Dual-Use Marker Article: Roadway Infrastructure as Credentialed Device

Mechanism

The marker is a sealed physical article installable in roadway, lane edge, shoulder, or other infrastructure positions and is built from four functional layers. The first is a retroreflective optical layer using established roadway-marker materials (3M, Avery Dennison, or comparable construction) that produces high-contrast return under headlight illumination for human drivers and for camera-based vehicle perception. The second is a passive RFID inlay housed in a sealed IC cavity, carrying both an immutable identity field and a credentialed payload region. The third is an optional photovoltaic-plus-LED active illumination subsystem providing night-time visibility enhancement and, in some embodiments, a modulated optical beacon that machine perception can synchronize to. The fourth is the weatherproof enclosure, rated for a typical roadway service life of ten to twenty years and for the mechanical loading produced by tire impact and snowplow contact.

The dual-use property is structural, not coincidental. A vehicle passing the marker may extract a positioning constraint from the optical return — the centroid of the retroreflective return, observed against the vehicle's calibrated camera or lidar geometry, constitutes a pose anchor — while simultaneously reading the RFID payload through an underbody antenna. The two extractions are independent measurement channels grounded in the same physical article. The article-level claim insists that the identity field be cryptographically bound across both channels: the optical signature (where embodiments support optical identity, e.g., modulated LEDs or coded retroreflective patterns) and the RFID identity must agree, and a vehicle that observes a mismatch is required to flag the marker as compromised rather than reconciling silently.

Both uses share a single governance class. The credentialing authority that attests to the marker's payload also attests to its physical placement and identity; a marker may not be governed as a positioning beacon by one authority and as a routing oracle by another. Cross-use audit is required: when a vehicle uses both a positioning reading and a payload reading from the same marker within a single decision, the lineage record must reference the marker's identity once and explicitly note both uses, so that downstream auditors can detect circular reinforcement (using a marker's payload to validate a position that was derived from the same marker's optics).

Operating Parameters

Read range for the passive RFID payload is typically one to three meters at vehicle-roadway geometries, which sets the temporal window during which a vehicle moving at highway speed can complete a read — on the order of fifty to one hundred milliseconds at 100 km/h. The credentialed payload size is bounded to fit within this window plus error correction, typically a few hundred bytes for the credential plus a signature.

The retroreflective coefficient meets or exceeds the relevant ASTM and EN classifications for the marker's installation context (roadway centerline, lane edge, or shoulder). The active illumination subsystem, when present, is duty-cycled to keep average draw within the photovoltaic budget for the deployment latitude and to prevent thermal stress on the IC cavity.

Governance-class binding is enforced through credential structure: the payload signature includes the credentialing authority identifier, the marker's geographic placement attestation, the issuance epoch, and a revocation pointer. Vehicles maintain a current revocation set and treat revoked credentials as invalid even if the marker is physically intact. The cross-use audit flag is a single bit in the credential header that, when set, requires the vehicle's lineage system to log every use of the marker's payload alongside any positioning reading derived from the same marker.

Alternative Embodiments

In the surface-mount embodiment, the article is bonded to the pavement with epoxy in the same workflow as conventional retroreflective road studs and requires no civil-works modification. In the embedded embodiment, the article is set into a milled pavement recess flush with the surface, which protects against snowplow shear and extends service life on routes with winter maintenance. In the post-mount embodiment, the article attaches to lane-edge delineator posts or to overhead gantry hardware for use in tunnels and grade-separated structures where pavement mounting is impractical.

In a powered-only embodiment, the active illumination subsystem and a more capable transceiver replace the passive RFID, supporting higher payload capacity, two-way handshake with the vehicle, and over-the-air credential rotation. This embodiment is intended for high-value installations such as toll points, port entries, and restricted-access lanes where the cost of powered hardware is justified by the operational value of dynamic credentials.

In a multi-modal-identity embodiment, the marker carries a coded retroreflective pattern (a small machine-readable modulation of the optical return) in addition to the RFID payload, giving the vehicle two independent identity channels. The cross-channel agreement requirement applies, and disagreement triggers the compromised-marker flag.

In a degraded-RFID embodiment, the article continues to function as a pure retroreflective marker even when the RFID inlay has failed, and the vehicle's admissibility framework gracefully degrades to camera-only positioning without payload anchoring. The governance class still applies — the marker is recorded as RFID-unavailable in the regional infrastructure registry — but human-driver function is preserved indefinitely.

In a non-roadway embodiment, the same article construction is applied to rail wayside, port apron, warehouse floor, or airport surface markings, where the dual-use property holds with a different reader population (human operators of marked vehicles plus autonomous yard equipment). The governance and audit requirements transpose directly.

Composition With Other Primitives

The dual-use article composes with the marker-track positioning primitive by contributing high-quality pose anchors and with the credentialed-payload primitive by delivering signed routing authority. The shared-governance-class requirement composes with the cross-use audit requirement to prevent a class of failure mode in which a single physical compromise (a relocated or counterfeit marker) silently corrupts both the vehicle's position estimate and its routing decisions.

The article composes with the vehicle's admissibility framework: a credentialed payload from a non-revoked marker, observed in a position consistent with the regional infrastructure registry, is admissible; the same payload from a marker observed in an inconsistent position is inadmissible regardless of credential validity. This is the structural defense against marker relocation attacks.

Threat Model and Audit Requirements

The dual-use construction admits a small set of structurally distinct attacks that the article's governance and audit requirements are intended to neutralize. The first is marker relocation, in which a physically valid marker is moved from its registered position to a different location. A vehicle reading the credentialed payload sees a valid signature, but the position implied by the marker's optical anchor disagrees with the regional infrastructure registry. The cross-use audit forces the lineage to record both the optical position estimate and the payload claim, and the admissibility framework rejects the combination. Without the cross-use audit requirement, a vehicle could accept the payload while computing position from independent sources, never noticing the inconsistency.

The second attack is identity spoofing, in which a counterfeit article presents a forged optical signature paired with a captured-and-replayed RFID payload. The shared-identity binding requirement forces the optical and RFID identity fields to agree under cryptographic check; a replayed payload, even if signature-valid, will fail to match the counterfeit's optical identity and the marker is flagged. The third is credential revocation lag, in which a marker's credential has been revoked centrally but the vehicle has not received the updated revocation set. The article specifies that credentials carry an issuance epoch and a maximum-trust-age parameter; payloads older than the deployment-configured age are treated as expired regardless of revocation state, which bounds the exposure window.

The audit requirement is not a logging convention but a structural commitment. A vehicle that uses both a marker's positioning role and its payload role within a single decision is required to emit a lineage record that names the marker exactly once and lists both uses, with timestamps. Auditors querying the lineage can detect circular reinforcement (positioning derived from optics is used to validate a payload from the same marker, and the payload is then used to validate the position) and reject the decision. This audit pattern is what licenses combining the two uses safely; without it, dual use becomes a vector for self-confirming errors.

Lifecycle, Installation, and Maintenance

The article is intended for installation through standard roadway-marking workflows: a crew applies markers using existing equipment, with no specialized civil works required for the surface-mount and post-mount embodiments. At installation time, the marker is registered to the regional infrastructure registry by reading its identity field with a handheld interrogator and capturing GPS-corrected position. The registry binds identity to attested position; from that moment forward, vehicles reading the marker can compare observed position to attested position and detect relocation.

Maintenance follows the same cadence as conventional retroreflective markers, with the addition of periodic credential refresh for installations using rotating credentials. Refresh is performed by a service vehicle equipped with a write-capable interrogator, or, for the powered-only embodiment, over the air. End-of-life is signaled by either the regional registry (decommission event) or by accumulated cross-use audit failures (the marker is reading inconsistently with itself). Decommissioned markers are physically removed and their identity fields are added to the revocation set so that any counterfeit reusing the identity is rejected.

Prior-Art Distinction

Retroreflective road studs are decades-old prior art. Passive RFID embedded in pavement is also known, primarily for asset-management uses (locating buried utilities, tracking pavement maintenance history). Smart road studs with LEDs and solar charging are commercially deployed. The novelty of the dual-use marker article is not in any individual layer but in the structural integration: a single sealed article serving both human-driver visibility and machine-credentialing, with cryptographic identity binding across optical and RFID channels, a shared governance class spanning both uses, and a cross-use audit requirement enforced in the vehicle's lineage. Prior-art smart road studs either serve a single role (visibility, or asset tracking, or beaconing) or stack independent roles without binding identity or governance across them; the article-level claim here covers the binding and the audit, not the layers individually.

Disclosure Scope

The disclosure covers the four-layer article construction, the shared-identity binding across optical and RFID channels, the shared governance class, the cross-use audit requirement, the operating parameters that make highway-speed reads feasible, the surface-mount, embedded, post-mount, powered-only, multi-modal-identity, degraded-RFID, and non-roadway embodiments, and the composition with the admissibility framework. The §112 strategy treats the article as a physical apparatus claim with a discrete bill of materials and explicit governance binding, which positions the disclosure for continuation as separate apparatus protection independent of the broader marker-track method claims.