global: add PQC ML-KEM to handshake as PSK

aparcar · aparcar · commit 8c076d44d6db · 2025-05-26T22:41:57.000+02:00
This commit extends the handshake to generate a PQC-based PSK. The NIST-approved ML-KEM (formerly Kyber) is included in the initiator and responder messages to transport the encapsulation key and ciphertext, respectively. The generated shared secrets are directly injected as a pre-shared key (PSK), since PQC resilience is the intended purpose. The ML-KEM encapsulation key and ciphertext are piggybacked onto WireGuard message types 1 and 2, without altering the handshake itself. As a result, the initiation and response messages grow by about 1 kB (~10x) and the handshake takes ~5x longer (0.21s vs 0.93s[^1]), however, likely negligible, since the transported data stream is unaffected. This commit does not address PQC authentication. However, it offers a practical solution to mitigate retrospective decryption using quantum computers—namely, "store now, decrypt later" attacks. While more comprehensive approaches like "Post-quantum WireGuard"[^2] include PQC authentication and a full PQC handshake, the changes proposed here aim to be as minimal as possible, usable as soon as possible. [^1]: Naively running `go test -bench=TestNoiseHandshake -count=100` [^2]: https://eprint.iacr.org/2020/379.pdf Signed-off-by: Paul Spooren <mail@aparcar.org>
diff --git a/device/noise-protocol.go b/device/noise-protocol.go
@@ -11,6 +11,7 @@ import (
 	"sync"
 	"time"
 
+	"filippo.io/mlkem768"
 	"golang.org/x/crypto/blake2s"
 	"golang.org/x/crypto/chacha20poly1305"
 	"golang.org/x/crypto/poly1305"
@@ -60,8 +61,8 @@ const (
 )
 
 const (
-	MessageInitiationSize      = 148                                           // size of handshake initiation message
-	MessageResponseSize        = 92                                            // size of response message
+	MessageInitiationSize      = 1332                                          // size of handshake initiation message
+	MessageResponseSize        = 1180                                          // size of response message
 	MessageCookieReplySize     = 64                                            // size of cookie reply message
 	MessageTransportHeaderSize = 16                                            // size of data preceding content in transport message
 	MessageTransportSize       = MessageTransportHeaderSize + poly1305.TagSize // size of empty transport
@@ -82,23 +83,25 @@ const (
  */
 
 type MessageInitiation struct {
-	Type      uint32
-	Sender    uint32
-	Ephemeral NoisePublicKey
-	Static    [NoisePublicKeySize + poly1305.TagSize]byte
-	Timestamp [tai64n.TimestampSize + poly1305.TagSize]byte
-	MAC1      [blake2s.Size128]byte
-	MAC2      [blake2s.Size128]byte
+	Type        uint32
+	Sender      uint32
+	Ephemeral   NoisePublicKey
+	EphemeralPQ [mlkem768.EncapsulationKeySize]byte
+	Static      [NoisePublicKeySize + poly1305.TagSize]byte
+	Timestamp   [tai64n.TimestampSize + poly1305.TagSize]byte
+	MAC1        [blake2s.Size128]byte
+	MAC2        [blake2s.Size128]byte
 }
 
 type MessageResponse struct {
-	Type      uint32
-	Sender    uint32
-	Receiver  uint32
-	Ephemeral NoisePublicKey
-	Empty     [poly1305.TagSize]byte
-	MAC1      [blake2s.Size128]byte
-	MAC2      [blake2s.Size128]byte
+	Type         uint32
+	Sender       uint32
+	Receiver     uint32
+	Ephemeral    NoisePublicKey
+	CiphertextPQ [mlkem768.CiphertextSize]byte
+	Empty        [poly1305.TagSize]byte
+	MAC1         [blake2s.Size128]byte
+	MAC2         [blake2s.Size128]byte
 }
 
 type MessageTransport struct {
@@ -118,14 +121,16 @@ type MessageCookieReply struct {
 type Handshake struct {
 	state                     handshakeState
 	mutex                     sync.RWMutex
-	hash                      [blake2s.Size]byte       // hash value
-	chainKey                  [blake2s.Size]byte       // chain key
-	presharedKey              NoisePresharedKey        // psk
-	localEphemeral            NoisePrivateKey          // ephemeral secret key
-	localIndex                uint32                   // used to clear hash-table
-	remoteIndex               uint32                   // index for sending
-	remoteStatic              NoisePublicKey           // long term key, never changes, can be accessed without mutex
-	remoteEphemeral           NoisePublicKey           // ephemeral public key
+	hash                      [blake2s.Size]byte      // hash value
+	chainKey                  [blake2s.Size]byte      // chain key
+	presharedKey              NoisePresharedKey       // psk
+	localEphemeral            NoisePrivateKey         // ephemeral secret key
+	localEphemeralPQ          [mlkem768.SeedSize]byte // ephemeral secret PQC key
+	localIndex                uint32                  // used to clear hash-table
+	remoteIndex               uint32                  // index for sending
+	remoteStatic              NoisePublicKey          // long term key, never changes, can be accessed without mutex
+	remoteEphemeral           NoisePublicKey          // ephemeral public key
+	remoteEphemeralPQ         [mlkem768.EncapsulationKeySize]byte
 	precomputedStaticStatic   [NoisePublicKeySize]byte // precomputed shared secret
 	lastTimestamp             tai64n.Timestamp
 	lastInitiationConsumption time.Time
@@ -193,9 +198,16 @@ func (device *Device) CreateMessageInitiation(peer *Peer) (*MessageInitiation, e
 
 	handshake.mixHash(handshake.remoteStatic[:])
 
+	dk, err := mlkem768.GenerateKey()
+	if err != nil {
+		return nil, err
+	}
+	handshake.localEphemeralPQ = [64]byte(dk.Bytes())
+
 	msg := MessageInitiation{
-		Type:      MessageInitiationType,
-		Ephemeral: handshake.localEphemeral.publicKey(),
+		Type:        MessageInitiationType,
+		Ephemeral:   handshake.localEphemeral.publicKey(),
+		EphemeralPQ: [mlkem768.EncapsulationKeySize]byte(dk.EncapsulationKey()),
 	}
 
 	handshake.mixKey(msg.Ephemeral[:])
@@ -331,6 +343,8 @@ func (device *Device) ConsumeMessageInitiation(msg *MessageInitiation) *Peer {
 	handshake.chainKey = chainKey
 	handshake.remoteIndex = msg.Sender
 	handshake.remoteEphemeral = msg.Ephemeral
+	handshake.remoteEphemeralPQ = msg.EphemeralPQ
+
 	if timestamp.After(handshake.lastTimestamp) {
 		handshake.lastTimestamp = timestamp
 	}
@@ -392,6 +406,16 @@ func (device *Device) CreateMessageResponse(peer *Peer) (*MessageResponse, error
 	}
 	handshake.mixKey(ss[:])
 
+	// set preshared key
+
+	ciphertext, sspq, err := mlkem768.Encapsulate(handshake.remoteEphemeralPQ[:])
+	if err != nil {
+		return nil, err
+	}
+	msg.CiphertextPQ = [mlkem768.CiphertextSize]byte(ciphertext)
+
+	handshake.presharedKey = NoisePresharedKey(sspq)
+
 	// add preshared key
 
 	var tau [blake2s.Size]byte
@@ -468,6 +492,21 @@ func (device *Device) ConsumeMessageResponse(msg *MessageResponse) *Peer {
 		mixKey(&chainKey, &chainKey, ss[:])
 		setZero(ss[:])
 
+		// set preshared key
+
+		dk, err := mlkem768.NewKeyFromSeed(handshake.localEphemeralPQ[:])
+		if err != nil {
+			return false
+		}
+		sspq, err := mlkem768.Decapsulate(dk, msg.CiphertextPQ[:])
+		if err != nil {
+			return false
+		}
+		handshake.presharedKey = NoisePresharedKey(sspq)
+
+		setZero(sspq[:])
+		setZero(handshake.localEphemeralPQ[:])
+
 		// add preshared key (psk)
 
 		var tau [blake2s.Size]byte
diff --git a/go.mod b/go.mod
@@ -1,16 +1,19 @@
 module github.com/tailscale/wireguard-go
 
-go 1.20
+go 1.21.3
+
+toolchain go1.24.3
 
 require (
-	golang.org/x/crypto v0.13.0
-	golang.org/x/net v0.15.0
-	golang.org/x/sys v0.12.0
+	golang.org/x/crypto v0.26.0
+	golang.org/x/net v0.21.0
+	golang.org/x/sys v0.24.0
 	golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2
 	gvisor.dev/gvisor v0.0.0-20230927004350-cbd86285d259
 )
 
 require (
+	filippo.io/mlkem768 v0.0.0-20241021091500-d85de16e2039 // indirect
 	github.com/google/btree v1.0.1 // indirect
 	golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 // indirect
 )
diff --git a/go.sum b/go.sum
@@ -1,11 +1,19 @@
+filippo.io/mlkem768 v0.0.0-20241021091500-d85de16e2039 h1:I/alPPIVzEkPeQKVU7Sl5gv/sQ0IC4zgqHiACrSgUW8=
+filippo.io/mlkem768 v0.0.0-20241021091500-d85de16e2039/go.mod h1:IkpYfciLz5fI/S4/Z0NlhR4cpv6ubCMDnIwAe0XiojA=
 github.com/google/btree v1.0.1 h1:gK4Kx5IaGY9CD5sPJ36FHiBJ6ZXl0kilRiiCj+jdYp4=
 github.com/google/btree v1.0.1/go.mod h1:xXMiIv4Fb/0kKde4SpL7qlzvu5cMJDRkFDxJfI9uaxA=
 golang.org/x/crypto v0.13.0 h1:mvySKfSWJ+UKUii46M40LOvyWfN0s2U+46/jDd0e6Ck=
 golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
+golang.org/x/crypto v0.26.0 h1:RrRspgV4mU+YwB4FYnuBoKsUapNIL5cohGAmSH3azsw=
+golang.org/x/crypto v0.26.0/go.mod h1:GY7jblb9wI+FOo5y8/S2oY4zWP07AkOJ4+jxCqdqn54=
 golang.org/x/net v0.15.0 h1:ugBLEUaxABaB5AJqW9enI0ACdci2RUd4eP51NTBvuJ8=
 golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
+golang.org/x/net v0.21.0 h1:AQyQV4dYCvJ7vGmJyKki9+PBdyvhkSd8EIx/qb0AYv4=
+golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
 golang.org/x/sys v0.12.0 h1:CM0HF96J0hcLAwsHPJZjfdNzs0gftsLfgKt57wWHJ0o=
 golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.24.0 h1:Twjiwq9dn6R1fQcyiK+wQyHWfaz/BJB+YIpzU/Cv3Xg=
+golang.org/x/sys v0.24.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 h1:vVKdlvoWBphwdxWKrFZEuM0kGgGLxUOYcY4U/2Vjg44=
 golang.org/x/time v0.0.0-20220210224613-90d013bbcef8/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 h1:B82qJJgjvYKsXS9jeunTOisW56dUokqW/FOteYJJ/yg=
