Why do you need three post-quantum algorithms instead of one?

NIST standardized three families of post-quantum algorithms, each based on a different mathematical hardness assumption: lattice problems (ML-KEM, ML-DSA), NTRU lattice problems (FALCON), and hash function security (SLH-DSA). If a breakthrough breaks one assumption, the others remain secure. Running a single algorithm is a bet on one mathematical problem. Running three is insurance against cryptanalytic breakthroughs.

What is three-key signing and how does it work?

Three-key signing produces nested signatures from three independent post-quantum families. ML-DSA signs the message first. FALCON signs over the message concatenated with the ML-DSA signature. SLH-DSA signs over everything. Verification checks all three independently. If any single family is broken by a future cryptanalytic advance, the remaining two still authenticate the message.

How does H33-74 compress three PQ signatures into 74 bytes?

The three ephemeral signatures total approximately 21KB. H33-74 compresses this to 74 bytes (32 bytes on-chain, 42 bytes in Cachee) via the substrate patent. The full signatures are verified at attestation time, then a cryptographic commitment anchors the result. The permanent record is 74 bytes. The ephemeral signatures are large but transient. This achieves 285x compression.

How do you migrate from RSA/ECDSA to post-quantum key management?

You do not rip and replace. The migration path adds PQ keys alongside existing RSA or ECDSA keys. During the transition period, both classical and post-quantum signatures are generated and verified. Verifiers check both. When confidence in the PQ stack is established and classical algorithms are deprecated, you drop the classical keys. H33's hybrid approach supports this with zero downtime and no flag day.

← Blog

April 28, 2026 · Engineering

Post-Quantum Key Management: The Three-Key Problem

NIST standardized three families of post-quantum algorithms. Each rests on a different mathematical hardness assumption. If one family breaks, the others hold. Running one algorithm is a bet. Running three is insurance. Here is how three-key signing works, why key hierarchies matter, and how 74 bytes anchor the entire system.

One Algorithm Is a Single Point of Failure

The most common mistake in post-quantum migration is picking one algorithm and deploying it everywhere. ML-DSA for signatures. ML-KEM for key exchange. Done. Ship it.

That approach replaces one single point of failure (RSA or ECDSA, both breakable by Shor's algorithm) with another single point of failure (lattice-based cryptography, breakable if the Module Learning With Errors problem falls). You have not eliminated the structural risk. You have moved it.

NIST did not standardize one algorithm. NIST standardized three families, deliberately chosen to rest on independent mathematical foundations:

Lattice-based (MLWE): ML-KEM (FIPS 203) for key encapsulation, ML-DSA (FIPS 204) for digital signatures. Both rely on the hardness of structured lattice problems over polynomial rings.
NTRU lattice-based: FALCON (selected in Round 3, standardization in progress). Relies on the hardness of short integer solution problems over NTRU lattices — a related but distinct mathematical structure from MLWE.
Hash-based: SLH-DSA (FIPS 205), formerly SPHINCS+. Security reduces entirely to the collision resistance and preimage resistance of the underlying hash function. No algebraic structure. No lattice. No number theory. Just hashing.

The point is not that any single family is weak. Each passed years of NIST evaluation. The point is that cryptanalysis is unpredictable. Lattice cryptography is younger than RSA was when it was deployed at scale. A breakthrough against MLWE — however unlikely — would break ML-KEM and ML-DSA simultaneously. But it would not touch SLH-DSA, which has nothing to do with lattices. And it would not break FALCON, whose NTRU structure requires a different attack strategy even though both involve lattices.

Three families. Three independent mathematical bets. Breaks if and only if MLWE lattices, NTRU lattices, and stateless hash functions are simultaneously broken. That is the security model.

This is not theoretical caution. The history of cryptography is a history of confident assumptions that turned out to be wrong. MD5 was secure until it was not. SHA-1 was secure until it was not. Dual_EC_DRBG passed NIST standardization and had a backdoor. The lesson: never bet everything on one mathematical assumption, no matter how confident the community is today.

The Three Families

Each family offers different tradeoffs in key size, signature size, signing speed, and verification speed. Understanding these tradeoffs is essential for designing a key management system that uses all three without creating a performance bottleneck.

Property	ML-DSA-65	FALCON-512	SLH-DSA-SHA2-128f
Standard	FIPS 204	Round 3 (pending)	FIPS 205
Hardness assumption	MLWE lattice	NTRU lattice	Hash only
Public key size	1,952 bytes	897 bytes	32 bytes
Signature size	3,309 bytes	690 bytes	17,088 bytes
Sign time (Graviton4)	~0.12 ms	~0.8 ms	~8.5 ms
Verify time (Graviton4)	~0.05 ms	~0.1 ms	~0.4 ms
NIST security level	Level 3	Level 1	Level 1

ML-DSA-65 is the workhorse. Fast signing, fast verification, moderate sizes. It is the default choice for high-throughput attestation where you need millions of signatures per second. The lattice structure allows efficient batch operations.

FALCON-512 has the most compact signatures — 690 bytes versus 3,309 for ML-DSA. The tradeoff is implementation complexity: FALCON requires high-precision floating-point sampling during key generation and signing, which makes constant-time implementation harder. It occupies a distinct mathematical niche from ML-DSA because NTRU lattices have different algebraic structure than MLWE lattices.

SLH-DSA-SHA2-128f is the conservative anchor. Its signatures are large — 17KB — and signing is slow relative to the lattice schemes. But its security rests on the most battle-tested assumption in all of cryptography: hash functions work. No algebraic structure to attack. No polynomial rings. No number theory. If SHA-256 is collision-resistant and preimage-resistant, SLH-DSA is secure. That simplicity is the point.

Three-Key Signing: How It Works

Three-key signing is not three independent signatures stapled together. It is a nested construction where each layer signs over all previous layers, creating a chain of commitments that cannot be selectively peeled apart.

The signing procedure:

Layer 1 — ML-DSA. Sign the message M with ML-DSA-65 to produce signature S1. This is the fast path. ML-DSA dominates throughput in batch scenarios.
Layer 2 — FALCON. Sign the concatenation M || S1 with FALCON-512 to produce signature S2. FALCON now commits to both the original message and the ML-DSA signature. An attacker who breaks ML-DSA and forges a different S1' cannot use it without also forging S2.
Layer 3 — SLH-DSA. Sign the concatenation M || S1 || S2 with SLH-DSA-SHA2-128f to produce signature S3. The hash-based signature now commits to the entire chain. This is the anchor of last resort.

The combined signature bundle is (S1, S2, S3) — approximately 21,087 bytes total (3,309 + 690 + 17,088).

Verification checks all three independently:

Verify S1 against M with ML-DSA public key
Verify S2 against M || S1 with FALCON public key
Verify S3 against M || S1 || S2 with SLH-DSA public key

All three must pass. If any single family is compromised, the attacker still cannot produce valid signatures for the other two families. The nesting ensures that a forged inner signature propagates into a verification failure at the outer layers.

~21 KB

Combined three-key signature bundle (ML-DSA + FALCON + SLH-DSA) · ephemeral · verified at attestation time

Key Exchange: ML-KEM

Signing authenticates. Key exchange establishes shared secrets. These are separate concerns with separate key material, and conflating them is a design error that classical cryptography made routinely (RSA was used for both, leading to decades of confused key management).

ML-KEM (FIPS 203) handles key encapsulation. The sender encapsulates a shared secret under the recipient's public key. The recipient decapsulates with their private key. The shared secret feeds into AES-256-GCM for symmetric encryption.

Parameter Set	Public Key	Ciphertext	Shared Secret	Security Level
ML-KEM-768	1,184 bytes	1,088 bytes	32 bytes	Level 3
ML-KEM-1024	1,568 bytes	1,568 bytes	32 bytes	Level 5

ML-KEM-768 is the default for most applications. Encapsulation takes approximately 0.05ms on Graviton4. Decapsulation takes approximately 0.06ms. These are fast enough that key exchange is never the bottleneck in a post-quantum protocol.

The critical design point: ML-KEM keys are separate from ML-DSA keys. An entity that holds your ML-KEM public key can send you encrypted messages. An entity that holds your ML-DSA public key can verify your signatures. These are different capabilities, managed by different key hierarchies, with different rotation schedules and different access controls.

Key Hierarchy: Separation of Concerns

A post-quantum system has three distinct key hierarchies, and they must remain independent. Mixing them — deriving signing keys from exchange keys, or using FHE keys for attestation — creates cross-hierarchy dependencies that amplify the impact of any single compromise.

Hierarchy 1: FHE Keys (Computation)

BFV, CKKS, and TFHE key material. These keys enable encrypted computation — addition, multiplication, rotation on ciphertexts. They are large (megabytes for evaluation keys), computationally expensive to generate, and never leave the computation boundary. An entity with FHE keys can compute on encrypted data. It cannot read the plaintext. It cannot forge attestations. It cannot intercept transport.

Hierarchy 2: PQ Signing Keys (Attestation)

ML-DSA, FALCON, and SLH-DSA key material. These keys produce the three-key signature bundle that attests computation results. An entity with signing keys can prove that a computation happened, that it was authorized, and that the result has not been tampered with. It cannot decrypt data. It cannot perform encrypted computation.

Hierarchy 3: PQ Exchange Keys (Transport)

ML-KEM key material plus AES-256-GCM session keys. These keys protect data in transit. An entity with exchange keys can establish secure channels and encrypt payloads. It cannot verify attestations. It cannot compute on encrypted data.

The separation is the security model. An entity that can verify attestations cannot decrypt data. An entity that can compute on encrypted data cannot forge attestations. An entity that can decrypt transport cannot impersonate signers. No single compromise breaks more than one capability.

HD Key Derivation for Post-Quantum

Managing three key hierarchies with three families each means managing at least nine key pairs per entity. In a multi-tenant system with key rotation, the number grows rapidly. Without hierarchical deterministic (HD) derivation, key management becomes operationally intractable.

HD key derivation follows the BIP-32 pattern adapted for post-quantum key structures:

Master seed. One 256-bit random seed per entity, generated from a CSPRNG with at least 256 bits of entropy. This is the single backup target.
Family derivation. The master seed derives three family-specific sub-seeds via HKDF-SHA3-256 with domain-separated labels: "h33/mldsa", "h33/falcon", "h33/slhdsa". Each sub-seed generates key material appropriate to its family's key generation algorithm.
Purpose derivation. Within each family, child keys are derived for specific purposes: attestation, transport, rotation, revocation. The derivation path encodes the purpose, allowing selective key exposure without compromising the master seed.
Index derivation. Sequential indices generate an unlimited number of child keys per purpose. Key rotation creates a new index. Old keys are revoked but the derivation tree is preserved for audit.

One seed. Unlimited key tree. Backup one seed, recover everything. The HD structure means that a key management system does not store thousands of independent keys — it stores one seed and derives on demand.

The adaptation from BIP-32 to post-quantum is non-trivial. BIP-32 derives 256-bit scalars for elliptic curve keys. Post-quantum keys have different structures: ML-DSA keys involve polynomial vectors over module lattices, FALCON keys involve NTRU basis pairs, SLH-DSA keys are seeds for hash-based tree generation. The derivation function must output sufficient entropy for each family's key generation algorithm, which is why HKDF with family-specific labels is used rather than direct BIP-32 child key derivation.

H33-74: Three Keys in 74 Bytes

The three-key signature bundle is approximately 21KB. That is not a permanent storage cost. It is a transient verification cost.

Every computation in the H33 platform is attested with all three families. The full three-key signature is verified at attestation time — all 21KB are generated, transmitted, and checked. Then the H33-74 substrate compresses the commitment to 74 bytes: 32 bytes anchored on-chain, 42 bytes stored in Cachee.

74 bytes

Permanent substrate commitment · 285x compression from ~21KB ephemeral signatures · patent pending

The 285x compression is not lossy. The 74-byte commitment cryptographically binds the full three-key signature, the computation result, the authorization context, and the routing decision. Anyone with the 74-byte commitment can verify that a specific computation was attested by all three families at a specific time. The ephemeral signatures are large but transient. The permanent record is 74 bytes. Forever.

This matters for cost. On Bitcoin, storing 21KB per attestation is economically prohibitive. Storing 32 bytes is routine. The substrate patent makes three-key signing economically viable for high-throughput systems by decoupling verification cost (21KB, paid once) from storage cost (74 bytes, paid forever).

Migration Path: Classical to Post-Quantum

You do not rip and replace. Every production system that has attempted a flag-day cryptographic migration has either failed or caused an outage. The correct approach is hybrid: run both classical and post-quantum in parallel, then phase out classical when ready.

The migration has four phases:

Inventory. Catalog every key, every algorithm, every certificate, every signing operation in the system. You cannot migrate what you cannot find. Most organizations discover 3–5x more cryptographic touchpoints than they expected.
Hybrid generation. Generate PQ key pairs alongside existing RSA/ECDSA keys. Every entity now has classical keys (for backward compatibility) and PQ keys (for forward security). Key management systems must track both.
Dual verification. Produce both classical and PQ signatures. Verifiers check both. If either fails, the operation fails. This phase catches integration bugs, performance regressions, and key management errors without risking availability. The dual signature is larger, but the tradeoff is safety.
Classical deprecation. When the PQ stack has been in production long enough to establish confidence — and when classical algorithms are formally deprecated or quantum computers reach sufficient scale — stop generating classical signatures. Verifiers accept PQ-only. Classical keys are archived for historical verification but no longer used for new operations.

H33's hybrid approach supports all four phases with zero downtime. The three-key signing infrastructure accepts classical co-signatures during the transition period. The substrate commitment anchors both the PQ attestation and the classical co-signature in the same 74-byte record. When classical keys are dropped, the substrate format does not change — the classical fields become zero-filled.

The migration is not optional. CNSA 2.0 requires post-quantum algorithms for national security systems by 2030. NIST's migration guidance recommends beginning now. Harvest-now-decrypt-later attacks mean that data encrypted today with classical algorithms is already at risk from future quantum computers. The question is not whether to migrate. It is whether you migrate on your schedule or on an adversary's.

The Design Principle

Post-quantum key management is not "use ML-DSA instead of ECDSA." It is a structural redesign of how keys are generated, derived, stored, rotated, and used. Three families for signing. One family for exchange. Independent hierarchies for computation, attestation, and transport. Hierarchical deterministic derivation from a single seed. Hybrid migration with no flag day.

And at the end of the pipeline: 74 bytes. Three independent mathematical bets, compressed into a permanent commitment that costs less to store than a tweet.

That is the three-key problem, solved.

Eric Beans

CEO, H33.ai, Inc.

Patent pending. U.S. Patent Application Nos. 19/309,560 and 19/645,499. Additional applications pending.
All benchmarks measured on AWS c8g.metal-48xl (Graviton4, 192 vCPUs, Neoverse V2), April 2026. Rust 1.94.0.
All NIST security tests passed: FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), FIPS 205 (SLH-DSA). FIPS 140-3 KATs operational. 20,000+ tests across the platform.
H33-74 is a trademark of H33.ai, Inc. AWS and Graviton4 are trademarks of Amazon Web Services, Inc.