STARK DILITHIUM HICS · 6 min read

Quantum-Attested Software Scores.
Why a Number Isn't Enough.

Every security vendor has a score. A rating. A certification badge on their website. None of them can prove it's real. We can.

The Problem with Software Scores

A vendor puts "SOC 2 Certified" on their website. You trust it. But did you verify the certificate? Did you check if it expired? Did you confirm the scope covers what you're actually buying? In most procurement cycles, the answer is no. The badge is a JPEG. The trust is assumed.

Static analysis tools generate scores. Penetration test reports assign ratings. Compliance audits produce letters. All of them share the same fundamental weakness: the score is a claim, not a proof. The vendor tells you what they scored. You believe them or you don't.

HICS changes this. Every score is cryptographically attested with post-quantum algorithms that cannot be forged, altered, or faked — not by the vendor, not by H33, not by a future quantum computer.

The Attestation Chain

When a vendor runs HICS, four cryptographic operations produce an unforgeable certificate:

1. SHA3-256 Merkle Tree. Every file in the codebase is hashed. The hashes form a Merkle tree. The root commits the exact state of the code at scan time. Change one character in one file and the root changes completely. This binds the score to a specific codebase version.

2. STARK Proof. A Scalable Transparent Argument of Knowledge proves the scoring algorithm executed correctly on the committed codebase. The proof is zero-knowledge — it reveals nothing about the source code. It only proves: "this score was computed by this algorithm on this codebase." No trusted setup. Hash-based. Quantum-resistant.

3. Dilithium ML-DSA-65 Signature. H33's post-quantum private key signs the proof, the score, the Merkle root, and the timestamp. NIST FIPS 204. Lattice-based. A quantum computer running Shor's algorithm cannot forge this signature. The vendor cannot self-sign — only H33's key produces a valid attestation.

4. Proof ID. A 32-byte SHA3-256 hash of the complete certificate serves as a unique, permanent identifier. This is what appears on the verification badge. Anyone with the Proof ID can verify the entire chain independently.

The result is a .h33 certificate file. The vendor keeps it. The buyer verifies it. The code never leaves the vendor's machine. The proof speaks for itself.

The Verification Badge

Vendors who earn a HICS attestation can embed a verification badge on their website. This is not a static image. It's a live cryptographic check.

[Live HICS Verification Badge: HICS Verified · 100/100 Grade A · STARK Proof · Dilithium ML-DSA-65 · Post-Quantum Attested]

When a buyer clicks the badge, the verification endpoint checks five things in real time:

1. Does the Proof ID exist? If a vendor copies a badge image without a valid attestation, the check fails immediately. "UNVERIFIED — No valid attestation found."

2. Does the STARK proof verify? Mathematical verification that the scoring algorithm ran correctly. Cannot be forged without solving a hash preimage problem.

3. Does the Dilithium signature validate? Confirms H33 signed this specific certificate. The vendor cannot self-sign. A quantum computer cannot forge the signature.

4. Does the Merkle root match? The committed codebase fingerprint must be consistent. If the vendor changed their code after scanning, the root won't match a re-scan.

5. Is the certificate current? Attestations expire after 90 days. A stale badge shows its age. Buyers see exactly when the last scan ran.

If all five checks pass: green shield, verified score, full chain of trust. If any check fails: red badge, specific failure reason, no ambiguity.
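As an added example (not H33's code and not the real .h33 format), here is the attestation chain and the badge's verification order in Python: a SHA3-256 Merkle root over the scanned files, a certificate whose signed payload is exactly proof, score, Merkle root and timestamp, a Proof ID as the SHA3-256 of the complete certificate, and a verifier that rejects with a specific reason at the first failing check. Assumptions: the leaf layout and field names are constructed; HMAC-SHA3-256 with a hypothetical key stands in for the Dilithium ML-DSA-65 signature only because no Dilithium signer is available offline (it is not post-quantum and not what HICS uses); STARK verification is left out because no STARK verifier is available here.

```python
import hashlib
import hmac
import json

ATTESTATION_TTL = 90 * 24 * 3600  # attestations expire after 90 days
# Constructed stand-in for the issuer's signing key. HMAC is NOT Dilithium and NOT
# post-quantum; it is used only so the signed-payload binding can be demonstrated offline.
ISSUER_KEY = b"hypothetical-issuer-key"
SIGNED_FIELDS = ("proof", "score", "merkle_root", "timestamp")


def merkle_root(files):
    """SHA3-256 Merkle root over {path: bytes}; leaves sorted by path (constructed layout)."""
    leaves = [hashlib.sha3_256(p.encode() + b"\0" + files[p]).digest() for p in sorted(files)]
    if not leaves:
        return hashlib.sha3_256(b"").digest()
    while len(leaves) > 1:
        if len(leaves) % 2:            # odd level: duplicate the last leaf
            leaves.append(leaves[-1])
        leaves = [hashlib.sha3_256(leaves[i] + leaves[i + 1]).digest()
                  for i in range(0, len(leaves), 2)]
    return leaves[0]


def signed_payload(cert):
    """Canonical bytes of the four fields the issuer signs."""
    return json.dumps({k: cert[k] for k in SIGNED_FIELDS}, sort_keys=True).encode()


def issue(files, score, proof, timestamp):
    """Issuer side: commit the code, sign the payload, derive the Proof ID."""
    cert = {"merkle_root": merkle_root(files).hex(), "score": score,
            "proof": proof, "timestamp": timestamp}
    cert["signature"] = hmac.new(ISSUER_KEY, signed_payload(cert), "sha3_256").hexdigest()
    # Proof ID = SHA3-256 over the complete certificate (everything above)
    cert["proof_id"] = hashlib.sha3_256(json.dumps(cert, sort_keys=True).encode()).hexdigest()
    return cert


def verify(cert, registry, files_now, now):
    """Verifier side, in the badge's order: existence, binding, signature, root, freshness."""
    if cert is None or cert.get("proof_id") not in registry:
        return False, "UNVERIFIED - No valid attestation found"
    body = {k: v for k, v in cert.items() if k != "proof_id"}
    if hashlib.sha3_256(json.dumps(body, sort_keys=True).encode()).hexdigest() != cert["proof_id"]:
        return False, "Proof ID does not match certificate"  # any field edit lands here
    expected = hmac.new(ISSUER_KEY, signed_payload(cert), "sha3_256").hexdigest()
    if not hmac.compare_digest(expected, cert["signature"]):
        return False, "Signature invalid"
    if merkle_root(files_now).hex() != cert["merkle_root"]:
        return False, "Merkle root mismatch: code changed since scan"
    if now - cert["timestamp"] > ATTESTATION_TTL:
        return False, "Attestation expired"
    return True, "Verified"
```

Note that a tampered score fails at the Proof ID check before the signature is even examined, because the ID commits to the whole certificate.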

Why Post-Quantum Matters Here

An ECDSA or RSA signature on a software score has a shelf life. When cryptographically relevant quantum computers arrive — estimates range from 10 to 30 years — every classical signature becomes forgeable. An attacker could retroactively create fake attestation certificates for any vendor.

Dilithium ML-DSA-65 (NIST FIPS 204) is lattice-based. Shor's algorithm doesn't apply to lattice problems. A HICS attestation signed today will still be unforgeable in 2056. The STARK proof uses SHA3-256 — hash-based, no algebraic structure to exploit. Both layers survive the quantum transition.

This isn't theoretical future-proofing. It's a practical statement: an attestation should outlast the software it attests. If your compliance certificate can be forged before your contract expires, the certificate is worthless.

What a Badge Proves

A HICS verification badge on a vendor's website is a statement of five facts, each independently verifiable:

This codebase was scanned. The Merkle root commits the exact files.

The scan ran this algorithm. The STARK proof attests correct execution.

The score was not altered. The Dilithium signature seals the result.

The attestation is current. The timestamp is part of the signed payload.

The code was never seen by anyone. Zero-knowledge. The proof reveals the score and nothing else. No source code. No architecture details. No proprietary logic. Complete transparency about quality without any transparency about implementation.

H33's Score

H33 is the first company to carry a HICS verification badge. Our score is 100/100 (Grade A), STARK-proven and Dilithium-signed. The full journey from 70 to 100 is documented in "From a C to 100." We published the C. We published the 100. We'll publish every score in between for every re-scan.

Embed It

Vendors who run HICS and purchase attestation receive an embeddable badge — a single script tag that renders the live verification widget. Three sizes:

Full badge — logo, score, grade, attestation chain, shield icon. For homepage footers, security pages, and procurement portals.

Compact badge — logo, score, shield. For headers, sidebars, and documentation sites.

Inline badge — text-only with shield. For README files, proposals, and contract appendices.

Every badge links to the public verification page. Every click runs the full cryptographic check. No trust required. The math does the work.

HICS scoring is free. Run it on any codebase, unlimited, no account required. The attestation — the STARK proof, the Dilithium signature, the verifiable badge — is what costs money. The score is a claim. The proof is a fact. That's the product.

Get started or read the HICS formula.

Get Your HICS Attestation

One command. The code stays yours. The proof speaks for itself.
