KERI's implementation of commitment schemes relies primarily on cryptographic hash functions rather than more complex commitment constructions like Pedersen commitments or polynomial commitments. The commitment to a value v is simply:

commitment = Hash(v)

Where Hash is a collision-resistant cryptographic hash function such as:

• SHA-256: 256-bit output, widely used in KERI
• SHA3-256: 256-bit output, alternative hash function
• BLAKE3: High-performance hash function with 256-bit output

The security properties derive from the hash function's characteristics:

Collision Resistance: Computationally infeasible to find two different values v1 and v2 such that Hash(v1) = Hash(v2). This ensures the binding property - once committed to v1, the committer cannot later claim they committed to v2.

Preimage Resistance: Given a commitment c = Hash(v), it is computationally infeasible to find v. This ensures the hiding property - the commitment reveals no information about the committed value.

Second Preimage Resistance: Given v1 and c1 = Hash(v1), it is computationally infeasible to find a different v2 such that Hash(v2) = c1. This reinforces the binding property.

Cryptographic Strength

KERI commitment schemes achieve cryptographic strength through:

• Minimum 128-bit security level: All hash functions used provide at least 128 bits of security against collision attacks
• 256-bit digest outputs: Standard digest size across KERI implementations
• Post-quantum considerations: Hash-based commitments are generally considered quantum-resistant, unlike many public-key cryptographic schemes

Randomness and Salting

For enhanced hiding properties, KERI commitment schemes may incorporate:

• Salts: Random data concatenated with the value before hashing
• Nonces: One-time random values to prevent rainbow table attacks
• High-entropy seeds: Cryptographically secure random number generation (CSPRNG)

The commitment becomes:

commitment = Hash(value || salt)

Where || denotes concatenation. The salt must be revealed along with the value during the reveal phase.

Data Format & Encoding

CESR Representation

Commitments in KERI are encoded using CESR (Composable Event Streaming Representation), which provides dual text/binary encoding with self-framing properties.

Digest Primitives: Commitments are represented as qualified cryptographic digests with derivation codes that specify:

• Hash algorithm used (SHA-256, SHA3-256, BLAKE3, etc.)
• Output size
• Encoding format

Example CESR-encoded commitment (SHA-256 digest):

EABCDE...  (Base64 URL-safe encoding)
│└─────── 44-character Base64 digest
└──────── Derivation code 'E' indicates SHA-256 digest

Derivation Code Structure:

• 'E': SHA-256 digest (256 bits)
• 'F': SHA3-256 digest (256 bits)
• 'G': BLAKE3-256 digest (256 bits)
• 'H': BLAKE2b-256 digest (256 bits)

The derivation code is prepended to the Base64 URL-safe encoded digest, creating a primitive that is:

• Self-describing: The code indicates the hash algorithm
• Self-framing: The code implies the length (44 characters for 256-bit digests in text domain)
• Composable: Can be concatenated with other CESR primitives in streams

Text and Binary Domains

CESR supports dual text-binary encoding:

Text Domain (Base64 URL-safe):

• Human-readable
• 44 characters for 256-bit digests (1 code + 43 Base64 chars)
• Used in JSON serializations, URLs, human-facing interfaces

Binary Domain (raw bytes):

• Compact representation
• 33 bytes for 256-bit digests (1 code byte + 32 digest bytes)
• Used in binary protocols, storage optimization

Composability: CESR ensures that any set of concatenated primitives can be converted between text and binary domains without loss, maintaining text-binary concatenation composability.

SAID Integration

Commitments are often embedded as SAIDs (Self-Addressing Identifiers) within KERI data structures. A SAID is a special commitment where:

• The identifier IS the digest of the content
• The content includes a field containing the SAID itself
• This creates a self-referential commitment

SAID construction:

1. Serialize data structure with SAID field set to dummy value
2. Compute digest of serialization
3. Replace dummy value with computed digest
4. The resulting digest is both the identifier and commitment to the content

This pattern is extensively used in ACDCs for compact disclosure and selective disclosure.

Usage in KERI/ACDC

Pre-Rotation Mechanism

The most critical use of commitment schemes in KERI is pre-rotation, which provides forward security for key rotation.

Commitment Phase (Inception or prior Rotation Event):

• Controller commits to the digest of the next public key (or set of keys)
• This commitment is included in the current establishment event
• The actual next keys remain secret and offline

Reveal Phase (subsequent Rotation Event):

• Controller reveals the actual next public keys
• Validators verify that Hash(revealed_keys) = committed_digest
• If verification succeeds, the rotation is accepted

This scheme ensures that even if current signing keys are compromised, an attacker cannot rotate to keys they control because they don't know the pre-committed next keys. The commitment binds the controller to specific future keys before those keys are exposed.

Example KEL Structure:

{
  "v": "KERI10JSON00011c_",
  "t": "icp",
  "d": "EAB...",
  "i": "EAB...",
  "s": "0",
  "kt": "1",
  "k": ["DPrI..."],  // Current public key
  "nt": "1",
  "n": ["EQoU..."],  // Commitment to next key (digest)
  "bt": "0",
  "b": [],
  "c": [],
  "a": []
}

The "n" field contains the commitment (digest) to the next key. In a subsequent rotation event, the "k" field will contain the revealed key, which must hash to the committed digest.

Seal Commitments

KERI seals are cryptographic commitments that anchor external data to key events:

Event Seal: Commits to another event by including its SAID

{
  "i": "EAB...",  // Identifier of sealed event
  "s": "3",       // Sequence number
  "d": "ECD..."   // Digest (commitment) to event
}

Digest Seal: Commits to arbitrary data

{
  "d": "EFG..."   // Digest of sealed data
}

Merkle Tree Root Seal: Commits to a set of data items via Merkle root

{
  "rd": "EHI..."  // Merkle root digest
}

Seals enable:

• Anchoring: Binding external data to the KEL timeline
• Proof of existence: Demonstrating data existed at a specific key state
• Verifiable provenance: Creating auditable chains of data transformations

ACDC Compact Disclosure

ACDCs use commitment schemes for privacy-preserving disclosure:

Compact Variant: Top-level fields contain SAIDs (commitments) instead of full data

{
  "v": "ACDC10JSON00011c_",
  "d": "EAB...",  // SAID of entire ACDC
  "i": "ECD...",  // Issuer AID
  "s": "EEF...",  // Schema SAID
  "a": "EGH..."   // Commitment to attributes (SAID)
}

Full Disclosure: Attributes are revealed and verified against commitment

{
  "v": "ACDC10JSON00011c_",
  "d": "EAB...",
  "i": "ECD...",
  "s": "EEF...",
  "a": {
    "d": "EGH...",  // SAID must match compact variant
    "name": "Alice",
    "role": "Engineer"
  }
}

The commitment scheme enables:

• Selective disclosure: Reveal only necessary attributes
• Partial disclosure: Progressive revelation of information
• Graduated disclosure: Multi-step disclosure with contractual protections

Transaction Event Log (TEL) Commitments

TELs use commitments to anchor credential state to the KEL:

Registry Inception: Commits to registry configuration Issuance Events: Commit to issued credential SAIDs Revocation Events: Commit to revoked credential SAIDs

Each TEL event is anchored to a KEL event via a seal, creating a verifiable chain from credential state back to the root-of-trust in the controller's key state.

Related Primitives

Cryptographic Digests

Commitment schemes in KERI are implemented using cryptographic digests, which are the actual primitive type. The commitment scheme is the protocol pattern, while digests are the cryptographic tool.

Relationship: Digests provide the binding and hiding properties required for commitments through collision resistance and preimage resistance.

Self-Addressing Identifiers (SAIDs)

SAIDs are a specialized form of commitment where the identifier is the digest of the content, and the content includes the identifier itself.

Relationship: SAIDs extend basic commitment schemes with self-referential properties, enabling content-addressable data structures with built-in integrity verification.

Pre-Rotation Keys

The pre-rotation mechanism is the primary application of commitment schemes in KERI's security model.

Relationship: Pre-rotation uses digest commitments to next keys, providing forward security and enabling recovery from key compromise.

Seals

Seals are commitment structures embedded in key events to anchor external data.

Relationship: Seals implement commitment schemes to bind arbitrary data to specific points in the KEL timeline, creating verifiable provenance chains.

Blinded Attributes

In ACDCs, blinded attributes use commitments to hide attribute values while maintaining verifiability.

Relationship: Attribute blinding applies commitment schemes to individual credential fields, enabling fine-grained privacy controls.

Security Considerations

Commitment Strength

The security of KERI commitment schemes depends on:

• Hash function collision resistance: Must remain computationally infeasible to find collisions
• Sufficient output size: 256-bit digests provide 128-bit security against birthday attacks
• Proper randomness: Salts and nonces must use CSPRNG sources

Binding Guarantees

The binding property ensures:

• Non-repudiation: Commitments cannot be denied or altered
• Duplicity detection: Conflicting commitments are cryptographically detectable
• Forward security: Pre-rotation commitments protect against future key compromise

Hiding Limitations

While commitments hide values, they don't prevent:

• Dictionary attacks: If the value space is small, attackers can hash all possibilities
• Rainbow tables: Pre-computed hash tables can reveal common values
• Correlation: Multiple commitments to the same value are identical

Mitigations:

• Use high-entropy salts
• Employ salty nonce blinding factors
• Implement chain-link confidentiality for sensitive data

Quantum Resistance

Hash-based commitment schemes are generally considered post-quantum secure because:

• Grover's algorithm provides only quadratic speedup for preimage search
• 256-bit hashes maintain ~128-bit security against quantum attacks
• No known quantum algorithm breaks collision resistance efficiently

This makes KERI's commitment schemes more future-proof than many public-key cryptographic constructions.

Performance Optimization

• Cache computed digests to avoid redundant hashing
• Use hardware acceleration for hash functions when available
• Batch verification of multiple commitments
• Optimize CESR encoding/decoding for high-throughput applications