Scope and Boundaries

A live attack is bounded by the current key state of an identifier. Once a rotation event successfully changes the authoritative keypairs, any compromise of the previous keys transitions from a live attack to a dead attack. This temporal boundary is enforced through KERI's key event log (KEL) structure, where each establishment event cryptographically commits to the next set of keys through pre-rotation.

The scope of a live attack is limited to operations that the compromised keys are authorized to perform. Current signing keys can only sign interaction events, while pre-rotated keys can only be used for the next rotation event. This separation of concerns is a fundamental security property of KERI's architecture.

Historical Context

The concept of live key compromise has been a persistent challenge in public key infrastructure (PKI) systems since their inception. Traditional PKI systems using Certificate Authorities (CAs) face the problem that once a private key is compromised, the attacker can impersonate the legitimate key holder until the compromise is detected and the certificate is revoked.

Evolution in Identity Systems

Early self-certifying identifier systems, which cryptographically bind identifiers to public keys, faced a fundamental limitation: if the private key was compromised, the identifier itself became permanently compromised because there was no mechanism for key rotation. This made live attacks catastrophic—once an attacker gained control of the private key, they permanently controlled the identifier.

Blockchain-based identity systems attempted to address this through on-chain key rotation mechanisms, but these introduced new vulnerabilities. The rotation authority typically resided in the currently exposed keys, meaning a live attack could compromise not just current operations but also the ability to rotate to new keys, effectively locking out the legitimate controller.

Certificate Transparency and Detection

Certificate Transparency (CT) systems introduced the concept of public logs that could detect fraudulent certificate issuance, but these systems operate at the certificate level rather than the key level. They can detect when a CA issues a duplicate certificate, but they cannot prevent an attacker who has compromised a private key from using that key to sign fraudulent data.

KERI's Approach

KERI's architecture provides sophisticated defenses against live attacks through multiple complementary mechanisms that work together to detect, prevent, and recover from key compromise.

Pre-Rotation as Primary Defense

Pre-rotation is KERI's foundational defense against live attacks. In each establishment event, the controller commits to the next set of keys by including cryptographic digests of those keys in the current event. Critically, these next keys are not exposed until they are actually used in a subsequent rotation event.

This creates a powerful security property: even if an attacker compromises the current signing keys and the current pre-rotated keys (a complete live attack), they cannot prevent the legitimate controller from rotating to a new set of keys if the controller has additional pre-rotated keys held in reserve through partial rotation.

The pre-rotation mechanism provides post-quantum security against live attacks because the unexposed pre-rotated keys are protected by one-way hash functions. An attacker who compromises current keys cannot work backward to discover the pre-images of the committed key digests, even with a quantum computer.

Witness-Based Duplicity Detection

KERI's witness infrastructure provides real-time detection of live attacks through duplicity detection. When an attacker uses compromised keys to sign fraudulent events, they must choose between two strategies:

1. Attempt to hide the attack: Create fraudulent events but not promulgate them to the legitimate controller's witnesses. This limits the attack's effectiveness because validators will not see the fraudulent events.

2. Promulgate fraudulent events: Send the fraudulent events to witnesses, but this creates detectable duplicity when the legitimate controller also sends events to the same witnesses.

The KAACE (KERI's Agreement Algorithm for Control Establishment) consensus mechanism ensures that witnesses maintain consistent views of the KEL. When duplicity is detected—meaning two different versions of the same event exist—this provides immediate evidence of a live attack.

The threshold of accountable duplicity (TOAD) parameter allows controllers to specify how many witnesses must confirm an event before it is considered established. This creates a security threshold where an attacker must compromise not just the controller's keys but also a sufficient number of witnesses to successfully execute a live attack without detection.

Watcher Networks for Ambient Detection

Watchers operate in "promiscuous mode," maintaining copies of KELs without being designated by controllers. This creates an ambient duplicity detection network where any validator can query multiple independent watchers to verify KEL consistency.

For live attacks, watcher networks provide a critical defense: even if an attacker compromises a controller's keys and successfully promulgates fraudulent events to the controller's designated witnesses, independent watchers may detect the duplicity by comparing their copies of the KEL with the fraudulent version.

The first-seen policy implemented by honest watchers creates an immutable record of the first version of each event they observe. This makes it impossible for an attacker to retroactively change the historical record—once a watcher has seen the legitimate version of an event, any subsequent fraudulent version will be detected as duplicity.

Multi-Signature Thresholds

KERI supports multi-signature configurations where multiple keypairs must sign each event. This exponentially increases the difficulty of live attacks because an attacker must compromise multiple independent keys simultaneously.

The signing threshold and rotation threshold can be configured independently, allowing controllers to require different numbers of signatures for different types of events. For example, a controller might require 2-of-3 signatures for interaction events but 3-of-3 signatures for rotation events, making live attacks on rotation authority more difficult.

Delegation Hierarchies

KERI's delegation mechanism enables hierarchical key management where a root identifier delegates authority to subsidiary identifiers. This creates a bivalent key management infrastructure where compromise of a delegated identifier's keys (a live attack at the delegated level) does not compromise the delegating identifier.

The delegating identifier can revoke the delegation through a rotation event, effectively recovering from the live attack on the delegated identifier. This provides organizational resilience where different operational contexts can use different identifiers with different security profiles, and compromise of lower-security identifiers does not cascade to higher-security root identifiers.

Practical Implications

Detection and Response

In practice, live attacks in KERI systems are detected through duplicity evidence. When a validator queries witnesses or watchers and receives conflicting versions of events, this indicates either a live attack or a network partition. The validator must then:

1. Collect evidence: Gather signed receipts from multiple witnesses and watchers
2. Analyze duplicity: Determine which version of events is legitimate based on first-seen policies and witness agreement
3. Suspend trust: Temporarily suspend trust in the identifier until the duplicity is resolved
4. Await resolution: Wait for the legitimate controller to rotate keys and establish a new consistent key state

The legitimate controller, upon detecting that their keys have been compromised (evidenced by duplicity detection), must immediately rotate to new keys using their pre-rotated keypairs. This rotation event, when properly witnessed and confirmed, establishes a new key state that the attacker cannot forge because they do not possess the pre-rotated keys.

Security Trade-offs

Live attack protection involves several practical trade-offs:

Witness Configuration: More witnesses provide better duplicity detection but increase operational complexity and latency. Controllers must balance security requirements against operational efficiency.

Key Storage Security: Pre-rotated keys must be stored securely but remain accessible for rotation. This often involves using hardware security modules (HSMs) or trusted execution environments (TEEs) for high-security applications.

Rotation Frequency: More frequent rotations reduce the window of vulnerability for live attacks but increase operational overhead. Controllers must determine appropriate rotation schedules based on their threat model.

Multi-Signature Complexity: While multi-signature configurations provide stronger protection against live attacks, they increase the complexity of key management and the risk of losing access if multiple keys are lost.

Use Cases and Applications

Different applications have different live attack threat models:

High-Value Identifiers: Root organizational identifiers or identifiers controlling significant assets should use maximum protection: multi-signature configurations, large witness pools, frequent rotation, and HSM-based key storage.

Operational Identifiers: Identifiers used for day-to-day operations might use delegated identifiers with moderate security, accepting higher live attack risk in exchange for operational flexibility.

Ephemeral Identifiers: Short-lived identifiers for specific transactions might use minimal protection, as the temporal window for live attacks is inherently limited.

Custodial Arrangements: Custodial rotation enables splitting signing authority (held by a custodian) from rotation authority (held by the owner), limiting the impact of live attacks on custodial keys while preserving owner control.

Recovery Procedures

When a live attack is detected, KERI's recovery procedure leverages pre-rotation:

1. Immediate Rotation: The legitimate controller uses their pre-rotated keys to sign a rotation event establishing new key state
2. Witness Promulgation: The rotation event is sent to all witnesses to establish consensus on the new key state
3. Duplicity Resolution: Validators observe both the fraudulent events (signed with compromised keys) and the legitimate rotation event, resolving the duplicity in favor of the legitimate controller
4. Key State Advancement: The new key state supersedes the compromised state, rendering the attacker's keys useless for future operations

This recovery mechanism is post-quantum secure because the attacker cannot forge the rotation event without the pre-rotated keys, which are protected by one-way hash functions committed in previous events.