1. Executive summary
The threat of quantum computing to digital security is no longer theoretical—it's here (Coker 2024). While cryptographically relevant quantum computers may still be 5-15 years away, sophisticated adversaries are already harvesting encrypted data today with plans to decrypt it tomorrow. This "harvest now, decrypt later" attack means that any VPN traffic encrypted with current standards is potentially vulnerable, creating an urgent imperative for the VPN industry to adopt post-quantum encryption immediately.
With NIST publishing the first post-quantum cryptographic standards in August 2024 (NIST 2024), the race is on to secure today's communications against tomorrow's quantum threats.
Why it matters
Every encrypted VPN session recorded today could be decrypted within a decade, exposing sensitive data that users believe is secure. Government agencies including CISA, NSA, and NIST have issued urgent warnings that organizations must begin transitioning now, as migration takes 5-10 years (NIST 2024)—roughly the same timeline experts predict for quantum computers capable of breaking current encryption.
The stakes
VPN providers protecting billions of users worldwide face a critical decision point. Early adopters like Mullvad, ExpressVPN, and NordVPN have already deployed post-quantum protection, while others remain dangerously exposed. This comprehensive analysis examines the quantum computing advances driving this urgency, the post-quantum solutions now available, and which VPN providers are leading—or lagging—in protecting their users' future security.
2. Quantum computers are advancing faster than most expected
The period from 2024 to 2026 marked a transformative shift in quantum computing, with breakthrough achievements in error correction, logical qubit demonstrations, and the transition from noisy intermediate-scale quantum systems toward fault-tolerant quantum computing.
Google's Willow chip breakthrough
Google's Willow chip, announced December 9, 2024, achieved below-threshold error correction (Google Quantum AI 2024)—a 30-year goal where errors decreased exponentially as qubit count increased. This 105-qubit system completed computational tasks in under five minutes that would take the fastest supercomputers 10 septillion years, with coherence times five times better than previous generations.
IBM's ambitious roadmap
IBM's updated roadmap to 2029 targets Starling, a system with 200 logical qubits capable of running 100 million quantum gates by 2029 (IBM Quantum 2024), with intermediate milestones including enhanced connectivity systems and processors supporting quantum low-density parity check codes. The company has already deployed systems with over 1,121 physical qubits and opened European quantum facilities in Germany.
IonQ's record-breaking performance
Meanwhile, IonQ achieved a world-record 99.99% two-qubit gate fidelity in October 2025 (IonQ 2025), the first to cross the "four nines" benchmark that represents a performance increase of 10 billion times over previous standards. This trapped-ion technology breakthrough, using proprietary electronic qubit control instead of lasers, positions IonQ to scale to 256-qubit systems in 2026 and potentially two million qubits by 2030.
Microsoft and Atom Computing's logical qubits
Perhaps most significant for the quantum threat timeline, Microsoft and Atom Computing demonstrated 24 entangled logical qubits in November 2024 (Microsoft Azure 2024), the highest number on record at that time. This neutral-atom system successfully demonstrated error detection, correction, and computation across 28 logical qubits, with the company making systems available for commercial delivery in 2026. Atom Computing raised $230 million in February 2025 from Google and SoftBank, signaling major tech companies' confidence in near-term quantum capabilities.
Diverse approaches showing rapid progress
The diversity of approaches all showing rapid progress is particularly notable. Quantinuum's trapped-ion H2 system achieved a quantum volume of 33.5 million with 56 qubits and demonstrated logical error rates 800 times lower than physical error rates. PsiQuantum unveiled its Omega chipset in February 2025, demonstrating 99.98% single-qubit fidelity with silicon photonic quantum computing that leverages existing semiconductor manufacturing. The company, backed by over $750 million at a $6 billion valuation, targets million-qubit utility-scale systems by 2029 with facilities breaking ground in Brisbane and Chicago.
Investment reflects accelerating progress
Investment and government support reflect this accelerating progress. Global quantum computing funding exceeded $1.5 billion in 2024, nearly doubling 2023 levels (Network World 2024), with major deals including Quantinuum's $600 million raise at a $10 billion valuation and multiple government commitments exceeding $10 billion globally. Japan committed $7.4 billion, Spain pledged $900 million, and Australia invested nearly $1 billion in PsiQuantum's Brisbane facility alone.
3. Expert timelines converge on 2030-2035 for breaking current encryption
The consensus among quantum computing experts and intelligence agencies has crystallized around a critical window. Breaking RSA-2048 encryption requires approximately 4,000-6,000 logical qubits (RAND Corporation 2023), which translates to roughly one million to 20 million physical qubits depending on error rates and correction code efficiency. Using Shor's algorithm, such a system could break RSA-2048 in approximately one week of continuous operation, though recent algorithmic optimizations suggest both qubit requirements and runtime could decrease significantly.
Expert probability assessments
The Global Risk Institute's 2026 survey of quantum experts found that more than half assess greater than 5% probability of cryptographically relevant quantum computers within 10 years, with nearly one-third seeing significant probability by 2030. RAND Corporation's conservative analysis suggests "not until at least the 2030s," while NIST and industry experts commonly cite 10-20 years from 2026.
Company-specific projections are more aggressive
However, company-specific projections are more aggressive: IonQ's roadmap positions its 2028 system as potentially CRQC-capable with 1,600 logical qubits targeted (PostQuantum.com 2024), while IBM aims for 200 logical qubits by 2029 and scaling to 2,000-plus in the early 2030s.
Uncertainty itself drives urgency
Critically, these timelines assume steady progress, but breakthroughs could accelerate dramatically. NVIDIA CEO Jensen Huang dampened near-term expectations in January 2025, suggesting "very useful quantum computing" remains 15-20 years away, triggering a stock market correction in quantum computing companies. Yet this cautious view contrasts sharply with the rapid achievements of 2024-2026, where multiple companies exceeded expectations in error correction and logical qubit scaling.
The uncertainty itself drives urgency. National Cyber Director Harry Coker stated in August 2024 that "the threat posed by quantum computing is not just on the horizon. It really is here now" (The Record 2024), noting that most actors are already using a "store now and break later" framework. Admiral Mike Rogers, former NSA Director, emphasized that "data that needs to be protected for decades needs protection from quantum computers today." This recognition that the harvest is already happening—even if decryption capabilities lie years ahead—fundamentally changes the risk calculus for any organization protecting sensitive information.
4. NIST standards provide the blueprint for quantum-resistant security
After an eight-year global effort beginning in 2016, NIST published the first three post-quantum cryptography standards on August 13, 2024, with two additional algorithms in standardization (NIST 2024). These finalized standards—FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), and FIPS 205 (SLH-DSA)—represent vetted, production-ready algorithms that organizations can deploy immediately to protect against future quantum threats.
ML-KEM: The primary key encapsulation mechanism
ML-KEM, originally CRYSTALS-Kyber, serves as the primary key encapsulation mechanism based on the Module Learning With Errors problem from lattice-based cryptography. The ML-KEM-768 variant, offering security equivalent to AES-192, requires 1,184-byte public keys and generates 1,088-byte ciphertexts—significantly larger than the 32 bytes used by classical elliptic curve cryptography, but offering security against known quantum attacks.
By October 2026, Cloudflare reported that 47% of its traffic used ML-KEM protection (Cloudflare 2026), with Google Chrome making it default in April 2024. This rapid adoption demonstrates that despite larger key sizes, the performance impact remains manageable with thousands of operations per second achievable on standard hardware.
ML-DSA: Digital signatures for post-quantum era
ML-DSA, derived from CRYSTALS-Dilithium, provides digital signatures based on lattice problems, with ML-DSA-65 requiring 1,952-byte public keys and generating 3,293-byte signatures—roughly 13 times larger than RSA-2048 (DigiCert 2024). While the size increase is substantial, signing and verification speeds remain comparable to RSA, making it practical for general use in TLS certificates and code signing.
SLH-DSA: The conservative backup
SLH-DSA, based on SPHINCS+, takes an entirely different approach using only hash functions rather than mathematical hardness assumptions. This conservative choice produces enormous signatures of 7-50 kilobytes but provides the highest confidence against future cryptanalytic breakthroughs, as security depends solely on the collision resistance of hash functions. It serves as a backup should lattice-based algorithms prove vulnerable, much like HQC—the code-based key encapsulation mechanism selected by NIST in March 2026 as a fifth algorithm to provide mathematical diversity from the lattice-based ML-KEM.
Technical foundations vary significantly
Lattice-based cryptography, underlying three of the five standards, relies on the difficulty of problems like the Shortest Vector Problem and Learning With Errors on lattice structures. These problems are believed to be hard even for quantum computers, with strong security proofs and relatively efficient implementations. Hash-based signatures depend on collision resistance, offering the most conservative security assumptions. Code-based cryptography, represented by HQC, has over 40 years of cryptanalysis history based on the difficulty of decoding random linear codes.
5. Federal mandates set aggressive migration deadlines
The U.S. government has established clear timelines reflecting the urgency of quantum threats. National Security Memorandum 10, issued in May 2022, prioritizes national defense against quantum threats and mandates that federal agencies transition away from quantum-vulnerable cryptography, with the goal to "mitigate as much of the quantum risk as is feasible by 2035."
NSA's Commercial National Security Algorithm Suite 2.0
More specifically, NSA's Commercial National Security Algorithm Suite 2.0 requires that all National Security Systems be quantum-resistant by 2035 (NSA 2022), with phased deadlines beginning January 1, 2027, when all new NSS must be CNSA 2.0 compliant.
NIST guidance and OMB directives
NIST's November 2024 guidance (NIST IR 8547) specifies that by 2030, classical algorithms should be deprecated, with complete disallowance after 2035 for federal systems. The Office of Management and Budget's directive M-23-02, issued in November 2022, requires federal agencies to conduct annual inventories of cryptographic systems and work toward 2030 targets (U.S. OMB 2022).
Biden's Executive Order 14144
Most significantly, President Biden's Executive Order 14144, issued January 16, 2025, requires federal procurement to incorporate post-quantum cryptography requirements within 90 days—a concrete mandate with immediate effect.
International coordination
Internationally, the European Commission's April 11, 2024 recommendation established similar timelines (European Commission 2024): all EU Member States should begin transitioning by the end of 2026, critical infrastructure must be PQC-protected by 2030, and complete transition for all feasible systems should occur by 2035. The UK's National Cyber Security Centre targets 2035 for complete UK transition, with detailed migration guidance published throughout 2024-2025. Germany, France, Sweden, Japan, and Canada have each published national strategies targeting the 2030-2035 window.
The mathematics of migration complexity
These timelines reflect the mathematics of migration complexity. Cryptography deployments historically require 10-20 years to achieve complete adoption due to the complexity of identifying all cryptographic implementations, updating protocols, coordinating with vendors, testing compatibility, and managing legacy systems. Organizations starting in 2025 face a race against both Q-Day and government compliance deadlines, making immediate action essential rather than optional.
6. VPNs currently rely on quantum-vulnerable key exchange
Understanding VPN encryption vulnerability requires distinguishing between two components: the symmetric encryption protecting data in transit and the asymmetric cryptography establishing session keys. Current VPN symmetric encryption using AES-256-GCM or ChaCha20-Poly1305 remains relatively quantum-safe—Grover's algorithm reduces 256-bit security to an effective 128-bit equivalent, still computationally infeasible. The critical vulnerability lies in the key exchange mechanisms that establish these symmetric session keys.
OpenVPN's quantum vulnerability
OpenVPN, the most widely deployed open-source VPN protocol since 2001, uses TLS for key exchange with configurable cipher suites including AES-128-GCM, AES-256-GCM, and ChaCha20-Poly1305 for data encryption (OpenVPN 2024). However, the TLS handshake establishing session keys relies on either RSA or elliptic curve Diffie-Hellman (ECDH), both completely vulnerable to Shor's algorithm. An adversary with a quantum computer could retroactively break the recorded TLS handshake, recover session keys, and decrypt all VPN traffic from that session—even though the AES-256 encryption itself would resist quantum attacks.
WireGuard's fixed cryptographic suite
WireGuard, the modern minimal-code protocol operating in kernel space, uses a fixed cryptographic suite: ChaCha20 for encryption, Poly1305 for authentication, Curve25519 for key exchange, BLAKE2s for hashing, and SipHash24 for hashtable keys. While elegant in its simplicity with just 4,000 lines of code compared to OpenVPN's 70,000, WireGuard's reliance on Curve25519—an elliptic curve key exchange—makes it fundamentally quantum-vulnerable. The protocol wasn't designed with post-quantum cryptography in mind, creating implementation challenges that several VPN providers are now addressing through various workarounds.
IKEv2/IPsec's separation of concerns
IKEv2/IPsec, developed by Microsoft and Cisco, separates concerns with IKEv2 handling Security Association establishment and IPsec providing encryption through Encapsulating Security Payload. While the IPsec encryption using AES-128/256 with HMAC-SHA-256/512 authentication remains quantum-resistant, the IKEv2 key exchange using Diffie-Hellman groups or ECDH groups creates the same vulnerability. The protocol does offer advantages for post-quantum migration through RFC 8784, which defines extensions for post-quantum pre-shared keys that can be mixed with traditional key exchanges to achieve quantum resistance (IETF 2020).
Perfect Forward Secrecy offers no protection against quantum attacks
Perfect Forward Secrecy, implemented through ephemeral Diffie-Hellman exchanges that generate unique session keys per connection, provides important protection against retrospective decryption from long-term key compromise. However, PFS offers no protection against quantum attacks, since an adversary with a quantum computer can break each ephemeral key exchange independently. This fundamentally changes the security calculus: whereas PFS protected historical communications if current keys were compromised, quantum computers threaten every recorded session regardless of PFS implementation.
7. Harvest now decrypt later attacks are already underway
The "harvest now, decrypt later" threat model represents one of the most insidious aspects of the quantum threat. Unlike ransomware or active intrusions that generate immediate alerts, HNDL attacks leave no traces—adversaries simply collect encrypted traffic and store it indefinitely. National Cyber Director Harry Coker stated explicitly in August 2024 that "most actors are already using a 'store now and break later' framework with the intention to decrypt it once they have quantum capability" (The Record 2024). This isn't a hypothetical future threat; the harvesting is happening now.
CISA identifies four primary nation-state actors
CISA officially identifies four primary nation-state actors conducting these operations (IBM 2024):
- China: The most sophisticated and well-resourced threat, with 72% of attacks targeting North America, Taiwan, and Southeast Asia, focusing on critical infrastructure, intellectual property in technology, AI, pharmaceuticals, and biotechnology sectors.
- Russia: Conducts broad-scope cyber espionage with 75% of 2023-2024 attacks targeting Ukraine or NATO members, combining intelligence gathering with destructive capabilities.
- Iran: Has shifted focus with 50% of activity from October 2023 to June 2024 targeting Israel, while also conducting infrastructure attacks and domestic suppression operations.
- North Korea: Lazarus Group pursues revenue generation through sophisticated attacks on financial institutions and cryptocurrency exchanges, including a $625 million cryptocurrency heist, driven by economic sanctions.
Real-world evidence of HNDL operations
Real-world evidence suggests active HNDL operations:
- In 2016, Canadian internet traffic destined for South Korea was rerouted through China, demonstrating both capability and opportunity for mass encrypted data collection.
- A 2019 incident saw large-scale European mobile phone traffic redirected through suspicious routes.
- In 2020, data from Google, Amazon, Facebook, and over 200 networks was rerouted through Russia, a massive-scale operation consistent with HNDL data harvesting.
- During the ongoing Russo-Ukrainian war, Russia routinely reroutes Ukrainian internet traffic, actively collecting government and military communications for potential future decryption.
Most vulnerable data categories
The data most vulnerable to HNDL attacks shares specific characteristics: long shelf life (remaining sensitive for 5-30+ years), high strategic value, regulatory retention requirements, evergreen nature where value doesn't diminish, and information that cannot be easily changed or invalidated. Healthcare records subject to HIPAA requirements, including genomic information that never changes, represent permanent vulnerabilities. Pharmaceutical research and development with 10-15 year timelines, trade secrets, military communications, financial transaction histories, and critical infrastructure control systems all fall into the highest-risk categories.
Timeline alignment is disturbingly precise
The timeline for when harvested data becomes decryptable aligns disturbingly well with the data's longevity. Google's Craig Gidney identifies 2030-2035 as the first credible threat window. PostQuantum.com analysis suggests 30-50% chance of CRQC capability by 2030, rising to near certainty by 2035. The Cloud Security Alliance strongly recommends full quantum-readiness by April 14, 2030 (QuantumXC 2024)—a specific date based on risk assessment modeling. For organizations in pharmaceuticals, healthcare, government, defense, or any sector with long-term sensitive data, the mathematics are stark: data encrypted today may remain sensitive in 2035, precisely when quantum decryption capability is most likely to materialize.
8. Signal leads consumer messaging in post-quantum protection
Signal Protocol, the cryptographic protocol providing end-to-end encryption for billions of users through Signal, WhatsApp, and other applications, has implemented comprehensive post-quantum protection through two major upgrades. The protocol's original architecture consists of X3DH for initial key agreement and the Double Ratchet Algorithm for ongoing message encryption, both relying on elliptic curve cryptography vulnerable to quantum attacks.
PQXDH deployment in September 2023
In September 2023, Signal deployed PQXDH (Post-Quantum Extended Diffie-Hellman), which augments X3DH with ML-KEM (originally CRYSTALS-Kyber). The hybrid approach combines classical elliptic curve shared secrets from multiple Diffie-Hellman calculations with a post-quantum shared secret from ML-KEM encapsulation, such that an attacker must break both the elliptic curve cryptography and the post-quantum algorithm to compromise the session key. This provides post-quantum forward secrecy, protecting session initiation against passive quantum adversaries—even if they record the entire handshake, they cannot derive the session key without breaking ML-KEM.
Triple Ratchet with SPQR in 2025
However, PQXDH addressed only the initial handshake. The ongoing communication security of the Double Ratchet, which combines symmetric-key ratcheting for deriving unique message keys with Diffie-Hellman ratcheting for post-compromise security, remained quantum-vulnerable in its DH ratchet component. In 2025, Signal deployed the Triple Ratchet with SPQR (Sparse Post-Quantum Ratchet), which runs alongside the existing Double Ratchet to provide quantum-resistant healing from compromise.
When a device is compromised and keys are captured, the quantum-vulnerable DH ratchet alone cannot provide post-compromise security against an adversary with a quantum computer, who could compute DH secrets from public keys and prevent the session from ever healing. SPQR adds ML-KEM-768 ratcheting that occurs sparsely rather than every message, using erasure coding to break large KEM payloads into small chunks distributed across multiple messages.
Unprecedented formal verification
The technical achievement is remarkable. SPQR maintains all classical security properties of the Double Ratchet while adding post-quantum forward secrecy and post-compromise security with minimal overhead—approximately 36 bytes per message during ratcheting periods. Signal's implementation has received unprecedented formal verification, including ProVerif symbolic model verification, CryptoVerif computational model verification, and continuous Hax+F* verification where Rust code is automatically translated to F* on every continuous integration run to prove correctness and panic-freedom. This represents the most extensively verified secure messaging protocol in existence.
Apple's PQ3 protocol
Apple implemented similar protections with PQ3 protocol for iMessage in February 2024, which Signal's researchers classify as "Level 3" security—the highest level, providing post-quantum protection for both initial key agreement and ongoing communication. The PQ3 implementation uses hybrid ECC plus Kyber/ML-KEM with rekeying every 50 messages or seven days maximum, creating what Apple's security team calls "the first messaging protocol to reach what we call Level 3 security—providing protocol protections that surpass those in all other widely deployed messaging apps."
9. VPN providers show dramatically different quantum readiness
The VPN industry's response to quantum threats reveals stark divisions between proactive leaders and providers that remain dangerously exposed.
Mullvad VPN: The pioneer
Mullvad VPN stands as the pioneer, implementing post-quantum protection experimentally in 2017 and making it default across platforms in 2025. The Swedish provider uses hybrid ML-KEM plus Classic McEliece code-based cryptography, injecting quantum-safe secrets via WireGuard's pre-shared key option. Migration from experimental Classic McEliece to standardized ML-KEM is planned, with CEO Jan Jonsson emphasizing that "the strength of a standard lies in the fact that it is open and gets audited and reviewed in a way that makes it secure." Performance impact remains minimal—just one to two seconds additional connection time with no throughput degradation.
ExpressVPN: First to implement final standards
ExpressVPN deployed post-quantum protection in October 2023 using Kyber, then migrated to NIST-standardized ML-KEM in January 2025, making it one of the first providers to implement final FIPS 203 standards in production. The implementation uses the company's proprietary Lightway protocol, which was designed with post-quantum considerations from inception. Lightway employs hybrid ML-KEM Security Level 5 combined with classical P-521 elliptic curve cryptography, migrating from the Open Quantum Safe library to WolfSSL's production-grade implementation. COO Pete Membrey stated, "We believe that by playing an active role in the transition to a quantum-safe world, we can future-proof ourselves and our users." The protocol operates across all platforms—Android, iOS, Linux, macOS, and Windows—with no noticeable performance impact.
NordVPN: Complete cross-platform deployment
NordVPN launched post-quantum encryption in September 2024 for Linux, completing rollout across all platforms by January 2025 (Quantum Computing Report 2025). The implementation uses NordLynx, the company's modified WireGuard protocol, with ML-KEM hybrid cryptography. The deployment covers Windows, macOS, iOS, Android, tvOS, and Android TV, though with limitations: it works only with the NordLynx protocol and is incompatible with Dedicated IP, OpenVPN, Obfuscated servers, and Meshnet features. CTO Marijus Briedis emphasized that "by integrating PQE into our VPN infrastructure, we're taking a proactive step to ensure long-term confidentiality and resilience for our customers' data, both now and in a post-quantum future."
ProtonVPN: The cautious approach
ProtonVPN has taken a notably cautious approach. The Swiss provider, known for its privacy focus, is developing PQC across its entire ecosystem but describes it as "a marathon, not a sprint," with "still some way off" remaining as of late 2024. CTO Bart Butler explained the conservative stance: "New cryptography is inherently risky, simply because it has not been battle-tested yet. Millions of users trust Proton every day with their communications and data, in some cases with their lives." The company is leading OpenPGP post-quantum standard development with Germany's BSI, suggesting deep technical involvement even as consumer deployment lags competitors.
Others in development
Surfshark and Private Internet Access have both announced active implementation of ML-KEM for their WireGuard implementations. Surfshark's Lead Engineer Karolis Kačiulis stated that NIST standardization "reassures us that we're on the right path. Providers that fail to embrace these new standards risk being left behind." PIA's VP of Engineering Jose Blaya confirmed the company is "fully committed to, and working towards, post-quantum encryption standards" and "will be moving quickly to take advantage of any possible improvements," though neither provider has announced deployment timelines. IVPN and IPVanish are also in development phases, with IPVanish targeting 2025 release after extensive testing.
Concerning absences
Notably absent are major providers including CyberGhost and TunnelBear, which have issued no public statements or documentation regarding post-quantum initiatives. Research from Germany's DGAP Institute lists CyberGhost among providers assessed as "quantum insecure," a concerning classification given the company's substantial user base.
10. Enterprise VPN solutions lead on quantum protection
The enterprise VPN market has moved faster than consumer providers in some respects.
Fortinet's comprehensive implementation
Fortinet deployed post-quantum protection in FortiOS 7.6.1 in November 2024, implementing ML-KEM (FIPS 203) for IPsec VPN with three security levels: ML-KEM-512, ML-KEM-768, and ML-KEM-1024. The implementation uses "Additional Key Exchanges" in Phase 1 and Phase 2 of IPsec negotiation, combining traditional DH or ECDH with post-quantum key encapsulation in a hybrid approach. FortiOS 7.6.3 added quantum key distribution support, and the platform includes post-quantum digital signature algorithms. The company's 2023 partnership with Arqit and BT Group demonstrated quantum-safe VPN protection for enterprise customers, with comprehensive technical documentation guiding implementation.
Palo Alto Networks' early adoption
Palo Alto Networks implemented post-quantum protection even earlier, with PAN-OS 11.1 in November 2023 supporting RFC 8784 for IKEv2 VPN quantum resistance (Palo Alto Networks 2023). The implementation uses post-quantum pre-shared keys mixed with Diffie-Hellman keys to create quantum-resistant session keys. The PQ PPKs are distributed out-of-band and then combined with standard DH exchanges—since the PPK is quantum-safe and the combination operation is quantum-safe, the resulting session key resists quantum attacks even if the DH component is broken. The system operates in mandatory mode when both peers support PQC or optional mode with automatic fallback. In November 2024, Palo Alto partnered with Singapore Telecom on a Quantum-Safe Network using ML-KEM, demonstrating enterprise-scale deployment.
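The PPK mixing step that RFC 8784 defines for IKEv2, referred to here and in the IKEv2/IPsec section, written out as an added example (it is not Palo Alto's code or part of the original analysis). It assumes HMAC-SHA-256 as the negotiated prf; every key, nonce and PPK value is a constructed sample.

```python
import hashlib
import hmac

PRF_LEN = 32  # output size of HMAC-SHA-256, the prf assumed for this sketch


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv2 prf, assumed here to be PRF_HMAC_SHA2_256."""
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """prf+ from RFC 7296: T1 = prf(K, S | 0x01), Tn = prf(K, Tn-1 | S | n)."""
    if length > 255 * PRF_LEN:
        raise ValueError("prf+ is limited to 255 blocks")
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = prf(key, block + seed + bytes([counter]))
        out += block
        counter += 1
    return out[:length]


def mix_ppk(ppk: bytes, sk_d: bytes, sk_pi: bytes, sk_pr: bytes) -> dict:
    """RFC 8784 mixing: each DH-derived key is replaced by prf+(PPK, key)."""
    return {
        "SK_d": prf_plus(ppk, sk_d, len(sk_d)),
        "SK_pi": prf_plus(ppk, sk_pi, len(sk_pi)),
        "SK_pr": prf_plus(ppk, sk_pr, len(sk_pr)),
    }


def child_keymat(sk_d: bytes, ni: bytes, nr: bytes, length: int) -> bytes:
    """Child SA (IPsec) key material: KEYMAT = prf+(SK_d, Ni | Nr)."""
    return prf_plus(sk_d, ni + nr, length)


def sample(label: str) -> bytes:
    """Deterministic constructed test value; real values come from the IKE exchange."""
    return hashlib.sha256(label.encode()).digest()


# Constructed inputs. SK_*_PRIME stand for the keys derived from the classical
# (EC)DH exchange, i.e. what a quantum-capable observer of a recorded
# handshake could eventually recompute. PPK is the out-of-band secret.
SK_D_PRIME = sample("constructed SK_d'")
SK_PI_PRIME = sample("constructed SK_pi'")
SK_PR_PRIME = sample("constructed SK_pr'")
NONCE_I = sample("constructed Ni")
NONCE_R = sample("constructed Nr")
PPK = sample("constructed out-of-band PPK")


def demo() -> dict:
    """Compare traffic keys with and without knowledge of the PPK."""
    mixed = mix_ppk(PPK, SK_D_PRIME, SK_PI_PRIME, SK_PR_PRIME)
    real = child_keymat(mixed["SK_d"], NONCE_I, NONCE_R, 64)
    # Same derivation using only what the recorded DH exchange yields.
    dh_only = child_keymat(SK_D_PRIME, NONCE_I, NONCE_R, 64)
    return {"real": real, "dh_only": dh_only, "match": real == dh_only}


if __name__ == "__main__":
    result = demo()
    print("keymat with PPK :", result["real"].hex()[:32], "...")
    print("keymat DH only  :", result["dh_only"].hex()[:32], "...")
    print("DH-only recovery matches real keys:", result["match"])
```

Only SK_d, SK_pi and SK_pr are mixed with the PPK; the keys protecting the initial IKE SA are left as derived from the DH exchange, so the quantum resistance applies to the child SAs that carry the IPsec traffic.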
Cisco's unclear position
Cisco's position remains less clear, with limited public information on AnyConnect's post-quantum roadmap. The company has referenced SKIP as quantum-safe VPN technology using TLS 1.2 with PSK-DHE, but comprehensive migration plans remain unpublished as many organizations migrate away from AnyConnect to competing solutions.
11. Implementation challenges slow but don't stop progress
VPN providers face several technical challenges implementing post-quantum cryptography.
Key size increases
The most immediate is key size: ML-KEM public keys require approximately 1-2 kilobytes compared to just 32 bytes for Curve25519, creating 5-10 times handshake bandwidth overhead. This translates to an additional one to three seconds for connection establishment, noticeable but manageable for most use cases. However, mobile devices switching between networks trigger new handshakes, potentially impacting user experience and data usage on metered connections.
Computational overhead
Computational overhead during handshake operations poses challenges for battery life on mobile devices and processing capacity on older hardware. ML-KEM algorithms require more intensive calculations than elliptic curve operations, though the impact occurs only during handshake—symmetric encryption performance remains unchanged since AES-256 or ChaCha20 continues protecting data in transit. Lack of hardware acceleration for post-quantum algorithms exacerbates the problem, though this will improve as processors add native PQC instructions similar to current AES-NI acceleration.
WireGuard's design challenges
WireGuard's design presents particular challenges. The protocol wasn't architected with post-quantum cryptography in mind, using fixed cryptographic primitives hardcoded into the specification. This forces providers to adopt workarounds: Mullvad injects quantum-safe secrets via WireGuard's pre-shared key option, while NordVPN modified WireGuard into NordLynx to enable seamless PQC integration. ExpressVPN avoided these limitations by designing Lightway from inception with post-quantum considerations, allowing native integration without protocol compromises.
Compatibility and interoperability
Compatibility and interoperability create deployment complexity. Both endpoints—client and server—must support identical post-quantum algorithms, necessitating coordinated updates across potentially millions of users with diverse device types and operating systems. Hybrid cryptography provides backwards compatibility during the transition, maintaining connections with non-PQC clients while offering enhanced protection for updated endpoints. However, this leaves providers managing fragmented client versions and adds testing complexity.
Minimal practical impact
Despite these obstacles, the technical evidence demonstrates that well-implemented post-quantum VPN encryption imposes minimal practical impact. Mullvad reports one to two seconds connection overhead with zero throughput degradation. ExpressVPN describes "no noticeable impact" with Lightway's inherent performance advantages offsetting PQC overhead. NordVPN's testing showed performance acceptable for production deployment across all platforms. The primary barrier is not technical feasibility but organizational prioritization and implementation effort.
12. Quantum key distribution pursues a different path
While post-quantum cryptography focuses on mathematical algorithms resistant to quantum attacks, quantum key distribution takes an entirely different approach—using quantum mechanics itself for secure key exchange.
How QKD works
The BB84 protocol, introduced by Charles Bennett and Gilles Brassard in 1984, encodes key bits in photon polarizations transmitted through fiber optic or free-space channels. The fundamental laws of quantum mechanics—particularly the no-cloning theorem and measurement disturbance—ensure that any eavesdropper attempting to intercept and measure photons introduces detectable errors, allowing parties to verify the channel is secure before using derived keys.
QKD offers information-theoretic security based on physics rather than computational hardness, making it theoretically secure against adversaries with unlimited computing power, including quantum computers.
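The eavesdropper-detection property described above can be seen in a small simulation, added here as an illustration and not taken from any QKD product: an idealized, noise-free BB84 run in which an intercept-resend eavesdropper measures every photon in a random basis. The function names, the 50% check sample and the 11% abort threshold are assumptions of this example.

```python
import random

BASES = "+x"  # rectilinear and diagonal polarization bases


def measure(bit, prep_basis, meas_basis, rng):
    """Matching basis returns the encoded bit; a mismatched basis returns a random bit."""
    return bit if prep_basis == meas_basis else rng.randint(0, 1)


def run_bb84(n_photons, eavesdrop, seed, sample_fraction=0.5, abort_qber=0.11):
    """Simulate one BB84 session and return sifting and error statistics.

    abort_qber is an assumed policy threshold for this example.
    """
    rng = random.Random(seed)
    alice_bits = [rng.randint(0, 1) for _ in range(n_photons)]
    alice_bases = [rng.choice(BASES) for _ in range(n_photons)]
    bob_bases = [rng.choice(BASES) for _ in range(n_photons)]

    bob_bits = []
    for bit, a_basis, b_basis in zip(alice_bits, alice_bases, bob_bases):
        photon_bit, photon_basis = bit, a_basis
        if eavesdrop:
            # Intercept-resend: Eve cannot copy the photon, so she measures it
            # in a guessed basis and sends on a new photon prepared in that basis.
            e_basis = rng.choice(BASES)
            photon_bit = measure(photon_bit, photon_basis, e_basis, rng)
            photon_basis = e_basis
        bob_bits.append(measure(photon_bit, photon_basis, b_basis, rng))

    # Sifting: bases are compared publicly; only matching positions are kept.
    sifted = [(a, b) for a, b, ab, bb
              in zip(alice_bits, bob_bits, alice_bases, bob_bases) if ab == bb]

    # Error estimation: a random subset is disclosed and compared, then discarded.
    rng.shuffle(sifted)
    n_check = int(len(sifted) * sample_fraction)
    check, remainder = sifted[:n_check], sifted[n_check:]
    errors = sum(a != b for a, b in check)
    qber = errors / n_check if n_check else 1.0

    accepted = qber <= abort_qber
    return {
        "sifted": len(sifted),
        "qber": qber,
        "accepted": accepted,
        "key_bits": len(remainder) if accepted else 0,
    }


if __name__ == "__main__":
    for label, eve in (("quiet channel", False), ("intercept-resend", True)):
        r = run_bb84(20000, eve, seed=1)
        print(f"{label}: sifted={r['sifted']} qber={r['qber']:.3f} "
              f"accepted={r['accepted']} key_bits={r['key_bits']}")
```

With matching bases, the eavesdropper guesses the wrong basis half the time and each wrong guess flips the receiver's bit half the time, so the disclosed sample shows an error rate near 25% and the session is rejected before any key is used.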
NSA's explicit non-support
However, QKD faces fundamental limitations that have led the cryptography community to prioritize post-quantum cryptography for general use. NSA explicitly states it "does not support the usage of QKD to protect communications in National Security Systems" and "does not anticipate certifying or approving any QKD products for usage by NSS customers unless these limitations are overcome." European security agencies including France's ANSSI, Germany's BSI, and the Netherlands' NLNCSA issue similar guidance—QKD is not recommended as a sole solution.
Practical limitations are severe
The practical limitations are severe. QKD requires dedicated fiber optic links or line-of-sight free-space channels, fundamentally limiting it to point-to-point connections or networks with trusted intermediate nodes that introduce security vulnerabilities. Distance remains restricted to approximately 100-300 kilometers in fiber without quantum repeaters, which remain a fundamental research challenge. The technology cannot work over standard internet routing, making it unsuitable for the billions of devices requiring cryptographic protection. QKD provides only key distribution—not encryption, authentication, or digital signatures—requiring classical cryptography for complete security, creating the irony that QKD systems typically depend on classical public key infrastructure for authentication.
Cost and scalability concerns
Cost and scalability concerns are equally significant. QKD hardware costs $100,000 or more per endpoint, compared to essentially zero marginal cost for software-based post-quantum cryptography. Key generation rates of kilobits per second limit throughput. For connecting N parties point-to-point, QKD requires N(N-1)/2 quantum links—45 links for just 10 parties—while PQC works over existing internet infrastructure with a single connection per party. Implementation attacks exploiting detector and source imperfections have demonstrated that real-world QKD security often falls short of theoretical guarantees.
Why the community chose PQC
The cryptography community has chosen post-quantum cryptography as the primary defense precisely because it solves the scalability, functionality, and cost problems that make QKD impractical for general use. PQC provides complete cryptographic functionality, works on existing hardware and networks, scales to billions of users, and benefits from open standardization and validation processes. QKD retains value for ultra-high-security government and military applications where dedicated links are justifiable and defense-in-depth combining QKD with PQC provides maximum assurance, but it cannot serve as the foundation for quantum-safe internet security.
13. Standards bodies accelerate protocol integration
Beyond algorithm standardization, implementing post-quantum cryptography across internet protocols requires extensive coordination.
IETF coordination efforts
The IETF Post-Quantum Use In Protocols (PQUIP) working group, launched in January 2025 with a two-year experimental charter, coordinates PQC integration across IETF protocol specifications. The TLS working group has standardized hybrid ML-KEM plus X25519 key exchange for TLS 1.3, with implementation guidance published in September 2025. By March 2025, Cloudflare reported that over 35% of human web traffic used ML-KEM hybrid protection—remarkable adoption just seven months after NIST standards finalization.
Supporting working groups
The LAMPS working group addresses post-quantum signatures in X.509 certificates and public key infrastructure, defining encodings for ML-DSA and SLH-DSA signatures that enable PQC certificate authorities and certificate-based authentication. The COSE working group standardizes post-quantum algorithm representations for constrained environments and IoT devices. Multiple working groups collaborate on post-quantum SSH, SFTP, and other secure communication protocols to ensure comprehensive ecosystem coverage.
International and industry coordination
ETSI's Quantum Safe Cryptography technical committee complements NIST's algorithm work with European perspectives, developing specifications including TS 103 744 for quantum-safe implementations. The QHKEX project provides open-source hybrid key exchange implementations. ISO/IEC coordinates international cryptographic standards to ensure global alignment with NIST's selections. The Linux Foundation's Post-Quantum Cryptography Alliance, launched February 6, 2024, brings together AWS, Cisco, Google, IBM, NVIDIA, and other industry leaders to develop production-ready CNSA 2.0-compliant open-source libraries including PQ Code Package and Open Quantum Safe, which integrated NVIDIA's GPU-accelerated cuPQC in January 2025 for high-performance implementations.
Browser vendors lead implementation
Browser vendors are implementing aggressively. Google Chrome made ML-KEM default in version 124 in April 2024—just four months before NIST's formal standard publication, based on confidence in the draft standard. Firefox and Edge followed with enabled support. This browser-first deployment creates immediate protection for HTTPS connections, though full VPN client support lags slightly as providers update applications and coordinate server deployments.
14. Migration timeline requires immediate action
The mathematics of migration create urgent imperatives. Historical cryptographic transitions require 10-20 years for complete deployment due to the complexity of discovering all cryptographic implementations across an organization's infrastructure, updating protocols and applications, coordinating with vendors, testing compatibility, managing legacy systems, and training staff. Organizations beginning migration in 2025 face approximately 5-10 years to complete the transition—assuming no major setbacks—putting completion around 2030-2035 precisely when expert consensus expects quantum threats to materialize.
NIST's phased approach
NIST's phased approach recommends immediate action. The discovery and inventory phase should occur now, with organizations identifying all quantum-vulnerable cryptography across IT and operational technology systems, creating cryptographic bills of materials, and classifying data by sensitivity and longevity. Data requiring protection beyond 5-10 years should be prioritized, with assessment of which information remains sensitive in 2035. High-priority systems include VPN tunnels, database backups, long-term log storage, software distribution systems, and core system communications.
Planning and implementation
The planning phase involves developing quantum-readiness roadmaps with established project management teams, vendor engagement to verify PQC roadmaps and timelines, and procurement policy updates to require PQC support in new contracts. Implementation should begin with hybrid approaches combining classical and post-quantum algorithms to provide both backwards compatibility and quantum resistance. Testing thoroughly in lab environments before production rollout, monitoring performance impacts, and building crypto-agility—flexible architecture enabling algorithm swapping—ensures organizations can respond rapidly to emerging threats or standard evolution.
Defense-in-depth strategies
Organizations must also recognize that post-quantum cryptography is necessary but not sufficient. Defense-in-depth strategies combining PQC with multi-factor authentication, hardware security modules, regular key rotation, zero trust architecture, network segmentation, data minimization, strong access controls, endpoint detection and response, and continuous monitoring provide comprehensive protection. The HNDL threat means that data encrypted today using quantum-vulnerable algorithms is already compromised if adversaries are collecting it—retroactive protection is impossible, making immediate transition to PQC for sensitive data non-negotiable.
15. Bottom line: The window to act is closing rapidly
The convergence of quantum computing progress, finalized post-quantum cryptography standards, and clear government mandates creates a decisive moment for VPN providers and all organizations relying on cryptographic protection. Early adopters including Mullvad, ExpressVPN, and NordVPN have demonstrated that post-quantum VPN protection is technically feasible with minimal performance impact—the barriers are organizational rather than technical. Providers that have implemented PQC report connection overhead of one to three seconds with no throughput degradation, acceptable for virtually all use cases.
The threat landscape leaves no room for complacency
The threat landscape leaves no room for complacency. Nation-state adversaries are actively harvesting encrypted traffic with the explicit intention of decrypting it once quantum computers become available. Intelligence agencies unanimously warn that the harvest is happening now, even as decryption capability may lie 5-15 years ahead. For data with long confidentiality requirements—healthcare records, intellectual property, government communications, financial information—the mathematics are unforgiving: encryption must be quantum-safe today to protect against decryption in 2035.
What VPN users should demand
VPN users should demand transparency from providers regarding post-quantum implementation status and timelines. Providers that have deployed PQC should be recognized and rewarded through user choices, while those remaining silent or issuing vague statements without concrete timelines should face scrutiny. The technical standards are published, the implementation patterns are proven, and the government mandates are clear—there are no remaining excuses for inaction.
Enterprise and government imperatives
For enterprises, government agencies, and critical infrastructure operators, the imperative is even clearer. Federal systems must achieve quantum resistance by 2035, with CNSA 2.0 requiring NSS compliance beginning January 1, 2027 for new systems. European Union Member States should begin transitions by the end of 2026 with critical infrastructure protected by 2030. These aren't aspirational targets but compliance requirements with potential legal and regulatory consequences for failure.
The outcome remains within our control
The quantum clock is ticking, but the outcome remains within our control. The cryptographic community has delivered the necessary tools. Government agencies have established the mandates and timelines. Early adopters have proven the technical feasibility. What remains is execution—organizations must begin migration immediately, prioritize based on data sensitivity and longevity, engage vendors aggressively, and build crypto-agile architectures that can adapt as standards evolve. The adversaries are patient, but we cannot afford to be. The data being encrypted today is the data they will decrypt tomorrow—unless we act now.
