Credentialed Range Observations With Lineage

by Nick Clark | Published April 25, 2026

Multilateration solvers historically treat range observations as scalar inputs: a distance, a timestamp, perhaps a variance. The provisional disclosure (Application 64/049,409) inverts this assumption. Every range observation entering the solver carries the credential of the producing sensor: a cryptographic identity tied to the unit's keying material, a declared modality, a declared uncertainty under that modality's error model, a freshness timestamp, and a signature binding the bundle. Unstamped observations are rejected outright, and the tier of the credential governs admissibility weight at the solver. The position estimate that emerges is therefore not merely a geometric fix but a structurally auditable claim whose every contributing observation can be traversed back to a signed source.


Mechanism

A range observation is constructed at the contributing unit at the moment of measurement. The unit holds keying material provisioned through the network's governance subsystem; this material is bound to the unit's declared identity and to the operational tier under which the unit is admitted to the mesh. When the unit produces a range estimate from any of its supported modalities — ultra-wideband time-of-flight, lidar return, radar pulse compression, RFID round-trip timing, optical fiducial geometry — the unit packages the estimate together with the modality identifier, the declared 1-sigma uncertainty under that modality's error model, the measurement timestamp drawn from the unit's governance-clock, and the unit's certificate identifier. The unit then signs the bundle with the keying material, producing a credentialed observation.

The credentialed observation traverses whatever transport links it to the solver. The transport is untrusted; the credential is what the solver verifies. On arrival, the solver's admissibility stage performs four independent checks. First, signature validity confirms that the observation was produced by the claimed unit and has not been altered in transit. Second, modality acceptance confirms that the declared modality is presently admitted under the operating context (some modalities may be excluded by jamming-mitigation policy, regulatory restriction, or solution-class requirement). Third, uncertainty acceptance confirms that the declared uncertainty falls within the bounds the current solution requires; an observation declaring 50-meter uncertainty is rejected from a solution targeting a sub-meter fix. Fourth, freshness acceptance confirms that the observation timestamp falls within the operating window of the solution being computed.

An observation that fails any check is rejected and recorded as rejected with the reason. An observation that passes all checks proceeds to the integration stage carrying its full credential record. The integration stage applies tier-governed admissibility weight: a tier-A credential (high-assurance unit) contributes at full weight, while a tier-C credential (low-assurance unit) contributes at attenuated weight even when geometrically advantageous. The position estimate that emerges from the solver carries a manifest of contributing observation identifiers, and each identifier resolves to the full credential record retained for the lineage retention period.
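
The admission path described in this section, as an added example that is not part of the disclosure: a unit signs a bundle and the solver runs the four checks in order, recording the reason on rejection. HMAC-SHA256 from the Python standard library stands in for the signature primitive (a deployment would use an asymmetric signature so the solver holds no signing key); the unit ids, keys, field names and policy values are constructed assumptions.

```python
import hashlib, hmac, json
from dataclasses import dataclass

# Constructed demo data: unit ids, keys, tiers and field names are assumptions.
UNIT_KEYS = {"unit-7": b"demo-key-unit-7"}   # certificate id -> keying material
UNIT_TIERS = {"unit-7": "A"}                 # tier registry kept by governance

@dataclass(frozen=True)
class Policy:                                # settings for one solution class
    version: str
    modalities: frozenset
    max_sigma_m: float
    freshness_s: float

SUB_METER = Policy("policy-v1", frozenset({"uwb", "lidar"}), 0.5, 0.050)

def _tag(key, fields):
    # HMAC-SHA256 over a canonical encoding; stand-in for the unit's signature.
    body = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def sign_observation(key, cert_id, modality, range_m, sigma_m, t_meas):
    """Unit side: bind estimate, modality, 1-sigma, timestamp and identity."""
    fields = {"cert_id": cert_id, "modality": modality, "range_m": range_m,
              "sigma_m": sigma_m, "t_meas": t_meas}
    return {**fields, "sig": _tag(key, fields)}

def admit(obs, policy, now):
    """Solver side: four checks in order; returns the admission record."""
    fields = {k: v for k, v in obs.items() if k != "sig"}
    key = UNIT_KEYS.get(obs.get("cert_id"))
    sig = obs.get("sig")
    # Signature first: no other field is trusted until it verifies.
    if key is None or not isinstance(sig, str) or not hmac.compare_digest(
            _tag(key, fields).encode(), sig.encode()):
        reason = "signature"      # unstamped, unknown unit, or altered in transit
    elif obs["modality"] not in policy.modalities:
        reason = "modality"       # excluded under the current operating context
    elif obs["sigma_m"] > policy.max_sigma_m:
        reason = "uncertainty"    # too coarse for this solution class
    elif not 0 <= now - obs["t_meas"] <= policy.freshness_s:
        reason = "freshness"      # outside the operating window
    else:
        reason = None
    tier = UNIT_TIERS[obs["cert_id"]] if reason is None else None
    return {"admitted": reason is None, "reason": reason, "tier": tier,
            "policy_version": policy.version, "credential": obs}
```

The record keeps the policy version and the full credential whether the observation is admitted or rejected, which is what a later audit reads.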

Why Credential Binding Must Occur At Measurement

It is tempting to add credentials at the network edge, with a gateway that signs incoming sensor traffic before relaying it to the solver. Such edge-attestation schemes solve the transport-authentication problem but leave intact the more consequential weakness: the gateway has no first-hand knowledge of what the sensor actually measured. A compromised or merely faulty gateway can sign whatever range estimate it pleases, and the solver cannot tell the difference. The disclosed mechanism binds the credential at the unit, at measurement, against keying material the unit holds. The signed bundle that arrives at the solver is the same bundle the unit produced; any in-flight alteration is detectable, and any synthesis by an intermediary is rejected for lack of a valid signature against the claimed unit.

Binding modality and uncertainty into the credentialed bundle is equally load-bearing. A range estimate without a modality declaration is uninterpretable: a 12-meter UWB return and a 12-meter lidar return have entirely different error structures, and a solver that conflates them produces a position estimate whose uncertainty bound is at best meaningless and at worst dangerous. By binding the modality into the signed bundle, the solver knows not only what was claimed to be measured but under which physical assumptions and which error model. The uncertainty bound is then interpretable rather than nominal, and the solver's admissibility logic can reject observations whose declared uncertainty exceeds what the solution requires.

Operating Parameters

The freshness window is configured per solution class. A real-time tactical fix may admit observations no older than fifty milliseconds; a deliberate post-event reconstruction may admit observations from a window of seconds or minutes. The window is enforced at admission and is not relaxed in flight. The uncertainty acceptance threshold is similarly configured per solution class: a sub-meter solution rejects observations declaring uncertainty above a configured bound, while a coarse-fix solution admits broader uncertainty in exchange for greater geometric coverage.

Tier weighting is parameterized as a mapping from credential tier to admissibility weight. Deployments may select binary mappings (admit at full weight or reject), graduated mappings (full weight, half weight, quarter weight, reject), or continuous mappings (weight as a function of attested unit-assurance score). The lineage retention period is configured per operating jurisdiction and per operational class: civilian autonomous-vehicle deployments may retain for the statutory liability period, defense deployments may retain under classified retention schedules, and medical-robotics deployments retain under applicable regulatory schedules. The retention authority — the entity authorized to release lineage records under audit — is declared structurally as part of the retention configuration.
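
An added example (not from the disclosure) of the integration stage applying a graduated tier mapping inside a 2-D weighted least-squares fix and emitting the manifest of contributing observations. Assumptions: the weight is the tier weight divided by the declared variance, each admitted observation carries the known position of the contributing unit as `anchor`, and all ids and values are constructed.

```python
import math

TIER_WEIGHT = {"A": 1.0, "B": 0.5, "C": 0.25}    # graduated mapping (constructed)

# Constructed scenario: true position (3, 4); obs-4 is tier C with a +0.6 m bias.
SAMPLE = [
    {"obs_id": "obs-1", "tier": "A", "anchor": (0.0, 0.0),
     "range_m": 5.0, "sigma_m": 0.1},
    {"obs_id": "obs-2", "tier": "A", "anchor": (10.0, 0.0),
     "range_m": math.sqrt(65), "sigma_m": 0.1},
    {"obs_id": "obs-3", "tier": "A", "anchor": (0.0, 10.0),
     "range_m": math.sqrt(45), "sigma_m": 0.1},
    {"obs_id": "obs-4", "tier": "C", "anchor": (10.0, 10.0),
     "range_m": math.sqrt(85) + 0.6, "sigma_m": 0.1},
]

def solve(admitted, tier_weight=TIER_WEIGHT, iters=20):
    """Weighted Gauss-Newton fix; returns ((x, y), manifest)."""
    x = sum(o["anchor"][0] for o in admitted) / len(admitted)   # start at the
    y = sum(o["anchor"][1] for o in admitted) / len(admitted)   # anchor centroid
    for _ in range(iters):
        a11 = a12 = a22 = b1 = b2 = 0.0
        for o in admitted:
            ax, ay = o["anchor"]
            d = math.hypot(x - ax, y - ay) or 1e-9
            jx, jy = (x - ax) / d, (y - ay) / d       # d(range)/d(position)
            # Assumed combination rule: tier weight over declared variance.
            w = tier_weight[o["tier"]] / o["sigma_m"] ** 2
            res = o["range_m"] - d
            a11, a12, a22 = a11 + w*jx*jx, a12 + w*jx*jy, a22 + w*jy*jy
            b1, b2 = b1 + w*jx*res, b2 + w*jy*res
        det = a11 * a22 - a12 * a12                   # 2x2 normal equations
        x += (a22 * b1 - a12 * b2) / det
        y += (a11 * b2 - a12 * b1) / det
    manifest = [{"obs_id": o["obs_id"], "tier": o["tier"],
                 "weight": tier_weight[o["tier"]]} for o in admitted]
    return (x, y), manifest

def error_m(fix, truth=(3.0, 4.0)):
    """Distance between a fix and the constructed true position."""
    return math.hypot(fix[0] - truth[0], fix[1] - truth[1])
```

Solving `SAMPLE` once with `TIER_WEIGHT` and once with every tier at 1.0 shows the biased tier-C range pulling the fix less under the graduated mapping, while the manifest still lists it as a contributor.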

Modality acceptance is governed by a policy expressed as a set of modality identifiers admissible under the current operating context. The policy itself is governance-credentialed: a change to modality policy requires a signed governance update, and the solver records which policy version was in effect at the time of admission. This permits later audit to determine whether an observation was admitted or rejected under the policy in force at the time, even if the policy has since been updated.

Alternative Embodiments

One embodiment performs credential verification at the solver only, accepting raw signed bundles from the transport. A second embodiment interposes credential verification at one or more relay points, attaching relay attestations that record the verification outcome and allowing the solver to short-circuit re-verification when a trusted relay has already attested. A third embodiment binds credentials to per-session ephemeral keys derived from the unit's long-term keying material, reducing exposure of the long-term key while preserving credential traceability through the derivation chain.

A further embodiment supports composite observations in which a single signed bundle carries multiple range estimates produced by the same unit at the same instant across multiple modalities. The composite credential admits or rejects as a unit, simplifying admissibility logic for multi-modal sensors. A complementary embodiment supports collaborative observations in which two units co-sign a single range estimate produced through their joint geometry (for example, time-difference-of-arrival between paired receivers); the collaborative credential carries both units' identities and is admissible only when both credentials independently satisfy admissibility.

An embodiment substitutes hardware-rooted attestation for software-issued credentials, binding the credential to a hardware security module's attestation chain. This embodiment is appropriate for deployments where tamper-resistance of the unit itself is a solution requirement. Another embodiment layers a privacy-preserving credential mode in which the unit's identity is replaced at the credential layer with a pseudonymous identifier resolvable only by the lineage authority, suitable for deployments balancing audit requirements against participant anonymity.

Composition With Other Subsystems

Credentialed range observations compose directly with the governance subsystem that issues unit credentials and maintains the tier registry. The solver does not authenticate units directly; it relies on the governance subsystem's credential issuance and revocation discipline. A revoked credential is rejected at admission once the revocation has propagated to the solver's credential-status cache, and the revocation propagation interval is itself a governed parameter.

Composition with the multilateration solver is structural: the solver consumes credentialed observations as its sole input class and emits position estimates that link back to the contributing observation manifest. The solver does not strip credentials in flight; the manifest is preserved as part of the position record. This permits downstream consumers — autopilots, engagement-decision systems, surgical guidance — to inspect not only the position but the basis for the position before acting on it.

Composition with the lineage retention subsystem governs the persistence of the credential records beyond the immediate solver computation. The retention subsystem stores credential records under the declared retention authority and releases them only under signed audit requests. The solver itself need not retain credentials beyond the operating window; long-term retention is the responsibility of the retention subsystem.

Distinction From Prior Art

Prior-art multilateration treats range observations as scalar measurements. Where authentication is applied at all, it is applied at the link layer (authenticated transport between sensor and solver) rather than at the observation layer (authenticated bundle traveling with the measurement). Link-layer authentication establishes that a message arrived through a trusted channel; it does not establish that the measurement reported in the message was produced by the claimed sensor under the claimed modality with the claimed uncertainty. The disclosed mechanism binds these declarations to the measurement at the moment of measurement, surviving any subsequent transport.

Prior-art audit systems for sensor networks reconstruct provenance from server-side logs after the fact. Such reconstructions are best-effort: log records may be incomplete, time-skewed, or unstructured for the audit purpose. The disclosed mechanism produces structured lineage as a first-class artifact at the moment of admission, so that audit reads the lineage rather than reconstructing it. The distinction is between defensible audit and best-effort reconstruction, and it is architecturally rather than procedurally established.

Prior-art tier-weighted sensor fusion exists in the form of variance-based weighting (lower-variance sensors contribute more) but does not bind tier to credential. The disclosed mechanism makes tier a structural property of the credential rather than an inferential property of the measurement statistics, so that tier is determinable at admission rather than requiring statistical estimation over an observation history.

Disclosure Scope

The disclosure encompasses any range observation entering a multilateration or related geometric solver in which the observation carries a credential binding the producing unit's identity, the modality, the uncertainty, the timestamp, and a signature, and in which admissibility at the solver is governed by credential validity, modality acceptance, uncertainty acceptance, and freshness. The disclosure is not limited to multilateration; it applies to any geometric or temporal solver consuming sensor observations where lineage retention is a solution requirement.

The disclosure includes embodiments in which credentials are software-issued or hardware-attested, in which verification occurs at the solver or at relays, in which observations are individual, composite, or collaborative, and in which lineage retention is operated under any governance authority consistent with the deployment's regulatory and operational context. It is the binding of credential to observation at the point of measurement — not any specific cryptographic primitive — that defines the inventive contribution.

The disclosure further encompasses embodiments in which the credential bundle additionally carries declared environmental qualifiers (multipath conditions, weather state, electromagnetic interference indicators) that participate in admissibility evaluation, and embodiments in which the admissibility decision itself is recorded as a credentialed artifact attesting to the policy version, the timestamp of the decision, and the identity of the deciding solver. The disclosure encompasses solvers operating in real-time, deferred-batch, or hybrid modes, and applies wherever the solver's output position is consumed by a downstream subsystem that may later require structural traversal back to the contributing observations. The structural commitments — that observations are signed at measurement, that admissibility is governed at the solver, that tier modulates weight rather than only acceptance, and that lineage is retained as a first-class artifact — are jointly definitive of the inventive contribution and are intended to be read in their structural conjunction.
