Quantum-Safe 6G: the protocol bill, and the photons coming up behind it

Reports

Quantum-Safe 6G: the protocol bill, and the photons coming up behind it

by Simon McCorkindale May 12, 2026

6G standardisation is still years away, but the cryptographic choices that will shape it are being made now. Every Five Eyes PQC migration deadline falls before the first commercial 6G radios are expected. A new paper from Toshiba’s Bristol research lab benchmarks how the NIST-standardised primitives behave on actual telecom-relevant hardware — desktop-class, ARM-class edge, and under deliberate network impairment. The findings are useful for anyone planning 6G migration. The paper’s closing sentence — pointing to QKD as the physical-layer complement to lattice-based crypto — is arguably more useful, because three other pieces published in the same fortnight suggest that physical layer is moving out of the lab faster than most operators have noticed.

Reference: arXiv 2605.06881v1, Kudaloor & Aijaz (Toshiba Bristol Research and Innovation Laboratory), accepted IEEE Communications Standards Magazine, 7 May 2026.

What the paper measures

The authors run the NIST-standardised PQC primitives — the underlying cryptographic algorithms themselves (ML-KEM / Kyber, ML-DSA / Dilithium, Falcon), distinct from the protocols like TLS that call them — through liboqs (the Open Quantum Safe project’s reference C library), openssl speed, and full TLS 1.3 handshakes on two reference platforms: an Intel Core i7 standing in for the core, and a Raspberry Pi 4 standing in for ARM-class edge/IoT silicon. Handshakes are measured without session resumption — i.e., every connection is a full key exchange and certificate verification, not a fast-path reuse of a prior session ticket — which is the conservative case for migration costing. They benchmark primitives in isolation, full handshakes under ideal conditions, and handshakes under deliberate network impairment via tc netem (a Linux kernel utility that injects controlled latency, packet loss and reordering into a network interface, used to simulate real wireless conditions in the lab). They also tabulate ciphertext expansion at the algorithm level and the corresponding TCP payload growth at the protocol layer.

Three results are worth carrying out of the paper.

The handshake bill is manageable, but it isn’t zero. Hybrid X25519MLKEM768 adds roughly 2 KB to a TLS 1.3 handshake versus classical X25519. Adding an ML-DSA signature pushes that to nearly 10 KB. CPU utilisation barely moves on a desktop-class core; energy consumption is about 36% higher per connection. Per session that’s nothing. Across the billions of short-lived sessions a national 6G network will mint daily, it’s a power-budget line item.

Constrained hardware sees a different paper. On the i7, ML-KEM keygen runs comparable to classical X25519. On the Raspberry Pi 4, classical retains a clear edge across every ML-KEM variant, and the i7 is roughly 2× the Pi everywhere — the gap is microarchitecture and SIMD width (single-instruction-multiple-data vector units, which x86 has wider and more mature than embedded ARM). None of that is abundant on the silicon inside a sensor, a meter, or a handset. The authors are clear: PQC is competitive on high-performance platforms; on constrained ones, parameter choice and ciphertext size are decisive.

The wire is fine, until the wire isn’t. Under loss-free lab conditions, PQC-enabled TLS is broadly comparable to classical. Introduce 50 ms of delay, or 20 ms with 0.5% packet loss, and Falcon-512 handshake throughput collapses from 5,600 down to dozens. Handshake scalability becomes, in the authors’ phrase, “strongly network-limited.” Vendor benchmarks are typically run on loopback; the deployment is a radio.

The consequences land on standards bodies, not just engineers. PQC is not a drop-in replacement: different key sizes, different handshake semantics, different failure modes. 3GPP has to specify how PQC and hybrid schemes are negotiated in authentication and key agreement. ETSI has to publish migration profiles operators can phase in. GSMA has to translate that into guidance for roaming and certificate management during transition. None of this is finished. All of it is on the critical path for 6G.

The closing sentence is doing real work

The paper’s last line — “combining lattice-based schemes such as ML-KEM with physical-layer approaches like QKD can support long-term secure and resilient 6G networks” — is worth re-reading. PQC is a layer-7 problem with a bounded, knowable handshake bill. QKD is a layer-1 option for the legs of the network where the fibre belongs to one operator and the threat model is harvest-now-decrypt-later by a state-level adversary. They aren’t substitutes. They sit on different layers of the same network. And the physical layer is moving.

Three weeks, three steps out of the lab

IonQ + Florida LambdaRail, 27 April 2026. A Master Service Agreement to deploy IonQ’s QKD across FLR’s 1,540-mile research-and-education (R&E) dark-fibre backbone — the kind of dedicated NREN infrastructure that universities and research labs run between themselves, parallel to the commercial telco network. The first phase is a 100-mile three-node corridor between Palm Beach and Miami-Dade, the first US statewide quantum-safe network initiative. Following IonQ’s existing deployments in Switzerland and Romania (RoNaQCI). Production fibre, not a testbed.

Wang et al., Light: Science & Applications, 9 May 2026. Time-bin QKD over 120 km of standard fibre using a telecom C-band on-demand quantum-dot single-photon source. Sustained ~15 bps secure key rate over six hours of continuous unattended operation. Modest rate, but solid-state, intrinsically robust against environmental drift, and a system that ran without manual realignment.

Albrechtsen et al., arXiv 2510.09251 (Niels Bohr / Sparrow Quantum / Bochum / Basel, Oct 2025) and Anisimov et al., arXiv 2605.03717v1 (HZDR Dresden, May 2026). Two complementary pieces of hardware. The first is a telecom-band quantum dot photon source in a waveguide compatible with silicon photonics and standard CMOS drive voltages — the source side of long-haul QKD, on industrial substrates. The second is chlorine-defect quantum memory in silicon carbide with telecom O- and C-band emission, spin-active at room temperature, on a wafer-scalable platform — the memory side of the quantum-repeater problem.

Source telecom-band, memory telecom-band, both on industrial substrates, on the same fibre carrying your ML-KEM hybrid TLS today.

Where the rest of the world actually sits

It would be easy, reading the QKD news, to assume operators globally are well ahead of where they are. The data says otherwise. GSMA Intelligence’s 2025 Operator Quantum Survey, covering 100+ mobile operators worldwide, found 20% have rolled out some form of QKD and 8% of IoT devices in active service are quantum-safe — meaning roughly 80% of surveyed operators haven’t started on QKD, and over 90% of IoT devices remain exposed. The GSMA Post-Quantum Telecom Network task force, initiated by IBM and Vodafone in 2022 and now the centre of gravity for the industry conversation, lists 50+ telcos and 20+ major operators among its members. Significant, but a fraction of the global operator base.

The visible leaders are a small group. Telefónica stood up a Quantum Technology Centre of Excellence in 2025. Deutsche Telekom has been running its Berlin Quantum Lab since 2023. Vodafone co-founded the GSMA task force. Singtel sells a managed quantum-safe security service to enterprises. KDDI, NTT, BT, Orange and SK Telecom have all run QKD pilots. A Tier-1 carrier QuSecure presented at MWC Barcelona in March 2026 has X25519+ML-KEM-768 hybrid TLS deployed across a brownfield estate via a proxy-mesh approach — the first published case study of post-quantum TLS in production telecom infrastructure. On the GSMA’s own numbers, the rest of the global field is mostly still in cryptographic inventory and planning.

The NZ read

New Zealand’s position is broadly the position of an average global operator — neither a leader nor uniquely behind. The April scan showed no NZ telco running origin-side post-quantum TLS on the public web edge, the easiest surface to migrate; the 5G core and signalling planes the Kudaloor and Aijaz paper actually benchmarks sit several layers deeper, and we have no public data on those. No operator here has yet published the kind of quantum-safe roadmap that Telefónica, Deutsche Telekom or Vodafone have, and no NZ analogue to Florida LambdaRail, the Australian Quantum Network or Singapore’s National Quantum-Safe Network exists today. REANNZ — New Zealand’s NREN, equivalent in role to FLR — runs 100 Gbps fibre across both islands; Chorus and the Local Fibre Companies operate the commercial access fibre; submarine cables run to Sydney, Hawaii and beyond. None of it currently carries quantum keys, and quantum-safe network infrastructure appears in neither NZIAT’s Quantum Technology Discovery Process scope (as currently signalled) nor in DPMC’s critical infrastructure consultation — which, as we submitted in April, doesn’t mention cryptography at all.

The point isn’t that NZ is uniquely behind — on the GSMA numbers, the global bar is low and most operators are still planning rather than deploying. The point is that the bar is moving, the leaders are pulling away, and the planning is more useful done now than later. The Kudaloor and Aijaz paper is a useful artefact for the 6G PQC migration conversation NZ operators should be having on the same timetable as everyone else. The three QKD developments behind it are a useful artefact for a quantum-network conversation we don’t yet appear to be having at all.

There is no prize for going last.

Kaysec is the post-quantum security practice of Spinsphere, a New Zealand-based quantum technology company. We help NZ organisations with cryptographic inventory, HNDL risk assessment, and PQC migration planning. Get in touch.