1. Patent Search
  2. Details

Method and system for performing a secure key relay of an encryption key

20230018829 · 2023-01-19

    Inventors

    Cpc classification

    International classification

    Abstract

    A method and system for performing a secure key relay of an encryption key, K.sub.enc, provided by an initial node, KN.sub.0, and used by an encoding unit (ENC) of a first data transceiver for encoding plain data, P.sub.data, to provide encrypted cipher data, C.sub.data, transported via a data transport link, DTL, to a decoding unit (DEC) of a second data transceiver which decodes the transported cipher data, C.sub.data, using the relayed encryption key, K.sub.enc, provided by a terminal node, KN.sub.N, as a decoding key to retrieve the plain data, P.sub.data, wherein the relay of the encryption key, K.sub.enc, from the initial node, KN.sub.0, to the terminal node, KN.sub.N, is performed by means of intermediate relay nodes, KN.sub.1, KN.sub.2 . . . KN.sub.N−1, and comprises the steps of sharing (S1) QKD-keys, K, between the nodes via secure quantum channels, QCH, of a quantum key distribution network, QKDN; performing (S2) encryption of shared QKD-KEYS, K, at the initial node, KN.sub.0, and at each intermediate relay node, KN.sub.1, KN.sub.2 . . . KN.sub.N−1, and blinding them with a blinding value, S.sub.i, of the respective node to provide an encrypted cipher key, CK.sub.i, by the initial node, KN.sub.0, and by each intermediate relay node, KN.sub.1, KN.sub.2 . . . KN.sub.N−1; distributing (S3) or pre-distributing the blinding values, S.sub.i, of the initial node, KN.sub.0, and of each intermediate relay node, KN.sub.1, KN.sub.2 . . . KN.sub.N−1; transmitting (S4) the encrypted cipher keys, CK.sub.i, of the initial node, KN.sub.0, and of each of the intermediate relay nodes, KN.sub.1, KN.sub.2 . . . KN.sub.N−1, to the terminal node, KN.sub.N; performing (S6) by the terminal node, KN.sub.N, logic operations on reconstructed or pre-distributed blinding values, S.sub.i, on the basis of the encrypted cipher keys, CK.sub.i, received by the terminal node, KN.sub.N, from the initial node, KN.sub.0, and received from each of the intermediate relay nodes, KN.sub.1, KN.sub.2 . . . KN.sub.N−1, to provide the encryption key, K.sub.enc, used by the decoding unit (DEC) of the second data transceiver as a decoding key to retrieve the plain data, P.sub.data.

    Claims

    1. A method for performing a secure key relay of an encryption key, K.sub.enc, provided by an initial node, KN.sub.0, and used by an encoding unit of a first data transceiver for encoding plain data, P.sub.data, to provide encrypted cipher data, C.sub.data, transported via a data transport link, DTL, to a decoding unit (DEC) of a second data transceiver which decodes the transported cipher data, C.sub.data, using the relayed encryption key, K.sub.enc, provided by a terminal node, KN.sub.N, as a decoding key to retrieve the plain data, P.sub.data, wherein the relay of the encryption key, K.sub.enc, from the initial node, KN.sub.0, to the terminal node, KN.sub.N, is performed by means of intermediate relay nodes, KN.sub.1, KN.sub.2 . . . KN.sub.N−1, and comprises the steps of: sharing QKD-keys, K, between the nodes via secure quantum channels, QCH, of a quantum key distribution network, QKDN; performing encryption of shared QKD-KEYS, K, at the initial node, KN.sub.0, and at each intermediate relay node, KN.sub.1, KN.sub.2 . . . KN.sub.N−1, and blinding them with a blinding value, S.sub.i, of the respective node to provide an encrypted cipher key, CK.sub.i, by the initial node, KN.sub.0, and by each intermediate relay node, KN.sub.1, KN.sub.2 . . . KN.sub.N−1; transmitting the encrypted cipher keys, CK.sub.i, of the initial node, KN.sub.0, and of each of the intermediate relay nodes, KN.sub.1, KN.sub.2 . . . KN.sub.N−1, to the terminal node, KN.sub.N; and performing by the terminal node, KN.sub.N, logic operations on blinding values, S.sub.i, on the basis of the encrypted cipher keys, CK.sub.i, received by the terminal node, KN.sub.N, from the initial node, KN.sub.0, and received from each of the intermediate relay nodes, KN.sub.1, KN.sub.2 . . . KN.sub.N−1, to provide the encryption key, K.sub.enc, used by the decoding unit (DEC) of the second data transceiver as a decoding key to retrieve the plain data, P.sub.data.

    2. The secure key relay method according to claim 1 wherein the blinding values, Si, of the initial node, KN0, and of each intermediate relay node, KN1, KN2 . . . KNN−1, are distributed as shares, p, to the other nodes by using a secret sharing protocol.

    3. The secure key relay method according to claim 1 wherein the blinding values, Si, of the initial node, KN0, and of each of the intermediate relay nodes, KN1, KN2 . . . KNN−1, is reconstructed by the terminal node, KNN, on the basis of the shares, p, received by the terminal node, KNN.

    4. The secure key relay method according to claim 2 wherein the secret sharing protocol used to distribute the blinding values, S.sub.i, of the initial node, KN.sub.0, and of the intermediate relay nodes, KN.sub.1, KN.sub.2 . . . KN.sub.N−1, comprises a Shamir secret sharing (SSS) protocol.

    5. The secure key relay method according to claim 1 wherein the blinding value, S.sub.i, of each node used for blinding the encrypted shared QKD-keys, K, comprises a unique random value which is generated by a local random number generator, RNG, of the respective node.

    6. The secure key relay method according to claim 1 wherein the encrypted QKD-keys, K, are blinded with the blinding value, S.sub.i, of the respective node by performing an XOR-operation on the encrypted QKD-keys and the respective blinding value, S.sub.i, of the node.

    7. The secure key relay method according to claim 1 wherein the encryption key, K.sub.enc, is generated by a key generator of the initial node, KN.sub.0, connected to the encoding unit of the first data transceiver or wherein the encryption key, K.sub.enc, is received by the encoding unit of the first data transceiver by means of a user interface or by means of a control data interface.

    8. The secure key relay method according to claim 1 wherein the encryption key, K.sub.enc, is stored in a key memory along with a key identifier, KEY-ID, of the encryption key, K.sub.enc, wherein the key identifier, KEY-ID, of the encryption key, K.sub.enc, relayed from the initial node, KN.sub.0, via the intermediate relay nodes, KN.sub.1, KN.sub.2 . . . KN.sub.N−1, to the terminal node, KN.sub.N, is transported from the first data transceiver via the data transmission link, DTL, to the second data transceiver.

    9. The secure key relay method according to claim 1 wherein the encrypted cipher data, C.sub.data, is transported as payload within data packets transmitted by the first data transceiver via the data transmission link, DTL, to the second data transceiver wherein the key identifier, KEY-ID, of the encryption key, K.sub.enc, is transported in the overheads, OH, of the transported data packets.

    10. The secure key relay method according to claim 1 wherein the encryption key, K.sub.enc, is used by the encryption unit (ENC) of the first data transceiver for performing a symmetric key encryption, such as AES, of the plain data, P.sub.data, or as a one-time pad, OTP, for a predefined amount of received plain data, P.sub.data, or for a predefined time period.

    11. The secure key relay method according to claim 1 wherein the initial node, KN.sub.0, the intermediate relay nodes, KN.sub.1, KN.sub.2 . . . KN.sub.N−1, and the terminal node, KN.sub.N, comprise electrical or optical transceivers connected with each other via transport links used to transport the encrypted cipher keys, CK.sub.i, and the shares, p, of the blinding values, S.sub.i, between the transceivers.

    12. The secure key relay method according to claim 1 wherein the decoding unit of the second data transceiver which decodes the encrypted cipher data, C.sub.data, received via the data transport link, DTL, from the first data transceiver uses the relayed encoding key, K.sub.enc, provided by the terminal node, KN.sub.N, as a decoding key, wherein the encoding key used by the decoding unit as the decoding key is identified by the key identifier, KEY-ID, currently received by the second data transceiver via the data transport link, DTL.

    13. The secure key relay method according to claim 1 wherein the logic operations performed by the terminal node, KN.sub.N, to provide the encryption key, K.sub.enc, on the basis of the reconstructed blinding values, S.sub.i, and the received encrypted cipher keys, CK.sub.i, comprise XOR-operations.

    14. A secure key relay system used for relay of an encryption key, K.sub.enc, said secure key relay system comprising: an initial node, KN.sub.0, connected to an encoding unit (ENC) of a first data transceiver which is adapted to encode plain data, P.sub.data, using an encryption key, K.sub.enc, provided by the initial node, KN.sub.0, to provide encrypted cipher data, C.sub.data; a terminal node, KN.sub.N, connected to a decoding unit (DEC) of a second data transceiver which is adapted to decode the encrypted cipher data, C.sub.data, received from the first data transceiver via a data transport link, DTL, using a relayed encryption key, K.sub.enc, as a decoding key to retrieve the plain data, P.sub.data; and at least one intermediate relay node adapted to perform a secure key relay of the encryption key, K.sub.enc, used by the encoding unit from the initial node, KN.sub.0, to the terminal node, KN.sub.N, by performing a secure key relay method comprising the steps of: sharing QKD-keys, K, between the nodes via secure quantum channels, QCH, of a quantum key distribution network, QKDN; performing encryption of shared QKD-KEYS, K, at the initial node, KN.sub.0, and at each intermediate relay node, KN.sub.1, KN.sub.2 . . . KN.sub.N−1, and blinding them with a blinding value, S.sub.i, of the respective node to provide an encrypted cipher key, CK.sub.i, by the initial node, KN.sub.0, and by each intermediate relay node, KN.sub.1, KN.sub.2 . . . KN.sub.N−1; transmitting the encrypted cipher keys, CK.sub.i, of the initial node, KN.sub.0, and of each of the intermediate relay nodes, KN.sub.1, KN.sub.2 . . . KN.sub.N−1, to the terminal node, KN.sub.N; and performing by the terminal node, KN.sub.N, logic operations on blinding values, S.sub.i, on the basis of the encrypted cipher keys, CK.sub.i, received by the terminal node, KN.sub.N, from the initial node, KN.sub.0, and received from each of the intermediate relay nodes, KN.sub.1, KN.sub.2 . . . KN.sub.N−1, to provide the encryption key, K.sub.enc, used by the decoding unit (DEC) of the second data transceiver as a decoding key to retrieve the plain data, P.sub.data.

    15. The secure key relay system according to claim 14 wherein the initial node, KN.sub.0, the terminal node, KN.sub.N, and the at least one intermediate relay node comprise electrical or optical transceivers connected with each other by means of transport links used to transport the encrypted cipher keys, CK.sub.i, and the shares, p, of the blinding values, S.sub.i, between the transceivers.

    16. The secure key relay system according to claim 14 wherein the initial node, KN.sub.0, and the terminal node, KN.sub.N, comprise trusted nodes of the secure key relay system.

    17. The secure key relay system according to claim 14 wherein the initial node, the intermediate relay nodes and the terminal node are connected at least pairwise via secure quantum channels, QCH, of a quantum key distribution network, QKDN.

    18. The secure key relay system according to claim 14 wherein the data transport link, DTL, used for transport of the encrypted cipher data between the first data transceiver and the second data transceiver comprises an optical data transport link, ODTL, or an electrical data transport link, EDTL.

    Description

    BRIEF DESCRIPTION OF FIGURES

    [0032] In the following, possible embodiments of the different aspects of the present invention are described in more detail with reference to the enclosed figures.

    [0033] FIG. 1 shows a block diagram for illustrating a possible exemplary embodiment of a secure key relay system according to the present invention;

    [0034] FIGS. 2A, 2B illustrate a possible embodiment of a secret sharing protocol employed in a possible embodiment of the secure key relay system according to the present invention;

    [0035] FIG. 3 shows a further diagram for illustrating an operation of a secret sharing protocol used by the secure key relay system according to the present invention;

    [0036] FIG. 4 shows a block diagram for illustrating a possible exemplary embodiment of a secure key relay system according to the present invention;

    [0037] FIG. 5 shows a flowchart of a possible exemplary embodiment of a computer-implemented method for performing a secure key relay of an encryption key;

    [0038] FIGS. 6, 7 show block diagrams for illustrating further possible exemplary embodiments of a secure key relay system according to the present invention.

    DETAILED DESCRIPTION OF EMBODIMENTS

    [0039] FIG. 1 shows schematically a possible exemplary embodiment of a secure key relay system 1 according to the present invention used for relay of an encryption key K.sub.enc. The secure key relay system 1 as illustrated in FIG. 1 can be used to perform a secure key relay of at least one encryption key K.sub.enc provided by an initial node KN.sub.0 to a terminal node KN.sub.N via intermediate key relay nodes KN.sub.1, KN.sub.2 . . . KN.sub.N−1. The encryption key K.sub.enc is provided by the initial node KN.sub.0 and can be used by an encoding unit ENC of a first data transceiver TR-A for encoding or encrypting plain data P.sub.data to provide encrypted cipher data C.sub.data. The encoding unit ENC of the first data transceiver TR-A (Alice) is adapted to encode plain data P.sub.data using the encryption key K.sub.enc received from a data source. The encoding unit ENC of the first data transceiver TR-A provides encrypted cipher data C.sub.data transported via a data transport link DTL to a decoding unit DEC of a second data transceiver TR-B which decodes the transported cipher data C.sub.data using the relayed encryption key K.sub.enc provided by the terminal node KN.sub.N as a decoding key to retrieve the plain data P.sub.data. The retrieved plain data P.sub.data can be further processed by a subsequent processing unit. The relay of the encryption key K.sub.enc from the initial node KN.sub.0 to the terminal node KN.sub.N is performed by the intermediate relay nodes KN.sub.1, KN.sub.2 . . . KN.sub.N−1 as illustrated in FIG. 1. The initial node KN.sub.0, the terminal node KN.sub.N and the at least one intermediate key relay node can comprise in a possible embodiment electrical or optical transceivers connected with each other by means of electrical or optical transport links used to transport the encrypted cipher keys CK and shares p of the blinding values S.sub.i between the transceivers. The number of intermediate key relay nodes KN used for relay of the encryption key K.sub.enc can vary depending on the use case, in particular depending on the length of the optical or electrical data transport link DTL between the transceivers TR-A, TR-B.

    [0040] The relay of the encryption key K.sub.enc can be performed by the computer-implemented method as illustrated in the flowchart of FIG. 5. In FIG. 5 a possible embodiment for a key encryption relay using secret sharing protocols is illustrated. Other techniques to encrypt or blind the communication between the intermediate nodes and the terminal node can be used in alternative embodiments.

    [0041] In a first step S1, QKD-keys are shared between nodes via secure quantum channels QCH of a quantum key distribution network QKDN. As illustrated in FIG. 1, the initial node KN.sub.0, the intermediate relay nodes KN.sub.1, KN.sub.2 . . . KN.sub.N−1 as well as the terminal node KN.sub.N form a chain of nodes connected with each other via electrical transport links ETL as shown in FIG. 1. Further, neighboring nodes are connected pairwise by secure quantum channels QCH of a quantum key distribution network QKDN. In the quantum layer, a pair of QKD-modules can generate a pair of symmetric (identical) random bit strings based on an QKD protocol. Each QKD-module can be installed in a node of the key relay node chain illustrated in FIG. 1. Accordingly, at least two neighboring nodes within the key relay node chain shown in FIG. 1 can share QKD-keys via a secure quantum channel QCH as shown in FIG. 1.

    [0042] In a further step for performing the secure key relay of the encryption key K.sub.enc, the encryption of shared QKD-keys at the initial node KN.sub.0 and at each intermediate node is performed in step S2 and then they are blinded with a blinding value S.sub.i of the respective node to provide an encrypted cipher key by the initial node KN.sub.0 and by each intermediate relay node KN.sub.1, KN.sub.2 . . . KN.sub.N−1. Each node KN.sub.i can hold a so-called blinding value S.sub.i. The binding value S.sub.i of a node can be pre-distributed to the respective node or can be distributed to the node using a secret sharing protocol. Blinding comprises a technique to hide a secret key by performing an XOR-operation with a random value. Blinding forms a specific encryption technique. The blinding values S.sub.i of the different nodes can be distributed to the nodes by a secret sharing protocol SSS in such a way that an aggregation or a so-called sum of all blinding values S.sub.i can be calculated only at the terminal node KN.sub.N as also illustrated in FIG. 1. The blinding values S.sub.i can in a possible embodiment be distributed to the key relay nodes by a secret sharing protocol SSS before a key relay is performed. In a possible embodiment, the secret sharing protocol SSS used to distribute the blinding values S.sub.i in step S3 is formed by a Shamir secret sharing (SSS) protocol. The distribution of the blinding values in step S3 is not necessary if the blinding values have already been pre-distributed. The secret sharing protocol SSS in general comprises an input or distribution phase and a reconstruction phase as also illustrated in FIGS. 2A, 2B, 3. The blinding values S.sub.i of the initial node KN.sub.0 and of each intermediate key relay node KN.sub.1, KN.sub.2 . . . KN.sub.N−1 are distributed in step S3 as shares p to the other nodes by using a secret sharing protocol, in particular the Shamir secret sharing protocol SSS as shown schematically in FIG. 2A. The calculation of the shares p can be achieved by using a polynomial function f as illustrated in the example of FIG. 2B. In an alternative embodiment the blinding values S.sub.i can be pre-distributed to the nodes.

    [0043] After having distributed the shares p using the secret sharing protocol SSS, in step S3 the encrypted cipher keys CK.sub.i of the initial node KN.sub.0 and of each of the intermediate relay nodes KN.sub.1, KN.sub.2 . . . KN.sub.N−1 are transmitted in step S4 to the terminal node KN.sub.N.

    [0044] In a further step S5, the blinding values S.sub.i of the initial node KN.sub.0 and each of the intermediate relay nodes KN.sub.1, KN.sub.2 . . . KN.sub.N−1 can be reconstructed on the basis of the shares p received by the terminal node KN.sub.N. The reconstruction of the blinding values S.sub.i is illustrated in FIG. 3. If the blinding values S.sub.i have been pre-distributed the reconstruction in step S5 is not required.

    [0045] In a final step S6, logic operations are performed by the terminal node KN.sub.N on the reconstructed or pre-distributed blinding values S.sub.i on the basis of the encrypted cipher keys CK.sub.i received by the terminal node KN.sub.N from the initial node KN.sub.0 and received from each of the intermediate relay nodes KN.sub.1, KN.sub.2 . . . KN.sub.N−1 to provide the original encryption key K.sub.enc used by the decoding unit DEC of the second data transceiver TR-B (Bob) as a decoding key to retrieve the plain data P.sub.data as also illustrated in FIG. 1.

    [0046] The computer-implemented method for performing a secure key relay of an encryption key K.sub.enc comprises in a possible embodiment the main steps S1,S2,S4,S6 as illustrated in the flowchart of FIG. 5. In FIG. 5 a possible embodiment for a key encryption relay is illustrated where a secret sharing protocol is used to distribute blinding values. Other techniques to encrypt or blind the communication between the initial node KN.sub.0/intermediate relay nodes KN.sub.i and the terminal node KN.sub.N can be used in alternative embodiments. Accordingly the steps S3, S5 illustrated in the flowchart of FIG. 5 form optional steps.

    [0047] A first step S1 of sharing the QKD-keys is performed by a quantum key distribution network QKDN connected to the nodes of the secure key relay chain as shown in FIG. 1.

    [0048] A step S2 of performing an encryption of the shared QKD-keys and a step of distributing S3 the blinding values S.sub.i is performed by every key relay node of the key relay node chain shown in FIG. 1 with the exception of the terminal node KN.sub.N.

    [0049] Accordingly, the present invention provides according to a further aspect a key relay node KN adapted to perform encryption of a shared QKD-key and adapted to blind an encryption key K.sub.enc with a blinding value S.sub.i to provide an encrypted cipher key CK.sub.i which is transmitted by the respective key relay node KN to the terminal node KN.sub.N. The respective key relay node KN is further adapted to distribute shares p of its blinding value S.sub.i to the other key relay nodes KN within the key relay node chain using a secret sharing protocol.

    [0050] The terminal node KN.sub.N is adapted to perform steps S5, S6 of the embodiment of the computer-implemented method as illustrated in the flowchart of FIG. 5. The terminal node KN.sub.N is adapted to reconstruct the blinding values S of the initial node and of each of the intermediate key relay nodes KN.sub.1, KN.sub.2 . . . KN.sub.N−1 on the shares p received from the other nodes. The terminal node is further adapted to perform logic bitwise operations on the reconstructed blinding values S.sub.i on the basis of the encrypted cipher keys CK.sub.i received by the terminal node KN.sub.N from the initial node KN.sub.0 and from each of the intermediate key relay nodes KN.sub.1, KN.sub.2 . . . KN.sub.N−1 to provide the original encryption key K.sub.enc and to supply this encryption key to the decoding unit DEC of the second data transceiver TR-B. The decoding unit DEC uses the supplied key as a decryption key in a symmetrical decryption algorithm to retrieve the original plain data P.sub.data.

    [0051] In a possible embodiment, the blinding value S.sub.i of each node used for blinding the encrypted shared QKD-keys K comprises a unique random value. This unique random value can be generated in a possible embodiment by a local random number generator RNG implemented in the respective node. The random number generator RNG may be implemented as a pseudo random number generator PRNG.

    [0052] The QKD-keys K shared between the nodes via the secure quantum channels QCH in step S1 can be OTP-encrypted in step S2 in a possible embodiment by performing a bitwise XOR-operation on the shared QKD-keys K at the respective node. The OTP-encrypted QKD-keys can be blinded in step S2 with the blinding value S.sub.i of the respective node by performing also an XOR-operation on the OTP-encrypted QKD-keys and the respective blinding value S.sub.i of the respective node.

    [0053] In a possible embodiment of the secure key relay system 1 as illustrated in FIG. 1, the encryption key K.sub.enc can be generated by a key generator of the initial node KN.sub.0 being connected to the encoding unit ENC of the first data transceiver TR-A or by a QKD connected to the initial node. In an alternative embodiment, the encryption key K.sub.enc can also be received from an external key generator connected to the initial node or by means of a user interface or by means of a control data interface.

    [0054] The generated or received encryption key K.sub.enc can be stored in a local key memory of the first data transceiver TR-A along with an associated unique key identifier KEY-ID of the respective encryption key K.sub.enc. The key identifier KEY-ID of the encryption key K.sub.enc is transported from the first data transceiver TR-A (Alice) via the data transmission link DTL to the second data transceiver TR-B (Bob). Along the same data transmission link DTL, the encrypted cipher data C.sub.data can be transported as payload within data packets DP. Each data packet DP can comprise an overhead OH and a payload section PL. The data packets DPs are transmitted by the first data transceiver TR-A via the data transmission link DTL to the second data transceiver TR-B. The data transmission link DTL can comprise in a preferred embodiment an optical data transmission link ODTL. In an alternative embodiment, the data transmission link DTL can also comprise a wired or wireless electronic data transmission link EDTL. The key identifier KEY-ID of the encryption key K.sub.enc which is relayed from the initial node KN.sub.0 via the intermediate key relay nodes KN.sub.1, KN.sub.2 . . . KN.sub.N−1 to the terminal node KN.sub.N can be transported in a possible embodiment within an associated field of the overheads OH of the associated transport data packets DPs. The encryption key K.sub.enc is used by the encoding unit ENC of the first data transceiver TR-A for performing a symmetric key encryption, for instance AES, of the plain data P.sub.data The employed key encryption can comprise a symmetric key encryption. The symmetric encryption and decryption has the advantage that it can be performed at a high processing speed. The encryption key K.sub.enc can be used as a one-time pad OTP for a predefined amount of the received plain data P.sub.data.

    [0055] The plain data P can comprise any kind of data such as image data, audio data or text data used to carry information from the same or different data sources.

    [0056] The encryption of the plain data P and the decryption of the encrypted payload data PL can be performed by the transceivers TR in real time. The key relay can be performed in parallel in real time during transport of the data packets DP via the data transport link DTL. In an alternative embodiment a key relay of a sequence or group of encryption keys can be performed in advance of the transport of the encrypted data payload PL within the data packets DPs. In this case the serial transmitted data packets DPs carry a corresponding sequence of associated key identifiers Key-IDs for the already relayed encryption keys.

    [0057] The transport of the encrypted data via the data transport link DTL can be performed by means of data packets. In an alternative embodiment the transport of the encrypted data can be performed in a data stream.

    [0058] The initial node KN.sub.0, the intermediate relay nodes KN.sub.1, KN.sub.2 . . . KN.sub.N−1 and the terminal node KN.sub.N comprise in a possible embodiment electrical transceivers connected with each other via electrical transport links which can be used to transport the encrypted cipher keys CK.sub.i as well as the shares p of the blinding values S.sub.i of the respective nodes between the electrical transceivers. In an alternative embodiment the initial node KN.sub.0, the intermediate relay nodes KN.sub.1, KN.sub.2 . . . KN.sub.N−1 and the terminal node KN.sub.N comprise optical transceivers connected with each other via optical transport links which can be used to transport the encrypted cipher keys CKi as well as the shares p of the blinding values Si of the respective nodes between the optical transceivers.

    [0059] The decryption unit DEC of the second data transceiver TR-B (Bob) is adapted to decode, i.e. to decrypt, the encrypted cipher data C.sub.data received via the data transport link DTL from the first data transceiver TR-A using the relayed encoding key K.sub.enc provided by the terminal node KN.sub.N as a decoding key. The key used by the decoding unit DEC as a decoding key is identified by the key identifier KEY-ID currently received by the second data transceiver TR-B via the data transport link DTL. This key identifier KEY-ID can be transported within a field of an overhead OH of the received data packets. In a possible embodiment, the logic operations performed in step S6 by the terminal node KN.sub.N to provide the encryption key K.sub.enc used by the decoding unit DEC for decryption comprise XOR-operations performed on the basis of the reconstructed blinding values S and the received encrypted cipher keys CK.sub.i.

    [0060] As can be seen in the block diagram of FIG. 1, the initial node KN.sub.0 as well as each intermediate key relay node KN.sub.1, KN.sub.2 . . . KN.sub.N−1 is adapted to perform an XOR-operation on a pair of shared QKD-keys and blinding them with an associated blinding value S.sub.i of the respective node to provide an encrypted cipher key CK.sub.i. For example, the initial node KN.sub.0 performs an XOR-operation of the shared QKD-keys K.sub.enc, K1 and blinds them with a blinding value S.sub.0 to calculate an encrypted cipher key CK.sub.0. In the same manner, the first intermediate relay node KN.sub.1 performs an XOR-operation of the shared QKD-keys K1, K2 and blinds them with a blinding value S.sub.i also performing an XOR-operation to provide an encrypted cipher key CK.sub.i. All these calculated encrypted cipher keys CK.sub.i are supplied by the initial node KN.sub.0 and by each intermediate key relay node KN.sub.1, KN.sub.2 . . . KN.sub.N−1 to the terminal node KN.sub.N.

    [0061] The blinding values S of the initial node KN.sub.0 and of each intermediate key relay node KN.sub.1, KN.sub.2 . . . KN.sub.N−1 can be distributed as shares p to the other nodes by using a secret sharing protocol SSS as illustrated in FIGS. 2A, 2B. First, a polynomial f(x) of degree n is generated where S.sub.0 of the polynomial function f(x)=f(0) as also illustrated in FIG. 2B. In a further substep n+1 shares p.sub.0, . . . p.sub.n are created such that p.sub.i=(x.sub.i,f(x.sub.i)) for i=0, . . . , n. Finally, the created share p.sub.i is distributed to the key relay nodes KN.sub.i as shown schematically in FIG. 2A. The distribution of the shares p of the blinding values S.sub.i is performed by means of electrical transport links ETL connecting the initial node KN.sub.0, the terminal node KN.sub.N and the at least one intermediate key relay node KN.sub.1, KN.sub.2 . . . KN.sub.N−1. There is a single initial node KN.sub.0, a single terminal node KN.sub.N and a predefined number of key relay nodes KN. Each node is adapted to share its blinding value S.sub.i with the other nodes by using a secret sharing protocol, in particular Shamir's secret sharing protocol SSS. Each nodes generates in a possible embodiment a random value and can convert the generated random value into n shares p using the secret sharing protocol SSS. Each share p is distributed to the other nodes one by one. The terminal node KN.sub.N is adapted to aggregate the n shares p received from the other nodes to calculate an aggregation share S of the blinding values S.sub.i. This is also illustrated in FIG. 3. FIG. 3 illustrates a reconstruction phase using a secret sharing protocol SSS. The reconstruction is performed by the terminal node KN.sub.N on the basis of the received shares p.sub.i. In a first substep, the shares p.sub.i received from the other nodes KN.sub.i (i=0, . . . N−1) are collected by the terminal node KN.sub.N. The received and temporarily stored shares p.sub.0, . . . p.sub.n of the other nodes are reconstructed by the terminal node using the polynomial function f of degree n by Lagrange interpolation. From this, the blinding value S.sub.i for each node can be reconstructed or computed Si=f(0). The terminal node KN.sub.N can then perform logic operations, in particular XOR-operations, on the reconstructed blinding values on the basis of the encrypted cipher keys CK.sub.i received by the terminal node KN.sub.N from the initial node KN.sub.0 and received from each of the intermediate relay nodes KN.sub.1, KN.sub.2 . . . KN.sub.N−1 to provide the original encryption key K.sub.enc which then can be used by the decoding unit DEC of the second data transceiver TR-B as the decoding key in a decryption process to retrieve the plain data P.sub.data.

    [0062] The secure key relay system 1 according to the present invention can in a possible embodiment make use of a method of distributing and reconstructing blinding values S.sub.i involving a secret sharing protocol. This includes an input sharing phase as illustrated in the diagram of FIG. 2A and a reconstruction phase as illustrated in the diagram of FIG. 3. At the input sharing phase as illustrated in FIG. 2A, each node generates a unique blinding value S.sub.i which can be converted into n shares p by a secret sharing technique. Then, these shares p are distributed to other n relay nodes one by one as shown in FIG. 2A.

    [0063] In a reconstruction phase, the terminal node KN.sub.N aggregates the n shares p from the other nodes and reconstructs the original blinding value S.sub.i from each node by a secret sharing technique. This process can be repeated for every relay node. By this process, each blinding value S.sub.i is kept perfectly secure unless all nodes are hacked and their shares are revealed.

    [0064] Besides the process of distributing and reconstructing blinding values S.sub.i by using a secret sharing protocol, the secure key relay system 1 also uses a process of hiding the QKD-key by performing an XOR-operation with a random value. Each key relay node generates a unique random value which forms a so-called blinding value S. The shared QKD-keys at each node are XORed with each other (OTP-encrypted) and can then in addition also undergo an XOR-operation with the associated blinding value (CK.sub.i=(K.sub.i⊕K.sub.i+1⊕S.sub.i)). Then, the outcome, i.e. the cipher key CK.sub.i, is sent to the trusted terminal node KN.sub.N. In this process, a security breach of a key relay node may reveal the shared QKD-keys K and the blinding value S.sub.i but does not reveal any information on other QKD keys K of other nodes since each node comprises different blinding values S. Hence, the encryption key K.sub.enc which is relayed over the nodes is protected under all circumstances.

    [0065] FIG. 4 shows a possible embodiment of a secure key relay system 1 according to the present invention. In the illustrated example, the secure key relay system 1 comprises a first data transceiver TR-A connected via a data transmission link DTL to a second data transceiver TR-B. In the illustrated embodiment, both transceivers TR-A, TR-B comprise optical transceivers connected via an optical data transmission link. Plain data P.sub.data can be encrypted by an encryption unit ENC of the first data transceiver TR-A to provide encrypted cipher data C.sub.data transported via the optical data transport link ODTL to a decoding unit DEC of the second data transceiver TR-B. The decoder DEC of the second transceiver TR-B uses a relayed encryption key K.sub.enc provided by the connected terminal node TN.sub.N as a decoding key to retrieve in a decryption process the original plain data P.sub.data. In the illustrated example, the first and second transceiver TR-A, TR-B comprise an FSP3000 unit. In the illustrated examples of FIGS. 4,7 the key relay nodes KN used for relaying the encryption key K.sub.enc can comprise optical or electrical transceivers connected with each other by means of optical or electrical transport links used to transport the encrypted cipher keys CK.sub.i and the shares p of the blinding values S.sub.i between the transceivers. In the illustrated examples of FIG. 4, 7 the transceivers can comprise FSP150 devices. FIG. 4 shows an embodiment with a single key relay node KN1. FIG. 7 shows an embodiment with two key relay nodes KN1, KN2. The key relay nodes can be untrusted nodes and may not require additional protection mechanisms. The initial node and the terminal nodes are trusted nodes.

    [0066] The electrical transceivers can comprise Ethernet transceivers. The electrical transceivers are in turn connected to QKD-units which provide quantum channels QCH for sharing QKD-keys between nodes. As can be seen in FIG. 4, a pair of QKD-units is connected via a secure quantum channel QCH and an associated service channel required for processing the shared quantum keys. Two QKD-units share a QKD key for secure communication through the QKD-network. As can be seen from the diagram of FIG. 4, the secure key relay system 1 comprises a chain of key relay nodes between an initial node KN.sub.0 and a terminal KN.sub.N formed by electrical transceivers such as Ethernet transceivers. The key relay nodes used for the key relay have connection to a background QKD (quantum key distribution) network. This is used to share QKD-keys K between the electrical transceivers used for a key relay. The secure key relay system 1 can be connected to a data transport system which uses a medium for data transport. The data transport system can use either optical data transport links ODTL or electrical data transport links EDTL. As can be seen in FIG. 4, the secure key relay system 1 is sandwiched between the nodes of the data transport system and the nodes of the quantum key distribution network QKDN. Since the number of key relay nodes KN is unlimited, the secure key relay can be performed over a wide distance between two remote transceivers TR-A and TR-B. The range of key relay can comprise several hundred or even thousands of kilometers. Accordingly, there is no restriction for the key relay range in contrast to a conventional quantum channel. The required XOR-operations as illustrated in FIG. 1 can be performed very fast without requiring hardware with high complexity. The secure key relay system 1 is very resilient against attacks without requiring hardware protection of the intermediate key relay nodes. The sequence or chain of key relay nodes KN can also comprise nodes on a path of a meshed network as also illustrated in FIG. 6. In the illustrated embodiment of FIG. 6 the key relay nodes KN can be managed by registration, switch on/off or e.g. authentication. In a possible embodiment an optimal route can be found based on QKD key rates an access rate. It is also possible to change the route on request dynamically. In case of a security breach emergency key relay nodes KN can be added, removed or updated. In a possible embodiment the transceivers TR-A, TR-B can be connected to a SDN Controller as shown in FIG. 6.