Post-quantum encryption standards are here – a new era for VPN security begins

Now we’re just waiting for VPN providers to get up to speed

On August 13, the National Institute of Standards and Technology (NIST) made history by officially releasing the first three quantum-resistant encryption standards set to shape the future of cryptography. NIST tested more than 80 algorithms over the last decade to get here and now calls on all developers to start the post-quantum transition.

The implementation of quantum computing may still be a ways off, but “full integration will take time,” according to the organization. It’s just a matter of time before current encryption methods become obsolete – potentially broken by the ability of these machines to process computations that today’s computers can’t handle, within minutes.

Among the best VPN providers, only a handful of services have already implemented quantum-safe encryption. NIST’s work is set to be crucial for reversing this trend, officially raising the bar for VPN security standards. I spoke to all the top providers to understand what’s next for our security.

A blueprint for VPNs

“VPNs rely heavily on cryptographic protocols for securing communication, so the industry must now prepare to adopt these new standards to ensure long-term security against future quantum computer threats,” Marijus Briedis, CTO at NordVPN, told me.

A VPN, short for virtual private network, is security software designed to encrypt internet connections. Encryption refers to the process of scrambling the data into an unreadable form to prevent third parties from accessing the data in transit.

Today’s VPN protocols often leverage RSA-based key exchanges so only you and whoever you’re sending stuff to can actually see what’s going on. Because of the way quantum computers work, this is no longer safe for the future.

Cybercriminals, state hackers, and more are all conducting what’s called “store now, decrypt later (SNDL) attacks” – scooping up all your encrypted data so they can crack it in the future when quantum computing is finally up to the task.

This is where NIST’s quantum-safe standards come in.

As Subbu Sthanu, Chief Commercial Officer at IPVanish, put it, this set of standardized algorithms “serves as a blueprint” for VPN developers to strengthen their software security against future tech threats. This is because, alongside the three quantum-resistant algorithms, NIST also offers instructions on implementing them and their intended uses.

“They’re a crucial resource for us,” Tom Cohar, Head of Infrastructure at Hide.me, told me. “Just by following these standards, we can support post-quantum cryptography, maintain compatibility and interoperability, meet regulatory requirements, and ultimately protect our users' data against future cryptographic threats.”

Quantum computers could imperil the security of confidential electronic information, such as emails. To counter this threat, NIST has finalized its set of three encryption algorithms designed to withstand a future quantum computer’s cyberattacks: https://t.co/WYNO9j7Owz pic.twitter.com/o8TjLzv43p August 13, 2024

The winning standards are based on three key algorithms designed for specific tasks. ML-KEM (formerly known as CRYSTALS-Kyber algorithm) is the primary standard for cryptographic key exchanges – protecting the exchange of information across a public network like in the case of VPNs. ML-DSA (using the CRYSTALS-Dilithium algorithm) and SLH-DSA (based on the Sphincs+ algorithm) are designed to protect digital signatures used for identity authentication online.

If you want a simple explanation of how quantum computing breaks encryption, and how these new standards fight back, check out this amazing explainer from Veritasium:

Most VPN providers eagerly welcome the final decision as it corroborates the work their developers have been doing behind the scenes.

For example, Bart Butler, CTO at Proton VPN, told me the team has already been using the draft NIST algorithms at the research stage, before they were standardized. The recent announcement then “increases our confidence in them,” he added.

The same goes for Surfshark, which already picked the Kyber key encapsulation mechanism for its post-quantum encryption design. “Its standardization reassures us that we’re on the right path,” Karolis Kačiulis, Leading System Engineer at Surfshark, told me.

NIST’s finalized standards have been a long time coming, in fact. Experts first selected some of these algorithms back in 2022 – releasing draft specifications for each of them at the time. The organization is now set to release a fourth algorithm standard (FALCON) later this year.

For Yegor Sak, one of the founders and CEO at Windscribe – one of the very few providers that already supports quantum-safe encryption – the recent announcement is rather an evolution than a revolution.

He said: “While it’s significant that these standards are now set in stone, it doesn’t represent a groundbreaking shift for the industry – especially for those who have been keeping up with post-quantum cryptography developments. For VPN providers, it’s a reminder to stay on top of these changes, but it’s not the game-changer that some might make it out to be.”

For ExpressVPN, which launched post-quantum protection last October, this moment “isn’t just a validation of Kyber but also our proactive approach to security,” Pete Membrey, Chief Engineering Officer at ExpressVPN, wrote in a blog post.

Swedish-based provider Mullvad sees standardization as a way to increase trust and usage across the industry. The firm was one of the first to introduce experimental post-quantum encryption back in 2017. Yet, “The strength of a standard lies in the fact that it is open and gets audited and reviewed in a way that makes it secure,” Jan Jonsson, CEO at Mullvad, told me.

Technical challenges

We may now have standardized post-quantum encryption standards and implementation processes. However, the work is anything but done.

The truth is that the transition to a quantum-safe VPN product is filled with technical challenges that developers need to overcome. Below are the main issues providers have to deal with:

As always, the cat-and-mouse game of cybersecurity trundles onward.

A hybrid approach

Once developers manage to address all the technical challenges and finally implement the quantum-safe algorithms, it will be time to review their effectiveness. Remember, full integration will take time.

As Butler from Proton VPN explains, new cryptography is always inherently risky. This is simply because it lacks the amount of public analysis and scrutiny that current methods have undergone. “That’s why we will be using a hybrid approach – meaning our users will be safe from attacks from classical computers, as well as quantum computers,” he added.

This dual-layered defense means that quantum-resistant algorithms will be implemented alongside classic encryption methods so that, even if the PQ protections end up being compromised, users' data won’t get compromised.

That’s exactly the approach the likes of ExpressVPN and other quantum-safe providers have already employed – and it’s likely to become the gold standard for all to follow during the PQ transition. Outside the VPN world, encrypted email Tuta (formerly known as Tutanota) and Signal used the same approach when they added quantum-resistant protections.
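
To make the hybrid idea concrete, here is an added example (not code from any provider named in this article) of a concatenate-then-KDF combiner: the session key is derived from both a classical and a post-quantum shared secret, so recovering only one of them is not enough. The two secrets are random stand-ins, and the label, transcript and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

LABEL = b"example-hybrid-vpn-session-key-v1"  # assumed context label, not a real protocol's


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) with SHA-256: extract a PRK, then expand it."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def _framed(value: bytes) -> bytes:
    """Length-prefix an input so the two secrets cannot be re-split ambiguously."""
    return len(value).to_bytes(2, "big") + value


def hybrid_session_key(classical_ss: bytes, pq_ss: bytes, transcript: bytes) -> bytes:
    """Derive one session key from BOTH shared secrets plus the handshake transcript."""
    if len(classical_ss) < 16 or len(pq_ss) < 16:
        # Fail closed: never fall back silently to a single-algorithm key.
        raise ValueError("both shared secrets are required")
    salt = hashlib.sha256(transcript).digest()
    return hkdf_sha256(_framed(classical_ss) + _framed(pq_ss), salt, LABEL)


def demo() -> dict:
    # Constructed stand-ins: random bytes in place of real key-exchange outputs.
    classical_ss = os.urandom(32)  # e.g. an elliptic-curve Diffie-Hellman result
    pq_ss = os.urandom(32)         # e.g. an ML-KEM decapsulation result
    transcript = b"constructed handshake messages"
    key = hybrid_session_key(classical_ss, pq_ss, transcript)
    # An attacker who has recovered only one secret must still guess the other.
    wrong_pq = hybrid_session_key(classical_ss, os.urandom(32), transcript)
    wrong_classical = hybrid_session_key(os.urandom(32), pq_ss, transcript)
    return {
        "key_len": len(key),
        "classical_alone_fails": not hmac.compare_digest(key, wrong_pq),
        "pq_alone_fails": not hmac.compare_digest(key, wrong_classical),
    }


if __name__ == "__main__":
    print(demo())
```

The check in `hybrid_session_key` matters as much as the KDF: a hybrid design that quietly accepts a missing post-quantum secret offers only the classical protection.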

Today we are proud to announce the launch of the world’s first #postquantum secure email platform! 🥳🎉 With TutaCrypt your data is safe against quantum computer attacks at rest & in transit. ⚛️ 🔒 Learn more about this quantum leap in #security here: https://t.co/Nq7ePZ2ctb pic.twitter.com/XeycBQpBYn March 11, 2024

Which VPNs are already post-quantum resistant?

While most VPN providers are currently in the first stage of the PQ transition - aka, figuring out how to correctly implement quantum-resistant algorithms within their product - some services already offer such protection.

As we mentioned earlier, Mullvad was the first to embrace post-quantum cryptography way before NIST selected the algorithms that would later get standardized. In 2022, they switched to one of the finalists (Classic McEliece), while continuing to follow the ongoing work at NIST. Today, the provider integrates the strengths of both Kyber and Classic McEliece into its WireGuard protocol.

“As Kyber (one of the standards) now has been updated (ML-KEM) we are planning to migrate to this in the near future,” Jonsson told me, adding that the team will keep following the ongoing standardization and might add support for other algorithms in the future.

Windscribe is another early adopter of quantum-resistant encryption. While it’s not yet in full support of the specific algorithms selected by NIST, the team is actively working toward integrating these into their offerings. “Our aim is to not just meet but exceed these standards, ensuring our users are protected against future threats,” said Sak.

In 2022, PureVPN partnered with quantum computing company Quantinuum to introduce a quantum-resistant feature on its OpenVPN protocol. A year later, ExpressVPN entered the PQ game adding the Kyber algorithms to its open-source Lightway protocol.

Get one of the best quantum-secure VPNs

ExpressVPN isn’t just quantum secure, it’s also one of our top picks for the best VPNs on the market. Automating all of the setup so you don’t have to go tweaking your settings, Express is by far the best VPN for beginners. At $6.67 per month, it’s one of the more expensive options, but if you want peace of mind, great speeds, and reliable streaming, I’d recommend taking advantage of its 30-day money-back guarantee.

How quickly will other VPNs get quantum-secure?

It was difficult to get a sense of when other top VPN providers will officially get their post-quantum protections up and running.

Among all the companies I spoke with, NordVPN was the only one that gave me a precise deadline for public implementation. The team plans to roll out the first PQ iteration for its WireGuard-based NordLynx protocol on its Linux app by the end of September and, from there, evaluate performance levels.

“Based on these insights, we aim to extend PQC support to our other applications in 2025 Q1 [the end of March] at the latest,” Briedis told me.

PrivadoVPN said its engineering team is busy testing the addition of a pre-shared key to their WireGuard implementation, as well as an enhanced KEM (Key Encapsulation Mechanism) for TLS and OpenVPN protocols.

“We have not announced our plans to make quantum-resistant VPN service available but expect to do so soon,” said the provider.

A few services, including Proton VPN, Surfshark, and Hide.me, stressed the importance of getting the implementation right without flaws instead of winning the race over competitors. This is why they cannot set a firm deadline at the time of writing.

“It’s a marathon, not a sprint,” Butler at Proton VPN told me. “We already have a head start, and we are working alongside the community to develop and review implementations of the NIST standards.”

On top of this, Private Internet Access (PIA) confirmed that integrating hybrid quantum-resilient cryptography methods is on the company’s roadmap. “Standardization is hugely useful to guide our approach,” said John Mair, Principal Software Engineer at PIA.

We might not know exactly when, but this much is certain: quantum-resistant encryption is set to dominate the VPN and cryptography landscape in the years to come, becoming very much what AES encryption is today.

As Kačiulis from Surfshark put it: “Providers that fail to embrace these new standards risk being left behind.”

Chiara is a multimedia journalist committed to covering stories to help promote the rights and denounce the abuses of the digital side of life—wherever cybersecurity, markets and politics tangle up. She mainly writes news, interviews and analysis on data privacy, online censorship, digital rights, cybercrime, and security software, with a special focus on VPNs, for TechRadar Pro, TechRadar and Tom’s Guide. Got a story, tip-off or something tech-interesting to say? Reach out to chiara.castro@futurenet.com
