communication paths
            • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
                • H04L9/0872 Generation of secret information using geo-location information, e.g. location data, time, relative position or proximity to other entities
    • H04L45/00 Routing or path finding of packets in data switching networks
        • H04L45/12 Shortest path evaluation
            • H04L45/122 Shortest path evaluation by minimising distances, e.g. by selecting a route with minimum of number of hops
        • H04L45/22 Alternate routing
        • H04L45/24 Multipath

Abstract

The application provides a protection method, a device and electronic equipment based on a quantum key distribution network; the method comprises the following steps: network topology abstraction is carried out to obtain a virtual topology map, and key resource information in the virtual topology map is determined; analyzing the service request to obtain a service path and a key requirement of the service request, and calculating the key resource of each hop of link; according to the key resources and in combination with the key requirements, implementing a preset working path algorithm, and screening out a target working path from the service paths; screening at least one candidate protection path from the rest service paths based on the screening of the target working path, and determining the sequence of the candidate protection paths; and constructing a protection threshold value by using key resources based on the hop count of the candidate protection path, combining the key resources and the key requirements, implementing a preset protection path algorithm according to the sequence, determining a target protection path related to the service request, and recording and updating in the virtual topology map.

Description

Protection method and device based on quantum key distribution network and electronic equipment
Technical Field
Embodiments of the present application relate to the field of network communication technologies, and in particular, to a protection method and apparatus based on a quantum key distribution network, and an electronic device.
Background
Existing protection schemes for quantum key distribution networks usually consider only the protection and recovery of networks built from trusted relays; an effective protection scheme is lacking for a quantum key distribution network in which trusted relays and untrusted relays are mixed.
Based on this, a scheme capable of providing protection for a quantum key distribution network in which trusted relays and untrusted relays are mixed is needed.
Disclosure of Invention
In view of this, an object of the present application is to provide a protection method and apparatus based on a quantum key distribution network, and an electronic device.
In view of the above, the present application provides a protection method based on a quantum key distribution network, where the quantum key distribution network includes: trusted nodes and untrusted nodes;
the method is applied to a trusted node in the quantum key distribution network, and comprises the following steps:
the trusted node records the physical position relation between other trusted nodes and non-trusted nodes to obtain a physical map of the quantum key distribution network;
in response to determining that any two trusted nodes are physically connected only through a single untrusted node, virtually removing that untrusted node from the physical map and connecting the two trusted nodes directly by a virtual link;
in response to determining that a direct physical link exists between any two untrusted nodes, virtually disconnecting that direct physical link in the physical map, thereby obtaining a virtual topology map;
and further comprising:
analyzing the received service request, determining all service paths of the service request in the virtual topological map, and calculating the key requirement of the service request on each hop of link and the key resource of each hop of link in the service paths; selecting the link with the least hop number and the key resource of each hop of the link which is more than or equal to the key requirement as a target working path in the service path, and virtualizing and disconnecting the link which does not meet the key requirement in the virtual topology map;
selecting the service path without a virtualization disconnection link as a candidate protection path in the virtual topological map, calculating the total key requirement of the whole candidate protection path, and constructing a protection threshold value lower than the total key requirement; selecting the candidate protection path with the fewest hops and the key resource of each hop of the link being more than or equal to the key requirement as a target protection path within the protection threshold range;
and in response to the determination that the target working path and the target protection path are screened out, updating the current occupation situation of the service path and the occupation situation of the key resource in the virtual topological map.
Based on the same inventive concept, the present application further provides a protection device based on a quantum key distribution network, where the quantum key distribution network includes: trusted nodes and untrusted nodes;
the device is applied to a trusted node in the quantum key distribution network, and comprises: the system comprises a topology module, a target working path module, a target protection path module and an updating module;
the topology module is configured to record physical position relations of other trusted nodes and non-trusted nodes to obtain a physical map of the quantum key distribution network; in response to determining that a physical connection is formed between any two trusted nodes only through one untrusted node, virtualizing and removing the untrusted node in the physical map, and directly connecting the two trusted nodes through a virtual link; responding to the fact that a physical direct connection link is formed between any two untrusted nodes, and virtualizing and disconnecting the physical direct connection link between the two untrusted nodes in the physical map to obtain a virtual topological map;
the target working path module is configured to analyze the received service request, determine all service paths of the service request in the virtual topology map, and calculate the key requirement of the service request on each hop of link and the key resource of each hop of link in the service paths; selecting the link with the least hop number and the key resource of each hop of the link which is more than or equal to the key requirement as a target working path in the service path, and virtualizing and disconnecting the link which does not meet the key requirement in the virtual topology map;
the target protection path module is configured to select the service path without a virtualization disconnection link as a candidate protection path in the virtual topology map, calculate the total key requirement of the whole candidate protection path, and construct a protection threshold value lower than the total key requirement; selecting the candidate protection path with the fewest hops and the key resource of each hop of the link being more than or equal to the key requirement as a target protection path within the protection threshold range;
and the updating module is configured to respond to the determination that the target working path and the target protection path are screened out, and update the current occupation situation of the service path and the occupation situation of the key resource in the topological network.
Based on the same inventive concept, the present application further provides an electronic device, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, and when the processor executes the program, the quantum key distribution network-based protection method as described in any one of the above is implemented.
As can be seen from the above, the protection method, device and electronic device based on the quantum key distribution network provided by the application abstract each untrusted node into a virtual link through network topology abstraction, and select the target working path and the target protection path while considering trusted relay nodes and untrusted relay nodes together, so that both paths lie within a network in which trusted and untrusted relay nodes are mixed; the key requirement of the service request is thereby satisfied while staying within the maximum full-load value the links can provide, giving the quantum key distribution network stable and reliable protection.
Drawings
In order to more clearly illustrate the technical solutions in the present application or the related art, the drawings needed to be used in the description of the embodiments or the related art will be briefly introduced below, and it is obvious that the drawings in the following description are only embodiments of the present application, and it is obvious for those skilled in the art that other drawings can be obtained according to these drawings without creative efforts.
Fig. 1A is a flowchart of a virtual topology map construction based on a quantum key distribution network according to an embodiment of the present application;
fig. 1B is a flow chart of path allocation based on a quantum key distribution network according to an embodiment of the present application;
fig. 2 is a schematic block diagram of a protection device based on a quantum key distribution network according to an embodiment of the present application;
fig. 3 is a schematic architecture diagram of a quantum key distribution network according to an embodiment of the present application;
FIG. 4 is a schematic diagram of a virtual topological map according to an embodiment of the present application;
FIG. 5 is a schematic flow chart illustrating target work path allocation according to an embodiment of the present disclosure;
fig. 6 is a schematic flow chart of target protection path allocation according to an embodiment of the present application;
fig. 7 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is further described in detail below with reference to the accompanying drawings in combination with specific embodiments.
It should be noted that technical terms or scientific terms used in the embodiments of the present application should have a general meaning as understood by those having ordinary skill in the art to which the present application belongs, unless otherwise defined. The use of "first," "second," and similar terms in the embodiments of the present application do not denote any order, quantity, or importance, but rather the terms are used to distinguish one element from another. The word "comprising" or "comprises", and the like, means that the element or item listed before the word covers the element or item listed after the word and its equivalents, but does not exclude other elements or items.
As described in the background section, the related protection method based on the quantum key distribution network also has difficulty in meeting the needs of actual communication.
The applicant finds in the course of implementing the present application that the main problems with the related protection method based on quantum key distribution network are: in the related technical scheme, the problems of a quantum key distribution network protection and recovery scheme based on the trusted relay and the like are mainly considered and solved, and the problem of a quantum key distribution protection strategy in a mixed relay scene of the trusted relay and the non-trusted relay is not considered.
It is to be appreciated that the method can be performed by any apparatus, device, platform, cluster of devices having computing and processing capabilities.
Hereinafter, the technical method of the present application will be described in detail by specific examples.
Referring to fig. 1A and 1B, a quantum key distribution network-based protection method according to an embodiment of the present application includes the following steps:
Step S101, the trusted node records the physical position relationship between the other trusted nodes and the untrusted nodes to obtain a physical map of the quantum key distribution network.
In the present application, taking the architecture of the quantum key distribution network shown in fig. 3 as an example, as shown in fig. 3, a QKD (quantum key distribution) network includes a trusted relay node, that is, a trusted node in the present application, and an untrusted relay node, that is, an untrusted node in the present application.
In the key transmission, each trusted node has functions as a source node and a sink node, that is, a start node and an end node in a path.
In this embodiment, first, a network in which trusted nodes and untrusted nodes are mixed is abstracted in network topology, and each trusted node needs to abstract the network topology of the entire network, and store the result of the network topology abstraction, that is, the virtual topology map.
Specifically, each trusted node traverses the whole QKD network, distinguishes other trusted nodes and non-trusted nodes except the trusted node, records the positions of all other trusted nodes and non-trusted nodes and the connection between the trusted nodes and the non-trusted nodes, and updates the record to the routing table of the trusted node to obtain a physical map of the QKD network.
Step S102, in response to determining that two trusted nodes are physically connected only through one untrusted node, virtually removing the untrusted node from the physical map and connecting the two trusted nodes directly by a virtual link.
In this embodiment, based on the obtained physical map, virtualization processing may be further performed on the untrusted node, where "virtualization" may also be referred to as "abstraction" in this embodiment.
Specifically, for any two trusted nodes, if the middle is connected by a physical link only through one untrusted node and no trusted node exists, the untrusted node is virtualized and removed in a physical map of the QKD network, and the two trusted nodes are directly connected by a virtual link.
Step S103, responding to the fact that a physical direct connection link is formed between any two untrusted nodes, and breaking the physical direct connection link between the two untrusted nodes in the physical map in a virtualization mode to obtain a virtual topological map.
In this embodiment, for at least two untrusted nodes directly connected by a physical link, in a physical map of the QKD network, the physical direct link between the untrusted nodes is disconnected in a virtualized manner, and the physical map on which the network topology abstraction operation is completed is used as a virtual topology map.
Taking the QKD network structure shown in fig. 3 as an example, when step S101 and step S102 are executed, the connection between the untrusted node 7 and the untrusted node 8 in fig. 3 may be broken in a virtualized manner, and the untrusted node 7 and the untrusted node 8 may be abstracted away; further, the trusted node 2 and the trusted node 4 are connected in a virtualized direct connection manner, and the trusted node 3 and the trusted node 6 are connected in a virtualized direct connection manner, so that a virtual topology map as shown in fig. 4 is obtained, wherein the virtualized direct connection is represented by a dotted line, and a solid line represents a physical direct connection link.
Further, based on the virtual topology map obtained in step S101, step S102, and step S103, it is necessary to confirm the key resource information in the virtual topology map.
Specifically, the key resource information includes: the number of wavelength channel time slots of the link between nodes, and the key generation rate per time slot.
In the example of fig. 4, the number of wavelength channel time slots of a direct link between two nodes is 5, denoted m = 5; the key generation rate is 1 key per time slot, denoted Vp = 1 unit/s.
Step S104, analyzing the received service request, determining all service paths of the service request in the virtual topological map, and calculating the key requirement of the service request on each hop of link and the key resource of each hop of link in the service paths; and selecting the link which has the least hop number and the key resource of each hop of the link which is more than or equal to the key requirement as a target working path in the service path, and virtualizing and disconnecting the link which does not meet the key requirement in the virtual topology map.
In the embodiment of the present application, the process of this step is described in detail by using a flow diagram of target work path assignment shown in fig. 5.
Specifically, step S104 may include the steps of:
step S501, network topology abstraction, which is a network topology abstraction process performed on the physical network in step S101, step S102, and step S103, and obtains a corresponding virtual topology map.
Step S502, receiving a service request.
I.e., after receiving the service request, step S104, i.e., the following processes of S503 to S507, is started.
Step S503, analyzing the service request, determining all service paths of the service request in the virtual topological map, and calculating the key requirement of the service request for each hop of link and the key resource of each hop of link in the service path.
The analysis process specifically includes: the trusted node receiving the service request analyzes the service request to obtain the service attribute of the service request.
The service attributes may include: the source node and destination node of the service request, the service start time Ts, the service duration Th, the service end time Tend, and the required key amount per unit time Vr.
Further, the trusted node determines all service paths capable of executing the service request in the virtual topology map by using the source node and the sink node, and calculates the specific hop count of each service path.
In this embodiment, the hop count of each service path is defined as: the number of trusted nodes included in the traffic path.
The process of calculating the key requirement comprises: the key requirement for each hop link is calculated using the following equation.
Key requirement of a link = Vr × Th
In this embodiment, the calculated key requirement is only used as the key requirement when the service request is executed under a single link in the service path, and the key requirement of each hop of link is the same, further, the sum of the key requirements of all links in one path may be used as the key total requirement of the path.
The process of computing key resources comprises: and calculating the key resource of each hop of link by using the following formula, and taking the key resource as the maximum full value of the key resource in the link.
Key resource of a link = Vp × m × Th
The calculated key resource is only used as the key resource of a single link in the service paths, and the key resource of each hop of the link is the same in this embodiment.
Further, when the hop link is already occupied by the executing service request, the amount of the key resource occupied by the hop link should be subtracted from the calculated maximum full value of the key resource when considering the unoccupied key resource.
Step S504, determining a candidate working path.
The method specifically comprises the following steps: and arranging all the service paths according to the hop count of the service paths from a small hop count to a large hop count, and selecting the service path with the minimum hop count as a candidate working path.
When a plurality of service paths with the same hop count and the minimum hop count appear, 1 service path with the minimum hop count can be randomly selected as a candidate working path.
Step S505, judging whether the candidate working path can meet the key requirement within the service duration.
The method specifically comprises the following steps: and comparing the key requirement with the unoccupied key resource along each hop of link in the candidate working path so as to further judge the candidate working path.
In this embodiment, the calculation of the key resource and the key requirement is only exemplary in sequence, and the key resource and the key requirement of each hop of link may be calculated first according to the above-mentioned manner, and the calculation result described above may be invoked for the candidate working path, and the key resource and the key requirement may also be calculated here.
Further, when the unoccupied key resource of some hop link is less than the key requirement, the available key resource of that link may not meet the key requirement for executing the service request, and the candidate working path is not suitable as the target working path; the judgment result of step S505 is then no, step S506 is executed, and step S504 and step S505 are executed again.
When the unoccupied key resource of every link is greater than or equal to the key requirement, the available key resource of the candidate working path can meet the key requirement for executing the service request; the judgment result of step S505 is then yes, and step S507 is executed.
Step S506, abstracting and disconnecting the link, may specifically include: abstracting and disconnecting, in the virtual topology map, the link whose key resource cannot satisfy execution of the service, and thereby abstracting and disconnecting the path that contains it.
Further, among the remaining service paths, the next service path in the pre-arranged order, that is, the one with the fewest hops, is selected as the new candidate working path.
Step S507, taking the candidate working path for which the key resource of each hop link satisfies the service request as the target working path.
Further, the resources of the target working path will be allocated for the traffic path.
In this embodiment, according to the target working path allocation method, the execution process of step S104 is described by using a specific virtual topology example shown in fig. 4.
When the service request R1 reaches the QKD network, the service attributes of R1 are obtained by parsing R1: source node: trusted node 1; sink node: trusted node 6; service start time Ts: the 20th second; service duration Th: 30 s; service end time Tend: the 50th second; and required key amount per unit time Vr: 2 unit/s.
Based on the source node being trusted node 1 and the sink node being trusted node 6, 6 service paths are obtained: P1-4-2-3-6, P1-2-4-5-6, P1-4-5-6, P1-4-2-6, P1-2-3-6 and P1-2-6.
Further, the ordering of the 6 service paths is: P1-2-6 > P1-2-3-6 = P1-4-2-6 = P1-4-5-6 > P1-2-4-5-6 = P1-4-2-3-6.
Further, the key requirement of each hop link of service path P1-2-6 when executing R1 is calculated:
Vr × Th = 2 × 30 = 60 units
and the key resource of each link in service path P1-2-6 is calculated:
Vp × m × Th = 1 × 5 × 30 = 150 units
In this embodiment, no link of service path P1-2-6 is occupied, and its key resource is greater than the key requirement, so service path P1-2-6 is taken as the target working path.
Step S105, selecting the service path without the virtualization disconnection link as a candidate protection path in the virtual topological map, calculating the total key requirement of the whole candidate protection path, and constructing a protection threshold value lower than the total key requirement; and selecting the candidate protection path with the fewest hops and the key resource of each hop of the link being more than or equal to the key requirement as a target protection path within the protection threshold range.
In the embodiment of the present application, the process of this step is described in detail by using a flow diagram of target protection path allocation shown in fig. 6.
Specifically, step S105 may include the steps of:
step S601, completing the target working path allocation, which is a process of obtaining the target working path according to the steps shown in fig. 5.
Step S602, removing the target working path and the abstracted and disconnected candidate working paths.
Specifically, according to the step S601, the selected target working path and the abstracted and disconnected candidate working path are removed from the service paths of the service request, so as to obtain the remaining service paths.
Step S603, determining the candidate protection paths and ordering them.
Specifically, the remaining traffic paths are taken as candidate protection paths.
Further, all the candidate protection paths are arranged according to the order of the hop count from small to large by using the hop count of the candidate protection paths.
Further, when the hop counts of the plurality of candidate protection paths are equal, the order of each other is randomly arranged between the candidate protection paths having the equal hop counts.
In the present embodiment, following the example of fig. 4, the selected target working path P1-2-6 is removed, and the remaining service paths P1-4-2-3-6, P1-2-4-5-6, P1-4-5-6, P1-4-2-6 and P1-2-3-6 are all taken as candidate protection paths.
Further, the order of the candidate protection paths by hop count remains: P1-2-3-6 = P1-4-2-6 = P1-4-5-6 > P1-2-4-5-6 = P1-4-2-3-6.
Step S604, determine whether the key requirement is greater than the protection threshold.
In this embodiment, since it is not suggested that the protection path carries the key total requirement of the service request in a full load state, a protection threshold for executing the service request may be constructed for each candidate protection path, and a determination may be made as to whether executing the candidate protection path is suitable for executing the service request by using the protection threshold.
Specifically, based on the hop count of the candidate protection path, the protection threshold of the candidate protection path is established according to the following protection threshold formula:
Protection threshold = Vp × m × Th × (service path hop count - 1) × Y
Y is a preset threshold parameter, and the range of the protection threshold can be adjusted according to the threshold parameter.
In this embodiment, the calculation of the protection threshold is only exemplary in sequence, and only the related candidate protection paths may be calculated in the above manner, or the protection threshold of each traffic path may be calculated first, and the pre-calculation result is called for the candidate protection paths here.
In the example shown in fig. 4, the threshold parameter is set to 0.8; therefore, following the ordering of the candidate protection paths, a candidate protection path is randomly selected from P1-2-3-6 and P1-4-2-6 and its protection threshold is calculated.
Taking P1-2-3-6 as an example, the protection threshold is:
Vp × m × Th × (service path hop count - 1) × Y = 1 × 5 × 30 × (4 - 1) × 0.8 = 360 units
Further, the key total requirement of the candidate protection path is calculated as follows:
Vr × Th × (service path hop count - 1) = 2 × 30 × 3 = 180 units
And further, selecting candidate protection paths according to the obtained protection threshold and the key total demand and the sequence, comparing the key total demand with the protection threshold, and judging whether the key total demand is greater than the protection threshold.
Further, when the total key requirement is greater than the preset protection threshold, that is, when the determination result in step S604 is yes, the candidate protection path would operate in a state close to the maximum full load value while executing the service request; it is therefore determined that the candidate protection path cannot be used as the target protection path, and step S605 may be executed.
Further, when the total key requirement is less than or equal to the preset protection threshold, the determination result in step S604 is no, which indicates that the candidate protection path does not operate in a state close to the maximum full load value when the service request is executed by the candidate protection path, and therefore it is determined that the candidate protection path may be used as the target protection path, then step S606 may be optionally executed.
In step S605, abstracting the disconnected candidate protection path specifically includes: the candidate protection path is abstracted off in the virtual topology map to show that the path is not considered in the following steps.
Further, the abstracted and disconnected candidate protection path is removed, and the next candidate protection path, that is, the one with the fewest hops, is selected from the remaining candidate protection paths according to the pre-arranged order, and the protection threshold determination of step S604 is performed again.
And step S606, judging whether the link key resources meet the key requirements.
Specifically, the calculated key requirement and the unoccupied key resource are called for the link in the candidate protection path, and the two are compared to judge whether the key resource meets the key requirement.
In this embodiment, the calculation of the key resource and the key requirement is only exemplary in sequence, and the key resource and the key requirement of each hop of link may be calculated first according to the above-mentioned manner, and then the calculation result described above is called for the candidate protection path, or the key resource and the key requirement may be calculated here.
Further, when the unoccupied key resources of the hop links are smaller than the key requirement, which indicates that the available key resources of a link in the candidate protection path may not meet the key requirement for executing the service request, the determination result in step S606 is no, and step S605 is executed again followed by step S604: specifically, the candidate protection path that has been abstracted and disconnected is removed, the next candidate protection path in the sequence, that is, the candidate protection path with the fewest hops, is selected from the remaining candidate protection paths, and whether its key resources are sufficient is determined again.
Further, when the unoccupied key resources of each hop of link in the candidate protection path are all greater than or equal to the key requirement, which indicates that the key resources of each hop of link can meet the key requirement for executing the service request, the determination result in step S606 is yes, and step S607 is selectively executed.
Step S607, determining the candidate protection path whose link meets the key requirement and whose total key requirement is not greater than the protection threshold as the target protection path, and allocating the protection path as the protection resource to the service request.
In connection with the example of the virtual topology map shown in fig. 4, P1-2-3-6 selected in the above process satisfies the judgment, so it is taken as the target protection path, and P1-2-3-6 is assigned to service request R1.
In the present application, the above-mentioned determination of the protection threshold of the candidate protection path and the determination of whether the key resource is sufficient are only exemplary in the execution sequence shown in fig. 6, and the determination of whether the key resource of the candidate protection path is sufficient may be performed first and then the determination of the protection threshold may be performed; the judgment of the key resource and the judgment of the protection threshold value can be carried out simultaneously.
Step S106, responding to the determination that the target working path and the target protection path are screened out, and updating the current occupation situation of the service path and the occupation situation of the key resource in the virtual topological map.
In the embodiment of the application, based on the determination of the target working path and the determination of the target protection path, the key resource occupied in the target working path and the occupied path are recorded; similarly, the key resources occupied in the target protection path and the occupied path are recorded, and the available resources of the corresponding path are updated in the stored virtual topology map.
In another embodiment of the present application, taking the virtual topology map and the key resource information in the previous embodiment as basic conditions, the service request R1 is still executed, and in case that all other conditions are not changed, the 2 nd service request R2 is received by the same QKD network.
The method for analyzing the R2 by the trusted node to obtain the service attribute of R2 specifically includes:
Source node: trusted node 2; sink node: trusted node 5; service start time Ts2: the 30th s; service duration Th2: 20 s; service end time Tend2: the 50th s; and the required key amount per unit time Vr2: 4 unit/s.
Based on the source node and the sink node, 4 service paths with hop counts from few to many can be obtained: P2-6-5; P2-4-5; P2-1-4-5; and P2-3-6-5.
Among P2-6-5 and P2-4-5, which have the fewest hops, P2-6-5 is randomly selected as the candidate working path. From the above-mentioned update of the relevant path information when R1 was executed, it is found that the link between trusted node 2 and trusted node 6 in P2-6-5 is already executing R1, so the unoccupied key resources of P2-6-5 may not satisfy the key requirement of executing R2, and the service path is virtually disconnected.
Further, at this time P2-4-5 has the fewest hops in the virtual topology map and is therefore selected as the new candidate working path; P2-4-5 satisfies the key resource required to execute R2, and therefore P2-4-5 is taken as the target working path.
Further, among the service paths, the virtually disconnected P2-6-5 and P2-4-5, which has been taken as the target working path, are removed, and the remaining P2-1-4-5 and P2-3-6-5 are taken as candidate protection paths.
Further, since both have the same hop count, P2-1-4-5 can be randomly selected in the same order, and its protection threshold and key resources are judged.
Specifically, the key requirement of P2-1-4-5 for performing R2 is calculated as 240 units, and, based on the same threshold parameter as above, the protection threshold of P2-1-4-5 is calculated as 240 units.
Since the key requirement of P2-1-4-5 for R2 is not greater than the protection threshold, P2-1-4-5 will not run near maximum full load, and therefore it can be determined whether the key resources of P2-1-4-5 are sufficient.
Further, from the above-mentioned update of the relevant path information when R1 was executed, it is known that link P2-1 in P2-1-4-5 has 2 wavelength channel time slots occupied due to the execution of service request R1; therefore, the unoccupied key resources in this hop link do not satisfy the key requirement needed to perform R2.
Further, P2-1-4-5 is abstracted and disconnected.
Further, after removing the virtually disconnected P2-6-5 and P2-1-4-5 and P2-4-5, which has been taken as the target working path, the remaining candidate protection path is P2-3-6-5.
Further, the key requirement of P2-3-6-5 for performing R2 is calculated as 240 units, and, based on the same threshold parameter as above, the protection threshold of P2-3-6-5 is calculated as 240 units.
Since the key requirement of P2-3-6-5 for R2 is not greater than the protection threshold, P2-3-6-5 will not run near maximum full load, and therefore it can be determined whether the key resources of P2-3-6-5 are sufficient.
Further, the key resources of P2-3-6-5 are 300 units, greater than the key requirement for executing R2, so P2-3-6-5 is taken as the target protection path, and the protection resources are allocated in the network.
Further, the target working path for executing the R2 service request and the target protection path are recorded in the network, and the related resource occupation is updated.
It can be seen that, in the protection method based on the quantum key distribution network according to the embodiment of the present application, based on network topology abstraction, an untrusted node is abstracted to be a virtual link, and a trusted relay node and an untrusted relay node are comprehensively considered to select a target working path and a target protection path in the network, so that both the target working path and the target protection path are in a network in which the trusted relay node and the untrusted relay node are mixed, and therefore, not only is a key requirement of a service request satisfied, but also a maximum full load value that can be provided is met, and stable and reliable protection is provided for the quantum key distribution network.
It should be noted that the method of the embodiments of the present application may be executed by a single device, such as a computer or a server. The method of the embodiment can also be applied to a distributed scene and completed by the mutual cooperation of a plurality of devices. In such a distributed scenario, one of the devices may only perform one or more steps of the method of the embodiments of the present application, and the devices may interact with each other to complete the method.
It should be noted that the above describes some embodiments of the present application. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments described above and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.
Based on the same inventive concept, corresponding to any embodiment method, the embodiment of the application also provides a protection device based on the quantum key distribution network.
Referring to fig. 2, the protection apparatus based on quantum key distribution network, wherein the quantum key distribution network includes: trusted nodes and untrusted nodes.
The device is applied to a trusted node in the quantum key distribution network, and specifically comprises: the system comprises a topology module, a target working path module, a target protection path module and an updating module.
Wherein the topology module 201 is configured to: recording the physical position relation of other trusted nodes and non-trusted nodes to obtain a physical map of the quantum key distribution network; in response to determining that a physical connection is formed between any two trusted nodes only through one untrusted node, virtualizing and removing the untrusted node in the physical map, and directly connecting the two trusted nodes through a virtual link; responding to the fact that a physical direct connection link is formed between any two untrusted nodes, and virtualizing and disconnecting the physical direct connection link between the two untrusted nodes in the physical map to obtain a virtual topological map;
the target working path module 202 is configured to: parse the received service request, determine all service paths of the service request in the virtual topology map, and calculate the key requirement of the service request and the key resources of the service paths; select, from the service paths, the service path whose key resource is greater than or equal to the key requirement and whose hop count is the least as the target working path, and virtually disconnect, in the virtual topology map, the service paths whose key resource is less than the key requirement and whose hop count is less than or equal to that of the target working path;
the target protection path module 203 configured to: taking the service path which is not virtualized and disconnected in the virtual topological map as a candidate protection path, and constructing a protection threshold value lower than the key resource based on the key resource of the candidate protection path; selecting the candidate protection path with the key resource more than or equal to the key requirement and the fewest hops as a target protection path within the protection threshold range;
the update module 204 configured to: and in response to the determination that the target working path and the target protection path are screened out, updating the current occupation situation of the service path and the occupation situation of the key resource in the topological network.
As an optional embodiment, the topology module 201 is specifically configured as a relevant module for generating a virtual topology map, and is disposed in and executed by each trusted node.
In the present application, taking the architecture of the quantum key distribution network shown in fig. 3 as an example, as shown in fig. 3, a QKD (quantum key distribution) network includes a trusted relay node, that is, a trusted node in the present application, and an untrusted relay node, that is, an untrusted node in the present application.
In the key transmission, each trusted node has functions as a source node and a sink node, that is, a start node and an end node in a path.
In this embodiment, first, a network in which trusted nodes and untrusted nodes are mixed is abstracted in network topology, and each trusted node needs to abstract the network topology of the entire network, and store the result of the network topology abstraction, that is, the virtual topology map.
Specifically, each trusted node traverses the whole QKD network, distinguishes other trusted nodes and non-trusted nodes except the trusted node, records the positions of all other trusted nodes and non-trusted nodes and the connection between the trusted nodes and the non-trusted nodes, and updates the record to the routing table of the trusted node to obtain a physical map of the QKD network.
In this embodiment, based on the obtained physical map, virtualization processing may be further performed on the untrusted node, where "virtualization" may also be referred to as "abstraction" in this embodiment.
Specifically, for any two trusted nodes, if the middle is connected by a physical link only through one untrusted node and no trusted node exists, the untrusted node is virtualized and removed in a physical map of the QKD network, and the two trusted nodes are directly connected by a virtual link.
In this embodiment, for at least two untrusted nodes directly connected by a physical link, in a physical map of the QKD network, the physical direct link between the untrusted nodes is disconnected in a virtualized manner, and the physical map on which the network topology abstraction operation is completed is used as a virtual topology map.
Taking the QKD network structure shown in fig. 3 as an example, the connection between the untrusted node 7 and the untrusted node 8 in fig. 3 may be broken virtually, and the untrusted node 7 and the untrusted node 8 may be abstracted away; further, the trusted node 2 and the trusted node 4 are connected in a virtualized direct connection manner, and the trusted node 3 and the trusted node 6 are connected in a virtualized direct connection manner, so that a virtual topology map as shown in fig. 4 is obtained, wherein the virtualized direct connection is represented by a dotted line, and a solid line represents a physical direct connection link.
Further, based on the obtained virtual topology map, it is necessary to confirm the key resource information in the virtual topology map.
Specifically, the key resource information includes: the number of wavelength channel time slots of the link between nodes, and the key generation rate per time slot.
In the example of fig. 4, the number of wavelength channel time slots of a direct link between two nodes is 5 time slots, denoted m = 5; the key generation rate is 1 key per time slot, denoted Vp = 1 unit/s.
As an optional embodiment, the target working path module 202 is specifically configured to be a module related to a target working path for executing a service request, and is disposed in each trusted node and run by the trusted node.
In the embodiment of the present application, the detailed description is given by using a flow diagram of target work path assignment shown in fig. 5.
Specifically, after receiving a service request, starting to analyze the service request, determining all service paths of the service request in the virtual topology map, and calculating key requirements of the service request for each hop of link and key resources of each hop of link in the service paths.
The analysis process specifically includes: the trusted node receiving the service request analyzes the service request to obtain the service attribute of the service request.
The service attributes may include: the source node and sink node of the service request, the service start time Ts, the service duration Th, the service end time Tend, and the required amount of keys per unit time Vr.
Further, the trusted node determines all service paths capable of executing the service request in the virtual topology map by using the source node and the sink node, and calculates the specific hop count of each service path.
In this embodiment, the hop count of each service path is defined as: the number of trusted nodes included in the traffic path.
The process of calculating the key requirement comprises: the key requirement for each hop link is calculated using the following equation.
Key requirement of a link = Vr × Th
In this embodiment, the calculated key requirement is only used as the key requirement when the service request is executed under a single link in the service path, and the key requirement of each hop of link is the same, further, the sum of the key requirements of all links in one path may be used as the key total requirement of the path.
The process of computing key resources comprises: and calculating the key resource of each hop of link by using the following formula, and taking the key resource as the maximum full value of the key resource in the link.
Key resource of a link = Vp × m × Th
The calculated key resource is only used as the key resource of a single link in the service paths, and the key resource of each hop of the link is the same in this embodiment.
Further, when the hop link is already occupied by the executing service request, the amount of the key resource occupied by the hop link should be subtracted from the calculated maximum full value of the key resource when considering the unoccupied key resource.
Further, according to the hop count of the service path, all the service paths are arranged in the order of the hop count from small to large, and the service path with the least hop count is selected as a candidate working path.
When a plurality of service paths with the same hop count and the minimum hop count appear, 1 service path with the minimum hop count can be randomly selected as a candidate working path.
Further, whether the candidate working path can meet the key requirement in the service duration is judged.
The method specifically comprises the following steps: and comparing the key requirement with the unoccupied key resource along each hop of link in the candidate working path so as to further judge the candidate working path.
Further, when the unoccupied key resources of each hop link are smaller than the key requirement, it indicates that the available key resources of the link may not meet the key requirement for executing the service request, and the candidate working path is not suitable to be used as the target working path.
Further, when the unoccupied key resources of any link are greater than or equal to the key requirement, it indicates that the available key resources of the candidate working path can meet the key requirement for executing the service request.
Further, the link which does not satisfy the execution of the service of the key resource is abstracted and disconnected in the virtual topological map, and further the path is abstracted and disconnected.
And further, in the rest of other service paths, selecting the next service path, that is, the service path with the least hop count, as a new candidate working path according to a pre-arranged sequence.
And further, taking the candidate working path of which the key resource of each hop link meets the requirement of executing the service request as a target working path.
Further, the resources of the target working path will be allocated for the traffic path.
In this embodiment, according to the target working path allocation method, a specific virtual topology example shown in fig. 4 is described.
When the service request R1 reaches the QKD network, the service attributes of R1 are obtained by parsing R1: source node: trusted node 1; sink node: trusted node 6; service start time Ts: the 20th s; service duration Th: 30 s; service end time Tend: the 50th s; and the required key amount per unit time Vr: 2 unit/s.
Based on the source node being trusted node 1 and the sink node being trusted node 6, 6 service paths are obtained: P1-4-2-3-6; P1-2-4-5-6; P1-4-5-6; P1-4-2-6; P1-2-3-6; and P1-2-6.
Further, the 6 service paths are ordered as follows: P1-2-6 > P1-2-3-6 = P1-4-2-6 = P1-4-5-6 > P1-2-4-5-6 = P1-4-2-3-6.
Further, the key requirement of each hop link of the service path P1-2-6 when performing R1 is calculated:
Vr × Th = 2 × 30 = 60 units
The key resource of a link in the service path P1-2-6 is calculated:
Vp × m × Th = 1 × 5 × 30 = 150 units
Also, in this embodiment, no key resource of the service path P1-2-6 is occupied, so its key resource is greater than the key requirement; therefore the service path P1-2-6 is taken as the target working path.
As an optional embodiment, the target protection path module 203 is specifically configured to be a relevant module for allocating a target protection path, and is disposed in each trusted node, and is operated by the trusted node, where the target protection path is used to provide another alternative path for the service request, so as to be used in the case where a target working path of the service request fails or is otherwise unavailable.
In an embodiment of the present application, the target working path and the abstracted disconnected candidate working path are first removed.
Specifically, in the service paths of the service request, the selected target working path is removed, and the candidate working path which is abstractly disconnected is removed, so as to obtain the remaining service paths.
And further, taking the residual service path as a candidate protection path.
Further, all the candidate protection paths are arranged according to the order of the hop count from small to large by using the hop count of the candidate protection paths.
Further, when the hop counts of the plurality of candidate protection paths are equal, the order of each other is randomly arranged between the candidate protection paths having the equal hop counts.
Further, it is determined whether the key requirement is greater than a protection threshold.
In this embodiment, since it is not suggested that the protection path carries the key total requirement of the service request in a full load state, a protection threshold for executing the service request may be constructed for each candidate protection path, and a determination may be made as to whether executing the candidate protection path is suitable for executing the service request by using the protection threshold.
Specifically, based on the hop count of the candidate protection path, the protection threshold of the candidate protection path is established according to the following protection threshold formula:
Protection threshold = Vp × m × Th × (service path hop count - 1) × Y
Y is a preset threshold parameter, and the range of the protection threshold can be adjusted according to the threshold parameter.
In this embodiment, the calculation of the protection threshold is only exemplary in sequence, and only the related candidate protection paths may be calculated in the above manner, or the protection threshold of each traffic path may be calculated first, and the pre-calculation result is called for the candidate protection paths here.
In the example shown in fig. 4, the threshold parameter is set to 0.8; therefore, in accordance with the rank order of the candidate protection paths, a candidate protection path is randomly selected from P1-2-3-6 and P1-4-2-6 and its protection threshold is calculated.
In particular, taking P1-2-3-6 as an example, the protection threshold is:
Vp × m × Th × (service path hop count - 1) × Y = 1 × 5 × 30 × (4 - 1) × 0.8 = 360 units
Further, the total key requirement of the candidate protection path is calculated as follows:
Vr × Th × (service path hop count - 1) = 2 × 30 × 3 = 180 units
And further, selecting candidate protection paths according to the obtained protection threshold and the key total demand and the sequence, comparing the key total demand with the protection threshold, and judging whether the key total demand is greater than the protection threshold.
Further, when the total key requirement is greater than the preset protection threshold, it indicates that the candidate protection path would operate in a state close to the maximum full load value when executing the service request, so it is determined that the candidate protection path may not be used as the target protection path.
Further, when the total key requirement is less than or equal to the preset protection threshold, it indicates that the candidate protection path will not operate in a state close to the maximum full load value when executing the service request, and therefore it is determined that the candidate protection path may be used as the target protection path.
Further, the candidate protection path is abstracted to be disconnected in the virtual topology map, so that the path is not considered in the following steps.
Further, the abstracted and disconnected candidate protection paths are removed, and the next candidate protection path is selected from the remaining candidate protection paths according to the prearranged sequence, namely the protection threshold is judged again when the hop count is the least.
Further, the calculated key requirement and the unoccupied key resource are called for the link in the candidate protection path, and the two are compared to judge whether the key resource meets the key requirement.
Further, when the unoccupied key resources in each hop of link are less than the key requirements, indicating that the available key resources of the link in the candidate protection path may not meet the key requirements for executing the service request, removing the abstracted and broken candidate protection paths again, selecting the next candidate protection path in the sequence, that is, the candidate protection path with the least hop count, from the remaining candidate protection paths, and determining whether the key resources are sufficient again.
Further, when the unoccupied key resources of each hop of link in the candidate protection path are greater than or equal to the key requirement, it indicates that the key resources of each hop of link can satisfy the key requirement for executing the service request.
And determining the candidate protection path of which the link meets the key requirement and the total key requirement is not greater than the protection threshold as a target protection path, and distributing the protection path as a protection resource to the service request.
In connection with the example of the virtual topology map shown in fig. 4, P1-2-3-6 selected in the above process satisfies the judgment, so it is taken as the target protection path, and P1-2-3-6 is assigned to service request R1.
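The working-path (fig. 5) and protection-path (fig. 6) selection described in the method embodiment, including its R1 and R2 walkthroughs, and repeated by the modules above, carried through in runnable form. This is an added example, not the patent's code: the link set is an assumption reconstructed from the service paths the page lists for fig. 4, ties between equal hop counts are broken deterministically instead of randomly, and, as in the page's R2 walkthrough, only working-path time slots are deducted from link capacity.

```python
"""Working/protection path selection over the fig. 4 virtual topology map.
Added example, not the patent's code. EDGES is an assumption reconstructed
from the service paths the page lists; the formulas are the page's own."""
from dataclasses import dataclass, field
from fractions import Fraction

# Constructed link set: trusted nodes 1..6 (2-4 and 3-6 are virtual links).
EDGES = {(1, 2), (1, 4), (2, 3), (2, 4), (2, 6), (3, 6), (4, 5), (5, 6)}
VP = 1              # key generation rate per time slot, unit/s
M = 5               # wavelength channel time slots per link
Y = Fraction(4, 5)  # threshold parameter 0.8, exact so total == threshold passes


def link(a, b):
    return (a, b) if a < b else (b, a)   # undirected link key


@dataclass
class Request:
    name: str
    src: int
    dst: int
    t_start: int   # Ts
    t_hold: int    # Th, service duration
    vr: int        # required key amount per unit time


@dataclass
class Network:
    edges: set
    occupied: dict = field(default_factory=dict)  # link -> [(t0, t1, slots)]
    reserved: dict = field(default_factory=dict)  # link -> [request names]

    def all_paths(self, src, dst):
        """Simple paths src->dst, fewest hops first (hop count = node count;
        ties by node order here, the page breaks them randomly)."""
        found = []
        def walk(node, seen):
            if node == dst:
                found.append(tuple(seen))
                return
            for a, b in self.edges:
                nxt = b if a == node else a if b == node else None
                if nxt is not None and nxt not in seen:
                    walk(nxt, seen + [nxt])
        walk(src, [src])
        return sorted(found, key=lambda p: (len(p), p))

    def link_resource(self, lk, req):
        """Unoccupied key resource of one hop link, Vp * free slots * Th,
        counting only occupations whose service window overlaps req's."""
        t_end = req.t_start + req.t_hold
        busy = sum(s for t0, t1, s in self.occupied.get(lk, [])
                   if t0 < t_end and req.t_start < t1)
        return VP * (M - busy) * req.t_hold

    def links_sufficient(self, path, req):
        need = req.vr * req.t_hold            # key requirement per hop link
        return all(self.link_resource(link(a, b), req) >= need
                   for a, b in zip(path, path[1:]))


def protection_threshold(path, req):
    return VP * M * req.t_hold * (len(path) - 1) * Y


def total_key_requirement(path, req):
    return req.vr * req.t_hold * (len(path) - 1)


def assign(net, req):
    """Fig. 5 then fig. 6 flow; returns (working_path, protection_path)."""
    paths = net.all_paths(req.src, req.dst)
    disconnected, working, protection = set(), None, None
    for p in paths:                           # fig. 5: fewest hops first
        if net.links_sufficient(p, req):
            working = p
            break
        disconnected.add(p)                   # abstracted off the map
    if working is None: raise RuntimeError(f"{req.name}: no working path")
    for p in paths:                           # fig. 6: remaining paths
        if p == working or p in disconnected:
            continue
        if total_key_requirement(p, req) > protection_threshold(p, req):
            continue                          # would run near full load
        if net.links_sufficient(p, req):
            protection = p
            break
    if protection is None: raise RuntimeError(f"{req.name}: no protection path")
    # Step S106 update: deduct working-path slots; as in the page's R2
    # walkthrough, the protection reservation is recorded but not deducted.
    slots = -(-req.vr // VP)                  # time slots each hop link gives up
    for a, b in zip(working, working[1:]):
        net.occupied.setdefault(link(a, b), []).append(
            (req.t_start, req.t_start + req.t_hold, slots))
    for a, b in zip(protection, protection[1:]):
        net.reserved.setdefault(link(a, b), []).append(req.name)
    return working, protection


def run_example():
    """R1 then R2 from the page on a fresh map; returns both assignments."""
    net = Network(set(EDGES))
    r1 = Request("R1", 1, 6, 20, 30, 2)       # Ts 20 s, Th 30 s, Vr 2 unit/s
    r2 = Request("R2", 2, 5, 30, 20, 4)       # Ts 30 s, Th 20 s, Vr 4 unit/s
    return assign(net, r1), assign(net, r2)
```

Running `run_example()` reproduces the page's outcome: R1 gets working path 1-2-6 and protection path 1-2-3-6, and R2, whose window overlaps R1's, is pushed off 2-6-5 and 2-1-4-5 by the occupied slots on links 2-6 and 1-2 and ends with working path 2-4-5 and protection path 2-3-6-5.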
As an optional embodiment, the updating module 204 is specifically configured as a module related to updating the resource status in the virtual topology map, and is arranged in each trusted node and operated by the trusted node.
In this embodiment, based on the determination of the target working path and the determination of the target protection path, the key resource occupied in the target working path and the occupied path are recorded; similarly, the key resources occupied in the target protection path and the occupied path are recorded, and the available resources of the corresponding path are updated in the stored virtual topology map.
For convenience of description, the above devices are described as being divided into various modules by functions, and are described separately. Of course, the functions of the modules may be implemented in the same or multiple software and/or hardware when implementing the embodiments of the present application.
The apparatus of the foregoing embodiment is used to implement the corresponding protection method based on the quantum key distribution network in any of the foregoing embodiments, and has the beneficial effects of the corresponding method embodiment, which are not described herein again.
Based on the same inventive concept, corresponding to any of the above-mentioned embodiments, the embodiments of the present application further provide an electronic device, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, and when the processor executes the program, the quantum key distribution network-based protection method according to any of the above embodiments is implemented.
Fig. 7 is a schematic diagram illustrating a more specific hardware structure of an electronic device according to this embodiment, where the electronic device may include: a processor 1010, a memory 1020, an input/output interface 1030, a communication interface 1040, and a bus 1050. Wherein the processor 1010, memory 1020, input/output interface 1030, and communication interface 1040 are communicatively coupled to each other within the device via bus 1050.
The processor 1010 may be implemented by a general-purpose CPU (Central Processing Unit), a microprocessor, an Application Specific Integrated Circuit (ASIC), or one or more integrated circuits, and is configured to execute related programs to implement the technical solutions provided in the embodiments of the present application.
The memory 1020 may be implemented in the form of a ROM (Read Only Memory), a RAM (Random Access Memory), a static storage device, a dynamic storage device, or the like. The memory 1020 may store an operating system and other application programs, and when the technical solution provided by the embodiment of the present application is implemented by software or firmware, the relevant program codes are stored in the memory 1020 and called to be executed by the processor 1010.
The input/output interface 1030 is used for connecting an input/output module to input and output information. The input/output module may be configured as a component in a device (not shown) or may be external to the device to provide a corresponding function. The input devices may include a keyboard, a mouse, a touch screen, a microphone, various sensors, etc., and the output devices may include a display, a speaker, a vibrator, an indicator light, etc.
The communication interface 1040 is used for connecting a communication module (not shown in the drawings) to implement communication interaction between the present apparatus and other apparatuses. The communication module can realize communication in a wired mode (such as USB, network cable and the like) and also can realize communication in a wireless mode (such as mobile network, WIFI, Bluetooth and the like).
Bus 1050 includes a path that transfers information between various components of the device, such as processor 1010, memory 1020, input/output interface 1030, and communication interface 1040.
It should be noted that although the above-mentioned device only shows the processor 1010, the memory 1020, the input/output interface 1030, the communication interface 1040 and the bus 1050, in a specific implementation, the device may also include other components necessary for normal operation. Furthermore, it will be understood by those skilled in the art that the above-described apparatus may also include only those components necessary to implement the embodiments of the present application, and not necessarily all of the components shown in the figures.
The apparatus of the foregoing embodiment is used to implement the corresponding protection method based on the quantum key distribution network in any of the foregoing embodiments, and has the beneficial effects of the corresponding method embodiment, which are not described herein again.
Those of ordinary skill in the art will understand that: the discussion of any embodiment above is meant to be exemplary only, and is not intended to intimate that the scope of the disclosure, including the claims, is limited to these examples; within the context of the present application, features from the above embodiments or from different embodiments may also be combined, steps may be implemented in any order, and there are many other variations of the different aspects of the embodiments of the present application as described above, which are not provided in detail for the sake of brevity.
In addition, well-known power/ground connections to Integrated Circuit (IC) chips and other components may or may not be shown in the provided figures for simplicity of illustration and discussion, and so as not to obscure the embodiments of the application. Furthermore, devices may be shown in block diagram form in order to avoid obscuring embodiments of the application, and this also takes into account the fact that specifics with respect to implementation of such block diagram devices are highly dependent upon the platform within which the embodiments of the application are to be implemented (i.e., specifics should be well within purview of one skilled in the art). Where specific details (e.g., circuits) are set forth in order to describe example embodiments of the application, it should be apparent to one skilled in the art that embodiments of the application can be practiced without, or with variation of, these specific details. Accordingly, the description is to be regarded as illustrative instead of restrictive.
While the present application has been described in conjunction with specific embodiments thereof, many alternatives, modifications, and variations of these embodiments will be apparent to those of ordinary skill in the art in light of the foregoing description. For example, other memory architectures (e.g., dynamic RAM (DRAM)) may use the discussed embodiments.
The embodiments of the present application are intended to embrace all such alternatives, modifications and variances that fall within the broad scope of the appended claims. Therefore, any omissions, modifications, substitutions, improvements, and the like that may be made without departing from the spirit and principles of the embodiments of the present application are intended to be included within the scope of the present application.

Claims (10)

1. A quantum key distribution network based protection method, the quantum key distribution network comprising: trusted nodes and untrusted nodes;
the method is applied to a trusted node in the quantum key distribution network, and comprises the following steps:
the trusted node records the physical position relation between other trusted nodes and non-trusted nodes to obtain a physical map of the quantum key distribution network;
in response to determining that a physical connection is formed between any two trusted nodes only through one untrusted node, virtualizing and removing the untrusted node in the physical map, and directly connecting the two trusted nodes through a virtual link;
in response to determining that a physical direct connection link is formed between any two untrusted nodes, virtually disconnecting the physical direct connection link between the two untrusted nodes in the physical map, to obtain a virtual topological map;
and further comprising:
analyzing the received service request, determining all service paths of the service request in the virtual topological map, and calculating the key requirement of the service request on each hop of link and the key resource of each hop of link in the service paths; selecting, among the service paths, the service path with the fewest hops whose key resource on each hop of link is greater than or equal to the key requirement as a target working path, and virtually disconnecting, in the virtual topology map, each link that does not meet the key requirement;
selecting, in the virtual topological map, each service path that contains no virtually disconnected link as a candidate protection path, calculating the total key requirement of the whole candidate protection path, and constructing a protection threshold value lower than the total key requirement; and selecting, within the protection threshold range, the candidate protection path with the fewest hops whose key resource on each hop of link is greater than or equal to the key requirement as a target protection path.
2. The method of claim 1, further comprising:
and in response to determining that the target working path and the target protection path have been selected, updating the current occupation status of the service paths and the occupation status of the key resources in the virtual topological map.
3. The method of claim 1, wherein the obtaining the physical map of the quantum key distribution network comprises:
each trusted node performs the following operations:
traversing the whole network, distinguishing the other trusted nodes from the untrusted nodes, and recording the physical positions of the other trusted nodes and the untrusted nodes in the routing table of the trusted node.
4. The method of claim 1, wherein the determining all traffic paths of the traffic request in the virtual topology map comprises:
obtaining a source node and a destination node of the service request through analyzing the service request;
determining all the service paths related to the service request according to the source node and the destination node;
analyzing to obtain the service duration and the unit time key amount of the service request;
the calculating the key requirement of the service request to each hop of link and the key resource of each hop of link in the service path includes:
calculating the key requirement of the service request for each hop of the link by using the service duration and the key amount per unit time;
determining the number of wavelength channel time slots and the key generation rate of the virtual topological map;
and calculating the key resource of each hop of the link by using the number of the wavelength channel time slots and the key generation rate.
5. The method according to claim 1, wherein the selecting, as a target working path, a path with a minimum number of hops and the key resource of each hop of the link being greater than or equal to a key requirement comprises:
taking the service path with the least hop number as a candidate working path;
in response to determining that there are a plurality of the traffic paths with equal and minimum hop counts, randomly selecting the candidate working path among the traffic paths with minimum hop counts;
judging key resource sufficiency along each hop of the link of the candidate working path;
in response to determining that the unoccupied key resource of each hop of link is greater than or equal to the key requirement of the service request on each hop of link, determining that the key resources are sufficient, and taking the candidate working path as the target working path;
the virtually disconnecting the link that does not satisfy the key requirement comprises:
in response to determining that the unoccupied key resource of a link is smaller than the key requirement of the service request on each hop of link, virtually disconnecting the link in the virtual topology map, and selecting a new candidate working path from the remaining service paths.
6. The method of claim 1, wherein the calculating a total key requirement for the entire candidate protection path, and constructing a protection threshold below the total key requirement comprises:
calculating the total resource of the whole candidate protection path from the key resource of the links and the hop count of the candidate protection path, and taking the total key requirement as the maximum full-load value of the whole candidate protection path;
presetting a threshold parameter less than 1, and calculating, from the maximum full-load value, the protection threshold that applies when the candidate protection path is used.
7. The method according to claim 1, wherein the selecting, within the protection threshold range, the candidate protection path with the fewest hops and the key resource of each hop of the link being greater than or equal to the key requirement as a target protection path comprises:
ranking the candidate protection paths;
comparing the total key requirements of the candidate protection paths with the protection threshold value according to the sequence;
virtually disconnecting the candidate protection path in response to determining that the total key requirement is greater than the preset protection threshold;
in response to determining that the total key requirement is less than or equal to the preset protection threshold, determining key resource sufficiency along each hop of link of the candidate protection path;
in response to determining that the unoccupied key resource of each hop of link is greater than or equal to the key requirement of the service request on each hop of link, determining that the key resources are sufficient, and taking the candidate protection path as the target protection path;
and in response to determining that the unoccupied key resource of a link is smaller than the key requirement of the service request on each hop of link, virtually disconnecting the link in the virtual topology map, and judging the protection threshold and key resource sufficiency on the next candidate protection path in the sequence.
8. The method of claim 7, wherein the ranking the candidate protection paths comprises:
determining the hop count of each of the candidate protection paths;
and arranging the candidate protection paths according to the sequence of the hop count from few to many.
9. A quantum key distribution network based protection device, the quantum key distribution network comprising: trusted nodes and untrusted nodes;
the device is applied to a trusted node in the quantum key distribution network, and comprises: the system comprises a topology module, a target working path module, a target protection path module and an updating module;
the topology module is configured to record the physical position relations of the other trusted nodes and the untrusted nodes to obtain a physical map of the quantum key distribution network; in response to determining that a physical connection is formed between any two trusted nodes only through one untrusted node, virtualizing and removing the untrusted node in the physical map, and directly connecting the two trusted nodes through a virtual link; and in response to determining that a physical direct connection link is formed between any two untrusted nodes, virtually disconnecting the physical direct connection link between the two untrusted nodes in the physical map, to obtain a virtual topological map;
the target working path module is configured to analyze the received service request, determine all service paths of the service request in the virtual topology map, and calculate the key requirement of the service request on each hop of link and the key resource of each hop of link in the service paths; select, among the service paths, the service path with the fewest hops whose key resource on each hop of link is greater than or equal to the key requirement as a target working path; and virtually disconnect, in the virtual topology map, each link that does not meet the key requirement;
the target protection path module is configured to select, in the virtual topology map, each service path that contains no virtually disconnected link as a candidate protection path, calculate the total key requirement of the whole candidate protection path, and construct a protection threshold value lower than the total key requirement; and select, within the protection threshold range, the candidate protection path with the fewest hops whose key resource on each hop of link is greater than or equal to the key requirement as a target protection path;
and the updating module is configured to, in response to determining that the target working path and the target protection path have been selected, update the current occupation status of the service paths and the occupation status of the key resources in the topological network.
10. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable by the processor, characterized in that the processor implements the method according to any of claims 1 to 8 when executing the computer program.
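The following is an added Python example that walks the claimed procedure end to end on a constructed network; it is not code from the patent or from its assignee. It builds the virtual topology map of claim 1 (removing an untrusted relay between two trusted nodes in favour of a virtual link, and disconnecting the direct link between two untrusted nodes), derives the per-hop key requirement and per-hop key resource of claim 4, selects the working path of claim 5, applies the protection threshold of claims 6 and 7 with the hop-count ranking of claim 8, and records the occupied key resource as in claim 2 and the description above. The function names (`build_virtual_topology`, `all_paths`, `select_working_path`, `select_protection_path`, `reserve`, `plan`), the node names, and all link values are constructed for this illustration. Three points the claims leave open are filled by labelled assumptions: a virtual link that replaces an untrusted relay carries the smaller key resource of the two physical links it replaces; a candidate protection path must be link-disjoint from the working path; and the "maximum full load value" of a candidate is the sum of the key resource of its links, so the protection threshold is that sum scaled by the parameter `theta` (< 1). Ties between equal-hop candidates are broken deterministically here, whereas claim 5 breaks them at random.

```python
from itertools import combinations

def link(a, b):
    return frozenset((a, b))                     # undirected link identifier

def build_virtual_topology(trusted, untrusted, physical):
    """Claim 1: reduce the physical map to the virtual topology map.
    physical maps (a, b) -> (wavelength channel time slots, key generation rate)."""
    # Claim 4: key resource of a hop = time slots * key generation rate.
    res = {link(a, b): s * r for (a, b), (s, r) in physical.items()}
    # A direct link between two untrusted nodes is virtually disconnected.
    res = {l: r for l, r in res.items() if not l <= untrusted}
    virtual = {l: r for l, r in res.items() if l <= trusted}
    # An untrusted relay between trusted nodes is removed and replaced by a virtual link.
    # Assumption (not in the claims): it carries the smaller of the two physical key resources.
    for u in untrusted:
        attached = {next(iter(l - {u})): r for l, r in res.items() if u in l}
        for a, b in combinations(sorted(attached), 2):
            virtual[link(a, b)] = min(attached[a], attached[b])
    return virtual

def all_paths(topology, src, dst):
    """Claim 4: all loop-free service paths src->dst, fewest hops first (ties keep DFS order)."""
    adj = {}
    for l in topology:
        a, b = sorted(l)
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    paths = []
    def dfs(path):
        if path[-1] == dst:
            paths.append(path)
            return
        for nxt in sorted(adj.get(path[-1], ())):
            if nxt not in path:
                dfs(path + [nxt])
    dfs([src])
    return sorted(paths, key=len)

def hops(path):
    return [link(a, b) for a, b in zip(path, path[1:])]

def sufficient(topology, occupied, cand, req):
    """Claims 5 and 7: a hop whose unoccupied key resource is below req is
    virtually disconnected (deleted); True only when every hop suffices."""
    short = [l for l in hops(cand) if topology[l] - occupied.get(l, 0) < req]
    for l in short:
        del topology[l]
    return not short

def select_working_path(topology, occupied, paths, req):
    """Claim 5: the fewest-hop path whose every hop has key resource >= req."""
    for cand in paths:                           # already fewest hops first
        if all(l in topology for l in hops(cand)) and sufficient(topology, occupied, cand, req):
            return cand
    return None

def select_protection_path(topology, occupied, paths, working, req, theta):
    """Claims 6-8: candidates ranked by hop count; one whose total key requirement
    exceeds theta * full load is dropped, the rest are checked hop by hop."""
    used = set(hops(working))                    # assumption: link-disjoint from working path
    for cand in sorted(paths, key=len):          # claim 8
        if not all(l in topology for l in hops(cand)) or not used.isdisjoint(hops(cand)):
            continue                             # has a disconnected link, or not a candidate
        full_load = sum(topology[l] for l in hops(cand))   # assumption: 'maximum full load value'
        if len(hops(cand)) * req > theta * full_load:      # claims 6-7, theta < 1
            continue                             # candidate virtually disconnected
        if sufficient(topology, occupied, cand, req):
            return cand
    return None

def reserve(occupied, path, req):
    for l in hops(path):
        occupied[l] = occupied.get(l, 0) + req   # claim 2: record occupied key resource

def plan(trusted, untrusted, physical, src, dst, duration, rate, theta):
    topology = build_virtual_topology(trusted, untrusted, physical)
    req = duration * rate                        # claim 4: key requirement per hop
    occupied, paths = {}, all_paths(topology, src, dst)
    working = select_working_path(topology, occupied, paths, req)
    if working is None:
        return topology, occupied, None, None
    reserve(occupied, working, req)
    protection = select_protection_path(topology, occupied, paths, working, req, theta)
    if protection is not None:
        reserve(occupied, protection, req)
    return topology, occupied, working, protection

# Constructed sample network: trusted nodes A-E, untrusted relays u1 and u2.
TRUSTED = {"A", "B", "C", "D", "E"}
UNTRUSTED = {"u1", "u2"}
PHYSICAL = {                                     # (time slots, key generation rate)
    ("A", "u1"): (10, 2), ("u1", "B"): (10, 6),  # A-B exists only via relay u1 (20 keys)
    ("u1", "u2"): (10, 9), ("u2", "D"): (10, 9), # u1-u2 is an untrusted-untrusted link
    ("A", "C"): (10, 3), ("C", "B"): (10, 8), ("C", "D"): (10, 2),
    ("A", "D"): (10, 4), ("D", "B"): (10, 5), ("A", "E"): (10, 10), ("E", "D"): (10, 10),
}

if __name__ == "__main__":
    topo, occ, w, p = plan(TRUSTED, UNTRUSTED, PHYSICAL, "A", "B", 5, 6, 0.6)
    print("working:", w, "protection:", p, "occupied:", {"-".join(sorted(l)): v for l, v in occ.items()})
```

With the constructed numbers (service duration 5, key amount per unit time 6, hence 30 keys per hop), the virtual link A-B inherited from relay u1 offers only 20 keys and is virtually disconnected, so the working path becomes A-C-B. For protection, the two-hop candidate A-D-B has a full-load value of 90 keys, a threshold of 0.6 × 90 = 54, and a total requirement of 60, so it is dropped under claim 7; the three-hop candidate A-E-D-B (full load 250, threshold 150, requirement 90) passes the threshold and the per-hop check and is selected. Raising `theta` to 0.8 lifts the A-D-B threshold to 72 and A-D-B becomes the protection path, which shows how the threshold parameter trades shorter protection paths against the fraction of a path's key capacity a single service may claim.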
CN202111396923.XA 2021-11-23 2021-11-23 Protection method and device based on quantum key distribution network and electronic equipment Pending CN114362929A (en)

Publications (1)

Publication Number Publication Date
CN114362929A true CN114362929A (en) 2022-04-15

Family

ID=81095513

Patent Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080095176A1 (en) * 2006-10-20 2008-04-24 Ciena Corporation System and method for supporting virtualized links at an exterior network-to-network interface
EP2713556A1 (en) * 2012-09-28 2014-04-02 NTT DoCoMo, Inc. Mapping a network topology request to a physical network
WO2016112086A1 (en) * 2015-01-08 2016-07-14 Alibaba Group Holding Limited Quantum key distribution system, method and apparatus based on trusted relay
CN109005030A (en) * 2018-07-13 2018-12-14 北京邮电大学 The guard method and system of key business in a kind of quantum network
CN110601974A (en) * 2019-08-05 2019-12-20 国网内蒙古东部电力有限公司信息通信分公司 Method for selecting shared protection path
CN110855438A (en) * 2019-11-21 2020-02-28 国网福建省电力有限公司 Quantum key distribution method and system based on annular QKD network
WO2021197548A1 (en) * 2020-04-02 2021-10-07 Deutsche Telekom Ag Use of quantum-safe keys with terminal devices
CN111711517A (en) * 2020-07-23 2020-09-25 苏州大学 Quantum key distribution protection method and system based on service security level
CN113179514A (en) * 2021-03-25 2021-07-27 北京邮电大学 Quantum key distribution method and related equipment in relay coexistence scene

Non-Patent Citations (6)

* Cited by examiner, † Cited by third party
Title
QIN ZHANG et al.: "Hybrid-Trusted/Untrusted-Relay based Protection Strategy in Quantum Key Distribution Enabled Optical Networks (QKD-ON)", 2021 19th International Conference on Optical Communications and Networks (ICOCN), pages 1-3 *
SHENGYU ZHANG et al.: "Fragmentation-aware entanglement routing for quantum networks", Journal of Lightwave Technology *
曹原; 赵永利; 郁小松; 张杰: "Quantum key distribution driven secure power communication network architecture", Electric Power (中国电力), no. 10 *
王妍: "Research on resource allocation technology for quantum key distribution networks oriented to virtual service provisioning", Master's Thesis Electronic Journal *
陈晖: "A novel quantum key service architecture", Journal of China Academy of Electronics and Information Technology, no. 03 *
韩伟; 武欣嵘; 朱勇; 周星宇; 徐超: "Research on routing selection in trusted-relay-based QKD networks", Military Communications Technology, no. 04 *

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115021904A (en) * 2022-05-23 2022-09-06 苏州大学 Quantum key distribution protection method and system based on probability sharing risk
CN115150341A (en) * 2022-07-15 2022-10-04 中国联合网络通信集团有限公司 Resource reservation method, device and storage medium
CN115150341B (en) * 2022-07-15 2023-09-29 中国联合网络通信集团有限公司 Resource reservation method, device and storage medium


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination