The KERI Infrastructure Revolution and the Advent of Autonomous Identity in the Digital Ecosystem.
Technical Paper — MindStack Research Division (Feb. 2026)
Prepared for protocol designers, security engineers, identity architects, and researchers working on decentralized identity, cryptographic trust systems, and distributed infrastructure.
From ledger-anchored DIDs to autonomic identity
Most first-generation decentralized identity systems bind identifiers to distributed ledgers. While this approach provides global ordering and immutability, it introduces structural coupling between identity lifecycle operations and blockchain consensus, cost models, and jurisdictional constraints.
KERI removes this coupling entirely. Identity validity is derived from cryptographic continuity rather than ledger inclusion. Each identifier maintains its own verifiable history, independent of any shared transaction log.
Key Event Logs as the identity primitive
At the core of KERI is the Key Event Log (KEL). Unlike blockchain transactions, KELs are identity-local, append-only sequences of signed events.
- Inception events create self-certifying identifiers derived from public keys.
- Rotation events update signing authority without breaking continuity.
- Interaction events bind external commitments without modifying key state.
There is no global ordering requirement. Verification depends solely on the internal consistency of a single KEL.
Pre-rotation and post-quantum resilience
KERI introduces native pre-rotation by committing future public keys in advance via cryptographic hashes. Control of an identifier therefore cannot be hijacked even if active keys are compromised.
This security model differs fundamentally from X.509, DID registries, and smart-contract-based identity, all of which rely on reactive revocation and external authorities.
Duplicity detection instead of consensus
Rather than preventing conflicting events through Byzantine consensus, KERI detects duplicity cryptographically. If the controller of an identifier signs two incompatible events at the same sequence number, the inconsistency is objectively detectable and renders the identity invalid.
This design eliminates mining, staking, and identity-specific smart contracts while preserving strong security guarantees.
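The pre-rotation check and the duplicity check described above, as an added sketch that is not taken from the paper or from any KERI implementation. It assumes a toy event layout (the field names are hypothetical), SHA-256 over sorted-key JSON in place of KERI's own digests and CESR encoding, and placeholder strings in place of public keys; signature verification is deliberately left out.

```python
import hashlib, json

def digest(obj):
    """SHA-256 over sorted-key JSON (a stand-in for KERI's real digest encoding)."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

def make_event(kind, sn, prior, key=None, next_commit=None, anchor=None):
    # Toy event layout (assumption). Real KERI events are also signed.
    return {"kind": kind, "sn": sn, "prior": prior, "key": key,
            "next": next_commit, "anchor": anchor}

def verify_kel(kel):
    """Replay one KEL; return (current_key, next_commitment) or raise ValueError."""
    first = kel[0]
    if first["kind"] != "icp" or first["sn"] != 0:
        raise ValueError("log must start with an inception event at sn 0")
    key, commit, prev = first["key"], first["next"], first
    for ev in kel[1:]:
        if ev["sn"] != prev["sn"] + 1 or ev["prior"] != digest(prev):
            raise ValueError(f"broken chain at sn {ev['sn']}")
        if ev["kind"] == "rot":
            # Pre-rotation: the revealed key must hash to the earlier commitment.
            if digest(ev["key"]) != commit:
                raise ValueError(f"rotation at sn {ev['sn']} not pre-committed")
            key, commit = ev["key"], ev["next"]
        elif ev["kind"] != "ixn":
            raise ValueError(f"unexpected event kind {ev['kind']!r}")
        prev = ev  # interaction events advance the chain, not the key state
    return key, commit

def find_duplicity(kel_a, kel_b):
    """Return the first sn at which two copies of one identifier's log differ."""
    for a, b in zip(kel_a, kel_b):
        if digest(a) != digest(b):
            return a["sn"]
    return None  # one log is a consistent prefix of the other

# Constructed sample data: "K0", "K1", ... are placeholders, not real keys.
icp = make_event("icp", 0, None, key="K0", next_commit=digest("K1"))
rot = make_event("rot", 1, digest(icp), key="K1", next_commit=digest("K2"))
ixn = make_event("ixn", 2, digest(rot), anchor="doc-digest-A")
hijack = make_event("rot", 1, digest(icp), key="ATTACKER", next_commit=digest("X"))
fork = make_event("ixn", 2, digest(rot), anchor="doc-digest-B")
```

Both `[icp, rot, ixn]` and `[icp, rot, fork]` pass `verify_kel` on their own; the conflict only surfaces when a verifier compares the two copies, which is why duplicity is detected rather than prevented.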
Data and transport: ACDC and CESR
KERI is complemented by two protocol components.
ACDC (Authentic Chained Data Containers) defines cryptographically chained data containers, enabling provenance-preserving data flows across multi-party systems.
CESR (Composable Event Streaming Representation) provides a composable, streaming-oriented encoding for cryptographic events, avoiding JSON canonicalisation issues and enabling high-throughput verification in constrained environments.
Implications for identity infrastructure
KERI demonstrates that decentralized identity does not require decentralized ledgers. Identity operations become deterministic, offline-verifiable, cost-free at the margin, and portable across ecosystems.
For identity infrastructure, this marks a shift from ledger-centric designs to cryptography-centric architectures.
MindStack conclusion
“When identity no longer depends on global consensus, scalability becomes a property of cryptography, not infrastructure.”

