Post-Quantum Cryptography Libraries

Signal-Android is an end-to-end encrypted messaging platform designed to ensure that only the sender and recipient can access communication content. The project provides a comprehensive framework for secure, asynchronous message initiation and key agreement, allowing users to establish private channels without requiring simultaneous online presence. It relies on a state machine architecture to manage communication epochs and authentication, ensuring consistent security transitions throughout the messaging lifecycle. The platform distinguishes itself through a hybrid cryptographic approach that combines multiple mathematical protocols to defend against potential security compromises. It implements advanced ratcheting mechanisms to provide forward secrecy and automatic recovery from breaches, while incorporating quantum-resistant layers to protect against future computing threats. Furthermore, the system supports secure multi-device synchronization, enabling users to maintain consistent identity keys and session history across multiple hardware devices. Beyond its core messaging capabilities, the project includes robust mechanisms for data integrity and transmission reliability. It utilizes erasure-coded chunking to ensure that large data packets can be reconstructed over unstable network connections and employs deterministic elliptic curve signing to verify message authenticity. The system also manages session lifecycles by rotating keys and expiring inactive connections to minimize windows of vulnerability.

Anoma is a distributed operating system designed to abstract the complexities of blockchain networks into a unified interface for cross-chain coordination. At its core, the platform utilizes a resource-based state machine and an intent-centric execution model, where user-defined goals are processed and settled by decentralized solvers rather than through direct, manual execution. This architecture enables the creation of applications that operate across heterogeneous distributed networks while maintaining a consistent developer and user experience. The platform distinguishes itself through a privacy-preserving framework that leverages zero-knowledge proofs to hide transaction details, sender identities, and asset amounts on public ledgers. Security is managed through hardware-backed passkeys, which derive hierarchical cryptographic keyrings in session memory to eliminate the need for persistent local storage. Furthermore, Anoma employs protocol adapters—smart contracts deployed to external chains—to act as secure gateways for cross-chain asset interoperability and shielded transaction management. The system includes a comprehensive toolkit for building decentralized applications, featuring high-performance cryptographic operations executed via WebAssembly modules. Developers can access diagnostic utilities like the Anoma Explorer to monitor protocol activity, indexed transactions, and resource logic. The infrastructure also supports private resource retrieval through discovery-key-based indexing, ensuring that encrypted data is routed securely to the appropriate user keyring. Documentation and developer resources include practical tutorials for building applications, such as guides for implementing passkey-based identity management and shielded token deposit workflows.

Signal-Desktop is a cross-platform messaging application that provides end-to-end encrypted communication. It implements the Signal Protocol to secure messages and voice calls, ensuring that only intended recipients can access content. The application manages asynchronous key exchange and session initialization to maintain secure communication channels between parties who are not online simultaneously. The project distinguishes itself through advanced cryptographic protections, including hybrid post-quantum security that combines classical elliptic curve cryptography with lattice-based algorithms to defend against future decryption threats. It further protects user privacy by obfuscating message headers with rotating keys, which prevents traffic analysis and the correlation of conversation participants. To ensure reliability over constrained networks, the application utilizes erasure-coded data transmission to reconstruct messages despite potential packet loss. The software provides comprehensive data management and synchronization capabilities, allowing users to link desktop clients to mobile accounts for consistent conversation history. It secures local data through encrypted message archives and provides automated lifecycle management to handle message retention. The application also includes robust identity verification mechanisms, enabling users to authenticate correspondents via public key fingerprint comparison to prevent impersonation.

This project is a comprehensive cryptographic toolkit that provides a collection of standard security algorithms and protocols for implementing data encryption and network communication. It serves as a foundational library for securing software applications through a wide range of cryptographic functions. The architecture is defined by a modular provider system that allows for the dynamic loading of external cryptographic implementations without requiring modifications to the core application binary. It supports metadata-driven algorithm querying, which resolves security primitives by matching requested properties against available provider capabilities. Furthermore, the library enables the creation of isolated security contexts, allowing different application components to maintain independent configuration states and security parameters within the same process. The toolkit includes support for FIPS-validated module encapsulation, which restricts cryptographic operations to a hardened boundary to meet strict government and industry compliance standards. It also utilizes a dispatch-table abstraction to decouple high-level security requests from underlying algorithm logic. Comprehensive technical documentation is available to assist with security operations, migration, and compliance validation.

Signal-iOS is an encrypted messaging client that provides secure communication for voice calls, media, and text. It functions as a complete implementation of the Signal Protocol, utilizing end-to-end encryption to ensure that only intended recipients can access transmitted data. The application distinguishes itself through the integration of advanced cryptographic standards, including the use of elliptic curve cryptography for identity verification and digital signature validation. It employs a double ratchet key exchange mechanism to rotate encryption keys for every individual message, ensuring forward secrecy. Furthermore, the client incorporates post-quantum key encapsulation to protect communications against future decryption threats from large-scale quantum computers. Beyond its core messaging capabilities, the project maintains consistent security states across multiple linked devices through a synchronization mechanism that distributes encrypted key material. All local message history and metadata are protected by persistent database encryption managed by the operating system. The software is distributed as a native application for the iOS platform.

Cosmos SDK is a modular blockchain application framework and software development kit used to build sovereign layer-one networks. It provides a foundation for creating customizable blockchains featuring native interoperability, sovereign governance, and Byzantine Fault Tolerant consensus engines. The framework is distinguished by its inter-blockchain communication protocol, which enables the transfer of byte-encoded data and digital assets between independent blockchain networks. It supports multiple consensus models, including Proof of Stake and Proof of Authority, and allows for the integration of diverse virtual machines to execute smart contracts. The SDK covers a broad range of capabilities, including typed state management, on-chain proposal governance, account and key management, and validator stake slashing. It also includes developer tooling for transaction simulation, binary compilation, and the orchestration of containerized test networks. Observability is integrated through structured logging and telemetry data export via OpenTelemetry.

This project is a command-line tool that automates the entire lifecycle of security certificates using standard domain validation protocols. It functions as a background service to manage the issuance, renewal, and installation of certificates, ensuring that encrypted web traffic remains active without requiring manual intervention. The tool distinguishes itself through extensive support for automated domain ownership verification, including the ability to issue wildcard certificates by programmatically interacting with external domain name system providers. It provides flexible validation options, such as using a temporary, ephemeral web server to handle challenges in isolated environments, which allows for certificate generation without needing an existing web server or active website. Beyond issuance, the system includes robust deployment capabilities that integrate directly with server environments. Through customizable hooks, it can automatically update server configuration files and reload services to apply new cryptographic assets immediately upon renewal. The software is built as a modular collection of POSIX-compliant scripts that leverage standard system utilities and support various cryptographic key types to meet diverse security requirements.

NetBird is a zero-trust networking platform that builds secure, encrypted peer-to-peer overlay networks using the WireGuard protocol. It functions as a software-defined perimeter, connecting distributed infrastructure across cloud environments and physical locations while hiding network resources from the public internet. By integrating with external identity providers, the platform enforces granular access control and identity-based segmentation for every user and device. The platform distinguishes itself through extensive automation and programmatic management capabilities. It provides a centralized control plane for orchestrating network resources, automating device enrollment, and managing peer lifecycles at scale. Administrators can define complex routing policies, manage internal DNS resolution, and expose services securely without manual firewall modifications. The system also supports advanced security postures, including post-quantum cryptography, compliance-based access enforcement, and integration with endpoint security platforms to isolate non-compliant devices. Beyond core connectivity, the project offers a comprehensive suite of tools for infrastructure management, including support for hybrid cloud bridging, Kubernetes cluster integration, and multi-tenant administrative scoping. It provides deep observability through traffic event streaming, network topology visualization, and diagnostic utilities. The software is designed for flexible deployment, offering headless agents for servers, containerized sidecars for orchestration environments, and support for mobile and desktop operating systems.

Ente is a privacy-focused platform for end-to-end encrypted storage and two-factor authentication management. It functions as a zero-knowledge identity provider, ensuring that all cryptographic operations, key derivation, and data encryption occur locally on the user's device. By maintaining this architecture, the service provider remains unable to access or decrypt any stored personal information or authentication credentials. The platform distinguishes itself through a combination of on-device intelligence and resilient data distribution. It utilizes a local machine learning engine to perform resource-intensive tasks such as semantic image searching and facial recognition directly on the user's hardware, ensuring that sensitive visual data never leaves the device. To guarantee high availability and data permanence, the system replicates encrypted information across multiple independent cloud providers and geographic regions, protecting against provider outages or regional failures. Beyond its core storage and security capabilities, the project includes sophisticated resource scheduling that monitors device telemetry to manage background processing tasks efficiently. It also provides a comprehensive authentication manager that supports secure token imports and offline operation, allowing users to maintain control over their credentials with or without cloud synchronization.

This project is a cross-platform credential management suite designed to store sensitive information in encrypted local databases. It functions as a secure desktop application that provides a unified environment for organizing secrets, generating passwords, and managing multi-factor authentication tokens. By utilizing industry-standard file formats, the application ensures that stored credentials remain secure and interoperable across different operating systems. The software distinguishes itself through deep integration with hardware-backed security and system-level services. It supports physical security tokens for challenge-response authentication, requiring hardware-based verification to unlock databases. Additionally, the application features an automated bridge for browser extensions to facilitate form filling and credential retrieval, alongside a system agent integration that dynamically manages SSH keys based on the current lock state of the database. Beyond core credential storage, the project includes a modular engine for performing administrative tasks such as security audits and data migrations. It also supports secondary protection layers, allowing users to require specific key files alongside master passwords to authorize access. The development process relies on containerized build environments to ensure consistent and reproducible native binaries for Windows, macOS, and Linux.

This project is a C++ SDK and command-line interface designed for executing smart contract operations and managing blockchain wallet transactions. It functions as a toolkit for deploying and administering smart contract wallets through direct blockchain calls. The software incorporates a quantum-resistant cryptography library to generate and implement signatures designed to protect transactions against quantum computing threats. The SDK covers blockchain contract automation and administrative tooling, enabling the invocation of smart contract functions, fund transfers, and the automation of wallet deployment tasks.

mkcert is a command-line utility designed to simplify local development by generating and managing locally-trusted development certificates. It creates a unique, self-signed root certificate authority on the local machine, which serves as a trusted source for issuing development credentials. By automating the generation of these certificates, the tool enables secure encrypted connections that browsers and operating systems accept without security warnings. The utility distinguishes itself by automatically configuring local trust stores, programmatically injecting the generated root certificate into system and browser databases. It supports complex development workflows through environment-variable-based configuration, allowing users to manage multiple certificate authorities across different projects and specify custom storage paths. This infrastructure ensures consistent security across diverse environments, including support for mobile device trust and remote machine installation. Beyond standard HTTPS testing, the tool provides capabilities for generating secure email certificates and integrating with specific application runtimes. It handles the underlying cryptographic key material generation and cross-platform path resolution required to maintain trust across various operating systems and development environments.

AdguardFilters is a collection of curated adblock filter lists, content blocking rulesets, and DNS blocklists. Its primary purpose is to provide the rules necessary to identify and remove advertisements, tracking scripts, and intrusive elements across web browsers and applications. The project includes specialized rules for cosmetic filtering to hide layout gaps and a malware domain database to block phishing and spyware destinations. It provides distinct filtering sets for different regions and purposes, such as social media blocking. The repository covers broad capability areas including malware and phishing defense, parental content control, and web privacy protection through the blocking of telemetry and analytics. It also provides rules for web content modification, such as restoring disabled page actions and suppressing site annoyances. The filter lists are organized using preprocessor directives and support delta-based updating to reduce bandwidth.

Nanoid is a library for generating unique, fixed-length identifiers designed for distributed systems and database indexing. It produces compact, URL-safe strings by mapping random byte values to a custom character set, allowing for consistent memory allocation and predictable indexing performance across independent nodes without the need for central coordination. The library distinguishes itself by utilizing system-level, cryptographically secure entropy sources to ensure that every generated identifier is statistically unpredictable. This approach provides resistance against collision attacks, making the output suitable for sensitive security contexts such as session tokens or temporary access keys. Beyond core generation, the project includes analytical utilities that allow developers to calculate collision probabilities based on identifier length and character set size. This ensures data integrity in environments where large volumes of unique keys are required. The library is distributed as a lightweight utility package compatible with various JavaScript environments.

rustls is a memory-safe implementation of the Transport Layer Security protocol written in Rust. It provides a cryptographic stack for secure network communication, supporting both TLS 1.3 and 1.2 standards for client and server implementations. The project is designed as a modular cryptographic library that allows swapping underlying cryptographic backends and primitive providers to meet specific security or performance requirements. It incorporates a post-quantum cryptography stack, utilizing hybrid key exchanges and signatures to protect data against future quantum computing threats. The library includes capabilities for secure connection management, client authentication via digital certificates or raw public keys, and OS-delegated trust verification. It further implements latency optimizations such as zero round-trip time handshakes, certificate compression, and early data transmission. Quality is maintained through protocol compliance validation, fuzz testing, and performance benchmarking.

The framework is a comprehensive penetration testing platform designed for the development, testing, and execution of security exploits. It serves as a research toolkit and automated assessment environment, enabling security professionals to identify and validate vulnerabilities within networked systems and infrastructure through repeatable, standardized procedures. The platform distinguishes itself through a modular architecture that supports reflective payload injection, allowing for the execution of code directly in memory without writing to disk. It utilizes an asynchronous event loop to manage high-performance, concurrent network connections and features a transport-agnostic communication layer that abstracts protocols to maintain persistent command and control. Users can extend the core functionality through a plugin system and define complex exploit logic using a domain-specific language. The framework provides robust capabilities for remote payload management, including the configuration of network settings like sleep intervals and timeout thresholds. It maintains state persistence across long-running sessions by storing discovered host information and vulnerability data in a relational database. The software is designed for cross-platform deployment, with installation support available for Linux, macOS, and Windows environments.

Boulder is a production-grade implementation of the ACME (Automated Certificate Management Environment) protocol, built around the same infrastructure that powers Let's Encrypt. It functions as a full certificate authority that automates the issuance, renewal, and revocation of TLS certificates, supporting multiple key algorithms including RSA, ECDSA, and experimental post-quantum ML-DSA keys. The project distinguishes itself through its multi-algorithm PKI hierarchy, which builds separate RSA and ECDSA root chains with cross-signing to support dual-algorithm trust paths. It includes a CRL-based revocation model that generates and publishes Certificate Revocation Lists to S3-compatible storage for offline revocation checking, and implements gRPC service authentication by issuing per-service certificates with multiple Subject Alternative Names for internal microservice communication. Private keys are managed through SoftHSM, a software PKCS#11 module that provides hardware-like security without requiring physical HSM hardware. Boulder provides a complete certificate lifecycle management system, handling domain ownership validation through automated challenges, certificate issuance, revocation processing, and CRL publishing. The project includes a local development CA that runs inside Docker containers for testing ACME client workflows against a real certificate authority, and generates test PKI hierarchies with deterministic key regeneration to avoid redundant creation across test runs. It also supports experimental post-quantum cryptography testing by generating ML-DSA keys and certificates for hybrid cryptographic readiness evaluation.

Certbot is a command-line client designed to automate the lifecycle of digital security certificates. By implementing the ACME protocol, it manages the communication between a local server and a certificate authority to verify domain ownership and issue transport layer security certificates without manual intervention. The tool distinguishes itself through a modular plugin architecture that allows it to interact directly with various web server configurations and DNS providers. This framework enables the software to perform automated domain validation, modify server settings, and configure virtual hosts to establish encrypted connections. Beyond initial issuance, the software provides automated renewal and persistent tracking of certificate lifecycles, private keys, and configuration history. It functions as a comprehensive utility for web server security hardening and the management of public key infrastructure across distributed environments.