Ephemeral · Decentralised · Stateless · Structural · Authentication

Authentication for places authentication can’t reach.

EdSSA — the structural cousin of EdDSA, built for the post-quantum era.
Drones in jamming. Satellites between ground passes. Cold-chain shipments through three continents. Industrial sensors that will outlive RSA.

Patent pending · Filed 1 May 2026 · Helsinki HQ · EdSSA.io

The Thesis

Centralised credential vaults don’t reach Mars.

Or low Earth orbit. Or a drone swarm under jamming. Or a wind farm 80 km offshore. Or a sealed pharmaceutical container traversing six handlers across three continents. Yet every existing M2M authentication product assumes you can call home to a central authority — that the network is always there, that the auth server always responds, that the cryptography you choose today will still be unbroken in 2045.

EdSSA Nano is a stateless, post-quantum machine-to-machine authentication protocol that needs no central authority in the hot path. Two computing nodes that have spoken once can keep authenticating each other for years — through link drops, jamming, satellite handoffs, multi-day disconnects — without ever calling home. The cryptography is post-quantum from the first handshake. The state lives only in volatile memory. The verification fits in a single CPU cache line.

Harsh conditions

Where vault-based auth doesn't reach

Drone fleets under jamming. Satellite mesh between ground passes. Industrial sensors with twenty-five-year lifetimes. Cold-chain logistics across multi-day transit. Subsea operations with acoustic-only links.

Post-quantum

Designed for 2045, not 2025

Devices deployed today must outlive RSA and ECDSA. EdSSA Nano bootstraps via post-quantum primitives standardised by NIST and discards the bootstrap material immediately, so even a future quantum break of the handshake cannot compromise active authentication state.

Sovereign by design

Built in Helsinki, for European critical infrastructure

No dependency on US-controlled key infrastructure. Aligned with EU NIS2, CER, and emerging post-quantum mandates. Sovereign-grade cryptographic primitives throughout.

A new paradigm

Structural Authentication.

Existing M2M authentication products fall into two camps: a centralised authority issues tokens and verifies signatures, or two parties exchange a shared secret and renew it on a schedule. Both depend on something you call home for — a vault, a certificate authority, a key management service. When the network is unreliable, contested, or simply not there, both camps degrade.

Structural Authentication is a third category. Two parties bootstrap once via a post-quantum handshake and derive identical state in volatile memory. From that point forward, each side independently constructs the same ephemeral credential from the shared state and from public ambient inputs — and authenticates the counterparty by matching what was independently constructed. There is no central authority in the hot path. There is no per-request call home. There is no shared message that has to traverse the network for authentication to succeed.

We coined the term because no existing category named what we built. DSSA — the protocol behind EdSSA — is the first family in this paradigm. The patent application “Decentralised Stateless Structural Authentication” establishes the umbrella.

What it isn’t

Not a vault. Not a blockchain. Not a PUF.

No centralised credential authority in the per-request path. No multi-node consensus to issue or validate a credential. No dependency on physically unclonable hardware. The architecture is its own category.

Why EdSSA

Built for the operating envelope you actually run in.

Authentication that runs without a network.

Once two nodes have shared a single handshake, neither needs to talk to a third party to authenticate the other ever again. Suitable for environments where a central authority is unreachable for minutes, hours, or weeks.

Sub-microsecond verification, in cache.

The verification path is branch-free, allocation-free, and fits in a single CPU cache line. Suitable for environments where a network round-trip to a credential authority is not affordable.

Post-quantum from the first handshake.

Bootstrapped via NIST-standardised post-quantum primitives. Bootstrap material discarded immediately. The in-memory state evolves cryptographically forward through one-way functions only.

Adaptive resilience without compromise.

Independent design parameters control security level and operational resilience separately. Authentication absorbs transient ratchet ticks, oracle hiccups, schema transitions, and clock drift transparently — without weakening the cryptographic guarantee.

Drones don’t get to call home.
Satellites don’t get to call home.
Industrial sensors won’t be calling home in 2045.

Let’s talk.