Let’s take a step back from the Module-Lattice-Based Digital Signature Standard (NIST FIPS 204) and see what quantum-equipped fraudsters could do to bypass your security protections. Your “practically unbreakable” security system today may be wide open in 10 years…or 5 years.
Shor’s Algorithm
To understand how fraud can occur, you need to understand (Peter) Shor’s Factoring Algorithm.
According to Classiq, Shor’s algorithm can find the prime factors of any number, including very large numbers, in polynomial time on a sufficiently large, error-corrected quantum computer; no known classical algorithm can do that.
“Factoring numbers with Shor’s algorithm begins with selecting a random integer smaller than the number to be factored. The classically-calculated greatest common divisor (GCD) of these two numbers, the random number and the target number, is then used to determine whether the target number has already been factored accidentally. For smaller numbers, that’s a possibility. For larger numbers, a supercomputer could be needed. And for numbers that are believed to be cryptographically secure, a quantum computer will be needed.”
So what? I appreciate that people like the late Richard Crandall were into finding prime numbers with 20th century technology, but how does that relate to whether a fraudster can drain my bank account?
Breaking RSA encryption
It definitely relates, according to a 2019 MIT Technology Review article.
“[C]omputer scientists consider it practically impossible for a classical computer to factor numbers that are longer than 2048 bits, which is the basis of the most commonly used form of RSA encryption.
“Shor showed that a sufficiently powerful quantum computer could do this with ease, a result that sent shock waves through the security industry.
“And since then, quantum computers have been increasing in power. In 2012, physicists used a four-qubit quantum computer to factor 143. Then in 2014 they used a similar device to factor 56,153.”
The largest recent record number that I found was 261,980,999,226,229, as described in this paper. Note, though, that the larger records were set with methods other than Shor’s algorithm, and whether those methods scale to cryptographic sizes is not established; using Shor’s algorithm itself, the largest number factored on real quantum hardware so far is 21.
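To make the division of labour concrete, here is the classical skeleton of Shor’s algorithm in Python. This is an added example, not code from the page, from Classiq or from the MIT Technology Review article. The only step that needs a quantum computer, finding the period of a^x mod N, is simulated here by brute force, so the code only works for toy moduli; everything around it (the random pick, the gcd shortcut the Classiq quote describes, and turning the period into a factor) is exactly the classical part of Shor’s method.

```python
from math import gcd
import random


def find_period_bruteforce(a: int, n: int) -> int:
    """Smallest r >= 1 with a**r % n == 1, found by stepping through powers.

    This is the subroutine Shor replaces with quantum period finding. Done
    classically it is exponential in the bit-length of n, which is why this
    toy only works for small n and why a real attack on RSA-2048 needs a
    quantum computer.
    """
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def shor_factor(n: int, seed: int = 0, max_attempts: int = 50) -> int:
    """Return a non-trivial factor of n using Shor's classical reduction.

    Assumes n is odd, composite and not a prime power; for a prime or a
    prime power the even-period trick never fires and we give up.
    """
    if n % 2 == 0:
        return 2
    rng = random.Random(seed)              # seeded only so the toy is repeatable
    for _ in range(max_attempts):
        a = rng.randrange(2, n)            # random integer smaller than n
        g = gcd(a, n)
        if g > 1:                          # "factored accidentally" (Classiq quote)
            return g
        r = find_period_bruteforce(a, n)   # the quantum step, simulated
        if r % 2:                          # need an even period
            continue
        y = pow(a, r // 2, n)
        if y == n - 1:                     # a^(r/2) == -1 mod n: only trivial roots
            continue
        # y^2 == 1 mod n with y != +-1, so n divides (y-1)(y+1) but neither factor
        for candidate in (gcd(y - 1, n), gcd(y + 1, n)):
            if 1 < candidate < n:
                return candidate
    raise ValueError(f"no factor found for {n}; is it prime or a prime power?")


if __name__ == "__main__":
    for n in (15, 21, 91):
        f = shor_factor(n)
        print(f"{n} = {f} x {n // f}")
```

Everything here except `find_period_bruteforce` runs in polynomial time on an ordinary CPU. Swap that one function for quantum period finding and the same reduction factors a 617-digit RSA modulus; keep it classical and it is hopeless past a few dozen bits, which is the whole point of the “wide open in 10 years” warning.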
What does this mean?
So what does this mean for 2048-bit encryption? A 2048-bit RSA modulus is a number of about 617 decimal digits (2048 × log10 2 ≈ 616.5), far beyond anything you or I could factor by hand. Heck, I can’t calculate trillions in my head. And there’s RSA-4096 encryption, but…well, we’ll get to that.
But it pays to be precise about what a quantum computer breaks. Shor’s algorithm attacks the factoring and discrete-logarithm problems behind RSA and elliptic-curve public keys, and it does so exponentially faster than any known classical method. Brute-forcing a symmetric key or guessing a password is a different problem: the best known quantum speedup there (Grover’s search) is only quadratic, so AES-128 loses roughly half of its effective key bits rather than collapsing outright. That is why the estimates quoted below treat AES and RSA so differently.
“Brute force attacks function by calculating every possible combination of passwords. As the password’s strength increases, the amount of time to crack it increases exponentially. So, in theory, if hackers tried to brute force their way into a key with AES-128 encryption, it would take approximately 1 billion years to crack with the best hardware available today [2023].
“But what if we lived in a post-quantum computing world? How long would a brute-force attack on popular cypher technologies take?…[We’re] likely still a decade or two away from Quantum computers that can easily break many of the cypher technologies in use today….
“[I]n a recently published report from Global Risk Institute (GRI), the time to break RSA-4096, which is practically impossible to break with classical computing technology, is under three days with a theoretical 1 megaqubit computer. While we are still a long way from a 1 megaqubit computer, the resources and time required are reducing rapidly at the same time we see advancements in Quantum computing which are in development.”
Lattice-based schemes such as ML-DSA exist precisely because Shor’s algorithm does not apply to them: they rest on hard problems in lattices, not on factoring or discrete logarithms. Even so, if you go around saying that strong encryption will never be broken, you are a fool.
In this edition of The Repurposeful Life, I’m revisiting a prior post (“Is the Quantum Security Threat Solved Before It Arrives? Probably Not.”) and extracting just the part that deals with the National Institute of Standards and Technology (NIST) Federal Information Processing Standard (FIPS) 204.
Thales used the NIST “FIPS 204 standard to define a digital signature algorithm for a new quantum-resistant smartcard: MultiApp 5.2 Premium PQC.”
The NIST FIPS 204 standard, “Module-Lattice-Based Digital Signature Standard,” was published by NIST in August 2024. This is the abstract:
“Digital signatures are used to detect unauthorized modifications to data and to authenticate the identity of the signatory. In addition, the recipient of signed data can use a digital signature as evidence in demonstrating to a third party that the signature was, in fact, generated by the claimed signatory. This is known as non-repudiation since the signatory cannot easily repudiate the signature at a later time. This standard specifies ML-DSA, a set of algorithms that can be used to generate and verify digital signatures. ML-DSA is believed to be secure, even against adversaries in possession of a large-scale quantum computer.”
ML-DSA stands for “Module-Lattice-Based Digital Signature Algorithm.”
Now I’ll admit I don’t know a lattice from a vertical fence post, so here is the short version. The lattice in ML-DSA is a mathematical object: the set of points you get from all integer combinations of some basis vectors, here built over polynomial rings (hence “module”). ML-DSA is believed to be quantum-resistant because its security rests on the presumed hardness of finding short vectors in such lattices (the Module-LWE and Module-SIS problems), and Shor’s algorithm gives no speedup for those problems.
The definition of a lattice that a web search turns up, such as this one from NordVPN, is about something else entirely:
“A lattice is a hierarchical structure that consists of levels, each representing a set of access rights. The levels are ordered based on the level of access they grant, from more restrictive to more permissive.”
That describes lattice-based access control: security labels arranged in a partial order so that a subject can reach only objects whose labels it dominates. It is the right tool when there are some things that Tom Sawyer can access but Injun Joe must not, whether in a multi-tenant cloud (NordVPN’s example) or on a smartcard, but apart from the word it has nothing to do with the lattices inside ML-DSA.
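To show what the access-control sense of “lattice” actually means, here is a minimal label lattice in Python. This is an added example, not code from the page, NordVPN or Thales, and the level names and compartments are hypothetical. A label is a level plus a set of compartments; two labels are only partially ordered (neither dominates the other when their compartment sets differ), and the join gives the least upper bound, which is what makes the structure a lattice rather than a simple ladder of levels. None of this involves the mathematical lattices in ML-DSA.

```python
from dataclasses import dataclass, field

# Hypothetical clearance levels, lowest to highest (assumed for this example).
LEVELS = {"public": 0, "confidential": 1, "secret": 2}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = field(default_factory=frozenset)

    def dominates(self, other: "Label") -> bool:
        """self >= other in the lattice: level at least as high AND a superset
        of compartments. Labels with different compartments can be incomparable."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)

    def join(self, other: "Label") -> "Label":
        """Least upper bound: the smallest label that dominates both operands."""
        level = self.level if LEVELS[self.level] >= LEVELS[other.level] else other.level
        return Label(level, self.compartments | other.compartments)


def can_read(subject: Label, obj: Label) -> bool:
    """Simple-security rule (no read up): the subject must dominate the object."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """*-property (no write down): the object must dominate the subject, so a
    high-clearance subject cannot leak into a low-labelled object."""
    return obj.dominates(subject)


if __name__ == "__main__":
    tom = Label("secret", frozenset({"cave"}))
    joe = Label("secret", frozenset({"treasure"}))
    cave_map = Label("confidential", frozenset({"cave"}))
    print("Tom reads the cave map:", can_read(tom, cave_map))    # True
    print("Joe reads the cave map:", can_read(joe, cave_map))    # False: wrong compartment
    print("Tom and Joe comparable:", tom.dominates(joe) or joe.dominates(tom))  # False
```

The point the NordVPN definition glosses over is the second clause of `dominates`: two “secret” subjects with different compartments are incomparable, so neither can read the other’s material even though they sit on the same level. That is the property that makes need-to-know enforceable with a lattice.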
In reality, job applicant deepfake detection is (so far) unable to determine who the fraudster really is, but it can determine who the fraudster is NOT.
Something to remember when hiring people for sensitive positions. You don’t want to unknowingly hire a North Korean spy.
Another SoCal Tech Forum presentation on Saturday, this one on banking technology from Carey Ransom of BankTech Ventures.
FoundrSpace.
Only a small reference to financial identity, but excellent nonetheless. While I live-posted the event here on my personal LinkedIn account, I wanted to summarize my three main takeaways from Bredemarket’s perspective.
One: Differentiate
Yes, community banks need to differentiate. Perhaps back in the 1980s before the advent of national banks, community banks could offer a standard suite of services for their communities. But now they’re competing against national banks that do business in their prospects’ communities, and in their prospects’ phones. (We will get to phones in a minute.)
One example Ransom gave: why do community banks offer credit cards? Are their credit cards better than the credit cards from the Really Big (Banking) Bunch? Probably not.
But unlike the Capital Ones and Chimes of the world, community banks know their communities. And they know what local businesses need, and are ideally suited to deliver this. (We will get to services in two minutes.)
Yes, I know that Bank of America may have someone attending and sponsoring your local events, but that person is not Brian Moynihan. And if you don’t know who Moynihan is, your prospects don’t know him either.
Two: Phones
But John, you may be saying to yourself, you can’t bank on a phone. How do you deposit checks? And how do you get cash?
Well, let’s look at this:
Bredemarket hasn’t received a check in over three years, but when one of my clients was paying me by check, I would use my phone to take a picture of it and deposit it.
And as for cash, this is needed less and less, especially since many merchants take Apple Pay and Google Pay.
In fact, bank branches are so irrelevant to today’s—and tomorrow’s—bank prospects and customers that Ransom referred to a $3 million bank branch as a really expensive billboard. Probably none of the people who are reading this post WANT to go into a bank branch.
And those that do? Here’s a little secret: if the average age of the people who bank at your bank is in their 70s, they will…um…not be long-term bank customers. The 18-year-olds that will bank for decades? They’re opening accounts on their phones. Can they use a phone to open an account at your bank? And why would they do so? (See the differentiation discussion above.)
Three: Supplement
One way a bank can differentiate is via the services they offer.
At the most basic level, a bank can make money by loaning the funds they receive from deposits.
But they can offer many more services to 21st century clients, thanks to legislation such as the Gramm-Leach-Bliley Act, which allows financial holding companies to own financial or complementary firms.
And not just investments and wealth management.
Ransom provided an illustrative example: cybersecurity.
Banks need to have expertise in cybersecurity to stay alive, and to comply with Know Your Customer and other financial regulations.
So why not offer cybersecurity services to their customers?
This not only gives the banks another revenue stream, but also reduces the risk that their own customers will experience fraud from hacks.
Four: Market
I know I said there were three takeaways. I lied.
Ransom also noted that Capital One spends 20% on marketing, including everything from TV ads to cafes. Your typical community bank spends much less, maybe 1%.
How are your prospects going to know what differentiates your bank if they don’t have awareness of those differentiators?
Or perhaps you need proposal or analysis services.
Bredemarket, a provider of content, proposal, and analysis services to technology (and identity) firms, can work with you to create the words you need. Learn about my offerings and book a free meeting here.
(Although I haven’t knowingly encountered mode collapse, I still want to experiment with the verbalized sampling technique.)
“Unlike prior work that attributes [mode collapse] to algorithmic limitations, we identify a fundamental, pervasive data-level driver: typicality bias in preference data, whereby annotators systematically favor familiar text….
“[W]e introduce Verbalized Sampling (VS), a simple, training-free prompting method to circumvent mode collapse. VS prompts the model to verbalize a probability distribution over a set of responses (e.g., “Generate 5 jokes about coffee and their corresponding probabilities”).”
“Generate three AEO-friendly titles for a blog post about using Verbalized Sampling to generate better LLM responses, and their corresponding probabilities”
The response (from Google Gemini):
And now you know where I got the title for this post.
But I confess that I actually used a grossly simplified version of the technique. The authors of the Verbalized Sampling paper recommend this format:
I’ll have to remember to try this technique for future prompts. I have no idea whether the probability estimates have any basis in reality, but at least the LLM attempts to justify the probabilities with a rationale.
Not because it’s wrong in any way. It accurately covered several topics.
Such as the need for RFx response services.
“RFx” is shorthand for a number of “request for” items, including requests for proposals, requests for information, and requests for comment. These RFx documents ask entities to submit a formal response in the format dictated by the RFx document. The response may be one page long, five pages long, or one thousand pages long.
And the differences between Requests for Information (RFIs) and Requests for Proposal (RFPs).
In the Request for Information stage, you still have an opportunity to shape the final procurement (if a final procurement takes place). For example, if you offer a green widget and your competitors do not, your RFI response will make an important point about how the customer will benefit from a green widget, and a solution without a green widget is substandard.
(One important point here. I didn’t say that the RFI response should say that XYZ Company offers a green widget that is a technological marvel. I said that the RFI response should say that the customer will benefit from a green widget.)
In the Request for Proposal stage, the time to shape the final procurement has already passed. (This is why you engage with a customer years before the customer issues an RFP.) At this stage you have to go all out and win the business, telling the customer how they will benefit from your solution.
And some of the mechanics that Bredemarket uses to assist my proposal clients.
The mechanics of writing an RFx response have varied between my clients. In some cases, I have worked with one or two people to come up with the response, and the client then sent it out. In other cases, I have worked as part of a team of dozens of people in multiple companies to come up with the response, and followed multiple processes to ensure that the proposal is not only sound, but is approved at the corporate level of the client. Some processes are dictated by the client, but some clients have no processes which means that I need to implement a simple one to get the job done.
I guess you can be forgiven for thinking, like Ed McMahon did many times in the past, that John (actually Johnny) covered EVERYTHING that there was to say about RFx responses.
Because I never talked about full-fledged proposal MANAGEMENT.
Six examples of proposal management
It’s one thing to write a little piece of a proposal. Subject matter experts do it all the time. They turn in their little bit, and then they’re done.
But I have also spent years managing proposals, including these six aspects.
1: Project management
An RFx response is an entire project, and just like any other project, it has deadlines.
But these deadlines are not internally set; they’re externally set.
If your company is working on a brochure for April 10, your CMO has the authority to change the date to April 20.
But if you’re submitting a proposal to the Department of Wrecking Historic Buildings, you can’t change the due date; only the DWHB can change that date.
I’ve run into many times where the DWHB or its equivalent has set due dates to their own convenience. For example, a proposal will be due on January 2. The DWHB doesn’t care that this means you’ll lose your Christmas holiday to complete the proposal. The DWHB wants completed proposals to read when they get back from their holiday.
Combine that with your company’s internal processes. For large companies, those can become very onerous. If you work for the U.S. branch of a multinational that is headquartered in a European country, then proposals with certain prices and/or margins require headquarters approval. And that doesn’t happen in an hour.
So how do you ensure that your RFx response reaches the customer by the due date?
By managing the project.
Work backwards. If the proposal must be submitted electronically by 4:00 pm Eastern Time on January 2, and if you want to account for issues with the electronic submission system, and if your proposal needs approval from Paris, plus all the executive approvals at your own firm, and if people need to review it, and if subject matter experts need to contribute to it, and if you have to account for modifications to the RFx from the question and answer period…well, you’d better get started in November.
Anyway, someone needs to look at what needs to be done, set a schedule, communicate the schedule, and force people (including executives) to stick to the schedule.
Often, that project manager has been me. And over the years I may have sent a strongly worded email or two when people don’t get their act together for my proposal.
Yes, MY PROPOSAL. Often the proposal manager is the only person who can focus on the project. So I do.
2: Questions and answers
I previously alluded to the question and answer period. For most RFx documents, potential bidders get the opportunity to ask clarification questions. The dates for this process are outlined in the RFx schedule:
December 1: Agency releases RFx.
December 10: Last day for bidders to submit questions.
December 25: Agency releases answers to questions, some of which may change the entire scope of the RFx.
January 2: Proposals due.
And between you and me, sometimes these answers are very helpful, and sometimes they’re not.
Bidder question 35: Section 7 of the RFx says that the system will process 100 subjects an hour, while section 9 says that the system will process 200 subjects an hour. Which is correct?
Answer to bidder question 35: Please refer to RFx sections 7 and 9.
Normally the answers aren’t that bad, and sometimes the answers provide important clarifications, or perhaps even a relaxation of onerous requirements.
And let me spill one secret: sometimes, even when my company had decided NOT to submit a proposal, we ended up asking questions anyway, just to make things difficult for the competitors who WERE responding.
3: Compliance
Now if you talk to the Shipley folks and everyone else, a winning proposal has to tell a story that sets the bidder apart from the competition. But you still have to make sure you meet the basic requirements or you’ll get thrown out.
Some of you have heard this story before, but once upon a time I was managing a proposal in which the RFx clearly stated that the agency would not pay a dime until the system was completely delivered and operational.
I was told by management that my proposal HAD to include a down payment at contract signature…so I submitted our proposal that way.
Well, in the same way that bidders can ask agencies questions before the proposal is submitted, agencies can ask bidders questions after the proposal is submitted. And the first question we received from the agency was basically, “Didn’t you read our RFx, you idiots? No down payment!”
Anyway, someone needs to read the RFx, figure out what is necessary to be compliant, and determine whether the bidder and the bidder’s solution actually IS compliant.
That someone has been me. I won’t go into details, but I’ve had to raise red flags when our proposal would NOT be compliant. Sometimes we changed the proposal. Sometimes, such as in the case above, we didn’t…and paid the price.
4: Writing
Rather than go into detail here, I’ll just make a single point: your proposal has to read as if it came from a single company. Yes, proposals usually DO come from a single company, but if you have a lot of subject matter experts, they’re all going to write differently. They may even use different names for your product or your company itself. Yes, you can issue a style guide for all proposal writers, but that’s no guarantee that the writers will follow it or even read it. So allow some time for edits.
5: Submission
Sometimes proposal submission stories are scarier than any Halloween story. It doesn’t matter whether you’re submitting by paper as we did in the 1990s, or if you’re submitting electronically as we do today. Something can always go wrong.
Such as the time when two companies were working together on a proposal, and the work took up to the very last minute. As in “assembling the proposal in the taxicab” last minute. And the companies didn’t deliver the proposal before the deadline. Sorry.
I’ll share one that has a happier ending. I recently worked on a proposal that was due at a particular date and time. EASTERN time. Just to ensure no hiccups, I decided early on that we would submit the proposal the day before the due date. Which is good, because as we were filling out the electronic submission forms…we encountered something unexpected that prevented us from submitting the proposal that day. We stepped back and requested rework from a subject matter expert, and regrouped on the due date…early in the morning Pacific time, to make sure it was done before the expiration. (We were.)
6: After proposal submission
One of the drawbacks of the proposal world, and the reason why I left Proposals twice, is because there are too many cases in which you’re called in when the RFx drops, and dismissed when the proposal is submitted.
That can be really unfulfilling, which is why I once became a product manager (to manage things for successful proposals) and I once became a strategic/product marketer (to set the stage for successful proposals).
But sometimes I’ve had the opportunity to continue with a customer after a successful proposal. There are benefits to everyone from this, because I already know the subject matter from working on the proposal and don’t need a lot of time to get up to speed.
One way to employ proposal managers post-proposal is to have them work on the requirements.
“Wait a minute, John,” you may be saying. “There’s already an RFx, and already your proposal. Don’t those two documents dictate EVERYTHING about what needs to be done?
Cue Johnny.
Often there are further clarifications that are required above and beyond the proposal, and a document (such as a requirements document) resolves those nagging issues.
I’ve been writing requirements documents for decades, dating back to my days as Omnitrak product manager, so I’m a natural at writing requirements documents for a particular customer implementation.
Especially when I’m already familiar with the underlying proposal.
Oh yeah, Bredemarket received a new testimonial
For the past year-plus, Bredemarket has worked on multiple proposals for fingerprint hardware and software company Integrated Biometrics.
Before you jump to conclusions, let me point out a couple of things.
Integrated Biometrics, as a South Carolina business, never required overseas proposal approval. That was…another firm.
Integrated Biometrics never submitted a proposal with a down payment when a down payment was prohibited. That was…another firm.
Integrated Biometrics never tried to assemble a proposal in a taxicab, missing the due date and time. That was…another firm.
But Bredemarket has managed multiple proposals, including successful ones, for Integrated Biometrics. This work has included project management, questions and answers, compliance, writing, submission, and post-proposal requirements management.
And David Deady, “The Fresh ‘Prints” and Director of Marketing for Integrated Biometrics, was kind enough to provide Bredemarket with this endorsement.
(From David Deady, Director of Marketing at Bredemarket client Integrated Biometrics, October 2025)
John,
You got big props on the huddle tonight (our exec team meeting). We are very grateful for the quality of your work and your ability to know what needs to be done with a quick turnaround. The FBI RFI response was mentioned specifically, but all projects have been equally appreciated. Thank you.
And thank YOU.
But what about YOU?
If you are with a fingerprint firm and need support for federal government proposals, I probably can’t help you.
But if you need proposal support that doesn’t create a conflict of interest for me, let’s talk.
Usually you create a checklist of what you need. Or better still, a go-to-market process that defines the internal and external collateral you need for different tiers of releases. For example, a Tier 1 go-to-market effort may warrant a press release, but a Tier 3 effort may not.
In the best case scenario, the product marketer is able to coordinate the necessary content so that all external stakeholders (prospects, customers, others) and internal stakeholders (sales, customer success, others) have all the information they need, at the right time.
In the worst case scenario, some content is shared before other necessary parts of the content are ready.
For example, it’s conceivable that a company may host a public webinar about its product…even though the company website has absolutely no information about the product for prospects who want to know more. Yes, this can happen.
If you need help with go-to-market strategy, Bredemarket has done this before and can discuss your needs with you.