Dear All,
My group recently released Rosenpass – a post-quantum-secure add-on for WireGuard.
Website: https://rosenpass.eu
Code: https://github.com/rosenpass/rosenpass
Whitepaper: https://rosenpass.eu/whitepaper.pdf
The implementation is written in Rust; it performs a key exchange and hands the resulting key to WireGuard using the PSK feature every two minutes, so there is no need to patch the kernel. We use primitives from libsodium and liboqs.
The protocol is based on the 2020 paper on Post-Quantum WireGuard[^0]; we continue to use Classic McEliece for authenticity and confidentiality, and all our packets sent as part of the handshake fit into an IPv6 UDP frame.
We use Kyber 512 for forward secrecy and confidentiality. This means security against “store now, decrypt later”-style attacks is guaranteed by a NIST-approved primitive.
We updated the protocol to have better properties w.r.t. DoS resistance: our new version uses cookies to achieve stronger DoS resistance; we are also secure against the attack on WireGuard, CVE-2021-46873[^1][^2]. The protocol also contains some improvements in how domain separation and key derivation are done.
We have a symbolic verification in ProVerif[^3]; a scientific paper as well as a cryptographic proof using CryptoVerif are work in progress.
Best,
Karolin Varner
[^0]: https://eprint.iacr.org/2020/379
[^1]: https://nvd.nist.gov/vuln/detail/CVE-2021-46873
[^2]: https://lists.zx2c4.com/pipermail/wireguard/2021-August/006916.html
[^3]: https://github.com/rosenpass/rosenpass/tree/main/analysis
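As an added illustration of the PSK hand-off the mail describes (example code, not Rosenpass's own), this POSIX shell sketch pushes a freshly exchanged 32-byte key into a running WireGuard interface with the stock wg(8) tool; the `wg` binary on PATH, the hypothetical `pq-kex` command that emits the key bytes, and the interface and peer names are assumptions.

```shell
#!/bin/sh
# Added example, not Rosenpass's own code: hand a freshly exchanged key to a
# running WireGuard interface through its pre-shared-key slot, using only the
# stock wg(8) tool (assumed on PATH), so no kernel change is needed.
# wg(8) expects the 32-byte PSK base64-encoded (44 characters).

# Read 32 raw key bytes from stdin and print them in the base64 form wg(8) takes.
psk_b64_from_raw() {
    head -c 32 | base64 | tr -d '\n'
}

# Check that a base64 PSK is well-formed: 44 characters that decode to 32 bytes.
psk_is_valid() {
    key="$1"
    [ "${#key}" -eq 44 ] || return 1
    n=$(printf '%s' "$key" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
    [ "$n" -eq 32 ]
}

# Install a PSK for one peer. The key goes through a mode-0600 temporary file
# instead of the command line, so it never shows up in `ps` output or history.
# Usage: install_psk <iface> <peer-pubkey-b64> <psk-b64>
install_psk() {
    iface="$1"; peer="$2"; psk="$3"
    psk_is_valid "$psk" || return 1
    tmp=$(mktemp) || return 1
    chmod 600 "$tmp"
    printf '%s\n' "$psk" > "$tmp"
    wg set "$iface" peer "$peer" preshared-key "$tmp"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# One rotation step: take the 32 raw bytes a key-exchange process writes to
# stdout (the hypothetical `pq-kex` below stands in for that process), encode
# them and install them for the peer.
# Usage: pq-kex | rotate_psk <iface> <peer-pubkey-b64>
rotate_psk() {
    psk=$(psk_b64_from_raw)
    install_psk "$1" "$2" "$psk"
}

# A two-minute rotation loop, matching the interval the mail describes:
#   while :; do pq-kex | rotate_psk wg0 "$PEER_PUBKEY"; sleep 120; done
```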