Securing networks for a post-quantum era

Quantum-safe networks

Advances in quantum computing will bring new computational possibilities but also new security concerns. This is prompting the industry-wide migration to quantum-resistant cryptography today, making existing and future networks secure against even the most powerful threats.

Quantum-safe networks explained

Recent and regular advances in quantum computing are driving an industry-wide conversation around the potential of future quantum computers to break many of the cryptographic algorithms used in today’s public-key encryption, key exchange and digital signatures.

A large-scale cryptographically relevant quantum computer (CRQC) is the term given to future quantum computers that may one day be capable of breaking these algorithms. They may not be built anytime soon, or even at all, but it is a potential threat that needs to be taken seriously.

To address this threat, quantum-safe networks will rely on post-quantum cryptography, including the latest NIST-specified quantum-resistant algorithms that will replace vulnerable cryptographic algorithms such as RSA and ECC in the next decade.

Today, Ericsson is driving the advancement of quantum-safe networks, developing networks that are capable of withstanding potential future attacks by a CRQC. In doing so, we are actively collaborating across industries and standards fora to ensure a timely migration in line with regional timelines and directives.

Get to know the essential terms

Quantum computing vs. classical computing

Quantum computers are built on the principles of quantum mechanics and can solve mathematical challenges much faster and in entirely different ways to today’s classical computers.

Unlike classical computers, that process in bits (e.g. 0s and 1s), quantum computers process in quantum bits, known as qubits, that can be 0 and 1 at the same time. This makes them capable of solving several types of computational problems significantly faster than classical computers, reducing execution time to hours and days for tasks that would otherwise take hundreds of years to complete.

The world of quantum computing has made great strides since the first idea of a quantum computer was proposed back in the 1980s. Today, there are several promising quantum technologies under development across industry and academia with the goal of building either a 'universal' quantum computer or a specialised quantum machine that can speed up specific tasks.

Learn more in our introduction to quantum computing technology

Post-quantum cryptography (PQC)

Post-quantum cryptography (PQC) also typically referred to as quantum-resistant cryptography or quantum-safe cryptography refers to cryptographic algorithms that are resistant to attacks by cryptographically relevant quantum computers (CRQC). Such algorithms are designed to be run as similar software or hardware, just as any existing conventional cryptographic algorithm. Most symmetric cryptographic algorithms, such as AES, in use today are deemed to be quantum resistant.

Cryptographically relevant quantum computer (CRQC)

A cryptographically relevant quantum computer (CRQC) describes a special purpose quantum computer that is deemed capable of threatening existing cryptographic algorithms. This should not be confused with general purpose quantum computers which are expected to breakthrough well before CRQCs and do not pose a threat to conventional cryptographic algorithms. Assuming a Moore’s Law type scaling in qubit count, it could take 25-30 years to scale from today’s quantum computers to the typically millions of so-called physical qubits required to achieve a large-scale CRQC.

Significant improvements to fault tolerance will also be required, as even a small qubit error rate in the result cycle can compromise the computing result after many cycles.

Quantum key distribution (QKD)

Quantum key distribution (QKD) is a quantum-resistant mechanism for key distribution in which two parties agree on a secret key by sending photons between them with the help of a second (ordinary) authenticated communication channel. QKD requires a direct physical link between the communicating parties, such as an optical cable or a direct line of sight.

Today, QKD is not considered a viable alternative to post-quantum cryptography owing to inherent limitations and impracticalities, as well as a lagging maturity from a security perspective.

Unlike post-quantum cryptography, QKD cannot replace cryptography in existing products and solutions. QKD relies on a physical point-to-point link between the communicating parties which, in turn, requires specialized hardware, high maintenance and high associated costs. The development of QKD is also constrained by distance limitations as it is currently not possible to transmit quantum states via optical cables over long distances.

Timeline to quantum-safe networks

Widespread adoption of post-quantum cryptography is expected to happen in the near term, driven by organizations such as the US National Institute of Standards and Technology (NIST) and Internet Engineering Task Force (IETF). Today’s major Internet service companies have already upgraded the TLS protocols of most web browsers, ensuring support for PQC. In 3GPP, post-quantum cryptography will likely be introduced already in the 5G era as part of upcoming releases 20 and/or 21. This will also make 6G, expected from release 21, fully quantum-resistant from the start.

Assessing the threat level: Future CRQCs and the risks for today’s networks

If or when a CRQC becomes viable, there is a real risk that today’s public-key exchanges could serve as an attack vector for all manner of threats, including the decryption of network communication, the forging of private key certificates granting deeper access to networks, and the installation of fraudulent firmware and software enabling attackers to take control of the software in a network node.

Public-key cryptographic vulnerabilities

Conventional public-key encryption, key exchange and digital signatures – which secure many parts of today’s networks – are notoriously difficult to break. Even today’s most powerful classical computers would require thousands, millions and even billions of years to decrypt most of these algorithms.

Quantum computers, on the other hand, could potentially break today’s public-key cryptography in a matter of hours. CRQCs will be capable of factoring large integers and, in doing so, solving the discrete logarithm problem – the very fundaments on which most of today’s public-key encryptions, exchanges and digital signatures are based.

3GPP is well prepared for this, having already future-proofed protocols like 5G Subscription Concealed Identifier (SUCI) by allowing ciphertexts and public keys to be several thousands of bytes long. 3GPP is also expected to standardize NIST quantum-resistant algorithms ML-KEM, ML-DSA and SLH-DSA in coming years as a replacement to existing public-key algorithms Rivest-Shamir-Adleman (RSA) and Elliptic Curve Cryptography (ECC).

Harvest now, decrypt later

‘Harvest now, decrypt later’ is an attack vector whereby attackers collect and store encrypted data from today’s networks with the intention of decrypting it in future using a CRQC. This prospect has increased the urgency of a transition to post-quantum cryptography in the coming decade, ensuring that all encrypted network data remains protected while at rest, in transit and in use.

According to MITRE’s ATT&CK framework, there are several tactics and techniques that threat actors may seek to deploy to enable the harvesting of encrypted data already today. This includes adversary-in-the-middle attacks that can enable network sniffing or transmitted data manipulation, automated collection techniques based on set criteria such as file type or location, and data illegally obtained from cloud storage, local systems, or network shared drives.

Securing hardware root of trust

Given that firmware-signing algorithms are frequently locked in for the life of a system, upgrading to quantum-resistant software and firmware signing and ensuring the root of trust remains one of the key priorities for today’s service providers.

As part of its Commercial National Security Algorithm Suite (CNSA) 2.0, the US National Security Agency mandates that federal agencies update to quantum-resistant software and firmware signing already by 2025, with a complete phase-out of other encryption protocols by 2030.

Today’s networks are secured through two distinct cryptographic approaches: symmetric and asymmetric. Both approaches are suited to different deployment scenarios and differ primarily in how they use keys.

Most of today's computer systems and services such as digital identities, the Internet, cellular networks, and crypto currencies use a mixture of symmetric algorithms and asymmetric algorithms including RSA and ECC. The asymmetric parts of such systems would very likely be exposed to significant risk if we experience a breakthrough in CRQC in the coming decades.

Symmetric (private key) cryptography

Symmetric cryptography relies on the same key for both encryption and decryption, similar to having one key that can both lock and unlock a door. AES (Advanced Encryption Standard) is the most widely used symmetric cryptographic algorithm today, replacing older variants such as DES (Data Encryption Standard) and Triple DES (3DES) which have since become vulnerable to attacks by classical computers.

A CRQC, or even a cluster thereof, poses very little threat to AES cryptography. AES-128 qualifies as quantum resistant according to the evaluation criteria in the NIST PQC standardization project.

Asymmetric (public key) cryptography

Asymmetrical cryptography relies on two separate keys: a public key to encrypt data and a private key to decrypt. It’s like having a door that can be locked by anyone (public key encryption) but requires a different yet corresponding private key to open it.

There are different types of public key cryptography based on the same cryptographic principles of public-private key pairing, such as:

Signing algorithms used to verify digital identities using a digital signature created through a private key and verified through a public key. Common examples include RSA, DSA and the elliptic-curve-based ECDSA.
Encryption algorithms that protect sensitive data in transit using a public key for encryption and a private key for decryption. Common examples include RSA and the elliptic-curve-based ECIES.
Key agreement protocols that allow two parties to agree a shared secret over an insecure link, such as the TLS communication protocol. Common examples include the Diffie-Hellman (DH) key exchange and the elliptic-curve-based ECDH.

According to research, a quantum attacker running Shor’s algorithm could potentially break RSA-2048 in a matter of hours. All currently used key sizes in ECC would also be broken in a matter of hours or a few days.

Post-quantum cryptography

Post-quantum cryptography describes an algorithm that can withstand decryption from a CRQC, regardless of its composition. It can be symmetrical, asymmetrical or often hybrid.

As most if not all symmetric key encryptions are already deemed to be quantum resistant, the topic of post-quantum cryptography has largely focused on transitioning to quantum-resistant public key encryption.

In 2024, NIST finalized the standardization of the key encapsulation mechanism ML-KEM and the two signature algorithms ML-DSA and SLH-DSA. ML-KEM and ML-DSA are the primary chosen quantum-resistant algorithms and can be used instead of the currently used public-key algorithms like RSA and ECC. Standardization of a third signature algorithm, FN-DSA, is also underway.

Learn more about cryptography in mobile networks

Migration to quantum-resistant algorithms in mobile networks

The evolution of cryptography in mobile networks and how to secure them in future

Building a quantum key distribution network in Sweden

Hexa-X and data protection evolution in 6G

Cryptography and networks: FAQs

Which 3GPP systems are affected?

All systems using public-key cryptography such as RSA, DH, ECDSA, ECDH or pairing-based cryptography for authentication or key-exchange are considered vulnerable and must be replaced. This includes all systems using TLS, DTLS, IKEv2, certificates, MIKEY-SAKKE and ECIES version of SUCI. Symmetric algorithms such as AKA authentication and the radio encryption and integrity algorithms are not affected.

Does 3GPP need to replace all public-key algorithms?

Yes, even if the time estimates for quantum computers are uncertain, the threat is real, and 3GPP needs to be prepared. Government and industry transition will force also a 3GPP transition to quantum resistant public-key cryptography.

Are RSA and MODP groups less affected than elliptic curve cryptography?

No, while early results pointed to RSA being slightly harder to break on quantum computers than ECC, research taking reversibility into account shows that breaking ECC ends up requiring more qubits and more quantum operations than RSA (at the same classical security level). Quantum computers are not a reason to prefer RSA to ECC.

Does it help to increase the size of the public key?

In general no. The running time of Shor’s algorithm is 𝒪(n3) and the required number of qubits is 𝒪(n), so doubling the key length only makes key recovery require 8 times more operations and requires 2 times as many qubits. Achieving the same security level as AES-128 would require RSA keys lengths of several hundred million bits. Increasing the key length is therefore not a practical solution and all RSA, ECC, DH and pairing-based cryptography should be deprecated well in advance of the arrival of quantum computers (estimated to be around 2030).

Will symmetric algorithms with 128-bit security be affected?

No, all 128-bit algorithms such as A5/4, GEA4, GIA4, GEA5, GIA5, UEA1, UIA1, UEA2, UIA2, EEA1, EIA1, EEA2, EIA2, EEA3, EIA3, MILENAGE, TUAK, AES-128, and SHA-256 will still offer sufficient security, quantum computers will not change this. NIST plans to define their 128-bit algorithms AES-128 and SHA-256 as quantum safe.

Will symmetric algorithms with 64-bit security be affected?

No, all 64-bit algorithms such as A5/1, A5/2, A5/3, GEA1, GEA2, GEA3, COMP-128-1, COMP-128-2, and COMP-128-3 are already weak because of their very short key size, quantum computers will not change this.

Should 3GPP move to 256-bit algorithms for encryption and integrity?

Introducing symmetric 256-bit algorithms such as AES-256 may be a good idea as it is mandated by many governments (e.g. US government) and the processing overhead compared to 128-bit security is relatively small.

However, quantum computers mostly have theoretical impact on symmetric cryptography and NIST estimates that quantum computers will not reduce the lifetime of AES-128 and SHA-256. NIST plans to define both algorithms quantum safe. There are no practical needs to introduce 256-bit crypto because of quantum computers.

A new quantum-resistant key encapsulation mechanism ML-KEM (CRYSTALS-Kyber), together with two new quantum-resistant signature algorithms ML-DSA (CRYSTALS-Dilithium) and SLH-DSA (SPHINCS+) are set to be introduced in coming years to mitigate existing vulnerabilities in public-key encryption, key exchange and digital signatures. FN-DSA (Falcon), a third signature algorithm, is currently being standardized.

ML-KEM and ML-DSA are the primary chosen quantum-resistant algorithms and can be used instead of the currently used public-key algorithms RSA and ECC. Unlike RSA and ECC, which are based on logarithm-based cryptography, ML-KEM, ML-DSA and FN-DSA are all lattice-based algorithms and rely on well-known mathematical problems in 512-1024 dimensions. This makes them resistant to CRQC attack, supported by much larger public key, encapsulation and signature sizes. They are also a much faster alternative to even the fastest ECC algorithm.

ML-KEM, ML-DSA and FN-DSA are widely expected to be incorporated in Internet Engineering Task Force (IETF) protocols, and later included as part of the 3GPP standard in Release 19 or 20.

Learn more about the new quantum-resistant algorithms in our blog post: Migration to quantum-resistant algorithms in mobile networks

From standardization to live deployment: the three steps to quantum-safe networks

Standards development

Secure protocols and algorithms derived from NIST and IETF, are specified in 3GPP technical specifications ensuring interoperability of the networks and radio interfaces. Incorporating the new algorithms to the established standards will take some time, but is essential for ensuring the global interoperability.

Product integration and deployment

We ensure that the latest quantum-resistant cryptographic capabilities can be securely and speedily integrated across all product development lifecycles, including software and firmware updates. Security systems that are embedded in hardware, such as non-upgradeable field service units, require years or even decades of planning and gradual replacement.

Key lifecycle management of secure protocols

Secure network operations are ensured through the continuous managing and monitoring of security performance, vulnerability management and detection of attacks – including response and recovery after breach.

Get closer to quantum-safe networks

Learn about the impact of quantum computing on 5G and 6G security

Read the report

Ericsson and post-quantum cryptography: Driving the agenda for quantum-safe networks

For many years, 3GPP has been at the forefront in updating their security profiles in almost every release following recommendations from academia, IETF and other organizations. A large part of this work has been driven by Ericsson.

Today, Ericsson is active and collaborating with the relevant standardization and industry bodies which are developing technologies and guidelines to utilize quantum computing, quantum communication, and development of quantum-resistant cryptography. This includes contributions to NIST PQC standards, IETF, 3GPP, GSMA Post Quantum Task Network, CISA/DHS, ATIS, and many more.

We will remain active when standards used in 5G such as TLS (Transport Layer Security), IKEv2 (Internet Key Exchange version 2), X.509, JOSE (JavaScript Object Signing & Encryption) and 5G SUCI (Subscription Concealed Identifier) are updated with the finalized NIST algorithms.

While standards may be updated to support the new NIST quantum-resistant algorithms, it remains to be seen at what speed our current public-key cryptography is deprecated. This may, in part, depend on the progress in building quantum computers in the coming years. There is a balance between prudent preparations for switching to post-quantum cryptography and making sure that the investment in implementing post-quantum cryptography will be a long-term secure and good choice.