Home About Projects NoidChat

01 — NoidChat / Security

Post-Quantum
Encrypted Messaging

NoidChat encrypts direct messages, files, voice notes and calls with ML-KEM, the NIST-standardised post-quantum key encapsulation mechanism, layered over AES-256-GCM. This page explains what that means, how the stack is built, and, because honesty is a security feature, what it does not protect you from.

02 — The Quantum Problem

Harvest Now, Decrypt Later

Most encrypted messengers protect your conversations with key exchanges built on elliptic-curve or RSA mathematics. That math has one known catastrophic failure mode: a large, fault-tolerant quantum computer running Shor's algorithm solves it efficiently. No such machine exists today. That is less reassuring than it sounds.

The attack that matters is already running. It is called harvest now, decrypt later: an adversary with enough storage records your encrypted traffic today and waits. When a cryptographically relevant quantum computer arrives, every classical key exchange in that archive becomes solvable, and everything behind it becomes readable, retroactively. If a conversation needs to stay private for ten years, protecting it with cryptography that may fail within ten years is a bad trade.

Post-quantum cryptography exists to close that window. In August 2024, NIST finalised FIPS-203, standardising ML-KEM (Module-Lattice-Based Key Encapsulation Mechanism, formerly CRYSTALS-Kyber) as the primary quantum-resistant key exchange. It rests on lattice problems that neither classical computers nor any known quantum algorithm can solve efficiently. Our plain-language explainer covers how ML-KEM works if you want the theory. NoidChat simply uses it. By default.

03 — The Stack

What Actually Encrypts Your Messages

Every layer below is end-to-end: keys are generated and held on your device, and the server only ever handles ciphertext.

Flash 768 — The Default

Every direct message is encrypted with ML-KEM-768 (NIST security Category 3) key encapsulation deriving keys for AES-256-GCM. Photos, videos, documents and voice notes run through the same pipeline, encrypted on your device before upload. No toggle, no setup. Post-quantum is the floor, not a feature tier.

Flash 1024 — Opt-In

One tap in the chat menu upgrades a conversation to ML-KEM-1024, the NIST Category 5 parameter set, rated equivalent to AES-256 strength against quantum attackers. For the conversations that warrant the heaviest standardised lattice parameters available.

Post-Quantum Calls

Voice and video calls open with an ML-KEM handshake that derives a fresh shared secret per call session: ML-KEM-768 on V1 calls, ML-KEM-1024 opt-in on V2. Every audio and video frame is then encrypted in-browser with per-frame AES-256-GCM via WebRTC Insertable Streams. No plaintext frame touches the network.

Dual-Stack Pipelines

The V1 and V2 call pipelines run in parallel and never cross-wire. If a future cryptanalysis breakthrough hits one stack, the other holds the line. Redundancy is part of the architecture, not an afterthought.

One more mode exists: Roulette Cascade, an experimental multi-cipher cascade (AES-GCM, ChaCha20-Poly1305 and XChaCha20-Poly1305 with HMAC authentication and per-second rotation). Today it covers group chats and acts as a transparent fallback when a peer has not yet negotiated post-quantum. It is classical cryptography, and it is being phased out as ML-KEM coverage expands. We list it because it is real, not because it is the headline.

04 — Spec Comparison

Flash 768 vs Flash 1024 vs Classical

Flash 768 Flash 1024 Classical-Only Messenger
Key exchange ML-KEM-768 (FIPS-203) ML-KEM-1024 (FIPS-203) RSA or ECDH (e.g. X25519)
NIST PQ category Category 3 Category 5 (~AES-256) None
Payload cipher AES-256-GCM AES-256-GCM AES or ChaCha20 variants
Survives Shor's algorithm Yes Yes No
Harvest-now-decrypt-later Protected Protected Exposed
How you get it Default on every DM and V1 call One tap per chat or call

"Classical-only" describes messengers whose key exchange has no post-quantum component. Not every competitor sits in that column: Signal deployed its PQXDH hybrid post-quantum key agreement in 2023. For a straight comparison, read NoidChat vs Signal.

05 — Beyond The Cipher

The Rest Of The Security Model

Encryption strength is wasted if the account around it leaks. NoidChat closes the obvious side doors.

No Identity Required

Registration takes a username and a password. No phone number, no email, no contact-list upload. The strongest metadata policy is never collecting it. Details on the no-phone-number page.

Hyper Protect

A deactivation PIN. Enter it and your account and all of its data are permanently destroyed, no trace left. Built for coerced-unlock scenarios: comply with the demand, and leave nothing for the person demanding.

Rotating QR Codes

Friend-adding QR codes rotate every 60 seconds and are HMAC-signed, so they cannot be forged or replayed. Handles are exchanged on your terms, not scraped from a directory.

Biometric Lock

Fingerprint or face lock backed by real WebAuthn cryptographic verification, not a cosmetic screen overlay. Groups and 24-hour stories run end-to-end encrypted too.

06 — Honest Limits

What Post-Quantum Encryption Does Not Do

ML-KEM protects one thing: the confidentiality of data in transit, including against a future quantum-equipped adversary. That is a strong claim and a narrow one. It does nothing about:

Choose Signal If...

Fairness costs nothing: Signal is fully open source, run by a nonprofit, carries years of published third-party audits, and ships a native iOS app today. NoidChat is none of those things yet. Selected components of our encryption layer are public for review, but the app is not fully open source, no independent audit has been published, and native iOS is still in development (the web app works on iOS via Safari).

If audit history and full source availability are your hard requirements, use Signal. If post-quantum encryption by default, registration with no phone number, and Hyper Protect matter more, that is the ground NoidChat holds. The full comparison pulls no punches either way.

07 — FAQ

Common Questions

Is ML-KEM actually a standard?

Yes. ML-KEM is FIPS-203, finalised by NIST in August 2024. It grew out of CRYSTALS-Kyber, the lattice-based scheme selected in NIST's post-quantum competition. Flash 768 uses the ML-KEM-768 parameter set (Category 3); Flash 1024 uses ML-KEM-1024 (Category 5). This is standardised cryptography, not a homebrew cipher.

Do post-quantum messages work in group chats?

Not yet. Groups currently use the Roulette Cascade mode: classical multi-cipher encryption, still end-to-end, but not quantum-resistant. Extending Flash 768 and Flash 1024 to groups is on the active roadmap. Until it ships, treat direct messages and calls as the post-quantum surface.

Has NoidChat been independently audited?

No. We do not claim third-party audits, because none have been published. Selected components of the encryption layer are public for review, but the app is not fully open source. If a long audit history is your bar, Signal clears it and we do not, yet.

Will my old messages become readable when quantum computers arrive?

Traffic protected by ML-KEM key exchange is designed to withstand quantum attack, so ciphertext recorded off the wire today is not expected to become readable later. That protection does not extend to content that leaves the encrypted channel by other means: a compromised device, a screenshot, or an exported plaintext copy.

What is the practical difference between Flash 768 and Flash 1024?

Larger lattice parameters. ML-KEM-1024 uses bigger keys and ciphertexts in exchange for Category 5 strength, the level rated equivalent to AES-256 against a quantum adversary. The overhead is bytes per handshake, not delay you will notice. If a conversation warrants it, turn it on.

08 — Get NoidChat

Run The Stack Yourself

Free on web and Android. No phone number. Post-quantum by default.