Trust and keys that survive losses, jamming and partition.
At the tactical edge there is no link home — and the enemy is actively destroying, capturing and jamming nodes. Cairn admits and revokes devices with no backhaul, post-quantum, and splits a unit’s master key across the force so it can be recovered from any few survivors — and not from any sub-threshold set of captured nodes.
WHY THIS MATTERS
Tactical units cannot assume continuous connectivity to a central authority. Cairn explores how trust and key custody can keep working when that assumption fails — when the link home is gone and the network is under attack.
THE EVIDENCE
Watch it, then check it on real data
Three runs: Cairn on a live ArduPilot drone fleet under real jamming, the battlefield key-recovery demo, and the same defence on the real NATO Anglova battalion. Pick a tab.
PROOF · REAL DRONE STACK
Cairn on a live drone fleet — admit, jam, revoke, recover
The real Cairn control plane governing a live ArduPilot MAVLink fleet under real jamming: it admits six drones, splits the fleet master key across them, drops a captured drone by the absence of a fresh vouch, and recovers the key from the survivors after real link losses.
CAIRN -- LIVE DRONE FLEET (real ArduPilot SITL · real Cairn engine · real netem jamming)
6 drones · admit: >=3 command vouches across 3 regions · fleet key split 3-of-6
REAL MAVLink telemetry under attack (# = heartbeat received, . = link down)
window 0 1 2 3 4 5 6 7 8 9 . . . . 15
drone_3 # # . # # . . . . . . . . . . . jammed (real netem 60% loss)
drone_4 # # # # . . . . . . # # # # # # jammed -> recovers
drone_6 # # # # # # # # # # . . . . . . destroyed (SITL terminated) @ w10
[1] ADMISSION 6 / 6 drones admitted (threshold-vouch, region-diverse)
[2] CUSTODY fleet master key split 3-of-6 across the drones -- no ground holder
[3] REVOKE drone_5 captured -> fresh vouches = 0 -> denied by ABSENCE (no message to jam)
[4] RECOVER 3 lost (1 captured + 2 off-link) -> KEY RECOVERED byte-for-byte from 3 survivors OK
ADVERSARY captured share + every intercepted frame -> nothing OK
AUDIT signed custody ledger verifies OKHow this was validated
- What it shows
- A 6-drone fleet under attack: two links are jammed (one recovers) and one drone is destroyed mid-mission. Cairn admits the fleet, splits the master key t-of-n, revokes a captured drone by absence, and recovers the key byte-for-byte from the surviving quorum — while the captured share + every intercept yield nothing.
- Real / synthetic
- The drone firmware is REAL — ArduPilot SITL runs the same ArduCopter flight code that flies real drones. The Cairn control plane is the REAL engine, and the link loss is REAL: Linux tc/netem packet loss injected on the MAVLink links, plus a genuinely terminated SITL instance. This is software-in-the-loop simulation, not fielded flight hardware. Which drone is jammed/captured is the scripted scenario; the telemetry, the cryptography and every decision are real.
- Adversarially tested
- A 16-angle red-team battery against this exact engine returns 0 breaks — forged signatures, a million-identity Sybil flood on a real 841k-edge trust graph (1,000,000 fakes → just 4 admitted, bounded by the trust topology, not the attack size), region-collusion, jam-induced denial-of-service and threshold-capture are each defeated or a bounded, documented limit.
- Software stack
- Rust Cairn control plane (threshold-vouch admission, absence-based revocation, post-quantum threshold key custody) driving a real ArduPilot MAVLink fleet via pymavlink; real tc/netem jamming. No hand-rolled crypto.
- How it was produced
- Verbatim output of the real harness over telemetry captured from the live SITL fleet. Reproducible with ArduPilot SITL + the Cairn harness; mechanism under NDA.
Honest boundary: this is software-in-the-loop (real flight firmware + real Cairn engine + real jamming, in simulation), a research prototype at TRL ~4–5 — not a fielded deployment on flight hardware.
HOW IT COMPARES
Against how it’s done today
Tactical key management today relies on keys hand-loaded before a mission and slow over-the-air rekeying — with no way to refresh or revoke once the link to the certificate authority is gone.
| Tactical key management today | Cairn | |
|---|---|---|
| Getting keys to the edge | Pre-placed keys hand-loaded before the mission (key-fill devices); slow, bandwidth-heavy over-the-air rekeying to update. | Keys split across the force and refreshed in the field — no courier, no single point to capture. |
| Revocation when off-grid | No fresh revocation without reach-back; a credential is conditionally trusted until it simply expires. | Revocation is the absence of a fresh vouch — a captured device drops automatically, with no message to jam. |
| Losing the keyholder | The key is compromised or lost. | Any quorum of survivors recovers it — byte-for-byte. |
| Cryptography | Classical. | Post-quantum — aligned with Canada’s 2025 migration roadmap. |
Cairn complements existing defence identity infrastructure — it isn't a replacement for it. The aim is to extend trust and key custody into the disconnected, contested environments where central services simply aren't reachable, and hand control back when the link returns.
Research basis & references
- • Benchmark: NATO STO IST-124 “Anglova” tactical scenario — the community-standard, public-domain reference for tactical-network experimentation. anglova.net
- • Status quo: ATP 6-02.75, Techniques for Communications Security (US Army) — pre-placed keys, key-fill devices, and over-the-air rekeying. armypubs.army.mil
- • Direction of the field: DRDC-supported research finds threshold cryptography the simpler-than-PKI approach for tactical-MANET key management. Defence R&D Canada
- • Mandate: Canadian Centre for Cyber Security (CSE), Roadmap for migration to post-quantum cryptography (ITSM.40.001), 2025. cyber.gc.ca
Evaluating Cairn for a defence programme?
Research prototype (TRL ~4–5). The full stack, datasets and tests are on the Technical Validation page; design, source and formal proofs are under NDA.