pith. sign in

arxiv: 2605.18146 · v2 · pith:56EBD7CMnew · submitted 2026-05-18 · 💻 cs.CR

DARTIC: Decentralized Anonymous Reputation at Scale for Trustworthy Crowdsourcing

Mouhamed Amine Bouchiha , Mourad Rabah , Ronan Champagnat , Abdelaziz Amara Korba , Yacine Ghamri-Doudane This is my paper

Pith reviewed 2026-05-20 09:49 UTC · model grok-4.3

classification 💻 cs.CR
keywords decentralized crowdsourcinganonymous reputationzkSNARK proofsSybil resistancedual-ledger systemblockchain scalabilityprivacy-preserving reputationon-chain crowdsourcing
0
0 comments X

The pith

DARTIC achieves anonymity, reputation binding, and scalability together in on-chain crowdsourcing by binding pseudonyms to one token via zkSNARK proofs on a dual-ledger system.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper tries to show that crowdsourcing services built on blockchains can let people participate without linking their actions across tasks while still holding them accountable through a lasting reputation score. It does so by letting users pick fresh pseudonyms for each interaction and using cryptographic proofs to tie every pseudonym back to one secret access token. A reader would care because most current decentralized reputation systems force a tradeoff between privacy and resistance to fake accounts or rating manipulation. The authors support the approach with performance tests in crowdsensing and federated learning settings, showing proof times under three seconds and major cuts in verification cost when proofs are aggregated.

Core claim

The central claim is that a dual-ledger architecture lets requesters and workers employ distinct pseudonyms for unlinkability across tasks, while zkSNARK set membership proofs bind all those pseudonyms to a single access token without exposing the linkage, thereby blocking Sybil creation and reputation resets; two aggregation methods then compress many proofs into one for efficient verification, and an automated privacy-preserving model scores contributions dynamically in varied crowdsourcing contexts.

What carries the argument

zkSNARK-based set membership proofs that cryptographically bind every user pseudonym to one access token while preserving unlinkability, backed by a dual-ledger system that assigns separate pseudonyms per interaction.

If this is right

  • Requesters and workers can switch pseudonyms freely across tasks while their contributions remain tied to one reputation score.
  • Sybil attacks and reputation-reset attempts are blocked because every pseudonym must prove membership in the set controlled by one token.
  • Aggregating proofs reduces verification time for 1024 instances from 8.7 seconds to 0.96 seconds.
  • zk-batching lowers on-chain gas costs by more than 100 times relative to direct Layer-1 verification.
  • The same construction works for both crowdsensing data collection and federated learning model training.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The same binding technique could support other decentralized services that need private participation yet persistent accountability, such as anonymous yet rated marketplaces.
  • If the proofs remain secure at larger batch sizes, the approach could support crowdsourcing markets with thousands of simultaneous tasks without central coordinators.
  • Dynamic reputation scoring across task types might reduce reliance on platform-specific rating algorithms in future Web3 applications.

Load-bearing premise

The cryptographic binding of pseudonyms to a single access token through zkSNARK proofs keeps identities unlinkable and stops Sybil or reset attacks without creating fresh vulnerabilities or needing trusted setups beyond standard zkSNARK assumptions.

What would settle it

An experiment in which an adversary creates multiple unlinkable pseudonyms tied to the same token, successfully resets reputation despite the proofs, or where aggregated verification time for 1024 proofs fails to drop below one second would falsify the joint achievement of anonymity, binding, and scalability.

Figures

Figures reproduced from arXiv: 2605.18146 by Abdelaziz Amara Korba, Mouhamed Amine Bouchiha, Mourad Rabah, Ronan Champagnat, Yacine Ghamri-Doudane.

Figure 1
Figure 1. Figure 1: DARTIC Framework: DON denotes decentralized oracle network, smart contracts (SCs) names are, ISC: iden￾tity, BSC: business, RSC: reputation, ASC: access and DSC: deposit; AT and RT denote access and reputation tokens; SSA and SSN denote social security administration and number; DDP refers to a decentralized dispute protocol. can be detected and appropriately sanctioned without com￾promising honest users’ … view at source ↗
Figure 2
Figure 2. Figure 2: DARTIC’s anonymous reputation lifecycle. Users start by (Step 1) proving the ownership of a valid AT and minting an initial RT0 . In (Step 2), reputation tokens are spent or used to interact within the CSML, generating unlinkable pseudonyms for each transaction. In (Step 3), oracle nodes evaluate interactions and securely update reputations on-chain via a threshold signature. Finally, in (Step 4), after k … view at source ↗
Figure 3
Figure 3. Figure 3: Latency and Throughput of DARTIC. ISC DSC RSC ASC mintAT deposit spendAT withdrawmintRT spendRT useRT updateRT 0.0 0.5 1.0 1.5 2.0 2.5 Gas Used 1e6$9.97 $10.47 $12.80 $4.17 $4.85 $4.73 $1.50 $1.61 $4.95 $6.45 $1.64 $0.17 [PITH_FULL_IMAGE:figures/full_fig_p012_3.png] view at source ↗
Figure 4
Figure 4. Figure 4: Deployment and invocation gas costs. Cost [PITH_FULL_IMAGE:figures/full_fig_p012_4.png] view at source ↗
Figure 5
Figure 5. Figure 5: Proving and verification times of spendRT vs. number of workers. mintAT deposit spendAT withdraw mintRT spendRT useRT updateRT 0 200 400 600 800 1000 1200 Total Gas (×10^6) L1, 64 calls L2×10, 64 calls L1, 512 calls L2×10, 512 calls L1, 1024 calls L2×10, 1024 calls [PITH_FULL_IMAGE:figures/full_fig_p013_5.png] view at source ↗
Figure 6
Figure 6. Figure 6: Total Gas Cost: L1 vs L2 (L2×10 for visibility). [PITH_FULL_IMAGE:figures/full_fig_p013_6.png] view at source ↗
Figure 7
Figure 7. Figure 7: Asymmetric dynamics of reputation updates with PW [PITH_FULL_IMAGE:figures/full_fig_p016_7.png] view at source ↗
Figure 8
Figure 8. Figure 8: Comparison of reputation models: our PW-Mean vs. [PITH_FULL_IMAGE:figures/full_fig_p018_8.png] view at source ↗
Figure 9
Figure 9. Figure 9: Privacy, linkability, and Safety vs. W under retaliatory attacks. 1 2 3 5 8 13 21 RT Reuse Window W 0.0 0.2 0.4 0.6 0.8 1.0 Metric Value RAU ( utility) On-chain cost (normalized, ) RSI ( stability) Var_life ( volatility) (a) Learning tasks: random 1 2 3 5 8 13 21 RT Reuse Window W 0.0 0.2 0.4 0.6 0.8 1.0 Metric Value RAU ( utility) On-chain cost (normalized, ) RSI ( stability) Var_life ( volatility) (b) Se… view at source ↗
Figure 10
Figure 10. Figure 10: RAU, stability, cost. vs. W under random & collusive attacks. 1 2 3 5 8 13 21 RT Reuse Window W 0.0 0.5 1.0 1.5 2.0 Gas / 1000 interactions 1e9 Cost with SnarkPack Cost without SnarkPack Knee (SnarkPack) W=3 Knee (No SnarkPack) W=3 (a) Learning tasks 1 2 3 5 8 13 21 RT Reuse Window W 0.0 0.5 1.0 1.5 2.0 Gas / 1000 interactions 1e9 Cost with SnarkPack Cost without SnarkPack Knee (SnarkPack) W=3 Knee (No Sn… view at source ↗
Figure 11
Figure 11. Figure 11: Gas per 1000 interactions vs. W with/without Snark￾Pack aggregation. 0.00 0.02 0.04 0.06 0.08 0.10 AUClink 0.00 0.02 0.04 0.06 0.08 Drawdown 0.0 0.2 0.4 0.6 0.8 1.0 OnChainCost 1 2 3 5 8 13 21 W values Knee W*=3 [PITH_FULL_IMAGE:figures/full_fig_p020_11.png] view at source ↗
read the original abstract

On-chain crowdsourcing leverages blockchain's decentralization, transparency, and tamper-resistance to build trustworthy and verifiable Web3 crowdsourced services. However, existing decentralized reputation frameworks do not reconcile anonymity, reputation binding, and scalability. This paper demonstrates how on-chain crowdsourcing can simultaneously achieve these requirements under a trust-minimized model. We introduce DARTIC, a decentralized, anonymous, and scalable reputation-driven framework for crowdsourcing. DARTIC presents a dual-ledger system that enables requesters and workers to use distinct pseudonyms across interactions, ensuring unlinkability while maintaining accountability. To mitigate Sybil and reputation-reset attacks, we employ zkSNARK-based set membership proofs, cryptographically binding all user pseudonyms to a single access token without revealing the linkage. For scalability, we investigate two aggregation techniques that compress multiple proofs into a single succinct proof to minimize verification overhead. In addition, we design an automated, privacy-preserving reputation model that dynamically evaluates contributions across diverse crowdsourcing contexts. To demonstrate practicality, we instantiate and assess DARTIC in both crowdsensing and federated learning scenarios. Experimental results show that (i) individual proof generation for token spending completes in less than 3s, (ii) aggregation reduces the verification time of 1024 proofs from 8.7s to 0.96s, and (iii) zk-batching lowers gas costs by more than 100x compared to a pure Layer-1 deployment. These results demonstrate that anonymity, robust reputation binding, and scalability can be jointly achieved in fully decentralized crowdsourcing systems.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

3 major / 2 minor

Summary. The manuscript introduces DARTIC, a decentralized anonymous reputation framework for on-chain crowdsourcing. It uses a dual-ledger system to let requesters and workers employ distinct pseudonyms for unlinkability, zkSNARK-based set membership proofs to cryptographically bind all pseudonyms to a single access token (preventing Sybil and reputation-reset attacks), proof aggregation techniques to reduce verification overhead, and a privacy-preserving dynamic reputation model. The approach is instantiated and evaluated in crowdsensing and federated learning scenarios, with reported metrics including individual proof generation under 3 seconds, aggregation reducing verification of 1024 proofs from 8.7s to 0.96s, and over 100x gas cost reduction versus pure Layer-1.

Significance. If the cryptographic constructions and trust assumptions hold, the work would be significant for reconciling anonymity, accountability via reputation, and scalability in trust-minimized blockchain crowdsourcing, a longstanding tension in decentralized systems. The concrete performance numbers and dual-scenario evaluation provide practical evidence of feasibility. The absence of formal security analysis, however, limits the strength of the central demonstration that the three properties are jointly achieved without new attack surfaces.

major comments (3)
  1. [zkSNARK set membership proofs (Section 4)] The trust-minimized model claim (abstract and zkSNARK construction) is load-bearing for the central result yet rests on an unaddressed assumption: standard zkSNARK set-membership proofs (used to bind pseudonyms to the access token) typically require a trusted setup whose trapdoor must remain secret. The manuscript does not specify a transparent system (e.g., STARKs) or a decentralized MPC ceremony, leaving open the possibility that forgery of membership proofs could undermine Sybil resistance and unlinkability.
  2. [Security analysis (Section 5)] No formal security definitions, game-based models, or proofs are provided for the claimed properties of anonymity, unlinkability, and Sybil/reputation-reset resistance. The soundness of the dual-ledger plus zkSNARK binding therefore relies on unshown derivations, which directly affects the demonstration that these properties are simultaneously achieved under the stated model.
  3. [Experimental evaluation (Section 6)] Table 1 and the experimental results paragraph report concrete timing and gas-cost figures but omit key methodological details (zkSNARK library, curve parameters, aggregation implementation, hardware, and blockchain testbed). This weakens the scalability claims that rest on the reported 100x gas reduction and sub-second aggregated verification.
minor comments (2)
  1. [Abstract] The abstract states that 'two aggregation techniques' are investigated but does not name or briefly characterize them; this should be added for immediate clarity.
  2. [System model (Section 3)] Notation for pseudonyms, access tokens, and the dual ledgers is introduced piecemeal; a single notation table or consistent definition paragraph early in the system model would improve readability.

Simulated Author's Rebuttal

3 responses · 0 unresolved

We thank the referee for the constructive feedback on our manuscript. We address each of the major comments below, indicating where revisions will be made to improve clarity and completeness.

read point-by-point responses

  1. Referee: [zkSNARK set membership proofs (Section 4)] The trust-minimized model claim (abstract and zkSNARK construction) is load-bearing for the central result yet rests on an unaddressed assumption: standard zkSNARK set-membership proofs (used to bind pseudonyms to the access token) typically require a trusted setup whose trapdoor must remain secret. The manuscript does not specify a transparent system (e.g., STARKs) or a decentralized MPC ceremony, leaving open the possibility that forgery of membership proofs could undermine Sybil resistance and unlinkability.

    Authors: We appreciate the referee highlighting this important aspect of the trust model. The DARTIC construction relies on zkSNARKs for the set membership proofs to ensure binding without revealing linkages. While many zkSNARK implementations do involve a trusted setup, our threat model assumes that the setup is performed honestly or that the proving key is publicly available without trapdoor leakage, consistent with common practices in blockchain applications. To strengthen the manuscript, we will revise Section 4 to explicitly state the trusted setup assumption and discuss its implications for the trust-minimized claim, including potential mitigation via multi-party computation ceremonies if applicable. revision: yes

  2. Referee: [Security analysis (Section 5)] No formal security definitions, game-based models, or proofs are provided for the claimed properties of anonymity, unlinkability, and Sybil/reputation-reset resistance. The soundness of the dual-ledger plus zkSNARK binding therefore relies on unshown derivations, which directly affects the demonstration that these properties are simultaneously achieved under the stated model.

    Authors: We acknowledge that a formal security analysis would provide stronger guarantees. In the current manuscript, Section 5 presents informal arguments based on the properties of the dual-ledger system and the soundness of zkSNARKs for preventing Sybil attacks and ensuring unlinkability. We agree this can be improved. In the revised version, we will add formal security definitions and game-based models for the key properties, along with proof sketches demonstrating how the constructions achieve them under the stated assumptions. revision: yes

  3. Referee: [Experimental evaluation (Section 6)] Table 1 and the experimental results paragraph report concrete timing and gas-cost figures but omit key methodological details (zkSNARK library, curve parameters, aggregation implementation, hardware, and blockchain testbed). This weakens the scalability claims that rest on the reported 100x gas reduction and sub-second aggregated verification.

    Authors: The referee is correct that additional details are necessary for reproducibility. The experiments utilized the circom library for zkSNARK circuit compilation with the BN254 curve, proof aggregation implemented via a custom batching protocol, conducted on a machine with an Intel Core i7 processor and 16GB RAM, and deployed on the Ethereum Goerli testnet for gas measurements. We will update Section 6 and Table 1 with these specifics in the revised manuscript to fully support the reported performance metrics. revision: yes

Circularity Check

0 steps flagged

No circularity: construction from standard primitives

full rationale

The paper presents DARTIC as a framework built from dual ledgers and zkSNARK set-membership proofs to bind pseudonyms to access tokens. No equations, fitted parameters, or self-citations are shown reducing the claimed anonymity/reputation/scalability properties to inputs by construction. Experimental timings and gas costs are measured outcomes, not tautological derivations. The derivation chain remains self-contained against external cryptographic benchmarks.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 2 invented entities

The design rests on standard cryptographic assumptions for zkSNARK soundness and on the novel system components introduced by the authors.

axioms (1)
  • domain assumption zkSNARKs provide sound and zero-knowledge set membership proofs that bind pseudonyms to an access token without revealing linkages
    Invoked to prevent Sybil and reputation-reset attacks while preserving unlinkability.
invented entities (2)
  • Dual-ledger system no independent evidence
    purpose: Separate pseudonyms for requesters and workers to achieve unlinkability across interactions
    New architectural component introduced to reconcile anonymity and accountability.
  • Access token with zkSNARK binding no independent evidence
    purpose: Cryptographic link that binds all pseudonyms to one identity without disclosure
    Core mechanism to mitigate Sybil attacks.

pith-pipeline@v0.9.0 · 5839 in / 1353 out tokens · 35766 ms · 2026-05-20T09:49:33.458069+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Lean theorems connected to this paper

Citations machine-checked in the Pith Canon. Every link opens the source theorem in the public Lean library.

What do these tags mean?
matches
The paper's claim is directly supported by a theorem in the formal canon.
supports
The theorem supports part of the paper's argument, but the paper may add assumptions or extra steps.
extends
The paper goes beyond the formal theorem; the theorem is a base layer rather than the whole result.
uses
The paper appears to rely on the theorem as machinery.
contradicts
The paper's claim conflicts with a theorem or certificate in the canon.
unclear
Pith found a possible connection, but the passage is too broad, indirect, or ambiguous to say the theorem truly supports the claim.

Reference graph

Works this paper leans on

66 extracted references · 66 canonical work pages · 1 internal anchor

  1. [1]

    CrowdBC: A Blockchain-Based Decentralized Framework for Crowdsourcing,

    M. Li, J. Weng, A. Yang, W. Lu, Y . Zhang, L. Hou, J.-N. Liu, Y . Xi- ang, and R. H. Deng, “CrowdBC: A Blockchain-Based Decentralized Framework for Crowdsourcing,”IEEE Transactions on Parallel and Distributed Systems, vol. 30, no. 6, pp. 1251–1266, 2019

    work page 2019

  2. [2]

    TrustWorker: A Trustwor- thy and Privacy-Preserving Worker Selection Scheme for Blockchain- Based Crowdsensing,

    S. Gao, X. Chen, J. Zhu, X. Dong, and J. Ma, “TrustWorker: A Trustwor- thy and Privacy-Preserving Worker Selection Scheme for Blockchain- Based Crowdsensing,”IEEE Transactions on Services Computing, vol. 15, no. 6, pp. 3577–3590, 2022

    work page 2022

  3. [3]

    Decentralized services computing paradigm for blockchain-based data governance: Programmability, inter- operability, and intelligence,

    X. Liu, S. X. Sun, and G. Huang, “Decentralized services computing paradigm for blockchain-based data governance: Programmability, inter- operability, and intelligence,”IEEE Transactions on Services Computing, vol. 13, no. 2, pp. 343–355, 2019

    work page 2019

  4. [4]

    ZebraLancer: Private and anonymous crowdsourcing system atop open blockchain,

    Y . Lu, Q. Tang, and G. Wang, “ZebraLancer: Private and anonymous crowdsourcing system atop open blockchain,” in2018 IEEE 38th International Conference on Distributed Computing Systems (ICDCS). IEEE, 2018, pp. 853–865

    work page 2018

  5. [5]

    Dynamic and privacy-preserving reputation management for blockchain-based mobile crowdsensing,

    K. Zhao, S. Tang, B. Zhao, and Y . Wu, “Dynamic and privacy-preserving reputation management for blockchain-based mobile crowdsensing,” IEEE Access, vol. 7, pp. 74 694–74 710, 2019

    work page 2019

  6. [6]

    CrowdR-FBC: A distributed fog- blockchains for mobile crowdsourcing reputation management,

    Y . Yu, S. Liu, L. Guoet al., “CrowdR-FBC: A distributed fog- blockchains for mobile crowdsourcing reputation management,”IEEE Internet of Things Journal, vol. 7, no. 9, pp. 8722–8735, 2020

    work page 2020

  7. [7]

    Privacy-preserving reputation systems based on blockchain and other cryptographic building blocks: A survey,

    O. Hasan, L. Brunie, and E. Bertino, “Privacy-preserving reputation systems based on blockchain and other cryptographic building blocks: A survey,”ACM Computing Surveys, vol. 55, no. 2, pp. 1–37, 2022

    work page 2022

  8. [8]

    R-Manager: Con- sortium Blockchain-Based Vehicle Reputation Management for High- Quality Reports in Traffic-Oriented Crowdsourcing,

    E. Yu, Y . Xu, L. Gao, J. Cao, Q. Xiang, and L. He, “R-Manager: Con- sortium Blockchain-Based Vehicle Reputation Management for High- Quality Reports in Traffic-Oriented Crowdsourcing,”IEEE Transactions on Vehicular Technology, vol. 74, no. 1, pp. 984–999, 2025

    work page 2025

  9. [9]

    A UA V-Assisted Truth Discovery Approach With Incentive Mechanism Design in Mobile Crowd Sensing,

    P. Wang, Z. Li, B. Guo, S. Long, S. Guo, and J. Cao, “A UA V-Assisted Truth Discovery Approach With Incentive Mechanism Design in Mobile Crowd Sensing,”IEEE/ACM Transactions on Networking, vol. 32, no. 2, pp. 1738–1752, 2024

    work page 2024

  10. [10]

    Robust qos predic- tion based on reputation integrated graph convolution network,

    Z. Wu, D. Ding, Y . Xiu, Y . Zhao, and J. Hong, “Robust qos predic- tion based on reputation integrated graph convolution network,”IEEE Transactions on Services Computing, vol. 17, no. 3, pp. 1154–1167, 2023

    work page 2023

  11. [11]

    BlockSense: Towards trustworthy mobile crowdsensing via proof-of-data blockchain,

    J. Huang, L. Kong, L. Cheng, H.-N. Dai, M. Qiu, G. Chen, X. Liu, and G. Huang, “BlockSense: Towards trustworthy mobile crowdsensing via proof-of-data blockchain,”IEEE Transactions on Mobile Computing, vol. 23, no. 2, pp. 1016–1033, 2022

    work page 2022

  12. [12]

    AutoDFL: A Scalable and Automated Reputation-Aware Decentralized Federated Learning,

    M. M. Dif, M. A. Bouchiha, M. Rabah, and Y . Ghamri-Doudane, “AutoDFL: A Scalable and Automated Reputation-Aware Decentralized Federated Learning,” inIEEE/IFIP Network Operations and Manage- ment Symposium (NOMS), 2025, pp. 1–9

    work page 2025

  13. [13]

    Anonymous reputation system for IIoT-enabled retail marketing atop PoS blockchain,

    D. Liu, A. Alahmadi, J. Niet al., “Anonymous reputation system for IIoT-enabled retail marketing atop PoS blockchain,”IEEE Transactions on Industrial Informatics, vol. 15, no. 6, pp. 3527–3537, 2019

    work page 2019

  14. [14]

    DARS: Empowering Trust in Blockchain-Based Real-World Applica- tions with a Decentralized Anonymous Reputation System,

    M. A. Bouchiha, Y . Ghamri-Doudane, M. Rabah, and R. Champagnat, “DARS: Empowering Trust in Blockchain-Based Real-World Applica- tions with a Decentralized Anonymous Reputation System,” inAdvanced Information Networking and Applications. Springer, 2024, pp. 48–61

    work page 2024

  15. [15]

    An anonymous, trust and fairness based privacy preserving service construction framework in mobile crowdsourcing,

    X. Chen, B. Yang, Q. He, S. Zhang, T. Wang, H. Song, and A. Liu, “An anonymous, trust and fairness based privacy preserving service construction framework in mobile crowdsourcing,”IEEE Transactions on Services Computing, vol. 18, no. 2, pp. 618–632, 2025

    work page 2025

  16. [16]

    Decentralized reputation,

    T. Dimitriou, “Decentralized reputation,” in11th ACM Conference on Data and Application Security and Privacy. ACM, 2021, pp. 119–130

    work page 2021

  17. [17]

    A trustless privacy- preserving reputation system,

    A. Schaub, R. Bazin, O. Hasan, and L. Brunie, “A trustless privacy- preserving reputation system,” in31st IFIP International Information Security and Privacy Conference (SEC). Springer, 2016, pp. 398–411

    work page 2016

  18. [18]

    Blockchain-Based Reputation Privacy Preserving for Quality-Aware Worker Recruitment Scheme in MCS,

    Q. Deng, Q. Zuo, Z. Li, H. Liu, and Y . Xie, “Blockchain-Based Reputation Privacy Preserving for Quality-Aware Worker Recruitment Scheme in MCS,”IEEE/ACM Transactions on Networking, vol. 32, no. 6, pp. 5188–5203, 2024

    work page 2024

  19. [19]

    Aggregating crowd wisdom via blockchain: A private, correct, and robust realization,

    H. Duan, Y . Zheng, Y . Du, A. Zhou, C. Wang, and M. H. Au, “Aggregating crowd wisdom via blockchain: A private, correct, and robust realization,” in2019 IEEE International Conference on Pervasive Computing and Communications (PerCom). IEEE, 2019, pp. 1–10

    work page 2019

  20. [20]

    AV eCQ: Anonymous Verifiable Crowdsourcing With Worker Quali- ties,

    V . Koutsos, S. Damle, D. Papadopoulos, S. Gujar, and D. Chatzopoulos, “AV eCQ: Anonymous Verifiable Crowdsourcing With Worker Quali- ties,”IEEE Transactions on Dependable and Secure Computing, vol. 22, no. 1, pp. 406–423, 2024

    work page 2024

  21. [21]

    FedCrowd: A federated and privacy- preserving crowdsourcing platform on blockchain,

    Y . Guo, H. Xie, Y . Miaoet al., “FedCrowd: A federated and privacy- preserving crowdsourcing platform on blockchain,”IEEE Transactions on Services Computing, vol. 15, no. 4, pp. 2060–2073, 2022

    work page 2060

  22. [22]

    PrivBCS: a privacy-preserving and efficient crowdsourcing system with fine-grained worker selection based on blockchain,

    J. Chen, W. Liang, L. Xiao, C. Yang, R. Zhang, Z. Gui, and A. Poniszewska-Mara ´nda, “PrivBCS: a privacy-preserving and efficient crowdsourcing system with fine-grained worker selection based on blockchain,”Connection Science, vol. 35, no. 1, p. 2202837, 2023

    work page 2023

  23. [23]

    CoPiFL: A collusion-resistant and privacy-preserving federated learning crowd- sourcing scheme using blockchain and homomorphic encryption,

    R. Xiong, W. Ren, S. Zhao, J. He, Y . Renet al., “CoPiFL: A collusion-resistant and privacy-preserving federated learning crowd- sourcing scheme using blockchain and homomorphic encryption,”Fu- ture Generation Computer Systems, vol. 156, pp. 95–104, 2024

    work page 2024

  24. [24]

    DECO: Liberating Web Data Using Decentralized Oracles for TLS,

    F. Zhang, D. Maram, H. Malvai, S. Goldfeder, and A. Juels, “DECO: Liberating Web Data Using Decentralized Oracles for TLS,” in2020 ACM SIGSAC Conference on Computer and Communications Security (CCS). ACM, 2020, pp. 1919–1938

    work page 2020

  25. [25]

    CanDID: Can-do decentralized identity with legacy compatibility, sybil-resistance, and accountability,

    D. Maram, H. Malvai, F. Zhang, N. Jean-Louis, A. Frolov, T. Kell, T. Lobbanet al., “CanDID: Can-do decentralized identity with legacy compatibility, sybil-resistance, and accountability,” inIEEE Symposium on Security and Privacy (S&P). IEEE, 2021, pp. 1348–1366

    work page 2021

  26. [26]

    zk-creds: Flexible Anonymous Credentials from zkSNARKs and Existing Identity Infras- tructure,

    M. Rosenberg, J. White, C. Garman, and I. Miers, “zk-creds: Flexible Anonymous Credentials from zkSNARKs and Existing Identity Infras- tructure,” in2023 IEEE Symposium on Security and Privacy (S&P). IEEE, 2023, pp. 790–808

    work page 2023

  27. [27]

    The Byzantine generals prob- lem,

    L. Lamport, R. Shostak, and M. Pease, “The Byzantine generals prob- lem,” inConcurrency: the works of Leslie Lamport, 2019, pp. 203–226

    work page 2019

  28. [28]

    D. R. Kuhn, V . Hu, W. T. Polk, and S.-J. Chang,SP 800-32. Introduction to public key technology and the federal PKI infrastructure. National Institute of Standards & Technology, 2001

    work page 2001

  29. [29]

    The honey badger of BFT protocols,

    A. Miller, Y . Xia, K. Croman, E. Shi, and D. Song, “The honey badger of BFT protocols,” in2016 ACM SIGSAC Conference on Computer and Communications Security (CCS). ACM, 2016, pp. 31–42

    work page 2016

  30. [30]

    Chainlink 2.0: Next steps in the evolution of decentralized oracle networks,

    L. Breidenbachet al., “Chainlink 2.0: Next steps in the evolution of decentralized oracle networks,”Chainlink, White paper, vol. 1, 2021

    work page 2021

  31. [31]

    Town Crier: An authenticated data feed for smart contracts,

    F. Zhang, E. Cecchetti, K. Croman, A. Juels, and E. Shi, “Town Crier: An authenticated data feed for smart contracts,” inACM SIGSAC Conference on Computer and Communications Security. ACM, 2016, pp. 270–282

    work page 2016

  32. [32]

    Multi-trapdoor commitments and their applications to proofs of knowledge secure under concurrent man-in-the-middle at- tacks,

    R. Gennaro, “Multi-trapdoor commitments and their applications to proofs of knowledge secure under concurrent man-in-the-middle at- tacks,” in24th Annual International Cryptology Conference (CRYPTO 2004). Springer, 2004, pp. 220–236

    work page 2004

  33. [33]

    Fast multiparty threshold ECDSA with fast trustless setup,

    R. Gennaro and S. Goldfeder, “Fast multiparty threshold ECDSA with fast trustless setup,” in2018 ACM SIGSAC Conference on Computer and Communications Security (CCS), 2018, pp. 1179–1194

    work page 2018

  34. [34]

    One round threshold ecdsa with identifiable abort,

    ——, “One round threshold ecdsa with identifiable abort,”Cryptology ePrint Archive, Paper 2020/540, 2020. 15

    work page 2020

  35. [35]

    Practical asynchronous distributed key generation,

    S. Das, T. Yurek, Z. Xiang, A. Miller, L. Kokoris-Kogias, and L. Ren, “Practical asynchronous distributed key generation,” inIEEE Symposium on Security and Privacy (S&P). IEEE, 2022, pp. 2518–2534

    work page 2022

  36. [36]

    On the size of pairing-based non-interactive arguments,

    J. Groth, “On the size of pairing-based non-interactive arguments,” in 35th Annual International Conference on the Theory and Applications of Cryptographic Techniques. Springer, 2016, pp. 305–326

    work page 2016

  37. [37]

    PLONK: Permuta- tions over Lagrange-bases for Oecumenical Noninteractive arguments of Knowledge,

    A. Gabizon, Z. J. Williamson, and O. Ciobotaru, “PLONK: Permuta- tions over Lagrange-bases for Oecumenical Noninteractive arguments of Knowledge,”Cryptology ePrint Archive, Paper 2019/953, 2019

    work page 2019

  38. [38]

    Zero- knowledge proofs for set membership: efficient, succinct, modular,

    D. Benarroch, M. Campanelli, D. Fiore, K. Gurkanet al., “Zero- knowledge proofs for set membership: efficient, succinct, modular,” Designs, Codes and Cryptography, vol. 91, no. 11, pp. 3457–3525, 2023

    work page 2023

  39. [39]

    Verifiable random functions,

    S. Micali, M. Rabin, and S. Vadhan, “Verifiable random functions,” in 40th annual symposium on foundations of computer science (cat. No. 99CB37039). IEEE, 1999, pp. 120–130

    work page 1999

  40. [40]

    IPFS - Content Addressed, Versioned, P2P File System

    J. Benet, “IPFS - Content Addressed, Versioned, P2P file system,”arXiv preprint arXiv:1407.3561, 2014

    work page internal anchor Pith review Pith/arXiv arXiv 2014

  41. [41]

    Securedtrust: A dynamic trust computation model for secured communication in multiagent systems,

    A. Das and M. M. Islam, “Securedtrust: A dynamic trust computation model for secured communication in multiagent systems,”IEEE Trans- actions on Dependable and Secure Computing, vol. 9, no. 2, pp. 261– 274, 2011

    work page 2011

  42. [42]

    Tornado cash privacy solution version 1.4,

    A. Pertsev, R. Semenov, and R. Storm, “Tornado cash privacy solution version 1.4,”White paper, vol. 1, p. 7, 2019

    work page 2019

  43. [43]

    Tor: The second- generation onion router,

    R. Dingledine, N. Mathewson, and P. Syverson, “Tor: The second- generation onion router,” in13th USENIX security symposium, vol. 4, 2004, pp. 303–320

    work page 2004

  44. [44]

    Powers-of- Tau to the people: Decentralizing setup ceremonies,

    V . Nikolaenko, S. Ragsdale, J. Bonneau, and D. Boneh, “Powers-of- Tau to the people: Decentralizing setup ceremonies,”Cryptology ePrint Archive, Paper 2022/1592, 2022

    work page 2022

  45. [45]

    The MNIST database of handwritten digits,

    Y . LeCunet al., “The MNIST database of handwritten digits,” 2005

    work page 2005

  46. [46]

    Learning multiple layers of features from tiny images,

    A. Krizhevsky, G. Hintonet al., “Learning multiple layers of features from tiny images,” 2009

    work page 2009

  47. [47]

    Sensing the air we breathe—the opensense zurich dataset,

    J. J. Li, B. Faltings, O. Saukh, D. Hasenfratz, and J. Beutel, “Sensing the air we breathe—the opensense zurich dataset,” inAAAI Conference on Artificial Intelligence (AAAI), vol. 26, no. 1, 2012, pp. 323–325

    work page 2012

  48. [48]

    Snarkpack: Practical snark aggregation

    N. Gailly, M. Maller, and A. Nitulescu, “Snarkpack: Practical snark aggregation.” Berlin, Heidelberg: Springer-Verlag, 2022, p. 203–229

    work page 2022

  49. [49]

    Pianist: Scalable zkrollups via fully distributed zero-knowledge proofs,

    T. Liu, T. Xie, J. Zhang, D. Song, and Y . Zhang, “Pianist: Scalable zkrollups via fully distributed zero-knowledge proofs,” inIEEE Sympo- sium on Security and Privacy (S&P). IEEE, 2024, pp. 1777–1793

    work page 2024

  50. [50]

    Blockchain-Based Federated Learning With SMPC Model Verification Against Poisoning Attack for Healthcare Systems,

    A. P. Kalapaaking, I. Khalil, and X. Yi, “Blockchain-Based Federated Learning With SMPC Model Verification Against Poisoning Attack for Healthcare Systems,”IEEE Transactions on Emerging Topics in Computing, vol. 12, no. 1, pp. 269–280, 2024

    work page 2024

  51. [51]

    Mudguard: Taming malicious majorities in federated learning using privacy-preserving byzantine- robust clustering,

    R. Wang, X. Wang, H. Chenet al., “Mudguard: Taming malicious majorities in federated learning using privacy-preserving byzantine- robust clustering,”ACM on Measurement and Analysis of Computing Systems, vol. 8, no. 3, pp. 1–41, 2024

    work page 2024

  52. [52]

    Are you contributing trust- worthy data? the case for a reputation system in participatory sensing,

    K. L. Huang, S. S. Kanhere, and W. Hu, “Are you contributing trust- worthy data? the case for a reputation system in participatory sensing,” inACM international conference on Modeling, analysis, and simulation of wireless and mobile systems (MSWiM), 2010, pp. 14–22. A. REPUTATIONMODELING This appendix presents two instantiations of our reputation model. M...

    work page 2010

  53. [53]

    Each interaction is weighted with Eq

    Interaction Evaluation:The evaluation must preserve pri- vacy: the reputation model neither uses nor reveals workers’ historical and sensitive data. Each interaction is weighted with Eq. (1) and the contribution from a workervis evaluated using Eq. (2). Each parameter valueP v j ,e.g., feedback, is associated with a corresponding weight, denoted byα j. In...

    work page

  54. [54]

    Reputation Update:Global reputation scores are updated using a piecewise-weighted mean (PW-Mean) function Eq. (3). As shown in Fig. 7, this asymmetry ensures that malicious interactions have a stronger impact than positive ones, making reputation harder to build than to lose

    work page

  55. [55]

    The update rule in Eq

    Theoretical properties of the PW-Mean update:We ana- lyze the PW-Mean fundamental mathematical properties. The update rule in Eq. (3) defines a bounded stochastic dynamical system driven by trust observations. We show that it (i) preserves reputation values within valid limits, (ii) ensures smooth and stable evolution under arbitrary trust sequences, (iii...

    work page

  56. [56]

    Proof Sketch

    Completeness: Definition 7.1:Completeness ensures that if the prover’s statementxis valid (i.e.,x∈L, whereLis the language of valid statements) and the prover follows the protocol honestly, the verifier will always accept the proof. Proof Sketch. •For access control: 1.The prover knowsa, and the cryptographic commitment cmA is correctly computed ascm A =C...

    work page

  57. [57]

    Proof Sketch

    Soundness: Definition 7.2 (Soundness):ensures that no malicious prover can convince the verifier to accept a false statementx /∈L except with negligible probability. Proof Sketch. •The statementxcorresponds to the root of the Merkle tree (rtA for access control orrt R for reputation binding). •The witnesswconsists of: –The secret (aorb), –The cryptographi...

    work page

  58. [58]

    Proof Sketch

    Zero-Knowledge: Definition 7.3 (Zero-knowledge):A proof system is zero- knowledge if for any probabilistic polynomial-time (PPT) adversaryA, there exists a PPT simulatorSsuch that the simulated proof is computationally indistinguishable from a real proof, given only the statementx. Proof Sketch. •Consider a zkSNARK proof system with a common refer- ence s...

    work page

  59. [59]

    The functions tested in- cludemintAT,deposit,spendAT,withdraw,mintRT, spendRT,useRT, andupdateRT

    Scalability:We evaluate the gas consumption of selected functions in our system, comparing execution onLayer 2 (zkSync)versusLayer 1 (EVM). The functions tested in- cludemintAT,deposit,spendAT,withdraw,mintRT, spendRT,useRT, andupdateRT. Each function may op- erate on multiple L2 batches, and zkSync allowsaggregated submissionof multiple batches per L1 tr...

    work page

  60. [60]

    Reputation Effectiveness:We simulate three different workers’ behaviors for the learning tasks as follows: (i)Honest.consistently engage in training the model (v4, v5, v6, v8, v9). (ii)Malicious.attempt to poison the model 0 5 10 15 20 #T ask (CNN) 0.2 0.4 0.6 0.8Reputation 0 5 10 15 20 #T ask (ResNet) v1 (PW-Mean) v3 (PW-Mean) v5 (PW-Mean) v1 (W-Mean) v3...

    work page

  61. [61]

    However, longer reuse windows increase (i) linkability risk and exposure to retaliation/bad- mouthing, and (ii) the blast radius when targeted

    Optimal RT Reuse Window:Workers may reuse a repu- tation token (RT) across multiple interactions to benefit from continuity (i.e., a stable presentation of recent reputation and smoother task acceptance). However, longer reuse windows increase (i) linkability risk and exposure to retaliation/bad- mouthing, and (ii) the blast radius when targeted. Frequent...

    work page

  62. [62]

    We train a pairwise classifier to predict same-AT vs

    Privacy & Linkability.LetΦdenote metadata observable by a network adversary or counterparties (e.g., time gaps, reward scale, coarse context bins, behavioral style). We train a pairwise classifier to predict same-AT vs. different-AT across interaction pairs. AUClink(W) :=ROC-AUC of the linkage classifier, k-Anon(W) :=avg. size of indistinguishable cluster...

    work page

  63. [63]

    Safety Against Bad-Mouthing / Retaliation.Three metrics are used: Max drop from initial reputation, Drawdown(W) =E max t≤W Rv,0 −R v,t ;(9) Time to recover to 95% of the initial reputation, TTR0.95(W) =E[min{t≤W:R v,t ≥0.95R v,0}] ;(10) And the probability that reputation exceeds hiring threshold at any point: Pr hire (W) =P(R v,t ≥R hire)(11) Drawdown (F...

    work page

  64. [64]

    Figs.10b and 10a)

    Utility & Cost.Define risk-adjusted utility: RAU(W) =E[Accepted tasks×reward]| {z } utility −λ1 Drawdown(W)| {z } safety loss −λ 2 AUClink(W)| {z } privacy loss −λ3 OnChainCost(W)| {z } gas/latency ,(12) with,OnChainCost(W)∝ 1 W ×cost(mintRT+spendRT) RAU generally increases fromW= 1toW= 8across all attack types, peaking atW= 8for random andW= 5 collusive ...

    work page

  65. [65]

    RSI slightly decreases withW, especially under retaliatory and collusive attacks (Fig.10b and 10a), indicating that longer RT lifespans may expose workers to fluctuations

    Stability.We use the reputation stability indexRSI(W) within each RT lifetime (higher is better), andVar life(Rv) variance ofR v across lifetimes (lower is better). RSI slightly decreases withW, especially under retaliatory and collusive attacks (Fig.10b and 10a), indicating that longer RT lifespans may expose workers to fluctuations. At smallW, RSI remai...

    work page

  66. [66]

    Medium windows (W= 3–8) provide a balanced tradeoff between utility, cost, and privacy, making them the preferred choice in most scenarios

    Optimal Window.RAU, drawdown, linkability, and cost trends (Fig.12) reveal an empirical sweet spot near: W ⋆ ∈ {3,5,8}, Specifically, small windows (W= 1–2) offer strong privacy and safety guarantees but incur high blockchain costs. Medium windows (W= 3–8) provide a balanced tradeoff between utility, cost, and privacy, making them the preferred choice in ...

    work page arXiv 2000