IOTA Identity 1.7 Beta

Post-Quantum Security and Public Verifiable Credentials

TL;DR:
IOTA Identity 1.7 Beta ensures credentials issued today stay secure in the future. It introduces post-quantum and hybrid signatures for Verifiable Credentials, developed with the LINKS Foundation. It also adds on-chain public credentials for transparency and streamlined key handling, making digital identity more efficient, interoperable, and ready for real-world adoption.

In the future, computers that use the laws of quantum mechanics could break much of today’s widely used public-key cryptography – the cryptographic foundation that secures blockchains, digital identities, and most internet communications. Algorithms considered secure today could be vulnerable to quantum attacks, allowing malicious actors to forge signatures, impersonate identities, or alter records.

The release of the 1.7 Beta version of IOTA Identity introduces post-quantum cryptography to protect digital credentials from these future threats before they become a reality. This proactive approach means that credentials issued today could remain secure for decades, ensuring that secrets stored today won’t be unveiled in the future.

Secure Signatures for a Post-Quantum Era

In collaboration with the non-profit research center LINKS Foundation, this release brings two new signature methods for Verifiable Credentials – digital certificates that can be instantly verified without relying on a central authority.

Post-Quantum Signatures are built on algorithms specifically designed to resist attacks from quantum computers. This release implements ML-DSA, an algorithm recommended by NIST (the US National Institute of Standards and Technology) for post-quantum cryptography. Credentials signed this way are designed to remain secure even decades into a post-quantum future, ensuring long-term protection for digital identities.
Hybrid Signatures combine traditional cryptographic algorithms with post-quantum algorithms like ML-DSA. This “best of both worlds” approach offers strong future-proofing while maintaining full compatibility with today’s infrastructure. Organizations using hybrid signatures can begin adopting post-quantum security gradually, without replacing their existing systems.

Note: post-quantum signatures are included in this release as an experimental feature. They are ready for testing and developer experimentation, but not yet recommended for production deployments. This allows the community to start exploring while testing and alignment with NIST standards evolves.

On-Chain Credentials

Until now, Verifiable Credentials in IOTA Identity were typically exchanged privately off-chain – fine for personal data, but not for credentials that benefit from being publicly available.

With IOTA Identity 1.7, organizations can now publish Verifiable Credentials directly on-chain to a public IOTA address.

This makes Credentials instantly discoverable and verifiable through a DID Document, turning them into publicly accessible proofs – enabling anyone to confirm their authenticity without needing a private exchange.

This is especially useful for organizational or product-related credentials such as certifications, technical specifications, or proofs of origin — cases where transparency and broad accessibility matter. At the same time, sensitive personal data remains unsuitable for this feature due to privacy regulations like GDPR.