Plans for post-quantum security?

Demi Marie Obenour demiobenour at gmail.com
Wed Jan 14 05:45:38 UTC 2026 

Are there plans to make WireGuard post-quantum secure?  Post-quantum
cryptography is actually faster than X25519, and it is the default
in browsers and many libraries now [1].  It is also the default in
OpenSSH, which warns if it is not in use.

There is an academic paper [2] with a post-quantum VPN based on
WireGuard, but to keep the handshake packets inside the IPv6 MTU,
they had to make trade-offs:

1. The key-encapsulation mechanism used for forward secrecy
   is a modified version of Saber that is only secure against
   chosen-plaintext attack, not chosen-ciphertext attack.  This is
   (hopefully) sufficient for the task here, but this might take
   careful analysis to prove.  It also isn't standardized anywhere
   I am aware of.

2. Classic McEliece is used for long-term asymmetric keys.  It has
   small ciphertexts, but massive public keys.

I have some thoughts of my own, but first I'd like to know if there are
any plans from the developers and if suggestions would be appreciated.
I'd like to not need to switch to IPsec!

Of course, one can always repeatedly update the PresharedKey
field using a daemon running in userspace, but this loses some of
WireGuard's advantages.  It is also tricky to do without having to
send traffic outside the tunnel, and it only rekeys so long as the
daemon keeps running.

[1]: https://developers.cloudflare.com/ssl/post-quantum-cryptography/pqc-support/
[2]: https://eprint.iacr.org/2020/379.pdf
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0xB288B55FFF9C22C1.asc
Type: application/pgp-keys
Size: 7140 bytes
Desc: OpenPGP public key
URL: <http://lists.zx2c4.com/pipermail/wireguard/attachments/20260114/c029df07/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.zx2c4.com/pipermail/wireguard/attachments/20260114/c029df07/attachment.sig>

More information about the WireGuard mailing list