SHA-1 Collisions: In 2017, Google and CWI Amsterdam demonstrated the first practical SHA-1 collision ("SHAttered" attack), requiring approximately 2^63 computations but proving the theoretical vulnerability was exploitable.

These breaks drove migration to stronger hash functions like SHA-256, SHA-3, and Blake2/Blake3, which provide sufficient collision resistance (128+ bits of security) to remain secure against current and foreseeable quantum computing threats.

In identifier systems, namespace collisions have plagued centralized systems where multiple authorities might independently assign the same identifier to different entities. The Domain Name System (DNS) addresses this through hierarchical delegation, but still suffers from potential collisions during domain transfers or administrative errors.

KERI's Approach

KERI's architecture fundamentally depends on collision resistance at multiple layers:

Self-Addressing Identifiers (SAIDs)

KERI's SAID protocol creates identifiers that are cryptographic digests of the content they identify. The security model requires:

• Strong collision resistance: SAIDs use hash functions with approximately 128 bits of cryptographic strength (Blake3-256, SHA3-256, or stronger)
• Content binding: Any collision would allow substitution of different content with the same identifier, breaking the self-addressing property
• Composability: SAIDs appear throughout KERI data structures (KELs, ACDCs), requiring collision resistance to maintain integrity across compositions

The SAID specification explicitly requires that "the digest algorithm employed for generating SAIDs MUST have an approximate cryptographic strength of 128 bits" to ensure collision resistance remains computationally infeasible.

Autonomic Identifiers (AIDs)

Autonomic Identifiers in KERI derive from public keys or digests of inception data. Collision resistance ensures:

• Identifier uniqueness: No two controllers can generate the same AID from different key material
• Namespace integrity: The autonomic namespace remains unambiguous
• Binding security: The cryptographic binding between identifier and controlling keys cannot be forged through collision attacks

KERI's use of qualified cryptographic primitives (via CESR encoding) includes derivation codes that specify the hash algorithm, enabling crypto-agility while maintaining collision resistance guarantees.

Key Event Logs (KELs)

The KEL structure uses hash chaining where each event includes a digest of the previous event. Collision resistance is critical because:

• Chain integrity: A collision in event digests could allow insertion of fraudulent events
• Duplicity detection: KERI's security model depends on detecting conflicting versions of KELs; collisions could mask duplicitous behavior
• Seal verification: Events include seals (digests) anchoring external data; collisions would allow seal forgery

Pre-Rotation Security

KERI's pre-rotation mechanism commits to next keys via cryptographic digests. The security model assumes:

• Digest binding: The commitment to next keys cannot be forged through collision attacks
• Post-quantum security: Collision resistance of hash functions provides protection even against quantum computers (unlike signature schemes)
• One-time use: Pre-rotated keys are revealed only once, but collision resistance ensures the commitment remains binding

Daniel J. Bernstein's research on collision costs demonstrates that quantum computers provide no significant advantage for finding hash collisions compared to classical computers, making digest-based commitments quantum-resistant.

Namespace Collision Prevention

KERI's autonomic namespace design prevents namespace collisions through:

• Cryptographic derivation: AIDs derived from high-entropy key material have negligible collision probability
• Self-certification: No central authority assigns identifiers, eliminating administrative collision risks
• Portable namespaces: Each AID establishes its own namespace, preventing cross-namespace collisions

Practical Implications

Security Guarantees

Collision resistance provides several critical security properties:

Integrity Protection: In KERI's ACDC credentials, the top-level SAID serves as a Merkle root. Signing the compact variant (containing only SAIDs) provides cryptographic commitment to the entire credential tree. Collision resistance ensures this commitment cannot be forged—an attacker cannot create different credential content that produces the same SAID.

Duplicity Evidence: KERI's security model makes duplicity (conflicting versions of a KEL) evident rather than hidden. This depends on collision resistance: if an attacker could create colliding event digests, they could mask duplicitous behavior by making conflicting events appear consistent.

Content Addressability: SAIDs enable content-addressable storage and retrieval. Collision resistance guarantees that retrieving content by its SAID returns the correct, unambiguous content.

Performance Considerations

Collision resistance comes with computational costs:

Hash Function Selection: KERI specifies Blake3-256 as a preferred hash function, balancing:

• Strong collision resistance (128-bit security)
• High performance (faster than SHA-256)
• Modern design (2020, incorporating lessons from earlier hash function breaks)

Digest Size: 256-bit digests (32 bytes) provide 128-bit collision resistance. CESR encoding represents these as 44-character Base64 strings in text domain, creating overhead in data structures but ensuring security.

Attack Vectors and Mitigations

Birthday Attacks: The birthday paradox means collision probability grows with the square of the number of hash computations. For 128-bit collision resistance:

• Requires approximately 2^64 hash computations to find a collision
• Computationally infeasible with current or foreseeable technology
• KERI's 256-bit hashes provide comfortable security margin

Rainbow Table Attacks: Pre-computed hash tables could enable collision searches for low-entropy inputs. KERI mitigates this through:

• High-entropy key material (128+ bits) for identifier generation
• Salty nonces (UUIDs) in private ACDCs to blind content
• Unique per-credential randomness preventing table reuse

Quantum Computing: While quantum computers threaten signature schemes (via Shor's algorithm), they provide no significant advantage for finding hash collisions. Grover's algorithm offers only quadratic speedup, meaning:

• 256-bit hashes provide ~128-bit post-quantum collision resistance
• KERI's digest-based commitments remain secure in post-quantum era
• Pre-rotation mechanism maintains security even if signature schemes are broken

Implementation Requirements

Systems implementing KERI must ensure:

Approved Hash Functions: Use only hash functions with proven collision resistance:

• Blake3-256 or greater
• SHA3-256 or greater
• SHA2-512 (SHA-256 provides only 128-bit output, less margin)

Proper Entropy Sources: Identifier generation requires high-quality randomness:

• Cryptographically secure pseudo-random number generators (CSPRNGs)
• Hardware random number generators where available
• Sufficient entropy (128+ bits) for key material

Derivation Code Verification: CESR-encoded primitives include derivation codes specifying the hash algorithm. Verifiers must:

• Check derivation codes match expected algorithms
• Reject weak or deprecated hash functions
• Support crypto-agility for future algorithm transitions

Trade-offs

Collision resistance involves inherent trade-offs:

Security vs. Efficiency: Stronger collision resistance (larger digests) increases:

• Storage requirements for identifiers and digests
• Bandwidth for transmitting credentials and events
• Computational cost for hash operations

KERI's choice of 256-bit hashes balances these factors, providing strong security (128-bit collision resistance) while maintaining reasonable efficiency.

Crypto-Agility vs. Simplicity: Supporting multiple hash algorithms enables:

• Migration to stronger algorithms as needed
• Accommodation of different security requirements
• But increases implementation complexity and potential for configuration errors

CESR's derivation code system provides crypto-agility while maintaining interoperability through standardized code tables.