CN114362947B - Wide-area quantum key service method and system - Google Patents

Wide-area quantum key service method and system

Info

Publication number
CN114362947B
Authority
CN
China
Prior art keywords
service
virtual link
quantum key
exclusive
area
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202210260246.7A
Other languages
Chinese (zh)
Other versions
CN114362947A (en
Inventor
陈晖�
陈娟
杜新如
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Chengdu Liang'an Blockchain Technology Co ltd
Original Assignee
Chengdu Liang'an Blockchain Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Chengdu Liang'an Blockchain Technology Co ltd
Priority to CN202210260246.7A
Publication of CN114362947A
Application granted
Publication of CN114362947B
Legal status: Active (current)
Anticipated expiration

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a wide-area quantum key service method and system. The method comprises: in response to a user request, obtaining one or more virtual link parameters and two user key association parameters, and calculating the exclusive-or (XOR) of the virtual link parameters and the two user key association parameters. The system comprises a primary service device and two or more secondary service devices, which together provide end-to-end key service between any two service nodes of the wide-area QKD network and/or between users of the wide-area QKD network. The invention internetworks the quantum key service process on the basis of QKD link network virtualization, enables multi-domain sharing of the wide-area QKD network through a general service platform interface, and addresses the problem of deploying QKD networks at scale; it is a more secure and more efficient real-time quantum key service technology with good application prospects.

Description

Wide-area quantum key service method and system
Technical Field
The invention relates to the technical field of quantum key distribution networks and application, in particular to a wide-area quantum key service method and a wide-area quantum key service system.
Background
With the rapid development of high-performance computing technologies such as quantum computing, cryptographic algorithms and key agreement protocols whose security rests on computational complexity face ever greater challenges. Against this background, Quantum Key Distribution (QKD), whose security rests on physical law, has developed rapidly. However, a QKD network is a relatively independent network infrastructure that sits outside the business system, and both its complexity and its cost far exceed those of traditional key distribution means and cryptographic application systems, so it is difficult to integrate a QKD network directly into an internet-based business system. In addition, there is no uniform standard interface between QKD networks built by different enterprises and users, so interconnection and resource sharing between different QKD networks remain a challenge. A unified application service platform for wide-area QKD networks is therefore of considerable value for deploying QKD networks at scale.
Disclosure of Invention
To solve the quantum key service problems described in the background, the invention provides a wide-area quantum key service method comprising the following steps. The wide-area quantum key service system responds to a user's service request and determines whether the service nodes from which the two target users obtained their preset keys belong to the same local QKD network. If so, the wide-area quantum key service system forwards the user's service request to the corresponding local area quantum key service system; the local area quantum key service system obtains one or more local area virtual link parameters, sends a service instruction to the service nodes associated with those parameters and obtains the corresponding user key association parameters, calculates the XOR of the one or more local area virtual link parameters and the two user key association parameters, and sends the XOR value to each of the two target users, either directly or through the wide-area quantum key service system. Otherwise, the wide-area quantum key service system obtains one or more cross-domain virtual link parameters, sends a service instruction to the service nodes associated with those parameters and obtains the corresponding user key association parameters, calculates the XOR of the one or more cross-domain virtual link parameters and the two user key association parameters, and sends the XOR value to each of the two target users. The virtual link parameter is the XOR of the quantum keys of two service nodes, or a shared quantum key (in general a service node stores a quantum key associated with one or more virtual link slices but does not store an end-to-end shared quantum key; if two service nodes already share an end-to-end quantum key, that key can also be used as the virtual link parameter), and the user key association parameter is the XOR of one or more quantum keys of a service node associated with one or more virtual link parameters and one user key.
Further, the method also includes identity authentication between the wide-area quantum key service system and the user, and between the quantum key service system and the service node. The identity authentication uses any one of the following methods: preset random numbers; a CA certificate combined with a preset random number; a quantum-resistant identity authentication algorithm; or a quantum-resistant identity authentication algorithm combined with a preset random number.
The invention also provides a wide-area quantum key service system comprising at least one primary service device and two or more secondary service devices. The primary service device comprises a storage unit and a data processing unit: the storage unit stores programs and instructions, and optionally the cross-domain virtual link parameters as well; the data processing unit, by calling the stored programs and instructions, responds to users' service requests and provides end-to-end key service between any two service nodes of the wide-area QKD network and/or between users of the wide-area QKD network. Each secondary service device likewise comprises a storage unit and a data processing unit: the storage unit stores programs and instructions, and optionally the local area virtual link parameters; the data processing unit, by calling the stored programs and instructions, responds to a service request from the primary service device, obtains one or more local area virtual link parameters, sends a service instruction to the service nodes associated with those parameters and obtains the corresponding user key association parameters, calculates the XOR of the local area virtual link parameters and the two user key association parameters, and sends the XOR value to the two target users either directly or through the wide-area quantum key service system.
Further, the system also comprises a plurality of service node devices or virtual service node devices, each with a storage unit and a data processing unit; the storage unit stores the users' preset keys, the quantum keys associated with virtual links, and programs and instructions, and the device provides the user key association parameter in response to an instruction from the primary service device and/or the secondary service device.
Further, the system may use part of the bandwidth resources of the wide-area quantum key distribution network to create a wide-area virtual link slice database; or a relay node in the wide-area quantum key distribution network sends several association XOR values to the corresponding server devices, which use them respectively to create different virtual link slices, or to create a virtual quantum key distribution network.
Further, the above system further comprises: and the identity management subsystem is used for carrying out identity management on the service node device or the virtual service node device in the wide-area quantum key distribution network.
Further, the above system further comprises: the virtual link service device is used for managing the local virtual link slice database or/and the cross-domain virtual link slice database, providing the local virtual link slice or/and the cross-domain virtual link slice service, or/and providing the local virtual link parameter or/and the cross-domain virtual link parameter service.
Further, the above system further comprises: random number service device, which is used to provide random number service or/and data safety service based on random number.
The invention realizes the internetworking of the quantum key service process based on the QKD link network virtualization, realizes the multi-field sharing of the wide-area QKD network based on the general service platform interface, effectively solves the problem of scale application of the QKD network, is a safer and more efficient real-time quantum key service technology, and has good application prospect.
Drawings
Fig. 1 is a schematic diagram of a local area virtual link and a method for applying the same;
FIG. 2 is a schematic diagram of a cross-domain virtual link and a method for applying the same;
fig. 3 is a schematic diagram of a wide-area quantum key service method according to an embodiment of the present invention;
fig. 4 is a schematic diagram of a wide-area quantum key service system according to an embodiment of the present invention (where 401 represents a primary service device, 402 and 403 represent 2 secondary service devices, and 404 to 407 represent 4 service node virtual machine devices).
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in detail below with reference to the accompanying drawings and specific embodiments.
To make the novelty and practicality of the invention easier to appreciate, its application scenario is described first. The invention provides a general service platform for large-scale application of a wide-area QKD network, implemented as a quantum key service system on conventional communication network technology; all communication in the invention is therefore preferably carried over conventional means such as the internet and/or the mobile internet already used by the business system.
To make the implementation principle of the method and system easier to follow, Fig. 1 shows, as background, how a local area virtual link slice is created and applied, and in particular what a virtual link parameter is and how a virtual link slice is created and used. As shown in Fig. 1, the local area QKD network contains service nodes 4, 5, 6 and 7 and relay nodes 1, 2 and 3. The association XOR values of the three relay nodes are regarded as one local virtual link slice; that is, one local virtual link slice contains the association XOR values {XOR_ijk} of all three relay nodes, where XOR_ijk is the XOR of the key that relay node j shares with one adjacent node i and the key it shares with another adjacent node k. For example, XOR_412 = K_4_1 ^ K_2_1, where K_4_1 is the key shared by node 4 and node 1, K_2_1 is the key shared by node 2 and node 1, and ^ is the bitwise XOR operator. The quantum key that each service node associates with the slice is its own key shared with its adjacent relay node (K_4_1 for service node 4, K_5_3 for service node 5, and likewise for service nodes 6 and 7). Several such virtual link slices form a local area virtual link slice database (in one embodiment every association XOR value in a slice carries unique identification information, through which the association XOR values of all relay nodes on a relay link can be looked up quickly and combined into an end-to-end XOR association, i.e. a virtual link parameter). A virtual link parameter (or local area virtual link parameter) between any two service nodes can be generated from any one slice in the database; for example, the virtual link parameter between service node 4 and service node 5 is XOR_413 ^ XOR_135 = K_4_1 ^ K_5_3, because the key K_1_3 shared by relay nodes 1 and 3 appears in both terms and cancels (note that XOR_ijk = XOR_kji and K_i_j = K_j_i).
Further, in a possible embodiment, a virtual link parameter between two application devices can also be generated. For example, suppose service node 4 shares the key packet Ku with application terminal U in advance and service node 5 shares the key packet Kv with application terminal V in advance. Service node 4 sends K_4_1 ^ Ku to the server and service node 5 sends K_5_3 ^ Kv to the same server; the server then calculates (XOR_413 ^ XOR_135) ^ (K_4_1 ^ Ku) ^ (K_5_3 ^ Kv) = Ku ^ Kv. Every link key cancels, so the server obtains the XOR of the two user keys without handling Ku, Kv or any link key in the clear.
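The slice construction and the server-side computation described above, carried through in code. This is an added example written for this page, not code from the patent or its assignee. The topology follows the text (service node 4 behind relay 1, service node 5 behind relay 3, relay links 1-2 and 1-3); the attachment of service nodes 6 and 7 to relays 2 and 3 is an assumption, and random byte strings stand in for QKD-negotiated link keys. It goes beyond the single 4-to-5 case in the text: for any two service nodes joined by a path of relays, XORing the association values along the path cancels every interior link key and yields the virtual link parameter.

```python
"""Local-area virtual link slice (Fig. 1), modelled end to end (added example)."""
import secrets
from collections import deque

KEY_LEN = 32  # assumed key block length in bytes


def xor(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length byte strings (the page's '^' operator)."""
    if len(a) != len(b):
        raise ValueError("operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


class LocalQkdNetwork:
    """Nodes joined by QKD links; link (i, j) holds one shared key K_i_j == K_j_i."""

    def __init__(self, links, relays):
        self.relays = set(relays)
        self.adj = {}
        self.keys = {}
        for i, j in links:
            self.adj.setdefault(i, set()).add(j)
            self.adj.setdefault(j, set()).add(i)
            self.keys[frozenset((i, j))] = secrets.token_bytes(KEY_LEN)  # stand-in QKD key

    def k(self, i, j):
        return self.keys[frozenset((i, j))]

    def assoc_xor(self, i, j, k):
        """XOR_ijk = K_i_j ^ K_j_k, computed by relay j; only this value leaves the relay."""
        return xor(self.k(i, j), self.k(j, k))

    def build_slice(self):
        """One local virtual link slice: every relay's association value for every
        pair of its neighbours, keyed (i, j, k) with i < k."""
        db = {}
        for j in self.relays:
            nb = sorted(self.adj[j])
            for a in range(len(nb)):
                for b in range(a + 1, len(nb)):
                    db[(nb[a], j, nb[b])] = self.assoc_xor(nb[a], j, nb[b])
        return db

    def relay_path(self, src, dst):
        """Shortest src -> dst path whose interior nodes are all relays (BFS)."""
        prev = {src: None}
        queue = deque([src])
        while queue and dst not in prev:
            n = queue.popleft()
            for m in self.adj[n]:
                if m not in prev and (m in self.relays or m == dst):
                    prev[m] = n
                    queue.append(m)
        if dst not in prev:
            raise ValueError(f"no relay path from {src} to {dst}")
        path, n = [], dst
        while n is not None:
            path.append(n)
            n = prev[n]
        return path[::-1]


def lookup_assoc(db, i, j, k):
    """XOR_ijk == XOR_kji, so the slice stores each value once."""
    return db[(i, j, k)] if (i, j, k) in db else db[(k, j, i)]


def virtual_link_parameter(net, db, src, dst):
    """XOR of the association values along the relay path. Interior link keys
    cancel pairwise, leaving K_src_r1 ^ K_rn_dst, the parameter between src and dst."""
    path = net.relay_path(src, dst)
    if len(path) < 3:
        raise ValueError("endpoints must be joined through at least one relay")
    acc = bytes(KEY_LEN)
    for t in range(len(path) - 2):
        acc = xor(acc, lookup_assoc(db, path[t], path[t + 1], path[t + 2]))
    return acc


def serve_user_pair(net, db, src, dst, Ku, Kv):
    """Server-side step: returns Ku ^ Kv. The server only handles XOR-masked values;
    neither Ku, Kv nor any link key reaches it in the clear."""
    path = net.relay_path(src, dst)
    vlp = virtual_link_parameter(net, db, src, dst)
    p_u = xor(net.k(src, path[1]), Ku)    # sent by service node src
    p_v = xor(net.k(dst, path[-2]), Kv)   # sent by service node dst
    return xor(xor(vlp, p_u), p_v)


def build_fig1_network():
    """Links 4-1, 1-2, 1-3, 3-5 follow the text; 6-2 and 7-3 are assumptions."""
    return LocalQkdNetwork([(4, 1), (1, 2), (1, 3), (3, 5), (6, 2), (7, 3)],
                           relays={1, 2, 3})


if __name__ == "__main__":
    net = build_fig1_network()
    db = net.build_slice()
    Ku, Kv = secrets.token_bytes(KEY_LEN), secrets.token_bytes(KEY_LEN)
    out = serve_user_pair(net, db, 4, 5, Ku, Kv)
    print("server output == Ku ^ Kv:", out == xor(Ku, Kv))
    print("user U recovers Kv      :", xor(out, Ku) == Kv)
```

Each terminal recovers the other's key by XORing the delivered value with its own preset key; the server, which sees only the masked parameters, learns neither key.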
Fig. 2 shows a cross-domain virtual link and how it is applied. Service node A in the first target network stores a shared quantum key Kax associated with one local area virtual link slice, and service node B in the second target network stores a shared quantum key Kby associated with another local area virtual link slice; the two local area slices are completely isolated from each other. To interwork across domains, a trusted third party or trusted relay node C distributes shared quantum keys Ka and Kb to A and B respectively. A calculates Kax ^ Ka, B calculates Kby ^ Kb, and C calculates Ka ^ Kb; these three XOR values, together with the two corresponding local area virtual link slices, form a cross-domain interworking virtual link slice. A cross-domain virtual link parameter between two cross-domain service nodes can be computed from one cross-domain interworking virtual link slice; for example, the cross-domain virtual link parameter between A and B is (Kax ^ Ka) ^ (Ka ^ Kb) ^ (Kby ^ Kb) = Kax ^ Kby, since Ka and Kb each appear twice and cancel. The trusted third party or trusted relay node C includes, but is not limited to, a quantum key distribution relay satellite (in which case service nodes A and B each comprise a satellite ground receiving device together with a service node device), or one or more relay nodes of a quantum key distribution backbone network and their corresponding QKD links.
A customized virtual link slice database can also be created from the same QKD network by time-division multiplexing or bandwidth division. Time-division multiplexing includes, but is not limited to, a relay node and its adjacent nodes generating the XOR values of different virtual link slices in different time periods; bandwidth division includes, but is not limited to, using part of the shared key negotiated between adjacent nodes to generate the XOR values of one or more particular virtual link slices.
Wide-area QKD networks in the present invention include, but are not limited to: at least two local area QKD networks and the relay links between them; at least one local area QKD network together with at least one quantum key distribution relay satellite ground receiving device and service node device (the latter forming a service node); or an application scenario formed by at least two quantum key distribution relay satellite ground receiving devices and service node devices. The relay satellite ground receiving device and the service node device may be two independent server devices or a single integrated server device (an integrated system combining an optical-fibre QKD transmitting and receiving system with the satellite ground receiving device).
An embodiment of the wide-area quantum key service method, shown in Fig. 3, comprises the following steps.
Step 301: the primary service device (equivalently the wide-area quantum key service system; the same below) responds to a user's service request and determines whether the service nodes from which the two target users obtained their preset keys belong to the same local QKD network. (In general a user obtains a unique ID when applying to join and register, obtains a preset key and establishes a service association with the corresponding service node; the affiliated service node and the local QKD network it belongs to can be looked up through that unique ID.) If so, go to step 302; otherwise go to step 306.
Step 302: the primary service device forwards the user's service request to the corresponding first and second secondary service devices (local area service devices; the same below), and the secondary service devices each obtain one or more local area virtual link parameters.
Step 303: a service instruction is sent to the service nodes associated with the one or more local area virtual link parameters.
Step 304: the secondary service device receives the corresponding user key association parameters sent by the two service nodes and calculates the XOR of the one or more local virtual link parameters and the two user key association parameters. With several local virtual link parameters, say L1, L2 and L3, and corresponding user key association parameters P1 and P2, it computes L1 ^ L2 ^ L3 ^ P1 ^ P2, where P1 and P2 are each the XOR of the three quantum keys associated with the three local virtual links and the respective user key (the same applies below).
Step 305: the secondary service device sends the XOR value to the primary service device (in a possible embodiment it sends the XOR value directly to the two target users and the service ends); go to step 308.
Step 306: the primary service device obtains one or more cross-domain virtual link parameters and sends a service instruction to the service nodes associated with them.
Step 307: the primary service device receives the corresponding user key association parameters sent by the two service nodes and calculates the XOR of the one or more cross-domain virtual link parameters and the two user key association parameters.
Step 308: the primary service device sends the XOR value to the first and second users respectively.
The virtual link parameter is the XOR of the quantum keys of two service nodes, or a shared quantum key (in general a service node stores a quantum key associated with one or more cross-domain virtual link slices but does not store an end-to-end shared quantum key; if two service nodes already share an end-to-end quantum key, that key can also be used as the virtual link parameter), and the user key association parameter is the XOR of one or more quantum keys of a service node associated with one or more virtual link parameters and one user key.
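The dispatch of steps 301 to 308, with the Fig. 2 interworking slice used on the cross-domain branch, as an added example written for this page (not the patent's own code). Assumptions: node and slice names, a single primary device that performs the secondary device's same-domain computation inline, and random byte strings standing in for the quantum keys and preset keys. It covers the multi-parameter form of step 304 (L1 ^ L2 ^ L3 ^ P1 ^ P2) and the cross-domain form of step 307, and in both cases the value delivered to the users works out to Ku ^ Kv.

```python
"""Steps 301-308 of the method with local and cross-domain virtual links (added example)."""
import secrets
from functools import reduce

KEY_LEN = 32  # assumed key block length in bytes


def xor(*parts: bytes) -> bytes:
    """XOR of any number of equal-length byte strings."""
    if len({len(p) for p in parts}) != 1:
        raise ValueError("operands must have equal length")
    return reduce(lambda a, b: bytes(x ^ y for x, y in zip(a, b)), parts)


class ServiceNode:
    """Holds users' preset keys and the quantum key it associates with each slice."""

    def __init__(self, name, domain, slice_ids):
        self.name, self.domain = name, domain
        self.slice_keys = {s: secrets.token_bytes(KEY_LEN) for s in slice_ids}
        self.user_keys = {}

    def user_key_assoc_param(self, slice_ids, user_id):
        """P = (XOR of this node's keys for the chosen slices) ^ Ku. Only P leaves the node."""
        return xor(*(self.slice_keys[s] for s in slice_ids), self.user_keys[user_id])


def local_link_param(node_a, node_b, slice_id):
    """Local virtual link parameter for one slice: K_a ^ K_b. The real system reads this
    from the slice database rather than from node keys; computed directly here."""
    return xor(node_a.slice_keys[slice_id], node_b.slice_keys[slice_id])


def cross_domain_slice(node_a, slice_a, node_b, slice_b):
    """Fig. 2: trusted relay C gives Ka to A and Kb to B; A, B and C each publish one XOR."""
    Ka, Kb = secrets.token_bytes(KEY_LEN), secrets.token_bytes(KEY_LEN)
    return {
        "A": xor(node_a.slice_keys[slice_a], Ka),  # Kax ^ Ka, computed by A
        "B": xor(node_b.slice_keys[slice_b], Kb),  # Kby ^ Kb, computed by B
        "C": xor(Ka, Kb),                          # Ka ^ Kb, computed by C
    }


def cross_domain_link_param(parts):
    """(Kax ^ Ka) ^ (Kby ^ Kb) ^ (Ka ^ Kb) = Kax ^ Kby; Ka and Kb cancel."""
    return xor(parts["A"], parts["B"], parts["C"])


class PrimaryServiceDevice:
    def __init__(self):
        self.registry = {}  # user_id -> ServiceNode, filled at registration (step 301 lookup)

    def register(self, user_id, node):
        """Issue the user's preset key and bind the user to a service node."""
        node.user_keys[user_id] = secrets.token_bytes(KEY_LEN)
        self.registry[user_id] = node
        return node.user_keys[user_id]  # delivered to the user out of band

    def serve(self, user_u, user_v):
        """Returns the value sent to both users (step 305 or 308): always Ku ^ Kv."""
        a, b = self.registry[user_u], self.registry[user_v]
        if a.domain == b.domain:
            # Steps 302-305 (done by that domain's secondary device; modelled inline).
            slices = sorted(set(a.slice_keys) & set(b.slice_keys))
            if not slices:
                raise ValueError("no common local virtual link slice")
            L = [local_link_param(a, b, s) for s in slices]
            P1 = a.user_key_assoc_param(slices, user_u)
            P2 = b.user_key_assoc_param(slices, user_v)
            return xor(*L, P1, P2)  # L1 ^ L2 ^ ... ^ P1 ^ P2 of step 304
        # Steps 306-307: one slice from each domain joined by the interworking slice.
        sa, sb = min(a.slice_keys), min(b.slice_keys)
        parts = cross_domain_slice(a, sa, b, sb)
        return xor(cross_domain_link_param(parts),
                   a.user_key_assoc_param([sa], user_u),
                   b.user_key_assoc_param([sb], user_v))


def build_demo():
    """Two domains: nodes 4 and 5 in LAN1 share three slices; node 6 sits in LAN2."""
    n4 = ServiceNode("4", "LAN1", ["1a", "1b", "1c"])
    n5 = ServiceNode("5", "LAN1", ["1a", "1b", "1c"])
    n6 = ServiceNode("6", "LAN2", ["2a"])
    primary = PrimaryServiceDevice()
    keys = {u: primary.register(u, n) for u, n in (("U", n4), ("V", n5), ("W", n6))}
    return primary, keys


if __name__ == "__main__":
    primary, keys = build_demo()
    local = primary.serve("U", "V")
    cross = primary.serve("U", "W")
    print("same domain  == Ku ^ Kv:", local == xor(keys["U"], keys["V"]))
    print("cross domain == Ku ^ Kw:", cross == xor(keys["U"], keys["W"]))
    print("user U derives Kw      :", xor(cross, keys["U"]) == keys["W"])
```

The primary device never receives a slice key or a preset key on its own: every value it processes is already masked by a second key that it does not hold, which is what allows the service platform to run on conventional internet infrastructure.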
In a possible embodiment, on the basis of any of the above embodiments, the method further includes identity authentication between the primary service device (or the wide-area quantum key service system) and the user, and between the primary and secondary service devices and the service node. The identity authentication uses any one of the following methods.
Preset random numbers: this includes, but is not limited to, the two parties authenticating each other by comparing hash values of the preset random numbers, or of some random data within them; each side computes the hash of the corresponding data, and authentication passes only if the two hashes are identical. Alternatively, some random data from the preset random numbers is used to encrypt an authentication message: one party encrypts the message, and authentication passes if the other party decrypts it and obtains the expected message.
A CA certificate combined with a preset random number: this includes, but is not limited to, the sender encrypting a message with the preset random number (or one of the preset keys), digitally signing it, and then encrypting it with the receiver's public key; the receiver first decrypts with its own private key, then verifies the signature, then decrypts with the preset random number (or preset key), and authentication passes if the recovered message matches the one sent.
A quantum-resistant identity authentication algorithm (the invention does not restrict which algorithm is used).
A quantum-resistant identity authentication algorithm combined with a preset random number, following the same flow as the CA certificate method: the sender encrypts the message with the preset random number (or one of the preset groups), signs it, and encrypts it with the receiver's public key; the receiver decrypts, verifies the signature, decrypts with the preset random number (or group), and authentication passes if the recovered message matches the one sent.
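The preset random number method, modelled as a mutual challenge-response. This is an added example written for this page, not the patent's own procedure: the pool of preset random numbers, the party names and the message layout are assumptions, and the hash is keyed (HMAC-SHA256) over a fresh nonce and both identities. The page only says the two sides compare hashes of the preset data; a hash of a fixed value is the same in every session, so a captured one could be replayed, and binding each proof to a one-time nonce is the practitioner's usual answer to that.

```python
"""Identity authentication from a shared pool of preset random numbers (added example)."""
import hashlib
import hmac
import secrets

POOL_SIZE = 8   # assumed number of preset random numbers per pair of parties
ITEM_LEN = 32   # assumed length of each preset random number in bytes


def provision_pool(size=POOL_SIZE):
    """Preset random numbers shared by both parties in advance (e.g. at registration)."""
    return [secrets.token_bytes(ITEM_LEN) for _ in range(size)]


class Party:
    def __init__(self, name: str, pool):
        self.name = name.encode()
        self.pool = list(pool)
        self.pending = {}  # peer name -> nonce whose answer we are waiting for

    def challenge(self, peer: bytes) -> bytes:
        """Issue a fresh nonce to the peer; it is valid for exactly one verify() call."""
        nonce = secrets.token_bytes(16)
        self.pending[peer] = nonce
        return nonce

    def respond(self, idx: int, nonce: bytes, verifier: bytes) -> bytes:
        """Keyed hash proving possession of pool[idx], bound to the nonce and both
        identities so it cannot be replayed to another verifier or another session."""
        msg = idx.to_bytes(2, "big") + nonce + self.name + b"|" + verifier
        return hmac.new(self.pool[idx], msg, hashlib.sha256).digest()

    def verify(self, idx: int, tag: bytes, prover: bytes) -> bool:
        nonce = self.pending.pop(prover, None)  # nonce is consumed whether or not it verifies
        if nonce is None or not 0 <= idx < len(self.pool):
            return False
        msg = idx.to_bytes(2, "big") + nonce + prover + b"|" + self.name
        expected = hmac.new(self.pool[idx], msg, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)  # constant-time comparison


def mutual_authenticate(a: Party, b: Party, idx: int) -> bool:
    """Both directions must pass; True only if a and b hold the same pool[idx]."""
    n_b = b.challenge(a.name)                                   # b challenges a
    ok_ab = b.verify(idx, a.respond(idx, n_b, b.name), a.name)
    n_a = a.challenge(b.name)                                   # a challenges b
    ok_ba = a.verify(idx, b.respond(idx, n_a, a.name), b.name)
    return ok_ab and ok_ba


if __name__ == "__main__":
    pool = provision_pool()
    alice, bob = Party("alice", pool), Party("bob", pool)
    eve = Party("eve", provision_pool())
    print("alice <-> bob:", mutual_authenticate(alice, bob, 3))
    print("alice <-> eve:", mutual_authenticate(alice, eve, 3))
```

Which pool entry is used (idx) can be chosen per session or consumed sequentially; either way the entry itself never travels, only a keyed hash over data that changes every time.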
In any of the above embodiments, obtaining one or more local area virtual link parameters or cross-domain virtual link parameters comprises either of the following: selecting one or more parameters from the corresponding virtual link slice database (if the primary service device does not itself store the cross-domain virtual link slice database, the cross-domain parameters are obtained from another server that stores it; if a secondary service device does not itself store the local area virtual link slice database, the local area parameters are obtained from another server that stores it); or querying the association XOR values of the relay nodes on the one or more corresponding links and XORing them together (the relay nodes store a number of association XOR values in advance, and the required ones are retrieved by query).
A wide-area quantum key service system embodiment includes at least one primary service device and two or more secondary service devices, and may also include any number of service node virtual machine devices (or virtual service node devices). Fig. 4 shows one such embodiment, with a primary service device 401, two secondary service devices 402 and 403, and four service node virtual machine devices (or virtual service node devices) 404 to 407. The primary service device 401 includes a storage unit and a data processing unit: the storage unit stores programs and instructions, and optionally the cross-domain virtual link parameters; the data processing unit, by calling the stored programs and instructions, responds to users' service requests and provides end-to-end key service (including by the method of Fig. 3) between any two service nodes of the wide-area QKD network and/or between users of the wide-area QKD network.
Each of the secondary service devices 402 and 403 includes a storage unit and a data processing unit, where the storage unit is configured to store a program and an instruction or is configured to store a local area virtual link parameter, a program, and an instruction, and the data processing unit is configured to respond to a service request of the primary service device by invoking the program and the instruction stored in the storage unit, acquire one or more local area virtual link parameters, send a service instruction to a service node associated with the local area virtual link parameter and acquire a corresponding user key association parameter, calculate an exclusive or value between the local area virtual link parameter and the two user key association parameters, and send the exclusive or value to two target users respectively or send the exclusive or value to the two target users through a wide area quantum key service system. The service node virtual machine device (or virtual service node device) comprises a storage unit and a data processing unit, wherein the storage unit is used for storing a user preset key, a quantum key associated with a virtual link, a program and an instruction; the system is used for responding to the instruction of the primary service device or/and the secondary service device and providing the user key association parameter.
In a possible embodiment, the secondary service devices 402 and 403 in the above embodiments are respectively service devices belonging to two local QKD networks (the service node virtual device 404 and 405 and the service node virtual device 406 and 407 are respectively belonging to different local QKD networks), and respectively store corresponding local virtual link slices; the primary service device 401 stores cross-domain virtual link slices. In one possible embodiment, the primary service device 401 in the above embodiment obtains the cross-domain virtual link slice from another server.
In a possible embodiment, on the basis of any of the above embodiments, a part of bandwidth resources of the wide-area quantum key distribution network is further included for creating the wide-area virtual link slice database, or a relay node in the wide-area quantum key distribution network sends a plurality of association exclusive-or values to a corresponding server apparatus and is respectively used for creating different virtual link slices, or is used for creating the virtual quantum key distribution network (including, but not limited to, the wide-area virtual link slice database or/and the local virtual link slice database created based on the association exclusive-or value of a specific relay node in the wide-area QKD network).
In a possible embodiment, on the basis of any of the above embodiments, an identity management subsystem is further included, configured to perform identity management on the service node device or the virtual service node device in the wide-area quantum key distribution network.
In a possible embodiment, on the basis of any of the foregoing embodiments, the virtual link service device is further included, and is configured to manage a local area virtual link slice database or/and a cross-domain virtual link slice database, provide a local area virtual link slice or/and a cross-domain virtual link slice service, or/and provide a local area virtual link parameter or/and a cross-domain virtual link parameter service.
In a possible embodiment, on the basis of any of the above embodiments, a random number service device is further included for providing a random number service or/and a random number-based data security service (including, but not limited to, masking the target data with the random number).
In a possible embodiment, the virtual service node apparatus in the foregoing embodiment is further configured to distribute a preset key or/and a CA certificate and a preset key for the user, and create an association identifier of the preset key and the CA certificate.
In a possible embodiment, on the basis of any of the above embodiments, if the serving node is simultaneously used as a relay node, the serving node configures a virtual relay node and sets a logical isolation; if one relay node is simultaneously used as a service node, it is necessary to configure a virtual service node and set logical isolation.
In a possible embodiment, the data processing unit in the above embodiments is used for performing identity authentication, data encryption and decryption processing, and the like.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, apparatus (or system), or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects.
While the invention has been described in conjunction with specific features and embodiments thereof, it will be evident that various modifications and combinations can be made thereto without departing from the spirit and scope of the invention. Accordingly, the specification and figures are merely exemplary of the invention as defined in the appended claims and are intended to cover any and all modifications, variations, combinations, or equivalents within the scope of the invention. It will be apparent to those skilled in the art that various changes and modifications may be made in the present invention without departing from the spirit and scope of the invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include such modifications and variations.

Claims (10)

1. A wide-area quantum key service method, comprising: the wide-area quantum key service system responds to a service request of a user and judges whether the service nodes of the two target users for obtaining preset keys belong to the same local QKD network; if so, the wide-area quantum key service system transfers the service request of the user to the corresponding local area quantum key service system, and the local area quantum key service system obtains one or more local area virtual link parameters, sends a service instruction to the service nodes associated with the one or more local area virtual link parameters and obtains the corresponding user key association parameters, calculates the exclusive OR value of the one or more local area virtual link parameters and the two user key association parameters, and sends the exclusive OR value to each of the two target users, either directly or through the wide-area quantum key service system; otherwise, the wide-area quantum key service system acquires one or more cross-domain virtual link parameters, sends a service instruction to the service nodes associated with the one or more cross-domain virtual link parameters and acquires the corresponding user key association parameters, calculates the exclusive OR value of the one or more cross-domain virtual link parameters and the two user key association parameters, and sends the exclusive OR value to each of the two target users; the virtual link parameters are exclusive OR values of the quantum keys of two service nodes, or shared quantum keys, and a user key association parameter is the exclusive OR value of one or more quantum keys of the service node associated with one or more virtual link parameters and one user key; the method for acquiring the cross-domain virtual link parameters comprises: a first service node in a first local area QKD network stores a first shared quantum key associated with one local area virtual link slice, a second service node in a second local area QKD network stores a second shared quantum key associated with another local area virtual link slice, the first service node and the second service node each calculate the exclusive OR value of the quantum key it shares with a trusted third party and its own shared quantum key (the first and the second shared quantum key respectively) and send the exclusive OR value to the trusted third party, the trusted third party calculates the exclusive OR value of the two received data, the three exclusive OR values respectively calculated by the first service node, the second service node and the trusted third party together with the two corresponding local area virtual link slices are used as a cross-domain intercommunication virtual link slice, and the cross-domain virtual link parameters between the two cross-domain service nodes are calculated based on the cross-domain intercommunication virtual link slice.
2. The method of claim 1, comprising performing identity authentication between the wide-area quantum key service system and the user, and performing identity authentication between the quantum key service system and the service node; wherein the identity authentication comprises any one of the following methods: adopting a method of presetting random numbers; a method of combining a CA certificate and a preset random number is adopted; adopting an identity authentication algorithm of anti-quantum computation; the method combines the identity authentication algorithm of anti-quantum computation with the preset random number.
3. The method of claim 1, wherein obtaining one or more local area virtual link parameters and obtaining one or more cross-domain virtual link parameters comprises any of: one or more local area virtual link parameters or cross-domain virtual link parameters are selected from the corresponding local area or cross-domain virtual link slice database, the associated exclusive-or values of all relay nodes on one or more corresponding links are inquired, and exclusive-or operation is respectively carried out.
4. A wide-area quantum key service system comprising at least one primary service device and two or more secondary service devices, characterized in that: the primary service device comprises a storage unit and a data processing unit, wherein the storage unit is used for storing programs and instructions, or cross-domain virtual link parameters together with the programs and instructions, and the data processing unit is used for responding to service requests of users by calling the programs and instructions stored in the storage unit and providing end-to-end key service for any two service nodes in the wide-area QKD network or/and users of the wide-area QKD network; each secondary service device comprises a storage unit and a data processing unit, wherein the storage unit is used for storing programs and instructions, or local virtual link parameters together with the programs and instructions, and the data processing unit is used for responding to a service request of the primary service device by calling the programs and instructions stored in the storage unit, acquiring one or more local virtual link parameters, sending a service instruction to the service nodes associated with the local virtual link parameters and acquiring the corresponding user key association parameters, calculating the exclusive OR value of the local virtual link parameters and the two user key association parameters, and sending the exclusive OR value to each of the two target users, either directly or through the wide-area quantum key service system; the end-to-end key service provided for users of the wide-area QKD network comprises: a first secondary service node in a first local QKD network stores a first shared quantum key associated with one local virtual link slice, a second secondary service node in a second local QKD network stores a second shared quantum key associated with another local virtual link slice, the first secondary service node and the second secondary service node each calculate the exclusive OR value of the quantum key it shares with a trusted third party and its own shared quantum key (the first and the second shared quantum key respectively) and send the exclusive OR value to the trusted third party, the trusted third party calculates the exclusive OR value of the two received data, the three exclusive OR values respectively calculated by the first secondary service node, the second secondary service node and the trusted third party together with the two corresponding local virtual link slices are used as a cross-domain intercommunication virtual link slice, and the primary service device calculates the cross-domain virtual link parameters between the two cross-domain service nodes based on the cross-domain intercommunication virtual link slice.
5. The system of claim 4, further comprising a plurality of service node devices or a plurality of virtual service node devices, each comprising a storage unit and a data processing unit, wherein the storage unit is used for storing a user preset key, a quantum key associated with a virtual link, and programs and instructions, and the device is used for responding to the instruction of the primary service device or/and the secondary service device and providing the user key association parameter.
6. The system of claim 4 or 5, further comprising a portion of the bandwidth resources of a wide-area quantum key distribution network, configured to create a wide-area virtual link slice database; or a relay node in the wide-area quantum key distribution network that sends a plurality of associated exclusive-OR values to the corresponding server devices, each used to create a different virtual link slice, or used to create a virtual quantum key distribution network.
7. The system of claim 6, further comprising an identity management subsystem for performing identity management on the service node devices or the virtual service node devices in the wide-area quantum key distribution network.
8. The system of claim 4 or 5, comprising: the virtual link service device is used for managing a local virtual link slice database or/and a cross-domain virtual link slice database, providing local virtual link slice or/and cross-domain virtual link slice service, or/and providing local virtual link parameter or/and cross-domain virtual link parameter service.
9. The system of claim 4 or 5, comprising: random number service means for providing random number service or/and data security service based on random numbers.
10. The system according to claim 5, wherein the virtual service node device is configured to distribute the provisioning key or/and the CA certificate and the provisioning key for the user, and create an associated identifier of the provisioning key and the CA certificate.
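Claim 1 (the local and cross-domain paths), claim 3 (XOR of the relays' associated values along a slice) and claim 6 (relays publishing associated exclusive-OR values) describe one XOR chain that lets two users obtain a shared relation between their preset keys while every intermediate party only ever handles masked values. The Python simulation below is an added example written by the editor; it is not code from the patent or its assignee. Everything in it is constructed: node names S1 to S4, relays R1 and R2, users A, B and C, link ids, and random bytes standing in for QKD-distributed keys. Two points are the editor's reading rather than the claim wording and are labelled as such in the code: the trusted third party contributes the XOR of the two keys it shares with S2 and S3 (read literally, the XOR of the two received data still contains those two keys, which only the third party can cancel), and the final client step, in which each user XORs the delivered value with its own preset key to obtain the peer's preset key, is not stated in the claims.

```python
"""Simulation of the XOR key-relay chain of claims 1, 3 and 6 (editor's example).

Assumptions (not from the patent): topology, names and link ids below; os.urandom
in place of QKD keys; the TTP acts as a relay publishing T1 XOR T2; the client
unmasks by XORing with its own preset key.
"""
import os

KEY_LEN = 16  # constructed: every key in the simulation is 16 random bytes


def xor(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length byte strings; the relay scheme needs nothing else."""
    if len(a) != len(b):
        raise ValueError("key length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


def qkd_key() -> bytes:
    """Stand-in for one QKD session: both ends of a link hold this same key."""
    return os.urandom(KEY_LEN)


class ServiceNode:
    """Service node of claims 1 and 5: one quantum key per adjacent link plus the
    preset keys of the users it serves. Only XOR-masked values leave the node."""

    def __init__(self, name: str, domain: str) -> None:
        self.name, self.domain = name, domain
        self.link_keys: dict[str, bytes] = {}   # link id -> key shared with the far end
        self.user_keys: dict[str, bytes] = {}   # user id -> preset key

    def user_key_parameter(self, link: str, user: str) -> bytes:
        """User key association parameter (claim 1): link key XOR the user's preset key."""
        return xor(self.link_keys[link], self.user_keys[user])

    def masked_slice_key(self, link: str, ttp_link: str) -> bytes:
        """Cross-domain step of claim 1: slice key XOR the key shared with the TTP."""
        return xor(self.link_keys[link], self.link_keys[ttp_link])


class Relay:
    """Relay node of claim 6: holds the keys of its two links, publishes only their XOR.
    The TTP is modelled the same way (editor's assumption, see module docstring)."""

    def __init__(self, k_in: bytes, k_out: bytes) -> None:
        self.k_in, self.k_out = k_in, k_out

    def associated_xor(self) -> bytes:
        return xor(self.k_in, self.k_out)


# Constructed wide-area topology: users A, B in domain d1, user C in domain d2.
#   S1 --L1-- R1 --L2-- S2 --T1-- TTP --T2-- S3 --L3-- R2 --L4-- S4
L1, L2, T1, T2, L3, L4 = (qkd_key() for _ in range(6))
S1, S2 = ServiceNode("S1", "d1"), ServiceNode("S2", "d1")
S3, S4 = ServiceNode("S3", "d2"), ServiceNode("S4", "d2")
S1.link_keys["L1"] = L1
S2.link_keys.update(L2=L2, T1=T1)
S3.link_keys.update(T2=T2, L3=L3)
S4.link_keys["L4"] = L4
R1, R2, TTP = Relay(L1, L2), Relay(L3, L4), Relay(T1, T2)
U = {"A": os.urandom(KEY_LEN), "B": os.urandom(KEY_LEN), "C": os.urandom(KEY_LEN)}
S1.user_keys["A"], S2.user_keys["B"], S4.user_keys["C"] = U["A"], U["B"], U["C"]
HOME = {"A": (S1, "L1"), "B": (S2, "L2"), "C": (S4, "L4")}  # user -> (service node, link used)

# Virtual link slice databases (claims 3 and 6): a slice is the list of published XOR values on a path.
LOCAL_SLICES = {("S1", "S2"): [R1.associated_xor()], ("S3", "S4"): [R2.associated_xor()]}


def cross_domain_slice() -> list[bytes]:
    """Cross-domain intercommunication slice of claim 1 for S1..S4 via the TTP."""
    return (LOCAL_SLICES[("S1", "S2")]
            + [S2.masked_slice_key("L2", "T1"), TTP.associated_xor(), S3.masked_slice_key("L3", "T2")]
            + LOCAL_SLICES[("S3", "S4")])


def virtual_link_parameter(slice_values: list[bytes]) -> bytes:
    """Claim 3: XOR every associated value along the slice; the relay keys cancel pairwise."""
    out = bytes(KEY_LEN)
    for v in slice_values:
        out = xor(out, v)
    return out


def serve(user_x: str, user_y: str) -> bytes:
    """Wide-area service of claim 1: pick the local or cross-domain slice and return the
    value that is sent to both users (link parameter XOR both user key parameters)."""
    (nx, lx), (ny, ly) = HOME[user_x], HOME[user_y]
    if nx.domain == ny.domain:
        slice_values = LOCAL_SLICES.get((nx.name, ny.name)) or LOCAL_SLICES[(ny.name, nx.name)]
    else:
        slice_values = cross_domain_slice()
    v = virtual_link_parameter(slice_values)
    return xor(xor(v, nx.user_key_parameter(lx, user_x)), ny.user_key_parameter(ly, user_y))


def user_unmask(user: str, delivered: bytes) -> bytes:
    """Assumed client step: XOR the delivered value with the own preset key, yielding the peer's key."""
    return xor(U[user], delivered)
```

Running `serve("A", "B")` exercises the local path and `serve("A", "C")` the cross-domain path; in both cases the value the service system hands out equals the XOR of the two users' preset keys, so the relays, the secondary and primary service devices and the trusted third party each see only one masked value and never a bare link key or preset key. The check worth keeping in a deployment is the one the simulation makes explicit: every value that leaves a node must be the XOR of at least two keys, and each link key must be consumed by exactly one slice, since reusing a link key across two slices would let whoever holds both published values cancel it.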

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210260246.7A CN114362947B (en) 2022-03-17 2022-03-17 Wide-area quantum key service method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210260246.7A CN114362947B (en) 2022-03-17 2022-03-17 Wide-area quantum key service method and system

Publications (2)

Publication Number Publication Date
CN114362947A CN114362947A (en) 2022-04-15
CN114362947B true CN114362947B (en) 2022-12-02

Family

ID=81094983

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210260246.7A Active CN114362947B (en) 2022-03-17 2022-03-17 Wide-area quantum key service method and system

Country Status (1)

Country Link
CN (1) CN114362947B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115567196A (en) * 2022-08-05 2023-01-03 成都量安区块链科技有限公司 Quantum security cryptosystem and infrastructure
CN116527259B (en) * 2023-07-03 2023-09-19 中电信量子科技有限公司 Cross-domain identity authentication method and system based on quantum key distribution network

Citations (4)

Publication number Priority date Publication date Assignee Title
CN103763099A (en) * 2014-02-13 2014-04-30 国家电网公司 Electric power security communication network based on quantum key distribution technology
CN110086713A (en) * 2019-04-17 2019-08-02 北京邮电大学 It is a kind of to divide domain method for routing for wide area quantum key distribution network
CN110138550A (en) * 2019-05-06 2019-08-16 国网甘肃省电力公司信息通信公司 QKD network system model, distributed multi-user QKD network model and its distribution method
CN110677241A (en) * 2019-09-01 2020-01-10 成都量安区块链科技有限公司 Quantum network virtualization architecture method and device

Family Cites Families (6)

Publication number Priority date Publication date Assignee Title
KR101830339B1 (en) * 2016-05-20 2018-03-29 한국전자통신연구원 Apparatus for quantum key distribution on a quantum network and method using the same
CN107437995A (en) * 2016-05-27 2017-12-05 西安电子科技大学 Satellite-based wide area quantum communication network system and communication means
CN109995515B (en) * 2017-12-29 2020-08-11 成都零光量子科技有限公司 Quantum key relay method
CN110808837B (en) * 2019-11-21 2021-04-27 国网福建省电力有限公司 Quantum key distribution method and system based on tree-shaped QKD network
CN113676315B (en) * 2021-07-04 2024-04-30 河南国科量子通信技术应用研究院 Slicing application method of star-ground integrated quantum network
CN113691313A (en) * 2021-07-04 2021-11-23 河南国科量子通信网络有限公司 Satellite-ground integrated quantum key link virtualization application service system

Also Published As

Publication number Publication date
CN114362947A (en) 2022-04-15

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant