Encrypted Messaging App

An encrypted messaging app where the server only sees ciphertext

NoChat encrypts every message on your device before it leaves it. We transport opaque blobs and nothing else — no plaintext, no keys, no readable metadata.

End-to-end encrypted by defaultAES-256-GCM authenticated encryptionZero-trust server

NoChat is an encrypted messaging app built on end-to-end encryption (E2EE). Every message is sealed with AES-256-GCM; direct messages derive their session key through a hybrid X25519 + ML-KEM (Kyber-1024) post-quantum key exchange, with a classical P-256 ECDH path as the fallback, while group chats and calls remain classical for now. The encryption happens in your browser or app using the Web Crypto API, so the NoChat server never handles a private key and never sees a single word you write.

What end-to-end encryption actually means here

End-to-end encryption means only the sender and the intended recipient can read a message. With NoChat, encryption and decryption happen locally on each device. The server's only job is to route a payload it cannot read.

  • Encrypted on-devicemessages are sealed before they touch the network.
  • Decrypts only for the recipientno one else holds the key, including us.
  • Tamper-evidentAES-256-GCM is authenticated, so any modification in transit is detected and rejected.
  • Server sees noisea database dump would yield ciphertext, not conversations.

The cryptography under the hood

NoChat uses standardized, auditable primitives — no homegrown crypto. Direct messages run a post-quantum key exchange today; group chats and calls use the classical stack for now.

  • AES-256-GCMsymmetric encryption for message and file content.
  • ML-KEM (Kyber-1024)post-quantum key encapsulation for direct messages, hybridized with X25519.
  • P-256 / X25519 ECDHclassical key agreement to derive a per-peer session key (and the fallback for DMs).
  • HKDF-SHA256key derivation, salted with sorted user IDs for deterministic per-pair keys.
  • SignaturesP-256 ECDSA for identity, plus ML-DSA-65 (FIPS 204) on the post-quantum prekeys used in the DM handshake.

Calls are encrypted too

Encryption isn't only for text. Video and audio calls run over WebRTC with DTLS-SRTP, and connect peer-to-peer where the network allows, so media doesn't pass through our servers.

Honest about what's shipped vs. planned

We describe our cryptography truthfully. Deployed today: AES-256-GCM E2EE for all messages, hybrid X25519 + ML-KEM post-quantum key exchange for direct messages, and DTLS-SRTP for calls. On the roadmap: post-quantum key exchange for group chats and calls, the Double Ratchet for per-message forward secrecy, and sealed sender for metadata protection. The full breakdown lives in our documented crypto inventory.

What to look for in an encrypted messaging app in 2026

Almost every app in the store calls itself an encrypted messaging app; very few clear the bar of a modern secure messenger. End-to-end encryption is the floor, not the ceiling. A serious encrypted messaging app must also authenticate every ciphertext — otherwise a network attacker can tamper with messages in flight. AES-256-GCM is an authenticated cipher, so any modification is detected and rejected immediately. That single design choice separates a serious app from a marketing one.

  • End-to-end encrypted contentonly the sender and recipient can read a message; the server transports ciphertext and nothing else.
  • Authenticated encryptiontamper detection (AEAD) so a hostile network can't silently alter messages.
  • Zero-knowledge key handlingthe service holds no private keys and could not derive them if it tried.
  • No required phone numberidentity isn't welded to a carrier-verified number.
  • Auditable, standards-based cryptoopen, standardized primitives you can verify instead of trusting a claim.

Zero-trust architecture: why our server can't help an attacker

An encrypted messaging app is only as strong as its server architecture. If the service holds your private keys, your encryption is theater. NoChat runs a strict zero-trust model: identity keys, exchange keys, and session keys are all generated on your device. The server never sees them and could not derive them if it tried.

Combined with the fact that we don't require a phone number or email to sign up, the worst-case scenario — a full database breach — yields nothing more than encrypted blobs and pseudonymous account IDs. There is nothing useful to steal.

Built against "harvest now, decrypt later"

Adversaries are already capturing encrypted traffic at scale, betting that practical quantum computers will arrive within the next decade or two and retroactively decrypt it. Messaging that relies only on classical RSA or elliptic-curve key exchange leaves conversations captured today open to being unsealed later. NoChat closes that window where it matters most: direct messages already run a hybrid X25519 + ML-KEM (Kyber-1024) post-quantum key exchange, and AES-256-GCM at 256 bits is itself considered quantum-resistant. Group chats and calls use the classical stack today, and extending post-quantum coverage to them is on the roadmap — we describe that scope honestly rather than overstating it.

Frequently asked questions

Is NoChat actually end-to-end encrypted?

Yes. Messages are encrypted on your device with AES-256-GCM using a session key derived from a P-256 ECDH exchange. Keys are generated client-side and the server only stores ciphertext. The cryptography is built on open, standardized primitives anyone can audit.

What encryption algorithms does this encrypted messaging app use?

AES-256-GCM for content, HKDF-SHA256 for key derivation, and P-256 ECDSA for identity signatures. Key exchange is classical ECDH (P-256 / X25519), with direct messages adding ML-KEM (Kyber-1024) for a hybrid post-quantum exchange and ML-DSA-65 (FIPS 204) signatures on the post-quantum prekeys.

Can NoChat read my messages?

No. Your private keys never leave your device, and the server only stores encrypted payloads. Even under legal order we could only hand over opaque ciphertext we cannot decrypt.

Does it require a phone number?

No. You can sign up with just a username and password, or start an anonymous session in one click — no phone number, no SMS verification.

Are video calls encrypted?

Yes. Calls use WebRTC with DTLS-SRTP and connect peer-to-peer where possible, so media never traverses our servers in the clear.

Is it post-quantum encrypted today?

Direct messages are: they use a hybrid X25519 + ML-KEM (Kyber-1024) key exchange today, with a classical AES-256-GCM fallback when a peer doesn't yet support it. Group chats and calls use the classical stack for now — extending post-quantum coverage to them is on the roadmap.

Try NoChat today

Free, private by design, and built on auditable cryptography. No phone number, no email required.

Related