Mullvad's usage of Kyber is not affected by KyberSlash (mullvad.net)
33 points by amirmasoudabdol on Jan 5, 2024 | hide | past | favorite | 5 comments


I’m very surprised that folks are still building critical security software like this while making elementary mistakes like not using constant time operations. This is a class of vulnerability almost as old as I can remember.


As seen below, this vulnerability was also present in the reference C Kyber code

https://symbolic.software/blog/2023-12-19-kyberk2sovariablet...
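The code in question, as an added illustration for the two comments above (this is example code, not the Kyber reference implementation or Mullvad's code): Kyber decryption ends by mapping each recovered coefficient t in [0, q) to a message bit, round(2t/q) mod 2. The reference C code (the poly_tomsg step) wrote this with a division by KYBER_Q, and on targets where the compiler emits a hardware divide instruction with operand-dependent latency, the time taken leaks information about t; that is the KyberSlash observation. Below, the division form sits beside a multiply-and-shift form with no division operator. The constants 1665 and 80635 are chosen here so that the two forms agree for every coefficient in [0, q); check_tomsg_bit_equivalence() verifies that exhaustively rather than asking the reader to take it on trust.

```c
/*
 * Added example (not the Kyber reference code or Mullvad's code):
 * the message-decoding step of Kyber decryption maps each
 * coefficient t in [0, q) to the bit round(2t/q) mod 2.  Written
 * with "/ KYBER_Q", the compiler may emit a hardware divide whose
 * latency depends on the operands on some targets, leaking
 * information about t.  The multiply-and-shift form below avoids
 * the division operator entirely.
 */
#include <stdint.h>
#include <stdio.h>

#define KYBER_Q 3329

/* Division form: functionally correct, but "/ KYBER_Q" is where a
 * variable-time divide instruction can appear in the machine code. */
static uint16_t tomsg_bit_div(uint16_t t)
{
    return (uint16_t)(((((uint32_t)t << 1) + KYBER_Q / 2) / KYBER_Q) & 1);
}

/* Multiply-and-shift form: 80635 / 2^28 approximates 1/3329 from
 * slightly below, and adding 1665 (instead of q/2 = 1664) compensates
 * so that the floor matches the division form for every t in [0, q).
 * Largest intermediate: (2*3328 + 1665) * 80635 < 2^32, so no overflow.
 * Whether this is actually constant time still depends on the target
 * having a constant-time 32-bit multiply and on the compiler not
 * turning the expression back into a divide; check the disassembly. */
static uint16_t tomsg_bit_mul(uint16_t t)
{
    uint32_t x = (uint32_t)t << 1;
    x += 1665;
    x *= 80635;
    x >>= 28;
    return (uint16_t)(x & 1);
}

/* Returns 1 if both forms agree on every coefficient in [0, q), else 0. */
int check_tomsg_bit_equivalence(void)
{
    for (uint32_t t = 0; t < KYBER_Q; t++) {
        if (tomsg_bit_div((uint16_t)t) != tomsg_bit_mul((uint16_t)t))
            return 0;
    }
    return 1;
}

int main(void)
{
    int ok = check_tomsg_bit_equivalence();
    printf("division and multiply-shift forms agree on all %d inputs: %s\n",
           KYBER_Q, ok ? "yes" : "NO");
    return ok ? 0 : 1;
}
```

The equivalence check is the easy half. The half that matters for timing cannot be verified in C source at all: build the decryption routine with the actual toolchain and flags used for the target, then inspect the disassembly (for example `objdump -d`) for a divide instruction (`div`/`idiv` on x86, `udiv`/`sdiv` on ARM) in that function. Compilers routinely strength-reduce division by a constant into a multiply, which is why the problem appeared only on some platform and optimisation-level combinations, and why the source-level rewrite has to be confirmed per build rather than assumed.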


There was a post a few days ago about how the NSA is wrong in not recommending hybrid quantum+classical cryptography algorithms [0].

And here is Mullvad, using two quantum algorithms together, presumably on top of classical cryptography.

> We use two quantum-secure key encapsulation mechanisms (Kyber and Classic McEliece) and mix the secrets from both. This means that both algorithms must have exploitable vulnerabilities before the security of the VPN tunnel can become affected.

[0] https://news.ycombinator.com/item?id=38844117


Seems to me like this would actually be much more likely to double their chances of being vulnerable, in that a break in either algorithm would lead to a weakness in their system.

I'd need to see some extraordinary evidence for that claim.


Appears to be a hybrid: https://www.wireguard.com/protocol/

> If an additional layer of symmetric-key crypto is required (for, say, post-quantum resistance), WireGuard also supports an optional pre-shared key that is mixed into the public key cryptography. When pre-shared key mode is not in use, the pre-shared key value used below is assumed to be an all-zero string of 32 bytes.



