An integrated .NET stack for decentralized identity: DIDs, verifiable credentials, selective disclosure, and hardware-backed cryptography.
Verifiable is a comprehensive .NET library implementing the W3C Decentralized Identifiers and Verifiable Credentials specifications, along with associated protocols from the Decentralized Identity Foundation. The library provides an integrated stack where cryptographic primitives, serialization, credential management, and hardware security work together cohesively.
The core value proposition is documents that can be distinctly identified, cryptographically signed, linked, timestamped, and selectively disclosed without requiring a central governing party while remaining compatible with regulated ecosystems like eIDAS.
Decentralized identifiers and credentials. Full implementation of the W3C DID Core and Verifiable Credentials Data Model 2.0 specifications, including data integrity proofs with EdDSA-RDFC-2022, EdDSA-JCS-2022, and ECDSA-SD-2023 cryptosuites.
Selective disclosure. Support for privacy-preserving credential presentation through SD-JWT (RFC 9901), ECDSA-SD-2023 for JSON-LD credentials, and foundations for SD-CWT. Wallet operations include minimum disclosure computation, maximum disclosure bounds, and optimal selection algorithms.
Multiple cryptographic backends. Delegate-based architecture allows plugging in BouncyCastle for cross-platform support, NSec for high performance, .NET cryptographic functions, or hardware security modules.
Hardware security. TPM 2.0 integration for hardware-backed key storage, PCR reading and event log parsing; attestations and other TPM functionality are to come. The architecture extends to HSMs and cloud KMS services through the delegate pattern.
Serialization flexibility. Core types remain agnostic to serialization format. JSON support via System.Text.Json and CBOR support via System.Formats.Cbor are provided in separate packages, enabling the same credential logic to work across both formats or any other.
Memory-safe key handling. Sensitive cryptographic material is ring-fenced using dedicated types with support for custom memory allocation through MemoryPool<T>, enabling scenarios like mlocked memory regions.
The library follows data-oriented programming principles where code is separate from immutable data, favoring generic data structures and general-purpose functions implemented as extension methods. Domain types contain raw cryptographic material without encoding artifacts, with encoding handled at serialization boundaries.
Cryptographic operations use a delegate-based extensibility model rather than direct implementations. This allows the same high-level API to work with software keys, TPM-backed keys, HSM keys, or cloud KMS without changing calling code. The SensitiveMemoryPool provides exact-size memory allocation for cryptographic material.
The three-party credential flow (Issuer → Holder → Verifier) is modeled explicitly, with clear separation between what each party knows and computes. Internal computation state is not passed between parties; instead, each party derives what it needs from the credential and proof structures.
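The SD-JWT (RFC 9901) disclosure step mentioned under selective disclosure, and the verifier-side derivation described here, as an added C# example that is not part of the Verifiable library and uses none of its API; it assumes a .NET 8 project with implicit usings enabled and that the issuer's signature over the credential already covers the `_sd` array.

```csharp
// SD-JWT (RFC 9901) disclosure mechanics; assumes a .NET 8 project with implicit usings enabled.
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;

public static class SdJwtDisclosure
{
    static string B64Url(byte[] b) =>
        Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    static byte[] B64UrlDecode(string s)
    {
        string std = s.Replace('-', '+').Replace('_', '/');
        return Convert.FromBase64String(std.PadRight(std.Length + (4 - std.Length % 4) % 4, '='));
    }
    // RFC 9901: the digest is taken over the US-ASCII bytes of the base64url-encoded disclosure.
    public static string Digest(string disclosure) =>
        B64Url(SHA256.HashData(Encoding.ASCII.GetBytes(disclosure)));

    // Issuer: one salted disclosure per claim; only the digests go into the signed credential.
    public static (Dictionary<string, string> Disclosures, string[] SdArray) Issue(IReadOnlyDictionary<string, object> claims)
    {
        var disclosures = new Dictionary<string, string>();
        var sd = new List<string>();
        foreach (var (name, value) in claims)
        {
            string salt = B64Url(RandomNumberGenerator.GetBytes(16)); // fresh 128-bit salt per claim
            string disclosure = B64Url(Encoding.UTF8.GetBytes(JsonSerializer.Serialize(new object[] { salt, name, value })));
            disclosures[name] = disclosure;
            sd.Add(Digest(disclosure));
        }
        string[] sdArray = sd.ToArray();
        RandomNumberGenerator.Shuffle<string>(sdArray); // hide the original claim order
        return (disclosures, sdArray);
    }

    // Verifier: needs no internal state from issuer or holder. Each presented disclosure is
    // re-hashed and must match an entry of the signed "_sd" array, otherwise it is rejected.
    public static Dictionary<string, JsonElement> Verify(IEnumerable<string> presented, ISet<string> sdArray)
    {
        var revealed = new Dictionary<string, JsonElement>();
        foreach (string d in presented)
        {
            if (!sdArray.Contains(Digest(d)))
                throw new CryptographicException("Disclosure is not bound to the signed credential.");
            var parts = JsonSerializer.Deserialize<JsonElement[]>(B64UrlDecode(d))!;
            revealed[parts[1].GetString()!] = parts[2];
        }
        return revealed;
    }
}
```

The holder side is the selection: it forwards the signed credential plus only the disclosures the verifier asked for (for example `Disclosures["nationality"]`), so undisclosed claims never leave the wallet and any forged disclosure fails the digest check.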
Coming... See the tests in the meantime.
Install the packages relevant to your use case:
```shell
# Core functionality
dotnet add package Verifiable.Core
# For JSON serialization
dotnet add package Verifiable.Json
# For BouncyCastle cryptography (cross-platform)
dotnet add package Verifiable.BouncyCastle
# For TPM integration
dotnet add package Verifiable.Tpm
```

The codebase runs on Windows, Linux, and macOS. Some hardware-specific functionality such as TPM operations may only work on certain platforms.
Press `.` on the repository page to open the codebase in the VS Code web editor for quick exploration.
For secure disclosure of security vulnerabilities, please see the security policy.
Please read the contribution guidelines for technical details.
The TPM.DEV community provides excellent TPM-related study materials and discussions.
- Open issues for bugs, suggestions, or improvements.
- Create pull requests following the contribution guidelines.
- Add tests, especially those using test vectors from other implementations for cross-checking.
- Expand TPM functionality including signing, encryption, and permissions.
- Add more cryptographic and security capabilities.
- Support additional protocols from the Decentralized Identity Foundation.
- Improve threat and privacy modeling using frameworks like LINDDUN.
See the LICENSE file for details.
Note: This is an early version under active development. APIs may change between versions.