<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
<rfc
  xmlns:xi="http://www.w3.org/2001/XInclude"
  category="info"
  docName="draft-bezerra-anchors-command-provenance-00"
  ipr="trust200902"
  obsoletes=""
  updates=""
  submissionType="independent"
  xml:lang="en"
  tocInclude="true"
  tocDepth="4"
  symRefs="true"
  sortRefs="true"
  version="3">

  <front>
    <title abbrev="Anchors">
      Anchors: Post-Quantum Command Provenance for
      Autonomous Machine Links
    </title>

    <seriesInfo name="Internet-Draft"
                value="draft-bezerra-anchors-command-provenance-00"/>

    <author fullname="Cleiton Augusto Correa Bezerra" initials="C." surname="Bezerra">
      <organization>Independent Researcher</organization>
      <address>
        <postal>
          <country>Brazil</country>
        </postal>
        <email>augusto.cleiton@gmail.com</email>
        <uri>https://github.com/cleitonaugusto/CleitonQ</uri>
      </address>
    </author>

    <date year="2026" month="July" day="3"/>

    <area>Security</area>
    <workgroup>Individual Submission</workgroup>

    <keyword>post-quantum cryptography</keyword>
    <keyword>command provenance</keyword>
    <keyword>non-repudiation</keyword>
    <keyword>autonomous systems</keyword>
    <keyword>audit</keyword>
    <keyword>tamper-evident logging</keyword>
    <keyword>ML-DSA</keyword>
    <keyword>ML-KEM</keyword>
    <keyword>UAS security</keyword>
    <keyword>AI agents</keyword>

    <abstract>
      <t>
        Autonomous machines such as uncrewed aircraft, ground robots, and
        spacecraft execute commands issued by human operators and,
        increasingly, by AI agents.  When an incident occurs, no independent
        evidence exists of which commands the machine received: conventional
        logs are mutable by the operating party, symmetric message
        authentication codes cannot demonstrate origin to a third party,
        and records signed with elliptic-curve cryptography lose their
        evidentiary value once cryptographically relevant quantum computers
        exist.
      </t>
      <t>
        This document defines the Anchor: a post-quantum digital signature
        over a compact commitment to a window of authenticated machine
        traffic.  An anchor chain constitutes a tamper-evident,
        non-repudiable record of what a machine was commanded to do and what
        it reported back, verifiable by any third party without trusting the
        operator, without network access at recording time, and with
        security that survives the quantum transition.  The construction is
        protocol-agnostic and is designed for bandwidth-constrained links
        where per-message post-quantum signatures are impractical.
      </t>
    </abstract>
  </front>

  <middle>

    <section anchor="introduction">
      <name>Introduction</name>
      <t>
        Command-and-control (C2) links for autonomous machines increasingly
        require two distinct security services that current deployments
        conflate or omit:
      </t>
      <ol>
        <li>
          <em>Real-time authentication</em>: the machine must verify, at
          line rate, that each received command originates from an
          authorized party.  Symmetric constructions (HMAC) satisfy this
          within tight bandwidth and latency budgets.
        </li>
        <li>
          <em>Durable provenance</em>: after the fact, parties other than
          the operator -- insurers, accident investigators, regulators,
          courts -- must be able to verify which commands the machine
          received and which telemetry it emitted.  Symmetric constructions
          cannot provide this service: either session party could have
          generated any message, so proof to a third party is impossible.
        </li>
      </ol>
      <t>
        Per-message digital signatures would provide both services but are
        impractical on constrained links when post-quantum signature sizes
        are considered: an ML-DSA-87 signature <xref target="FIPS204"/> is
        4627 bytes, which at a 100 Hz telemetry rate implies 3.7 Mbit/s of
        signature traffic alone -- exceeding the total budget of most
        deployed C2 radio links by two orders of magnitude.
      </t>
      <t>
        This document specifies a construction, the Anchor, that decouples
        the two services: symmetric per-message authentication at line rate,
        plus one post-quantum signature per window of traffic that converts
        the accumulated symmetric authenticators into third-party-verifiable
        evidence.  Per-message overhead remains constant regardless of
        window size.
      </t>
      <t>
        The underlying problem of deploying authentication extensions
        across relay-mediated protocol stacks (MAVLink v2, ROS2/DDS,
        CAN/AUTOSAR) is documented in
        <xref target="I-D.bezerra-relay-auth-transparency"/>.  This document
        addresses the complementary question: once messages are
        authenticated, how is durable, quantum-resistant evidence of the
        traffic produced within the same link budget?
      </t>
    </section>

    <section anchor="terminology">
      <name>Conventions and Terminology</name>
      <t>
        The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>",
        "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>",
        "<bcp14>SHALL NOT</bcp14>", "<bcp14>SHOULD</bcp14>",
        "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>",
        "<bcp14>NOT RECOMMENDED</bcp14>", "<bcp14>MAY</bcp14>", and
        "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
        described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/>
        when, and only when, they appear in all capitals, as shown here.
      </t>
      <dl>
        <dt>Window:</dt>
        <dd>
          A contiguous sequence of authenticated messages delimited by a
          maximum message count W and a maximum duration T, whichever bound
          is reached first.
        </dd>
        <dt>Commitment:</dt>
        <dd>
          A cryptographic hash over the ordered concatenation of the MAC
          tags of all messages in a window.
        </dd>
        <dt>Anchor:</dt>
        <dd>
          A record comprising window metadata, the window commitment, and a
          post-quantum digital signature over both.
        </dd>
        <dt>Anchor chain:</dt>
        <dd>
          The ordered sequence of anchors emitted over a session or mission,
          linked by monotonic anchor sequence numbers.
        </dd>
        <dt>Auditor:</dt>
        <dd>
          Any party, possibly adversarial to the operator, that verifies an
          anchor chain after the fact.
        </dd>
      </dl>
    </section>

    <section anchor="gap">
      <name>The Accountability Gap</name>
      <section anchor="gap-logs">
        <name>Mutable Logs</name>
        <t>
          Flight logs and command histories are files under the operator's
          control.  In a liability dispute, the party producing the log is
          the party with both the motive and the means to alter it.  A log
          format without cryptographic binding to the traffic it claims to
          record has no evidentiary weight beyond the operator's testimony.
          Regulatory frameworks increasingly require more: high-risk AI
          systems, including AI safety components of regulated machinery,
          are required to automatically record events over their lifetime
          in a manner that enables post-hoc reconstruction of individual
          decisions <xref target="EU-AI-ACT"/>.
        </t>
      </section>
      <section anchor="gap-mac">
        <name>Authentication Without Non-Repudiation</name>
        <t>
          Symmetric MACs -- including quantum-resistant constructions such
          as HMAC with SHA-3 <xref target="FIPS202"/> -- prove authenticity
          only to the holder of the session key.  Because both session
          parties hold the same key, a MAC-authenticated archive proves
          nothing to an auditor: the operator could have fabricated the
          entire archive after the fact.
        </t>
      </section>
      <section anchor="gap-quantum">
        <name>Quantum-Expiring Evidence</name>
        <t>
          Records signed with ECDSA or EdDSA -- including records anchored
          to distributed ledgers, which inherit the elliptic-curve
          signatures of their underlying platforms -- become forgeable when
          a cryptographically relevant quantum computer exists.  Machines
          entering service today operate for one to three decades; their
          evidence trails must remain verifiable for at least as long,
          including for incidents litigated years after recording.
          Evidence whose integrity guarantee expires before the statute of
          limitations is structurally inadequate.  National guidance already
          mandates the transition away from quantum-vulnerable algorithms
          for security systems <xref target="CNSA2"/>.
        </t>
      </section>
      <section anchor="gap-agents">
        <name>AI Agents as Command Issuers</name>
        <t>
          When commands originate from AI agents rather than human
          operators, the provenance question acquires a second dimension:
          not only whether the machine received a given command, but which
          identity -- human or agent -- issued and authorized it.  Existing
          agent-authorization mechanisms bind tokens to software API calls;
          they do not extend to the physical machine boundary and do not
          employ post-quantum cryptography.  An anchor chain over the
          machine link records the authenticated command stream at exactly
          that boundary, regardless of whether the issuer was human or
          machine.
        </t>
      </section>
    </section>

    <section anchor="construction">
      <name>The Anchor Construction</name>
      <t>
        The construction assumes an established authenticated channel in
        which each message i carries a MAC tag mac_i computed with a session
        key (for example, established via ML-KEM-1024
        <xref target="FIPS203"/> and authenticated with HMAC-SHA3-256).
      </t>
      <sourcecode type="pseudocode"><![CDATA[
Given a window of n authenticated messages with MAC tags
mac_0 ... mac_{n-1}:

  commitment = H( mac_0 || mac_1 || ... || mac_{n-1} )

  anchor = ( metadata,
             commitment,
             Sig_sk( metadata || commitment ) )

where:
  H        = SHA3-256                      [FIPS202]
  Sig      = ML-DSA-87                     [FIPS204]
  metadata = anchor sequence number,
             window start identifier,
             window end identifier,
             message count
]]></sourcecode>
      <t>
        Window closure is governed by two parameters: W, the maximum number
        of messages per window, and T, the maximum window duration.  An
        anchor <bcp14>MUST</bcp14> be emitted when either bound is reached.
        The anchor sequence number <bcp14>MUST</bcp14> be strictly
        monotonic; a verifier <bcp14>MUST</bcp14> reject an anchor whose
        sequence number does not exceed that of the last verified anchor.
      </t>
      <t>
        The signer retains no per-message state beyond the running MAC
        accumulation for the current window.  Per-message overhead on the
        link is the MAC tag plus framing (32-44 bytes in the instantiations
        of <xref target="instantiations"/>), independent of W.
      </t>
    </section>

    <section anchor="properties">
      <name>Properties</name>
      <dl>
        <dt>Tamper evidence:</dt>
        <dd>
          Alteration, insertion, or deletion of any message MAC in a window
          changes the commitment; the anchor signature no longer verifies.
        </dd>
        <dt>Non-repudiation:</dt>
        <dd>
          The ML-DSA-87 signature binds the window to the holder of the
          signing key.  Neither session party can later disclaim an
          anchored window.
        </dd>
        <dt>Third-party verifiability:</dt>
        <dd>
          Verification requires only the MAC sequence, the anchor records,
          and the public verifying key -- not the session key and not the
          operator's cooperation.
        </dd>
        <dt>Offline operation:</dt>
        <dd>
          Anchors are generated and stored locally.  No network connection,
          ledger, consensus mechanism, or external service is required at
          recording time, making the construction suitable for
          disconnected, intermittent, and low-bandwidth environments.
        </dd>
        <dt>Quantum durability:</dt>
        <dd>
          ML-DSA-87 (NIST security category 5) and SHA3-256 remain secure
          against known quantum attacks; the evidentiary value of an anchor
          chain does not expire with the quantum transition.
        </dd>
        <dt>Constrained-link fit:</dt>
        <dd>
          One signature amortized over a window keeps per-message overhead
          constant.  Amortized anchor cost at W=256 is approximately 18
          bytes per message; at W=4096, approximately 1.1 bytes.
        </dd>
      </dl>
      <t>
        The construction is deliberately not a distributed ledger: it
        requires no consensus, no replication, and no energy cost beyond
        one signature per window.  It provides evidence, not
        confidentiality; a confidentiality layer composes independently.
      </t>
    </section>

    <section anchor="instantiations">
      <name>Instantiations</name>
      <t>
        Two instantiations have been specified by the author.  Both use the
        construction of <xref target="construction"/>; they differ only in
        metadata fields and windowing policy.
      </t>
      <table anchor="instantiation-table">
        <name>Anchor Instantiations</name>
        <thead>
          <tr>
            <th></th>
            <th>High-Rate Telemetry (TAP)</th>
            <th>CCSDS Telecommand</th>
          </tr>
        </thead>
        <tbody>
          <tr>
            <td>Per-message overhead</td>
            <td>42 bytes</td>
            <td>44 bytes</td>
          </tr>
          <tr>
            <td>Window policy</td>
            <td>W=256 packets or T=10 s</td>
            <td>One ground contact window</td>
          </tr>
          <tr>
            <td>Anchor size</td>
            <td>4685 bytes</td>
            <td>4687 bytes (5 TC frames)</td>
          </tr>
          <tr>
            <td>Link budget fit</td>
            <td>48.2 kbit/s total at 100 Hz</td>
            <td>18.7 s at 2 kbit/s, once per pass</td>
          </tr>
        </tbody>
      </table>
      <t>
        Specifications for both instantiations are published in the
        repository referenced in the author's address block.  The same
        construction applies to ROS2/DDS topics and CAN buses; the
        relay-transparency considerations for those stacks are documented
        in <xref target="I-D.bezerra-relay-auth-transparency"/>.
      </t>
      <t>
        Session keys for the MAC layer are established via ML-KEM-1024
        <xref target="FIPS203"/>.  Signing-key revocation employs
        SLH-DSA-SHA2-128s <xref target="FIPS205"/> as a hash-based
        mechanism whose security is independent of lattice assumptions.
      </t>
    </section>

    <section anchor="verification">
      <name>Verification Model</name>
      <t>
        An auditor holding (1) the stored MAC sequence for the period in
        question, (2) the anchor records, and (3) the signer's ML-DSA-87
        verifying key -- distributed at provisioning time, for example
        through a documented key ceremony -- proceeds as follows:
      </t>
      <ol>
        <li>Partition the MAC sequence into windows according to the anchor
            metadata.</li>
        <li>Recompute each window commitment from the stored MACs.</li>
        <li>Verify each anchor signature over the recomputed commitment and
            metadata.</li>
        <li>Verify that anchor sequence numbers are strictly monotonic and
            gap-free for the claimed period.</li>
      </ol>
      <t>
        A verified anchor chain establishes that the recorded traffic is
        exactly what the signer authenticated at recording time.  The
        operator cannot retroactively insert, delete, or modify messages
        without breaking the chain.  Verification requires no live system
        and no trust in the party producing the archive.
      </t>
    </section>

    <section anchor="security">
      <name>Security Considerations</name>
      <dl>
        <dt>Signer compromise:</dt>
        <dd>
          An attacker holding the signing key can anchor forged windows
          from the moment of compromise onward.  Anchors emitted before the
          compromise remain valid evidence.  Deployments
          <bcp14>SHOULD</bcp14> provision a revocation mechanism; the
          instantiations referenced here use SLH-DSA-signed revocation
          certificates.
        </dd>
        <dt>Selective omission:</dt>
        <dd>
          An operator may withhold entire windows from an archive.  Because
          anchor sequence numbers are monotonic, gaps in the presented
          chain are themselves detectable and constitute evidence of
          omission.  An auditor <bcp14>MUST</bcp14> treat a gapped chain as
          an incomplete record.
        </dd>
        <dt>Commitment security:</dt>
        <dd>
          SHA3-256 provides 128-bit classical collision resistance.  Known
          quantum collision-search algorithms do not reduce this below
          practical security margins under realistic memory assumptions.
        </dd>
        <dt>Replay across sessions:</dt>
        <dd>
          Anchor metadata binds each window to session-scoped identifiers.
          A verifier <bcp14>MUST</bcp14> validate window boundary
          identifiers against the session context in addition to signature
          validity.
        </dd>
        <dt>Algorithm agility:</dt>
        <dd>
          The construction is parametric in H and Sig.  Migration to future
          signature standards changes the anchor format version, not the
          architecture.
        </dd>
      </dl>
    </section>

    <section anchor="iana">
      <name>IANA Considerations</name>
      <t>This document has no IANA actions.</t>
    </section>

  </middle>

  <back>
    <references>
      <name>References</name>
      <references>
        <name>Normative References</name>
        <reference anchor="FIPS202" target="https://doi.org/10.6028/NIST.FIPS.202">
          <front>
            <title>SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions</title>
            <author><organization>National Institute of Standards and Technology</organization></author>
            <date year="2015" month="August"/>
          </front>
          <seriesInfo name="NIST FIPS" value="202"/>
        </reference>
        <reference anchor="FIPS203" target="https://doi.org/10.6028/NIST.FIPS.203">
          <front>
            <title>Module-Lattice-Based Key-Encapsulation Mechanism Standard</title>
            <author><organization>National Institute of Standards and Technology</organization></author>
            <date year="2024" month="August"/>
          </front>
          <seriesInfo name="NIST FIPS" value="203"/>
        </reference>
        <reference anchor="FIPS204" target="https://doi.org/10.6028/NIST.FIPS.204">
          <front>
            <title>Module-Lattice-Based Digital Signature Standard</title>
            <author><organization>National Institute of Standards and Technology</organization></author>
            <date year="2024" month="August"/>
          </front>
          <seriesInfo name="NIST FIPS" value="204"/>
        </reference>
        <reference anchor="FIPS205" target="https://doi.org/10.6028/NIST.FIPS.205">
          <front>
            <title>Stateless Hash-Based Digital Signature Standard</title>
            <author><organization>National Institute of Standards and Technology</organization></author>
            <date year="2024" month="August"/>
          </front>
          <seriesInfo name="NIST FIPS" value="205"/>
        </reference>
        <reference anchor="RFC2119" target="https://www.rfc-editor.org/info/rfc2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author initials="S." surname="Bradner" fullname="S. Bradner"/>
            <date year="1997" month="March"/>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174" target="https://www.rfc-editor.org/info/rfc8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author initials="B." surname="Leiba" fullname="B. Leiba"/>
            <date year="2017" month="May"/>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
      </references>
      <references>
        <name>Informative References</name>
        <reference anchor="I-D.bezerra-relay-auth-transparency" target="https://datatracker.ietf.org/doc/draft-bezerra-relay-auth-transparency/">
          <front>
            <title>Authentication-Transparent Protocol Extensions in Middleware-Relayed Systems</title>
            <author initials="C." surname="Bezerra" fullname="Cleiton Augusto Correa Bezerra"/>
            <date year="2026" month="June"/>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-bezerra-relay-auth-transparency-00"/>
        </reference>
        <reference anchor="EU-AI-ACT" target="https://eur-lex.europa.eu/eli/reg/2024/1689/oj">
          <front>
            <title>Regulation (EU) 2024/1689 (Artificial Intelligence Act), Article 12: Record-keeping</title>
            <author><organization>European Parliament and Council</organization></author>
            <date year="2024" month="June"/>
          </front>
        </reference>
        <reference anchor="CNSA2" target="https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/3148990/">
          <front>
            <title>Commercial National Security Algorithm Suite 2.0</title>
            <author><organization>National Security Agency</organization></author>
            <date year="2022" month="September"/>
          </front>
        </reference>
      </references>
    </references>

    <section anchor="acknowledgements" numbered="false">
      <name>Acknowledgements</name>
      <t>
        This work builds on the relay-transparency analysis and the
        two-layer authentication protocols developed in the CleitonQ
        project.
      </t>
    </section>
  </back>
</rfc>
