Veritas -

Veritas - Proof of Reality

Elevator Pitch

Hardware-signed photos that prove they're real, not AI.

The Problem

AI image generation has become scarily good. You can't tell what's real anymore just by looking and purported 'AI detection tools' are fighting a losing battle. We believe the problem is being approached the wrong way. Rather than trying to guess whether an image has been modified we have designed an unbreakable, formally verifiable, crytographic system to guarantee the authenticity of images.

We thought: 'What if every real photo came with cryptographic proof that it was actually taken by a camera, and anything without that proof was treated as suspicious?'

That's Veritas - meaning "truth" in Latin, and for Project Lazarus: we wanted to resurrect what AI killed... the ability to trust what you see.

The Solution

1) Capture App

The capture app connects to your webcam and takes the photo. As soon as an image is captured, it creates a unique fingerprint by computing a SHA-256 hash of the raw pixel data. That hash is then signed using the computer’s TPM chip, which holds a private key that cannot be extracted from the hardware. The resulting signature is embedded directly into the image file’s metadata.

2) Verification App

The verification app lets anyone check an image. You drag and drop a file, and the app extracts the embedded signature and the stored hash from the metadata.

It then reconstructs the image’s pixel data, reads every pixel as raw uint8 RGB values, and computes a new SHA-256 hash. If the new hash matches the signed hash in the metadata, the image is confirmed to be exactly the same as when it was captured.

If even a single pixel has changed, the hash will be completely different and the signature will fail to verify, indicating that the image has been modified and is no longer authentic to the original TPM-signed capture.

3) Rust Cryptography Engine

At the core of the system is a Rust-based engine responsible for the cryptographic and image-processing operations. This engine handles pixel extraction, SHA-256 hashing, metadata embedding, and signature verification.

Using Rust ensures the verification logic is memory-safe, deterministic, and fast, while also making it easier to reuse the core verification engine across different environments in the future (desktop apps, browser tools, or mobile clients).

The key insight is that AI-generated images can’t fake this proof. They don’t have access to a real device’s TPM and therefore can’t produce a valid hardware signature. And because cryptographic hashes are extremely sensitive to change, even a tiny edit to a verified image — a single pixel — breaks the signature and exposes the modification.

How we built it

We built two separate Electron apps because they serve different roles.

The capture app is a relatively lightweight Electron application that interfaces with the native webcam API. A significant amount of time went into designing the UI so that the capture experience feels polished and trustworthy rather than experimental.

The verification app is more complex. It’s built with Electron, React, and TypeScript to support a richer interface. It includes drag-and-drop image verification, a file explorer for managing trusted device certificates, and modals for inspecting key information. We spent a lot of time refining the file explorer so it behaves more like a real file manager rather than a basic web component.

Challenges we ran into

Working with TPM hardware turned out to be more complex than expected. Communicating with the TPM and managing key operations across platforms required digging into lower-level system interfaces that aren’t very well documented.

Image hashing also required careful handling. Hashing the encoded file doesn’t work because formats like JPEG can change slightly each time they’re saved due to compression. Instead, we had to reconstruct the raw pixel data and hash that consistently while still preserving the image’s metadata.

Finding a reliable way to embed the signature without breaking the image format was another challenge. JPEG EXIF fields and PNG text chunks have different constraints, so the metadata handling needed to account for both.

What we learned

Cryptography is actually not that complicated once you understand the underlying concepts. The real challenge is making it usable and integrating it into workflows people already understand.

Hardware-backed security like TPM is extremely powerful. Because the private key never leaves the hardware, it provides guarantees that software-only systems simply can’t offer.

The larger takeaway is that AI detection may not be the right long-term solution. It becomes an arms race between generation and detection. Veritas instead approaches the problem from the opposite direction: proving authenticity rather than trying to detect forgery.

We also learned that Electron apps can feel surprisingly polished when careful attention is given to UI details and workflow design.