Three-family post-quantum signatures — Dilithium + FALCON + SPHINCS+ — committed to Bitcoin itself via a 32-byte OP_RETURN write, with a 42-byte compact receipt held off-chain by you. When quantum computing breaks classical ECDSA, your UTXOs will still be provably yours.
A quantum adversary has to break all three — module-lattice, NTRU-lattice, and hash-based — independently. No single algorithmic breakthrough compromises the attestation.
The on-chain commitment is a single 32-byte hash that fits comfortably inside Bitcoin's existing 80-byte OP_RETURN with room to spare. No consensus changes. No hard fork. No soft fork. Deployable on Bitcoin today.
The 32-byte commitment lives in Bitcoin's OP_RETURN forever. Your 42-byte receipt lives wherever you put it. H33 does not need to exist for the attestation to remain valid — Bitcoin's ledger plus your receipt are sufficient to verify.
Bitcoin holders don't want recurring charges on something that needs to be permanent. Pay once for the mint, verifiable forever. The OP_RETURN write is permanent the moment Bitcoin confirms the transaction.
| Tier | Price | Capacity | What you get |
|---|---|---|---|
| Free beta | $0 | 1 UTXO | First 50 holders before May 15, 2026 |
| Single | $49 | 1 UTXO | Bitcoin OP_RETURN permanent · 42-byte receipt to keep · verification for life |
| Wallet | $249 | 50 UTXOs | Bulk attestation from one wallet · dashboard access · batch operations |
| Custody | $2,499 | Unlimited / address | Custody providers · API access · white-label verification pages · SLA on verification uptime |
| Enterprise | Custom | Institutional | Exchanges · sovereign funds · managed receipt custody · multi-region failover |
Not yet. But "yet" is the whole issue. Cryptographically relevant quantum computers are estimated 5–15 years away. When they arrive, every UTXO whose public key has been exposed becomes spendable by the quantum attacker. The window to post-quantum-protect your holdings closes gradually — the earlier you attest, the longer your provable chain of custody before Q-day. Attestation is a hedge, not a cure.
Not attested: If your address has ever signed a transaction (revealing your public key), a quantum attacker who solves the discrete log problem can derive your private key and spend your UTXO.
Attested: You have a cryptographic proof from before Q-day showing that you controlled this specific UTXO at a specific time using post-quantum-secure signatures. In any post-Q-day migration window, this attestation is the evidence that the UTXO belongs to you, not the attacker.
Yes. The attestation is a point-in-time proof of control, not a lock. You can spend, consolidate, or transfer the UTXO normally. The attestation remains valid as historical evidence of your control at the time of attestation. For the new UTXO resulting from the spend, you can attest again.
No. H33 issues the attestation, Bitcoin anchors the 32-byte commitment in its own ledger forever, and you hold the 42-byte compact receipt off-chain. Two independent systems plus your own custody — none of which can be unilaterally taken down. If H33 goes dark tomorrow, the on-chain commitment still exists on Bitcoin and your receipt still validates against it via any licensed verifier.
Taproot's Schnorr signatures are still classical — they rely on the elliptic curve discrete log problem, which is breakable by Shor's algorithm on a sufficiently large quantum computer. Taproot helps with privacy and script efficiency but does nothing to protect against quantum attacks on the signature scheme itself. H33's triple-key approach adds post-quantum signatures alongside your existing classical signature, so both systems must break for your UTXO to be compromised.
Cryptographic diversity. Each of the three NIST-standardized post-quantum families (ML-DSA, FALCON, SLH-DSA) rests on a different mathematical hardness assumption. If a future cryptanalytic breakthrough breaks one family, the other two still hold. This is the same defense-in-depth principle as wearing a seatbelt and having an airbag — redundancy is the point.
32 bytes go on-chain in Bitcoin's OP_RETURN as a hash commitment binding the three-family post-quantum signatures to your specific UTXO. 42 bytes go off-chain in your hands as a compact receipt that lets a verifier check the commitment against the on-chain record. 32 + 42 = 74 bytes of permanent footprint per UTXO. The full ~33 KB raw signature bundle is verified once at mint time and then discarded — only the commitment and the receipt persist. Patent pending — H33 substrate Claims 124–125.
The 42-byte compact receipt is the only thing you need to keep — and at 42 bytes, it fits in a tweet, a password manager, a piece of paper, iCloud, or alongside your seed-phrase backup. Make multiple copies. The on-chain commitment lives in Bitcoin's ledger forever regardless. For users who don't want to be their own custodian of the receipt, the Custody and Enterprise tiers include H33-managed receipt custody as a backup.