Quantum computers are no longer a distant concept. In August 2024, NIST finalized three post-quantum cryptographic standards - ML-KEM, ML-DSA, and SLH-DSA - and issued a clear directive: begin migrating now. Yet as of April 2026, most consumer VPN services have not shipped quantum-resistant encryption to their users. Post-quantum encryption (PQE) is a new class of cryptographic algorithm designed to resist attacks from both classical and quantum computers. This guide explains what it is, why the threat is already active, and what VPN users need to do today.
What Is Post-Quantum Encryption?
Post-quantum encryption refers to cryptographic algorithms that remain secure even when attacked by a large-scale quantum computer. Unlike RSA or ECC - which protect most VPN traffic today - these algorithms rely on mathematical problems that quantum machines cannot solve efficiently.
The term covers several distinct algorithm families. The most widely adopted is lattice-based cryptography, which underlies the newly standardized ML-KEM and ML-DSA. A second family, hash-based cryptography, powers the SLH-DSA standard as a conservative backup option.
The table below shows how classical encryption compares to post-quantum alternatives across the criteria that matter most for VPN security:
|
Criteria |
Classical Encryption (RSA/ECC) |
Post-Quantum Encryption (ML-KEM) |
|
Threat from quantum computer |
Broken by Shor's algorithm in hours |
Resistant - based on lattice math |
|
NIST status (April 2026) |
Being deprecated by 2035 |
Fully standardized (FIPS 203) |
|
VPN adoption |
Universal - every VPN uses it |
Limited - fewer than 10 major providers |
|
Key size (example) |
RSA-2048: 256 bytes |
ML-KEM-768: 1,184 bytes |
|
Performance overhead |
Low |
Moderate - manageable on modern hardware |
|
Protection vs HNDL attacks |
None - data collected now is at risk |
Full - quantum decryption cannot work |
Note: HNDL = Harvest Now, Decrypt Later attacks, explained in the next section.
How Does Classical Encryption Work Today?
Classical encryption methods - including AES-256, RSA, and ECC - secure the vast majority of internet traffic, including every major VPN service. Understanding how they work reveals exactly where the quantum vulnerability lies.
For a full breakdown of how these methods differ, see our guide on types of encryption. The key distinction relevant here is between symmetric and asymmetric encryption:
- AES-256 (symmetric): Uses a single shared key to encrypt data. Quantum computers only marginally weaken it - doubling the key size from 128 to 256 bits restores security.
- RSA and ECC (asymmetric): Use mathematically linked public and private key pairs. These are the protocols that quantum computers break directly, using Shor's algorithm.
- VPN handshake: Most VPNs use RSA or ECC to exchange a session key, then switch to AES for bulk data encryption. The asymmetric handshake is the vulnerable step.
What Threat Do Quantum Computers Pose to Encryption?
A sufficiently powerful quantum computer running Shor's algorithm could factor the large prime numbers that protect RSA keys - reducing a calculation that takes classical computers thousands of years to one that takes hours. ECC faces the same threat via the discrete logarithm problem.
For a deeper understanding of why RSA and ECC differ fundamentally in their vulnerability, see our symmetric vs asymmetric encryption comparison. The bottom line for VPN users: the public-key handshake that every VPN performs when you connect is the single most exposed step in your encrypted session.
The Harvest Now, Decrypt Later Attack - Why the Danger Is Already Here
The most urgent argument for adopting post-quantum encryption today has nothing to do with quantum computers being ready. It is based on a strategy called Harvest Now, Decrypt Later (HNDL).
State actors and advanced persistent threat groups are currently intercepting and storing encrypted VPN traffic - including corporate communications, government data, and private browsing - with no intention of decrypting it yet. They are waiting for quantum computers to mature, then plan to unlock the archives.
Several major cybersecurity agencies have confirmed this threat is active. According to official guidance from the U.S. Department of Homeland Security, the NSA, and CISA, adversaries are already exfiltrating sensitive, long-lived data with the explicit intent of future decryption.
A peer-reviewed study published in December 2025 by MDPI found that high-retention sectors such as satellite and health networks face exposure windows extending decades under delayed PQC adoption, according to HNDL temporal risk research (MDPI, December 2025).
For a VPN user, this means the encrypted traffic you sent through a non-PQE provider in 2025 may be readable by an adversary in 2030. Migrating to a quantum-resistant VPN now is the only way to close that window.
What Are the NIST Post-Quantum Cryptographic Standards?
On August 13, 2024, NIST released three finalized Federal Information Processing Standards, according to the NIST post-quantum cryptography announcement (August 2024). All three are approved for immediate deployment:
|
Standard |
Algorithm Name |
Use Case |
Based On |
|
FIPS 203 |
ML-KEM (CRYSTALS-Kyber) |
Key encapsulation - replaces RSA/ECC in VPN handshakes |
Module lattice math |
|
FIPS 204 |
ML-DSA (CRYSTALS-Dilithium) |
Digital signatures - replaces RSA signatures |
Module lattice math |
|
FIPS 205 |
SLH-DSA (SPHINCS+) |
Digital signatures - conservative backup standard |
Hash-based math |
NIST has also begun standardizing HQC as an additional key encapsulation backup, with finalization expected in 2027. The U.S. government has directed all federal agencies to complete migration to PQC by 2035, with high-risk systems transitioning far earlier.
How Does Post-Quantum Encryption Work? (ML-KEM Explained Simply)
ML-KEM replaces the RSA or ECC key exchange step inside a VPN connection. It protects the same function - securely establishing a shared encryption key between your device and the VPN server - using a completely different mathematical foundation.
Lattice-based cryptography relies on the Module Learning With Errors (MLWE) problem: finding a specific vector in a high-dimensional grid of mathematical points. This problem remains computationally hard even for quantum computers. For a technical comparison of how this fits within modern modern encryption protocols, see our full protocols guide.
The ML-KEM key exchange works in three steps:
- Key generation: The VPN server generates a public-private ML-KEM key pair.
- Encapsulation: Your device uses the server's public key to generate and encrypt a shared secret, producing a small ciphertext.
- Decapsulation: The server decrypts the ciphertext using its private key, recovering the shared secret. Both sides now have an identical key for AES encryption - without ever transmitting it.
Which VPNs Have Implemented Post-Quantum Encryption in 2026?
Adoption remains limited, but the leaders have moved quickly. For VPN security standards context, here is where major providers stand as of April 2026:
|
VPN Provider |
PQE Implemented? |
Algorithm Used |
Deployment Scope |
|
ExpressVPN |
Yes |
ML-KEM (Lightway protocol) |
All servers, default on |
|
NordVPN |
Yes |
ML-KEM hybrid (NordLynx) |
Staged rollout |
|
Mullvad VPN |
Yes |
ML-KEM (WireGuard) |
All servers |
|
Cloudflare WARP |
Yes |
ML-KEM + X25519 hybrid |
All users |
|
ProtonVPN |
Partial |
Testing phase |
Limited beta |
|
Most other providers |
No |
RSA/ECC only |
Not scheduled |
Hybrid deployment - combining classical and post-quantum algorithms - is the current industry norm for providers that have made the transition. This protects against both classical and quantum attacks simultaneously during the migration period.
Why Most VPN Providers Have Not Shipped Post-Quantum Encryption
Most VPN providers cite three obstacles. Each is valid to a degree - but none justifies inaction given that the HNDL threat is already in motion.
- Performance overhead: ML-KEM keys are larger than RSA keys (~1,184 bytes vs ~256 bytes for RSA-2048). On modern hardware, this adds negligible latency - under 1ms for most connections.
- Protocol integration: WireGuard and OpenVPN were not designed with post-quantum in mind. Retrofitting requires engineering work, but Mullvad and ExpressVPN have both published working implementations.
- Certificate infrastructure: Post-quantum certificates for HTTPS connections are not yet widely deployed. NIST and Cloudflare both project the first PQC certificates will be standard by late 2026.
The common mistake is treating PQE as a future problem. The harvest-now-decrypt-later dynamic means the consequences of delayed adoption are already accumulating - even if they are not visible yet.
What Should Regular Users Do Right Now?
You do not need to understand lattice mathematics to protect yourself. Take these four steps:
- Switch to a VPN with confirmed ML-KEM support. ExpressVPN, Mullvad, and NordVPN all have working implementations. Avoid providers that cannot confirm PQE deployment.
- Enable hybrid mode where available. Some providers offer ML-KEM alongside classical encryption. This is the safest transition approach - it keeps classical protection while adding quantum resistance.
- Prioritize your most sensitive traffic. Corporate communications, legal documents, and financial data have long shelf lives. These are the primary targets of HNDL attacks. Protect them first.
- Stay informed about certificate migration. By late 2026, expect your browser and VPN to start offering post-quantum TLS. Keeping software updated ensures you benefit from this automatically.
The Window to Act Is Now - Not 2035
Post-quantum encryption is not a precaution for a future threat. It is the response to an attack already in progress. State actors are collecting encrypted VPN traffic today - including yours - on the assumption that quantum computers will eventually unlock it.
NIST finalized three ready-to-deploy standards in August 2024. Providers like Mullvad, ExpressVPN, and NordVPN have already shipped working implementations. The question is not whether post-quantum encryption is necessary - it is whether your current VPN has deployed it.
Check your provider's documentation for ML-KEM support. If it is not there, consider switching before more of your sensitive traffic ends up in an adversary's archive waiting for Q-Day.
Frequently Asked Questions
Is post-quantum encryption the same as quantum encryption?
No. Quantum encryption refers to physics-based methods like quantum key distribution (QKD), which transmit keys using quantum particles over specialized hardware. Post-quantum encryption uses standard mathematical algorithms designed to run on today's computers but resist quantum attacks. VPNs use post-quantum encryption - not QKD.
Can AES-256 survive quantum computing?
Largely yes. AES-256 is symmetric encryption and is only weakened - not broken - by Grover's algorithm on quantum computers. Doubling the effective security level from 128 to 256 bits compensates for the quantum speedup. The real risk is the asymmetric key exchange that precedes AES encryption - that is where ML-KEM becomes necessary.
How long until quantum computers can actually break RSA?
Estimates from the cryptography community range from 5 to 15 years for a cryptographically relevant quantum computer. However, HNDL attacks make this timeline irrelevant for long-lived data - traffic intercepted today is already at risk if decryption happens before its confidentiality window closes.
What is the NIST 2035 deprecation deadline?
Under NIST IR 8547, NIST will deprecate quantum-vulnerable algorithms - including RSA, ECC, and Diffie-Hellman - from its standards by 2035. Organizations handling classified or high-sensitivity data are expected to complete migration much earlier, likely by 2030.
Will post-quantum encryption slow down my VPN?
Minimally. The main overhead is a larger key exchange payload during the initial connection handshake. Once connected, your traffic still runs on AES-256. Real-world testing by Cloudflare shows ML-KEM adds under 1 millisecond of connection overhead in most scenarios.
Do I need post-quantum encryption if I use HTTPS?
Yes - for the same reasons as VPNs. HTTPS relies on RSA or ECC key exchange via TLS. The first post-quantum TLS certificates are expected in late 2026. Until then, HTTPS traffic is also susceptible to HNDL collection. NIST specifically urges organizations not to wait for the 2035 deadline.
