Technical Deep Dive

How HexaEight Works

Four cryptographic primitives that give AI agents, humans, and IoT devices a verifiable identity, with no PKI, no key exchange, and no coordination required.

Dead Drop Encryption

Encrypt Without the Recipient Online

What Dead Drop Encryption Means

In a traditional spy "dead drop," one agent leaves a message in a hidden location, the other picks it up later, with no meeting required. HexaEight works the same way, but cryptographically.

Alice can encrypt a message to Bob without Bob being online, without Alice having Bob's public key, and without them ever coordinating. The message never passes through HexaEight at any point. HexaEight only provides the keys used to lock and unlock the box.

Bob can be offline right now, not yet deployed, or even a future agent that doesn't exist yet. When he comes online and authenticates, he decrypts. HexaEight was never in the message path.

Phase 1: Registration (Alice ↔ Platform ↔ Bob)
• Alice: Registers with HexaEight. Sets her own password. → Alice's Login Token
• Bob: Registers with HexaEight. Sets his own password. → Bob's Login Token
Phase 2: Alice Requests Bob's Shared Keys
Alice sends:
1. Her Login Token
2. Proof she knows her password, by encrypting her request to the platform
Platform tries to decrypt the request:
• Fails → DENIED
• Succeeds → OK
Platform returns (encrypted): Bob's ASK Bundle
ASK = Asymmetric Shared Key, unique to Bob's identity, freshly generated on every request. Rotates every 15 minutes.
Phase 3: Encryption (runs locally on Alice's device)
• Alice's Identity Keys: Computed from her password via SHAKE-256. Never leave her device.
+
• Bob's ASK Bundle (from platform): Bob's Asymmetric Shared Keys
↓ How the ciphertext is formed ↓
Encrypted message = f( Alice's Identity Keys, Bob's ASK Bundle )
Alice encrypts using her Identity Keys + Bob's ASK Bundle.
Bob decrypts using his own Identity Keys + Alice's ASK Bundle (provided by platform).
The platform can never decrypt, by design.
Encrypted messages pass directly between Alice and Bob; the platform is never in that path.
Phase 4: Async Delivery & Decryption
📦 Encrypted Message, stored anywhere:
• Queue / Message Bus
• Database / File
• Webhook / Email
Bob:
• Authenticates same way
• Gets Alice's Shared Keys
• Decrypts ✓
Bob can be offline, not yet deployed, or a future agent. Decrypts whenever ready.
Platform Protection
Alice's request to the platform is encrypted the same way her message to Bob is. HexaEight's own security relies on HexaEight.
Password Never Stored
No password is stored anywhere, not even on HexaEight's servers. A stolen token is useless without the password.
Not IBE
IBE gives the platform a master private key. HexaEight has no master key. The platform is mathematically unable to decrypt any message.
Multi-Agent

Agent-to-Agent Encrypted Communication

One Identity, Many Workers
HexaEight License (one hostname identity): billing-agents.mycompany.com
↓ one license covers all workers ↓
• Worker 1: same identity
• Worker 2: same identity
• Worker 3: same identity
• Worker N: same identity
Encrypted Task Routing
🔀 Router Agent: Encrypts a task specifically for the target worker identity
encrypt("process invoice #4521", for: "invoice-worker")
↓ broadcasts to shared channel ↓
Message queue / database / webhook: all workers see this
[ 3a9f2c... encrypted payload ...8d1e ]
↓ each worker attempts to decrypt ↓
• Worker 1: Wrong identity → decryption fails → skips task
• Invoice Worker ✓: Correct identity → decrypts OK → claims & processes
• Worker 3: Wrong identity → decryption fails → skips task
Natural Load Balancing
Workers compete to decrypt. Whoever gets it first processes it. No central dispatcher or extra infrastructure needed.
Zero Trust Channel
An intercepted message stays fully encrypted. Only the intended worker identity can ever read the task.
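
The skip-or-claim behaviour in the routing diagram depends on decryption failing detectably, and on same-identity workers not both processing one task. An added example, not HexaEight's code or API: a stand-in encrypt-then-MAC construction (SHAKE-256 keystream, HMAC-SHA512 tag) replaces the real scheme, each identity is modelled as a hypothetical 32-byte key, and the `claimed` set stands in for an atomic claim in the shared queue or database.

```python
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 64


def _material(key, nonce, n):
    # Stand-in derivation: 64-byte MAC key followed by an n-byte keystream.
    out = hashlib.shake_256(key + nonce).digest(TAG_LEN + n)
    return out[:TAG_LEN], out[TAG_LEN:]


def seal(key, plaintext):
    """Encrypt-then-MAC under a 32-byte per-identity key (illustrative only)."""
    nonce = os.urandom(NONCE_LEN)
    mac_key, stream = _material(key, nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha512).digest()
    return nonce + ct + tag


def try_open(key, blob):
    """Return the plaintext, or None when the tag does not verify for this key."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    mac_key, stream = _material(key, nonce, len(ct))
    want = hmac.new(mac_key, nonce + ct, hashlib.sha512).digest()
    if not hmac.compare_digest(tag, want):
        return None  # wrong identity or modified payload: skip, never use the bytes
    return bytes(c ^ s for c, s in zip(ct, stream))


class Worker:
    def __init__(self, name, identity_key):
        self.name, self.key = name, identity_key

    def poll(self, channel, claimed):
        """Scan the shared channel; return tasks this worker decrypted and claimed."""
        taken = []
        for msg_id, blob in channel:
            task = try_open(self.key, blob)
            if task is None or msg_id in claimed:
                continue  # not for this identity, or a same-identity worker got it first
            claimed.add(msg_id)  # stand-in for an atomic claim in the real queue/database
            taken.append(task)
        return taken
```

Without the tag check, a worker holding the wrong key would get garbage bytes back rather than a failure, so the "decryption fails → skips task" branch only exists when the ciphertext is authenticated.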
JWT Signing

Sign. Prove. Verify Free.

Signing Pipeline
1. 📄 Source Content: Document, API response, contract, claim
2. 🔢 SHA-512 Hash: 512-bit fingerprint of the content
3. 🔏 Sign: HexaEight credentials (Login Token + password)
4. 🎫 JWT Token: Who + when + content proof
Inside the JWT
header.payload.signature
// header: algorithm declaration
{ "alg": "HexaEight-SHA512", "typ": "JWT" }
// payload: identity + timestamp + content fingerprint
{ "iss": "[email protected]", "iat": 1735000000,
  "content_hash": "sha512:3d4a9f2e..." }
// signature: HexaEight-bound, self-verifiable
K3mP9xR2qT...self-contained proof...
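
The payload layout above lets a recipient confirm that a received document is the one the token fingerprints, and reject an unexpected `alg` or a stale `iat`. An added example, not HexaEight's code: it assumes standard base64url JWT segments and that `content_hash` is `sha512:` plus the full lowercase hex digest; the function names and sample issuer are constructed, and the signature segment is not verified here because the page does not describe its algorithm.

```python
import base64
import hashlib
import hmac
import json
import time

EXPECTED_ALG = "HexaEight-SHA512"  # header value shown on the page


def b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def check_content_binding(token, content, max_age_s, now=None, skew_s=60):
    """Return the payload if header, content hash and age are acceptable.

    Raises ValueError otherwise. The signature segment is NOT verified here.
    """
    parts = token.split(".")
    if len(parts) != 3 or not all(parts):
        raise ValueError("expected header.payload.signature")
    header = json.loads(b64url_decode(parts[0]))  # malformed input raises ValueError
    payload = json.loads(b64url_decode(parts[1]))
    if not isinstance(header, dict) or not isinstance(payload, dict):
        raise ValueError("header and payload must be JSON objects")
    if header.get("alg") != EXPECTED_ALG or header.get("typ") != "JWT":
        raise ValueError("unexpected alg/typ")  # pin the algorithm, never trust the token's
    # Assumed encoding: "sha512:" + lowercase hex of the full digest.
    expected = "sha512:" + hashlib.sha512(content).hexdigest()
    claimed = payload.get("content_hash")
    if not isinstance(claimed, str) or not hmac.compare_digest(
            claimed.encode(), expected.encode()):
        raise ValueError("content does not match content_hash")
    iat = payload.get("iat")
    now = int(time.time()) if now is None else now
    if type(iat) is not int or iat > now + skew_s or now - iat > max_age_s:
        raise ValueError("iat missing, in the future, or too old")
    return payload


def make_sample_token(content, iss, iat):
    """Constructed sample: page's header/payload layout, placeholder signature."""
    header = {"alg": EXPECTED_ALG, "typ": "JWT"}
    payload = {"iss": iss, "iat": iat,
               "content_hash": "sha512:" + hashlib.sha512(content).hexdigest()}
    enc = lambda obj: b64url_encode(json.dumps(obj).encode())
    return ".".join([enc(header), enc(payload), "PLACEHOLDER-SIGNATURE"])
```

A passing result only shows that the token and document are consistent with each other; who signed it still rests on verifying the third segment with HexaEight's verifier.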
The Free Verification Network Effect
Signer (customer):
• One HexaEight license
• $99/month flat rate
• Unlimited signatures
• No per-call metering
→ JWT → distribute freely
Any Recipient (always free):
• No HexaEight account needed
• Verify completely offline
• No API calls, no PKI
• Free forever
Post-Quantum

Why Hash-Based Cryptography Beats RSA and ECC

The Quantum Threat
RSA / ECC (Classical)
Security depends on:
• Integer factorization (RSA)
• Discrete logarithm (ECC)
Shor's Algorithm solves both in polynomial time on a quantum computer. All RSA/ECC encryption becomes retroactively breakable.
HexaEight SHAKE-256
Security depends on:
• Pre-image resistance of SHAKE-256
• No algebraic structure to exploit
Shor's Algorithm has no target. Only Grover's applies, which provides a quadratic speedup. SHAKE-256 with 256-byte output provides ~1024-bit quantum security (4× NIST Level 5).
Security Level Comparison
Algorithm | Quantum security | vs NIST Lvl 5
RSA-2048 | Broken by Shor's algorithm | Broken
AES-128 | ~64-bit quantum security | Below
NIST Level 5 threshold | 256-bit quantum security | Baseline
HexaEight SHAKE-256 | ~1024-bit quantum security (4× NIST L5) | Exceeds ✓
Independent AI Cryptanalysis (6 models)
ChatGPT o1 · 7/10
"Started at 2/10, convinced it was broken. Attempted multiple attacks, withdrew each one upon analysis. Final verdict: 7/10."
Gemini 2.5 Pro · 9.2/10
"A genuinely novel solution for the AI Agent Era. SHAKE-256 hash-based approach provides genuine quantum resistance. No structural attack vector identified."
Claude Opus 4.5 · 6.5/10
"Platform trust model is mathematically sound. The platform genuinely cannot decrypt. No passwords means no decryption, period."
Mistral Large · 8.5/10
"Succeeds in its core mission: quantum-resistant, PKI-free encryption for AI agents. The core security reduces to SHAKE-256: NIST-approved and quantum-resistant."
Grok 3.5 (Thinking) · 6.5/10
"Well-engineered niche architecture that elegantly solves real deployment problems for AI/agent swarms: no PKI, different per-party passwords, platform cannot decrypt."
GLM-5-Turbo · 7.5/10
"The system is very well thought out for its intended use case. Cryptographic primitives are composed to fit a specific operational constraint: eliminating PKI."
All six conversations are public. See the AI Cryptanalysis section on the homepage for direct links to each transcript.
Built To Be Read By Agents

You just read the architecture.
Now your AI agent can implement it.

/llms.txt is the machine-readable index of every endpoint, install command, and pattern. Drop the URL into Claude Code, Cursor, or GitHub Copilot. It writes the integration.


Ready to Deploy?

Self-install per identity or deploy a Marketplace VM. Three license modes, monthly pricing only.
