CN115865334B - Quantum key distribution method and device and electronic equipment - Google Patents
- Publication number: CN115865334B (application CN202211486216.4A)
- Authority: CN (China)
- Prior art keywords: key, message, protocol, end node, node
- Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Abstract
The disclosure provides a quantum key distribution method, a quantum key distribution device and electronic equipment, and relates to the technical field of quantum computing, in particular to quantum communication. The implementation scheme is as follows: a first message sent by a first end node is received through a first protocol; based on the first request identifier, the first distribution path, the first node identifier and the key characteristic information, a second message of the first message type is generated through a second protocol and sent to a second end node through the first protocol; when a third message of the second message type, sent by the second end node in response to the second message, is received, first keys between the relay node and each of its two adjacent nodes are acquired through the second protocol and/or a third protocol, based on the types of those two adjacent nodes and the key characteristic information; and a key ciphertext generated from the first key is transmitted to the target end node through the first protocol.
Description
Technical Field
The disclosure relates to the technical field of quantum computing, in particular to the technical field of quantum communication, and specifically relates to a quantum key distribution method, a quantum key distribution device and electronic equipment.
Background
A quantum network augments a classical network with quantum technology: by using quantum resources and quantum communication, it improves the information-processing capacity of the classical network, strengthens the security of information transmission, and enables entirely new internet services.
One particularly important application in quantum networks is quantum key distribution (QKD), which uses quantum-mechanical properties to secure communications: it enables the two communicating parties to generate and share a random, secure classical key with which to encrypt and decrypt messages.
Currently, quantum key distribution networks are typically designed around the response to a single quantum key distribution request.
Disclosure of Invention
The disclosure provides a quantum key distribution method, a quantum key distribution device and electronic equipment.
According to a first aspect of the present disclosure, there is provided a quantum key distribution method applied to a relay node of a quantum key distribution network, comprising:
receiving a first message sent by a first end node through a first protocol, wherein the first message comprises a first request identifier of a quantum key distribution request initiated by the first end node, a first distribution path, a first node identifier of a second end node and key characteristic information, and the first protocol is used for determining a transmission path of the message in a quantum key distribution process of the quantum key distribution network;
generating, when the number of resources required by the quantum key distribution request corresponding to the first request identifier does not exceed the processing capacity of the relay node, a second message of the first message type through a second protocol based on the first request identifier, the first distribution path, the first node identifier and the key characteristic information, and sending the second message to the second end node through the first protocol, wherein the second protocol is used for scheduling the received quantum key distribution request, and the first message type is used for identifying that the sender of the quantum key distribution request initiates the quantum key distribution request;
when a third message of the second message type, sent by the second end node in response to the second message, is received, acquiring a first key between the relay node and each of its two adjacent nodes through the second protocol and/or a third protocol, based on the types of the two adjacent nodes and the key characteristic information, wherein the second message type is used for identifying a resource reservation request initiated by the receiver of a quantum key distribution request, and the third protocol is used for carrying out key distribution using quantum bits as the information carrier;
and transmitting a key ciphertext generated from the first key to a target end node through the first protocol, wherein the target end node is the first end node or the second end node, the key ciphertext is used for determining a target key shared by the first end node and the second end node, and the target key is used for mutual communication between the first end node and the second end node.
According to a second aspect of the present disclosure, there is provided a quantum key distribution method, applying a first end node of a quantum key distribution network, comprising:
generating a fifteenth message through a fourth protocol, wherein the fourth protocol is used for initiating a quantum key distribution request, and the fifteenth message comprises a first request identifier of the quantum key distribution request initiated by the first end node, a first distribution path, a first node identifier of the second end node and key characteristic information;
generating a first message with a first message type through a second protocol based on the first request identifier, the first distribution path, the first node identifier and the key characteristic information, wherein the second protocol is used for processing the message according to the role type of the end node and the message type corresponding to the received message, and the first message type is used for identifying a sender of a quantum key distribution request to initiate the quantum key distribution request;
transmitting the first message to the second end node through a first protocol, wherein the first protocol is used for determining the transmission path of the message in the quantum key distribution process of the quantum key distribution network;
and when a third message of the second message type, sent by the second end node in response to the first message, is received, acquiring a target key shared with the second end node through a third protocol, wherein the target key is used for mutual communication between the first end node and the second end node, the third protocol is used for carrying out key distribution using quantum bits as the information carrier, and the second message type is used for identifying a resource reservation request initiated by the receiver of a quantum key distribution request.
According to a third aspect of the present disclosure, there is provided a quantum key distribution method applied to a second end node of a quantum key distribution network, comprising:
receiving a first message sent by a first end node through a first protocol, wherein the first message is generated by the first end node through a fourth protocol and a second protocol, the first protocol is used for determining a sending path of the message in a quantum key distribution process of the quantum key distribution network, the second protocol is used for processing the message according to a role type of the end node and a message type corresponding to the received message, the fourth protocol is used for initiating a quantum key distribution request, and the first message comprises a first request identifier of the quantum key distribution request initiated by the first end node, a first distribution path, a first node identifier of the second end node and key characteristic information;
generating a third message of the second message type through the first protocol, the second protocol and the fourth protocol based on the first request identifier, the first distribution path, the first node identifier and the key characteristic information, wherein the second message type is used for identifying a resource reservation request initiated by the receiver of a quantum key distribution request;
and returning the third message to the first end node through the first protocol, and acquiring a target key shared with the first end node through a third protocol, wherein the target key is used for mutual communication between the first end node and the second end node, and the third protocol is used for carrying out key distribution using quantum bits as the information carrier.
According to a fourth aspect of the present disclosure, there is provided a quantum key distribution apparatus, applied to a relay node of a quantum key distribution network, comprising:
the first receiving module is used for receiving a first message sent by a first end node through a first protocol, wherein the first message comprises a first request identifier of a quantum key distribution request initiated by the first end node, a first distribution path, a first node identifier of a second end node and key characteristic information, and the first protocol is used for determining a transmission path of the message in the quantum key distribution process of the quantum key distribution network;
a first generating module, configured to generate, through a second protocol and based on the first request identifier, the first distribution path, the first node identifier and the key characteristic information, a second message of the first message type when the number of resources required by the quantum key distribution request corresponding to the first request identifier does not exceed the processing capacity of the relay node, wherein the second protocol is used for scheduling the received quantum key distribution request, and the first message type is used for identifying that the sender of the quantum key distribution request initiates the quantum key distribution request;
a first sending module, configured to send the second message to the second end node through the first protocol;
a first obtaining module, configured to obtain, when a third message of the second message type sent by the second end node in response to the second message is received, a first key between the relay node and each of its two adjacent nodes through the second protocol and/or a third protocol, based on the types of the two adjacent nodes and the key characteristic information, wherein the second message type is used for identifying a resource reservation request initiated by the receiver of a quantum key distribution request, and the third protocol is used for carrying out key distribution using quantum bits as the information carrier;
and a second sending module, configured to send a key ciphertext generated from the first key to a target end node through the first protocol, wherein the target end node is the first end node or the second end node, the key ciphertext is used for determining a target key shared by the first end node and the second end node, and the target key is used for mutual communication between the first end node and the second end node.
According to a fifth aspect of the present disclosure there is provided a quantum key distribution device for use in a first end node of a quantum key distribution network, comprising:
a seventh generating module, configured to generate a fifteenth message through a fourth protocol, wherein the fourth protocol is used for initiating a quantum key distribution request, and the fifteenth message comprises a first request identifier of the quantum key distribution request initiated by the first end node, a first distribution path, a first node identifier of the second end node, and key characteristic information;
an eighth generating module, configured to generate, through a second protocol and based on the first request identifier, the first distribution path, the first node identifier and the key characteristic information, a first message of the first message type, wherein the second protocol is used for processing the message according to the role type of the end node and the message type of the received message, and the first message type is used for identifying that the sender of a quantum key distribution request initiates the quantum key distribution request;
an eighth sending module, configured to send the first message to the second end node through a first protocol, wherein the first protocol is used for determining the transmission path of the message in the quantum key distribution process of the quantum key distribution network;
and a second acquisition module, configured to acquire, when a third message of the second message type sent by the second end node in response to the first message is received, a target key shared with the second end node through a third protocol, wherein the target key is used for mutual communication between the first end node and the second end node, the third protocol is used for carrying out key distribution using quantum bits as the information carrier, and the second message type is used for identifying a resource reservation request initiated by the receiver of a quantum key distribution request.
According to a sixth aspect of the present disclosure there is provided a quantum key distribution device for use in a second end node of a quantum key distribution network, comprising:
a fourth receiving module, configured to receive a first message sent by a first end node through a first protocol, wherein the first message is generated by the first end node through a fourth protocol and a second protocol, the first protocol is used for determining the transmission path of the message in the quantum key distribution process of the quantum key distribution network, the second protocol is used for processing the message according to the role type of the end node and the message type of the received message, the fourth protocol is used for initiating a quantum key distribution request, and the first message comprises a first request identifier of the quantum key distribution request initiated by the first end node, a first distribution path, a first node identifier of the second end node, and key characteristic information;
a ninth generating module, configured to generate, through the first protocol, the second protocol and the fourth protocol and based on the first request identifier, the first distribution path, the first node identifier and the key characteristic information, a third message of the second message type, wherein the second message type is used for identifying a resource reservation request initiated by the receiver of a quantum key distribution request;
a ninth sending module, configured to send the third message to the first end node through the first protocol;
and a third acquisition module, configured to acquire a target key shared with the first end node through a third protocol, wherein the target key is used for mutual communication between the first end node and the second end node, and the third protocol is used for carrying out key distribution using quantum bits as the information carrier.
According to a seventh aspect of the present disclosure, there is provided an electronic device comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform any one of the methods of the first aspect, or to perform any one of the methods of the second aspect, or to perform any one of the methods of the third aspect.
According to an eighth aspect of the present disclosure, there is provided a non-transitory computer-readable storage medium storing computer instructions for causing a computer to perform any of the methods of the first aspect, or to perform any of the methods of the second aspect, or to perform any of the methods of the third aspect.
According to a ninth aspect of the present disclosure, there is provided a computer program product comprising a computer program which, when executed by a processor, implements any of the methods of the first aspect, or performs any of the methods of the second aspect, or performs any of the methods of the third aspect.
According to the technology disclosed by the invention, the problem of relatively poor request scheduling performance of the quantum key distribution network is solved, and the scheduling performance of the quantum key distribution network on the quantum key distribution request can be improved.
It should be understood that the description in this section is not intended to identify key or critical features of the embodiments of the disclosure, nor is it intended to be used to limit the scope of the disclosure. Other features of the present disclosure will become apparent from the following specification.
Drawings
The drawings are for a better understanding of the present solution and are not to be construed as limiting the present disclosure. Wherein:
Fig. 1 is a flow diagram of a quantum key distribution method according to a first embodiment of the present disclosure;
Fig. 2 is a schematic diagram of the protocol stack in the network architecture of a quantum key distribution network system;
Fig. 3 is a process flow diagram in which an end-to-end quantum key distribution request is rejected because it cannot join the request queue;
Fig. 4 is a process flow diagram in which an end-to-end quantum key distribution request is rejected because it exceeds the processing capacity of relay node R1;
Fig. 5 is a flow diagram of a quantum key distribution method in a specific example provided by the present disclosure;
Fig. 6 is a flow diagram of a quantum key distribution method according to a second embodiment of the present disclosure;
Fig. 7 is a flow diagram of a quantum key distribution method according to a third embodiment of the present disclosure;
Fig. 8 is a schematic structural view of a quantum key distribution device according to a fourth embodiment of the present disclosure;
Fig. 9 is a schematic structural view of a quantum key distribution device according to a fifth embodiment of the present disclosure;
Fig. 10 is a schematic structural view of a quantum key distribution device according to a sixth embodiment of the present disclosure;
Fig. 11 is a schematic block diagram of an example electronic device used to implement embodiments of the present disclosure.
Detailed Description
Exemplary embodiments of the present disclosure are described below in conjunction with the accompanying drawings, which include various details of the embodiments of the present disclosure to facilitate understanding, and should be considered as merely exemplary. Accordingly, one of ordinary skill in the art will recognize that various changes and modifications of the embodiments described herein can be made without departing from the scope and spirit of the present disclosure. Also, descriptions of well-known functions and constructions are omitted in the following description for clarity and conciseness.
First embodiment
Quantum key distribution provides a secure method of distributing keys between two communicating parties, whose security is guaranteed by the principles of quantum mechanics. By the no-cloning theorem, an unknown quantum state cannot be perfectly copied, which prevents an eavesdropper from duplicating the transmitted information. At the same time, any eavesdropping during quantum key distribution changes the transmitted quantum state and raises the error rate, so that the communicating parties can detect the presence of an eavesdropper.
As shown in fig. 1, the present disclosure provides a quantum key distribution method applied to a relay node of a quantum key distribution network, including the steps of:
Step S101: receiving a first message sent by a first end node through a first protocol, wherein the first message comprises a first request identifier of a quantum key distribution request initiated by the first end node, a first distribution path, a first node identifier of a second end node and key characteristic information, and the first protocol is used for determining a transmission path of the message in a quantum key distribution process of the quantum key distribution network;
step S102: generating a second message with a message type of a first message type through a second protocol based on the first request identifier, the first distribution path, the first node identifier and the key characteristic information under the condition that the number of resources required by the quantum key distribution request corresponding to the first request identifier is not more than the processing capacity of the relay node, and sending the second message to the second end node through the first protocol, wherein the second protocol is used for scheduling the received quantum key distribution request, and the first message type is used for identifying a sender of the quantum key distribution request to initiate the quantum key distribution request;
step S103: when a third message of the second message type, sent by the second end node in response to the second message, is received, acquiring a first key between the relay node and each of its two adjacent nodes through the second protocol and/or a third protocol, based on the types of the two adjacent nodes and the key characteristic information, wherein the second message type is used for identifying a resource reservation request initiated by the receiver of a quantum key distribution request, and the third protocol is used for carrying out key distribution using quantum bits as the information carrier;
step S104: transmitting a key ciphertext generated from the first key to a target end node through the first protocol, wherein the target end node is the first end node or the second end node, the key ciphertext is used for determining a target key shared by the first end node and the second end node, and the target key is used for mutual communication between the first end node and the second end node.
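The relay-node procedure of steps S101 to S104 can be followed in a small stand-alone simulation. The code below is an added example, not the patent's own implementation. It assumes a resource cost of one unit per requested key bit, uses random bytes in place of the keys the link-layer protocol (e.g. BB84) would produce, and combines a relay's two link keys by XOR to form the key ciphertext (the page only says the ciphertext is generated from the first key, so the operation is an assumption). It generalises slightly beyond the single-relay description: the second end node XORs the ciphertexts of every relay on the path into its own last-hop key and is left with the first-hop key, and the direct-channel case with no relay is handled too.

```python
"""Relay-node flow of steps S101-S104 as a stand-alone simulation (added
example, not the patent's code). Link keys are random bytes standing in for
the output of the link-layer protocol (e.g. BB84); XOR combining and the
one-resource-per-key-bit cost model are assumptions."""
import os
from dataclasses import dataclass, field

REQUEST = "REQUEST"    # first message type (named on the page)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def required_resources(data: dict) -> int:
    # Cost model (assumption): one resource unit per requested key bit.
    return data["key_count"] * data["key_length"]


@dataclass
class Node:
    node_id: str
    capacity: int = 0                                  # used by relays only
    link_keys: dict = field(default_factory=dict)      # neighbour id -> key


def establish_link_key(a: Node, b: Node, key_len: int) -> None:
    """Third-protocol stand-in: both neighbours end up holding the same key."""
    if b.node_id not in a.link_keys:
        k = os.urandom(key_len)
        a.link_keys[b.node_id] = k
        b.link_keys[a.node_id] = k


def relay_admits(relay: Node, data: dict) -> bool:
    """Step S102: forward only if the request fits the relay's capacity."""
    return required_resources(data) <= relay.capacity


def relay_key_ciphertext(relay: Node, upstream: str, downstream: str) -> bytes:
    """Step S104: the key ciphertext a relay sends toward the target end node."""
    return xor(relay.link_keys[upstream], relay.link_keys[downstream])


def run_distribution(nodes: dict, path: list, key_count: int, key_length: int):
    """Drive one request along path = [first end node, relays..., second end
    node]. Returns (key held by the first end node, key recovered by the
    second end node), or None when a relay rejects the request."""
    data = {"type": REQUEST, "request_id": "req-1", "path": path,
            "key_count": key_count, "key_length": key_length}
    relays = path[1:-1]
    # S101/S102: the REQUEST travels hop by hop; every relay admission-checks it.
    for r in relays:
        if not relay_admits(nodes[r], data):
            return None                                  # rejected (Fig. 4)
    key_len = key_length // 8
    if not relays:                        # direct channel between the end nodes
        establish_link_key(nodes[path[0]], nodes[path[1]], key_len)
        return (nodes[path[0]].link_keys[path[1]],
                nodes[path[1]].link_keys[path[0]])
    # S103: the reservation reply has arrived; each relay now holds a key
    # with both of its neighbours on the path.
    for i in range(1, len(path) - 1):
        establish_link_key(nodes[path[i - 1]], nodes[path[i]], key_len)
        establish_link_key(nodes[path[i]], nodes[path[i + 1]], key_len)
    # S104: every relay sends its ciphertext to the second end node, which
    # XORs them into its own last-hop key; the result is the first-hop key.
    target = nodes[path[-1]]
    recovered = target.link_keys[path[-2]]
    for i in range(1, len(path) - 1):
        c = relay_key_ciphertext(nodes[path[i]], path[i - 1], path[i + 1])
        recovered = xor(recovered, c)
    return nodes[path[0]].link_keys[path[1]], recovered


if __name__ == "__main__":
    net = {n: Node(n, capacity=4096) for n in ("A", "R1", "R2", "B")}
    a_key, b_key = run_distribution(net, ["A", "R1", "R2", "B"], 2, 256)
    print(a_key == b_key, a_key.hex())
```

Two properties of this arrangement are worth keeping in mind when reviewing a deployment: the admission check is what protects a relay from being overloaded by requests it cannot serve, and every relay holds both link keys, so it can compute the end-to-end key itself. The end nodes therefore rely on each relay being trustworthy and on the key ciphertexts being authenticated in transit.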
In this embodiment, the quantum key distribution method relates to the technical field of quantum computing, in particular to the technical field of quantum communication, and can be widely applied to a key-based communication scene. The quantum key distribution method of the embodiments of the present disclosure may be performed by the quantum key distribution apparatus of the embodiments of the present disclosure. The quantum key distribution apparatus of the embodiments of the present disclosure may be configured in any electronic device to perform the quantum key distribution method of the embodiments of the present disclosure. The electronic device may be a device corresponding to a relay node of a quantum key distribution network.
The quantum key distribution method of the embodiment is applied to a quantum key distribution network, and the quantum key distribution network may include a first end node, a second end node and a relay node, where the first end node may be an initiating node of a quantum key distribution request, and the second end node may be a node in end-to-end communication with the first end node.
The first end node and the second end node are collectively called the end nodes of the quantum key distribution network, which may contain many end nodes and many relay nodes. When two end nodes in the network want to communicate, they must use quantum key distribution to share a session key securely so that the communication data can be encrypted for transmission, and many such requests arise in the network over a given period.
When a quantum network processes a request, it must consider not only performance indicators familiar from classical networks, such as bandwidth, latency and packet loss rate, but also factors specific to quantum communication, such as fidelity, success probability and decoherence. Structures and designs from classical networks therefore often cannot be applied directly to quantum networks.
In addition, industry research on quantum network architecture is still at an early stage: researchers have proposed many different network architectures and designs, but there is no unified architecture standard. Moreover, current research on quantum key distribution in quantum networks mostly studies only the network's response flow to a single request and the corresponding performance parameters; the response process when the network receives many quantum key distribution requests, and the performance parameters of the different nodes while responding to them, are seldom analysed from the perspective of the whole network.
The purpose of this embodiment is to schedule and execute quantum key distribution requests through the design of the quantum key distribution network, so that the network can schedule multi-user requests, ensure best-effort delivery of requests and efficient use of network performance, establish end-to-end keys for different end nodes efficiently and securely, and improve the security of communication between end nodes.
Quantum key distribution (QKD) exploits quantum-mechanical properties to secure communications: it enables the two communicating parties to generate and share a random, secure key with which to encrypt and decrypt messages.
In the network architecture of the quantum key distribution network, the protocol stack carried by a relay node may have three layers, namely a scheduling layer, a network layer and a link layer from top to bottom; each relay node is loaded with a protocol stack containing these three layers of protocols.
As shown in Fig. 2, in the relay node the transmission path of a message may be determined by a first protocol of the network layer, such as the QKDRouting protocol; specifically, the adjacent downstream node on the transmission path may be determined.
A second protocol of the scheduling layer, such as the QKDRMP protocol, may evaluate and schedule the received quantum key distribution requests, so that the network can process requests from multiple users and scheduling and response to multiple requests are realised at the level of the whole network, thereby ensuring normal operation of the network and normal delivery of the requests.
Through a third protocol of the link layer, such as a key generation protocol (e.g. the BB84 protocol), keys may be established with neighbouring nodes, so that different end nodes can obtain shared keys for mutual communication.
Correspondingly, the protocol stack carried by an end node may have four layers, namely an application layer, a scheduling layer, a network layer and a link layer from top to bottom; each end node is loaded with a protocol stack containing these four layers of protocols.
As shown in Fig. 2, in the end node a quantum key distribution request may be initiated or processed by a fourth protocol of the application layer (at the top of the protocol stack), such as the QKDApp protocol.
Through a second protocol of the scheduling layer (the third layer of the protocol stack), such as the QKDRMP protocol, the request information is passed to the lower or upper layer protocol, depending on whether the end node is the initiator or the receiver of the request.
The transmission path of the message may be determined by a first protocol of the network layer (the second layer of the protocol stack), such as the QKDRouting protocol; specifically, the adjacent downstream node on the transmission path may be determined.
Through a third protocol of the link layer (the first layer of the protocol stack), such as a key generation protocol (e.g. the BB84 protocol), a key may be established with the neighbouring nodes, so that different end nodes can obtain a shared key for mutual communication.
It should be noted that the network architecture of the quantum key distribution network system is independent of the specific protocol used at each layer. For example, in the QKDRouting protocol the routing table may be generated by configuring static routes or by a dynamic routing algorithm; in the key generation protocol any quantum key distribution protocol such as BB84 or B92 may be used, and different key distribution protocols may even be selected between different pairs of adjacent nodes according to need or the constraints of the experimental devices.
In addition, in the network architecture of the quantum key distribution network, a message structure for the QKDRMPMessage message is designed for the QKDRMP protocol of the second layer of the protocol stack, as shown in Table 1 below, to control the operation of the scheduling layer for different types of messages during quantum key distribution. The message structure of the QKDRMPMessage message mainly comprises four parts: source node, destination node, message processing protocol and data content.
Table 1. Message structure of the QKDRMPMessage message
The source node is the sender of the message and the destination node is its receiver; the message type may be set in the data content to indicate different kinds of messages and trigger the corresponding processing actions. Table 2 gives an example of the message types involved in QKDRMPMessage messages during quantum key distribution; they are described in detail below when the quantum key distribution process is described.
Table 2. Message types involved in QKDRMPMessage messages during quantum key distribution
Likewise, the QKDRouting protocol, located below QKDRMP in the protocol stack, uses the same message structure and similar message types, so that it can interact with QKDRMP and the request can be processed step by step.
In the network architecture of the quantum key distribution network system, a message structure for the QKDRoutingMessage message is designed for the QKDRouting protocol of the second layer of the protocol stack; it is the same as that of the QKDRMPMessage message, as shown in Table 3 below.
Table 3. Message structure of the QKDRoutingMessage message
Table 4 gives an example of the message types involved in QKDRoutingMessage messages during quantum key distribution; they are described in detail below when the quantum key distribution process is described.
Table 4. Message types involved in QKDRoutingMessage messages during quantum key distribution
Before step S101, if the first end node needs to establish a key with the second end node, a quantum key distribution request may be initiated, and the qkvapp protocol in the own protocol stack generates a qkdrmpressage message (i.e., a fifteenth message) with a message type of the seventh message type PATH according to the corresponding message, as shown in table 5. The data may include information such as a path of the request (first distribution path), a number of keys, a key length (key feature information), a request id (first request identifier, unique identifier for distinguishing different requests), and a first node identifier of the second end node.
Table 5 structural table of fifteenth message
After that, the message is transferred to the QKDRMP protocol of the lower layer for processing, and after the QKDRMP protocol of the first end node determines that the message type is PATH, a qkdmssage message (i.e. the first message) with the message type being the first message type REQUEST is generated according to the data of the PATH message, as shown in table 6, and transferred to the qkdtRouting protocol of the lower layer.
TABLE 6 Structure Table of first message
The qkrerouting protocol in the first end node determines that the message type is a REQUEST, determines whether a direct channel exists between the first end node and the second end node, if so, transmits the REQUEST message through the direct channel, otherwise, transmits the REQUEST message (first message) through the relay node.
The first message may include a first request identifier of a quantum key distribution request initiated by the first end node, a first distribution path, a first node identifier of the second end node, and key feature information.
Accordingly, when the quantum key distribution request initiated by the first end node has to pass through a relay node to reach the second end node, in step S101 the relay node receives the first message sent by the first end node through the first protocol (i.e. the QKDRouting protocol).
In step S102, after receiving the REQUEST message, the relay node appends itself to the path information of the REQUEST message (i.e. updates the first distribution path) and determines whether the resources required by the quantum key distribution request corresponding to the first request identifier exceed its processing capability, e.g. whether the amount of key material implied by the key feature information and the resources needed to process the request exceed what the relay node can provide.
In an alternative embodiment, the message is unpacked by the QKDRouting protocol, and a QKDRMPMessage message of type PATH generated from its data is delivered to the upper layer of the protocol stack.
After receiving the PATH message, the QKDRMP protocol of the upper layer evaluates the quantum key distribution request it represents. For example, if the resources corresponding to the requested key feature information do not exceed the processing capability of the relay node, the QKDRMP protocol generates, based on the first request identifier, the first distribution path, the first node identifier and the key feature information, a QKDMessage message (i.e. a second message whose message type is the first message type REQUEST) with the same content as the previously received REQUEST message (i.e. the first message), and passes it to the lower layer of the protocol stack.
Here, "the resources corresponding to the requested key feature information do not exceed the processing capability of the relay node" may mean that they do not exceed the maximum capacity of a key pool pre-built by the relay node; the key pool stores keys generated in advance by the relay node through the key generation protocol.
Correspondingly, when it determines that the message type is the first message type REQUEST, the lower-layer QKDRouting protocol forwards the message to the next-hop node on the path according to the routing table stored at the node, so that the second message is sent on toward the second end node.
In this way the REQUEST message is forwarded hop by hop through the relay nodes between the first end node and the second end node until it reaches the second end node.
After receiving the REQUEST message, the second end node appends itself to the path information of the message (i.e. updates the first distribution path); its QKDRouting protocol generates a corresponding QKDRMPMessage message of type PATH from the information in the REQUEST message and passes it to the upper layer of the protocol stack.
The QKDRMP protocol passes the PATH message further up the protocol stack. After the QKDApp protocol receives the PATH message, it generates a QKDRMPMessage message (shown in Table 7) whose message type is the third message type RESV, based on the first request identifier, the first distribution path, the first node identifier and the key feature information in the PATH message, and passes it down the protocol stack.
Table 7 Structure of the RESV message
After the QKDRMP below it receives the RESV message, it generates a QKDMessage message (i.e. a third message) whose message type is the second message type ACCEPT from the requested data, as shown in Table 8, and passes it further down the protocol stack.
Table 8 Structure of the third message (ACCEPT)
When the QKDRouting protocol below it receives the ACCEPT message, it forwards the ACCEPT message to the previous-hop node of the second end node according to the path information in the message; at the same time it starts the local key generation protocol and waits to begin key distribution with the upstream node.
Accordingly, in step S103 the relay node receives, through the first protocol, the third message (the ACCEPT message) that the second end node returns in response to the second message (the REQUEST message).
Then, based on the types of the two nodes adjacent to the relay node and the key feature information, the first keys between the relay node and each of the two nodes are obtained through the second protocol and/or the third protocol.
After receiving the ACCEPT message, the relay node first determines, through the QKDRouting protocol, the types of its adjacent upstream and downstream nodes. If either adjacent node is an end node, the key with that node is built through the third protocol, namely the key generation protocol, so as to obtain the first key between the relay node and that adjacent node.
If one of the two adjacent nodes is another relay node, the relay node generates a corresponding RESV message through the QKDRouting protocol and passes it to the upper layer of the protocol stack. Correspondingly, based on the RESV message the relay node schedules, through the QKDRMP protocol, the quantum key distribution requests of the end nodes and relay nodes and performs the corresponding resource management.
When the QKDRMP schedules the quantum key distribution request corresponding to the first request identifier, the QKDRouting protocol below it receives the scheduling message and obtains the first keys between the relay node and its two adjacent nodes according to the key feature information.
In step S104, once the two first keys have been obtained, they are XORed to produce the key ciphertext, which is sent to the target end node through the QKDRouting protocol.
In an alternative embodiment the key transfer direction is from the first end node to the second end node; the key ciphertext is then sent to the second end node through the QKDRouting protocol, and the second end node completes the key exchange operation to obtain the target key.
In another alternative embodiment the key transfer direction is from the second end node to the first end node; the key ciphertext is then sent to the first end node through the QKDRouting protocol, and the first end node completes the key exchange operation to obtain the target key.
The key exchange operation is to XOR the key that the end node established with its adjacent relay node with the received key ciphertext, which yields the key shared with the other end node.
In this embodiment, the QKDRMP protocol designed on the relay nodes of the quantum key distribution network schedules and executes the quantum key distribution requests initiated by end nodes. Multi-user requests can therefore be scheduled and processed across the network, best-effort delivery of requests and efficient use of network capacity are ensured, end-to-end keys are established efficiently and safely for different end nodes, and the communication security between end nodes is improved.
The QKDRMP protocol of each relay node can schedule requests according to parameters such as their arrival time and the number of resources they require, so that multiple requests are scheduled and answered at the level of the whole network and normal operation of the network and normal delivery of requests are ensured.
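The REQUEST / key-ciphertext flow described above, as an added example that is not code from the patent: it models the QKDMessage structure (source node, destination node, processing protocol, data content), step S102 at a relay (append itself to the path, compare the requested key material with the key pool capacity), the XOR key ciphertext of step S104 and the end node's key exchange. The names (QKDMessage fields, relay_handle_request, run_distribution, the unit key_count * key_length bytes for "resources") are assumptions, and link keys are constructed with secrets.token_bytes in place of the key generation protocol and key pool. The example goes beyond the single relay of the text: with several relays the receiving end node XORs its own link key with the ciphertext of every relay on the path, which telescopes to the first end node's link key. Note also what the XOR does and does not protect: the ciphertext alone reveals nothing about either link key to a third party on the classical channel, but each relay holds both of its link keys and therefore knows the delivered end-to-end key, so the relays must be trusted.

```python
import secrets
from dataclasses import dataclass


@dataclass
class QKDMessage:
    """QKDRouting-layer message: source node, destination node, handling protocol, data content."""
    source: str
    destination: str
    protocol: str
    data: dict


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """One-time-pad combination of two equal-length keys."""
    if len(a) != len(b):
        raise ValueError("key lengths differ")
    return bytes(x ^ y for x, y in zip(a, b))


def make_request(first: str, second: str, request_id: int,
                 key_count: int, key_length: int) -> QKDMessage:
    """First message (REQUEST) as built by the first end node; the path starts with the sender."""
    return QKDMessage(first, second, "QKDRouting", {
        "type": "REQUEST", "request_id": request_id, "path": [first],
        "key_count": key_count, "key_length": key_length})


def relay_handle_request(msg: QKDMessage, relay: str, pool_capacity: int):
    """Step S102 at a relay: append itself to the path and compare the requested key
    material (key_count * key_length bytes, an assumed unit) with the capacity of its
    key pool. Returns the second message (same content, updated path) or None when the
    request exceeds the relay's processing capability."""
    needed = msg.data["key_count"] * msg.data["key_length"]
    if needed > pool_capacity:
        return None
    data = dict(msg.data, path=msg.data["path"] + [relay])
    return QKDMessage(msg.source, msg.destination, "QKDRouting", data)


def relay_ciphertext(key_upstream: bytes, key_downstream: bytes) -> bytes:
    """Step S104: the key ciphertext is the XOR of the relay's two first keys."""
    return xor_bytes(key_upstream, key_downstream)


def end_node_exchange(link_key: bytes, ciphertexts: list) -> bytes:
    """Key exchange at the receiving end node: XOR its own link key with the ciphertext
    of every relay on the path (one relay in the patent text; generalised here)."""
    key = link_key
    for ct in ciphertexts:
        key = xor_bytes(key, ct)
    return key


def run_distribution(path: list, key_length: int):
    """Simulate delivery of one key of key_length bytes from path[0] to path[-1].
    Link keys are constructed with secrets.token_bytes in place of the key generation
    protocol (end-node links) and the key pool (relay-relay links)."""
    link_keys = {(path[i], path[i + 1]): secrets.token_bytes(key_length)
                 for i in range(len(path) - 1)}
    ciphertexts = []
    for i in range(1, len(path) - 1):               # every relay on the path
        up = link_keys[(path[i - 1], path[i])]
        down = link_keys[(path[i], path[i + 1])]
        ciphertexts.append(QKDMessage(path[i], path[-1], "QKDRouting", {
            "type": "CIPHERTEXT", "path": path,
            "ciphertext": relay_ciphertext(up, down)}))
    key_at_first = link_keys[(path[0], path[1])]
    key_at_second = end_node_exchange(
        link_keys[(path[-2], path[-1])],
        [m.data["ciphertext"] for m in ciphertexts])
    return key_at_first, key_at_second, link_keys, ciphertexts
```

With the direction first end node to second end node, the delivered target key is the first end node's link key with its neighbouring relay; a direct channel (path of two nodes) produces no ciphertext and the link key itself is the target key.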
Optionally, the step S103 specifically includes at least one of the following:
acquiring a first key matched with the key characteristic information from a target key pool in N key pools of the relay node which are constructed in advance through the second protocol under the condition that the types of the two nodes comprise a first type, wherein the target key pool is a key pool corresponding to an adjacent relay node of the relay node under the first distribution path, the first type indicates that the node is a relay node, and N is a positive integer;
and, in the case that the types of the two nodes include a second type, establishing a first key with the adjacent end node of the relay node on the first distribution path through the third protocol, wherein the second type indicates that the node is an end node. In the key generation protocol either the upstream node may be chosen as the sender of the quantum information and the downstream node as the receiver, or vice versa. Without loss of generality, the description below takes the upstream node as the sender of the quantum information and the downstream node as the receiver when key distribution starts.
In this embodiment, the structure that stores keys at each relay node of the quantum key distribution network is called a key pool. A key pool stores, as classical information, the keys generated between two adjacent relay nodes; a relay node has several key pools, and the keys stored in different key pools serve requests that pass through different links.
The key pool is an important structure for managing resources: it interacts with the QKDRMP protocol and the QKDRouting protocol of the relay node and delivers keys to requests. End nodes have no key pool; a key between an end node and a relay node has to be established in real time.
That is, when the types of the two adjacent nodes include the first type, i.e. when one of the two adjacent nodes is a relay node, the relay node generates a corresponding RESV message through the QKDRouting protocol and passes it to the upper layer of the protocol stack. Correspondingly, based on the RESV message the relay node schedules, through the QKDRMP protocol, the quantum key distribution requests of the end nodes and relay nodes and performs the corresponding resource management.
When the QKDRMP schedules the quantum key distribution request corresponding to the first request identifier, the QKDRouting protocol below it receives the scheduling message and, through the QKDRouting protocol, obtains the first key matching the key feature information from the target key pool among the N pre-built key pools of the relay node. The target key pool is the one corresponding to the relay node adjacent to this relay node on the first distribution path, i.e. the key pool of the adjacent relay-node link.
Therefore, the management and distribution of network resources can be realized through the key pool structure and the QKDRMP protocol, the speed of the quantum key distribution network for delivering the key to the request can be improved, the best effort delivery of the request is ensured, and the performance parameters of different nodes in the network when responding to a plurality of requests are improved.
When the types of the two adjacent nodes include the second type, i.e. when one of the two adjacent nodes is an end node, the relay node can immediately start establishing the first key with that end node through the third protocol, i.e. the key generation protocol.
Therefore, the relay node can adopt different operations according to the types of two adjacent nodes of the relay node, so that the acquisition of the first secret key between the relay node and the two nodes respectively is realized, and the normal work of the network for secret key distribution is ensured.
Optionally, obtaining, through the second protocol, the first key matching the key feature information from the target key pool among the N pre-built key pools of the relay node includes:
generating a fourth message with a third message type by the first protocol, wherein the third message type is used for identifying a resource reservation request initiated by a receiver of a quantum key distribution request, and the fourth message carries the key characteristic information and the first request identifier;
when the number of the requests in the pre-built request queue is determined to be smaller than a first preset threshold value through the second protocol, adding the fourth message into the request queue;
and, when the fourth message corresponding to the first request identifier is obtained from the request queue, obtaining the first key matching the key feature information from the target key pool.
In this embodiment, if at least one of the nodes adjacent to the relay node is itself a relay node, the QKDRouting protocol generates a RESV message (i.e. a fourth message) whose message type is the third message type and passes it to the upper layer of the protocol stack.
When the QKDRMP receives the RESV message, it determines whether the number of requests in the pre-built request queue has reached the first preset threshold, and if not, adds the RESV message to the request queue (i.e. adds the request corresponding to the fourth message to the request queue). The first preset threshold may be set according to the actual situation and is not limited here.
The present embodiment designs a request queue structure to receive, schedule and process requests. When a relay node receives a request, the QKDRouting protocol judges whether the request needs the assistance of a key pool: if so, the request is passed to the upper layer of the protocol stack; if not, the key generation protocol at the lower layer is notified to start establishing a key. After receiving the request, the upper-layer QKDRMP protocol adds it (e.g. the request's RESV message) to the request queue. Thus, when the relay node receives a RESV message it is added to the request queue to wait for scheduling, and the fixed capacity of the request queue also limits the load on the relay node.
The QKDRMP protocol of each relay node may schedule requests according to parameters such as their arrival time and the number of resources they need. The request queue determines the execution order of requests following first-in-first-out or another scheduling principle and monitors in real time whether the relay node is able to process a request. If the relay node is idle, a request is popped from the queue for processing. After each request has been processed, the relay node notifies the request queue to pop the next one.
When the request queue pops a request, for example the request corresponding to the first request identifier, the relay node has obtained the fourth message corresponding to the first request identifier from the request queue. Correspondingly, the relay node can obtain the first key matching the key feature information from the target key pool.
Therefore, by designing a network structure for carrying out resource management and request scheduling on the quantum key distribution network, namely by designing a QKDRMP protocol and a request queue, the relay node can realize quantity evaluation and ordered scheduling processing on quantum key distribution requests by combining the QKDRMP protocol and the request queue, thereby being beneficial to efficiently playing the performance of the network and ensuring the quality of user service, and having important theoretical and practical significance.
Optionally, the method further comprises:
generating, through the second protocol, two fifth messages whose message type is a fourth message type, when it is determined through the second protocol that the number of requests in the request queue is greater than or equal to the first preset threshold, wherein the fourth message type identifies that the resource reservation request has been refused by the relay node, each fifth message carries an error type field, and the error type field indicates the sending direction of the message;
and transmitting each fifth message, through the first protocol and based on the value of its error type field, to the corresponding end node of the first request identifier in the quantum key distribution network.
In this embodiment, if after receiving the request the upper-layer QKDRMP protocol determines that the request queue is full (i.e. the number of requests in the request queue is greater than or equal to the first preset threshold), it considers the relay node busy and unable to process the request at this time; adding the fourth message to the request queue therefore fails, the relay node refuses the quantum key distribution request corresponding to the fourth message, generates the corresponding refusal messages and calls the QKDRouting protocol to send them in the upstream and downstream directions.
At this time two QKDMessage messages (i.e. fifth messages) whose message type is the fourth message type REJECT are generated through the QKDRMP protocol, as shown in Tables 9 and 10.
Table 9 Structure of one fifth message (REJECT)
Table 10 Structure of the other fifth message (REJECT)
The source node of both REJECT messages is the current relay node (take relay node R_p as an example), and their destination nodes are Alice and Bob respectively.
In addition, both fifth messages, i.e. both REJECT messages, carry an error type field, and the value of the error type field err_type in the data content is set to 2 and 3 respectively. The QKDRMP protocol passes the REJECT messages to the lower layer of the protocol stack.
After the QKDRouting protocol below the QKDRMP receives a message from the QKDRMP protocol, it acts according to the message type.
In one scenario, on receiving a REJECT message the QKDRouting protocol first examines the error type field err_type in its data content: if err_type = 2 and the destination node is Alice (i.e. the first end node), it forwards the REJECT message toward the first end node.
If err_type = 3 and the destination node is Bob (i.e. the second end node), the QKDRouting protocol forwards the REJECT message to the next-hop node so that it reaches the second end node. Correspondingly, when a downstream relay node receives this REJECT message, it generates, through the QKDRouting protocol, a QKDRMPMessage message of type REJECT from it and passes it to the upper layer of its protocol stack. On receiving the REJECT message, the upper-layer QKDRMP protocol uses the request id field in the message to check whether a RESV message for the same request is present in its own request queue: if so, it discards that RESV message; if not, the request has already been executed at the current relay node, so it records the key corresponding to the request as an invalid key (i.e. records the state of the key as invalid) and synchronizes the invalid-key information to the second end node Bob.
FIG. 3 shows the flow for rejecting an end-to-end quantum key distribution request when joining the request queue fails; it is the communication flow after the quantum key distribution request fails to join the request queue at relay node R_2. In FIG. 3, annotation 1 indicates that when the request fails to join the request queue at relay node R_2, the QKDRMP protocol of R_2 generates two REJECT messages and passes them down, and the QKDRouting protocol transmits them upstream and downstream respectively. Annotation 2 indicates that if the request is no longer present in the request queue of relay node R_3 at that time, meaning that it has already been scheduled and delivered there, R_3 records the key corresponding to the request as an invalid key.
Therefore, by designing the REJECT message to inform that the quantum key distribution request reaching the relay node is refused, the resources of the relay node can be effectively managed, the effective processing of the request is ensured, and the efficient processing of the request is ensured.
Optionally, the method further comprises:
under the condition that a sixth message with a fourth message type is received and the value of an error type field carried by the sixth message is a first target value, if a message corresponding to a second request identifier carried by the sixth message is queried in the request queue, deleting the message corresponding to the second request identifier in the request queue;
and, if no message corresponding to the second request identifier carried by the sixth message is found in the request queue, recording the key corresponding to the second request identifier as an invalid key.
In this embodiment, the relay node may send REJECT messages carrying the first request identifier when its own request queue is full, and other relay nodes may likewise send REJECT messages when their queues are full. When the relay node receives a REJECT message (i.e. a sixth message) carrying a second request identifier, it determines the value of the error type field carried by that message; if the value is the first target value (for example 3), the relay node generates, through the QKDRouting protocol, a QKDRMPMessage message of type REJECT from it and passes it to the upper layer of the protocol stack.
When receiving the REJECT message, the QKDRMP protocol of the upper layer uses the request id (namely the second request identifier) in the REJECT message to check whether the RESV message corresponding to the same request exists in the own request queue, if so, the RESV message is discarded, if not, the request is completely executed in the current relay node, the key corresponding to the request is recorded as an invalid key, and the information of the invalid key is synchronized to the second end node Bob. Therefore, the resources of the relay node can be effectively managed, and the normal work of the network and the normal and accurate delivery of other requests are ensured.
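The request-queue, REJECT and RESV-discard logic of the preceding passages, as an added example that is not the patent's own code: a relay with a fixed-capacity queue (the first preset threshold; the value 2 is assumed for the example) that enqueues a RESV and answers with ACCEPT('Forward') toward the first end node and CONF toward the second, or, when the queue is full, emits two REJECT messages with err_type 2 (toward Alice, previous hop) and 3 (toward Bob, next hop); a downstream relay receiving the err_type 3 REJECT drops its queued RESV if the request is still waiting and otherwise marks the already delivered key invalid. Messages are plain dicts with the patent's field names; RelayNode, next_hop, on_reject and the "valid"/"invalid" bookkeeping in key_state are hypothetical names for the behaviour the text describes.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class RelayNode:
    """QKDRMP request queue and QKDRouting direction logic of one relay node.
    `path` is the first distribution path, e.g. ["Alice", "R1", "R2", "R3", "Bob"];
    `threshold` is the first preset threshold (value assumed for the example)."""
    name: str
    path: list
    threshold: int = 2
    queue: deque = field(default_factory=deque)      # RESV messages awaiting scheduling
    key_state: dict = field(default_factory=dict)    # request_id -> "valid" / "invalid"

    def _neighbours(self):
        i = self.path.index(self.name)
        return self.path[i - 1], self.path[i + 1]

    def on_resv(self, resv: dict) -> list:
        """QKDRMP handling of a RESV (fourth message). Returns the QKDMessages passed
        down: ACCEPT('Forward') toward Alice and CONF toward Bob when the request joins
        the queue, otherwise the two REJECT (fifth) messages."""
        rid = resv["request_id"]
        alice, bob = self.path[0], self.path[-1]
        if len(self.queue) >= self.threshold:          # queue full: relay is busy
            return [
                {"type": "REJECT", "source": self.name, "destination": alice,
                 "request_id": rid, "err_type": 2},
                {"type": "REJECT", "source": self.name, "destination": bob,
                 "request_id": rid, "err_type": 3},
            ]
        self.queue.append(resv)
        return [
            {"type": "ACCEPT", "source": self.name, "destination": alice,
             "request_id": rid, "op_type": "Forward", "path": self.path},
            {"type": "CONF", "source": self.name, "destination": bob,
             "request_id": rid, "path": self.path},
        ]

    def next_hop(self, msg: dict) -> str:
        """QKDRouting direction choice: err_type 2 and ACCEPT('Forward') go to the
        previous hop, err_type 3 and CONF go to the next hop."""
        prev_hop, nxt = self._neighbours()
        kind = msg["type"]
        if kind == "REJECT":
            return prev_hop if msg["err_type"] == 2 else nxt
        if kind == "ACCEPT" and msg.get("op_type") == "Forward":
            return prev_hop
        if kind == "CONF":
            return nxt
        raise ValueError(f"{kind} is not forwarded hop by hop")

    def on_reject(self, msg: dict) -> str:
        """Handling of a sixth message at a downstream relay. Only err_type == 3 (the
        first target value) is inspected: drop the queued RESV for the same request id
        if present, otherwise the request was already executed here and its key is
        recorded as invalid."""
        if msg["type"] != "REJECT" or msg["err_type"] != 3:
            return "forwarded"
        rid = msg["request_id"]
        for queued in list(self.queue):
            if queued["request_id"] == rid:
                self.queue.remove(queued)
                return "discarded"
        self.key_state[rid] = "invalid"
        return "invalid"

    def schedule(self):
        """FIFO pop when the relay is idle: returns the ninth message (ACCEPT with
        op_type 'operation') that tells QKDRouting to fetch keys; marking the key
        'valid' at this point is assumed bookkeeping."""
        if not self.queue:
            return None
        resv = self.queue.popleft()
        self.key_state[resv["request_id"]] = "valid"
        return {"type": "ACCEPT", "source": self.name, "destination": self.name,
                "request_id": resv["request_id"], "op_type": "operation"}
```

The err_type value decides the direction, not the destination field alone: the same REJECT for one request is emitted twice, once per direction, and only the downstream copy (err_type 3) triggers the RESV-discard or invalid-key step at the relays it passes.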
Optionally, after adding the fourth message to the request queue, the method further includes:
generating a seventh message with a message type of the second message type through the second protocol, wherein the seventh message carries an operation type field and the first distribution path, and the operation type field is used for indicating an operation mode of the message;
and sending the seventh message to the first end node through the first protocol based on the first distribution path under the condition that the value of the operation type field is determined to be a second target value.
In this embodiment, if the fourth message is successfully added to the request queue, the QKDRMP protocol generates a QKDMessage message (i.e. a seventh message) whose message type is the second message type ACCEPT and passes it to the lower layer of the protocol stack. The ACCEPT message may include an operation type field and the first distribution path, and the operation type field may be set to 'Forward'.
After the QKDRouting protocol below the QKDRMP receives a message from the QKDRMP protocol, it acts according to the message type. If it receives an ACCEPT message whose operation type field has the second target value, e.g. 'Forward', the QKDRouting protocol forwards the ACCEPT message to the previous-hop node of the current node according to the path information in the message, so that it is delivered to the first end node, and then waits for the request queue to pop the request.
Thus, the resource reservation of the request can be realized, and the forwarding of the resource reservation message of the second end node to the first end node can be realized, so that the normal operation of the network is ensured.
Optionally, after adding the fourth message to the request queue, the method further includes:
generating an eighth message with a fifth message type by the second protocol, wherein the eighth message comprises the first distribution path and the first node identifier, and the fifth message type is used for identifying that the relay node successfully adds a resource reservation request into the request queue;
and transmitting the eighth message to the second end node through the first protocol based on the first distribution path and the first node identifier.
In this embodiment, if the fourth message is successfully added to the request queue, the QKDRMP protocol generates a QKDMessage message (i.e. an eighth message) whose message type is the fifth message type CONF, as shown in Table 11, as proof that the request has been successfully added to the request queue at the current relay node, and passes it to the lower layer of the protocol stack.
Table 11 Structure of the eighth message (CONF)
After the QKDRouting protocol below the QKDRMP receives a message from the QKDRMP protocol, it acts according to the message type. If it receives a CONF message, it forwards the CONF message to the next-hop node according to the destination node and path information in the message. Each downstream node forwards the CONF message directly after receiving it until it reaches the second end node Bob.
Thus, the CONF message is designed to serve as a feedback mechanism accepted by the quantum key distribution request, so that the normal operation of the network can be realized.
Optionally, obtaining the first key matching the key feature information from the target key pool when the fourth message corresponding to the first request identifier is obtained from the request queue includes:
generating a ninth message with a message type of the second message type by the second protocol based on the fourth message under the condition that the fourth message corresponding to the first request identifier is obtained from the request queue, wherein the ninth message carries an operation type field;
and under the condition that the value of the operation type field is determined to be a third target value, acquiring a first key matched with the key characteristic information from the target key pool through the first protocol.
In this embodiment, when the request queue pops a request, e.g. when the relay node obtains the fourth message corresponding to the first request identifier from the request queue, the relay node generates, through the QKDRMP protocol and from the popped RESV message, a QKDMessage message (i.e. a ninth message) whose message type is the second message type ACCEPT; the ACCEPT message may include an operation type field whose value is set to 'operation', and the message is passed to the lower layer of the protocol stack.
After the QKDRouting protocol below the QKDRMP receives this ACCEPT message, which indicates that the request has been scheduled, it confirms that the operation type field has the third target value, e.g. 'operation', and then acts according to the types of the two nodes adjacent to the relay node, obtaining through the first protocol the first key matching the key feature information from the target key pool.
Specifically, taking relay node R_p as an example, when both neighbours of R_p are relay nodes, the QKDRouting protocol takes the first keys between R_p and its upstream and downstream nodes out of the two corresponding target key pools.
If one neighbour of R_p is a relay node and the other an end node, the QKDRouting protocol takes the first key from the target key pool corresponding to the relay-node side, and on the other side establishes the first key with the end node by starting the key generation protocol.
Therefore, the quantum key distribution request can be scheduled through the request queue, and the key delivery of the relay node to the request can be realized through the key pool, so that the multi-user request can be scheduled for the quantum key distribution network, and the network resource can be effectively managed.
Optionally, after the first key matched with the key feature information is obtained from the target key pool through the first protocol, at least one of the following is further included:
under the condition that the types of the two nodes are the first type, performing exclusive OR operation on the two first keys respectively acquired from the target key pool to obtain the key ciphertext;
and if the relay node is inquired to finish key distribution with the two nodes respectively under the condition that the types of the two nodes are the first type and the second type, performing exclusive OR operation on a first key acquired from the target key pool and a first key established through the third protocol to obtain the key ciphertext.
In this embodiment, when both adjacent nodes are relay nodes, once the two first keys have been obtained from the target key pools, an exclusive OR operation is performed on the two first keys to generate the key ciphertext.
In the case that one of the two adjacent nodes is an end node, when the first key is acquired from the target key pool, the relay node queries whether the key establishment process on the other side has completed; if so, it performs an exclusive OR operation on the two first keys to generate the key ciphertext, and if not, it temporarily stores the first key acquired from the target key pool locally. Likewise, when the first key on the other side is established, it queries whether the key on the key pool side has been delivered, and applies the same subsequent operation.
Thus, the normal operation of the network can be realized.
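The relay-side behaviour just described, written out as an added example (this is not code from the patent; the class names KeyPool and RelayNode, the method names, and the representation of keys as byte strings are assumptions made here). It covers both cases above: when both neighbours are relays, the two first keys come straight out of the link key pools and the ciphertext is produced at once; when one neighbour is an end node, the key-pool side is parked locally until the key generation protocol delivers the other side, in whichever order the two arrive. The XOR is length-checked, since a ciphertext formed from first keys of unequal length would be unusable by the end node, and an exhausted pool raises instead of silently returning a short key.

```python
# Added example (not the patent's code): relay-side assembly of the key
# ciphertext for one scheduled request. Names are assumptions for this example.
from dataclasses import dataclass, field
from typing import Dict, Optional


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two first keys; the key ciphertext only makes sense for equal lengths."""
    if len(a) != len(b):
        raise ValueError("first keys on both sides must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass
class KeyPool:
    """Key material shared with one neighbouring relay, consumed front-to-back."""
    material: bytearray

    def remaining(self) -> int:
        return len(self.material)

    def take(self, n: int) -> bytes:
        if n > len(self.material):
            raise LookupError("key pool exhausted")
        key = bytes(self.material[:n])
        del self.material[:n]          # one-time use: never hand out the same bytes twice
        return key


@dataclass
class RelayNode:
    node_id: str
    pools: Dict[str, KeyPool]                         # neighbour id -> pool (relay neighbours only)
    pending: Dict[str, Dict[str, bytes]] = field(default_factory=dict)   # request -> side -> key
    ciphertexts: Dict[str, bytes] = field(default_factory=dict)

    def schedule(self, request_id: str, upstream: str, downstream: str,
                 key_len: int) -> Optional[bytes]:
        """Called when the request leaves the request queue. Pool keys for relay
        neighbours are taken immediately; an end-node side arrives later through
        key_generated(). Returns the ciphertext as soon as both sides are present."""
        self.pending.setdefault(request_id, {})
        for side, neighbour in (("up", upstream), ("down", downstream)):
            if neighbour in self.pools:
                self._deliver(request_id, side, self.pools[neighbour].take(key_len))
        return self._try_combine(request_id)

    def key_generated(self, request_id: str, side: str, key: bytes) -> Optional[bytes]:
        """The key generation protocol finished with the end node on `side`."""
        self._deliver(request_id, side, key)
        return self._try_combine(request_id)

    def _deliver(self, request_id: str, side: str, key: bytes) -> None:
        slot = self.pending.setdefault(request_id, {})
        if side in slot:
            raise RuntimeError(f"{side} key for {request_id} delivered twice")
        slot[side] = key

    def _try_combine(self, request_id: str) -> Optional[bytes]:
        slot = self.pending[request_id]
        if "up" not in slot or "down" not in slot:
            return None                      # other side not ready: keep the key locally
        ct = xor_bytes(slot["up"], slot["down"])
        del self.pending[request_id]         # both first keys are consumed by this request
        self.ciphertexts[request_id] = ct
        return ct
```

Note what the ciphertext does and does not protect: xor_bytes(ct, k_up) returns k_down, so anyone holding one of the two first keys plus the ciphertext recovers the other, while the ciphertext alone says nothing about either key. That is what allows it to travel over the classical path to the end node, and also why the relay itself, which holds both keys, must be trusted.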
Optionally, the step S104 specifically includes:
generating a tenth message with a sixth message type by the first protocol, wherein the tenth message comprises the first distribution path and the key ciphertext, and the sixth message type is used for identifying the key ciphertext generated by the relay node according to the keys of two adjacent nodes;
and transmitting the tenth message to the target end node through the first protocol based on the first distribution path.
In this embodiment, when the key ciphertext is obtained, a QKDMessage (i.e., the tenth message) whose message type is CIPHERTEXT, the sixth message type, may be generated through the QKDRouting protocol. As shown in table 12, the CIPHERTEXT message carries the first distribution path and the key ciphertext, and it is sent to the target end node according to the first distribution path and the key distribution direction. For example, if the key distribution direction is from the first end node to the second end node, the CIPHERTEXT message is sent to the next-hop node of the current relay node, so that it eventually reaches the second end node.
Table 12 structural table of tenth message
Thus, the normal operation of the network for key distribution of different end nodes can be ensured.
Optionally, the method further comprises:
analyzing the first message through the first protocol;
generating an eleventh message with a seventh message type by the first protocol based on the first request identifier, the first distribution path, the first node identifier of the second end node and the key characteristic information, wherein the seventh message type is used for identifying the sending of a quantum key distribution request;
generating a twelfth message with a fourth message type through the second protocol under the condition that the number of resources corresponding to the key characteristic information is determined to exceed the maximum capacity of a target key pool in N key pools of the pre-constructed relay node based on the eleventh message;
and under the condition that the value of the error type field carried by the twelfth message is determined to be a fourth target value, transmitting the twelfth message to the first end node through the first protocol based on the first distribution path.
In this embodiment, after receiving the REQUEST message (i.e., the first message) through the QKDRouting protocol, the relay node may add itself to the PATH of the REQUEST message, unpack the message through the QKDRouting protocol, generate from the data in it (including the first request identifier, the first distribution path, the first node identifier of the second end node, and the key feature information) a QKDRMPMessage (i.e., the eleventh message) whose message type is PATH, the seventh message type, and transmit the QKDRMPMessage to the upper layer of the protocol stack.
After receiving the PATH message, the QKDRMP protocol at the upper layer evaluates the resources of the request represented by the PATH message, and if the number of resources corresponding to the key feature information exceeds the maximum capacity of the target key pool (the key pool corresponding to the transmission link of the quantum key distribution request) of the relay node, refuses the quantum key distribution request corresponding to the PATH message.
At this time, the QKDRMP protocol may generate a QKDMessage (i.e., the twelfth message) with message type REJECT, set the value of the error type field in its data to 1, as shown in table 13, and transmit the message to the lower layer of the protocol stack.
TABLE 13 Structure Table of twelfth message
The QKDRouting protocol of the lower layer adopts different operations according to the message type of the received QKDMessage. For a REJECT message, the QKDRouting protocol checks whether the value of the error type field is the fourth target value, such as 1, and if so forwards the REJECT message to the previous-hop node according to the path information contained in it. After receiving the REJECT message, each relay node on the upstream path directly forwards it upstream until it reaches the first end node.
When the first end node receives the REJECT message, it may pass it layer by layer up to the QKDApp protocol, which discards the corresponding quantum key distribution request.
The flow in which an end-to-end quantum key distribution request that exceeds the processing capacity of relay node R_1 is rejected is shown in figure 4. Thus, when the QKDRMP protocol of the relay node receives the PATH message, the quantum key distribution request can be roughly evaluated and requests exceeding the processing capacity of the relay node filtered out, so that the multiple end-to-end quantum key distribution requests in the network are effectively scheduled and processed, the network efficiency is improved, and the application scenario better matches actual requirements.
Optionally, after step S104, the method further includes:
receiving a thirteenth message with an eighth message type sent by the target end node aiming at the key ciphertext;
and the eighth message type is used for identifying the target end node to confirm that the key ciphertext sent by the relay node is received.
In this embodiment, when the target end node, such as the second end node, receives from relay node R_q a QKDMessage whose message type is CIPHERTEXT (i.e., the tenth message), the QKDRouting protocol directly generates a corresponding QKDRMPMessage of type CIPHERTEXT and passes it to the upper layer. After receiving the CIPHERTEXT-type QKDRMPMessage, the QKDRMP protocol records the key ciphertext from relay node R_q and passes the CIPHERTEXT message to the upper layer.
After receiving the CIPHERTEXT message, the QKDApp protocol stores it locally and generates a QKDRMPMessage whose destination node is relay node R_q and whose message type is the eighth message type ACKNOWLEDGE, as shown in table 14, and delivers it to the lower layer.
Table 14 structural table of the QKDRMPMessage message of ACKNOWLEDGE
After receiving this message, the QKDRMP protocol of the lower layer generates a QKDMessage (i.e., the thirteenth message) whose message type is ACKNOWLEDGE, the eighth message type, as shown in table 15, and continues to pass it to the lower layer. The QKDRouting protocol forwards the ACKNOWLEDGE message to the previous-hop node until it reaches relay node R_q.
Table 15 structural table of the QKDMessage message of ACKNOWLEDGE
Thus, a feedback mechanism of the ACKNOWLEDGE message is designed to ensure the normal operation of the network.
Optionally, after step S104, the method further includes:
receiving a fourteenth message with a ninth message type, which is sent by the target end node aiming at the key ciphertext, wherein the fourteenth message carries the first distribution path, and the ninth message type is used for marking that the key shared by the first end node and the second end node is built;
And transmitting the fourteenth message to the other end node sharing the secret key with the target end node through the first protocol based on the first distribution path.
In this embodiment, each time the QKDApp protocol of the target end node, such as the second end node Bob, receives a CIPHERTEXT message and stores the key ciphertext, it checks whether the key ciphertexts of all relay nodes have been received; if so, it performs the following decryption operation (i.e., key exchange operation) on the key ciphertexts to obtain the target key shared with the first end node Alice: the key that Bob established with his adjacent upstream node is combined by exclusive OR with the key ciphertexts of all relay nodes, and the result is the target key.
Meanwhile, the QKDApp protocol in the protocol stack generates a QKDRMPMessage whose destination node is the first end node Alice and whose message type is the ninth message type DONE, as shown in table 16; the QKDRMP protocol of the lower layer generates from it a corresponding QKDMessage (namely the fourteenth message) with message type DONE, as shown in table 17, and the QKDRouting protocol is responsible for sending the DONE message to the first end node Alice.
Table 16 structural table of the QKDRMPMessage message of DONE
Table 17 structural table of QKDMessage message of DONE
In this way, key establishment for two different end nodes can be achieved.
The following describes the quantum key distribution method of the present embodiment in detail with a specific example, as shown in fig. 5. Assume that one user Alice (corresponding to the first end node) in the network wants to establish a target key with another user Bob (corresponding to the second end node) by quantum key distribution; the specific flow from generation to delivery of the quantum key distribution request is as follows:
1. Alice initiates a key request (namely a quantum key distribution request), generates a REQUEST message and sends it to the next-hop node;
2. The relay node receives the REQUEST message and chooses to forward or reject it according to the demand the message places on resources;
3. Bob receives the REQUEST message, processes it through the protocol stack, and returns an ACCEPT message;
4. The relay nodes along the way receive the ACCEPT message and add the corresponding request to their request queues;
5. Alice receives the ACCEPT message and starts key distribution with her downstream node;
6. Each end node stores the key generated with its upstream/downstream node locally;
7. Bob records each CIPHERTEXT message received from a relay node and returns an acknowledgement message ACKNOWLEDGE;
8. Bob confirms that the key ciphertexts of all relay nodes have been received, decrypts them to obtain the end-to-end target key, and sends a DONE message back to Alice;
9. The relay nodes forward the DONE message;
10. Alice receives the DONE message.
In fig. 5, the determination condition marked with superscript 1 is whether the number of requested resources is greater than the maximum capacity of the key pool.
Thus, alice and Bob complete the key establishment.
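The ten-step flow above carried end to end, as an added example that is not the patent's own code: a Python simulation of the path Alice -> R1 -> R2 -> R3 -> Bob in which each relay evaluates the REQUEST against the capacity of its link key pool and answers REJECT when the requested material (number of keys times key length) exceeds it, Bob returns ACCEPT, every link produces a first key, each relay emits a CIPHERTEXT message, Bob ACKNOWLEDGEs, recovers Alice's key by XORing his own link key with all the ciphertexts (the relay scenario of the second and third embodiments), and DONE returns to Alice. The class and field names, a single pool capacity shared by all links, and os.urandom standing in for the quantum channel are assumptions made here; the same code also handles a directly connected pair (no relays), where Bob's link key already is the target key. The relay_view method shows the property a practitioner should keep in mind with this design: any relay on the path, holding its upstream first key and seeing the ciphertexts that transit it on the way to Bob, can compute the end-to-end key, so every relay has to be trusted.

```python
# Added example (not the patent's code): end-to-end simulation of the request
# flow. Message and class names are assumptions made for this example.
import os
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("keys must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass
class Msg:
    mtype: str                 # REQUEST, ACCEPT, REJECT, CIPHERTEXT, ACKNOWLEDGE, DONE
    request_id: str
    path: List[str]            # distribution path as accumulated so far
    data: dict = field(default_factory=dict)


class QkdNetwork:
    """Linear path [first end node, relays..., second end node]. Every relay link
    has a key pool of pool_capacity bytes (assumed identical for all links)."""

    def __init__(self, path: List[str], pool_capacity: int,
                 key_source: Callable[[int], bytes] = os.urandom):
        self.path = path
        self.pool_capacity = pool_capacity
        self.key_source = key_source            # stands in for the key generation protocol
        self.link_keys: Dict[Tuple[str, str], bytes] = {}
        self.log: List[Msg] = []

    def run(self, request_id: str, key_count: int, key_len: int) -> dict:
        alice, bob, relays = self.path[0], self.path[-1], self.path[1:-1]
        needed = key_count * key_len            # resources implied by the key characteristic information
        # Steps 1-2: REQUEST goes downstream; each relay appends itself and evaluates resources.
        path_so_far = [alice]
        for relay in relays:
            path_so_far.append(relay)
            self.log.append(Msg("REQUEST", request_id, list(path_so_far),
                                {"count": key_count, "length": key_len}))
            if needed > self.pool_capacity:     # exceeds the target key pool: REJECT, error type 1
                self.log.append(Msg("REJECT", request_id, list(path_so_far), {"error_type": 1}))
                return {"status": "REJECT", "rejected_by": relay}
        # Steps 3-4: Bob completes the path and returns ACCEPT, which the relays enqueue.
        path_so_far.append(bob)
        full_path = list(path_so_far)
        self.log.append(Msg("ACCEPT", request_id, full_path, {"count": key_count, "length": key_len}))
        # Steps 5-6: a first key is produced on every link of the path.
        for up, down in zip(self.path, self.path[1:]):
            self.link_keys[(up, down)] = self.key_source(needed)
        target = self.link_keys[(alice, self.path[1])]   # Alice's key with her downstream node
        # Step 7: each relay XORs its two first keys into a CIPHERTEXT; Bob ACKNOWLEDGEs each one.
        ciphertexts: List[bytes] = []
        for i, relay in enumerate(relays, start=1):
            up, down = self.path[i - 1], self.path[i + 1]
            ct = xor_bytes(self.link_keys[(up, relay)], self.link_keys[(relay, down)])
            self.log.append(Msg("CIPHERTEXT", request_id, full_path, {"from": relay, "ct": ct}))
            self.log.append(Msg("ACKNOWLEDGE", request_id, full_path, {"to": relay}))
            ciphertexts.append(ct)
        # Step 8: Bob XORs his own link key with every ciphertext; each intermediate link key
        # appears twice and cancels, leaving Alice's key.
        recovered = self.link_keys[(self.path[-2], bob)]
        for ct in ciphertexts:
            recovered = xor_bytes(recovered, ct)
        # Steps 9-10: DONE travels back through the relays to Alice.
        self.log.append(Msg("DONE", request_id, full_path, {"to": alice}))
        return {"status": "DONE", "target_key": target, "bob_key": recovered}

    def message_types(self) -> List[str]:
        return [m.mtype for m in self.log]

    def relay_view(self, index: int) -> bytes:
        """Key material relay self.path[index] can derive by itself: its upstream first
        key XORed with the CIPHERTEXT messages of the relays before it, which pass
        through it on the way to Bob. The result equals the end-to-end key."""
        cts = [m.data["ct"] for m in self.log if m.mtype == "CIPHERTEXT"]
        view = self.link_keys[(self.path[index - 1], self.path[index])]
        for ct in cts[: index - 1]:
            view = xor_bytes(view, ct)
        return view
```

The resource check models only the PATH evaluation described for the REJECT path (requested material against pool capacity); the per-request queueing and the ordering of pool delivery against key generation on each relay are the subject of the previous example and are collapsed here into one step per link.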
Second embodiment
As shown in fig. 6, the present disclosure provides a quantum key distribution method applied to a first end node of a quantum key distribution network, including the steps of:
step S601: generating a fifteenth message through a fourth protocol, wherein the fourth protocol is used for initiating a quantum key distribution request, and the fifteenth message comprises a first request identifier of the quantum key distribution request initiated by the first end node, a first distribution path, a first node identifier of the second end node and key characteristic information;
step S602: generating a first message with a first message type through a second protocol based on the first request identifier, the first distribution path, the first node identifier and the key characteristic information, wherein the second protocol is used for processing the message according to the role type of the end node and the message type corresponding to the received message, and the first message type is used for identifying a sender of a quantum key distribution request to initiate the quantum key distribution request;
Step S603: transmitting the first message to the second end node through a first protocol, wherein the first protocol is used for determining a transmission path of the message in the quantum key distribution process of the quantum key distribution network;
step S604: in the case of receiving a third message, sent by the second end node for the first message, whose message type is the second message type, acquiring a target key shared with the second end node through a third protocol, wherein the target key is used for mutual communication between the first end node and the second end node, the third protocol is used for carrying out key distribution using quantum bits as information carriers, and the second message type is used for identifying a resource reservation request initiated by a receiver of a quantum key distribution request.
In this embodiment, in step S601, if the first end node needs to establish a key with the second end node, it may initiate a quantum key distribution request, and the QKDApp protocol in its own protocol stack generates a QKDRMPMessage (i.e., the fifteenth message) whose message type is the seventh message type PATH according to the request, as shown in table 5. The data may include information such as the path of the request (first distribution path), the number of keys and the key length (key feature information), the request id (first request identifier, a unique identifier for distinguishing different requests), and the first node identifier of the second end node.
In step S602, the message is passed to the QKDRMP protocol of the lower layer for processing; after the QKDRMP protocol of the first end node determines that the message type is PATH, it generates from the data of the PATH message a QKDMessage (i.e., the first message) whose message type is the first message type REQUEST, as shown in table 6, and passes it to the QKDRouting protocol of the lower layer.
In step S603, the QKDRouting protocol in the first end node determines that the message type is REQUEST and checks whether a direct channel exists between the first end node and the second end node; if so, it transmits the REQUEST message through the direct channel, otherwise it transmits the REQUEST message (the first message) through relay nodes. The detailed process by which the REQUEST message (the first message) is transmitted through the relay nodes and reaches the second end node is described in the first embodiment and is not repeated here.
In step S604, after receiving the first message, if there are sufficient resources locally, the second end node may add the node identifier of its own node to the first distribution path, and generate a third message including complete path information, key feature information to be established, which may be referred to as an ACCEPT message, and return the ACCEPT message according to the path information. And meanwhile, starting a Key Generation protocol to carry out quantum key distribution on an upstream node adjacent to the second end node, and establishing a key.
When the second end node returns the third message, namely the ACCEPT message, and the first end node is not directly connected with the second end node, each relay node along the way performs resource evaluation after receiving the ACCEPT message and adds the request to its request queue. When the request is taken out of the request queue for scheduling, the relay node acquires the keys shared with its upstream/downstream nodes from the key pools according to the key characteristic information, such as the number and length of the keys, generates the key ciphertext and sends it to the target end node, so that the end node obtains the target key shared between the first end node and the second end node.
When the first end node receives, for the first message, a third message whose message type is the second message type sent by the second end node, it may start the third protocol, namely the key generation protocol, perform quantum key distribution with the downstream node adjacent to the first end node, and establish a key. The detailed process by which the second end node sends the third message of the second message type for the first message is described in the first embodiment and is not repeated here.
Correspondingly, under the condition that both the first end node and the second end node start the Key Generation protocol, the first end node can acquire the target key shared with the second end node through the Key Generation protocol, and meanwhile, the second end node can acquire the target key shared with the first end node through the Key Generation protocol.
In an alternative embodiment, if the first end node is directly connected to the second end node, that is, there is a directly connected quantum channel between the first end node and the second end node, the target key generated by one end node (the first end node or the second end node) may be encoded into the qubit through the key generation protocol, and transmitted to the other end node through the directly connected quantum channel.
In another alternative embodiment, if the first end node is not directly connected to the second end node, that is, the middle needs to perform quantum key distribution through the relay node, at this time, a key ciphertext sent by the relay node may be obtained, and the target key generated based on the end node is exchanged to the other end node by means of the key ciphertext of the relay node, so that the other end node may obtain the target key that is communicated with the end node.
In this embodiment, by designing the quantum key distribution network, the QKDRMP protocol is designed on the first end node, so that the consistency of the design of each node protocol in the network is maintained, and the relay node can schedule and execute the quantum key distribution request initiated by the end node, so as to process and schedule multi-user requests for the quantum key distribution network, realize the scheduling and processing of multiple requests in the quantum key distribution network, ensure the best effort delivery of the requests and the efficient utilization of the network performance, efficiently and safely establish the end-to-end keys for different end nodes, and improve the communication security between the end nodes.
Optionally, the step S604 specifically includes any one of the following:
establishing a target key for communication with a downstream node adjacent to the first end node in the first distribution path through the third protocol so that the second end node obtains the target key for communication with the first end node;
receiving first quantum information sent by the second end node through the third protocol under the condition that the second end node is a downstream node adjacent to the first end node in the first distribution path, wherein the first quantum information carries a target key, and the target key is a key which is generated by the second end node and is communicated with the first end node;
and in the case that M relay nodes exist between the first end node and the second end node, receiving tenth messages respectively sent by the M relay nodes through the first protocol, and performing an exclusive OR operation on a second key and the key ciphertexts carried by the tenth messages to obtain the target key, wherein each key ciphertext is obtained by performing an exclusive OR operation on two first keys, the two first keys are the keys shared by a relay node respectively with its adjacent upstream node and adjacent downstream node, the second key is the key established by the first end node with its adjacent downstream node through the third protocol, and M is a positive integer.
In this embodiment, the obtaining, by the third protocol, the target key shared with the second end node may include three scenarios.
The first scenario is: the first end node establishes a target key with a downstream node adjacent to the first end node through a third protocol, and transmits the target key to the second end node, so that the second end node obtains the target key communicated with the first end node, namely, the key transmission direction is from the first end node to the second end node.
The first end node may establish the target key with its adjacent downstream node through the third protocol in either direction: the first end node generates the target key, encodes it into qubits through the third protocol and distributes it to the downstream node through the quantum channel (upstream-to-downstream distribution), or the adjacent downstream node generates the key, encodes it into qubits through the third protocol and distributes it to the first end node through the quantum channel (downstream-to-upstream distribution). Here downstream and upstream are relative to the distribution path, which may be defined as the path from the first end node to the second end node.
The second scenario is: the key transmission direction is from the second end node to the first end node, the second end node can establish a target key with an upstream node thereof through a third protocol, under the condition that the first end node is directly connected with the second end node, the second end node can directly send quantum information carrying the target key to the first end node, and correspondingly, the first end node can receive the quantum information sent through the third protocol to obtain the target key.
The manner in which the second end node may establish the target key with its upstream node through the third protocol may be similar to the manner in which the first end node establishes the target key with its neighboring downstream node through the third protocol, which is not described herein.
The third scenario is: the key transmission direction is from the second end node to the first end node, and under the condition that the first end node is not directly connected with the second end node, namely a relay node exists between the first end node and the second end node, under the scene, the relay node can acquire a first key by means of the first embodiment and acquire a key ciphertext, wherein the key established between the second end node and an upstream node thereof can be a target key, and the key established between the first end node and a downstream node thereof can be a second key.
The relay node sends a tenth message carrying the key ciphertext to the first end node, and the first end node decrypts the received key ciphertexts using the second key: the target key is obtained by an exclusive OR operation of the second key with the key ciphertexts carried in the tenth messages.
In this embodiment, an appropriate delivery manner may be selected according to an actual scenario of key delivery, so that both the first end node and the second end node may obtain the target key for end-to-end communication of both end nodes.
Optionally, the first key includes at least one of:
when the M relay nodes include a first relay node, the first key is obtained from a target key pool in N key pools of the first relay node, which are constructed in advance, based on the key feature information, wherein the first relay node is a node in which at least one of an adjacent upstream node and an adjacent downstream node is a relay node, the target key pool is a key pool corresponding to an adjacent relay node of the first relay node, and N is a positive integer;
in the case that the M relay nodes include a second relay node, the first key is a key established by the second relay node and an adjacent end node through the third protocol, and the second relay node is a node in which at least one of an adjacent upstream node and an adjacent downstream node is an end node.
In this embodiment, through the key pool structure and QKDRMP protocol, management and allocation of network resources can be achieved, so that the speed of delivering a key to a request by a quantum key distribution network can be improved, best effort delivery of the request is ensured, and performance parameters of different nodes in the network in response to a plurality of requests are improved.
Optionally, after the step S604, the method further includes:
under the condition that the first end node generates a sixteenth message with a tenth message type through the first protocol, storing a secret key carried by the sixteenth message through the second protocol and the fourth protocol;
wherein the tenth message type is used to identify that the first end node establishes a key with an adjacent downstream node via the third protocol.
In this embodiment, after the first end node successfully establishes a key with its adjacent downstream node through the key generation protocol (when the two end nodes are directly connected, this is the key between the first end node and the second end node), the QKDRouting protocol may generate a QKDMessage (i.e., the sixteenth message) whose message type is READY, the tenth message type, as shown in table 18, store the generated key in it, and pass the READY message to the upper layer.
Table 18 structural table of the QKDMessage message of READY
After receiving this message, the upper-layer QKDRMP protocol generates a QKDRMPMessage with message type READY, as shown in table 19, and passes it further up the protocol stack. After the QKDApp protocol at the top layer receives the message, it saves the key.
Table 19 structural table of the QKDRMPMessage message of READY
In this way, the storage of the key is achieved.
Optionally, the sixteenth packet further carries a completion field, where the completion field is used to indicate whether the establishment of the key shared by the first end node and the second end node is completed, and the method further includes:
setting a value of the completion field to a fifth target value, in the case where the first end node and the second end node are directly connected, the fifth target value indicating that key establishment shared by the first end node and the second end node is completed;
in the event that the first end node and the second end node are not directly connected, setting a value of a completion field to a sixth target value, the sixth target value indicating that the key shared by the first end node and the second end node is not established to completion.
In this embodiment, after the first end node successfully establishes the key through the key generation protocol, the QKDRouting protocol may determine whether a further key exchange operation needs to be performed. A completion field may be carried in the READY message to indicate whether a further key exchange operation is needed, such as the completion flag shown in tables 18 and 19.
If there is a direct connection between the first end node and the second end node, the end-to-end key establishment is already complete and no subsequent key exchange operation is needed. Accordingly, the completion field carried in the READY message may be set to the fifth target value, which may be True.
Accordingly, the first end node and the second end node can learn from the value of the completion field (i.e., completion flag) in the data content of the message that the end-to-end key establishment process is complete, save the key, and end the quantum key distribution request on the end node side.
If there is no directly connected channel between the first end node and the second end node, a further key exchange operation must be performed to complete the end-to-end key establishment. In this case, the value of the completion field in the data content of the READY messages generated by the QKDRouting and QKDRMP protocols is set to the sixth target value, which may be False; the QKDApp protocol saves the key after receiving the READY message and waits for the subsequent key exchange operation.
In this way, the preservation of the key can be achieved.
Optionally, after the step S604, the method further includes:
storing the target key through the second protocol and the fourth protocol when a fourteenth message whose message type is the ninth message type, sent by the second end node for the first message, is received through the first protocol, or when the first end node itself generates a fourteenth message whose message type is the ninth message type through the first protocol;
Wherein the ninth message type is used to identify that the establishment of the key shared by the first end node and the second end node is complete.
In this embodiment, the message type of the fourteenth message is DONE, which indicates that the end-to-end key establishment is complete and ends the quantum key distribution flow.
In a scenario, if the key transfer direction is from the first end node to the second end node, after the end-to-end key establishment is completed, the second end node may generate a DONE message and send the DONE message to the first end node, and the first end node may receive the DONE message and store the target key, thereby ending the quantum key distribution flow.
In another scenario, if the key transfer direction is from the second end node to the first end node, after the end-to-end key establishment is completed, the first end node may generate a DONE message, store the target key, send the DONE message to the second end node, and end the quantum key distribution flow.
In this way, quantum key distribution may be achieved, establishing end-to-end keys for the first end node and the second end node.
Third embodiment
As shown in fig. 7, the present disclosure provides a quantum key distribution method applied to a second end node of a quantum key distribution network, including the steps of:
Step S701: receiving a first message sent by a first end node through a first protocol, wherein the first message is generated by the first end node through a fourth protocol and a second protocol, the first protocol is used for determining a sending path of the message in a quantum key distribution process of the quantum key distribution network, the second protocol is used for processing the message according to a role type of the end node and a message type corresponding to the received message, the fourth protocol is used for initiating a quantum key distribution request, and the first message comprises a first request identifier of the quantum key distribution request initiated by the first end node, a first distribution path, a first node identifier of the second end node and key characteristic information;
step S702: generating a third message with a message type of a second message type by the first protocol, the second protocol and the fourth protocol based on the first request identifier, the first distribution path, the first node identifier and the key characteristic information, wherein the second message type is used for identifying a resource reservation request initiated by a receiver of a quantum key distribution request;
step S703: returning the third message to the first end node through the first protocol;
Step S704: and acquiring a target key shared with the first end node through a third protocol, wherein the target key is used for mutual communication between the first end node and the second end node, and the third protocol is used for key distribution by using quantum bits as information carriers.
In this embodiment, the steps S701 to S704 are respectively described in detail in the first embodiment and the second embodiment, and are not described in detail here.
With this method, the quantum key distribution network is designed so that the QKDRMP protocol is also implemented on the second end node, which keeps the protocol design of every node in the network consistent. Relay nodes can therefore schedule and execute quantum key distribution requests initiated by end nodes, so the network can process and schedule requests from multiple users, providing best-effort delivery of requests and efficient use of network capacity; end-to-end keys are established for different end nodes efficiently and securely, which improves communication security between the end nodes.
Optionally, the step S704 includes any one of the following:
Establishing a target key for communication with an upstream node adjacent to the second end node under the first distribution path through the third protocol so that the first end node obtains the target key for communication with the second end node;
receiving second quantum information sent by the first end node through the third protocol under the condition that the first end node is an upstream node adjacent to the second end node in the first distribution path, wherein the second quantum information carries a target key, and the target key is a key which is generated by the first end node and is communicated with the second end node;
and under the condition that M relay nodes exist between the first end node and the second end node, receiving thirteenth messages respectively sent by the M relay nodes through the first protocol, performing exclusive-or operation on a third key and a key ciphertext carried by the thirteenth messages to obtain the target key, wherein the key ciphertext is obtained by performing exclusive-or operation on two first keys, the two first keys are keys shared by the relay nodes respectively with an adjacent upstream node and an adjacent downstream node, the third key is a key established by the second end node through the third protocol and the adjacent upstream node, and M is a positive integer.
In this embodiment, an appropriate delivery manner may be selected according to an actual scenario of key delivery, so that both the first end node and the second end node may obtain the target key for end-to-end communication of both end nodes.
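The third option above (and the exclusive-or modules of the relay node and first end node described in the later embodiments) is the classic trusted-relay key forwarding rule: each relay publishes the XOR of its upstream and downstream hop keys, and the receiving end node XORs all of those ciphertexts into the one hop key it already holds, so that the intermediate hop keys cancel in pairs. The following is an added example written for this page, not code from the patent; the link keys are fixed constructed values standing in for keys distilled by the quantum protocol or taken from the relay's key pools. It also shows, as a caveat a practitioner will want, that the relay adjacent to the originating end node holds the end-to-end key in the clear, which is what "trusted relay" means in this design.

```python
"""Added example: XOR key relay across M trusted relay nodes.

Path: first end node A - R1 - ... - RM - second end node B.  Each link has a
hop key established by the third (quantum) protocol.  Relay Ri XORs its
upstream and downstream hop keys and forwards the result as the key
ciphertext; the receiving end node XORs every ciphertext into the hop key it
already holds, and the intermediate hop keys cancel in pairs.
"""
from typing import List


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """One-time-pad style XOR; the hop keys must have equal length."""
    if len(a) != len(b):
        raise ValueError("hop keys must have the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def relay_ciphertexts(hop_keys: List[bytes]) -> List[bytes]:
    """hop_keys[i] is the key on the i-th link of the path (link 0 touches the
    first end node).  Relay i sits between link i and link i+1 and emits
    hop_keys[i] XOR hop_keys[i+1]; M relays means M+1 links."""
    if len(hop_keys) < 2:
        raise ValueError("a relayed path has at least two links")
    return [xor_bytes(hop_keys[i], hop_keys[i + 1]) for i in range(len(hop_keys) - 1)]


def recover_at_second_end(third_key: bytes, ciphertexts: List[bytes]) -> bytes:
    """Second end node: XOR the key shared with its adjacent upstream relay
    (the 'third key') with all M ciphertexts.  The result is the key the
    first end node holds on its own downstream link."""
    key = third_key
    for c in ciphertexts:
        key = xor_bytes(key, c)
    return key


def recover_at_first_end(second_key: bytes, ciphertexts: List[bytes]) -> bytes:
    """First end node: the mirror-image computation with its adjacent
    downstream key (the 'second key').  The result is the last hop key."""
    key = second_key
    for c in ciphertexts:
        key = xor_bytes(key, c)
    return key


def relays_holding_target(hop_keys: List[bytes], target: bytes) -> List[int]:
    """Indices of relays that hold the end-to-end key directly.  Relay i holds
    hop_keys[i] and hop_keys[i+1]; that is the trusted-node assumption."""
    return [i for i in range(len(hop_keys) - 1)
            if target in (hop_keys[i], hop_keys[i + 1])]


# Constructed sample: three links, i.e. M = 2 relays.  Real hop keys come from
# the quantum protocol or the key pools; these fixed 8-byte values are demo only.
HOP_KEYS = [
    bytes.fromhex("0011223344556677"),   # A  <-> R1
    bytes.fromhex("8899aabbccddeeff"),   # R1 <-> R2
    bytes.fromhex("0f1e2d3c4b5a6978"),   # R2 <-> B
]


if __name__ == "__main__":
    cts = relay_ciphertexts(HOP_KEYS)
    print("B recovers A's link key:", recover_at_second_end(HOP_KEYS[-1], cts).hex())
    print("A recovers B's link key:", recover_at_first_end(HOP_KEYS[0], cts).hex())
    print("relays holding the key in the clear:", relays_holding_target(HOP_KEYS, HOP_KEYS[0]))
```

Because the XOR telescopes, the number of relays M does not matter; what does matter is that every hop key is used exactly once, which is why the later embodiments mark a key as invalid when a request is rejected after its key was already taken from the pool.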
Fourth embodiment
As shown in fig. 8, the present disclosure provides a quantum key distribution apparatus 800 applied to a relay node of a quantum key distribution network, including:
a first receiving module 801, configured to receive a first packet sent by a first end node through a first protocol, where the first packet includes a first request identifier of a quantum key distribution request initiated by the first end node, a first distribution path, a first node identifier of a second end node, and key feature information, and the first protocol is used to determine a transmission path of the packet in a process of performing quantum key distribution by the quantum key distribution network;
a first generating module 802, configured to generate, based on the first request identifier, the first distribution path, the first node identifier, and the key feature information, a second message with a first message type by using a second protocol, where the second protocol is used to schedule the received quantum key distribution request, and the first message type is used to identify a sender of the quantum key distribution request to initiate the quantum key distribution request, where the number of resources required for the quantum key distribution request corresponding to the first request identifier does not exceed the processing capability of the relay node;
A first sending module 803, configured to send the second packet to the second end node through the first protocol;
a first obtaining module 804, configured to obtain, when receiving a third message of a second message type sent by the second end node for the second message, a first key between the relay node and the two nodes respectively according to a second protocol and/or a third protocol based on types of two nodes adjacent to the relay node and the key feature information, where the second message type is used to identify a resource reservation request initiated by a receiver of a quantum key distribution request, and the third protocol is used to perform key distribution using a quantum bit as an information carrier;
and a second sending module 805, configured to send, by using the first protocol, a key ciphertext generated based on the first key to a target end node, where the target end node is the first end node or the second end node, the key ciphertext is used to determine a target key shared by the first end node and the second end node, and the target key is used to perform intercommunication between the first end node and the second end node.
Optionally, the first obtaining module 804 includes:
a first obtaining sub-module, configured to obtain, in a case where the types of the two nodes include a first type, a first key matched with the key feature information from a target key pool of N key pools of the relay node, where the target key pool is a key pool corresponding to an adjacent relay node of the relay node in the first distribution path, and the first type indicates that the node is a relay node, and N is a positive integer;
and the first establishing sub-module is used for establishing a first key with an adjacent end node of the relay node under the first distribution path through the third protocol when the types of the two nodes comprise a second type, and the second type indicates that the node is the end node.
Optionally, the first obtaining submodule includes:
a first generating unit, configured to generate, according to the first protocol, a fourth message with a message type that is a third message type, where the third message type is used to identify a resource reservation request initiated by a receiver of a quantum key distribution request, and the fourth message carries the key feature information and the first request identifier;
An adding unit, configured to add the fourth packet to the request queue when it is determined by the second protocol that the number of requests in the pre-constructed request queue is less than a first preset threshold;
the first obtaining unit is configured to obtain, from the target key pool, a first key that matches the key feature information when the fourth packet corresponding to the first request identifier is obtained from the request queue.
Optionally, the method further comprises:
a second generating module, configured to generate, by using the second protocol, a fifth message with a message type being a fourth message type when it is determined by the second protocol that the number of requests in the request queue is greater than or equal to the first preset threshold, where the fourth message type is used to identify that a resource reservation request is rejected by the relay node, and the fifth message carries an error type field, where the error type field is used to indicate a sending direction of the message;
and a third sending module, configured to send, by using the first protocol, the fifth message to the end node corresponding to the first request identifier in the quantum key distribution network, the sending direction being selected based on the value of the error type field in the fifth message.
Optionally, the method further comprises:
a deleting module, configured to, when a sixth message with a fourth message type is received and the value of the error type field carried by the sixth message is a first target value, delete the message corresponding to the second request identifier carried by the sixth message from the request queue if such a message is found in the request queue;
and a recording module, configured to record the key corresponding to the second request identifier as an invalid key if no message corresponding to the second request identifier carried by the sixth message is found in the request queue.
Optionally, the method further comprises:
a third generating module, configured to generate, according to the second protocol, a seventh packet with a message type that is the second message type, where the seventh packet carries an operation type field and the first distribution path, where the operation type field is used to indicate an operation mode of the packet;
and a fourth sending module, configured to send, based on the first distribution path, the seventh message to the first end node through the first protocol when the value of the operation type field is determined to be a second target value.
Optionally, the method further comprises:
a fourth generating module, configured to generate, according to the second protocol, an eighth packet with a message type that is a fifth message type, where the eighth packet includes the first distribution path and the first node identifier, and the fifth message type is used to identify that the relay node successfully adds a resource reservation request to the request queue;
and a fifth sending module, configured to send, based on the first distribution path and the first node identifier, the eighth packet to the second end node through the first protocol.
Optionally, the first obtaining unit is specifically configured to:
generating a ninth message with a message type of the second message type by the second protocol based on the fourth message under the condition that the fourth message corresponding to the first request identifier is obtained from the request queue, wherein the ninth message carries an operation type field;
and under the condition that the value of the operation type field is determined to be a third target value, acquiring a first key matched with the key characteristic information from the target key pool through the first protocol.
Optionally, the method further comprises:
a first exclusive-or operation module, configured to perform an exclusive-or operation on the two first keys respectively acquired from the target key pool to obtain the key ciphertext when both of the two nodes are of the first type;
and a second exclusive-or operation module, configured to, when the two nodes are of the first type and the second type respectively, perform an exclusive-or operation on the first key acquired from the target key pool and the first key established through the third protocol to obtain the key ciphertext once it is determined that the relay node has completed key distribution with each of the two nodes.
Optionally, the second sending module 805 is specifically configured to:
generating a tenth message with a sixth message type by the first protocol, wherein the tenth message comprises the first distribution path and the key ciphertext, and the sixth message type is used for identifying the key ciphertext generated by the relay node according to the keys of two adjacent nodes;
and transmitting the tenth message to the target end node through the first protocol based on the first distribution path.
Optionally, the method further comprises:
a parsing module, configured to parse the first message through the first protocol;
a fifth generating module, configured to generate, according to the first request identifier, the first distribution path, the first node identifier of the second end node, and the key feature information, an eleventh packet with a message type of a seventh message type according to the first protocol, where the seventh message type is used to identify that a quantum key distribution request is sent;
A sixth generating module, configured to generate, according to the second protocol, a twelfth message with a message type being a fourth message type when it is determined, based on the eleventh message, that the number of resources corresponding to the key feature information exceeds a maximum capacity of a target key pool in the N key pools of the relay node that are constructed in advance;
and a sixth sending module, configured to send, based on the first distribution path, the twelfth packet to the first end node through the first protocol when it is determined that the value of the error type field carried by the twelfth packet is a fourth target value.
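The request-queue admission rule (enqueue a reservation only while the queue is below the first preset threshold, otherwise reject with an error type field that tells the routing protocol which end node to send the rejection to), the pool-capacity check just described, and the clean-up on receiving a rejection (drop the queued entry if it is still there, otherwise record the key as invalid) together form the relay's scheduling behaviour. The following is an added example that simulates that behaviour at one relay; it is not the patent's code. The message-type names, the error-type values, and the reading of "key characteristic information" as a requested key length in bytes are assumptions made for the example, since the text names these only abstractly and gives no wire format.

```python
"""Added example: admission control at a relay node for key-relay requests."""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional, Set

# Message-type names and field values are placeholders chosen for this example;
# the text names them only abstractly ("fourth message type", "first target
# value") and specifies no wire encoding.
MSG_RESV = "RESV"          # third message type: reservation queued at this relay
MSG_RESV_ERR = "RESV_ERR"  # fourth message type: reservation rejected by a relay
ERR_TO_INITIATOR = 1       # error type field: route the rejection toward the request initiator
ERR_TO_RECEIVER = 2        # error type field: route the rejection toward the request receiver


@dataclass
class Request:
    request_id: str
    path: List[str]    # first distribution path as ordered node identifiers
    key_len: int       # key characteristic information, taken here to mean bytes of key requested


@dataclass
class RelayNode:
    node_id: str
    queue_limit: int                    # first preset threshold on the request queue
    pool_capacity: int                  # largest key the target key pool can supply
    key_pools: Dict[str, Deque[bytes]]  # adjacent relay id -> hop keys already distilled
    queue: Deque[Request] = field(default_factory=deque)
    invalid_keys: Set[str] = field(default_factory=set)

    def handle_request(self, req: Request, toward: int) -> dict:
        """Admit a reservation or reject it.  'toward' is the error-type value
        stamped on a rejection so the routing protocol forwards it to the right end node."""
        if req.key_len > self.pool_capacity:          # resources exceed the pool's maximum
            return {"type": MSG_RESV_ERR, "request_id": req.request_id, "error_type": toward}
        if len(self.queue) >= self.queue_limit:       # queue full: reject instead of blocking
            return {"type": MSG_RESV_ERR, "request_id": req.request_id, "error_type": toward}
        self.queue.append(req)
        return {"type": MSG_RESV, "request_id": req.request_id, "key_len": req.key_len}

    def handle_reject(self, msg: dict) -> str:
        """A rejection for a request this relay may have queued.  Drop the queued
        entry if it is still there; otherwise a hop key may already have been
        taken for it, so record that key as invalid rather than reuse it."""
        rid = msg["request_id"]
        for entry in list(self.queue):
            if entry.request_id == rid:
                self.queue.remove(entry)
                return "dequeued"
        self.invalid_keys.add(rid)
        return "key_invalidated"

    def serve_next(self, neighbour: str) -> Optional[bytes]:
        """Serve the head of the queue from the pool shared with 'neighbour'.
        The request stays queued if no key of the requested size exists yet."""
        if not self.queue:
            return None
        req = self.queue[0]
        pool = self.key_pools[neighbour]
        for key in pool:
            if len(key) == req.key_len:
                pool.remove(key)
                self.queue.popleft()
                return key
        return None


def demo() -> dict:
    """Constructed scenario: relay R1 with a two-entry queue on path A-R1-R2-B."""
    r1 = RelayNode("R1", queue_limit=2, pool_capacity=32,
                   key_pools={"R2": deque([bytes(range(16)), bytes(range(32))])})
    path = ["A", "R1", "R2", "B"]
    out = {}
    out["q1"] = r1.handle_request(Request("req-1", path, 32), ERR_TO_INITIATOR)["type"]
    out["q2"] = r1.handle_request(Request("req-2", path, 16), ERR_TO_INITIATOR)["type"]
    out["q3"] = r1.handle_request(Request("req-3", path, 16), ERR_TO_INITIATOR)   # queue full
    out["too_big"] = r1.handle_request(Request("req-4", path, 64), ERR_TO_INITIATOR)["type"]
    out["key1"] = r1.serve_next("R2")                                             # serves req-1
    out["reject_known"] = r1.handle_reject({"type": MSG_RESV_ERR, "request_id": "req-2",
                                            "error_type": ERR_TO_RECEIVER})
    out["reject_unknown"] = r1.handle_reject({"type": MSG_RESV_ERR, "request_id": "req-1",
                                              "error_type": ERR_TO_RECEIVER})
    out["invalid"] = sorted(r1.invalid_keys)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The point of the invalid-key record is security rather than bookkeeping: a hop key that was removed from the pool for a request that later failed must never be spent on a second request, because the XOR relay is only a one-time pad while each hop key is used once.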
Optionally, the method further comprises:
a second receiving module, configured to receive a thirteenth message with an eighth message type, sent by the target end node in response to the key ciphertext;
where the eighth message type is used to identify that the target end node confirms receipt of the key ciphertext sent by the relay node.
Optionally, the method further comprises:
a third receiving module, configured to receive a fourteenth packet with a ninth message type, where the fourteenth packet is sent by the target end node for the key ciphertext, and the fourteenth packet carries the first distribution path, and the ninth message type is used to identify that the key establishment shared by the first end node and the second end node is completed;
And a seventh sending module, configured to send, based on the first distribution path, the fourteenth packet to the other end node sharing the key with the target end node through the first protocol.
The quantum key distribution device 800 provided in the present disclosure can implement each process implemented by the first embodiment of the quantum key distribution method, and can achieve the same beneficial effects, so that repetition is avoided, and no further description is provided herein.
Fifth embodiment
As shown in fig. 9, the present disclosure provides a quantum key distribution apparatus 900 applied to a first end node of a quantum key distribution network, comprising:
a seventh generating module 901, configured to generate a fifteenth packet according to a fourth protocol, where the fourth protocol is used to initiate a quantum key distribution request, and the fifteenth packet includes a first request identifier of the quantum key distribution request initiated by the first end node, a first distribution path, a first node identifier of the second end node, and key feature information;
an eighth generating module 902, configured to generate, based on the first request identifier, the first distribution path, the first node identifier, and the key feature information, a first message with a message type that is a first message type through a second protocol, where the second protocol is used to process the message according to a role type of an end node and a message type corresponding to the received message, and the first message type is used to identify a sender of a quantum key distribution request to initiate the quantum key distribution request;
An eighth sending module 903, configured to send the first packet to the second end node through a first protocol, where the first protocol is used to determine a sending path of the packet in the quantum key distribution process of the quantum key distribution network;
a second obtaining module 904, configured to obtain, when receiving a third message of a second message type sent by the second end node for the first message, a target key shared with the second end node through a third protocol, where the target key is used for performing intercommunication between the first end node and the second end node, the third protocol is used for performing key distribution by using a quantum bit as an information carrier, and the second message type is used for identifying a resource reservation request initiated by a receiver of a quantum key distribution request.
Optionally, the second obtaining module 904 includes:
a second establishing sub-module, configured to establish, by using the third protocol, a target key that is mutually communicated with a downstream node adjacent to the first end node in the first distribution path, so that the second end node obtains the target key that is communicated with the first end node;
A first receiving sub-module, configured to receive, when the second end node is a downstream node adjacent to the first end node in the first distribution path, first quantum information sent by the second end node through the third protocol, where the first quantum information carries a target key, where the target key is a key generated by the second end node and communicated with the first end node;
and the first exclusive-or operation submodule is used for receiving thirteenth messages respectively sent by the M relay nodes through the first protocol under the condition that M relay nodes exist between the first end node and the second end node, carrying out exclusive-or operation on a second key and a key ciphertext carried by the thirteenth messages to obtain the target key, wherein the key ciphertext is obtained by carrying out exclusive-or operation on two first keys, the two first keys are keys respectively shared by the relay nodes with an adjacent upstream node and an adjacent downstream node, the second key is a key established by the first end node through the third protocol and the adjacent downstream node, and M is a positive integer.
Optionally, the first key includes at least one of:
When the M relay nodes include a first relay node, the first key is obtained from a target key pool in N key pools of the first relay node, which are constructed in advance, based on the key feature information, wherein the first relay node is a node in which at least one of an adjacent upstream node and an adjacent downstream node is a relay node, the target key pool is a key pool corresponding to an adjacent relay node of the first relay node, and N is a positive integer;
in the case that the M relay nodes include a second relay node, the first key is a key established by the second relay node and an adjacent end node through the third protocol, and the second relay node is a node in which at least one of an adjacent upstream node and an adjacent downstream node is an end node.
Optionally, the method further comprises:
the first storage module is configured to store, when the first end node generates a sixteenth message with a message type being a tenth message type through the first protocol, a key carried by the sixteenth message through the second protocol and the fourth protocol;
wherein the tenth message type is used to identify that the first end node establishes a key with an adjacent downstream node via the third protocol.
Optionally, the sixteenth packet further carries a completion field, where the completion field is used to indicate whether the establishment of the key shared by the first end node and the second end node is completed, and the apparatus further includes:
a first setting module, configured to set, in a case where the first end node and the second end node are directly connected, a value of the completion field to a fifth target value, where the fifth target value indicates that establishment of a key shared by the first end node and the second end node is completed;
and a second setting module, configured to set the value of the completion field to a sixth target value in the case where the first end node and the second end node are not directly connected, where the sixth target value indicates that establishment of the key shared by the first end node and the second end node has not been completed.
Optionally, the method further comprises:
a second storage module, configured to store, when receiving, by using the first protocol, a fourteenth packet with a message type of a ninth message type returned by the second end node for the first packet, or when the first end node generates, by using the first protocol, a fourteenth packet with a message type of a ninth message type, the target key by using the second protocol and the fourth protocol;
Wherein the ninth message type is used to identify that the key establishment shared by the first end node and the second end node is complete.
The quantum key distribution device 900 provided in the present disclosure can implement each process implemented by the second embodiment of the quantum key distribution method, and can achieve the same beneficial effects, so that repetition is avoided, and no further description is provided herein.
Sixth embodiment
As shown in fig. 10, the present disclosure provides a quantum key distribution apparatus 1000 applied to a second end node of a quantum key distribution network, comprising:
a fourth receiving module 1001, configured to receive a first packet sent by a first end node through a first protocol, where the first packet is generated by the first end node through a fourth protocol and a second protocol, the first protocol is used to determine a sending path of a packet in a process of performing quantum key distribution by the quantum key distribution network, the second protocol is used to process the packet according to a role type of the end node and a message type corresponding to the received packet, and the fourth protocol is used to initiate a quantum key distribution request, and the first packet includes a first request identifier of the quantum key distribution request initiated by the first end node, a first distribution path, a first node identifier of the second end node, and key feature information;
A ninth generating module 1002, configured to generate, based on the first request identifier, the first distribution path, the first node identifier, and the key feature information, a third message with a message type being a second message type through the first protocol, the second protocol, and the fourth protocol, where the second message type is used to identify a resource reservation request initiated by a receiver of a quantum key distribution request;
a ninth sending module 1003, configured to send the third packet to the first end node through the first protocol;
a third obtaining module 1004, configured to obtain a target key shared with the first end node through a third protocol, where the target key is used for mutual communication between the first end node and the second end node, and the third protocol is used for performing key distribution by using a quantum bit as an information carrier.
Optionally, the third obtaining module 1004 includes:
a third establishing sub-module, configured to establish, by using the third protocol, a target key that is mutually communicated with an upstream node adjacent to the second end node under the first distribution path, so that the first end node obtains the target key that is communicated with the second end node;
A second receiving sub-module, configured to receive, when the first end node is an upstream node adjacent to the second end node in the first distribution path, second quantum information sent by the first end node through the third protocol, where the second quantum information carries a target key, and the target key is a key generated by the first end node and communicated with the second end node;
and the second exclusive-or operation submodule is used for receiving thirteenth messages respectively sent by the M relay nodes through the first protocol under the condition that M relay nodes exist between the first end node and the second end node, carrying out exclusive-or operation on a third key and a key ciphertext carried by the thirteenth messages to obtain the target key, wherein the key ciphertext is obtained by carrying out exclusive-or operation on two first keys, the two first keys are keys respectively shared by the relay nodes with an adjacent upstream node and an adjacent downstream node, the third key is a key established by the second end node through the third protocol and the adjacent upstream node, and M is a positive integer.
The quantum key distribution device 1000 provided in the present disclosure can implement each process implemented by the third embodiment of the quantum key distribution method, and can achieve the same beneficial effects, so that repetition is avoided, and no further description is provided herein.
In the technical solution of the present disclosure, the collection, storage, use, processing, transmission, provision, disclosure and other handling of users' personal information comply with the relevant laws and regulations and do not violate public order and good morals.
According to embodiments of the present disclosure, the present disclosure also provides an electronic device, a readable storage medium and a computer program product.
FIG. 11 illustrates a schematic block diagram of an example electronic device that may be used to implement embodiments of the present disclosure. Electronic devices are intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. The electronic device may also represent various forms of mobile devices, such as personal digital assistants, cellular telephones, smartphones, wearable devices, and other similar computing devices. The components shown herein, their connections and relationships, and their functions, are meant to be exemplary only, and are not meant to limit implementations of the disclosure described and/or claimed herein.
As shown in fig. 11, the apparatus 1100 includes a computing unit 1101 that can perform various appropriate actions and processes according to a computer program stored in a Read Only Memory (ROM) 1102 or a computer program loaded from a storage unit 1108 into a Random Access Memory (RAM) 1103. In the RAM 1103, various programs and data required for the operation of the device 1100 can also be stored. The computing unit 1101, ROM 1102, and RAM 1103 are connected to each other by a bus 1104. An input/output (I/O) interface 1105 is also connected to bus 1104.
Various components in device 1100 are connected to I/O interface 1105, including: an input unit 1106 such as a keyboard, a mouse, etc.; an output unit 1107 such as various types of displays, speakers, and the like; a storage unit 1108, such as a magnetic disk, optical disk, etc.; and a communication unit 1109 such as a network card, modem, wireless communication transceiver, or the like. The communication unit 1109 allows the device 1100 to exchange information/data with other devices through a computer network such as the internet and/or various telecommunication networks.
The computing unit 1101 may be a variety of general purpose and/or special purpose processing components having processing and computing capabilities. Some examples of computing unit 1101 include, but are not limited to, a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), various specialized Artificial Intelligence (AI) computing chips, various computing units running machine learning model algorithms, a Digital Signal Processor (DSP), and any suitable processor, controller, microcontroller, etc. The computing unit 1101 performs the respective methods and processes described above, such as a quantum key distribution method. For example, in some embodiments, the quantum key distribution method may be implemented as a computer software program tangibly embodied on a machine-readable medium, such as storage unit 1108. In some embodiments, some or all of the computer programs may be loaded and/or installed onto device 1100 via ROM 1102 and/or communication unit 1109. When a computer program is loaded into RAM 1103 and executed by computing unit 1101, one or more steps of the quantum key distribution method described above may be performed. Alternatively, in other embodiments, the computing unit 1101 may be configured to perform the quantum key distribution method by any other suitable means (e.g. by means of firmware).
Various implementations of the systems and techniques described above may be implemented in digital electronic circuitry, integrated circuit systems, Field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), Systems On Chip (SOCs), Complex Programmable Logic Devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may include: implementation in one or more computer programs, which may be executed and/or interpreted on a programmable system including at least one programmable processor, which may be a special purpose or general-purpose programmable processor, that may receive data and instructions from, and transmit data and instructions to, a storage system, at least one input device, and at least one output device.
Program code for carrying out methods of the present disclosure may be written in any combination of one or more programming languages. The program code may be provided to a processor or controller of a general purpose computer, special purpose computer, or other programmable data processing apparatus such that the program code, when executed by the processor or controller, causes the functions/operations specified in the flowchart and/or block diagram to be implemented. The program code may execute entirely on the machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine, or entirely on the remote machine or server.
In the context of this disclosure, a machine-readable medium may be a tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. The machine-readable medium may be a machine-readable signal medium or a machine-readable storage medium. The machine-readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
To provide for interaction with a user, the systems and techniques described here can be implemented on a computer having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to a user; and a keyboard and pointing device (e.g., a mouse or trackball) by which a user can provide input to the computer. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user may be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic input, speech input, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a back-end component (e.g., a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such back-end, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include: Local Area Networks (LANs), Wide Area Networks (WANs), and the internet.
The computer system may include a client and a server. The client and server are typically remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server may be a cloud server, a server of a distributed system, or a server incorporating a blockchain.
It should be appreciated that various forms of the flows shown above may be used to reorder, add, or delete steps. For example, the steps recited in the present disclosure may be performed in parallel, sequentially, or in a different order, provided that the desired results of the disclosed aspects are achieved, and are not limited herein.
The above detailed description should not be taken as limiting the scope of the present disclosure. It will be apparent to those skilled in the art that various modifications, combinations, sub-combinations and alternatives are possible, depending on design requirements and other factors. Any modifications, equivalent substitutions and improvements made within the spirit and principles of the present disclosure are intended to be included within the scope of the present disclosure.
Claims (44)
1. A quantum key distribution method applied to a relay node of a quantum key distribution network, comprising:
receiving a first message sent by a first end node through a first protocol, wherein the first message comprises a first request identifier of a quantum key distribution request initiated by the first end node, a first distribution path, a first node identifier of a second end node and key characteristic information, and the first protocol is used for determining a transmission path of the message in a quantum key distribution process of the quantum key distribution network;
in the case that the number of resources required by the quantum key distribution request corresponding to the first request identifier does not exceed the processing capacity of the relay node, generating, through a second protocol, a second message whose message type is a first message type based on the first request identifier, the first distribution path, the first node identifier and the key characteristic information, and sending the second message to the second end node through the first protocol, wherein the second protocol is used for scheduling received quantum key distribution requests, and the first message type is used for identifying that a sender of a quantum key distribution request initiates the quantum key distribution request;
in the case that a third message whose message type is a second message type is received from the second end node in response to the second message, acquiring, through the second protocol and/or a third protocol, first keys between the relay node and each of the two nodes adjacent to the relay node respectively, based on the types of the two adjacent nodes and the key characteristic information, wherein the second message type is used for identifying a resource reservation request initiated by a receiver of a quantum key distribution request, and the third protocol is used for carrying out key distribution using quantum bits as the information carrier;
and transmitting a key ciphertext generated based on the first keys to a target end node through the first protocol, wherein the target end node is the first end node or the second end node, the key ciphertext is used for determining a target key shared by the first end node and the second end node, and the target key is used for mutual communication between the first end node and the second end node.
2. The method according to claim 1, wherein the acquiring, through the second protocol and/or the third protocol, the first keys between the relay node and each of the two nodes respectively based on the types of the two nodes adjacent to the relay node and the key characteristic information comprises at least one of:
in the case that the types of the two nodes include a first type, acquiring, through the second protocol, a first key matching the key characteristic information from a target key pool among N key pools of the relay node constructed in advance, wherein the target key pool is the key pool corresponding to the relay node's adjacent relay node on the first distribution path, the first type indicates that the node is a relay node, and N is a positive integer;
and in the case that the types of the two nodes include a second type, establishing, through the third protocol, a first key with the relay node's adjacent end node on the first distribution path, wherein the second type indicates that the node is an end node.
3. The method of claim 2, wherein the acquiring, through the second protocol, the first key matching the key characteristic information from the target key pool among the N key pools of the relay node comprises:
generating, through the first protocol, a fourth message whose message type is a third message type, wherein the third message type is used for identifying a resource reservation request initiated by a receiver of a quantum key distribution request, and the fourth message carries the key characteristic information and the first request identifier;
in the case that it is determined through the second protocol that the number of requests in a pre-built request queue is smaller than a first preset threshold, adding the fourth message to the request queue;
and in the case that the fourth message corresponding to the first request identifier is retrieved from the request queue, acquiring the first key matching the key characteristic information from the target key pool.
4. The method according to claim 3, further comprising:
in the case that it is determined through the second protocol that the number of requests in the request queue is greater than or equal to the first preset threshold, generating, through the second protocol, two fifth messages whose message type is a fourth message type, wherein the fourth message type is used for identifying that a resource reservation request is refused by the relay node, each fifth message carries an error type field, and the error type field is used for indicating the sending direction of the message;
and transmitting, through the first protocol, each fifth message to the end node of the quantum key distribution network corresponding to the first request identifier in the direction indicated by the value of the error type field in that fifth message.
5. The method of claim 4, further comprising:
in the case that a sixth message whose message type is the fourth message type is received and the value of the error type field carried by the sixth message is a first target value, if a message corresponding to a second request identifier carried by the sixth message is found in the request queue, deleting the message corresponding to the second request identifier from the request queue;
and if no message corresponding to the second request identifier carried by the sixth message is found in the request queue, recording the key corresponding to the second request identifier as an invalid key.
6. The method of claim 3, further comprising, after the adding the fourth message to the request queue:
generating, through the second protocol, a seventh message whose message type is the second message type, wherein the seventh message carries an operation type field and the first distribution path, and the operation type field is used for indicating the operation mode of the message;
and in the case that the value of the operation type field is determined to be a second target value, sending the seventh message to the first end node through the first protocol based on the first distribution path.
7. The method of claim 3, further comprising, after the adding the fourth message to the request queue:
generating, through the second protocol, an eighth message whose message type is a fifth message type, wherein the eighth message comprises the first distribution path and the first node identifier, and the fifth message type is used for identifying that the relay node has successfully added a resource reservation request to the request queue;
and transmitting the eighth message to the second end node through the first protocol based on the first distribution path and the first node identifier.
8. The method according to claim 3, wherein the acquiring the first key matching the key characteristic information from the target key pool in the case that the fourth message corresponding to the first request identifier is retrieved from the request queue comprises:
in the case that the fourth message corresponding to the first request identifier is retrieved from the request queue, generating, through the second protocol, a ninth message whose message type is the second message type based on the fourth message, wherein the ninth message carries an operation type field;
and in the case that the value of the operation type field is determined to be a third target value, acquiring, through the first protocol, the first key matching the key characteristic information from the target key pool.
9. The method of claim 8, further comprising, after the acquiring, through the first protocol, the first key matching the key characteristic information from the target key pool, at least one of:
in the case that the types of the two nodes are both the first type, performing an exclusive-OR operation on the two first keys respectively acquired from the target key pool to obtain the key ciphertext;
and in the case that the types of the two nodes are the first type and the second type, if it is found that the relay node has completed key distribution with each of the two nodes, performing an exclusive-OR operation on the first key acquired from the target key pool and the first key established through the third protocol to obtain the key ciphertext.
10. The method of claim 1, wherein the transmitting, through the first protocol, the key ciphertext generated based on the first key to the target end node comprises:
generating, through the first protocol, a tenth message whose message type is a sixth message type, wherein the tenth message comprises the first distribution path and the key ciphertext, and the sixth message type is used for identifying the key ciphertext generated by the relay node from the keys of its two adjacent nodes;
and transmitting the tenth message to the target end node through the first protocol based on the first distribution path.
11. The method of claim 1, further comprising:
parsing the first message through the first protocol;
generating, through the first protocol, an eleventh message whose message type is a seventh message type based on the first request identifier, the first distribution path, the first node identifier of the second end node and the key characteristic information, wherein the seventh message type is used for identifying that a quantum key distribution request is sent;
in the case that it is determined, based on the eleventh message, that the number of resources corresponding to the key characteristic information exceeds the maximum capacity of a target key pool among N key pools of the relay node constructed in advance, generating, through the second protocol, a twelfth message whose message type is a fourth message type;
and in the case that the value of the error type field carried by the twelfth message is determined to be a fourth target value, transmitting the twelfth message to the first end node through the first protocol based on the first distribution path.
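Claims 3, 4, 5 and 11 together describe the relay's admission control for a reservation: refuse a request that asks for more keys than the target key pool can ever hold (claim 11), refuse with one error message per direction when the request queue is at its threshold (claim 4), otherwise enqueue and notify the second end node (claims 3 and 7), and on a cancellation either drop the pending request or mark already-issued keys invalid (claim 5). The following Python is an added example of that state machine, not code from the patent or its assignee. The message type names, error-type values, field names, the path layout and all limits are assumptions; the claims name these only by ordinal.

```python
"""
Relay-side admission control for QKD resource reservation requests.
Added illustration of claims 3-5 and 11; not the patent's own code.
Message type codes, error codes, field names and limits are assumptions.
"""
from collections import deque
from dataclasses import dataclass, field

# Assumed codes for message types the claims name only by ordinal.
MSG_RESERVE = "reserve"     # third message type: resource reservation request
MSG_REJECT = "reject"       # fourth message type: reservation refused by the relay
MSG_QUEUED = "queued"       # fifth message type: request accepted into the queue
ERR_TO_UPSTREAM = 1         # assumed error-type value: send toward the first end node
ERR_TO_DOWNSTREAM = 2       # assumed error-type value: send toward the second end node
ERR_CANCEL = 3              # assumed "first target value" of claim 5: peer cancelled


@dataclass
class Request:
    request_id: str
    path: list          # first distribution path, e.g. ["A", "R1", "R2", "B"]
    key_count: int      # key characteristic information: number of keys wanted
    key_len: int        # key characteristic information: key length in bytes


@dataclass
class Relay:
    node_id: str
    pool_capacity: dict        # adjacent relay -> max keys its key pool can hold
    queue_threshold: int       # first preset threshold of claim 3
    queue: deque = field(default_factory=deque)
    issued: dict = field(default_factory=dict)   # request_id -> key status

    def _neighbour_relay_pool(self, req):
        """Claim 2: the target key pool is the one for the adjacent *relay*."""
        if self.node_id not in req.path:
            raise ValueError("relay is not on the distribution path")
        i = req.path.index(self.node_id)
        for n in (req.path[i - 1], req.path[i + 1]):
            if n in self.pool_capacity:
                return n
        return None

    def handle_reservation(self, req):
        """Returns the list of messages the relay emits for this request."""
        target = self._neighbour_relay_pool(req)
        # Claim 11: demand exceeds what the target pool can ever hold -> one
        # refusal back toward the first end node. This stops a single request
        # from being able to drain the pool.
        if target is not None and req.key_count > self.pool_capacity[target]:
            return [{"type": MSG_REJECT, "request_id": req.request_id,
                     "error_type": ERR_TO_UPSTREAM, "reason": "exceeds pool capacity"}]
        # Claim 4: queue at threshold -> two refusals, one per direction.
        if len(self.queue) >= self.queue_threshold:
            return [{"type": MSG_REJECT, "request_id": req.request_id,
                     "error_type": d, "reason": "queue full"}
                    for d in (ERR_TO_UPSTREAM, ERR_TO_DOWNSTREAM)]
        # Claims 3 and 7: admit, and tell the second end node it is queued.
        self.queue.append(req)
        return [{"type": MSG_QUEUED, "request_id": req.request_id,
                 "path": req.path, "to": req.path[-1]}]

    def handle_reject(self, msg):
        """Claim 5: on a cancel, drop the pending request if still queued,
        otherwise invalidate keys already handed out for it."""
        if msg["error_type"] != ERR_CANCEL:
            return "ignored"
        rid = msg["request_id"]
        for r in list(self.queue):
            if r.request_id == rid:
                self.queue.remove(r)
                return "dequeued"
        self.issued[rid] = "invalid"
        return "key invalidated"
```

The invalidation branch is the security-relevant one: a relay that had already drawn hop keys for a cancelled request must never reuse them for another request, because the XOR key ciphertext of claim 9 is a one-time pad and is only secure while each hop key is used once.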
12. The method of claim 1, further comprising, after the transmitting, through the first protocol, the key ciphertext generated based on the first key to the target end node:
receiving a thirteenth message whose message type is an eighth message type, sent by the target end node in response to the key ciphertext;
wherein the eighth message type is used for identifying that the target end node confirms receipt of the key ciphertext sent by the relay node.
13. The method of claim 1, further comprising, after the transmitting, through the first protocol, the key ciphertext generated based on the first key to the target end node:
receiving a fourteenth message whose message type is a ninth message type, sent by the target end node in response to the key ciphertext, wherein the fourteenth message carries the first distribution path, and the ninth message type is used for identifying that establishment of the key shared by the first end node and the second end node is complete;
and transmitting the fourteenth message, through the first protocol and based on the first distribution path, to the other end node that shares the key with the target end node.
14. A quantum key distribution method applied to a first end node of a quantum key distribution network, comprising:
generating a fifteenth message through a fourth protocol, wherein the fourth protocol is used for initiating a quantum key distribution request, and the fifteenth message comprises a first request identifier of the quantum key distribution request initiated by the first end node, a first distribution path, a first node identifier of a second end node and key characteristic information;
generating, through a second protocol, a first message whose message type is a first message type based on the first request identifier, the first distribution path, the first node identifier and the key characteristic information, wherein the second protocol is used for processing a message according to the role type of the end node and the message type of the received message, and the first message type is used for identifying that a sender of a quantum key distribution request initiates the quantum key distribution request;
transmitting the first message to the second end node through a first protocol, wherein the first protocol is used for determining a transmission path of the message in the quantum key distribution process of the quantum key distribution network;
and in the case that a third message whose message type is a second message type is received from the second end node in response to the first message, acquiring, through a third protocol, a target key shared with the second end node, wherein the target key is used for mutual communication between the first end node and the second end node, the third protocol is used for carrying out key distribution using quantum bits as the information carrier, and the second message type is used for identifying a resource reservation request initiated by a receiver of a quantum key distribution request.
15. The method of claim 14, wherein the acquiring, through the third protocol, the target key shared with the second end node comprises any one of:
establishing, through the third protocol, a target key for communication with the downstream node adjacent to the first end node on the first distribution path, so that the second end node obtains the target key for communication with the first end node;
in the case that the second end node is the downstream node adjacent to the first end node on the first distribution path, receiving first quantum information sent by the second end node through the third protocol, wherein the first quantum information carries the target key, and the target key is a key generated by the second end node for communication with the first end node;
and in the case that M relay nodes exist between the first end node and the second end node, receiving, through the first protocol, thirteenth messages respectively sent by the M relay nodes, and performing an exclusive-OR operation on a second key and the key ciphertexts carried by the thirteenth messages to obtain the target key, wherein each key ciphertext is obtained by an exclusive-OR operation on two first keys, the two first keys are the keys that the relay node shares with its adjacent upstream node and its adjacent downstream node respectively, the second key is a key established through the third protocol by the first end node with its adjacent downstream node, and M is a positive integer.
16. The method of claim 15, wherein the first keys comprise at least one of:
in the case that the M relay nodes include a first relay node, a first key acquired, based on the key characteristic information, from a target key pool among N key pools of the first relay node constructed in advance, wherein the first relay node is a node of which at least one of the adjacent upstream node and the adjacent downstream node is a relay node, the target key pool is the key pool corresponding to the adjacent relay node of the first relay node, and N is a positive integer;
in the case that the M relay nodes include a second relay node, a first key established through the third protocol by the second relay node with its adjacent end node, wherein the second relay node is a node of which at least one of the adjacent upstream node and the adjacent downstream node is an end node.
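The relay-side exclusive-OR of claim 9 and the end-node recovery of claims 15, 16 and 21 are the same computation seen from two sides: each relay publishes the XOR of its upstream and downstream hop keys, and an end node XORs its own hop key with every relay's ciphertext so that the intermediate hop keys cancel pairwise. The Python below works that chain through as an added example; it is not code from the patent or its assignee. The node names, the 32-byte key length, and the use of secrets.token_bytes as a stand-in for the per-hop keys (which the third protocol's QDK link or the second protocol's key pool would supply) are assumptions, and the "thirteenth messages" of claims 15 and 21 are modelled as a plain list of ciphertexts.

```python
"""
XOR key chaining across trusted relays (claims 9, 15, 16 and 21).
Added example, not the patent's own code. Node names, the 32-byte key size and
secrets.token_bytes as a stand-in for per-hop QKD keys are assumptions.
"""
import secrets

KEY_LEN = 32  # bytes; assumed key size for the example


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """One-time-pad style XOR; refuses mismatched lengths rather than truncating."""
    if len(a) != len(b):
        raise ValueError("key length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


def link_keys(path, key_len=KEY_LEN):
    """Stand-in for the per-hop keys: what an end node establishes with its
    neighbour over the QKD link (third protocol), or a relay draws from the key
    pool for its neighbouring relay (second protocol). One fresh key per hop."""
    return {(path[i], path[i + 1]): secrets.token_bytes(key_len)
            for i in range(len(path) - 1)}


def relay_ciphertext(links, upstream, relay, downstream):
    """Claim 9: the relay XORs the key shared with its upstream neighbour and
    the key shared with its downstream neighbour. Both hop keys stay on the
    relay; only their XOR (the 'key ciphertext') is sent."""
    try:
        k_up = links[(upstream, relay)]
        k_down = links[(relay, downstream)]
    except KeyError as e:
        # Claim 9 forms the ciphertext only once key distribution with BOTH
        # neighbours is complete; until then there is nothing to send.
        raise RuntimeError(f"hop key not yet established: {e}") from None
    return xor_bytes(k_up, k_down)


def end_node_recover(own_hop_key, ciphertexts):
    """Claims 15 and 21: the end node XORs its own hop key with every relay's
    ciphertext. Intermediate hop keys cancel pairwise, leaving the hop key
    held by the far end node."""
    k = own_hop_key
    for c in ciphertexts:
        k = xor_bytes(k, c)
    return k


def run_distribution(path, links=None):
    """Full exchange along path = [first end node, relays..., second end node].
    Returns (A's hop key, B's hop key, what A recovers, what B recovers)."""
    if len(path) < 2:
        raise ValueError("path needs two end nodes")
    links = links if links is not None else link_keys(path)
    ciphertexts = [relay_ciphertext(links, path[i - 1], path[i], path[i + 1])
                   for i in range(1, len(path) - 1)]   # M relays -> M ciphertexts
    key_a = links[(path[0], path[1])]     # 'second key' of claim 15: A with adjacent downstream
    key_b = links[(path[-2], path[-1])]   # 'third key' of claim 21: B with adjacent upstream
    return (key_a, key_b,
            end_node_recover(key_a, ciphertexts),
            end_node_recover(key_b, ciphertexts))


def eavesdropper_view(ciphertexts):
    """Everything visible on the classical channel. XORing all ciphertexts
    gives key_a XOR key_b: uniformly random if either hop key is uniform and
    fresh, and useless without one of the two end hop keys."""
    acc = bytes(len(ciphertexts[0])) if ciphertexts else b""
    for c in ciphertexts:
        acc = xor_bytes(acc, c)
    return acc


if __name__ == "__main__":
    path = ["A", "R1", "R2", "R3", "B"]
    key_a, key_b, got_a, got_b = run_distribution(path)
    print("B recovered A's hop key:", got_b == key_a)
    print("A recovered B's hop key:", got_a == key_b)
```

Two points follow from the code. First, this is the trusted-relay model: every relay holds both of its hop keys in the clear, so compromising one relay exposes the end-to-end key for every path through it; the ciphertext only protects against an observer of the classical channel. Second, the ciphertext is a one-time pad of one hop key under another, so the scheme is only sound if each hop key is uniformly random and consumed exactly once, which is what the invalid-key bookkeeping of claim 5 is there to enforce. In the claims only the target end node performs the recovery; the example computes both directions to show that A ends up with B's hop key and B with A's.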
17. The method of claim 14, further comprising, after the acquiring, through the third protocol, the target key shared with the second end node:
in the case that the first end node generates, through the first protocol, a sixteenth message whose message type is a tenth message type, storing the key carried by the sixteenth message through the second protocol and the fourth protocol;
wherein the tenth message type is used for identifying that the first end node has established a key with its adjacent downstream node through the third protocol.
18. The method of claim 17, wherein the sixteenth message further carries a completion field for indicating whether establishment of the key shared by the first end node and the second end node is complete, the method further comprising:
in the case that the first end node and the second end node are directly connected, setting the value of the completion field to a fifth target value, the fifth target value indicating that establishment of the key shared by the first end node and the second end node is complete;
in the case that the first end node and the second end node are not directly connected, setting the value of the completion field to a sixth target value, the sixth target value indicating that establishment of the key shared by the first end node and the second end node is not yet complete.
19. The method of claim 14, further comprising, after the acquiring, through the third protocol, the target key shared with the second end node:
in the case that a fourteenth message whose message type is a ninth message type is received through the first protocol from the second end node in response to the first message, or the first end node generates, through the first protocol, a fourteenth message whose message type is the ninth message type, storing the target key through the second protocol and the fourth protocol;
wherein the ninth message type is used for identifying that establishment of the key shared by the first end node and the second end node is complete.
20. A quantum key distribution method applied to a second end node of a quantum key distribution network, comprising:
receiving a first message sent by a first end node through a first protocol, wherein the first message is generated by the first end node through a fourth protocol and a second protocol, the first protocol is used for determining a transmission path of the message in the quantum key distribution process of the quantum key distribution network, the second protocol is used for processing a message according to the role type of the end node and the message type of the received message, the fourth protocol is used for initiating a quantum key distribution request, and the first message comprises a first request identifier of the quantum key distribution request initiated by the first end node, a first distribution path, a first node identifier of the second end node and key characteristic information;
generating, through the first protocol, the second protocol and the fourth protocol, a third message whose message type is a second message type based on the first request identifier, the first distribution path, the first node identifier and the key characteristic information, wherein the second message type is used for identifying a resource reservation request initiated by a receiver of a quantum key distribution request;
and returning the third message to the first end node through the first protocol, and acquiring, through a third protocol, a target key shared with the first end node, wherein the target key is used for mutual communication between the first end node and the second end node, and the third protocol is used for carrying out key distribution using quantum bits as the information carrier.
21. The method of claim 20, wherein the acquiring, through the third protocol, the target key shared with the first end node comprises any one of:
establishing, through the third protocol, a target key for communication with the upstream node adjacent to the second end node on the first distribution path, so that the first end node obtains the target key for communication with the second end node;
in the case that the first end node is the upstream node adjacent to the second end node on the first distribution path, receiving second quantum information sent by the first end node through the third protocol, wherein the second quantum information carries the target key, and the target key is a key generated by the first end node for communication with the second end node;
and in the case that M relay nodes exist between the first end node and the second end node, receiving, through the first protocol, thirteenth messages respectively sent by the M relay nodes, and performing an exclusive-OR operation on a third key and the key ciphertexts carried by the thirteenth messages to obtain the target key, wherein each key ciphertext is obtained by an exclusive-OR operation on two first keys, the two first keys are the keys that the relay node shares with its adjacent upstream node and its adjacent downstream node respectively, the third key is a key established through the third protocol by the second end node with its adjacent upstream node, and M is a positive integer.
22. A quantum key distribution apparatus applied to a relay node of a quantum key distribution network, comprising:
a first receiving module, configured to receive a first message sent by a first end node through a first protocol, wherein the first message comprises a first request identifier of a quantum key distribution request initiated by the first end node, a first distribution path, a first node identifier of a second end node and key characteristic information, and the first protocol is used for determining a transmission path of the message in the quantum key distribution process of the quantum key distribution network;
a first generating module, configured to generate, through a second protocol, a second message whose message type is a first message type based on the first request identifier, the first distribution path, the first node identifier and the key characteristic information, in the case that the number of resources required by the quantum key distribution request corresponding to the first request identifier does not exceed the processing capacity of the relay node, wherein the second protocol is used for scheduling received quantum key distribution requests, and the first message type is used for identifying that a sender of a quantum key distribution request initiates the quantum key distribution request;
a first sending module, configured to send the second message to the second end node through the first protocol;
a first obtaining module, configured to obtain, in the case that a third message whose message type is a second message type is received from the second end node in response to the second message, first keys between the relay node and each of the two nodes adjacent to the relay node respectively through the second protocol and/or a third protocol, based on the types of the two adjacent nodes and the key characteristic information, wherein the second message type is used for identifying a resource reservation request initiated by a receiver of a quantum key distribution request, and the third protocol is used for carrying out key distribution using quantum bits as the information carrier;
and a second sending module, configured to send a key ciphertext generated based on the first keys to a target end node through the first protocol, wherein the target end node is the first end node or the second end node, the key ciphertext is used for determining a target key shared by the first end node and the second end node, and the target key is used for mutual communication between the first end node and the second end node.
23. The apparatus of claim 22, wherein the first obtaining module comprises:
a first obtaining sub-module, configured to obtain, through the second protocol and in the case that the types of the two nodes include a first type, a first key matching the key characteristic information from a target key pool among N key pools of the relay node constructed in advance, wherein the target key pool is the key pool corresponding to the relay node's adjacent relay node on the first distribution path, the first type indicates that the node is a relay node, and N is a positive integer;
and a first establishing sub-module, configured to establish, through the third protocol and in the case that the types of the two nodes include a second type, a first key with the relay node's adjacent end node on the first distribution path, wherein the second type indicates that the node is an end node.
24. The apparatus of claim 23, wherein the first obtaining sub-module comprises:
a first generating unit, configured to generate, through the first protocol, a fourth message whose message type is a third message type, wherein the third message type is used for identifying a resource reservation request initiated by a receiver of a quantum key distribution request, and the fourth message carries the key characteristic information and the first request identifier;
an adding unit, configured to add the fourth message to a pre-built request queue in the case that it is determined through the second protocol that the number of requests in the request queue is smaller than a first preset threshold;
and a first obtaining unit, configured to obtain the first key matching the key characteristic information from the target key pool in the case that the fourth message corresponding to the first request identifier is retrieved from the request queue.
25. The apparatus of claim 24, further comprising:
a second generating module, configured to generate, through the second protocol, two fifth messages whose message type is a fourth message type in the case that it is determined through the second protocol that the number of requests in the request queue is greater than or equal to the first preset threshold, wherein the fourth message type is used for identifying that a resource reservation request is refused by the relay node, each fifth message carries an error type field, and the error type field is used for indicating the sending direction of the message;
and a third sending module, configured to transmit, through the first protocol, each fifth message to the end node of the quantum key distribution network corresponding to the first request identifier in the direction indicated by the value of the error type field in that fifth message.
26. The apparatus of claim 25, further comprising:
a deleting module, configured to, in the case that a sixth message whose message type is the fourth message type is received and the value of the error type field carried by the sixth message is a first target value, delete the message corresponding to a second request identifier carried by the sixth message from the request queue if that message is found in the request queue;
and a recording module, configured to record the key corresponding to the second request identifier as an invalid key if no message corresponding to the second request identifier carried by the sixth message is found in the request queue.
27. The apparatus of claim 24, further comprising:
a third generating module, configured to generate, through the second protocol, a seventh message whose message type is the second message type, wherein the seventh message carries an operation type field and the first distribution path, and the operation type field is used for indicating the operation mode of the message;
and a fourth sending module, configured to send the seventh message to the first end node through the first protocol based on the first distribution path in the case that the value of the operation type field is determined to be a second target value.
28. The apparatus of claim 24, further comprising:
a fourth generating module, configured to generate, through the second protocol, an eighth message whose message type is a fifth message type, wherein the eighth message comprises the first distribution path and the first node identifier, and the fifth message type is used for identifying that the relay node has successfully added a resource reservation request to the request queue;
and a fifth sending module, configured to send the eighth message to the second end node through the first protocol based on the first distribution path and the first node identifier.
29. The apparatus of claim 24, wherein the first obtaining unit is specifically configured to:
in the case that the fourth message corresponding to the first request identifier is retrieved from the request queue, generate, through the second protocol, a ninth message whose message type is the second message type based on the fourth message, wherein the ninth message carries an operation type field;
and in the case that the value of the operation type field is determined to be a third target value, acquire, through the first protocol, the first key matching the key characteristic information from the target key pool.
30. The apparatus of claim 29, further comprising:
a first exclusive-OR module, configured to perform an exclusive-OR operation on the two first keys respectively acquired from the target key pool to obtain the key ciphertext, in the case that the types of the two nodes are both the first type;
and a second exclusive-OR module, configured to perform an exclusive-OR operation on the first key acquired from the target key pool and the first key established through the third protocol to obtain the key ciphertext, in the case that the types of the two nodes are the first type and the second type and it is found that the relay node has completed key distribution with each of the two nodes.
31. The apparatus of claim 22, wherein the second sending module is specifically configured to:
generate, through the first protocol, a tenth message whose message type is a sixth message type, wherein the tenth message comprises the first distribution path and the key ciphertext, and the sixth message type is used for identifying the key ciphertext generated by the relay node from the keys of its two adjacent nodes;
and transmit the tenth message to the target end node through the first protocol based on the first distribution path.
32. The apparatus of claim 22, further comprising:
a parsing module, configured to parse the first message through the first protocol;
a fifth generating module, configured to generate, through the first protocol, an eleventh message whose message type is a seventh message type based on the first request identifier, the first distribution path, the first node identifier of the second end node and the key characteristic information, wherein the seventh message type is used for identifying that a quantum key distribution request is sent;
a sixth generating module, configured to generate, through the second protocol, a twelfth message whose message type is a fourth message type in the case that it is determined, based on the eleventh message, that the number of resources corresponding to the key characteristic information exceeds the maximum capacity of a target key pool among N key pools of the relay node constructed in advance;
and a sixth sending module, configured to transmit the twelfth message to the first end node through the first protocol based on the first distribution path in the case that the value of the error type field carried by the twelfth message is determined to be a fourth target value.
33. The apparatus of claim 22, further comprising:
a second receiving module, configured to receive a thirteenth message with a message type being an eighth message type, sent by the target end node in response to the key ciphertext;
wherein the eighth message type is used to identify that the target end node confirms receipt of the key ciphertext sent by the relay node.
34. The apparatus of claim 22, further comprising:
a third receiving module, configured to receive a fourteenth message with a message type being a ninth message type, wherein the fourteenth message is sent by the target end node in response to the key ciphertext and carries the first distribution path, and the ninth message type is used to identify that establishment of the key shared by the first end node and the second end node is complete;
and a seventh sending module, configured to send, based on the first distribution path, the fourteenth message through the first protocol to the other end node sharing the key with the target end node.
35. A quantum key distribution device for use in a first end node of a quantum key distribution network, comprising:
a seventh generating module, configured to generate a fifteenth message through a fourth protocol, wherein the fourth protocol is used to initiate a quantum key distribution request, and the fifteenth message includes a first request identifier of the quantum key distribution request initiated by the first end node, a first distribution path, a first node identifier of the second end node, and key feature information;
an eighth generating module, configured to generate, based on the first request identifier, the first distribution path, the first node identifier, and the key feature information, a first message with a message type being a first message type through a second protocol, wherein the second protocol is used to process a message according to the role type of an end node and the message type of the received message, and the first message type is used to identify that a sender of a quantum key distribution request initiates the request;
an eighth sending module, configured to send the first message to the second end node through a first protocol, wherein the first protocol is used to determine the sending path of a message during quantum key distribution in the quantum key distribution network;
and a second acquisition module, configured to acquire, through a third protocol, a target key shared with the second end node in the case that a third message with a message type being a second message type, sent by the second end node in response to the first message, is received, wherein the target key is used for communication between the first end node and the second end node, the third protocol is used to perform key distribution using quantum bits as the information carrier, and the second message type is used to identify a resource reservation request initiated by a receiver of a quantum key distribution request.
36. The apparatus of claim 35, wherein the second acquisition module comprises:
a second establishing sub-module, configured to establish, through the third protocol, a target key shared with the downstream node adjacent to the first end node in the first distribution path, so that the second end node obtains the target key shared with the first end node;
a first receiving sub-module, configured to receive, in the case that the second end node is the downstream node adjacent to the first end node in the first distribution path, first quantum information sent by the second end node through the third protocol, wherein the first quantum information carries a target key generated by the second end node for communication with the first end node;
and a first exclusive-or operation sub-module, configured to, in the case that M relay nodes exist between the first end node and the second end node, receive through the first protocol the thirteenth messages respectively sent by the M relay nodes, and perform an exclusive-or operation on a second key and the key ciphertexts carried by the thirteenth messages to obtain the target key, wherein each key ciphertext is obtained by performing an exclusive-or operation on two first keys, the two first keys are the keys a relay node shares respectively with its adjacent upstream node and its adjacent downstream node, the second key is a key established through the third protocol by the first end node and its adjacent downstream node, and M is a positive integer.
37. The apparatus of claim 36, wherein the first key comprises at least one of:
in the case that the M relay nodes include a first relay node, the first key is obtained, based on the key feature information, from a target key pool among N key pools of the first relay node constructed in advance, wherein the first relay node is a node of which at least one of the adjacent upstream node and the adjacent downstream node is a relay node, the target key pool is the key pool corresponding to the adjacent relay node of the first relay node, and N is a positive integer;
in the case that the M relay nodes include a second relay node, the first key is a key established through the third protocol by the second relay node and an adjacent end node, wherein the second relay node is a node of which at least one of the adjacent upstream node and the adjacent downstream node is an end node.
38. The apparatus of claim 35, further comprising:
the first storage module is configured to store, when the first end node generates a sixteenth message with a message type being a tenth message type through the first protocol, a key carried by the sixteenth message through the second protocol and the fourth protocol;
wherein the tenth message type is used to identify that the first end node has established a key with its adjacent downstream node through the third protocol.
39. The apparatus of claim 38, wherein the sixteenth message further carries a completion field for indicating whether establishment of a key shared by the first end node and the second end node is complete, the apparatus further comprising:
a first setting module, configured to set, in a case where the first end node and the second end node are directly connected, a value of the completion field to a fifth target value, where the fifth target value indicates that establishment of a key shared by the first end node and the second end node is completed;
and a second setting module, configured to set, in the case that the first end node and the second end node are not directly connected, the value of the completion field to a sixth target value, wherein the sixth target value indicates that establishment of the key shared by the first end node and the second end node is not complete.
40. The apparatus of claim 35, further comprising:
a second storage module, configured to store the target key through the second protocol and the fourth protocol when a fourteenth message with a message type being a ninth message type, returned by the second end node in response to the first message, is received through the first protocol, or when the first end node itself generates through the first protocol a fourteenth message with a message type being a ninth message type;
wherein the ninth message type is used to identify that establishment of the key shared by the first end node and the second end node is complete.
41. A quantum key distribution device for use in a second end node of a quantum key distribution network, comprising:
a fourth receiving module, configured to receive, through a first protocol, a first message sent by a first end node, wherein the first message is generated by the first end node through a fourth protocol and a second protocol, the first protocol is used to determine the sending path of a message during quantum key distribution in the quantum key distribution network, the second protocol is used to process a message according to the role type of an end node and the message type of the received message, the fourth protocol is used to initiate a quantum key distribution request, and the first message includes a first request identifier of the quantum key distribution request initiated by the first end node, a first distribution path, a first node identifier of the second end node, and key feature information;
a ninth generating module, configured to generate, based on the first request identifier, the first distribution path, the first node identifier, and the key feature information, a third message with a message type being a second message type through the first protocol, the second protocol, and the fourth protocol, wherein the second message type is used to identify a resource reservation request initiated by a receiver of a quantum key distribution request;
a ninth sending module, configured to send the third message to the first end node through the first protocol;
and a third acquisition module, configured to acquire, through a third protocol, a target key shared with the first end node, wherein the target key is used for communication between the first end node and the second end node, and the third protocol is used to perform key distribution using quantum bits as the information carrier.
42. The apparatus of claim 41, wherein the third acquisition module comprises:
a third establishing sub-module, configured to establish, through the third protocol, a target key shared with the upstream node adjacent to the second end node in the first distribution path, so that the first end node obtains the target key shared with the second end node;
a second receiving sub-module, configured to receive, in the case that the first end node is the upstream node adjacent to the second end node in the first distribution path, second quantum information sent by the first end node through the third protocol, wherein the second quantum information carries a target key generated by the first end node for communication with the second end node;
and a second exclusive-or operation sub-module, configured to, in the case that M relay nodes exist between the first end node and the second end node, receive through the first protocol the thirteenth messages respectively sent by the M relay nodes, and perform an exclusive-or operation on a third key and the key ciphertexts carried by the thirteenth messages to obtain the target key, wherein each key ciphertext is obtained by performing an exclusive-or operation on two first keys, the two first keys are the keys a relay node shares respectively with its adjacent upstream node and its adjacent downstream node, the third key is a key established through the third protocol by the second end node and its adjacent upstream node, and M is a positive integer.
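As an added example (not the patent's or the applicant's code), the following Python models the exclusive-or relay of claims 36 and 42: each relay publishes the XOR of the two first keys it shares with its neighbours, and an end node recovers the target key by XORing the link key it holds with all of those ciphertexts, so the intermediate link keys cancel pairwise. The node roles, the 32-byte key length and the random stand-in for the third protocol's quantum-derived key material are assumptions of this example.

```python
import secrets
from typing import List, Tuple

# Constructed illustration of the exclusive-or relay described in claims 36
# and 42. Node roles, the key length and the random "QKD" keys are all
# assumptions for the example; none of this is the patent's own code.

KEY_LEN = 32  # bytes of key material per hop (assumed)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise exclusive-or; the claims' 'exclusive-or operation'.

    Both operands must have the same length: XORing keys of different
    lengths would silently truncate or mis-align key material.
    """
    if len(a) != len(b):
        raise ValueError(f"key lengths differ: {len(a)} vs {len(b)}")
    return bytes(x ^ y for x, y in zip(a, b))


def establish_link_keys(m_relays: int) -> List[bytes]:
    """Stand-in for the 'third protocol' (QKD) run on every hop.

    The path A -> R1 -> ... -> RM -> B has M+1 hops; link key i is shared
    by the two neighbours of hop i. Random bytes replace qubit-derived keys.
    """
    return [secrets.token_bytes(KEY_LEN) for _ in range(m_relays + 1)]


def relay_key_ciphertexts(link_keys: List[bytes]) -> List[bytes]:
    """Relay R_i publishes c_i = k_(i-1) XOR k_i, the XOR of its upstream
    and downstream first keys. Each c_i alone reveals neither key, but the
    relay holds both in the clear, which is why such relays must be trusted."""
    return [xor_bytes(link_keys[i], link_keys[i + 1])
            for i in range(len(link_keys) - 1)]


def recover_target_key(own_link_key: bytes, ciphertexts: List[bytes]) -> bytes:
    """An end node XORs the key it shares with its neighbour with every relay
    ciphertext. With no relays (direct connection, claim 39's fifth target
    value) the link key is already the target key."""
    key = own_link_key
    for c in ciphertexts:
        key = xor_bytes(key, c)
    return key


def run_distribution(m_relays: int) -> Tuple[List[bytes], List[bytes], bytes, bytes]:
    """Simulate one request over M relays; return the link keys, the relay
    ciphertexts, and what each end node recovers from them."""
    keys = establish_link_keys(m_relays)
    cts = relay_key_ciphertexts(keys)
    at_second_end = recover_target_key(keys[-1], cts)  # claim 42: holds k_M, gets k_0
    at_first_end = recover_target_key(keys[0], cts)    # claim 36: holds k_0, gets k_M
    return keys, cts, at_first_end, at_second_end
```

Only the end that did not originate the target key needs to perform the XOR; `run_distribution` shows both directions so that either claim's sub-module can be checked against the link keys.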
43. An electronic device, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the method of any one of claims 1-13, or to perform the method of any one of claims 14-19, or to perform the method of any one of claims 20-21.
44. A non-transitory computer readable storage medium storing computer instructions for causing a computer to perform the method of any one of claims 1-13, or to perform the method of any one of claims 14-19, or to perform the method of any one of claims 20-21.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211486216.4A CN115865334B (en) | 2022-11-24 | 2022-11-24 | Quantum key distribution method and device and electronic equipment |
Publications (2)
Publication Number | Publication Date |
---|---|
CN115865334A CN115865334A (en) | 2023-03-28 |
CN115865334B true CN115865334B (en) | 2023-07-21 |
Family ID: 85666147
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202211486216.4A Active CN115865334B (en) | 2022-11-24 | 2022-11-24 | Quantum key distribution method and device and electronic equipment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN115865334B (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN116319097B (en) * | 2023-05-19 | 2023-09-22 | 广东广宇科技发展有限公司 | Multi-node data transmission method based on quantum encryption |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109995510A (en) * | 2017-12-29 | 2019-07-09 | 成都零光量子科技有限公司 | A kind of quantum key relay services method |
CN114362939A (en) * | 2020-12-31 | 2022-04-15 | 广东国腾量子科技有限公司 | Trusted relay quantum secret communication network-based dynamic routing forwarding method, storage device and intelligent terminal |
Family Cites Families (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108023725B (en) * | 2016-11-04 | 2020-10-09 | 华为技术有限公司 | Quantum key relay method and device based on centralized management and control network |
CN110266473A (en) * | 2019-04-22 | 2019-09-20 | 北京邮电大学 | Method, relay node and the distribution method of relay node distribution quantum key |
CN111865567B (en) * | 2019-04-29 | 2021-11-30 | 科大国盾量子技术股份有限公司 | Relay method, device, system, equipment and storage medium of quantum key |
CN112953710B (en) * | 2021-01-28 | 2022-07-01 | 西安电子科技大学 | Wireless/wired hybrid QKD network based on trusted relay |
CN114978477A (en) * | 2021-02-18 | 2022-08-30 | 国科量子通信网络有限公司 | Open type key distribution network architecture based on physical system |
CN113765663B (en) * | 2021-09-26 | 2022-11-25 | 清华大学 | Method and device for strengthening security of quantum key distribution network |
CN114124388B (en) * | 2022-01-27 | 2022-05-10 | 济南量子技术研究院 | Gossip protocol synchronization method based on quantum key |
CN114900293B (en) * | 2022-05-06 | 2023-05-05 | 浙江九州量子信息技术股份有限公司 | Quantum key global relay method and system based on dispatching center |
CN115276976B (en) * | 2022-07-25 | 2023-07-07 | 北京百度网讯科技有限公司 | Quantum key distribution method and device and electronic equipment |
2022-11-24: CN application CN202211486216.4A, patent CN115865334B (en), status Active
Non-Patent Citations (1)
Title |
---|
Zhang Qin; Liu Yikai; Yu Xiaosong; Zhao Yongli; Zhang Jie. Photonics, 2022, vol. 9, no. 4, 239. * |
Also Published As
Publication number | Publication date |
---|---|
CN115865334A (en) | 2023-03-28 |
Legal Events
Code | Title |
---|---|
PB01 | Publication |
SE01 | Entry into force of request for substantive examination |
GR01 | Patent grant |