Role of Public Key Cryptography in Self-Sovereign Identity

PKI is an encryption and digital signatures framework that ensure secure communication between two entities, and is a building block of SSI.

You must have heard the words “cryptography” and “public-private key” in the context of data security. But what are they really? And why should you care?

To answer these questions, let’s get a bit into the basics of Public Key Infrastructure (PKI) and its application in a digital identity framework called Self-Sovereign Identity (SSI).

What is Public Key Infrastructure?

In simple terms, public key infrastructure is a framework for encryption and digital signatures that ensure secure communication between two entities. The use of encryption algorithms and private-public key pair make this framework highly conducive for the secure transfer of data.


Encryption is done with a mathematical algorithm that takes a typed text as its input and runs it through mathematical permutations to create a long output with alphanumeric characters, thereby making it difficult to break or hack into.

Asymmetric encryption is a kind of encryption implemented with a private-public key pair.

Public and Private Keys

A pair of keys, called the public-private key pair, work in tandem with each other, such that you can’t use one without the other.

As the name suggests, the private key is kept private by an entity while the public key is shared with the recipient(s).

Let’s understand this with an example where John and Mary are communicating with each other.

  • John initiates a conversation with Mary and asks for her public key, which Mary shares with him.
  • John writes a message and encrypts it with Mary’s public key and sends it to her.
  • Since Mary has the associated private key, she decrypts John’s message using her private key and reads it.
  • To respond, she asks for John’s public key, which he shares
  • Mary encrypts the message with John’s public key and sends it to him.
  • John decrypts the message with his private key and reads the message.

Since it’s impossible to decrypt a message without the associated private key, there’s no motivation for hackers to intercept it. This is what makes PKI a secure way of communicating over open networks like the Internet.

Role of PKI in SSI

Self-Sovereign Identity (SSI) is a philosophy where you own your data, store it in a place of your choosing like a digital identity wallet, and share it with just the entities you want to.

There are many ways to implement SSI using cryptographic keys, and in this article, let’s look at two methods.

Using a Unique Digital Identifier

In this implementation, a unique digital identifier (typically a large number) is also generated along with your private-public key pair. You must register the public key and the unique digital identifier on the blockchain while the private key can be stored in a digital wallet.

At the time of authentication, the system looks up the unique identifier and the associated public key while you prove the ownership of this identifier with your private key.

Using Digital Signatures

Another implementation is through decentralized identifiers and verifiable credentials.

There are three parties to this process and they are:

  • Issuer — The entity issuing a credential such as a government ID
  • Holder — The owner of the credential, i.e., the entity on whom the issuer generates the credential.
  • Verifier — The entity that checks the validity and authenticity of the credential presented by the holder.

The issuer signs a verifiable credential with its private key, encrypts it with the holder’s public key, and sends it to the holder. Next, the holder stores this VC in an identity wallet and can decrypt it using his or her private key to access the VC.

At the time of verification, the holder creates a verifiable presentation that can include one or more credentials and digitally signs it with his or her private key, and encrypts it with the verifier’s public key.

The verifier decrypts the VC and checks for authenticity using the public keys of both the holder and the issuer.

Thus, these are how the public key infrastructure framework is used for implementing SSI-based applications.

Affinidi provides building blocks for an open and interoperable Self-Sovereign Identity ecosystem. Reach out to us on Discord if you want to build VC-based applications using our tech stack.

Follow us on LinkedIn, Facebook, or Twitter. You can also join our mailing list to stay on top of interesting developments in this space.

The information materials contained in this article is for general information and educational purposes only. It is not intended to constitute legal or other professional advice.

Get an email whenever Affinidi Publishes!