
NOIDChat

Private. Encrypted. Anonymous.
A messaging app built for people who believe privacy isn't optional. No phone number. No email. No identity required. Direct messages are wrapped in post-quantum ML-KEM encryption — built to stay secret even against a quantum computer.

Post-Quantum Encryption

Direct messages, files, and voice notes are protected with ML-KEM — the NIST-standardised post-quantum key encapsulation mechanism (FIPS-203) — wrapped around AES-256-GCM. The same primitives the U.S. government recommends for protecting data against a future quantum computer. Two modes, both end-to-end.

Flash 768 — Default

Every direct message you send is encrypted with ML-KEM-768 (NIST Category 3) + AES-256-GCM. Post-quantum by default. No toggle required. Already running on the web app.

Flash 1024 — Opt-In

One tap in the chat menu upgrades a conversation to ML-KEM-1024 (NIST Category 5) — equivalent to AES-256 strength against quantum attackers. For the conversations that matter most.

Roulette Cascade — Experimental

A multi-cipher cascade mode (AES-GCM, ChaCha20-Poly1305, XChaCha20-Poly1305 with HMAC authentication and per-second rotation) remains available for group chats and as a transparent fallback when post-quantum isn't yet negotiated with a peer. Being phased out as ML-KEM coverage expands.

Built For Privacy

No Identity Required

Sign up with just a username. No phone number. No email. No tracking. Your display name is all anyone sees.

End-to-End Encrypted

Messages are encrypted on your device before sending. The server never sees your plaintext. Only you and the recipient can read them.

Encrypted Files

Photos, videos, audio, and documents are encrypted end-to-end on your device before upload — wrapped in the same ML-KEM-derived key as your messages.

Voice Notes

Hold the mic to record, release to send. Audio is encrypted on your device through the same pipeline as files — never uploaded as plaintext.

Hyper Protect

The ultimate panic button. Set a deactivation PIN — if entered, ALL your data is permanently destroyed. Your account ceases to exist. No trace.

Rotating QR Codes

Add friends securely with QR codes that change every 60 seconds. HMAC-signed so they can't be forged or replayed.
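One way a 60-second, HMAC-signed code can resist both forgery and replay, as an added example that is not NoidChat's code. It assumes a server-held key; the token layout and the names `issueToken` and `redeemToken` are hypothetical.

```javascript
// Added example, not NoidChat's code: key handling, token layout and names are assumptions.
const nodeCrypto = require('node:crypto');

const WINDOW_MS = 60_000;   // rotation period stated on the page
const redeemed = new Set(); // nonces already used; entries can be dropped once their window ends

function tagFor(key, body) {
  return nodeCrypto.createHmac('sha256', key).update(body).digest();
}

// String a QR code would carry: base64url(JSON payload) + "." + base64url(HMAC-SHA256 tag).
function issueToken(key, user, nowMs) {
  const payload = { u: user, w: Math.floor(nowMs / WINDOW_MS),
                    n: nodeCrypto.randomBytes(12).toString('base64url') };
  const body = Buffer.from(JSON.stringify(payload)).toString('base64url');
  return `${body}.${tagFor(key, body).toString('base64url')}`;
}

// Verify the tag first, and only then parse and trust the payload.
function redeemToken(key, token, nowMs) {
  const parts = String(token).split('.');
  if (parts.length !== 2) return { ok: false, reason: 'malformed' };
  const given = Buffer.from(parts[1], 'base64url');
  const expected = tagFor(key, parts[0]);
  if (given.length !== expected.length || !nodeCrypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad-mac' };   // forged or altered
  }
  const { u, w, n } = JSON.parse(Buffer.from(parts[0], 'base64url').toString('utf8'));
  if (w !== Math.floor(nowMs / WINDOW_MS)) return { ok: false, reason: 'expired' };
  if (redeemed.has(n)) return { ok: false, reason: 'replayed' }; // same code scanned twice
  redeemed.add(n);
  return { ok: true, user: u };
}
```

The time window alone only bounds how long a captured code stays usable; the single-use nonce check is what rejects a second scan inside the same 60 seconds.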

Biometric Lock

Lock the app with fingerprint or face recognition. Real WebAuthn cryptographic verification — not just a screen overlay.

Groups & Stories

End-to-end encrypted group chats and stories that disappear after 24 hours. Group conversations currently use the cascade mode; ML-KEM coverage for groups is on the roadmap.

Post-Quantum Calls

NoidChat voice and video calls are wrapped in ML-KEM (NIST FIPS-203) — the post-quantum key encapsulation standard. When the cryptographically relevant quantum computer arrives, your old NoidChat calls won't suddenly become readable — they were never vulnerable to begin with.

ML-KEM-768 — V1 Calls

The default call cipher: ML-KEM-768 (NIST Category 3) post-quantum key exchange. Derives a fresh shared secret for every call session.

ML-KEM-1024 — V2 Calls

One tap in the call menu upgrades the session to ML-KEM-1024 (NIST Category 5) — equivalent to AES-256 against quantum attackers.

Per-Frame AES-256-GCM

Once the PQC handshake derives a shared secret, every audio/video frame is encrypted in-browser with AES-256-GCM via WebRTC Insertable Streams. Zero plaintext ever touches the network.

Dual-Stack Pipelines

V1 and V2 call pipelines run in parallel and never cross-wire. If a future cryptanalysis breakthrough hits one, the other holds the line. Future-proofing built into the architecture.

Security Hardened

Continuous security review and regular vulnerability audits. Here's what's protected at the platform level:

XSS Protection

All user input escaped. Nicknames sanitized. No injection possible.

SSRF Protection

Link previews blocked from internal networks. DNS rebinding mitigated.
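A sketch of the check this describes, as an added example that is not NoidChat's code: resolve the preview host once, reject the URL if any answer is internal, and connect to the vetted address so a second DNS answer cannot redirect the fetch. The function name `planPreviewFetch`, the injected synchronous resolver and the exact range list are assumptions.

```javascript
// Added example, not NoidChat's code. Names, the injected resolver and the range list are assumptions.
const net = require('node:net');

const internal = new net.BlockList();
for (const [addr, bits] of [['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10],
  ['127.0.0.0', 8], ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16]]) {
  internal.addSubnet(addr, bits, 'ipv4');
}
internal.addAddress('::1', 'ipv6');          // loopback
internal.addSubnet('fc00::', 7, 'ipv6');     // unique local
internal.addSubnet('fe80::', 10, 'ipv6');    // link local

// resolveAll(host) returns every address for the host (injected so the demo runs offline).
function planPreviewFetch(rawUrl, resolveAll) {
  let url;
  try { url = new URL(rawUrl); } catch { return { ok: false, reason: 'bad-url' }; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { ok: false, reason: 'scheme' };
  }
  const host = url.hostname.replace(/^\[|\]$/g, ''); // strip IPv6 literal brackets
  // Resolve exactly once; the caller must connect to connectTo, not re-resolve the name.
  const addrs = net.isIP(host) ? [host] : resolveAll(host);
  if (addrs.length === 0) return { ok: false, reason: 'no-address' };
  for (const a of addrs) {
    const family = net.isIP(a) === 6 ? 'ipv6' : 'ipv4';
    if (internal.check(a, family)) return { ok: false, reason: 'internal-address' };
  }
  return { ok: true, connectTo: addrs[0], hostHeader: url.host };
}
```

Redirects need the same treatment: each hop's URL goes back through the check before it is followed.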

Rate Limiting

Brute force blocked. Upload limits. Message throttling. Connection timeouts.

Auth Security

JWT with pinned algorithms. Bcrypt password hashing. Reserved username blocking.

File Security

Uploads require authentication. Random filenames. MIME validation. Size limits.

Data Isolation

Channel membership checks on every operation. No cross-channel data leaks.

Encryption at Rest

Auth database encrypted with AES-256-GCM. SSL keys restricted to owner only.

Clean Logout

All keys, caches, cookies, and service workers wiped on logout. No residual data.

Coming Next

Privacy work is never finished. These are the hardening features actively in development:

Per-Message Forward Secrecy

A Double-Ratchet-style protocol so that compromise of a long-term key doesn't expose past messages. Each message will derive its own ephemeral key.

Out-of-Band Chat Verification

QR-code and shared-secret verification for one-to-one conversations — confirm out-of-band that nobody has swapped your peer's key.

Hardware-Backed Keys

Migrating private key storage from browser IndexedDB to WebAuthn-backed enclaves where the platform supports it. Keys you can't read even if your browser is compromised.

Group Key Rotation

Automatic re-keying of group conversations when a member leaves or is removed, so they lose access to all future messages.

ML-KEM for Groups

Extending post-quantum coverage from one-to-one conversations to group chats. Same Flash 768 / Flash 1024 modes, multi-recipient.

iOS Application

A native iOS build is in development. The web app already works on iOS via Safari; the App Store release is in the pipeline.

Get NOIDChat

Available now on web (works on iOS via Safari) and Android. Native iOS app in development.