Assessing the Real-World Impact of Post-Quantum Cryptography on WPA-Enterprise Networks
The advent of large-scale quantum computers poses a significant threat to contemporary network security protocols, including Wi-Fi Protected Access (WPA)-Enterprise authentication. To mitigate this threat, the adoption of Post-Quantum Cryptography (PQC) is critical. In this work, we investigate the performance impact of PQC algorithms on WPA-Enterprise-based authentication. To this end, we conduct an experimental evaluation of authentication latency using a testbed built with the open-source tools FreeRADIUS and hostapd, measuring the time spent at the client, access point, and RADIUS server. We evaluate multiple combinations of PQC algorithms and analyze their performance overhead in comparison to currently deployed cryptographic schemes. Beyond performance, we assess the security implications of these algorithm choices by relating authentication mechanisms to the quantum effort required for their exploitation. This perspective enables a systematic categorization of PQ-relevant weaknesses in WPA-Enterprise according to their practical urgency. The evaluation results show that, although PQC introduces additional authentication latency, combinations such as ML-DSA-65 and Falcon-1024 used in conjunction with ML-KEM provide a favorable trade-off between security and performance. Furthermore, we demonstrate that the resulting overhead can be effectively mitigated through session resumption. Overall, this work presents a first real-world performance evaluation of PQC-enabled WPA-Enterprise authentication and demonstrates its practical feasibility for enterprise Wi-Fi deployments.
Research Summary
The paper addresses the looming threat that large‑scale quantum computers pose to the cryptographic primitives used in WPA‑Enterprise authentication, namely RSA and Diffie‑Hellman based key exchange and digital signatures. To protect enterprise Wi‑Fi networks against future quantum adversaries, the authors integrate NIST‑standardized post‑quantum cryptography (PQC) algorithms into the EAP‑TLS/EAP‑TTLS authentication flow and evaluate the resulting performance impact in a realistic wireless environment.
A testbed is built using the open‑source RADIUS server FreeRADIUS and the hostapd access‑point daemon. The setup emulates both 2.4 GHz and 5 GHz WLANs and measures latency at three logical points: the client, the access point (AP), and the RADIUS server. For each point the authors record the time spent in the EAP round‑trip, the CPU cycles consumed by cryptographic operations, memory usage, and the size of transmitted packets.
The study evaluates several PQC key‑encapsulation mechanisms (KEMs) and signature schemes that have been standardized or are in the final stages of standardization: ML‑KEM (parameter sets 512, 768, 1024) as the KEM, and ML‑DSA (levels 44, 65, 87), Falcon (512, 1024), and SLH‑DSA (various hash‑based variants) as signature algorithms. The authors also construct hybrid schemes that concatenate a classical algorithm (RSA or ECDH) with a PQC algorithm, to explore a risk‑aware transition path.
Performance results show that PQC artifacts are substantially larger than their classical counterparts. For example, ML‑KEM public keys range from 800 bytes (level 1) to 1 568 bytes (level 5), a growth of more than 12× compared with the 64‑byte X25519 key. Consequently, TLS handshake messages often exceed the 1 KB limit of a single EAP packet, forcing fragmentation and additional EAP round‑trips. Measured authentication latency rises from roughly 45 ms with RSA/ECDH to 80–120 ms with the PQC combinations, depending on the specific algorithms and the wireless band.
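The fragmentation effect described above can be reproduced with the following sketch, which is an added example and not code from the paper or its repository: it splits a server TLS flight into EAP-TLS packets using the RFC 5216 L and M flags, reassembles it on the peer side, and counts the acknowledgement round trips. The choice of ML-KEM-768 with a two-certificate ML-DSA-65 chain, the `cert_meta` and `other` allowances, and applying the 1024-byte cap to the TLS data in each packet are assumptions made for illustration.

```python
import struct

EAP_REQUEST, EAP_TYPE_TLS = 1, 13
FLAG_L, FLAG_M = 0x80, 0x40  # RFC 5216 flags: length included, more fragments

# Published object sizes in bytes (FIPS 203 ML-KEM-768, FIPS 204 ML-DSA-65).
ML_KEM_768_CIPHERTEXT = 1088
ML_DSA_65_PUBLIC_KEY, ML_DSA_65_SIGNATURE = 1952, 3309

def server_flight_size(chain_len=2, cert_meta=300, other=200):
    """Rough size of the server's TLS flight. cert_meta and other are assumed
    allowances for names, extensions and handshake framing, not measurements."""
    certs = chain_len * (ML_DSA_65_PUBLIC_KEY + ML_DSA_65_SIGNATURE + cert_meta)
    return ML_KEM_768_CIPHERTEXT + certs + ML_DSA_65_SIGNATURE + other

def fragment(flight, fragment_size=1024, first_id=1):
    """Split one TLS flight into EAP-TLS Request packets."""
    chunks = [flight[i:i + fragment_size]
              for i in range(0, len(flight), fragment_size)] or [b""]
    packets = []
    for n, chunk in enumerate(chunks):
        flags, length_field = 0, b""
        if len(chunks) > 1 and n == 0:  # first fragment carries total length
            flags |= FLAG_L
            length_field = struct.pack("!I", len(flight))
        if n < len(chunks) - 1:
            flags |= FLAG_M
        data = bytes([EAP_TYPE_TLS, flags]) + length_field + chunk
        header = struct.pack("!BBH", EAP_REQUEST, (first_id + n) & 0xFF, 4 + len(data))
        packets.append(header + data)
    return packets

def reassemble(packets):
    """Peer side: validate headers and flags, return the TLS flight."""
    out, declared = bytearray(), None
    for n, pkt in enumerate(packets):
        code, _ident, length = struct.unpack("!BBH", pkt[:4])
        if code != EAP_REQUEST or length != len(pkt) or pkt[4] != EAP_TYPE_TLS:
            raise ValueError("malformed EAP-TLS packet")
        flags, offset = pkt[5], 6
        if flags & FLAG_L:
            declared, offset = struct.unpack("!I", pkt[6:10])[0], 10
        if bool(flags & FLAG_M) != (n < len(packets) - 1):
            raise ValueError("M flag does not match fragment position")
        out += pkt[offset:]
    if declared is not None and declared != len(out):
        raise ValueError("TLS message length mismatch")
    return bytes(out)

def extra_round_trips(packets):
    """Each fragment with M set costs one empty EAP-Response acknowledgement."""
    return sum(1 for pkt in packets if pkt[5] & FLAG_M)

if __name__ == "__main__":
    pkts = fragment(bytes(server_flight_size()))  # zero-filled stand-in flight
    print(len(pkts), "EAP packets,", extra_round_trips(pkts), "extra round trips")
```

Under these assumptions a single server flight spans 16 EAP packets, so the peer sends 15 empty acknowledgements before it can answer the TLS message itself.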
In terms of computational overhead, ML‑KEM key generation, encapsulation, and decapsulation require between 1.2 × 10⁵ and 3.9 × 10⁵ CPU cycles, whereas RSA‑2048 key generation needs on the order of 2.7 × 10⁷ cycles. Signature generation with ML‑DSA‑65 consumes about 4 × 10⁵ cycles and verification about 1 × 10⁵ cycles; Falcon‑1024 is even faster, with roughly 2 × 10⁵ cycles for signing and 8 × 10⁴ cycles for verification. By contrast, SLH‑DSA signatures are larger and slower, making them less attractive for bandwidth‑constrained Wi‑Fi.
Security analysis introduces a “quantum annoyance” metric that maps the effort required by a quantum adversary to the NIST security levels (1–5). The selected PQC suite (ML‑KEM + ML‑DSA‑65 + Falcon‑1024) corresponds to security level 3, implying that a quantum attacker would need roughly 2⁸⁰–2⁹⁰ quantum operations to break the scheme—far beyond the capabilities of any foreseeable quantum computer. Hybrid constructions, while offering a safety net if one component is compromised, double the data transmitted and increase processing time, rendering them impractical for most enterprise deployments.
A key practical contribution is the demonstration that TLS 1.3 session resumption can mitigate the added latency. By caching the result of the expensive PQC handshake, subsequent re‑authentications only perform the lightweight TLS resumption, cutting average authentication time by more than 40 %. This is especially beneficial in environments with frequent roaming or short‑lived sessions.
The authors release all patches to FreeRADIUS and hostapd, along with configuration files and scripts, on a public GitHub repository, enabling reproducibility and further research.
In conclusion, the paper provides the first comprehensive, real‑world performance evaluation of PQC‑enabled WPA‑Enterprise authentication. It identifies ML‑DSA‑65 combined with Falcon‑1024 and ML‑KEM as the most balanced configuration, offering strong quantum‑resistant security while keeping authentication latency within acceptable limits for enterprise Wi‑Fi. The work serves as a practical guide for network operators planning a transition to post‑quantum secure wireless authentication.