Why three signatures instead of one?
Defense in depth. Each signature algorithm relies on a different mathematical hardness assumption. If a future breakthrough (quantum computing, novel attack) breaks one algorithm, the remaining two still protect the document. One algorithm failing is survivable. Two failing simultaneously is extraordinarily unlikely because they are from independent mathematical families (elliptic curves, structured lattices, and hash functions). This is the cryptographic equivalent of three independent locks on a vault door.
What does temporal binding mean?
Temporal binding chains the three signatures in sequence so each signature covers the previous one. The ECDSA signature signs the document. The Dilithium signature signs the document plus the ECDSA signature. The FALCON signature signs the document plus both prior signatures. This creates a tamper-evident chain where modifying or removing any layer invalidates all subsequent layers. It also embeds a timestamp at each layer, proving the exact order and time of signing.
Which three algorithms are used?
Layer 1: Ed25519 (elliptic curve, immediate backwards compatibility with existing systems). Layer 2: Dilithium-5 / ML-DSA (structured lattice, NIST PQC standard, primary post-quantum layer). Layer 3: FALCON-512 (NTRU lattice, hash-based structure, independent lattice family from Dilithium). Each layer is from a different mathematical family, maximizing cryptographic diversity.
What happens if one algorithm is broken?
The document remains protected by the two surviving algorithms. For example, if a quantum computer breaks Ed25519, the Dilithium and FALCON layers still provide full post-quantum security. If a novel lattice attack weakens Dilithium, Ed25519 and FALCON still hold. The temporal binding chain means an attacker must break all three algorithms to forge a signature. Verification succeeds as long as at least one layer is intact, with the verifier reporting which layers are valid.
What is the performance overhead of triple signing?
The full triple sign cycle takes approximately ~690 microseconds on Graviton4. Broken down: Ed25519 sign is ~30 microseconds, Dilithium-5 sign is ~280 microseconds, and FALCON-512 sign is ~380 microseconds. Verification is faster at roughly 450 microseconds total. For comparison, a single Dilithium sign alone is ~280 microseconds, so the overhead of adding two more layers is roughly 2.5x, not 3x, due to pipelining.
When should I use 3-Key vs single Dilithium?
Use 3-Key for long-lived artifacts that must remain valid for decades: regulatory filings, legal contracts, certificate chains, notarized documents, and archival records. Use single Dilithium for short-lived tokens, session authentication, and real-time API attestation where the signature only needs to be valid for hours or days. The cost difference is 5 credits (3-Key) vs 1 credit (single Dilithium sign).
How large is a triple-nested signature?
Ed25519 signature: 64 bytes. Dilithium-5 signature: ~4,627 bytes. FALCON-512 signature: ~690 bytes. Total: approximately ~5.4 KB for the complete triple signature envelope. The envelope also includes timestamps, algorithm identifiers, and the temporal binding chain metadata, bringing the total to roughly 6 KB. This is compact enough to embed in PDF metadata, X.509 certificates, or blockchain transactions.
What is the verification time?
Full triple verification takes approximately ~450 microseconds: Ed25519 verify (~15 microseconds), Dilithium-5 verify (~130 microseconds), and FALCON-512 verify (~305 microseconds). The verifier can optionally perform early-exit verification, checking only the first layer for quick validation and deferring the full chain for audit. Parallel verification of all three layers is also supported, reducing wall-clock time to roughly 310 microseconds.
Is triple signing overkill for short-lived tokens?
Yes, generally. For JWT tokens, session cookies, and API request signatures that expire in hours, a single Dilithium signature provides sufficient post-quantum security. The threat model for short-lived tokens does not include "adversary breaks a NIST-standardized algorithm within the token's lifetime." Reserve 3-Key for artifacts where the cost of a future signature break would be catastrophic, such as land titles, medical records, or financial instruments.
How does H33-3-Key align with the NIST PQC transition timeline?
NIST recommends organizations begin transitioning to post-quantum algorithms by 2025 and complete migration by 2035. H33-3-Key exceeds this guidance by providing two post-quantum layers (Dilithium + FALCON) alongside a classical layer (Ed25519) for backwards compatibility. This means documents signed today will be valid through the entire NIST transition period and beyond, regardless of which algorithms are deprecated or broken during the transition.
Can I choose which algorithms to include?
The default triple stack (Ed25519 + Dilithium-5 + FALCON-512) is recommended for maximum security diversity. Custom configurations are available for enterprise customers. You can substitute Ed25519 with ECDSA P-256 for FIPS compliance, or replace FALCON with SPHINCS+ for a hash-based alternative. The API accepts an algorithm_config parameter to specify the desired triple stack. Minimum two layers are required; single-algorithm signing uses the standard H33-128 endpoints.
Is H33-3-Key backwards compatible with ECDSA-only verifiers?
Yes. The triple signature envelope includes the Ed25519/ECDSA signature as an independently verifiable first layer. Legacy verifiers that only understand ECDSA can extract and verify the first layer while ignoring the Dilithium and FALCON layers. This means you can deploy 3-Key today without waiting for every verifier in your ecosystem to support post-quantum algorithms. Full-chain verifiers validate all three layers.
How does H33-3-Key work in certificate chains?
Each certificate in the chain carries its own triple signature. The root CA signs with 3-Key, intermediate CAs sign with 3-Key, and end-entity certificates carry a 3-Key signature from the issuing CA. Verification walks the chain, checking all three layers at each level. If a future algorithm break compromises one layer, the chain remains valid through the surviving layers. This provides quantum-resistant PKI without a forklift upgrade of existing X.509 infrastructure.
Can H33-3-Key be used with TLS?
H33-3-Key is designed for document and artifact signing, not TLS handshakes. TLS requires real-time key exchange and session establishment where triple signing would add unnecessary latency. For TLS, H33 offers Kyber (ML-KEM) key encapsulation with Dilithium server authentication through the post-quantum TLS product. However, TLS server certificates can be signed with 3-Key if you want the certificate itself to carry triple protection for its validity period.
What does a triple signature cost?
A single 3-Key sign operation costs 5 credits. Verification is free (verifiers do not consume credits). The free tier includes 1,000 credits per month, which covers 200 triple signatures. For bulk document signing (contracts, certificates, regulatory filings), volume pricing reduces the per-signature cost. Compare to single Dilithium at 1 credit per sign, the 3-Key premium is 4 credits for the additional two algorithm layers and temporal binding chain.