Cryptographic Properties

Derivation Process

The cryptographic derivation of a cryptonym follows this general pattern:

1. Secret Generation: A random or pseudo-random secret seed or salt is generated with sufficient entropy
2. One-Way Function Application: A cryptographically strong one-way function is applied to the secret
3. Output Encoding: The resulting value is encoded as a character string

Cryptographic Strength Requirements

The specification mandates a "sufficiently high degree of cryptographic strength," with 128 bits provided as the minimum example threshold. This strength requirement ensures:

• Collision Resistance: The probability of two different secrets producing the same cryptonym is negligibly small
• Pre-image Resistance: Given a cryptonym, it is computationally infeasible to determine the original secret
• Second Pre-image Resistance: Given a secret and its cryptonym, it is computationally infeasible to find a different secret that produces the same cryptonym

One-Way Function Properties

The one-way nature of the cryptographic function is essential—it ensures that:

• The cryptonym can be publicly derived from the secret seed or salt
• The reverse operation (deriving the secret from the cryptonym) is computationally infeasible
• Only the holder of the secret can prove control over the cryptonym

Universal Uniqueness

Due to the entropy inherent in the derivation process, cryptonyms function as universally unique identifiers. This uniqueness property stems from:

• The randomness of the secret seed or salt used in derivation
• The collision-resistant properties of the cryptographic function
• The sufficiently large output space (minimum 128 bits = 2^128 possible values)

This enables cryptonyms to be generated in a completely decentralized manner without requiring centralized registration or coordination to ensure uniqueness.

Data Format & Encoding

CESR Encoding

As CESR primitives, cryptonyms are encoded in the Composable Event Streaming Representation format, which provides:

• Text Domain Representation: Using Base64 URL-safe encoding for human readability and text-based protocols
• Binary Domain Representation: Compact binary encoding for efficient transmission and storage
• Composability: Round-trip conversion between text and binary domains without information loss

Derivation Code Integration

The specification states that the derivation function MAY be encoded as part of the cryptonym itself. This is typically achieved through derivation codes—prepended codes that specify:

• The cryptographic algorithm used for derivation
• The output length and format
• Any additional parameters needed for verification

This self-describing property enables any party receiving a cryptonym to determine which cryptographic algorithm was used in its derivation, maintaining interoperability within the KERI ecosystem.

Character String Representation

Cryptonyms are represented as character strings, making them:

• Human-transmissible: Can be communicated through text-based channels
• URL-safe: Compatible with web protocols and URIs
• Parseable: Can be extracted from larger data structures

Usage in KERI/ACDC

Control Authority Establishment

A defining characteristic of cryptonyms is that only the controller who possesses the secret salt or seed from which the cryptonym was derived may prove control over that cryptonym. This creates a direct cryptographic binding between the identifier and its controller, establishing control authority through cryptographic means rather than through external authorities or registries.

This property enables:

• Self-sovereign control: No external party can claim or transfer control
• Cryptographic proof: Control can be proven through cryptographic operations using the secret
• Decentralized authority: No centralized registry is required to establish or verify control

Privacy-Preserving Identification

The cryptographic pseudonymous nature of cryptonyms provides specific privacy characteristics:

• Pseudonymity: The cryptonym itself does not reveal information about its controller or the secret from which it was derived
• Unlinkability: Different cryptonyms derived from different secrets cannot be linked to the same controller without additional information
• Selective Disclosure: Controllers can choose when and where to use specific cryptonyms

Distinction Between Seeds and Salts

The specification distinguishes between derivation from a "random or pseudo-random secret seed or salt," indicating that cryptonyms may be derived from either:

• Seeds: Typically used for hierarchical deterministic key derivation, enabling generation of multiple related cryptonyms from a single root secret
• Salts: Random values added to derivation processes to ensure uniqueness and prevent rainbow table attacks

While both serve as secret inputs to the derivation function, they represent different cryptographic materials that can be used to generate cryptonyms for different purposes.

Integration with Self-Certifying Identifiers

Cryptonyms form the foundation for self-certifying identifiers (SCIDs) in KERI. While basic SCIDs directly embed or derive from public keys, cryptonyms provide a more general mechanism for creating identifiers from any secret material. The relationship is:

• SCIDs are a specific type of cryptonym derived from public keys
• General cryptonyms can be derived from any secret seed or salt
• Both share the property of cryptographic binding to their derivation source

Use in Autonomic Identifiers

Within the KERI protocol, cryptonyms serve as components of autonomic identifiers (AIDs). The specification defines AIDs as "self-managing cryptonymous identifiers," explicitly incorporating the cryptonym concept into the definition of AIDs. This integration means:

• AIDs inherit the pseudonymous properties of cryptonyms
• AIDs maintain the cryptographic binding to controlling secrets
• AIDs extend cryptonyms with additional capabilities like key rotation

Application in ACDC Systems

In ACDC (Authentic Chained Data Container) systems, cryptonyms can be used for:

• Issuer identifiers: Pseudonymous identification of credential issuers
• Subject identifiers: Privacy-preserving identification of credential subjects
• Correlation prevention: Using unique cryptonyms for different contexts to prevent linkability

Related Primitives

Self-Certifying Identifiers (SCIDs)

Self-certifying identifiers represent a specialized form of cryptonym where the identifier is derived from a public key rather than an arbitrary secret. The relationship is:

• SCIDs are cryptonyms with specific derivation from asymmetric keypairs
• General cryptonyms can be derived from any secret material
• Both provide cryptographic binding and proof of control

Self-Addressing Identifiers (SAIDs)

Self-addressing identifiers are content-addressable identifiers derived from the content they identify. While not strictly cryptonyms (as they're derived from content rather than secrets), they share:

• One-way cryptographic derivation
• Self-describing properties
• Use as CESR primitives

Autonomic Identifiers (AIDs)

Autonomic identifiers are defined as "self-managing cryptonymous identifiers," explicitly building upon the cryptonym concept. AIDs extend cryptonyms by adding:

• Key event logs for tracking key state
• Pre-rotation mechanisms for key recovery
• Witness infrastructure for availability

Salts and Seeds

While not primitives themselves, salts and seeds are the cryptographic materials from which cryptonyms are derived. The relationship is:

• Salts/Seeds: Secret input material
• Cryptonyms: Public output identifiers
• One-way function: Irreversible transformation between them

Security Considerations

Secret Protection

The security of a cryptonym depends entirely on the secrecy of the seed or salt from which it was derived. If the secret is compromised:

• An attacker can prove control over the cryptonym
• The cryptonym must be considered compromised
• A new cryptonym must be generated from a new secret

Entropy Requirements

The specification's requirement for "sufficiently high degree of cryptographic strength" (minimum 128 bits) ensures:

• Resistance to brute-force attacks
• Sufficient uniqueness for global identifier space
• Long-term security against advancing computational capabilities

One-Time Use Considerations

For maximum privacy, cryptonyms should ideally be used in limited contexts:

• One-time use: Generate a new cryptonym for each interaction
• Context-specific: Use different cryptonyms for different relationships
• Ephemeral: Discard cryptonyms after their purpose is fulfilled

However, this must be balanced against practical considerations of identifier persistence and relationship continuity.

Exposure of Cryptonyms

The one-way derivation function ensures that exposure of the cryptonym does not compromise the secret seed or salt. This separation enables:

• Public use: Cryptonyms can be used publicly for identification
• Secret protection: The underlying secret remains protected
• Multiple derivations: Multiple cryptonyms can be derived from the same secret without cross-compromise

Implementation Patterns

Hierarchical Derivation

Cryptonyms can be organized hierarchically using hierarchical deterministic derivation schemes:

Root Secret → Cryptonym 1
           → Cryptonym 2
           → Cryptonym 3

This enables:

• Key management efficiency: Only the root secret needs secure storage
• Organizational structure: Cryptonyms can be organized by purpose or context
• Backup simplicity: Backing up the root secret backs up all derived cryptonyms

Context-Specific Generation

For privacy-preserving applications, cryptonyms can be generated on-demand for specific contexts:

1. Determine the interaction context
2. Generate a context-specific secret (or derive from root)
3. Apply the one-way function to create the cryptonym
4. Use the cryptonym for that context only

Proof of Control

To prove control over a cryptonym, the controller must demonstrate possession of the secret without revealing it. Common approaches include:

• Challenge-response protocols: Responding to challenges using the secret
• Zero-knowledge proofs: Proving knowledge of the secret without revealing it
• Signature schemes: If the secret is a private key, signing messages proves control

Conclusion

Cryptonyms represent a fundamental building block in KERI's architecture, providing cryptographically secure, pseudonymous identifiers that enable privacy-preserving yet verifiable identification. Their properties of universal uniqueness, cryptographic binding to secrets, and one-way derivation make them essential for building self-sovereign identity systems that don't rely on centralized authorities. As CESR primitives, cryptonyms integrate seamlessly into KERI's composable event streaming architecture, enabling efficient encoding and transmission while maintaining their security properties.

Choose cryptographic hash functions that provide:

• Pre-image resistance
• Second pre-image resistance
• Collision resistance
• Sufficient output length (minimum 128 bits)

Common choices include SHA-256, SHA-3, BLAKE2, or BLAKE3.

Hierarchical Derivation Support

For applications requiring multiple related cryptonyms:

• Implement hierarchical deterministic derivation schemes
• Use derivation paths to organize cryptonyms by purpose or context
• Store only the root secret, deriving child cryptonyms on-demand
• Document the derivation path structure for interoperability