I Introduction
Since the advent of the Bitcoin protocol in 2008 [1], a large wave of blockchain protocols has emerged, aiming to support the implementation of decentralized applications, or dApps, that reduce the need of a central authority to supervise the interactions in multiagent systems [2]. A promising use of dApps is in the Internet of Things (IoT) services, e.g. for executing economic transactions in smart grid applications in which devices interact through a blockchain to trade energy [3, 4] or to solve distributed optimizations [5].
Storing the entire blockchain and processing every transaction require a remarkable amount of storage memory and computations. This is not feasible for IoT devices, as they are often constrained with respect to memory, computation, communication and power. Instead, the IoT devices may act as lightweight clients, which only store a subset of the blockchain data, possibly encoded [6], needed to verify certain events of interest. The IoT devices, configured as lightweight clients, are connected to a set of regular blockchain nodes (BNs), e.g. via a wireless base station, see Fig. 1. These devices are constantly synchronizing with the BNs [7], receiving a minimal amount of information, namely the block headers. In addition, when certain events that are of interest to a specific device occur, e.g. modification of specific accounts’ state or transactions involving these accounts, the BNs transmit the updates to the device, including the proof of their inclusion (PoIs) in the blockchain.
While the architecture with lightweight clients reduces the processing and memory requirements, there is still a need for a remarkable amount of downlink traffic in order to maintain synchronization to the global blockchain [7]. This type of operation challenges the common assumption that IoT devices mostly generate uplink traffic [8, 9], urging the investigation in accurate models for blockchain traffic. Schemes that reduce the amount of traffic exchanged between the lightweight clients and the BNs have previously been proposed, either by modifying the block structure [10], [11], by leveraging on the characteristics of accountbased blockchains, e.g. Ethereum [12], or by backing the authenticity of the transmitted information with a deposit of credit [13], [14].
This work is motivated by the observation that the blockchain synchronization process can be tailored to the actual requirements of timely information updates to the IoT devices. That is, the ultimate target is not to keep the devices always synchronized, but to synchronize them according to the needs of the underlying dApp. Hence, we replace the legacy scheme, in which the BNs transmits the information to the devices whenever available, with a novel approach in which the information is accumulated and pushed only when needed by the end IoT devices. Among the multitude of blockchain protocols, we focus on the Ethereum specification [15], but the overall principle of aggregation can be applied to other “accountbased” blockchains.
The contributions of this work can be summarized as follows:

We propose and analyze an aggregation scheme, implemented at the BNs, that reduces the duty cycle of the device and the amount of transferred data, at the cost of an increased information delay at the IoT device. The reduction is achieved when events of interests to the device occur multiple times within an aggregation period, and is mainly caused by avoiding transmission of temporary states, but also because the size of the proof of inclusion increases sublinearly with the number of events.

We extend our previous model [7] by including the possibility for the IoT device to observe multiple accounts, and for the base station to select the transmission rate. The result is a model for lightweight clients that is rich, but simple to analyze. We show its potential application by constructing a set of observed accounts that increases the privacy of the IoT device, while keeping the communication cost low.

We study the cost of transmitting the proof of inclusion for the updated data, namely the MerklePatricia tree data structures, and provide experimental results obtained for Ethereum protocol.
The remainder of the paper is organized as follows. Section II provides an introduction to blockchain protocols, focusing on Ethereum, and describes the lightweight protocol variants. The system model is introduced in Section III and analyzed in Section IV. Section V presents the evaluation and Section VI concludes the paper.
Ii Blockchain protocol
This section introduces the main components of the Ethereum protocol [15], that is a popular choice for blockchain systems tailored for IoT applications [3, 16, 17]. The common trait of Ethereum with other blockchain protocols can be found in [18].
The Ethereum blockchain is a database that records of history of the states of accounts in a chain of blocks. An account is a data structure that contains an amount of credit and a generalpurpose memory block. The account may also contain a set of predefined procedures that can read and write to the memory; in this case, the account is called smart contract. The state of an account can be changed by transactions, either directly or through the invocation of a procedure in a smart contract. We shall refer to these modifications of accounts as events.
Transactions are signed by devices using an asymmetric cipher, and identified by their hash values^{1}^{1}1The hash value of some input data is the output of a hash function defined by the blockchain protocol, and is indicated as ., as in the Bitcoin specification [1]. The transactions are organized in a chain of blocks. Besides a set of transactions, each block contains cryptographic signatures of the current states of the accounts and a pointer to the preceding block in the chain, which defines a causal relationship between blocks. When a block is appended to the blockchain, the transactions that it includes are considered valid.
The Ethereum database is replicated at multiple nodes that are interconnected by a communication network. Each node can append new blocks to the blockchain and inform the rest of the network about a new state of the database. To avoid uncontrolled generation of blocks, so as to keep the database replications consistent, the nodes establish a leader election mechanism that (i) reduces the probability that more than one node generates a valid block at the same time and (ii) keeps the block generation rate lower than the propagation delay of the communication network. Notable examples of leader election mechanisms in blockchains are Proof of Work
[1] and Proof of Stake [19]. In order for a block to be considered valid, it must provide information that can be used to verify that it has been generated in accordance with the leader election mechanism.Iia The block data structure
A block is composed of a header and a body, see Fig. 2. The block header has a fixed size, while the rest of the block contains the actual transactions and has a variable size. When the number of transactions in a block is high, the variablesize part takes a dominant portion of the total block size. The information specified in the header includes: the block hash value, an incremental counter, the cryptographic signature of the node that generated it, the proof that the block is valid, e.g., Proof of Work solution, and one or more hash values that represent roots of PoI trees. In this work, we mainly consider the transactions tree and the state tree. The transactions tree, which uniquely binds the modifications of accounts certified by a block with the block header, can be used to prove that specific transactions are included in the block. The state tree, depicted on the righthand side of Fig. 2, provides a snapshot of the entire collection of account states.^{2}^{2}2The state tree is a characteristic of the Ethereum specification.
IiB Proof of inclusion (PoI) via MerklePatricia trees
The Ethereum protocol provides PoIs using MerklePatricia trees [15, 20, 21]. A MerklePatricia tree has three types of nodes; leaf, extension and branch nodes, see Fig. 2, as in standard Patricia trees [22], and is used to efficiently store and retrieve data structures associated with strings. In the blockchain context, the string is the hash value of the address of an account or transaction, and the data structure to be retrieved is the account/transaction itself. The branch nodes only store the hash value of the list of its child nodes, see Fig. 2. Leaf and extension nodes, also illustrated in Fig. 2, store a key, that is the hash value of the common path shared by all child nodes, and a value. The value stored by extension nodes is the hash value of the list of child nodes, and the one of the leaf nodes is the hash value of the data that is to be authenticated (e.g. an account or transaction). The use of a hash function to index the addresses provides equal length of the strings, which are equiprobable.
The presence of a specific node in the MerklePatricia tree is proven by constructing its PoI. A PoI is a collection of node values that enables generation of the hash value, contained by the root node of the tree, e.g. the node labeled in Fig. 2, starting from the specific node to prove. By comparing the generated root hash value with the value stored in the block header, the inclusion in the blockchain of the data structure, associated with the specific node, can be verified [1]. In practice, the PoI is used to verify that a particular leaf node, i.e. an account or transaction, is present in a state tree. Specifically, a PoI is created by starting from the root of the MerklePatricia tree, and descending to the specific node. At each level, all nodes, that are siblings to the node on the path from the root to the specific node, are collected, as illustrated in Fig. 3 ((a) and (b)). Notice that a PoI, in general, contains much fewer nodes than the complete MerklePatricia tree since most of the branches are not collected during the descent from the root [21].
A single proof can be constructed to prove multiple data structures by collecting the union of the nodes required to prove each of the data structures. We shall refer to such a proof as a Proof of Multiple Inclusions (PoMI)^{3}^{3}3In contrast with prior literature [20], we use the terms PoI and PoMI to differentiate the proof from the blockchainspecific data structure that provides it, e.g. Merkle tree (in Bitcoin) or MerklePatricia tree (in Ethereum).. Since the nodes required to prove each data structure are likely to intersect, a PoMI is typically much smaller than if each data structure is to be proven by an individual PoI. Fig. 3(c) provides an example of this reduction, for the proof of both nodes 4 and 8. If two individual proofs are build, the PoI of node 4 contains nodes {5, 2, 3} and the PoI of node 8 contains {1, 2, 6, 7}, such that seven nodes are needed in total. However, if the proofs are sent together in a PoMI, only nodes {2, 5, 6, 7} are needed, motivating the advantage of using this data structure.
IiC Synchronization protocols
A blockchain client is updated on modifications of the blockchain database, observed by BNs, by means of a synchronization protocol. In [7] we have presented three possible protocols that can be adopted for this purpose, denoted by P1, P2 and P3. With P1, the client itself stores the entire blockchain, and locally checks the correctness of the transactions. This configuration is not envisaged for IoT devices due to the requirements of storage memory and processing, and will not be considered in this work. In P2, the BNs are notified about the account updates that the client is interested in receiving. Hence, the client receives the block headers from the BNs, by default, and the accounts of interest, only when they are modified. This scheme, referred to as a lightweight protocol, reduces the amount of data communicated in the downlink, as well as the amount of local processing. In fact, the client only verifies that the information sent by BNs is consistent, delegating to them the auditing of the actual validity of the transactions [21]. It follows that, with P2, the client must be connected to at least one honest BN to be able to detect the presence of false information. Finally, in protocol P3 the IoT device is connected to a proxy node that only sends to the device the useful information, without providing any proof that is included in the blockchain. This protocol is also not considered in this work, as it requires the device to fully trust the proxy node, which is not in line with the envisioned trustless decentralized architecture.
In this paper, we assume that the IoT devices have memory and processing limitations and only consider the lightweight protocols of type P2, such as Bitcoin’s Simplified Payment Verification (SPV) [1] and the Ethereum Light Client [23], which are designed to allow clients to verify the inclusion of transactions in the blockchain without downloading and storing the entire blockchain. Specifically, clients only download block headers, as well as the data structures (e.g. account or transaction data structures) that are of interest.
Fig. 4 shows the messages exchanged between a client and a BN using a lightweight protocol during three block periods. The red crosses represent the instants at which new blocks are generated. In the basic lightweight protocol, Fig. 4(a), the information is pushed in the downlink from BS as it becomes available. In the first block period there is no information of interest, and only the block header is sent, while in the second and third periods there are events of interest and the respective data are sent with their PoMI.
The presence of both transactions and state tree roots in the Ethereum block headers, see Fig. 2, permits to adopt two different approaches to update the local copy of the account states, as illustrated with the following example. Suppose that an account is updated multiple times during several block periods. The BN can send the last version of the account data, with the corresponding partition of state tree at the last block. In this case, the IoT device just replaces the local data if the PoI root matches the one included in the last block header, otherwise refuses it, cf. [12, 20]. Alternatively, the BNs send the whole sequence of transactions that modified the account, along the block periods, together with the collection of their PoIs build from the transactions tree. The sequence of transactions is applied, by the device, to its local version of the account state, to finally reconstruct the updated state. In this paper, we only consider the first approach, and we remark the extension to the second one in Sec. VD.
Iii System Model
The scheme proposed in this paper aggregates the information in order to reduce the communication cost, see Fig. 4(b). Given that the application run by the client can tolerate a delay, information is accumulated at the BN and then periodically released at the subsequent aggregation point. The approach followed by the BN is to always send a proof by means of the state tree, triggering the replacement of the local copy of the client. This permits to send only the latest version of accounts that are modified multiple times during the accumulation, and merge the PoIs of accounts modified in different blocks, in a unique PoMI. The scheme is investigated in detail in the rest of the paper.
Iiia Blockchain network and IoT device
We consider a blockchain network in which new blocks are generated at exponentially distributed intervals with (networkwide) rate
. A single IoT device is connected to a set of BNs via a wireless link through a base station, see Fig. 1. The device subscribes to block headers for all generated blocks as well as state updates for a set of accounts, which are a subset of the existing accounts. The generic account, indexed as , is updated independently in a block with probability (or relative frequency) . We consider the case where the device is not interested in the full state history of the observed accounts, but merely in their most recent state. That is, the device needs to be informed about only the most recent state of the observed accounts, as well as receive the PoMI that proves the inclusion of the specific account states in the blockchain. The case is representative of a class of problems in which the age of the information, i.e. data freshness, is more valuable than tracking all state changes, and includes environmental monitoring applications and power grid stabilization systems [24].To simplify the presentation, we assume that a block header and updated accounts’ states take up a fixed number of and bits, respectively. In contrast with this, the size of the PoMI, with length bits, is random as a result of the PoMI tree data structure. Specifically, as described in Section II, the size of the PoMI is sublinear in the number of accounts.
IiiB Aggregation protocol
The block headers and the updated observed accounts are aggregated at a BN, termed aggregation BN, selected by the device, and transmitted to the device periodically every seconds. The value of depends on the information delay, tolerated by the application, from the instant at which the account is modified, to the instant at which the update is delivered to the device. Upon successful reception of the transmission, the IoT device acknowledges the packet. We assume that the device selects the sequence of aggregation BNs, over different aggregation period, as part of the initial network association procedure, e.g. by means of a seed sequence. Consequently, the execution of the protocol only requires downlink messages, because all the information, needed by BNs, is sent by the IoT device in the initialization phase. When no transmission is ongoing, the device is assumed to be in powersaving mode.
IiiC Wireless link
The wireless downlink from the base station to the IoT device is assumed to be a block Rayleighfading channel with constant channel gain over the duration of a transmission and independent channel gains across transmissions. This occurs, for example, in system based on perpacket frequency hopping (FH). Due to the power constraints of the IoT device, we assume that the base station has no information about the channel and hence performs no power or rate adaptation. As a result, a transmission may fail with probability [25]
(1) 
where is the average received signaltonoise ratio (SNR), is the transmission rate in bits/s, is the bandwidth of the channel in Hz. The downlink packet is retransmitted until it has been received successfully by the device.
In contrast to the downlink transmissions, we assume that the transmission of the acknowledgment packet in the uplink happens instantaneously and is always received reliably, thanks to power control, performed at the IoT device side, based on the received transmission.
IiiD Frame structure
The downlink frame, represented in Fig. 5, consists of bits, and is divided into a fixed number of header bits, representing the standard communication protocol overhead, and a variable number of payload bits, corresponding the blockchain information, i.e. . Its duration is related to the transmission rate as
where is the number of transmissions, including retransmissions due to outage.
If the transmission of the frame takes longer than the transmission period, i.e. , due to retransmissions, it is halted and considered failed. In this case, that has been analyzed in [7], since the block headers are required in order for the IoT device to stay synchronized to the blockchain, the next frame should include the block headers accumulated in the current frame. In this work, we consider the channel and block generation parameters that provide a negligible probability that the frame cannot be received in the current transmission period, so that the phenomenon can be ignored.^{4}^{4}4Scenarios for which this assumption does not hold can be observed when the probability of outage is rather high, and the transmission rate is low. The payload bits are divided into bits for block headers and bits for account updates, i.e. . and are random as they depend on the number of generated blocks and account updates.
Iv Analysis
In this section, we present an analysis of the aggregation scheme. To this end, we first obtain the distribution of the frame size and frame transmission duration, and then use this result to evaluate the communication cost and latency.
Iva Frame size distribution
Recall that the frame is divided into header bits, bits for block headers and bits for account states. The header bits are fixed, while depends on the number of generated blocks during the aggregation period , indicated as . Similarly,
depends on the number of generated blocks, as it impacts the number of observed accounts that are updated. We indicate the probability distributions of
and , conditioned on the number of generated blocks, respectively as and . As a result, we may factorize the distribution of the total frame size as(2) 
where we have used the fact that . The possible sizes are conditioned on the event that blocks are generated during given by
(3) 
The formula directly follows from the assumption of exponential waiting time between blocks, which has been shown to hold for blockchains based on Proof of Work [26].
IvA1 Distribution of
Since we assumed that the block headers are always received within the current transmission period, i.e. , the size of , when blocks are generated, can be approximated with the fixed quantity bits, yielding in (2).
If this is not the case, the number of block headers that needs to be transmitted should be modeled as a bulk queue, where blocks arrive according to a Poisson distribution with rate
, and are served in bulks of up to , where denotes the smallest integer greater than or equal to . However, this makes the accurate analysis intractable and is outside of the scope for this work.IvA2 Distribution of
In order to obtain the size of the account updates , we first need to characterize the number of accounts that are updated during an aggregation period . The probability that account , characterized by relative frequency ^{5}^{5}5
This quantity is not assumed but experimentally estimated in Sec.
V., is updated at least once in blocks accumulated during the aggregation period is given by . We denote by the total number of accounts that are modified at least once in blocks. Since each of the accounts is updated independently conditioned on ,follows a Poisson binomial distribution parameterized by the account update probabilities
:(4) 
is the set of all subsets of with cardinality , is an element of and is the complement of . This distribution is used to find the distribution of , conditioned on :
(5) 
Notice that only depends on the realization of the number of modified accounts . This permits us to write
(6) 
To complete the analysis, we need to characterize the size of PoMI and accounts’ information. The size of accounts’ information varies only with the number of modified accounts,; as in our model they have fixed size of , this size is simply bit. On the other hand, the PoMI length
does not only depend on the number of observed accounts, but also on their position in the state tree. For simplicity, we assume that the tree is perfectly balanced at all levels, and that the location of the observed accounts at the last level is uniformly distributed. The approximation is supported by the fact that Patricia trees are generally wellbalanced
[27].However, the fact that the number of proofs that each node can be part of is bounded by the number of descendant leaf nodes, makes the problem of obtaining the distribution of the number of nodes in the PoMI a hard combinatorial problem; even the expected value of the number of nodes is computationally intractable to obtain. Instead, we approximate the number of nodes by relaxing this condition. The resulting approximation captures the characteristics of the PoMI size as the number of modified accounts grows, and is accurate as long as the number of modified accounts is much lower than the total number of leaf nodes in the tree. This is typically the case, as the set of observed accounts is small. Specifically, relaxation results in the following recursive approximation of the expected number of nodes in a PoMI for accounts, when the tree has height :
(7) 
with . The derivation is given in Appendix A.
To obtain the expected number of bits for a PoMI, we assume that the tree does not contain extension nodes, as they have variable size, see [22]. Hence, with this approximation, the internal nodes are only branch nodes. Indicated the size of the output of the hash function with , each internal node has fixed size of bits. Instead, the leaf nodes are composed by a key and a value, see Sec. II, both containing hash values, resulting in a fixed size of bits. In conclusion, we obtain the expected number of bits required for a PoMI of accounts:
(8) 
IvB Transmission duration
The total transmission duration depends on and the number of (re)transmissions that is needed before the packet is successfully received by the IoT device.
A frame is transmitted successfully with probability
, independent of the size of the frame, and hence the number of transmissions is geometrically distributed with the probability mass function
(9) 
Since the rate remains fixed across (re)transmissions, it follows that the probability density function of
is(10)  
(11) 
IvC Data savings of the aggregation protocol
Since the states of accounts can be verified from the state tree root contained in the most recent block header, the aggregation scheme provides data savings by (i) sending a unique PoMI that certifies only the latest state of the modified accounts, (ii) sending only the most updated copy of the account data structure, and (iii) reducing the amount of frame overhead, . We consider protocol P2 from [7] introduced in Sec. IIC as the benchmark. Recall that P2 requires the device to download the following information at each block period: the frame overhead , a notification of the new block from each peer, the block header, the PoMI and the account data structures. In addition, with P2, the device receives a notification of new block, indicated as “Block ready” in Fig. 4(a), from each BN, and consequently selects a BN with uplink message, indicated as “Block request” in the same figure. However, to establish a fair comparison with the aggregation protocol, we assume that the BN, in charge of sending the update, is preselected via random seed also in P2, removing the need of these messages.
The expected amount of bits downloaded with protocol P2 during a block period is
(12) 
The expression is based on (5), and on the fact that exactly one block is generated during a block period.
The expected number of bits per block period downloaded using the aggregation protocol proposed in this paper is given by averaging (2):
(13) 
where is the expected number of blocks within the aggregation period. We can now express the savings of the aggregation protocol as
(14)  
(15) 
V Evaluation
Blockchain  

1200  4046 bit  
320 kb  256 bit  16  
Communication channel  
250 kbit/s  180 kHz  30 dB 
To validate our model and show the performance of the aggregation scheme, we have modified the Python implementation of Ethereum protocol, PyEthereum [28]. The system, parametrized as listed in Table I, includes a randomly generated blockchain. This is obtained by generating accounts that contain random information, with size bits, and inserting them in a newly initialized blockchain database. For the statistical characterization of accounts updates, we take as reference the Ethereum main network as described in the following section.
Va Statistical characterization of accounts updates
The statistics of account updates plays a fundamental role in the design and evaluation of blockchain protocols. We base our evaluation on the Ethereum main network dataset [29], by analyzing the activity during blocks numbered from 5.1 to 6.4 million. Fig. 6 shows the frequency of updates of the most updated accounts, indexed in descending order of their updates frequencies. To extract this metric, we do not distinguish between transactions from/to the accounts, or consider if there are multiple transaction involving one account in the same block. We model the relative frequency of updates of account according to the broken powerlaw:
We opt for this function, instead of the plain powerlaw, adopted e.g. in [30, 31], because the most frequent accounts are associated to web services that provide currency exchanges and are updated at similar rates. The least squares fit gives , , , . This function, also shown in Fig. 6, is used to generate the relative frequencies for our “synthetic” blockchain in the evaluation.
In addition to obtaining the account update probabilities, we inspect the accuracy of modelling the number of blocks between two account updates as a geometric distribution as assumed in our model. We compare the empirical cumulative density function (CDF) of an account, , to the CDF of a geometric distribution with parameter . Fig. 7 shows the results obtained for some accounts of the data set. It results that the assumption only holds for frequently updated accounts. This behaviour should be taken into account in future works.
VB Validation of MerklePatricia proofs length
Since the analysis of the length of a MerklePatricia proof is based on the assumption that the tree is perfectly balanced, the analysis is validated by comparing analytical results both to numerical results obtained from a perfectly balanced tree, and to measurements obtained from the MerklePatricia tree implementation in PyEthereum, which is in general unbalanced, see Fig. 8. In particular, Fig. 8(a) compares the analytical expression for the average number of nodes that compose a PoMI with the experimental data obtained from PyEthereum and with numerical results. The results show that the analytical expression fits the numerical results obtained for a balanced tree; at the same time, it overestimates the average number of nodes, needed for a PoMI, in the Ethereum system. This follows from the fact that the average depth of leaves in a Patricia tree is greater than in a balanced tree [27], implying that some internal levels might not be completely populated, hence the slight reduction in number of nodes needed for the PoMI. Fig. 8(b) compares the length of the PoMI. For the numerical and analytical results, each node is represented by the corresponding hash value, while for the experimental data the PoMI data structure is represented with Recursive Length Prefix (RLP) [15]. The RLP also contains information about the structure of the tree, therefore introducing a small overhead. For this reason, the length for the experimental data is slightly larger than the ones of the numerical and analytical results.
The experimental setup also permits to characterize the distribution of the number of nodes in a PoMI, see Fig. 9, in which we show the results obtained for a blockchain with levels, completely filled, therefore containing accounts, where is the maximum number of children of a node. The relative position of the accounts in the tree clearly impacts the length of their PoMI and, hence, the communication cost of transmitting them. In addition, the results provide insights on the consequence of using the expected length of PoMI, instead of its distribution, in (6
). As the variance of the PoMI distribution remarkably increases with the number of included accounts,
, the precision of the approximation is decreased. On the other hand, its contribution to the total length of the payload, , is counterbalanced by the weight of accounts’ data structure, which becomes predominant. This is shown in details in the following text.VC Performance of the aggregation protocol
We consider a scenario in which the device is connected to BNs via a communication link parameterized as in Table I. We remark that if the device is solely interested in observing accounts that are updated sporadically, the aggregation protocol only provides reduction of the communication overhead (the frame headers). Therefore, we focus the evaluation on the case where the device observes active accounts. An account, , is considered active if it is updated at least once every seconds, with probability , i.e.
(16) 
In the rest of the work, we set . By requesting updates about more active accounts, than those of actual interest, the device can increase its privacy, at the cost of downloading unnecessary information. The application is further discussed in Sec. VE.
VC1 Duty cycle tradeoffs
Fig. 10 reports the complementary CDF of the duration of the transmission, , for two deterministic sets of observed accounts: , that contains the two most frequently updated ones, and , containing the 20 less active accounts when s.^{6}^{6}6According to our definition, see (16), there are 41 active accounts for s and 695 for s. The sets are formed to illustrate two interesting limit scenarios. The probability of channel outage, derived from and of Table I, is . The number of observed accounts, and their statistics, clearly plays a central role in shaping the CDF, as the size of the account data structure is much bigger than the size of a block header, see Table I.
The study of the duty cycle of the device, reported in Fig. 11, covers several fundamental tradeoffs. Fig. 11(a) shows that the duty cycle decreases when the channel quality (SNR) increases, due to the reduced number of retransmissions, and saturates for high values of SNR, as retransmissions are not likely to happen. A possible strategy that can be adopted by the IoT device, to reduce its duty cycle, is to update less frequently, i.e. increase , or reduce the set of observed accounts. Fig. 11(b) reports the duty cycle as function of the transmission rate of the wireless link. At low rates, the duty cycle of the device is drastically increased. On the other hand, selecting a high rate causes transmission failures and therefore retransmissions which become dominant when the rate reaches a certain level.
VC2 Communication cost
The rest of the results focuses on how the different parts of the frame contribute to its total length and on the aggregation gain, defined in Sec. IVC. We construct a set containing accounts, by randomly selecting among those that are active during s. It should be noted that is a possible realization of . Fig. 12 shows the amount of information, downloaded during 24 hours of execution, for different values of and different realizations of accounts in . In this scenario, there are no retransmissions; their effect would be a proportional increase in all the quantities. The figure shows that most of communication cost is due to the size of the account data structures, which is an order of magnitude higher w.r.t. the size of PoMI, and two order of magnitudes higher than the size of the block headers and communication protocol headers.
The aggregation gain, , is shown in Fig. 13 for several values of the aggregation period, , and compared with a simulation of the system. The figure shows a good match between the simulation and the analytics, and that the gain is remarkable, even for small values of . As the observed accounts are updated almost surely during a period, and will be downloaded in the next transmission. This causes the gain to increase linearly when is large.
VD Remarks on possibilities to further reduce of the communication cost
We briefly discuss possible directions for a further reduction of the communication cost for IoT lightweight clients, based on the insights provided by the evaluation of the protocol. The size of the accounts’ data structures has shown a prominent impact on the amount of transmitted data. This can be reduced with several approaches, for example (i) by keeping their size as small as possible, during the design phase of the contract; (ii) by compressing the account information before sending it; (iii) by only sending the portion of account structure that has changed.
A completely different approach is to send the updates by means of the transactions tree, when the corresponding accounts are rarely updated. In fact, the size of a transaction is typically lower than the one of the account. In addition, while the state tree grows with the number of accounts, the transactions tree size is limited by the block size. This option, mentioned in Sec. IIC, has not been considered in this paper, as it does not provide aggregation gain. Future works can consider this extension by (i) including in the system model the statistics of the number of transactions, that modify an account, in a single block; (ii) considering also the contribution of the transactions tree to the size of in (5); (iii) finding a strategy to decide if sending the update under the form of updated state, or as collection of transactions.
VE Example application: privacy of IoT device
We conclude this section by providing an example application of the aggregation protocol. Consider a scenario in which the IoT device is solely interested in observing one (active) account, indexed as . However, to keep private, it requests updates about additional accounts, in which it is not interested, from BNs (privacy by obfuscation) [14]
. A malicious BN is aware that the IoT device is interested in one account and applies an outlier detection technique to find it. In the presented model, the only feature available to the BN is the relative frequency of update of accounts. For both sides (device and BN), it is reasonable to assume that the set of observed accounts, indicated as
, only contains active accounts, since non active accounts would be excluded by the outlier detection.Based on these considerations, the IoT device constructs by adding and other random active accounts. The construction starts with , then is iteratively incremented. At each iteration, the set of active accounts is split in segments and one account is randomly picked from each segment ( is always picked among the accounts in its segment). The iteration is repeated until the tolerated communication cost, expressed by (13), is reached. Finally, is sent to the BN. There is a tradeoff between the delay, given by the aggregation protocol, and privacy, i.e. . This tradeoff is shown in Fig. 14, for different tolerated communication costs , and (that is an active account). A further improvement, not implemented in this paper, is impose that accounts in should be located in proximity of each other in the state tree. In fact, this provides shorter PoMI and therefore lower communication cost, see Fig. 9.
Vi Conclusion
In this paper, we have investigated what is the communication cost of sending blockchain information to Ethereumlike lightweight clients. A novel aggregation scheme has been proposed that has the potential to obtain a lower communication cost, at the expense of higher information delay, or availability of information, at the application layer. The analysis of the scheme showed the probability distributions of the data structures exchanged over the wireless link, and their impact on the total downlink budget.
Finally, the results show that, if the statistics of account updates and the channel state are known, the lightweight clients can construct a list of events of interest that provides a predictable average communication cost. The example application illustrated how to apply our findings to improve the privacy of IoT devices. The guidelines presented in this paper can be applied to design more advanced blockchain lightweight protocols.
Appendix A Derivation of the expected number of nodes in a PoMI
Under the relaxation described in Sec. IV, the probability that an arbitrary node at level is ancestor to one of
modified leaf nodes (denoted by the binary random variable
) is , where is the number of nodes at level that are ancestors to a modified leaf node and is the branching factor of the tree. Since is a binary random variable, , and the expected total number of ancestor nodes at level is . By the law of total expectation,By applying a firstorder Taylor expansion at we obtain
(17)  
Denoting and using the fact that the PoMI will always contain a single root to define , (17) can be obtained by recursion. The approximated number of nodes for a complete PoMI, in a tree of height , is the sum of the nodes required at each level which yields (7):
References
 [1] S. Nakamoto, “Bitcoin: A peertopeer electronic cash system,” [Online]. Available: https://bitcoin.org/bitcoin.pdf, 2008, accessed: 20180717.
 [2] K. Christidis and M. Devetsikiotis, “Blockchains and smart contracts for the internet of things,” IEEE Access, vol. 4, pp. 2292–2303, 2016.
 [3] P. Danzi, M. Angjelichinoski, Č. Stefanović, and P. Popovski, “Distributed proportionalfairness control in microgrids via blockchain smart contracts,” in 2017 IEEE International Conference on Smart Grid Communications (SmartGridComm), Oct 2017, pp. 45–51.
 [4] J. Horta, D. Kofman, D. Menga, and A. Silva, “Novel market approach for locally balancing renewable energy production and flexible demand,” in 2017 IEEE International Conference on Smart Grid Communications (SmartGridComm), Oct 2017, pp. 533–539.
 [5] E. Münsing, J. Mather, and S. Moura, “Blockchains for decentralized optimization of energy resources in microgrid networks,” in Control Technology and Applications (CCTA), 2017 IEEE Conference on. IEEE, 2017, pp. 2164–2171.
 [6] D. Perard, J. Lacan, Y. Bachy, and J. Detchart, “Erasure codebased low storage blockchain node,” Preprint available: https://arxiv.org/abs/1805.00860, 2018.
 [7] P. Danzi, A. E. Kalor, C. Stefanovic, and P. Popovski, “Analysis of the communication traffic for blockchain synchronization of iot devices,” in 2018 IEEE International Conference on Communications (ICC). IEEE, 2018, pp. 1–7.
 [8] M. Z. Shafiq, L. Ji, A. X. Liu, J. Pang, and J. Wang, “A first look at cellular machinetomachine traffic: large scale measurement and characterization,” ACM SIGMETRICS performance evaluation review, vol. 40, no. 1, pp. 65–76, 2012.
 [9] C. Bockelmann, N. Pratas, H. Nikopour, K. Au, T. Svensson, C. Stefanovic, P. Popovski, and A. Dekorsy, “Massive machinetype communications in 5g: Physical and maclayer solutions,” IEEE Communications Magazine, vol. 54, no. 9, pp. 59–65, 2016.
 [10] A. Kiayias, A. Miller, and D. Zindros, “Noninteractive proofs of proofofwork,” Cryptology ePrint Archive, Report 2017/963, 2017. Accessed: 20171003, 2017.
 [11] A. Palai, M. Vora, and A. Shah, “Empowering light nodes in blockchains with block summarization,” in New Technologies, Mobility and Security (NTMS), 2018 9th IFIP International Conference on. IEEE, 2018, pp. 1–5.
 [12] “The ethereumblockchain size will not exceed 1tb anytime soon,” [Online]. Available: https://dev.to/5chdn/theethereumblockchainsizewillnotexceed1tbanytimesoon58a, accessed: 20180717.
 [13] “Slock.it incubed client,” [Online]. Available: https://slock.it/ incubed.html, accessed: 20180717.
 [14] D. Gruber et al., “Unifying lightweight blockchain client implementations,” NDSS 2018  Workshop on Decentralized IoT Security and Standards, 2018.
 [15] G. Wood, “Ethereum: A secure decentralised generalised transaction ledger,” [Online]. Available: http://gavwood.com/paper.pdf, 2014, accessed: 20180717.
 [16] Y. Zhang, S. Kasahara, Y. Shen, X. Jiang, and J. Wan, “Smart contractbased access control for the internet of things,” IEEE Internet of Things Journal, pp. 1–1, 2018.
 [17] O. Alphand et al., “Iotchain: A blockchain security architecture for the internet of things,” in Wireless Communications and Networking Conference (WCNC), 2018 IEEE. IEEE, 2018, pp. 1–6.
 [18] A. Narayanan, J. Bonneau, E. Felten, A. Miller, and S. Goldfeder, Bitcoin and Cryptocurrency Technologies: A Comprehensive Introduction. Princeton University Press, 2016.
 [19] A. Kiayias, A. Russell, B. David, and R. Oliynykov, “Ouroboros: A provably secure proofofstake blockchain protocol,” in Annual International Cryptology Conference. Springer, 2017, pp. 357–388.
 [20] V. Buterin, “Merkling in ethereum,” [Online]. Available: https://blog.ethereum.org/2015/11/15/merklinginethereum/, accessed: 20180717.
 [21] M. AlBassam et al., “Fraud proofs: Maximising light client security and scaling blockchains with dishonest majorities,” ArXiv preprint arXiv:1809.09044v1, 2018.
 [22] D. R. Morrison, “Patricia  practical algorithm to retrieve information coded in alphanumeric,” Journal of the ACM (JACM), vol. 15, no. 4, pp. 514–534, 1968.
 [23] F. Zsolt, “Client side flow control model for the les protocol,” [Online]. Available: https://github.com/zsfelfoldi/goethereum/wiki/ClientSideFlowControlmodelfortheLESprotocol, 2016, accessed: 20180717.
 [24] Y. Sun, E. UysalBiyikoglu, R. D. Yates, C. E. Koksal, and N. B. Shroff, “Update or wait: How to keep your data fresh,” IEEE Transactions on Information Theory, vol. 63, no. 11, pp. 7492–7508, Nov 2017.
 [25] D. Tse and P. Viswanath, Fundamentals of Wireless Communication. Cambridge University Press, 2005.
 [26] C. Decker and R. Wattenhofer, “Information propagation in the bitcoin network,” in PeertoPeer Computing (P2P), 2013 IEEE Thirteenth International Conference on. IEEE, 2013, pp. 1–10.
 [27] B. Rais, P. Jacquet, and W. Szpankowski, “Limiting distribution for the depth in patricia tries,” SIAM Journal on Discrete Mathematics, vol. 6, no. 2, pp. 197–213, 1993.
 [28] “Pyethereum,” [Online]. Available: https://github.com/ethereum/pyethereum, accessed: 20180717.
 [29] “Google cloud blog,” [Online]. Available: https://cloud.google.com/ blog/products/dataanalytics/ethereumbigquerypublicdatasetsmartcontractanalytics, accessed: 20180924.
 [30] M. Lischke and B. Fabian, “Analyzing the bitcoin network: The first four years,” Future Internet, vol. 8, no. 1, p. 7, 2016.
 [31] S. Somin, G. Gordon, and Y. Altshuler, “Social Signals in the Ethereum Trading Network,” Preprint available: https://arxiv.org/abs/1805.12097, 2018.