Proposals should carefully consider the requirements and constraints, such as security level, performance and business continuity, in a broad range of applications relevant for critical societal sectors and processes (such as governmental services, telecom, banking, smart homes, e-Health, automotive, and other sectors).

Proposals should address functions such as key establishment, digital signatures, and secure communication protocols that require careful adaptation with post-quantum counterparts to ensure resilience against threats posed by quantum-capable adversaries.

Proposals should safeguard compatibility with existing legacy systems. To achieve this, a transition to PKIs that support both pre-quantum and post-quantum cryptography should be addressed. The proposed systems should be able to seamlessly interact with legacy systems by disabling the post-quantum component as needed while preventing downgrade attacks. Relying solely on PQC solutions in this intermediate transition phase could introduce security risks given that the security analysis of the cryptosystems and of their implementations is not as mature as for their pre-quantum counterparts. Proposals should therefore use combinations of PQC solutions and established pre-quantum solutions, making sure to provide strongest-link security, meaning that the system remains secure as long as at least one of the components of the combination is secure.

For certificates for protocols that support negotiation, such as X.509 certificates for the Transport Layer (TLS), the use of post-quantum key exchange has already been demonstrated and can be implemented in a decentralised manner. Many other protocols need to be migrated, and this process will be more complex when old and new configurations must coexist. Moreover, for applications in IoT, smartcards, identity documents and others, the migration strategies defined for the core use cases of X.509 may well not work.

Proposals should develop clear procedures to effectively guide the various stakeholders involved in PKIs across different usage domains through the transition process.

Effective consortia should comprise a diverse range of actors along the entire PKI chain, encompassing expertise in areas such as software development, hardware implementation, cryptographic research, standardisation, policy, and application deployment, as well as organisations that can provide user case studies and real-world applications.

Activities should include some or all of the following:

• Identification of requirements necessary to implement hybrid certificates.
• Development of approaches and techniques for constructing cryptographic combiners for different protocols.
• Testing of the combiners for issuance of new certificates for the different applications, taking into consideration the need to balance the growth of key, signature, and ciphertext sizes, which can lead to compatibility issues with standards, such as PKI certificates, revocation mechanisms, (privacy-friendly) certificate transparency mechanisms, the use of different cryptographic protocols across certificate chains, the applications requirements, such as security level, time-constraints in signing and verification steps, communication/computational and storage overhead, and hardware optimisation requirements.
• Development of and/or further improvement of open-source libraries.
• Development of novel protocols for Automatic Certificate Management and revocation, and of novel protocols for (privacy-friendly) certificate-transparency. Support to standardisation activities.
• Development of recipes for the design and deployment of the new PKIs, with analysis that depends on each component of a given PKI. • Tests on specialised uses of X.509 certificates other than the core cases using TLS, such as roots of trust, device integrity, firmware signing, and others.
• Design, improvement and testing of X.509 alternatives, such as, among others, Merkle tree ladders, the GNU Name System, older proposals such as SPKI and SDSI and the use of key encapsulation mechanisms for on-demand authentication in place of signatures.
• Awareness and training activities for stakeholders with different profiles, emphasising the interdependencies in the transition and facilitating a broader understanding of the technical standards amongst PKI users.