Quantum Encryption in the Grocery Store

The Case for Quantum Encryption Transition Labels on Software Products

You might be one of these people, but if you aren’t, you’ve definitely seen them. The people who absentmindedly block the grocery aisles with their carts as they read the back of the packaging of a particular food item. They are reading the nutrition facts, which are required to appear on food packaging sold to the public by the US Food and Drug Administration. These labels are required to show specific facts about the food inside and an expiration date appears somewhere else on the labeling. Food labels let us make the right choices for ourselves and our families by knowing exactly what is in the food that we will use to sustain our lives. Nutrition labels are so ubiquitous that everyone takes them for granted, but their accuracy is rarely questioned, and the benefits are clear.

Executive Order 14028, Improving the Nation’s Cybersecurity required the National Institute for Standards and Technology (NIST) created a standardized “label” for internet of things (IoT) devices. These warning labels detail security rather than nutrition but allow consumers to make equally important choices. According to the order, the labels should:

• Encourage innovation in manufacturers’ consumer-oriented IoT and software security efforts, leaving room for changes in technologies and the security landscape.

• Be practical and not be burdensome to manufacturers and distributors.

• Factor in usability as a key consideration.

• Build on national and international experience.

• Allow for diversity of approaches and solutions across industries, verticals, and use cases – so long as they are deemed useful and effective for consumers.

These IoT labels are an excellent measure to increase awareness and permit choices for consumers even though they can still be improved upon. There is one ingredient missing; post quantum cryptography (PQC) readiness.

August 13, 2024 was the date that NIST released its new PQC standards. For years before the release, experts in government, academia, and the private sector were raising awareness about the threat PQC poses and the need to transition from our current asymmetric cryptographic standards to PQC standards. But how do consumers, individuals and organizations, know how much progress has been made in this transition? As the cybersecurity industry moves toward more public awareness and transparency, progress against the potentially largest cybersecurity challenge of our generation should be consistently and clearly communicated to consumers. As a next step in our PQC preparedness, cybersecurity and technology vendors that use cryptography should institute a labeling system like the IoT labels. This kind of transparency is how consumers will be able to choose products that align with their security requirements and preferences on one of the largest cybersecurity threats we will face.

Transition

Let’s not kid ourselves. This transition isn’t happening overnight. While the NIST standards have been available for months, the transition was never going to be instantaneous. The standards need to be built into products and those products (with their new encryption protocols) need to be integrated into our technology ecosystem. Transitioning the entire internet from the common use of RSA to its quantum resistant successor will be no small task. As technologies are built that include the PQC standards, issues and opportunities will be identified.

That is to say that transition is a process that will take time, not a single act.

Since transition will happen over time, it is important that consumers of products that connect to the internet and use encryption be informed about the progress of quantum cryptography transition as a matter of cyber health. The utility of nutrition labels is hardly in question and the cybersecurity community is coming around to the idea of a similar approach for software products. The IoT label is the most direct example but the discussions around software bill of materials (SBOM) accomplishes the same goal. SBOM is designed to give a full list of the third-party software integrations or connections that a piece of software must inform the consumer so they can make a risk decision. Using the analogy of food items for software products is not new. The analogy for PQC is that science has discovered a previously unknown nutrient that is likely to be deadly to humans. This is information you would want on your nutrition label, and it is information that must be carried on cybersecurity product labels throughout the life of the PQC transition.

For years, quantum experts have said the same thing; the arrival of a cryptoanalytically relevant quantum computer (that is a quantum computer with sufficient capacity to break our current encryption, also called a CRQC) is too late to start thinking about transition. Transition must take place before the arrival of such a machine and particularly before the arrival of a machine built by our geopolitical adversaries.

Malicious Actors

Malicious cyber actors around the world regardless of their national affiliation are all looking for the same thing, the next vulnerability. Some comb through lines of code for zero days, others use social engineering, and still others have teams designing and building customized tools for specific objectives. A consistent concern of the cybersecurity community is inadvertently providing malicious actors with the blueprint for the next attack. This is a valid concern, but it has also led to an appalling lack of information sharing during cyber events from which the community has learned. Sharing information on vulnerabilities has allowed the community to work closer together to mitigate and respond to threats. It has also led to greater transparency measures such as SBOM and the IoT security label system. While some may fear that a PQC readiness is a version of giving malicious actors the keys to the next attack, it is not a fair comparison.

Whether quantum computers can break current asymmetric encryption is not in question. Shor’s Algorithm proves mathematically that once enough compute capacity is available, encryption breaking can occur. The question is when (and in the opinion of some “if”) a quantum computer with that capacity will be ready. Western efforts to develop quantum computers are often public, but similar efforts in China are not. The urgency behind understanding how PQC is progressing is tied to the gap in our knowledge of Chinese PQC development. Publicizing PQC progress will not speed along the progress of fabricating and engineering a quantum computer and if a CRQC has been developed in secret by any nation, the jig is up. A CRQC does not need to seek out vulnerabilities. Any system that runs current asymmetric encryption is a target, like the entire internet as an example. These labels would, however, have the opposite effect. It would clearly communicate to malicious actors which organizations are NOT vulnerable to a CRQC attack as we understand it today.

A PQC labeling program would serve only to benefit consumers (individuals and organizations) by raising public awareness, creating more choice in risk decisions, and deterring malicious actors that seek a CRQC attack.

Building Incentives

Stating the painfully obvious, quantum computing is not intuitive and even causes quantum physicists to shrug their shoulders from time to time. The basic concepts are not, however, outside of the grasp of consumers or organizations as they start to prepare for this transition. Nutrition science is also a field that is not intuitive and is highly personal, but its value was recognized long ago so at least a basic understanding of calories, minerals, protein, and carbohydrates is shared across most consumers that have access to commercial grocery stores.

In the same way, the cybersecurity community should commit itself to raising public awareness about PQC and the cybersecurity threat posed by quantum computers. A ubiquitous and consistent labeling system that gives the consumer information on PQC transition using plain and consistent language will bring PQC awareness to the forefront and create opportunities for people learn about PQC, its effects, and what it means if a given product is not transitioning to PQC.

Trust in brands and products is increasingly tied to security and privacy. Companies that build software products have a real opportunity to showcase how forward leaning their commitment to security is by implementing a labeling system. The marketing value that companies will gain from the public display of quantum security will increase incentives to implement PQC faster. The faster our data is secured behind PQC, the safer we will be. Quantum computer or not, these algorithms are more secure and will help to secure our data against future threats. After all, no one thought RSA would be broken until the technology emerged to do so.

There is also the potential for a new industry with new economic value. This will not be the final cryptographic transition that humanity must undertake. As technology improves, there will be new unforeseen technologies that create new previously impossible effects. Manufacturing hardware that allows for a quick and easy transition from one encryption protocol to another will further increase security and help organizations build for the future.

These benefits require a simple predicate: the transition to PQC algorithms should be more transparent.

Consumers need the ability to choose products that prioritize quantum security and are building security beyond how we understand it today, like PQC and cryptography agility.

They also require increased public knowledge of PQC, which labels will enable.

Right now, consumers are forced to stand in the software grocery aisle but with nothing to read. IoT has already adopted this process and SBOM is gaining buy in. PQC needs to ride this momentum. That the transition will not be overnight is the reason tracking the progress is so important. Making a commitment to a software program is not unlike choosing something to eat. It will have effects on you, positive or negative. Knowing the ingredients will allow you to make the best choices and PQC transition is essential to the recipe of security.

Connect with us: Substack, LinkedIn, Bluesky, X, Website

To learn more about the services we offer, please visit our product page.

Nick Reese is the cofounder and COO of Frontier Foundry and an adjunct professor of emerging technology at NYU. He is a veteran and a former US government policymaker on cyber and technology issues. Visit his LinkedIn here.

This post was edited by Thomas Morin, Marketing Analyst at Frontier Foundry. View his LinkedIn here.