Cairn overview
Defence · Tactical edge · DDIL

Trust and keys that survive losses, jamming and partition.

At the tactical edge there is no link home — and the enemy is actively destroying, capturing and jamming nodes. Cairn admits and revokes devices with no backhaul, post-quantum, and splits a unit’s master key across the force so it can be recovered from any few survivors — and not from any sub-threshold set of captured nodes.

WHY THIS MATTERS

Tactical units cannot assume continuous connectivity to a central authority. Cairn explores how trust and key custody can keep working when that assumption fails — when the link home is gone and the network is under attack.

THE EVIDENCE

Watch it, then check it on real data

Three runs: Cairn on a live ArduPilot drone fleet under real jamming, the battlefield key-recovery demo, and the same defence on the real NATO Anglova battalion. Pick a tab.

PROOF · REAL DRONE STACK

Cairn on a live drone fleet — admit, jam, revoke, recover

The real Cairn control plane governing a live ArduPilot MAVLink fleet under real jamming: it admits six drones, splits the fleet master key across them, drops a captured drone by the absence of a fresh vouch, and recovers the key from the survivors after real link losses.

cairn-mesh
CAIRN -- LIVE DRONE FLEET   (real ArduPilot SITL · real Cairn engine · real netem jamming)
  6 drones · admit: >=3 command vouches across 3 regions · fleet key split 3-of-6

REAL MAVLink telemetry under attack        (# = heartbeat received, . = link down)
  window      0 1 2 3 4 5 6 7 8 9 . . . . 15
  drone_3     # # . # # . . . . . . . . . . .   jammed  (real netem 60% loss)
  drone_4     # # # # . . . . . . # # # # # #   jammed  ->  recovers
  drone_6     # # # # # # # # # # . . . . . .   destroyed (SITL terminated)  @ w10

[1] ADMISSION   6 / 6 drones admitted (threshold-vouch, region-diverse)
[2] CUSTODY     fleet master key split 3-of-6 across the drones -- no ground holder
[3] REVOKE      drone_5 captured -> fresh vouches = 0 -> denied by ABSENCE (no message to jam)
[4] RECOVER     3 lost (1 captured + 2 off-link) -> KEY RECOVERED byte-for-byte from 3 survivors   OK
    ADVERSARY   captured share + every intercepted frame  ->  nothing                              OK
    AUDIT       signed custody ledger verifies                                                     OK

How this was validated

What it shows
A 6-drone fleet under attack: two links are jammed (one recovers) and one drone is destroyed mid-mission. Cairn admits the fleet, splits the master key t-of-n, revokes a captured drone by absence, and recovers the key byte-for-byte from the surviving quorum — while the captured share + every intercept yield nothing.
Real / synthetic
The drone firmware is REAL — ArduPilot SITL runs the same ArduCopter flight code that flies real drones. The Cairn control plane is the REAL engine, and the link loss is REAL: Linux tc/netem packet loss injected on the MAVLink links, plus a genuinely terminated SITL instance. This is software-in-the-loop simulation, not fielded flight hardware. Which drone is jammed/captured is the scripted scenario; the telemetry, the cryptography and every decision are real.
Adversarially tested
A 16-angle red-team battery against this exact engine returns 0 breaks — forged signatures, a million-identity Sybil flood on a real 841k-edge trust graph (1,000,000 fakes → just 4 admitted, bounded by the trust topology, not the attack size), region-collusion, jam-induced denial-of-service and threshold-capture are each defeated or a bounded, documented limit.
Software stack
Rust Cairn control plane (threshold-vouch admission, absence-based revocation, post-quantum threshold key custody) driving a real ArduPilot MAVLink fleet via pymavlink; real tc/netem jamming. No hand-rolled crypto.
How it was produced
Verbatim output of the real harness over telemetry captured from the live SITL fleet. Reproducible with ArduPilot SITL + the Cairn harness; mechanism under NDA.

Honest boundary: this is software-in-the-loop (real flight firmware + real Cairn engine + real jamming, in simulation), a research prototype at TRL ~4–5 — not a fielded deployment on flight hardware.

HOW IT COMPARES

Against how it’s done today

Tactical key management today relies on keys hand-loaded before a mission and slow over-the-air rekeying — with no way to refresh or revoke once the link to the certificate authority is gone.

Tactical key management todayCairn
Getting keys to the edgePre-placed keys hand-loaded before the mission (key-fill devices); slow, bandwidth-heavy over-the-air rekeying to update.Keys split across the force and refreshed in the field — no courier, no single point to capture.
Revocation when off-gridNo fresh revocation without reach-back; a credential is conditionally trusted until it simply expires.Revocation is the absence of a fresh vouch — a captured device drops automatically, with no message to jam.
Losing the keyholderThe key is compromised or lost.Any quorum of survivors recovers it — byte-for-byte.
CryptographyClassical.Post-quantum — aligned with Canada’s 2025 migration roadmap.

Cairn complements existing defence identity infrastructure — it isn't a replacement for it. The aim is to extend trust and key custody into the disconnected, contested environments where central services simply aren't reachable, and hand control back when the link returns.

Research basis & references

  • • Benchmark: NATO STO IST-124 “Anglova” tactical scenario — the community-standard, public-domain reference for tactical-network experimentation. anglova.net
  • • Status quo: ATP 6-02.75, Techniques for Communications Security (US Army) — pre-placed keys, key-fill devices, and over-the-air rekeying. armypubs.army.mil
  • • Direction of the field: DRDC-supported research finds threshold cryptography the simpler-than-PKI approach for tactical-MANET key management. Defence R&D Canada
  • • Mandate: Canadian Centre for Cyber Security (CSE), Roadmap for migration to post-quantum cryptography (ITSM.40.001), 2025. cyber.gc.ca

Evaluating Cairn for a defence programme?

Research prototype (TRL ~4–5). The full stack, datasets and tests are on the Technical Validation page; design, source and formal proofs are under NDA.