COVER FEATURE ATTRIBUTES OF QUALITY

Considerations for Decision

Makers and Developers
Toward the Adoption
of Decentralized Key
Management Systems
Technology in Emerging
Applications
Wei Yao , Nicholas Gorlewski, Fadi P. Deek , and Guiling Wang , New Jersey ­Institute of Technology

Public key infrastructure has been widely used in key

management systems (KMSs). This article undertakes a
comprehensive examination of the current decentralized KMS
(DKMS) approaches with the objective of providing organizational
decision makers and technical developers some guidance toward
the adoption of DKMS technology in their respective applications.

T
he public key infrastructure (PKI) was introduced
in the 1990s to make the management of certif-
icates and encryption keys possible.1 However,
the notion of centralization is a major aspect of
traditional PKIs. Because of this interest in decentralized
Digital Object Identifier 10.1109/MC.2023.3339390
Date of current version: 26 June 2024
management, such approaches can be seen as early as
1996, with decentralized trust management2 and its pro-
posed PolicyMaker system.
PolicyMaker aims to separate generic mechanisms
from application-specific policy, appearing to appli-
cations as a database query engine. The system binds
public keys to descriptions of actions instead of identi-
ties. One example is electronic voting systems requiring

CO M PUTE R 0018-9 162 / 24©2024I EEE PUBLISHED BY THE IEEE COMPUTER SOCIET Y J U LY 2 0 2 4  27
ATTRIBUTES OF QUALITY

users to assert that they are registered DKMS approaches and, to the best of Decentralized identity
voters while not allowing the system our knowledge, is the first survey spe- authentication and KM
to learn requestors’ identities.2 cifically focused on DKMS. Our aim SM9 is identity-based cryptography
In the following years, other key is to provide organizational decision that can avoid the PKI system and
decentralized systems emerged: Hydra makers and technical developers with allows solutions for lightweight appli-
cations, such as the IoT.3 A deficiency
of SM9, however, is that it needs a
trusted third party called a key gen-
erator center to generate and manage
THIS ARTICLE UNDERTAKES A keys. A decentralized solution using
COMPREHENSIVE EXAMINATION OF THE blockchain that includes an identity
CURRENT DKMS APPROACHES AND, TO generator center (IGC) solely to gener-
THE BEST OF OUR KNOWLEDGE, IS THE ate an identifier and key for first-time
registration is suggested.3 This identi-
FIRST SURVEY SPECIFICALLY FOCUSED fier can be used as a public key, while
ON DKMS. a private key or parameters would be
updated if necessary. The update of a
private key or SM9 parameters would
be done through transactions stored
in 2002, focusing on symmetric cryp- some guidance toward adopting DKMS on a blockchain. The update is essen-
tographic key distribution in large technology in their respective applica- tial because of the immutable nature
groups, and TrustMe in 2003, empha- tions. The main contributions are of blockchain that offers a meaning-
sizing anonymous trust management ful way to audit past behaviors, and
in peer-to-peer environments. The 1. an overview of critical rep- the approach starts with a parameter
mid-2000s saw further developments, resentative DKMS, from the initialization phase. In the parame-
such as the exploration of group keys general DKMS to DKMS for ter initialization phase, base points
in ad hoc networks and the introduc- the Internet of Things (IoT), P 1 ∈ 1 and P 2 ∈ 2 are established.
tion of new cryptographic techniques ending with the DKMS used in Afterward, the IGC generates a ran-
to enhance security. vehicular networks dom number that is used as the private
Despite these advancements, tra- 2. a detailed comparison of listed key SkI and computes PkI = [SkI]P 1 to
ditional PKI systems continue to face DKMS on various key aspects. use as the public key. The IGC would
challenges in scalability, flexibility, then keep the private key secret and
and vulnerability to centralized points The rest of the article is structured publish the public key. To make use of
of failure. This has led to a growing as follows: The “Representative DKMS” the SM9 signature algorithm, the IGC
need for more robust and decentral- section introduces several surveyed needs to generate another private key
ized approaches. Decentralized key DKMS schemes and implementa- according to its identifier IDI.3 The IGC
management systems (DKMS) have tions. The “Comparison of Surveyed computes t 1, the sum of the private key,
emerged as a potential solution to these DKMS” section evaluates, analyzes, and and the hash of the identifier, where N
challenges, offering enhanced security compares all DKMS covered in this arti- is the size of the finite field. Then, it
and distributed control mechanisms. cle. The “Future Studying” provides computes t2 through Tu et al.3
By exploring the evolution and capa- a summary of our research objectives
bilities of DKMS, this article aims to and proposes existing challenges and t 1 = H(ID i, N) + SkI(1)
highlight how these systems address future work. t2 = SkI ⋅ t 1 mod N.(2)
the limitations of traditional PKI and
provide a more resilient framework. REPRESENTATIVE DKMS When multiplied by a base point
This article undertakes a compre- This section discusses prominent pro- P 2, a signature skI is generated and
hensive examination of the current posed solutions to creating DKMS. stored on the blockchain through a

28 COMPUTER  W W W.CO M P U T E R .O R G /CO M P U T E R

transaction. The public key ID is given
along with the parameters (P 1, P 2, PkI)
and a validity period of T.
The next phase involves generat-
ing an identifier for a new user Ui. This
user applies to the IGC, and the IGC
generates a unique identifier ID i that
is used as a public key. Similar to the
way in which the IGC generated its sig-
nature, it generates the user’s private
key Ski by computing t 1 and t2.
Then, the IGC computes Ski = [t2]P2 to
get the private key. This is done offline
to send keys safely while the process is
recorded on the blockchain.3
If a key needs to be updated, the
user can act independently to accom-
plish this by selecting a random num-
ber k ∈ [1, N − 1] as a private key and
compute Pki = [k]P 1 as the public key.
Similar to the previous phases, t 1 and t2
would be calculated to get the new Ski
with the exception that the SkI in the
previous equations would be replaced
by the random number k. This process
would be recorded in the blockchain as
a transaction.3
Because cryptographic keys have
the possibility of being leaked, there
needs to be an efficient way to give
users new keys. In this approach, the
IGC is used to generate a new key for
the user, if needed securely, and the
identifier ID i of the user would remain
the same, and t 1 and t2 would be cal-
culated in the same manner as a new
user registration to get a new pri-
vate key Ski. The public information
would be shared on the blockchain as
a transaction.4
The NuCypher KMS
NuCypher KMS is a DKMS, encryption,
and access control service that enables
private data sharing between arbi-
trary numbers of participants in pub-
lic consensus networks and uses proxy
reencryption to delegate decryption
rights. 5 Unlike traditional KMSs,
NuCypher does not require a central-
ized party, and a network token is used
to incentivize users to participate in
network activities. In addition, NuCy-
pher is interoperable with different
decentralized storage systems such as
InterPlanetary File System (IPFS) and
Swarm.5
Public-key encryption (PKE) is a
type of encryption between two par-
ties and does not require a common
secret. Each user has a public/private
key pair (pkr/skr), and hybrid crypto-
systems can be created to combine
this convenience with the efficiency
of a symmetric encryption algo-
rithm. An example is the use of the
Elliptic-Curve Integrated Encryption
Scheme (ECIES),5 which relies on a
key-derivation function for deriving a
Message Authentication Code key and
then deriving a symmetric encryp-
tion key from the Elliptic-Curve Dif-
fie-Hellman (ECDH) shared secret.5
With this, a reencryption algorithm
creates a key by randomly generating
an ephemeral key pair ske/pke instead
of having to use two private keys to
generate a reencrypted key. With the
use of a reencryption node rk A→ e, this
would look like Egorov et al.5
ske = random()(3)
rk A→ e = rekey(sk A, ske)(4)
sk′e = encrypt pke(pkB, ske)(5)
rk A→ B = (rk A→ e, sk′e).(6)
Because sk′e would be needed to
decrypt the reencrypted ciphertext
cA, sk′e is attached to the reencryption
result (Egorov et al.5)
ce = reencrypt(rk A→ e, cA)(7)
cB = (ce, sk′e).(8)
Then, decryption can be done by
the receiver (Egorov et al.5)
ske = decrypt PKE(skB, sk′e)(9)
m = decrypt PKE(ske, ce).(10)
There are multiple reencryption
nodes to perform this reencryption
and apply access management poli-
cies.5 This allows for a system that does
not need an always-online entity, and
the benefit of using proxy reencryp-
tion in this scenario is that a proxy
can transform ciphertexts from one
public key to another without chang-
ing the underlying message.5 This
allows for noncentralized key rotation
and not having to expose unencrypted
keys server side.
With proxy reencryption, min-
ers in the network can perform key
rotation and are incentivized to do so
with tokens. The steps are as follows.
Within a specified time interval, min-
ers can stake several tokens by using a
smart contract (SC). Miners reencrypt
the data, and a challenge protocol is
performed to ensure that the reen-
crypted data are not wrong or random.
This challenge is created by using
multiple “fake” encryption keys and
requiring that the miners supply the
hash before and after reencryption. If
the miner is challenged and exposes
a “fake” reencryption, the challenger
receives the miner’s stake.
Blockchain-based KM
in unmanned aerial
vehicle networks
The immutable and decentralized
nature of blockchain technology
makes it a promising solution for the
challenges of KM. Blockchain tech-
nology has been applied to develop a
DKMS for unmanned aerial vehicles
(UAVs).6 This is done because flying
J U LY 2 0 2 4  29
ATTRIBUTES OF QUALITY
ad hoc networks (FANETs) usually
require base stations (BSs) or complex
infrastructure that can become attack
targets or increase the communication
overheads of the UAVs.6 Decentraliz-
ing the KM process allows better per-
formance against attacks and light-
weight energy consumption for UAVs
in the network.
The decentralized architecture used
in this FANET includes clusters of UAVs
that have a “cluster head” UAV and BSs
THE IMMUTABLE AND DECENTRALIZED
NATURE OF BLOCKCHAIN TECHNOLOGY
MAKES IT A PROMISING SOLUTION FOR
THE CHALLENGES OF KM.
where UAVs are initialized. This head
UAV has more computational resources
than the other UAVs in the cluster and
higher transmission power. Mem-
ber UAVs can communicate only with
other members in the same cluster,
while the head can maintain commu-
nications between different clusters.6
This means that the nonhead UAVs are
required to keep only the latest state
of the blockchain, containing the lat-
est member list and the cluster head
list (CHL).
Because these devices have lim-
ited resources, a different consen-
sus approach is used. The consensus
involves miner election to elect a glob-
ally recognized generator of the next
block from all the blockchain main-
tainers (head UAVs) at each round.6 If
the system is at the kth block genera-
tion phase, a Block k is generated and
distributed, while head UAVs use a dis-
tributed random generation protocol
30 COMPUTER 
to create a random value rk. With this
random value, each head UAV can
compute the hash of Block k and subse-
quently (as in Tan et al.) compute6
H(Block′k) = H(rk H(Block k)).(11)
After calculating this hash, the head
UAVs calculate a miner election score
of each head UAV in the network;
heads can be denoted as UAVx0, where
the x represents the xth cluster. Scores
are calculated as in Tan et al.,6 where ⊕
denotes the XOR operation and PK x0 is
the public key of UAVx0
score x0 = H(Block′k) ⊕ H(PK x0).(12)
Once these scores are calculated, the
head UAV with the lowest score becomes
the miner for Block k+1 . If there is
some problem with the chosen miner,
the next lowest score is chosen as the
alternative.
Before UAVs are placed online and
flown to do their work, they are ini-
tialized at a BS in an offline and secure
environment.6 This involves a gen-
eration of system parameters where
a nonsingular elliptic curve (n) is
selected, where n is a large prime num-
ber and contains points that form an
additive cyclic group . P is a gener-
ator of this cyclic group with order
q. The BS randomly selects a secret
key SK B ∈ *, and the public key is
calculated by PK B = SK B ⋅ P. Once the
public key is calculated, the following
information is published: (n, q, P, PK B).
After the public key of a UAV is pub-
lished, the BS authenticates the iden-
tity of UAVs and divides all the authen-
ticated UAVs into different clusters Cx,
where x denotes the cluster number,
and a computationally powerful UAV
is selected as cluster head. The BS dis-
tributes key pairs to all members such
that the following set can be generated
(Tan et al.6):
LML x = {PK x1, PK x2, PK x3, …, PK xnx}.(13)
This set contains all the public keys
of valid member UAVs in Cx (n x denotes
the number of member UAVs in Cx).6
Each drone in Cx stores its key pair as
well as LML x, and public keys are used
as identifiers. Once all clusters are cre-
ated, the BS can generate the following
set (Tan et al.6):
CHL = {C1, PK10; C2, PK20; …; Cm, PKm0}
(14)
This set contains all the public
keys of the head UAVs in the network.
Each UAV receives and stores the CHL.
Lastly, the BS generates the genesis
block Block0 for the blockchain that
includes the initialization transaction
for each drone, a signature based on
the private key of the BS, and a time
stamp.6 This genesis block is sent to all
head UAVs.
Because confidentiality must be
kept within clusters, head UAVs dis-
tribute cluster keys to encrypt data.
Head UAVs first generate a cluster
key Gkeyx and then use a cluster key
distribution algorithm η(⋅) combined
with LML x to broadcast η(Gkeyx) and
Sign SK x0{H(η(Gkey x))} to all valid
members of the cluster Cx.6 Once a
different head UAV receives η(Gkeyx),
W W W.CO M P U T E R .O R G /CO M P U T E R
it verifies the signature of UAVx0 and
uses an inverse algorithm η−1(⋅) with
its private key Sk xy to extract Gkeyx.
Lightweight DKMS in
IoT environments
Access control is a relevant subject in
enterprise computing environments
but can also suffer from the same pit-
falls as other centralized architec-
tures. A token management protocol
for managing keys and a hierarchi-
cal architecture, named DLGKM-AC,
which includes a key distribution cen-
ter (KDC) having ownership of many
sub-KDCs (SKDCs), has been proposed.7
The number of SKDCs is not fixed, and
they help alleviate potential overhead
that a centralized architecture would
have when rekeying.
The system model in this approach
consists of three layers.
1. The publisher layer contains
groups of IoT devices, namely
device groups (DGs) with lim-
ited resources. If a new device
joins the system, it is assigned
to one of these DGs.
2. In contrast, the subscriber layer
is composed of a group of users,
called a user group (UG), that
wants access to the data from
the publisher layer. When a user
joins a UG, encryption keys are
distributed using the primary
key encryption (MKE) technique.
3. In the group key manager layer
resides the KDC central server
that relates publishers to the
rest of the system and manages
the keys’ update process within
the DGs.7 This KDC has a backup
server to maintain the latest
keys in the system, and SKDCs
manage group communications
within the UG. If needed, the
KDC can also establish one-time
communications to authenti-
cate a user or device.
The system is initialized by the
group key manager, where the KDC
runs an MkeyGen algorithm to gener-
ate a primary key and several subor-
dinate keys to communicate with the
SKDCs under its control. If a new SKDC
is added to the system, the KDC runs
the MkeyGen algorithm again to gen-
erate a subordinate key and to update
the primary key.7 After the primary
and subordinate keys are generated,
SKDCs initialize all key pairs, and
multiple IoT DGs are created to group
together devices with similar attri-
butes. The KDC creates key encryption
keys (KEKs) for each device in the DGs,
and a logical key hierarchy (LKH) tree
is created to distribute updated keys to
devices.7 For the LKH tree, devices in
a DG are leaf nodes, and random keys
DKj are created and assigned to leaves
in the tree. Each device Dj in a DG
receives path keys PK t from the root
node to the parent node of the tree.7
These path keys are used as KEKs to
encrypt the group key by the KDC in
a rekeying process and to distribute
updated keys to leaf nodes.
Multiple UGs UGK can also be con-
structed, and each UGK can accommo-
date rk users for a period T. Each user Ui
in the UG is authenticated before join-
ing the system and shares a secret key
UK i with the SKDC.7 The UG is given an
identifier ID by the SKDC, IDUGK.
For updates to groups, such as when
a member joins or leaves, keys need to
be updated. An example is when a new
user Ujoin joins a group. First, the user
registers with the relevant SKDC after
authentication. The SKDC follows the
JoKeyUpdate algorithm to update the
group key and generate a subordinate
token for the new user. After updating
the key, the SKDC uses JoKeyDistrib-
ute to distribute a rekeying message
in the group. This message is given to
the main KDC and all users subscribed
to this group. Users that are already
established in the group update TEKj
through a hash function to minimize
overhead in the system, where TEK is
a traffic encryption key. This ensures
that Ujoin cannot access the data that
the group previously exchanged. The
SKDC sends this, and the subordinate
token, to Ujoin via unicast message.7
Distributed KM in 5G
network small cells
With the advent of the 5G cellular
network, there is a call to implement
small-cell technolog y to f unction
in 5G environments. The use of net-
work coding-enabled mobile small
cells (NC-MSCs) can fill this void since
these devices can be set up on the fly
and cover an urban landscape as nec-
essary, and they also allow multihop
device-to-device (D2D) communica-
tion. DISTANT, a decentralized KM
approach that uses NC-MSCs, has
been introduced.8 The network model
for DISTANT builds off of the model
by project SECRET in de Ree et al.8
and features a distributed certificate
authority (CA) network within the
model. The entire cellular network
is divided into networks of NC-MSCs,
and each is maintained by a hotspot
that performs the duties of a cluster
head. Each hotspot is controlled by
a centralized software-defined con-
troller, and through the cooperation
of these hotspots, a wireless network
with several gateways is formed. Data
traffic between nodes is done through
multihop D2D communications where
a node with data (source nodes) trans-
mits data to nodes that request the
J U LY 2 0 2 4  31
ATTRIBUTES OF QUALITY
data (destination nodes).8 Nodes are
not required to be in the same mobile
small cell, owing to D2D communica-
tions and relay nodes. The DISTANT
protocol uses the difficulty of the dis-
crete logarithm problem to enable
secure KM and is composed of the fol-
lowing themes.8
Network initialization. A set of t
nodes is selected and given keying
material that allows the t nodes to ini-
tial join nodes during network deploy-
ment collectively. This means that an
online centralized trusted third party
(TTP), such as a network operator, is
not needed for KM services.8
To create the primary key pair
and its shares, the TTP generates two
large prime numbers p and q such that
q | p − 1. Also, the TTP selects a gener-
ator g of a cyclic multiplicative group
* with order q and a hash function h(⋅)
that is collision free. A random pri-
mary polynomial f M(x) of degree t − 1
is generated by the TTP where each
coefficient of the terms in the polyno-
mial is an element in *. The private
key is SK M, and the public key is PK M.
The TTP gives each node i an identifier
ID i and a share si of the primary private
key. These shares will need the ability to
be verified, so the TTP computes wit-
ness values wi for i = {0, …, t − 1}, and
each node is provided public values p,
q, g, h(⋅), PK M, {wi} so that a node can
verify its share.8 This process includes
the following calculations:
SK M = f M (0) (15)
PK M ≡ gSK M (mod p)(16)
si ≡ f M(ID i) (mod q)(17)
wi ≡ gai (mod p).(18)
The TTP also initializes a proto-
col with each node i, as described by
32 COMPUTER 
de Ree et al.8 This is done to establish
keying materials. First, the TTP selects
a random secret sv TTP ∈ * and com-
putes the partial commitment cTTP .
This is transmitted to node i so that it
can compute its own commitment ci.
Then, i can transmit (IDi, ci) to the TTP
so that the TTP can compute the partial
private key SKTTP that the node can use
to compute its key pair. When this pro-
cess is done for all t initial nodes, the
TTP destroys f m(x) and the associated
primary private key SK M (de Ree et al.8)
cTTP→ i ≡ gsv TTP (mod p)(19)
sv i ⋅
ci ≡ g cTTP→ i (mod p)(20)
SKTTP→ i.(21)
Self-generated certificate creation
and update. To reduce overhead on the
system, nodes can independently gen-
erate and update their own certificates
as follows.8 The initial keying material
(ci,0, SK i,0, PK i,0) is kept secret during
network deployment and used to derive
keying material (ci,k, SK i,k, PK i,k) for
the kth self-generated certificate. The
node i picks a random secret value and
computes its new commitment, simi-
lar to the commitment equation in net-
work deployment. With this new com-
mitment, the node computes its new
key pair that can be used for the kth
self-generated certificate CERTi,k, which
includes the node’s identity, initial com-
mitment, new commitment, new public
key, new time stamp, and signature.
Verifying a self-generated certificate.
This certificate must be distributed and
verified by verifiers in the network.8
First, the verifier checks the validity
based on the time stamp of the certif-
icate and then computes a hash α that
is derived from values in the certifi-
cate CERTi,k. If this hash matches the
hash computed in the Schnorr’s sig-
nature step mentioned in the previous
section, then the signature is deemed
valid. For the verifier to accept the con-
tent of the self-generated certificate,
the following equivalency must be
valid (de Ree et al.8):
PK i,k ≡ ci,k ⋅ (ci,0 ⋅ PK M )
h(IDi,ci,0) h(IDi,ci,k)
(mod p).(22)
An efficient decentralized KM
mechanism for vehicular ad
hoc networks with blockchain
Vehicular ad hoc networks (VANETs)
bring essential modernization to
transport systems through intelli-
gent transportation systems. With
such developments, practical secu-
rity frameworks are needed. A DKMS,
DB-KMM, based on blockchain has
been proposed.9 It features automatic
registration, update, and revocation of
a user’s public key while using a light-
weight authentication and key agree-
ment protocol based on the bivariate
polynomial. Vehicles are assumed to
be equipped with an on-board unit
and wireless communication capabil-
ities, including a hardware security
module for secure storage.9
In network initialization, a Vehicle
Service Provider (VSP) generates sys-
tem parameters and algorithms. The
Elliptic-Curve Digital Signature Algo-
rithm (ECDSA) is used for authentica-
tion, and the ECIES is used for encryp-
tion and decryption.9 The VSP selects
n bivariate t-degree polynomials {f1,
f2, …, fn} with a node p and where f is
defined by Ma et al.9
t
f ( p, y) = ∑ a x y . (23)
ij
i j
i, j = 0
Each polynomial coefficient aij is a
positive integer randomly selected on
W W W.CO M P U T E R .O R G /CO M P U T E R
a finite field GF(q), and each polyno-
mial generates t key values (KVs) and
calculates polynomial fragments (F)
with the KV through the following (Ma
et al.9):
t
gj = ∑ a p (0 ≤ j ≤ t). (24)
ij
i
i=0
The VSP registers each blockchain
node with the blockchain network using
the account private key and address to
generate an SC. Once on the network,
the blockchain node automatically
creates a contract address, and then,
only the VSP and blockchain nodes are
allowed to send the transaction to trig-
ger the execution of an SC, which offers
four functions: registerPK, updatePK,
updatePK, and voteUser. These func-
tions manage the public keys.9
Registration. To register with the
VSP, a user submits information such
as name, ID number, phone number,
driver’s license, license plate, etc.9 The
VSP generates a unique ID, a key pair
(PubK, PriK), and a validity period (VP).
The VSP then randomly selects m poly-
nomials where (1 ≤ m ≤ n) and distrib-
utes the KV and corresponding seg-
ment F to the registered user. The VSP
encapsulates binding data ID, PubK,
VP in JavaScript Object Notation for-
mat and encodes the data as hexadeci-
mal embedded into the data field of the
transaction.9 This is sent to the block-
chain network and the SC function reg-
isterPK is triggered. After successful
execution and mining, this transaction
is recorded on the blockchain. The VSP
provides secret material containing the
binding data and polynomial parame-
ters to the newly registered users.9
Authentication. A vehicle V can get a
roadside unit’s (RSU’s) key value KVRSU
and the public key PubKRSU through a
broadcast message from the RSU and
calculate Kv. V must also calculate a
hash code HC1, where Mreq is the request
message and Tv is the current time
stamp of V.9 It is assumed that the hash-
ing algorithm H is collision resistant
Kv ← f(KVv, KVRSU)(25)
HC1 ← H(ID v, Kv, Mreq, Tv).(26)
To verify the legitimacy of the
request, V signs {ID v, Kv, Mreq, Tv} with
PriKv to obtain S1 and then send {ID v,
KVv, Mreq, Tv, HC1, S1 } to the RSU. The
THE DKMS ARCHITECTURES
DISCUSSED IN THIS ARTICLE COVER
SEVERAL DIFFERENT TECHNIQUES,
AND ALL ARE DECENTRALIZED OR
SEMIDECENTRALIZED.
RSU then checks T RSU − Tv ≤ ΔT. If suc-
cessful, the RSU calculates a session
key K RSU and computes V’s commit-
ment value HC1′ to see if it matches HC1
(Ma et al.9)
HC1′ ← H(ID v, K RSU, Mreq, Tv).(27)
If it does not match, the process is
term inated. Ot her w ise, t he RSU
retrieves PubKv and VP from the block-
chain. After ensuring the legality of
the public key, the RSU applies PubKv
to verify the correctness of signature
S 1 , and if successful, V can join the
VANET.9 Vehicles must also authen-
ticate RSUs so that adversaries cannot
imitate RSUs. To enable authentica-
tion, the RSU signs a response mes-
sage {IDRSU, K RSU, Mres, T RSU} with
its private key PriK RSU as follows
(Ma et al.9):
S2 ← SigPriKRSU(IDRSU, KRSU, Mres, T RSU).
(28)
Upon V receiving the message (IDRSU,
Mres, S2, T RSU), V checks TRSU − Tv ≤ ΔT. If
this inequality is satisfied, V retrieves
the public key of the RSU from the
blockchain and checks the validity and
legitimacy of the public key, PubK RSU
(Ma et al.9) If verified, V asserts that the
RSU is legal, and the mutual authenti-
cation process is completed.
COMPARISON OF
SURVEYED DKMS
This section examines and compares
the different aspects of each DKMS
approach discussed in this article.
Comparison characteristics include
the architectures, use case areas, cryp-
tographic algorithms, and blockchain
implementations.
Overall architecture
The DKMS architectures discussed
in this article cover several different
techniques, and all are decentralized
or semidecentralized. The approach
of Sandoval et al.15 uses a trustless
Dolev–Yao model with untrusted buf-
fer/relay servers, contrasting with
SM9’s decentralized network of IGCs.3
Here, IGCs generate unique identifiers
J U LY 2 0 2 4  33
ATTRIBUTES OF QUALITY
and initial key pairs for users, seen as a
trustworthy element.
NuCypher’s architecture includes a
decentralized network of reencryption
nodes, allowing users to rotate or update
their keys with a minimum stake. Yu
et al.14 propose a serverless architecture
inspired by the Web-of-Trust, where
user trust is established through a net-
work of introductions, and message sets
are stored in a digest tree using Chrono-
Sync for synchronization.
Kanyamee et al.11 focus on decen-
tralized key recovery using a net-
work of agents, enhancing reliability
against key recovery center attacks.
Tan et al.6 implement a system where a
BS deploys UAVs forming clusters with
cluster heads managing keys via block-
chain. Similarly, Khasawneh et al.13
divide sensors into grids with heads for
intragrid communication, and De Ree
et al.8 use a hierarchical structure with
mobile hotspots and a central control-
ler for small-cell networks.
Within the field of the IoT, many use
cases involve devices or sensors sending
their data to a central computing sys-
tem, where they can then be interpreted
by users, as done in supervisor control
and data acquisition (SCADA) systems.
If this is extended to KM, it is imperative
to increase the availability for the user,
and Dammak et al.7 do this by using
an architecture that decentralizes a
KDC using SKDCs, splits devices into
DGs based on functionality, and splits
users into groups with similar inter-
ests. SKDCs can then be used to manage
group communications for users and
take the load off of the KDC,7 resulting
in a more flexible system where the KDC
interacts with devices and SDKCs inter-
act with users. Having the KDC as the
party to store public keys allows for a
logical key hierarchy (LKH) for efficient
storage and retrieval of keys.
34 COMPUTER 
VANETs differ from IoT networks in
that vehicular networks need to have
much higher flexibility when it comes
to the mobility of users. This is tradi-
tionally done through a decentral-
ized network of RSUs along roads, and
these RSUs form nodes in a blockchain
network and allow for indirect vehi-
cle interaction with the blockchain to
perform KM. This can also be seen in
Javaid et al.12 with the exception that
user identity is generated from physi-
cal unclonable functions (PUFs).
The architecture of Lu et al.10 uses a
law enforcement agency for managing
the network and storing pairs of public
keys with real identities in case there
are disputes. Lu et al.10 also use two sets
of Merkle trees, where a chronological
Merkle tree is used for hashing trans-
actions chronologically and including
the root of the tree in the blockchain.
The other Merkle tree used is the lexi-
cographical Merkle tree to keep track of
any keys revoked in the KMS.17
Use case areas
In the Overall Architecture section
mentioned previously, Yu et al.14 and
Sandoval et al.15 are focused on e-mail
and messaging applications. SM93 and
NuCypher5 have many different use
cases, including encrypted messaging
systems. This allows for chat function-
alities, much like in Yu et al.14
The group-centric architecture of
Zhou et al.16 allows for data-intensive
services, such as video streaming, due
to the ability of group heads to cre-
ate new session keys whenever a user
leaves or joins the group. This princi-
ple can be extended into other services
that require a subscription, such as
music streaming or GPS services. Other
group-centric architectures, such as Tan
et al.,6 Dammak et al.,7 and Khasawneh
et al.,13 can be used for IoT systems
and low-resource applications, such as
SCADA systems, while the architecture
of de Ree8 is specifically designed for
wireless mobile networks. The use of
RSUs in Ma et al.,9 Lu et al.,10 and Javaid
et al.12 makes these approaches imprac-
tical outside of a VANET setting.
When it comes to scenarios involving
an unavailable cryptographic key or legal
investigation into messaging systems,
the multiagent key recovery system in
Kanyamee and Sathitwiriyawong11 can
be used. The decentralization of the key
recovery agent in this KMS allows for
high system availability and possible
malicious attacks on key recovery sys-
tems used by law enforcement.
Cryptographic algorithms
Key agreement in Sandoval et al.15 uses
the ECDH protocol. This allows users in
the network to go through a round of
password-authenticated key exchange
and share their shared secrets as neces-
sary. Sandoval et al.15 also discuss using
the ring learning with errors problem
for quantum safety in the future as
higher quantum bit (qubit) quantum
computers are becoming more stable.
Public-key cryptography is also
employed in SM93 through the use of the
SM9 algorithm. This is different from
ECDH due to the use of identity as the
public key for a user. SM9 is an asymmet-
ric algorithm, and the implementation
involves a user applying to an IGC for an
identifier that is used as a public key for
the user. Once the identifier is calculated,
the IGC can calculate the private key and
send both keys securely to the user. Tu
et al.3 use a blockchain for key updates,
so SM9 digital signatures are used to sign
transactions on the blockchain to guar-
antee that transactions cannot be forged;
the SM9 digital signature algorithm uses
a key generation center to generate the
digital signature of a signer.
W W W.CO M P U T E R .O R G /CO M P U T E R
 The NuCypher KMS5 uses an ECIES
in its proxy reencryption approach;
proxy reencryption is a type of PKE that
allows for reencryption without alter-
ing ciphertext. When data are stored in
a cloud or decentralized storage, they
are encrypted with the owner’s pub-
lic key, and the data themselves are
encrypted with a random symmetric
key with one key per file.
The use of multilinear forms in Zhou
et al.16 uses the Computational Multi-
linear Diffie-Hellman (CMDH) problem,
which is computationally hard. These
multilinear forms reduce the rekeying
cost for group keys when there is leav-
ing or switching by users in the net-
work. Public/private keys are gener-
ated for servers in the architecture. In
the NDN Chat applications of Yu et al.,14
all data packets are authenticated with
digital signatures, and data packets are
signed with public-key cryptography.
Symmetric cryptography is used
in Kanyamee and Sathitwiriyawong11
with parties sharing a secret session
key. A decentralized network of trusted
key recovery agents helps to recover
keys in the case of loss or investigation.
The generation of system param-
eters in Tan et al.6 involves the BS
selecting a nonsingular elliptic curve
to generate a private key and a corre-
sponding public key. For drones in the
network, the public and private key
pair is also created by the BS when first
deployed into the network.
The grid architecture of Khasawneh
et al.13 has sensors in the network
establishing shared secret keys with
the grid head in their group. A common
key is established between grid heads
that lie on the same row and share a
common key between grid heads that
lie on the same column.
With the use of the KDC and SKDCs
in Dammak et al.,7 MKE is used where
the KDC generates a secondary key for
a new SKDC and update its primary
key. Upon this initialization, each
SKDC initializes the system for many
users by generating a primary key and
a set of N public-private key pairs (sec-
ondary keys) for users in the network.
Like other approaches in this arti-
cle, de Ree et al.8 rely on the discrete
logarithm problem for its security. A
primary key pair and primary polyno-
mial are generated upon network ini-
tialization, and each node in the net-
work is given a share of the primary
private key. The decentralized trusted
third party (TTP) assists a node in gen-
erating its key pair, and once the ini-
tial nodes have obtained their keying
material, the TTP destroys the primary
polynomial and primary private key.8
In VANETs, Ma et al.9 use a VSP that
chooses a bivariate function and employs
ECDSA or ECIES (elliptic-curve cryptog-
raphy) to generate key pairs for new vehi-
cles. Public keys are updated through
transactions on a blockchain and are
stored in the RSUs. Asymmetric cryptog-
raphy is also used in Lu et al.,10 with the
exception being that certificates contain-
ing public keys and signatures of authori-
ties are also used. This differs from Javaid
et al.,12 which relies on the PUFs that offer
cryptographic identifiers based on the
hardware’s inherent differences when
manufactured and can establish a root of
trust and replace secret keys.
Decentralization with blockchain
Blockchain is used as a means for inter-
action and storage in several of the
approaches discussed here. In Tu et al.,3
Egorov et al.,5 Tan et al.,6 Ma et al.,9 and
Javaid et al.,12 a single blockchain is
used, while Lu et al.10 employ two sepa-
rate blockchains to improve the scalabil-
ity of the decentralized KM scheme. Tu
et al.3 use an Identity Generation Center
(IGC), which initializes the system, gen-
erates its key pair, creates a unique iden-
tifier and key pair for a user in the sys-
tem (registration), changes identity for
a user if needed, participates in the key
update process, and allows for a user to
change their private key if the key has
been leaked. The changing of a private
key or the changing of identity requires
the signature of the IGC. This places
much responsibility on the IGC, and
because of this, IGCs are decentralized
into a network of IGCs to avoid the prob-
lems associated with a central authority.
When the IGC wants to update its own
key, the process is recorded on the block-
chain as a transaction through a consen-
sus mechanism.3
Key updates and key rotations with
the blockchain in NuCypher5 involve
the use of SCs with a minimum stake
amount for reencryption services.
Blockchain for decentralization in
IoT drone networks is explored in Tan
et al.,6 where there is a BS that deploys
all the drones and distributes public and
private keys to all members of the net-
work. Once deployed, many users form
a single group that contains a group
head. Group heads have more comput-
ing resources and communicate with a
blockchain used for KM purposes.
Using blockchain for KM is also
extended to VANETs in Ma et al.,9 Lu
et al.,10 and Javaid et al.12 with the use
of RSUs. While all of these articles use
approaches with RSUs, the responsibil-
ity of the RSUs differs across approaches.
Ma et al.9 use RSUs as nodes in the block-
chain network that participate as min-
ers, host the blockchain, interact with
the blockchain to receive public key
data, broadcast public keys, and verify
vehicles’ signatures.
Lu et al.10 require that the RSUs verify
all broadcasted messages and transac-
tions that are recorded on the blockchain.
J U LY 2 0 2 4  35
ATTRIBUTES OF QUALITY

The RSUs also must update data for
authentication that are stored in each
vehicle through vehicle-to-infrastructure
communication.
Javaid et al.12 also use the RSUs as
miners that also host the blockchain and
SCs. However, in Javaid et al.,12 the RSUs
also act as a decentralized CA network
and, therefore, must store all certifi-
cates that have been issued to vehicles.
This allows an enforcer SC to verify that
a vehicle is registered with the network.
FUTURE STUDYING
DKMS represent a significant improve-
ment in the field of KM. By leverag-
ing decentralized networks and cryp-
tography technologies, these systems
provide enhanced security and effec-
tiveness compared to traditional cen-
tralized PKI systems. This article has
presented a detailed demonstration of
select DKMS systems. The other out-
comes of our systematization effort,
as illustrated in Table 1, highlight the
varying levels of support for gover-
nance, privacy, and security across dif-
ferent DKMS platforms. Overall, our
intent for this article is to provide orga-
nizational decision makers and devel-
opers with a comprehensive under-
standing of the current landscape of
DKMS. We trust that this will aid them
in making informed decisions about
adopting existing DKMS frameworks
or leveraging essential technologies to
design their own specialized DKMS. We
also recognize that further research is
needed to address the challenges and
limitations of current DKMS and to
develop new approaches to enhancing
their performance, scalability, security,
usability, and governance.
We outline some of the key research
directions as follows:
1. Interoperability standards: Estab-
lish protocols and standards to
foster secure communication
and key exchanges among vari-
ous DKMS.
2. Performance and scalability:
Devise efficient consensus
algorithms, enhance data

TABLE 1. Comparisons of selected DKMS.

DKMS Cryptographic Consensus

schema Architecture Use case areas ­methodologies Blockchain algorithms SC

BARS10 Decentralized VANET Hardware based Customized blockchain PoW x

9
DB-KMM — VANET ECDSA/ECIES Ethereum PoW ü

LGKM-AC7 Semidecentralized The IoT and wireless networks primary key and — — —
secondary keys

FANET6 Semidecentralized The IoT and wireless networks PKI — — —

HADM-KRS11 Decentralized General purpose Session key — — —

Javaid et al.12 Decentralized VANET PKI Ethereum Dynamic PoW ü

Khasawneh Semidecentralized The IoT and wireless networks Shared secret key — — —
et al.13

NDN14 Decentralized Message service PKI — — —

NuCypher5 Decentralized General purpose ECIES Consortium/private PoS ü

blockchain

PakeMail15 Semidecentralized E-mail or message services ECDH — — —

SM93 Decentralized General purpose SM9 Not mentioned PoW ü

Zhou et al.16 — Video streaming CMDH — — —

PoW: proof of work; PoS: proof of stake.

36 COMPUTER  W W W.CO M P U T E R .O R G /CO M P U T E R

 storage techniques, and man-
age distributed systems adeptly
to improve the performance
and scalability of DKMS.
3. Security and privacy: Foster
advanced KM approaches to
mitigate the risks of key loss
or theft while heightening
authentication and authoriza-
tion mechanisms for superior
security and privacy.18
4. User experience: Create user-
friendly interfaces accessible
to a broad user base, including
those with limited technical
expertise, to encourage wide-
spread DKMS adoption.
[email protected]
.
5. Governance and regulation:
Develop governance struc-
tures to maintain system
integrity and formulate regu-
latory frameworks to ensure
legal and ethical DKMS
operations.19
6. Applications: Explore innova-
[email protected]
.
tive applications of DKMS in
fields like identity manage-
ment, data security, and supply
chain management, leveraging
the unique features of DKMS
to enhance their relevance in
various domains.20
W
e encourage researchers
and developers to continue
exploring the potential of
DKMS to build a more secure, decen-
tralized, and user-friendly future for
digital identity and KM.
ACKNOWLEDGMENT
The authors gratefully acknowledge
that this research is partially supported
by Federal Highway Administra-
tion Exploratory Advanced Research
(FHWA EAR) Grant 693JJ320C000021.
ABOUT THE AUTHORS
WEI YAO is a Ph.D. candidate in computer science at New Jersey Institute of
Technology, Newark, NJ 07102-1982 USA. His research interests include the
Internet of Things, cybersecurity, blockchain technologies, and applications in
various areas. Yao received an M.S. in electronic engineering from the Univer-
sity of Hartford and an M.S. in computer science from Central Connecticut State
University. He is a Graduate Student Member of IEEE. Contact him at wy95@
njit.edu.
NICHOLAS GORLEWSKI is a machine learning engineer at Prudential Finan-
cial, Newark, NJ 07102 USA. His research interests include blockchain technol-
ogies, software systems, and applied machine learning. Gorlewski received an
M.S. in computer science from the New Jersey Institute of Technology. Contact
him at
FADI P. DEEK is a distinguished professor at the New Jersey Institute of Tech-
nology (NJIT), Newark, NJ 07102-1982 USA. His faculty appointments are in
two departments: informatics (in the College of Computing) and mathematical
sciences (in the College of Science and Liberal Arts). He also serves as a
member of the graduate faculty at Rutgers University-Newark. Deek received
a Ph.D. in computer and information science from NJIT. Contact him at fadi.
GUILING (GRACE) WANG is a distinguished professor of computer science and
associate dean for research at the Ying Wu College of Computing, New Jersey
Institute of Technology (NJIT), Newark, NJ 07102-1982 USA, and the founding
director of the NJIT Center for AI Research. She also holds a joint appointment
at the MT School of Management. Her research interests include FinTech, deep
learning, blockchain technologies, and intelligent transportation. She received
a Ph.D. in computer science and engineering with a minor in statistics from
Pennsylvania State University. She is a Fellow of IEEE and the Asia-Pacific Arti-
ficial Intelligence Association and a Chartered Financial Analyst. Contact her at
[email protected].
REFERENCES 2. M. Blaze, J. Feigenbaum, and J. Lacy,
1. U. Maurer, “Modelling a pub- “Decentralized trust management,”
lic-key infrastructure,” in Proc. in Proc. IEEE Symp. Secur. Privacy,
Eur. Symp. Res. Comput. Secur., 1996, pp. 164–173, doi: 10.1109/
Berlin, Germany: Springer-Ver- SECPRI.1996.502679.
lag, 1996, pp. 325–350, doi: 3. Y. Tu, J. Gan, Y. Hu, R. Jin, Z. Yang,
10.1007/3-540-61770-1_45. and M. Liu, “Decentralized identity
J U LY 2 0 2 4  37
ATTRIBUTES OF QUALITY
authentication and key manage-
ment scheme,” in Proc. IEEE 3rd Conf.
Energy Internet Energy Syst. Integr.
(EI2), Changsha, China: IEEE, Nov.
2019, pp. 2697–2702, doi: 10.1109/
EI247390.2019.9062013. [Online].
Available: https://ieeexplore.ieee.org/
document/9062013/
4. W. Yao, F. P. Deek, R. Murimi, and G.
Wang, “Sok: A taxonomy for critical
analysis of consensus mechanisms in
consortium blockchain,” IEEE Access,
vol. 11, pp. 79572–79587 , Jul. 2023,
doi: 10.1109/ACCESS.2023.3298675.
5. M. Egorov, M. Wilkison, and D.
Nunez, “NuCypher KMS: Decentral-
ized key management system,” Nov.
2017, arXiv: 1707.06140.
6. Y. Tan, J. Liu, and N. Kato, “Block-
chain-based key management for het-
erogeneous flying ad hoc network,”
IEEE Trans. Ind. Informat., vol. 17, no.
11, pp. 7629–7638, Nov. 2021, doi:
10.1109/TII.2020.3048398. [Online].
Available: https://ieeexplore.ieee.
org/document/9311800/
7. M. Dammak, S.-M. Senouci, M. A.
Messous, M. H. Elhdhili, and C.
Gransart, “Decentralized light-
weight group key management
for dynamic access control in IoT
environments,” IEEE Trans. Netw.
Service Manag., vol. 17, no. 3, pp.
1742–1757, Sep. 2020, doi: 10.1109/
TNSM.2020.3002957.
8. M. de Ree, G. Mantas, J. Rodriguez,
and I. E. Otung, “Distributed trusted
authority-based key management for
beyond 5G network coding-enabled
mobile small cells,” in Proc. IEEE 2nd
5G World Forum (5GWF), Dresden, Ger-
many: IEEE, Sep. 2019, pp. 80–85, doi:
10.1109/5GWF.2019.8911711. [Online].
Available: https://ieeexplore.ieee.
org/document/8911711/
9. Z. Ma, J. Zhang, Y. Guo, Y. Liu, X. Liu,
and W. He, “An efficient decentralized
38 COMPUTER 
key management mechanism for NDN chat application,” University of
VANET with blockchain,” IEEE Trans. California, Los Angeles, USA, Tech.
Veh. Technol., vol. 69, no. 6, pp. Rep. NDN-0023, 2014.
5836–5849, Jun. 2020, doi: 10.1109/ 15. I. V. Sandoval, A. Atashpendar, G.
TVT.2020.2972923. [Online]. Avail- Lenzini, and P. Y. A. Ryan, “PakeMail:
able: Https://ieeexplore.ieee.org/ Authentication and key management
document/8990046/ in decentralized secure email and
10. Z. Lu, W. Liu, Q. Wang, G. Qu, and Z. messaging via PAKE,” Jul. 2021, arXiv:
Liu, “A privacy-preserving trust model 2107.06090.
based on blockchain for VANETs,” 16. W. Zhou, Y. Xu, and G. Wang, “Decen-
IEEE Access, vol. 6, pp. 45,655– tralized group key management for
45,664, Aug. 2018, doi: 10.1109/ hierarchical access control using
ACCESS.2018.2864189. [Online]. multilinear forms,” Concurrency Com-
Available: https://ieeexplore.ieee. put., Pract. Experience, vol. 28, no. 3,
org/document/8428638/. pp. 631–645, Mar. 2016, doi: 10.1002/
11. K. Kanyamee and C. Sathitwiri- cpe.3328. [Online]. Available:
yawong, “High-availability decen- https://onlinelibrary.wiley.com/
tralized multi-agent key recovery doi/10.1002/cpe.3328.
system,” in Proc. 8th IEEE/ACIS Int. 17. Y. Yuan and F.-Y. Wang, “Towards
Conf. Comput. Inf. Sci., Shanghai, blockchain-based intelligent trans-
China: IEEE, 2009, pp. 290–294, portation systems,” in Proc. IEEE 19th
doi: 10.1109/ICIS.2009.187. [Online]. Int. Conf. Intell. Transp. Syst. (ITSC),
Available: http://ieeexplore.ieee.org/ 2016, pp. 2663–2668, doi: 10.1109/
document/5222875/ ITSC.2016.7795984.
12. U. Javaid, M. N. Aman, and B. Sik- 18. M. de Ree, G. Mantas, J. Rodriguez,
dar, “A scalable protocol for driv- and I. E. Otung, “DECENT: Decentral-
ing trust management in internet ized and efficient key management to
of vehicles with blockchain,” IEEE secure communication in dense and
Internet Things J., vol. 7, no. 12, pp. dynamic environments,” IEEE Trans.
11,815–11,829, Dec. 2020, doi: 10.1109/ Intell. Transp. Syst., vol. 24, no. 7, pp.
JIOT.2020.3002711. [Online]. Avail- 7586–7598, Jul. 2023, doi: 10.1109/
able: https://ieeexplore.ieee.org/ TITS.2022.3160068.
document/9119117/ 19. C. Zhang, W. Li, Y. Luo, and Y. Hu,
13. S. Khasawneh, Z. Chang, R. Liu, “AIT: An AI-enabled trust manage-
M. Kadoch, and J. Lu, “A decentral- ment system for vehicular networks
ized hierarchical key management using blockchain technology,” IEEE
scheme for grid-organized wireless Internet Things J., vol. 8, no. 5, pp.
sensor networks (DHKM),” in Proc. 3157–3169, Mar. 2021, doi: 10.1109/
Int. Wireless Commun. Mobile Comput. JIOT.2020.3044296.
(IWCMC), Limassol, Cyprus: IEEE, 20. M. A. Kandi, D. E. Kouicem, M.
Jun. 2020, pp. 1613–1617, doi: 10.1109/ Doudou, H. Lakhlef, A. Bouabdal-
IWCMC48107.2020.9148362. [Online]. lah, and Y. Challal, “A decentralized
Available: https://ieeexplore.ieee. blockchain-based key management
org/document/9148362/. protocol for heterogeneous and
14. Y. Yu, A. Afanasyev, Z. Zhu, and L. dynamic IoT devices,” Comput. Com-
Zhang, “An endorsement-based key mun., vol. 191, pp. 11–25, Jul. 2022,
management system for decentralized doi: 10.1016/j.comcom.2022.04.018.
W W W.CO M P U T E R .O R G /CO M P U T E R