up:: In the Protocols MOC

PQC in 5G and Mobile Networks

PQC in 5G and mobile networks is the migration of the concrete cryptographic surfaces inside the 5G core onto post-quantum algorithms, and it reaches technical mechanisms the governance-level GSMA PQ.1 assessment frames but doesn’t specify. The 5G security architecture (3GPP TS 33.501) rests on classical elliptic-curve cryptography in three load-bearing places: the SUCI (Subscription Concealed Identifier), which uses ECIES on the SIM to conceal the subscriber’s permanent identity behind the home network’s public key; the 5G-AKA authentication that establishes trust between the device and the network; and the inter-operator SEPP-to-SEPP N32 interface, protected by TLS, that carries roaming signaling between networks.

Each of these is either harvestable now or quantum-forgeable later, so a 5G estate has real quantum exposure below the policy layer, on the 3GPP and ETSI standardization timeline.

The short version:

  1. 5G’s core cryptography rests on classical elliptic-curve schemes, so a quantum computer breaks the same subscriber-privacy, authentication, and inter-operator surfaces the technical view exposes.
  2. SUCI is the subscriber-privacy surface. It uses ECIES (an elliptic-curve encryption scheme) on the SIM to conceal the permanent identity (the SUPI) under the home network’s public key, and it’s harvestable.
  3. 5G-AKA is the authentication surface, establishing keys between the device and the network, and its long-term-key handling is where the deeper protocol change lands.
  4. The SEPP-to-SEPP N32 interface between operators is protected by TLS (with PRINS application-layer protection on top), so it migrates like any inter-domain TLS channel.
  5. This complements GSMA PQ.1: PQ.1 is the five-phase governance assessment, and this note is the technical surfaces it points a telco at, standardized by 3GPP and ETSI.

Picture a subscriber walking up to any cell tower as handing over an ID card. In old mobile networks that card was shown in the clear, so anyone with a scanner could read who you were and track you. 5G puts the card in a sealed envelope that only the subscriber’s home carrier can open, and the seal is an elliptic-curve lock. That’s SUCI. Separately, when you roam onto a partner network, the two carriers exchange messages about you through a diplomatic pouch protected by TLS, which is the N32 link. A quantum computer is a device that can open the sealed envelope after the fact and pick the diplomatic pouch’s lock, so the migration is replacing both locks with post-quantum ones, on the SIM and on the inter-carrier link.

Where does cryptography live in the 5G core?

Cryptography lives in three primary places in the 5G security architecture defined by 3GPP TS 33.501, each protecting a different relationship: the subscriber to the network (identity privacy), the device to the network (authentication), and one operator to another (roaming). Assuming familiarity with the 5G core, the surfaces are:

  1. SUCI, subscriber identity privacy. The permanent subscriber identifier (the SUPI, which for a SIM-based subscription is IMSI-based) is never sent in the clear. The device conceals it into a SUCI using ECIES with the home network’s public key, so only the home network can recover the identity, which fixes the identity-catcher exposure of earlier generations.
  2. 5G-AKA, authentication and key agreement. The device and the network mutually authenticate and derive session keys, detailed in TS 33.501 sub-clause 6.1.3.2, anchored in the long-term key on the SIM.
  3. SEPP and the N32 interface, inter-operator security. The Security Edge Protection Proxy (SEPP) sits at the edge of each operator’s network, and the N32 interface between two SEPPs carries all inter-operator (roaming) signaling, protected by TLS.

Source: 3GPP, “Security architecture and procedures for 5G System,” TS 33.501 (SUCI and ECIES in Annex C, 5G-AKA in §6.1.3.2, SEPP and N32 in §13), 3gpp.org.

SurfaceWhat’s cryptographicQuantum exposureMigration
SUCI (subscriber privacy)ECIES concealment of the SUPI on the SIM, over classical curvesHarvestable: de-conceal identities retroactivelyPost-quantum key establishment on the SIM (constrained-device)
5G-AKA (authentication)Symmetric long-term key on the SIM, plus surrounding public-key materialSymmetric core resistant; public-key surfaces exposedMigrate the public-key surfaces; enlarge symmetric keys
SEPP / N32 (roaming)TLS between operators’ edge proxies, plus PRINS app-layer protectionHarvestable key exchangeHybrid TLS handshake, coordinated between operators

Naming the three separately matters because they carry different quantum clocks and migrate differently: SUCI is a harvestable confidentiality surface, 5G-AKA is an authentication surface, and the N32 link is an inter-domain TLS surface. A telco that treats “5G security” as one thing misses that the migration has three distinct fronts.

How does SUCI use ECIES, and why is it harvestable?

SUCI conceals the subscriber’s permanent identity using ECIES, the Elliptic Curve Integrated Encryption Scheme, and it’s harvestable because the concealment rests on classical elliptic-curve cryptography a quantum computer breaks, exposing the subscriber identity retroactively. To compute a fresh SUCI, the device generates a fresh ephemeral elliptic-curve key pair and combines it with the home network’s provisioned public key to encrypt the SUPI, and the home network uses the received ephemeral public key with its own private key to de-conceal it. 3GPP’s ECIES profiles use the elliptic curves Curve25519 (Profile A) and secp256r1 (Profile B).

Source: 3GPP TS 33.501, Annex C (Protection schemes for concealing the SUPI), which specifies ECIES with Curve25519 and secp256r1, 3gpp.org.

The quantum exposure is a harvest-now-decrypt-later problem for subscriber privacy. An adversary that records concealed SUCIs today and later runs Shor’s algorithm against the home network’s public key (or the ephemeral keys) could de-conceal the permanent identities retroactively, undoing exactly the identity-privacy protection SUCI was introduced to provide. Because the privacy of who was on the network is a long-lived secret for many subscribers, this is a genuine harvesting surface, and the migration replaces the ECIES scheme with a post-quantum key-establishment scheme, a change that reaches down onto the SIM or secure element and inherits the constrained-device size and fit constraints, since the concealment runs on the card.

How does 5G-AKA migrate?

5G-AKA migrates by moving the public-key-dependent parts of its authentication and key agreement onto post-quantum schemes, while its symmetric core, anchored in the long-term key shared between the SIM and the home network, is more resistant. 5G-AKA (TS 33.501 §6.1.3.2) mutually authenticates the device and the network and derives the session key hierarchy, and much of its strength rests on a symmetric long-term key, which Grover’s algorithm only weakens rather than breaks, so a sufficiently long key survives.

The quantum-relevant exposure sits where public-key cryptography enters: the SUCI concealment that precedes authentication (the ECIES surface above), and any certificate or public-key material used in the network functions and their interfaces. So the honest framing is that 5G-AKA’s symmetric authentication core is in better shape than the surrounding public-key surfaces, and the migration priority is the concealment and the inter-operator links rather than the symmetric key agreement itself. This mirrors the pattern in PQC in Kerberos and Active Directory, where a symmetric authentication core is largely resistant and the exposed surface is the public-key pre-authentication around it.

Source: 3GPP TS 33.501, §6.1.3.2 (Authentication procedure for 5G AKA), 3gpp.org; the symmetric-survives, public-key-migrates split follows NIST’s finalized standards and their intended use, NISTIR 8105.

The SEPP-to-SEPP N32 interface migrates like any inter-domain TLS channel, by moving its handshake onto a hybrid post-quantum key exchange, because N32 security rests on TLS between the two operators’ edge proxies. The N32 interface has two parts: N32-c, the control handshake established first between the SEPPs, which negotiates the protection policy and is protected by Mutual TLS; and N32-f, the forwarding plane that carries the actual roaming signaling, which can add PRINS (Protocol for N32 Interconnect Security) application-layer protection on top of the transport-layer TLS for selective encryption of JSON elements.

Source: 3GPP TS 33.501, §13 (Security for the N32 interface, SEPP, N32-c and N32-f, PRINS), 3gpp.org.

The migration is two-layered, matching the two protection layers:

  1. The TLS layer moves onto a hybrid handshake, closing the harvest-now-decrypt-later window on inter-operator signaling, exactly as TLS 1.3 Hybrid Key Exchange describes for any TLS channel.
  2. The PRINS application layer, where used, has its own cryptographic protection of the message elements, which migrates to post-quantum algorithms alongside the transport.

The deployment reality is the weakest-endpoint rule applied across operators: both SEPPs, run by different companies in a roaming relationship, have to support the post-quantum handshake, so the N32 migration is coordinated between operators rather than executed by one, which is the same lockstep problem inter-organization IPsec tunnels face.

What is the 3GPP and ETSI timeline for 5G PQC?

The standardization runs through 3GPP (which owns the 5G security architecture in TS 33.501) and ETSI (which produces European telecom PQC and quantum-safe specifications), and the migration timeline for a telco is anchored more in the broad national and NIST deadlines than in a single binding 5G date. GSMA PQ.1 is explicit that its own assessment is non-binding and borrows its deadlines from NIST and national mandates, so the practical clock for a mobile operator is the same mandate landscape that governs everyone else, applied to the specific 5G surfaces above.

The sequencing that falls out of the surfaces is the familiar one: the harvestable pieces first (the SUCI concealment and the N32 TLS key exchange, both harvestable today), and the authentication and signature pieces on the slower track. The distinctive hard part for telco is the SIM. Because SUCI concealment runs on the subscriber’s SIM or embedded secure element, migrating it is a constrained-device problem across a huge installed base of cards, some of which can’t be updated over the air, which makes the subscriber-privacy surface both the most exposed and the slowest to fully close. That combination is exactly why a telco needs the inventory-and-assessment discipline PQ.1 frames before it sequences the technical work.

Common misconceptions

  1. “5G is new, so it’s already quantum-safe.” 5G’s core cryptography rests on classical elliptic-curve schemes (ECIES for SUCI, ECDH-based key agreement, TLS on N32), all of which a quantum computer breaks. Being a recent standard doesn’t make it post-quantum.
  2. “GSMA PQ.1 covers the technical migration.” PQ.1 is a governance and impact-assessment framework with a five-phase plan. The concrete cryptographic surfaces, SUCI, 5G-AKA, and N32, are specified by 3GPP TS 33.501, which is what actually migrates.
  3. “SUCI protects subscriber identity, so it’s fine.” SUCI’s concealment uses ECIES on classical curves, so it’s harvestable: a recorded SUCI can be de-concealed retroactively once a quantum computer exists, undoing the privacy it provides.
  4. “5G-AKA needs a complete redesign for quantum.” Its symmetric authentication core, anchored in the SIM’s long-term key, is more resistant, weakened rather than broken by Grover’s algorithm. The urgent surfaces are the public-key concealment and the inter-operator TLS around it.
  5. “The operator can migrate N32 on its own.” N32 is a TLS link between two operators’ SEPPs, so both operators in a roaming relationship have to support the post-quantum handshake, which makes it a coordinated migration rather than a unilateral one.

Questions people ask

Is 5G vulnerable to quantum computers? Yes, in specific places. The SUCI subscriber-privacy concealment uses classical ECIES, the inter-operator N32 link uses TLS, and public-key material appears across the core, all of which a quantum computer breaks, so a 5G estate has real quantum exposure below the policy layer.

What is SUCI and why does it matter for quantum? SUCI is the Subscription Concealed Identifier, the encrypted form of the permanent subscriber identity, computed on the SIM using ECIES with the home network’s public key. It matters because that concealment is harvestable: recorded SUCIs can be de-concealed retroactively once a quantum computer exists.

Does 5G-AKA need to migrate? Its symmetric authentication core, anchored in the SIM’s long-term key, is largely resistant because Grover’s algorithm only weakens symmetric keys. The migration priority is the public-key surfaces around it, the SUCI concealment and the inter-operator TLS, rather than the symmetric key agreement itself.

How does the SEPP N32 interface migrate? By moving its TLS handshake onto a hybrid post-quantum key exchange, and migrating any PRINS application-layer protection alongside it. Because N32 links two different operators’ edge proxies, both have to support the new handshake, so it’s a coordinated migration.

How is this different from GSMA PQ.1? PQ.1 is the non-binding governance assessment with a five-phase plan (inventory and risk first). This note is the technical cryptographic surfaces that assessment points at, specified in 3GPP TS 33.501 and standardized with ETSI.

What’s the hardest part of 5G PQC? The SIM. Because SUCI concealment runs on the subscriber’s SIM or secure element, migrating it is a constrained-device problem across a huge installed base of cards, some unable to update over the air, which makes the subscriber-privacy surface both the most exposed and the slowest to close.

When does a mobile operator have to do this? The 5G standards don’t set a single binding PQC date; the practical clock comes from the national and NIST mandates that govern the operator, which PQ.1 explicitly borrows its deadlines from, applied to the specific 5G surfaces.


Everything here is the map, given freely. When your team needs its 5G core surfaces inventoried, its harvestable SUCI concealment and N32 links prioritized, and the SIM-side constrained-device migration sequenced across the installed base, that’s the work I do, and there’s an alignment briefing for it.

Last verified 2026-07-14 · Maintained by Addie LaMarr, LaMarr Labs.