W3C publishes first draft of quantum-resistant cryptosuites for verifiable credentials

The World Wide Web Consortium published the first public draft of Quantum-Resistant Cryptosuites v1.0 on 16 June 2026.

The specification is being developed by the W3C Verifiable Credentials Working Group. It defines several methods for digitally signing verifiable credentials using cryptographic algorithms designed to resist attacks from quantum computers.

A verifiable credential is a digital version of information such as a diploma, professional qualification, licence, or proof of identity. It contains a digital signature that allows another person or organisation to confirm that the credential was issued by a trusted source and has not been altered.

Many current digital signatures rely on mathematical problems that ordinary computers cannot solve efficiently. A sufficiently powerful quantum computer could solve some of these problems much faster, potentially allowing an attacker to discover private signing keys or create forged signatures.

The new draft applies quantum-resistant signature algorithms to the W3C Data Integrity framework. A cryptosuite is a defined set of technical rules describing how data is prepared, signed, and checked.

The work comes as governments and organisations begin replacing vulnerable cryptographic systems before large-scale quantum computers become available. Recent research cited by W3C suggests a small but significant possibility that some elliptic-curve keys could be broken during the early 2030s, while some migration deadlines begin as early as 2029.

The document is a First Public Working Draft, meaning it is an early proposal rather than a finished W3C standard. The Working Group is accepting technical comments through its GitHub issue tracker.