EPHEMERAL · DECENTRALISED · STATELESS · STRUCTURAL · AUTHENTICATION

Authentication for places authentication can’t reach.

EdSSA — the structural cousin of EdDSA, built for the post-quantum, post-CA era.

AI agents authenticating millions of times per second. Drones in jamming. Satellites between ground passes. Cold-chain shipments through three continents. Industrial sensors that will outlive RSA.

Patent pending · Filed 1 May 2026 · Standards-track for QUIC · Helsinki HQ

The Thesis

The 1995-era certificate authority model is collapsing — from two directions at once.

From above, the pressure is scale. AI agents now authenticate to other AI agents millions of times per second across services they have never met before. Non-human identities already outnumber human ones by more than a hundred to one, and the ratio is doubling roughly every eighteen months. No certificate authority on Earth can issue and validate that volume of credentials in the latency budgets autonomous systems actually run in.

From below, the pressure is reach. Drones operate under jamming. Satellites pass between ground stations. Wind farms sit 80 km offshore. Pharmaceutical containers traverse six handlers across three continents. Industrial sensors deployed today must outlive RSA and ECDSA. Each of these environments breaks the assumption that you can call home to a central authority before doing anything.

EdSSA is a stateless, post-quantum machine-to-machine authentication paradigm that needs no central authority in the hot path. Two computing nodes that have bootstrapped once can keep authenticating each other for years — through link drops, jamming, satellite handoffs, multi-day disconnects, AI-agent fan-out — without ever calling home.

The cryptography is post-quantum from the first handshake. The shared state lives only in volatile memory and never crosses the wire after bootstrap. Verification fits in a single CPU cache line and completes in sub-microsecond time. The protocol is on a standards track for QUIC; the reference implementation is shipping today.

Agentic AI

The scale problem the CA model cannot answer

Millions of agent-to-agent authentications per second, across services that have never met, with no human in the loop to click a consent button. OAuth, JWT and mTLS were not designed for non-human, ephemeral, high-frequency principals.

Harsh conditions

The reach problem the CA model cannot answer

Drone fleets under jamming. Satellite mesh between ground passes. Industrial sensors with twenty-five-year lifetimes. Cold-chain logistics across multi-day transit. Subsea operations with acoustic-only links.

Post-quantum

Designed for 2045, not 2025

Devices and sessions deployed today must outlive RSA and ECDSA. EdSSA bootstraps via NIST-standardised post-quantum primitives and then never transmits a quantum-vulnerable secret over the wire again. Harvest-now-decrypt-later attacks have nothing to harvest.

Sovereign by design

Built in Helsinki, for European critical infrastructure

No dependency on US-controlled key infrastructure. Aligned with EU NIS2, CER, DORA, and emerging post-quantum mandates. Sovereign-grade cryptographic primitives throughout.

A new paradigm

Structural Authentication.

Existing machine-to-machine authentication products fall into two camps: a centralised authority issues tokens and verifies signatures, or two parties exchange a shared secret and rotate it on a schedule. Both depend on something you call home for — a vault, a certificate authority, a key management service, a token-issuer round-trip. When the network is unreliable, contested, saturated, or simply not there, both camps degrade.

Structural Authentication is a third category. Two parties bootstrap once via a post-quantum handshake and derive identical state in volatile memory. From that point forward, each side independently constructs the same ephemeral credential from the shared state and from public ambient inputs — and authenticates the counterparty by matching what was independently constructed. There is no central authority in the hot path. There is no per-request call home. There is no shared message that has to traverse the network for authentication to succeed.

We coined the term because no existing category named what we built. DSSA — the protocol behind EdSSA — is the first family in this paradigm. The patent application “Decentralised Stateless Structural Authentication” (filed 1 May 2026, with continuations rolling through the May 2027 priority window) establishes the umbrella.

What it isn’t

Not a vault. Not a blockchain. Not a PUF.

No centralised credential authority in the per-request path. No multi-node consensus to issue or validate a credential. No dependency on physically-unclonable hardware. The architecture is its own category.

Where it goes next

Standards-track for QUIC.

An Internet-Draft positions EdSSA as a decentralised alternative to TLS 1.3 for the cryptographic layer inside QUIC, the same transport that already powers HTTP/3. Royalty-free for conforming implementations.

Strategy

Open protocol. Commercial reference implementation. Enterprise platform.

The protocol becomes the substrate the ecosystem builds on. The high-performance reference implementation and the operational platform around it are our commercial moat. The patent portfolio sits underneath all three, deepening through continuation filings throughout the priority window.

Protocol

Open, royalty-free, standards-track.

EdSSA-over-QUIC drafted as an IETF Internet-Draft. Royalty-free licensing for conforming implementations under BCP 79. Formal verification with an academic cryptography partner. CFRG presentation track. The protocol belongs to the ecosystem.

Implementation

High-performance, commercial.

Rust reference implementation shipping in named phases. Sub-microsecond verification, cache-resident. Hardware acceleration roadmap (NIC offload, ARM ISA extension). Commercial license for production deployment. This is where the engineering moat lives.

Platform

Enterprise-grade operations.

Fleet management panel. Regulator-grade audit emission (NIS2, DORA, IEC 62443). Compromise recovery and HSM integration. Managed deployment and support. Tiered from a free community edition to datacenter site licences.

Who we work with

Operators in markets that the vault model can't serve.

Agentic-AI platforms · Drone OEMs · Satellite operators · Pharmaceutical logistics · Central banks · Defence integrators · Industrial-edge platforms

Why EdSSA

Built for the operating envelope you actually run in.

Authentication that runs without a network.

Once two nodes have shared a single handshake, neither needs to talk to a third party to authenticate the other ever again. Suitable for environments where a central authority is unreachable for minutes, hours, or weeks — and for agentic AI traffic patterns where calling a token issuer on every request is simply not affordable at scale.

Sub-microsecond verification, in cache.

The verification path is branch-free, allocation-free, and fits in a single CPU cache line. Suitable for environments where a network round-trip to a credential authority is not affordable, and for high-frequency machine-to-machine traffic that AEAD ciphers on modern NIC offload can already saturate.

Post-quantum from the first handshake.

Bootstrapped via NIST-standardised post-quantum primitives. Bootstrap material discarded immediately. The in-memory state evolves cryptographically forward through one-way functions only. Long-lived state never crosses the wire after bootstrap, so harvest-now-decrypt-later attacks have nothing to harvest.

Adaptive resilience without compromise.

Independent design parameters control security level and operational resilience separately. Authentication absorbs transient key-rotation events, ambient-input variances, state transitions and clock drift transparently — without weakening the cryptographic guarantee.

AI agents don’t pause for a token issuer.
Drones don’t get to call home.
Industrial sensors won’t be calling home in 2045.

Let’s talk.
