Quantum-safe digital credentials with selective disclosure and a public trust registry. Built for regulated digital finance.
Built for regulated digital finance · NIST-standardised post-quantum cryptography · EVM-compatible · Production support for iOS, Android, and institutional HSM enterprise deployments
Simulate Deploy works without a wallet, using purely in-memory chain state. Deploy (Live) requires MetaMask and uses your selected network & account; transactions are broadcast through your wallet (state still tracked in-memory since the contracts aren't pre-deployed).
A regulated authority (a bank, a regulator, a government registrar) issues digital credentials with a post-quantum key. The issuer's identity and the credential's revocation status are anchored on a public trust registry, so any verifier worldwide can confirm both without contacting the issuer's database or moving holder data across borders.
Two post-quantum key pairs: ML-DSA-65 for signing credentials, ML-KEM-768 for the encrypted PII handoff scenario.
Anchors the issuer's public keys to a verifiable chain of authority. Subsequent credentials issued under this DID can be verified against these on-chain keys.
The issuer constructs a credential header containing all of Fatima's claims, builds a Merkle tree of the claim leaves, signs the resulting root with ML-DSA-65.
Each leaf: RPO256(key) ‖ RPO256(value). Tree padded to next power of 2 with domain-separated empty leaves.
Publishes the current Merkle root with a timestamp. Verifiers check this is the issuer's latest authoritative root (revocation-aware).
Fatima Al-Hassan controls her credential and decides what to disclose. She can prove specific claims to a verifier without revealing the others; undisclosed values stay private even from the verifier.
Fatima's credential contains 7 claims. Click each to toggle disclosure - hidden claims stay private, only Merkle paths are revealed.
For each disclosed claim, generate a Merkle inclusion proof against the issuer-signed root. Send proofs + signature to the verifier.
For most regulated identity flows (mDL, EUDIW, this demo), Merkle-inclusion selective disclosure of issuer-signed leaves is the production approach. ZK predicate proofs ("DOB < 2007-01-01" without revealing DOB) are on the roadmap - see How does it work?
The verifier can be another person checking a counterparty's credential in person, a DeFi protocol gating a regulated pool, a centralised exchange running KYC at onboarding, a bank validating a wire counterparty, or any other regulated venue, anywhere in the world. The cryptographic check is the same in every case: validate the issuer's ML-DSA signature, walk the Merkle inclusion proofs for each disclosed claim, read the on-chain trust + revocation state, then grant or deny in milliseconds.
Three checks run in sequence: ML-DSA signature on the credential header, Merkle inclusion proof for each disclosed leaf, on-chain reads for issuer registration and revocation status. Composite outcome determines access.
If the signature, a leaf, or the Merkle root is modified - even by a single bit between Fatima sending and the verifier checking - the verification fails. This is real cryptography, not animation.
After tampering, click Verify Presentation above to see the rejection.
Issuer admin (revocation) and full-KYC scenarios (encrypted PII handoff for cases where selective disclosure isn't sufficient under regulation).
Only the registered issuer of a DID can revoke its credentials - enforced on-chain by the onlyIssuer(did) modifier. A non-issuer transaction reverts. The revocation registry maintains an append-only epoch log for audit.
Connect MetaMask or Simulate Deploy to see transactions...
Where regulation requires full PII to reach the verifier (for example, sophisticated-investor onboarding at a regulated fund) and selective disclosure isn't sufficient: the holder encapsulates a quantum-safe shared secret to the verifier's ML-KEM-768 public key, then encrypts the PII payload with AES-256-GCM. The wire is protected against a future "harvest now, decrypt later" adversary.
The verifier publishes an ML-KEM-768 public key. Holders encrypt PII to this key.
Holder runs (ct, k) ← Encap(pk_v), then encrypts PII with k as AES-256-GCM key.
Verifier runs k ← Decap(sk_v, ct), decrypts PII with AES-256-GCM, runs KYC.
Tampering the ciphertext fails AES-GCM authentication; the verifier rejects the payload.