Explore comprehensive explanations of key concepts in the KERI protocol and vLEI ecosystem
A replay attack occurs when an attacker intercepts a valid authenticated message or transaction and fraudulently retransmits it at a later time to deceive the receiver into performing unintended actions, exploiting the fact that the message itself remains cryptographically valid despite being used out of its intended temporal context.
A receipt-log is an ordered, append-only record of all key event receipts for a given set of witnesses, providing cryptographic evidence that witnesses have observed and attested to specific key events in a KERI identifier's history.
A non-transferable identifier is a KERI autonomic identifier (AID) whose controlling keys cannot be rotated, making control authority permanently fixed to the initial key pair established at inception. This immutability prevents transfer of control to other entities, making these identifiers inherently ephemeral and suitable for short-lived, peer-to-peer, or one-time-use scenarios.
A witness pool is a collection of witnesses available for selection by an AID controller to provide key event witnessing services, forming part of the KERI infrastructure for distributed consensus. Controllers designate witnesses from the pool to verify, sign, and store key events, with the pool providing redundancy, fault tolerance, and protection against compromise through threshold-based agreement mechanisms.
CBOR (Concise Binary Object Representation) is a binary data serialization format defined in RFC 8949 that provides a compact alternative to JSON, maintaining similar structural flexibility while achieving greater efficiency through binary encoding at the cost of human readability.
An optional field map in the Edge section of an ACDC that enables expression of edge logic on edge subgraphs, functioning either as a unary operator on a single edge or an m-ary operator on an edge group.
Zero-trust is a security architecture principle that assumes no entity (user, device, or network component) is inherently trustworthy, requiring continuous cryptographic verification of every interaction regardless of location or previous authentication status.
A property indicating that control authority over a digital identifier or asset cannot be transferred to another entity in an unobstructed or loss-less manner, either due to technical constraints (non-rotatable keys) or legal/governance restrictions.
Secure attribution is the cryptographic proof that a statement, message, or data originated from a specific controller, enabling verifiable answers to "whodunit?" in cyberspace through non-repudiable digital signatures and verifiable key state, independent of whether the content is true.
A public verifiable credential registry is a KERI-based infrastructure using Transaction Event Logs (TELs) anchored to Key Event Logs (KELs) to track the issuance and revocation state of verifiable credentials issued by an AID controller, enabling anyone to verify credential status through cryptographically verifiable, append-only data structures.
A derivation code is a compact, prepended character sequence in CESR encoding that specifies the cryptographic algorithm, key type, or operation used to derive a cryptographic primitive, enabling self-describing, composable representations of keys, digests, and signatures without external schema information.
A trusted data source that provides a complete, authoritative picture of a data object. In KERI/ACDC, the source-of-truth is the cryptographically verifiable record of control authority operations (KEL) and transaction state (TEL), which establishes secure attribution of statements but does not determine the veracity (truthfulness) of their content.
A delegated inception event (dip) is a special type of KERI establishment event that creates a new Autonomic Identifier (AID) under the authority of a delegating identifier, establishing a cryptographically verifiable hierarchical trust relationship.
Post-quantum cryptography refers to cryptographic algorithms designed to remain secure against attacks from quantum computers. In KERI, post-quantum security is achieved through the pre-rotation mechanism, which uses cryptographic hash digests to commit to future keys before they are exposed, providing quantum resistance at the protocol level even when individual key pairs may not be inherently quantum-resistant.
Pipelining is a computing architecture where data processing elements are connected in series, with each element's output feeding the next element's input, enabling parallel or time-sliced execution with buffer storage between stages. In CESR, pipelining enables efficient stream processing by allowing parsers to extract logical atomic data chunks and distribute them across multiple processor cores without sequential parsing bottlenecks.
In cryptography and identity systems, a collision occurs when two different inputs produce identical outputs (such as hash digests or identifiers), creating ambiguity about which source the result represents. Collision resistance—the computational infeasibility of finding such pairs—is a fundamental security property for cryptographic hash functions, self-addressing identifiers, and namespace systems.
A key management infrastructure that does not rely on a single entity for the integrity and security of the system as a whole, using technologies that enable geographically and politically disparate entities to reach agreement on the key state of an identifier through cryptographic verification rather than centralized trust.
Byzantine Fault Tolerance (BFT) is a property of distributed computing systems that enables them to reach consensus and maintain correct operation despite the presence of Byzantine faults—failures where components may behave arbitrarily, provide inconsistent information to different observers, or act maliciously. A BFT system can continue functioning correctly as long as at least two-thirds of the network reaches consensus, tolerating up to one-third faulty or malicious nodes.
A backer is an alternative to a traditional KERI witness that commonly uses Distributed Ledger Technology (DLT) to store the Key Event Log (KEL) for an identifier, providing a secondary root-of-trust through blockchain-based verification rather than native KERI witness infrastructure.
The minimum number of valid signatures (or fractional weights of signatures) required from a given set of keys to successfully verify a message or authorize an operation in KERI's multi-signature schemes.
Ambient verifiability is the property where cryptographic verification can be performed by anyone, anywhere, at any time without restrictions on verifier identity, location, or temporal constraints—enabling universal, unrestricted validation of digital signatures and event logs.
Signing authority is the delegated right to create digital signatures on behalf of the controller of an authoritative key pair, explicitly excluding rotation authority. This limited authority enables custodial arrangements where operational signing can be delegated while the original controller retains ultimate control through exclusive rotation rights.
In CESR, concatenation is the operation of joining self-framing primitives end-to-end to form streams, where the composability property ensures that concatenated primitives can be converted en-masse between text and binary domains without loss while maintaining individual primitive separability.
A cryptonym is a cryptographic pseudonymous identifier represented by a string of characters derived from a random or pseudo-random secret seed or salt via a one-way cryptographic function with sufficiently high cryptographic strength (e.g., 128 bits), functioning as a universally unique identifier where only the controller possessing the secret can prove control.