H33 White Paper — Post-Quantum Identity and Authentication Platform

Abstract

H33 is a fully post-quantum secure identity and authentication platform that executes a complete cryptographic pipeline — Fully Homomorphic Encryption (FHE) biometric matching, zero-knowledge proof verification, and ML-DSA (Dilithium) attestation — in a single API call averaging 50 microseconds per authentication. The platform achieves 1.2 million sustained authentications per second on AWS Graviton4 hardware while maintaining NIST Post-Quantum Cryptography (PQC) compliance at every layer.

H33 introduces a three-token economic model on Solana: Token B (economic utility and deflationary burns), Token C (soulbound identity with hybrid post-quantum binding), and Token D (document attestation and encrypted credential management). Together, these components form a vertically integrated identity stack where biometric data is never decrypted during verification, private keys are split across threshold authorities, and on-chain identity is quantum-resistant from issuance through recovery.

Section 01

Introduction

The emergence of cryptographically relevant quantum computers poses an existential threat to public-key infrastructure underpinning digital identity, authentication, and document security. RSA, ECDSA, and ECDH — the foundations of TLS, SSH, and blockchain signatures — are vulnerable to Shor's algorithm on a sufficiently large quantum computer. The National Institute of Standards and Technology (NIST) finalized its first post-quantum cryptographic standards in 2024: ML-KEM (Kyber) for key encapsulation and ML-DSA (Dilithium) for digital signatures.

H33 addresses this threat comprehensively. Rather than retrofitting post-quantum algorithms onto classical architectures, H33 was designed from the ground up with lattice-based security at every layer:

Biometric data is encrypted using BFV Fully Homomorphic Encryption and never leaves the encrypted domain during matching. The FHE scheme’s security derives from the hardness of the Ring Learning With Errors (RLWE) problem.
Key exchange uses ML-KEM (Kyber768) at NIST Security Level 3, encapsulated with AES-256-GCM for symmetric encryption of data in transit and at rest.
Digital signatures use ML-DSA-65 (Dilithium3) in a hybrid scheme with Ed25519, providing defense-in-depth: both algorithms must be broken to compromise authentication.
Zero-knowledge proofs use hash-based STARK lookups with SHA3-256 commitments, avoiding elliptic curve pairings entirely.
On-chain identity binds soulbound tokens to dual-key pairs (Ed25519 + Dilithium), ensuring blockchain identity survives the quantum transition.

Section 02

Threat Model and Design Principles

2.1 Adversary Capabilities

Capability	Assumption
Quantum computation	Access to a fault-tolerant quantum computer capable of running Shor’s algorithm against 256-bit elliptic curves
Network position	Full man-in-the-middle on all network links
Biometric acquisition	Ability to capture high-resolution facial images, fingerprints, and voice recordings of the target
Server compromise	Compromise of up to k−1 threshold authority nodes
Storage access	Read access to encrypted biometric templates stored at rest
Timing analysis	Ability to measure sub-microsecond timing differences in cryptographic operations

2.2 Design Principles

Core Invariants

Never decrypt biometrics for comparison. Matching occurs entirely in the encrypted domain via FHE. No server, authority node, or process ever holds a plaintext biometric template during verification.
No single point of trust. Secret keys are Shamir-split across authority nodes. Threshold decryption ensures that compromising fewer than k nodes reveals nothing.
Post-quantum at every layer. Every cryptographic operation uses algorithms whose security reduces to problems believed hard for quantum computers.
Constant-time execution. All comparison, verification, and secret-dependent operations use constant-time implementations to prevent timing side-channel attacks.
Defense-in-depth. Hybrid schemes ensure that compromise of either the classical or post-quantum component alone does not break security.
Auditable computation. Every authentication produces a SHA3-256 transcript hash binding the computation. Transcripts are verifiable without access to plaintext data.

Section 03

Cryptographic Pipeline

The H33 authentication pipeline executes three stages in a single API call:

FHE Biometric Match

~1,375 μs / 32 users

→

ZK Proof Verify

~0.067 μs

→

Dilithium Attest

~240 μs / 32 users

3.1 BFV Fully Homomorphic Encryption

H33 implements the Brakerski/Fan-Vercauteren (BFV) scheme for integer arithmetic on encrypted data. The production configuration uses parameters tuned for biometric inner-product computation:

Parameter	Value	Purpose
N (ring dimension)	`4096`	Polynomial degree; determines security and SIMD slot count
t (plaintext modulus)	`65537`	Enables SIMD batching via CRT (t = 2¹⁶ + 1)
Q (ciphertext modulus)	Single NTT-friendly prime	Minimizes computation for depth-1 circuits
σ (noise std dev)	`3.2`	Gaussian error bound per coefficient
Security level	≥ 128 bits	Well below HE Standard max Q for n=4096

Key Generation

The secret key is sampled as a ternary polynomial (coefficients in {-1, 0, 1}) and stored in NTT form for efficient multiplication during decryption. The public key is computed as pk0 = -(a · sk + e) and pk1 = a, where a is uniformly random and e is sampled from a Centered Binomial Distribution. Both components are pre-converted to NTT form at key generation time, eliminating a forward NTT per encryption.

Encryption

// BFV Encryption: (c0, c1) ← Encrypt(plaintext, pk)
u  ~ Ternary({-1, 0, 1})
e0, e1 ~ CBD(η)
δ = floor(Q / t)

c0 = pk0 · u + e0 + δ · m    (mod q)
c1 = pk1 · u + e1                (mod q)

All polynomial multiplications use NTT-domain pointwise multiplication with Montgomery reduction. Ciphertexts are stored in coefficient form after inverse NTT.

Homomorphic Operations

The biometric pipeline requires one subtraction and one multiplication (depth-1 circuit). Addition and subtraction are element-wise in coefficient form. Multiplication uses NTT-domain pointwise multiply followed by relinearization. The single-modulus configuration provides sufficient noise budget for the depth-1 computation with a comfortable safety margin verified through production noise profiling.

3.2 Number Theoretic Transform

The NTT is the computational bottleneck of BFV operations. H33 implements a radix-4 Cooley-Tukey NTT with Montgomery arithmetic, achieving 25% fewer operations than the standard radix-2 butterfly.

Key NTT Optimizations

Montgomery multiplication: All twiddle factors precomputed in Montgomery form. Eliminates all modular division from the hot path.
Harvey lazy reduction: Butterfly outputs maintained in [0, 2q) between stages, deferring conditional subtractions.
Fused inverse post-processing: Final N^-1 scaling and inverse twiddle multiplication combined into a single precomputed table.
Platform-specific paths: Montgomery radix-4 with NEON acceleration on ARM (Graviton4); Shoup's method with AVX-512 on x86_64.

3.3 SIMD Batching Architecture

BFV supports SIMD operations through the Chinese Remainder Theorem when the plaintext modulus satisfies t ≡ 1 (mod 2N). With t = 65537 and N = 4096, the ring decomposes into 4096 independent plaintext slots. H33 packs biometric feature vectors (128 dimensions each) into these slots:

32 Users Per Ciphertext

4096 slots ÷ 128 dimensions = 32 users per ciphertext. All homomorphic operations execute simultaneously across all 32 users with no additional cost. Per-user template storage is reduced from ~32 MB to ~256 KB — a 128× compression.

Batch verification is constant-time: approximately 1.04 ms for 1 to 32 users. Whether the batch contains 1 or 32 active users, the cryptographic cost is identical.

3.4 Threshold Decryption (k-of-n)

H33 splits the FHE secret key across multiple authority nodes using Shamir secret sharing over the polynomial ring. A configurable threshold of authorities must participate in decryption — fewer than the threshold learn nothing about the secret key or biometric data. This is the information-theoretic guarantee of Shamir’s scheme.

Each participating authority computes a partial decryption using its key share. The combiner collects partial decryptions and reconstructs the full decryption via Lagrange interpolation with constant-time modular arithmetic (Fermat's little theorem for modular inverse).

Every threshold decryption produces a SHA3-256 transcript binding all ciphertext hashes, partial decryption hashes, participating party indices, and the final similarity score. This transcript is verifiable by any auditor without access to plaintext biometric data.

3.5 Zero-Knowledge Lookup Proofs

H33 implements hash-based zero-knowledge proofs using SHA3-256 commitments. Unlike SNARK/STARK systems that rely on elliptic curve pairings, H33’s ZK lookups derive their security entirely from the collision resistance of SHA3-256 — a property believed to hold against quantum adversaries.

Proofs demonstrate that a biometric similarity score falls within a valid range and exceeds a verification threshold, without revealing the underlying biometric data. Verification requires three hash comparisons and completes in approximately 0.067 microseconds.

3.6 ML-DSA Batch Attestation

Every authentication produces a Dilithium signature attesting to the match result. H33 batches attestation: a single Dilithium sign-and-verify operation covers all users in a SIMD batch, reducing per-user attestation cost by up to 31× compared to individual signing.

Section 04

Post-Quantum Cryptographic Primitives

4.1 ML-KEM (Kyber) Key Encapsulation

All key exchange operations use Kyber768 (ML-KEM-768), providing NIST Security Level 3 (equivalent to AES-192). Kyber’s security is based on the Module Learning With Errors (MLWE) problem.

Parameter	Value
Security level	NIST Level 3
Public key	1,184 bytes
Secret key	2,400 bytes
Ciphertext	1,088 bytes
Shared secret	32 bytes (256-bit)

4.2 ML-DSA (Dilithium) Signatures

H33 uses Dilithium3 (ML-DSA-65) as the default signature scheme, with support for all three NIST levels:

Level	Variant	Security	Signature	Public Key
2	ML-DSA-44	NIST L2	2,420 bytes	1,312 bytes
3	ML-DSA-65	NIST L3	3,309 bytes	1,952 bytes
5	ML-DSA-87	NIST L5	4,627 bytes	2,592 bytes

4.3 Hybrid Encryption

All data encryption uses a hybrid scheme combining Kyber key encapsulation with AES-256-GCM symmetric encryption. The encapsulated shared secret is expanded via HKDF with SHA3-256 and domain-separated context tags to derive the AES key and nonce. Domain separation prevents cross-module replay attacks: biometric, messaging, and document encryption contexts produce distinct keys from the same shared secret.

4.4 Hybrid Signing

H33 implements a hybrid signature scheme combining ML-DSA-65 (post-quantum) with Ed25519 (classical). Both signatures must verify for acceptance, providing defense-in-depth. The production default uses nested signing: the Dilithium signature covers the Ed25519 signature, creating a cryptographic dependency where forging either component requires breaking both algorithms.

Section 05

Biometric Authentication System

5.1 Encrypted Biometric Matching

H33’s biometric pipeline computes cosine similarity between feature vectors entirely in the encrypted domain. At no point during verification does any party — including the server, the threshold authorities, or the client — hold a plaintext biometric template.

Enrollment

Extract feature vector from biometric capture
L2-normalize to unit sphere
Quantize to integers with safe scaling (prevents modular overflow during inner product)
Pack into SIMD slots (up to 32 users per ciphertext)
BFV encrypt with public key
Store encrypted template — plaintext is discarded and never persisted

Verification

Encrypt fresh probe using same procedure
Compute encrypted difference: ct_diff = ct_enrolled - ct_probe
Compute encrypted squared distance: ct_sq = ct_diff × ct_diff
Threshold decrypt via k-of-n collective authority
Decode similarity score from plaintext slots
Compare against threshold

5.2 Collective Authority Protocol

Each authority holds only its Shamir share of the secret key. The combiner performs Lagrange interpolation to reconstruct the decryption without ever reconstructing the secret key itself.

5.3 Anti-Spoofing and Liveness Detection

H33 implements multi-modal anti-spoofing with challenge-response protocols including facial landmark tracking, depth confidence scoring, temporal consistency analysis, and deepfake detection. Risk-adaptive session management adjusts challenge difficulty and timeout based on detected threat level. Liveness challenges include blink detection, head movement, expression recognition, and voice verification.

5.4 Dynamic Request Batching

H33 employs a dynamic batching system that accumulates authentication requests within a short time window and dispatches them as a single SIMD-packed FHE operation. This ensures individual requests complete with minimal latency while heavy load saturates all 32 SIMD slots for maximum throughput.

Section 06

Token B: Economic Layer

Token B is the economic backbone of the H33 ecosystem, implemented as a Solana Token 2022 program with a fixed maximum supply and built-in deflationary mechanics.

6.1 Supply and Distribution

Total supply: 21 billion tokens with 6 decimal places. All tokens are minted during two distribution phases, after which the mint authority is permanently and irrevocably revoked. No additional tokens can ever be created.

Allocation	Amount	Percentage	Custody
Revenue Burn Reserve	5.25B	25%	PDA vault
Customer Rewards	3.15B	15%	PDA vault
Company & Team	2.625B	12.5%	Squads multisig
Accreditation & Security	2.1B	10%	Squads multisig
Liquidity & Exchange	2.625B	12.5%	PDA vault
Strategic Development	2.1B	10%	Squads multisig
Community & Ecosystem	1.575B	7.5%	PDA vault
Token D Operations	1.05B	5%	PDA vault
Token C Operations	0.525B	2.5%	PDA vault

6.2 Deflationary Burn Mechanics

Token B implements a three-tiered burn system that permanently removes tokens from circulation:

Revenue Burns (Stage-Based): The Revenue Burn Reserve (5.25B tokens) is burned across 7 stages, each triggered by verified revenue milestones. Stages must complete sequentially. Stage 7 burns whatever remains in the vault, ensuring complete depletion.
Unclaimed Rewards Burns: When advancing to the next stage, all unclaimed customer rewards from the current stage are permanently burned, creating urgency for claims.
Transfer Fee Burns: 70% of all collected transfer fees are permanently burned.

6.3 Transfer Fee Architecture

Every Token B transfer incurs a 1% fee, enforced at the protocol level via the Token 2022 TransferFeeConfig extension. Fees are withheld automatically at transfer time:

Recipient	Percentage	Purpose
Permanent Burn	70%	Deflationary pressure
Dev & Certifications	15%	Security audits, compliance
Treasury	12.5%	Operational reserves
Staker Rewards	2.5%	Distributed to stakers

6.4 Customer Rewards and Merkle Claims

Customer rewards (3.15B tokens) are distributed via Merkle tree proofs with Token C identity verification. Rewards are released in stages, with 50% available in Stage 1 and progressively smaller allocations in subsequent stages. Claims require:

A valid Merkle proof against the published root (double-hashed to prevent second-preimage attacks)
An active, unlocked Token C soulbound identity (cross-program verification)
A matching source vault for the reward round

Each claimant can claim once per round, enforced by on-chain PDA derivation.

6.5 Quarterly Enforcement

Token B enforces a 90-day cadence for customer reward distribution. The fee processing instruction rejects execution if more than 90 days have elapsed since the last reward round creation. This on-chain constraint ensures that fee revenue cannot accumulate indefinitely without corresponding customer rewards.

Section 07

Token C: Soulbound Identity

Token C implements non-transferable Soulbound Tokens (SBTs) that anchor on-chain identity to post-quantum cryptographic keys, biometric hashes, and verifiable credentials.

7.1 Non-Transferable SBT Mechanics

Token C’s non-transferability is enforced at the Solana token program level:

At identity initialization, a PDA-controlled mint creates exactly 1 NFT (0 decimals)
The NFT is minted to the owner’s associated token account
The token account is immediately frozen via the Solana token program
The freeze authority is held by the mint PDA, controlled exclusively by the Token C program
Frozen accounts cannot be transferred, even by the owner

Why This Is Soulbound

The only path to transfer a soulbound token is through the structured guardian recovery protocol, which requires multi-guardian consensus with cryptographic proof. Normal market transfers are impossible at the Solana protocol level.

7.2 Hybrid Post-Quantum Binding

Each identity is cryptographically bound to a dual-key pair at mint time:

Component	Algorithm	Purpose
Classical master key	Ed25519	Current-generation blockchain compatibility
Quantum master key	Dilithium (ML-DSA)	Post-quantum resilience
Mint signature (inner)	Ed25519	Classical binding proof
Mint signature (outer)	Dilithium over Ed25519 sig	Nested quantum binding

The nested signature creates a cryptographic dependency: Dilithium signs the Ed25519 signature, ensuring that forging the identity binding requires breaking both algorithms. An optional triple-signed mode adds a FALCON-512 hash for additional future-proofing.

7.3 Multi-Factor Authentication

Token C supports five MFA factor types, including post-quantum options:

Factor	Algorithm	Post-Quantum
Ed25519	Classical signature	No
Dilithium	ML-DSA signature	Yes
ZK Proof	SPARK Lookup (SHA3-256)	Yes
Biometric	Template hash comparison	Yes (hash-based)
TOTP	HMAC-SHA256 time-based OTP	Yes (symmetric)

The identity owner configures a threshold, and authentication requires that many distinct factor types to verify. This enables configurations like “require any 3 of: Ed25519 + Dilithium + biometric + TOTP” for high-security accounts.

7.4 Guardian Recovery Protocol

Identity recovery uses a multi-signature guardian system with dual-key commitments. Each guardian’s classical and quantum keys are bound at registration time via a hash commitment. Recovery requires threshold guardian approval, with each approval verified against the stored dual-key commitment. This prevents guardian substitution attacks where an adversary replaces a guardian’s quantum key.

The recovery flow thaws the old token account, transfers the NFT to the new owner, and refreezes at the new account — maintaining soulbound properties throughout.

7.5 Zero-Knowledge Identity Proofs

Age Verification: Proves the holder is above a minimum age without revealing date of birth
Data Access Authorization: ZK proofs for compliance-gated access with expiration and purpose fields
Travel/Event Access: Time-limited access proofs for identity verification at points of entry

All proofs use SHA3-256 SPARK Lookups — no elliptic curves, no pairings, fully post-quantum.

Section 08

Token D: Document Attestation

8.1 Content Attestation and Versioning

Documents are stored off-chain. On-chain, Token D stores a Keccak-256 content hash that cryptographically binds the off-chain content to an immutable audit trail. Every update creates an append-only version entry recording the content hash, timestamp, editor identity, and change description. Version history cannot be deleted, providing a complete forensic audit trail.

8.2 Role-Based Access Control

Role	Permissions
Owner	Full control: transfer, deactivate, role management
Admin	Grant/revoke roles, set payment tiers
Editor	Update content, modify metadata
Viewer	Read-only access
Auditor	Compliance review access

Access can be granted with time-based expiration, share links with revocation, and collection-based grouping.

8.3 Private NFTs with ZK Proofs

Token D supports private NFTs that prove document properties without revealing content. Private NFT operations (create, transfer, spend) require valid SPARK Lookup proofs, enabling privacy-preserving document transfers where the content remains confidential and the proof demonstrates ownership and validity. Spent NFTs are marked with a nullifier to prevent double-spending.

8.4 Staking and Mining Rewards

Document holders can stake documents to earn Token B rewards. A minimum staking period applies, with early withdrawal forfeiting pending rewards. A referral system provides bonus rewards for introducing new users to the ecosystem. Milestone rewards (in Token D) incentivize first-time staking and community fraud detection.

Section 09

Three-Token Ecosystem Integration

Token C (Identity / SBT) / \ Stakes / \ Grants access / \ Token B Token D (Economy / Burns) (Documents / NFTs) | | +—— Transfer fees (1%) —————————>+ +—— Mining rewards <———————————+ +—— Reward claims require Token C —>+

Token B → Token C: Token B can be staked into a Token C identity, increasing trust score and access level. Staked Token B acts as reputation collateral.
Token C → Token B: Token B reward claims require a valid, active Token C soulbound identity (cross-program verification).
Token C → Token D: Token C identities can be granted time-limited access to Token D documents with configurable access levels and expiration.
Token D → Token B: Document staking earns Token B mining rewards. The referral system creates viral growth incentives.
Token B → Token D: Token B serves as the payment currency for Token D premium services.

Section 10

Security Analysis

10.1 Post-Quantum Security Summary

Primitive	Standard	Hard Problem	NIST Level
BFV FHE	—	Ring-LWE	≥ 128-bit
Kyber768	ML-KEM	Module-LWE	Level 3
Dilithium3	ML-DSA-65	Module-LWE/SIS	Level 3
ZK Lookups	—	SHA3-256 collision	Level 1+
Hybrid Encryption	—	MLWE + AES-256	Level 3 + AES-256

10.2 FHE Security Margin

The BFV ciphertext modulus is substantially below the Homomorphic Encryption Standard’s maximum for the chosen ring dimension, providing over 50 bits of security margin above the 128-bit target. All parameters have been validated against the HE Standard and lattice estimator tools.

10.3 Side-Channel Resistance

All secret-dependent comparisons use constant-time implementations via the subtle crate. This includes share verification, field arithmetic, proof verification, modular inverse computation, and challenge-response validation. No branching on secret-dependent values occurs in any cryptographic code path.

10.4 Soulbound Token Security

Token C’s SBT security relies on three independent mechanisms:

Solana token-level freeze: Protocol-enforced; no application logic can bypass
Dual-key binding: Identity bound to both Ed25519 and Dilithium at mint
Guardian threshold: Recovery requires multi-guardian consensus with dual-key verification

Section 11

Performance

11.1 Single API Call Latency

~1,375 μs

FHE Batch (32 users)

~0.067 μs

ZK Proof Verify

~240 μs

Dilithium Attest

~50 μs

Per Authentication

11.2 Sustained Throughput

Metric	Value
Sustained throughput	1,291,207 auth/sec (measured Feb 2026)
Batch size	32 users/ciphertext (SIMD packing)
Workers	96 parallel workers
Efficiency	99.9% of theoretical maximum

11.3 Production Hardware

Specification	Value
Instance	AWS c8g.metal-48xl
Processor	Graviton4 (ARM Neoverse V2)
vCPUs	192
Memory	377 GiB

11.4 Native AI Security Agents

H33 includes three Rust-native AI agents executing in-line with authentication requests:

Agent	Purpose	Latency
Harvest Detection	Detect credential harvesting patterns	0.69 μs
Side-Channel Analysis	Monitor for timing/power analysis attacks	1.14 μs
Crypto Health	Assess cryptographic parameter health	0.52 μs

Section 12

KYC and Compliance

Tier	Price	Includes
Basic KYC	$49	Document verification, selfie match, OFAC screening
Enhanced KYC	$79	Basic + address verification, PEP/sanctions screening, Soulbound NFT
Full KYC/AML	$99	Enhanced + transaction screening, ongoing monitoring

KYC data is stored off-chain with on-chain hash commitments in the Token C identity account. The biometric template hash enables re-verification without storing plaintext biometric data. The FHE architecture is particularly well-suited for HIPAA compliance, as Protected Health Information in biometric templates is never decrypted during processing.

Compliance readiness: SOC 2, HIPAA, PCI DSS.

Section 13

Infrastructure and Deployment

13.1 AWS Architecture

Compute: ECS on Graviton4 (c8g.metal-48xl for crypto, standard for API)
Database: RDS PostgreSQL for user management and session state
Cache: ElastiCache Redis for session tokens and rate limiting
Load Balancing: Application Load Balancer with TLS 1.3
Storage: S3 with server-side encryption for documents
Secrets: AWS Secrets Manager for key material
Monitoring: CloudWatch metrics and logging

13.2 AWS Marketplace

H33 is available on AWS Marketplace as a SaaS product with usage-based metering across 7 dimensions: 4 authentication levels (base, H33-128, H-256, cached) and 3 KYC tiers (basic, enhanced, full AML).

13.3 Blockchain

Token programs deploy on Solana mainnet using the Anchor framework for safe account deserialization and constraint validation. All three programs are independently audited.

13.4 Test Coverage

1,628 tests passing across the full stack, covering FHE roundtrips, threshold decryption, biometric matching accuracy, all token program instructions, anti-spoofing protocols, ZK proof verification, hybrid encryption/signing, and constant-time property verification.

Section 14

Conclusion

H33 represents a comprehensive approach to post-quantum identity and authentication. By building on lattice-based cryptography at every layer — from FHE biometric matching to Kyber key exchange to Dilithium signatures — the platform provides security guarantees that hold against both classical and quantum adversaries.

The three-token ecosystem on Solana creates an economically sustainable model: Token B provides deflationary utility with built-in burn mechanics and transfer fees; Token C anchors identity to post-quantum soulbound tokens with multi-factor authentication and guardian recovery; Token D enables document attestation with privacy-preserving proofs and community-incentivized fraud detection.

The production system achieves 1.2 million authentications per second on standard cloud hardware, with each authentication executing a complete cryptographic pipeline in approximately 50 microseconds.

Available Today

H33 is not a theoretical proposal. Every component described in this paper is implemented, tested (1,628 tests), benchmarked on production hardware, and available on AWS Marketplace. The transition to post-quantum security need not wait for quantum computers to arrive.

References

NIST. Post-Quantum Cryptography Standardization. FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), 2024.
Brakerski, Z. Fully Homomorphic Encryption without Modulus Switching from Classical GapSVP. CRYPTO 2012.
Fan, J. and Vercauteren, F. Somewhat Practical Fully Homomorphic Encryption. IACR ePrint 2012/144.
Albrecht, M., et al. Homomorphic Encryption Standard. HomomorphicEncryption.org, 2018.
Shamir, A. How to Share a Secret. Communications of the ACM, 1979.
Montgomery, P. Modular Multiplication Without Trial Division. Mathematics of Computation, 1985.
Harvey, D. Faster Arithmetic for Number-Theoretic Transforms. Journal of Symbolic Computation, 2014.
Lyubashevsky, V., et al. CRYSTALS-Dilithium: A Lattice-Based Digital Signature Scheme. TCHES 2018.
Bos, J., et al. CRYSTALS-Kyber: A CCA-Secure Module-Lattice-Based KEM. Euro S&P 2018.