Solana Is Now Quantum Resistant. It Just Needs Adoption.

On April 14, we anchored an H33-74 signing message to Bitcoin mainnet. On April 20, we anchored the same signing message to Solana mainnet. Identical bytes. Two different blockchains. Both transactions are live on their respective explorers right now, and anyone with an internet connection can verify that the 32-byte value committed on Bitcoin is the same 32-byte value committed on Solana.

Here are the receipts:

Bitcoin mainnet (April 14, 2026):
TX: 7f8d9ef2d5625d7e3acbc269daac21087ce6b7d77f8e4ec369aabdcdb028b4a7
View on Mempool.space

Solana mainnet (April 20, 2026):
TX: 3xdZyPeWPxfauZ6tVBTiSLjtWV7hCaWEfjeKym6LrEnAktU5fob19ngd8eMS48vQMkT4RkJSowsj4gVwdq14XwW1
View on Solana Explorer

The signing message embedded in both transactions is:

1624756140f31ecd61c19d5c1427f221809a11893257b39bf601684e629d7af3

That hex string is the SHA3-256 hash of an H33-74 primitive. The primitive does not know which chain it was anchored to. It does not care. The same 32 bytes would work on Ethereum, Avalanche, Cosmos, Aptos, or any future blockchain that supports embedding at least 32 bytes of arbitrary data in a transaction. This is what chain-agnostic attestation looks like: not a theoretical compatibility matrix, but two independently verifiable mainnet transactions containing identical cryptographic commitments.

What we did

The workflow was straightforward. We constructed a single H33-74 primitive: a 58-byte canonical commitment containing a version byte, a computation type byte, a 32-byte SHA3-256 content hash, an 8-byte millisecond timestamp, and a 16-byte nonce. We then computed the SHA3-256 hash of that 58-byte primitive to produce the 32-byte signing message. We signed the signing message under the full three-family post-quantum signature bundle (ML-DSA-65, FALCON-512, SLH-DSA-SHA2-128f). And then we anchored that 32-byte signing message to two separate blockchains.

On Bitcoin, we used a Taproot key-path tweak combined with an OP_RETURN output. The signing message was committed directly in the transaction output. No soft fork required. No new opcodes. No protocol modifications of any kind. The Bitcoin network processed it as an ordinary transaction, because that is exactly what it is — an ordinary Bitcoin transaction that happens to carry 32 bytes of post-quantum attestation data.

On Solana, we used a standard Memo instruction. The signing message was included as the memo payload in a standard Solana transaction. Again, no protocol modifications, no custom programs, no special permissions. The Solana runtime processed it as an ordinary memo transaction.

The critical fact: the signing message is identical on both chains. Not "equivalent." Not "derived from the same source." Identical. The same 32 bytes. 1624756140f31ecd61c19d5c1427f221809a11893257b39bf601684e629d7af3 on Bitcoin mainnet. 1624756140f31ecd61c19d5c1427f221809a11893257b39bf601684e629d7af3 on Solana mainnet. A verifier who checks one can check the other. A verifier who checks both sees that they match. The H33-74 primitive that produced this signing message is the same primitive regardless of which chain a verifier chooses to look at.

Why chain-agnostic attestation matters

The post-quantum blockchain conversation has been fragmented by chain specificity. Bitcoin developers build Bitcoin-specific solutions. Solana developers build Solana-specific solutions. Ethereum developers build Ethereum-specific solutions. Each chain has its own scripting model, its own transaction format, its own data embedding conventions. The result is that any post-quantum construction built for one chain is typically unusable on any other chain.

This fragmentation creates real problems for the organizations that need post-quantum attestation the most. A bank operating under OCC guidance does not want to bet its compliance infrastructure on a single chain. A defense contractor subject to CNSA 2.0 requirements cannot assume that the chain it picks today will be the chain its auditors require in five years. A multinational insurer operating across jurisdictions may face regulatory mandates that require attestation on specific ledgers in specific countries. An enterprise building cross-chain DeFi infrastructure needs attestations that are verifiable regardless of which chain a counterparty uses.

Chain-agnostic attestation resolves this. The H33-74 persistent footprint is 74 bytes regardless of chain: 32 bytes on-chain (the signing message) and 42 bytes off-chain (the compact receipt, stored in Cachee). The format is identical whether the on-chain portion lives on Bitcoin, Solana, Ethereum, or any other ledger. The verification procedure is identical. The security properties are identical. The enterprise picks the chain based on the criteria that matter for its use case — Bitcoin for immutability and censorship resistance, Solana for throughput and finality speed, Ethereum for smart contract composability — and the attestation format stays the same.

No protocol modifications are needed on any chain. That point deserves emphasis. H33-74 does not require a soft fork on Bitcoin. It does not require a custom Solana program. It does not require a new Ethereum precompile. It requires only that the chain can store 32 bytes of arbitrary data in a transaction. Every major blockchain satisfies this requirement today.

How it works

The H33-74 primitive is a 58-byte canonical commitment with a fixed wire format:

• 1 byte — version (format evolution)
• 1 byte — computation type (from the append-only registry)
• 32 bytes — content hash (SHA3-256 of the computation output)
• 8 bytes — millisecond timestamp
• 16 bytes — nonce (collision resistance)

The signing message is the SHA3-256 hash of these 58 bytes. That hash is 32 bytes. This is the value that goes on-chain.

The compact receipt is a 42-byte structure stored off-chain:

• 1 byte — version
• 1 byte — signature family bitfield (which PQ families are active)
• 32 bytes — cryptographic commitment to the full signature bundle
• 8 bytes — timestamp

Together: 32 bytes on-chain + 42 bytes off-chain = 74 bytes persistent. This is the H33-74.

The chain anchor is just the 32-byte signing message. The chain does not need to understand H33-74. It does not need to parse the primitive. It does not need to verify the post-quantum signatures. It just stores 32 bytes. The cryptographic meaning of those 32 bytes is entirely external to the chain — it lives in the H33-74 protocol, not in the chain's consensus rules.

This is why chain-agnostic attestation works. The chain is a bulletin board. The H33-74 primitive is the cryptographic object pinned to that bulletin board. Any bulletin board that can hold a 32-byte note is compatible.

On Bitcoin: the 32-byte signing message is committed via Taproot key-path tweak (zero marginal witness weight) or OP_RETURN output. Both methods are standard Bitcoin transactions.

On Solana: the 32-byte signing message is committed via Memo instruction. Standard Solana transaction, no custom program deployment.

On Ethereum: the 32-byte signing message would be committed via calldata or event log. Standard EVM transaction.

On any future chain: the same 32 bytes, embedded via whatever data-carrying primitive that chain provides.

Post-quantum security on every chain

Here is the part that changes the calculus for enterprises evaluating post-quantum blockchain strategies: the chain itself does not need to support post-quantum cryptography.

Bitcoin's transaction signatures are ECDSA and Schnorr. Solana's transaction signatures are Ed25519. Ethereum's are ECDSA over secp256k1. None of these are post-quantum. A sufficiently powerful quantum computer running Shor's algorithm could forge signatures on all three chains. This is the threat that the entire post-quantum blockchain conversation is about.

H33-74 provides post-quantum attestation without requiring the chain to upgrade its signature scheme. The three-family post-quantum signature bundle — ML-DSA-65 (NIST FIPS 204, module-lattice signatures), FALCON-512 (NTRU-lattice signatures), and SLH-DSA-SHA2-128f (NIST FIPS 205, stateless hash-based signatures) — lives entirely off-chain, in the compact receipt and the associated signature data. The chain stores only the 32-byte hash commitment. There is nothing quantum-vulnerable in the 32-byte hash. SHA3-256 pre-image resistance degrades only to 128-bit security under Grover's algorithm, which remains firmly in the intractable range.

What this means in practice: even a chain running entirely classical signatures gets post-quantum attestation through H33-74. The PQ security is a property of the primitive, not a property of the chain. An organization anchoring H33-74 to Bitcoin today gets the same three-family PQ protection as an organization anchoring to Solana or Ethereum or a hypothetical future chain with native PQ signatures. The primitive carries its own security. It does not inherit the chain's vulnerabilities.

The three independent mathematical hardness assumptions — Module Learning With Errors (ML-DSA-65), Short Integer Solution over NTRU lattices (FALCON-512), and hash pre-image resistance (SLH-DSA-SHA2-128f) — mean that forging an H33-74 attestation requires breaking all three simultaneously. A cryptanalytic breakthrough against lattice-based schemes does not compromise the hash-based signature. A breakthrough against hash-based schemes does not compromise the lattice-based signatures. The security degrades gracefully rather than catastrophically. This is NIST Level 1 by default, with Level 5 optional (ML-DSA-87, FALCON-1024, SLH-DSA-SHA2-256f) for applications that require it.

What this means for real applications

Chain-agnostic post-quantum attestation is not an abstract capability. It has immediate, concrete implications for applications that are being built or evaluated right now.

BitBonds and sovereign debt instruments. A custody proof anchored on Bitcoin for immutability, with settlement attestation on Solana for speed. Both attestations share the same H33-74 primitive. An auditor verifying the custody chain on Bitcoin and the settlement chain on Solana sees a single, consistent attestation format across both ledgers. No translation layer. No chain-specific verification tools. One primitive, two chains, same proof.

Cross-chain DeFi. A liquidity provider operating across Bitcoin (via wrapped assets), Solana, and Ethereum can produce a single H33-74 attestation for a position and anchor it to whichever chain the counterparty prefers to verify against. The attestation is not "ported" or "bridged" — it is the same 32 bytes on every chain. Cross-chain verification becomes byte-level comparison, not protocol translation.

Enterprise compliance. A regulated institution can anchor attestations on the chain that its regulators recognize, without rebuilding its attestation infrastructure when regulatory guidance shifts from one chain to another. If OCC guidance favors Bitcoin anchoring for bank custody and MAS guidance favors Ethereum for Singapore-domiciled assets, the same H33-74 primitive serves both — only the anchoring target changes. The FHE-encrypted computation, the verification pipeline, and the PQ signature bundle remain identical.

Insurance and banking audit trails. Auditors verify on whichever chain the institution uses. A global insurer anchoring European attestations to one chain and North American attestations to another still uses the same 74-byte format, the same verification tooling, and the same PQ security properties everywhere. The chain is a deployment detail. The attestation is the constant.

AI inference provenance. A model inference attested by H33-74 can be anchored to the chain most appropriate for the use case — Bitcoin for long-term archival, Solana for real-time verifiability at scale. The provenance record is identical regardless of where it is anchored.

Verify it yourself

Both transactions are on mainnet. Both are publicly accessible. Here is exactly what you will see.

On Bitcoin: Navigate to the Bitcoin transaction on Mempool.space. Look at the OP_RETURN output. The data field contains the signing message: 1624756140f31ecd61c19d5c1427f221809a11893257b39bf601684e629d7af3. This is the SHA3-256 hash of the H33-74 primitive.

On Solana: Navigate to the Solana transaction on Solana Explorer. Look at the Memo instruction data. The memo contains the same signing message: 1624756140f31ecd61c19d5c1427f221809a11893257b39bf601684e629d7af3.

Same bytes. Two chains. The H33-74 primitive that produced this signing message existed before either transaction was broadcast. The primitive does not reference Bitcoin or Solana. It references a computation result via SHA3-256. The chains are witnesses to the same cryptographic fact.

If you want to go further: take the signing message, reconstruct the expected SHA3-256 preimage structure (version + type + content hash + timestamp + nonce), and verify that the hash matches. Then verify the three-family signature bundle against the H33 public key set. The verification is a pure function — no runtime dependency on H33 infrastructure, no API call, no token. Just the bytes and the math.

The design principle

H33-74 was designed from the beginning to be computation-agnostic and chain-agnostic. The computation type byte in the 58-byte primitive selects the domain (biometric authentication, fraud scoring, Bitcoin UTXO, Solana transaction, AI inference, document signing, and others in the append-only registry). The chain anchor is deliberately the simplest possible construction: a 32-byte hash commitment. No chain-specific logic leaks into the primitive. No primitive-specific logic is required from the chain.

This design principle — the primitive carries its own security and does not depend on properties of the anchoring chain — is what makes today's announcement possible. We did not build a "Bitcoin H33-74" and then port it to Solana. We built H33-74, and then pointed it at two different bulletin boards. The pointing is trivial. The primitive is the work.

The persistent footprint is always 74 bytes. On Bitcoin, 32 bytes in an OP_RETURN and 42 bytes in Cachee. On Solana, 32 bytes in a Memo and 42 bytes in Cachee. On Ethereum, 32 bytes in calldata and 42 bytes in Cachee. On a chain that does not exist yet, 32 bytes in whatever data field it provides and 42 bytes in Cachee. The number does not change. The format does not change. The verification does not change.

What comes next

Bitcoin and Solana are the first two mainnet anchors. They will not be the last. Any chain that can embed 32 bytes in a transaction is a candidate, and we will be expanding the set of actively anchored chains based on customer demand and ecosystem readiness. The H33-74 specification, the verification tooling, and the commercial API are live today.

Chain-agnostic post-quantum attestation is no longer a whitepaper claim. It is two mainnet transactions, independently verifiable, carrying identical 32-byte commitments backed by three independent post-quantum signature families. The primitive does not care which chain you choose. It just works.

Read the H33-74 whitepaper for the full specification and security argument. See pricing for API access. Questions: support@h33.ai.