What This Application Specifies
Delay-tolerant networking (DTN) is the architecture built for links where the assumptions of ordinary networking do not hold: round-trip times measured in minutes or hours, contacts that open and close on an orbital or planetary schedule, and long stretches where a node holds data and forwards it later because there is no continuous end-to-end path. This is the regime of deep-space relays, planetary orbiters and landers, and the store-and-forward bundle transfers that move science and command traffic across an interplanetary network. The standardized bundle protocol used in this regime moves self-contained bundles hop by hop, and each receiving node must decide whether an arriving bundle is authentic before it acts on it or forwards it onward.
This application specifies how the Keyless Identity mechanism disclosed in United States Patent Application 19/388,580 supplies that authentication decision without requiring any node to reach an external authority at the moment of validation. In the disclosed model, a device or agent expresses its identity as a trust slope: an append-only sequence of dynamic hashes (a Dynamic Device Hash, DDH, or Dynamic Agent Hash, DAH), where each successor is computed from the immediately prior value and a source of locally retained unpredictability under a published update rule. A receiver validates a presented identity by checking that it is a valid successor of a state it has previously accepted, using only locally held materials and policy-bounded continuity checks. The specification names spaceborne links directly as a target environment, describing authentication under delayed verification and bounded proof windows for high-latency, disrupted, or disconnected networks including delay-tolerant, mesh, opportunistic, and spaceborne links.
Why It Matters
Every widely deployed authentication model that a ground network relies on assumes reachability, and a deep-space link is defined by its absence. Public-key infrastructure validates a certificate by checking it against an authority and, in practice, checking revocation status; on a link where the round trip is measured in minutes to hours and contacts are scheduled, the responder cannot be consulted inside any window that a live protocol allows. Session-oriented handshakes fail for a related reason: a challenge-response or asymmetric key exchange needs a timely round trip, and on a one-way or long-delayed link there is no timely round trip to complete. Pre-shared symmetric keys work without a round trip but are brittle across a fleet, because a key distributed to every node so members can authenticate becomes a single point of catastrophic failure the moment any one node is compromised or its key is exposed over a long mission lifetime.
The consequence on a real mission is that authentication either degrades into trusting unvalidated traffic or refuses to operate when the link is exactly what it was designed to be. The disclosed mechanism matters here because it moves the proof of identity into something the node already carries and can reconstruct locally. There is no certificate to check against an unreachable registry, no live handshake to complete across a light-hour of delay, and no fleet-wide shared secret whose exposure unravels the constellation, because each node's trust slope is its own and advances only through the identity mutations it actually performed.
How It Composes With the Domain
A DTN bundle is self-contained and travels through custody transfers, held and forwarded by intermediate nodes until a contact opens. The disclosed mechanism maps onto this shape directly. A sending node advances its trust slope and constructs a message with the current dynamic hash placed in the transport header and the same value embedded inside the protected payload; the symmetric key that protects the payload is derived transiently from the recipient's current dynamic identity, so the message itself carries no key. On receipt, the node performs the disclosed two-stage validation: a fast, stateless continuity screen of the header hash against its last trusted successor lets it reject obvious spoofs and malformed traffic before spending any effort on decryption, and after decryption it validates the embedded sender hash against the reconstructed sender slope. Both stages use only locally retained state and policy-bounded continuity parameters.
The property that makes this work across a delayed or broken link is the disclosed delayed-validation and sparse-recovery path. A node that has been out of contact will not hold the sender's most recent trusted anchor. Rather than fail, the sender includes a bounded set of mutation proofs, per-step materials sufficient for the verifier to deterministically recompute the intervening successors from its last trusted anchor forward to the presented identity, optionally referencing a periodic anchor or checkpoint to bound the replay. The verifier replays those steps locally, and if the recomputed terminal value matches the presentation and opens to the trusted anchor, the presentation is accepted. Where the verifier's stored state predates the referenced anchor or the supplied proof is insufficient, it can defer final acceptance and request a bounded checkpoint on a later contact, without ever contacting an external registry. Because the identity process is append-only with periodic anchors, nodes retain only sparse selected identities and checkpoints and reconstruct the rest on demand, which suits the storage limits of a spacecraft avionics stack.
Several disclosed provisions compose naturally with the mission profile. Replay resistance is enforced by binding acceptance to monotonic progression along the slope and rejecting reuse of previously accepted successors within a policy horizon, which is exactly the protection a store-and-forward network needs when the same bundle may be seen more than once. Entropy-anchor rotation with recorded forward links lets a long-lived spacecraft refresh its identity epoch over a multi-year mission without breaking auditability, since a verifier bridges old and new epochs through the forward link under policy. Where a node must interoperate with legacy signature-based ground equipment, the disclosed fallback path confines a transient keypair to a segregated adapter whose materials never feed back into the trust slope, so interoperability does not dilute the no-persistent-keypair property among the space nodes themselves.
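The delayed-validation replay and the replay-resistance provision described above can be sketched together. This is an added example, not code from the patent application or the article's author. It assumes a stand-in update rule (SHA-256 over the prior value and the per-step material), a hypothetical `MAX_PROOF_STEPS` policy bound, hypothetical outcome names, and constructed sample data.

```python
import hashlib
import hmac

MAX_PROOF_STEPS = 4  # assumed policy bound on the proof window


def successor(prev: bytes, material: bytes) -> bytes:
    """Assumed stand-in update rule: SHA-256(prev || per-step material)."""
    return hashlib.sha256(prev + material).digest()


class Verifier:
    def __init__(self, anchor: bytes):
        self.anchor = anchor   # last trusted successor held locally
        self.seen = {anchor}   # successors at or behind the anchor (policy horizon)

    def validate(self, presented: bytes, opens_to: bytes, proofs: list) -> str:
        if presented in self.seen:
            return "REJECT_REPLAY"   # no monotonic progress along the slope
        if opens_to != self.anchor or len(proofs) > MAX_PROOF_STEPS:
            return "DEFER"           # wait for a bounded checkpoint on a later contact
        value, path = self.anchor, []
        for material in proofs:      # deterministic local replay, no external lookup
            value = successor(value, material)
            path.append(value)
        if not hmac.compare_digest(value, presented):
            return "REJECT"          # replay does not reach the presented identity
        self.seen.update(path)       # skipped-over successors are now behind the anchor
        self.anchor = presented
        return "ACCEPT"


def demo() -> list:
    # Constructed sample data: a sender slope of six steps from a shared genesis.
    genesis = hashlib.sha256(b"constructed-genesis").digest()
    materials = [b"step-%d" % i for i in range(1, 7)]
    slope = [genesis]
    for m in materials:
        slope.append(successor(slope[-1], m))
    v = Verifier(genesis)
    return [
        v.validate(slope[3], genesis, materials[:3]),       # gap of three, replayed
        v.validate(slope[3], genesis, materials[:3]),       # same bundle seen again
        v.validate(slope[2], genesis, materials[:2]),       # skipped-over intermediate
        v.validate(slope[6], slope[4], materials[4:6]),     # opens to an anchor not held
        v.validate(slope[5], slope[3], [b"forged", b"x"]),  # proofs do not reach it
        v.validate(slope[5], slope[3], materials[3:5]),     # valid continuation
    ]
```

A rejected or deferred presentation leaves the verifier's anchor untouched, so a forged bundle cannot move the accepted state forward or block the later valid continuation.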
What This Enables
The composition enables authentication native to the link rather than fighting it. A relay node can accept a bundle on a scheduled contact, hold it, and forward it later, and the receiving custodian can validate its origin from carried proofs whenever it next processes the bundle, with no requirement that any authority be reachable at either moment. An orbiter that has been over the far side of a body, or a lander powered down through a night, can re-establish continuity from bounded proofs and, if it has lost state entirely, through the disclosed quorum recovery, in which previously trusted peers issue attestations that aggregate into a recovery token under a quorum policy, so a node rejoins the trust graph through a threshold of peer validations rather than a call home. Because security here reduces to the unpredictability of per-step inputs and the preimage resistance of the hashes and extractors rather than to hardness assumptions vulnerable to Shor-type attacks, the model is post-quantum aligned by construction, which matters for missions whose design lifetime outruns the migration timelines of certificate-based systems. And because no node holds a fleet-wide secret or a long-lived private key, the loss of one spacecraft is a contained, attributable event rather than a disclosure that compromises the constellation.
Boundary Conditions
This application is an enabling implementation, and its honest limits should be stated. The disclosed mechanism authenticates identity continuity and message provenance; it is not an orbital-mechanics or contact-scheduling system, and it presumes the underlying bundle transport delivers bundles eventually, however delayed. Delayed validation requires that a verifier hold, or be able to obtain on a later contact, a checkpoint or anchor from which to replay; a verifier whose trusted state is older than the available proof window must wait for a bounded checkpoint before it can accept, which trades immediate acceptance for the ability to operate disconnected. The strength of the guarantee depends on the min-entropy of the per-step unpredictability contribution, so a constrained spacecraft endpoint must be provisioned with an adequate unpredictability source, whether a hardware anchor with per-epoch volatile salt, a local-state derivation, or a hybrid of both. Continuity policy must be tuned to the mission: acceptance envelopes set too tightly will reject legitimate drift after long dormancy, while envelopes set too loosely weaken spoof rejection. None of the numbers, latencies, or mission parameters that a specific deployment would need are asserted here; they are engineering choices for the integrator, and this article does not claim any measured performance for the mechanism on a space link.
Disclosure Scope
The keyless identity mechanism described here, including the append-only trust slope of dynamic hashes advanced by locally retained unpredictability, the transiently derived symmetric keys and two-stage header-and-payload validation, the delayed validation and sparse recovery using bounded proof windows and periodic anchors, the replay resistance through monotonic slope progression, the entropy-anchor rotation with forward links, the predictive drift triage, the quorum-based recovery after state loss, and the strictly isolated legacy fallback path, is disclosed in United States Patent Application 19/388,580. This article applies those disclosed mechanisms to the delay-tolerant and interplanetary networking condition, in which links are high-latency, scheduled, frequently one-way, and disconnected for long intervals. References to delay-tolerant networking, the bundle protocol, and space communication architecture are to public standards and domain facts and are used for context only; they are external framing, not part of the disclosed technology. This article is an application of the disclosed technology and is not itself a patent claim.