Confidentiality in KERI refers to the protection of message content and data from unauthorized access through encryption and access control mechanisms, ensuring that only authorized parties can view disclosed information. It is the second priority in KERI's security model after authenticity, and is constrained by the PAC Theorem which states that systems cannot simultaneously maximize privacy, authenticity, and confidentiality.
Related Concepts
No related concepts available
Comprehensive Explanation
Confidentiality in KERI
Conceptual Definition
Confidentiality is a fundamental security property that ensures all statements in a conversation are only known by the parties to that conversation. In the context of KERI and digital identity systems, confidentiality specifically addresses the protection of content data - what information is disclosed and to whom - through cryptographic mechanisms like encryption and access control.
The concept extends beyond simple encryption to encompass:
Content protection: Ensuring message payloads remain private to authorized recipients
Access control: Restricting who can decrypt and view information
Authorized disclosure: Enabling controlled sharing based on permissions
End-to-end protection: Maintaining confidentiality throughout data lifecycle (in motion and at rest)
Confidentiality is distinct from but complementary to authenticity (proving who said what) and privacy (protecting metadata about who participated in communications). These three properties form an interconnected security framework where confidentiality specifically addresses the "what" of information protection.
The PAC Theorem and Security Trade-offs
A critical theoretical foundation for understanding confidentiality in KERI is the PAC Theorem (Privacy, Authenticity, Confidentiality), which establishes a fundamental constraint:
Implementation Notes
Cryptographic Implementation
Encryption Standards: KERI implementations should use:
HPKE (RFC-9180) for hybrid public key encryption with authenticated encryption
Libsodium sealed boxes as baseline for simpler use cases
ChaCha20/Poly1305 for AEAD (Authenticated Encryption with Associated Data)
Legal language: Express usage constraints in enforceable legal terms
Ricardian contracts: Embed legal agreements in machine-readable format
"One can have any two of the three (privacy, authenticity, confidentiality) at the highest level but not all three."
This theorem, central to KERI's design philosophy, means that:
Trade-offs are mandatory: No cryptographic system can simultaneously maximize all three properties
Layering introduces vulnerabilities: Since no single cryptographic operation provides all three properties, systems must layer operations, and separation between layers creates potential attack surfaces
Prioritization is necessary: System designers must explicitly choose which properties to emphasize
The Trust over IP (ToIP) design goals that guide KERI establish a clear priority ordering:
Authenticity first: Verifiable origin and integrity as the foundation
Confidentiality second: Protection of content from unauthorized access
Privacy third: Maximized within constraints imposed by the first two properties
This ordering reflects KERI's architectural philosophy: build on a foundation of cryptographically verifiable authenticity, layer confidentiality mechanisms on top, and then maximize privacy without compromising the first two properties. The rationale is that privacy protections are meaningless without authentic attribution - you cannot have meaningful privacy if you cannot verify who you're communicating with.
KERI's Approach to Confidentiality
Cryptographic Foundations
KERI implements confidentiality through well-established cryptographic primitives rather than complex zero-knowledge proofs or novel cryptographic constructions. The SPAC (Secure Private Authentic Confidentiality) framework specifies:
Strong Confidentiality via IND-CCA2: KERI requires IND-CCA2 (Indistinguishability under Adaptive Chosen Ciphertext Attack) security for confidential communications. This is achieved through:
ECIES/HPKE implementations (RFC-9180) for hybrid public key encryption
Libsodium sealed boxes as a baseline implementation
End-only viewability: Only the intended recipient can decrypt; even the sender cannot decrypt after encryption
Ephemeral X25519 key pairs combined with long-term recipient keys
Combined Security: ESSR Protocol: For scenarios requiring both authenticity and confidentiality, KERI specifies the ESSR (Encrypt Sender Sign Receiver) protocol:
Protects against key-compromise impersonation attacks
Provides multiple security properties: TUF-PTXT, TUF-CTXT, RUF-PTXT, and RUF-CTXT
Enables non-repudiation through authenticated encryption
Uses HPKE-Auth with Ed25519 signatures for authentication
Graduated Disclosure in ACDCs
KERI's ACDC (Authentic Chained Data Container) credential framework implements sophisticated confidentiality mechanisms through graduated disclosure:
Compact Disclosure: ACDCs can be disclosed in compact form where only SAIDs (Self-Addressing Identifiers) are revealed instead of full content. This provides:
Minimal information leakage: Only cryptographic commitments are shared initially
Verifiable commitments: SAIDs cryptographically bind to undisclosed content
Progressive revelation: Full content can be disclosed later with verifiable linkage to earlier commitments
Partial Disclosure: Specific sections of an ACDC can be revealed while others remain as SAIDs, enabling:
Selective section disclosure: Reveal only necessary field maps
Cryptographic equivalence: Compact and full variants are cryptographically equivalent
Backward verifiability: Later full disclosure verifies against earlier partial disclosure
Selective Disclosure: Individual attributes can be disclosed independently through:
Blinded attribute blocks: Each selectively disclosable attribute has its own cryptographic commitment
Non-correlation: Undisclosed attributes remain unlinkable to disclosed ones
Flexible revelation: Attributes can be revealed incrementally as needed
Private ACDCs: For maximum confidentiality, ACDCs can include high-entropy UUIDs as "salty nonces" that:
Prevent rainbow table attacks: Even with schema knowledge, content cannot be discovered
Enable correlation resistance: Different presentations cannot be linked
Support confidential registries: Issuance/revocation state can be hidden
Contractually Protected Disclosure
KERI extends technical confidentiality with legal frameworks through contractually protected disclosure:
Chain-Link Confidentiality: This mechanism creates legally binding confidentiality obligations that:
Chain downstream: Each recipient inherits confidentiality obligations
Express usage constraints: Legal language specifies permitted uses
Apply to third parties: Constraints bind both direct recipients and downstream parties
This separation enables KERI to provide strong confidentiality guarantees while acknowledging that privacy is a "hot war" requiring ongoing tactical adaptation against evolving correlation techniques. Confidentiality can be achieved with arbitrarily strong cryptographic protection, while privacy faces resource-constrained adversaries with rapidly evolving capabilities.
Practical Implications
Use Cases
Enterprise Credential Exchange: Organizations using vLEI credentials can:
Least disclosure principle: Share only what's necessary
Progressive authorization: Reveal more as trust is established
Contextual access: Disclosure based on specific transaction needs
End-to-End Security: KERI's requirement for signed/encrypted data:
Eliminates trust in intermediaries: Confidentiality maintained regardless of infrastructure
Enables ambient verifiability: Anyone can verify without compromising confidentiality
Supports portability: Confidential data can move between systems without re-encryption
Conclusion
Confidentiality in KERI represents a carefully architected balance between cryptographic protection, practical usability, and legal enforceability. By prioritizing authenticity first and building confidentiality on that foundation, KERI creates systems where confidential information can be shared with strong guarantees about both origin and protection. The graduated disclosure mechanisms in ACDCs, combined with contractual protections and end-to-end encryption, provide a comprehensive framework for confidential data exchange in decentralized identity systems.
The explicit acknowledgment of the PAC Theorem and the prioritization of authenticity over privacy reflects a pragmatic approach: meaningful confidentiality requires verifiable attribution, and privacy protections are most effective when built on a foundation of authentic, confidential communication. This design philosophy enables KERI to provide strong confidentiality guarantees while remaining honest about the inherent trade-offs in cryptographic identity systems.
Signature requirements: Require recipients to sign confidentiality agreements before disclosure
Audit trails: Maintain records of who received what information under which terms
IPEX Protocol: When implementing contractually protected disclosure:
Disclose schema before content to establish technical transparency
Present legal contracts for agreement before sensitive data sharing
Support multi-step disclosure with progressive revelation
Verify agreement signatures before proceeding with disclosure
Security Considerations
Threat Model: Confidentiality implementations must address:
Eavesdropping: All communications must be encrypted end-to-end
Man-in-the-middle: Combine encryption with authentication (ESSR pattern)
Key compromise: Use forward secrecy and key rotation
Rainbow table attacks: Use high-entropy salts in private ACDCs
Correlation attacks: Implement selective disclosure to minimize linkability
Performance Trade-offs: Consider:
Encryption overhead: Balance security with performance requirements
Key management complexity: More keys require more secure storage and handling
Disclosure state: Track what has been disclosed to whom
Bandwidth: Encrypted data and multiple disclosure rounds increase network usage
Integration with KERI Infrastructure
KEL Anchoring: Confidential data should be:
Sealed in KEL events: Use cryptographic digests, not plaintext
Verifiable without disclosure: KEL verification doesn't require access to confidential content
Bound to key state: Confidential data tied to specific key state in KEL
Witness Considerations: When using witnesses:
Witnesses see commitments: Not confidential content
Public verification: KEL can be publicly verified without compromising confidentiality
Seal integrity: Witnesses verify seal structure, not sealed content
TEL Integration: For credential management:
Blinded registries: Use salty nonce blinding for confidential issuance/revocation state
Selective state disclosure: Reveal registry state only to authorized parties
Registry anchoring: Anchor TEL to KEL without exposing confidential registry content