By David Close
As the era of quantum computing approaches, telecom networks and critical digital infrastructure face a fundamental rethinking of how secure communication is managed. Although practical quantum computers capable of breaking today’s public key encryption may still be a decade away, the threat is already forming through “harvest now, decrypt later” attacks.
Malicious actors are intercepting and storing encrypted traffic today, with the intent to decrypt it in the future. This means data protected now by conventional cryptographic systems could be compromised once quantum machines become viable, making proactive defences not optional, but essential.
The telecom sector—encompassing mobile network operators, ISPs, and 5G infrastructure providers—faces a unique risk. These systems must ensure the long-term confidentiality, integrity, and availability of sensitive information, yet much of the industry still depends on classical encryption methods such as RSA and ECC. These older algorithms are deeply embedded but will eventually fall short in a post-quantum environment.
The Calm Before the Quantum Storm
Key telecom assets—such as control plane signalling, subscriber identities, and spectrum authorisation credentials—are not ephemeral. If compromised, they could undermine network resilience, consumer privacy, and even national security. Already, adversaries are banking on future quantum decryption by collecting traffic now, underlining the urgency for change.
Experts predict that practical quantum computers may emerge between 2035 and 2040. However, because post-quantum cryptographic (PQC) defences cannot be retrofitted to historical data, networks must begin adapting now. Quantum readiness is not merely a best practice—it is a strategic necessity.
Complexity of PQC in Telecom Environments
Telecom networks are inherently complex, built layer by layer across generations of equipment and protocols. Many of these systems were never designed to handle the increased cryptographic demands of PQC. Classical encryption is embedded throughout—from SIM authentication and VPN tunnels to signalling protocols such as Diameter and SIP. Even protocols such as TLS, which secure management interfaces, face challenges in accommodating quantum-resistant encryption.
Transitioning to PQC presents a range of technical and operational challenges for telecom networks. One of the most immediate concerns is the significantly larger key sizes and digital signatures associated with PQC algorithms, which increase bandwidth consumption and storage requirements across the network. This can be particularly problematic for devices with limited resources.
Protocol compatibility also emerges as a critical hurdle. Many existing telecom protocols were not designed to accommodate the computational demands or structural changes introduced by PQC, meaning they may require complete redesigns or extensions to function effectively. At the hardware level, legacy infrastructure may lack the processing power or memory capacity to support PQC, necessitating costly upgrades or full equipment replacement.
Ensuring backward compatibility during the transition phase is equally important. Networks must be able to support both classical and quantum-safe cryptography simultaneously to avoid disruptions. This becomes even more challenging in constrained environments such as the Radio Access Network (RAN) or edge nodes, where devices often operate with minimal computing and memory headroom. In such settings, the integration of PQC can strain existing systems unless carefully optimised.
Hybrid Cryptography as the Transition Path
In response to these challenges, hybrid cryptography has emerged as a viable transition model. It involves the simultaneous use of classical and quantum-safe algorithms for encryption and signatures. This approach offers protection against both current and future threats while allowing continued compatibility with existing systems.
For instance, digital certificates can be designed to support RSA alongside quantum-safe alternatives such as Kyber or ML-DSA. These hybrid credentials can be deployed across various functions—including identity management, secure boot, firmware updates, and intra-network communications—allowing operators to introduce PQC incrementally without risking systemic failure.
Phased Implementation Roadmap for PQC Adoption
A structured and phased approach is crucial for transitioning to PQC in telecom environments. The process begins with a full asset inventory and classification, cataloguing all cryptographic instances across the network, from SIM/eSIM authentication to TLS in the management plane. Each asset should be tagged based on risk profile and expected lifespan.
Next, PQC requirements must be embedded into procurement and vendor contracts, specifying algorithm suites such as Kyber and Dilithium as well as integration constraints. Operators can then conduct controlled proof-of-concept pilots, deploying hybrid (classical plus PQC) encryption in isolated, low-risk environments such as internal BSS/OSS interfaces. These trials help evaluate latency, interoperability, and operational impact.
This is followed by a gradual rollout of hybrid credentials to more critical areas—control plane components, lawful interception APIs, and subscriber provisioning systems. Performance should be closely monitored with the ability to roll back configurations if thresholds are exceeded.
Finally, once PQC adoption reaches maturity, classical-only cryptographic certificates and keys should be systematically retired, ensuring complete transition.
PQC Integration in 5G and Open RAN Networks
Real-world applications demonstrate that PQC integration can occur without disrupting operations. For example, in 5G authentication, operators can implement the 5G Authentication and Key Agreement (AKA) Hybrid Post-Quantum Cryptography protocol by layering a PQC key encapsulation mechanism such as Kyber over ECIES, the Elliptic Curve Integrated Encryption Scheme. This helps preserve forward secrecy and prevent linkability attacks, all while retaining the existing message flow of 5G AKA.
In Open RAN environments, Kyber can be embedded within IPsec tunnels between central and distributed units (CU and DU), using hardware-based crypto accelerators to preserve line-rate throughput and minimise jitter. Kyber’s efficiency and performance profile make it suitable even for constrained, latency-sensitive deployments.
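The hybrid key establishment discussed in this section, and the hybrid model introduced earlier, rest on deriving one session key from both a classical and a PQC shared secret. The sketch below is an added example, not code from the article or from any 5G specification: it uses a generic concatenate-then-HKDF combiner, and the shared secrets, ciphertexts and the `hybrid-demo-v1` label are constructed placeholders rather than output of real ECIES or Kyber operations.

```python
import hashlib
import hmac

def hkdf_sha256(ikm, salt, info, length=32):
    """HKDF with SHA-256 (RFC 5869): extract a PRK, then expand it."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def lp(field):
    """Length-prefix a field so concatenated inputs cannot be re-split differently."""
    return len(field).to_bytes(4, "big") + field

def hybrid_session_key(ss_classical, ss_pqc, ct_classical, ct_pqc,
                       label=b"hybrid-demo-v1"):  # hypothetical context label
    """Derive one key from both shared secrets, bound to both ciphertexts."""
    if not ss_classical or not ss_pqc:
        raise ValueError("both shared secrets are required; no single-secret fallback")
    ikm = lp(ss_classical) + lp(ss_pqc)
    info = label + lp(ct_classical) + lp(ct_pqc)
    return hkdf_sha256(ikm, salt=b"", info=info)

# Constructed inputs standing in for real ECDH and KEM outputs.
SS_EC = bytes(range(32))        # classical (ECIES/ECDH) shared secret
SS_KEM = bytes(range(32, 64))   # PQC KEM shared secret
EPH_PUB = b"\x01" * 32          # classical ephemeral public key
KEM_CT = b"\x02" * 1088         # KEM ciphertext (ML-KEM-768 size)

if __name__ == "__main__":
    key = hybrid_session_key(SS_EC, SS_KEM, EPH_PUB, KEM_CT)
    print("session key:", key.hex())
```

Because both secrets feed the key derivation, recovering the session key requires breaking the classical and the PQC component together, and the missing-secret check keeps the function from silently degrading to a classical-only key.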
Anticipating New Vulnerabilities and Threats
As with any transformation, PQC adoption introduces new risks. Telecom networks must guard against novel attack vectors associated with PQC technologies.
Side-channel leaks are a primary concern, especially since large lattice-based operations can expose timing and power patterns. Countermeasures include implementing hardware accelerators with constant-time execution and using masking techniques to obscure these patterns.
Crypto agility is another essential requirement. Devices lacking firmware update paths remain tethered to vulnerable classical-only stacks. Ensure all devices support secure firmware updates and mandate secure boot and remote attestation in chipset designs, enabling rapid migration to new cryptographic standards as threats evolve.
These considerations should be consolidated under network architecture design, reducing duplication across policy and implementation frameworks.
Hybrid fallback mechanisms pose yet another risk: misconfigured clients may accept weaker classical signatures when PQC verification fails. Strict certificate-chain policies should reject legacy-only signatures in that case rather than fall back to them.
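The fallback risk above comes down to whether a client combines the two signature checks with OR or with AND. The following is an added example, not code from the article: it contrasts a lenient verifier with a strict chain policy, using hypothetical algorithm labels and constructed chains in which each signature's verification result is given as a boolean instead of being computed by a real cryptographic library.

```python
# Hypothetical algorithm labels used by this example's policy.
CLASSICAL = {"RSA", "ECDSA"}
PQC = {"ML-DSA"}

def verify_lenient(chain):
    """Misconfigured client: one valid signature of any kind is accepted."""
    return all(any(results.values()) for _subject, results in chain)

def verify_strict(chain):
    """Each certificate needs a valid classical AND a valid PQC signature."""
    if not chain:
        return (False, ["empty chain"])
    reasons = []
    for subject, results in chain:
        for family, name in ((CLASSICAL, "classical"), (PQC, "PQC")):
            present = [alg for alg in results if alg in family]
            if not present:
                reasons.append(f"{subject}: no {name} signature")
            elif not all(results[alg] for alg in present):
                reasons.append(f"{subject}: {name} signature invalid")
    return (not reasons, reasons)

# Constructed chains: (subject, {algorithm: verification result}).
ROOT = ("root-ca", {"RSA": True, "ML-DSA": True})
HYBRID_OK = [ROOT, ("gnb-01", {"ECDSA": True, "ML-DSA": True})]
PQC_FAILED = [ROOT, ("gnb-01", {"ECDSA": True, "ML-DSA": False})]
LEGACY_ONLY = [ROOT, ("gnb-01", {"ECDSA": True})]

if __name__ == "__main__":
    for name, chain in (("hybrid ok", HYBRID_OK), ("PQC failed", PQC_FAILED),
                        ("legacy only", LEGACY_ONLY)):
        ok, reasons = verify_strict(chain)
        print(f"{name}: lenient={verify_lenient(chain)} strict={ok} {reasons}")
```

The lenient verifier accepts all three chains, while the strict policy accepts only the fully hybrid one and returns the reason for each rejection, which is the detail to log when monitoring a rollout.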
Capacity Planning and Performance Benchmarking
Telecom operators must model compute and bandwidth overheads for PQC operations. Early benchmarking of PQC algorithms in a specific network environment is critical to anticipate performance impacts and right-size hardware investments.
Key generation using Kyber is typically three times slower than Elliptic Curve Digital Signature Algorithm (ECDSA) on CPU-only platforms, though performance improves significantly with AVX (Advanced Vector Extensions) acceleration. Encryption and decryption (encapsulation and decapsulation) demand 1.5 to 2 times more CPU cycles than ECIES. These operations can be offloaded to cryptographic hardware in high-traffic gateways to minimise bottlenecks.
Signature verification with algorithms such as Dilithium may require up to 2 MB of RAM per session. Edge nodes must be appropriately provisioned to handle this load without service degradation.
Aligning with Standards and Regulations
Ensuring compliance and maintaining future readiness require ongoing staff training and active participation in standards development organisations, which help operators stay ahead of evolving requirements and best practices.
Operators should actively track developments in 3GPP SA3 workstreams related to signalling and ETSI TC CYBER guidance for secure network functions. Aligning PQC deployment timelines with NIST’s FIPS-approved module releases—such as support for Falcon and SPHINCS+ expected in 2025—is critical.
Regional mandates are also evolving. For example, in Europe, the cybersecurity roadmap of the European Union Agency for Cybersecurity (ENISA) requires PQC readiness across critical infrastructure by 2027. Similar regulatory moves are under consideration across APAC and North America.
The Urgency Behind Post-Quantum Preparedness
The shift to quantum-safe encryption will be one of the most consequential overhauls in telecom security. Waiting for quantum computing to become mainstream is not a viable option. Once functional machines are online, data encrypted today could already be compromised.
Yet this challenge also presents an opportunity. The transition requires years of planning, testing, and coordinated execution. The process of moving to PQC allows operators to modernise their cryptographic infrastructure holistically, replacing outdated practices, streamlining key management, and building trust across the telecom ecosystem.
Ultimately, it means embracing true crypto-agility: recognising that evolving protocols and emerging threats are not one-off challenges but an ongoing reality, and adopting a mindset and way of operating in which defences are continuously updated to the latest protective standards.
Quantum Resilience Must Start Now
Telecom networks function as the digital nervous system of national economies. Their resilience must extend not just to current threats but also to those looming on the horizon. Quantum computing represents a disruptive force that could compromise the confidentiality of communications at scale unless addressed with urgency and foresight.
By adopting hybrid cryptography, following a phased implementation roadmap, testing real-world PQC integrations, mitigating new vulnerabilities, preparing for performance impact, and aligning with global standards, telecom operators can transform potential weaknesses into long-term strength.
The message is clear: the time to quantum-proof telecom is now. Because when the quantum storm arrives, only those who planned ahead will remain secure.
The author is the Chief Solutions Architect of Futurex.