Quantum computers have not yet broken a single VPN - but the race has already begun. In 2024, NIST approved the first post-quantum cryptography standards in history, and leading VPN providers have started implementing them. This changes everything: the encryption that protected you yesterday may become obsolete tomorrow.
What is post-quantum encryption
Modern VPNs use cryptography based on mathematical problems that are practically impossible for classical computers to solve - factoring large numbers into prime factors (RSA) or discrete logarithms (ECC). A quantum computer with a sufficient number of qubits will solve these problems in minutes using Shor's algorithm.
Post-quantum cryptography (PQC) is a new generation of algorithms resistant to attacks from both classical and quantum machines. They are built on different kinds of mathematical problems: lattice-based cryptography, hash functions, coding theory - problems for which quantum computers have no equivalent of Shor's algorithm.
NIST standards: August 2024
In August 2024, the U.S. National Institute of Standards and Technology (NIST) published the first three finalized PQC standards:
- ML-KEM (CRYSTALS-Kyber) - key encapsulation mechanism, replacing RSA/ECDH in key exchange
- ML-DSA (CRYSTALS-Dilithium) - digital signature algorithm
- SLH-DSA (SPHINCS+) - hash-based signature, backup option
In March 2025, NIST selected the HQC (Hamming Quasi-Cyclic) algorithm for standardization as a backup KEM - insurance in case vulnerabilities are found in ML-KEM. Finalization of documentation is ongoing.
Who has already implemented it: NordVPN and ExpressVPN lead the way
NordVPN was one of the first commercial VPN providers to implement PQC. In 2024, ML-KEM support appeared in the NordLynx protocol (based on WireGuard) for Linux, and in 2025 coverage expanded to all platforms: Windows, macOS, iOS, Android, Android TV, and tvOS. Post-quantum authentication is planned for 2026 - so that protection covers not only encryption but also identity verification.
ExpressVPN integrated ML-KEM into its proprietary Lightway protocol, using keys at NIST Security Level 5 - the maximum protection level. Implementation rolled out simultaneously across all platforms (Android, iOS, Linux, Mac, Windows) without a noticeable impact on connection speed.
WireGuard + Rosenpass: open standard
For WireGuard users, there is an open extension called Rosenpass - a separate daemon that adds post-quantum key exchange on top of standard WireGuard. Rosenpass uses Classic McEliece and Kyber/ML-KEM simultaneously, implementing the principle of hybrid cryptography: even if one of the algorithms is compromised, the connection is protected by the other.
Most providers are falling behind
Despite the standards being finalized, the majority of commercial VPNs as of early 2026 have still not implemented post-quantum protection. Cisco plans to support ML-KEM in enterprise products (ASA, FTD, AnyConnect/Secure Client) within IKEv2 - rollout expected with upcoming updates. Cloudflare applies ML-KEM in both HTTPS and its WARP VPN client - one of the first in the industry to do so.
This means: if your VPN provider does not mention ML-KEM or post-quantum protection - there is a high probability you have not received it yet.
What this means for you
- When choosing a VPN, check for ML-KEM / post-quantum encryption support in the protocols
- Hybrid schemes (classical + PQC simultaneously) are currently safer than classical-only
- If you work with data that is sensitive over a 10+ year horizon - act now
- Changing standards requires updating client applications - keep your VPN updated
• NIST Releases First 3 Finalized Post-Quantum Encryption Standards - NIST
• NordVPN aims for world-first post-quantum security milestones in 2026 - TechRadar
• ExpressVPN: Early Adopter of ML-KEM for Quantum Encryption - ExpressVPN Blog
• State of the post-quantum Internet in 2025 - Cloudflare Blog
• Post-Quantum VPN Encryption Arrived in 2025. Most Providers Still Don't Have It
