Q-RAN Architecture Secures O-RAN Networks Against Future Cryptanalytically Relevant Quantum Computers

Quantum Zeitgeist
The future of mobile networks, built on increasingly flexible and open architectures known as Open Radio Access Networks, now faces a significant security challenge from the rapidly advancing field of quantum computing. Vipin Rathi, Lakshya Chopra, and Madhav Agarwal, along with their colleagues, address this threat by presenting Q-RAN, a comprehensive security framework designed to protect disaggregated O-RAN ecosystems. Their research demonstrates how to integrate newly standardised post-quantum cryptographic algorithms, including ML-KEM and ML-DSA, with robust random number generation, to safeguard networks against the ‘Harvest Now, Decrypt Later’ attack strategy. By deploying these algorithms across all O-RAN interfaces and establishing a centralised post-quantum certificate authority, this work provides a complete blueprint for securing the next generation of mobile communications against powerful, future adversaries.

The team systematically integrates NIST-standardized post-quantum cryptography, specifically the ML-KEM and ML-DSA algorithms, into key telecommunications security protocols including mTLS, DTLS, and IPsec. This proactive approach addresses vulnerabilities created by the disaggregated architecture of O-RAN and the potential for “Harvest Now, Decrypt Later” attacks, where encrypted data is intercepted and stored for future decryption with quantum computers.

The team developed Q-RAN, a system combining classical and post-quantum cryptography for a gradual and minimally disruptive transition, leveraging the xFAPI interface to seamlessly integrate post-quantum algorithms into the network architecture. A key innovation is the use of composite signatures, combining established classical algorithms with the ML-DSA post-quantum algorithm for enhanced security and compatibility, further supported by composite certificates facilitating a smooth transition to a fully quantum-resistant network. Q-RAN incorporates principles of Zero Trust architecture to enhance overall security and aligns with the ongoing NIST post-quantum cryptography standardization process, contributing to relevant IETF standards including those governing TLS, DTLS, and IKEv2 to ensure interoperability. Recognizing the performance overhead associated with post-quantum algorithms, the research emphasizes the need for optimization and addresses the challenges of IP fragmentation in a post-quantum environment.

The team used software libraries such as OpenSSL, liboqs, wolfSSL, and NVIDIA cuPQC to accelerate post-quantum cryptographic operations, and also explored hardware acceleration, such as NVIDIA DOCA, to further improve performance.

The team engineered a system integrating NIST-standardized Post-Quantum Cryptography (PQC) algorithms, notably ML-KEM and ML-DSA, with Quantum Random Number Generators (QRNGs) to bolster cryptographic entropy, ensuring robust entropy pools and resistance against advanced attacks targeting randomness prediction. The QRNG infrastructure consists of hardware generators strategically positioned within the network architecture, with a primary unit provisioned within the Service Management and Orchestration (SMO) to provide high-entropy randomness for the Post-Quantum Certificate Authority's (PQ-CA) root key generation and certificate issuance. Network functions incorporate these QRNGs into their local entropy pools, accessing them via FIPS-validated cryptographic modules for use in TLS connections and long-lived IPsec sessions. The researchers used QRNG chips that underwent NIST's rigorous Entropy Validation Programs, ensuring the quality and unpredictability of the generated randomness.

To secure O-RAN interfaces, the team implemented PQ-IPsec, extending the classical IKEv2 protocol with Post-Quantum Hybrid KEMs like ECDHE+ML-KEM-768 for shared key establishment, while also mixing in Post-Quantum Pre-Shared Keys to mitigate "Harvest Now, Decrypt Later" (HNDL) risks and enhance IPsec tunnel security. The study also integrated PQ-TLS and PQ-DTLS protocols, employing hybrid handshakes that combine post-quantum and classical algorithms to ensure crypto-agility, backward compatibility, and quantum resistance. A PQ-CA was established to issue and validate certificates using PQ signatures, replacing RSA/ECC-based roots of trust and providing long-term authenticity for devices and applications within O-RAN trust domains.

The researchers detail the implementation of the ML-KEM and ML-DSA algorithms, integrated with QRNGs to ensure cryptographic entropy, establishing a robust foundation for quantum-resistant security. Experiments demonstrate a complete roadmap for securing disaggregated O-RAN ecosystems, utilizing open-source tools like strongSwan and OpenSSL with the OQS provider.
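The IKEv2 key derivation behind the PQ-IPsec design described above, as an added example that is not code from the article or from the Q-RAN paper. It assumes the hybrid exchange follows RFC 9370 (an additional key exchange in IKE_INTERMEDIATE) and the pre-shared key mixing follows RFC 8784, uses HMAC-SHA-256 as the PRF, derives only SK_d, and substitutes constructed byte strings for real ECDH and ML-KEM-768 outputs.

```python
import hashlib
import hmac

def prf(key: bytes, data: bytes) -> bytes:
    """IKEv2 PRF; HMAC-SHA-256 is assumed here."""
    return hmac.new(key, data, hashlib.sha256).digest()

def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """prf+ (RFC 7296, 2.13): T1 = prf(K, S|0x01), Tn = prf(K, T(n-1)|S|n)."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = prf(key, block + seed + bytes([counter]))
        out += block
        counter += 1
    return out[:length]

def derive_sk_d(ecdh_ss, mlkem_ss, ppk, ni, nr, spi_i, spi_r):
    """Return SK_d after the classical, ML-KEM and PPK steps."""
    ctx = ni + nr + spi_i + spi_r
    # IKE_SA_INIT: classical (EC)DH secret only.
    sk_d = prf_plus(prf(ni + nr, ecdh_ss), ctx, 32)
    # IKE_INTERMEDIATE (RFC 9370): chain in the ML-KEM shared secret.
    sk_d = prf_plus(prf(sk_d, mlkem_ss + ni + nr), ctx, 32)
    # RFC 8784: mix the post-quantum pre-shared key into SK_d.
    return prf_plus(ppk, sk_d, 32)

def sample(label: str) -> bytes:
    """Constructed 32-byte stand-in for a secret, nonce or SPI source."""
    return hashlib.sha256(label.encode()).digest()

# Constructed sample values, not captured from any real exchange.
NI, NR = sample("Ni"), sample("Nr")
SPI_I, SPI_R = sample("SPIi")[:8], sample("SPIr")[:8]
ECDH_SS, MLKEM_SS, PPK = sample("ecdh"), sample("mlkem768"), sample("ppk")

def session_key(ecdh_ss=ECDH_SS, mlkem_ss=MLKEM_SS, ppk=PPK) -> bytes:
    """SK_d for the constructed exchange, with optional substituted secrets."""
    return derive_sk_d(ecdh_ss, mlkem_ss, ppk, NI, NR, SPI_I, SPI_R)

if __name__ == "__main__":
    real = session_key()
    # Knowing the ECDH secret alone (the HNDL scenario) does not give SK_d.
    print("ECDH only :", session_key(mlkem_ss=bytes(32), ppk=bytes(32)) == real)
    print("ECDH+KEM  :", session_key(ppk=bytes(32)) == real)
    print("all three :", session_key() == real)
```

Because each stage keys the next, a recorded session stays protected unless the classical secret, the ML-KEM secret and the pre-shared key are all recovered.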

The team successfully implemented PQ-CA within the SMO, functioning as a unified trust anchor for the network and a quantum-secure counterpart to traditional Public Key Infrastructure (PKI). Analysis of O-RAN interfaces revealed critical security requirements, with the A1 and Open Fronthaul interfaces all requiring quantum-resistant upgrades. Researchers meticulously mapped security protocols to each interface, ensuring comprehensive protection across the entire network. The F1 interface, connecting the O-CU and O-DU, is secured with both PQ-IPsec and PQ-DTLS, while the A1 interface utilizes PQ-mTLS for authenticated policy exchange.

The team confirms that the SMO's central function makes it ideally suited to serve as both the PQ-CA and a Post-Quantum Authorization Server. This work delivers a practical, end-to-end tested solution, paving the way for a realistic evolution from classical to quantum-safe O-RAN setups.

More information: Q-RAN: Quantum-Resilient O-RAN Architecture. ArXiv: https://arxiv.org/abs/2510.19968

Source Information

Source: Quantum Zeitgeist