lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <CA+HWTtBQ1nxLK0oO6MSe80vgPgAD3aVchjXqVpg-SrLDmiG7qw@mail.gmail.com>
Date: Sat, 2 Aug 2025 16:55:54 +0200
From: Jakub Godula <kuubbaa2@...il.com>
To: linux-kernel@...r.kernel.org
Subject: [RFC] Proposal: Distributed Kernel Identity Management via Algorand
 (PQC + ZK Proofs)

Hello kernel maintainers and community,

I would like to propose a new kernel feature: a blockchain-integrated
identity framework for users, services, and system entities,
leveraging the Algorand blockchain for its post-quantum cryptography
(PQC) capabilities and native support for zero-knowledge (ZK) proofs.
The aim is to introduce a distributed, tamper-resistant identity and
key management layer into the Linux kernel, inspired by the integrated
identity approach found in Harmony OS, while providing stronger
guarantees against future cryptographic threats.

Motivation and Problem Statement:
Current Linux identity and key management mechanisms (local keyrings,
PKI, external integration with LDAP/Kerberos) are robust but
inherently centralized or rely on third-party services. As scenarios
around distributed systems, edge devices, and secure IoT deployments
grow, there is demand for a built-in, decentralized mechanism that:

    Prevents single points of trust or compromise;

    Is resistant to next-generation (quantum) attacks;

    Facilitates secure, user-controllable key storage and management
at kernel level;

    Enables privacy-preserving authentication and access control
(using ZK proofs).

Proposed Solution:
Integrate an optional kernel subsystem that allows user and service
identities (and their keys) to be registered and/or validated via
either public or private blockchains. The default implementation would
use Algorand for its PQC primitives and support for efficient ZK
proofs, but the architecture would be designed to support other
blockchains as well. To allow identities from any other blockchain,
the module would strictly require that those blockchains provide both
PQC and ZK proofs for identity validation and authentication, ensuring
any integrated identity meets the highest standards for security and
privacy, even in cross-chain scenarios.

This would allow:

    The kernel to validate user/service identities and keys in a
trustless, distributed fashion;

    Support for cryptographically-strong, privacy-aware authentication
flows using ZK proofs, lowering the risk and exposure of key material
and metadata;

    A foundation for cross-device, cross-OS identity portability,
similar to Harmony OS but within the Linux ecosystem.

    Filesystem integration: Filesystems can make use of user/service
keys stored on Algorand (or another qualified blockchain) for access
control, encryption, and secure data sharing.

    Hardened module policy: Identities from other blockchains are only
permitted if those blockchains can deliver PQC-secured,
ZK-proof-verified identity material to the kernel.

Expanded Use Cases:

    Dynamic, Fine-Grained Data Sharing: Controlled sharing of data
streams (camera feeds, etc.) in on-chain organizations.

    Remote Control of Registered Devices: Unified, authenticated
control of devices registered to a user across ecosystems, secured and
audited on-chain.

    Enhanced Security and Detection: All inter-node communication is
zero-trust and ZK-proofed, minimizing compromise risks and increasing
anomaly detection.

    Distributed IdP (Identity Provider) Community: Enables federated,
rootless trust through distributed identity providers.

    Flexible Blockchain Backend: System can work with either public or
private blockchains as long as PQC and ZK requirements are satisfied.

Design Considerations:

    The subsystem is optional and modular.

    Minimal performance impact due to efficient proof validation and
intelligent caching.

    Failsafe modes and compatibility with classic Linux identity systems.

    Security: No privilege boundary weaknesses; privacy: ZK proofs
protect identity and key data from unnecessary disclosure.

    Interfaces for integration with various kernel components
(filesystems, device management, user/session management).

Potential Use Cases:

    Multi-device credentials, portable and auditably secure.

    IoT/edge identity autonomy.

    Filesystem-level encryption and access control using blockchain-based keys.

    Device fleet control with unified, on-chain identity management.

Request for Comments:
I am seeking feedback on feasibility, integration points (keyring,
LSM, PAM, filesystems, device management), interest among maintainers,
and architecture for multi-blockchain extensibility and policy
enforcement regarding PQC and ZK proofs. A preliminary prototype and
documentation will follow.

Thank you for your consideration and I look forward to your thoughts.

Best regards,

Jakub Godula

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ