The Condition: No Path to Any Authority
In a contested electromagnetic environment, a drone swarm operates under denial. The radio link to the operator is jammed or intermittent, satellite navigation is degraded or spoofed, and the path back to any command post is unreliable by design, because an adversary who can deny it will. Yet the drones still have to function as a swarm, and functioning as a swarm requires identity. Each drone must be able to prove to its siblings that it is a legitimate member, and each must be able to validate that an incoming instruction or observation actually came from a sibling rather than from an adversary spoofing one. This is the defense doctrine of denied, degraded, intermittent, and limited operations stated as an identity problem: identity has to work when there is no path to any authority that could vouch for it. The companion case essay, what drone jamming proves about trustworthy autonomy, makes the operational argument; this article is the identity mechanism underneath it.
Why Every Stored-Secret Model Fails Here
Public-key infrastructure fails because it depends on reachability. Validating a certificate means checking it against an authority and, in practice, checking revocation, and a certificate authority that cannot be reached cannot be consulted; the swarm is left either trusting unvalidated certificates or refusing to operate. Pre-shared keys fail for the opposite reason: they are reachable but brittle. A symmetric key distributed across the swarm so that members can authenticate to each other is a single point of catastrophic failure, because the capture of one drone, an expected event in a contested environment, compromises the key and therefore every member that shares it. External attestation services fail for the same reason PKI does: if a drone proves its integrity by presenting an attestation from a cloud or platform provider, and that provider is unreachable, the proof cannot be produced. Every model that locates the proof of identity in a stored secret or an external issuer inherits a dependency that the contested environment is specifically designed to sever.
Why Keyless Continuity Holds
Keyless identity holds in this environment because the proof is carried, not fetched. A drone's identity is an append-only chain of dynamic hashes advanced by validated interaction, and its trust value is a computed property of that chain that any verifier can reconstruct by replaying it. A sibling validates an incoming message by checking that the sender's present chained state is the legitimate successor of states it has previously witnessed, locally, with no authority in the loop. There is no certificate to check against an unreachable registry and no shared secret whose capture unravels the swarm, because each drone's chain is its own and advances only through interactions it actually participated in.
Two further properties make this survivable under capture. Device entanglement binds the identity chain to the physical platform, so a chain cannot be lifted off a captured drone and replayed from adversary hardware; the proof is anchored in locally sourced unpredictability that does not travel. Quorum recovery handles the temporary state loss that contested operation produces: a drone that loses connectivity or part of its state for a period can re-establish its standing through a threshold of peer validations rather than through a call home, so the swarm heals from within. Capture remains a real event with real consequences, but it is a contained, attributable one, the loss of one member, rather than a key disclosure that compromises the whole.
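The local successor check and the quorum recovery described above can be sketched as follows. This is an added illustration, not code from the filing or the white paper. It assumes a state advances as SHA-256 over the previous state and a length-prefixed interaction record, and that each peer remembers a (height, state) view of a sibling. The function names and sample data are hypothetical, and device entanglement is not modeled.

```python
import hashlib
import hmac

# Assumed construction (not from the filing): each state is
# SHA-256(previous state || length-prefixed interaction record).
def advance(state: bytes, record: bytes) -> bytes:
    return hashlib.sha256(state + len(record).to_bytes(4, "big") + record).digest()

def build_chain(genesis: bytes, records: list[bytes]) -> list[bytes]:
    """Return every state from genesis onward; states[i] is the state at height i."""
    states = [genesis]
    for record in records:
        states.append(advance(states[-1], record))
    return states

def is_successor(witnessed: bytes, presented: bytes, records: list[bytes]) -> bool:
    """Local check: replay the claimed records from the last state this verifier
    witnessed. An empty replay is rejected so a re-sent old state never passes."""
    if not records:
        return False
    return hmac.compare_digest(build_chain(witnessed, records)[-1], presented)

def quorum_recover(peer_views: dict[str, tuple[int, bytes]], presented: bytes,
                   records: list[bytes], threshold: int) -> bool:
    """Each peer anchors on its own (height, state) view and votes independently;
    standing is restored only if at least `threshold` peers validate."""
    votes = sum(is_successor(state, presented, records[height:])
                for height, state in peer_views.values())
    return votes >= threshold

if __name__ == "__main__":
    # Constructed sample data: a four-interaction chain seen by three siblings.
    genesis = hashlib.sha256(b"constructed-genesis").digest()
    records = [b"obs:grid-7", b"cmd:hold", b"obs:grid-8", b"cmd:advance"]
    states = build_chain(genesis, records)
    views = {"A": (1, states[1]), "B": (2, states[2]), "C": (3, states[3])}
    print(quorum_recover(views, states[4], records, threshold=2))  # legitimate chain
    forged = hashlib.sha256(b"adversary-state").digest()
    print(quorum_recover(views, forged, records, threshold=2))     # spoofed state
```

No registry lookup or shared key appears anywhere in the check: each verifier needs only the state it last witnessed and the records presented with the message.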
The General Point
The jamming case is the sharpest illustration of a general principle that the white paper Autonomy You Can Trust develops in full: when a system must act with no round-trip to authority, the things authority would have supplied, including identity, have to be carried inside the acting unit. PKI, pre-shared keys, and attestation services are all ways of supplying identity from outside, and outside is exactly what the adversary removes. Keyless continuity is identity that needs nothing it cannot carry, which is why it is the architecture that holds when the link dies.
Disclosure Scope
The keyless identity mechanism, including the append-only chain of validated dynamic hashes, the device entanglement that binds a chain to its physical platform, and the quorum recovery that re-establishes standing through peer validation rather than an issuer, is disclosed in the identity filing (U.S. Application No. 19/388,580, published as US 2026/0126730 A1), including its claims directed to entanglement. This article applies those disclosed mechanisms to the contested-link, denied-environment condition described in defense doctrine for denied, degraded, intermittent, and limited operations, and is the identity-mechanism companion to the case essay on drone jamming and to the autonomy white paper. References to operational doctrine are to public sources and are used for context only.