
Quantum Security for Future Communication Networks: Standards Perspective

By Ramesh Chandra Vuppala, Samsung R&D Institute India – Bangalore
By R Bharath Kumar, Samsung R&D Institute India – Bangalore
By Hongjin Choi, Samsung Research
By R Rohini, Samsung R&D Institute India – Bangalore
By Rajavelsamy R, Samsung R&D Institute India – Bangalore

Introduction

Mobile communication networks are becoming more ubiquitous than ever and are evolving rapidly, with increasing adoption beyond traditional services such as voice and data. With 5G and emerging 6G standards, wireless communication networks are expected to play a critical role in various domains, including AI-enabled services, robotics, industrial automation and human-critical services. In this context, it is also critical to ensure that mobile networks are well protected and designed with a security-first approach. The classical cryptosystems presently used in communication networks rely on the computational difficulty of solving mathematical problems, such as factoring large numbers (e.g., Rivest-Shamir-Adleman (RSA)) or solving the discrete logarithm problem (e.g., Elliptic Curve Cryptography (ECC)). Classical computers would need astronomical amounts of time to solve these problems, which makes cracking them practically impossible. Quantum computers exploit quantum mechanical phenomena such as superposition and entanglement to perform these kinds of calculations exponentially faster, so with recent advancements they have an inherent potential to crack existing asymmetric cryptographic algorithms such as RSA and ECC, as shown in Figure 1. To mitigate the threats from quantum computing, there are solutions such as Quantum Key Distribution (QKD) and Post-Quantum Cryptography (PQC) algorithms, which make telecommunications quantum-resilient.

Figure 1. Need for Quantum security to protect future communication systems

QKD: Quantum Key Distribution

QKD is a method that uses the principles of quantum mechanics and entangled particles to generate and distribute secret keys for encryption and decryption. Any attempt to measure these particles disturbs their entangled state, making eavesdropping detectable. Hence, it provides a theoretical guarantee of security, making it a potential replacement for traditional encryption methods that are susceptible to attacks from quantum computers. However, this solution needs a hardware upgrade, such as dedicated fiber optic cables and specialized equipment to generate, transmit, and detect quantum states, which is costly for service providers. The monetization needs of network operators, vendors, and OEMs (Original Equipment Manufacturers) therefore represent a notable barrier to the widespread adoption of QKD in telecommunication networks, steering the cryptographic migration path towards PQC, which runs on classical machines and so does not require a hardware upgrade.

PQC: NIST Standardization

PQC is a cryptosystem that relies on the difficulty of solving certain mathematical problems for which no efficient solution by quantum computers is yet known. The National Institute of Standards and Technology (NIST) [1] has been actively working on developing PQC algorithms since 2016 and, in August 2024, released the final versions of the first three post-quantum cryptography standards: FIPS 203 (ML-KEM) [2], FIPS 204 (ML-DSA), and FIPS 205 (SLH-DSA), which specify algorithms derived from CRYSTALS-KYBER, CRYSTALS-Dilithium and SPHINCS+, respectively. ML-KEM and ML-DSA are based on complex mathematical concepts such as lattice-based cryptography, in which lattices (repeating patterns of points in space) are used to create complex and hard-to-break encryption schemes. NIST has recently announced a new non-lattice, code-based algorithm for PQC called HQC (Hamming Quasi-Cyclic), for which a finalized standard is expected in 2027. Active studies have started in standards bodies such as 3GPP and IETF to integrate NIST's recommendations on the usage of PQC algorithms.

Study of Impact of PQC on 3GPP procedures

In the context of post-quantum cryptography (PQC), standardization efforts are crucial to ensure seamless integration into future communication networks, particularly within the 3GPP framework. To kick off the process, 3GPP TR 33.938 [3] provides a comprehensive inventory of security protocols that leverage cryptography within 3GPP specifications. This document meticulously outlines the applications of asymmetric cryptography across existing 3GPP systems, serving as a foundational reference for understanding the current landscape and identifying areas for PQC integration. For the next step, the key focus would be evaluating hybrid algorithms, which combine PQC with classical cryptography, and standalone PQC algorithms, and assessing their impact on existing 3GPP procedures. This includes evaluating the impact of the significantly larger key sizes, signatures, and message lengths inherent in PQC compared with traditional cryptographic methods, which may require procedural modifications to accommodate them. Additionally, determining the appropriate security levels (Level I to Level V) is essential to align with the assurance levels already established in 3GPP standards, ensuring robust protection against both classical and quantum threats. Furthermore, the suitability of various post-quantum signature algorithm classes, such as lattice-based and hash-based schemes, needs to be thoroughly assessed to identify their compatibility with 3GPP procedures. These efforts collectively aim to establish a secure and efficient framework for next-generation communication systems, leveraging the strengths of PQC while maintaining interoperability and efficiency.

Use cases

a) User Identity Security: SUCI Calculation

The Fifth Generation (5G) wireless communication system has taken significant steps to protect the UE's permanent identity against IMSI catchers. This is achieved by encrypting the Subscription Permanent Identifier (SUPI) into the Subscription Concealed Identifier (SUCI), a process known as SUPI concealment. A key component of this process is the Elliptic Curve Integrated Encryption Scheme (ECIES), which facilitates secure authentication of the User Equipment (UE) by the Home Network (HN). ECIES is an encryption scheme that combines asymmetric key establishment, symmetric key encryption, and hashing functions. This asymmetric key establishment, based on elliptic curve cryptography, is prone to attacks from quantum machines, and the resulting identity theft exposes subscribers to tracking and threatens their privacy. Therefore, it needs to be replaced with the post-quantum secure ML-KEM [2] method, as depicted in Figure 2.

Figure 2. SUPI concealment with EC-based shared key generation in present 5G systems

b) Mission Critical Services: MIKEY-SAKKE

MIKEY-SAKKE is used in the 5G system to securely transport cryptographic keys for Mission Critical Services in various scenarios, such as Private Call Keys (PCKs) between Mission Critical (MC) UEs, Group Master Keys (GMKs) from a Group Management Server to a Group Management Client on an MC UE, and Client-Server Keys (CSKs) between an MCX Server and an MC client. The security mechanism described in 3GPP TS 33.180 [4] allows a key, K, to be distributed from an initiating party to a receiving party. It provides confidentiality of the key, and integrity and authenticity of the payload. Because the classical cryptographic methods used, SAKKE and ECCSI, are based on elliptic curve cryptography and are at quantum risk, communication for mission critical systems is jeopardized. To make it quantum safe, it is recommended to replace SAKKE (an ID-based encryption scheme) with ML-KEM, and ECCSI with ML-DSA or SLH-DSA, as illustrated in Figure 3. To achieve backward compatibility with legacy mission critical devices, it is suggested to use the hybrid key exchange mechanism (ML-KEM+SAKKE, ML-DSA+ECCSI). However, the key and signature sizes of PQC pose implementation challenges compared with classical cryptography, which may require optimization of mission critical services bandwidth.

Figure 3. Common key distribution mechanism using MIKEY-SAKKE in Mission Critical Services

c) RAN and Core Network Security

In current 3GPP systems, IKEv2 is primarily utilized for establishing and managing Security Associations (SAs) within IPsec, a critical component for securing Internet Protocol (IP) communications. The 3GPP IKEv2 profile, as outlined in 3GPP TS 33.210, defines Network Domain Security and IP network layer security (NDS/IP). However, these implementations are not resistant to quantum attacks. Similarly, TLS and DTLS provide essential security features such as mutual authentication, integrity protection, replay protection, and confidentiality. Their implementation adheres to the TLS profile in TS 33.210 and the certificate profile in TS 33.310. Currently, communication between Network Functions (NFs) employs mTLS, which also lacks quantum resistance. To address these vulnerabilities, the Internet Engineering Task Force (IETF) is actively developing Post-Quantum Transport Layer Security (PQ-TLS) and Post-Quantum Internet Protocol Security (PQ-IPSec) solutions. These solutions aim to leverage homogeneous and hybrid post-quantum cryptographic algorithms, ensuring secure and quantum-safe communication across the future RAN and Core networks as depicted in Figure 4.

Figure 4. Security crypto algorithms in RAN and Core Networks

d) Protection of unsecured lower layers

To provide security for wireless telecommunication systems, 3GPP standards have introduced encryption and integrity protection for both control and user plane data between the UE and the RAN. The upper layers of the protocol stack, including the RRC and PDCP layers, are therefore cryptographically protected and safe from adversaries. To meet stringent latency demands, numerous control plane functionalities have been moved to the unsecured lower layers of the protocol stack, i.e., the MAC and PHY layers. The lack of security for RLC headers, MAC subheaders, and MAC CEs makes them vulnerable to various attacks, such as out-of-service conditions and throughput degradation, as shown in Figure 5. Among them, the MAC CE is used to convey control information between the base station (e.g., eNodeB in LTE or gNB in 5G) and the user equipment (UE), so an unprotected MAC CE poses the major security threat. As an illustration for the 5G system, Figure 5 shows the unprotected lower layers (below PDCP) for control plane signalling, which are exposed to security threats. When designing security for the lower layers of future wireless communication systems such as 6G, quantum-safe communication as discussed above is one of the key points to consider. One of the major challenges in PQC adoption for lower layer security is the additional overhead on latency and on the utilization of network resources, due to encryption-decryption time and the increased size of keys and ciphertext respectively; this needs further exploration.

Figure 5. Lower layer attacks on present wireless communication systems

Challenges, Considerations & Conclusion

The transition from classical cryptography to post-quantum security in telecommunications is not merely an enhancement; it is an essential step to protect against the upcoming threats posed by advancements in quantum computing. One of the major challenges in PQC adoption for future communication systems is the additional overhead on latency and on the utilization of network resources, due to encryption-decryption time and the increased size of keys and ciphertext respectively. Hybrid solutions can be an option for a seamless transition to quantum-safe telecommunications. In conclusion, the integration of post-quantum cryptography will be essential in ensuring the security and dependability of our telecommunications systems, and standards bodies are actively working towards this goal.

Disclaimer

The views and opinions expressed in this article are solely those of the authors. These do not necessarily represent those of Samsung Research and its affiliates.

References

[1] NIST Post-Quantum Cryptography | CSRC (nist.gov) https://www.nist.gov/pqcrypto

[2] FIPS 203: Module-Lattice-Based Key-Encapsulation Mechanism Standard https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.203.pdf

[3] 3GPP TR 33.938: 3GPP Cryptographic Inventory, Release 19 https://www.3gpp.org/ftp/Specs/archive/33_series/33.938/33938-j00.zip

[4] 3GPP TS 33.180: Security of the Mission Critical (MC) service https://www.3gpp.org/ftp/Specs/archive/33_series/33.180/33180-j10.zip