Towards Decentralized IoT Updates Delivery Leveraging Blockchain and Zero-Knowledge Proofs

Internet of Things (IoT) devices are being deployed in huge numbers around the world, and often present serious vulnerabilities. Accordingly, delivering regular software updates is critical to secure IoT devices. Manufactures face two predominant challenges in providing software updates to IoT devices: 1) scalability of the current client-server model and 2) integrity of the distributed updates - exacerbated due to the devices' computing power and lightweight cryptographic primitives. Motivated by these limitations, we propose CrowdPatching, a blockchain-based decentralized protocol, allowing manufacturers to delegate the delivery of software updates to self-interested distributors in exchange for cryptocurrency. Manufacturers announce updates by deploying a smart contract (SC), which in turn will issue cryptocurrency payments to any distributor who provides an unforgeable proof-of-delivery. The latter is provided by IoT devices authorizing the SC to issue payment to a distributor when the required conditions are met. These conditions include the requirement for a distributor to generate a zero-knowledge proof, generated with a novel proving system called zk-SNARKs. Compared with related work, CrowdPatching protocol offers three main advantages. First, the number of distributors can scale indefinitely by enabling the addition of new distributors at any time after the initial distribution by manufacturers (i.e., redistribution among the distributor network). The latter is not possible in existing protocols and is not account for. Secondly, we leverage the recent common integration of gateway or Hub in IoT deployments in our protocol to make CrowdPatching feasible even for the more constraint IoT devices. Thirdly, the trustworthiness of distributors is considered in our protocol, rewarding the honest distributors' engagements. We provide both informal and formal security analysis of CrowdPatching using Tamarin Prover.