Comprehensive Explanation

pre-rotation

Process Definition

Pre-rotation is KERI's foundational innovation for secure key management, representing a cryptographic commitment mechanism where each establishment event (inception or rotation) includes a digest of the next rotation keys before those keys are ever exposed or used. This forward commitment creates a verifiable chain of key authority that persists even when current signing keys are compromised.

What It Accomplishes

Pre-rotation solves the fundamental vulnerability in traditional PKI systems: insecure key rotation. In conventional systems, rotation operations are signed by potentially compromised keys, creating an inherent security flaw. Pre-rotation eliminates this vulnerability by:

• Cryptographically binding future rotation authority before current keys are exposed
• Enabling recovery from key compromise through unexposed pre-committed keys
• Providing post-quantum security via collision-resistant hash functions
• Maintaining unbroken chain of control authority across key lifecycle changes

The mechanism assumes that private keys remain private until after issuance of the associated identifier, which is fundamental to the security model.

When It's Used

Pre-rotation occurs at two critical points in an AID's lifecycle:

1. Inception Event: The initial establishment event includes the first pre-rotation commitment, setting up the mechanism from identifier creation
2. Rotation Events: Each subsequent rotation both reveals the previously committed keys and commits to the next set of rotation keys

This creates a continuous chain where each rotation simultaneously:

• Proves possession of previously committed keys
• Establishes new signing authority
• Commits to future rotation keys

Key Participants

The pre-rotation process involves:

• Controller: Generates key pairs, creates pre-rotation commitments, and executes rotations
• Witnesses: Validate and receipt establishment events containing pre-rotation commitments
• Validators: Verify that rotation events correctly reveal previously committed keys
• Watchers: Monitor for duplicitous rotation attempts using different pre-committed keys

Process Flow

Step 1: Initial Key Generation (Inception)

At identifier inception, the controller generates two sets of asymmetric key pairs:

1. Current Key Set: Used for immediate signing operations

   • Public keys included in inception event k field
   • Private keys secured in controller's key storage

2. Next Key Set: Reserved for future rotation

   • Public keys hashed to create digest
   • Digest included in inception event n field
   • Private keys stored separately with highest security

The inception event structure includes:

{
  "v": "KERI10JSON...",
  "t": "icp",
  "d": "<event SAID>",
  "i": "<AID prefix>",
  "s": "0",
  "kt": "1",
  "k": ["<current public key>"],
  "n": ["<digest of next public key>"],
  "bt": "2",
  "b": ["<witness AIDs>"],
  "c": [],
  "a": []
}

The n field contains cryptographic digests (typically Blake3-256 or SHA3-256) of the next public keys, creating a forward blinded commitment that cannot be undone by an attacker.

Step 2: Secure Storage Separation

Critical to pre-rotation security is the physical and logical separation of key sets:

• Current signing keys: May reside in operational systems for day-to-day signing
• Pre-rotated keys: Stored in high-security environments (HSMs, cold storage, air-gapped systems)
• Separation prevents simultaneous compromise of both key sets

This separation is what enables recovery from live key compromise—an attacker who compromises current signing keys cannot forge a rotation because they don't possess the pre-committed rotation keys.

Step 3: Rotation Execution

When rotation is required (due to compromise, routine security hygiene, or cryptographic algorithm updates), the controller:

1. Retrieves pre-rotated keys from secure storage
2. Generates new next key set for subsequent rotation
3. Creates rotation event that:
   • References prior event via digest (p field)
   • Reveals previously committed keys in k field
   • Commits to new next keys in n field
   • Maintains or updates witness configuration

Rotation event structure:

{
  "v": "KERI10JSON...",
  "t": "rot",
  "d": "<event SAID>",
  "i": "<AID prefix>",
  "s": "1",
  "p": "<prior event digest>",
  "kt": "1",
  "k": ["<previously committed key, now revealed>"],
  "n": ["<digest of new next key>"],
  "bt": "2",
  "b": ["<witness AIDs>"],
  "br": [],
  "ba": [],
  "a": []
}

Step 4: Cryptographic Verification

Validators verify rotation legitimacy by:

1. Retrieving prior establishment event from KEL
2. Extracting n field (next key digest commitment)
3. Hashing revealed keys from rotation event's k field
4. Comparing computed digest with committed digest
5. Accepting rotation only if digests match

This verification proves the controller possessed the pre-committed keys at rotation time, establishing legitimate control authority transfer.

Step 5: Witness Receipting

Witnesses validate and receipt the rotation event, providing distributed consensus on the key state change. The receipting process:

1. Witnesses receive rotation event
2. Perform same cryptographic verification as validators
3. Generate signed receipts confirming event observation
4. Return receipts to controller
5. Store event in their KERL (Key Event Receipt Log)

This witness-based validation provides duplicity detection—if a controller attempts conflicting rotations, witnesses will detect and report the duplicity.

Technical Requirements

Cryptographic Requirements

Hash Function Properties:

• Collision resistance: Must be computationally infeasible to find two inputs producing same digest
• Pre-image resistance: Must be computationally infeasible to derive input from digest
• Second pre-image resistance: Must be computationally infeasible to find different input producing same digest

Approved Hash Functions (128+ bits cryptographic strength):

• Blake3-256 or greater
• Blake2-256 or greater
• SHA3-256 or greater
• SHA2-512

Key Generation Requirements:

• Minimum 128 bits of entropy for cryptographic strength
• Use of CSPRNG (Cryptographically Secure Pseudo-Random Number Generator)
• Proper key derivation from high-entropy seeds

Signature Schemes:

• Ed25519 (primary recommendation)
• ECDSA with secp256k1
• Post-quantum algorithms (future support)

Timing Considerations

Key Generation Timing:

• Pre-rotated keys should be generated before or during inception
• Keys should never be generated on-demand during rotation (indicates lack of pre-commitment)
• Generation should occur in secure environment with adequate entropy

Rotation Timing:

• Proactive rotation: Scheduled rotations before compromise (security hygiene)
• Reactive rotation: Emergency rotation after detected compromise
• Grace periods: Time allowed for witness receipting and propagation

Verification Timing:

• Validators must verify using key state at event issuance time
• Historical verification requires replaying KEL to determine authoritative keys
• Witness receipts provide temporal evidence of event observation

Error Handling

Digest Mismatch:

• If revealed keys don't match committed digest, rotation is invalid
• Validator must reject event and not update key state
• Potential indicator of compromise or implementation error

Missing Prior Event:

• Rotation cannot be validated without prior establishment event
• Requires KEL synchronization before validation
• May trigger OOBI resolution to obtain missing events

Witness Threshold Failure:

• If insufficient witnesses receipt rotation, event remains unconfirmed
• Controller may need to retry with different witnesses
• Threshold of Accountable Duplicity (TOAD) determines minimum receipts

Duplicity Detection:

• If conflicting rotations detected, both are marked duplicitous
• Validators must decide which version to trust (typically first-seen)
• Watchers propagate duplicity evidence throughout network

Usage Patterns

Pattern 1: Standard Single-Signature Rotation

Scenario: Individual controller with single signing key rotating for security hygiene.

Implementation:

1. Generate next key pair during inception
2. Store next private key in secure vault (HSM, hardware wallet)
3. Include next key digest in inception event
4. When rotating:
   • Retrieve next private key from vault
   • Generate new next key pair
   • Create rotation event with revealed key and new commitment
   • Sign with revealed (now current) key
   • Submit to witnesses

Best Practice: Rotate keys on regular schedule (annually, quarterly) even without compromise.

Pattern 2: Multi-Signature Rotation

Scenario: Organization with multiple key holders requiring threshold signatures.

Implementation:

1. Each member generates their key pairs
2. Collect all next key digests
3. Include all digests in inception n field as array
4. Set appropriate kt (current threshold) and nt (next threshold)
5. During rotation:
   • Each member reveals their pre-committed key
   • Collectively generate new next keys
   • Rotation requires threshold signatures from revealed keys

Best Practice: Use partial rotation to keep some keys in reserve, enabling graduated security responses.

Pattern 3: Partial Rotation (Reserve Keys)

Scenario: Controller wants to maintain backup keys that remain unexposed.

Implementation:

1. Commit to multiple next keys in n field array
2. During rotation, reveal only subset of committed keys
3. Unrevealed keys remain in reserve for future rotations
4. Enables defense in depth with multiple security layers

Best Practice: Reserve highest-security keys for emergency recovery scenarios.

Pattern 4: Custodial Rotation

Scenario: Delegating signing authority to custodian while retaining rotation authority.

Implementation:

1. Controller retains rotation authority (pre-rotated keys)
2. Custodian receives signing authority (current keys)
3. Controller can "fire" custodian by rotating to new keys
4. Custodian cannot rotate without controller's pre-committed keys

Best Practice: Use for enterprise scenarios where operational signing is delegated but ultimate control is retained.

Pattern 5: Cryptographic Agility

Scenario: Migrating from one cryptographic algorithm to another.

Implementation:

1. Generate next keys using new algorithm
2. Commit to new algorithm keys in current event
3. Rotation reveals keys and updates derivation code
4. Enables smooth transition to post-quantum algorithms

Best Practice: Plan algorithm migrations before current algorithms are broken.

Integration Considerations

KEL Management:

• Pre-rotation commitments are permanent KEL entries
• Cannot be modified after witness receipting
• Must maintain complete KEL for verification

Witness Coordination:

• Witnesses must validate digest matching
• Witness pool changes require careful coordination
• TOAD threshold must be satisfied for rotation acceptance

Watcher Networks:

• Watchers monitor for duplicitous rotations
• First-seen policy typically determines accepted version
• Ambient duplicity detection provides security

Delegation Hierarchies:

• Delegated identifiers inherit pre-rotation from delegator
• Delegation approval required for delegated rotations
• Creates nested security through delegation trees

Recovery Procedures:

• Pre-rotated keys enable recovery from signing key compromise
• Recovery requires access to securely stored next keys
• Social recovery possible through multi-sig with trusted parties

Security Properties

Post-Quantum Security: Pre-rotation provides post-quantum security because:

• Hash functions remain secure against quantum attacks
• Even if quantum computers break signature schemes, pre-committed digests remain secure
• Enables migration to quantum-resistant algorithms before current algorithms are broken

Forward Security:

• Compromise of current keys doesn't compromise future rotations
• Pre-committed keys remain secure if properly stored
• Enables recovery from live key compromise

Duplicity Evidence:

• Conflicting rotations using different pre-committed keys are detectable
• Witnesses and watchers provide distributed duplicity detection
• First-seen policy prevents post-facto key state manipulation

One-Time Use:

• Each pre-rotated key set used exactly once
• Minimizes exposure window
• Prevents replay attacks

Common Pitfalls

Insufficient Key Separation:

• Storing current and next keys together defeats pre-rotation security
• Compromise of storage compromises both key sets
• Solution: Use physically separate storage with different access controls

On-Demand Key Generation:

• Generating "next" keys during rotation indicates no pre-commitment
• Defeats security model
• Solution: Always generate next keys before or during inception

Weak Hash Functions:

• Using hash functions with insufficient collision resistance
• Enables pre-image attacks on commitments
• Solution: Use approved hash functions with 128+ bits strength

Inadequate Entropy:

• Weak random number generation compromises key security
• Predictable keys can be pre-computed
• Solution: Use CSPRNG with proper seeding

Missing Witness Receipts:

• Rotating without sufficient witness confirmation
• Enables duplicity attacks
• Solution: Wait for TOAD threshold before considering rotation complete