Security Parameters Appendix

BFV operates on polynomial rings R_Q = Z_Q[X]/(X^N + 1), where N is the polynomial degree, Q is the ciphertext modulus, and t is the plaintext modulus. Security depends primarily on the ratio N/log2(Q) -- larger N and smaller Q yield higher security. H33 provides five tiers, each targeting a specific use case and NIST security level.

The production pipeline uses H33-128 (biometric_fast mode) for high-throughput authentication, achieving 2,209,429 auth/sec sustained on Graviton4 hardware. Higher tiers are available for applications requiring NIST Level 5 security or larger computation depth.

CKKS encodes complex numbers into polynomial coefficients with a scaling factor (Delta). Each multiplication consumes one level of the modulus chain, so the number of available levels determines the maximum multiplicative depth. Rescaling after each multiplication maintains precision by reducing the ciphertext modulus.

H33-CKKS supports configurable precision from 20-bit to 50-bit mantissa accuracy, depending on the tier and depth requirements. The H33-CKKS engine page provides detailed benchmarks for each tier on Graviton4 hardware.

TFHE operates on the torus T = R/Z. Each gate operation (AND, OR, XOR, NAND, NOR, XNOR, NOT) produces a ciphertext with bounded noise. Programmable Bootstrapping (PBS) resets the noise to a fixed level while applying a lookup table, enabling unbounded computation depth. H33-TFHE includes multi-bit optimizations for 8-bit, 16-bit, 32-bit, and 64-bit integer operations.

ML-DSA-65 (formerly CRYSTALS-Dilithium Level 3) is the first of H33's three post-quantum signature families. It provides NIST Security Level 3, meaning it offers at least as much security against quantum attacks as AES-192 does against classical attacks. ML-DSA is the mandatory signature algorithm in NIST FIPS 204 and is expected to see the broadest adoption across government and industry.

ML-KEM-1024 (formerly CRYSTALS-Kyber-1024) provides NIST Security Level 5 key encapsulation, ensuring that key exchange remains secure even against the most powerful quantum adversaries. H33 uses ML-KEM-1024 for all session key establishment, API key exchange, and inter-service key agreement within the post-quantum API infrastructure.

FALCON-512 is based on the NTRU lattice problem, which is mathematically independent from the Module-LWE problem underlying ML-DSA. This independence is critical for H33's defense-in-depth strategy: even if a future cryptanalytic breakthrough compromises MLWE, FALCON's NTRU-based security remains intact. FALCON produces the most compact signatures of H33's three families, making it particularly valuable for bandwidth-constrained applications.

SLH-DSA (formerly SPHINCS+) is unique among H33's signature families because its security depends only on the properties of the underlying hash function (SHA-256 in this configuration), not on any structured mathematical problem. If hash functions remain secure, SLH-DSA remains secure -- regardless of advances in lattice cryptanalysis or quantum computing. This makes it the ultimate fallback in H33's defense-in-depth strategy.

The "-128f" variant is optimized for fast signing at NIST Level 1 security. The "f" designation indicates the "fast" parameter set, which trades larger signature sizes for faster signing speed. H33 uses the SHA2 variant for compatibility with the OpenSSL SHA-256 acceleration shim deployed on Graviton4 (4.33x speedup vs. generic implementation).

Every hash computation in H33's infrastructure includes a domain separator prefix that identifies the context of the operation. This prevents an attacker from using a hash computed in one context (e.g., an attestation transcript) as a valid hash in another context (e.g., a key derivation). Domain separators are frozen as part of H33's protocol stability guarantee and cannot be modified without a major version increment.