Univ.-Prof. Dr. Michael Hutter Dr. Axel Y. Poschmann Uwe Herzog
University of the Bundeswehr Munich PQShield Ltd Eurescom GmbH
The secure boot process is the cornerstone of modern cybersecurity, ensuring only trusted software runs on a device. With the advent of quantum computing, traditional cryptographic algorithms won’t be appropriate any longer. The EC-funded FORTRESS project will develop a solution that will enable achieving the required security level in the post quantum era.
The objective of a secure boot process is to ensure that only trusted software runs on a device, done by validating code integrity with cryptographic signatures. It upholds the Confidentiality, Integrity, and Availability (CIA) triad, protecting devices from tampering, malware, and unauthorised changes. As connected devices increasingly integrate with cloud services, secure boot must validate integrity across both hardware endpoints and cloud environments.
Traditional cryptographic algorithms long relied upon for secure boot as, e.g. RSA and ECC face obsolescence with the advent of quantum computing. Shor’s algorithm enables quantum computers to break RSA, ECC, and similar cryptosystems, necessitating a transition to Post-Quantum Cryptography (PQC). Global efforts are underway to develop quantum-resistant standards with EU agencies like ANSSI and BSI advocating for Post-Quantum/Traditional (PQ/T) hybrid cryptographic models. These models combine traditional and quantum-safe algorithms, offering added resilience during the transition. However, PQ/T implementation poses challenges including algorithm limitations, performance trade-offs and compliance issues. Aiming at addressing these, organisations like ETSI, CISA and NCSC have issued guidance on PQ/T hybrid cryptography deployment. ETSI emphasises standardisation and optimization to manage PQ/T hybrid system complexities, while CISA and NCSC highlight proactive collaboration for safeguarding infrastructure and planning PQC transitions.
A robust and scalable solution is critical for quantum-safe secure boot. This includes developing a PQ/T Hybrid Root of Trust (RoT) that integrates traditional and post-quantum algorithms, minimising performance overheads, and enabling secure boot across diverse platforms. The solution has to take into account aspects of security, performance and cost, and must align with regulatory requirements. The FORTRESS project will develop a solution that will enable embedded systems, edge devices, and Critical National Infrastructure (CNI) to seamlessly transition to quantum-resistant architectures which will be an essential element in ensuring the future security of digital systems in Europe.
What tools and technologies will be used?
To deliver on its objectives, FORTRESS will develop a comprehensive set of tools and technologies designed to support the secure integration of post-quantum and PQ/T hybrid cryptographic mechanisms across diverse platforms. First, an open-source benchmarking framework will be created that includes performance profiling scripts, analytical models, and automated evaluation pipelines to assess RoT implementations against key performance indicators (KPIs) such as latency, area, memory usage, and security. This tool set will enable stakeholders to make data-driven decisions when selecting or designing quantum-resistant secure boot mechanisms. Second, FORTRESS will design PQ/T hybrid cryptographic cores using HW/SW co-design methodologies that integrate traditional algorithms (e.g. RSA, ECDSA) with post-quantum schemes (e.g. FN-DSA, LMS, ML-DSA), optimized for efficiency, scalability, as well as fault and side-channel resistance. These cores will be evaluated in both embedded and cloud-connected environments. To address real-world deployment needs, FORTRESS will produce reference implementations of PQ/T hybrid secure boot flows, accompanied by integration guidelines, performance baselines, and compliance checklists. In parallel, the project will develop a threat-informed attack library and conduct research on active and passive attacks targeting PQC schemes, to support hardening efforts. All tools and findings will be shared with the wider community under open or appropriately licensed terms, ensuring transparency, reproducibility, and long-term impact.
How it will benefit the stakeholders/business at large?
FORTRESS will benefit stakeholders and the broader business landscape by providing the tools, technologies, and guidance needed to securely transition to post-quantum cryptography without disrupting existing operations. The project delivers practical solutions for deploying PQ/T hybrid cryptographic models ensuring long-term security while maintaining compatibility with current systems. Businesses and technology providers will gain access to an open-source benchmarking framework to evaluate Root of Trust (RoT) implementations against defined performance and security metrics, enabling informed decisions on secure boot integration and system design. Operators of embedded systems, edge devices, and critical national infrastructure (CNI) will be able to assess quantum-safe secure boot mechanisms with minimal performance and cost impact. By focusing on PQ/T hybrid schemes such as ML-DSA/ECDSA and FN-DSA/ECDSA, FORTRESS supports real-world migration strategies that avoid disruptive system overhauls. The project also addresses key implementation challenges such as overhead, interoperability, and compliance by aligning with international recommendations from ETSI, CISA, and NCSC. Stakeholders will benefit from reduced cybersecurity risk, improved regulatory readiness, and increased trust in digital systems. With additional resources like reference architectures, evaluation tools, and research on PQC-specific threats, FORTRESS empowers businesses to future-proof their security infrastructure while staying competitive in a rapidly evolving threat landscape.
Conclusion
As we enter the quantum era, trustworthiness of devices and infrastructures needs a fundamental overhaul of secure boot processes. Traditional cryptography can no longer assure long-term resilience, thus the transition to post-quantum and PQ/T hybrid models is both urgent and strategic. The FORTRESS project positions Europe at the forefront of this evolution by delivering an integrated framework of tools, methodologies, and reference implementations that enable a smooth, standards-aligned migration to quantum-resistant architectures.
By combining research on post-quantum algorithms with practical implementation pathways — from frameworks to hybrid Root of Trust (RoT) designs — FORTRESS bridges the gap between theoretical security and operational applicability. Its open and collaborative approach will ensure its adoption by industry, regulators, and critical infrastructure operators alike.
FORTRESS will empower stakeholders to build systems that remain secure, compliant, and trusted in a post-quantum world. This effort prepares for quantum disruption, which is not only a technical necessity but a strategic investment in the resilience and competitiveness of future digital ecosystems.
Further information
• FORTRESS website: https://pq-fortress.eu/