Sandi: A System for Accountability

F. Betül Durak, Kim Laine, Simon Langowski, Radames Cruz Moreno

TL;DR

Sandi proposes an epoch-based, privacy-preserving reputation system that provides trust signals for sender-receiver interactions without exposing message contents. It uses a centralized Accountability Server (AS) to manage sender scores and issue endorsement tags that bind to specific receivers, while enabling reporters to penalize misbehavior through degraded communication access. The design ensures score integrity, reporter privacy via differential privacy, and sender unlinkability using cryptographic commitments and Privacy Pass tokens. The paper formalizes rational sender behavior under well-defined score updates and shows that honest, privacy-conscious play yields stable, interpretable incentives, supported by security proofs and a Rust-based implementation. The approach offers a practical, scalable framework for accountability in one-to-one online communication with strong privacy guarantees and minimal central data exposure.

Abstract

We present a system, Sandi, for creating trust through accountability. Concretely, we focus on online communication scenarios, where the communicating parties do not know each other, yet would benefit from a degree of initial trust. Sandi can be seen as a reputation system that measures bad behavior, with strong integrity protections and resistance to manipulation. Unlike most reputation systems, Sandi is entirely based on "downvotes" and therefore requires strong privacy guarantees to prevent retaliation. It utilizes a ticket-based reporting mechanism to limit who can report. We also prove that Sandi incentivizes good behavior in a well-defined sense. Sandi is by design unidirectional, so that message senders have Sandi scores and receivers can report them for inappropriate communication, but it is designed to benefit both senders and receivers. Senders benefit, as receivers are more likely to react to communication with the added trust signal. Receivers benefit from seeing senders' scores, allowing them to make more informed decisions about which senders to trust. Receivers do not need registered accounts and neither senders nor receivers need long-term keys. Sandi guarantees score integrity, communication privacy, reporter privacy to protect reporting receivers, and sender unlinkability. Sandi can be implemented on top of any communication system that allows for small binary data transfer.

Paper Structure (88 sections, 5 theorems, 37 equations, 14 figures, 4 tables)

Key Result

Theorem 1

Given our assumptions, for any $(\mathsf{sc}, \mathsf{e}, \mathsf{r})$, there exists an optimal sender's strategy. Moreover, any optimal strategy is normalized.

Figures (14)

  • Figure 1: In $\mathsf{Sandi}$, a sender obtains an endorsement tag from $\mathsf{AS}$, which it sends to a receiver. The receiver can optionally use the tag to report the sender.
  • Figure 2: Delayed reporting with $\mathsf{E} = 3$. The horizontal arrows indicate the delay from tag issuance to a receiver receiving the tag. The dotted horizontal lines indicate the remaining time to report until the tag expires (vertical bar). The "Score update" line shows when $\mathsf{AS}$ collects the reports from the "Issuance epoch" to update the sender's score. The second tag from the top is considered invalid by the receiver, as it was received too late (after its $\mathsf{val\_period}$).
  • Figure 3: Epoch key registration protocol.
  • Figure 4: Endorsement tag and blind sender-token issuance protocol.
  • Figure 5: Endorsement tag and blinded sender-token verification protocol.
  • ...and 9 more figures

Theorems & Definitions (18)

  • Definition 1: Reward function
  • Definition 2: Reward probability function
  • Definition 3: Report probability function
  • Definition 4: Rational receiver
  • Definition 5: Rational sender
  • Definition 6: Score function
  • Definition 7: Reputation function
  • Definition 8: Communication channel
  • Definition 9: Optimal sender's strategy
  • Definition 10: Normalized sender's strategy
  • ...and 8 more