Enregistré dans:
Détails bibliographiques
Auteurs principaux: Chopra, Lakshya, Rathi, Vipin Kumar
Format: Preprint
Publié: 2026
Sujets:
Accès en ligne:https://arxiv.org/abs/2605.01454
Tags: Ajouter un tag
Pas de tags, Soyez le premier à ajouter un tag!
_version_ 1866914526330355712
author Chopra, Lakshya
Rathi, Vipin Kumar
author_facet Chopra, Lakshya
Rathi, Vipin Kumar
contents 5G Core networks are entering a decisive phase of post-quantum (PQ) migration: operators and vendors are beginning to advertise PQ-TLS 1.3, PQ-IPsec, and hybrid KEM support across the Service-Based Interface (SBI) and N2, N3, N4 reference points, in line with 3GPP TS 33.501, emerging IETF drafts, and NIST FIPS 203, 204, 205. Yet deploying PQ primitives does not guarantee PQ security. A Network Function may advertise ML-KEM-768 and silently fall back to X25519; negotiate a hybrid KEM but authenticate with ECDSA-P256; present an ML-DSA leaf on a classical chain; or skip mutual TLS altogether. These failures are silent on the wire, and today scanners (testssl.sh, sslyze, Qualys) together with 5G-specific fuzzers are PQ-unaware and telecom-blind. We present PQC Validator, a layered PQC assurance framework purpose-built for the cloud-native 5G Core, comprising a PQ Crypto Engine (L1), a PQ Conformance Prober (L2), a PQ Robustness Tester (L3), a PQ Overhead Meter (L4), and an eBPF Attestation Plane for wire-level ground truth. Its scope spans the full control-plane cryptographic surface: an independent PQ-TLS 1.3 client and server, a strongSwan-driven PQ-IPsec harness for N2/N3/N4, an eBPF/XDP/TC monitoring plane that extracts wire-level ground truth on negotiated groups and signatures, and a Kubernetes-native UI that auto-discovers NFs and emits structured PQ evidence classifying every endpoint as classical, hybrid-pq, or full-pq. A compliance suite spans TLS, PQC, 3GPP SBI, NRF OpenAPI, and security hardening, while a protocol fuzzer exercises CVE-class regressions and downgrade paths.
format Preprint
id arxiv_https___arxiv_org_abs_2605_01454
institution arXiv
publishDate 2026
record_format arxiv
spellingShingle PQC Validator: Validating Post-Quantum Readiness in Cloud-Native 5G Core Networks
Chopra, Lakshya
Rathi, Vipin Kumar
Cryptography and Security
5G Core networks are entering a decisive phase of post-quantum (PQ) migration: operators and vendors are beginning to advertise PQ-TLS 1.3, PQ-IPsec, and hybrid KEM support across the Service-Based Interface (SBI) and N2, N3, N4 reference points, in line with 3GPP TS 33.501, emerging IETF drafts, and NIST FIPS 203, 204, 205. Yet deploying PQ primitives does not guarantee PQ security. A Network Function may advertise ML-KEM-768 and silently fall back to X25519; negotiate a hybrid KEM but authenticate with ECDSA-P256; present an ML-DSA leaf on a classical chain; or skip mutual TLS altogether. These failures are silent on the wire, and today scanners (testssl.sh, sslyze, Qualys) together with 5G-specific fuzzers are PQ-unaware and telecom-blind. We present PQC Validator, a layered PQC assurance framework purpose-built for the cloud-native 5G Core, comprising a PQ Crypto Engine (L1), a PQ Conformance Prober (L2), a PQ Robustness Tester (L3), a PQ Overhead Meter (L4), and an eBPF Attestation Plane for wire-level ground truth. Its scope spans the full control-plane cryptographic surface: an independent PQ-TLS 1.3 client and server, a strongSwan-driven PQ-IPsec harness for N2/N3/N4, an eBPF/XDP/TC monitoring plane that extracts wire-level ground truth on negotiated groups and signatures, and a Kubernetes-native UI that auto-discovers NFs and emits structured PQ evidence classifying every endpoint as classical, hybrid-pq, or full-pq. A compliance suite spans TLS, PQC, 3GPP SBI, NRF OpenAPI, and security hardening, while a protocol fuzzer exercises CVE-class regressions and downgrade paths.
title PQC Validator: Validating Post-Quantum Readiness in Cloud-Native 5G Core Networks
topic Cryptography and Security
url https://arxiv.org/abs/2605.01454