Post-quantum cryptography (PQC) is a new family of encryption algorithms designed to remain secure even when powerful quantum computers eventually exist. Today's encryption protects most of the internet, but it's based on math problems that a sufficiently advanced quantum computer could one day solve. The threat that matters today is called "harvest now, decrypt later" — adversaries capturing encrypted traffic right now to decrypt years from now. In response, the U.S. National Institute of Standards and Technology finalized three post-quantum standards in 2024, and companies like Apple, Signal, Google, Cloudflare, and Mullvad have already deployed PQC in production. StandVPN is built PQC-ready on every connection, including the lifetime free plan.
- Why this matters now
- A simple analogy — the padlock
- What post-quantum cryptography actually is
- "Harvest now, decrypt later"
- When quantum computers might arrive
- The new NIST standards
- The four math families of PQC
- Hybrid mode — belt and suspenders
- Who has already deployed PQC
- What PQC means for a VPN specifically
- Government and standards bodies
- Five myths about post-quantum cryptography
- How to evaluate a PQC-ready VPN
- How StandVPN handles PQC
- Frequently asked questions
If you've come across the phrase "post-quantum cryptography" in a news article, a software update note, or a VPN comparison and wondered what exactly it means and whether it matters to you — this is the guide for you. Written in plain English, with real examples, by people who care about getting it right.
We won't pretend this is a topic with no nuance. It isn't. But the central ideas are accessible to anyone, and understanding them will change how you think about the encryption that runs almost every interaction you have online.
Why this matters now (not in ten years)
Here is a fact that surprises most people the first time they hear it: almost all sensitive traffic on the internet today is protected by a small number of public-key algorithms whose designs date from the 1970s and 1980s. Diffie-Hellman (1976). RSA (1977). The elliptic-curve variants proposed in the mid-1980s. They have been adjusted, hardened, and re-implemented many times, but the underlying mathematics is from another era of computing.
Those algorithms have aged remarkably well. For half a century, they have resisted every serious attack that classical computers have thrown at them. The encryption that protects your bank login, your medical records, your encrypted messages, and your VPN tunnel rests on a small set of math problems that classical computers simply cannot solve in any reasonable amount of time.
The thing that changes the picture is quantum computing. A quantum computer is not just a faster classical computer; it is a fundamentally different kind of machine that can solve certain problems exponentially faster than any classical computer ever could. And as it turns out, several of those problems are exactly the ones that today's most common encryption algorithms rely on for their security.
That is why this matters now. The encryption that protects the internet was designed without quantum computers in mind. Replacing it is a generational engineering project, and it is well underway.
A simple analogy — the padlock
Forget the math for a moment. Imagine you are sending a small box across a long, unsafe journey. Anyone on the route can pick the box up, but they cannot open it without the key.
Today's internet uses a kind of digital padlock that requires solving a hard puzzle to open without the key. The puzzle is so hard that, with the best classical computers humanity has ever built, breaking the padlock would take longer than the age of the universe. So your box arrives safely.
A quantum computer is a new kind of puzzle-solver that, in theory, could open this particular padlock in hours instead of trillions of years. Quantum computers powerful enough to actually do this don't exist yet — but researchers are building them.
Post-quantum cryptography is a new family of padlocks, designed to resist this new kind of puzzle-solver. The puzzles are based on different math — math that researchers believe both classical and quantum computers will still find very hard to solve.
That is the whole story, in one paragraph. The rest is detail.
What post-quantum cryptography actually is
Two terms get confused in casual reading. Let's keep them straight.
- Quantum cryptography uses the physics of quantum mechanics to send keys in a way that physically cannot be intercepted without detection. It requires specialized hardware. It is not what we're discussing here.
- Post-quantum cryptography is software. It runs on ordinary computers — phones, laptops, routers, servers. It uses new math instead of new physics. This is the practical, near-term answer to the quantum threat.
Post-quantum cryptography is, in other words, the kind of fix the internet can actually deploy at scale. No new hardware, no specialized equipment, just different math shipped as a software update.
"Harvest now, decrypt later" — the threat that matters today
The most common misunderstanding about post-quantum cryptography is the idea that it only matters once quantum computers exist. That is wrong, and the reason is a deceptively simple pattern called "harvest now, decrypt later", abbreviated HNDL and also known as "store now, decrypt later".
Here is the pattern in one sentence: capture the encrypted data today, store it, decrypt it when quantum computers are ready, even if that's ten or fifteen years from now.
This isn't a theoretical concern. The U.S. government, the European Union, and major intelligence services in friendly and unfriendly nations alike are widely understood to be doing exactly this — vacuuming up encrypted traffic for archival. The Federal Reserve has published research on HNDL risk. The U.S. National Security Agency has explicitly warned about it. Major cybersecurity vendors treat it as a routine part of their threat modeling.
The data that matters most under this threat model isn't the trivial stuff. It's anything that will still be sensitive in ten or twenty years: medical records, financial histories, government cables, journalist-source communications, business strategy, intellectual property, personal photos and messages, identity documents. The encrypted version sits in some archive somewhere right now. The decrypted version will eventually be readable.
This is why the rollout of post-quantum cryptography is happening today, ahead of the threat. The encryption you use this year is protecting traffic against attackers who will have quantum computers years from now. The earlier the upgrade, the less of your traffic sits in someone's archive waiting for a machine that can open it.
When quantum computers might actually arrive
Let's be honest about the timeline, because exaggerating it serves nobody.
Quantum computers exist today, in real labs, doing real work. IBM has built quantum processors with more than a thousand physical qubits. Companies including Google, IonQ, Quantinuum, and Atom Computing all run real machines. They are remarkable engineering achievements.
They are also, as of today, nowhere close to breaking RSA-2048 or the elliptic-curve cryptography that protects most of the internet. The reason is error correction. Quantum bits are extremely fragile, and one logical qubit, the kind you can actually do cryptographic work with, requires hundreds or thousands of physical qubits. Breaking RSA-2048 is estimated to need a few thousand error-corrected logical qubits running for hours to days, which translates to somewhere between roughly one million and twenty million physical qubits depending on the assumptions. Today's largest machines have a few thousand physical qubits and no full-scale error correction.
Mainstream expert estimates for when a cryptographically relevant quantum computer (CRQC) will exist:
- Optimistic forecasts: early 2030s
- Mainstream forecasts: 2035-2045
- Pessimistic forecasts: later than 2050, or maybe never at scale
Reasonable people disagree about the exact year. But almost everyone in the field agrees on two things: it will eventually happen, and the upgrade to post-quantum cryptography needs to happen well before it does, because rolling out new cryptography across the entire internet takes years.
The new NIST standards — the 2024 milestone
If post-quantum cryptography has felt fuzzy until now — a vague future thing — the reason it suddenly became concrete in 2024 is the finalization of formal standards. Standards are how the internet moves as a whole, not in pieces.
The body that did the work is the U.S. National Institute of Standards and Technology (NIST), which has been selecting the cryptography the U.S. government uses since the 1970s, when its predecessor ran the public solicitation that produced DES. AES, the symmetric cipher that protects most of the data on the internet today, came out of a NIST competition that ran from 1997 to 2000. SHA-2 was published by NIST (it was designed by the NSA); SHA-3 came out of another NIST competition. NIST's PQC standardization process opened its call for submissions in December 2016 and ran for close to eight years.
In August 2024, NIST finalized three post-quantum standards:
- FIPS 203 — ML-KEM (Module-Lattice-based Key-Encapsulation Mechanism, formerly known as Kyber). This is the most important one for everyday traffic. It replaces the part of a secure connection that exchanges a shared secret key.
- FIPS 204 — ML-DSA (Module-Lattice-based Digital Signature Algorithm, formerly Dilithium). This is for digital signatures — proving who signed something, like a software update or a TLS certificate.
- FIPS 205 — SLH-DSA (Stateless Hash-based Digital Signature Algorithm, formerly SPHINCS+). Another signature scheme, based on different math, kept as a backup in case lattice-based approaches turn out to have weaknesses.
A fourth algorithm, FN-DSA (formerly Falcon), is being standardized as FIPS 206 and is expected to be finalized soon. In March 2025 NIST also selected HQC, a code-based algorithm, at the end of its fourth round to serve as a backup key-encapsulation mechanism alongside ML-KEM; its own standard is still being drafted.
What you should remember: the standards exist, the competition has finished, the math has been vetted by years of public cryptanalysis, and major implementations are now rolling out.
The four math families of post-quantum cryptography
The candidates in the NIST competition came mainly from four broad mathematical families (a fifth, isogeny-based cryptography, fell out of the running when its candidate SIKE was broken by a classical attack in 2022). You don't need to know the math, but knowing the names lets you read tech-news articles without feeling lost.
| Family | Based on | NIST-standardized examples |
|---|---|---|
| Lattice-based | Hard problems on geometric lattices in many dimensions | ML-KEM, ML-DSA, FN-DSA (draft) |
| Hash-based | The security of cryptographic hash functions (very well understood) | SLH-DSA |
| Code-based | Error-correcting codes; also the basis of Classic McEliece (which Mullvad uses) | HQC (selected 2025, standard pending) |
| Multivariate | Systems of multivariate polynomial equations | None (the finalist Rainbow was broken in 2022) |
Lattice-based schemes have emerged as the practical default — they're fast, the keys aren't huge, and decades of mathematical study back them. Hash-based schemes are slower with larger signatures, but they are based on the most well-understood mathematical primitive in cryptography, so they're kept as conservative backups.
Hybrid mode — the belt-and-suspenders approach
One of the smartest moves the industry made early in the post-quantum rollout was the decision to use hybrid modes: combine a well-tested classical algorithm with a new post-quantum algorithm in the same handshake. The connection stays secure as long as either one remains unbroken.
The logic is simple. Post-quantum algorithms are new, and new algorithms occasionally turn out to have flaws that aren't visible until years of public scrutiny. We don't want to bet the entire internet on math that hasn't yet had decades of attempts to break it. So during the transition years — roughly 2023 through the early 2030s — most deployments combine the old and the new.
You'll see hybrids written like X25519MLKEM768 (a classical X25519 key exchange combined with post-quantum ML-KEM-768); before the standard was final the same idea shipped under the draft name X25519Kyber768. Google Chrome negotiates this hybrid in TLS by default, Cloudflare's edge supports it, and Signal's PQXDH does the same conceptual thing for messaging by combining X25519 with Kyber-1024. Mullvad's quantum-resistant WireGuard tunnels run a post-quantum exchange (Classic McEliece and Kyber) inside the tunnel and feed the result into WireGuard's pre-shared-key slot, so both the classical handshake and the post-quantum secret would have to fall before the tunnel does.
The cost of hybrids is small: a few extra kilobytes of data on the initial handshake and a few extra milliseconds of computation. The benefit is large: belt-and-suspenders protection during a period when nobody wants to commit fully to either side alone.
Who has already deployed post-quantum cryptography
This isn't theoretical. Here is what has actually shipped, in production, to billions of users:
- Apple: the PQ3 protocol in iMessage, announced February 2024 and shipped with iOS 17.4.
- Signal: the PQXDH handshake, since September 2023.
- Google: Chrome enabled a hybrid X25519 + Kyber key exchange by default in 2024 and later moved to the standardized X25519MLKEM768.
- Cloudflare: hybrid post-quantum TLS across its edge since 2022.
- Mullvad: quantum-resistant WireGuard tunnels, on by default on desktop since 2023.
If you've been wondering "is this real yet?" — the answer is unambiguously yes. The internet's encryption layer has begun the largest single upgrade since SSL/TLS itself.
What post-quantum cryptography means for a VPN specifically
Here is where post-quantum cryptography intersects directly with VPN choice.
A VPN's whole purpose is to encrypt your network traffic — to put it inside a tunnel that no one along the route between you and the VPN server can read. That tunnel is built on the same family of cryptographic algorithms that protects everything else on the internet. If the algorithms are vulnerable to quantum attack, the tunnel is too. If they're future-proofed against quantum attack, the tunnel is too.
Specifically, a modern VPN tunnel uses cryptography in two places:
- The initial handshake, when your device and the VPN server agree on a shared secret. This is the part most exposed to "harvest now, decrypt later": the public values exchanged in the handshake are all an attacker needs to record today, and a future quantum computer running Shor's algorithm on those values recovers the shared secret, and with it every session key derived from it.
- The symmetric encryption for the rest of the session. Most VPNs use AES-256 or ChaCha20 for this, both of which are much more resistant to quantum attack than public-key algorithms. Symmetric encryption needs roughly double the key length to maintain security against quantum attack — AES-256 is already strong enough.
The handshake is the thing that needs upgrading. Post-quantum-ready VPNs replace or supplement the key exchange in the handshake with a PQC algorithm, while keeping the strong symmetric encryption already in place. One caveat a careful reader should know: the handshake also authenticates the server, and in most deployments that still rests on classical public keys (WireGuard's static Curve25519 keys, or a certificate). That is acceptable for now, because a quantum computer cannot retroactively forge an authentication that already happened, but it will need its own post-quantum upgrade before a cryptographically relevant quantum computer exists. With the key exchange migrated, the confidentiality of the tunnel is what becomes future-ready end-to-end.
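Here is the two-flight exchange described in the hybrid section and in the two bullets above, as an added example in Go that is not StandVPN's code, not WireGuard, and not any shipping VPN protocol. It uses only Go's standard library (crypto/mlkem and crypto/ecdh, so Go 1.24 or newer) and shows the hybrid key exchange with both sides' messages: the client offers an X25519 public key and an ML-KEM-768 encapsulation key, the server answers with its own X25519 key and an ML-KEM ciphertext, and both sides feed the two shared secrets plus the transcript into one HKDF to get the session key, which is what would then drive AES-256-GCM or ChaCha20-Poly1305 unchanged. The message structs, the function names and the HKDF label are assumptions made for illustration; server authentication (static keys or certificates) is deliberately left out, since that is the piece that in real deployments still rests on classical keys.

```go
package main

import (
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
	"slices"
)

// ClientHello: ephemeral X25519 public key (32 bytes) + ML-KEM-768 encapsulation key (1184 bytes).
type ClientHello struct{ X25519Pub, MLKEMPub []byte }

// ServerHello: ephemeral X25519 public key (32 bytes) + ML-KEM-768 ciphertext (1088 bytes).
type ServerHello struct{ X25519Pub, MLKEMCiphertext []byte }

type ClientState struct { // private material the client holds until the reply arrives
	Hello    ClientHello
	ecdhPriv *ecdh.PrivateKey
	kemDecap *mlkem.DecapsulationKey768
}

// deriveSessionKey is the hybrid combiner: HKDF-SHA256 over IKM = ss_classical || ss_pq, salted
// with a hash of the full transcript. Lacking either secret reveals nothing about the output.
func deriveSessionKey(ssClassical, ssPQ []byte, hello ClientHello, reply ServerHello) []byte {
	salt := sha256.Sum256(slices.Concat(hello.X25519Pub, hello.MLKEMPub, reply.X25519Pub, reply.MLKEMCiphertext))
	extract := hmac.New(sha256.New, salt[:]) // HKDF-Extract
	extract.Write(ssClassical)
	extract.Write(ssPQ)
	expand := hmac.New(sha256.New, extract.Sum(nil)) // HKDF-Expand, first 32-byte block
	expand.Write([]byte("hybrid-vpn-example session key v1")) // label invented for this example
	expand.Write([]byte{1})
	return expand.Sum(nil)
}

// ClientStart generates fresh ephemeral keys and the client's first flight.
func ClientStart() (*ClientState, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	dk, err := mlkem.GenerateKey768()
	if err != nil {
		return nil, err
	}
	hello := ClientHello{priv.PublicKey().Bytes(), dk.EncapsulationKey().Bytes()}
	return &ClientState{hello, priv, dk}, nil
}

// ServerRespond derives the session key from the hello and builds the reply. The server
// needs no ML-KEM key pair of its own; it only encapsulates to the client's key.
func ServerRespond(hello ClientHello) ([]byte, ServerHello, error) {
	clientPub, err := ecdh.X25519().NewPublicKey(hello.X25519Pub)
	if err != nil {
		return nil, ServerHello{}, err
	}
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, ServerHello{}, err
	}
	ssClassical, err := priv.ECDH(clientPub)
	if err != nil {
		return nil, ServerHello{}, err
	}
	ek, err := mlkem.NewEncapsulationKey768(hello.MLKEMPub)
	if err != nil {
		return nil, ServerHello{}, err
	}
	ssPQ, ct := ek.Encapsulate()
	reply := ServerHello{priv.PublicKey().Bytes(), ct}
	return deriveSessionKey(ssClassical, ssPQ, hello, reply), reply, nil
}

// ClientFinish consumes the reply and derives the same key on the client's side.
func ClientFinish(st *ClientState, reply ServerHello) ([]byte, error) {
	serverPub, err := ecdh.X25519().NewPublicKey(reply.X25519Pub)
	if err != nil {
		return nil, err
	}
	ssClassical, err := st.ecdhPriv.ECDH(serverPub)
	if err != nil {
		return nil, err
	}
	ssPQ, err := st.kemDecap.Decapsulate(reply.MLKEMCiphertext) // wrong size errors; corrupted input yields an unrelated key
	if err != nil {
		return nil, err
	}
	return deriveSessionKey(ssClassical, ssPQ, st.Hello, reply), nil
}

// RunHandshake plays both sides over an in-memory wire and returns each side's key.
func RunHandshake() (clientKey, serverKey []byte, err error) {
	st, err := ClientStart()
	if err != nil {
		return nil, nil, err
	}
	serverKey, reply, err := ServerRespond(st.Hello)
	if err == nil {
		clientKey, err = ClientFinish(st, reply)
	}
	return clientKey, serverKey, err
}
```

The ML-KEM encapsulation key and ciphertext together add about 2.3 KB to the handshake, which is the "few extra kilobytes" the hybrid section quotes. Note the asymmetry: only the client generates an ML-KEM key pair, the server merely encapsulates, so the per-connection cost on a busy VPN server is modest. The transcript hash in the salt means that if anyone alters either flight in transit, the two sides derive different keys and the tunnel simply fails to come up.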
Government, standards bodies, and the regulatory picture
If you only ever read VPN marketing material, you might be forgiven for thinking post-quantum cryptography is a small-tech-company concern. It is not. Government bodies have been driving this transition aggressively for years.
- The White House issued National Security Memorandum 10 (May 2022), directing all federal agencies to begin migrating to PQC.
- The NSA published its Commercial National Security Algorithm Suite 2.0 in September 2022, requiring PQC adoption for national-security systems with a target completion date of 2033.
- NIST ran the multi-year PQC standardization competition and finalized the first standards in August 2024.
- The European Telecommunications Standards Institute (ETSI) has worked on PQC standards in parallel with NIST since 2014.
- The Internet Engineering Task Force (IETF) has been incorporating PQC into TLS, SSH, and other protocol standards.
This level of coordinated public-sector activity is what drives industry adoption. When the U.S. government tells contractors they have until 2033 to migrate, the migration happens — and it happens early, because nobody wants to be the last vendor without PQC support.
Five myths about post-quantum cryptography
Myth 1: "Quantum computers don't exist yet, so PQC is premature."
This misses the harvest-now-decrypt-later threat. Adversaries don't need quantum computers today — they only need patience. Storing encrypted data is cheap; future decryption is the bet. The earlier we upgrade, the more past traffic stays safe.
Myth 2: "Post-quantum encryption is much slower than regular encryption."
This was somewhat true for early experimental schemes. With the NIST-standardized algorithms, the performance cost is small — a few extra kilobytes on a handshake and a few milliseconds of computation. For VPNs, browsers, and messaging apps, it's imperceptible in everyday use.
Myth 3: "If quantum computers can break encryption, they can break everything."
Not really. Quantum computers are particularly effective against certain kinds of math problems (factoring, discrete logarithms). They have a smaller speedup against many other kinds of problems — including the ones that PQC algorithms rely on. PQC works because we deliberately chose math problems where quantum computers don't have a dramatic advantage.
Myth 4: "Symmetric encryption like AES needs to be replaced too."
AES is not broken by quantum attacks in the same way public-key encryption is. The relevant quantum algorithm (Grover's algorithm) provides a modest speedup: on paper it halves the effective key length in bits, so AES-128 drops to roughly 64-bit security and AES-256 to 128-bit, and in practice the cost of running Grover's search is far higher than that simple count suggests. AES-256 is already strong enough that the post-quantum equivalent is, again, AES-256. The handshake is what needs upgrading, not the bulk encryption.
Myth 5: "PQC means switching to quantum hardware."
It does not. Post-quantum cryptography runs on ordinary computers. Your phone can do it. Your laptop can do it. A VPN server can do it. No new hardware is required — it's a pure software upgrade.
How to evaluate a PQC-ready VPN
Not every "post-quantum" claim is the same. Here's what actually matters when evaluating one.
The PQC-ready VPN checklist
- Explicit description of the post-quantum capability on the company's website or technical documentation — not just a vague mention. You should be able to find the algorithm names.
- Hybrid mode combining a classical and post-quantum algorithm — not a pure post-quantum-only mode (which is more aggressive than the industry consensus recommends today).
- Available on every connection by default, ideally without the user needing to flip any toggle. If PQC is buried in an advanced settings menu, most users won't ever benefit.
- No additional charge for PQC. Privacy upgrades should not be paywalled.
- Continued availability of standard features — kill switch, DNS leak protection, IPv6 handling — while PQC is enabled.
- An ongoing commitment to the standards. As NIST finalizes additional algorithms in coming years, the VPN's PQC mode should evolve to incorporate them.
If a VPN claims post-quantum support but the details are missing, vague, or paywalled, treat the claim with friendly skepticism.
How StandVPN handles post-quantum cryptography
We built StandVPN to answer one question: what should a modern, privacy-first VPN do automatically in 2026? When it comes to post-quantum cryptography, the answer is straightforward.
- Post-quantum cryptography is built in from day one, available on every connection. Not a roadmap item. Not a paid add-on. Not a setting buried three screens deep.
- Hybrid mode by default, combining the well-tested classical handshake with a post-quantum algorithm so your traffic stays protected as long as either one is unbroken.
- Available on the lifetime free plan. Privacy upgrades that matter aren't paywalled. Free users get the same future-readiness as paid users.
- An always-on kill switch that cannot be disabled. Privacy isn't a setting you should be able to accidentally turn off.
- DNS handled inside the encrypted tunnel by default — see our DNS leak guide for what that means.
- Ongoing commitment to the standards. As NIST finalizes additional PQC algorithms in coming years, StandVPN's mode will continue to evolve.
You can try the free plan right now — no email, no card, no upsell. The post-quantum protection is on from your first connection.
Frequently asked questions
What is post-quantum cryptography in simple terms?
Post-quantum cryptography (PQC) is a new family of encryption algorithms designed to remain secure even against future quantum computers. Today's most common encryption relies on math problems that classical computers can't solve quickly, but that a sufficiently powerful quantum computer eventually could. PQC algorithms are based on different math problems that researchers believe both classical and quantum computers will still struggle with.
What is "harvest now, decrypt later"?
Harvest now, decrypt later (HNDL) is the practice of capturing encrypted internet traffic today, storing it, and decrypting it years later once quantum computers are powerful enough. The U.S. government and major security companies treat HNDL as a real, ongoing risk. It's the central reason post-quantum cryptography matters now, not in ten years.
Do quantum computers exist that can break encryption today?
Not yet. Today's quantum computers have hundreds to a few thousand physical qubits and no full-scale error correction, while breaking widely used encryption like RSA-2048 would require thousands of error-corrected logical qubits, which means on the order of a million or more physical qubits. Mainstream estimates put the arrival of cryptographically relevant quantum computers somewhere between 2030 and 2045, though the precise date is uncertain.
What are the NIST post-quantum standards?
In August 2024, NIST finalized three post-quantum standards. FIPS 203 (ML-KEM, based on Kyber) is for key establishment. FIPS 204 (ML-DSA, based on Dilithium) and FIPS 205 (SLH-DSA, based on SPHINCS+) are for digital signatures. These standards now define what "post-quantum-ready" means in practice.
Which products already use post-quantum encryption?
Apple iMessage uses PQ3 (announced February 2024, shipped with iOS 17.4). Signal launched PQXDH in September 2023. Google Chrome enabled the X25519Kyber768 hybrid by default in 2024 and moved to the standardized X25519MLKEM768 later that year. Cloudflare has supported hybrid post-quantum TLS on its edge since 2022. Mullvad made post-quantum WireGuard tunnels the default on desktop in 2023.
Does my VPN need post-quantum cryptography?
If your threat model includes a well-resourced adversary who might be capturing your encrypted traffic today, the answer is yes. For most everyday users, post-quantum protection is a sensible long-term hedge rather than an immediate emergency. The good news is that adopting a PQC-ready VPN costs you nothing extra in speed or convenience.
What is a hybrid post-quantum encryption mode?
A hybrid mode combines a traditional encryption algorithm (like X25519) with a post-quantum algorithm (like ML-KEM) in the same handshake. The connection stays secure as long as either one remains unbroken. This belt-and-suspenders approach is what most major deployments use today.
When will quantum computers actually break current encryption?
Mainstream expert estimates range from the early 2030s to the mid-2040s. What is not uncertain is the timeline for migrating to post-quantum cryptography — that work needs to happen years ahead of the threat, which is why standardization happened in 2024 and major rollouts are happening now.
Will post-quantum cryptography slow down my VPN?
Not noticeably. Post-quantum key exchange adds a small amount of data to the initial connection handshake and a few extra milliseconds of computation. For everyday use, the difference is imperceptible. Once the handshake is complete, traffic flows at full VPN speed.
Is StandVPN post-quantum ready?
Yes. StandVPN is built post-quantum-ready from day one, available on every connection — free and paid alike — without any configuration. The same future-readiness is available to lifetime free users at no cost. You can try it without an email or card.