PQCS L+ — Post-Quantum Security MCP

Module 01 · Digital ID

Dilithium3 signing & verification

Generate a quantum-resistant identity, sign a message with the secret key, verify with the public key.

Public key (base64)Secret key (base64)MessageSignature (base64)

Export / Import

include secret

Exported JWKPaste JWK or PEM to import

Module 02 · KEM

ML-KEM-768 shared secret

Recipient generates a keypair. Sender encapsulates to the public key. Both derive the same shared secret.

Recipient public key (base64)Recipient secret key (base64)Ciphertext (base64)

Sender shared secretReceiver shared secret

Secure channel · AES-256-GCM(shared secret)

Plaintext

IV (base64)Ciphertext (base64)

Verify HTTP API

Public signature verification endpoint

Stateless POST /api/public/verify for third parties to verify a PQCS L+ Digital ID signature. CORS-enabled, no auth.

uses current public key, message & signature

curl -X POST $ORIGIN/api/public/verify \
  -H 'Content-Type: application/json' \
  -d '{"publicKey":"<b64>","message":"hello","signature":"<b64>"}'

# → {"algorithm":"ML-DSA-65 (Dilithium3)","valid":true}

MCP Server

Connect any MCP client

Streamable HTTP transport. Six tools exposed:

· pqcs_id_keygen
· pqcs_kem_keygen
· pqcs_id_sign
· pqcs_kem_encapsulate
· pqcs_id_verify
· pqcs_kem_decapsulate

curl -X POST $ORIGIN/api/mcp \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json, text/event-stream' \
  -d '{"jsonrpc":"2.0","id":1,"method":"tools/list"}'