Every major blockchain relies on elliptic curve signatures (ECDSA or Schnorr over secp256k1, or Ed25519) for transaction authorization. Shor's algorithm, run on a sufficiently capable quantum computer, breaks all of them. The post-quantum signature algorithms standardized by NIST, ML-DSA (Dilithium), FALCON (FN-DSA), and SLH-DSA (SPHINCS+), are believed secure against quantum adversaries but produce signatures roughly 10 to 270 times larger than a 64-byte Schnorr or ECDSA signature. Adopting any of them directly on-chain would add hundreds of gigabytes to terabytes of storage per year on a busy chain and require multi-year consensus-level governance changes that no major chain has completed.
This paper presents the H33 Substrate, a system that reduces the persistent footprint of a three-family post-quantum attestation (covering lattice/MLWE, lattice/NTRU, and hash-based hardness assumptions simultaneously) from 21,054 bytes to 74 bytes. The system requires zero consensus changes, zero validator modifications, and zero impact on block size. The 74-byte footprint consists of 32 bytes on-chain (a cryptographic hash in a standard transaction output) and 42 bytes off-chain (a verification receipt stored in Cachee, a high-speed verification layer that serves lookups in under a microsecond). The raw post-quantum signatures exist in memory for roughly 15 milliseconds during attestation and are erased after verification. The system is chain-agnostic, tested on Bitcoin (OP_RETURN), Solana (PDA), and Ethereum (storage slot), and is running in production with 3,703 tests passing across integrated products.
The security of blockchain transaction authorization depends on the computational hardness of the elliptic curve discrete logarithm problem (ECDLP). Bitcoin uses secp256k1 for both ECDSA and Schnorr (BIP 340) signatures. Ethereum uses secp256k1 for ECDSA. Solana uses Ed25519 (Curve25519 in twisted Edwards form). Algorand, Cardano, Polkadot, Cosmos, Avalanche, NEAR, Aptos, and Sui all rely on secp256k1, Ed25519, or both.[1]
Shor's algorithm solves ECDLP in polynomial time on a quantum computer. The implication is total: given a public key, a quantum adversary can compute the private key and spend any funds controlled by it. Public keys are exposed on-chain whenever an address spends (the signature script or witness reveals them), and for Bitcoin Taproot outputs the 32-byte x-only key sits in the output itself, exposed as soon as funds are received. This is not a weakness in a specific implementation; it is a mathematical property of the underlying problem that every elliptic curve scheme depends on.
The timeline for practical quantum attacks is debated. NIST recommends that organizations begin migrating to post-quantum cryptography now, with quantum-vulnerable algorithms deprecated after 2030 and disallowed after 2035.[2] The U.S. National Security Agency's CNSA 2.0 sets post-quantum deadlines for national security systems that begin in 2030, with full migration by 2035. Independent researchers estimate that cryptographically relevant quantum computers could emerge between 2029 and 2040.[3]
Regardless of the exact timeline, the vulnerability is architectural, not speculative. Every public key exposed on-chain today can have its private key recovered by a quantum computer at whatever future date such machines become available; funds still controlled by that key, and any authorization that still accepts its signatures, are then at the attacker's disposal. Confirmed history is not rewritten, but control of every exposed key is.
The following major blockchains are protected exclusively by algorithms that Shor's algorithm breaks:
| Blockchain | Signature Algorithm | Market Cap (Apr 2026) | Daily Transactions | PQ Migration Status |
|---|---|---|---|---|
| Bitcoin | secp256k1 ECDSA/Schnorr | ~$1.9T | ~600K | No active BIP |
| Ethereum | secp256k1 ECDSA | ~$380B | ~1.2M | Research only (EIP-7212 adjacent) |
| Solana | Ed25519 | ~$75B | ~56M | No active proposal |
| Cardano | Ed25519 | ~$24B | ~90K | Research phase |
| Avalanche | secp256k1 ECDSA | ~$12B | ~350K | No active proposal |
| Polkadot | Sr25519/Ed25519 | ~$9B | ~200K | No active RFC |
| Cosmos (Tendermint) | secp256k1/Ed25519 | ~$3B | ~150K | No active proposal |
| NEAR | Ed25519 | ~$5B | ~500K | No active NEP |
| Aptos | Ed25519 | ~$4B | ~200K | No active AIP |
| Sui | Ed25519/secp256k1 | ~$3B | ~300K | No active SIP |
Combined, these chains secure over $2.4 trillion in assets and process over 59 million transactions per day, all protected by cryptography with a known mathematical vulnerability.
NIST has standardized three post-quantum signature families, each based on a different mathematical hardness assumption:
| Algorithm | NIST Standard | Hardness Assumption | Signature Size | vs Schnorr (64 B) |
|---|---|---|---|---|
| ML-DSA-65 (Dilithium) | FIPS 204 | Module-LWE (lattice) | 3,309 bytes | 52x larger |
| FALCON-512 | FIPS 206 | SIS over NTRU (lattice) | ~657 bytes | 10x larger |
| SLH-DSA-128f (SPHINCS+) | FIPS 205 | Hash function security | 17,088 bytes | 267x larger |
| All three (3-family) | FIPS 204 + 205 + 206 | Three independent assumptions | ~21,054 bytes | 329x larger |
Using even one of these algorithms on-chain dramatically changes the economics of every blockchain:
| Scenario | On-Chain per TX | Bitcoin Daily Growth | Annual Growth | Solana Daily (56M TX) |
|---|---|---|---|---|
| Current (Schnorr/ECDSA) | 64 bytes | 38 MB | 14 GB | 3.5 GB |
| Dilithium only | 3,309 bytes | 1.98 GB | 727 GB | 185 GB |
| FALCON only | 657 bytes | 394 MB | 144 GB | 37 GB |
| SPHINCS+ only | 17,088 bytes | 10.2 GB | 3.7 TB | 957 GB |
| All 3 families | 21,054 bytes | 12.6 GB | 4.6 TB | 1.18 TB |
| H33 Substrate | 32 bytes | 19.2 MB | 7 GB | 1.8 GB |
The H33 Substrate adds 32 bytes per anchored transaction, less than the 64-byte Schnorr signature Bitcoin already carries, while binding the transaction to an attestation verified under three independent post-quantum families. The anchor is additive, not a replacement: the anchoring transaction is still authorized by the chain's classical signature (so the H33 row above sits on top of the 64-byte baseline rather than in place of it), and the substrate supplies a post-quantum attestation alongside that signature rather than changing who can spend. The consensus-level opcodes discussed later are what eventually replace the classical signature.
Adding post-quantum signature verification to blockchain consensus requires protocol-level changes:
- Bitcoin: a new opcode (e.g. OP_CHECKPQSIG) requires a BIP, community review, a reference implementation, testnet deployment, and supermajority miner signaling (95% under BIP 9 for SegWit; 90% under Taproot's Speedy Trial). Historical precedent (SegWit: ~2 years; Taproot: ~3 years) suggests a minimum 2–4 year timeline.

No major blockchain has an active, concrete proposal for adding post-quantum signature verification to consensus as of April 2026. Research exists. Proposals exist. Working code does not exist at the consensus layer for any chain listed in Section 1.1.
The H33 Substrate is a fixed-size canonical byte sequence that bridges any computation to any post-quantum signature algorithm. It operates at the application layer, requiring no changes to blockchain consensus, validator software, or block format.
The verification receipt is the 42-byte compressed artifact that replaces the 21,054 bytes of raw signatures. Its core field is the verification hash, the critical binding: a collision-resistant commitment to the exact inputs that produced the receipt. Any change to any input (a different message, key, or signature) produces a completely different hash. A legitimate receipt for a message therefore exists only if valid signatures under all three families were produced and verified for it, and producing such signatures without the keys is equivalent to breaking all three hardness assumptions simultaneously; together with the Cachee integrity protection described below, this is what prevents a receipt from being substituted or forged.
The 42-byte receipt is stored in Cachee, H33's high-speed verification infrastructure. Cachee serves receipt lookups in 0.059 microseconds, approximately 17 million lookups per second per core. Receipts are stored encrypted (AES-256-GCM) with an additional HMAC-SHA3-256 integrity tag. Even with full Cachee access, an attacker cannot read, forge, or modify receipts without the attestation service's cryptographic keys. What such an attacker can do is delete or withhold them, which turns a lookup into a failed verification rather than a forged one; relying parties must therefore treat a missing receipt as a failure, never as the absence of a constraint.
The Cachee key for each receipt is the 32-byte on-chain hash. A verifier reads those 32 bytes from the blockchain, queries Cachee with them, and receives the 42-byte receipt. The Cachee lookup itself is sub-microsecond; the on-chain read is bounded by the node or RPC endpoint, not by Cachee.
| Chain | Anchoring Method | On-Chain Bytes | Transaction Weight / Cost | Consensus Change |
|---|---|---|---|---|
| Bitcoin | OP_RETURN (0x6a 0x20 + 32 bytes) | 32 | 172 WU = 43 vbytes (~430 sats @ 10 sat/vB) | None |
| Solana | PDA (Program Derived Address) account data | 32 | ~0.000005 SOL signature fee, plus the rent-exempt deposit for the account that holds the hash | None |
| Ethereum | Contract storage (SSTORE) | 32 | ~20,000 gas | None |
| Any EVM chain | Calldata | 32 | 512 gas for 32 non-zero bytes (on top of the 21,000-gas base transaction cost) | None |
| Cosmos (IBC) | Memo field | 32 | Included in base fee | None |
Every anchoring method uses existing transaction capabilities. No new opcodes, precompiles, runtime functions, or message types are required on any chain.
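The Bitcoin and EVM rows above can be checked mechanically. The following Python is an added example, not code from H33 or from this paper: it assembles the OP_RETURN scriptPubKey (0x6a, a direct 0x20 push, 32 bytes), serializes the output, converts bytes to weight units and vbytes, and prices EVM calldata under EIP-2028. The 32-byte anchor is a constructed placeholder, the 10 sat/vB fee rate is the table's assumption, and the function names are the editor's.

```python
import struct
from typing import Dict, Optional

OP_RETURN = 0x6A
BASE_TX_GAS = 21_000   # EVM intrinsic gas charged for any transaction

# Constructed 32-byte anchor (every byte non-zero, so EVM calldata pricing is the worst case).
ANCHOR = bytes(range(1, 33))


def op_return_script(payload: bytes) -> bytes:
    """scriptPubKey = OP_RETURN <direct push of payload>. A direct push opcode
    (0x01..0x4b) is the length itself, so 32 bytes encode as 0x20."""
    if not 1 <= len(payload) <= 75:
        raise ValueError("direct push covers 1..75 bytes; larger payloads need OP_PUSHDATA1")
    return bytes([OP_RETURN, len(payload)]) + payload


def extract_anchor(script: bytes) -> Optional[bytes]:
    """Verifier side: accept exactly 'OP_RETURN PUSH32 <32 bytes>' and nothing else."""
    if len(script) == 34 and script[0] == OP_RETURN and script[1] == 32:
        return script[2:]
    return None


def compact_size(n: int) -> bytes:
    """Bitcoin CompactSize (varint) encoding of a length."""
    if n < 0xFD:
        return bytes([n])
    if n <= 0xFFFF:
        return b"\xfd" + struct.pack("<H", n)
    if n <= 0xFFFFFFFF:
        return b"\xfe" + struct.pack("<I", n)
    return b"\xff" + struct.pack("<Q", n)


def serialize_txout(value_sats: int, script: bytes) -> bytes:
    """TxOut = 8-byte little-endian value || CompactSize(script length) || script."""
    return struct.pack("<q", value_sats) + compact_size(len(script)) + script


def bitcoin_anchor_cost(payload: bytes, sat_per_vb: float = 10.0) -> Dict[str, int]:
    """Marginal cost of one OP_RETURN output carrying `payload` (rest of the tx ignored)."""
    txout = serialize_txout(0, op_return_script(payload))
    weight = 4 * len(txout)          # non-witness bytes count 4 weight units each
    vbytes = (weight + 3) // 4       # ceil(weight / 4)
    return {"bytes": len(txout), "weight": weight, "vbytes": vbytes,
            "fee_sats": round(vbytes * sat_per_vb)}


def evm_calldata_gas(data: bytes, include_base_tx: bool = False) -> int:
    """EIP-2028 calldata pricing: 4 gas per zero byte, 16 gas per non-zero byte."""
    gas = sum(4 if b == 0 else 16 for b in data)
    return gas + BASE_TX_GAS if include_base_tx else gas


if __name__ == "__main__":
    print(op_return_script(ANCHOR).hex())
    print(bitcoin_anchor_cost(ANCHOR))   # {'bytes': 43, 'weight': 172, 'vbytes': 43, 'fee_sats': 430}
    print(evm_calldata_gas(ANCHOR), evm_calldata_gas(ANCHOR, include_base_tx=True))  # 512 21512
```

`extract_anchor` is deliberately strict: a verifier that accepts any OP_RETURN output, or a push of a different length, invites lookalike anchors, so it matches the exact 34-byte script and nothing else.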
The substrate attestation covers three post-quantum signature families from three independent mathematical foundations. This is a deliberate architectural choice, not redundancy for its own sake.
Each NIST-standardized family rests on a different hardness assumption: Module-LWE for ML-DSA (FIPS 204), SIS over NTRU lattices for FALCON (FIPS 206), and the preimage and collision resistance of hash functions for SLH-DSA (FIPS 205).
Breaking the three-family attestation requires simultaneous breakthroughs against module lattices (MLWE, the basis of ML-DSA), NTRU lattices (the SIS-over-NTRU basis of FALCON), and the underlying hash functions (the basis of SLH-DSA). Hash-based signatures share no structure with the lattice schemes, so progress in lattice cryptanalysis does not touch them, and vice versa. The two lattice families are less independent of each other: both are structured (module and ring) lattices, and a general advance in structured-lattice reduction could weaken both, which is why the hash-based family, not the second lattice family, is the critical third leg.
| Scenario | Single-Family System | Three-Family H33 Substrate |
|---|---|---|
| MLWE breakthrough (Dilithium falls) | Total compromise | FALCON + SPHINCS+ intact. Attestation degraded but valid. |
| All lattice schemes break | Total compromise | SPHINCS+ intact (hash-based, zero lattice dependence). |
| Hash function weakness | Depends on scheme | Both lattice families intact in their core assumption, though the SHA3-256 verification hash and the SHAKE expansion inside ML-DSA and FALCON would need re-assessment. |
| All three families break | Total compromise | Total compromise (requires 3 independent breakthroughs) |
In a conventional architecture, adding a second or third signature family multiplies the on-chain cost proportionally. Two families = 2x the bytes. Three families = 3x.
In the substrate architecture, the persistent footprint is constant regardless of how many families verify. The 32-byte on-chain hash and the 42-byte receipt are the same whether one family signed or three. The additional families add only to the ephemeral attestation-time computation (roughly 15 ms, almost all of it SLH-DSA signing), not to persistent storage. The marginal cost of three-family protection over single-family is 26 additional receipt bytes (42 bytes versus 16 bytes for a hash-only commitment) and zero additional on-chain bytes.
The substrate carries a computation type identifier from an append-only registry embedded within the signed boundary. This provides protocol-level replay prevention: a biometric authentication attestation cannot be presented as a payment authorization because the type identifier differs, and the identifier is covered by all three post-quantum signatures.
The registry is governed by three invariants:
These invariants enable cross-organizational interoperability. Two independent organizations implementing the same registry can verify each other's attestations without bilateral agreements or shared infrastructure.
The 42-byte receipt contains a 32-byte verification hash computed as SHA3-256 over the signing message, all three public keys, and all three signatures. Under the collision resistance of SHA3-256 (128-bit classical collision security; 256-bit preimage resistance, which Grover's algorithm reduces to 128 bits), no adversary can produce two different input sets that yield the same verification hash, so a receipt for a given message can only have been created by a party holding valid signatures under all three families. One consequence worth stating plainly: because the raw signatures are erased after attestation, a third party holding only the on-chain hash and the receipt does not re-run the three signature verifications. It checks that the receipt is intact under the attestation service's keys and that it commits to the expected message. The post-quantum guarantee is carried by the attestation service's verification and by the integrity of Cachee, not by independent re-verification.
When the substrate is used in conjunction with fully homomorphic encryption (FHE), the computation output is never decrypted at any stage of the attestation pipeline. The commitment is a hash of the encrypted ciphertext, not the plaintext. The signing message is a hash of the substrate. The signatures operate on the signing message. At no point does the attestation pipeline require or enable access to the plaintext computation result.
Receipts stored in Cachee are wrapped in a 102-byte security envelope consisting of a 12-byte AES-GCM nonce, 58 bytes of ciphertext (42-byte receipt + 16-byte authentication tag), and a 32-byte HMAC-SHA3-256 integrity tag. The encryption and HMAC keys are derived from a root secret held only by the attestation service via HKDF with domain-separated contexts. Even with full access to the Cachee storage layer, an adversary cannot read, forge, or modify receipts.
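An added example, not H33's code, of the key separation and outer integrity layer described above: HKDF with HMAC-SHA3-256 derives distinct encryption and MAC keys from one root secret using domain-separated info strings (the labels are constructed), and the 32-byte HMAC-SHA3-256 tag covers the 12-byte nonce and the 58-byte AES-GCM body. The AES-256-GCM step itself is not shown; the example treats the 58-byte GCM output as an opaque input. One design choice that is the editor's, not the paper's: the Cachee key (the on-chain anchor) is bound into the tag as associated data, so an envelope cannot be re-filed under a different anchor. The lookup fails closed when a receipt is missing or its tag does not verify.

```python
import hashlib
import hmac
from typing import Dict, Optional

HASH = hashlib.sha3_256
NONCE_LEN, GCM_BODY_LEN, TAG_LEN = 12, 58, 32     # 12 + 58 + 32 = 102-byte envelope
ENVELOPE_LEN = NONCE_LEN + GCM_BODY_LEN + TAG_LEN


def hkdf_sha3_256(ikm: bytes, info: bytes, length: int = 32, salt: bytes = b"") -> bytes:
    """RFC 5869 HKDF (extract-then-expand) instantiated with HMAC-SHA3-256."""
    prk = hmac.new(salt or bytes(HASH().digest_size), ikm, HASH).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_keys(root: bytes) -> Dict[str, bytes]:
    """Two keys from one root secret. The info strings are constructed labels, not H33's."""
    return {
        "enc": hkdf_sha3_256(root, b"cachee/receipt/aes-256-gcm/v1"),
        "mac": hkdf_sha3_256(root, b"cachee/receipt/hmac-sha3-256/v1"),
    }


def _tag(mac_key: bytes, anchor: bytes, nonce: bytes, gcm_body: bytes) -> bytes:
    # Editor's design choice: the Cachee key (on-chain anchor) is authenticated too,
    # so an envelope cannot be moved to a different key without breaking the tag.
    return hmac.new(mac_key, anchor + nonce + gcm_body, HASH).digest()


def seal_envelope(mac_key: bytes, anchor: bytes, nonce: bytes, gcm_body: bytes) -> bytes:
    """nonce || AES-GCM body (42-byte ciphertext + 16-byte GCM tag) || HMAC-SHA3-256 tag."""
    if len(nonce) != NONCE_LEN or len(gcm_body) != GCM_BODY_LEN:
        raise ValueError("envelope fields have fixed sizes")
    return nonce + gcm_body + _tag(mac_key, anchor, nonce, gcm_body)


def open_envelope(mac_key: bytes, anchor: bytes, envelope: bytes) -> Optional[bytes]:
    """Returns the 58-byte GCM body if the outer tag verifies (constant-time compare), else None.
    AES-256-GCM decryption with the 'enc' key and this nonce is the next step (not shown)."""
    if len(envelope) != ENVELOPE_LEN:
        return None
    nonce = envelope[:NONCE_LEN]
    body = envelope[NONCE_LEN:NONCE_LEN + GCM_BODY_LEN]
    tag = envelope[NONCE_LEN + GCM_BODY_LEN:]
    if not hmac.compare_digest(_tag(mac_key, anchor, nonce, body), tag):
        return None
    return body


class Cachee:
    """Minimal stand-in for the lookup layer: a dict keyed by the 32-byte anchor."""

    def __init__(self) -> None:
        self._store: Dict[bytes, bytes] = {}

    def put(self, anchor: bytes, envelope: bytes) -> None:
        self._store[anchor] = envelope

    def get(self, anchor: bytes) -> Optional[bytes]:
        return self._store.get(anchor)


def lookup_receipt(cachee: Cachee, mac_key: bytes, anchor: bytes) -> Optional[bytes]:
    """Fail closed: a missing, tampered or re-filed envelope yields None, never a receipt."""
    envelope = cachee.get(anchor)
    if envelope is None:
        return None
    return open_envelope(mac_key, anchor, envelope)
```

Keeping the MAC key separate from the encryption key (rather than reusing one key for both) is what lets the integrity check run before any decryption is attempted, so a tampered envelope is rejected without ever touching the GCM layer.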
Each substrate contains an 8-byte millisecond-precision timestamp and a 16-byte cryptographically random nonce. Two substrates produced from identical computation outputs in the same millisecond are distinct with probability 1 − 2^-128 (the chance that the two nonces collide). The timestamp lets verifiers impose a maximum-age constraint. The nonce makes every substrate unique, so a verifier that records the substrates it has already accepted can reject a replayed one; uniqueness by itself does not stop replay, the verifier's record of accepted substrates does.
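To make the binding described in the preceding paragraphs concrete (type identifier inside the signed boundary, verification hash over message, keys and signatures, timestamp and nonce), here is an added Python example. It is not H33's crate, and the paper does not publish the substrate or receipt layouts, so the 59-byte substrate layout, the 42-byte receipt layout (32-byte verification hash, 2-byte type id, 8-byte timestamp), the anchor being SHA3-256 of the receipt, and the registry entries are all assumptions. The "signatures" are deterministic stand-ins of the correct FIPS 204/205 and FALCON sizes, not real post-quantum signatures; a deployment calls the real signers and verifiers at the marked point. What the example does show is that a receipt presented under a different type, past its age limit, tampered with, or replayed is rejected, and that identical computation outputs with different nonces yield different anchors.

```python
import hashlib
import os
import struct
import time
from typing import Dict, Optional, Set, Tuple

# Hypothetical computation-type registry (the paper's registry is append-only and
# sits inside the signed boundary; these names and ids are constructed).
REGISTRY: Dict[str, int] = {"biometric-auth": 0x0001, "payment-authz": 0x0002}

# Sizes in bytes: FIPS 204 (ML-DSA-65), FIPS 205 (SLH-DSA-128f), FALCON-512 as used in this paper.
FAMILIES = ("ML-DSA-65", "FALCON-512", "SLH-DSA-128f")
SIG_LEN = {"ML-DSA-65": 3309, "FALCON-512": 657, "SLH-DSA-128f": 17088}
PK_LEN = {"ML-DSA-65": 1952, "FALCON-512": 897, "SLH-DSA-128f": 32}

# Assumed layouts (the paper fixes sizes, not byte order):
#   substrate (59 B) = version(1) | type_id(2) | timestamp_ms(8) | nonce(16) | commitment(32)
#   receipt   (42 B) = verification_hash(32) | type_id(2) | timestamp_ms(8)
HDR = ">BHQ"
HDR_LEN = struct.calcsize(HDR)
SUBSTRATE_LEN = HDR_LEN + 16 + 32
RECEIPT_LEN = 42


def build_substrate(type_name: str, commitment: bytes,
                    ts_ms: Optional[int] = None, nonce: Optional[bytes] = None) -> bytes:
    """Canonical byte sequence. The type id is inside the signed boundary, so a
    biometric-auth attestation can never be re-presented as a payment authorization."""
    if len(commitment) != 32:
        raise ValueError("commitment must be a 32-byte hash (e.g. of an FHE ciphertext)")
    ts_ms = int(time.time() * 1000) if ts_ms is None else ts_ms
    nonce = os.urandom(16) if nonce is None else nonce
    if len(nonce) != 16:
        raise ValueError("nonce must be 16 bytes")
    return struct.pack(HDR, 1, REGISTRY[type_name], ts_ms) + nonce + commitment


def signing_message(substrate: bytes) -> bytes:
    """All three families sign SHA3-256(substrate), never the plaintext result."""
    return hashlib.sha3_256(substrate).digest()


def _standin_pubkey(family: str) -> bytes:
    return hashlib.shake_256(b"standin-pk:" + family.encode()).digest(PK_LEN[family])


def _standin_sign(family: str, msg: bytes) -> bytearray:
    """Deterministic filler of the correct length. NOT a signature: a deployment
    calls the FIPS 204/205/206 signer here and verifies the output before hashing."""
    return bytearray(hashlib.shake_256(b"standin-sig:" + family.encode() + msg).digest(SIG_LEN[family]))


def verification_hash(msg: bytes, pks: Dict[str, bytes], sigs: Dict[str, bytearray]) -> bytes:
    """SHA3-256 over the message, then each family's public key and signature in fixed order."""
    h = hashlib.sha3_256(msg)
    for fam in FAMILIES:
        if len(pks[fam]) != PK_LEN[fam] or len(sigs[fam]) != SIG_LEN[fam]:
            raise ValueError(f"{fam}: wrong key or signature length")
        h.update(pks[fam])
        h.update(bytes(sigs[fam]))
    return h.digest()


def attest(type_name: str, commitment: bytes,
           ts_ms: Optional[int] = None, nonce: Optional[bytes] = None) -> Tuple[bytes, bytes, bytes]:
    """Returns (anchor, receipt, substrate). Raw signatures exist only inside this call."""
    substrate = build_substrate(type_name, commitment, ts_ms, nonce)
    msg = signing_message(substrate)
    pks = {fam: _standin_pubkey(fam) for fam in FAMILIES}
    sigs = {fam: _standin_sign(fam, msg) for fam in FAMILIES}
    vh = verification_hash(msg, pks, sigs)
    for sig in sigs.values():                 # best-effort zeroization (CPython may hold copies)
        sig[:] = bytes(len(sig))
    _, type_id, ts = struct.unpack(HDR, substrate[:HDR_LEN])
    receipt = vh + struct.pack(">HQ", type_id, ts)
    anchor = hashlib.sha3_256(receipt).digest()   # assumed: the 32 on-chain bytes = Cachee key
    return anchor, receipt, substrate


class ReceiptVerifier:
    """What a relying party checks after reading the anchor on-chain and fetching the receipt."""

    def __init__(self, max_age_ms: int) -> None:
        self.max_age_ms = max_age_ms
        self.seen: Set[bytes] = set()   # verification hashes already accepted

    def check(self, expected_type: str, anchor: bytes, receipt: bytes, now_ms: int) -> str:
        if len(receipt) != RECEIPT_LEN:
            return "malformed"
        if hashlib.sha3_256(receipt).digest() != anchor:
            return "anchor-mismatch"        # not the receipt the chain committed to
        vh = receipt[:32]
        type_id, ts = struct.unpack(">HQ", receipt[32:])
        if type_id != REGISTRY[expected_type]:
            return "wrong-type"             # cross-purpose replay (e.g. auth presented as payment)
        if ts > now_ms:
            return "future-timestamp"
        if now_ms - ts > self.max_age_ms:
            return "expired"
        if vh in self.seen:
            return "replay"                 # same substrate (same nonce) presented twice
        self.seen.add(vh)
        return "ok"
```

The replay set is keyed on the verification hash, which commits to the nonce through the signing message; that is exactly why the nonce has to be inside the signed boundary rather than carried beside it.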
| Component | Tests Passing | Status |
|---|---|---|
| h33-substrate crate (core) | 76 | Production, pushed to GitLab |
| scif-backend (biometric auth, identity, archive signing) | 2,504 | Production |
| V100 v100-turn (video infrastructure) | 1,079 | Integrated |
| V100 gateway (PQ artifact signing) | 27 | Integrated |
| h33-threshold-dilithium (deprecated) | 17 | Archived — replaced by substrate |
| Total | 3,703 | Zero regressions |
| Operation | Latency | Notes |
|---|---|---|
| Substrate construction | <1 µs | SHA3-256 + field packing |
| Dilithium sign | ~180 µs | ML-DSA-65, NIST Level 3 |
| FALCON sign | ~150 µs | FALCON-512, NIST Level 1 |
| SPHINCS+ sign | ~14.5 ms | SLH-DSA-SHA2-128f, stateless |
| Full 3-key attestation | ~16 ms | Sign + verify + compress + zeroize |
| Cachee receipt lookup | 0.059 µs | Sub-microsecond receipt retrieval (the lookup, not a signature verification) |
| Biometric auth pipeline (full) | ~35 µs | FHE + substrate + cached receipt |
| Sustained throughput | 2.2M auth/sec | 96-core Graviton4, production benchmark |
| Approach | On-Chain Bytes | PQ Families | Consensus Change | Available Today |
|---|---|---|---|---|
| Consensus soft fork (Dilithium opcode) | 3,309 | 1 | Required (years) | No |
| Taproot witness (inscription-style) | ~3,309+ | 1 | None (but high weight) | Yes |
| STARK-compressed signatures | ~440 | 2 | None | Yes |
| Hash commitment only (no verification) | 32 | 0 | None | Yes |
| H33 Substrate | 32 | 3 | None | Yes |
The H33 Substrate is the only approach that simultaneously achieves (a) under-100-byte total footprint, (b) three independent PQ families, (c) zero consensus changes, and (d) production availability.
The substrate is designed as a bridge to consensus-level post-quantum verification, not a permanent alternative to it. When blockchains eventually add native PQ signature opcodes or precompiles through their governance processes, the substrate architecture evolves without change:
The substrate works today. The consensus changes will work eventually. They are complementary, not competing.
Every blockchain in production today is protected by cryptography with a known expiration date. The post-quantum algorithms that fix the problem produce signatures too large for on-chain use, and the governance processes to add them to consensus take years that may not be available.
The H33 Substrate solves this by recognizing that post-quantum signatures don't need to persist. They need to be verified once, and the verification result—74 bytes binding three independent mathematical families to a specific computation at a specific time—is what the blockchain carries forward.
32 bytes on-chain. 42 bytes in Cachee. Three mathematical families. Zero consensus changes. Running in production. The quantum clock is ticking. The solution fits in 74 bytes.
H33.ai, Inc. · Riverview, Florida · h33.ai · Patent Pending