ARIA v1.0

Post-Quantum Cryptography in ARIA

ARIA is post-quantum native from day one — not a migration target.

Why Post-Quantum Now?

NIST's timeline for post-quantum migration (NIST IR 8547) requires that classical-only cryptography be deprecated by 2030 and disallowed by 2035.

AI agent identity documents are long-lived (1 year) and the underlying trust relationships persist even longer. Harvest-now-decrypt-later attacks are already underway — intercepting encrypted traffic today to decrypt it once quantum computers become capable.

ARIA's stance: ship PQC-native in 2026, never migrate.

ARIA's Hybrid Composite Scheme

ARIA uses hybrid ML-DSA-65 + Ed25519 composite signatures:

| Component | Algorithm | Standard | Key Size | Signature Size |
|-----------|-----------|----------|----------|----------------|
| Post-Quantum (primary) | ML-DSA-65 | NIST FIPS 204 | 1,952 B pub / 4,032 B priv | 3,293 B |
| Classical (compat) | Ed25519 | RFC 8032 | 32 B pub / 64 B priv | 64 B |
| Composite | ML-DSA-65 + Ed25519 | IETF draft | 1,984 B pub | 3,357 B |

Both signatures must verify. If either fails, the composite verification fails.

Cryptosuite name: mldsa65-ed25519-2026

Why Hybrid?

  • Security: If ML-DSA-65 has a flaw, Ed25519 still protects
  • Compatibility: Systems that only understand Ed25519 can still verify the classical component
  • Transition: As the ecosystem adopts PQC, the Ed25519 component becomes vestigial

Why ML-DSA-65?

ML-DSA (Module Lattice Digital Signature Algorithm) is NIST FIPS 204 — the NIST-standardized post-quantum signature algorithm. Level 3 (Category 3, equivalent to AES-192 security level) was chosen as the right balance of security and performance for AID issuance.

Performance on modern hardware:

  • Key generation: ~0.5ms
  • Signing: ~3.7ms
  • Verification: ~1.8ms

DNS Anchoring Challenge

ML-DSA-65 signatures are ~3,293 bytes — far exceeding practical DNS TXT record limits (~255 bytes per string, ~4,000 bytes total). ARIA solves this with an indirection model:

The DNS TXT record contains a SHA-256 hash of the full AID and a resolution URL:

_aria.space.bar. TXT "v=ARIA1;id=did:aria:space.bar:agent-001;h=sha256:7f83b...;r=https://api.aria.bar/v1/aids/..."

Verifiers:

  1. Fetch DNS TXT record
  2. Follow resolution URL to get full AID
  3. Compute SHA-256 of fetched AID
  4. Compare with DNS hash (integrity check)
  5. Verify composite signature (authenticity check)
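The five verifier steps above, minus the network calls, as an added example that is not ARIA's own code. It assumes the hash covers the exact bytes served at the resolution URL, that field values contain no ';', and that the caller supplies the composite check as a callback (verifyComposite is a hypothetical name); the record and AID are constructed sample data.

```javascript
const crypto = require('node:crypto');

// Step 1 output -> fields. `chunks` is one TXT record as Node's dns.resolveTxt()
// returns it: an array of strings of at most 255 bytes that must be joined.
function parseAriaTxt(chunks) {
  const fields = Object.create(null);
  for (const part of chunks.join('').split(';')) {
    const i = part.indexOf('=');
    if (i < 1) throw new Error('malformed field: ' + part);
    const key = part.slice(0, i);
    if (key in fields) throw new Error('duplicate field: ' + key);
    fields[key] = part.slice(i + 1);
  }
  if (fields.v !== 'ARIA1') throw new Error('unsupported version');
  const m = /^sha256:([0-9a-f]{64})$/.exec(fields.h || '');
  if (!m) throw new Error('missing or malformed h= field');
  const url = new URL(fields.r || '');
  if (url.protocol !== 'https:') throw new Error('resolution URL must be https');
  return { id: fields.id, hash: Buffer.from(m[1], 'hex'), url: url.href };
}

// Steps 3-5 on the bytes fetched from the resolution URL (step 2).
// verifyComposite is a caller-supplied callback (hypothetical name) that must
// return true only when both the ML-DSA-65 and Ed25519 signatures verify.
function checkFetchedAid(record, aidBytes, verifyComposite) {
  const digest = crypto.createHash('sha256').update(aidBytes).digest();
  if (!digest.equals(record.hash)) return 'hash-mismatch';
  // A matching hash only ties the document to the DNS record; the signature
  // check is still what establishes who issued it.
  return verifyComposite(aidBytes) === true ? 'ok' : 'bad-signature';
}

// Constructed sample data, not real ARIA values.
const sampleAid = Buffer.from('{"id":"did:aria:example.test:agent-001"}');
const sampleHex = crypto.createHash('sha256').update(sampleAid).digest('hex');
const sampleTxt = [
  'v=ARIA1;id=did:aria:example.test:agent-001;h=sha256:' + sampleHex.slice(0, 20),
  sampleHex.slice(20) + ';r=https://api.example.test/v1/aids/agent-001',
];

const record = parseAriaTxt(sampleTxt);
console.log(checkFetchedAid(record, sampleAid, () => true));
console.log(checkFetchedAid(record, Buffer.from('tampered'), () => true));
console.log(checkFetchedAid(record, sampleAid, () => false));
```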

Libraries

ARIA uses @noble/post-quantum v0.5.4+ for its ML-DSA-65 implementation.

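import { ml_dsa65 } from '@noble/post-quantum/ml-dsa.js';
import { ed25519 } from '@noble/curves/ed25519';

// @noble/post-quantum 0.5.x takes (signature, message, publicKey), the same
// argument order as @noble/curves, and exports its modules with a .js suffix.
// payload is the signed bytes as a Uint8Array.
const pqValid = ml_dsa65.verify(pqSignature, payload, pqPubKey);
const classicValid = ed25519.verify(classicSig, payload, classicPubKey);
// Both must verify
const valid = pqValid && classicValid;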

Timeline Alignment

2026 — ARIA v1.0: ML-DSA-65 primary, Ed25519 hybrid companion
2030 — NIST deprecation: Classical-only AIDs rejected by ARIA registry
2035 — NIST disallowed: Hybrid deprecated, PQC-only enforced

ARIA is ahead of the curve — no migration needed.