The cryptography that protects you today won't necessarily protect you in fifteen years. NoChat is engineered for the post-quantum transition — and we'll tell you exactly what's deployed and what's still on the roadmap.
“Harvest now, decrypt later” is a real strategy: adversaries are already capturing encrypted traffic in bulk, betting that practical quantum computers will arrive in the 2030s and retroactively decrypt it. NoChat is built to close that window. To be precise about where we are: the server-side crypto domain implements ML-KEM (Kyber) and ML-DSA (Dilithium) using the cloudflare/circl library, while the message-encryption path shipped to clients today uses classical P-256 ECDH + AES-256-GCM. The post-quantum primitives are prepared on the backend and on the roadmap for the frontend — we don't claim full client-side post-quantum messaging is live yet.
A sufficiently large quantum computer running Shor's algorithm would break RSA and elliptic-curve cryptography — the asymmetric primitives almost every messenger relies on for key exchange. Anything captured today and stored could be decrypted retroactively the moment that hardware exists. For conversations that need to stay private for a decade or more, classical-only key exchange is a ticking clock.
We separate what's deployed from what's planned, because honesty about cryptography is the whole point.
The intended design is hybrid key exchange: combine classical ECDH with a post-quantum KEM so that a break in either primitive alone doesn't compromise the session. The post-quantum algorithms are the ones NIST standardized after years of public cryptanalysis — ML-KEM (formerly Kyber) for key encapsulation and ML-DSA (formerly Dilithium) for signatures. No homegrown crypto, no exotic assumptions.
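The hybrid exchange described above, as an added example that is not NoChat's code: it uses Go's standard-library `crypto/mlkem` and `crypto/hkdf` (Go 1.24+) rather than cloudflare/circl. The ML-KEM-768 parameter set, the HKDF-SHA256 combiner and its info label are assumptions, not details taken from NoChat's design.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/hkdf"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// must panics on error to keep the example short; production code returns errors.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// combine derives one 32-byte session key from both shared secrets.
// Assumption: HKDF-SHA256 over ecdhSecret || kemSecret with a made-up info label.
func combine(ecdhSecret, kemSecret []byte) []byte {
	ikm := append(append([]byte{}, ecdhSecret...), kemSecret...)
	return must(hkdf.Key(sha256.New, ikm, nil, "example-hybrid-p256-mlkem768", 32))
}

// hybridExchange runs one exchange and returns the key each side derives.
func hybridExchange() (initKey, respKey []byte) {
	// Responder publishes a P-256 public key and an ML-KEM-768 encapsulation key.
	respEC := must(ecdh.P256().GenerateKey(rand.Reader))
	respKEM := must(mlkem.GenerateKey768())

	// Initiator: ephemeral ECDH key plus a KEM ciphertext for the responder.
	initEC := must(ecdh.P256().GenerateKey(rand.Reader))
	kemInit, ct := respKEM.EncapsulationKey().Encapsulate()
	initKey = combine(must(initEC.ECDH(respEC.PublicKey())), kemInit)

	// Responder: receives initEC.PublicKey() and ct, recomputes both secrets.
	kemResp := must(respKEM.Decapsulate(ct))
	respKey = combine(must(respEC.ECDH(initEC.PublicKey())), kemResp)
	return initKey, respKey
}

func main() {
	a, b := hybridExchange()
	fmt.Println("session keys match:", bytes.Equal(a, b))
}
```

Because both secrets feed the KDF, recovering only the ECDH secret or only the ML-KEM secret does not yield the session key.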
It's worth being clear that the symmetric layer doesn't need replacing. AES-256-GCM, with its 256-bit key, retains a large security margin even against Grover's algorithm, which offers only a quadratic speedup. The quantum risk is concentrated in asymmetric key exchange — which is exactly the part the ML-KEM roadmap targets.
The entire crypto stack is open source at github.com/kindlyrobotics/nochat, and the cryptographic inventory documents precisely which algorithms run where, including the deployed-versus-planned status for post-quantum. If you want to confirm what's live, read the code rather than the marketing.
Partially. The backend implements ML-KEM (Kyber) and ML-DSA (Dilithium), but the message encryption shipped to clients today uses classical P-256 ECDH + AES-256-GCM. Full client-side post-quantum messaging is on the roadmap, not yet deployed on the frontend.
ML-KEM (Kyber) for key encapsulation and ML-DSA (Dilithium) for digital signatures — both NIST-standardized — alongside AES-256-GCM for content, which is already considered quantum-resistant at 256 bits.
An adversary captures encrypted traffic today and stores it, betting that future quantum computers will retroactively decrypt it. Post-quantum key exchange is the defense, which is why NoChat is investing in it.
Largely, yes. Grover's algorithm only offers a quadratic speedup against symmetric ciphers, so a 256-bit key retains a strong security margin. The quantum risk is concentrated in asymmetric key exchange, which is where ML-KEM comes in.
Signal added PQXDH for initial key agreement, a good first step, though message content still relies on classical ratcheting. WhatsApp has no production post-quantum support. NoChat's backend supports the post-quantum primitives with client integration on the roadmap.
The crypto stack is open source and the crypto inventory documents which algorithms run where, including deployed-versus-planned status. Read the code to confirm exactly what's live.
Free, open source, and private by design. No phone number, no email required.