HATS StandardSpecificationsProtocol Stability
PricingDemo
Log InGet API Key
Home / Specifications / Attestation Receipt Schema

Attestation Receipt Schema — Specification v1.0.0

Version: 1.0.0
Status: Production
Date: 2026-05-22
Editor: Eric Beans, H33.ai, Inc.
License: Proprietary (Patent Pending)
Canonical URL: https://h33.ai/specifications/attestation-receipt/

1. Abstract

This document specifies the attestation receipt: the full-fidelity record from which the compact H33-74 primitive is derived. A receipt contains all fields necessary for an independent verifier to reconstruct and validate the attestation without trusting the issuing system.

Receipts are JSON objects. They carry input and output commitments, policy and authority hashes, a chain position linking each receipt to its predecessor, a three-family post-quantum signature bundle, and the derived H33-74 commitment and cached receipt bytes. This specification defines the canonical field set, serialization rules for hash computation, chain-linking semantics, and the verification algorithm.

2. Status of This Document

This specification is at Production status. The receipt schema, hash computation rules, and chain-linking semantics defined herein are frozen per the H33 Protocol Stability policy.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119.

3. Definitions

Receipt
A JSON object containing all fields necessary to independently verify an attestation. The receipt is the source of truth; the H33-74 primitive is a compact, derived representation.
Receipt Hash
The SHA3-256 digest of the canonical serialization of a receipt. This value is used as the receipt's unique identifier within a hash chain and as the commitment stored on-chain.
Predecessor Hash
The receipt hash of the immediately preceding receipt in the same tenant's chain. The first receipt in a chain uses the 32-byte zero value (0x00...00) as its predecessor hash.
Chain Position
A monotonically increasing uint64 counter representing the receipt's ordinal position within its tenant's chain. The first receipt has chain_position 0.
Domain Separator
A fixed byte prefix used in hash computation to prevent cross-context collisions. For receipt hashing, the domain separator is the UTF-8 encoding of H33:receipt:v1:hash: (21 bytes).
Signer Set
The ordered triple of public keys (ML-DSA-65, FALCON-512, SLH-DSA-SHA2-128f-simple) that signed the receipt. The signer set is identified by the authority_hash, which is the SHA3-256 digest of the concatenated public key bytes.

4. Receipt Structure

An attestation receipt is a JSON object with the following fields. All fields are REQUIRED unless marked OPTIONAL.

FieldTypeRequiredDescription
receipt_idstring (UUID v4)YesUnique identifier for this receipt. MUST be a valid UUID v4 in lowercase hyphenated form.
tenant_idstring (UUID v4)YesThe tenant that owns this receipt.
computation_typestringYesOne of the enumerated computation type names (e.g., "BIOMETRIC_AUTH"). MUST correspond to a value defined in H33-74 Section 5.
input_commitmentstring (hex, 64 chars)YesSHA3-256 digest of the computation input, hex-encoded. Lowercase.
output_commitmentstring (hex, 64 chars)YesSHA3-256 digest of the computation output, hex-encoded. Lowercase.
policy_hashstring (hex, 64 chars)YesSHA3-256 digest of the policy document under which the computation was evaluated.
authority_hashstring (hex, 64 chars)YesSHA3-256 digest of the concatenated signer set public key bytes (ML-DSA || FALCON || SLH-DSA).
timestampstring (ISO 8601)YesTime of attestation. MUST be in UTC with second precision and the Z suffix (e.g., 2026-05-18T09:14:22Z).
predecessor_hashstring (hex, 64 chars)YesReceipt hash of the preceding receipt in this tenant's chain. "0000...0000" (64 zeros) for the first receipt.
chain_positioninteger (uint64)YesOrdinal position in the tenant's chain. First receipt is 0. MUST be exactly predecessor.chain_position + 1 for all subsequent receipts.
domain_separatorstringYesThe domain separator used for this receipt's hash computation. MUST be "H33:receipt:v1:hash:".
signaturesobjectYesThe three-family PQ signature bundle. See Section 7.
h33_74_commitmentstring (hex, 64 chars)YesThe 32-byte commitment that appears in the H33-74 primitive, hex-encoded.
cached_receiptstring (hex, 84 chars)YesThe 42-byte cached receipt portion of the H33-74 primitive, hex-encoded.
metadataobjectOPTIONALImplementation-specific metadata. Verifiers MUST ignore unrecognized fields within this object. MUST NOT affect hash computation.

5. Hash Computation

The receipt hash is computed over a canonical byte serialization. This section defines the canonical form. Implementations MUST produce identical hash outputs for semantically identical receipts.

5.1. Canonicalization Rules

  1. Unicode normalization. All string values MUST be NFC-normalized (Unicode Normalization Form C) before serialization.
  2. Field ordering. Fields are serialized in the following fixed order: receipt_id, tenant_id, computation_type, input_commitment, output_commitment, policy_hash, authority_hash, timestamp, predecessor_hash, chain_position, domain_separator. The signatures, h33_74_commitment, cached_receipt, and metadata fields are excluded from hash computation.
  3. Length-prefixed encoding. Each field is serialized as a 4-byte little-endian length prefix followed by the UTF-8 byte representation of the value. For chain_position, the value is the 8-byte little-endian encoding of the uint64 integer (no length prefix).
  4. Concatenation. The serialized fields are concatenated in order with no separators.
  5. Domain separator. The domain separator string H33:receipt:v1:hash: (21 bytes, UTF-8, no null terminator) is prepended to the concatenated field bytes.
  6. Digest. The receipt hash is SHA3-256(domain_separator || serialized_fields).

The signatures, h33_74_commitment, and cached_receipt fields are excluded from hash computation because they are derived from the receipt data. Including them would create a circular dependency.

5.2. Pseudocode

fn compute_receipt_hash(receipt) -> [u8; 32] { let domain = b"H33:receipt:v1:hash:"; let mut buf = Vec::new(); buf.extend_from_slice(domain); for field in [receipt_id, tenant_id, computation_type, input_commitment, output_commitment, policy_hash, authority_hash, timestamp, predecessor_hash, domain_separator] { let bytes = field.as_utf8_nfc(); buf.extend_from_slice(&(bytes.len() as u32).to_le_bytes()); buf.extend_from_slice(bytes); } // chain_position: fixed 8-byte LE, no length prefix buf.extend_from_slice(&receipt.chain_position.to_le_bytes()); sha3_256(&buf) }

6. Chain Linking

Attestation receipts form a hash chain per tenant. Each receipt references the hash of its predecessor, creating an append-only, tamper-evident sequence.

6.1. Chain Invariants

  1. chain_position MUST start at 0 for the first receipt of a tenant.
  2. For all subsequent receipts: receipt.chain_position == predecessor.chain_position + 1.
  3. predecessor_hash MUST equal compute_receipt_hash(predecessor_receipt).
  4. The first receipt in a chain MUST use "0000000000000000000000000000000000000000000000000000000000000000" (64 hex zeros) as its predecessor_hash.
  5. Chain positions MUST NOT have gaps. A missing position breaks the chain.

6.2. Chain Verification

To verify a chain segment from position N to position M:

  1. Retrieve all receipts with chain_position in [N, M] for the given tenant_id.
  2. For each receipt at position i (where i > N), verify that receipt[i].predecessor_hash == compute_receipt_hash(receipt[i-1]).
  3. If N > 0, verify that receipt[N].predecessor_hash matches the known hash of the receipt at position N-1. If this receipt is unavailable, the chain segment cannot be fully anchored.
  4. The chain segment is INTACT if all predecessor hashes match. It is BROKEN if any mismatch is found.

7. Signature Bundle

The signatures field is a JSON object with three keys, each containing the hex-encoded signature bytes:

KeyAlgorithmStandardApprox. SizeDescription
ml_dsaML-DSA-65FIPS 2043,309 bytesModule-Lattice Digital Signature. MLWE hardness assumption.
falconFALCON-512NIST Round 3~690 bytesNTRU-lattice-based signature. Independent lattice assumption from ML-DSA.
slh_dsaSLH-DSA-SHA2-128f-simpleFIPS 20517,088 bytesStateless hash-based signature. Security depends only on hash function properties.

All three signatures MUST be computed over the canonical receipt bytes (the same byte sequence input to SHA3-256 in Section 5, without the domain separator prefix). Each signature MUST be hex-encoded in lowercase.

The signature input is the canonical serialization of fields (Step 5.1, rules 1-4) without the domain separator. The domain separator is used only for the hash computation, not for signing. This is intentional: the hash binds the domain context; the signatures bind the data.

8. Verification Algorithm

An independent verifier MUST execute the following steps in order. Failure at any step terminates verification with the corresponding error code.

  1. Schema validation. Verify that all REQUIRED fields are present and correctly typed. Error: RCPT_ERR_SCHEMA.
  2. UUID format. Verify receipt_id and tenant_id are valid UUID v4 in lowercase hyphenated form. Error: RCPT_ERR_UUID.
  3. Computation type. Verify computation_type is one of the defined values. Error: RCPT_ERR_COMP_TYPE.
  4. Hex fields. Verify all hex-encoded fields are exactly the expected length and contain only lowercase hex characters. Error: RCPT_ERR_HEX.
  5. Timestamp format. Verify timestamp is a valid ISO 8601 UTC string with the Z suffix. Verify it is not in the future by more than 300 seconds. Error: RCPT_ERR_TIMESTAMP.
  6. Domain separator. Verify domain_separator is exactly "H33:receipt:v1:hash:". Error: RCPT_ERR_DOMAIN.
  7. Recompute receipt hash. Serialize the receipt canonically per Section 5 and compute SHA3-256. Error: RCPT_ERR_HASH (used in the next step).
  8. Commitment match. Verify h33_74_commitment matches the commitment derivation defined in H33-74 Section 4.2. Error: RCPT_ERR_COMMITMENT.
  9. Chain linking. If the receipt is not the first in its chain (chain_position > 0), fetch the predecessor and verify predecessor_hash == compute_receipt_hash(predecessor). Error: RCPT_ERR_CHAIN.
  10. Signature verification. For each of the three signatures (ml_dsa, falcon, slh_dsa): decode the hex signature, obtain the corresponding public key from the authority identified by authority_hash, and verify the signature over the canonical receipt bytes. Error: RCPT_ERR_SIG_MLDSA, RCPT_ERR_SIG_FALCON, or RCPT_ERR_SIG_SLHDSA.
Example: Verify a receipt
$ h33 verify-receipt \ --input receipt.json \ --authority-keys /path/to/authority_keys.json \ --check-chain Schema: VALID [PASS] UUID format: VALID [PASS] Computation type: BIOMETRIC_AUTH [PASS] Hex fields: VALID [PASS] Timestamp: 2026-05-18T09:14:22Z [PASS] Domain separator: H33:receipt:v1:hash: [PASS] Receipt hash: a3f8c1d2... [COMPUTED] Commitment match: VALID [PASS] Chain link: pos 1427 -> pos 1426 [PASS] ML-DSA-65 sig: VALID [PASS] FALCON-512 sig: VALID [PASS] SLH-DSA sig: VALID [PASS] Result: VERIFIED (12/12 checks passed)

9. Failure Modes

Error CodeConditionSeverity
RCPT_ERR_SCHEMAMissing or incorrectly typed required fieldCritical
RCPT_ERR_UUIDInvalid UUID v4 format in receipt_id or tenant_idCritical
RCPT_ERR_COMP_TYPEUnrecognized computation type stringCritical
RCPT_ERR_HEXHex field has wrong length or contains non-hex charactersCritical
RCPT_ERR_TIMESTAMPInvalid ISO 8601 format or future timestamp exceeds toleranceCritical
RCPT_ERR_DOMAINDomain separator does not match expected valueCritical
RCPT_ERR_COMMITMENTRecomputed commitment does not match h33_74_commitmentCritical
RCPT_ERR_CHAINPredecessor hash mismatch or chain position gapCritical
RCPT_ERR_CHAIN_FETCHPredecessor receipt could not be retrievedWarning
RCPT_ERR_SIG_MLDSAML-DSA-65 signature verification failedCritical
RCPT_ERR_SIG_FALCONFALCON-512 signature verification failedCritical
RCPT_ERR_SIG_SLHDSASLH-DSA signature verification failedCritical
RCPT_ERR_AUTHORITYAuthority public keys not found for given authority_hashCritical

10. Conformance Requirements

An implementation claiming conformance to this specification MUST:

  1. Produce receipts containing all REQUIRED fields with correct types as defined in Section 4.
  2. Implement the canonical serialization and hash computation algorithm in Section 5 exactly, including NFC normalization, field ordering, and length-prefixed encoding.
  3. Use SHA3-256 (FIPS 202) for all hash computations. SHA-256 is not acceptable.
  4. Maintain chain invariants (Section 6.1) for all receipts within a tenant's chain.
  5. Sign all receipts with all three PQ families (Section 7).
  6. Implement the full verification algorithm (Section 8) including all 13 error codes (Section 9).
  7. Produce structured error output including the error code and severity for each failure.
  8. Reject receipts that fail any Critical-severity check.

Implementations SHOULD:

  1. Support chain segment verification (Section 6.2) for arbitrary position ranges.
  2. Emit Warning-severity results (e.g., RCPT_ERR_CHAIN_FETCH) as advisory information without halting verification of other checks.
  3. Validate the metadata field, if present, as a valid JSON object, but ignore its contents for hash computation.

11. JSON Schema

{ "$schema": "https://json-schema.org/draft/2020-12/schema", "$id": "https://h33.ai/schemas/attestation-receipt-v1.json", "title": "H33 Attestation Receipt v1.0.0", "type": "object", "required": [ "receipt_id", "tenant_id", "computation_type", "input_commitment", "output_commitment", "policy_hash", "authority_hash", "timestamp", "predecessor_hash", "chain_position", "domain_separator", "signatures", "h33_74_commitment", "cached_receipt" ], "properties": { "receipt_id": { "type": "string", "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$" }, "tenant_id": { "type": "string", "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$" }, "computation_type": { "type": "string", "enum": ["BIOMETRIC_AUTH","ZKP_VERIFY","DOCUMENT_SIGN","KEY_EXCHANGE","FHE_COMPUTE","GOVERNANCE_DECISION","CHAIN_ANCHOR","AI_INFERENCE","TOKEN_MINT","WIRE_PROOF","THRESHOLD_DECRYPT"] }, "input_commitment": { "type": "string", "pattern": "^[0-9a-f]{64}$" }, "output_commitment": { "type": "string", "pattern": "^[0-9a-f]{64}$" }, "policy_hash": { "type": "string", "pattern": "^[0-9a-f]{64}$" }, "authority_hash": { "type": "string", "pattern": "^[0-9a-f]{64}$" }, "timestamp": { "type": "string", "pattern": "^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}Z$" }, "predecessor_hash": { "type": "string", "pattern": "^[0-9a-f]{64}$" }, "chain_position": { "type": "integer", "minimum": 0 }, "domain_separator": { "type": "string", "const": "H33:receipt:v1:hash:" }, "signatures": { "type": "object", "required": ["ml_dsa", "falcon", "slh_dsa"], "properties": { "ml_dsa": { "type": "string", "pattern": "^[0-9a-f]+$" }, "falcon": { "type": "string", "pattern": "^[0-9a-f]+$" }, "slh_dsa": { "type": "string", "pattern": "^[0-9a-f]+$" } } }, "h33_74_commitment": { "type": "string", "pattern": "^[0-9a-f]{64}$" }, "cached_receipt": { "type": "string", "pattern": "^[0-9a-f]{84}$" }, "metadata": { "type": "object" } }, "additionalProperties": false }

12. Example: Valid Receipt

{ "receipt_id": "f47ac10b-58cc-4372-a567-0e02b2c3d479", "tenant_id": "a1b2c3d4-e5f6-4789-abcd-ef0123456789", "computation_type": "BIOMETRIC_AUTH", "input_commitment": "b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9", "output_commitment": "7d1a54127b222502f5b79b5fb0803061152a44f92b37e23c6527baf665d4da9a", "policy_hash": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "authority_hash": "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824", "timestamp": "2026-05-18T09:14:22Z", "predecessor_hash": "d7a8fbb307d7809469ca9abcb0082e4f8d5651e46d3cdb762d02d0bf37c9e592", "chain_position": 1427, "domain_separator": "H33:receipt:v1:hash:", "signatures": { "ml_dsa": "a1b2c3...truncated...f4e5d6", "falcon": "d6e5f4...truncated...c3b2a1", "slh_dsa": "1a2b3c...truncated...6f5e4d" }, "h33_74_commitment": "a3f8c1d2e4b5f67890abcdef1234567890abcdef1234567890abcdef12345678", "cached_receipt": "01010700e83a0900a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4a1b2c3d4e5f64789abcdef01234567f1a3" }

13. Example: Invalid Receipt (Chain Break)

The following receipt has chain_position: 1428 but its predecessor_hash does not match the hash of receipt 1427. A conformant verifier MUST produce RCPT_ERR_CHAIN.

{ "receipt_id": "c9d8e7f6-b5a4-4321-9876-fedcba987654", "tenant_id": "a1b2c3d4-e5f6-4789-abcd-ef0123456789", "computation_type": "BIOMETRIC_AUTH", "input_commitment": "abc123...valid...", "output_commitment": "def456...valid...", "policy_hash": "e3b0c4...valid...", "authority_hash": "2cf24d...valid...", "timestamp": "2026-05-18T09:14:23Z", "predecessor_hash": "0000000000000000000000000000000000000000000000000000000000000000", "chain_position": 1428, "domain_separator": "H33:receipt:v1:hash:", "signatures": { "ml_dsa": "...", "falcon": "...", "slh_dsa": "..." }, "h33_74_commitment": "...", "cached_receipt": "..." } // Verification output: // RCPT_ERR_CHAIN: predecessor_hash is 0x0000...0000 but chain_position // is 1428. Expected predecessor_hash to equal the receipt hash of // position 1427. Chain integrity: BROKEN.

14. Changelog

VersionDateChanges
1.0.02026-05-22Initial publication. Receipt schema frozen. Hash computation algorithm specified. Chain linking invariants defined. JSON Schema published. 13 error codes enumerated.

15. References

15.1. Normative References

15.2. Informative References

Related Specifications & Standards

H33-74 Primitive Governance Proof Model Protocol Stability HATS Standard Conformance Suite Continuous Attestation Agent Attestation Governance Replay Privacy Layer NIST FIPS 203/204