PRIVATE.ME · Technical White Paper

xOrbit: Satellite Ground Segment Security

Secure satellite commanding via split-channel XorIDA, xLink authenticated ground stations, and xChange unconditionally-secure key transport. Prevents single-ground-station hijacking. Production-ready, ~1,550 LOC, 103+ tests.

v1.0.0 103+ tests passing 4 core modules 32 error codes Gold Standard Bronze $6.2B TAM

Section 01

Executive Summary

xOrbit splits satellite commands and telemetry across independent ground stations using XorIDA threshold sharing, authenticated by xLink DIDs, with unconditionally-secure key transport via xChange. No single compromised station can command the satellite.

Four production modules cover the full ground segment lifecycle: command.ts (~494 LOC) issues digitally-signed commands and splits them K-of-N. telemetry.ts (~323 LOC) protects downlinks with per-share HMAC. orbit.ts (~331 LOC) performs verified orbit calculations with xProve integration. coordination.ts (~401 LOC) manages ground station identity, acquisition windows, and threshold authorization.

Result-based error handling with 32 structured codes. HMAC verification before reconstruction ensures integrity. XorIDA splits in ~5ms, reconstructs in ~3ms. All operations are quantum-secure by construction — XorIDA is information-theoretically unconditional.

Section 02

Developer Experience

xOrbit provides structured error codes, actionable error hints, and optional progress callbacks for debugging and monitoring satellite operations.

Error Codes & Structure

All operations return Result<T, E> with detailed error information: code, message, hint, field attribution, and documentation URL. No thrown exceptions in library code.

Category	Example Codes	When
Command	INVALID_SIGNATURE, EXPIRED_COMMAND	Command validation, signing, expiry
Split/Reconstruct	HMAC_FAILED, INSUFFICIENT_SHARES	XorIDA operations, integrity checks
Telemetry	PAYLOAD_TOO_LARGE, DOWNLINK_FAILED	Downlink processing, size limits
Orbit	INVALID_PARAMETERS, OUT_OF_RANGE	Orbital mechanics, xProve verification
Coordination	STATION_NOT_FOUND, INVALID_WINDOW	Ground station management, acquisition windows

STRUCTURED ERROR REFERENCE

Each error includes user-friendly hints, field attribution, and documentation links via the ERROR_DETAILS map. See Appendix A1 for complete taxonomy of all 32 error codes.

Section 03

The Problem

The 2022 Viasat KA-SAT attack demonstrated that a single compromised ground station can disable thousands of satellite terminals. Pre-shared commanding keys are a single point of failure.

Current satellite commanding uses shared keys. All ground stations hold the same commanding key. One station compromise = full constellation access.

Ground stations are geographically dispersed and physically hard to secure. Adversaries can target specific stations, inject malicious commands, or intercept telemetry.

No individual station has commanding authority. But current systems lack threshold-based authorization. Destructive commands (de-orbit, payload release) require multi-station approval.

The Old Way

The New Way

Section 04

Real-World Use Cases

Four scenarios where xOrbit prevents single-point-of-failure ground segment compromises.

🛰️

Space

LEO Satellite Commanding

Split commands across 3+ ground stations. Satellite reconstructs only after receiving K shares from authenticated stations.

Threshold K-of-N

🌍

Constellation

Fleet Telemetry Protection

Downlink splits via XorIDA to prevent single-channel interception. Receiver reconstructs from any K shares.

Telemetry Integrity

🔐

Defense

Destructive Command Authorization

De-orbit / payload release commands require threshold approval. No single operator can trigger satellite destruction.

Multi-Station Approval

🛡️

National Security

Classified Orbital Operations

Unconditionally-secure key transport via xChange. Verifiable orbit calculations with zero-knowledge proofs.

Information-Theoretic

Section 05

Solution Architecture

Four composable modules orchestrating authenticated, threshold-based satellite operations.

Command Module

~494 LOC

Issue digitally-signed commands

XorIDA split K-of-N

Per-share HMAC integrity

Threshold reconstruction

Telemetry Module

~323 LOC

XorIDA-split downlinks

Multi-station reception

Reconstruction from K shares

Per-share HMAC validation

Orbit Module

~331 LOC

Keplerian orbit mechanics

xProve verifiable proofs

Semi-major axis validation

Inclination/eccentricity checks

Coordination

~401 LOC

Ground station DIDs

Acquisition window scheduling

Threshold authorization gates

Station authentication

Core Properties

All modules use XorIDA threshold sharing over GF(2) with HMAC-SHA256 integrity before reconstruction. No computational assumptions — information-theoretically unconditional. Result-based error handling with 32 structured codes. Gold Standard Bronze certified.

Section 06

Integration & API

Quick Start

import {
  issueCommand,
  splitCommand,
  reconstructCommand,
} from '@private.me/xorbit';

// Ground station issues a command
const cmd = await issueCommand(
  {
    commandType: 'attitude-adjustment',
    satelliteId: 'sat-leo-001',
    issuerId: 'ground-station-a',
    payload: new Uint8Array([...]),
    expiresAt: Date.now() + 3600000,
  },
  signingFn,
);

// Split into 3 shares, require 2 to reconstruct
const split = splitCommand(cmd.value, {
  n: 3,
  k: 2,
});

// Satellite reconstructs from K shares
const reconstructed = reconstructCommand({
  shares: [share0, share1],
  n: split.value.n,
  k: split.value.k,
});

issueCommand(data, signFn): Promise<Result<Command, OrbitError>>

Issues a digitally-signed command. Returns a command structure ready for XorIDA splitting and multi-station distribution.

splitCommand(command, config): Result<SplitResult, OrbitError>

Splits a command using XorIDA threshold sharing. Returns K-of-N shares with per-share HMAC integrity tags.

reconstructCommand(opts): Result<Command, OrbitError>

Reconstructs a command from K authenticated shares after HMAC verification. Information-theoretically secure against up to K-1 compromised stations.

Section 07

Security & Threat Model

Threat	Defense	Guarantee
Single station compromise	XorIDA K-of-N split	✓ Attacker learns nothing with <K shares
Unauthorized commands	ED25519 DID signature	✓ Only authenticated stations issue
Destructive commands	Threshold authorization gate	✓ K-of-N approval required
Replay attacks	Command expiry + nonce	✓ 1-hour window, anti-replay
Telemetry interception	XorIDA downlink split	✓ Single channel reveals nothing
Key compromise	xChange unconditional security	✓ No computational assumptions

Implementation Details

103+ comprehensive tests — Command, telemetry, orbit, coordination, and abuse test suites
Gold Standard Bronze certified — SECURITY.md, threat-model.md, failure-modes.md
Result<T,E> error handling — No exceptions, structured 32 error codes with hints
HMAC before reconstruction — Always validate integrity before decoding XorIDA shares

~5ms

Command split

~3ms

Reconstruct

<1ms

Orbit calc

Section 08

Performance Benchmarks

Operation	Typical Time	Notes
Command issue	~10ms	ED25519 signature + validation
Command split (3-of-3)	~5ms	XorIDA + HMAC generation
Command reconstruct	~3ms	HMAC verify + XorIDA
Telemetry split	~2ms	Per 100 sensor points
Orbit calculation	<1ms	Keplerian mechanics
Key transport (xChange)	~15µs	Unconditionally secure

All measurements on Node.js 22.x on standard infrastructure. Split/reconstruct scales linearly with share count (typical 3-10 shares).

Section 09

Honest Limitations

Command Payload Size

Maximum 4 KB per command. Larger payloads require multi-part transmission (not yet implemented). Typical satellite commanding is <1 KB.

Threshold Configuration

Typical deployment is 3-5 stations with K=2 or K=3 threshold. Larger N increases latency and bandwidth. No practical limit beyond constellation size.

Ground Station Availability

Requires K stations online to reconstruct. If <K stations are available during acquisition window, commands are queued. Satellite cannot command itself.

Real-Time Constraints

Orbit calculations are <1ms, command reconstruction ~3ms. Not suitable for millisecond-scale control loops. Designed for command/telemetry on 1-60 second timescales.

Advanced Topics

Appendices & Implementation Details

Deep dives into error hierarchy, module design, technical specifications, and verifiable proofs.

Appendix A1

Error Codes (32 total)

All operations return structured errors with actionable hints and documentation links.

Command errors (6): INVALID_SIGNATURE, EXPIRED_COMMAND, PAYLOAD_TOO_LARGE, INVALID_COMMAND_TYPE, MALFORMED_COMMAND, UNKNOWN_SATELLITE

Split/Reconstruct errors (8): HMAC_VERIFICATION_FAILED, INSUFFICIENT_SHARES, XORIDA_ERROR, INVALID_SHARE_INDEX, CORRUPTED_SHARE, DUPLICATE_SHARE, OUT_OF_RANGE_INDEX, RECONSTRUCTION_FAILED

Telemetry errors (6): TELEMETRY_PAYLOAD_TOO_LARGE, TELEMETRY_DOWNLINK_FAILED, INVALID_DOWNLINK_FORMAT, TELEMETRY_PARSE_ERROR, RECONSTRUCTION_TIMEOUT, FRAME_DROPPED

Orbit errors (6): INVALID_SEMI_MAJOR_AXIS, INVALID_ECCENTRICITY, INVALID_INCLINATION, OUT_OF_RANGE_PARAMETERS, XPROVE_VERIFICATION_FAILED, ORBITAL_CALCULATION_ERROR

Coordination errors (6): GROUND_STATION_NOT_FOUND, INVALID_ACQUISITION_WINDOW, STATION_NOT_AUTHENTICATED, UNAUTHORIZED_COMMAND, THRESHOLD_NOT_MET, SIGNATURE_VERIFICATION_FAILED

Appendix A2

Module Architecture

Package Structure

packages/xorbit/
├── src/
│   ├── command.ts          // ~494 LOC
│   ├── telemetry.ts        // ~323 LOC
│   ├── orbit.ts            // ~331 LOC
│   ├── coordination.ts      // ~401 LOC
│   ├── types.ts            // ~291 LOC
│   ├── errors.ts           // ~430 LOC
│   ├── index.ts            // Barrel exports
│   └── __tests__/          // 103+ tests
├── docs/
│   ├── threat-model.md
│   └── failure-modes.md
└── SECURITY.md

Key design principle: All modules compose through Result<T, E>. XorIDA operations always validate HMAC before reconstruction. No state beyond request handling.

Appendix A3

Technical Specifications

Operational Limits

Command payload: Maximum 4 KB per command
Telemetry frame: Maximum 16 KB per downlink
Share count: Typical 3-10 shares, configurable K-of-N
Semi-major axis: 6,571-42,371 km (200-36,000 km altitude)
Eccentricity: 0-1 (circular to hyperbolic)
Inclination: 0-180° (equatorial to retrograde)
Command expiry: Default 1 hour, configurable
Share distribution: Independent encrypted channels, HTTPS or custom adapter

Cryptographic Algorithms

Threshold sharing: XorIDA over GF(2), information-theoretically unconditional
Integrity: HMAC-SHA256 per-share before reconstruction
Signatures: ED25519 for command authentication
Key transport: xChange unconditionally-secure (no KEM)
Verifiable proofs: xProve zero-knowledge proofs on orbits

GET STARTED

Ready to deploy xOrbit?

Talk to Sol, our AI platform engineer, or book a live demo with our team.

Book a Demo

Deployment Options

🌐

SaaS Recommended

Fully managed infrastructure. Call our REST API, we handle scaling, updates, and operations.

Zero infrastructure setup
Automatic updates
99.9% uptime SLA
Enterprise SLA available

View Pricing →

📦

SDK Integration

Embed directly in your application. Runs in your codebase with full programmatic control.

npm install @private.me/xorbit
TypeScript/JavaScript SDK
Full source access
Enterprise support available

Get Started →

🏢

On-Premise Upon Request

Enterprise CLI for compliance, air-gap, or data residency requirements.

Complete data sovereignty
Air-gap capable deployment
Custom SLA + dedicated support
Professional services included

Request Quote →

Enterprise On-Premise Deployment

While xOrbit is primarily delivered as SaaS or SDK, we build dedicated on-premise infrastructure for customers with:

Regulatory mandates — HIPAA, SOX, FedRAMP, CMMC requiring self-hosted processing
Air-gapped environments — SCIF, classified networks, offline operations
Data residency requirements — EU GDPR, China data laws, government mandates
Custom integration needs — Embed in proprietary platforms, specialized workflows

Includes: Enterprise CLI, Docker/Kubernetes orchestration, RBAC, audit logging, and dedicated support.

Contact sales for assessment and pricing →