NordVPN, one of the world's leading VPN service providers, has launched its first application featuring quantum-resilient encryption.
Post-quantum cryptography support is currently available on NordVPN's Linux client, with plans to extend this security to all applications by the first quarter of 2025. The move represents a significant step toward preparing for potential future threats posed by quantum computing.
According to Marijus Briedis, CTO of NordVPN, quantum computers represent a looming challenge to cybersecurity. “Trends show that cybercriminals are intensifying what is known as ‘harvest now, decrypt later' attacks,” Briedis explained. “Simply put, they are trying to accumulate huge quantities of encrypted data and decrypt them once quantum technology is developed. Thus, the VPN industry must enter a new phase of development to defend against future quantum computing threats.”
The implementation of post-quantum encryption is timely, as the National Institute of Standards and Technology (NIST) recently announced its first post-quantum cryptographic standards. VPNs, which rely on cryptographic protocols to secure data and communications, must adopt these emerging standards to remain secure against the evolving capabilities of quantum computing.
You can learn more about NordVPN here.
A Hybrid Approach Using ML-KEM (Kyber)
NordVPN's quantum-resilient encryption uses the ML-KEM algorithm, also known as Kyber, and employs a hybrid approach. This process starts by establishing a standard WireGuard session, followed by a pre-shared key (PSK) exchange within the session based on the ML-KEM algorithm. Once the PSK is exchanged, both client and server use a non-zero-filled 32-byte PSK to add an additional layer of quantum-secure encryption to the session.
This hybrid implementation helps ensure robust protection without compromising performance. However, integrating post-quantum algorithms poses technical challenges, primarily due to their larger key sizes and signatures, which can increase computational overhead and affect the VPN's speed.
Why Start with Linux?
NordVPN chose to begin the rollout of post-quantum encryption with its Linux client to gather performance data and insights from an advanced user base. Linux users are generally more tech-savvy, which allows the NordVPN team to identify potential improvements or issues before deploying the solution to a broader audience. This approach will help fine-tune the post-quantum cryptography for performance metrics like connection times and speed.
“These technical challenges are the reason for the gradual implementation of post-quantum cryptography support to our applications. We want to be completely sure that we will keep the highest level of user experience in terms of connection time and speed during the transition,” said Briedis
NordVPN aims to introduce this post-quantum encryption capability to all its applications by 2025, ensuring that the company remains prepared for future quantum threats. The rollout on the Linux platform will serve as a testing ground to optimize the encryption's performance and ensure that the switch to quantum-resistant cryptography does not negatively impact user experience on platforms that have significantly larger userbases.
As Briedis mentions, agility will be key, “NordVPN aims to ensure that applications are both quantum-resistant and agile in cryptographic management. As cryptographic needs evolve, the demand for crypto-agility that enables systems to adapt to new cryptographic standards seamlessly will be essential.”
NordVPN is renowned for its focus on privacy, security, and performance, running an extensive network of 6,400 servers across 111 countries. Check out our in-depth NordVPN review for more details, and you can also take advantage of a limited-time 74% off deal on 2-year subscriptions.
Jack 805
It is my understanding that unless internet traffic is e2e encrypted all a vpn does is protect one from ISP snooping and obfuscates the user’s ip address to data mining, data selling websites and governments subpoenaing information from email providers and other ebusinesses.
I believe that in most cases email travels across the internet jungle wide open to view after leaving the vpn tunnel, and certainly metadata is not stripped by most email providers. Metadata can be just as compromising as content by what it reveals or infers.
An amazing number of people put their whole lives online with social media – regardless of greatly embarrassing revelations or incriminating information and scurrilous attacks on others, think of what most will reveal with texts and email if they are unaware or uncaring of the risks. Or worse, who they drag along with them into controversy and guilt by association.
Think about that last sentence.
But, not just cybercriminals are involved with “‘harvest now, decrypt later’ attacks,” government intelligence agencies around the globe are doing it too.
And the e2e encryption concerning bank accounts and transactions will be compromised and subject to future scrutiny, not to mention corporate affairs, small business and their customers, digital patient records and governmental activity… including defense concerns…
We all know just how securely business treats your credit card and financial information…
And how ignorant politicians and bureaucrats are with digital security…
While practically running their computing tasks with windows xp and smugly secure with the thought of “what could possibly go wrong?” or “Wow, that’s a lot of money I could use for pandering instead” …
While it may be too much information to go on data fishing expeditions, at least at this time with present technology, there is the future potential for every needle inside the global haystack to be laid bare.
I religiously use a vpn and won’t go online without using one, but vpns aren’t the cure all for everything that buggers internet security and privacy, no matter how quantum resistant they are.
Orlando Smith
Mullvad VPN has been there and done that since 6 April 2023, with full implementation on Windows, Linux, macOS, and Android, and recently iOS. So NordVPN is late to the party, and not fashionably late.
Fujeetsoo
Mullvad doesn’t do affiliate programs, which is why they don’t get mentioned on most VPN “review” sites.
BoBeX
Hi RP,
Great article!
I would add that there is potentially another advantage to going Linux first;
Though I don’t disagree with the stated argument there could be a second consideration:
That a cohort of tech savvy Linux users may also be very powerful influences in the privacy market.