Hop-History Relay

Mechanism

Hop-history relay operates by three composed actions at every relay node: append, sign, and bound. When a payload arrives at a mesh node configured as a relay, the node first inspects the existing hop-history field. If the field is absent (the payload is at its origin), the node initializes the field with an originating entry containing the originating device's credential, the origination timestamp, and a nonce binding the entry to the payload's content hash. If the field is present, the node verifies the prior signature chain against the credentialing fabric. Only after verification does the node proceed.

In the append action, the relaying node constructs a hop-record entry containing: its own credential identifier, the timestamp of relay, the reception channel (which radio interface, which optical link, which ingress port), the cumulative content hash of the payload-plus-prior-history, optional credentialed-position metadata if the relay device bears a position credential, and an optional received-signal-strength indicator. The entry is appended to the hop-history field in canonical order — newest entries at the tail — without rewriting any prior entry.

In the sign action, the relaying node signs the entire payload-plus-prior-history-plus-new-entry under its device credential. The signature is appended to the new hop-record entry. The signature binds the new entry to every prior entry by signing the cumulative content hash, so any modification to any earlier entry invalidates every subsequent signature. The chain of signatures is the tamper-evidence structure: any divergence between the cumulative hash signed by entry N and the cumulative hash actually present at validation time exposes the tampering.

In the bound action, the relaying node enforces a configured maximum hop depth. If the appended entry would exceed the configured depth, the node either drops the payload (in strict-bound configurations) or applies a sliding-window truncation that drops the oldest non-origin entries while preserving the origin entry and the most recent N-1 entries (in compaction configurations). The bound prevents unbounded growth of the hop-history field and is itself a credentialed configuration of the mesh.

Downstream observers perform three operations on the hop history. Path reconstruction walks the entries in order, producing a verified chronological trace of relay devices and timestamps. Tamper detection verifies the signature chain end-to-end; any failure localizes to the entry whose signature does not validate against its cumulative hash. Ring detection inspects the entries for credential-identifier repetition; a repeated credential within the bounded window indicates that the payload has traversed the same node twice, which in correctly functioning mesh routing should not occur. Repetition triggers either local suppression of further relay or an explicit ring-detected observation propagated upstream.

Operating Parameters

The hop-history maximum depth is parameterized per mesh policy. Typical depths range from four hops in tightly bounded local meshes to thirty-two hops in expansive expeditionary meshes. The depth is chosen to match the network's diameter; meshes with diameter D should configure depth at least D plus a small margin to cover routing variance. Depth larger than required wastes payload bandwidth but does not impair correctness; depth smaller than required forces compaction and can defeat ring detection in long paths.

The hop-record entry size is governed by the credential identifier length, the signature length, and the optional metadata. Typical entries range from sixty-four bytes to a few hundred bytes. The cumulative hop-history field size is bounded by depth times entry size, typically a few kilobytes at maximum. Mesh-substrate maximum-transmission units accommodate the bounded field by construction.

The signature algorithm is parameterized by the credentialing fabric. Common choices include Ed25519, ECDSA P-256, and post-quantum candidates such as Dilithium for forward-looking deployments. The choice is a mesh-policy configuration; relay nodes negotiate algorithm support during credential admission.

The compaction policy is parameterized by a retention rule. Strict-bound meshes drop payloads exceeding depth. Sliding-window meshes preserve origin plus most-recent-N-minus-one. Origin-preserving compaction always retains the originating entry, since downstream observers require origin authentication regardless of path completeness. The retention rule is itself a credentialed configuration and is recorded in the truncated entry's metadata so downstream observers can detect compaction.

The ring-detection window is the same as the hop-history depth. Repetition of a credential identifier within the bounded window is the ring signal. Detection produces an observation that may be consumed by routing logic, by intrusion-detection logic, or by forensic-replay infrastructure.

Alternative Embodiments

In a position-bearing embodiment, relay nodes that hold credentialed-position attestations include their position in the hop-record entry. Downstream observers reconstruct not just the topological path but the geographic trajectory of the payload. This embodiment supports geofence-based admissibility (admit messages whose path stays within a specified region) and adversarial-relay localization (correlate signature failures with geographic clusters of compromised relays).

In a quorum-relay embodiment, the mesh requires every payload to traverse at least M out of N designated quorum relays, each of which appends a quorum-witness signature in addition to its standard hop record. Downstream admissibility verifies the quorum-witness signatures, providing an architectural counterpart to multi-party endorsement protocols.

In a privacy-preserving embodiment, relay credential identifiers are replaced with credentialed pseudonyms whose binding to the underlying device is held by an admitted credentialing authority. Path reconstruction by ordinary observers reveals only the pseudonym chain; full path attribution requires the authority's cooperation. This embodiment supports forensic capability without exposing routine routing decisions to adversarial intelligence.

In an aggregated-signature embodiment, the hop-record signatures are combined under a multi-signature scheme — BLS aggregation, for instance — that compresses N hop signatures into a single constant-size aggregate. The aggregate retains tamper-evidence but reduces hop-history bandwidth. Path reconstruction still recovers the credential identifiers; only the signatures are aggregated.

In a mobile-mesh embodiment, hop-record entries include a credentialed-velocity attestation alongside the credentialed-position attestation. Downstream observers reconstruct not just the path but the kinematic state of the relays at the moment of relay, supporting mobile-network analytics and adversarial-mobility detection.

In a degraded-credential embodiment, relay nodes whose credentials are temporarily suspended or whose credentialing root is unavailable append entries marked as unverified. Downstream admissibility may admit the payload at reduced trust, may require quorum supplementation, or may reject. The embodiment makes degraded operation a first-class case rather than a failure case.

Composition

Hop-history relay is the lowest-layer primitive on which a wide range of higher-layer functions depend. Each higher-layer function consumes the hop history through a structurally identical interface — read the verified path, read the tamper-evidence verdict, read the ring-detection verdict — and emits its own observation through the credentialed observation framework. The composition is therefore both vertical, between layers, and horizontal, across functions at the same layer.

Hop-history relay composes with the credentialing fabric, with the spatial-mesh substrate, with adaptive routing logic, with intrusion-detection observation streams, with operator-intent admissibility, and with offline forensic-replay infrastructure. Each composition consumes the hop history as a verified observation about the path and emits its own observation about the consequences.

Adaptive routing consumes path-reconstructed observations to weight future routing decisions; routes whose hop histories show consistent integrity gain weight, routes with frequent tampering or ring incidence lose weight. Intrusion-detection consumes ring-detection and tamper-detection observations as primary signals. Operator-intent admissibility may forbid actions based on observations whose hop history intersects an adversarial credential set. Forensic replay reconstructs the path days or months after the event, since the hop history is reproducible from any persisted copy of the payload.

Prior-Art Distinction

IP-layer record-route options append hop addresses but do not sign them; modification by intermediate nodes is undetectable. Onion-routing protocols protect path confidentiality but do not produce tamper-evident path records observable by the receiving endpoint. BGPsec protects route announcements between routing peers but does not annotate transiting payloads with a verifiable hop history. Mesh-network forensics tools reconstruct paths post-hoc from logs collected at relays, requiring centralized log aggregation and trusting the relay logs themselves.

The architecture disclosed here annotates each payload with an in-band, cumulatively signed, bounded hop-history record. Path reconstruction, tamper detection, and ring detection are first-class capabilities of the receiving endpoint, requiring no out-of-band log collection and no trust in any single relay. The disclosure is owned by the provisional patent application 64/049,409.

Disclosure Scope

The disclosure covers any mesh-relay system in which transiting payloads accumulate a bounded, cumulatively signed hop-history record annotated by each relay node, in which the receiving endpoint reconstructs the path by walking the record, and in which signature-chain validation and credential-repetition inspection produce tamper-evidence and ring-detection observations as architectural primitives. Defense, expeditionary, sovereign-AI, regulated-industrial, agricultural, vehicular-mesh, and consumer embodiments are all within scope. The disclosure is independent of the specific signature algorithm, the specific physical substrate, and the specific routing logic.

The disclosure further covers compositions in which multiple physical substrates are bridged by a single relay — a node that ingests on a radio interface and re-emits on an optical link, for example. Bridging relays append a single hop-record entry that carries both the ingress and egress channel metadata, preserving cross-substrate path continuity in the verifiable record. Cross-administrative-domain bridging is similarly covered: a relay that crosses from one mesh's credentialing root to another's appends an entry that includes both root identifiers, and downstream observers reconstruct the inter-domain path with full attribution.

The load-bearing claims are the in-band annotation, the cumulative signature chain, the bounded depth, and the receiver-local reconstruction. Any system that satisfies all four properties falls within the disclosure regardless of whether it is described as mesh-routing, multi-hop authentication, chain-of-custody messaging, provenance-bearing transit, or audit-grade relay. Compositions that defer signing to a trusted aggregator, that perform path reconstruction at a centralized analyzer rather than at the receiving endpoint, or that omit the bounded-depth construction lack one or more of the load-bearing claims and are not the subject of this disclosure. The provisional 64/049,409 owns the primitive at the layer at which mesh forensics, adaptive routing, and ring detection share a single architectural substrate, and the disclosure spans every embodiment that exercises that primitive.