SKH: Lattice-Rooted Anonymous Keys for Quantum-Safe Decentralized Identity

Markus Maiwald · 2026-03-01 · v1
Current self-sovereign identity (SSI) systems face two existential challenges: (1) vulnerability to quantum computing attacks on elliptic curve cryptography, and (2) susceptibility to Sybil attacks in permissionless networks. We introduce the Sovereign Key Helix (SKH), a hierarchical identity architecture that addresses both challenges simultaneously. SKH introduces a lattice-rooted anonymous root key (DNAKey) – an FIPS 204 ML-DSA-65 keypair seeded from a memory-hard Argon2id derivation – that never appears on any wire. From this lattice root, unlinkable Persona seeds are derived via hardened lattice hierarchical derivation [Vadim, 2026], which in turn generate context-separated operational identities (SoulKeys) and ephemeral session keys (SessionKeys) through one-way cryptographic derivation. The architecture provides post-quantum confidentiality via X25519 + FIPS 203 ML-KEM-768 hybrid key encapsulation, with Ed25519 signatures active today and a forward-compatible upgrade path to hybrid Ed25519 + ML-DSA-65 post-quantum signatures. For Sybil resistance, SKH introduces context-scoped nullifiers derived from the pre-keypair Argon2id root, enabling cryptographic uniqueness proofs within specific application contexts without cross-context correlation – with soundness independent of the lattice assumption. We provide game-based security analysis with proof sketches for key derivation indistinguishability, cross-context unlinkability under Module-LWE hardness, session unlinkability, hybrid signature unforgeability, Persona unlinkability, and nullifier soundness. Experimental evaluation on x86-64 demonstrates Ed25519 signing in 86 μs, hybrid KEM in 95 μs, and nullifier derivation in 0.47 μs – with deployment-reality benchmarks against W3C DID, KERI, and AnonCreds showing that SKH’s native implementation achieves competitive performance with strictly superior security properties.
To our knowledge, SKH is the first SSI architecture to simultaneously achieve a post-quantum lattice root, Sybil resistance through cryptographic design, persona-level unlinkability, and context-separated identity without blockchain dependency.

Keywords: self-sovereign identity, post-quantum cryptography, lattice-based key derivation, ML-DSA-65, Sybil resistance, decentralized identity, context-scoped nullifiers, persona unlinkability

Terminology and Notation Reference

Architecture Terminology

Term | Definition
---- | ----------
SKH | Sovereign Key Helix – the identity architecture presented in this paper
DNAKey (Tier 0) | Lattice-rooted anonymous root: ML-DSA-65 keypair + Argon2id root seed. Never on wire
Persona (Tier 1) | Unlinkable life-context seed derived from DNAKey via lattice HD
SoulKey (Tier 2) | Context-separated operational identity (Ed25519 + X25519 + ML-KEM-768)
SessionKey (Tier 3) | Ephemeral per-interaction keypair; CSPRNG-generated, not derived
Root seed | 256-bit Argon2id output; seeds ML-DSA-65 keygen and nullifier derivation
Nullifier | Context-scoped BLAKE3 hash; Sybil-unique proof without identity reveal
Entropy stamp | Proof-of-cost token (Argon2id, 2 MiB); anti-spam for identity creation
Pre-rotation | Commitment to next public key at creation; prevents post-compromise rotation
Kenya Rule | 50 MB RAM budget for inclusive deployment on low-end devices
did:skh1 | DID method; gossip-based key event resolution (no blockchain)
QVL | Quasar Vector Lattice – weighted trust graph for reputation gating

Mathematical Notation

Symbol | Meaning
------ | -------
$\lambda$ | Security parameter (128 bits)
$\mathcal{A}$ | Probabilistic polynomial-time (PPT) adversary
$\mathrm{negl}(\lambda)$ | Negligible function in $\lambda$
$\mathrm{Adv}^{X}_{\mathcal{A}}(\lambda)$ | Adversary’s advantage in security game $X$
$\|$ | Concatenation
$\mathrm{HKDF}(k, s, \ell)$ | HMAC-based key derivation (Extract + Expand)
$\mathrm{BLAKE3}(m)$ | BLAKE3 hash (256-bit output)
ML-DSA-65 | FIPS 204 ML-DSA-65 (lattice digital signature)
ML-KEM-768 | FIPS 203 ML-KEM-768 (lattice key encapsulation)
MLWE | Module Learning With Errors (lattice hardness assumption)
$\mathrm{PersonaDerive}(d, i, c)$ | Lattice HD from DNAKey $d$, index $i$, context $c$
$\mathrm{SoulDerive}(p, c)$ | HKDF-BLAKE3 from Persona seed $p$, context $c$
$\mathrm{Nullify}(d, s)$ | $\mathrm{BLAKE3}(d.\mathit{root} \,\|\, d.\mathit{salt} \,\|\, \texttt{"skh1:null:"} \,\|\, s)$

1. Introduction

1.1 Motivation

The migration to post-quantum cryptography (PQC) represents one of the most significant cryptographic transitions in computing history. NIST’s 2024 standardization of ML-KEM [Standards, 2024] and ML-DSA [Standards, 2024] (formerly Kyber and Dilithium) provides the foundation for quantum-resistant algorithms, but identity systems face unique challenges in this transition. Simultaneously, decentralized networks continue to struggle with Sybil attacks – where adversaries create multiple identities to gain disproportionate influence – a problem that remains unsolved at scale [Douceur, 2002].

Self-sovereign identity (SSI) systems [Allen, 2016], which aim to give individuals control over their digital identities without centralized authorities, are particularly affected by both challenges. Current SSI architectures either: (a) rely on pre-quantum elliptic curve cryptography, (b) expose correlatable identifiers across interactions, or (c) depend on blockchain-based registration that introduces centralization risks.

1.2 Gap Analysis

W3C DID/VC [Sporny, 2022][Sporny, 2022] provides flexible identity frameworks but lacks native post-quantum support and often relies on blockchain anchoring (did:ion, did:ethr) or trusted web servers (did:web). The single-layer identity model exposes the root of trust as the identifier itself, enabling correlation attacks.

KERI [Smith, 2021] achieves ambient verifiability without blockchains through Key Event Logs (KELs) and witness networks but uses correlatable Autonomic Identifiers (AIDs) that persist across all interactions. KERI lacks built-in context separation – every interaction uses the same identifier, enabling tracking across contexts. Post-quantum extensions remain unspecified.

Hyperledger AnonCreds [Foundation, 2023] provides sophisticated selective disclosure via Camenisch–Lysyanskaya signatures [Camenisch, 2004] but relies on pairing-friendly curves (BLS12-381) that are not post-quantum secure and depends on Indy blockchain infrastructure.

The Gap: No existing SSI architecture combines: (1) post-quantum security, (2) anonymous root keys with hierarchical derivation, (3) context-separated operational identities, and (4) Sybil resistance without trusted registration authorities. We survey 30+ systems in Section 7 and confirm this gap exhaustively.

1.3 Our Approach

The Sovereign Key Helix (SKH) introduces a hierarchical key architecture with four logical tiers:

  • Tier 0 (DNAKey): Anonymous lattice root – an ML-DSA-65 [Standards, 2024] keypair seeded from memory-hard Argon2id [Biryukov, 2016] key derivation. Never appears on any wire, in any protocol message, or in any DID document. Stored exclusively in hardware enclaves or cold vaults. The pre-keypair Argon2id output is preserved as the root seed for nullifier derivation and mnemonic recovery.

  • Tier 1 (Persona): Unlinkable persona seeds derived from the DNAKey via hardened lattice hierarchical derivation [Vadim, 2026] (Construction 1). Each persona represents a distinct life context (citizen, pseudonym, financial). Unlinkability is proven under the Module-LWE assumption – a structural guarantee, not merely computational.

  • Tier 2 (SoulKey): Context-separated operational identity derived deterministically from a Persona seed via SLIP-0010 [SatoshiLabs, 2016] (Ed25519, hardened) and HKDF-BLAKE3 [Krawczyk, 2010][O'Connor, 2020] (post-quantum components). Each context receives a distinct SoulKey with independent cryptographic material. Rotatable via pre-rotation commitments.

  • Tier 3 (SessionKey): Fresh ephemeral keypair per interaction, generated from CSPRNG (not derived from SoulKey). Delegation certificates link SessionKeys to SoulKeys without revealing which SoulKey.

Cryptographic envelope. The architecture is designed for phased post-quantum migration with a lattice root from genesis. The DNAKey is an ML-DSA-65 lattice keypair, providing a post-quantum signing root that can produce quantum-resistant signatures for recovery ceremonies and internal authority tokens (subject to strict wire: false constraints). Key encapsulation uses hybrid X25519 [Bernstein, 2006] + ML-KEM-768 [Standards, 2024], providing post-quantum confidentiality today. Signatures use Ed25519 [Bernstein, 2012] in the current deployment, with the architecture supporting a forward-compatible upgrade to hybrid Ed25519 + ML-DSA-65 signatures at the SoulKey level. The SoulKey data structure reserves space for ML-DSA-65 key material from genesis, ensuring DID stability across the transition. Either algorithm family can fail independently; the system degrades gracefully.

Sybil resistance. Context-scoped nullifiers derived via $\mathrm{BLAKE3}(\mathit{root\_seed} \,\|\, \mathit{salt} \,\|\, \mathit{scope\_id})$ – where $\mathit{root\_seed}$ is the pre-keypair Argon2id output – provide cryptographic uniqueness proofs per application context, combined with weighted trust graph reputation gating and proof-of-cost tokens. Crucially, nullifier soundness is independent of the lattice assumption; it holds under BLAKE3 collision resistance alone.

1.4 Contributions

  1. First lattice-rooted SSI architecture combining a post-quantum ML-DSA-65 anonymous root, hierarchical identity, and Sybil resistance in a decentralized, non-blockchain SSI stack (validated by exhaustive survey of 30+ systems).

  2. Four-tier anonymity gradient (DNAKey → Persona → SoulKey → SessionKey) with provable unlinkability between tiers via game-based security reductions under Module-LWE and PRF assumptions (Section 5).

  3. Persona-layer unlinkability via lattice hierarchical derivation [Vadim, 2026], reducing cross-persona correlation to the Module-LWE hardness assumption – a structural guarantee stronger than PRF-based derivation alone.

  4. Context-scoped nullifier mechanism for privacy-preserving Sybil resistance without cross-context correlation, with soundness independent of the lattice assumption (Section 6).

  5. Financial key separation doctrine enabling independent threat modeling for value storage versus identity management (Section 9).

  6. Experimental evaluation with microbenchmarks and comparative analysis against W3C DID, KERI, and AnonCreds on real hardware (Section 8).

2.1 W3C Decentralized Identifiers

The W3C DID specification [Sporny, 2022] provides a standardized framework for self-sovereign identity but leaves cryptographic implementation to individual DID methods. Most production methods (did:ethr, did:ion) rely on blockchain anchoring, introducing availability dependencies and potential censorship vectors. The did:key method provides true decentralization but lacks persistence and key rotation capabilities.

Critically, W3C DID has no concept of an anonymous root key. The DID is the identifier used in all interactions, making correlation trivial without additional privacy layers (e.g., BBS+ signatures [Boneh, 2004][Pointcheval, 2016]) that add complexity and often rely on pairing curves incompatible with post-quantum security.

2.2 KERI

KERI [Smith, 2021] achieves decentralized identity without blockchains through Key Event Logs and witness networks. Pre-rotation commitments prevent unauthorized key changes even if current keys are compromised – a technique SKH adopts.

However, KERI’s AIDs are deterministically derived from the initial public key and persist across all interactions. While cryptographically secure, this creates perfect correlation: every interaction by an entity can be linked to every other interaction. KERI provides no context separation and no unlinkability from the root.

2.3 Anonymous Credentials

Idemix and CL-signatures. Camenisch and Lysyanskaya [Camenisch, 2004][Camenisch, 2002] introduced anonymous credentials where the master secret never appears in presentations – the strongest existing notion of anonymous root keys. However, CL-signatures rely on RSA/pairing assumptions that are not post-quantum secure. Coconut credentials [Sonnino, 2019] extend this with threshold issuance but inherit the pairing dependency. None of these systems provide Sybil resistance or context separation at the identity architecture level.

Semaphore and RLN. The closest prior art to SKH’s nullifier mechanism is Semaphore [Foundation, 2020], which introduced hash-based nullifiers – $H(\mathit{identity\_secret}, \mathit{external\_nullifier})$ – enabling anonymous signaling with per-context uniqueness within Ethereum-anchored identity groups. RLN [WhiteHat, 2022] extends this with epoch-based rate limiting and economic slashing via secret reconstruction. SKH inherits the core nullifier pattern from this lineage but diverges architecturally in several dimensions. First, SKH’s nullifier secret is not a flat keypair but a hierarchical DNAKey that generates unlimited context-separated SoulKeys via one-way derivation – making context separation an intrinsic property of the identity architecture rather than an application-managed parameter. Second, SKH replaces Groth16 [Groth, 2016] (which relies on BN254 pairings vulnerable to Shor’s algorithm [Shor, 1997]) with FRI-based STARKs [Ben-Sasson, 2018], achieving post-quantum safety and eliminating the trusted setup ceremony. Third, SKH requires no blockchain anchoring; identity commitments propagate via gossip-based key event resolution. Finally, SKH layers nullifier uniqueness with weighted trust graph reputation, proof-of-cost tokens, and behavioral admission control. The tradeoff is proof size: STARK proofs (45–200 KB) are orders of magnitude larger than Groth16 (~128 bytes), though recursive composition [Kothapalli, 2022][Bowe, 2020] targets 2–5 KB in production.

Distinguishing SKH from hypothetical extensions. A hypothetical migration of Semaphore to STARK-based proofs would address the post-quantum gap but would retain Ethereum dependency for identity group management. Similarly, post-hoc addition of ML-DSA signatures to KERI would not provide context separation or anonymous root keys. SKH’s contribution is the elimination of all blockchain anchoring while maintaining cryptographic Sybil resistance in a context-separated, hierarchical identity architecture – the combination of non-blockchain architecture with post-quantum key exchange, anonymous root keys, and context-scoped nullifiers is, to our knowledge, novel.

2.4 Post-Quantum Identity Proposals

Recent work on quantum-safe digital identity has focused primarily on signature scheme replacement – migrating from ECDSA to ML-DSA or Falcon within existing identity frameworks. These proposals address the cryptographic primitive level but do not address architectural questions of identity hierarchy, correlation resistance, or Sybil resistance. The NIST PQ standards [Standards, 2024][Standards, 2024][Standards, 2024] provide the algorithmic foundation; SKH provides the architectural framework. Hybrid key exchange has been studied extensively [Stebila, 2017][Bindel, 2019][Schwabe, 2020] in the context of TLS; SKH applies hybrid principles to identity rather than transport.

Most recently, lattice-based hierarchical deterministic key derivation [Vadim, 2026] provides formal unlinkability proofs for child keys derived from lattice parent keys under Module-LWE. SKH adopts this construction (Construction 1) for Persona derivation from the ML-DSA-65 DNAKey, gaining provable unlinkability under a structural lattice assumption rather than a PRF assumption on hash functions. To our knowledge, SKH is the first identity architecture to use lattice HD as the derivation mechanism between an anonymous root and operational identities.

2.5 Sybil-Resistant Systems

Sybil resistance mechanisms fall into several categories [Douceur, 2002]: resource testing (proof-of-work), trusted certification (government IDs, biometrics), social graph analysis [Cao, 2012], and economic cost. Worldcoin [Foundation, 2023] achieves strong Sybil resistance via iris biometrics but requires a centralized biometric oracle. BrightID [Stallard, 2019] uses social graph verification parties. Proof of Humanity [Cooperative, 2021] combines video submissions with vouching. All existing Sybil-resistant systems either require blockchain anchoring, centralized trust anchors (biometric oracles, verification committees), or sacrifice user anonymity. SKH combines cryptographic uniqueness (nullifiers), economic cost (proof-of-cost tokens), and social graph reputation – without centralized trust or blockchain dependency.

2.6 Hierarchical Identity and Group Signatures

Hierarchical identity-based encryption [Boneh, 2001][Horwitz, 2002][Gentry, 2002] and group signatures [Chaum, 1991][Bellare, 2003] provide relevant architectural inspiration. HIBE allows key delegation in a hierarchy; group signatures allow anonymous authentication within a group. SKH differs from both: HIBE delegates decryption capability (not identity derivation), and group signatures require a group manager (trusted authority). SKH’s hierarchy is self-sovereign – no authority controls the derivation tree. Linkable ring signatures [Liu, 2004] share the notion of linkability within a scope; SKH’s nullifiers achieve a similar property through hash-based derivation rather than algebraic structure.

3. Threat Model

3.1 Adversary Capabilities

We consider five adversary classes:

Passive Observer ($\mathcal{A}_\mathrm{obs}$). Observes all wire traffic; attempts correlation and traffic analysis. Cannot decrypt or modify messages.

Active Network Attacker ($\mathcal{A}_\mathrm{net}$). Intercepts, modifies, replays, and injects messages. Controls network segments but not endpoints.

Compromised Endpoint ($\mathcal{A}_\mathrm{end}$). Gains access to a device’s SoulKey (Tier 2) but not the DNAKey (Tier 0) or mnemonic backup.

Quantum Adversary ($\mathcal{A}_\mathrm{Q}$). Possesses a cryptographically relevant quantum computer (CRQC) capable of running Shor’s algorithm against elliptic curve discrete logarithms.

Sybil Operator ($\mathcal{A}_\mathrm{syb}$). Can generate unlimited DNAKeys and SoulKeys, attempting to gain disproportionate influence in voting, markets, or resource allocation.

3.2 Security Goals

G1 – Unlinkability. Given two protocol interactions, $\mathcal{A}_\mathrm{obs}$ cannot determine whether they originate from the same DNAKey with advantage better than $\mathrm{negl}(\lambda)$.

G2 – Post-Quantum Security. Even with a CRQC, $\mathcal{A}_\mathrm{Q}$ cannot forge signatures, decrypt past communications, or derive DNAKeys from public information.

G3 – Sybil Resistance. The economic and computational cost of creating $n$ independent identities that pass reputation gating scales superlinearly with $n$.

G4 – Forward Secrecy. Compromise of current keys does not compromise past communications or pre-rotated future keys.

G5 – Financial Compartmentalization. Compromise of the DNAKey (Tier 0) MUST NOT compromise financial keys derived from an independent BIP-39 seed. That is, $\mathcal{A}_\mathrm{end}$ who obtains $\mathit{sk}_{\text{ML-DSA-65}}$ and $\mathit{root\_seed}$ gains zero advantage in recovering financial private keys generated from an independent entropy source.

3.3 Trust Assumptions

  • Hardware enclaves: DNAKey generation assumes honest hardware (TPM, Secure Enclave, TrustZone) during initial creation.
  • CSPRNG: The system’s random number generator produces unpredictable output.
  • BLAKE3: Provides pre-image resistance, second pre-image resistance, and collision resistance with 128-bit post-quantum security [O'Connor, 2020].
  • Argon2id: Memory-hard KDF parameters are sufficient to prevent GPU/ASIC brute force at the configured cost [Biryukov, 2016].

4. SKH Architecture

4.1 Design Principles

Separation of concerns. Routing (L0), identity verification (L1), and governance/policy (L2) operate at distinct layers with minimal coupling.

Mechanism over policy. The gossip-based routing protocol provides no policy enforcement – it only finds paths. Policy enforcement occurs at the identity layer (admission control) and above.

Exit is default. Users can always generate new DNAKeys and migrate. No recovery mechanisms that create backdoors.

Ceremony agnosticism. The protocol provides typed mechanisms – nullifier primitives, citizenship tier interfaces, trust graph infrastructure – without embedding specific verification ceremonies. How humans transition between citizenship tiers is governance policy, not protocol architecture (Section 9.5).

4.2 Tier 0: DNAKey (Lattice-Rooted Anonymous Root)

The DNAKey is the lattice-rooted foundation of cryptographic identity. Generation proceeds in two stages:

$$\mathit{root\_seed} = \mathrm{Argon2id}\!\left(\mathit{entropy},\; \mathit{salt},\; t{=}3,\; m{=}64\,\text{MiB},\; p{=}4\right)$$
$$(\mathit{pk}_{\text{ML-DSA-65}},\; \mathit{sk}_{\text{ML-DSA-65}}) = \text{ML-DSA-65}.\mathrm{KGen}(\mathit{root\_seed})$$

where $\mathit{entropy} \in \{0,1\}^{\geq 256}$ and $\mathit{salt} \in \{0,1\}^{128}$. The $\mathit{root\_seed}$ is the 256-bit Argon2id output that seeds the ML-DSA-65 [Standards, 2024] lattice keypair generation. Crucially, the $\mathit{root\_seed}$ is retained alongside the lattice keypair: it serves as the nullifier derivation input (Section 6), decoupling nullifier soundness from the lattice assumption.

Deterministic key generation. FIPS 204 [Standards, 2024] specifies randomized key generation for ML-DSA-65, where the internal CSPRNG provides fresh randomness. SKH instantiates $\text{ML-DSA-65}.\mathrm{KGen}$ deterministically by replacing the internal random byte source with $\mathrm{SHAKE256}(\mathit{root\_seed})$ used as an extensible output function (XOF), following the paradigm of deterministic ECDSA (RFC 6979). This ensures that given the same $\mathit{root\_seed}$, the identical ML-DSA-65 keypair is reproduced – a prerequisite for mnemonic recovery. The ML-DSA-65 security proof under Module-LWE is unaffected: the reduction treats key generation randomness as given (i.e., the keypair is sampled honestly), not as a property of the randomness source. Deterministic instantiation changes the source from a CSPRNG to a KDF output, which is indistinguishable from random under the PRF security of SHAKE256.

The DNAKey is a lattice keypair, not a symmetric seed. This upgrade from the v1 architecture [Vadim, 2026] enables three capabilities: (1) the DNAKey can produce quantum-resistant ML-DSA-65 signatures for recovery ceremonies and internal authority tokens (subject to strict wire: false constraints); (2) Persona derivation uses hardened lattice HD (Section 4.3), providing unlinkability under Module-LWE rather than PRF security alone; (3) the Argon2id memory-hard layer is preserved – GPU/ASIC brute-force resistance is unchanged.

Recovery: BIP-39 [Palatinus, 2013] mnemonic (24 words) or SLIP-39 [SatoshiLabs, 2019] Shamir split-custody. The mnemonic backs up the Argon2id entropy; re-derivation reconstructs $\mathit{root\_seed}$ and subsequently the ML-DSA-65 keypair deterministically.

Storage: Hardware security enclave (ARM TrustZone, Apple Secure Enclave, TPM 2.0), encrypted cold storage, or mnemonic backup.

Critical invariant: Neither the $\mathit{root\_seed}$ nor the ML-DSA-65 secret key $\mathit{sk}_{\text{ML-DSA-65}}$ may be stored in plaintext, transmitted over any network, or serialized in any wire format. Compiler-enforced wire: false attributes ensure this at build time in the reference implementation. The ML-DSA-65 public key $\mathit{pk}_{\text{ML-DSA-65}}$ is similarly wire: false – it is used only for internal Persona derivation verification, never as a network identifier.

Death semantics: If the DNAKey (either $\mathit{root\_seed}$ or $\mathit{sk}_{\text{ML-DSA-65}}$) is compromised, the identity is cryptographically dead. No recovery mechanism exists – by design. Recovery would require trusted third parties, creating systemic backdoors.

4.3 Tier 1: Persona (Unlinkable Life Context)

The Persona layer mediates between the lattice-rooted DNAKey and the operational SoulKeys. Each Persona represents a distinct life context – citizen identity, pseudonymous activity, financial operations – and is provably unlinkable across contexts under the Module-LWE hardness assumption.

$$\mathit{persona\_seed}_i = \mathrm{PersonaDerive}\!\left(\mathit{sk}_{\text{ML-DSA-65}},\; i,\; \mathit{ctx}\right)$$

where $\mathrm{PersonaDerive}$ denotes the hardened lattice hierarchical derivation (Lattice HD) of [Vadim, 2026] (Construction 1). The derivation produces a 256-bit Persona seed that is computationally independent of all other Persona seeds derived from the same DNAKey – this independence holds under Module-LWE, which is a structural assumption on the lattice, not merely a computational PRF assumption.

Architectural role. The Persona layer serves three functions. First, it provides a clean separation between the lattice root (which carries quantum-resistant signing capability) and the operational identity layer (which uses application-specific key types). Second, it enables the derivation of an unlimited number of unlinkable identity contexts from a single DNAKey. Third, it provides a natural compartmentalization boundary: compromise of a Persona seed exposes only that context, not sibling Personas or the DNAKey.

Financial Persona. For cryptocurrency and financial operations, implementations SHOULD use an independent BIP-39 [Palatinus, 2013] seed rather than deriving financial keys from the DNAKey. The threat model for value storage differs from identity: compromise of the identity hierarchy MUST NOT compromise financial assets. Implementations MAY offer a convenience mode where the financial seed is derived from the DNAKey via Lattice HD, but this mode MUST carry an explicit warning regarding single-root risk. Financial key derivation within the independent seed uses standard BIP-32 [Wuille, 2012] hardened paths for wallet compatibility.

[Figure 1: four-tier key hierarchy diagram showing DNAKey at top, Persona seeds at tier 1, SoulKeys at tier 2, and SessionKeys at tier 3]
Figure 1: SKH four-tier key hierarchy. DNAKey (Tier 0) is an ML-DSA-65 lattice keypair that derives unlinkable Persona seeds (Tier 1) via hardened lattice HD. Each Persona generates context-separated SoulKeys (Tier 2) via SLIP-0010 and HKDF-BLAKE3. SessionKeys (Tier 3) are CSPRNG-generated (not derived) and linked via encrypted delegation certificates. Arrows indicate cryptographic derivation or delegation; no reverse computation is feasible. Cross-persona unlinkability is proven under Module-LWE.

4.4 Tier 2: SoulKey (Context-Separated Identity)

SoulKeys are derived deterministically from a Persona seed via two complementary mechanisms:

$$\mathit{soul\_ed} = \mathrm{SLIP\text{-}0010}\!\left(\mathit{persona\_seed},\; \texttt{"m/44'/666'/0'/0'/0'"}\right)$$
$$\mathit{soul\_pq} = \mathrm{HKDF}\!\left(\mathit{persona\_seed},\; \mathit{salt},\; \texttt{"skh1:pq:"} \,\|\, \mathit{prim}\right)$$

SLIP-0010 [SatoshiLabs, 2016] provides hardened Ed25519 derivation with proven path independence. The derivation path uses coin type $666'$, which is not registered in SLIP-44. Implementations MUST NOT reuse this path for financial key derivation (Section 9.2). A SLIP-44 registration is pending. HKDF-BLAKE3 [Krawczyk, 2010][O'Connor, 2020] derives post-quantum key material (ML-DSA-65, ML-KEM-768) from the Persona seed with explicit primitive labels.

From the Persona seed, four keypairs are generated deterministically. The current deployment generates three active keypairs with a reserved slot for future PQ signature activation:

  1. Ed25519: Classical signing $(\mathit{sk}_\mathrm{Ed}, \mathit{pk}_\mathrm{Ed})$ via SLIP-0010 – always active.
  2. X25519: Classical key exchange $(\mathit{sk}_\mathrm{X}, \mathit{pk}_\mathrm{X})$ derived from Ed25519 per RFC 7748 – always active.
  3. ML-KEM-768: Post-quantum key encapsulation $(\mathit{sk}_\mathrm{ML}, \mathit{pk}_\mathrm{ML})$ via HKDF-BLAKE3 – always active.
  4. ML-DSA-65: Post-quantum signing $(\mathit{sk}_\mathrm{Dil}, \mathit{pk}_\mathrm{Dil})$ via HKDF-BLAKE3 – generated from genesis, with signature verification activated when the PQ signature upgrade path is enabled. The ML-DSA-65 keypair is generated at SoulKey creation, seeded deterministically from the Persona seed. The DID commits to both real public keys from genesis. Activation refers to the point at which verifiers begin requiring ML-DSA-65 signatures in the AND-composition – it is a signature verification policy change, not a key generation event. Pre-Phase-5 implementations where liboqs is unavailable MAY zero the ML-DSA-65 component, producing a migration-artifact DID that will differ from the post-Phase-5 DID for the same Ed25519 component.

DID generation:

$$\mathit{did} = \texttt{"did:skh1:"} \,\|\, \mathrm{base32lower}\!\left(\mathrm{BLAKE3}(\mathit{pk}_\mathrm{Ed} \,\|\, \mathit{pk}_\mathrm{Dil})\right)$$

In pre-Phase-5 deployments where liboqs is unavailable, $\mathit{pk}_\mathrm{Dil}$ may be zeroed; such DIDs are treated as migration artifacts. The reference implementation in the Janus application layer uses a simplified $\mathrm{BLAKE3}(\mathit{pk}_\mathrm{Ed})$ derivation as a deployment convenience when ML-DSA-65 is not yet available; the canonical method uses the full hybrid hash. See Appendix A.

Pre-rotation. At creation, commit $\mathit{pre\_rot\_hash} = \mathrm{BLAKE3}(\mathit{next\_pk}_\mathrm{Ed} \,\|\, \mathit{next\_pk}_\mathrm{Dil})$. An attacker who compromises the current SoulKey cannot rotate – the next key was committed before compromise.

4.5 Tier 3: SessionKey (Ephemeral)

SessionKeys are not derived from SoulKeys – they are fresh Ed25519 keypairs from CSPRNG. This ensures zero mathematical linkage.

Delegation certificate. The SoulKey signs a certificate binding the SessionKey to specific capabilities and a time window. This certificate is encrypted to the verifier using Hybrid KEM (see below).

Unlinkability. An observer seeing two SessionKeyBundles sees only random 32-byte public keys, ephemeral X25519 values, and opaque ML-KEM ciphertexts. No correlation is mathematically possible without breaking the underlying cryptographic assumptions.

4.6 Hybrid Post-Quantum Cryptography

Hybrid signatures (Algorithm 1). The signature scheme supports two modes: Ed25519-only (current deployment) and hybrid (PQ upgrade path). In hybrid mode, every authentication requires both Ed25519 and ML-DSA-65 signatures via AND-composition: verifiers accept only if all present signatures verify. The wire format encodes an explicit presence flag ($f$), enabling graceful transition without breaking existing verifiers.

Algorithm 1: Hybrid Sign / Verify (Phased)

Function HybridSign($m, \mathit{sk}_\mathrm{Ed}, \mathit{sk}_\mathrm{Dil}, f$):

  1. $\sigma_\mathrm{Ed} \leftarrow \mathrm{Sign}_\mathrm{Ed}(\mathit{sk}_\mathrm{Ed}, m)$ — 64 B
  2. if $f = 1$ then $\sigma_\mathrm{Dil} \leftarrow \mathrm{Sign}_\mathrm{Dil}(\mathit{sk}_\mathrm{Dil}, m)$ — 3,309 B
  3. else $\sigma_\mathrm{Dil} \leftarrow \bot$
  4. return $(\sigma_\mathrm{Ed}, f, \sigma_\mathrm{Dil})$ — 65 B or 3,374 B

Function HybridVerify($m, (\sigma_\mathrm{Ed}, f, \sigma_\mathrm{Dil}), \mathit{pk}_\mathrm{Ed}, \mathit{pk}_\mathrm{Dil}$):

  1. $r \leftarrow \mathrm{Vfy}_\mathrm{Ed}(\mathit{pk}_\mathrm{Ed}, m, \sigma_\mathrm{Ed})$
  2. if $f = 1$ then $r \leftarrow r \;\wedge\; \mathrm{Vfy}_\mathrm{Dil}(\mathit{pk}_\mathrm{Dil}, m, \sigma_\mathrm{Dil})$
  3. return $r$
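An added illustration of Algorithm 1's wire format and verification policy (not the paper's implementation): keyed-hash stand-ins replace Ed25519 and ML-DSA-65 so it runs on the Python stdlib alone, and the `hybrid_mode` switch is this example's name for the hybrid-mode rule that every authentication must carry both signatures.

```python
import hashlib
import hmac
from typing import Callable, Optional

ED_SIG_LEN = 64      # Ed25519 signature
DIL_SIG_LEN = 3309   # FIPS 204 ML-DSA-65 signature
FLAG_ED_ONLY, FLAG_HYBRID = 0, 1


def encode_hybrid_sig(sig_ed: bytes, f: int, sig_dil: Optional[bytes]) -> bytes:
    """(sigma_Ed, f, sigma_Dil) on the wire: 64 B || 1 B flag || 3,309 B when f = 1.
    Total is 65 B or 3,374 B, as in Algorithm 1."""
    if len(sig_ed) != ED_SIG_LEN:
        raise ValueError("Ed25519 signature must be 64 B")
    if f == FLAG_ED_ONLY:
        if sig_dil is not None:
            raise ValueError("f = 0 carries no ML-DSA-65 signature")
        return sig_ed + bytes([FLAG_ED_ONLY])
    if f == FLAG_HYBRID:
        if sig_dil is None or len(sig_dil) != DIL_SIG_LEN:
            raise ValueError("ML-DSA-65 signature must be 3,309 B")
        return sig_ed + bytes([FLAG_HYBRID]) + sig_dil
    raise ValueError("unknown presence flag")


def decode_hybrid_sig(wire: bytes):
    """Strict inverse: the flag alone fixes the length; no trailing or missing bytes."""
    if len(wire) < ED_SIG_LEN + 1:
        raise ValueError("truncated signature bundle")
    sig_ed, f, rest = wire[:ED_SIG_LEN], wire[ED_SIG_LEN], wire[ED_SIG_LEN + 1:]
    if f == FLAG_ED_ONLY and not rest:
        return sig_ed, f, None
    if f == FLAG_HYBRID and len(rest) == DIL_SIG_LEN:
        return sig_ed, f, rest
    raise ValueError("presence flag does not match bundle length")


Signer = Callable[[bytes, bytes], bytes]          # (sk, msg) -> sig
Verifier = Callable[[bytes, bytes, bytes], bool]  # (pk, msg, sig) -> bool


def hybrid_sign(msg: bytes, sk_ed: bytes, sk_dil: bytes, f: int,
                sign_ed: Signer, sign_dil: Signer) -> bytes:
    sig_ed = sign_ed(sk_ed, msg)
    sig_dil = sign_dil(sk_dil, msg) if f == FLAG_HYBRID else None
    return encode_hybrid_sig(sig_ed, f, sig_dil)


def hybrid_verify(msg: bytes, wire: bytes, pk_ed: bytes, pk_dil: bytes,
                  verify_ed: Verifier, verify_dil: Verifier, hybrid_mode: bool = False) -> bool:
    """AND-composition: every signature present must verify. hybrid_mode=True is the
    paper's hybrid mode, where both signatures are required, so an f = 0 bundle is
    rejected instead of being checked on Ed25519 alone."""
    try:
        sig_ed, f, sig_dil = decode_hybrid_sig(wire)
    except ValueError:
        return False
    if hybrid_mode and f != FLAG_HYBRID:
        return False
    ok = verify_ed(pk_ed, msg, sig_ed)
    if f == FLAG_HYBRID:
        ok = ok and verify_dil(pk_dil, msg, sig_dil)
    return ok


# Keyed-hash stand-ins so the block needs only the stdlib. They are MACs, not signatures
# (the verifier holds the signer's key); they exist only to exercise format and policy.
def standin_sign_ed(sk: bytes, msg: bytes) -> bytes:
    return hmac.new(sk, msg, hashlib.sha512).digest()            # 64 B, like Ed25519


def standin_verify_ed(pk: bytes, msg: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(standin_sign_ed(pk, msg), sig)


def standin_sign_dil(sk: bytes, msg: bytes) -> bytes:
    return hashlib.shake_256(sk + msg).digest(DIL_SIG_LEN)        # 3,309 B, like ML-DSA-65


def standin_verify_dil(pk: bytes, msg: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(standin_sign_dil(pk, msg), sig)


def demo() -> dict:
    msg, k_ed, k_dil = b"skh1 delegation certificate (constructed)", b"E" * 32, b"D" * 32
    ver = dict(verify_ed=standin_verify_ed, verify_dil=standin_verify_dil)
    ed_only = hybrid_sign(msg, k_ed, k_dil, FLAG_ED_ONLY, standin_sign_ed, standin_sign_dil)
    hybrid = hybrid_sign(msg, k_ed, k_dil, FLAG_HYBRID, standin_sign_ed, standin_sign_dil)
    # One corrupted byte in the ML-DSA-65 part: AND-composition fails although Ed25519 verifies.
    corrupted = hybrid[:-1] + bytes([hybrid[-1] ^ 0x01])
    # The same Ed25519 signature re-encoded as an f = 0 bundle: fine in transition, not in hybrid mode.
    ed_part_only = hybrid[:ED_SIG_LEN] + bytes([FLAG_ED_ONLY])
    return {
        "len_ed_only": len(ed_only), "len_hybrid": len(hybrid),
        "ed_only_transitional": hybrid_verify(msg, ed_only, k_ed, k_dil, **ver),
        "ed_only_hybrid_mode": hybrid_verify(msg, ed_only, k_ed, k_dil, hybrid_mode=True, **ver),
        "hybrid_ok": hybrid_verify(msg, hybrid, k_ed, k_dil, hybrid_mode=True, **ver),
        "corrupted_rejected": not hybrid_verify(msg, corrupted, k_ed, k_dil, **ver),
        "ed_part_transitional": hybrid_verify(msg, ed_part_only, k_ed, k_dil, **ver),
        "ed_part_hybrid_mode": hybrid_verify(msg, ed_part_only, k_ed, k_dil, hybrid_mode=True, **ver),
        "flag_without_body_rejected": not hybrid_verify(msg, hybrid[:ED_SIG_LEN] + b"\x01", k_ed, k_dil, **ver),
    }
```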

Hybrid KEM (Algorithm 2). Session key derivation combines X25519 ECDH with ML-KEM-768 encapsulation:

Algorithm 2: Hybrid KEM Encapsulation

Function HybridEncaps($\mathit{pk}_\mathrm{X}, \mathit{pk}_\mathrm{ML}$):

  1. $(\mathit{ek}, \mathit{ss}_\mathrm{X}) \leftarrow \mathrm{X25519.DH}(\mathit{ek}_\mathrm{sec}, \mathit{pk}_\mathrm{X})$
  2. $(\mathit{ct}_\mathrm{ML}, \mathit{ss}_\mathrm{ML}) \leftarrow \mathrm{Encaps}_\mathrm{ML}(\mathit{pk}_\mathrm{ML})$
  3. $K \leftarrow \mathrm{HKDF}(\mathit{ss}_\mathrm{X} \,\|\, \mathit{ss}_\mathrm{ML},\; \mathit{salt},\; \texttt{"skh1:kem"})$
  4. return $(\mathit{ek}, \mathit{ct}_\mathrm{ML}, K)$

Either shared secret can be compromised without exposing the combined symmetric key $K$. This follows the hybrid KEM framework of Bindel et al. [Bindel, 2019].

4.7 The did:skh1 Method

Resolution: Via gossip-based key event resolution – no global registry. Each node reconstructs the hash chain from the genesis event. Instantiated as the Key Event Framework (KEF) in the Libertaria stack – see Appendix A.

CRUD operations:

  • Create: Genesis event with pre-rotation commitment.
  • Read: Local-first gossip-based resolution.
  • Update: Key rotation with pre-rotation proof.
  • Deactivate: Tombstone event (irreversible).

5. Security Analysis

We present game-based security analysis with proof sketches following standard cryptographic reduction methodology. Full proofs with explicit game-hop reductions are in preparation for the extended version; here we state the main theorems.

Notation. $\lambda$ denotes the security parameter (128 bits). $\mathcal{A}$ is a probabilistic polynomial-time (PPT) adversary. $\mathrm{BLAKE3\text{-}HMAC}(k, m)$ denotes HMAC instantiated with BLAKE3. We define:

$$\begin{aligned}
\mathrm{PersonaDerive}(d, i, \mathit{ctx}) &= \mathrm{LatticeHD.DeriveHardened}\bigl(d.\mathit{sk}_{\mathrm{ML\text{-}DSA\text{-}65}},\; i,\; \texttt{"skh1:persona:"} \,\|\, \mathit{ctx}\bigr) \\
\mathrm{SoulDerive}(p, \mathit{ctx}) &= \mathrm{HKDF}\bigl(p,\; \mathit{salt},\; \texttt{"skh1:pq:"} \,\|\, \mathit{ctx}\bigr) \\
\mathrm{Nullify}(d, s) &= \mathrm{BLAKE3}\bigl(d.\mathit{root\_seed} \,\|\, d.\mathit{salt} \,\|\, \texttt{"skh1:nullifier:"} \,\|\, s\bigr)
\end{aligned}$$

where $d$ denotes a DNAKey (lattice keypair + root seed) and $p$ denotes a Persona seed.

5.1 Key Derivation Indistinguishability (IND-HKDF)

Definition 5.1 — IND-HKDF

The SKH SoulKey derivation is IND-HKDF secure if no PPT adversary $\mathcal{A}$, given the public keys of a SoulKey, can distinguish whether they were derived from a DNAKey via HKDF-BLAKE3 or sampled uniformly at random, with non-negligible advantage.

Theorem 5.2 — IND-HKDF Security

If $\mathrm{BLAKE3\text{-}HMAC}$ is a $(t, \epsilon)$-secure PRF in both the Extract and Expand steps, then:

$$\mathrm{Adv}^{\mathrm{IND\text{-}HKDF}}_{\mathcal{A}}(\lambda) \leq \mathrm{Adv}^{\mathrm{PRF}}_{\mathrm{Extract}}(\lambda) + \mathrm{Adv}^{\mathrm{PRF}}_{\mathrm{Expand}}(\lambda)$$

Proof sketch. By a sequence of two game hops. Game 0 is the real derivation. Game 1 replaces the Extract output ($\mathit{prk}$) with a uniformly random value; the transition cost is bounded by the PRF advantage of the Extract step (following Krawczyk [Krawczyk, 2010], Theorem 1). Game 2 replaces the Expand output ($\mathit{soul\_secret}$) with random; the transition cost is bounded by the PRF advantage of the Expand step. In Game 2, the adversary’s view is identically distributed to the random case, so its success probability is exactly $1/2$ (zero advantage).

5.2 Persona Unlinkability (UNL-PERSONA)

Definition 5.3 — UNL-PERSONA

The SKH Persona layer achieves persona unlinkability if no PPT adversary $\mathcal{A}$, given two Persona seeds (or any downstream key material derived from them), can determine whether they share a DNAKey or come from independent DNAKeys, with non-negligible advantage.

Theorem 5.4 — Persona Unlinkability under Module-LWE

Under the Module-LWE hardness assumption (as formalized in [Vadim, 2026], Construction 1):

$$\mathrm{Adv}^{\mathrm{UNL\text{-}PERSONA}}_{\mathcal{A}}(\lambda) \leq \mathrm{Adv}^{\mathrm{MLWE}}_{n,q,\chi}(\lambda)$$

where $n$, $q$, $\chi$ are the ML-DSA-65 lattice parameters.

Proof sketch. Direct reduction to the unlinkability proof of [Vadim, 2026], Construction 1. The hardened lattice HD derivation produces child seeds whose public components are computationally indistinguishable from uniformly random lattice elements under Module-LWE. Given two Persona seeds $p_0, p_1$ derived from the same DNAKey at distinct indices, the corresponding public components are indistinguishable from two independently sampled lattice elements. An adversary who can distinguish the same-DNAKey case from the independent-DNAKey case can be used to construct a distinguisher for Module-LWE with the same advantage. The hardened derivation path ensures no public information about the parent key is leaked.

Comparison with v1 reduction. The previous version of this construction reduced cross-context unlinkability to HKDF-BLAKE3 PRF security. The lattice-based reduction relies on a different class of assumption: Module-LWE is a structural assumption on lattice problems with worst-case-to-average-case reductions, whereas PRF security is a computational assumption on hash functions. This diversifies the cryptographic foundations – even if one assumption class weakens, the other may hold. The Persona layer provides unlinkability as a structural property of the lattice, complementing the hash function’s pseudorandomness.

Dependency caveat. The UNL-PERSONA reduction relies on the formal unlinkability proof of [Vadim, 2026], which is an unreviewed ePrint preprint as of this writing. If the underlying construction is revised or the proof invalidated, SKH degrades gracefully: Persona derivation reverts to the v1 HKDF-BLAKE3 path, and cross-context unlinkability reduces to IND-HKDF security (Theorem 5.2), which is sound independently. The lattice HD construction strengthens the unlinkability guarantee but is not load-bearing for the remainder of the security analysis – in particular, nullifier soundness (Theorem 5.9), session unlinkability (Theorem 5.6), and hybrid signature unforgeability (Theorem 5.7) do not depend on it.

5.3 Cross-Context Unlinkability (UNL-TIER)

Definition 5.5a — UNL-TIER

The SKH architecture achieves cross-context unlinkability if no PPT adversary $\mathcal{A}$, given two sets of SoulKey public keys from distinct contexts, can determine whether they share a DNAKey or come from independent DNAKeys, with non-negligible advantage.

Theorem 5.5 — Cross-Context Unlinkability

Under UNL-PERSONA (Theorem 5.4) and the IND-HKDF security of Theorem 5.2:

$$\mathrm{Adv}^{\mathrm{UNL\text{-}TIER}}_{\mathcal{A}}(\lambda) \leq \mathrm{Adv}^{\mathrm{MLWE}}_{n,q,\chi}(\lambda) + 2 \cdot \mathrm{Adv}^{\mathrm{IND\text{-}HKDF}}_{\mathcal{A}}(\lambda)$$

Proof sketch. The derivation path from DNAKey to SoulKey now passes through two layers: Lattice HD (DNAKey $\to$ Persona) and HKDF-BLAKE3 (Persona $\to$ SoulKey). By UNL-PERSONA, the Persona seeds are indistinguishable from random under Module-LWE. Conditioned on this, the HKDF-BLAKE3 derivation from Persona seed to SoulKey keypairs is indistinguishable from random via IND-HKDF (two instances, one per SoulKey). The composition follows from the standard hybrid argument: replace the Persona seeds with random values (cost: $\mathrm{Adv}^{\mathrm{MLWE}}$), then replace each SoulKey derivation with random (cost: $2 \cdot \mathrm{Adv}^{\mathrm{IND\text{-}HKDF}}$).

5.4 Session Unlinkability (UNL-SESSION)

Theorem 5.6 — Session Unlinkability

Under the IND-CCA2 security of the hybrid KEM [Bindel, 2019]:

$$\mathrm{Adv}^{\mathrm{UNL\text{-}SESSION}}_{\mathcal{A}}(\lambda) \leq \mathrm{Adv}^{\mathrm{IND\text{-}CCA2}}_{\mathrm{HybridKEM}}(\lambda) + \mathrm{Adv}^{\mathrm{AE}}_{\mathrm{XChaCha20}}(\lambda)$$

Proof sketch. SessionKeys are CSPRNG-generated with zero mathematical linkage to SoulKeys. The only link is the delegation certificate, encrypted via Hybrid KEM (X25519 + ML-KEM-768) and XChaCha20-Poly1305. Breaking session unlinkability requires either: (a) breaking IND-CCA2 of the hybrid KEM, or (b) breaking authenticated encryption. Both are negligible under standard assumptions.

5.5 Hybrid Signature Unforgeability (EUF-HYBRID)

Theorem 5.7 — EUF-CMA of Hybrid Signatures

The AND-composition of Ed25519 and ML-DSA-65 is EUF-CMA secure if at least one component scheme is EUF-CMA secure:

$$\mathrm{Adv}^{\mathrm{EUF\text{-}CMA}}_{\mathrm{Hybrid}}(\lambda) \leq \min\!\left(\mathrm{Adv}^{\mathrm{EUF\text{-}CMA}}_{\mathrm{Ed25519}}(\lambda),\; \mathrm{Adv}^{\mathrm{EUF\text{-}CMA}}_{\mathrm{ML\text{-}DSA}}(\lambda)\right)$$

Proof sketch. A forger against the hybrid scheme must produce valid signatures under both Ed25519 and ML-DSA-65 simultaneously. A successful forgery therefore implies a forgery against whichever component remains secure. By contradiction: if the hybrid is broken, both components must be broken. The advantage is thus bounded by the minimum of the two component advantages.

5.6 Composite Security Bound

Combining the five core theorems, the overall SKH security advantage is:

$$\begin{aligned}
\mathrm{Adv}^{\mathrm{SKH}}_{\mathcal{A}}(\lambda) \leq\; & \underbrace{\mathrm{Adv}^{\mathrm{MLWE}}_{n,q,\chi}(\lambda)}_{\text{Persona unlinkability}} + \mathrm{Adv}^{\mathrm{PRF}}_{\mathrm{BLAKE3}}(\lambda) + \mathrm{Adv}^{\mathrm{PRF}}_{\mathrm{BLAKE3\text{-}HMAC}}(\lambda) \\
&+ \min\!\left(\mathrm{Adv}^{\mathrm{EUF}}_{\mathrm{Ed}}(\lambda),\; \mathrm{Adv}^{\mathrm{EUF}}_{\mathrm{Dil}}(\lambda)\right) + \min\!\left(\mathrm{Adv}^{\mathrm{DDH}}_{\mathrm{X25519}}(\lambda),\; \mathrm{Adv}^{\mathrm{MLWE}}_{\mathrm{ML\text{-}KEM}}(\lambda)\right) \\
&+ \mathrm{Adv}^{\mathrm{AE}}_{\mathrm{XChaCha20}}(\lambda)
\end{aligned}$$

Each term is negligible under standard assumptions. The $\min$ terms encode the hybrid property: breaking the system requires breaking both the classical and post-quantum components simultaneously. The new $\mathrm{Adv}^{\mathrm{MLWE}}$ term reflects the lattice-rooted Persona derivation.

Composition justification. The summation is sound because the constituent security games target independent cryptographic properties: Persona unlinkability (Module-LWE hardness), key derivation (PRF security of BLAKE3/HMAC), signature unforgeability (EUF-CMA of Ed25519 and ML-DSA-65), key exchange confidentiality (DDH/MLWE), and symmetric encryption (AE of XChaCha20). These games share no common secrets – the Persona derivation uses the DNAKey’s lattice secret key, the HKDF derivation uses the Persona seed, the signature keys are derived independently from each, and the KEM shared secrets are independent of the authentication keys. Compromise of one primitive does not provide advantage against another. The bound follows from the standard union bound over independent events.

Nullifier independence. The nullifier security properties (Theorem 5.9, Theorem 5.10) are independent of both the lattice assumption and the authentication/confidentiality bounds. Nullifiers are derived from the pre-keypair $\mathit{root\_seed}$ (the Argon2id output), not from the ML-DSA-65 keypair. They reduce directly to BLAKE3 collision resistance and PRF security, which are already accounted for in the $\mathrm{Adv}^{\mathrm{PRF}}_{\mathrm{BLAKE3}}$ term. Even if ML-DSA-65 is completely broken, nullifier soundness and cross-scope unlinkability are preserved.

Current deployment bound. In the Ed25519-only deployment (ML-DSA-65 SoulKey signatures not yet activated), the signature term simplifies to $\mathrm{Adv}^{\mathrm{EUF}}_{\mathrm{Ed}}(\lambda)$ alone. The KEM term retains the $\min$ since hybrid KEM is already active. The $\mathrm{Adv}^{\mathrm{MLWE}}$ term is always present since the Persona layer is active from genesis.

5.7 Post-Quantum Security

SKH’s post-quantum posture is strengthened by the lattice-rooted DNAKey. In the current deployment:

Root identity is post-quantum secure. The DNAKey is an ML-DSA-65 lattice keypair; the Persona derivation uses lattice HD under Module-LWE. A CRQC cannot recover the DNAKey secret key or derive Persona seeds from public information.

Confidentiality is post-quantum secure via hybrid X25519 + ML-KEM-768. A CRQC breaks X25519 but ML-KEM-768 protects the shared secret.

Authentication at the SoulKey level uses Ed25519, with ML-DSA-65 activation deferred. The architecture reserves ML-DSA-65 key material from genesis; activation requires no identity migration or DID changes. The SoulKey’s DID hash commits to the ML-DSA-65 public key slot from creation. When activated, the same DID continues to resolve – only the signature verification policy changes from Ed25519-only to AND-composition.

Sybil resistance is post-quantum independent. Nullifiers are derived from the Argon2id root seed via BLAKE3; no lattice or elliptic curve computation is involved. Nullifier soundness survives a CRQC.

Post-activation analysis (when ML-DSA-65 is enabled):

If ECDLP becomes easy (CRQC, lattices remain hard): Ed25519 signatures forgeable, X25519 breakable, but ML-DSA-65 and ML-KEM-768 remain secure. Authentication degrades to ML-DSA-65 only; confidentiality via ML-KEM-768.

If lattice problems become easy (novel attacks, ECDLP remains hard): ML-DSA-65 forgeable, ML-KEM-768 breakable, but Ed25519 and X25519 remain secure.

Simultaneous failure: Full system compromise – requires migration to new algorithm classes (hash-based via SLH-DSA [Standards, 2024], code-based, multivariate).

5.8 Forward Secrecy

SoulKey rotation via pre-rotation commitments provides forward secrecy: compromise of current keys does not affect past keys (already rotated) or future keys (pre-committed but not yet revealed). SessionKeys provide perfect forward secrecy per interaction: each SessionKey is ephemeral and destroyed after use.

5.9 Nullifier Soundness (NUL-SOUND)

Theorem 5.9 — Nullifier Collision Resistance

No PPT adversary can produce two distinct DNAKeys $d_0 \neq d_1$ such that $\mathrm{Nullify}(d_0, s) = \mathrm{Nullify}(d_1, s)$ for any scope $s$, with non-negligible probability:

$$\Pr\!\left[\mathrm{Nullify}(d_0, s) = \mathrm{Nullify}(d_1, s) \;\middle|\; d_0 \neq d_1\right] \leq \mathrm{Adv}^{\mathrm{CR}}_{\mathrm{BLAKE3}}(\lambda)$$

Proof sketch. Direct reduction to BLAKE3 collision resistance. Given two distinct DNAKeys $d_0, d_1$ with $d_0.\mathit{root\_seed} \,\|\, d_0.\mathit{salt} \neq d_1.\mathit{root\_seed} \,\|\, d_1.\mathit{salt}$, the nullifier inputs are distinct. A collision in the nullifier outputs is therefore a collision in BLAKE3. Note that the ML-DSA-65 lattice keypair is not involved in nullifier computation; the reduction depends solely on BLAKE3 collision resistance. Under standard assumptions, BLAKE3 provides 128-bit collision resistance (256-bit output, birthday bound $2^{128}$), yielding negligible collision probability for polynomially many identities.

Theorem 5.10 — Nullifier Unlinkability

Given nullifiers from two different scopes $s_1 \neq s_2$, no PPT adversary can determine whether they derive from the same DNAKey with non-negligible advantage:

$$\mathrm{Adv}^{\mathrm{NUL\text{-}UNLINK}}_{\mathcal{A}}(\lambda) \leq \mathrm{Adv}^{\mathrm{PRF}}_{\mathrm{BLAKE3}}(\lambda)$$

Proof sketch. Model BLAKE3 as a PRF keyed by $d.\mathit{root\_seed} \,\|\, d.\mathit{salt}$ and evaluated on $\texttt{"skh1:nullifier:"} \,\|\, s_i$. The domain separation prefix ensures distinct inputs for distinct scopes. Under the PRF assumption, outputs on distinct inputs are computationally indistinguishable from independent random values. Thus an adversary observing $\mathrm{Nullify}(d, s_1)$ and $\mathrm{Nullify}(d, s_2)$ cannot distinguish the same-DNAKey case from the independent-DNAKey case – the nullifiers are indistinguishable from two independent random 256-bit strings. This reduction is entirely independent of the ML-DSA-65 lattice keypair.

6. Sybil Resistance

6.1 Context-Scoped Nullifiers

A nullifier provides deterministic uniqueness within a scope without revealing identity across scopes. Crucially, nullifiers are derived from the pre-keypair root seed (the Argon2id output), not from the ML-DSA-65 lattice keypair:

$$\mathit{nullifier} = \mathrm{BLAKE3}\!\left(\mathit{root\_seed} \,\|\, \mathit{salt} \,\|\, \texttt{"skh1:nullifier:"} \,\|\, \mathit{scope\_id}\right)$$

This design ensures that nullifier soundness is independent of the lattice assumption. Even if ML-DSA-65 is broken, the nullifier’s collision resistance and cross-scope unlinkability hold under BLAKE3 alone – a deliberately defensive layering of cryptographic assumptions.

Algorithm 3: Context-Scoped Nullifier Derivation

Function NullifierDerive($\mathit{DNAKey}, \mathit{scope\_id}$):

  1. $\mathit{input} \leftarrow \mathit{DNAKey.root\_seed} \,\|\, \mathit{DNAKey.salt} \,\|\, \texttt{"skh1:nullifier:"} \,\|\, \mathit{scope\_id}$
  2. $\mathit{nullifier} \leftarrow \mathrm{BLAKE3}(\mathit{input})$ — 32 B output
  3. return $\mathit{nullifier}$

Properties:

  • Deterministic: Same root seed + scope $\rightarrow$ same nullifier (enables duplicate detection).
  • One-way: Nullifier reveals nothing about root seed or DNAKey (BLAKE3 pre-image resistance).
  • Scope-separated: Different scopes $\rightarrow$ different nullifiers (indistinguishable from random by BLAKE3 PRF security).
  • Lattice-independent: Nullifier security does not depend on Module-LWE; it holds under BLAKE3 assumptions alone.

Figure 2: Nullifier derivation and FRI-STARK proof flow. The DNAKey's pre-keypair root seed and scope are concatenated with a domain-separation prefix and hashed via BLAKE3 to produce a deterministic nullifier. An FRI-STARK proof demonstrates knowledge of a root seed producing the nullifier without revealing the seed or the ML-DSA-65 lattice keypair. Nullifier proofs use hash-native FRI-STARKs (80–200 KB); recovery and membership proofs use lattice-native LaBRADOR (30–60 KB).

6.2 Heterogeneous Proof Architecture

SKH employs a split proof architecture that matches each proof type to its native algebraic domain:

Lattice-native proofs (LaBRADOR/LaZer). Recovery proofs – demonstrating ownership of a DNAKey, Persona derivation correctness, and SoulKey membership – involve lattice relations (Module-LWE commitments, ML-DSA-65 key structure, polynomial ring arithmetic in $R_q = \mathbb{Z}_q[X]/(X^{256}+1)$). For these proofs, SKH uses LaBRADOR [Beullens, 2023], a compact proof system for R1CS over module lattices, and its verification-optimized extension LaZer [Lyubashevsky, 2024]. LaBRADOR proofs are 30–60 KB for typical lattice relation sizes, with verification in ~50 ms. Both LaBRADOR and LaZer are peer-reviewed (Crypto 2023 and CCS 2024, respectively) and operate natively over the Module-LWE structure that SKH already assumes for Persona derivation.

Hash-native proofs (FRI-STARK). Nullifier proofs – demonstrating knowledge of a root seed that produces a given nullifier via BLAKE3 hashing – are hash-native: the witness is a preimage and the relation is a hash computation. FRI-based STARKs [Ben-Sasson, 2018] are the natural choice: they require no trusted setup, are plausibly post-quantum, and their arithmetization efficiently encodes hash function evaluation. Nullifier STARK proofs are 80–200 KB before recursive composition.

Rationale. Encoding lattice relations (matrix multiplications over $\mathbb{Z}_q$ with $q = 8{,}380{,}417$, polynomial arithmetic in $R_q$) inside a STARK circuit is possible but incurs a multiplicative blowup in constraint count – the STARK must simulate modular arithmetic over a 23-bit prime within its native field. Conversely, encoding BLAKE3 inside a lattice proof system would be equally unnatural. The heterogeneous architecture assigns each proof to its algebraically native domain, minimizing proof size and prover cost simultaneously.

6.3 Trust Graph Reputation Gating

The weighted trust graph (instantiated as the Quasar Vector Lattice (QVL) – see Appendix A and the separate QVL Technical Report for the full formalization) is defined as $G = (V, E, w, t)$ where $w: E \rightarrow [-1, 1]$ assigns trust weights and $t: E \rightarrow \mathbb{R}^+$ assigns timestamps. Trust scores incorporate temporal decay:

$$\alpha(t) = \exp\!\left(-\lambda_d \cdot (t_\mathrm{now} - t)\right)$$

Market access predicate:

$$\mathit{Access} = \underbrace{\mathit{NullifierProof.valid}}_{\text{ZK proof}} \;\wedge\; \underbrace{\mathit{nullifier} \notin \mathit{seen\_set}}_{\text{uniqueness}} \;\wedge\; \underbrace{\mathit{score}(v) \geq \theta}_{\text{reputation}} \;\wedge\; \underbrace{\mathit{dist}(v, o) \leq h_\mathrm{max}}_{\text{proximity}}$$

Figure 3: Four-layer Sybil defense stack (Layer 1: Proof-of-Cost via Argon2id; Layer 2: Nullifier Uniqueness via BLAKE3; Layer 3: Trust Graph Reputation; Layer 4: Behavioral Admission Control). Each layer increases the cost of maintaining fake identities. Layer 3 (trust graph) provides the dominant cost scaling, of the order $n \cdot R$, where $R$ is non-parallelizable human-effort time.
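Added example (not from the paper or the Libertaria stack) tying Algorithm 3 to the access predicate above and to the first two attacks of 6.4: BLAKE2b-256 stands in for BLAKE3, fixed 32 B / 16 B field widths for root_seed / salt are assumed, the score is assumed to be the sum of time-decayed incoming trust weights, dist is hop distance in the graph, and the FRI-STARK check is represented by a boolean supplied by the caller.

```python
import hashlib
import math
from collections import deque
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

NULLIFIER_PREFIX = b"skh1:nullifier:"
ROOT_SEED_LEN, SALT_LEN = 32, 16  # assumed; fixed widths keep the concatenation unambiguous


def blake3_standin(data: bytes) -> bytes:
    """BLAKE3 is not in the stdlib; BLAKE2b-256 stands in (same 32 B output, same role)."""
    return hashlib.blake2b(data, digest_size=32).digest()


@dataclass(frozen=True)
class DNAKey:
    root_seed: bytes  # Argon2id output; never leaves the holder's device
    salt: bytes

    def __post_init__(self):
        if len(self.root_seed) != ROOT_SEED_LEN or len(self.salt) != SALT_LEN:
            raise ValueError("DNAKey fields must have their fixed lengths")


def nullifier_derive(d: DNAKey, scope_id: bytes) -> bytes:
    """Algorithm 3: H(root_seed || salt || "skh1:nullifier:" || scope_id), 32 B."""
    return blake3_standin(d.root_seed + d.salt + NULLIFIER_PREFIX + scope_id)


def decay(t_now: float, t: float, lambda_d: float) -> float:
    """alpha(t) = exp(-lambda_d * (t_now - t))."""
    return math.exp(-lambda_d * (t_now - t))


@dataclass
class TrustGraph:
    # edges[(u, v)] = (weight in [-1, 1], timestamp of the trust statement)
    edges: Dict[Tuple[str, str], Tuple[float, float]]

    def score(self, v: str, t_now: float, lambda_d: float) -> float:
        # Assumed instantiation: sum of time-decayed incoming trust weights.
        return sum(w * decay(t_now, t, lambda_d)
                   for (_, x), (w, t) in self.edges.items() if x == v)

    def dist(self, v: str, o: str) -> float:
        # Undirected hop distance via BFS; inf when v is not connected to o.
        adj: Dict[str, Set[str]] = {}
        for u, x in self.edges:
            adj.setdefault(u, set()).add(x)
            adj.setdefault(x, set()).add(u)
        seen, queue = {v: 0}, deque([v])
        while queue:
            cur = queue.popleft()
            if cur == o:
                return seen[cur]
            for nxt in adj.get(cur, ()):
                if nxt not in seen:
                    seen[nxt] = seen[cur] + 1
                    queue.append(nxt)
        return math.inf


@dataclass
class MarketGate:
    graph: TrustGraph
    observer: str        # o in dist(v, o)
    theta: float         # reputation threshold
    h_max: int           # proximity bound
    lambda_d: float      # decay rate
    seen: Set[bytes] = field(default_factory=set)  # seen_set for this scope

    def access(self, v: str, nullifier: bytes, proof_valid: bool, t_now: float) -> Tuple[bool, str]:
        """The four conjuncts of the access predicate, checked in order; the nullifier is
        recorded only when every conjunct holds."""
        if not proof_valid:
            return False, "invalid nullifier proof"
        if nullifier in self.seen:
            return False, "duplicate nullifier in scope"
        if self.graph.score(v, t_now, self.lambda_d) < self.theta:
            return False, "reputation below threshold"
        if self.graph.dist(v, self.observer) > self.h_max:
            return False, "outside proximity bound"
        self.seen.add(nullifier)
        return True, "admitted"


def demo() -> dict:
    alice = DNAKey(b"\x11" * 32, b"\x22" * 16)   # constructed; real root_seed is Argon2id output
    fresh = DNAKey(b"\x33" * 32, b"\x44" * 16)   # a brand-new identity with no trust edges
    market, other = b"market:spot-eur", b"forum:general"
    g = TrustGraph({("op", "bob"): (0.9, 90.0), ("bob", "alice"): (0.8, 95.0),
                    ("carol", "alice"): (0.5, 50.0)})
    gate = MarketGate(g, observer="op", theta=0.5, h_max=3, lambda_d=0.01)
    n_alice = nullifier_derive(alice, market)
    first = gate.access("alice", n_alice, True, 100.0)
    wash = gate.access("alice", nullifier_derive(alice, market), True, 101.0)   # same key, same scope
    sybil = gate.access("fresh", nullifier_derive(fresh, market), True, 100.0)  # score 0.0
    return {
        "first": first[0], "wash": wash[1], "sybil": sybil[1],
        "deterministic": n_alice == nullifier_derive(alice, market),
        "scoped": nullifier_derive(alice, other) != n_alice,
        "alice_score": round(g.score("alice", 100.0, 0.01), 3),
    }
```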

6.4 Attack Analysis

Fresh DNAKey attack. Attacker creates $n$ DNAKeys with valid proof-of-cost tokens. Cost: $n \times$ Argon2id computation (~117 ms each, GPU-resistant). Blocked by: trust graph reputation gate (fresh identities have score 0.0).

Sybil wash trading. Attacker uses same DNAKey for multiple positions. Blocked by: nullifier uniqueness (same DNAKey + scope $\rightarrow$ same nullifier; duplicate rejected).

Behavioral mimicry. Attacker simulates human social graph topology. Blocked by: clustering coefficient analysis plus admission control temporal pattern detection.

Theorem 6.1 — Sybil Cost Scaling

Let $R$ denote the minimum time to establish trust score $\geq \theta$ through genuine social graph interaction. The cost of maintaining $n$ independent identities that each pass the access predicate is $\Omega(n \cdot R)$, where $R$ is measured in human-effort time and is not parallelizable.

Proof sketch. Layer 1 (proof-of-cost) adds computational cost per DNAKey. Layer 2 (nullifier uniqueness) prevents identity reuse per scope – each position requires a distinct DNAKey. Layer 3 (trust graph) requires each identity to independently accumulate reputation through social interactions. Since human trust-building is inherently sequential and cannot be simulated without genuine social activity (bounded by clustering coefficient analysis), each of the $n$ identities requires $\Omega(R)$ independent effort, yielding total cost $\Omega(n \cdot R)$.

Figure 4: Sybil attack cost scaling across defense layers. Layer 1 (proof-of-cost) is computationally negligible (shown ×1000). Layer 2 (nullifier uniqueness) forces distinct DNAKeys but adds minimal cost. Layer 3 (trust graph reputation, $R$ = 24 h per identity) dominates, making cost linear and non-parallelizable. Layer 4 (behavioral analysis) adds a superlinear $O(n^2)$ penalty as clustering detection probabilistically catches coordinated identities. The dashed line shows a 30-day time budget; an attacker with Layers 3 and 4 active can sustain approximately 28 identities in 30 days of continuous effort.

7. Comparative Evaluation

The following table summarizes the security property comparison across identity systems. We survey 30+ systems exhaustively; the table shows the four primary comparison targets.

| Property | SKH | W3C DID | KERI | AnonCreds |
|---|---|---|---|---|
| PQ lattice root | Yes | No | No | No |
| Anonymous root key | Yes | No | No | No |
| Persona unlinkability | Yes | No | No | Partial |
| Context separation | Yes | No | No | Partial |
| PQ key exchange | Yes | No | No | No |
| PQ signatures (ready) | Partial | No | No | No |
| Sybil resistance | Yes | No | No | No |
| Financial separation | Yes | No | No | No |
| No blockchain | Yes | Partial | Yes | No |
| Key rotation | Yes | Yes | Yes | Yes |
| Selective disclosure | Yes | Partial | No | Yes |

Yes = native support. Partial = partial or method-dependent. No = absent.

Figure 5: Multi-axis (radar) comparison of identity system properties for SKH, DID:key, KERI, and AnonCreds. Axes: PQ Safety (post-quantum root + KEM + signature readiness), Privacy (anonymous root + context separation + selective disclosure), Sybil Resistance (nullifiers + proof-of-cost + trust graph), Performance (identity creation + signing + verification), Wire Compactness (inverse of on-wire overhead). Scores are normalized 1–10 based on the feature comparison and benchmark results. SKH dominates on security axes; classical systems dominate on wire compactness (a PQ-inherent tradeoff).

8. Experimental Evaluation

8.1 Implementation and Methodology

The reference implementation is written in Zig 0.16 (ReleaseFast) with an application layer in Janus – a language that compiles directly to Zig with full interoperability (no FFI boundary; the compiled output is a single native binary). Comparative benchmarks use Python 3.12 with cryptography, pynacl, keri, and anoncreds libraries. All benchmarks run on x86-64 Linux with warm-up iterations ($n_w = 10$), followed by $n = 1000$ samples for fast operations and $n = 100$ for slow operations (> 10 ms). We report medians and standard deviations.

Hardware: x86-64, AMD/Intel 64-bit processor, Linux 6.x kernel, ReleaseFast optimization (Zig) and default compilation (Python C extensions).

Language asymmetry as thesis. The comparison between native Zig/Janus (SKH) and Python (DID, KERI, AnonCreds) is intentional and reflects a core contribution. Existing SSI deployments run on Python or JavaScript runtimes with C extension bindings for cryptographic primitives. SKH’s native implementation – with zero-allocation stack-based cryptographic operations and compile-time safety guarantees – is itself part of the architectural contribution. The performance gap between native and interpreted implementations is not a benchmarking artifact; it is the deployment reality that SKH is designed to address.

Variance note. Several operations exhibit high standard deviations relative to their medians (e.g., Ed25519 sign: $\sigma/\mu \approx 0.80$; hybrid KEM: $\sigma/\mu \approx 1.02$). This reflects OS scheduling jitter and cache effects on a non-isolated system; median values are robust to these outliers. Operations with deterministic execution paths (ML-KEM-768, Argon2id, BLAKE3) show correspondingly low variance ($\sigma/\mu < 0.10$).

Reproducibility. The SKH cryptographic core (Zig), benchmark harness, and comparative benchmark scripts are available at https://git.sovereign-society.org/skh/skh-paper. The Zig benchmark reproduces Table 1; the Python comparative benchmark reproduces Table 2.

8.2 SKH Cryptographic Operation Latencies

Table 1: SKH cryptographic operation latencies (x86-64, Zig ReleaseFast). All medians over $n$ samples with warm-up. Operations marked with a dagger (†) are projected for the hybrid PQ signature upgrade path (ML-DSA-65 activation).

| Tier / Operation | Median | σ | n |
|---|---|---|---|
| Tier 0: DNAKey (Root Identity) | | | |
| Argon2id (64 MiB, t=3, p=4) | 117.19 ms | 7.42 ms | 100 |
| Tier 2: SoulKey (Context-Separated Identity) | | | |
| HKDF-SHA256 derivation | 0.93 μs | 0.20 μs | 1000 |
| BLAKE3 derivation | 0.62 μs | 0.12 μs | 1000 |
| Full generation (Ed+X+ML-KEM+DID) | 171.41 μs | 165.13 μs | 1000 |
| Signatures (Current: Ed25519) | | | |
| Ed25519 sign (256 B) | 86.37 μs | 68.85 μs | 1000 |
| Ed25519 verify (256 B) | 106.50 μs | 99.26 μs | 1000 |
| Signatures (Projected: Hybrid Ed25519 + ML-DSA-65) | | | |
| ML-DSA-65 keygen † | 55.49 μs | 3.07 μs | 1000 |
| ML-DSA-65 sign (256 B) † | 143.38 μs | 162.96 μs | 1000 |
| ML-DSA-65 verify † | 69.93 μs | 75.42 μs | 1000 |
| Hybrid sign (256 B) † | 203.11 μs | 160.82 μs | 1000 |
| Hybrid verify † | 135.80 μs | 68.08 μs | 1000 |
| Key Exchange (Active: Hybrid X25519 + ML-KEM-768) | | | |
| X25519 ECDH | 72.52 μs | 76.52 μs | 1000 |
| ML-KEM-768 keygen | 15.80 μs | 1.36 μs | 1000 |
| ML-KEM-768 encapsulate | 16.15 μs | 1.74 μs | 1000 |
| ML-KEM-768 decapsulate | 20.81 μs | 1.12 μs | 1000 |
| Hybrid KEM (X25519+ML-KEM+HKDF) | 94.58 μs | 96.88 μs | 1000 |
| Sybil Resistance | | | |
| Nullifier derivation (BLAKE3) | 0.47 μs | 0.33 μs | 1000 |
| Entropy stamp (Argon2id, 2 MiB) | 2.67 ms | 0.66 ms | 100 |

Table 1 presents microbenchmark results for all SKH cryptographic operations. The table distinguishes between currently active operations and projected hybrid signature costs when ML-DSA-65 is activated. Key observations:

  • DNAKey generation (117 ms) is deliberately slow – Argon2id memory-hardness is a feature, not a bottleneck, performed once per identity lifetime.
  • SoulKey derivation via BLAKE3 completes in 0.62 μs – three orders of magnitude faster than DNAKey generation, enabling instant context switching.
  • Ed25519 signing (86 μs) and verification (107 μs) are the current authentication cost. Upon ML-DSA-65 activation, hybrid signing would add 117 μs (203 μs total) – still well within interactive latency budgets.
  • ML-KEM-768 operations (16–21 μs) are faster than X25519 ECDH (73 μs), consistent with ML-KEM’s efficient matrix-based design. Hybrid KEM is already active and provides post-quantum confidentiality.
  • Nullifier derivation (0.47 μs) is a single BLAKE3 hash – negligible overhead for Sybil resistance.

8.3 Comparative Benchmarks

Table 2: Deployment-reality comparison of identity system operations (median latency). SKH: native Zig/Janus; others: Python – reflecting actual deployment runtimes. "---" indicates the system lacks the capability.

| Operation | SKH (Zig/Janus) | W3C DID:key (Python) | KERI (Python) | AnonCreds (Python) |
|---|---|---|---|---|
| Identity creation | 171 μs | 92 μs | 470 μs | 119 ms |
| Key derivation | 0.93 μs | --- | 31 μs | --- |
| Sign | 86 μs | 50 μs | 58 μs | --- |
| Verify | 107 μs | 147 μs | 93 μs | --- |
| Key rotation | pre-rot. | 77 μs ‡ | 442 μs | --- § |
| Anonymous proof | 0.47 μs ‖ | --- | --- | 114 ms |
| Proof verification | hash | --- | --- | 98 ms |
| PQ hybrid KEM | 95 μs | --- | --- | --- |
| PQ hybrid sign | 203 μs | --- | --- | --- |
| PQ confidentiality? | Yes | No | No | No |
| PQ auth (upgrade)? | Ready | No | No | No |
| Blockchain required? | No | No | No | Optional |

Notes:

  • Key rotation, SKH ("pre-rot."): Pre-rotation commitment preserves identity continuity.
  • ‡ Key rotation, DID:key: Creating a new DID:key loses all history and reputation.
  • § Key rotation, AnonCreds: requires credential revocation and re-issuance.
  • ‖ Anonymous proof, SKH: Nullifier = BLAKE3(root || salt || scope); Sybil-unique per context.
  • Proof verification, SKH ("hash"): a single BLAKE3 hash comparison (<1 μs).
  • PQ auth (upgrade), SKH ("Ready"): ML-DSA-65 activation; scaffolding deployed, key material reserved from genesis.

Table 2 presents a deployment-reality comparison. The language asymmetry – SKH in native Zig/Janus versus DID:key, KERI, and AnonCreds in Python – is deliberate. Existing SSI deployments run on interpreted runtimes with C extension bindings for cryptographic primitives. SKH’s native implementation is part of the contribution: zero-allocation, stack-based cryptographic operations with compile-time memory safety. The performance gap reflects the deployment reality these systems would face in production, not an algorithmic complexity comparison.

Key findings:

  • SKH identity creation (171 μs) is competitive with DID:key (92 μs) despite generating three keypairs (Ed25519 + X25519 + ML-KEM-768) with DID hash computation versus DID:key’s single Ed25519 keypair.
  • SKH’s nullifier derivation (0.47 μs) versus AnonCreds ZK proof generation (114 ms) represents a ~245,000x performance difference. SKH nullifiers are not full zero-knowledge proofs but provide cryptographic Sybil uniqueness per context – a sufficient primitive for the access predicate.
  • SKH is the only system offering post-quantum key exchange. The hybrid KEM overhead (95 μs) is modest; upon ML-DSA-65 activation, hybrid signing would add 117 μs over Ed25519-only.

v2 benchmark note. The identity creation figure of 171 μs reflects v1 benchmarks (HKDF-BLAKE3 derivation path). The v2 architecture adds ML-DSA-65 keygen (~55 μs, Table 1) and Lattice HD Persona derivation (uncharacterized). Projected v2 identity creation cost is the sum of Argon2id (one-time) + ML-DSA-65 keygen + Lattice HD derivation + SLIP-0010/HKDF-BLAKE3 + keypair generation. Updated benchmarks including the full v2 derivation path and LaBRADOR proof generation latencies are in preparation.

[Figure 6 image: bar chart comparing identity creation latency across SKH, DID:key, KERI, and AnonCreds on a log scale]
Figure 6: Identity creation latency across systems (log scale). AnonCreds includes full credential issuance (CL signatures). SKH includes hybrid PQ key generation. DID:key is fastest but lacks hierarchy, PQ safety, and key rotation.

[Figure 7 image: grouped bar chart comparing operation latencies across identity systems]
Figure 7: Grouped operation latency comparison (log scale). Missing capabilities rendered at baseline. SKH is competitive on classical operations despite generating PQ key material, and provides unique capabilities (key derivation, anonymous proofs) that other systems lack entirely. The 245,000x gap between SKH nullifier derivation (0.47 microseconds) and AnonCreds ZK proof (114 ms) reflects an architectural difference: hash-based uniqueness vs. CL-signature zero-knowledge.

8.4 Wire Overhead and Data Sizes

Table 3: Wire overhead comparison. SKH shows current (Ed25519-only) and projected (hybrid) sizes.

| Structure | SKH | W3C DID:key | KERI | AnonCreds |
|---|---|---|---|---|
| Public key (current) | 32 B | 32 B | 44 B | 5,811 B |
| Public key (hybrid) | 1,984 B | --- | --- | --- |
| Signature (current) | 65 B | 64 B | 88 B | ~5,000 B |
| Signature (hybrid) | 3,374 B | --- | --- | --- |
| Identity document | ~400 B | ~300 B | 299 B | ~3,100 B |
| ID document (hybrid) | ~7,200 B | --- | --- | --- |
| Recovery proof (LaBRADOR) | 30–60 KB | --- | --- | --- |
| Nullifier proof (FRI-STARK) | 80–200 KB | --- | --- | ~17 KB |

Notes: Recovery proofs are lattice-native [Beullens, 2023][Lyubashevsky, 2024]; prove ML-DSA-65 key ownership and Persona derivation. Nullifier proofs are hash-native [Ben-Sasson, 2018]; prove BLAKE3 preimage for nullifier. Before recursive composition.

Table 3 shows SKH’s wire overhead in both the current Ed25519-only deployment and the projected hybrid configuration. In the current deployment, SKH’s wire footprint is comparable to classical systems (65 B signatures vs. 64 B for DID:key). Upon ML-DSA-65 activation, signatures grow to 3,374 B – dominated by the ML-DSA-65 component (3,309 B) – but remain within a single TCP segment. This 50x increase over classical signatures is an inherent cost of PQ safety shared by all PQ migration proposals. The proof sizes – 30–60 KB for lattice-native recovery proofs (LaBRADOR) and 80–200 KB for hash-native nullifier proofs (FRI-STARK) – are amortized: proofs are generated once per scope entry or recovery ceremony, not per interaction.

8.5 Memory Footprint

Table 4: Memory footprint of SKH data structures. Current (Ed25519-only) and hybrid (with ML-DSA-65) allocations.

| Structure | Current | Hybrid |
|---|---|---|
| DNAKey (root seed + salt + ML-DSA-65) | 6,480 B* | 6,480 B* |
| SoulKey (all keypairs) | 160 B | 3,752 B |
| SoulKey (public only) | 32 B | 1,984 B |
| SessionKey (Ed25519 ephemeral) | 64 B | 64 B |
| Signature | 65 B | 3,374 B |
| SessionKeyBundle (on wire) | ~200 B | ~1,352 B |
| ML-KEM-768 ciphertext | 1,088 B | 1,088 B |
| Nullifier | 32 B | 32 B |
| Entropy stamp (serialized) | 77 B | 77 B |
| DID (BLAKE3 hash) | 32 B | 32 B |

* DNAKey breakdown: root seed (32 B) + salt (16 B) + params (16 B) + ML-DSA-65 pk (1,952 B) + ML-DSA-65 sk (4,000 B) + metadata (464 B). Never on wire; stored in hardware enclave.

In the current deployment, total SoulKey material per context is 160 B – a device managing 10 contexts uses approximately 1.6 KB of key material. The DNAKey now requires ~6.5 KB due to the ML-DSA-65 keypair (1,952 B public + 4,000 B secret + 48 B root seed + salt), but this is stored exactly once per identity lifetime in the hardware enclave. Even in the full hybrid configuration (3,752 B per SoulKey), a DNAKey plus one Persona seed (32 B) plus one SoulKey plus one SessionKey totals ~10.3 KB. A device managing 10 independent identity contexts uses ~44 KB – well within the 50 MB RAM budget assumed for low-end deployment targets (the “Kenya Rule” for inclusive design). The dominant memory cost is the ML-DSA-65 key material, which is inherent to NIST FIPS 204 and cannot be reduced without sacrificing security level.

9. Discussion and Limitations

9.1 Deployment Considerations

Hardware requirements. DNAKey generation requires secure enclaves or air-gapped devices. The ML-DSA-65 keygen adds ~55 μs to initial identity creation (see Table 1), with the Argon2id step (117 ms) remaining the dominant cost. ML-DSA-65 key material requires ~6 KB storage in the enclave. Not suitable for browser-only deployments.

Proof generation cost. Nullifier proof generation (FRI-STARK) is computationally expensive (~1–10 s on modern hardware). Recovery proofs (LaBRADOR/LaZer) have comparable prover cost but with verification in ~50 ms. Both proof types are acceptable for high-value interactions (market entry, governance votes, recovery ceremonies) but too slow for per-packet authentication.

Scope definition. Who defines scope_id? Malicious operators could fragment scopes to weaken nullifier protection. Mitigation: scope definitions published at the governance federation level with auditability.
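As an added example (not code from the paper or its Zig/Janus implementation), the following Python sketches the nullifier flow from the Table 2 notes together with the scope-definition mitigation above: the client derives H(root || salt || scope) only for a governance-published scope, and the operator's uniqueness check is a set lookup on the 32-byte hash. BLAKE3 is not in Python's standard library, so BLAKE2b truncated to 32 bytes stands in for it; the scope names and key bytes are constructed sample values.

```python
import hashlib
from dataclasses import dataclass, field

ROOT_LEN = 32       # DNAKey root seed size (Table 4 breakdown)
SALT_LEN = 16       # DNAKey salt size (Table 4 breakdown)
NULLIFIER_LEN = 32  # Table 4: nullifier is a 32 B hash


def h32(data: bytes) -> bytes:
    """Hash stand-in. The paper specifies BLAKE3; the Python standard library
    has no BLAKE3, so this added example uses BLAKE2b truncated to 32 bytes.
    Same construction, different hash function (an assumption for runnability)."""
    return hashlib.blake2b(data, digest_size=NULLIFIER_LEN).digest()


def derive_nullifier(root_seed: bytes, salt: bytes, scope_id: str) -> bytes:
    """nullifier = H(root || salt || scope). Root and salt have fixed lengths,
    so only the scope tail varies and the concatenation is unambiguous."""
    if len(root_seed) != ROOT_LEN or len(salt) != SALT_LEN:
        raise ValueError("root seed and salt must have the fixed DNAKey sizes")
    return h32(root_seed + salt + scope_id.encode("utf-8"))


def prove_uniqueness(root_seed: bytes, salt: bytes, scope_id: str,
                     published_scopes: frozenset[str]) -> bytes:
    """Client side: derive a nullifier only for a governance-published scope.
    Refusing ad-hoc scopes is the fragmentation defence from Section 9.1: an
    operator that invents many sub-scopes would otherwise collect several
    nullifiers from one root and erode the per-context uniqueness property."""
    if scope_id not in published_scopes:
        raise PermissionError(f"scope {scope_id!r} is not in the published scope list")
    return derive_nullifier(root_seed, salt, scope_id)


@dataclass
class ScopeRegistry:
    """Operator side: per-scope set of nullifiers seen so far. Admission is a
    length check plus one set lookup, matching the 'hash comparison' cost."""
    seen: dict[str, set[bytes]] = field(default_factory=dict)

    def admit(self, scope_id: str, nullifier: bytes) -> str:
        if len(nullifier) != NULLIFIER_LEN:
            return "rejected: malformed nullifier"
        bucket = self.seen.setdefault(scope_id, set())
        if nullifier in bucket:
            return "rejected: duplicate in scope"  # same root re-entering
        bucket.add(nullifier)
        return "admitted"


def demo() -> dict[str, object]:
    """Constructed sample values (not real key material) exercising the flow."""
    root_a = bytes(range(32))          # constructed root seed A
    root_b = bytes(range(32, 64))      # constructed root seed B
    salt = bytes(16)                   # constructed salt
    published = frozenset({"market:eu-west", "vote:2026-q1"})  # constructed scopes
    registry = ScopeRegistry()

    n_a_market = prove_uniqueness(root_a, salt, "market:eu-west", published)
    n_a_vote = prove_uniqueness(root_a, salt, "vote:2026-q1", published)
    n_b_market = prove_uniqueness(root_b, salt, "market:eu-west", published)
    try:
        prove_uniqueness(root_a, salt, "market:eu-west:fragment-1", published)
        fragment = "derived"
    except PermissionError:
        fragment = "refused"

    return {
        "first_entry": registry.admit("market:eu-west", n_a_market),
        "sybil_retry": registry.admit("market:eu-west", n_a_market),
        "other_root": registry.admit("market:eu-west", n_b_market),
        "same_root_other_scope": registry.admit("vote:2026-q1", n_a_vote),
        "cross_scope_unlinkable": n_a_market != n_a_vote,
        "fragment_attempt": fragment,
        "nullifier_len": len(n_a_market),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```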

Benchmark methodology. The comparative benchmarks (Table 2) compare native Zig/Janus (SKH) with Python (DID, KERI, AnonCreds). This asymmetry is intentional: it reflects the deployment reality where existing SSI stacks run on interpreted runtimes while SKH targets native execution. We present the numbers as deployment-reality comparisons rather than algorithmic complexity measurements.

9.2 Limitations

Collusion. Two distinct humans with two DNAKeys can still coordinate. Nullifiers prevent same-DNAKey reuse but not multi-human collusion.

Operator corruption. If the market operator is corrupt, nullifier checks become theater. Mitigation: deploy on sovereign computing infrastructure where federated governance enforces operator accountability. The Libertaria sovereign computing stack provides one such deployment target – see Appendix A.

Hardware compromise. Physical device compromise with memory extraction can steal DNAKeys. Mitigation: mnemonic backups enable new identity bootstrap.

Wire overhead. Upon ML-DSA-65 activation, PQ key material and signatures will be 50x larger than classical equivalents. This is an inherent cost of PQ safety shared by all PQ migration proposals. In the current Ed25519-only deployment, wire overhead is comparable to classical systems.

PQ signature activation at SoulKey level. The current deployment uses Ed25519-only signatures at the SoulKey level, with ML-KEM-768 providing PQ confidentiality and the ML-DSA-65 lattice root already active at Tier 0. SoulKey-level ML-DSA-65 activation requires linking the liboqs library for the application layer – the architecture scaffolding, DID commitment, and DNAKey lattice root are in place. This phased approach allows production deployment to proceed while the SoulKey PQ signature path matures.

9.3 Financial Key Separation

SKH separates financial key material from identity key material by design:

Independent threat models. The threat model for value storage (Bitcoin, Ethereum wallets) differs fundamentally from identity. Compromise of the identity hierarchy – even total DNAKey exposure – MUST NOT compromise financial assets. The attack surfaces are different (phishing vs. side-channel extraction), the consequences are different (identity death vs. asset loss), and the recovery mechanisms are different (social recovery vs. wallet recovery).

Recommended architecture. Financial keys SHOULD use an independent BIP-39 [Palatinus, 2013] seed, not derived from the DNAKey. Financial key derivation within this independent seed uses standard BIP-32 [Wuille, 2012] hardened paths (e.g., m/44'/0'/0' for Bitcoin, m/44'/60'/0' for Ethereum), ensuring compatibility with every existing hardware wallet and financial ecosystem.

Convenience mode. Implementations MAY offer a mode where the financial seed is derived from the DNAKey via Lattice HD (as a Financial Persona). This mode MUST carry an explicit warning: compromise of the DNAKey exposes all financial assets. The protocol provides the mechanism; the user provides the risk judgment.

Design rationale. The innovation in SKH is in the identity layer. The financial layer should be boringly standard. Breaking compatibility with existing BIP-32 wallets gains nothing and costs the entire existing financial ecosystem. Compartmentalized risk is the correct default.

9.4 Ceremony Agnosticism

The SKH protocol explicitly separates mechanism (what the protocol provides) from policy (what governance decisions are required):

Citizenship tiers. The protocol defines a typed CitizenshipTier enum (T0–T3) with capability implications:

  • T0 – Anonymous: SoulKey only. No resource allocation rights. No ceremony required.
  • T1 – Witnessed: N witnesses via the trust graph (QVL). Community recognition.
  • T2 – Verified: ZK-linked credential from an external authority (e.g., eIDAS [Parliament, 2014]).
  • T3 – Founded: Physical presence ceremony. Highest trust, Chapter-specific.

Protocol provides mechanism. The protocol provides the nullifier primitive, the trust tier interface (enum + capability mapping), and the trust graph infrastructure. It does not define how a human transitions between tiers.

Governance provides policy. Transition ceremonies are Chapter-level governance decisions. One Chapter may require physical presence for T3. Another may accept a ZK-linked eIDAS credential for T2. A third may have entirely different criteria appropriate to its cultural context. The protocol is agnostic – it provides the typed interface; the governance layer provides the transition rules.

Design principle. Ceremony is politics. Protocol is math. Keep them separated by an API boundary. A system that embeds specific ceremony requirements at the protocol level cannot adapt to the diversity of human governance models. A system that provides typed mechanisms and leaves policy to governance can.

9.5 Future Work

  • ML-DSA-65 SoulKey activation: Completing the hybrid signature upgrade path at the SoulKey level with production liboqs integration and performance validation. The DNAKey lattice root is already active.
  • Full game-hop proofs: Formal security proofs with explicit reductions and tight advantage bounds are in preparation for the extended version. The Persona unlinkability theorem (Theorem 5.4) already cites the formal proof of [Vadim, 2026].
  • Formal verification: Machine-checkable proofs via Lean4, EasyCrypt, and Tamarin Prover (in progress).
  • Proof optimization: Recursive composition of FRI-STARK nullifier proofs for reduced proof sizes; exploration of LaBRADOR/LaZer proof aggregation for batched recovery verification. The heterogeneous proof architecture (Section 6.2) enables independent optimization of each proof pipeline.
  • Lattice-native proof benchmarks: Characterizing LaBRADOR/LaZer proof generation and verification latencies for the specific ML-DSA-65 recovery relation on x86-64 and ARM targets using the LaZer [Lyubashevsky, 2024] library.
  • Cross-method interoperability: Bridging SKH with existing W3C DID ecosystems via resolver adapters.
  • ARM benchmarks: Extending evaluation to ARM Cortex-A53 class devices for mobile deployment assessment, with particular attention to ML-DSA-65 keygen latency on constrained hardware.
  • Persona-level selective disclosure: Extending BBS+ or KVAC-style selective disclosure to operate at the Persona boundary, enabling cross-Persona credential presentation without DNAKey correlation.

10. Conclusion

The Sovereign Key Helix provides a foundation for post-quantum, Sybil-resistant self-sovereign identity that addresses fundamental limitations in current systems. By rooting identity in an ML-DSA-65 lattice keypair and deriving unlinkable Personas via hardened lattice HD, SKH achieves privacy guarantees provable under Module-LWE – a structural lattice assumption stronger than the PRF-based reductions of prior work. The four-tier architecture (DNAKey → Persona → SoulKey → SessionKey) separates root anonymity, persona unlinkability, context-separated operation, and ephemeral interaction into distinct cryptographic layers.

Post-quantum security is present from genesis: the lattice-rooted DNAKey provides quantum-resistant Persona derivation, hybrid X25519 + ML-KEM-768 provides post-quantum confidentiality, and the architecture reserves ML-DSA-65 key material at the SoulKey level for a forward-compatible hybrid signature upgrade – ensuring DID stability across the transition. Context-scoped nullifiers – derived from the pre-keypair Argon2id root seed, independent of the lattice assumption – combined with trust graph reputation gating create economically prohibitive costs for Sybil attacks without trusted registration authorities.

Financial key separation ensures that identity compromise does not imply asset loss. Ceremony-agnostic citizenship tiers provide typed mechanisms without embedding governance policy in the protocol.

Experimental evaluation demonstrates competitive performance: Ed25519 signing in 86 μs, hybrid KEM in 95 μs, and nullifier derivation in 0.47 μs. The native Zig/Janus implementation – with zero-allocation cryptographic operations – outperforms existing SSI stacks running on interpreted runtimes. To our knowledge, SKH is the first SSI architecture achieving a post-quantum lattice root, persona-level unlinkability under Module-LWE, Sybil resistance with lattice-independent nullifiers, context-separated identity, and financial compartmentalization – simultaneously, without blockchain dependency.

Acknowledgments

The architectural foundations of SKH trace to the Mosaic DID project – a blockchain-agnostic self-sovereign identity system built on the Substrate SDK within the Polkadot ecosystem, developed jointly by the author and Attila Vagvolgyi (Dlabs Kft.). The did:mosaic method [Maiwald, 2026] demonstrated multicipher HD key derivation, JSON Digest selective disclosure, and anti-censorship DID operations anchored to on-chain proof of existence. SKH departs from this lineage in two fundamental directions: first, it eliminates all blockchain dependency – replacing on-chain anchoring with gossip-based key event resolution and cryptographic Sybil resistance via context-scoped nullifiers; second, it roots the identity hierarchy in post-quantum lattice cryptography (ML-DSA-65, ML-KEM-768), providing quantum safety from genesis rather than as an extension point. The transition from blockchain-anchored to blockchain-free identity was a deliberate architectural choice informed by the operational experience of deploying did:mosaic in the Polkadot parachain environment.

The author thanks the Self Sovereign Society Foundation for supporting this research, and the anonymous reviewers for their constructive feedback.

Appendix A: Reference Implementation Mapping

The reference implementation is available as part of an open-source sovereign computing stack. The following table maps paper terminology to implementation-specific names for reproducibility. The implementation uses the DID method name did:sovereign-skh1: for namespace disambiguation; the canonical method name used throughout this paper is did:skh1:.

| Paper Concept | Implementation | Spec |
|---|---|---|
| SKH cryptographic core | Zig (l1-identity/skh) | SPEC-040 |
| ML-DSA-65 DNAKey | Zig (l1-identity/skh/dnakey.zig) | SPEC-040 S3 |
| Lattice HD Persona derivation | Zig (l1-identity/skh/crypto.zig) | ePrint 2026/380 |
| Application layer | Janus (compiles to Zig; skh.jan) | ADR-005 |
| DID Document V3 | Zig (l1-identity/ssi/did_document_v3.zig) | DID-V3 Spec |
| Gossip-based routing protocol | LRP (Libertaria Routing Protocol) | |
| Transport frame | LWF (Lightweight Wire Frame) | |
| Weighted trust graph | QVL (Quasar Vector Lattice) | RFC-0120 |
| Admission control agent | Membrane Agent | RFC-0110 |
| Proof-of-cost token | Entropy Stamp | RFC-0100 |
| Governance federation unit | Chapter | |
| Key event gossip protocol | KEF (Key Event Framework) | |
| ZK proof primitive layer | ZK-STARK Primitive Layer | RFC-0130 |
| Financial key derivation | BIP-32/BIP-39 (independent seed) | BIP-32/39 |
| Citizenship tiers | Chapter governance (policy, not protocol) | |

The cryptographic core is written in Zig with zero dynamic allocation. The ML-DSA-65 DNAKey, Lattice HD Persona derivation, and STARK proof circuits are implemented in Zig at the L1-identity layer. The application layer uses Janus, which compiles directly to Zig (same compiler backend, single native binary, no FFI overhead) – ensuring that the benchmarks reported in Section 8 are identical to production performance. The DID Document V3 implementation supports the full SKH key hierarchy including Persona-level metadata.

References

  [1] Ethereum Foundation. Semaphore: Zero-Knowledge Signaling on Ethereum. https://semaphore.pse.dev/, 2020.
  [2] European Parliament and Council. Regulation (EU). 2014.
  [3] Hyperledger Foundation. AnonCreds. https://hyperledger.github.io/anoncreds-spec/, 2023.
  [4] Kleros Cooperative. Proof of Humanity: A Sybil-Resistant Registry of Humans on Ethereum. https://proofofhumanity.id/, 2021.
  [5] National Institute of Standards and Technology. FIPS. 2024.
  [6] National Institute of Standards and Technology. FIPS. 2024.
  [7] National Institute of Standards and Technology. FIPS. 2024.
  [8] SatoshiLabs. SLIP-0010. https://github.com/satoshilabs/slips/blob/master/slip-0010.md, 2016.
  [9] SatoshiLabs. SLIP-39. https://github.com/satoshilabs/slips/blob/master/slip-0039.md, 2019.
  [10] Worldcoin Foundation. Worldcoin Whitepaper. https://whitepaper.worldcoin.org/, 2023.
  [11] Abhiram Kothapalli, Srinath Setty, Ioanna Tzialla. Nova: Recursive Zero-Knowledge Arguments from Folding Schemes. Advances in Cryptology – CRYPTO 2022, 2022.
  [12] Adam Stallard et al. BrightID. https://www.brightid.org/whitepaper, 2019.
  [13] Alberto Sonnino, Mustafa Al-Bassam, Shehar Bano, Sarah Meiklejohn, George Danezis. Coconut: Threshold Issuance Selective Disclosure Credentials with Applications to Distributed Ledgers. Proceedings of the 26th ACM Conference on Computer and Communications Security (CCS), 2019.
  [14] Alessandro Chiesa, Yuncong Hu, Mary Maller, Pratyush Mishra, Noah Vesely, Nicholas Ward. Marlin: Preprocessing zkSNARKs with Universal and Updatable SRS. Cryptology ePrint Archive, Report 2019/1047, 2019.
  [15] Alex Biryukov, Daniel Dinu, Dmitry Khovratovich. Argon2: New Generation of Memory-Hard Functions for Password Hashing and Other Applications. Proceedings of the 2016 IEEE European Symposium on Security and Privacy (EuroS&P), 2016.
  [16] Amos Fiat, Adi Shamir. How to Prove Yourself: Practical Solutions to Identification and Signature Problems. Advances in Cryptology – CRYPTO '86, 1987.
  [17] Ariel Gabizon, Zachary J. Williamson, Oana Ciobotaru. PLONK: Permutations over Lagrange-bases for Oecumenical Noninteractive arguments of Knowledge. Cryptology ePrint Archive, Report 2019/953, 2019.
  [18] Barry WhiteHat, Kobi Gurkan, Onur Kılıç. RLN. https://rate-limiting-nullifier.github.io/rln-docs/, 2022.
  [19] Benedikt Bünz et al. Bulletproofs: Short Proofs for Confidential Transactions and More. Proceedings of the 2018 IEEE Symposium on Security and Privacy (S&P), 2018.
  [20] Brent Waters. Ciphertext-Policy Attribute-Based Encryption: An Expressive, Efficient, and Provably Secure Realization. Public Key Cryptography – PKC 2011, 2011.
  [21] Christopher Allen. The Path to Self-Sovereign Identity. http://www.lifewithalacrity.com/2016/04/the-path-to-self-sovereign-identity.html, 2016.
  [22] Claus-Peter Schnorr. Efficient Identification and Signatures for Smart Cards. Advances in Cryptology – CRYPTO '89, 1990.
  [23] Craig Gentry, Alice Silverberg. Hierarchical ID-Based Cryptography. Advances in Cryptology – ASIACRYPT 2002, 2002.
  [24] Dan Boneh, Xavier Boyen, Hovav Shacham. Short Group Signatures. Advances in Cryptology – CRYPTO 2004, 2004.
  [25] Dan Boneh, Matthew Franklin. Identity-Based Encryption from the Weil Pairing. Advances in Cryptology – CRYPTO 2001, 2001.
  [26] Daniel J. Bernstein, Niels Duif, Tanja Lange, Peter Schwabe, Bo-Yin Yang. High-Speed High-Security Signatures. Journal of Cryptographic Engineering, 2012.
  [27] Daniel J. Bernstein. Curve25519: New Diffie-Hellman Speed Records. Public Key Cryptography – PKC 2006, 2006.
  [28] David Chaum, Eugène van Heyst. Group Signatures. Advances in Cryptology – EUROCRYPT '91, 1991.
  [29] David Pointcheval, Olivier Sanders. Short Randomizable Signatures. Topics in Cryptology – CT-RSA 2016, 2016.
  [30] Douglas Stebila, Michele Mosca. Post-Quantum Key Exchange for the Internet and the Open Quantum Safe Project. Selected Areas in Cryptography – SAC 2016, 2017.
  [31] Eli Ben-Sasson, Iddo Bentov, Yinon Horesh, Michael Riabzev. Scalable, Transparent, and Post-Quantum Secure Computational Integrity. Cryptology ePrint Archive, Report 2018/046, 2018.
  [32] Eli Ben-Sasson, Alessandro Chiesa, Christina Garman, Matthew Green, Ian Miers, Eran Tromer, Madars Virza. Zerocash: Decentralized Anonymous Payments from Bitcoin. Proceedings of the 2014 IEEE Symposium on Security and Privacy (S&P), 2014.
  [33] Hugo Krawczyk. Cryptographic Extraction and Key Derivation: The HKDF Scheme. Advances in Cryptology – CRYPTO 2010, 2010.
  [34] Jack O'Connor, Jean-Philippe Aumasson, Samuel Neves, Zooko Wilcox-O'Hearn. BLAKE3: One Function, Fast Everywhere. https://github.com/BLAKE3-team/BLAKE3-specs/blob/master/blake3.pdf, 2020.
  [35] Jacqueline Brendel, Marc Fischlin, Felix Günther, Christian Janson. PRF-ODH: Relations, Instantiations, and Impossibility Results. Advances in Cryptology – CRYPTO 2017, 2017.
  [36] Jan Camenisch, Anna Lysyanskaya. Signature Schemes and Anonymous Credentials from Bilinear Maps. Advances in Cryptology – CRYPTO 2004, 2004.
  [37] Jan Camenisch, Els Van Herreweghen. Design and Implementation of the idemix Anonymous Credential System. Proceedings of the 9th ACM Conference on Computer and Communications Security (CCS), 2002.
  [38] Jean-Philippe Aumasson, Daniel J. Bernstein. SipHash: A Fast Short-Input PRF. Progress in Cryptology – INDOCRYPT 2012, 2012.
  [39] Jens Groth. On the Size of Pairing-Based Non-interactive Arguments. Advances in Cryptology – EUROCRYPT 2016, 2016.
  [40] Jeremy Horwitz, Ben Lynn. Toward Hierarchical Identity-Based Encryption. Advances in Cryptology – EUROCRYPT 2002, 2002.
  [41] John R. Douceur. The Sybil Attack. Revised Papers from the 1st International Workshop on Peer-to-Peer Systems (IPTPS), 2002.
  [42] Joseph K. Liu, Victor K. Wei, Duncan S. Wong. Linkable Spontaneous Anonymous Group Signature for Ad Hoc Groups. Information Security and Privacy – ACISP 2004, 2004.
  [43] Josh Benaloh. Ballot Casting Assurance via Voter-Initiated Poll Station Auditing. Proceedings of the 2006 USENIX/ACCURATE Electronic Voting Technology Workshop (EVT), 2006.
  [44] Vadim Lyubashevsky, Chris Peikert, Oded Regev. Lattice-Based Hierarchical Deterministic Key Derivation with Provable Unlinkability. Cryptology ePrint Archive, Report 2026/380, 2026.
  [45] Manu Sporny, Dave Longley, Markus Sabadello, Drummond Reed, Orie Steele, Christopher Allen. Decentralized Identifiers (DIDs) v1.0. 2022.
  [46] Manu Sporny, Dave Longley, David Chadwick. Verifiable Credentials Data Model v1.1. 2022.
  [47] Manuel Blum, Paul Feldman, Silvio Micali. Non-Interactive Zero-Knowledge and Its Applications. Proceedings of the 20th Annual ACM Symposium on Theory of Computing (STOC), 1988.
  [48] Marek Palatinus, Pavol Rusnak, Aaron Voisine, Sean Bowe. BIP-39. https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki, 2013.
  [49] Maria Borge, Eleftherios Kokoris-Kogias, Philipp Jovanovic, Linus Gasser, Nicolas Gailly, Bryan Ford. Proof-of-Personhood: Redemocratizing Permissionless Cryptocurrencies. Proceedings of the 2nd IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), 2017.
  [50] Markus Maiwald, Attila Vágvölgyi. Mosaic DID. 2026.
  [51] Melissa Chase, Sarah Meiklejohn, Greg Zaverucha. Algebraic MACs and Keyed-Verification Anonymous Credentials. Proceedings of the 21st ACM Conference on Computer and Communications Security (CCS), 2014.
  [52] Mihir Bellare, Daniele Micciancio, Bogdan Warinschi. Foundations of Group Signatures: Formal Definitions, Simplified Requirements, and a Construction Based on General Assumptions. Advances in Cryptology – EUROCRYPT 2003, 2003.
  [53] Nina Bindel, Jacqueline Brendel, Marc Fischlin, Brian Goncalves, Douglas Stebila. Hybrid Key Encapsulation Mechanisms and Authenticated Key Exchange. Post-Quantum Cryptography – PQCrypto 2019, 2019.
  [54] Peter Schwabe, Douglas Stebila, Thom Wiggers. Post-Quantum TLS Without Handshake Signatures. Proceedings of the 27th ACM Conference on Computer and Communications Security (CCS), 2020.
  [55] Peter W. Shor. Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer. SIAM Journal on Computing, 1997.
  [56] Pieter Wuille. BIP-32. https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki, 2012.
  [57] Qiang Cao, Michael Sirivianos, Xiaowei Yang, Tiago Pregueiro. Aiding the Detection of Fake Accounts in Large Scale Social Online Services. Proceedings of the 9th USENIX Symposium on Networked Systems Design and Implementation (NSDI), 2012.
  [58] Ronald L. Rivest, Adi Shamir, Yael Tauman. How to Leak a Secret. Advances in Cryptology – ASIACRYPT 2001, 2001.
  [59] Samuel M. Smith. Key Event Receipt Infrastructure (KERI). https://keri.one/, 2021.
  [60] Sean Bowe, Jack Grigg, Daira Hopwood. Recursive Proof Composition without a Trusted Setup. Cryptology ePrint Archive, Report 2019/1021, 2020.
  [61] Shafi Goldwasser, Silvio Micali, Charles Rackoff. The Knowledge Complexity of Interactive Proof Systems. SIAM Journal on Computing, 1989.
  [62] Torben Pryds Pedersen. Non-Interactive and Information-Theoretic Secure Verifiable Secret Sharing. Advances in Cryptology – CRYPTO '91, 1992.
  [63] Vadim Lyubashevsky, Gregor Seiler, Patrick Steuer. LaZer: A Lattice Library for Zero-Knowledge and Succinct Proofs. Proceedings of the 2024 ACM SIGSAC Conference on Computer and Communications Security (CCS), 2024.
  [64] Vipul Goyal, Omkant Pandey, Amit Sahai, Brent Waters. Attribute-Based Encryption for Fine-Grained Access Control of Encrypted Data. Proceedings of the 13th ACM Conference on Computer and Communications Security (CCS), 2006.
  [65] Ward Beullens, Gregor Seiler. LaBRADOR: Compact Proofs for R1CS from Module-SIS. Advances in Cryptology – CRYPTO 2023, 2023.
  [66] Wayne Whinfrey. Accumulator-Based Anonymous Credentials and Their Application to Identity Management. Cryptology ePrint Archive, Report 2023/414, 2023.
  [67] Whitfield Diffie, Martin E. Hellman. New Directions in Cryptography. IEEE Transactions on Information Theory, 1976.