Threshold Key Management Scheme for Blockchain-Based Intelligent Transportation Systems

Intelligent transportation systems (ITS) have always been an important application of the Internet of Things (IoT). Today, big data and cloud computing have further promoted the construction and development of ITS. At the same time, the development of blockchain has also brought new features and convenience to ITS. However, due to the endless emergence of increasingly advanced types of attacks, the security of blockchain-based ITS needs more attention from industry and academia. In this paper, we focus on exploring the primitives in cryptography to guarantee the security of blockchain-based ITS. In particular, the authentication, encryption, and key management schemes in cryptography are discussed. Furthermore, we propose two methods for achieving threshold key management in blockchain-based ITS. The proposed threshold key management scheme (with threshold t) enables various stakeholders to recover a secret if the number of participating stakeholders is at least t. It should be noted that the proposed threshold key management scheme is efficient and secure for multiple users in blockchain-based ITS, especially for the data-sharing scenario.


Introduction
Nowadays, the Internet of Things (IoT) [1,2] has experienced unprecedented development due to the widespread use of big data and cloud computing [3]. Modern intelligent transportation systems (ITS) [4][5][6][7] have extensively benefited from IoT technology. At the same time, the development of blockchain [8,9] has also brought new features and convenience to ITS. However, due to the endless emergence of increasingly advanced types of attacks, the security of blockchain-based ITS needs more attention from industry and academia. The problems in ITS, such as data origin authentication, reliability, and trustworthiness, need to be solved. Note that the blockchain technology maintains the decentralized, distributed, and tamperproof properties [8], which can guarantee the security and reliability of ITS communication. Also, the security of ITS requires more attention and delicate design to protect it from various attacks. Generally speaking, the security attributes of ITS mainly include confidentiality, integrity, consistency, and availability. Confidentiality means that the transmitted data in ITS will not be leaked or accessed illegally. Note that encryption is an effective method to protect the confidentiality of the transmitted data in ITS. Integrity means that the data in ITS will not be maliciously destroyed or deleted. Consistency means that the data in ITS meets the entity integrity. The auditing scheme in cryptography can be employed to protect the integrity and consistency of ITS. Availability means that if a user is authorized, she/he can access ITS. Undoubtedly, cryptography plays a vital role in protecting the security of ITS.
In recent years, cryptography has developed rapidly and has been widely used in various fields of the Internet and computers. Generally, cryptography can be divided into two parts: classical cryptography and modern cryptography. Classical cryptography is based on replacement and substitution methods, while modern cryptography is based on mathematics, computer, and communication science. The main research topics of modern cryptography include information encryption, digital signatures, data integrity, and identity authentication. More precisely, the paper [10] published by Shannon marks the beginning of modern cryptography. In this paper, the concept of unconditional security was proposed. Based on this concept, the one-time pad (OTP) [11] is unconditionally secure; that is, even if an attacker has unlimited computing resources, it is impossible to decipher the ciphertext encrypted by OTP. However, it is obvious that OTP is unrealistic since the OTP requires that the transmission channel is secure, which is impractical in reality. In addition, if one can transmit the secret for the OTP, why not transmit the message of the same length instead? Unconditional security motivated the proposal of computational security [12], and computational security is the foundation of modern cryptography.
Modern cryptography includes symmetric cryptography and asymmetric cryptography. The latter is also known as public key cryptography [13]. The pioneering work of public key cryptography is the well-known Diffie-Hellman key exchange [14], which was proposed by Diffie and Hellman in 1976. After that, the RSA algorithm [15] was designed by Rivest et al. The security of the RSA algorithm is based on the factoring problem. Since then, a large number of excellent research results have emerged in the field of public key cryptography. In this paper, primitives in cryptography are explored and utilized for achieving ITS security. Specifically, the threshold key management scheme is designed based on the (t, n) threshold secret sharing, which is an efficient and secure cryptography primitive. The rest of this paper is organized as follows. Section 2 introduces ITS security architecture and some corresponding cryptographic techniques. Section 3 presents three secret-sharing schemes in detail. Section 4 proposes the threshold key management scheme for ITS security. Section 5 draws the conclusion for this paper.

Related Works
Cryptography plays a vital role in protecting the security of ITS. Figure 1 shows the mechanism in protecting ITS security and the corresponding cryptography primitives. The ITS security architecture mainly includes access management, security management, and data encryption. In particular, access management consists of user authentication and access control. Security management can be classified into decentralized management and centralized management. Data encryption falls into two categories: the encryption at the client side and the encryption at the server side. Generally speaking, the encryption at the server side can achieve a higher security level than the encryption at the client side.
On the other hand, various cryptography technologies can be used to protect ITS security. Figure 1 lists some effective and well-designed schemes in cryptography, which can be employed at the different branches of ITS architecture to ensure security. In the access management branch, MAC and digital signature are suitable. Currently, the most commonly used techniques in digital signature are BLS signature [16], group signature [17], and ring signature [18]. BLS signature has many desirable properties, such as the short length of the signature and the aggregatability of the signature. The group signature and ring signature enable a group of users to sign a message with properties of anonymity, traceability, and unforgeability. In the data encryption branch, various encryption schemes in cryptography can be used to protect the data security of both the client side and the server side. Generally speaking, the encryption can be divided into the symmetric encryption and the asymmetric encryption. In addition, the key management [19] plays an essential role in both the symmetric encryption and the asymmetric encryption. At present, the well-recognized symmetric encryption schemes are DES, AES, RC6, and TwoFish, while the cutting edge asymmetric encryption schemes include the searchable encryption [20] and homomorphic encryption [21]. The key management is an essential mechanism in encryption, which ensures the security of the key. Improper key management may threaten the security of encrypted data. The key exchange protocol [22], secret sharing [23], and hierarchical key management [24] are effective methods in key management. In this paper, we mainly focus on the secret-sharing scheme to protect ITS security.
The main contributions of this paper can be summarized as follows:
(1) ITS security architecture is presented. In this paper, the main branches of ITS security are outlined. In addition, the corresponding cryptographic technologies are listed, which can ensure the security of ITS.
(2) Three kinds of secret-sharing schemes are studied in this paper. The mainstream schemes in the field of secret sharing are being studied. In particular, Shamir's secret-sharing scheme, Blakley's secret-sharing scheme, and CRT secret-sharing scheme are studied in this paper.
(3) The threshold key management scheme for ITS security is designed. Based on Shamir's secret-sharing scheme and the CRT secret-sharing scheme, we proposed the threshold key management scheme. The proposed scheme enables n stakeholders to share data and gives each stakeholder the control over the data. Note that the fault tolerance is also supported by taking advantage of the secret-sharing scheme. Namely, the system can perform well, provided that, at least, t stakeholders are legal.
In the paper, aiming at the security threats in ITS, the secret-sharing schemes are employed in the blockchain-based ITS to support threshold key management, thus ensuring the reliability and the privacy of ITS.

Secret-Sharing Schemes
In this section, three types of secret sharing are introduced. Generally speaking, a secret sharing in cryptography is a scheme that enables the division of a secret s into n shares such that the secret can be recovered if and only if at least t shares are combined. The secret sharing with threshold t can also be named (t, n) secret sharing.

Shamir's Secret Sharing.
The secret-sharing scheme [25] proposed by Shamir is based on the Lagrange polynomials. Essentially, the basic idea of Shamir's scheme is based on the fact that two points decide a line, three points decide a parabola, and so on. In general, a polynomial of degree t − 1 can be defined by t points on it. Specifically, a polynomial f(x) of degree t − 1 is selected for a secret-sharing scheme with t threshold: (1) Here, the coefficient of x is selected at random while the secret is encoded as the constant $a_0$. The share that is distributed to each distinct stakeholder i is a point on f(x) with randomly selected $x_i$ and corresponding $y_i = f(x_i)$. In order to recover the secret (i.e., $a_0$), the cooperation of at least t stakeholders is required. In particular, these t stakeholders hold t points on the curve defined by f(x). Based on the Lagrange polynomial shown in equation (2), these t stakeholders can reconstruct the polynomial f(x) and therefore recover the secret $a_0$, From Shamir's works, various secret-sharing schemes based on the Lagrange polynomials were proposed, which can be found in [26][27][28]. Moreover, Shamir's secret sharing is employed in various applications such as the cloud computing [29,30] and the privacy-preserving environment [31].

Blakley's Secret Sharing.
The secret-sharing scheme [32] proposed by Blakley is based on the hyperplanes. The basic fact of Blakley's secret sharing is that n nonparallel hyperplanes in n-dimensional space must intersect at exactly one point. For example, three nonparallel planes must intersect at exactly one point in 3-dimensional space. In this scheme, with n stakeholders and t threshold, the secret is encoded as a point in a t-dimensional space, while the share of each stakeholder is an affine hyperplane that passes through the secret point (it is clear that the number of such affine hyperplanes is infinite). In particular, the affine hyperplanes in the t-dimensional space can be defined by In order to generate n shares for n stakeholders, t random coefficients are selected for stakeholder i and the corresponding $y_i$ can be calculated as Note that the secret is encoded as one coordinate $x_i$, which is fixed, and the rest t − 1 coordinates can be selected at random. Any t stakeholders together can calculate the secret by solving the solution of Blakley's secret sharing has also been studied and improved since it has been proposed. In [33][34][35], the extension and application of Blakley's secret sharing can be found.

CRT Secret Sharing.
The secret-sharing scheme [36] proposed by Asmuth and Bloom is based on the Chinese remainder theorem (CRT).
Given a set of pairwise co-prime numbers $m_1, m_2, m_3, \ldots, m_n$, the following linear congruence equations have a unique solution modulo M, where $M = \prod_{i=1}^{n} m_i$:
Figure 1: ITS security architecture and the corresponding cryptographic technologies.
Moreover, the unique solution can be calculated by where $C_i = M/m_i$. CRT is a fundamental theorem in cryptography; the CRT-based secret sharing has always been studied since it was proposed. The recent research progress in the CRT-based secret sharing can be found in [37][38][39].
In the following, we employ these three kinds of secret-sharing schemes to design the threshold key management scheme for multiple stakeholders in ITS.

Threshold Key Management for Database Security
In this section, the threshold key management scheme in blockchain-based ITS is proposed based on the secret-sharing scheme.

The System Model.
In this section, the system model of the threshold key management for blockchain-based ITS security is presented. Figure 2 depicts the system model. In the system model, the shared data are possessed by n vehicles. In order to facilitate the use and sharing [40], they want to store the data in the cloud. However, storing plaintext data may bring many security issues. Thus, these n vehicles can generate a key to encrypt data to ensure data storage security. In our system, the secret-sharing scheme is utilized to generate the key. Note that, in the secret-sharing scheme, the key is divided into n pieces and distributed to n vehicles over a secure channel. After that, the key can be recovered if and only if at least t vehicles cooperate; here, t is the threshold of the secret-sharing scheme. In this way, the data are protected with the following properties:
(i) Each of the n vehicles has control over the data. Specifically, any t vehicles of these n vehicles together can recover the key. Thus, they can decrypt the data.
(ii) The invalidation of some vehicles will not cause the key to be unrecoverable. More precisely, the invalidation of n − t + 1 is tolerable.

Cross-Domain Communication Architecture.
The architecture of ITS cross-domain communication changes when the blockchain technology is introduced. Figure 3 shows the cross-domain communication in ITS of the traditional architecture. In Figure 3, it can be observed that the communication between vehicles in distinct domains triggers five channels including the communication between vehicle and RSU, the communication between CA and RSU, and the communication between CAs. The detailed channels are marked with red color in Figure 3. In contrast, Figure 4 shows the cross-domain communication in ITS of the blockchain-based architecture. It can be seen in Figure 4 that the communication of vehicles in distinct domains can be simplified by the blockchain network. Also, by taking advantage of the blockchain technology, the reliability of the communication can be guaranteed.

Key Management Scheme Based on Shamir's Secret Sharing.
Based on Shamir's secret sharing, the key management scheme for blockchain-based ITS can be designed as follows:
(i) Key generation: to share data D for n stakeholders, the owner of the data D selects a random AES key. The key can be $key \leftarrow \{0, 1\}^l$. Here, l is the security parameter of the system, which can be 128-bit, 192-bit, or 256-bit depending on the security level of the system.
(ii) Threshold selection: the n stakeholders jointly decide the threshold t.
(iii) Polynomial generation: the owner of the data selects a polynomial of degree t − 1 as in equation (1). The key is encoded as the constant $a_0$, while the other t − 1 coefficients are selected randomly.
(iv) Share generation: for each stakeholder i, the data owner chooses a point $x_i$ and calculates the corresponding $y_i$. Then, the data owner distributes the pair $(x_i, y_i)$ to stakeholder i. To distribute the key to n stakeholders, the data owner needs to calculate n pairs of $(x_i, y_i)$ and distribute these pairs to the corresponding stakeholders in a secure way.
(v) Encryption: after the key distribution, the data owner encrypts data D with key and uploads the encrypted data E to the cloud. Here, $E = \mathrm{AES}_{key}(D)$.
(vi) Decryption: with the received part, a stakeholder, together with other t − 1 stakeholders, can recover the key. After that, these stakeholders can decrypt the encrypted data E.
In the following, an example is presented for the key management scheme. In this example, 10 stakeholders are involved and the threshold is 4. The selected polynomial is shown in equation (8). The corresponding secret is 2006, which is in a decimal form: The 10 pairs of $(x_i, y_i)$ are distributed to the stakeholders. Table 1 shows the 10 pairs of $(x_i, y_i)$ selected based on equation (7). Here, in order to facilitate readers' understanding, x is set from 2 to 11. We note that, in practice, the value of $x_i$ can be selected randomly over the function domain to preserve security. Then, we show that any 4 pairs from Table 1 can be used to recover the secret 2006. In the example, (4, 4358), (5, 6421), (6, 9493), and (7, 13577) are selected for the secret recovery. In equation (2), $l_j(x)$ is the Lagrange basis polynomial, which is shown in equation (8): Note that based on equations (2) and (9) and the four selected pairs, the secret can be recovered. Equation (10) shows the calculation in detail: It can be observed from equation (9) that the secret value 2006 is recovered by 4 pairs $(x_i, y_i)$ of the polynomial. In fact, any 4 pairs are sufficient for the secret recovery based on the interpolation polynomial.
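The share generation and key recovery steps above as runnable Python, added here as an illustration and not code from the paper. It assumes arithmetic in the prime field GF(P) with P = 2^521 − 1 (an assumption of this example), reuses the example's n = 10, t = 4 and x from 2 to 11 with a constructed random key, and omits the AES step; all function names are hypothetical.

```python
import secrets
from itertools import combinations

# Assumption: shares live in GF(P). P = 2**521 - 1 is a Mersenne prime, large
# enough to hold a 128-, 192- or 256-bit AES key as the constant term a_0.
P = 2**521 - 1

def shamir_split(key, t, xs, prime=P):
    """Return one (x_i, y_i) share per x in xs; any t of them recover key."""
    xs = list(xs)
    if not 0 <= key < prime:
        raise ValueError("key must be in [0, prime)")
    if not 1 <= t <= len(xs):
        raise ValueError("need 1 <= t <= n")
    if len({x % prime for x in xs}) != len(xs) or any(x % prime == 0 for x in xs):
        raise ValueError("x_i must be distinct and non-zero (f(0) is the key)")
    # f(x) = a_0 + a_1 x + ... + a_{t-1} x^{t-1}, a_0 = key, the rest uniform.
    coeffs = [key] + [secrets.randbelow(prime) for _ in range(t - 1)]
    shares = []
    for x in xs:
        y = 0
        for c in reversed(coeffs):      # Horner evaluation mod prime
            y = (y * x + c) % prime
        shares.append((x, y))
    return shares

def shamir_recover(shares, prime=P):
    """Lagrange interpolation evaluated at x = 0, which yields a_0."""
    if len({x % prime for x, _ in shares}) != len(shares):
        raise ValueError("duplicate x_i in shares")
    key = 0
    for j, (xj, yj) in enumerate(shares):
        num = den = 1
        for m, (xm, _) in enumerate(shares):
            if m != j:
                num = num * -xm % prime          # product of (0 - x_m)
                den = den * (xj - xm) % prime    # product of (x_j - x_m)
        key = (key + yj * num * pow(den, -1, prime)) % prime
    return key

def demo():
    """n = 10, t = 4, x from 2 to 11 as in the text; the key is constructed."""
    key = secrets.randbits(128)
    shares = shamir_split(key, 4, range(2, 12))
    # Every one of the 210 possible 4-share subsets must give the key back.
    ok = all(shamir_recover(list(c)) == key for c in combinations(shares, 4))
    # Three shares interpolate a different curve and yield an unrelated value.
    short = shamir_recover(shares[:3])
    return ok, short != key

if __name__ == "__main__":
    print(demo())
```

Working modulo a prime keeps each share the same size as the key space and makes any t − 1 shares statistically independent of the key, which integer arithmetic does not.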

Key Management Scheme Based on CRT.
Based on CRT secret sharing, the key management scheme for blockchain-based ITS can be designed as follows:
(i) Key generation: this phase is identical to the key management scheme based on Shamir's secret sharing. The data owner selects an AES key.
(ii) Threshold selection: the n stakeholders jointly decide the threshold t.
(iii) Parameters' selection: the owner of the data selects n co-prime numbers m such that $(m_i, m_j) = 1$ holds for each pair of $m_i$ and $m_j$ (i ≠ j). After that, based on the selected threshold, the owner of the data calculates the product of these n co-prime numbers as $M = \prod_{i=1}^{t} m_i$. Here, the selected key should satisfy $0 \le key < m_1$.
(iv) Share generation: to divide the secret key, the data owner selects a random number r and calculates $S = key + r \cdot m_1$. Here, the selected random number r should satisfy $0 \le r < M/m_1 - 1$.
(v) Share distribution: for each stakeholder i (i > 1), the data owner distributes $S_i$ to stakeholder i. Here, Similarly, this value is transmitted in a secure way.
(vi) Encryption and decryption: after the key distribution, the data owner encrypts data D with key and uploads the encrypted data E to the cloud. In addition, the decryption needs the involvement of at least t stakeholders. They can construct the following linear congruence equations: Based on CRT, these linear congruence equations have a unique solution: where $M^* = \prod_{i=2}^{t} m_i$ and $C_i = M^*/m_i$.
To show the performance of the CRT-based and Shamir's secret-sharing-based key management schemes, the complexity of recovery operations of these two schemes is analyzed. Figure 6 depicts the comparison between Shamir's secret-sharing-based key management scheme and CRT secret-sharing-based key management scheme. It can be observed from Figure 6 that the scheme based on CRT is more efficient than the scheme based on Shamir's secret sharing.
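A runnable sketch of the CRT-based share generation and recovery above, added here as an illustration and not code from the paper. It follows the standard Asmuth-Bloom construction [36]: the modulus that bounds the key (m_1 in the text) is passed separately as `m0`, each stakeholder receives S mod m_i, and the usual Asmuth-Bloom threshold condition on the moduli is checked. The moduli, the key and all function names are constructed for this example.

```python
import secrets
from itertools import combinations
from math import gcd, prod

def crt_check(m0, moduli, t):
    """Validate Asmuth-Bloom parameters; return the bound S must stay below."""
    ms = sorted(moduli)
    if not 1 <= t <= len(ms):
        raise ValueError("need 1 <= t <= n")
    if any(gcd(a, b) != 1 for a, b in combinations([m0] + ms, 2)):
        raise ValueError("moduli must be pairwise co-prime")
    # The t smallest moduli must outweigh m0 times the t-1 largest ones,
    # otherwise t-1 colluding stakeholders can narrow down the key.
    if m0 * prod(ms[len(ms) - t + 1:]) >= prod(ms[:t]):
        raise ValueError("threshold condition violated")
    return prod(ms[:t])

def crt_split(key, m0, moduli, t):
    """Blind the key as S = key + r*m0 and hand out (m_i, S mod m_i)."""
    bound = crt_check(m0, moduli, t)
    if not 0 <= key < m0:
        raise ValueError("key must be in [0, m0)")
    r = secrets.randbelow((bound - 1 - key) // m0 + 1)   # keeps S < bound
    s = key + r * m0
    return [(m, s % m) for m in moduli]

def crt_solve(shares):
    """x = sum(S_i * C_i * C_i^-1) mod M, with C_i = M / m_i."""
    big_m = prod(m for m, _ in shares)
    x = 0
    for m, s_i in shares:
        c_i = big_m // m
        x += s_i * c_i * pow(c_i, -1, m)   # C_i^-1 is the inverse modulo m_i
    return x % big_m

def crt_recover(shares, m0):
    """Any t shares determine S exactly; the key is S mod m0."""
    return crt_solve(shares) % m0

# Constructed parameters: 2**a - 1 and 2**b - 1 are co-prime whenever a and b
# are, and m0 = 2**128 bounds a 128-bit AES key.
M0 = 2**128
MODULI = [2**e - 1 for e in (251, 253, 255, 256, 257)]

def demo(t=3):
    key = secrets.randbits(128)
    shares = crt_split(key, M0, MODULI, t)
    ok = all(crt_recover(list(c), M0) == key for c in combinations(shares, t))
    # With only t-1 shares the CRT solution is S reduced modulo a product
    # smaller than S, so the value modulo m0 no longer matches the key.
    return ok, crt_recover(shares[:t - 1], M0) != key

if __name__ == "__main__":
    print(demo())
```

Recovery costs one modular inverse and a few multiplications per share, which is the operation count the comparison with Lagrange interpolation refers to.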

Conclusion
In this paper, blockchain-based ITS architecture and the corresponding cryptographic technologies are presented. Moreover, the threshold key management scheme for blockchain-based ITS is proposed. To achieve threshold key management, the secret-sharing schemes are employed, which support threshold key sharing for multiple stakeholders. Taking advantage of the secret-sharing schemes, secure and fault-tolerant data sharing in ITS can be supported. The comparison of CRT and Shamir's secret sharing-based key management scheme is also conducted, which indicates that CRT-based scheme has an advantage over Shamir's secret-sharing-based scheme on the complexity of recovery operations.

Data Availability
The performance data used to support the findings of this study are included within the article.

Conflicts of Interest
The authors declare that they have no conflicts of interest.