Post-quantum encryption messaging, shipping today.

Messaging that uses cryptographic algorithms believed to be secure against attacks by quantum computers. NoChat uses ML-KEM for direct-message key exchange and AES-256-GCM for content — both are considered quantum-resistant at current parameter sizes.

'Harvest now, decrypt later': adversaries are already capturing encrypted traffic in bulk, betting that quantum computers in the 2030s will retroactively decrypt it. Post-quantum encryption messaging closes that window for messages you send today.

ML-KEM (also known as Kyber-1024) for key encapsulation on direct messages, the NIST-standardized post-quantum KEM. Digital signatures use ML-DSA-65 (FIPS 204). Symmetric content encryption uses AES-256-GCM.

Signal added PQXDH for initial key agreement, a good first step, though its message ratchet still relies on classical crypto. Apple's iMessage uses PQ3 on Apple devices. WhatsApp has no production post-quantum support. NoChat ships hybrid X25519 + ML-KEM key exchange for direct messages today, with groups, calls, and a post-quantum ratchet on the roadmap.

ML-KEM is based on the Module Learning With Errors problem and was selected by NIST after years of public cryptanalysis. It's the current state of the art for post-quantum key encapsulation.

The overhead is negligible in interactive messaging. Key encapsulation happens once per session, and content is encrypted with AES-256-GCM which is hardware-accelerated on modern devices.

Yes. The E2EE status indicator in each chat shows the algorithm in use and a fingerprint you can compare with your peer, and the crypto inventory documents which algorithms run where.

No special step is needed. Post-quantum key exchange is on by default for direct messages across web, iOS, Android, and desktop, and applies when both parties support it (with a classical AES-256-GCM fallback otherwise). Group chats and calls aren't post-quantum yet — they're on the roadmap.