The telecom and 5G networking landscape demands solutions that can keep pace with increasing data rates, operational efficiency, and emerging cybersecurity threats such as quantum computing. Traditional encryption methods, while foundational, impose significant latency and complexity, and fail to meet modern performance and futureproofing requirements.

Post-quantum cryptography (PQC) is emerging as the critical safeguard, enabling carriers to secure data in motion against both today’s attacks and tomorrow’s quantum breakthroughs. A new generation of solutions, from hardware-accelerated platforms like Sitehop’s through to other flexible software-defined approaches, are reshaping how operators think about latency, scalability, and resilience.

This article explores the leading post-quantum encryption technologies that will define the secure future of telecom and 5G infrastructure.

 

Why telcos/5G providers need quantum‑safe encryption now

5G networks rely heavily on public‑key cryptography for device authentication and key exchange mechanisms for encryption. This cryptography (RSA and elliptic‑curve schemes) depends on mathematical problems that are hard for classical computers to solve but could be solved quickly by a quantum computer. Experts warn that such a cryptographically relevant quantum computer (CRQC) could arrive within the decade nist.gov, yet updating cryptography across modern networks typically takes 10–20 years (nist.gov).

Unlike the Y2K bug, which had a fixed date, the arrival of quantum computers is uncertain, and the threat may materialise before many systems have been upgraded. To make matters worse, adversaries are already collecting encrypted data in the hope of decrypting it later with quantum machines – a tactic known as “harvest now, decrypt later” nist.gov.

Nation‑states are believed to be stockpiling sensitive encrypted traffic techtarget.com, so critical data exchanged on 5G networks could be compromised years down the line if providers do not start adopting post‑quantum cryptography (PQC) soon.

 

How we compared the top solutions

We have compared the top solutions using a range of evaluation criteria including latency, throughput, tunnel capacity, standards support (RFC 8784, 9242, 9370), crypto‑agility, integration with existing routing hardware and post quantum readiness.

Across high-speed enterprise platforms, hardware acceleration is common, vendors use ASICs, NPUs, or FPGAs to offload cryptography. The key distinction is data-path placement (where packets land first). In FPGA-first encryptors, frames enter the hardware pipeline directly, so the latency sensitive bulk crypto executes entirely in silicon with minimal queuing, delivering deterministic ultra-low latency/jitter and very low CPU load. In feature-first security gateways, even with powerful crypto ASICs, packets typically traverse classification, policy/session handling, and service frameworks before/around the IPsec engine (with controlled CPU assist for complex cases), yielding rich L4–L7 capabilities, application ID, IDS/IPS, SD-WAN, service chaining, with modestly higher and more variable latency than a pure hardware pipeline. Both approaches are valid: the former fits high-fan-in backhaul and line-rate encryption, while the latter excels at edge and service layers where policy and application context matter.

 

The best post‑quantum solutions for telecoms

Sitehop SAFEcore 1000: Benchmark for deterministic Post Quantum Encryption

• Positioning: FPGA‑powered IPsec aggregator offering sub‑microsecond latency, 8,000 tunnels and 200 Gb/s full duplex (per 1U) and optional ML‑KEM + RFC 9370 support.
• Key advantages: Deterministic latency under load; crypto‑agile updates; compact 1U form factor; ideal for high‑fan‑in IPsec aggregation.
• Deployment: Offload encryption in the core/backhaul while using existing gateways/NGFWs for policy and application control.

 

Fortinet FortiGate (FortiOS 7.6+): Flexible NGFW with PQC & QKD

• Positioning: Widely deployed NGFW/SD‑WAN platform with built‑in quantum‑safe features.
• Key features: IPsec key exchange now supports NIST‑approved ML‑KEM‑512/768/1024 docs.fortinet.com; FortiOS allows stacking multiple KEMs to create hybrid keys and includes UI/CLI controls for additional key exchanges docs.fortinet.com.
• QKD readiness: Fortinet introduced QKD integration starting with FortiOS 7.4; the platform works with leading QKD vendors to provide quantum‑generated keys thefastmode.com.
• Use case: Good for edge/regional deployments needing policy inspection and multiple PQC on‑ramps (e.g., RFC 8784 mixing, ML‑KEM hybrid).

 

Palo Alto Networks PAN‑OS 11.2: Multi‑KEM IKEv2 and NGFW features

• Positioning: NGFW with advanced VPN controls enabling hybrid key exchange.
• Key features: Uses RFC 9242 and RFC 9370 to perform multiple successive key exchanges; by combining classical (EC)DH with one or more post‑quantum KEMs, the shared key remains secure if any algorithm holds.
• Flexibility: Administrators can specify up to seven additional KEMs and optionally mix in RFC 8784 pre‑shared keys; ideal for phased migration.
• Considerations: Provides deep policy and threat‑inspection capabilities but may introduce higher latency compared with purpose‑built hardware accelerators.

 

Juniper SRX/vSRX (Junos 22.4R1+): QKD integration & quantum‑safe IPsec

• Positioning: Carrier‑class firewall platform with IPsec, MACsec and QKD capabilities.
• Quantum key manager: Junos Key Manager supports quantum key manager profiles; these profiles access QKD devices to generate fresh quantum keys for each connection and use them as post‑quantum pre‑shared keys.
  PPK mixing & QKD: Static key profiles can be used to inject post‑quantum pre‑shared keys (RFC 8784), while dynamic profiles fetch keys from QKD devices; QKD uses quantum channels to generate identical keys and protect both data and control planes.
• Real‑world validation: A 2025 proof‑of‑concept with Turkcell, Juniper and ID Quantique demonstrated that integrating QKD with Juniper’s MACsec/IPsec frameworks protected mobile backhaul without performance loss.
• Use case: Suitable for operators seeking QKD‑ready solutions and strong service‑chain functions (firewall, NAT, QoS) alongside PQC.

 

Nokia IPsec Security Gateway: Carrier‑grade scale with integrated PKI

• Positioning: Runs on the 7750 SR platform with tight integration into 3GPP PKI flows via the NetGuard Certificate Manager.
• Capacity & throughput: Each line card can support 20Gb/s full duplex encryption at large packet sizes. By combining this with 16 slots a total of 320 Gb/s can be achieved in 17U.
• Considerations: Ideal for operators standardized on Nokia routers; Quantum protect provided through ANYsec

 

Choosing the right solution for your network

Key differences

• Latency vs features: SAFEcore = deterministic sub-µs latency; NGFWs = richer L7 features but higher/variable latency.
• Hardware vs software: Hardware offload for line-rate crypto; NGFWs are flexible but become the bottleneck at scale, as all encrypted traffic goes through software even when offload ASICs are used.
• Throughput density vs cost/power: Purpose-built aggregators pack far more encryption density per RU; NGFW capacity scales with SKU/licence/RU/power.
• QKD readiness: Plan QKD only on crown-jewel links; use standards-based hybrid IKEv2 elsewhere.

 

Quick compare

Conclusion & next steps

Regulators such as CISA, NSA and NIST stress that a successful PQC migration “will take time to plan and conduct” and urge organisations to begin developing quantum‑readiness roadmaps cisa.gov.

History shows that changing cryptography at scale takes longer than seven to ten years, meaning organisations that wait risk running out of time. For 5G operators, this means inventorying every protocol, device and service that uses public‑key encryption, prioritising those protecting long‑lived secrets, and working with equipment suppliers on crypto‑agility – the ability to swap algorithms quickly, techtarget.com.

CISA recommends starting with a cryptographic inventory and engaging vendors to identify technologies that must migrate to PQC cisa.gov. At the same time, engineers should begin testing NIST’s standardised PQC algorithms for key encapsulation and digital signatures and consider hybrid deployments that combine classical and quantum‑resistant methods.

By acting now, telecom and 5G providers can avoid a last‑minute scramble and ensure that future quantum breakthroughs do not undermine the trust and resilience of their networks. As HSBC noted in recent podcasts, “if you think security is expensive, have a breach” – the cost of inaction could be far greater than the investment needed to become quantum‑ready.

Why Secure Network Performance Defines Customer Loyalty

The modern digital economy runs on trust. Whether you’re streaming an encrypted video call or executing high-value transactions, the expectation is simple: fast, seamless, and secure connectivity, all at once. But behind the scenes, telcos are often wrestling with an invisible enemy, the performance trade-offs introduced by encryption.

 

When Encryption Becomes a Bottleneck

As mobile data volumes surge, end-to-end encryption protocols like IPsec have become non-negotiable. They’re the backbone of privacy, compliance, and cyber resilience for telcos and their customers. But encrypting every packet of data takes a heavy toll on legacy security gateways. These older systems struggle to process high volumes of small packets, the kind that dominate real-time traffic like Zoom calls, VoIP, and financial transactions. The result?

• Packet loss, leading to frozen video streams and dropped calls
• Latency spikes, which cause time-sensitive applications to stutter or fail
• Jitter and retransmissions, degrading user experiences and increasing operational costs

For enterprises and consumers alike, these issues are more than technical nuisances. They erode confidence and trust in a brand. A single failed video pitch, delayed payment, or slow market trading insight can be the difference between success and failure.

 

The Loyalty Factor

In today’s always-on world, secure network performance is a customer loyalty and business growth driver. A recent shift in business and consumer behaviour shows that connectivity issues, especially on encrypted services, are among the top reasons for switching providers. People are highly intolerant of downtime or lag, particularly when sensitive data is at stake.

Telcos now face a simple but daunting equation, can they deliver high-speed, low-latency services without compromising on encryption strength? Those that can’t, will see customers migrate to competitors that can.

 

A Call to Modernize

The pressure is on telcos to overhaul their mobile-to-fixed network edge. Modern, high-throughput solutions are capable of handling encryption at speed, ensuring:

• Zero compromise on data security
• Consistent performance for real-time apps
• Smoother digital experiences that build trust

 

The outcome?  Video calls that don’t stutter, transactions that complete instantly, and information at someone’s fingertips at high speed. For businesses, it means operational resilience and fewer headaches. For telcos, it means retaining customers in an era where loyalty is earned by securing performance, not just providing it.

To find out more, request our Telco focused white paper: info@sitehop.com

Sitehop. Engineered for speed.
Built for the future.

Or call us on: +44 (0)114 478 2366

 

 

With the explosion of data, increased risk, and customers demanding trusted high-speed communications, there’s never been a better time to evolve the networks the UK needs. Secure, fast, future-proof and trusted. That’s why we’re proud to announce Sitehop’s involvement in a first-of-its-kind Proof of Concept (PoC) with BT at the Gemini test facility within Adastral Park, home to BT’s global R&D.

This collaboration represents more than a technical validation. It signals a shift, a growing belief that agile, sovereign innovators have a critical role to play in securing and accelerating the UK’s digital infrastructure with a foundation of engineering and innovation. Keeping people connected. At speed. Safely.

 

A New Model for Collaboration

The Gemini facility is a replica of BT’s live network, Europe’s largest and most advanced telecom test environment. Until now, access to Gemini has been limited to BT and its tier-one vendors. This week, Sitehop is the first SME to be invited in. Our mission is to demonstrate how our high-speed, low-power, post-quantum-ready encryption hardware and Network Management can meet BT’s performance, interoperability and security standards, and potentially qualify for Safe to Connect certification, BT’s highest trust benchmark.

For both sides, this trial is about more than devices. It is about testing an approach for the future where the UK’s network leaders and security innovators work together to create the kind of infrastructure the country, and the world, needs.

 

Built to Support BT’s Transformation

BT has made clear its strategic intent:

• To build the best, most trusted digital networks
• To connect customers so they thrive, as we grow, in a digital world.
• To accelerate modernisation to restore leadership in everything BT does

At Sitehop, our technology has been engineered to do exactly that.

Build: We remove legacy bottlenecks with ultra-low latency, FPGA-based encryption, delivering 100 Gbps performance with crypto agility built in.

Connect: Our plug-and-play devices support scalable deployments from the core to the edge, without sacrificing simplicity or cost-efficiency.

Accelerate: We enable faster, greener, more secure network growth. Sitehop uses just a tenth of the power of traditional solutions while delivering 10,000x lower latency than software-based alternatives.

These are not incremental improvements. They are exponential gains, the kind that can help us unlock the next generation of UK connectivity.

 

Why Telcos Choose Sitehop

Telecom networks are evolving rapidly, becoming more dynamic and security critical. Sitehop enables operators to keep pace and stay ahead.

• Zero trade-offs: Add robust, real-time encryption without sacrificing network performance, customer experience or cost efficiency.
• End-to-end flexibility: From 1 Gbps to 100 Gbps, classical encryption to post-quantum cryptography, Sitehop scales to fit any architecture.
• Easy to deploy and manage: Pre-integrated with existing network infrastructure, with cloud-ready, centralised management through Sitehop SAFEnms.
• Future-proof by design: Post-quantum ready, crypto agile, and engineered to support the demands of AI, 5G, edge and hyperscaler environments.
• Sustainable and efficient: A fraction of the energy consumption of software-based solutions, helping operators hit sustainability targets while boosting performance.
• Trusted and sovereign: Built entirely in the UK, Sitehop helps reduce supplier dependency while strengthening national and commercial security posture.

For telcos, this is a smarter way to secure networks.

 

Supporting a Stronger UK Ecosystem

Sitehop is a UK-born, UK-backed business with global vision. But our mission starts here, protecting the nation’s networks and data at the speed modern business, and we as consumers demand.

This Proof of Concept reflects a broader opportunity, to create space for mission-led, sovereign innovators within national infrastructure to give the UK a more competitive, more resilient and more sustainable digital foundation.

We are proud to be the first company to take part in this type of PoC. But we are even more excited about what happens next.

 

The Future Is Now

As BT says in its 2025 Strategic Report – the world is getting louder, faster and more complex. Networks are evolving. Threats are multiplying. Expectations are rising. And the UK has the chance to lead, by building trusted digital infrastructure backed by trusted innovation. That’s exactly where Sitehop thrives.

Sitehop. Engineered for speed. Built for the future.

Call us on: +44 (0)114 478 2366

Or email info@sitehop.com

Categories: BT, Infrastructure, Security