A formal framework to analyse cryptographic transformations across the entire network stack, from application to physical transmission, has been developed by Ashish Kundu and colleagues. The framework shows that overall communication security depends on the combined vulnerability of each layer, and it establishes mathematically how post-quantum cryptographic statuses combine. Applying the framework to common communication scenarios on Linux and iOS, the team reports surprising results, such as WPA2-Personal offering a stronger post-quantum security posture than the newer WPA3-Personal and WPA2-Enterprise. The analysis highlights that complete authentication requires post-quantum cryptography at every layer.
Comparative Post-Quantum Security of Wireless Protocols Reveals Unexpected Resilience in
WPA2-Personal currently exhibits a stronger post-quantum cryptographic (PQC) posture than both WPA3-Personal and WPA2-Enterprise, a result that challenges expectations of newer protocols offering enhanced security. This finding is particularly noteworthy given the widespread assumption that newer protocols inherently provide superior security characteristics. Previously, assessments of network security largely focused on individual protocol layers, evaluating each cryptographic implementation in isolation. This approach hindered accurate evaluation of overall network durability, as it failed to account for the complex interplay between layers. The discovery represents an important threshold in understanding the holistic security of wireless communications. Establishing a comparative metric enables proactive identification of vulnerabilities in widely deployed systems, something impossible with layer-by-layer analysis alone. The implications extend to network administrators and security professionals, suggesting a need to reassess the perceived security benefits of newer wireless protocols and potentially prioritise updates to older, seemingly less secure, systems based on this new understanding of layered cryptographic weaknesses.
The developed framework demonstrates that a single post-quantum layer is sufficient to maintain payload confidentiality, meaning the message content itself can be protected even if other layers are vulnerable. However, complete authentication, verifying the identity of communicating parties, necessitates post-quantum cryptography across every layer of the communication stack. This is because authentication relies on a chain of trust, and a compromised layer can invalidate the entire process. Metadata protection, in particular, relies entirely on the security of the outermost layer, highlighting a specific area for focused improvement. Metadata includes information about the message, such as the sender, receiver, and timing of the communication, and its compromise can reveal sensitive information even if the message content remains encrypted. Analysis of five communication scenarios, encompassing both Linux and iOS platforms, showed that authentication strength is limited by the weakest link in the chain, and the security of metadata, such as communication timing and endpoints, is entirely dependent on the cryptographic strength of the outermost network layer. While this framework establishes a clear metric for assessing PQC readiness, it currently does not account for the computational overhead introduced by these algorithms, a key factor for widespread deployment on resource-constrained devices such as mobile phones and embedded systems. The computational cost of PQC algorithms is significantly higher than traditional algorithms, potentially impacting performance and battery life.
Formalising Quantum Vulnerability Across Network Protocol Stacks
This work centres on a formal analysis of cryptographic composition, treating network security like a layered set of rules, similar to the layers in a cake where each contributes to the overall flavour. This analogy highlights the importance of considering the entire system, rather than individual components. The method mapped how security properties change as data moves down the protocol stack, from application to physical transmission, rather than assessing each encryption method in isolation. This involved classifying each layer’s cryptographic operations into quantum vulnerability categories, and a ‘bounded lattice’ was then constructed to represent the hierarchical relationships between these statuses, allowing for a systematic evaluation of combined security. The lattice structure allows for a clear visualisation of how different levels of quantum resistance interact, providing a powerful tool for security analysis. The concept of a ‘bounded lattice’ is derived from order theory in mathematics, providing a rigorous foundation for the framework.
To assess post-quantum cryptographic readiness across network layers, five communication scenarios utilising Linux and iOS platforms were analysed. Each layer’s cryptographic operations were categorised into four quantum vulnerability levels, forming a ‘bounded lattice’ to map combined security. These levels represent the degree to which a layer is susceptible to attacks from quantum computers, ranging from fully vulnerable to fully resistant. This lattice-based approach offered a systematic alternative to evaluating encryption in isolation, considering how security changes as data traverses the protocol stack. The analysis also identified Kyber-1024 as a post-quantum algorithm based on lattice problems. Kyber-1024 is a key encapsulation mechanism (KEM) considered a leading candidate for standardisation by the National Institute of Standards and Technology (NIST) due to its performance and security characteristics. Lattice-based cryptography is particularly promising as it is believed to be resistant to attacks from both classical and quantum computers, relying on the hardness of mathematical problems related to lattices.
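The composition rules described above (one post-quantum layer suffices for payload confidentiality, authentication is bounded by the weakest layer, metadata depends on the outermost layer) can be written as operations on an ordered set of statuses. The sketch below is an added example, not code from the paper or its authors. The four level names, their ordering as a simple chain, the Layer type and the sample stack are assumptions made for illustration, since the article does not name the paper's levels or give per-layer classifications.

```python
from enum import IntEnum
from typing import NamedTuple

class Q(IntEnum):
    """Assumed four-level chain (bottom to top); the article does not name its levels."""
    NONE = 0       # no cryptographic protection for this property
    BROKEN = 1     # rests on a problem Shor's algorithm solves (e.g. RSA, ECDH)
    WEAKENED = 2   # symmetric primitive whose margin Grover's search reduces
    PQ_SAFE = 3    # post-quantum algorithm

class Layer(NamedTuple):
    name: str
    conf: Q  # status of this layer's encryption
    auth: Q  # status of this layer's authentication

def compose(stack):
    """Combine per-layer statuses; stack runs innermost (application) to outermost."""
    if not stack:
        raise ValueError("empty stack")
    auth = min(l.auth for l in stack)  # meet: the weakest layer bounds authentication
    return {
        "confidentiality": max(l.conf for l in stack),  # join: one strong layer suffices
        "authentication": auth,
        "metadata": stack[-1].conf,  # only the outermost layer covers metadata
        "auth_limited_by": [l.name for l in stack if l.auth == auth],
    }

def gaps(stack, target=Q.PQ_SAFE):
    """Per-layer changes needed before every composed property reaches `target`."""
    todo = {l.name: ["authentication"] for l in stack if l.auth < target}
    if stack[-1].conf < target:  # metadata needs the outermost layer itself upgraded
        todo.setdefault(stack[-1].name, []).append("encryption")
    return todo

# Constructed sample stack; not a scenario or classification taken from the paper.
SAMPLE = [
    Layer("application", Q.PQ_SAFE, Q.PQ_SAFE),
    Layer("transport", Q.BROKEN, Q.BROKEN),
    Layer("link", Q.WEAKENED, Q.WEAKENED),
]

if __name__ == "__main__":
    print(compose(SAMPLE))
    print(gaps(SAMPLE))
```

In the sample stack the payload stays confidential because of the application layer alone, while authentication drops to the transport layer's status and metadata to the link layer's.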
Identifying systemic vulnerability in post-quantum cryptographic network defences
Network security has long operated on the principle of layering defences, but this work reveals a key dependency: the weakest link truly dictates overall durability. This principle underscores the importance of a holistic approach to security, where all layers are equally robust. The framework currently analyses only five communication scenarios, raising questions about how widely these findings apply to diverse network architectures, despite offering a clear method for assessing post-quantum cryptographic (PQC) readiness. The authors acknowledge this limitation, pointing to the need for broader testing to validate the framework’s generalisability, a significant undertaking given the sheer complexity of modern networks. Different network topologies, such as those found in industrial control systems or satellite communications, may exhibit different vulnerabilities. The authors suggest that future work should focus on expanding the scope of the analysis to encompass a wider range of scenarios.
This research moves beyond simply recommending algorithm upgrades, detailing how vulnerabilities combine across multiple layers of network communication, a crucial consideration often overlooked. A new analytical framework demonstrates that overall network security isn’t determined by the strongest encryption used, but by the combined vulnerabilities of each layer in the communication process. The work establishes a formal method for evaluating how cryptographic transformations interact across the entire network stack, from application to physical transmission, revealing that while a single layer utilising post-quantum cryptography can protect message content, complete authentication requires it at every stage. This has significant implications for the development of future secure communication systems, emphasising the need for a layered approach to PQC implementation. The findings contribute to a deeper understanding of the complex interplay between cryptographic algorithms and network protocols, paving the way for more resilient and secure communication infrastructure in the face of evolving quantum threats.
This research demonstrated that the overall security of network communication depends on the combined vulnerabilities of each layer, not just the strongest encryption used. The framework classifies cryptographic operations by quantum vulnerability and defines how these statuses combine across the entire message transformation chain, revealing that complete authentication requires post-quantum cryptography at every layer. Analysis of five communication scenarios showed WPA2-Personal offered a better post-quantum cryptographic posture than both WPA3-Personal and WPA2-Enterprise. The authors suggest further work is needed to broaden testing and validate the framework’s applicability to diverse network architectures.
👉 More information
🗞 Post-Quantum Cryptographic Analysis of Message Transformations Across the Network Stack
🧠 ArXiv: https://arxiv.org/abs/2604.08480
