Crypto with Epoxy Tokens, Glass Balls and Lasers
Anonymous Coward writes "Scientists from MIT and ThingMagic have collaborated and developed an innovative crypto mechanism using epoxy tokens, glass spheres and lasers. They have actually created a physical one-way function that cannot be tampered, copied or faked! The full scoop can be found at MSNBC, and also at Nature, & TOI."
for random numbers with
Lava Lamps? Now there is Lava lamp cryptography.
Read about it at:
LavaLamp
Thanks and have a weekend !
I think the process involved mixing a bunch of little tinfoil sparkles into a clear epoxy resin, applying the resulting glue as a seal, and photographing it from several angles. Simple to create, yet darn near impossible to duplicate a second time. If the blob is missing or different, something fishy is going on.
The thing about things we don't know is we often don't know we don't know them.
Great. They use a laser to convert the 3D arrangement of glass spheres in an epoxy matrix to a 2D 'light/dark' pattern.
A crummy piece of film exposed at the sensor plane, then developed, could be used to get around this. Lay the film on the 2D sensor, and voila - the 2D pattern is duplicated!
Sounds like a kinky high-tech peep show.
Can't be tampered with? Give me a hammer, I'll tamper with it... If I can't have the data, no one can!!!
---
Programming is like sex... Make one mistake and support it the rest of your life.
One thing you know once you read the article(s), that really should have been included in the story submission, is this technology is more geared toward replacing things such as magnetic stripes on credit cards, and em cards, and whatnot. The tiny crystals that will replace these stripes produce a one-way function that is currently impossible to duplicate, so if widely adopted this would (at least temporarily) make card counterfeiting impossible. It is not describing a new encryption mechanism for your PC, or any software for that matter.
how is stealing speckle patterns gonna be any different from stealing credit card numbers from "secure" servers?
mmm... yeah... You see, we're putting the cover sheets on all TPS reports now before they go out...
This seems like a really good system, one that for once is almost impossible to forge. However, it seems to have a major flaw: Durability. The Nature article states that "a token with a hole half a millimetre across drilled through it gives a speckle pattern clearly distinguishable from the original." So what happens when (not if!) the card gets scratched and worn? Will it immediately stop functioning? These secure cards won't be worth much if they have to be replaced every month because of wear and tear... and with the system they are using, error correction isn't an option (defeats the whole purpose of the tokens since tampering with them would then become possible).
MacGyver has made plans to begin work at MIT in their research department to create supercomputers from old ballpoint pens, and outdated telephone mechanisms.
If you're looking here for something insightful or thought provoking, you're probably looking in the wrong place.
Getting the 2D pattern is easy (anyone with access to a reader could simply get this pattern through software). You then have to manufacture a crystal which produces this pattern, so that you can use your new counterfeit card at the Sony store, etc. This is the part that is currently impossible.
mmm... yeah... You see, we're putting the cover sheets on all TPS reports now before they go out...
...until it is tampered, copied, and faked. Never say never, especially with regards to crypto.
sarchasm: The gulf between the author of sarcastic wit and the person who doesn't get it.
actually, i have 3.
there are 50 or so of em lying around at home, making my wife mad.
so explain again why guitar picks are news?
(my apologies to westsky in advance)
guns kill people like spoons make Rosie O'Donnell fat.
So we have a one way function that happens to be based on a physical object rather than being calculated by a CPU. I don't see how this makes it more secure.
I also don't see why this is any different than any other hardware based authentication (RSA tokens, smart cards, etc.) The tokens might be cheaper, but I bet the scanner is not going to be cheap.
And as with most authentication systems the big problem is going to be protocol attacks, not attacks on the cryptography itself. I don't see little glass balls changing this fact.
Yes I'm cynical. But probably with good reason.
People couldn't type. We realized: Death would eventually take care of this.
Cheap trick secures secrets
Finally! Something to go hand-in-hand with my REO Speedwagon encryption algorithm.
Where does the school board find them and why do they keep sending them to ME?
It could also be used on bank cards, thus preventing people from counterfeiting them. I once read about a ring which was using an aptly mounted hidden camera to monitor people's PIN numbers. They then grabbed some ATM slips the person threw away (most people rarely keep/destroy them) and manufactured a fake card using their PIN and their account information.
And all these years my family has been persecuted in Salem, MA and it turns out all they wanted was our crystal balls!
Notice that one of the authors on this paper is Neil Gershenfeld, author of The Physics of Information Technology, reviewed here exactly a year ago yesterday (at least I think it was a year. The searched Slashdot postings have no year indication on them. Is this a Y0K bug?) I liked that book, actually. It had a very readable section on the fluctuation-dissipation theorem, though I think it gave short shrift to research on the underlying causes of the FDT.
* mild mannered physics grad student by day *
* daring code hacker by night *
http://www.silent-tristero.com
If the laser is shined through at a different angle, however slight, how can you get an accurate reading?
Would wear and tear change the shape of the token, rendering it useless?
If this stores a terabit of info, how can we get it to store the info we want?
How will the government be able to demand a backdoor to this tech?
Will I ask any more questions?
The article claims that making a holographic forgery would be prohibitively difficult, but doesn't explain why.
You could almost certainly make one if you had the original card to duplicate.
If you had the verification information for the card - the list of patterns the scanner looks for - you could probably make a holographic reproduction with a bit of fiddling (the same multi-exposure technique is used for making animated holographs that move as you change viewing angle).
You'd have a hard time duplicating the card just from observing one transaction, but the same holds true for electronic media (one challenge/response pair does not give you a smart card's key).
Does anyone have further details on why the researchers say this would be difficult to forge?
So, the next step is to manufacture CDs with copy prevent^H^H^H^H^H^H^Hprotection using these tokens. (Sigh.)
They've discovered the one-time pad!
No, they have not. That would mean that whoever receives a message sent with this data had the same pad, and that isn't the case. If it were, a 12-terabit stamp-size one-time pad would still be rather good.
I'm a bit unclear how this works in practice though. They say they can check the patterns the thing makes against a "secure" database. They can't store all the 12 terabits there.
So, I assume, they pick some number (say, 100) of ways to shine a laser at it at random, and store those in the server. When it's time for identification, the server tells the token reading gadget which position(s) the laser should be in, it sends the pattern back, and it can be checked.
One possible attack is obvious, it may be possible to find out which random spots for the laser have been stored for this token by asking for a verification enough times. However, that gives you the task of making an object that fits into a reader, that gives the right patterns for all the 100 ways... And that's Hard. So it may not even be necessary to randomize the laser positions, just check some number of standard patterns, and it will be too hard to make an item that can fake them all.
Thanks for listening to my train of thought. I think I get it now :)
I believe posters are recognized by their sig. So I made one.
In the first week, his research team added garage door openers and discarded pie tin plates to the mix.
When MIT announced that they would dedicate several old Apple IIs to the project, MacGyver was quoted as saying, "I'm excited, but it's still overkill for the project."
In the first week, he developed a quantum computer that can crack RSA 128 bit encryption in 0.034 seconds, predicts the weather with 97.5% accuracy up to 10 days in advance, located Jimmy Hoffa and solved the mystery of crop circles.
And then he built a Beowulf cluster of them.
"Live Free or Die." Don't like it? Then keep out of the USA
If each one was unique then they (being whoever would want to) could track you via the usage of your epoxy token.
You mean, in the same way they can track you by the unique *number* on your credit card already?
I believe posters are recognized by their sig. So I made one.
will bill this as "Cryptography with balls."
I'd imagine it'll take a little work to keep these things from getting scuffed or otherwise damaged beyond recognition through regular handling, especially if they end up on your key chain.
Of course, a really sophisticated system might take that into account, and update the key profile to recognize each key's unique wear and tear.
One of the nice things about a smart card system is that it doesn't have to go online for each transaction. From the descriptions it seems that this system does have to check with a database at the time of purchase. So the speedup from a smartcard is lost.
Lasers Controlled Games!
The MSNBC article goes on and on about how this is great for 'Smart Cards' but in reality it doesn't make them that much more secure than credit cards because most of the theft that happens with credit cards is not breaking into computers, rather it's physical theft of the cards themselves.
A 'smart card' isn't going to stop a pickpocket from thieving your wallet so we're back to square one.
And not to be troll but has this been on /. before? It seems vaguely familiar.
The Anti-Blog
I recall reading something very similar in I believe Scientific American (which is not searchable, unfortunately), oh, ages ago. Used to identify ICBMs / warheads / other missiles during arms reduction discussions between the US & Russia (might even have been so far back as to make that USSR). Basically a splash of epoxy with sparkles mixed in on some disastrously-expensive-to-replace part of the device, snap a photograph and/or hologram, and the device is reliably tagged.
... unless of course Fritz [Hollings] gets his palladium-plated way and we at some point do get tamperproof, "trusted" hardware (... to play around with - I'm looking forward to that).
... it raises the price of duplicating a unique physical dongle.
... what was the author of this /. article taking? I want some.
So it's become cheaper, cheap enough even for everyday use. However, the possible uses I can see are rather limited: local authentication, and pretty much nothing else.
It's good for credit cards, but only if the card is physically read by the entity requesting authentication, and only if that entity is online (or has a local database of the speckle pattern of all cards worldwide, plus a magically updated revocation list).
For any non-local authentication it doesn't seem much good
So
But it definitely has nothing to do with crypto (i.e. encryption)
yes, we have no bananas
I did a lesson at college on Stereolithography about 10 years ago. The process of curing two-part epoxy resin with the heat generated with laser lights. It was very accurate back then; more than adequate for producing A1 models and patterns.
I'm wondering how accurate it is now or how accurate it could become.
This post contains benzene, nitrosamines, formaldehyde and hydrogen cyanide.
Although it is a very simple concept, the complexity of creating a transportable medium was the limiting factor. This could not have been done 20 years ago, as the lasers then looked like flashlight beams compared to today. Computer processing power was also a limiting factor.
Intelligence is only a small part of the equation. It is difficult to come up with a very simple solution to a problem that uses technology and manufacturing processes that are years away.
20 years ago, this thing would have had to be about the size of a brick, as beam density, laser accuracy, and manufacturing processes were not advanced enough to create something portable.
For other applications, the dream can drive technology. Weapons systems, space travel, and a utopian society are but a few things that can drive technology to create. A credit card that can't be copied is not a big enough dream to create technology, but it is big enough to take existing technology and innovate.
As for your second point, here's a thought.
The card currently would be useless to stop physical theft, right now. The scheme just relies on the refraction of light to create patterns. Once you have the card, then Bam, you have the money.
But what if you could arrange these flakes into such a pattern that when light is passed through at a predetermined angle, it provides a composite of the card holder, which will appear on the POS terminal screen. Match the picture with the cardholder, then go ahead. The weakest link falls to the clerk.
-This idea has been released under the GPL. It may be freely distributed or modified under said terms.
You think that I'm crazy, you should see this guy!
... or simply bypassed.
series called the grey lensman by E.E. "doc" Smith IIRC. Law enforcement was struggling to find a non-forgeable form of ID, and one of their failed attempts was a 3D crystal. Interesting that this idea has been around that long.
This is an improvement on an idea from the 1980s called "quantum subway tokens". There have also been a few schemes involving 2D speckle patterns as unique, hard to forge data items. But they're not challenge/response, like this. Challenge/response devices exist (Sun's Java-powered jewelry, the Dallas Semiconductor button) but they're more complex. On the other hand, their readers are simpler than this optical system will require.
The useful advancement in this thesis is in section 5.3.4, where the authors demonstrate that the registration of the scanning beam doesn't have to be extremely tight. You'd think this scheme would involve optical-bench precision, but it doesn't. (Well, actually it does, but not wavelength-precise optical bench precision. Still, it involves micrometers driven by computer-controlled stepping motors and a very rigid fixture. It's not a "just swipe the card" system.)
The trouble with this system is that there's no public key associated with the object - only a huge number of possible challenge/response pairs. Validation at an untrusted reader is done by probing the object using challenges previously performed at a trusted reader. Those challenges are "used up" as the object is validated, because otherwise, they could be replayed. This is much less convenient than a public/private key system. It's more like one of those systems where you have a wallet card with a long list of challenge/response pairs for logging in. The only advantage here is that the object isn't copyable. It's still stealable, of course.
It's kind of neat, but probably not commercially useful.
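The challenge/response scheme the comments above work out (a server keeps a limited set of laser-position/pattern pairs recorded at a trusted reader, and each pair is used up once an untrusted reader has seen it), as an added example that is not from the thread or the paper. The physical token is simulated with HMAC-SHA256 purely as a stand-in; the class names, the 256-bit response size and the 40-bit match threshold are assumptions.

```python
import hashlib
import hmac
import secrets

RESPONSE_BITS = 256    # assumption: size of the digitised speckle pattern
MATCH_THRESHOLD = 40   # assumption: max differing bits tolerated as read noise


class SimulatedToken:
    """Hypothetical stand-in for the physical token. HMAC over a secret
    'structure' models the challenge -> speckle-pattern mapping."""

    def __init__(self, structure: bytes):
        self._structure = structure

    def respond(self, challenge: bytes, noisy_bits: int = 0) -> int:
        digest = hmac.new(self._structure, challenge, hashlib.sha256).digest()
        value = int.from_bytes(digest, "big")
        for i in range(noisy_bits):          # flip distinct bits to model read noise
            value ^= 1 << ((i * 7) % RESPONSE_BITS)
        return value


class Verifier:
    """Holds challenge/response pairs recorded at a trusted reader."""

    def __init__(self):
        self._pairs = {}

    def enroll(self, token_id: str, token: SimulatedToken, count: int) -> None:
        pairs = {}
        while len(pairs) < count:
            challenge = secrets.token_bytes(16)   # random "laser position"
            pairs[challenge] = token.respond(challenge)
        self._pairs[token_id] = pairs

    def next_challenge(self, token_id: str):
        pairs = self._pairs.get(token_id)
        return next(iter(pairs)) if pairs else None

    def verify(self, token_id: str, challenge: bytes, response: int) -> bool:
        # pop(): a pair shown to an untrusted reader is never accepted again,
        # so a recorded exchange cannot be replayed.
        expected = self._pairs.get(token_id, {}).pop(challenge, None)
        if expected is None:
            return False
        distance = bin(expected ^ response).count("1")   # Hamming distance
        return distance <= MATCH_THRESHOLD

    def remaining(self, token_id: str) -> int:
        return len(self._pairs.get(token_id, {}))


def run_demo() -> dict:
    # Constructed sample "structures"; real tokens have no such byte string.
    genuine = SimulatedToken(b"constructed-structure-of-real-token")
    forgery = SimulatedToken(b"constructed-structure-of-a-forgery")
    server = Verifier()
    server.enroll("card-1", genuine, count=4)
    results = {}

    c1 = server.next_challenge("card-1")
    r1 = genuine.respond(c1, noisy_bits=10)      # genuine token, slightly noisy read
    results["genuine_accepted"] = server.verify("card-1", c1, r1)
    results["replay_rejected"] = not server.verify("card-1", c1, r1)

    c2 = server.next_challenge("card-1")
    results["forgery_rejected"] = not server.verify("card-1", c2, forgery.respond(c2))

    c3 = server.next_challenge("card-1")
    damaged = genuine.respond(c3, noisy_bits=128)  # damaged token: half the bits differ
    results["damaged_rejected"] = not server.verify("card-1", c3, damaged)

    c4 = server.next_challenge("card-1")
    results["last_pair_accepted"] = server.verify("card-1", c4, genuine.respond(c4))
    results["remaining"] = server.remaining("card-1")
    results["exhausted"] = server.next_challenge("card-1") is None
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Failed attempts consume a pair as well, so the enrolled set bounds the total number of untrusted reads, not just the successful ones.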
The idea was that the hull of each spacecraft was coated in embedded diamonds (cheap in the future because DeBeers' monopoly is gone). The police can then read your hull with a laser from 1 million miles away and you can't forge the "number plate".
TWW
"Encyclopedia" is to "Wikipedia" what "Library" is to "Some people at a bus stop"
I read two of the articles, and they don't answer my question of how is this useful?
The construction of the tokens is fairly random, so it's not known what the results of X angle on Y token will result...
Another comment mentioned that they may do prescans with a trusted scanner, but then every scan by an untrusted scanner must be discarded... so each token is only valid for some limited number of untrusted scans.
Need a Catering Connection
No, the actual token will produce infinite variations. When you authenticate, you check a random source.
Your spoofing technique would only work if the angle you chose and the angle randomly selected were the same, so the chances of it working would depend on how many angles for which the results are stored.
Also, you could 'challenge' by requesting two different angles to be checked, in which case your system wouldn't work at all.
(I can't believe this got a four, Mysterious obviously either didn't read the article, or didn't understand it)
autopr0n is like, down and stuff.
They have actually created a physical one-way function that cannot be tampered, copied or faked!
should read cannot be tampered, copied or faked yet.
My little Universe is cool for the people who can fit inside it (being 250 6'4" there aren't that many who can)
No, it relies on the fact that it is difficult to recreate the media, not create it. If you were to put a hologram of sorts in the media, and salt it, then it would work. Shoot the laser in one way, voila! It's you. Shoot the laser in at a different angle, then you have a completely different pattern. The media, however thin it is, is still 3 dimensional, and can hold lots of data.
The problem is that if it becomes that easy to produce, how hard would it be to reproduce? Putting your visage on the card, and then getting the background noise right, I would have to say damned difficult, especially if the lasers relied on bouncing through your picture.
You think that I'm crazy, you should see this guy!
Drilling a small hole in the tokens changes their internal structure enough to unleash the avalanche effect, so that the outputs from the same token before and after drilling differ by roughly half of their bits. Yet the process that transforms the speckle pattern into a string of digits can be modified to ignore accidental surface scratches.
I would imagine that since it's the internal structure of the token which determines the output, surface scratches don't have as dramatic an effect.
It breaks my pluginses, my precious!
Also this stops mafia-types from mass producing fake cards. At CTST this year an IBM team presented a paper in which they read the keys off several cards through RF leakage, making it easy to make fake cards. This would prevent such fake cards, at least until a way of faking these patterns comes about.
Lasers Controlled Games!
except, the fob is a function, not a set of data, and can produce an infinite number of possible outputs. You only have the outputs for one input
One "obvious" solution to this is to encrypt the pattern at the device before it is sent, but now we're back into the standard encryption world, and we know that nothing is perfect there.
If by 'not perfect' you mean 'takes a million billion years to crack'
OK, so we change the pattern based on the date and time with a "protected" algorithm. Like that can't be solved.
huh, why? Did you have a million billion years of computer time to spare?
Well, then we'll use a system like the "SecureID" cards with each credit card unit including the random/automatically generated token as part of the encryption effort. Well that would be a little more complex.
But in the end, all of these solutions can be applied to the current barcode read from credit cards before it is sent over the phone lines today. The use of a 3D number/key generator, which is really what this is, won't change that.
ok, not like any of that made any sense...
P.S. Don't ask me how this could be used at Websites.... Pardon me, while I send this huge bit representation of your 3D fob over this dinky 56Kb error prone phone line. Right....
Well, obviously we wouldn't ask you. You don't even know what a hashcode is.
autopr0n is like, down and stuff.
"whoops, I though it was secure" (e.g. the example in Cryptonomicon of the woman who peeks at the bingo balls and "makes it more random").
Except, if she had had her eyes shut like she was supposed to, it would have worked. That's not a failing of the 'physical world' crypto, but rather the human brain's randomness generator.
autopr0n is like, down and stuff.
If you know the motion pattern of the scanner, and can reproduce the same motion in a scanner of your own, scanning the victim's card, you can "easily" create a copy of the card. All of the supporting technology exists today.
Scan your victim's card, and record the pattern you see.
Place the recording on a similarly-sized device with any type of display. (LCD, LED, anything that can be powered by a small solar panel) "Cheap" copies targeted against "cheap" scanners won't need backlighting for the display.
Make sure the card-sized device has a solar panel on it that will be able to power the display and the supporting IC that controls the display.
When the illuminator turns on, the card has power. The card then immediately starts playing back the stored video, mimicking what the scanner would see had it been the real thing.
This assumes, however, that the scanner has only one "eyepiece." Camouflaging (sp) the card so it looks real to the human observer would probably be difficult.
What's this Submit thingy do?
Actually, there's an easy way to get around what you're saying. Use phosphors or an LED or something so that your film is 'always' glowing.
Of course, none of this matters, since the above poster basically didn't understand what the whole thing does anyway.
autopr0n is like, down and stuff.
You just use the 'fob' as we're calling it here as any other one way function. Take say, 8 bits of data, and point the laser at the fob at -128 to 127 degrees. Then take an 8 bit md5 hashcode of the result. Repeat as needed.
:)
It would actually be a pretty cool encryption system, basically data would be locked forever unless you had the card. You'd never have to worry about anyone getting access to your data, since they would need the card to read it. And, if for example the FBI was on your ass, just throw the card in the microwave
autopr0n is like, down and stuff.
The secret isn't the speckle pattern, but rather the output of the speckle pattern when tested from an arbitrary angle. Even if you know the speckle pattern, you can't computationally figure out what the output would be with today's computers (or tomorrow's, or the next year's, etc.)
autopr0n is like, down and stuff.
1) How do we know that determining the bubble pattern of the fob is difficult enough to determine? This seems to me to boil down a simple, but large, ray tracing problem. Commodity graphics cards today can do fantastic things with lighting that were dreamed by many as not even possible only 15 years ago. Perhaps it can be exploited to solve this problem in the near future. I'm not convinced that this is truly a one-way hash; the idea is too new to confidently rule out the possibility of a solution.
2) Duplication is perhaps beyond current technology, but maybe not far away. It isn't difficult to imagine a material that can have its light refraction properties modified at an arbitrary point that is located at the intersection of two or more lasers. Holographic research has been focused on solving this problem for some time and may have already come up with a (albeit expensive) solution.
science is a religion
The government didn't know what buildings were going to have a plane imprint last time, despite the fact that they already knew all about bin Laden and co.
autopr0n is like, down and stuff.
all of these "darn near impossible to reproduce" crypto systems are just variations on a one time pad .
Slashdot sucks. Sckienle should save himself before it's too late!@
autopr0n is like, down and stuff.
1. sub-space projection
2. uniqueness
Think of it as the bubble patterns is one member of a very-very large set (the "bubble" set) and the laser is a projection or mapping function of this member of the bubble set on to a much smaller "diffraction pattern" set. Since the different laser angles can be used, that's like using different mapping functions.
A verification agency isn't gonna store which member of the bubble set each token is and do a diffraction simulation with computers every time the token is scanned, but more likely they will store the one or two projections on to the diffraction pattern set which are created by the one or two reader devices that are marketed. Also the whole diffraction pattern isn't gonna be stored, but just the part of the pattern sampled by the device.
This seems like a much easier problem to solve for the token forgers. All they have to do is make a token that when projected to the one or two sampled diffraction sets stored by the verification agency instead of the infinite possible diffraction patterns of arbitrary precision.
Then you have the uniqueness problem. Since the verification agencies are likely only storing sub-space projections which are finitely sampled, there's the possibility of collisions between two cards. At least with a non-one-way function, you can detect collisions beforehand, now you have to make the card with bubbles and project them to your subspaces and only then discover there's a collision and you have to throw the token away. This also defeats the feature alluded to that you can always use another projection. If you don't check for collisions ahead of time, they will inevitably occur (think of the birthday paradox).
There are fundamental mathematics working against any scheme that depends on low probability of collision. You don't have to duplicate a specific thing, but you hope for a collision (which is duplicating any one of a large set). This of course is much easier to do and is known as the birthday paradox in probability theory. This has been used as theoretical fodder to break many encryption systems (meets in the middle attacks).
Here's another way to think of it. You have a zillion digit credit card number (token) and you apply a few different hash functions (laser angles) to the number to get a "signature" (diffraction pattern). The only advantage of this technology is that it's hard to duplicate this zillion digit number where most things electronic are easily duplicated. But some of the other "features" don't seem easy to take advantage of.
It's like the phreakers of yesteryear where they just guessed long-distance calling card codes if the set is large enough, collisions are inevitable. That's when companies invented PIN numbers. What it probably means that these tokens will probably end up being only as secure as your 4 digit ATM PIN... Something to think about...
Sometimes when you think outside the box, you realize that the box was green and the grass is really dead out there too...
The article seems to be missing the point of one way functions. If you don't change the inputs to a one-way function, it is exactly the same as constant (ie. no good for verification of anything).
An easy application is for keys. If the lock has N input/output pairs recorded, getting in with a fixed example output would be hard.
A more advanced use of these things would be to have some standard way of encoding a bill of sale including a datestamp into bits that could drive the laser inputs. Then save the resulting pattern(s) as proof that the vob was there at the time of the transaction.
However, that leaves a major hole. If the user destroys the vob, the store can no longer check if the signature was valid. To combat this, the user needs to be identified at the time of the transaction. As long as the vobs are registered in a central identity server so that the store can make sure the person is who they claim to be at that point. Additionally users have to record lost or destroyed vobs. The central identity server could use the N known input/output pairs to authenticate the user.
This doesn't work that way. That's a good basic idea, though: an optical equivalent to digital signatures. Can somebody make it work?
This story has a misleading title. Basically, the article says that they've found a cheap way to implement a hashing function in hardware. Unlike a software hashing function that takes data to be hashed as input and produces the hash as output, the physical mechanism accepts a certain pattern of lasers as input and produces a speckled light pattern that can be observed from any angle as output. Since the position of the glass beads in the epoxy will be different for all cards, each glass and epoxy smear will have a different hash function that can be used to tell them apart.
There's no encryption/decryption going on here, just hashing, but that is an important concept in the field of cryptography.
The main application of this is to replace magnetic stripes on credit cards. Currently, the machine-readable part of a credit card produces a small amount of static output (16 or so decimal digits) and is easy to copy with readily available equipment. By switching to these new chips, the number and complexity of possible outputs that the card can produce would be increased and the output-producing device would be more difficult to duplicate.
For example, right now your electronics-geek waiter could slip your credit card through her palm pilot with home-made magnetic reader attachment on her way back to the register. Later, she could take a used or invalid credit card, and write your magnetic pattern onto the bar. Credit card machines wouldn't be able to tell the difference between the original and the duplicate, so she effectively stole your credit card and you wouldn't know until the bill came.
If you were using a glass and epoxy chip, there would be several problems with duplicating this kind of attack.
1. The waiter would have to read 125 gigabytes (1Tb=1TB/8=~125GB) of data into her intermediate storage device in a few seconds. That's a lot of fast memory to pack into a small space. Copying only a few possible outputs wouldn't work, as only the credit card company would know exactly which (laser position, card output) data pairs it had on file for use in a challenge-response protocol.
2. Assuming the waiter could read out the entire card before handing it back to you, she would have a hard time duplicating it later. She would have to construct a physical object taking laser position as input and producing specific light patterns as output. While hooking up a credit card shaped I/O device to a laptop with the 125GB database would be possible, chances are somebody would notice a suspicious person plugging their laptop into an ATM. Also, considering that the laptop would have to sift through 125GB of data before it could tell the I/O device to output a certain light pattern, whereas the true card would produce the "right answer" at the speed of light, a timeout function on the card reader would be effective in preventing this kind of attack.
I think most people here are missing the point of this.
I am not an optical engineer, but the important part of this is not "you cannot duplicate this token", since that didn't appear to be in anything I read; it's "you cannot duplicate this token _by reading the interference pattern or disassembling/probing inside_", which is a different problem entirely.
I suspect that with sufficiently high-quality materials and production controls, it _is_ possible to duplicate these in the production phase, which then makes it a useful toy; make two of them that have the same interference pattern, and given identical readers, you have a one-time pad that you can use for quite a while. I don't know how they're embedding the glass spheres in the epoxy, but with a finite number of positions for each glass ball in the epoxy (small enough to be useful, large enough to be secure), you might be able to have either coded duplicates (like keys; "2488210366" == "glass balls in pattern X") or a "mold" system where you position the balls identically for a pair of tokens and then destroy the mold, making it impossible to recreate the tokens. Either way has its useful features.
--
SD
I am Chaos. I am alive, and I tell you that you are Free. -Eris
In fairness, I disclose that I have not read the Nature paper. Have any of our resident holographers taken a stab at this? I couldn't find my copy of Goodman's book or notes from Leith and Upatnieks to save my life. But there is a whole sub-field of holography dedicated to speckle patterns. And it "magically" does all the hard work of inversion within a sufficient sub-space of the one-way hash-function implemented by the token. Seems to me that if you had access to the resultant speckle pattern(s) (one for each angle and wavelength of illumination used for authentication) and a photopolymerizable material moldable into the geometry of the "token," then you could synthetically create a functionally equivalent volume hologram. (In fact, more than one, as holography experts will explain in detail the requirements for uniqueness.) You don't even need access to the token you wish to forge! All you need is the set of all readout patterns actually on file. Forgery definitely requires more sophistication than magstripes. But it is doable in the lab. Hey, I'm only an optical physicist. (Really.) But what do I know?
Are these writeable?? If not, rule out smart card replacement. Also, if these were to replace credit card mag strips, why not capture the transaction past the reader and then re-transmit??
Any technology designed to help bypass scratches in the Media would inevitably make the cards easier to clone or fake. They would need to be less precise to compensate, hence your copy needs to be less precise. (Again, error correction defeats the purpose of the card. They have to shine laser light through at several angles, or expect the pattern to be less precise, most likely both.)
How would on-line ordering work?? Do I need a reader in my PC?? For those of you who say yes, reach over and get that mag strip reader out of your PC. Riiiiight....
I would guess that it would take 2-3 Years before cloning these cards is an option (Well, as much of an option as cloning mag strips) but thefts and fraud will still be happening in the interim. If I can record the transmitted pattern upstream, I can figure out how to re-transmit that pattern. If these cards have any of the conveniences we have become used to, like numbers printed on the card for online ordering, they are inherently insecure anyway, and Laser-Whoozie crypto won't help.
I can see some ways how this could be far more insecure than the current system. If there is a centralized database for authentication of these speckle patterns, there is a single point of attack. Also, there is a centralized location to watch for all transactions to take place.
This might make card duping harder, but not impossible. Also, the CC companies won't like the fact that these keys are totally "Random" and unduplicatable for them as well. Never expect a CEO to understand, "If you can duplicate them, so can other people." Hence, they will have a means of duplicating any particular token (or be unsuccessful), and it doesn't take long for that information to make it out into the wild.
Perfect Crypto??? Right over there next to my perpetual motion machine.
Hammy