LinkDID: A Privacy-Preserving, Sybil-Resistant and Key-Recoverable Decentralized Identity Scheme
Rui Song
TL;DR
LinkDID tackles Sybil resistance, key loss, and privacy in decentralized identities by binding and progressively aggregating user identifiers on a verifiable registry. It uses zero-knowledge proofs and an incremental Merkle tree to create an associated identifier (aid) that constrains credential presentation, enabling trustless key recovery and preventing credential transfers without sacrificing privacy. The scheme provides formal UC-security guarantees, a practical main construction, and extensions for accountability and revocation, with performance results showing sub-second proof times for modest identifier counts and feasible on-chain verification costs. The work demonstrates that progressive identifier association can raise Sybil-attack costs substantially while maintaining usability on consumer devices, offering a practical path toward privacy-preserving, Sybil-resistant Web3 identities with verifiable ownership and revocation capabilities.
Abstract
Decentralized identity frameworks grant users full sovereignty over their digital assets in the Web3 ecosystem. However, allowing arbitrary creation of identifiers makes the system susceptible to Sybil attacks and puts assets at risk when keys are lost or compromised. Moreover, the lack of identification prevents anonymous credential schemes from deterring malicious transfers. While existing solutions attempt to address these issues by linking identifiers to entities through trusted intermediaries, these entities are not always accessible and require costly offline interactions. In this work, we introduce LinkDID, a decentralized identity scheme offering Sybil resistance, trustless key recovery, and nontransferable anonymous credentials. LinkDID creates blockchainbased bindings between identifiers and gradually combines identifiers belonging to the same holder into a unified associated identifier. As all identifiers within an association are presumed to belong to one individual, any fraudulent activity can be detected. The association grows larger as interactions increase, substantially reducing the likelihood of successful Sybil attacks. This mechanism allows holders to recover identifiers with lost or stolen keys by proving knowledge of specific association structures. Additionally, LinkDID prevents unauthorized transfers through blockchain-based identifier-key bindings and proofs of ownership for credentials. The evaluation shows that LinkDID effectively achieves progressive Sybil resistance while surpassing state-of-the-art anonymous credential schemes, achieving identifier association and credential presentation times of 2.41s and 3.31s on consumer-grade devices.