CONCEPTUAL ARCHITECTURE AND FORMAL MODEL OF SELF-SOVEREIGN DIGITAL TWINS IN IoT ECOSYSTEMS

Authors

DOI:

https://doi.org/10.28925/2663-4023.2026.33.1231

Keywords:

Digital Twins, Decentralized Identifiers, Internet of Things, Blockchain, Verified Credentials, Zero-Knowledge Proofs, Hardware Security Modules, Data Privacy, Distributed Systems

Abstract

The paper presents a conceptual architecture of self-sovereign digital twins (SSDT) for IoT ecosystems, which provides decentralized management of device identity and data without dependence on centralized providers. The proposed solution eliminates the main shortcomings of traditional IoT systems associated with centralized data storage, provider compromise risks, and lack of privacy guarantees. A three-tier architecture is developed: the physical layer ensures authentic data collection on IoT devices with cryptographic signing; the digital twin layer on the computing gateway implements decentralized identifier (DID) management, credential storage, access policy evaluation, and zero-disclosure evidence generation; the blockchain layer guarantees immutable audit through a private blockchain with fail-safe consensus, smart contracts for the DID registry, credential status management, and access operation logging. The SSDT model is formalized as a tuple that includes a decentralized identifier, a set of attributes, a state function, access policies, cryptographic keys, and transaction history, with clearly defined security invariants. A threat model based on the STRIDE methodology adapted to distributed IoT systems is analyzed. The analysis covers key assets (identities, credentials, telemetry, and private keys) and groups threats into areas: exchange integrity, identity threats, and confidentiality. Man-in-the-Middle attacks, replay attacks, device spoofing, credential forgery, access policy bypass, and key compromise are identified. A set of countermeasures is proposed that includes mutual TLS, cryptographic message signing, timestamps, mandatory DID registration in the blockchain, device attestation, revocation status checking, request frequency limitation, key rotation, and hardware security modules. Zero-disclosure proof mechanisms are used to ensure privacy. The results of the study confirm the possibility of creating scalable, private and self-sovereign IoT device management systems. The architecture provides horizontal scalability, low latency due to edge processing, and privacy by design. The practical value lies in the possibility of application in industrial IoT, personal monitoring systems, and smart cities. Further research directions include formal verification, optimization of ZKP for resource-dependent devices, and compatibility with existing IoT platforms.

Downloads

Download data is not yet available.

References

Tao, F., Zhang, M., & Nee, A. Y. C. (2019). Digital twin driven smart manufacturing. Academic Press. https://doi.org/10.1016/C2018-0-02206-9

Mühle, A., Grüner, A., Gayvoronskaya, T., & Meinel, C. (2018). A survey on essential components of a self-sovereign identity. Computer Science Review, 30, 80-86. https://doi.org/10.48550/arXiv.1807.06346

Androulaki, E., Barger, A., Bortnikov, V., et al. (2018). Hyperledger Fabric: A distributed operating system for permissioned blockchains. In Proceedings of the Thirteenth EuroSys Conference (pp. 1-15). https://doi.org/10.48550/arXiv.1801.10228

Grieves, M., & Vickers, J. (2017). Digital twin: Mitigating unpredictable, undesirable emergent behavior in complex systems. In Transdisciplinary perspectives on complex systems (pp. 85-113). Springer. https://doi.org/10.1007/978-3-319-38756-7_4

Atzori, L., Iera, A., & Morabito, G. (2010). The internet of things: A survey. Computer Networks, 54(15), 2787-2805. https://doi.org/10.1016/j.comnet.2010.05.010

Sporny, M., Longley, D., & Chadwick, D. (2022). Decentralized identifiers (DIDs) v1.0. W3C Recommendation. Retrieved February 17, 2026, from https://www.w3.org/TR/did-core/

Sporny, M., Longley, D., & Chadwick, D. (2022). Verifiable credentials data model v1.1. W3C Recommendation. Retrieved February 17, 2026, from https://www.w3.org/TR/vc-data-model/

Chaum, D. (1985). Security without identification: Transaction systems to make big brother obsolete. Communications of the ACM, 28(10), 1030-1044.

Camenisch, J., & Lysyanskaya, A. (2001). An efficient system for non-transferable anonymous credentials with optional anonymity revocation. In International Conference on the Theory and Applications of Cryptographic Techniques(pp. 93-118).Springer.https://doi.org/10.1007/3-540-44987-6_7

Vukolić, M. (2015). The quest for scalable blockchain fabric: Proof-of-work vs. BFT replication. In International Workshop on Open Problems in Network Security (pp. 112-125). Springer. https://doi.org/10.1007/978-3-319-39028-4_9

Goldwasser, S., Micali, S., & Rackoff, C. (1989). The knowledge complexity of interactive proof systems. SIAM Journal on Computing, 18(1), 186-208. https://doi.org/10.1145/22145.22178

Ben-Sasson, E., Chiesa, A., Tromer, E., et al. (2014). Succinct non-interactive zero knowledge for a von Neumann architecture. In 23rd USENIX Security Symposium (pp. 781–796). https://dl.acm.org/doi/10.5555/2671225.2671275

Bünz, B., Bootle, J., Boneh, D., et al. (2018). Bulletproofs: Short proofs for confidential transactions and more. In 2018 IEEE Symposium on Security and Privacy (pp. 315-334). IEEE. https://doi.org/10.1109/SP.2018.00020

Kosba, A., Miller, A., Shi, E., et al. (2016). Hawk: The blockchain model of cryptography and privacy-preserving smart contracts. In 2016 IEEE Symposium on Security and Privacy (pp. 839-858). IEEE. https://doi.org/10.1109/SP.2016.55

Shi, W., Cao, J., Zhang, Q., et al. (2016). Edge computing: Vision and challenges. IEEE Internet of Things Journal, 3(5), 637-646. https://doi.org/10.1109/JIOT.2016.2579198

Bonomi, F., Milito, R., Zhu, J., & Addepalli, S. (2012). Fog computing and its role in the internet of things. In Proceedings of the First Edition of the MCC Workshop on Mobile Cloud Computing (pp. 13-16). https://doi.org/10.1145/2342509.2342513

Satyanarayanan, M., Bahl, P., Caceres, R., & Davies, N. (2009). The case for VM-based cloudlets in mobile computing. IEEE Pervasive Computing, 8(4), 14-23. https://doi.org/10.1109/MPRV.2009.82

Yi, S., Li, C., & Li, Q. (2015). A survey of fog computing: Concepts, applications and issues. In Proceedings of the 2015 Workshop on Mobile Big Data (pp. 37-42). https://doi.org/10.1145/2757384.2757397

Bernstein, D. J., Duif, N., Lange, T., et al. (2012). High-speed high-security signatures. Journal of Cryptographic Engineering, 2(2), 77-89. https://doi.org/10.1007/s13389-012-0027-1

Espressif Systems.(2026). ESP32 technical reference manual(Version 5.7). Retrieved February 17, 2026, https://www.espressif.com/sites/default/files/documentation/esp32_technical_reference_manual_en.pdf

Barricelli, B. R., Casiraghi, E., & Fogli, D. (2019). A survey on digital twin: Definitions, characteristics, applications, and design implications. IEEE Access, 7, 167653-167671. https://doi.org/10.1109/ACCESS.2019.2953499

Hu, V. C., Ferraiolo, D., Kuhn, R., et al. (2013). Guide to attribute based access control (ABAC) definition and considerations (NIST Special Publication 800-162). National Institute of Standards and Technology. https://doi.org/10.6028/NIST.SP.800-162

Merkle, R. C. (1987). A digital signature based on a conventional encryption function. In Conference on the Theory and Application of Cryptographic Techniques (pp. 369-378). Springer. https://doi.org/10.1007/3-540-48184-2_32

Shostack, A. (2014). Threat modeling: Designing for security. John Wiley & Sons.

Callegati, F., Cerroni, W., & Ramilli, M. (2009). Man-in-the-middle attack to the HTTPS protocol. IEEE Security & Privacy, 7(1), 78-81. https://doi.org/10.1109/MSP.2009.12

Rescorla, E. (2018). The transport layer security (TLS) protocol version 1.3 (RFC 8446). https://doi.org/10.17487/RFC8446

Needham, R. M., & Schroeder, M. D. (1978). Using encryption for authentication in large networks of computers. Communications of the ACM, 21(12), 993-999. https://doi.org/10.1145/359657.359659

Trusted Computing Group. (2019). TPM 2.0 library specification. Retrieved February 17, 2026, from https://trustedcomputinggroup.org/resource/tpm-library-specification/

Anderson, R. (2020). Security engineering: A guide to building dependable distributed systems (3rd ed.). John Wiley & Sons.

Bass, L., Clements, P., & Kazman, R. (2021). Software architecture in practice (4th ed.). Addison-Wesley Professional.

Banks, A., & Gupta, R. (2014). MQTT version 3.1.1. OASIS Standard. Retrieved February 17, 2026, from http://docs.oasis-open.org/mqtt/mqtt/v3.1.1/os/mqtt-v3.1.1-os.html

Downloads


Abstract views: 8

Published

2026-06-25

How to Cite

Ovsianko, D., & Nyemkova, E. (2026). CONCEPTUAL ARCHITECTURE AND FORMAL MODEL OF SELF-SOVEREIGN DIGITAL TWINS IN IoT ECOSYSTEMS. Electronic Professional Scientific Journal «Cybersecurity: Education, Science, Technique», 1(33), 537–554. https://doi.org/10.28925/2663-4023.2026.33.1231

Issue

Vol. 1 No. 33 (2026): Cybersecurity: Education, Science, Technique

Section

Articles

License

Copyright (c) 2026 Дмитро Овсянко, Олена Нємкова

Creative Commons License

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.