Lakshya Chopra

Lakshya Chopra, Vipin Kumar Rathi

5G Core networks are entering a decisive phase of post-quantum (PQ) migration: operators and vendors are beginning to advertise PQ-TLS 1.3, PQ-IPsec, and hybrid KEM support across the Service-Based Interface (SBI) and N2, N3, N4 reference points, in line with 3GPP TS 33.501, emerging IETF drafts, and NIST FIPS 203, 204, 205. Yet deploying PQ primitives does not guarantee PQ security. A Network Function may advertise ML-KEM-768 and silently fall back to X25519; negotiate a hybrid KEM but authenticate with ECDSA-P256; present an ML-DSA leaf on a classical chain; or skip mutual TLS altogether. These failures are silent on the wire, and today scanners (testssl.sh, sslyze, Qualys) together with 5G-specific fuzzers are PQ-unaware and telecom-blind. We present PQC Validator, a layered PQC assurance framework purpose-built for the cloud-native 5G Core, comprising a PQ Crypto Engine (L1), a PQ Conformance Prober (L2), a PQ Robustness Tester (L3), a PQ Overhead Meter (L4), and an eBPF Attestation Plane for wire-level ground truth. Its scope spans the full control-plane cryptographic surface: an independent PQ-TLS 1.3 client and server, a strongSwan-driven PQ-IPsec harness for N2/N3/N4, an eBPF/XDP/TC monitoring plane that extracts wire-level ground truth on negotiated groups and signatures, and a Kubernetes-native UI that auto-discovers NFs and emits structured PQ evidence classifying every endpoint as classical, hybrid-pq, or full-pq. A compliance suite spans TLS, PQC, 3GPP SBI, NRF OpenAPI, and security hardening, while a protocol fuzzer exercises CVE-class regressions and downgrade paths.

Lakshya Chopra, Vipin Kumar Rathi

Post-quantum signature schemes such as ML-DSA-65 produce signatures of 3,309 bytes and public keys of 1,952 bytes over 50 times larger than classical Ed25519. In TLS-authenticated environments like Kubernetes control planes and 5G Core networks, where every inter-component connection is mutually authenticated, this overhead compounds across thousands of handshakes per second. Merkle Tree Certificates (MTC), currently under development at IETF, replace per-certificate issuer signatures with Merkle inclusion proofs and, in the landmark mode, eliminate on-wire signatures from certificate authentication entirely. We present MTC-based PKI architectures for Kubernetes and 3GPP 5G Service-Based Architecture. Starting from the infrastructure layer, we replace the Kubernetes cluster CA with an MTCA deployment that issues MTC certificates to control plane components, with cosigners and a DaemonSet-based landmark distributor. Building on this, we design a certificate lifecycle for 5G Network Functions deployed against QORE, a post-quantum 5G Core. We implement MTC proof construction and verification in Go crypto/tls and crypto/x509 packages. Our measurements on an Intel i9-12900 show MTC landmark verification completing in under 2 μs compared to 24 microseconds for ECDSA signature verification-with no measurable impact on TLS handshake time. We further propose a 6G-native architecture where the NRF serves as the MTCA and the SCP as witness cosigner, and discuss applicability to Non-Terrestrial Networks.