Internet-Draft LICET Human Intent Protocol June 2026
Pereira Expires 31 December 2026 [Page]
Workgroup:
Individual Submission
Internet-Draft:
draft-pereira-licet-human-intent-00
Published:
Intended Status:
Informational
Expires:
Author:
C. Pereira
eColabs Desenvolvimento de Pessoas e Organizacoes LTDA.

LICET: A Cryptographic Protocol for Physiological Human-Intent Verification in Autonomous AI Agent Authorization

Abstract

Autonomous AI agents executing consequential actions in high-stakes domains — medical prescribing, financial transactions, critical infrastructure control — require authorization mechanisms that go beyond classical identity verification. Existing mechanisms (passwords, static biometrics, digital signatures) verify who authorized an action but cannot verify whether the authorizing human was genuinely conscious, uncoerced, and cognitively capable at the moment of authorization.

This document specifies LICET (Latin: "it is permitted"), a cryptographic middleware protocol that binds AI agent authorization events to the real-time physiological state of the authorizing human. LICET defines: (1) a biometric capture and coercion-detection procedure using wearable sensor data; (2) per-event session-key derivation using HKDF (RFC 5869); (3) a biometric temporal signature using HMAC (RFC 2104); (4) a Schnorr zero-knowledge proof over the BN128 elliptic curve enabling third-party audit without biometric data exposure; and (5) a SHA-256 hash-chained ledger for tamper-evident authorization records.

A reference implementation is publicly deployed at https://licet.dev/v1/ and available as open source at https://github.com/christianrp45/licet-protocol.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 31 December 2026.

Table of Contents

1. Introduction

Artificial intelligence agents are transitioning from passive tools to autonomous actors capable of executing actions with real, irreversible consequences. A medical AI agent may adjust medication dosages. A financial AI may execute wire transfers. An infrastructure AI may modify power-grid parameters. In each case, the assumed safeguard is human authorization.

1.1. The Intent Gap

Contemporary authorization primitives are designed to answer one question: is this person who they claim to be? They are silent on a second, equally critical question: is this person currently in a state that constitutes genuinely free, conscious, and cognitively competent intent?

This gap is the intent gap — the absence of a cryptographically verifiable mechanism to attest that a human was genuinely capable of and free to form the intent they expressed. The EU AI Act [EUAIACT] mandates human oversight for high-risk AI systems (Article 14) but specifies no technical standard for what constitutes verifiable human oversight. LICET provides the technical substrate for this regulatory requirement.

1.2. Conventions and Definitions

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

Authorizer (H):
The human whose physiological state and intent are being verified.
Agent (A):
An autonomous AI system requesting authorization to perform an action.
LICET Server (S):
The server that holds the master secret key and executes the protocol logic.
Auditor (V):
Any third party who may later verify that a valid authorization occurred, without accessing biometric data.
Wearable (W):
A biometric sensing device worn by the Authorizer.
Intent Hash (h):
A cryptographic binding of an action request to a specific moment in time.
Biometric Signature (sigma):
An HMAC commitment of biometric state to the intent hash.
Coercion Risk:
A categorical assessment (LOW, MEDIUM, HIGH) of the probability that the Authorizer is under duress.

2. Protocol Overview

The LICET authorization protocol proceeds as follows:

  1. Request. Agent A submits an authorization request to LICET Server S specifying: action descriptor (a), agent identifier (id_A), target entity (tgt), and Unix timestamp (ts).

  2. Biometric Capture. Server S instructs Wearable W to capture physiological data over a window t_c (default: 10 seconds): heart rate (f_HR), peripheral oxygen saturation (s_O2), and heart rate variability (v_HRV).

  3. Coercion Detection. Server S evaluates the captured signals according to Section 3. If Coercion Risk is MEDIUM or HIGH, or cognitive impairment is detected, authorization MUST be denied.

  4. Intent Hash Generation. Server S computes:

    h = SHA-256(a || id_A || tgt || ts)

  5. Session Key Derivation. Server S derives a per-event session key using HKDF [RFC5869]:

    k_s = HKDF-SHA256(k_m, h)

  6. Biometric Signature. Server S computes:

    sigma = HMAC-SHA256(h || f_HR || s_O2 || v_HRV || ts, k_s)

  7. Zero-Knowledge Proof. Server S generates a Schnorr proof as specified in Section 5.

  8. Ledger Append. Server S appends an entry to the hash-chained ledger as specified in Section 6.

  9. Authorization Token. Server S returns to Agent A: intent hash h, biometric signature sigma, ZKP proof, ledger record identifier, and timestamp.

3. Biometric Capture and Coercion Detection

3.1. Biometric Sources

LICET MUST accept biometric input from any of the following sources:

  • BLE GATT Heart Rate Profile (IEEE 11073)
  • Android Health Connect API
  • Apple HealthKit
  • Direct I2C sensor integration (e.g., MAX30102)
  • Software simulation (development environments only)

3.2. Captured Signals

Three signals MUST be captured over window t_c:

  • f_HR: Heart rate in beats per minute (BPM)
  • s_O2: Peripheral oxygen saturation in percent (%)
  • v_HRV: Root mean square of successive differences (RMSSD) of inter-beat intervals in milliseconds (ms)

3.3. Coercion Detection Function

The coercion detection function C maps physiological signals to a risk level:

C(f_HR, v_HRV) =
  HIGH    if f_HR > 130 AND v_HRV < 20
  MEDIUM  if f_HR > 100 AND v_HRV < 35
  LOW     otherwise

Physiological basis: under acute psychological coercion, the sympathetic branch of the autonomic nervous system simultaneously elevates heart rate and suppresses HRV [THAYER2012]. This dual-axis collapse distinguishes coercion from aerobic exercise, where HRV may be maintained or recover rapidly.

3.4. Cognitive Impairment Detection 

I(s_O2) =
  IMPAIRED  if s_O2 < 90
  NORMAL    otherwise

3.5. Authorization Decision

Authorization MUST be denied if any of the following conditions hold:

  • C(f_HR, v_HRV) is MEDIUM or HIGH
  • I(s_O2) is IMPAIRED
  • Captured signals are outside valid sensor ranges
  • Capture window t_c produces insufficient data points

4. Intent Hash and Cryptographic Binding

4.1. Intent Hash

The intent hash uniquely identifies the requested action:

h = SHA-256(a || id_A || tgt || ts)

where || denotes concatenation, a is the UTF-8 encoded action descriptor, id_A is the UTF-8 encoded agent identifier, tgt is the UTF-8 encoded target entity, and ts is the Unix timestamp encoded as a 64-bit big-endian integer.

4.2. Session Key Derivation

A per-event session key SHALL be derived using HKDF [RFC5869]:

k_s = HKDF(hash=SHA-256, IKM=k_m, info=h, L=32)

where k_m is the server master key (minimum 256 bits, generated using a cryptographically secure random number generator) and h is the intent hash. Session key isolation ensures that compromise of k_s for event i does not expose k_s for any other event j, nor the master key k_m.

4.3. Biometric Temporal Signature 

sigma = HMAC-SHA256(h || f_HR || s_O2 || v_HRV || ts, k_s)

The biometric values f_HR, s_O2, v_HRV MUST be encoded as IEEE 754 double-precision (64-bit) big-endian floating-point values.

Properties:

  • Event-unique: ts ensures no replay across distinct events.
  • Action-bound: h is embedded; sigma is cryptographically invalid for any action other than the one specified in h.
  • Non-invertible: biometric values cannot be recovered from sigma without k_s.

5. Zero-Knowledge Proof

LICET uses a non-interactive Schnorr proof over the BN128 elliptic curve with the Fiat-Shamir heuristic [FIAT1987]. Let G be the BN128 generator point and q the group order.

5.1. Proof Generation 

1. w  = SHA-256(sigma || h) mod q
2. PK = w * G
3. r  randomly sampled from Z_q
4. R  = r * G
5. c  = SHA-256(R || PK || h) mod q
6. s  = (r - c * w) mod q

Proof: pi = (R, c, s, PK)

5.2. Proof Verification

Given pi = (R, c, s, PK) and intent hash h, a verifier V checks:

s * G + c * PK =?= R
AND
c =?= SHA-256(R || PK || h) mod q

If both equalities hold, V is convinced that the prover possessed knowledge of the biometric signature sigma for this intent hash, without learning sigma, f_HR, s_O2, or v_HRV.

6. Tamper-Evident Ledger

6.1. Chaining 

L_0 = SHA-256(entry_0 || "LICET-GENESIS")
L_n = SHA-256(entry_n || L_{n-1}),  n >= 1

Any retroactive modification to entry i invalidates L_i through L_n, making tampering mathematically detectable by any party recomputing the chain.

6.2. Integrity Verification

Implementations MUST provide a publicly accessible mechanism to verify the full hash chain and return a boolean integrity result, without requiring authentication.

7. Security Considerations

7.1. Replay Attack Prevention

Each authorization event produces a unique intent hash h binding the action, agent identifier, target, and timestamp. Implementations MUST reject authorization requests with timestamps outside a configurable window (RECOMMENDED: 60 seconds).

7.2. Coercion Detection Limitations

The concurrent HR/HRV threshold is a statistical, not absolute, protection. Population-level thresholds may produce false positives for individuals with baseline tachycardia or false negatives for highly trained individuals. Future versions of this protocol SHOULD define a personalized baseline calibration procedure.

7.3. Biometric Privacy

Raw biometric values MUST NOT be stored in the ledger. The ZKP mechanism defined in Section 5 ensures that auditors can verify authorization validity without accessing biometric data, satisfying data minimization principles of privacy regulations.

7.4. Master Key Protection

Implementations MUST protect the master key k_m using hardware security modules or equivalent mechanisms. Key rotation procedures MUST be defined by each deployment.

8. IANA Considerations

This document has no IANA actions at this time.

9. References

9.1. Normative References

[RFC2119]
Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, , <https://www.rfc-editor.org/info/rfc2119>.
[RFC8174]
Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, , <https://www.rfc-editor.org/info/rfc8174>.
[RFC5869]
Krawczyk, H. and P. Eronen, "HMAC-based Extract-and-Expand Key Derivation Function (HKDF)", RFC 5869, DOI 10.17487/RFC5869, , <https://www.rfc-editor.org/info/rfc5869>.
[RFC2104]
Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-Hashing for Message Authentication", RFC 2104, DOI 10.17487/RFC2104, , <https://www.rfc-editor.org/info/rfc2104>.

9.2. Informative References

[EUAIACT]
European Parliament, "Regulation (EU) 2024/1689 on Artificial Intelligence (EU AI Act)", .
[THAYER2012]
Thayer, J.F., "A meta-analysis of heart rate variability and neuroimaging studies: Implications for heart rate variability as a marker of stress and health", Neuroscience and Biobehavioral Reviews, 36(2):747-756, .
[FIAT1987]
Fiat, A. and A. Shamir, "How to Prove Yourself: Practical Solutions to Identification and Signature Problems", Advances in Cryptology - CRYPTO 1986, LNCS vol. 263, pp. 186-194, .
[SSRN7018458]
Pereira, C., "LICET: A Biometric Intent Authorization Protocol for Autonomous AI Agents", SSRN Abstract ID 7018458, .

Protocol Timestamp

The LICET protocol was first documented and registered on the Bitcoin blockchain via OpenTimestamps on February 25, 2026. The SHA-256 hash of the original protocol document is publicly archived as a tamper-evident timestamp predating this Internet-Draft.

Reference Implementation

A reference implementation of this protocol is publicly available:

Author's Address

Christian Rodrigues Pereira
eColabs Desenvolvimento de Pessoas e Organizacoes LTDA.
Brazil
URI: https://licet.dev