Three independent hardness assumptions. NIST FIPS 203/204/205 compliant. Breaks only if MLWE lattices, NTRU lattices, AND stateless hash functions are simultaneously broken. Production-grade: 2.2M auth/sec sustained on ARM64 Graviton4.
Post-quantum cryptography (PQC) is the field of cryptographic algorithms designed to resist attacks by both classical and quantum computers. Every widely deployed public-key cryptosystem today -- RSA, ECDSA, ECDH, EdDSA -- relies on the hardness of integer factorization or the discrete logarithm problem. Shor's algorithm, running on a sufficiently large quantum computer, solves both in polynomial time. When that computer arrives, the private key behind every RSA or elliptic-curve public key ever published becomes recoverable: every recorded Diffie-Hellman exchange can be opened retroactively, and signatures can be forged under any key whose public half an attacker has seen.
This is not a future concern. It is a present one. The harvest-now-decrypt-later (HNDL) attack model means that encrypted communications captured today can be stored and decrypted when quantum computers become available. Intelligence agencies, well-funded adversaries, and state actors are already collecting encrypted traffic at scale. Any data that needs to remain confidential for more than 5-10 years -- medical records, financial transactions, government communications, intellectual property -- is at risk right now.
The National Institute of Standards and Technology (NIST) recognized this threat and initiated the Post-Quantum Cryptography Standardization Process in 2016. After eight years of evaluation, public comment, and cryptanalysis, NIST published three post-quantum cryptographic standards in 2024: FIPS 203 (ML-KEM for key encapsulation), FIPS 204 (ML-DSA for digital signatures), and FIPS 205 (SLH-DSA for hash-based signatures). These standards represent the foundation of the post-quantum transition.
Estimating when cryptographically relevant quantum computers (CRQCs) will arrive is inherently uncertain, but the trajectory is clear. IBM's quantum roadmap targets 100,000+ qubit systems by 2033. Google's Willow chip demonstrated below-threshold error correction in 2024. Multiple nation-state quantum programs operate with classified capability levels that may exceed public knowledge.
The relevant metric is not when a perfect quantum computer arrives but when a noisy physical device, wrapped in quantum error correction, can sustain the few thousand logical qubits (a commonly cited figure is around 4,000) needed to run Shor's algorithm against RSA-2048. Current estimates place that capability between 2030 and 2040, though advances in error correction, or reductions in the algorithm's own resource requirements, could pull the date forward significantly.
For organizations making security decisions today, the math is straightforward (it is usually stated as Mosca's inequality): if your data must stay confidential for N years, migration takes T years, and a cryptographically relevant quantum computer might arrive in M years, you are already late once N + T > M. For most enterprises, that calculation already resolves to "now."
NIST's three post-quantum standards address different cryptographic functions:
FIPS 203 (ML-KEM, formerly CRYSTALS-Kyber) provides key encapsulation -- the mechanism by which two parties establish a shared secret over an insecure channel. ML-KEM is based on the Module Learning With Errors (MLWE) problem, a lattice-based hardness assumption. H33 implements ML-KEM for all key exchange operations, ensuring that encrypted channels established today remain secure against future quantum attack.
FIPS 204 (ML-DSA, formerly CRYSTALS-Dilithium) provides digital signatures. ML-DSA is the primary signature algorithm in H33's pipeline, used for batch attestation of FHE computation results. Every 32-user batch produces a single ML-DSA signature, enabling the 2.2M auth/sec throughput that defines H33's production performance. ML-DSA is also based on lattice hardness (MLWE and SelfTargetMSIS).
FIPS 205 (SLH-DSA, formerly SPHINCS+) provides stateless hash-based signatures. SLH-DSA's security rests entirely on the properties of hash functions -- a different mathematical foundation from the lattice-based schemes. H33 uses SLH-DSA-SHA2-128f (the FIPS 205 parameter set descended from the SPHINCS+ "simple" variant) as one of three signature families in its three-key signing architecture, so that an advance in lattice cryptanalysis does not by itself compromise signature integrity.
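The batch attestation described above signs one SHA3-256 digest per 32-user batch. The page does not say how an individual user's result is bound to that digest, so the following is an added illustration, not H33's code: it assumes a SHA3-256 Merkle tree over the 32 results, with the root as the value handed to ML-DSA signing and a five-node inclusion proof that lets one user check their result against the signed root without the other 31 results. The function names, the leaf/node prefixes and the sample batch are constructed for this example.

```python
import hashlib

BATCH_SIZE = 32  # one ML-DSA signature per 32-user batch, as described on the page


def _h(data: bytes) -> bytes:
    return hashlib.sha3_256(data).digest()


def leaf_hash(result: bytes) -> bytes:
    # 0x00 prefix: a leaf can never be confused with an inner node
    return _h(b"\x00" + result)


def node_hash(left: bytes, right: bytes) -> bytes:
    # 0x01 prefix: domain separation against second-preimage tricks on the tree
    return _h(b"\x01" + left + right)


def _next_level(level: list) -> list:
    return [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]


def batch_root(results: list) -> bytes:
    """SHA3-256 Merkle root over exactly 32 results; this is the value to sign."""
    if len(results) != BATCH_SIZE:
        raise ValueError(f"batch must hold exactly {BATCH_SIZE} results")
    level = [leaf_hash(r) for r in results]
    while len(level) > 1:
        level = _next_level(level)
    return level[0]


def inclusion_proof(results: list, index: int) -> list:
    """Sibling hashes from leaf `index` up to the root as (sibling, leaf_is_right_child)."""
    if len(results) != BATCH_SIZE or not 0 <= index < BATCH_SIZE:
        raise ValueError("index or batch size out of range")
    level = [leaf_hash(r) for r in results]
    proof = []
    while len(level) > 1:
        proof.append((level[index ^ 1], bool(index & 1)))
        level = _next_level(level)
        index //= 2
    return proof


def verify_inclusion(root: bytes, result: bytes, proof: list) -> bool:
    """Recompute the path from one user's result and compare with the signed root."""
    if len(proof) != BATCH_SIZE.bit_length() - 1:  # log2(32) == 5 levels
        return False
    h = leaf_hash(result)
    for sibling, is_right in proof:
        h = node_hash(sibling, h) if is_right else node_hash(h, sibling)
    return h == root


# Constructed sample batch: 32 per-user authentication results (not real H33 output).
SAMPLE_BATCH = [f"user-{i:02d}:auth=ok".encode() for i in range(BATCH_SIZE)]


def demo() -> dict:
    root = batch_root(SAMPLE_BATCH)   # in the pipeline this root is what ML-DSA signs
    proof = inclusion_proof(SAMPLE_BATCH, 17)
    return {
        "proof_len": len(proof),
        "genuine": verify_inclusion(root, SAMPLE_BATCH[17], proof),
        "tampered": verify_inclusion(root, b"user-17:auth=denied", proof),
        "wrong_slot": verify_inclusion(root, SAMPLE_BATCH[16], proof),
    }


if __name__ == "__main__":
    print(demo())
```

The distinct leaf and node prefixes matter: without them an attacker who controls one "result" can present an inner-node encoding as a leaf and make a proof for a value that was never in the batch. Whatever structure H33 actually uses, the signed digest must commit to each user's result in a way that the user can verify independently, or the single-signature-per-batch design saves signing cost at the expense of per-user verifiability.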
A post-quantum deployment that rests on a single hardness assumption has a single point of failure: if that assumption falls -- if someone finds an efficient quantum or classical algorithm for the underlying problem -- every signature and key exchange in the system is broken at once.
H33 takes a different approach. The three-family signature model combines ML-DSA (MLWE lattice hardness), FALCON (NTRU lattice hardness), and SLH-DSA (hash-function hardness) into a single attestation bundle, and verification accepts the bundle only if all three signatures verify. Under that AND rule, forging an H33 attestation requires forging all three signatures, so an attacker would need to break MLWE lattices, NTRU lattices, AND the underlying hash functions at the same time. The three bets are distinct but not equally independent: ML-DSA and FALCON are both lattice schemes, so a general breakthrough in lattice cryptanalysis would take out both and leave only SLH-DSA standing, while a break of the hash functions SLH-DSA relies on would leave both lattice schemes intact. The rule also cuts the other way: a verifier that accepts the bundle when any one family verifies is only as strong as the weakest family, so the all-must-verify check is what gives the three-family design its meaning.
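To make the all-must-verify rule concrete, here is an added example (not H33's code) of a three-slot bundle whose verification fails unless every slot verifies, beside the OR-composition anti-pattern that accepts as soon as one slot does. Real ML-DSA, FALCON and SLH-DSA cannot be reimplemented in a few lines, so each slot uses a Lamport one-time signature over a different hash function as a stand-in: a Lamport signature rests only on hash preimage resistance, which is the same kind of assumption SLH-DSA makes, while the two lattice slots are stand-ins in name only. The slot names, `verify_bundle_all`/`verify_bundle_any`, the domain-separation prefix and the sample payload are constructed for this example.

```python
import hashlib
import os


class LamportOTS:
    """Lamport one-time signature over a chosen hash (stand-in for a real family).

    Security rests only on preimage resistance of `hash_name`; each key signs ONE message.
    """

    def __init__(self, hash_name: str):
        self.hash_name = hash_name

    def h(self, data: bytes) -> bytes:
        return hashlib.new(self.hash_name, data).digest()

    def keygen(self):
        # 256 message bits x 2 secret preimages; the public key is their hashes
        sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
        pk = [(self.h(a), self.h(b)) for a, b in sk]
        return sk, pk

    @staticmethod
    def _bit(digest: bytes, i: int) -> int:
        return (digest[i // 8] >> (7 - i % 8)) & 1

    def sign(self, sk, msg: bytes) -> list:
        d = self.h(msg)
        return [sk[i][self._bit(d, i)] for i in range(256)]  # reveal one preimage per bit

    def verify(self, pk, msg: bytes, sig: list) -> bool:
        if len(sig) != 256:
            return False
        d = self.h(msg)
        return all(self.h(sig[i]) == pk[i][self._bit(d, i)] for i in range(256))


# Slot names follow the page; the schemes behind them are stand-ins chosen so that
# no two slots share a hash function (a break of one does not carry to the others).
FAMILIES = {
    "ML-DSA": LamportOTS("sha3_256"),
    "FALCON": LamportOTS("sha256"),
    "SLH-DSA": LamportOTS("blake2s"),
}


def keygen_all():
    sks, pks = {}, {}
    for name, scheme in FAMILIES.items():
        sks[name], pks[name] = scheme.keygen()
    return sks, pks


def _to_be_signed(family: str, msg: bytes) -> bytes:
    # Domain separation: a signature made for one slot cannot be replayed into another
    return family.encode() + b"\x00" + msg


def sign_bundle(sks, msg: bytes) -> dict:
    return {name: FAMILIES[name].sign(sks[name], _to_be_signed(name, msg)) for name in FAMILIES}


def verify_bundle_all(pks, msg: bytes, bundle: dict) -> bool:
    """AND composition: every family must be present and verify; a missing slot is a reject."""
    return all(
        name in bundle and scheme.verify(pks[name], _to_be_signed(name, msg), bundle[name])
        for name, scheme in FAMILIES.items()
    )


def verify_bundle_any(pks, msg: bytes, bundle: dict) -> bool:
    """OR composition, the anti-pattern: one compromised family is enough to forge."""
    return any(
        name in bundle and scheme.verify(pks[name], _to_be_signed(name, msg), bundle[name])
        for name, scheme in FAMILIES.items()
    )


def demo() -> dict:
    msg = b"batch-0001:sha3=...:32 users"  # constructed attestation payload
    sks, pks = keygen_all()
    honest = sign_bundle(sks, msg)
    # Attacker model: the FALCON slot is "broken" (its secret key is known); the others are not.
    forged_msg = b"batch-0001:forged"
    forged = {"FALCON": FAMILIES["FALCON"].sign(sks["FALCON"], _to_be_signed("FALCON", forged_msg))}
    return {
        "honest_all": verify_bundle_all(pks, msg, honest),
        "honest_wrong_msg": verify_bundle_all(pks, forged_msg, honest),
        "forged_all": verify_bundle_all(pks, forged_msg, forged),
        "forged_any": verify_bundle_any(pks, forged_msg, forged),
    }


if __name__ == "__main__":
    print(demo())
```

The attacker who owns one family's key produces a bundle that `verify_bundle_any` accepts and `verify_bundle_all` rejects; that difference, not the number of families, is the security property. The same structure applies unchanged when the slots hold real ML-DSA, FALCON and SLH-DSA verifiers, with the extra operational rule that Lamport keys illustrate in miniature: any stateful or one-time component must never sign twice under one key.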
The three-key signature bundle is distilled through H33-74 into a 74-byte attestation that can be anchored to any blockchain, stored in any database, or transmitted over any channel. The distillation is not compression -- the raw signatures run to kilobytes and cannot be recovered from 74 bytes -- but a separate representation that stays cryptographically bound to all three families in a fraction of the space.
Post-quantum cryptography has a reputation for being slow. H33 disproves this at production scale. On a Graviton4 c8g.metal-48xl (192 vCPUs, 371 GiB RAM), the full authentication pipeline -- BFV homomorphic encryption, SHA3-256 hashing, ML-DSA signing and verification, and ZK-STARK proof lookup -- sustains 2,209,429 authentications per second over 120-second measurement windows. That works out to 42 microseconds of pipeline time per authentication, amortized across a 32-user batch.
These numbers include the entire pipeline, not just the signature operation. The FHE batch processes 32 users in 943 microseconds. The batch attestation (SHA3 + ML-DSA sign + verify) completes in 391 microseconds. The ZK cached lookup takes 0.358 microseconds. Together that is about 1,334 microseconds per 32-user batch, or roughly 42 microseconds per user; because the cost is amortized over the batch, the wall-clock latency an individual request sees is bounded below by the batch time, not by 42 microseconds. This is achieved on ARM64 hardware running pure Rust with zero external FHE or ZK dependencies.
| Property | Classical (RSA/ECC) | H33 Post-Quantum |
|---|---|---|
| Quantum resistance | None -- broken by Shor's algorithm | Three hardness assumptions (MLWE lattice, NTRU lattice, hash-based) |
| Signature standard | RSA-2048 / ECDSA P-256 | ML-DSA-65 + FALCON-512 + SLH-DSA-SHA2-128f |
| Key exchange | ECDH / RSA-KEM | ML-KEM-768 (FIPS 203) |
| NIST status | Legacy (migration mandated) | FIPS 203/204/205 standardized; FALCON pending as FN-DSA (FIPS 206, draft) |
| Signature size (raw) | 64 bytes (ECDSA P-256) / 256 bytes (RSA-2048) | ~21,000 bytes (3,309 ML-DSA-65 + ~666 FALCON-512 + 17,088 SLH-DSA-SHA2-128f) |
| Attestation size (distilled) | N/A | 74 bytes (H33-74) |
| Harvest-now-decrypt-later | Vulnerable | Resistant, under the three hardness assumptions above |
| Production throughput | ~100K ops/sec (typical ECDSA figure; not a like-for-like pipeline) | 2.2M auth/sec (H33 full pipeline, 192-vCPU node) |
| Hardware | x86 / general purpose | ARM64 Graviton4 (optimized) |
| Regulatory trajectory | Phased out 2030-2033 (NSA CNSA 2.0) | FIPS 203/204 algorithms required for new systems (CNSA 2.0 itself specifies ML-KEM-1024 and ML-DSA-87; FALCON and SLH-DSA are not CNSA 2.0 selections) |
NSA CNSA 2.0 sets a phased schedule for National Security Systems: software and firmware signing must use CNSA 2.0 algorithms exclusively by 2030, and web browsers and servers, cloud services, operating systems and the remaining categories must follow by 2033. The clock is running.
Post-quantum cryptography refers to cryptographic algorithms designed to resist attacks by both classical and quantum computers. Unlike RSA and elliptic curve cryptography, which can be broken by Shor's algorithm, PQC algorithms are based on problems believed to remain hard even for quantum computers -- structured lattice problems such as MLWE and NTRU, and the preimage and collision resistance of hash functions.
Published estimates from cryptographers and government agencies generally place cryptographically relevant quantum computers between 2030 and 2040, with wide error bars. However, the threat is already real today through harvest-now-decrypt-later attacks. Any data needing confidentiality for more than 5-10 years should already be protected with post-quantum cryptography.
H33's three-family signature model is built on MLWE lattices (ML-DSA), NTRU lattices (FALCON), and stateless hash functions (SLH-DSA). An attacker would need to simultaneously break all three independent mathematical problems to forge an H33 signature.
H33 implements NIST FIPS 203 (ML-KEM for key encapsulation), FIPS 204 (ML-DSA for digital signatures), and FIPS 205 (SLH-DSA for hash-based signatures), plus FALCON, which NIST selected for standardization as FN-DSA (FIPS 206, still in draft). All implementations are KAT-validated against official NIST test vectors.
H33 achieves 2.2M authentications per second sustained on Graviton4 hardware, which works out to 42 microseconds of pipeline time per authentication amortized over each 32-user batch. These are 120-second sustained measurements, not burst benchmarks.
Test post-quantum signatures, key encapsulation, and attestation through the live API. One endpoint. Three hardness assumptions. 74 bytes.