Post-Quantum Encrypted Messaging, File Vault & Document Notary
Built on NIST FIPS-203 (ML-KEM) and FIPS-204 (ML-DSA) — the 2024 post-quantum standards
Live Service · PQCToolkit · PostQuantum.Tools · OnionMail · OnionDrive
PQCServer is a zero-knowledge post-quantum cryptography platform that lets anyone send end-to-end encrypted messages, store files in a permanent encrypted vault, and notarize documents — all using NIST-standardized post-quantum algorithms.
The server never sees your data. All cryptographic operations happen in the browser. The server stores only ciphertext it cannot decrypt.
onionsearchengine.com → Privacy-focused search engine
onionmail.org → Anonymous encrypted email
oniondrive.org → Encrypted cloud storage
pqcserver.com → Post-quantum encryption platform ← this repo
pqctoolkit.com → Standalone browser crypto tool
postquantum.tools → Educational hub
- End-to-end encryption with ML-KEM + AES-256-GCM
- Share via shortlink (pqcserver.com/m/xxxxxxxx) — paste anywhere
- Works in any email, chat, SMS — no app required for recipients
- Burn after read and configurable TTL
- Embeddable widget — one line of code for any website
- Permanent encrypted file storage with MongoDB GridFS
- No file size limits — chunked upload (3MB/chunk)
- Files encrypted in browser before upload
- Generate shareable shortlinks per file
- Share with specific usernames or via public link
- Hash document locally (SHA-256 + SHA-512) — file never leaves browser
- Sign with ML-DSA private key
- Server co-signs with its own ML-DSA key + timestamp
- Publicly verifiable Notary Receipt (JSON)
- Permanent URL: pqcserver.com/verify/NTR-xxxxxxxxxx
- Generate ML-KEM (encryption) + ML-DSA (signature) keypairs in browser
- Public keys stored on server — shareable profile pqcserver.com/u/username
- Private keys downloaded locally — never transmitted
- Auto-detect key variant from key length
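
The notary steps listed above (local hashing, a user signature, a server co-signature with a timestamp, a publicly verifiable JSON receipt) are traced end to end in this added example, which is not PQCServer's code. The receipt field names and the `NTR-EXAMPLE0001` id are assumptions, and Node's built-in Ed25519 stands in for ML-DSA so the block runs without a PQC library.

```javascript
// Added example. Ed25519 is a stand-in for ML-DSA; the receipt layout is assumed.
const nodeCrypto = require('node:crypto');

// Deterministic serialization (sorted keys) so signer and verifier sign the same bytes.
const canonical = (obj) => JSON.stringify(obj, Object.keys(obj).sort());
const hashHex = (alg, buf) => nodeCrypto.createHash(alg).update(buf).digest('hex');
const sign = (key, obj) =>
  nodeCrypto.sign(null, Buffer.from(canonical(obj)), key).toString('base64');
const verify = (key, obj, sig) =>
  nodeCrypto.verify(null, Buffer.from(canonical(obj)), key, Buffer.from(sig, 'base64'));

// Client: hash locally (the file itself is never sent), then sign the digests.
function clientSign(fileBytes, userPrivateKey) {
  const digests = { sha256: hashHex('sha256', fileBytes), sha512: hashHex('sha512', fileBytes) };
  return { ...digests, userSig: sign(userPrivateKey, digests) };
}

// Server: refuse to co-sign unless the user signature checks out against the profile key.
function serverCoSign(req, userPublicKey, serverPrivateKey, id, timestamp) {
  const digests = { sha256: req.sha256, sha512: req.sha512 };
  if (!verify(userPublicKey, digests, req.userSig)) throw new Error('user signature invalid');
  const body = { id, ...digests, userSig: req.userSig, timestamp };
  return { ...body, serverSig: sign(serverPrivateKey, body) };
}

// Verifier: anyone holding the file and both public keys can check the receipt.
function verifyReceipt(receipt, fileBytes, userPublicKey, serverPublicKey) {
  const { serverSig, ...body } = receipt;
  const digests = { sha256: body.sha256, sha512: body.sha512 };
  if (hashHex('sha256', fileBytes) !== digests.sha256 ||
      hashHex('sha512', fileBytes) !== digests.sha512) return 'hash-mismatch';
  if (!verify(userPublicKey, digests, body.userSig)) return 'bad-user-signature';
  if (!verify(serverPublicKey, body, serverSig)) return 'bad-server-signature';
  return 'valid';
}

// Constructed sample data: throwaway keys, a sample document, a fixed timestamp.
const user = nodeCrypto.generateKeyPairSync('ed25519');
const server = nodeCrypto.generateKeyPairSync('ed25519');
const doc = Buffer.from('constructed sample contract v1');
const receipt = serverCoSign(clientSign(doc, user.privateKey), user.publicKey,
  server.privateKey, 'NTR-EXAMPLE0001', '2026-01-01T00:00:00Z');
console.log(verifyReceipt(receipt, doc, user.publicKey, server.publicKey));
```
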
```
Browser (sender)     PQCServer             Browser (recipient)
│                        │                          │
│  ML-KEM encapsulate    │                          │
│  AES-256-GCM encrypt   │                          │
├──── ciphertext ───────►│  MongoDB stores          │
│◄─── shortlink ─────────│  encrypted envelope      │
│                        │                          │
│                        │◄── GET /m/:id ───────────│
│                        ├──── ciphertext ─────────►│
│                        │      ML-KEM decapsulate  │
│                        │     AES-256-GCM decrypt  │
│                        │          in browser ◄────│
│                        │  delete if burn=true     │
```
The server stores: encrypted JSON envelope, file chunks (GridFS), notary receipts
The server never sees: plaintext, private keys, decrypted content
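
The symmetric half of this flow as an added example, not PQCServer's code: a random 32-byte value stands in for the shared secret that ML-KEM encapsulate and decapsulate yield on each side. The envelope field names, the HKDF step and the use of the metadata as AES-GCM associated data are assumptions.

```javascript
// Added example. Envelope layout is assumed; no ML-KEM library is used here.
const nodeCrypto = require('node:crypto');

// Derive the AES-256 key from the 32-byte KEM shared secret (HKDF-SHA-256, assumed step).
const deriveKey = (sharedSecret) => Buffer.from(
  nodeCrypto.hkdfSync('sha256', sharedSecret, Buffer.alloc(0), 'example-envelope-v1', 32));

// Sender: encrypt in the "browser" and build the envelope that is uploaded.
// meta (variant, burn flag, TTL) is authenticated as AAD but stays readable by the server.
function seal(sharedSecret, kemCiphertext, plaintext, meta) {
  const iv = nodeCrypto.randomBytes(12); // fresh 96-bit nonce per message
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKey(sharedSecret), iv);
  cipher.setAAD(Buffer.from(JSON.stringify(meta)));
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return {
    meta, kem: kemCiphertext.toString('base64'), iv: iv.toString('base64'),
    ct: ct.toString('base64'), tag: cipher.getAuthTag().toString('base64'),
  };
}

// Recipient: returns the plaintext, or null if any stored field was altered in transit
// or at rest (GCM tag check covers ciphertext and metadata).
function open(sharedSecret, env) {
  try {
    const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', deriveKey(sharedSecret),
      Buffer.from(env.iv, 'base64'));
    decipher.setAAD(Buffer.from(JSON.stringify(env.meta)));
    decipher.setAuthTag(Buffer.from(env.tag, 'base64'));
    return Buffer.concat([decipher.update(Buffer.from(env.ct, 'base64')),
      decipher.final()]).toString('utf8');
  } catch { return null; }
}

// Constructed sample values: the secret and KEM ciphertext are random placeholders.
const sharedSecret = nodeCrypto.randomBytes(32);
const kemCiphertext = nodeCrypto.randomBytes(1088); // ML-KEM-768 ciphertext size
const stored = JSON.stringify(seal(sharedSecret, kemCiphertext, 'meet at noon',
  { alg: 'ML-KEM-768', burn: true, ttl: 3600 }));   // what the server would hold
console.log(open(sharedSecret, JSON.parse(stored)));  // recipient recovers the message
const flipped = JSON.parse(stored);
flipped.meta.burn = false;                            // metadata changed server-side
console.log(open(sharedSecret, flipped));             // rejected by the GCM tag check
```
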
| Layer | Technology |
|---|---|
| Web server | Nginx |
| Backend | PHP 8.3 |
| Database | MongoDB 7.0 + GridFS |
| Crypto (browser) | pqc — pure JS implementation of ML-KEM + ML-DSA |
| Symmetric encryption | AES-256-GCM (Web Crypto API) |
| File chunking | MongoDB GridFS (3MB chunks) |
| CDN/SSL | Cloudflare Flexible |
| Hashing | SHA-256 + SHA-512 (Web Crypto API) |
| Standard | Algorithm | Use |
|---|---|---|
| NIST FIPS-203 | ML-KEM (Kyber) 512/768/1024 | Key encapsulation, encryption |
| NIST FIPS-204 | ML-DSA (Dilithium) 44/65/87 | Digital signatures |
| NIST FIPS-205 | SLH-DSA (SPHINCS+) | Alternative signatures |
| — | AES-256-GCM | Symmetric encryption |
```
pqcserver/
├── config/
│   ├── db.php                    MongoDB connection + session management
│   └── server_keys.php           Server ML-DSA signing keys (env vars)
│
├── api/
│   ├── register.php              Create account
│   ├── login.php                 Login → session cookie
│   ├── logout.php                Destroy session
│   ├── session.php               Current user info
│   ├── update_keys.php           Save public keys to profile
│   ├── pubkey.php                Get public key by username
│   ├── store.php                 Save encrypted message → shortlink
│   ├── fetch.php                 Retrieve + burn ciphertext
│   ├── file_upload.php           Chunked GridFS upload
│   ├── file_download.php         Stream encrypted file from GridFS
│   ├── vault_upload.php          Register file in permanent vault
│   ├── vault_list.php            List vault files
│   ├── vault_delete.php          Delete vault file
│   ├── vault_share.php           Generate shortlink / share with user
│   ├── notary_sign.php           Sign document + server timestamp
│   ├── notary_verify.php         Public receipt verification
│   └── notary_list.php           User's notarized documents
│
├── public/
│   ├── index.html                Landing page
│   ├── register.html             Create account
│   ├── login.html                Login
│   ├── dashboard.html            User dashboard
│   ├── keygen.html               Generate keypairs + register profile
│   ├── encrypt.html              Encrypt message/file → shortlink
│   ├── vault.html                File vault dashboard
│   ├── vault_upload.html         Upload file to vault
│   ├── notary.html               Notary service landing
│   ├── sign.html                 Sign document
│   ├── verify.html               Verify receipt
│   ├── about.html                About + architecture
│   ├── m/index.html              Decrypt page (/m/:id)
│   ├── u/index.html              Public profile (/u/:username)
│   ├── verify/index.html         Receipt page (/verify/NTR-xxx)
│   ├── features/
│   │   ├── messaging.html        Messaging feature landing
│   │   └── vault.html            Vault feature landing
│   ├── sitemap.xml
│   ├── robots.txt
│   └── assets/
│       ├── style.css             Global dark theme
│       ├── auth.js               Client session management
│       ├── crypto.js             ML-KEM + ML-DSA + GridFS crypto module
│       ├── gridfs.js             Chunked upload/download helpers
│       ├── seo.js                Open Graph + Schema.org injection
│       └── widget.js             Embeddable encrypt widget
│
├── scripts/
│   ├── cleanup.py                Daily cleanup + stats (cron)
│   └── generate_server_keys.php  One-time server key generation
│
├── mongo_indexes.js              MongoDB indexes setup
├── nginx.conf                    Nginx virtual host config
├── composer.json                 PHP dependencies
├── install.sh                    Automated install script
├── INSTALL.md                    Manual installation guide
├── SECURITY.md                   Security policy + vulnerability reporting
└── CONTRIBUTING.md               Contribution guidelines
```
Automated (recommended):

```bash
git clone https://github.com/onionsearchengine/pqcserver.git
cd pqcserver
chmod +x install.sh
sudo bash install.sh
```

Requirements: Ubuntu 22.04/24.04 · PHP 8.3 · MongoDB 7.0 · Nginx · Composer
See INSTALL.md for the complete manual installation guide.
Add post-quantum encryption to any website with one line:

```html
<!-- Known recipient -->
<script src="https://pqcserver.com/assets/widget.js"
        data-recipient="alice_smith"></script>

<!-- Unknown recipient — user picks -->
<script src="https://pqcserver.com/assets/widget.js"></script>

<!-- Direct public key -->
<script src="https://pqcserver.com/assets/widget.js"
        data-pubkey="BASE64_ML_KEM_PUBLIC_KEY"></script>
```

The widget opens an inline modal with a 3-step flow: recipient → message → shortlink.
No redirect, no new tab, no installation required for the recipient.
| Method | Endpoint | Auth | Description |
|---|---|---|---|
| POST | /api/register.php | — | Create account |
| POST | /api/login.php | — | Login |
| GET | /api/session.php | — | Session info |
| POST | /api/update_keys.php | ✓ | Save public keys |
| GET | /api/pubkey.php?u=user | — | Get public key |
| POST | /api/store.php | — | Save ciphertext → shortlink |
| GET | /api/fetch.php?id=xxx | — | Retrieve + burn message |
| POST | /api/file_upload.php | — | Upload encrypted chunk |
| GET | /api/file_download.php?id=xxx | — | Stream encrypted file |
| POST | /api/vault_upload.php | ✓ | Add file to vault |
| GET | /api/vault_list.php | ✓ | List vault files |
| DELETE | /api/vault_delete.php | ✓ | Delete vault file |
| POST | /api/vault_share.php | ✓ | Share vault file |
| POST | /api/notary_sign.php | ✓ | Notarize document |
| GET | /api/notary_verify.php?id=xxx | — | Verify receipt |
After installation, generate the server's ML-DSA signing keys (required for Notary):

```bash
php scripts/generate_server_keys.php
```

Set the output as environment variables:

```bash
export PQCS_SERVER_DSA_SECRET="base64..."
export PQCS_SERVER_DSA_PUBLIC="base64..."
```

All cryptographic operations happen client-side in the browser.
The server only stores ciphertext it cannot decrypt.
To report a vulnerability, see SECURITY.md.
We welcome contributions! See CONTRIBUTING.md for guidelines.
Areas where help is especially welcome:
- Security audit of the cryptographic implementation
- PHP / MongoDB performance improvements
- Additional language support (i18n)
- Mobile-friendly UI improvements
- Integration examples (onionmail, other privacy tools)
GNU Affero General Public License v3.0 (AGPL-3.0)
Copyright © 2026 OnionSearchEngine LLC
This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
See LICENSE for full text.
| Project | Description |
|---|---|
| OnionMail | Anonymous encrypted email |
| OnionDrive | Encrypted cloud storage |
| PQCToolkit | Standalone browser PQC tool |
| PostQuantum.Tools | Educational hub |
| OnionSearchEngine | Privacy search engine |
Made with ❤️ by OnionSearchEngine LLC
pqcserver.com · postquantum.tools
