The web security landscape is about to change dramatically.
For years, modern cryptography has relied on algorithms like RSA and elliptic-curve cryptography (ECC). They are battle-tested and secure against classical computers — but quantum computing changes the equation entirely.
Once large-scale quantum computers become practical, many of today’s public-key systems will become vulnerable.
That future may still be years away, but encrypted data stolen today can still be decrypted later.
This is why post-quantum cryptography (PQC) matters now.
And yet, if you are a JavaScript or TypeScript developer, the ecosystem for PQC is still surprisingly small.
That’s why I built Paranoia.ts.
What is Paranoia.ts?
Paranoia.ts is a TypeScript-first cryptography library designed for frontend and full-stack applications that need:
- End-to-end encryption (E2EE)
- Post-quantum resistance
- Optimization
The goal is simple:
Make post-quantum encryption practical and accessible for JavaScript developers.
Repositories:
Why hybrid cryptography matters
One of the biggest problems in modern PQC adoption is uncertainty.
Post-quantum algorithms are newer than classical cryptographic systems. While they are standardized and heavily researched, they do not yet have the same decades-long track record as ECC.
So Paranoia.ts does not force developers to choose between classical cryptography and post-quantum cryptography.
It combines both.
The library currently uses:
- ML-KEM-1024 (NIST FIPS 203)
- P-521 ECDH
- HKDF-SHA-384
- AES-256-GCM
The key idea is hybrid security:
| Scenario | Classical ECC | PQC only | Paranoia.ts |
|---|---|---|---|
| Classical attacker | ✅ | ⚠️ | ✅ |
| Quantum attacker | ❌ | ✅ | ✅ |
| PQC algorithm weakness | ❌ | ❌ | ✅ |
| ECC weakness | ✅ | ❌ | ✅ |
In practice:
An attacker would need to break both ML-KEM-1024 and P-521 simultaneously to recover plaintext.
That significantly improves resilience against future uncertainty.
Example: Post-Quantum E2EE in TypeScript
The library is intentionally designed to feel simple.
import { Paranoia } from 'paranoia-ts';
const paranoia = new Paranoia();
// Generate hybrid ML-KEM + P-521 keypair
const keyPair = await paranoia.generateKeyPair();
// Encrypt
const sealed = await paranoia.sealTo(
new TextEncoder().encode('Top secret message'),
keyPair.publicKey
);
// Decrypt
const plain = await paranoia.unsealWith(sealed, keyPair);
console.log(new TextDecoder().decode(plain));
The objective is to expose advanced cryptography through a developer-friendly API without sacrificing transparency.
Beyond PQC: Experimental security features
Paranoia.ts also explores ideas that are still relatively uncommon in web cryptography libraries.
Some are experimental by design.
Webcam-based TRNG
One of the most unusual features in the project is webcam entropy generation.
The library can harvest webcam sensor noise and pixel variation as an additional entropy source.
const stream = await navigator.mediaDevices.getUserMedia({ video: true });
await paranoia.enableWebcamEntropy(stream);
Internally:
- Pixel noise is sampled from webcam frames
- Data is hashed with SHA3-256
- Mixed into the CSPRNG pool via HMAC
This does not replace the browser’s cryptographically secure RNG.
Instead, it augments entropy generation for environments where additional randomness is desirable.
WebAuthn PRF integration
Another major feature is WebAuthn PRF support.
This enables hardware-backed key unlocking using:
- Biometrics
- Security keys
- Platform authenticators
The result is a workflow where users can unlock encrypted keypairs with a fingerprint or security key rather than repeatedly entering passwords.
const { credentialId, prfKey } = await registerWebAuthnPRF();
await storeKeyPair(keyPair, prfKey, 'my-key');
This brings together:
- WebAuthn
- Browser-native crypto
- Post-quantum encryption
- Secure local storage
…inside a single TypeScript library.
Security philosophy
One thing I want to make explicit:
Paranoia.ts does not pretend JavaScript is a perfect environment for high-assurance cryptography.
The README openly documents limitations such as:
- Garbage collector memory copying
- Non-wipeable JS strings
- Browser implementation constraints
The project tries to balance:
- Practicality
- Browser compatibility
- Transparency
- Defense in depth
Security tooling should be honest about tradeoffs.
Reference implementation
To demonstrate real-world usage, I also built a complete encrypted messaging application using Paranoia.ts:
It demonstrates:
- End-to-end encrypted chat
- Hybrid PQC encryption
- WebAuthn biometric unlock
- Secure key storage
- Full-stack integration
Stack:
- React
- NestJS
- Docker
- TypeScript
Looking for contributors
This project is still early, and there is a lot to build.
I am currently looking for contributors interested in:
Security
- Cryptographic review
- Threat modeling
- Side-channel analysis
- Security auditing
- Protocol analysis
Engineering
- WebAssembly optimization
- Browser compatibility
- Performance improvements
- DX improvements
- Test coverage
- API design
Research & experimentation
- Additional PQC algorithms
- Better entropy collection
- Secure memory handling
- Hardware integration
- Advanced WebAuthn flows
Why contribute?
PQC is going to become one of the defining security challenges of the next decade.
JavaScript applications will eventually need:
- Quantum-resistant encryption
- Browser-native secure key management
- Better client-side cryptography
The ecosystem around this is still very small.
This is an opportunity to help shape what post-quantum cryptography tooling looks like for the web.
All contributors will be publicly credited.
Final thoughts
I believe the future of web security will require:
- Hybrid cryptography
- Hardware-backed authentication
- Better entropy systems
- Developer-friendly APIs
- Open-source collaboration
Paranoia.ts is an attempt to explore that future.
If this sounds interesting to you, feel free to contribute, review the code, open issues, or simply share feedback.
Repositories:
- https://github.com/mateocallec/paranoia.ts
- https://www.npmjs.com/package/paranoia-ts
- https://www.npmjs.com/package/paranoia-cli
I’d love to hear thoughts from other developers and security researchers working in this space.
Top comments (0)