HK1233078B - Method, device and system for outputting quantum key and method, device and system for verifying memory consistency of quantum key - Google Patents

Info

Publication number: HK1233078B
Application number: HK17106624.2A
Authority: HK (Hong Kong)
Prior art keywords: key, quantum, quantum key, devices, verification
Other languages: Chinese (zh)
Other versions: HK1233078A, HK1233078A1
Inventor: 付颖芳, 刘栓林
Original Assignee: 阿里巴巴集团控股有限公司
Application filed by 阿里巴巴集团控股有限公司

Description

Quantum key output method, storage consistency verification method, device and system

Technical Field

This application relates to quantum key output technology, specifically to a quantum key output method and device. This application also relates to a quantum key acquisition method and device, a quantum key storage and output method and device, a quantum key distribution and storage method and device, a quantum key output system, and a method and device for verifying the consistency of quantum key storage.

Background Art

To ensure the security of data transmission, the sending data device typically encrypts data with an encryption algorithm, and the receiving data device decrypts the received data with the corresponding decryption algorithm. Classical cryptography has long solved this problem well, but its security rests on computational complexity. With the rapid growth in computing power brought by cloud computing, quantum computing and the like, classical cryptography faces a significant risk of being broken. Quantum cryptography, a product of the intersection of quantum mechanics and cryptography, bases its security on principles of quantum mechanics (the uncertainty principle for unknown quantum states, the measurement collapse principle, and the no-cloning principle). Its security is independent of the attacker's computing and storage capabilities, so it can secure data transmission well. Furthermore, because quantum keys are symmetric keys, data encryption and decryption are computationally inexpensive and efficient, making quantum keys an ideal choice for secure data transmission.

See Figure 1, a schematic diagram of a quantum key output system. The basic process of using quantum keys for confidential data transmission is as follows: the quantum key distribution devices at the sender and receiver negotiate quantum keys through a quantum key distribution protocol and, as required by the key management devices, provide the quantum keys stored in the same address interval to the corresponding key management devices. The key management devices of the sender and receiver store the received quantum keys in the same address interval and, in response to a key acquisition request from the corresponding data device, output the quantum keys stored in the same address interval to that data device. The sender's data device uses the acquired quantum key to encrypt the data to be transmitted, and the receiver's data device uses the acquired quantum key to decrypt the received data, achieving efficient and secure data transmission.

In practical applications, the above process has the following defects:

(1) When the quantum key obtained by a quantum key distribution device is sent to and written into the corresponding key management device, network packet loss, hard disk write errors and similar causes mean that the quantum keys which the key management devices of the sender and receiver output to their data devices from the same storage address may not be the same. This is usually called asymmetry or inconsistency. As a result, the receiver's data device cannot decrypt correctly and cannot recover the correct original data;

(2) When the number of times the data devices of the sender and receiver obtain inconsistent quantum keys exceeds a preset threshold, the key management devices of the sender and receiver usually have to clear all acquired quantum keys, by restarting or other means, to eliminate the inconsistent output. This wastes quantum keys that have already been generated.

Summary of the Invention

The embodiments of the present application provide a quantum key output method and device to solve the existing problem of key management devices of the sender and receiver outputting inconsistent quantum keys. The embodiments of the present application also provide a quantum key acquisition method and device, a quantum key storage and output method and device, a quantum key distribution and storage method and device, a quantum key output system, and a method and device for verifying the consistency of quantum key storage.

This application provides a quantum key output method, comprising:

The data devices of the sender and receiver each send a key acquisition request to their respective key management devices;

After receiving the key acquisition request, the key management devices of the sender and receiver send a quantum key that has passed consistency verification to the corresponding data device, for that data device to perform data encryption and decryption operations;

Here, consistency verification means that, after the key management devices of the sender and receiver store the quantum keys obtained from their respective quantum key distribution devices in the same address interval, they verify whether the quantum keys stored by both parties in that address interval are the same; if they are the same, the consistency verification is deemed passed.

Optionally, the method includes:

The quantum key distribution devices corresponding to the key management devices of the sender and receiver store the quantum key obtained through quantum key distribution protocol negotiation in the same address interval, then verify the consistency of the quantum keys stored by both parties in that address interval, and treat the quantum key that passes consistency verification as the quantum key available for acquisition by the corresponding key management device.

Optionally, the quantum key that has passed consistency verification is stored in the key management devices of the sender and receiver in advance, before the data devices of the sender and receiver send the key acquisition request;

Accordingly, before the data devices of the sender and receiver send key acquisition requests to their respective key management devices, the following operations are performed:

The quantum key distribution devices of the sender and receiver negotiate a quantum key through the quantum key distribution protocol and store the quantum key in the same address interval;

The key management devices of the sender and receiver send key acquisition requests to their respective quantum key distribution devices;

The quantum key distribution devices of the sender and receiver send the quantum key stored in the same address interval to the corresponding key management device;

The key management devices of the sender and receiver store the received quantum key in the same address interval and verify the consistency of the quantum keys stored by both parties in that address interval;

Accordingly, sending the quantum key that has passed consistency verification to the corresponding data device includes:

The key management devices of the sender and receiver select, from the quantum keys that have passed consistency verification, the quantum key stored in the same address interval and send it to the corresponding data device.

Optionally, before the key management devices of the sender and receiver send key acquisition requests to their respective quantum key distribution devices, the following operation is performed:

The quantum key distribution devices of the sender and receiver notify their respective key management devices of the number of quantum keys available for acquisition.

Optionally, after the key management devices of the sender and receiver receive the key acquisition request and before the quantum key that has passed consistency verification is sent to the corresponding data device, the following operations are performed:

The key management devices of the sender and receiver each send the key acquisition request to their respective quantum key distribution devices;

The quantum key distribution devices of the sender and receiver negotiate a quantum key through the quantum key distribution protocol and store the quantum key in the same address interval;

The quantum key distribution devices of the sender and receiver send the quantum key stored in the same address interval to the corresponding key management device;

The key management devices of the sender and receiver store the received quantum key in the same address interval and verify the consistency of the quantum keys stored by both parties in that address interval;

Accordingly, sending the quantum key that has passed consistency verification to the corresponding data device includes:

The key management devices of the sender and receiver select, from the quantum keys that have passed consistency verification, the quantum key stored in the same address interval and send it to the corresponding data device.

Optionally, when the key management devices of the sender and receiver find that the quantum keys stored by both parties in the same address interval are inconsistent, the following operation is performed:

The quantum keys stored in that address interval are cleared, and the process returns to the step of sending key acquisition requests to the respective quantum key distribution devices.

Optionally, after the quantum key distribution devices of the sender and receiver negotiate the quantum key through the quantum key distribution protocol and store it in the same address interval, the following operation is performed:

The quantum key distribution devices of the sender and receiver verify the consistency of the quantum keys stored by both parties in the same address interval, and treat the quantum key that passes consistency verification as the quantum key that can be sent to the key management device.

Optionally, when the quantum key distribution devices of the sender and receiver find that the quantum keys stored by both parties in the same address interval are inconsistent, the following operation is performed:

The quantum keys stored in that address interval are cleared, and the process returns to the step in which the quantum key distribution devices of the sender and receiver negotiate a quantum key through the quantum key distribution protocol.

Optionally, the method includes: the quantum key distribution devices of the sender and receiver periodically perform the operation of verifying the consistency of the quantum keys stored by both parties in the same address interval.

Optionally, the verification by the quantum key distribution devices of the sender and receiver of the consistency of the quantum keys stored by both parties in the same address interval, and the verification by the key management devices of the sender and receiver of the consistency of the quantum keys stored by both parties in the same address interval, are each implemented as follows:

One device uses a preset hash algorithm to calculate the hash value of the quantum key stored in the address interval, encrypts the hash value and the address interval information with the quantum key that both devices obtained previously and that passed consistency verification, and sends the encrypted information to the other device;

The other device decrypts the received information with the corresponding key to obtain the address interval information, uses the preset hash algorithm to calculate the hash value of the quantum key stored in the corresponding local address interval, and determines whether the calculated hash value is the same as the received hash value. If they are the same, it returns a verification-passed response to the peer device; otherwise it returns a verification-failed response.

Optionally, after the key management devices of the sender and receiver send the quantum key to the corresponding data devices, the following operation is performed:

The data devices of the sender and receiver verify the consistency of the received quantum keys, and use the quantum key that has passed consistency verification as the key for data encryption and decryption operations.

Optionally, when the data devices of the sender and receiver find that the quantum keys obtained by both parties are inconsistent, the process returns to the step in which the data devices of the sender and receiver send key acquisition requests to their respective key management devices.

Optionally, the verification by the data devices of the sender and receiver of the consistency of the acquired quantum keys includes:

One device uses a preset hash algorithm to calculate the hash value of the acquired quantum key, encrypts the hash value with the quantum key that both devices obtained previously and that passed consistency verification, and sends the encrypted information to the other device;

The other device decrypts the received information with the corresponding key, uses the preset hash algorithm to calculate the hash value of the locally acquired quantum key, and determines whether the calculated hash value is the same as the received hash value. If they are the same, it returns a verification-passed response to the peer device; otherwise it returns a verification-failed response.

Optionally, the quantum key that the quantum key distribution devices of the sender and receiver obtain through quantum key distribution protocol negotiation has a corresponding key tag sequence, and each key tag in the key tag sequence is the unique identifier of a different quantum bit in the quantum key;

Accordingly, after the quantum key distribution devices of the sender and receiver store the quantum key in the same address interval, the following operation is performed: a one-to-one correspondence is established between the storage address of each quantum bit and its key tag;

The information that the quantum key distribution devices of the sender and receiver send to the corresponding key management devices includes not only the quantum key but also the key tag sequence corresponding to the quantum key. After the key management devices of the sender and receiver store the received quantum key in the same address interval, the following operation is performed: a one-to-one correspondence is established between the storage address of each quantum bit and its key tag;

The verification by the quantum key distribution devices of the sender and receiver of the consistency of the quantum keys stored by both parties in the same address interval, and the verification by the key management devices of the sender and receiver of the consistency of the quantum keys stored by both parties in the same address interval, are each implemented as follows:

One device uses a preset hash algorithm to calculate the hash value of the string formed by concatenating the key tag sequence of the quantum key with the address sequence made up of the storage address of each quantum bit in the quantum key, encrypts either the hash value and the address sequence, or the hash value and the key tag sequence, with the quantum key that both devices obtained previously and that passed consistency verification, and sends the encrypted information to the other device;

After decrypting with the corresponding key, the other device obtains the corresponding key tag sequence locally according to the extracted address sequence, or obtains the corresponding address sequence locally according to the extracted key tag sequence, uses the preset hash algorithm to calculate the hash value of the string formed by concatenating the key tag sequence with the address sequence, and determines whether the calculated hash value is the same as the received hash value. If they are the same, it returns a verification-passed response to the peer device; otherwise it returns a verification-failed response.
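The two hash-and-compare checks described above (hashing the key stored in an address interval, and hashing the key tag sequence joined with the address sequence) are shown here as an added Python example that is not part of the patent text. It assumes SHA-256 as the preset hash algorithm, models storage addresses as list indices, and uses a standard-library keystream-plus-HMAC construction as a stand-in for encryption with the previously verified quantum key; `KeyStore`, `build_request` and `answer_request` are hypothetical names.

```python
import hashlib
import hmac
import json
import secrets

HASH = hashlib.sha256  # assumed choice for the "preset hash algorithm"


def _subkey(key, label):
    # Separate encryption and MAC keys derived from the shared previous key.
    return hmac.new(key, label, HASH).digest()


def seal(key, plaintext):
    """Stand-in authenticated encryption (SHAKE-256 keystream + HMAC-SHA256).
    A deployment would use a vetted AEAD such as AES-GCM instead."""
    nonce = secrets.token_bytes(16)
    stream = hashlib.shake_256(_subkey(key, b"enc") + nonce).digest(len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    return nonce + ct + hmac.new(_subkey(key, b"mac"), nonce + ct, HASH).digest()


def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(_subkey(key, b"mac"), nonce + ct, HASH).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("request was not sealed with the shared previous key")
    stream = hashlib.shake_256(_subkey(key, b"enc") + nonce).digest(len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))


class KeyStore:
    """One device's key memory: bits[i] is stored at address i, tags[i] is its key tag."""

    def __init__(self, bits, tags):
        self.bits, self.tags = list(bits), list(tags)

    def interval_digest(self, start, end):
        # First variant: hash of the key material stored in [start, end).
        return HASH(bytes(self.bits[start:end])).hexdigest()

    def mapping_digest(self, addrs):
        # Second variant: hash of the tag sequence joined with the address sequence.
        tags = [self.tags[a] for a in addrs]
        return HASH(json.dumps([tags, list(addrs)]).encode()).hexdigest()


def build_request(store, prev_key, start, end, use_tags=False):
    """Requesting device: hash locally, then seal hash + address information."""
    if use_tags:
        digest = store.mapping_digest(range(start, end))
    else:
        digest = store.interval_digest(start, end)
    msg = {"digest": digest, "start": start, "end": end, "use_tags": use_tags}
    return seal(prev_key, json.dumps(msg).encode())


def answer_request(store, prev_key, blob):
    """Responding device: unseal, recompute over its own memory, compare."""
    try:
        msg = json.loads(unseal(prev_key, blob))
    except ValueError:
        return "FAIL"
    start, end = msg["start"], msg["end"]
    if not 0 <= start < end <= len(store.bits):
        return "FAIL"
    if msg["use_tags"]:
        local = store.mapping_digest(range(start, end))
    else:
        local = store.interval_digest(start, end)
    return "PASS" if hmac.compare_digest(local, msg["digest"]) else "FAIL"


# Constructed sample data: 64 key bits, per-bit timestamps as key tags,
# and a placeholder for the previously verified shared key.
BITS = [(i % 5) // 3 for i in range(64)]
TAGS = [1000 + 3 * i for i in range(64)]
PREV_KEY = bytes(range(32))


def demo():
    a = KeyStore(BITS, TAGS)
    same = KeyStore(BITS, TAGS)
    flipped = KeyStore(BITS, TAGS)
    flipped.bits[20] ^= 1  # models a disk write error on one bit
    dropped = KeyStore(BITS[:20] + BITS[21:], TAGS[:20] + TAGS[21:])  # one bit lost in transit
    results = {}
    for name, peer in (("same", same), ("flipped", flipped), ("dropped", dropped)):
        for use_tags in (False, True):
            blob = build_request(a, PREV_KEY, 16, 32, use_tags)
            results[(name, use_tags)] = answer_request(peer, PREV_KEY, blob)
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(case, verdict)
```

On the constructed data, the flipped bit fails the interval check but passes the tag check, because the tag variant as described hashes only key tags and addresses; the dropped bit shifts the tag-to-address mapping and fails both.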

Optionally, the information that the key management devices of the sender and receiver send to the corresponding data devices includes not only the quantum key but also the key tag sequence of the quantum key;

Accordingly, after receiving the above information from their respective key management devices, the data devices of the sender and receiver perform the following operations to verify the consistency of the quantum keys they have obtained and, if the keys are inconsistent, return to the step of sending key acquisition requests to their respective key management devices:

One device uses a preset hash algorithm to calculate the hash value of the string formed by concatenating the acquired quantum key and the key tag sequence, encrypts the hash value and the key tag sequence with the quantum key that both devices obtained previously and that passed consistency verification, and sends the encrypted information to the other device;

After decrypting with the corresponding key, the other device obtains the corresponding quantum key locally according to the extracted key tag sequence, uses the preset hash algorithm to calculate the hash value of the string formed by concatenating the quantum key and the key tag sequence, and determines whether the calculated hash value is the same as the received hash value. If they are the same, it returns a verification-passed response to the peer device; otherwise it returns a verification-failed response.

Optionally, the key tag includes timestamp information of the quantum bit, which the quantum key distribution devices of the sender and receiver obtain during the process of negotiating the quantum key.

Optionally, all interactions between the devices over the classical channel are based on HTTPS connections.

Optionally, before interacting, the devices perform mutual identity authentication and carry out the subsequent interaction only after authentication passes.

Accordingly, the present application also provides a quantum key output device, comprising:

A data device key request unit, configured for the data devices of the sender and receiver to each send a key acquisition request to their respective key management devices;

A management device key output unit, configured for the key management devices of the sender and receiver, after receiving the key acquisition request, to send the quantum key that was obtained from the corresponding quantum key distribution device and has passed consistency verification by the key management devices of the sender and receiver to the corresponding data device, for that data device to perform data encryption and decryption operations.

Optionally, the device includes: a distribution device key negotiation verification unit;

The distribution device key negotiation verification unit is configured for the quantum key distribution devices corresponding to the key management devices of the sender and receiver to store the quantum key obtained through quantum key distribution protocol negotiation in the same address interval, then verify the consistency of the quantum keys stored by both parties in that address interval, and treat the quantum key that passes consistency verification as the quantum key available for acquisition by the corresponding key management device.

Optionally, the device includes a distribution device key negotiation unit, a management device key request unit, a distribution device key sending unit, and a management device key verification unit, and these units start before the data device key request unit operates:

A distribution device key negotiation unit, configured for the quantum key distribution devices of the sender and receiver to negotiate a quantum key through a quantum key distribution protocol and store the quantum key in the same address interval;

A management device key request unit, configured for the key management devices of the sender and receiver to send key acquisition requests to their respective quantum key distribution devices;

A distribution device key sending unit, configured for the quantum key distribution devices of the sender and receiver to send the quantum key stored in the same address interval to the corresponding key management device;

A management device key verification unit, configured for the key management devices of the sender and receiver to store the received quantum key in the same address interval and verify the consistency of the quantum keys stored by both parties in that address interval;

Accordingly, the management device key output unit is specifically configured for the key management devices of the sender and receiver, after receiving the key acquisition request, to select, from the quantum keys that have passed consistency verification, the quantum key stored in the same address interval and send it to the corresponding data device.

Optionally, the device includes:

A management device key request forwarding unit, configured for the key management devices of the sender and receiver, after the data device key request unit receives the key acquisition request, to each send the key acquisition request to their respective quantum key distribution devices;

A distribution device key negotiation unit, configured for the quantum key distribution devices of the sender and receiver to negotiate a quantum key through a quantum key distribution protocol and store the quantum key in the same address interval;

A distribution device key sending unit, configured for the quantum key distribution devices of the sender and receiver to send the quantum key stored in the same address interval to the corresponding key management device;

A management device key verification unit, configured for the key management devices of the sender and receiver to store the received quantum key in the same address interval and verify the consistency of the quantum keys stored by both parties in that address interval;

Accordingly, the management device key output unit is specifically configured for the key management devices of the sender and receiver to select, from the quantum keys that have passed consistency verification, the quantum key stored in the same address interval and send it to the corresponding data device.

Optionally, the device includes:

A management device key clearing unit, configured so that, when the verification result of the management device key verification unit is a failure, the key management devices of the sender and receiver clear the quantum keys stored in the verified address interval and trigger the unit by which the key management devices of the sender and receiver send key acquisition requests to their respective quantum key distribution devices.

Optionally, the device includes:

A distribution device key verification unit, configured so that, after the distribution device key negotiation unit completes the quantum key negotiation process and stores the quantum key in the same address interval, the quantum key distribution devices of the sender and receiver verify the consistency of the quantum keys stored by both parties in that address interval and treat the quantum key that passes consistency verification as the quantum key that can be sent to the key management device.

Optionally, the device includes:

A distribution device key clearing unit, configured so that, when the verification result of the distribution device key verification unit is a failure, the quantum key distribution devices of the sender and receiver clear the quantum keys stored in the verified address interval and trigger the distribution device key negotiation unit to operate.

可选的,所述分发设备密钥验证单元以及所述管理设备密钥验证单元,各自包括验证请求子单元和验证执行子单元;Optionally, the distribution device key verification unit and the management device key verification unit each include a verification request subunit and a verification execution subunit;

所述验证请求子单元,用于参与验证的一方设备采用预设散列算法计算在所述地址区间中存储的量子密钥的散列值,并采用参与验证的双方设备前一次获取的通过一致性验证的量子密钥对所述散列值以及所述地址区间信息加密,并将加密后的信息发送给参与验证的另一方设备;The verification request subunit is configured to cause a device participating in the verification to calculate a hash value of the quantum key stored in the address interval using a preset hash algorithm, encrypt the hash value and the address interval information using a previously obtained quantum key that has passed consistency verification by both devices participating in the verification, and send the encrypted information to the other device participating in the verification;

所述验证执行子单元,用于所述另一方设备采用相应的密钥对接收到的信息解密后获取地址区间信息,采用所述预设散列算法计算在本地的相应地址区间中存储的量子密钥的散列值,判断计算得到的散列值与接收的散列值是否相同,若相同则向参与验证的对方设备返回验证通过应答,否则返回未通过应答。The verification execution subunit is used for the other party's device to use the corresponding key to decrypt the received information to obtain the address interval information, use the preset hash algorithm to calculate the hash value of the quantum key stored in the local corresponding address interval, and determine whether the calculated hash value is the same as the received hash value. If they are the same, a verification pass response is returned to the other party's device participating in the verification; otherwise, a failure response is returned.

Optionally, the device includes:

A data device key verification unit, configured for the data devices of both the sender and the receiver to verify the consistency of the received quantum keys after the management device key output unit sends the quantum keys to the corresponding data devices, and to use the quantum key that passes the consistency verification as the key for performing data encryption and decryption operations.

Optionally, the quantum key that the distribution device key negotiation unit obtains by negotiation through the quantum key distribution protocol has a corresponding key tag sequence; accordingly,

The distribution device key negotiation unit includes, in addition to the main body subunit that realizes its function, a mapping relationship establishment subunit, which is configured to establish a one-to-one correspondence between the storage address of each quantum bit and its key tag;

The information sent by the distribution device key sending unit to the management device key verification unit includes not only the quantum key but also the key tag sequence corresponding to the quantum key;

The management device key verification unit includes, in addition to a storage subunit and a management device key verification subunit, a mapping relationship establishment subunit. The storage subunit is configured for the key management devices of both the sender and the receiver to store the received quantum key in the same address interval; the mapping relationship establishment subunit is configured to establish a one-to-one correspondence between the storage address of each quantum bit and its key tag, and to trigger the management device key verification subunit to operate; the management device key verification subunit is configured to verify the consistency of the quantum keys stored by both parties in the same address interval;

The distribution device key verification unit and the management device key verification subunit each include a tag verification request subunit and a tag verification execution subunit;

The tag verification request subunit is configured for one device participating in the verification to calculate, using a preset hash algorithm, the hash value of a string formed by concatenating the key tag sequence of the quantum key with the address sequence composed of the storage address of each quantum bit in the quantum key, to encrypt either the hash value and the address sequence, or the hash value and the key tag sequence, using the quantum key that both participating devices obtained the previous time and that passed consistency verification, and to send the encrypted information to the other device participating in the verification;

The tag verification execution subunit is configured for the other device, after receiving the encrypted information, to decrypt it using the corresponding key, to obtain the corresponding key tag sequence locally according to the extracted address sequence, or the corresponding address sequence locally according to the extracted key tag sequence, to calculate, using the preset hash algorithm, the hash value of the string formed by concatenating the key tag sequence with the address sequence, and to determine whether the calculated hash value is the same as the received hash value. If they are the same, a verification pass response is returned to the peer device participating in the verification; otherwise, a failure response is returned.

In addition, the present application also provides a quantum key acquisition method, which is implemented on a data device that uses quantum keys to encrypt and decrypt data, and includes:

Sending a key acquisition request to the key management device;

Receiving the quantum key that has passed consistency verification and is sent by the key management device, as the key used for data encryption and decryption.

Optionally, after receiving the quantum key that has passed consistency verification and is sent by the key management device, the following operation is performed:

Verifying the consistency of the obtained quantum key with the quantum key obtained by the peer data device, and using the quantum key that passes this consistency verification as the key used for data encryption and decryption.

Optionally, if the obtained quantum key and the quantum key obtained by the peer data device do not pass consistency verification, execution returns to the step of sending a key acquisition request to the key management device.

Accordingly, the present application also provides a quantum key acquisition device, which is deployed on a data device that uses quantum keys to encrypt and decrypt data, and includes:

A key acquisition request sending unit, configured to send a key acquisition request to a key management device;

A symmetric key receiving unit, configured to receive the quantum key that has passed consistency verification and is sent by the key management device, as the key used for data encryption and decryption.

In addition, the present application also provides a quantum key storage and output method, which is implemented on a key management device that provides quantum keys to a data device, and includes:

Receiving a key acquisition request sent by a data device;

Sending the quantum key that has passed consistency verification to the data device, according to the same address interval negotiated with the peer key management device.

Optionally, the quantum key that has passed consistency verification is pre-stored before the key acquisition request sent by the data device is received;

Accordingly, before the key acquisition request sent by the data device is received, the following operations are performed:

Sending a key acquisition request to the quantum key distribution device;

Receiving the quantum key sent by the quantum key distribution device, and storing the quantum key in the same address interval as the peer key management device;

Verifying the consistency of the quantum key stored in the address interval with the quantum key stored in the same address interval by the peer key management device, and treating the quantum key that passes the consistency verification as a quantum key that can be sent to the data device.

Optionally, after the key acquisition request sent by the data device is received, and before the quantum key that has passed consistency verification is sent to the data device according to the same address interval negotiated with the peer key management device, the following operations are performed:

Sending the key acquisition request to the quantum key distribution device;

Receiving the quantum key sent by the quantum key distribution device, and storing the quantum key in the same address interval as the peer key management device;

Verifying the consistency of the quantum key stored in the address interval with the quantum key stored in the same address interval by the peer key management device.

Optionally, if the quantum key stored in the address interval and the quantum key stored in the same address interval by the peer management device do not pass consistency verification, the following operation is performed:

Clearing the quantum key stored in the address interval, and returning to the step of sending a key acquisition request to the quantum key distribution device.

Accordingly, the present application also provides a quantum key storage and output device, which is deployed on a key management device that provides quantum keys to data devices, and includes:

A key acquisition request receiving unit, configured to receive a key acquisition request sent by a data device;

A symmetric key output unit, configured to send the quantum key that has passed consistency verification to the data device, according to the same address interval negotiated with the peer key management device.

In addition, the present application also provides a quantum key distribution and storage method, which is implemented on a quantum key distribution device and includes:

Negotiating a quantum key with a peer quantum key distribution device through a quantum key distribution protocol, and storing the obtained quantum key in the same address interval as the peer quantum key distribution device;

Verifying the consistency of the quantum key stored in the address interval with the quantum key stored in the same address interval by the peer quantum key distribution device;

According to a key acquisition request received from the key management device, sending the quantum key that has passed consistency verification to the key management device, according to the same address interval negotiated with the peer quantum key distribution device.

Optionally, if the quantum key stored in the address interval and the quantum key stored in the same address interval by the peer quantum key distribution device do not pass consistency verification, the following operation is performed:

Clearing the quantum key stored in the address interval, and returning to the step of negotiating a quantum key with the peer quantum key distribution device through the quantum key distribution protocol.

Accordingly, the present application also provides a quantum key distribution and storage device, which is deployed on a quantum key distribution device and includes:

A key distribution storage unit, configured to negotiate a quantum key with a peer quantum key distribution device through a quantum key distribution protocol, and to store the obtained quantum key in the same address interval as the peer quantum key distribution device;

A key verification unit, configured to verify the consistency of the quantum key stored in the address interval with the quantum key stored in the same address interval by the peer quantum key distribution device;

A symmetric key sending unit, configured to send, according to a key acquisition request received from the key management device, the quantum key that has passed consistency verification to the key management device, according to the same address interval negotiated with the peer quantum key distribution device.

In addition, the present application also provides a quantum key output system, comprising two subsystems deployed at the sender and the receiver respectively; each of the two subsystems includes: a quantum key acquisition device according to any one of the above, a quantum key storage and output device according to any one of the above, and a quantum key distribution and storage device according to any one of the above.

In addition, the present application also provides a method for verifying the consistency of quantum key storage, which is implemented on a first device and a second device participating in the verification, and includes:

The first device sends to the second device the information, obtained through the quantum key negotiation process, that represents the quantum key to be verified, together with the address interval information of where the quantum key to be verified is stored;

The second device compares the received information with the corresponding local information to determine whether the information that corresponds to the address interval and represents the quantum key to be verified is the same on both devices. If it is the same, the second device returns a verification pass response to the first device; otherwise, it returns a failure response;

Here, the information representing the quantum key to be verified is composed of sub-information units corresponding to the number of bits in the quantum key. Each sub-information unit is the unique identifier of a different quantum bit in the quantum key to be verified, and corresponds one-to-one to the storage address of the quantum bit it identifies.

Optionally, the information representing the quantum key to be verified includes the quantum key to be verified itself;

Accordingly, the step in which the first device sends to the second device the information, obtained through the quantum key negotiation process, that represents the quantum key to be verified, together with the address interval information of where the quantum key to be verified is stored, includes:

The first device calculates a hash value of the quantum key to be verified using a preset hash algorithm, and sends the hash value and the address interval information to the second device;

The step in which the second device compares the received information with the corresponding local information to determine whether the information that corresponds to the address interval and represents the quantum key to be verified is the same on both devices includes:

The second device extracts from the received information the address interval information of where the quantum key to be verified is stored, calculates, using the preset hash algorithm, the hash value of the quantum key stored in the same local address interval, and determines whether the calculated hash value is the same as the received hash value. If they are the same, it is determined that the information that corresponds to the address interval and represents the quantum key to be verified is the same on both devices.

Optionally, the information representing the quantum key to be verified includes the key tag sequence of the quantum key to be verified, each key tag in the key tag sequence being one of the sub-information units; the address interval information of where the quantum key to be verified is stored includes the address sequence composed of the storage address of each quantum bit in the quantum key to be verified;

Accordingly, the step in which the first device sends to the second device the information, obtained through the quantum key negotiation process, that represents the quantum key to be verified, together with the address interval information of where the quantum key to be verified is stored, includes:

The first device calculates, using a preset hash algorithm, the hash value of the string formed by concatenating the key tag sequence with the address sequence, and sends either the hash value and the address sequence, or the hash value and the key tag sequence, to the second device;

The step in which the second device compares the received information with the corresponding local information to determine whether the information that corresponds to the address interval and represents the quantum key to be verified is the same on both devices includes:

The second device obtains the corresponding key tag sequence locally according to the address sequence extracted from the received information, or obtains the corresponding address sequence locally according to the extracted key tag sequence, calculates, using the preset hash algorithm, the hash value of the string formed by concatenating the key tag sequence with the address sequence, and determines whether the calculated hash value is the same as the received hash value. If they are the same, it is determined that the information that corresponds to the address interval and represents the quantum key to be verified is the same on both devices.

Optionally, the key tag includes timestamp information of the quantum bit.

Optionally, the method further includes:

The first device encrypts the information to be sent using a key agreed in advance with the second device;

Accordingly, after receiving the information sent by the first device, the second device decrypts it using the corresponding key and then performs the subsequent comparison and determination operations.
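The tag-based consistency check described above, as an added Python example that is not part of the patent: the first device hashes the key tag sequence concatenated with the address sequence, and the second device recomputes the hash from its own tags at those addresses. SHA-256 stands in for the unspecified "preset hash algorithm"; `KeyStore`, the request fields and the separator encoding are assumptions, the optional encryption of the request is left out, and a failed check clears the interval on both sides as in the failure handling described earlier.

```python
import hashlib
import hmac


class KeyStore:
    """One device's key memory: storage address -> (key bit, key tag)."""

    def __init__(self):
        self.cells = {}

    def store(self, start_addr, bits, tags):
        # Each bit gets exactly one address and keeps its tag (one-to-one mapping).
        for offset, (bit, tag) in enumerate(zip(bits, tags)):
            self.cells[start_addr + offset] = (bit, tag)

    def tags_at(self, addresses):
        # Raises KeyError when nothing is stored at one of the addresses.
        return [self.cells[a][1] for a in addresses]

    def clear(self, addresses):
        for a in addresses:
            self.cells.pop(a, None)


def digest(tags, addresses):
    # Hash of the tag sequence concatenated with the address sequence.
    # The separators are an added detail that keeps the encoding unambiguous.
    text = ",".join(map(str, tags)) + "|" + ",".join(map(str, addresses))
    return hashlib.sha256(text.encode("ascii")).hexdigest()


def build_request(store, addresses):
    """First device: send the digest and the address sequence, never key bits."""
    addresses = list(addresses)
    return {"addresses": addresses,
            "digest": digest(store.tags_at(addresses), addresses)}


def handle_request(store, request):
    """Second device: recompute from local tags. True is the pass response."""
    addresses = request["addresses"]
    try:
        local = digest(store.tags_at(addresses), addresses)
    except KeyError:
        return False  # an address in the interval is empty locally
    return hmac.compare_digest(local, request["digest"])


def verify_or_clear(first, second, addresses):
    """Run one verification; on failure both sides clear the interval."""
    addresses = list(addresses)
    ok = handle_request(second, build_request(first, addresses))
    if not ok:
        first.clear(addresses)
        second.clear(addresses)
    return ok


def demo():
    # Constructed sample: 8 key bits, each tagged with a timestamp.
    bits = [1, 0, 1, 1, 0, 0, 1, 0]
    tags = [1000 + 7 * i for i in range(8)]
    a, b = KeyStore(), KeyStore()
    a.store(100, bits, tags)
    # Device B lost the 4th item in transit, so every later bit sits one
    # address lower than on device A.
    b.store(100, bits[:3] + bits[4:], tags[:3] + tags[4:])
    results = {
        "100-102": verify_or_clear(a, b, range(100, 103)),
        "103-106": verify_or_clear(a, b, range(103, 107)),
    }
    results["failed_interval_cleared"] = 103 not in a.cells and 103 not in b.cells
    results["verified_interval_kept"] = 100 in a.cells and 100 in b.cells
    return results


if __name__ == "__main__":
    print(demo())
```

Only the interval that failed is cleared; the interval that verified stays usable on both sides, which is the resource-saving behaviour the application claims over clearing all stored keys.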

Accordingly, the present application also provides a device for verifying the consistency of quantum key storage, comprising:

A key verification request sending unit, configured for the first device to send to the second device the information, obtained through the quantum key negotiation process, that represents the quantum key to be verified, together with the address interval information of where the quantum key to be verified is stored;

A key verification execution unit, configured for the second device to compare the received information with the corresponding local information to determine whether the information that corresponds to the address interval and represents the quantum key to be verified is the same on both devices, and, if it is the same, to return a verification pass response to the first device, and otherwise to return a failure response;

Here, the information representing the quantum key to be verified is composed of sub-information units corresponding to the number of bits in the quantum key. Each sub-information unit is the unique identifier of a different quantum bit in the quantum key to be verified, and corresponds one-to-one to the storage address of the quantum bit it identifies.

Compared with the prior art, this application has the following advantages:

In the quantum key output method and system provided by this application, the data devices of the sender and the receiver each send a key acquisition request to their respective key management devices. After receiving the key acquisition requests, the key management devices of the sender and the receiver send the quantum keys that have passed consistency verification to the corresponding data devices, which use them to perform data encryption and decryption operations. Because the key management devices of the sender and the receiver have verified the consistency of the quantum keys stored in the same address interval, the synchronization and usefulness of the quantum keys output by the quantum key output system are ensured; that is, the quantum keys output to the data devices are identical and symmetric, which guarantees that the data encryption and decryption process executes correctly. In particular, even if the quantum keys obtained by the sender and the receiver are asymmetric because of network transmission or other causes, there is no need to clear the quantum keys already stored in the key management devices of the sender and the receiver by restarting or similar means, which avoids wasting quantum key resources.

In the method for verifying the consistency of quantum key storage provided by this application, the two devices participating in the verification compare the information that corresponds to the same address interval and represents the quantum key to be verified, and thereby determine whether the quantum keys the two devices store in the same address interval are identical. This provides a basis for both devices to output symmetric quantum keys and safeguards the secure and efficient transmission of user data. In particular, the key-tag-based verification method exploits the fact that a key tag uniquely identifies a quantum bit, together with the correspondence between key tags and quantum bit storage addresses, so that consistency verification can be achieved without transmitting the quantum key, further protecting the security of the quantum key.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a schematic diagram of a quantum key output system provided in an embodiment of the present application;

FIG. 2 is a flowchart of an embodiment of a quantum key output method of the present application;

FIG. 3 is a processing flowchart of a quantum key output method based on the real-time acquisition method, provided in an embodiment of the present application;

FIG. 4 is a flowchart of the interaction between devices based on the real-time acquisition method, provided in an embodiment of the present application;

FIG. 5 is a processing flowchart of a quantum key output method based on the pre-acquisition method, provided in an embodiment of the present application;

FIG. 6 is a flowchart of the interaction between devices based on the pre-acquisition method, provided in an embodiment of the present application;

FIG. 7 is a schematic diagram of an embodiment of a quantum key output device of the present application;

FIG. 8 is a flowchart of an embodiment of a quantum key acquisition method of the present application;

FIG. 9 is a schematic diagram of an embodiment of a quantum key acquisition device of the present application;

FIG. 10 is a flowchart of an embodiment of a quantum key storage and output method of the present application;

FIG. 11 is a schematic diagram of an embodiment of a quantum key storage and output device of the present application;

FIG. 12 is a flowchart of an embodiment of a quantum key distribution and storage method of the present application;

FIG. 13 is a schematic diagram of an embodiment of a quantum key distribution and storage device of the present application;

FIG. 14 is a schematic diagram of an embodiment of a quantum key output system of the present application;

FIG. 15 is a flowchart of an embodiment of a method for verifying the consistency of quantum key storage of the present application;

FIG. 16 is a schematic diagram of an embodiment of a device for verifying the consistency of quantum key storage of the present application.

DETAILED DESCRIPTION

The following description sets forth many specific details to facilitate a thorough understanding of the present application. However, the present application can be implemented in many ways other than those described herein, and those skilled in the art can make similar generalizations without departing from the substance of the present application. Therefore, the present application is not limited to the specific implementations disclosed below.

This application provides a quantum key output method and device, a quantum key acquisition method and device, a quantum key storage and output method and device, a quantum key distribution and storage method and device, a quantum key output system, and a method and device for verifying the consistency of quantum key storage. Each is described in detail in the following embodiments. Before the embodiments are described in detail, the devices involved in this technical solution and its two main processing flows are briefly introduced.

Please refer to FIG. 1, which shows a schematic diagram of the quantum key output system. From the perspective of encrypted data transmission, the quantum key output system has two mutually symmetric sides. One side includes a quantum key distribution device QKD-A (Quantum Key Distribution, abbreviated as QKD), a key management device QKS-A (Quantum Key System, abbreviated as QKS), and data device A; the other side includes a quantum key distribution device QKD-B, a key management device QKS-B, and data device B. Each device on one side and the device of the same type on the opposite side are peer devices of each other. For ease of description, this application refers to them as the devices of the sender and the receiver, for example: the quantum key distribution devices of the sender and the receiver, the key management devices of the sender and the receiver, and the data devices of the sender and the receiver.

The QKD devices of the sender and the receiver negotiate quantum keys; the QKS devices of the sender and the receiver store the quantum keys obtained from the QKD devices and output them to the data devices; and the data devices of the sender and the receiver use the obtained quantum keys to perform the corresponding data encryption or decryption operations. Because packets may be lost during network transmission between a QKD device and a QKS device, and because a QKS device may itself make errors while storing quantum keys, the quantum keys that the QKS devices of the sender and the receiver output to the data devices can be asymmetric. To address this problem, the technical solution of this application verifies the consistency of the quantum keys between the QKS devices of the sender and the receiver and sends only the quantum keys that have passed consistency verification to the data devices, thereby ensuring, at the QKS devices, that the quantum keys output to the data devices of the sender and the receiver are symmetric.

The rest of this description also builds on the architecture shown in FIG. 1. Note that the schematic diagram is drawn from the perspective of quantum key output. In an actual implementation, the QKD devices of the sender and the receiver, the QKS devices of the sender and the receiver, and the data devices of the sender and the receiver can each be connected through classical channels, wired or wireless, for operations such as negotiation and data transmission between them. These connections are not shown in the figure.

请参考图2,其为本申请的一种量子密钥输出方法的实施例的流程图,所述方法包括如下步骤:Please refer to FIG2 , which is a flow chart of an embodiment of a quantum key output method of the present application, wherein the method comprises the following steps:

步骤201、收发双方数据设备分别向各自的密钥管理设备发送密钥获取请求。Step 201: The data devices of both the sender and receiver send key acquisition requests to their respective key management devices.

步骤202、收发双方密钥管理设备接收所述密钥获取请求后,将通过一致性验证的量子密钥发送给相应数据设备,供相应数据设备执行数据加解密操作。Step 202: After receiving the key acquisition request, the key management devices of the sender and receiver send the quantum key that has passed consistency verification to the corresponding data device for the corresponding data device to perform data encryption and decryption operations.

在具体实施上述方法的过程中,数据设备向密钥管理设备获取密钥可以采取实时获取量子密钥方式(简称实时获取方式)、或者预获取量子密钥方式(简称预获取方式)。所述实时获取方式是指,数据设备A与数据设备B向各自的QKS-A设备和QKS-B设备发送获取量子密钥的请求,此时QKS-A设备和QKS-B设备已有预存储的、并且通过一致性验证的量子密钥,可以直接输出给数据设备A和数据设备B。In the specific implementation of the above method, the data device can obtain the key from the key management device in real-time quantum key acquisition (hereinafter referred to as real-time acquisition method) or in pre-acquisition quantum key (hereinafter referred to as pre-acquisition method). The real-time acquisition method means that data device A and data device B send a request to obtain the quantum key to their respective QKS-A device and QKS-B device. At this time, QKS-A device and QKS-B device already have pre-stored quantum keys that have passed consistency verification and can directly output them to data device A and data device B.

所述预获取方式是指,数据设备A与数据设备B向各自的QKS-A设备和QKS-B设备发送获取量子密钥的请求,QKS-A设备和QKS-B设备中无预存储的量子密钥,QKS-A设备和QKS-B设备分别转发请求给QKD-A设备和QKD-B设备,QKD-A设备和QKD-B设备通过量子密钥分发协议为数据设备A和数据设备B协商量子密钥对,并发送给QKS-A设备和QKS-B设备,QKS-A设备和QKS-B设备对存储的量子密钥进行一致性验证,最后再将通过一致性验证的量子密钥发送给数据设备A和数据设备B。The pre-acquisition method means that data device A and data device B send requests to their respective QKS-A device and QKS-B device to obtain quantum keys. There is no pre-stored quantum key in the QKS-A device and QKS-B device. The QKS-A device and QKS-B device forward the requests to the QKD-A device and QKD-B device respectively. The QKD-A device and QKD-B device negotiate a quantum key pair for data device A and data device B through the quantum key distribution protocol, and send it to the QKS-A device and QKS-B device. The QKS-A device and QKS-B device perform consistency verification on the stored quantum key, and finally send the quantum key that passes the consistency verification to data device A and data device B.

上述两种量子密钥获取方式,都可以通过在QKS-A设备和QKS-B设备之间进行量子密钥的一致性验证,实现向数据设备A和数据设备B输出对称量子密钥的目的。下面在本实施例中依次描述这两种实施方式,需要说明的是,在以下描述的实施方式中,所有通过经典信道传输的私密信息,例如:量子密钥信息,都可以采用通信双方商定的密钥加密,例如,可以采用通信双方前一次获取的量子密钥进行加密,对于初次传输则可以采用通信双方预置的共享密钥加密,这一点在下文中不再重复描述。Both of the above-mentioned quantum key acquisition methods can achieve the purpose of outputting symmetric quantum keys to data devices A and B by verifying the consistency of quantum keys between devices QKS-A and QKS-B. These two implementations are described in turn below in this embodiment. It should be noted that in the implementations described below, all private information transmitted via classical channels, such as quantum key information, can be encrypted using a key agreed upon by both communicating parties. For example, it can be encrypted using a quantum key previously acquired by both communicating parties. For initial transmissions, it can be encrypted using a shared key preset by both communicating parties. This point will not be repeated below.

Please refer to Figure 3, which is a processing flowchart of the quantum key output method based on the real-time acquisition method provided by an embodiment of the present application. For ease of understanding, this embodiment also provides a flowchart of the interaction between the devices under the real-time acquisition method; please refer to Figure 4. The method comprises the following steps:

Step 301: The quantum key distribution devices of the sender and the receiver negotiate a quantum key through a quantum key distribution protocol and store the quantum key in the same address range.

The QKD-A and QKD-B devices negotiate a symmetric quantum key through a quantum key distribution protocol such as BB84 (this process is also called quantum key negotiation) and store the quantum key in the same address range of their respective storage media, which include caches, disks and the like. The same address range can be set by negotiation between the QKD-A and QKD-B devices, or it can be determined by both parties cumulatively, starting from the address range used in the previous storage operation and adding according to the number of quantum keys obtained in this negotiation. Either is acceptable as long as both parties are guaranteed to store the quantum key in the same address range.

While storing quantum keys, the QKD-A device or the QKD-B device may encounter anomalies such as data write errors, leaving the quantum keys stored by the QKD-A and QKD-B devices in the same address range asymmetric. This embodiment therefore provides a preferred implementation: the QKD-A and QKD-B devices verify the consistency of the quantum keys that both parties store in the same address range, and treat the quantum keys that pass consistency verification as the quantum keys that may be sent to the key management devices.

In a specific implementation, this can be done by comparing the hash values of the quantum keys that the two parties store in the same address range. Because the same method can be used for quantum key consistency verification between QKD devices and between QKS devices, see the related description in step 304; it is not repeated here.

Furthermore, the verification method above requires transmitting the hash value of the quantum key over the network. If a malicious attacker intercepts it, the security of the quantum key is exposed to a certain risk. For this reason, this embodiment provides a preferred implementation for verifying quantum key consistency between QKD devices (and between QKS devices) that uses the correspondence between key labels and storage locations.

To implement this preferred implementation, the quantum key that the QKD devices of the two parties obtain by negotiation through the quantum key distribution protocol has a corresponding key label sequence, and each key label in the sequence is the unique identifier of a different qubit in the quantum key. After the QKD devices of the two parties store the quantum key in the same address range, they establish a one-to-one correspondence between the storage address of each qubit and its key label.

In a specific implementation, the timestamp information of each qubit can be used as its key label. The timestamp information of each qubit can be obtained while the QKD devices of the two parties negotiate the quantum key. For example, quantum key negotiation using the BB84 protocol is based on clock synchronization: each negotiated qubit has its own unique timestamp information, and the timestamp information of every qubit is different. This embodiment can therefore use the timestamp information of a qubit as its key label.

Because the same key-label-based method can be used for quantum key consistency verification between QKD devices and between QKS devices, see the related description in step 304; it is not repeated here.

If the QKD-B device finds through verification that the quantum keys stored by the two parties in the same address range differ, it can return a verification-failed response to the QKD-A device. The QKD-A and QKD-B devices can then clear the quantum keys stored in the same address range and negotiate a quantum key again through the quantum key distribution protocol. In a specific implementation, the QKD-A and QKD-B devices may instead leave the quantum keys stored in the same address range in place and overwrite that address range with the new quantum key obtained from the next quantum key negotiation.

With the preferred implementation above, the QKD devices perform consistency verification each time they store an acquired quantum key, and only quantum keys that pass consistency verification are treated as quantum keys that may be sent to the corresponding QKS devices. If the QKS devices of the two parties later find that the quantum keys obtained from their corresponding QKD devices are inconsistent, the cause can usually be taken to be a network transmission anomaly (for example, packet loss). The QKS devices of the two parties can then simply obtain quantum keys from their corresponding QKD devices again, without clearing all quantum keys stored in the QKD-A and QKD-B devices by restarting or similar means, which reduces waste of the quantum keys the QKD devices have already obtained.

To further safeguard the consistency of the quantum keys stored by the QKD-A and QKD-B devices, a specific implementation can periodically verify, at a preset interval, the consistency of the quantum keys that the QKD-A and QKD-B devices store in the same address range.

In addition, after the QKD-A and QKD-B devices obtain a quantum key through quantum key negotiation and store it in the same address range, they can also send a notification to the corresponding QKS device stating the number of quantum keys currently stored, for the QKS device to consult when it sends a key acquisition request.

Step 302: The key management devices of the sender and the receiver send key acquisition requests to their respective quantum key distribution devices.

The QKS-A and QKS-B devices can negotiate in advance the length of the quantum key that both parties will obtain from their respective QKD devices, and each send its QKD device a key acquisition request carrying that length information.

Step 303: The quantum key distribution devices of the sender and the receiver send the quantum keys stored in the same address range to the corresponding key management devices.

After receiving the key acquisition requests, the QKD-A and QKD-B devices can, based on the key length information carried in the requests, determine by negotiation the address range from which to extract quantum keys for the QKS devices. They then extract the quantum keys from the same negotiated address range and send them to the corresponding key management devices.

If the QKD-A and QKD-B devices performed quantum key consistency verification in step 301, then in this step they can determine by negotiation the address range from which to extract, for the corresponding QKS devices, quantum keys that have passed consistency verification. They then extract the quantum keys from the same negotiated address range and send them to the corresponding QKS devices.

If the QKS-A and QKS-B devices are to perform quantum key consistency verification using key labels in the subsequent step 304, then in this step the QKD-A and QKD-B devices can send the key label sequence of the quantum key together with the quantum key to the corresponding QKS devices.

Step 304: The key management devices of the sender and the receiver store the received quantum keys in the same address range and verify the consistency of the quantum keys that both parties store in that address range.

The QKS-A and QKS-B devices store the received quantum keys in the same address range. The same address range can be set by negotiation between the QKS-A and QKS-B devices, or it can be determined by both parties cumulatively, starting from the address range used in the previous storage operation and adding according to the number of quantum keys obtained this time. Either is acceptable as long as both parties are guaranteed to store the obtained quantum keys in the same address range.

The QKS-A and QKS-B devices can verify the consistency of the quantum keys stored by both parties in the same address range in several ways. Some optional ways are listed below.

1) Consistency verification by comparing the hash values of the quantum keys that both parties store in the same address range.

This way is relatively simple. A specific implementation can be as follows. The QKS-A device uses a preset hash algorithm to calculate the hash value of the quantum key stored in the address range, encrypts the hash value and the address range information with the quantum key that both parties obtained previously and that passed consistency verification, and sends the encrypted information to the other party. After receiving this information from the QKS-A device, the QKS-B device decrypts it with the corresponding key to obtain the address range information, uses the preset hash algorithm to calculate the hash value of the quantum key stored in the corresponding local address range, and determines whether the calculated hash value equals the received hash value. If they are equal, it returns a verification-passed response to the QKS-A device; otherwise it returns a verification-failed response.

In a specific implementation, the address range information that the QKS-A device sends to the QKS-B device can consist of the first and last addresses of the address range, the first address and the range length, or the first address and the length of the quantum key whose consistency is to be verified. Any of these is acceptable as long as the QKS-B device can determine the specific address range from the received information. The preset hash algorithm includes SHA-1, SHA-2 or SHA-3, as well as other possible hash algorithms, as long as the QKS-A and QKS-B devices use the same hash algorithm. To keep the transmission secure, the QKS-A device encrypts the information to be sent with the quantum key that it and the QKS-B device obtained last time and that passed consistency verification. If consistency verification is being performed for the first time, the shared key preset by both parties can be used for encryption, and the QKS-B device correspondingly decrypts with that preset shared key. In the implementation given above, the QKS-A device initiates the verification process and the QKS-B device returns the verification response; in other implementations, the QKS-B device can initiate the verification process. The variations described here also apply to the corresponding parts of the other two verification ways described below and are not repeated.

2) Verification method one using the correspondence between key labels and qubit storage locations.

To avoid the security risk of the hash value of the quantum key under verification being intercepted in transit, this embodiment provides a preferred implementation that performs consistency verification using the property that a key label uniquely identifies a qubit, together with the correspondence between key labels and storage locations. With this preferred implementation, the information that the QKS-A and QKS-B devices obtain from their corresponding QKD devices includes not only the quantum key but also the key label sequence of the quantum key, in which each key label is the unique identifier of a different qubit in the quantum key. After the QKS-A and QKS-B devices store the received quantum keys in the same address range, they establish a one-to-one correspondence between the storage address of each qubit and its key label.

For ease of description, the key label sequence of the quantum key to be verified on the QKS-A side is denoted Lab1, the address sequence formed by the storage address of each qubit in the quantum key to be verified is denoted Locate1, hash() denotes the preset hash algorithm, and the information inside {} is the encrypted data. The QKS-A and QKS-B devices can verify the consistency of the quantum keys stored by both parties in the same address range as follows:

The QKS-A device uses the preset hash algorithm to calculate the hash value of Lab1, encrypts the hash value and Locate1 with the quantum key that both parties obtained previously and that passed consistency verification, and sends the encrypted information to the QKS-B device. That is, the QKS-A device sends the following information to the QKS-B device: Verify-A={hash(Lab1),Locate1};

After decrypting the received information with the corresponding key, the QKS-B device obtains the hash value and the address sequence, retrieves the corresponding key label sequence locally according to the address sequence, and uses the preset hash algorithm to calculate the hash value of the retrieved key label sequence. It determines whether the calculated hash value equals the received hash value. If they are equal, it returns a verification-passed response to the QKS-A device; otherwise it returns a verification-failed response.

In a specific implementation, this way can be adjusted. For example, the QKS-A device can send Verify-A={hash(Locate1),Lab1} to the QKS-B device. Correspondingly, the QKS-B device retrieves the corresponding address sequence locally according to the received key label sequence, and determines whether consistency verification passes using the same hash calculation and comparison.

3) Verification method two using the correspondence between key labels and qubit storage locations.

The previous item gave one way to perform consistency verification using the correspondence between key labels and qubit storage locations. Another way to use that correspondence is given here (with the same notation as in the previous way):

The QKS-A device uses the preset hash algorithm to calculate the hash value of the string formed by concatenating Lab1 and Locate1, encrypts the hash value and Locate1 with the quantum key that both parties obtained previously and that passed consistency verification, and sends the encrypted information to the QKS-B device. That is, the QKS-A device sends the following information to the QKS-B device: Verify-A={hash(Lab1,Locate1),Locate1};

After decrypting the received information with the corresponding key, the QKS-B device obtains the hash value and the address sequence, retrieves the corresponding key label sequence locally according to the address sequence, and uses the preset hash algorithm to calculate the hash value of the string formed by concatenating that key label sequence and the address sequence. It determines whether the calculated hash value equals the received hash value. If they are equal, it returns a verification-passed response to the QKS-A device; otherwise it returns a verification-failed response.

In a specific implementation, this way can be adjusted. For example, the QKS-A device can send Verify-A={hash(Lab1,Locate1),Lab1} to the QKS-B device. Correspondingly, the QKS-B device retrieves the corresponding address sequence locally according to the received key label sequence, and determines whether consistency verification passes using the same hash calculation and comparison.

This completes the description of three ways of verifying the consistency of the quantum keys that the QKS-A and QKS-B devices store in the same address range. The first way is relatively simple and needs no key labels, but it may carry a certain security risk. The second and third ways are more complex: they use the property that a key label uniquely identifies a qubit and establish the correspondence between key labels and qubit storage locations, so no quantum key information needs to be transmitted over the network. Instead, they verify whether the address sequences at which the two devices store the qubits and the corresponding key label sequences are both identical. If they are, this shows that the quantum keys the two devices store in the same address range are the same, that is, consistency verification has passed.
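The three QKS-to-QKS checks described above, as an added Python example that is not part of the patent text: it builds Verify-A for each way and runs the QKS-B check against a consistent store, a store where two cells were swapped on write, and a store with one flipped bit under an intact label, which shows what each hash actually covers. The `KeyStore` model, SHA-256 as the preset hash, the length-prefixed concatenation, and the sample bits and timestamp labels are assumptions; the `{}` encryption under the previously verified key is left out, so messages are the plaintext inside the braces.

```python
import hashlib
import hmac


def digest(*parts: bytes) -> bytes:
    """Preset hash (assumed SHA-256); parts are length-prefixed so that
    hash(Lab1, Locate1) is unambiguous about where Lab1 ends."""
    d = hashlib.sha256()
    for p in parts:
        d.update(len(p).to_bytes(4, "big"))
        d.update(p)
    return d.digest()


def enc(seq) -> bytes:
    """Serialise a label or address sequence (assumed wire format)."""
    return ",".join(str(x) for x in seq).encode()


class KeyStore:
    """Hypothetical QKS storage: address -> (key bit, key label)."""

    def __init__(self):
        self.cells = {}

    def write(self, start, bits, labels):
        for offset, (bit, label) in enumerate(zip(bits, labels)):
            self.cells[start + offset] = (bit, label)

    def bits(self, addrs):
        return bytes(self.cells[a][0] for a in addrs)

    def labels(self, addrs):
        return [self.cells[a][1] for a in addrs]


def build_verify_a(store, addrs, method):
    """QKS-A side: the content of Verify-A for verification way 1, 2 or 3."""
    addrs = list(addrs)
    if method == 1:   # {hash(key), address range}
        return {"hash": digest(store.bits(addrs)), "range": (addrs[0], addrs[-1])}
    lab1 = enc(store.labels(addrs))
    if method == 2:   # {hash(Lab1), Locate1}
        return {"hash": digest(lab1), "locate": addrs}
    if method == 3:   # {hash(Lab1, Locate1), Locate1}
        return {"hash": digest(lab1, enc(addrs)), "locate": addrs}
    raise ValueError("method must be 1, 2 or 3")


def check_verify_a(store, msg, method):
    """QKS-B side: recompute from local storage; True means 'verification passed'."""
    if method not in (1, 2, 3):
        raise ValueError("method must be 1, 2 or 3")
    try:
        if method == 1:
            first, last = msg["range"]
            local = digest(store.bits(range(first, last + 1)))
        else:
            locate = msg["locate"]
            lab = enc(store.labels(locate))
            local = digest(lab) if method == 2 else digest(lab, enc(locate))
    except KeyError:  # an address A refers to was never written on B
        return False
    return hmac.compare_digest(local, msg["hash"])


# Constructed sample data: 8 key bits and one timestamp label per bit.
BITS = [1, 0, 0, 1, 1, 0, 1, 0]
LABELS = [1700000000000 + 7 * i for i in range(len(BITS))]
START = 0x100


def make_store(fault=None):
    store = KeyStore()
    store.write(START, BITS, LABELS)
    if fault == "swap":        # write error: two cells land at each other's address
        store.cells[START + 2], store.cells[START + 3] = (
            store.cells[START + 3], store.cells[START + 2])
    elif fault == "bitflip":   # stored bit value corrupted, label untouched
        bit, label = store.cells[START + 4]
        store.cells[START + 4] = (bit ^ 1, label)
    return store


def run_all(fault=None):
    """Results of ways 1, 2, 3 with QKS-A healthy and QKS-B carrying `fault`."""
    a, b = make_store(), make_store(fault)
    addrs = range(START, START + len(BITS))
    return tuple(check_verify_a(b, build_verify_a(a, addrs, m), m) for m in (1, 2, 3))


if __name__ == "__main__":
    for fault in (None, "swap", "bitflip"):
        print(fault, run_all(fault))
```

In this model the label-based ways catch the misplaced write without any key-derived value leaving the device, while the flipped bit is caught only by the way that hashes the key itself.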

If, after performing consistency verification, the QKS-A and QKS-B devices find that the quantum keys stored by both parties in the same address range differ, that is, consistency verification has failed, the QKS-A and QKS-B devices can clear the quantum keys stored in the same address range and go to step 302 to obtain quantum keys from their respective QKD devices again. In a specific implementation, the QKS-A and QKS-B devices may instead leave the quantum keys stored in the same address range in place and overwrite that address range with the new quantum keys obtained next time from the corresponding QKD devices.

The QKS devices of the two parties perform consistency verification each time they store quantum keys obtained from the corresponding QKD devices, and every quantum key they output to the corresponding data devices is selected from the quantum keys that have passed consistency verification. If the data devices of the two parties later find that the quantum keys obtained from the corresponding QKS-A device are inconsistent, the cause can usually be taken to be a network transmission anomaly (for example, packet loss). The data devices of the two parties can then simply obtain quantum keys from their corresponding QKS devices again, without clearing all quantum keys stored in the QKS-A and QKS-B devices by restarting or similar means, which avoids wasting the quantum keys already obtained.

Note that this step provides three ways of verifying quantum key consistency for the QKS-A and QKS-B devices, and these three ways can also be applied to quantum key consistency verification between the QKD-A and QKD-B devices. Other implementations can use ways different from those above; as long as they can verify the consistency of the quantum keys that the two devices store in the same address range, they do not depart from the core of the present application and fall within its scope of protection.

Step 305: The data devices of the sender and the receiver each send a key acquisition request to their respective key management devices.

Data device A and data device B can negotiate in advance the length of the quantum key to request from the QKS devices, and each send its QKS device a quantum key acquisition request carrying that length information.

Step 306: After receiving the key acquisition requests, the key management devices of the sender and the receiver select, from the quantum keys that have passed consistency verification, the quantum keys stored in the same address range and send them to the corresponding data devices.

After receiving the key acquisition requests sent by their corresponding data devices, the QKS-A and QKS-B devices can, based on the key length information carried in the requests, determine by negotiation the address range from which to output consistency-verified quantum keys to the data devices. They then send the quantum keys in the same negotiated address range to the corresponding data devices.

At this point the QKS-A and QKS-B devices have output consistency-verified quantum keys to their corresponding data devices, so data device A and data device B can use the received quantum keys to encrypt and decrypt the data that requires confidential transmission.

Because packet loss can also occur in transmission between a QKS device and its corresponding data device, this embodiment also provides a preferred implementation that performs quantum key consistency verification between the data devices. That is, after the QKS devices of the two parties send the quantum keys to the corresponding data devices, data device A and data device B verify the consistency of the quantum keys they obtained, and use the quantum keys that pass consistency verification as the keys for data encryption and decryption operations.

Data device A and data device B can verify the consistency of the quantum keys obtained by both parties in several ways. Two optional ways are listed below.

1) Consistency verification by comparing the hash values of the quantum keys obtained by both parties.

This way is relatively simple. A specific implementation can be as follows. Data device A uses a preset hash algorithm to calculate the hash value of the obtained quantum key, encrypts the hash value with the quantum key that both parties obtained previously and that passed consistency verification, and sends the encrypted information to data device B. After decrypting the received information with the corresponding key, data device B uses the preset hash algorithm to calculate the hash value of the quantum key it obtained locally, and determines whether the calculated hash value equals the received hash value. If they are equal, it returns a verification-passed response to data device A; otherwise it returns a verification-failed response.

2) Consistency verification using the correspondence between the quantum key and the key label sequence.

With this way of verification, the information that the QKS devices of the two parties send to the corresponding data devices includes not only the quantum key but also the key label sequence of the quantum key. For ease of description, the quantum key received by data device A is denoted Key1, the corresponding key label sequence is denoted Lab1, hash() denotes the preset hash algorithm, and the information inside {} is the encrypted data. After data device A and data device B receive the quantum keys and key label sequences sent by their respective QKS devices, they perform the following operations to verify quantum key consistency:

Data device A uses the preset hash algorithm to calculate the hash value of the string formed by concatenating the obtained quantum key Key1 and the key label sequence Lab1, encrypts the hash value and the key label sequence Lab1 with the quantum key that both parties obtained previously and that passed consistency verification, and sends the encrypted information to data device B. That is, data device A sends the following information to data device B: Verify-A={hash(Key1,Lab1),Lab1};

After decrypting the received information with the corresponding key, data device B retrieves the corresponding quantum key locally according to the received key label sequence, and uses the preset hash algorithm to calculate the hash value of the string formed by concatenating that quantum key and the key label sequence. It determines whether the calculated hash value equals the received hash value. If they are equal, it returns a verification-passed response to data device A; otherwise it returns a verification-failed response.

如果数据设备A和数据设备B执行一致性验证后,发现双方获取的量子密钥不相同,即未通过一致性验证,那么数据设备A和数据设备B可以放弃本次获取的量子密钥,转到步骤305执行,再次分别向各自的QKS设备发送密钥获取请求。If data device A and data device B find that the quantum keys obtained by both parties are different after performing consistency verification, that is, they fail the consistency verification, then data device A and data device B can abandon the quantum key obtained this time and go to step 305 to execute, and send key acquisition requests to their respective QKS devices again.

由于QKS设备输出给数据设备的量子密钥都是其存储的、已通过一致性验证的量子密钥,那么如果收发双方数据设备获取的量子密钥不一致,通常是因为网络传输异常(例如丢包)造成的,在这种情况下,没有必要通过重新启动等方式清空QKS-A设备和QKS-B设备中所有已存储的量子密钥,避免对已获取的量子密钥的浪费。Since the quantum keys output by the QKS device to the data device are all quantum keys stored by it and have passed consistency verification, if the quantum keys obtained by the data devices of the sender and receiver are inconsistent, it is usually caused by network transmission abnormalities (such as packet loss). In this case, there is no need to clear all stored quantum keys in the QKS-A device and the QKS-B device by restarting, etc., to avoid wasting the obtained quantum keys.
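The Verify-A exchange between data device A and data device B described above, as an added example that is not part of the patent text. It assumes SHA-256 as the preset hash algorithm, length-prefixed concatenation for hash(Key1, Lab1), and an HMAC-SHA-256 keystream with an integrity tag as a stand-in for the encryption under the previously verified key, which the description does not specify; all function names and sample values are hypothetical.

```python
import hashlib
import hmac
import os
import struct

HASH = hashlib.sha256          # assumption: the "preset hash algorithm"
DIGEST_LEN = HASH().digest_size


def _frame(*fields):
    """Length-prefix each field so the Key1/Lab1 boundary is unambiguous."""
    return b"".join(struct.pack(">I", len(f)) + f for f in fields)


def key_digest(key, label):
    """hash(Key1, Lab1): hash of the key concatenated with its label sequence."""
    return HASH(_frame(key, label)).digest()


def _subkeys(prev_key):
    """Derive separate encryption and MAC keys from the previously verified key."""
    enc = hmac.new(prev_key, b"verify-enc", HASH).digest()
    mac = hmac.new(prev_key, b"verify-mac", HASH).digest()
    return enc, mac


def _keystream(enc_key, nonce, length):
    """HMAC-SHA-256 in counter mode (stand-in for the unspecified cipher)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">I", counter), HASH).digest()
        counter += 1
    return out[:length]


def seal(prev_key, plaintext):
    """Encrypt-then-MAC under the previously verified key."""
    enc, mac = _subkeys(prev_key)
    nonce = os.urandom(16)
    stream = _keystream(enc, nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    return nonce + ct + hmac.new(mac, nonce + ct, HASH).digest()


def unseal(prev_key, blob):
    """Return the plaintext, or None if the blob was altered or the key differs."""
    if len(blob) < 16 + DIGEST_LEN:
        return None
    enc, mac = _subkeys(prev_key)
    nonce, ct, tag = blob[:16], blob[16:-DIGEST_LEN], blob[-DIGEST_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac, nonce + ct, HASH).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc, nonce, len(ct))))


def build_verify_a(prev_key, key1, lab1):
    """Data device A: Verify-A = {hash(Key1, Lab1), Lab1}."""
    return seal(prev_key, key_digest(key1, lab1) + lab1)


def check_verify_a(prev_key, blob, local_keys):
    """Data device B: decrypt, look up the key by label, compare hashes.

    Returns (passed, label); label is None when the message cannot be opened.
    """
    plain = unseal(prev_key, blob)
    if plain is None or len(plain) <= DIGEST_LEN:
        return False, None
    received, label = plain[:DIGEST_LEN], plain[DIGEST_LEN:]
    local = local_keys.get(label)
    if local is None:
        return False, label
    # Constant-time comparison of the received and locally computed hashes.
    return hmac.compare_digest(received, key_digest(local, label)), label


def demo():
    prev_key = bytes(range(32))                                 # constructed
    key1 = bytes.fromhex("00112233445566778899aabbccddeeff")    # constructed Key1
    lab1 = b"LAB-0001"                                          # constructed Lab1
    msg = build_verify_a(prev_key, key1, lab1)

    store_b = {lab1: key1, b"LAB-0000": b"\x01" * 16}
    passed, _ = check_verify_a(prev_key, msg, store_b)

    # Failure case: B's copy of the key differs in a single bit.
    store_b[lab1] = bytes([key1[0] ^ 1]) + key1[1:]
    failed, label = check_verify_a(prev_key, msg, store_b)
    if not failed:
        store_b.pop(label)   # abandon only this key, then request a new one
    return passed, failed, sorted(store_b)


if __name__ == "__main__":
    print(demo())
```

On a failed check only the key under the failing label is dropped, matching the description's point that the rest of the stored keys need not be cleared.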

At this point, steps 301 to 306 above have described in detail the process of implementing the technical solution of this application in the real-time acquisition mode. It should be noted that, to further ensure security, all data interactions over the classical channel in the above process can be carried out over HTTPS connections, with the digital certificates used by each participating device during authentication all issued by a trusted third party. Before any two devices exchange data, two-way identity authentication can also be performed in advance, for example using preset digital certificates, and the data interaction begins only after each party has passed the other party's identity authentication.

The above describes the process of implementing the technical solution of this application in the real-time acquisition mode; the following describes the process of implementing it in the pre-acquisition mode. Please refer to Figure 5, which is a processing flowchart of the quantum key output method based on the pre-acquisition mode provided in an embodiment of this application. For ease of understanding, this embodiment also provides a flowchart of the interaction between the devices in the pre-acquisition mode; please refer to Figure 6. The method includes the following steps:

Step 501: The data devices of the sender and receiver each send a key acquisition request to their respective key management devices.

Step 502: The key management devices of the sender and receiver each send the key acquisition request to their respective quantum key distribution devices.

Because the QKS devices of the sender and receiver have not pre-stored quantum keys that have passed consistency verification, they forward the received requests to their respective QKD devices.

Step 503: The quantum key distribution devices of the sender and receiver negotiate a quantum key through the quantum key distribution protocol and store the quantum key in the same address interval.

Step 504: The quantum key distribution devices of the sender and receiver send the quantum keys stored in the same address interval to the corresponding key management devices.

Step 505: The key management devices of the sender and receiver store the received quantum keys in the same address interval and verify the consistency of the quantum keys that the two parties have stored in that address interval.

Step 506: The key management devices of the sender and receiver select, from the quantum keys that have passed consistency verification, the quantum keys stored in the same address interval and send them to the corresponding data devices.

As can be seen from the steps described above and from Figures 4 and 6, the pre-acquisition mode differs from the real-time acquisition mode in the interaction process between the devices. In the pre-acquisition mode, the QKS devices of the sender and receiver do not pre-store consistency-verified quantum keys as they do in the real-time acquisition mode. Instead, after receiving a key acquisition request from the data device, they obtain a quantum key from the corresponding QKD device, perform consistency verification on it, and then send the verified quantum key to the data device.

When implementing this technical solution, the core of the pre-acquisition mode is the same as that of the real-time acquisition mode: the QKS devices of the sender and receiver must verify the consistency of the quantum keys that the two parties have stored in the same address interval, thereby ensuring that the keys output to the data devices are symmetric. Furthermore, the QKD devices of the sender and receiver can also verify the consistency of their stored quantum keys, and the data devices of the sender and receiver can also verify the consistency of the quantum keys they receive. The specific processing is explained in detail in the description of the real-time acquisition mode above and is not repeated here; please refer to the relevant description there.

It should be noted that, in a specific implementation, either the real-time acquisition mode or the pre-acquisition mode can be used on its own, or the two can be combined. For example, the QKS devices of the sender and receiver can normally pre-store consistency-verified quantum keys and output them according to the needs of the corresponding data devices; when the data devices' demand for quantum keys is relatively large and the QKS devices of the sender and receiver determine that there are no pre-stored keys to output, they can switch to the pre-acquisition mode and continue working.

In summary, in the quantum key output method provided by this application, the key management devices of the sender and receiver verify the consistency of the quantum keys stored in the same address interval, which ensures the synchronization and usability of the quantum keys output by the quantum key output system. That is, the quantum keys output to the data devices are identical and symmetric, which guarantees correct execution of the data encryption and decryption process. In particular, even if the quantum keys obtained by the data sender and receiver are asymmetric because of network transmission or other reasons, there is no need to clear the quantum keys already stored in the key management devices of the sender and receiver by restarting or similar means, which avoids wasting quantum key resources.

The above embodiments provide a quantum key output method. Correspondingly, this application also provides a quantum key output device. Please refer to Figure 7, which is a schematic diagram of an embodiment of a quantum key output device of this application. Because the device embodiment is substantially similar to the method embodiment, it is described relatively briefly; for related details, refer to the corresponding description of the method embodiment. The device embodiment described below is merely illustrative.

A quantum key output device according to this embodiment includes: a data device key request unit 701, used for the data devices of the sender and receiver to each send a key acquisition request to their respective key management devices; and a management device key output unit 702, used for the key management devices of the sender and receiver, after receiving the key acquisition request, to send the quantum key that was obtained from the corresponding quantum key distribution device and that has passed the consistency verification of the key management devices of the sender and receiver to the corresponding data device, for the corresponding data device to perform data encryption and decryption operations.

Optionally, the device includes: a distribution device key negotiation and verification unit;

The distribution device key negotiation and verification unit is used for the quantum key distribution devices corresponding to the key management devices of the sender and receiver to store the quantum key negotiated through the quantum key distribution protocol in the same address interval, then verify the consistency of the quantum keys that the two parties have stored in that address interval, and treat the quantum key that passes consistency verification as a quantum key available to the corresponding key management device.

Optionally, the device includes a distribution device key negotiation unit, a management device key request unit, a distribution device key sending unit, and a management device key verification unit, and these units are started before the data device key request unit operates:

The distribution device key negotiation unit is used for the quantum key distribution devices of the sender and receiver to negotiate a quantum key through the quantum key distribution protocol and store the quantum key in the same address interval;

The management device key request unit is used for the key management devices of the sender and receiver to send key acquisition requests to their respective quantum key distribution devices;

The distribution device key sending unit is used for the quantum key distribution devices of the sender and receiver to send the quantum keys stored in the same address interval to the corresponding key management devices;

The management device key verification unit is used for the key management devices of the sender and receiver to store the received quantum keys in the same address interval and verify the consistency of the quantum keys that the two parties have stored in that address interval;

Correspondingly, the management device key output unit is specifically used for the key management devices of the sender and receiver, after receiving the key acquisition request, to select from the quantum keys that have passed consistency verification the quantum keys stored in the same address interval and send them to the corresponding data devices.

Optionally, the device includes:

A management device key request forwarding unit, used for the key management devices of the sender and receiver, after the data device key request unit receives the key acquisition request, to each send the key acquisition request to their respective quantum key distribution devices;

A distribution device key negotiation unit, used for the quantum key distribution devices of the sender and receiver to negotiate a quantum key through the quantum key distribution protocol and store the quantum key in the same address interval;

A distribution device key sending unit, used for the quantum key distribution devices of the sender and receiver to send the quantum keys stored in the same address interval to the corresponding key management devices;

A management device key verification unit, used for the key management devices of the sender and receiver to store the received quantum keys in the same address interval and verify the consistency of the quantum keys that the two parties have stored in that address interval;

Correspondingly, the management device key output unit is specifically used for the key management devices of the sender and receiver to select, from the quantum keys that have passed consistency verification, the quantum keys stored in the same address interval and send them to the corresponding data devices.

Optionally, the device includes:

A management device key clearing unit, used for the key management devices of the sender and receiver, when the verification result of the management device key verification unit is a failure, to clear the quantum keys stored in the verified address interval and trigger the unit by which the key management devices of the sender and receiver each send key acquisition requests to their respective quantum key distribution devices.

Optionally, the device includes:

A distribution device key verification unit, used for the quantum key distribution devices of the sender and receiver, after the distribution device key negotiation unit has completed the quantum key negotiation process and stored the quantum key in the same address interval, to verify the consistency of the quantum keys that the two parties have stored in that address interval and treat the quantum key that passes consistency verification as a quantum key that can be sent to the key management device.

Optionally, the device includes:

A distribution device key clearing unit, used for the quantum key distribution devices of the sender and receiver, when the verification result of the distribution device key verification unit is a failure, to clear the quantum keys stored in the verified address interval and trigger the distribution device key negotiation unit to operate.

Optionally, the distribution device key verification unit and the management device key verification unit each include a verification request subunit and a verification execution subunit;

The verification request subunit is used for one of the devices participating in the verification to calculate, with a preset hash algorithm, the hash value of the quantum key stored in the address interval, encrypt the hash value and the address interval information with the quantum key that the two participating devices obtained the previous time and that passed consistency verification, and send the encrypted information to the other device participating in the verification;

The verification execution subunit is used for the other device to decrypt the received information with the corresponding key and obtain the address interval information, calculate with the preset hash algorithm the hash value of the quantum key stored in the corresponding local address interval, and determine whether the calculated hash value is the same as the received hash value. If they are the same, it returns a verification-passed response to the peer device participating in the verification; otherwise it returns a verification-failed response.

Optionally, the device includes:

A data device key verification unit, used for the data devices of the sender and receiver, after the management device key output unit has sent the quantum keys to the corresponding data devices, to verify the consistency of the received quantum keys and use the quantum key that passes consistency verification as the key for data encryption and decryption operations.

Optionally, the quantum key obtained by the distribution device key negotiation unit through quantum key distribution protocol negotiation has a corresponding key label sequence; accordingly,

In addition to the main subunit that implements its function, the distribution device key negotiation unit also includes a mapping relationship establishment subunit, which is used to establish a one-to-one correspondence between the storage address of each quantum bit and a key label;

The information that the distribution device key sending unit sends to the management device key verification unit includes not only the quantum key but also the key label sequence corresponding to the quantum key;

In addition to a storage subunit and a management device key verification subunit, the management device key verification unit also includes a mapping relationship establishment subunit. The storage subunit is used for the key management devices of the sender and receiver to store the received quantum keys in the same address interval; the mapping relationship establishment subunit is used to establish a one-to-one correspondence between the storage address of each quantum bit and a key label, and to trigger the management device key verification subunit to operate; the management device key verification subunit is used to verify the consistency of the quantum keys that the two parties have stored in the same address interval;

The distribution device key verification unit and the management device key verification subunit each include a label verification request subunit and a label verification execution subunit;

The label verification request subunit is used for one of the devices participating in the verification to calculate, with a preset hash algorithm, the hash value of the string formed by concatenating the key label sequence of the quantum key with the address sequence made up of the storage address of each quantum bit in the quantum key, encrypt either the hash value and the address sequence or the hash value and the key label sequence with the quantum key that the two participating devices obtained the previous time and that passed consistency verification, and send the encrypted information to the other device participating in the verification;

The label verification execution subunit is used for the other device, after receiving the encrypted information, to decrypt it with the corresponding key, obtain the corresponding key label sequence locally according to the extracted address sequence or obtain the corresponding address sequence locally according to the extracted key label sequence, and calculate with the preset hash algorithm the hash value of the string formed by concatenating the key label sequence and the address sequence. It then determines whether the calculated hash value is the same as the received hash value. If they are the same, it returns a verification-passed response to the peer device participating in the verification; otherwise it returns a verification-failed response.

In addition, this application also provides a quantum key acquisition method, which is implemented on a data device that uses quantum keys to encrypt and decrypt data. Please refer to Figure 8, which is a flowchart of an embodiment of a quantum key acquisition method provided by this application. The parts of this embodiment that are the same as the first embodiment are not repeated; the description below focuses on the differences. The quantum key acquisition method provided by this application includes:

Step 801: Send a key acquisition request to a key management device.

Step 802: Receive the quantum key that has passed consistency verification and is sent by the key management device, as the key used for data encryption and decryption.

After receiving the consistency-verified quantum key sent by the key management device, the data device can further verify the consistency of the obtained quantum key with the quantum key obtained by the peer data device, and use the quantum key that passes this consistency verification as the key for data encryption and decryption.

If the above verification finds that the obtained quantum key is inconsistent with the quantum key obtained by the peer data device, the process can go to step 801 and send a quantum key acquisition request to the key management device again.

The above embodiment provides a quantum key acquisition method. Correspondingly, this application also provides a quantum key acquisition device. Please refer to Figure 9, which is a schematic diagram of an embodiment of a quantum key acquisition device of this application. The device embodiment described below is merely illustrative.

A quantum key acquisition device according to this embodiment is deployed on a data device that uses quantum keys to encrypt and decrypt data, and includes: a key acquisition request sending unit 901, used to send a quantum key acquisition request to a key management device; and a symmetric key receiving unit 902, used to receive the quantum key that has passed consistency verification and is sent by the key management device, as the key used for data encryption and decryption.

In addition, this application also provides a quantum key storage and output method, which is implemented on a key management device that provides quantum keys to data devices. Please refer to Figure 10, which is a flowchart of an embodiment of a quantum key storage and output method provided by this application. The parts of this embodiment that are the same as the first embodiment are not repeated; the description below focuses on the differences. The quantum key storage and output method provided by this application includes:

Step 1001: Receive a key acquisition request sent by a data device.

If the real-time quantum key acquisition mode is used, the following operations are performed before this step:

1) Send a key acquisition request to the quantum key distribution device;

2) Receive the quantum key sent by the quantum key distribution device and store it in the same address interval as the peer key management device;

3) Verify the consistency of the quantum key stored in the address interval with the quantum key stored by the peer key management device in the same address interval, and treat the quantum key that passes consistency verification as a quantum key that can be sent to the data device.

Step 1002: Send the quantum key that has passed consistency verification to the data device, according to the same address interval negotiated with the peer key management device.

If the pre-acquisition mode is used, the following operations are performed after step 1001 and before this step:

1) Send the key acquisition request to the quantum key distribution device;

2) Receive the quantum key sent by the quantum key distribution device and store it in the same address interval as the peer key management device;

3) Verify the consistency of the quantum key stored in the address interval with the quantum key stored by the peer key management device in the same address interval.

Whether the real-time acquisition mode or the pre-acquisition mode is used, if consistency verification finds that the quantum key stored in the address interval is inconsistent with the quantum key stored by the peer management device in the same address interval, the quantum key stored in the address interval can be cleared and a key acquisition request sent to the quantum key distribution device again.

The above embodiment provides a quantum key storage and output method. Correspondingly, this application also provides a quantum key storage and output device. Please refer to Figure 11, which is a schematic diagram of an embodiment of a quantum key storage and output device of this application. The device embodiment described below is merely illustrative.

A quantum key storage and output device according to this embodiment is deployed on a key management device that provides quantum keys to data devices, and includes: a key acquisition request receiving unit 1101, used to receive a key acquisition request sent by a data device; and a symmetric key output unit 1102, used to send the quantum key that has passed consistency verification to the data device, according to the same address interval negotiated with the peer key management device.

此外,本申请还提供一种量子密钥分发存储方法,所述方法在量子密钥分发设备上实施。请参考图12,其为本申请提供的一种量子密钥分发存储方法的实施例的流程图,本实施例与第一实施例内容相同的部分不再赘述,下面重点描述不同之处。本申请提供的一种量子密钥分发存储方法包括:In addition, the present application also provides a quantum key distribution and storage method, which is implemented on a quantum key distribution device. Please refer to Figure 12, which is a flowchart of an embodiment of a quantum key distribution and storage method provided by the present application. The parts of this embodiment that are the same as the first embodiment are not repeated here, and the differences are described below. The quantum key distribution and storage method provided by the present application includes:

步骤1201、与对端量子密钥分发设备通过量子密钥分发协议协商量子密钥,并将获取的量子密钥存储在与所述对端量子密钥分发设备相同的地址区间中。Step 1201: negotiate a quantum key with a peer quantum key distribution device through a quantum key distribution protocol, and store the acquired quantum key in the same address range as that of the peer quantum key distribution device.

步骤1202、验证在所述地址区间中存储的量子密钥与所述对端量子密钥分发设备在相同地址区间中存储的量子密钥的一致性。Step 1202: Verify the consistency of the quantum key stored in the address interval and the quantum key stored in the same address interval by the peer quantum key distribution device.

步骤1203、根据接收到的来自密钥管理设备的量子密钥获取请求,按照与所述对端量子密钥分发设备协商的相同地址区间,将通过一致性验证的量子密钥发送给所述密钥管理设备。Step 1203: Based on the quantum key acquisition request received from the key management device, the quantum key that has passed consistency verification is sent to the key management device according to the same address range negotiated with the peer quantum key distribution device.

如果在步骤1202中执行一致性验证后发现,在所述地址区间中存储的量子密钥与所述对端量子密钥分发设备在相同地址区间中存储的量子密钥不一致,则可以清除在所述地址区间中存储的量子密钥,并转到步骤1201执行。If, after consistency verification is performed in step 1202, it is found that the quantum key stored in the address interval is inconsistent with the quantum key stored in the same address interval by the peer quantum key distribution device, the quantum key stored in the address interval can be cleared and the process proceeds to step 1201 for execution.

需要说明的是,如果采用实时获取量子密钥的方式,所述来自密钥管理设备的密钥获取请求,可以是在步骤1202之后接收到的;如果采用预获取方式,所述请求可以是在步骤1201之前接收到的。It should be noted that if a real-time quantum key acquisition method is adopted, the key acquisition request from the key management device may be received after step 1202; if a pre-acquisition method is adopted, the request may be received before step 1201.

The embodiment above provides a quantum key distribution and storage method. Correspondingly, this application also provides a quantum key distribution and storage device. Refer to Figure 13, a schematic diagram of an embodiment of a quantum key distribution and storage device of this application. The device embodiment described below is merely illustrative.

The quantum key distribution and storage device of this embodiment is implemented on a quantum key distribution device and includes: a key distribution storage unit 1301, configured to negotiate a quantum key with a peer quantum key distribution device through a quantum key distribution protocol and to store the acquired quantum key in the same address range as the peer quantum key distribution device; a key verification unit 1302, configured to verify that the quantum key stored in the address range is consistent with the quantum key stored by the peer quantum key distribution device in the same address range; and a symmetric key sending unit 1303, configured to send, in response to a key acquisition request received from a key management device, the quantum key that has passed consistency verification to the key management device, according to the same address range negotiated with the peer quantum key distribution device.

In addition, this application provides a quantum key output system. Refer to Figure 14, a schematic diagram of an embodiment of the quantum key output system provided by this application. The system includes two subsystems, deployed at the sender and the receiver respectively. One subsystem includes a quantum key acquisition device 1401-1, a quantum key storage and output device 1402-1, and a quantum key distribution and storage device 1403-1; the other subsystem includes a quantum key acquisition device 1401-2, a quantum key storage and output device 1402-2, and a quantum key distribution and storage device 1403-2.

The quantum key output system can operate either in the real-time quantum key acquisition mode or in the pre-acquisition mode. The interaction between the devices in these two modes has been described in detail in the embodiments of the quantum key output method and is not repeated here.

In addition, this application provides a method for verifying the consistency of quantum key storage, implemented on a first device and a second device that participate in the verification. Refer to Figure 15, a flowchart of an embodiment of this method. Parts of this embodiment that are the same as the first embodiment are not repeated; the description below focuses on the differences. The method for verifying the consistency of quantum key storage provided by this application includes:

Step 1501: The first device sends to the second device the information representing the quantum key to be verified, obtained through the quantum key negotiation process, together with the address range information of where the quantum key to be verified is stored.

The information representing the quantum key to be verified consists of sub-information units, one for each bit of the quantum key. Each sub-information unit is the unique identifier of a different quantum bit in the quantum key to be verified and corresponds one-to-one with the storage address of the quantum bit it identifies.

The information representing the quantum key to be verified may include the quantum key to be verified itself, in which case each quantum bit of the quantum key is a sub-information unit. In this case, the first device can use a preset hash algorithm to calculate the hash value of the quantum key to be verified, and send the hash value and the address range information to the second device.

The information representing the quantum key to be verified may also include the key tag sequence of the quantum key to be verified, in which case each key tag in the key tag sequence is a sub-information unit, and the address range information of where the quantum key to be verified is stored includes the address sequence made up of the storage address of each quantum bit in the quantum key to be verified. In this case, the first device can use a preset hash algorithm to calculate the hash value of the string formed by concatenating the key tag sequence and the address sequence, and send either the hash value and the address sequence, or the hash value and the key tag sequence, to the second device participating in the verification.

In a specific implementation, the timestamp information of a quantum bit can be used as its key tag.

Step 1502: The second device compares the received information with the corresponding local information to determine whether the information that corresponds to the address range and represents the quantum key to be verified is the same on both devices. If it is the same, the second device returns a verification-passed response to the first device; otherwise it returns a verification-failed response.

When the information representing the quantum key to be verified is the quantum key itself, the second device can extract from the received information the address range information of where the quantum key to be verified is stored, use the preset hash algorithm to calculate the hash value of the quantum key stored locally in the same address range, and compare the calculated hash value with the received hash value. If they are the same, the second device determines that the information that corresponds to the address range and represents the quantum key to be verified is the same on both devices and returns a verification-passed response to the first device; otherwise it returns a verification-failed response.

When the information representing the quantum key to be verified is the key tag sequence of the quantum key, the second device can obtain the corresponding key tag sequence locally from the address sequence extracted from the received information, or obtain the corresponding address sequence locally from the extracted key tag sequence, and use the preset hash algorithm to calculate the hash value of the string formed by concatenating the key tag sequence and the address sequence. It then checks whether the calculated hash value is the same as the received hash value. If they are the same, the second device determines that the information that corresponds to the address range and represents the quantum key to be verified is the same on both devices and returns a verification-passed response to the first device; otherwise it returns a verification-failed response.
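The two verification variants of steps 1501 and 1502, as an added Python example that is not part of the patent text. It assumes SHA-256 as the preset hash algorithm, integer timestamps as key tags, and a comma-and-bar string encoding of the tag and address sequences; `KeyStore` and the function names are hypothetical, and the sample key and tags are constructed.

```python
import hashlib
import hmac

# Assumption: SHA-256 stands in for the "preset hash algorithm" (none is named).
PRESET_HASH = hashlib.sha256


class KeyStore:
    """Key memory of one device: storage address -> key bit and key tag."""

    def __init__(self, start, key_bits, key_tags):
        # One bit per address from `start`; its tag maps to the same address.
        self.bits = {start + i: b for i, b in enumerate(key_bits)}
        self.tags = {start + i: t for i, t in enumerate(key_tags)}

    def clear(self, addresses):
        for addr in addresses:
            self.bits.pop(addr, None)
            self.tags.pop(addr, None)


def key_digest(store, start, end):
    """Variant 1: hash of the key stored in [start, end); KeyError if a bit is missing."""
    return PRESET_HASH(bytes([store.bits[a] for a in range(start, end)])).digest()


def tag_digest(tags, addresses):
    """Variant 2: hash of the tag sequence concatenated with the address sequence."""
    # Assumed encoding: comma-joined integers with '|' between the two sequences.
    text = ",".join(map(str, tags)) + "|" + ",".join(map(str, addresses))
    return PRESET_HASH(text.encode("ascii")).digest()


def build_key_request(store, start, end):
    """Step 1501, variant 1: the address range plus the hash of the key in it."""
    return {"range": (start, end), "digest": key_digest(store, start, end)}


def build_tag_request(store, addresses):
    """Step 1501, variant 2: address sequence plus tag/address hash (no key bits)."""
    tags = [store.tags[a] for a in addresses]
    return {"addresses": list(addresses), "digest": tag_digest(tags, addresses)}


def verify_key_request(store, request):
    """Step 1502, variant 1: hash the same local range and compare."""
    try:
        local = key_digest(store, *request["range"])
    except KeyError:  # nothing stored at one of the addresses
        return False
    return hmac.compare_digest(local, request["digest"])  # constant-time


def verify_tag_request(store, request):
    """Step 1502, variant 2: fetch local tags by the received addresses, compare."""
    addresses = request["addresses"]
    if any(a not in store.tags for a in addresses):
        return False
    local = tag_digest([store.tags[a] for a in addresses], addresses)
    return hmac.compare_digest(local, request["digest"])


def verify_or_clear(store, request):
    """On a failed check, clear the address range so the key is negotiated again."""
    ok = verify_key_request(store, request)
    if not ok:
        store.clear(range(*request["range"]))
    return ok


# Constructed sample data: an 8-bit key stored at addresses 100..107.
KEY_BITS = [1, 0, 1, 1, 0, 0, 1, 0]
KEY_TAGS = [1700000000 + i for i in range(8)]  # made-up timestamps as tags
START, END = 100, 108


def run_scenarios():
    """The first device builds both requests; peers in different states answer."""
    first = KeyStore(START, KEY_BITS, KEY_TAGS)
    key_req = build_key_request(first, START, END)
    tag_req = build_tag_request(first, range(START, END))
    same = KeyStore(START, KEY_BITS, KEY_TAGS)
    shifted = KeyStore(START + 1, KEY_BITS, KEY_TAGS)  # stored one address off
    corrupt = KeyStore(START, [1, 0, 1, 0, 0, 0, 1, 0], KEY_TAGS)  # bit 3 differs
    mislabelled = KeyStore(START, KEY_BITS, KEY_TAGS[1::-1] + KEY_TAGS[2:])
    return {
        "same_key": verify_key_request(same, key_req),
        "same_tag": verify_tag_request(same, tag_req),
        "shifted_key": verify_key_request(shifted, key_req),
        "shifted_tag": verify_tag_request(shifted, tag_req),
        "mislabelled_tag": verify_tag_request(mislabelled, tag_req),
        "corrupt_key": verify_or_clear(corrupt, key_req),
        "corrupt_cleared": not any(a in corrupt.bits for a in range(START, END)),
    }


if __name__ == "__main__":
    print(run_scenarios())
```

The peer that stored the same key one address off fails both checks, which is the storage inconsistency the address-bound comparison is meant to catch.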

It should be noted that the method for verifying the consistency of quantum key storage provided by this application can be implemented on any pair of devices that need to perform such verification. The two devices can be the quantum key distribution devices of the sender and receiver, or the key management devices of the sender and receiver.

In addition, when executing step 1501, the first device can encrypt the information to be sent with a key agreed in advance with the second device. Correspondingly, when executing step 1502, the second device decrypts the information received from the first device with the corresponding key and then performs the subsequent comparison and determination.

As the description above shows, in the method for verifying the consistency of quantum key storage provided by this application, the two devices participating in the verification compare the information that corresponds to the same address range on each side and represents the quantum key to be verified, and thereby determine whether the quantum keys they store in the same address range are the same. This provides a basis for both parties to output symmetric quantum keys and safeguards the secure and efficient transmission of user data. In particular, the verification method based on key tags makes use of the fact that a key tag uniquely identifies a quantum bit, and of the correspondence between key tags and the storage addresses of quantum bits, so that consistency verification can be performed without transmitting the quantum key, which further protects the quantum key.

The embodiment above provides a method for verifying the consistency of quantum key storage. Correspondingly, this application also provides an apparatus for verifying the consistency of quantum key storage. Refer to Figure 16, a schematic diagram of an embodiment of this apparatus. The apparatus embodiment described below is merely illustrative.

The apparatus for verifying the consistency of quantum key storage of this embodiment includes: a key verification request sending unit 1601, configured for the first device to send to the second device the information representing the quantum key to be verified, obtained through the quantum key negotiation process, together with the address range information of where the quantum key to be verified is stored; and a key verification execution unit 1602, configured for the second device to compare the received information with the corresponding local information to determine whether the information that corresponds to the address range and represents the quantum key to be verified is the same on both devices, returning a verification-passed response to the first device if it is the same and a verification-failed response otherwise.

Although this application is disclosed above by way of preferred embodiments, they are not intended to limit it. Any person skilled in the art may make possible changes and modifications without departing from the spirit and scope of this application. The scope of protection of this application is therefore the scope defined by its claims.

In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.

Memory may include forms of computer-readable media such as non-permanent memory, random access memory (RAM), and/or non-volatile memory, for example read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.

1. Computer-readable media include permanent and non-permanent, removable and non-removable media, which can store information by any method or technology. The information can be computer-readable instructions, data structures, program modules, or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technologies, compact disc read-only memory (CD-ROM), digital versatile disc (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible to a computing device. As defined herein, computer-readable media do not include transitory computer-readable media (transitory media), such as modulated data signals and carrier waves.

2. Those skilled in the art will appreciate that the embodiments of this application may be provided as a method, a system, or a computer program product. This application may therefore take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware. Furthermore, this application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to magnetic disk storage, CD-ROM, and optical storage) that contain computer-usable program code.

Claims (37)

1.一种量子密钥输出方法,其特征在于,包括:1. A quantum key output method, characterized in that it includes: 收发双方数据设备分别向各自的密钥管理设备发送密钥获取请求;Both the transmitting and receiving data devices send key acquisition requests to their respective key management devices. 收发双方密钥管理设备QKS接收所述密钥获取请求后,将通过一致性验证的量子密钥发送给相应数据设备,供相应数据设备执行数据加解密操作;After receiving the key acquisition request, the QKS key management device of both the sender and receiver will send the quantum key that has passed the consistency verification to the corresponding data device for the corresponding data device to perform data encryption and decryption operations; 其中,所述一致性验证是指,收发双方密钥管理设备将从各自对应的量子密钥分发设备QKD获取的量子密钥存储在相同地址区间后,验证双方在所述相同地址区间中存储的量子密钥是否相同;若相同,则视为所述的通过一致性验证;The consistency verification refers to the process whereby the key management devices of both the sender and receiver store the quantum keys obtained from their respective quantum key distribution devices (QKD) in the same address range, and then verify whether the quantum keys stored in the same address range are the same. If they are the same, then the consistency verification is considered to have passed. 所述收发双方密钥管理设备发送给相应数据设备的通过一致性验证的量子密钥是按照下述方式获得:The quantum key that has passed consistency verification and is sent by the key management devices of both the sender and receiver to the corresponding data devices is obtained in the following manner: 收发双方密钥管理设备分别向各自对应的量子密钥分发设备发送所述密钥获取请求,所述各自对应的量子密钥分发设备称为收发双方量子密钥分发设备;The key management devices of both the sender and receiver send the key acquisition request to their respective corresponding quantum key distribution devices, which are referred to as the sender and receiver quantum key distribution devices. 所述收发双方量子密钥分发设备通过量子密钥分发协议协商量子密钥,并采用相同地址区间存储所述量子密钥,验证双方在所述相同地址区间中存储的量子密钥的一致性,并将通过一致性验证的量子密钥作为可供相应的收发双方密钥管理设备获取的量子密钥;The quantum key distribution devices of the sender and receiver negotiate quantum keys through a quantum key distribution protocol and store the quantum keys in the same address range. 
They verify the consistency of the quantum keys stored in the same address range by both parties and use the quantum keys that pass the consistency verification as quantum keys that can be obtained by the corresponding key management devices of the sender and receiver. 所述收发双方量子密钥分发设备将存储在相同地址区间的并通过一致性验证的量子密钥发送给相应的收发双方密钥管理设备;The quantum key distribution devices of the sender and receiver will send the quantum keys stored in the same address range and verified for consistency to the corresponding key management devices of the sender and receiver. 所述收发双方密钥管理设备将接收的量子密钥存储在相同地址区间中,并验证双方在所述相同地址区间中存储的量子密钥的一致性;The key management devices for both the sender and receiver store the received quantum keys in the same address range and verify the consistency of the quantum keys stored by both parties in the same address range. 相应的,所述将通过一致性验证的量子密钥发送给相应数据设备,包括:Accordingly, the step of sending the quantum key that has passed consistency verification to the corresponding data device includes: 所述收发双方密钥管理设备从通过一致性验证的量子密钥中,选取在相同地址区间存储的量子密钥,发送给相应数据设备。The key management devices of both the sender and receiver select quantum keys stored in the same address range from the quantum keys that have passed consistency verification and send them to the corresponding data devices. 2.根据权利要求1所述的量子密钥输出方法,其特征在于,所述通过一致性验证的量子密钥是在收发双方数据设备发送密钥获取请求之前,预先存储在所述收发双方密钥管理设备中的。2. The quantum key output method according to claim 1, wherein the quantum key that has passed the consistency verification is pre-stored in the key management device of the sender and receiver before the data devices of both parties send a key acquisition request. 3.根据权利要求2所述的量子密钥输出方法,其特征在于,在执行所述收发双方密钥管理设备向各自的量子密钥分发设备发送密钥获取请求之前,执行下述操作:3. 
The quantum key output method according to claim 2, characterized in that, before the key management devices of both the sender and receiver send key acquisition requests to their respective quantum key distribution devices, the following operations are performed: 收发双方量子密钥分发设备将可供获取的量子密钥数量通知给各自的密钥管理设备。The quantum key distribution devices of both the sender and receiver notify their respective key management devices of the number of available quantum keys. 4.根据权利要求1所述的量子密钥输出方法,其特征在于,所述通过一致性验证的量子密钥是在所述收发双方密钥管理设备接收所述密钥获取请求后、在所述将通过一致性验证的量子密钥发送给相应数据设备之前存储在所述收发双方密钥管理设备中的。4. The quantum key output method according to claim 1, wherein the quantum key that has passed the consistency verification is stored in the key management device of the sender and receiver after the key management device of the sender and receiver receives the key acquisition request and before the quantum key that has passed the consistency verification is sent to the corresponding data device. 5.根据权利要求1所述的量子密钥输出方法,其特征在于,当所述收发双方密钥管理设备验证双方在所述相同地址区间中存储的量子密钥不一致时,执行下述操作:5. The quantum key output method according to claim 1, characterized in that, when the key management devices of the sender and receiver verify that the quantum keys stored by both parties in the same address range are inconsistent, the following operation is performed: 清除在所述相同地址区间中存储的量子密钥,并转到向各自的量子密钥分发设备发送密钥获取请求的步骤执行。The quantum keys stored in the same address range are cleared, and the process proceeds to the step of sending key acquisition requests to the respective quantum key distribution devices. 6.根据权利要求1所述的量子密钥输出方法,其特征在于,当所述收发双方量子密钥分发设备验证双方在所述相同地址区间中存储的量子密钥不一致时,执行下述操作:6. 
The quantum key output method according to claim 1, characterized in that, when the quantum key distribution devices of the transmitting and receiving parties verify that the quantum keys stored by both parties in the same address range are inconsistent, the following operation is performed: 清除在所述相同地址区间中存储的量子密钥,并转到收发双方量子密钥分发设备通过量子密钥分发协议协商量子密钥的步骤执行。The quantum key stored in the same address range is cleared, and the process proceeds to the step of negotiating the quantum key through the quantum key distribution protocol between the sending and receiving quantum key distribution devices. 7.根据权利要求1所述的量子密钥输出方法,其特征在于,包括:所述收发双方量子密钥分发设备定期执行所述验证双方在所述相同地址区间中存储的量子密钥一致性的操作。7. The quantum key output method according to claim 1, characterized in that it includes: the quantum key distribution devices of the sending and receiving parties periodically performing the operation of verifying the consistency of the quantum keys stored by both parties in the same address range. 8.根据权利要求1所述的量子密钥输出方法,其特征在于,所述收发双方量子密钥分发设备验证双方在所述相同地址区间中存储的量子密钥的一致性,以及所述收发双方密钥管理设备验证双方在所述相同地址区间中存储的量子密钥的一致性,分别采用如下方式实现:8. The quantum key output method according to claim 1, characterized in that the quantum key distribution device of the sending and receiving parties verifies the consistency of the quantum keys stored by both parties in the same address range, and the key management device of the sending and receiving parties verifies the consistency of the quantum keys stored by both parties in the same address range, respectively, are implemented in the following ways: 其中一方设备采用预设散列算法计算在所述地址区间中存储的量子密钥的散列值,并采用双方设备前一次获取的通过一致性验证的量子密钥对所述散列值以及所述地址区间信息加密,并将加密后的信息发送给另一方设备;One device uses a preset hash algorithm to calculate the hash value of the quantum key stored in the address range, and uses the quantum key that both devices previously obtained and passed the consistency verification to encrypt the hash value and the address range information, and sends the encrypted information to the other device. 
所述另一方设备采用相应的密钥对接收到的信息解密后获取地址区间信息,采用所述预设散列算法计算在本地的相应地址区间中存储的量子密钥的散列值,判断计算得到的散列值与接收的散列值是否相同,若相同则向对方设备返回验证通过应答,否则返回未通过应答。The other device decrypts the received information using the corresponding key to obtain the address range information, calculates the hash value of the quantum key stored in the corresponding address range locally using the preset hash algorithm, and determines whether the calculated hash value is the same as the received hash value. If they are the same, it returns a verification success response to the other device; otherwise, it returns a failure response. 9.根据权利要求1所述的量子密钥输出方法,其特征在于,在所述收发双方密钥管理设备将量子密钥发送给相应数据设备后,执行下述操作:9. The quantum key output method according to claim 1, characterized in that, after the key management devices of both the sender and receiver send the quantum key to the corresponding data device, the following operation is performed: 收发双方数据设备验证接收的量子密钥的一致性,并将通过一致性验证的量子密钥作为执行数据加解密操作所采用的密钥。The sending and receiving data devices verify the consistency of the received quantum key and use the quantum key that has passed the consistency verification as the key used to perform data encryption and decryption operations. 10.根据权利要求9所述的量子密钥输出方法,其特征在于,当所述收发双方数据设备验证双方获取的量子密钥不一致时,转到所述收发双方数据设备分别向各自的密钥管理设备发送密钥获取请求的步骤执行。10. The quantum key output method according to claim 9, characterized in that, when the data devices of the transmitting and receiving parties verify that the quantum keys obtained by both parties are inconsistent, the process proceeds to the step of the data devices of the transmitting and receiving parties respectively sending key acquisition requests to their respective key management devices. 11.根据权利要求9所述的量子密钥输出方法,其特征在于,所述收发双方数据设备验证获取的量子密钥的一致性,包括:11. 
The quantum key output method according to claim 9, characterized in that the verification of the consistency of the obtained quantum key by the data devices of both the sender and receiver includes: 其中一方设备采用预设散列算法计算所述获取的量子密钥的散列值,并采用双方设备前一次获取的通过一致性验证的量子密钥对所述散列值加密,并将加密后的信息发送给另一方设备;One device uses a preset hash algorithm to calculate the hash value of the acquired quantum key, encrypts the hash value using the quantum key that was previously acquired by both devices and passed the consistency verification, and sends the encrypted information to the other device. 所述另一方设备采用相应的密钥对接收到的信息解密后,采用所述预设散列算法计算本地获取的量子密钥的散列值,判断计算得到的散列值与接收的散列值是否相同,若相同则向对方设备返回验证通过应答,否则返回未通过应答。After the other device decrypts the received information using the corresponding key, it calculates the hash value of the locally acquired quantum key using the preset hash algorithm, and determines whether the calculated hash value is the same as the received hash value. If they are the same, it returns a verification success response to the other device; otherwise, it returns a failure response. 12.根据权利要求1所述的量子密钥输出方法,其特征在于,所述收发双方量子密钥分发设备通过量子密钥分发协议协商获取的量子密钥,具有与其对应的密钥标签序列,所述密钥标签序列中的每个密钥标签是所述量子密钥中不同量子比特的唯一标识;12. 
The quantum key output method according to claim 1, wherein the quantum key obtained by the quantum key distribution devices of the sender and receiver through the quantum key distribution protocol has a corresponding key tag sequence, and each key tag in the key tag sequence is a unique identifier for different qubits in the quantum key; 相应的,所述收发双方量子密钥分发设备采用相同地址区间存储所述量子密钥后,执行下述操作:建立每个量子比特的存储地址与密钥标签的一一对应关系;Accordingly, after the quantum key distribution devices of the sender and receiver use the same address range to store the quantum key, they perform the following operation: establish a one-to-one correspondence between the storage address of each quantum bit and the key tag; 所述收发双方量子密钥分发设备发送给相应密钥管理设备的信息不仅包括量子密钥,还包括与所述量子密钥对应的密钥标签序列;所述收发双方密钥管理设备将接收的量子密钥存储在相同地址区间后,执行下述操作:建立每个量子比特的存储地址与密钥标签的一一对应关系;The information sent by the quantum key distribution devices of the sender and receiver to the corresponding key management devices includes not only the quantum key, but also the key tag sequence corresponding to the quantum key; after storing the received quantum key in the same address range, the key management devices of the sender and receiver perform the following operation: establish a one-to-one correspondence between the storage address of each quantum bit and the key tag; 所述收发双方量子密钥分发设备验证双方在所述相同地址区间中存储的量子密钥的一致性,以及所述收发双方密钥管理设备验证双方在所述相同地址区间中存储的量子密钥的一致性,分别采用如下方式实现:The quantum key distribution devices of the sending and receiving parties verify the consistency of the quantum keys stored by both parties in the same address range, and the key management devices of the sending and receiving parties verify the consistency of the quantum keys stored by both parties in the same address range, respectively, in the following ways: 其中一方设备采用预设散列算法计算由所述量子密钥的密钥标签序列、与所述量子密钥中每个量子比特的存储地址组成的地址序列拼接而成的字符串的散列值,并采用双方设备前一次获取的、通过一致性验证的量子密钥对所述散列值以及所述地址序列加密、或者对所述散列值以及所述密钥标签序列加密,并将加密后的信息发送给另一方设备;One device uses a preset hash algorithm to calculate the hash value of a string formed by 
concatenating the key tag sequence of the quantum key and the address sequence consisting of the storage address of each quantum bit in the quantum key. It then uses the quantum key previously obtained by both devices and verified for consistency to encrypt the hash value and the address sequence, or encrypts the hash value and the key tag sequence, and sends the encrypted information to the other device. 所述另一方设备采用相应的密钥解密后,根据提取的地址序列从本地获取对应的密钥标签序列,或者根据提取的密钥标签序列从本地获取对应的地址序列,并采用所述预设散列算法计算由所述密钥标签序列与所述地址序列拼接而成的字符串的散列值,判断计算得到的散列值与接收的散列值是否相同,若相同则向对方设备返回验证通过应答,否则返回未通过应答。After the other device decrypts the string using the corresponding key, it retrieves the corresponding key tag sequence from the local machine based on the extracted address sequence, or retrieves the corresponding address sequence from the local machine based on the extracted key tag sequence. It then uses the preset hash algorithm to calculate the hash value of the string formed by concatenating the key tag sequence and the address sequence. It then determines whether the calculated hash value is the same as the received hash value. If they are the same, it returns a verification success response to the other device; otherwise, it returns a failure response. 13.根据权利要求12所述的量子密钥输出方法,其特征在于,收发双方密钥管理设备发送给相应数据设备的信息不仅包括量子密钥,还包括所述量子密钥的密钥标签序列;13. 
The quantum key output method according to claim 12, wherein the information sent by the key management devices of both the sender and receiver to the corresponding data devices includes not only the quantum key, but also the key tag sequence of the quantum key; 相应的,收发双方数据设备接收各自的密钥管理设备发送的上述信息后,执行下述操作验证收发双方数据设备获取的量子密钥的一致性,并在不一致时转到分别向各自的密钥管理设备发送密钥获取请求的步骤执行:Accordingly, after receiving the aforementioned information from their respective key management devices, the transmitting and receiving data devices perform the following operations to verify the consistency of the quantum keys obtained by the transmitting and receiving data devices, and if there is a discrepancy, proceed to the step of sending key acquisition requests to their respective key management devices respectively: 其中一方设备采用预设散列算法计算由所述获取的量子密钥和密钥标签序列拼接而成的字符串的散列值,并采用双方设备前一次获取的、通过一致性验证的量子密钥对所述散列值以及密钥标签序列加密,并将加密后的信息发送给另一方设备;One device uses a preset hash algorithm to calculate the hash value of the string formed by concatenating the acquired quantum key and key tag sequence, and uses the quantum key previously acquired by both devices and verified for consistency to encrypt the hash value and key tag sequence, and sends the encrypted information to the other device. 所述另一方设备采用相应的密钥解密后,根据提取的密钥标签序列从本地获取对应的量子密钥,并采用所述预设散列算法计算由所述量子密钥和密钥标签序列拼接而成的字符串的散列值,判断计算得到的散列值与接收的散列值是否相同,若相同,则向对方设备返回验证通过应答,否则返回未通过应答。After the other device decrypts the data using the corresponding key, it obtains the corresponding quantum key from the local device based on the extracted key tag sequence, and uses the preset hash algorithm to calculate the hash value of the string formed by concatenating the quantum key and the key tag sequence. It then determines whether the calculated hash value is the same as the received hash value. If they are the same, it returns a verification success response to the other device; otherwise, it returns a failure response. 14.根据权利要求12所述的量子密钥输出方法,其特征在于,所述密钥标签包括:量子比特的时间戳信息,所述时间戳信息是收发双方量子密钥分发设备在协商量子密钥的过程中获取的。14. 
The quantum key output method according to claim 12, wherein the key tag includes: timestamp information of the quantum bit, the timestamp information being obtained by the quantum key distribution devices of both the sender and receiver during the process of negotiating the quantum key. 15.根据权利要求1所述的量子密钥输出方法,其特征在于,各个设备之间经由经典信道的交互过程,都是基于HTTPS连接的。15. The quantum key output method according to claim 1, wherein the interaction process between the devices via classical channels is based on HTTPS connections. 16.根据权利要求1所述的量子密钥输出方法,其特征在于,各个设备在进行交互之前,进行双向身份认证,并在认证通过后执行后续交互操作。16. The quantum key output method according to claim 1, characterized in that each device performs two-way authentication before interacting, and performs subsequent interaction operations after successful authentication. 17.一种量子密钥输出装置,其特征在于,包括:17. A quantum key output device, characterized in that it comprises: 数据设备密钥请求单元,用于收发双方数据设备分别向各自的密钥管理设备发送密钥获取请求;The data device key request unit is used for the data devices of both the transmitting and receiving parties to send key acquisition requests to their respective key management devices. 管理设备密钥输出单元,用于收发双方密钥管理设备接收所述密钥获取请求后,将从相应量子密钥分发设备获取的、通过收发双方密钥管理设备一致性验证的量子密钥发送给相应数据设备,供相应数据设备执行数据加解密操作;The management device key output unit is used to send the quantum key obtained from the corresponding quantum key distribution device and verified by the key management devices of both the sender and receiver after receiving the key acquisition request to the corresponding data device, so that the corresponding data device can perform data encryption and decryption operations. 
wherein the device further comprises a distribution device key negotiation unit, a distribution device key verification unit, a distribution device key sending unit, and a management device key verification unit;
the distribution device key negotiation unit is configured for the quantum key distribution devices of the sender and receiver to negotiate a quantum key through a quantum key distribution protocol and to store the quantum key in the same address range;
the distribution device key verification unit is configured for the quantum key distribution devices of the sender and receiver, after the distribution device key negotiation unit has completed the quantum key negotiation and stored the quantum key in the same address range, to verify the consistency of the quantum keys that both parties store in the same address range, and to treat the quantum key that passes the consistency verification as a quantum key that can be sent to the key management device;
the distribution device key sending unit is configured for the quantum key distribution devices of the sender and receiver to send the quantum key stored in the same address range to the corresponding key management devices;
the management device key verification unit is configured for the key management devices of the sender and receiver to store the received quantum key in the same address range and to verify the consistency of the quantum keys that both parties store in the same address range.

18. The quantum key output device according to claim 17, wherein the device further comprises a management device key request unit;
the management device key request unit is configured for the key management devices of the sender and receiver to send key acquisition requests to their respective quantum key distribution devices;
correspondingly, the management device key output unit is specifically configured for the key management devices of the sender and receiver, after receiving the key acquisition request, to select, from the quantum keys that have passed consistency verification, the quantum key stored in the same address range and send it to the corresponding data device;
wherein the distribution device key negotiation unit, the distribution device key verification unit, the management device key request unit, the distribution device key sending unit and the management device key verification unit are started before the data device key request unit operates.

19. The quantum key output device according to claim 17, wherein the device further comprises a management device key request forwarding unit; the management device key request forwarding unit is configured for the key management devices of the sender and receiver, after the data device key request unit receives the key acquisition request, to send the key acquisition request to their respective quantum key distribution devices; correspondingly, the management device key output unit is specifically configured for the key management devices of the sender and receiver to select, from the quantum keys that have passed consistency verification, the quantum key stored in the same address range and send it to the corresponding data device;
wherein the management device key request forwarding unit, the distribution device key negotiation unit, the distribution device key verification unit, the distribution device key sending unit and the management device key verification unit are started after the data device key request unit has operated and before the management device key output unit operates.

20. The quantum key output device according to claim 19, wherein the device further comprises:
a management device key clearing unit, configured for the key management devices of the sender and receiver, when the verification result of the management device key verification unit is a failure, to clear the quantum key stored in the same address range that was verified, and to trigger the unit by which the key management devices of the sender and receiver send key acquisition requests to their respective quantum key distribution devices.

21. The quantum key output device according to claim 17, wherein the device further comprises:
a distribution device key clearing unit, configured for the quantum key distribution devices of the sender and receiver, when the verification result of the distribution device key verification unit is a failure, to clear the quantum key stored in the same address range that was verified, and to trigger the distribution device key negotiation unit.

22. The quantum key output device according to claim 17, wherein the distribution device key verification unit and the management device key verification unit each include a verification request subunit and a verification execution subunit;
the verification request subunit is configured for one of the devices participating in the verification to compute, using a preset hash algorithm, the hash value of the quantum key stored in the address range, to encrypt the hash value and the address range information with the quantum key that the two devices participating in the verification obtained previously and that passed consistency verification, and to send the encrypted information to the other device participating in the verification;
the verification execution subunit is configured for the other device to decrypt the received information with the corresponding key and obtain the address range information, to compute, using the preset hash algorithm, the hash value of the quantum key stored in the corresponding local address range, and to determine whether the computed hash value is the same as the received hash value; if they are the same, a verification-passed response is returned to the peer device participating in the verification; otherwise, a verification-failed response is returned.

23. The quantum key output device according to claim 17, characterized in that it further comprises:
a data device key verification unit, configured for the data devices of the sender and receiver, after the management device key output unit has sent the quantum key to the corresponding data device, to verify the consistency of the received quantum keys, and to use the quantum key that passes the consistency verification as the key for data encryption and decryption operations.

24. The quantum key output device according to claim 17, wherein the quantum key that the distribution device key negotiation unit obtains through negotiation under the quantum key distribution protocol has a corresponding key tag sequence; correspondingly,
the distribution device key negotiation unit includes, in addition to the main subunit that implements its function, a mapping relationship establishment subunit configured to establish a one-to-one correspondence between the storage address of each quantum bit and its key tag;
the information that the distribution device key sending unit sends to the management device key verification unit includes not only the quantum key but also the key tag sequence corresponding to the quantum key;
the management device key verification unit includes, in addition to a storage subunit and a management device key verification subunit, a mapping relationship establishment subunit; the storage subunit is configured for the key management devices of the sender and receiver to store the received quantum key in the same address range; the mapping relationship establishment subunit is configured to establish a one-to-one correspondence between the storage address of each quantum bit and its key tag, and to trigger the management device key verification subunit; the management device key verification subunit is configured to verify the consistency of the quantum keys that both parties store in the same address range;
the distribution device key verification unit and the management device key verification subunit each include a tag verification request subunit and a tag verification execution subunit;
the tag verification request subunit is configured for one of the devices participating in the verification to compute, using a preset hash algorithm, the hash value of the string formed by concatenating the key tag sequence of the quantum key with the address sequence composed of the storage addresses of each quantum bit in the quantum key, to encrypt either the hash value and the address sequence, or the hash value and the key tag sequence, with the quantum key that the two devices participating in the verification obtained previously and that passed consistency verification, and to send the encrypted information to the other device participating in the verification;
the tag verification execution subunit is configured for the other device, after receiving the encrypted information, to decrypt it with the corresponding key, to obtain the corresponding key tag sequence locally according to the extracted address sequence, or the corresponding address sequence locally according to the extracted key tag sequence, to compute, using the preset hash algorithm, the hash value of the string formed by concatenating the key tag sequence and the address sequence, and to determine whether the computed hash value is the same as the received hash value; if they are the same, a verification-passed response is returned to the peer device participating in the verification; otherwise, a verification-failed response is returned.

25. A quantum key acquisition method, characterized in that the method is implemented on a data device that uses quantum keys to encrypt and decrypt data, comprising:
sending a key acquisition request to a key management device;
receiving the quantum key that has passed consistency verification and is sent by the key management device, as the key used for data encryption and decryption;
wherein the quantum key that has passed consistency verification and is sent by the key management device is obtained as follows:
the key management devices of the sender and receiver each send the key acquisition request to their corresponding quantum key distribution devices, which are referred to as the quantum key distribution devices of the sender and receiver;
the quantum key distribution devices of the sender and receiver negotiate a quantum key through a quantum key distribution protocol, store the quantum key in the same address range, verify the consistency of the quantum keys that both parties store in the same address range, and treat the quantum key that passes the consistency verification as a quantum key available to the corresponding key management devices of the sender and receiver;
the quantum key distribution devices of the sender and receiver send the quantum key that is stored in the same address range and has passed consistency verification to the corresponding key management devices of the sender and receiver;
the key management devices of the sender and receiver store the received quantum key in the same address range and verify the consistency of the quantum keys that both parties store in the same address range;
the key management devices of the sender and receiver select, from the quantum keys that have passed consistency verification, the quantum key stored in the same address range and send it to the corresponding data device.

26. The quantum key acquisition method according to claim 25, wherein, after the quantum key that has passed consistency verification and is sent by the key management device has been received, the following operation is performed:
verifying the consistency between the acquired quantum key and the quantum key acquired by the peer data device, and using the quantum key that passes the consistency verification as the key for data encryption and decryption.

27. The quantum key acquisition method according to claim 26, wherein, if the acquired quantum key and the quantum key acquired by the peer data device fail the consistency verification, the process returns to the step of sending a key acquisition request to the key management device.

28. A quantum key acquisition device, characterized in that the device is deployed on a data device that uses quantum keys to encrypt and decrypt data, comprising:
a key acquisition request sending unit, configured to send a key acquisition request to a key management device;
a symmetric key receiving unit, configured to receive the quantum key that has passed consistency verification and is sent by the key management device, as the key used for data encryption and decryption;
wherein the quantum key that has passed consistency verification and is sent by the key management device is obtained as follows:
the key management devices of the sender and receiver each send the key acquisition request to their corresponding quantum key distribution devices, which are referred to as the quantum key distribution devices of the sender and receiver;
the quantum key distribution devices of the sender and receiver negotiate a quantum key through a quantum key distribution protocol, store the quantum key in the same address range, verify the consistency of the quantum keys that both parties store in the same address range, and treat the quantum key that passes the consistency verification as a quantum key available to the corresponding key management devices of the sender and receiver;
the quantum key distribution devices of the sender and receiver send the quantum key that is stored in the same address range and has passed consistency verification to the corresponding key management devices of the sender and receiver;
the key management devices of the sender and receiver store the received quantum key in the same address range and verify the consistency of the quantum keys that both parties store in the same address range;
the key management devices of the sender and receiver select, from the quantum keys that have passed consistency verification, the quantum key stored in the same address range and send it to the corresponding data device.

29. A quantum key storage and output method, characterized in that the method is implemented on a key management device that provides quantum keys to data devices, comprising:
receiving a key acquisition request sent by a data device;
sending the quantum key that has passed consistency verification to the data device according to the same address range negotiated with the peer key management device;
wherein the quantum key that has passed consistency verification and is sent to the data device is obtained as follows:
sending a key acquisition request to a quantum key distribution device;
receiving the quantum key sent by the quantum key distribution device, and storing the quantum key in the same address range as the peer key management device;
verifying the consistency between the quantum key stored in the address range and the quantum key that the peer key management device stores in the same address range, and treating the quantum key that passes the consistency verification as a quantum key that can be sent to the data device;
wherein the quantum key distribution device negotiates a quantum key with the peer quantum key distribution device through a quantum key distribution protocol and stores the acquired quantum key in the same address range as the peer quantum key distribution device; verifies the consistency between the quantum key stored in the address range and the quantum key that the peer quantum key distribution device stores in the same address range; and, in response to a received key acquisition request, sends the quantum key that has passed consistency verification to the key management device according to the same address range negotiated with the peer quantum key distribution device.

30. The quantum key storage and output method according to claim 29, wherein the quantum key that has passed consistency verification is pre-stored before the key acquisition request sent by the data device is received.

31. The quantum key storage and output method according to claim 29, wherein the quantum key that has passed consistency verification is stored after the step of receiving the key acquisition request sent by the data device and before the step of sending the quantum key that has passed consistency verification to the data device according to the same address range negotiated with the peer key management device.

32. The quantum key storage and output method according to claim 30 or 31, wherein, if the quantum key stored in the address range and the quantum key that the peer key management device stores in the same address range fail the consistency verification, the following operation is performed:
clearing the quantum key stored in the address range, and returning to the step of sending a key acquisition request to the quantum key distribution device.

33. A quantum key storage and output device, characterized in that the device is deployed on a key management device that provides quantum keys to data devices, comprising:
a key acquisition request receiving unit, configured to receive a key acquisition request sent by a data device;
a symmetric key output unit, configured to send the quantum key that has passed consistency verification to the data device according to the same address range negotiated with the peer key management device, wherein the quantum key that has passed consistency verification and is sent to the data device is obtained as follows:
sending a key acquisition request to a quantum key distribution device;
receiving the quantum key sent by the quantum key distribution device, and storing the quantum key in the same address range as the peer key management device;
verifying the consistency between the quantum key stored in the address range and the quantum key that the peer key management device stores in the same address range, and treating the quantum key that passes the consistency verification as a quantum key that can be sent to the data device;
wherein the quantum key distribution device negotiates a quantum key with the peer quantum key distribution device through a quantum key distribution protocol and stores the acquired quantum key in the same address range as the peer quantum key distribution device; verifies the consistency between the quantum key stored in the address range and the quantum key that the peer quantum key distribution device stores in the same address range; and, in response to a received key acquisition request, sends the quantum key that has passed consistency verification to the key management device according to the same address range negotiated with the peer quantum key distribution device.

34. A quantum key distribution and storage method, characterized in that the method is implemented on a quantum key distribution device, comprising:
negotiating a quantum key with a peer quantum key distribution device through a quantum key distribution protocol, and storing the acquired quantum key in the same address range as the peer quantum key distribution device;
verifying the consistency between the quantum key stored in the address range and the quantum key that the peer quantum key distribution device stores in the same address range;
in response to a key acquisition request received from a key management device, sending the quantum key that has passed consistency verification to the key management device according to the same address range negotiated with the peer quantum key distribution device;
wherein the key management device stores the quantum key in the same address range as the peer key management device; verifies the consistency between the quantum key stored in the address range and the quantum key that the peer quantum key management device stores in the same address range; and sends the quantum key that has passed the consistency verification to the corresponding data device.

35. The quantum key distribution and storage method according to claim 34, wherein, if the quantum key stored in the address range and the quantum key that the peer quantum key distribution device stores in the same address range fail the consistency verification, the following operation is performed:
clearing the quantum key stored in the address range, and returning to the step of negotiating a quantum key with the peer quantum key distribution device through the quantum key distribution protocol.

36. A quantum key distribution and storage device, characterized in that the device is deployed on a quantum key distribution device, comprising:
a key distribution and storage unit, configured to negotiate a quantum key with a peer quantum key distribution device through a quantum key distribution protocol, and to store the acquired quantum key in the same address range as the peer quantum key distribution device;
a key verification unit, configured to verify the consistency between the quantum key stored in the address range and the quantum key that the peer quantum key distribution device stores in the same address range;
a symmetric key sending unit, configured to send, in response to a key acquisition request received from a key management device, the quantum key that has passed consistency verification to the key management device according to the same address range negotiated with the peer quantum key distribution device; wherein the key management device stores the quantum key in the same address range as the peer key management device; verifies the consistency between the quantum key stored in the address range and the quantum key that the peer quantum key management device stores in the same address range; and sends the quantum key that has passed the consistency verification to the corresponding data device.

37. A quantum key output system, characterized in that it comprises two subsystems deployed at the sender and the receiver respectively; each of the two subsystems comprises: the quantum key acquisition device according to claim 28, the quantum key storage and output device according to claim 33, and the quantum key distribution and storage device according to claim 36.
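
The hash-based consistency check recited in claim 22, together with the clear-on-failure behaviour of claims 20 and 21, shown as an added example (not code from the patent). The claims name neither the hash nor the cipher: SHA-256 and an HMAC-SHA256 encrypt-then-MAC wrapper are assumptions chosen so the code runs on the Python standard library (a deployment would use a vetted AEAD), and `KeyStore`, `build_request`, `handle_request` and `verify_range` are hypothetical names.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional

HASH = hashlib.sha256            # assumption: stands in for the "preset hash algorithm"
NONCE_LEN, TAG_LEN = 16, 32


class KeyStore:
    """Key pool of one device (QKD device or key management device)."""

    def __init__(self, pool: bytes, previous_key: bytes):
        self.pool = bytearray(pool)
        self.previous_key = previous_key      # last key both sides already verified

    def read(self, start: int, end: int) -> bytes:
        return bytes(self.pool[start:end])

    def clear(self, start: int, end: int) -> None:
        self.pool[start:end] = bytes(end - start)   # overwrite the range with zeros


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode; illustrative stand-in for a real cipher.
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, b"enc" + nonce + struct.pack(">I", counter), HASH).digest()
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"mac" + nonce + ct, HASH).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> Optional[bytes]:
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, b"mac" + nonce + ct, HASH).digest()
    if not hmac.compare_digest(tag, expected):
        return None                           # tampered, or sealed under another key
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def build_request(store: KeyStore, start: int, end: int) -> bytes:
    """Requesting side: hash the key in [start, end), encrypt hash + range."""
    digest = HASH(store.read(start, end)).digest()
    return seal(store.previous_key, struct.pack(">II", start, end) + digest)


def handle_request(store: KeyStore, blob: bytes) -> bool:
    """Responding side: decrypt, hash the same local range, compare."""
    plaintext = unseal(store.previous_key, blob)
    if plaintext is None or len(plaintext) != 8 + HASH().digest_size:
        return False
    start, end = struct.unpack(">II", plaintext[:8])
    if not 0 <= start < end <= len(store.pool):
        return False                          # range does not exist locally
    local = HASH(store.read(start, end)).digest()
    return hmac.compare_digest(local, plaintext[8:])


def verify_range(requester: KeyStore, responder: KeyStore, start: int, end: int) -> bool:
    ok = handle_request(responder, build_request(requester, start, end))
    if not ok:
        # Claims 20/21: on failure both sides clear the verified range
        # and then request or negotiate fresh key material.
        requester.clear(start, end)
        responder.clear(start, end)
    return ok


def demo():
    previous = bytes(range(32))                                   # constructed sample key
    pool = hashlib.sha256(b"constructed key pool").digest() * 4   # 128 constructed bytes
    a, b = KeyStore(pool, previous), KeyStore(pool, previous)
    b.pool[70] ^= 0x01                        # one flipped bit in B's copy
    first = verify_range(a, b, 0, 64)         # identical range
    second = verify_range(a, b, 64, 128)      # range containing the flipped bit
    cleared = a.read(64, 128) == b.read(64, 128) == bytes(64)
    return first, second, cleared


if __name__ == "__main__":
    print(demo())
```

Only the hash and the address range cross the classical channel, so the key material under test is never transmitted; the check is only as trustworthy as the previously verified key that protects the request.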
HK17106624.2A 2017-07-03 Method, device and system for outputting quantum key and method, device and system for verifying memory consistency of quantum key HK1233078B (en)

Publications (3)

Publication Number    Publication Date
HK1233078A (en)       2018-01-19
HK1233078A1 (en)      2018-01-19
HK1233078B (en)       2021-02-26

HK1233792A (en) Authentication method, device and system for quantum key distribution process