Digital Certificates on Shamwari

CERTIFICATE ARCHITECTURE

The first JVM-native quantum-safe certificate

ShamwariCertificate extends java.security.cert.Certificate directly. Any JVM application that accepts standard certificates e.g web servers, payment terminals, enterprise middleware, accepts Shamwari certificates without modification, while gaining post-quantum security underneath.

java.security.cert.Certificate Interface

ShamwariCertificate is not an X.509 wrapper. It implements the raw Java Certificate interface that all JVM applications rely on. Web servers using JSSE, payment terminals using JCE, and enterprise middleware using Bouncy Castle all call the same interface methods and accept Shamwari certificates natively.

Dilithium-Signed Certificates

Every ShamwariCertificate is signed by the issuing authority account's Dilithium key (NIST FIPS 204). The certificate contains the subject's Dilithium public key, issuer account ID, validity block height range, and Kyber-encrypted metadata. Verification uses the issuer's on-chain Dilithium public key.

Block-Height Validity

Certificate validity is expressed in block heights rather than calendar dates. expirationHeight is precise and deterministic with no timezone ambiguity, no clock synchronisation issues. The AFTER_BLOCK_APPLY handler transitions expired certificates to EXPIRED status automatically.

On-Chain Revocation Status

Certificate status (ACTIVE, EXPIRED, REVOKED) is blockchain state. Every node in the network holds the current status. No Certificate Revocation List to distribute. No OCSP server to poll. No propagation delay. Status is always accurate and independently verifiable.

Certificate Data Model

issuerAccountId : Authority account that issued the certificate
subjectPublicKey : Subject's Dilithium public key (1312 bytes)
validFromHeight : Block height when certificate becomes active
expirationHeight : Block height when certificate expires (0 = no expiry)
isGlobal : Valid across all chains if true; issuing chain only if false
encryptedMetadata : Kyber-encrypted certificate metadata (readable only by subject)
issuerSignature : Dilithium signature by issuing authority account
certificateType : KYC_CREDENTIAL, INSTITUTION_LICENCE, TLS_CERT, etc.

Global vs Chain-Scoped Validity

Setting isGlobal = true makes a certificate valid and verifiable across all BetaChains simultaneously from a single issuance transaction on the CAPITAL chain. Chain-scoped certificates (isGlobal = false) are valid only on the issuing chain enabling jurisdiction-specific credentials alongside globally-valid identity certificates.

CERTIFICATE LIFECYCLE

Issuance, renewal, and revocation at consensus

All certificate lifecycle operations are consensus transactions verifiable by any node, permanent in blockchain state, and effective at the next block confirmation.

●

CERT_ISSUANCE

Authority account submits CERT_ISSUANCE transaction specifying subject public key, validity period, certificate type, global/chain scope, and Kyber-encrypted metadata. Certificate entity created in blockchain state from the next block.

CERT_ISSUANCE transaction

●

ACTIVE (CERT_ACTIVE)

Certificate is valid and verifiable from validFromHeight to expirationHeight. Any JVM application calls ShamwariCertificate.verify() for standard interface and no custom code. Verification queries the issuer's on-chain Dilithium public key.

cert.verify() → Dilithium check

●

CERT_RENEWAL

CERT_RENEWAL transaction before expirationHeight extends validity. Creates a new versioned certificate record linked to the original and full renewal history preserved on-chain. Renewal requires a transaction from the original issuing authority account.

CERT_RENEWAL transaction

●

CERT_REVOCATION

Immediate revocation via consensus transaction. Effective at the next block of approximately 12 seconds. Certificate status transitions to REVOKED in blockchain state. No CRL propagation, no OCSP delay. All nodes see REVOKED status immediately after the next block.

CERT_REVOCATION → effective next block

CERTIFICATE ISSUANCE

Who can issue certificates

Certificate issuance is restricted to organizations and authorised institutional account types. The protocol validates the issuer's account type at gate 4 (Account Type Gate) before any certificate is written to state.

Central Bank

Issues operating licences as on-chain certificates with block-height expiry. Licence status verifiable by any counterparty in real time with no third-party registry, no manual verification, no stale data risk.

Securities Regulator

Issues dealer licences, fund manager authorisations, and securities professional credentials. All credentials verifiable on-chain with Dilithium-signature proof of issuance.

Developer Accounts

DEVELOPER-type accounts can issue certificates for their applications in the App Store. Used for code signing, API access credentials, and application identity within the CAPITAL chain developer ecosystem.

USE CASES

Quantum-safe certificates in production

Every use case benefits from instant on-chain revocation, global validity, JVM-native interface, and ML-DSA Dilithium signatures with zero migration effort for existing JVM infrastructure.

KYC Credentials

Issue verified identity credentials that any chain participant verifies on-chain. KYC data Kyber-encrypted through which counterparties confirm KYC status without seeing underlying identity information. Institution-issued, blockchain-anchored, quantum-resistant.

Institutional Licences

Central Banks issue operating licences as on-chain certificates with block-height expiry dates. Any participant e.g counterparty, regulator, or auditor etc, verifies current licence status in real time by querying any node.

TLS for Node Infrastructure

Node operators use Shamwari certificates for TLS mutual authentication between nodes. Accepted natively by JVM-based infrastructure without custom certificate authorities. Quantum-safe TLS for all inter-node communication.

Code Signing

Developer accounts on the CAPITAL chain sign their applications with Shamwari certificates. App Store installations verify the certificate before executing any code. Instant revocation for compromised or withdrawn applications.

JVM Integration Example

Any Java application that currently calls cert.verify(publicKey) works with ShamwariCertificate unchanged. The implementation handles Dilithium verification internally. Existing infrastructure requires zero modification to accept post-quantum certificates.

Spring Boot TLS: add ShamwariCertificate to JSSE KeyStore
Enterprise middleware: ShamwariCertificate in Java TrustStore
Payment terminals: standard JCE Certificate interface, no changes
Bouncy Castle: implements same Certificate base class, compatible

Revocation Speed Comparison

Shamwari: ~12 seconds effective at next block, all nodes updated simultaneously
CRL (traditional): Hours to days, depends on CRL distribution interval and client caching
OCSP: Real-time for online check, but requires OCSP server availability and polling
OCSP Stapling: Hours, depends on staple refresh frequency

COMPARISON

Shamwari certificates vs traditional PKI

Traditional X.509 PKI infrastructure is built on ECDSA and RSA which are both vulnerable to Shor's algorithm on a quantum computer. Shamwari certificates deploy Dilithium from genesis with no migration path required.

Property	Shamwari Certificate	X.509 / ECDSA
Signature algorithm	ML-DSA Dilithium (NIST FIPS 204)	ECDSA / RSA (quantum-vulnerable)
Quantum resistance	Full: lattice-based, no known quantum attack	Vulnerable to Shor's algorithm
JVM integration	Native java.security.cert.Certificate	Standard X.509 via JSSE/JCE
Revocation	Instant on-chain: in next block (~12s)	CRL (hours/days) or OCSP (polling)
Revocation infrastructure	Zero; blockchain state only	CRL servers, OCSP responders
Global validity	Single issuance, all chains	PKI hierarchy, multiple CAs
Expiry mechanism	Block height: deterministic, timezone-free	Calendar date: timezone, clock sync
Audit trail	Immutable blockchain state	CA logs, CT logs (optional)
Migration required	None: PQC from genesis	Full PKI migration required by 2030

Digital Certificates