Cheap trick secures secrets

Your key fob could soon double as your credit card. Cheap, easy-to-make tokens of a new glass-studded epoxy resin hold encoded information in a form that's more tamper-resistant and harder to forge than the magnetic strips onswipe cards1.

Developed in the Massachusetts Institute of Technology's Media Lab, the transparent tokens contain tiny glass spheres, around half a millimetre across. Like a bar code, they are read by a laser beam. And each token costs only about one cent to make.

The glass spheres scatter laser light so that it falls in a speckle pattern on a surface on the far side that is divided into a grid of pixels. The intensity of light in each pixel is the fingerprint that is compared against a pre-recorded version to verify the token.

To forge a token like this is quite beyond today's technology. The speckle pattern is uniquely determined by the arrangement of the glass spheres. To work backwards from the speckle pattern to the spheres' arrangement is prohibitively hard.

Even if one were to use laborious analytical and microscopic techniques to find the positions of every sphere in a resin slab, say Ravikanth Pappu and colleagues, who developed the new material, current microfabrication techniques are very far from being able to reproduce such a structure.

They researchers show that attempting to mimic the speckle pattern using some other optical system, such as a hologram, is completely impractical. Tampering with a token also quickly destroys its validity: a token with a hole half a millimetre across drilled through it gives a speckle pattern clearly distinguishable from the original.

Moreover, the team points out, a token can produce a huge number of different output patterns, simply by changing the angle at which the laser beam passes through it. So even if the speckle pattern from one reading is stolen, the key remains just as secure as before if subsequent verifications use a different illumination angle.

One way

A Media Lab token acts as a 'one-way function' - one of the central components of cryptography today. A one-way function is like an answer to which the original question is very hard to guess.

Answering the question 'how many months in a year?' is easy. But working out what question elicited the answer '12' is almost impossible. It could have been how many eggs in a dozen, or how many disciples did Jesus have, for example.

Security tags such as computer passwords are generally encoded as one-way functions. The input word is converted to a string of digits in such a way that changing one letter in the input changes many digits in the output.

Creating physical embodiments of one-way functions is harder. If you have the technology for writing a sequence of digits into a magnetic strip, it is quite feasible to forge a swipe card once you know what you need to write. If you know what someonès photo or signature looks like, it isn't hard to copy.

Philip Ball