Session – Cloud Infrastructure and Information Security

CanDID: Can-Do Decentralized Identity with Legacy Compatibility, Sybil-Resistance, and Accountability

Speaker: Dr. Fan Zhang (张帆)

Assistant Professor

Department of Computer Science

Duke University

Durham, NC 27708


Dr. Fan Zhang recently received his Ph.D. in Computer Science from Cornell University, advised by Prof. Ari Juels. His research interest is the security, privacy, and scalability of decentralized systems, in particular those enabled by blockchains and trusted execution environments (TEEs). His works have been featured in Forbes, MIT Tech Review, IEEE Spectrum, CoinDesk, BitcoinMagazine, and numerous blockchain news outlets. Several of his works have seen industry uptake. He is a member of IC3 and a recipient of an IBM Ph.D. Fellowship for 2018-2020. Fan Zhang will join the Department of Computer Science at Duke University as an Assistant Professor in 2021.


While decentralized identity (DID) promises to give users greater control over their private data, it burdens users with the management of private keys, creating a significant risk of key loss. Existing and proposed approaches also presume the spontaneous availability of a credential-issuance ecosystem, creating a bootstrapping problem. They also omit essential functionality, like resistance to Sybil attacks and the ability to detect misbehaving or sanctioned users while preserving user privacy.


In this talk, I’ll introduce CanDID, a platform for the practical, user-friendly realization of decentralized identity, the idea of empowering end-users with the management of their own credentials. CanDID addresses these challenges by issuing credentials in a user-friendly way that draws securely and privately on data from existing, unmodified web service providers. Such legacy compatibility similarly enables CanDID users to leverage their existing online accounts for the recovery of lost keys. Using a decentralized committee of nodes, CanDID provides strong confidentiality for user’s keys, real-world identities, and data, yet prevents users from spawning multiple identities and allows identification (and blacklisting) of sanctioned users.


I’ll present the CanDID architecture and its technical innovations and report on experiments demonstrating its practical performance.