April 10, 2026
The Architecture That Survives Any Adversary.
Post-Quantum WireGuard at Mesh Scale.
Quantum computers aren't the only threat. Autonomous AI systems discover and exploit cryptographic vulnerabilities without human guidance, at industrial scale, across every major platform simultaneously. A single security layer is no longer enough, regardless of who breaks it.
We built an architecture that survives. Not for a specific adversary, but for any adversary capable of compromising any individual layer.
The Problem: One Layer Falls, Everything Falls
WireGuard encrypts all traffic with Curve25519 (key exchange) and ChaCha20-Poly1305 (symmetric encryption). It's fast, elegant, proven. But Curve25519 is vulnerable to a quantum computer. And cryptographic implementations have bugs that autonomous systems find faster than humans can patch them.
WireGuard's creator, Jason Donenfeld, anticipated this. The protocol includes a slot for a 256-bit pre-shared key (PSK), mixed into the handshake's HKDF chain. A "post-quantum safety hatch", as he called it. A symmetric barrier independent of any asymmetric operation.
But nobody had shown how to implement this at mesh scale. Nobody had published a formal threat model. Nobody had measured the operational cost. Nobody had built the tooling.
Until now.
Three Independent Layers. Operator Decides.
We designed three strategies that compose independently. Each uses different keys, different protocols, different trust anchors. Compromising one layer provides no information about the others.
Strategy A: PSK Symmetric Barrier. Standard WireGuard, one 256-bit PSK per pair of nodes. No protocol modification. Overhead under 1 microsecond per handshake. 128-bit computational security under a quantum adversary (Grover's bound). Every tunnel gets this treatment.
Strategy B: Rosenpass PQ Sidecar. Post-quantum key exchange (Classic McEliece + ML-KEM), injected into the PSK slot every 2 minutes. Closes the authentication gap. Provides post-quantum forward secrecy. Clean security audit (Radically Open Security, February 2024).
Strategy C: Inner-Layer Independence. mTLS between services, with its own Certificate Authority. Independent keys. Survives transport layer compromise.
The operator chooses what runs on each node, based on the threat profile. Critical servers get all three. Relays get A + B. IoT devices get only A, isolated on a VLAN. It's not a platform constraint. It's an architectural choice.
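As an added illustration of Strategy A at mesh scale (not code from the post or its reference implementation): per-pair PSK derivation with HKDF-SHA256 from a root secret and a rotation epoch, plus the operator's per-profile strategy choice. Deriving all pair keys from one root secret in software, the profile table and the label strings are assumptions; in the post's design the root key would stay in the HSM and the derivation would run on-device.

```python
import base64
import hashlib
import hmac
from itertools import combinations

# Operator-chosen strategy bundles per node profile, as assigned in the post:
# critical servers run A+B+C, relays A+B, IoT devices A only (table assumed).
PROFILES = {"critical": ("A", "B", "C"), "relay": ("A", "B"), "iot": ("A",)}

def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF-SHA256 (extract, then expand) in pure stdlib."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block = b"", b""
    for counter in range(1, -(-length // 32) + 1):
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
    return okm[:length]

def mesh_pairs(nodes):
    """Every unordered pair of nodes: n*(n-1)/2 tunnels, one PSK each."""
    return list(combinations(sorted(nodes), 2))

def pair_psk(root: bytes, a: str, b: str, epoch: int) -> str:
    """Derive the 256-bit PSK for tunnel (a, b) at a rotation epoch.
    Sorting the names makes both endpoints derive the same key; bumping the
    epoch yields an unrelated key without touching the root secret."""
    first, second = sorted((a, b))
    info = f"wg-psk|{first}|{second}|epoch={epoch}".encode()  # label assumed
    return base64.b64encode(hkdf_sha256(root, b"pq-wg-mesh-v1", info)).decode()

def node_strategies(profile: str):
    """Which layers a node runs; Strategy A is mandatory on every tunnel."""
    strategies = PROFILES[profile]
    if "A" not in strategies:
        raise ValueError("every tunnel must carry the PSK barrier")
    return strategies

def peer_stanza(root: bytes, local: str, peer: str, epoch: int) -> str:
    """[Peer] fragment for stock wg-quick; the PSK slot needs no protocol change."""
    return (f"[Peer]\n# tunnel to {peer}\n"
            f"PresharedKey = {pair_psk(root, local, peer, epoch)}\n")
```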
$5 Per Node. Hardware-Backed. Keys Never Leave.
A PSK stored on disk can be read by whoever reads the disk. A non-extractable key in hardware cannot be copied out.
We built a 5-tier architecture, all through the same PKCS#11 interface. Same code, different hardware, different security properties:
- Tier 1: SoftHSM (free) for development and testing
- Tier 2: Pico HSM on RP2350 ($5), non-extractable keys, on-device HKDF, ChaCha20
- Tier 3: Pico HSM + ATECC608A ($7), tamper-resistant secure element
- Tier 4: YubiHSM 2 ($650), FIPS 140-2 Level 3, tamper-evident audit log
- Tier 5: Thales Luna / ATOS Trustway ($15,000+), ANSSI CC EAL4+ certification, sovereign requirements
7 nodes across 3 continents. 21 PSK pairs. $35 in hardware. The same architecture scales to 38 nodes for $190. Changing the tier is a configuration decision, not an engineering one.
89 Tests. Zero Failures.
We published the code as an open-source reference implementation. 8 modules, each mapped to a section of the academic paper. The tests read like the threat model:
- Mesh topology: 22 tests (pairs, tiers, strategies, validation)
- PKCS#11 key store: 15 tests (generation, derivation, destruction, persistence)
- Signed audit log: 12 tests (recording, chain integrity, tampering detection)
- Rotation engine: 15 tests (initialisation, scheduled, emergency)
- End-to-end: 23 tests (full cycle: init, rotation, emergency revocation, audit verification)
The E2E tests found two real bugs: loss of the rotation epoch on regeneration, and missing validation for non-existent nodes during emergency rotation. We fixed them. That's why you test.
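An added example (not the project's code) of what the signed audit log tests above check: a hash-chained, HMAC-signed log of rotation and emergency revocation events, with a verifier that detects a modified, reordered or re-hashed entry, and catches truncation when the latest chain hash is kept out of band. The record format and the HMAC-SHA256 tag are assumptions; the post does not specify either.

```python
import hashlib
import hmac
import json

class SignedAuditLog:
    """Append-only log where every entry commits to the previous entry's hash
    and carries an HMAC-SHA256 tag under a key only the logger holds.
    Format and tag scheme are assumptions for illustration; in the post's
    design the signing key would sit in the HSM, not in process memory."""

    GENESIS = "0" * 64  # chain value "before" the first entry

    def __init__(self, key: bytes):
        self._key = key
        self.entries = []

    def _hash(self, prev: str, payload: dict) -> str:
        body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256((prev + body).encode()).hexdigest()

    def _tag(self, entry_hash: str) -> str:
        return hmac.new(self._key, entry_hash.encode(), hashlib.sha256).hexdigest()

    def record(self, event: str, **fields) -> str:
        """Append an event (rotation, emergency revocation, ...); returns its hash."""
        prev = self.head()
        payload = {"seq": len(self.entries), "event": event, **fields}
        entry_hash = self._hash(prev, payload)
        self.entries.append({**payload, "prev": prev, "hash": entry_hash,
                             "tag": self._tag(entry_hash)})
        return entry_hash

    def head(self) -> str:
        """Latest chain hash; keep a copy out of band to detect truncation."""
        return self.entries[-1]["hash"] if self.entries else self.GENESIS

    def verify(self, expected_head=None) -> bool:
        """Recompute the chain and every tag. An edited, reordered or re-hashed
        entry breaks it; truncation is only visible against expected_head."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            payload = {k: v for k, v in e.items() if k not in ("prev", "hash", "tag")}
            if e["prev"] != prev or payload.get("seq") != i:
                return False
            if e["hash"] != self._hash(prev, payload):
                return False
            if not hmac.compare_digest(self._tag(e["hash"]), e["tag"]):
                return False
            prev = e["hash"]
        return expected_head is None or prev == expected_head
```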
What We Claim and What We Don't
The full academic paper declares every security property and every gap explicitly, before any reviewer finds them.
What we can demonstrate:
- PSK provides post-quantum computational confidentiality (128 bits under Grover)
- Independent layers with independent cryptographic material survive the compromise of any individual layer
- A bug in a PQ-KEM implementation degrades to classical security, not total failure
- The architecture is operational today, on stock WireGuard, on any platform
What we cannot demonstrate (yet):
- Post-quantum forward secrecy in the PSK path (limited by rotation frequency)
- Post-quantum authentication from PSK alone (requires Strategy B or PQ certificates)
- Mechanised formal proof (the security argument is correct; the CryptoVerif artefact doesn't exist yet)
The gaps are declared because they are real. And for each one, the path to resolution is identified.
Why It Matters Now
CNSA 2.0 (US/NSA) mandates post-quantum cryptography for new systems from January 2027. BSI, ANSSI and ENISA target 2030 for critical infrastructure. NIS2 requires "state-of-the-art" cryptography. And autonomous AI systems are already demonstrating that cryptographic vulnerabilities can be discovered and exploited without human guidance.
The architecture isn't designed for a specific adversary. It's designed for a class of adversaries capable of breaking any individual cryptographic primitive, whether through quantum computation, autonomous vulnerability discovery, or implementation-level exploitation.
Three independent layers survive because no individual compromise provides access to all layers.
Conclusion
The device is a commodity. You buy it anywhere. But the way you encrypt, how you rotate keys, how you control each layer independently, how you ensure a breach at one point doesn't propagate throughout the entire system - that's not something you buy off the shelf.
The device is a commodity. The architecture is the moat.
Need post-quantum security for your WireGuard network? Get in touch.