When a user returns to your application, why make them wait? H33's new session resume feature re-authenticates returning users in just 50 microseconds--that's 4.4x faster than a full authentication and essentially instant from a user's perspective.
Session Resume Performance
Session Resume: 50µs
Full Auth (Turbo): 1.36ms
Speedup: 4.4x faster
User perception: Instant
How Session Resume Works
Traditional authentication re-verifies everything on each request: biometrics, cryptographic proofs, and attestations. This is wasteful when the user's context hasn't changed.
Session resume takes a smarter approach:
- Context preservation: Session state is encrypted and cached server-side
- Cryptographic binding: Session tokens are bound to device fingerprints
- Proof reuse: Valid ZK proofs are cached and verified in 32µs
- Delta detection: Only re-verify what's actually changed
// First authentication - full verification
const initial = await h33.auth.fullStack({
userId: 'user_123',
biometric: faceData,
mode: 'turbo'
});
// 1.36ms - creates session context
// Session resume - lightning fast
const resumed = await h33.session.resume({
sessionId: initial.sessionId,
deviceFingerprint: fingerprint
});
// 50µs - verifies cached contextInside the Resume Pipeline
A full H33 authentication runs three stages in sequence: BFV fully homomorphic encryption for biometric matching, a ZK proof lookup for identity verification, and a Dilithium attestation signature. On our production Graviton4 cluster (c8g.metal-48xl, 96 vCPUs), this pipeline processes 32 users per ciphertext batch in approximately 1,109µs--yielding the 1.595 million authentications per second figure shown above.
Session resume bypasses the two most expensive stages. The BFV inner product alone accounts for roughly 1,109µs of the full-stack latency, and Dilithium sign-plus-verify adds another 244µs. By caching the results of both operations and validating only the session binding, resume drops the per-request cost to the in-process DashMap lookup (0.085µs) plus a SHA3-256 HMAC over the session token and device fingerprint. The combined overhead lands at approximately 42-50µs depending on payload size.
Session resume does not weaken the cryptographic guarantee. The FHE biometric match result and ZK proof are computed once during full authentication and stored in an encrypted session context signed with Dilithium3 (ML-DSA-65). Resuming simply verifies that the signature is valid and the session has not been tampered with--a single Dilithium verify() call, not a full sign+verify cycle.
Session Context Architecture
Each session context is a compact binary structure containing the original authentication verdict, a monotonic timestamp, the device fingerprint hash, and a Dilithium3 signature over all preceding fields. The context is encrypted at rest with AES-256-GCM keyed from the server's Kyber-derived session master key, ensuring that even if an attacker obtains the raw cache contents, they cannot forge or replay a session.
| Field | Size | Description |
|---|---|---|
| Auth Verdict | 1 byte | Pass/fail + confidence level (3 bits) |
| Timestamp | 8 bytes | Monotonic nanosecond counter |
| Device Hash | 32 bytes | SHA3-256 of fingerprint components |
| User Batch Index | 2 bytes | Slot within 32-user BFV ciphertext |
| Proof Digest | 32 bytes | SHA3-256 of cached ZK proof |
| Dilithium3 Sig | 3,293 bytes | ML-DSA-65 signature over fields above |
| Total | 3,368 bytes | Per-session overhead |
At 3,368 bytes per session, storing one million active sessions requires just 3.2 GB--comfortably within the 377 GiB available on a Graviton4 metal instance. The in-process DashMap holding these contexts adds zero network latency and zero serialization cost, which is critical: we measured that switching to a TCP-based cache (even on localhost) caused an 11x throughput regression at 96 workers due to connection serialization overhead.
Security Without Compromise
Speed doesn't mean sacrificing security. Session resume maintains full cryptographic verification:
- Session tokens are signed with Dilithium3 (post-quantum secure)
- Device binding prevents session hijacking across devices
- Time-limited validity with configurable expiration
- Anomaly detection triggers full re-authentication when needed
Every component in the resume path is post-quantum secure. The session signature uses ML-DSA-65 (CRYSTALS-Dilithium3, FIPS 204), the session encryption uses AES-256-GCM with Kyber-derived keys, and the proof digest uses SHA3-256. There is no classical-only cryptography anywhere in the chain, which means session resume is resistant to harvest-now-decrypt-later attacks from day one.
When Full Auth is Required
Session resume automatically falls back to full authentication when:
- Session has expired
- Device fingerprint doesn't match
- IP geolocation changes significantly
- Risk score exceeds threshold
- Sensitive operation is requested
This adaptive approach gives you speed for normal operations and full security when it matters. In practice, approximately 85-90% of requests within a session window qualify for resume, meaning the effective per-auth cost across a typical session drops well below the ~42µs full-stack average.
Performance Comparison
| Operation | Latency | Pipeline Stages |
|---|---|---|
| Full Auth (Turbo) | 1.36ms | FHE + ZKP + Attestation |
| Full Auth (Standard) | 633µs | FHE + ZKP + Attestation |
| Session Resume | 42µs | DashMap lookup + Dilithium verify |
| Cached Proof Verify | 32µs | DashMap lookup only |
Implementation Guide
// Configure session management
const sessionManager = h33.createSessionManager({
ttl: '24h', // Session lifetime
resumeWindow: '1h', // Resume without re-auth
deviceBinding: true, // Require device match
riskThreshold: 0.7 // Trigger full auth above this
});
// Middleware for automatic session handling
app.use(sessionManager.middleware());
// In your routes, authentication is automatic
app.get('/dashboard', async (req, res) => {
// req.auth is populated - either from resume (50µs)
// or full auth (1.36ms) based on context
const user = req.auth.user;
// ...
});The resumeWindow parameter controls how long a session context remains eligible for fast-path verification. After the window expires, the next request triggers a full FHE+ZKP+attestation pipeline, refreshing the cached context. Setting this value involves a direct trade-off: shorter windows mean more frequent full auths (higher average latency) but tighter security bounds; longer windows reduce compute load but widen the window in which a compromised device fingerprint could be replayed.
Real-World Impact
For a typical user session with 50 API calls:
- Without session resume: 50 x 1.36ms = 11,000µs total auth overhead
- With session resume: 1 x 1.36ms + 49 x 50µs = 2,670µs total
- Savings: 76% reduction in authentication latency (see benchmarks)
For high-frequency applications like real-time collaboration or gaming, this difference is transformative. Consider a multiplayer game server authenticating 10,000 concurrent users at 60 actions per second. Without resume, the auth layer alone would consume 816 milliseconds of CPU time per second per user. With resume enabled, that drops to 40.3 milliseconds--freeing over 95% of the auth budget for actual game logic.
Session resume pairs naturally with H33's SIMD batching architecture. Because BFV with N=4096 packs 32 users per ciphertext (4,096 slots divided by 128 biometric dimensions), a full auth batch already amortizes the FHE cost across 32 users. Session resume then eliminates that batch entirely for returning users, creating a two-tier optimization: batch amortization for first-time auths, and sub-50µs resume for everything after.
Enable 50µs Session Resume
Upgrade your authentication with instant session resume. Get started with 1,000 free auths.
Get Free API Key