In view of the characteristics of multi-domain optical networks under a hierarchical PCE architecture, this paper proposes a novel key management scheme (referred to as KMS-KI) based on a key hypergraph and identity-based cryptography. Unlike classic decentralized key management schemes based on a logical key tree, the key relationships of the multi-domain optical network are first modeled as a two-layer key hypergraph, in which vertices are represented by points and the key relations at all levels are described by hyperedges. In this way, the layered key relations of the network are better reflected in the key hypergraph model. The master keys, the public and private keys, the session keys, the layer group keys and the inter-domain keys are then generated and dynamically managed using hierarchical identity-based cryptography and improved private key generation strategies. This better addresses both the security protection of private keys and the single point of failure of the private key generation center. Meanwhile, by incorporating the idea of member characteristic values, when members join or leave the group, the remaining group members automatically use the key value of the pPCE or cPCE to calculate and update the group key, which greatly reduces the risk of the new group key being uncovered by an adversary. The analytical results show that the KMS-KI scheme provides forward and backward security, confidentiality of private keys and resistance to collusion attacks. It not only supports hierarchical identity-based cryptography, but also achieves better overall performance than typical decentralized schemes in terms of the number of keys stored, the number of cPCE communications, and encryption and decryption times.