Building a Post-Quantum E2EE Library: Introducing Paranoia.ts (searching contributors)

Matéo Callec — Fri, 15 May 2026 09:55:49 +0000

The web security landscape is about to change dramatically.

For years, modern cryptography has relied on algorithms like RSA and elliptic-curve cryptography (ECC). They are battle-tested and secure against classical computers — but quantum computing changes the equation entirely.

Once large-scale quantum computers become practical, many of today’s public-key systems will become vulnerable.

That future may still be years away, but encrypted data stolen today can still be decrypted later.

This is why post-quantum cryptography (PQC) matters now.

And yet, if you are a JavaScript or TypeScript developer, the ecosystem for PQC is still surprisingly small.

That’s why I built Paranoia.ts.

What is Paranoia.ts?

Paranoia.ts is a TypeScript-first cryptography library designed for frontend and full-stack applications that need:

End-to-end encryption (E2EE)
Post-quantum resistance
Optimization

The goal is simple:

Make post-quantum encryption practical and accessible for JavaScript developers.

Repositories:

GitHub: https://github.com/mateocallec/paranoia.ts
NPM: https://www.npmjs.com/package/paranoia-ts

Why hybrid cryptography matters

One of the biggest problems in modern PQC adoption is uncertainty.

Post-quantum algorithms are newer than classical cryptographic systems. While they are standardized and heavily researched, they do not yet have the same decades-long track record as ECC.

So Paranoia.ts does not force developers to choose between classical cryptography and post-quantum cryptography.

It combines both.

The library currently uses:

ML-KEM-1024 (NIST FIPS 203)
P-521 ECDH
HKDF-SHA-384
AES-256-GCM

The key idea is hybrid security:

Scenario	Classical ECC	PQC only	Paranoia.ts
Classical attacker	✅	⚠️	✅
Quantum attacker	❌	✅	✅
PQC algorithm weakness	❌	❌	✅
ECC weakness	✅	❌	✅

In practice:

An attacker would need to break both ML-KEM-1024 and P-521 simultaneously to recover plaintext.

That significantly improves resilience against future uncertainty.

Example: Post-Quantum E2EE in TypeScript

The library is intentionally designed to feel simple.

import { Paranoia } from 'paranoia-ts';

const paranoia = new Paranoia();

// Generate hybrid ML-KEM + P-521 keypair
const keyPair = await paranoia.generateKeyPair();

// Encrypt
const sealed = await paranoia.sealTo(
  new TextEncoder().encode('Top secret message'),
  keyPair.publicKey
);

// Decrypt
const plain = await paranoia.unsealWith(sealed, keyPair);

console.log(new TextDecoder().decode(plain));

The objective is to expose advanced cryptography through a developer-friendly API without sacrificing transparency.

Beyond PQC: Experimental security features

Paranoia.ts also explores ideas that are still relatively uncommon in web cryptography libraries.

Some are experimental by design.

Webcam-based TRNG

One of the most unusual features in the project is webcam entropy generation.

The library can harvest webcam sensor noise and pixel variation as an additional entropy source.

const stream = await navigator.mediaDevices.getUserMedia({ video: true });

await paranoia.enableWebcamEntropy(stream);

Internally:

Pixel noise is sampled from webcam frames
Data is hashed with SHA3-256
Mixed into the CSPRNG pool via HMAC

This does not replace the browser’s cryptographically secure RNG.

Instead, it augments entropy generation for environments where additional randomness is desirable.

WebAuthn PRF integration

Another major feature is WebAuthn PRF support.

This enables hardware-backed key unlocking using:

Biometrics
Security keys
Platform authenticators

The result is a workflow where users can unlock encrypted keypairs with a fingerprint or security key rather than repeatedly entering passwords.

const { credentialId, prfKey } = await registerWebAuthnPRF();
await storeKeyPair(keyPair, prfKey, 'my-key');

This brings together:

WebAuthn
Browser-native crypto
Post-quantum encryption
Secure local storage

…inside a single TypeScript library.

Security philosophy

One thing I want to make explicit:

Paranoia.ts does not pretend JavaScript is a perfect environment for high-assurance cryptography.

The README openly documents limitations such as:

Garbage collector memory copying
Non-wipeable JS strings
Browser implementation constraints

The project tries to balance:

Practicality
Browser compatibility
Transparency
Defense in depth

Security tooling should be honest about tradeoffs.

Reference implementation

To demonstrate real-world usage, I also built a complete encrypted messaging application using Paranoia.ts:

https://github.com/mateocallec/paranoia-messaging

It demonstrates:

End-to-end encrypted chat
Hybrid PQC encryption
WebAuthn biometric unlock
Secure key storage
Full-stack integration

Stack:

React
NestJS
Docker
TypeScript

Looking for contributors

This project is still early, and there is a lot to build.

I am currently looking for contributors interested in:

Security

Cryptographic review
Threat modeling
Side-channel analysis
Security auditing
Protocol analysis

Engineering

WebAssembly optimization
Browser compatibility
Performance improvements
DX improvements
Test coverage
API design

Research & experimentation

Additional PQC algorithms
Better entropy collection
Secure memory handling
Hardware integration
Advanced WebAuthn flows

Why contribute?

PQC is going to become one of the defining security challenges of the next decade.

JavaScript applications will eventually need:

Quantum-resistant encryption
Browser-native secure key management
Better client-side cryptography

The ecosystem around this is still very small.

This is an opportunity to help shape what post-quantum cryptography tooling looks like for the web.

All contributors will be publicly credited.

Final thoughts

I believe the future of web security will require:

Hybrid cryptography
Hardware-backed authentication
Better entropy systems
Developer-friendly APIs
Open-source collaboration

Paranoia.ts is an attempt to explore that future.

If this sounds interesting to you, feel free to contribute, review the code, open issues, or simply share feedback.