This paper addresses the challenge of establishing initial accountability in online communication settings lacking pre-existing trust. We propose Sandi, a decentralized, privacy-preserving accountability system. Its core innovation is the “weakly monotonic verifiable trust score” model: senders hold encrypted labels representing their historical trustworthiness; receivers autonomously decide whether to interact and can anonymously report misbehavior—without registration or long-term keys. Sandi formally guarantees score integrity, end-to-end communication privacy, reporter anonymity, and sender unlinkability. It employs zero-knowledge-friendly scoring, collusion-resistant reporting, and game-theoretic incentives. A formal rationality analysis proves that rational senders significantly suppress misconduct. Sandi is compatible with any lightweight communication protocol and supports account-free receivers, delivering rigorous security and privacy guarantees for open networks. (149 words)

We construct a system, Sandi, to bring trust in online communication through accountability. Sandi is based on a unique"somewhat monotone"accountability score, with strong privacy and security properties. A registered sender can request from Sandi a cryptographic tag encoding its score. The score measures the sender's trustworthiness based on its previous communications. The tag is sent to a receiver with whom the sender wants to initiate a conversation and signals the sender's"endorsement"for the communication channel. Receivers can use the sender's score to decide how to proceed with the sender. If a receiver finds the sender's communication inappropriate, it can use the tag to report the sender to Sandi, thus decreasing the sender's score. Sandi aims to benefit both senders and receivers. Senders benefit, as receivers are more likely to react to communication on an endorsed channel. Receivers benefit, as they can make better choices regarding who they interact with based on indisputable evidence from prior receivers. Receivers do not need registered accounts. Neither senders nor receivers are required to maintain long-term secret keys. Sandi provides a score integrity guarantee for the senders, a full communication privacy guarantee for the senders and receivers, a reporter privacy guarantee to protect reporting receivers, and an unlinkability guarantee to protect senders. The design of Sandi ensures compatibility with any communication system that allows for small binary data transfer. Finally, we provide a game-theoretic analysis for the sender. We prove that Sandi drives rational senders towards a strategy that reduces the amount of inappropriate communication.