A complete security platform combining post-quantum cryptography, real-time threat detection, and HSM-backed key management. HPKE encryption, BB84 key distribution, LSH-256 hashing, 11 runtime scanners, and multi-tenant RBAC — delivered as a modular API with only 2 dependencies.
Q = Quantum. Crypt = Cryptography. On = Always On.
NIST has set firm deadlines for deprecating quantum-vulnerable cryptography. Organizations must begin migration now to meet compliance requirements.
12 native modules — zero external crypto dependencies. Every algorithm implemented from scratch in pure JavaScript.
Full BB84 protocol implementation with eavesdrop detection. Qubits are encoded in rectilinear/diagonal bases, sifted to ~50%, and privacy-amplified through LSH-256. Error rates above 11% trigger automatic eavesdropper alerts. QKD-derived keys wrap detected secrets so they are never transmitted in plaintext.
BB84 + LSH-256 Privacy Amplification
RFC 9180 Hybrid Public Key Encryption with DHKEM(X25519) + AES-256-GCM or ChaCha20-Poly1305. Three modes: Base, PSK (quantum-hardened — survives Shor's algorithm), and Auth (sender authenticated). Plus symmetric AES-256-GCM with HKDF-SHA3-256 key derivation.
RFC 9180 + FIPS 197 + FIPS 202
Prompt injection (21 patterns), tool poisoning, data exfiltration, brute force, credential stuffing, dictionary attacks, phishing (homoglyph detection), keylogger/malware, card fraud (NFC relay, skimming), server config audit, and quantum threat assessment. Express middleware blocks threats with 403 before they reach your code.
100+ Detection Patterns
Unified interface for 6 providers: Entrust nShield, AWS KMS, Azure Key Vault, Google Cloud KMS, Thales Luna, and built-in Software HSM. 9 NIST PQC algorithms (ML-KEM, ML-DSA, SLH-DSA) with FIPS 140-3 Level 3 validation. CNSA 2.0 crypto-agility assessment with automated migration planning.
FIPS 203 + 204 + 205
Source code crypto scanning across 6 languages (JS, Python, Go, Java, Rust, C/C++). 26 secret detection patterns with QKD-wrapped reporting. Binary crypto constant scanner (AES S-boxes, DES tables, SHA IVs). CycloneDX CBOM generation and CI/CD quality gate with configurable policy enforcement.
6 Languages + CycloneDX
Isolated tenants with separate keys, policies, and scan data. 4 hierarchical roles (admin, manager, analyst, viewer) with 40 granular permissions. Role escalation prevention, tenant-scoped key listing, and SHA3-256 hashed API keys. HMAC-SHA3-256 signed webhook notifications with audit logging.
4 Roles + 40 Permissions
A modular, API-first platform with 55+ endpoints. Two npm dependencies (express, uuid). Everything else is native.
Generate an API key (qk-...) hashed with SHA3-256. Assign it to a tenant and role (admin/manager/analyst/viewer). All 55+ endpoints are protected by RBAC — viewers can read, analysts can scan, managers can create keys, admins manage tenants.
11 threat scanners analyze inputs in real-time: prompt injection, phishing, brute force, credential stuffing, keylogger, card fraud, and more. Code scanner audits your codebase across 6 languages for weak crypto and hardcoded secrets. CI/CD gate blocks builds with critical violations.
HPKE (RFC 9180) for public-key encryption with 3 modes. AES-256-GCM with HKDF-SHA3-256 for symmetric encryption. BB84 QKD generates quantum-safe session keys. LSH-256 and SHA3-256 for post-quantum hashing. HSM-backed ML-KEM/ML-DSA operations via 6 providers.
HMAC-SHA3-256 signed webhooks deliver real-time threat alerts to Slack, PagerDuty, or your SIEM. Full audit logging tracks every operation. CNSA 2.0 crypto-agility assessment maps your migration path from RSA/ECDSA to ML-DSA/ML-KEM with per-algorithm urgency ratings.
Classical cryptography is living on borrowed time. Quantum computers running Shor's algorithm will break RSA and ECC — the backbone of today's internet security.
Adversaries are already capturing encrypted data today, stockpiling it until quantum computers can break the encryption. QCrypton's HPKE PSK mode and BB84 QKD provide defense-in-depth — even if X25519 is broken by Shor's algorithm, the pre-shared key still protects the ciphertext.
MD5, SHA-1, DES, and RC4 remain in active use. QCrypton's code scanner detects these across 6 languages, flags them in CI/CD gates, and generates CycloneDX CBOMs. The crypto-agility assessment maps each algorithm to its NIST-approved replacement.
Prompt injection, tool poisoning, and data exfiltration target AI-powered systems. Card swap fraud, NFC relay attacks, and phishing impersonate trusted brands. QCrypton's 11 scanners detect 100+ attack patterns with behavioral analysis (IP velocity, geo-impossible transactions, credential stuffing detection).
Detected and blocked by QCrypton scanners
QCrypton's general-purpose tier
QCrypton's long-term security tier
Integrate quantum-resilient security into any application with 2 lines of code.
Quantum-safe systems, data protection, and payment card encryption. 11 scanners detect NFC relay attacks, card skimming, payment fraud, and data exfiltration.
HPKE-encrypted payment processing with HSM-backed ML-DSA signatures. Code scanner detects weak crypto in trading systems. QKD-wrapped secret reporting for compliance audits.
LSH-256 hashing for long-term patient record integrity. HPKE PSK mode protects genomic data against HNDL attacks. Multi-tenant RBAC isolates hospital departments with viewer/analyst/admin roles.
CNSA 2.0 crypto-agility assessment maps RSA/ECDSA migration to ML-DSA/ML-KEM. HSM integration with Entrust nShield (FIPS 140-3 Level 3, CAVP validated). CI/CD gate blocks quantum-vulnerable code.
Prompt injection scanner (21 patterns) protects AI assistants. Tool poisoning detector audits MCP tool definitions. Data exfiltration scanner prevents PII leaks from AI-generated responses.
Scan codebases across 6 languages for weak crypto and secrets. Generate CycloneDX CBOMs for supply chain compliance. CI/CD gate with configurable policy: fail on weak algorithms, secrets, or low PQC readiness.
QCrypton is built on a radical principle: a complete quantum-resilient security platform should require only 2 npm dependencies. Every cryptographic algorithm, every scanner, every protocol — implemented natively in JavaScript.
LSH-256 hash function — implemented from the KS X 3262 specification, not imported from a library. HPKE — built from RFC 9180, not wrapped around a C binding. BB84 QKD — the full protocol with eavesdrop detection and privacy amplification. 11 threat scanners with 100+ detection patterns. Multi-tenant RBAC with 40 permissions. All in ~9,000 lines of code with zero external crypto dependencies.
The result is a platform that is auditable, portable, and free from supply chain risk in its cryptographic core. When you npm install qcrypton, you get express for HTTP and uuid for identifiers. Everything else is QCrypton.
Quantum + Cryptography + Always On. QCrypton is a quantum-resilient cryptography and threat detection platform delivered as a REST API. It combines post-quantum encryption (HPKE, AES-256-GCM, LSH-256), quantum key distribution (BB84), HSM/KMS integration (6 providers, 9 PQC algorithms), code scanning (6 languages), 11 runtime threat scanners, and multi-tenant RBAC — all with only 2 npm dependencies (express, uuid).
HIGH tier (post-quantum): LSH-256-256/224 (KS X 3262), HMAC-LSH-256, HPKE with AES-256-GCM or ChaCha20-Poly1305 (RFC 9180), BB84 QKD with LSH-256 privacy amplification.
MODERATE tier (quantum-resistant): SHA3-256/512 (FIPS 202), SHAKE256, HMAC-SHA3-256, AES-256-GCM (FIPS 197), HKDF-SHA3-256 (RFC 5869).
HSM-delegated: ML-KEM-512/768/1024 (FIPS 203), ML-DSA-44/65/87 (FIPS 204), SLH-DSA-SHA2-128s/192s/256s (FIPS 205).
HPKE (Hybrid Public Key Encryption, RFC 9180) uses DHKEM(X25519) for key agreement + AES-256-GCM for encryption. In PSK mode, a pre-shared key is mixed into the key schedule alongside the X25519 shared secret. Even if a quantum computer breaks X25519 via Shor's algorithm, the PSK still protects the ciphertext — the attacker would need both the X25519 private key AND the PSK to decrypt. This provides defense-in-depth against Harvest Now, Decrypt Later attacks.
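The PSK argument above can be checked against the RFC 9180 key schedule directly. The following is an added example, not QCrypton's code: it derives only the AEAD key, takes the KEM shared secret as an input, and assumes HKDF-SHA256 as the KDF (the page does not name one); all function and constant names are illustrative.

```javascript
// Added example: RFC 9180 key schedule, reduced to deriving the AEAD key.
const { createHmac } = require('node:crypto');

// suite_id = "HPKE" || kem_id || kdf_id || aead_id
// DHKEM(X25519) = 0x0020, HKDF-SHA256 = 0x0001 (assumed KDF), AES-256-GCM = 0x0002
const SUITE_ID = Buffer.concat([Buffer.from('HPKE'), Buffer.from([0, 0x20, 0, 0x01, 0, 0x02])]);
const VERSION = Buffer.from('HPKE-v1');
const EMPTY = Buffer.alloc(0);
const NH = 32; // HKDF-SHA256 output size
const NK = 32; // AES-256-GCM key size
const MODE_BASE = 0x00;
const MODE_PSK = 0x01;

const hmac = (key, data) => createHmac('sha256', key).update(data).digest();

function labeledExtract(salt, label, ikm) {
  const labeledIkm = Buffer.concat([VERSION, SUITE_ID, Buffer.from(label), ikm]);
  return hmac(salt.length ? salt : Buffer.alloc(NH), labeledIkm); // empty salt = zeros
}

function labeledExpand(prk, label, info, length) {
  const labeledInfo = Buffer.concat([
    Buffer.from([length >> 8, length & 0xff]), VERSION, SUITE_ID, Buffer.from(label), info,
  ]);
  let block = EMPTY;
  let okm = EMPTY;
  for (let i = 1; okm.length < length; i++) { // HKDF-Expand (RFC 5869)
    block = hmac(prk, Buffer.concat([block, labeledInfo, Buffer.from([i])]));
    okm = Buffer.concat([okm, block]);
  }
  return okm.subarray(0, length);
}

function deriveAeadKey(mode, sharedSecret, info, psk = EMPTY, pskId = EMPTY) {
  // VerifyPSKInputs: psk and psk_id come together, and only in PSK mode.
  const gotPsk = psk.length > 0;
  if (gotPsk !== (pskId.length > 0) || gotPsk !== (mode === MODE_PSK)) {
    throw new Error('PSK inputs inconsistent with mode');
  }
  const pskIdHash = labeledExtract(EMPTY, 'psk_id_hash', pskId);
  const infoHash = labeledExtract(EMPTY, 'info_hash', info);
  const context = Buffer.concat([Buffer.from([mode]), pskIdHash, infoHash]);
  // The PSK is the IKM and the KEM shared secret is the salt: both feed `secret`.
  const secret = labeledExtract(sharedSecret, 'secret', psk);
  return labeledExpand(secret, 'key', context, NK);
}
```

Calling `deriveAeadKey` with the same shared secret but a different PSK, or in Base mode, yields an unrelated key, which is why recovering the X25519 output alone is not enough to decrypt a PSK-mode ciphertext.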
BB84 (Bennett-Brassard 1984) distributes encryption keys using quantum mechanics. Alice encodes random bits in random bases (rectilinear or diagonal), Bob measures in random bases. They publicly compare bases and keep matching bits (~50%). A 25% sample is sacrificed to check for eavesdropping — error rates above 11% prove interception (guaranteed by the no-cloning theorem). The remaining bits are privacy-amplified through LSH-256 into a 256-bit key. QCrypton uses QKD to wrap detected secrets so they are never transmitted in plaintext.
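The sifting, sampling and 11% threshold described above can be reproduced with a classical simulation. This is an added example, not QCrypton's implementation: the function names and the intercept-resend eavesdropper model are assumptions, and SHA3-256 stands in for LSH-256, which Node's crypto module does not provide.

```javascript
// Added example: classical simulation of the BB84 steps described above.
const { randomInt, createHash } = require('node:crypto');

const randomBits = (n) => Array.from({ length: n }, () => randomInt(2));

// Toy qubit model: measuring in the preparation basis returns the bit,
// measuring in the other basis returns a uniformly random bit.
const measure = (bit, prepBasis, measBasis) =>
  prepBasis === measBasis ? bit : randomInt(2);

// SHA3-256 stands in for LSH-256 (assumption: LSH-256 is not in node:crypto).
const amplify = (bits) => createHash('sha3-256').update(bits.join('')).digest('hex');

function bb84(nQubits, { eavesdrop = false, sampleFraction = 0.25, qberLimit = 0.11 } = {}) {
  const aliceBits = randomBits(nQubits);
  const aliceBases = randomBits(nQubits); // 0 = rectilinear, 1 = diagonal
  const bobBases = randomBits(nQubits);
  const sifted = []; // [aliceBit, bobBit] for positions where bases matched

  for (let i = 0; i < nQubits; i++) {
    let bit = aliceBits[i];
    let basis = aliceBases[i];
    if (eavesdrop) {
      // Intercept-resend: Eve measures in a random basis and re-sends in it.
      const eveBasis = randomInt(2);
      bit = measure(bit, basis, eveBasis);
      basis = eveBasis;
    }
    const bobBit = measure(bit, basis, bobBases[i]);
    if (aliceBases[i] === bobBases[i]) sifted.push([aliceBits[i], bobBit]);
  }

  // Sacrifice a sample of the sifted bits to estimate the error rate (QBER).
  // A prefix is a fair sample here because every position is independent.
  const sampleSize = Math.floor(sifted.length * sampleFraction);
  if (sampleSize === 0) throw new Error('too few sifted bits to estimate QBER');
  const errors = sifted.slice(0, sampleSize).filter(([a, b]) => a !== b).length;
  const qber = errors / sampleSize;
  const eavesdropperDetected = qber > qberLimit;

  // Only the unrevealed bits feed the key; abort when the channel looks tapped.
  const rest = sifted.slice(sampleSize);
  return {
    siftedRatio: sifted.length / nQubits, qber, eavesdropperDetected,
    aliceKey: eavesdropperDetected ? null : amplify(rest.map(([a]) => a)),
    bobKey: eavesdropperDetected ? null : amplify(rest.map(([, b]) => b)),
  };
}
```

With a few thousand qubits, an untapped run sifts to about half the bits with a zero error rate and matching keys, while the intercept-resend run measures roughly 25% errors in the sample and returns no key.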
QCrypton integrates with 6 providers: Entrust nShield (9 PQC algos, FIPS 140-3 Level 3, CAVP validated, FPGA acceleration), AWS KMS (ML-DSA-44/65/87), Azure Key Vault (ML-KEM + ML-DSA, FIPS 140-3 Level 3), Google Cloud KMS (ML-KEM-768, ML-DSA-65, SLH-DSA, X-Wing hybrid), Thales Luna HSM (ML-KEM + ML-DSA), and a built-in Software HSM for development/testing. All providers are FIPS 140-3 Level 3 validated.
Each API key belongs to a tenant and has a role. Tenants are isolated — keys can only access data within their own tenant. Four hierarchical roles: admin (40 permissions — manage tenants, users, all operations), manager (31 — manage keys/policies within tenant), analyst (18 — run scans, encrypt/decrypt), viewer (6 — read-only). Role escalation is prevented — a manager cannot create an admin key. The GET /api/whoami endpoint shows your current identity, tenant, role, and permissions.
No. All algorithms run on classical hardware. LSH-256, SHA3-256, AES-256-GCM, HPKE, and the BB84 QKD simulation use the Node.js built-in crypto module. For PQC operations (ML-KEM, ML-DSA), you connect to a FIPS 140-3 validated HSM via the provider abstraction. The Software HSM provides a local simulation for development. You interact via standard REST APIs — no quantum expertise required.
Three options: (A) Express middleware — app.use('/api', defenderMiddleware()) scans every request. (B) Library import — const { scanners, quantumCrypto } = require('qcrypton') for in-process use. (C) REST API client — new DefenderClient('http://localhost:3000', { apiKey: 'qk-...' }) for remote calls. All three support the same 55+ operations.
Yes. Post-quantum cryptography (PQC) provides quantum-resistant encryption based on hard mathematical problems such as lattices and hash functions. Algorithms like ML-KEM, ML-DSA, SLH-DSA, and FN-DSA (FALCON) are being standardized by NIST as practical, software-compatible replacements for today's public-key encryption methods. QCrypton supports ML-KEM, ML-DSA, and SLH-DSA via HSM integration, and implements additional quantum-safe primitives natively including LSH-256, HPKE with PSK mode, and BB84 QKD.
12 native modules. 55+ API endpoints. 2 npm dependencies. Zero external crypto libraries.
$ npm install qcrypton