Published on: January 29, 2025
Popular VPN provider ExpressVPN is taking another big step toward future-proofing its users’ security. It announced a full integration of the newly released NIST post-quantum encryption standard, ML-KEM, across its proprietary Lightway VPN protocol.
This upgrade replaces the former Kyber algorithm that ExpressVPN initially deployed in 2023, further strengthening the service against emerging quantum computing threats. For everyday users, that means an even higher level of protection for their data — well in advance of the moment when quantum computers could undermine traditional encryption.
“Encryption is always evolving, and so are we. When Kyber emerged as a trusted frontrunner in the race to secure the post-quantum world, we integrated it into Lightway to ensure your data stayed ahead of potential threats. Now, with ML-KEM – the newly minted NIST standard – we’re taking that protection even further,” said Pete Membrey, Chief Research Officer at ExpressVPN, in the official announcement.
ML-KEM builds upon Kyber’s groundwork, culminating in a strong cryptographic key exchange method that has earned global support from top cryptographers. It’s designed to safeguard VPN connections — and other secure communications — from increasingly advanced cyberattacks powered by quantum computing.
“Lightway is built to evolve, and ML-KEM represents the next step in its journey,” Membrey added, noting that ExpressVPN now uses NIST Security Level 5 key sizes for both TCP and UDP.
Despite the boost in security, the company promises that speed and reliability remain unaffected.
ExpressVPN also shifted away from the Open Quantum Safe (OQS) team’s implementation of Kyber to adopt the WolfSSL library, a move that brings additional optimizations. The company says WolfSSL’s lightweight infrastructure offers faster speeds and enhanced power efficiency across all platforms running Lightway.
“Unlike experimental libraries, WolfSSL provides enterprise-grade support and regular updates, making it the perfect fit for Lightway’s ongoing evolution,” Membrey said.
Cybersecurity analysts have long warned that current encryption could be broken by quantum computers as early as 2030. VPNs, encrypted messaging apps, and other security-dependent services all stand to benefit from adopting quantum-safe algorithms in advance. ExpressVPN’s latest upgrade places it among the earliest adopters, joining other top providers that are in the process of transitioning to the new NIST standards.