Journal of Parallel and Distributed Computing 141 (2020) 1–9

Contents lists available at ScienceDirect

J. Parallel Distrib. Comput.

journal homepage: www.elsevier.com/locate/jpdc

A blockchain based decentralized data security mechanism for the

Internet of Things
∗
Chunpeng Ge, Zhe Liu , Liming Fang
College of Computer Science and Technology, Nanjing University of Aeronautics and Astronautics, Nanjing, China

article info a b s t r a c t

Article history: The Internet of Things (IoT) is the core infrastructure of the smart city information system. With the
Received 25 November 2019 explosive growth of IoT devices, how to securely maintain the important data generated by IoT devices
Received in revised form 13 February 2020 has become an important issue. In the conventional IoT-cloud based infrastructure, the sensitive IoT
Accepted 17 March 2020
data was stored in a third cloud service provider. However, in such a manner, the private IoT data
Available online 25 March 2020
may be disclosed by the cloud server since the cloud server knows all the data stored in it. This paper,
Keywords: for the first time, proposes a decentralized secure mechanism based on the blockchain technique to
IoT store the important data generated in the IoT system. This mechanism effectively solves the data
Blockchain reliability, security and privacy issues that may be encountered in the conventional IoT-cloud system.
UTXO Considering the defects of simplified payment verification used by light nodes in blockchain networks,
Accumulator
this paper proposes an Unspent Transaction Output (UTXO) verification mechanism based on the RSA
accumulator, which makes the computational complexity of light nodes to generate and verify the
UTXO proof to be constant. The proposed mechanism not only provides proof of inclusion but also
supports efficient proof of exclusion for a lightweight node. Our experiment results indicate that the
proposed scheme is practical and efficient.
© 2020 Elsevier Inc. All rights reserved.

1. Introduction scalability [16,29,34]. However, cloud storage also encounters

Since the notion of the Internet of Things was proposed by
the International Telecommunication Union in 2005, technologies
such as sensor networks [15,27,40], cloud computing [5,45], and
edge computing [11–13,23,33,46] have been developing and ma-
turing, and the Internet of Things industry has been expanding
rapidly. With the development of Industry 4.0 [4,26], Vehicle
Internet [3,48], Smart Home [9,18,35] and Smart City [10,17,24],
more and more devices are connected to the network and realize
mutual communication. The Internet of things is leveraged to
connect the physical world with the digital world and begin to
accelerate the era of ‘‘Internet of everything" [39,42,43]. Accord-
ing to the National Cable TV Association (NCTA), by 2020, the
number of installed base of the connected equipments is expected
to grow to more than 50 billion units, which is nearly five times of
that in 2012. These IoT devices change people’s lives while always
generating huge amounts of data. By 2020, the Internet of Things
will generate about 4.4ZB data.
The storage and maintenance of such a large amount of data
need extra cost to data owners. The cloud storage is widely
adopted due to its convenience, cost effectiveness, and strong
∗ Corresponding author.
E-mail addresses: gecp@nuaa.edu.cn (C. Ge), liuzhenuaa@gmail.com
(Z. Liu), fangliming@nuaa.edu.cn (L. Fang).
security issues. When the IoT data is stored in the cloud, the
data owner loses control of the data [25,28], which may lead to
security problems. For example, the cloud server may tamper or
manipulate the stored data for some commercial purpose [19,25].
At the meanwhile, the privacy of the data may also be problem-
atic. The cloud service provider may illegally access the data that
the user places on the cloud storage server, and use the data for
data analysis and other behaviors that infringe the user’s privacy
rights. Moreover, if the cloud service provider’s fails, the entire
data will be lost, making the entire system unavailable.
To solve the above problems, this paper proposes a decentral-
ized storage mechanism based on blockchain for the IoT data. The
blockchain storage does not need to be managed by trusted third
parties, while ensuring the security, reliability and privacy of IoT
data [33,38,47]. In blockchain storage, since the whole ledger of
the blockchain is very large, data management nodes may only
store block headers. The simplified payment verification for the
use of light nodes in blockchain storage can only provide proof of
inclusion of transactions, but does not provide effective proof of
exclusion, while the computational complexity of the verification
increases with logarithm. Hence, this paper also proposes a UTXO
verification scheme based on RSA accumulator, which makes
the computational complexity of the light node constant, and
provides proof of inclusion and exclusion of the transaction. Here,
we list our contributions:

https://doi.org/10.1016/j.jpdc.2020.03.005
0743-7315/© 2020 Elsevier Inc. All rights reserved.
2 C. Ge, Z. Liu and L. Fang / Journal of Parallel and Distributed Computing 141 (2020) 1–9
Fig. 1. The infrastructure of the blockchain.
• We propose a decentralized storage mechanism based on
the blockchain technology, that is, blockchain storage to
store important IoT data. The proposed storage method is
decentralized and does not require third party management.
This blockchain storage has advantages in terms of data
security, privacy, and reliability.
• We propose a model of RSA dynamic universal accumula-
tor and design a UTXO verification scheme based on RSA
accumulator, which provides proof of inclusion and exclu-
sion for light nodes, and greatly improves the efficiency of
transaction verification to a constant time.
1.1. Roadmap
Section two introduces the related work we have done. Section
three of this paper proposes a model based on blockchain storage
and the advantages and defects of this storage method. Section
four proposes an UTXO verification mechanism based on RSA ac-
cumulator. Section five gives the security proof of our mechanism.
Section six analyzes the performance of our proposed scheme.
Finally, the text concludes in section seven.
2. Related work
2.1. Blockchain
The notion of blockchain was first introduced by Satoshi
Nakamoto [31]. Blockchain combines data blocks in a chain struc-
ture in chronological order and uses cryptographic methods to
guarantee imtamperability and unforgeability decentralized dis-
tributed ledgers. Blockchain forms a network through P2P pro-
tocol. Unlike the centralized network, the computers on each
node of the blockchain network have equal status. Each node
provides network services together. Each node discovers and
maintains connections with its neighbor nodes, propagates and
verifies transactions, and synchronizes data blocks. There are six
layers in The blockchain system. And from bottom to top, they
are: data layer, network layer, consensus layer, incentive layer,
contract layer, and application layer. The infrastructure model of
the blockchain is demonstrated in Fig. 1.
The data layer, which is The lowest layer, encapsulates the
data structure of the data block, cryptography algorithm, times-
tamps, etc. The network layer consists of mechanisms for dis-
tributed P2P networking, data transmission and verification. The
core algorithm of blockchain — consensus mechanism is part of
the consensus layer. This determines how efficiently nodes can
agree on the validity of block data in decentralized system with
highly decentralized decision rights. This layer provides other
consensus algorithms of network nodes as well. For example, the
Proof of Work (PoW) [6], the Proof of Stake (PoS) [20] and Dele-
gated Proof of Stake (DPOS) [22]. The incentive layer takes care of
economic factors for blockchain. The contract layer supports pro-
grammable features such as smart contract. The application layer
is the layer for the actual application scenarios of blockchain, such
as applications built on the Ethereum.
2.2. Cryptographic accumulator
The accumulator is defined as a one-way hash function with
quasi-exchange properties [2]. That is, if for all x ∈ X and all
y1 , y2 ∈ Y , the one-way hash function h : X × Y → X satisfies the
quasi-exchange property:
h (h (x, y1 ) , y2 ) = h (h (x, y2 ) , y1 ) (1)
The accumulator scheme allows all elements xj in the finite set
X = x1 , . . . , xn to be accumulated into a compact value accX , accX
does not depend on the accumulation of xj order. Select g ∈ G as
the base and the accumulator is defined as:
accX = h(. . . h(g , x1 ), . . . , xn ) (2)
By calculating the witness w itxi of each element xi ∈ X , verify
h(w itxi , xi ) = acc X , and prove the membership of xi in accX . Due to
the collision resistant property, it is computationally impossible
to find a witness for any non-accumulated value y ∈ / X . The
dynamic accumulator allows user to add/remove values to a given
accumulator and update existing witnesses (without recalculating
these values each time the cumulative set changes). Moreover,
in order to provide member witnesses, the accumulator should
also need to provide non-member witnesses for y ∈ / X , which re-
sults in a generic accumulator. Again, collision resistant property
ensures it is not possible to create non-membership witnesses
for values xi ∈ X . Moreover, an accumulator should provide
the undeniable and indistinguishable properties. The undeniable
property indicates that it should not be computationally feasible
to compute two contradicting witnesses for z ∈ X and z ∈ / X . The
indistinguishable property describes that the accumulated set X
should not be leaked by the accumulator or the witnesses.
The accumulator was initially used as a timestamp to capture
the existence of a value at a particular time. As time goes, the
roles of accumulators have been extended to include membership
testing, reliable certificate management and so on. An accumula-
tor scheme that allows witnesses to have undisclosed value in
zero knowledge is now widely used to revoke group signatures
and anonymous credentials [36]. The accumulator is also used
for zero coins, which is an anonymous extension of the bitcoin
cryptocurrency [30].
3. Proposed blockchain-based storage system
3.1. System model
In this subsection, we propose a decentralized storage mecha-
nism based on blockchain to store IoT data. Thousands of entities
and individuals in the world have huge unused storage space,
from large enterprises to small family businesses, to large hard
disk shelves and everyone’s laptops with small hard drives. We
 C. Ge, Z. Liu and L. Fang / Journal of Parallel and Distributed Computing 141 (2020) 1–9
Fig. 2. Decentralized blockchain storage model.
use the incentive mechanism of blockchain to pool these storage
nodes around the world and build a very huge storage pool, so
that users who provide storage are rewarded with virtual tokens,
and users who use storage need to pay virtual tokens. In our
proposed model, it is mainly composed of the following entities,
as shown in Fig. 2:
• Internet of Things Devices: With the development of 5G
technology and the development of the Internet of Things,
the number of IoT devices has increased rapidly [21,32,41].
As a result, we need to store a large amount of data gener-
ated by the devices. In our model, the device collects the
data and transmits it to the data management node for
processing.
• Data management Node: The data management node first
encrypts and shards the data collected by all its IoT devices
and stores them in each node of the distributed network.
Then the transaction information, including the hash of data,
the address where the sharded file is stored, and the pay-
ment, are stored in the blockchain, protecting the file’s
routing path from tampering.
• Storage Node: Users can rent out their unused hard disk
space. These free hard disk space becomes the storage node
of the decentralized network. The storage node obtains
the corresponding reward by storing the data sent by the
data management node. At the same time, the blockchain
rewards legitimate storage nodes and removes dishonest
nodes through incentives in smart contracts.
In this system, IoT devices collect data and transmit it to
the data management node [8,44]. The data management node
shards the data and encrypts each data block using asymmetric
encryption technology. This ensures the privacy of the user data.
Even if the data is leaked, the other party cannot know the
specific content of the data. The data management node obtains
more fragments by redundant algorithms, such as copying copies
or erasure code encoding, and then stores the fragments into
distributed storage nodes. This effectively avoids the negative
effects of a single point of failure, even if a node loses data, it
will not affect the integrity of the data. The data management
node generates a hash value for the encrypted file, and then gen-
erates a transaction sent to the blockchain P2P network, which
includes the data hash, the address of the shard data storage,
and the amount paid. Once the transaction is confirmed, it will
be packaged in the block and broadcast to other miners. Other
3
miners will add the block to their blockchain after verification.
At the same time, the smart contract in the blockchain will audit
the node in the blockchain network and remove dishonest nodes.
3.2. Blockchain storage advantage and defect
Blockchain storage is a decentralized and distributed storage
method. Data is shard and stored on tens of millions of nodes
globally through P2P networks, and more copies are generated
by redundant algorithms. Therefore, the blockchain storage tech-
nology makes the data not to be stored in a single server, which
effectively avoids the negative impact of a single point of failure, e
The stored data is divided into small blocks, which are encrypted
and stored in a large number of nodes. This can avoid the central-
ized risk of centralized storage. Even if the data loss of a node will
not have an impact. Even if a piece of data is leaked, the specific
contents cannot be identified. The storage address of shard data,
the hash of the file, and the amount of the transaction are stored
in the blockchain, which makes the data cannot be tampered with
and greatly ensures the security of the data. In a word, blockchain
storage does not need to be managed by a trusted third party,
which guarantees the security, reliability and privacy of Internet
of things data.
Blockchain network is a P2P network composed of several
nodes for broadcasting transaction information and data blocks.
A node that hold the complete blockchain data are called full
node. However, with the continuous mining of blockchain, the
complete blockchain data is also increasing. For example, the
size of the Bitcoin blockchain has risen to nearly 250 GB, which
increases by about 12 GB every quarter. For a node to save such
a large amount of data is a huge cost, and the hard disk space
of the node in the blockchain storage is equivalent to the asset,
so most nodes will not store the complete blockchain data. Most
data management nodes and storage nodes of the blockchain only
store the block headers of all the blocks, and do not download the
specific transaction information contained in the block, thereby
generating a blockchain without transaction information. These
nodes are added as light nodes to the blockchain network.
When data management nodes store data in distributed stor-
age nodes, a transaction is issued in the network. Most storage
nodes cannot perform transaction verification on the transaction
because they do not store a complete blockchain. Transaction ver-
ification is performed by the full node of the blockchain. It mainly
involves verifying whether there is enough UTXO, whether there
is a double flower, and judging the unlock script. The verification
method used by the light node is simplified payment verification
(SPV), which can only determine whether the transaction is in-
cluded in the blockchain and has several confirmations. However,
the simplified payment verification used by light node can only
provide inclusion proof for transactions, but cannot provide an ef-
ficient exclusion proof. Meanwhile, the computational complexity
of the light node verification increases in logarithm.
To solve the above problems, we design a UTXO verifica-
tion scheme based on the RSA accumulator for light node. This
scheme enables the light node to use UTXO for verification, pro-
viding proof of inclusion and efficient proof of exclusion. The
computational complexity of the new verification method is con-
stant, which greatly improves the efficiency of the light node
verification transaction.
4. UTXO Verification scheme based on the RSA accumulator
4.1. Strong RSA assumption
Given an RSA modulus N and a random number z ∈ ZN∗ , the
strong RSA problem is to find r and y, where r > 1, y ∈ ZN∗ such
that yr = z. We assume that the problem is difficult to solve. The
only way to break these two assumptions is to solve the integer
factorization problem.
4 C. Ge, Z. Liu and L. Fang / Journal of Parallel and Distributed Computing 141 (2020) 1–9
4.2. The RSA dynamic universal accumulator model
A secure RSA dynamic universal accumulator is a tuple (Xk , Fk ),
where Xk is the input domain of the accumulated elements in the
accumulator; Fk is a family of functions such that each f ∈ Fk is
defined as f : Uf × Xf → Uf , and Uf is the input domain of this
function f . Furthermore, the RSA dynamic universal accumulator
needs to satisfy the following properties:
• Efficient generation: There exists an efficient probabilistic
polynomial time (PPT) algorithm Gen that, on input a security
parameter 1k , outputs a random function f of Fk . The al-
gorithm simultaneously outputs auxiliary information about
the function f , which is expressed by auxf .
• Efficient evaluation: Every f ∈ Fk is a PPT function, on input
(g , x) ∈ Uf × Xf , outputs a value acc ∈ Uf , where g is the
base of the accumulator, and we call acc the accumulator
value and x was accumulated into acc.
• Quasi-commutativity: For all f ∈ Fk , g ∈ Uf , and x1 , x2 ∈
Xk : f (f (g , x1 ), x2 ) = f (f (g , x2 ), x1 ). If X = x1 , . . . , xn ⊂ Xk ,
according to quasi-commutativity, the result of value f (f (i ·
(g , x1 ), i·), xn ) does not depend on the order of the elements.
Hence, we can denote it by f (g , X ).
• Membership witness: For every f ∈ Fk , let acc ∈ Uf and
x ∈ X ⊂ Xk . There exists a PPT algorithm that can generate
a proof of membership wit for the accumulated elements
x ∈ X in the accumulator. There is a membership verification
function ϕ : if ϕ1 (w it , acc , x) = 1, the value wit is called a
membership witness.
• Non-membership witness: For every f ∈ Fk , let acc ∈ Uf
and x ∈ / X ⊂ Xk . There exists a PPT algorithm that can
generate a proof of non-membership w it for the elements
x∈ / X in the accumulator that is not accumulated. There is
a membership verification function ϕ : if ϕ2 (w it , acc , x) = 1,
the value w it is called a non-membership witness.
• Efficient update of accumulator: There is an efficient PPT
algorithm H. For the accumulator value calculated by the set
X i.e. acc = f (g , X ). If a value x̂ ∈ / X is added to the accu-
mulator, the algorithm H updates the original ⋃ accumulator
H(acc , x̂) = (acc) ˆ such that acc ˆ = f (g , X x̂); if a value
x̂ ∈ X is deleted from the accumulator, the algorithm H
updates the original accumulator H(auxf , acc , x̂) = acc ˆ such
ˆ = f (g , X \ {x̂}).
that acc
• Efficient update of membership witness: From the above,
acc and acc ˆ are the original and updated accumulatori ’s
value, and x̂ is the added or deleted element. There is an
efficient PPT algorithm P1 , on input w it, acc, acc, ˆ x, x̂, where
x ̸ = x̂, x ∈ / X and ϕ1 (wit , acc , x) = 1, outputs the updated
membership witness w ˆit such that ϕ1 (w ˆit , acc
ˆ , x) = 1.
• Efficient update of non-membership witness: From the
above, acc and acc ˆ are the original and updated
accumulatori ’s value, and x̂ is the added or deleted element.
There is an efficient PPT algorithm P2 , on input w it, acc,
acc,
ˆ x, x̂, where x ̸= x̂, x ∈ / X and ϕ1 (wit , acc , x) = 1,
outputs the updated membership witness w ˆit such that
ϕ1 (wit , acc
ˆ ˆ , x) = 1.
4.3. Our scheme
Our proposed construction consists of three phases: setup
(executed only once), the request and proof generation phase,
and the verification phase. In Section 4.3.3, we illustrate the
approach the proposed scheme used to effectively update the
UTXO commitment.
4.3.1. Setup phase
In blockchain, the data stored in the full node is mainly divided
into two parts: On the one hand, all transaction data is stored
in the blockchain; on the other hand, the UTXO set is extracted
and stored in the local on-disk database. Today’s banks, credit
cards and securities trading systems all based on account-based
designs, supported by relational databases. The blockchain stor-
age is based on the transaction ledger mode. In the proposed
blockchain, there is no concept of an account. The blockchain
ledger records one transaction after another. Each transaction
has several transaction inputs and several transaction outputs.
Generally speaking, each transaction takes one or more inputs,
producing one or more outputs. The UTXO is backtracked from
the block file. While a full node downloads these blocks, the node
traverses the block files to find all Unspent Transaction Outputs
and constructs an UTXO set locally. A new block is mined at
every time of ten minutes. All the full nodes in the blockchain
network update the UTXO set according to the new block, delete
the UTXOs that have been spent, and add new UTXOs.
There are two reasons why the light node cannot use UTXO
to verify a transaction: First, the light node only saves the block
headers of all the blocks without saving all the specific transac-
tion information, so the light node cannot build its own UTXO.
Second, all the full nodes build their own UTXO set locally. When
the light node randomly requests the full node for the UTXO proof
of the transaction that needs to be verified, the full node cannot
provide the proof for the light node that the transaction is not
spent.
In summary, if the light node wants to use UTXO to verify
the received transaction, then it first needs to maintain a unique
UTXO set on the Bitcoin blockchain, and secondly need to pro-
vide efficient proof for the elements in the collection. In our
proposed scheme, we use RSA dynamic universal accumulator to
implement these functions. Since the input domain of the RSA
accumulator is limited to prime numbers, the full nodes in the
blockchain need to process the elements in the UTXO set to map
to the collision-resistant prime numbers. In this paper, we design
a simple prime generation algorithm Hprime to map the elements
in the UTXO set to prime numbers: To begin with this, a collision-
resistant hash function H is used to hash the element UTXOi in the
UTXO set, so as to get xi = H(UTXOi ), if xi is a prime number, this
algorithm outputs the prime represent xi of the element; if xi is
not a prime number, this algorithm continues to iterate over this
value, such that xi = H(xi ), until xi is prime, finally output xi .
The RSA accumulator is designed based on the strong RSA
assumption. Before using RSA accumulator to maintain a unique
UTXO set on the blockchain, the proposed scheme needs to com-
plete the initialization of RSA accumulator: The first step is to
generate a random modulus N of length k, where N must be a safe
prime. The value of modulus N is calculated by formula N = pq,
where p = 2p′ + 1, q = 2q′ + 1, the lengths of p and q are equal,
p, q, p′ , q′ are all prime numbers. Then, select a random value
g from QRN , where QRN denotes the group of quadratic residues
modulo N, and g is the base of the RSA accumulator. Finally,
auf = (N , g) is sent to the blockchain as a public parameter, so
that the parameter is visible to all nodes.
A block in our scheme contains a block header and body. The
block header contains parent hash, version, nonce, timestamp,
difficulty target and Merkle root. The number of transactions in
the block and all related transaction data generated during are
saved in the block body. The blockchain network can dynamically
adjust the difficulty target of the PoW consensus process. The
miners who first find the correct Nonce and pass the verification
of all the miners will obtain the accounting right of the current
block. Our scheme adds a new byte UTXO commitment in the
block header, i.e. the cumulative value accUTXO of the UTXO set and
 C. Ge, Z. Liu and L. Fang / Journal of Parallel and Distributed Computing 141 (2020) 1–9
uses it as one of the steps for the entire miner to verify that the
newly dug block is legal. The specific process is shown in Fig. 3:
First, the mining node uses the prime generation algorithm Hprime
to process the locally stored UTXO set and maps the elements
into prime numbers. Then, by using the RSA accumulator, the
processed UTXO set is accumulated to generate an accumulated
value accUTXO , and the this value is added to the block header
as an UTXO commitment, finally, the mining nodes calculate the
block header hash value including the UTXO commitment [37].
The mining node that finds the block whose hash value is less
than the difficulty target and has been verified by all the nodes
will obtain the accounting right of the current block.
In the blockchain network, the full nodes verify the new block,
the verification process includes verifying the UTXO commitment
in the block header. The full node calculates the accumulated
value accUTXO through the locally stored UTXO set and compares it
with the UTXO commitment in the block header. Since the cryp-
tographic accumulator has the property of quasi-commutativity,
that is, h(h(g , x1 ), x2 ) = h(h(g , x2 ), x1 ), the accumulated value
accUTXO will not change due to the different order of the elements
stored in the local UTXO collection for different full nodes. In this
way, all the full nodes can verify the UTXO set stored locally, so
as to maintain a unique UTXO set on the blockchain network.
The setup phase mainly consists of the following algorithms:
Hprime (H , UTXOi ) → (xi ): The algorithm inputs the collision-
resistant hash function H and the elements UTXOi in the UTXO
set, such that xi = H(UTXOi ), where i is the index of the element
in the UTXO collection, i = (1, . . . , n):
• If xi is a prime, the algorithm outputs xi ;
• If xi is not a prime, then the algorithm continues to iterate
over xi , such that xi = H(xi ), until xi is prime, and finally
outputs xi .
Gen(1k ) → (auf ): On input the security parameter k, the
generation algorithm calculates a random modulus N of
length k, N is a safe prime number, such that N = pq,
where p = 2p′ + 1, q = 2q′ + 1, the lengths of p and q are
equal, and p, q, p′ , q′ are all prime numbers. The algorithm
also randomly selects a value g from QRN , which is the base
of the RSA accumulator, where QRN denotes the quadratic
residual group of the modulus N. Finally, it outputs the
public parameters auf = (N , g) to the blockchain network
so that all nodes are visible.
Map(Hprime , U1 ) → (U2 ): On input the prime number gener-
ation algorithm Hprime and the UTXO set U1 = UTXO1 , . . . ,
UTXOn . The algorithm maps the elements in the UTXO set
to prime numbers, i.e. xi = Hprime (UTXOi ), such that U2 =
x1 , . . . , xn . Then, it outputs the prime set U2 .
AccVal(auf , U2 ) → (accUTXO ): On input the public parameters
auf = (N , g) and the set of prime numbers U2 = x1 , . . . , xn .
The algorithm uses the RSA accumulator to calculate the
accumulated value accUTXO of the set: accUTXO = g x1 ···xn =
n WitCreat(auf , U2 , xj ) → (w itxj or w it xj ): On input prime number xj ,
g Π1=1 xi . Finally, this algorithm outputs accUTXO .
AddVal(accUTXO ): On input accumulated value accUTXO , the
algorithm adds the accumulated value accUTXO as an UTXO
commitment to the block header.
4.3.2. Request and proof generation phase
In the previous section, we maintained a unique UTXO set
on the blockchain network by accumulating the UTXO set using
the RSA accumulator and adding the accumulated value as an
UTXO commitment to the block header. Therefore, the light node
can use UTXO to verify the received transaction. The simplified
payment verification used by the light node requires the light
5
node to download all the block headers, so that the blockchain
size is only 1/1000 of the complete blockchain. However, using
scheme designed by us, the light node only needs to save the
block header of the newly generated block, which further reduces
the block size that the light node needs to save.
In our scheme, light node receives a transaction, and light
node has downloaded the latest block header, light node verifies
whether the transaction is packaged into the blockchain. The light
node extracts the newly generated unspent transaction output
UTXOj from the received transaction, and randomly sends the ex-
tracted UTXOj as a challenge to the entire node in the blockchain
network, to ask whether the extracted UTXOj exists in the local
UTXO set of the full node.
After receiving the challenge from the light node, the random
full node traverses the local UTXO set to determine whether the
received UTXOj exists in the set. According to the RSA accumu-
lator’s property to provide membership witnesses for elements
in an accumulative set, as well as it’s property to support non-
membership witnesses for elements in a non-accumulative set,
the full node can provide corresponding proof by determining
whether the received UTXOj exists in the local UTXO set. The
full node first maps the received UTXOj to prime xj by the prime
generating algorithm Hprime , such that xj = Hprime (UTXOj ). If UTXOj
exists in the UTXO set, that is, xj ∈ U2 , then the full node
calculates its inclusion proof through the public parameter ∏n auf =
(N , g) in the blockchain network: w itxj = g (Πi=1 xi )/xj = g i=1,i̸=j i .
n x
If UTXOj does not exist in the UTXO set, that is, xj ∈ / U, then
the full node calculates its exclusion proof, i.e. non-membership
witness. For xj ∈ / (U2 ,∏since )xj , x1 , . . . , xn are ∏
obviously prime
n n
numbers, then gcd xj , i=1 xi = 1. Let u = i=1 xi , by using
Euclidean algorithm a and b can be found, for a, b ∈ Z, such that
au + bxj = 1. Then the full node calculates d = g (−b) through
the public parameters auf = (N , g) in the blockchain network,
so the exclusion proof of xj , that is, the ( non-membership witness
can be expressed as w it xj = (a, d) = a, g −b . The full node sends
)
the calculated proof and the received unspent transaction output
UTXOj mapped prime number xj , that is, w itxj or w it xj , xj as proof
to the light node.
The request and proof generation phase mainly consist of the
following algorithms:
Etx(txj ) → (UTXOj ): On input the transaction txj , the algorithm
extracts the newly generated unspent transaction output UTXOj
from the received transaction, it outputs UTXOj .
Req(UTXOj ): On input the unspent transaction output UTXOj , this
algorithm causes the light node to send UTXOj as a challenge
request to random full nodes in the blockchain network.
Map(Hprime , UTXOj ) → (xj ): On input the unspent transaction
output UTXOj and the prime generation algorithm Hprime , this
algorithm maps the received UTXOj through the prime gener-
ation algorithm Hprime to the prime number xj , that is, xj =
Hprime (UTXOj ), outputs prime number xj .
the set of prime numbers U2 = x1 , ·, xn , and the public parameters
auf = (N , g). This algorithm traverses the set of prime numbers
U2 and determines whether the received UTXOj exists in the UTXO
set:
• If UTXOj exists in the UTXO set, that is, xj ∈ U2 , the al-
gorithm calculates it’s inclusion witness through the public
parameters auf = (N , g) in the blockchain network:
witxj = g (Πi=1 xi )/xj = g
n
∏n
i=1,i̸ =j xi (3)
/ U∏
• If UTXOj does not exist in the UTXO set, that is, xj ∈ 2 . Since
n
xj , x1 , ·, xn are obviously prime numbers, let u = i=1 xi ,
6 C. Ge, Z. Liu and L. Fang / Journal of Parallel and Distributed Computing 141 (2020) 1–9

Fig. 3. Addition of UTXO commitment in the blockchain.

gcd(xj , u) = 1. a and b can be found using the Euclidean U5 = {xh , xh+1 , . . . ., xh+L } and U6 = {x1 , x2 , . . . , xM }, then returns
algorithm, for a, b ∈ Z , such that au + bxj = 1. This U5 and U6 .
algorithm calculates d = g (−b) from the public parameters
UpdAcc(U5 , U6 , auf , accUTXO ) → (accUTXO
′′
): On input the public
auf = (N , g). Its exclusion proof, that is, non-membership
parameters auf = (N , g), the UTXO commitment accUTXO , U5 and
witness can be defined as:
U6 , this algorithm updates the UTXO commitment in the block
wit xj = (a, d) = a, g −b
( )
(4) header:
• First, the elements in U5 = {xh , xh+1 , . . . ., xh+L } are deleted
Rep((w itxj or w it xj , xj )): On input the proof (w itxj or w it xj , xj ), this from the set U2 , and the accumulated values in the set are
algorithm sends the proof (w itxj or w it xj , xj ) as a reply back to the then recalculated:
corresponding light node. ′ Πx∈U2 \U5 xi
accUTXO =g N (5)
4.3.3. Update of the UTXO commitment
• Then, add the elements in U6 = {x1 , x2 , . . . .., xM } to U2 ,
In the blockchain, the mining node digs up a new block each
accumulated value updates can be performed in batches.
time, the UTXO set is updated, the UTXO that has been spent
The elements
∏M in the set U6 are aggregated and defined as
is deleted, and the newly generated UTXO is added. Hence, ev-
x∗ = i=1 xi , the update of UTXO commitment can be
ery new block is dug up, the UTXO commitment in the block
calculated as:
header requires an efficient update. Since the RSA dynamic uni-
x∗
versal accumulator proposed in this paper allows to dynamic acc′′UTXO = acc′UTXO N (6)
addition/deletion of values to/from a given accumulator and cor-
responding update of accumulated values, so the UTXO commit- Finally, this algorithm outputs the updated UTXO commitment
′′
ment can get efficient update. accUTXO .
In the proposed scheme, when the mining node performs the
mining of the new block, it first traverses the transaction to be 5. Security proof
put into the new block to generate two UTXO sets, that is, the
UTXO set U3 = {UTXOh , UTXOh+1 , . . . , 5.1. Correctness of the proposed scheme
UTXOh+L } that has been spent and the newly generated unspent
UTXO set U4 = {UTXO1 , UTXO2 , . . . , UTXOM }. Next, the mining Theorem 1. The scheme achieves the correctness property under
node uses the prime generation algorithm Hprime to map the the strong RSA assumption, i.e. for ( any
) probabilistic polynomial-time
elements in the two UTXO sets to prime numbers: xi = H(UTXOi ), algorithm A, (f , N , g) ← Gen 1k , (x, w it , U2 ) ← A(f , N , g) and
such that U5 = {UTXOh , UTXOh+1 , . . . , (x, w it , U2 ) ← A(f , N , g), the following equations hold:
UTXOh+L } and U4 = {UTXO1 , UTXO2 , . . . , UTXOM }. The mining
x ∈ U2 , accUTXO = f (N , g , U2 ) ,
[ ]
node first deletes the UTXO that has been spent in the locally Pr = 1;
v erify (x, wit , accUTXO ) = 1
saved UTXO set, and then recalculates the accumulated value . (7)
= g Πx∈U2 \U5 xi , where accUTXO / U2 , (accUTXO = f (N), g , U2 ) ,
′ ∗
[ ]
of the UTXO set: accUTXO is the x∈
Pr = 1;
accumulated value after deleting the UTXO that has been spent. v erify x, wit , accUTXO = 2
When these new unspent UTXOs are added to the UTXO set,
the accumulated value update can be performed in batches. ∏M The Proof. Let modulus N is a safe prime, such that N = pq, and
elements in the set U6 are aggregated and defined as x∗ = i=1 xi . g is randomly selected from QRN , where p = 2p′ + 1, q =
The addition of the accumulated value in the newly generated 2q′ + 1, the lengths of p and q are equal, and p, q, p′ , q′ are
′′ ′ x∗
block can be calculated as accUTXO = accUTXO , the accumulated ll prime numbers, QRN denotes the quadratic residual group of
′′
value accUTXO is the updated UTXO commitment. the modulus N. Suppose there is a polynomial-time adversary A,
The update of the UTXO commitment mainly consists of the which on input N and g ∈ QRN , outputs an element x∗ , a witness
following algorithms: wit ∗ corresponding to the element, and a set of prime numbers
UsGen(tx) → (U3 , U4 ): On input all transactions txi that will be U2 = x1 , . . . , xn .
put into the new block, this algorithm generates two sets, that Assume x ∈ U2 , the polynomial-time adversary A can calculate
is, the set U3 = {UTXOh , UTXOh+1 , . . . . . . , UTXOh+L } that has been u, the UTXO commitment accUTXO , and the membership witness
spent and the newly generated UTXO set U4 = {UTXO1 , UTXO2 , n
wit, where u = ni=1 xi , accUTXO = g Πi=1 xi = g u , and wit = g u/x .
∏
. . . . . . , UTXOM }. Then, it outputs U3 and U4 . x
Then verify the membership witness: w it x = g (u/x) = g u =
Map(Hprime , U3 , U4 ) → (U5 , U6 ): On input the prime generation accUTXO .
algorithm Hprime , U3 , and U4 . The algorithm maps
( elements
) in Assume x ∈/ U2 , the polynomial-time adversary A can calcu-
two UTXO sets to prime numbers: xi = Hprime UTXOj , such that late u, the UTXO commitment accUTXO , and the non-membership
 C. Ge, Z. Liu and L. Fang / Journal of Parallel and Distributed Computing 141 (2020) 1–9 7

Πin=1 xi
witness w it, where accUTXO = g = g u . Since x, x1 , . . . , xn are If the second equation of (8) holds, A outputs a value x∗i ∈
obviously prime numbers, gcd(x, u) = 1. a and b can be found
∗
U2 , a non-membership witness w it x∗ = (a, d) = (a, g −b ), and
using the Euclidean algorithm, for a, b ∈ Z , such that au + bx = 1. i
an UTXO set of prime numbers U2 = x1 , . . . , xn , such that
The non-membership witness defines as: w it = (a, d) = (a, g −b ). ∗
v erify(N , g , x∗i , wit x∗ , accUTXO ) = 2, that is, accUTXO
a
= g ua =
a
Then verify the non-membership witness: accUTXO = g ua = ∗ ∗
i
∗ ∗
g 1−bx −bx x
= g g = d g. g 1−bxi = g −bxi g = d(xi ) g holds. S invokes A with output x∗i , w it x∗ ,
i
x∗
and accUTXO , such that g ua−1 = d i . Since gcd(au − 1, x∗i ) = 1, a′
5.2. The collision resistant property of the proposed scheme and b′ can be found using the Euclidean algorithm, for a′ , b′ ∈ Z,
such that a′ (au − 1) = 1 + b′ x∗i , then S can efficiently compute y =
Theorem 2. The proposed scheme is collision-resistant under the ′ ′ ∗ ′ ′ ∗ ′ ∗ ′ ∗ a′ ′ ∗
da g −b , such that yxi = (da g −b )xi = da xi g −b xi = g ua−1 g −b xi =
strong RSA assumption i.e. for any probabilistic polynomial-time al- ′ ′ ∗
g a (au−1)−b xi = g. S solves the strong RSA problem.
gorithm A, (f , N , g) ← Gen(1k ), O = {OA , OW , OU }, (x∗i , w itx∗∗ , U2 )
i
∗
← AO (f , N , g), (x∗i , wit x∗ , U2 ) ← AO (f , N , g), the following 5.3. Undeniability of the proposed scheme
i
equations hold:
Theorem 3. The proposed scheme is undeniable under the strong
/ U2 , accUTXO = f (N , g , U2 ) ;
x∗i ∈
[ ]
Pr ≤ ϵ; RSA assumption, t. For any probabilistic polynomial-time algorithm
v erify(x∗i , witx∗∗ accUTXO ) = 1 ∗
A, (f , N , g) ← Gen(1k ), O = {OA , OW , OU } and (x∗i , w itx∗∗ , w it x∗ )
i
(8) i i
x∗i ∈ U2 , accUTXO = f (N , g , U2 ) ; ← AO (f , N , g), the following equation holds:
[ ]
Pr ∗ ≤ ϵ;
v erify(x∗i , w it x∗ , accUTXO ) = 2
accUTXO = f (N , g , U2 )∧
⎡ ⎤
i

Pr ⎣ v erify(xi , w itx∗i , accUTXO ) = 1∧ ⎦ ≤ ϵ

∗ ∗
where ϵ is a negligible function, O is defined as O = OA , OW , OU , (9)
∗
where OA , OW and OU respectively represent the oracles of the v erify(x∗i , wit x∗ , accUTXO ) = 2
i
algorithms AccVal, WitCreat, and UpdAcc. These oracles allow an
adversary to query at any number of times.
Proof. Suppose there exists a polynomial-time adversary A, we
show how to construct a probabilistic polynomial-time adversary
Proof. The strong RSA assumption suggests that, given an RSA
S that solves the strong RSA problem by invoking A. Let modulus
modulus N and a random value g selected from QRN , g ∈ QRN ,
N is a safe prime, g is randomly selected from QRN . S is given
where QRN denotes the quadratic residual group of the modulus
modulus N and g ∈ QRN as input, and then start the game. S
N, find r and y is computationally infeasible, such that yr = g,
simulates all oracles for A as shown in the previous section.
where r > 1, y ∈ ZN∗ .
If the equation holds, A outputs a value x∗i , a non-membership
Suppose there exists a polynomial-time adversary A, we show ∗
witness w it x∗ = (a, d) = (a, g −b ), and a membership witness
how to construct a probabilistic polynomial-time adversary S i
that solves the strong RSA problem by invoking A. Note that, all witx∗ , such that v erify(N ,
∗
i
∗ ∗
arithmetic operations in the proof are modulo N. g , x∗i , w it x∗ , accUTXO ) = 2 and v erify(N , g , x∗i , w it x∗ , accUTXO ) =
i i
∗
Let modulus N is a safe prime, such that N = pq, and g is 2, that is, w itx∗∗ xi a
= accUTXO = g u and accUTXO = g ua =
randomly selected from QRN . S is given modulus N and g ∈ QRN ∗ ∗i ∗
g 1−bxi = g −bxi g = dxi g holds. S invokes A with output x∗i ,
as input, and then start the game by setting the public parameters ∗ ∗ ∗ ∗
auf = (N , g). S simulates the oracles for A as follows:
wit(x∗ ∗ ) , w it (x∗ ) , and accUTXO , such that witx∗∗ axi = dxi g = g 1−bxi .
i i i
OA : For a given the public parameters auf = (N , g), an Since gcd(ax∗i , 1 − bx∗i ) = 1, a′ and b′ can be found using the
UTXO set of prime numbers U2 = x1 , . . . , xn , A calls algorithm Euclidean algorithm, for a′ , b′ ∈ Z , such that a′ ax∗i = 1 +
′ ′
AccVal(auf , U2 ) → (accUTXO ) and return the UTXO commitment b′ (1 − bx∗i ), then S can efficiently compute y = w itx∗∗ a g −b ,
i
accUTXO . ∗ ′ ∗ ′ ∗ ′ ∗
such that y1−bxi = (g ′ w itx∗∗ −b )1−bxi = g a (1−bxi ) w itx∗∗ −b (1−bxi ) =
OU : For a given the public parameters auf = (N , g), the ∗ ′ ′ ∗
i
′ ∗ ′ ∗
i

UTXO commitment accUTXO , element xm deleted to the UTXO set (w itx∗∗ axi )a w itx∗∗ −b (1−bxi ) = w itx∗∗ a axi −b (1−bxi ) = w itx∗∗ . S can solve
i i i i
U2 element xh added to the UTXO set U2 , A calls algorithm the strong RSA problem.
UpdAcc(xi , xh , auf , accUTXO ) → (accUTXO
′′
) and updates the UTXO
′′
commitment. Then it returns accUTXO . 6. Implementation and evaluation
OW : For a given the public parameters auf = (N , g), an UTXO
set of prime numbers U2 = x1 , . . . , xn , and element xi , A judges The blockchain light node transaction verification scheme
the element xi . If xi ∈ U2 , calls algorithm WitCreat(auf , U2 , xi ) → based on the RSA accumulator is written and implemented in the
(w it(xi ) ) and generates membership witnesses w itxi ; if xi ∈ / U2 , C++ language. In the proposed scheme, we use the open source
calls algorithm WitCreat(auf , U2 , xi ) → (w it xi ) and generates C library FLINT for number theory computations, that is, the
non-membership witnesses w it xi . Then it returns w itxi or w it xi . modulo operations performed in the RSA accumulator [14]. Our
If the first equation of (8) holds, A outputs a value x∗i ∈ / U2 , a proposed scheme uses the digest generation algorithm SHA-256
membership witness w itx∗∗ , and an UTXO set of prime numbers to design a prime generation algorithm Hprime that maps elements
i
U2 = x1 , . . . , xn , such that v erify(N , g , x∗i , w itx∗∗ , accUTXO ) = 1, in the UTXO set to collision-resistant prime numbers [7]. The
∗
i security level of our scheme depends on the number of bits of
that is, w itx∗∗ xi = accUTXO = g u holds. S invokes A with output the modulus N in the RSA accumulator. We use 3072-bit RSA
i
x∗i , w itx∗∗ , and accUTXO . Let u = Πin=1 xi , since x∗i , x1 , . . . , xn are modulus equivalent to the 128-bit security level according to
i
obviously prime numbers, gcd(x∗i , u) = 1. a and b can be found NIST definition [1]. The specific test for the experiment was run
using the Euclidean algorithm, for a, b ∈ Z , such that ax∗i = 1 + bu, on a computer with an Intel Core i7 64-bit 3.4 GHz cpu and 16
then S can efficiently compute y = g a w itx∗∗ −b , such that yu = GB RAM. We vary the number of transactions from 500 to 3000
∗ i
∗ step by 500 and record the relevant verification time. We execute
(g a w itx∗∗ −b )u = g ua w itx∗∗ −bu = (w itx∗∗ xi )a w itx∗∗ −bu = w itx∗∗ axi −bu = each experiment 100 times to get the average time. Their specific
i i i i i
witx∗∗ . S solves the strong RSA problem. performance is shown in Fig. 4.
i
8 C. Ge, Z. Liu and L. Fang / Journal of Parallel and Distributed Computing 141 (2020) 1–9
Fig. 4. Computational complexity of transaction verification.
7. Conclusions
How to secure the storage of data generated by IoT nodes
has become an important issue. This paper, for the first time,
proposes a decentralized storage mechanism based on blockchain
to store IoT data. This mechanism effectively solves the data
reliability, security and privacy issues that may be encountered
when Internet of things data are stored. According to the different
verification transaction modes of full nodes and light nodes in the
blockchain network, this paper also proposes an UTXO verifica-
tion mechanism based on the RSA accumulator, which makes the
verification computational complexity of the light node constant
to be constant. Moreover, the proposed scheme provides both
inclusion proof and exclusion proof light nodes.
Declaration of competing interest
The authors declare that they have no known competing finan-
cial interests or personal relationships that could have appeared
to influence the work reported in this paper.
CRediT authorship contribution statement
Chunpeng Ge: Conceptualization, Methodology. Zhe Liu: Con-
ceptualization, Funding acquisition. Liming Fang: Formal analy-
sis, Data curation.
Acknowledgments
This work was supported by the National Natural Science
Foundation of China (Grant No. 61702236, 61872181) and the
National Science Foundation for Post-doctoral Scientists of China
(No.2019M651826).
References
[1] E. Barker, W. Barker, W. Burr, W. Polk, M. Smid, Recommendation for key
management part 1: General (revision 3), NIST Spec. Publ. 800 (57) (2012)
1–147.
[2] J. Benaloh, M. De Mare, One-way accumulators: A decentralized alternative
to digital signatures, in: Workshop on the Theory and Application of
Cryptographic Techniques, Springer, 1993, pp. 274–285.
[3] D. Cao, B. Zheng, B. Ji, Z. Lei, C. Feng, A robust distance-based relay
selection for message dissemination in vehicular network, Wirel. Netw.
(2018) http://dx.doi.org/10.1007/s11276-018-1863-4.
[4] K.R. Choo, S. Gritzalis, J.H. Park, Cryptographic solutions for industrial
Internet-of-Things: Research challenges and opportunities, IEEE Trans. Ind.
Inf. 14 (8) (2018) 3567–3569, http://dx.doi.org/10.1109/TII.2018.2841049.
[5] G. Chunpeng, Z. Liu, J. Xia, F. Liming, Revocable identity-based broadcast
proxy re-encryption for data sharing in clouds, IEEE Trans. Dependable
Secure Comput. (2019) 1–1. http://dx.doi.org/10.1109/TDSC.2019.2899300.
[6] C. Dwork, M. Naor, Pricing via processing or combatting junk mail, in:
Annual International Cryptology Conference, Springer, 1992, pp. 139–147.
[7] M.J. Dworkin, SHA-3 StandArd: Permutation-Based Hash and Extendable-
Output Functions, Tech. Rep., 2015.
[8] H. El-Sayed, S. Sankar, M. Prasad, D. Puthal, A. Gupta, M. Mohanty, C.-T.
Lin, Edge of things: The big picture on the integration of edge, iot and
the cloud in a distributed computing environment, IEEE Access 6 (2017)
1706–1717.
[9] E. Fernandes, J. Jung, A. Prakash, Security analysis of emerging smart home
applications, in: Security and Privacy, 2016.
[10] K. Gai, Y. Wu, L. Zhu, M. Qiu, M. Shen, Privacy-preserving energy trading
using consortium blockchain in smart grid, IEEE Trans. Ind. Inf. 15 (6)
(2019) 3548–3558.
[11] K. Gai, Y. Wu, L. Zhu, L. Xu, Y. Zhang, Permissioned blockchain and
edge computing empowered privacy-preserving smart grid networks, IEEE
Internet Things J. 6 (5) (2019) 7992–8004.
[12] K. Gai, Y. Wu, L. Zhu, Z. Zhang, M. Qiu, Differential privacy-based
blockchain for industrial Internet of Things, IEEE Trans. Ind. Inf. (2019).
[13] A. Gouglidis, N. Shirazi, A. Farshad, D. Hutchison, A. Gouglidis, N. Shirazi, A.
Farshad, D. Hutchison, The extended cloud: Review and analysis of mobile
edge computing and fog from a security and resilience perspective, IEEE
J. Sel. Areas Commun. (2016).
[14] W.B. Hart, Fast library for number theory: an introduction, in: International
Congress on Mathematical Software, Springer, 2010, pp. 88–91.
[15] S. He, K. Xie, K. Xie, Z. Li, C. Xu, Interference-aware multi-source
transmission, in: Trustcombigdatasei.spa, 2017.
[16] G. Jia, G. Han, J. Jiang, S. Chan, Y. Liu, Dynamic cloud resource management
for efficient media applications in mobile computing environments, Pers.
Ubiquitous Comput. 22 (3) (2018) 561–573.
[17] G. Jia, G. Han, H. Rao, L. Shu, Edge computing-based intelligent manhole
cover management system for smart cities, IEEE Internet Things J. 5 (3)
(2018) 1648–1656, http://dx.doi.org/10.1109/JIOT.2017.2786349.
[18] A. Jose, R. Malekian, Improving smart home security; integrating logical
sensing into smart home, IEEE Sens. J. 17 (13) (2017) 4269–4286.
[19] W.I. Khedr, H.M. Khater, E.R. Mohamed, Cryptographic accumulator-based
scheme for critical data integrity verification in cloud storage, IEEE Access
7 (2019) 65635–65651.
[20] S. King, S. Nadal, Ppcoin: Peer-to-peer crypto-currency with proof-of-stake,
2012, self-published paper, August 19.
[21] R.K. Kodali, V. Jain, S. Bose, L. Boppana, IoT Based smart security and
home automation system, in: 2016 International Conference on Computing,
Communication and Automation (ICCCA), IEEE, 2016, pp. 1286–1289.
[22] D. Larimer, Delegated proof-of-stake, 2014.
[23] W. Li, Z. Chen, X. Gao, W. Liu, J. Wang, Multi-model framework for indoor
localization under mobile edge computing environment, IEEE Internet
Things J. (2018).
[24] X. Li, R. Lu, X. Liang, X. Shen, J. Chen, X. Lin, Smart community: an
internet of things application, IEEE Commun. Mag. 49 (11) (2011) 68–75,
http://dx.doi.org/10.1109/MCOM.2011.6069711.
[25] Z. Li, C. Ma, D. Wang, Towards multi-hop homomorphic identity-
based proxy re-encryption via branching program, IEEE Access 5 (2017)
16214–16228.
[26] X. Li, J. Peng, J. Niu, F. Wu, J. Liao, K.R. Choo, A robust and energy
efficient authentication protocol for industrial internet of things, IEEE
Internet Things J. 5 (3) (2018) 1606–1615, http://dx.doi.org/10.1109/JIOT.
2017.2787800.
[27] L. Li, G. Xu, L. Jiao, X. Li, H. Wang, J. Hu, H. Xian, W. Lian, et al., A
secure random key distribution scheme against node replication attacks
in industrial wireless sensor systems, IEEE Trans. Ind. Inf. (2019).
[28] C. Lin, D. He, N. Kumar, X. Huang, P. Vijaykumar, K.-K.R. Choo, HomeChain:
A blockchain-based secure mutual authentication system for smart homes,
IEEE Internet Things J. (2019).
[29] Y. Liu, Y. Ren, C. Ge, J. Xia, Q. Wang, A CCA-secure multi-conditional proxy
broadcast re-encryption scheme for cloud storage system, J. Inf. Secur.
Appl. 47 (2019) 125–131.
[30] I. Miers, C. Garman, M. Green, A.D. Rubin, Zerocoin: Anonymous distributed
e-cash from bitcoin, in: 2013 IEEE Symposium on Security and Privacy,
IEEE, 2013, pp. 397–411.
[31] S. Nakamoto, et al., Bitcoin: A peer-to-peer electronic cash system, 2008.
[32] J. Pan, J. McElhannon, Future edge cloud and edge computing for internet
of things applications, IEEE Internet Things J. 5 (1) (2017) 439–449.
[33] Y. Ren, Y. Leng, Y. Cheng, J. Wang, Secure data storage based on blockchain
and coding in edge computing, Math. Biosci. Eng 16 (2019) 1874–1892.
[34] Y. Ren, Y. Liu, C. Qian, Digital continuity guarantee based on data consis-
tency in cloud storage, in: International Conference on Cloud Computing
and Security, Springer, 2018, pp. 3–11.
 C. Ge, Z. Liu and L. Fang / Journal of Parallel and Distributed Computing 141 (2020) 1–9
[35] V. Sivaraman, H.H. Gharakheili, A. Vishwanath, R. Boreli, O. Mehani,
Network-level security and privacy control for smart-home iot devices,
in: IEEE International Conference on Wireless Mobile Computing, 2015.
[36] A. Sudarsono, T. Nakanishi, N. Funabiki, Efficient proofs of attributes
in pairing-based anonymous credential system, in: International Sympo-
sium on Privacy Enhancing Technologies Symposium, Springer, 2011, pp.
246–263.
[37] P. Todd, Making UTXO set growth irrelevant with low-latency delayed txo
commitments, 2016.
[38] J. Wang, Y. Gao, W. Liu, A.K. Sangaiah, H.-J. Kim, An intelligent data gather-
ing schema with data fusion supported for mobile sink in wireless sensor
networks, Int. J. Distrib. Sens. Netw. 15 (3) (2019) 1550147719839581.
[39] J. Wang, Y. Gao, W. Liu, W. Wu, S.-J. Lim, An asynchronous clustering
and mobile data gathering schema based on timer mechanism in wireless
sensor networks, Comput. Mater. Contin. 58 (2019) 711–725.
[40] J. Wang, Y. Gao, X. Yin, F. Li, H.J. Kim, An enhanced PEGASIS algorithm
with mobile sink support for wireless sensor networks, Wirel. Commun.
Mob. Comput. 2018 (8) (2018) 1–9.
[41] J. Wang, C. Ju, Y. Gao, A.K. Sangaiah, G.-j. Kim, A PSO based energy efficient
coverage control algorithm for wireless sensor networks, Comput. Mater.
Contin. 56 (2018) 433–446.
[42] B. Yin, X. Wei, Communication-efficient data aggregation tree construction
for complex queries in IoT applications, IEEE Internet Things J. 6 (2) (2018)
3352–3363.
[43] C. Yin, J. Xi, R. Sun, J. Wang, Location privacy protection based on
differential privacy strategy for big data in industrial internet of things,
IEEE Trans. Ind. Inf. 14 (8) (2018) 3628–3636, http://dx.doi.org/10.1109/
TII.2017.2773646.
[44] B. Yin, S. Zhou, S. Zhang, K. Gu, F. Yu, On efficient processing of continuous
reverse skyline queries in wireless sensor networks, TIIS 11 (4) (2017)
1931–1953.
[45] F. Zafar, A. Khan, S.U.R. Malik, M. Ahmed, A. Anjum, M.I. Khan, N. Javed,
M. Alam, F. Jamil, A survey of cloud computing data integrity schemes,
Comput. Secur. 65 (C) (2017) 29–49.
[46] X. Zeng, G. Xu, X. Zheng, Y. Xiang, W. Zhou, E-AUA: An efficient anonymous
user authentication protocol for mobile IoT, IEEE Internet Things J. 6 (2)
(2018) 1506–1519.
[47] Y. Zhang, D. He, K.-K.R. Choo, BaDS: Blockchain-based architecture for data
sharing with ABS and CP-ABE in IoT, Wirel. Commun. Mob. Comput. (2018).
[48] L. Zhou, Q. Liu, Y. Wang, H. Li, Secure group information exchange scheme
for vehicular ad hoc networks, Pers. Ubiquitous Comput. 21 (5) (2017)
903–910.
9
Chunpeng Ge (M’16) received the Ph.D. degree in
Computer Science from Nanjing University of Aeronau-
tics and Astronautics in 2016. He is now a research
fellow of Singapore University of Technology and
Design. His current research interests include cryp-
tography, information security and privacy preserving
for blockchain. His recent work has focused on the
topics of public key encryption with keyword search,
proxy re-encryption, identity-based encryption, and
techniques for resistance to CCA attacks.
Zhe Liu received the B.S. and M.S. degrees in Shan-
dong University in 2008 and 2011, respectively. He
is a professor in College of Computer Science and
Technology, Nanjing University of Aeronautics and As-
tronautics (NUAA), China. Before joining NUAA, he
was a researcher in SnT, University of Luxembourg,
Luxembourg. He received his Ph.D. degree Laboratory
of Algorithmics, Cryptology and Security (LACS), Uni-
versity of Luxembourg, Luxembourg in 2015. His Ph.D.
thesis has received the prestigious FNR Awards 2016 —
Outstanding Ph.D. Thesis Award for his contributions
in cryptographic engineering on IoT devices. His research interests include
computer arithmetic and information security. He has co-authored more than
70 research peer-reviewed journal and conference papers.
Liming Fang received the Ph.D. degree in Computer
Science from Nanjing University of Aeronautics and
Astronautics in 2012, and has been a postdoctor in
the information security from City University of Hong
Kong. He is the associate professor at the School of
Computer Science, Nanjing University of Aeronautics
and Astronautics. Now, he is a visiting scholar of the
Department of Electrical and Computer Engineering
New Jersey Institute of Technology. His current re-
search interests include cryptography and information
security. His recent work has focused on the topics of
public key encryption with keyword search, proxy re-encryption, identity-based
encryption, and techniques for resistance to CCA attacks.