Blockchains, IoT devices, API headers, TLS handshakes, identity credentials, legal documents, medical records, video provenance — every system that needs post-quantum signatures today was built for 64-byte signatures. The replacements are 3,000 to 17,000 bytes. Nothing fits.
Bitcoin, Ethereum, Solana, Cardano, Avalanche, Polkadot, Cosmos, NEAR, Aptos, Sui — all use elliptic curve signatures that Shor's algorithm breaks. The NIST replacements (Dilithium: 3,309 bytes, SPHINCS+: 17,088 bytes) make every transaction 50–260x larger. Bitcoin's chain would grow by 12.6 GB per day with three PQ families. That breaks fee models, block size limits, and storage economics. And the governance to add PQ opcodes takes 2–4 years that may not be available.
An IoT sensor with 64KB of flash can't store a 21KB PQ signature. A TLS handshake that adds 17KB per certificate in the chain makes connection setup unacceptable on mobile. API authentication headers carrying 3,309 bytes per request triples bandwidth for every call. QR codes for identity credentials max out at ~4KB. None of these systems were designed for post-quantum signature sizes, and none of them can be redesigned fast enough.
Most PQ proposals pick one algorithm. If that algorithm breaks — and every algorithm called "unbreakable" has eventually been weakened — every signature ever produced is retroactively insecure. RSA was "unbreakable" until Shor's algorithm. SHA-1 was a "standard" until Google produced a collision. Betting critical infrastructure on one mathematical assumption is the same mistake we're trying to fix.
Three post-quantum signature families. 74 bytes total. 32 on-chain, 42 in Cachee. No consensus changes. No block size impact. Works on every chain today.
At Bitcoin's 600,000 daily transactions. The numbers speak for themselves.
| Approach | Per Transaction | Daily Chain Growth | Annual Growth | PQ Families |
|---|---|---|---|---|
| Current (Schnorr) | 64 bytes | 38 MB | 14 GB | 0 (broken by Shor) |
| Dilithium on-chain | 3,309 bytes | 1.98 GB | 727 GB | 1 |
| All 3 families on-chain | 21,054 bytes | 12.6 GB | 4.6 TB | 3 |
| H33 Substrate | 32 bytes | 19.2 MB | 7 GB | 3 |
The H33 Substrate adds less data per transaction than the Schnorr signatures Bitcoin already uses (32 bytes vs 64 bytes), while covering three independent post-quantum families.
Every blockchain already carries 64–65 bytes of classical signature per transaction. The substrate replaces that with 32 bytes covering three PQ families. You don't add cost. You subtract it.
| Schnorr signature | 64 bytes |
| Math families protected | 1 (secp256k1 — broken by Shor) |
| Daily sig data (600K tx) | 38.4 MB |
| Annual sig data | 14 GB |
| Weight per sig output | 256 WU (64 × 4) |
| Fee per sig @ 10 sat/vB | 640 sats |
| On-chain hash | 32 bytes |
| Math families protected | 3 (MLWE + NTRU + Hash) |
| Daily sig data (600K tx) | 19.2 MB (−50%) |
| Annual sig data | 7 GB (−50%) |
| Weight per OP_RETURN | 172 WU (−33%) |
| Fee per attestation @ 10 sat/vB | 430 sats (−33%) |
| Ed25519 signature | 64 bytes |
| Math families protected | 1 (Curve25519 — broken by Shor) |
| Daily sig data (56M tx) | 3.58 GB |
| Annual sig data | 1.31 TB |
| Cost per transaction | 0.000005 SOL (base fee) |
| Validator sig verify load | 56M Ed25519 verifies/day |
| On-chain hash | 32 bytes |
| Math families protected | 3 (MLWE + NTRU + Hash) |
| Daily sig data (56M tx) | 1.79 GB (−50%) |
| Annual sig data | 654 GB (−50%) |
| Cost per transaction | Same base fee (32B in PDA) |
| Validator PQ verify load | 0 — verification is off-chain |
58 bytes. Fixed size. Hand-serialized. No framework. Every byte at a defined offset. Patent pending.
VER = schema version (frozen per version). TYPE = computation category from append-only registry (0x01=Biometric, 0x06=BitcoinUTXO, etc.). Commitment = SHA3-256 of FHE ciphertext output (never decrypted). Timestamp = millisecond Unix time, big-endian. Nonce = 128-bit random, ensures uniqueness even for identical inputs at the same millisecond.
The signing message is SHA3-256 of these 58 bytes. That 32-byte hash is what all three PQ algorithms sign. Same message, three independent signatures, three independent mathematical families.
How a verifier confirms a PQ attestation. Four steps. No trust assumptions beyond the hash function and the public keys.
The verifier reads 32 bytes from the OP_RETURN (Bitcoin), PDA (Solana), or storage slot (Ethereum). This is the SHA3-256 of the 58-byte substrate.
// Read 32-byte commitment from OP_RETURN output let on_chain_hash: [u8; 32] = tx.outputs[1].script[2..34];
Use the 32-byte hash as the lookup key. Cachee returns 42 bytes: a verification hash, a timestamp, and algorithm flags.
// Cachee lookup: 0.059µs let receipt = cachee.get(&on_chain_hash)?; // 42 bytes assert_eq!(receipt.len(), 42);
Byte 41 of the receipt is a bitmask: bit 0 = Dilithium verified, bit 1 = FALCON verified, bit 2 = SPHINCS+ verified. All three set = 0x07.
let flags = receipt[41]; assert!(flags & 0x01 != 0, "Dilithium verified"); assert!(flags & 0x02 != 0, "FALCON verified"); assert!(flags & 0x04 != 0, "SPHINCS+ verified");
The 32-byte verification hash at receipt[1..33] is SHA3-256(signing_message || all_public_keys || all_signatures). For full re-verification, recompute from the original inputs. For trust-the-pipeline verification, confirm the hash is non-zero and the timestamp is within acceptable freshness.
// Full re-verification (optional — requires original sigs) let expected = sha3_256(msg, dil_pk, fal_pk, sph_pk, dil_sig, fal_sig, sph_sig); assert_eq!(&receipt[1..33], &expected); // Trust-the-pipeline verification (standard path) assert!(receipt[1..33] != [0; 32], "verification hash present"); assert!(timestamp_ms > now_ms - 300_000, "within 5 minutes");
Add and remove PQ families. Watch the raw signature size change. Watch the persistent footprint stay at 74 bytes.
Formally stated. Not claims — properties of the underlying cryptographic constructions.
No adversary can produce two different sets of (message, public keys, signatures) that yield the same 32-byte verification hash in the receipt.
The 32-byte on-chain commitment reveals nothing about the underlying FHE computation output, the substrate fields, or the raw signatures. The hash is one-way.
A BiometricAuth substrate (type 0x01) cannot be confused with a BitcoinUTXO substrate (type 0x06) even under adversarial conditions. The type byte is inside the signed boundary.
The 16-byte random nonce ensures two substrates from identical inputs at the same millisecond are computationally distinguishable with probability at least 1 − 2−128.
Breaking the attestation requires breaking Dilithium (MLWE) AND FALCON (NTRU/SIS) AND SPHINCS+ (hash security) simultaneously. These are independent mathematical problems.
Receipts in Cachee are HMAC-SHA3-256 protected and AES-256-GCM encrypted. Tampering, forgery, or read access requires the attestation service's root secret, which Cachee never holds.
Security means failing loudly and clearly. Here's what happens when an adversary tampers with the attestation.
Attacker flips one bit in the on-chain 32-byte hash.
Attacker replays a BiometricAuth attestation as a payment.
Attacker injects a fake 42-byte receipt into Cachee.
Receipt is valid but timestamp exceeds verifier's freshness policy.
Shor's algorithm breaks elliptic curve signatures (Ed25519, secp256k1) by solving the discrete logarithm problem in polynomial time. It does not affect hash functions. The best known quantum attack on SHA3-256 is Grover's algorithm, which reduces effective security from 256 bits to 128 bits. 128-bit security against a quantum adversary is the baseline that NIST considers adequate for post-quantum cryptographic systems.
The 32-byte on-chain hash produced by the H33 Substrate is SHA3-256. A quantum computer that breaks every Ed25519 key on Solana in seconds cannot invert, forge, or collision-attack this hash. The on-chain anchor is quantum-resistant by construction, independent of the off-chain PQ signatures that bind to it.
Four lines. Full 3-family PQ attestation. 74 bytes.
// Full substrate pipeline — 3 PQ families, 74 bytes total
let substrate = SigningSubstrate::new(ComputationType::BiometricAuth, &fhe_output, now_ms())?;
let result = attest(&substrate, sigs, &dil_pk, &fal_pk, &sph_pk, now_ms());
let anchor = result.on_chain_hash; // 32 bytes — goes in OP_RETURN / PDA / storage
let receipt = result.receipt.to_bytes(); // 42 bytes — goes in Cachee
// Raw signatures (~21KB) are already zeroized. They never existed on disk.The attest() function signs with Dilithium, FALCON, and SPHINCS+, verifies all three, compresses to a 42-byte receipt, and securely erases the raw signatures. The entire operation takes ~16ms. Every subsequent verification is a Cachee lookup at 0.059µs.
| Chain | Anchor Method | On-Chain | Cost | Consensus Change |
|---|---|---|---|---|
| Bitcoin | OP_RETURN | 32 bytes | ~430 sats | None |
| Solana | PDA | 32 bytes | ~0.000005 SOL | None |
| Ethereum | SSTORE | 32 bytes | ~20K gas | None |
Watch blocks form in real time. Each block is a transaction getting PQ-attested through the substrate pipeline.
Post-quantum attestation that works today without waiting for consensus changes.