Crypto API Reference
Complete reference for H33's cryptographic API suite. Post-quantum signatures (ML-DSA, ML-KEM), fully homomorphic encryption (BFV, CKKS), zero-knowledge proofs (ZK-STARK), and secure multi-party computation.
Dilithium (ML-DSA) NIST PQC
NIST FIPS 204 standardized post-quantum digital signatures. Lattice-based security resistant to quantum attacks. Three security levels: ML-DSA-44 (NIST Level 2), ML-DSA-65 (Level 3), ML-DSA-87 (Level 5).
Generate a new Dilithium keypair for post-quantum digital signatures.
Request
{
"security_level": "ML-DSA-65" // ML-DSA-44 | ML-DSA-65 | ML-DSA-87
}
Response
{
"public_key": "base64...",
"secret_key": "base64...",
"algorithm": "ML-DSA-65"
}
Sign a message using Dilithium secret key.
Request
{
"message": "base64_encoded_message",
"secret_key": "base64_encoded_secret_key"
}
Response
{
"signature": "base64..."
}
Verify a Dilithium signature against a message and public key.
Request
{
"message": "base64_encoded_message",
"signature": "base64_encoded_signature",
"public_key": "base64_encoded_public_key"
}
Response
{
"valid": true
}
Kyber (ML-KEM) NIST PQC
NIST FIPS 203 standardized post-quantum key encapsulation mechanism. Provides quantum-resistant key exchange. Three security levels: ML-KEM-512, ML-KEM-768, ML-KEM-1024.
Generate a new Kyber keypair for quantum-resistant key encapsulation.
Request
{
"security_level": "ML-KEM-768" // ML-KEM-512 | ML-KEM-768 | ML-KEM-1024
}
Response
{
"public_key": "base64...",
"secret_key": "base64...",
"algorithm": "ML-KEM-768"
}
Encapsulate a shared secret using the recipient's public key.
Request
{
"public_key": "base64_encoded_public_key"
}
Response
{
"ciphertext": "base64...",
"shared_secret": "base64..." // 32 bytes
}
Decapsulate the shared secret using your secret key.
Request
{
"ciphertext": "base64_encoded_ciphertext",
"secret_key": "base64_encoded_secret_key"
}
Response
{
"shared_secret": "base64..." // Same 32 bytes as sender
}
Hybrid Signature Modes PQC
H33 supports three signature modes. The mode is selected automatically based on your security level (H0–H256),
or you can override it per-request via the signatureMode parameter.
Concatenated (H2, standard auth)
// Concatenated: two independent signatures side by side const result = await h33.auth.verify({ biometric: captureData, signatureMode: "concatenated" // default for H2/H33 }); // result.signatures.ed25519 → 64 bytes // result.signatures.dilithium → 2,420 bytes // result.verified: true (both must pass)
Nested (H33-128, identity ops)
// Nested: Dilithium wraps (payload + Ed25519 sig) const result = await h33.auth.verify({ biometric: captureData, signatureMode: "nested" // default for H33-128 }); // result.signatures.inner → Ed25519 over payload (64 bytes) // result.signatures.outer → Dilithium over (payload || inner) (2,420 bytes) // result.signatureScheme: "NESTED_ED25519_DILITHIUM3" // Temporal binding: outer attests inner existed at sign time
Triple-Nested (H-256, SBT mint)
// Triple-nested: third algorithm wraps the nested pair const sbt = await h33.identity.mintSoulbound({ biometricCommitment: commitment, guardians: guardianList, signatureMode: "triple-nested", tripleVariant: "hash-diversified" // "lattice-redundant" = Ed25519 + Dilithium-5 + FALCON-512 (~2ms) // "hash-diversified" = Ed25519 + Dilithium-5 + SPHINCS+ (~14ms) }); // result.signatures.layer1 → Ed25519 (64 bytes) // result.signatures.layer2 → Dilithium over (payload || layer1) // result.signatures.layer3 → FALCON or SPHINCS+ over full composite // result.layer3OnChainHash → SHA3-256 hash (32 bytes, stored on-chain)
Wire Format
| Mode | Layer 1 | Layer 2 | Layer 3 | Total | Latency |
|---|---|---|---|---|---|
| Concatenated | Ed25519 64B | Dilithium-3 2,420B | — | 2,484B | ~142µs |
| Nested | Ed25519 64B | Dilithium-3 2,420B | — | 2,484B | ~142µs |
| Triple (H-256-L) | Ed25519 64B | Dilithium-5 3,309B | FALCON-512 690B * | ~4,063B | ~2ms |
| Triple (H-256-H) | Ed25519 64B | Dilithium-5 3,309B | SPHINCS+ 7,856B * | ~11,229B | ~14ms |
Create a hybrid multi-layer signature. Supports nested and triple-nested modes with configurable algorithm variants.
Request
{
"message": "base64_encoded_message",
"signatureMode": "nested", // "nested" | "triple-nested"
"tripleVariant": "lattice-redundant" // "lattice-redundant" | "hash-diversified" (triple-nested only)
}
Response
{
"signatures": {
"layer1": "base64...",
"layer2": "base64...",
"layer3": "base64..." // present only for triple-nested
},
"scheme": "NESTED_ED25519_DILITHIUM3",
"onChainHash": "base64..." // SHA3-256, present only for triple-nested
}
Verify a hybrid multi-layer signature. Validates each layer independently and returns per-layer results.
Request
{
"message": "base64_encoded_message",
"signatures": {
"layer1": "base64...",
"layer2": "base64...",
"layer3": "base64..."
},
"scheme": "TRIPLE_ED25519_DILITHIUM5_FALCON512"
}
Response
{
"valid": true,
"layers": {
"layer1": true,
"layer2": true,
"layer3": true
}
}
List available hybrid signature algorithms and their configurations per security level.
Response
{
"available": {
"classical": ["ed25519"],
"lattice": ["dilithium2", "dilithium3", "dilithium5", "falcon512"],
"hashBased": ["sphincsPlus128s"]
},
"configurations": {
"H0": { "layers": ["dilithium3"] },
"H33": { "layers": ["ed25519", "dilithium3"] },
"H-256-L": { "layers": ["ed25519", "dilithium5", "falcon512"] },
"H-256-H": { "layers": ["ed25519", "dilithium5", "sphincsPlus128s"], "status": "planned" }
}
}
FHE - BFV Scheme FHE
Brakerski/Fan-Vercauteren scheme for fully homomorphic encryption over integers. Ideal for exact integer arithmetic on encrypted data. Supports addition and multiplication.
Generate BFV encryption keys including public key, secret key, and relinearization key.
Request
{
"security_level": "128" // 128 | 192 | 256
}
Response
{
"public_key": "base64...",
"secret_key": "base64...",
"relin_key": "base64...",
"session_id": "uuid..."
}
Encrypt an integer vector. Supports batching for SIMD-style operations.
Request
{
"plaintext": [1, 2, 3, 4, 5], // i64 array
"public_key": "base64..."
}
Response
{
"ciphertext": "base64..."
}
Decrypt a BFV ciphertext back to plaintext integers.
Request
{
"ciphertext": "base64...",
"secret_key": "base64..."
}
Response
{
"plaintext": [1, 2, 3, 4, 5]
}
Homomorphically add two ciphertexts. Result decrypts to sum of plaintexts.
Request
{
"ciphertext_a": "base64...",
"ciphertext_b": "base64..."
}
Homomorphically multiply two ciphertexts. Requires relinearization key to maintain ciphertext size.
Request
{
"ciphertext_a": "base64...",
"ciphertext_b": "base64...",
"relin_key": "base64..."
}
FHE - CKKS Scheme FHE
Cheon-Kim-Kim-Song scheme for fully homomorphic encryption over approximate numbers. Ideal for machine learning and floating-point computations on encrypted data. Supports bootstrapping for unlimited computation depth.
Create a new CKKS session with encryption keys and context. Returns session_id for subsequent operations.
Request
{
"security_level": "q-128", // q-dev, q-128, q-256
"scale_bits": 40, // Precision: 2^40
"poly_modulus_degree": 8192 // Ring dimension
}
Response
{
"session_id": "ckks_abc123...",
"public_key": "base64...",
"relin_key": "base64...",
"galois_keys": "base64...",
"max_slots": 4096
}
Encrypt float vectors into a CKKS ciphertext. Supports batching up to max_slots values.
Request
{
"session_id": "ckks_abc123...",
"plaintext": [1.5, 2.7, 3.14159, -0.5] // f64 array
}
Response
{
"ciphertext": "base64...",
"scale": 1099511627776 // 2^40
}
Decrypt a CKKS ciphertext to float values. Returns approximate real numbers.
Request
{
"session_id": "ckks_abc123...",
"ciphertext": "base64..."
}
Response
{
"plaintext": [1.4999998, 2.7000001, 3.1415899, -0.5000001]
}
Perform homomorphic operations on encrypted data. Supports add, sub, multiply, multiply_lazy, rescale, relinearize, and dot_product.
Request
{
"session_id": "ckks_abc123...",
"operation": "multiply", // add, sub, multiply, multiply_lazy, rescale, relinearize, dot_product
"ciphertext_a": "base64...",
"ciphertext_b": "base64..." // Optional for unary ops
}
Response
{
"result": "base64...",
"scale": 1208925819614629174706176, // After multiply: 2^80
"needs_rescale": true
}
Operations
| Op | Description | Notes |
|---|---|---|
add |
Element-wise addition | Scales must match |
sub |
Element-wise subtraction | Scales must match |
multiply |
Element-wise multiplication | Auto-relinearizes |
multiply_lazy |
Multiply without relin | Faster, defer relin |
rescale |
Reduce scale after multiply | Required after mult |
relinearize |
Reduce ciphertext size | After multiply_lazy |
dot_product |
Vector dot product | Uses rotations |
Fused dot product with automatic rescaling. Optimized for ML inference — computes inner product of encrypted vectors in a single call.
Request
{
"session_id": "ckks_abc123...",
"ciphertext_a": "base64...", // Encrypted vector A
"ciphertext_b": "base64..." // Encrypted vector B
}
Response
{
"result": "base64...", // Encrypted scalar (dot product)
"scale": 1099511627776
}
Compute encrypted cosine similarity for ML matching. Perfect for biometric feature comparison without decryption.
Request
{
"encrypted_vector_a": "base64...",
"encrypted_vector_b": "base64...",
"relin_key": "base64..."
}
Response
{
"encrypted_similarity": "base64..." // Decrypt to get 0.0-1.0
}
ZKP - ZK-STARK ZKP
ZK-STARK is H33's production ZK proof system. STARK Lookup with SHA3-256 hash, optimized for authentication: 0.067µs prove, 2.09ns (cached) verify, 105-byte proofs. Post-quantum safe. No trusted setup.
Generate a ZK-STARK zero-knowledge proof. Prove statements about data without revealing it. STARK Lookup with SHA3-256 hash, optimized for authentication workloads. Post-quantum safe, no trusted setup.
Request
{
"statement": "identity", // identity | age | credential | hash-preimage
"private_inputs": {
"secret": "base64...",
"salt": "base64..."
},
"public_inputs": {
"commitment": "base64..."
}
}
Response
{
"proof": "base64...", // 105 bytes
"public_inputs": {
"commitment": "base64..."
},
"prove_time_ms": 18.2
}
Verify a ZK-STARK proof against public inputs. 2.09ns cached verification.
Request
{
"proof": "base64...",
"statement": "identity",
"public_inputs": {
"commitment": "base64..."
}
}
Response
{
"valid": true,
"verify_time_ns": 2.09
}
MPC - Secure Multi-Party Computation MPC
Secure multi-party computation allows multiple parties to jointly compute a function over their inputs while keeping those inputs private.
Initialize a new MPC session with specified participants and computation type.
Request
{
"participants": 3,
"threshold": 2, // t-of-n threshold
"computation": "sum" // sum | average | max | min | custom
}
Response
{
"session_id": "uuid...",
"participant_ids": ["p1", "p2", "p3"],
"public_params": "base64..."
}
Submit an encrypted share to the MPC session.
Request
{
"participant_id": "p1",
"encrypted_share": "base64..."
}
Trigger computation once threshold shares are collected. Returns result to all participants.
Response
{
"result": 42, // The computed result
"proof": "base64..." // Proof of correct computation
}