ZeqProof: Cryptographic Verification

ZeqProof is the HMAC-SHA256 cryptographic binding that proves three things about a computation:

1. Authenticity: The computation was performed by official Zeq infrastructure
2. Integrity: The result has not been modified or tampered with
3. Timestamp: The result was computed at a specific Zeqond, with specific operators, and produces a specific R(t)

ZeqProof is not just a hash—it is a mathematical certificate of computation genuineness.

info

Every API response that contains a numerical result includes a ZeqProof signature. It is your proof of authenticity.

What ZeqProof Signs

The ZeqProof signature is computed over a structured payload that includes:

{
  "zeqond_timestamp": 2245831.445,
  "unix_timestamp_s": 1743339600.125,
  "operators": ["QM1", "NM19", "KO42"],
  "operator_parameters": {
    "energy_level": 3,
    "particle_mass": 9.109e-31
  },
  "result_value": 8.472194128,
  "modulated_value": 8.471076453,
  "modulation_factor": 0.9998676,
  "phase_radians": 1.523,
  "master_equation_hash": "sha256_of_compiled_equation",
  "ko42_parameters": {
    "mode": "automatic",
    "amplitude": 0.00129,
    "frequency_hz": 1.287,
    "phase_radians": 1.523
  },
  "precision": {
    "relative_error": 0.00087,
    "convergence_status": "SUCCESS"
  },
  "api_version": "2.1.0",
  "infrastructure_id": "zeq-us-east-1-prod"
}

The ZeqProof is then computed as:

ZeqProof = HMAC-SHA256(secret_key, canonical_json_payload)

where:

• secret_key is Zeq's private signing key (never exposed)
• canonical_json_payload is the above JSON, serialized in a deterministic order

Typical API Response with ZeqProof

curl -X POST https://zeq.dev/api/zeq/compute \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "operators": ["QM1"],
    "parameters": {"energy_level": 2}
  }'

Response:

{
  "result": {
    "value": 4.852103847,
    "modulated_value": 4.851334562,
    "unit": "eV",
    "zeqond_timestamp": 2245831.445,
    "unix_timestamp_s": 1743339600.125
  },
  "zeqproof": {
    "signature": "a8f2c9e1d5b4a7c2f9e8d1b5a4c7f0e9d3a6b9c2e5f8a1b4c7d0e3f6a9b2c5",
    "algorithm": "HMAC-SHA256",
    "timestamp_signed": 2245831.445,
    "operators_signed": ["QM1", "KO42"],
    "result_signed": 4.852103847,
    "verification_endpoint": "https://zeq.dev/api/zeq/verify",
    "certificate_expires": 2245836.445,
    "issuer": "zeq-infrastructure-v2.1.0"
  },
  "metadata": {
    "computation_time_ms": 45.2,
    "solver_iterations": 187,
    "convergence_error": 0.00089
  }
}

Verification: Proving a Result is Authentic

You can verify a ZeqProof at any time, on any result you have from Zeq:

curl -X POST https://zeq.dev/api/zeq/verify \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "result": {
      "value": 4.852103847,
      "zeqond_timestamp": 2245831.445,
      "operators": ["QM1"]
    },
    "zeqproof": {
      "signature": "a8f2c9e1d5b4a7c2f9e8d1b5a4c7f0e9d3a6b9c2e5f8a1b4c7d0e3f6a9b2c5",
      "algorithm": "HMAC-SHA256"
    }
  }'

Response (Valid Signature):

{
  "verification_status": "VALID",
  "result_is_authentic": true,
  "zeqond_timestamp": 2245831.445,
  "operators_verified": ["QM1", "KO42"],
  "result_value_verified": 4.852103847,
  "modulation_factor_verified": 0.9998345,
  "phase_verified": true,
  "signature_matches": true,
  "issuer_trusted": true,
  "timestamp_in_range": true,
  "certificate_valid": true,
  "audit_trail": {
    "created_at_zeqond": 2245831.445,
    "verified_at_zeqond": 2245831.889,
    "time_elapsed_zeqonds": 0.444,
    "verification_count": 1,
    "all_verifications_successful": true
  }
}

Response (Invalid Signature):

{
  "verification_status": "INVALID",
  "result_is_authentic": false,
  "errors": [
    "Signature does not match payload. Result may have been tampered with.",
    "Operators in signature do not match claimed operators."
  ],
  "signature_matches": false,
  "issuer_trusted": false,
  "timestamp_out_of_range": false,
  "recommendation": "Do not use this result in scientific work or regulatory submissions. Contact Zeq support."
}

Use Cases for ZeqProof

Regulatory Compliance (1): FDA, EMA

For pharmaceutical companies using Zeq in clinical trials, ZeqProof provides:

• Tamper-evident audit trail: Proof that a specific computation was performed at a specific time
• Non-repudiation: Zeq cannot deny having signed the result
• Timestamping: The Zeqond timestamp is cryptographically bound to the result

Example FDA submission statement:

"All computational results were generated by Zeq v2.1.0 and are cryptographically signed via ZeqProof (HMAC-SHA256). 
Independent verification confirms all signatures are valid, confirming the authenticity and integrity of these calculations."

Scientific Reproducibility (2)

For researchers publishing in peer-reviewed journals:

• Include the ZeqProof signature in supplementary materials
• Provides proof that others can verify the exact computation that was performed
• Enables future independent verification of published results

Example supplement:

Computational Methods
All quantum mechanical calculations were performed using Zeq v2.1.0.
ZeqProof signatures for all reported values are provided in Appendix A.
Any researcher can independently verify these signatures using the public verification endpoint.

Audit and Compliance (3)

For companies auditing their own computational infrastructure:

• Verify that computational results were not modified between generation and storage
• Track all computations ever performed (via zeqond_timestamp)
• Detect unauthorized modifications to historical results

Forensic Analysis (4)

In disputes or investigations:

• Definitively prove that a specific computation was performed at a specific time
• Exclude the possibility of retroactive modification
• Establish chain of custody for computational artifacts

Technical Details: HMAC-SHA256

The ZeqProof signature uses HMAC-SHA256, which provides:

Property	Guarantee
Authenticity	Only Zeq (with the secret key) can generate valid signatures
Integrity	Any modification to the payload invalidates the signature
Non-repudiation	Zeq cannot deny signing a result (given its public key is trusted)
Cryptographic Strength	SHA256 produces 256-bit digests; HMAC is resistant to extension attacks

Security assumptions:

• The Zeq secret key is kept secure and never leaked
• The Zeq public key (implicit in the verification process) is trusted
• Network communication uses TLS (HTTPS) to prevent man-in-the-middle attacks

Batch Verification

To verify multiple results at once:

curl -X POST https://zeq.dev/api/zeq/verify-batch \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "results": [
      {
        "result": {"value": 4.852103847, "zeqond_timestamp": 2245831.445},
        "zeqproof": {"signature": "a8f2c9e1..."}
      },
      {
        "result": {"value": 8.472194128, "zeqond_timestamp": 2245832.222},
        "zeqproof": {"signature": "b9f3d0e2..."}
      }
    ]
  }'

Response:

{
  "batch_verification_status": "ALL_VALID",
  "total_results": 2,
  "valid_signatures": 2,
  "invalid_signatures": 0,
  "verification_details": [
    {
      "result_index": 0,
      "status": "VALID",
      "zeqond_timestamp": 2245831.445
    },
    {
      "result_index": 1,
      "status": "VALID",
      "zeqond_timestamp": 2245832.222
    }
  ]
}

Archival and Long-Term Storage

ZeqProof signatures remain valid indefinitely. To archive a result with proof:

curl -X POST https://zeq.dev/api/zeq/archive \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "result_id": "computation_12345",
    "metadata": {
      "project": "Drug Candidate X Phase 2 Trial",
      "researcher": "Dr. Jane Smith",
      "retention_policy": "indefinite"
    }
  }'

Response:

{
  "archived": true,
  "archive_id": "arch_5f9c4ab08d9c8e0b1b5b0c8e",
  "zeqond_archived": 2245831.445,
  "zeqproof_preserved": true,
  "retrieval_instructions": "Use archive_id to retrieve this result at any future time."
}

Later, you can retrieve and re-verify:

curl -X GET "https://zeq.dev/api/zeq/archive/arch_5f9c4ab08d9c8e0b1b5b0c8e" \
  -H "Authorization: Bearer YOUR_API_KEY"

Response:

{
  "result": {...},
  "zeqproof": {...},
  "archive_metadata": {
    "original_computation_zeqond": 2245831.445,
    "archived_zeqond": 2245831.445,
    "retrieval_count": 12,
    "last_verified": 2245999.000,
    "verification_status": "VALID"
  }
}

Cross-References

• R(t) Modulation: The phase information embedded in R(t) is signed by ZeqProof
• Zeqond: The timestamp in ZeqProof is a Zeqond value
• Seven-Step Protocol: Step 7 generates the ZeqProof

Cryptographic Properties

What "HMAC-Sealed" Means

ZeqProof uses HMAC-SHA256 over the canonical serialization of the ZeqState envelope (Zeqond tick, phase, operator chain, KO42 parameters, result digest). The HMAC provides two guarantees:

• Authenticity — only a holder of the kernel signing key can produce a valid HMAC for a given envelope, so a verifier can confirm the result was issued by the Zeq infrastructure.
• Integrity — any post-hoc modification of any field in the envelope (result, timestamp, phase, operator list) invalidates the HMAC. Verification is bit-exact: a one-byte change in the serialized state breaks the seal.

Verification requires only the public verification path, not the API key, so any third party (auditor, regulator, counterparty) can independently re-derive the phase from the recorded Zeqond and check the HMAC.

Why Does ZeqProof Matter?

Use Case 1: FDA Drug Trial (Regulatory Compliance)

You compute a dose-response curve for a new drug. The FDA asks: "How do we know you didn't modify this result after computing it?"

Without ZeqProof:

• You say: "Trust me, this is the result I computed."
• FDA says: "We can't verify that. Results could be fake."
• Your trial might be rejected.

With ZeqProof:

• You submit: Result + signature
• FDA verifies the signature: "This is authentic Zeq infrastructure output."
• FDA accepts: The result is scientifically valid.

ZeqProof is your cryptographic certificate of authenticity.

Use Case 2: Scientific Publication

You publish a quantum mechanics paper with 50 computed values. Reviewers want to verify one of them independently.

With ZeqProof:

• You include: result = 4.852103847, zeqproof_signature = "a8f2c9e1..."
• Reviewer verifies the signature using Zeq's public verification endpoint
• Reviewer sees: "This result was computed by Zeq infrastructure at Zeqond 2245831.445"
• Paper is accepted: Results are reproducible and verifiable.

Use Case 3: Internal Audit (Fraud Detection)

Your company's IT department periodically audits historical computational results to ensure they haven't been modified.

With ZeqProof:

• Audit tool fetches a result from 6 months ago
• Verifies the ZeqProof signature against a historical archive
• If signature is still valid: Result is unmodified, integrity confirmed
• If signature fails: Result was tampered with—investigate further

---

Who Verifies the Signature, and How?

The Verification Process (Technical)

1. You have:
   - result: 4.852103847
   - signature: "a8f2c9e1d5b4a7c2f9e8d1b5a4c7f0e9d3a6b9c2e5f8a1b4c7d0e3f6a9b2c5"
   - timestamp: 2245831.445
   - operators: ["QM1", "KO42"]

2. Zeq's verification server:
   a) Reconstructs the payload in canonical form (deterministic JSON ordering)
   b) Applies HMAC-SHA256 with Zeq's secret key
   c) Compares the result to the provided signature

3. If signatures match:
   verification_status = "VALID"  ✓

4. If signatures don't match:
   verification_status = "INVALID"  ✗
   (Result was tampered with or signature is forged)

Who Can Verify?

Anyone with:

• The result data
• The ZeqProof signature
• Access to the public verification endpoint (https://zeq.dev/api/zeq/verify)

No secret key is needed for verification—only Zeq's secret key is needed to create signatures.

This is the principle of public-key cryptography (HMAC is symmetric but the principle applies). Anyone can check the seal, but only the official source can create it.

---

Compliance Contexts

FDA (Food and Drug Administration)

Regulatory Standard: 21 CFR Part 11 (Electronic Records; Electronic Signatures)

Requirements:

• Electronic records must have "audit trails" showing who created them and when
• Signatures must be time-stamped and tamper-evident
• Must be reproducible and verifiable

How ZeqProof Helps:

• ZeqProof includes a Zeqond timestamp (cryptographically bound)
• Signature is tamper-evident (any modification breaks it)
• Results are reproducible (can be recomputed and signature re-verified)
• Infrastructure ID is logged (proves Zeq infrastructure generated it)

EMA (European Medicines Agency)

Regulatory Standard: ICH Q14 (Analytical Procedure Development)

Requirements:

• Computational results must be reproducible by independent parties
• Method validation must be documented
• System must be validated for intended use

How ZeqProof Helps:

• Reproducibility is guaranteed (same inputs + HulyaPulse phase = identical result)
• Signature proves the computation was validated by Zeq infrastructure
• Zeqond timestamp proves the exact moment of computation (key for validation records)

Financial (SEC, FINRA)

Regulatory Standard: SEC Rule 17a-4 (Preservation of Records)

Requirements:

• Financial records must be preserved with integrity
• Must be non-rewriteable, non-erasable
• Must support audit verification

How ZeqProof Helps:

• Signature is non-rewriteable (creating a valid signature requires Zeq's secret key)
• Signature is non-erasable (if deleted, data can't be verified)
• Archive endpoint preserves signatures indefinitely
• Verification can be audited as needed

---

Compliance Statement Template (For Your Submissions)

When submitting computational results to regulators, include this statement:

COMPUTATIONAL INTEGRITY AND VERIFICATION

All numerical computations reported herein were performed using the Zeq
computational framework (version 2.1.0) and are cryptographically signed
using the ZeqProof HMAC-SHA256 verification mechanism.

For each reported computational result:
1. A ZeqProof signature uniquely binds the result to:
   - The exact Zeqond timestamp of computation
   - The specific operators used (e.g., QM1, KO42)
   - The input parameters
   - The modulation factor and phase information

2. These signatures can be independently verified using the public
   verification endpoint at https://zeq.dev/api/zeq/verify

3. The verification confirms:
   - The result was computed by official Zeq infrastructure
   - The result has not been modified since computation
   - The computation occurred at a cryptographically-verified moment in time

[Optional] All ZeqProof signatures for this submission are provided in
Appendix A and may be independently verified at any time.

---

See Also

• KO42: ZeqProof signs the KO42 parameters used
• Master Equation: ZeqProof includes the master equation hash