Home About Projects NoidChat

01 — Learn

Post-Quantum Encryption, Explained

Post-quantum encryption is cryptography built to survive an adversary with a quantum computer. This guide covers what a quantum machine actually breaks, what it does not, why the recording of today's traffic already started, what ML-KEM and FIPS 203 mean, and how to judge any product that claims to be ready.

02 — The Break

What Quantum Computers Actually Break

Nearly all of today's public-key cryptography rests on two math problems: factoring enormous numbers (RSA) and computing discrete logarithms on elliptic curves (the ECDH and X25519 exchanges behind most secure apps). For a classical computer, both are hopeless at real key sizes.

In 1994, mathematician Peter Shor showed that a large, fault-tolerant quantum computer solves both efficiently — turning "billions of years" into a bad afternoon. A machine big enough to run Shor's algorithm against real keys is called a CRQC: a cryptographically relevant quantum computer.

No CRQC exists yet; estimates range from a decade to never. But cryptography plans around the adversary's best day — and key exchange, the exact layer Shor breaks, protects everything else.

03 — The Survivors

What Quantum Computers Don't Break

Symmetric cryptography mostly survives. Grover's algorithm, the other famous quantum result, speeds up brute-force search only quadratically, effectively halving a key length. AES-128 drops to roughly 64-bit security, which is uncomfortable. AES-256 drops to roughly 128-bit, which remains completely out of reach.

So post-quantum migration is not "replace all encryption". It is: replace key exchange and signatures (the Shor-vulnerable parts) and keep AES-256 for the data itself. Every serious post-quantum design, in TLS or in messengers, has exactly this shape — a quantum-safe way to agree on keys, followed by AES.

04 — The Deadline

Harvest Now, Decrypt Later

Why act before the machine exists? Because interception and decryption do not have to happen at the same time.

Encrypted traffic can be recorded today and stored indefinitely — storage is cheap. Anything captured under RSA or elliptic-curve key exchange stays sealed only until a CRQC comes online, then unseals retroactively. The practice has a name: harvest now, decrypt later.

Mosca's theorem compresses this: if the years your data must stay secret plus the years migration takes exceed the years until a CRQC, you are already late. For anything with a ten-year shelf life — medical records, legal work, sources — "later" means "now".

05 — The Standards

The NIST Competition: 2016 to 2024

NIST, the US standards body, did the right thing: a public, worldwide competition instead of a secret design. The 2016 call drew 82 candidate submissions; anyone on Earth was invited to break them. Many fell — SIKE, a late-round candidate, went down in 2022 to an ordinary computer in about an hour. That is the process working: better a public break in review than a private one in production.

In August 2024, the survivors became the first finalized US federal post-quantum standards:

Standard Algorithm Derived from Job
FIPS 203 ML-KEM CRYSTALS-Kyber Key encapsulation — establishing shared secret keys
FIPS 204 ML-DSA CRYSTALS-Dilithium Digital signatures — the primary signing standard
FIPS 205 SLH-DSA SPHINCS+ Digital signatures — hash-based, conservative backup

For messaging, FIPS 203 is the one that matters: it standardizes how a shared secret key reaches the other end of a conversation without anyone in between learning it.

06 — The Mechanism

What a KEM Actually Is

ML-KEM is a key encapsulation mechanism, and the concept is simpler than the name.

Classic Diffie-Hellman is a conversation: both parties contribute halves and interactively converge on a shared secret. A KEM is a delivery. You publish a public key. Anyone who wants to talk to you generates a fresh random secret, seals it against that key (encapsulation), and sends the resulting ciphertext. Only your private key opens it (decapsulation). Both ends now hold the same 32-byte secret; nobody watching the wire can recover it.

The secret is never used raw: a key derivation function turns it into the symmetric keys — typically AES-256-GCM — that encrypt the actual messages, files, and call frames. The KEM's whole job is that one safe delivery. Deliberately small, deliberately auditable.

07 — The Sizes

Security Categories: 1, 3 and 5

NIST grades post-quantum parameter sets against known benchmarks instead of abstract bit counts: Category 1 is at least as hard to break as brute-forcing AES-128, Category 3 matches AES-192, Category 5 matches AES-256. ML-KEM ships in three sizes:

Parameter set NIST category As hard as breaking Public key Ciphertext
ML-KEM-512 Category 1 AES-128 800 bytes 768 bytes
ML-KEM-768 Category 3 AES-192 1,184 bytes 1,088 bytes
ML-KEM-1024 Category 5 AES-256 1,568 bytes 1,568 bytes

ML-KEM-768 is the pragmatic industry default — the parameter set inside the hybrid key exchange major browsers now use for TLS. ML-KEM-1024 buys maximum margin for long-lived secrets at slightly larger key and ciphertext sizes.

08 — The Math

Lattices, in One Paragraph

A lattice is an endless, regular grid of points. In two dimensions — graph paper — finding the grid point nearest an arbitrary dot is trivial. Stretch the grid into hundreds of dimensions and skew it, and the same question becomes brutally hard. ML-KEM builds on a related problem, Module Learning With Errors: a secret hidden inside equations, each deliberately nudged by small random noise. Recovering it means un-noising high-dimensional linear algebra, and after decades of trying nobody — classical or quantum — has found an efficient way in. Unlike factoring, there is no known quantum shortcut.

09 — The Checklist

How to Evaluate a Post-Quantum Messenger

Marketing has discovered the word "quantum". Six questions cut through it — any serious vendor can answer them in plain language. Including us.

  1. Which standard, and which parameter set? "Quantum-safe" means nothing. "ML-KEM-768 per FIPS 203" is an answer. So is a pre-standard Kyber build with a stated migration plan.
  2. Is it on by default? Security that lives behind a toggle protects almost no one. Ask what an ordinary user gets without touching a setting.
  3. What exactly is covered? Messages only? Attachments, voice notes, calls, group chats? Coverage claims shrink under specific questioning. Make the vendor enumerate.
  4. Hybrid or pure? Signal, Apple, and TLS pair ML-KEM (or Kyber) with a classical elliptic-curve exchange so both must fail before the traffic does. Pure ML-KEM is leaner; hybrid is more conservative. Either is defensible — the vendor should say which and why.
  5. What is the forward secrecy story? Post-quantum key establishment does not automatically give every message its own ephemeral key. Ask what a stolen device key exposes.
  6. Can anyone verify it? Published protocol documentation, source you can read (at minimum the encryption layer), independent audits. The gold standard is all three.

A vendor who answers all six plainly takes the problem seriously. A vendor who answers "military-grade encryption" does not.

10 — Worked Example

The Checklist, Run Against NoidChat

Here is that checklist run against our own product, gaps included.

NoidChat encrypts direct messages with ML-KEM-768 — Category 3, FIPS 203 — by default, no toggle (Q1, Q2). The encapsulated secret drives AES-256-GCM for messages, files, and voice notes; calls run the same handshake, then encrypt every media frame with AES-256-GCM (Q3). One tap raises a conversation to ML-KEM-1024, Category 5. Group chats still run a classical multi-cipher cascade; ML-KEM for groups is on the roadmap — a real coverage gap, and we say so.

NoidChat runs pure ML-KEM rather than a hybrid (Q4). Per-message forward secrecy is in development, not shipped (Q5). Selected encryption-layer components are public, but NoidChat is not fully open source — on Q6, Signal is straightforwardly stronger today.

The full protocol breakdown is in the NoidChat security deep-dive, the honest head-to-head in NoidChat vs Signal; if signing up without an identity matters, start with messaging without a phone number.

11 — Glossary

Terms Worth Knowing

Term Meaning
CRQC Cryptographically relevant quantum computer — large enough to break real-world keys, not a lab demo.
Shor's algorithm Quantum algorithm (1994) that efficiently factors and computes discrete logs, breaking RSA and elliptic-curve crypto.
Grover's algorithm Quantum search speedup that halves effective symmetric key length. AES-256 stays safe.
Harvest now, decrypt later Recording encrypted traffic today to decrypt retroactively once a CRQC exists.
KEM Key encapsulation mechanism — seals a fresh shared secret against a public key for safe one-way delivery.
ML-KEM / FIPS 203 The NIST-standardized lattice-based KEM, finalized August 2024, derived from CRYSTALS-Kyber.
Security category NIST's strength scale: Category 1 ≈ breaking AES-128, Category 3 ≈ AES-192, Category 5 ≈ AES-256.
Hybrid key exchange Running a classical exchange (e.g. X25519) and ML-KEM together, so both must break before the traffic does.

12 — FAQ

Common Questions

Do I need post-quantum encryption before quantum computers exist?

Yes, if anything you send must stay private for years. Encrypted traffic captured today can be stored and decrypted retroactively once a CRQC arrives — harvest now, decrypt later. Adopting post-quantum key exchange after the machine arrives is too late for everything already recorded.

What is the difference between ML-KEM and Kyber?

ML-KEM is the finalized standard, published as FIPS 203 in August 2024; CRYSTALS-Kyber is the submission it was derived from. NIST made small changes during standardization, so the two are not interoperable, but the lattice foundation and years of analysis carry over. "Kyber" in older writing is ML-KEM's pre-standard name.

Can a quantum computer break AES-256?

Not meaningfully. Grover's algorithm only halves effective key length, leaving AES-256 with roughly 128-bit security against a quantum attacker — far beyond any feasible attack. That is why post-quantum systems handle key establishment and hand the data itself to AES-256.

What is the practical difference between ML-KEM-768 and ML-KEM-1024?

Security margin. ML-KEM-768 is NIST Category 3 (comparable to breaking AES-192) and the industry default. ML-KEM-1024 is Category 5 (AES-256) with modestly larger keys and ciphertexts. For most conversations 768 is ample; 1024 exists for secrets that must hold for decades.

Which messaging apps use post-quantum encryption today?

Signal added a hybrid of X25519 and Kyber to its key agreement in 2023. Apple shipped hybrid PQ3 for iMessage in 2024. NoidChat runs ML-KEM-768 by default on direct messages and calls, with ML-KEM-1024 opt-in. Different approaches — hybrid versus pure — so the checklist above still applies.

13 — Try It

Post-Quantum, By Default

NoidChat wraps direct messages and calls in ML-KEM by default before they leave your device. No phone number, no email, no toggle to find. Free, on web and Android.