• Efficient verification: Verifiers can check signatures on compact digests rather than large content
• Content integrity: Any modification to content produces a different digest, breaking the signature
• Non-repudiation: The signature cryptographically binds the commitment to the signer's key pair
• Privacy preservation: Content can remain confidential while its commitment is publicly verifiable

Type Classification

Signed digests are classified as cryptographic commitment primitives within KERI's architecture. They represent a specific pattern of combining:

• Hash functions (one-way cryptographic functions producing fixed-size digests)
• Digital signature schemes (asymmetric cryptography for authentication)

This combination creates what KERI documentation refers to as "trust who said it not what was said" - establishing consistent attribution as the foundation for trust.

Cryptographic Properties

Underlying Algorithms

Signed digests in KERI leverage multiple cryptographic algorithm families:

Hash Functions

KERI supports various cryptographic hash functions through its derivation code system in CESR:

• SHA-256: 256-bit output, widely deployed, NIST standard
• SHA-512: 512-bit output, higher security margin
• SHA3-256: 256-bit output, Keccak-based, quantum-resistant properties
• SHA3-512: 512-bit output, maximum security
• BLAKE3: High-performance modern hash function with 256-bit output
• BLAKE2b: 512-bit output variant
• BLAKE2s: 256-bit output variant

All hash functions used must be collision-resistant, meaning it is computationally infeasible to find two different inputs that produce the same digest.

Signature Schemes

KERI's signed digests support multiple signature algorithms:

• Ed25519: Edwards-curve Digital Signature Algorithm, 256-bit security
• ECDSA (secp256k1): Elliptic Curve Digital Signature Algorithm used in Bitcoin
• ECDSA (secp256r1): NIST P-256 curve variant
• Ed448: Higher security Edwards-curve variant

The KERI whitepaper emphasizes that the protocol is designed to be cryptographically agile, allowing migration to new algorithms as cryptographic research advances or quantum computing threats materialize.

Security Properties

Signed digests provide multiple security guarantees:

Integrity Protection

The digest component ensures cryptographic integrity through collision resistance. For a hash function H and content C:

• Computing D = H(C) produces a fixed-size digest
• Any modification C' ≠ C produces D' = H(C') where D' ≠ D (with overwhelming probability)
• An attacker cannot find C' such that H(C') = H(C) (collision resistance)

This property is fundamental to KERI's append-only event logs, where each event includes a digest of the previous event, creating an immutable chain.

Authentication and Non-Repudiation

The signature component provides cryptographic authentication:

• Only the holder of the private key can generate valid signatures
• Anyone with the public key can verify signatures
• Signatures are non-repudiable: the signer cannot later deny having signed

In KERI's context, this enables end-verifiable statements where validators can cryptographically verify that a specific AID controller made a commitment without trusting intermediaries.

Forward Security Through Pre-Rotation

KERI's pre-rotation mechanism leverages signed digests of future keys. As documented in the KERI whitepaper:

• Current establishment events include signed digests of next key commitments
• These digests commit to keys that remain unexposed until the next rotation
• Compromise of current signing keys cannot affect pre-rotated keys (they remain hidden)
• This provides post-quantum security properties since quantum computers cannot break commitments to hidden keys

Key/Output Sizes

Typical sizes for signed digest components:

Digest Sizes

• SHA-256, SHA3-256, BLAKE3, BLAKE2s: 32 bytes (256 bits)
• SHA-512, SHA3-512, BLAKE2b: 64 bytes (512 bits)

Signature Sizes

• Ed25519: 64 bytes (512 bits)
• ECDSA (secp256k1/secp256r1): 64-72 bytes (variable DER encoding)
• Ed448: 114 bytes (912 bits)

Combined Signed Digest

A complete signed digest primitive consists of:

• Digest: 32-64 bytes
• Signature: 64-114 bytes
• Derivation codes: 1-4 bytes (CESR encoding overhead)

Total size typically ranges from 97 to 182 bytes depending on algorithm choices.

Data Format & Encoding

CESR Encoding Format

Signed digests in KERI are encoded using CESR (Composable Event Streaming Representation), which provides dual text-binary encoding with composability properties.

Qualified Primitives

CESR represents cryptographic primitives as qualified primitives that include:

1. Derivation code: Prepended code indicating the cryptographic algorithm and encoding
2. Raw cryptographic material: The actual digest or signature bytes

This creates self-framing primitives where parsers can determine type and length without external context.

Derivation Codes for Digests

CESR uses specific derivation codes for different hash algorithms:

• E: SHA-256 digest (32 bytes)
• F: SHA-512 digest (64 bytes)
• G: SHA3-256 digest (32 bytes)
• H: SHA3-512 digest (64 bytes)
• I: BLAKE3-256 digest (32 bytes)
• 0D: BLAKE2b-256 digest (32 bytes)
• 0E: BLAKE2s-256 digest (32 bytes)

Derivation Codes for Signatures

Signatures use different code families:

• B: Ed25519 signature (64 bytes)
• 0B: ECDSA secp256k1 signature (64 bytes)
• C: Ed448 signature (114 bytes)

For indexed signatures (used in multi-sig scenarios), additional codes indicate the signing key index.

Text and Binary Representations

CESR provides text-binary concatenation composability, meaning primitives can be converted between domains without loss:

Text Domain (Base64 URL-Safe)

In the text domain, signed digests are encoded as Base64 URL-safe strings:

EABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_

Example SHA-256 digest in text domain:

EL1L56LyoKrIofnn0oPChS4EyzMHEEk75INJohDS_-DT

Where:

• E = SHA-256 derivation code
• Remaining 43 characters = Base64-encoded 32-byte digest

Binary Domain

In the binary domain, the same primitive is encoded as raw bytes:

• First byte(s): Binary derivation code
• Remaining bytes: Raw cryptographic material

The binary encoding is more compact and efficient for storage and transmission.

Composability Properties

CESR's composability means:

• Multiple primitives can be concatenated in either domain
• The entire concatenation can be converted to the other domain
• Round-trip conversion preserves all information
• Parsers can process streams without external framing

This enables pipelining and streaming of cryptographic operations at scale.

Derivation Codes in Practice

The KERI whitepaper emphasizes that derivation codes serve multiple purposes:

1. Algorithm identification: Specifies which cryptographic algorithm was used
2. Length determination: Enables parsers to extract the correct number of bytes
3. Cryptographic agility: Allows protocol evolution without breaking changes
4. Self-describing data: Primitives carry their own type information

This design supports KERI's goal of minimally sufficient means - providing just enough information for verification without unnecessary overhead.

Usage in KERI/ACDC

In Key Event Logs (KELs)

Signed digests are fundamental to KEL structure:

Event Chaining

Each key event includes a signed digest of the previous event, creating a backward-chained log:

• Inception events: First event, no previous digest
• Rotation events: Include digest of previous establishment event
• Interaction events: Include digest of previous event

This chaining makes the KEL tamper-evident - any modification breaks the digest chain.

Pre-Rotation Commitments

Establishment events include signed digests of next key commitments:

• The next field contains digests of pre-rotated public keys
• These digests commit to keys that will be revealed in the next rotation
• Compromise of current keys cannot affect these hidden commitments

As the KERI whitepaper explains, this provides forward security and post-quantum protection.

Event Signatures

Every key event is signed by the current authoritative keys:

• The event content is serialized (typically as JSON or CBOR)
• A digest of the serialized content is computed
• The digest is signed by the controller's private key(s)
• Signatures are attached to the event as CESR-encoded primitives

Validators verify these signed digests to confirm event authenticity.

In Authentic Chained Data Containers (ACDCs)

ACDCs extensively use signed digests for verifiable credentials:

SAID (Self-Addressing Identifier)

ACDCs use SAIDs - self-addressing identifiers that are digests of the ACDC content:

• The ACDC structure includes a d field for its SAID
• The SAID is computed as a digest of the entire ACDC (with the d field set to a dummy value)
• This creates a content-addressable credential
• Any modification changes the SAID, breaking references

Compact Disclosure

ACDCs support compact disclosure using signed digests:

• Instead of revealing full attribute values, only SAIDs are disclosed
• Recipients receive signed commitments to undisclosed content
• Later, full content can be revealed and verified against the SAID
• This enables graduated disclosure and privacy preservation

Chained Credentials

ACDCs form directed acyclic graphs (DAGs) through signed digest references:

• Edge sections contain SAIDs of other ACDCs
• These create verifiable chains of credentials
• The entire chain can be verified through digest validation
• This enables authentic provenance chains

In Seals and Anchoring

Seals are signed digest commitments that anchor external data to KELs:

Event Seals

Interaction events can include seals that commit to:

• External documents or data
• Transaction event log (TEL) events
• ACDC issuance or revocation
• Arbitrary application data

The seal contains a signed digest, creating a cryptographic anchor from the KEL to external data.

Registry Anchoring

The TEL system uses signed digests to anchor credential state to KELs:

• Issuance events are sealed in the issuer's KEL
• Revocation events are sealed in subsequent KEL events
• This creates an end-verifiable credential registry
• No trusted third-party registry is required

Common Usage Patterns

Pattern 1: Event Verification

1. Receive a key event with attached signatures
2. Extract the event content (body)
3. Compute digest of the content
4. Verify signatures on the digest using current authoritative keys
5. Confirm digest matches previous event's commitment (for chaining)

Pattern 2: Pre-Rotation Validation

1. Receive a rotation event
2. Extract the new current keys
3. Compute digests of these keys
4. Verify digests match the previous event's next commitments
5. Confirm signatures on rotation event use the newly revealed keys

Pattern 3: ACDC Verification

1. Receive an ACDC with SAID
2. Compute digest of ACDC content
3. Verify computed digest matches the SAID field
4. Verify issuer's signature on the ACDC
5. Validate issuer's AID through KEL verification

Verification Procedures

The KERI whitepaper emphasizes end-verifiable validation:

Signature Verification Algorithm

1. Parse: Extract CESR-encoded signature primitive
2. Identify: Determine algorithm from derivation code
3. Extract: Get raw signature bytes
4. Compute: Hash the signed content
5. Verify: Apply signature verification algorithm with public key
6. Validate: Confirm public key is authoritative for the AID at this point in the KEL

Chain Verification Algorithm

1. Start: Begin with inception event
2. Verify: Check event signature and structure
3. Extract: Get digest commitment to next event
4. Advance: Move to next event
5. Validate: Confirm event digest matches previous commitment
6. Repeat: Continue through entire KEL
7. Confirm: Validate final key state

This process ensures the entire KEL is internally consistent and cryptographically verifiable.

Related Primitives

Digests (Digers)

Signed digests build upon basic digest primitives:

• Relationship: A signed digest is a digest plus a signature
• Usage: Digests alone provide integrity; signatures add authentication
• CESR encoding: Both use qualified primitive format

Signatures (Sigers/Cigars)

Signed digests incorporate signature primitives:

• Indexed signatures (Sigers): Used in multi-sig scenarios with key index
• Non-indexed signatures (Cigars): Used for single-sig scenarios
• Composition: Signed digest = digest + signature(s)

SAIDs (Self-Addressing Identifiers)

SAIDs are specialized signed digests:

• Relationship: SAIDs are self-referential digests embedded in content
• Usage: Content-addressable identifiers for ACDCs and other structures
• Verification: SAID verification confirms content integrity

Seals

Seals are signed digest commitments in KELs:

• Relationship: Seals anchor external data via signed digests
• Usage: Create cryptographic links from KEL events to external content
• Verification: Seal verification confirms anchored data authenticity

Pre-Rotation Commitments

Pre-rotation uses signed digests of future keys:

• Relationship: Next key digests are signed commitments to unexposed keys
• Usage: Enables secure key rotation and recovery
• Security: Provides forward security and post-quantum protection

Implementation Notes

Critical Implementation Details

Canonicalization Requirements

Before computing digests, content must be canonicalized:

• JSON: Use consistent field ordering and formatting
• CBOR/MessagePack: Use deterministic encoding
• Whitespace: Remove or normalize consistently
• Field order: Maintain consistent ordering

Failure to canonicalize identically will produce different digests, breaking verification.

Signature Attachment

KERI uses attached signatures rather than embedded:

• Signatures are CESR-encoded primitives appended to messages
• Multiple signatures can be attached for multi-sig scenarios
• Attachments are separated from message body for clean verification

Multi-Signature Handling

For multi-sig AIDs:

• Each signer produces a signature on the same digest
• Signatures include indices indicating which key signed
• Threshold validation confirms sufficient signatures
• Weighted thresholds are supported for complex scenarios

Performance Considerations

Signed digest operations have performance implications:

• Hashing: Generally fast (SHA-256: ~500 MB/s on modern CPUs)
• Signing: Slower (Ed25519: ~10,000 signs/sec)
• Verification: Faster than signing (Ed25519: ~30,000 verifies/sec)
• Batch verification: Can optimize multi-signature scenarios

Security Best Practices

The KERI whitepaper emphasizes:

• One-time key use: Minimize key exposure through single-use patterns
• Key separation: Use different keys for signing vs. rotation
• Entropy quality: Use cryptographically strong random number generators
• Algorithm agility: Design for future algorithm migration

Common Implementation Pitfalls

Pitfall 1: Inconsistent Canonicalization

Different implementations may canonicalize differently, causing verification failures. Solution: Use standardized serialization libraries and test cross-implementation compatibility.

Pitfall 2: Signature Malleability

Some signature schemes allow multiple valid signatures for the same message. Solution: Use non-malleable schemes (Ed25519) or canonical signature encoding.

Pitfall 3: Timing Attacks

Signature verification timing can leak information. Solution: Use constant-time comparison operations for cryptographic values.

Pitfall 4: Key State Confusion

Verifying signatures with wrong key state (e.g., rotated keys). Solution: Always validate key state at the specific KEL sequence number being verified.

Integration with KERI Infrastructure

Signed digests integrate with broader KERI components:

• Witnesses: Verify and sign event digests to create receipts
• Watchers: Monitor for duplicitous signed digests (duplicity detection)
• Validators: Perform end-to-end verification of signed digest chains
• Registries: Use signed digests to anchor credential state

Proper implementation requires understanding these interactions and maintaining consistency across the entire KERI stack.

Security Considerations

Constant-Time Operations

Use constant-time comparison for all cryptographic values to prevent timing attacks:

# BAD - timing attack vulnerable
if computed_digest == expected_digest:
    return True

# GOOD - constant-time comparison
import hmac
if hmac.compare_digest(computed_digest, expected_digest):
    return True

Entropy Quality

For key generation and signing:

• Use cryptographically secure random number generators (CSPRNG)
• On Unix systems: /dev/urandom or getrandom() syscall
• Never use rand(), random(), or predictable seeds
• Ensure sufficient entropy before key generation

Algorithm Agility

Design implementations to support algorithm migration:

• Parse derivation codes to determine algorithms dynamically
• Support multiple hash and signature algorithms simultaneously
• Implement algorithm negotiation for new key generation
• Plan for post-quantum algorithm integration

Common Pitfalls

Pitfall 1: Signature Malleability

Some ECDSA implementations allow signature malleability (multiple valid signatures for same message). Solution: Use Ed25519 (non-malleable) or enforce canonical ECDSA encoding.

Pitfall 2: JSON Field Ordering

JavaScript objects and Python dicts may not preserve insertion order in older versions. Solution: Use ordered dictionaries or explicit field ordering during serialization.

Pitfall 3: Base64 Padding

CESR uses Base64 URL-safe encoding without padding characters. Solution: Ensure Base64 encoding/decoding strips = padding and uses URL-safe alphabet (-_ instead of +/).

Pitfall 4: Digest Algorithm Confusion

Mixing digest algorithms between commitment and verification. Solution: Always extract and respect derivation codes; never assume algorithm.

Integration Testing

Implementations should include:

• Cross-implementation tests: Verify signed digests created by one implementation can be verified by others
• Test vectors: Use official KERI test vectors for digest and signature verification
• Fuzzing: Test parser robustness with malformed CESR primitives
• Timing tests: Verify constant-time operations don't leak information

Reference Implementations

Consult these authoritative implementations:

• KERIpy: Python reference implementation (most complete)
• KERIox: Rust implementation (performance-focused)
• Signify: TypeScript/JavaScript implementation (web-focused)

When in doubt about specification interpretation, defer to KERIpy behavior as the reference standard.