by wgrover 690 days ago
Here's some work I did a couple years ago using some of these principles to fight counterfeit medicines: https://www.nature.com/articles/s41598-022-11234-4

A side note: I think there's an unmet need for algorithms that can convert photos of these random patterns into text (or something similar) that can be stored in a database and searched quickly for matching patterns. I've tried image similarity algorithms like the ones used by e.g. Google Reverse Image Search, but they seem poorly suited for this task. I ended up writing my own crude algorithm in the paper above that converts a pattern into a set of strings, and it works OK, but surely there are better ways to do this.
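One way to turn such a pattern into searchable strings, as an added example that is not part of the original post and is not the algorithm from the linked paper. It assumes sprinkle centres and colours have already been extracted from the photo; `pattern_to_strings`, `PatternIndex`, `K`, `THRESHOLD` and the sample-data helpers are hypothetical names.

```python
import math
from collections import Counter, defaultdict

K = 3            # neighbours encoded per sprinkle (assumed parameter)
THRESHOLD = 0.4  # fraction of query strings that must match (assumed)

def pattern_to_strings(sprinkles):
    """Turn [(x, y, colour), ...] into a set of short strings.

    Each string is one sprinkle's colour followed by the colours of its K
    nearest neighbours, nearest first. Only the ordering of distances is
    used, so rotating, shifting or rescaling the photo changes nothing.
    """
    out = set()
    for i, (x, y, c) in enumerate(sprinkles):
        near = sorted((math.hypot(x - x2, y - y2), c2)
                      for j, (x2, y2, c2) in enumerate(sprinkles) if j != i)
        out.add(c + "".join(c2 for _, c2 in near[:K]))
    return out

class PatternIndex:
    """Inverted index: string -> ids of registered patterns containing it."""
    def __init__(self):
        self.postings = defaultdict(set)

    def register(self, pattern_id, sprinkles):
        for s in pattern_to_strings(sprinkles):
            self.postings[s].add(pattern_id)

    def lookup(self, sprinkles):
        """Return (id, score); id is None when the best score < THRESHOLD."""
        query = pattern_to_strings(sprinkles)
        votes = Counter(p for s in query for p in self.postings.get(s, ()))
        if not votes:
            return None, 0.0
        best, hits = votes.most_common(1)[0]
        score = hits / len(query)
        return (best if score >= THRESHOLD else None), score

def random_pattern(rng, n=40, colours="RGBYWP"):
    # Constructed sample data standing in for detected sprinkle centroids.
    return [(rng.random(), rng.random(), rng.choice(colours)) for _ in range(n)]

def rephotograph(sprinkles, rng, angle=0.7, jitter=0.0005, drop=2):
    # Simulate a second photo: rotated, slightly noisy, a few sprinkles missed.
    kept = rng.sample(sprinkles, len(sprinkles) - drop)
    ca, sa = math.cos(angle), math.sin(angle)
    return [(ca * x - sa * y + rng.gauss(0, jitter),
             sa * x + ca * y + rng.gauss(0, jitter), c) for x, y, c in kept]
```

Pass a seeded `random.Random` as `rng`; because lookup is a vote over an inverted index, a query touches only the postings for its own strings rather than every stored pattern.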

6 comments

Very cool! This seems almost like physical cryptography. Maybe there is a better term for it, but I’d be very interested in other work along these lines.
A university spinoff using the interaction between RF and nearby devices, https://www.physec.de/en

https://www.sciencedirect.com/journal/computer-networks/vol/...

> We describe the first MITM-resistant device pairing protocol purely based on a single wireless interface with an extensive adversarial model and protocol analysis. We show that existing wireless devices can be retro-fitted with the VP protocol via software updates, i.e. without changes to the hardware.

Thanks! There are related structures in electronic circuits called physical unclonable functions (PUFs) that find uses in cryptography - you might find them interesting: https://en.wikipedia.org/wiki/Physical_unclonable_function
I once wondered if the colorful fibers in bank notes — which, like the nonpareil spheres, are distributed at random throughout the paper on which the notes are printed — can also be used to generate a unique number.

Examples (aha, including a teaser to an upcoming product called “Verifibre”!) can be seen here:

https://securityfibres.com/

Instead of a lookup table, that number could be signed and the signature printed onto the bank note itself. It would be impractical to either deduce the signing key or duplicate the pattern of fibers in a way that the signature was still valid.

I don’t know if there’s a signature algorithm though that is resilient to lossy and unreliable input data and which can also produce short enough output that could be printed on the face of a bank note.

Fingerprint sensors probably do some kind of fuzzy hash. That might be a nice basis for such a signature algorithm.
I should think you could do this with fingerprinting the photo similar to how music is fingerprinted for things like Shazam or MusicBrainz. I used to work for MusicIP, which I believe developed the fingerprinting system MusicBrainz is using.
Thanks for the suggestion - I looked into music recognition algorithms early on but struggled to adapt them for image use. But I'll revisit them.
Are there "fuzzy" fingerprint algorithms that tolerate some variation in pixel color / hues, edges, imaging quality, etc?
There are image-representation versions of wavelets that would work well in that context, with some tolerance/quantization of the frequency representation to accommodate fuzzy edges, and likewise for nearby hues.

Perceptual color representation gets a bit harder but if you're only looking at gamut differences on cameras/screens/printed media I think it's feasible.

Alternatively, if you know a lot about the source image you can train a NN for the specific application.

Very cool. I actually learned something by reading just the abstract, which does not happen often.
I read a bit of the approach, but wouldn't an attacker take 1 bottle for reference and just make 1 pill with the same exact pattern?

The manufacturer wouldn't know if there are conflicts or if the user wanted to check a pill twice.

It would be pretty hard for the attacker to precisely arrange a hundred tiny sprinkles on the surface of a pill to exactly match a known-good pattern. (At least compared to just throwing a bunch of assorted sprinkles on the pill randomly and taking a photo of the result, which is what legitimate manufacturers would be doing.)
Yeah, this is one common claim about sprinkles - that the pattern can't be reproduced. Is that so true? Manually, sure, probably, perhaps. But if sprinkles signing is common enough, or the attacker has enough budget - and they do - then sprinkles matching deserves a machine. A sprinkles printer.

And if you have a standard algorithm which converts a sprinkles picture or three into a hash, then now you have a precise target for the machine to benchmark against.

I guess this would be easy to spot for the end user. Maybe the app that is used for checking the pills can alert the user if one pattern is scanned multiple times.
Showing how often an authenticity code has been checked is something manufacturers like Xiaomi do, where there's rampant counterfeiting.
I remember this and was really impressed by your approach.
If the feds ever had possession of your computer, you may as well just replace it. Why risk it? Your data should be encrypted and backed up anyway.

Now police are going to be looking for nail polish and other clues.

First you need to know they had possession. If they don't want you to know, how else could you tell if not for a tamper-evident seal?