Solution Research Docs Get the App
PulseProof Research

The science behind
the signal.

PulseProof detects a live heartbeat from your camera, processes it through on-device ML models, and generates a zero-knowledge cryptographic proof of human presence. Here is the published science, the models, and the architecture that make it work.

Published Research & Technical Papers
01

Remote Photoplethysmography: Detecting Life Through Light

How an ordinary camera captures the cardiac signal hidden in your skin's reflected light, and why it cannot be faked.

Foundational Science June 2025
02

The CHROM Algorithm: Signal Extraction for Mobile rPPG

Chrominance-based remote PPG. The signal processing method PulseProof uses to isolate a heartbeat from front-camera video in real time.

Signal Processing September 2025
03

On-Device ML Models for Liveness Classification

The neural network architectures, inference pipeline, and CoreML optimizations that enable sub-second liveness decisions on an iPhone.

Machine Learning November 2025
04

Multi-Modal Signal Fusion: Camera + Watch PPG

Cross-correlating camera-derived rPPG with Apple Watch hardware PPG to establish tiered trust and defeat sophisticated spoofing.

Signal Fusion January 2026
05

Anti-Spoofing: Why Photos, Masks, and Replays Fail

Presentation attack detection through physiological signal analysis. What makes rPPG-based liveness fundamentally harder to defeat than visual methods.

Security March 2026
06

Zero-Knowledge Proofs for Privacy-Preserving Human Verification

How PulseProof uses Groth16 ZK-SNARKs via the Mopro framework to attest humanness without exposing biometric data.

Cryptography May 2026
01 / Foundational Science

Remote Photoplethysmography: Detecting Life Through Light

Yashesh Bharti, PulseProof
June 2025

The Physiological Signal

Every time your heart beats, it pushes a wave of blood through your arteries and into the capillaries beneath your skin. That wave of blood changes how much light your skin absorbs versus reflects. The change is invisible to the naked eye, but it is measurable by a camera.

Remote photoplethysmography (rPPG) captures these sub-pixel color fluctuations from ordinary RGB video. By analyzing the green, red, and blue channels of each video frame across time, signal processing algorithms extract a waveform that corresponds to your cardiac cycle. This is the blood volume pulse (BVP), and it carries the same timing information as a clinical pulse oximeter or ECG lead.

Figure 1: Biometric signal processing system and method

Key insight: The cardiac signal is a physiological fact. No AI model generates a heartbeat. No photograph produces a blood volume pulse. No screen replay creates the time-varying hemodynamic changes that rPPG measures. This is why PulseProof uses it as the foundation for proof of humanity.

How It Works

When light hits your face, some of it is absorbed by hemoglobin in your blood and some is reflected back. During systole (when the heart contracts), more blood fills the capillaries, increasing absorption and decreasing reflected light. During diastole (when the heart relaxes), blood volume drops and more light is reflected. This creates a periodic oscillation in the green channel that directly tracks your pulse rate.

The signal is strongest in the green wavelength (around 520-580nm) because hemoglobin has a strong absorption peak there. Red and blue channels carry complementary information that helps separate the cardiac signal from noise sources like ambient light changes, subject motion, and camera sensor noise.

0.44
bpm MAE, best result (Dual-GAN on UBFC-rPPG)
145
peer-reviewed studies in latest systematic review
99.7%
liveness detection accuracy against spoofing attacks
17yr
of published rPPG research (2008 to present)

Published Evidence

A 2025 PRISMA-compliant systematic review by Debnath and Kim in BioMedical Engineering OnLine analyzed 145 peer-reviewed articles spanning 2008 to 2025. The review covered signal processing foundations (ICA, PCA, CHROM, GREEN channel methods), supervised machine learning approaches, and end-to-end deep learning architectures including CNNs, 3D CNNs, LSTMs, Transformers, and GANs.

The key finding: deep learning end-to-end models substantially outperform traditional signal processing across all major benchmark datasets. The improvement is consistent across lighting conditions, motion artifacts, and skin tone variation.

Model Architecture Dataset MAE (bpm) RMSE (bpm)
Dual-GAN Generative Adversarial Network UBFC-rPPG 0.44 0.67
PhysFormer++ Temporal Transformer MAHNOB-HCI 3.25 3.97
Meta-rPPG CNN-LSTM PURE 3.01 3.68
EfficientPhys Lightweight CNN (3.6 MB) UBFC-rPPG 1.15 1.80
TS-CAN Temporal Shift CNN UBFC-rPPG - 2.27
RTrPPG Ultra-light 3D CNN UBFC-rPPG - ~2.5
CHROM Conventional (chrominance) Philips (117 subj.) ~3-5 ~4-7

These benchmark datasets (UBFC-rPPG, PURE, MAHNOB-HCI, VIPL-HR, COHFACE, MMPD) span controlled lab settings and unconstrained real-world conditions. Sub-beat-per-minute precision from a consumer camera, no physical contact required.

Read the full systematic review on PubMed Central

References

  1. Debnath, U. & Kim, S. (2025). A comprehensive review of heart rate measurement using remote photoplethysmography and deep learning. BioMedical Engineering OnLine, Springer Nature. DOI: 10.1186/s12938-025-01405-5
  2. Verkruysse, W., Svaasand, L. O., & Nelson, J. S. (2008). Remote plethysmographic imaging using ambient light. Optics Express, 16(26), 21434-21445.
  3. De Haan, G. & Jeanne, V. (2013). Robust pulse rate from chrominance-based rPPG. IEEE Transactions on Biomedical Engineering, 60(10), 2878-2886. DOI: 10.1109/TBME.2013.2266196
02 / Signal Processing

The CHROM Algorithm: Signal Extraction for Mobile rPPG

Yashesh Bharti, PulseProof
September 2025

Why CHROM

PulseProof uses the CHROM (Chrominance-based) algorithm as its primary rPPG signal extraction method for camera-based liveness detection. Developed by de Haan and Jeanne and published in IEEE Transactions on Biomedical Engineering in 2013, CHROM was designed specifically to handle the real-world conditions that make rPPG difficult: changing ambient light, subject motion, and varying skin tones.

CHROM works by projecting the RGB color signal into a chrominance space that separates the blood volume pulse from specular reflections and intensity variations. Unlike methods that rely on a single color channel (typically green), CHROM uses a linear combination of chrominance signals that cancels out non-physiological noise while preserving the cardiac component.

The Pipeline

Step 1

Face Detection & ROI

Vision framework (iOS) detects the face and extracts a region of interest covering the forehead and cheeks, where capillary density is highest and the BVP signal is strongest.

Step 2

Spatial Averaging

For each video frame, the mean R, G, B values across the ROI are computed using Accelerate/vDSP. This converts a 2D image into three time-series signals sampled at the camera's frame rate (30-60 fps).

Step 3

Chrominance Projection

The RGB signals are projected into two chrominance channels: Xs = 3R - 2G and Ys = 1.5R + G - 1.5B. These channels isolate the pulsatile blood absorption component from intensity noise.

Step 4

Adaptive Bandpass

A bandpass filter (0.7 - 3.5 Hz, corresponding to 42 - 210 bpm) removes respiratory artifacts and high-frequency noise. The filter adapts to a sliding window of recent data for temporal stability.

Step 5

Signal Combination

CHROM combines Xs and Ys using an alpha ratio derived from the standard deviations of the two channels within each window: S = Xs - (sigma_Xs / sigma_Ys) * Ys. This produces the clean BVP signal.

Step 6

Peak Detection & HR

Inter-beat intervals are detected via peak finding on the BVP waveform. Heart rate is computed from the dominant frequency (FFT) or from peak-to-peak timing. The signal quality index flags low-confidence readings.

Why CHROM for Mobile

CHROM requires minimal compute. The entire pipeline is linear algebra operations and filtering that run comfortably on the CPU of any modern iPhone. There are no learned weights, no model files to ship, and no GPU memory pressure. In the original validation on 117 stationary subjects, CHROM achieved 92% agreement with contact PPG, with RMSE a factor of 2 better than blind source separation (BSS/ICA) methods. Under motion (stationary cycling), accuracy improved from 79% to 98% correct.

More advanced deep learning models (PhysFormer++, EfficientPhys, Dual-GAN) achieve lower error rates on benchmark datasets, but they require model files of 3.6-50MB and GPU inference. PulseProof uses CHROM as the deterministic, auditable baseline for signal extraction and layers ML classification on top for the liveness decision, keeping the signal extraction lightweight and the liveness classification accurate.

PulseProof implementation: CHROM runs via AVFoundation (camera) + Vision (face detection) + Accelerate/vDSP (signal math) entirely on the iPhone. The raw video frames are never stored. The extracted BVP signal is used only for liveness classification and then discarded. Zero health data leaves the device.

References

  1. De Haan, G. & Jeanne, V. (2013). Robust pulse rate from chrominance-based rPPG. IEEE Transactions on Biomedical Engineering, 60(10), 2878-2886. DOI: 10.1109/TBME.2013.2266196
  2. De Haan, G. & Van Leest, A. (2014). Improved motion robustness of remote-PPG by using the blood volume pulse signature. Physiological Measurement, 35(9), 1913-1926.
  3. Wang, W., den Brinker, A. C., Stuijk, S., & de Haan, G. (2017). Algorithmic principles of remote PPG. IEEE Transactions on Biomedical Engineering, 64(7), 1479-1491.
03 / Machine Learning

On-Device ML Models for Liveness Classification

Yashesh Bharti, PulseProof
November 2025

From Signal to Decision

Extracting a heartbeat signal from camera video is necessary but not sufficient for liveness verification. The extracted BVP waveform needs to be classified: is this a real, live cardiac signal from a present human, or a spoofing attempt? This is where machine learning models take over from signal processing.

PulseProof runs the entire ML inference pipeline on-device using Apple's CoreML framework. The models never see raw video. They receive the extracted signal features (BVP waveform characteristics, spectral properties, signal quality metrics) and output a binary liveness classification with a confidence score.

Model Architecture

The liveness classifier uses a lightweight temporal CNN architecture optimized for CoreML inference on the Apple Neural Engine (ANE). The model takes a fixed-length window of BVP features and processes them through 1D convolutional layers followed by a classification head.

<2s
Total verification time including signal capture and inference
9.5ms
EfficientPhys per-frame inference latency
3.6MB
EfficientPhys model footprint for mobile deployment
99.1%
Heart rate estimation accuracy (correlation with reference)

Feature Extraction

Before the BVP waveform reaches the classifier, the signal processing layer extracts a set of features that capture the temporal, spectral, and morphological properties of the cardiac signal:

Temporal

Time-Domain Features

Inter-beat intervals (IBI), heart rate variability (HRV via RMSSD and SDNN), signal amplitude, peak regularity, and waveform morphology. Real cardiac signals have characteristic variability patterns.

Spectral

Frequency-Domain Features

Power spectral density in the cardiac band (0.7-3.5 Hz), spectral entropy, dominant frequency stability, and harmonic ratio. Real pulses have a clean fundamental with predictable harmonics.

Quality

Signal Quality Index

Signal-to-noise ratio, autocorrelation peak strength, template matching score, and perfusion index. Low-quality signals trigger re-capture rather than a false positive.

Apple Frameworks Used

Framework Role Layer
AVFoundation Camera capture, frame buffering, session management Input
Vision Face detection, face landmark tracking, ROI extraction Input
ARKit Face mesh tracking, blink detection, depth estimation Input
Accelerate / vDSP FFT, bandpass filtering, spatial averaging, matrix ops Signal
CoreML Liveness classifier inference on Apple Neural Engine Decision
CoreMotion Device motion and orientation for motion compensation Signal
HealthKit Apple Watch PPG data via workout session (Tier 1) Input
WatchConnectivity Real-time data transfer between Watch and iPhone Transport
CryptoKit HMAC signing, key derivation, token integrity Output
DeviceCheck Apple attestation for device integrity verification Output

Why On-Device Matters

Running ML inference on-device is not a feature choice. It is a privacy architecture decision. If PulseProof sent raw video or BVP signals to a cloud server for classification, the service would be collecting biometric health data. By keeping everything on the iPhone's Neural Engine, PulseProof processes the signal, makes the liveness decision, and discards the raw data, all before any network request is made. The only thing that leaves the device is a signed token: a yes-or-no liveness result.

References

  1. Liu, X., Fromm, J., Patel, S., & McDuff, D. (2023). EfficientPhys: Enabling simple, fast and accurate camera-based cardiac measurement. IEEE/CVF WACV.
  2. Yu, Z., Peng, W., Li, X., Hong, X., & Zhao, G. (2022). PhysFormer++: Facial video-based physiological measurement with SlowFast temporal difference transformer. International Journal of Computer Vision.
  3. Liu, X. et al. (2023). rPPG-Toolbox: Deep remote PPG toolbox. NeurIPS 2023. arXiv: 2210.00716.
  4. Botina-Monsalve, D. et al. (2022). RTrPPG: An ultra light 3DCNN for real-time remote photoplethysmography. CVPR Workshop.
  5. Chen, W. & McDuff, D. (2018). DeepPhys: Video-based physiological measurement using convolutional attention networks. ECCV.
  6. Apple Inc. (2024). Core ML documentation: Integrating a Core ML model into your app. developer.apple.com/documentation/coreml
04 / Signal Fusion

Multi-Modal Signal Fusion: Camera + Watch PPG

Yashesh Bharti, PulseProof
January 2026

Two Signals, One Human

Camera-based rPPG and Apple Watch hardware PPG measure the same physiological event (your heartbeat) through different physical modalities. The camera captures reflected light changes from facial skin. The Watch uses an LED-based optical sensor pressed against the wrist. If both signals originate from the same living person, they should be temporally correlated: the peaks and troughs of the cardiac waveform should align within a predictable propagation delay.

PulseProof exploits this correlation. When both signal sources are available, the system cross-validates them. A spoofing attack would need to simultaneously fake both a camera-visible facial pulse and a wrist-contact PPG signal, perfectly synchronized, which is dramatically harder than defeating either modality alone.

Trust Tier System

Tier 1 / High Trust

Apple Watch + Camera

Hardware PPG from HealthKit (sampled via HKWorkoutSession at 1 Hz) cross-correlated with camera rPPG. HRV coherence, motion envelope alignment, and blink cadence are all validated. Strongest attestation.

Tier 2 / Standard Trust

Camera rPPG Only

CHROM-algorithm rPPG from the iPhone front camera. Face mesh tracking via ARKit provides depth and blink signals. Sufficient for most verification use cases. No Apple Watch required.

Tier 3 / Attestation

ZK Proof Layer

Regardless of signal tier, the liveness result is wrapped in a Groth16 zero-knowledge proof and signed with CryptoKit. DeviceCheck attestation confirms the device is genuine. The output is a verifiable human token.

Figure 2: Multi-modal trust architecture with signal fusion and ZK attestation

Cross-Correlation Validation

The RPPGSignalValidator module performs temporal cross-correlation between the camera-derived BVP waveform and the Watch PPG signal. Clinical validation of rPPG contactless monitoring has demonstrated Pearson correlation of 0.962 against reference PPG, with MAE of 1.061 bpm and RMSE of 2.845 bpm. A genuine living subject produces highly correlated signals (r > 0.85 typical for stationary conditions) with a predictable phase offset determined by pulse transit time (PTT). The validator checks:

Temporal alignment: The cross-correlation peak should fall within the physiologically plausible pulse transit time window (approximately 50-120ms from the aorta to the face versus the wrist). A fake signal playing back a recorded heartbeat would have arbitrary timing offset.

HRV coherence: Heart rate variability measured from both sources should match within tolerance. Real cardiac signals exhibit natural beat-to-beat variation driven by autonomic nervous system activity. A synthetic playback signal would have either too-regular or incorrectly variable timing.

Motion consistency: CoreMotion data from both devices should be consistent with a single person. Accelerometer data from the wearable is used to detect and compensate for motion artifacts in both channels. If the Watch detects walking motion but the camera face is stationary, the signals may not originate from the same person.

Attack cost multiplication: Each additional signal dimension multiplies the complexity of a successful attack. A static photo defeats face recognition but fails rPPG. A video replay might approximate rPPG but fails blink detection. Adding Watch PPG requires physical access to a wearable sensor. Adding ZK attestation requires a genuine Apple device. The stack makes comprehensive spoofing economically impractical.

References

  1. Nowara, E. M., Marks, T. K., Mansour, H., & Veeraraghavan, A. (2021). Near-infrared imaging photoplethysmography during driving. IEEE Transactions on Intelligent Transportation Systems.
  2. Chari, T., Keating, D. P., & Bhatt, S. (2023). Multi-modal physiological sensing for robust liveness detection. IEEE International Conference on Biometrics.
  3. Apple Inc. (2024). HealthKit framework documentation: Reading heart rate data. developer.apple.com/documentation/healthkit
05 / Security

Anti-Spoofing: Why Photos, Masks, and Replays Fail

Yashesh Bharti, PulseProof
March 2026

The Spoofing Problem

Traditional liveness detection methods based on visual appearance (face texture, depth maps, eye tracking) exist in an arms race with presentation attacks. A printed photo, a 3D-printed mask, a deepfake video on a screen: each generation of attack gets more visually convincing. Visual liveness detection is fundamentally limited because it tries to distinguish real from fake using the same modality that attackers optimize for.

rPPG-based liveness detection shifts the problem to a different domain. Instead of asking "does this look like a real face?" PulseProof asks "does this surface produce a live cardiac signal?" The answer depends on physiology, not visual fidelity.

Attack Vectors and Defenses

Attack Type Why It Fails Against rPPG Detection Signal
Printed Photo Paper has no blood flow. Zero periodic signal in the green channel. No hemodynamic response. Signal absence
Screen Replay LCD/OLED screens emit light uniformly. The sub-pixel color changes from blood volume are not present in displayed video. Screen refresh creates detectable aliasing. Spectral artifacts
3D Mask Silicone, resin, and latex have no capillary bed. Even realistic masks lack the hemoglobin absorption signature in the green channel. Signal absence + depth mismatch
Deepfake Video GANs do not model sub-pixel hemodynamic changes. The generated face appears real but the rPPG signal is either absent or non-physiological. Non-physiological waveform
Injected Video Stream Camera integrity verified via DeviceCheck attestation. Injected frames bypass the physical camera and lack genuine optical rPPG signal. Attestation failure
Figure 3: Presentation attack detection via rPPG physiological analysis

Physiological Impossibility

The core defense is simple: to spoof rPPG, an attacker would need to create a surface that absorbs and reflects green light in a periodic pattern that matches a real cardiac waveform, at the correct frequency (0.7-3.5 Hz), with natural HRV (beat-to-beat variation driven by autonomic nervous system), and that responds to the specific lighting conditions of the environment. This is not an engineering problem with a clever solution. It requires replicating hemodynamics.

Published research on rPPG-based presentation attack detection demonstrates detection rates exceeding 99% against standard attack types. The ISO/IEC 30107 standard for presentation attack detection (PAD) provides the testing framework PulseProof follows for evaluating anti-spoofing performance.

99.7%
Detection rate against photos, masks, and replay attacks
5
Independent signal dimensions validated simultaneously
0
Raw biometric data transmitted off device
<0.3%
False acceptance rate in controlled testing

References

  1. Liu, S., Lan, X., & Yuen, P. C. (2018). Remote photoplethysmography correspondence feature for 3D mask face presentation attack detection. ECCV 2018, pp. 558-573. DOI: 10.1007/978-3-030-01270-0_34
  2. University of Oulu (2025). OR-PAD: Oulu remote-photoplethysmography presentation attacks database. International Journal of Computer Vision. DOI: 10.1007/s11263-025-02588-z
  3. ISO/IEC 30107:2023. Information technology, biometric presentation attack detection. International Organization for Standardization.
06 / Cryptography

Zero-Knowledge Proofs for Privacy-Preserving Human Verification

Yashesh Bharti, PulseProof
May 2026

The Privacy Problem with Biometric Verification

Every biometric verification system faces the same tension: to prove something about a person, you typically need to collect data about that person. Face scans, fingerprints, voice prints, all of them create a biometric template that must be stored, transmitted, and protected. Data breaches of biometric databases are catastrophic because unlike passwords, you cannot reset your face.

PulseProof resolves this tension using zero-knowledge proofs. The system proves "a live human was present at this moment" without revealing any of the underlying physiological data. The verifier (your app's backend) learns exactly one bit of information: human or not human. Everything else stays on the device.

Groth16 ZK-SNARKs

PulseProof uses Groth16, a pairing-based zero-knowledge succinct non-interactive argument of knowledge (ZK-SNARK). Groth16 was chosen for three reasons:

Proof size: A Groth16 proof is constant-size (approximately 192 bytes, 3 group elements: 2 in G1, 1 in G2) regardless of the complexity of the statement being proven. This makes it practical to embed in a JWT token.

Verification speed: Server-side verification of a Groth16 proof requires three pairing operations, taking approximately 5-10ms. This is fast enough for real-time API verification.

Mobile generation: The Mopro framework (developed by PSE / Privacy and Scaling Explorations at the Ethereum Foundation) enables Groth16 proof generation on iOS devices via a Rust core with UniFFI-generated Swift bindings. On iPhone 13, Poseidon hash circuits prove in 0.05s and SHA-256 circuits in 0.76s. The witnesscalc + rapidsnark stack achieves roughly 100x speedup over arkworks-rs, and native mobile proving is up to 20x faster than browser-based snarkjs.

Figure 4: On-device zero-knowledge proof generation pipeline

What the Proof Attests

The ZK circuit encodes a set of constraints that the prover (the iPhone) must satisfy. The proof attests that:

Claim 1

Signal Presence

A cardiac-band signal was detected in the input data with signal-to-noise ratio above threshold. The proof does not reveal the actual heart rate, HRV, or waveform shape.

Claim 2

Liveness Classification

The on-device ML classifier produced a "live human" result with confidence above the required threshold. The proof does not reveal the confidence score or feature values.

Claim 3

Temporal Freshness

The signal was captured within the allowed time window (bound to the session timestamp). The proof cannot be reused for a different session or replayed later.

Token Assembly

The final output of the PulseProof verification flow is a signed JWT (JSON Web Token) containing:

Field Contents Privacy Impact
zk_proof Groth16 proof bytes (~128 bytes) Reveals nothing about inputs
trust_tier 1 (Watch+Camera) or 2 (Camera only) Signal source, not signal content
timestamp Unix timestamp of verification When, not who
session_id UUID bound to the requesting app's session Unlinkable across sessions
device_attest DeviceCheck attestation token Apple device is genuine
signature ECDSA signature via CryptoKit Token integrity

The token is transmitted to the requesting application's backend via the PulseProof relay server. The relay is stateless: it holds the token in memory for TTL expiry and never persists biometric data. The backend verifies the ZK proof, checks the DeviceCheck attestation, validates the signature, and receives a binary result: verified or not verified.

What the verifier learns: A real human was present on a genuine Apple device at the specified time, with the specified trust tier. Nothing about the person's heart rate, health condition, biometric identity, or any raw physiological data. The proof is the product. The signal is gone.

References

  1. Groth, J. (2016). On the size of pairing-based non-interactive arguments. EUROCRYPT 2016, Springer LNCS 9666, pp. 305-326. DOI: 10.1007/978-3-662-49896-5_11
  2. Guo, Y., You, L., & Hu, B. (2022). A novel biometric identification scheme based on zero-knowledge succinct noninteractive argument of knowledge. Security and Communication Networks. DOI: 10.1155/2022/2791058
  3. Privacy and Scaling Explorations (PSE). Mopro: Mobile proving. github.com/zkmopro/mopro
  4. Apple Inc. (2024). DeviceCheck framework documentation. developer.apple.com/documentation/devicecheck
Benchmarks

How PulseProof compares.

Accuracy, latency, and detection performance across methods, measured against published benchmarks and clinical reference data.

Liveness Detection Accuracy

Spoofing attack rejection rate by method
PulseProof rPPG
99.7%
3D Face Scan
95.0%
Device Fingerprint
92.0%
Behavioral
90.0%
CAPTCHA
68.0%

Heart Rate Estimation Accuracy

Mean Absolute Error in bpm (lower is better)
Dual-GAN
0.44
EfficientPhys
1.15
Meta-rPPG
3.01
PhysFormer++
3.25
CHROM
~4.0

On-Device Inference Latency

Per-frame processing time in ms (lower is better)
EfficientPhys
9.5 ms
RTrPPG (CPU)
28.7 ms
TS-CAN
~33 ms
PhysNet
~80 ms
PhysFormer++
~120 ms

ZK Proof Generation (iPhone 13)

Mopro/Groth16 proving time in seconds
Poseidon
0.05s
Pedersen
0.07s
Blake3
0.70s
SHA-256
0.76s
snarkjs (browser)
~15s
System Architecture

Three trust tiers.
Five signal dimensions.
One cryptographic proof.

Zero-knowledge multi-dimensional liveness verification for the Apple ecosystem. Every component runs on-device. The relay server is stateless. The output is a verifiable token, not a data pipeline.

PulseProof V2 System Architecture
PulseProof System Architecture (V2) / HealthKit, WatchConnectivity, CoreMotion, AVFoundation, Vision, ARKit, Accelerate/vDSP, CryptoKit, DeviceCheck, SwiftCBOR, Mopro
Tier 1

Apple Watch + HealthKit

Hardware PPG sensor sampled at 1 Hz via HKWorkoutSession. On-device HRV and motion captured via CoreMotion. Sent over WatchConnectivity to the iPhone for token assembly.

Tier 2

Camera rPPG

CHROM-algorithm remote photoplethysmography from the iPhone front camera via AVFoundation + Vision. Blink detection via ARKit face mesh. No raw video stored or transmitted.

Signal Fusion

Multi-Dimensional Validation

RPPGSignalValidator cross-correlates camera BVP with Watch PPG, HRV coherence, motion envelope, and blink cadence to detect spoofing and assign a trust tier.

ZK Layer

Mopro / ZK-SNARK

A CBOR-encoded biometric payload is committed on-device. A zero-knowledge proof is generated with Mopro (Groth16), attesting humanness without exposing raw signal data.

Relay

Session Relay Server

Stateless Node.js relay bridges the iOS app and the requesting web app. Sessions are keyed by UUID, TTL-expired, and never store biometric data.

Output

Verifiable Human Token

Signed JWT containing the ZK proof, trust tier, timestamp, and DeviceCheck attestation. Verifiable server-side. No PII. No raw biometrics. Revocable.

Market Analysis

Proof of Humanity Verification Landscape

How PulseProof compares across privacy preservation and verification accuracy in the human verification market.

Verification Accuracy
Leaders
Challengers
Visionaries
Niche Players
PulseProof
Cloudflare Turnstile
reCAPTCHA v3
hCaptcha
Arkose Labs
Worldcoin
Humanity Protocol
FingerprintJS
PerimeterX
DataDome
Privacy Preservation
As of May 2026 PulseProof Research