This paper introduces Post-Quantum Identity Encryption (PQIE), a fully lattice-based security layer for Decentralized Identifiers (DIDs) that encrypts entire DID Documents with Ring-Learning-With-Errors (Ring-LWE) and applies a built-in homomorphic noise filter. The framework is blockchain-agnostic: encrypted identities (or their hashes) can be stored on any key-value ledgers. PQIE is positioned at the intersection of post-quantum cryptography and self-sovereign identity. Where traditional DID methods focus on substituting elliptic-curve keys with lattice signatures, our approach re-thinks the entire trust pipeline—from key material to on-chain storage—by insisting that no part of the DID Document ever travels or rests in plaintext.
Digital identity is rapidly shifting from centralized systems to distributed systems, where users control their own credentials. The W3C Decentralized Identifier (DID) specification decouples identifiers from centralized registries by anchoring them in distributed ledgers. Yet most DID methods still rely on elliptic-curve cryptography—susceptible to quantum attacks. Blockchain provides an immutable substrate for storing identity proofs, but quantum readiness remains an open gap.
Blockchains introduce an append-only ledger where every state transition is cryptographically attested. This immutability is attractive to identity systems because it eliminates single points of compromise. However, the transparency of public chains also magnifies privacy risk: metadata correlation attacks can reveal social graphs or user-credential relationships.
Self-Sovereign Identity (SSI) combines DIDs and Verifiable Credentials (VCs) to give individuals agency over how their data are shared. Creating a quantum-resistant SSI stack requires post-quantum key generation, end-to-end encryption, and efficient noise management. PQIE addresses these needs while remaining ledger-independent.
PQIE - is a common method for identities that rely on the implementation of the Post-Quantum Identity Encryption (PQIE) framework. The framework is compatible with any key-value ledger and focuses on ensuring maximum privacy and quantum-resistance using Ring-Learning-With-Errors (Ring-LWE) cryptography.
PQIE’s strategy of encrypting the entire DID Document mitigates this leakage while retaining auditability via on-chain hash pointers.
From an economic perspective the cost of on-chain bytes matters. Lattice ciphertexts can be bulky, but our homomorphic filtering keeps the encrypted DID payload below 2 kB, which costs low over blockchain operations.
| Block | What it does | Minimal implementation detail |
|---|---|---|
| O:User Interface | Captures identity data and initiates “Create DID”. | Web form / mobile app sends JSON to a back-end endpoint. |
| A:Ring-LWE Key Generator | Produces quantum-safe key pair (pk, sk). | • n = 512 • q ≈ 24 577 • σ ≈ 4.0 |
| A:DID Derivation | Converts pk into a standards-compliant DID string. | did:pqie: + base58( SHA-256(pk)[:16] ). |
| A:DID Document Builder | Assembles JSON-LD doc containing: DID, verification keys, services. | Embed pk under verificationMethod[0]. |
| A:PQIE Encryptor | Encrypts the entire DID Document with Ring-LWE KEM. | 1. Generate ephemeral lattice key 2. Derive shared secret SS = KEM(pk) 3. AES-GCM(SS, DID-JSON) ⇒ ciphertext C. |
| B:Homomorphic Noise Filter | Keeps lattice noise small over long sessions. | compute cᵢ’ = (cᵢ mod q/4); set new modulus q←q/4. |
| B:Post-Quantum Signature | Signs ciphertext so verifiers know it came from the controller. | Use PQIE Ring-LWE signature, Attach signature. |
| E:Ledger Writer | Stores ciphertext on any blockchain. | Either as transaction or as pointer |
| F:Resolver Plug-in | Retrieves, decrypts, and verifies. | Fetch on-chain payload P. Decapsulate and Decrypt clear_doc. Signature Verify. Return plaintext DID. |
This diagram shows how a fully quantum-safe digital identity is created, stored, and verified using PQIE and Hyperledger Indy. When someone wants a new DID, they start with their personal details and use a special Ring-LWE algorithm to make a key pair. That DID string is then encrypted into a single blob (ciphertext) and noise is filtered out so the encrypted data stays small and fast. This encrypted DID is placed on a ledger. Later, if anyone needs to look up that DID, they fetch the encrypted blob, use the matching public key to decrypt it, and reveal the real DID.
The process first converts a user’s personal attributes into a suitable polynomial form and adds a small Gaussian “noise” polynomial to mask the underlying data. It then performs the core Ring-LWE encryption and applies a Number-Theoretic Transform (NTT) to enable efficient polynomial operations and manage noise. A nonlinear tanh activation scrambles any remaining linear structure in the transformed coefficients before generating two cryptographic hash digests that together produce a unique token used as the DID suffix. Next, a JSON-LD DID Document is assembled—including the "id", the "verificationMethod", the "authentication" entry, and a "service" endpoint. Finally, this encrypted DID Document is written to a ledger-agnostic storage layer.
2.4.1 Signature generation: When creating a PQIE signature, we compute a single hash value from the encrypted DID data along with the DID string itself. This hash becomes the “digest” that we will sign. To produce the signature, the signer’s secret key and a fresh small random polynomial “y” are used together.
2.4.2 Verification: Resolvers retrieve the encrypted DID Document, decrypt it with the public key, and verify the signature before releasing attributes. In the Ring-LWE KEM Decapsulation step, the resolver uses the DID’s stored public key pk to recover the shared secret.
Starting from a nonce or random seed N, the system first performs an LWE-based randomized signature over the newly generated DID string. Once the DID is signed, the process builds a full JSON-LD DID Document. After assembling the DID Document in JSON form, a ledger-write operation occurs—writing the DID and its encrypted document onto the chosen blockchain via the ledger-agnostic interface, ensuring immutability.
The namestring that shall identify this DID method is: pqie
A DID that uses this method MUST begin with the prefix: did:pqie
The method specific identifier is composed of a primary-hash, secondary-hash, and entropy-suffix.
pqie-did = "did:pqie:" pqie-specific-idstring
pqie-specific-idstring = pqie-identifier
pqie-identifier = 8HEXDIG ":" 8HEXDIG ":" 8HEXDIG
Where HEXDIG = 0-9 / a-f (lowercase hex digits).
did:pqie:5135e697:8b7ecf94:a3f21bc0
did:pqie:a1b2c3d4:e5f60718:9c0dab3e
did:pqie:12345678:90abcdef:1234abcd
Example of DID document of regular identity:
{
"@context": ["https://www.w3.org/ns/did/v1", "https://dixadholakiya.github.io/pqie-did-spec/context.jsonld"],
"id": "did:pqie:5135e697:8b7ecf94:a3f21bc0",
"verificationMethod": [{
"id": "did:pqie:5135e697:8b7ecf94:a3f21bc0#key-1",
"type": "PQIE-RingLWE2024",
"controller": "did:pqie:5135e697:8b7ecf94:a3f21bc0",
"publicKeyLattice": "AAAA...",
"latticeParams": { "n": 512, "q": 24593 }
}],
"authentication": ["did:pqie:5135e697:8b7ecf94:a3f21bc0#key-1"]
}
The pqie did method uses additional JSON-LD types.
The JSON-LD vocabulary is stored in:
https://dixadholakiya.github.io/pqie-did-spec/context.jsonld# publicKeyLattice
(Operational key) and latticeParams types.https://schema.iden3.io/core/jsonld/iden3proofs.jsonld Each identity has a unique DID that is determined by the initial identity state (derived from the base identity attributes). This identifier is called the Genesis ID, under which the initial claims and verification methods are bound.
The creation of the identity (did:pqie) begins by generating a base Kyber-512 keypair ($n=512$,
$q=24593$). For identity attribute binding, the user's underlying claims are lifted into a Ring-LWE
polynomial with injected Gaussian noise (σ=4.0).
The Genesis ID (pqie-identifier) is deterministically constructed by taking the
sha3_512 and blake2b hashes of the public key lattice and appending a 4-byte
random entropy suffix to prevent collisions.
The Genesis Claims, including the raw public key and metadata representation, are encrypted via a Ring-LWE
Key Encapsulation Mechanism (KEM) and AES-GCM into a secure payload known as a Digital Envelope. This
Envelope is pinned to decentralized storage (e.g., IPFS), and its resulting CID is anchored directly on the
ledger (e.g., via an Indy NYM transaction or Ethereum smart contract).
Adding new keys, rotating existing keys, or updating the encrypted claims requires governed state
transitions. The state transition is executed by creating a new Digital Envelope reflecting the updated DID
Document.
To validate the transition without exposing the underlying private keys or plaintext documents, the
controller generates a Post-Quantum Lattice Signature (e.g., using Dilithium) over the new Digital
Envelope's IPFS CID and the previous state root. This signature is verified by the ledger node (or smart
contract) before accepting the state update, ensuring only the exact mathematical owner can transition the
identity state.
When the identity owner explicitly revokes their operational Kyber-512 keys or an assigned governing authority issues a revocation constraint (in the case of on-chain KYC identities), the identity is considered deactivated. A signed lattice transaction is submitted to the registry, appending a revocation flag. A deactivated identity can no longer generate valid Token structures, create proofs, or execute state transitions.
EcdsaSecp256k1RecoveryMethod2020) that relies on the EVM address from which the identity
was originally created.Abstract algorithm for resolving (read operation).
The PQIE resolver is a ledger-agnostic plug-in that fetches the encrypted payload from the storage layer indicated by the DID (e.g., Hyperledger Indy NYM record or IPFS CID pointer), decapsulates the Ring-LWE KEM shared secret, decrypts the DID Document via AES-GCM, and verifies the lattice signature before returning the plaintext DID Document.
PQIE did driver accepts DID in URI format. Currently, we support three URI formats:
did:pqie:5135e697:8b7ecf94:a3f21bc0did:pqie:5135e697:8b7ecf94:a3f21bc0?state=<hex_of_state>did:pqie:5135e697:8b7ecf94:a3f21bc0?gist=<hex_of_gist_state>Each of these formats has a different read algorithm. But they all have a certain common logic of presentation.
Common steps for all formats of DID:
Step 5:
did...#state=<state> Resolve DID document by committed state. In some cases, we
should get historical DID to validate the information that was replaced at the current time.did...#gist=<state> Resolve state by gist state. Identities can exist under a
global state for increased security and anonymity.JSON result description: https://dixadholakiya.github.io/pqie-did-spec/context.jsonld#state-info
Build representation document: After fetching the gist and the user’s state it is possible to build a representation document.
@context: ["https://www.w3.org/ns/did/v1", "https://dixadholakiya.github.io/pqie-did-spec/context.jsonld"] to
this didDocument, add object to this array
{
"@context": ["https://w3id.org/did-resolution/v1"],
"didDocument": {},
"didResolutionMetadata": {},
"didDocumentMetadata": {}
}
A live Universal Resolver-compatible driver for did:pqie is publicly hosted and
conforms to the
W3C DID Resolution specification.
GET https://pqie-resolver-production.up.railway.app/1.0/identifiers/{did}
Replace {did} with any valid did:pqie identifier.
curl https://pqie-resolver-production.up.railway.app/1.0/identifiers/did:pqie:5135e697:8b7ecf94:a3f21bc0
The endpoint returns a fully-compliant application/did+ld+json document including:
didDocument — the W3C DID Document with PQIE-RingLWE2024 verification methodsdidResolutionMetadata — content type, resolver version, and resolved timestampdidDocumentMetadata — creation date, version ID, method name, and deactivation status| Path | Description |
|---|---|
/health | Health check — returns resolver status and timestamp |
/1.0/methods/pqie | Method metadata — crypto suite, syntax, storage back-ends |
/resolve/{did} | Convenience alias for the standard resolution endpoint |
The resolver is open-source and available at
https://github.com/dixadholakiya/pqie-did-spec.
The Docker image is built automatically via Dockerfile in the repository root.
Our DID method prevents forgery and falsification through the usage of Post-Quantum Lattice Signatures (Dilithium) and Ring-LWE Digital Envelopes, such that only the exact mathematical identity owner can issue or present DID-linked credentials. The identity owner can choose to A) Only issue verifiable claims locked under their lattice public key or; B) Issue access tokens utilizing the homomorphic properties of Ring-LWE where specific metadata evaluations are computed directly over the ciphertexts without leaking the raw data. The controller securely signs data transitions, protecting against forgery even against cryptanalytically relevant quantum computers (CRQCs).
Eavesdropping attacks need to be mitigated by the usage of a secure communication channel (secured with TLS or similar means), since we use a message-based communication protocol that is not natively encrypted in transit layers. However, PQIE's "Encrypted-by-Default" architecture wraps the initial and updated DID Document structures in a Digital Envelope (AES-GCM locked by Ring-LWE KEM). As a result, network listeners and passive ledger observers only ever intercept an encrypted IPFS CID payload, providing a secondary robust defense-in-depth against data scraping.
The did:pqie method leverages modern Ring-LWE lattice cryptography. The initial standard uses
Kyber-512 parameters ($n=512$, $q=24593$) for key encapsulation/encryption, mapping variables closely to
NIST’s FIPS 203. For signature authentication, parameter sets corresponding to Dilithium (FIPS 204) are
required to sign the Digital Envelope states. In the future, other post-quantum parameter sets can be
dynamically encoded using the latticeParams object within the DID Document’s verification
method, providing immediate forward compatibility as post-quantum standardized extensions evolve.
The DID method inherently includes support for comprehensive key rotation semantics; however, if the core Kyber lattice secret key ($s$) is compromised, an attacker may generate valid post-quantum signatures to rotate operational keys and thereby hijack the identity state mappings. Controllers SHOULD rigorously store their lattice private keys in hardware-backed security modules (HSM) or mathematically robust Trusted Execution Environments (TEE).
The syntax and construction of the did:pqie DID and its universally distributed Document helps
to ensure that no Personally Identifiable Information (PII) or personal data is exposed over the public
network layer:
Implementers are strongly encouraged to review the following:
A core innovation of the PQIE framework is its natively ledger-agnostic architecture. Because the entirety of the DID Document is encapsulated within a Ring-LWE KEM Digital Envelope before transmission, the resulting cryptographic payload (or its hash pointer) can be securely written to any underlying distributed ledger technology (DLT) or key-value store.
This means did:pqie is not locked to a specific blockchain. The method natively abstracts the
storage layer via a Ledger-Agnostic Interface (Layer E), allowing implementations to anchor identities on:
Verifiers and resolvers simply fetch the on-chain payload via the respective ledger adapter and proceed with standard decapsulation and signature verification, entirely decoupled from the consensus mechanism or tokenomics of the underlying host chain.
Because PQIE is ledger-agnostic, it can plug into diverse Web 3.0 runtimes. DeFi platforms can embed quantum-safe KYC proofs, healthcare networks can share encrypted patient IDs across hospitals, supply-chain consortia can bind tamper-proof product DIDs to digital twins, and metaverse environments can issue long-lived, privacy-preserving avatar credentials.
Ring-LWE hardness is reducible to the worst-case Shortest Vector Problem (SVP) in ideal lattices. We adopt the Kyber-512 core parameters for encryption compatibility, with modulus q = 3329 and polynomial degree n = 256, but expand to n = 512 for signature tightness. The ciphertext modulus is selected as a product of two 14-bit primes, enabling RNS decomposition that aligns with AVX2 vector lanes. Table 2 compares our security margins with Dilithium-III and Falcon-512.
| Scheme | n | q | Quantum Bit-Security |
|---|---|---|---|
| PQIE-Enc | 512 | 24577 | 256 |
| Dilithium-III | 256 | 8380417 | 192 |
| Falcon-512 | 512 | 24593 | 128 |
The core security assumption underpinning PQIE is the Ring Learning With Errors (Ring-LWE) problem over cyclotomic rings $\mathbb{Z}_p[x]/(x^n + 1)$. Recovering the exact secret polynomial $s$ from a generated public sample $b = a \cdot s + e \pmod q$ is mathematically reducible to the Shortest Vector Problem (SVP) in a family of ideal lattices.
This specific construction withstands not only the best known classical lattice reduction attacks (e.g., BKZ algorithm parameters), but is definitively immune to Quantum Fourier-Sampling Attacks (such as Shor's algorithm, which easily factors RSA and solves Discrete Logarithms for Elliptic Curves).
To prevent side-channel leakage across consecutive protocol sessions, PQIE injects specific non-linear distortions during polynomial mapping:
The error polynomial $e(x)$ is meticulously sampled from a zero-centered discrete Gaussian distribution ($\sigma \approx 4.0$). Each individual coefficient $e_i$ is bound heavily between $(-5 \dots +5)$, mathematically ensuring that the initial cryptographic noise remains minimal.
However, during active sessions (especially regarding Verifiable Credentials that rely heavily on zero-knowledge evaluation over ciphertexts), noise inherently grows. PQIE applies an aggressive Homomorphic Noise Filter:
The PQIE infrastructure provides a comprehensive suite of tools for identity management:
did:pqie identifiers.The did:pqie method is fully compatible with the DIDComm Messaging v2 protocol:
X25519KeyAgreementKey2019 for DIDComm envelope encryption if required by legacy systems.
did:pqie document can declare DIDComm messaging transport paths
natively.