The cryptography that protects you today won't necessarily protect you in fifteen years. NoChat is engineered for the post-quantum transition — and we'll tell you exactly what's deployed and what's still on the roadmap.
“Harvest now, decrypt later” is a real strategy: adversaries are already capturing encrypted traffic in bulk, betting that practical quantum computers will arrive in the 2030s and retroactively decrypt it. NoChat is built to close that window. To be precise about where we are: direct messages today use a hybrid X25519 + ML-KEM (Kyber-1024) key exchange — so a break in either the classical or the post-quantum half alone doesn't compromise the session — with a classical AES-256-GCM fallback when a peer doesn't yet support it. Group chats and calls aren't post-quantum yet, and the full post-quantum double-ratchet is still on the roadmap. We won't claim more than that.
A sufficiently large quantum computer running Shor's algorithm would break RSA and elliptic-curve cryptography — the asymmetric primitives almost every messenger relies on for key exchange. Anything captured today and stored could be decrypted retroactively the moment that hardware exists. For conversations that need to stay private for a decade or more, classical-only key exchange is a ticking clock.
We separate what's deployed from what's planned, because honesty about cryptography is the whole point.
Direct messages use hybrid key exchange: classical X25519 combined with a post-quantum KEM, so that a break in either primitive alone doesn't compromise the session. The post-quantum algorithms are the ones NIST standardized after years of public cryptanalysis — ML-KEM (formerly Kyber) for key encapsulation and ML-DSA-65 (FIPS 204, formerly Dilithium) for signatures. No homegrown crypto, no exotic assumptions.
It's worth being clear that the symmetric layer doesn't need replacing. AES-256-GCM at a 256-bit key length retains a large security margin even against Grover's algorithm, which only offers a quadratic speedup. The quantum risk is concentrated in asymmetric key exchange — which is exactly the part ML-KEM addresses in NoChat's direct messages today.
The crypto stack is built on open, standardized primitives, and the cryptographic inventory documents precisely which algorithms run where, including the deployed-versus-planned status for post-quantum. If you want to confirm what's live, the inventory describes the implementation rather than the marketing.
Yes, for direct messages. DMs derive their session key through a hybrid X25519 + ML-KEM (Kyber-1024) key exchange, with a classical AES-256-GCM fallback when a peer doesn't yet support it. Group chats and calls aren't post-quantum yet, and the full post-quantum double-ratchet is on the roadmap.
ML-KEM (Kyber-1024) for key encapsulation and ML-DSA-65 (FIPS 204) for digital signatures — both NIST-standardized — alongside AES-256-GCM for content, which is already considered quantum-resistant at 256 bits.
An adversary captures encrypted traffic today and stores it, betting that future quantum computers will retroactively decrypt it. Post-quantum key exchange is the defense, which is why NoChat is investing in it.
Largely, yes. Grover's algorithm only offers a quadratic speedup against symmetric ciphers, so a 256-bit key retains a strong security margin. The quantum risk is concentrated in asymmetric key exchange, which is where ML-KEM comes in.
Signal added PQXDH for initial key agreement, a good first step, though its message ratchet still relies on classical crypto. Apple's iMessage uses PQ3 on Apple devices. WhatsApp has no production post-quantum support. NoChat ships hybrid X25519 + ML-KEM key exchange for direct messages today, with groups, calls, and a post-quantum ratchet on the roadmap.
The crypto stack is built on open standards and the crypto inventory documents which algorithms run where, including deployed-versus-planned status, so you can confirm exactly what's live.
Free, private by design, and built on auditable cryptography. No phone number, no email required.