Parsimoni Demonstrates First Post-Quantum Satellite Protocol in Orbit
The Borealis project has successfully booted a pure OCaml CCSDS protocol stack in low Earth orbit, marking the first public demonstration of post-quantum Over-The-Air Rekeying (OTAR) on a hosted satellite platform.
On 23 April, the Borealis project, developed by Parsimoni, successfully booted a pure OCaml CCSDS protocol stack in low Earth orbit aboard DPhi Space's ClusterGate-2 payload module. The system features end-to-end encryption and post-quantum key rotation using ML-DSA-65, with Over-The-Air Rekeying (OTAR) capabilities. This deployment represents the first public in-orbit demonstration of post-quantum OTAR, addressing security risks associated with shared satellite hardware and untrusted code execution.
The implementation utilises OxCaml, a compiler branch of OCaml maintained by Jane Street, to optimise performance. This approach reduced p99.9 latency from 29 ns to 9 ns per packet and eliminated garbage collection pressure on the dispatch hot path. The satellite-side software runs as a guest on an Arm SoC with four Cortex-A53 cores and 4 GB RAM, operating within a Linux environment. The flight binary is statically linked and packaged as a FROM scratch Docker image, ensuring a minimal attack surface.
Security is critical in hosted-payload environments where multiple tenants share a single bus. The Borealis system treats the filesystem upload and download via DPhi's API as a delay-tolerant network. Data is serialised into BPv7 bundles wrapped in BPSec for encryption and authentication. This cryptographic envelope ensures that the satellite operator sees only opaque bundle bytes, preventing the routing path from reading, modifying, or forging contents. This design mitigates risks from kernel-level vulnerabilities that could otherwise break tenant boundaries on shared hardware.
The project addresses the long-term threat model of space missions, where post-quantum command authentication is increasingly viewed as a requirement rather than a future option. OTAR allows for the rotation of post-quantum signing keys without re-flashing the satellite, a crucial capability for missions lasting ten to fifteen years. The core libraries originate from MirageOS, which has been in production on the ground for a decade, providing a robust foundation for this orbital demonstration.
Parsimoni plans to exercise the post-quantum key rotation on a later satellite pass. The team highlights that while hardware delivery to orbit is becoming routine, the software stack running on it presents the more complex challenges. By leveraging OCaml’s type system and OxCaml’s performance features, the project aims to provide a safe, predictable, and high-performance solution for future satellite communications.
