[Cryptography] WireGuard

Thierry Moreau thierry.moreau at connotech.com
Tue Sep 4 11:31:25 EDT 2018

On 30/08/18 05:54 PM, Peter Gutmann wrote:
> Jerry Leichter <leichter at lrw.com> writes:
>> The white paper reveals what appears to be really good and clever design and
>> engineering.  Some of the basic principles are things we've discussed (and
>> argued about) repeatedly here - e.g., *one* choice of crypto configuration, no
>> "algorithm agility", no negotiation at startup.
>> I'm wondering if others here have looked at WireGuard and have any insight
>> into the reality.
> I looked at it a while back and pretty much agree with the quoted paragraph
> above, it's a very nice design.  A good independent analysis is:
> https://eprint.iacr.org/2018/080

Here is the result of looking into this very significant contribution.

Looking at the fundamental public key crypto arrangement, Wireguard is 
an application of DH-based schemes combining long term (authenticating) 
and ephemeral key pairs in an authenticated key agreement protocol.

Lein Harn et al. pioneered this approach (e.g. [1]). The MQV and HMQV 
schemes also fall into this category. In contrast to these, the 
Wireguard proposal (in its adaptation of the Noise protocol) heavily 
relies on symmetric integrity algorithms for binding together the 
authenticating and ephemeral DH primitives.

The other fundamental public key crypto arrangement for the same 
protocol services (authenticated key agreement) is work derived from 
station-to-station and SIGMA schemes ([2]) and includes IKEv2 and HIPSEC.

I never figured out an equivalent public key foundation summary for 
either TLS or SSH.

Clearly Wireguard has a much wider relevance than this fundamental 
public key scheme analysis (Wireguarg is encompassing an impressive lot 
of implementation aspects).

- Thierry Moreau


[1] L. Harn, W.-J. Hsin, and M. Manish, "Authenticated Diffie-Hellman 
key agreement protocol using single cryptographic assumption", IEE 
Proceedings Communications, Vol. 152, No. 4, pp. 404-410, Aug 2005, 
available at http://h.web.umkc.edu/harnl/publications.html.

[2] Hugo Krawczyk, "SIGMA: the 'SIGn-and-MAc' Approach to Authenticated 
Diffie-Hellman and its Use in the IKE Protocols", 2003, proceedings of 
Crypto'03 (LNCS Series, Vol. 2729), extended version available at 

More information about the cryptography mailing list