Author: Denis Avetisyan
As quantum computing looms, this research details a new framework for ensuring 5G core networks are ready for a post-quantum world.

PQC Validator provides a comprehensive methodology for testing the correct implementation and negotiation of post-quantum cryptography within cloud-native 5G architectures, leveraging TLS 1.3, IPsec, and eBPF.
While the deployment of post-quantum (PQ) cryptographic primitives in 5G core networks is increasing, assurances of actual PQ security remain elusive: a network function may advertise support while silently falling back to vulnerable classical algorithms. This paper introduces ‘PQC Validator: Validating Post-Quantum Readiness in Cloud-Native 5G Core Networks’, a layered framework designed to comprehensively validate the implementation and negotiation of PQ cryptography within cloud-native 5G architectures. PQC Validator delivers structured evidence classifying network functions based on their PQ posture (classical, hybrid-PQ, or full-PQ) through a combination of conformance testing, robustness evaluation, and wire-level attestation using eBPF. Can this approach establish a new baseline for trustworthy PQ transitions in critical telecommunications infrastructure and beyond?
The Inevitable Erosion of Trust: 5G’s Expanding Threat Surface
The foundations of modern network security, built upon algorithms like RSA and ECC, face an escalating crisis of vulnerability. While historically robust, these cryptographic standards are increasingly susceptible to attacks leveraging advancements in computational power and novel algorithms. Specifically, the looming threat of quantum computing presents an existential challenge, as quantum algorithms – such as Shor’s algorithm – can efficiently break the asymmetric encryption that underpins much of current digital security. Beyond quantum threats, increasingly sophisticated conventional attacks, including advanced persistent threats and AI-powered exploits, are probing and exploiting weaknesses in traditional protocols. This necessitates a proactive shift towards post-quantum cryptography and a layered security approach to mitigate risks and safeguard the integrity of 5G networks against both present and future threats.
The transition to cloud-native architectures in 5G networks fundamentally alters the threat landscape, demanding a significant security paradigm shift. Historically, mobile networks relied on perimeter-based security; however, the distributed and dynamic nature of cloud-native 5G expands the attack surface considerably. Virtualization, containerization, and microservices, while offering scalability and flexibility, introduce new vulnerabilities related to orchestration, API security, and the potential for lateral movement within the network. Traditional security tools are often ill-equipped to handle this dynamic environment, necessitating the adoption of zero-trust principles, enhanced monitoring, and automated threat detection and response systems. Securing these cloud-native 5G networks requires a move away from simply protecting the perimeter to continuously validating every access request and securing the entire data path, regardless of location.
The advent of 5G networks leverages a Service-Based Interface (SBI) architecture, a design prioritizing flexibility and scalability through modular network functions communicating via well-defined services. However, this very flexibility introduces substantial security complexities. Traditional perimeter-based security models prove inadequate when dealing with a dynamically changing network topology and numerous interconnected services. Each service exposed through the SBI represents a potential attack vector, demanding granular security policies and continuous monitoring. Furthermore, the distributed nature of SBI necessitates robust authentication and authorization mechanisms to prevent unauthorized access and lateral movement within the network. Securing SBI requires a paradigm shift towards zero-trust principles and a comprehensive understanding of inter-service dependencies, placing significant demands on network operators and security professionals.
Building Resilience: A Transitional Path to Post-Quantum Security
Hybrid key exchange mechanisms represent a practical approach to mitigating the threat of quantum computing to 5G networks by combining currently secure classical algorithms with emerging post-quantum cryptographic (PQC) algorithms. This strategy acknowledges the maturity of classical cryptography while proactively preparing for a future where quantum computers could break widely used algorithms like RSA and ECC. The hybrid approach ensures continued security even if one algorithm is compromised; if the classical algorithm fails, the PQC algorithm remains as a fallback, and vice versa. This provides a transitionary path, allowing for gradual adoption of PQC without requiring immediate and complete replacement of existing infrastructure, reducing disruption and implementation costs. Furthermore, it allows for continued interoperability with systems not yet updated to fully PQC solutions.
Module-Lattice Key Encapsulation Mechanism (ML-KEM) and Module-Lattice Digital Signature Algorithm (ML-DSA) represent a family of post-quantum cryptographic algorithms based on the hardness of solving the Module Learning With Errors (MLWE) problem over polynomial rings. These algorithms are considered promising candidates for 5G security due to their strong security properties and relatively efficient performance characteristics compared to other post-quantum schemes. ML-KEM is designed for key establishment, enabling secure exchange of symmetric keys, while ML-DSA provides digital signature capabilities for authentication and integrity. Both algorithms utilize lattice-based cryptography, which is believed to be resistant to attacks from both classical and quantum computers, making them suitable for long-term security in the evolving threat landscape.
The implementation of Post-Quantum Transport Layer Security (PQ-TLS) and PQ-IPsec is essential for future-proofing 5G communication channels against attacks from quantum computers. Recent validation efforts, specifically utilizing the PQC Validator, have demonstrated successful end-to-end implementation of these protocols. Testing across all evaluated network function endpoints achieved a 100% full post-quantum (PQ) negotiation rate, confirming the ability to seamlessly establish secure connections utilizing post-quantum cryptographic algorithms within existing 5G infrastructure. This signifies a critical step towards deploying quantum-resistant security measures in live 5G networks.
Implementation of post-quantum key exchange introduces a performance trade-off during the initial handshake phase of connection establishment. Testing demonstrates an increase in handshake latency ranging from 50 to 100 microseconds when utilizing post-quantum cryptography. Furthermore, the volume of data exchanged during this handshake is significantly increased; post-quantum handshakes transmit 1220 bytes compared to the 36 bytes transmitted during a classical handshake, representing a 1184-byte increase in data-on-wire. This expanded data transfer is a direct result of the larger key sizes and more complex cryptographic operations inherent in post-quantum algorithms.

Validating the Core: A Multi-Layered Approach to Security Assurance
Network Function (NF) validation is a critical process within the 5G core architecture, ensuring each component operates as designed and maintains the overall system’s integrity. This validation encompasses rigorous testing of all NFs – including the Access and Mobility Management Function (AMF), User Plane Function (UPF), and Session Management Function (SMF) – to verify correct implementation of 3GPP specifications and adherence to security protocols. Successful NF validation mitigates risks associated with malfunctioning components, prevents service disruptions, and safeguards against potential vulnerabilities that could compromise network performance or user data. It involves both functional testing – confirming NFs perform their intended tasks – and non-functional testing, such as performance, scalability, and resilience evaluations.
Conformance testing and protocol fuzzing are critical security validation techniques for 5G networks due to the increased attack surface introduced by network slicing, virtualization, and the Service-Based Architecture (SBA). Conformance testing verifies that 5G network functions (NFs) adhere to the 3GPP standards defined in specifications like 3GPP TS 23.501 and TS 23.502, ensuring interoperability and a baseline level of security. Protocol fuzzing, conversely, involves submitting malformed or unexpected inputs to 5G protocols – including those governing User Plane Function (UPF), Access and Mobility Management Function (AMF), and Network Repository Function (NRF) interactions – to proactively identify potential vulnerabilities such as buffer overflows, denial-of-service conditions, and improper input validation. These methods complement each other; conformance testing establishes expected behavior, while fuzzing attempts to break it, creating a robust security assessment.
Extended Berkeley Packet Filter (eBPF) observability provides granular, real-time insights into 5G core network behavior by allowing the dynamic and safe injection of code into the kernel. This capability facilitates detailed monitoring of network function (NF) interactions, packet flows, and system calls, enabling proactive threat detection and faster incident response. Initial validation testing, conducted across all tested NFs operating under Post-Quantum (PQ) standards, has demonstrated a 100% compliance rate, indicating effective implementation and adherence to specified security protocols when utilizing eBPF for observation.
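The wire-level check described above, sketched as an added example (not code from the paper or from PQC Validator): it reads the group a TLS 1.3 ServerHello actually selected, maps it to the classical / hybrid-PQ / full-PQ posture, and flags an NF that advertises PQ support but negotiated a classical group. It assumes a capture hook (eBPF or otherwise) hands over the raw handshake message; the code points are IANA NamedGroup values chosen here, and the `advertised` input and all function names are hypothetical.

```python
import struct

# NamedGroup code points from the IANA TLS Supported Groups registry (chosen for
# this example; the page does not list which groups the paper exercised).
POSTURE = {
    0x001D: ("x25519", "classical"),
    0x11EB: ("SecP256r1MLKEM768", "hybrid-PQ"),
    0x11EC: ("X25519MLKEM768", "hybrid-PQ"),
    0x0201: ("MLKEM768", "full-PQ"),
}
PQ_POSTURES = {"hybrid-PQ", "full-PQ"}

def selected_group(server_hello: bytes) -> int:
    """Return the NamedGroup from the key_share extension of a ServerHello."""
    if len(server_hello) < 4 or server_hello[0] != 0x02:
        raise ValueError("not a ServerHello handshake message")
    body = server_hello[4:]
    if len(body) != int.from_bytes(server_hello[1:4], "big"):
        raise ValueError("length mismatch or truncated capture")
    try:
        pos = 2 + 32                  # legacy_version + random
        pos += 1 + body[pos]          # legacy_session_id_echo
        pos += 2 + 1                  # cipher_suite + legacy_compression_method
        ext_end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= ext_end <= len(body):
            ext_type, ext_len = struct.unpack_from("!HH", body, pos)
            if ext_type == 51 and ext_len >= 2:   # key_share: group comes first
                return int.from_bytes(body[pos + 4:pos + 6], "big")
            pos += 4 + ext_len
    except (IndexError, struct.error):
        pass
    raise ValueError("no key_share extension found")

def classify(server_hello: bytes, advertised: set) -> dict:
    """advertised: postures the NF claims to support (hypothetical inventory input)."""
    group = selected_group(server_hello)
    name, posture = POSTURE.get(group, (hex(group), "unknown"))
    fallback = posture == "classical" and bool(PQ_POSTURES & set(advertised))
    return {"group": name, "posture": posture, "silent_fallback": fallback}

def build_server_hello(group: int, share_len: int) -> bytes:
    """Constructed sample input: minimal TLS 1.3 ServerHello, zero-filled share."""
    share = struct.pack("!HH", group, share_len) + bytes(share_len)
    exts = struct.pack("!HHH", 43, 2, 0x0304) + struct.pack("!HH", 51, len(share)) + share
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x13\x01" + b"\x00"
            + struct.pack("!H", len(exts)) + exts)
    return b"\x02" + len(body).to_bytes(3, "big") + body
```

An "unknown" posture means the selected group is not in the table and should be reviewed by hand rather than counted as PQ.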
The Inevitable Ecosystem: Cloud-Native Security and the Future of 5G
Modern 5G deployments demand an infrastructure capable of handling exponentially increasing data volumes and diverse service requirements, a challenge traditional network architectures struggle to meet. Cloud-native platforms, such as Aether-SDCore and QORE, address this by leveraging containerization, microservices, and orchestration to create a highly scalable and flexible core network. These platforms allow operators to dynamically allocate resources, rapidly deploy new services, and adapt to fluctuating network demands with unprecedented agility. Unlike monolithic systems, cloud-native designs enable independent scaling of individual network functions, optimizing resource utilization and reducing operational costs. This approach not only supports the enhanced mobile broadband capabilities of 5G but also facilitates the implementation of advanced features like network slicing and edge computing, paving the way for innovative applications and a truly connected future.
Cilium emerges as a pivotal technology for securing and optimizing cloud-native 5G core networks, offering capabilities that extend far beyond traditional network security approaches. Leveraging eBPF, Cilium provides granular control over network traffic, enabling the implementation of fine-grained security policies and identity-based network segmentation. This allows operators to dynamically enforce access control based on user identity and application context, significantly reducing the attack surface. Furthermore, Cilium’s observability features deliver deep insights into network behavior, facilitating proactive threat detection and rapid troubleshooting. By seamlessly integrating with Kubernetes and other cloud-native tools, Cilium enables automated security enforcement and scalability, crucial for managing the complex and dynamic demands of modern 5G infrastructure, and ensuring consistent policy enforcement across the entire network lifecycle.
Secure access within the evolving 5G landscape necessitates a robust authentication and authorization framework, and integrating OAuth 2.0 with the established 5G-AKA protocol provides just that. This combined approach leverages the widespread adoption and flexibility of OAuth 2.0 – commonly used for securing APIs and web applications – while retaining the core security benefits of 5G-AKA, the 5G authentication and key agreement protocol. By bridging these two systems, platforms can verify user identities and grant granular access to network resources, enabling secure communication between devices, applications, and the 5G core. This integration isn’t simply about adding another layer of security; it allows for consistent identity management across diverse 5G services and facilitates interoperability with existing identity providers, creating a more seamless and secure experience for end-users and fostering trust within the expanding 5G ecosystem.
The pursuit of absolute security, as evidenced by the PQC Validator’s rigorous conformance testing, is a curious endeavor. One anticipates a future failure mode, not as a deficiency, but as inevitable proof of life within the system. Paul Erdős observed, “A mathematician knows a lot of things, but a physicist knows everything.” This sentiment echoes in the Validator’s design; it doesn’t build security, it cultivates an environment where vulnerabilities are revealed, a constant process of refinement. The framework acknowledges that a system which never undergoes validation is, effectively, already dead, incapable of adapting to the evolving threat landscape. The true measure isn’t the absence of flaws, but the capacity to discover and address them.
The Horizon Recedes
The PQC Validator, as described, doesn’t solve security; it merely postpones the inevitable dance with entropy. Each successful negotiation, each conformance test passed, is a temporary reprieve, a localized reduction in technical debt. Every dependency is a promise made to the past, and the past is rarely kind. The framework illuminates correct implementation today, but the surface area for misconfiguration, for subtle side-channel attacks, remains vast, shifting with every update to TLS 1.3 or IPsec. It is a lighthouse built on sand, constantly demanding reinforcement.
Future work will not be about achieving “post-quantum security,” but about building systems capable of absorbing cryptographic agility. The true challenge lies not in validating a specific algorithm, but in architecting networks that can seamlessly transition between them, treating cryptography as a fluid property rather than a fixed asset. Control is an illusion that demands SLAs. The goal shouldn’t be to prevent failure; it’s to orchestrate graceful degradation.
Everything built will one day start fixing itself. The next generation of validation tools will likely focus on automated anomaly detection, continuously monitoring cryptographic behavior in production, and learning to anticipate, rather than merely react to, emerging vulnerabilities. The real metric of success won’t be conformance, but resilience: the ability to remain functional, even when the foundations shift.
Original article: https://arxiv.org/pdf/2605.01454.pdf
Contact the author: https://www.linkedin.com/in/avetisyan/
2026-05-06 04:16