Author: Denis Avetisyan
Researchers demonstrate a practical approach to bolstering 5G network security for non-3GPP devices by integrating Quantum Key Distribution with standard IPsec protocols.

This review details the implementation and experimental validation of a QKD-based IPsec mechanism for securing access in 5G networks, addressing vulnerabilities to quantum computing attacks.
The looming threat of quantum computing necessitates a fundamental re-evaluation of current cryptographic protocols underpinning modern communication networks. This paper, ‘IPsec based on Quantum Key Distribution: Adapting non-3GPP access to 5G Networks to the Quantum Era’, addresses this challenge by proposing and experimentally validating a novel mechanism integrating Quantum Key Distribution (QKD) with the IPsec protocol suite for securing non-3GPP access within 5G architectures. Results demonstrate that this QKD-based approach not only enhances security by leveraging Information-Theoretic Security but also accelerates connection establishment times compared to traditional pre-shared key and certificate-based systems. Will this integration of QKD with existing 5G infrastructure pave the way for truly quantum-safe mobile networks?
The Inevitable Shift: Securing 5G Against Quantum Threats
The security architecture of 5G networks relies heavily on established cryptographic protocols, notably Diffie-Hellman key exchange, to establish secure communications and authenticate devices. However, the advent of quantum computing introduces a paradigm shift in potential attacks against these methods. While currently theoretical, quantum algorithms, such as Shor’s algorithm, possess the capability to efficiently solve the mathematical problems that underpin the security of Diffie-Hellman, effectively breaking the encryption. This isn’t a matter of simply increasing key lengths; the fundamental mathematical principles are at risk. Consequently, the long-term confidentiality and integrity of 5G communications are jeopardized, necessitating proactive development and implementation of post-quantum cryptographic solutions to safeguard future network infrastructure. The transition is critical, as the time required to deploy new cryptographic standards across a vast network is substantial, and potential adversaries may already be harvesting encrypted data in anticipation of quantum decryption capabilities.
Shor’s algorithm, a quantum algorithm developed by Peter Shor in 1994, presents a critical vulnerability to the security infrastructure of 5G networks. This algorithm efficiently factors large numbers – a mathematical problem considered computationally intractable for classical computers, and the foundation of many public-key cryptosystems like RSA and Diffie-Hellman used to secure 5G communications. A sufficiently powerful quantum computer executing Shor’s algorithm could break the encryption protecting the confidentiality of user data, potentially exposing sensitive information transmitted over 5G. Beyond data breaches, the algorithm’s capacity to compromise key exchange mechanisms also threatens the integrity of network functions, enabling malicious actors to potentially disrupt services or inject false data. The implications extend to authentication protocols, signaling pathways, and overall network stability, demanding a proactive shift towards quantum-resistant cryptographic solutions within the 5G ecosystem.
The expanding scope of 5G networks, particularly with Massive Machine-Type Communications and Ultra-Reliable Low-Latency Communications, introduces a dramatically increased attack surface and necessitates a corresponding boost in security protocols. As billions of devices connect for applications ranging from smart cities to industrial automation, the sheer volume of data transmission creates more opportunities for malicious actors. Simultaneously, the demand for near-instantaneous, fail-safe communication in critical infrastructure – like autonomous vehicles or remote surgery – means even brief disruptions or data breaches could have catastrophic consequences. This heightened sensitivity, coupled with the escalating computational power threatening current encryption standards, means that vulnerabilities previously considered acceptable now pose unacceptable risks to the functionality and safety of these increasingly interconnected systems, demanding proactive and robust security measures.

Beyond Algorithms: Quantum Key Distribution for Network Resilience
Quantum Key Distribution (QKD) establishes a secure key between two parties by encoding information onto the quantum states of photons, rather than relying on mathematical algorithms. Unlike classical cryptography, which depends on computational complexity, QKD’s security is rooted in the fundamental laws of physics, specifically the principles of quantum mechanics and the Heisenberg uncertainty principle. Any attempt to intercept or measure the quantum key exchange inevitably introduces detectable disturbances, alerting the legitimate parties to the presence of an eavesdropper. This allows for the detection of any compromise during key distribution, ensuring that only a secure, uncompromised key is used for subsequent encryption and decryption of data. QKD systems do not provide confidentiality of the transmitted data itself; rather, they securely distribute a symmetric key that can then be used with conventional symmetric encryption algorithms, such as AES.
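The disturbance-detection property described above can be made concrete with a small simulation. This is an added example, not code from the paper or the testbed: it assumes the textbook BB84 protocol (the page does not name the protocol the deployed system uses) and an ideal, noise-free channel, and the function names and abort threshold are illustrative.

```python
import random

def bb84_qber(n_photons, eavesdrop, seed=1):
    """Simulate BB84 over an ideal channel and return the error rate on the sifted key.

    With eavesdrop=True an interceptor measures every photon in a random basis
    and resends what it saw (intercept-resend).
    """
    rng = random.Random(seed)          # seeded so the run is reproducible
    sifted = errors = 0
    for _ in range(n_photons):
        bit = rng.getrandbits(1)       # sender's raw key bit
        send_basis = rng.getrandbits(1)
        state_bit, state_basis = bit, send_basis

        if eavesdrop:
            tap_basis = rng.getrandbits(1)
            # Measuring in the wrong basis yields a random outcome and
            # re-prepares the photon in the interceptor's basis.
            tap_bit = state_bit if tap_basis == state_basis else rng.getrandbits(1)
            state_bit, state_basis = tap_bit, tap_basis

        recv_basis = rng.getrandbits(1)
        recv_bit = state_bit if recv_basis == state_basis else rng.getrandbits(1)

        # Sifting: only positions where sender and receiver chose the same basis are kept.
        if recv_basis == send_basis:
            sifted += 1
            errors += int(recv_bit != bit)
    return errors / sifted

def key_is_usable(qber, abort_threshold=0.11):
    """Decide whether the sifted key may proceed to error correction.

    abort_threshold is an illustrative parameter; real systems derive it from
    their security proof and measured channel noise.
    """
    return qber < abort_threshold

if __name__ == "__main__":
    for tapped in (False, True):
        q = bb84_qber(20000, eavesdrop=tapped)
        print(f"eavesdropper={tapped}  QBER={q:.3f}  usable={key_is_usable(q)}")
```

On the sifted key the interceptor guesses the wrong basis half the time, and each wrong guess flips the receiver's bit with probability one half, which is where the roughly 25% error rate comes from.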
The application of Quantum Key Distribution (QKD) to Non-3GPP access technologies, specifically networks like Wi-Fi, broadens the scope of quantum-safe cryptographic key exchange beyond cellular infrastructure. Traditional QKD deployments have largely focused on securing 3GPP networks; however, extending QKD to Non-3GPP access points addresses a critical security gap in increasingly prevalent wireless environments. This expansion ensures secure key distribution for devices connecting via Wi-Fi, providing a quantum-resistant layer for authentication and data encryption in scenarios where reliance on conventional cryptographic methods is undesirable or insufficient. The implementation allows for the generation and distribution of cryptographic keys independent of computational assumptions, thereby mitigating risks associated with advancements in computational power, including the potential for cryptanalytic attacks on currently used algorithms.
The proposed QKD-Based Non-3GPP Access system employs the ETSI GS QKD 014 API as the standardized interface for delivering quantum-generated keys to requesting applications. This API facilitates a secure channel for key transfer, independent of classical cryptographic methods. Alongside the API, a Key Management Server (KMS) is integral to the system’s architecture, providing secure storage, access control, and lifecycle management of the QKD keys. The KMS ensures that keys are protected from unauthorized access and tampering, and manages key rotation and revocation policies, thus completing a robust quantum-safe key delivery and storage solution for Non-3GPP networks.
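The key-delivery pattern of ETSI GS QKD 014 is sketched below as an added example; it is not code from the paper or from free5GC. `SimulatedKME`, the SAE identifiers `ue-sae` and `n3iwf-sae`, the single-use behaviour and the idea of carrying the key ID in-band are assumptions made so the flow runs offline; only the two endpoint paths and the JSON field names follow the standard.

```python
import base64
import secrets
import uuid

class SimulatedKME:
    """In-memory stand-in for the QKD key management layer (hypothetical).

    A real deployment has one KME per site, fed by the QKD link and reached
    over HTTPS; one object plays both sides here.
    """
    def __init__(self):
        self._store = {}  # (master_sae, slave_sae, key_ID) -> key bytes

    def get_enc_keys(self, master_sae, slave_sae, number=1, size=256):
        # Shape of GET /api/v1/keys/{slave_SAE_ID}/enc_keys, called by the master SAE.
        if size % 8:
            raise ValueError("size must be a multiple of 8 bits")
        keys = []
        for _ in range(number):
            key_id = str(uuid.uuid4())
            key = secrets.token_bytes(size // 8)  # constructed; real keys come from the QKD link
            self._store[(master_sae, slave_sae, key_id)] = key
            keys.append({"key_ID": key_id, "key": base64.b64encode(key).decode()})
        return {"keys": keys}

    def get_dec_keys(self, slave_sae, master_sae, body):
        # Shape of POST /api/v1/keys/{master_SAE_ID}/dec_keys, called by the slave SAE.
        keys = []
        for item in body["key_IDs"]:
            # Lookup is bound to the SAE pair, and pop() makes each key single-use
            # in this stand-in, so a replayed or misdirected key_ID is rejected.
            key = self._store.pop((master_sae, slave_sae, item["key_ID"]), None)
            if key is None:
                raise KeyError("unknown, consumed or unauthorized key_ID")
            keys.append({"key_ID": item["key_ID"],
                         "key": base64.b64encode(key).decode()})
        return {"keys": keys}

def establish_shared_secret(kme, initiator="ue-sae", responder="n3iwf-sae"):
    """Return (initiator_key, responder_key, message_sent_over_the_network)."""
    enc = kme.get_enc_keys(initiator, responder, number=1, size=256)["keys"][0]
    # Only the identifier crosses the untrusted network; the key itself never does.
    on_the_wire = {"key_ID": enc["key_ID"]}
    dec = kme.get_dec_keys(responder, initiator, {"key_IDs": [on_the_wire]})["keys"][0]
    return base64.b64decode(enc["key"]), base64.b64decode(dec["key"]), on_the_wire

if __name__ == "__main__":
    k_i, k_r, wire = establish_shared_secret(SimulatedKME())
    print("sent over network:", wire)
    print("keys match:", secrets.compare_digest(k_i, k_r), "length:", len(k_i))
```

Both endpoints end up with the same 256-bit secret, which can then take the place of a pre-shared key, while an observer of the access network sees only an opaque identifier.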
Traditional Non-3GPP access networks commonly employ Pre-Shared Key (PSK) and certificate-based authentication methods for secure network access. However, these systems are vulnerable to attacks leveraging advances in computational power, particularly against the asymmetric cryptography utilized in certificate validation, and brute-force attacks against PSK. The proposed QKD-based system eliminates these vulnerabilities by replacing algorithmic security with information-theoretic security. QKD generates and distributes encryption keys based on the laws of physics, guaranteeing key security regardless of computational advancements. This fundamentally shifts the security paradigm, removing reliance on the computational hardness assumptions that underpin PSK and certificate-based methods and thereby mitigating the risk of future cryptographic compromise.

Validation Through Implementation: A Working Testbed Demonstration
A dedicated testbed was constructed utilizing Supermicro server hardware to host all 5G Core Network Functions and the associated Non-3GPP network infrastructure. The implementation leveraged the open-source free5GC core network software, providing a functional and configurable environment for testing. This hardware and software combination allowed for complete control over the network elements and facilitated the integration of the Clavis XGR Quantum Key Distribution system. The testbed’s architecture was specifically designed to emulate a realistic deployment scenario, enabling the measurement of key performance indicators during the QKD-based Non-3GPP access demonstration.
The integration of the Clavis XGR Quantum Key Distribution (QKD) system facilitated the generation and distribution of symmetric keys for securing Non-3GPP access. This implementation utilized the inherent properties of quantum mechanics to establish a secure key exchange, providing a forward-secure communication channel. The QKD system generated keys which were then used to authenticate User Equipment (UE) connecting via Non-3GPP access points to the 5G Core network, replacing traditional Public Key Infrastructure (PKI) or Pre-Shared Key (PSK) methods. This enabled a practical demonstration of a QKD-secured network architecture, assessing its feasibility and performance within a live 5G testbed environment.
Connection establishment time was evaluated as a key performance indicator by dissecting the process into three distinct phases: the Internet Key Exchange (IKE) INIT Phase, the IKE AUTH Phase, and the Child Security Association (SA) Phase. Measurements were taken within each phase to quantify the time required for protocol exchanges and security negotiation. This phased approach allowed for granular analysis of performance bottlenecks and identification of specific areas where the implemented Quantum Key Distribution (QKD)-based system offered improvements. Communication overhead, measured in terms of data volume exchanged during these phases, was also monitored to assess the efficiency of the protocol implementation and the impact of QKD key distribution on overall network load.
Performance evaluation of the implemented system indicates a reduction in 5G New Radio (NR) Non-3GPP access connection establishment time of up to 5.17% when compared to conventional authentication methods utilizing either X.509 certificates or Pre-Shared Keys (PSK). This improvement is realized across multiple phases of the connection process, specifically the Internet Key Exchange (IKE) initialization, authentication, and Child Security Association (SA) establishment. Measured times for these phases were 29.61 milliseconds, 467.02 milliseconds, and 703.03 milliseconds respectively, demonstrating a 40%, 8.4%, and 5.17% performance gain over standard implementations for each phase.
During testing, the IKE (Internet Key Exchange) INIT phase, responsible for establishing a secure channel, completed in 29.61 milliseconds using the implemented quantum key distribution system. This represents a quantifiable 40% reduction in processing time when compared to standard implementations utilizing certificate-based or pre-shared key (PSK) authentication methods. The IKE INIT phase focuses on initial parameter negotiation and is a critical determinant of overall connection establishment latency; therefore, this reduction demonstrates a significant performance improvement in the initial stages of secure communication.
During testing, the IKE AUTH phase, responsible for mutual authentication between network entities, completed in 467.02 milliseconds. This represents an 8.4% performance improvement when compared to the same phase executed in standard, non-QKD implementations. This reduction in authentication time contributes to overall connection establishment efficiency and suggests a viable path for integrating quantum key distribution into 5G network security protocols. The measured time reflects the duration required for the exchange and verification of authentication data, demonstrably expedited through the use of the implemented QKD system.
During testing, the Child Security Association (SA) phase, responsible for establishing the secure session after authentication, completed in 703.03 milliseconds utilizing the implemented Quantum Key Distribution (QKD) system. This represents a 5.17% performance improvement when compared to connection establishment times observed in standard 5G deployments utilizing conventional certificate-based or Pre-Shared Key (PSK) authentication methods. The Child SA phase involves the negotiation of security parameters and the establishment of the secure tunnel for data transmission, and the observed reduction in time contributes to overall improvements in network efficiency and reduced latency.
The N3IWF (Non-3GPP Interworking Function) and NWu (Non-3GPP Wireless Access Network to 5G Core Network) interfaces are essential for establishing secure communication pathways between User Equipment (UE) accessing the 5G core network via non-3GPP radio technologies and the 5G core itself. The N3IWF specifically handles the translation and relay of signaling messages between the non-3GPP access network and the 5G core, ensuring compatibility and proper routing. The NWu interface then provides the dedicated connection between the N3IWF and the 5G core’s Access and Mobility Management Function (AMF), facilitating the secure transfer of user data and control information. Without these interfaces, seamless and secure connectivity for non-3GPP access to the 5G network would not be possible.

Towards a Resilient Future: Embracing Quantum Security in 5G
The escalating threat of quantum computing necessitates a proactive shift in securing modern communication networks, and the integration of Quantum Key Distribution (QKD) into Non-3GPP access points represents a significant advancement in 5G security. Traditional encryption methods, vulnerable to attacks from sufficiently powerful quantum computers, are bypassed by QKD’s reliance on the laws of physics to guarantee secure key exchange. This approach establishes a fundamentally secure communication channel: because any interception of the key transmission introduces detectable disturbances, only an uncompromised key is used for encryption. By extending this quantum-safe layer to Non-3GPP access – encompassing technologies like Wi-Fi and satellite connections – networks gain resilience against future quantum-based attacks, safeguarding critical infrastructure and sensitive data as the technology landscape evolves. This strategic implementation effectively bolsters the overall security architecture of 5G, providing a crucial defense against emerging threats and paving the way for a more secure future.
The escalating threat of quantum computing necessitates proactive security measures, and a promising solution lies in establishing a path to safeguard critical infrastructure and sensitive data. Current encryption methods, while secure today, are vulnerable to attacks from sufficiently powerful quantum computers, potentially exposing vast amounts of information. This approach focuses on preemptively fortifying digital defenses by leveraging quantum-resistant cryptography and technologies like Quantum Key Distribution (QKD). By transitioning to these methods, systems can maintain confidentiality and integrity even in a future where quantum computers pose a significant risk. This isn’t merely a theoretical exercise; it’s a pragmatic step towards ensuring the continued reliability and trustworthiness of essential services, from financial transactions to national security communications, effectively building a resilient digital ecosystem against the evolving quantum landscape.
The integration of quantum key distribution (QKD) extends beyond the core 5G network, crucially encompassing Non-3GPP access points – those utilizing technologies like Wi-Fi or satellite links – to establish a truly comprehensive security architecture. Traditional security protocols, vulnerable to attacks from future quantum computers, often overlook these access points, creating a significant weakness. By implementing QKD at these entry points, the entire network benefits from quantum-resistant encryption, preventing potential breaches even if the core network’s defenses are compromised. This approach ensures that data confidentiality and integrity are maintained throughout the entire communication pathway, bolstering resilience against evolving cyber threats and safeguarding sensitive information across a wider range of 5G applications and services.
Realizing the full potential of quantum key distribution (QKD) within 5G networks necessitates ongoing investigation into several key areas. Current efforts concentrate on enhancing system performance, specifically increasing key generation rates and extending transmission distances without compromising security. A significant hurdle remains the reduction of implementation costs; QKD systems currently require specialized hardware and infrastructure, limiting scalability. Researchers are actively exploring integrated photonic solutions and cost-effective device fabrication techniques to address this challenge. Moreover, standardization efforts and the development of interoperable protocols are vital to ensure seamless integration of QKD with existing 5G architectures, paving the way for widespread deployment and a truly quantum-safe communication infrastructure.

The pursuit of secure communication networks, as detailed in the study of IPsec and Quantum Key Distribution, inevitably reveals the transient nature of cryptographic defenses. Systems are not static fortresses, but rather evolving landscapes susceptible to the eroding forces of technological advancement – in this case, the looming threat of quantum computing. As John McCarthy observed, “It is better to have a good algorithm than a fast one.” This sentiment directly reflects the core idea of adapting existing infrastructure, like IPsec, with quantum-resistant solutions, prioritizing robust, future-proof security over temporary performance gains. The validation of QKD within 5G networks isn’t about achieving perfect, immutable protection, but establishing a resilient system capable of gracefully aging through the inevitable shifts in the technological landscape.
What Lies Ahead?
The demonstrated integration of Quantum Key Distribution with IPsec for non-3GPP access represents not a culmination, but a carefully managed deceleration of inevitable decay. Every failure in connection establishment, every photon lost to the channel, is a signal from time. This work doesn’t prevent the quantum threat; it buys space for adaptation. The question isn’t whether quantum computers will compromise current systems, but when, and whether the interval allows for graceful refactoring.
Future efforts will undoubtedly focus on increasing key rates and extending the reach of QKD networks. However, a more fundamental challenge lies in addressing the inherent limitations of point-to-point quantum communication. The pursuit of quantum repeaters, or the development of alternative quantum-safe cryptographic protocols that don’t rely on key exchange, will be crucial. The current architecture, while a pragmatic step, remains tethered to the physics of distance and signal degradation.
Ultimately, this research highlights a broader principle: security isn’t a static state, but an ongoing dialogue with the past. Refactoring is not merely updating code; it’s acknowledging the relentless march of entropy and building systems that can age, and perhaps even fail, with a measure of dignity. The true metric isn’t speed or efficiency, but resilience in the face of the unavoidable.
Original article: https://arxiv.org/pdf/2603.24426.pdf
Contact the author: https://www.linkedin.com/in/avetisyan/
2026-03-26 07:54