One of the leading VPN providers, Mullvad, now offers post-quantum protection across all its applications: Linux, Windows, macOS, Android, and, finally, its iPhone VPN apps. The Swedish provider is one of the very few in the market to have already implemented a mix of quantum-safe and traditional encryption – kicking off its post-quantum strategy back in 2017 on Linux.
Quantum computers are improving every day, and we may only be a few years away from them breaking traditional RSA encryption altogether. While the wider industry is catching up, the transition to post-quantum VPNs is crucial to secure your privacy.
How Mullvad's post-quantum encryption works
Mullvad's solution works over the WireGuard protocol, drawing on two quantum-resistant algorithms: Classic McEliece and Kyber. The National Institute of Standards and Technology (NIST) has just officially included the latter, now renamed ML-KEM, in its first set of quantum-safe encryption standards.
As the provider explains in its blog post: "A WireGuard tunnel is established and is used to share a secret in such a way that a quantum computer can’t figure out the secret even if it had access to the network traffic."
Quantum-Resistant Tunnels Now Available on iOS! https://t.co/arWEsu0n3n (August 30, 2024)
Post-quantum encryption doesn't come as default just yet, meaning you have to actively enable it to benefit from PQ encryption.
To activate the added protection, you need to head to your app's Settings, click on VPN settings, and toggle on the button next to Quantum-resistant tunnel. Once the connection is established, you should see a "QUANTUM SECURE CONNECTION" status in green text on the main view of the app.
"If it turns out to work as well as we hope it will, we will enable this by default on all platforms in the future," added Mullvad.
Why do we need post-quantum VPNs?
A virtual private network (VPN) is a security tool that protects your internet connections to ensure third parties cannot access your data in transit. To do so, VPNs use encryption to scramble the data into an unreadable form that can be decoded only with the assigned encryption key.
Today's VPN protocols often leverage RSA-based key exchanges to ensure only you and your receiver can encrypt and decrypt the information. Yet, this way of protecting people's online activities is set to become obsolete with the advent of quantum computers.
This is because quantum computers are expected to process computations that today's computers can't handle, within minutes. In the future, attackers could use these machines to crack into today's encryption algorithms and compromise people's data.
As Mullvad explains: "Although strong enough quantum computers have yet to be demonstrated, having post-quantum secure tunnels today protects against attackers that record encrypted traffic with the hope of decrypting it with a future quantum computer."
In fact, cybercriminals, state hackers, and others are already conducting what are called "store now, decrypt later" (SNDL) attacks. Put simply, they collect vast amounts of encrypted data from the internet so they can crack it in the future when quantum computing is finally up to the task.
As mentioned, Mullvad was among the first in the industry to think about future threats and begin its PQ transition - way before NIST selected the algorithms that would later get standardized. In 2022, the team switched to one of the finalists (Classic McEliece), while continuing to follow the ongoing work at NIST.
"As Kyber (one of the standards) now has been updated (ML-KEM) we are planning to migrate to this in the near future," Jan Jonsson, CEO at Mullvad, told me.
Which VPNs are already quantum-resistant?
While the majority of VPN providers are still figuring out how to correctly implement quantum-resistant algorithms within their products, there are a few services alongside Mullvad that already offer such protection.
- Windscribe is another early adopter of quantum-resistant encryption. The company's aim is not just to meet PQ encryption standards, but rather to surpass them to keep offering its users the best protection against future threats. The team is now in the process of boosting their KEM (Key Encapsulation Mechanism) in TLS and OpenVPN protocols.
- ExpressVPN added quantum-safe encryption based on the Kyber algorithm to its WireGuard-inspired protocol Lightway in October last year. Back in 2020, the in-house built VPN protocol was designed precisely to make the PQ transition easier. "Other VPN protocols would need extensive changes to support post-quantum," Pete Membrey, Chief Engineering Officer at ExpressVPN, told me at that time.
- PureVPN partnered with quantum computing company Quantinuum in 2022 to introduce a quantum-resistant feature on its OpenVPN protocol. At the time of writing, you can benefit from this extra protection only when connected to six server locations (US, UK, Australia, Germany, Canada, and the Netherlands).
A new era for VPN security
As mentioned earlier, NIST officially released the first three quantum-resistant encryption standards on August 13, 2024, after over a decade of testing more than 80 algorithms. This move is set to shape the future of cryptography, opening up a new era for VPN security.
These standardized algorithms come, in fact, with instructions on how to implement them and their intended uses. All this is crucial to support VPN providers in their PQ transition, de facto raising the bar for VPN security standards.
"The strength of a standard lies in the fact that it is open and gets audited and reviewed in a way that makes it secure," Jonsson told me. "This increases trust and usage, which means the world can tackle the risks posed by quantum computers in a better way."
NIST now calls on all developers to start the post-quantum transition as the "full integration will take time."