# Cellular SIM and eSIM PQC

**Source**: https://quantumsequrity.com/blog/cellular-sim-esim-pqc
**Category**: Industry & Use Cases

---

The SIM card is the most distributed cryptographic device on the planet. There are over eight billion active mobile subscriptions worldwide, and almost every one of them has a SIM (Subscriber Identity Module) somewhere: either a physical chip in the phone, or an embedded SIM (eSIM) provisioned electronically. The SIM holds a secret key that authenticates the subscriber to the mobile network. Without that key, your phone cannot make calls, send texts, or use mobile data. With it, the network can verify exactly who you are.

Every cellular generation since 2G has used the SIM as the root of subscriber trust. The cryptographic algorithms inside the SIM have evolved (Comp128, Milenage, Tuak), but the basic model has stayed the same: a long-term symmetric key shared between the SIM and the operator. Post-quantum cryptography matters here for two reasons. First, the public-key infrastructure that provisions SIMs and delivers OTA updates uses RSA and ECDSA today, and that infrastructure must migrate. Second, eSIM and the GSMA SGP specifications introduce more public-key cryptography directly into the provisioning flow, and that public-key cryptography must also migrate.

## How a SIM Authenticates to the Network

The fundamental model is shared-secret authentication. The SIM stores a key K (Ki in 3G/4G terminology, K_AUSF derivation in 5G). The operator's authentication server stores the same K. When the phone tries to attach to the network, the network sends a challenge. The SIM computes a response using K and a cryptographic algorithm (Milenage in most modern deployments, Tuak in some). The network verifies the response.

This protocol is symmetric, and AES-based Milenage and Tuak are quantum-resistant in the relevant sense. Grover's algorithm halves the effective key strength of symmetric cryptography, which means a 256-bit key has 128 bits of effective security against quantum attack. Standard SIM keys are 128 bits, so under Grover the effective security drops to 64 bits. This is why some operators are evaluating 256-bit keys for new deployments.

The bigger PQC concern is not the authentication itself but the surrounding infrastructure: how the SIM gets provisioned, how the operator's CA signs SIM profiles, and how OTA updates are authenticated.

## Physical SIM and Pre-Personalization

A physical SIM is manufactured in a SIM personalization facility. During pre-personalization, the manufacturer loads cryptographic material onto the chip: the long-term key K, the operator's network identifier, the operator's IMSI range allocation, and any additional applications (banking, transit, identity).

The cryptographic protection during this process is critical. If an attacker gets access to the K values being loaded onto SIMs, they can impersonate any subscriber whose SIM was processed at that facility. Real-world attacks have happened: the 2013 Snowden disclosures included documents about the NSA and GCHQ stealing SIM keys from a major SIM manufacturer.

The protection of the pre-personalization data flow today uses RSA and ECDSA for authentication and AES for confidentiality. PQC migration here means upgrading the digital signature algorithm used to sign SIM profile orders, the key wrapping used to deliver K material from the operator to the SIM facility, and the certificates used to authenticate parties in the provisioning flow.

## OTA Updates and SIM Toolkit

Once a SIM is in a phone in a customer's pocket, the operator can still update it via Over-The-Air (OTA) commands. These commands can update SIM applications, modify allowed networks, change configuration, or even rotate the long-term authentication key in some advanced deployments.

OTA updates are protected by cryptographic signatures. The operator signs an update with their key, and the SIM verifies the signature. Today these signatures use RSA-2048 or ECDSA. PQC migration means moving to ML-DSA-65 or, for stateful long-term signing, LMS or HSS as defined in NIST SP 800-208.

Read more about the broader 5G-Advanced and 6G PQC roadmap in [PQC telecom 5G and 6G](pqc-telecom-5g-6g.html).

## The eSIM Revolution and GSMA SGP

The eSIM (embedded SIM) replaces the physical SIM card with a chip soldered into the device. The user does not insert a card; instead, they download a profile electronically. This is convenient but it requires a much more complex provisioning flow than physical SIMs, and that flow uses public-key cryptography in places where physical SIMs do not.

The GSMA defines the eSIM standards. The two key documents are:

- **GSMA SGP.22**: The "Remote SIM Provisioning Architecture for consumer devices" specification, used for smartphones, tablets, smartwatches, etc. SGP.22 defines how a phone discovers and downloads an eSIM profile.

- **GSMA SGP.32**: The "eSIM IoT Architecture and Requirements" specification, used for IoT devices. SGP.32 is newer and addresses the scale and constraints of IoT (massive numbers of devices, intermittent connectivity, low power).

Both specifications use TLS, certificates, and digital signatures throughout the provisioning flow. PQC migration affects every certificate, every signature, and every TLS connection in the eSIM ecosystem.

## SGP.22 and Consumer Provisioning

In SGP.22, when a user wants to activate an eSIM, the flow is roughly:

1. The user gets an activation code (a QR code or manual entry) from the operator
2. The phone's Local Profile Assistant (LPA) connects to the operator's SM-DP+ (Subscription Manager Data Preparation Plus) over TLS
3. The SM-DP+ authenticates the device using the eUICC's certificate
4. The operator authorizes the profile download
5. The SM-DP+ generates an encrypted profile for the eUICC
6. The eUICC decrypts and installs the profile

Every step here uses public-key cryptography. The eUICC has its own certificate, signed by the eUICC manufacturer's CA, which is signed by the GSMA root CA (the GSMA Certificate Issuer or GSMA CI). The SM-DP+ has its own certificate, also signed by GSMA CI. The TLS connection between the phone and the SM-DP+ uses these certificates.

For PQC, every one of these certificates needs to migrate. The GSMA root CA needs to issue PQC root certificates, the eUICC manufacturers need to issue PQC certificates for new chips, and the SM-DP+ servers need PQC server certificates. The TLS sessions need to support hybrid ML-KEM key exchange.

The GSMA has been working on this. GSMA SGP.27, "eSIM Specifications Update", and various working group outputs discuss PQC migration timing. The realistic deployment of PQC in production eSIM provisioning is expected around 2027 to 2029.

## SGP.32 and IoT Provisioning

SGP.32 is the IoT-focused specification. It addresses problems that SGP.22 does not, like:

- IoT devices may not have a user interface for QR code scanning
- IoT devices may have intermittent connectivity, especially during activation
- IoT devices have very long lifetimes (10 to 25 years)
- IoT devices are often resource-constrained

The SGP.32 architecture introduces the IoT Profile Assistant (IPA) that runs on the device and handles provisioning, plus the eIM (eSIM IoT Manager) that orchestrates fleet-scale provisioning. The cryptographic flows are similar to SGP.22 but with adaptations for IoT scale.

For PQC, SGP.32 has the bigger long-term concern because IoT device lifetimes can stretch past Q-day. An IoT device deployed in 2025 might still be operating in 2045. The cryptographic infrastructure that authenticates that device needs to survive that long, which means PQC is mandatory rather than optional.

For more on IoT PQC, see [PQC IoT smart home devices](pqc-iot-smart-home-devices.html).

## The eUICC and Its Constraints

The eUICC is the physical chip that holds the eSIM profiles. It is a secure element similar to a SIM card, with limited compute power and limited memory. Typical eUICCs have:

- 32-bit microcontroller, often Cortex-M class
- 256 KB to 1 MB of flash memory
- 32 KB to 256 KB of RAM
- Hardware accelerators for AES, sometimes for RSA/ECC

Implementing PQC on an eUICC is harder than on a phone or laptop. ML-KEM-768 implementations on Cortex-M class hardware exist and are workable, taking 10 to 30 milliseconds per operation. ML-DSA-65 is similar. The challenge is that eUICCs have to support both classical and PQC algorithms during the transition, which roughly doubles the cryptographic code footprint.

Storage is another constraint. ML-DSA-65 public keys are about 2 KB, signatures are about 3.3 KB, and a typical certificate carries multiple keys and signatures. The total storage cost of PQC certificates compared to classical ECDSA certificates can be 5 to 10 times larger. This matters when the eUICC has to store multiple profiles, each with their own certificates.

## Hybrid Mode During Migration

Like every other PQC migration, the eSIM ecosystem will move through a hybrid phase. New certificates will carry both a classical signature (for backward compatibility with deployed devices that do not support PQC) and a PQC signature (for forward security). Hybrid TLS modes (X25519 + ML-KEM) will be supported during connection establishment.

This hybrid phase may last 5 to 10 years. The catch is that eUICCs are deployed for the lifetime of the device, which means hybrid support needs to last as long as the longest-lived eUICC currently in service. For consumer eSIM, this is typically 5 to 7 years. For IoT eSIM, it can be 20+ years.

For the algorithmic background on hybrid, see [hybrid encryption](hybrid-encryption.html) and [ML-KEM explained](ml-kem-explained.html).

## OTA Updates Carry Their Own Risk

Even after a SIM or eSIM is provisioned, OTA updates continue throughout the lifetime of the device. These updates can change SIM applications, modify network configuration, or update cryptographic algorithms.

The cryptography that protects OTA updates is exactly the same as software signing for any other connected device: a digital signature that the SIM verifies before applying the update. PQC migration here is mandatory because if the OTA signing key is broken by a quantum computer, an attacker can forge updates that take over every SIM the operator manages.

For long-term security, NIST SP 800-208 stateful hash-based signatures (LMS, HSS) are attractive for OTA signing because their security depends only on hash function security and they are already approved for use. The trade-off is that stateful signatures require careful key management to never reuse a one-time signing key.
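The key-management requirement above can be made concrete with a short sketch. This is an added example, not code from the article or from any operator's OTA platform: it uses a toy Lamport one-time signature as a stand-in for an LMS/HSS leaf key, and the names `StatefulSigner`, `ots_keypair`, `ots_verify` and the JSON state file are hypothetical. The point it shows is the ordering: the advanced index is written to durable storage before the signature is produced.

```python
import hashlib, json, os

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def msg_bits(msg: bytes) -> list:
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def ots_keypair(seed: bytes, index: int):
    """Toy Lamport one-time key for leaf `index` (stand-in for an LMS leaf)."""
    sk = [[H(seed + index.to_bytes(4, "big") + i.to_bytes(2, "big") + bytes([b]))
           for b in (0, 1)] for i in range(256)]
    pk = [[H(s) for s in pair] for pair in sk]
    return sk, pk

def ots_verify(pk, msg: bytes, sig) -> bool:
    return all(H(sig[i]) == pk[i][b] for i, b in enumerate(msg_bits(msg)))

class StatefulSigner:
    """Hands out each one-time key index exactly once, even across restarts."""

    def __init__(self, seed: bytes, state_path: str, capacity: int):
        self.seed, self.state_path, self.capacity = seed, state_path, capacity

    def _reserve_index(self) -> int:
        nxt = 0
        if os.path.exists(self.state_path):
            with open(self.state_path) as f:
                nxt = json.load(f)["next_index"]
        if nxt >= self.capacity:
            raise RuntimeError("one-time keys exhausted; provision a new key")
        # Persist the advanced counter BEFORE any signature exists, so a crash
        # can waste an index but can never cause one to be used twice.
        tmp = self.state_path + ".tmp"
        with open(tmp, "w") as f:
            json.dump({"next_index": nxt + 1}, f)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, self.state_path)  # atomic rename on POSIX
        return nxt

    def sign(self, msg: bytes):
        index = self._reserve_index()
        sk, _ = ots_keypair(self.seed, index)
        return index, [sk[i][b] for i, b in enumerate(msg_bits(msg))]
```

Restoring the state file from a backup or cloning the signer to a second host would roll the counter back, which is why production deployments keep this state inside an HSM rather than on a general-purpose filesystem.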

## Frequently Asked Questions

**Will I need a new SIM card when PQC arrives?**
For physical SIMs, probably not. The authentication core is symmetric and quantum-resistant. New SIMs may have PQC-aware OTA signing keys, but old SIMs continue to work. For eSIM, new device profiles may use PQC certificates, but the eUICC itself may need to be PQC-capable to install new profiles. Most eUICC chips manufactured from 2025 onwards are designed to be PQC-capable.

**Does PQC slow down phone activation?**
Marginally. The eSIM provisioning flow involves several TLS handshakes and certificate chain validations. Hybrid PQC adds tens of milliseconds at each handshake and a few KB of additional data transfer. For users, this is not noticeable.

**What about IoT eSIM at scale?**
SGP.32 is designed for IoT scale, and PQC will roll out as part of the SGP.32 ecosystem evolution. Operators provisioning millions of IoT eSIMs will need to budget for the additional bandwidth and compute that PQC requires, but the per-device cost is small.

**Is GSMA mandating PQC?**
Not yet, but PQC is on the roadmap. Operators that need to comply with national security mandates (CNSA 2.0 in the US, equivalent regulations elsewhere) are pushing for PQC support. Mandatory adoption timelines are likely to be set by national regulators rather than GSMA, with GSMA aligning specifications to those mandates.

**Can existing eUICCs be updated to support PQC?**
Some can, depending on the chip and the firmware update mechanism. Others cannot because they lack the compute or storage for PQC algorithms. New eUICCs designed for 2025 and beyond are typically PQC-capable. Older eUICCs may be limited to hybrid modes that fit their existing capabilities.

## Sources

- GSMA SGP.22, "RSP Architecture - Consumer Devices", https://www.gsma.com/esim/esim-specification/
- GSMA SGP.32, "eSIM IoT Architecture and Requirements", https://www.gsma.com/esim/esim-iot/
- 3GPP TS 33.501, "Security architecture and procedures for 5G System", https://www.3gpp.org/DynaReport/33501.htm
- NIST FIPS 203, "Module-Lattice-Based Key-Encapsulation Mechanism Standard", https://csrc.nist.gov/pubs/fips/203/final
- NIST FIPS 204, "Module-Lattice-Based Digital Signature Standard", https://csrc.nist.gov/pubs/fips/204/final
- NIST SP 800-208, "Recommendation for Stateful Hash-Based Signature Schemes", https://csrc.nist.gov/pubs/sp/800/208/final

