DEV Community: numa

What Is Information Structure? Foundations of a New Security Architecture

numa — Sat, 31 Jan 2026 11:23:43 +0000

Even if we say that humans are made of information structures, few people would believe it.
After all, the human body is entirely a physical structure.

However, consider a person introducing themselves.
Is the content of that introduction a description of their physical structure? No.
When people introduce themselves, they convey information structures such as name, address, age, and other personal attributes.

In other words, the essence of a human being is an information structure built upon a physical structure.
Announcing one’s name is actually presenting a highly sophisticated information structure, though people take it for granted and rarely notice.

If we understand information structures, we can design more advanced security systems.
By applying the mechanisms of information structures, it is possible to achieve unprecedented defensive capabilities in security design.
Adding the perspective of information structures to the real world allows us to reconsider and improve security design.

Humans as Information

If humans are composed of information structures, then all interactions can be seen as handling information.
There is no contradiction here.

Communication between humans can be understood as the exchange of information.
Mutual understanding is built upon accumulated information.

When a person reads a book and comprehends its content, then acts upon it, this process involves receiving, interpreting, and executing information.
From this perspective, humans can be considered to be made of information.

There Is No Matter Without Information Structures

Furthermore, all matter inherently has information structures.
There is no matter without information.

Even when sunlight reaches us, we first perceive the information of the sun through light before feeling its heat.
Physically, our perception starts with information carried by light, followed by the heat and energy generated by the sun.

By analyzing the received information structures, we can understand the structures contained in the source.
The key point is that information (light) reaches us faster than heat or force.

The Apple Example

Let’s consider an apple.

Suppose you have a single apple and cut it in half.
Which comes first: the physical division or the information structure?

This may seem like wordplay, but in fact, the apple becomes “two” as an information state, determined when the apple’s identity (name) is divided.

Unless the information is divided, it remains a single apple in a divided state.

Information structures allow the two halves to exist conceptually before the physical act of cutting.

Once divided, the apple rarely returns to a single whole.
Moreover, the cut surface contains irreversible information about the division.

Physical Phenomena as Information

When we analyze physical phenomena, the data we collect may appear to be purely physical.
However, the essence of that data is an information structure.

That is, when we quantify physical phenomena, we are accessing the underlying information structure of the physical world.

You might then wonder: are humans able to process the information structures of matter?

In reality, humans only perceive an abstraction of information structures via the senses or measuring instruments.
We do not yet have a protocol to fully read information structures.

Humans can access only part of the information structures inherent in matter.
This is because we have not yet defined matter as inherently possessing information structures.

What Is “Identity”?

So, what exactly is an information structure? Let us analyze it.

Information structures contain what I call identity.
Identity determines ownership of an information structure.

Information without ownership cannot exist and is thus particularly important.
An information structure without a label cannot be realized.

Identity, Authority, Authentication

Take a driver’s license as an example to illustrate identity, authority, and authentication:

Identity = Name, birth date, photo — representing the person.

Authority = Permission, e.g., the right to drive a car

Authentication = Presentation to an external entity, e.g., a police officer

Each of these alone has no meaning.
Combined, they form a functional driver’s license.

Although a driver’s license is typically treated as a single object, it is in fact a collection of three information structures.

Identity alone is just a label.
Authority alone cannot act without identity.
Authentication alone is meaningless without the other two.

The driver’s license demonstrates how humans unconsciously embed and utilize information structures in society.

Applying Information Structures to Security

Earlier, I mentioned that information structures can be applied to security.
The principle is simple:

Physically separate identity and authority.

When physically separated, the parts seem unusable.
However, reconnect them momentarily when needed.

Measures like Zero Trust principles ensure security during connection.

Separating identity and authority in this manner is highly effective.
Even quantum computing cannot compromise this structural separation because no central secret exists.

All that remains is to make reconnection convenient for the user.
This is the foundation of a trust architecture.

Properties of Identity

Identity in information structures has properties similar to electrons in physics.

It can change instantaneously but retains the integrity of its structure.
In other words, identity maintains its uniqueness even when dynamically changing.

However, this property cannot be arbitrarily modified.

Unlike electrons, which exist in large numbers, identity is singular for each information structure.

Duplicating it creates multiple conflicting structures, breaking its singularity.

Therefore, there is not one identity per physical structure but one identity per information structure.

This property can be used to create information structures that cannot be copied.

Just as electrons occupy specific orbits, identity must have an authority orbit to manifest as authentication.

Authentication presents this structure to the outside world.

Information is dynamic, but identity retains its essence.

The relationship between identity, authority, and authentication resembles electron, orbital, and measurement in physics.

Identity and authority interact in a way analogous to minimal authentication units.

Physical Carriers

Information structures cannot exist alone except in a black hole.

They require a physical medium — hardware, body, paper, or device — to exist.

Exceptions exist where information structures are carried by light (photons).

Hence, the minimal unit for carrying information may be light.

Conclusion

Information structures are still unrecognized entities, but humans unconsciously use them in all sensory perception and communication.

They are invisible, yet they consistently manifest in our actions and conversations.

It is impossible to prove their nonexistence:
“not found” itself is information — proof that something exists as an information structure.

Information structures are not tangible entities; they are the rules underlying phenomena.

Various fields are beginning to recognize the presence of information structures.

This remains a cutting-edge topic.

While one can debate whether information or matter comes first, what matters is understanding the structures that humans unconsciously employ.

Exploring information structures is fundamental to human evolution.

Security Risks of Mobile Authentication: Smartphone Login Is Unsafe

numa — Mon, 26 Jan 2026 15:51:50 +0000

This model does not rely on cryptography or computational hardness.
It relies on physical and structural separation.

What do you think about the current situation where everything is concentrated in a single smartphone?

Modern smartphones have a structure in which identity, authority, and private keys are all concentrated in one device for authentication.
As a result, if a single smartphone is compromised or lost, everything is lost.
Putting everything into one smartphone is not necessarily bad.
Because it is convenient.
However, I want you to think about security.

Can the loss of one smartphone really be compensated easily?
Is the information that is lost or stolen really that insignificant?

I think this way:
A structure where one loss leads to total loss is dangerous.
By intentionally dividing this convenience, we may be able to maintain usability while improving structural security.
So how can we solve this problem?

A Two-Card Approach

I propose one improvement: using two cards.
In my system, instead of relying entirely on one smartphone, authentication functions and information are distributed across two cards.
With this design, even if one of the two cards or the smartphone is lost, secure operation can continue.
The idea of distributing information across two cards is based on intentionally separating the roles currently concentrated in smartphones, making the system more secure and easier to use.
Some may say that using two cards is inconvenient.
However, with current technology, automation is possible.
From an authentication perspective, I believe that presenting one card is still necessary. The process of "I am intentionally authenticating right now" is still important for humans.
The other card can stay in your wallet and operate automatically using Bluetooth Low Energy (BLE) or NFC. It only responds when identity confirmation is required.
With this automation, users only need to present one card, just like before.
Company gates, for example, can be fully automated. However, full automation must always be implemented carefully.

Security Strength with Two Cards

Although not widely known, using two cards can dramatically increase security strength.
This is a completely different level of security compared to one card or one smartphone.
The physical separation between the two cards creates a gap that cannot be exploited by computational attacks. Even quantum computer attacks become practically meaningless.
This extraordinary strength comes from the fact that there is no clear attack target.
When nothing meaningful exists in one place, there is nothing to steal.
This level of defense is achieved only when:

Two cards are used
Information is separated correctly

With a single card or smartphone, this level of security is impossible.
In other words, even inexpensive cards costing only a few hundred yen can provide strong structural security.

Separating Identity and Authority

In systems like driver's licenses, we have two concepts:

Identity (who you are)
Authority (what you are allowed to do)

Traditionally, these have been combined into one physical document.
But what happens if we physically separate them?

"Proof of identity" → Card1
"Proof of authority" → Card2

Identity alone cannot grant permission. Authority alone does not tell who the user is.
Each becomes meaningless on its own.
This loss of meaning is what we use for security.
Although the separated cards may look the same as before, structurally they have changed into individually unusable forms.
I call this transformation "information phase transition," similar to phase transitions in physics.
When the two cards reconnect, the information transitions again from a meaningless state to an executable identity-and-authority state.
This switching between separated and connected states becomes the foundation of security.

Beyond Secret Sharing and Zero Trust

This two-card model is inspired by secret sharing. However, reconstruction is never performed.
Reconstruction leaves traces and creates a new attack target.
We also apply Zero Trust: trust nothing.
The cards do not store sensitive personal data.

The identity card stores only a server-issued registration number
The authority card stores anonymous permission data

Even if stolen, neither reveals anything meaningful.
The goal is to ensure that stolen information is structurally useless.
If nothing valuable exists in one place, it cannot be stolen.

How Authentication Works
The two cards mutually authenticate each other using BLE and NFC.
Users only present one card, but in the background:

Card1 verifies identity
Card2 verifies authority
Both must approve

Neither can act alone.
Card2 always executes authority only with Card1's approval.

ATM Example

Traditional ATM:
Card2 (Authority / NFC) + PIN = Identity confirmation (estimated) → ATM

New ATM:
Card1 (Identity / BLE) + Card2 (Authority / NFC・BLE) = ATM (Authentication + PIN)

Look carefully at this structure.
Surprisingly, traditional ATMs have no real identity verification.
Card2 + PIN only means "probably the right person."
This is structurally close to 1.5-factor authentication and lacks true identity proof.
This absence of identity verification is a critical system flaw.

New ATM Flow (Card Perspective)

1. User presents Card2 to the ATM (NFC)
2. ATM requests identity proof from Card2
3. Card2 requests identity proof from Card1 (BLE)
4. Card1 provides identity proof to Card2 (BLE)
5. ATM receives proof from Card2 and starts service (NFC)
6. PIN may be requested if necessary

The key difference is that identity verification is now included.
Card1 is created through strict identity verification, making real identity proof possible.
Behind the scenes, NFC + BLE + Card1 + Card2 + ATM form a multi-layer defense system.
Users still present only one card.

Workplace Example (Dynamic Authority)

Card1 (Identity) always ON +
→ Entrance gate: (Card1 + Card2) automatic approval
Card2 (Authority): NFC or BLE
→ Arrival: Job-level permissions start (BLE)
→ Area access: Zone-based permissions (BLE/NFC)
→ Work start: Status change (BLE)
→ PC use: Login permissions (NFC)
→ Special equipment: Manager A approval (1/2)
→ Pending Manager B approval (2/2)
→ Active → Break: All permissions suspended (BLE)
→ PC sleep: Permissions paused
→ Resume work: Permissions restored
→ Leave: All permissions ended

Authority is not simply ON or OFF.
It changes dynamically based on:

Action
State
Time

Yet, no matter how complex these changes become, the overall structure remains stable.
Even changes beyond human intuition do not break the system.

Final Thoughts

The key is physically separating identity and authority.
Simply splitting data evenly does not achieve this security level.
Correct structural separation reveals hidden strength.

By combining:
Secret sharing
Zero Trust
Knowledge / Possession / Biometric factors

We can build a new security model.
Security may feel inconvenient, but strong structures should not be oversimplified.
Authority evolves through human intelligence.
Its freedom is not a weakness - it is its greatest strength.