Verifiable trust

Trust that keeps working when everything else goes dark.

Almost every security system depends on a server in the cloud. Ransomware, an outage, jamming or an air-gap takes it down — and authentication dies with it. Cairn spreads trust across the devices themselves: they admit and revoke each other with no central server, offline and post-quantum — and a key can be split across the mesh and recovered from any few survivors.

Results shown here. Technical detail, methodology, and source under NDA.

THE IDEA, IN PLAIN TERMS

How it works

Almost every security system today has a single brain — a server in the cloud. Knock it out and everything stops. Cairn spreads trust across the devices themselves, so there is no brain to knock out — and the keys survive even when devices are lost.

Today: everything depends on one server
SERVER

Ransomware, an outage, jamming, or an air-gap takes the server down — and every device loses the ability to authenticate or be revoked.

Cairn: trust lives in the mesh — no center to kill

Devices vouch for and revoke each other directly — offline, post-quantum, with no server to take down, censor, or outlast.

Threshold key custody: one key, split across the mesh — recover it from any few survivors
KEYs1s2s3s4s5s6

No single node holds the key. Lose nodes to attack, capture, or jamming — any quorum of survivors still recovers it, byte-for-byte. Fewer than the threshold learn nothing.

The hard problems — and how Cairn solves them

What breaks today, and what Cairn does instead.

The cloud control plane goes down — ransomware, an outage, jamming, an air-gap.

Serverless: devices admit and revoke each other directly. There’s no central thing to take down — it keeps working offline.

A captured device keeps its access — and you can’t push a “revoke” when the link is jammed.

Revocation by absence: peers simply stop vouching. Nothing to jam, censor, or forge — the device drops automatically.

Lose the device holding the key and it’s gone forever — or capture it and the key is stolen.

Threshold custody: the key is split across the force. Any quorum of survivors recovers it; fewer than the threshold learn nothing.

Tomorrow’s quantum computer breaks today’s encryption — and migration is now mandated.

Post-quantum end to end — aligned with Canada’s 2025 government migration roadmap.

After an incident, you can’t prove who was admitted, when, or on whose authority.

A signed, hash-chained, replayable audit of every decision — tamper-evident down to the exact record.

An eavesdropper records all your traffic and later reconstructs the keys.

Shares cross the wire sealed to each recipient — a listener who captures everything recovers nothing.

Where it helps

One core engine (web-of-trust admission + withheld-vouch revocation), three validated applications — tactical edge, identity continuity, and OT/ICS & critical infrastructure (validated in emulation on real industrial data).

Defence & the tactical edge

Admit and revoke a captured device at the edge with no link home; split a unit’s master key t-of-n so any few survivors recover it byte-for-byte while captured shares yield nothing; and cut a compromised node per-mission without stranding the rest of the force. Validated on real NATO Anglova battalion-mobility data and a 520-vehicle VeReMi adversarial dataset, run against a live ArduPilot drone fleet under real jamming — with the partition-revocation bound machine-checked in Lean 4 (any force size) and a 16-angle red-team returning 0 breaks. Post-quantum throughout (hybrid Ed25519 + ML-DSA-65).

Identity continuity

Keep a workforce — or a government / defence department — authenticating, and lock out a compromised device, when the identity provider (Okta / Entra / AD, or the SAML/OIDC federation governments run on) is down. A productized, standards-complete OIDC + SAML issuer (proof-of-possession, admin-auth, signed audit, mesh-gated) — proven on real Keycloak + Grafana, a government-style SAML federation, and a Kubernetes API server on managed cloud; hardened, red-teamed, and algorithm-agile so it survives the post-quantum migration. Resilience, not prevention.

OT / IoT & critical infrastructure — in emulation

Detection alerts and microsegmentation blocks network paths; Cairn does a third job — decide which OT/IoT devices are trusted with no server in the loop, revoke a compromised one offline while the plant keeps running, and sign every decision to a byte-replayable audit anyone can verify. The system-of-record that CRA / NERC CIP / IEC 62443 audits demand. Demonstrated on real data (WUSTL-IIoT, 4sics S7comm, LANL) and integrated end-to-end against a live third-party ICS (GRFICS / Tennessee Eastman) with a Suricata attack→detect→enforce→prove loop, holding at ~45k proven decisions — strong TRL-4 / 5-in-emulation (real silicon + a real site remain the gate).

WHY WE BUILT IT

The world is getting more disconnected — security hasn’t caught up.

Outages, ransomware, jamming, war, the edge — more and more of the world runs where the cloud can’t reach. Yet our security still assumes a perfect connection to a perfect server. Cairn is built for the moment that assumption breaks: trust that keeps working when everything else goes dark, that no one can quietly take over, and that survives a future quantum computer.

Evaluating Cairn?

A research prototype (TRL ~4–5) — the results above are real. See exactly how they were produced on the Technical Validation page; the design, source, and formal proofs are available under NDA.