CN116155492B - A segmented key distribution method and system for hybrid relay QKD networks - Google Patents

A segmented key distribution method and system for hybrid relay QKD networks

Info

Publication number
CN116155492B
CN116155492B CN202310171705.9A CN202310171705A CN116155492B CN 116155492 B CN116155492 B CN 116155492B CN 202310171705 A CN202310171705 A CN 202310171705A CN 116155492 B CN116155492 B CN 116155492B
Authority
CN
China
Prior art keywords
path
segmented
key
node
segment
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202310171705.9A
Other languages
Chinese (zh)
Other versions
CN116155492A (en
Inventor
李健
王明君
薛开平
陈鲁同
俞能海
孙启彬
陆军
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
University of Science and Technology of China USTC
Original Assignee
University of Science and Technology of China USTC
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by University of Science and Technology of China USTC filed Critical University of Science and Technology of China USTC
Priority to CN202310171705.9A priority Critical patent/CN116155492B/en
Publication of CN116155492A publication Critical patent/CN116155492A/en
Application granted granted Critical
Publication of CN116155492B publication Critical patent/CN116155492B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0852Quantum cryptography
    • H04L9/0855Quantum cryptography involving additional nodes, e.g. quantum relays, repeaters, intermediate nodes or remote nodes
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02DCLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00Reducing energy consumption in communication networks
    • Y02D30/70Reducing energy consumption in communication networks in wireless communication networks

Landscapes

  • Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Electromagnetism (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

本发明涉及一种针对混合中继QKD网络的分段密钥分发方法及系统,其方法包括:S1:QKD网络中任意终端节点发送用户密钥的分发请求后,构建密钥分发路径及其分段路径;其中,密钥分发路径包括:源节点、目的节点、可信和不可信中继节点;每段分段路径包含至少一条子分段路径;S2:在每一条子分段路径上并行地进行密钥分发,并在分段路径的端节点对密钥进行重构,同步生成分段密钥;S3:沿着密钥分发路径,以第一个分段密钥作为该密钥分发路径的用户密钥,其余分段密钥作为加密密钥,经由可信中继转发用户密钥,完成由源节点到目的节点的密钥分发。本发明提供的方法可减少密钥分发的路径长度从而提供安全性,并减少链路上密钥资源的消耗。

This invention relates to a segmented key distribution method and system for hybrid relay QKD networks. The method includes: S1: After any terminal node in the QKD network sends a user key distribution request, it constructs a key distribution path and its segmented paths; wherein, the key distribution path includes: a source node, a destination node, and trusted and untrusted relay nodes; each segmented path contains at least one sub-segmented path; S2: Key distribution is performed in parallel on each sub-segmented path, and the key is reconstructed at the end node of the segmented path to synchronously generate segmented keys; S3: Along the key distribution path, the first segmented key is used as the user key for that key distribution path, and the remaining segmented keys are used as encryption keys. The user key is forwarded via trusted relays to complete the key distribution from the source node to the destination node. The method provided by this invention can reduce the path length of key distribution, thereby providing security, and reduce the consumption of key resources on the link.

Description

Segmented key distribution method and system for hybrid relay QKD network
Technical Field
The invention relates to the technical field of quantum key distribution, in particular to a method and a system for distributing a segmented key aiming at a hybrid relay QKD network.
Background
Information security is a paramount concern in the digital age, and classical cryptography provides a variety of encryption, authentication, and integrity protection algorithms. With the development of quantum information technology, the great computational power improvement and the demonstration of quantum superiority brought by a quantum computer make classical cryptography based on mathematical problems such as prime number decomposition and discrete logarithm no longer safe. To cope with quantum threat, quantum key distribution (Quantum Key Distribution, QKD) technology is used, and One-Time Pad (One Time Pad) is matched to realize theoretically unconditional security of both communication parties.
Various QKD protocols have been developed so far, but they can only distribute QKD keys among nodes that are directly connected at close distances. In order to distribute keys between arbitrary, cross-node, remote parties, it is common practice to compose QKD networks by means of relay technology. Currently trusted relays are widely commercially available for their flexibility and applicability. In the long-distance key distribution process, the final user key is encrypted and protected by the link-level key on each hop, and each relay node on the path firstly decrypts the message containing the encrypted user key to obtain the user key, encrypts the user key and then sends the user key to the next hop. Thus, the user key will be present in plain text at the relay node. This necessitates consideration of security issues of the relay node, considering that an endless attack on the relay node may steal the user key forwarded by the relay node. In order to solve the problem that the untrusted relay node in the QKD network affects the security of user key distribution, the prior work has attempted to perform exclusive-or operation on the keys distributed on multiple paths to obtain the final key based on the method of multi-path key distribution, so as to improve the key security. However, these schemes do not allow for the full use of trusted relays in the network, especially in the context of long-range key distribution, where existing multi-path key distribution schemes do not improve security well and reduce consumption of key resources on the link.
Disclosure of Invention
In order to solve the technical problems, the invention provides a method and a system for distributing a segmented key for a hybrid relay QKD network.
The technical solution of the invention is that a method for distributing the segmented key aiming at the hybrid relay QKD network comprises the following steps:
Step S1, after any terminal node in a QKD network sends a user key distribution request, a key distribution path and a segmentation path thereof are constructed, wherein the key distribution path comprises a source node, a destination node, a trusted relay node and an untrusted relay node;
Step S2, carrying out key distribution on each sub-segment path contained in each segment of the segment path in parallel, reconstructing the key by adopting a key reconstruction function on an end node of the segment path, and synchronously generating a segment key corresponding to each segment of the segment path;
And S3, along the key distribution path, using the first segmented key as a user key of the key distribution path, using the rest segmented keys as encryption keys, and forwarding the user key through the trusted relay to finish the user key distribution from the source node to the destination node.
Compared with the prior art, the invention has the following advantages:
The invention discloses a segmented key distribution method for a hybrid relay QKD network, which segments a key distribution path based on a trusted relay, distributes the risk of key leakage of one key distribution path to each segment, avoids that a single node on the path is attacked to influence the security of the distributed key on the whole path, fully utilizes the security characteristic of the trusted relay, reduces the length of the key distribution path, thereby improving the security of the key distribution process and reducing the consumption of key resources on a link.
Drawings
Fig. 1 is a flowchart of a method of segment key distribution for a hybrid relay QKD network in accordance with an embodiment of the present invention;
fig. 2 is a schematic diagram of a QKD network according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of a non-segmented key distribution method according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of a method for distributing a segment key according to an embodiment of the present invention;
fig. 5 is a block diagram of a segment key distribution system for a hybrid relay QKD network in accordance with an embodiment of the present invention.
Detailed Description
The invention provides a segmented key distribution method for a hybrid relay QKD network, which fully utilizes the security characteristic of a trusted relay, reduces the path length of key distribution, thereby improving the security and reducing the consumption of key resources on a link.
The present invention will be further described in detail below with reference to the accompanying drawings by way of specific embodiments in order to make the objects, technical solutions and advantages of the present invention more apparent.
Example 1
As shown in fig. 1, the method for distributing the segment key for the hybrid relay QKD network according to the embodiment of the present invention includes the following steps:
Step S1, after any terminal node in a QKD network sends a user key distribution request, a key distribution path and a segmentation path thereof are constructed, wherein the key distribution path comprises a source node, a destination node, a trusted relay node and an untrusted relay node;
Step S2, carrying out key distribution on each sub-segment path contained in each segment of segment path in parallel, reconstructing the key by adopting a key reconstruction function on an end node of the segment path, and synchronously generating a segment key corresponding to each segment of segment path;
and S3, along the key distribution path, using the first segment key as a user key of the key distribution path, using the other segment keys as encryption keys, and forwarding the user key through a trusted relay to finish the user key distribution from the source node to the destination node.
In one embodiment, step S1, after any terminal node in the QKD network sends a user key distribution request, a key distribution path and a segment path thereof are constructed, where the key distribution path includes a source node, a destination node, a trusted relay node, and an untrusted relay node, and each segment of segment path includes at least one sub-segment path, and specifically includes:
The method comprises the steps that a centralized controller obtains position information of a trusted relay node serving as a convergence point, a key distribution path is constructed according to a routing algorithm, the key distribution path comprises N trusted relay nodes, and therefore N+1 segmented paths are formed, wherein an end node of each segmented path is a source node, a destination node or a trusted relay node, when the segmented path comprises a plurality of sub-segmented paths, the sub-segmented paths are parallel paths, namely, the sub-segmented paths share a start end node and a stop end node of the segmented path. In particular, when n=0, the path between the source node and the destination node is constituted by a single segment path.
The centralized controller is widely used in the existing QKD network, as shown in fig. 2, and the centralized controller can acquire the network status of the whole QKD network, including the network topology and whether the relay node is trusted, and send routing information and reconfiguration instructions to the relay node. The centralized controller establishes a key distribution path and its segment path according to the actual conditions of the source node, destination node, and network included in the key distribution request of any terminal node in the QKD network. The key distribution path is composed of a plurality of segmented paths in series, and each segmented path comprises a plurality of parallel sub-segmented paths.
The steps of the routing algorithm based on the segmentation in the embodiment of the invention are as follows:
1) And finding the segmented trusted relay node. The initial set of trusted relays is empty. A Dijkstra algorithm is used to find a trusted relay node that is not in the set of trusted relays and that has the smallest sum of hops between the source node and the destination node. And then using an extended Dijkstra algorithm taking the key distribution security probability of the path as the path cost to find the optimal two paths between the source node and the destination node and calculate the security probability of user key distribution between the source node and the destination node, and then also finding the optimal two segmentation paths from the source node to the trusted relay node and the trusted relay node to the destination node and calculate the security probability of user key distribution after segmentation. If the security probability after segmentation is larger, adding the trusted relay node into the set, setting the node as a new source node, and continuously repeating the step 1), otherwise, stopping the step 1).
2) The path of the segment is found. Starting to circularly search available paths in the segment by using the trusted relay set found in the step 1) as a path convergence point. Each round of looping finds a sub-segment path on each segment and updates the topology until the algorithm is aborted when no additional paths are found in a round of looping or the security requirements are met.
The embodiment of the invention calculates the safety of each sub-segment path according to the following formula:
P l is the security probability of a distribution key of a certain sub-segment path on a segment path, l is a relay node set contained in the sub-segment path and comprises a trusted relay node and an untrusted relay node, ρ i is the security probability of a relay node i on the sub-segment path, the probability that the relay node i is not controlled by an attacker is represented, the higher the value of ρ i is, the safer the relay node i is, and when the relay node i is the trusted relay node, ρ i =1 is represented as the absolute security of the trusted relay node;
the security of each segment of the segmented path is calculated according to the following formula:
Wherein s j is a sub-segment path set on the jth segment path, and MP j is the security probability of the segment key obtained by key reconstruction on the jth segment path through the keys on the multiple parallel sub-segment paths.
The security of the user key on the key distribution path is calculated according to the following formula:
wherein, the The SP is the security probability of the user key obtained through the distribution of the segmented key.
In the QKD network shown in fig. 3, the relay nodes except the source node S, the destination node D and one trusted relay node R are all untrusted relay nodes, i.e. the number of trusted relay nodes n=1, and the network includes 2 segment paths S-R and R-D, where the segment path S-R includes three parallel sub-segment paths S-A-R, S-B-R and S-C-R, and the segment path R-D includes two parallel sub-segment paths R-H-D and R-G-D.
In one embodiment, the step S2 includes performing key distribution on each sub-segment path included in each segment of segment path in parallel, and reconstructing a key on an end node of the segment path by using a key reconstruction function, so as to synchronously generate a segment key corresponding to each segment of segment path, where the method specifically includes:
Step S21, regarding a key shared between a starting end node and a next adjacent relay node of each segment of the segmented path as a key of the segmented path, regarding keys shared among other relay nodes on the segmented path as encryption keys, and forwarding the keys in a hop-by-hop encryption and decryption mode through the relay nodes on the segmented path, namely, adopting the key shared with the previous adjacent node to decrypt the keys on the segmented path and adopting the key shared with the next adjacent node to encrypt the keys until reaching a termination end node of the segmented path;
s22, generating a segmented key for obtaining the segmented path by adopting the same key reconstruction function at the end node, namely the initial end node and the end node, on the segmented path;
When the non-segmented key distribution method based on multipath in the existing method is adopted, in order to avoid that an attacker controls a single unreliable relay node and can steal multiple keys, the searched paths are node-disjoint. As shown in fig. 3, when the source node S needs to send the user key KA to the destination node D, only two paths which are not intersected by the source node S and the destination node D can be found, taking paths S-A-R-H-D and S-C-E-F-G-D as examples, the keys A1 and A2 are respectively distributed through the paths, and finally the consistent user key KA can be obtained by performing exclusive or operation on the keys A1 and A2 at the source node S and the destination node D. Assuming that the unit key amount generated between adjacent links is 128 bits and the security probability ρ i =0.9 of the untrusted relay node, considering that the hop numbers of the two paths are 4 hops and 5 hops respectively, the key amount required to be consumed for realizing end-to-end user key distribution on the key distribution path by adopting A one-time pad method is 9 x 128 bits, the security probability of the key A1 after the path S-A-R-H-D hop-by-hop encryption forwarding is 1x 0.9 x 1=0.81, the security probability of the key A2 after the path S-C-E-F-G-D hop-by-hop encryption forwarding is 1x 0.9 x 1=0.6561, the security probability of the end user key after the exclusive-or reconstruction operation is 1- (1-0.81) × (1-0.6561) = 0.9347.
Fig. 4 shows A key distribution method based on A segmented path, which is provided by the invention, wherein A trusted relay node R is used as A segmented point, three parallel sub-segmented paths, namely, S-A-R, S-B-R and S-C-R, are established between A source node S and the trusted relay node R to distribute keys A1, A2 and A3 respectively, and A shared segmented key kA is reconstructed between the source node S and the trusted relay node R through the keys. And constructing two parallel sub-segment paths between the trusted relay node R and the destination node D, namely respectively distributing path keys b1 and b2 by the R-H-D and the R-G-D, reconstructing a shared segment key Kb by the trusted relay node R and the destination node D through the keys, and finally distributing a user key Ka to the destination node D by the trusted relay R by using Ka and Kb in an encryption forwarding method.
Firstly, even if only two parallel sub-segment paths S-A-R, S-B-R are used between the source node S and the trusted relay node R, at this time, according to the security calculation formulA, the security probabilities of the keys A1 and A2 distributed through the two parallel sub-segment paths S-A-R and S-B-R are both 1×0.9×1=0.9, and then the security probability of the segment key kA after the exclusive or reconstruction operation is 1- (1-0.9) ×1-0.9) =0.99. Similarly, two parallel sub-segment paths are used between the trusted relay node R and the destination node D, the security probability of the keys b1 and b2 distributed through the two parallel sub-segment paths R-H-D R and R-G-D is 1×0.9×1=0.9 according to a security calculation formula, and then the security probability of Kb of the segment key after the exclusive or reconstruction operation is 1- (1-0.9) ×1-0.9) =0.99, and finally, ka is used as a user key and Kb is used as an encryption key, and the security probability of the user key obtained by forwarding through the trusted relay node R is 0.99×0.99= 0.9801. Also assuming that the unit key amount generated between adjacent links is 128 bits, the segmentation-based key distribution method adopted by the invention uses A total of four sub-segmentation paths with 2 hops, namely S-A-R, S-B-R, R-H-D, R-G-D, so that the consumed key amount is 8 x 128 bits. Compared with the prior art, the method provided by the invention not only consumes less link key resources, but also has better security for key distribution than the conventional multipath distribution method.
Secondly, the method provided by the invention provides an option with better security, and when the sub-segment path S-C-R is further adopted, the security can be further improved under the condition of consuming more key resources, namely 10 x 128 bits. At this time, according to the security calculation formula, the security probability of the keys a1, a2 and a3 is 0.9, the security probability of the segmented key Ka after the exclusive-or reconstruction operation is 1- (1-0.9) × (1-0.9) =0.999, the security probability of the keys b1 and b2 is 0.9, the security probability of the segmented key Kb after the exclusive-or reconstruction operation is 1- (1-0.9) × (1-0.9) =0.99, and finally, the security probability of the user key forwarded by the trusted relay node R is 0.999×0.99= 0.98901 with Ka as the user key and Kb as the encryption key.
And when the distribution of the path keys is completed on all paths between nodes at two ends of the path of the segment, generating and obtaining the key of the segment by adopting a key reconstruction function aiming at the path keys on all paths of the segment. The method for reconstructing the segmented key in the embodiment of the invention comprises an exclusive OR, a HASH, (t, n) threshold algorithm and the like. As shown in fig. 4, the path keys a1, a2, and a3 generate the segment key Ka through key reconstruction, and the path keys b1, b2, and b3 generate the segment key Kb through key reconstruction.
The segmented key distribution method for the hybrid relay QKD network can utilize more residual paths in the network, shortens the path length by multiplexing the trusted relay nodes, reduces the risk of key leakage, improves the security of key distribution, and reduces the consumption of key resources on links.
In one embodiment, the step S3 includes using a first segment key as a user key of the key distribution path along the key distribution path, using the other segment keys as encryption keys, forwarding the user key via a trusted relay, and completing user key distribution from a source node to a destination node, where the method specifically includes:
Starting from a source node, taking a first segment key as a user key of the key distribution path, adopting a hop-by-hop encryption and decryption mode at a trusted relay node along the key distribution path, namely decrypting by the trusted relay node by adopting a segment key of a former segment path, encrypting by using a segment key of a latter segment path, and then transmitting to a next trusted relay node until reaching a destination node, and obtaining the user key of the key distribution path.
For a key distribution path formed by a plurality of segments, the segment key of the first segment is used as a user key of the key distribution path, and the subsequent aggregation trusted relay node realizes key distribution in a hop-by-hop forwarding mode. In the forwarding process, the key is encrypted and decrypted by the segment key of each segment. As shown in fig. 4, when the segment key Ka is used as the user key Ka of the key distribution path, the trusted relay node R encrypts Ka using the segment key Kb and transmits the encrypted result to the destination node D through the network, and the destination node D decrypts the received encrypted information using Kb to obtain Ka. Finally, the user key Ka of the key distribution path meeting certain security requirements is obtained.
In the embodiment of the invention, the same unreliable relay node is assumed to be controlled by an attacker, and when the segmented key distribution method is adopted, the sub-segmented path keys a 1and b2 are assumed to be leaked if the node A and the node G are attacked at the moment, but the segmented keys Ka and Kb still remain safe. When the non-segmented key distribution method based on multipath in the existing method is adopted, it is also assumed that the node A and the node G are attacked at the moment, the keys a 1and a2 distributed by the two paths are leaked, and the final user key is reconstructed by the keys a 1and a2, so that the security is not ensured.
The invention discloses a segmented key distribution method for a hybrid relay QKD network, which segments a key distribution path based on a trusted relay, distributes the risk of key leakage of one key distribution path to each segment, avoids that a single node on the path is attacked to influence the security of the distributed key on the whole path, fully utilizes the security characteristic of the trusted relay, reduces the length of the key distribution path, thereby improving the security of the key distribution process and reducing the consumption of key resources on a link.
Example two
As shown in fig. 5, an embodiment of the present invention provides a segmented key distribution system for a hybrid relay QKD network, including the following modules:
the routing module 41 for constructing a key distribution path and a segmentation path thereof is used for constructing the key distribution path and the segmentation path thereof after any terminal node in the QKD network sends a user key distribution request, wherein the key distribution path comprises a source node, a destination node, a trusted relay node and an untrusted relay node;
A segmented path key distribution and reconstruction module 42, configured to perform key distribution on each sub-segmented path included in each segmented path in parallel, reconstruct the key at an end node of the segmented path by using a key reconstruction function, and synchronously generate a segmented key corresponding to each segmented path;
the segment key forwarding module 43 is configured to forward the user key along the key distribution path with the first segment key as the user key of the key distribution path and the other segment keys as the encryption keys via a trusted relay, thereby completing user key distribution from the source node to the destination node.
The above examples are provided for the purpose of describing the present invention only and are not intended to limit the scope of the present invention. The scope of the invention is defined by the appended claims. Various equivalents and modifications that do not depart from the spirit and principles of the invention are intended to be included within the scope of the invention.

Claims (3)

1.一种针对混合中继QKD网络的分段密钥分发方法,其特征在于,包括:1. A segmented key distribution method for hybrid relay QKD networks, characterized in that it includes: 步骤S1:QKD网络中任意终端节点发送用户密钥的分发请求后,构建密钥分发路径及其分段路径;其中,所述密钥分发路径包括:源节点、目的节点、可信中继节点和不可信中继节点;每段所述分段路径包含至少一条子分段路径,其中,所述密钥分发路径包括:源节点、目的节点、可信中继节点和不可信中继节点;每段所述分段路径包含至少一条子分段路径,具体包括:Step S1: After any terminal node in the QKD network sends a user key distribution request, it constructs a key distribution path and its segmented paths; wherein, the key distribution path includes: a source node, a destination node, a trusted relay node, and an untrusted relay node; each segmented path contains at least one sub-segmented path, specifically including: 由集中控制器获取作为汇聚点的所述可信中继节点与不可信中继节点的拓扑连接信息,根据路由算法构建密钥分发路径,其中,所述密钥分发路径包含个所述可信中继节点,从而形成个分段路径;其中,每段所述分段路径的端节点是所述源节点、所述目的节点或者所述可信中继节点,当所述分段路径包含多条所述子分段路径时,各条所述子分段路径互为并行路径,即各条所述子分段路径共享所述分段路径的起始端节点和终止端节点;The central controller obtains the topology connection information of the trusted relay node and the untrusted relay node, which serve as the aggregation point, and constructs a key distribution path according to a routing algorithm. The key distribution path includes... The aforementioned trusted relay nodes, thereby forming Each segmented path is a segmented path; wherein the end node of each segmented path is the source node, the destination node, or the trusted relay node. When the segmented path contains multiple sub-segmented paths, each sub-segmented path is a parallel path, that is, each sub-segmented path shares the start and end nodes of the segmented path. 其中,所述路由算法包括:The routing algorithm includes: 1)找到分段的可信中继节点:初始的可信中继集合为空;使用Dijkstra算法找到距离源节点和目的节点之间跳数之和最小且不在可信中继集合中的可信中继节点;然后使用以路径的密钥分发安全概率为路径代价的扩展Dijkstra算法找到源节点和目的节点之间的最优的两条路径并计算源节点到目的节点间用户密钥分发的安全概率,然后同样找到从源节点到可信中继节点以及可信中继节点到目的节点最优的两条分段路径并计算分段后用户密钥分发的安全概率;如果分段后的安全概率更大那么将该可信中继节点加入集合中,并将该节点设为新的源节点继续重复运行步骤1),否则步骤1)中止;1) Find the segmented trusted relay node: The initial trusted relay set is empty; use Dijkstra's algorithm to find the trusted relay node with the smallest sum of hops between the source node and the destination node that is not in the trusted relay set; then use the extended Dijkstra's algorithm with the path's key distribution security probability as the path cost to find the two optimal paths between the source node and the destination node and calculate the security probability of user key distribution between the source node and the destination node; then similarly find the two optimal segmented paths from the source node to the trusted relay node and from the trusted relay node to the destination node and calculate the security probability of user key distribution after segmentation; if the security probability after segmentation is greater, then add the trusted relay node to the set and set the node as the new source node to continue repeating step 1); otherwise, step 1) is terminated. 2)找到分段的路径:使用步骤1)找到的可信中继集合作为路径汇聚点,开始循环搜索分段内的可用路径;每一轮循环在每个分段上找到一条子分段路径并更新拓扑,直到一轮循环中找不到多余路径或者满足安全需求时算法中止;2) Find the path in the segment: Using the set of trusted relays found in step 1) as the path convergence point, start the loop search for available paths in the segment; in each loop, find a sub-segment path in each segment and update the topology, until no redundant path is found in a loop or the security requirements are met, the algorithm terminates. 步骤S2:在每一段所述分段路径包含的每一条子分段路径上并行地进行密钥分发,并在所述分段路径的端节点上采用密钥重构函数对所述密钥进行重构,同步生成每一段分段路径对应的分段密钥,具体包括:Step S2: Perform key distribution in parallel on each sub-segment path contained in each segmented path, and reconstruct the key using a key reconstruction function at the end node of the segmented path, synchronously generating the segmented key corresponding to each segmented path, specifically including: 步骤S21:对每一段所述分段路径中的每一条子分段路径,将该分段路径的起始端节点与后一个相邻中继节点间共享的密钥作为所述子分段路径的密钥,所述子分段路径上其余中继节点间共享的密钥作为加密密钥,经由所述子分段路径上的中继节点以逐跳加解密的方式,进行所述密钥的转发,即所述子分段路径上的节点采用与前一个相邻节点共享的密钥解密,并采用与后一个相邻节点共享的密钥进行加密的方式进行密钥的转发,直至到达所述分段路径的终止端节点;从而在每一段所述分段路径的所有所述子分段路径并行地完成密钥分发过程,此时,所述分段路径上的起始端节点和终止端节点共享其所包含的所有子分段路径上分发的密钥;Step S21: For each sub-segment path in each segmented path, the key shared between the starting node and the next adjacent relay node of the segmented path is used as the key of the sub-segment path, and the key shared between the remaining relay nodes on the sub-segment path is used as the encryption key. The key is forwarded hop-by-hop through the relay nodes on the sub-segment path, that is, the nodes on the sub-segment path use the key shared with the previous adjacent node to decrypt and the key shared with the next adjacent node to encrypt, until the terminal node of the segmented path is reached; thus, the key distribution process is completed in parallel in all the sub-segment paths of each segmented path. At this time, the starting node and the terminal node of the segmented path share the keys distributed on all the sub-segment paths it contains. 步骤S22:在所述分段路径上的端节点,即起始端节点和终止端节点采用同一种密钥重构函数,生成得到该分段路径的分段密钥;Step S22: At the end nodes on the segmented path, namely the starting end node and the ending end node, the same key reconstruction function is used to generate the segmented key for the segmented path; 步骤S3:沿着所述密钥分发路径,以第一个所述分段密钥作为该密钥分发路径的用户密钥,其余所述分段密钥作为加密密钥,经由所述可信中继进行所述用户密钥的转发,完成由所述源节点到所述目的节点的所述用户密钥分发。Step S3: Along the key distribution path, the first segment key is used as the user key for the key distribution path, and the remaining segment keys are used as encryption keys. The user key is forwarded via the trusted relay to complete the distribution of the user key from the source node to the destination node. 2.根据权利要求1所述的针对混合中继QKD网络的分段密钥分发方法,其特征在于,所述步骤S3:沿着所述密钥分发路径,以第一个所述分段密钥作为该密钥分发路径的用户密钥,其余所述分段密钥作为加密密钥,经由所述可信中继进行所述用户密钥的转发,完成由所述源节点到所述目的节点的所述用户密钥分发,具体包括:2. The segmented key distribution method for a hybrid relay QKD network according to claim 1, characterized in that step S3: along the key distribution path, using the first segmented key as the user key for the key distribution path, and the remaining segmented keys as encryption keys, the user key is forwarded via the trusted relay to complete the user key distribution from the source node to the destination node, specifically including: 从所述源节点开始,将第一个所述分段密钥作为该密钥分发路径的用户密钥,沿着所述密钥分发路径,在所述可信中继节点采用逐跳加解密的方式,即所述可信中继节点采用前一段分段路径的分段密钥进行解密,并用后一段所述分段路径的分段密钥进行加密,然后传递到下一个可信中继节点,直到到达所述目的节点,获取该密钥分发路径的用户密钥。Starting from the source node, the first segment key is used as the user key for the key distribution path. Along the key distribution path, the trusted relay node uses a hop-by-hop encryption/decryption method, that is, the trusted relay node uses the segment key of the previous segment path to decrypt and uses the segment key of the next segment path to encrypt, and then passes it to the next trusted relay node, until the destination node is reached to obtain the user key for the key distribution path. 3.一种针对混合中继QKD网络的分段密钥分发系统,其特征在于,包括下述模块:3. A segmented key distribution system for hybrid relay QKD networks, characterized in that it comprises the following modules: 构建密钥分发路径及其分段路径的路由模块,用于QKD网络中任意终端节点发送密钥分发请求后,构建密钥分发路径及其分段路径;其中,所述密钥分发路径包括:源节点、目的节点、可信中继节点和不可信中继节点;每段所述分段路径包含至少一条子分段路径,其中,所述密钥分发路径包括:源节点、目的节点、可信中继节点和不可信中继节点;每段所述分段路径包含至少一条子分段路径,具体包括:A routing module for constructing key distribution paths and their segmented paths is provided. This module is used in the QKD network to construct key distribution paths and their segmented paths after any terminal node sends a key distribution request. The key distribution path includes a source node, a destination node, a trusted relay node, and an untrusted relay node. Each segmented path contains at least one sub-segmented path, specifically including: 由集中控制器获取作为汇聚点的互殴所述可信中继节点与不可信中继节点的拓扑连接信息,根据路由算法构建密钥分发路径,其中,所述密钥分发路径包含个所述可信中继节点,从而形成个分段路径;其中,每段所述分段路径的端节点是所述源节点、所述目的节点或者所述可信中继节点,当所述分段路径包含多条所述子分段路径时,各条所述子分段路径互为并行路径,即各条所述子分段路径共享所述分段路径的起始端节点和终止端节点;The centralized controller obtains the topology connection information of the trusted and untrusted relay nodes, which serve as the aggregation point, and constructs a key distribution path according to a routing algorithm. The key distribution path includes... The aforementioned trusted relay nodes, thereby forming Each segmented path is a segmented path; wherein the end node of each segmented path is the source node, the destination node, or the trusted relay node. When the segmented path contains multiple sub-segmented paths, each sub-segmented path is a parallel path, that is, each sub-segmented path shares the start and end nodes of the segmented path. 其中,所述路由算法包括:The routing algorithm includes: 1)找到分段的可信中继节点:初始的可信中继集合为空;使用Dijkstra算法找到距离源节点和目的节点之间跳数之和最小且不在可信中继集合中的可信中继节点;然后使用以路径的密钥分发安全概率为路径代价的扩展Dijkstra算法找到源节点和目的节点之间的最优的两条路径并计算源节点到目的节点间用户密钥分发的安全概率,然后同样找到从源节点到可信中继节点以及可信中继节点到目的节点最优的两条分段路径并计算分段后用户密钥分发的安全概率;如果分段后的安全概率更大那么将该可信中继节点加入集合中,并将该节点设为新的源节点继续重复运行步骤1),否则步骤1)中止;1) Find the segmented trusted relay node: The initial trusted relay set is empty; use Dijkstra's algorithm to find the trusted relay node with the smallest sum of hops between the source node and the destination node that is not in the trusted relay set; then use the extended Dijkstra's algorithm with the path's key distribution security probability as the path cost to find the two optimal paths between the source node and the destination node and calculate the security probability of user key distribution between the source node and the destination node; then similarly find the two optimal segmented paths from the source node to the trusted relay node and from the trusted relay node to the destination node and calculate the security probability of user key distribution after segmentation; if the security probability after segmentation is greater, then add the trusted relay node to the set and set the node as the new source node to continue repeating step 1); otherwise, step 1) is terminated. 2)找到分段的路径:使用步骤1)找到的可信中继集合作为路径汇聚点,开始循环搜索分段内的可用路径;每一轮循环在每个分段上找到一条子分段路径并更新拓扑,直到一轮循环中找不到多余路径或者满足安全需求时算法中止;2) Find the path in the segment: Using the set of trusted relays found in step 1) as the path convergence point, start the loop search for available paths in the segment; in each loop, find a sub-segment path in each segment and update the topology, until no redundant path is found in a loop or the security requirements are met, the algorithm terminates. 分段路径密钥分发及重构模块,用于在每一段所述分段路径包含的每一条子分段路径上并行地进行密钥分发,并在所述分段路径的端节点上采用密钥重构函数对所述密钥进行重构,同步生成每一段分段路径对应的分段密钥,具体包括:The segmented path key distribution and reconstruction module is used to perform key distribution in parallel on each sub-segmented path contained in each segmented path, and to reconstruct the key at the end nodes of the segmented path using a key reconstruction function, synchronously generating the segmented key corresponding to each segmented path. Specifically, it includes: 步骤S21:对每一段所述分段路径中的每一条子分段路径,将该分段路径的起始端节点与后一个相邻中继节点间共享的密钥作为所述子分段路径的密钥,所述子分段路径上其余中继节点间共享的密钥作为加密密钥,经由所述子分段路径上的中继节点以逐跳加解密的方式,进行所述密钥的转发,即所述子分段路径上的节点采用与前一个相邻节点共享的密钥解密,并采用与后一个相邻节点共享的密钥进行加密的方式进行密钥的转发,直至到达所述分段路径的终止端节点;从而在每一段所述分段路径的所有所述子分段路径并行地完成密钥分发过程,此时,所述分段路径上的起始端节点和终止端节点共享其所包含的所有子分段路径上分发的密钥;Step S21: For each sub-segment path in each segmented path, the key shared between the starting node and the next adjacent relay node of the segmented path is used as the key of the sub-segment path, and the key shared between the remaining relay nodes on the sub-segment path is used as the encryption key. The key is forwarded hop-by-hop through the relay nodes on the sub-segment path, that is, the nodes on the sub-segment path use the key shared with the previous adjacent node to decrypt and the key shared with the next adjacent node to encrypt, until the terminal node of the segmented path is reached; thus, the key distribution process is completed in parallel in all the sub-segment paths of each segmented path. At this time, the starting node and the terminal node of the segmented path share the keys distributed on all the sub-segment paths it contains. 步骤S22:在所述分段路径上的端节点,即起始端节点和终止端节点采用同一种密钥重构函数,生成得到该分段路径的分段密钥;Step S22: At the end nodes on the segmented path, namely the starting end node and the ending end node, the same key reconstruction function is used to generate the segmented key for the segmented path; 分段密钥转发模块,用于沿着所述密钥分发路径,以第一个所述分段密钥作为该密钥分发路径的用户密钥,其余所述分段密钥作为加密密钥,经由所述可信中继进行所述密钥的转发,完成由所述源节点到所述目的节点的所述用户密钥分发。The segmented key forwarding module is used to forward the key along the key distribution path, using the first segmented key as the user key for the key distribution path and the remaining segmented keys as encryption keys, via the trusted relay, thereby completing the distribution of the user key from the source node to the destination node.
CN202310171705.9A 2023-02-22 2023-02-22 A segmented key distribution method and system for hybrid relay QKD networks Active CN116155492B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310171705.9A CN116155492B (en) 2023-02-22 2023-02-22 A segmented key distribution method and system for hybrid relay QKD networks

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310171705.9A CN116155492B (en) 2023-02-22 2023-02-22 A segmented key distribution method and system for hybrid relay QKD networks

Publications (2)

Publication Number Publication Date
CN116155492A CN116155492A (en) 2023-05-23
CN116155492B true CN116155492B (en) 2026-03-31

Family

ID=86354183

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310171705.9A Active CN116155492B (en) 2023-02-22 2023-02-22 A segmented key distribution method and system for hybrid relay QKD networks

Country Status (1)

Country Link
CN (1) CN116155492B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116743650A (en) * 2023-07-27 2023-09-12 重庆师范大学 A multi-segmented QKD routing algorithm

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102130769A (en) * 2011-03-10 2011-07-20 北京邮电大学 A Model and Method for Quantum Key Distribution Request Control and Automatic Implementation
CN105827397A (en) * 2015-01-08 2016-08-03 阿里巴巴集团控股有限公司 Quantum key distribution system, method and device based on trusted relay

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2019144319A1 (en) * 2018-01-24 2019-08-01 华为技术有限公司 Quantum communication chip and system
CN112865964B (en) * 2018-04-13 2024-04-12 华为技术有限公司 Quantum key distribution method, device and storage medium
CN113517980B (en) * 2020-04-09 2023-07-21 中国移动通信有限公司研究院 A key processing method, device and storage medium

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102130769A (en) * 2011-03-10 2011-07-20 北京邮电大学 A Model and Method for Quantum Key Distribution Request Control and Automatic Implementation
CN105827397A (en) * 2015-01-08 2016-08-03 阿里巴巴集团控股有限公司 Quantum key distribution system, method and device based on trusted relay

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
A Segment-Based Multipath Distribution Method in Partially-Trusted Relay Quantum Networks;Mingjun Wang et al.;IEEE Communications Magazine;20230307;全文 *
QKD网络中密钥分发方案和应用研究;王明君;中国优秀硕士学位论文全文数据库 信息科技辑;20240415;全文 *

Also Published As

Publication number Publication date
CN116155492A (en) 2023-05-23

Similar Documents

Publication Publication Date Title
CN110581763B (en) A quantum key service blockchain network system
CN113765664B (en) Block chain network secure communication method based on quantum key
US11438149B2 (en) Quantum key distribution method and system based on tree QKD network
CN112187450B (en) Method, device, equipment and storage medium for key management communication
CN110011995B (en) Encryption and decryption method and device in multicast communication
CN113037499B (en) Block chain encryption communication method and system
CN114375560A (en) Quantum key distribution method, device and system
CN118573408B (en) End-to-end data encryption processing method
WO2023082600A1 (en) Quantum key-based blockchain network and data secure transmission method
Zeng et al. Practical hybrid PQC-QKD protocols with enhanced security and performance
CN108768632B (en) AKA identity authentication system and method based on symmetric key pool and relay communication
CN114401085A (en) Network architecture of quantum secret communication network and key storage method
CN111385090B (en) Key distribution method and system based on multi-key combination quantum key relay
CN116155492B (en) A segmented key distribution method and system for hybrid relay QKD networks
CN108964888B (en) Improved AKA identity authentication system and method based on symmetric key pool and relay communication
Liu et al. A multi-path QKD algorithm with multiple segments
Ertaul et al. Elliptic curve cryptography based threshold cryptography (ecc-tc) implementation for manets
CN106953727A (en) Based on the group safety certifying method without certificate in D2D communications
Li et al. A new scheme for key management in ad hoc networks
CN114374564B (en) An internal gateway routing link security management system and method
US20250301322A1 (en) Secret Communication System And Method Based On Network Coding
CN114362926B (en) Quantum secure communication network key management communication system and method based on key pool
Lin et al. Quantum key distribution in partially-trusted QKD ring networks
CN117997522A (en) Quantum session key-based data interaction method, electronic equipment and medium
CN108737091B (en) AKA-like identity authentication system and method based on symmetric key pool and relay communication

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant