Security
QryptChat is built so that only you and the people you talk to can read your messages. Encryption keys are generated on your device and never shared with our servers, giving QryptChat a zero-knowledge architecture: we cannot read your messages, calls, or files even if compelled to.
Cryptography
- Key encapsulation: ML-KEM-1024 (CRYSTALS-Kyber), a NIST-standardized post-quantum KEM (FIPS 203).
- Digital signatures: CRYSTALS-Dilithium (ML-DSA), NIST-standardized post-quantum signatures (FIPS 204).
- Coverage: text messages, file transfers, and 1:1 and group voice & video calls are all end-to-end encrypted.
- Key custody: private keys are created and stored on your device; the server only ever sees ciphertext.
Why post-quantum
Adversaries can record encrypted traffic today and decrypt it years later once large-scale quantum computers exist — the “harvest now, decrypt later” threat. Using NIST-approved post-quantum algorithms protects your conversations against that future, not just against classical attackers today.
Privacy & resilience
- Phone-number authentication with no email and no password to breach.
- No ads and no third-party advertising trackers.
- Accessible over Tor as a hidden service for censorship resistance.
- A public warrant canary and a privacy policy covering data minimization and GDPR rights.
- Open source under the MIT license so the cryptography can be independently audited and self-hosted.
Responsible disclosure
Found a vulnerability? Please report it to security@qrypt.chat. Our security contact is also published at /.well-known/security.txt. The full source is available on GitHub.