Empowering Mobile Networks Security Resilience by using Post-Quantum Cryptography

TL;DR

This paper demonstrates the practical integration of post-quantum cryptography into 5G core networks using a sidecar approach, quantifying latency impacts and showing a feasible path for quantum-resistant 5G security.

Contribution

It presents an experimental implementation of NIST-standardized PQC in an open-source 5G core, analyzing latency overheads and proposing a non-disruptive migration strategy.

Findings

PQC increases end-to-end SBI latency by approximately 54 ms.

Latency overhead is about 48-49 ms compared to classical TLS.

Certificate validation significantly impacts overall delay.

Abstract

The transition to a cloud-native 5G Service-Based Architecture (SBA) improves scalability but exposes control-plane signaling to emerging quantum threats, including Harvest-Now, Decrypt-Later (HNDL) attacks. While NIST has standardized post-quantum cryptography (PQC), practical, deployable integration in operational 5G cores remains underexplored. This work experimentally integrates NIST-standardized ML-KEM-768 and ML-DSA into an open-source 5G core (free5GC) using a sidecar proxy pattern that preserves unmodified network functions (NFs). Implemented on free5GC, we compare three deployments: (i) native HTTPS/TLS, (ii) TLS sidecar, and (iii) PQC-enabled sidecar. Measurements at the HTTP/2 request-response boundary over repeated independent runs show that PQC increases end-to-end Service-Based Interface (SBI) latency to approximately 54 ms, adding a deterministic 48-49 ms overhead relative to the classical baseline, while maintaining tightly bounded variance (IQR <= 0.2 ms, CV < 0.4%). We also quantify the impact of Certification Authority (CA) security levels, identifying certificate validation as a tunable contributor to overall delay. Overall, the results demonstrate that sidecar-based PQC insertion enables a non-disruptive and operationally predictable migration path for quantum-resilient 5G signaling.