QAVACH
Post-Quantum
Armour.

QAVACH is a next-generation digital service delivery framework designed for the future of Indian e-governance. It addresses the "Triple Threat" of modern digital states—Data Integrity, Availability, and Privacy—by implementing a Zero-Trust Architecture powered by NIST-standardized Post-Quantum Cryptography (PQC).

FIPS 204
ML-DSA Signatures
FIPS 205
SLH-DSA Archival
FIPS 203
ML-KEM Exchange
LIVE
CBOM Dashboard

TRUST NO ONE
ZERO KNOWLEDGE. ZERO TRUST

Core Concept

Policy-Gated
Attestation

QAVACH decentralizes proofs using Policy-Gated Credential Attestation (PGCA), where verification happens on the citizen's device, not a server. By decoupling Identity from Attestation, citizens can prove eligibility without sharing the original document or PII.

● Zero-Trust Architecture
Compliance

Live CBOM
Dashboard

Provides a real-time compliance dashboard for government CISOs to track the migration of state departments to PQC. The system exposes which departments are using vulnerable classical algorithms versus resilient PQC algorithms.

GET /api/cbom/status
→ Revenue: RSA (Warning)
✓ ITD: ML-DSA (Safe)

Selective Disclosure
in Three Steps

Verifier Challenge

The verifier transmits an Open Policy Agent (OPA) Compiled Policy (WASM) and a unique challenge (nonce).

Local Execution

The QAVACH app executes this policy against the citizen's decrypted record in a local secure context.

Attestation

The resulting signature (ML-DSA-44) mathematically proves that a trusted document satisfied a specific policy without revealing any document attributes to the verifier.
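
The three steps above, as an added sketch that is not QAVACH's own code: it shows which fields the attestation binds (nonce, policy hash, result) and the order of the verifier's checks. Assumptions: HMAC-SHA256 stands in for ML-DSA-44 so the sketch runs on the Python standard library alone, a plain Python function stands in for the compiled OPA policy, and every name, key and record below is hypothetical or constructed.

```python
import hashlib, hmac, json, secrets

def canonical(body):
    # Deterministic encoding so wallet and verifier sign/verify identical bytes
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def sign(key, body):
    # STAND-IN for ML-DSA-44. HMAC is symmetric; a real deployment keeps the
    # private key on the device and gives the verifier only the public key.
    return hmac.new(key, canonical(body), hashlib.sha256).hexdigest()

def policy_id(policy):
    return hashlib.sha256(policy).hexdigest()

def wallet_attest(challenge, record, evaluate, key):
    # Step 2: the policy runs locally; the record never enters the attestation.
    body = {"nonce": challenge["nonce"],
            "policy_sha256": policy_id(challenge["policy"]),
            "satisfied": bool(evaluate(challenge["policy"], record))}
    return {"body": body, "sig": sign(key, body)}      # Step 3

class Verifier:
    def __init__(self, policy, key):
        self.policy, self.key, self.pending = policy, key, set()

    def challenge(self):
        # Step 1: policy plus a fresh, single-use nonce
        nonce = secrets.token_hex(16)
        self.pending.add(nonce)
        return {"policy": self.policy, "nonce": nonce}

    def verify(self, att):
        body = att["body"]
        if not hmac.compare_digest(sign(self.key, body), att["sig"]):
            return "bad-signature"
        if body["policy_sha256"] != policy_id(self.policy):
            return "wrong-policy"               # signed, but for another policy
        if body["nonce"] not in self.pending:
            return "unknown-or-replayed-nonce"
        self.pending.remove(body["nonce"])      # consume only after all checks pass
        return "accepted" if body["satisfied"] else "not-eligible"

# Constructed demo inputs (not real data)
KEY = secrets.token_bytes(32)
POLICY = b"constructed placeholder for a compiled policy: age >= 18"
RECORD = {"name": "A. Citizen", "age": 34}

def evaluate(policy, record):
    # Hypothetical stand-in for executing the OPA WASM policy on the record
    return record["age"] >= 18
```
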

A Multi-Layered
PQC Ecosystem

Verifier Ecosystem

Three Layers,
One Architecture

The architecture consists of three layers: GovSign, a single API that any government calls to issue credentials; the CBOM Dashboard, a crypto bill of services; and QAVACH, the citizen wallet.

Modular Deployment
Citizen Enclave

Flutter Mobile
Wallet

Acts as a secure container for citizen credentials. It uses an On-Device Policy Engine to run Open Policy Agent (OPA) Rego policies to evaluate claims locally.

Android Local Execution
FIPS 203

ML-KEM
(Kyber)

Used for key encapsulation in secure document storage. It enables the derivation of a shared symmetric key (AES-256).

FIPS 204

ML-DSA
(Dilithium)

Used for citizen attestation and real-time signing, providing a balance of signature size and computational efficiency.

FIPS 205

SLH-DSA
(SPHINCS+)

Stateless hash-based signatures used for long-term document archival. It relies solely on the security of the underlying cryptographic hash function.

Deploy the
Stack

Quick-Start Guide

01 Clone the repo — git clone https://github.com/DarkLead-Hub/QAVACH
02 Run FastAPI GovSign — Boot the PQC signing microservice
03 Deploy React CBOM — Launch the compliance dashboard
04 Launch Flutter Wallet — Compile the mobile application

Terminal View

$ cd services/govsign
$ uvicorn main:app --reload
▶ GovSign PQC Service Live
Module: ML-DSA-65 Active

$ cd ../../dashboard
$ npm start
✓ CBOM Dashboard deployed successfully.

Defense for the
Quantum Era

KEM

Zero-Trust Storage

Documents are stored in a Locked and Encrypted state where a unique AES-256-GCM key is encapsulated via ML-KEM-768 using the citizen's public key.

AES-256-GCM + ML-KEM
HASH

Stateless Recovery

SLH-DSA allows for signature verification without needing to maintain complex state, simplifying disaster recovery.

SPHINCS+ HYPERTREE
TLS

MitM Prevention

All communications are over TLS, and signed QR challenges ensure portal authenticity.

OWASP MITIGATION
05 / Compliance

"The impending 'Quantum Harvest' (Store now, Decrypt later) threat makes today's RSA and ECDSA-based signatures vulnerable to future decryption."

Threat Briefing · Security Operations

"We assume the network is hostile and that central databases are primary targets."

Architecture Principle · QAVACH Sec Team