<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Publishing DTD v1.4 20241031//EN" "JATS-journalpublishing1-4.dtd">
<article xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink" article-type="research-article" dtd-version="1.4" xml:lang="en">
  <front>
    <journal-meta>
      <journal-id journal-id-type="publisher-id">jcc</journal-id>
      <journal-title-group>
        <journal-title>Journal of Computer and Communications</journal-title>
      </journal-title-group>
      <issn pub-type="epub">2327-5227</issn>
      <issn pub-type="ppub">2327-5219</issn>
      <publisher>
        <publisher-name>Scientific Research Publishing</publisher-name>
      </publisher>
    </journal-meta>
    <article-meta>
      <article-id pub-id-type="doi">10.4236/jcc.2026.143002</article-id>
      <article-id pub-id-type="publisher-id">jcc-149952</article-id>
      <article-categories>
        <subj-group>
          <subject>Article</subject>
        </subj-group>
        <subj-group>
          <subject>Computer Science</subject>
          <subject>Communications</subject>
        </subj-group>
      </article-categories>
      <title-group>
        <article-title>The Development of Electronic Signature Processes in Türkiye and an Analysis of the Requirements for the Transition to Elliptic Curve Cryptography (ECC)</article-title>
      </title-group>
      <contrib-group>
        <contrib contrib-type="author" corresp="yes">
          <contrib-id contrib-id-type="orcid">0000-0002-3482-9381</contrib-id>
          <name name-style="western">
            <surname>Uysal</surname>
            <given-names>Mutlu</given-names>
          </name>
          <xref ref-type="aff" rid="aff1">1</xref>
        </contrib>
        <contrib contrib-type="author">
          <contrib-id contrib-id-type="orcid">0000-0002-0393-6408</contrib-id>
          <name name-style="western">
            <surname>Yalçın</surname>
            <given-names>Nursel</given-names>
          </name>
          <xref ref-type="aff" rid="aff2">2</xref>
        </contrib>
      </contrib-group>
      <aff id="aff1"><label>1</label> Department of Computer Forensics, Institute of Informatics, Gazi University, Teknikokullar, Ankara </aff>
      <aff id="aff2"><label>2</label> Department of Computer and Instructional Technologies Education, Gazi Faculty of Education, Gazi University, Teknikokullar, Ankara </aff>
      <author-notes>
        <fn fn-type="conflict" id="fn-conflict">
          <p>The authors declare no conflicts of interest regarding the publication of this paper.</p>
        </fn>
      </author-notes>
      <pub-date pub-type="epub">
        <day>03</day>
        <month>03</month>
        <year>2026</year>
      </pub-date>
      <pub-date pub-type="collection">
        <month>03</month>
        <year>2026</year>
      </pub-date>
      <volume>14</volume>
      <issue>03</issue>
      <fpage>17</fpage>
      <lpage>26</lpage>
      <history>
        <date date-type="received">
          <day>21</day>
          <month>01</month>
          <year>2026</year>
        </date>
        <date date-type="accepted">
          <day>02</day>
          <month>03</month>
          <year>2026</year>
        </date>
        <date date-type="published">
          <day>05</day>
          <month>03</month>
          <year>2026</year>
        </date>
      </history>
      <permissions>
        <copyright-statement>© 2026 by the authors and Scientific Research Publishing Inc.</copyright-statement>
        <copyright-year>2026</copyright-year>
        <license license-type="open-access">
          <license-p> This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license ( <ext-link ext-link-type="uri" xlink:href="https://creativecommons.org/licenses/by/4.0/">https://creativecommons.org/licenses/by/4.0/</ext-link> ). </license-p>
        </license>
      </permissions>
      <self-uri content-type="doi" xlink:href="https://doi.org/10.4236/jcc.2026.143002">https://doi.org/10.4236/jcc.2026.143002</self-uri>
      <abstract>
        <p>This article mainly discusses the history of progress regarding the legislation and updates through scrutiny, its current architecture, and its standards applied around the world, such as eIDAS and eIDAS 2.0, which are used not only as technical but also as purely political standards. The penetration of the digital economy has largely promoted the evolution of cyber platforms for public and private use, so that e-signatures have become one of the pillars in the national IT architecture. 1) Legislation The e-signature operations in Türkiye are regulated by Electronic Signature Law No. 5070 and its secondary regulations. However, today, the infrastructure groundwork relies heavily on RSA-based cryptography. RSA is attracting greater and more debate these days, with concerns about whether it will continue to be useful given the increasing importance of security requirements for mobile devices, performance expectations, and the threat posed by quantum computing. This article also examines the extent to which Turkish law is compatible with the EU regulation of compliance. In this paper, we study whether the Turkish legislation complies with the European legislation. This covers security, performance, key size, and support for RSA and Elliptic Curve Cryptography (ECC) algorithms. This paper discusses technical, institutional, and legal requirements for the transition of the national e-signature infrastructure to ECC. Furthermore, ECC’s contribution is evaluated in terms of Post-Quantum Cryptography (PQC), and a roadmap is suggested for transitioning to hybrid (ECC + PQC) architectures. Finally, policy and technical suggestions are proposed to facilitate international electronic and mobile signature interoperability under eIDAS 2.0.</p>
      </abstract>
      <kwd-group kwd-group-type="author-generated" xml:lang="en">
        <kwd>Electronic Signature</kwd>
        <kwd>Elliptic Curve Cryptography (ECC)</kwd>
        <kwd>eIDAS 2.0</kwd>
        <kwd>Digital Identity</kwd>
        <kwd>Post-Quantum Cryptography</kwd>
        <kwd>Public Certification Authority</kwd>
      </kwd-group>
    </article-meta>
  </front>
  <body>
    <sec id="sec1">
      <title>1. Introduction</title>
      <p>In our digital age, electronic signatures have quickly become important instruments to ensure that transactions are secure and legally binding. Since the early 2000 s, various e-government initiatives and digital transformation projects in Türkiye have relied heavily on electronic signature systems [<xref ref-type="bibr" rid="B1">1</xref>]. As more people embrace digital communication, the need for efficiency, security, and legal certainty in our interactions has become paramount. </p>
      <p>But this, of course, presents some challenges as of today. As the volume of transactions increases, we are becoming aware of some areas of our existing infrastructure that are not well-suited. In particular, new opportunities with mobile devices, as well as the Internet of Things (IoT), are opening doors, and there is a pressing need for the alignment of our systems with international standards. Finally, quantum computers represent a long-term threat to classical asymmetric cryptography, which makes it imperative to fully reassess our current cryptographic systems. </p>
      <p>The primary focus of this research is to examine the development and current status of electronic signatures in Türkiye. We aim to explore the necessity and feasibility of transitioning from the existing RSA-based systems to elliptic-curve cryptographic (ECC) solutions. </p>
      <p>This paper will address several key areas: </p>
      <p>We will assess Türkiye’s Law No. 5070 in relation to the EU’s eIDAS and eIDAS 2.0 legislation [<xref ref-type="bibr" rid="B1">1</xref>]. We’ll evaluate the performance of the RSA and ECC algorithms in terms of speed, safety, and overall effectiveness [<xref ref-type="bibr" rid="B2">2</xref>][<xref ref-type="bibr" rid="B3">3</xref>]. The study will investigate the adoption of ECC within both the public and private sectors in Türkiye, identifying any technical and institutional obstacles that may exist [<xref ref-type="bibr" rid="B4">4</xref>]. We will analyze the significance of ECC in the context of post-quantum cryptography (PQC) design and propose hybrid architectures to enhance security [<xref ref-type="bibr" rid="B5">5</xref>]. Lastly, we will suggest strategies for implementing digital identity wallets and mobile signatures in line with eIDAS 2.0 [<xref ref-type="bibr" rid="B6">6</xref>]. </p>
      <p>Through this research, we hope to contribute valuable insights into the future of electronic signatures in Türkiye and their alignment with global standards. </p>
    </sec>
    <sec id="sec2">
      <title>2. Material and Method</title>
      <p>To this end, this research adopts a qualitative methodology, supported by document and literature reviews and comparative technical evaluation. This qualitative approach not only informs the study but also highlights how qualitative analysis can contribute to better public health. Legal texts, laws, and international conventions were reviewed comprehensively in the course of our research. </p>
      <sec id="sec2dot1">
        <title>2.1. Data Sources</title>
        <p>The main sources of data used in this study are as follows: </p>
        <p><bold>Source of</bold><bold>Legal</bold><bold>and</bold><bold>Regulatory Text</bold><bold>:</bold>Electronic Signature Law No. 5070 [<xref ref-type="bibr" rid="B7">7</xref>], publications of Information Technologies and Communication Authority (BTK) regulations [<xref ref-type="bibr" rid="B8">8</xref>]-[<xref ref-type="bibr" rid="B10">10</xref>], and Prime Ministry circulars concerning the Public Certification Authority [<xref ref-type="bibr" rid="B11">11</xref>]. <bold>International Standards:</bold>EU eIDAS and eIDAS 2 regulations [<xref ref-type="bibr" rid="B12">12</xref>][<xref ref-type="bibr" rid="B13">13</xref>], ETSI standards (EN 319 4xx series) [<xref ref-type="bibr" rid="B14">14</xref>][<xref ref-type="bibr" rid="B15">15</xref>], ISO/IEC 14888 [<xref ref-type="bibr" rid="B16">16</xref>], and ITU-T X.509 recommendations [<xref ref-type="bibr" rid="B17">17</xref>]. <bold>Technical Reports and Guides:</bold> NIST and NCCoE publications, reports on PQC transition [<xref ref-type="bibr" rid="B1">1</xref>][<xref ref-type="bibr" rid="B18">18</xref>], and Informatics and Information Security Research Center (TÜBİTAK BİLGEM) (Public Certification Authority) technical guides [<xref ref-type="bibr" rid="B19">19</xref>]. <bold>Academic Literature:</bold> Research addresses comparisons of RSA and ECC effectiveness and the legal perspective of e-signatures in Türkiye [<xref ref-type="bibr" rid="B1">1</xref>]-[<xref ref-type="bibr" rid="B6">6</xref>][<xref ref-type="bibr" rid="B20">20</xref>]. </p>
      </sec>
      <sec id="sec2dot2">
        <title>2.2. Analysis Method</title>
        <p>Comparative analysis was applied to the collected dataset. Comparing Türkiye’s legal framework with EU regulations revealed gaps. The technical performance parameters of the cryptographic algorithms were compared with respect to their theoretical security levels (bit strength) and practical performance indicators (signing speed and key size). Finally, a SWOT analysis was conducted to assess Türkiye’s readiness for ECC transition. </p>
      </sec>
    </sec>
    <sec id="sec3">
      <title>3. Legal and Institutional Framework in Türkiye</title>
      <sec id="sec3dot1">
        <title>3.1. Electronic Signature Law No. 5070</title>
        <p>Since 2004, Law No. 5070 of Türkiye has been the backbone of the country’s legal system for electronic signatures. It elaborates on the notion of a “secure electronic signature,” “qualified electronic certificate” (QEC), and “time stamp,” and accordingly states that a secure electronic signature receives the same legal significance that a handwritten signature does [<xref ref-type="bibr" rid="B7">7</xref>]. This regulation also governs Electronic Certificate Service Providers (ECSPs). </p>
      </sec>
      <sec id="sec3dot2">
        <title>3.2. Secondary Regulations and the Role of the BTK</title>
        <p>The Information Technologies and Communication Authority (BTK) is the agency responsible for regulating ESHS and establishing technical specifications. Secondary regulations, such as the “Electronic Signature and Certificate Services Regulation” [<xref ref-type="bibr" rid="B9">9</xref>], define ESHS responsibilities concerning key generation, storage, and key physical security. These regulations provide a stable, dependable infrastructure. </p>
      </sec>
      <sec id="sec3dot3">
        <title>3.3. Public Certification Authority (Kamu SM)</title>
        <p>Kamu SM, set up in TÜBİTAK BİLGEM, is the root certificate authority for all the public institutions in Türkiye. It issues qualified electronic certificates to public officials and manages the lifecycle of certificates in its e-government ecosystem [<xref ref-type="bibr" rid="B19">19</xref>]. </p>
      </sec>
    </sec>
    <sec id="sec4">
      <title>4. European Union Framework: eIDAS and eIDAS 2.0</title>
      <sec id="sec4dot1">
        <title>4.1. eIDAS Regulation</title>
        <p>eIDAS (Regulation [EU] No. 910/2014) establishes standard rules for legal frameworks for electronic identification and trust services (including electronic signature, seal, timestamp, electronic delivery service, etc.) within the European Union [<xref ref-type="bibr" rid="B12">12</xref>]. Regulation (EU) 2015/1509 sets out minimum requirements for qualified electronic signatures and trust service providers [<xref ref-type="bibr" rid="B14">14</xref>]. </p>
      </sec>
      <sec id="sec4dot2">
        <title>4.2. eIDAS 2.0 and the European Digital Identity Wallet</title>
        <p>eIDAS 2.0 (Regulation [EU] 2024/1183) defines the European Digital Identity Wallet, which will provide citizens with an opportunity to carry and make use of their digital identity assets within a secure environment using smartphones [<xref ref-type="bibr" rid="B15">15</xref>]. Through the stored secret in the hardware keys of such wallets, electronic signatures and identity authentication are completed [<xref ref-type="bibr" rid="B15">15</xref>]. </p>
      </sec>
      <sec id="sec4dot3">
        <title>4.3. Level of Compliance of Turkish Legislation with eIDAS</title>
        <p>It is established that Türkiye’s electronic signature laws, in general, are compatible with eIDAS, especially in connection with qualified electronic signatures, ESHS criteria, and legal aspects of electronic signatures [<xref ref-type="bibr" rid="B1">1</xref>]. Nevertheless, Türkiye needs to develop more legislation and technical infrastructure for the digital identity wallet, mobile signature, and cross-border recognition as defined under eIDAS 2.0. </p>
      </sec>
    </sec>
    <sec id="sec5">
      <title>5. Comparative Analysis of RSA and ECC Algorithms</title>
      <sec id="sec5dot1">
        <title>5.1. Cryptographic Fundamentals</title>
        <p>RSA security relies on the Integer Factorization Problem (IFP), whereas ECC depends on the Elliptic Curve Discrete Logarithm Problem (ECDLP). ECDLP is exponentially more challenging than IFP for the same key size, allowing ECC to offer similar security with far fewer keys than RSA. </p>
      </sec>
      <sec id="sec5dot2">
        <title>5.2. Key Size and Security Levels</title>
        <p>According to NIST recommendations, achieving a 128-bit security level (comparable to AES-128) requires a 3072-bit RSA key, whereas ECC requires only a 256-bit key (e.g., the P-256 curve) [<xref ref-type="bibr" rid="B18">18</xref>]. This discrepancy becomes even more glaring at higher security tiers; at 256-bit security, RSA must use a practically impossible 15360-bit key, while ECC requires only 521 bits. </p>
      </sec>
      <sec id="sec5dot3">
        <title>5.3. Performance Evaluation</title>
        <p>ECC’s efficiency compared to RSA has been demonstrated in multiple studies. As <bold>Table 1</bold> shows, ECC takes less time for signing, retains keys far more efficiently, and uses less memory and storage than RSA [<xref ref-type="bibr" rid="B2">2</xref>][<xref ref-type="bibr" rid="B3">3</xref>]. The data presented in the table have been derived from a compilation of the cited literature and various field tests. </p>
        <p><bold>Table 1</bold><bold>.</bold>Performance comparison of RSA and ECC algorithms.</p>
        <table-wrap id="tbl1">
          <label>Table 1</label>
          <table>
            <tbody>
              <tr>
                <td>
                  <bold>Parameter</bold>
                </td>
                <td>
                  <bold>RSA (2048 bits)</bold>
                </td>
                <td>
                  <bold>ECC (P-256)</bold>
                </td>
                <td>
                  <bold>Difference</bold>
                </td>
              </tr>
              <tr>
                <td>
                  <bold>Signing Time</bold>
                </td>
                <td>35 ms</td>
                <td>6 ms</td>
                <td>~6 times faster</td>
              </tr>
              <tr>
                <td>
                  <bold>Verification Tim</bold>
                </td>
                <td>9 ms</td>
                <td>3 ms</td>
                <td>~3 times faster</td>
              </tr>
              <tr>
                <td>
                  <bold>Key Storage Size</bold>
                </td>
                <td>256 bytes</td>
                <td>64 bytes</td>
                <td>~4 times smaller</td>
              </tr>
              <tr>
                <td>
                  <bold>Memory Usage</bold>
                </td>
                <td>12 MB</td>
                <td>3 MB</td>
                <td>~¼ reduction</td>
              </tr>
            </tbody>
          </table>
        </table-wrap>
        <p>The performance metrics of ECC demonstrate its effectiveness in resource-constrained environments such as mobile devices, smart cards, and Internet of Things sensors [<xref ref-type="bibr" rid="B4">4</xref>]. ECC is also advantageous for large-scale key generation operations. According to [<xref ref-type="bibr" rid="B3">3</xref>], minor key and signature sizes during the certificate lifecycle are said to be cost-effective for bandwidth and storage by diminishing the sizes of CRL and OCSP responses. RSA is the default in many legacy systems because it is older and more extensively used than the others. Nevertheless, current libraries and systems provide mature support for ECC. Mainly, web browsers and modern operating systems have native implementations of TLS certificates and code signatures based on ECC [<xref ref-type="bibr" rid="B1">1</xref>][<xref ref-type="bibr" rid="B4">4</xref>]. </p>
      </sec>
    </sec>
    <sec id="sec6">
      <title>6. Findings: Current Transition Status</title>
      <p>Traditionally, the e-signature infrastructure in Türkiye has primarily adopted RSA in the past. RSA keys are widely used to establish root and sub-root certificates by Kamu SM and private ESHS [<xref ref-type="bibr" rid="B1">1</xref>]. In the PR, the ECC-based root certificates were developed by Kamu SM in 2019 and were intended to become operational by 2020. Testing began in 2019 with Kamu SM using e-signatures for large-scale public-sector applications, and was intended to focus on ECC algorithm-based e-signatures in 2020; regulatory amendments were considered. </p>
      <p>Although the planning and transition schedule were clearly stipulated in the legislation, the actual transition could only be initiated in 2023 due to a multitude of factors. These included the delayed commencement of software compliance efforts within the specified timeframe, insufficient human resources, delays in software updates, and latency experienced in decommissioning legacy cards and transitioning to new ones following the requirement for card updates. Consequently, the production of e-signatures derived from ECC root certificates by the Public Certification Authority (Kamu SM) began in 2023. Furthermore, Kamu SM has been issuing ECC-based electronic seal certificates since 2024. Pilot studies conducted in public institutions utilizing Electronic Document Management Systems (EDMS) and Registered Electronic Mail (REM) systems have successfully achieved seamless ECC integration. However, while the transition in the public sector was accomplished within a five-year period, the transition among private Electronic Certificate Service Providers (ECSPs) remains incomplete due to challenges such as the lack of support for the required new cards across all field software and delays in the procurement of compatible tokens. </p>
      <p>Despite these efforts, widespread adoption is hindered by incompatibility with legacy hardware (e-signature cards, HSM, Turkish ID cards) and the need for software updates in client-side applications. In truth, based on the reasons explained, the authority institution BTK has extended the transition period to new generation algorithms in the second paragraph of Article 6 of the Communique on Processes and Technical Criteria Related to Electronic Signatures, published in the Official Gazette of the Republic of Türkiye, dated October 4, 2025, and numbered 33037. The transition to the new generation is now extended until December 31, 2027. </p>
    </sec>
    <sec id="sec7">
      <title>7. Discussion</title>
      <p>In Türkiye, the transition from RSA to ECC is not just a technical upgrade, but it is also a strategic necessity involving legal, institutional, and security aspects. In this section, we present the evidence-finding, the strategic status of Türkiye based on a SWOT analysis, the impact of post-quantum cryptography, as well as the roadmap for digital identity wallets. </p>
      <sec id="sec7dot1">
        <title>7.1. Strategic Analysis of the Transition (SWOT)</title>
        <p>A comparative SWOT analysis was performed, based on the existing system and regulatory infrastructure, to measure how the transition to the ECC would proceed. </p>
        <p><bold>Strengths:</bold>Türkiye has a strong legal system characterized by a robust legal framework embodied in Law No. 5070 and the Central Public Certification Authority (Kamu SM) [<xref ref-type="bibr" rid="B11">11</xref>]. BTK and TÜBİTAK BİLGEM should provide the technical expertise upon which to base such a transition. Moreover, the rapid diffusion of new technologies is promoted by citizens’ adoption of e-government services. <bold>Weaknesses:</bold>The law or technical circulars in force today rely predominantly on RSA, which results in regulatory lag. There are few staff trained in ECC and current cryptographic systems. Modern elliptic curves are not supported by hardware security modules (HSM) or smart cards today, which will then require expensive hardware upgrades. <bold>Opportunities:</bold>Adherence to eIDAS 2 can enable the European Digital Single Market. ECC performs better than other cryptographic techniques, which results in better end-user experiences for mobile applications. It also opens the way toward the development of domestic ECC libraries and crypto products and the phasing out of foreign technologies. <bold>Threats:</bold>One of the biggest threats to the development of the system is that there will exist a new threat of delay in the adoption of PQC (post-quantum cryptography), and it may potentially hinder the development of PQC. Lack of any focus on ECC individually could lead to a myth of long-term absolute security without consideration of the quantum implications. Rapidly changing cyber threats and the possibility of “collect now, solve later” attacks must be mitigated. </p>
      </sec>
      <sec id="sec7dot2">
        <title>7.2. Post-Quantum Cryptography (PQC) and Hybrid Strategy</title>
        <p>While it has all the advantages over RSA, ECC is susceptible to the Shor algorithm on fast quantum computers [<xref ref-type="bibr" rid="B5">5</xref>]. This poses an authentic conundrum: Should Türkiye adopt ECC now or wait for PQC standards to develop? The analysis of data shows that we are unable to support PQC due to the fast-paced, high-performance requirements of mobile/IoT systems, and this is compounded by the fact that PQC standards (e.g., CRYSTALS-Dilithium) continue to evolve and require larger key sizes than ECC [<xref ref-type="bibr" rid="B18">18</xref>]. ECC therefore acts as an essential “bridge” technology in the short- and medium-term (10 - 15 years). </p>
        <p><bold>We suggest a hybrid strategy:</bold></p>
        <p><bold>1) Transition Period:</bold>Replace RSA with ECC (P-256/P-384); reducing the bandwidth and improving mobile performance. </p>
        <p><bold>2) Transition Period:</bold>Hybrid certificates containing both an ECC key and a PQC key should be implemented. These certificates incorporate both a classical ECC key and a quantum-resistant PQC key within a single certificate structure as a dual-key mechanism. This dual-key architecture enables systems to continue utilizing ECC signatures, which are efficient and compatible with current verification processes, while the PQC signature ensures long-term validity against future quantum attacks [<xref ref-type="bibr" rid="B15">15</xref>]. </p>
        <p><bold>3) Long Term:</bold>The complete transition should be realized once standards, as well as support for the hardware technology, are mature and the PQC algorithms have been developed. </p>
      </sec>
      <sec id="sec7dot3">
        <title>7.3. Digital Identity Wallets and eIDAS 2.0 Compliance</title>
        <p>The “European Digital Identity Wallet” (EUDI Wallet) introduced by the eIDAS 2.0 regulation has changed from card-based to mobile digital wallets for identity information. The ecosystem in Türkiye depends on physical smart cards (Turkish ID Cards and Qualified Electronic Certificates on USB tokens). Türkiye needs to develop a “National Digital Identity Wallet” architecture to enable interoperability with the EU. The ECC framework is the de facto standard for mobile wallets across all these, mainly because smartphones do not support the limited Secure Elements (SE) and Trusted Execution Environments (TEE). RSA keys are often too large to be produced and stored effectively in secure regions. As a result, it is essential to adopt ECC for a practical, interoperability-respecting national digital wallet. The wallet needs to fuse its National ID card, e-Government login details, and qualified electronic signatures into one mobile facility and be able to facilitate protocols, like OpenID Connect for federation [<xref ref-type="bibr" rid="B6">6</xref>]. </p>
      </sec>
      <sec id="sec7dot4">
        <title>7.4. Roadmap for ECC Integration</title>
        <p>Based on this discovery, a roadmap is also suggested for the Turkish national infrastructure: </p>
        <p><bold>1</bold><bold>)</bold><bold>Policy and Regulatory Updates:</bold>Policy and Regulatory Updates: BTK should upgrade its secondary regulations to include ECC parameters and certificate profiles that are ETSI EN 319 412-5-compliant [<xref ref-type="bibr" rid="B15">15</xref>]. </p>
        <p><bold>2</bold><bold>)</bold><bold>Root Authority Transition:</bold>All ESHSs and the Kamu SM should establish ECC root CAs, and not only the Kamu SM. To maintain backward compatibility, a parallel operational period (dual stack) is necessary, during which RSA and ECC certificates remain valid. </p>
        <p><bold>3</bold><bold>)</bold><bold>Client-Side Modernization:</bold>Middleware that is used in EBYS and KEP software, e-signature-creating applications, and libraries should be updated to process ECC keys.</p>
        <p><bold>4) Pilot Deployments:</bold>Pilot projects undertaken by the Kamu SM shall be extended to include mobile signatures and national ID card digital certificate functions. </p>
        <p><bold>5) PQC Readiness:</bold>A nationwide “Crypto Agility” inventory should be maintained to determine all crypto assets, which would allow for future upgrading of the PQC. </p>
      </sec>
    </sec>
    <sec id="sec8">
      <title>8. Conclusions</title>
      <p>Nevertheless, the current study concluded that, although Türkiye has an excellent legal and institutional environment for electronic signatures, the RSA-based technology is becoming outdated. The move to Elliptic Curve Cryptography is essential to meet the performance requirements of today’s mobile revolution, ensure compliance with national standards, and ensure it is in the right place and at the right time, as also set by international standards such as eIDAS 2.0. </p>
      <p>Advantages of ECC: </p>
      <p>Smaller keys,Faster signing,Lower energy consumption.</p>
      <p>Resolving the key bottlenecks in the current system.</p>
      <p>That said, such a transition must be undertaken in a forward-looking way with post-quantum cryptography at the forefront. A hybrid strategy is currently being used in our country to manage the transition to e-signatures. However, ECC certificates cannot be loaded onto Turkish IDs or GSM lines at this stage, as existing card technologies are antiquated. Moreover, with years of experience and continuous work on the transition to ECC certificates, accelerating their issuance will be possible. With a progressive, modern legal framework to support digital wallets, the digital infrastructure can be built and integrated into the global digital economy. In its mission to comply with the eIDAS 2 regulatory framework, the technical and legal regulations our country will implement will ensure that the e-signatures it adopts are recognized and accepted across the European Union.</p>
    </sec>
  </body>
  <back>
    <ref-list>
      <title>References</title>
      <ref id="B1">
        <label>1.</label>
        <citation-alternatives>
          <mixed-citation publication-type="other">Seyirt, M., Özcan, T., Karabulut, B., Doğan, S.M. and Akman Harmancı, E. (2024) Elektronik İmza Standartlarındaki Güncellemeler ve Türkiye’deki Mevcut Durum. <italic>Bilgi Yönetimi</italic>, 7, 1-15. https://doi.org/10.33721/by.1473545 <pub-id pub-id-type="doi">10.33721/by.1473545</pub-id><ext-link ext-link-type="uri" xlink:href="https://doi.org/10.33721/by.1473545">https://doi.org/10.33721/by.1473545</ext-link></mixed-citation>
          <element-citation publication-type="other">
            <person-group person-group-type="author">
              <string-name>Seyirt, M.</string-name>
              <string-name>Karabulut, B.</string-name>
            </person-group>
            <year>2024</year>
            <article-title>Elektronik İmza Standartlarındaki Güncellemeler ve Türkiye’deki Mevcut Durum</article-title>
            <source>Bilgi Yönetimi</source>
            <volume>7</volume>
            <pub-id pub-id-type="doi">10.33721/by.1473545</pub-id>
          </element-citation>
        </citation-alternatives>
      </ref>
      <ref id="B2">
        <label>2.</label>
        <citation-alternatives>
          <mixed-citation publication-type="confproc">Gura, N., Patel, A., Wander, A., Eberle, H. and Shantz, S.C. (2004) Comparing Elliptic Curve Cryptography and RSA on 8-Bit CPUs. <italic>Proceedings of the</italic>6 <italic>th International Workshop on Cryptographic Hardware and Embedded Systems</italic> ( <italic>CHES</italic>), Cambridge, 11-13 August 2004, 119-132. https://doi.org/10.1007/978-3-540-28632-5_9 <pub-id pub-id-type="doi">10.1007/978-3-540-28632-5_9</pub-id><ext-link ext-link-type="uri" xlink:href="https://doi.org/10.1007/978-3-540-28632-5_9">https://doi.org/10.1007/978-3-540-28632-5_9</ext-link></mixed-citation>
          <element-citation publication-type="confproc">
            <person-group person-group-type="author">
              <string-name>Gura, N.</string-name>
              <string-name>Patel, A.</string-name>
              <string-name>Wander, A.</string-name>
              <string-name>Eberle, H.</string-name>
              <string-name>Shantz, S.C.</string-name>
            </person-group>
            <year>2004</year>
            <article-title>Comparing Elliptic Curve Cryptography and RSA on 8-Bit CPUs</article-title>
            <source>Proceedings of the 6th International Workshop on Cryptographic Hardware and Embedded Systems (CHES)</source>
            <volume>11</volume>
            <pub-id pub-id-type="doi">10.1007/978-3-540-28632-5_9</pub-id>
          </element-citation>
        </citation-alternatives>
      </ref>
      <ref id="B3">
        <label>3.</label>
        <citation-alternatives>
          <mixed-citation publication-type="other">Kaya, A. and Türkoğlu, İ. (2023) Simetrik ve Asimetrik Şifreleme Algoritmalarının Performans Karşılaştırılması. <italic>Fırat Üniversitesi</italic><italic>Mühendislik</italic><italic>Bilimleri</italic><italic>Dergisi</italic>, 35, 891-900. https://doi.org/10.35234/fumbd.1296228 <pub-id pub-id-type="doi">10.35234/fumbd.1296228</pub-id><ext-link ext-link-type="uri" xlink:href="https://doi.org/10.35234/fumbd.1296228">https://doi.org/10.35234/fumbd.1296228</ext-link></mixed-citation>
          <element-citation publication-type="other">
            <person-group person-group-type="author">
              <string-name>Kaya, A.</string-name>
            </person-group>
            <year>2023</year>
            <article-title>Simetrik ve Asimetrik Şifreleme Algoritmalarının Performans Karşılaştırılması</article-title>
            <source>Fırat Üniversitesi Mühendislik Bilimleri Dergisi</source>
            <volume>35</volume>
            <pub-id pub-id-type="doi">10.35234/fumbd.1296228</pub-id>
          </element-citation>
        </citation-alternatives>
      </ref>
      <ref id="B4">
        <label>4.</label>
        <citation-alternatives>
          <mixed-citation publication-type="journal">Çekiş, İ.K., Toros, A., Apaydın, N. and Özçelik, İ. (2024) Performance Comparison of ECC Libraries for IoT Devices. <italic>Eskişehir</italic><italic>Technical University Journal of Science and Technology A</italic>— <italic>Applied Sciences and Engineering</italic>, 25, 278-288. https://doi.org/10.18038/estubtda.1427488 <pub-id pub-id-type="doi">10.18038/estubtda.1427488</pub-id><ext-link ext-link-type="uri" xlink:href="https://doi.org/10.18038/estubtda.1427488">https://doi.org/10.18038/estubtda.1427488</ext-link></mixed-citation>
          <element-citation publication-type="journal">
            <person-group person-group-type="author">
              <string-name>Toros, A.</string-name>
            </person-group>
            <year>2024</year>
            <article-title>Performance Comparison of ECC Libraries for IoT Devices</article-title>
            <source>Eskişehir Technical University Journal of Science and Technology A—Applied Sciences and Engineering</source>
            <volume>25</volume>
            <pub-id pub-id-type="doi">10.18038/estubtda.1427488</pub-id>
          </element-citation>
        </citation-alternatives>
      </ref>
      <ref id="B5">
        <label>5.</label>
        <citation-alternatives>
          <mixed-citation publication-type="other">National Cybersecurity Center of Excellence (NCCoE) (2021) Transitioning to Post-Quantum Cryptography (NIST SP 1800-36). NIST.</mixed-citation>
          <element-citation publication-type="other">
            <year>2021</year>
            <article-title>Transitioning to Post-Quantum Cryptography (NIST SP 1800-36)</article-title>
          </element-citation>
        </citation-alternatives>
      </ref>
      <ref id="B6">
        <label>6.</label>
        <citation-alternatives>
          <mixed-citation publication-type="other">Çimen, C., Akleylek, S. and Kılıç, E. (2023) Bilgi Güvenliği ve Kriptografi (5. Baskı). Papatya Bilim.</mixed-citation>
          <element-citation publication-type="other">
            <person-group person-group-type="author">
              <string-name>Akleylek, S.</string-name>
            </person-group>
            <year>2023</year>
            <article-title>Bilgi Güvenliği ve Kriptografi (5</article-title>
          </element-citation>
        </citation-alternatives>
      </ref>
      <ref id="B7">
        <label>7.</label>
        <citation-alternatives>
          <mixed-citation publication-type="journal">Electronic Signature Law No. 5070 (2004) Official Gazette of the Republic of Türkiye, No. 25355. https://www.mevzuat.gov.tr/mevzuat?MevzuatNo=5070&amp;MevzuatTur=1&amp;MevzuatTertip=5</mixed-citation>
          <element-citation publication-type="journal">
            <year>2004</year>
            <article-title>Official Gazette of the Republic of Türkiye, No</article-title>
            <volume>5070</volume>
            <issue>2004</issue>
          </element-citation>
        </citation-alternatives>
      </ref>
      <ref id="B8">
        <label>8.</label>
        <citation-alternatives>
          <mixed-citation publication-type="web">Bilgi Teknolojileri ve İletişim Kurumu (2006) Güvenli Elektronik İmza Oluşturma ve Doğrulama Uygulamaları ile Güvenli Elektronik İmza Formatlarına Dair Usul ve Esaslar. https://www.btk.gov.tr/uploads/pages/guvenli-elektronik-imza-formatlarina-dair-usul-ve-esaslar-5a33fef63b234.pdf</mixed-citation>
          <element-citation publication-type="web">
            <year>2006</year>
            <article-title>Güvenli Elektronik İmza Oluşturma ve Doğrulama Uygulamaları ile Güvenli Elektronik İmza Formatlarına Dair Usul ve Esaslar</article-title>
          </element-citation>
        </citation-alternatives>
      </ref>
      <ref id="B9">
        <label>9.</label>
        <citation-alternatives>
          <mixed-citation publication-type="web">Bilgi Teknolojileri ve İletişim Kurumu (2020) Elektronik İmza Kanununun Uygulamasına İlişkin Usul ve Esaslar Hakkında Yönetmelik. Official Gazette of the Republic of Türkiye, No. 31523. https://www.mevzuat.gov.tr/mevzuat?MevzuatNo=7224&amp;MevzuatTur=7&amp;MevzuatTertip=5</mixed-citation>
          <element-citation publication-type="web">
            <year>2020</year>
            <article-title>Elektronik İmza Kanununun Uygulamasına İlişkin Usul ve Esaslar Hakkında Yönetmelik</article-title>
            <source>Official Gazette of the Republic of Türkiye</source>
          </element-citation>
        </citation-alternatives>
      </ref>
      <ref id="B10">
        <label>10.</label>
        <citation-alternatives>
          <mixed-citation publication-type="journal">Bilgi Teknolojileri ve İletişim Kurumu (2005) Elektronik İmza İle İlgili Süreçlere Ve Teknik Kriterlere İlişkin Tebliğ. T.C. Resmi Gazete, Sayı: 25692. https://www.mevzuat.gov.tr/mevzuat?MevzuatNo=8716&amp;MevzuatTur=9&amp;MevzuatTertip=5</mixed-citation>
          <element-citation publication-type="journal">
            <person-group person-group-type="author">
              <string-name>Gazete, S</string-name>
            </person-group>
            <year>2005</year>
            <article-title>Elektronik İmza İle İlgili Süreçlere Ve Teknik Kriterlere İlişkin Tebliğ</article-title>
            <source>T.C. Resmi Gazete</source>
            <fpage>25692</fpage>
          </element-citation>
        </citation-alternatives>
      </ref>
      <ref id="B11">
        <label>11.</label>
        <citation-alternatives>
          <mixed-citation publication-type="journal">Mülga Başbakanlık (2006) Kamu Sertifikasyon Hizmetlerine İlişkin Usul ve Esaslar (2006/13). T.C. Resmi Gazete, Sayı: 2614. https://www.resmigazete.gov.tr/eskiler/2004/09/20040906.htm</mixed-citation>
          <element-citation publication-type="journal">
            <person-group person-group-type="author">
              <string-name>Gazete, S</string-name>
            </person-group>
            <year>2006</year>
            <article-title>Kamu Sertifikasyon Hizmetlerine İlişkin Usul ve Esaslar (2006/13)</article-title>
            <source>T.C. Resmi Gazete</source>
            <fpage>2614</fpage>
          </element-citation>
        </citation-alternatives>
      </ref>
      <ref id="B12">
        <label>12.</label>
        <citation-alternatives>
          <mixed-citation publication-type="journal">European Union (2014) Regulation (EU) No 910/2014 on Electronic Identification and Trust Services (eIDAS). <italic>Official Journal of the European Union</italic>, 57, L257.</mixed-citation>
          <element-citation publication-type="journal">
            <year>2014</year>
            <article-title>Regulation (EU) No 910/2014 on Electronic Identification and Trust Services (eIDAS)</article-title>
            <source>Official Journal of the European Union</source>
            <volume>57</volume>
          </element-citation>
        </citation-alternatives>
      </ref>
      <ref id="B13">
        <label>13.</label>
        <citation-alternatives>
          <mixed-citation publication-type="journal">European Union (2024) Regulation (EU) 2024/1183 Establishing a Framework for a European Digital Identity (eIDAS 2.0). <italic>Official Journal of the European Union</italic>,1-56.</mixed-citation>
          <element-citation publication-type="journal">
            <year>2024</year>
            <article-title>Regulation (EU) 2024/1183 Establishing a Framework for a European Digital Identity (eIDAS 2</article-title>
            <source>0). Official Journal of the European Union</source>
            <volume>1</volume>
          </element-citation>
        </citation-alternatives>
      </ref>
      <ref id="B14">
        <label>14.</label>
        <citation-alternatives>
          <mixed-citation publication-type="other">ETSI (2021) Electronic Signatures and Infrastructures (ESI); Policy and Security Requirements for Trust Service Providers (ETSI EN 319 401). ETSI.</mixed-citation>
          <element-citation publication-type="other">
            <year>2021</year>
            <article-title>Electronic Signatures and Infrastructures (ESI); Policy and Security Requirements for Trust Service Providers (ETSI EN 319 401)</article-title>
          </element-citation>
        </citation-alternatives>
      </ref>
      <ref id="B15">
        <label>15.</label>
        <citation-alternatives>
          <mixed-citation publication-type="other">ETSI (2024) Electronic Signatures and Infrastructures (ESI); Certificate Profiles Supporting ECDSA, Ed25519, and PQC Signatures (ETSI EN 319 412-5). Sophia Antipolis: ETSI.</mixed-citation>
          <element-citation publication-type="other">
            <person-group person-group-type="author">
              <string-name>ECDSA, E</string-name>
            </person-group>
            <year>2024</year>
            <article-title>Electronic Signatures and Infrastructures (ESI); Certificate Profiles Supporting ECDSA, Ed25519, and PQC Signatures (ETSI EN 319 412-5)</article-title>
          </element-citation>
        </citation-alternatives>
      </ref>
      <ref id="B16">
        <label>16.</label>
        <citation-alternatives>
          <mixed-citation publication-type="other">ISO (2020) Information Technology—Security Techniques—Digital Signatures (ISO/IEC 14888). ISO.</mixed-citation>
          <element-citation publication-type="other">
            <year>2020</year>
            <article-title>Information Technology—Security Techniques—Digital Signatures (ISO/IEC 14888)</article-title>
          </element-citation>
        </citation-alternatives>
      </ref>
      <ref id="B17">
        <label>17.</label>
        <citation-alternatives>
          <mixed-citation publication-type="other">ITU-T (2020) Information Technology—Open Systems Interconnection—The Directory: Public-Key and Attribute Certificate Frameworks (Recommendation X.509). ITU.</mixed-citation>
          <element-citation publication-type="other">
            <year>2020</year>
            <article-title>Information Technology—Open Systems Interconnection—The Directory: Public-Key and Attribute Certificate Frameworks (Recommendation X</article-title>
          </element-citation>
        </citation-alternatives>
      </ref>
      <ref id="B18">
        <label>18.</label>
        <citation-alternatives>
          <mixed-citation publication-type="journal">NIST (2022) Recommendation for Key Management: Part 1—General (SP 800-57 Part 1 Rev. 5). NIST.</mixed-citation>
          <element-citation publication-type="journal">
            <year>2022</year>
            <article-title>Recommendation for Key Management: Part 1—General (SP 800-57 Part 1 Rev</article-title>
          </element-citation>
        </citation-alternatives>
      </ref>
      <ref id="B19">
        <label>19.</label>
        <mixed-citation publication-type="web">TÜBİTAK BİLGEM Public Certification Center (n.d.) Qualified Electronic Certificate Certificate Policy (CP). https://kamusm.bilgem.tubitak.gov.tr/BilgiDeposu/KSM_NES_SI/KSM_NES_SI.pdf</mixed-citation>
      </ref>
      <ref id="B20">
        <label>20.</label>
        <citation-alternatives>
          <mixed-citation publication-type="other">Koç, Ç.K. (2009) Cryptographic Engineering. Springer.</mixed-citation>
          <element-citation publication-type="other">
            <year>2009</year>
            <article-title>Cryptographic Engineering</article-title>
          </element-citation>
        </citation-alternatives>
      </ref>
    </ref-list>
  </back>
</article>