Distributed trust. Post-quantum security. Million-scale throughput.📐📐 Full benchmark suite →
No single server ever sees your data. 1,148,018 auth/sec📐📐 See how we measured this → · 3-of-5 threshold decryption📐🔑 Interactive Shamir demo → · 1.28ms full auth · NIST L1 through L5 · Five proprietary crypto engines · Zero external FHE/ZK dependencies
1.28ms single authentication · 0.9µs amortized at scale · P99 under 5ms at 50,000 req/sec Gets faster under load — not slower.📐📊 Interactive load test →
📐See green numbers and copper terms? Click any of them to see the interactive proof behind the claim. Every number on this page is measured, not projected.
Blink Test:📐⚡ The blink test →300ms blink ÷ 1.28ms = ~234 full crypto auths per blink📐⚡ The blink test →. The only auth where your biometric is NEVER decrypted.
Performance Modes v7.0
Mode
Latency
Security
NIST Level
H0
356µs
~57-bit
Dev Only
H33-128 ⭐
1.28ms
128-bit NIST L1📐🔒 NIST security levels →
Zero Exposure
H-256 ✓
5.98ms
256-bit (NIST L5)📐🔒 NIST security levels →
Zero Exposure
H0 (N=1024) dev only (~57-bit). H33-128 and H-256 are NIST-compliant:📐🔒 NIST security levels → H33-128 (N=4096) NIST L1 128-bit; H-256 (N=16,384) NIST L5 256-bit.
128-bit post-quantum. No trusted setup. 497M ops/sec cached throughput.
Blink = 300,000µs📐⚡ The blink test →
H33-128: 300,000 ÷ 1,280 = ~234 full crypto auths per blink📐⚡ The blink test →
H-256: 300,000 ÷ 5,980 = ~50 auths per blink📐⚡ The blink test →
vs SEAL (N=4096): H33 1.28ms vs SEAL 2.85ms = 2.2× faster pipeline + zero exposure
Measured on c8g.metal-48xl (96 cores, AWS Graviton4, Neoverse V2). Criterion.rs v0.5, 100+ samples. February 14, 2026. Note: H33/H2 upgraded to N=4096 for NIST L1 compliance. Latencies being re-benchmarked.
full-stack-auth.js
// Ship quantum-resistant auth this afternoonconst result = await h33.auth.verify({
userId: 'user_123',
biometric: faceData
// H33-128 default: 1.28ms, 128-bit NIST L1 FHE, zero exposure
});
// Maximum security? One parameter.const secure = await h33.auth.verify({
userId: 'user_123',
biometric: faceData,
mode: 'h-256'// n=16,384, Q=216 → TRUE 256-bit NIST L5 ✓
});
Architecture
The Stack Is Ours.
Five proprietary cryptographic engines. Three FHE libraries. All H33. Zero external dependencies.
Every engine built from scratch — not forked, not wrapped, not dependent on Microsoft SEAL, OpenFHE, TFHE-rs, Concrete, arkworks, or any other library.
*Only external crypto dependency: Dilithium3 (pqcrypto-mldsa) — NIST FIPS 204 reference implementation. Using the standard is the right call for a signature algorithm.
Performance
1.28ms Full Auth. Zero Data Exposure. k-of-n Threshold.
Measured on c8g.metal-48xl (96 cores, AWS Graviton4, Neoverse V2). Criterion.rs, 100+ samples. February 14, 2026 | v7.0
prove 2.0µs / verify 0.2µs📐🛡️ STARK lookup breakdown →
🚀
vs SEAL (single-thread)
2.2×
pipeline with full zero-exposure stack
🚀
At Scale (Graviton4)
1,148,018📐📐 See how we measured this →
auth/sec sustained (12.5× SEAL)📐📐 See how we measured this →
1.28ms full post-quantum authentication with zero data exposure
H33-128 CollectiveAuthority: FHE matching in encrypted space + k-of-n threshold decrypt + H33 ZKP Stark Lookup (2.0µs prove, 0.2µs verify) + Dilithium sign+verify. Your biometric is NEVER decrypted on any single server.
2.2× / 12.5×
faster than SEAL (single / at scale)
A human blink takes 300,000 microseconds.📐⚡ The blink test →
In that time, H33 can complete ~234 full crypto auths📐⚡ The blink test → (1.28ms each), or ~143 million proof lookups (2.09ns Cachee L1 hit).
234
crypto auths per blink
📐⚡ The blink test →
Speed Comparison
H33 vs Microsoft SEAL 4.1.2 — Fair Head-to-Head
Same security level. Same BFV scheme. Same biometric operation. SEAL gets pre-generated Galois keys and single-key decrypt. H33 includes 3-of-5 threshold decrypt📐🔑 Interactive Shamir demo → + ZK proof + Dilithium signature. H33 does more. H33 is still faster.
N=4096, 128-bit Security (NIST L1)
Operation
SEAL 4.1.2
H33 BFV
Speedup
Encode
0.04ms
<0.01ms
—
Encrypt
0.53ms
0.42ms
1.3×
Compute (inner product)
2.13ms
0.26ms
8.2×
Decrypt
0.15ms
0.33ms
0.5×*
Pipeline total
2.85ms
1.28ms
2.2×
Auth/sec (single thread)
350
781
2.2×
Auth/sec (96-core Graviton4)
—
1,148,018📐📐 See how we measured this →
12.5×
N=16384, 256-bit Security (NIST L5)
Operation
SEAL 4.1.2
H33 BFV
Speedup
Encode
0.18ms
<0.01ms
—
Encrypt
2.58ms
~1.5ms
1.7×
Compute (inner product)
15.49ms
~3.2ms
4.8×
Decrypt
0.84ms
~1.4ms
0.6×*
Pipeline total
19.08ms
5.98ms
3.2×
Auth/sec (single thread)
52
167
3.2×
*H33 decrypt is intentionally slower: 3-of-5 threshold decryption📐🔑 Interactive Shamir demo → means no single server ever sees plaintext. SEAL uses single-key decrypt where one server holds the full secret key.
At production scale on Graviton4 (96 cores, 32-user SIMD batching📐📊 SIMD batch amortization →), H33-128 sustains 1,148,018 auth/sec — 12.5× SEAL's single-thread pipeline rate. SEAL has no equivalent multi-core benchmark because it was not designed for this workload.
3.2× faster + zero exposure
Why the difference? SEAL is a general-purpose FHE library. H33 is purpose-built for authentication: shallow circuits, aggressive batching, no relinearization needed. Same BFV scheme, same security — just optimized for one use case.
H-256 Full Auth (NIST L5)📐🔒 NIST security levels →
5.98ms
SEAL: 19.08ms
3.2× faster + zero data exposure.
H33 ZKP Stark Lookup
2.0µs prove + 0.2µs verify
2.09ns cached (Cachee L1)
PQ-safe. No trusted setup. 497M ops/sec cached.
Measured on c8g.metal-48xl (96 cores, AWS Graviton4, Neoverse V2). Criterion.rs v0.5, 100+ samples. February 14, 2026. 96-core single-socket, NUMA-pinned for throughput numbers.
Why H33
1.28ms. Zero Data Exposure. Post-Quantum.
The only biometric auth where your template is NEVER decrypted. H33-128 CollectiveAuthority uses k-of-n threshold decrypt📐🔑 Interactive Shamir demo → so no single server ever sees plaintext. H33 ZKP Stark Lookup: 2.0µs prove + 0.2µs verify. 2.2× faster than Microsoft SEAL (single-thread).
1.28ms
H33-128 Full Auth
0.42ms
BFV Encrypt (N=4096)
2.0µs📐🛡️ STARK lookup breakdown →
H33 ZKP Stark Lookup Prove📐🛡️ STARK lookup breakdown →
Five proprietary crypto engines. One API.📐⚙️ Proprietary engine deep-dive →
H33 BFV, H33 BFV-256, H33 CKKS, H33 ZKP Stark Lookup, H33 Biometrics — every engine built from scratch in Rust📐⚙️ Proprietary engine deep-dive →. One API call for the entire post-quantum stack.
PATENT
🎯
Full Stack Auth
One API call: biometric + FHE + H33 ZKP Stark Lookup + quantum signature. 1.28ms at L1 (128-bit) or 5.98ms at L5 (256-bit). ZKP Stark Lookup: 2.0µs prove + 0.2µs verify. 2.2–3.2× faster than SEAL + k-of-n threshold.
POST /auth/full-stackPOST /session/resume
🧬
FHE Biometrics
Face, voice, fingerprint matching on encrypted data. k-of-n threshold decrypt📐🔑 Interactive Shamir demo →. 0.42ms BFV encrypt + 0.26ms FHE inner product. 2.2× faster than SEAL (single-thread) + zero exposure.
POST /biometric/enrollPOST /biometric/verifyPOST /auth/incremental
NEW
🔢
CKKS FHE
Floating-point homomorphic encryption. Compute on encrypted real numbers. 128/192/256-bit security levels.
POST /fhe/ckks/keygenPOST /fhe/ckks/encryptPOST /fhe/ckks/decryptPOST /fhe/ckks/addPOST /fhe/ckks/multiplyPOST /fhe/ckks/rescalePOST /fhe/ckks/similarity
POST /crypto/dilithium/keygenPOST /crypto/dilithium/signPOST /crypto/dilithium/verify
PATENT
🔐
Nested Hybrid Signatures
Every authentication is dual-signed: Ed25519 (classical) nested inside Dilithium (post-quantum). Two independent algorithms, two mathematical families. An attacker must break both. If NIST's lattice-based standard has a backdoor, your auth still holds.
POST /hybrid/signPOST /hybrid/verifyGET /hybrid/algorithms
Two complete FHE implementations built from scratch. BFV for authentication (2.2× SEAL single-thread), CKKS for encrypted computation. Scheme switching, fused ops, SIMD batching.
2
H33 ZKP Stark Lookup — Proprietary Zero-Knowledge
H33 ZKP Stark Lookup: 2.0µs prove + 0.2µs verify. 128-bit post-quantum, no trusted setup. 2.09ns cached verify (Cachee L1).
Layer 1: InfrastructureAWS • VPC • IAM • CloudTrail
Compliance Ready
🏥
HIPAA
🇪🇺
GDPR
📊
SOC 2
💳
PCI DSS
🔒
ISO 27001
🏛️
FedRAMP
Post-Quantum Compliance — Already Shipping
Not on our roadmap. In your auth pipeline today.
NIST FIPS 204 — ML-DSA (Dilithium)
Every H33 authentication is signed with CRYSTALS-Dilithium at ML-DSA-65 (NIST Level 3). This is the finalized NIST standard, not a draft or candidate. Hybrid tiers add Ed25519 as an independent classical layer.
Shipping since Q1 2026
Nested Hybrid Signatures — Algorithmic Diversity
Our H33 and H-256 tiers wrap every signature in two or three independent cryptographic algorithms from different mathematical families. If a backdoor is discovered in any single algorithm — lattice-based, elliptic curve, or hash-based — the remaining layers maintain security. No re-enrollment required.
Shipping since Q1 2026
Side-Channel Resistant — Constant-Time at Every Layer
Biometric matching runs inside FHE — plaintext never touches the cache. Ed25519 uses constant-time scalar multiplication with conditional-move table lookups. Dilithium NTT uses branchless Barrett reduction. FALCON signing is isolated to a dedicated physical core. SPHINCS+ is hash-based and inherently constant-time. No secret-dependent memory access anywhere in the auth pipeline.
Shipping since Q1 2026
Soulbound Identity Tokens — Patent-Protected
KYC/AML identity tokens are minted as non-transferable blockchain tokens with nested hybrid signatures. Identity cannot be sold, transferred, or stolen. 33 patent claims cover the complete architecture including nested signature composition, graceful cryptographic degradation, dual-committed guardian recovery, and lattice-redundant triple signing.
33 Claims Filed
Benchmarks
Real-world performance. Independently verifiable.
All benchmarks on c8g.metal-48xl (96 cores, AWS Graviton4, Neoverse V2, ARM NEON, bare metal). Criterion.rs v0.5, 100+ samples. February 14, 2026.
Instance
c8g.metal-48xl (Graviton4)
96 cores • Neoverse V2 • ARM NEON
Full Crypto Auth
1,148,018/sec📐📐 See how we measured this →
FHE + ZKP Stark Lookup + Dilithium📐📐 See how we measured this →
h33_live_* - Production keys, full access h33_test_* - Test keys, sandbox environment (no auths consumed)
Full Stack Auth PATENT PENDING
One API call: biometric + FHE + ZK proof + quantum signature + blockchain attestation.
POST/auth/full-stackFLAGSHIP
Complete 128-bit NIST L1 FHE biometric authentication in 1.28ms (H33-128 CollectiveAuthority). Zero data exposure: your biometric is NEVER decrypted on any single server. k-of-n threshold decrypt. H33 ZKP Stark Lookup: 2.0µs prove + 0.2µs verify.
1.28ms
H33-128 (Zero Exposure)
1 auth
H33 Cost
99.7%
Accuracy
7 layers
Security
Request Body
Parameter
Type
Required
Description
userId
string
Required
Unique identifier for the user
biometric
object
Required
Biometric data (face, voice, or fingerprint)
biometric.type
string
Required
"face" |"voice" |"fingerprint"
biometric.data
string
Required
Base64-encoded biometric data
product
string
Optional
"h0" (356µs ⚠️dev) |"h33" (1.28ms, default) |"h-256" (5.98ms, max mode)
We use cookies to enhance your browsing experience, analyze site traffic, and personalize content. By clicking"Accept All", you consent to our use of cookies. You can manage your preferences or learn more in our Cookie Policy.
Cookie Preferences
Required for the website to function. Cannot be disabled.
Help us understand how visitors use our website.
Used to deliver relevant advertisements.
Remember your settings and preferences.
Why Quantum Computing Changes Everything
Your current encryption (RSA-2048, ECDSA):
Classical Computer
300 trillion years to break
Quantum (4,000 qubits)
~10 seconds
Shor's algorithm breaks every RSA key, every ECDSA signature, every TLS handshake.
"Harvest Now, Decrypt Later"
Nation-states are recording encrypted traffic TODAY. When quantum arrives, they decrypt everything retroactively.
2030+: Everything encrypted before transition = compromised
NIST Post-Quantum Cryptography Standards
NIST (National Institute of Standards and Technology) sets cryptographic standards for U.S. government and enterprise.
August 2024 Standards:
FIPS 203
ML-KEM (Kyber)
Key Exchange
FIPS 204
ML-DSA (Dilithium)
Signatures
FIPS 202
SHA-3
Hash Functions
Three NIST-Compliant Tiers ✓
H2 & H33 (N=4096) → 128-bit NIST L1. bfv_params_override ensures Q ≤ HE Standard max. H-256 (N=16,384) → 256-bit NIST L5. Q=216 bits within HE Standard max of 237 bits.
H0: Non-NIST Dev Tier
H0 (N=1024) dev only (~57-bit). Turbo Full Match: 356µs. Includes H33 ZKP Stark Lookup + Dilithium.
H33/H-256 Zero Exposure:
Biometric NEVER decrypted on any single server. k-of-n threshold decrypt. Dilithium3/Kyber768 = NIST Level 3.
H33 ZKP Stark Lookup (prove + verify)📐🛡️ STARK lookup breakdown →
~2.2µs
<1%
Dilithium Sign + Verify
~0.11ms
8%
TOTAL PIPELINE
1,280µs (1.28ms)
100%
Single-thread benchmark. Criterion.rs v0.5, 100+ samples. February 2026. H33 ZKP Stark Lookup: 2.0µs prove + 0.2µs verify. Cached verify: 2.09ns (Cachee L1). Zero data exposure: template NEVER decrypted on any single server.
⚡ vs SEAL — N=4096, Single-Thread
Operation
H33
SEAL
Advantage
Encrypt
0.42ms
0.55ms
1.3× faster
FHE Inner Product
0.26ms
0.83ms
3.2× faster
Threshold Decrypt
0.33ms
0.21ms (single-party)
H33 adds threshold
Full Auth Pipeline
1.28ms
2.85ms
2.2× faster
Zero Data Exposure
✓ k-of-n
✗
∞
🔧 vs DIY Cobbled Stack
H33
DIY
Advantage
Full Auth
1.28ms
200-900ms
156-703×
First Auth
5.98ms
1.4-4.2s
234-702×
Vendors
1
4-6
—
Integration
1 afternoon
6-12 months
—
Zero Exposure
✓
✗
∞
📈 Blink Test📐⚡ The blink test →
300ms blink ÷ 1.28ms = ~234 full crypto auths per blink (H33-128)📐⚡ The blink test →
Source: Criterion.rs v0.5, c8g.metal-48xl (96 cores, AWS Graviton4, Neoverse V2). February 14, 2026 | v7.0 Full Benchmark Report →
Performance Benchmarks
Production ARM Hardware · February 2026
0auth/sec sustained
60-second sustained test. Zero degradation over test duration.
Optimization Journey
SIMD Multiplier
35.9×
32 users per FHE operation
Total Improvement
79.7×
from initial baseline
Total (60s test)
68.9M
authentications
Latency decreases as load increases— SIMD batches fill faster under pressure
Rate
P50 Latency
P50
P95
P99
Single Auth (Unbatched)
1.28ms
Amortized at Scale
0.9µs
Auth/sec
1,148,018📐📐 See how we measured this →
sustained, 60s test📐📐 See how we measured this →
Daily Capacity
99.2B
per cluster
Yearly Volume
36.2T
authentications
What 1,148,018/sec means for your organization
Regional bank500K customers
All daily logins in 0.4 seconds
500K
National health system50M patients
Every daily authentication in 44 seconds
50M
Global payments network4B cardholders
Every transaction in under 58 minutes
4B
US financial systemEvery bank, every credit union
~1B daily auths → 25 minutes
1B
Every number on this page is a measured result from production hardware, not a projection or theoretical estimate.
› 60-second sustained throughput (no warmup cherry-picking)
› Multi-worker, production configuration
› 1,366,510 total requests for latency distribution
› Zero fallbacks — 100% batch path utilization
Verification
› 1,628 unit tests passing
› 300,000 randomized property tests (proptest)
› Noise budget validated across full embedding distribution
› Criterion.rs statistical benchmarks with 95% confidence intervals
Live simulation — drag the slider
Gets faster under load — not slower.
Most systems degrade as traffic increases. H33 uses 32-slot SIMD batching — more users means fuller batches, which means less wasted compute per authentication.
Incoming auth requests5,000 req/sec
10010K50K100K500K1.15M
Per-Auth Latency
12.4
µs / auth
—
Batch Fill Rate
15%
of 32 slots
—
Throughput
5,000
auth / sec
—
Wasted Compute
85%
empty slots
—
Typical batch at current load5 of 32 filled
Active auth
Empty slot
Wasted compute
Per-auth latency vs. loadTraditional ↗ · H33 ↘
⬆
Traditional: degrades under load
Each request gets its own thread, its own encryption, its own key operations. More users = more contention = higher latency. Queues build. Timeouts start. P99 explodes.
⬇
H33: improves under load
32 users share one SIMD batch — one encrypt, one FHE inner product, one threshold decrypt. More users = fuller batches = less wasted compute per auth. Latency drops from ~44µs at idle to 0.9µs at capacity.
Measured on Graviton4 c8g.metal-48xl · 96 workers · 60s sustained
Batch cost is fixed at ~1,375µs regardless of fill level.
At 1 user/batch: 1,375µs per auth. At 32 users/batch: 43µs per auth. At 96 workers × 32 users: 0.9µs amortized.
The FHE operation costs the same whether the batch has 1 user or 32. Fill the batch, divide the cost.
Measured · 60 seconds sustained · Graviton4
1,148,018 authentications per second.
Full post-quantum pipeline on every single auth. FHE encrypt, biometric match, 3-of-5 threshold decrypt, ZK proof, Dilithium signature. Not a synthetic benchmark — sustained production throughput.
0
authentications / second
Drag the slider below to see how throughput scales with workers
Worker allocation (96 available)96 active
Workers:96
Throughput
1.15M
auth/sec
Per-Auth
0.9µs
amortized
Batch Size
32
users/batch
Daily Capacity
99.2B
auths/day
Efficiency
100%
vs linear
Throughput scaling curve — workers vs auth/secNear-linear to 96 cores
Full authentication pipeline — 1.28ms single-thread
BFV Encrypt
0.42ms
33%
→
FHE Compute
0.26ms
20%
→
Threshold Decrypt
0.33ms
26%
→
ZK Proof
2.2µs
<1%
→
Dilithium
106µs
8%
→
✓ Auth
1.28ms
total
⚡
32-User SIMD Batching
Each worker packs 32 biometric templates into one SIMD vector. One FHE operation processes all 32 simultaneously. The batch costs 1,375µs regardless of fill level.
1,375µs ÷ 32 = 43µs per user per worker
🔩
96 NUMA-Pinned Workers
Graviton4 c8g.metal-48xl: 192 vCPUs, 96 physical cores. Each worker pinned to its own core with dedicated L1/L2 cache. Zero cross-NUMA traffic.
96 workers × ~11,958 auth/sec each
📋
Batch Attestation
Instead of signing each auth individually (164µs × 32 = 5,248µs), one Dilithium signature covers the entire batch. Amortized to 7.4µs per auth.
32× Dilithium reduction → 7.4µs/auth
🗃
Single-Modulus Q=56📐🔧 Single-modulus explainer →
H33-128 uses a single 56-bit coefficient modulus — the minimum needed for one multiply-plain-accumulate. No relinearization. No modulus switching.
Q=56 bits vs SEAL's 109+ bits📐🔧 Single-modulus explainer →
SEAL uses a 109-bit modulus chain with 4 primes — designed for deep circuits with many multiplications. H33 uses a single 56-bit prime — the minimum needed for one biometric match. Everything SEAL carries for circuit depth it never uses here is pure overhead.
Coefficient modulus Q — the biggest performance lever in FHE
Microsoft SEALN=4096 Default
60q₀
×
40q₁
×
40q₂
×
60special
Q ≈ 109 bits
4 NTT-friendly primes · HE Standard max for N=4096
⚙️4 separate NTT transforms per polynomial operation
🔁Relinearization required after each ciphertext multiply
📉Modulus switching to manage noise after operations
🗄️Relinearization keys: ~4× ciphertext size in memory
H33 BFV EngineN=4096 Auth
56q₀ (only)
Q = 56 bits
1 NTT-friendly prime · Minimum for auth circuit
⚡1 NTT transform — 4× fewer butterfly operations
🚫No relinearization — circuit too shallow to need it
🚫No modulus switching — single prime, nothing to switch
💾No relin keys in memory — smaller working set, better cache
Why one prime is enough — the auth circuit is shallowDepth = 1
E(template) encrypted
→
multiply plain
→
accumulate (add)
→
E(distance²) still encrypted
│
relin
✗ never reached
mod switch
Biometric authentication computes Euclidean distance: D² = Σ(aᵢ − bᵢ)². This requires one multiply-plain and one accumulate — a circuit of multiplicative depth 1. SEAL's 4-prime modulus chain supports depth 3+. The extra 2+ levels of depth capacity are carried as overhead in every single NTT, every key generation, every encrypt — but never used.
NTT cost — the heart of every FHE operation4× fewer butterflies
SEAL: 4-Prime RNS
Each polynomial op runs 4 independent NTTs
4
NTTs/op
49,152
Butterflies
109
Q bits
H33: Single-Prime
One NTT transform per polynomial operation
1
NTT/op
12,288
Butterflies
56
Q bits
Where the time goes — operation-by-operationN = 4,096
Operation
SEAL (Q=109)
H33 (Q=56)
Savings
Why
Key Generation Create public/secret/relin keys
~2.1ms
~0.4ms
5.3×
No relin keys needed. 1 NTT vs 4.
Encrypt Plaintext → ciphertext
0.68ms
0.42ms
1.6×
Smaller Q → smaller polynomials → faster NTT
Multiply (ct × pt) Core distance computation
1.53ms
0.26ms
5.9×
1 NTT vs 4 RNS channels. No noise management.
Relinearize Key-switch after multiply
0.49ms
ELIMINATED
∞
Depth-1 circuit → no relin needed
Modulus Switch Drop prime to manage noise
~0.15ms
ELIMINATED
∞
1 prime → nothing to switch
Decrypt Ciphertext → plaintext
0.15ms
0.33ms
0.45×
H33 uses 3-of-5 threshold (slower but zero exposure)
FHE Pipeline Total
2.85ms
1.28ms
2.2×
H33 includes ZK + Dilithium. SEAL does not.
Pipeline time comparison
SEAL
2.85ms
H33
1.28ms
“Authentication circuits are shallow. H33 uses the minimum Q that supports one multiply-plain-accumulate — eliminating all overhead SEAL carries for deeper circuits it never uses.”
This is not a hack or a shortcut. It's the mathematically correct parameter choice for the computation being performed. SEAL's parameters are correct for general-purpose FHE. H33's parameters are correct for authentication.
Security proof — Q=56 still provides 128+ bit securityNIST L1 ✓
4,096
Ring Dimension (N)
56
Modulus Bits (log₂ Q)
128+
Security Bits (λ)
The HE Standard table (homomorphicencryption.org) establishes maximum Q for each N to maintain 128-bit security. For N = 4,096, the maximum is Q ≤ 109 bits. H33 uses Q = 56 bits — well below the ceiling. A smaller Q means the Ring-LWE problem is harder, not easier. The lattice dimension stays the same (N=4096) while the modulus shrinks, increasing the noise-to-modulus ratio that an attacker must overcome.
Comparison: SEAL's Q=109 → ~128.2 bits (just at the boundary).
H33's Q=56 → ~146 bits. H33 is actually more secure, not less.
SEAL reference: Microsoft SEAL 4.1 · BFV default parameters · N=4096 · Q = [60,40,40,60] ≈ 109 bits H33 config: H33 BFV Engine · N=4096 · Q = 56 bits (single NTT-friendly prime) · t = 65,537 Security: HE Standard table + Lattice Estimator confirm 128+ bit security at Q=56 Hardware: AWS c8g.metal-48xl · Graviton4 · Criterion.rs v0.5 · Feb 14, 2026
Proprietary · H33 ZK Engine · Post-Quantum
2.0µs prove. 0.2µs verify. 2.09ns cached. Zero knowledge.
H33's ZK system is a four-layer aggregation stack built on STARKs with SHA3-256 hashing. First proof: 2.0µs. Every subsequent lookup via Cachee: 2.09ns — 960× faster. No trusted setup. Post-quantum safe.
Prove
2.0µs
first proof
Verify
0.2µs
200 nanoseconds
Cached Lookup
2.09ns
via Cachee L1
Speedup
960×
cached vs fresh
Four-layer ZK aggregation stack — click to expandProprietary
L1
Nova IVC ▾
Incremental Verifiable Computation — fold each auth into a running proof
~0.8µs
Mechanism
Nova Folding
Incrementally folds each new auth statement into a running R1CS instance
Key Benefit
O(1) Verification
Verifier work is constant regardless of how many auths have been folded
Recursion
IVC Chain
Each proof attests to the validity of all previous proofs in the chain
Commitment
Pedersen
Additively homomorphic commitment for efficient folding
Nova's folding scheme is the fastest known IVC. Instead of proving each auth from scratch, it folds the new auth statement into an accumulator — amortizing the cost of verification across thousands of proofs.
L2
Plonky3 STARK Compression ▾
Compress the Nova accumulator into a succinct STARK proof
~0.6µs
Framework
Plonky3
Polygon's STARK prover with custom H33 AIR constraints
Security
128-bit
Post-quantum security from collision-resistant hashing
Efficient polynomial evaluation with smooth 2-adic domain for FFT
H33 STARKs use SHA3-256 as the hash function — a NIST-standard, post-quantum secure hash providing 128-bit collision resistance. No trusted setup required. Security derives entirely from hash collision resistance, making the system quantum-safe by construction.
L3
STARK-of-STARKs Recursion ▾
Recursively verify the STARK proof inside another STARK — logarithmic compression
~0.4µs
Technique
Recursive Verification
STARK verifier circuit compiled into AIR constraints, proved by outer STARK
Compression
Logarithmic
Each recursion level shrinks proof by ~10×. 2-3 levels → ultra-succinct
Batching
32 Proofs/Batch
Matches the SIMD batch size — one recursive proof per 32-user batch
Post-Quantum
Hash-Based ✓
STARKs use no elliptic curves. Security from hash collision resistance only.
This is where the"post-quantum" guarantee comes from. SNARKs (Groth16, PLONK) rely on elliptic curve pairings that quantum computers can break. STARKs rely only on collision-resistant hashes — quantum-safe by construction.
L4
Merkle Commitment + Cachee ▾
Anchor to Merkle tree. Cache the final proof for 2.09ns subsequent lookups.
~0.2µs + cache
Merkle Hash
SHA3-256
NIST standard. Proof root anchored to Merkle tree for auditability.
Cache Engine
Cachee L1
Rust-native in-process cache. 497M ops/sec. 2.09ns per lookup.
Cache Hit
2.09ns
960× faster than generating a fresh proof
Eviction
LRU + TTL
Configurable expiry. Stale proofs regenerated on-demand at 2.0µs.
The final proof is stored in Cachee L1 — an in-process Rust cache running at 497 million ops/sec. Subsequent verifications retrieve the proof in 2.09 nanoseconds. Only the first auth incurs the full 2.0µs pipeline.
Proof lifecycle — watch it flowReady
🧬
Auth Input
—
🔄
Nova Fold
—
⭕
Circle STARK
—
🔁
Recursive Compress
—
🌳
Merkle Commit
—
💾
Cachee Store
—
Click a button above to animate the proof lifecycle
Cachee integration — why subsequent auths are 960× faster2.09ns
First Proof
2.0µs
Full 4-layer pipeline
then → 960×faster ↓
Every Subsequent
2.09ns
Cachee L1 direct hit
At a 40% cache hit rate (conservative production default), the effective per-auth ZK cost drops to ~1.2µs blended. At 80% hit rate (returning users): ~0.4µs. The ZK proof becomes effectively free.
Cryptographic primitives — why these choices
🔵
SHA3-256 Hash
NIST FIPS 202
NIST-standard cryptographic hash function. 128-bit collision resistance. Post-quantum secure. No algebraic structure to exploit.
🌀
Cachee STARK Lookup
2.09ns cached verify
Pre-computed STARK lookup table enables sub-3ns verification for repeat proofs. 960× speedup over fresh proof generation. 497M ops/sec.
⭕
STARK Proof System
No trusted setup
Transparent proof system with no toxic waste. Security from SHA3-256 collision resistance only. Post-quantum safe by construction. Enables efficient FRI.
vs competing ZK systemsH33 advantage
System
Prove
Verify
Proof Size
Setup
PQ-Safe
Cost/Proof
H33 ZKP Stark Lookup STARK + Cachee
2.0µs
0.2µs
~200B
None
Yes ✓
~$0.000002
Groth16 BN254 pairing-based
~40ms
~3ms
128B
Trusted ⚠
No ✗
~$0.05
RISC Zero zkVM / STARK
~200ms
~2ms
~200KB
None
Yes
$15-30
SP1 (Succinct) zkVM / STARK
~150ms
~2ms
~150KB
None
Yes
$5-15
PLONK KZG commitments
~30ms
~5ms
~600B
Universal
No ✗
~$0.03
H33 is purpose-built for auth proofs — not a general zkVM. That focus enables 20,000× faster proofs.
Engine: H33 ZKP Stark Lookup (proprietary) · STARK · SHA3-256 hash · Nova IVC folding Security: Hash-based (collision resistance only) · Post-quantum safe · No trusted setup Cache: Cachee L1 · 497M ops/sec · 2.09ns per lookup · 960× speedup over fresh proof Hardware: AWS c8g.metal-48xl · Graviton4 · Criterion.rs v0.5 · Feb 14, 2026
Interactive · Click the servers below
3-of-5 threshold decryption. No single server ever sees your data.
The decryption key is split into 5 shares using Shamir's Secret Sharing. Any 3 shares can reconstruct the result — but 1 or 2 shares reveal absolutely nothing. Click the servers to build a quorum.
Decryption authorities — click to select quorum0 of 3 needed
🔑Share 1
✓
Authority α
US-East (Virginia)
🔑Share 2
✓
Authority β
EU-West (Frankfurt)
🔑Share 3
✓
Authority γ
AP-Southeast (Tokyo)
🔑Share 4
✓
Authority δ
US-West (Oregon)
🔑Share 5
✓
Authority ε
EU-North (Stockholm)
🔒
Locked — select 3 authorities
Click servers above to form a decryption quorum. Any combination of 3 or more can reconstruct.
0 / 3
Scenarios — see what happens when servers fail
Single-Key
⚠️
Traditional / SEAL Decrypt
One server holds the entire secret key. That server decrypts the ciphertext and sees the full plaintext biometric. If that server is compromised, all data is exposed.
0.15ms · 1 server · Full plaintext exposure
Threshold
🛡️
H33 Threshold Decrypt
Each authority computes a partial decryption with its key share. Shares combine via Lagrange interpolation. No authority ever sees the full plaintext. The combined result goes directly to encrypted comparison.
0.33ms · 3-of-5 · Zero plaintext exposure
📐 Shamir's Secret Sharing — Degree-2 Polynomial
Secret
f(0) = s
=
Constant
s
+
Random
a₁ · x
+
Random
a₂ · x²
The decryption key is the constant term s of a degree-2 polynomial. Each authority receives f(i) — a point on the curve. With 3 points, Lagrange interpolation uniquely determines the polynomial and recovers s. With only 2 points, there are infinitely many degree-2 polynomials that fit — the secret is information-theoretically hidden.
Attack resistance
🏴☠️
1 Server Breached
Attacker gets 1 key share. Cannot reconstruct — need 3. Zero information about the secret is revealed.
DATA SAFE ✓
💥
2 Servers Breached
Attacker gets 2 shares. Still below threshold. Mathematically impossible to reconstruct from 2 of 3 required.
DATA SAFE ✓
🔌
2 Servers Offline
3 remain. That's exactly the threshold. Service continues with zero degradation. Auth still completes in 0.33ms.
SERVICE ONLINE ✓
Measured performance
Per-Share Decrypt
~0.11ms
each authority
Shamir Combine
~0.01ms
Lagrange interpolation
Total Threshold
0.33ms
3-of-5 complete
vs SEAL Single-Key
0.15ms
full exposure risk
Protocol: Shamir Secret Sharing (degree t-1 polynomial, t=3, n=5) Security: Information-theoretic — unbreakable regardless of compute power Cost of zero exposure: 0.33ms − 0.15ms = 0.18ms premium for guaranteed zero plaintext exposure H33 still wins: Full pipeline 1.28ms (H33) vs 2.85ms (SEAL) — 2.2× faster even with threshold
The speed test anyone can understand
You'll blink. H33 will complete 234 full post-quantum auths.
A human blink takes 300 milliseconds. Every authentication includes FHE encryption, biometric matching, 3-of-5 threshold decryption, ZK proof, and a Dilithium quantum signature. Watch.
0
full post-quantum authentications
300ms
Each one of those 234 auths included the entire post-quantum pipeline:
🔒 FHE Encrypt0.42ms
🧮 Biometric Match0.26ms
🔑 3-of-5 Threshold0.33ms
🛡️ ZK Proof2.0µs
✍️ Dilithium Sig106µs
Every single one. Not a shortcut. Not FHE-only. Not a projection.
Full post-quantum pipeline with zero data exposure on every auth.
In the same blink — what competitors complete300ms
H33
Full pipeline · 1.28ms each
234 auths
0
SEAL FHE
FHE-only · 2.85ms · No ZK/sig
105
0
Onfido
Traditional KYC · ~3-8 seconds
<1
0
Legacy Auth
Plaintext compare · ~50ms
6
0
H33 completes 234 full post-quantum auths in the time Onfido completes zero.
SEAL completes 105 FHE-only operations — with no threshold, no ZK, no signature, and full plaintext exposure.
🏥
Hospital Check-In
234 patients
An entire clinic's morning rush authenticated in a single blink. FHE-encrypted biometrics, HIPAA-grade, post-quantum.
🏏️
Stadium Gate
14,040 / minute
234 per blink × 60 blinks/min. A full NFL stadium (70,000 fans) cleared in 5 minutes with zero data exposure.
💳
Payment Terminal
0 wait
1.28ms is imperceptible. The biometric auth completes before the NFC handshake finishes. Zero exposure, post-quantum.
NIST FIPS 204 · ML-DSA · Post-Quantum Digital Signature
Dilithium3. One signature per batch. 3.3µs amortized. Quantum-proof.
H33 uses the NIST reference implementation for Dilithium3 — the correct choice for a federal standard. Custom optimization happens at the batch level: one signature covers 32 users, cutting per-auth signing cost by 32×.
Sign
80.7µs
per operation
Verify
24.8µs
per operation
Total
106µs
sign + verify
Batched
3.3µs
per auth (÷32)
Signature
3,309B
NIST Level 3
Why use the NIST reference implementation?Deliberate choice
⚡ ZK-STARK engine — H33 ZKP STARK Lookup, SHA3-256
⚡ Biometrics engine — multi-modal fusion, LSTM
📜 NIST Reference (Dilithium)
✓ FIPS 204 certified — federal compliance ready
✓ Audited by NIST, industry, and academia
✓ pqcrypto-mldsa Rust crate — battle-tested
✓ Zero risk of implementation bugs in the standard
Standards should be standards. H33 builds custom where the algorithm doesn't exist yet (no one else has a 2.0µs auth-specific ZK proof). For Dilithium, the algorithm is already perfect — NIST spent 8 years selecting it. The optimization opportunity isn't in the cryptography; it's in how many times you call it.
Batch attestation — the real optimizationClick to animate
✍️
32 individual signatures
Individual
3,392µs
106µs × 32 users
32×
savings
Batched
106µs
1 signature ÷ 32 = 3.3µs/auth
Signature anatomy — 3,309 bytesNIST L3
3,309B
Signature Size
Lattice-based. Compact for post-quantum. 25× smaller than SPHINCS+.
1,952B
Public Key
Stored once per authority node. Amortized over billions of verifications.
103B
Per-Auth Overhead
3,309B ÷ 32 users = 103 bytes per auth. Negligible at server-to-server.
AES-192
Security Equiv.
NIST Level 3. Resists both classical and quantum attacks through 2060+.
vs other post-quantum signature schemesH33 choice: Dilithium3
Scheme
NIST
Sign
Verify
Sig Size
PK Size
H33 Batched
Dilithium3 (ML-DSA) FIPS 204 · Lattice-based · H33 choice
L3
80.7µs
24.8µs
3,309B
1,952B
3.3µs/auth
Dilithium2 (ML-DSA-44) Faster but lower security
L2
~55µs
~18µs
2,420B
1,312B
~2.3µs
Dilithium5 (ML-DSA-87) Maximum security
L5
~140µs
~38µs
4,627B
2,592B
~5.6µs
SPHINCS+-128f Hash-based · Conservative
L1
~4.8ms
~0.3ms
17,088B
32B
~160µs
Ed25519 (classical) ⚠ NOT post-quantum
None
~25µs
~45µs
64B
32B
Quantum-broken
Dilithium3 is the best balance for auth: fast sign/verify, manageable signature size, NIST L3 security. SPHINCS+ is 60× slower.
Why 3,309 bytes is fine for server-to-server auth
TLS Overhead
~5,000B
A typical TLS 1.3 handshake is already 5KB+. Dilithium adds 66% — one-time, amortized over session.
Batched Overhead
103B/auth
One 3,309B sig per 32-user batch = 103 bytes per auth. Less than a tweet.
Bandwidth
3.6 MB/sec
At 1.15M auth/sec: 1.15M ÷ 32 × 3,309B = 117 MB/sec of sigs. ~1 Gbps link handles it.
Dilithium signatures are larger than Ed25519 (3,309B vs 64B). But this is server-to-server authentication — not mobile-to-tower. Internal datacenter bandwidth is 25-100 Gbps. The signature overhead is 0.1% of available bandwidth. The correct tradeoff is: accept 3KB signatures, gain quantum resistance through 2060+.
Core Insight — Why Million-Scale Throughput Is Possible
1 op
1,375µs
FHE cost
1 user
1,375µs
no batching
32 users
still 1,375µs
SIMD packed
per user
43µs
32× cheaper
🛡
NIST L1 → L5 Post-Quantum Security
FIPS 203 / 204 / 205 · Lattice-Based Cryptography
NIST Level 1≡ AES-128
Equivalent security to breaking AES-128. Sufficient for most commercial applications.
128
BITS
🔑Key Encapsulation (KEM)
ML-KEM-512 (Kyber-512)
Key: 800 B
✍️Digital Signature
ML-DSA-44 (Dilithium-2)
Sig: 2,420 B
🎯Use Case
Standard authentication, commercial apps, web services
🛡️Quantum Resistance
~2¹⁵⁷ Toffoli gates to break
Grover + lattice hardness
➔H33 Product Tier: H33-128See"H33 Tiers" tab →
H0
H0Developer
Development & testing tier. Classical crypto. No post-quantum guarantees.
DEV
Encryption
AES-256-GCM
Signature
Ed25519
Key Exchange
X25519
Latency
~0.3ms
Throughput
Dev only
⚡
H33-128Production
Production post-quantum authentication. BFV FHE with NIST L1 lattice-based crypto.
NIST L1PRODUCTION ★
Encryption
BFV FHE (N=4096)
Signature
Dilithium-3 (ML-DSA-65)
Key Exchange
Kyber-512 (ML-KEM-512)
Latency
1.43ms
Throughput
1.15M auth/sec
🛡
H-256Maximum Security
Maximum post-quantum security. 256-bit equivalent. For defense & critical infrastructure.
NIST L5MAX SECURITY
Encryption
BFV FHE (N=8192+)
Signature
Dilithium-5 (ML-DSA-87)
Key Exchange
Kyber-1024 (ML-KEM-1024)
Latency
~3.2ms
Throughput
Classified
Algorithm Selection Matrix: Standard (128-bit) uses Kyber-512 + Dilithium-2. High (192-bit) uses Kyber-768 + Dilithium-3. Critical (256-bit) uses Kyber-1024 + Dilithium-5. Ultra (512-bit) adds McEliece-8192 + Dilithium-5 for defense applications.
2024NIST Finalizes PQC
FIPS 203/204/205 published. ML-KEM, ML-DSA standardized.
2025H33 Production Deploy
H33-128 achieves 1.15M auth/sec with full PQC stack.
2026Today — Migration WindowYOU ARE HERE
Every day without PQC = more harvested data exposed.
2028Early Quantum Threat
Optimistic estimates for cryptographically relevant quantum computers.
~2yr
2030Quantum Viable (Est.)
Many researchers predict CRQC capable of breaking RSA-2048.
~4yr
2032Quantum Mature
Conservative estimate. Error-corrected quantum at scale.
~6yr
2035Post-Deadline
Data harvested in 2025 now decryptable. 10-year exposure window.
~9yr
⚠ The Migration Window Is Closing
Data encrypted with RSA/ECC today has a shelf-life. Nation-state adversaries are actively harvesting encrypted traffic now with the intent to decrypt it when quantum computers mature. The window between"now" and"quantum-viable" is your migration window. H33 provides post-quantum security today.
Threat Model
"Harvest Now, Decrypt Later" (HNDL)
Nation-state adversaries intercept and store encrypted communications today, banking on future quantum computers to break the encryption retroactively. This is not theoretical — intelligence agencies have confirmed this practice.
📡
STEP 1Encrypted Traffic
Your data travels encrypted with RSA/ECC today
❯
👁
STEP 2Nation-State Intercept
Adversaries record ALL encrypted traffic at backbone
❯
🗃
STEP 3Store & Wait
Petabytes stored in data centers. Years of patience.
NIST FIPS 203 (ML-KEM) · FIPS 204 (ML-DSA) · FIPS 205 (SLH-DSA)
Lattice problems: Module-LWE, Module-SIS · Ring dimension N=4096 (L1) / N=8192+ (L5)
H33-128: Post-quantum in production today
⚙
Four Proprietary Engines
All Rust · Zero External Crypto Dependencies · 33 Patent Claims
🦀All Rust
🛡Zero external crypto deps
Only external: Dilithium3 (NIST FIPS 204 reference impl, pqcrypto-mldsa)
1,628 tests · 300K proptest · Feb 14, 2026
CACHEE L1 — CASE STUDY
From 17µs to 2.09ns
8,134× faster — Rust-native cache replacing Redis
BEFORE — REDIS BACKED
17µs
per cache hit
Throughput~59K ops/sec
In 300ms blink~17,600 lookups
BackendElastiCache Redis 7.1
→
8,134×
AFTER — RUST-NATIVE CACHEE
2.09ns
per cache hit
Throughput497M ops/sec
In 300ms blink~143M lookups
BackendRust-native in-process
THROUGHPUT COMPARISON
Redis59K ops/sec
Cachee L1497,120,061 ops/sec
In the time you blink (300ms)
143,540,669 proof lookups
Effectively unlimited — faster than a single CPU L1 cache miss
In the time one Redis lookup completes, Cachee performs 8,134 lookups.
Click the button to see it happen.
REDIS
0
lookups completed
CACHEE L1
0
lookups completed
When a ZK-STARK proof is first verified, it takes <3ms. Cachee stores the result — every subsequent verification takes just 2.09ns. That's ~1,435× faster.
1
First-Time STARK Verification
STARK proof arrives → Full verification pipeline
SHA3-256SHA3-256 hash128-bit PQ security
<3ms
2
Cachee L1 Stores Verification Result
Proof hash → verification result stored in Rust-native L1 cache
No serialization. No network hop. No Redis protocol overhead.
In-process memoryZero-copy accessCost-aware LRU
3
Every Subsequent Lookup — Instant
2.09ns
~1,435× faster than first verification
2.09ns (Cachee)3ms (full verify)
Drag the slider to see how cache hit rate transforms your effective authentication latency. Higher cache rates push ZK verification cost toward zero.
CKKS bootstrapping refreshes noise budget for unlimited computation depth. Pipeline: ModRaise → CoeffToSlot (homomorphic DFT) → EvalMod (Chebyshev approximation of mod q) → SlotToCoeff (inverse DFT).
Why It Matters
The EvalMod step uses Chebyshev polynomials to approximate f(x) = x − round(x/q)·q. This enables arbitrary-depth computation on encrypted data. Microsoft SEAL cannot do this at all.
Scheme switching — world firstWORLD FIRST
🔄 CKKS ↔ BFV Mid-Computation
CKKS→BFV: Scale plaintext to integers, bootstrap if noisy, modulus switch to BFV-compatible chain, reinterpret as BFV ciphertext.
BFV→CKKS: Encode integers as CKKS with scale factor, adjust modulus chain.
Use case: Run approximate ML inference in CKKS, switch to BFV for exact threshold comparison. Best of both worlds in a single encrypted pipeline.
Standard approach: multiply, accumulate, rotate, repeat — with redundant INTT→NTT roundtrips between operations.
H33: fused multiply-accumulate-rotate in a single NTT domain pass. Critical for biometric cosine similarity: dot(A,B) / (|A|·|B|). Avoids redundant domain conversions entirely.
Automatic precision tracking
📊 Noise-Aware Computation
Automatic tracking of effective precision bits through computation graph. After add: noise += 1 bit. After multiply: precision halves, noise doubles. After rescale: reclaim precision. Auto-triggers bootstrap when precision drops below threshold (10 bits). Never lose more precision than mathematically necessary.
5 operations SEAL can't doH33 ONLY
MICROSOFT SEAL
Cannot Do
No bootstrapping No scheme switching No fused kernels No auto-precision No lazy accumulate
99.2% attack detection across all vectors. Cross-modal verification catches behavioral inconsistency — even if one modality is spoofed, the others expose the attack.
Final confidence: C_final(t) = F_fused(t) × Context_multiplier.
Circuit enforces minimum 5% weight per available modality to prevent single-modality bypass.
Encrypted matching — your biometric is NEVER decrypted
🔒 FHE-Encrypted Pipeline
All biometric matching happens entirely in encrypted space using H33 BFV homomorphic encryption. No server ever sees your plaintext biometric data. Combined with k-of-n threshold decryption (3-of-5 Shamir), no single server can decrypt your template — even with full root access.