Inferensys

Glossary

KERI (Key Event Receipt Infrastructure)

A ledger-independent identity system that uses self-certifying identifiers and a chain of signed key event logs to establish cryptographic root-of-trust without a consensus ledger.
Developer building agentic RAG system, retrieval pipeline diagram on laptop, technical workspace with notes.
LEDGER-INDEPENDENT ROOT OF TRUST

What is KERI (Key Event Receipt Infrastructure)?

KERI is a cryptographic identity system that establishes trust through self-certifying identifiers and a chain of signed key events, eliminating dependency on consensus ledgers.

KERI (Key Event Receipt Infrastructure) is a ledger-independent identity protocol that establishes cryptographic root-of-trust using self-certifying identifiers and a verifiable, append-only log of signed key events. Unlike blockchain-based Decentralized Public Key Infrastructure (DPKI), KERI does not require a consensus ledger to anchor its trust fabric. Instead, it relies on the Key Event Log (KEL), a hash-chained data structure where each event is cryptographically signed by the controller's current private key, providing a self-contained proof of key state and rotation history without external validation.

The protocol's security derives from pre-rotated key pairs, where the hash of the next public key is committed in the current event before rotation occurs. This mechanism ensures that any subsequent compromise of a private key cannot be used to forge a prior, valid key state. KERI's architecture supports duplicity detection through witnesses—designated nodes that receive and propagate receipts of key events—allowing any verifier to detect conflicting logs without querying a global ledger, making it ideal for high-throughput, offline-capable Sovereign Identity Management systems.

ARCHITECTURAL PRINCIPLES

Key Features of KERI

KERI (Key Event Receipt Infrastructure) is a ledger-independent identity system that establishes cryptographic root-of-trust through a chain of signed key event logs, eliminating the need for consensus-based blockchains.

01

Self-Certifying Identifiers (AIDs)

KERI uses Autonomic Identifiers (AIDs) that are cryptographically self-certifying. The identifier is derived directly from the inception key pair, meaning the identifier itself proves control of the private key without requiring a third-party registry lookup.

  • Derivation: The AID is a cryptographic digest of the initial public key
  • Self-verification: Anyone can verify the binding between the identifier and its controller by checking the signature
  • No registration required: Unlike DIDs anchored to blockchains, AIDs establish trust purely through the key event log
0
External Ledger Dependencies
02

Key Event Log (KEL)

The Key Event Log is an append-only, cryptographically chained sequence of events that records every key state change for an AID. Each event is signed by the current controlling key and references the previous event's digest.

  • Tamper-evident: Any alteration to a prior event breaks the hash chain
  • Self-contained: The entire history of key rotations and delegations exists within the log itself
  • Portable: The KEL can be stored anywhere—a database, a file system, or replicated across witnesses—without dependency on any specific ledger
03

Pre-Rotated Key Management

KERI mandates pre-rotation of keys: each key event must commit to the hash of the next key before that key is used. This prevents post-compromise attacks where an attacker who steals a current key could rewrite history.

  • Forward security: Even if the current private key is compromised, the attacker cannot forge a valid prior rotation because the next key hash was already published
  • Non-repudiable: The cryptographic commitment chain proves the legitimate controller authorized every state change
  • Quantum-resistant readiness: The hash-based commitment structure provides a foundation for post-quantum key types
Pre-rotation
Key Compromise Protection
04

Witness Network for Duplicity Detection

KERI employs a witness network—a set of designated nodes that receive and acknowledge copies of key events. Witnesses do not validate transactions or reach consensus; they simply serve as neutral observers to detect duplicity.

  • Duplicity detection: If a controller signs two conflicting versions of the same event, witnesses can produce cryptographic proof of the equivocation
  • Minimal trust: Witnesses cannot alter the KEL; they can only expose misbehavior
  • Scalable: Unlike consensus validators, witnesses require no coordination overhead, enabling high throughput
05

Ledger-Independent Architecture

KERI is fundamentally ledger-agnostic. The KEL provides its own verifiable data structure, so anchoring to a blockchain or distributed ledger is optional and used only for ambient verifiability, not as a source of truth.

  • No gas fees: Operations do not require on-chain transactions
  • No throughput limits: Key events process at network speed, not block time
  • Optional anchoring: A digest of the KEL can be periodically anchored to any ledger for additional discoverability, but the KEL remains the authoritative record
06

Delegated and Multi-Sig Control

KERI supports sophisticated key management structures including delegated identifiers and threshold multi-signature schemes. An AID can delegate signing authority to another identifier with explicit constraints.

  • Hierarchical trust: Organizations can create subordinate identifiers with limited authority scoped to specific contexts
  • M-of-N signing: Require multiple parties to authorize key rotations or credential issuances
  • Recovery mechanisms: Designate recovery keys that can rotate compromised keys without losing control of the identifier
ARCHITECTURAL COMPARISON

KERI vs. Traditional DPKI

A technical comparison of Key Event Receipt Infrastructure against ledger-based Decentralized Public Key Infrastructure and traditional Certificate Authority models.

FeatureKERILedger-Based DPKITraditional PKI (CA)

Root of Trust Source

Self-certifying key event log (KEL)

Consensus ledger or blockchain

Centralized Certificate Authority

Ledger Dependency

KERI DEEP DIVE

Frequently Asked Questions

Explore the technical nuances of the Key Event Receipt Infrastructure, a ledger-independent identity system that establishes cryptographic root-of-trust through self-certifying identifiers and pre-rotated key event logs.

KERI (Key Event Receipt Infrastructure) is a ledger-independent identity system that establishes cryptographic trust through a self-contained, chained log of signed key events rather than relying on a consensus ledger. Unlike blockchain-based Decentralized Identifiers (DIDs), which require a distributed ledger to anchor state changes, KERI uses the identifier itself as the root of trust. The core mechanism involves a self-certifying identifier (Autonomic Identifier or AID) derived from a hash of the initial public key. Every subsequent key rotation or state change is recorded as a signed event in a Key Event Log (KEL). Trust is established by verifying the non-repudiable chain of signatures from inception to the current state. This eliminates the 'oracle problem' of querying an external ledger for the latest DID Document, providing a fully portable, witness-agnostic verification model that operates without transaction fees or block confirmation latency.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.