public inbox for wireguard@lists.zx2c4.com
* Plans for post-quantum security?
@ 2026-01-14  5:45 Demi Marie Obenour
From: Demi Marie Obenour @ 2026-01-14  5:45 UTC
  To: wireguard


Are there plans to make WireGuard post-quantum secure?  Post-quantum
cryptography is actually faster than X25519, and it is the default
in browsers and many libraries now [1].  It is also the default in
OpenSSH, which warns if it is not in use.

There is an academic paper [2] with a post-quantum VPN based on
WireGuard, but to keep the handshake packets inside the IPv6 MTU,
they had to make trade-offs:

1. The key-encapsulation mechanism used for forward secrecy
   is a modified version of Saber that is only secure against
   chosen-plaintext attack, not chosen-ciphertext attack.  This is
   (hopefully) sufficient for the task here, but this might take
   careful analysis to prove.  It also isn't standardized anywhere
   I am aware of.

2. Classic McEliece is used for long-term asymmetric keys.  It has
   small ciphertexts, but massive public keys.

I have some thoughts of my own, but first I'd like to know if there are
any plans from the developers and if suggestions would be appreciated.
I'd like to not need to switch to IPsec!

Of course, one can always repeatedly update the PresharedKey
field using a daemon running in userspace, but this loses some of
WireGuard's advantages.  It is also tricky to do without having to
send traffic outside the tunnel, and it only rekeys so long as the
daemon keeps running.

[1]: https://developers.cloudflare.com/ssl/post-quantum-cryptography/pqc-support/
[2]: https://eprint.iacr.org/2020/379.pdf
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
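
Added example, not part of the original message and not WireGuard project code: one rotation step of the userspace PresharedKey daemon approach mentioned above. It assumes both peers have already agreed on a fresh post-quantum shared secret by some KEM exchange carried inside the tunnel (not shown); the HKDF chaining, the label string and the function names are this example's own choices.

```python
import base64
import hashlib
import hmac
import subprocess

LABEL = b"example psk rotation v1"  # assumption: arbitrary domain-separation label

def hkdf_sha256(salt: bytes, ikm: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) extract-then-expand with HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def next_psk(current_psk_b64: str, pq_secret: bytes) -> str:
    """Mix a fresh post-quantum shared secret into the current PSK.

    Chaining on the old PSK means one weak rotation round does not by
    itself expose later keys derived from stronger rounds.
    """
    current = base64.b64decode(current_psk_b64, validate=True)
    if len(current) != 32:
        raise ValueError("WireGuard preshared keys are 32 bytes")
    if len(pq_secret) < 32:
        raise ValueError("post-quantum shared secret is too short")
    return base64.b64encode(hkdf_sha256(current, pq_secret, LABEL)).decode()

def wg_set_args(interface: str, peer_pubkey_b64: str) -> list:
    """Build the wg(8) command; the key itself never appears in argv."""
    if len(base64.b64decode(peer_pubkey_b64, validate=True)) != 32:
        raise ValueError("peer public key must be 32 bytes")
    return ["wg", "set", interface, "peer", peer_pubkey_b64,
            "preshared-key", "/dev/stdin"]

def apply_psk(interface: str, peer_pubkey_b64: str, psk_b64: str) -> None:
    """Install the new PSK, feeding it on stdin so it is not visible in ps."""
    subprocess.run(wg_set_args(interface, peer_pubkey_b64),
                   input=(psk_b64 + "\n").encode(), check=True)

if __name__ == "__main__":
    # Constructed sample values, for illustration only.
    old = base64.b64encode(bytes(range(32))).decode()
    secret = hashlib.sha256(b"constructed KEM output").digest()
    print(next_psk(old, secret))
```

Both peers have to apply the same derived key at about the same time, and the tunnel stops being rekeyed as soon as the daemon on either side stops.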

