Keridemlia provides two fundamental mapping services that mirror DNS functionality but with KERI-specific semantics:

1. Transferable AID to Key Event State Mappings

For transferable identifiers, keridemlia stores mappings from Autonomic Identifiers (AIDs) to their current Key Event State (KES). This enables validators to:

• Discover the current authoritative key set for any identifier
• Verify the complete KEL history cryptographically
• Detect duplicity by comparing published states
• Validate rotation events and delegation chains

The KES includes critical information such as current signing keys, next key digests, witness configurations, and threshold requirements. By publishing this state to the DHT, controllers enable distributed discovery while maintaining cryptographic proof of authenticity.

2. Non-transferable Witness AID to IP Address Mappings

For non-transferable identifiers used by witnesses, keridemlia stores mappings from witness AIDs to their network endpoints (IP addresses and ports). This enables:

• Dynamic witness discovery without hardcoded endpoints
• Witness pool management and rotation
• Geographic distribution of witness infrastructure
• Resilience against witness endpoint changes

Witnesses use non-transferable identifiers because they don't require key rotation capabilities—if a witness's keys are compromised, the witness simply creates a new identifier rather than rotating keys. This simplifies the security model for witness infrastructure.

Cryptographic Verification Layer

The defining innovation of keridemlia is its mandatory cryptographic verification of all published data before storage. Unlike traditional DHTs where malicious nodes can publish arbitrary data, keridemlia implements verification logic that:

For KES Mappings:

• Verifies the KEL is internally consistent (proper hash chaining)
• Validates all establishment event signatures against current keys
• Confirms pre-rotation commitments match subsequent rotations
• Checks witness receipt thresholds are satisfied
• Rejects any KEL with detected duplicity

For IP Address Mappings:

• Requires signed commitments from the witness identifier
• Verifies signatures against the witness's public key
• Validates the witness AID is properly formed and self-certifying
• Ensures the mapping hasn't been tampered with in transit

After verification, keridemlia strips signatures before storage to optimize space and prevent signature reuse attacks. The verification happens at publication time, and subsequent retrievals rely on the DHT's content-addressable properties to ensure integrity.

API Design

Keridemlia exposes a simplified REST API over the underlying Kademlia DHT with four primary endpoints:

POST /id - Publish AID to KES mapping

• Accepts a complete KEL with signatures
• Performs full cryptographic verification
• Stores verified KES indexed by AID
• Returns success/failure with verification details

GET /id/<aid> - Retrieve KES for specific AID

• Returns the most recent verified KES for the identifier
• Includes current keys, thresholds, witnesses, and configuration
• Enables validators to bootstrap trust without prior knowledge

POST /ip - Publish witness AID to IP address mapping

• Accepts signed commitment from witness identifier
• Verifies signature against witness public key
• Stores mapping indexed by witness AID
• Supports multiple IP addresses per witness (IPv4/IPv6)

GET /ip/<witness_id> - Retrieve IP addresses for witness AID

• Returns all registered IP addresses for the witness
• Enables dynamic witness endpoint discovery
• Supports witness pool management and failover

This API design prioritizes simplicity and verifiability over feature richness, reflecting KERI's philosophy of minimizing attack surface through reduced complexity.

Integration with KERI Infrastructure

Keridemlia integrates with the broader KERI ecosystem through several mechanisms:

KERIpy Database Integration: The implementation modifies Kademlia's storage backend to use KERIpy's database classes, ensuring consistency with how KERI stores events and key state. This enables:

• Shared storage infrastructure between keridemlia nodes and KERI agents
• Consistent event serialization using CESR
• Unified key management across KERI components

Witness Discovery Protocol: Keridemlia serves as the discovery layer for KERI's witness protocol, enabling:

• Bootstrap discovery of witness pools
• Dynamic witness rotation without service interruption
• Geographic distribution of witness infrastructure
• Resilience against witness endpoint changes

Out-of-Band Introduction (OOBI) Enhancement: While OOBI provides initial bootstrap, keridemlia enables ongoing discovery without repeated out-of-band communication. Once an identifier is published to keridemlia, validators can discover current witness endpoints dynamically.

Architecture and Design Decisions

Why Kademlia?

The whitepaper documents extensive research comparing three distributed storage approaches:

Hierarchical Systems (DNS-like):

• Advantages: High performance through caching, mature infrastructure
• Disadvantages: Centralized control, single points of failure, censorship vulnerability
• Verdict: Incompatible with KERI's decentralization requirements

Blockchain-based Systems:

• Advantages: Strong consistency, immutability, censorship resistance
• Disadvantages: Poor scalability, high latency, transaction costs, energy consumption
• Verdict: Performance characteristics unsuitable for discovery infrastructure

DHT-based Systems (Kademlia):

• Advantages: Decentralized, scalable, efficient lookup (O(log n)), proven at scale
• Disadvantages: Eventual consistency, vulnerability to Sybil attacks, data poisoning
• Verdict: Best fit with KERI's cryptographic verification layer addressing weaknesses

Kademlia specifically was chosen because:

• Proven scalability: Successfully deployed in BitTorrent, IPFS, Ethereum
• Efficient routing: XOR-based distance metric enables O(log n) lookups
• Self-organizing: Nodes automatically maintain routing tables
• Resilient: Tolerates node churn and network partitions
• Mature implementation: Python Kademlia library provides solid foundation

Security Model

Keridemlia's security model addresses traditional DHT vulnerabilities through KERI's cryptographic primitives:

Sybil Attack Mitigation: While keridemlia doesn't prevent Sybil attacks (malicious actors creating many nodes), it renders them ineffective through cryptographic verification. Even if an attacker controls a majority of DHT nodes, they cannot:

• Forge valid KELs (requires private keys)
• Modify published KES (breaks hash chains)
• Impersonate witnesses (requires witness private keys)
• Inject false IP mappings (requires valid signatures)

Data Poisoning Prevention: Traditional DHTs accept any data, enabling poisoning attacks. Keridemlia's verification layer ensures:

• Only cryptographically valid KELs are stored
• IP mappings require valid witness signatures
• Invalid data is rejected at publication time
• Validators can independently verify retrieved data

Eclipse Attack Resistance: By distributing data across multiple DHT nodes and enabling validators to query multiple sources, keridemlia reduces vulnerability to eclipse attacks where an attacker isolates a victim from honest nodes.

Duplicity Detection: Keridemlia enables ambient duplicity detection by allowing validators to query multiple DHT nodes and compare results. If different nodes return conflicting KELs for the same identifier, duplicity is detected, triggering KERI's accountability mechanisms.

Performance Characteristics

The whitepaper analyzes keridemlia's performance profile:

Lookup Latency:

• Average: O(log n) network hops where n = number of DHT nodes
• Typical: 3-5 hops for networks with thousands of nodes
• Comparable to DNS for small-to-medium deployments
• Higher than DNS for very large deployments due to lack of caching hierarchy

Storage Requirements:

• Per-node storage: Proportional to number of identifiers / number of nodes
• Replication factor: Typically 20 nodes store each key-value pair
• KES size: ~1-10 KB depending on KEL length and witness configuration
• IP mapping size: ~100-500 bytes per witness

Network Bandwidth:

• Publication: Single broadcast to k closest nodes (typically k=20)
• Retrieval: Single query to k closest nodes with parallel requests
• Maintenance: Periodic keep-alive messages (low overhead)

Scalability:

• Horizontal: Adding nodes increases total storage capacity linearly
• Vertical: Individual node requirements remain constant regardless of network size
• Lookup complexity: Logarithmic growth with network size

Comparison to Traditional DNS

Keridemlia provides CNAME-like functionality but with fundamental differences:

Similarities:

• Maps human-meaningful identifiers to network locations
• Enables service discovery and endpoint resolution
• Supports dynamic updates as endpoints change

Differences:

• Decentralization: No root servers or centralized authorities
• Cryptographic verification: All mappings are cryptographically verifiable
• Self-certification: Identifiers are self-certifying, not administratively assigned
• Immutable history: KELs provide complete audit trail of identifier history
• Duplicity detection: Conflicting data is detectable rather than hidden

Implementation Status and Limitations

Based on the whitepaper (dated 2022), keridemlia was described as a research prototype demonstrating feasibility. The document does not provide:

• Production deployment guidelines
• Performance benchmarks from real-world testing
• Security audit results
• Operational procedures for running keridemlia nodes
• Integration examples with production KERI deployments

The implementation modifies the Python Kademlia library to integrate with KERIpy's database classes and adds verification logic, but the whitepaper focuses on architectural design rather than implementation details.

Relationship to KERI Protocol

Keridemlia is not part of the core KERI protocol specification. Instead, it represents one possible implementation of the discovery layer that KERI requires for indirect mode operations. The KERI protocol itself is agnostic to discovery mechanisms—implementations could use:

• Keridemlia (DHT-based discovery)
• Traditional DNS with DNSSEC
• Centralized registries
• OOBI (Out-of-Band Introduction) exclusively
• Blockchain-based registries
• Hybrid approaches

Keridemlia's value proposition is providing decentralized, verifiable discovery that aligns with KERI's trust model without introducing centralized dependencies.

Future Directions

The whitepaper identifies several areas for future development:

Enhanced Privacy:

• Private information retrieval techniques to hide which identifiers are being queried
• Onion routing for query anonymity
• Encrypted storage of sensitive mappings

Performance Optimization:

• Caching strategies for frequently accessed identifiers
• Geographic proximity routing for reduced latency
• Batch verification of multiple KELs

Governance Mechanisms:

• Reputation systems for DHT nodes
• Economic incentives for reliable node operation
• Slashing mechanisms for misbehaving nodes

Interoperability:

• Integration with other discovery protocols
• Bridges to traditional DNS infrastructure
• Support for multiple DHT implementations

Conclusion

Keridemlia represents a thoughtful application of DHT technology to KERI's discovery requirements, addressing traditional DHT vulnerabilities through cryptographic verification while maintaining decentralization and scalability. By combining Kademlia's proven routing algorithms with KERI's self-certifying identifiers and verifiable key event logs, keridemlia provides a discovery infrastructure that aligns with KERI's security model and decentralization philosophy.

The implementation demonstrates that decentralized discovery is feasible for KERI without sacrificing security or introducing centralized trust dependencies. While the whitepaper describes a research prototype rather than production-ready infrastructure, it establishes the architectural foundation for building scalable, verifiable discovery services in the KERI ecosystem.

Limitations and Alternatives

Keridemlia is one possible discovery mechanism—implementations should consider:

• OOBI-only: For small deployments, OOBI may suffice without DHT infrastructure
• Hybrid Approaches: Combine keridemlia with traditional DNS for different identifier types
• Centralized Registries: For enterprise deployments, centralized registries may be acceptable
• Blockchain-based: For high-value identifiers, blockchain storage may justify the cost

The choice depends on deployment scale, security requirements, and operational constraints.