Enterprise Grade Security

Sign-then-Send Architecture

End-to-End Data Provenance: Ensuring Truth from Source to Blockchain

The Trust Gap in IoT

Standard IoT architectures rely on 'perimeter security'—firewalls and TLS—to protect data in transit. However, once data lands on a cloud server, it is vulnerable to insider threats and database manipulation. 'Sign-then-Send' eliminates this trust gap by attaching a digital signature to the data payload *before* it leaves the device. This signature travels with the data, allowing any downstream consumer (smart contract, dApp, or auditor) to independently verify its origin and integrity.

System Architecture

The Sign-then-Send pipeline consists of four stages:

Architecture Diagram

End-to-End Data Flow Pipeline

1. Data Capture: Sensors collect raw environmental data (e.g., GPS, temperature, voltage).

2. Local Attestation: The raw data is passed to the Secure Element (SE) via a trusted bus.

3. Cryptographic Signing: The SE hashes the data and signs it using the device's private key. It also appends a trusted timestamp and a monotonic counter value.

4. Transmission: The signed packet (Payload + Signature + Metadata) is transmitted over any network (LoRaWAN, 5G, WiFi). The network is treated as untrusted transport.

Technical Specifications

Supported Curvessecp256k1 (Bitcoin/Ethereum), ed25519 (Solana/Polkadot)

Hashing AlgorithmsSHA-256, Keccak-256, Blake2b

Data Overhead< 72 bytes per packet (Signature + Metadata)

Verification Cost~3500 gas (EVM batch verification)

Throughput> 1000 transactions/second (Layer 2 aggregation)

Latency Added< 20ms total processing time

Implementation Example (Solidity Verifier)

solidity

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

contract DataVerifier {
    struct DataPacket {
        address deviceId;
        uint256 timestamp;
        uint256 value;
        bytes signature;
    }

    function verifyPacket(DataPacket memory packet) public pure returns (bool) {
        bytes32 messageHash = keccak256(abi.encodePacked(packet.deviceId, packet.timestamp, packet.value));
        bytes32 ethSignedMessageHash = keccak256(abi.encodePacked("\x19Ethereum Signed Message:\n32", messageHash));
        
        address recoveredSigner = recoverSigner(ethSignedMessageHash, packet.signature);
        return recoveredSigner == packet.deviceId;
    }

    function recoverSigner(bytes32 _ethSignedMessageHash, bytes memory _signature) internal pure returns (address) {
        (bytes32 r, bytes32 s, uint8 v) = splitSignature(_signature);
        return ecrecover(_ethSignedMessageHash, v, r, s);
    }
    
    // Helper function to split signature
    function splitSignature(bytes memory sig) internal pure returns (bytes32 r, bytes32 s, uint8 v) {
        require(sig.length == 65, "invalid signature length");
        assembly {
            r := mload(add(sig, 32))
            s := mload(add(sig, 64))
            v := byte(0, mload(add(sig, 96)))
        }
    }
}

Application Scenarios

Carbon Credit Verification

Solar panels sign energy production data directly. This signed data is used to mint carbon credits on-chain, eliminating the risk of 'greenwashing' or double-counting.

Parametric Insurance

Weather stations sign rainfall data. Smart contracts automatically trigger insurance payouts to farmers when signed data indicates drought conditions, removing claims processing delays.

Proof of Physical Work

DePIN networks reward users for providing infrastructure (e.g., WiFi hotspots). Sign-then-Send ensures that rewards are only distributed for verifiable uptime and bandwidth contributions.