This comprehensive explanation has been generated from 10 GitHub source documents.
Last updated: October 7, 2025
Note: In rare cases it may contain LLM hallucinations.
For authoritative documentation, please consult the official GLEIF vLEI trainings and the ToIP Glossary.
The security overlay properties trilemma is a fundamental constraint in identifier system design stating that any system can achieve varying degrees of authenticity, privacy, and confidentiality, but cannot simultaneously maximize all three properties completely due to inherent cryptographic limitations.
The security overlay properties trilemma represents a fundamental architectural constraint in cryptographic identifier systems. This principle, articulated by Samuel Smith in his Universal Identifier Theory, establishes that identifier systems can provide some degree of any combination of three critical security properties—authenticity, privacy, and confidentiality—but cannot deliver all three properties completely and simultaneously.
This is not merely a practical limitation but a theoretical impossibility rooted in the nature of cryptographic operations themselves. The trilemma forces system architects to make deliberate trade-offs, prioritizing certain properties over others based on use case requirements and threat models.
Authenticity refers to the verifiable origin and integrity of data—the ability to cryptographically prove that information came from a specific source and has not been tampered with. In KERI, authenticity is achieved through self-certifying identifiers and cryptographically verifiable key event logs.
Privacy is the ability of individuals or entities to selectively disclose information about themselves, maintaining control over what is revealed and to whom. Privacy encompasses protection against correlation, tracking, and unauthorized observation of identity attributes or behaviors.
Confidentiality ensures that information exchanged between parties remains known only to those parties. It protects the content of communications from eavesdropping or unauthorized access, typically through encryption mechanisms.
When designing KERI-based systems, explicitly document the priority ordering of authenticity, privacy, and confidentiality for each use case. The ToIP design goals provide a default ordering (authenticity → confidentiality → privacy), but specific applications may require different trade-offs.
Pay special attention to the boundaries between cryptographic layers. The separation between authenticity mechanisms (signatures, key event logs), confidentiality mechanisms (encryption), and privacy mechanisms (selective disclosure) creates potential attack surfaces. Ensure that compromises in one layer do not cascade to undermine other layers.
Different use cases within the same system may require different trade-offs:
Governance frameworks should explicitly address how the trilemma is navigated:
When conducting threat modeling, analyze attacks against each property separately, then consider cross-layer attacks:
Clearly communicate trade-offs to users:
The trilemma exists because no single cryptographic operation can inherently provide all three properties. Each cryptographic primitive—whether digital signatures, encryption, hashing, or zero-knowledge proofs—optimizes for one or two properties but cannot simultaneously maximize all three.
For example:
The security overlay properties trilemma emerged from decades of research in cryptographic identity systems and the persistent challenges of balancing competing security objectives.
Traditional public key infrastructure (PKI) systems prioritized authenticity through certificate authorities and digital signatures, but often sacrificed privacy by creating persistent, correlatable identifiers. Early attempts to add privacy through pseudonymous identifiers frequently weakened authenticity guarantees or introduced trusted intermediaries.
The development of privacy-enhancing technologies like anonymous credentials, mix networks, and zero-knowledge proofs demonstrated that privacy could be strengthened, but often at the cost of reduced authenticity (requiring trusted setup) or increased complexity that impacted confidentiality guarantees.
Samuel Smith's Universal Identifier Theory formalized these observed trade-offs into the trilemma framework, providing theoretical grounding for understanding why certain architectural decisions are necessary and why no "perfect" solution exists that maximizes all three properties simultaneously.
KERI explicitly acknowledges the security overlay properties trilemma and makes deliberate architectural choices based on a clear priority ordering established in the Trust over IP (ToIP) design goals:
KERI prioritizes authenticity through its core architecture:
This foundational authenticity layer is non-negotiable in KERI's design—it forms the root-of-trust upon which all other security properties are built.
With authenticity established at the foundation, KERI layers confidentiality through:
Confidentiality is achieved through standard cryptographic techniques applied on top of the authentic identifier foundation, ensuring that encrypted communications can be attributed to verified identities.
KERI maximizes privacy within the constraints imposed by prioritizing authenticity and confidentiality:
These privacy mechanisms operate within the framework established by the authenticity and confidentiality priorities. KERI does not sacrifice authenticity to achieve privacy—instead, it provides tools for controllers to manage their own privacy through selective disclosure and careful identifier management.
The trilemma manifests in KERI's architecture through the necessity of layering different cryptographic operations:
Layer Separation: Each layer (authenticity, confidentiality, privacy) uses different cryptographic primitives. The boundaries between these layers create potential attack surfaces where vulnerabilities might be exploited.
Property Isolation: Each cryptographic operation optimizes for specific properties. Digital signatures provide authenticity but expose public keys. Encryption provides confidentiality but requires key exchange. Privacy-enhancing techniques like blinding may weaken direct cryptographic binding.
Sequential Dependencies: Upper layers depend on lower layers. If the authenticity foundation is compromised, confidentiality and privacy guarantees built on top become meaningless. This dependency chain means that the weakest layer determines overall security.
Complexity Accumulation: Layering multiple cryptographic operations increases system complexity, expanding the attack surface and making security analysis more difficult.
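As an added illustration of the layer separation and sequential dependency listed above (example code written for this page, not KERI's or keripy's own, using only the Go standard library): an envelope that places an Ed25519 authenticity layer, bound to a self-certifying identifier, over an AES-GCM confidentiality layer. The sha256 identifier derivation, the `Envelope` layout and the pre-shared `confKey` are assumptions that stand in for KERI's derivation codes, message formats and key exchange.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Envelope: authenticity layer (Ed25519) over confidentiality layer (AES-GCM). Constructed; not KERI's format.
type Envelope struct {
	SignerPub  ed25519.PublicKey // the authenticity layer necessarily exposes this key
	Signature  []byte            // Ed25519 over Ciphertext
	Nonce      []byte
	Ciphertext []byte
}

// SelfCertifyingID: identifier derived from the key itself (sha256 stands in for KERI's derivation codes).
func SelfCertifyingID(pub ed25519.PublicKey) [32]byte { return sha256.Sum256(pub) }

// gcmFor wraps confKey, assumed to be the 32-byte output of an earlier key exchange.
func gcmFor(confKey []byte) cipher.AEAD {
	block, err := aes.NewCipher(confKey)
	if err != nil { panic("confidentiality key must be 16, 24 or 32 bytes") }
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return gcm
}

// Seal applies confidentiality first, then signs the ciphertext (encrypt-then-sign).
func Seal(signPriv ed25519.PrivateKey, confKey, msg []byte) *Envelope {
	gcm := gcmFor(confKey)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { panic(err) }
	ct := gcm.Seal(nil, nonce, msg, nil)
	return &Envelope{SignerPub: signPriv.Public().(ed25519.PublicKey), Signature: ed25519.Sign(signPriv, ct), Nonce: nonce, Ciphertext: ct}
}

// Open enforces the sequential dependency the page describes: the authenticity layer is
// verified against the expected identifier before the confidentiality layer is touched.
func Open(confKey []byte, expectedID [32]byte, env *Envelope) ([]byte, error) {
	if SelfCertifyingID(env.SignerPub) != expectedID {
		return nil, errors.New("signer key does not derive the expected identifier")
	}
	if !ed25519.Verify(env.SignerPub, env.Ciphertext, env.Signature) {
		return nil, errors.New("authenticity check failed; ciphertext left unopened")
	}
	return gcmFor(confKey).Open(nil, env.Nonce, env.Ciphertext, nil)
}
```

Because the signature sits outside the encryption, a relying party fails closed on the authenticity layer before decrypting anything, but every observer learns the signer's key and therefore its identifier; the opposite order (sign-then-encrypt) would hide the signer yet force decryption before verification, which is exactly the property trade-off the trilemma predicts.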
KERI's design philosophy accepts these inherent vulnerabilities as unavoidable consequences of the trilemma, then mitigates them through:
The trilemma provides a framework for evaluating identifier system designs:
For High-Stakes Identity: Systems requiring strong authenticity (financial transactions, legal agreements, credential issuance) should follow KERI's priority ordering: authenticity first, then confidentiality, then privacy. This ensures that identity claims are verifiable and non-repudiable, even if some privacy is sacrificed.
For Privacy-Critical Applications: Systems prioritizing anonymity (whistleblowing, political dissent, sensitive communications) may need to accept weaker authenticity guarantees or rely on different trust models. These use cases might prioritize privacy and confidentiality over strong cryptographic binding to persistent identifiers.
For Public Information: Systems dealing with public data may prioritize authenticity and confidentiality while accepting minimal privacy, since the information is intended for broad disclosure anyway.
The trilemma has profound implications for governance frameworks:
vLEI Ecosystem: The GLEIF vLEI ecosystem prioritizes authenticity (verifiable legal entity identity) and confidentiality (secure credential exchange), while providing privacy through selective disclosure mechanisms. This aligns with the use case of business-to-business interactions where legal accountability is paramount.
Regulatory Compliance: Regulations requiring strong identity verification (KYC/AML) inherently prioritize authenticity over privacy. The trilemma explains why privacy-maximizing systems may struggle with regulatory compliance—the trade-off is fundamental, not merely a technical implementation detail.
User Consent and Control: Understanding the trilemma helps users make informed decisions about which systems to trust for which purposes. A system claiming to provide maximum authenticity, privacy, and confidentiality simultaneously should be viewed with skepticism.
Credential Issuance: When a QVI issues a Legal Entity vLEI Credential, authenticity is paramount—the credential must be cryptographically verifiable to the issuer. Confidentiality is maintained through secure issuance protocols. Privacy is provided through selective disclosure when the credential is presented, but the issuance itself prioritizes authenticity.
Witness Infrastructure: KERI witnesses prioritize authenticity by maintaining verifiable key event receipt logs. This requires witnesses to observe and sign events, which inherently limits privacy (witnesses know about key events). The trade-off is accepted because authenticity is the primary goal.
Anonymous Credentials: Systems using anonymous credentials (like certain zero-knowledge proof schemes) maximize privacy but may weaken authenticity by requiring trusted setup ceremonies or limiting the strength of cryptographic binding between credentials and identifiers. KERI's approach accepts less privacy in exchange for stronger authenticity guarantees.
The trilemma suggests specific architectural patterns:
Foundation-First Design: Start with the highest-priority property at the foundation layer. KERI starts with authenticity through self-certifying identifiers and verifiable event logs.
Layered Enhancement: Add additional properties through carefully designed layers on top of the foundation. KERI adds confidentiality through encryption and privacy through selective disclosure.
Explicit Trade-off Documentation: Clearly document which properties are prioritized and what trade-offs are accepted. KERI's design goals explicitly state the priority ordering.
Use-Case Specific Optimization: Different use cases may require different priority orderings. KERI provides flexibility through features like ephemeral identifiers and non-transferable identifiers for use cases where different trade-offs are appropriate.
The trilemma provides a lens for security analysis:
Threat Modeling: Analyze threats against each property separately, then consider interactions between layers. An attack that compromises authenticity may cascade to undermine confidentiality and privacy.
Vulnerability Assessment: Evaluate whether vulnerabilities exploit the necessary separation between layers or represent implementation flaws. Layer-boundary vulnerabilities are inherent to the trilemma; implementation flaws can be fixed.
Comparative Evaluation: Compare identifier systems by examining their priority ordering and how they navigate the trilemma trade-offs. Systems making different trade-offs are not necessarily "better" or "worse"—they're optimized for different use cases.
The trilemma is a fundamental constraint, but ongoing cryptographic research may shift the boundaries:
Advanced Cryptography: Techniques like fully homomorphic encryption, secure multi-party computation, and advanced zero-knowledge proofs may enable new points in the trade space, though they cannot eliminate the trilemma entirely.
Quantum Resistance: Post-quantum cryptography will require re-evaluation of trade-offs as new cryptographic primitives replace current ones. The trilemma will persist, but the specific trade-offs may shift.
Hybrid Approaches: Combining multiple identifier systems with different trade-offs for different contexts may provide practical solutions that navigate the trilemma more effectively than any single system.
The security overlay properties trilemma is not a limitation to be overcome but a fundamental constraint to be understood and navigated. KERI's explicit acknowledgment of the trilemma and deliberate priority ordering represents a mature approach to identifier system design, providing strong authenticity and confidentiality while maximizing privacy within those constraints.