Building a Digital Identity System with Post-Quantum Cryptography

A comprehensive undergraduate thesis project on PQC-based digital identity.


Project

As quantum computing edges closer to practical application, the cryptographic foundations of the internet—and digital identity—stand on shaky ground. My undergraduate thesis project tackles this issue head-on by designing a Digital Identity System secured using Post-Quantum Cryptographic (PQC) primitives. This blog post outlines the design, experimentation, and motivation behind the project.


🔍 Motivation

Current public-key infrastructure (PKI) is critically dependent on classical assumptions such as the hardness of factoring (RSA) or discrete logarithms (ECDSA). Quantum adversaries, empowered by Shor’s algorithm, could break these schemes. To build a future-resilient digital identity system, we must shift to schemes considered secure under quantum adversaries. This project does exactly that.


🛠️ System Overview

The identity system is composed of modular cryptographic components, implemented in C for performance and auditability, and connected via a Node.js interface to web and browser endpoints.

Key Components:

Primitive          Algorithm               Role
KEM                CRYSTALS-Kyber (768)    Key exchange and encryption
Digital Signature  CRYSTALS-Dilithium      Authentication and signing
Hash Function      SHAKE256                Identity derivation and hashing

Identity Function

A hybrid identity key is created by hashing together a user’s Kyber public key and Dilithium public key using SHAKE256:

SHAKE256(identity_key, kyber_pk || dilithium_pk);

Web Integration

To make the system usable in real-world scenarios, I built a browser-extension-based identity provider, connected to a local native messaging host running a C backend. The goal is to enable secure PQC key usage within the browser, support Hierarchical Deterministic Identities (inspired by BIP32), and allow Selective Disclosure Credentials for privacy-preserving authentication.

Security & Performance Analysis

I conducted a full timing side-channel analysis of Kyber and Dilithium functions. The aim was to identify potential leakage patterns under multiple iterations.

Techniques Used:

  1. Welch’s t-test for statistical divergence
  2. Z-score & Mahalanobis distance for anomaly detection
  3. PCA for dimensionality reduction
  4. Heatmaps, boxplots, and timing histograms

This was implemented using Python, with the goal of uncovering deterministic timing artifacts that may pose a threat to post-quantum implementations.
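As an added illustration of the first two techniques above (not code from the thesis project), the snippet below runs Welch's t-test on two classes of timing samples and flags per-sample z-score outliers. The timing values are constructed inline; the 4.5 t-threshold is the conventional TVLA cut-off and the z cut-off of 3 is an assumed choice.

```python
import math
from statistics import mean, pstdev, variance

# Constructed timing samples (in nanoseconds) for one function call measured
# under two input classes, e.g. a fixed input versus random inputs. In the real
# analysis these would be many thousands of measurements of the C implementation.
FIXED_CLASS = [100, 102, 98, 100]
RANDOM_CLASS = [110, 112, 108, 110]

T_THRESHOLD = 4.5  # conventional TVLA threshold: |t| above this suggests leakage
Z_THRESHOLD = 3.0  # assumed cut-off for single-sample timing anomalies


def welch_t(a, b):
    """Welch's t-statistic for two samples that may have unequal variances."""
    if len(a) < 2 or len(b) < 2:
        raise ValueError("need at least two samples per class")
    denom = math.sqrt(variance(a) / len(a) + variance(b) / len(b))
    if denom == 0.0:
        # both classes are constant: no measurable divergence
        return 0.0
    return (mean(a) - mean(b)) / denom


def leaks_timing(a, b, threshold=T_THRESHOLD):
    """True when the two input classes are statistically distinguishable by time."""
    return abs(welch_t(a, b)) > threshold


def timing_outliers(samples, threshold=Z_THRESHOLD):
    """Indices of samples whose z-score exceeds the threshold (possible artifacts)."""
    sd = pstdev(samples)
    if sd == 0.0:
        return []
    mu = mean(samples)
    return [i for i, s in enumerate(samples) if abs((s - mu) / sd) > threshold]


if __name__ == "__main__":
    t = welch_t(FIXED_CLASS, RANDOM_CLASS)
    print(f"Welch t = {t:.3f}, leak suspected: {leaks_timing(FIXED_CLASS, RANDOM_CLASS)}")
    print("outlier indices:", timing_outliers([100] * 20 + [200]))
```

A real run should repeat the measurement in randomly interleaved order so that clock drift does not masquerade as a class difference.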

Theoretical Foundations

The system includes a formal threat model rooted in the Quantum Random Oracle Model (QROM). The following aspects were explored:

  1. Formal security proofs for combined key derivation
  2. IND-CCA and EUF-CMA model assumptions
  3. Side-channel models and implementation-level attack surface

This project is one of the most comprehensive and extensive projects I have undertaken. I intend to improve it further, with formal verification of the identity generation algorithm and robust implementation attacks. The project code can be found at GitHub.

© 2025 Manas Patil