Post-Quantum · Shipped in Production

Post-Quantum Cryptography — Shipped, Not Planned

Nested hybrid signatures. Graceful degradation. Algorithm-agnostic identity. 33 patent claims.

The Single-Algorithm Trap

Every post-quantum vendor ships Dilithium and calls it done. But what if Dilithium has a backdoor? What if lattice-based cryptography breaks? Your identity tokens, signed with a single algorithm, become worthless overnight.

H33 solves this with nested hybrid signatures: two or three algorithms from independent mathematical families, composed in a dependency chain that preserves identity even if one layer fails.

Four levels of post-quantum protection.

Choose the security tier that matches your threat model. Every tier uses nested composition, not simple concatenation.

Dev / Testing
H0
Single Dilithium. For development and testing environments only.
  • Algorithms: Dilithium-3
  • Sig Size: 2,420 B
  • Sign: ~92 µs
  • Diversity: None
Dev/testing only. No algorithm diversity.
H-256-L
Triple nested with FALCON-512. Lattice-redundant for maximum lattice coverage.
  • Algorithms: Ed25519 + Dilithium + FALCON
  • Sig Size: ~4,063 B
  • Sign: ~2 ms
  • Diversity: 2 families (lattice redundant)
Lattice-redundant. Two independent lattice constructions.
Max Diversity
H-256-H
Triple nested with SPHINCS+. Maximum mathematical family diversity.
  • Algorithms: Ed25519 + Dilithium + SPHINCS+
  • Sig Size: ~11,229 B
  • Sign: ~14 ms
  • Diversity: 3 families (max)
Maximum diversity. ECC + lattice + hash-based.

Nested signing, not concatenated.

The outer signature attests that the inner signature existed at sign time. This creates a cryptographic dependency chain that concatenated signatures cannot achieve.

Layer 1: Ed25519 signs payload
Layer 2: Dilithium signs (payload + Layer 1 sig)
Verify: AND logic — both must pass

Temporal binding: Because the outer Dilithium signature covers both the original payload and the inner Ed25519 signature, the outer layer attests that the inner signature existed at sign time. A forger cannot produce a valid outer signature without first having a valid inner signature.

Why concatenated is weaker

Concatenated signatures (Ed25519_sig || Dilithium_sig) sign the same payload independently. An attacker who breaks one algorithm can replace that signature without affecting the other. There is no dependency chain — no temporal binding — and no way for the surviving algorithm to detect the forgery. Nested signing makes the outer signature invalid if the inner is forged.
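The dependency described above, as an added example that is not H33's code: it builds both compositions with Node's built-in crypto and reports each layer's result after the inner signature is altered. Assumptions: ECDSA P-256 stands in for Dilithium as the outer layer, and `frame`, `signNested`, `signConcatenated`, `verifyLayers` and `alterInner` are hypothetical names.

```javascript
const { generateKeyPairSync, sign, verify } = require('node:crypto');

// Constructed keys. ASSUMPTION: ECDSA P-256 stands in for Dilithium as the
// outer layer so the example runs on Node's built-in crypto alone.
const inner = generateKeyPairSync('ed25519');
const outer = generateKeyPairSync('ec', { namedCurve: 'P-256' });

// Length-prefix each field so (payload, innerSig) has one unambiguous encoding.
function frame(...parts) {
  return Buffer.concat(parts.flatMap((p) => {
    const len = Buffer.alloc(4);
    len.writeUInt32BE(p.length);
    return [len, p];
  }));
}

// Nested: layer 2 signs the payload AND the layer 1 signature.
function signNested(payload) {
  const innerSig = sign(null, payload, inner.privateKey);
  const outerSig = sign('sha256', frame(payload, innerSig), outer.privateKey);
  return { innerSig, outerSig };
}

// Concatenated: both layers sign the same payload independently.
function signConcatenated(payload) {
  return {
    innerSig: sign(null, payload, inner.privateKey),
    outerSig: sign('sha256', payload, outer.privateKey),
  };
}

// Check each layer separately; `valid` is the AND of both.
function verifyLayers(mode, payload, { innerSig, outerSig }) {
  const outerMsg = mode === 'nested' ? frame(payload, innerSig) : payload;
  const innerOk = verify(null, payload, inner.publicKey, innerSig);
  const outerOk = verify('sha256', outerMsg, outer.publicKey, outerSig);
  return { innerOk, outerOk, valid: innerOk && outerOk };
}

// Return a copy of the signature pair whose inner signature has one bit changed.
function alterInner(sigPair) {
  const innerSig = Buffer.from(sigPair.innerSig);
  innerSig[0] ^= 0x01;
  return { ...sigPair, innerSig };
}
```

With an altered inner signature, the nested outer layer fails as well, while the concatenated outer layer still verifies because it never covered the inner signature.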

nested-sign.js (JavaScript)
// 1. Generate a nested hybrid signature (H33 tier)
const { signature, metadata } = await h33.pqc.sign({
  payload: documentHash,
  tier: 'H33',          // Ed25519 + Dilithium nested
  privateKeys: keyPair,
});
// signature.size = 2,484 bytes | sign.time = ~142µs

// 2. Verify — AND logic: both layers must pass
const valid = await h33.pqc.verify({
  payload: documentHash,
  signature,
  publicKeys: keyPair.public,
});
// valid = true only if BOTH Ed25519 AND Dilithium pass

// 3. Upgrade to H-256-H for maximum diversity
const maxSig = await h33.pqc.sign({
  payload: documentHash,
  tier: 'H-256-H',      // Ed25519 + Dilithium + SPHINCS+
  privateKeys: tripleKeyPair,
});
// maxSig.size = ~11,229 bytes | 3 math families

Non-transferable identity tokens.

On-chain identity bound to biometrics. No transfer function. Guardian recovery with 3-of-5 threshold nested hybrid signatures.

SoulboundIdentityToken

  • biometric_commitment: Poseidon2 hash of biometric template, 32 bytes
  • public_keys: Ed25519 + Dilithium public keys
  • guardian_commitments: 3-of-5 threshold guardian hashes
  • revocation_root: Merkle root for revocation checks
  • mint_signature: Nested hybrid signature (H33 or H-256-H)

Non-transferable by design

The smart contract has no transfer function. The token is permanently bound to the biometric commitment and public key pair that minted it. There is no mechanism to reassign ownership — this is not a limitation, it is the core security property.

Guardian recovery: 3-of-5 threshold

If a user loses access to their keys, 3 of 5 pre-designated guardians can authorize key rotation. Each guardian signs the recovery request with their own nested hybrid signature. The smart contract verifies all guardian signatures and the threshold before executing rotation. Biometric commitment remains unchanged — the person is the identity.

Graceful cryptographic degradation.

Algorithm-agnostic identity means your system survives a quantum break. No token re-issuance. No biometric re-enrollment.

"If Dilithium breaks tomorrow:"
  1. Vulnerability detected

     Threat intelligence feed identifies a lattice-based cryptographic break affecting Dilithium key recovery or signature forgery.

  2. Verification shifts to Ed25519-only

     Verification logic immediately falls back to the surviving inner signature (Ed25519). Sub-microsecond verification. No downtime.

  3. Re-sign outer layer with replacement algorithm

     System re-signs the outer layer with a replacement algorithm (FALCON-512 or SPHINCS+) from a different mathematical family.

  4. Identity preserved

     No token re-issuance. No biometric re-enrollment. The identity token's biometric commitment and inner signature remain valid. Only the outer cryptographic layer rotates.

Zero downtime. Zero re-enrollment. Identity survives a quantum break.

Constant-Time Everything: Why Cache Timing Can't Touch H33

In 2005, Colin Percival demonstrated at BSDCan that a spy process sharing the same L1 data cache could extract ~310 bits from each 512-bit CRT exponent during a single RSA signing operation. This cache-timing attack — later formalized by Osvik, Shamir, and Tromer at CT-RSA 2006 — showed that any cryptographic implementation with secret-dependent memory access patterns is vulnerable. H33 eliminates this attack surface across every algorithm in the stack.

Constant-Time

Ed25519 (dalek)

The dalek library uses radix-16 scalar representation with conditional move (ct_select) for all table lookups. Every lookup touches the same cache lines regardless of the scalar bit value. No branching on secret key material. Timing-safe by construction.

Constant-Time

Dilithium NTT

Barrett and Montgomery reduction use fixed arithmetic paths with no branches on coefficient values. Rejection sampling in the signing loop discards entire attempts (not individual coefficients), and the signing loop is padded to a constant iteration count to prevent timing leakage through loop count variation.

Isolated

FALCON (ffSampling)

FALCON's ffSampling has inherent secret-dependent timing variation due to floating-point precision and tree-traversal depth. H33 isolates FALCON to a dedicated attestation service with exclusive physical-core allocation. FALCON is only used for one-time operations (SBT minting, key management) — never in the hot authentication path.

Inherently Safe

SPHINCS+ (Hash-Based)

SPHINCS+ is inherently constant-time. WOTS+ and FORS leaf computations use secret-dependent hash inputs, but the hash functions themselves (SHA3-256) are constant-time by nature. SPHINCS+ is the default for SBT minting at H-256-H tier for maximum side-channel resistance alongside maximum algorithm diversity.

FHE Protected

Biometric Matching (BFV FHE)

Biometric matching runs entirely inside BFV fully homomorphic encryption. The plaintext biometric template is never loaded into memory and never touches the CPU cache. A spy process observing cache access patterns sees only polynomial arithmetic over Ring-LWE coefficients — statistically indistinguishable from random memory access. The biometric data cannot be extracted from the computation trace.

References: Percival, "Cache missing for fun and profit," BSDCan 2005. Osvik, Shamir, Tromer, "Cache Attacks and Countermeasures: the Case of AES," CT-RSA 2006.

Complete algorithm comparison.

Every signature algorithm in the H33 stack with key sizes, performance, NIST security levels, and tier assignments.

| Algorithm | Family | Hardness | Key Size | Sig Size | Sign | Verify | NIST | H33 Tier |
|---|---|---|---|---|---|---|---|---|
| Ed25519 | ECC | ECDLP (Curve25519) | 32 B | 64 B | 52 µs | 32 µs | | All hybrid |
| Dilithium-2 | Lattice | MLWE / MSIS | 1,312 B | 2,420 B | 92 µs | 39 µs | L2 | H0, H1 |
| Dilithium-3 | Lattice | MLWE / MSIS | 1,952 B | 3,293 B | 132 µs | 56 µs | L3 | H33 |
| Dilithium-5 | Lattice | MLWE / MSIS | 2,592 B | 4,595 B | 200 µs | 83 µs | L5 | H-256 |
| FALCON-512 | Lattice / NTRU | NTRU-SIS | 897 B | 690 B | 1.5 ms | 0.5 ms | L1 | H-256-L |
| SPHINCS+-128s | Hash-Based | Hash collision / preimage | 32 B | 7,856 B | 12 ms | 0.2 ms | L1 | H-256-H |

33 patent claims. Fully protected.

Comprehensive patent coverage across nested signatures, soulbound identity, graceful degradation, and guardian recovery.

Nested Signature Composition

Methods for composing two or more digital signatures from independent mathematical families in a dependency chain, where each outer signature covers the payload and all inner signatures.

Claims 21–27

Non-Transferable Identity Tokens

On-chain identity token methods bound to biometric commitments with no transfer function. Smart contract enforced non-transferability.

Claims 28–31

Graceful Cryptographic Degradation

Systems and methods for detecting algorithm compromise and automatically falling back to surviving signature layers without token re-issuance.

Claims 23, 30, 32

Dual-Committed Guardian Recovery

Threshold-based key recovery using guardian commitments, where each guardian's recovery authorization is itself signed with nested hybrid signatures.

Claims 25–26, 31

Lattice-Redundant Triple Signing

Methods for triple-nested signatures incorporating FALCON alongside Dilithium for lattice-redundant protection from independent NTRU and MLWE hardness.

Claim 33

Computer-Readable Medium

Non-transitory computer-readable medium containing instructions for implementing the complete nested hybrid signature and soulbound identity system.

Claim 32
33 patent claims covering the H33 post-quantum identity stack

Post-quantum identity, shipped today.

Nested hybrid signatures. Soulbound tokens. Graceful degradation. One API call. Zero license fees.

FIPS 203/204 Compliant
NIST PQC Standards
33 Patent Claims