Hades: Practical Decentralized Identity with Full Accountability and Fine-grained Sybil-resistance

Decentralized identity (DID), the idea of giving users complete control over their identity-related data, is being used to resolve the privacy tension in the identity management of decentralized applications (Dapps). While existing approaches do an excellent job of resolving the privacy tension, they have not adequately addressed accountability and Sybil-resistance. Moreover, these approaches carry a considerable gas overhead, making them impractical for Dapps. We present Hades, a novel practical DID system supporting full accountability and fine-grained Sybil-resistance while providing strong privacy properties. Hades supports three aspects of accountability: auditability, traceability, and revocation. Hades is the first DID system that supports accountability in all three aspects. Hades is also the first DID system that supports fine-grained Sybil-resistance, enabling Dapps to customize personalized Sybil-resistance strategies based on users' identity attributes. Hades runs efficiently on the Ethereum Virtual Machine (EVM). We implemented and evaluated Hades. The benchmarks showed that Hades incurs the lowest gas cost on the EVM as far as we know. We also present a case study on attribute-associated fair NFT distribution ("airdrops"), where all previous works fail, and give a solution leveraging Hades.


BG: What is the problem?
The permissionless nature of blockchain makes it difficult to link blockchain addresses to real-world identities.

Leads to:
• It is challenging for Dapps to implement access control based on identity attributes (e.g., age).
• Dapps face potential legal compliance risks (e.g., KYC compliance).
• Once a Dapp is attacked, it is difficult to trace the attacker.
• Users can acquire disproportionate benefits by generating a multitude of addresses (Sybil attack).

Solutions
Naive solution: attach an on-chain credential issued by a Certificate Authority (CA) to the user's wallet.
But the openness of the blockchain exposes users to a significant risk of privacy leakage.
The most promising solutions: decentralized identities (DIDs) and anonymous credentials.
• Basic idea: allow the user to unlinkably show that they possess a credential authenticating their identity, without disclosing the original credential.

Accountability is critical to
• identify individuals responsible for malicious behaviors (auditability)
• retrieve all activities of a suspect for investigations (e.g., anti-money laundering) (traceability)
• revoke credentials that are lost, stolen, or associated with malicious behaviors (revocation)
The privacy-preserving requirement makes supporting traceability, auditability, and revocation challenging.
Unfortunately, none of the existing works fully supports all of these accountability features.
Sybil-resistance is extremely necessary in certain scenarios, such as anonymous voting and fair currency distribution ("airdrops").
Implementing Sybil-resistance while ensuring unlinkability is challenging because the application cannot determine whether two accesses come from the same user.
Unfortunately, few previous works support traceability.
CanDID is the state-of-the-art DID system supporting Sybil-resistance, but
• at the cost of compromising unlinkability;
• its Sybil-resistance process requires the participation of the committee.

Limitations & Challenges
#3 Inefficiencies of running on the blockchain.
Managing identity through smart contracts is desirable: the smart contracts of Dapps could directly call the identity management system. However, to ensure privacy, most previous works rely on complex cryptographic computations, resulting in enormous on-chain overhead.
Furthermore, due to the lack of an effective credential revocation mechanism, these cryptographic computations often need to be re-executed multiple times.

What is Hades?
We present Hades, a DID system with
• full accountability: supporting traceability, auditability, and revocation.
• fine-grained Sybil-resistance:
  ① Sybil-resistance can be implemented based on user identity attributes (e.g., assigning different access limits to users of different age groups).
  ② it does not require the assistance of a committee or a Certificate Authority (CA).
• practicality:
  ① the lowest gas cost incurred on the EVM as far as we know.
  ② an address only needs to be verified once during its validity period.
• privacy preservation:
  ① the identity of the user and the issuer of the credential are both concealed;
  ② pseudonyms cannot be linked.

The Overview of Hades
• Committee: a union of several distinct entities responsible for system management and identity accountability (honest majority).
• CA: an authorized organization that authenticates and stores users' identity attributes (semi-honest).
• Identity Contract: a system contract that verifies, stores, and manages users' pseudonyms.
• Dapp: a series of smart contracts deployed on the blockchain.
• Users: access Dapps using pseudonyms (malicious).

The Workflow of Hades

Basic Ideas of Hades
• Practical: zk-SNARKs can be verified efficiently on the EVM → build the privacy-preserving properties on top of zk-SNARKs.
• Decentralized accountability: all information required for accountability is encrypted using threshold public-key encryption → accountability requires the consent of more than a threshold number of committee members.
• Tracing: assign each pseudonym a unique trapdoor-linkable identifier → with knowledge of the secret trapdoor, all relevant pseudonyms can be traced by their identifiers.
• Revocation: all pseudonyms of a user can be traced → they can be revoked.
• Sybil-resistance: attach to each access a unique, unlinkable, context-based access token → a user can generate only a limited number of access tokens for a given context.

Cryptographic Schemes
• Zero-knowledge proofs: allow a user to prove in zero-knowledge that secret values together with public values satisfy some statement.
• Merkle trees: a Merkle tree allows a prover to commit to an arbitrary finite set of values and, for any value, reveal with a proof whether that value is or is not a member of the set.
• Credential issuance: the user is required to provide a trace string ψ to the issuer, which is the TPKE encryption of the trapdoor.

Pseudonym Registration
[Figure: the registration submitted to the identity contract carries the address to be registered, an expiration time, a Pedersen commitment to the identity attributes, the strings used for audit and tracing, and a zero-knowledge proof that all values are correctly generated. The nonce is drawn from a bounded range so that the range of nonce values is not too large.]
• Instead of disclosing the credential, the user presents a zero-knowledge proof to the identity contract, proving possession of a valid identity credential.
• For auditing, the user is required to provide a trace string ψ to the contract, which is the TPKE encryption of identity information.
• To enable tracing, users are required to use the trapdoor β to deterministically produce the nonce k used in the encryption, making the ciphertext a unique identifier.
• A zero-knowledge proof ensures that all values are correctly generated.

Revocation
• To revoke a credential, the committee first adds the credential's public key to the revocation tree and updates the new tree root in the identity contract → a proof of pseudonym registration using this credential will fail verification.
• Trace all pseudonyms registered using this credential → mark these pseudonyms "revoked" in the identity contract.

The revocation does not affect the validity of other users' pseudonyms.
Both the credential and the pseudonyms associated with the credential can be revoked.
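The revocation-tree check above, as an added illustration rather than Hades' own code: a sorted-leaf Merkle tree over revoked credential public keys, a non-membership proof consisting of two adjacent leaves that bracket the key, and the contract-side check that a registration passes only while its credential key is absent from the tree. Hades performs this check inside the zk-SNARK so the credential key stays hidden; here it runs in the clear to show the tree logic. The hash (SHA-256), the 32-byte keys, the 0xff sentinel leaf, and the cred_key() stand-in for real keys are assumptions of this example.

```python
"""Sorted-leaf Merkle revocation tree with non-membership proofs (added demo, not Hades code)."""
import hashlib
from bisect import bisect_left

LEAF, NODE = b"\x00", b"\x01"   # domain separation between leaf and inner-node hashes
PAD = b"\xff" * 32              # sentinel leaf that sorts above every real 32-byte key (assumption)


def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def cred_key(name: str) -> bytes:
    """Constructed stand-in for a credential public key (demo only)."""
    return hashlib.sha256(name.encode()).digest()


class RevocationTree:
    """Merkle tree over the sorted set of revoked credential public keys."""

    def __init__(self, revoked):
        self.keys = sorted(set(revoked))
        n = 1
        while n < len(self.keys) + 1:   # keep at least one PAD leaf so every key has a successor
            n *= 2
        self.leaves = self.keys + [PAD] * (n - len(self.keys))
        self.levels = [[H(LEAF, v) for v in self.leaves]]
        while len(self.levels[-1]) > 1:
            lvl = self.levels[-1]
            self.levels.append([H(NODE, lvl[i], lvl[i + 1]) for i in range(0, len(lvl), 2)])

    @property
    def root(self) -> bytes:
        return self.levels[-1][0]

    def path(self, idx: int):
        """Sibling hashes from leaf idx up to the root."""
        out = []
        for lvl in self.levels[:-1]:
            out.append(lvl[idx ^ 1])
            idx //= 2
        return out

    def non_membership_proof(self, x: bytes):
        """Adjacent leaves bracketing x (pred is None below the smallest leaf), or None if x is revoked."""
        p = bisect_left(self.leaves, x)
        if self.leaves[p] == x:
            return None
        pred = (p - 1, self.leaves[p - 1], self.path(p - 1)) if p > 0 else None
        succ = (p, self.leaves[p], self.path(p))
        return pred, succ


def verify_leaf(root: bytes, idx: int, value: bytes, path) -> bool:
    """Recompute the root from a leaf; the side at each level is derived from idx, not trusted."""
    h = H(LEAF, value)
    for sib in path:
        h = H(NODE, sib, h) if idx & 1 else H(NODE, h, sib)
        idx //= 2
    return idx == 0 and h == root


def verify_non_membership(root: bytes, x: bytes, proof) -> bool:
    """x lies strictly between two adjacent leaves of the tree committed to by root."""
    if proof is None:
        return False
    pred, succ = proof
    si, sv, sp = succ
    if not (x < sv and verify_leaf(root, si, sv, sp)):
        return False
    if pred is None:                 # x is below the smallest leaf
        return si == 0
    pi, pv, pp = pred
    return pi + 1 == si and pv < x and verify_leaf(root, pi, pv, pp)


def registration_allowed(published_root: bytes, cred_pk: bytes, proof) -> bool:
    """Contract-side rule: a registration with cred_pk passes only with a valid non-membership proof."""
    return verify_non_membership(published_root, cred_pk, proof)


if __name__ == "__main__":
    tree = RevocationTree([cred_key("cred-1"), cred_key("cred-2")])
    alice = cred_key("cred-alice")
    print(registration_allowed(tree.root, alice, tree.non_membership_proof(alice)))   # True
    tree = RevocationTree([cred_key("cred-1"), cred_key("cred-2"), alice])          # revoke alice
    print(registration_allowed(tree.root, alice, tree.non_membership_proof(alice)))   # False
```

Once the committee publishes the new root, a proof built against the old tree no longer verifies, so a pseudonym registration that reuses the revoked credential fails, while proofs for every other credential can still be produced against the new tree.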

Threshold public-key encryption: TPKE allows a set of users to decrypt a ciphertext if a predetermined threshold of authorized users cooperates.
Generalized Pedersen commitment: in Hades, a generalized version of the Pedersen commitment scheme is used to hide the values of identity attributes in a commitment.
Trapdoor: we introduce a trapdoor for each credential, which can be used to trace all the pseudonyms associated with that credential.

Auditing
If a user has shown malicious behavior, their identity-related information can be revealed by a threshold number of committee members.
• To register a pseudonym, an audit string a is submitted to the identity contract, which is the TPKE encryption of the owner's public key and the issuer's public key.
• A threshold number of committee members can collaboratively decrypt the audit string to recover the two public keys.
• By querying the CA identified by the issuer's public key with the owner's public key, the identity information associated with the pseudonym can be revealed.

Tracing
If a user has shown malicious behavior, all pseudonyms belonging to him/her can be revealed by a threshold number of committee members.
• A trace string ψ was provided to the issuer when the user applied for the credential.
• A threshold number of committee members can collaboratively decrypt the trace string to recover the trapdoor.
• With the trapdoor, the authority can locally compute all the identifiers that the user can currently use (the range of the nonce is bounded, so this enumeration is feasible).
• Comparing these identifiers with the ψ values recorded in the identity contract, the authority can identify all pseudonyms belonging to the user.

Revocation
• Add the public key of the credential to the revocation tree.
• Mark the related pseudonyms as invalid on the blockchain.
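The tracing mechanism above (a per-credential trapdoor β, a nonce k drawn deterministically from a bounded range, identifiers recorded on the contract) and the context-based access tokens from the Basic Ideas slide, as an added toy model that is not Hades' own code: identifiers and tokens are SHA-256 PRF outputs keyed by the trapdoor instead of TPKE ciphertexts; NONCE_RANGE, the access_limit() age policy, the contexts, and the addresses are constructed; the per-context limit is enforced by the honest user-side generator where Hades enforces it with a zk-SNARK; and threshold decryption of ψ is replaced by handing β to trace() directly.

```python
"""Trapdoor-linked identifiers and context-bound access tokens (added toy model, not Hades code)."""
import hashlib
import os

NONCE_RANGE = 16   # bound on the per-credential nonce space (assumption; tiny for the demo)


def prf(key: bytes, *labels) -> bytes:
    """Keyed derivation; the first label separates the identifier and access-token domains."""
    data = b"|".join(l if isinstance(l, bytes) else str(l).encode() for l in labels)
    return hashlib.sha256(key + b"|" + data).digest()


class UserIdentity:
    """User side: holds the trapdoor and derives identifiers and access tokens from it."""

    def __init__(self, trapdoor=None):
        self.trapdoor = trapdoor or os.urandom(32)
        self.next_nonce = 0
        self.issued = {}            # context -> number of tokens already produced

    def identifier(self, k: int) -> bytes:
        if not 0 <= k < NONCE_RANGE:
            raise ValueError("nonce outside the allowed range")
        return prf(self.trapdoor, b"id", k)

    def new_pseudonym_identifier(self) -> bytes:
        """Each pseudonym consumes one nonce; the range bounds how many can ever exist."""
        ident = self.identifier(self.next_nonce)
        self.next_nonce += 1
        return ident

    def access_token(self, context: bytes, limit: int) -> bytes:
        """Unlinkable per-context token; slot j < limit is what the zk proof would attest."""
        j = self.issued.get(context, 0)
        if j >= limit:
            raise ValueError("per-context access limit reached")
        self.issued[context] = j + 1
        return prf(self.trapdoor, b"access", context, j)


class IdentityContract:
    """On-chain state: pseudonym -> identifier, revoked set, and spent tokens per context."""

    def __init__(self):
        self.pseudonyms = {}        # address -> identifier recorded at registration
        self.revoked = set()
        self.seen = {}              # context -> set of tokens already spent

    def register(self, address: str, identifier: bytes) -> None:
        self.pseudonyms[address] = identifier

    def access(self, context: bytes, token: bytes) -> bool:
        """Accept a token once per context; a replayed token is rejected."""
        spent = self.seen.setdefault(context, set())
        if token in spent:
            return False
        spent.add(token)
        return True

    def revoke(self, identifiers) -> None:
        for addr, ident in self.pseudonyms.items():
            if ident in identifiers:
                self.revoked.add(addr)


def trace(contract: IdentityContract, trapdoor: bytes):
    """Authority side: enumerate the whole nonce range and match the recorded identifiers."""
    candidates = {prf(trapdoor, b"id", k) for k in range(NONCE_RANGE)}
    return sorted(a for a, ident in contract.pseudonyms.items() if ident in candidates)


def access_limit(age: int) -> int:
    """Attribute-based limit, e.g. a different access count per age group (constructed policy)."""
    return 1 if age < 18 else 3


if __name__ == "__main__":
    chain = IdentityContract()
    alice = UserIdentity()
    for addr in ("0xA1", "0xA2", "0xA3"):
        chain.register(addr, alice.new_pseudonym_identifier())
    ctx = b"airdrop-round-1"
    print(chain.access(ctx, alice.access_token(ctx, access_limit(30))))   # True
    print(trace(chain, alice.trapdoor))                                   # ['0xA1', '0xA2', '0xA3']
```

Tracing costs NONCE_RANGE PRF evaluations per recovered trapdoor, which is why the registration slide insists the nonce range must not be too large; the same bound caps how many pseudonyms one credential can ever register. Without β the identifiers and tokens are PRF outputs for different inputs, so nothing on the contract links two pseudonyms or two accesses of the same user.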