Nextarp builds a future-ready
transparency log.
As part of CIF-NL, Nextarp is developing PQ-Transparency: a post-quantum ready, immutable transparency log for digital certificates, making certificate issuance auditable today and secure against the quantum computers of tomorrow.
Funded projects under CIF-NL 2025
The Cybersecurity Innovation Fund, 2025 round.
In December 2025, the CIF-NL 2025 scheme was opened to organisations developing innovative cybersecurity solutions, in the form of products and/or services. The 2025 funding round of CIF-NL focuses on two key sub-areas:
1 ยท Promoting crypto-agility
Enabling systems to switch flexibly and quickly to new cryptographic algorithms when existing ones become vulnerable, essential in the light of the quantum threat. This is the sub-area PQ-Transparency addresses.
2 ยท Simplifying cybersecurity solutions
Making cybersecurity easier to adopt and operate. PQ-Transparency contributes here too: one transparent platform with standardised proofs and open APIs simplifies auditing and mis-issuance detection.
Why this matters
Quantum computers will break today's certificates. Transparency keeps them honest.
RSA and ECC, the algorithms underpinning today's PKI and digital signatures, will eventually be broken by quantum algorithms. Meanwhile, "harvest-now-decrypt-later" attacks are already collecting encrypted material. Trust in digital identities depends on preparing now, and on being able to detect mis-issued certificates early.
Immutable, auditable log
An append-only transparency log built on Certificate Transparency principles (IETF RFC 9162): Merkle trees, Signed Tree Heads, and inclusion and consistency proofs that stay verifiable as the log grows.
Quantum-resistant by design
NIST-standardised post-quantum algorithms integrated throughout: ML-KEM for key establishment (FIPS 203), ML-DSA for log signing (FIPS 204), and SLH-DSA for long-term integrity (FIPS 205).
Hybrid, disruption-free migration
Classical and post-quantum algorithms run in parallel, dual signing (ECDSA + ML-DSA/SLH-DSA) and hybrid key establishment, so existing ecosystems keep working while they migrate.
Project highlights
PQ-Transparency, in highlights.
Engineering targets
- โฅ 5,000 log entries per minute, scalable further with sharding and batching
- P95 inclusion proof latency under 200 ms on reference infrastructure
- โฅ 95% verification success against external verifiers
- 100% traceability on the ETSI compliance matrix
- Verifier library, CLI and mis-issuance monitor with watchlists and notifications
Delivered over a 9-month, 6-phase programme: design, core log & PQ crypto, verification & monitoring, APIs & integrations, security & compliance, and pilots.
Who it serves
Built for the organisations that anchor digital trust.
CAs & trust service providers
Detect mis-issued certificates early and guarantee transparency towards browsers, auditors and customers.
Governments
Auditable PKI processes for eIDAS 2.0 and the EU Digital Identity Wallet, with pilots foreseen alongside services such as PKIoverheid.
Enterprise PKI
Finance, telecom and energy organisations that need a quantum-safe migration without disrupting running infrastructure.
Cloud & IoT platforms
Device certificates and authentication at scale, where harvest-now-decrypt-later is already a real risk.
Interested in a pilot or early integration?
Certificate authorities, trust service providers and public organisations are invited to join the user committee and pilot programme.
