Is Koaich post-quantum?
Partly, today — and honestly so. Koaich's 1:1 messaging uses post-quantum hybrid key agreement (X25519 + ML-KEM-1024), and new documents' content keys use the same hybrid at rest. Here's exactly what's covered, what isn't, and the honest limits (no safety-number key verification yet).
"Post-quantum" is a fair thing for a security-conscious buyer to ask about, and it's easy to answer dishonestly, so here's the precise version. A large quantum computer running Shor's algorithm would break the public-key cryptography (elliptic-curve key exchange and signatures) that secures most of today's internet. Such a machine does not exist yet — but the relevant risk is "harvest now, decrypt later": an adversary records your encrypted data today and decrypts it once such a machine exists. For data with a long secrecy lifetime, that's a real concern now.
Where Koaich stands: messaging is genuinely post-quantum today; stored data is being migrated. We'll walk through both, including what is still classical, because the honest scope is the whole point.
What's post-quantum today: one-to-one messaging
Koaich's 1:1 message key agreement is hybrid post-quantum. The initial key exchange combines the classical X25519 Diffie-Hellman secret with an ML-KEM-1024 encapsulation (NIST FIPS 203, formerly CRYSTALS-Kyber-1024), mixed together with HKDF. "Hybrid" means an attacker would have to break both X25519 and ML-KEM-1024 to recover the session secret — so you're no worse off than classical even if one scheme is later weakened.
The post-quantum public key is signed by the sender's identity key, which closes the downgrade vector — a server can't silently force a classical session or swap in its own ML-KEM key. This is the same class and scope as Signal's PQXDH and Apple iMessage's PQ3: post-quantum on the key agreement, not on every subsequent message key (the per-message ratchet continues with classical X25519, exactly as PQ3 does). Among major messengers, only Signal and Apple iMessage have shipped end-to-end post-quantum key agreement — WhatsApp and Messenger have not announced it (Meta's post-quantum work is in transport/infrastructure, not the E2E layer), so Koaich is a peer of Signal/Apple here and ahead of the rest.
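To make the two properties above concrete, here is an added example of the handshake shape, written for this page rather than taken from Koaich (the page does not publish Koaich's exact construction). It assumes Go 1.24 or later, using only the standard library (crypto/ecdh, crypto/mlkem, crypto/hkdf, crypto/ed25519). The bundle layout, the "bundle-v1|" transcript prefix and the HKDF info label are hypothetical. What it demonstrates: both the X25519 and the ML-KEM-1024 shared secrets feed a single HKDF call, so the session key cannot be recovered without breaking both; and the initiator refuses to do any key agreement unless the identity-key signature over both public keys verifies, which is what stops a directory from substituting its own ML-KEM key or silently dropping it. The same combine step is the shape the page describes for wrapping new documents' content keys at rest.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/hkdf"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Hypothetical HKDF label; the page does not publish Koaich's real domain-separation strings.
const sessionInfo = "example-hybrid-x25519-mlkem1024-session-v1"

// Bundle is what a key directory hands to an initiator: the responder's long-term Ed25519
// identity key, an X25519 key, an ML-KEM-1024 encapsulation key, and an identity-key
// signature over both public keys. (Illustrative layout, not Koaich's wire format.)
type Bundle struct {
	Identity ed25519.PublicKey
	X25519   *ecdh.PublicKey
	MLKEM    *mlkem.EncapsulationKey1024
	Sig      []byte
}

// Responder holds the private halves of its published Bundle.
type Responder struct {
	xPriv   *ecdh.PrivateKey
	kemPriv *mlkem.DecapsulationKey1024
	Bundle  Bundle
}

// signedBytes covers both public keys, so a directory cannot swap or drop the ML-KEM key
// without invalidating the identity-key signature (the downgrade vector the page describes).
func signedBytes(x *ecdh.PublicKey, k *mlkem.EncapsulationKey1024) []byte {
	return append(append([]byte("bundle-v1|"), x.Bytes()...), k.Bytes()...)
}

// NewResponder generates identity, X25519 and ML-KEM-1024 keys and signs the public bundle.
func NewResponder() (*Responder, error) {
	identPub, identPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	xPriv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	kemPriv, err := mlkem.GenerateKey1024()
	if err != nil { return nil, err }
	kemPub := kemPriv.EncapsulationKey()
	sig := ed25519.Sign(identPriv, signedBytes(xPriv.PublicKey(), kemPub))
	b := Bundle{Identity: identPub, X25519: xPriv.PublicKey(), MLKEM: kemPub, Sig: sig}
	return &Responder{xPriv: xPriv, kemPriv: kemPriv, Bundle: b}, nil
}

// combine runs both shared secrets through HKDF-SHA256; the 32-byte output depends on
// ssX AND ssKEM, so recovering it means breaking both X25519 and ML-KEM-1024. The salt
// binds the result to the signed bundle and the initiator's ephemeral key.
func combine(ssX, ssKEM, salt []byte) ([]byte, error) {
	ikm := append(append([]byte{}, ssX...), ssKEM...)
	return hkdf.Key(sha256.New, ikm, salt, sessionInfo, 32)
}

// Initiate verifies the bundle signature before any key agreement, then returns the session
// key plus the ephemeral X25519 public key and KEM ciphertext the responder needs.
func Initiate(b Bundle) (key []byte, initX *ecdh.PublicKey, kemCT []byte, err error) {
	if !ed25519.Verify(b.Identity, signedBytes(b.X25519, b.MLKEM), b.Sig) {
		return nil, nil, nil, errors.New("bundle signature invalid: refusing key agreement")
	}
	ephX, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil { return nil, nil, nil, err }
	ssX, err := ephX.ECDH(b.X25519)
	if err != nil { return nil, nil, nil, err }
	ssKEM, ct := b.MLKEM.Encapsulate()
	salt := append(signedBytes(b.X25519, b.MLKEM), ephX.PublicKey().Bytes()...)
	key, err = combine(ssX, ssKEM, salt)
	return key, ephX.PublicKey(), ct, err
}

// Accept is the responder side: X25519 with the initiator's ephemeral key, ML-KEM-1024
// decapsulation, then the same HKDF combine over the same transcript.
func (r *Responder) Accept(initX *ecdh.PublicKey, kemCT []byte) ([]byte, error) {
	ssX, err := r.xPriv.ECDH(initX)
	if err != nil { return nil, err }
	ssKEM, err := r.kemPriv.Decapsulate(kemCT)
	if err != nil { return nil, err }
	salt := append(signedBytes(r.Bundle.X25519, r.Bundle.MLKEM), initX.Bytes()...)
	return combine(ssX, ssKEM, salt)
}

func main() {
	r, err := NewResponder()
	if err != nil { panic(err) }
	kI, initX, ct, err := Initiate(r.Bundle)
	if err != nil { panic(err) }
	kR, err := r.Accept(initX, ct)
	fmt.Println("session keys match:", err == nil && bytes.Equal(kI, kR))
}
```

Two caveats a practitioner should keep in mind when reading this. ML-KEM uses implicit rejection, so a tampered KEM ciphertext makes the responder derive a different key rather than return an error; a real protocol detects that with a key-confirmation step on the first message. And the signature check only binds the bundle to whatever identity key the directory served, which is exactly the gap the page's next section describes: without out-of-band verification, an active malicious directory can still substitute the identity key itself.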
What post-quantum does NOT mean here (the honest part)
Post-quantum hybrid key agreement is real and strong — but it is not the same as "no one can ever intercept your messages," and we won't let the term imply that. Koaich does not yet have out-of-band key verification — the "safety numbers" you'd compare with a contact to confirm there's no machine-in-the-middle.
Until that ships, the server acts as the key directory, so an active *malicious* server could substitute a contact's identity key and machine-in-the-middle a conversation — the post-quantum math doesn't prevent that. So the honest scope today is: strong against a passive breach and an honest-but-curious server; not yet proof against an active malicious server. Out-of-band key verification is the next item in the security build, and we'll update this page when it lands rather than imply it early.
What's not post-quantum yet (and we won't pretend otherwise)
These surfaces still rely, in whole or in part, on classical elliptic-curve cryptography (X25519 / Ed25519) today, and we do not imply they're post-quantum:
Stored vault data — partly post-quantum now. New documents' content keys are wrapped with the same X25519 + ML-KEM-1024 hybrid (shipped), so document bodies created from here forward get post-quantum protection at rest. Still classical today: vault labels and document metadata (the vault key), documents created before the change (intentionally not re-wrapped — there's no production data yet), and group keys. Stored data is the largest "harvest now, decrypt later" surface for a vault product, which is why new-document content keys were the first to migrate.
Group messaging via MLS stays on standards-track classical cryptography, because post-quantum MLS is not yet standardized (no finalized ciphersuite exists to adopt). Its symmetric layer is AES-128 — NIST post-quantum Level 1, which Grover's algorithm doesn't meaningfully threaten; the part awaiting post-quantum MLS is its classical key exchange. We'll move when the standard lands, and we say so rather than claim it early. Signatures (Ed25519) are also classical — but breaking a signature enables future forgery, not retroactive decryption, so it isn't a harvest-now risk.
Why hybrid, not post-quantum-only
The post-quantum algorithms are newer and less battle-tested than X25519. Combining them (rather than replacing) means a flaw discovered in ML-KEM doesn't drop you below today's classical security, and a quantum computer that breaks X25519 doesn't drop you below post-quantum security. Belt and suspenders. It's the same conservative choice the IETF, Signal, and Apple made.
The honest one-liner
There is no such thing as "quantum-proof," and any vendor who says it should lose your trust. The accurate statement for Koaich today: post-quantum hybrid key agreement protects one-to-one messaging (between up-to-date clients), and new documents' content keys are wrapped with the same hybrid at rest — Signal/Apple-tier messaging cryptography, ahead of WhatsApp and Messenger. Vault labels, older documents, group keys, and group MLS remain classical for now, and out-of-band key verification isn't shipped yet — so this is top-tier privacy-first encryption with a trust-the-server key directory, not an unconditional guarantee. We'd rather state that precisely than overclaim. For the key-management terms behind this, see DEK, KEK, EKM, CMK explained and key custody.