
Security — 2017/12/08

Introducing a post-quantum VPN, Mullvad's strategy for a future problem

As the field of quantum computing progresses, it's possible that today's stored, encrypted information could be decrypted in the future. To mitigate this threat against privacy, we unveil our own post-quantum secure VPN tunnel.

If you're itching to try our beta solution, scroll to the bottom for the how-to guide. Otherwise, read on to learn more about this topic.

The big picture

As a result of the digital revolution, it has become cheaper and easier to store and process data. It is so easy, in fact, that these days almost everything we do online is saved forever.

Sometimes data is stored without personal information. However, if at any moment an anonymous set of data becomes linked to an identifiable one (such as when you pay for a drink with your Visa card), it is no longer anonymous. This applies to information not only in the present but also from the past as well as in the future.

We already know that nation-state actors are building huge data centers capable of storing extreme amounts of data. One example is found in the desert of Utah: "The data center is alleged to be able to process 'all forms of communication, including the complete contents of private emails, cell phone calls, and Internet searches, as well as all types of personal data trails'" (Wikipedia).

This begs the question: will VPN traffic encrypted with current state-of-the-art methods stay protected if it's saved by such a data center – and for how long?

The threat of quantum computing

Encryption algorithms and keys are currently strong enough to make it unrealistic to collect the computing power needed for cracking encryption within a meaningful time frame. There is, however, a looming problem on the horizon.

Quantum computing is still in its infancy, but many scientists now believe the field will see great progress over the coming years. These machines will exploit quantum mechanical phenomena to solve mathematical problems that are difficult for today's conventional computers.

Quantum computers hold enormous potential, but unfortunately they will also break essentially all conventional public key schemes and key exchange algorithms currently in use.

This means that if an organization were to save encrypted network traffic from today, it might very well be crackable in 20 years. This includes encrypted web traffic (HTTPS), VPN and Tor traffic, encrypted messaging apps such as Signal and WhatsApp, and mobile network traffic.

The promise of post-quantum cryptography

Fortunately, cryptographers realized this threat years ago and have since been working to develop cryptographic algorithms that are secure against both quantum and classical computers. You might even have used one of these new algorithms unwittingly.

In 2016, Google experimented with post-quantum cryptography in Chrome, specifically a very promising algorithm called New Hope. That experiment has since come to an end, and with great results.

In September of this year, Cloudflare announced that it had implemented another post-quantum secure algorithm called SIDH, but not for use in production.

In order for post-quantum algorithms to be integrated into mainstream applications, such as web browsers, they will need to be extensively researched, evaluated, and finally standardized so that they work across products, such as Firefox, Safari, Chrome, and Edge. To that end, one major milestone was recently reached.

Working toward accepted standards

The National Institute of Standards and Technology (NIST) initiated a project with the final goal of standardizing quantum-resistant public-key cryptographic algorithms in 2018. The final deadline for submission of proposals was November 30, 2017.

Sometime next year, cryptographers from all over the world will meet to discuss which algorithms should be standardized. Eventually, these will make their way into browsers, mobile phones, VPN protocols, messaging applications, and any other products built to ensure the security of your data and communication.

This will take time. Quite some time, in fact.

To quote NIST, "Historically, it has taken almost two decades to deploy our modern public key cryptography infrastructure. Therefore, regardless of whether we can estimate the exact time of the arrival of the quantum computing era, we must begin now to prepare our information security systems to be able to resist quantum computing."

Mullvad's post-quantum strategy

Mullvad's goal is to make mass surveillance and internet censorship ineffective. While quantum computers are a great opportunity for science, they are also a big threat to privacy, one that needs to be mitigated as soon as possible.

With that in mind, we have been following the post-quantum cryptography field for a few years.

Today, we are happy to announce our public beta of a new feature – a post-quantum secure VPN tunnel.

The post-quantum cryptography field is rapidly evolving, and while a few of the underlying math problems of post-quantum crypto have been well researched, it is still somewhat of an open question as to which ones will turn out post-quantum secure.

The key exchange we are introducing support for today uses New Hope, just as Google did in its experiment last year. However, due to the nature of the threat of quantum computing, our strategy is much more conservative.

Our ambition is to develop a key exchange that uses at least three different algorithms, each based on a different math problem. Assuming that at least one of the algorithms turns out to be post-quantum secure, your traffic will be safe too.
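As an added illustration (not Mullvad's code and not the key exchange in the beta), the sketch below shows one common way to make a final key depend on several key-exchange outputs at once: serialize every shared secret unambiguously and run the result through HKDF, so an attacker must recover all of the inputs to recompute the key. The scheme names other than New Hope, the context label, the transcript input, and the use of the result as a 32-byte WireGuard preshared key are assumptions made for the example.

```python
import base64
import hashlib
import hmac

# Constructed domain-separation label; not a value from Mullvad's code.
CONTEXT = b"example-hybrid-psk-v1"


def hkdf_sha256(ikm, salt, info, length=32):
    """HKDF (RFC 5869) with HMAC-SHA256: extract, then expand."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def combine_secrets(secrets, transcript):
    """Derive one 32-byte key from a dict of {algorithm name: shared secret}."""
    if len(secrets) < 2:
        raise ValueError("a hybrid needs at least two independent secrets")
    ikm = b""
    for name in sorted(secrets):  # sorted so both peers serialize identically
        value = secrets[name]
        if not value:
            raise ValueError(f"empty secret for {name}")
        tag = name.encode()
        # Length prefixes keep different input sets from colliding.
        ikm += len(tag).to_bytes(2, "big") + tag
        ikm += len(value).to_bytes(2, "big") + value
    # Salting with the transcript hash binds the key to the public messages.
    salt = hashlib.sha256(transcript).digest()
    return hkdf_sha256(ikm, salt, CONTEXT)


def wireguard_psk(key):
    """Base64-encode a 32-byte key, the form WireGuard's PresharedKey takes."""
    if len(key) != 32:
        raise ValueError("WireGuard preshared keys are exactly 32 bytes")
    return base64.b64encode(key).decode()


if __name__ == "__main__":
    # Constructed stand-ins for three key-exchange outputs (not real KEM output).
    demo = {n: hashlib.sha256(n.encode()).digest() for n in ("newhope", "scheme-b", "scheme-c")}
    print(wireguard_psk(combine_secrets(demo, b"constructed handshake transcript")))
```

Replacing any single input secret changes the derived key, which is the property the "at least one algorithm holds" argument relies on.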

Today's beta release (open source on GitHub) is more of a proof of concept than a finished product. It also currently exists only for the WireGuard protocol on Linux. But as WireGuard becomes available for other operating systems, we will extend this solution to them as well.

We look forward to receiving feedback from the community and to refining our solution, one that we intend to fully integrate with Mullvad on all platforms.

How to use Mullvad's post-quantum key exchange on Linux

Setting up and using our post-quantum secure VPN tunnel is easy. You'll need to have an active Mullvad account in order to do so.

Once you've successfully followed the instructions, you will be connected to SE-MMA-WG-PSK-001, our first server on which you can use post-quantum safe keys with WireGuard.

1. Install and run WireGuard
You will first need to install WireGuard and familiarize yourself with running it.

2. Disconnect from WireGuard
Disconnect from WireGuard before continuing.

3. Download post-quantum setup script
curl -LO

4. Run the setup script
The script will start WireGuard, then establish and register a post-quantum safe key.
chmod +x ./ && sudo ./

Assuming the script successfully completes, you are now connected! Test your connection with our Am I Mullvad tool.

5. Using the post-quantum tunnel
Now that you have everything set up, the following two commands are all you need for activating/deactivating the post-quantum tunnel as needed.

Activate post-quantum tunnel:
wg-quick up mullvad-pq

Deactivate post-quantum tunnel:
wg-quick down mullvad-pq