eColabs Desenvolvimento de Pessoas e Organizacoes LTDA.

BR contato@ecolabs.com.br https://licet.dev

Security Individual Submission AI safety human oversight biometric authorization zero-knowledge proof autonomous agents coercion detection Autonomous AI agents executing consequential actions in high-stakes domains — medical prescribing, financial transactions, critical infrastructure control — require authorization mechanisms that go beyond classical identity verification. Existing mechanisms (passwords, static biometrics, digital signatures) verify who authorized an action but cannot verify whether the authorizing human was genuinely conscious, uncoerced, and cognitively capable at the moment of authorization. This document specifies LICET (Latin: "it is permitted"), a cryptographic middleware protocol that binds AI agent authorization events to the real-time physiological state of the authorizing human. LICET defines: (1) a biometric capture and coercion-detection procedure using wearable sensor data; (2) per-event session-key derivation using HKDF (RFC 5869); (3) a biometric temporal signature using HMAC (RFC 2104); (4) a Schnorr zero-knowledge proof over the BN128 elliptic curve enabling third-party audit without biometric data exposure; and (5) a SHA-256 hash-chained ledger for tamper-evident authorization records. A reference implementation is publicly deployed at https://licet.dev/v1/ and available as open source at https://github.com/christianrp45/licet-protocol.

Introduction Artificial intelligence agents are transitioning from passive tools to autonomous actors capable of executing actions with real, irreversible consequences. A medical AI agent may adjust medication dosages. A financial AI may execute wire transfers. An infrastructure AI may modify power-grid parameters. In each case, the assumed safeguard is human authorization.

The Intent Gap Contemporary authorization primitives are designed to answer one question: is this person who they claim to be? They are silent on a second, equally critical question: is this person currently in a state that constitutes genuinely free, conscious, and cognitively competent intent? This gap is the intent gap — the absence of a cryptographically verifiable mechanism to attest that a human was genuinely capable of and free to form the intent they expressed. The EU AI Act mandates human oversight for high-risk AI systems (Article 14) but specifies no technical standard for what constitutes verifiable human oversight. LICET provides the technical substrate for this regulatory requirement.

Conventions and Definitions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

Authorizer (H):

The human whose physiological state and intent are being verified.

Agent (A):

An autonomous AI system requesting authorization to perform an action.

LICET Server (S):

The server that holds the master secret key and executes the protocol logic.

Auditor (V):

Any third party who may later verify that a valid authorization occurred, without accessing biometric data.

Wearable (W):

A biometric sensing device worn by the Authorizer.

Intent Hash (h):

A cryptographic binding of an action request to a specific moment in time.

Biometric Signature (sigma):

An HMAC commitment of biometric state to the intent hash.

Coercion Risk:

A categorical assessment (LOW, MEDIUM, HIGH) of the probability that the Authorizer is under duress.

Protocol Overview The LICET authorization protocol proceeds as follows:

1. Request. Agent A submits an authorization request to LICET Server S specifying: action descriptor (a), agent identifier (id_A), target entity (tgt), and Unix timestamp (ts).
2. Biometric Capture. Server S instructs Wearable W to capture physiological data over a window t_c (default: 10 seconds): heart rate (f_HR), peripheral oxygen saturation (s_O2), and heart rate variability (v_HRV).
3. Coercion Detection. Server S evaluates the captured signals according to . If Coercion Risk is MEDIUM or HIGH, or cognitive impairment is detected, authorization MUST be denied.
4. Intent Hash Generation. Server S computes: h = SHA-256(a || id_A || tgt || ts)
5. Session Key Derivation. Server S derives a per-event session key using HKDF : k_s = HKDF-SHA256(k_m, h)
6. Biometric Signature. Server S computes: sigma = HMAC-SHA256(h || f_HR || s_O2 || v_HRV || ts, k_s)
7. Zero-Knowledge Proof. Server S generates a Schnorr proof as specified in .
8. Ledger Append. Server S appends an entry to the hash-chained ledger as specified in .
9. Authorization Token. Server S returns to Agent A: intent hash h, biometric signature sigma, ZKP proof, ledger record identifier, and timestamp.

Biometric Capture and Coercion Detection

Biometric Sources LICET MUST accept biometric input from any of the following sources:

• BLE GATT Heart Rate Profile (IEEE 11073)
• Android Health Connect API
• Apple HealthKit
• Direct I2C sensor integration (e.g., MAX30102)
• Software simulation (development environments only)

Captured Signals Three signals MUST be captured over window t_c:

• f_HR: Heart rate in beats per minute (BPM)
• s_O2: Peripheral oxygen saturation in percent (%)
• v_HRV: Root mean square of successive differences (RMSSD) of inter-beat intervals in milliseconds (ms)

Coercion Detection Function The coercion detection function C maps physiological signals to a risk level: C(f_HR, v_HRV) = HIGH if f_HR > 130 AND v_HRV < 20 MEDIUM if f_HR > 100 AND v_HRV < 35 LOW otherwise Physiological basis: under acute psychological coercion, the sympathetic branch of the autonomic nervous system simultaneously elevates heart rate and suppresses HRV . This dual-axis collapse distinguishes coercion from aerobic exercise, where HRV may be maintained or recover rapidly.

Cognitive Impairment Detection I(s_O2) = IMPAIRED if s_O2 < 90 NORMAL otherwise

Authorization Decision Authorization MUST be denied if any of the following conditions hold:

• C(f_HR, v_HRV) is MEDIUM or HIGH
• I(s_O2) is IMPAIRED
• Captured signals are outside valid sensor ranges
• Capture window t_c produces insufficient data points

Intent Hash and Cryptographic Binding

Intent Hash The intent hash uniquely identifies the requested action: h = SHA-256(a || id_A || tgt || ts) where || denotes concatenation, a is the UTF-8 encoded action descriptor, id_A is the UTF-8 encoded agent identifier, tgt is the UTF-8 encoded target entity, and ts is the Unix timestamp encoded as a 64-bit big-endian integer.

Session Key Derivation A per-event session key SHALL be derived using HKDF : k_s = HKDF(hash=SHA-256, IKM=k_m, info=h, L=32) where k_m is the server master key (minimum 256 bits, generated using a cryptographically secure random number generator) and h is the intent hash. Session key isolation ensures that compromise of k_s for event i does not expose k_s for any other event j, nor the master key k_m.

Biometric Temporal Signature sigma = HMAC-SHA256(h || f_HR || s_O2 || v_HRV || ts, k_s) The biometric values f_HR, s_O2, v_HRV MUST be encoded as IEEE 754 double-precision (64-bit) big-endian floating-point values. Properties:

• Event-unique: ts ensures no replay across distinct events.
• Action-bound: h is embedded; sigma is cryptographically invalid for any action other than the one specified in h.
• Non-invertible: biometric values cannot be recovered from sigma without k_s.

Zero-Knowledge Proof LICET uses a non-interactive Schnorr proof over the BN128 elliptic curve with the Fiat-Shamir heuristic . Let G be the BN128 generator point and q the group order.

Proof Generation 1. w = SHA-256(sigma || h) mod q 2. PK = w * G 3. r randomly sampled from Z_q 4. R = r * G 5. c = SHA-256(R || PK || h) mod q 6. s = (r - c * w) mod q Proof: pi = (R, c, s, PK)

Proof Verification Given pi = (R, c, s, PK) and intent hash h, a verifier V checks: s * G + c * PK =?= R AND c =?= SHA-256(R || PK || h) mod q If both equalities hold, V is convinced that the prover possessed knowledge of the biometric signature sigma for this intent hash, without learning sigma, f_HR, s_O2, or v_HRV.

Tamper-Evident Ledger

Chaining L_0 = SHA-256(entry_0 || "LICET-GENESIS") L_n = SHA-256(entry_n || L_{n-1}), n >= 1 Any retroactive modification to entry i invalidates L_i through L_n, making tampering mathematically detectable by any party recomputing the chain.

Integrity Verification Implementations MUST provide a publicly accessible mechanism to verify the full hash chain and return a boolean integrity result, without requiring authentication.

Security Considerations

Replay Attack Prevention Each authorization event produces a unique intent hash h binding the action, agent identifier, target, and timestamp. Implementations MUST reject authorization requests with timestamps outside a configurable window (RECOMMENDED: 60 seconds).

Coercion Detection Limitations The concurrent HR/HRV threshold is a statistical, not absolute, protection. Population-level thresholds may produce false positives for individuals with baseline tachycardia or false negatives for highly trained individuals. Future versions of this protocol SHOULD define a personalized baseline calibration procedure.

Biometric Privacy Raw biometric values MUST NOT be stored in the ledger. The ZKP mechanism defined in ensures that auditors can verify authorization validity without accessing biometric data, satisfying data minimization principles of privacy regulations.

Master Key Protection Implementations MUST protect the master key k_m using hardware security modules or equivalent mechanisms. Key rotation procedures MUST be defined by each deployment.

IANA Considerations This document has no IANA actions at this time.

References Normative References Informative References European Parliament Neuroscience and Biobehavioral Reviews, 36(2):747-756 Advances in Cryptology - CRYPTO 1986, LNCS vol. 263, pp. 186-194 SSRN Abstract ID 7018458

Protocol Timestamp The LICET protocol was first documented and registered on the Bitcoin blockchain via OpenTimestamps on February 25, 2026. The SHA-256 hash of the original protocol document is publicly archived as a tamper-evident timestamp predating this Internet-Draft.

Reference Implementation A reference implementation of this protocol is publicly available:

• Live API: https://licet.dev/v1/
• Source code: https://github.com/christianrp45/licet-protocol
• Preprint: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=7018458