Build vs Buy Post-Quantum Encryption: Why $2.1 Billion in FHE and ZK Startups Can't Beat One API Call

The $2.1 Billion Question

Between 2021 and 2026, the post-quantum cryptography startup ecosystem raised over $2.1 billion in venture capital and token sales. Zama alone raised $150 million to build FHE tooling. Aztec raised $180 million for zero-knowledge proofs. Polygon committed over $1 billion of its treasury to ZK development. Succinct, RISC Zero, Duality, Enveil, Fabric Cryptography, Niobium, Octra, Mind Network — the list stretches across dozens of companies, thousands of engineers, and millions of GPU-hours.

The question every CEO, CTO, and CISO should be asking: what did $2.1 billion buy?

Here's the honest answer: slower systems, running on more expensive hardware, that do less than what a single API call to H33 accomplishes in 38.5 microseconds.

The GPU Trap

The dominant strategy in FHE and ZK is to throw GPUs at the problem. Zama's TFHE-rs achieves its best throughput on 8x NVIDIA H100 GPUs — a cluster that costs $200,000-280,000 to purchase or $24-32 per hour to rent. Succinct's SP1 prover requires 16x RTX 5090 GPUs for real-time Ethereum block proving. RISC Zero needs approximately $120,000 in GPU hardware for near real-time proving.

The fundamental issue isn't just cost — it's economics at scale.

An H100 GPU costs $25,000-35,000 to purchase and $3-10 per hour to rent in the cloud. A team of cryptography engineers to build and maintain GPU-accelerated FHE or ZK systems costs $400,000-600,000 per engineer per year (fully loaded, with the PhD tax). A mid-sized team of 20 cryptographers — which is small by industry standards — represents $8-12 million per year in labor alone, before you buy a single GPU.

The math is not close. It's not even in the same universe. Building an in-house post-quantum cryptography pipeline costs 500-800x more than calling an API, produces worse latency, requires specialized hardware, and takes years instead of an afternoon.

Why the Industry Went Down This Path

If the API approach is so obviously better, why did $2.1 billion flow into companies building from scratch?

First, the academic incentive structure. FHE and ZK cryptography originated in universities where publication — not production deployment — is the success metric. The researchers who founded these companies carried the assumption that the hard problem was the cryptography itself. They optimized for algorithmic novelty, not for production throughput. That's how you end up with teams of 200 PhDs producing systems that can't match a single Rust binary on an ARM CPU.

Second, the GPU assumption. When FHE operations are inherently slow, the obvious solution is parallel hardware. GPUs offer massive parallelism. This is correct in theory and catastrophic in practice. GPU-accelerated FHE creates a dependency on hardware that costs $25,000-35,000 per unit, requires specialized hosting, has a 12-18 month procurement cycle, and makes your cryptographic infrastructure cost-prohibitive at scale. You've traded one hard problem (slow cryptography) for a harder one (expensive infrastructure that scales linearly with demand).

Third, cognitive dissonance. This is the one that kills companies. When you've raised $150 million, hired 200 engineers, and spent three years building a GPU-accelerated FHE system, the last thing you want to hear is that someone achieved the same result with Montgomery NTT optimizations on a $2/hour ARM CPU. The sunk cost isn't just financial — it's emotional, reputational, and structural. Entire organizations are built around the assumption that the problem requires the approach they chose. Admitting otherwise means admitting the foundation was wrong.

The Performance Gap Is Not Closing

Some will argue that GPU-accelerated approaches will eventually match CPU-optimized ones. The data says otherwise.

H33 runs the full post-quantum authentication pipeline — BFV fully homomorphic encryption, ZK-STARK proof generation, Dilithium digital signature, and three ML threat detection agents — in 38.5 microseconds. On a single ARM CPU. No GPU. Zama's best single bootstrap on an H100 is 800 microseconds, and that's just one gate-level operation — not a complete authentication flow.

The reason the gap won't close is architectural, not incremental. H33's performance comes from years of algorithmic optimization at the NTT level — Montgomery radix-4 with Harvey lazy reduction, NTT-domain fused inner products, pre-computed twiddle factors in Montgomery form, batch CBD sampling, NEON-accelerated Galois operations. These optimizations compound multiplicatively. They can't be replicated by throwing more GPUs at unoptimized algorithms.

GPU parallelism helps when the bottleneck is parallelizable computation. In FHE, the bottleneck is memory access patterns, cache utilization, and reduction arithmetic — all of which favor tight single-threaded code on CPUs with large caches over GPUs with high-throughput but high-latency memory hierarchies.

What CEOs Actually Need to Decide

Strip away the cryptography jargon and this is a straightforward build-vs-buy decision. The variables are cost, time, capability, and risk.

Cost: Building in-house costs $9-13 million per year minimum. The H33 API costs $14,988 per year for 25,000 authentications per month — the Growth plan. For most enterprises, this is the difference between a budget line item and a capital expenditure that requires board approval.

Time: Building from scratch takes 18-36 months to reach production quality, assuming you can hire the cryptographers (there are perhaps 500 qualified FHE engineers on the planet). The H33 API takes an afternoon to integrate. One REST call. SDKs for Python, Node, Rust, Go.

Capability: The in-house approach gives you exactly the cryptographic primitives your team can build. The API approach gives you FHE (4 engine variants), ZK-STARK proofs, Dilithium signatures, Kyber key exchange, encrypted biometric matching, threshold decryption, and three ML threat agents — all NIST FIPS 203/204 compliant, all running in a single API call.

Risk: A homegrown cryptographic system is a perpetual audit liability. Every line of cryptographic code is a potential vulnerability. Every parameter choice is a potential weakness. H33's implementation has been through independent cryptographic parameter review (10 findings, all published and resolved), 2,227 passing tests, and continuous benchmarking on production hardware.

The Cognitive Dissonance Problem

The hardest part of this decision is not the math. The math is obvious. The hardest part is admitting that the investment already made — in team, in infrastructure, in organizational identity — was the wrong approach.

This is not a criticism of the engineers at Zama, Duality, Enveil, or any other FHE company. They are brilliant cryptographers solving genuinely hard problems. The criticism is of the strategic assumption that every company needs to solve these problems themselves.

When electricity was first commercialized, factories built their own generators. When cloud computing emerged, companies ran their own data centers. In every case, the build-your-own approach was eventually replaced by a utility model — not because the builders were wrong, but because the economics of specialization always win at scale.

Post-quantum cryptography is reaching that inflection point. The question is not whether companies will switch from building to buying — it's whether your company will do it before or after your competitors.

One API Call

H33 runs the only complete post-quantum authentication pipeline at internet scale: 2.17 million authentications per second, 38.5 microseconds per auth, zero classical cryptography in the hot path, NIST FIPS 203/204 compliant.

One REST call. No GPUs. No PhD cryptographers. No $12 million annual infrastructure budget.

The decision should take less time than the API call itself.

← Back to Blog   ·   View Pricing →   ·   See Benchmarks →