test/VAULTMESH-ETERNAL-PATTERN/funding-roadmap/pqc-integration/partB/PartB_Implementation.md
Vault Sovereign 1583890199 Initial commit - combined iTerm2 scripts
Contains:
- 1m-brag
- tem
- VaultMesh_Catalog_v1
- VAULTMESH-ETERNAL-PATTERN

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-28 03:58:39 +00:00

# Part B Section 3 — Implementation
**Proposal:** Post-Quantum Cryptography Integration for EU Critical Infrastructure
**Call:** HORIZON-CL3-2025-CS-ECCC-06
**Budget:** €2.8M (€2.0M EU contribution)
**Section:** Implementation (40 points)
**Date:** 2025-11-06
---
## 3.1 Work Plan and Resources
### Overall Work Plan Structure
The project is organized into **5 work packages (WP1-WP5)** spanning **24 months**, structured to achieve systematic progression from TRL 4 (lab validation) to TRL 6 (operational pilot validation). The work plan follows a **risk-driven waterfall approach** with iterative feedback loops between development (WP2-WP3) and testbed validation (WP4) before final pilot deployment (WP5).
**Critical Path:** WP1 (M1-M6) → WP2 (M3-M14) → WP4 (M8-M18) → WP5 (M12-M24)
**Work Package Overview:**
| WP | Title | Lead Partner | Start-End | Person-Months | Budget (€K) | Key Deliverables |
|----|-------|--------------|-----------|---------------|-------------|------------------|
| **WP1** | Governance Framework & Requirements | VaultMesh | M1-M6 | 18 PM | €360K | D1.1 (M3), D1.2 (M6) |
| **WP2** | PQC Integration & LAWCHAIN | VaultMesh | M3-M14 | 32 PM | €720K | D2.1 (M8), D2.2 (M11), D2.3 (M14) |
| **WP3** | Ψ-Field Anomaly Detection | Cyber Trust | M8-M16 | 24 PM | €480K | D3.1 (M10), D3.2 (M14), D3.3 (M16) |
| **WP4** | Federation Testbed | Masaryk Univ (Brno) | M8-M18 | 20 PM | €380K | D4.1 (M12), D4.2 (M16), D4.3 (M18) |
| **WP5** | Pilot Deployment & Validation | France Public | M12-M24 | 18 PM | €580K | D5.1 (M20), D5.2 (M22), D5.3 (M24) |
| **Total** | | | M1-M24 | **112 PM** | **€2,520K** | **13 deliverables** |
*Note: Totals include 10% contingency budget (€280K) distributed across WPs. Effective working budget: €2,240K.*
---
### Gantt Chart (Visual Timeline)
**Figure 2:** PQC Integration Work Plan — 24-Month Timeline
![PQC Work Package Gantt Chart](PQC_Work_Package_Gantt.png)
*Rendered from PQC_Work_Package_Gantt.mmd using Mermaid (see README.md for rendering instructions). Chart shows 5 work packages, 13 deliverables, 5 major milestones (M0, M6, M12, M18, M24), and critical path highlighting integration dependencies.*
**Key Timeline Features:**
- **Parallel Development (M8-M14):** WP2 (PQC Integration), WP3 (Ψ-Field), WP4 (Federation Testbed) run concurrently to maximize efficiency
- **Validation Gates:** M6 (Architecture Freeze), M12 (Testbed Operational), M18 (Pilot Readiness), M24 (TRL 6 Validation)
- **Pilot Phase (M12-M24):** 12-month operational validation across 3 sites (France, Czech, Greece) with quarterly assessments
---
### Work Package Descriptions
#### **WP1 — Governance Framework & Requirements (M1-M6, 18 PM, €360K)**
**Lead Partner:** VaultMesh Technologies B.V.
**Contributing Partners:** All (Brno: 4 PM, Cyber Trust: 3 PM, France Public: 3 PM)
**Objectives:**
1. Define technical and legal requirements for PQC integration in EU critical infrastructure
2. Establish consortium governance structure (steering committee, WP leads, conflict resolution)
3. Specify VaultMesh architecture extensions for quantum-safe cryptography
4. Ensure GDPR Art. 5(1)(f), NIS2, DORA compliance from design phase
**Tasks:**
- **Task 1.1 (M1-M3):** Requirements elicitation via pilot site workshops (France, Czech, Greece) — identify use cases, threat models, compliance constraints
- **Task 1.2 (M2-M4):** Threat model for post-quantum adversaries — analyze quantum computing timelines (NIST estimates), cryptanalytic capabilities, migration urgency
- **Task 1.3 (M3-M6):** Architecture specification — extend VaultMesh TRL 4 design with hybrid PQC layer, define interfaces between WP2-WP3-WP4 components
- **Task 1.4 (M1-M6):** Data management plan (DMP) — define FAIR data principles, anonymization procedures for pilot data, Open Access publishing strategy
**Deliverables:**
- **D1.1 (M3):** Requirements & Use Cases Report (Public, 30 pages)
  - 7 use cases across 3 pilot sites, threat model analysis, NIS2/DORA compliance requirements
- **D1.2 (M6):** Architecture Specification (Public, 40 pages)
  - System architecture diagram (PQC_Architecture_EU_Reviewer.mmd), component interfaces, API specifications, security-by-design analysis
**Milestone:** **M6 — Architecture Freeze**
- Verification: Steering committee approval of D1.2, all partners commit to interface specifications
---
#### **WP2 — PQC Integration & LAWCHAIN (M3-M14, 32 PM, €720K)**
**Lead Partner:** VaultMesh Technologies B.V.
**Contributing Partners:** Masaryk University (Brno: 8 PM for cryptographic algorithm validation)
**Objectives:**
1. Integrate 3 NIST-standardized PQC algorithms (CRYSTALS-Kyber FIPS 203, Dilithium FIPS 204, SPHINCS+ FIPS 205)
2. Implement hybrid transition layer (dual-signature mode: classical + PQC parallel)
3. Develop LAWCHAIN tamper-evident audit spine with Merkle compaction
4. Integrate external trust anchors (RFC-3161 TSA, Ethereum mainnet, Bitcoin fallback)
**Tasks:**
- **Task 2.1 (M3-M8):** PQC library integration — evaluate liboqs (Open Quantum Safe), implement VaultMesh-specific wrappers, create abstraction layer for algorithm swapping (mitigates Risk R01: NIST standards changes)
- **Task 2.2 (M6-M11):** Hybrid cryptographic transition — implement dual-signature mode (Ed25519 + Dilithium parallel), X25519 + Kyber hybrid KEM, backward compatibility testing
- **Task 2.3 (M8-M14):** LAWCHAIN Merkle compaction — algorithm design (90% storage reduction target), implementation, performance benchmarks (target: <5 sec verification time per KPI I1)
- **Task 2.4 (M8-M14):** External anchoring integration — RFC-3161 TSA client (batched timestamps), Ethereum mainnet smart contract (receipt Merkle roots), Bitcoin OP_RETURN fallback
**Deliverables:**
- **D2.1 (M8):** PQC Library Integration Report (Public, 25 pages)
  - Algorithm performance benchmarks (signature size, key generation time, verification time), security analysis, compliance with NIST FIPS 203-205
- **D2.2 (M11):** Hybrid Transition Protocol Specification (Public, 35 pages)
  - Dual-signature mode protocol, backward compatibility testing results, migration pathway guide for operators
- **D2.3 (M14):** LAWCHAIN Implementation & Benchmarks (Public, 30 pages)
  - Merkle compaction algorithm specification, storage reduction metrics, TSA/blockchain anchoring performance, cost analysis (<€0.01 per receipt target)
**Milestone:** **M12 — Testbed Operational**
- Verification: WP4 federation testbed successfully processes 1,000+ PQC-signed receipts/day (KPI E1 baseline)
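The Merkle compaction and anchoring workflow described for Tasks 2.3 and 2.4, as an added editor's illustration (not VaultMesh's LAWCHAIN code): a batch of constructed receipts is compacted into a fixed-size manifest (root + count), the sealer serves inclusion proofs against it, and only the manifest digest needs to go to an RFC 3161 TSA or on-chain anchor. The receipt field names, manifest layout and domain-separation prefixes are assumptions.

```python
"""Merkle compaction of a receipt batch, in the style of the LAWCHAIN audit spine.
Editor's illustrative code, not VaultMesh's implementation: the receipt fields,
manifest layout and domain-separation prefixes are assumptions."""
import hashlib
import json
from typing import Dict, List, Tuple

LEAF_PREFIX = b"\x00"  # RFC 6962-style domain separation: a leaf can never be
NODE_PREFIX = b"\x01"  # reinterpreted as an interior node (second-preimage guard)


def leaf_hash(receipt: Dict) -> bytes:
    """Hash the canonical JSON form of one receipt (sorted keys, no whitespace)."""
    canon = json.dumps(receipt, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(LEAF_PREFIX + canon).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(NODE_PREFIX + left + right).digest()


def build_levels(leaves: List[bytes]) -> List[List[bytes]]:
    """Return every tree level, leaves first, root last. An unpaired node is
    promoted unchanged rather than duplicated, so two different batches can
    never share a root merely through padding."""
    if not leaves:
        raise ValueError("cannot compact an empty batch")
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        nxt = [node_hash(cur[i], cur[i + 1]) for i in range(0, len(cur) - 1, 2)]
        if len(cur) % 2 == 1:
            nxt.append(cur[-1])
        levels.append(nxt)
    return levels


def compact(receipts: List[Dict]) -> Tuple[Dict, List[List[bytes]]]:
    """Compact a batch into a fixed-size manifest. Only the manifest must be
    retained and anchored; the sealer keeps the levels to serve proofs."""
    levels = build_levels([leaf_hash(r) for r in receipts])
    manifest = {"alg": "sha256", "count": len(receipts), "root": levels[-1][0].hex()}
    return manifest, levels


def inclusion_proof(levels: List[List[bytes]], index: int) -> List[Tuple[str, bool]]:
    """Sibling hashes from leaf to root; the bool says whether the sibling sits
    on the left. A level where the node was promoted contributes no entry."""
    proof = []
    for level in levels[:-1]:
        sibling = index ^ 1
        if sibling < len(level):
            proof.append((level[sibling].hex(), sibling < index))
        index //= 2
    return proof


def verify_inclusion(receipt: Dict, proof: List[Tuple[str, bool]], manifest: Dict) -> bool:
    """Recompute the root from the receipt and its proof; any altered byte in
    the receipt, a wrong proof or a wrong manifest makes this return False."""
    h = leaf_hash(receipt)
    for sibling_hex, sibling_is_left in proof:
        sibling = bytes.fromhex(sibling_hex)
        h = node_hash(sibling, h) if sibling_is_left else node_hash(h, sibling)
    return h.hex() == manifest["root"]


def anchor_digest(manifest: Dict) -> bytes:
    """The single digest submitted to a TSA (or written to a chain) for the
    whole batch: the hash of the canonical manifest, not of any receipt."""
    canon = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).digest()


if __name__ == "__main__":
    # Constructed sample batch (odd count, to exercise the promotion path).
    batch = [{"seq": i, "node": "fr-01", "event": "config-change", "sha256": f"{i:064x}"}
             for i in range(5)]
    manifest, levels = compact(batch)
    proof = inclusion_proof(levels, 2)
    print("manifest:", manifest)
    print("proof entries:", len(proof), "verifies:", verify_inclusion(batch[2], proof, manifest))
    forged = dict(batch[2], event="none")
    print("tampered receipt verifies:", verify_inclusion(forged, proof, manifest))
    print("anchor digest:", anchor_digest(manifest).hex())
```

A verifier that holds only the anchored manifest and one receipt plus its proof can check inclusion without the rest of the batch, which is what lets the bulk receipts be compacted away.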
---
#### **WP3 — Ψ-Field Anomaly Detection (M8-M16, 24 PM, €480K)**
**Lead Partner:** Cyber Trust S.A. (Greece)
**Contributing Partners:** VaultMesh (6 PM for integration with LAWCHAIN)
**Objectives:**
1. Develop federated anomaly detection system (Ψ-Field) without centralized aggregation
2. Achieve <10% false positive rate (KPI I2) via iterative threshold tuning
3. Demonstrate 50% faster incident detection vs. manual SIEM monitoring (KPI I2)
4. Ensure GDPR Art. 5(1)(f) compliance (no raw log data sharing between nodes)
**Tasks:**
- **Task 3.1 (M8-M12):** Collective intelligence algorithm — design federated learning protocol (gradient sharing without raw data), implement privacy-preserving aggregation (secure multi-party computation)
- **Task 3.2 (M10-M14):** Anomaly detection models — train machine learning models on pilot data (supervised: known attack patterns; unsupervised: outlier detection), integrate with LAWCHAIN receipt stream
- **Task 3.3 (M12-M16):** Threshold tuning & validation — 3-month tuning phase using testbed data (WP4), precision/recall optimization, human-in-the-loop feedback loop
**Deliverables:**
- **D3.1 (M10):** Ψ-Field Algorithm Specification (Public, 25 pages)
  - Federated learning protocol, privacy analysis (GDPR compliance), communication overhead metrics
- **D3.2 (M14):** Anomaly Detection Models (Confidential, 20 pages + code repository)
  - Trained models, feature engineering methodology, baseline performance metrics
- **D3.3 (M16):** Ψ-Field Validation Report (Public, 30 pages)
  - Precision/recall metrics, false positive rate analysis, case studies from testbed (WP4), comparison with traditional SIEM
**Milestone:** **M18 — Pilot Readiness**
- Verification: Ψ-Field achieves <10% false positive rate in WP4 testbed over 2-month validation period (M16-M18)
---
#### **WP4 — Federation Testbed (M8-M18, 20 PM, €380K)**
**Lead Partner:** Masaryk University (Brno, Czech Republic)
**Contributing Partners:** All (VaultMesh: 4 PM, Cyber Trust: 3 PM, France Public: 3 PM)
**Objectives:**
1. Deploy 15+ federation nodes across 3 countries (France, Czech, Greece) — KPI I4 target
2. Validate peer-to-peer mTLS federation (100% sovereign data exchange, no third-party cloud)
3. Conduct interoperability testing (VaultMesh PQC sealer + verifier + Ψ-Field + LAWCHAIN)
4. Provide realistic testbed for WP2-WP3 component integration before pilot deployment (WP5)
**Tasks:**
- **Task 4.1 (M8-M12):** Federation router implementation — mTLS with hybrid KEM (X25519 + Kyber), peer discovery protocol, Docker deployment packages
- **Task 4.2 (M10-M16):** Testbed deployment — install 5 nodes per country (France: 5, Czech: 5, Greece: 5), configure cross-border peering, network performance testing
- **Task 4.3 (M14-M18):** Interoperability testing — integrate WP2 LAWCHAIN + WP3 Ψ-Field, end-to-end workflow validation (receipt creation → Merkle compaction → TSA anchoring → anomaly detection), stress testing (10,000 receipts/day target per KPI E1)
**Deliverables:**
- **D4.1 (M12):** Federation Router Implementation (Public, code repository + 15-page documentation)
  - Docker images, deployment guides, API specifications, mTLS configuration best practices
- **D4.2 (M16):** Testbed Deployment Report (Public, 25 pages)
  - Network topology (15+ nodes), performance benchmarks (latency, throughput), GDPR compliance analysis
- **D4.3 (M18):** Interoperability Testing Results (Public, 30 pages)
  - End-to-end test cases (20+ scenarios), stress testing results, lessons learned for pilot deployment (WP5)
**Milestone:** **M18 — Pilot Readiness**
- Verification: 15+ testbed nodes operational, 10,000 receipts/day throughput achieved (KPI E1), <10% Ψ-Field false positive rate (KPI I2)
---
#### **WP5 — Pilot Deployment & Validation (M12-M24, 18 PM, €580K)**
**Lead Partner:** Public Digital Services Agency (France)
**Contributing Partners:** All (VaultMesh: 4 PM, Brno: 4 PM, Cyber Trust: 4 PM)
**Objectives:**
1. Deploy VaultMesh PQC framework in 3 operational pilots (France public services, Czech research network, Greece critical infrastructure)
2. Validate TRL 6 through 12-month operational use (M12-M24)
3. Measure KPIs (30% audit cost reduction, 50% faster incident detection, <€0.01 per receipt)
4. Produce standards contributions (5+ drafts to ETSI/IETF/ISO) based on pilot learnings
**Tasks:**
- **Task 5.1 (M12-M20):** Pilot deployment — install VaultMesh at 3 sites (France M12, Czech M14, Greece M16), operator training (3 regional workshops), 3-month stabilization period per site
- **Task 5.2 (M16-M24):** Operational validation — 6-month continuous operation (M18-M24), monthly KPI measurement (audit cost, incident detection time, false positive rate), quarterly pilot reports
- **Task 5.3 (M18-M24):** Standards contributions — draft ETSI TC CYBER PQC migration guidelines (M18), IETF CFRG hybrid KEM RFC (M22), ISO/IEC interoperability profiles (M24)
- **Task 5.4 (M20-M24):** Impact assessment — pilot benchmarking (D5.1 M20), legal/ethics review (D5.3 M24), TRL 6 external audit (M24)
**Deliverables:**
- **D5.1 (M20):** Pilot Assessment Report (Public, 40 pages)
  - 3 pilot case studies, KPI measurements (audit cost reduction, incident detection time, throughput), operator feedback, lessons learned
- **D5.2 (M22):** Standards Contributions Package (Public, 50 pages)
  - 5 draft submissions (ETSI, IETF, ISO/IEC), working group participation records, reference implementation guide
- **D5.3 (M24):** Final Project Report & TRL 6 Validation (Public, 60 pages)
  - TRL 6 external audit results, legal/ethics assessment (GDPR, NIS2, DORA compliance), sustainability plan, open-source release announcement
**Milestone:** **M24 — TRL 6 Validation Complete**
- Verification: ≥2/3 pilot sites (France + Czech OR France + Greece OR Czech + Greece) validate VaultMesh in an operational environment for ≥6 months; external TRL audit confirms TRL 6; all 13 deliverables submitted on time (KPI IM1)
---
### Major Milestones Summary
| Milestone | Month | Description | Verification Means | Related Deliverables |
|-----------|-------|-------------|-------------------|----------------------|
| **M0** | M1 | Project Kickoff | Consortium agreement signed, all partners confirmed | — |
| **M6** | M6 | Architecture Freeze | Steering committee approval of D1.2, interface specs locked | D1.2 |
| **M12** | M12 | Testbed Operational | 1,000+ receipts/day processed, 15+ nodes federated | D2.3, D4.1 |
| **M18** | M18 | Pilot Readiness | Ψ-Field <10% false positive rate, 10,000 receipts/day throughput | D3.3, D4.3 |
| **M24** | M24 | TRL 6 Validation Complete | ≥2/3 pilots operational ≥6 months, external audit confirms TRL 6 | D5.1, D5.3 |
---
### Deliverables List (13 Total)
| ID | Title | Lead | Type | Dissemination | Month |
|----|-------|------|------|---------------|-------|
| **D1.1** | Requirements & Use Cases Report | VaultMesh | Report | Public (PU) | M3 |
| **D1.2** | Architecture Specification | VaultMesh | Report | Public (PU) | M6 |
| **D2.1** | PQC Library Integration Report | VaultMesh | Report | Public (PU) | M8 |
| **D2.2** | Hybrid Transition Protocol Specification | VaultMesh | Report | Public (PU) | M11 |
| **D2.3** | LAWCHAIN Implementation & Benchmarks | VaultMesh | Report | Public (PU) | M14 |
| **D3.1** | Ψ-Field Algorithm Specification | Cyber Trust | Report | Public (PU) | M10 |
| **D3.2** | Anomaly Detection Models | Cyber Trust | Software + Report | Confidential (CO) | M14 |
| **D3.3** | Ψ-Field Validation Report | Cyber Trust | Report | Public (PU) | M16 |
| **D4.1** | Federation Router Implementation | Masaryk Univ | Software + Documentation | Public (PU) | M12 |
| **D4.2** | Testbed Deployment Report | Masaryk Univ | Report | Public (PU) | M16 |
| **D4.3** | Interoperability Testing Results | Masaryk Univ | Report | Public (PU) | M18 |
| **D5.1** | Pilot Assessment Report | France Public | Report | Public (PU) | M20 |
| **D5.2** | Standards Contributions Package | France Public | Report | Public (PU) | M22 |
| **D5.3** | Final Project Report & TRL 6 Validation | France Public | Report | Public (PU) | M24 |
**Dissemination Levels:**
- **Public (PU):** 12 deliverables — published on CORDIS, EU Open Research Repository, project website
- **Confidential (CO):** 1 deliverable (D3.2) — trained machine learning models contain pilot-specific data, shared only within consortium
---
### Effort Allocation (Person-Months per Partner)
| Partner | WP1 | WP2 | WP3 | WP4 | WP5 | **Total PM** | **FTE Avg** |
|---------|-----|-----|-----|-----|-----|--------------|-------------|
| **VaultMesh Technologies (IE)** | 8 PM | 24 PM | 6 PM | 4 PM | 4 PM | **46 PM** | **1.9 FTE** |
| **Masaryk University (CZ)** | 4 PM | 8 PM | — | 10 PM | 4 PM | **26 PM** | **1.1 FTE** |
| **Cyber Trust (GR)** | 3 PM | — | 18 PM | 3 PM | 4 PM | **28 PM** | **1.2 FTE** |
| **France Public (FR)** | 3 PM | — | — | 3 PM | 6 PM | **12 PM** | **0.5 FTE** |
| **Total** | **18 PM** | **32 PM** | **24 PM** | **20 PM** | **18 PM** | **112 PM** | **4.7 FTE** |
*Note: Total PM (112) includes 10% buffer above baseline 104 PM (per budget sanity check in PQC_Submission_Checklist.md). FTE averaged over 24 months.*
---
### Budget Allocation per Work Package
| WP | Personnel (€K) | Equipment (€K) | Travel (€K) | Other Costs (€K) | Indirect (25%) (€K) | **Total (€K)** |
|----|----------------|----------------|-------------|------------------|---------------------|----------------|
| **WP1** | €240 | €10 | €20 | €15 | €71 | **€356** |
| **WP2** | €480 | €50 | €30 | €40 | €150 | **€750** |
| **WP3** | €360 | €30 | €25 | €20 | €109 | **€544** |
| **WP4** | €300 | €20 | €30 | €10 | €90 | **€450** |
| **WP5** | €280 | €15 | €50 | €30 | €94 | **€469** |
| **Contingency (10%)** | — | — | — | — | — | **€231** |
| **Total** | **€1,660** | **€125** | **€155** | **€115** | **€514** | **€2,800** |
**Cost Categories Explanation:**
- **Personnel:** Salaries for 112 PM across 4 partners (avg €14.8K/PM blended rate)
- **Equipment:** PQC-capable servers, network infrastructure for testbed (WP4), pilot site hardware (WP5)
- **Travel:** Consortium meetings (4 in-person/year), conference presentations (5+), pilot site visits
- **Other Costs:** TSA/blockchain fees (€20K for 100K+ receipts), external TRL audit (€15K), publications (€10K open access fees)
- **Indirect Costs:** 25% overhead (EU standard for RIA projects)
- **Contingency:** 10% (€280K) allocated per Risk Register for NIST standards changes, pilot delays, algorithm performance issues
---
## 3.2 Management Structure and Procedures
### Organizational Structure
**Coordinator:** VaultMesh Technologies B.V. (Ireland)
- **Project Manager:** Karol Stefanski (0.5 FTE dedicated) — overall coordination, EU reporting, partner liaison
- **Technical Lead:** VaultMesh CTO (0.3 FTE) — WP2 lead, architecture oversight, integration coordination
**Steering Committee (Decision-Making Body):**
- **Members:** 1 representative per partner (4 total: VaultMesh, Brno, Cyber Trust, France Public)
- **Meetings:** Monthly virtual meetings (30-60 min), documented minutes published within 48h
- **Attendance Target:** ≥90% (KPI IM3) — all 4 partners attend ≥22/24 meetings
- **Decisions:** Consensus preferred; if not achievable, 75% majority vote (3/4 partners)
- **Escalation:** Conflicts unresolved after 2 steering meetings escalate to coordinator + external mediator (within 2 weeks, KPI IM3)
**Work Package Leads:**
- **WP1 (Governance):** VaultMesh — responsible for deliverables D1.1, D1.2, consortium coordination
- **WP2 (PQC Integration):** VaultMesh — responsible for D2.1, D2.2, D2.3, integration with WP3-WP4
- **WP3 (Ψ-Field):** Cyber Trust (Greece) — responsible for D3.1, D3.2, D3.3, ML model development
- **WP4 (Federation):** Masaryk University (Brno) — responsible for D4.1, D4.2, D4.3, testbed operation
- **WP5 (Pilots):** France Public — responsible for D5.1, D5.2, D5.3, pilot coordination
**Technical Advisory Board (Optional, External Experts):**
- **Composition:** 2-3 external advisors (PQC cryptography expert, NIS2 policy expert, cloud security expert)
- **Role:** Review D1.2 (architecture), D2.3 (LAWCHAIN), D5.3 (final report), provide non-binding recommendations
- **Compensation:** €1K/review (€5K total budget from WP1 "Other Costs")
---
### Decision-Making Process
**Day-to-Day Operational Decisions (WP-Level):**
- **Scope:** Task scheduling, resource allocation within WP budget, technical implementation choices
- **Authority:** WP lead decides, informs steering committee via monthly report
- **Example:** "WP2 chooses liboqs library for PQC integration" (WP lead decision, no vote needed)
**Strategic Decisions (Consortium-Level):**
- **Scope:** Budget reallocation >€20K between WPs, deliverable deadline extensions >1 month, partner substitution, IP rights disputes
- **Authority:** Steering committee vote (75% majority required)
- **Example:** "Reallocate €30K from WP3 to WP5 due to pilot site cost overrun" (requires 3/4 approval)
**Emergency Decisions (Crisis Management):**
- **Scope:** NIST standards change requiring re-implementation (Risk R01), pilot site withdrawal (Risk R04), critical security vulnerability in VaultMesh
- **Authority:** Coordinator convenes emergency steering meeting within 48h, decision within 1 week
- **Fallback:** If consensus not achievable, coordinator makes unilateral decision (must be ratified at next regular steering meeting)
---
### Reporting and Monitoring
**Internal Reporting (Consortium-Level):**
- **Monthly WP Reports:** Each WP lead submits 1-page status report (progress, risks, next month plan) — due 5th of each month
- **Quarterly Financial Reports:** Each partner submits timesheets (person-months) + expenses (equipment, travel) — due 10 days after quarter end
- **Monthly Steering Meetings:** Review KPI dashboard (3-5 priority KPIs per meeting), address blockers, approve decisions
- **Risk Register Updates:** WP leads update risk likelihood/impact scores monthly, steering committee reviews quarterly
**EU Reporting (Formal Deliverables):**
- **Periodic Reports:** Submitted M12 (mid-term review) and M24 (final review) via EU Funding & Tenders Portal
  - Technical progress: WP summaries, deliverable status, KPI measurements
  - Financial statements: Cost claims per partner, budget burn rate, justification for variances >10%
  - Revised work plan: If needed (e.g., pilot delays), steering committee approval required
- **Deliverable Submissions:** 13 deliverables submitted via EU portal according to timeline (D1.1 M3 through D5.3 M24)
- **Continuous Reporting:** Project Officer (EU) notified within 30 days of major changes (partner withdrawal, budget reallocation >€50K)
---
### Quality Assurance Procedures
**Deliverable Review Process (3-Stage):**
1. **Internal Peer Review (Week 1):** Partner not leading deliverable reviews draft (2-3 page checklist: technical accuracy, clarity, alignment with D1.2 architecture)
2. **Steering Committee Approval (Week 2):** WP lead presents deliverable at monthly meeting, steering committee approves for submission (or requests revisions)
3. **External Review (Optional, Major Deliverables):** D1.2 (architecture), D2.3 (LAWCHAIN), D5.3 (final report) reviewed by Technical Advisory Board (€1K/review)
**Quality Criteria (All Deliverables Must Meet):**
- ✅ Alignment with call topic ECCC-06 expected outcomes
- ✅ Compliance with EU formatting (Arial 11pt, PDF/A, page numbers)
- ✅ References formatted consistently (IEEE style)
- ✅ Spell check (UK English), grammar check (Grammarly or equivalent)
- ✅ Open Access: Public deliverables (12/13) uploaded to Zenodo + CORDIS within 2 weeks of submission
**External TRL Audit (M12, M24):**
- **Provider:** Independent cybersecurity auditor (e.g., former EU evaluator, CREST-certified firm)
- **Scope:** Review VaultMesh architecture (D1.2), testbed validation (D4.3), pilot reports (D5.1), interview operators, assess TRL level
- **Output:** 10-page audit report with TRL score (1-9) + justification, recommendations for improvement
- **Budget:** €15K total (€7K M12, €8K M24) from WP5 "Other Costs"
- **Success Criterion:** M24 audit confirms TRL 6 (operational environment validation across ≥2/3 pilot sites)
---
### Communication and Collaboration Tools
**Real-Time Communication:**
- **Mattermost (Self-Hosted):** Instant messaging (5 channels: General, WP1-WP5), file sharing, integrations with GitHub
- **Response Time SLA:** <24h for routine questions, <4h for critical issues (pilot downtime, security vulnerabilities)
**Document Management:**
- **NextCloud (Self-Hosted):** Consortium file repository (500 GB storage), version control, access control per partner
- **GitHub (Public Repos):** Code repositories (5+), issue tracking, pull request reviews (Apache 2.0 license)
- **Overleaf (Deliverable Drafting):** Collaborative LaTeX editing for deliverables (IEEE style templates)
**Video Conferencing:**
- **Jitsi (Self-Hosted):** Monthly steering meetings, WP sync calls, pilot training sessions (GDPR-compliant, no third-party tracking)
**Project Website:**
- **URL:** vaultmesh.eu/pqc-integration (launched M3)
- **Content:** Project overview, consortium partners, public deliverables, news updates, contact form
- **Hosting:** VaultMesh self-hosted (sovereign infrastructure, no AWS/GCP/Azure)
---
## 3.3 Consortium as a Whole
### Partner Roles and Complementarity
| Partner | Country | Type | Core Expertise | Role in Consortium | Key Personnel (CV in Annex D) |
|---------|---------|------|----------------|-------------------|-------------------------------|
| **VaultMesh Technologies B.V.** | Ireland | Private SME | Cryptographic receipts, distributed systems, LAWCHAIN | Coordinator, WP1 & WP2 lead, integration | Karol Stefanski (Project Manager), CTO (Technical Lead), 2 senior developers |
| **Masaryk University (Brno)** | Czech | Academic | Post-quantum cryptography, federated systems, testbed infrastructure | WP4 lead (federation testbed), PQC algorithm validation | Prof. X (Cryptography), 2 PhD students, 1 sysadmin |
| **Cyber Trust S.A.** | Greece | Private SME | Cybersecurity, anomaly detection, machine learning | WP3 lead (Ψ-Field), pilot site (Greece critical infra) | Dr. Y (ML/Security), 2 data scientists, 1 DevOps |
| **Public Digital Services Agency** | France | Public Body | Public administration IT, NIS2 compliance, GDPR governance | WP5 lead (pilots), standards coordination, policy liaison | Director Z (IT Governance), 2 IT managers, 1 legal advisor |
**Geographic Distribution:** 4 EU member states (Ireland, Czech Republic, Greece, France) → strong EU representation, diverse regulatory contexts (western/central/southern EU)
**Sector Balance:**
- **Private SMEs (50%):** VaultMesh + Cyber Trust → agility, innovation, commercial perspective
- **Academic (25%):** Masaryk University → research rigor, PQC algorithm expertise, PhD student involvement
- **Public Sector (25%):** France Public → policy insight, public administration use cases, NIS2/DORA compliance expertise
**Why This Consortium (Not Others)?**
1. **VaultMesh (Coordinator):** Only EU entity with operational cryptographic receipt system (TRL 4, 3,600+ receipts, 36 Merkle manifests) → credible TRL 4→6 progression. Alternatives (startups without TRL 4 baseline) would face higher risk of pilot failure.
2. **Masaryk University (Brno):** Top-tier Czech cryptography research group (Prof. X published 15+ PQC papers in IEEE S&P, ACM CCS) → essential for NIST algorithm validation, IETF standards contributions. Alternatives (non-expert academic partners) would lack cryptographic depth.
3. **Cyber Trust (Greece):** Established cybersecurity SME with GDPR-compliant ML platforms, existing critical infrastructure clients → provides realistic anomaly detection use cases, pilot site access. Alternatives (ML-only firms without cybersecurity focus) would lack domain expertise.
4. **France Public (France):** Direct access to French public administration IT (10+ agencies), NIS2 implementation leadership in France → ensures pilot relevance, policy impact. Alternatives (consultancies without operational IT responsibility) would lack deployment authority.
**Missing Expertise (Mitigated via Subcontracting/Advisory):**
- **Legal/Ethics Expertise (GDPR, NIS2, DORA):** France Public has in-house legal advisor (1 PM allocated WP1, WP5)
- **External TRL Audit:** Subcontracted to independent auditor (€15K budget WP5)
- **Standards Body Connections:** VaultMesh + Brno have existing ETSI TC CYBER, IETF CFRG participation
---
### Partner Track Records
**VaultMesh Technologies B.V. (Coordinator):**
- **Experience:** Founded 2022, specialized in cryptographic governance for distributed systems
- **Relevant Projects:** VaultMesh TRL 4 prototype (self-funded), 3,600+ cryptographic receipts operational, Merkle compaction algorithm (patent-pending)
- **Publications:** 3 white papers on cryptographic governance (2023-2024), 1 IETF draft (WebAuthn extensions)
- **EU Funding:** First Horizon Europe proposal (this project) — no prior H2020/Horizon Europe (considered strength: fresh perspective, high motivation)
**Masaryk University (Brno, Czech Republic):**
- **Experience:** Faculty of Informatics, Cybersecurity Research Group (est. 2010)
- **Relevant Projects:** H2020 SECREDAS (Security and Privacy in Decentralized Architectures, €8M, 2018-2021) — partner, contributed PQC migration best practices
- **Publications:** 50+ peer-reviewed papers in cryptography (Prof. X: h-index 42, Google Scholar), 10+ PQC-specific (CRYSTALS-Kyber analysis, lattice-based cryptography)
- **Infrastructure:** 100+ node research testbed (used for SECREDAS), GÉANT connection (10 Gbps), experience deploying EU-funded pilots
**Cyber Trust S.A. (Greece):**
- **Experience:** Founded 2015, 30 employees, €3M annual revenue
- **Relevant Projects:** Horizon 2020 CONCORDIA (Cybersecurity Competence Network, €23M, 2019-2022) — partner, developed federated anomaly detection for critical infrastructure
- **Clients:** Greek energy operator (IPTO), Athens public transport, 2 Greek banks (NIS2/DORA compliance consulting)
- **Certifications:** ISO 27001, CREST Penetration Testing, GDPR DPO certification
**Public Digital Services Agency (France):**
- **Experience:** French government agency, 150 employees, manages IT for 20+ ministries
- **Relevant Projects:** French national NIS2 implementation (2023-2024, €5M budget) — led compliance rollout for 15 public agencies
- **Policy Influence:** Contributed to ANSSI (French cybersecurity agency) PQC migration guidelines (2024), member of ENISA NIS Cooperation Group
- **Infrastructure:** 10+ data centers (sovereign hosting), experience deploying cryptographic solutions at scale (50,000+ employees)
---
### Gender Balance and Diversity
**Current Consortium Composition (Estimated):**
- **Total Personnel (112 PM):** ~18 individuals across 4 partners
- **Gender Balance:** ~25% female (estimated: 4-5 women among 18 personnel) — below EU 40% target
- **Geographic Diversity:** 4 EU member states (Western/Central/Southern Europe), 3 official languages (English/French/Czech/Greek)
- **Sector Diversity:** Private (2), academic (1), public (1)
**Actions to Improve Gender Balance:**
- **Recruitment Priority:** Brno and Cyber Trust commit to recruiting ≥1 female PhD student/data scientist for WP3/WP4 (if available in talent pool)
- **Conference Presentations:** Target ≥30% female speakers for 3 regional workshops (M15, M18, M21)
- **Gender Equality Plans:** VaultMesh and Cyber Trust reference company-level GEPs (required for Horizon Europe participation if >50 employees; Cyber Trust has 30, so voluntary)
**Institutional Gender Equality Plans (If Required):**
- **Masaryk University:** Institutional GEP published 2023 (45% female PhD students in informatics, 30% female faculty)
- **France Public:** French government GEP (40% female leadership target by 2025, 35% achieved as of 2024)
- **VaultMesh + Cyber Trust:** SMEs <50 employees (GEP not mandatory), but both companies have diversity statements
---

## 3.4 Other Aspects

### Ethics and Regulatory Compliance

**Ethical Issues Assessment:**

**No Human Subjects Research:**
- Project does NOT involve human participants (no surveys, interviews, medical data)
- EU portal checkbox: "Does not involve human subjects" ✓

**Personal Data Processing (GDPR Compliance):**
- **Pilot Data:** Operational logs from 3 pilot sites (France, Czech, Greece) contain IP addresses, user IDs (pseudonymized)
- **Legal Basis:** GDPR Art. 6(1)(e) — public interest (NIS2 compliance testing); Art. 9 not applicable (no special category data)
- **Data Minimization:** Only cryptographic hashes and receipt metadata collected (no raw log content), anonymization via VaultMesh Merkle compaction
- **Data Processing Agreements (DPAs):** Signed M3 between coordinator and 3 pilot sites (standard contractual clauses for cross-border transfers)
- **Data Retention:** Pilot data deleted at M24 + 6 months (after final deliverable publication), anonymized datasets published on Zenodo (CC-BY 4.0)

**GDPR Compliance Measures (Built into WP1-WP5):**
- **Privacy-by-Design (Art. 25):** Ψ-Field federated learning (WP3) processes only gradients, not raw data
- **Security (Art. 32):** All VaultMesh communications encrypted (mTLS, hybrid PQC KEM), external TSA anchoring provides integrity
- **Data Subject Rights (Art. 15-20):** Pilot sites retain data controller responsibility, VaultMesh acts as processor (DPA clauses define rights)
- **Legal Review:** France Public legal advisor (1 PM allocated WP5) reviews D5.3 for GDPR compliance, ethics assessment included

**No Animal Experiments:**
- EU portal checkbox: "Does not involve animals" ✓

**Environmental/Safety Issues:**
- No hazardous materials, no dual-use research, cybersecurity focus only
- EU portal checkbox: "No environmental/safety issues" ✓
---

### Security Measures

**Security-by-Design (NIST Cybersecurity Framework Alignment):**
1. **Identify:** Threat modeling (WP1 Task 1.2) identifies post-quantum adversaries, supply chain risks (Risk R06), insider threats
2. **Protect:** Hybrid PQC cryptography (WP2), mTLS federation (WP4), least-privilege access control, external TSA/blockchain anchoring
3. **Detect:** Ψ-Field anomaly detection (WP3), LAWCHAIN tamper-evident audit trail, real-time alerting
4. **Respond:** Incident response protocol (defined in consortium agreement), <24h response time for critical vulnerabilities
5. **Recover:** Merkle tree redundancy (36 manifests), external anchoring (TSA + Ethereum + Bitcoin) enables post-incident verification

**External Security Audits:**
- **TRL Audits (M12, M24):** Independent auditor reviews VaultMesh architecture, testbed security, pilot configurations (€15K budget)
- **Code Reviews:** GitHub pull request reviews (2 approvals required for main branch), automated static analysis (SonarQube), dependency scanning (Dependabot)
- **Penetration Testing (Post-Project):** €10K budget allocated in sustainability plan (M30) for CREST-certified pentest

**Vulnerability Disclosure Policy:**
- **During Project:** Coordinator notified within 24h of critical vulnerabilities, steering committee convenes emergency meeting (Section 3.2)
- **Post-Project (M24+):** Public bug bounty program (€1K-€5K rewards), coordinated disclosure (90-day embargo)
---

### Risk Management (Reference: PQC_Risk_Register.md)

**Risk Management Approach:**

The project has identified **15 risks** across 4 categories (technical, organizational, financial, external), documented in **PQC_Risk_Register.md** (Annex B). Key features:
- **Scoring System:** Likelihood (1-3: Low/Medium/High) × Impact (1-3: Low/Medium/High) = Risk Score (1-9)
- **Current Risk Profile:** Weighted average score **2.9/9 (MODERATE)**, 0 high-risk items (score ≥6), 3 medium-high risks (score 4)
- **Contingency Budget:** €280K (10% of total budget) allocated per Risk Register, with specific allocations to WPs

**Top 3 Risks (Score 4/9, Medium-High):**
1. **Risk R01: NIST PQC Standards Change**
   - **Likelihood:** 2/3 (MEDIUM) — NIST revised Kyber parameters in 2023, may happen again
   - **Impact:** 2/3 (MEDIUM) — requires re-implementation (€50K cost, 2-month delay)
   - **Mitigation:** Modular cryptographic library (WP2 Task 2.1), €50K contingency allocated, monthly NIST monitoring
   - **Owner:** VaultMesh (WP2 lead)
2. **Risk R04: Pilot Site Deployment Delays**
   - **Likelihood:** 2/3 (MEDIUM) — public administrations face procurement delays, political changes
   - **Impact:** 2/3 (MEDIUM) — delays TRL 6 validation, affects KPI E1
   - **Mitigation:** 3 pilot sites (redundancy), legal pre-clearance (M1-M3), monthly steering reviews
   - **Owner:** France Public (WP5 lead)
3. **Risk R08: Ψ-Field False Positives**
   - **Likelihood:** 2/3 (MEDIUM) — anomaly detection inherently noisy in early deployments
   - **Impact:** 2/3 (MEDIUM) — reduces operator trust, affects KPI I2 (<10% false positive target)
   - **Mitigation:** 3-month tuning phase (M13-M15), human-in-the-loop validation, fallback to manual SIEM if >15% false positive rate
   - **Owner:** Cyber Trust (WP3 lead)

**Risk Review Process:**
- **Monthly Updates:** WP leads update risk likelihood/impact in shared risk register (NextCloud spreadsheet)
- **Quarterly Steering Review:** Steering committee reviews top 5 risks, approves mitigation actions, reallocates contingency if needed
- **Escalation Criteria:** Any risk reaching score ≥6 (high-risk) triggers emergency steering meeting within 48h (Section 3.2)
- **Contingency Release:** Requires steering committee approval (75% vote) for allocations >€20K

**Success Criterion (KPI IM4):** No high-risk items (score ≥6) at M24, ≥5/15 risks closed as mitigated/irrelevant, 0 risk escalations to EU.
---

### Open Science and FAIR Data

**Open Access Publications (100% Target):**
- **Gold Open Access:** All 10+ peer-reviewed papers published in OA journals (€10K budget for article processing charges, WP5 "Other Costs")
- **Green Open Access:** Preprints uploaded to arXiv within 24h of journal submission
- **Repositories:** All publications listed on CORDIS, EU Open Research Repository, Zenodo

**FAIR Data Principles (Deliverable D1.4, Data Management Plan M3):**
1. **Findable:**
   - All datasets assigned DOIs (Zenodo), descriptive metadata (Dublin Core), keywords (PQC, VaultMesh, NIS2)
2. **Accessible:**
   - Public datasets (anonymized pilot data) under CC-BY 4.0, available indefinitely on Zenodo
   - Confidential datasets (D3.2 ML models) shared within consortium only (NextCloud, access control)
3. **Interoperable:**
   - Standard formats (JSON for receipts, CSV for logs, PNG for diagrams), API documentation (OpenAPI 3.0)
   - Metadata schemas: Dublin Core (general), DCAT-AP (EU open data)
4. **Reusable:**
   - Apache 2.0 license (code), CC-BY 4.0 (data/docs), comprehensive README files (5+ repos)
   - Provenance: LAWCHAIN Merkle roots provide cryptographic proof of data integrity
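The "hashes and receipt metadata only" collection model from the GDPR data-minimization bullet and the Merkle-root provenance claim under Reusable rest on the same mechanism: a verifier holding a published root and an inclusion proof can confirm that a receipt belongs to the sealed set without ever seeing raw log content. The following Python is an added illustration written for this section, not LAWCHAIN or VaultMesh code. It assumes a SHA-256 tree with RFC 6962-style 0x00/0x01 leaf/node domain separation and a duplicate-last-node padding rule for odd levels (both assumptions; the real receipt format and tree shape are not specified on this page), and every receipt and log line in it is constructed sample data.

```python
"""Merkle inclusion proofs over receipt hashes (illustrative, not LAWCHAIN code).

Assumptions (not taken from the proposal): SHA-256 leaves, 0x00/0x01
leaf/node domain-separation prefixes, and duplication of the last node on
odd-length levels. Receipts and log lines below are constructed sample data.
"""
import hashlib
import json


def _leaf_hash(data: bytes) -> bytes:
    # Prefix 0x00 so a leaf can never be passed off as an interior node.
    return hashlib.sha256(b"\x00" + data).digest()


def _node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()


def make_receipt(site: str, seq: int, raw_log_line: str) -> dict:
    """Receipt metadata carries only the digest of the log line, never the line."""
    return {
        "site": site,
        "seq": seq,
        "log_sha256": hashlib.sha256(raw_log_line.encode()).hexdigest(),
    }


def receipt_leaf(receipt: dict) -> bytes:
    # Canonical JSON so sealer and verifier hash byte-identical input.
    canonical = json.dumps(receipt, sort_keys=True, separators=(",", ":")).encode()
    return _leaf_hash(canonical)


def build_tree(leaves):
    """Return the tree as a list of levels; level 0 = leaves, last level = [root]."""
    if not leaves:
        raise ValueError("cannot build a Merkle tree over zero leaves")
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2 == 1:
            cur = cur + [cur[-1]]  # pad odd level by duplicating the last node (assumption)
        levels.append([_node_hash(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels


def merkle_root(leaves) -> bytes:
    return build_tree(leaves)[-1][0]


def inclusion_proof(leaves, index):
    """Sibling hashes from the leaf up to the root, each tagged with its side."""
    levels = build_tree(leaves)
    proof = []
    for level in levels[:-1]:
        if len(level) % 2 == 1:
            level = level + [level[-1]]  # same padding rule as build_tree
        sibling = index ^ 1
        proof.append(("R" if sibling > index else "L", level[sibling]))
        index //= 2
    return proof


def verify_inclusion(leaf: bytes, proof, root: bytes) -> bool:
    """Recompute the root from a leaf and its proof; True only if it matches."""
    h = leaf
    for side, sibling in proof:
        h = _node_hash(h, sibling) if side == "R" else _node_hash(sibling, h)
    return h == root


# Constructed sample log lines (not pilot data); only their hashes enter receipts.
SAMPLE_LOGS = [
    ("FR-1", 1, "2025-11-06T10:00:01Z auth ok user=u1234"),
    ("FR-1", 2, "2025-11-06T10:00:07Z auth fail user=u9876"),
    ("CZ-1", 1, "2025-11-06T10:01:00Z cfg change host=gw3"),
    ("GR-1", 1, "2025-11-06T10:02:15Z auth ok user=u4321"),
    ("GR-1", 2, "2025-11-06T10:02:40Z backup complete"),
]


def demo():
    """Seal five receipts, prove one, and show that a tampered receipt fails."""
    receipts = [make_receipt(*entry) for entry in SAMPLE_LOGS]
    leaves = [receipt_leaf(r) for r in receipts]
    root = merkle_root(leaves)                      # the value that gets anchored/published
    proof = inclusion_proof(leaves, 2)
    genuine_ok = verify_inclusion(leaves[2], proof, root)
    tampered = dict(receipts[2], seq=99)            # altered metadata, same proof
    tampered_ok = verify_inclusion(receipt_leaf(tampered), proof, root)
    return genuine_ok, tampered_ok, len(proof)


if __name__ == "__main__":
    print(demo())
```

The verifier side of `demo()` touches nothing but the receipt, three sibling hashes and the published root, which is exactly what lets a pilot site hand out provenance evidence without disclosing log content. The leaf/node prefixes matter: without them an interior node could be presented as a leaf and a proof forged for data that was never sealed.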

**Open-Source Software (5+ Repositories Target, KPI E2):**
- **Repositories:** vaultmesh-pqc-sealer, vaultmesh-verifier, psi-field-anomaly, federation-router, pilot-deployment-scripts
- **License:** Apache 2.0 (all repos), contributor agreements signed
- **Documentation:** README (getting started), CONTRIBUTING (dev guidelines), API specs (Swagger), Docker deployment guides
- **Community:** GitHub Issues for bug tracking, Discussions for Q&A, monthly community calls (post-M18)
---

### Cross-Cutting EU Priorities

**Gender Equality:**
- Addressed in Section 3.3 (target: 30%+ female conference speakers, recruitment priority for female researchers)

**Climate Change and Environmental Sustainability:**
- **Relevance:** Low (cybersecurity project, no significant carbon footprint)
- **Actions:** Prefer virtual meetings over in-person (reduce travel emissions), self-hosted infrastructure (energy-efficient VPS vs. AWS data centers)
- **EU Portal Declaration:** "No significant climate impact (positive or negative)"

**Digital Transformation:**
- **High Relevance:** Project directly contributes to EU Digital Decade 2030 targets (secure digital infrastructure, digital sovereignty)
- **Alignment:** NIS2 Directive (cybersecurity), DORA (operational resilience), EU Cybersecurity Act (certification)

---

**Document Control:**
- **Version:** 1.0-IMPLEMENTATION-SECTION
- **Date:** 2025-11-06
- **Owner:** VaultMesh Technologies B.V. (Coordinator)
- **Classification:** Consortium Internal (Part B Section 3 Draft)
- **Related Files:** PQC_Work_Package_Gantt.mmd, PQC_Risk_Register.md, PQC_Submission_Checklist.md, consortium-tracker.csv