Migrate Markdown-Notes: projects, meetings, reference, personal

2026-01-26 22:05:01 +00:00
parent 9507ddf856
commit 49025b3586
93 changed files with 3422 additions and 11 deletions

@@ -0,0 +1,3 @@
- Maybe a simple table that shows our claim of 5 observation
- Need to show why we are different: we don't specify an exact code we are probablistic
- Thyaga thinks this is weak: Defensible competitive advantage. we need to explain why we are different from other systems
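
Review bot: the second bullet gives the differentiator as "we don't specify an exact code we are probablistic" without saying what is probabilistic about entry; spell that out in one sentence and correct the spelling to "probabilistic". The first bullet should say what the "5 observation" claim measures, and the third bullet runs the section title "Defensible competitive advantage" into the comment about it.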

@@ -0,0 +1,42 @@
Proposed high-risk technical innovation:
nKode is an observation-resistant “something-you-know” authentication method that replaces direct entry of a static secret (a PIN or password). The users long-term secret is a short sequence of memorable attributes (for example four icons). At each authentication, the terminal displays a shuffled layout that groups many attributes into a small number of selectable keys. The user does not enter their secret attributes directly. Instead, they enter the key IDs that currently contain their secret attributes.
Example:
Secret attributes: 😍🤢🤐🥸
```
_key1_ _key2_
| 😃😍 | | 🥸🤩 |
| 😇😎 | | 🤓🥳 |
----- -----
_key3_ _key4_
| 🥺🤯 | | 🫥🤥 |
| 😡🥶 | | 🤢🤐 |
----- -----
enter: 1,4,4,2
```
After authentication, the keypad is shuffled.
```
_key1_ _key2_
| 🫥😍 | | 🥸🤥 |
| 😇🤐 | | 🤢🥳 |
----- -----
_key3_ _key4_
| 😃🤯 | | 🥺🤩 |
| 😡😎 | | 🤓🥶 |
----- -----
enter: 1,2,1,1
```
The user experience remains “type four digits,” but the meaning of those digits changes each time based on the on-screen challenge.
Why this is materially different from prior studied approaches:
We recognize that observation-resistant PIN entry and graphical password systems have been studied extensively. nKodes novelty is not “using pictures,” and not merely “shuffling a keypad.” The core difference is the combination of (a) a stable, memorable secret defined over attributes, (b) randomized grouping of a larger displayed attribute set into a small fixed input alphabet (key IDs), and (c) parametrizable resistance to capture and inference via repeated sessions, while remaining compatible with high-throughput PoS and ATM constraints (small screens, fast entry, minimal user training, no extra sensors).
Security motivation and threat model fit for PoS:
Todays PoS skimmers typically steal card data and capture a static ZIP code or PIN. With nKode, a simple tap-and-log skimmer that records key presses is insufficient because the key press sequence is only meaningful when paired with the corresponding on-screen challenge. An attacker would need to add a camera (or equivalent screen capture) and then solve an inference problem across multiple observations of the same user to recover the underlying attributes. Based on our work with McCrary, we target configurations where an attacker needs on the order of 5 or more sequential observations to reliably recover a users nKode.
*comparied to static data....*
High-risk, high-reward R&D:
The technical risk is achieving a strong securityusability frontier concurrently: fast entry time, low error rate, accessibility variants, and quantified resistance to recording and inference attacks. Our Phase I work will produce (1) formal parameterization of layouts, group sizes, and session policies, (2) empirical usability results on realistic PoS/ATM workflows, and (3) measured attack resistance against key-logging, shoulder surfing, and screen-recording plus inference baselines.
Defensible competitive advantage:
Our patent claims cover a broad design space of attribute types (images/emojis, alphanumeric symbols, audio cues for visually impaired users, tactile patterns such as braille-like textures) and the grouping/shuffling mechanism across spatial, auditory, tactile, or label-based key groupings. This makes “simple re-skins” and modality pivots harder for fast followers.
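
Review bot: the second example's `enter: 1,2,1,1` does not match the keypad drawn above it. With the secret 😍🤢🤐🥸, the shuffled layout has 😍 and 🤐 on key1 and 🤢 and 🥸 on key2, so the entry should read 1,2,1,2. The line `*comparied to static data....*` after the PoS threat-model paragraph is a leftover drafting note; finish the comparison or drop it. Several possessives lost their apostrophes ("The users", "nKodes", "Todays") and "securityusability" lost its separator.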

@@ -0,0 +1,64 @@
_Please clarify the specific new high-risk technical innovation you are proposing to develop, and explain how you will be able to create a defensible competitive advantage. Many systems of this general type have been studied in the past._
??? of 3,500 characters w/ spaces
Proposed high-risk technical innovation: 
nKode is an observation-resistant “something-you-know” authentication method that replaces direct entry of a static secret (a PIN or password). The users long-term secret is a short sequence of memorable attributes (for example four icons). At each authentication, the terminal displays a randomized layout to protect against key loggers and social engineering attacks, such as shoulder surfing, that groups many attributes into a small number of selectable keys. The user does not enter their secret attributes directly. Instead, they enter the key IDs that currently contain their secret attributes.
Example:
Secret attributes: 😍🤢🤐🥸
 _key1_   _key2_
| 😃😍 |  | 🥸🤩 |
| 😇😎 |  | 🤓🥳 |
 -----          -----
 _key3_   _key4_
| 🥺🤯 |  | 🫥🤥 |
| 😡🥶 |  | 🤢🤐 |
enter: 1,4,4,2
After authentication, the keypad is shuffled.
 _key1_   _key2_
| 🫥😍 |  | 🥸🤥 |
| 😇🤐 |  | 🤢🥳 |
 -----          -----
 _key3_   _key4_
| 😃🤯 |  | 🥺🤩 |
| 😡😎 |  | 🤓🥶 |
 -----          -----
enter: 1,2,1,1
The user experience remains “type four digits,” but the meaning of those digits changes each time based on the on-screen challenge.
Why this is materially different from prior studied approaches:
We recognize that observation-resistant PIN entry methods and graphical password families have been studied extensively. nKode differentiates on two practical dimensions that matter in PoS/ATM settings:
(a) Fast, low-friction entry compatible with checkout throughput. Unlike many shoulder-surfing-resistant schemes that require multiple challenge rounds or complex mental transformations, nKode preserves a “type-a-short-code” interaction: users enter a short sequence of key IDs derived from a single on-screen layout. While we will quantify entry time and error rate in Phase I, prior work on shuffled keypads suggests that small increases in entry time relative to a static keypad can be achieved without fundamentally changing the interaction model.
(b) Designed to remain resistant under multiple recorded observations (not just one). A common limitation of observation-resistant schemes is that they degrade quickly when an attacker can record several sessions. In contrast, based on our work with McCrary, we are targeting nKode configurations in which an attacker must record on the order of 5 or more sequential authentications of the same users nKode to recover the underlying secret with high confidence.
Defensible competitive advantage:
Our defensible advantage is that our IP covers a family of nKode implementations, not a single keypad skin. The same mechanism can ship in regulated payment settings as a virtual keypad that mirrors physical keys, and in software and accessibility variants by grouping and reshuffling visual, alphanumeric, audio, or tactile attributes. Because the claims cover both the attribute types and the grouping mechanism that defines the challenge, a fast follower cannot avoid the core invention through cosmetic substitutions (for example, swapping emojis for letters/numbers).
Future Work:
nKode is not limited to PoS and ATMs. It can replace passwords in apps and websites by presenting unique AI-generated icons for each user. This eliminates password reuse, keyloggers, and dictionary attacks. These properties make it a strong candidate for healthcare (where authentication happens frequently on shared or semi-public workstations) and defense (where adversaries may capture keystrokes and recorded logins).
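
Review bot: the Future Work paragraph says nKode "eliminates password reuse, keyloggers, and dictionary attacks", which is stronger than item (b) in the same file, where an attacker who records on the order of 5 sessions recovers the secret; word the claim as resistance under a stated number of observations. The keypad drawings in this file are not inside code fences, so `_key1_` will render as emphasis and the columns will collapse, and the first drawing is missing its closing rule line. `enter: 1,2,1,1` should be 1,2,1,2 for the layout shown, since 🥸 sits on key2. The "??? of 3,500 characters w/ spaces" counter still needs filling in.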

@@ -0,0 +1,62 @@
_Please clarify the specific new high-risk technical innovation you are proposing to develop, and explain how you will be able to create a defensible competitive advantage. Many systems of this general type have been studied in the past._
??? of 3,500 characters w/ spaces
Proposed high-risk technical innovation: 
nKode is an observation-resistant “something-you-know” authentication method that replaces direct entry of a static secret (a PIN or password). The users long-term secret is a short sequence of memorable attributes (for example four icons). At each authentication, the terminal displays a randomized layout to protect against key loggers and social engineering attacks, such as shoulder surfing, that groups many attributes into a small number of selectable keys. The user does not enter their secret attributes directly. Instead, they enter the key IDs that currently contain their secret attributes.
Example:
Secret attributes: 😍🤢🤐🥸
 _key1_   _key2_
| 😃😍 |  | 🥸🤩 |
| 😇😎 |  | 🤓🥳 |
 -----          -----
 _key3_   _key4_
| 🥺🤯 |  | 🫥🤥 |
| 😡🥶 |  | 🤢🤐 |
enter: 1,4,4,2
After authentication, the keypad is shuffled.
 _key1_   _key2_
| 🫥😍 |  | 🥸🤥 |
| 😇🤐 |  | 🤢🥳 |
 -----          -----
 _key3_   _key4_
| 😃🤯 |  | 🥺🤩 |
| 😡😎 |  | 🤓🥶 |
 -----          -----
enter: 1,2,1,1
The user experience remains “type four digits,” but the meaning of those digits changes each time based on the on-screen challenge.
Why this is materially different from prior studied approaches:
We recognize that observation-resistant PIN entry methods and graphical password families have been studied extensively. nKode differentiates on two practical dimensions that matter in PoS/ATM settings:
(a) Designed to remain resistant under multiple recorded observations (not just one). A common limitation of observation-resistant schemes is that they are designed to resist human observation not video or screen recordings. In contrast, based on our work with McCrary, we are targeting nKode configurations in which an attacker must record on the order of 5 or more sequential authentications of the same users nKode to recover the underlying secret. See our work on https://github.com/Arcanum-Technology/nkode-shuffle.
b ) nKode does not require the user to enter an exact passcode sequence. Consider a keypad with 10 keys, each key displaying 10 possible icons, that can be used in a 4 icon sequence. Across all possible configurations, a user's nKode is one of 100,000,000 distinct 4-icon sequences. However, in any single login attempt, the users correct response maps to one of only 10,000 possible key-entry sequences. No other system works like this.
Defensible competitive advantage:
Our defensible advantage is that our IP covers a family of nKode implementations, not a single keypad skin. The same mechanism can ship in regulated payment settings as a virtual keypad that mirrors physical keys, and in software and accessibility variants by grouping and reshuffling visual, alphanumeric, audio, or tactile attributes. Because the claims cover both the attribute types and the grouping mechanism that defines the challenge, a fast follower cannot avoid the core invention through cosmetic substitutions (for example, swapping emojis for letters/numbers).
Future Work:
nKode is not limited to PoS and ATMs. It can replace passwords in apps and websites by presenting unique AI-generated icons for each user. This eliminates password reuse, keyloggers, and dictionary attacks. These properties make it a strong candidate for healthcare (where authentication happens frequently on shared or semi-public workstations) and defense (where adversaries may capture keystrokes and recorded logins).
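
Review bot: item (b) gives 100,000,000 possible 4-icon nKodes and 10,000 possible key-entry sequences per login but does not say what each number protects. As written, a blind guess at the keypad still succeeds with probability 1 in 10,000, the same as a 4-digit PIN, while each observed entry remains consistent with 10,000 of the 100,000,000 candidate nKodes; state both explicitly so a reader does not take the 10,000 as a weakness or the 100,000,000 as guessing resistance. "No other system works like this" needs a comparison to named prior schemes, since the prompt quoted at the top of the file notes that many have been studied. The item label "b )" should match "(a)".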

@@ -0,0 +1,46 @@
_Please clarify the specific new high-risk technical innovation you are proposing to develop, and explain how you will be able to create a defensible competitive advantage. Many systems of this general type have been studied in the past._
Below is an example of a virtual keypad with 4 keys and 4 emojis per key. Suppose my icons are 😍🤢🤐🥸. At the keypad terminal, I'd enter: 1,4,4,2
```
_key1_ _key2_
| 😃😍 | | 🥸🤩 |
| 😇😎 | | 🤓🥳 |
----- -----
_key3_ _key4_
| 🥺🤯 | | 🫥🤥 |
| 😡🥶 | | 🤢🤐 |
----- -----
```
After I successfully authenticate, my keypad gets shuffled. When I make another purchase, I'd enter 1,2,1,1
```
_key1_ _key2_
| 🫥😍 | | 🥸🤥 |
| 😇🤐 | | 🤢🥳 |
----- -----
_key3_ _key4_
| 😃🤯 | | 🥺🤩 |
| 😡😎 | | 🤓🥶 |
----- -----
```
This design thwarts credit card (cc) skimmers because they steal the cc number and log the zip code or debit card PIN. With nKode, skimmers would have to incorporate a camera to monitor the screen as well. What's more, they'd have to watch a user enter their nKode 5 times (based on our work with McCrary) to determine the nKode. Most skimmers are left on a cc terminal for at most a day. Thieves try to collect a few hours' worth of transactions, retrieve their skimmer, and move on to the next store to avoid getting caught and losing their skimmer (and the stolen data). The combination of requiring a camera and requiring multiple observations of the same cc/debit card on the same terminal over the course of a day is impractical. It's rare for one person to use a cc on the same terminal 5 times over the course of a week, let alone a day.
There aren't any authentication systems that work like nKode. It is the first change to something-you-know authentication since MIT first invented username/password. At Arcanum, we advertise nKode, a pictographic passcode in the shape of a keypad, but our patent covers a broad range of designs and attributes. The keypad design is well-suited for PoS/ATMs, with a virtual keypad on the screen that mirrors the physical keypad on the terminal; however, nKode is not limited to icons or keypad shapes. For the visually impaired, our patent covers audio attributes grouped into keys. For numeric data such as SSNs, keypad attributes can be entirely numeric. In desktop/mobile applications, icons can remain static while key numbers move to them. For example, the nKode displayed below can be entered on a keyboard. With icons 😍🤢🤐🥸, a user would type 1,2,1,1, the same as the second keypad above.
```
😃:3, 🥸:2, 🥺:4, 🫥:1
😍:1, 🤩:4, 🤯:3, 🤥:2
😇:1, 🤓:4, 😡:3, 🤢:2
😎:3, 🥳:2, 🥶:4, 🤐:1
```
With the keypad arranged like it is above, the keys don't need to be numeric either.
```
😃:c, 🥸:b, 🥺:d, 🫥:a
😍:a, 🤩:d, 🤯:c, 🤥:b
😇:a, 🤓:d, 😡:c, 🤢:b
😎:c, 🥳:b, 🥶:d, 🤐:a
```
In summary, nKode's moat is that we have a patent that covers a broad range of attributes: images, emojis, alphanumeric symbols, sounds, textures (like braille), and shuffles them in spatial(keys), auditory, tactile, or alphanumeric groups. CISOs and users want nKode. Users like nKode because it's easy to remember. CISOs want it because it eliminates key-logging, shoulder surfing, and password reuse.
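
Review bot: the numeric lookup table does not give the entry the text claims. It maps 😍:1, 🤢:2, 🤐:1, 🥸:2, so icons 😍🤢🤐🥸 are typed as 1,2,1,2, not "1,2,1,1"; the same correction applies to the sentence introducing the second keypad drawing. In the letter variant the entry would be a,b,a,b, and stating it would complete that example. "It is the first change to something-you-know authentication since MIT first invented username/password" and "There aren't any authentication systems that work like nKode" need sources or softer wording, given that the prompt quoted at the top says similar systems have been studied.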

@@ -0,0 +1,21 @@
## Prompt
Explain the core high-risk technical innovation to be researched and developed during a Phase I project.
NSF must understand what research and development is required and how this technical innovation differs from and is significantly better than existing solutions.
It may also be that the proposed innovation creates a new market.
In this case, why will it be adopted?
Describing features or benefits of the proposed technology is not sufficient.
The FBI estimates that more than a billion dollars are lost every year to credit card skimmers. Thevies steal card information and PIN numbers to steal from unsuspecting customers. Skimmers are esencially keyloggers. They steal the debit/credit card number along with they customers PIN or zip code. nKode is designed to stop the lose of information on the keypad. The users nKode is a pictographic passcode that can be entered either directly on the screen or with the keypad. Since scimmers can't see or record the screen, the pincode entered by the user is useless. Even if the skimmer could record the screen and process the infomation, an nKode can handle 4 observation before the skimmer could learn the nKode on the 5th observation. nKode can be intergrated into existing ATM/PoS(Point-of-sales) systems. nKode uses the same standards for hashing and encrypting as password/passcodes too. There is a $1billion dollar per year insentive to use nKode a a replacement for pins. A 4 icon nKode has orders of magnatude more entropy than a pincode of equvalent length......
nKode represents a fundamental reinvention of authentication through a dynamic, pictographic passcode system that eliminates dependence on traditional alphanumeric passwords or static biometric inputs.
At its core, nKode is a patented, keyboard-less authentication interface using a randomized, icon-based keypad. This innovation addresses a long-standing vulnerability in digital security—the reliance on memorized text strings that are prone to reuse, theft, and human error.
Unlike conventional systems, nKode leverages an AI-generated icon set assigned to each user, where icons are grouped and reshuffled across a virtual keypad on each login. The technical novelty lies in the backend use of transient, system-assigned values that are detached from what the user visually selects. This separation allows the system to change internal mappings without disrupting the user experience.
nKode's security is further bolstered by high entropy in user-selected passcodes, drawing from password entropy research that emphasizes the importance of randomness and resistance to guessing attacks. Research is still need to determine the minimum passcode length. With a minimum set of 54 unique AI-generated icons and order-dependent selection, a 4-icon nKode has over 23-bits of entropy (exceeding the NIST recommendation of at least 20-bits for randomly generated memorized secrets). nKode complies with NIST guidelines by enforcing non-dictionary-searchable patterns, eliminating keyboard-based input (eliminating keylogger risk), and supporting periodic backend renewal without user intervention. When nKode is entered with a keyboard, the numbers entered appear random to keyloggers.
The platform uses multiple layers of security: dynamic reshuffling, ciphering of user inputs, renewable backend attributes, and passcode hashing. Together, these form an authentication process resilient to phishing, replay attacks, and keyloggers that is capable of functioning securely over unencrypted or degraded channels.
nKodes architectural model enables a new market of secure, portable, and infrastructure-light authentication—extending MFA into environments (tactical, industrial, mobile) where traditional methods fail. It also offers a scalable and user-centric alternative for commercial applications like fintech, healthcare, and identity-first zero trust systems.
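
Review bot: the entropy paragraph contradicts itself on keyboard entry: it lists "eliminating keyboard-based input (eliminating keylogger risk)" and then says "When nKode is entered with a keyboard, the numbers entered appear random to keyloggers", while the draft paragraph under the prompt allows entry "with the keypad". Keep one statement; the second matches the rest of the file. "orders of magnatude more entropy" should refer to the number of possible codes rather than entropy, since the 23-bit figure given for 54 icons compares with roughly 13 bits for a 4-digit PIN. The NIST 20-bit figure needs a citation to the specific publication, "functioning securely over unencrypted or degraded channels" has no supporting argument in the file, and the first paragraph under the prompt still has many spelling errors and ends in "......".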

@@ -0,0 +1,9 @@
- nkode should be opt-in
- old atms shouldn't use nkode (use your old pin on legacy hardware)
- we won't hit every user. just like magnetic card strips are still used...
- we've done preliminary test for such and such a case... We are interested in studying other things...
# Arcanum
- usability study 68% approval rating in usability study. after creating their first nKode it was 63% approval rating. 35% approval for new technology is a very high score.
- FIS MVP out of their venture center accelerator
- Need to better describe nKode
-
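
Review bot: the usability bullet gives three percentages (68%, 63% and 35%) without saying what each measures or which result the 35% benchmark is compared against; name the study, the sample size and the question asked. "such and such a case" is a placeholder that needs the actual test, the `# Arcanum` heading interrupts the list, and the last bullet is empty.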