Does Nulkratos-Core require an account or phone number?

No account, no phone number, no email address required. You only need a shared channel ID and a PIN agreed with your contact. Zero identity linkage.

How is Nulkratos-Core different from other secure messaging apps?

Nulkratos-Core requires no phone number, no account, and no app install — just a shared channel ID and PIN agreed out-of-band. Everything runs in your browser with zero identity linkage. Purpose-built for maximum privacy and anonymity.

What encryption does Nulkratos-Core use?

AES-256-GCM authenticated encryption, Argon2id 64MB memory-hard key derivation, HKDF forward-secret message ratchet, chaff traffic injection, and timestamp blinding. All cryptography runs in your browser via the WebCrypto API.

🛡 Nulkratos-Core

Nulkratos-Core

Q: Can Nulkratos-Core read my messages?

No. All encryption and decryption happens entirely inside your browser. Your PIN and derived encryption key never leave your device. The server receives only AES-256-GCM ciphertext that is mathematically impossible to decrypt without your PIN.

Q: What happens if I forget my PIN?

Your messages are permanently unrecoverable. The PIN is the only key — there is no password reset, no recovery code, and no backdoor. This is by design: zero-knowledge means we genuinely have no way to help.

AES-256-GCM · Argon2id · HKDF Ratchet · Zero-Knowledge

⬡ End-to-End Encrypted · PIN-Derived Key

Secure Private Encrypted Messenger — No Account Required

Nulkratos-Core is a free, browser-based, zero-knowledge encrypted messaging app. Send private messages with AES-256-GCM encryption and Argon2id key derivation. No account, no phone number, no email needed. Start a secure anonymous chat channel instantly. Your PIN never leaves your device. All cryptography runs client-side in your browser. Compatible with Tor Browser and VPN for maximum anonymity. No metadata, no identity, no plaintext ever stored on any server.

End-to-end encrypted chat without registration
Anonymous messaging app — zero identity required
Private browser chat with AES-256 encryption
Secure PIN-based messaging, no phone number
Zero-knowledge architecture — server sees only ciphertext
Works with Tor Browser for maximum privacy
VPN compatible private chat application
No data collection, no tracking, no analytics
HKDF forward-secret message ratchet
Chaff traffic injection to defeat metadata analysis

establishing secure channel…

Open Zero-Knowledge Secure Channel

Channel ID

Your Name

6-Digit PIN (shared secret with your contact)

🔐 Deriving key (Argon2id)…

⚖️ Legal Statement & Privacy Commitment Binding

🚫

No plaintext is ever storedNulkratos-Core never writes your messages, names, or any readable content to any server or database. The server receives only AES-256-GCM ciphertext — random-looking bytes indistinguishable from noise.

🔑

Your PIN never leaves your deviceAll encryption and decryption happens exclusively in your browser. Your PIN, your derived key, and your decrypted messages never touch any network. Anthropic, Firebase, or any third party cannot access them.

👁‍🗨

No user data is collected or soldWe collect no analytics, no identifiers, no IP addresses, and no usage data tied to you. There is no account system and no user profile. We cannot identify you.

🗄️

Firebase is a blind relayThe underlying database (Google Firebase Firestore) stores only ciphertext, hashed IDs, and bucketed timestamps. Google and we cannot read any message content — ever.

📜

No logging, no backdoorsThis application contains no telemetry, no crash reporting tied to identity, and no law-enforcement backdoors. The full source code is verifiable via the Page Integrity tool inside the app.

⬡ What is Nulkratos-Core? Overview

Nulkratos-Core is a zero-knowledge, browser-based encrypted messenger. It lets two people communicate privately using nothing more than a shared Channel ID and a 6-digit PIN — no account, no phone number, no app install required.

Every message is encrypted with AES-256-GCM directly inside your browser before it ever reaches the internet. The server only ever sees random-looking ciphertext — it is technically impossible for us, Google Firebase, or any third party to read your conversations. Your PIN never leaves your device.

It is designed for situations where maximum privacy matters more than convenience — no identity, no metadata, no backdoors.

📖 Complete User Guide How To Use

Step 1 — Create a Channel

Tap Create New Channel. Enter a unique Channel ID (like a room name), your name, your contact's name, and choose a 6-digit PIN. This PIN is your shared encryption key — both of you must use the same one. Share it in person or via a phone call, never in a message.

Step 2 — Share the Channel ID

After creating the channel, use the 🔗 Share button or copy the Channel ID and send it to your contact. The Channel ID is not secret — only the PIN unlocks the messages.

Step 3 — Your Contact Joins

Your contact opens Nulkratos-Core, enters the same Channel ID, their name, and the same 6-digit PIN. They do not need to create a new channel — they just enter the existing one.

Step 4 — Send Encrypted Messages

Type in the message box and hit Send. Every message is encrypted in your browser before transmission. You can long-press any message to copy, reply, or delete it. Tap ↩️ Reply to quote a specific message.

Step 5 — Using the ⋯ Menu

Inside a chat, the ⋯ (three-dots) button opens extra options:

Locking & Unlocking

Tap 🔒 Lock to immediately wipe the session key from memory. Your messages remain encrypted on the server — re-enter the same Channel ID, name, and PIN to access them again. No data is lost.

⚠ Important — PIN Safety

If you forget your PIN, your messages are permanently unrecoverable. There is no reset, no recovery code, and no way for us to help — this is by design. Always share your PIN via a trusted offline channel (face-to-face or phone call) and never forget it.

My Channels

Tap · my channels · on the home screen to view channels you have previously accessed on this device. This list is stored locally in your browser and never sent to any server.

Security Architecture

🔑

Argon2id Key Derivation (64MB RAM)

Memory-hard KDF from PIN + channel ID. Shared by both users — same PIN = same key.

64MB/attempt

🔒

AES-256-GCM Encryption

Each message encrypted with authenticated AEAD. Tampering is detected and rejected.

256-bit

⚙️

Forward-Secret Message Ratchet

Each message derives a unique sub-key via HKDF. Compromising one key never exposes others.

Per-msg key

👻

Chaff Injection + Timestamp Blinding

Random dummy messages + bucketed timestamps. Traffic analysis reveals nothing.

Anti-analysis

Argon2

KDF

256

AES-GCM bits

64MB

Argon2 RAM

Plaintext stored

🗄️What the database seesZero Plaintext

channel_idSHA-256 blind hash of your ID — original never stored

message.cAES-256-GCM ciphertext (random bytes) ▪ unreadable

message.iRandom 96-bit IV — different every message

sender.sc/siEncrypted sender name — server cannot identify who

_btBucketed timestamp ± 5min — exact time hidden

_chaffDummy entries mixed in — server can't tell real from fake

_x / _y / _zRandom decoy fields — obscures message structure

pinArgon2 / pinFPArgon2id hash of PIN — original PIN never stored

names / contentNever stored in plaintext — ever

The server is a blind relay. Without the PIN — which never leaves your device — all data is indistinguishable from random noise.

💻 Device Requirements Minimum Spec

BrowserChrome 90+, Firefox 88+, Safari 15+, Edge 90+Required

WebCrypto APIMust be available — all modern browsers support itRequired

RAM256 MB free minimum — Argon2id uses 64 MB per loginImportant

CPUAny modern processor — key derivation takes 1–4 secondsAny

JavaScriptMust be enabled — the entire app runs client-sideRequired

ConnectionInternet required for message sync onlyAny speed

StorageLocalStorage for device ID only — no messages storedMinimal

ProtocolHTTPS strongly recommended — HTTP works but is unsafeHTTPS

Argon2id is intentionally memory-hard. On very low-end devices (<1 GHz or <256 MB RAM) the login step may take longer — this is by design to resist brute-force attacks.

🛡️ Boost Your Privacy: VPN & Tor Maximum Anonymity

Step 1Enable a trusted VPN — Connect through a no-log VPN before opening this app. Your ISP and network observer will see only encrypted traffic to the VPN server, not to this site.VPN

Step 2Use Tor Browser — Open this app in Tor Browser for full IP anonymisation. Your real IP address becomes completely unknown to Firebase, Cloudflare, or any observer. JavaScript must remain enabled for the app to function.Tor

Step 3Stack VPN over Tor — For the highest level of anonymity, connect your VPN first, then use Tor Browser. This hides your Tor usage from your ISP and hides your VPN from the exit node.Both

Step 4Share channel ID out-of-band — Never send the channel ID or PIN over the same channel you are trying to protect. Use a face-to-face meeting, an offline note, or a phone call.Critical

Step 5Verify Page Integrity — After loading the app, both parties should open the ⋯ menu → Page Integrity and compare the SHA-256 hash of the page. A match confirms neither side is running a tampered version.Verify

Step 6Use a private browsing session — Open the app in a private / incognito window to prevent browser history, cached data, or autofill from leaking information about your session.Recommended

Combined with Nulkratos-Core's AES-256-GCM encryption, Argon2id key derivation, chaff injection, and zero-knowledge architecture, following these steps makes your communication virtually untraceable at every layer — network, metadata, and content.

❓Frequently Asked Questions

Can Nulkratos-Core read my messages?▾

No. All encryption and decryption happens entirely inside your browser. Your PIN and derived encryption key never leave your device — not even as a hash we could reverse. We receive only ciphertext that is mathematically impossible to decrypt without your PIN.

What happens if I forget my PIN?▾

Your messages are permanently unrecoverable. The PIN is the only key that can decrypt your data — there is no password reset, no recovery code, and no backdoor. This is by design: zero-knowledge means we genuinely have no way to help. Always share your PIN through a secure out-of-band channel (phone call, in person) and remember it.

Is the connection secure if I use HTTP instead of HTTPS?▾

Always use HTTPS. While messages are encrypted before leaving your device, an active network attacker on a plain HTTP connection could serve you a tampered version of this page. You can also use the Page Integrity tool (in the ⋯ menu inside a chat) to verify the app hash with your contact.

How is this different from other secure messaging apps?▾

Nulkratos-Core is a zero-install, browser-based, PIN-derived encrypted messenger. Unlike most other security apps, it requires no phone number, no account, and no installation — just a shared channel ID and PIN agreed out-of-band. Everything runs entirely in your browser with no identity linkage whatsoever. It is purpose-built for scenarios where maximum privacy, anonymity, and zero metadata exposure matter most.

What is chaff injection and why does it matter?▾

Chaff injection means the app periodically sends random encrypted dummy messages alongside your real ones. Combined with bucketed timestamps (rounded to ± 5 minutes), a network observer cannot tell when you actually sent a message or how long your conversation pauses were. This protects metadata, not just content.

Security Stack

Argon2id 64MB key derivation Message Ratchet (HKDF chain) Chaff Traffic Injection Timestamp Blinding AES-256-GCM Page Integrity Verifier Non-extractable CryptoKey Zero-knowledge architecture Auto session lock

Nulkratos-Core

Secure Private Encrypted Messenger — No Account Required

My Channels

Create Secure Channel