diff --git a/src/h2load.h b/src/h2load.h
index b6ef65c8..270ee23b 100644
--- a/src/h2load.h
+++ b/src/h2load.h
@@ -332,8 +332,6 @@ struct Client {
     std::array<Crypto, 2> crypto;
     size_t max_pktlen;
     bool close_requested;
-    std::vector<uint8_t> rx_secret;
-    std::vector<uint8_t> tx_secret;
   } quic;
   ev_timer request_timeout_watcher;
   addrinfo *next_addr;
diff --git a/src/h2load_quic.cc b/src/h2load_quic.cc
index 5f69d278..f845b845 100644
--- a/src/h2load_quic.cc
+++ b/src/h2load_quic.cc
@@ -226,38 +226,6 @@ int get_new_connection_id(ngtcp2_conn *conn, ngtcp2_cid *cid, uint8_t *token,
 }
 } // namespace
 
-namespace {
-int update_key(ngtcp2_conn *conn, uint8_t *rx_key, uint8_t *rx_iv,
-               uint8_t *tx_key, uint8_t *tx_iv, void *user_data) {
-  auto c = static_cast<Client *>(user_data);
-
-  if (c->quic_update_key(rx_key, rx_iv, tx_key, tx_iv) != 0) {
-    return NGTCP2_ERR_CALLBACK_FAILURE;
-  }
-
-  return 0;
-}
-} // namespace
-
-int Client::quic_update_key(uint8_t *rx_key, uint8_t *rx_iv, uint8_t *tx_key,
-                            uint8_t *tx_iv) {
-  std::array<uint8_t, 64> rx_secret, tx_secret;
-
-  if (ngtcp2_crypto_update_key(quic.conn, rx_secret.data(), tx_secret.data(),
-                               rx_key, rx_iv, tx_key, tx_iv,
-                               quic.rx_secret.data(), quic.tx_secret.data(),
-                               quic.rx_secret.size()) != 0) {
-    return -1;
-  }
-
-  quic.rx_secret.assign(std::begin(rx_secret),
-                        std::begin(rx_secret) + quic.rx_secret.size());
-  quic.tx_secret.assign(std::begin(tx_secret),
-                        std::begin(tx_secret) + quic.tx_secret.size());
-
-  return 0;
-}
-
 namespace {
 void debug_log_printf(void *user_data, const char *fmt, ...) {
   va_list ap;
@@ -398,7 +366,7 @@ int Client::quic_init(const sockaddr *local_addr, socklen_t local_addrlen,
       nullptr, // rand
       get_new_connection_id,
       nullptr, // remove_connection_id
-      update_key,
+      ngtcp2_crypto_update_key_cb,
       nullptr, // path_validation
       select_preferred_addr,
       h2load::stream_reset,
@@ -533,9 +501,6 @@ int Client::quic_on_key(ngtcp2_crypto_level level, const uint8_t *rx_secret,
       return -1;
     }
     session = std::move(s);
-
-    quic.rx_secret.assign(rx_secret, rx_secret + secretlen);
-    quic.tx_secret.assign(tx_secret, tx_secret + secretlen);
   }
 
   return 0;
diff --git a/third-party/neverbleed b/third-party/neverbleed
index b967ca05..5cf5da80 160000
--- a/third-party/neverbleed
+++ b/third-party/neverbleed
@@ -1 +1 @@
-Subproject commit b967ca054f48a36f82d8fcdd32e54ec5144f2751
+Subproject commit 5cf5da80b715223d2614374aec40f2663dc68d6a