Cisco Research Proves That One Post-Quantum Layer Can Protect Payload Confidentiality — But Authentication Requires Migrating Every Layer
April 12, 2026 – Researchers at Cisco have published a formal framework demonstrating that organizations can protect payload confidentiality against quantum attack by deploying post-quantum cryptography at just one layer of their network stack, while authentication security requires migrating every layer that uses public-key cryptography.
The paper, authored by Ashish Kundu (Head of Cybersecurity Research at Cisco Research, IEEE Fellow), Vishal Chakraborty, and Ramana Kompella (Head of Cisco Research), was released on arXiv on April 9. It provides the first mathematical treatment of how quantum vulnerability composes across multi-layer network communications.
The framework classifies every cryptographic operation into one of four quantum vulnerability levels: C-Unsafe (broken classically), Q-Unsafe (broken by Shor’s algorithm), Q-Weakened (reduced by Grover’s algorithm but retaining adequate security margin), and Q-Safe (resistant to known quantum attacks). The researchers then prove that these categories form a bounded lattice with distinct composition rules for different security properties.
The central results:
- Confidentiality follows a “max” rule. If any single layer in the stack implements post-quantum key exchange, the payload remains protected. An adversary who breaks the outer layers with a cryptographically relevant quantum computer (CRQC) still cannot decrypt data encrypted at the quantum-safe inner layer.
- Authentication follows a “min” rule. Every layer performing public-key authentication must independently migrate. A quantum adversary who forges credentials at any single layer can mount a man-in-the-middle attack at that layer’s scope, regardless of what the other layers do.
- Metadata protection depends solely on the outermost layer. Inner layers cannot compensate for an outer layer’s quantum vulnerability when it comes to connection metadata exposure.
The researchers validated these rules across five real-world communication scenarios, including iOS-to-iOS iMessage with Apple’s PQ3 protocol, Linux HTTPS over various WiFi configurations, and multi-layer VPN deployments. Apple’s PQ3 implementation achieves Q-Safe confidentiality despite operating beneath two Q-Unsafe layers (TLS 1.3 and WPA3), confirming the single-layer protection principle.
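The three composition rules can be applied mechanically to a stack inventory. The sketch below is an added example, not code from the paper or from Cisco: the `Level`, `Layer`, `posture` and `auth_gaps` names are hypothetical, and the lattice is assumed to be a total order in the sequence the article lists the four levels. It also assumes the metadata level tracks the outermost layer's confidentiality level, and the per-layer values are constructed from the article's descriptions of Case Studies 1 and 4.

```python
from enum import IntEnum
from typing import NamedTuple, Optional


class Level(IntEnum):
    # Assumption: a total order, weakest first, in the order the article lists the levels.
    C_UNSAFE = 0
    Q_UNSAFE = 1
    Q_WEAKENED = 2
    Q_SAFE = 3


class Layer(NamedTuple):
    name: str
    conf: Level            # posture of the layer's key exchange / encryption
    auth: Optional[Level]  # None: the layer does no public-key authentication


def posture(stack):
    """Compose per-layer levels; `stack` is ordered outermost layer first."""
    if not stack:
        raise ValueError("stack must contain at least one layer")
    auth = [l.auth for l in stack if l.auth is not None]
    return {
        "confidentiality": max(l.conf for l in stack),   # "max" rule
        "authentication": min(auth) if auth else None,   # "min" rule
        "metadata": stack[0].conf,                       # outermost layer only
    }


def auth_gaps(stack):
    """Names of layers whose public-key authentication is not yet Q-Safe."""
    return [l.name for l in stack if l.auth is not None and l.auth < Level.Q_SAFE]


U, S = Level.Q_UNSAFE, Level.Q_SAFE
# Constructed from the article's description of Case Study 1 (iMessage with PQ3).
IMESSAGE = [Layer("WPA3", U, U), Layer("TLS 1.3", U, U), Layer("PQ3", S, U)]
# Constructed from Case Study 4; auth levels assume classical signatures/keys at every layer.
VPN = [Layer("WPA3", U, U), Layer("WireGuard", U, U), Layer("TLS 1.3", U, U)]

if __name__ == "__main__":
    for label, stack in (("iMessage/PQ3", IMESSAGE), ("WiFi+VPN+TLS", VPN)):
        result = {k: getattr(v, "name", v) for k, v in posture(stack).items()}
        print(label, result, "auth gaps:", auth_gaps(stack))
```

The `auth_gaps` output is the migration worklist the "min" rule implies: confidentiality is satisfied by one Q-Safe entry, while authentication stays at the weakest level until that list is empty.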
Among the counterintuitive findings: WPA2-Personal provides a strictly better post-quantum posture than WPA3-Personal. WPA3 introduced elliptic curve Diffie-Hellman key exchange via the SAE (Simultaneous Authentication of Equals) protocol, creating a direct target for Shor’s algorithm where WPA2’s purely symmetric approach (pre-shared keys, PBKDF2, HMAC-SHA1, AES) had none. The classically superior protocol is quantum-weaker.
The paper arrives as Cisco’s product teams are separately shipping what they describe as full-stack PQC in IOS XE 26, applying quantum-safe cryptography from device boot integrity through network traffic protection.
My Analysis
This paper delivers something the PQC migration conversation has badly needed: algebraic precision about how quantum threats actually propagate through real protocol stacks. The composition rules the Cisco team proves are intuitive once stated, but the industry has been operating on intuition alone until now. Having formal proofs turns migration planning from educated guessing into engineering.
The Confidentiality Result Changes Migration Sequencing
The single-layer confidentiality protection finding has immediate practical consequences for how organizations should sequence their PQC transitions. The conventional approach treats migration as a comprehensive infrastructure overhaul: identify every protocol, upgrade every layer, validate everything before declaring victory. This research demonstrates that for data protection against Harvest Now, Decrypt Later (HNDL) attacks, a single well-placed migration buys meaningful protection while the broader effort continues.
Consider a typical enterprise architecture running TLS over WiFi, possibly with a VPN layer. The paper’s Case Study 4 examines exactly this stack: WPA3 at Layer 2, WireGuard VPN at Layer 3, TLS 1.3 at Layers 5-6. Three layers of encryption, zero quantum protection. The HNDL exposure depth equals the total layer count, meaning an adversary recording that triply-encrypted traffic today recovers everything once a CRQC arrives. The VPN’s core value proposition (hiding browsing destinations from the local network) is itself defeated at depth 2, where the adversary recovers the inner IP headers and TLS SNI that WireGuard was meant to conceal. As the authors note, the additional protocol complexity and latency of the VPN tunnel deliver no quantum security benefit in this configuration.
Contrast that with Case Study 1, where Apple’s PQ3 protocol at the application layer transforms the entire chain from Q-Unsafe to Q-Safe for confidentiality, even with two Q-Unsafe layers beneath it. One deployment, one protocol, total payload protection.
The practical implication: organizations can and should identify their most feasible migration point and act on it now, rather than waiting for a comprehensive multi-layer migration plan to materialize. Maybe that means upgrading application-layer encryption. Maybe it means deploying PQC-enabled TLS termination. The specific layer matters less than making one layer quantum-safe for confidentiality purposes.
This aligns with the incremental approach I recommend in the PQC Migration Framework. Getting started with a targeted, achievable first step is categorically better than paralysis while planning the perfect migration.
The Authentication Result Is the Harder Problem
The asymmetry between confidentiality and authentication in this framework reinforces what I have been writing about under the concept of Trust Now, Forge Later (TNFL). While one quantum-safe layer locks down data confidentiality, authentication has no equivalent shortcut. Every layer with public-key authentication represents an independent attack surface that a quantum adversary can exploit in isolation.
In the iMessage case study, PQ3 achieves Q-Safe confidentiality, but the chain remains Q-Unsafe for authentication at every layer. Each layer authenticates a different entity (WPA3 authenticates the access point, TLS authenticates Apple’s relay server, PQ3 authenticates the sending user), and a quantum adversary who forges any one of these can insert themselves as a man-in-the-middle at that layer’s scope without disturbing the other layers. The message content stays encrypted; the recipient might just be having a perfectly secure conversation with the wrong party.
The “min” composition rule for authentication means that your PQC migration plan needs a complete inventory of every authentication point across every protocol layer. Miss one, and you leave a quantum-exploitable gap. This is a much harder operational problem than the confidentiality migration, and it validates why crypto-agility is essential for authentication infrastructure specifically.
Here is a finding from the paper that is worth emphasizing: across all four multi-layer case studies and all nine active layer instances examined, not a single layer uses post-quantum digital signatures. Even Apple’s PQ3, the only protocol achieving Q-Safe confidentiality, signs with ECDSA-P256. The industry has made measurable progress on post-quantum key exchange (confidentiality), but post-quantum authentication remains essentially undeployed in production systems.
The WPA2 vs. WPA3 Finding Illustrates a Systemic Pattern
The WPA2/WPA3 comparison will likely generate the most discussion, and rightly so. WPA3-Personal was designed as a strict security upgrade over WPA2-Personal. It resists offline dictionary attacks and provides forward secrecy. From a classical security perspective, the upgrade is unambiguous.
From a quantum perspective, it is a downgrade. WPA2-Personal uses pre-shared keys and derives all session keys through symmetric operations: PBKDF2 for the pairwise master key, HMAC-SHA1 for message integrity, AES-128-CCMP for data encryption. No public-key cryptography, no target for Shor’s algorithm. WPA3 replaced the 4-way handshake with SAE, which performs elliptic curve Diffie-Hellman on the P-256 curve. SAE solved real classical problems, but it introduced an elliptic curve operation that is a direct target for Shor’s algorithm where none existed before.
The same pattern applies to WPA2-Enterprise. Certificate-based EAP-TLS authentication provides strong classical security (per-user certificates, mutual authentication), but its reliance on ECDHE and RSA/ECDSA certificates makes it Q-Unsafe through Shor-class attacks. The remediation paths diverge sharply: upgrading WPA2-PSK’s AES-128 to AES-256 is a configuration change; upgrading WPA2-Enterprise requires replacing the entire EAP-TLS key exchange with post-quantum mechanisms, touching certificate infrastructure, RADIUS servers, and supplicant software.
This is a pattern I see repeated across the industry. Every time we replaced a symmetric mechanism with public-key cryptography for convenience, scalability, or stronger classical properties, we potentially created a new quantum attack surface. The migration to post-quantum cryptography is, in part, cleaning up the quantum debt accumulated through two decades of public-key deployment.
Organizations should audit their recent protocol upgrades through this lens. Where was public-key cryptography introduced in place of symmetric operations? Those are the points where classical improvements may have created quantum exposure.
What the Framework Does Not Cover
The Cisco team is transparent about the boundaries of their analysis, and those gaps matter for practitioners.
The framework treats each layer as implementing a fixed cryptographic profile for a given session. Real networks feature dynamic protocol negotiation where cipher suites change based on client capabilities, server configuration, and intermediary policies. A network that advertises PQC-capable TLS but falls back to classical suites for legacy clients may not achieve the quantum posture its administrators assume.
Side channels are not modeled. The composition rules address algorithmic vulnerability, not implementation-level attacks like timing leaks, cache attacks, or power analysis that could compromise even post-quantum implementations.
The five case studies analyze specific instantiated configurations, not all possible deployments of those protocols. As the authors carefully note, their conclusions are properties of the analyzed configurations, not universal claims.
The paper also focuses on data-in-transit scenarios. The broader PQC migration challenge includes data at rest, code signing, firmware verification, certificate infrastructure, and long-lived keys in hardware security modules, none of which are addressed by this cross-layer model. The framework answers an important question well, but it answers one question.
Practical Takeaways for Security Leaders
For CISOs, CTOs, and security architects, this paper provides a decision framework that can immediately inform PQC migration planning:
For HNDL protection, pick one layer and migrate it. Identify the layer where PQC deployment is most operationally feasible. Application-layer encryption gives you end-to-end protection that survives intermediary compromise. Outermost-layer migration protects both payload and metadata. Either delivers quantum-safe confidentiality for data in transit. Use this to build momentum while planning the broader migration, following the phased approach outlined in the PQC Migration Framework.
For authentication, map every layer and plan for complete coverage. There are no shortcuts here. Every public-key authentication point across every protocol layer needs to be inventoried and scheduled for migration. This is where crypto-agility earns its investment: if your authentication systems cannot be updated without replacing entire protocol stacks, your migration timeline extends by years.
For metadata protection, prioritize the outermost layer. Inner-layer PQC cannot compensate for an outer layer’s quantum vulnerability when it comes to metadata. If you are concerned about traffic analysis and connection pattern exposure, the outermost encryption layer demands priority attention.
Audit your “upgrades” for quantum regression. The WPA2/WPA3 finding should prompt a systematic review. Where in your infrastructure have you adopted protocols that trade symmetric operations for public-key mechanisms? Those transitions may have improved classical security while increasing quantum attack surface.
The Cisco team has also identified a practical tool need: scanners that analyze complete protocol stacks and compute quantum posture using these composition rules. Until such tooling exists, the framework at least gives security teams a systematic methodology for manual assessment.
Connecting to the Broader Migration Picture
This research lands at an important moment. Google has set a 2029 target for completing its PQC migration. NIST’s transition timeline (IR 8547) sets deprecation at 2030 and disallowance at 2035. Meta published its own PQC migration playbook in April 2026. And now Cisco Research has provided the formal underpinning for understanding which parts of that migration protect which security properties.
The composition rules also inform the ongoing debate about Q-Day urgency. The one-layer confidentiality rule means organizations can achieve meaningful HNDL protection with a targeted first step. The all-layers authentication requirement means that even organizations unconcerned about HNDL cannot defer authentication migration indefinitely. As I have argued, the deadlines are already set by regulators, insurers, and investors, regardless of when a CRQC actually materializes.
The paper’s most important contribution may be the simplest one: transforming “migrate to post-quantum cryptography” from a single undifferentiated mandate into three distinct problems (confidentiality, authentication, metadata) with three different urgency profiles, three different minimum-effort thresholds, and three different composition rules. That distinction enables smarter resource allocation. For an industry where most organizations are still in the inventory and assessment phase, knowing which migration delivers which protection is the difference between strategic action and expensive busywork.