Tiny WireGuard Tweak

  • Jacob Appelbaum
  • Chloe Martindale
  • Peter Wu
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11627)


We show that a future adversary with access to a quantum computer, historic network traffic protected by WireGuard, and knowledge of a WireGuard user’s long-term static public key can likely decrypt many of the WireGuard user’s historic messages. We propose a simple, efficient alteration to the WireGuard protocol that mitigates this vulnerability, with negligible additional computational and memory costs. Our changes add zero additional bytes of data to the wire format of the WireGuard protocol. Our alteration provides transitional post-quantum security for any WireGuard user who does not publish their long-term static public key; instead, that key should be exchanged out-of-band.


Keywords: WireGuard, post-quantum cryptography, mass surveillance, network protocol, privacy, VPN, security



We would like to thank Jason A. Donenfeld for WireGuard and for insightful discussions about possible ways to improve WireGuard against quantum adversaries, including his suggestion to hash public keys. We would like to thank various anonymous helpers for their reviews of earlier drafts of this paper. We would also like to thank those in the TU/e coding theory and cryptology group and the cryptographic implementations group, including Gustavo Banegas, Daniel J. Bernstein, and especially Tanja Lange, for their valuable feedback.



Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. Department of Mathematics and Computer Science, Eindhoven University of Technology, Eindhoven, Netherlands
