Received September 15, 2020, accepted September 28, 2020, date of publication October 1, 2020, date of current version October 14, 2020.

Digital Object Identifier 10.1109/ACCESS.2020.3028189

Privacy-Preserving Traffic Management: A Blockchain and Zero-Knowledge Proof Inspired Approach

WANXIN LI 1 (Graduate Student Member, IEEE), HAO GUO 2 (Member, IEEE),
MARK NEJAD 1 (Member, IEEE), AND CHIEN-CHUNG SHEN 2 (Member, IEEE)
1 Department of Civil and Environmental Engineering, University of Delaware, Newark, DE 19716, USA
2 Department of Computer and Information Sciences, University of Delaware, Newark, DE 19716, USA
Corresponding author: Mark Nejad (nejad@udel.edu)

ABSTRACT Incorporation of connected vehicle (CV) data into real-time traffic management systems
presents a host of new challenges resulting from the current lack of data integrity and data privacy in traffic
networks. Over the past few years, blockchain technologies have been inspiring extensive innovations in
the transportation field. However, due to the transparency property, sensitive data stored on the blockchain
would be accessible to anyone, resulting in a lack of privacy. In this paper, we propose a decentralized
and location-aware architecture to address the data integrity along with the privacy-preserving issues in
blockchain-based traffic management systems. Our proposed architecture integrates with permissioned and
modular blockchain network and non-interactive zero-knowledge range proof (ZKRP) protocol. We develop
the prototype system on the Hyperledger Fabric platform and Hyperledger Ursa cryptographic library. The
performance results show that our approach is effective and feasible for real-time traffic management while
preserving the data privacy requirements.

INDEX TERMS Blockchain, connected vehicle, data integrity, data privacy, traffic management, vehicular
network, zero-knowledge range proof.

The associate editor coordinating the review of this manuscript and approving it for publication was Songwen Pei.

This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 License. For more information, see https://creativecommons.org/licenses/by-nc-nd/4.0/

VOLUME 8, 2020 181733
W. Li et al.: Privacy-Preserving Traffic Management: A Blockchain and ZKP Inspired Approach

I. INTRODUCTION

Modern traffic management systems utilize a large amount of vehicular data (such as vehicles’ identification number, location, trajectory, etc.) for real-time decision making. The ever-growing incorporation of real-time traffic data from connected vehicles into these traffic management systems brings further data security and privacy challenges. Therefore, assurance of the integrity and privacy of traffic data over its entire life-cycle is a critical aspect of the design, implementation, and operation of such traffic management systems.

For integrity, centralized traffic management systems and their data centers can be attacked by processing malicious messages containing false traffic and vehicular data sent from connected vehicles in the vehicular networks [1]. These malicious messages can include false information about vehicle identification number, location, trajectory, etc. Without an effective defense mechanism, malicious data could lead to severe consequences in transportation, such as congestion [1] and collisions [2].

For privacy, commuters’ fear of leaking personal information and the regulatory requirements for compliance in protecting data privacy are the primary concerns when designing traffic management systems. For instance, there are regulatory requirements on data privacy such as the General Data Protection Regulation and the California Consumer Privacy Act with implementation dates in 2018 and 2020, respectively [3], [4]. In addition, real-time traffic feeds from passing vehicles into traffic management systems may be exploited by a successful attack to extract sensitive information about the commuters. The problem becomes worse when the raw data stream contains commuters’ private information that is not needed for the operation of the traffic management systems.

In addition to the integrity and privacy issues of traffic data, centralized traffic management systems suffer from a single point of failure. In this paper, using the permissioned blockchain platform of Hyperledger Fabric [5], we propose a blockchain-based, decentralized traffic management
architecture that leverages the vehicular networks of connected vehicles (CV) and edge nodes (roadside units and toll stations). As depicted in Fig. 1, over a large geographic area, there exist multiple CV-based vehicular networks. For instance, the transportation authority of each municipality, county, and province or state may be responsible for the traffic management over its respective area of jurisdiction. Also depicted in Fig. 1, the traffic management architecture of each transportation authority is composed of the physical plane and the blockchain plane. Vehicles and edge nodes form a vehicular network in the physical plane. In contrast, in the blockchain plane, traffic management functions are implemented in smart contracts. Connected vehicles, acting as clients, send vehicular information in transactions to the edge nodes that act as Hyperledger Fabric peers to execute transactions, order transactions via a consensus protocol, and validate transactions before committing them into the blockchain, an immutable transaction ledger maintained within a distributed network of peers. In addition, the tamper-proof nature of the blockchain ensures the integrity of the traffic data.

FIGURE 1. Physical and blockchain planes of connected vehicular networks.

To preserve privacy for the connected vehicles within each Hyperledger Fabric blockchain network (intra-blockchain privacy), mechanisms such as channels, private transactions, access control policies, and zero-knowledge proof (ZKP) based schemes of Identity Mixer and Zero-Knowledge Asset Transfer (ZKAT) have been adopted by or proposed for Hyperledger Fabric [6]. However, it is not obvious how to facilitate inter-blockchain privacy when vehicles traverse across the boundary between two areas under different jurisdiction and need to switch from one traffic management system into another in a privacy-preserving manner.

We address the problem of data integrity and privacy for CV-based traffic management systems in multiple vehicular networks. This paper makes the following contributions:

• We present a decentralized and location-aware traffic data management architecture for scenarios with multiple blockchain-based connected vehicular networks. The architecture provides a novel design of transforming centralized traffic data management systems into decentralized blockchain-based networks and maintaining vehicular data as digital records.
• We propose the concept of gateway that resides between two adjacent blockchain-based traffic management systems to switch traveling vehicles from one blockchain into another. The gateway is responsible for verifying the information of an incoming vehicle, preventing spoofing attacks from malicious vehicles, and logging into the ‘entering’ traffic management system on behalf of the traveling vehicle. Specifically, we articulate the design of the gateway by developing a non-interactive zero-knowledge range proof (ZKRP) scheme, where a traveling vehicle (acting as a prover) sends a ZKRP-encrypted message to the gateway (acting as a verifier) to validate the information of the vehicle without revealing any sensitive data.
• We prototype the proposed architecture and gateway on Hyperledger Fabric with the Hyperledger Ursa [7] cryptographic library. In the proof-of-concept experiments, we successfully develop our blockchain-based traffic management system to protect traffic data of connected vehicles against potential attacks while preserving their privacy. To measure the system performance, we analyze transaction latency, throughput and success rate based on the Hyperledger Caliper benchmark tool. The results show that our system is effective and feasible for decentralized traffic management.

The remainder of the paper is organized as follows. Section II reviews the background knowledge of cryptographic commitment and zero-knowledge proof. In Section III, we describe the architecture design of gateway based on ZKRP and depict its operational workflow with two blockchain networks. In Section IV, we perform extensive experiments to evaluate the performance of the prototyped blockchain network and the gateway validation process. Also, we discuss the robustness of the proposed architecture against potential attacks. We review related work in Section V and conclude the paper in Section VI.

II. BACKGROUND KNOWLEDGE

A. CRYPTOGRAPHIC COMMITMENT

A cryptographic commitment scheme allows a prover to compute a value that hides some secret without ambiguity, in the
sense that no one later will be able to argue that this value corresponds to a different secret. In other words, given the impossibility to change the hidden secret, we say that the prover commits to that secret. A commitment scheme has the following two properties:

1) Binding. Given a commitment $y$, it is hard to compute a different pair of secret $\delta$ and random number $\gamma$ whose commitment is also $y$. This property guarantees that there is no ambiguity in the commitment scheme. Thus, after $y$ is published, it is hard to open it to a different value.
2) Hiding. It is hard to compute any information about the secret $\delta$ given the commitment $y$.

Formally, a commitment scheme is defined by algorithms Commit and Open as follows:

1) Given secret $\delta$ and random value $\gamma$, $\mathrm{Commit}(\delta, \gamma)$ computes a commitment $y$ as the output that hides the actual information $\delta$ such that it is hard to compute secret $\delta'$ and random value $\gamma'$ that satisfies $\mathrm{Commit}(\delta', \gamma') = \mathrm{Commit}(\delta, \gamma)$. In particular, it is hard to invert function Commit to find $\delta$ or $\gamma$.
2) Given the commitment $y$, secret $\delta$ and random value $\gamma$, $\mathrm{Open}(y, \delta, \gamma)$ returns true if and only if $y = \mathrm{Commit}(\delta, \gamma)$.

Commitment schemes are used in zero-knowledge proofs. Specifically, we propose to extend the Pedersen commitment [8]. Given group $\mathbb{Z}_p$ of prime order $p$, elements $g$ and $h$, and random value $\gamma$, the commitment for secret $\delta$ is computed as follows:

$$y = \mathrm{Commit}(\delta, \gamma) = g^{\delta} h^{\gamma}. \tag{1}$$

B. ZERO-KNOWLEDGE PROOF

Zero-knowledge proof was proposed in 1989 by Goldwasser, Micali, and Rackoff [9]. In the context of cryptography, a ZKP protocol is a method by which one party, termed prover, can prove, through a cryptographic commitment scheme, to another party, termed verifier, that they know a secret $\delta$, without conveying any information apart from the fact they know the secret $\delta$ [10]. A zero-knowledge set membership (ZKSM) proof enables a prover to prove that a secret $\delta$ lies in a given set $[u, v]$. We describe ZKSM based on the notation by Camenisch et al. [11]:

$$PK\{(\delta, \gamma) : y = g^{\delta} h^{\gamma} \wedge (u \le \delta \le v)\}, \tag{2}$$

where $y = g^{\delta} h^{\gamma}$ is a commitment of the secret $\delta \in [u, v]$ using the random value $\gamma$. In other words, the above proof will convince the verifier that the secret in the commitment $y$ lies in the set $[u, v]$.

In this paper, we focus on a particular kind of ZKP, called zero-knowledge range proof (ZKRP), which is closely related to ZKSM protocols. The first schemes of ZKRP protocols were proposed in 1995 by Damgård [12] and in 1997 by Fujisaki et al. [13]. However, these schemes were not efficient enough to be used in practice. The first practical ZKRP scheme was proposed by Boudot in 2000 [14] and followed by the work accomplished by Schoenmakers in his presentations [15] and [16]. The main difference is that ZKRP works with numeric intervals instead of generic sets used in ZKSM, which makes ZKRP a special case of ZKSM. ZKRP allows the blockchain network to validate that a secret number is within a known range without disclosing the secret number. For example, in the context of payment systems, it is possible to validate that a payment-amount is positive without disclosing the amount, which is done by Monero [17]. Moreover, ING Bank described how to implement ZKRP protocol in Ethereum [18]. Therefore, ZKRP can be applied to many kinds of decentralized applications that have numeric intervals along with other requirements, such as e-voting systems [19], [20] and e-auction systems [21], [22].

III. ARCHITECTURE OF THE GATEWAY

In this section, we describe the proposed gateway architecture in two subsections. In Subsection A, we describe the detailed steps for gateway design with the proposed ZKRP protocol. In Subsection B, we explain the workflow of gateway. By referring to Fig. 2, we first describe the following components which take part in the proposed architecture:

• I-SIG: Intelligent Traffic Signal System. It takes arrival vehicle information as input and generates optimal signal plans at intersections. I-SIG system has been deployed in New York City, City of Tampa, and State of Wyoming since 2016 [23].
• Gateway: The gateways act as verifiers for validating traversing vehicles and consist of RSUs at state boundaries.
• Traversing Vehicle: The traversing vehicle is the commuter who wants to switch the vehicular network without revealing sensitive information to gateways (verifiers).
• Blockchain: Blockchain (in our prototype, Hyperledger Fabric) is utilized as a distributed ledger for the architecture, which manages vehicular data and serves as a tamper-proof log for intelligent traffic management systems.

FIGURE 2. Components of gateway and its operation scenario.
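
The statement of Eq. (2) made concrete for the prover (vehicle) and verifier (gateway) roles above, as an added example that is not code from the paper or from Hyperledger Ursa: the vehicle commits to its ZIP code with Eq. (1) and proves $a \le \delta < b$ through the two shifted windows that Section III-A gives as Eqs. (5) and (6), with $u = 2$ and $l = 16$. Assumptions: the toy modulus `Q`, the second base `H`, all function names, and the per-bit disjunctive (OR) Schnorr proof, which is a standard construction swapped in here and not the paper's Scheme Version 4.

```python
import hashlib
import secrets

# Toy parameters (assumptions of this example, not values from the paper):
# arithmetic modulo the prime Q, exponents reduced modulo Q - 1 as in step 4.
Q = 2**255 - 19
N = Q - 1
G = 2
# Second base h, derived from a constructed label so its discrete log is unknown.
H = int.from_bytes(hashlib.sha256(b"constructed label for h").digest(), "big") % Q
G_INV = pow(G, N - 1, Q)


def commit(value, blind):
    """Pedersen commitment y = g^value * h^blind, Eq. (1)."""
    return pow(G, value % N, Q) * pow(H, blind % N, Q) % Q


def fs_challenge(*public):
    """Fiat-Shamir: hash the public transcript into the challenge c."""
    data = "|".join(str(x) for x in (G, H) + public).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def prove_bit(bit, blind, c_j):
    """OR-proof that c_j commits to 0 or to 1, without showing which."""
    targets = (c_j, c_j * G_INV % Q)          # equals h^blind on the true branch
    ch, resp, t = [0, 0], [0, 0], [0, 0]
    fake = 1 - bit
    ch[fake], resp[fake] = secrets.randbelow(N), secrets.randbelow(N)
    t[fake] = pow(H, resp[fake], Q) * pow(targets[fake], ch[fake], Q) % Q
    v = secrets.randbelow(N)
    t[bit] = pow(H, v, Q)                                     # step 2: t = h^v
    ch[bit] = (fs_challenge(c_j, t[0], t[1]) - ch[fake]) % N  # step 3
    resp[bit] = (v - ch[bit] * blind) % N                     # step 4: r = v - c*secret
    return ch[0], ch[1], resp[0], resp[1]


def verify_bit(c_j, proof):
    c0, c1, r0, r1 = proof
    t0 = pow(H, r0, Q) * pow(c_j, c0, Q) % Q                  # step 5: h^r * y^c
    t1 = pow(H, r1, Q) * pow(c_j * G_INV % Q, c1, Q) % Q
    return (c0 + c1) % N == fs_challenge(c_j, t0, t1)


def prove_window(x, blind, bits):
    """Prove x in [0, 2^bits) for the commitment commit(x, blind)."""
    if not 0 <= x < 2**bits:
        raise ValueError("value outside [0, 2^bits)")
    blinds = [0] + [secrets.randbelow(N) for _ in range(1, bits)]
    # Fix blinds[0] so that sum(blinds[j] * 2^j) == blind (mod N).
    blinds[0] = (blind - sum(r << j for j, r in enumerate(blinds))) % N
    proof = []
    for j in range(bits):
        bit = (x >> j) & 1
        c_j = commit(bit, blinds[j])
        proof.append((c_j, prove_bit(bit, blinds[j], c_j)))
    return proof


def verify_window(y, proof, bits):
    if len(proof) != bits:
        return False
    product = 1
    for j, (c_j, bit_proof) in enumerate(proof):
        if not verify_bit(c_j, bit_proof):
            return False
        product = product * pow(c_j, 1 << j, Q) % Q           # Eq. (3) in the exponent
    return product == y


def prove_range(delta, gamma, a, b, bits):
    """Prove a <= delta < b through the two windows of Eqs. (5) and (6)."""
    return (prove_window(delta - a, gamma, bits),
            prove_window(delta - b + 2**bits, gamma, bits))


def verify_range(y, proof, a, b, bits):
    low, high = proof
    y_low = y * pow(G, -a % N, Q) % Q                  # commits to delta - a
    y_high = y * pow(G, (2**bits - b) % N, Q) % Q      # commits to delta - b + 2^l
    return verify_window(y_low, low, bits) and verify_window(y_high, high, bits)


# Montana ZIP range from Section IV-D; u = 2 and l = 16 since 2^15 < 59937 < 2^16.
ZIP_LOW, ZIP_HIGH, BITS = 59001, 59937, 16


def gateway_accepts(zip_code, upper_exclusive):
    """Vehicle commits and proves; the gateway sees only y and the proof."""
    gamma = secrets.randbelow(N)
    y = commit(zip_code, gamma)
    try:
        proof = prove_range(zip_code, gamma, ZIP_LOW, upper_exclusive, BITS)
    except ValueError:
        return False           # an honest prover cannot build the proof
    return verify_range(y, proof, ZIP_LOW, upper_exclusive, BITS)
```

Because the window of Eq. (6) is half-open, `gateway_accepts(59937, ZIP_HIGH)` is rejected; passing `ZIP_HIGH + 1` as the exclusive bound admits the last ZIP code of the range.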

Our architecture brings a novel design approach to facilitate inter-network operations while preserving data privacy. We use the scenario depicted in Fig. 2 to illustrate an instance when a vehicle traverses across the boundary of two states over a physical vehicular network and switches between two blockchain networks. The ZKRP protocol will preserve the privacy and integrity of CVs traversing across states or localities. Within the communication range of a gateway, a traversing connected vehicle acts as a prover to prove its vehicular information to the gateway, a verifier, with a ZKRP-based encrypted message. Therefore, it can pass the boundary and switch to a different blockchain network without revealing any sensitive information.

For intra-network, we design and develop blockchain-based vehicular networks on Hyperledger Fabric platform. Each blockchain network maintains a regional (e.g., statewide) distributed ledger for recording and sharing vehicular data as input for traffic management systems. After registration, connected vehicles can broadcast their vehicular data to blockchain network by submitting transaction requests. Transactions will be validated by Hyperledger Fabric peers and recorded permanently on the ledger.

A. GATEWAY DESIGN WITH ZKRP SCHEME

As shown in Fig. 3, we introduce gateways that are deployed on the boundaries between blockchain-based vehicular networks for seamlessly switching from one blockchain network into another. To preserve the privacy of the traveling vehicle, we describe how to construct the ZKRP protocol step by step for the gateway module. The traversing vehicle acts as a prover to prove its vehicular information (e.g., location) to a gateway, acting as a verifier, in a ZKRP-based encrypted message. As a result, the vehicle passes the boundary and switches the blockchain network without revealing any sensitive information to the other parties.

FIGURE 3. Function of gateway mechanism.

1) INTERACTIVE ZERO-KNOWLEDGE PROOF

Most available ZKP protocols described in the literature are interactive. In general, the prover must answer the challenge message sent by the verifier in order to convince him/her that the proof is valid. Scheme Version 1 describes an interactive ZKP in the context of gateway.

Scheme Version 1: Interactive ZKP
1) The traversing CV wants to prove to the gateway that it comes from the location $\delta$: compute the commitment based on the discrete logarithm [24] of $y = g^{\delta}$ to the base $g$.
2) The traversing CV picks a random $v \in \mathbb{Z}_p$, computes $t = g^{v}$ and sends $t$ to the gateway.
3) The gateway picks a random $c \in \mathbb{Z}_p$, and sends it back as a challenge message to the traversing CV.
4) The traversing CV computes $r = v - c\delta$ and returns $r$ to the gateway.
5) The gateway checks whether $g^{r} y^{c} \equiv t$. This holds because $g^{r} y^{c} = g^{v - c\delta} g^{\delta c} = g^{v} = t$.

2) NON-INTERACTIVE ZERO-KNOWLEDGE PROOF

Interactive ZKP is not suitable for the gateway since it would increase the communication overhead for verification and cannot meet the gateway’s real-time operation requirements. The Fiat-Shamir heuristic [25] is a generic technique that converts interactive ZKP schemes into non-interactive protocols. It allows replacing the interactive step 3) in Scheme Version 1 with a non-interactive random oracle function. In practice, we can use a cryptographic hash function [26] instead. The non-interactive ZKP is shown in Scheme Version 2 [27].

Scheme Version 2: Non-Interactive ZKP
1) The traversing CV wants to prove that it comes from the location $\delta$: compute the commitment based on the discrete logarithm of $y = g^{\delta}$ to the base $g$.
2) The traversing CV picks a random $v \in \mathbb{Z}_p$, computes $t = g^{v}$.
3) The traversing CV computes $c = H(g, y, t)$, where $H$ is a cryptographic hash function [26].
4) The traversing CV computes $r = v - c\delta$. The resulting proof is the pair $(t, r)$. As $r$ is an exponent of $g$, it is calculated modulo $q - 1$.
5) The gateway checks whether $g^{r} y^{c} \equiv t$.

3) NON-INTERACTIVE ZERO-KNOWLEDGE RANGE PROOF

The secret $\delta$ can be decomposed into $\delta_j u^j$ ($0 \le j \le l$) to obtain ZKRP [28] as follows:

$$\delta = \sum_{j=0}^{l} \delta_j u^j. \tag{3}$$

Therefore, if each $\delta_j$ belongs to the interval $[0, u)$, we have $\delta \in [0, u^l)$. Scheme Version 2 can be transformed into Scheme Version 3.

Scheme Version 3 works for the range $[0, u^l)$. In order to obtain ZKRP on an arbitrary range $[a, b]$, we propose to apply
an improvement of a folklore reduction described by Schoenmakers in [15] and [16].

Scheme Version 3: Non-Interactive ZKRP for Interval $[0, u^l)$
1) The traversing CV wants to prove that it comes from the location $\delta$: compute the commitment based on the discrete logarithm of $y = g^{\delta}$ to the base $g$ and $\delta \in [0, u^l)$.
2) The traversing CV picks a random $v_j \in \mathbb{Z}_p$ for every $j \in \mathbb{Z}_l$, and computes $t_j = g^{v_j}$.
3) The traversing CV computes $c = H(g, y, t)$, where $H$ is a cryptographic hash function [26].
4) The traversing CV computes $r_j = v_j - c\delta$ for every $j \in \mathbb{Z}_l$. The resulting proof is the pair $(t_j, r_j)$. As $r_j$ is an exponent of $g$, it is calculated modulo $q - 1$.
5) The gateway checks whether $g^{r_j} y^{c} \equiv t_j$ for every $j \in \mathbb{Z}_l$.

Instead of trying to prove range proof through a square decomposition, the folklore reduction is a more efficient method based on bit decomposition [29]. In the context of our range proof construction, suppose that $u^{l-1} < b < u^l$. To prove $\delta \in [a, b]$, it suffices to show that:

$$\delta \in [a, a + u^l] \text{ and } \delta \in [b - u^l, b]. \tag{4}$$

As illustrated in Fig. 4, proving that secret $\delta$ lies in the above subsets can be derived from the previous proof that $\delta \in [0, u^l)$, respectively:

$$\delta \in [a, a + u^l) \iff \delta - a \in [0, u^l), \tag{5}$$

$$\delta \in [b - u^l, b) \iff \delta - b + u^l \in [0, u^l). \tag{6}$$

FIGURE 4. Two overlapping ranges illustrating secret $\delta$ lies in the range $[a, b]$.

As a result, the range proof can be extended for an arbitrary range $[a, b]$. The final non-interactive range proof construction process is shown in Scheme Version 4.

Scheme Version 4: Non-Interactive ZKRP for Interval $[a, b]$
1) The traversing CV wants to prove that it comes from the location $\delta$: compute the commitment based on the discrete logarithm of $y = g^{\delta}$ to the base $g$ and $\delta \in [a, b]$, namely $\delta \in [a, a + u^l] \cap \delta \in [b - u^l, b]$.
2) The traversing CV picks a random $v_j \in \mathbb{Z}_p$ for every $j \in \mathbb{Z}_l$, and computes $t_j = g^{v_j}$.
3) The traversing CV computes $c = H(g, y, t)$, where $H$ is a cryptographic hash function [26].
4) The traversing CV computes $r_j = v_j - c\delta$ for every $j \in \mathbb{Z}_l$. The resulting proof is the pair $(t_j, r_j)$. As $r_j$ is an exponent of $g$, it is calculated modulo $q - 1$.
5) The gateway checks whether $g^{r_j} y^{c} \equiv t_j$ for every $j \in \mathbb{Z}_l$.

B. WORKFLOW OF THE GATEWAY

The workflow of the proposed gateway that resides between two adjacent blockchain-based traffic management systems is depicted in Fig. 5. In the beginning, a CV riding over the area covered by blockchain network #1 provides vehicular data to the corresponding traffic management systems (e.g., I-SIG). When the CV (a prover) wants to cross the boundary into another vehicular network, it first encrypts its vehicular information using the proposed ZKRP protocol and then broadcasts a proof request to a crossing gateway (a verifier). Then, the gateway validates the ZKRP encrypted information. If the ZKRP encrypted information can be verified, the gateway confirms the request with the traversing CV and switches the vehicle into blockchain network #2. After switching the network, the CV starts sharing vehicular data directly with blockchain network #2.

IV. EXPERIMENTS AND EVALUATION

A. EXPERIMENTAL SETUP

We conduct extensive experiments to evaluate the performance of the prototyped blockchain-based traffic management systems and the ZKRP gateway. The prototype is implemented in three interworking modules: i) Blockchain Network; ii) Reverse Geocoding; iii) Gateway Validation. The Blockchain Networks are developed on Hyperledger Fabric v1.2. The Reverse Geocoding is developed on JSFiddle [30] with the Google Maps Geocoding API [31]. The Gateway Validation is developed by using the Hyperledger Ursa cryptographic library. To measure the performance of blockchain-based system, we run benchmark tests using Hyperledger Caliper [32]. The prototype and experiments are deployed and conducted on multiple Fabric peers in Docker containers locally on Ubuntu 18.04 operating system with 2.8 GHz Intel i5-8400 processor and 8GB DDR4 memory.

B. MODULE 1: BLOCKCHAIN NETWORK

1) DEVELOPMENT

Hyperledger Composer [33] is a framework and toolset to build and run applications on top of Hyperledger Fabric, which provides four programmable portions: model file (.cto), script file (.js), access control list (.acl) and query file (.qry). The model file defines all the objects in the network while smart contracts are written in the script file. Hyperledger Fabric provides access control list to facilitate access policies for different participants. As for query file, it works similar to conventional database query operations. These files are finally packaged into one business network archive (.bna) file and deployed into Hyperledger Fabric blockchain network.

As shown in Fig. 6, we develop the blockchain-based traffic management system on Hyperledger Fabric using Composer, which maintains regional ledgers for recording and sharing vehicular data containing vehicle identity number, location, trajectory and timestamp. Data structures of participants and vehicular data are defined in the model file.
Smart contracts including functionalities of information recording and retrieval are coded in the script file.

FIGURE 5. Workflow of gateway between two blockchain-based vehicular networks.

FIGURE 6. Vehicular data in blockchain network.

By utilizing access control policy, we enable clients to own their generated vehicular data and enforce the system to determine which participants are allowed to read, write, and update data. We define the access control policy for our system with the following components:

• Participant: It indicates the participants involved in the access control procedure.
• Operation: It defines the actions governed by the access control policy. Three actions are supported in our system: READ, WRITE, and UPDATE.
• Resource: It indicates the vehicular data which the access control policy applies to.
• Condition: It defines the conditional statements over multiple variables. Our system can support combinations of multiple conditional statements to serve complex access control design.
• Action: It indicates the final decision after executing the access control policy. It can be either ALLOW or DENY.

For instance, the policy below states it allows a client to only READ his/her own vehicular data from the ledger:

    rule Client_Can_Read_Vehicular_Data {
        description: "Client can only read his/her own vehicular data."
        participant(p): "org.bvn.prototype.Client"
        operation: READ
        resource(r): "org.bvn.prototype.CV_Data"
        condition: (r.owner.getIdentifier() === p.getIdentifier())
        action: ALLOW
    }

Queries defined in the query file (.qry) contain a WHERE clause to define the criteria by which vehicular data or participants are selected. In our design, the query language can return specific results from the ledger if the given condition is satisfied. For instance, the query below can filter out speeding connected vehicles that are faster than 70 mph:

    query Select_Speeding_Vehicles {
        description: "Select speeding vehicles that are faster than 70 mph."
        statement:
            SELECT org.bvn.prototype.CV_Data
                WHERE (Trajectory.speed > 70)
    }
Hyperledger Composer also provides a web interface for interacting with the blockchain network. Each participant has an ID registry for connecting to the blockchain network as shown in Fig. 7. A traffic management authority (e.g., US Department of Transportation) acts as the administrator to issue access permissions for the other participants including connected vehicles, RSUs, and traffic management systems (e.g., I-SIG).

FIGURE 7. Blockchain network login window.

2) PERFORMANCE OF BLOCKCHAIN NETWORK

To evaluate the performance of the blockchain-based traffic management system, we conduct benchmark tests using Hyperledger Caliper benchmark tool with different endorsement policies. These endorsement policies define the set of peers that need to agree on the results of a transaction before it can be committed to the ledger. The latency measures the time of a transaction from submission by the client until it is processed and written into the ledger. Maximum, minimum and average latency for the test cycles are shown in Fig. 8. With the increasing number of peers, the transaction latency increases. The throughput measures the flow rate of processed transactions through the blockchain network, in the unit of transactions per second, during the test cycle. As shown in Fig. 9, the transaction throughput decreases with the increasing number of peers. The choice of endorsement policy can impact transaction latency and throughput because more endorsing peers increase the complexity of the endorsing process.

The success rate measures how many transactions out of the submitted transactions have been successfully processed and written into the blockchain during a test cycle. A failed transaction could be due to the time-outs, wrong network configuration or bugs in smart contracts. For all the test cycles with different endorsement policies, our blockchain network can always achieve 100% success rates.

FIGURE 8. Transaction latency vs. Hyperledger Fabric endorsement policies.

FIGURE 9. Transaction throughput vs. Hyperledger Fabric endorsement policies.

C. MODULE 2: REVERSE GEOCODING

The Blockchain Network module records geographic information in GPS coordinates to serve traffic management systems (e.g., I-SIG). Specifically, the Gateway Validation module is designed to take the ZIP Code as the secret for ZKRP. For this reason, we add the Reverse Geocoding module, which serves as a critical step to convert geographic information from GPS coordinates (latitude and longitude) into integer values of the ZIP Code for the Gateway Validation module.

Reverse geocoding services are available through APIs and other web services as well as mobile phone applications [34]. In our study, we use Google Maps Geocoding APIs to enable the Reverse Geocoding function on JSFiddle, which is an online integrated development environment (IDE) for developing and testing user-created HTML, CSS and JavaScript codes. For instance, if a traversing vehicle’s current GPS coordinate is (45.091466, -107.349952), the Reverse Geocoding module converts the geographic information into ZIP Code 59089, which is used
On the prover side, we instantiate a secret value, e.g.,


59089, as the ZIP Code for the traversing vehicle’s location,
which is converted by the reverse geocoding module.
The traversing vehicle, known as the prover, generates
a ZKRP-based proof for this secret value by executing
proof_builder to invoke new_proof_builder func-
tion of the Ursa Prover library. The running time for proof
generation is, on average, 98 ms in our experimental setting.
The proof_builder works as follows:
    // Prover side (traversing vehicle)
    let mut proof_builder =
        Prover::new_proof_builder().unwrap();
    proof_builder
        .add_common_attribute("ZIPCode")
        .unwrap();
    proof_builder.add_sub_proof_request(
        &sub_proof_request,
        &credential_schema,
        &non_credential_schema,
        &cred_signature,
        &cred_values,
        &cred_pub_key,
        None,
        None,
    ).unwrap();

FIGURE 10. Running process of Gateway Validation module.

to generate a ZKRP-encrypted message for Gateway Validation in the next subsection.

D. MODULE 3: GATEWAY VALIDATION
In the design of Gateway Validation, ZKRP is a method by which one traversing vehicle proves to the gateway (verifier) that it comes from a specific blockchain network N (δ) covering location δ, without conveying any information apart from the fact that it comes from the location δ. The proposed ZKRP scheme protects the privacy of vehicular information in the process of switching blockchain networks.

We develop the Gateway Validation module using Hyperledger Ursa, which is an active incubating project for providing trusted cryptographic libraries for distributed systems. Hyperledger Ursa provides Rust APIs for constructing the ZKRP scheme. As shown in Fig. 10, the Gateway Validation module runs in three processes of setup, prover action, and verifier action.

1) PROCESS CLARIFICATION
In the setup process, the Gateway Validation module first generates private and public key pairs for all participants, which works similarly to attribute-based credentials [35]. Then, the module executes sub_proof_request_builder to invoke the new_sub_proof_request_builder function of the Ursa Verifier library to set the interval for the range proof. In this example, we use the range [59001, 59937] to represent the ZIP Code range for the state of Montana:

    // Range request: 59001 <= ZIPCode <= 59937
    let mut sub_proof_request_builder =
        Verifier::new_sub_proof_request_builder().unwrap();
    sub_proof_request_builder
        .add_predicate("ZIPCode", "GE", 59001)
        .unwrap();
    sub_proof_request_builder
        .add_predicate("ZIPCode", "LE", 59937)
        .unwrap();
    let sub_proof_request =
        sub_proof_request_builder
            .finalize().unwrap();

On the verifier side, upon receiving the proof, the gateway runs proof_verifier to verify if the secret value lies within the range of [59001, 59937] without revealing the actual information. The proof_verifier invokes the new_proof_verifier function from the Ursa Verifier library. If the response is positive, the gateway validates and switches the network for the traversing vehicle. The running time for verification is, on average, 97 ms in our experimental setting. The proof_verifier is shown as follows:

    // Verifier side (gateway)
    let mut proof_verifier =
        Verifier::new_proof_verifier().unwrap();
    proof_verifier.add_sub_proof_request(
        &sub_proof_request,
        &credential_schema,
        &non_credential_schema,
        &cred_pub_key,
        None,
        None,
    ).unwrap();
    // Result of checking the proof against the range request
    let is_valid = proof_verifier
        .verify(&proof, &proof_request_nonce)
        .unwrap();

2) PERFORMANCE OF ZKRP SCHEME
To evaluate the performance of the ZKRP scheme, we conduct extensive experiments to analyze the effect of varying the size of secrets and the number of secrets. The size of secrets in ZKRP is measured by its set range and length. The default secret range is 936 from the interval [59001, 59937] defined in Section IV-D1. We first changed the range


of secrets from 2 to $2^{5}$, $2^{10}$, $2^{15}$ and $2^{31}$, and the results showed that both proof generating time and verifying time are constant regardless of the secret range, and the time remains around 98 ms and 97 ms, respectively. The default length of the secret instance is 5 digits (ZIP Code). We then changed the length of secrets from 1 to 3, 5, 7 and 9 digits, and the results showed that both proof generating time and verifying time are also constant regardless of the secret length, and the time remains around 98 ms and 97 ms, respectively, for each secret.

Our ZKRP scheme can offer constant proof generating and verifying time because the commitment of a secret is computed by a hash function [26] in Scheme Version 4 (Section III-A). In the experiments, we invoke new_proof_builder and new_proof_verifier functions from the Ursa library, which utilize a HashMap to compute and verify the commitment. As a result, proof generating and verifying time are independent of the size of secret values. This allows our ZKRP scheme to have more flexibility for verifying different numerical secret values (e.g., ID number, credit card number, etc.) without sacrificing security and efficiency. We then increase the number of secrets from 1 to 2, 3, 4 and 5 for each client, and measure the running time of the proof generating and verifying phases. Because each secret is processed sequentially, both proof generating and verifying running time showed a linear growth with the increasing number of secrets in Fig. 11. Given our scenario where the secrets are independent, in theory, multiple secrets can be proved in parallel to achieve constant time. However, the linear growth in running time cannot be avoided in this work because the current Hyperledger Ursa does not have parallel computing capability.

FIGURE 11. Running time of Ursa ZKRP vs. the number of secrets.

E. DISCUSSION ON POTENTIAL ATTACKS
In this subsection, we discuss the robustness of the proposed blockchain and ZKP inspired architecture for traffic management against potential attacks.

1) VEHICULAR DATA ATTACK
Conventional traffic management systems can be attacked by tampering with their centralized database [1]. Our proposed system can reject tampering with existing vehicular data due to the immutable feature of blockchain, which ensures data integrity by recording data on a distributed ledger. Once the information of an arriving vehicle is recorded on the distributed ledger, it does not allow any participant to tamper with it. If there is any attempt to tamper with the ledger, our system will immediately reject this action.

2) GATEWAY SPOOFING ATTACK
A gateway spoofing attack happens when an attacker belonging to one blockchain network N () spoofs the gateway that it belongs to another blockchain network N (δ). In this scenario, validating vehicular information and switching networks become challenging tasks if the attacker successfully injects false login status among multiple blockchain networks. For instance, the attacker may claim that it is coming from the Montana State network when it is actually coming from the Colorado State network (e.g., ZIP Code 80612). The Gateway Validation module is resistant to gateway spoofing attacks by incorporating the ZKRP protocol, which is shown in Fig. 12.

FIGURE 12. Response against gateway spoofing attack.

3) EAVESDROPPING ATTACK
Our proposed gateway mechanism can protect the system from eavesdropping attacks. In such attacks, the malicious attacker intercepts the message between the data sender and data receiver in order to recover the secret information or gain access to the sensitive information. In the worst case, if the message has been accessed by the attacker, it cannot reveal the actual information since the vehicular information is ZKRP-encrypted. As a result, no sensitive information is disclosed if the eavesdropping attack happens.

V. RELATED WORK
A. BLOCKCHAIN RESEARCH IN TRANSPORTATION
In recent years, investigating the blockchain paradigm in the general transportation field has attracted a great deal of attention [36]–[39]. Two main applications of the blockchain


technology to the transportation industry are freight tracking and supply chain management. For instance, IBM has been working with Walmart to develop an efficient blockchain-based tracking system for the food supply chain [40], which involves the transportation of merchants. In such a scenario, the blockchain technology helps to reduce tracking time for goods from weeks to seconds. Blockchain technology is also a candidate solution in forensic investigation. Hossain et al. [41] proposed FIF-IoT, which is a forensic investigation framework using a public blockchain to find facts in criminal incidents in IoT-based systems. Besides, Guo et al. [42] proposed a blockchain-inspired “proof of event” mechanism for accident event recording in CV networks. A decentralized trust management system for vehicular networks was proposed in [43]. In that work, vehicles are able to query the trust values of neighbors and then assess the credibilities of received messages using blockchain technologies.

B. SPOOFING ATTACKS IN VEHICULAR NETWORKS
Vehicular networks are vulnerable to cyberattacks. Amoozadeh et al. [44] presented the spoofing effects of security attacks on the communication channel as well as sensor tampering. Dominic et al. [45] proposed a risk assessment framework for CV applications consisting of an automated driving reference architecture and threat model. In a recent study, Chen et al. [1] showed that the I-SIG system is vulnerable at the signal control algorithm level. Due to limited computation power, the signal controller cannot handle data validation within the real-time processing requirement of 5-7 seconds. They conducted their V2I attacking strategy by spoofing arrival vehicular information, which caused congestion at intersections.

C. ZERO-KNOWLEDGE PROOF FOR BLOCKCHAIN
Zero-knowledge proof enables one party to prove the knowledge to another party without conveying any information about the knowledge. Zcash implements the zero-knowledge succinct non-interactive arguments of knowledge (ZK-SNARK) to protect the transaction privacy in cryptocurrency network [46]. Koens et al. [18] proposed an efficient zero-knowledge range proof in Ethereum without the interactive communications between participants. In addition, Bulletproofs are proposed for efficient range proofs on committed values, which are short non-interactive zero-knowledge proofs without a trusted setup process [47].

VI. CONCLUSION
In this paper, we propose a decentralized and location-aware traffic management system to protect data integrity and privacy in a scenario of multiple blockchain-based connected vehicular networks. Our system innovatively incorporates zero-knowledge range proof into a gateway mechanism to verify connected vehicles traversing between adjacent blockchain networks without revealing any sensitive information. We develop the Blockchain Network module on the Hyperledger Fabric platform, the Reverse Geocoding module on the Google Maps APIs, and the Gateway Validation module on the Hyperledger Ursa cryptographic library. For the blockchain network, we measure the benchmarks including transaction latency, throughput and success rate using the Hyperledger Caliper benchmark tool. For the ZKRP scheme, we measure the proof generating and verifying time under different settings. The results demonstrate that our proposed system is effective and feasible for decentralized traffic management.

REFERENCES
[1] Q. A. Chen, Y. Yin, Y. Feng, Z. M. Mao, and H. X. Liu, “Exposing congestion attack on emerging connected vehicle based traffic signal control,” in Proc. Netw. Distrib. Syst. Secur. Symp., 2018, pp. 1–15.
[2] J. Blum and A. Eskandarian, “The threat of intelligent collisions,” IT Prof., vol. 6, no. 1, pp. 24–29, Jan. 2004.
[3] Wikipedia Contributors. (2020). General Data Protection Regulation. [Online]. Available: https://en.wikipedia.org/wiki/General_Data_Protection_Regulation
[4] Wikipedia Contributors. (2020). California Consumer Privacy Act. [Online]. Available: https://en.wikipedia.org/wiki/California_Consumer_Privacy_Act
[5] Hyperledger Fabric. Accessed: Dec. 1, 2019. [Online]. Available: https://www.hyperledger.org/projects/fabric
[6] E. Androulaki, S. Cocco, and C. Ferris, Private and Confidential Transactions With Hyperledger Fabric. IBM Developer, Armonk, NY, USA, 2018. [Online]. Available: https://developer.ibm.com/tutorials/cl-blockchain-private-confidential-transactions-hyperledger-fabric-zero-knowledge-proof
[7] Hyperledger Ursa. Accessed: Dec. 3, 2019. [Online]. Available: https://www.hyperledger.org/projects/ursa
[8] T. P. Pedersen, “Non-interactive and information-theoretic secure verifiable secret sharing,” in Proc. Annu. Int. Cryptol. Conf. Berlin, Germany: Springer, 1991, pp. 129–140.
[9] S. Goldwasser, S. Micali, and C. Rackoff, “The knowledge complexity of interactive proof systems,” SIAM J. Comput., vol. 18, no. 1, pp. 186–208, Feb. 1989.
[10] Wikipedia Contributors. (2020). Zero-Knowledge Proof. [Online]. Available: https://en.wikipedia.org/wiki/Zero-knowledge_proof
[11] J. Camenisch and R. Chaabouni, “Efficient protocols for set membership and range proofs,” in Proc. Int. Conf. Theory Appl. Cryptol. Inf. Secur. Berlin, Germany: Springer, 2008, pp. 234–252.
[12] I. B. Damgård, “Practical and provably secure release of a secret and exchange of signatures,” J. Cryptol., vol. 8, no. 4, pp. 201–222, Sep. 1995.
[13] E. Fujisaki and T. Okamoto, “Statistical zero knowledge protocols to prove modular polynomial relations,” in Proc. Annu. Int. Cryptol. Conf. Berlin, Germany: Springer, 1997, pp. 16–30.
[14] F. Boudot, “Efficient proofs that a committed number lies in an interval,” in Proc. Int. Conf. Theory Appl. Cryptograph. Techn. Berlin, Germany: Springer, 2000, pp. 431–444.
[15] B. Schoenmakers, “Some efficient zeroknowledge proof techniques,” in Proc. Workshop Cryptograph. Protocols, 2001.
[16] B. Schoenmakers, “Interval proofs revisited,” in Proc. Int. Workshop Frontiers Electron. Elections, 2005.
[17] K. Li, R. Yang, M. H. Au, and Q. Xu, “Practical range proof for cryptocurrency Monero with provable security,” in Proc. Int. Conf. Inf. Commun. Secur. Springer, 2017, pp. 255–262.
[18] T. Koens, C. Ramaekers, and C. Van Wijk, Efficient Zero-Knowledge Range Proofs in Ethereum, ING, blockchain@ing.com, Amsterdam, The Netherlands, 2018.
[19] P. McCorry, S. F. Shahandashti, and F. Hao, “A smart contract for boardroom voting with maximum voter privacy,” in Proc. Int. Conf. Financial Cryptogr. Data Secur. Cham, Switzerland: Springer, 2017, pp. 357–375.
[20] I. Damgård, M. Jurik, and J. B. Nielsen, “A generalization of Paillier’s public-key system with applications to electronic voting,” Int. J. Inf. Secur., vol. 9, no. 6, pp. 371–385, 2010.
[21] I. Miers, C. Garman, M. Green, and A. D. Rubin, “Zerocoin: Anonymous distributed E-Cash from bitcoin,” in Proc. IEEE Symp. Secur. Privacy, May 2013, pp. 397–411.


[22] M. O. Rabin, Y. Mansour, S. Muthukrishnan, and M. Yung, “Strictly-black-box zero-knowledge and efficient validation of financial transactions,” in Proc. Int. Colloq. Automata, Lang., Program. Berlin, Germany: Springer, 2012, pp. 738–749.
[23] CV Pilot Deployment Program. Accessed: Nov. 7, 2019. [Online]. Available: https://www.its.dot.gov/pilots
[24] J. Camenisch and M. Stadler, “Proof systems for general statements about discrete logarithms,” Dept. Comput. Sci., ETH Zurich, Zurich, Switzerland, Tech. Rep. 260, 1997.
[25] A. Fiat and A. Shamir, “How to prove yourself: Practical solutions to identification and signature problems,” in Proc. Conf. Theory Appl. Cryptograph. Techn. Berlin, Germany: Springer, 1986, pp. 186–194.
[26] M. Bellare and P. Rogaway, “Random oracles are practical: A paradigm for designing efficient protocols,” in Proc. 1st ACM Conf. Comput. Commun. Secur., 1993, pp. 62–73.
[27] Wikipedia Contributors. (2020). Fiat–Shamir Heuristic. [Online]. Available: https://en.wikipedia.org/wiki/Fiat-Shamir_heuristic
[28] E. Morais, C. van Wijk, and T. Koens, “Zero knowledge set membership,” ING Bank, Amsterdam, The Netherlands, Tech. Rep., 2018.
[29] R. Chaabouni. (2007). Efficient Protocols for Set Membership and Range Proofs. Supervisors: Dr. Jan Camenisch (IBM ZRL), Prof. Abhi Shelat (IBM ZRL, Univ. Virginia), Prof. Serge Vaudenay (EPFL LASEC). Asiacrypt 2008 publication. [Online]. Available: http://infoscience.epfl.ch/record/128718 and http://infoscience.epfl.ch/record/113794
[30] JSFiddle Editor. Accessed: Feb. 6, 2020. [Online]. Available: https://jsfiddle.net
[31] Google Maps Geocoding API. Accessed: Feb. 6, 2020. [Online]. Available: https://developers.google.com/maps/documentation/geocoding/start
[32] H. Caliper. (2019). Hyperledger Caliper Architecture. Accessed: Oct. 3, 2019. [Online]. Available: https://hyperledger.github.io/caliper/docs/2_Architecture.html
[33] Hyperledger Composer. Accessed: Dec. 1, 2019. [Online]. Available: https://www.hyperledger.org/projects/composer
[34] S. Kumar, M. A. Qadeer, and A. Gupta, “Location based services using Android (LBSOID),” in Proc. IEEE Int. Conf. Internet Multimedia Services Archit. Appl. (IMSAA), Dec. 2009, pp. 1–5.
[35] M. Koning, P. Korenhof, G. Alpár, and J.-H. Hoepman, “The ABC of ABC: An analysis of attribute-based credentials in the light of data protection, privacy and identity,” Radboud Univ. Nijmegen, Nijmegen, The Netherlands, Tech. Rep., 2014.
[36] Y. Yuan and F.-Y. Wang, “Towards blockchain-based intelligent transportation systems,” in Proc. IEEE 19th Int. Conf. Intell. Transp. Syst. (ITSC), Nov. 2016, pp. 2663–2668.
[37] W. Li, M. Nejad, and R. Zhang, “A blockchain-based architecture for traffic signal control systems,” in Proc. IEEE Int. Congr. Internet Things (ICIOT), Jul. 2019, pp. 33–40.
[38] M. Baza, N. Lasla, M. M. Mahmoud, G. Srivastava, and M. Abdallah, “B-ride: Ride sharing with privacy-preservation, trust and fair payment atop public blockchain,” IEEE Trans. Netw. Sci. Eng., early access, Dec. 23, 2019, doi: 10.1109/TNSE.2019.2959230.
[39] M. Baza, M. Nabil, N. Lasla, K. Fidan, M. Mahmoud, and M. Abdallah, “Blockchain-based firmware update scheme tailored for autonomous vehicles,” in Proc. IEEE Wireless Commun. Netw. Conf. (WCNC), Apr. 2019, pp. 1–7.
[40] IBM Food Trust. Accessed: Nov. 18, 2019. [Online]. Available: https://www.ibm.com/blockchain/solutions/food-trust
[41] M. Hossain, Y. Karim, and R. Hasan, “FIF-IoT: A forensic investigation framework for IoT using a public digital ledger,” in Proc. IEEE Int. Congr. Internet Things (ICIOT), Jul. 2018, pp. 33–40.
[42] H. Guo, E. Meamari, and C.-C. Shen, “Blockchain-inspired event recording system for autonomous vehicles,” 2018, arXiv:1809.04732. [Online]. Available: http://arxiv.org/abs/1809.04732
[43] Z. Yang, K. Yang, L. Lei, K. Zheng, and V. C. M. Leung, “Blockchain-based decentralized trust management in vehicular networks,” IEEE Internet Things J., vol. 6, no. 2, pp. 1495–1505, Apr. 2019.
[44] M. Amoozadeh, A. Raghuramu, C.-N. Chuah, D. Ghosal, H. M. Zhang, J. Rowe, and K. Levitt, “Security vulnerabilities of connected vehicle streams and their impact on cooperative driving,” IEEE Commun. Mag., vol. 53, no. 6, pp. 126–132, Jun. 2015.
[45] D. Dominic, S. Chhawri, R. M. Eustice, D. Ma, and A. Weimerskirch, “Risk assessment for cooperative automated driving,” in Proc. 2nd ACM Workshop Cyber-Physical Syst. Secur. Privacy (CPS-SPC), 2016, pp. 47–58.
[46] E. B. Sasson, A. Chiesa, C. Garman, M. Green, I. Miers, E. Tromer, and M. Virza, “Zerocash: Decentralized anonymous payments from bitcoin,” in Proc. IEEE Symp. Secur. Privacy, May 2014, pp. 459–474.
[47] B. Bunz, J. Bootle, D. Boneh, A. Poelstra, P. Wuille, and G. Maxwell, “Bulletproofs: Short proofs for confidential transactions and more,” in Proc. IEEE Symp. Secur. Privacy (SP), May 2018, pp. 315–334.

WANXIN LI (Graduate Student Member, IEEE) received the B.Sc. degree in computer science from Chongqing University, Chongqing, China, in 2015, and the M.Sc. degree in computer science from the University of Delaware, USA, in 2017, where he is currently pursuing the Ph.D. degree. His research interests include the area of blockchain, intelligent transportation systems (ITS), connected and autonomous vehicles, and the Internet of Things (IoT).

HAO GUO (Member, IEEE) received the B.S. degree from Northwest University, Xi’an, China, in 2012, the M.S. degree from the Illinois Institute of Technology, Chicago, USA, in 2014, and the Ph.D. degree from the University of Delaware, Newark, USA, in 2020, all in computer science. His research interests include blockchain and distributed ledger technology, data privacy and security, cybersecurity, cryptography technology, and the Internet of Things (IoT). He is a member of ACM.

MARK NEJAD (Member, IEEE) is currently an Assistant Professor with the Department of Civil and Environmental Engineering, University of Delaware. He has published more than 30 peer-reviewed articles in venues, such as Transportation Science, the IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, and the IEEE TRANSACTIONS ON COMPUTERS. His research interests include connected and automated vehicles, network optimization, parallel and distributed computing, blockchain, and game theory. He is a member of INFORMS. He received several publication awards, including the 2016 Best Doctoral Dissertation Award of the Institute of Industrial and Systems Engineers (IISE) and the 2019 CAVS Best Paper Award from the IEEE VTS.

CHIEN-CHUNG SHEN (Member, IEEE) received the B.S. and M.S. degrees in computer science from National Chiao Tung University, Taiwan, and the Ph.D. degree in computer science from UCLA. He was a Research Scientist with Bellcore Applied Research, working on control and management of broadband networks. He is currently a Professor with the Department of Computer and Information Sciences, University of Delaware. His research interests include blockchain, Wi-Fi, SDN and NFV, ad hoc and sensor networks, dynamic spectrum management, cybersecurity, distributed computing, and simulation. He was a recipient of the NSF CAREER Award and a member of ACM.
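Added example (not part of the paper and not Hyperledger Ursa code), referring back to the Gateway Validation range request of Section IV-D and the gateway spoofing case of Section IV-E: each GE/LE predicate is a claim that a difference is non-negative, and one classical way to argue that for a hidden integer is to exhibit it as a sum of four squares. The four-square technique, all function names and the in-range sample value 59715 are assumptions of this sketch, which works on plain integers and performs no zero-knowledge cryptography.

```rust
// Added illustration; not from the paper and not Hyperledger Ursa code.
// Assumption: non-negativity is argued via a four-square witness (Lagrange).

/// Floor of the square root of a non-negative integer.
fn isqrt(n: i64) -> i64 {
    let mut r = (n as f64).sqrt() as i64;
    while r * r > n { r -= 1; }
    while (r + 1) * (r + 1) <= n { r += 1; }
    r
}

/// Returns [a, b, c, d] with a^2 + b^2 + c^2 + d^2 == delta and
/// a >= b >= c >= d >= 0, or None when delta is negative.
fn four_squares(delta: i64) -> Option<[i64; 4]> {
    if delta < 0 {
        return None; // a negative number is never a sum of squares
    }
    for a in (0..=isqrt(delta)).rev() {
        let ra = delta - a * a;
        for b in (0..=isqrt(ra).min(a)).rev() {
            let rb = ra - b * b;
            for c in (0..=isqrt(rb).min(b)).rev() {
                let rc = rb - c * c;
                let d = isqrt(rc);
                if d * d == rc && d <= c {
                    return Some([a, b, c, d]);
                }
            }
        }
    }
    None // not reached for delta >= 0 (Lagrange's four-square theorem)
}

/// Witness for lo <= v <= hi: squares for (v - lo) and for (hi - v).
#[derive(Debug, PartialEq)]
struct RangeWitness {
    ge: [i64; 4], // backs the predicate ("ZIPCode", "GE", lo)
    le: [i64; 4], // backs the predicate ("ZIPCode", "LE", hi)
}

/// Prover side: succeeds only if both differences are non-negative.
fn build_range_witness(v: i64, lo: i64, hi: i64) -> Option<RangeWitness> {
    Some(RangeWitness { ge: four_squares(v - lo)?, le: four_squares(hi - v)? })
}

fn sum_sq(s: &[i64; 4]) -> i64 {
    s.iter().map(|x| x * x).sum()
}

/// The two relations, checked here in the clear for illustration only.
fn relations_hold(v: i64, w: &RangeWitness, lo: i64, hi: i64) -> bool {
    sum_sq(&w.ge) == v - lo && sum_sq(&w.le) == hi - v
}

fn main() {
    let (lo, hi) = (59001, 59937); // Montana interval used in the paper
    // 59715: constructed in-range sample. 80612: the paper's Colorado case.
    for v in [59715, 80612] {
        match build_range_witness(v, lo, hi) {
            Some(w) => println!("{}: {:?}, ok = {}", v, w, relations_hold(v, &w, lo, hi)),
            None => println!("{}: no witness, the range proof cannot be built", v),
        }
    }
}
```

For the paper's Colorado ZIP Code 80612 the difference 59937 - 80612 is negative, so no witness exists for the LE predicate.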
