Rosenpass – Post-quantum security for WireGuard


Karolin Varner

Mar 10, 2023, 2:51:38 AM
to pqc-...@list.nist.gov
Dear All,

My group recently released Rosenpass – a post-quantum-secure add-on for WireGuard.

Website: https://rosenpass.eu
Code: https://github.com/rosenpass/rosenpass
Whitepaper: https://rosenpass.eu/whitepaper.pdf

The implementation is written in Rust; it performs a key exchange and hands the resulting key to WireGuard using the PSK feature every two minutes, so there is no need to patch the kernel. We use primitives from libsodium and liboqs.

The protocol is based on the 2020 paper on Post-Quantum WireGuard[^0]; we continue to use Classic McEliece for authenticity and confidentiality, and all our packets sent as part of the handshake fit into an IPv6 UDP frame.

We use Kyber 512 for forward secrecy and confidentiality. This means security against “store now, decrypt later”-style attacks is guaranteed by a NIST-approved primitive.

We updated the protocol to have better properties w.r.t. DoS resistance: our new version uses cookies to achieve stronger DoS resistance; we are also secure against the attack on WireGuard CVE-2021-46873[^1][^2]. The protocol also contains some improvements in how domain separation and key derivation are done.

We have a symbolic verification in ProVerif[^3]; a scientific paper as well as a cryptographic proof using CryptoVerif are work in progress.

Best,
Karolin Varner

[^0]: https://eprint.iacr.org/2020/379
[^1]: https://nvd.nist.gov/vuln/detail/CVE-2021-46873
[^2]: https://lists.zx2c4.com/pipermail/wireguard/2021-August/006916.html
[^3]: https://github.com/rosenpass/rosenpass/tree/main/analysis
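The post describes the integration point with WireGuard: a separate daemon runs the post-quantum key exchange and hands the resulting key to the kernel through WireGuard's existing preshared-key feature, so no kernel patch is needed. The following is an added illustration of that hand-off step, not code from the Rosenpass project: it takes a 32-byte key from any key exchange and installs it as the PSK for one peer via the real `wg set <iface> peer <pubkey> preshared-key <file>` command. The interface name, peer key and the `run` hook used to invoke `wg` are assumptions for the example.

```python
import base64
import os
import subprocess
import tempfile
from typing import Callable, List, Sequence

WG_PSK_LEN = 32  # WireGuard preshared keys are exactly 32 bytes


def encode_psk(key: bytes) -> str:
    """Base64-encode a raw 32-byte key in the form `wg` expects in a key file."""
    if len(key) != WG_PSK_LEN:
        raise ValueError(f"PSK must be {WG_PSK_LEN} bytes, got {len(key)}")
    return base64.b64encode(key).decode("ascii")


def install_psk(
    interface: str,
    peer_pubkey: str,
    key: bytes,
    run: Callable[[Sequence[str]], object] = lambda argv: subprocess.run(argv, check=True),
) -> List[str]:
    """Hand `key` to WireGuard as the PSK for `peer_pubkey` on `interface`.

    The key is passed through a mode-0600 temporary file rather than argv, so it
    never shows up in the process list (/proc/<pid>/cmdline) of other users.
    `run` executes the command (defaults to subprocess.run; replaceable for tests).
    Returns the argv that was executed, for inspection.
    """
    encoded = encode_psk(key)
    # Prefer a tmpfs so the key is not written to persistent storage (assumed path).
    tmpdir = "/dev/shm" if os.path.isdir("/dev/shm") else None
    fd, path = tempfile.mkstemp(prefix="psk-", dir=tmpdir)
    try:
        os.fchmod(fd, 0o600)  # mkstemp already uses 0600; made explicit here
        with os.fdopen(fd, "w") as f:
            f.write(encoded + "\n")
        argv = ["wg", "set", interface, "peer", peer_pubkey, "preshared-key", path]
        run(argv)
        return argv
    finally:
        os.unlink(path)  # key file exists only for the duration of the wg call
```

A rotating deployment would call `install_psk` again with each freshly exchanged key, which is the "every two minutes" cadence the post describes; WireGuard picks up the new PSK at the next handshake.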

Thomas Braun

Mar 10, 2023, 7:41:30 AM
to pqc-forum, Karolin Varner
Hi Karolin,

Congratulations on your release. This will be a useful addition to the community.

There is a proprietary/paid version of a post-quantum wireguard out there that your software will help replace (https://www.ambit.inc/products/maxkyber/). For the past 5 years, I have been a firm believer that in the face of the danger of retroactive decryption (i.e., "store now, decrypt later"), hiding these products behind paywalls and closed-sources only hurts our security and trust as a society.

I invite you to work with me on The Citadel Protocol (see: https://www.reddit.com/r/crypto/comments/107owld/after_5_years_of_development_i_am_releasing_the/). I am currently working on finding a cross-platform way to add a VPN on top of The Citadel Protocol. If you have any questions, please reach out to me via email or here.

Thank you,
Thomas Braun