Most crowdsales now require users to verify their ETH address before purchasing tokens. To do this, they require the user to sign up and perform KYC via their website.
The back-end then adds this address to a whitelist which then allows this participant to purchase tokens.
However, how is this possible? Does the back-end require its own ETH account which then pays for each verification transaction?
I've seen some contracts use an elliptic curve signature against a 'signer address' by supplying the user's hashed address, along with r, s and v, and checking if it then equals the signer's address.
Again, how does this work? Does it mean that on the back-end, servers will calculate the hash of a user's address, calculate the EC sig against the signer and then store the EC sig in the whitelist?
So to answer my own question, the standard method for verifying that users are on your whitelist without having to store unnecessary data on your contract is to use the elliptic curve digital signature algorithm for signing users' addresses.
You should ask for your user's ETH address upon registration, and then you can sign that ETH address using a specified Ethereum private key using ECDSA against a known public address (stored on the contract).
This then supplies 3 values, v, r and s, which are sent to the contract and can be recovered via an ecrecover function. If the function then returns the known public address, you can verify that your back-end must have signed the ETH address with the back-end's private key, therefore proving the user is a whitelisted participant.
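The contract side of the check described above, as an added example that is not part of the original post: the back-end signs off-chain, so it sends no transaction itself, and the buyer submits v, r and s with the purchase. The contract name, `digestFor`, the `contributions` mapping, the chain-id and contract-address binding, and the personal-sign prefix are assumptions of this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration: hypothetical contract, not from the original post.
contract SignedWhitelistSale {
    // Public address of the back-end's signing key, fixed at deployment.
    address public immutable signer;
    mapping(address => uint256) public contributions;

    // secp256k1 group order / 2; a larger s is the mirrored form of a signature.
    uint256 private constant HALF_N =
        0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0;

    constructor(address _signer) {
        require(_signer != address(0), "signer is zero");
        signer = _signer;
    }

    // Digest the back-end signs off-chain for one buyer.
    // Assumption: chain id and contract address are hashed in with the buyer,
    // so a signature issued for this sale is not valid for another contract.
    function digestFor(address buyer) public view returns (bytes32) {
        bytes32 inner = keccak256(abi.encode(block.chainid, address(this), buyer));
        // Assumption: the back-end signs with a personal_sign style call,
        // which applies this prefix before hashing.
        return keccak256(abi.encodePacked("\x19Ethereum Signed Message:\n32", inner));
    }

    function isWhitelisted(address buyer, uint8 v, bytes32 r, bytes32 s)
        public view returns (bool)
    {
        if (v != 27 && v != 28) return false;
        if (uint256(s) > HALF_N) return false;
        // ecrecover returns address(0) for an invalid signature;
        // the constructor guarantees signer is never address(0).
        return ecrecover(digestFor(buyer), v, r, s) == signer;
    }

    function buy(uint8 v, bytes32 r, bytes32 s) external payable {
        // Check msg.sender itself, never an address passed in by the caller.
        require(isWhitelisted(msg.sender, v, r, s), "not whitelisted");
        // Token issuance and fund withdrawal are outside this example's scope.
        contributions[msg.sender] += msg.value;
    }
}
```

A signature issued this way stays valid for as long as `signer` is unchanged, so removing a participant later needs either an on-chain revocation list or a new signing key.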