Dilithium Attest

A quantum-resistant attestation and identity verification system leveraging NIST-standardized post-quantum cryptography.

Why Post-Quantum Cryptography Matters NOW

Dilithium Attest uses Dilithium3 (NIST FIPS 204), one of the first post-quantum signature schemes standardized by NIST in 2024. This ensures your attestations remain cryptographically secure even against future quantum adversaries.

What is Dilithium Attest?

A complete attestation registry system for Know Your Customer (KYC), identity verification, credential management, and compliance documentation. Built from the ground up with quantum-resistant cryptography.

Key Features

• Post-Quantum Secure: Dilithium3 (NIST FIPS 204) signatures resistant to quantum attacks
• Deterministic Encoding: CBOR serialization ensures payload integrity
• Blockchain Anchoring: Ethereum smart contract for immutable timestamp proofs
• CLI Tools: Complete command-line interface for key management, issuance, and verification
• Zero Trust: Cryptographic verification without trusted third parties
• Future-Proof: Ready for the quantum era before it arrives

Architecture

┌─────────────────────────────────────────────────────────────┐
│                     Dilithium Attest                        │
├─────────────────────────────────────────────────────────────┤
│                                                             │
│  ┌──────────────┐      ┌──────────────┐                     │
│  │   Issuer     │      │  Verifier    │                     │
│  │              │      │              │                     │
│  │ Private Key  │      │ Public Key   │                     │
│  └──────┬───────┘      └──────┬───────┘                     │
│         │                     │                             │
│         │ 1. Sign             │ 3. Verify                   │
│         ▼                     ▼                             │
│  ┌─────────────────────────────────────┐                    │
│  │      AttestationEnvelope            │                    │
│  ├─────────────────────────────────────┤                    │
│  │ - payload (base64)                  │                    │
│  │ - signature (base64)                │                    │
│  │ - public_key (base64)               │                    │
│  │ - payload_hash (hex)                │                    │
│  └─────────────┬───────────────────────┘                    │
│                │                                            │
│                │ 2. Anchor                                  │
│                ▼                                            │
│  ┌─────────────────────────────────────┐                    │
│  │   AttestationRegistry.sol           │                    │
│  │   (Ethereum Smart Contract)         │                    │
│  │                                     │                    │
│  │   anchor(bytes32 hash)              │                    │
│  │   getAnchorBlock(bytes32 hash)      │                    │
│  └─────────────────────────────────────┘                    │
│                                                             │
└─────────────────────────────────────────────────────────────┘

Quick Start

Prerequisites

• Rust 1.70+
• Foundry (for smart contract deployment)

Installation

git clone https://github.com/iamyxsh/dilithium-attest.git
cd dilithium-attest
cargo build --release

Generate Keys

cargo run -- keygen --pubkey test.pub --privkey test.key

This generates a Dilithium3 keypair:

• test.pub: Public key (2592 bytes)
• test.key: Private key (4000 bytes)

Issue an Attestation

cargo run -- issue \
  --privkey test.key \
  --pubkey test.pub \
  --issuer "VerifiedKYC Inc." \
  --subject "did:example:alice123" \
  --claim '{"kyc_level":"enhanced","verified_at":"2025-01-15"}' \
  --nonce "random-nonce-12345" \
  --output attestation.json

This creates a signed attestation envelope with:

• Payload: Issuer, subject, claims, issuance time, nonce
• Signature: Dilithium3 signature (3309 bytes)
• Public Key: For verification
• Hash: Keccak256 hash of canonical payload

Verify an Attestation

cargo run -- verify --envelope attestation.json

Output:

Attestation verification: SUCCESS

Verification checks:

1. Dilithium3 signature validity
2. Payload integrity (hash matches)
3. Public key consistency

Anchor to Blockchain

cargo run -- anchor \
  --envelope attestation.json \
  --output anchor_metadata.json

This extracts the payload_hash for blockchain anchoring. Deploy the hash to the AttestationRegistry contract:

registry.anchor(0x<payload_hash>);

Use Cases

Financial Services KYC

Quantum-secure identity attestations for banking and fintech:

cargo run -- issue \
  --issuer "Global Bank KYC" \
  --subject "did:customer:9876543" \
  --claim '{"aml_check":"passed","id_verified":true,"risk_score":12}' \
  --nonce "$(openssl rand -hex 16)"

Benefits:

• Attestations remain valid for decades (quantum-resistant)
• Immutable audit trail on blockchain
• Regulatory compliance ready

Healthcare Identity

HIPAA-compliant patient identity verification:

cargo run -- issue \
  --issuer "Hospital Identity Authority" \
  --subject "did:patient:health-id-456" \
  --claim '{"patient_verified":true,"insurance_validated":true}'

Educational Credentials

Quantum-secure academic transcripts and certifications:

cargo run -- issue \
  --issuer "University Registrar" \
  --subject "did:student:alumni-789" \
  --claim '{"degree":"BS Computer Science","graduation":"2025","gpa":"3.8"}'

Enterprise Access Control

Verifiable employee credentials:

cargo run -- issue \
  --issuer "Corporate IT Security" \
  --subject "did:employee:emp-321" \
  --claim '{"clearance_level":"confidential","role":"engineer","expires":"2026-12-31"}'

Smart Contract Deployment

Local Testing (Anvil)

cd contract
anvil

In another terminal:

forge script script/Deploy.s.sol --rpc-url http://localhost:8545 --broadcast --private-key <PRIVATE_KEY>

Sepolia Testnet

export PRIVATE_KEY=<your_private_key>
forge script script/Deploy.s.sol \
  --rpc-url https://eth-sepolia.g.alchemy.com/v2/<API_KEY> \
  --broadcast \
  --verify

Contract API

anchor(bytes32 hash)

• Anchors an attestation hash to the blockchain
• Only original sender can re-anchor the same hash
• Emits: Anchored(bytes32 indexed hash, address indexed sender, uint256 blockNumber)

getAnchorBlock(bytes32 hash) → uint256

• Returns the most recent block number where the hash was anchored
• Returns 0 if never anchored

anchorHistory(bytes32 hash, uint256 index) → (address, uint256)

• Returns historical anchor records for a hash
• Useful for audit trails

Why Dilithium3?

NIST Standardization

Dilithium was standardized as FIPS 204 by NIST in August 2024 after a rigorous 6-year evaluation process. It's one of only three signature schemes selected for post-quantum standardization.

Technical Details

Cryptographic Components

• Signature Scheme: Dilithium3 (Module-LWE lattice-based)
• Hash Function: Keccak256 (SHA-3)
• Serialization: CBOR (RFC 8949) for deterministic encoding
• Encoding: Base64 for binary data in JSON

Attestation Payload Structure

pub struct AttestationPayload {
    pub issuer: String,
    pub subject: String,
    pub claims: HashMap<String, serde_json::Value>,
    pub issued_at: u64,
    pub nonce: String,
}

Serialized to CBOR for deterministic byte representation, then hashed and signed.

Envelope Structure

pub struct AttestationEnvelope {
    pub payload: String,        // base64(CBOR(payload))
    pub signature: String,      // base64(dilithium_sig)
    pub public_key: String,     // base64(dilithium_pk)
    pub payload_hash: String,   // hex(keccak256(CBOR(payload)))
}

Security Considerations

Key Management

• Private keys (4000 bytes) should be stored encrypted at rest
• Use hardware security modules (HSMs) for production issuers
• Implement key rotation policies (though Dilithium keys are quantum-safe)
• Never reuse nonces for the same issuer

Nonce Requirements

• Must be unique per attestation from the same issuer
• Recommended: 128-bit random nonces (16 bytes hex-encoded)
• Prevents replay attacks and ensures attestation uniqueness

Blockchain Anchoring

• Anchoring is optional but recommended for:
  • Regulatory compliance (immutable audit trail)
  • Timestamp verification (when was this attested?)
  • Non-repudiation (issuer cannot deny creating attestation)
• Hash-only anchoring preserves privacy (claims not on-chain)

Testing

Rust Tests

cargo test --workspace

Runs 23 tests including:

• Dilithium3 signing and verification
• CBOR serialization round-trips
• CLI integration tests
• Keccak256 hashing

Smart Contract Tests

cd contract
forge test -vv

Runs 15 tests including:

• Anchoring and re-anchoring
• Access control (original sender restriction)
• Event emission
• Fuzz tests
• Edge cases (zero hash, max hash)

Roadmap

• Batch verification API for multiple attestations
• DID (Decentralized Identifier) resolution integration
• Revocation registry for invalidating attestations
• Hardware wallet support for key storage
• WebAssembly bindings for browser-based verification
• Threshold signatures (multi-issuer attestations)
• ZK-proof integration for selective disclosure

License

MIT License

References

• NIST FIPS 204 - Dilithium Standard
• Dilithium Specification
• NIST Post-Quantum Cryptography
• Quantum Threat Timeline

Contact

For security issues, please email: security@example.com

---

Start securing your attestations against the quantum future today.