Author: Denis Avetisyan
Researchers demonstrate a viable path toward protecting Open RAN infrastructure from quantum computing threats by integrating a new cryptographic approach into a critical 5G interface.
This study presents the experimental evaluation of ML-KEM-based IPsec on the E2 interface, showing minimal performance impact and enabling quantum-safe migration for Open RAN deployments.
The increasing threat of quantum computing necessitates a proactive shift towards post-quantum cryptography, yet empirical data on the performance impact of such migrations remains scarce. This paper, ‘Towards Quantum-Safe O-RAN — Experimental Evaluation of ML-KEM-Based IPsec on the E2 Interface’, addresses this gap by presenting a practical evaluation of integrating a NIST-aligned module-lattice KEM (ML-KEM) into the IPsec protocol protecting the E2 interface of 5G Open Radio Access Networks. Our experiments, conducted on an open-source testbed, demonstrate a minimal overhead of approximately 3-5 ms for ML-KEM-based IPsec tunnel establishment, with stable operation of Near-RT RIC xApps under realistic workloads. Will these findings accelerate the adoption of quantum-safe security measures in the rapidly evolving landscape of O-RAN deployments?
The Inevitable Upgrade: Securing Networks Beyond Classical Cryptography
The foundation of modern network security, including protocols like IPsec that protect data transmission, rests upon mathematical problems considered difficult for conventional computers to solve. However, the anticipated arrival of sufficiently powerful quantum computers presents a significant challenge, as these machines leverage the principles of quantum mechanics to efficiently break many of the cryptographic algorithms currently in use. Specifically, Shor’s algorithm poses an existential threat to widely deployed public-key encryption and digital signature schemes, potentially exposing sensitive communications and data to interception and decryption. This vulnerability isn’t merely theoretical; proactive assessment and migration to quantum-resistant cryptography are crucial, as adversaries could harvest encrypted data today, anticipating the ability to decode it once quantum computers mature – a scenario that necessitates a fundamental reassessment of network security infrastructure and a swift transition to algorithms proven resilient against quantum attacks.
The relentless advance of quantum computing presents a fundamental challenge to modern data security, demanding a shift towards quantum-safe cryptography. Current encryption methods, while robust against classical attacks, are theoretically vulnerable to algorithms like Shor’s algorithm, which, when executed on a sufficiently powerful quantum computer, could break widely used public-key encryption schemes. This isn’t a distant threat; data encrypted today could be decrypted years later when quantum computers mature. Consequently, organizations and governments are increasingly focused on developing and deploying cryptographic algorithms that resist both classical and quantum attacks. This proactive approach includes researching and standardizing post-quantum cryptography (PQC) algorithms, like lattice-based cryptography and multivariate cryptography, and integrating them into existing security protocols to ensure continued confidentiality, integrity, and authenticity of sensitive information in a post-quantum world.
The foundation of much modern secure communication relies on key exchange protocols like Elliptic Curve Diffie-Hellman (ECDH), which allows parties to establish a shared secret over an insecure channel. However, the advent of sufficiently powerful quantum computers threatens to dismantle this security. Shor’s algorithm, a quantum algorithm, can efficiently solve the mathematical problems that ECDH’s security depends on, effectively rendering it useless. This isn’t a distant threat; ongoing advancements in quantum computing suggest that current encryption standards could be broken within the next decade or two. Consequently, the development and implementation of quantum-resistant alternatives – algorithms that remain secure even against quantum attacks – is no longer a matter of future preparedness, but a critical and immediate necessity for maintaining the confidentiality and integrity of networked communications. Without these replacements, sensitive data transmitted across the internet, financial transactions, and even national security infrastructure would be critically vulnerable.
A Controlled Environment: Building a Virtualized 5G Testbed
The developed 5G testbed utilizes the principles of Open Radio Access Network (OpenRAN) architecture to create a functional and representative 5G environment. This implementation moves away from traditional, monolithic network designs by disaggregating the Radio Unit (RU), Distributed Unit (DU), and Centralized Unit (CU), allowing for independent development and deployment. The testbed is specifically designed to facilitate the evaluation of quantum-safe security mechanisms within a realistic network context, enabling assessment of their performance and integration challenges. By emulating a live 5G network, researchers can analyze the impact of quantum-resistant cryptographic algorithms and protocols on key network functions, including user authentication, data encryption, and signaling security, without disrupting a production network.
The 5G testbed utilizes a disaggregated architecture comprised of srsRAN as the Radio Access Network (RAN), providing a software-defined implementation of the base station. The core network functionality is implemented using Open5GS, an open-source 5G core network stack compliant with 3GPP specifications. Near real-time control and management are enabled by FlexRIC, a flexible Radio Intelligent Controller. This combination allows for dynamic configuration of network parameters, automated testing scenarios, and scalability through the addition of virtualized network functions, facilitating comprehensive evaluation of security mechanisms under varying network conditions and loads.
The E2 Interface is a critical component of the testbed architecture, functioning as the standardized interface between the Radio Access Network (RAN) – implemented with srsRAN – and the RIC (RAN Intelligent Controller) utilizing FlexRIC. This interface enables near real-time control and management of the RAN, specifically facilitating the exchange of Radio Resource Management (RRM) and performance monitoring data. Our security evaluations are focused on the E2 Interface due to its role as the primary communication pathway for potentially vulnerable control signals; modifications or attacks targeting this interface could directly impact the RAN’s functionality and security posture. Data exchanged via the E2 Interface includes Application Programming Interfaces (APIs) for functions such as Radio Resource Status Request, Performance Measurement Report, and Control Policy Request, all of which are subject to rigorous testing within the testbed.
Reality Check: IPsec Performance on the E2 Interface
Performance evaluation of IPsec was conducted utilizing the E2 interface to quantify the impact of both currently deployed and prospective cryptographic algorithms. Key performance indicators, with a primary focus on latency, were measured to assess the overhead introduced by the security protocols. These tests involved establishing secure connections and transmitting data to determine the time required for packet processing and encryption/decryption cycles. The methodology allowed for comparative analysis between traditional IPsec implementations and those incorporating future-proof algorithms, providing data on the feasibility and performance characteristics of upgraded security measures within a 5G network context.
The Internet Key Exchange version 2 (IKEv2) protocol was employed for establishing the secure IPsec connections used in performance testing. IKEv2 is a widely adopted protocol standard [RFC 7296] for negotiating security associations, providing a framework for authentication, encryption, and key exchange. Its utilization ensures interoperability with existing network infrastructure and simplifies integration of the tested quantum-safe IPsec implementation. IKEv2’s design prioritizes efficiency and reliability, making it suitable for the demands of a 5G network environment and facilitating the secure tunneling of data between network components.
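How an ML-KEM shared secret can be folded into IKEv2 key material, as an added example that is not code from the article or the paper. It assumes the multiple-key-exchange mechanism of RFC 9370 (a classical ECDH exchange in IKE_SA_INIT followed by one ML-KEM exchange in IKE_INTERMEDIATE), which the article does not confirm the testbed used. HMAC-SHA-256 as the PRF, 32-byte keys, and all nonces, SPIs and shared secrets are constructed stand-ins.

```python
import hashlib
import hmac

KEY_NAMES = ("SK_d", "SK_ai", "SK_ar", "SK_ei", "SK_er", "SK_pi", "SK_pr")
KEY_LEN = 32  # assumed: every key is 32 bytes (real lengths depend on the suite)

def prf(key: bytes, data: bytes) -> bytes:
    """PRF_HMAC_SHA2_256, assumed to be the negotiated IKEv2 PRF."""
    return hmac.new(key, data, hashlib.sha256).digest()

def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """RFC 7296 prf+: T1 = prf(K, S | 0x01), Tn = prf(K, Tn-1 | S | n)."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = prf(key, block + seed + bytes([counter]))
        out += block
        counter += 1
    return out[:length]

def expand(skeyseed, ni, nr, spi_i, spi_r):
    """Split prf+(SKEYSEED, Ni | Nr | SPIi | SPIr) into the seven IKE SA keys."""
    stream = prf_plus(skeyseed, ni + nr + spi_i + spi_r, KEY_LEN * len(KEY_NAMES))
    return {name: stream[i * KEY_LEN:(i + 1) * KEY_LEN]
            for i, name in enumerate(KEY_NAMES)}

def derive_hybrid_keys(ecdh_secret, mlkem_secret, ni, nr, spi_i, spi_r):
    """Return (keys after IKE_SA_INIT, keys after the ML-KEM IKE_INTERMEDIATE)."""
    # RFC 7296: SKEYSEED = prf(Ni | Nr, g^ir), classical ECDH secret only.
    classical = expand(prf(ni + nr, ecdh_secret), ni, nr, spi_i, spi_r)
    # RFC 9370: SKEYSEED(1) = prf(SK_d(0), SK(1) | Ni | Nr), SK(1) from ML-KEM.
    seed1 = prf(classical["SK_d"], mlkem_secret + ni + nr)
    return classical, expand(seed1, ni, nr, spi_i, spi_r)

# Constructed inputs (not real traffic): nonces, SPIs and 32-byte shared secrets.
NI, NR = bytes(range(32)), bytes(range(32, 64))
SPI_I, SPI_R = bytes.fromhex("0102030405060708"), bytes.fromhex("1112131415161718")
ECDH_SECRET = hashlib.sha256(b"constructed ECDH secret").digest()
MLKEM_SECRET = hashlib.sha256(b"constructed ML-KEM secret").digest()

if __name__ == "__main__":
    classical, hybrid = derive_hybrid_keys(
        ECDH_SECRET, MLKEM_SECRET, NI, NR, SPI_I, SPI_R)
    for name in KEY_NAMES:
        changed = classical[name] != hybrid[name]
        print(f"{name}: {hybrid[name].hex()[:16]}... rekeyed={changed}")
```

Because SK(1) enters the second SKEYSEED, someone who later recovers only the ECDH secret from recorded traffic still cannot recompute the final keys without the ML-KEM secret.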
Experimental results indicate the practical feasibility of deploying quantum-safe IPsec within a 5G network infrastructure. Utilizing ML-KEM based IPsec, testing demonstrated a measured increase of approximately 3-5 milliseconds in tunnel setup latency when compared to traditional, classical IPsec implementations. Critically, this performance overhead did not negatively impact the stable operation of Near-RT Radio Intelligent Controller (RIC) functions, confirming the viability of integrating enhanced security protocols without disrupting network performance.
The measured 3-5ms increase in tunnel setup latency associated with the implementation of quantum-safe IPsec represents a negligible performance impact when considered against the enhanced security provided. This minimal overhead allows for the continued operation of latency-sensitive applications, such as Near-RT Radio Intelligent Controller (RIC) functions, without substantial degradation. The trade-off between performance and security is therefore favorable, providing a significant improvement in the overall security posture of the 5G network with a demonstrably small impact on key performance indicators.
The researchers meticulously demonstrate the integration of ML-KEM-based IPsec into the Open RAN E2 interface, boasting minimal performance overhead. It’s a neat trick, really. They’ll call it “quantum-safe” and raise funding, naturally. But anyone who’s stared into the abyss of production knows that “minimal overhead” today is “complete system meltdown” tomorrow. It reminds one of John von Neumann’s observation: “If people do not believe that mathematics is simple, it is only because they do not realize how elegantly nature operates.” This elegance, however, rarely survives contact with real-world deployments. They’ve solved a theoretical problem; the network will inevitably find a way to break it, and the documentation will, predictably, lie again.
What Breaks Next?
The demonstrated feasibility is… predictable. A marginal performance hit for post-quantum cryptography on the E2 interface simply shifts the problem. It doesn’t solve it. The bug tracker will, inevitably, fill with edge cases exposed by real-world deployments: the specific failure modes of ML-KEM under sustained load, the interaction with existing security protocols, the unanticipated cost of key rotation at scale. These are not theoretical concerns; they are guarantees. The elegance of a laboratory demonstration rarely survives contact with production.
Future work will, of course, focus on optimization – shaving off microseconds here and there. A more honest inquiry might address the fundamental question of trust. Trust not in the algorithms themselves, but in the processes surrounding them. Key management, secure enclaves, and the human element will become the primary attack surface, not the cryptography. The perimeter is always softer than imagined.
The research field will move on, chasing the next performance gain, the next marginally more secure algorithm. It always does. This isn’t progress, precisely. It’s a continual re-arrangement of deck chairs on the Titanic. The network doesn’t evolve – it accretes. It doesn’t deploy – it lets go.
Original article: https://arxiv.org/pdf/2601.20378.pdf
Contact the author: https://www.linkedin.com/in/avetisyan/
2026-01-29 08:34