Communication key acquisition method and device of quantum security device terminal, and storage medium

By pre-setting an initial key and a random expansion algorithm at the factory for quantum-safe devices, and combining this with the hybrid key generated by the key operator to dynamically derive communication keys, the problems of key center management burden and security risks are solved, and efficient and secure inter-terminal communication is achieved.

CN122179098APending Publication Date: 2026-06-09MATRICTIME DIGITAL TECH CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
MATRICTIME DIGITAL TECH CO LTD
Filing Date
2026-03-20
Publication Date
2026-06-09

Smart Images

  • Figure CN122179098A_ABST
    Figure CN122179098A_ABST
Patent Text Reader

Abstract

The application discloses a kind of quantum security equipment terminal's communication key acquisition method, equipment and storage medium, the method includes: quantum security equipment terminal at factory, its own equipment ID is entered to key center, initial key and expansion algorithm are sent to quantum security equipment terminal by key center;Quantum security equipment terminal is first communicated with key operator, key operator authenticates its legitimacy to key center, after authentication, first key operator and second key operator are connected and generate hybrid key, then based on hybrid key first quantum security equipment terminal and second quantum security equipment terminal each generate communication key and are authenticated.The application generates hybrid key and the mechanism of communication key by pre-setting initial key and random expansion algorithm at factory, realizes the dual protection of quantum security and dynamic derivative key, provides higher level communication security guarantee for communication information.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of key technology, specifically to a method, device, and storage medium for obtaining communication keys for a quantum-safe device terminal. Background Technology

[0002] With the rapid development of IoT technology, the number of terminal devices is exploding, making the need for secure communication between devices increasingly urgent. In existing communication security systems, key management is a core element in ensuring the confidentiality and integrity of data transmission. Currently, a common practice is for a key center to pre-configure a unique initial key for each terminal device at the factory, serving as a root of trust for device identity and secure communication. After the user and the key operator complete authentication, subsequent communication between terminals relies on this initial key for data encryption and decryption to ensure the confidentiality and integrity of data transmission.

[0003] However, existing technologies have significant shortcomings in practical implementation. While using the factory-preset initial key for data encryption and decryption simplifies the communication process, it places a heavy management burden on the key center. Specifically, in a network environment with a massive number of terminal devices, every secure communication between two devices requires the key center to negotiate or distribute session keys. This not only necessitates the key center storing and maintaining a huge key association table but also makes the key center a bottleneck in system communication and a potential single point of failure. An attack or overload on the key center could lead to large-scale communication outages.

[0004] More importantly, using the initial key directly for communication poses serious security risks. Because the initial key remains unchanged for a long time and is statically bound to the device, if the initial key of a device is illegally stolen or cracked during communication, attackers can not only decrypt all current communication content of that device, but also potentially threaten the security of the entire key system through reverse analysis. This would require the key center to update the entire network's keys on a large scale, resulting in huge operational costs and security vulnerabilities.

[0005] Therefore, how to dynamically derive communication keys with high security and one-time pad characteristics from the initial key while ensuring low key management costs, so as to reduce the burden on the key center and improve the security of communication between terminals, has become an urgent technical problem to be solved in the field of IoT secure communication. Summary of the Invention

[0006] Purpose of the Invention: The purpose of this invention is to provide a method, device, and storage medium for obtaining communication keys for quantum-safe device terminals. This solves the problem of existing technologies that directly use the factory-preset initial key as the communication key, which imposes a significant management burden on the key center and poses serious security risks. This invention achieves dual protection of quantum security and dynamically derived keys through a mechanism that uses a factory-preset initial key and a random expansion algorithm, along with a mechanism for dynamically generating hybrid keys and communication keys during communication. This provides a higher level of communication security for communication information.

[0007] Technical solution: This invention provides a method for obtaining communication keys for a quantum-safe device terminal, the method comprising the following steps:

[0008] (1) When the quantum security device terminal leaves the factory, it records its own device ID into the key center. The key center generates an initial key corresponding to the device ID and randomly selects an expansion algorithm from its own expansion algorithm set. Then, it sends the initial key and expansion algorithm to the quantum security device terminal.

[0009] (2) When the quantum secure device terminal communicates with the key operator for the first time, the key operator authenticates the legitimacy of the device to the key center through the device ID sent by the quantum secure device terminal. After the authentication is successful, the key center sends the initial key corresponding to the device ID to the key operator for storage, and records the correspondence between the device ID and the key operator.

[0010] (3) The first quantum secure device terminal, as the sender, sends its request to communicate with the second quantum secure device terminal, as the receiver, to the first key operator connected to the first quantum secure device terminal; the first key operator sends the device ID of the second quantum secure device terminal in the request to the key center, and the key center sends the address of the second key operator connected to the second quantum secure device terminal to the first key operator, and creates a symmetric key pool for the first key operator and the second key operator;

[0011] (4) The first key operator and the second key operator connect and generate a hybrid key. Then, based on the hybrid key, the first quantum security device terminal and the second quantum security device terminal each generate a communication key and perform authentication. After successful authentication, the first quantum security device terminal and the second quantum security device terminal obtain the communication key.

[0012] Furthermore, the key center includes a key mapping table and an operator mapping table. The key mapping table is used to associate and store the device ID of the quantum security device terminal with its corresponding initial key and expansion algorithm. The operator mapping table is used to associate and store the device ID of the quantum security device terminal with its corresponding key operator.

[0013] Furthermore, the authentication of its legitimacy with the key center refers to:

[0014] When a quantum-safe device terminal communicates with a key operator for the first time, it sends its own device ID to the key operator. The key operator then sends the device ID of the quantum-safe device terminal to the key center. The key center checks its locally entered device IDs to see if the device ID of the quantum-safe device terminal sent by the key operator exists. If it exists, the device ID of the quantum-safe device terminal sent by the key operator is valid; if it does not exist, the device ID of the quantum-safe device terminal sent by the key operator is invalid.

[0015] Furthermore, the generation of the hybrid key refers to:

[0016] The first key operator obtains a first encryption key k1 and its index idx1 from its local symmetric key pool. It then uses the first encryption key k1 to encrypt the initial key K corresponding to the device ID of the first quantum secure device terminal, obtaining the first ciphertext DATA1. The first ciphertext DATA1 and the index idx1 of the first encryption key are then sent to the second key operator. The second key operator obtains a first decryption key k1' from its local symmetric key pool based on the index idx1 of the first encryption key. It uses the first decryption key k1' to decrypt the first ciphertext DATA1, obtaining the initial key K corresponding to the device ID of the first quantum secure device terminal. Similarly, the second key operator encrypts the initial key M corresponding to the device ID of the second quantum secure device terminal and sends it to the first key operator, who then decrypts it to obtain the initial key M corresponding to the device ID of the second quantum secure device terminal.

[0017] Then, the first key operator and the second key operator each perform an XOR operation on the initial key K corresponding to the device ID of the local first quantum security device terminal and the initial key M corresponding to the device ID of the second quantum security device terminal to obtain the hybrid key S.

[0018] Furthermore, after step (2), the key center deletes the initial key corresponding to the device ID of the quantum security device terminal that has passed the legality authentication locally.

[0019] Furthermore, the specific process by which the first quantum secure device terminal and the second quantum secure device terminal based on the hybrid key each generate communication keys and perform authentication is as follows:

[0020] 1) The first key operator sends the initial key M and the hybrid key S corresponding to the device ID of the local second quantum security device terminal to the first quantum security device terminal. The first quantum security device terminal concatenates the initial key K corresponding to its own device ID with the initial key M corresponding to the device ID of the second quantum security device terminal to obtain the key L to be expanded.

[0021] 2) The first quantum secure device terminal uses its local augmentation algorithm to augment the key L to obtain the augmented key X. Then, the augmented key X is divided into the first to Nth segments according to the length of the hybrid key S. The hybrid key S is then used to perform XOR operations on the first to Nth segments in sequence. The first to Nth segments after the XOR operation are then concatenated to obtain the communication key T. The first quantum secure device terminal generates an irreducible polynomial p1 locally and records the string formed by the coefficients of each term in the irreducible polynomial p1 except for the highest term as str1. Then, an input random number s1 is generated locally, and a hash function H is generated based on the irreducible polynomial p1 and the input random number s1. p1,s1 Using hash function H p1,s1 The hash value of the communication key T is calculated to obtain the hash value H1(T);

[0022] 3) The first quantum secure device terminal sends the string str1, hash value H1(T), input random number s1, and its local expansion algorithm to the first key operator. The first key operator encrypts the string str1', hash value H1(T)', input random number s1', and the expansion algorithm of the first quantum secure device terminal. The second key operator decrypts the string str1', hash value H1(T)', input random number s1', and the expansion algorithm of the first quantum secure device terminal. The second key operator sends the initial key K corresponding to the device ID of the first quantum secure device terminal, the hybrid key S, the string str1', hash value H1(T)', input random number s1', and the expansion algorithm of the first quantum secure device terminal to the second quantum secure device terminal.

[0023] 4) After receiving the data, the second quantum secure device terminal first concatenates the initial key K corresponding to the device ID of the first quantum secure device terminal and the initial key M corresponding to its own device ID to obtain the key to be expanded L; then, it uses the expansion algorithm of the first quantum secure device terminal to expand the key to be expanded L to obtain the expanded key X'; then, it divides the expanded key X' into the first to Nth segments according to the length of the hybrid key S; then, it uses the hybrid key S to perform XOR operations on the first to Nth segments in sequence, and then concatenates the first to Nth segments after the XOR operation to obtain the communication key T';

[0024] The second quantum-secure device terminal generates an irreducible polynomial p1' with a coefficient of 1 for each term of the polynomial except for the highest term, based on the coefficients of each term in the string str1'. It then uses the irreducible polynomial p1' and the input random number s1' to generate a hash function H'. p1,s1 Next, using the hash function H' p1,s1 Calculate the hash value of the communication key T' to obtain the hash value H2(T); compare the received hash value H1(T)' with the calculated hash value H2(T). If they match, the communication key authentication is successful, and both the first quantum security device terminal and the second quantum security device terminal obtain the communication key; if they do not match, repeat step (4).

[0025] Furthermore, the expanded algorithm set includes, but is not limited to, the DES algorithm, the 3DES algorithm, and the AES algorithm.

[0026] The present invention also includes a computer device comprising at least a processor and a memory, wherein the processor is configured to execute a computer program stored in the memory to implement a communication key acquisition method for a quantum-safe device terminal as described in any of the preceding claims.

[0027] The present invention also includes a computer-readable storage medium storing a computer program that, when executed by a processor, implements the communication key acquisition method for a quantum-safe device terminal as described in any of the preceding claims.

[0028] The beneficial effects of this invention are:

[0029] (1) The communication key of the present invention does not directly use a static initial key, but on the basis of the initial key, the operators generate a hybrid key through connection, and dynamically derive a unique communication key for each session based on the hybrid key; this mechanism ensures that even if the key of a certain communication is cracked, it will not affect the security of other historical or future communications, fundamentally eliminating the security risks caused by key reuse, and providing extremely high security for data transmission between quantum security device terminals.

[0030] (2) This invention decentralizes the key derivation process to the key operator level. The key center only intervenes when registering and authenticating devices and creating symmetric key pools for operators. Once a secure channel is established between operators and a hybrid key is generated, the subsequent generation of terminal communication keys is completed autonomously by the operators and terminals. This layered architecture greatly reduces the key management burden and communication load of the key center, enabling the entire process to maintain efficient operation and good scalability when facing a massive number of quantum security device terminals.

[0031] (3) This invention constructs a multi-level trusted key distribution system: First, the device registers with the key center and obtains an initial key upon leaving the factory, establishing a root of trust between the device and the center; second, during the communication establishment phase, the key operator needs to authenticate the device's legitimacy through the key center to ensure that only legitimate devices can access the network; finally, after obtaining the communication key derived from the hybrid key provided by the operator, both communicating terminals need to be authenticated. This layered authentication and key distribution mechanism effectively prevents man-in-the-middle attacks and unauthorized device access, ensuring the security and reliability of the communication key throughout the distribution process.

[0032] (4) This invention introduces initial differences in the subsequent key derivation process by pre-setting an expansion algorithm set in the key center and randomly assigning different expansion algorithms to the device when it leaves the factory. This makes different devices have different key derivation bases, which enhances their risk resistance. At the same time, the final generation of the communication key depends on the hybrid key between operators and the terminal's own computation, which makes the key generation process more flexible and not completely dependent on the key center, giving it a stronger independent key processing capability.

[0033] (5) By introducing a key operator as an intermediate bridge and using the key center to provide operator addresses and create symmetric key pools, the present invention realizes rapid connection between the two operators. The symmetric key pools established in advance or quickly between operators provide an efficient key foundation for subsequent frequent inter-terminal communication, avoiding complex global key negotiation for each communication, thereby simplifying the communication establishment process, shortening the connection establishment time, and improving the user experience. Attached Figure Description

[0034] Figure 1 This is a schematic diagram of the participants in the communication key acquisition method of the present invention;

[0035] Figure 2 This is a flowchart illustrating the communication key acquisition method of the present invention;

[0036] Figure 3 A schematic diagram for obtaining the hybrid key;

[0037] Figure 4 This is a schematic diagram illustrating the generation of the communication key. Detailed Implementation

[0038] The present invention will be further described below with reference to the accompanying drawings and embodiments:

[0039] Existing pairwise communication between terminals relies on an initial key for data encryption and decryption. This approach has significant shortcomings: First, every secure communication between two devices requires a key center to negotiate or distribute session keys. This not only necessitates the key center storing and maintaining a massive key association table but also makes the key center a bottleneck in system communication and a potential single point of failure. Furthermore, because the initial key remains unchanged and is statically bound to the device, if it is illegally stolen or cracked, attackers can decrypt all current communication content of that device. This necessitates large-scale updates to the entire network's keys, resulting in substantial operational costs and security vulnerabilities. Therefore, dynamically deriving highly secure communication keys with one-time pad characteristics from the initial key to alleviate the burden on the key center and improve the security of inter-terminal communication has become a pressing technical challenge in the field of secure IoT communication.

[0040] In view of this, this embodiment proposes a method for obtaining communication keys for quantum-safe device terminals. The participants in this method include a key center, multiple key operators, and multiple quantum-safe device terminals. The key center is connected to multiple key operators, and each key operator is connected to multiple quantum-safe device terminals within its jurisdiction. Together, they form a system for quantum-safe device terminals to obtain communication keys. Figure 1 As shown, in this embodiment, the key operators are a first key operator and a second key operator. The first key operator is connected to the first quantum security device terminal, and the second key operator is connected to the second quantum security device terminal. The first quantum security device terminal and the second quantum security device terminal are the two parties in communication, forming a system for the quantum security device terminal to obtain communication keys.

[0041] like Figure 2 As shown, the method for obtaining the communication key of the quantum-safe device terminal includes the following steps:

[0042] (1) When a quantum-safe device terminal leaves the factory, its device ID is entered into the key center. The key center then generates an initial key corresponding to the device ID and randomly selects an expansion algorithm from its own expansion algorithm set. The initial key and expansion algorithm are then sent to the quantum-safe device terminal. The expansion algorithm set of the key center includes, but is not limited to, DES, 3DES, and AES algorithms, as well as other expansion algorithms, which are not listed here. This invention introduces initial differences for the subsequent key derivation process by pre-setting the expansion algorithm set in the key center and randomly assigning different expansion algorithms to the device when it leaves the factory. This allows different devices to have different key derivation bases, enhancing their risk resistance.

[0043] Meanwhile, to facilitate recording the relationship between the device ID, initial key, and expansion algorithm of quantum-safe device terminals, the key center also maintains a key mapping table. This table associates and stores the device ID of a quantum-safe device terminal with its corresponding initial key and expansion algorithm. Since the key center serves multiple quantum-safe device terminals simultaneously, it also generates initial keys for different device IDs. Therefore, it is necessary to associate and store the corresponding device ID with the initial key and expansion algorithm locally.

[0044] (2) When the quantum secure device terminal communicates with the key operator for the first time, the key operator authenticates its legitimacy to the key center through the device ID sent by the quantum secure device terminal. Specifically, this means:

[0045] When a quantum-safe device terminal communicates with a key operator for the first time, it sends its own device ID to the key operator. The key operator then sends the device ID of the quantum-safe device terminal to the key center. The key center checks its locally stored device IDs to see if the device ID of the quantum-safe device terminal sent by the key operator exists. If it exists, it means that the device ID of the quantum-safe device terminal sent by the key operator is valid; if it does not exist, it means that the device ID of the quantum-safe device terminal sent by the key operator is invalid. For invalid quantum-safe device terminals, the key operator refuses to communicate with them.

[0046] After successful authentication, the key center sends the initial key corresponding to the device ID to the key operator for storage, and simultaneously records the correspondence between the device ID and the key operator. At this point, the key center can also maintain an operator mapping table, which associates and stores the device ID of the quantum security device terminal with its corresponding key operator. Since the key center has already sent the initial key corresponding to the device ID to the key operator for storage, the key center can delete the initial key corresponding to the device ID of the authenticated quantum security device terminal locally, thus alleviating the key storage pressure on the key center.

[0047] (3) The first quantum secure device terminal, as the sender, sends its request to communicate with the second quantum secure device terminal, as the receiver, to the first key operator connected to the first quantum secure device terminal. In other words, the request includes the device ID of the second quantum secure device terminal. The first key operator sends the device ID of the second quantum secure device terminal in the request to the key center. The key center then sends the address of the second key operator connected to the second quantum secure device terminal to the first key operator, and creates a symmetric key pool for the first key operator and the second key operator. Since the first key operator already has the address of the second key operator, it can establish a communication connection with the second key operator. This invention achieves rapid connection between the two operators by introducing a key operator as an intermediate bridge and utilizing the key center to provide operator addresses and create symmetric key pools. The symmetric key pools pre-established or quickly established between operators provide an efficient key foundation for subsequent frequent inter-terminal communication, avoiding complex global key negotiation for each communication, thereby simplifying the communication establishment process, shortening the connection establishment time, and improving the user experience.

[0048] (4) The first key operator and the second key operator connect and generate a hybrid key. Generating a hybrid key means: such as Figure 3 As shown, the first key operator obtains the first encryption key k1 and its index idx1 from its local symmetric key pool. It then uses the first encryption key k1 to encrypt the initial key K corresponding to the device ID of the first quantum secure device terminal, obtaining the first ciphertext DATA1. The first ciphertext DATA1 and the index idx1 of the first encryption key are then sent to the second key operator. The second key operator obtains the first decryption key k1' from its local symmetric key pool based on the index idx1 of the first encryption key. It uses the first decryption key k1' to decrypt the first ciphertext DATA1, obtaining the initial key K corresponding to the device ID of the first quantum secure device terminal. Similarly, the second key operator encrypts the initial key M corresponding to the device ID of the second quantum secure device terminal (the encryption key is also obtained from its local symmetric key pool) and sends it to the first key operator. The first key operator decrypts the encryption key to obtain the initial key M corresponding to the device ID of the second quantum secure device terminal.

[0049] Then, the first key operator and the second key operator each perform an XOR operation on the initial key K corresponding to the device ID of the local first quantum secure device terminal and the initial key M corresponding to the device ID of the second quantum secure device terminal to obtain the hybrid key S. This invention decentralizes the key derivation process to the key operator level, with the key center only intervening during device registration, authentication, and the creation of symmetric key pools for operators. Once a secure channel is established between operators and a hybrid key is generated, subsequent terminal communication key generation is completed autonomously by the operators and terminals. This layered architecture greatly reduces the key management burden and communication load of the key center, enabling the entire process to maintain efficient operation and good scalability even when facing a massive number of quantum secure device terminals.

[0050] Then, based on the hybrid key, the first quantum secure device terminal and the second quantum secure device terminal each generate a communication key and perform authentication. After successful authentication, the first quantum secure device terminal and the second quantum secure device terminal obtain the communication key. The specific process of generating the communication key and performing authentication is as follows:

[0051] 1) such as Figure 4 As shown, the first key operator sends the initial key M and the hybrid key S corresponding to the device ID of the local second quantum security device terminal to the first quantum security device terminal. The first quantum security device terminal concatenates its own initial key K corresponding to its device ID with the initial key M corresponding to the device ID of the second quantum security device terminal to obtain the key L to be expanded.

[0052] 2) The first quantum secure device terminal uses its local augmentation algorithm to augment the key L to obtain the augmented key X. Then, the augmented key X is divided into the first to Nth segments according to the length of the hybrid key S. The hybrid key S is then used to perform XOR operations on the first to Nth segments in sequence. The first to Nth segments after the XOR operation are then concatenated to obtain the communication key T. Next, the first quantum secure device terminal generates an irreducible polynomial p1 locally and records the string formed by the coefficients of each term in the irreducible polynomial p1 except for the highest term as str1. Then, an input random number s1 is generated locally, and a hash function H is generated based on the irreducible polynomial p1 and the input random number s1. p1,s1 Using hash function H p1,s1 The hash value of the communication key T is calculated to obtain the hash value H1(T);

[0053] 3) The first quantum secure device terminal sends the string str1, hash value H1(T), input random number s1, and its local expansion algorithm to the first key operator. The first key operator then encrypts the string str1', hash value H1(T)', input random number s1', and the expansion algorithm of the first quantum secure device terminal. The encryption key is obtained from the local symmetric key pool. The second key operator then decrypts the string str1', hash value H1(T)', input random number s1', and the expansion algorithm of the first quantum secure device terminal. The second key operator sends the initial key K corresponding to the device ID of the first quantum secure device terminal, the hybrid key S, the string str1', hash value H1(T)', input random number s1', and the expansion algorithm of the first quantum secure device terminal to the second quantum secure device terminal.

[0054] 4) After receiving the data, the second quantum secure device terminal first concatenates the initial key K corresponding to the device ID of the first quantum secure device terminal and the initial key M corresponding to its own device ID to obtain the key to be expanded L; then, it uses the expansion algorithm of the first quantum secure device terminal to expand the key to be expanded L to obtain the expanded key X'; then, it divides the expanded key X' into the first to Nth segments according to the length of the hybrid key S; then, it uses the hybrid key S to perform XOR operations on the first to Nth segments in sequence, and then concatenates the first to Nth segments after the XOR operation to obtain the communication key T';

[0055] The second quantum-secure device terminal generates an irreducible polynomial p1' with a coefficient of 1 for each term of the polynomial except for the highest term, based on the coefficients of each term in the string str1'. It then uses the irreducible polynomial p1' and the input random number s1' to generate a hash function H'. p1,s1 Next, using the hash function H' p1,s1 The hash value of the communication key T' is calculated to obtain the hash value H2(T); the received hash value H1(T)' is compared with the calculated hash value H2(T). If they match, the communication key authentication is successful, and both the first quantum security device terminal and the second quantum security device terminal obtain the communication key and can communicate; if they do not match, step (4) is repeated. It can be seen that the final generation of the communication key depends on the hybrid key between operators and the terminal's own computation, which makes the key generation process more flexible and not completely dependent on the key center, giving it a stronger independent key processing capability.

[0056] In summary, the communication key of this invention does not directly use a static initial key. Instead, based on the initial key, operators generate a hybrid key through a connection, and dynamically derive a unique communication key for each session from this hybrid key. This mechanism ensures that even if the key for a certain communication is cracked, it will not affect the security of other historical or future communications, fundamentally eliminating the security risks caused by key reuse and providing extremely high security for data transmission between quantum-safe device terminals. Moreover, this invention constructs a multi-level trusted key distribution system: First, the device registers with the key center and obtains an initial key at the factory, establishing a root of trust between the device and the center; second, during the communication establishment phase, the key operator needs to authenticate the device's legitimacy through the key center, ensuring that only legitimate devices can access the network; finally, after obtaining the communication key derived from the hybrid key provided by the operator, both communicating terminals need to be authenticated. This progressive authentication and key distribution mechanism effectively prevents man-in-the-middle attacks and unauthorized device access, ensuring the security and reliability of the communication key throughout the entire distribution process.

[0057] This invention also provides a computer device, which includes at least a processor and a memory. The memory stores a computer program, and the processor executes the computer program stored in the memory to implement the steps in the communication key acquisition method of the quantum-safe device terminal of this invention.

[0058] This invention also provides a computer-readable storage medium storing a computer program. When the computer program is executed by a processor, it implements the steps in the communication key acquisition method for the quantum-safe device terminal of this invention.

Claims

1. A method for obtaining the communication key of a quantum-safe device terminal, characterized in that, The method includes the following steps: (1) When the quantum security device terminal leaves the factory, it records its own device ID into the key center. The key center generates an initial key corresponding to the device ID and randomly selects an expansion algorithm from its own expansion algorithm set. Then, it sends the initial key and expansion algorithm to the quantum security device terminal. (2) When the quantum secure device terminal communicates with the key operator for the first time, the key operator authenticates the legitimacy of the device to the key center through the device ID sent by the quantum secure device terminal. After the authentication is successful, the key center sends the initial key corresponding to the device ID to the key operator for storage, and records the correspondence between the device ID and the key operator. (3) The first quantum secure device terminal, as the sender, sends its request to communicate with the second quantum secure device terminal, as the receiver, to the first key operator connected to the first quantum secure device terminal; the first key operator sends the device ID of the second quantum secure device terminal in the request to the key center, and the key center sends the address of the second key operator connected to the second quantum secure device terminal to the first key operator, and creates a symmetric key pool for the first key operator and the second key operator; (4) The first key operator and the second key operator connect and generate a hybrid key. Then, based on the hybrid key, the first quantum security device terminal and the second quantum security device terminal each generate a communication key and perform authentication. After successful authentication, the first quantum security device terminal and the second quantum security device terminal obtain the communication key.

2. The method for obtaining the communication key of a quantum-safe device terminal according to claim 1, characterized in that: The key center has a key mapping table and an operator mapping table. The key mapping table is used to associate and store the device ID of the quantum security device terminal with its corresponding initial key and expansion algorithm. The operator mapping table is used to associate and store the device ID of the quantum security device terminal with its corresponding key operator.

3. The method for obtaining the communication key of a quantum-safe device terminal according to claim 1, characterized in that: The authentication of its legitimacy with the key center refers to: When a quantum-safe device terminal communicates with a key operator for the first time, it sends its own device ID to the key operator. The key operator then sends the device ID of the quantum-safe device terminal to the key center. The key center checks its locally entered device IDs to see if the device ID of the quantum-safe device terminal sent by the key operator exists. If it exists, the device ID of the quantum-safe device terminal sent by the key operator is valid; if it does not exist, the device ID of the quantum-safe device terminal sent by the key operator is invalid.

4. The method for obtaining the communication key of a quantum-safe device terminal according to claim 1, characterized in that: The generation of the hybrid key refers to: The first key operator obtains the first encryption key k1 and the index idx1 of the first encryption key from its local symmetric key pool. Then, it uses the first encryption key k1 to encrypt the initial key K corresponding to the device ID of the first quantum security device terminal to obtain the first ciphertext DATA1. Finally, it sends the first ciphertext DATA1 and the index idx1 of the first encryption key to the second key operator. The second key operator obtains the first decryption key k1' from its local symmetric key pool based on the index idx1 of the first encryption key, and uses the first decryption key k1' to decrypt the first ciphertext DATA1 to obtain the initial key K corresponding to the device ID of the first quantum secure device terminal; similarly, the second key operator encrypts the initial key M corresponding to the device ID of the second quantum secure device terminal and sends it to the first key operator, and the first key operator decrypts it to obtain the initial key M corresponding to the device ID of the second quantum secure device terminal; Then, the first key operator and the second key operator each perform an XOR operation on the initial key K corresponding to the device ID of the local first quantum security device terminal and the initial key M corresponding to the device ID of the second quantum security device terminal to obtain the hybrid key S.

5. The method for obtaining the communication key of a quantum-safe device terminal according to claim 1, characterized in that: After step (2), the key center deletes the initial key corresponding to the device ID of the quantum security device terminal that has passed the legality authentication locally.

6. The method for obtaining the communication key of a quantum-safe device terminal according to claim 4, characterized in that: The specific process by which the first quantum secure device terminal and the second quantum secure device terminal, based on hybrid keys, each generate communication keys and perform authentication is as follows: 1) The first key operator sends the initial key M and the hybrid key S corresponding to the device ID of the local second quantum security device terminal to the first quantum security device terminal. The first quantum security device terminal concatenates the initial key K corresponding to its own device ID with the initial key M corresponding to the device ID of the second quantum security device terminal to obtain the key L to be expanded. 2) The first quantum secure device terminal uses its local augmentation algorithm to augment the key L to obtain the augmented key X. Then, the augmented key X is divided into the first to Nth segments according to the length of the hybrid key S. The hybrid key S is then used to perform XOR operations on the first to Nth segments in sequence. The first to Nth segments after the XOR operation are then concatenated to obtain the communication key T. The first quantum secure device terminal generates an irreducible polynomial p1 locally and records the string formed by the coefficients of each term in the irreducible polynomial p1 except for the highest term as str1. Then, an input random number s1 is generated locally, and a hash function H is generated based on the irreducible polynomial p1 and the input random number s1. p1,s1 Using hash function H p1,s1 The hash value of the communication key T is calculated to obtain the hash value H1(T); 3) The first quantum secure device terminal sends the string str1, hash value H1(T), input random number s1, and its local expansion algorithm to the first key operator. The first key operator encrypts the string str1', hash value H1(T)', input random number s1', and the expansion algorithm of the first quantum secure device terminal. The second key operator decrypts the string str1', hash value H1(T)', input random number s1', and the expansion algorithm of the first quantum secure device terminal. The second key operator sends the initial key K corresponding to the device ID of the first quantum secure device terminal, the hybrid key S, the string str1', hash value H1(T)', input random number s1', and the expansion algorithm of the first quantum secure device terminal to the second quantum secure device terminal. 4) After receiving the data, the second quantum secure device terminal first concatenates the initial key K corresponding to the device ID of the first quantum secure device terminal and the initial key M corresponding to its own device ID to obtain the key to be expanded L; then, it uses the expansion algorithm of the first quantum secure device terminal to expand the key to be expanded L to obtain the expanded key X'; then, it divides the expanded key X' into the first to Nth segments according to the length of the hybrid key S; then, it uses the hybrid key S to perform XOR operations on the first to Nth segments in sequence, and then concatenates the first to Nth segments after the XOR operation to obtain the communication key T'; The second quantum-secure device terminal generates an irreducible polynomial p1' with a coefficient of 1 for each term of the polynomial except for the highest term, based on the coefficients of each term in the string str1'. It then uses the irreducible polynomial p1' and the input random number s1' to generate a hash function H'. p1,s1 Next, using the hash function H' p1,s1 Calculate the hash value of the communication key T' to obtain the hash value H2(T); compare the received hash value H1(T)' with the calculated hash value H2(T). If they match, the communication key authentication is successful, and both the first quantum security device terminal and the second quantum security device terminal obtain the communication key; if they do not match, repeat step (4).

7. The method for obtaining the communication key of a quantum-safe device terminal according to claim 1, characterized in that: The expanded algorithm set includes, but is not limited to, the DES algorithm, the 3DES algorithm, and the AES algorithm.

8. A computer device, characterized in that: The computer device includes at least a processor and a memory, wherein the processor is used to execute a computer program stored in the memory to implement the communication key acquisition method of the quantum-safe device terminal as described in any one of claims 1-7.

9. A computer-readable storage medium, characterized in that: It stores a computer program, which, when executed by a processor, implements the communication key acquisition method for a quantum-safe device terminal as described in any one of claims 1-7.