How it works
1. You generate two phrases (or import an encrypted QR).
The phrases remain only on the device: they are not sent to the server and not stored in the cloud.
From these phrases, MAX deterministically derives all module keys
(Login, Chat, Lock, Signature) using Argon2id, HKDF and the MAX engine.
No private key is ever stored on the server.
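As an added illustration of the step-1 derivation chain (example code, not MAX's own engine or format): two phrases are stretched by a password KDF, then HKDF-Expand with a distinct info label per module yields the Login, Chat, Lock and Signature keys, so the keys are deterministic yet separated. The Python standard library ships no Argon2id, so scrypt stands in for it; the salt, the "MAX-v1/" label scheme and the sample phrases are assumptions, and the MAX engine step is omitted.

```python
import hashlib
import hmac

MODULES = ("Login", "Chat", "Lock", "Signature")
# ASSUMPTION: a fixed, constructed salt; a real deployment would store a
# random salt next to the encrypted QR export rather than hard-code one.
SALT = b"max-example-salt-v1"


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract: PRK = HMAC-SHA256(salt, IKM)."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand: T(i) = HMAC-SHA256(PRK, T(i-1) || info || i)."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def master_secret(phrase1: str, phrase2: str, salt: bytes) -> bytes:
    """Stretch the two phrases into one 32-byte master secret.

    ASSUMPTION: scrypt stands in for Argon2id because the Python standard
    library has no Argon2id; both are memory-hard password KDFs and the
    derivation chain around them is unchanged.
    """
    ikm = phrase1.encode("utf-8") + b"\x00" + phrase2.encode("utf-8")
    return hashlib.scrypt(ikm, salt=salt, n=2**14, r=8, p=1,
                          maxmem=64 * 2**20, dklen=32)


def derive_module_keys(phrase1: str, phrase2: str, salt: bytes = SALT) -> dict[str, bytes]:
    """Derive one independent 32-byte key per module from the same phrases.

    A distinct HKDF ``info`` label per module gives module separation: the
    keys are deterministic given the phrases, yet holding one module's key
    reveals nothing about the others (HKDF-Expand outputs are pseudorandom).
    """
    prk = hkdf_extract(salt, master_secret(phrase1, phrase2, salt))
    # ASSUMPTION: the label format "MAX-v1/<module>" is illustrative only.
    return {m: hkdf_expand(prk, b"MAX-v1/" + m.encode("utf-8"), 32) for m in MODULES}
```

The HKDF functions can be checked against RFC 5869 test case 1 before trusting the chain built on them.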
2. SPHINCS+ signatures for login and registration.
When you access a website (MAX Login), the app signs a payload using SPHINCS+ and sends it to the server.
The server verifies the signature but:
- it does not know your phrases,
- it never receives your private key,
- it cannot reconstruct the keys of the other modules.
3. FrodoKEM + MX2 for E2E messages and local encryption.
MAX Chat uses FrodoKEM (post-quantum) for key exchange between devices
and MX2 (XChaCha20-Poly1305 + Argon2id) to encrypt messages.
The server acts as a simple “blind postman”: it forwards encrypted packets that it cannot read.
The MAX Lock vault also uses MX2 locally to protect files and notes.
4. MAX Prime Theory as the mathematical base for identities and signatures.
The MAX engine uses numerical structures derived from the MAX Prime Theory to build
part of the mathematical identity (MAX-ID), ensuring determinism and module separation
and making it impossible for the server to reconstruct the user’s keys.
Everything is verifiable through external tools (even offline) using SPHINCS+ signatures
and exported packets.