Quantum Resistant Cryptography (QRC)

Overview

QRC enhances Keeper's API security by combining traditional elliptic curve cryptography (ECDH-P256) with NIST-standardized post-quantum ML-KEM-1024 (Module-Lattice-based Key Encapsulation Mechanism). This hybrid approach ensures both current security and future quantum resistance.

When QRC is enabled, all API requests from Commander use a dual-layer encryption scheme that protects data even if one cryptographic algorithm is compromised.

Requirements

QRC is automatically enabled when requirements are met. No additional configuration is needed.

How It Works

When Commander makes an API request with QRC enabled:

1. ECDH Key Exchange: Commander generates an ephemeral EC key pair and performs ECDH with the server's public key

2. ML-KEM Encapsulation: Commander encapsulates a shared secret using the server's ML-KEM-1024 public key

3. Key Derivation: Both secrets are combined using HKDF-SHA256 to derive an AES-256 key

4. Encryption: The transmission key is encrypted with AES-GCM using the derived key

Fallback Behavior

Commander automatically falls back to standard EC encryption when:

• Python version is below 3.11

• The keeper-mlkem package is not installed

• Any QRC-related error occurs during encryption

All fallbacks are transparent to the user—connections continue without interruption.

Verifying QRC Status

To verify QRC is active, enable debug logging:

When QRC is active, you will see:

Security Benefits