Hacker News new | past | comments | ask | show | jobs | submit login

The way I understand it (or at least the way I'd design it), only the tag itself stores the pattern (or the AI-generated hash thereof), there is no external "registry". Then the pattern hash is used to access a private key (e. g. the key is stored XOR-ed with the hash when the tag is installed) to authenticate a challenge. Recognizing similar patterns is to make sure the pattern always evaluates to the same hash as long as it's not tampered with.

The MIT link doesn't explain how exactly they've done it, so that's only speculation.




The "hashing" presents something of a challenge.

The input from a scan can be quite a lot of data, a high resolution photograph, a point cloud, a set of RF timings/phases or whatever.

The key for future matching must be something small that can be distributed or sent ahead of the delivery, so a hash seems the way to go.

But standard hash algorithms are designed for non-collision and sensitivity - any changes of input lead to wildly different outputs.

But the physical product has to endure;

  - handling by humans or machines
  
  - mechanical vibration and stress
  
  - temperature variations
  
  - gravity, natural creep, thermoplasticity
  
  - bleaching due to light
 
  - variations in the reader, angle, lighting, nearby metal objects
That means we need a threshold of fuzziness, where the hash is not broken, until suddenly it is. The more fuzzy we make it the more scope an attacker who knows the method has to craft a deliberate collision to repair tampering effects.


I understood it as: a signature of each pattern is stored as 'known' in a dataset. An AI learns which patterns are "known".

I don't believe their method has fine control of placement of the 'readable' parts under the glue; this cuts out methods where you're writing something in data as part of authentication. But, it also makes production MUCH cheaper - you can later just read what you "wrote" under a tag. I would guess in the price points they imagine, this method is "random + read later".

For your method - if you can write data, why not just write a digital signature of the item's serial number?


We write data into the tag's digital memory, not the pattern. The pattern is immutable.

We use the pattern to mask the tag's private key. The tag authenticates itself with that private key (which is installed on the tag by the manufacturer and can be signed with a CA cert to prove it comes from the manufacturer). The tag can't decrypt the key without the correct pattern, so simply peeling it off and sticking it onto a counterfeit won't work. There is no need for a database. The AI runs on the tag and makes sure tiny changes to the pattern won't make the private key unrecoverable by outputting a "low-res" version of the pattern that is immune to such tiny changes.

That's how I understood it.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: