5 Best Post Quantum Encryption Solutions for Telecoms & 5G Networks
October 21, 2025 | Post Quantum Cryptography, Telco
The telecom and 5G networking landscape demands solutions that can keep pace with increasing data rates, operational efficiency, and emerging cybersecurity threats such as quantum computing. Traditional encryption methods, while foundational, impose significant latency and complexity, and fail to meet modern performance and future-proofing requirements.
Post-quantum cryptography (PQC) is emerging as the critical safeguard, enabling carriers to secure data in motion against both today’s attacks and tomorrow’s quantum breakthroughs. A new generation of solutions, from hardware-accelerated platforms like Sitehop’s through to other flexible software-defined approaches, is reshaping how operators think about latency, scalability, and resilience.
This article explores the leading post-quantum encryption technologies that will define the secure future of telecom and 5G infrastructure.
Why telcos/5G providers need quantum‑safe encryption now
5G networks rely heavily on public‑key cryptography for device authentication and key exchange mechanisms for encryption. This cryptography (RSA and elliptic‑curve schemes) depends on mathematical problems that are hard for classical computers to solve but could be solved quickly by a quantum computer. Experts warn that such a cryptographically relevant quantum computer (CRQC) could arrive within the decade (nist.gov), yet updating cryptography across modern networks typically takes 10–20 years (nist.gov).
Unlike the Y2K bug, which had a fixed date, the arrival of quantum computers is uncertain, and the threat may materialise before many systems have been upgraded. To make matters worse, adversaries are already collecting encrypted data in the hope of decrypting it later with quantum machines – a tactic known as “harvest now, decrypt later” (nist.gov).
Nation‑states are believed to be stockpiling sensitive encrypted traffic (techtarget.com), so critical data exchanged on 5G networks could be compromised years down the line if providers do not start adopting post‑quantum cryptography (PQC) soon.
How we compared the top solutions
We have compared the top solutions using a range of evaluation criteria including latency, throughput, tunnel capacity, standards support (RFC 8784, 9242, 9370), crypto‑agility, integration with existing routing hardware and post‑quantum readiness.
Across high-speed enterprise platforms, hardware acceleration is common: vendors use ASICs, NPUs, or FPGAs to offload cryptography. The key distinction is data-path placement (where packets land first). In FPGA-first encryptors, frames enter the hardware pipeline directly, so the latency-sensitive bulk crypto executes entirely in silicon with minimal queuing, delivering deterministic ultra-low latency/jitter and very low CPU load. In feature-first security gateways, even with powerful crypto ASICs, packets typically traverse classification, policy/session handling, and service frameworks before/around the IPsec engine (with controlled CPU assist for complex cases). This yields rich L4–L7 capabilities (application ID, IDS/IPS, SD-WAN, service chaining) with modestly higher and more variable latency than a pure hardware pipeline. Both approaches are valid: the former fits high-fan-in backhaul and line-rate encryption, while the latter excels at edge and service layers where policy and application context matter.
The best post‑quantum solutions for telecoms
Sitehop SAFEcore 1000: Benchmark for deterministic Post Quantum Encryption

- Positioning: FPGA‑powered IPsec aggregator offering sub‑microsecond latency, 8,000 tunnels and 200 Gb/s full duplex (per 1U) and optional ML‑KEM + RFC 9370 support.
- Key advantages: Deterministic latency under load; crypto‑agile updates; compact 1U form factor; ideal for high‑fan‑in IPsec aggregation.
- Deployment: Offload encryption in the core/backhaul while using existing gateways/NGFWs for policy and application control.
Fortinet FortiGate (FortiOS 7.6+): Flexible NGFW with PQC & QKD
- Positioning: Widely deployed NGFW/SD‑WAN platform with built‑in quantum‑safe features.
- Key features: IPsec key exchange now supports NIST‑approved ML‑KEM‑512/768/1024 (docs.fortinet.com); FortiOS allows stacking multiple KEMs to create hybrid keys and includes UI/CLI controls for additional key exchanges (docs.fortinet.com).
- QKD readiness: Fortinet introduced QKD integration starting with FortiOS 7.4; the platform works with leading QKD vendors to provide quantum‑generated keys (thefastmode.com).
- Use case: Good for edge/regional deployments needing policy inspection and multiple PQC on‑ramps (e.g., RFC 8784 mixing, ML‑KEM hybrid).
Palo Alto Networks PAN‑OS 11.2: Multi‑KEM IKEv2 and NGFW features
- Positioning: NGFW with advanced VPN controls enabling hybrid key exchange.
- Key features: Uses RFC 9242 and RFC 9370 to perform multiple successive key exchanges; by combining classical (EC)DH with one or more post‑quantum KEMs, the shared key remains secure if any algorithm holds.
- Flexibility: Administrators can specify up to seven additional KEMs and optionally mix in RFC 8784 pre‑shared keys; ideal for phased migration.
- Considerations: Provides deep policy and threat‑inspection capabilities but may introduce higher latency compared with purpose‑built hardware accelerators.
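The key mixing behind the RFC 9370 additional key exchanges and the RFC 8784 pre‑shared key option described above, as an added example (not vendor code and not part of the original article). It assumes HMAC-SHA-256 as the negotiated prf, tracks only SK_d, and uses constructed byte strings in place of real (EC)DH and ML-KEM shared secrets; `derive_sk_d`, `matches_session_key` and the sample constants are hypothetical names.

```python
import hashlib
import hmac

def prf(key: bytes, data: bytes) -> bytes:
    # Assumption: the peers negotiated PRF_HMAC_SHA2_256.
    return hmac.new(key, data, hashlib.sha256).digest()

def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    # RFC 7296 prf+: T1 = prf(K, S | 0x01), Tn = prf(K, Tn-1 | S | n)
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = prf(key, block + seed + bytes([counter]))
        out += block
        counter += 1
    return out[:length]

def derive_sk_d(secrets, ni, nr, spi_i, spi_r, ppk=None) -> bytes:
    """SK_d after the initial exchange, every additional exchange, and
    optional PPK mixing. secrets[0] is the (EC)DH result; the rest are
    the shared secrets of the additional key exchanges, in order."""
    if not 1 <= len(secrets) <= 8:
        raise ValueError("one initial plus at most seven additional exchanges")
    seed = ni + nr + spi_i + spi_r
    # RFC 7296: SKEYSEED = prf(Ni | Nr, g^ir); SK_d is the first prf+ output
    sk_d = prf_plus(prf(ni + nr, secrets[0]), seed, 32)
    for sk_n in secrets[1:]:
        # RFC 9370: SKEYSEED(n) = prf(SK_d(n-1), SK(n) | Ni | Nr)
        sk_d = prf_plus(prf(sk_d, sk_n + ni + nr), seed, 32)
    if ppk is not None:
        # RFC 8784: SK_d = prf+(PPK, SK_d')
        sk_d = prf_plus(ppk, sk_d, 32)
    return sk_d

# Constructed sample values, not captured from any device.
NI, NR = b"\xa1" * 32, b"\xb2" * 32
SPI_I, SPI_R = b"\x01" * 8, b"\x02" * 8
ECDH, MLKEM, PPK = b"\x11" * 32, b"\x22" * 32, b"\x33" * 32

def matches_session_key(ecdh_guess: bytes, mlkem_guess: bytes) -> bool:
    """True only if both component secrets are right."""
    real = derive_sk_d([ECDH, MLKEM], NI, NR, SPI_I, SPI_R)
    guess = derive_sk_d([ecdh_guess, mlkem_guess], NI, NR, SPI_I, SPI_R)
    return hmac.compare_digest(real, guess)

if __name__ == "__main__":
    print("both secrets known:", matches_session_key(ECDH, MLKEM))
    print("ECDH known, ML-KEM unknown:", matches_session_key(ECDH, bytes(32)))
    print("ML-KEM known, ECDH unknown:", matches_session_key(bytes(32), MLKEM))
```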
Juniper SRX/vSRX (Junos 22.4R1+): QKD integration & quantum‑safe IPsec
- Positioning: Carrier‑class firewall platform with IPsec, MACsec and QKD capabilities.
- Quantum key manager: Junos Key Manager supports quantum key manager profiles; these profiles access QKD devices to generate fresh quantum keys for each connection and use them as post‑quantum pre‑shared keys.
- PPK mixing & QKD: Static key profiles can be used to inject post‑quantum pre‑shared keys (RFC 8784), while dynamic profiles fetch keys from QKD devices; QKD uses quantum channels to generate identical keys and protect both data and control planes.
- Real‑world validation: A 2025 proof‑of‑concept with Turkcell, Juniper and ID Quantique demonstrated that integrating QKD with Juniper’s MACsec/IPsec frameworks protected mobile backhaul without performance loss.
- Use case: Suitable for operators seeking QKD‑ready solutions and strong service‑chain functions (firewall, NAT, QoS) alongside PQC.
Nokia IPsec Security Gateway: Carrier‑grade scale with integrated PKI
- Positioning: Runs on the 7750 SR platform with tight integration into 3GPP PKI flows via the NetGuard Certificate Manager.
- Capacity & throughput: Each line card can support 20 Gb/s full duplex encryption at large packet sizes. By combining this with 16 slots, a total of 320 Gb/s can be achieved in 17U.
- Considerations: Ideal for operators standardized on Nokia routers; quantum protection is provided through ANYsec.
Choosing the right solution for your network
Key differences
- Latency vs features: SAFEcore = deterministic sub-µs latency; NGFWs = richer L7 features but higher/variable latency.
- Hardware vs software: Hardware offload for line-rate crypto; NGFWs are flexible but become the bottleneck at scale, as all encrypted traffic goes through software even when offload ASICs are used.
- Throughput density vs cost/power: Purpose-built aggregators pack far more encryption density per RU; NGFW capacity scales with SKU/licence/RU/power.
- QKD readiness: Plan QKD only on crown-jewel links; use standards-based hybrid IKEv2 elsewhere.
Quick compare
Conclusion & next steps
Regulators such as CISA, NSA and NIST stress that a successful PQC migration “will take time to plan and conduct” and urge organisations to begin developing quantum‑readiness roadmaps (cisa.gov).
History shows that changing cryptography at scale takes longer than seven to ten years, meaning organisations that wait risk running out of time. For 5G operators, this means inventorying every protocol, device and service that uses public‑key encryption, prioritising those protecting long‑lived secrets, and working with equipment suppliers on crypto‑agility – the ability to swap algorithms quickly (techtarget.com).
CISA recommends starting with a cryptographic inventory and engaging vendors to identify technologies that must migrate to PQC (cisa.gov). At the same time, engineers should begin testing NIST’s standardised PQC algorithms for key encapsulation and digital signatures and consider hybrid deployments that combine classical and quantum‑resistant methods.
By acting now, telecom and 5G providers can avoid a last‑minute scramble and ensure that future quantum breakthroughs do not undermine the trust and resilience of their networks. As HSBC noted in recent podcasts, “if you think security is expensive, have a breach” – the cost of inaction could be far greater than the investment needed to become quantum‑ready.
Sitehop Raises £7.5m to Future-Proof Networks Against Quantum Threats
October 9, 2025 | Encryption, Million, Security, Sovereign Tech
We’re proud to announce that Sitehop has raised an additional £7.5 million, led by Northern Gritstone, bringing our total funding to £13.5 million. The round also included continued support from our existing investors, Amadeus Capital Partners, Manta Ray, Mercia Ventures, and NPIF – Mercia Equity Finance, managed by Mercia as part of the first Northern Powerhouse Investment Fund (NPIF).
Building UK Sovereign Encryption for a Quantum Future
As cyberattacks grow in scale and sophistication, the risk of quantum-enabled breaches becomes more urgent. Today’s software-based encryption methods create latency and slow data transfers, a critical weakness in performance-sensitive networks.
At Sitehop, we’re solving this with our SAFEseries™ system, which performs encryption in hardware rather than software. This approach enables ultra-low latency, quantum-resilient security, and up to 90% lower energy use compared with conventional systems.
Even in the most demanding environments, like telecoms, our hardware encryption delivers high-speed performance with near-zero impact on network efficiency.
Proven and Trusted by Industry Leaders
Founded in Sheffield by Melissa Chambers (CEO) and Ben Harper (CTO), Sitehop is already working with major partners including BT.
We recently completed a successful proof-of-concept trial at BT’s Gemini test facility, a replica of BT’s live network and one of Europe’s most advanced telecoms testing environments. Sitehop is also the first external company ever granted access to Gemini, a facility typically reserved for BT’s internal development teams.
Our technology is now live with a tier-one carrier across five countries, proving its scalability and reliability in real-world deployments.
Strengthening the UK’s Sovereign Capability
“Sitehop is proving the critical need for future-proof encryption, demonstrated by our early customer traction globally,” said Melissa Chambers, Co-founder and CEO. “As a Sheffield-founded company, this investment from Northern Gritstone supports our mission to grow and scale in the region and build world-leading sovereign encryption capability right here in the UK, accelerating international expansion while keeping the UK at the forefront of cybersecurity innovation.”
“Our mission has always been to deliver world-class security that is ultra-low latency, hardware-enforced, and resilient against future threats like quantum computing,” added Ben Harper, Co-founder and CTO. “Partnering with Northern Gritstone enables us to accelerate our mission while strengthening the UK’s sovereign capability in critical network security. Their ‘profit with purpose’ ethos resonates strongly with us, creating technology that drives global growth and delivers lasting social and economic value.”
Backed by Leading Deeptech Investors
Duncan Johnson, CEO, Northern Gritstone, said: “Our focus is always on ‘profit with purpose’, helping to support visionary companies with strong intellectual property to grow out of the North of England. Sitehop is an example of the incredible deep tech innovation coming out of Sheffield’s innovation cluster, providing game-changing technology to support businesses in future-proofing their cybersecurity protection. We’re delighted to be backing Melissa and Ben in an area as important as cryptography.”
Nick Kingsbury, Partner, Amadeus Capital Partners, said: “As data volumes and cyber threats grow, the need for the ultra-high throughput and low latency that Sitehop delivers means that the company is seeing strong demand from customers in many sectors. This funding gives the company the ability to deliver on that demand.”
Chris Borrett, Mercia Ventures, said: “Melissa and Ben have addressed a problem that even the biggest tech companies have failed to solve. We believe Sitehop is poised to become a major UK success story, and we are excited to partner with them on this journey.” NPIF and Mercia first invested in Sitehop in 2022.
Debbie Sorby, Senior Manager at British Business Bank, said: “Eight years on from the launch of the first Northern Powerhouse Investment Fund, we continue to see the remarkable impact businesses are making on the Northern economy. The Fund was designed to support innovative companies across the region, helping them to grow and thrive. Sitehop is a standout example of this success, now one of the UK’s leading technology businesses.”

