01 — NoidChat / Security

Post-Quantum Encrypted Messaging

NoidChat encrypts direct messages, files, voice notes and calls with ML-KEM, the NIST-standardised post-quantum key encapsulation mechanism, layered over AES-256-GCM. This page explains what that means, how the stack is built, and, because honesty is a security feature, what it does not protect you from.

02 — The Quantum Problem

Harvest Now, Decrypt Later

Most encrypted messengers protect your conversations with key exchanges built on elliptic-curve or RSA mathematics. That math has one known catastrophic failure mode: a large, fault-tolerant quantum computer running Shor's algorithm solves it efficiently. No such machine exists today. That is less reassuring than it sounds.

The attack that matters is already running. It is called harvest now, decrypt later: an adversary with enough storage records your encrypted traffic today and waits. When a cryptographically relevant quantum computer arrives, every classical key exchange in that archive becomes solvable, and everything behind it becomes readable, retroactively. If a conversation needs to stay private for ten years, protecting it with cryptography that may fail within ten years is a bad trade.

Post-quantum cryptography exists to close that window. In August 2024, NIST finalised FIPS-203, standardising ML-KEM (Module-Lattice-Based Key Encapsulation Mechanism, formerly CRYSTALS-Kyber) as the primary quantum-resistant key exchange. It rests on lattice problems that neither classical computers nor any known quantum algorithm can solve efficiently. Our plain-language explainer covers how ML-KEM works if you want the theory. NoidChat simply uses it. By default.

03 — The Stack

What Actually Encrypts Your Messages

Every layer below is end-to-end: keys are generated and held on your device, and the server only ever handles ciphertext.

L · 01 ML-KEM-768 The default key exchange — NIST security Category 3, FIPS-203. Encapsulates on every direct message and V1 call, deriving keys for AES-256-GCM. No toggle, no setup.
L · 02 ML-KEM-1024 The opt-in upgrade — NIST Category 5 parameter set, rated equivalent to AES-256 strength against quantum attackers. One tap per chat or call.
L · 03 AES-256-GCM The payload cipher under the ML-KEM-derived keys — messages, photos, videos, documents and voice notes, encrypted on your device before upload; per-frame on calls.
L · 04 Ciphertext Only What the wire and the server ever see. Keys never leave your device, and no plaintext frame touches the network.

M · 01 — THE DEFAULT

Flash 768

Every direct message is encrypted with ML-KEM-768 (NIST security Category 3) key encapsulation deriving keys for AES-256-GCM. Photos, videos, documents and voice notes run through the same pipeline, encrypted on your device before upload. No toggle, no setup. Post-quantum is the floor, not a feature tier.

M · 02 — OPT-IN

Flash 1024

One tap in the chat menu upgrades a conversation to ML-KEM-1024, the NIST Category 5 parameter set, rated equivalent to AES-256 strength against quantum attackers. For the conversations that warrant the heaviest standardised lattice parameters available.

M · 03 — CALLS

Post-Quantum Calls

Voice and video calls open with an ML-KEM handshake that derives a fresh shared secret per call session: ML-KEM-768 on V1 calls, ML-KEM-1024 opt-in on V2. Every audio and video frame is then encrypted in-browser with per-frame AES-256-GCM via WebRTC Insertable Streams. No plaintext frame touches the network.

M · 04 — REDUNDANCY

Dual-Stack Pipelines

The V1 and V2 call pipelines run in parallel and never cross-wire. If a future cryptanalysis breakthrough hits one stack, the other holds the line. Redundancy is part of the architecture, not an afterthought.

One more mode exists: Roulette Cascade, an experimental multi-cipher cascade (AES-GCM, ChaCha20-Poly1305 and XChaCha20-Poly1305 with HMAC authentication and per-second rotation). Today it covers group chats and acts as a transparent fallback when a peer has not yet negotiated post-quantum. It is classical cryptography, and it is being phased out as ML-KEM coverage expands. We list it because it is real, not because it is the headline.

04 — Spec Comparison

Flash 768 vs Flash 1024 vs Classical

Property Flash 768 Flash 1024 Classical-Only Messenger
Key exchange ML-KEM-768 (FIPS-203) ML-KEM-1024 (FIPS-203) RSA or ECDH (e.g. X25519)
NIST PQ category Category 3 Category 5 (~AES-256) None
Payload cipher AES-256-GCM AES-256-GCM AES or ChaCha20 variants
Survives Shor's algorithm Yes Yes No
Harvest-now-decrypt-later Protected Protected Exposed
How you get it Default on every DM and V1 call One tap per chat or call

"Classical-only" describes messengers whose key exchange has no post-quantum component. Not every competitor sits in that column: Signal deployed its PQXDH hybrid post-quantum key agreement in 2023. For a straight comparison, read NoidChat vs Signal.

05 — Beyond The Cipher

The Rest Of The Security Model

Encryption strength is wasted if the account around it leaks. NoidChat closes the obvious side doors.

S · 01

No Identity Required

Registration takes a username and a password. No phone number, no email, no contact-list upload. The strongest metadata policy is never collecting it. Details on the no-phone-number page.

S · 02

Hyper Protect

A deactivation PIN. Enter it and your account and all of its data are permanently destroyed, no trace left. Built for coerced-unlock scenarios: comply with the demand, and leave nothing for the person demanding.

S · 03

Rotating QR Codes

Friend-adding QR codes rotate every 60 seconds and are HMAC-signed, so they cannot be forged or replayed. Handles are exchanged on your terms, not scraped from a directory.

S · 04

Biometric Lock

Fingerprint or face lock backed by real WebAuthn cryptographic verification, not a cosmetic screen overlay. Groups and 24-hour stories run end-to-end encrypted too.

06 — Honest Limits

What Post-Quantum Encryption Does Not Do

ML-KEM protects one thing: the confidentiality of data in transit, including against a future quantum-equipped adversary. That is a strong claim and a narrow one. It does nothing about:

  • Endpoint compromise. Malware on your phone reads your messages the same way you do: after decryption. No cipher rescues an owned device.
  • Network-level metadata. Your ISP can see that you connected to NoidChat servers, when, and roughly how much traffic moved. Encryption hides content, not the fact of communication.
  • User error. Screenshots, shoulder surfing, weak passwords, and messaging the wrong person are all outside cryptography's jurisdiction.
  • Our own current gaps. NoidChat does not yet ship per-message forward secrecy (a Double-Ratchet-style protocol is in development), out-of-band key verification is on the roadmap, and group chats still ride the classical cascade rather than ML-KEM.

07 — FAQ

Common Questions

Q · 01Is ML-KEM actually a standard?

Yes. ML-KEM is FIPS-203, finalised by NIST in August 2024. It grew out of CRYSTALS-Kyber, the lattice-based scheme selected in NIST's post-quantum competition. Flash 768 uses the ML-KEM-768 parameter set (Category 3); Flash 1024 uses ML-KEM-1024 (Category 5). This is standardised cryptography, not a homebrew cipher.

Q · 02Do post-quantum messages work in group chats?

Not yet. Groups currently use the Roulette Cascade mode: classical multi-cipher encryption, still end-to-end, but not quantum-resistant. Extending Flash 768 and Flash 1024 to groups is on the active roadmap. Until it ships, treat direct messages and calls as the post-quantum surface.

Q · 03Has NoidChat been independently audited?

No. We do not claim third-party audits, because none have been published. Selected components of the encryption layer are public for review, but the app is not fully open source. If a long audit history is your bar, Signal clears it and we do not, yet.

Q · 04Will my old messages become readable when quantum computers arrive?

Traffic protected by ML-KEM key exchange is designed to withstand quantum attack, so ciphertext recorded off the wire today is not expected to become readable later. That protection does not extend to content that leaves the encrypted channel by other means: a compromised device, a screenshot, or an exported plaintext copy.

Q · 05What is the practical difference between Flash 768 and Flash 1024?

Larger lattice parameters. ML-KEM-1024 uses bigger keys and ciphertexts in exchange for Category 5 strength, the level rated equivalent to AES-256 against a quantum adversary. The overhead is bytes per handshake, not delay you will notice. If a conversation warrants it, turn it on.