SyRA: Sybil-Resilient Anonymous Signatures with Applications to Decentralized Identity

We study Sybil-Resilient Anonymous (SyRA) signatures, a cryptographic primitive that enables credentialed users to generate, on demand, unlinkable pseudonyms tied to any given context, and issue signatures on behalf of these pseudonyms. Concretely, SyRA allows a distributed issuer to turn any legacy identity or personhood identifier, possibly of low entropy, into a unique associated cryptographic key of high pseudoentropy, for use in generating signatures for any given context. Sybil-resilient anonymous signatures achieve three main objectives: 1) Sybil resilience: every user is entitled to at most one digital identity, 2) anonymity: no information about the user’s real identity is leaked, and 3) non-interactive context switching: users can create on their own at most one credential for any given context in a manner that is unlinkable across contexts.

We conceptualize the SyRA primitive as an ideal functionality in the Universal Composition (UC) setting and put forth SASSI, an efficient, pairing-based construction that realizes it by utilizing two levels of verifiable random functions (VRFs), a design which may be of independent interest. The first level consists of threshold VRF issuance of a user’s unique secret key tied to their real-world identifier. The second level allows a user to create signatures for each context, under a unique pseudonym per context. Compared to prior cryptographic tools capable of realizing SyRA, SASSI has the unique feature that issuers are stateless and hence do not need to retain any information about past user interactions, a relevant property for a decentralized implementation.

We overview various applications of SASSI in multiparty systems, such as cryptocurrency account management and airdrops, e-voting (e.g., for decentralized governance), and privacy-preserving regulatory compliance (e.g., AML/CFT checks). In the context of creating addresses for digital assets, SyRA signatures enable users to embed their legacy identity into their address in a manner that protects their privacy for each application with which they interact. We demonstrate the practicality of SASSI by providing an implementation and performance evaluation of our construction.