Discussed in this section is how the different services are deployed in the framework to meet IoT demands as well as how they can be practically realized in the implementation. Later in the section, an account regarding satisfaction of previously defined design principles for the proposed scheme is given.
4.3.1. Deployment of Services for IoT Requirements
Computation offloading, the first service deployed in our framework plays the role of relieving the heavy and intensive computation tasks from the less capable end devices onto powerful servers found on the edge network. Due to high computing power required in solving such puzzles as PoW during the mining process in blockchain, the resource-disadvantaged mobile devices running IoT applications are incapable of executing them on their own. With edge servers deployed at the edge of the network closer to end devices, their abundant resources can take the processing load from the devices and enable them to participate in the blockchain network. Such tasks involving computations of hashes, encryption and decryption as well as PoW are offloaded from the devices and outsourced to edge servers for execution. Blockchain safeguards the security aspects of this module in a case when a computation operation requires assignment to multiple edge nodes. Having been relieved of such operations increases the battery lifetime for devices and speeds up the execution of tasks with efficiency and assured security.
For offloading computation in our framework we adopt the off-chain state channels proposed by Kasireddy in [25
]. This approach offers extensibility for blockchain to store more data and perform more complex operations. With this scheme implemented in our model, the issue of adaptability will be addressed and blockchain’s ability to scale with increasing number of transactions will improve. Tools to implement off-chain state channels in our model include a smart contract powered decentralized Lightning Network (https://lightning.network/
) presented in [36
] or its Ethereum equivalent, Raiden Network (https://raiden.network/
) that extends Ethereum with scalable and timely transactions.
The off-chain state channels provide a mechanism of interaction in blockchain whereby events that were supposed to be carried out on blockchain are conducted off the blockchain instead. As illustrated in Figure 6
below, the procedure was achieved in three steps using cryptographically secure mechanisms to achieve significant enhancements with increased speed and lowered costs. After locking part of the blockchain state in step 1 using smart contracts, participants were then able to make updates to their desired transactions in step 2 without committing to the blockchain. Afterwards, the participants submitted the state back to blockchain in step 3, which provided settlement by closing the state channel and unlocking the state again. In this proceeding, only step 1 and 3 involved executions that were published on the blockchain network while step 2 at which most of the intensive tasks were executed did not involve blockchain at all.
Utilizing the off-chain state channels, the less capable IoT devices could lock portions of the blockchain that was needed by their own transactions in step 1 above. Then in step 2, these devices could either download firmware updates or upload data and files with summary of their transactions to be shared with other devices without having to deal with the entire blockchain. Finally, in the last step, the updates made in the locked states were committed back to the main chain where the state channel was closed, and locked state was unlocked.
There is also a proposition by Yeow et al. in [29
] and Eyal et al. with their Bitcoin-NG (Bitcoin-next generation) protocol in [24
] of using side chains. The target is to improve performance using a protocol that allows connections of new side chains to the main chain with back-and-forth transfers of transactions between the main chain and different other side chains. This scheme, however, incurs high delays in crossing the side chains across the main chain to get the funds to destined side chains where such funds need to be spent and will not be suitable for our model.
Outsourced decentralized data storage, compared to the centralized storage mechanisms in cloud computing, the decentralized storage achieved by the integration of edge computing and blockchain exploits the benefits of both to provide increased storage sizes, high security of stored data and keeps data closer to users. Storing data on edge servers close to owners and consumers decreases the communication latency and elevates the system availability, durability and performance. The large storage capacity offered by edge computing complements the validated security in blockchain to ensure a decentralized storage management in P2P basis without entrusting the data to any centralized entity. Additional mechanisms of Proof-of-Space and Proof-of-Spacetime were also introduced for prover participants to convince verifier participants of their replicating capabilities and times of their data storage. These additional features were combined to attain a data integrity service that facilitated data verification to ensure integrity of the stored data along with utilization of Ethereum and smart contracts. With this service, IoT applications were enabled to attain more storage capacities by outsourcing their storage to higher capacity servers on the edge and other peers whereby blockchain was there to guarantee secure storage. We utilized the Data Integrity Service originally formulated by Dziembowski et al. in [26
] and the off-chain state channels explained in computation offloading deployment above to realize secure outsourced data storage in our framework.
The blockchain-based Data Integrity Service (DIS) as illustrated in Figure 7
is detailed in [26
] as a potential solution for data integrity. In DIS, users were identified as data owners and consumers running their respective data owner applications (DOA) and data consumer applications (DCA). The cloud storage service (CSS) can either be provided as just a service on the cloud or can also practically be treated as a node on the blockchain. Both the owners and consumers were uniquely identified by their corresponding public keys in the blockchain system. Upon joining the blockchain network, both the DOA and DCAs got a key pair generated for them, a private key and a corresponding public key. While the public key would be used to identify each node’s account, the corresponding private key would be used in accessing the node’s account. All transactions could only be completed in the system when the node’s account had enough deposit. While both DOAs and DCAs could flexibly join the network as miners, it was normally challenging and mostly needless for the DOAs to get their deposit by being miners because of their deficient computing power. As for DCAs, based on their hardware facilities and finances, they could also flexibly act as miners or not.
The practical solution for the data integrity service for outsourcing storage in our integrated framework was realized by utilizing a combination of Ethereum and smart contracts. This solution requires that data originating from end devices to be encrypted before being outsourced to safeguard data confidentiality. Using Proof-of-Space (PoSpace), peers involved in a P2P network must legitimize their claims of making deposits and commit the space they possess [30
]. PoSpace in this context described a means for a prover to express valid interest when requesting a service by investing significant amount of memory or disk space to solve a challenge administered by a verifier. It is important to note that in solving the issued challenge for PoSpace, apart from dedicating the required space, huge amounts of files need to be exchanged between the prover and verifier, which renders this approach pretty much impractical, but again, security always comes at a price.
To generate and link a transaction in blockchain, peers need to register and validate their transactions by solving the verification challenges as set in proof of space. A smart contract was utilized by IoT users when storing transactions in this framework. After locally encrypting the information to prevent unauthorized access, a transaction was created and then announced by owner clients to the P2P network and made claims for requirements and inquired costs to be incurred. In turn, the miners (peers in the P2P network) checked the users’ requirements and available service in transactions to offer clients the needed storage for rent. With adequate incentives and punishments being enforced through smart contracts, IoT devices can thus outsource their data to be stored in a decentralized P2P storage system.
To check integrity of the outsourced data; IoT users generate a new challenge transaction for which the miners hosting the data need to compute a proof (to be verified by users) and put it on blockchain. In the case when the computed proof fails the verification, the miners as data hosts are punished by rewarding the deposit initially committed by them when registering to the IoT users. Miners can revoke, when needed, the committed space by producing a cancelling transaction and withdraw the deposit that was committed during registration.
Network traffic control, along with the two described services, assured security in transmission of data from one entity to another is of great importance. This service is deployed to provide network control mechanisms to carry data between devices in those transactions traversing the network across some intermediate nodes. This extends to protect communications of the smart contracts themselves carrying rules that govern various transactional aspects. The contracts could be exchanged by nodes that are likely located at opposite edges of the network and this transmission must be protected. It is imperative therefore, that, both data and contracts communications be protected to achieve reliable and efficient coordination in the network. Such details as rights and privileges, user addressing, cryptographic information and transactions validity period are carried in these messages. As the messages are transported among the devices in the network, security attacks at different levels need to be well addressed in the design. As edge computing bridges subordinate layers and the superior and interfaces with various other systems and protocols (Wi-Fi, M2M and cellular networks for instance), management of the network in this heterogeneous environment becomes inevitably a challenge. The effective measures for this deployment is the use of software-defined networks (SDN) and its extension to SDN components (SDNC) as described by Sharma et al. in [37
] through provision of better network visibility by dissociating the control plane from the data plane. Ultimately, the use of dynamic virtualization of network resources in the context of SDNs simplifies management of the network management and facilitates realization of privacy and security in the network through blockchain [38
]. Measures involving blockchain technologies have been fused in our framework to enable access control, authentication of users and transactions, integrity and data privacy in the framework.
To practically realize enhanced anonymity in the traffic flowing across network nodes in our framework we utilize Zerocash—Zcash (https://z.cash/
), its predecessor Zerocoin (http://zerocoin.org/
), and linkable ring signature schemes (https://github.com/sorrge/LSAG
) presented in [40
] and [41
]. Zerocash provides a strong privacy-preserving digital currency, Zerocoin offers a cryptocurrency that conceals details of the transaction whereas linkable ring signature avails means to verify whether same signer generated two different signatures, but yet no way to tell the signer’s identity.
We discovered three possible approaches to preserve anonymity for blockchain, mixing services, ring signatures and non-interactive zero-knowledge proof from Feng et al. in [3
]. The mixing services can offer protection against anonymity attacks by obscuring relationships in a transaction between senders and receivers. The obfuscation allows concealment of entity’s identity that is involved in the communication along with contents being transmitted. A ring signature is formed from a set of chosen members that joins the ring without intervention of any central entity and one of the members anonymously signs the message on everyone’s behalf. The ring signature produces a valid but anonymous digital signature from the ring of participants without revealing the identity of the signature’s producer. As for zero-knowledge proof (ZKP), a cryptographic scheme is provided in which a transaction can be validated without leakage of any extra information.
Despite its spontaneity in mixing transactions for blockchain, the mixing services incur a lot of delay when participants discover one another before their transactions are able to be mixed. The ring signature as illustrated in Figure 8
a and initially designed by [42
], without going in a lot of details; uses a public key infrastructure (PKI) to generate valid signatures for all members in the ring, which the verifier can validate without discovering the true identity of the real signer. The linkable ring signature is a scheme formed when an entity in the ring is able to sign the same message twice using the same tag whereas the used signatures can be linked using PKI mechanisms, but the signer’s identity stays anonymous [3
]. In spite of the strong anonymity availed by ring signatures, the large size of its transactions, the direct proportionality between its signature’s size to the number of entities in the ring, and its difficulty in auditability are key limitations that it still suffers from.
ZKP on the other hand offers a suitable protocol to anonymously verify transactions in blockchain using its non-interactive zero-knowledge proof (NIZK) variant. In NIZK proof, the connection between the prover and verifier is removed to enable anonymity during transactions. Without diving into detailed explanation of how they operate, zerocoin and zerocash both utilize cryptographic procedures in NIZK proof to prevent transaction analysis and enhance anonymity. Zerocoin is presented by Miers et al. in [27
] to counter graphic analysis of transactions and allow full anonymous transactions of currency. It employs NIZK proof procedures to authenticate minted coin before being redeemed later with equal-valued new coin that possess no prior information and hence unlinking the transactions from their origins of payment. Furthermore, zerocash described in [28
] provides even a higher level of privacy for blockchain by enabling participants to anonymously pay each other directly without revealing origin, destination and amounts involved in transactions. Figure 8
b below illustrates mechanisms to send and receive Zcash in a transaction using shielded addresses and through generated ZKP, other participants are able to verify encrypted data in the transaction without revealing the address.