NoChat encrypts every message on your device before it leaves it. We transport opaque blobs and nothing else — no plaintext, no keys, no readable metadata.
NoChat is an encrypted messaging app built on end-to-end encryption (E2EE). Every message is sealed with AES-256-GCM; direct messages derive their session key through a hybrid X25519 + ML-KEM (Kyber-1024) post-quantum key exchange, with a classical P-256 ECDH path as the fallback, while group chats and calls remain classical for now. The encryption happens in your browser or app using the Web Crypto API, so the NoChat server never handles a private key and never sees a single word you write.
End-to-end encryption means only the sender and the intended recipient can read a message. With NoChat, encryption and decryption happen locally on each device. The server's only job is to route a payload it cannot read.
NoChat uses standardized, auditable primitives — no homegrown crypto. Direct messages run a post-quantum key exchange today; group chats and calls use the classical stack for now.
Encryption isn't only for text. Video and audio calls run over WebRTC with DTLS-SRTP, and connect peer-to-peer where the network allows, so media doesn't pass through our servers.
We describe our cryptography truthfully. Deployed today: AES-256-GCM E2EE for all messages, hybrid X25519 + ML-KEM post-quantum key exchange for direct messages, and DTLS-SRTP for calls. On the roadmap: post-quantum key exchange for group chats and calls, the Double Ratchet for per-message forward secrecy, and sealed sender for metadata protection. The full breakdown lives in our documented crypto inventory.
Almost every app in the store calls itself an encrypted messaging app; very few clear the bar of a modern secure messenger. End-to-end encryption is the floor, not the ceiling. A serious encrypted messaging app must also authenticate every ciphertext — otherwise a network attacker can tamper with messages in flight. AES-256-GCM is an authenticated cipher, so any modification is detected and rejected immediately. That single design choice separates a serious app from a marketing one.
An encrypted messaging app is only as strong as its server architecture. If the service holds your private keys, your encryption is theater. NoChat runs a strict zero-trust model: identity keys, exchange keys, and session keys are all generated on your device. The server never sees them and could not derive them if it tried.
Combined with the fact that we don't require a phone number or email to sign up, the worst-case scenario — a full database breach — yields nothing more than encrypted blobs and pseudonymous account IDs. There is nothing useful to steal.
Adversaries are already capturing encrypted traffic at scale, betting that practical quantum computers will arrive within the next decade or two and retroactively decrypt it. Messaging that relies only on classical RSA or elliptic-curve key exchange leaves conversations captured today open to being unsealed later. NoChat closes that window where it matters most: direct messages already run a hybrid X25519 + ML-KEM (Kyber-1024) post-quantum key exchange, and AES-256-GCM at 256 bits is itself considered quantum-resistant. Group chats and calls use the classical stack today, and extending post-quantum coverage to them is on the roadmap — we describe that scope honestly rather than overstating it.
Yes. Messages are encrypted on your device with AES-256-GCM using a session key derived from a P-256 ECDH exchange. Keys are generated client-side and the server only stores ciphertext. The cryptography is built on open, standardized primitives anyone can audit.
AES-256-GCM for content, HKDF-SHA256 for key derivation, and P-256 ECDSA for identity signatures. Key exchange is classical ECDH (P-256 / X25519), with direct messages adding ML-KEM (Kyber-1024) for a hybrid post-quantum exchange and ML-DSA-65 (FIPS 204) signatures on the post-quantum prekeys.
No. Your private keys never leave your device, and the server only stores encrypted payloads. Even under legal order we could only hand over opaque ciphertext we cannot decrypt.
No. You can sign up with just a username and password, or start an anonymous session in one click — no phone number, no SMS verification.
Yes. Calls use WebRTC with DTLS-SRTP and connect peer-to-peer where possible, so media never traverses our servers in the clear.
Direct messages are: they use a hybrid X25519 + ML-KEM (Kyber-1024) key exchange today, with a classical AES-256-GCM fallback when a peer doesn't yet support it. Group chats and calls use the classical stack for now — extending post-quantum coverage to them is on the roadmap.
Free, private by design, and built on auditable cryptography. No phone number, no email required.
How the zero-trust design holds up against real-world threats.
Sign up with no identity — no phone number, no email.
Why we mathematically cannot read your messages.
What's deployed today and what's on the roadmap.