Pseudonym Party Protocol

Updated 7 November 2025

The paper introduces a proof-of-personhood scheme where in-person token issuance and cryptographic validation secure one person, one vote.
It employs physical attendance checks and linkable ring signatures to enforce token uniqueness and robust Sybil resistance.
The protocol guarantees strong privacy and coercion resistance by decoupling digital personhood from personal identity through anonymous token circulation.

The Pseudonym Party Protocol is a proof-of-personhood scheme designed to enforce strict “one person, one vote” semantics in digital democracy, cryptographically ensuring that each claim of digital personhood is tied to a single, living human participant without reference to any pre-existing identity, attribute, document, or centralized database. The protocol centers on in-person, periodic gatherings (pseudonym parties) at which attendees are observed to be present and issued unique, privacy-preserving, anonymous tokens. These tokens enable subsequent digital actions such as voting or rate-limited service access while preserving user anonymity, resisting Sybil attacks, and supporting coercion-resistant use cases.

1. Protocol Structure and Workflow

At each pseudonym party—which may occur singly or as synchronized, federated events across multiple locations—all present individuals are issued a single, unique, time-limited digital token. The steps are as follows:

Check-in and Token Issuance: Individuals physically attend the event and are observed entering before a globally synchronized cutoff time. Each is issued a token: a cryptographically random value or cryptographic keypair, with no embedded or recorded linkage to real-world identity, and no biometric or document check.
Transparency and Auditing: Organizers and external witnesses certify that the process was conducted without fraud (e.g., stuffing) and that tokens correspond one-to-one with unique, present humans. The published list of distributed tokens is made public, along with possible photographic or videographic evidence.
Token Renewal: Once distributed, the tokens are valid only until the next scheduled party, at which point renewal requires re-attendance and fresh issuance. This bounding of validity period ensures population churn and limits attack windows for Sybil strategies.

Cryptographically, tokens are random values or keypairs, and their use in downstream digital protocols leverages constructions such as linkable ring signatures to permit anonymous, yet accountable, participation in digital systems.

2. Sybil Resistance and One-Person-One-Vote Enforcement

The protocol’s central technical property is Sybil resistance. This is achieved by:

Physical exclusion principle: One physical body can attend only one event at one time, so the protocol’s security assumption is grounded in physical law rather than electronic records. Synchronized closing of entrances across federated parties ensures exclusivity even at scale.
Token uniqueness: Each individual can obtain at most one valid token per event/run, preventing duplication via cryptographic means (only the unique token appears in the published list; all usage must be linked via proper cryptographic proof to a valid distributed token).
Verifiability: Everyone can audit the event’s claimed population vis-à-vis issued tokens, and challenge or dispute counting irregularities or evidence of collusion/stuffing.

This model, while contingent on practical enforcement of physical constraints (attendance verification, coordinated entry cutoff), fundamentally eliminates the “multiple credentials per body” attack vector typical of identity-document-based or virtual Sybil-resistance schemes.

3. Privacy, Anonymity, and Unlinkability

The protocol enforces strict separation between personhood attestation and personal identity:

No identity or attribute recording: Attendees are not required to reveal any identifying information or attributes; even pseudonym tokens are random strings or cryptographic keys, not linked to any biometric, government ID, or social graph.
Token use privacy: Token usage—such as casting a vote or claiming a rate-limited service—is implemented using cryptographic techniques such as linkable ring signatures over the published set of tokens $T = \{t_1, \ldots, t_N\}$ . A user proves possession of some $t_i$ in $T$ without revealing which, enabling anonymous authentication with rate-limiting per token.
Re-use and unlinkability: Except in cases where double-use must be detected (e.g., multiple votes in the same poll), cryptographic tags are constructed to prevent cross-context linkage, ensuring that usage of the same token in different applications or events is unlinkable.
Physical disguise: Attendees may disguise themselves at the event, maximizing privacy against local observers; the protocol is agnostic to physical presentation.

This construction completely decouples digital personhood from any attribute, affiliation, or identifier, resulting in strong, composable privacy and robust unlinkability across applications and time.

4. Coercion Resistance and Vote-Buying Defense

To defend against coercion and vote-buying threats—where an adversary bribes or coerces individuals to surrender their tokens or vote a certain way—the protocol incorporates:

Moment of enforced privacy: Each attendee, upon check-in, enters a privacy booth and is issued both real and fake tokens (on paper or digital medium), so only they know which token is valid.
Untraceability of tokens: Upon leaving the booth, the participant may reveal any of their tokens to a coercer. However, only the real token is honored in subsequent voting or authentication, and fake tokens are indistinguishable from real ones to external parties—inherently breaking enforcement of purchased votes.
Cryptographic construction: The core cryptographic primitives (compact, linkable ring signatures) ensure that only possession of the valid token allows participation in digital processes, while double-use or transfer attempts are blocked via tag linkage.

The protocol design ensures plausible deniability against post-event coercion and enables resistance to vote-buying, matching or exceeding best practices in coercion-resistant in-person voting systems.

5. Cryptographic Mechanisms and Token Use

The protocol relies on established cryptographic primitives to convert possession of tokens into privacy-preserving digital claims:

Linkable Ring Signatures: A user with token $t_i$ proves to the relying application their membership in the set $T$ by producing a signature over a message $m$ , including a cryptographic tag unique to the use context. Tag collisions reveal double-use within the same context (e.g., double-voting) while distinct contexts remain unlinkable.
Token format: Tokens may be random strings, cryptographic public keys, or other high-entropy nondeterministic values. The public list $T$ is published so applications and users can verify valid membership.
Renewal and expiration: Tokens expire on a predictable schedule, requiring re-attendance. This ensures the token population changes between events, limiting Sybil accumulation via physical or process attacks.

All cryptographic security claims are predicated on the difficulty of breaking the underlying primitives (e.g., discrete logarithm for ring signatures, sufficient entropy in random tokens).

6. Comparison to Alternative Proof-of-Personhood Models

A comparison with alternative Sybil-resistance and identity/token models highlights distinctive security and inclusion properties:

Approach	Inclusive	Equal	Secure	Private
Government Identity	No	No	No	No
Biometric Identity	No	No	No	No
Self-Sovereign Identity	No	No	No	No/Yes
Proof of Investment	?	No	Yes	Yes
Social Trust Networks	?	No	No	No
Threshold Verification	?	No	No	?
Pseudonym Parties	Yes	Yes	Yes	Yes

The Pseudonym Party Protocol is unique in providing high inclusion (no identity or attribute gating), equality (one person, one token), robust security (physical Sybil resistance, transparency, and cryptographic enforcement), and strict privacy (untraceable tokens and anonymous cryptographic usage). Most competing approaches fall short in at least one dimension, frequently either sacrificing privacy or allowing various forms of Sybil or coercion-based abuse.

7. Applications and Technical Implications for Digital Democracy

Pseudonym Party Protocols are directly applicable to online voting, liquid democracy, sample-based juries, universal basic income distribution, rate-limited access to social networks or communication services, and any application predicated on inalienable, rate-limited personhood. The system’s transparency of process, physical security, and cryptographically enforced privacy create a new paradigm for digital participation that is resistant to both technical and social vulnerabilities endemic in identity-based or trust-dependent models.

Implementation of such schemes is contingent on the availability of scalable, federated in-person events, support for mass transparent auditing, and robust device security for token issuance and use. Trade-offs include exclusion of those unable to attend physically (requiring separate accommodation protocols) and substantial logistics for regular, trustworthy event organization. Nevertheless, the protocol represents a uniquely strong technical foundation for digital personhood.

A plausible implication is that, while the protocol addresses core requirements for inclusion, privacy, security, and equality, its scalability and accommodation of remote or disabled individuals are contingent on future social and technical innovations.

PDF Markdown Chat (Pro)

Follow Topic

Get notified by email when new papers are published related to Pseudonym Party Protocol.