01 — Learn
Post-quantum encryption is cryptography built to survive an adversary with a quantum computer. This guide covers what a quantum machine actually breaks, what it does not, why the recording of today's traffic already started, what ML-KEM and FIPS 203 mean, and how to judge any product that claims to be ready.
02 — The Break
Nearly all of today's public-key cryptography rests on two math problems: factoring enormous numbers (RSA) and computing discrete logarithms on elliptic curves (the ECDH and X25519 exchanges behind most secure apps). For a classical computer, both are hopeless at real key sizes.
In 1994, mathematician Peter Shor showed that a large, fault-tolerant quantum computer solves both efficiently — turning "billions of years" into a bad afternoon. A machine big enough to run Shor's algorithm against real keys is called a CRQC: a cryptographically relevant quantum computer.
No CRQC exists yet; estimates range from a decade to never. But cryptography plans around the adversary's best day — and key exchange, the exact layer Shor breaks, protects everything else.
03 — The Survivors
Symmetric cryptography mostly survives. Grover's algorithm, the other famous quantum result, speeds up brute-force search only quadratically, effectively halving a key length. AES-128 drops to roughly 64-bit security, which is uncomfortable. AES-256 drops to roughly 128-bit, which remains completely out of reach.
So post-quantum migration is not "replace all encryption". It is: replace key exchange and signatures (the Shor-vulnerable parts) and keep AES-256 for the data itself. Every serious post-quantum design, in TLS or in messengers, has exactly this shape — a quantum-safe way to agree on keys, followed by AES.
04 — The Deadline
Why act before the machine exists? Because interception and decryption do not have to happen at the same time.
Encrypted traffic can be recorded today and stored indefinitely — storage is cheap. Anything captured under RSA or elliptic-curve key exchange stays sealed only until a CRQC comes online, then unseals retroactively. The practice has a name: harvest now, decrypt later.
Mosca's theorem compresses this: if the years your data must stay secret plus the years migration takes exceed the years until a CRQC, you are already late. For anything with a ten-year shelf life — medical records, legal work, sources — "later" means "now".
05 — The Standards
NIST, the US standards body, did the right thing: a public, worldwide competition instead of a secret design. The 2016 call drew 82 candidate submissions; anyone on Earth was invited to break them. Many fell — SIKE, a late-round candidate, went down in 2022 to an ordinary computer in about an hour. That is the process working: better a public break in review than a private one in production.
In August 2024, the survivors became the first finalized US federal post-quantum standards:
| Standard | Algorithm | Derived from | Job |
|---|---|---|---|
| FIPS 203 | ML-KEM | CRYSTALS-Kyber | Key encapsulation — establishing shared secret keys |
| FIPS 204 | ML-DSA | CRYSTALS-Dilithium | Digital signatures — the primary signing standard |
| FIPS 205 | SLH-DSA | SPHINCS+ | Digital signatures — hash-based, conservative backup |
For messaging, FIPS 203 is the one that matters: it standardizes how a shared secret key reaches the other end of a conversation without anyone in between learning it.
06 — The Mechanism
ML-KEM is a key encapsulation mechanism, and the concept is simpler than the name.
Classic Diffie-Hellman is a conversation: both parties contribute halves and interactively converge on a shared secret. A KEM is a delivery. You publish a public key. Anyone who wants to talk to you generates a fresh random secret, seals it against that key (encapsulation), and sends the resulting ciphertext. Only your private key opens it (decapsulation). Both ends now hold the same 32-byte secret; nobody watching the wire can recover it.
The secret is never used raw: a key derivation function turns it into the symmetric keys — typically AES-256-GCM — that encrypt the actual messages, files, and call frames. The KEM's whole job is that one safe delivery. Deliberately small, deliberately auditable.
07 — The Sizes
NIST grades post-quantum parameter sets against known benchmarks instead of abstract bit counts: Category 1 is at least as hard to break as brute-forcing AES-128, Category 3 matches AES-192, Category 5 matches AES-256. ML-KEM ships in three sizes:
| Parameter set | NIST category | As hard as breaking | Public key | Ciphertext |
|---|---|---|---|---|
| ML-KEM-512 | Category 1 | AES-128 | 800 bytes | 768 bytes |
| ML-KEM-768 | Category 3 | AES-192 | 1,184 bytes | 1,088 bytes |
| ML-KEM-1024 | Category 5 | AES-256 | 1,568 bytes | 1,568 bytes |
ML-KEM-768 is the pragmatic industry default — the parameter set inside the hybrid key exchange major browsers now use for TLS. ML-KEM-1024 buys maximum margin for long-lived secrets at slightly larger key and ciphertext sizes.
08 — The Math
A lattice is an endless, regular grid of points. In two dimensions — graph paper — finding the grid point nearest an arbitrary dot is trivial. Stretch the grid into hundreds of dimensions and skew it, and the same question becomes brutally hard. ML-KEM builds on a related problem, Module Learning With Errors: a secret hidden inside equations, each deliberately nudged by small random noise. Recovering it means un-noising high-dimensional linear algebra, and after decades of trying nobody — classical or quantum — has found an efficient way in. Unlike factoring, there is no known quantum shortcut.
09 — The Checklist
Marketing has discovered the word "quantum". Six questions cut through it — any serious vendor can answer them in plain language. Including us.
A vendor who answers all six plainly takes the problem seriously. A vendor who answers "military-grade encryption" does not.
10 — Worked Example
Here is that checklist run against our own product, gaps included.
NoidChat encrypts direct messages with ML-KEM-768 — Category 3, FIPS 203 — by default, no toggle (Q1, Q2). The encapsulated secret drives AES-256-GCM for messages, files, and voice notes; calls run the same handshake, then encrypt every media frame with AES-256-GCM (Q3). One tap raises a conversation to ML-KEM-1024, Category 5. Group chats still run a classical multi-cipher cascade; ML-KEM for groups is on the roadmap — a real coverage gap, and we say so.
NoidChat runs pure ML-KEM rather than a hybrid (Q4). Per-message forward secrecy is in development, not shipped (Q5). Selected encryption-layer components are public, but NoidChat is not fully open source — on Q6, Signal is straightforwardly stronger today.
The full protocol breakdown is in the NoidChat security deep-dive, the honest head-to-head in NoidChat vs Signal; if signing up without an identity matters, start with messaging without a phone number.
11 — Glossary
| Term | Meaning |
|---|---|
| CRQC | Cryptographically relevant quantum computer — large enough to break real-world keys, not a lab demo. |
| Shor's algorithm | Quantum algorithm (1994) that efficiently factors and computes discrete logs, breaking RSA and elliptic-curve crypto. |
| Grover's algorithm | Quantum search speedup that halves effective symmetric key length. AES-256 stays safe. |
| Harvest now, decrypt later | Recording encrypted traffic today to decrypt retroactively once a CRQC exists. |
| KEM | Key encapsulation mechanism — seals a fresh shared secret against a public key for safe one-way delivery. |
| ML-KEM / FIPS 203 | The NIST-standardized lattice-based KEM, finalized August 2024, derived from CRYSTALS-Kyber. |
| Security category | NIST's strength scale: Category 1 ≈ breaking AES-128, Category 3 ≈ AES-192, Category 5 ≈ AES-256. |
| Hybrid key exchange | Running a classical exchange (e.g. X25519) and ML-KEM together, so both must break before the traffic does. |
12 — FAQ
Yes, if anything you send must stay private for years. Encrypted traffic captured today can be stored and decrypted retroactively once a CRQC arrives — harvest now, decrypt later. Adopting post-quantum key exchange after the machine arrives is too late for everything already recorded.
ML-KEM is the finalized standard, published as FIPS 203 in August 2024; CRYSTALS-Kyber is the submission it was derived from. NIST made small changes during standardization, so the two are not interoperable, but the lattice foundation and years of analysis carry over. "Kyber" in older writing is ML-KEM's pre-standard name.
Not meaningfully. Grover's algorithm only halves effective key length, leaving AES-256 with roughly 128-bit security against a quantum attacker — far beyond any feasible attack. That is why post-quantum systems handle key establishment and hand the data itself to AES-256.
Security margin. ML-KEM-768 is NIST Category 3 (comparable to breaking AES-192) and the industry default. ML-KEM-1024 is Category 5 (AES-256) with modestly larger keys and ciphertexts. For most conversations 768 is ample; 1024 exists for secrets that must hold for decades.
Signal added a hybrid of X25519 and Kyber to its key agreement in 2023. Apple shipped hybrid PQ3 for iMessage in 2024. NoidChat runs ML-KEM-768 by default on direct messages and calls, with ML-KEM-1024 opt-in. Different approaches — hybrid versus pure — so the checklist above still applies.
13 — Try It
NoidChat wraps direct messages and calls in ML-KEM by default before they leave your device. No phone number, no email, no toggle to find. Free, on web and Android.