Physiological Provenance Receipt · PPR · Patent Pending

Prove the heartbeat was real — without ever seeing the heartbeat.

PPR proves an inference over physiological signal came from a real, on-body sensor, through the device capture path, from the enrolled subject, in an unspliced stream, read by the stated model — signed independently with ML-DSA-65 (FIPS 204), verifiable offline by any third party.

You keep your data. We keep the proof.

The wall: the raw physiological signal never touches Hive. Sealing happens capture-side, inside your trust boundary. Only commitments and verdicts cross the line — never a sample, never an inference plaintext, never a salt. Enforced in CI.

Device attestation says valid. PPR says broken.

A genuine sensor booted and passed attestation. Then someone spliced out a bad night before the review. Device attestation cannot see it. PPR does — because every interval is chained to the one before it.

Device / SDK attestation
✅ VALID

Genuine sensor. Cert chain Device→Vendor→Root verified. Firmware measurement MATCH. Revocation GOOD. The device really did boot clean.

✓ hardware genuine
✓ cert chain valid
✓ firmware measured
— stream contents: not checked
Hive PPR
❌ BROKEN

Signal stream spliced at interval 2,847. Timestamps no longer adjacent; the S-chain head does not reconcile against an independent re-derivation.

✓ origin healthy
✓ challenge fresh
✓ subject bound
✗ stream:chain_break@seq2847

Same in reverse for every attack below: the device still "passes," PPR fails, and the same receipt fails identically whether the subject or the relying party checks it.

Eight ways to fake it. PPR catches all eight.

These are the acceptance tests and the demo, one and the same. For every attack, device attestation passes and PPR fails. 19/19 tests green in the reference build.

01 · Synthetic injection

Software feeds a fabricated waveform to a real pipeline. No valid transducer capture assertion → origin unhealthy.

02 · Proxy wear

A fitter friend wears the band. On-body presence has a discontinuity → subject binding won't reconstruct.

03 · Stream splice

Excise the bad night before review. Surviving intervals don't link; timestamps don't reconcile.

04 · Duplication

Copy a healthy week over a bad one. Sample-count and timestamp collision breaks the chain.

05 · Replay

Re-present a prior healthy month as current. Hive's fresh challenge is absent from the origin commitment.

06 · Model substitution

A cheaper model produced the inference. Model identity mismatches; the inference commitment won't reconstruct.

07 · Inference alteration

Edit the output after the model ran. The output commitment won't reconstruct.

08 · Wrong-interval attribution

Claim the inference came from a different span. The named stream head isn't the head at the claimed range.

We never see a heartbeat.

Non-possession is architectural, not a policy promise. The build fails CI if any Hive-side code path references a raw sample, an inference plaintext, or a salt.

Capture-side sealing · boundary-crossing commitments only

Your trust boundary
Raw signal · holder salts · inference plaintext

Health app / hospital / trial sponsor. Sealing happens here. Nothing raw leaves.

▟ THE WALL ▙
commitments +
verdicts only
Hive (attestor)
Signs commitments · issues the receipt

Holds no signal. Cannot open a commitment — the salt never crossed.

Not a diagnosis

No code path evaluates whether the inference is medically correct. PPR proves origin, custody, and continuity — never truth of the conclusion.

Not biometric identity

On-body presence is discontinuity detection, not identification. We prove continuity of wear, not who you are.

Not possession

Hive never holds raw signal, plaintext, or salts. Verification is fully offline — zero network calls, enforced in test.

The five bindings

Every inference lives inside a capture epoch, hash-chained. Break any link and verification fails. The tier is committed into the origin binding — it cannot be relabeled.

# O binds sensor origin — the capture tier is committed IN, load-bearing
O   = commit(capture_tier ‖ device_attest ‖ cert_chain ‖ revocation ‖ measurement
             ‖ sensor_id ‖ capture_assertion ‖ capture_assertion_sig ‖ firmware ‖ challenge)
B   = commit(subject_id ‖ on_body_presence ‖ wear_continuity ‖ enrollment)
# Sⱼ — the anti-splice chain: each interval commits to its predecessor
Sⱼ  = commit(interval_commitmentⱼ ‖ t_start ‖ t_end ‖ sample_count ‖ channels ‖ Sⱼ₋₁)
I   = commit(model_digest ‖ version ‖ quantization ‖ config ‖ interval_range ‖ output_commit ‖ ts)
# Kᵢ — recursive continuity across the epoch
Kᵢ  = commit(O ‖ B ‖ Sⱼ ‖ I ‖ Kᵢ₋₁)
Receipt = Sign_MLDSA65(O ‖ B ‖ Sⱼ ‖ I ‖ Kᵢ ‖ epoch_metadata)

interval_commitment and output_commit are computed holder-side with a holder-side salt. The salt never leaves. Hive signs commitments only.

Honest by construction

v1 ships one tier and says so plainly. The tier is committed into the origin binding, so it can't be sold as something stronger. A relying party can set a required tier floor and honestly reject anything weaker.

Tierv1 trust floor for the capture assertionStatus
holder-ingest-signedThe holder's ingest key asserts the signal arrived through the device SDK — not device silicon. This is what v1 ships.v1 · shipping
secure-element-signedThe device secure element signs the capture assertion. Same receipt schema, stronger floor.the upgrade

Every verification banner states the tier in plain language. A holder-ingest receipt presented as secure-element fails verification.

Real numbers

Measured on-box against the actual primitives — not marketing screenshots. ML-DSA-65 sizes are exactly the FIPS 204 spec.

413k/s
commit() throughput · 2.4µs each
106k/s
interval sealing · 500 samples + reconcile + chain each
8.8ms
ML-DSA-65 verify · per receipt
3,309B
signature size · pk 1,952 B · FIPS 204

19/19 tests pass: 8 failure modes + quantization-swap + happy path + 9 invariants (non-possession CI, offline verify, tier-relabel, no-diagnosis, non-revealing commitments). Origin evidence in the reference build is flagged simulated=true until wired to a live device attestation feed. We never fake a receipt.

Who needs proof they can't fake

Clinical trials

Prove wearable endpoints came from the enrolled subject, on-body, unspliced — verifiable by the sponsor and the regulator without handing over raw signal.

Remote patient monitoring

Bind each risk inference to a real capture stream. Catch synthetic data, proxy wear, and after-the-fact edits before they reach a chart.

Insurance & wellness

Wearable-linked programs that need to know the steps, the sleep, the heart rate were real — without the insurer ever holding the raw data.

Pilot PPR

If you capture physiological signal and someone downstream has to trust the inference over it, PPR is the receipt that survives the audit.

PPR — Physiological Provenance Receipt. Patent Pending. Post-quantum signed (ML-DSA-65 / FIPS 204), verifiable offline. Hive never sees a raw physiological sample.