Privacy-preserving blockchain model promises secure identity for massive IoT networks


CO-EDP, VisionRI | Updated: 20-02-2026 15:41 IST | Created: 20-02-2026 15:41 IST

Billions of IoT devices now operate in open, distributed environments, exchanging sensitive data in real time. From industrial control systems to connected healthcare devices, digital identity has become the first line of defense against cyber threats. However, centralized identity management models expose single points of failure, while many blockchain-based systems remain too storage-heavy and computationally demanding for resource-constrained devices.

In a recent study, "IoT-SBIdM: A Privacy-Preserving Stateless Blockchain-Based Identity Management for Trustworthy Internet of Things Ecosystems", published in Mathematics, researchers introduce a lightweight blockchain architecture that integrates elliptic curve cryptography and zero-knowledge proofs to deliver scalable, privacy-focused identity management tailored specifically for IoT networks.

Rethinking IoT Identity: From centralized control to stateless blockchain design

Digital identity management in IoT environments must support billions of devices that operate with limited processing power, memory, and energy. Traditional identity providers store credentials in centralized servers, creating bottlenecks and security risks. In contrast, blockchain offers decentralization and tamper resistance, but storing identity data directly on-chain introduces scalability challenges.

IoT-SBIdM adopts a stateless blockchain model, reducing reliance on historical blockchain data and minimizing storage demands. Rather than storing complete identity records on-chain, the framework anchors cryptographic references while placing full identity documents and credentials off-chain using the InterPlanetary File System. Only content identifiers and cryptographic commitments are recorded on-chain, significantly lowering blockchain growth rates.

The framework operates across three interconnected layers. The application layer handles interactions between IoT devices and service providers. The issuance and verification layer governs credential generation and validation using decentralized identifiers and zero-knowledge proofs. The distributed ledger layer anchors trust, auditability, and revocation tracking through smart contracts and elliptic curve accumulators.

At the heart of the system lies the adoption of W3C standards for decentralized identifiers and verifiable credentials. Each device generates a decentralized identifier that contains cryptographic public keys, authentication methods, and service endpoints. These identifiers allow devices to establish secure communication channels using elliptic curve key agreement mechanisms.

When a device requests credentials, a trusted issuer generates a verifiable credential containing metadata, claims, and cryptographic proofs. The credential is signed using modern ECDSA cryptographic suites and stored off-chain. A hash of the credential is committed to an elliptic curve accumulator on-chain, enabling efficient verification and revocation without exposing full identity details.

Authentication can occur through full disclosure or selective disclosure modes. In selective disclosure, devices reveal only the minimum required attributes while generating zero-knowledge proofs that confirm the validity of hidden information. This ensures privacy while maintaining cryptographic verifiability.
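The issuance, anchoring and selective-disclosure flow described above, as an added Go example that is not code from the paper or its authors. The issuer signs (ECDSA P-256 over SHA-256) a body that holds only salted commitments to the claims; the signed credential goes into a constructed off-chain store, while a plain map standing in for the on-chain anchor records just its hash and a stand-in content identifier; the device reveals one claim by opening its commitment, and the verifier checks signature, anchor and opening. Salted hash commitments are a deliberate substitute for the Groth16 proofs the paper uses (they keep unrevealed claims hidden but are not zero-knowledge proofs of predicates over them), sorted-key JSON stands in for JSON-LD canonicalization, and all DIDs, claim names and values are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"sort"
)

// Credential is the signed body: no plaintext claims, only one salted commitment per claim.
type Credential struct {
	Subject     string   `json:"subject"`
	Commitments []string `json:"commitments"`
}

// SignedCredential is the full document kept off-chain: body plus issuer ECDSA signature.
type SignedCredential struct {
	Body      Credential `json:"body"`
	Signature []byte     `json:"signature"`
}

type Disclosure struct{ Name, Value, Salt string } // opens one commitment; kept on the device

type Ledger map[string]string   // on-chain state: credential hash -> content identifier, nothing more
type OffChain map[string][]byte // constructed stand-in for content-addressed storage such as IPFS

func commit(d Disclosure) string {
	h := sha256.Sum256([]byte(d.Salt + "|" + d.Name + "|" + d.Value))
	return hex.EncodeToString(h[:])
}

// credentialHash is the signed digest; sorted-key JSON stands in for JSON-LD canonicalization.
func credentialHash(c Credential) []byte {
	b, _ := json.Marshal(c)
	h := sha256.Sum256(b)
	return h[:]
}

// Issue commits to each claim under a fresh 128-bit salt and signs the sorted commitment
// list; the returned openings (keyed by claim name) stay on the device and are never published.
func Issue(priv *ecdsa.PrivateKey, subject string, claims map[string]string) (SignedCredential, map[string]Disclosure, error) {
	openings := map[string]Disclosure{}
	var comms []string
	for name, value := range claims {
		salt := make([]byte, 16)
		rand.Read(salt)
		d := Disclosure{name, value, hex.EncodeToString(salt)}
		openings[name] = d
		comms = append(comms, commit(d))
	}
	sort.Strings(comms) // deterministic regardless of map iteration order
	body := Credential{Subject: subject, Commitments: comms}
	sig, err := ecdsa.SignASN1(rand.Reader, priv, credentialHash(body))
	return SignedCredential{Body: body, Signature: sig}, openings, err
}

// Anchor stores the full credential off-chain and records only its CID and hash on-chain.
func Anchor(l Ledger, store OffChain, sc SignedCredential) string {
	b, _ := json.Marshal(sc)
	sum := sha256.Sum256(b)
	cid := "cid-" + hex.EncodeToString(sum[:8]) // constructed stand-in for an IPFS CID
	store[cid] = b
	l[hex.EncodeToString(credentialHash(sc.Body))] = cid
	return cid
}

// Verify checks the issuer signature, the on-chain anchor (a membership check) and that each
// revealed opening matches a signed commitment; unopened claims stay hidden but remain signed.
func Verify(pub *ecdsa.PublicKey, l Ledger, sc SignedCredential, revealed []Disclosure) (map[string]string, error) {
	h := credentialHash(sc.Body)
	if !ecdsa.VerifyASN1(pub, h, sc.Signature) {
		return nil, fmt.Errorf("issuer signature invalid")
	}
	if _, ok := l[hex.EncodeToString(h)]; !ok {
		return nil, fmt.Errorf("credential hash not anchored on-chain")
	}
	out := map[string]string{}
	for _, d := range revealed {
		c := commit(d)
		i := sort.SearchStrings(sc.Body.Commitments, c)
		if i == len(sc.Body.Commitments) || sc.Body.Commitments[i] != c {
			return nil, fmt.Errorf("claim %q does not open any signed commitment", d.Name)
		}
		out[d.Name] = d.Value
	}
	return out, nil
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ledger, store := Ledger{}, OffChain{}
	sc, openings, _ := Issue(key, "did:example:device42", map[string]string{"deviceType": "pump-controller", "site": "plant-7"})
	fmt.Println("anchored as", Anchor(ledger, store, sc))
	fmt.Println(Verify(&key.PublicKey, ledger, sc, []Disclosure{openings["deviceType"]})) // "site" stays hidden
}
```

The point to notice is what the ledger never sees: neither the claims nor the signature, only a 32-byte hash and a content identifier, which is what keeps chain growth flat as credentials accumulate. The verifier fetches nothing from the ledger except the anchor lookup; everything else arrives in the presentation and is checked against the issuer's public key.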

Performance gains: Storage efficiency and execution speed under scrutiny

Scalability is one of the key claims of the IoT-SBIdM framework. The researchers evaluated blockchain growth trends and compared storage expansion with previous blockchain-based identity systems. The findings indicate that IoT-SBIdM maintains a compact blockchain size even at higher block heights. At 5,000 blocks, the blockchain requires only 45 megabytes of storage, representing a 55 percent reduction compared to recent comparable models and an approximately 94 percent reduction relative to older identity management frameworks.

Gas cost analysis of smart contract functions further demonstrated operational efficiency. Credential registration functions, which involve multi-step verification and storage logic, showed the highest gas consumption. However, optimization of smart contract logic resulted in significant cost reductions, particularly in schema registration functions, where gas usage was cut by approximately 63 percent through hashed mapping keys and streamlined state management.

The system was tested on two platforms: a standard laptop representing an edge computing environment, and an ESP32 PLUS development board representing a constrained IoT device. Results show that core operations such as key generation, credential presentation, verification, and revocation execute within milliseconds on both platforms. Even on the ESP32 device, which features limited memory and processing capacity, identity verification and credential presentation remained well within real-time performance thresholds.

Credential issuance emerged as the most computationally intensive phase, taking several seconds due to JSON-LD canonicalization, cryptographic signing, IPFS interaction, and on-chain anchoring. However, the authors note that issuance occurs infrequently compared to authentication and verification cycles, making the latency acceptable in practical deployments.

Comparative performance analysis against prior systems such as BASS and PBidm revealed that IoT-SBIdM achieved lower latency in key generation, proof generation, verification, and revocation phases. Although issuance time was slightly higher due to additional privacy and integrity safeguards, the overall system maintained competitive efficiency while strengthening cryptographic trust guarantees.

Security architecture: Zero-knowledge proofs and accumulator-based verification

The study highlights the security properties built into IoT-SBIdM's architecture. The system is designed to satisfy blindness, unforgeability, traceability, unlinkability, revocability, selective disclosure, and anti-attack resilience.

Elliptic curve-based membership accumulators replace computationally heavy RSA accumulators found in earlier models. These accumulators allow efficient verification of credential membership and revocation status without revealing the full credential content. Combined with Groth16 zero-knowledge proofs, the framework enables privacy-preserving authentication where devices prove credential validity without exposing sensitive attributes.

Secure communication channels are established through W3C DID key agreement mechanisms, leveraging Elliptic Curve Diffie-Hellman ephemeral-static key exchange and AES-256-GCM encryption. This ensures confidentiality, integrity, and tamper resistance during device-to-device and device-to-service interactions.
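The ephemeral-static exchange described above, as an added Go example that is not the paper's code. The recipient holds a long-term P-256 key (the kind a DID document publishes under keyAgreement); the sender generates a one-time key per message, runs ECDH against the recipient's static public key, derives an AES-256 key bound to both public keys, and seals the payload with GCM. The DIDs, the payload and the label are constructed, and a single SHA-256 over the shared secret stands in for HKDF, which is not in Go's standard library.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Envelope is the on-the-wire message: the sender's one-time public key, the GCM nonce and
// the ciphertext (which ends with the 16-byte authentication tag).
type Envelope struct {
	EphemeralPub []byte
	Nonce        []byte
	Ciphertext   []byte
}

// StaticKey is the recipient's long-term P-256 key agreement key; its public half is what a
// DID document would publish under keyAgreement.
type StaticKey struct{ priv *ecdh.PrivateKey }

func NewStaticKey() (*StaticKey, error) {
	k, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &StaticKey{priv: k}, nil
}

func (s *StaticKey) PublicBytes() []byte { return s.priv.PublicKey().Bytes() }

// sessionAEAD performs the ECDH step and derives the AES-256-GCM key from the shared secret,
// binding it to both public keys and a label. A single SHA-256 stands in for HKDF here
// (assumption: HKDF is not in the standard library; x/crypto/hkdf is the production choice).
func sessionAEAD(own *ecdh.PrivateKey, peerPub, ephPub, staticPub []byte) (cipher.AEAD, error) {
	peer, err := ecdh.P256().NewPublicKey(peerPub)
	if err != nil {
		return nil, err
	}
	shared, err := own.ECDH(peer)
	if err != nil {
		return nil, err
	}
	h := sha256.New()
	for _, p := range [][]byte{shared, ephPub, staticPub, []byte("example-channel-v1")} {
		h.Write(p)
	}
	block, err := aes.NewCipher(h.Sum(nil)) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is the sender side: fresh ephemeral key, ECDH against the recipient's static key, then
// AES-256-GCM with aad (e.g. both DIDs and a message counter) bound to the ciphertext.
func Seal(recipientStaticPub, plaintext, aad []byte) (Envelope, error) {
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return Envelope{}, err
	}
	ephPub := eph.PublicKey().Bytes()
	gcm, err := sessionAEAD(eph, recipientStaticPub, ephPub, recipientStaticPub)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize()) // 96-bit nonce, fresh per message
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	return Envelope{EphemeralPub: ephPub, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, aad)}, nil
}

// Open is the recipient side; any change to the ephemeral key, nonce, ciphertext or aad fails.
func (s *StaticKey) Open(env Envelope, aad []byte) ([]byte, error) {
	gcm, err := sessionAEAD(s.priv, env.EphemeralPub, env.EphemeralPub, s.PublicBytes())
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, aad)
}

func main() {
	service, _ := NewStaticKey()
	aad := []byte("did:example:device42->did:example:service|seq=1")
	env, _ := Seal(service.PublicBytes(), []byte("telemetry: pressure=3.1bar"), aad)
	pt, err := service.Open(env, aad)
	fmt.Printf("%s %v\n", pt, err)
	env.Ciphertext[0] ^= 1 // a single bit flip is rejected by the GCM tag
	_, err = service.Open(env, aad)
	fmt.Println("tampered:", err)
}
```

Ephemeral-static agreement authenticates the recipient only: the message can be opened solely by the holder of the static private key, but anyone can produce a fresh ephemeral key. In the design the article describes, the sender's identity comes from its DID and signed credential presentation, so the aad is the place to bind the sender's DID and a message counter to each ciphertext, and the presentation itself should be carried inside the sealed payload.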

The threat model considers multiple adversary scenarios, including network attackers attempting denial-of-service or interception attacks, compromised IoT devices attempting credential forgery, malicious issuers issuing unauthorized credentials, and colluding entities attempting proof manipulation. Blockchain immutability, accumulator verification, and cryptographic signing collectively mitigate these risks.

The system also includes a formal revocation protocol. If a credential must be invalidated, the issuer updates the accumulator state and records a revocation audit log on-chain. Verifiers then detect revoked credentials during membership checks, preventing unauthorized access.
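The accumulator-based revocation protocol just described (issuer updates the accumulator state and logs the event; verifiers detect revoked credentials during membership checks), as an added Go example that is not the paper's code. A sorted-leaf Merkle tree stands in for the paper's elliptic curve accumulator, which is a constructed simplification: the root is the only state that needs to live on-chain, a device proves membership with a sibling path, and revoking a member changes the root so that the revoked credential's witness no longer verifies. The credential hashes and the revocation reason are constructed.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"fmt"
	"sort"
)

// Accumulator is a Merkle-tree stand-in for the paper's elliptic curve accumulator. Members are
// credential hashes; only Root needs to live on-chain, next to the revocation Log.
type Accumulator struct {
	members [][]byte // kept sorted so the root is independent of insertion order
	Log     []string // append-only revocation audit entries
}

// Witness is a membership proof for one leaf against one specific root; it must be refreshed
// whenever the issuer changes the set.
type Witness struct{ Leaf []byte; Index int; Siblings [][]byte }

// node hashes with a domain prefix: 0 for leaves, 1 for inner nodes.
func node(prefix byte, parts ...[]byte) []byte {
	h := sha256.Sum256(append([]byte{prefix}, bytes.Join(parts, nil)...))
	return h[:]
}

func (a *Accumulator) index(leaf []byte) int {
	i := sort.Search(len(a.members), func(k int) bool { return bytes.Compare(a.members[k], leaf) >= 0 })
	if i < len(a.members) && bytes.Equal(a.members[i], leaf) { return i }
	return -1
}

func (a *Accumulator) Add(leaf []byte) {
	a.members = append(a.members, append([]byte(nil), leaf...))
	sort.Slice(a.members, func(i, j int) bool { return bytes.Compare(a.members[i], a.members[j]) < 0 })
}

// Revoke is the issuer's step: remove the member (which changes the root) and log the event.
func (a *Accumulator) Revoke(leaf []byte, reason string) bool {
	i := a.index(leaf)
	if i < 0 { return false }
	a.members = append(a.members[:i], a.members[i+1:]...)
	a.Log = append(a.Log, fmt.Sprintf("revoked %x reason=%q newRoot=%x", leaf, reason, a.Root()))
	return true
}

// build folds the leaf level up to the root, collecting the sibling of position idx at each
// level on the way (idx < 0 collects nothing). A level with an odd count duplicates its last node.
func (a *Accumulator) build(idx int) (root []byte, siblings [][]byte) {
	var level [][]byte
	for _, m := range a.members {
		level = append(level, node(0, m))
	}
	for len(level) > 1 {
		if len(level)%2 == 1 {
			level = append(level, level[len(level)-1])
		}
		if idx >= 0 {
			siblings = append(siblings, level[idx^1])
			idx /= 2
		}
		var next [][]byte
		for i := 0; i < len(level); i += 2 {
			next = append(next, node(1, level[i], level[i+1]))
		}
		level = next
	}
	return bytes.Join(level, nil), siblings // one node, or empty when the set is empty
}

// Root is the on-chain accumulator state.
func (a *Accumulator) Root() []byte { r, _ := a.build(-1); return r }

func (a *Accumulator) Witness(leaf []byte) (Witness, bool) {
	i := a.index(leaf)
	if i < 0 { return Witness{}, false }
	_, sibs := a.build(i)
	return Witness{Leaf: leaf, Index: i, Siblings: sibs}, true
}

// VerifyMembership is the verifier-side check: rebuild the root from the witness alone and
// compare it with the root published on-chain. A revoked credential's old witness fails here.
func VerifyMembership(root []byte, w Witness) bool {
	cur, i := node(0, w.Leaf), w.Index
	for _, sib := range w.Siblings {
		if i%2 == 0 { cur = node(1, cur, sib) } else { cur = node(1, sib, cur) }
		i /= 2
	}
	return bytes.Equal(cur, root)
}

func main() {
	acc := &Accumulator{}
	credA, credB := node(0, []byte("cred-A")), node(0, []byte("cred-B")) // constructed credential hashes
	acc.Add(credA); acc.Add(credB)
	w, _ := acc.Witness(credB)
	fmt.Println("B before revocation:", VerifyMembership(acc.Root(), w))
	acc.Revoke(credB, "device compromised")
	fmt.Println("B after revocation:", VerifyMembership(acc.Root(), w), acc.Log)
}
```

The verifier's cost is one root lookup on-chain plus a logarithmic number of hashes, independent of how many credentials exist; the price is that every other device's witness also goes stale after a revocation and has to be refreshed from the public member list, which is the trade-off the paper's accumulator design is meant to make cheap.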

Deployment challenges and future outlook

While experimental results demonstrate strong performance, the authors acknowledge practical deployment challenges. Large-scale blockchain deployments may incur cumulative transaction costs. Network latency may affect off-chain storage interactions. Device heterogeneity across IoT ecosystems may introduce variable performance characteristics. Secure key management remains a persistent operational concern.

Future research directions include optimizing credential issuance latency, testing performance on more powerful edge devices such as Raspberry Pi platforms, evaluating compatibility with 5 GHz IoT networks to reduce communication noise, and conducting long-duration testnet experiments to observe blockchain growth under dynamic credential lifecycle conditions.

First published in: Devdiscourse