H33 lets enterprises add post-quantum authentication, signatures, attestation, and verification without rebuilding infrastructure.
NIST has finalized FIPS 203 and FIPS 204. Federal agencies face a 2035 deadline. But replacing cryptographic infrastructure is a multi-year project that touches every authentication flow, every signature, every certificate chain.
The quantum threat timeline is not 2035. Data encrypted today with classical algorithms can be harvested and decrypted when quantum computers reach sufficient scale. Migration needs to start now.
H33 wraps your existing authentication, signature, and verification workflows with post-quantum cryptographic layers. Your infrastructure stays in place. PQ security is added through API calls.
| Traditional Migration | H33 API Conversion |
|---|---|
| Replace PKI root certificates | Add PQ attestation layer via API |
| Update every TLS endpoint | PQ signatures on existing transport |
| Retrain cryptographic libraries | One SDK, three PQ families |
| 12-24 month migration timeline | Days to first PQ attestation |
| Vendor lock-in to new stack | Independent verification, no vendor trust |
Add ML-DSA-65 and FALCON-512 signatures to your existing authentication flows. Every auth event produces a post-quantum signed attestation that is independently verifiable.
H33 signs with three independent post-quantum families simultaneously. An attacker must break MLWE lattices, NTRU lattices, and stateless hash functions to compromise a single signature.
| Family | Algorithm | Hardness Assumption |
|---|---|---|
| Lattice (MLWE) | ML-DSA-65 | Module Learning With Errors |
| Lattice (NTRU) | FALCON-512 | NTRU lattice shortest vector |
| Hash-Based | SLH-DSA-SHA2-128f | Second preimage resistance of SHA-256 |
Three independent mathematical bets. Security breaks only if all three hardness assumptions fail simultaneously.
Every operation produces a 74-byte attestation: 32 bytes anchorable on-chain and 42 bytes cached. The full proof is independently verifiable without contacting H33.
The public verifier reproduces attestation validation independently. No API keys, no vendor infrastructure, no trust assumptions beyond the mathematics.
Every industry facing quantum risk can convert through the same API — no bespoke migration project required.
Convert wire authorization, account authentication, and transaction signing to post-quantum without touching core banking infrastructure.
Meet NIST PQ migration mandates with API-first conversion. Every authentication event and document signature becomes PQ-attested.
Protect patient records and clinical workflows with PQ attestation. HIPAA-compliant conversion without infrastructure replacement.
Insurers verify policyholder PQ posture through replayable attestation chains. Underwrite quantum risk with cryptographic evidence.
One API key. Three post-quantum signature families. No infrastructure changes. First attestation in minutes.
Organizations facing the quantum threat have two paths: tear out existing cryptographic infrastructure and rebuild from scratch, or wrap existing systems with post-quantum security through an API layer. The differences in cost, risk, and timeline are dramatic.
| Dimension | Rip-and-Replace | H33 API Conversion |
|---|---|---|
| Infrastructure Cost | Millions in new hardware, software licenses, HSM replacements, and certificate infrastructure overhaul | Zero infrastructure changes. Existing systems remain untouched. PQ security is added at the API boundary. |
| Timeline | 18-36 months for enterprise migrations. Requires coordination across every team that touches cryptography. | First PQ attestation in minutes. Full production rollout in days to weeks depending on integration surface. |
| Risk | High. Replacing cryptographic primitives in production systems risks breaking authentication, authorization, and data protection simultaneously. | Near zero. The API wraps existing flows. If the PQ layer has an issue, the underlying system continues operating. |
| Downtime | Requires maintenance windows for certificate rotations, HSM migrations, and protocol upgrades. | Zero downtime. The API layer is additive — it produces PQ attestations alongside existing classical signatures. |
| Legacy Compatibility | Older systems may not support PQ algorithms. Forced upgrades or decommissioning required. | Full compatibility. The API accepts classical inputs and produces PQ-attested outputs. No changes to legacy systems. |
| Rollback | Difficult. Once infrastructure is replaced, reverting requires another migration cycle. | Trivial. Remove the API integration and the underlying system is unchanged. |
| Signature Families | Typically one PQ algorithm per migration. Changing algorithms later requires another migration. | Three independent PQ families (MLWE, NTRU, stateless hash) per attestation. Algorithm agility is built in. |
| Verification | Requires the same infrastructure to verify. Vendor lock-in for the verification path. | Independently verifiable offline. Any party can verify without H33 infrastructure. |
NIST recommends organizations begin post-quantum migration now. The API conversion approach lets you start today without waiting for infrastructure budgets, hardware procurement, or cross-team coordination.
H33 post-quantum conversion wraps your existing authentication and signing flows with PQ attestations. The underlying system is never modified. Here is the technical flow from classical input to post-quantum output.
Intercept Layer. The H33 API sits between your application and its authentication or signing endpoint. When your application initiates an auth flow — a login, an MFA challenge, a document signature, a session token refresh — the request passes through the H33 API. The original request is forwarded to your existing endpoint unchanged. The response from your existing system is captured by H33 before being returned to the caller.
Hash Binding. H33 computes a SHA3-256 hash of the request and the response, creating a deterministic fingerprint of the authentication event. This hash binds the PQ attestation to the exact input/output pair of the original operation. The hash is computed on the raw payloads, ensuring that any tampering with the request or response after the fact would invalidate the attestation.
Triple Signing. The hash is signed using three independent post-quantum signature families: ML-DSA-65 (FIPS 204, lattice-based), FALCON-512 (NTRU lattice-based), and SLH-DSA-SHA2-128f (FIPS 205, stateless hash-based). Each signature is computed independently. Breaking the attestation requires compromising all three mathematical hardness assumptions simultaneously — MLWE lattices, NTRU lattices, and the security of stateless hash functions.
Compression to 74 Bytes. The three signatures (which total thousands of bytes in raw form) are compressed into the H33-74 Post-Quantum Attestation Primitive format: 32 bytes of on-chain commitment and 42 bytes of cached metadata. The 32-byte commitment is anchorable on Bitcoin, Solana, Ethereum, or any chain that supports data embedding. The 42-byte metadata is stored in Cachee and contains the information needed to locate and verify the full signature bundle.
Response Augmentation. The original response from your authentication system is returned to the caller with an additional header or field containing the attestation ID. The caller can use this ID to verify the PQ attestation independently, anchor it on-chain, or store it for governance and compliance purposes. Your existing system never sees or produces the PQ attestation — it operates exactly as before.
Post-quantum cryptography (PQC) refers to cryptographic algorithms designed to resist attacks from both classical computers and future quantum computers. Current widely-used algorithms like RSA and ECDSA can be broken by a sufficiently powerful quantum computer running Shor's algorithm. PQC algorithms are based on mathematical problems — such as lattice problems and hash functions — that remain hard even for quantum computers. NIST finalized its first PQC standards (FIPS 203, 204, 205) in 2024.
Estimates vary from 5 to 15 years for a cryptographically-relevant quantum computer. However, the threat is immediate due to "harvest now, decrypt later" attacks: adversaries are already collecting encrypted data today with the intention of decrypting it once quantum computers become available. Sensitive data with long confidentiality requirements — healthcare records, financial data, government communications — needs protection today, not when quantum computers arrive.
No. H33 API conversion adds post-quantum security to your existing infrastructure without modifying it. Your current authentication systems, signing workflows, HSMs, and certificate infrastructure remain in place. The H33 API wraps your existing flows with PQ attestations at the API boundary. This means zero downtime, zero hardware changes, and zero risk to your production systems.
H33 implements three NIST-standardized post-quantum signature families: ML-DSA-65 (FIPS 204, based on the CRYSTALS-Dilithium algorithm), SLH-DSA-SHA2-128f (FIPS 205, based on the SPHINCS+ algorithm), and FALCON-512 (selected by NIST, pending FIPS standardization). Every attestation is signed by all three families, meaning compromise requires breaking three independent mathematical hardness assumptions simultaneously.
Your first PQ attestation can be generated in minutes using a single API call. A production integration typically takes days to weeks depending on the number of authentication and signing flows you want to convert. There is no "big bang" migration — you can convert flows incrementally, starting with the most sensitive operations and expanding coverage over time.
The H33 attestation pipeline adds less than 42 microseconds per operation on Graviton4 hardware. In batch mode (32 operations per batch), the per-operation overhead drops further. The PQ signing is dominated by the SPHINCS+ hash-based signature, which provides the strongest long-term security guarantee. For most applications, the latency is invisible to end users.
A regional bank processes wire transfers through a 15-year-old core banking system that uses RSA-2048 for transaction signing. Replacing the core system is a multi-year, multi-million dollar project. With H33 API conversion, the bank wraps each wire authorization with a PQ attestation in a single afternoon. The core system continues to produce its RSA signatures unchanged. H33 captures each wire authorization at the API boundary, hashes the request and response, and produces a 74-byte PQ attestation. The bank now has quantum-resistant evidence for every wire transfer without touching the core banking system. Regulators can verify each attestation independently.
A hospital network uses an EHR system with classical ECDSA-based authentication. Patient records have a 50-year retention requirement, meaning data accessed today must remain confidential for decades. The hospital deploys H33 API conversion to attest every record access event with PQ signatures. When a provider accesses a patient record, the authentication event is hashed and PQ-attested. The attestation chain creates a quantum-resistant audit trail of who accessed which records, when, and under what authority — evidence that will survive the quantum era.
A federal agency is required to comply with NIST PQ migration mandates but operates dozens of legacy systems with embedded cryptographic dependencies. Rather than attempting a simultaneous migration across all systems, the agency deploys H33 API conversion as a PQ overlay. Every document signature, credential issuance, and authentication event across all systems is now PQ-attested through a single integration point. The agency meets the mandate immediately while planning long-term infrastructure modernization on its own timeline.
Most organizations assume post-quantum migration requires replacing their cryptographic infrastructure from the ground up. That assumption is wrong. API-first conversion wraps existing workflows with post-quantum attestations at the boundary, eliminating the need for disruptive infrastructure replacement. The table below compares both approaches across the dimensions that determine migration success.
| Dimension | Rip-and-Replace Migration | H33 API-First PQ Conversion |
|---|---|---|
| Timeline | 12-36 months. Requires replacing HSMs, certificate infrastructure, key management systems, and application-layer crypto libraries. | Minutes to first attestation. Days to weeks for production integration. No infrastructure replacement required. |
| Infrastructure impact | Total replacement. Every component that touches cryptographic operations must be upgraded or replaced. | Zero infrastructure change. H33 operates at the API boundary. Your existing HSMs, CAs, and key management systems remain in place. |
| Risk profile | High. Big-bang migrations introduce systemic risk. A single misconfiguration can break authentication, signing, or verification across the entire estate. | Incremental. Convert one workflow at a time. Roll back instantly. Existing and PQ-attested workflows run in parallel during migration. |
| Algorithm coverage | Typically one algorithm family per vendor. Vendor lock-in determines your quantum security posture. | Three independent NIST-standardized families per attestation: ML-DSA-65 (FIPS 204), FALCON-512, SLH-DSA-SHA2-128f (FIPS 205). Breaks only if three independent hardness assumptions fail simultaneously. |
| Cost model | Capital expenditure. Hardware replacements, professional services, extended testing cycles, and downtime costs. | Operational expenditure. Pay per attestation. No hardware, no professional services, no downtime. |
| Harvest-now protection | No protection until migration is complete. Data collected today remains vulnerable until the entire estate is upgraded. | Immediate. Your first API call produces a PQ-signed attestation. Data attested today is protected against future quantum decryption. |
| Verification model | Vendor-dependent. Verification requires the same vendor's software and configuration. | Open verification. The verifier CLI is open-source and runs offline. No H33 account, API key, or connectivity required. |
| Compliance evidence | Documentation-based. Compliance depends on attestation letters and audit reports from the vendor. | Cryptographic evidence. Every attestation is independently verifiable mathematical proof of PQ security. Auditors verify directly, not through vendor claims. |
API-first conversion does not eliminate the eventual need for infrastructure modernization. It eliminates the urgency. By wrapping existing workflows with PQ attestations today, organizations gain immediate protection against harvest-now-decrypt-later attacks while planning infrastructure upgrades on their own timeline.
H33 post-quantum conversion operates as an attestation wrapper around your existing cryptographic workflows. It does not replace your infrastructure -- it adds a post-quantum evidence layer at the API boundary.
When you submit a computation, signature, or authentication event to the H33 API, the conversion pipeline executes in three stages. First, the input is canonicalized into a deterministic frame that captures the computation type, the input hash, and the operational context. Second, this frame is signed with three independent post-quantum signature families -- ML-DSA-65 (FIPS 204), FALCON-512, and SLH-DSA-SHA2-128f (FIPS 205) -- producing a triple-signed attestation that is resilient against the failure of any two signature families. Third, the attestation is compressed into the H33-74 Post-Quantum Attestation Primitive: 74 bytes total, 32 of which can be anchored on any blockchain.
H33 attestations rely on three independent mathematical hardness assumptions. ML-DSA-65 is based on the Module Learning With Errors (MLWE) problem over structured lattices. FALCON-512 is based on the NTRU lattice problem with a different algebraic structure. SLH-DSA-SHA2-128f is based on the security of stateless hash functions. An adversary must break all three simultaneously to forge an attestation -- a fundamentally different security posture than relying on a single algorithm family.
Conversion is incremental by design. You start by identifying the workflows most vulnerable to harvest-now-decrypt-later attacks -- typically authentication tokens, signing events, and key exchanges. Each workflow is converted with a single API integration. Existing classical signatures continue to function unchanged; the H33 attestation runs in parallel, adding PQ evidence without disrupting the classical flow. Over time, you expand coverage to additional workflows at whatever pace your organization requires.
The H33 attestation pipeline adds less than 42 microseconds per operation on Graviton4 hardware. In batch mode, 32 operations are attested in a single 1,345-microsecond batch, reducing per-operation overhead further. The pipeline is dominated by the signature generation stage (29% of latency), with the FHE batch processing stage consuming 70% and the cached ZKP lookup consuming less than 1%. For most applications, the latency is invisible to end users.
Any organization that produces or consumes cryptographic signatures, authentication tokens, or verification evidence is a candidate for API-first post-quantum conversion.
Post-quantum cryptography (PQC) refers to cryptographic algorithms designed to resist attacks from both classical computers and future quantum computers. Current widely-used algorithms like RSA and ECDSA can be broken by a sufficiently powerful quantum computer running Shor's algorithm. NIST finalized its first PQC standards (FIPS 203, 204, 205) in 2024, establishing the algorithms that will protect data in the quantum era.
Estimates vary from 5 to 15 years for a cryptographically-relevant quantum computer. However, the threat is immediate due to harvest-now-decrypt-later attacks: adversaries are already collecting encrypted data today with the intention of decrypting it once quantum computers become available. Data with long-term sensitivity -- health records, financial transactions, government communications, intellectual property -- must be protected with PQ algorithms now.
No. H33 API-first conversion adds post-quantum security to your existing infrastructure without modifying it. Your current authentication systems, signing workflows, HSMs, and certificate infrastructure remain in place. The H33 API wraps your existing flows with PQ attestations at the API boundary. This means zero hardware changes, zero downtime, and zero disruption to your current operations.
H33 implements three NIST-standardized post-quantum signature families: ML-DSA-65 (FIPS 204, lattice-based), SLH-DSA-SHA2-128f (FIPS 205, hash-based), and FALCON-512 (selected by NIST, pending FIPS standardization). Every attestation is signed by all three families simultaneously, providing security against the failure of any two families.
Your first PQ attestation can be generated in minutes using a single API call. A production integration typically takes days to weeks depending on the number of authentication and signing flows you want to convert. There is no big-bang migration -- you convert flows incrementally, starting with the most sensitive data and expanding coverage over time.
The H33 attestation pipeline adds less than 42 microseconds per operation on Graviton4 hardware. In batch mode (32 operations per batch), the per-operation overhead drops further. The pipeline processes over 1.6 million attestations per second sustained on production hardware. For most applications, the latency is invisible to end users and adds no perceptible delay to existing workflows.