Three Math Families, One Attestation
Cryptography has a history of humbling confidence. Algorithms that the entire industry trusted have fallen, sometimes gradually through incremental attacks, sometimes suddenly through theoretical breakthroughs. MD5 lasted 15 years as a trusted hash before collision attacks rendered it obsolete. SHA-1 followed a similar arc. The Dual_EC_DRBG random number generator was standardized by NIST before it was revealed to contain a likely backdoor. Every generation of cryptographers inherits the lessons of the previous generation's overconfidence.
The post-quantum transition presents a unique version of this challenge. The NIST standardization process selected algorithms based on mathematical problems believed to be hard for quantum computers. The keyword is "believed." These algorithms have been studied intensively, but they are fundamentally newer and less battle-tested than the classical schemes they replace. Lattice-based cryptography has been studied since the late 1990s, which sounds like a long time until you compare it to the decades of analysis behind RSA and elliptic curve cryptography.
The responsible engineering approach to this uncertainty is not to avoid post-quantum algorithms. The quantum threat is real and growing. The responsible approach is to avoid betting everything on a single mathematical assumption, no matter how strong it appears today. This is the principle behind H33's three-family attestation architecture.
The Three Families
H33 attestations are signed with three independent signature schemes, each based on a different class of mathematical problem.
ML-DSA (Module-Lattice-Based Digital Signature Algorithm) derives its security from the Module Learning With Errors (MLWE) problem. This problem involves distinguishing between random noise and structured noise in a high-dimensional lattice. The best known quantum algorithms for lattice problems offer at most a polynomial speedup over classical algorithms, compared to the exponential speedup that Shor's algorithm provides against RSA and ECDSA. ML-DSA is the NIST FIPS 204 standard and the most widely deployed post-quantum signature scheme.
FALCON derives its security from the NTRU lattice problem, which is related to but mathematically distinct from MLWE. NTRU was proposed in 1996 and has withstood over 30 years of cryptanalysis. While both MLWE and NTRU are lattice problems, the specific mathematical structures they rely on are different. A breakthrough against MLWE would not necessarily apply to NTRU, and vice versa. FALCON uses a hash-and-sign approach with NTRU trapdoors, producing compact signatures that are particularly efficient for verification.
SLH-DSA (Stateless Hash-Based Digital Signature Algorithm) derives its security from the collision resistance of hash functions, specifically SHA-256 or SHAKE-256. This is the most conservative security assumption in all of cryptography. Hash-based signatures have been studied since the 1970s (Lamport signatures were proposed in 1979), and their security reduces directly to the properties of the underlying hash function. If SHA-256 is collision-resistant, SLH-DSA is secure. That is the entire assumption. No lattice structure, no algebraic group theory, no number theory. Just hashing.
Why Three Families Specifically
The choice of three families is not arbitrary. It reflects a careful analysis of the mathematical landscape of post-quantum cryptography and the correlations between different hardness assumptions.
If you only use one family, you are making a single bet. If that bet is wrong, you lose everything. This is the current situation with classical cryptography: most systems use either RSA (based on factoring) or ECDSA (based on discrete logarithms). Both fall to Shor's algorithm. A single mathematical breakthrough breaks everything.
If you use two families, you have better diversity, but two families from the same mathematical domain (say, two different lattice problems) might share common vulnerabilities. A breakthrough in lattice reduction algorithms could potentially affect both MLWE and NTRU simultaneously, even though the specific problems are different.
Three families from three truly independent mathematical domains provide maximum diversity with practical engineering tradeoffs. The hash-based family serves as the ultimate backstop: even if all lattice-based cryptography falls (which would be a profound mathematical event), the hash-based signatures remain secure as long as SHA-256 is collision-resistant.
To compromise an H33 attestation, an adversary would need to break MLWE lattices, NTRU lattices, AND stateless hash functions simultaneously. This is not merely "three times harder" than breaking one scheme. These are independent mathematical problems from different domains of mathematics. A breakthrough in one provides no leverage against the others. The security is multiplicative, not additive.
The Engineering of Three-Family Signing
Combining three signature schemes into a single attestation workflow introduces engineering challenges that go beyond simply calling three signing functions in sequence.
Key generation must produce key pairs for all three schemes with independent, high-quality randomness. The entropy sources for each scheme must be uncorrelated; using the same random seed for all three would create a correlation that could be exploited. H33's key generation draws from independent entropy pools for each scheme, with each pool audited for bias and predictability.
Signing must produce three signatures over the same payload in a way that binds them cryptographically. A naive approach of simply concatenating three signatures would allow an attacker to mix and match signatures from different attestations. H33 uses a domain-separated signing approach where each scheme signs a payload that includes the identity of the other two schemes and the attestation context, preventing cross-attestation signature grafting.
Verification checks all three signatures and rejects the attestation if any single signature fails. This is a strict AND policy: all three must pass. A lenient approach (accepting if two out of three pass) would weaken the security properties because it would allow an attacker who breaks one scheme to produce apparently valid attestations. The strict AND policy ensures that the full strength of all three families is always required.
Performance is managed through parallelization. The three verification operations are independent and can run on separate CPU cores simultaneously. On H33's production hardware, the three verifications complete in the time of the slowest single scheme (typically SLH-DSA), not the sum of all three. The total attestation time per batch, including all three signatures, is approximately 391 microseconds.
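The key generation, domain-separated signing and strict AND verification described above, as an added example that is not H33's code. HMAC-SHA256 stand-ins occupy the three scheme slots (an assumption made so the block runs offline; real ML-DSA, FALCON and SLH-DSA implementations are not in the standard library), and the `naive_tbs` variant shows why signing the bare payload lets a signature be grafted from one attestation onto another.

```python
import hashlib
import hmac
import secrets

# Constructed example: the three slots carry the post's scheme names, but each
# slot signs with an HMAC-SHA256 stand-in rather than the real PQ scheme.
SCHEMES = ("ML-DSA", "FALCON", "SLH-DSA")

def keygen() -> dict:
    # One independent 32-byte key per scheme; never derive all three from one seed.
    return {name: secrets.token_bytes(32) for name in SCHEMES}

def _enc(*fields: bytes) -> bytes:
    # Length-prefix every field so "ab"+"c" and "a"+"bc" cannot encode identically.
    return b"".join(len(f).to_bytes(4, "big") + f for f in fields)

def naive_tbs(name: str, context: bytes, payload: bytes) -> bytes:
    # The concatenation approach the post warns about: only the payload is signed.
    return payload

def bound_tbs(name: str, context: bytes, payload: bytes) -> bytes:
    # Domain separation: the signed message names this slot, the two companion
    # schemes and the attestation context alongside the payload.
    others = [s.encode() for s in SCHEMES if s != name]
    return _enc(b"composite-attestation", name.encode(), *others, context, payload)

def _sign(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def sign_attestation(keys: dict, context: bytes, payload: bytes, tbs=bound_tbs) -> dict:
    # Three signatures over the same payload, one per scheme slot.
    return {n: _sign(keys[n], tbs(n, context, payload)) for n in SCHEMES}

def verify_attestation(keys: dict, context: bytes, payload: bytes, sigs: dict, tbs=bound_tbs) -> bool:
    # Strict AND policy: every slot must be present and valid; 2-of-3 is rejected.
    if set(sigs) != set(SCHEMES):
        return False
    # Check all three before deciding, mirroring the independent parallel checks.
    results = [hmac.compare_digest(_sign(keys[n], tbs(n, context, payload)), sigs[n])
               for n in SCHEMES]
    return all(results)

def grafting_succeeds(tbs) -> bool:
    # Same payload attested under two contexts; the FALCON slot of B is moved into A.
    keys = keygen()
    payload = b"artifact-digest:constructed-0001"
    a = sign_attestation(keys, b"ctx-A", payload, tbs)
    b = sign_attestation(keys, b"ctx-B", payload, tbs)
    grafted = {**a, "FALCON": b["FALCON"]}
    return verify_attestation(keys, b"ctx-A", payload, grafted, tbs)
```

With `naive_tbs` the grafted bundle verifies; with `bound_tbs` it is rejected, as is any bundle missing a slot or presented under a different context.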
Historical Precedent: Why Single-Assumption Systems Fail
The argument for cryptographic diversity is not theoretical. History provides concrete examples of single-assumption failures that affected entire industries.
In 2017, researchers demonstrated practical SHA-1 collision attacks (the SHAttered paper). Organizations that relied solely on SHA-1 for document integrity were immediately vulnerable. Those that had migrated to SHA-256 were unaffected. Those that used both SHA-1 and SHA-256 in parallel were protected even before they completed their migration.
The Dual_EC_DRBG backdoor affected every system that used it as a random number generator, including products from major security vendors. Organizations that used alternative RNG implementations alongside Dual_EC_DRBG had a fallback. Those that relied on it exclusively had none.
In the post-quantum context, the risk is amplified by the "harvest now, decrypt later" attack. Adversaries are already collecting encrypted data with the intention of decrypting it once quantum computers are available. If a single-family post-quantum scheme is later found to be vulnerable, all data encrypted or signed under that scheme during the collection period is compromised. Three-family attestation provides insurance against this scenario: even if one family falls, the attestation remains valid under the other two.
Comparing Approaches: Single-Scheme vs Multi-Scheme
Most organizations migrating to post-quantum cryptography plan to adopt ML-DSA as their primary signature scheme. This is a reasonable starting point but an insufficient endpoint. Let us compare the risk profiles of different approaches.
Single-scheme (ML-DSA only): If MLWE is broken, all attestations are compromised. The probability of this is low but nonzero. The consequence is total loss of trust in all historical attestations.
Dual-scheme (ML-DSA + FALCON): Both are lattice-based, though they rely on different lattice problems. A general breakthrough in lattice reduction could potentially affect both. The correlation between the two assumptions reduces the diversity benefit compared to truly independent schemes.
Three-family (ML-DSA + FALCON + SLH-DSA): The hash-based scheme (SLH-DSA) has zero mathematical correlation with the lattice-based schemes. A lattice breakthrough affects ML-DSA and possibly FALCON, but SLH-DSA remains secure. An attestation is compromised only if lattice problems AND hash functions both fall simultaneously.
The three-family approach is the only configuration that provides genuine mathematical independence between all components. It is also the configuration that H33 deploys in production.
The Cost of Diversity
Three-family signing is not free. The raw signature bundle is larger (approximately 55 KB for all three schemes combined). Key generation is more expensive (three key pairs instead of one). Storage requirements are higher. Network bandwidth for signature transmission increases.
H33-74 distillation addresses the size concern by reducing the 55 KB bundle to 74 bytes for transport and storage. The full bundle is retained in the Cachee infrastructure layer and expanded only when verification is needed. This makes the three-family approach practical for high-throughput, bandwidth-constrained deployments.
The computational overhead of three-family signing is real but manageable. On production hardware, the full three-scheme signing and verification pipeline runs in under 400 microseconds per batch. For most enterprise workloads, this latency is invisible within the overall request processing time.
The tradeoff is clear: a modest increase in computational and storage cost buys a dramatic increase in long-term security confidence. Given the stakes of protecting data against quantum computers for decades, the cost of diversity is trivial compared to the cost of being wrong about a single mathematical assumption.
Looking Forward: What Breaks Iff Everything Breaks
The defining property of three-family attestation is that it breaks if and only if all three mathematical foundations break simultaneously. This is an extraordinarily unlikely event by any reasonable assessment of the mathematical landscape.
Breaking MLWE would require a fundamental advance in lattice reduction algorithms that has eluded researchers for over 25 years. Breaking NTRU would require a separate advance in structured lattice cryptanalysis. Breaking hash-based signatures would require breaking the collision resistance of SHA-256, which would also compromise the integrity of virtually every system on the internet, including Bitcoin, TLS, and code signing.
The probability of all three events occurring simultaneously is so low that it is effectively zero for practical threat modeling. This is the gold standard of post-quantum security: protection that does not depend on any single mathematical conjecture, but on the conjunction of three independent ones.
Three independent hardness assumptions. One attestation. That is the engineering response to mathematical uncertainty.
Protect with Three Independent Assumptions
H33 three-key attestation is available through our API. Start building with defense in depth.