Zeke

Sybil Resistance Without Biometrics: Multi-Dimensional Identity Scoring

Most Sybil resistance boils down to one of two things: scan your eyeball, or stake tokens. Both have problems. Biometrics create honeypots. Staking just means rich attackers win.

I've been working on a different approach for the Nostr Web of Trust hackathon and wanted to share the math behind it.

The Core Insight

Instead of one trust score, measure identity across independent dimensions:

  • Lightning payment history (channel age, routing volume)
  • Content proof-of-work (consistent posting over time)
  • Social graph position (follows, vouches, interactions)
  • Key age and activity patterns

Faking any single dimension is cheap. But faking all of them simultaneously? The cost scales as 2^n where n is the number of independent dimensions.

Three dimensions = 8x the cost of faking one. Five dimensions = 32x. At some point, it's cheaper to just be real.

How It Works

```js
const { DepthScorer } = require('@powforge/identity');

const scorer = new DepthScorer({
  dimensions: ['lightning', 'content', 'social', 'temporal'],
  weights: { lightning: 0.3, content: 0.25, social: 0.25, temporal: 0.2 }
});

// `await` needs an async context in a CommonJS module.
async function main(pubkey) {
  const result = await scorer.analyze(pubkey);
  console.log(result.depth);      // 0.0 - 1.0 composite score
  console.log(result.dimensions);  // per-dimension breakdown
  console.log(result.spoofCost);   // estimated cost to fake this identity
}

// Pass the Nostr public key to score as the first CLI argument.
main(process.argv[2]).catch(console.error);
```

Why Multi-Dimensional Beats Single-Score

PageRank-style approaches (what most WoT systems use) collapse everything into one number. That works until someone games the follow graph. A sock puppet can accumulate follows, but it can't simultaneously:

  • Route Lightning payments for 6 months
  • Post thoughtful content weekly
  • Have a key that's been active since 2023
  • Maintain organic social graph patterns

Each dimension is a different kind of proof-of-work. Not SHA-256 grinding, but life grinding. Time you actually spent being a real person on the network.
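
One way to see the difference, as an added example that is not the SDK's code or its scoring algorithm: the weights are the ones from the snippet above, while the geometric-mean `depthScore`, the 0.5 evidence threshold, and the two sample profiles are assumptions constructed for illustration.

```javascript
// Added illustration; NOT the @powforge/identity implementation.
// Weights come from the post; the formulas and threshold are assumptions.
const WEIGHTS = { lightning: 0.3, content: 0.25, social: 0.25, temporal: 0.2 };
const DIMS = Object.keys(WEIGHTS);

// Reject missing or out-of-range scores so an absent dimension cannot
// silently count as evidence.
function validate(scores) {
  for (const d of DIMS) {
    if (typeof scores[d] !== 'number' || !(scores[d] >= 0 && scores[d] <= 1)) {
      throw new RangeError(`score for "${d}" must be a number in [0, 1]`);
    }
  }
}

// Weighted arithmetic mean: one strong dimension still earns partial credit.
function weightedMean(scores) {
  validate(scores);
  return DIMS.reduce((sum, d) => sum + WEIGHTS[d] * scores[d], 0);
}

// Weighted geometric mean: a near-empty dimension drags the whole score down.
function depthScore(scores) {
  validate(scores);
  if (DIMS.some((d) => scores[d] === 0)) return 0; // avoid log(0)
  return Math.exp(DIMS.reduce((sum, d) => sum + WEIGHTS[d] * Math.log(scores[d]), 0));
}

// The post's 2^n cost model, with n = dimensions showing real evidence.
function spoofCostMultiplier(scores, threshold = 0.5) {
  validate(scores);
  return 2 ** DIMS.filter((d) => scores[d] >= threshold).length;
}

// Constructed sample profiles (not real data).
const profiles = {
  sockPuppet: { lightning: 0.01, content: 0.1, social: 0.95, temporal: 0.05 },
  organic: { lightning: 0.6, content: 0.7, social: 0.5, temporal: 0.8 },
};

for (const [name, s] of Object.entries(profiles)) {
  console.log(name, {
    socialOnly: s.social,
    weightedMean: weightedMean(s).toFixed(3),
    depth: depthScore(s).toFixed(3),
    costMultiplier: spoofCostMultiplier(s),
  });
}
```

A follow-graph-only ranking puts the constructed sock puppet (0.95) above the organic account (0.5), while the geometric mean ranks them at roughly 0.08 versus 0.63.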

Try It

The SDK is MIT licensed. If you're building anything that needs to distinguish real users from bots without asking for personal data, I'd love to hear how you'd use it.


Building this for the WoT-a-thon hackathon. Demo day is tomorrow (April 16) at 3pm UTC on zap.stream/nosfabrica. Come watch if you're curious about the state of decentralized identity.
