Building a Digital Identity System with Post-Quantum Cryptography
A comprehensive undergraduate thesis project on PQC-based digital identity.
As quantum computing edges closer to practical application, the cryptographic foundations of the internet—and digital identity—stand on shaky ground. My undergraduate thesis project tackles this issue head-on by designing a Digital Identity System secured using Post-Quantum Cryptographic (PQC) primitives. This blog post outlines the design, experimentation, and motivation behind the project.
🔍 Motivation
Current public-key infrastructure (PKI) is critically dependent on classical assumptions such as the hardness of factoring (RSA) or discrete logarithms (ECDSA). Quantum adversaries, empowered by Shor’s algorithm, could break these schemes. To build a future-resilient digital identity system, we must shift to schemes considered secure under quantum adversaries. This project does exactly that.
🛠️ System Overview
The identity system is composed of modular cryptographic components, implemented in C for performance and auditability, and connected via a Node.js interface to web and browser endpoints.
Key Components:
| Primitive | Algorithm | Role |
|---|---|---|
| KEM | CRYSTALS-Kyber (768) | Key exchange and encryption |
| Digital Signature | CRYSTALS-Dilithium | Authentication and signing |
| Hash Function | SHAKE256 | Identity derivation and hashing |
Identity Function
A hybrid identity key is created by hashing together a user’s Kyber public key and Dilithium public key using SHAKE256:
SHAKE256(identity_key, kyber_pk || dilithium_pk);
Web Integration
To make the system usable in real-world scenarios, I built a browser-extension-based identity provider, connected to a local native messaging host running a C backend. The goal is to enable secure PQC key usage within the browser, support Hierarchical Deterministic Identities (inspired by BIP32), and allow Selective Disclosure Credentials for privacy-preserving authentication.
Security & Performance Analysis
I conducted a full timing side-channel analysis of the Kyber and Dilithium functions. The aim was to identify potential leakage patterns across repeated invocations.
Techniques Used:
- Welch’s t-test for statistical divergence
- Z-score & Mahalanobis distance for anomaly detection
- PCA for dimensionality reduction
- Heatmaps, boxplots, and timing histograms

This was implemented using Python, with the goal of uncovering deterministic timing artifacts that may pose a threat to post-quantum implementations.
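As an added illustration (not the thesis code), the Welch's t-test and z-score steps above applied to constructed timing samples; the sample values, the two-class layout (fixed input vs. random input) and the 4.5 decision threshold are assumptions of this example, and the loop that would collect real timings from the C backend is left out.

```python
"""Welch's t-test and z-score checks over timing samples (illustrative)."""
import math
import statistics as st

# Constructed per-call timings (pseudo-cycles) for one primitive, split into
# two input classes as in a fixed-vs-random leakage test. Values are invented.
CLASS_A = [1000, 1003, 998, 1001, 1002, 999, 1000, 1004, 997, 1001]   # fixed input
CLASS_B = [1000, 1002, 999, 1001, 998, 1003, 1000, 1001, 1002, 999]   # random inputs
CLASS_B_LEAKY = [x + 50 for x in CLASS_B]    # same shape, shifted by 50 cycles
TRACE_WITH_SPIKE = [1000] * 19 + [1200]      # one call far slower than the rest


def welch_t(a, b):
    """Welch's t statistic: mean difference scaled by the pooled standard error.
    Does not assume equal variances, which timing classes rarely share."""
    n1, n2 = len(a), len(b)
    m1, m2 = st.fmean(a), st.fmean(b)
    v1, v2 = st.variance(a), st.variance(b)
    return (m1 - m2) / math.sqrt(v1 / n1 + v2 / n2)


def leaks(a, b, threshold=4.5):
    """TVLA-style decision: |t| above the threshold flags an input-dependent
    timing difference worth investigating (threshold is an assumption here)."""
    return abs(welch_t(a, b)) > threshold


def zscore_outliers(samples, limit=3.0):
    """Indices of samples more than `limit` standard deviations from the mean,
    used to spot isolated anomalous calls before plotting histograms."""
    mu, sd = st.fmean(samples), st.stdev(samples)
    if sd == 0:
        return []
    return [i for i, x in enumerate(samples) if abs(x - mu) / sd > limit]


if __name__ == "__main__":
    print("A vs B      t=%.2f leak=%s" % (welch_t(CLASS_A, CLASS_B), leaks(CLASS_A, CLASS_B)))
    print("A vs leaky  t=%.2f leak=%s" % (welch_t(CLASS_A, CLASS_B_LEAKY), leaks(CLASS_A, CLASS_B_LEAKY)))
    print("outliers:", zscore_outliers(TRACE_WITH_SPIKE))
```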
Theoretical Foundations
The system includes a formal threat model rooted in the Quantum Random Oracle Model (QROM). The following aspects were explored:
- Formal security proofs for combined key derivation
- IND-CCA and EUF-CMA model assumptions
- Side-channel models and implementation-level attack surface
This project is one of the most comprehensive and extensive projects I have undertaken. I intend to improve it further, with formal verification of the identity generation algorithm and robust implementation attacks. The project code can be found at GitHub.