Signal shipped PQXDH. iMessage shipped PQ3. Nostr is still on secp256k1 alone.
- Five years of receipts
- What everyone else shipped
- What Nostr currently does
- Where this puts you on Apple’s scale
- The signature problem nobody is touching
- Why every proposal stalls
- A note for whoever decrypts this in 2035
Five years of receipts
Open your DM history on #nostr today. Every NIP-17 gift wrap you’ve sent or received is sitting on a handful of inbox relays. The metadata is hidden. The sender is behind a one-time ephemeral key. The content is encrypted with NIP-44 v2, which Cure53 audited in December 2023 and which holds up fine against any classical attacker.
It also says, in the spec text itself: “a powerful quantum computer would be able to decrypt the messages.”
I wrote about NIP-17’s tradeoffs in detail already. This is a different concern. NIP-17 hides metadata well. The #cryptography underneath is exactly what was state of the art in 2009. Signal moved off that floor in 2023. Apple moved off it in 2024. WhatsApp got carried along with the Signal Protocol in 2025. Nostr is still standing there.
What everyone else shipped
Signal announced PQXDH on September 19, 2023, in a blog post by ehrenkret. The X3DH initial handshake got upgraded to a hybrid of X25519 and CRYSTALS-Kyber-1024, where an attacker has to break both the elliptic curve component and the post-quantum KEM to recover the shared secret. Signal has since disabled X3DH entirely for new chats. Every conversation started on Signal in the last two years opens under a hybrid handshake.
Apple announced PQ3 on February 21, 2024. iOS 17.4, iPadOS 17.4, macOS 14.4, and watchOS 10.4 shipped it to every iMessage user. PQ3 goes further than PQXDH did: it uses post-quantum cryptography for both the initial key establishment and for periodic rekeying during the conversation. If a key gets compromised, the protocol regenerates fresh quantum-resistant material and the attacker loses access. David Basin’s group at ETH Zurich, the same people behind the Tamarin prover, ran a formal verification of the protocol. Felix Linker published a follow-up analysis at USENIX Security 2025.
Apple introduced a four-level scale in the PQ3 announcement to compare messaging protocols.
- Level 0: no end-to-end encryption by default. Telegram, Skype, QQ, WeChat.
- Level 1: end-to-end encryption, no quantum security. WhatsApp, Line, Viber, iMessage before PQ3.
- Level 2: post-quantum cryptography for initial key establishment only. Signal with PQXDH.
- Level 3: post-quantum for both initial handshake and ongoing rekeying. iMessage with PQ3.
Signal didn’t sit at Level 2 for long. On October 2, 2025, they published the Triple Ratchet, which runs the existing Double Ratchet alongside a new Sparse Post-Quantum Ratchet (SPQR) and mixes the outputs through a key derivation function. The work was done with PQShield, AIST, and New York University. WhatsApp gets it for free, since it licenses the Signal Protocol.
NIST helped this happen. FIPS 203 (ML-KEM, formerly CRYSTALS-Kyber), FIPS 204 (ML-DSA, formerly Dilithium), and FIPS 205 (SLH-DSA, formerly SPHINCS+) were all finalized on August 13, 2024. As of early 2026, Cloudflare reports that more than 60% of human-generated TLS traffic on its network already runs hybrid ML-KEM. AWS pulled standalone Kyber from its endpoints in favor of standard ML-KEM the same year. Hybrid post-quantum is no longer a research project. It’s deployed plumbing.
What Nostr currently does
NIP-44 v2 is what the protocol uses for encrypted direct messages and for the inner layer of NIP-17 gift wrapping. It uses ChaCha20 with HMAC-SHA256, with the keys derived via HKDF-SHA256 from an ECDH on secp256k1. It is not bad cryptography. Cure53 audited it. It does not have the padding-oracle or MAC-skip vulnerabilities NIP-04 had.
The spec is also explicit about what it does not provide. From the Limitations section: “No forward secrecy: when a key is compromised, it is possible to decrypt all previous conversations.” And: “No post-quantum security: a powerful quantum computer would be able to decrypt the messages.”
That second line is honest. It’s also the reason this article exists.
paulmillr opened issue #1971 on the nostr-protocol/nips repository on July 10, 2025, proposing a hybrid combining NIP-44’s ECDH with one of ML-KEM, sntrup761, or HQC. Same pattern Signal, WhatsApp, Apple, and OpenSSH all use. The issue is open. There is no merged spec. There is no v3 of NIP-44. As of April 2026, the only Nostr DM cryptography that ships is the version that says it cannot defend against a quantum attacker.
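The key derivation the two paragraphs above describe, as an added example rather than code from the NIP-44 spec or from paulmillr's proposal: the classical part is NIP-44 v2's conversation key (HKDF-extract over the secp256k1 ECDH x-coordinate with the salt `nip44-v2`), and `hybrid_conversation_key` shows the hybrid pattern the issue proposes, where a KEM shared secret is concatenated with the ECDH share before the KDF so the final key cannot be recovered from the ECDH share alone. secp256k1 arithmetic is written out in pure Python so the script runs offline; it is not constant-time and is a teaching implementation only. The KEM shared secret is a stand-in random value (a real deployment would take it from ML-KEM encapsulation), and the salt `hybrid-demo-v1` and the info string are assumptions of this example, not from any spec. NIP-44's per-message key expansion, padding, ChaCha20 and HMAC layers are not reproduced.

```python
import hashlib
import hmac
import secrets

# secp256k1 domain parameters (the curve Nostr and Bitcoin use)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def _point_add(p1, p2):
    """Affine addition on y^2 = x^3 + 7 over GF(P); None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def _point_mul(k, point):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    result = None
    addend = point
    while k:
        if k & 1:
            result = _point_add(result, addend)
        addend = _point_add(addend, addend)
        k >>= 1
    return result


def keygen():
    """Random private scalar in [1, N-1] and its public point."""
    d = secrets.randbelow(N - 1) + 1
    return d, _point_mul(d, G)


def on_curve(point):
    x, y = point
    return (y * y - x * x * x - 7) % P == 0


def ecdh_x(priv, peer_pub):
    """x-coordinate of priv*peer_pub as 32 big-endian bytes (what NIP-44 feeds HKDF)."""
    x, _ = _point_mul(priv, peer_pub)
    return x.to_bytes(32, "big")


def hkdf_extract(salt, ikm):
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk, info, length):
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def nip44_conversation_key(priv, peer_pub):
    """Classical only: NIP-44 v2 conversation key = HKDF-extract(salt="nip44-v2", IKM=ECDH x)."""
    return hkdf_extract(b"nip44-v2", ecdh_x(priv, peer_pub))


def hybrid_conversation_key(priv, peer_pub, kem_shared_secret):
    """Hypothetical hybrid: ECDH share and KEM share are concatenated into the IKM.
    Salt and info strings are assumptions of this example, not from any spec."""
    ikm = ecdh_x(priv, peer_pub) + kem_shared_secret
    prk = hkdf_extract(b"hybrid-demo-v1", ikm)
    return hkdf_expand(prk, b"conversation key", 32)


def demo():
    alice_priv, alice_pub = keygen()
    bob_priv, bob_pub = keygen()
    # Stand-in for the ML-KEM shared secret (constructed value). In a real hybrid,
    # Bob would encapsulate to Alice's ML-KEM public key and both would hold it.
    kem_ss = secrets.token_bytes(32)
    k_alice = hybrid_conversation_key(alice_priv, bob_pub, kem_ss)
    k_bob = hybrid_conversation_key(bob_priv, alice_pub, kem_ss)
    # Same ECDH share, but without the KEM share: a different key comes out,
    # which is the whole point of the hybrid construction.
    k_ecdh_only = hybrid_conversation_key(alice_priv, bob_pub, bytes(32))
    return k_alice == k_bob, k_alice != k_ecdh_only


if __name__ == "__main__":
    print("both parties agree, ECDH share alone is insufficient:", demo())
```

The property to take away is in `demo()`: both parties derive the same key, but the same ECDH output fed through the KDF without the KEM share yields an unrelated key, so a future break of secp256k1 would hand an archive holder the ECDH share and still not the conversation key.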
The earlier attempt died years before that one. eznix86 opened PR #391 in March 2023, proposing NIP-101 as a generic algorithm transition method, specifically to give Nostr a path away from secp256k1 when the time came. mikedilger pushed back. The PR was closed in May 2025 with no successor. The argument was that signature forgery is not currently a threat. That is true in April 2026. It is the wrong frame for harvest-now-decrypt-later.
Where this puts you on Apple’s scale
If you map Nostr DMs onto Apple’s Level 0 to 3 scale, the result is not flattering for a protocol that markets itself on cryptographic identity.
NIP-04 is end-to-end encrypted but leaks every piece of metadata around it, and Damus on iOS still uses it. The clients that have moved to NIP-17 gift-wrap the inner message and hide who’s talking to whom from relay operators. Either way, the encryption underneath is classical elliptic curve. There’s no post-quantum component anywhere.
That’s Level 1. Same shelf as WhatsApp before WhatsApp got the Signal Protocol’s post-quantum upgrade. WhatsApp now sits between Level 2 and Level 3 depending on how you count the Triple Ratchet. Nostr has not moved.
I am not going to pretend the comparison is exactly fair. iMessage runs on Apple’s centralized infrastructure. Signal runs dedicated servers. They can ship a protocol upgrade, deprecate the old one, and force a transition window over a few quarters. Nostr is a permissionless protocol with no central anything. Migrating ciphersuites means coordinating thousands of clients and relays around a spec change that hasn’t been written yet.
That coordination cost is the price of being a permissionless protocol. The hard part is supposed to be the political coordination. The cryptography itself was supposed to be the easy part.
The signature problem nobody is touching
NIP-44 hybrid encryption would close half the door. The other half is harder.
Every Nostr event is signed with a Schnorr signature on secp256k1. Same curve as #bitcoin. Recent academic estimates put the lower bound for breaking secp256k1 at roughly 523 logical qubits, with realistic implementations needing somewhere between 523 and 2,500. Craig Gidney’s May 2025 paper revised the qubit count for factoring RSA-2048 down to roughly 900,000 noisy qubits running for less than a week, which is a 20x reduction from his 2019 estimate of 20 million. Bitcoin’s curve takes fewer qubits and 148x fewer gates than RSA-2048 because the key is shorter. The Bitcoin threshold likely arrives before the RSA threshold does.
When that happens, every signed Nostr event ever published becomes forgeable. Anyone with the public key can derive the private key. Reputation, identity, profile metadata, every kind:1 note, every long-form article like this one, all of it becomes indistinguishable from forgeries. Bitcoin has the same exposure on roughly 25% of its supply through reused P2PKH and P2WPKH addresses. Bitcoin can also coordinate a hard fork to add a quantum-resistant signature scheme. Every node operator and miner has skin in that game.
Nostr does not have a hard-fork mechanism. There’s no consensus to coordinate around. The closest attempt was ice-orestes opening PR #1522 in September 2024, proposing that Nostr support multiple public key types and signature algorithms. vitorpamplona pointed at the DID ecosystem and its 200-plus methods. pablof7z called the proposal insanity. The PR is still open and likely to stay that way.
That’s not a criticism of vitorpamplona or pablof7z. They are correct that supporting arbitrary curves invites fragmentation. They are also leaving the protocol with no migration path.
Why every proposal stalls
Here is where I push back on my own argument, because the threat model is not “a quantum computer breaks Nostr tomorrow.” Google’s Willow chip, announced December 9, 2024, has 105 physical qubits with logical error rates around 0.14% per cycle. Willow showed below-threshold error correction, which actually does matter, but it is orders of magnitude away from the 10⁻⁶ logical error rate needed for cryptographically relevant computation. The shorthand for that threshold is CRQC, a cryptographically relevant quantum computer. IBM’s roadmap has Heron at 156 physical qubits, Condor at 1,121 from December 2023, with Starling (the first error-corrected machine) targeted for 2029 and the 100,000-qubit Blue Jay targeted for 2033. Roadmaps slip.
The Signal team’s own framing is honest about the uncertainty. From the PQXDH announcement: “On the low end, some argue it is only a couple of years away. On the high end some say 30+ years… The middle ground seems to be around the 5 to 10 year time horizon.” Signal shipped anyway. The threat model is not “a CRQC exists this year.” The threat model is harvest now, decrypt later.
The NSA’s CNSA 2.0 framework requires quantum-safe algorithms for new national security systems by January 2027, full application migration by 2030, and complete infrastructure migration by 2035. The U.S. Department of Homeland Security, the UK’s National Cyber Security Centre, the EU’s Agency for Cybersecurity, and the Australian Cyber Security Centre have all built their official guidance on the assumption that adversaries are currently exfiltrating long-lived encrypted data. That isn’t speculative threat modeling. It’s the working assumption of the agencies who have to plan for it.
A NIP-17 gift wrap sent today, harvested by a relay operator or a passive listener, sits in storage. The encrypted blob does not expire. The day the curve breaks, every one of those messages turns into plaintext, and the metadata NIP-17 hides falls out as a side effect once you correlate the decrypted contents. If you trust your DM with a five-year time horizon, you are making two bets at once: that no CRQC arrives in five years, and that no archive of your relay traffic exists.
A note for whoever decrypts this in 2035
Nostr is not unique in having this gap. It is unique in being a protocol explicitly designed around cryptographic identity that has not even agreed on a transition plan. NIP-17 and the MLS-on-Nostr work I wrote about both target metadata privacy and forward secrecy. Both matter. Neither addresses the secp256k1 dependency underneath.
The honest answer is I do not know whether the timeline matters. The exact year a CRQC arrives is unknowable. What is knowable is that every other major encrypted messaging system has shipped a post-quantum upgrade in the last three years, and Nostr has not. The gap between what the protocol’s marketing claims and what the protocol actually defends against is widening every quarter.
A pseudonymous Nostr account whose entire identity is a secp256k1 keypair is leaving a long-lived signature trail. Every gift-wrapped DM is a future plaintext. Acknowledging that is not a reason to stop using the protocol. It is a reason to stop pretending the cryptographic decentralization story is finished. The story stops at 2009-era cryptography, and the rest of the Internet is already three layers further along.
#nostr #cryptography #bitcoin #privacy