Post-Quantum Cryptographic Analysis of Message Transformations Across the Network Stack

TL;DR

This paper introduces a formal framework to analyze how cryptographic transformations across network layers impact post-quantum security, revealing key vulnerabilities and dependencies in wireless protocols.

Contribution

It develops a lattice-based model for composing per-layer post-quantum cryptographic statuses and applies it to real-world scenarios, highlighting critical security insights.

Findings

WPA2-Personal offers better PQC security than WPA3-Personal and WPA2-Enterprise.

A single post-quantum layer suffices for payload confidentiality.

Complete authentication requires migration of all layers.

Abstract

When a user sends a message over a wireless network, the message does not travel as-is. It is encrypted, authenticated, encapsulated, and transformed as it descends the protocol stack from the application layer to the physical medium. Each layer may apply its own cryptographic operations using its own algorithms, and these algorithms differ in their vulnerability to quantum computers. The security of the overall communication depends not on any single layer but on the \emph{composition} of transformations across all layers. We develop a preliminary formal framework for analyzing these cross-layer cryptographic transformations with respect to post-quantum cryptographic (PQC) readiness. We classify every per-layer cryptographic operation into one of four quantum vulnerability categories, define how per-layer PQC statuses compose across the full message transformation chain, and prove that this composition forms a bounded lattice with confidentiality composing via the join (max) operator and authentication via the meet (min). We apply the framework to five communication scenarios spanning Linux and iOS platforms, and identify several research challenges. Among our findings: WPA2-Personal provides strictly better PQC posture than both WPA3-Personal and WPA2-Enterprise; a single post-quantum layer suffices for payload confidentiality but \emph{every} layer must migrate for complete authentication; and metadata protection depends solely on the outermost layer.