1. What's actually new since our last update
When we last wrote about post-quantum cryptography, the headline was a promise. NIST was about to publish the first finished standards, and the long-feared "quantum apocalypse" would finally have an answer. That promise has been kept. The standards exist. The largest companies on the internet have already switched billions of connections over to them.
So why does the threat still feel unresolved?
Because the post-quantum story in 2026 is no longer about the cryptography. The algorithms are done, and by every public measure they are holding up. What remains unfinished is everything around them: a migration that has to touch essentially every encrypted system ever built, a hardware timeline nobody can pin down, and a form of data theft that is happening today because the threat is not yet here.
The ground has moved in concrete, verifiable ways:
- The standards graduated from draft to law of the land. NIST finalised its first three post-quantum standards in August 2024, and they are now the reference everyone builds against. (NIST, 2024)
- A fifth algorithm was picked. In March 2025 NIST selected HQC as a backup key-encapsulation mechanism, built on different mathematics from the primary choice. It is insurance against the primary one being broken. (NIST, 2025)
- Deployment crossed a symbolic line. By late 2025, more than half of human web traffic to Cloudflare was protected by post-quantum key exchange. (Cloudflare, 2025) This stopped being a lab demo and became the default plumbing of the web.
- Encrypted messaging went quantum-safe by default. Apple's iMessage and Signal both shipped post-quantum key establishment to hundreds of millions of users. (Apple Security Research, 2024) (Signal, 2023)
- The VPN industry split into movers and waiters. Several major providers now offer post-quantum key exchange. Others, including some of the most respected names in privacy, are taking their time. We name names below, with sources.
- The hardware kept improving, and the goalposts kept their distance. Real milestones in quantum error correction arrived through 2025 and into 2026. None broke any encryption, and expert estimates of when one might still span more than a decade.
This is our 2026 refresh. We separate, as carefully as we can, three things that get blurred together in most coverage: what is proven, what is projected, and what is hype. We will end where it matters for our readers, with what a "post-quantum VPN" actually protects, what it does not, and what is worth doing about any of it.
2. The threat that's already here: harvest now, decrypt later
This is the part that is not speculative. It is also the single most important idea in the whole subject, and the one most often lost beneath the science-fiction framing.
You do not need a working quantum computer to be harmed by one. You only need an adversary who believes a working quantum computer is coming, and who is willing to wait.
This is "harvest now, decrypt later" (HNDL), sometimes called store-now-decrypt-later. An adversary intercepts your encrypted traffic today, when it is unbreakable, and files it away. The encryption protecting it (overwhelmingly RSA and elliptic-curve cryptography for the key exchange) is secure against every classical computer in existence. But it was never designed to resist a sufficiently large quantum computer running Shor's algorithm, which collapses exactly the mathematical problems that RSA and ECC rest on: integer factorisation and discrete logarithms. So the patient adversary's bet is simple. Capture the ciphertext now, decrypt it whenever the hardware arrives. (Wikipedia, 2024)
What makes this matter in 2026 rather than some hazy future is the shelf life of secrets. Ask the one question that counts: how long does this data need to stay confidential? Health records, legal and financial files, source journalism, dissident communications, state secrets, the architecture of your own private life. Much of it carries a confidentiality requirement measured in decades, not months. If your data must stay secret for ten or fifteen years, and a quantum computer capable of breaking today's key exchange plausibly arrives inside that window, then for that data the threat is effectively here now. The clock started the moment the traffic was captured.
This is not a fringe reading. The strategy is treated as active and consequential by the bodies whose job is to worry about it: the US NSA, CISA and NIST, the UK's National Cyber Security Centre, the EU's ENISA, Australia's ACSC. A note of proportion on the more breathless claims, though. There is no public, verifiable accounting of how much traffic is being hoarded, or by whom, and anyone quoting a precise figure is guessing. What is well-founded is the logic. Harvesting encrypted data you cannot yet read is cheap and quiet, and if you expect the decryption capability to arrive, entirely rational. The defensive response is the reason the rest of this article exists. Change the key exchange now, so that what is harvested today is still useless after Q-Day.
3. The standards are done — the migration isn't
Here is the settled part of the story.
In August 2024, after an eight-year open competition, NIST published its first three finished post-quantum standards. (NIST, 2024) They are worth knowing by name, because you will increasingly see them in your software's release notes:
- FIPS 203 — ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism), derived from the algorithm formerly known as CRYSTALS-Kyber. This is the workhorse. It protects key exchange, the act of two parties agreeing on a shared secret over a public network. For VPNs and for HNDL, this is the one that matters most.
- FIPS 204 — ML-DSA (Module-Lattice-Based Digital Signature Algorithm), formerly CRYSTALS-Dilithium. The primary standard for digital signatures, the electronic equivalent of a tamper-evident seal that proves who sent something.
- FIPS 205 — SLH-DSA (Stateless Hash-Based Digital Signature Algorithm), formerly SPHINCS+. A second, slower signature scheme whose security rests only on the properties of hash functions. It is a deliberately conservative backup that does not share the lattice mathematics of the other two.
Two more pieces are in motion. NIST has indicated a fourth signature standard, FN-DSA (based on Falcon), is to be published as FIPS 206. And in March 2025 NIST selected HQC, built on error-correcting codes rather than lattices, as a backup key-encapsulation mechanism to stand alongside ML-KEM, with a draft standard expected in 2026 and finalisation projected for around 2027. (NIST, 2025) The point is diversification. If a future cryptanalytic breakthrough undermines lattice-based schemes, the world is not left with a single point of failure.
That is the proven part. Now the unfinished part, which is most of the work.
A cryptographic standard is a recipe, not a meal. Having ML-KEM written down does nothing until it is built into TLS libraries, operating systems, browsers, VPN clients, hardware security modules, payment terminals, embedded devices, and the long tail of bespoke systems that quietly run the world. Many will never be updated. Some, nobody still fully understands. This is the largest cryptographic transition ever attempted, and it is why the migration will run for years after the algorithms themselves stopped being the hard part.
Governments have at least set the timetable. NIST's transition roadmap, published in late 2024 as the initial public draft of NIST IR 8547 and still in draft as of mid-2026 (so treat the exact dates as the current proposal rather than settled fact), sketches the direction of travel clearly. The quantum-vulnerable workhorses (RSA, ECDH, ECDSA, finite-field Diffie-Hellman) would be deprecated around 2030 and disallowed in 2035 within US federal standards. (NIST, 2024) In parallel, the NSA's CNSA 2.0 suite sets staggered deadlines for national-security systems, with software and firmware signing moving first and a requirement that new acquisitions support the suite from 1 January 2027. Networking equipment such as VPNs and routers is expected to support and prefer the new algorithms by 2026 under that schedule. (NSA, 2025)
Read those dates as what they are. Not a prediction that a quantum computer arrives in 2030, but a deadline chosen to finish the migration comfortably before any plausible threat, and to shrink the HNDL window. The whole point of moving by 2030 is so that traffic captured in, say, 2027 is already protected by the time anyone could decrypt it.
4. How close is Q-Day, really?
Now the part where honesty matters most, because it is where the hype lives.
"Q-Day" is shorthand for the day a cryptographically relevant quantum computer (CRQC), one large and reliable enough to break RSA-2048 or equivalent ECC, first exists. The temptation in this genre is to pick the scariest credible number and lead with it. We are not going to do that. The honest answer is a range with real disagreement inside it, and the disagreement is itself the most useful thing to understand.
First, what is genuinely true about the hardware. The last eighteen months produced milestones that deserve respect rather than dismissal. Google's Willow chip, unveiled in December 2024 with 105 superconducting qubits, demonstrated below-threshold error correction: the long-theorised property in which adding more physical qubits makes the logical qubit more accurate rather than less. (Google, 2024) That is a real inflection point, the difference between error correction that helps and error correction that drowns. Through 2025 and into 2026, Google, IBM and others pushed further into real-time error correction and larger processors, and IBM has laid out a public roadmap toward a fault-tolerant machine: Starling, targeted for around 2029 and designed for roughly 200 logical qubits. (IBM, 2025)
Now the reality check the headlines tend to skip. Breaking RSA-2048 with Shor's algorithm is estimated to need on the order of thousands of stable, error-corrected logical qubits, sustained through enormous numbers of operations. Today's machines are measured in the low hundreds of physical qubits, and the logical error rates, even after the recent gains, remain orders of magnitude away from what a long computation needs. Willow was a milestone in quality. It factored nothing of consequence and made no dent in any deployed cipher. The gap between below-threshold error correction on a hundred qubits and thousands of logical qubits running Shor's for hours is not a rounding error. It is the whole problem, and it is made of hard, unsolved engineering.
So when will the gap close? Here the experts genuinely diverge, and we will give you the spread rather than a single figure:
- A more aggressive camp argues a breakthrough in error correction or architecture could compress the timeline, putting a CRQC within reach around 2030, and some institutional risk assessments place better-than-even odds on one existing by 2035.
- A more conservative camp points to the unforgiving scaling requirements and expects the mid-2030s to the 2040s, with serious voices holding that fault-tolerant machines at the necessary scale may be further still.
The forecasts disagree for structural reasons, not careless ones. Quantum progress depends on engineering leaps that are inherently hard to schedule. One unexpected advance could pull the date forward by years. One stubborn physical barrier could push it back by a decade. Anyone offering you a confident single year, in either direction, is selling certainty the field does not possess.
For a defender, the practical takeaway does not depend on resolving that argument, which is the reassuring part. You do not need to know the date. You need two things to be true at once: that the threat is plausible within your data's confidentiality lifetime, and that a fix already exists and is deployable today. Both are true, and that is enough to act on without panicking about the calendar.
5. What this means for VPNs — and what it doesn't
Now to the part our readers actually came for. A VPN's core job is to wrap your traffic in an encrypted tunnel between your device and the VPN server. That tunnel is established through a key exchange, and the classical key exchange (typically based on elliptic-curve Diffie-Hellman) is exactly the link a future quantum computer would target.
So a "post-quantum VPN" means something quite specific, and it is worth being precise because the marketing rarely is. It means the VPN performs its key exchange using a post-quantum key-encapsulation mechanism, or more commonly a hybrid classical-plus-post-quantum one: in practice ML-KEM, usually combined with a classical algorithm such as X25519. The hybrid design is deliberate. An attacker would have to break both the classical and the post-quantum component to recover the shared secret, so you lose nothing if either turns out to have a flaw. This is the same belt-and-braces approach Cloudflare, Google, Apple and Signal adopted, and it is now the mainstream way to do it.
Here is the important bit, the one that ties straight back to harvest-now-decrypt-later. Post-quantum key exchange protects today's traffic against future decryption. If your tunnel's shared secret is negotiated with ML-KEM today, an adversary who harvests that encrypted session and stores it cannot retroactively unlock it once a quantum computer arrives, because the key agreement never depended on the maths the quantum computer breaks. For a VPN user, that is the entire prize. Forward-looking insurance against the patient harvester.
And here is what a post-quantum VPN does not do, because overselling it would be exactly the kind of hype this site exists to puncture:
- It does not make you anonymous, and it does not change a provider's logging. Post-quantum cryptography is about the strength of the encryption, not about who can see your activity at the endpoints. A no-logs policy, an honest jurisdiction, and independent audits matter as much as they did before. Arguably more, since metadata is not protected by any of this.
- It does not protect data after the tunnel ends. The VPN secures the hop between you and its server. What happens at the website, app or server beyond is governed by that system's cryptography, which is why the wider migration matters more than any single product.
- It is not, today, an emergency. Nobody is decrypting your VPN session this year. The value is precisely and only against the long game. Anyone implying your current traffic is being cracked now is misrepresenting the threat.
- The bulk symmetric encryption was already in reasonable shape. The data inside the tunnel is typically protected with AES-256, against which the best-known quantum attack (Grover's algorithm) offers only a modest, manageable speed-up, not the wholesale break Shor's poses to the key exchange. The key exchange is the exposed joint, which is why it is the focus.
One technical wrinkle explains why so many providers built their support the way they did. WireGuard, the most popular modern VPN protocol, was not designed with post-quantum key exchange in mind. Its handshake uses the Noise framework, which has no native post-quantum mode, and assumes each handshake message fits in a single unfragmented packet, a constraint the comparatively large post-quantum ciphertexts struggle to honour. The widely used workaround is to run a post-quantum key agreement on top of WireGuard and feed the resulting secret into WireGuard's pre-shared-key slot. That is precisely how several providers deliver "quantum-resistant tunnels" today. It is a sound approach. It is just worth knowing that "post-quantum WireGuard" is usually this layered arrangement rather than a rewrite of the protocol.
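The two mechanisms described above, the hybrid X25519-plus-ML-KEM key agreement and the trick of feeding its output into WireGuard's pre-shared-key slot, fit in one short program. What follows is an added illustration, not code from WireGuard or from any provider named on this page. It uses Go's standard library (crypto/mlkem, crypto/ecdh and crypto/hkdf, present since Go 1.24). The message layout (Offer, Response), the label string and the combiner are assumptions of this example, not a standardised wire format; real products define their own.

```go
package main

import (
	"crypto/ecdh"
	"crypto/hkdf"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
)

// hybridLabel domain-separates the derived key. It is an assumption of this
// example, not a WireGuard or IETF constant.
const hybridLabel = "example-hybrid-x25519-mlkem768-psk"

// Offer is the initiator's first message: one classical and one post-quantum
// public key. Both are ephemeral, generated fresh per handshake.
type Offer struct {
	X25519Pub []byte
	MLKEMPub  []byte
}

// Response is the responder's reply: its own X25519 public key plus the
// ML-KEM ciphertext encapsulated to the initiator's ML-KEM key.
type Response struct {
	X25519Pub []byte
	MLKEMCt   []byte
}

// Initiator keeps the private halves until the Response arrives.
type Initiator struct {
	x25519 *ecdh.PrivateKey
	mlkem  *mlkem.DecapsulationKey768
}

// NewInitiator generates the ephemeral key pairs and the Offer to send.
func NewInitiator() (*Initiator, Offer, error) {
	xk, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, Offer{}, err
	}
	dk, err := mlkem.GenerateKey768()
	if err != nil {
		return nil, Offer{}, err
	}
	offer := Offer{X25519Pub: xk.PublicKey().Bytes(), MLKEMPub: dk.EncapsulationKey().Bytes()}
	return &Initiator{x25519: xk, mlkem: dk}, offer, nil
}

// Respond runs the responder side: one X25519 exchange, one ML-KEM
// encapsulation, and the hybrid combiner over both results.
func Respond(offer Offer) (Response, []byte, error) {
	peerX, err := ecdh.X25519().NewPublicKey(offer.X25519Pub)
	if err != nil {
		return Response{}, nil, err
	}
	xk, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return Response{}, nil, err
	}
	ssClassical, err := xk.ECDH(peerX)
	if err != nil {
		return Response{}, nil, err
	}
	ek, err := mlkem.NewEncapsulationKey768(offer.MLKEMPub)
	if err != nil {
		return Response{}, nil, err
	}
	ssPQ, ct := ek.Encapsulate()
	resp := Response{X25519Pub: xk.PublicKey().Bytes(), MLKEMCt: ct}
	psk, err := combine(ssClassical, ssPQ, offer, resp)
	return resp, psk, err
}

// Finish runs the initiator side once the Response arrives. A tampered
// ciphertext does not error: ML-KEM implicitly rejects it by yielding an
// unrelated secret, so the two sides simply fail to agree.
func (i *Initiator) Finish(offer Offer, resp Response) ([]byte, error) {
	peerX, err := ecdh.X25519().NewPublicKey(resp.X25519Pub)
	if err != nil {
		return nil, err
	}
	ssClassical, err := i.x25519.ECDH(peerX)
	if err != nil {
		return nil, err
	}
	ssPQ, err := i.mlkem.Decapsulate(resp.MLKEMCt)
	if err != nil {
		return nil, err
	}
	return combine(ssClassical, ssPQ, offer, resp)
}

// combine is the hybrid combiner: HKDF-SHA256 over the concatenation of both
// shared secrets, bound to the whole transcript. Recovering the output
// requires both secrets, so breaking X25519 alone (Shor) is not enough.
func combine(ssClassical, ssPQ []byte, offer Offer, resp Response) ([]byte, error) {
	ikm := append(append([]byte{}, ssClassical...), ssPQ...)
	transcript := append(append(append(append([]byte{}, offer.X25519Pub...),
		offer.MLKEMPub...), resp.X25519Pub...), resp.MLKEMCt...)
	// 32 bytes is exactly the size of WireGuard's pre-shared key.
	return hkdf.Key(sha256.New, ikm, []byte(hybridLabel), string(transcript), 32)
}

// WireGuardPSK renders the key as WireGuard's configuration expects a
// PresharedKey: 32 bytes, base64-encoded.
func WireGuardPSK(key []byte) string {
	return base64.StdEncoding.EncodeToString(key)
}

// RunHandshake performs a complete exchange and reports whether both sides
// derived the same tunnel PSK.
func RunHandshake() (bool, error) {
	ini, offer, err := NewInitiator()
	if err != nil {
		return false, err
	}
	resp, pskResponder, err := Respond(offer)
	if err != nil {
		return false, err
	}
	pskInitiator, err := ini.Finish(offer, resp)
	if err != nil {
		return false, err
	}
	return subtle.ConstantTimeCompare(pskInitiator, pskResponder) == 1, nil
}

func main() {
	ini, offer, _ := NewInitiator()
	resp, psk, _ := Respond(offer)
	ini.Finish(offer, resp)
	fmt.Printf("offer: %d-byte X25519 key + %d-byte ML-KEM key; response carries a %d-byte ciphertext\n",
		len(offer.X25519Pub), len(offer.MLKEMPub), len(resp.MLKEMCt))
	fmt.Println("PresharedKey =", WireGuardPSK(psk))
}
```

The sizes the program prints are the reason the layering exists: the ML-KEM-768 public key (1184 bytes) and ciphertext (1088 bytes) are each larger than the whole of a classical WireGuard handshake message, so they travel in this separate exchange and only the 32-byte result touches WireGuard, via the same `PresharedKey` field any peer configuration already has. Because the PSK is mixed into WireGuard's own Noise handshake, the tunnel's traffic keys depend on the ML-KEM secret even though the protocol itself was never changed.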
6. Provider scorecard: who has shipped post-quantum key exchange
This is a moving target, and providers update frequently, so treat the table as a mid-2026 snapshot and always check the provider's own current documentation before relying on it. Every entry below is sourced to the provider or its primary reporting, and described in the provider's own terms.
| Provider / protocol | Post-quantum key exchange? | What, specifically | Notes |
|---|---|---|---|
| Mullvad (WireGuard) | Yes — default on desktop | Quantum-resistant tunnels using ML-KEM (and Classic McEliece), via WireGuard's pre-shared-key mechanism | Available across Windows, macOS, Linux, Android, iOS; made the default on desktop in early 2025 (Mullvad, 2025) |
| ExpressVPN (Lightway) | Yes — by default | Lightway integrates ML-KEM at NIST Security Level 5 for both TCP and UDP; migrated from the OQS implementation to wolfSSL | Announced Jan 2025; built on its earlier 2023 Kyber work (ExpressVPN, 2025) |
| NordVPN (NordLynx) | Yes — across all apps | Post-quantum encryption built into NordLynx (its WireGuard-based protocol), enabled via a toggle | Rolled out from Linux in 2024 to all major platforms by mid-2025 (Nord Security, 2025) |
| Proton VPN (WireGuard) | Not yet — groundwork in progress | New client-side WireGuard codebase explicitly built to "lay the groundwork for post-quantum encryption"; in beta on Android and Windows | Proton states it will not set a firm date, prioritising a flawless implementation; see the Proton note below |
| WireGuard (protocol itself) | No native support | PQ added by layering on top and using the pre-shared-key slot | Design constraints (Noise framework, single-packet handshake) explain the workaround (WireGuard, 2024) |
A few honest caveats about the table. "Yes" means the provider offers post-quantum key exchange, not that it is necessarily on by default on every platform, nor that it has been independently audited end-to-end. Defaults and platform coverage vary, and we would always rather you verified the specific app you run. We have described mechanisms (ML-KEM via pre-shared key, Lightway at Level 5, and so on) rather than waving the phrase "quantum-proof" around, because no honest engineer would use that word. Hybrid post-quantum key exchange is a strong, standards-based hedge, not a guarantee against every future development.
A necessary, disclosed note on Proton, because it is one we partner with, and because precision here is exactly the kind of thing our readers hold us to. As of mid-2026, the post-quantum protections Proton has shipped to users are in Proton Mail, not Proton VPN. In May 2026 Proton rolled out post-quantum encryption for email to all plans, including free, implementing ML-KEM, ML-DSA and SLH-DSA in combination with elliptic-curve cryptography via OpenPGP, and contributing the work toward cross-provider standardisation. (Proton, 2026) Proton VPN, by its own published roadmap (April 2026), is building a new WireGuard codebase that "lay[s] the groundwork for post-quantum encryption" but has not yet shipped it, and the company has said openly that it would rather get the implementation right than win a race. (Proton VPN, 2026) We think that candour is to its credit. But candour cuts both ways, so we will not let the headline "Proton is post-quantum" stand unqualified when the VPN, specifically, is not there yet. Proton VPN scores well in our evidence matrix — 4.39/5, behind NordVPN and Mullvad — on the strength of Swiss jurisdiction, independent audits and a genuine no-logs record, and that score is built from graded evidence on logging, jurisdiction and audits, not from where it happens to sit on the post-quantum timeline today. Our rankings are formula-driven and never moved by commission. The workings are public on our Methodology page.
The broader, neutral point: if post-quantum key exchange is a hard requirement for you today, providers such as Mullvad, ExpressVPN and NordVPN already offer it. If your priority is an audited no-logs record in a strong jurisdiction, the calculus is different and post-quantum support is one factor among several. Both are legitimate ways to choose. Neither is hype if you understand what you are buying.
7. What to actually do now
No alarmism, no shopping list you do not need. Five proportionate steps.
- Match your action to your data's shelf life. This is the whole game. If nothing you transmit needs to stay secret for a decade, post-quantum readiness is a sensible nice-to-have and no more. If you handle anything with a long confidentiality horizon (legal, medical, financial, journalistic, activist), then harvest-now-decrypt-later is your actual threat model, and post-quantum key exchange today is the rational hedge. Decide which describes you before you change anything.
- Turn on post-quantum protections you already have. If your VPN, messenger or browser offers post-quantum or "quantum-resistant" key exchange, enable it. It is close to free, and for the long-lived-secret case it is the single most effective thing you can do. Several major VPNs ship it now, and modern browsers negotiate it automatically with sites that support it.
- Don't drop your existing criteria for a buzzword. Post-quantum support is one line in the ledger. An independently audited no-logs policy, a sensible jurisdiction, and a clean track record still matter at least as much, because none of them are replaced by better encryption. A "post-quantum VPN" that logs you has solved the wrong problem.
- Treat "quantum-proof" as a red flag, not a feature. The honest term is hybrid post-quantum key exchange, a strong, standards-based hedge. Any provider promising to make you immune to quantum computing is overselling, and overselling is the tell. Reward the providers who describe their mechanism plainly.
- Watch the migration, not the doomsday clock. The meaningful 2026–2030 story is not a single dramatic Q-Day. It is the unglamorous, verifiable progress of the world swapping out RSA and ECC before any threat materialises. The deadlines in NIST IR 8547 and CNSA 2.0 are the schedule to follow. If your providers and the services you depend on are migrating on roughly that timeline, the system is working as designed.
The synthesis, stripped of both panic and complacency: the cryptography problem is solved, the deployment problem is being solved in public, and the hardware that would make any of it urgent does not yet exist and may not for years. The one time-sensitive idea is harvest-now-decrypt-later, and it has a clean answer you can switch on today. That is a rare thing in security, a future threat with a present-tense fix. Use it where it counts, ignore the countdown clocks, and get on with your life.
We earn commission on some links. Rankings are formula-driven from graded evidence and are never influenced by commission. See our Methodology and Disclosure pages.
8. References
- [1] Apple Security Research (2024) 'iMessage with PQ3', Apple Security Research. Available at: https://security.apple.com/blog/imessage-pq3/ (Accessed: 13 June 2026).
- [2] Cloudflare (2025) 'State of the post-quantum Internet in 2025 and 2025 Radar Year in Review', Cloudflare Blog. Available at: https://blog.cloudflare.com/pq-2025/ (Accessed: 13 June 2026).
- [3] ExpressVPN (2025) 'Lightway upgrade: Integrating ML-KEM for post-quantum security', ExpressVPN Blog. Available at: https://www.expressvpn.com/blog/ml-kem-lightway-upgrade/ (Accessed: 13 June 2026).
- [4] Google (2024) 'Meet Willow, our state-of-the-art quantum chip', Google Blog. Available at: https://blog.google/technology/research/google-willow-quantum-chip/ (Accessed: 13 June 2026).
- [5] IBM (2025) 'IBM's path to fault-tolerant quantum computing', IBM Quantum Computing Blog. Available at: https://www.ibm.com/quantum/blog/large-scale-ftqc (Accessed: 14 June 2026).
- [6] Mullvad (2025) 'Quantum-resistant tunnels are now the default on desktop', Mullvad Blog. Available at: https://mullvad.net/en/blog/quantum-resistant-tunnels-are-now-the-default-on-desktop (Accessed: 13 June 2026).
- [7] NIST (2024) 'NIST Releases First 3 Finalized Post-Quantum Encryption Standards (FIPS 203/204/205)', NIST News and Events. Available at: https://www.nist.gov/news-events/news/2024/08/nist-releases-first-3-finalized-post-quantum-encryption-standards (Accessed: 13 June 2026).
- [8] NIST (2025) 'Post-Quantum Cryptography Project Hub', NIST Computer Security Resource Center. Available at: https://csrc.nist.gov/projects/post-quantum-cryptography (Accessed: 13 June 2026).
- [9] NIST (2025) 'NIST Selects HQC as Fifth Post-Quantum Algorithm', NIST Computer Security Resource Center. Available at: https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization (Accessed: 13 June 2026).
- [10] NIST (2024) 'NIST IR 8547 (Initial Public Draft) — Transition to Post-Quantum Cryptography Standards', NIST Computer Security Resource Center. Available at: https://csrc.nist.gov/pubs/ir/8547/ipd (Accessed: 13 June 2026).
- [11] Nord Security (2025) 'NordVPN launches post-quantum encryption across all its applications', Nord Security Press. Available at: https://nordsecurity.com/press-area/nordvpn-launches-post-quantum-encryption-across-all-its-applications (Accessed: 13 June 2026).
- [12] NSA (2025) 'Commercial National Security Algorithm Suite 2.0 (CNSA 2.0)', NSA / CISA. Available at: https://media.defense.gov/2025/May/30/2003728741/-1/-1/0/CSA_CNSA_2.0_ALGORITHMS.PDF (Accessed: 13 June 2026).
- [13] Proton (2026) 'Proton Mail introduces post-quantum encryption', Proton Blog. Available at: https://proton.me/blog/introducing-post-quantum-encryption (Accessed: 13 June 2026).
- [14] Proton VPN (2026) '2026 spring and summer roadmap', Proton VPN Blog. Available at: https://protonvpn.com/blog/2026-spring-summer-roadmap (Accessed: 13 June 2026).
- [15] Signal (2023) 'Quantum Resistance and the Signal Protocol (PQXDH)', Signal Blog. Available at: https://signal.org/blog/pqxdh/ (Accessed: 13 June 2026).
- [16] Wikipedia (2024) 'Harvest now, decrypt later', Wikipedia. Available at: https://en.wikipedia.org/wiki/Harvest_now,_decrypt_later (Accessed: 13 June 2026).
- [17] WireGuard (2024) 'Known Limitations — no native post-quantum support; pre-shared-key workaround', WireGuard.com. Available at: https://www.wireguard.com/known-limitations/ (Accessed: 13 June 2026).
