Transition to post-quantum Public Key Infrastructures

Opened

Programme Category

EU Competitive Programmes

Programme Name

Digital Europe Programme

Programme Description

Digital Europe Programme is the first EU programme that aims to accelerate the recovery and drive the digital transformation of Europe.

Worth €7.6 billion (in current prices), the Programme is a part of the next long-term EU budget, (the Multiannual Financial Framework), and it covers 2021 to 2027. It will provide funding for projects in five crucial areas: supercomputing, artificial intelligence, cybersecurity, advanced digital skills, and ensuring the wide use of digital technologies across the economy and society.

The Programme is fine-tuned to fill the gap between the research of digital technologies and their deployment, and to bring the results of research to the market – for the benefit of Europe’s citizens and businesses, and in particular SMEs. Investments under the Digital Europe programme supports the Union’s twin objectives of a green transition and digital transformation and strengthens the Union’s resilience and strategic autonomy.

Programme Details

Identifier Code

DIGITAL-ECCC-2025-DEPLOY-CYBER-08-PUBLICPQC

Call

Transition to post-quantum Public Key Infrastructures

Summary

Proposals shall target activities on the following subjects:

  • design of digital signature combiners and key encapsulation mechanism combiners.
  • the testing of deployment of certificates in protocols that use those certificates.
  • the development of novel protocols for Automatic Certificate Management and revocation and of novel protocols for (privacy-friendly) certificate-transparency.
  • the development of methods and tools that can be used by experts across various PKI domains, including all aspects of key management of asymmetric systems.

Detailed Call Description

Proposals should carefully consider the requirements and constraints, such as security level, performance and business continuity, in a broad range of applications relevant for critical societal sectors and processes (such as governmental services, telecom, banking, smart homes, e-Health, automotive, and other sectors).

Proposals should address functions such as key establishment, digital signatures, and secure communication protocols that require careful adaptation with post-quantum counterparts to ensure resilience against threats posed by quantum-capable adversaries.

Proposals should safeguard compatibility with existing legacy systems. To achieve this, a transition to PKIs that support both pre-quantum and post-quantum cryptography should be addressed. The proposed systems should be able to seamlessly interact with legacy systems by disabling the post-quantum component as needed while preventing downgrade attacks. Relying solely on PQC solutions in this intermediate transition phase could introduce security risks given that the security analysis of the cryptosystems and of their implementations is not as mature as for their pre-quantum counterparts. Proposals should therefore use combinations of PQC solutions and established pre-quantum solutions, making sure to provide strongest-link security, meaning that the system remains secure as long as at least one of the components of the combination is secure.

For certificates for protocols that support negotiation, such as X.509 certificates for the Transport Layer (TLS), the use of post-quantum key exchange has already been demonstrated and can be implemented in a decentralised manner. Many other protocols need to be migrated, and this process will be more complex when old and new configurations must coexist. Moreover, for applications in IoT, smartcards, identity documents and others, the migration strategies defined for the core use cases of X.509 may well not work.

Proposals should develop clear procedures to effectively guide the various stakeholders involved in PKIs across different usage domains through the transition process.

Effective consortia should comprise a diverse range of actors along the entire PKI chain, encompassing expertise in areas such as software development, hardware implementation, cryptographic research, standardisation, policy, and application deployment, as well as organisations that can provide user case studies and real-world applications.

Activities should include some or all of the following:

  • Identification of requirements necessary to implement hybrid certificates.
  • Development of approaches and techniques for constructing cryptographic combiners for different protocols.
  • Testing of the combiners for issuance of new certificates for the different applications, taking into consideration the need to balance the growth of key, signature, and ciphertext sizes, which can lead to compatibility issues with standards, such as PKI certificates, revocation mechanisms, (privacy-friendly) certificate transparency mechanisms, the use of different cryptographic protocols across certificate chains, the applications requirements, such as security level, time-constraints in signing and verification steps, communication/computational and storage overhead, and hardware optimisation requirements.
  • Development of and/or further improvement of open-source libraries.
  • Development of novel protocols for Automatic Certificate Management and revocation, and of novel protocols for (privacy-friendly) certificate-transparency. Support to standardisation activities.
  • Development of recipes for the design and deployment of the new PKIs, with analysis that depends on each component of a given PKI. • Tests on specialised uses of X.509 certificates other than the core cases using TLS, such as roots of trust, device integrity, firmware signing, and others.
  • Design, improvement and testing of X.509 alternatives, such as, among others, Merkle tree ladders, the GNU Name System, older proposals such as SPKI and SDSI and the use of key encapsulation mechanisms for on-demand authentication in place of signatures.
  • Awareness and training activities for stakeholders with different profiles, emphasising the interdependencies in the transition and facilitating a broader understanding of the technical standards amongst PKI users.

Call Total Budget

€15.000.000

Financing percentage by EU or other bodies / Level of Subsidy or Loan

50%

Requested grant amount per project: indicatively between €3 and €4 million, but other amounts are not excluded if duly justified.

Thematic Categories

  • Information and Communication Technologies
  • Information Technology
  • Public Administration

Eligibility for Participation

  • Businesses
  • Central Government
  • Large Enterprises
  • Legal Entities
  • Other Beneficiaries
  • Private Bodies
  • State-owned Enterprises

Eligibility For Participation Notes

In order to be eligible, applicants (beneficiaries and affiliated entities) must:

  • Be legal entities (public or private bodies).

  • Be established in one of the eligible countries, namely:

    • EU Member States (including overseas countries and territories (OCTs)).

    • EEA countries (Norway, Iceland, Liechtenstein).

Beneficiaries and affiliated entities must register in the Participant Register before submitting the proposal and will need to be validated by the Central Validation Service (REA Validation). For the validation, they will be required to upload documents proving their legal status and origin.

Other entities may participate in different consortium roles, such as associated partners, subcontractors, or third parties providing in-kind contributions (see section 13).

Please note, however, that all topics of this call are subject to restrictions for security reasons. Therefore, entities must not be directly or indirectly controlled by a country that is not considered an eligible country. All entities must complete and submit a declaration on ownership and control.

Call Opening Date

12/06/2025

Call Closing Date

07/10/2025

National Contact Point(s)

Ministry of Research, Innovation and Digital Policy
Directorate of Research and Innovation

Eleana Gabriel
Telephone: +357 22 691918
Email: egabriel@dmrid.gov.cy

EU Contact Point

For help related to this call, please contact ECCC Applicants Direct Contact Centre at applicants@eccc.europa.eu