In August 2024, the US National Institute of Standards and Technology published three finalized post-quantum cryptographic standards. This was the culmination of an eight-year standardization process that began when NIST put out a call for quantum-resistant algorithms in 2016. The publication was quiet, technical, and genuinely important. It is the clearest signal yet that the cryptographic infrastructure underpinning the modern internet will need to change.
The question for anyone running a VPN, using encrypted email, or relying on TLS for anything sensitive is: how long do I have, and what do I do with that time?
Why quantum computers threaten current encryption
The security of RSA, the dominant public-key cryptosystem since the 1970s, rests on a mathematical problem: factoring the product of two large prime numbers is computationally infeasible with classical computers at sufficient key sizes. An RSA-2048 key, the current minimum recommendation, would require roughly 300 trillion years to break with a conventional computer using the best known algorithms.
In 1994, mathematician Peter Shor published an algorithm that can factor large integers exponentially faster than any classical algorithm, provided it runs on a sufficiently powerful quantum computer. The same algorithm can solve the discrete logarithm problem that underpins elliptic curve cryptography, which is what modern VPNs and TLS primarily use. A quantum computer running Shor's algorithm would break both RSA-2048 and elliptic curve cryptography.
The relevant question is not whether quantum computers exist (they do) but whether they exist at a scale sufficient to run Shor's algorithm against RSA-2048. Estimates vary, but breaking RSA-2048 would require on the order of 4 million error-corrected logical qubits. IBM's most advanced systems have over 1,000 physical qubits, but these are noisy, error-prone qubits, not error-corrected logical qubits, and with current techniques the ratio of physical to logical qubits required for error correction is roughly 1,000:1. Experts place the arrival of a cryptographically relevant quantum computer (CRQC) at 10 to 20 years out, with meaningful uncertainty in both directions.
The harvest now, decrypt later problem
The timeline uncertainty creates an immediate problem. State-level adversaries with long time horizons (the NSA, GCHQ, FSB, MSS) are presumed to be collecting encrypted internet traffic now, with the intention of decrypting it later once quantum computing capability arrives. This is called the "harvest now, decrypt later" strategy.
This matters for data with long confidentiality requirements: medical records, state secrets, intellectual property with multi-decade relevance, long-term financial contracts. If any of that data is transmitted over current TLS connections today, it may be decryptable in 15 years. For most web traffic this does not matter; for some data, it matters enormously.
What NIST standardized
The three algorithms NIST published in August 2024 represent different functions. ML-KEM (based on CRYSTALS-Kyber) is a key encapsulation mechanism, the replacement for the RSA and ECDH key exchange that establishes a shared secret at the start of a TLS session. ML-DSA (based on CRYSTALS-Dilithium) is a digital signature algorithm. SLH-DSA (based on SPHINCS+) is an alternative signature algorithm with different security assumptions.
These algorithms are based on mathematical problems believed to be resistant to both classical and quantum attacks. The primary one is the hardness of lattice problems, specifically the learning with errors (LWE) problem. No efficient quantum algorithm is known for these problems.
A fourth algorithm, FALCON (now standardized as FN-DSA), was also published. NIST is continuing to evaluate additional candidates for diversity, given that cryptographic history suggests not putting all of civilization's data security on a single mathematical assumption.
What VPN providers are actually doing
Signal added post-quantum key establishment to its protocol in September 2023, using CRYSTALS-Kyber in a hybrid construction combined with the existing X25519 elliptic curve key exchange. The hybrid approach means both algorithms must be broken simultaneously to compromise the session, providing a safe migration path where the new quantum-resistant algorithm adds security without sacrificing the proven classical algorithm.
ProtonVPN announced post-quantum support in 2024, also using a hybrid approach with Kyber. Mullvad VPN has been experimenting with post-quantum WireGuard and published technical documentation of their testing.
WireGuard itself, as of mid-2026, does not include native post-quantum key establishment in its specification. The protocol is designed for simplicity and is deliberately conservative about adding complexity. Third-party wrappers and modified implementations exist, but they are not the standard distribution.
Cloudflare has been running post-quantum key agreement in TLS on its infrastructure since 2022, using the X25519Kyber768 hybrid in its own test deployments. Chrome added experimental support for the same hybrid in 2023.
OpenSSH and the practical migration
OpenSSH 9.0, released in April 2022, switched the default key exchange algorithm to sntrup761 combined with X25519, a hybrid construction that adds quantum resistance to SSH connections without breaking compatibility with older clients. This was a significant deployment: essentially every Linux server using OpenSSH for remote access got a meaningful step toward post-quantum security as part of a routine package update.
TLS 1.3, which is the current standard for web traffic, does not yet support post-quantum key exchange in the base specification, but the IETF is actively standardizing hybrid key exchange for TLS, and major implementations are adding support through extensions.
What you should actually do today
For most organizations and individuals, the immediate action is awareness rather than urgent migration. Classical cryptography is not broken today, and the infrastructure to replace it at scale does not yet fully exist.
Action is warranted now in a narrower set of cases: if you handle data with 15-plus year confidentiality requirements and that data traverses public networks, you should be investigating post-quantum TLS configurations and network encryption options. Government and defense organizations in most major countries are operating under formal mandates for PQC migration timelines.
For choosing a VPN specifically, the presence of post-quantum support is a positive signal about the provider's technical competence and forward thinking, but it should not override more immediate considerations: a verified no-logs policy, a published independent audit, and a business model that does not depend on monetizing your data.
Frequently asked questions
Is my current VPN vulnerable to quantum attacks?
Not today. The quantum computers that could attack current encryption do not exist yet. Your current VPN is secure against all known attacks. The concern is about long-term confidentiality of data that is intercepted and stored now.
What is a hybrid post-quantum approach?
Using a classical algorithm (X25519) combined with a quantum-resistant algorithm (Kyber) simultaneously. A session key is derived from both. An attacker must break both algorithms to compromise the session. This is the recommended migration path because it adds quantum resistance without removing classical security.
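The hybrid construction described for Signal above and in this answer, as an added example that is not code from any provider named on this page: X25519 plus ML-KEM-768 from Go's standard library (crypto/ecdh and crypto/mlkem, Go 1.24 or later), with the session key derived from both shared secrets so that recovering either one alone is useless. The KDF label, the transcript layout and the in-process client/server split are my own choices, not any protocol's.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)
func must[T any](v T, err error) T { // keeps the handshake readable; real code returns the error
	if err != nil {
		panic(err)
	}
	return v
}
// DeriveSessionKey mixes the X25519 and ML-KEM secrets with HMAC-SHA256 extract-then-expand
// (a minimal HKDF), salted with the transcript. Recovering only one input (e.g. the X25519
// secret via Shor's algorithm) does not let an attacker compute the output.
func DeriveSessionKey(ecdhSecret, kemSecret, transcript []byte) []byte {
	extract := hmac.New(sha256.New, transcript)
	extract.Write(ecdhSecret)
	extract.Write(kemSecret)
	expand := hmac.New(sha256.New, extract.Sum(nil))
	expand.Write([]byte("hybrid x25519+mlkem768 session key\x01")) // label chosen for this example
	return expand.Sum(nil)
}
// HybridExchange runs both sides in-process and returns the key each side derived.
func HybridExchange() (clientKey, serverKey []byte) {
	curve := ecdh.X25519()
	// Client -> Server: ephemeral X25519 public key + ML-KEM-768 encapsulation key.
	cEcdh, cKem := must(curve.GenerateKey(rand.Reader)), must(mlkem.GenerateKey768())
	cEcdhPub, cKemPub := cEcdh.PublicKey().Bytes(), cKem.EncapsulationKey().Bytes()
	// Server: X25519 against the client key, and encapsulate a fresh KEM secret to the client.
	sEcdh := must(curve.GenerateKey(rand.Reader))
	ecdhSecretS := must(sEcdh.ECDH(must(curve.NewPublicKey(cEcdhPub))))
	kemSecretS, kemCt := must(mlkem.NewEncapsulationKey768(cKemPub)).Encapsulate()
	// Server -> Client: its X25519 public key + the ML-KEM ciphertext; both sides hash all four messages.
	sEcdhPub := sEcdh.PublicKey().Bytes()
	transcript := sha256.Sum256(bytes.Join([][]byte{cEcdhPub, cKemPub, sEcdhPub, kemCt}, nil))
	serverKey = DeriveSessionKey(ecdhSecretS, kemSecretS, transcript[:])
	// Client: X25519 against the server key, decapsulate the ciphertext, run the same KDF.
	ecdhSecretC := must(cEcdh.ECDH(must(curve.NewPublicKey(sEcdhPub))))
	kemSecretC := must(cKem.Decapsulate(kemCt))
	clientKey = DeriveSessionKey(ecdhSecretC, kemSecretC, transcript[:])
	return clientKey, serverKey
}
func main() {
	c, s := HybridExchange()
	fmt.Printf("client %x\nserver %x\nmatch=%v\n", c, s, bytes.Equal(c, s))
}
```

Each run uses fresh ephemeral keys on both sides, so the derived 32-byte key changes per handshake while the two sides always agree.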
Does AES need to be replaced for quantum resistance?
AES-256 is believed to retain adequate security against quantum attacks. Grover's algorithm provides a quadratic speedup for brute-force searches, which halves the effective key length, so AES-256 under Grover's algorithm offers roughly the security AES-128 offers against classical attacks, which is still considered secure. The urgency is primarily for asymmetric cryptography (RSA, ECDH), not symmetric ciphers like AES.
When will my browser use post-quantum TLS automatically?
Chrome and Firefox are already deploying X25519Kyber768 for some TLS connections in experimental configurations. Broad deployment depends on server-side adoption, which will accelerate as NIST standards are integrated into major TLS libraries (OpenSSL, BoringSSL, NSS).
