Vehicle-to-Vehicle Communication With Intrinsic Governance

1. Regulatory and Standards Framework

Vehicle-to-vehicle communication is governed by an interlocking stack of federal regulation, spectrum policy, and consensus standards. In the United States, the Federal Motor Vehicle Safety Standards (FMVSS) administered by NHTSA under 49 CFR Part 571 set the safety baseline for any equipment installed on motor vehicles, and NHTSA's 2023 V2X waiver decision and subsequent FMVSS-150 deliberations condition how connected-vehicle safety messages may be relied upon for crash avoidance functions. The Federal Communications Commission's First Report and Order in FCC 20-164 reallocated the 5.9 GHz band, retaining 30 MHz (5.895–5.925 GHz) for cellular V2X (C-V2X) and sunsetting the legacy DSRC allocation, requiring all current deployments to migrate to 3GPP Release 14/16 PC5-mode sidelink operation.

On the credential side, the IEEE 1609.2-2022 standard defines the security services for wireless access in vehicular environments, and the SAE J2945/1 minimum performance requirements for V2V safety communications specify the basic safety message (BSM) format, transmission rate, and authentication obligations. The Security Credential Management System (SCMS) operated under the umbrella of the V2X Security Credential Management System Manager (SCMS Manager LLC) issues short-lived pseudonym certificates under a privacy-preserving butterfly key expansion scheme. In Europe, ETSI EN 302 637-2 (Cooperative Awareness Messages), ETSI EN 302 637-3 (Decentralized Environmental Notification Messages), and ETSI TS 103 097 governing security headers play the analogous role, with the EU C-ITS Certificate Policy and the C-ROADS platform coordinating cross-border trust.

Layered above are the UNECE WP.29 regulations: UN R155 (cybersecurity management system), UN R156 (software update management), and UN R157 (automated lane keeping systems), each binding in the 64 contracting parties to the 1958 Agreement and translating into type-approval requirements that any V2V-equipped vehicle must satisfy before sale. The ISO/SAE 21434 cybersecurity engineering standard and ISO 26262 functional-safety standard impose process-level obligations across the V2V design lifecycle. The EU Cyber Resilience Act, in force from late 2027, adds product-level cybersecurity obligations including a duty to issue free security updates and to maintain a software bill of materials for the connected components.

2. Architectural Requirement

Read together, these instruments demand a V2V architecture in which trust, routing, and propagation decisions can be made authoritatively at the vehicle, in the time window between the receipt of a safety-critical message and the moment the vehicle's planner must act on it — typically less than ten milliseconds for a forward-collision warning at highway speed under SAE J2945/1. The architecture must additionally produce a tamper-evident record of every trust decision sufficient to satisfy UN R155 incident-response obligations, ISO/SAE 21434 cybersecurity case maintenance, and the post-incident reconstructibility expectations of NHTSA's Standing General Order 2021-01 on automated-driving-system crash reporting.

What that means structurally is that authority over a message's admissibility cannot live in an external system that the vehicle must contact. It must live in the substrate the message travels through. The architecture must carry the credential, the trust scope, the propagation policy, and the lineage anchor with the message itself, and the vehicle must be able to evaluate all of them deterministically without external dependency. Any architecture that defers any of these properties to roadside infrastructure, cellular backhaul, or cloud services fails the latency budget under nominal conditions and fails outright when infrastructure is unavailable.

3. Why Procedural Compliance Fails

The dominant procedural answer is the SCMS pseudonym pool: vehicles pre-load thousands of short-lived certificates and use them in rotation, refreshing the pool when connectivity permits. This pattern is procedurally compliant with IEEE 1609.2 and SAE J2945/1, and it satisfies the FCC and NHTSA requirements for the message-format and authentication elements of V2V. It does not satisfy the architectural requirement.

First, the SCMS model defers infrastructure dependency rather than eliminating it. A vehicle that has been disconnected from the SCMS for weeks — a common condition for fleets operating in rural service areas, tunnels with no cellular coverage, or extended off-road deployment — exhausts its valid pseudonym pool and degrades to either uncredentialed transmission (which receivers reject under J2945/1) or to certificate reuse (which violates the privacy properties the butterfly scheme was designed to provide). The infrastructure dependency surfaces as a hard failure at exactly the moment the safety case needs the network most.

Second, certificate revocation under the SCMS Certificate Revocation List (CRL) model is structurally too slow for the threat model. When a compromised vehicle begins injecting false BSMs, the misbehavior must be detected by a Misbehavior Authority, a revocation must be issued, and the CRL delta must propagate to receivers — a process measured in hours to days. During that interval, the compromised credential remains admissible to every receiver that has not yet pulled the updated CRL. There is no structural mechanism in the SCMS architecture for the receiver fleet to contain a compromise locally and in real time.

Third, the SCMS produces an audit trail of certificate issuance, not a lineage of trust decisions. When a UN R155 cybersecurity incident requires post-event reconstruction of which messages were admitted by which vehicles under which credentials with which corroborating context, the SCMS records show only that a credential was valid at issuance. The receiver-side evidential reasoning — which messages corroborated which, which were down-weighted on observation history, which actually drove the planner — is not preserved in any standardized form.

Fourth, peer-only proximity-trust schemes proposed as SCMS alternatives swap one problem for another. Without a structural authority taxonomy, peer trust collapses to whoever shouts loudest, and a single compromised vehicle can inject arbitrary state into the mesh. The procedural fixes — reputation systems, behavioral anomaly detection — are wraparound controls, not substrate properties.

4. What the AQ Memory-Native Protocol Provides

The Adaptive Query memory-native protocol primitive, disclosed under USPTO provisional 64/049,409, specifies a transport substrate in which routing policy, trust scope, and propagation rules are first-class properties of the message rather than properties of an external lookup. Each V2V transmission is an authority-credentialed observation: it carries an authority identifier within a published taxonomy (vehicle manufacturer, fleet operator, infrastructure provider, regulatory authority), a credential continuity record sufficient for receivers to evaluate the slope of trust over recent history, and a propagation envelope (geographic scope, temporal scope, urgency class, re-propagation rules) that travels with the message.

Receivers evaluate incoming observations through the five-property chain locally and deterministically. Property one rejects uncredentialed inputs at the substrate level. Property two composes the credential, the corroborating-observation set from neighboring vehicles, and the operational context into a structured weighting. Property three produces a graduated admissibility outcome — admit fully, admit with planner-side caveat, defer pending corroboration, reject — within the latency budget. Property four governs the actuation: a forward-collision warning that has been admitted with caveat triggers a planner response that is itself reversibility-evaluated and harm-minimized. Property five records every observation, weighting, decision, and response as lineage with credentials, providing the post-incident reconstructibility that UN R155 and NHTSA SGO 2021-01 require.

Trust is structurally local and structurally portable. A vehicle accumulates a trust slope over its observation history with each peer authority; that slope is encoded in the protocol and travels in lineage records, so when a vehicle joins a new mesh, its history is admissible without re-establishment. Compromise containment is a substrate property: when a vehicle's observations diverge from the corroborating set under the local weighting, its trust slope decays in real time at every receiver independently, without requiring a central revocation. Recovery, when the misbehavior was caused by sensor fault rather than compromise, is symmetric: the slope re-accumulates as the vehicle rejoins corroborating consensus.

The substrate is transport-neutral. It runs over C-V2X PC5 sidelink, over 802.11bd, over satellite backhaul, over wired fleet networks, and over hybrid combinations. Infrastructure, where present, is admitted as just another credentialed authority with its own trust slope, enhancing the network without being a precondition for it.

5. Compliance Mapping

The mapping to regulatory obligation is direct. IEEE 1609.2 security-services obligations are satisfied by the property-one credentialing layer, which subsumes pseudonym-certificate semantics as a special case while extending them with continuity history. SAE J2945/1 minimum-performance requirements are met by the deterministic local-evaluation pipeline operating within the per-message latency budget. FCC 5.9 GHz operating rules are unaffected because the substrate composes over C-V2X PC5; ETSI EN 302 637 message formats are accommodated as an authority-namespaced encoding within the property-one envelope.

UN R155 cybersecurity-management-system obligations are satisfied by the property-five lineage record, which provides the auditable incident-response evidence the regulation requires. UN R156 software-update obligations compose naturally because update events are themselves credentialed observations with their own propagation envelopes. ISO/SAE 21434 cybersecurity-case maintenance is supported by the same lineage record serving as the contemporaneous evidence of design-time assumptions versus field behavior. ISO 26262 functional-safety arguments are preserved because the substrate's deterministic local evaluation does not introduce non-determinism into the safety chain.

EU Cyber Resilience Act software-bill-of-materials and free-security-update obligations are accommodated because each component's credential and update history is itself a chain of credentialed observations, and NHTSA SGO 2021-01 crash-reporting requirements are satisfied by replay of the lineage record to the moment of the event.

6. Adoption Pathway

Adoption layers over an existing C-V2X PC5 deployment without forklift replacement. In the first stage, the memory-native protocol runs as a parallel envelope around standard BSM and DENM traffic: vehicles continue to transmit J2945/1- and ETSI-compliant messages on the existing 30 MHz allocation, while the substrate adds the credential-continuity, trust-slope, and lineage fields as a 1609.2-extension header. Receivers that understand the extension perform local five-property evaluation; receivers that do not fall back to standard SCMS-style validation. The fleet operates in mixed mode without safety regression.

In the second stage, the substrate becomes authoritative for trust-decay and compromise-containment, with the SCMS retained as one credentialing authority among several within the published taxonomy. Misbehavior detection migrates from a centralized Misbehavior Authority pulling reports from the fleet to a distributed property-two weighting that operates at every receiver independently and in real time, while the SCMS continues to handle long-horizon revocation and audit. Type-approval evidence under UN R155 is produced from the lineage record as a structural by-product.

In the third stage, mixed-fleet and cross-jurisdiction operation becomes the default. Vehicles from different manufacturers, with different SAE-level autonomy, operating in different regulatory regimes, communicate through the same substrate because authority is namespaced and trust is locally evaluated. The substrate composes hierarchically — vehicle, fleet, region, jurisdiction — so a coalition or treaty-level authority taxonomy can be added without re-architecting the lower levels. The result is a V2V network whose governance integrity does not depend on any single infrastructure operator and whose compliance evidence is continuously produced rather than retrospectively assembled.