In 2024, FidesInnova founders Gholamreza Ramezan and Ehsan Meamari published a peer-reviewed paper in IEEE introducing the zk-IoT framework — the first formal cryptographic framework for securing IoT devices and their data using zero-knowledge proofs on blockchain platforms. This article summarizes the key concepts, architecture, and benchmarks from that research for a technical audience.
Full citation: G. Ramezan and E. Meamari, "zk-IoT: Securing the Internet of Things with Zero-Knowledge Proofs on Blockchain Platforms," IEEE, 2024.
The Internet of Things has a fundamental trust problem. When an IoT device reports a sensor reading, a downstream system has no way to verify that:
Existing approaches — TLS encryption, hardware attestation chips (TPM), secure boot — address some of these concerns but require trusting a central certificate authority, a hardware manufacturer, or a cloud intermediary. None of them provide a publicly verifiable, trustless proof of correct device execution.
The zk-IoT paper proposes a new cryptographic primitive specifically designed for this gap.
The paper introduces the concept of a functional commitment for IoT firmware. A functional commitment is a cryptographic object that proves a specific function (the device firmware) was executed on specific input data (sensor readings) and produced a specific output — without revealing the function internals or the input data.
Applied to IoT: a device generates a proof that its firmware function f, executed on sensor input x, produced output y. Any verifier can check this proof using only the public verification key, the claimed output y, and the proof itself. They do not need to know x (the raw sensor value) or inspect f (the firmware code).
The framework consists of four components working together:
zk-Device: An IoT device running firmware augmented with the FidesInnova ZKP library. The device generates a zk-SNARK proof (specifically using the Groth16 proof system) for each sensor reading or execution cycle. The proof certifies correct firmware execution without revealing the firmware or the raw sensor data.
Relayer Node: The FidesInnova IoT Server acts as a relayer. It receives proofs from devices, aggregates them, runs Service Contracts (user-defined JavaScript programs that process sensor data), and submits the resulting proofs to the blockchain. The relayer also provides the MQTT broker, device management dashboard, and Service Market gateway.
Blockchain: Proofs are stored on the FidesInnova blockchain — an EVM-compatible chain using Delegated Decentralized Proof of Stake (D2PoS) consensus, designed for high-throughput, low-latency IoT proof submission. Stored proofs are immutable, publicly readable, and verifiable by anyone without special access.
Verifier: Any party — an end user, a regulator, an insurer, an automated smart contract — can retrieve a proof from the blockchain and verify it using the public verification key. Verification does not require contacting the device, the node operator, or FidesInnova.
Figure: the four-component zk-IoT trust pipeline (zk-Device → Relayer Node → Blockchain → Verifier)
The paper uses the Groth16 proof system — a well-established zk-SNARK construction that provides:
The firmware execution trace is converted into an arithmetic circuit (R1CS — Rank-1 Constraint System), then into a QAP (Quadratic Arithmetic Program), and finally into a Groth16 proof. This process happens on the IoT device itself during the measurement cycle.
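To make the R1CS and QAP steps concrete, the following added example (not code from the paper or the FidesInnova library) flattens a hypothetical quadratic sensor-calibration function into two rank-1 constraints over the BN-128 scalar field and checks the matching QAP identity at one evaluation point. The calibration function, its coefficients and all names are assumptions; no Groth16 proof is generated, only the statement that such a proof would attest to.

```python
# Scalar field order of BN-128 (alt_bn128); all circuit arithmetic is mod R.
R = 21888242871839275222246405745257275088548364400416034343698204186575808495617

# Hypothetical firmware function (assumption): quadratic sensor calibration
# y = 3*x^2 + 7*x + 11, where x is the raw reading and y the reported value.
K2, K1, K0 = 3, 7, 11

def firmware(x):
    return (K2 * x * x + K1 * x + K0) % R

# Witness layout w = [1, y, x, t] with t = x*x. Only 1 and y are public;
# x and t stay on the device. Row i encodes (A[i].w) * (B[i].w) = (C[i].w).
A = [[0, 0, 1, 0], [K0, 0, K1, K2]]   # x        | K0 + K1*x + K2*t
B = [[0, 0, 1, 0], [1, 0, 0, 0]]      # x        | 1
C = [[0, 0, 0, 1], [0, 1, 0, 0]]      # t        | y

def dot(row, w):
    return sum(r * v for r, v in zip(row, w)) % R

def witness(x):
    """Execution trace of firmware(x) laid out as the R1CS witness."""
    return [1, firmware(x), x % R, x * x % R]

def r1cs_ok(w):
    """True when every rank-1 constraint holds for witness w."""
    return all(dot(a, w) * dot(b, w) % R == dot(c, w) for a, b, c in zip(A, B, C))

def line(v1, v2, s):
    """Evaluate at s the polynomial interpolating (1, v1) and (2, v2)."""
    return (v1 + (v2 - v1) * (s - 1)) % R

def qap_ok(w, s):
    """QAP form: A_w(t)*B_w(t) - C_w(t) must equal H(t)*Z(t), Z(t) = (t-1)(t-2).
    With two constraints H is a constant, the leading coefficient of A_w*B_w."""
    a, b, c = ([dot(row, w) for row in M] for M in (A, B, C))
    h = (a[1] - a[0]) * (b[1] - b[0]) % R
    p_s = (line(*a, s) * line(*b, s) - line(*c, s)) % R
    return p_s == h * (s - 1) * (s - 2) % R

if __name__ == "__main__":
    w = witness(25)                      # constructed sample reading
    forged = [1, w[1] + 1, w[2], w[3]]   # same trace, altered reported output
    print(r1cs_ok(w), qap_ok(w, 5))            # True True
    print(r1cs_ok(forged), qap_ok(forged, 5))  # False False
```

A witness whose reported output or raw reading has been altered fails both checks, which is the property a Groth16 proof lets a verifier rely on while seeing only the public entries 1 and y.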
A key concern for any IoT cryptographic scheme is whether it is practical on resource-constrained hardware. The paper reports benchmarks on representative IoT hardware:
694 ms: average time to generate a zk-SNARK proof on a typical IoT microcontroller (ARM Cortex-M class)
19 ms: time to verify a submitted proof on the blockchain node, fast enough for real-time applications
~200 bytes: compact proof representation suitable for transmission over constrained IoT networks (LoRa, NB-IoT, MQTT)
Low: the ZKP library is optimized for devices with limited RAM and flash, and is compatible with ESP32 and Cortex-M class MCUs
These benchmarks demonstrate that zk-IoT is not just theoretically sound — it is practically deployable on the same class of hardware used in mass-market IoT products today.
Beyond firmware verification, the paper introduces Service Contracts as a programmable layer on top of the proof system. A Service Contract is a JavaScript program that runs inside the Relayer Node and can itself generate zero-knowledge proofs for its outputs.
This means higher-level computations — "the average temperature across 100 devices was 22°C last hour", "device X was online continuously for 7 days", "total energy consumption across a building was 450 kWh" — can all be proven cryptographically, not just raw sensor readings. The trust chain extends from individual device measurements up through aggregated analytics.
The paper also introduces D2PoS (Delegated Decentralized Proof of Stake) — a consensus mechanism adapted for IoT blockchain requirements. Unlike standard DPoS systems, D2PoS accounts for the high transaction throughput typical of IoT sensor networks (thousands of proof submissions per second across large deployments) while maintaining the decentralization properties required for a trustless system.
The paper formally analyzes the security properties of the zk-IoT framework under standard cryptographic assumptions:
These properties hold under the Decisional Diffie-Hellman (DDH) assumption and the security of the underlying elliptic curve (BN-128), both of which are standard hardness assumptions in modern cryptography.
The zk-IoT paper represents the first peer-reviewed, practically benchmarked framework for applying zero-knowledge proofs to IoT device verification. Its significance lies in three areas: