[Linux-aus] Fwd: Fwd: Re: Grant application
Michael Van Delft
michael at hybr.id.au
Fri Oct 16 20:30:52 AEDT 2015
For those that are interested, Derren's response to my questions is below.
For what it's worth I do not think that Linux Australia should sponsor
this because I don't feel that the solution actually does anything to
solve any of the problems that it attempts to address.
---------- Forwarded message ----------
From: Derren Desouza <derrend at yahoo.co.uk>
Date: 16 October 2015 at 16:03
Subject: Re: [Linux-aus] Fwd: Re: Grant application
To: Michael Van Delft <michael at hybr.id.au>
Thanks for the email, I'll try to answer your questions as best as
#the pill bottle is scanned by the courier who picks it up
from a manufacturing plant the way to the chemist. Then by the chemist
when they received the pills from the courier (because they want to
verify they are from the manufacturer and the courier hasn't done a
switch). Then by the customer when they get the bottle
I think in this case the courier wouldn't need to verify the
originator of the product because they collected it from the source
and when delivered to the chemist the pill bottles would likely be in
a bulk box of some kind which would have its own barcode thus allowing
the bottles to make their journey to the shelf unscanned.
#I don’t see how knowing that a subkey has been queried
1, 2, 3 or 27 times proves whether it’s unique or not.
a) It could be one bottle that's been checked 27 times,
b) or 27 identical bottles that have been checked once.
c) Or 1000 identical bottles but only 27 customers that care enough to
Each master key has 2146483647 subkeys (the words subkey and serial
number are absolutely interchangeable here) and so each 'bottle' would
have a unique qrcode.
a) Yes it could, hopefully though you were the person who performed
scan number one and every subsequent scan since. In fact it would be
prudent even if you did perform the first scan to periodically scan it
again to make sure the count isn't continuing to increment whilst you are
not watching it as this would be an indication that your
barcode/subkey/serial number has been copied.
b) This is what cryptoproof is designed to detect, if you are not the
first person to scan an item you are under the impression is brand new
then this is a clear indication that your item is a copy or has been
copied since each serial number is assumed to be unique.
c) You have identified something important here which is that the
system works only if people bother to scan the items in question,
there is nothing to prevent two counterfeit items existing undetected
at the same time but this is a fundamental problem that cannot be
dispelled regardless of whichever system you use because you cannot
know if the cat is dead or alive inside the box until you look at it.
Or in other words you cannot tell a genuine from a fake until you have
examined one of each, which is a property of reality and not a flaw in
#Also checking the count of how many times a subkey has been queried
relies on a single central authority (i.e. your website) that must be
trusted. There is no way others can verify the count you have is
That is the million$ question isn't it, which leads to:
How do we decentralise the database without having to worry that other
custodians aren't going to change records within it?
A blockchain suggests itself here but launching another altcoin is not
the way to go in my opinion.
Can we log hits directly to the BTC blockchain?
Possibly, and it's a solution I would be willing to explore but
hopefully there is a more elegant way to do it than that because the
blockchain is already growing too quickly.
I don't have the ultimate solution to this yet, I require time and
funding to find it.
#And if part A doesn’t hold up, you can't prove something is unique, I
don’t think part B holds up either. I can’t see what would stop
someone from just opening up one bottle of pills, and replacing the
contents (with or without querying the subkey) and then passing it off
as genuine. Or simply copying the label (assuming it’s a QR code with
the public key) and producing several copies of the bottle passing
them off as genuine.
Part A holds up, you can prove (to a very high degree of probability)
if an item is unique or not.
Someone could take a genuine bottle of pills, replace the contents and
pass that off as genuine but this person would almost certainly be a
murderer and I don't believe there is a way to combat that, if there
is perhaps it can be discovered with further research :)
(actually the answer to this one is marking each individual pill,
though the prospect presents itself as a tedious endeavour to both
of us it remains correct.)
Thank you for your questions, I'm always happy to talk about the
project, please feel free to contact me with any other queries you may
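
An added illustration, not part of the original thread or of the cryptoproof project: a minimal model of a central scan counter, showing that cases a), b) and c) from the quoted question leave the same count on the server, and that the count alone cannot say which physical item is the original. The class, function names and serial value are hypothetical.

```python
from collections import Counter

class ScanRegistry:
    """Hypothetical central counter: one integer per serial number (subkey)."""
    def __init__(self):
        self._hits = Counter()

    def scan(self, serial):
        """Record a scan; return how many times the serial was seen before."""
        prior = self._hits[serial]
        self._hits[serial] += 1
        return prior

    def count(self, serial):
        return self._hits[serial]

def verdict(prior_scans):
    # Rule described in the thread: a brand-new item must be a first scan.
    return "first scan" if prior_scans == 0 else "copied or previously scanned"

def run(physical_items, scans_per_item, scanned_items):
    """Scan `scanned_items` out of `physical_items` labels that all carry the
    same serial, `scans_per_item` times each; return the server-side count."""
    reg = ScanRegistry()
    serial = "SERIAL-0001"  # constructed sample value
    for _ in range(min(scanned_items, physical_items)):
        for _ in range(scans_per_item):
            reg.scan(serial)
    return reg.count(serial)

def first_scan_order():
    """Two labels with one serial: the verdict depends only on scan order."""
    reg = ScanRegistry()
    scanned_first = verdict(reg.scan("SERIAL-0001"))
    scanned_second = verdict(reg.scan("SERIAL-0001"))
    return scanned_first, scanned_second

case_a = run(physical_items=1, scans_per_item=27, scanned_items=1)      # a)
case_b = run(physical_items=27, scans_per_item=1, scanned_items=27)     # b)
case_c = run(physical_items=1000, scans_per_item=1, scanned_items=27)   # c)

if __name__ == "__main__":
    print("a:", case_a, "b:", case_b, "c:", case_c)
    print(first_scan_order())
```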