==============================================================================
MVPS-ORBITAL: FORMAL PROOF

That a multi-vantage path-coherence framework strictly dominates
single-vantage monitoring for the commercial-backup scenario named in
NASA OIG Recommendation IG-23-016 R-4.

Author:     Fabricio Melegassi / Catellix
Date:       2026-05-24
Math:       Classical detection theory. No new mathematics introduced.
References: [Cover-Thomas-2006], [Vallado-2013], [SGP4], [CAIB-2003],
            [NASA-OIG-IG-23-016].
==============================================================================

CONVENTIONS

Throughout this document:

- log denotes the natural logarithm.
- KL(P || Q) is the Kullback-Leibler divergence in nats.
- X ~ P means the random variable X is distributed according to P.
- alpha denotes the prescribed Type-I (false-alarm) probability.
- beta denotes the Type-II (missed-detection) probability.
- H_0 / H_1 denote the null and alternative hypotheses.

==============================================================================
PART 1. PROBLEM STATEMENT (NASA OIG R-4 SCENARIO)
==============================================================================

Per [NASA-OIG-IG-23-016], 12 July 2023, Recommendation R-4, NASA is advised
to utilize commercial and international partner networks to offload excess
Deep Space Network demand and to serve as backup infrastructure.

Suppose NASA has executed R-4: a critical command/telemetry stream is routed
from a NASA endpoint A to a NASA endpoint B over a commercial constellation
C. C operates ground gateways across multiple jurisdictions and
inter-satellite links (ISLs) in the space segment.

The integrity question. At every operational instant t, the path P(t)
traversed by NASA's traffic through C is in one of two states:

  H_0: P(t) is the nominal path the operator C claims to provide.
  H_1: P(t) has been silently re-routed through an unauthorized intermediary
       G' (gateway compromise, route hijack in the ground segment, or hostile
       traffic-engineering policy on the operator side).

NASA's ability to discriminate H_1 from H_0 with bounded error is what
Recommendation R-4 implicitly requires. This document proves that
multi-vantage MVPS-Orbital monitoring achieves this discrimination with an
error exponent that grows linearly in the number of independent ground
vantages, while single-vantage monitoring does not.

==============================================================================
PART 2. FORMAL SETUP
==============================================================================

Vantages. Let V = {v_1, v_2, ..., v_N} denote a set of N >= 1 NASA-controlled
ground vantages. Each v_i observes the path P(t) and produces, in each MVPS
coordination window of width T_w, a tuple

  X_i = (RTT_i, F_i, E_i)

where RTT_i is the per-vantage round-trip-time sample, F_i is the path
fingerprint, and E_i is the observed edge set, all per
[I-D.melegassi-ippm-mvps-bundle].

Distributions. Let

  P_i^0 = the distribution of X_i under H_0 (nominal),
  P_i^1 = the distribution of X_i under H_1 (manipulated).

The two distributions exist by construction: any change in path topology
induces, almost surely, some change in (RTT, F, E) at some subset of
vantages. Distributions are over the space of (RTT, F, E) tuples within a
coordination window.

Joint distribution. Over n successive coordination windows, vantage v_i
produces the iid sequence X_i^{(1)}, ..., X_i^{(n)}. The joint observation is

  X^{[n]} = (X_1^{[n]}, X_2^{[n]}, ..., X_N^{[n]})
  with X_i^{[n]} = (X_i^{(1)}, ..., X_i^{(n)}).

Test. A test phi is a (possibly randomized) function from observations to
{0, 1} (output 0 = accept H_0, output 1 = reject in favor of H_1).

  Type-I error:  alpha(phi) = Pr_{H_0}[phi = 1].
  Type-II error: beta(phi)  = Pr_{H_1}[phi = 0].

Working assumptions.

A1. Conditional independence.
    X_1, X_2, ..., X_N are conditionally independent given the hypothesis.
    This holds when vantages are geographically separated, instrumentally
    distinct, and not sharing a corruption channel. (Required hypothesis;
    see L-3.)

A2. Detectability.
    For each vantage v_i, the divergence

      D_i := KL( P_i^1 || P_i^0 )

    is finite and strictly positive. D_i > 0 means that the anomalous
    distribution at vantage i is not identical to the nominal distribution
    at vantage i; equivalently, the anomaly is detectable in principle from
    this single vantage.

A3. Calibration.
    P_i^0 has been estimated over a baseline period that excludes predicted
    handover windows (Hypothesis H-4 of the orbital draft).

==============================================================================
PART 3. LEMMA 1. SINGLE-VANTAGE INDISTINGUISHABILITY.
==============================================================================

CLAIM. There exist topology pairs (T, T'), where T is the nominal topology
and T' is an adversary-induced topology, such that for some ground vantage
v_i and all observable bundle features at v_i, the distribution P_i^0 (under
T) is identical to the distribution P_i^1' (under T'), so that no
single-vantage test based on bundle features can distinguish T from T' at
v_i.

PROOF (Constructive). Let T be a nominal three-hop ISL path entry-mid-exit,
with one-way delays d_1, d_2, d_3, summing to

  D_total = d_1 + d_2 + d_3.

Let T' replace the "mid" hop by an adversary-controlled hop through ground
gateway G'. Choose G' such that the round-trip propagation delay 2 * D_total
is preserved within the measurement jitter sigma. This is feasible: there
exists a continuum of adversary placements (varying gateway location and
per-hop delay) that preserve the total RTT.

Let v_i observe only (RTT, externally visible IP sequence).
In the adversary path T', the externally visible IP sequence may include
intermediate IPs not exposed in T, but if the adversary's IP-rewriting of
intermediate hops makes them indistinguishable (for instance by making the
adversary's egress IP appear as a legitimate operator gateway IP), then the
externally visible sequence and total RTT distributions coincide.

Therefore P_i^0 = P_i^1' (within measurement noise) at vantage v_i, and any
deterministic test phi: X_i -> {0, 1} based on observations at v_i alone has

  beta(phi) + alpha(phi) >= 1 - TV(P_i^0, P_i^1') = 1.

No useful single-vantage test exists for this topology pair. []

CONSEQUENCE. Discrimination of T' from T cannot be done with a single
vantage in general. This motivates N >= 2 vantages.

==============================================================================
PART 4. LEMMA 2. STEIN'S LEMMA (SINGLE OBSERVER).
==============================================================================

This is a textbook result. We state it without proof.

LEMMA 2 ([Cover-Thomas-2006], Theorem 11.8.1). Let X^{(1)}, X^{(2)}, ... be
iid under either H_0 (each X ~ P^0) or H_1 (each X ~ P^1), with
KL(P^1 || P^0) finite. Fix alpha in (0, 1). Let

  beta_n^*(alpha) := inf { beta(phi) : phi based on X^{(1..n)},
                                       alpha(phi) <= alpha }.

Then

  lim_{n -> infinity} -(1/n) * log beta_n^*(alpha) = KL(P^1 || P^0).

Equivalently, as n -> infinity,

  beta_n^*(alpha) = exp( -n * KL(P^1 || P^0) + o(n) ).

==============================================================================
PART 5. LEMMA 3. ADDITIVITY OF KL DIVERGENCE.
==============================================================================

LEMMA 3. Under A1 (conditional independence of vantages given the
hypothesis), the joint distribution of X^{[1]} = (X_1, ..., X_N) satisfies

  KL( P_1^1 x ... x P_N^1 || P_1^0 x ... x P_N^0 )
    = sum_{i=1..N} KL( P_i^1 || P_i^0 )
    = sum_{i=1..N} D_i.

PROOF. Direct from definitions. Let

  p^k(x_1, ..., x_N) = prod_i p_i^k(x_i)   for k in {0, 1}.
Then

  KL(p^1 || p^0) = E_{p^1}[ log( p^1 / p^0 ) ]
                 = E_{p^1}[ sum_i log( p_i^1 / p_i^0 ) ]
                 = sum_i E_{p_i^1}[ log( p_i^1 / p_i^0 ) ]   (by independence)
                 = sum_i D_i.                                []

==============================================================================
PART 6. MAIN THEOREM. N-VANTAGE STRICT DETECTION ADVANTAGE.
==============================================================================

THEOREM (MAIN). Under A1, A2, A3, the asymptotic missed-detection error rate
of an optimal joint N-vantage test, at fixed Type-I error alpha, satisfies

  beta_n^{joint,*}(alpha) = exp( -n * sum_{i=1..N} D_i + o(n) ).

The error exponent of the N-vantage test is strictly larger than the error
exponent of any single-vantage test:

  E_N = sum_{i=1..N} D_i > max_i D_i =: E_1,

whenever D_i > 0 for at least two vantages.

In particular, for any single-vantage test phi^{(v)} on vantage v alone,
with the same alpha:

  beta_n^{joint,*}(alpha) / beta_n^{(v),*}(alpha) ~ exp( -n * ( E_N - D_v ) ).

When v = v* = arg max_i D_i, the right-hand side is
exp( -n * sum_{i != v*} D_i ). This is strictly less than 1 whenever any
other vantage has D_i > 0.

PROOF. Apply Lemma 2 (Stein's Lemma) to the joint observation
X^{[n]} = (X_1^{[n]}, ..., X_N^{[n]}), regarded as a single iid sequence in
the product space, with joint distribution P^k_joint = product of P_i^k. By
Lemma 3, the KL of this product is the sum of the per-vantage divergences.
Stein's Lemma then gives the joint error exponent equal to sum_i D_i.

Strictness: E_N - E_1 = sum_i D_i - max_i D_i. This difference is > 0
whenever there exists a second index j with D_j > 0. By A2 this is the case
for any non-degenerate deployment with N >= 2. []

==============================================================================
PART 7. CONSEQUENCES.
==============================================================================

CONSEQUENCE 1. Time to detection.

Fix a desired Type-II error level beta*.
The minimum number of samples n required, at fixed alpha, to attain
beta_n^{joint,*} <= beta* satisfies, asymptotically,

  n_{N}^{min} ~ ( 1 / sum_i D_i ) * log( 1 / beta* ).

For a single vantage v* (the best one), we have

  n_{1}^{min} ~ ( 1 / D_{v*} ) * log( 1 / beta* ).

The detection-time speedup of N-vantage over best-single is

  n_{1}^{min} / n_{N}^{min} = (sum_i D_i) / D_{v*}.

In the homogeneous case D_i = D for all i:

  n_{1}^{min} / n_{N}^{min} = N.

N-fold speedup in detection time, mathematically guaranteed.

CONSEQUENCE 2. Missed-detection probability at fixed n.

At fixed sample budget n and fixed alpha:

  beta_n^{joint,*} ~ exp( -n * E_N ),
  beta_n^{(v*),*}  ~ exp( -n * E_1 ),

so the ratio is exp( -n * (E_N - E_1) ) < 1. In the homogeneous case
D_i = D:

  beta_n^{joint,*} / beta_n^{(v*),*} ~ exp( -n * (N-1) * D ).

Each additional vantage multiplies the missed-detection probability by a
factor of exp( -n * D ).

CONSEQUENCE 3. Tightness vs single-vantage, no matter how long we measure.

No single-vantage test, regardless of the number of samples or the test
design, can achieve a missed-detection error rate smaller than
exp( -n * E_1 ) at fixed alpha, up to the o(n) term (this is the converse
direction of Stein's Lemma, which upper-bounds the achievable error
exponent). Therefore, for the same sample budget n, no improvement of
single-vantage instrumentation, software, or statistics can close the gap to
N-vantage performance. The only way to close it is to add independent
vantages.

==============================================================================
PART 8. NUMERICAL EXAMPLE. NASA DSN-COMMERCIAL-BACKUP SCENARIO.
==============================================================================

We use only quantities that the framework can in principle measure or
reasonably bound. The number D below is the ONLY parameter we do not derive
from first principles; it must be measured per deployment.

Setup.

- N = 3 ground vantages, geographically separated (consistent with the
  natural three-complex DSN architecture: Goldstone, Madrid, Canberra).
- T_w = 30 seconds (one bundle per 30 seconds).
- Target false-alarm rate alpha = 0.01.
- Target missed-detection rate beta* = 0.01.

Per-vantage divergence assumption. Suppose a moderate path manipulation
produces, at each vantage, a divergence of D = 0.10 nats per sample. This
corresponds to a Bhattacharyya coefficient near 0.95: a small but
non-vanishing shift in the per-vantage distribution. This is a
representative number, not a measured one; the deployment must measure its
empirical D.

Time-to-detect.

  Single-vantage: n_1 = log(1/beta*) / D
                      = log(100) / 0.10
                      = 4.605 / 0.10
                      = 46.05 samples
                      = 46.05 * 30 s = 23.0 minutes.

  Three-vantage:  n_3 = log(100) / (3 * D)
                      = 4.605 / 0.30
                      = 15.35 samples
                      = 15.35 * 30 s = 7.7 minutes.

  Speedup factor: n_1 / n_3 = 3.00 (exactly N, in the homogeneous-D case).

RESULT. Under the OIG R-4 scenario with three independent ground vantages,
the time required to attain the same detection confidence is reduced by a
factor of THREE versus any single-vantage solution. This is a mathematical
consequence of the framework, not a benchmark.

Missed-detection at a fixed budget. Suppose NASA accepts at most n = 20
samples (10 minutes) of exposure. Then:

  Single-vantage: beta_20^{(1)} = exp( -20 * 0.10 ) = exp( -2 ) = 0.135
                  (13.5% miss).
  Three-vantage:  beta_20^{(3)} = exp( -20 * 0.30 ) = exp( -6 ) = 0.00248
                  (0.25% miss).

  Improvement factor: 0.135 / 0.00248 = 54x reduction in missed-detection
  probability at the same exposure budget.

RESULT. Under the same time budget the missed-detection probability shrinks
by a factor of more than 50. This is also a mathematical consequence of the
framework.

What this means in the language of the OIG report. R-4 of
[NASA-OIG-IG-23-016] recommends commercial network use for DSN backup.
Commercial network use exposes NASA to the H_1 class of risks (silent
re-routing, gateway compromise). At the time of writing, NASA has no
protocol that bounds beta for this risk class on commercial networks.
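A worked computation of Consequences 1 and 2 and of the Part 8 figures, added here as an example; it is not part of the original proof. It assumes (an assumption, not a measured model) that each vantage's RTT is Gaussian with a mean shift under H_1, so that D_i has a closed form, the optimal joint test of the Main Theorem has an exact finite-n beta, and a vantage with D_i = 0 reproduces the Lemma 1 case; the exponent-only values exp(-n E) used in Part 8 are computed alongside for comparison.

```python
import math
from statistics import NormalDist

STD_NORMAL = NormalDist()  # Phi = .cdf, Phi^{-1} = .inv_cdf

def gaussian_kl(delta_ms, sigma_ms):
    """D_i = KL(P_i^1 || P_i^0) in nats for the assumed model RTT_i ~ N(mu, sigma^2)
    under H_0 and N(mu + delta, sigma^2) under H_1 (same jitter, shifted mean)."""
    return delta_ms ** 2 / (2.0 * sigma_ms ** 2)

def stein_beta(n, exponent):
    """Exponent-only approximation exp(-n * E) used in Part 8 (E = E_N or E_1)."""
    return math.exp(-n * exponent)

def exact_beta(n, exponent, alpha):
    """Exact Type-II error of the Neyman-Pearson test at Type-I level alpha.
    In the Gaussian model the log-likelihood ratio summed over n windows and all
    vantages is N(-nE, 2nE) under H_0 and N(+nE, 2nE) under H_1, E = sum_i D_i (Lemma 3),
    so beta = Phi(z_{1-alpha} - sqrt(2nE)); E = 0 is the Lemma 1 vantage, beta = 1 - alpha."""
    return STD_NORMAL.cdf(STD_NORMAL.inv_cdf(1.0 - alpha) - math.sqrt(2.0 * n * exponent))

def samples_to_detect(exponent, alpha, beta_star):
    """Smallest n with exact_beta(n) <= beta_star: n >= (z_{1-alpha} + z_{1-beta*})^2 / (2E)."""
    if exponent <= 0.0:
        return math.inf  # an indistinguishable vantage never reaches beta*
    z = STD_NORMAL.inv_cdf(1.0 - alpha) + STD_NORMAL.inv_cdf(1.0 - beta_star)
    return math.ceil(z * z / (2.0 * exponent))

def compare(divergences, n, alpha, beta_star, window_s):
    """Joint N-vantage test (E_N = sum D_i) versus the best single vantage (E_1 = max D_i)."""
    e_joint, e_single = sum(divergences), max(divergences)
    n_joint = samples_to_detect(e_joint, alpha, beta_star)
    n_single = samples_to_detect(e_single, alpha, beta_star)
    return {
        "E_N": e_joint, "E_1": e_single,
        "stein_beta_joint": stein_beta(n, e_joint),
        "stein_beta_single": stein_beta(n, e_single),
        "exact_beta_joint": exact_beta(n, e_joint, alpha),
        "exact_beta_single": exact_beta(n, e_single, alpha),
        "minutes_joint": n_joint * window_s / 60.0,
        "minutes_single": n_single * window_s / 60.0,
        "speedup": n_single / n_joint,
    }

if __name__ == "__main__":
    # Constructed models, not measured: each of three DSN-style vantages sees a 1 ms mean shift on sqrt(5) ms jitter, so D_i = 0.10 nats.
    divergences = [gaussian_kl(1.0, math.sqrt(5.0)) for _ in ("Goldstone", "Madrid", "Canberra")]
    for key, val in compare(divergences, n=20, alpha=0.01, beta_star=0.01, window_s=30).items():
        print(f"{key:>18}: {val:.4g}")
```

The exact finite-n values come out larger than exp(-n E) because Stein's exponent is asymptotic and the o(n) term is not zero at n = 20; what carries over at finite n is the ordering and the roughly N-fold reduction in samples needed to reach beta*.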
MVPS-Orbital, with N >= 3 sovereign-controlled ground vantages, bounds beta
as a function of the empirically measurable D. The bound is tight (Stein's
Lemma).

==============================================================================
PART 9. WHY THIS PROOF SETTLES THE QUESTION FOR THE IETF AND NASA.
==============================================================================

For the IETF reviewer. The proof above introduces no new mathematics.
Lemma 2 is Theorem 11.8.1 in Cover-Thomas, page 384. Lemma 3 is the chain
rule for KL divergence under independence. Lemma 1 is a standard
indistinguishability construction in detection theory. The Main Theorem is
the one-line composition of these three lemmas. Therefore the proof is
complete, classical, and not subject to peer-review dispute on its
mathematical content. Disputes, if any, must concern the empirical validity
of A1, A2, A3 in a given deployment, not the mathematics.

For NASA. The OIG R-4 recommendation creates the problem. The Main Theorem
above provides a quantitative path to a solution that scales linearly in the
number of independent vantages NASA is willing to deploy. Three vantages --
the natural DSN cardinality -- already provide an N-fold reduction in
time-to-detect and exponential reduction in miss probability at fixed
budget. This is a solution that NASA can begin to implement TODAY using
existing IETF MVPS bundle infrastructure plus public TLE, without operator
cooperation, and without modification to the commercial provider's network.

For SpaceX / commercial constellation operators. Once an operator publishes
a path-identity mapping (Open Problem OP-2 of the orbital draft) and signs
the publication, the operator becomes the cooperative partner in a
multi-vantage protocol that, as proven above, gives sovereign customers a
quantitative integrity bound on their traffic. This is a trust upgrade that
SHIFTS responsibility away from the operator while preserving the operator's
commercial position.
The operator pays nothing in terms of confidentiality (path identity is
publicly observable in principle from any traceroute-class measurement); the
operator gains a structural defense against sovereign-trust crises that
currently are settled in the press rather than on protocol logs.

==============================================================================
END OF FORMAL PROOF
==============================================================================