What is AMATELUS?

AMATELUS is a decentralized identity protocol that enables secure, privacy-preserving identity verification without relying on blockchain, centralized authorities, or external registries. The protocol's cryptographic and architectural properties are formally verified using the Lean 4 theorem prover, ensuring mathematical correctness and security guarantees that go beyond standard implementation testing.

🔐

Cryptographically Secure

DID (Decentralized Identifier) generation using SHA3-512 hash functions ensures permanent uniqueness and post-quantum collision resistance.

👤

Privacy-First Design

No central registry means your identities cannot be enumerated or tracked across services. Use different DIDs with different service providers.

🤝

Zero-Knowledge Proofs

Prove attributes and credentials without revealing personal information. Verify that you meet requirements without disclosing the details.

Offline-First Resolution

DIDs resolve locally. No network calls to central authorities. You can verify identities completely offline when needed.

✔️

Formally Verified

Cryptographic and architectural properties are formally proven using Lean 4. Mathematical correctness goes beyond implementation testing.

🧮

Mathematically Proven

Security guarantees are mathematically sound. Replay resistance, impersonation prevention, and Sybil attack resilience are all formally verified.

Challenges of Traditional DID/VC Systems

Existing DID and Verifiable Credential approaches face significant real-world implementation challenges, particularly in government and administrative contexts. AMATELUS addresses these issues:

🔗

Centralized Registry Dependency

Traditional Approach: Many DID systems rely on blockchain (Ethereum, Hyperledger) or IPFS for storing DID documents and resolution.

Problem: Government and administrative agencies struggle to adopt technologies that require external infrastructure, cryptocurrency knowledge, or distributed ledger participation. Regulatory barriers and operational complexity make deployment difficult.

AMATELUS Solution: DIDs resolve locally using only cryptographic mathematics. No blockchain, no IPFS, no external dependencies. Self-sovereign by design—perfect for government deployment.

👥

Linkability Through Selective Disclosure

Traditional Approach: Selective disclosure in standard VC systems allows proving specific claims while hiding others. However, the set of disclosed attributes can become a unique fingerprint.

Problem: When multiple credentials are presented with selective disclosure, verifiers can correlate the same person across different transactions by matching disclosed attributes and patterns. This inadvertently enables name-matching (name-linking attacks) and reveals unnecessary personal information despite privacy claims.

AMATELUS Solution: Zero-knowledge proofs allow you to prove claims without revealing the underlying attributes. Different proofs for different services cannot be linked. You prove "I meet the requirement" without revealing "what requirement" or "how many times" you proved it.

📋

Audit Trail vs. Privacy Trade-off

Traditional Approach: When zero-knowledge proofs are used extensively, administrators cannot audit who proved what credentials to whom. The system becomes cryptographically opaque.

Problem: Government agencies and regulated institutions need audit mechanisms for fraud detection and accountability. Yet full cryptographic privacy (via ZKPs) eliminates the possibility of conducting post-hoc audits or investigations, creating a false choice between privacy and governance.

AMATELUS Solution: AMATELUS supports optional, context-specific audit mechanisms. Verifiers can optionally record proof metadata (timestamp, which credential was proved, to whom). This enables auditing for government services while users can still use different DIDs with different providers to maintain privacy across contexts. Audit capability is decoupled from cryptographic privacy.

Clean Protocol Design: Protocol Layer vs. Application Layer

AMATELUS makes a clear distinction between what the cryptographic protocol guarantees and what applications must implement. This separation of concerns creates a minimal, focused protocol while allowing applications to add features without protocol complexity.

🔐

AMATELUS Protocol Layer (Mandatory)

What AMATELUS Guarantees:

  • Impersonation Attack Prevention: DIDComm's secret key correspondence certainty makes impersonation cryptographically impossible. Attackers with different secret keys cannot reuse legitimate ZKPs.
  • Privacy through Decentralization: No blockchain, no IPFS, no external registries. Complete local resolution.
  • Formal Verification: Cryptographic properties proven with Lean 4 theorem prover.
  • Zero-Knowledge Proofs: Prove attributes without revealing identity or personal details.
🏗️

Application Layer

What Your Application Implements:

  • Session Management: Create new communication DIDs for each session to maintain privacy.
  • Audit Logging: Record proof metadata (timestamp, which credential, to whom) as needed for compliance or fraud detection.
  • Service-Specific Policies: Implement authorization, rate limiting, fraud detection specific to your service.

Core Components

1. Decentralized Identifiers (DIDs)

Format: did:amt:XXXXXXXXXXXXX

A unique identifier algorithmically generated from your public key and version number. No registration required. Generated and controlled entirely by you.

  • Uses Ed25519 cryptographic signatures (v0)
  • Encoded with Crockford's Base32 for human readability
  • Immutable once created
  • Ready for post-quantum cryptography upgrade (PQC)

2. Verifiable Credentials (VCs)

Digital certificates issued by trusted parties (governments, banks, employers, etc.) that attest to your attributes or qualifications.

  • Cryptographically signed by the issuer
  • Can be stored in your wallet application
  • Includes validity periods and revocation information
  • Interoperable with W3C VC standards

Examples: Government ID, University degree, Banking certificate, Age verification

3. Zero-Knowledge Proofs (ZKPs)

Cryptographic proofs that allow you to prove claims about yourself without revealing the underlying information.

  • Prove "I am over 18" without revealing your birth date
  • Prove "I am a resident of Japan" without revealing your address
  • Prove "I have a valid license" without showing the license number

Service providers can verify these claims instantly, locally, without contacting authorities.

How It Works

1

Generate Your Identity

You create a DID by generating a cryptographic key pair on your device. Your public key is hashed to create a unique identifier.

2

Obtain Credentials

Trusted issuers (governments, financial institutions, etc.) can issue Verifiable Credentials to your DID, attesting to your attributes or qualifications.

3

Store in Your Wallet

Your DIDs and credentials are stored in a wallet application on your device. You maintain complete control—nothing is stored on centralized servers.

4

Prove Your Claims

When a service requires verification, use zero-knowledge proofs to prove you have the necessary credentials without revealing unnecessary details.

5

Instant Verification

Service providers verify your proofs using your public key—completely offline and without contacting any central authority.

Why AMATELUS is Different

Feature
AMATELUS
Blockchain DIDs
Centralized Systems
External Registry
Not needed
Blockchain required
Central server
Privacy
Excellent
Public ledger
Surveilled
Resolution Cost
Free (local)
Network fees
Infrastructure costs
Offline Capability
Full support
No
No
Scalability
Unlimited
Limited
Limited

Use Cases

🏦 Banking & Finance

Customers prove identity and compliance requirements to banks without the bank accessing centralized databases. KYC verification becomes instant and private.

🏛️ Government Services

Citizens can prove eligibility for benefits, licenses, or permits without revealing sensitive personal information. Complete audit trail with privacy.

🎓 Education

Universities issue digital diplomas and credentials. Graduates can prove their qualifications to employers without the employer contacting the university.

🏥 Healthcare

Patients prove medical qualifications or eligibility for treatments while keeping sensitive health records completely private.

🗳️ Voting Systems

Voters prove eligibility (citizenship, age, residency) with zero knowledge of individual identity. Complete privacy with verifiable outcomes.

🏷️ Access Control

Physical or digital access (venues, facilities, networks) can verify claims about visitors without storing personal data.

Formal Properties (Proven with Lean 4)

Cryptographic Integrity

DID generation, VC issuance, and ZKP generation are cryptographically secure and mathematically verified.

Trust Propagation

Trust chains through credential issuance are mathematically sound. You can verify the entire chain of trust.

Privacy Protection

Using different DIDs prevents cross-service linking. No central authority can track your activities across platforms.

Audit Mechanism

Appropriate audit capabilities exist for specific contexts (like government service fraud prevention) without compromising privacy.

External Independence

DID resolution doesn't depend on external services, blockchains, or DNS. Complete self-sovereignty.

Revocation Independence

Credential verification doesn't require checking real-time revocation lists. Security is independent of revocation service availability.

What AMATELUS Does NOT Provide

It's important to understand the protocol's scope and limitations:

Directory Service

There's no central registry to "look up" someone's identity. This is intentional—it protects privacy. DIDs are only known to those the owner shares them with.

Message Transport Layer

AMATELUS doesn't handle how messages get from your wallet to a service provider. That's the responsibility of each service. (Usually HTTPS/TLS)

Authorization Decisions

After identity is verified, whether to grant access or services is entirely up to the service provider. AMATELUS only handles identity verification.

Endpoint Management

How to contact a service provider (email, phone, API endpoint) is not part of AMATELUS. Each service manages its own contact methods.

Technical Specifications

Current Version (v0)

  • Hash Function: SHA3-512 (post-quantum resistant)
  • Signature Algorithm: Ed25519 (modern, efficient)
  • Encoding: Crockford's Base32 (human-readable)
  • Data Format: JSON-LD (W3C compliant)
  • Standards: W3C DID Core, W3C Verifiable Credentials

Future Direction (Post-Quantum)

AMATELUS is designed with "cryptographic agility" for future evolution:

  • v1+ Planned: Post-Quantum Cryptography (PQC) signatures
  • Format Evolution: CBOR binary format for PQC large key sizes
  • Backward Compatibility: Version numbers enable interoperability during transition

Resources & Documentation

📖 Full Specification (Blueprint)

Complete technical documentation with formal proofs, cryptographic definitions, and detailed protocol specifications.

📄 PDF Version

Downloadable PDF of the complete blueprint for offline reading.

🔗 Dependency Graph

Visual representation of how different components and definitions relate to each other.

📚 API Documentation

Developer documentation for implementation and integration.

💻 GitHub Repository

Source code and open issues. Community contributions welcome.