City of Hats

City of Hats — Secure Channels

End-to-end encrypted communication built entirely in-house. No third-party dependencies. No metadata collection. No trust required.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

SECURE CHANNELS
Create anonymous hat identities and pair them into encrypted two-way channels. Messages are protected with X25519 + ML-KEM-768 hybrid key exchange and AES-256-GCM encryption. Forward secrecy via Signal Double Ratchet protocol. No message history stored on our servers — ever.

DEAD DROPS
Send encrypted files and messages as self-destructing drops with time-lock expiry. Recipients retrieve them with a one-time code. Contents burn after retrieval or expiration. Full lifecycle controls: burn-after-read, limited retrievals, auto-destroy timers, and time-locked delivery.

GHOSTFRAME — ENCRYPTED STEGANOGRAPHY ★ PREMIUM
Hide AES-256-GCM encrypted messages inside ordinary images. Share the image through any platform — email, cloud storage, or messaging apps. The image looks completely ordinary. Only City of Hats Premium can decrypt what's inside. Our hybrid token architecture remains intact across WhatsApp, LINE, and other image-sharing platforms. Set access control: anyone with Premium or locked to a specific Hat identity. Full lifecycle: burn-after-read, time-lock, auto-destroy.

ECHODROP — VOICE-TRIGGERED RETRIEVAL ★ PREMIUM
Create encrypted messages retrieved by speaking a secret passphrase. Voice processing occurs locally on your device using the Web Speech API — only a hash of the resulting text is sent for verification. PBKDF2 key derivation with high iteration count (600,000+). Full lifecycle: burn-after-read, retrieval limits, time-lock, auto-destroy. Read Aloud option speaks decrypted messages on-device. System-generated passphrases or custom — your choice.

SEALED TIPS
One-way anonymous intake for whistleblowers, journalists, and sources. Submit tips to an organization's intake hat — no identity, no trace, no reply channel.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

ZERO THIRD PARTIES
All cryptography, authentication, and infrastructure is owned and operated by City of Hats. No AWS. No Firebase. No external auth providers. Passkey, Google, and native authentication options available.

POST-QUANTUM READY
Hybrid key exchange combines classical X25519 with ML-KEM-768 lattice-based cryptography to protect against future quantum threats. Your messages are secured against both current and future adversaries.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

CITY OF HATS PREMIUM
Unlock advanced capabilities: GhostFrame encrypted steganography, EchoDrop voice-triggered retrieval, Resident Hat persistent identity, and priority support. Manage your subscription directly in the app via Stripe.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

PRIVACY BY DESIGN
• Client-side AES-256-GCM encryption for all message types
• Zero-knowledge architecture — we cannot read your messages
• No metadata logging on our servers
• On-device voice processing for EchoDrop
• Burn-after-read with permanent server-side deletion
• No sender-recipient linking
• GDPR, PIPEDA, and Thailand PDPA aligned
• Public Warrant Canary for transparency

SECURITY ARCHITECTURE
• X25519 + ML-KEM-768 hybrid key exchange
• Signal Double Ratchet forward secrecy
• AES-256-GCM authenticated encryption
• PBKDF2 key derivation for voice passphrases
• LSB steganography with hybrid token architecture
• SHA-256 hash-only server storage for passphrases
• Client-side tamper-evident crypto audit log

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Built for journalists, legal teams, compliance departments, financial institutions, healthcare providers, and anyone who needs communication that leaves no trace.

https://cityofhats.com