Category Definition

The Only Privacy That Survives.

Every privacy system built on elliptic curves has an expiration date. This one does not.

Post-quantum privacy is not a feature. It is the only privacy that will still function after the quantum transition. Every other blockchain privacy system -- Zcash, Tornado Cash, zkSync, Polygon zkEVM, Scroll, Aztec, Mina -- relies on the hardness of the discrete logarithm problem on elliptic curves. That hardness has an expiration date.

The Problem
Every existing blockchain privacy system relies on elliptic curve cryptography.
This is not a theoretical concern. NIST has published post-quantum standards (FIPS 203, 204, 205) and set migration timelines because the threat is assessed as real and near-term. The question is not whether these systems need post-quantum security. The question is whether they will have it before retroactive exposure begins.
System          Proof System    Curve / Commitment       Quantum Status
Zcash           Groth16         BN254 pairing            Vulnerable
Tornado Cash    Groth16         BN254 pairing            Vulnerable
zkSync Era      PLONK           KZG on BN254             Vulnerable
Polygon zkEVM   PLONK + FRI     KZG on BN254             Vulnerable
Scroll          PLONK           KZG on BN254             Vulnerable
Aztec           Honk            KZG on BN254             Vulnerable
Mina            Kimchi          IPA on Pasta curves      Vulnerable
H33             STARK           Hash-based (SHA3-256)    Post-Quantum
NIST Migration
NIST has published post-quantum standards. Migration deadlines are coming.
In August 2024, NIST published three post-quantum cryptography standards: FIPS 203 (ML-KEM, formerly Kyber), FIPS 204 (ML-DSA, formerly Dilithium), and FIPS 205 (SLH-DSA, formerly SPHINCS+). NIST has recommended that organizations begin migration immediately and has set 2030 as the target date for deprecating classical algorithms in federal systems. The implication for blockchain privacy is direct: every system relying on elliptic curve cryptography is on a deprecation timeline.
2024
Standards Published

NIST FIPS 203, 204, 205 finalized. Post-quantum algorithms standardized for key encapsulation and digital signatures.

2030
Deprecation Target

NIST target for deprecating classical algorithms in federal systems. Organizations must have migration plans in place.

20??
Quantum Capability

The exact date is unknown. What is known: data recorded today will be decryptable when that date arrives. Harvest now, decrypt later.

Retroactive Exposure
When quantum arrives, historical privacy is retroactively broken.
This is the critical point that distinguishes the quantum threat from other security concerns. A database breach exposes current data. A quantum computer exposes all historical data that was protected by now-broken cryptography. Every Zcash shielded transaction ever made. Every Tornado Cash deposit and withdrawal. Every zkSync transaction that relied on KZG commitments for privacy. The attack does not require access to private keys. It requires only the public proof data, which is already on-chain. Nation-state adversaries are already recording this data today under the "harvest now, decrypt later" strategy.
Not Just Future Transactions

A quantum computer does not just break future privacy. It breaks all historical privacy that relied on elliptic curves. Every shielded transaction, every anonymous deposit, every private proof -- all retroactively exposed.

Harvest Now, Decrypt Later

Nation-state intelligence agencies are already recording encrypted traffic and on-chain data. When quantum capability arrives, they decrypt the archive. The collection is happening now. The exposure happens later.

The H33 STARK Engine
Hash-based. No pairings. No elliptic curves. 128-bit post-quantum security.
H33 uses STARKs -- Scalable Transparent Arguments of Knowledge. STARK proofs rely on the collision resistance of cryptographic hash functions (SHA3-256), not on the hardness of any number-theoretic problem. There are no elliptic curves in the proof system. There are no pairings. There is no trusted setup. The security guarantee is 128-bit post-quantum -- matching NIST Level 1 requirements for post-quantum algorithms.
No Elliptic Curves

STARKs use algebraic intermediate representations verified through hash-based polynomial commitments. The only cryptographic primitive is a collision-resistant hash function. SHA3-256 is quantum-resistant.

No Trusted Setup

Unlike Groth16 and PLONK with KZG, STARKs require no trusted setup ceremony. No trapdoor. No ceremony participants. No possibility that a compromised ceremony undermines all proofs.
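The two properties above (hash-only primitive, no trusted setup) are easiest to see in the commitment layer that STARK-style provers use: a Merkle tree over polynomial evaluations, built from nothing but a collision-resistant hash. The following is an added illustration, not H33's code and not a full STARK; the polynomial, the field modulus and the 4-byte encoding are constructed for the example.

```python
import hashlib

# Hash-based Merkle commitment to a vector of polynomial evaluations.
# The only primitive is SHA3-256; there is no setup, trapdoor or curve.

def h(data: bytes) -> bytes:
    return hashlib.sha3_256(data).digest()

def leaf_hash(value: bytes) -> bytes:
    # Domain-separate leaves (0x00) from inner nodes (0x01) so a leaf
    # can never be reinterpreted as an inner node or vice versa.
    return h(b"\x00" + value)

def node_hash(left: bytes, right: bytes) -> bytes:
    return h(b"\x01" + left + right)

def build_tree(values: list[bytes]) -> list[list[bytes]]:
    """Return all layers, leaves first, root last. Requires a power-of-two count."""
    n = len(values)
    if n == 0 or n & (n - 1):
        raise ValueError("number of evaluations must be a power of two")
    layers = [[leaf_hash(v) for v in values]]
    while len(layers[-1]) > 1:
        cur = layers[-1]
        layers.append([node_hash(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return layers

def commit(values: list[bytes]) -> bytes:
    """The 32-byte commitment is the Merkle root."""
    return build_tree(values)[-1][0]

def open_at(values: list[bytes], index: int) -> tuple[bytes, list[bytes]]:
    """Open position `index`: return the value and its sibling path to the root."""
    layers = build_tree(values)
    path, i = [], index
    for layer in layers[:-1]:
        path.append(layer[i ^ 1])  # sibling at this level
        i >>= 1
    return values[index], path

def verify(root: bytes, index: int, value: bytes, path: list[bytes]) -> bool:
    """Recompute the root from the claimed leaf; the verifier needs only the hash."""
    cur, i = leaf_hash(value), index
    for sibling in path:
        cur = node_hash(sibling, cur) if i & 1 else node_hash(cur, sibling)
        i >>= 1
    return cur == root

def sample_evaluations() -> list[bytes]:
    # Constructed sample: p(x) = 3x^2 + x + 7 over the prime field mod 97,
    # evaluated at x = 0..7 and encoded as 4-byte big-endian integers.
    p = 97
    return [((3 * x * x + x + 7) % p).to_bytes(4, "big") for x in range(8)]

if __name__ == "__main__":
    evals = sample_evaluations()
    root = commit(evals)
    value, path = open_at(evals, 5)
    print("root:", root.hex())
    print("opening at 5 verifies:", verify(root, 5, value, path))
    print("tampered value verifies:", verify(root, 5, (88).to_bytes(4, "big"), path))
```

A real FRI-based prover commits to a Reed-Solomon codeword this way and opens a handful of random positions per round; the point here is that commitment, opening and verification touch only the hash function, so the verifier's trust reduces entirely to SHA3-256.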

Three Hardness Assumptions
Three independent mathematical bets. All three must be broken simultaneously.
Every H33-74 attestation is signed by three post-quantum signature families. Each relies on a different mathematical hardness assumption. An attacker must break MLWE lattices, NTRU lattices, AND the hash-function assumption behind a stateless hash-based signature simultaneously to forge an attestation. This is defense in depth at the mathematical level.
ML-DSA-65
MLWE Lattice

Based on the Module Learning With Errors problem. NIST FIPS 204. The standard lattice-based signature scheme.

FALCON-512
NTRU Lattice

Based on the NTRU lattice problem. Compact signatures. Independent mathematical assumption from ML-DSA.

SLH-DSA-128f
Hash-Based

NIST FIPS 205. Stateless hash-based signatures. Security relies only on the collision resistance of SHA-256. The most conservative assumption.
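To show what "security relies only on the hash function" means for the hash-based family, here is a Lamport one-time signature over SHA-256, the simplest ancestor of the WOTS+ and FORS components inside SLH-DSA. This is an added example, not the FIPS 205 construction and not H33 code; the message is constructed, and the keys come from the operating system's random source. Its security rests on preimage resistance of SHA-256: forging a signature means inverting the hash.

```python
import hashlib
import secrets

HASH = hashlib.sha256
N = 256  # one private-key pair per bit of the message digest

def keygen(rng=secrets.token_bytes) -> tuple[list, list]:
    """Private key: 256 pairs of random 32-byte preimages.
    Public key: the SHA-256 image of every preimage."""
    sk = [(rng(32), rng(32)) for _ in range(N)]
    pk = [(HASH(a).digest(), HASH(b).digest()) for a, b in sk]
    return sk, pk

def _digest_bits(msg: bytes) -> list[int]:
    d = HASH(msg).digest()
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(N)]

def sign(sk: list, msg: bytes) -> list[bytes]:
    """Reveal, for each digest bit, the preimage selected by that bit.
    A key must be used ONCE: a second message leaks more preimages."""
    return [sk[i][bit] for i, bit in enumerate(_digest_bits(msg))]

def verify(pk: list, msg: bytes, sig: list[bytes]) -> bool:
    """Hash each revealed preimage and compare with the public key entry
    chosen by the corresponding digest bit. Only SHA-256 is involved."""
    if len(sig) != N:
        return False
    return all(
        HASH(s).digest() == pk[i][bit]
        for i, (s, bit) in enumerate(zip(sig, _digest_bits(msg)))
    )

def signature_size_bytes(sig: list[bytes]) -> int:
    return sum(len(s) for s in sig)

if __name__ == "__main__":
    sk, pk = keygen()
    msg = b"constructed attestation payload"
    sig = sign(sk, msg)
    print("valid:", verify(pk, msg, sig))
    print("tampered message valid:", verify(pk, msg + b"!", sig))
    print("signature bytes:", signature_size_bytes(sig))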

Chain-Specific Analysis
Post-quantum privacy for every major chain.
The Question
The question is not whether privacy systems need post-quantum security. It is whether they will have it before retroactive exposure begins.

Build on the only privacy that survives.

STARK proofs. Three PQ signature families. 32 bytes on any chain. No elliptic curves. No expiration date.


H33.ai, Inc. · Patents Pending · HATS Standard · Privacy Layer · H33-74