Production-ready, developer-friendly wrapper for NIST-standardized post-quantum cryptography (ML-KEM-768, ML-DSA-65).
Protect your applications against future quantum computer attacks with production-ready post-quantum cryptography. Built on NIST-standardized algorithms (FIPS 203/204) with comprehensive error handling, key management, and crypto-agility.
- Developers building secure communication or encryption systems
- Applications requiring long-term confidentiality (store-now-decrypt-later resistance)
- Projects that need post-quantum key exchange and signatures
- Teams looking for production-ready cryptographic infrastructure
npm install @zkim-platform/post-quantumimport { getZKIMPostQuantumService } from '@zkim-platform/post-quantum';
// 1. Get service instance (singleton)
const service = await getZKIMPostQuantumService();
// 2. Initialize (one-time setup)
await service.initialize();
// 3. Generate keys
const kemKeyPair = service.generateKEMKeyPair();
const dsaKeyPair = service.generateDSAKeyPair();
// 4. Use operations
const { cipherText, sharedSecret } = service.encapsulate(recipientPublicKey);
const signature = service.sign(message, dsaKeyPair.secretKey);
const isValid = service.verify(message, signature.signature, dsaKeyPair.publicKey);import { getZKIMPostQuantumService } from '@zkim-platform/post-quantum';
// Alice's side
const aliceService = await getZKIMPostQuantumService();
await aliceService.initialize();
const aliceKeys = aliceService.generateKEMKeyPair();
// Bob's side
const bobService = await getZKIMPostQuantumService();
await bobService.initialize();
const bobKeys = bobService.generateKEMKeyPair();
// Alice encapsulates to Bob
const { cipherText, sharedSecret: aliceSecret } = aliceService.encapsulate(bobKeys.publicKey);
// Bob decapsulates
const bobSecret = bobService.decapsulate(cipherText, bobKeys.secretKey);
// Both now have the same shared secret for encryptionimport { getZKIMPostQuantumService } from '@zkim-platform/post-quantum';
const service = await getZKIMPostQuantumService();
await service.initialize();
// Generate signing keys
const signingKeys = service.generateDSAKeyPair();
// Sign message
const message = new TextEncoder().encode('Hello, World!');
const signature = service.sign(message, signingKeys.secretKey);
// Verify signature
const isValid = service.verify(message, signature.signature, signingKeys.publicKey);π Full Documentation β Wiki
- Getting Started - Installation and first steps
- API Reference - Complete API documentation
- Examples - Real-world usage patterns
- Security - Security considerations, FIPS disclaimer
- ML-KEM-768 (FIPS 203) - Key Encapsulation Mechanism for secure key exchange
- ML-DSA-65 (FIPS 204) - Digital Signature Algorithm for message authentication
- Service Architecture - Singleton pattern with initialization/cleanup lifecycle
- Error Handling - Comprehensive validation with clear error messages
- Key Management - Serialization, fingerprinting, caching
- Crypto-Agility - Algorithm suite abstraction for future-proofing
- Type Safety - Full TypeScript support with complete type definitions
- Simple API - 3-4 methods for most use cases
- Well-Documented - Complete documentation with examples
- Battle-Tested - Used in production ZKIM platform
- Zero Dependencies on ZKIM - Fully standalone package
CRITICAL: This package uses NIST-standardized algorithms (FIPS 203/204), but the implementation itself is NOT FIPS 140-3 validated by an accredited laboratory.
What this means:
- β Uses NIST-standardized algorithms (ML-KEM-768, ML-DSA-65)
- β Follows FIPS 203/204 specifications
- β Implements algorithms according to NIST standards
- β Implementation not validated by accredited lab
- β Not certified for government use requiring FIPS validation
For FIPS-validated implementations:
- Use FIPS-validated cryptographic modules from accredited vendors
- Obtain FIPS 140-3 validation from accredited laboratory
- Follow government compliance requirements
See Security Documentation for details.
- Node.js: >= 18.0.0
- TypeScript: >= 5.0.0 (recommended)
- Browser: Modern browsers with ES2020+ support
import { serializeMLKEMKeyPair, deserializeMLKEMKeyPair } from '@zkim-platform/post-quantum';
// Serialize for storage/transport
const serialized = serializeMLKEMKeyPair(keyPair); // JSON-safe
// Deserialize later
const restored = deserializeMLKEMKeyPair(serialized);See the Examples Wiki for:
- Basic key generation
- Key exchange between parties
- Message signing and verification
- Crypto-agility framework usage
- Integration patterns
Contributions are welcome! Please see our Contributing Guide for details.
MIT License - see LICENSE for details.
- npm: https://www.npmjs.com/package/@zkim-platform/post-quantum
- GitHub: https://github.com/zkdotim/zkim-post-quantum
- Documentation: https://github.com/zkdotim/zkim-post-quantum/wiki
- Issues: https://github.com/zkdotim/zkim-post-quantum/issues
This package is published with npm Provenance (build attestation) to ensure authenticity and integrity.
What is Provenance? Provenance provides verifiable information about how and where this package was built:
- β Built and signed on: GitHub Actions
- β Source Commit: Links to exact GitHub commit
- β Build File: Links to GitHub Actions workflow
- β Public Ledger: Transparency log entry (immutable record)
Why it matters:
- Verifies package authenticity
- Shows exact source code used
- Provides build environment details
- Creates immutable audit trail
- Enhances supply chain security
Verify locally:
npm audit signaturesFor more information, see npm Provenance Documentation.
Built on top of:
- @noble/post-quantum - ML-KEM-768 and ML-DSA-65 algorithms
- @noble/hashes - BLAKE3 hashing
- libsodium-wrappers-sumo - Secure random generation
Made with β€οΈ by the ZKIM Team