Neural Sensory Protocol v0.5
Brain-computer interfaces produce some of the most sensitive data in existence — raw neural signals that encode thoughts, intentions, and neurological health. Today, most BCI data streams are protected by classical cryptography that a sufficiently powerful quantum computer could break retroactively. This is the Harvest Now, Decrypt Later (HNDL) threat: an adversary records encrypted neural data today and decrypts it years from now when quantum hardware matures.
The Neural Sensory Protocol (NSP) is a wire-level specification designed to close that window. It defines how BCI devices compress, authenticate, encrypt, and sign neural data frames using post-quantum cryptography — ensuring that data captured today remains secure against both classical and quantum adversaries for the lifetime of the device.
NSP builds on four NIST-standardized algorithms:
- FIPS 203 (ML-KEM)
- FIPS 204 (ML-DSA)
- FIPS 205 (SLH-DSA)
- FIPS 197 (AES-256-GCM-SIV)
Together, these provide hybrid key exchange, lattice-based digital signatures, hash-based firmware authentication, and authenticated symmetric encryption — all within the power and bandwidth constraints of implanted and wearable neural devices.
5-Layer Neurosecurity Stack
NSP organizes its security controls into five independent defense layers. Each layer maps to a specific QIF hourglass band and activates based on device tier. The stack is ordered from the outermost environmental monitoring (Layer 5) down to the hardware root of trust (Layer 1).
EM Environment Monitoring
I0 (Neural Interface)Spectral scanning, resonance shield interface
Adaptive Per-User Detection (TTT)
N6 (Neural Semantics)Personalized baseline, test-time training
QI Signal Integrity
N3-N1 (Neural Signal Bands)Per-frame QI scoring, anomaly detection
Hybrid Post-Quantum Key Exchange
S1 (Protocol Security)ECDH + ML-KEM, ML-DSA signatures, AES-256-GCM-SIV encryption
Hardware Root of Trust
S3 (Physical Layer)SPHINCS+-signed secure boot, firmware attestation, TRNG
Device Tiers
Not every BCI device has the same compute budget, risk profile, or regulatory requirements. NSP defines three device tiers — each activating progressively more defense layers as the stakes increase from consumer headbands to surgically implanted neural interfaces.
Consumer
Examples
Consumer EEG headbands, Hobby-grade BCIs
Active Layers
Key Exchange
Hybrid ECDH-P256 + ML-KEM-768
Secure Enclave
Recommended
Clinical
Examples
Endovascular stent-electrodes, Research EEG
Active Layers
Key Exchange
Hybrid ECDH-P256 + ML-KEM-768 (minimum)
Secure Enclave
Required
Implanted
Examples
Cortical implants, Deep brain stimulators
Active Layers
Key Exchange
Hybrid ECDH-P384 + ML-KEM-1024
Secure Enclave
Required (dedicated co-processor)
Power Budget
Implanted BCIs operate on micro-watt budgets. NSP’s entire cryptographic stack — compression, QI scoring, encryption, and signing — must fit within a strict power ceiling to avoid reducing device battery life or increasing thermal dissipation near brain tissue.
3.25%
of 40 mW budget — 1.3 mW total overhead
Reference platform: Representative cortical implant (24.7 mW nominal)
| Operation | Power | Frequency | % of Budget |
|---|---|---|---|
| Delta + LZ4 compression | 0.2 mW | Per sample window | 0.5% |
| QI score computation | 0.5 mW | Per time window (~4 ms) | 1.25% |
| AES-256-GCM-SIV (hw accel.) | 0.1 mW | Per frame | 0.25% |
| ML-DSA-65 sign (amortized) | 0.5 mW | Per frame group | 1.25% |
| Total | 1.3 mW | 3.25% |
Maximum allowed: 5% — current overhead is well within budget.
Why PQC on BCI Is Hard
Post-quantum cryptography was not designed for devices with 40 mW power budgets, no internet connectivity, and 20-year operational lifetimes. Making it work on a brain-computer interface requires solving six distinct engineering problems. Compression alone does not get you there.
Signature Size
SPHINCS+ signatures are 7,856 to 16,224 bytes each. Signing every frame would be prohibitive over BLE. NSP amortizes this cost using Merkle trees: 100 frames are bundled into a binary tree, and only the root is signed. Per-frame cost drops to a single SHA-256 hash. This is an architectural solution, not a compression trick.
Spec: Section 3.6 (Merkle Hash Chain), Section 5.3 (SPHINCS+)
Power Budget
The hybrid key exchange (ECDH + ML-KEM) costs ~2 mW, but only fires at session start. Full SPHINCS+ signing costs ~10 mW but only fires at key rotation (every 30-90 days depending on tier). Steady-state crypto is AES-256-GCM-SIV on already-compressed payloads: ~0.1 mW with hardware acceleration. The pipeline order matters: compress first (3-5x reduction), then encrypt the smaller payload, then sign. Total modeled steady-state overhead: 3.25% of a 40 mW budget (hardware validation pending).
Spec: Section 9 (Power Budget), Section 9.4 (Pipeline Order)
Nonce Reuse After Power Loss
Implanted devices can lose power unexpectedly. Standard AES-GCM catastrophically leaks the authentication key if a nonce is reused. NSP uses AES-256-GCM-SIV (RFC 8452), which provides nonce-misuse resistance: the only information leaked on nonce reuse is whether the same plaintext was encrypted twice. For a device implanted in brain tissue that cannot be physically reset, this property is critical.
Spec: Section 5.4 (AES-256-GCM-SIV)
PKI on an Offline Device
An implanted BCI cannot download certificate revocation lists or query OCSP servers. Post-quantum signatures are 8-16 KB each; CRLs would consume significant bandwidth and battery. NSP delegates revocation checking to a gateway (smartphone or base station) that issues short-lived session credentials. The implant only verifies one signature per session establishment.
Spec: Section 7.4.1 (Gateway-Delegated Revocation)
20-Year Key Lifecycle
The device root key is provisioned at implant surgery and cannot be replaced without a clinical procedure. NSP provides crypto agility (algorithm substitution without re-keying) and monotonic firmware version counters to prevent rollback attacks. Key rotation happens on a 30-day maximum cycle for T3 implants and 90-day for T1/T2. If a key is compromised, forward secrecy from ephemeral session keys ensures past sessions remain protected.
Spec: Section 7 (Key Lifecycle), Section 7.5 (Crypto Agility), Section 7.6 (Rollback Protection)
Traffic Analysis
Even with perfect encryption, BLE packet timing reveals when a user is speaking, moving, sleeping, or having a seizure. This is a privacy catastrophe for neural data. NSP requires T3 (implanted) devices to transmit at a constant rate, padding idle periods with dummy frames, so packet timing carries no information about neural state.
Spec: Section 10.8 (Traffic Analysis)
Bottom line: Compression (Delta+LZ4) is step 1 of the pipeline. The real engineering is signature amortization via Merkle trees, pipeline ordering for power optimization, nonce-misuse resistant encryption, delegated PKI for offline devices, 20-year key lifecycle management, and constant-rate padding against traffic analysis.
Post-Quantum Key Sizes
Post-quantum algorithms trade larger key and signature sizes for resistance to quantum attacks. The table below shows the size cost of migrating from classical to post-quantum primitives — and why NSP uses hybrid schemes that combine both.
Key Exchange
| Property | Classical | Post-Quantum |
|---|---|---|
| Algorithm | ECDH-P256 | ML-KEM-768 |
| Public Key | 65 bytes | 1184 bytes |
| Ciphertext | — | 1088 bytes |
| Shared Secret | 32 bytes | 32 bytes |
Public key size increase: 18.2x
Digital Signatures
| Property | Classical | Post-Quantum |
|---|---|---|
| Algorithm | ECDSA-P256 | ML-DSA-65 |
| Public Key | 65 bytes | 1952 bytes |
| Signature | 72 bytes | 3309 bytes |
Signature size increase: 46x
Hash-Based Signatures
SPHINCS+-SHA2-192s (T2/T3) / 128s (T1)
Public key: 48 bytes
Signature: 16224 bytes
Firmware signing, key rotation, Merkle group sigs (clinical/implant)
Symmetric Encryption
AES-256-GCM-SIV
Key: 256 bits
Nonce: 12 bytes / Tag: 16 bytes
Grover reduces to 128-bit effective. Sufficient per NIST. Nonce-misuse resistant (RFC 8452). Key-committing via Bellare-Hoang transform.
Frame Pipeline
Every neural data frame passes through a fixed five-stage pipeline. The order is non-negotiable: compress first (to reduce ciphertext size), compute the QI integrity score (on raw data, before encryption obscures anomalies), build the frame header, encrypt the payload, then sign the entire frame with a Merkle tree for efficient batch verification.
Why this order? Compressing before encryption avoids ciphertext expansion. Computing QI before encryption ensures anomaly detection operates on plaintext signals. Signing last covers the entire frame — header, ciphertext, and QI score — so any tampering is detectable.
Technical Roadmap
Core Protocol Library (Rust)
Active
Implementation of the nsp crate in Rust for no_std targets. Includes ML-KEM handshake, frame pipeline, and NIST FIPS-standardized crypto wrappers.
Integration & Testing
NextSystem-wide benchmarking and integration with the TARA Atlas for real-time risk assessment and signal integrity validation.
Scientific Audit
25.2x
PQ Implementation Tax
90%
Compression Dividend
< 1
Pages to Breakeven
Audit Conclusion: The mathematical burden of Post-Quantum Cryptography (PQKC) is fully offset by the Runemate compression dividend in fewer than one page load. NSP ensures that BCI security is not just medically necessary, but computationally sustainable.
Specification
The full NSP specification is published as an open RFC-style document covering frame format, handshake protocol, key lifecycle, error handling, and compliance requirements. It is currently in Protocol Core & Handshake Complete status and open for peer review.
Key lifecycle parameters:
Device Lifetime
20 years
Session Key Rotation
30-60s
Key Rotation (T3 / T1-T2)
30d / 90d
Session Ticket (T3)
1h
Session Ticket (T2)
8h
Session Ticket (T1)
24h
The specification is maintained alongside the QIF framework. For the complete document, see the QIF Whitepaper which includes the NSP specification as a companion protocol.
How It All Fits Together
NSP doesn't exist in isolation. It's the wire-level implementation of the QIF security framework, and it's already integrated into Runemate as the encryption layer for neural UI delivery.
Framework
Defines the 11-band hourglass model, threat taxonomy, and NISS scoring. QIF says what to protect and where the attack surfaces are.
Protocol
Implements QIF's security requirements as a wire protocol. Handles the handshake, encryption, signing, and key lifecycle. The handshake is a fixed one-time cost (~10-12 KB); after that, the session is established and every subsequent operation is microseconds of AES-256-GCM-SIV.
Application
The first application built on NSP. Compiles neural UI definitions (Staves DSL) into compact bytecode and encrypts them using the established NSP session. Every stave compile-and-deliver cycle reuses the session key — the post-quantum handshake cost is paid once, amortized to zero.
Collaborate
NSP is active research. The protocol specification, reference implementation, and cryptographic analysis are being developed openly. As this work enters the academic landscape, formal collaboration with neuroscientists, cryptographers, and BCI engineers will further solidify the protocol.
If you're working in post-quantum cryptography, BCI security, neural signal processing, or embedded systems and are interested in contributing, we want to hear from you.
Areas for Collaboration
Formal Security Proof. Security reduction of the NSP handshake in the Bellare-Rogaway model. Mechanized verification (Tamarin/ProVerif) is the gold standard.
Hardware Validation. Power budget benchmarking on real BCI hardware. The spec's 3.25% overhead estimate needs hardware confirmation.
QI Scoring Validation. Testing QI anomaly detection against real neural datasets and adversarial signal injection.
Traffic Analysis Research. Evaluating constant-rate transmission effectiveness against ML-based classifiers on BCI traffic patterns.
Get in touch: Open an issue or start a discussion on GitHub Discussions. The full specification is at NSP-PROTOCOL-SPEC.md.