Lightweight Blockchain Architecture for Authentication and Authorization in Resource-Constrained IoT Networks

Abstract

The exponential proliferation of Internet of Things (IoT) devices demands scalable, energy-efficient, and cryptographically robust authentication. Conventional Public Key Infrastructure (PKI) and centralized systems impose prohibitive computational and energy burdens on Class 1 constrained nodes (?10 KB RAM, ?100 KB Flash per RFC 7228 [1]). Standard blockchain implementations exacerbate resource demands through consensus overhead and ledger storage. This paper presents a four-layer lightweight blockchain architecture that delegates intensive cryptographic operations to edge gateways. A formally specified three-phase authentication protocol employing Elliptic Curve Cryptography (ECC) for key establishment and HMAC-SHA-256 for per-session authentication is introduced and verified using BAN logic [2] against the Dolev-Yao threat model [3]. Simulation on a TI CC2650 profile via Contiki OS/Cooja across 30 independent trials demonstrates: 73.2% energy reduction vs. PKI (12.30 ± 0.41 mJ vs. 45.80 ± 1.32 mJ); 84.3% reduction vs. standard blockchain; 66.7% RAM reduction (1.60 ± 0.06 KB); 326% battery lifetime improvement; and 301.3 ± 12.8 auth/s throughput at 100,000 devices.

Introduction

The text presents a lightweight blockchain-based authentication framework for IoT designed to secure billions of resource-constrained devices while overcoming the limitations of traditional PKI and standard blockchain systems.

Key Points:

1. Problem Context:
   • IoT is projected to exceed 75 billion devices by 2025, creating immense authentication and authorization challenges.
   • Traditional PKI is unsuitable for IoT due to high computation, single points of failure, and limited scalability.
   • Standard blockchain provides decentralization and immutability but is too resource-intensive for low-power IoT devices.
2. Proposed Solution:
   • Four-layer architecture:
     1. IoT Devices: Class 1 constrained nodes perform only ECC key storage, HMAC-SHA-256 computation, and state management.
     2. Edge Gateways: Moderate-capability devices handle ECC verification, DPoS consensus, session key management, and transaction batching.
     3. Blockchain Network: Permissioned blockchain with DPoS consensus validates and stores transactions and smart contracts.
     4. Application Layer: Consumes blockchain-authenticated data for access control, compliance, and anomaly detection.
   • Three-phase protocol:
     • Phase 1 – Device Registration: One-time registration using ECC keys, certificates, and session key establishment via ECDH.
     • Phase 2 – Session Authentication: Per-connection two-message HMAC exchange requiring no ECC operations, reducing CPU cycles by 87.2% versus full ECDSA.
     • Phase 3 – Blockchain Attestation: Gateways batch authentication records into Merkle-root transactions for tamper-evident, periodic on-chain storage.
   • Security Guarantees: Mutual authentication, forward secrecy, and resistance to replay attacks. Verified using BAN logic and evaluated under the Dolev-Yao threat model.
3. Experimental Evaluation:
   • Platform: Contiki OS with Cooja simulator, TI CC2650 hardware (16 MHz, 20 KB RAM, 128 KB Flash).
   • Baselines: Traditional PKI, centralized HMAC server, standard blockchain, Lightweight Scalable Blockchain (LSB).
   • Metrics: CPU cycles, memory usage, and energy consumption over 30 trials with statistical validation.
4. Results:
   • CPU Efficiency: Phase 2 HMAC requires 1.05M cycles vs. ~19M for ECDSA, yielding 87.2% reduction.
   • Memory Footprint: Peak RAM 1.6 KB, 66.7–74.2% lower than PKI and standard blockchain.
   • Energy Consumption: 12.3 mJ per authentication, 73–84% lower than PKI and standard blockchain, with energy savings mainly from reduced message count.

Conclusion

This paper presented a lightweight blockchain architecture for IoT authentication, bridging blockchain\'s security properties with IoT\'s computational constraints through architectural delegation. Phase 1 confines asymmetric cryptography to gateway-executed provisioning; Phase 2 reduces per-session operations to HMAC-SHA-256 and two messages—achieving 87.2% CPU cycle reduction. Across 30 independent trials: 73.2% energy reduction vs. PKI; 84.3% vs. standard blockchain; 66.7% RAM reduction; 326% battery lifetime extension; and 376× throughput improvement at 100K devices. BAN logic [2] formally confirms mutual authentication and Dolev-Yao analysis [3] demonstrates attack resistance. Future work includes physical hardware validation, ProVerif-based formal verification, device revocation protocol design, and post-quantum ECC replacement [20] for Class 2 devices.

References

[1] C. Bormann, M. Ersue, and A. Keranen, \"Terminology for Constrained-Node Networks,\" IETF RFC 7228, May 2014. doi: 10.17487/RFC7228 [2] M. Burrows, M. Abadi, and R. M. Needham, \"A Logic of Authentication,\" ACM Trans. Comput. Syst., vol. 8, no. 1, pp. 18–36, Feb. 1990. doi: 10.1145/77648.77649 [3] D. Dolev and A. C. Yao, \"On the Security of Public Key Protocols,\" IEEE Trans. Inf. Theory, vol. 29, no. 2, pp. 198–208, Mar. 1983. doi: 10.1109/TIT.1983.1056650 [4] L. Atzori, A. Iera, and G. Morabito, \"The Internet of Things: A Survey,\" Comput. Netw., vol. 54, no. 15, pp. 2787–2805, Nov. 2010. doi: 10.1016/j.comnet.2010.05.010 [5] R. Housley, W. Polk, W. Ford, and D. Solo, \"Internet X.509 Public Key Infrastructure Certificate and CRL Profile,\" IETF RFC 3280, Apr. 2002. doi: 10.17487/RFC3280 [6] S. Sicari, A. Rizzardi, L. A. Grieco, and A. Coen-Porisini, \"Security, Privacy and Trust in Internet of Things: The Road Ahead,\" Comput. Netw., vol. 76, pp. 146–164, Jan. 2015. doi: 10.1016/j.comnet.2014.11.008 [7] S. Nakamoto, \"Bitcoin: A Peer-to-Peer Electronic Cash System,\" White Paper, Oct. 2008. [Online]. Available: https://bitcoin.org/bitcoin.pdf [8] Z. Zheng, S. Xie, H.-N. Dai, X. Chen, and H. Wang, \"Blockchain Challenges and Opportunities: A Survey,\" Int. J. Web Grid Serv., vol. 14, no. 4, pp. 352–375, Dec. 2018. doi: 10.1504/IJWGS.2018.095647 [9] K. Christidis and M. Devetsikiotis, \"Blockchains and Smart Contracts for the Internet of Things,\" IEEE Access, vol. 4, pp. 2292–2303, May 2016. doi: 10.1109/ACCESS.2016.2566339 [10] D. Larimer, \"Delegated Proof-of-Stake (DPOS),\" BitShares White Paper, 2014. [Online]. Available: https://how.bitshares.works/en/master/technology/dpos.html [11] A. Dorri, S. S. Kanhere, R. Jurdak, and P. Gauravaram, \"LSB: A Lightweight Scalable Blockchain for IoT Security and Privacy,\" in Proc. IEEE PerCom Workshops, Kona, HI, Mar. 2017, pp. 618–623. doi: 10.1109/PERCOMW.2017.7917634 [12] V. S. Miller, \"Use of Elliptic Curves in Cryptography,\" in Proc. CRYPTO \'85, Santa Barbara, CA, 1985, pp. 417–426. doi: 10.1007/3-540-39799-X_31 [13] N. Koblitz, \"Elliptic Curve Cryptosystems,\" Math. Comput., vol. 48, no. 177, pp. 203–209, Jan. 1987. doi: 10.1090/S0025-5718-1987-0866109-5 [14] M. Bellare, R. Canetti, and H. Krawczyk, \"Keying Hash Functions for Message Authentication,\" IETF RFC 2104, Feb. 1997. doi: 10.17487/RFC2104 [15] P. Porambage, C. Schmitt, P. Kumar, A. Gurtov, and M. Ylianttila, \"Two-Phase Authentication Protocol for Wireless Sensor Networks in Distributed IoT Applications,\" in Proc. IEEE WCNC, Istanbul, Turkey, Apr. 2014, pp. 2769–2774. doi: 10.1109/WCNC.2014.6952860 [16] V. Hassija et al., \"A Survey on IoT Security: Application Areas and Security Threats,\" IEEE Access, vol. 7, pp. 82721–82743, Jun. 2019. doi: 10.1109/ACCESS.2019.2924045 [17] M. A. Khan and K. Salah, \"IoT Security: Review, Blockchain Solutions, and Open Challenges,\" Future Gener. Comput. Syst., vol. 82, pp. 395–411, May 2018. doi: 10.1016/j.future.2017.11.022 [18] J. Granjal, E. Monteiro, and J. S. Silva, \"Security for the Internet of Things: A Survey of Existing Protocols and Open Research Issues,\" IEEE Commun. Surv. Tutor., vol. 17, no. 3, pp. 1294–1312, 2015. doi: 10.1109/COMST.2015.2388550 [19] E. Androulaki et al., \"Hyperledger Fabric: A Distributed Operating System for Permissioned Blockchains,\" in Proc. 13th EuroSys Conf., Porto, Portugal, Apr. 2018, pp. 1–15. doi: 10.1145/3190508.3190538 [20] NIST, \"Post-Quantum Cryptography: Selected Algorithms 2022,\" NIST, Jul. 2022. [Online]. Available: https://csrc.nist.gov/Projects/post-quantum-cryptography. doi: 10.6028/NIST.IR.8413

Copyright

Copyright © 2026 Shivani Saraswat , Sushil Kumar Sharma. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.