What Continuous Attestation Means
Attestation, in its precise cryptographic sense, is the production of a signed, verifiable statement binding a specific piece of evidence to a specific point in time. Continuous attestation extends this to every state transition in a system, without exception.
The word "continuous" is not metaphorical. It does not mean "frequent." It does not mean "every hour" or "every five minutes." It means that the attestation pipeline fires on every observable state change: every configuration mutation, every policy update, every agent action, every access decision, every data transformation. If the system's state changed, there is a receipt. If there is no receipt, the state did not change through authorized channels.
This is a fundamentally different assurance model than periodic auditing. Periodic auditing samples system state at intervals and hopes that nothing went wrong between samples. Continuous attestation makes the absence of evidence structurally impossible by binding evidence production to the state transition mechanism itself.
The Attestation Pipeline
H33's attestation pipeline has five stages. Each stage is deterministic. Given the same input, every stage produces byte-identical output regardless of which machine, which language, or which implementation executes it.
Stage 1: Detect
The detection layer monitors system state surfaces for transitions. This is not log scraping. Detection is integrated into the state mutation pathway itself. When a configuration value changes, when an agent executes an action, when a policy boundary is crossed, the detection hook fires before the mutation commits.
Detection produces a state transition record: a structured object containing the pre-state hash, the post-state hash, the transition type, the actor identity, and the timestamp. This record is the input to the attestation pipeline.
Stage 2: Hash
The state transition record is canonicalized (deterministic field ordering, no whitespace ambiguity, no floating-point representation variance) and hashed with SHA3-256. SHA3 is used rather than SHA-256 because SHA3 is a sponge construction with no length extension vulnerability, making it suitable for domain-separated hashing without HMAC wrapping.
The hash also incorporates the previous attestation's hash, creating a chain. This is the mechanism that makes retroactive tampering detectable: modifying any historical attestation invalidates every subsequent chain link.
canonical_input = serialize_deterministic(transition_record)
chain_input = previous_attestation_hash || canonical_input
attestation_hash = SHA3-256(domain_separator || chain_input)
Stage 3: Sign
The attestation hash is signed using three independent post-quantum signature families simultaneously:
- ML-DSA-65 (NIST FIPS 204) — Module-Lattice Digital Signature Algorithm. Security relies on the hardness of the Module Learning With Errors (MLWE) problem. Signature size: 3,309 bytes.
- FALCON-512 — Fast Fourier Lattice-based Compact Signatures over NTRU. Security relies on the hardness of the Short Integer Solution problem over NTRU lattices. Signature size: ~690 bytes.
- SLH-DSA-SHA2-128f (NIST FIPS 205) — Stateless hash-based signatures. Security relies solely on the collision resistance of the underlying hash function. Signature size: 17,088 bytes.
Three independent mathematical hardness assumptions. An attacker must break all three simultaneously to forge a single attestation. Breaking MLWE does not help with NTRU. Breaking NTRU does not help with hash collision resistance. This is defense in depth at the mathematical level.
Stage 4: Chain
The signed attestation is appended to the attestation chain. The chain is an append-only data structure where each entry references its predecessor by hash. The chain state is maintained in memory for the active session and persisted to durable storage.
Chain integrity can be verified by any party with access to the chain: start at any attestation, walk backward by following predecessor hashes, and verify that each hash matches the recomputed hash of its predecessor's content. If any entry has been modified, the chain breaks at that point.
Stage 5: Anchor
Periodically (configurable, default every 60 seconds), the current chain head is anchored to an external immutable store. In the H33 production deployment, the anchor target is the Bitcoin network via the Substrate attestation endpoint. The anchor consists of a 74-byte H33-74 proof bundle: 32 bytes on-chain, 42 bytes in Cachee.
Anchoring creates a publicly verifiable timestamp. Anyone can verify that the attestation chain existed in its current state at the anchor time by checking the on-chain record. This prevents an operator from silently rewriting attestation history.
Why Periodic Audits Fail
The failure mode of periodic auditing is not that auditors are incompetent. It is that the information-theoretic structure of periodic sampling cannot prove what happened between samples.
Consider a SOC 2 Type II audit. The auditor examines a sample of controls over a period (typically 6-12 months). They select a subset of events, verify that those events show the controls operating effectively, and issue a report. The report says: "Based on our examination, the controls were operating effectively."
What the report cannot say: "Nothing went wrong between the events we examined." Because the auditor did not observe those intervals. They cannot. The audit methodology is structurally incapable of making that claim.
| Property | Periodic Audit | Continuous Attestation |
|---|---|---|
| Coverage | Sampled subset of events | Every state transition, no exceptions |
| Gap risk | Unlimited between samples | Zero — no unattested transitions possible |
| Tamper evidence | Relies on log integrity (assumed) | Cryptographic chain — tamper breaks chain hash |
| Verification model | Trust the auditor | Independent mathematical verification |
| Latency | Weeks to months for report | 42 microseconds per attestation |
| Evidence lifespan | Until next audit cycle | Cryptographically verifiable indefinitely |
| Quantum resistance | RSA/ECDSA signatures expire | Three PQ families, independent hardness |
The Three-Family Architecture
Using a single post-quantum signature family is a bet on a single mathematical problem remaining hard. H33 does not make that bet.
The three-family architecture means that attestation evidence remains valid unless lattice problems (two independent families: MLWE and NTRU) and hash collision resistance are all broken simultaneously. These are three independent areas of mathematics. A breakthrough in one does not imply progress in the others.
Each attestation receipt carries all three signatures. Verification checks all three. The attestation is valid only if all three signatures verify. This means the security guarantee is the conjunction of three independent assumptions, not the disjunction.
Independence matters. ML-DSA and FALCON both use lattice structures but rely on different hardness assumptions (MLWE vs. NTRU-SIS). SLH-DSA uses no lattice mathematics at all. A lattice-specific quantum algorithm would not affect hash-based signatures. A hash collision breakthrough would not affect lattice signatures.
Performance: Not a Tradeoff
The conventional assumption is that stronger cryptography means slower execution. H33's pipeline demonstrates otherwise.
The attestation pipeline processes 24.79 million attestations per second on production hardware. This is not a theoretical peak. It is a measured, sustained throughput over 30-second benchmarking runs on a Graviton4 c8g.metal-48xl instance (192 vCPUs, 371 GiB RAM).
Per-attestation latency is 42 microseconds. This includes SHA3-256 hashing, all three PQ signature generations, all three verifications, and chain extension. The FHE batch stage (BFV inner product for 32 users) takes 943 microseconds. Batch attestation (SHA3 + Dilithium sign + verify) takes 391 microseconds. Cached ZKP lookup takes 0.358 microseconds.
These numbers mean that continuous attestation can be deployed in latency-sensitive production paths without measurable impact on user experience. A 42-microsecond overhead is invisible in any system where network round-trip time is measured in milliseconds.
Chain Integrity and Tamper Detection
The attestation chain is not a log. It is a cryptographic data structure with a specific integrity property: any modification to any entry is detectable by any verifier with access to the chain.
This works because each attestation includes the hash of the previous attestation in its signed content. To modify attestation N, an attacker must also re-sign attestation N+1 (because its chain hash would change), which requires re-signing N+2, and so on through the entire chain. The attacker cannot re-sign without the private keys for all three PQ signature families.
And even if they could re-sign the entire chain, the periodic on-chain anchors create external checkpoints. The anchor hash published to Bitcoin at time T cannot be retroactively changed. If the rewritten chain does not match the anchor, the tampering is detected.
This creates a layered defense: chain hashing for immediate detection, PQ signatures for forgery resistance, and on-chain anchoring for external checkpoint verification.
Frequently Asked Questions
What is continuous attestation?
Continuous attestation generates a cryptographic receipt for every state change in a system. Each receipt includes a SHA3-256 hash of the state transition, a post-quantum digital signature from three independent families, and a chain link to the previous attestation. This creates an immutable, independently verifiable evidence chain with no gaps.
How fast is H33's continuous attestation pipeline?
24.79 million attestations per second on production hardware (Graviton4 c8g.metal-48xl, 192 vCPUs). Per-attestation latency is approximately 42 microseconds including hashing, signing with three PQ families, verification, and chain extension.
Why do periodic audits fail to prove integrity?
Periodic audits sample system state at intervals. Between samples, any number of state changes can occur without evidence. A clean audit report cannot prove compliance during unobserved periods. Continuous attestation eliminates this structural gap by binding evidence production to the state transition mechanism itself.
What post-quantum signature families does H33 use?
Three independent families: ML-DSA-65 (NIST FIPS 204, MLWE hardness), FALCON-512 (NTRU lattice hardness), and SLH-DSA-SHA2-128f (NIST FIPS 205, hash-based). An attestation is valid only if all three verify, meaning all three mathematical hardness assumptions must be broken simultaneously to forge evidence.
How does attestation chaining prevent tampering?
Each attestation includes the hash of its predecessor. Modifying any attestation invalidates all subsequent chain hashes. Even if an attacker could recompute the chain, periodic on-chain anchors (74-byte H33-74 proof bundles to Bitcoin) create external checkpoints that cannot be retroactively altered.