How Quantum Computers Actually Work (Without Making Your Brain Hurt)
I'll be straight with you: quantum computing is one of those topics where bad explainers cause more confusion than understanding. So let's keep this very grounded in what actually matters for privacy.
Regular computers use bits. Each bit is either 0 or 1. Every calculation happens by manipulating these bits in sequences. This is the foundation of everything your laptop, phone, and every server on earth does.
Quantum computers use qubits. A qubit can be 0 or 1 but also, through a property called superposition, it can be both at the same time until it's observed. This sounds like science fiction and honestly kind of is, but it's measurably real. And it means a quantum computer can explore many possible answers to a problem simultaneously rather than checking them one by one.
For certain specific types of mathematical problems, this is an enormous advantage. Not all problems. Not general computation. Quantum computers are not just "faster computers." They're different computers that excel at a narrow category of tasks.
One of the problems they're extremely good at, in theory, is factoring very large numbers. And that matters because factoring large numbers is exactly the hard math problem that most internet encryption relies on.
The Real Threat to Your VPN Encryption
Here's how most VPN encryption works, simplified to the parts that are relevant here.
When you connect to a VPN server, your device and the server need to agree on an encryption key without that key being visible to anyone watching the connection. They do this through a process called a key exchange. The most common methods, including RSA and Elliptic Curve Diffie-Hellman, rely on mathematical operations that are easy to do in one direction and practically impossible to reverse.
Specifically, for RSA: multiplying two huge prime numbers together is easy. Factoring the result back into those two primes is, with classical computers, computationally infeasible for large enough numbers. It would take longer than the age of the universe. Elliptic curve methods rest on a different one-way problem, the discrete logarithm, with the same property. So the key exchange is safe because nobody can crack it in any practical timeframe.
A quantum computer running an algorithm called Shor's algorithm could factor those numbers efficiently. What takes a classical computer millions of years takes a quantum computer with enough stable qubits a matter of hours or days. If that kind of quantum computer existed and had internet access, every RSA and elliptic curve protected connection would be vulnerable.
The good news: that quantum computer doesn't exist yet. Not close to existing. The most powerful quantum computers we have today are noisy, error-prone machines with a few hundred to a few thousand qubits. To crack modern encryption keys, you'd need millions of stable, error-corrected qubits. We're multiple orders of magnitude away from that.
The not-so-good news: we're moving in that direction. And the time to prepare for it is before it arrives, not after.
AES-256, the symmetric encryption standard that protects your actual VPN traffic data after the key exchange, is much more resistant to quantum attacks. Grover's algorithm gives quantum computers an advantage against symmetric encryption, but it only roughly halves the effective key length. AES-256 against a quantum attack is roughly equivalent to AES-128 against a classical one. Still very strong. The vulnerable part is the key exchange, not the data encryption itself.
Harvest Now, Decrypt Later: Why This Matters Right Now
Here's the part that actually makes post-quantum encryption urgent even though the quantum threat is still years away. And it's something most people haven't considered.
Intelligence agencies and other sophisticated adversaries are recording internet traffic today. All of it. Or as much of it as they can reach. This is documented. PRISM, MUSCULAR, upstream collection, submarine cable taps. These programs have been disclosed, reported on, and in some cases confirmed in court. The scale is enormous.
Most of this traffic is encrypted and therefore useless to them right now. But they're storing it anyway. The strategy is called "harvest now, decrypt later." Store the encrypted traffic today, and when quantum computers become powerful enough to crack the key exchange, go back and decrypt everything you've stored.
Think about what that means practically. A conversation you have over a VPN today, encrypted with current methods, might be stored somewhere and decrypted in fifteen years. If what you're protecting only needs to stay private for six months, that's not a concern. If you're protecting something that needs to remain confidential for decades, you have a problem with current encryption right now, even though the quantum computer that will crack it doesn't exist yet.
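To make the "store it now, read it later" point concrete, here is an added toy example (not from any VPN provider's code). It uses textbook RSA with deliberately tiny constructed primes and no padding, and plain trial division stands in for the factoring step that Shor's algorithm would make feasible at real key sizes.

```python
from math import gcd

def make_keypair(p, q, e=65537):
    """Textbook RSA key from two primes (toy sizes, no padding)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi")
    return (n, e), pow(e, -1, phi)          # public key, private exponent

def factor(n):
    """Trial division. Works only because n is tiny; this is the step
    that is infeasible classically for real 2048-bit moduli."""
    if n % 2 == 0:
        return 2, n // 2
    f = 3
    while f * f <= n:
        if n % f == 0:
            return f, n // f
        f += 2
    raise ValueError("n has no non-trivial factor")

def recover_private_exponent(public_key):
    """Everything here is derived from public values once n is factored."""
    n, e = public_key
    p, q = factor(n)
    return pow(e, -1, (p - 1) * (q - 1))

def decrypt_recorded(public_key, recorded_ciphertext):
    """What an observer with stored traffic can do after factoring n."""
    n, _ = public_key
    return pow(recorded_ciphertext, recover_private_exponent(public_key), n)

# Constructed sample values: two small well-known primes and a made-up key.
PUBLIC, PRIVATE_D = make_keypair(104729, 1299709)
SESSION_KEY = 0xC0FFEE
# "Today": the client sends the session key encrypted to the server's
# public key, and a passive observer stores the ciphertext.
RECORDED = pow(SESSION_KEY, PUBLIC[1], PUBLIC[0])

if __name__ == "__main__":
    # "Later": the stored ciphertext opens without the server's cooperation.
    print(hex(decrypt_recorded(PUBLIC, RECORDED)))
```

The observer never needed the private key at recording time, which is why the protection has to be in place before the traffic is sent.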
Governments themselves are taking this seriously enough to act on it now. The US National Security Agency began requiring post-quantum algorithms for classified communications as of 2025. The US National Institute of Standards and Technology finalized its first post-quantum encryption standards in August 2024. When the organizations that both run and protect the most sensitive communications infrastructure on earth are actively switching, that's a signal worth paying attention to.
Who this actually concerns most
If you're using a VPN to watch Netflix from another region, post-quantum encryption is genuinely not your most pressing concern. Your streaming session from three years ago being decrypted by a government quantum computer is not a meaningful threat model.
But if you're a journalist protecting a source, an activist in a country with an aggressive government, a lawyer protecting client communications, a business handling competitive intelligence, a whistleblower, or anyone else whose private communications from today need to remain private indefinitely, harvest now decrypt later is a real threat worth taking seriously.
Most people are somewhere in the middle. You probably don't have state-level adversaries recording all your traffic. But you might, depending on your circumstances. And the point is that current VPN encryption's vulnerability to future quantum attacks is a question worth at least understanding.
What Post-Quantum Encryption Actually Is
Post-quantum cryptography doesn't use quantum mechanics. That's a common misconception. It's classical cryptography, running on classical computers, but using mathematical problems that quantum computers cannot solve efficiently.
The key insight: while Shor's algorithm breaks factoring-based and discrete logarithm-based cryptography, it doesn't break everything. There are other hard mathematical problems that remain hard even for quantum computers. Post-quantum algorithms are built on these.
ML-KEM (CRYSTALS-Kyber)
The primary key encapsulation mechanism standardized by NIST. Based on the hardness of the Learning With Errors problem over module lattices. This is what Mullvad and ProtonVPN are using. The name changed to ML-KEM when it was finalized, but you'll still see Kyber referenced in older documentation.
ML-DSA (CRYSTALS-Dilithium)
Digital signature algorithm, also lattice-based. Used for authentication rather than key exchange. Part of the same NIST post-quantum standards package. Replacing ECDSA in contexts where post-quantum signatures are needed.
SLH-DSA (SPHINCS+)
Hash-based signature scheme. More conservative design than the lattice-based options. Larger signature sizes but relies on hash function security rather than lattice assumptions, which some cryptographers prefer as a belt-and-suspenders approach.
The approach most VPN providers are taking is hybrid: combining traditional elliptic curve key exchange with a post-quantum key encapsulation mechanism. The result is that you're protected by both. If the classical part is somehow broken, the post-quantum part still holds. If the post-quantum algorithm has an undiscovered weakness, the classical part still holds. You need to break both to break the connection. This is sensible engineering.
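One way to see why a hybrid needs both parts broken, as an added sketch rather than Mullvad's or ProtonVPN's actual construction: the two shared secrets are fed together into a key derivation function, here HKDF-SHA256 from RFC 5869. The secrets below are constructed stand-ins for what X25519 and ML-KEM would output, and the function names and the `info` label are assumptions made for the example.

```python
import hashlib
import hmac

def hkdf_sha256(ikm, salt, info, length=32):
    """HKDF (RFC 5869) with SHA-256: extract, then expand."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]),
                         hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def hybrid_session_key(classical_secret, pq_secret, transcript):
    """Derive one session key from both shared secrets.

    Each secret is length-prefixed so the boundary between them is
    unambiguous, and the handshake transcript is bound in via the salt.
    """
    ikm = b"".join(len(s).to_bytes(2, "big") + s
                   for s in (classical_secret, pq_secret))
    salt = hashlib.sha256(transcript).digest()
    return hkdf_sha256(ikm, salt, b"hybrid-kex-example v1")

# Constructed stand-ins: real values would come from an X25519 exchange
# and an ML-KEM encapsulation, not from hashing labels.
ECDH_SECRET = hashlib.sha256(b"constructed X25519 shared secret").digest()
KEM_SECRET = hashlib.sha256(b"constructed ML-KEM shared secret").digest()
TRANSCRIPT = b"constructed handshake messages"

SESSION_KEY = hybrid_session_key(ECDH_SECRET, KEM_SECRET, TRANSCRIPT)

def key_from_partial_break(known_classical=None, known_pq=None):
    """Key an adversary derives when one secret is known and the other
    has to be guessed (modelled here as all zero bytes)."""
    guess = bytes(32)
    return hybrid_session_key(known_classical or guess,
                              known_pq or guess, TRANSCRIPT)

if __name__ == "__main__":
    print(key_from_partial_break(known_classical=ECDH_SECRET) == SESSION_KEY)
    print(key_from_partial_break(known_pq=KEM_SECRET) == SESSION_KEY)
```

Recovering only the elliptic curve secret, or only the KEM secret, leaves the derived key as unpredictable as the secret that is still unknown.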
Which VPNs Are Actually Implementing Post-Quantum Encryption
This is where marketing and reality start to diverge a bit, so I want to be specific about what each provider has actually shipped versus what they've announced versus what they're vaguely gesturing at.
Mullvad VPN
Implemented post-quantum key exchange using Kyber (now ML-KEM) combined with their WireGuard implementation. Available as the "Post-Quantum VPN" feature in their apps. Not just announced. You can turn it on right now.
ProtonVPN
Rolled out post-quantum support using ML-KEM combined with Curve25519. Available in their apps across platforms. Their blog published detailed technical documentation of the implementation, which is always a good sign.
ExpressVPN
Has publicly announced a post-quantum roadmap. As of mid-2026, still in development rather than full production rollout for all users. Watch for app updates.
NordVPN
Has implemented quantum-resistant encryption in some of their mesh networking features. Full integration into their main VPN connections is in progress. Not fully deployed yet.
Most Other Providers
The majority of VPN providers have not implemented post-quantum cryptography as of 2026. Some are working on it. Many have made no announcement. This is going to change over the next two to three years as standards mature.
A word on WireGuard and post-quantum
WireGuard, the modern VPN protocol that's become the speed standard, uses Curve25519 for its key exchange. Curve25519 is an elliptic curve algorithm and is theoretically vulnerable to quantum attacks via Shor's algorithm. This is a known limitation.
Mullvad solved this by layering a post-quantum key exchange on top of WireGuard. The underlying protocol stays the same, but before the WireGuard handshake completes, an additional PQ key encapsulation step occurs. The session key incorporates both. It's cleverly engineered and shows that WireGuard's quantum limitation is solvable without replacing the entire protocol.
OpenVPN, being more configurable, can have post-quantum algorithms swapped in as cipher suites, though this requires specific configuration rather than just toggling a setting in an app.
How Worried Should You Actually Be Right Now
Okay, real talk time. Because I've given you a lot of technical context and I don't want you walking away thinking you need to panic about your VPN connection being cracked by a quantum computer tomorrow.
You don't. Here's the honest timeline as best as cryptographers and quantum computing researchers currently understand it.
NIST finalizes post-quantum standards
ML-KEM, ML-DSA, and SLH-DSA officially standardized. The algorithms are settled. Now it's an implementation question.
Early adopter VPN providers implementing
Mullvad and ProtonVPN live. Others following. NSA requires PQ for classified comms. Harvest-now-decrypt-later is active at state level. This is where we are.
Industry-wide adoption expected
Most major VPN providers will have implemented PQ. It becomes a standard feature rather than a differentiator. Browsers and operating systems will handle the web side.
Quantum computers remain insufficient
Conservative estimates put cryptographically relevant quantum computers at 10 to 15 years away from today. By the time they arrive, post-quantum encryption will be ubiquitous.
So the situation is actually pretty reassuring for most people. The threat is real but distant. The solution is already being built and deployed. By the time quantum computers are powerful enough to crack today's encryption, the encryption will have already been updated. This is cryptographic defense in depth working as intended.
But if you do need to care right now
If your threat model includes nation-state adversaries who might be doing harvest-now-decrypt-later against your specific traffic, then yes, PQ-enabled VPN is worth choosing today. The incremental cost is zero. Mullvad and ProtonVPN charge the same whether you enable the PQ feature or not. If it's available, just turn it on. There's genuinely no downside.
There's a small performance overhead to adding the PQ key encapsulation step. We're talking about a few milliseconds added to connection setup time, not something you'd notice in actual use. It's not a reason to avoid it.
What actually matters more right now
Here's the thing I want to leave you with. Post-quantum encryption is genuinely interesting and worth understanding. But for the vast majority of people choosing a VPN in 2026, the quantum threat is not their biggest privacy problem.
Their biggest privacy problems are probably: their VPN provider actually logging despite claiming not to, DNS leaks exposing their real browsing activity despite the VPN, WebRTC leaks revealing their real IP, or their browser fingerprint making them identifiable regardless of VPN use. These are present-tense problems happening right now to real users. The quantum threat is future-tense.
So by all means, choose a provider with post-quantum support if they're otherwise good. But don't choose a provider with shaky logging practices and poor leak test results just because they've announced a quantum roadmap. Getting the fundamentals right matters more than future-proofing an insecure foundation.
A VPN that leaks your DNS queries today is a bigger problem than one that might be theoretically crackable by a quantum computer in 2035.
Both things can be true: post-quantum VPN encryption is a real development worth tracking, and also you should check your VPN for leaks before worrying about Shor's algorithm. Start with the VPN leak test guide. Then feel free to appreciate the post-quantum cryptography.