The shift from "if" to "when"
For most of the public-key era...
NIST's response, started in 2016...
For VPNs, the relevant standard is FIPS 203...
Harvest Now, Decrypt Later
The threat model has a name...
Estimates for cryptographically relevant...
If your communications would still be sensitive ten years from now, you needed post-quantum protection ten years ago. The next best time is today.
Why lattice-based
ML-KEM rests on the hardness...
- No known quantum speedup.
- Mature analysis.
- Reasonable performance.
Other candidates...
Why hybrid construction matters
A pure ML-KEM handshake...
The pragmatic answer is hybrid construction...
The encryption suite ProxysVPN uses...
- mlkem768
- x25519
- plus
- native
- 0rtt
0-RTT and why it matters operationally
Post-quantum keys are larger...
For a mobile VPN client...
What this looks like on the wire
VLESS Reality plus ML-KEM...
An adversary capturing this traffic in 2026 sees:
- TCP connection to port 443
- TLS ClientHello with SNI
- Apparently valid certificate exchange
- Encrypted application data
If they store this and bring a CRQC online in 2035...
Limitations and honest caveats
Post-quantum is not magic. Some honest limitations:
- It does not protect endpoints.
- Implementation matters.
- Authentication is separate.
- Larger handshake.
Why this is not yet standard
NIST published FIPS 203 in August 2024...
- WireGuard's reference implementation...
- OpenVPN has draft RFCs...
- The Xray ecosystem...
The lag is not technical...
That last reason is also why...
What to do
If you operate under any of the following threat models...
- You are a journalist, researcher, or activist...
- You operate in a jurisdiction with state-level traffic capture...
- You handle commercial information...
For ordinary streaming and casual use...
For a side-by-side review...