Using Post Quantum Cryptography for Self-Sovereign Identity Today

We are developing a transcontinental Self-Sovereign Identity (SSI) stack that provides security against quantum attacks, by using post quantum cryptography (PQC). SSI is a concept and initiative to provide individuals and entities digital credentials which they can control and trust. Our project aims to secure the accessibility of digital credentials by following European (eIDAS, EBSI) and worldwide (W3C, OpenID) standards and implementing a hybrid post quantum cryptographic library.

SSI solutions are at their core about sovereignty over personal identity data. These technologies have not yet seen wide adoption. To help the improvements in data security and privacy to be felt widely in society, these tools need wider adoption, which in turn requires them being more mature. We are increasing the maturity of SSI systems in two ways: making them secure against quantum attacks and fostering interoperability between credentials in the EU and US.

Current SSI systems use standard cryptography, which is not secure against attacks by quantum computers. For these tools to be future-proof and truly secure, this shortcoming must be addressed. Luckily, cryptographic algorithms thought to be secure against quantum computers already exist and have recently been standardized by the US National Institute of Standards and Technology (NIST). These new algorithms (often called Post-Quantum Cryptography or PQC) should also be used in SSI systems, and exactly this is a core result of our project.

The new standards were very recently published (August 13th, 2024), and the algorithms have not yet been tested widely in the real world. As such, they need to start being implemented and tested right away. This presents an issue: how can we make SSI tools secure in the interim? A solution is hybrid cryptography, which uses PQC and classical cryptography in parallel. The security of hybrid systems is backed by time-tested algorithms and is also secure against future threats from quantum computers. Our project is incorporating PQC into SSI systems in a hybrid form.

The hybrid cryptographic scheme that we are developing will use classical cryptography and a PQC algorithm. By classical we mean the commonly implemented digital signature schemes based on RSA or elliptic curves. The PQC digital signature algorithm that is being implemented in our project is ML-DSA (DILITHIUM). The security behind this new algorithm is based on what is known as lattice-based hardness problems and is thought to be secure against quantum computing algorithms. The implementation of this hybrid scheme is novel and impactful on the future usage of digital credentials.

Our project has three main objectives: The implementation of an open-source SSI stack, hybrid post-quantum cryptographic protocol, and the interoperability of EU-US credentials and decentralized identities. Each one of these objectives promotes the core principles of decentralized identity, privacy, sustainable internet, and a human-centric future. The improvement of online privacy and security is especially contingent upon post-quantum cryptography as this will secure the identities of individuals against the quantum computing attacks of the future. Self-sovereign identity provides a decentralized and user-controlled digital credential technology. Interoperability across borders makes SSI truly decentralized. Together these three objectives help build identity technologies that are secure, private, future-proof and decentralized.