Yes I can guess an ID. So what? I don't understand the threat model here.
But if the goal is effectively unguessable, 64 bit numbers would be fine. That's less than a one in a million chance of guessing an ID, so trying to guess is harder than just looking at some real bottles and copying their numbers.
> simple self-sustained checker can confirm that bottle is indeed valid one
> Yes I can guess an ID. So what? I don't understand the threat model here.
can print fake cola codes for infinite refills :) and some other genuine cola buyer will be very angry because their mint-condition bottle already used up.
Also, "one in a million" assuming this tech is only being used by this specific product. if anyone else is going to use the same schema for anything else, numbers will dry up much faster. bringing oats as valid cola bottle is funny. if you add prefix, it'll eat up these sweet sweet bytes
also, 1/million is not that much - you can spam online check api (and you need one with just IDs) to filter out existing ones. All in all 64-bit or so IDs have too many downsides to consider them useful, one simple misstep and the whole model is broken
You misunderstood what kind of "refills" are being talked about here.
> Also, "one in a million" assuming this tech is only being used by this specific product. if anyone else is going to use the same schema for anything else, numbers will dry up much faster. bringing oats as valid cola bottle is funny. if you add prefix, it'll eat up these sweet sweet bytes
I completely disagree with how you're using numbers here. Whether a number is a valid coke ID has no relation to whether it's a valid oats ID.
The thing the ID is attached to already acts like a prefix, while costing 0 bits.
The only way this could possibly make a difference is if you're scanning through hundreds of thousands of other packages and checking if their numbers happen to be a valid coke ID so you can cut it out and stick it on a coke bottle, all to avoid printing it yourself. That sounds unlikely. In particular you still need to check every number, so you're basically using other packages as a very very slow RNG to save two cents of printing costs.
> also, 1/million is not that much - you can spam online check api (and you need one with just IDs) to filter out existing ones
Mass-spamming an API that has even the slightest of anti-spam measures is a pain in the ass, especially if you want more than a couple IDs. The threat of "just find one of the many billions of real bottles and copy the ID off it" is always there, so if technical attacks are orders of magnitude harder then they don't matter.
But if the goal is effectively unguessable, 64 bit numbers would be fine. That's less than a one in a million chance of guessing an ID, so trying to guess is harder than just looking at some real bottles and copying their numbers.
> simple self-sustained checker can confirm that bottle is indeed valid one
Unless the number was copied.