Compare
Most VPNs were designed long before quantum computing was a realistic concern. Some are now experimenting with post-quantum key exchange, but often by grafting new algorithms onto older designs. SeraphVPN takes a different approach: it is built on PALISADE, a post-quantum–native protocol that rethinks the entire path from control plane to encrypted tunnel.
The table below highlights how SeraphVPN differs from both conventional VPNs and emerging "PQ-enhanced" solutions.
Feature
SeraphVPN (PALISADE)
Typical VPN (WireGuard / OpenVPN / IKEv2)
PQ-Enhanced VPN (Hybrid Add-on)
Cryptography in Security-Critical Path
Post-quantum native (ML-KEM-768 + Dilithium-3)
Classical (X25519, RSA, ECDSA, etc.)
Classical + experimental or hybrid PQ
Dependence on Classical Public-Key Crypto
None in critical path
Full dependence
Partial dependence (hybrid or fallback paths)
End-to-End PQ Coverage
Data plane and control plane
Neither (classical only)
Usually data plane only (control plane still classical TLS)
Handshake Design
Clean-slate PQ AKE + tunneling over UDP
Legacy protocols adapted for modern use
Legacy protocols with PQ grafted on
0-RTT / Resumption
PQ 0-RTT with bounded replay risk, formally specified
Sometimes 0-RTT / session resumption, rarely PQ-aware
PQ key exchange but classical 0-RTT semantics
Header / Metadata Protection
Encrypted headers, minimal fixed metadata
Exposed protocol headers and more observable metadata
Typically same as legacy; PQ does not change metadata
Traffic Shaping at Protocol Level
Slot-based constant-rate modes defined in protocol
Usually absent or left to external tools
Usually absent
Session Migration
Explicit epoch-bound migration and rekey semantics
Often ad-hoc or implementation-specific
Same limitations as underlying legacy protocol
Control-Plane Authentication
Post-quantum proof-of-possession; no long-lived bearer tokens
API keys, passwords, or classical TLS client auth
Classical auth, even where data plane uses PQ
Zero Traffic Logging
Designed for zero traffic logging by default
Varies widely by provider; often policy-based
Same as conventional; PQ does not affect logging
Standardized Primitives
NIST-selected ML-KEM-768 & Dilithium-3
NIST-standard classical primitives (e.g., AES, ECDH, RSA)
Mix of standardized classical and evolving PQ algorithms
Design Transparency
Public protocol specification, threat model, test vectors
Protocols public; provider implementations vary in transparency
PQ extensions often less documented and less widely reviewed
Quantum Threat Model Coverage
Designed explicitly for harvest-now/decrypt-later & future QC
Not designed for quantum adversaries
Partially addresses key exchange; rarely end-to-end
Cryptography in Security-Critical Path
SeraphVPN (PALISADE)
Post-quantum native (ML-KEM-768 + Dilithium-3)
Typical VPN (WireGuard / OpenVPN / IKEv2)
Classical (X25519, RSA, ECDSA, etc.)
PQ-Enhanced VPN (Hybrid Add-on)
Classical + experimental or hybrid PQ
Dependence on Classical Public-Key Crypto
SeraphVPN (PALISADE)
None in critical path
Typical VPN (WireGuard / OpenVPN / IKEv2)
Full dependence
PQ-Enhanced VPN (Hybrid Add-on)
Partial dependence (hybrid or fallback paths)
End-to-End PQ Coverage
SeraphVPN (PALISADE)
Data plane and control plane
Typical VPN (WireGuard / OpenVPN / IKEv2)
Neither (classical only)
PQ-Enhanced VPN (Hybrid Add-on)
Usually data plane only (control plane still classical TLS)
Handshake Design
SeraphVPN (PALISADE)
Clean-slate PQ AKE + tunneling over UDP
Typical VPN (WireGuard / OpenVPN / IKEv2)
Legacy protocols adapted for modern use
PQ-Enhanced VPN (Hybrid Add-on)
Legacy protocols with PQ grafted on
0-RTT / Resumption
SeraphVPN (PALISADE)
PQ 0-RTT with bounded replay risk, formally specified
Typical VPN (WireGuard / OpenVPN / IKEv2)
Sometimes 0-RTT / session resumption, rarely PQ-aware
PQ-Enhanced VPN (Hybrid Add-on)
PQ key exchange but classical 0-RTT semantics
Header / Metadata Protection
SeraphVPN (PALISADE)
Encrypted headers, minimal fixed metadata
Typical VPN (WireGuard / OpenVPN / IKEv2)
Exposed protocol headers and more observable metadata
PQ-Enhanced VPN (Hybrid Add-on)
Typically same as legacy; PQ does not change metadata
Traffic Shaping at Protocol Level
SeraphVPN (PALISADE)
Slot-based constant-rate modes defined in protocol
Typical VPN (WireGuard / OpenVPN / IKEv2)
Usually absent or left to external tools
PQ-Enhanced VPN (Hybrid Add-on)
Usually absent
Session Migration
SeraphVPN (PALISADE)
Explicit epoch-bound migration and rekey semantics
Typical VPN (WireGuard / OpenVPN / IKEv2)
Often ad-hoc or implementation-specific
PQ-Enhanced VPN (Hybrid Add-on)
Same limitations as underlying legacy protocol
Control-Plane Authentication
SeraphVPN (PALISADE)
Post-quantum proof-of-possession; no long-lived bearer tokens
Typical VPN (WireGuard / OpenVPN / IKEv2)
API keys, passwords, or classical TLS client auth
PQ-Enhanced VPN (Hybrid Add-on)
Classical auth, even where data plane uses PQ
Zero Traffic Logging
SeraphVPN (PALISADE)
Designed for zero traffic logging by default
Typical VPN (WireGuard / OpenVPN / IKEv2)
Varies widely by provider; often policy-based
PQ-Enhanced VPN (Hybrid Add-on)
Same as conventional; PQ does not affect logging
Standardized Primitives
SeraphVPN (PALISADE)
NIST-selected ML-KEM-768 & Dilithium-3
Typical VPN (WireGuard / OpenVPN / IKEv2)
NIST-standard classical primitives (e.g., AES, ECDH, RSA)
PQ-Enhanced VPN (Hybrid Add-on)
Mix of standardized classical and evolving PQ algorithms
Design Transparency
SeraphVPN (PALISADE)
Public protocol specification, threat model, test vectors
Typical VPN (WireGuard / OpenVPN / IKEv2)
Protocols public; provider implementations vary in transparency
PQ-Enhanced VPN (Hybrid Add-on)
PQ extensions often less documented and less widely reviewed
Quantum Threat Model Coverage
SeraphVPN (PALISADE)
Designed explicitly for harvest-now/decrypt-later & future QC
Typical VPN (WireGuard / OpenVPN / IKEv2)
Not designed for quantum adversaries
PQ-Enhanced VPN (Hybrid Add-on)
Partially addresses key exchange; rarely end-to-end