English 
Français
Deutsch
Español
Italiano
Português
日本語
한국어
Русский
A secure end-to-end communication framework for cooperative IoT networks using hybrid blockchain system | Scientific Reports
Scientific Reports volume 15, Article number: 11077 (2025) Cite this article
Metrics details
The Internet of Things (IoT) is a disruptive technology that underpins Industry 5.0 by integrating various service technologies to enable intelligent connectivity among smart objects. These technologies enhance the convergence of Information Technology (IT), Operational Technology (OT), Core Technology (CT), and Data Technology (DT) networks, improving automation and decision-making capabilities. While cloud computing has become a mainstream technology across multiple domains, it struggles to efficiently manage the massive volume of OT data generated by IoT devices due to high latency, data transfer costs, limited resilience, and insufficient context awareness. Fog computing has emerged as a viable solution, extending cloud capabilities to the edge through a distributed peer-to-peer (P2P) network, enabling decentralized data processing and management. However, IoT networks still face critical challenges, including connectivity, heterogeneity, scalability, interoperability, security, and real-time decision-making constraints. Security is a key challenge in IoT implementations, including secure data communication, IoT edge and fog device identity, end-to-end authentication, and secure storage. This paper presents an efficient blockchain-based framework that creates a secure end-to-end communication cooperative flow IoT network. The framework utilizes a hybrid blockchain network that collaborates to offer a collaborative flow of end-to-end secure communication from end devices to cloud storage. The fog servers will maintain a private blockchain as a next-generation public key infrastructure to identify and authenticate the IoT’s edge devices. The consortium blockchain will be maintained in the cloud and integrated with the permission blockchain system. This system ensures secure cloud storage, authorization, efficient key exchange, and remote protection (encryption) of all sensitive information. To improve the synchronization and block generation, reduce overhead, and ensure scalable IoT network operation, we proposed the threshold signature-based Proof of Stake and Validation (PoSV) consensus. Additionally, lightweight authentication protects resource-constrained IoT nodes using an aggregate signature, ensuring security and performance in real-time scenarios. The proposed system is implemented, and its performance is evaluated using key metrics such as cryptographic processing overhead, consensus efficiency, block acceptance time, and transaction delay. The findings show that threshold signature-based Proof of Stake and Validation (PoSV) consensus, reduces the computational burden of individual signature verification, which results in an optimized transaction latency of 80–150 ms, compared to the previous 100–200 ms without Non-PoSV. Additionally, aggregating multiple signatures from different authentication events reduces signing time by 1.98 ms compared to the individual signature time of 2.72 ms and the overhead of verifying multiple individual transactions is 2.87 ms is significantly reduced to1.46 ms along with authentication delay ranges between 95–180 ms. Hence, the proposed framework improves over existing approaches regarding linear computing complexity, increased cryptographic methods, and a more efficient consensus process.
The Internet of Things (IoT) has evolved as a technology integrator in the Fourth Industrial Revolution that combines different service technologies to form intelligent connections between Things, Data, Processes, and People. This integration improves decision-making efficiency by eliminating the need for human interaction. Furthermore, including these service technologies in the IoT architecture as shown in Fig. 1 will improve the integration of information technology (IT), operational technology (OT), core technology (CT), and data technology (DT) networks. IoT/Edge devices have been widely used in various industries, including healthcare, supply chain, smart home systems, smart city applications, and home security systems.
The cloud has become a mainstream technology in various business, entertainment, and social networking applications. This computing integrates layers of IT (Big data, Data Centers) and OT (Edge Networks, Fog Networks). Meanwhile, the IoT devices will generate data faster, and the processing will take place on the IT (Cloud Environment) side, which cannot ingest it. For example, when incorporating the IoT requirements1 into a traditional IT computing architecture, data processing capabilities are limited in their ability to perform real-time data analysis and provide feedback during interactions between OT devices and the IT infrastructure. Hence, cloud networks have physical storage limits that make it challenging to implement heterogeneous IoT networks. Specifically, cloud networks cannot manage large amounts of OT data due to constraints in physical storage, higher latency, higher transfer costs, insufficient context awareness, and impractical resilience, among other factors.
Integrated reference architecture of IoT environment.
Fog networks emerged as a promising solution for extending cloud networks and establishing a distributed peer-to-peer network. This network enables the decentralized processing and management of Internet of Things (IoT) data and services. The fog servers are often situated near IoT devices, providing efficient data computation with lower transmission delays compared to remote clouds. The fog network is an intermediary between edge devices and the cloud layer, allowing real-time applications to Internet of Things (IoT) users with very low latency and fast service response. This will be highly beneficial in the next generation of services[1]. However, IoT security is an intrinsic concern in each challenging issue. The conventional cryptographic primitives require more processing power, processing time, battery power, and physical space, which are unsuitable for resource-constrained IoT networks. The following are the challenges of IoT systems in a Cooperative Environment. However, real-time collaborative dynamics in IoT networks encounter connectivity, heterogeneity, interoperability, scalability2, data management3, and security obstacles. Specifically, the successful deployment of IoT ecosystem is mainly dependent upon IoT security, which poses a significant challenge. Traditional cryptographic primitives demand more processing power, time, battery life, and physical area, making them unsuitable for resource-constrained IoT networks. The following issues for IoT systems in a cooperative context are addressed below.
Device identification: Most IoT devices generate sensitive data. Device identification must be established and managed correctly, with due concern for privacy.
IoT authentication: The existing IoT authentication mechanism4, based on default username-password combinations, poses a significant security risk. Inadequate authentication of malicious IoT devices may result in DDoS attacks.
End-to-end authentication: The lack of fundamental security features in IoT devices increases hackers’ attack surface, potentially jeopardizing the entire IoT network. Therefore, end-to-end authentication5 is essential to optimize resource consumption and improve security.
Distributed fog layer: The fog node processing aggregated data from IoT and edge devices is vulnerable to tampering if the data is not securely stored, compromising confidentiality.
Collaboration between several cloud service providers: The federated cloud in distributed systems illustrates the self-serving behavior of some cloud service providers (CSPs), which may lead to overutilization of other CSPs and, ultimately, compromise the system’s quality of service. The cloud end user cannot authenticate the stored data. Maintaining the integrity of cloud storage is critical.
Insecure data communication: It can result in botnet and DDoS attacks that compromise authentication, confidentiality, and integrity. Conventional authentication mechanisms like password-based systems and OAuth lack complete handling capabilities.
Lack of lightweight technique: Existing Cryptography protocols have shortcomings, including false data detection and the long decryption durations associated with asymmetric cryptographic primitives. Additionally, cryptographic primitives require more computing power, time, battery life, and physical area, making them unsuitable for resource-constrained IoT networks.
Security enabled reference architecture of IoT network.
Hence, IoT networks will undoubtedly face significant challenges in making secure decisions. The deployment of comprehensive IoT security6 and the development of a collaborative workflow are critical and complex issues. The success of IoT is dependent on trust, identification, privacy, protection, safety, and security. Figure 2 shows the Security-Enabled Reference Architecture for IoT Networks, which covers edge devices (WSN), gateways, fog networks, communication technologies, cloud environments, and application-level security.
Our contributions: This paper presents a novel approach that addresses the current research gaps in protecting the cooperative flow of IoT networks. It emphasizes the need to overcome the current limitations of IoT networks by developing a dependable framework that allows the blockchain system to protect an IoT network in a collaborative flow environment. The proposed solution uses blockchain to establish authenticity and reliability. IoT nodes use lightweight encryption to handle resource constraints at the edge as data travels from the fog network to the cloud; additionally, the Proof of Stake Voting (PoSV) consensus enables speedy block creation and reduces synchronization delays. The proposed framework can function over an intermittent network infrastructure by utilizing information from the blockchain. Specifically, The proposed framework amalgamates Private and Consortium Blockchains to integrate Information Technology (IT) and Operational Technology (OT) into an edge-fog-core-cloud architecture. Consortium Blockchain ensures secure end-to-end communication in a collaborative flow environment as shown in Fig. 3. This framework provides effective and reliable identity management for edge nodes, ensuring end-to-end communication security and protecting against a wide range of threats, including DDoS attacks. Furthermore, it lowers the risk of a single point of failure, which is a common problem with centralized systems and secure cloud storage. The following objectives were formulated to address the above challenging issue.
To establish a Pseudo-Anonymous IoT Identification Framework that ensures end-device privacy while reducing block acceptance time using a threshold signature-based consensus approach within a permissioned blockchain system.
To provide end-to-end authentication across various IoT devices from edge to core by integrating blockchain-enabled lightweight authenticated encryption techniques.
To improve secure storage in an adversarial federated cloud environment using the consortium blockchain system in the presence of malicious or selfish cloud providers, alert all network members once any abnormality(attacks) is detected.
To integrate private permission and consortium blockchains to provide end-to-end secure communication in an IoT network in a cooperative flow environment.
Blockchain-enabled reference architecture to secure IoT network in cooperative flow environment.
The remainder of this paper consists of the following: section “Related work” discusses related work done in ensuring authentication, access control and storage integrity. In section “Background” provided background work on ECDSA, Aggregated and Threshold signature schemes. Sections “Proposed work” and “Proposed methodology” the proposed system is described in detail. Sections “Results and performance analysis” and “Performance analysis” discusses Results, performance and security analyses respectively. Finally, Section “Conclusion” concludes the report along with discussing future work.
This section presents the state-of-the-art research as shown in Table 1 that forms the foundation for the proposed work. IoT networks rely on various service technologies, including edge computing, fog computing, network infrastructure, and cloud services. However, these networks face critical challenges to make effective security decisions. The success of IoT is heavily dependent on trust, identity management, privacy protection, safety, and security. Securing an IoT network necessitates an integrated approach with several levels, including edge security, gateway security, fog security, communication protocol security, cloud security, and application-level security. However, IoT devices frequently suffer from insufficient authentication and identification mechanisms. The gateways in the fog layer lack adequate authentication procedures to validate the identity of connected IoT devices. The absence of adequate security measures in the fog network raises concerns regarding the authenticity and integrity of communications within the local network. The problem with centralized authentication techniques leads to a single point of failure. A cloud or fog server compromise could disrupt the entire authentication system, resulting in vulnerabilities in security and operational challenges. Furthermore, using cloud-based authentication for device registration and identification leads to scalability concerns, especially as the number of connected devices increases.
At Device Level, the security of IoT devices has been enhanced with the introduction of blockchain technology that not only improves the authentication methods but also reduces the computational and communication costs. Hameed et al.7 proposed a formally validated decentralized authentication mechanism for blockchain based on Ethereum smart contracts to enhance storage and computational efficiency. However, this paper is vulnerable to Ethereum-specific security risks and cannot achieve quantum security. Zhang et al.8 proposed the Blockchain-Based Cross-Domain Authentication (BCAE) scheme to enhance the cross-domain authentication mechanism and used the Elliptic Curve Digital Signature Algorithm (ECDSA) in the design of the model. This model enhances the security and scalability in the edge computing environment; however, the cost of a blockchain transaction is quite high. Osama et al.9 proposed a hybrid authentication mechanism combining centralized and blockchain-based approaches with lightweight cryptographic primitives, such as ECC and SPECK. Even though their approach enhances security, scalability, and energy efficiency, the resource constraints in the blockchain components present a challenge. In the meantime, Yang et al.10 suggested a Blockchain-Based Secure and Lightweight Authentication protocol for IoT, which employs the modular square root algorithm to guarantee decentralization, light authentication, and attack tolerance. However, the model has poor scalability because of the cost of conducting transactions on the blockchain. These studies show that blockchain-based authentication offers many advantages but also comes with increased computational costs, which can be detrimental to IoT networks that are constrained in resources. Thus, cryptographic algorithms need to be optimized to enhance the efficiency and scalability of IoT networks.
At the fog layer, authentication mechanisms ensure trust and privacy in IoT networks. The issue comes in developing secure authentication algorithms while minimizing computational and transmission overhead. Roy et al.11 introduced a hybrid authentication protocol utilizing lattice-based cryptography in a three-tiered cloud-fog-edge architecture. The protocol uses Ring Learning with Errors (Ring-LWE) and NTRU to ensure quantum-resistant authentication with low processing cost. Nonetheless, the system faces challenges with key management and large implementation. Wang et al.12 developed a Directed Acyclic Graph (DAG)-based blockchain authentication system that propagates authentication requests through fog nodes, reducing computational and storage constraints, but only in DAG-compatible situations. Patwary et al. developed FogAuthChain, a blockchain-based location authentication method that uses device-to-device authentication and Ethereum smart contracts to enable decentralization and tamper-proof authentication. Even though there is an increase in security, the paradigm requires complex blockchain implementation and is restricted to Ethereum-compatible ecosystems. Guo et al.13 proposed a BSRA mechanism that leverages the strength of the blockchain by utilizing Physical Unclonable Functions (PUFs) in conjunction with lightweight cryptographic primitives for enhanced mutual authentication and reduced single-point failures. While BSRA improves security and anonymity, it relies on fog computing and blockchain technology, which might reveal vulnerabilities in the fog nodes. Amanlou et al.14 developed a lightweight authentication mechanism utilizing the Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) Key Exchange and Pre-Shared Key (PSK) authentication. The salient features of the proposed technique are that it provides forward secrecy, low-cost authentication, and is effective for IoT devices with limited resources. However, it also needs excellent key management and further tests on scalability. These works stress the reach of fog networks with blockchain technology, quantum-resilient encryption, lightweight authentication methods, and the paramount importance of adaptive security measures that are scalable within fog networks.
In cloud-based authentication, these approaches eliminate overhead computation to maximize security, efficiency, and scalability. Cloud authentication poses challenges for the algorithms since it needs to be secure, efficient, and scalable. Alam et al.15 proposed a secure authentication protocol combining the ECDLP with hashing and XOR techniques. This makes it possible to perform secure authentication while reducing compute power. His method is resilient to many different attack vectors based on NP-hard complexity. This technique suffers from critical key management issues and needs additional studies for bigger implementations. Wang et al. (2023) suggested a lightweight multi-factor authentication approach for cloud-assisted IoT that implements low latency and scalable security through a combination of ECC and lightweight encryption methods. Their solution reduces authentication and computation overhead but suffers from the same issue, requiring additional refining before deployment becomes viable. These findings, while demonstrating the efficiency of ECC-based cryptographic models and multi-factor authentication for the protection of IoT in the cloud, also illustrate the need for further research and validation of the models.
Securing end-to-end communication across IoT networks requires a careful balance between decentralization, encryption effectiveness, and system scalability. Researchers have explored various approaches to enhance security while minimizing computational and communication burdens. Alshawki et al.16 introduced the Distributed Address Table (DAT). This decentralized framework employs a Distributed Hash Table (DHT) and a structured Peer-to-Peer (P2P) overlay to eliminate reliance on third parties. This approach improves address privacy and strengthens anonymity. It integrates public-key cryptography for gateways and AES-128-CBC symmetric encryption for IoT devices, reducing delays in Network Address Translation (NAT) traversal. However, as network size increases, latency grows logarithmically, and distinct lookup queries contribute to additional overhead. Alluhaidan et al.17 proposed a lightweight encryption model based on a modified Feistel cipher combined with evolutionary algorithm principles. Their approach enhances encryption efficiency and reduces power consumption by 15.75%. However, its reliance on a static initialization state leaves it vulnerable to statistical analysis, making it susceptible to cryptographic attacks. Lizardo et al.18,19 developed Sharelock, a post-quantum secure protocol designed to ensure message confidentiality and integrity through independent key management. While this method offers stronger security guarantees, it introduces high administrative overhead and lacks intrinsic replay attack protection, which may compromise real-time security in dynamic IoT environments. Ferretti et al.20 proposed a proxy re-encryption (PRE) technique for fog-based IoT systems, enabling secure device-to-device communication with minimal computational demands. This strategy supports direct IoT interactions over semi-honest fog nodes, reducing dependence on cloud services and eliminating the need for trusted intermediaries, as seen in Public Key Infrastructure (PKI)-based models. This lightweight encryption method is well-suited for resource-constrained IoT devices, including Arduino, Raspberry Pi, and ARM-based processors. However, the assumption that fog nodes remain semi-honest introduces risks-compromised nodes could become fully malicious, posing serious security threats. Babu et al.21 addressed these concerns by integrating permissioned blockchain systems (pBCS) with smart contracts to secure communication in fog-enabled IoT networks. Their model offers decentralized authentication and end-to-end encryption, eliminating single points of failure commonly seen in centralized security frameworks. The Elliptic Curve Digital Signature Algorithm (ECDSA) helps protect against Man-in-the-Middle (MITM) and replay attacks, while Ethereum 2.0-based smart contracts enhance latency and scalability. However, blockchain implementation introduces higher storage requirements and computational demands, making it less practical for ultra-low-power IoT devices.
Hence, the current work of end-to-end security in IoT ecosystems remains limited, leaving networks vulnerable to potential threats if not addressed effectively. These challenges highlight the need for decentralized, scalable, and resilient security mechanisms to protect IoT networks from evolving cyber threats.
This section presents the background details of the proposed work including ECDSA Digital Signature Scheme, ECDSA based Aggregate Signature Scheme, and lightweight Threshold Signature based and consensus mechanism related to the proposed work. Table 2 illustrates the glossary of symbols used in the proposed work.
The proposed framework uses the ECDSA digital signature algorithm, which is a cryptographic algorithm based on elliptic curve cryptography (ECC). This mechanism mainly authenticates IoT edge devices and ensures their integrity. ECC leverages the mathematical properties of elliptic curves defined over finite fields. The proposed framework uses the secp256k1 elliptic curve, which is represented as: \(E: y^2 \equiv x^3 + ax + b \mod p,\) where \(a = 0\), \(b = 7\), and \(p = 2^{256} - 2^{32} - 977,\) a large prime number. This secp256k1 curve operates in the finite field \({\mathbb {F}}_p\), with a base (generator) point G with a large prime order n. The signature algorithm involves three key processes: Key Generation, Signing, and Verification. These processes are crucial for secure communication.
Key generation: This process begins with the selection of a random private key d, chosen as a random integer in the range \([1, n-1]\). Using this private key, the corresponding public key Q is computed as \(Q = dG\), where Q is a point on the elliptic curve E. These public-private key pairs form the foundation for the signing and verification process.
Signature generation: This process generates a signature for a message, which is hashed to produce the message digest, denoted as \(x = H(m)\), where H(m) is the SHA-256 cryptographic hash algorithm. To ensure the uniqueness of each signature, a random nonce k is selected from the range \([1, n-1]\). To construct the signature, two components are used. The first component, r, is derived as: \(r = r_x \mod n.\) If \(r = 0\), a new k is chosen, and the process repeats. The derived r is selected from the elliptic curve point R. The point R is computed as: \(R = kG, \quad R = (r_x, r_y).\) The second component of the signature, s, is calculated as: \(s = k^{-1} (z + rd) \mod n,\) where \(k^{-1}\) is the modular multiplicative inverse of k modulo n. If \(s = 0\), a new k is selected. Otherwise, the resulting digital signature is the (r, s) pair, uniquely representing the message.
Verification: This process ensures the signature’s authenticity. The verifier calculates the modular inverse of s, denoted as: \(w = s^{-1} \mod n,\) by using the sender’s public key Q and the message hash x. Two scalar values, \(u_1 = zw \mod n, \quad u_2 = rw \mod n,\) are computed. The elliptic curve point \(P = u_1G + u_2Q, \quad P = (P_x, P_y)\) is derived from these values. The signature is valid if the x-coordinate satisfies: \(r' = P_x \mod n \quad \text {equals} \quad r.\) This rigorous process ensures that the signature was created using the corresponding private key, verifying the message’s integrity and authenticity. These operations collectively provide a secure framework for digital authentication in IoT networks.
This section presents efficient solutions to minimize communication and computational overhead, which is required in IoT networks. Each fog device must perform individual message authentication involving multiple signatures in IoT networks. The proposed ECDSA-based aggregate signature scheme combines multiple signatures into a single and short aggregate signature28, which reduces the signature size and verification cost suitable for resource-constrained IoT networks. This scheme comprises five main processes: Key Generation, Signature Generation, signature verification, Signature Aggregation, and Aggregate Verification.
Key generation (KeyGen): The KeyGen process is used by IoT devices to generate a private key sk from the cyclic group \({\mathbb {Z}}_q\). The corresponding public key is computed as: \(pk = sk \cdot G,\) where G is the generator of the elliptic curve group, with an input security parameter \(\lambda\). The private and public keys are critical to security, ensuring a strong one-way relationship. While the private key is kept secret, the public key is shared for signature verification.
Signature generation (Sign): The signature generation process involves signing a message M. A random nonce k is selected from \({\mathbb {Z}}_q\). The use of a random nonce ensures that signatures are unique for the same message, preventing vulnerabilities like key recovery through repeated signatures. The algorithm computes a point \(R = k \cdot G\), where r is the x-coordinate of R modulo q. A hash of the message, \(e = H(M)\), is then calculated. The signature component s is derived as: \(s = k^{-1} (e + sk \cdot r) \mod q.\) Finally, the signature pair is produced as: \(\sigma = (r, s).\)
Signature verification (Verify): The signature verification process checks the authenticity of the signature using the public key pk and elliptic curve computations. The verification ensures that the signature \(\sigma = (r, s)\) corresponds to the message M and the public key pk. The verifier computes the hash: \(e = H(M),\) then calculates: \(w = s^{-1} \mod q, \quad u_1 = e \cdot w \mod q, \quad u_2 = r \cdot w \mod q.\) Using these values, the elliptic curve point is reconstructed as: \(R = u_1 \cdot G + u_2 \cdot pk.\) The signature is valid if the x-coordinate of R modulo q matches r.
Signature aggregation (Sign-Agg): This process aggregates multiple individual signatures into a single short aggregate signature, performed by the fog nodes. Given n individual signatures \(\sigma _i = (r_i, s_i)\) from various IoT devices, the aggregate signature is computed as: \(\Sigma _r = \prod _{i=1}^{n} r_i \mod q, \quad \Sigma _s = \sum _{i=1}^{n} s_i \mod q.\) The final aggregate signature is: \(\Sigma = (\Sigma _r, \Sigma _s).\) This process significantly reduces storage and communication overhead by replacing n signatures with a single compact representation in the blockchain, managed by the fog nodes.
This section introduces the ECC-based threshold signature scheme, an efficient and secure method for obtaining consensus within the proposed permissioned blockchain system29. The proposed Proof of Stake and Validation (PoSV) is an advanced consensus mechanism for permissioned blockchain networks. It integrates the energy efficiency of Proof of Stake (PoS) with robust validation methods that ensure secure and efficient decision-making. The ECC-based Threshold Signature Scheme integrates the compactness and efficiency of ECC’s lightweight features with the collaborative properties of threshold cryptography30. It further improves PoSV by incorporating collaborative validation, wherein a group of validators authenticates transactions, produces an aggregated signature, and attains a secure and resource-efficient consensus. Thus, the proposed scheme effectively reconciles efficiency and security while minimizing communication and storage costs. This multi-signature approach employs aggregate signatures and verification to authenticate IoT devices, improving IoT networks’ scalability and reliability. The ability to aggregate signatures and tolerate faults makes it a practical choice for IoT systems.
Key generation: This process uses the distributed key generation protocol (DKG) to generate a master private key sk and a corresponding global public key \(pk = sk \cdot G\). The master private key is divided into n shares using a Shamir secret sharing scheme. Using a (t, n) secret sharing scheme, the leader fog node splits the secret key sk into n shares \(\{sk_1, sk_2, \dots , sk_n\}\) such that: \(sk_i = f(i) \mod q.\) Each share \(sk_i\) is derived from a polynomial: \(f(x) = sk + a_1x + a_2x^2 + \dots + a_{t-1}x^{t-1} \mod q,\) where the polynomial f(x) ensures that \(sk = f(0)\). Each fog validator \(FV_i\) receives a unique share \(sk_i = f(i)\), ensuring that any t shares can reconstruct the secret key, while fewer than t shares reveal no information about sk. Finally, each fog validator \(V_i\) holds a unique share \(sk_i\), and the global public key remains \(pk = sk \cdot G\).
Block propose and consensus: A Fog Leader broadcasts a message M (e.g., a block or decision) to all fog validators.
Partial signature generation: Once the fog validator receives the message M from the leader, each fog validator \(V_i\) with a share \(sk_i\) computes a partial signature. When a message M needs to be signed for validation, each fog validator selects a random nonce \(k_i\), calculates the elliptic curve point: \(R_i = k_i \cdot G,\) and derives \(r_i\), the x-coordinate of \(R_i\). After performing these preprocessing steps, the fog validator computes: \(s_i = k_i^{-1} (H(M) + sk_i \cdot r_i) \mod q,\) where H(M) is the hash of the message. The partial signature \(\sigma _i = (r_i, s_i)\) is then sent to an aggregator (Fog Leader) for further processing.
Signature aggregation: In this process, the fog leader collects at least t valid partial signatures \(\{\sigma _{i_1}, \sigma _{i_2}, \dots , \sigma _{i_t}\}\) from different fog validators and computes the final aggregated signature, which is compact and consists of a single pair: \(\sigma = (r, s).\) Here, r can be taken from any valid partial signature, and s is computed as: \(s = \sum _{j=1}^t \lambda _j s_{i_j} \mod q,\) where the Lagrange coefficients \(\lambda _j\) are defined as: \(\lambda _j = \prod _{k \ne j} \frac{x_k}{x_k - x_j} \mod q,\) and \(x_j\) are the indices of the fog nodes.
Signature verification: To verify the aggregated signature \(\sigma = (r, s)\), the fog verifier uses the public key pk and the hash H(M) of the message. The verification involves computing: \(u_1 = s^{-1} \cdot H(M) \mod q\), \(u_2 = s^{-1} \cdot r \mod q\), and reconstructing the elliptic curve point: \(R = u_1 \cdot G + u_2 \cdot pk\). The signature is valid if r matches the x-coordinate of \(R \mod q\). This ensures that the signature was collaboratively generated by at least t participants holding valid shares.
System model of IoT network.
The proposed framework enables the blockchain to establish a secure collaborative IoT network, as illustrated in Fig. 5. This network provides edge device identification, IoT device authentication, cloud-based secure storage, authorization, and end-to-end secure communication within IoT networks. Figure 5 illustrates the proposed framework that ensures comprehensive security from edge (IoT) devices to the cloud environment through a combined approach. (1) A real-time simulation network comprises edge nodes. This network comprises permission blockchains and fog nodes, which include gateways, switches, and border routers. The fog servers will operate as an enhanced public key infrastructure, identifying and authenticating the edge devices of the IoT. (2) The consortium blockchain will facilitate the development of the information technology (IT) sector in the Cloud and Application domains. Federated Cloud providers govern this consortium blockchain, which will be connected with the permissioned blockchain system. This solution guarantees safe cloud storage, authorization, efficient key exchange, and remote encryption of all critical information. The two blockchain networks cooperate to provide a secure communication flow from end devices to cloud storage, protecting against various threats, including DDoS attacks.
The system model comprises six primary entities that form the proposed architecture: End Devices, Fog Nodes, Cloud Service Providers (CSPs), Backbone Network, Private Blockchain, and Consortium Blockchain, as shown in Fig. 4.The entire system is represented as: \(S = (D, F, C, B, P, Q)\) where: D represents the set of End Devices, F represents the set of Fog Nodes, C represents the set of Cloud Service Providers (CSPs), B represents the Backbone Network, P represents the Private Blockchain, Q represents the Consortium Blockchain.
IoT End Devices (D): The IoT end devices refer to the sensor devices within IoT systems that sense the surrounding environment and generate data for the system. Typically, these devices operate on batteries and have limited resources. These IoT edge nodes generate and transmit data to fog nodes for processing and authentication. Each end device \(d_i \in D\) is defined as: \(d_i = (ID_{d_i}, K_{d_i}, S_{d_i}, R_{d_i})\) where: \(ID_{d_i}\) is the unique identifier of the device, \(K_{d_i}\) is the cryptographic key for secure communication, \(S_{d_i}\) represents computation and storage capabilities, \(R_{d_i}\) denotes the communication range.
IoT fog nodes (F): IoT Fog nodes are responsible for carrying out fog computing activities within the fog layer. These nodes act as intermediate computing units between IoT end devices and the cloud. Each fog node \(f_j \in F\) is defined as: \(f_j = (ID_{f_j}, K_{f_j}, S_{f_j}, C_{f_j})\) where: \(ID_{f_j}\) is the unique identifier of fog node \(f_j\), \(K_{f_j}\) is the cryptographic key, \(S_{f_j}\) represents the storage capacity, \(C_{f_j}\) indicates participation in the Private Blockchain. Each node in the fog layer is responsible for gathering data from a particular set of IoT end devices29. The fog node authenticates the end devices and conducts necessary computations on the data, such as an integrity check, before delivering it to cloud storage. The use of fog and edge networks enables the future development of Internet of Things (IoT) devices. Multiple gateways can be connected to a single fog node, and multiple end devices can be connected to a single gateway, enabling scalability and flexibility in the IoT network architecture.
Backbone network (B): A public network, such as the internet, facilitates communication between the End Device layer, Fog layer, and Cloud layer.
Private blockchain (P) : The Private Blockchain is maintained by fog nodes for authentication and identity management. It is defined as \(P = (T_P, B_P, C_P, H_P)\). Where \(T_P\) is the set of authentication transactions, \(B_P\) represents blockchain blocks, \(C_P\) is the consensus mechanism (e.g., Proof-of-Stake and Validation), \(H_P\) is the cryptographic hash function. The fog node leader sets up the private blockchain network31. Its primary responsibility is to create the genesis block and register new IoT devices, gateways, and fog nodes within the IoT network. The fog node leader in a private blockchain can only publish a list of registered devices. The genesis block generated by the admin node includes the admin node’s public key address, timestamp, and a list of offline registered IoT devices, gateways, and fog nodes. This private blockchain acts as a public-key infrastructure, and the ledger contains the identities of IoT end devices, fog nodes, cloud service providers (CSPs), and end device metadata. The fog nodes execute smart contracts and create a decentralized peer-to-peer network to manage the IoT data.
Consortium blockchain (Q): The Consortium Blockchain is maintained by CSPs and fog nodes for secure cloud storage. It is defined as: \(Q = (B, C, H, S, T)\) where: B represents blockchain blocks, C is the consensus mechanism (e.g., POSV), H is the cryptographic hash function, S stores access control policies, T contains secure storage transactions.
This subsection presents the Dolev-Yao threat model for proposed IoT Systems, consisting of IoT edge devices, fog nodes, cloud service providers (CSPs), and private and consortium blockchain mechanisms. Using this model, we consider several potential threats that can compromise the security of the proposed system, including Compromised end device identity, Unauthorized access, Malicious fog node, Semi-trusted cloud, Malicious and selfish CSP in federated cloud etc. The following represents potential threats.
Compromised end device identity: In this scenario, an attacker (A) can compromise the identity of an IoT end device (\(d_i\)) and communicate maliciously with the system.
\(\text {Impersonate}(d_i) \rightarrow \text {Communicate with fog node} \rightarrow \text {Compromise identity at fog node}\) The attacker can impersonate the device and send false data or gain unauthorized access to cloud storage by bypassing fog node authentication.
Unauthorized access: The attacker may try to access data stored in cloud storage in a federated environment. \(A: \text {Access Cloud Storage without Authorization} \rightarrow \text {Compromise Data Integrity}.\) The attacker can gain unauthorized access to sensitive data stored by cloud service providers (CSPs) or manipulate the stored data. This access can be through compromised CSPs or unauthorized entities.
Malicious fog node: Fog nodes act as intermediaries between IoT devices and cloud services. An attacker can compromise a fog node, affecting the integrity of data transmitted between devices and the cloud. \(\text {Compromise Fog Node} \rightarrow \text {Modify Communication} \rightarrow \text {Access or Corrupt Data}.\) The attacker can modify, drop, or inject incorrect messages into the communication flow between the IoT devices and cloud services.
Semi-trusted cloud: The federated cloud environment consists of multiple CSPs, which may not be fully trusted. \(A: \text {Exploit Semi-trusted CSP} \rightarrow \text {Manipulate Cloud Storage and Integrity}.\) A semi-trusted CSP may act maliciously or fail to meet the protocol requirements, such as providing false data about storage or computational resources, or even manipulating user data.
Malicious and selfish CSP in federated cloud: In a federated cloud environment, some CSPs may act maliciously or selfishly. These CSPs may not adhere to the agreed-upon protocols, compromising the integrity of the system. An attacker A can exploit a malicious CSP, leading to \(\text {Misreport Storage}\) or \(\text {Denial of Service}\). The attacker can exploit these vulnerabilities to cause denial of service, misplace data, or reduce the overall trustworthiness of the cloud system.
Proposed framework.
Proposed methodology.
This section presents the proposed methodology that uses a collaborative private and consortium blockchain system to secure end-to-end communication in IoT networks. This methodology incorporates private blockchain in fog-enabled IoT networks and consortium blockchain32 in cloud-enabled IoT networks, as shown in Fig. 6. The following summary of the proposed method:
The private blockchain is set up and can be defined as: \(B_f = (F, T, H, SC), \quad B_F^t \mid t \in T(x)\). Where: F represents fog nodes, T represents transactions, H is a cryptographic hash function ensuring integrity, SC is the set of smart contracts governing authentication policies, \(B_F^t\) is the block that contains transactions for IoT device registration and authentication by each fog node. The set of fog layers operates within a private blockchain \(B_f\) for managing registration and authentication of IoT devices, maintaining consensus, validating authentication requests, and managing key storage.
Initially, all the fog nodes \(F_i\) will be registered within the private blockchain and store all their unique identities as \(ID_{F_i} = H(F_i \parallel T(F_i))\) in \(B_F\).
After registration, \(B_F\) assigns an ECC public-private key pair to the registered node. The public key is generated as \(pk_F = g^{sk_F} \mod p\). Where \(sk_F\) is the private key, p is a large prime number, and g is a generator. The fog node is issued an ECDSA certificate signed by the blockchain authority, expressed as \(Cert_{F_i} = Sign_{sk_{CA}}(F_i, pk_{F_i})\), which ensures that only verified fog nodes participate in the network.
IoT devices undergo offline pre-registration before deployment. The key pair for each IoT device is securely stored in a PUF, which is defined as \(PUF(D_i) = f(in)\). Where in is a unique challenge input, and f is the hardware-based function generating a unique cryptographic key. The resulting key pair is \(K_D = (pk_D, sk_D)\). Each IoT device \(I_j\) pre-registers its identity using \(ID_{I_j} = H(I_j \parallel T(I_j))\) along with an individual signature \(\sigma _I\). The IoT devices will register with fog nodes using a signed transaction represented as \(T_{reg} = S(H(ID_{I_j} \parallel ID_{F_i} \parallel T(x)), K_I)\). The transaction is validated via the PoSV consensus mechanism and recorded in \(B_F\).
Upon joining the network, the IoT device submits a registration request \(R_D = (UID_D, pk_D, \sigma _D)\). Where, \(UID_D\) is the unique identifier, \(pk_D\) is the public key, and \(\sigma _D = Sign_{sk_D}(UID_D)\) is the digital signature. The fog node verifies the signature using \(Verify(pk_D, \sigma _D, UID_D)\). Once verified, the device is registered in the blockchain for secure interaction.
To maintain consensus, the fog network uses an ECC-based Threshold Digital Signature (TDS) mechanism, defined as \(TDS = (t, n)\). Where t is the threshold number of fog nodes required to validate a transaction, and n is the total number of other participating fog nodes. The valid transaction T is sent to all fog nodes, and each transaction T is signed by at least t fog nodes using the signature \(\sigma = \sum _{i=1}^{t} Sign_{sk_{F_i}}(T)\). If the threshold is met, then the verified aggregated signature is valid.
The valid fog nodes perform the ECDSA-based aggregate multiple signatures. The IoT edge devices will verify the given aggregate signature \(S_{agg} = \sum _{i=1}^{m} Sign_{sk_{D_i}}(M)\), where M is the authentication message using \(Verify(pk_{D_i}, S_{agg}, M)\). This method reduces the verification complexity, computational overhead, and improves efficiency.
The fog nodes use a smart contract that automates key management policy enforcement, IoT edge device registration, and authentication. The IoT edge registration is expressed as \(SC_{reg}(UID_D, pk_D, \sigma _D)\), which verifies the signature \(\sigma _D\) by the smart contract before approving IoT device registration. The smart contracts also enforce access control policies and revocation mechanisms.
The challenge-response mechanism is performed between the IoT edge device and the fog node for device-level authentication. The fog node sends challenge \(C_h\) to the IoT edge device, and then the IoT edge device computes the response \(R_h\) as \(R_h = H(C_h \parallel K_I)\) and sends it to the fog node. If \(R_h\) is verified, then access is granted.
Once the registration is completed, secure communication is performed between the IoT device and the fog node using an Elliptic Curve Diffie-Hellman (ECDH) key exchange. It is used to establish a secure channel between IoT devices and fog nodes: \(K_{DF} = g^{sk_D sk_F} \mod p\). The secure communication is achieved using AES encryption: \(M_{\text {Aes-Enc}} = E(M, K_I)\) and decryption: \(M = D(M_{\text {Aes-Enc}}, K_F)\). Here, the AES-shared secret is used for encryption: \(\text {Enc}(P, K) = C\), where P is the plaintext data, K is the shared key, and C is the ciphertext.
A bridging protocol ensures communication between fog and cloud networks: \(B_C \leftarrow H(B_F)\), where \(B_C\) is the cloud consortium blockchain. To ensure interoperability, the fog blockchain \(B_f\) and cloud blockchain \(B_c\) perform cross-chain authentication using multi-signature transactions. This is defined as: \(T_{\text {cross}} = \text {Sign}_{sk_{F_i}}(H(B_f)) \parallel \text {Sign}_{sk_{C_j}}(H(B_c))\), where H is the hash function, ensuring trust propagation across layers.
IoT devices are registered in the cloud via fog nodes using aggregated signatures: \(\sigma _A = \sum _{j=1}^{n} S(H(ID_{I_j} \parallel T(x)), K_I)\) which reduces verification complexity.
Authentication ensures device legitimacy: \(V_{auth} = H(ID_{I_j} \parallel ID_{C_k} parallel \sigma _A) {\mathop {=}\limits ^{?}} B_C\) \(\{T_{cross}\} = \text {Sign}_{sk_{F_i}}(H(\{B_f\})) \parallel \text {Sign}_{sk_{C_j}}(H(\{B_c\}))\) where H is the hash function, ensuring trust propagation across layers.
Segregates cloud storage into Committed and Uncommitted Storage for enhanced security to perform efficient storage mechanism
Data is securely stored and retrieved using encryption \(D_{enc} = E(D, K_C)\). Access is managed through blockchain-based identity verification.
The following provides detailed proposed methodology (1) End-to-end Registration and Device Identification framework using the permission blockchain system (2) Multi-Level Authentication in Cooperative IoT Networks. (3) End-to-End Secure Communication.(4) Cloud Secure Storage using Consoritum Blockchain.
The Identification and Registration (IAR) Protocol procedure ensures that only authorized IoT devices, gateways, fog nodes, and border routers can participate in the IoT network, enhancing security and integrity. Registering IoT devices, gateways, fog nodes, and border routers in a blockchain system involves providing their identities and other necessary information into the blockchain ledger. This IAR protocol is a standard protocol built into the permission blockchain system that does not require any current Public Key Infrastructure. The IAR protocol will send registration information between Fog Nodes and Edge Devices using an identity-based ECC protocol. This phase protects IoT edge device privacy by utilizing a pseudo-anonymous identity scheme. Figure 7: Registration of IoT Devices in Permission Blockchain System using Aggregate and Threshold Signatures in IoT Network.
Registration of IoT devices in permission blockchain system using aggregate and threshold signatures in IoT network.
(a) ECC-based aggregate signature scheme. (b) Permissioned blockchain system consensus with threshold signature scheme.
IoT nodes (Edge, Fog, Gateways) must register with the private blockchain before sending or receiving data in the network.
New joining IoT devices send registration requests to a Fog Node in the IoT Network.
IoT devices register on the private blockchain network through communication with fog nodes. They register in two steps: Offline and Online Registration.The Offline Registration involves registering IoT devices to the blockchain system using their Device ID and an Initial Secret key stored in the Physical Unclonable Function (PUF). The network administrator configures the IoT device with a device ID, a coordinator fog node, and a temporary access token. The device ID and key are uploaded to the fog layer admin node from the registered devices’ uncommitted list. The admin node also publishes this information to the blockchain network, resulting in a transaction in the block. While, Online Registration involves registering IoT devices in a private blockchain and assigning them a public-private key pair issued by the blockchain network. The IoT device signs all communications using the ECDSA sign algorithm, and any IoT node can verify the message’s authenticity using the ECDSA verify algorithm. All transactions in the private blockchain are uncommitted until they are included in a block on the blockchain.
A crucial step in the permission blockchain network is registering fog nodes. This can be done by a system administrator or in the same manner as IoT devices. Each fog node, called a fog peer, is assigned a unique ECC-based identification. This identity is pivotal in enabling fog peers to transact on the private blockchain network.
The Blockchain Ledger and Genesis Block: Each fog peer in the private blockchain network is responsible for maintaining the ledger. This is achieved through the system’s consensus process, which allows Fog peers to agree on the blockchain’s current state. The first block in the network, the genesis block, is accepted immediately as there are no other fog peers at this stage.
Fog nodes validate a permission blockchain system. Our proposed work includes ’n’ Fog Nodes, which can securely hold the storage space for all registered IoT edge devices.
After receiving individual signatures from all IoT edge nodes via the ECDSA Protocol. (1) The Fog Node uses an ECC-based Aggregate Signature Scheme for efficient verification and shorter signatures. For example, consider one Fog node receives a ’n’ registration request from the various joining IoT edge nodes, each with ’n’ individual signatures. (2) The Fog node (Validator) creates an ECC-based Aggregate Signature from ’n’ individual signatures, resulting in one short signature. Similarly, other service providers will use the same technique to construct a single short signature from the desired ’n’ individual signatures. Figure 8(a) depicts the IoT device identification and registration process utilizing the ECC-based Aggregate Signature Scheme. The process is shown in the Algorithm 1.
A fog node produces a new block by aggregating uncommitted valid transactions into an Aggregate Signature, which is then stored in the blockchain ledger instead of individual signatures.
The Proof-of-Stake and Validation (PoSV) consensus mechanism will be used to accept blocks as illustrated in Algorithm 2. An ECC-based Threshold Signature Scheme ensures consensus and prevents a single control point among fog nodes. The block will be constructed with the short signatures from all the joining IoT edge device registration requests from the ’n’ Fog nodes signatures that meet the (Consensus) threshold value and will be used to create the block for the registered IoT devices. For example, suppose the ’m’ fog nodes form a distributed group that receives joining registration requests from IoT edge devices. All joining receiving fog nodes will be group members, and the final block will be generated when the t threshold characteristics are reached. In this situation, the block creator fog node will sign and commit the block to the blockchain system. In contrast, the fog nodes will keep the synthetic signature of the identity records of registered IoT edge devices. Figure 8(b) depicts a permissioned blockchain system that uses a threshold signature mechanism.
After registering with the blockchain, the IoT device will be issued an ECC-based identity for secure communication within the IoT network. Each IoT device creates a long-term shared key AES128-\(\text {GCM Key}\) with the fog layer. This key is formed by combining the IoT edge device’s identification with a corresponding fog node using the ECDH algorithm. The generated shared key is AES128-\(\text {GCM Key}\) key encrypts the data sent between the IoT edge device and the fog layer. The key credentials of the IoT edge devices will be kept in an encrypted JSON file on the private blockchain ledger as illustrated in Algorithm 3, allowing any fog node to satisfy the IoT device’s request in the event of a node failure.
The IoT edge device will securely communicate with other edge devices in the IoT network by utilizing its device identification and key credentials.
Creation of aggregate signature
Block proposal in private blockchain
Endorsement of proposed block in private blockchain
Block proposal in consortium blockchain
Endorsement of proposed block in consortium blockchain
This section presents the multi-layer authentication framework that ensures device-level network-level and cloud-level authentication for secure end-to-end communication in IoT networks. This proposed method provides efficient authentication and encryption to protect data from edge devices to the cloud and ensure secure communication paths in the IoT network. The multi-level end-to-end authentication performs robust authentication28, confidentiality, and access control across IoT networks, including IoT device authentication, gateway authentication, network authentication, cloud authentication, and end-to-end encryption to protect against DDOS attacks. Additionally, this method reduces the verification complexity and the computational overhead, and the combined approach of threshold and aggregate signatures improves efficiency.
Figure 9 illustrates a multi-level end-to-end authentication technique within an IoT-enabled federated cloud environment. It comprises three primary authentication levels: Device Level Authentication, Network Level Authentication, and Application Level Authentication. Device Level Authentication is executed within the Fog-Enabled Private Blockchain Network that ensures secure identity verification using a private blockchain maintained by fog nodes.. Network Level Authentication is administered by the Cloud-Enabled Consortium Blockchain Network, to facilitate authentication among fog and IoT edge devices. while Application Level Authentication is executed for access control with threshold signature schemes for secure document retrieval.
Device Level Authentication: IoT devices register and authenticate with a fog-enabled private blockchain. IoT device authentication occurs in the private blockchain maintained by fog nodes. The following steps include:
Private Blockchain Setup: A set of fog nodes \(F = \{ F_1, F_2, \dots , F_n \}\) initializes a private blockchain. The private blockchain stores the registered IoT device identities \(BC_{\text {private}} = \{ (ID_{d_i}, PK_{d_i}, Sig_{d_i}) \ | \ d_i \in D \}\), where \(ID_{d_i}\) is the unique identifier of the IoT device \(d_i\), \(PK_{d_i}\) is the public key of \(d_i\), and \(Sig_{d_i} = \text {Sign}_{SK_{d_i}} (ID_{d_i})\) is the cryptographic signature using the device’s private key.
Registration and Authentication: Each IoT device \(d_i\) generates a key pair \((SK_{d_i}, PK_{d_i}) \leftarrow \text {KeyGen}(1^\lambda )\), where \(SK_{d_i}\) is the private key, \(PK_{d_i}\) is the public key, and \(\lambda\) is the security parameter. A device identity is recorded as \(ID_{d_i} = H(PK_{d_i} \parallel \text {Metadata})\). The device registers itself with the assigned fog node \(F_j\) by creating a unique identifier, \(ID_{D_i} = H(PK_{D_i} \parallel \text {Metadata})\), where H is a cryptographic hash function. Each device signs its identity before registration: \(Sig_{d_i} = \text {Sign}_{SK_{d_i}}(ID_{d_i})\). The device’s authentication request is validated by the fog nodes using a threshold signature scheme, requiring at least t out of n fog nodes: \(Sig_{D_i} = \sum _{k=1}^{t} \lambda _k \cdot Sig_{F_k}\), where \(\lambda _k\) are Lagrange coefficients. Fog nodes verify the aggregate signature: \(\text {Verify}(PK_{d_i}, Sig_{d_i}, ID_{d_i}) \Rightarrow 1 \text { (Valid) or } 0 \text { (Invalid)}\). Once verified and valid, the fog node stores \((ID_{d_i}, PK_{d_i}, Sig_{d_i})\) in the private blockchain \(BC_{\text {private}}\).
Network Level Authentication: The network-level authentication extends the IoT device identity verification to the consortium blockchain. The authentication process extends to ensure secure communication between IoT devices and the federated cloud via Fog nodes using consortium blockchain is explained in Algorithm 4 & 5.
The IoT edge device and fog nodes are registered in the consortium blockchain \(BC_{\text {consortium}} = \{ (ID_{d_i}, AggSig_{d_i}, PK_{d_i}) \ | \ d_i \in D \}\). Where, \(AggSig_{d_i}\) is an aggregated signature formed by multiple fog nodes to validate the IoT device identity. Suppose multiple devices \(\{d_1, d_2,\ldots , d_m\}\) authenticate together. Each device \(d_i\) has its signature \(Sig_{d_i} = \text {Sign}_{SK_{d_i}}(ID_{d_i})\). The aggregate signature is computed as \(Sig_{\text {agg}} = \prod _{i=1}^{m} Sig_{d_i} \mod q\). Where, q is a large prime number, and m is the number of participating fog nodes. The aggregate signature combines all individual signatures. The verifier checks \(e(Sig_{\text {agg}}, g) = \prod _{i=1}^{m} e(H(ID_{d_i}), PK_{d_i})\) using an ECDSA, where m is the number of participating fog nodes. If valid, the IoT edge device is granted network access.
This sections presents a secure communication path between IoT edge devices and federated cloud providers, which will be developed by integrating private and consortium blockchains. This ensures that data sent between IoT edge devices and the cloud is encrypted and authenticated, preventing unauthorized access. The main purpose is to allow end-to-end secure communication in an IoT network in a cooperative flow environment using permission and consortium blockchains. The following procedure provides end-to-end secure communication in an IoT network in a cooperative flow environment.
The VSP node in the cloud has its own ECC-based identity and performs various actions, including secure document upload and retrieval using dedicated functions.
The fog nodes manage device registration at the edge of the IoT network. Once consensus is established in the permission blockchain network, the proposer fog node sends the newly accepted registration block to the cloud-based consortium’s blockchain, allowing end-to-end registration. The cloud node receiving the data authenticates the fog node and checks the block’s contents. After verification, newly registered IoT devices are stored on the cloud consortium blockchain network.
After authenticating the IoT device, the fog blockchain layer securely uploads data to cloud storage. The fog nodes exhibit the identification of the IoT device, the document identifier, and the specific document or data intended to be uploaded.
The fog node uses a permission blockchain smart contract to receive requests and validate IoT device identities. Once the authentication process is completed, the upload request is transmitted to cloud storage by requesting the front-end cloud server. The front-end cloud server carries out the authentication process for IoT edge devices and fog nodes and executes the upload operations.
The cloud conducts end-to-end authentication by verifying IoT device IDs against aggregated registrations maintained in the Cloud Consortium Blockchain. A End-to-End authentication protocol ensures that authentication from the private blockchain is extended to the consortium blockchain. The authenticated IoT devices are stored in the consortium blockchain \(F_j \rightarrow CSP_k: \text {Authenticate } ID_{d_i} \text { using } AggSig_{d_i}\). Where, \(AggSig_{d_i}\) is the aggregate signature, \(F_j\) is the fog node maintaining private blockchain authentication, Authentication is extended across fog nodes and cloud providers, \(CSP_k\) is the cloud service provider managing the consortium blockchain. After successful authentication, the cloud securely uploads documents.
Edge devices of IoT can access cloud storage data using VSP and fog nodes. IoT devices can initiate requests at fog nodes. Upon authentication of the IoT edge device initiating the request, the fog node will forward the retrieval request to the Cloud VSP. Upon successful authentication, the cloud VSP node will verify the identity of the fog and IoT edge devices. Subsequently, the requested data will be collected from the cloud storage and transmitted to the IoT edge device through the fog node.
The documents of IoT devices were encrypted with the AES key before being uploaded; the cloud storage service cannot read the data stored. The identity of the device uploading the document is similarly hidden from the cloud because it is identifiable by the blockchain network’s ECC Public key, which may be changed at any time. A session key \(K_{session}\) is generated and encrypted as \(C_{session} = \text {Enc}_{PK_{D_i}}(K_{session})\). Decryption will be performed by the IoT device: \(K_{session} = \text {Dec}_{SK_{D_i}}(C_{session})\). The secure end-to-end communication in IoT edge devices to cloud networks is established as \(C_{msg} = \text {AES-Enc}(K_{session}, \text {Data})\).
This section presents secure storage in a federated cloud environment in an adversarial environment by utilizing a consortium blockchain to ensure authorization, integrity, efficient key exchange, and confidentiality while remotely protecting (encrypting) all sensitive information and data stored in cloud networks. It aims to improve secure storage in an adversarial federated cloud environment with the consortium blockchain system in the presence of hostile or selfish cloud providers and notify all network members when any abnormality(attacks) is detected.
Suppose there are ‘n’ virtual service providers who can securely provide storage space to all the registered end-users. The following procedure integrates the private and consortium blockchain and registers the IoT nodes in the cloud networks.
The Virtual Service Providers node creates the genesis block, which initiates the consortium blockchain network. The genesis block contains the public key addresses of Cloud Service Providers (CSPs) that will be used for cloud storage. The consortium blockchain system will store registration information for all registered IoT nodes, including edge and fog devices, from the private blockchain system33.
Virtual service providers will manage the consortium’s blockchain system. During the registration process, new end users initiate one of the virtual service providers within the cloud environment to facilitate the registration process.
The consortium blockchain network will monitor the data servers while the VSPs function as peers. Data owners (IoT Devices) and data consumers (End Users) utilize the system’s services to securely store, share, and access data from cloud storage. The servers can function as autonomous nodes or be deployed on the user’s hardware. The servers and the VSP maintain the blockchain ledger34 and execute transactions inside the cloud network.
The fog node uses a smart contract to send block information to the consortium blockchain after producing a new block on the private blockchain. The transaction data is stored in the federated cloud to ensure privacy and security35. In addition, the device’s key credentials, information, and aggregated signatures will be kept in private and consortium blockchain ledgers to enable access permissions and assure data integrity.
To propose an efficient storage scheme, we divide cloud storage into Committed and Uncommitted Storage. Both storage can only be accessed via the consortium blockchain, which ensures secure access and storage.
Secure cloud stroage using consortium blockchain system.
This section presents the results of the experiment and performance analysis of the proposed work. This proposed work is implemented by integrating the Contiki-NG, FogSim, Hyperledger Fabric, CloudSim, and Hyperledger sawtooth at different layers of the IoT network for evaluating the system’s security, scalability, and performance efficiency. The system setup consists of four major components: Contiki-NG and Cooja is used for IoT simulation that simulates 500 IoT sensor devices and also enables communication with the fog layer (6LowPAN Gateways, Border Router) using the MQTT protocol. After the registration, the IoT edge devices securely transmitted the generated sensor data to the fog nodes. FogSim is used for simulating the fog nodes, another layer in the IoT networks. These nodes perform real-time data pre-processing and authentication before securely forwarding the IoT data to the cloud. Hyperledger Fabric is a permissioned blockchain, which is an open-source platform maintained by the Linux foundation. This fabric is deployed at the fog nodes layer. The fog nodes act as blockchain-based endorsing, committing, and anchor peers for executing authentication and validation tasks. A threshold signature-based Proof-of-Stake and Validation (PoSV) consensus mechanism is used to validate transactions using the Switachble plugin. All the IoT devices will be registered on this private blockchain, and their authentication requests will be verified using smart contracts. CloudSim is a framework used to deploy at the cloud layer of the IoT network. The cloud’s multiple Cloud Service Providers (CSPs) will maintain the consortium blockchain. This blockchain ensures access control enforcement, protection against unauthorized modifications, and secure data storage. This framework enhances the security and efficiency of IoT-fog-cloud integration using blockchain technology, including Secure registration and authentication using ECC-based identities, Threshold consensus for blockchain transactions, a trust model for fog nodes, End-to-end data security using encryption and blockchain authentication, and Secure cloud storage and retrieval while maintaining device anonymity. The following are the key processes of the experimental system.
Node registration : IoT devices register on the private blockchain network by communicating with fog nodes. The registration process consists of two steps. (1) Offline Setup: The network administrator assigns a device ID, a coordinator fog node, and a temporary access token to the IoT device. (2) Online Registration: The algorithm device registration in private blockchain is invoked. The IoT device is assigned a blockchain-generated public-private key pair, and the encryption key is established using the ECDH algorithm. Device details are stored in a JSON file within the fog node. Eventually, the fog node creates a blockchain transaction using an aggregate signature, committing all device registrations. Figure 26 shows in Appendix IoT Device registration Request flow to a Fog Server. Figure 27 shows in Appendix establishment of an ECC-based Identity for a fog node.
Fog node identity and registration: Fog nodes are registered in the blockchain network either by a system administrator or through an automated process similar to IoT devices. Each fog node (or fog peer) is assigned an ECC-based identity used for transactions within the private blockchain network. Figure 30 shows in Appendix End-to-End Registration at the fog node.
Blockchain ledger and genesis block: Every fog peer maintains the blockchain ledger and agrees on its state through a consensus mechanism. The genesis block, the first block in the network, is created by the first fog peer added by the system administrator. Since no other fog peers exist at that point, it is accepted immediately. This implementation incorporates a reputation system where fog peers gain credibility for successfully validating blocks, increasing their trustworthiness in the network. Figure 25 shows in Appendix the start-up process of a fog peer in the Private blockchain network.
Transaction list and peer node communication: Fog nodes maintain a transaction list containing (1) Device registrations (2) Message communications. Each peer can create transactions using the /transactAPI. Transactions are signed and broadcast across the network. Fog peers broadcast an existence message to their neighbors, establishing peer connections. When an IoT device requests authentication, the fog node verifies it against the blockchain ledger before forwarding its request to the cloud storage system36. Figure 28 shows in Appendix the blockchain ledger instance presenting stored transactions, authentication records and block structure.
Authentication in private blockchain: IoT devices are initialized on specific ports (e.g., port 4XXX). After registration with their respective fog nodes, devices can send messages via the blockchain network. This process can be tested using the /deviceTransaction API, which transmits a message to be authenticated and stored in the blockchain..
Consensus mechanism: Fog nodes initiate block creation by selecting transactions from the uncommitted transaction pool. The newly created block is then broadcast to all fog peers for validation. Once a block receives a threshold number of validations, it is appended to the blockchain ledger. Figure 29 shows in Appendix the New block creation using the threshold Consensus mechanism.
Cloud consortium blockchain: Cloud nodes operate within a federated cloud environment, independent of the private blockchain at the fog layer. They perform cloud functionalities with dedicated storage space, such as data storage and retrieval. In this system, cloud nodes run on ports ranging from 5000 to 5999. Each cloud node possesses an ECC-based identity and exposes APIs for secure document upload and retrieval.
End-to-end registration of IoT devices: The fog-based private blockchain handles device registration at the network’s edge. When a new registration block is accepted by consensus, the proposer node forwards it to the cloud-based consortium blockchain. The cloud node authenticates the fog node and validates the block contents before storing new IoT device registrations. Figures 31 and 32 show in Appendix Loading a cloud Environment and End-to-End Registration at the Cloud Network.
Data upload to cloud storage: Authenticated IoT devices securely upload data to cloud storage via the fog blockchain layer. The fog nodes expose the \(\texttt {/uploadToCloud}\) API, which accepts userId - Identity of the IoT device, docId - Identifier for the document or data, and doc - The document or data to be uploaded.
E2E authentication and secure data upload: The fog node forwards authenticated upload requests from IoT devices to the cloud blockchain system. The cloud node verifies the IoT device’s userId against registered identities in the Cloud Consortium Blockchain. Data is securely uploaded upon successful authentication using the system’s secure document upload algorithm. Figure 33 shows in Appendix uploading requests from IoT devices to the Cloud Environment via fog nodes.
E2E authentication and secure data retrieval: IoT devices retrieve stored data from cloud storage via fog nodes. The \(\texttt {/retrieveFromCloud}\) API allows devices to request stored documents. The fog node authenticates the requesting IoT device before forwarding the request to the cloud. The cloud node performs additional authentication and retrieves the requested data. Since data is encrypted before storage, the cloud cannot read the contents. Furthermore, the blockchain-based ECC identity ensures device anonymity during data transactions. Figure 34 shows in Appendix uploading request handled by cloud node and Fig. 35 shows in Appendix retrieval request by cloud node.
Transaction latency.
Block acceptance time.
Document upload.
Aggregate signature in blockchain.
Threshold signature in blockchain.
Size of the aggregate signatures.
This section presents the proposed framework’s performance evaluation, focusing on key metrics such as transaction latency, block acceptance time, cryptographic processing overhead, and consensus mechanism efficiency. The system maintains linear complexity, Optimized cryptographic, and efficient consensus mechanisms. The following Figs. 10, 11, 12, 13, 14, 15, 16, 17 and 18 depict the experiment results, which illustrate the various key performance metrics.
Transaction latency is the time required for a transaction to propagate across all fog nodes in the private blockchain network. Figure 10 compares transaction latency in the private blockchain (operating within the fog layer) and the consortium blockchain (maintained by the federated cloud). The Figure 10 shows that transaction latency increases linearly as the number of fog nodes in the network grows. However, the cumulative average transaction time remains stable, confirming that the proposed framework exhibits linear complexity and maintains efficiency as the network scales.Consensus-based threshold signatures allow multiple authentication requests to be efficiently verified in a single aggregated process, reducing the cryptographic overhead and improving authentication efficiency, leading to an authentication delay of 35–60 ms. This optimizes authentication in the Fog Layer, lowering the delay compared to traditional blockchain validation. At the Cloud Layer, authentication relies on smart contract execution for device identity verification and access control. Due to blockchain consensus and multi-signature validation, the authentication delay ranges between 150–250 ms. However, by aggregating multiple signatures from different authentication events, the overhead of verifying multiple individual transactions is significantly reduced, and the authentication delay ranges between 95–180 ms, ensuring a more scalable approach.
Block acceptance time (i.e., the duration required for a block to be verified and appended to the ledger in private and consortium) is a critical parameter in blockchain-based cloud storage systems. The private blockchain maintained by fog nodes and the consortium blockchain maintained by federated cloud nodes serves as the backbone for secure data storage. The POSV consensus time for block finalization is compared against End-to-End (E2E) and Virtualized Secure Network (VSN) models. Figure 11 shows that the proposed system achieves efficient consensus while maintaining security. Additionally, The block acceptance time remains within acceptable limits, ensuring the feasibility of large-scale deployments. While the IoT Layer does not directly involve blockchain transactions, the Fog Layer implements a Threshold Signature Scheme (TSS) combined with PoSV Consensus, reducing the computational burden of individual signature verification. While the IoT Layer does not directly involve blockchain transactions, the Fog Layer implements a Threshold Signature Scheme (TSS) combined with PoSV Consensus, reducing the computational burden of individual signature verification. This results in an optimized transaction latency of 80–150 ms, compared to the previous 100–200 ms without TSS. At the Cloud Layer, a Consortium Blockchain executes smart contracts and multi-party consensus verification, leading to 280–420 ms transaction latencies. However, Aggregate Signature Schemes allow multiple transactions to be validated in batches, reducing the total verification time. This reduces the load on blockchain nodes and improves scalability.
The proposed systems use aggregate signature schemes, and their performance was analyzed to evaluate the computational cost of this scheme. Figure 13 shows that the processing time rises exponentially as the number of aggregate signatures increases. The growth in computational overhead becomes significantly more pronounced when higher security levels are enforced (64-bit, 123-bit, and 256-bit cryptographic security). Similarly, the impact of consensus-based threshold signatures used for computational efficiency was analyzed. As depicted in Figure 14, the processing time for threshold signatures increases exponentially with the security level. These results highlight the trade-off between security strength and computational efficiency, emphasizing the need for optimization techniques to balance security and performance.
The document upload and storage performance in the consortium blockchain was evaluated. Figure 12 presents an analysis of document upload performance. The total time required for uploading documents increases proportionally with the number of uploaded documents. However, the average upload time per document remains stable. This indicates efficient storage management, as the system maintains a consistent processing rate per transaction, ensuring scalability. The impact of signature aggregation on storage efficiency was assessed. Figure 15 shows the size of aggregate signatures increases linearly with the number of participating fog nodes. Higher security levels (e.g., 256-bit encryption) also result in larger signature sizes, imposing additional storage overhead. However, a key advantage of aggregate signatures is that they significantly reduce signing time compared to non-aggregated signatures, particularly as the network grows. As depicted in Figure 16, Aggregation significantly improves signing efficiency, particularly as the number of nodes increases.
Figure 17 Illustrates that aggregated signatures achieve significantly faster verification times than non-aggregated schemes. This demonstrates the effectiveness of signature aggregation in reducing computational complexity while ensuring cryptographic security. At the Fog Layer, ledger-backed identity verification ensures secure and tamper-proof data storage. Integrating Threshold Signatures strengthens identity verification by distributing signing authority across multiple nodes, reducing the risk of single-point failures. At the Cloud Layer, the consortium blockchain utilizes tamper-proof logs, enhancing security and ensuring integrity. Aggregate Signatures further improve storage efficiency, as multiple authentication events and transactions are stored using a compressed, single aggregated signature, reducing blockchain ledger size and improving retrieval efficiency. Scalability is evaluated by assessing the network’s ability to handle a growing number of devices and users. The IoT Layer supports up to 500 nodes, ensuring reliable device-to-gateway communication. The Fog Layer efficiently manages 5-10 fog nodes, balancing computational loads while preventing bottlenecks.
The PoSV consensus mechanisms are vital in determining the throughput and efficiency of blockchain-based systems. Figure 18 presents a comparative throughput analysis across various consensus protocols as the number of nodes increases. Figure 18 shows that the Proof-of-Voting (PoSV) consensus achieves the highest throughput, making it the most efficient mechanism for large-scale deployment. KAFKA-based consensus follows closely in performance, offering high transaction processing rates in controlled environments. Practical Byzantine Fault Tolerance (PBFT) and RAFT exhibit lower throughput due to their higher communication and computational overhead.
Figure 19 shows a comparative throughput analysis of various authentication of IoT networks. The figure demonstrates a significant difference in performance as the number of IoT nodes increases. The proposed work achieves better throughput across all node configurations, from 76.25 requests/sec at 50 nodes to 3071 requests/sec at 500 nodes. This proposed edge and fog-level model significantly outperforms existing models in9,21,37,38. Additionally, the proposed work indicates its ability to efficiently handle a higher number of authentication and communication requests, making it highly scalable for large-scale IoT environments. In contrast, the models in37 and38 exhibit the lowest throughput, peaking at 95.99 and 86.82 requests/sec at 500 nodes, respectively, suggesting that these models may suffer from performance bottlenecks due to computational overheads or inefficient consensus mechanisms.
The model in21 shows moderate scalability, reaching 2456.8 requests/sec at 500 nodes, which, while better than the proposed model at the edge level, still falls short of the proposed work. This makes it suitable for real-time IoT applications, blockchain-based authentication, and large-scale decentralized networks. The findings suggest that while traditional authentication mechanisms in37 and38 may still be viable for smaller-scale implementations, high-performance IoT deployments require more advanced and scalable frameworks to ensure efficient, secure, and seamless communication.
Signing time for aggregate & non-aggregate signature(s).
Verification time for aggregate versus individual signature.
Throughput performance of the proposed consensus with other S.O.A consensus mechanisms.
Figure 20 compares different authentication models used in IoT networks based on data size (in bytes) and the corresponding processing time (in milliseconds). The proposed model at the edge level, fog level, fog level with blockchain, cloud with blockchain, fog level with blockchain is compared with existing models in9,9,37,38. Figure 20 shows that the proposed work integrates fog processing, while other models rely more on cloud-based authentication, which introduces delays due to longer processing times. For small data sizes, the processing time remains low across all models, but a significant performance difference is already noticeable. Our Proposed Work consistently achieves 68.9 ms at 128B, 256B, and 512B, which is higher than all other models, indicating better efficiency. The model in38 follows with values ranging from 57 to 65 ms, However, the models in37 and9 lag slightly behind. This suggests that fog processing in our proposed work allows faster authentication, even for small data packets. As the data size increases, the performance gap widens between fog-based and cloud-dependent authentication models. At 1024B, the Proposed Work reaches 81.3 ms, whereas models in37 and38 achieve only 68 and 61 ms, respectively. The increasing delay in cloud-based models indicates that cloud processing introduces additional overhead, making authentication slower as data size grows. In contrast, the fog-based authentication model in the proposed work maintains efficient performance, demonstrating its suitability for real-time applications. Cloud-based authentication models face severe delays at larger data sizes due to computational overhead and network congestion. The proposed work scales efficiently, achieving 91.866 ms at 8192B, whereas models in37 and38 achieves 78 and 74 ms respectively. The exsiting start of art blockchain models also struggle, as blockchain consensus mechanisms add verification time. This clearly shows that proposed work, leveraging fog processing, reduces reliance on cloud-based authentication, leading to significant performance improvements in large-scale IoT environments.
Throughput analysis.
Uploading the document with varying different data size.
The security analysis of the implemented system showed that using private blockchain networks in IoT is secure against various attacks.
Unauthorized IoT device: The framework requires offline setup of IoT devices where the network admin registers the device information with fog nodes. The setup procedure guarantees a secure key exchange. An attacker can capture some IoT device immediately after the offline registration and maliciously pretend to be the authorized device. However, since the online setup must be completed within some \(\delta t\) duration after offline registration where \(\delta t\) is a short duration, the chances of physical device capture is rare. Hence, the scheme is secure against unauthorized IoT devices. Figure 21 depicts the Unauthorized Access Attack39.
Eavesdropping: The IoT devices establish a shared secret key with fog nodes using ECDH algorithm. This shared key is used for all communications between the IoT devices and fog layer. Similarly, the fog and cloud nodes establish a shared secret key for secure communication.
Distribute denial of service The private blockchain network is setup by the network administrator and hence, all fog nodes and IoT devices are registered offline as mentioned in the registration process. An adversary cannot perform a DDoS attack40 as the requests that are outside the offline registered set of devices will be directly rejected. Hence, the system is secure against DDoS attacks
Message tampering: Digital signatures and aggregate signatures maintain message integrity. The messages sent by the IoT devices to the fog nodes are digitally signed using the ECDSA algorithm. Multiple messages are combined to be sent to cloud storage, and this transaction is signed using the ECDSA aggregate signature scheme. The aggregate signature is stored in the private blockchain after validation by consensus. Due to the security of the blockchain, a validated transaction is hard to tamper with, and hence, the proposed scheme is practically tamper-proof.
Unforgeability: The proposed cryptographic technique guarantees that no adversary may fabricate a legitimate signature without obtaining a minimum of t shares. The secret key sk is never completely reconstructed, maintaining the system’s security even if particular shares are compromised. The implementation of ECC offers strong cryptographic guarantees derived from the ECDLP.
Replay attack resistance: Unique nonces \(k_i\) associate each signature with a particular message, preventing reuse.
Fault tolerance The technique is resilient to faults, necessitating only t out of n legitimate fog validators to produce a valid signature. This guarantees the system can withstand up to \(n - t\) malicious or inactive validators without compromising consensus.
Resilience against identity compromise: Even if an adversary A compromises an IoT device identity, the attack fails due to cryptographic protections. The forgery attempt by A is expressed as: \(A: \text {Forgery}(Sig_{d_i}) \Rightarrow \text {Fails without } SK_{d_i}\). The multi-layered authentication (private blockchain + consortium blockchain) prevents unauthorized access: \(A: \text {Impersonate } d_i \Rightarrow \text {Fails without valid } AggSig_{d_i}\).
Collusion resistance: The secret sharing technique inhibits adversaries from recovering the master private key sk unless they collude with a minimum of t fog nodes. Adversaries cannot recreate the private key from fewer than t shares.
Protection against malicious fog nodes and resilience: Since multiple fog nodes participate in signature aggregation, no single fog node can compromise authentication: \(\text {Majority Voting: } \sum _{j=1}^{m} \text {Valid } Sig_{d_i} > \frac{m}{2}\). Where m is the number of fog nodes. Additionally, to perform the consensus, a threshold signature is required. An adversarial subset of fog nodes cannot compromise authentication: \(t < \frac{n}{2} \Rightarrow \text {No Authentication Granted}\). Additionally, Compactness: The aggregated signature \(\sigma = (r, s)\) maintains a fixed size, irrespective of the number of validators. This approach is robust against up to \(n - t\) faulty or malicious participants, as the remaining t honest participants can produce a valid signature.
Defense against malicious CSPs: Malicious CSPs attempting to alter data face blockchain immutability constraints: \(H(\text {Stored Data}) \ne H(\text {Modified Data}) \Rightarrow \text {Tampering detected}\).
Immutability of authentication records and verifiability: The proposed hybrid blockchain prevents unauthorized modifications: \(H(\text {Stored Data}) \ne H(\text {Tampered Data}) \Rightarrow \text {Tampering detected}\). Further, the proposed mechanism facilitates efficient signature verification, guaranteeing it matches a minimum threshold of t valid signers.
Key search attack: One type of attack that can be used against a blockchain system is known as a Key Search Attack. A malicious attack of this nature involves an attacker making multiple attempts to guess a user’s private key to gain illicit access to confidential information stored in the cloud. However, an attacker cannot obtain a user’s private key during the key generation process since the channel is encrypted using a temporary AES key that the user generates. An attacker must solve the “elliptic curve discrete logarithm problem (ECDLP)” to determine a user’s private key based on their public key.
Impersonation attack: An attacker may try to carry out an impersonation attack to gain unauthorized access to the Blockchain system by posing as a trusted node. The SCS system employs the Membership Service Provider (MSP) offered by the Hyperledger Fabric to distribute X.509 certificates for authentication in the registration phase, which helps to prevent such attacks. In order to impersonate a node in the proposed Blockchain system, an attacker would require a valid X.509 certificate distributed by the MSP. However, recreating the X.509 certificate is a computationally infeasible task due to the complexity of the ECDLP, making it highly unlikely for the attacker to succeed. The X.509 certificate utilized in the proposed Blockchain system for authentication purposes cannot be easily replicated by an attacker because it is created using a portion of the validator node’s private key. Since the private key is complicated to deduce using the ECDLP, an attacker cannot create a valid X.509 certificate without the private key. As a result, the model is secure from impersonation attacks.
Malicious server attack: A malicious server attack involves a scenario where a server or a trusted third party is compromised and behaves on behalf of the attacker. Our proposed Blockchain system has implemented threshold cryptography for verification purposes, which ensures that even if some servers are malicious, they cannot manipulate the information. In addition, our system does not have a single point of failure or a hierarchy of privileges, which means that even if a server node is hacked, it cannot cause significant damage as the other servers will not verify such malicious acts. This design ensures the security and resilience of the proposed Blockchain system against malicious server attacks.Figure 24 depicts the output of a malicious server attack.
Data loss attack: In the event of a data loss attack, the perpetrator attempts to erase information from cloud storage. To carry out this attack, the attacker must have the user’s private key to access the data stored in the cloud via the Blockchain network. The proposed system guarantees that any other method of accessing the cloud storage would be turned down. Because it is difficult for a hacker to obtain the user’s private key, our proposed system is secure against data loss attacks.
Reading unverified documents: The user/attacker tries to read an unverified document. The network throws the error- document not verified, providing integrity to the system. Figure 22 depicts the output of reading the unverified documents.
Changing of data by adversary: The user/attacker tries to change the data through the channel. The network throws the error- document signature does not match. Figure 23 depicts the output of the data integrity attack.
Unauthorized access attack.
Reading unverified documents.
Data integrity attack.
Malicious server attack.
The Internet of Things (IoT) plays a transformative role in Industry 5.0, facilitating intelligent connectivity across IT, OT, CT, and DT networks. However, security challenges prevent its widespread adoption, including device authentication, secure data communication, and real-time decision-making. While integral to data storage and processing, cloud computing suffers latency and high costs, necessitating decentralized approaches like fog computing. This paper presents a collaborative framework that integrates two blockchain layers one is a private blockchain at the fog layer and a consortium blockchain at the cloud layer for establishing a secure end-to-end-communication in IoT environments. The approach enhances identity verification, reliability, and system scalability while optimizing computational efficiency through a validation-based consensus mechanism. In this framework, the IoT edge device enrollment and authentication is performed within a permissioned blockchain network at the fog layer, utilizing self-executing contracts to validate device identities. Meanwhile, a consortium blockchain at the cloud layer governs secure data storage and access control, ensuring tamper resistance and restricted data modifications. Performance evaluations indicate notable improvements in transaction speed, cryptographic processing, and block validation efficiency. Furthermore, deploying blockchain across multiple network layers mitigates single failure points, reduces dependence on centralized cloud storage, and enhances resilience against network disruptions. Our proposed work is simulation based work, which is a limitation. However, In the future work, The proposed work will be tested and delopment in real-time testbed and further, explore AI-driven adaptive security mechanisms and cross-layer trust models to further enhance IoT security and operational efficiency. By integrating blockchain with edge intelligence, IoT networks can achieve improved security, transparency, and reliability, paving the way for a more secure and intelligent Industry 5.0 ecosystem.
The datasets used and/or analysed during the current study are available from the corresponding author and it is available on reasonable request.
SaiKiran, P., SureshBabu, E., Padmini, D., SriLalitha, V. & Krishnanand, V. Security issues and countermeasures of three tier architecture of iot-a survey. Int. J. Pure Appl. Math 115, 49–57 (2017).
Google Scholar
Khan, B. U. I. et al. A scalability enhancement scheme for ethereum blockchains: A graph-based decentralized approach. Eng. Technol. Appl. Sci. Res. 14, 17725–17736 (2024).
Google Scholar
Khan, B. U. I., Goh, K. W., Khan, A. R., Zuhairi, M. F. & Chaimanee, M. Resource management and secure data exchange for mobile sensors using ethereum blockchain. Symmetry 17, 61 (2025).
Google Scholar
Babu, E. S., Devi, A. A., Kavati, I. & Srinivasarao, B. Blockchain-based authentication mechanism for edge devices in fog-enabled iot networks. In TENCON 2023-2023 IEEE Region 10 Conference (TENCON), 558–563 (IEEE, 2023).
Babu, E. S. et al. A distributed identity-based authentication scheme for internet of things devices using permissioned blockchain system. Expert Syst. 39, e12941 (2022).
Google Scholar
Babu, E. S., Barthwal, A. & Kaluri, R. Sec-edge: Trusted blockchain system for enabling the identification and authentication of edge based 5g networks. Comput. Commun. 199, 10–29 (2023).
Google Scholar
Hameed, K., Garg, S., Amin, M. B. & Kang, B. A formally verified blockchain-based decentralised authentication scheme for the internet of things. J. Supercomput. 77, 14461–14501 (2021).
Google Scholar
Zhang, S., Yan, Z., Liang, W., Li, K.-C. & Di Martino, B. Bcae: A blockchain-based cross domain authentication scheme for edge computing. IEEE Internet Things J. (2024).
Khashan, O. A. & Khafajah, N. M. Efficient hybrid centralized and blockchain-based authentication architecture for heterogeneous iot systems. J. King Saud Univ. Comput. Inf. Sci. 35, 726–739 (2023).
Google Scholar
Yang, X. et al. Blockchain-based secure and lightweight authentication for internet of things. IEEE Internet Things J. 9, 3321–3332 (2021).
Google Scholar
Roy, K. S., Deb, S. & Kalita, H. K. A novel hybrid authentication protocol utilizing lattice-based cryptography for iot devices in fog networks. Digit. Commun. Netw. (2022).
Wang, S., Li, H., Chen, J., Wang, J. & Deng, Y. Dag blockchain-based lightweight authentication and authorization scheme for iot devices. J. Inf. Secur. Appl. 66, 103134 (2022).
Google Scholar
Guo, Y., Zhang, Z., Guo, Y. & Xiong, P. Bsra: Blockchain-based secure remote authentication scheme for the fog-enabled internet of things. IEEE Internet Things J. (2023).
Amanlou, S., Hasan, M. K. & Bakar, K. A. A. Lightweight and secure authentication scheme for iot network based on publish-subscribe fog computing model. Comput. Netw. 199, 108465 (2021).
Google Scholar
Alam, I. & Kumar, M. A novel protocol for efficient authentication in cloud-based iot devices. Multimed. Tools Appl. 81, 13823–13843 (2022).
Google Scholar
Kamel, M. B., Ligeti, P., Nagy, A. & Reich, C. Distributed address table (dat): A decentralized model for end-to-end communication in iot. Peer-to-peer networking and applications 1–16 (2022).
Alluhaidan, A. S. D. & Prabu, P. End-to-end encryption in resource-constrained iot device. IEEE Access 11, 70040–70051 (2023).
Google Scholar
Lizardo, A., Barbosa, R., Neves, S., Correia, J. & Araujo, F. End-to-end secure group communication for the internet of things. J. Inf. Secur. Appl. 58, 102772 (2021).
Google Scholar
Babu, E. S., Nagaraju, C. & Prasad, M. K. Analysis of secure routing protocol for wireless adhoc networks using efficient dna based cryptographic mechanism. Procedia Comput. Sci. 70, 341–347 (2015).
Google Scholar
Ferretti, L., Marchetti, M. & Colajanni, M. Fog-based secure communications for low-power iot devices. ACM Trans. Internet Technol. 19, 1–21 (2019).
Google Scholar
Babu, E. S., Rao, M. S., Swain, G., Nikhath, A. K. & Kaluri, R. Fog-sec: Secure end-to-end communication in fog-enabled iot network using permissioned blockchain system. Int. J. Netw. Manag. 33, e2248 (2023).
Google Scholar
Wang, C., Wang, D., Duan, Y. & Tao, X. Secure and lightweight user authentication scheme for cloud-assisted internet of things. IEEE Trans. Inf. Forensics Secur. 18, 2961–2976 (2023).
Google Scholar
Junior, N. F., Silva, A. A., Guelfi, A. E. & Kofuji, S. T. Privacy-preserving cloud-connected iot data using context-aware and end-to-end secure messages. Procedia Comput. Sci. 191, 25–32 (2021).
Google Scholar
Agrawal, R., Singhal, S. & Sharma, A. Blockchain and fog computing model for secure data access control mechanisms for distributed data storage and authentication using hybrid encryption algorithm. Cluster Comput. 1–16 (2024).
Ojha, S. et al. A method to enhance privacy preservation in cloud storage through a three-layer scheme for computational intelligence in fog computing. MethodsX 13, 103053 (2024).
PubMed PubMed Central Google Scholar
Song, H., Li, J. & Li, H. A cloud secure storage mechanism based on data dispersion and encryption. IEEE Access 9, 63745–63751 (2021).
Google Scholar
Ren, Y., Huang, D., Wang, W. & Yu, X. Bsmd: A blockchain-based secure storage mechanism for big spatio-temporal data. Future Gener. Comput. Syst. 138, 328–338 (2023).
Google Scholar
Wang, X. et al. Enabling secure authentication in industrial iot with transfer learning empowered blockchain. IEEE Trans. Ind. Inform. 17, 7725–7733 (2021).
Google Scholar
Khan, B. U. I. et al. Blockchain-enhanced sensor-as-a-service (seaas) in iot: Leveraging blockchain for efficient and secure sensing data transactions. Information 15, 212 (2024).
Google Scholar
Xie, Q. et al. Litecrypt: Enhancing iomt security with optimized he and lightweight dual-authorization. In 2024 IEEE 30th International Conference on Parallel and Distributed Systems (ICPADS), 166–175 (IEEE, 2024).
Wang, W. et al. Bsif: Blockchain-based secure, interactive, and fair mobile crowdsensing. IEEE J. Sel. Areas Commun. 40, 3452–3469 (2022).
ADS Google Scholar
Khan, A. A. et al. Baiot-ems: Consortium network for small-medium enterprises management system with blockchain and augmented intelligence of things. Eng. Appl. Artif. Intell. 141, 109838 (2025).
Google Scholar
Aguru, A. D. & Erukala, S. B. Blockchain-based edge device authentication mechanism in sdn-enabled iot networks. In 2024 IEEE 9th International Conference for Convergence in Technology (I2CT), 1–6 (IEEE, 2024).
Khan, A. A. et al. Secure remote sensing data with blockchain distributed ledger technology: A solution for smart cities. IEEE Access (2024).
Khan, A. A. et al. B-lpoet: A middleware lightweight proof-of-elapsed time (poet) for efficient distributed transaction execution and security on blockchain using multithreading technology. Comput. Electr. Eng. 118, 109343 (2024).
Google Scholar
Devi, A. A., Babu, E. S., Rao, M. S., Kaluri, R. & Gadekallu, T. R. Scs: A secure cloud storage framework with enhanced integrity and auditability using consortium blockchain system. In 2024 IEEE International Conference on Smart Internet of Things (SmartIoT), 79–86 (IEEE, 2024).
Cirani, S., Picone, M., Gonizzi, P., Veltri, L. & Ferrari, G. Iot-oas: An oauth-based authorization service architecture for secure services in iot scenarios. IEEE Sens. J. 15, 1224–1234 (2014).
ADS Google Scholar
Hammi, M. T., Hammi, B., Bellot, P. & Serhrouchni, A. Bubbles of trust: A decentralized blockchain-based authentication system for iot. Comput. Secur. 78, 126–142 (2018).
Google Scholar
Suresh Babu, E., Nagaraju, C. & Krishna Prasad, M. Efficient dna-based cryptographic mechanism to defend and detect blackhole attack in manets. In Proceedings of International Conference on ICT for Sustainable Development: ICT4SD 2015 Volume 1, 695–706 (Springer, 2016).
Babu, E. S., Nagaraju, C. & Prasad, M. K. An implementation analysis and evaluation study of dsr with inactive dos attack in mobile ad hoc networks. Int. J. Eng. Innov. Res. 2, 501 (2013).
Google Scholar
Download references
The European Union-NextGenerationEU finances this study through the National Recovery and Resilience Plan of the Republic of Bulgaria, project No.BG-RRP-2.004-0001-C01.
Department of Computer Science & Engineering, National Institute of Technology Warangal, Warangal, Telangana, India
Suresh Babu Erukala & Anoosha Perumalla
Faculty of Physics and Technology, University of Plovdiv Paisii Hilendarski, 4000, Plovdiv, Bulgaria
Dimitar Tokmakov, Anna Bekyarova-Tokmakova, Nevena Mileva & Slavi Lubomirov
Department of Software and Systems Engineering, Vellore Institute of Technology, Vellore, India
Rajesh Kaluri
You can also search for this author inPubMed Google Scholar
You can also search for this author inPubMed Google Scholar
You can also search for this author inPubMed Google Scholar
You can also search for this author inPubMed Google Scholar
You can also search for this author inPubMed Google Scholar
You can also search for this author inPubMed Google Scholar
You can also search for this author inPubMed Google Scholar
SBE drafted the work or revised it critically for important content, DT,SL performed literature reviews and performed the experiments. AP- Wrote the code, designed the software, or performed the computation work, RK- performed literature reviews and prepared the figures and/or tables, ABT and NM analyzed the data and performed the literature reviews.
Correspondence to Suresh Babu Erukala or Dimitar Tokmakov.
The authors declare no competing interests.
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
See Figs. 25, 26, 27, 28, 29, 30, 31, 32, 33, 34 and 35.
Private blockchain network start-up process.
IoT device registration request flow to a Fog server.
Establishment of an ECC-based Identity for a fog node.
Blockchain Ledger instance presenting stored transactions, authentication records, and block structure.
New block creation using the threshold consensus mechanism.
End-to-end registration time at the Fog node.
Cloud node start-up.
End-to-end registration at the cloud environment.
Upload request from device to cloud via Fog node.
Upload request handled by cloud node.
Retrieval request handled by cloud node.
Open Access This article is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License, which permits any non-commercial use, sharing, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if you modified the licensed material. You do not have permission under this licence to share adapted material derived from this article or parts of it. The images or other third party material in this article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by-nc-nd/4.0/.
Reprints and permissions
Erukala, S.B., Tokmakov, D., Perumalla, A. et al. A secure end-to-end communication framework for cooperative IoT networks using hybrid blockchain system. Sci Rep 15, 11077 (2025). https://doi.org/10.1038/s41598-025-96002-w
Download citation
Received: 20 November 2024
Accepted: 25 March 2025
Published: 01 April 2025
DOI: https://doi.org/10.1038/s41598-025-96002-w
Anyone you share the following link with will be able to read this content:
Sorry, a shareable link is not currently available for this article.
Provided by the Springer Nature SharedIt content-sharing initiative