Building quantum-safe telecom infrastructure for 5G and beyond
Benjamin Ryzman
on 24 February 2026
Tags: 5G core network, Open RAN, Post Quantum Cryptography, Security
coRAN Labs and Canonical at MWC Barcelona 2026
At MWC Barcelona 2026, coRAN Labs and Canonical are presenting a working demonstration of a cloud-native, quantum-safe telecom platform for 5G and beyond 5G networks.
This is not a conceptual exercise. It is a full 5G System (5GS) deployment with post-quantum cryptography embedded across the stack – from radio access to core, from transport interfaces to orchestration and public key infrastructure (PKI).
The objective is straightforward: show how telecommunications operators can modernize their networks using open source infrastructure while preparing for the cryptographic realities of the coming decade.
Why quantum-safe telecom matters now
The industry has long relied on the Rivest–Shamir–Adleman cryptosystem (RSA) and the Elliptic Curve Digital Signature Algorithm (ECDSA) to secure signaling, control planes, APIs, and service communication. These algorithms remain critical for protecting systems against classical computing attacks, but they are not designed to resist large-scale quantum computers.
Post-quantum cryptography (PQC) refers to a new class of cryptographic algorithms designed to run on conventional hardware while resisting attacks from both classical and quantum computers. Rather than relying on integer factorization or elliptic curve mathematics, PQC schemes are built on alternative hard mathematical problems, such as lattice-based constructions, that are believed to remain intractable even in a quantum computing era.
In regulated markets, post-quantum transition planning is already formalized in national guidance and government roadmaps. Authorities such as the US National Institute of Standards and Technology (NIST), the UK National Cyber Security Centre (NCSC), and the European Commission (EC) have issued timelines and migration guidance for adopting post-quantum cryptography. Notably, the EC summarizes the requirements, stating that “All Member States should start transitioning to post-quantum cryptography by the end of 2026. At the same time, the protection of critical infrastructures should be transitioned to PQC as soon as possible, no later than by the end of 2030.” For operators serving government, finance, or critical infrastructure sectors, trust anchors and certificate authorities must align with these transition plans and support crypto-agility across their PKI and transport layers.
That being said, PQC isn’t only a matter of regulatory compliance. For telecom operators, the risk is not abstract. Network traffic often has a long confidentiality lifetime. Subscriber identity data, authentication exchanges, and inter-operator signaling may need to remain confidential for years. A “harvest now, decrypt later” threat model is realistic.
Preparing for post-quantum cryptography (PQC) is therefore an architectural challenge, not a patching exercise. It touches identity, certificates, transport security, service meshes, and automation pipelines.
The demo at MWC explores what that transition looks like in practice.
A full quantum-safe 5G system
The deployment implements PQC across the complete 5GS as defined by the 3rd Generation Partnership Project (3GPP), the consortium of standards organizations that develops technical specifications for mobile networks, including 4G LTE, 5G and upcoming 6G. That includes:
- Radio access network (RAN) components
- 5G Core network functions
- Service-based interfaces (SBI)
- Transport security between distributed sites
- Authentication and identity flows
- Orchestration and lifecycle management channels
- PKI services and certificate issuance
The system uses NIST-standardized post-quantum algorithms and operates in hybrid mode. In hybrid mode, classical and post-quantum cryptography are combined within the same handshake. This preserves interoperability while introducing quantum-resistant protection.
Migrating to quantum-safe crypto requires a coordinated transformation of identity and trust across the telecom stack. Hybrid deployment as implemented in this system is thus critical for operators. It reduces migration risk, avoids sudden ecosystem breaks, and supports phased rollouts across brownfield environments.
Built on open, cloud-native infrastructure
The platform runs on Canonical’s open infrastructure stack:
- Ubuntu LTS as the operating system foundation
- Canonical Kubernetes for workload orchestration
- Juju for automation and lifecycle management
Ubuntu LTS provides a stable, security-maintained base aligned with upstream Linux and hardware ecosystems. Canonical Kubernetes delivers a CNCF-conformant control plane suited to telco-grade deployments. Juju coordinates Day-0 to Day-2 operations across distributed environments.
In this architecture, cryptographic posture is built-in instead of being treated as an afterthought. PQC protects:
- Control plane communication
- Workload-to-workload interactions
- Orchestration channels
- Management interfaces
Automation channels are designed with post-quantum protection so that cryptographic controls extend consistently from core data centers to distributed edge locations.
For operators, this matters. A secure network that cannot be upgraded, rotated, or audited at scale is not operationally viable. The demo focuses on lifecycle as much as cryptography.
Post-quantum PKI and sovereign trust
A major constraint in telecom security is certificate management. Traditional telecom PKI relies on RSA or ECDSA certificates. Both are vulnerable to future quantum attacks.
The demonstration introduces a post-quantum PKI with:
- A PQ certificate authority issuing ML-DSA certificates
- Automated issuance and renewal integrated through Juju relations
- Hybrid certificate support for transition phases
- End-to-end lifecycle management
There are no classical-only certificates in the system. Every TLS handshake, every mTLS connection, and every signed token is backed by quantum-resistant cryptography in hybrid mode.
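A check an operator could run over a certificate inventory to verify a "no classical-only certificates" policy, as an added example that is not code from the original post, coRAN Labs or Canonical: it reads the outer signatureAlgorithm OID from a DER-encoded certificate and classifies it. The OID table is a small assumed subset, the function names are hypothetical, and the sample inputs are constructed skeletons.

```python
# Added example: classify certificates by the outer signatureAlgorithm OID.
ALGS = {
    "1.2.840.113549.1.1.11": ("classical-only", "sha256WithRSAEncryption"),
    "1.2.840.10045.4.3.2": ("classical-only", "ecdsa-with-SHA256"),
    "2.16.840.1.101.3.4.3.17": ("post-quantum", "ML-DSA-44"),
    "2.16.840.1.101.3.4.3.18": ("post-quantum", "ML-DSA-65"),
    "2.16.840.1.101.3.4.3.19": ("post-quantum", "ML-DSA-87"),
}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode base-128 OID content bytes into dotted-decimal form."""
    arcs, val = [], 0
    for b in body:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(val)
            val = 0
    head = divmod(arcs[0], 40) if arcs[0] < 80 else (2, arcs[0] - 80)
    return ".".join(map(str, [*head, *arcs[1:]]))  # first two arcs share one value

def signature_oid(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    tag, cert, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = read_tlv(cert, 0)    # skip tbsCertificate
    _, alg, _ = read_tlv(cert, pos)  # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = read_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid)

def classify(der):
    oid = signature_oid(der)
    return ALGS.get(oid, ("unknown", oid))  # unknown (e.g. hybrid) needs manual review
# Constructed DER skeletons (empty tbsCertificate, empty signature), not real certificates.
SAMPLE_MLDSA65 = bytes.fromhex("30123000300b0609608648016503040312030100")
SAMPLE_ECDSA = bytes.fromhex("30113000300a06082a8648ce3d040302030100")
```

The outer OID shows which algorithm the issuing CA signed with; the subject's own key type sits inside tbsCertificate and needs a separate check.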
This approach supports sovereign trust chains. Operators retain full control over their root of trust, certificate issuance policies, and rotation strategies. They are not dependent on external certificate providers for core network functions.
Designed for brownfield reality
Telecom networks are dynamic. They evolve, instead of being rebuilt from scratch.
The demo reflects this reality. Hybrid cryptography supports interoperability with legacy systems. Cloud-native packaging allows gradual adoption. Automation integrates with existing operational workflows.
This work outlines a controlled transition path from classical to post-quantum cryptography, designed for phased adoption in live networks.
Operators can begin introducing post-quantum protection in management planes and service-based interfaces, then expand coverage as vendor ecosystems mature.
Open collaboration for long-term resilience
coRAN Labs and Canonical share a commitment to open standards and upstream communities. Preparing telecom infrastructure for a post-quantum world should not be a proprietary exercise.
By building on open source software, standardized algorithms, and interoperable automation frameworks, the industry can avoid fragmentation. The transition to PQC will span years. It must remain transparent, testable, and vendor-neutral.
At MWC Barcelona 2026, this collaboration presents a practical reference architecture for quantum-safe telecom infrastructure. It demonstrates that cryptographic resilience, automation, and cloud-native design are compatible with telco-grade requirements for scale, determinism, and operational control.
Explore the demo at MWC Barcelona 2026
If you are evaluating how to introduce post-quantum cryptography into your 5G or beyond 5G infrastructure, we invite you to engage with the coRAN Labs and Canonical teams at MWC Barcelona 2026.
We look forward to seeing you there!