Implementation
Technical steps to implement the API
Last updated
Technical steps to implement the API
Last updated
This is the ExeQuantum API for post quantum encryption. It uses ML-KEM for key encapsulation, as it was the NIST's choice for its post quantum security standardization competition.
It also utilizes its digital signature counterpart, ML-DSA, to digitally sign the key and verify its origin.
Unlike other algorithms like RSA, ML-KEM doesn't perform the encryption per se. Rather, it uses key encapsulation to generate a shared secret for symmetric encryption-decryption.
If you want to test the API for yourself before doing anything, feel free to clone and check it out. See for yourself how you can implement ML-KEM in 50 lines of code!
End to End Encryption
TLS
Symmetric Encryption
Message verification
Blockchain/Cryptocurrency proof of ownership
PQCaaS uses an authentication token to allow calls into our API. When you sign up, you'll get a root token that does not expire (unless you reset it). It will appear in your dashboard, hidden until you choose to expose it, like so:
You can also copy it without showing it, if you need extra privacy.
It is highly recommended that you only use this token from secure environments, and only use temporary (ideally single use) tokens when making calls from more exposed environments like frontend. Steps to generate a temporary tokens will be described later in this documentation.
Below that, you'll see the dashboard that shows your API usage for the month. Keep an eye on it to track your usage.
In order to avoid overusing your sensitive authorization token, it's recommended to generate a temporary token that can be used for API calls.
You'll have to use the auth token for this call, so make sure to do it in a secure environment (i.e. backend)
This would be especially recommended when the API has to be called at areas where it has to be exposed to clients (i.e. frontend).
You can still use the auth token from your dashboard, at your own discretion.
You can determine how long the token should persist for (in seconds) through the expiry_time parameter. The default is 300 seconds or 5 minutes.
It's recommended to keep it relatively short (i.e. the average length of a session on your app) and handle switching as needed.
The token also has a limited number of times that it can get called. By default it's 1 attempt per token, and it's highly recommended
to keep it at 1, just to encapsulate the key in the frontend, but if you have to, you can set the number of retries allowed with the
parameter expire_after_attempts.
This generates a key pair that gets sent over for encapsulation and decapsulation. The secret key gets encrypted before being sent over, and can only be used by us.
The verification key and signature are necessary for the ML-DSA signature on the public key to prevent tampering. The private signature key does not need to be shared for verification.
Person A will sent the public key, verification key and verification signature to person B, while keeping the secret key secured with themselves.
This API endpoint generates a shared secret that will be used for symmetric encryption. It should not be shared.
The cipher and the encrypted secret key can be sent back for the key decapsulation.
This API point generates the same shared secret. The cipher and secret keys are used for it.
Now that both sides of the communications have a secured shared secret, the secure communication can commence.
It is recommended to use AES256 for the encryption and decryption, as they're considered Quantum secure.
AES encryption and decryption are offered as API endpoints for free (Key generation and encapsulations are $1 per 4,000 requests), but you can feel free to use your own encryption.
This API call encrypted the message. Now to decrypt, the decryptor can just use the shared secret created by ML-KEM to decrypt the message.
From the endpoint, you get the generated signature and the public key that is used to verify the signature, as well as the secret key used to generate it.
The data, public key and signature should be sent over to person B, while person A needs to keep the secret key secure.
The verified data will indicate whether the signature is valid. It returns false is the signature or data was tampered with and true if it's all good.
That's basically it for the dashboard. Now we can begin the integration steps. If you want to learn a bit more the high level overview of how ML-KEM and ML-DSA work, please refer to the page.
And that's it! You got your Quantum secure communication channel. If you want to learn more, feel free to .
To see the terms and conditions of our API .
Parameters: expiry_time (optional), expire_after_attempts (optional)
Headers: Authorization token
Response: { 'new_token': string }
Documentation: This API endpoint generates a temporary token, that lasts a set amount of time and can be used for a set amount of attempts.
3001No content
Parameters: None
Headers: Authorization token
Response: { 'pk': string, 'verification_key': string }
Documentation: This API endpoint generates a key pair, a public key (pk) and a secret key (sk). It also generates a verification key and a signature for digital verification purposes. The public key can be sent over to the message sender for encapsulation. The secret key gets stored privately for later retrieval.
Successful Response
No content
Body: pk, signature, verif_key
Headers: Authorization token
Response: { 'cipher': string, 'shared_key': string }
Documentation: This API endpoint uses the public key to encapsulate the key, which generates a random cipher and a shared secret. The cipher can be sent back to the message sender to use for decapsulation.
No content
Parameters: cipher, pk
Headers: Authorization token
Response: { 'shared_key': string }
Documentation: This API endpoint uses the the random cipher to generate a shared secret. If done correctly, this shared secret will now be only in the possession of the message sender and receiver and can be used as a symmetrical key to encrypt and decrypt any further data communication.
No content