Post-Quantum Encryption

Post-quantum encryption messaging, built honestly

The cryptography that protects you today won't necessarily protect you in fifteen years. NoChat is engineered for the post-quantum transition — and we'll tell you exactly what's deployed and what's still on the roadmap.

Hybrid X25519 + ML-KEM for DMsDefends against harvest-now-decrypt-laterAuditable, verifiable status

“Harvest now, decrypt later” is a real strategy: adversaries are already capturing encrypted traffic in bulk, betting that practical quantum computers will arrive in the 2030s and retroactively decrypt it. NoChat is built to close that window. To be precise about where we are: direct messages today use a hybrid X25519 + ML-KEM (Kyber-1024) key exchange — so a break in either the classical or the post-quantum half alone doesn't compromise the session — with a classical AES-256-GCM fallback when a peer doesn't yet support it. Group chats and calls aren't post-quantum yet, and the full post-quantum double-ratchet is still on the roadmap. We won't claim more than that.

Why post-quantum encryption matters now

A sufficiently large quantum computer running Shor's algorithm would break RSA and elliptic-curve cryptography — the asymmetric primitives almost every messenger relies on for key exchange. Anything captured today and stored could be decrypted retroactively the moment that hardware exists. For conversations that need to stay private for a decade or more, classical-only key exchange is a ticking clock.

What NoChat actually uses today

We separate what's deployed from what's planned, because honesty about cryptography is the whole point.

  • Deployed — contentAES-256-GCM, a 256-bit symmetric cipher already considered quantum-resistant against Grover's algorithm.
  • Deployed — DM key exchangehybrid X25519 + ML-KEM (Kyber-1024) for direct messages, with HKDF-SHA256 derivation and a classical fallback when a peer doesn't yet support it.
  • Deployed — signaturesML-DSA-65 (FIPS 204) authenticates the post-quantum prekeys used in the DM handshake.
  • On the roadmapextending post-quantum key exchange to group chats and calls, plus a full post-quantum double-ratchet for per-message forward secrecy.

Why hybrid, and why NIST standards

Direct messages use hybrid key exchange: classical X25519 combined with a post-quantum KEM, so that a break in either primitive alone doesn't compromise the session. The post-quantum algorithms are the ones NIST standardized after years of public cryptanalysis — ML-KEM (formerly Kyber) for key encapsulation and ML-DSA-65 (FIPS 204, formerly Dilithium) for signatures. No homegrown crypto, no exotic assumptions.

Symmetric encryption is already quantum-safe

It's worth being clear that the symmetric layer doesn't need replacing. AES-256-GCM at a 256-bit key length retains a large security margin even against Grover's algorithm, which only offers a quadratic speedup. The quantum risk is concentrated in asymmetric key exchange — which is exactly the part ML-KEM addresses in NoChat's direct messages today.

Verify the status yourself

The crypto stack is built on open, standardized primitives, and the cryptographic inventory documents precisely which algorithms run where, including the deployed-versus-planned status for post-quantum. If you want to confirm what's live, the inventory describes the implementation rather than the marketing.

Frequently asked questions

Does NoChat have post-quantum encryption today?

Yes, for direct messages. DMs derive their session key through a hybrid X25519 + ML-KEM (Kyber-1024) key exchange, with a classical AES-256-GCM fallback when a peer doesn't yet support it. Group chats and calls aren't post-quantum yet, and the full post-quantum double-ratchet is on the roadmap.

What post-quantum algorithms does NoChat use?

ML-KEM (Kyber-1024) for key encapsulation and ML-DSA-65 (FIPS 204) for digital signatures — both NIST-standardized — alongside AES-256-GCM for content, which is already considered quantum-resistant at 256 bits.

What is 'harvest now, decrypt later'?

An adversary captures encrypted traffic today and stores it, betting that future quantum computers will retroactively decrypt it. Post-quantum key exchange is the defense, which is why NoChat is investing in it.

Is AES-256 safe against quantum computers?

Largely, yes. Grover's algorithm only offers a quadratic speedup against symmetric ciphers, so a 256-bit key retains a strong security margin. The quantum risk is concentrated in asymmetric key exchange, which is where ML-KEM comes in.

Do Signal or WhatsApp have post-quantum encryption?

Signal added PQXDH for initial key agreement, a good first step, though its message ratchet still relies on classical crypto. Apple's iMessage uses PQ3 on Apple devices. WhatsApp has no production post-quantum support. NoChat ships hybrid X25519 + ML-KEM key exchange for direct messages today, with groups, calls, and a post-quantum ratchet on the roadmap.

How can I verify what's actually enabled?

The crypto stack is built on open standards and the crypto inventory documents which algorithms run where, including deployed-versus-planned status, so you can confirm exactly what's live.

Try NoChat today

Free, private by design, and built on auditable cryptography. No phone number, no email required.

Related