POST-QUANTUM SECURE EXCHANGE

Q-Paste

Q-Paste is a zero-knowledge secure exchange designed to resist long-term cryptographic compromise, including harvest-now, decrypt-later attacks by future quantum adversaries.

Security Model

Our security architecture is built on zero-trust principles where the server is never trusted with plaintext data.

TRUST ASSUMPTION

The server is assumed to be honest-but-curious or fully compromised. No confidentiality depends on server secrecy.

ZERO-KNOWLEDGE GUARANTEE

Plaintext data, encryption keys, and passwords are never transmitted or stored server-side. All cryptographic operations occur exclusively in the client browser.

KEY DISTRIBUTION

Decryption keys are embedded in the URL fragment and never sent over the network to any server.

Cryptographic Construction

Q-Paste uses a hybrid encryption scheme to ensure confidentiality as long as at least one cryptographic primitive remains secure.

Post-Quantum KEM: ML-KEM-768 (Kyber)
Symmetric Encryption: AES-256-GCM
Key Derivation: HKDF-SHA-256
Entropy Source: Web Crypto API CSPRNG
Authentication: TLS 1.3 + Client-Side Verification

Attack Surface & Data Flow

All cryptographic operations occur exclusively in the client's browser.

CLIENT (Secure Zone) Browser Plaintext Encrypt Cipher Key in URL Fragment (never sent) SERVER (Untrusted) Encrypted Storage Cipher Metadata TLS

Formal Guarantees vs. Non-Goals

What Q-Paste Guarantees

Guarantee Scope Assumptions
✓ End-to-End Encryption All data in transit and at rest Browser crypto APIs uncompromised
✓ Post-Quantum Confidentiality Protection against future quantum decryption ML-KEM-768 remains secure
✓ Server Zero-Knowledge Server never obtains plaintext or keys Client-side encryption working correctly
✓ Key Isolation Decryption keys never leave client device URL fragment not logged by intermediaries
✓ Metadata Privacy Shield No automated link analysis by scanners Privacy controls properly configured

What Q-Paste Explicitly Does NOT Protect Against

Client-Side Malware

If your endpoint is compromised with a keylogger or browser extension, Q-Paste cannot protect plaintext being typed.

Endpoint Forensics

Memory forensics or behavioral analysis on the client can reveal content after decryption and display.

Server Infrastructure Attacks

Denial-of-service, rate limiting, or resource exhaustion attacks on server infrastructure are not mitigated.

Network-Level Timing Attacks

Adversaries observing traffic patterns can infer some information about data size and timing.

Browser Zero-Days

Unpatched vulnerabilities in the JavaScript engine or Web Crypto API can be exploited before disclosure.

Social Engineering

No protection against phishing, credential theft, or users intentionally sharing decryption links.

Client Integrity Verification

Q-Paste uses Subresource Integrity (SRI) with SHA-384 hashing to cryptographically verify that JavaScript and client-side code has not been tampered with.

✓ How SRI Works

The server provides a cryptographic hash of the expected JavaScript bundle. Your browser automatically verifies that the downloaded code matches this hash before executing it. If even one byte is modified, the script fails to load.

Example SRI attribute:

<script src="https://q-paste.example.com/client.js" integrity="sha384-n4ZWlxp8RHzf6vNy/7h/8U4Xd9Xj4J..." crossorigin="anonymous"></script>

Benefits: Protects against CDN hijacking, ISP injection, and network-level tampering.

Threats Addressed

HARVEST-NOW / DECRYPT-LATER (HNDL)

An adversary records encrypted traffic today and decrypts it using quantum computers in the future. Q-Paste mitigates this via post-quantum hybrid encryption (ML-KEM-768 + AES-256-GCM).

SERVER COMPROMISE

If the server is breached, attackers gain access to encrypted data, but not the decryption keys (which are embedded in URL fragments). Encrypted data remains unintelligible.

METADATA LEAKAGE

Email clients, chat platforms, and web crawlers auto-preview links. Q-Paste's privacy shield prevents automated analysis through explicit user action requirement.

MAN-IN-THE-MIDDLE (MITM)

TLS 1.3 provides authenticated encryption in transit. Client-side encryption adds an additional layer: even if TLS is broken, plaintext is not exposed.

Deployment Models

Q-Paste supports three deployment architectures to meet your security, compliance, and operational requirements.

Cloud-Hosted (SaaS)

  • Zologic-managed infrastructure
  • Automatic updates & security patches
  • Global CDN distribution
  • Built-in monitoring & alerting
  • 99.9% SLA (Pro tier)

Ideal for teams prioritizing operational simplicity.

On-Premises (Self-Hosted)

  • Full data sovereignty
  • Private Docker containers
  • Custom domain & branding
  • Private encryption keys
  • Network isolation options

For enterprises with regulatory or compliance requirements.

Air-Gap (Disconnected)

  • Zero network connectivity
  • USB/media-based distribution
  • Standalone HTML+JS artifact
  • No external dependencies
  • Offline-first operation

For maximum security isolation in classified environments.

Pricing Plans

Choose the plan that fits your security and scale requirements. All plans include full post-quantum encryption.

Standard

€49/year

Cloud-Hosted · Standard limits

  • Up to 10 pastes/month
  • 5GB storage
  • 7-day retention
  • Email support
  • HTTPS + TLS

Professional

€99/year

Higher limits · Priority support

  • Unlimited pastes
  • 100GB storage
  • 90-day retention
  • Priority email & Slack
  • HTTPS + TLS + ML-KEM
  • Private instances available

Enterprise

Custom

Dedicated · SLA guaranteed

  • Unlimited everything
  • On-premises deployment
  • Air-gap configuration
  • 24/7 support
  • Custom integrations
  • Dedicated infrastructure
Q-Paste is based on PrivateBin (GPL-3.0) with substantial cryptographic and privacy-hardening enhancements by Zologic.

Join Waitlist

Standard Plan


Thank You!

You've been added to the waitlist for the Standard Plan.

We've sent a confirmation email to your inbox. Our team will contact you within 48 hours with an invoice link. Once payment is confirmed, you'll receive your secure Q-Paste instance URL and login credentials.

Join Waitlist

Professional Plan


Thank You!

You've been added to the waitlist for the Professional Plan.

We've sent a confirmation email to your inbox. Our team will contact you within 48 hours.

Enterprise Inquiry

Let's Discuss Your Needs


Thank You for Your Interest!

Your enterprise inquiry has been received.

Our enterprise team will contact you within 24 hours to discuss your specific security requirements, deployment options (Cloud, On-Premises, or Air-Gap), and provide a custom quote. After finalizing terms and payment, you'll receive a fully configured private instance at yourcompany.q-paste.io with dedicated support.

Scroll to Top