PPR proves an inference over physiological signal came from a real, on-body sensor, through the device capture path, from the enrolled subject, in an unspliced stream, read by the stated model — signed independently with ML-DSA-65 (FIPS 204), verifiable offline by any third party.
You keep your data. We keep the proof.
A genuine sensor booted and passed attestation. Then someone spliced out a bad night before the review. Device attestation cannot see it. PPR does — because every interval is chained to the one before it.
Genuine sensor. Cert chain Device→Vendor→Root verified. Firmware measurement MATCH. Revocation GOOD. The device really did boot clean.
Signal stream spliced at interval 2,847. Timestamps no longer adjacent; the S-chain head does not reconcile against an independent re-derivation.
Same in reverse for every attack below: the device still "passes," PPR fails, and the same receipt fails identically whether the subject or the relying party checks it.
These are the acceptance tests and the demo, one and the same. For every attack, device attestation passes and PPR fails. 19/19 tests green in the reference build.
Software feeds a fabricated waveform to a real pipeline. No valid transducer capture assertion → origin unhealthy.
A fitter friend wears the band. On-body presence has a discontinuity → subject binding won't reconstruct.
Excise the bad night before review. Surviving intervals don't link; timestamps don't reconcile.
Copy a healthy week over a bad one. Sample-count and timestamp collision breaks the chain.
Re-present a prior healthy month as current. Hive's fresh challenge is absent from the origin commitment.
A cheaper model produced the inference. Model identity mismatches; the inference commitment won't reconstruct.
Edit the output after the model ran. The output commitment won't reconstruct.
Claim the inference came from a different span. The named stream head isn't the head at the claimed range.
Non-possession is architectural, not a policy promise. The build fails CI if any Hive-side code path references a raw sample, an inference plaintext, or a salt.
Health app / hospital / trial sponsor. Sealing happens here. Nothing raw leaves.
Holds no signal. Cannot open a commitment — the salt never crossed.
No code path evaluates whether the inference is medically correct. PPR proves origin, custody, and continuity — never truth of the conclusion.
On-body presence is discontinuity detection, not identification. We prove continuity of wear, not who you are.
Hive never holds raw signal, plaintext, or salts. Verification is fully offline — zero network calls, enforced in test.
Every inference lives inside a capture epoch, hash-chained. Break any link and verification fails. The tier is committed into the origin binding — it cannot be relabeled.
# O binds sensor origin — the capture tier is committed IN, load-bearing O = commit(capture_tier ‖ device_attest ‖ cert_chain ‖ revocation ‖ measurement ‖ sensor_id ‖ capture_assertion ‖ capture_assertion_sig ‖ firmware ‖ challenge) B = commit(subject_id ‖ on_body_presence ‖ wear_continuity ‖ enrollment) # Sⱼ — the anti-splice chain: each interval commits to its predecessor Sⱼ = commit(interval_commitmentⱼ ‖ t_start ‖ t_end ‖ sample_count ‖ channels ‖ Sⱼ₋₁) I = commit(model_digest ‖ version ‖ quantization ‖ config ‖ interval_range ‖ output_commit ‖ ts) # Kᵢ — recursive continuity across the epoch Kᵢ = commit(O ‖ B ‖ Sⱼ ‖ I ‖ Kᵢ₋₁) Receipt = Sign_MLDSA65(O ‖ B ‖ Sⱼ ‖ I ‖ Kᵢ ‖ epoch_metadata)
interval_commitment and output_commit are computed holder-side with a holder-side salt. The salt never leaves. Hive signs commitments only.
v1 ships one tier and says so plainly. The tier is committed into the origin binding, so it can't be sold as something stronger. A relying party can set a required tier floor and honestly reject anything weaker.
| Tier | v1 trust floor for the capture assertion | Status |
|---|---|---|
| holder-ingest-signed | The holder's ingest key asserts the signal arrived through the device SDK — not device silicon. This is what v1 ships. | v1 · shipping |
| secure-element-signed | The device secure element signs the capture assertion. Same receipt schema, stronger floor. | the upgrade |
Every verification banner states the tier in plain language. A holder-ingest receipt presented as secure-element fails verification.
Measured on-box against the actual primitives — not marketing screenshots. ML-DSA-65 sizes are exactly the FIPS 204 spec.
19/19 tests pass: 8 failure modes + quantization-swap + happy path + 9 invariants (non-possession CI, offline verify, tier-relabel, no-diagnosis, non-revealing commitments). Origin evidence in the reference build is flagged simulated=true until wired to a live device attestation feed. We never fake a receipt.
Prove wearable endpoints came from the enrolled subject, on-body, unspliced — verifiable by the sponsor and the regulator without handing over raw signal.
Bind each risk inference to a real capture stream. Catch synthetic data, proxy wear, and after-the-fact edits before they reach a chart.
Wearable-linked programs that need to know the steps, the sleep, the heart rate were real — without the insurer ever holding the raw data.
If you capture physiological signal and someone downstream has to trust the inference over it, PPR is the receipt that survives the audit.
PPR — Physiological Provenance Receipt. Patent Pending. Post-quantum signed (ML-DSA-65 / FIPS 204), verifiable offline. Hive never sees a raw physiological sample.