AMATELUS Protocol Spec

7 Cryptographic Foundations

7.1 Security Assumptions

Definition 14

AMATELUS relies on the following cryptographic security assumptions:

  • Collision-resistant hash: SHA3-512 is assumed to be collision resistant, with at least 128-bit security against quantum adversaries

  • Unforgeable signatures: Dilithium2 (NIST security category 2) is assumed to be existentially unforgeable under chosen-message attack, with 128-bit security against quantum adversaries

  • ZKP security: the proof system is assumed to have the standard zero-knowledge properties (completeness, soundness, zero-knowledge)

7.2 Threat Model and Mitigations

7.2.1 Impersonation Attack (Different Secret Key)

Theorem 15

Impersonation attacks with different secret keys are cryptographically prevented.

If an attacker holding a different secret key tries to forge a ZKP, the signature verification fails: DIDComm authenticated messaging makes the sender’s public key known to the recipient (resolved from the sender’s DID), so the signature is checked against that key rather than against one supplied by the attacker, and a signature produced with a different secret key does not verify.

7.2.2 Replay Attack (Same ZKP, Same User)

Proposition 16

Replay attack prevention (preventing legitimate users from reusing the same ZKP) is NOT a responsibility of AMATELUS protocol. This is an application-layer responsibility.

Important distinction:

  • Impersonation attacks (attacker with different secret key): PREVENTED by AMATELUS through DIDComm

  • Replay attacks (legitimate user reusing same ZKP): NOT handled by AMATELUS. Applications requiring single-use semantics must implement nonce mechanisms.

Applications that require ZKP single-use guarantees should implement nonce handling at the application layer:

  • Generate unique session nonces for each verification

  • Record and verify nonce freshness (checking that the nonce has not been used before)

  • Maintain nonce history in application database
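The three steps above as one application-layer verifier, written as an added example (this is not AMATELUS project code). It assumes a challenge-response flow in which the verifier issues a nonce to a named prover DID before each verification and the prover's presentation carries that nonce; `bind_proof` is a stand-in for the real ZKP that only models the property the replay check relies on (the proof is computed over the nonce), and the DIDs, statement and TTL are constructed sample values.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class NonceRecord:
    """One issued nonce: who it was issued to, when, and whether it has been spent."""
    issued_to: str          # DID of the prover the nonce was handed to
    issued_at: float
    consumed: bool = False


class NonceRegistry:
    """Application-layer nonce store (the "nonce history in application database")."""

    def __init__(self, ttl: float = 120.0, clock=time.monotonic):
        self._ttl = ttl
        self._clock = clock     # injectable so expiry can be exercised deterministically
        self._records: dict[str, NonceRecord] = {}

    def issue(self, prover_did: str) -> str:
        """Generate a fresh 256-bit session nonce for one verification and remember it."""
        nonce = secrets.token_hex(32)
        self._records[nonce] = NonceRecord(prover_did, self._clock())
        return nonce

    def consume(self, nonce: str, prover_did: str) -> str:
        """Spend a nonce exactly once. Returns "ok" or the reason for rejection."""
        rec = self._records.get(nonce)
        if rec is None:
            return "unknown-nonce"                 # never issued by this verifier
        if rec.issued_to != prover_did:
            return "nonce-not-issued-to-sender"    # issued to a different DID
        if self._clock() - rec.issued_at > self._ttl:
            return "expired-nonce"
        if rec.consumed:
            return "replayed-nonce"                # same ZKP, same user, second time
        rec.consumed = True
        return "ok"

    def purge_expired(self) -> int:
        """Drop records past their TTL; safe because expired nonces are refused anyway."""
        now = self._clock()
        stale = [n for n, r in self._records.items() if now - r.issued_at > self._ttl]
        for n in stale:
            del self._records[n]
        return len(stale)


def bind_proof(prover_did: str, statement: str, nonce: str) -> str:
    """STAND-IN for the real ZKP (an assumption of this example, not AMATELUS's proof system).
    It models one property only: the proof is computed over the nonce and the prover DID,
    so a captured proof cannot be re-presented with another nonce or under another DID."""
    return hashlib.sha3_512(f"{prover_did}|{statement}|{nonce}".encode()).hexdigest()


def make_presentation(prover_did: str, statement: str, nonce: str) -> dict:
    """Prover side: the message the verifier receives (constructed sample data)."""
    return {"prover_did": prover_did, "statement": statement, "nonce": nonce,
            "proof": bind_proof(prover_did, statement, nonce)}


def verify_presentation(registry: NonceRegistry, p: dict) -> str:
    """Check the nonce binding first (stateless), then spend the nonce (stateful)."""
    expected = bind_proof(p["prover_did"], p["statement"], p["nonce"])
    if not hmac.compare_digest(expected, p["proof"]):
        return "proof-not-bound-to-nonce"          # a bad proof does not burn the nonce
    return registry.consume(p["nonce"], p["prover_did"])


def demo() -> list[str]:
    """Legitimate use, then a replay, a captured proof, a borrowed nonce, and an expiry."""
    clock = [0.0]
    registry = NonceRegistry(ttl=120.0, clock=lambda: clock[0])
    alice, mallory = "did:example:alice", "did:example:mallory"   # constructed DIDs

    nonce = registry.issue(alice)
    pres = make_presentation(alice, "age>=18", nonce)
    results = [verify_presentation(registry, pres)]                 # "ok"
    results.append(verify_presentation(registry, pres))              # "replayed-nonce"
    # Mallory re-sends Alice's captured presentation under her own DID.
    results.append(verify_presentation(registry, dict(pres, prover_did=mallory)))  # "proof-not-bound-to-nonce"
    # Mallory builds a valid binding over a nonce that was issued to Alice.
    results.append(verify_presentation(registry, make_presentation(mallory, "age>=18", registry.issue(alice))))  # "nonce-not-issued-to-sender"
    # Alice presents a fresh nonce after the TTL has elapsed.
    late = registry.issue(alice)
    clock[0] = 121.0
    results.append(verify_presentation(registry, make_presentation(alice, "age>=18", late)))  # "expired-nonce"
    return results


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The binding check runs before `consume` so that an attacker who merely knows a nonce cannot burn it with a garbage proof; in a deployment with several verifier instances the `consumed` flip must be an atomic compare-and-set in the shared database, otherwise two concurrent presentations of the same proof can both pass. Keeping consumed nonces only until their TTL expires is enough history, since anything older is rejected as expired regardless.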

Applications where ZKP reuse is acceptable (e.g., age verification or permission checks, where presenting the same proof again changes nothing) do not require additional replay prevention mechanisms. One-time access grants, by contrast, are exactly the case that needs the nonce handling described above.

7.2.3 Man-in-the-Middle Attack

Proposition 17

Man-in-the-Middle attacks are mitigated at the transport layer.

AMATELUS provides cryptographic identity verification; protecting messages in transit, through ECDH-1PU authenticated encryption (DIDComm authcrypt) and TLS/HTTPS, is the responsibility of service providers.

7.2.4 Sybil Attack (Multiple DIDs)

Proposition 18

Holding multiple DIDs is an intentional part of the protocol design, for privacy protection.

While a single entity can control multiple DIDs, Anonymous Hash Identifiers (AHI) limit abuse within each audit domain through cryptographic binding to national identity systems.