H33 produces portable privacy proofs that can be anchored on Solana, Bitcoin, Ethereum, or any chain that stores 32 bytes.
Most privacy solutions are chain-specific. A ZK proof generated for Ethereum cannot be verified on Solana. A credential issued on one chain has no validity on another. Your privacy is only as portable as the chain you chose.
H33 separates the commitment from the proof. The 32-byte SHA3-256 commitment goes on any chain. The full attestation lives off-chain. Verification requires only the commitment and the attestation bundle — no chain-specific logic.
The verifier does not need to talk to any blockchain. It takes the 32-byte commitment and the 74-byte attestation, and deterministically validates. Works offline. Works cross-chain. Works forever.
Any blockchain that can store 32 bytes can anchor an H33 attestation. No smart contract required. No chain-specific integration.
| Chain | Anchoring Method | Finality | Cost |
|---|---|---|---|
| Solana | Native program instruction | Sub-second | <$0.001 |
| Bitcoin | OP_RETURN (80 bytes available) | ~10 minutes | Variable (fee market) |
| Ethereum | Calldata (cheapest storage) | ~12 seconds | Variable (gas) |
| L2 Rollups | Calldata (Arbitrum, Optimism, Base) | Seconds | <$0.01 |
| Off-chain | No anchoring needed | Instant | Free |
Every H33-74 attestation is exactly 74 bytes. 32 bytes form the on-chain commitment. 42 bytes are cached off-chain for full verification.
| Field | Bytes | Location |
|---|---|---|
| SHA3-256 commitment hash | 32 | On-chain |
| Signer set identifier | 16 | Cached |
| Timestamp (compact) | 8 | Cached |
| Authority scope flags | 8 | Cached |
| Version + chain tag | 4 | Cached |
| Governance link | 6 | Cached |
H33 attestations are independently verifiable. You do not need H33 infrastructure, an API key, or even an internet connection to verify a proof.
$ h33 verify --commitment a3f8c1d2e4... --bundle attestation.h74
VALID
Signer: ML-DSA-65 + FALCON-512 + SLH-DSA-SHA2-128f
Timestamp: 2026-05-18T14:30:00Z
Chain commitment matches: true
Governance chain intact: true
Chain-agnostic privacy enables use cases that are impossible when proofs are locked to a single ecosystem.
Prove your identity once. Use it on Solana, Ethereum, Bitcoin, and L2s. The same 74-byte attestation works everywhere without re-verification.
A single compliance attestation covers all chains your organization operates on. Regulators verify one proof, regardless of which chain the activity occurred on.
Complete KYC once. Anchor the attestation on your primary chain. Present the same proof to any counterparty on any chain. No PII transmission. No re-verification.
Most privacy solutions are built for one chain and break the moment you need to operate across ecosystems. Chain-agnostic attested privacy eliminates this constraint with a single proof format that works everywhere.
| Property | Chain-Specific Privacy | Chain-Agnostic Attested Privacy (H33) |
|---|---|---|
| Chain lock-in | Proof format tied to one chain's verifier contract | No lock-in — same 74-byte bundle works on any chain |
| Proof portability | Must re-generate proof per chain, new verifier per chain | Generate once, anchor anywhere, verify everywhere |
| Cross-chain identity | Separate identity proofs per ecosystem | One identity attestation works across Solana, Ethereum, Bitcoin, L2s |
| Quantum resistance | Depends on chain's cryptographic primitives | Three independent PQ hardness assumptions, chain-independent |
| Verification independence | Requires chain node or specific RPC endpoint | Verify offline with public binary, no chain connection needed |
| Anchoring cost | Varies — full proof often stored on-chain | 32 bytes on-chain, constant cost regardless of proof complexity |
Chain-specific privacy creates an n-chain problem: every new chain requires a new proof format, a new verifier deployment, and a new integration. Chain-agnostic privacy reduces this to a one-time proof generation with universal anchoring. The engineering cost does not scale with the number of chains you support.
The H33-74 Post-Quantum Attestation Primitive produces a 32-byte SHA3-256 commitment hash that is designed to fit natively into every major blockchain's data model without adaptation layers or custom contracts.
Solana: Account Data. On Solana, the 32-byte commitment is stored in a program-derived account (PDA). Solana's account model natively stores arbitrary byte arrays, so the commitment fits directly into account data without serialization overhead. The anchoring transaction executes within a single Solana instruction, finalized in sub-second slot time. Verification reads the 32-byte value from the PDA and compares it against the off-chain attestation bundle. Because Solana accounts are indexed by program and seed, looking up a specific commitment is a single RPC call with deterministic addressing.
Bitcoin: OP_RETURN. On Bitcoin, the 32-byte commitment is embedded in an OP_RETURN output. OP_RETURN supports up to 80 bytes of arbitrary data per output, so the 32-byte commitment fits with room for a version prefix and chain tag. The commitment becomes part of Bitcoin's permanent UTXO history, inheriting Bitcoin's proof-of-work finality. Verification requires only an SPV proof of the transaction containing the OP_RETURN — a lightweight operation that does not require a full node.
Ethereum and EVM Chains: Calldata. On Ethereum and EVM-compatible chains, the 32-byte commitment is passed as calldata to a minimal anchoring contract. Calldata is the cheapest per-byte storage on EVM chains and is permanently available in transaction receipts. The anchoring contract is a single function that emits an event with the commitment value, enabling efficient indexing by off-chain verifiers. The same contract deploys identically on Arbitrum, Optimism, Base, Polygon, and any EVM L2.
L2 Blob Space. For rollups that support EIP-4844 blob transactions (Ethereum, Arbitrum, Optimism), the 32-byte commitment can be included in blob data for the lowest possible anchoring cost. Blobs are available for the data availability window (approximately 18 days on Ethereum), after which the on-chain commitment in calldata serves as the permanent record. This dual-anchoring pattern provides both low-cost immediate availability and permanent archival without additional engineering effort.
Common questions about portable, chain-independent privacy proofs.
Chain-agnostic means the privacy proof is not locked to any specific blockchain. The same 74-byte H33-74 Post-Quantum Attestation Primitive works on Solana, Bitcoin, Ethereum, any EVM L2, or entirely off-chain. You generate the proof once and anchor the 32-byte commitment anywhere. The proof format, verification process, and cryptographic guarantees are identical regardless of the destination chain. If a new chain launches tomorrow that can store 32 bytes, the proof works there too.
The H33-74 Post-Quantum Attestation Primitive is 74 bytes total. The first 32 bytes are a SHA3-256 commitment hash that gets written on-chain. This hash is a one-way function of the attestation contents — you cannot reverse-engineer the attestation from the hash. The remaining 42 bytes (signer set identifier, compact timestamp, authority scope flags, version and chain tag, governance link) are cached off-chain. To verify, anyone retrieves the 32-byte on-chain value, obtains the full 74-byte bundle from the cache or directly from the attesting party, and checks that the SHA3-256 hash of the bundle matches the on-chain commitment.
Yes. The proof itself is entirely chain-independent. A proof anchored on Solana produces the same 32-byte commitment hash as one anchored on Ethereum. Verification checks the commitment against the attestation bundle using SHA3-256 and three post-quantum signature families (ML-DSA-65, FALCON-512, SLH-DSA-SHA2-128f). No chain-specific logic is involved in verification. You can anchor on Solana for speed and low cost, then verify on Ethereum, or verify entirely off-chain with no blockchain connection at all.
L2 rollups (Arbitrum, Optimism, Base, zkSync, Scroll, and others) are fully supported. The 32-byte commitment is stored as calldata or in EIP-4844 blob space on the L2 at a fraction of Ethereum L1 cost. Verification works identically because the commitment format is chain-independent. For rollups that post transaction data to Ethereum L1, the commitment inherits Ethereum's settlement guarantees while benefiting from L2-level transaction costs — typically 10 to 100 times cheaper than L1 anchoring.
Bridges move assets or messages between chains, creating trust dependencies on bridge operators, relayers, and validator sets. Every major bridge hack in crypto history exploited these trust dependencies. Chain-agnostic privacy does not move anything between chains. It anchors a 32-byte commitment on any chain and verifies against the same attestation bundle regardless of where the commitment lives. There is no bridge operator, no relayer, no multisig, and no validator set beyond the destination chain's own consensus mechanism.
No. Only 32 bytes are stored on-chain. The full STARK proof, the three post-quantum signatures, and the complete attestation metadata are stored off-chain — either in H33's cache layer or in any storage system you control. On-chain storage holds only the SHA3-256 commitment hash. This design keeps anchoring costs constant and minimal (32 bytes regardless of proof complexity) while providing the same verifiability as if the full proof were stored on-chain. The commitment is cryptographically binding: any modification to the off-chain data produces a different hash that will not match the on-chain value.
Expanded scenarios where chain-agnostic privacy unlocks capabilities impossible with chain-specific approaches.
A DAO operates treasuries across Solana (for DeFi yield), Ethereum (for governance), and Bitcoin (for long-term reserves). With chain-specific privacy, proving aggregate solvency requires three separate proof systems, three verifier deployments, and three audit workflows. With chain-agnostic privacy, the DAO generates a single STARK proof of total treasury value, attests it with the H33-74 Post-Quantum Attestation Primitive, and anchors the 32-byte commitment on whichever chain the stakeholders prefer. The same proof is verifiable by Solana DeFi counterparties, Ethereum governance participants, and Bitcoin custody auditors — one proof, one attestation, verified everywhere.
A regulated exchange operates on multiple chains and needs to verify customer identity for every chain-specific product. Chain-specific approaches require the customer to re-verify on each chain, exposing PII multiple times and creating multiple data-breach surfaces. With chain-agnostic privacy, the customer completes KYC once. A ZK proof confirms compliance without exposing PII. The attestation is anchored on the customer's primary chain, and the same 32-byte commitment is used to verify identity on every other chain the exchange operates on. The customer's personal data is exposed exactly once, to exactly one verifier, regardless of how many chains they use.
A DeFi insurance provider covers protocols on Ethereum, Arbitrum, and Solana. When a claim occurs, the insurer needs to verify the claimant's position and the protocol's state at the time of the incident. With chain-agnostic attestation, the claimant provides a single attested proof of their position that the insurer can verify regardless of which chain the incident occurred on. The attestation includes the exact timestamp, the policy version in effect, and the governance state at the moment of the claim — independently verifiable by the insurer, the reinsurer, and the dispute resolution panel.
32 bytes on any chain. Full proof off-chain. Post-quantum attested. Independently verifiable. No chain-specific integration required.
Chain-specific privacy solutions lock proofs to a single blockchain ecosystem. Chain-agnostic attested privacy generates one proof that works everywhere — anchored on any chain, verified on any chain, or verified entirely off-chain.
| Property | Chain-Specific Privacy | H33 Chain-Agnostic Attested Privacy |
|---|---|---|
| Proof portability | Proof works only on the chain it was generated for | Same 74-byte attestation verifiable on any chain or off-chain |
| On-chain footprint | Varies — often kilobytes per proof depending on the ZK system | Constant 32 bytes regardless of proof complexity |
| Multi-chain operations | Requires separate proof systems per chain, separate verifiers, separate audits | One proof, one attestation, anchored and verified on any chain |
| Cross-chain verification | Not possible without bridges or relayers (which introduce trust assumptions) | Native — proof anchored on Solana verifiable on Ethereum with zero modification |
| Bridge dependency | Cross-chain use requires bridge operators, relayers, validator sets | No bridges — commitment is verified directly against the attestation bundle |
| L2 rollup support | Requires chain-specific L2 integration per rollup | 32-byte commitment stored as calldata or EIP-4844 blob on any L2 |
| Quantum resistance | Most chain-specific ZK systems use elliptic curves vulnerable to quantum attack | Three independent PQ families (MLWE, NTRU, hash-based) protect every proof |
| Off-chain verification | Typically requires on-chain verifier contract execution | Full offline verification with no blockchain connection required |
| Anchoring cost | Variable — depends on proof size and chain gas costs | Constant — 32 bytes on any chain, regardless of proof complexity |
| Identity binding | Proof is typically anonymous with no identity context | Attestation binds proof to signer identity, timestamp, and authority scope |
The architectural difference is separation of proof from anchoring. In chain-specific systems, the proof format is coupled to the chain's verifier contract, making portability impossible without re-proving. H33 separates the proof (STARK, chain-independent) from the commitment (32-byte SHA3-256 hash, universally anchored) from the attestation (74-byte PQ-signed bundle, independently verifiable). This separation means the proof is generated once and is valid forever, regardless of which chains exist today or in the future.
How the H33-74 Post-Quantum Attestation Primitive achieves universal chain portability with a 32-byte on-chain footprint and full off-chain verifiability.
The on-chain component is a single 32-byte SHA3-256 commitment hash. This hash is computed over the full attestation bundle, including the STARK proof, the three PQ signatures, the signer set, the timestamp, the authority scope, and the governance link. Any modification to any field in the off-chain bundle produces a different hash, making the commitment cryptographically binding. Because SHA3-256 is a 32-byte output regardless of input size, the on-chain footprint is constant whether the underlying proof is a simple age check or a complex multi-party computation result.
H33 provides native chain adapters for anchoring the 32-byte commitment. On Solana, the commitment is stored via a native program instruction with sub-second finality and transaction costs under $0.001. On Bitcoin, the commitment is embedded in an OP_RETURN output for permanent, immutable record. On Ethereum, the commitment is stored as calldata in a standard transaction. On EVM L2 rollups (Arbitrum, Optimism, Base, zkSync, Scroll), the commitment is stored as calldata or in EIP-4844 blob space at L2 transaction costs, typically 10 to 100 times cheaper than Ethereum L1. For off-chain-only use cases, the commitment is stored in any persistent storage system — no blockchain interaction required at all.
Verification does not depend on the anchoring chain. A verifier obtains the 32-byte commitment (from any chain or any data source), obtains the full 74-byte attestation bundle (from the H33 cache layer or any storage), and checks that the SHA3-256 hash of the bundle matches the commitment. Then the verifier independently checks all three PQ signatures against the published public key set. If the hash matches and all three signatures are valid, the proof is verified. This process is identical whether the commitment came from Solana, Bitcoin, Ethereum, an L2, or a local file system.
Every attestation includes a predecessor hash linking it to the previous attestation in the governance chain. This creates a hash-linked sequence of proofs that is independent of any blockchain. The governance chain itself is a pure data structure — it does not require consensus, mining, or staking. It is anchored to blockchains for public verifiability and permanence, but the governance chain's integrity is self-certifying: tampering with any entry invalidates all downstream entries. This design ensures that the privacy proof system is truly chain-agnostic, using blockchains as optional anchoring surfaces rather than required infrastructure.
When privacy proofs must work across ecosystems, jurisdictions, and time horizons, chain-agnostic attestation eliminates the single-chain bottleneck.
A trader completes KYC on Exchange A (Ethereum-native) and wants to trade on Exchange B (Solana-native) without re-submitting personal documents. With chain-agnostic privacy, Exchange A generates an attested ZK proof of KYC compliance. Exchange B verifies the same 74-byte attestation on Solana. The trader's PII is never exposed to Exchange B, and no bridge, relayer, or trust assumption connects the two exchanges. The attestation is independently verifiable by either exchange's compliance team, by regulators, or by the trader themselves.
A fund operates positions across Solana DeFi, Ethereum liquid staking, Bitcoin reserves, and Arbitrum yield vaults. End-of-quarter reporting requires proving aggregate positions without revealing individual strategies. A single STARK proof aggregates all positions. The attestation anchors on whichever chain the fund's prime broker prefers. The auditor verifies the same attestation offline without needing accounts on any of the underlying chains. One proof, one attestation, one audit workflow across four blockchains.
An aid organization distributes funds across multiple blockchain networks in different countries. Recipients must prove eligibility without revealing refugee status or personal details. Chain-agnostic privacy allows the issuing authority to generate one attested proof of eligibility that works on whichever local payment network the recipient has access to. The aid organization verifies distribution without collecting or storing personal data, and auditors verify the complete distribution record from attestation chains alone.
A player earns an in-game asset on a Solana-based game and wants to use it in an Ethereum-based metaverse. Chain-agnostic attestation proves the asset's provenance (earned legitimately, not duplicated, correct rarity tier) without requiring a bridge to move the asset between chains. The metaverse verifies the 74-byte attestation against any on-chain commitment. The asset's authenticity is cryptographically proven regardless of which blockchain ecosystem the verifier operates in.
Detailed answers about how H33 achieves chain-independent privacy proofs with universal verifiability.
Chain-agnostic means the privacy proof is not locked to any specific blockchain. The same 74-byte H33-74 Post-Quantum Attestation Primitive works on Solana, Bitcoin, Ethereum, any EVM L2, or entirely off-chain. You generate the proof once and anchor it anywhere. The proof format, verification process, and cryptographic guarantees are identical regardless of the destination chain. This eliminates the need to maintain separate proof systems, verifier contracts, and audit workflows for each blockchain you operate on.
The H33-74 Post-Quantum Attestation Primitive is 74 bytes total. The first 32 bytes are a SHA3-256 commitment hash that gets written on-chain. The remaining 42 bytes (signer set, timestamp, authority scope, version, governance link) are stored off-chain. To verify, anyone retrieves the 32-byte on-chain value, obtains the full 74-byte bundle, and checks that the commitment matches. This design keeps on-chain costs minimal and constant regardless of the underlying proof's complexity, while providing the same level of verifiability as storing the full proof on-chain.
Yes. The proof itself is entirely chain-independent. A proof anchored on Solana produces the same 32-byte commitment hash as one anchored on Ethereum. Verification checks the commitment against the attestation bundle using SHA3-256 and three post-quantum signature families (ML-DSA-65, FALCON-512, SLH-DSA-SHA2-128f). No chain-specific logic is involved in the verification process. You can anchor on Solana for speed and low cost, then verify on Ethereum, or verify entirely off-chain with no blockchain connection at all. The mathematics is the trust anchor, not the chain.
L2 rollups (Arbitrum, Optimism, Base, zkSync, Scroll, and others) are fully supported. The 32-byte commitment is stored as calldata or in EIP-4844 blob space on the L2 at a fraction of Ethereum L1 cost. Verification works identically because the commitment format is chain-independent. For rollups that post transaction data to Ethereum L1, the commitment inherits Ethereum's settlement guarantees while benefiting from L2-level transaction costs — typically 10 to 100 times cheaper than L1 anchoring. No additional integration is required beyond writing 32 bytes of calldata.
Bridges move assets or messages between chains, creating trust dependencies on bridge operators, relayers, and validator sets. Every major bridge hack in crypto history exploited these trust dependencies. Chain-agnostic privacy does not move anything between chains. It anchors a 32-byte commitment on any chain and verifies against the same attestation bundle regardless of where the commitment lives. There is no bridge operator, no relayer, no multisig, and no validator set beyond the destination chain's own consensus mechanism. The attack surface is limited to the mathematics of SHA3-256 and the three PQ signature families.
No. Only 32 bytes are stored on-chain. The full STARK proof, the three post-quantum signatures, and the complete attestation metadata are stored off-chain — either in the H33 cache layer or in any storage system you control. On-chain storage holds only the SHA3-256 commitment hash. This design keeps anchoring costs constant and minimal regardless of proof complexity, while providing the same verifiability as if the full proof were stored on-chain. The commitment is cryptographically binding: any modification to the off-chain data produces a different hash that will not match the on-chain value.