Papers
Topics
Authors
Recent
Search
2000 character limit reached

Address-Based Identity Matching

Updated 5 July 2026
  • Address-Based Identity Matching is defined as using persistent, structured identifiers to link records across diverse domains including postal, NAC, and blockchain systems.
  • Approaches range from nonparametric distribution matching and dense transformer-based retrieval to cryptographic certificate-backed methods, each tailored to specific identity signals.
  • Empirical evaluations demonstrate high accuracy and precision while also highlighting challenges such as data sparsity, variability in address formats, and privacy concerns.

Address-based identity matching denotes a class of linkage problems in which an address-like identifier is used to decide whether records refer to the same real-world entity, device, household, or controller. In the cited literature, the term spans at least four technically distinct settings: resolving noisy postal addresses to canonical records, recognizing the same endpoint across randomized network addresses in enterprise Network Access Control (NAC), linking blockchain profiles that belong to the same wallet or entity across domains, and cryptographically binding arbitrary identity strings to Ethereum addresses through certificate-based identity-based signatures (Duarte et al., 2023, Seralathan, 17 Mar 2026, Somin et al., 2024, Murasaki et al., 16 Jul 2025). The common thread is that the address is not treated merely as a string token, but as an identity anchor whose persistence, structure, timing behavior, or certified provenance can be exploited for matching.

1. Domain scope and problem formulations

In postal and customer-data settings, address-based identity matching is formulated as deciding whether two or more records refer to the same household, individual, or organization by leveraging address information as a primary signal. One line of work casts the task as linking an unnormalized address string to a canonical record in a normalized database, with particular emphasis on “door-level” accuracy so that neighboring units in the same building are not conflated (Duarte et al., 2023). Another line treats the address as a hierarchical object rather than unstructured text, with labels such as province, city, district, road, building number, unit, and room, and predicts whether a pair of addresses is a non-match, partial match, or exact match (Zhang et al., 2023).

In enterprise NAC, address-based identity matching historically meant recognizing the same physical endpoint across sessions by its network-layer or link-layer address, especially the MAC address. MAC randomization disrupts that model because randomized and changing MAC addresses eliminate persistence and the manufacturer OUI signal previously used for classification. The proposed replacement is a persistent identity layer centered on a server-generated 128-bit GUID, called the Persistent Device Identifier (PDID), which is distributed through RADIUS and correlated to certificates, MDM identifiers, posture-agent identifiers, usernames, and profiling features (Seralathan, 17 Mar 2026).

In blockchain analytics, the problem shifts from lexical normalization to controller linkage. One study evaluates address-to-address matching across ERC-20 token domains on Ethereum, where the same wallet appears in multiple token-specific domains on a given day and the ground truth identity is address equality across domains. Rather than using graph structure or semantic content, the method relies on inter-event time distributions derived from on-chain timestamps (Somin et al., 2024). A distinct Ethereum line addresses identity binding rather than cross-domain behavioral matching: it binds an arbitrary string such as a name or label to an address through a Key Generation Center (KGC) certificate over the user public key and the identity string, while preserving Ethereum’s ordinary ECDSA with key recovery (Murasaki et al., 16 Jul 2025).

These formulations share a surface vocabulary but differ materially in what “address” denotes: a postal location string, a randomized MAC address, an Ethereum address, or a domain-specific profile keyed by a wallet. This suggests that address-based identity matching is better understood as a family of linkage regimes than as a single algorithmic problem.

2. Identity signals and representational choices

The central design choice is the representation of the address signal. In temporal blockchain matching, the address is represented indirectly through activity timing. For a profile udu_d on day τ\tau, activity times Aτud=(t0ud,,tmud)[τ,τ+1]A^{u_d}_{\tau} = (t_0^{u_d}, \dots, t_m^{u_d}) \subset [\tau,\tau+1] induce an inter-event sequence

Sτud=(Δt1ud,,Δtmud),Δtiud=tiudti1ud.S^{u_d}_{\tau} = (\Delta t_1^{u_d}, \dots, \Delta t_m^{u_d}), \quad \Delta t_i^{u_d} = t_i^{u_d} - t_{i-1}^{u_d}.

The temporal fingerprint is then the empirical CDF

Qτud(Δt)={δSτud:δΔt}m.Q^{u_d}_{\tau}(\Delta t) = \frac{\left| \{ \delta \in S^{u_d}_{\tau} : \delta \le \Delta t \} \right|}{m}.

This representation is explicitly nonparametric, avoids KDE in the main method, uses UTC day windows, does not de-seasonalize in the core experiments, and treats burstiness and heavy tails as signal rather than noise (Somin et al., 2024).

In postal matching, the address is represented textually but with strong structural bias. The Portuguese siamese-transformer system uses normalized addresses with components such as artery type, artery name, door ID, accommodation ID, and ZIP code, and encodes each address with multilingual DistilBERT, mean pooling, and an MLP with tanh to a 512-dimensional embedding (Duarte et al., 2023). The hierarchical Chinese system first resolves address elements with FLAT using 21 labels, then learns fine-grained address representations with NEZHA and Whole Word Masking at the element level, and finally combines sentence-level and element-level matching features (Zhang et al., 2023). The invoice-oriented semantic pipeline parses fields including name, streetName, city, state, zipCode, extnZip, country, and full Address, then uses BM25 and component-aware re-ranking (Gupta et al., 2024).

In NAC, the representation is explicitly identifier-centric. The PDID is a UUID v4 generated server-side, persisted for the device lifecycle, and carried in RADIUS Access-Accept messages. The correlation layer maps multiple MACs and attributes to one PDID. When strong identity signals exist, the system binds the PDID to certificate identifiers, MDM/EMM enrollment IDs, or posture-agent IDs; when they do not, it falls back to multi-attribute similarity over DHCP fingerprint vectors, hostname, DNS FQDN, HTTP User-Agent, SNMP sysDescr/sysObjectID, access port, SSID, and time window, using

S=iwisimi ⁣(xicurrent,xihistorical),S = \sum_{i} w_i \,\mathrm{sim}_i\!\left(x_i^{\text{current}},\, x_i^{\text{historical}}\right),

with correlation if SτS \ge \tau (Seralathan, 17 Mar 2026).

In Ethereum identity binding, the representational basis is cryptographic rather than behavioral or textual. An Ethereum address AA is defined as

A=LSB20 ⁣(Keccak256(Enc(PxPy))),A = \operatorname{LSB}_{20}\!\left(\mathrm{Keccak256}\big(\text{Enc}(P_x \| P_y)\big)\right),

where P=(Px,Py)P=(P_x,P_y) is the secp256k1 public key. The KGC certifies the binding between τ\tau0 and an arbitrary identity string τ\tau1, and verification checks both the user signature and the KGC signature on τ\tau2 (Murasaki et al., 16 Jul 2025).

3. Methodological families

One methodological family is nonparametric distribution matching. In the Ethereum temporal-fingerprint system, cross-domain pairs are scored by the two-sample Kolmogorov–Smirnov distance

τ\tau3

ranked in ascending order, optionally filtered by a goodness-of-fit indicator, and returned as top-τ\tau4 candidates. A supervised extension constructs daily cross-domain similarity graphs weighted by KS distance and trains a 2-layer TGNN with positive and negative edge labels inferred from KS thresholds τ\tau5 and τ\tau6 (Somin et al., 2024).

A second family is dense retrieval plus reranking. The Portuguese system uses a siamese bi-encoder to retrieve the top 10 candidates from a normalized address database, restricted to a CP4-derived auxiliary shard, and then reranks those candidates with a DistilBERT cross-encoder that jointly encodes query and candidate as a sentence pair. The bi-encoder is trained with a margin-based contrastive loss using easy, hard, and very hard negatives; the cross-encoder is trained with cross-entropy over the top candidates (Duarte et al., 2023). A related semantic pipeline first retrieves likely candidates from an OCR-derived address pool with BM25, then computes a threshold on the top-1/top-2 score difference τ\tau7, and invokes a BERT-assisted component-weighted re-ranker when the case is ambiguous (Gupta et al., 2024).

A third family is hierarchical address modeling. The hierarchical-information system is organized as a three-stage pipeline: FLAT-based element resolution, NEZHA representation learning with Whole Word Masking over address elements, and interactive matching that fuses sentence-level and element-level features before three-way classification. The explicit goal is to use address hierarchy to improve performance on irregular addresses and to pay closer attention to special parts of the address (Zhang et al., 2023).

A fourth family is protocol-native persistent identity. The RADIUS-based NAC framework does not attempt to recover persistence from randomized MACs by string matching alone. Instead, it injects a stable device identifier into the authentication plane. In 802.1X, the RADIUS server validates EAP-TLS, correlates the request to an existing PDID or creates a new one, returns the PDID in Access-Accept, and reuses it across later authentications with different MACs. In MAB and IoT cases, the framework uses profiling and contextual correlation when certificates or agents are unavailable (Seralathan, 17 Mar 2026).

A fifth family is certificate-backed identity binding on Ethereum. The certificate-based IBS construction instantiates identity-based signatures from ECDSA with key recovery. Setup creates the KGC key pair; Extract generates a per-identity ECDSA key pair and a KGC signature over τ\tau8; Sign produces a user ECDSA signature on message τ\tau9; Verify checks that the recovered signer address matches the address computed from Aτud=(t0ud,,tmud)[τ,τ+1]A^{u_d}_{\tau} = (t_0^{u_d}, \dots, t_m^{u_d}) \subset [\tau,\tau+1]0, and that the KGC signature on Aτud=(t0ud,,tmud)[τ,τ+1]A^{u_d}_{\tau} = (t_0^{u_d}, \dots, t_m^{u_d}) \subset [\tau,\tau+1]1 recovers the KGC address. The method therefore binds arbitrary strings to existing Ethereum addresses without replacing the signature system used in ordinary transactions (Murasaki et al., 16 Jul 2025).

4. Reported empirical behavior

The temporal-fingerprint study evaluates Ethereum mainnet ERC-20 transactions over 14 days, with over 250k daily traders and token-defined domains Aτud=(t0ud,,tmud)[τ,τ+1]A^{u_d}_{\tau} = (t_0^{u_d}, \dots, t_m^{u_d}) \subset [\tau,\tau+1]2. The KS-based fingerprint achieves a mean AUC of approximately 0.78 across 14 days, near error-less precision up to the top 200 KS-ranked pairs on average, approximately 96% precision for the top-100 predictions, and approximately 83% of correct pairs within the top-10 candidates per profile. The 2-layer TGNN further boosts precision on the top-1000 candidate edges, and noise injection with Gaussian perturbations of 5 minutes and 60 minutes still yields Precision@10 of approximately 78% and approximately 74%, respectively (Somin et al., 2024).

The Portuguese siamese-transformer system is evaluated on a normalized database of approximately 430k curated Portuguese addresses, more than 3 million raw addresses reduced to approximately 1.1 million valid records, and a held-out test set of approximately 60k unnormalized records. The bi-encoder reaches 95.68% door-level top-1 accuracy and 99.41% top-10 retrieval at door level; with thresholding at 0.99 it reaches 97.39%. The proposed bi-encoder plus cross-encoder system reports 95.32% door-level accuracy unfiltered and 98.35% with threshold 0.90 while discarding 18.08% of low-confidence pairs; artery-level accuracy rises from 97.08% to 99.71% with thresholding. Under GPU inference, the system is about 4.5 times faster than BM25 (Duarte et al., 2023).

The hierarchical-information address matcher reports element-resolution F1, precision, accuracy, and recall all above 0.9 after approximately 40 epochs on the CCKS2021 address element dataset. On address matching, the hierarchical method improves the baseline by 3.23 F1 points, 1.77 accuracy points, and 3.64 recall points. Ablation results indicate that removing address learning based on Whole Word Masking causes a drop of 2.78 F1, 2.63 accuracy, and 2.87 recall, while removing element matching reduces F1 by 0.88, accuracy by 0.31, and recall by 0.29 (Zhang et al., 2023).

The semantic invoice pipeline uses an address pool of 19,524 records derived from OCR on web-scraped invoices from multiple countries. In the reported comparison, BM25+BERT achieves Precision 1.00, Recall 0.97, and F1 0.97, above string matching, dictionary methods, AMT, DEEPAM, Word2Vec+RF, and Word2Vec+SVM (Gupta et al., 2024).

The NAC framework presents use-case-specific confidence levels rather than a benchmark corpus. Reported effectiveness is “Very High (>99%)” for BYOD and MDM-managed devices, “High (>95%)” for VPN and non-VPN posture via agent identifiers, “Medium (>80%)” for registered guests, and “Medium (>75%)” for randomized IoT profiling. For license counting, the framework contrasts “up to Aτud=(t0ud,,tmud)[τ,τ+1]A^{u_d}_{\tau} = (t_0^{u_d}, \dots, t_m^{u_d}) \subset [\tau,\tau+1]3 device records” without the framework to Aτud=(t0ud,,tmud)[τ,τ+1]A^{u_d}_{\tau} = (t_0^{u_d}, \dots, t_m^{u_d}) \subset [\tau,\tau+1]4 device records with the framework, and gives the example “50,000 devices × 10 weekly connections → cut from 500,000 spurious records to 50,000 (10× improvement)” (Seralathan, 17 Mar 2026).

The Ethereum IBS implementation reports 21,849 gas for verifying a user message signature and 26,251 gas for verifying the KGC certificate, with combined IBS verification approximately 2.2 times a single ECDSA verification. Because the certificate verification is independent of the transaction message, it need only be done once per Aτud=(t0ud,,tmud)[τ,τ+1]A^{u_d}_{\tau} = (t_0^{u_d}, \dots, t_m^{u_d}) \subset [\tau,\tau+1]5, after which transaction verification costs are about the same as a single ECDSA verification (Murasaki et al., 16 Jul 2025).

5. Failure modes, robustness, and recurrent misconceptions

A recurrent failure mode is data sparsity. In temporal blockchain matching, very few events per window yield unstable fingerprints, which motivates aggregation to longer windows or KDE alternatives. The same study also notes overlapping behavior as a source of near-collisions, since genuinely similar schedules can produce small KS distances, and cross-domain shifts can weaken matching when behavior differs sharply across domains (Somin et al., 2024). In postal matching, missing door numbers, ambiguous accommodation details, severe abbreviation variants, transposed tokens, punctuation variation, and multi-occupancy buildings all increase the risk of false links; thresholding and human review are therefore integral to operational deployment (Duarte et al., 2023, Gupta et al., 2024).

Another failure mode is weak identity assurance. In NAC, EAP-TLS certificate binding is the strongest correlation path, whereas MAB and profiling-only paths are explicitly weaker and should be constrained by policy. The framework states that open, unauthenticated hotspots are out of scope because no reliable correlation is possible without defeating privacy. It also identifies duplicate PDID creation under concurrent authentications as an operational hazard, addressed through locking, re-checks after lock acquisition, and distributed coordination across a server cluster (Seralathan, 17 Mar 2026).

A common misconception is that privacy-preserving surface changes eliminate matching. The blockchain timing study shows the opposite for encrypted or pseudonymous environments: simply knowing when an individual is active, without who they talk to or what they discuss, can be sufficient for linkage at scale (Somin et al., 2024). A related misconception in NAC is that MAC randomization necessarily destroys enterprise device continuity; the RADIUS-native PDID framework argues instead that persistence can be reintroduced at the AAA layer without client-side operating-system changes and without discarding the privacy benefits randomization was meant to provide (Seralathan, 17 Mar 2026).

In Ethereum identity binding, a different misconception concerns “vanity” semantics. The IBS-based construction does not directly generate a vanity address containing chosen characters. The paper states that Ethereum’s key-recovery model prevents direct vanity-address generation through IBS and that the construction instead “connect[s] any string with an address” by certifying the binding between the string and the public key underlying the address (Murasaki et al., 16 Jul 2025).

6. Privacy, compliance, and research directions

Address-based identity matching is inseparable from privacy and compliance. The temporal-fingerprint work explicitly frames timing-only leakage as a privacy risk on public blockchains and recommends mitigations such as randomized delays with sufficient variance, batching with differential privacy, and protocol-level privacy mechanisms including ring signatures, zero-knowledge proofs, and mixer designs that decorrelate per-address timing (Somin et al., 2024). The NAC framework presents the opposite institutional perspective: persistent identity is needed for HIPAA device-level accountability, FISMA/NIST SP 800-53 controls such as CM-8 and SI-4, PCI-DSS segmentation and logging continuity, and Zero Trust per-request device verification. Its privacy-preserving stance is that the PDID is CSPRNG-generated, not derived from MAC/OUI, and can be deleted on retirement or privacy request (Seralathan, 17 Mar 2026).

Operational governance also differs by domain. Postal and invoice systems emphasize calibrated thresholds, manual review queues for low-confidence matches, and the risk of conflating neighboring units or households when address evidence is incomplete (Duarte et al., 2023, Gupta et al., 2024). Blockchain systems emphasize the tension between linkage power and pseudonymity, as well as the need for candidate pruning and approximate methods because naïve all-pairs KS across domains scales as Aτud=(t0ud,,tmud)[τ,τ+1]A^{u_d}_{\tau} = (t_0^{u_d}, \dots, t_m^{u_d}) \subset [\tau,\tau+1]6 (Somin et al., 2024). Ethereum identity-binding systems emphasize replay protection, domain separation, KGC trust, and the possibility of revocation or multi-identity support as open design questions (Murasaki et al., 16 Jul 2025).

The forward-looking research agenda in the cited work is correspondingly heterogeneous. For temporal fingerprints, planned extensions include KS approximation, candidate generation via LSH on summary statistics, hierarchical matching from clusters to addresses, parametric fits and Hawkes-based embeddings, and multi-resolution fingerprints over hourly, daily, and weekly scales (Somin et al., 2024). For NAC, open challenges include standardizing a RADIUS attribute for PDID via RADEXT/MADINAS and improving uniqueness in IoT environments with many identical devices (Seralathan, 17 Mar 2026). For postal matching, the natural directions are broader locale adaptation, synthetic typo and abbreviation augmentation, calibration, ANN indexing for larger-scale retrieval, and fusion with additional identity attributes while maintaining privacy and compliance (Duarte et al., 2023, Gupta et al., 2024, Zhang et al., 2023).

Taken together, these studies show that address-based identity matching is not reducible to simple address comparison. It may depend on distributional behavior, hierarchical text structure, authentication-plane identifiers, or certified public-key bindings. The technical problem is therefore not just whether two address strings or tokens look alike, but which notion of persistence, equivalence, and control is being formalized in a given system.

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Address-Based Identity Matching.