Petra Enables Encrypted, Redacted SBOM Exchange for Secure Software Supply Chains
Global: Petra: Encrypted Redacted SBOM Exchange System
A team of researchers has introduced Petra, a software bill of materials (SBOM) exchange system that uses selective encryption to let vendors share redacted SBOM data while preserving confidentiality. The prototype, described in a recent arXiv preprint (arXiv:2509.13217v2), aims to reconcile regulatory demands for transparency with the need to protect proprietary information and vulnerability details. Petra supports searches over encrypted SBOMs, so consumers can obtain answers to specific security queries without gaining access to fields they are not authorized to see. The system generates tamper‑evident integrity proofs, requires less than 1 KB of additional data per SBOM, and its decryption step accounts for at most 1 % of query overhead.
Regulatory Push for SBOM Transparency
Governments and standards bodies worldwide have begun mandating SBOMs as part of software supply‑chain security programs, seeking greater visibility into the components that comprise software products. Compliance frameworks such as the U.S. Executive Order on Improving the Nation’s Cybersecurity and the European Union’s Cybersecurity Act reference SBOMs as essential artifacts for risk assessment and incident response.
Balancing Openness and Confidentiality
While SBOMs enhance traceability, they also expose sensitive information about proprietary code, third‑party dependencies, and known vulnerabilities. Vendors often fear that unrestricted access could reveal trade secrets or provide attackers with a roadmap for exploitation, leading many to limit SBOM distribution to trusted parties.
Petra’s Selective Encryption Architecture
Petra addresses this tension by representing SBOMs in a format‑agnostic, tamper‑evident structure and applying selective encryption to confidential fields. Authorized consumers receive cryptographic keys that unlock only the data needed to answer specific security questions, while the remainder of the SBOM remains encrypted. The system also produces integrity proofs that can be audited without revealing hidden content.
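As an added illustration (not Petra's own code or construction), the following Python models the selective-encryption idea above: each confidential SBOM field is encrypted under its own derived key, a Merkle commitment over the redacted document gives a tamper-evident root, and a consumer holding one field key answers one query while the other secret fields stay opaque. The sample SBOM, the key-derivation scheme and the HMAC-based stream cipher (a stand-in for a real AEAD) are assumptions made for this demo.

```python
import hashlib, hmac, json, os

def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def field_key(master: bytes, path: str) -> bytes:
    # One key per field path, so a vendor can release the key for a single field only.
    return hmac.new(master, path.encode(), hashlib.sha256).digest()

def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Assumption: HMAC-derived keystream as a stand-in for a real AEAD such as AES-GCM.
    out, ctr = bytearray(), 0
    while len(out) < len(data):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, out))

def redact(sbom: dict, master: bytes, secret_paths: set) -> dict:
    """Encrypt the fields named in secret_paths; leave the rest in clear."""
    red = {}
    for path, value in sbom.items():
        if path in secret_paths:
            nonce = os.urandom(12)
            ct = xor_stream(field_key(master, path), nonce, json.dumps(value).encode())
            red[path] = {"enc": (nonce + ct).hex()}
        else:
            red[path] = value
    return red

def commit(red: dict) -> bytes:
    # Merkle root over (path, stored value) leaves: any edit to the redacted SBOM changes it,
    # and the root can be checked without decrypting anything.
    leaves = [H(b"leaf", p.encode(), json.dumps(red[p], sort_keys=True).encode()) for p in sorted(red)]
    while len(leaves) > 1:
        if len(leaves) % 2:
            leaves.append(leaves[-1])
        leaves = [H(b"node", leaves[i], leaves[i + 1]) for i in range(0, len(leaves), 2)]
    return leaves[0]

def open_field(red: dict, path: str, key: bytes):
    blob = bytes.fromhex(red[path]["enc"])
    return json.loads(xor_stream(key, blob[:12], blob[12:]))

# Constructed sample SBOM flattened to path -> value (not a real product inventory).
SBOM = {"component/log4j-core/name": "log4j-core", "component/log4j-core/version": "2.14.1",
        "component/log4j-core/license": "Apache-2.0", "component/internal-auth/version": "3.2.0",
        "component/internal-auth/known_vulns": ["INTERNAL-001"]}
SECRET = {"component/log4j-core/version", "component/internal-auth/version",
          "component/internal-auth/known_vulns"}

def version_below(red: dict, path: str, key: bytes, threshold: tuple) -> bool:
    # A consumer holding only this field's key answers one question; other fields stay opaque.
    return tuple(map(int, open_field(red, path, key).split("."))) < threshold
```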
Performance and Overhead Assessment
Experimental evaluation of the Petra prototype shows that adding encrypted redaction introduces less than 1 KB of overhead per SBOM. Decryption operations contribute at most 1 % of the total time required to execute an SBOM query, indicating that the approach scales to large software inventories.
Potential Impact and Future Directions
By enabling secure, searchable SBOM exchange, Petra could facilitate broader adoption of supply‑chain transparency mandates without compromising intellectual property. The authors suggest extending the framework to support dynamic policy‑based access controls and integration with existing SBOM tooling ecosystems.
This report is based on the abstract of the research paper, published on arXiv as an open-access academic preprint; the full text is available via arXiv.