Virtual Private Networks (VPNs) are a cornerstone of modern online security, shielding your IP address and encrypting your data. But the foundations of this security—the encryption algorithms that protect your connection—are facing a looming crisis: the arrival of powerful quantum computers. While full-scale quantum decryption isn’t here yet, the threat is real enough that leading VPN providers are already implementing post-quantum encryption (PQE) to future-proof their services. This isn’t a distant problem; malicious actors are already stockpiling encrypted data with the intent to decrypt it once quantum computing matures.
The Quantum Computing Challenge
Current VPNs rely on encryption standards like AES and ChaCha20, which, while secure today, will become vulnerable when quantum computers reach sufficient processing power. The key difference lies in how computers process information: standard computers use bits (0 or 1), while quantum computers leverage qubits, which can be 0, 1, or both simultaneously. This allows quantum machines to break traditional encryption much faster than any conventional supercomputer.
The US National Institute of Standards and Technology (NIST) has been working since 2016 to develop quantum-resistant algorithms, publishing four standards in 2022: CRYSTALS-Kyber, CRYSTALS-Dilithium, SPHINCS+, and FALCON. These new algorithms use mathematical structures that are believed to be resistant even to advanced quantum attacks. One example is ML-KEM, derived from NIST’s CRYSTALS-Kyber standard, which is now being adopted by several VPN providers.
Why This Matters for VPN Users
The core vulnerability lies in the handshake process. When you connect to a VPN, your device and the server must first establish a secure channel by exchanging cryptographic keys. Current methods, like RSA and Diffie-Hellman, are easily broken by quantum computers. This means that when quantum decryption arrives—predicted by some experts before 2030—VPNs could lose their ability to mask your IP or encrypt your data, rendering them useless.
The stakes are high: nearly half of Americans (47%) now use VPNs for privacy, and a failure to adapt could expose millions to surveillance and data breaches. The “Harvest Now, Decrypt Later” (HNDL) strategy used by some malicious actors underscores the urgency; stolen data is being stored today with the expectation of decrypting it in the future.
VPNs Leading the Way in Quantum Resistance
Several VPN providers have already begun integrating PQE:
- ExpressVPN: Offers PQE through its Lightway protocol and post-quantum WireGuard, using ML-KEM. Available on Android, iOS, Linux, Windows, and Mac.
- NordVPN: Implements PQE via its NordLynx protocol, also using ML-KEM. Supported on Linux, Windows, macOS, Android, iOS, Apple TV, and Android TV. PQE is not available when using dedicated IPs or obfuscated servers.
- Mullvad VPN: Enables quantum-resistant tunnels by default on all WireGuard connections across its apps. Also utilizes the ML-KEM standard.
Trade-offs and Limitations
PQE isn’t without drawbacks. It can slightly decrease connection speeds due to larger key sizes and heavier cryptographic operations. Compatibility is another issue: PQE may not work with older devices, dedicated IPs, or certain VPN features. Providers currently keep PQE optional because of these limitations.
Looking Ahead
While not immediately critical for all users, PQE will eventually become essential. Just as advanced security features like multi-hop servers are optional today, quantum-resistant encryption will likely be integrated into every VPN protocol by default once quantum threats materialize. For now, the early adopters are preparing for a future where the very foundations of online security must adapt to survive.
The transition to post-quantum encryption is underway, ensuring that VPNs remain a viable tool for privacy in a world increasingly threatened by quantum computing.
