Introducing post-quantum keys for NymVPN

Post-quantum key exchange via the Lewes Protocol is live in the first phase of Nym's post-quantum security roadmap

April 20, 20267 mins read

The encryption protecting most internet traffic today will eventually be broken. Not this year, and maybe not this decade. But when quantum computers reach sufficient scale, the mathematical assumptions holding up most encryption in use today will collapse. Anyone who has recorded your encrypted traffic beforehand can start decrypting it.

This is not a theoretical scenario of academic papers. It's an active threat model that well-resourced adversaries are already operating under. ^1> ²

With NymVPN v2026.7, Nym is taking the first concrete step to defend against it. In the first stage of Nym’s post-quantum security roadmap, post-quantum key exchange is now live for testing across all platforms on the Fast mode via the Lewes Protocol, a novel protocol developed by Nym that makes Nym’s privacy protections general purpose even beyond NymVPN.

Note: The Lewes Protocol feature is currently optional and must be toggled on. Following a short period in production, it will become the default key exchange protocol.

Here's what that means, why the timing matters, and where we're headed next.

Post-quantum keys on NymVPN

Nym’s new post-quantum key exchange is part of a novel protocol we call the Lewes Protocol. It is named after the English town Lewes where Nym core devs met to set out the vision to transform Nym from application-level protections to a general purpose protocol for private communications.

The Lewes Protocol is a Noise-based part of a family of Post-Quantum Pre-Shared-Key Protocols (PSQs) that mix a pre-shared, symmetric secret into key exchange mechanisms like WireGuard used by NymVPN’s Fast mode. This adds post-quantum security to the earliest phase of your NymVPN connection.

Key exchange is where a VPN session begins. Before any of your traffic travels through the tunnel, your device and the network have to agree on shared cryptographic keys. That handshake is the foundation everything else sits on. If the handshake is vulnerable, it doesn't matter how strong the rest of the encryption is. Post-quantum keys harden that handshake against quantum attack.

But that’s not all that’s special about the Lewes Protocol. Post-quantum algorithms have historically come with performance costs. So with NymVPN, we designed it with a practical constraint: it has to be fast. The Lewes Protocol is built to reduce connection startup time compared to prior post-quantum approaches. This means not only a quantum secure connection, but a more optimized start-up.

Using post-quantum keys on NymVPN

The Lewes Protocol protects the key exchange on your 2-hop decentralized routing on the Fast mode. Before being enabled as the default for all users, it is now available as a toggle you can enable in Settings.

Give it a try and let the Nym devs know what you think about the difference.

Join us on Telegram

Now let’s take a step back and consider why this matters for data security.

What is post-quantum encryption?

Modern encryption is built on mathematical hardness. RSA relies on the near-impossibility of factoring very large numbers, while Elliptic curve cryptography (ECC) depends on a related assumption about discrete logarithms. Encryption protocols like these are the foundational security mechanisms protecting VPN tunnels, banking sessions, messaging apps, and most of web traffic.

Quantum computers attack these assumptions differently from classical computers. For example, Shor's algorithm, run on a sufficiently powerful quantum machine, can factor large numbers in polynomial time. The moment that becomes feasible at scale, RSA and ECC stop being hard problems: they become solvable ones. In effect, every system still relying on those primitives becomes retroactively readable.

Most discussions of post-quantum risk focus on the question of when quantum computers get there. From a privacy perspective, this is the wrong question because the real threat isn’t waiting for the hardware to arrive. That threat is mass surveillance and data harvesting already over two decades underway.

The “harvest now, decrypt later” problem

Sufficiently resourced adversaries – anywhere from ISPs to state intelligence agencies – don't need quantum computers to begin collecting value from your encrypted data. They can record it now, store it, and decrypt it once the hardware catches up. For traffic that needs to stay private for years or decades – from political organizing, financial activity, medical records, or journalism – the window of exposure is already open.

We know that surveillance programmes at scale have operated this way. The economics are straightforward: storage is cheap, and the contents of today’s encrypted traffic will still be valuable when decryption eventually becomes possible.

This is exactly why Nym built the Noise Generating Mixnet in the first place: to protect metadata from surveillance that is happening right now, not just in theoretical futures. Post-quantum encryption is an extension of the same logic.

The NIST timeline

In 2024, the U.S. National Institute of Standards and Technology (NIST) set a formal deprecation timeline for RSA and ECC-based systems, with a full transition to post-quantum algorithms required by 2035. Candidate algorithms – including CRYSTALS-Kyber (ML-KEM) for key exchange and CRYSTALS-Dilithium and FALCON for digital signatures – have been selected for standardization.

The 2035 deadline sounds distant. Building a post-quantum cryptographic stack across an entire architecture, tested and deployed at scale, does not happen quickly. For a decentralized VPN handling real user traffic in adversarial conditions, the right time to start is not when the mandate arrives. It was several years ago. The second-best time is now.

Nym's roadmap for post-quantum security

Nym's Chief Scientific Officer Ania Piotrowska outlined Nym’s roadmap for post-quantum security last year. The Lewes Protocol marks the completion of the first of three phases, each hardening a different layer of the architecture.

Phase 1: ✅ Post-quantum key exchange

The Lewes Protocol now makes post-quantum key exchange live across all platforms in NymVPN v2026.7. With quantum-resistant key exchange for channel establishment, the Lewes Protocol not only improves security against post-quantum threats but also significantly improves connection speed.

Phase 2: Post-quantum protection for mix node communications

The next step moves the protection inward to the communication channels between mix nodes themselves. Applying post-quantum key exchange at this level means messages routed through the network gain quantum resistance at every relay, not just at the entry point.

Phase 3: Post-quantum protection in the Sphinx packet format

Sphinx is the cryptographic packet format that makes the mixnet work. It provides metadata-private message routing by encapsulating traffic in layers that each node can peel without learning anything about the origin, destination, or content of the packet.

Enhancing Sphinx with post-quantum key exchange will close the final gap, ensuring the core of the Nym mixnet is as resistant to quantum cryptanalysis as it is to classical surveillance techniques. You can read more about Nym’s plans for post-quantum mixnet security here.

When all three phases are complete, post-quantum protection will run through every layer of a NymVPN connection: the entry handshake, the mixnet, and the packet routing mechanism.

Conclusion

The post-quantum era isn't something to prepare for after the fact. The adversaries Nym was built to protect against – mass surveillance programmes, intelligence agencies, authoritarian governments – are not waiting either. They're collecting. The Lewes Protocol is the first answer to that.

References

NIST Internal Report: Transition to Post-Quantum Cryptography Standards
Chen, Moody, Yi-Kai Liu (2022): Post-Quantum Cryptography: Additional Digital Signature Schemes

About the authors

Casey Ford, PhD

Communications Lead

Casey is the Head of Communications, lead writer, and editorial reviewer at Nym. He holds a PhD in Philosophy and researches the intersection of decentralized technologies and social life.