BenchmarksStack RankingHICS (Free)
H33-VaultH33-ShareH33-ShieldH33-HealthH33-KeyH33-128H33-CKKSH33-256H33-FHE-IQFHE OverviewH33-CompileZK LookupsBiometricsH33-3-KeyH33-MPCZK-TrustlessZK-PhishZK-VerifyPQC ArchitecturePQ VideoStorage EncryptionAI DetectionEncrypted Search
APIsPricingDocsWhite PaperTokenBlogAboutSecurity Demo
Log InGet API Key
Post-Quantum · Shipped in Production

Post-Quantum Cryptography —
Shipped, Not Planned

Nested hybrid signatures. Graceful degradation. Algorithm-agnostic identity. 108 patent claims.

Get API Key Read the Docs

The Single-Algorithm Trap

Every post-quantum vendor ships Dilithium and calls it done. But what if Dilithium has a backdoor? What if lattice-based cryptography breaks? Your identity tokens, signed with a single algorithm, become worthless overnight.

H33 solves this with nested hybrid signatures: two or three algorithms from independent mathematical families, composed in a dependency chain that preserves identity even if one layer fails.

Signature Tiers

Four levels of post-quantum protection.

Choose the security tier that matches your threat model. Every tier uses nested composition, not simple concatenation.

Dev / Testing
H0
Single Dilithium. For development and testing environments only.
  • AlgorithmsDilithium-3
  • Sig Size2,420 B
  • Sign~92 µs
  • DiversityNone
Dev/testing only. No algorithm diversity.
Production
H33
Nested Ed25519 + Dilithium. Production default with classical + lattice diversity.
  • AlgorithmsEd25519 + Dilithium
  • Sig Size2,484 B
  • Sign~142 µs
  • Diversity2 families
Production default. Recommended for most deployments.
H-256-L
Triple nested with FALCON-512. Lattice-redundant for maximum lattice coverage.
  • AlgorithmsEd25519 + Dilithium + FALCON
  • Sig Size~4,063 B
  • Sign~2 ms
  • Diversity2 families (lattice redundant)
Lattice-redundant. Two independent lattice constructions.
Max Diversity
H-256-H
Triple nested with SPHINCS+. Maximum mathematical family diversity.
  • AlgorithmsEd25519 + Dilithium + SPHINCS+
  • Sig Size~11,229 B
  • Sign~14 ms
  • Diversity3 families (max)
Maximum diversity. ECC + lattice + hash-based.
Deep Dive

Nested signing, not concatenated.

The outer signature attests that the inner signature existed at sign time. This creates a cryptographic dependency chain that concatenated signatures cannot achieve.

Layer 1
Ed25519 signs payload
Layer 2
Dilithium signs (payload + Layer 1 sig)
Verify
AND logic — both must pass

Temporal binding: Because the outer Dilithium signature covers both the original payload and the inner Ed25519 signature, the outer layer attests that the inner signature existed at sign time. A forger cannot produce a valid outer signature without first having a valid inner signature.

Why concatenated is weaker

Concatenated signatures (Ed25519_sig || Dilithium_sig) sign the same payload independently. An attacker who breaks one algorithm can replace that signature without affecting the other. There is no dependency chain — no temporal binding — and no way for the surviving algorithm to detect the forgery. Nested signing makes the outer signature invalid if the inner is forged.

nested-sign.js
JavaScript
// 1. Generate a nested hybrid signature (H33 tier)
const { signature, metadata } = await h33.pqc.sign({
  payload: documentHash,
  tier: 'H33',          // Ed25519 + Dilithium nested
  privateKeys: keyPair,
});
// signature.size = 2,484 bytes | sign.time = ~142µs

// 2. Verify — AND logic: both layers must pass
const valid = await h33.pqc.verify({
  payload: documentHash,
  signature,
  publicKeys: keyPair.public,
});
// valid = true only if BOTH Ed25519 AND Dilithium pass

// 3. Upgrade to H-256-H for maximum diversity
const maxSig = await h33.pqc.sign({
  payload: documentHash,
  tier: 'H-256-H',      // Ed25519 + Dilithium + SPHINCS+
  privateKeys: tripleKeyPair,
});
// maxSig.size = ~11,229 bytes | 3 math families
Soulbound Identity

Non-transferable identity tokens.

On-chain identity bound to biometrics. No transfer function. Guardian recovery with 3-of-5 threshold nested hybrid signatures.

SoulboundIdentityToken

biometric_commitment Poseidon2 hash of biometric template, 32 bytes
public_keys Ed25519 + Dilithium public keys
guardian_commitments 3-of-5 threshold guardian hashes
revocation_root Merkle root for revocation checks
mint_signature Nested hybrid signature (H33 or H-256-H)

Non-transferable by design

The smart contract has no transfer function. The token is permanently bound to the biometric commitment and public key pair that minted it. There is no mechanism to reassign ownership — this is not a limitation, it is the core security property.

Guardian recovery: 3-of-5 threshold

If a user loses access to their keys, 3 of 5 pre-designated guardians can authorize key rotation. Each guardian signs the recovery request with their own nested hybrid signature. The smart contract verifies all guardian signatures and the threshold before executing rotation. Biometric commitment remains unchanged — the person is the identity.

Resilience

Graceful cryptographic degradation.

Algorithm-agnostic identity means your system survives a quantum break. No token re-issuance. No biometric re-enrollment.

"If Dilithium breaks tomorrow:"
  • 1

    Vulnerability detected

    Threat intelligence feed identifies a lattice-based cryptographic break affecting Dilithium key recovery or signature forgery.

  • 2

    Verification shifts to Ed25519-only

    Verification logic immediately falls back to the surviving inner signature (Ed25519). Sub-microsecond verification. No downtime.

  • 3

    Re-sign outer layer with replacement algorithm

    System re-signs the outer layer with a replacement algorithm (FALCON-512 or SPHINCS+) from a different mathematical family.

  • 4

    Identity preserved

    No token re-issuance. No biometric re-enrollment. The identity token's biometric commitment and inner signature remain valid. Only the outer cryptographic layer rotates.

Zero downtime. Zero re-enrollment. Identity survives a quantum break.

Side-Channel Resistance

Constant-Time Everything: Why Cache Timing Can't Touch H33

In 2005, Colin Percival demonstrated at BSDCan that a spy process sharing the same L1 data cache could extract ~310 bits from each 512-bit CRT exponent during a single RSA signing operation. This cache-timing attack — later formalized by Osvik, Shamir, and Tromer at CT-RSA 2006 — showed that any cryptographic implementation with secret-dependent memory access patterns is vulnerable. H33 eliminates this attack surface across every algorithm in the stack.

Constant-Time

Ed25519 (dalek)

The dalek library uses radix-16 scalar representation with conditional move (ct_select) for all table lookups. Every lookup touches the same cache lines regardless of the scalar bit value. No branching on secret key material. Timing-safe by construction.

Constant-Time

Dilithium NTT

Barrett and Montgomery reduction use fixed arithmetic paths with no branches on coefficient values. Rejection sampling in the signing loop discards entire attempts (not individual coefficients), and the signing loop is padded to a constant iteration count to prevent timing leakage through loop count variation.

Isolated

FALCON (ffSampling)

FALCON's ffSampling has inherent secret-dependent timing variation due to floating-point precision and tree-traversal depth. H33 isolates FALCON to a dedicated attestation service with exclusive physical-core allocation. FALCON is only used for one-time operations (SBT minting, key management) — never in the hot authentication path.

Inherently Safe

SPHINCS+ (Hash-Based)

SPHINCS+ is inherently constant-time. WOTS+ and FORS leaf computations use secret-dependent hash inputs, but the hash functions themselves (SHA3-256) are constant-time by nature. SPHINCS+ is the default for SBT minting at H-256-H tier for maximum side-channel resistance alongside maximum algorithm diversity.

FHE Protected

BFV Biometric Matching

Biometric matching runs entirely inside BFV fully homomorphic encryption. The plaintext biometric template is never loaded into memory and never touches the CPU cache. A spy process observing cache access patterns sees only polynomial arithmetic over Ring-LWE coefficients — statistically indistinguishable from random memory access.

FHE Protected

CKKS Encrypted ML

CKKS approximate arithmetic FHE runs ML inference, scoring, and analytics on encrypted floating-point data. Complex number encoding via canonical embedding means the computation operates on noise-masked lattice elements — no plaintext values touch memory. Full bootstrapping enables unlimited multiplicative depth without decryption.

Intelligent Routing

FHE-IQ — Adaptive Multi-Backend Routing

FHE-IQ automatically selects the optimal FHE backend — BFV-64, CKKS, or BFV-32 — based on workload type, security tier, and hardware platform. A two-phase policy router (hard filters + weighted scoring) makes its decision in under 500 nanoseconds. All three backends are lattice-based and post-quantum secure. Session-sticky ciphertexts ensure cryptographic correctness across the session lifetime.

References: Percival, "Cache missing for fun and profit," BSDCan 2005. Osvik, Shamir, Tromer, "Cache Attacks and Countermeasures: the Case of AES," CT-RSA 2006.

Algorithm Reference

Complete algorithm comparison.

Every cryptographic algorithm in the H33 stack — signatures, FHE schemes, and key exchange — with key sizes, performance, NIST security levels, and tier assignments.

Algorithm Family Hardness Key Size Sig Size Sign Verify NIST H33 Tier
Ed25519 ECC ECDLP (Curve25519) 32 B 64 B 52 µs 32 µs All hybrid
Dilithium-2 Lattice MLWE / MSIS 1,312 B 2,420 B 92 µs 39 µs L2 H0, H1
Dilithium-3 Lattice MLWE / MSIS 1,952 B 3,293 B 132 µs 56 µs L3 H33
Dilithium-5 Lattice MLWE / MSIS 2,592 B 4,595 B 200 µs 83 µs L5 H-256
FALCON-512 Lattice / NTRU NTRU-SIS 897 B 690 B 1.5 ms 0.5 ms L1 H-256-L
SPHINCS+-128s Hash-Based Hash collision / preimage 32 B 7,856 B 12 ms 0.2 ms L1 H-256-H
H33 BFV (u64) FHE Ring-LWE / RLWE ~1.2 MB ~32 KB/ct 0.42 ms 0.33 ms L1–L5 H0–H256
H33 CKKS (f64) FHE Ring-LWE / RLWE ~1.5 MB ~64 KB/ct 45.2 µs ~0.3 ms L1–L3 H0–H33
H33 BFV-32 (u32) FHE Ring-LWE / RLWE ~600 KB ~16 KB/ct ~0.2 ms ~0.15 ms L1 H0–H1
Intellectual Property

108 patent claims. Fully protected.

Comprehensive patent coverage across nested signatures, soulbound identity, graceful degradation, and guardian recovery.

Nested Signature Composition

Methods for composing two or more digital signatures from independent mathematical families in a dependency chain, where each outer signature covers the payload and all inner signatures.

Claims 21–27

Non-Transferable Identity Tokens

On-chain identity token methods bound to biometric commitments with no transfer function. Smart contract enforced non-transferability.

Claims 28–31

Graceful Cryptographic Degradation

Systems and methods for detecting algorithm compromise and automatically falling back to surviving signature layers without token re-issuance.

Claims 23, 30, 32

Dual-Committed Guardian Recovery

Threshold-based key recovery using guardian commitments, where each guardian's recovery authorization is itself signed with nested hybrid signatures.

Claims 25–26, 31

Lattice-Redundant Triple Signing

Methods for triple-nested signatures incorporating FALCON alongside Dilithium for lattice-redundant protection from independent NTRU and MLWE hardness.

Claim 33

Computer-Readable Medium

Non-transitory computer-readable medium containing instructions for implementing the complete nested hybrid signature and soulbound identity system.

Claim 32
33
Patent claims covering the H33 post-quantum identity stack
FAQ

Frequently Asked Questions

What is a nested hybrid signature?
An inner Ed25519 signature wrapped inside an outer Dilithium signature. If quantum computers break Ed25519, the Dilithium layer remains secure. If Dilithium has an undiscovered weakness, Ed25519 still protects.
Why not just use Dilithium alone?
Dilithium is new (NIST standardized 2024). Ed25519 has 10+ years of cryptanalysis. Nesting provides defense-in-depth: neither algorithm's failure compromises the system.
What are the four signature tiers?
Tier 1: Ed25519 only (classical). Tier 2: Dilithium-3 only (PQ). Tier 3: Nested hybrid Ed25519 + Dilithium-3 (recommended). Tier 4: Nested hybrid Ed25519 + Dilithium-5 (maximum security).
What is "graceful degradation"?
If one algorithm is compromised, the system automatically falls back to the remaining secure algorithm. No code changes, no downtime. The nested structure makes this possible.
How does algorithm-agnostic identity work?
Your identity (public key hash) is derived from the nested signature, not from either individual algorithm. When NIST approves new PQ algorithms, H33 can swap the inner/outer algorithms without changing your identity.
What is the signature size overhead?
Nested hybrid: Ed25519 (64 bytes) + Dilithium-3 (3,293 bytes) = ~3.4 KB total. Compared to Dilithium-3 alone (3,293 bytes), the Ed25519 layer adds only 64 bytes.
How does H33 protect against side-channel attacks?
Constant-time implementations for both Ed25519 and Dilithium. Memory zeroization (Zeroize + ZeroizeOnDrop). No branch-dependent timing in the signing path.
What are Soulbound Tokens (SBTs) and how do they relate?
SBTs are non-transferable on-chain identity tokens. H33 uses Dilithium-signed SBTs on Solana as immutable audit trails. Each authentication event can be attested on-chain.
Are the 108 patent claims specific to PQC?
The patent portfolio covers: nested hybrid signature composition, graceful degradation protocols, algorithm-agnostic identity binding, FHE-based biometric processing, and ZK-compressed attestation logging.
When will quantum computers actually threaten current cryptography?
NIST estimates 2030–2035 for cryptographically relevant quantum computers. The "harvest now, decrypt later" threat means sensitive data encrypted today with classical algorithms is already at risk.

Post-quantum identity, shipped today.

Nested hybrid signatures. Soulbound tokens. Graceful degradation. One API call. Zero license fees.

Get API Key → Read the Docs

View Per-Auth Pricing →

FIPS 203/204 Compliant
NIST PQC Standards
114 Patent Claims
3 FHE Engines (BFV + CKKS + BFV-32)
FHE-IQ Intelligent Routing → Verify our benchmarks →
Verify It Yourself