On August 13, the National Institute of Standards and Technology (NIST) made history by officially releasing the first three quantum-resistant encryption standards set to shape the future of cryptography. NIST tested more than 80 algorithms over the last decade to get here and now calls on all developers to start the post-quantum transition.
The implementation of quantum computing may still be a ways off, but the "full integration will take time," according to the organization. It's just a matter of time before current encryption methods become obsolete – potentially broken by the ability of these machines to process computations that today's computers can't handle, within minutes.
Among the best VPN providers, only a handful of services have already implemented quantum-safe encryption. NIST's work is set to be crucial for reversing this trend, officially raising the bar for VPN security standards. I spoke to all the top providers to understand what's next for our security.
A blueprint for VPNs
"VPNs rely heavily on cryptographic protocols for securing communication, so the industry must now prepare to adopt these new standards to ensure long-term security against future quantum computer threats," Marijus Briedis, CTO at NordVPN, told me.
A VPN, short for virtual private network, is a security software indeed designed to encrypt internet connections. Encryption refers to the process of scrambling the data into an unreadable form to prevent third parties from accessing the data in transit.
Today's VPN protocols often leverage RSA-based key exchanges to so only you and whoever you're sending stuff to can actually see what's going on. Because of the way quantum computers work, this is no longer safe for the future.
Cybercriminals, state hackers, and more are all conducting what's called "store now, decrypt later (SNDL) attacks" – scooping up all your encrypted data so they can crack it in the future when quantum computing is finally up to the task.
This is where NIST's quantum-safe standards come in.
As Subbu Sthanu, Chief Commercial Officer at IPVanish, put it, this set of standardized algorithms "serves as a blueprint" for VPN developers to strengthen their software security against future tech threats. This is because, alongside the three quantum-resistant algorithms, NIST also offers instructions on implementing them and their intended uses.
"They're a crucial resource for us," Tom Cohar, Head of Infrastructure at Hide.me told me. "Just by following these standards, we can support post-quantum cryptography, maintain compatibility and interoperability, meet regulatory requirements, and ultimately protect our users' data against future cryptographic threats."
Quantum computers could imperil the security of confidential electronic information, such as emails. To counter this threat, NIST has finalized its set of three encryption algorithms designed to withstand a future quantum computer’s cyberattacks: https://t.co/WYNO9j7Owz pic.twitter.com/o8TjLzv43pAugust 13, 2024
The winning standards are based on three key algorithms designed for specific tasks. ML-KEM (formerly known as CRYSTALS-Kyber algorithm) is the primary standard for cryptographic key exchanges – protecting the exchange of information across a public network like in the case of VPNs. ML-DSA (using the CRYSTALS-Dilithium algorithm) and SLH-DSA (based on the Sphincs+ algorithm) are designed to protect digital signatures used for identity authentication online.
If you want a simple explanation of how quantum computing breaks encryption, and how these new standards fight back, check out this amazing explainer from Veritasium:
Most VPN providers eagerly welcome the final decision as it corroborates the work their developers have been doing behind the scenes.
For example, Bart Butler, CTO at Proton VPN, told me the team has already been using the draft NIST algorithms before getting standardized on their research stage. The recent announcement then "increases our confidence in them," he added.
The same goes for Surfshark which already picked the Kyber key encapsulation mechanism for its post-quantum encryption design. "Its standardization reassures us that we're on the right path," Karolis Kačiulis, Leading System Engineer at Surfshark, told me.
NIST finalized standards have been a long time coming, in fact. Experts first selected some of these algorithms back in 2022 – releasing draft specifications for each of them at the time. The organization is now set to release a fourth algorithm standard (FALCON) later this year.
For Yegor Sak, one of the founders and CEO at Windscribe – one of the very few providers that already supports quantum-safe encryption – the recent announcement is rather an evolution than a revolution.
He said: "While it’s significant that these standards are now set in stone, it doesn’t represent a groundbreaking shift for the industry– especially for those who have been keeping up with post-quantum cryptography developments. For VPN providers, it’s a reminder to stay on top of these changes, but it’s not the game-changer that some might make it out to be."
For ExpressVPN, which launched post-quantum protection last October, this moment "isn’t just a validation of Kyber but also our proactive approach to security" Pete Membrey, Chief Engineering Officer at ExpressVPN, wrote in a blog post.
Swedish-based provider Mullvad sees standardization as a way to increase trust and usage across the industry. The firm was one of the first to introduce experimental post-quantum encryption back in 2017. Yet, "The strength of a standard lies in the fact that it is open and gets audited and reviewed in a way that makes it secure," Jan Jonsson, CEO at Mullvad, told me.
Technical challenges
We may now have standardized post-quantum encryption standards and implementation processes, however, the work is anything but done.
The truth is that the transition to a quantum-safe VPN product is filled with technical challenges that developers need to overcome. Below are the main issues providers have to deal with:
- Risk of security flaws: according to Surfhsark, the biggest challenge lies in implementing the NIST standards correctly within your own VPN environment. "Ensuring that there are no security flaws or vulnerabilities during this process is crucial," Kačiulis told me.
- Lack of VPN protocol integration: another obstacle to overcome is that current VPN protocols - which are responsible for defining the encryption method - don't support post-quantum algorithms. Commenting on this point, Cohar from Hide.me said: "It will take time for the entire ecosystem to adopt these new standards."
- Inconsistent browser support: besides finding a way to integrate post-quantum protections within the VPN infrastructure, these also need to work within the whole online environment where they operate. PrivadoVPN notes that web browser support for post-quantum encryption is still rather spotty at this time. "Cloudflare recently shared that just over 16% of traffic was PQ encrypted," the provider told me.
- Matching security and performance: perhaps the biggest elephant in the room, which worries most of the providers I've spoken to, is ensuring that PQ algorithms are performant enough for real-world deployment. As Briedis from NordVPN explained, they require much larger key sizes and signatures that could negatively impact VPN speed. Sthanu from IPVanish believes extensive testing will be the key to finding the right balance.
As always, the cat-and-mouse game of cybersecurity trundles onward.
A hybrid approach
Once developers manage to address all the technical challenges and finally implement the quantum-safe algorithms, it will be time to review their effectiveness. Remember, full integration will take time.
As Butler from Proton VPN explains, new cryptography is always inherently risky. This is simply because it lacks the amount of public analysis and scrutiny that current methods have undergone. "That’s why we will be using a hybrid approach – meaning our users will be safe from attacks from classical computers, as well as quantum computers," he added.
This dual-layered defense means that quantum-resistant algorithms will be implemented alongside classic encryption methods so that, even if the PQ protections end up being compromised, users' data won't get compromised.
That's exactly the approach the likes of ExpressVPN and other quantum-safe providers have already employed – and it's likely to become the golden standard for all to follow during the PQ transition. Outside the VPN world, encrypted email Tuta (formerly known as Tutanota) and Signal used the same approach when they added quantum-resistant protections.
Today we are proud to announce the launch of the world's first #postquantum secure email platform! 🥳🎉With TutaCrypt your data is safe against quantum computer attacks at rest & in transit. ⚛️ 🔒Learn more about this quantum leap in #security here: https://t.co/Nq7ePZ2ctb pic.twitter.com/XeycBQpBYnMarch 11, 2024
Which VPNs are already post-quantum resistant?
While most VPN providers are currently in the first stage of the PQ transition - aka, figuring out how to correctly implement quantum-resistant algorithms within their product - some services already offer such protection.
As we mentioned earlier, Mullvad was the first to embrace post-quantum cryptography way before NIST selected the algorithms that would later get standardized. In 2022, they switched to one of the finalists (Classic McEliece), while continuing to follow the ongoing work at NIST. Today, the provider integrates the strengths of both Kyber and Classic McEliece into its WireGuard protocol.
"As Kyber (one of the standards) now has been updated (ML-KEM) we are planning to migrate to this in the near future," Jonsson told me, adding that the team will keep following the ongoing standardization and might add support for other algorithms in the future.
Windsdcribe is another early adopter of quantum-resistant encryption. While it's not yet in full support of the specific algorithms selected by NIST, the team is actively working toward integrating these into their offerings. "Our aim is to not just meet but exceed these standards, ensuring our users are protected against future threats," said Sak.
In 2022, PureVPN partnered with quantum computing company Quantinuum to introduce a quantum-resistant feature on its OpenVPN protocol. A year later, ExpressVPN entered the PQ game adding the Kyber algorithms to its open-source Lightway protocol.
How quickly will other VPNs get quantum-secure?
It was difficult to get a sense of when other top VPN providers will officially get their post-quantum protections up and running.
Among all the companies I spoke with, NordVPN was the only one that gave me a precise deadline for public implementation. The team plans to roll out the first PQ iteration for its WireGuard-based NordLynx protocol on its Linux app by the end of September and, from there, evaluate performance levels.
"Based on these insights, we aim to extend PQC support to our other applications in 2025 Q1 [the end of March] at the latest," Briedis told me.
PrivadoVPN said its engineering team is busy testing the addition of a pre-shared key to their Wireguard implementation, as well as an enhanced KEM (Key Encapsulation Mechanism) for TLS and OpenVPN protocols.
"We have not announced our plans to make quantum-resistant VPN service available but expect to do so soon," said the provider.
A few services, including Proton VPN, Surfshark, and Hide.me, stressed the importance of getting the implementation right without flaws instead of winning the race over competitors. This is why they cannot set a firm deadline at the time of writing.
"It’s a marathon, not a sprint," Butler at Proton VPN told me. "We already have a head start, and we are working alongside the community to develop and review implementations of the NIST standards."
On top of this, Private Internet Access (PIA) confirmed that integrating hybrid quantum-resilient cryptography methods is on the company's roadmap. "Standardization is hugely useful to guide our approach," said John Mair, Principal Software Engineer at PIA.
We might not know exactly when, but that's certain. Quantum-resistant encryption is set to dominate the VPN and cryptography landscape in the years to come, becoming very much what AES encryption is today.
As Kačiulis from Surfhsark put it: "Providers that fail to embrace these new standards risk being left behind."