Protocol Whitepaper — AstraCipher

Abstract

The proliferation of autonomous AI agents — now exceeding 3 million active deployments in the US and UK alone — has created an identity crisis in software systems. Unlike human users, AI agents lack standardized mechanisms for proving who they are, what they are authorized to do, and who is accountable for their actions.

AstraCipher is an open-source protocol that provides every AI agent with a verifiable, quantum-safe cryptographic identity. Built on W3C Decentralized Identifiers (DIDs), W3C Verifiable Credentials, and NIST-standardized post-quantum cryptography (FIPS 203/204), the protocol enables:

Agent identity — globally unique, self-sovereign DIDs with hybrid post-quantum signing
Capability-bounded authorization — verifiable credentials that define exactly what an agent can do
Delegated trust — cryptographic trust chains from human sponsors to autonomous sub-agents
Offline verification — credential verification without contacting a central authority

1. Introduction

1.1 The Agent Economy

The year 2025-2026 marks a transition from AI assistants — models that respond to human prompts — to AI agents: autonomous systems that plan, execute, and delegate tasks across organizational boundaries. Gartner predicts that by 2028, 33% of enterprise software applications will include agentic AI, up from less than 1% in 2024.

This transition creates a fundamental identity problem. When a human uses an API, the identity chain is clear: the human authenticates, obtains a session token, and the API trusts the token. When an AI agent acts autonomously — spawning sub-agents, calling external APIs, modifying data — the identity chain breaks:

Who is this agent? There is no standardized way for an agent to prove its identity.
What can it do? Bearer tokens grant binary access (all or nothing), with no fine-grained capability boundaries.
Who authorized it? When an agent spawns a sub-agent, there is no cryptographic proof of the delegation chain back to a human sponsor.
Can we audit it? Without identity, agent actions cannot be attributed or traced.

1.2 Why Existing Solutions Fail

Mechanism	Limitation for Agents
API Keys	Static shared secrets; no identity, no capability boundaries
OAuth 2.0	Requires human-in-the-loop for consent; short-lived tokens need refresh
mTLS	Certificate-based but no capability model; cumbersome rotation
JWT	Issuer-dependent verification; no post-quantum resistance
SPIFFE/SPIRE	Workload identity, not agent identity; no credential model

None of these provide the combination of: (a) autonomous agent identity, (b) capability-bounded authorization, (c) delegated trust chains, and (d) post-quantum cryptographic security.

1.3 AstraCipher Approach

AstraCipher addresses this gap with a layered protocol:

┌─────────────────────────────────────────────────┐
│             Application Layer                    │
│  MCP Server · A2A Adapter · CLI · REST API      │
├─────────────────────────────────────────────────┤
│             Trust Layer                          │
│  Trust Chains · Delegation · Revocation         │
├─────────────────────────────────────────────────┤
│             Credential Layer                     │
│  Verifiable Credentials · Capabilities          │
├─────────────────────────────────────────────────┤
│             Identity Layer                       │
│  W3C DIDs · DID Documents · Key Management      │
├─────────────────────────────────────────────────┤
│             Cryptographic Layer                  │
│  ML-DSA-65 · ML-KEM-768 · ECDSA P-256          │
└─────────────────────────────────────────────────┘

2. Problem Statement

2.1 Scale of the Identity Gap

According to the Gravitee State of AI Agent Security Report (2026):

3 million AI agents are active in the US and UK, with 1.5 million running without oversight
88% of organizations report confirmed or suspected AI agent security incidents
44% still authenticate agents using static API keys
Only 22% of teams treat agents as independent, identity-bearing entities

2.2 Threat Landscape

The absence of agent identity enables several attack vectors:

Agent impersonation — An adversary creates a rogue agent that claims to be a trusted service.
Privilege escalation — Agents authenticated with static API keys inherit the full permissions of the key.
Unauthorized delegation — An agent spawns sub-agents that inherit its full permissions. A single compromised agent can poison 87% of downstream decisions within 4 hours.
Accountability gap — Without identity, agent actions cannot be traced back to a responsible human or organization.
Quantum harvest attacks — Nation-state adversaries are recording encrypted agent communications today for future decryption with quantum computers.

2.3 Design Requirements

Requirement	Description
R1	Self-sovereign identity — Agents must have globally unique identifiers that do not depend on a central authority
R2	Cryptographic authentication — Identity claims must be provable via digital signatures
R3	Capability bounding — Credentials must define specific capabilities and permissions
R4	Delegated trust — Trust must be delegable with monotonically decreasing permissions
R5	Offline verification — Credentials must be verifiable without contacting the issuer
R6	Quantum resistance — Cryptographic primitives must resist quantum computer attacks
R7	Auditability — All agent actions must be traceable to a verified identity
R8	Interoperability — The protocol must integrate with existing agent frameworks (MCP, A2A)

3. Protocol Architecture

3.1 System Model

The AstraCipher protocol defines four roles:

Creator — The root of trust, typically a human or organization.
Authorizer — An entity that issues credentials and delegates trust. Must itself have a valid trust chain.
Agent — An autonomous AI agent with a DID and one or more credentials.
Sub-agent — An agent spawned by another agent, with strictly fewer permissions.

3.2 Protocol Flow

1. IDENTITY:   Creator generates hybrid keypair → creates DID document
2. CREDENTIAL: Authorizer issues verifiable credential → defines capabilities
3. DELEGATION: Agent delegates to sub-agent → trust chain extends
4. ACTION:     Agent presents credential → verifier checks offline
5. AUDIT:      Action logged with DID → cryptographic audit trail
6. REVOCATION: Creator/Authorizer revokes credential → agent loses access

3.3 Network Model

AstraCipher supports three network modes: Mainnet (production), Testnet (development), and Local (air-gapped). The DID method is did:astracipher:<network>:<unique-id>.

4. Cryptographic Design

4.1 Algorithm Selection

Function	Algorithm	Standard	Security Level
Digital signatures (PQC)	ML-DSA-65	FIPS 204	NIST Level 3
Digital signatures (Classical)	ECDSA P-256	FIPS 186-5	128-bit classical
Key encapsulation	ML-KEM-768	FIPS 203	NIST Level 3
Hashing	SHA-256	FIPS 180-4	128-bit
Key derivation	HKDF-SHA-256	RFC 5869	128-bit

4.2 Hybrid Signature Scheme

The protocol uses a hybrid signature scheme that combines ML-DSA-65 and ECDSA P-256. Both signatures must verify for the overall verification to succeed.

HybridSign(message, hybridKey):
  1. canonicalMsg = CanonicalJSON(message)
  2. msgBytes = UTF8Encode(canonicalMsg)
  3. pqcSig = ML-DSA-65.Sign(hybridKey.pqc.secretKey, msgBytes)
  4. msgHash = SHA-256(msgBytes)
  5. classicalSig = ECDSA-P256.Sign(hybridKey.classical.secretKey, msgHash)
  6. return { pqcSignature, classicalSignature, timestamp, messageHash }

HybridVerify(message, signature, publicKeys):
  1. Check signature freshness (< 24 hours by default)
  2. canonicalMsg = CanonicalJSON(message)
  3. msgBytes = UTF8Encode(canonicalMsg)
  4. pqcValid = ML-DSA-65.Verify(publicKeys.pqc, msgBytes, signature.pqc)
  5. msgHash = SHA-256(msgBytes)
  6. classicalValid = ECDSA-P256.Verify(publicKeys.classical, msgHash, signature.classical)
  7. return pqcValid AND classicalValid

4.3 Key Sizes

Key Type	Public Key	Secret Key	Signature
ML-DSA-65	1,952 bytes	4,032 bytes	3,309 bytes
ECDSA P-256	33 bytes	32 bytes	64 bytes
ML-KEM-768	1,184 bytes	2,400 bytes	N/A

5. Decentralized Identifiers for Agents

5.1 DID Method: `did:astracipher`

Each agent identity is a W3C DID conforming to the DID Core specification. The unique ID is derived from the SHA-256 hash of the combined public key material.

did:astracipher:<network>:<unique-id>

Examples:
  did:astracipher:mainnet:c2e3d421c83a3cbe7faf6738
  did:astracipher:testnet:48ead5c80fd55b31ee2d354f

5.2 DID Document Structure

{
  "@context": ["https://www.w3.org/ns/did/v1", "https://astracipher.com/ns/v1"],
  "id": "did:astracipher:testnet:c2e3d421c83a3cbe",
  "controller": "did:astracipher:testnet:c2e3d421c83a3cbe",
  "verificationMethod": [
    { "id": "...#key-pqc-1", "type": "ML-DSA-65-2024", "publicKeyMultibase": "u..." },
    { "id": "...#key-classical-1", "type": "EcdsaSecp256r1VerificationKey2019", "publicKeyMultibase": "u..." }
  ],
  "authentication": ["...#key-pqc-1", "...#key-classical-1"],
  "assertionMethod": ["...#key-pqc-1", "...#key-classical-1"]
}

5.3 DID Operations

Operation	Description
Create	Generate hybrid keypair, construct DID document, self-sign
Resolve	Look up DID document from registry or cache
Verify	Verify the DID document's self-signature
Update	Modify service endpoints or add verification methods (signed by controller)
Deactivate	Mark DID as revoked (signed by controller)

6. Verifiable Credentials

6.1 Agent Identity Credential

An Agent Identity Credential is a W3C Verifiable Credential that binds an agent's DID to a set of capabilities, permissions, and constraints.

{
  "@context": ["https://www.w3.org/2018/credentials/v1", "https://astracipher.com/credentials/v1"],
  "type": ["VerifiableCredential", "AgentIdentityCredential"],
  "issuer": "did:astracipher:testnet:<issuer-id>",
  "credentialSubject": {
    "id": "did:astracipher:testnet:<agent-id>",
    "name": "trading-bot-alpha",
    "capabilities": ["market-data:read", "orders:execute"],
    "permissions": [{ "resource": "equity/*", "actions": ["read", "execute"] }],
    "trustLevel": 7,
    "rateLimits": { "requestsPerMinute": 100 }
  },
  "proof": { /* hybrid signature by issuer */ }
}

6.2 Capability Model

Capabilities are coarse-grained labels (e.g., market-data:read). Permissions are fine-grained resource-action pairs with glob pattern matching: equity/* matches equity/RELIANCE, equity/TCS, etc.

6.3 Trust Levels

Trust levels range from 1 (minimal) to 10 (maximum). They are advisory and can be used by verifiers to make risk-based decisions.

7. Trust Chain Model

7.1 Chain Structure

Creator (depth 0) → Authorizer (depth 1) → Agent (depth 2) → Sub-agent (depth 3)

7.2 Monotonic Capability Reduction

Each link in the trust chain can only have equal or fewer capabilities than its parent. This is enforced by intersecting capabilities at each delegation step.

7.3 Chain Verification

Verifying a trust chain requires: (1) the root link has no parent and is self-signed, (2) each subsequent link has a valid authorization signature from its parent, (3) capabilities monotonically decrease, (4) delegation depth limits are respected, and (5) no credentials are expired or revoked.

8. Threat Model and Security Analysis

8.1 Security Properties

Property	Mechanism
Identity unforgeability	Hybrid signatures; forging requires breaking both ML-DSA-65 AND ECDSA P-256
Credential integrity	Signed by issuer; any modification invalidates the signature
Replay protection	Nonces and signature freshness checks
Delegation bounding	Monotonic capability reduction and depth limits
Forward secrecy	ML-KEM-768 key encapsulation for ephemeral shared secrets
Quantum resistance	ML-DSA-65 and ML-KEM-768 resist quantum attacks

9. Protocol Integration

9.1 Model Context Protocol (MCP)

AstraCipher provides an MCP Server that exposes identity operations as tools: create_agent_identity, verify_agent_credential, and check_agent_permission. Any MCP-compatible AI agent can use these tools to establish and verify identity.

9.2 Google Agent-to-Agent (A2A)

The A2A adapter enriches the Agent Card (.well-known/agent-card.json) with agent DID, verification methods, trust chain metadata, and credential-based skill declarations.

10. Regulatory Compliance

Framework	Key Requirement	AstraCipher Mapping
EU AI Act	Traceability and human oversight	Trust chains trace to human creators
DPDP Act (India)	Data processor accountability	DID-based audit trail per agent
SEBI CSCRF	Cybersecurity controls for financial data	Capability-bounded access with rate limits
SOC 2	Access controls and audit logging	Verifiable credentials + signed audit logs
HIPAA	PHI access controls	Permission-based resource scoping
GDPR	Data processing accountability	DID-linked processing records

11. Implementation and Performance

11.1 SDK Packages

Package	Description
`@astracipher/crypto`	Post-quantum cryptographic primitives
`@astracipher/core`	DID, Credential, Trust Chain management
`@astracipher/cli`	Command-line interface
`@astracipher/compliance-core`	Regulatory compliance engine
`@astracipher/mcp-server`	MCP protocol integration
`@astracipher/a2a-adapter`	Google A2A protocol adapter
`astracipher` (Python)	Async Python client bindings

11.2 Performance Benchmarks

Measured on Apple M2 Pro, Node.js 22:

Operation	Time
ML-DSA-65 key generation	~15ms
ECDSA P-256 key generation	~1ms
Hybrid key generation	~16ms
DID creation (with key gen)	~100ms
Credential issuance (with signing)	~30ms
Credential verification	~45ms
Trust chain verification (4 links)	~120ms

SPIFFE/SPIRE — Workload identity for microservices. Focuses on infrastructure-level identity, not agent capabilities or trust chains.
Teleport Machine ID — Machine identity with certificate-based auth. Does not provide post-quantum security.
CyberArk Machine Identity — Enterprise secrets management. Centralized model incompatible with decentralized agent ecosystems.
DIDComm — Secure messaging over DIDs. Complementary to AstraCipher; could be used as a transport layer.
Veramo — DID toolkit. Provides DID infrastructure but no agent-specific credential model or trust chains.

13. Future Work

Formal verification of the trust chain model using TLA+ or Lean 4
DID resolution protocol with gossip-based discovery for decentralized networks
Revocation lists using Merkle-tree accumulators for efficient credential revocation
Multi-party credentials where multiple issuers co-sign a credential
Threshold signatures for high-security agent operations
Hardware key storage integration (TPM, HSM, WebAuthn)
Cross-chain DID anchoring for tamper-evident identity records

14. References

W3C. "Decentralized Identifiers (DIDs) v1.0." W3C Recommendation, July 2022.
W3C. "Verifiable Credentials Data Model v2.0." W3C Recommendation, March 2025.
NIST. "FIPS 204: Module-Lattice-Based Digital Signature Standard (ML-DSA)." August 2024.
NIST. "FIPS 203: Module-Lattice-Based Key-Encapsulation Mechanism Standard (ML-KEM)." August 2024.
OWASP. "Top 10 for Agentic Applications." December 2025.
Gravitee. "State of AI Agent Security 2026." February 2026.
NSA. "CNSA 2.0: Cybersecurity Advisory on Post-Quantum Cryptography." September 2022.
Strata Identity / CSA. "The State of Machine (Non-Human) Identity Security." 2026.
Gartner. "Predicts 2026: Agentic AI." October 2025.
NIST. "AI 600-1: Artificial Intelligence Risk Management Framework." July 2024.

AstraCipher is open-source software under the BSL 1.1 license (converts to Apache 2.0 on February 18, 2030). For more information, visit astracipher.com.

AstraCipher Protocol Whitepaper

Table of Contents