How can AI classify a document it cannot read?

H33-Agent-Zero uses CKKS fully homomorphic encryption to perform neural network inference directly on encrypted feature vectors. The document is converted to an embedding on the client side, encrypted with CKKS, and sent to H33 as a ciphertext. The classifier's weights operate as polynomial coefficients in the RLWE ring, computing the inference as a homomorphic operation. The output is an encrypted classification that only the customer can decrypt. At no point does H33 or any intermediate system see the plaintext document.

What is the difference between Agent-Zero and tokenization?

Tokenization requires a system to read the document first in order to identify what needs to be masked or replaced. That reading step is the exposure. H33-Agent-Zero eliminates this entirely. The classifier operates on ciphertexts — it never sees the document, so there is nothing to redact, mask, or substitute. FHE is the enabling technology. The AI IS cryptography — the inference IS a homomorphic computation.

Who defines the document classes and trains the model?

The customer does. H33-Agent-Zero includes a Customer Taxonomy SDK that lets organizations define their own classification labels (e.g., CLIENT_PII, PRIVILEGED_LEGAL, PHI_RESTRICTED), provide labeled training examples, and deploy trained weights. H33 never sees the training data or the taxonomy definitions. The customer retains full control of their classification model.

How is each classification secured?

Every classification is post-quantum attested via H33-74, which uses three independent cryptographic families: ML-DSA-65 (lattice-based), FALCON-512 (NTRU lattice-based), and SLH-DSA (hash-based). Breaking the attestation requires simultaneously breaking three independent hardness assumptions. The attestation is distilled into 74 bytes — 32 on-chain, 42 in Cachee.

Can human reviewers override the AI classification?

Yes. H33-Agent-Zero includes a human override and feedback loop. When a reviewer corrects a classification, that correction feeds back into the customer's private model for retraining. The corrected document remains encrypted throughout this process. Over time, the model improves based on the customer's domain-specific corrections without H33 ever seeing the underlying data.

What are the CKKS FHE performance characteristics?

CKKS FHE on Graviton4: multiply + relinearization at 14,341 microseconds, dot product (4 terms) at 23,636 microseconds, with 4,096 SIMD slots per ciphertext. The Operation Planner reduces unnecessary relinearization by 75-87%, significantly improving throughput for multi-step inference computations.

CKKS FHE • ENCRYPTED CLASSIFICATION

Attested by H33-74 →

The AI That Classifies Documents It Cannot Read.

A compact, customer-trained classifier that runs entirely on encrypted data. The document is encrypted with CKKS FHE before the classifier touches it. At no point does any system — including H33 — see the plaintext.

Schedule Demo → View Docs Get API Key

4,096

SIMD Slots

74B

PQ Attestation

Zero

Data Exposure

3-Key

PQ Signing

The Problem

Every System That "Protects" Your Data Still Reads It

AI copilots ingest contracts. Vendors process financials. Tools scan PII for compliance. Every one of them requires access to your plaintext at some point. That access is the exposure.

📄

AI Copilots Read Everything

Your AI assistant processes every contract, every financial document, every piece of PII in the clear. It has to — that's how language models work. Every inference is an exposure event.

🔍

Compliance Requires Exposure

To classify a document for SOX, HIPAA, or GDPR, you must read it first. Automated classification tools scan plaintext to produce labels. The scan itself is the risk.

🛡️

Tokenization Reads Before Masking

Tokenization replaces sensitive data with tokens so downstream systems don't see it. But someone still had to read the document to decide what to tokenize. That's the window.

How It Works

Document to Policy Tag — Zero Plaintext

The document never decrypts. The classifier's weights operate as polynomial coefficients in the RLWE ring. The inference IS a homomorphic computation. The output IS a ciphertext.

📄

→

Step 1

Document

Customer's document enters the pipeline as a feature vector

🔒

→

Step 2

Encrypt (Client)

CKKS FHE encryption on the client side. 4,096 SIMD slots per ciphertext

🧠

→

Step 3

CKKS Classify

Server runs inference on ciphertext. Neural network weights as RLWE polynomials

✔️

→

Step 4

H33-74 Attest

3-key PQ attestation: ML-DSA-65 + FALCON-512 + SLH-DSA. 74 bytes

🏷️

→

Step 5

Policy Tag

Policy engine receives encrypted classification, produces actionable tag

📨

Step 6

Customer Receives

Customer gets the tag. Server never saw the document. Nothing to leak

Why Tokenization Dies

The AI IS the Cryptography

Tokenization is a band-aid. It requires reading the document to decide what to mask. Agent-Zero never reads the document. FHE is the enabling technology. CKKS lets you run neural network inference on ciphertexts.

Traditional Tokenization

Read, Then Mask

✗ System reads the full document
✗ Identifies sensitive fields in plaintext
✗ Replaces sensitive data with tokens
✗ Downstream systems see tokens, not data
✗ But the tokenizer saw everything
✗ Exposure window exists during tokenization

H33-Agent-Zero

Never Read at All

✓ Document encrypted before transmission
✓ Classifier runs on ciphertexts only
✓ Weights operate as RLWE polynomials
✓ Output is an encrypted classification
✓ Nothing to redact, mask, or substitute
✓ Zero exposure window. Zero.

The classifier's weights operate as polynomial coefficients in the RLWE ring.

The inference IS a homomorphic computation. The output IS a ciphertext. The AI doesn't avoid reading your data — it is mathematically incapable of doing so.

Confidence Output

Three Modes. Customer Controls Disclosure.

The encrypted score vector exists inside the ciphertext, but H33 cannot read it without the customer's boundary decision. Confidence disclosure is optional and customer-controlled.

🎯

DEFAULT

HardClassification

Returns a deterministic policy tag with no probability score. The classifier produces a label, not a confidence interval. This is the default for all deployments.

Document matched Customer Policy Class:
CLIENT_PII

🔐

OPTIONAL

ThresholdProof

Uses TFHE to prove that the classification score exceeded a customer-defined threshold without revealing the score itself. A zero-knowledge proof that the classifier is confident enough.

Classification: CLIENT_PII
Threshold: EXCEEDED
Score: [encrypted]

🔑

OPTIONAL

CustomerDecrypt

The customer decrypts the full score vector at their own boundary. Only the customer holds the decryption key. H33 never sees the probability distribution.

Classification: CLIENT_PII
Confidence: 0.973 (decrypted at customer boundary)

Customer Taxonomy SDK

Your Classes. Your Data. Your Model.

Customers define their own classification taxonomy, train on their own labeled examples, and deploy weights to H33. We never see the training data. We never see the taxonomy. The model is private.

📋

Define Classes

Create your taxonomy: CLIENT_PII, PRIVILEGED_LEGAL, PHI_RESTRICTED, TRADE_SECRET — whatever your business needs

📚

Train on Your Data

Provide labeled training examples. The SDK trains the classifier locally. Training data never leaves your environment

🚀

Deploy Weights

Encrypted weights are deployed to H33 for inference. The weights are RLWE polynomials — unreadable without your key

🔄

Feedback Loop

Human corrections retrain the model. Every override improves accuracy. The corrected document remains encrypted throughout

H33 never sees your training data, your taxonomy, or your documents. The classifier is yours. We just run it on ciphertext.

Use Cases

Encrypted Classification Across Industries

Any industry where documents contain sensitive data and classification is required. Agent-Zero eliminates the exposure that every other classification system accepts as inevitable.

⚖️

Legal

Classify contracts, briefs, and privileged communications without exposing terms, clauses, or client information. Attorney-client privilege never broken by the classifier.

🩺

Healthcare

Tag PHI without touching patient data. Classify medical records, lab results, and clinical notes while maintaining HIPAA compliance at the mathematical level.

🏦

Banking

Detect PII and risk signals in loan applications, transaction records, and customer correspondence without leaking financial data to the classification layer.

📈

Insurance

Evaluate and classify claims documents without exposing the underlying policy details, medical records, or settlement amounts to the AI.

🤖

Enterprise AI

Train private classifiers on proprietary data without giving up the data. Internal document classification that stays internal — cryptographically enforced.

📜

Compliance

Automated document classification for SOX, HIPAA, and GDPR without data exposure. The audit trail is PQ-attested. The document was never read by the classifier.

Technical Specifications

CKKS FHE + Post-Quantum Attestation

Every classification runs on CKKS approximate arithmetic FHE, optimized for ML inference on encrypted vectors. Every output is attested by three independent cryptographic families.

CKKS FHE Parameters

Scheme	CKKS (Approximate Arithmetic)
SIMD Slots	4,096 per ciphertext
Multiply + Relin	14,341 µs
Dot Product (4 terms)	23,636 µs
Hardware	AWS Graviton4 (ARM)
Operation Planner	75-87% relin reduction
Security Basis	RLWE lattice problem

H33-74 Attestation

Attestation Size	74 bytes (32 on-chain + 42 Cachee)
Key 1	ML-DSA-65 (lattice)
Key 2	FALCON-512 (NTRU lattice)
Key 3	SLH-DSA (hash-based)
Security Model	Three independent hardness assumptions
Method	Distillation (not compression)
Patent	Pending — 144 claims

Classification Pipeline

Input	Encrypted feature vector (CKKS)
Default Output	Hard classification tag
Confidence Modes	3 (Hard / Threshold / Decrypt)
Taxonomy	Customer-defined
Training	Customer-side, private
Feedback Loop	Human override + retrain
Plaintext Exposure	None. Zero. Never.

Auto-Tagging Pipeline

Step 1	Document → Feature Vector
Step 2	FHE Encrypt (client-side)
Step 3	CKKS Classify (server, encrypted)
Step 4	H33-74 Attest (3-key PQ)
Step 5	Policy Engine → Tags
Step 6	Customer receives tag
Server Access	Ciphertexts only

Encrypted AI Classification

Classify Without Exposure. Mathematically Guaranteed.

The document never decrypts. The classifier never reads. The attestation is post-quantum. This is what AI security looks like when the AI IS the cryptography.

Schedule Demo → View Pricing API Documentation

Questions? support@h33.ai