Post-quantum MACsec in Ethernet Networks

Authors

DOI:

https://doi.org/10.13052/jcsm2245-1439.1016

Keywords:

MACsec, MKA, EAP, post-quantum cryptography, authentication

Abstract

The demand for MACsec in Ethernet is increasing substantially, since MACsec is well suited to industrial applications that require both strong security and efficiency. To provide long-term security, the MACsec protocol should be resistant to future attacks, including quantum attacks. In this paper, MACsec is analysed under a quantum attack scenario. To achieve 128-bit quantum security, the AES (Advanced Encryption Standard) algorithms defined in MACsec should be mandated to use 256-bit keys. On the other hand, the classical public-key cryptosystems in MKA are not secure at all against quantum attacks, so they need to be replaced by post-quantum crypto schemes in a quantum world. We propose an authenticated post-quantum key establishment protocol which is suitable for long-term secure MACsec. The proposed protocol is used in hybrid mode, with an ephemeral key exchange and end-to-end encryption. We verified by experiments that the proposed protocol can be deployed in an existing MACsec-enabled Ethernet network.

Author Biographies

Joo Yeon Cho, ADVA Optical Networking SE, Fraunhoferstrasse 9a, Martinsried, 82152, Germany

Joo Yeon Cho received the Ph.D. degree in cryptography from Macquarie University, Australia, in 2007. He has worked on the research and development of cryptography and data security for more than 10 years. He is currently a Principal Engineer in the Advanced Technology group at ADVA Optical Networking in Munich, Germany. His expertise comprises cryptography, network security, quantum security and cybersecurity.

Andrew Sergeev, ADVA Optical Networking SE, Fraunhoferstrasse 9a, Martinsried, 82152, Germany

Andrew Sergeev is currently a senior principal engineer in the Advanced Technology department at ADVA Optical Networking, actively participating in various projects in the fields of Network Function Virtualization (NFV) and modern cryptography. Andrew has broad hands-on experience in software development, system engineering and design for data communications and wireless data services. He is the author of more than twenty inventions in the networking area. Andrew graduated from the Saint Petersburg State Electrotechnical University with an M.Sc. in electrical engineering.

Published

2021-03-22

Issue

Section

ARES 2020 Workshops
