You’ll Be Glad Your VPN Has Post-Quantum Encryption, Even if You Don’t Need It Now. Here’s Why


Virtual private networks, or VPNs, have become an essential part of today’s online security toolkit. A VPN hides your public IP address by routing your internet traffic through a remote server. It encrypts your data — scrambling it and making it unintelligible — to protect your sensitive information from prying eyes. 

Right now, VPNs, just like most modern internet infrastructure, rely on decades-old encryption standards like AES (some also use newer ciphers like ChaCha20) for data encryption.

However, with the looming threat of Q-day — the day quantum computers become advanced enough to break today’s encryption algorithms — many of the best VPN services have started rolling out post-quantum encryption, or PQE, to future-proof their security credentials. 

Let’s explore the rising threat posed by quantum computers, why PQE could be a crucial safeguard, the trade-offs involved and which VPN services are already adopting quantum-safe protection.


What is post-quantum encryption?


Post-quantum cryptography, or PQC, represents a new generation of cryptographic algorithms designed specifically to resist the kinds of attacks that powerful future quantum computers are expected to enable. 

VPNs typically use two different types of encryption: AES or ChaCha20 for encrypting data, and RSA for the initial sharing of the cryptographic key. Note that current encryption standards, including AES, ChaCha20 and RSA, are more than sufficient for today’s use cases: traditional supercomputers, which use binary bits that can be either zero or one at any given time, would take millions of years to break these algorithms.

Quantum computers, however, rely on quantum bits, or qubits, which can be zero, one or both at the same time. Simply put, quantum computers carry sophisticated processing power, meaning they could crack today’s encryption algorithms in a matter of minutes.

The US National Institute of Standards and Technology, or NIST, started its Post-Quantum Cryptography project in 2016, inviting candidates from around the world to develop sophisticated algorithms that could withstand quantum computers. After years of research, NIST published four such standards in 2022, including CRYSTALS-Kyber, CRYSTALS-Dilithium, SPHINCS+ and FALCON. 

Instead of relying on traditional algorithms, quantum-proof algorithms use structured-lattice and hash-based cryptographic problems to secure data. These are mathematical challenges believed to be difficult even for the most advanced quantum computers. For instance, the ML-KEM algorithm that some VPN providers have adopted is derived from NIST’s CRYSTALS-Kyber post-quantum resistant standard.

But if you think that post-quantum encryption is not a “now” problem, think again. Malicious actors are already using techniques like Harvest Now, Decrypt Later, or HNDL, where they store sensitive — albeit encrypted — data today with the expectation of decrypting it later once quantum computing becomes powerful enough.

Why does post-quantum encryption matter for VPNs?

Q-day threatens the very existence of VPNs. When you connect to a VPN, your device and the VPN server establish a secure tunnel. Consider this a dedicated channel of communication between the two systems. There may be two types of encryption: one for encrypting the data itself and one for the authentication, or key exchange.


However, to establish a secure tunnel, both systems must first agree on a secret key, a step known as the handshake. This is a random cryptographic key generated independently by each system. Once the handshake is successful, algorithms such as AES-256 or ChaCha20 (the gold standard for VPNs today) are used to encrypt the information traveling through that tunnel. This is how almost all modern VPN tunneling protocols, such as OpenVPN, IKEv2/IPsec and WireGuard, work.

The initial handshake is the most crucial part of the process, as it forms the base of your entire VPN connection. Right now, these handshake mechanisms are vulnerable to quantum attacks. 

It’s important to note that the handshake is the critical choke point. As opposed to symmetric algorithms like AES-256, which can only be weakened by quantum computers (meaning they would get easier to crack, but still take an unrealistic amount of time), public-key algorithms like RSA and Diffie-Hellman, which are used during the VPN handshake, can be fully broken. In other words, a quantum computer could solve the math behind them so quickly that the handshake offers no protection at all.

All in all, powerful quantum computers would make it virtually impossible for VPNs to establish an initial handshake, meaning they’d no longer be able to mask your IP or encrypt your data, defeating their entire purpose.

When Q-day finally arrives — experts believe it could be here before 2030 — it would compromise the privacy of hundreds of millions of people, essentially anyone who uses the internet, almost instantly. And worse, if VPNs — which 47% of Americans now use for privacy — fail to mitigate the threat posed to them, the consequences could be catastrophic.

Which VPNs implement PQE?

Thankfully, some VPNs have recognized the threat posed by quantum computers and have already begun rolling out PQE-enabled protocols.

ExpressVPN was one of the first VPNs to roll out post-quantum encryption. The company offers PQE (enabled by default) through its custom-built Lightway protocol as well as post-quantum WireGuard. ExpressVPN’s Lightway and WireGuard protocols include ML-KEM, meaning the VPN now uses a blend of traditional and post-quantum encryption standards. ExpressVPN’s quantum-proof technology is available to all users on Android, iOS, Linux and Windows, as well as Mac.


NordVPN offers post-quantum encryption through its proprietary NordLynx protocol. It uses the NIST-approved ML-KEM algorithm and is available on Linux, Windows, macOS, Android, iOS, Apple TV and Android TV. This means you won’t be able to benefit from the provider’s quantum-resistant encryption when using any protocol other than NordLynx, or when using a dedicated IP, Meshnet or obfuscated servers and the obfuscation-focused NordWhisper VPN protocol.

Mullvad VPN comes with quantum-resistant tunnels enabled by default on all WireGuard connections in its Windows, Mac, Linux, Android and iPhone apps. Similar to NordVPN and ExpressVPN, Mullvad has switched to the NIST standard ML-KEM.
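To make the "blend of traditional and post-quantum" handshake concrete, here is an added sketch (not code from the article or from any VPN provider) in which both sides derive one session key from a classical key exchange plus a post-quantum secret. Assumptions: the Diffie-Hellman group is a deliberately tiny toy, the ML-KEM output is replaced by a random 32-byte stand-in, the HKDF combiner is one common way to mix the two secrets, and all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group for illustration only (2**127 - 1 is far too small
# for real use); a VPN would use X25519 or a similar classical exchange.
P = 2**127 - 1
G = 3

def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869): extract a pseudorandom key, then expand it."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def dh_keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def dh_shared(priv: int, peer_pub: int) -> bytes:
    return pow(peer_pub, priv, P).to_bytes(16, "big")

def hybrid_session_key(classical_ss: bytes, pq_ss: bytes, transcript: bytes) -> bytes:
    """Both secrets feed one KDF, so the key holds unless BOTH are recovered."""
    return hkdf_sha256(classical_ss + pq_ss, salt=b"\x00" * 32, info=transcript)

def demo():
    c_priv, c_pub = dh_keypair()
    s_priv, s_pub = dh_keypair()
    # Stand-in for the 32-byte secret an ML-KEM encapsulation gives both sides.
    pq_ss = secrets.token_bytes(32)
    transcript = c_pub.to_bytes(16, "big") + s_pub.to_bytes(16, "big")
    client_key = hybrid_session_key(dh_shared(c_priv, s_pub), pq_ss, transcript)
    server_key = hybrid_session_key(dh_shared(s_priv, c_pub), pq_ss, transcript)
    # Harvest-now-decrypt-later model: the recorded classical exchange is later
    # solved, but the attacker still lacks the post-quantum secret.
    attacker_key = hybrid_session_key(dh_shared(c_priv, s_pub), b"\x00" * 32, transcript)
    return client_key, server_key, attacker_key

if __name__ == "__main__":
    client, server, attacker = demo()
    print("client/server agree:", client == server)
    print("classical-only attacker matches:", attacker == client)
```

The point of the combiner is that a handshake recorded today stays protected as long as either the classical or the post-quantum secret remains unrecovered.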

Are there any drawbacks to post-quantum encryption?

While PQE is undoubtedly essential for long-term security, it’s worth discussing why VPNs still keep it optional rather than making it permanently enabled and invisible to the user. 

For starters, PQE can result in slightly slower connection speeds and a bit more latency, especially on lower-end devices, because its handshakes use larger key sizes and heavier cryptographic operations than standard encryption. Since VPNs slow down your internet connection even without post-quantum resistance, enabling PQE can drop your speeds even further, which could affect bandwidth-intensive activities, like streaming 4K videos or participating in Zoom calls.

A more significant limitation is compatibility. Providers like NordVPN explicitly say that PQE can’t be used alongside certain features, such as dedicated IPs, obfuscated servers, older devices or Meshnet. This by itself is a major reason why PQE hasn’t yet become an always-on standard.

Even when PQE is enabled by default, it may not be available in all situations. For example, you may lose PQE benefits if you’re connecting to older VPN servers or using protocols that don’t currently support post-quantum encryption.

You may not need PQE with your VPN connection right now, but you’ll be glad it’s there in the future

It’s also important to note that right now, PQE sits in the same territory as other advanced protection features that VPNs offer — like Proton VPN’s Secure Core servers or NordVPN and Surfshark’s multi-hop servers — which provide an extra layer of privacy but are optional and not required every minute of the day.

Post-quantum encryption, however, will be different in that respect. Once quantum threats become real, PQE will no longer remain optional and will likely be integrated into every VPN protocol by default.




