OA19973A

OA19973A - Digital file anti-forgery protection.

Info

Publication number: OA19973A
Application number: OA1202100056
Authority: OA
Inventors: Eric Decoux; Philippe Gillet; Philippe THEVOZ; Elisabeth WALLACE
Original assignee: Sicpa Holding Sa
Priority date: 2018-08-06
Filing date: 2019-07-15
Publication date: 2021-08-10

Abstract

The invention relates to securing of an original digital file against forgery and falsifying of its associated data, and particularly of data relating to its belonging to a specific batch of original digital files, while allowing offline or online checking of the authenticity of a secured digital file and conformity of its associated data with respect to that of a genuine original digital file. The invention is particularly useful for securing printready digital files.

Description

The présent invention relates to the technical field of protection of digital data against forgery or tampering, and traceability of digital files.

BACKGROUND ART

The problems of counterfeiting and tampering digital files are well known, serions, and growing. The example of falsifying data marked on an original digital document such as a digital identity document or a digital version of a diploma is well known, and the concem is even worse if considering a digital copy of the original (possibly genuine) digital document. Simply keeping track of identifiers such as serial numbers, or even including some digital watermarks, is in general a weak response, because counterfeiters can easily copy such numbers or digital watermarks as well.

One other drawback of most conventional methods for insuring the authenticity of digital files, or securing their digital data, is that they tend to view files in isolation, even if they are members of a well-defined group such as a batch of digital documents for example. This ignores valuable authenticating information.

It is therefore an object of the invention to secure a printable digital file against forgery and falsifying of its associated data, and particularly of data relating to its belonging to a spécifie batch of digital files. It is also an object of the invention to allow offline checking of the authenticity of a printable digital file secured according to the invention and conformity of its digital data content with respect to that of a genuine digital file. The invention is also aimed at securing printable digital files so that it is easy to check authenticity of the data content of both the printable digital files and their printed versions. Particularly, a goal of the invention is to secure print-ready digital files, a print ready digital file being known as a print file that meets the following criteria: ail (possible) RGB images are converted into CMYK color, the file is in proper format like PSD, EPS, AL, High-Resolition JPG, PDF or TIF, and final image has enough resolution (i.e. 300 dpi or higher).

SUMMARY OF THE INVENTION

According to one aspect the invention relates to a method of securing a given original digital file belonging to a batch of a plurality of original digital files against forgery or tampering, each original digital file including its own digital data, characterized by comprising the steps of:

- for each original digital file of the batch, calculating by means of a one-way fimction an associated digital file signature of its digital data;

- forming a tree based on the plurality of calculated digital file signatures for the original digital files of the batch and comprising nodes arranged according to a given nodes ordering in the tree, said tree comprising node levels from the leaf nodes, corresponding to the plurality of digital file signatures respectively associated to the plurality of original digital files in the batch, to the root node of the tree, every non-leaf node of the tree corresponding to a digital signature by means of the one-way fimction of a concaténation of the respective digital signatures of its child nodes according to a tree concaténation ordering, the root node corresponding to a reference root digital signature, i.e. a digital signature by means of the one-way fimction of a concaténation of the digital signatures of the nodes of a penultimate nodes level in the tree according to said tree concaténation ordering;

- associating with the given original digital file a corresponding digital vérification key being a sequence of the respective digital signatures, from the leaf nodes level to the penultimate nodes level, of every other leaf node having the same parent node in the tree that the leaf-node corresponding to the digital file signature of the given original digital file, and successively at each next level in the tree, of every non-leaf node having the same parent node in the tree that the previous same parent node considered at the preceding level;

- making available to a user the reference root digital signature of the tree; and

- including in the given original digital file a corresponding digital security marking comprising a machine readable représentation of its digital data and its corresponding digital vérification key, thereby obtaining a marked original digital file of which digital data are secured against forgery or tampering.

Thus, if the digital security marking included in the digital file is printable as a barcode, the printed document (including the printed barcode) obtained by printing the secured digital file (by means of a conventional printer) is also secured, i.e. its printed data are secured against forgery or tampering.

The reference root digital signature of the root node of the tree may either be published in a media accessible to the user, or stored in a searchable root database accessible to the user, or stored in a blockchain, or in a database secured by a blockchain, accessible to the user. Thus, the reference root digital signature is made immutable.

Thus, according to the invention, the entanglement of the digital signatures of ail the original digital files of a batch, due to the tree structure and use of robust one-way functions for calculating the node values of the tree, together with the root digital signature of the tree that is made immutable and the inclusion of the digital data and its associated digital vérification key in a digital security marking included in the corresponding original digital file, allow tracking and tracing the marked files and their copies, as well as their printed versions, with a very high level of reliability while preventing falsification of data and forgery of the marked files.

The marked original digital file may further comprise root node access data included thereto and containing information sufficient to allow the user to access to the reference root digital signature of the root node of the tree corresponding to the batch of original digital files, said information being a link to an access interface opérable to receive from the user a root request containing digital data, or digital file signature, obtained from a digital security marking of a marked original digital file, and send back a reference root digital signature of corresponding tree, the access interface allowing access to, respectively, one of the following: - the media wherein the reference root digital signature is published;

- the searchable root database wherein the reference root digital signature is stored; and

- the blockchain, or respectively the database secured by a blockchain, wherein the time-stamped reference root digital signature is stored.

According to the invention, it is also possible that:

- a Virtual digital file is counted as belonging to the batch of original digital files, said Virtual digital file including its own virtual digital data, and an associated virtual digital file signature obtained by means of the one-way function of the virtual digital data, said virtual digital file being not real but only used for generating the associated virtual digital file signature from its virtual digital data; and

- the reference root digital signature associated with said batch of original digital files being calculated from a tree having ail the digital files signatures of the original digital files of the batch, including the virtual digital file signature, as leaf nodes.

In order to hâve shorter signatures the one-way function may be a hash function and an a digital signature of an original digital file may be a sequence of a given plurality of bits of lower weights selected from the bits of a hash value of the corresponding digital data.

In the above method, additional digital data corresponding to the digital data associated with the marked original digital file may be stored in a searchable information database accessible to the user via an information database interface opérable to receive from the user an information request containing digital data, or a digital file signature, obtained from a digital security marking of a marked original digital file, and send back corresponding additional digital data.

The digital data of the marked original digital file may further include reference characteristic digital data of a corresponding unique physical characteristic of an associated object or individual. Moreover, the unique physical characteristic of the associated object or individual may be, respectively, that of a material-based security marking applied on the associated object or identifying biométrie feature of the associated individual.

In the above method, the sequence of digital signatures in the digital vérification key included in the digital security marking may be arranged according to a sequence ordering of the nodes which is distinct from the ordering of corresponding nodes defined by the tree concaténation ordering, and the digital security marking may further include an ordering code associated with said sequence ordering. These features increase the level of security with respect to code breaking attacks.

According to the invention, in case the digital data of the respective original digital files of the batch are spread between given fields common to ail the digital files of the batch, spécifie digital data relating to these fields may not be included in the digital data but may be clustered in a separate fields data block associated with the batch, wherein:

i) the digital file signature of an original digital file is calculated with the one-way function of a concaténation of the corresponding digital data and the fields data block; and ii) the reference root digital signature is made available to the user together with the associated fields data block.

Another aspect of the invention relates to a method of verifying the authenticity of a digital file secured according to the above securing method, or the conformity of a copy of such secured digital file with respect to the original one, comprising the steps of, upon Processing a test file being said digital file or said copy of the digital file by means of a Processing unit connected to a memory:

- having stored in the memory the test file;

- reading a représentation of digital data and of a digital vérification key on a digital security marking of the stored test file, and extracting respectively corresponding test digital data and test digital vérification key from said read représentation;

- having stored in the memory a reference root digital signature of a root node of a tree of the batch of original digital files, and having programmed in the processing unit the one-way function to calculate a digital signature of digital data and of a concaténation of digital signatures according to the nodes ordering in the tree and the tree concaténation ordering;

- verifying whether the extracted test digital data and associated test digital vérification key indeed correspond to the stored reference root digital signature by performing the steps of:

- calculating with the one-way function a test digital signature of the extracted test digital data, said test digital signature corresponding to a test leaf node in a test tree corresponding to the digital security marking of the test file;

- extracting from the sequence of digital signatures in the test digital vérification key, a digital signature of every other leaf node of the test tree having the same parent node than that of the test leaf node and calculating a digital signature of a concaténation of the test digital signature and the extracted digital signature of said every other leaf node, thus obtaining a digital signature of said same parent node of the test leaf node;

- successively at each next level in the test tree and up to the penultimate nodes level, extracting from the sequence of digital signatures in the test digital vérification key, a digital signature of every other non-leaf node of the test tree having the same parent node than that of the previous same parent node considered at the preceding step and calculating a digital signature of a concaténation of the digital signature of said respective every other non-leaf node and the obtained digital signature of said previous same parent node, thus obtaining a digital signature of said same parent node of said previous same parent node;

- calculating a digital signature of a concaténation of the obtained digital signatures of the non-leaf nodes corresponding to the penultimate nodes level of the test tree, thus obtaining a candidate root digital signature of the root node of the test tree; and

- checking whether the obtained candidate root digital signature matches the stored reference root digital signature, whereby, in case said root digital signatures match, the digital data of the test file are that of a genuine digital file.

If the marked original digital file is secured while having the above mentioned 5 separate fields data block, the memory of the processing unit may further store the associated fields data block, and the step of calculating a test digital signature corresponding to a test leaf node in a test tree corresponding to the digital security marking on the test file may comprise calculating with the one-way function a digital signature of a concaténation of the extracted test digital data and the stored fields data block.

If the digital file is has been secured by storing the reference root digital signature in a searchable root database accessible to the user as mentioned above, and the Processing unit is further connected to a communication unit opérable to send and receive back data via a communication link, the above verifying method may comprise the preliminary steps 15 of:

- sending with the communication unit via the communication link a request to said root database, and receiving back the reference root digital signature; and

- storing the received root digital signature in the memory of the memory.

If the secured digital file comprises root node access data as explained above, and the processing unit is further connected to a communication unit opérable to send and receive data via a communication link, the above verifying method may comprise the preliminary steps of:

- reading the root node access data included in the test file;

- sending with the communication unit via the communication link a root request to said access interface containing digital data, or a digital signature of said digital data, obtained from the digital security marking on the test file, and receiving back a corresponding reference root digital signature of associated batch; and

- storing the received reference root digital signature in the memory.

If the marked digital file has associated additional digital data stored in a searchable information database as mentioned above, the imager may further be equipped with communication means opérable to send to the information database interface an information request containing digital data, or a digital file signature, obtained from the digital security 3 5 marking of the test file, and receive back corresponding additional digital data.

In case the secured digital file includes reference characteristic digital data as mentioned above, and the imager is further equipped with a sensor opérable to detect a unique physical characteristic of respectively an associated object or individual, and the processing unit 5 is programmed to extract corresponding characteristic digital data from a détection signal received from the sensor, the imager having stored in the memory reference characteristic digital data CDD corresponding to said unique physical characteristic of respectively the associated object or individual, the verifying method may comprise the further steps of, upon viewing a subject being said associated object or individual:

- detecting with the sensor a unique physical characteristic of the subject and extracting corresponding candidate characteristic digital data CDD^C;

- comparing the obtained candidate characteristic digital data CDD^c with the stored reference characteristic digital data CDD; and

- in case the candidate characteristic digital data CDD^c is similar to the stored reference 15 characteristic digital data CDD, within a given tolérance criterion, the subject is considered as corresponding respectively to a genuine object or individual validly associated with a genuine digital file.

Another aspect of the invention relates to a digital file belonging to a batch of a 2 0 plurality of original digital files and secured according to the above mentioned securing method, each original digital file of the batch having its own digital data and corresponding digital vérification key, said batch having a corresponding reference root digital signature, the digital file comprising a machine readable security marking including a représentation of its digital data and its vérification key. The digital data of the digital file may further include reference 2 5 characteristic digital data CDD of a corresponding unique physical characteristic of an associated object or individual. Moreover, the unique physical characteristic of the associated object may be that of a material-based security marking applied on the associated object.

Another aspect of the invention relates to a System for verifying the 3 0 authenticity of a digital file, or the conformity of a copy of such digital file, with respect to a marked original digital file belonging to a batch of original digital files secured according to the above mentioned securing method, comprising an imager having an imaging unit, a processing unit with a memory, and an image processing unit, the memory storing a reference root digital signature of a tree corresponding to the batch of original digital files, and the one-way function 35 to calculate a digital signature of digital data and of a concaténation of digital signatures according to the nodes ordering of the tree and the tree concaténation ordering being programmed in the processing unit, said System being opérable to:

- hâve stored in the memory a test file being said digital file or said copy of the digital file;

- read a représentation of digital data and of a digital vérification key on a digital security marking of the stored test file, and extract respectively corresponding test digital data and test digital vérification key from said read représentation;

- verify whether the extracted test digital data and test digital vérification key indeed correspond to the stored reference root digital signature by performing on the processing unit the programmed operations of:

- checking whether the obtained candidate root digital signature matches the stored reference root digital signature, whereby, in case said root digital signatures match, the System is configured to deliver an indication that the digital data of the test file are that of a genuine digital file.

In the above System, if the marked original digital file has an associated fields data block as mentioned above, the memory of the processing unit further storing the associated fields data block, the programmed operations of calculating a test digital signature corresponding to a test leaf node in a test tree corresponding to the digital security marking of the test file then comprise calculating with the one-way fonction a digital signature of a concaténation of the extracted test digital data and the stored fields data block.

In case the marked original digital file belongs to a batch of original digital files secured by including reference characteristic digital data of a corresponding unique physical characteristic of an associated object or individual as mentioned above, the above System being forther equipped with a sensor connected to the processing unit and opérable to detect a unique physical characteristic of an associated object or individual, and the processing unit being 10 programmed to extract corresponding characteristic digital data from a détection signal received from the sensor, the System having stored in the memory reference characteristic digital data CDD corresponding to said unique physical characteristic of the associated object or individual, the System may forther be opérable to:

- detect with the sensor a unique physical characteristic of a subject being said associated object 15 or individual, and extract corresponding candidate characteristic digital data CDD^C;

- compare the obtained candidate characteristic digital data CDD^c with the stored reference characteristic digital data CDD; and

- in case the candidate characteristic digital data CDD^c is similar to the stored reference characteristic digital data CDD, within a given tolérance criterion, deliver an indication that the 2 0 subject is considered as genuine.

The présent invention will be described more folly hereinafter with reference to the accompanying drawings in which like numerals represent like éléments throughout the different figures, and in which prominent aspects and features of the invention are illustrated.

BRIEF DESCRIPTION OF THE DRAWINGS

Fig.l is a schematic view of a general concept of securing a batch of original digital files according to the invention.

Fig.2A illustrâtes a secured digital biométrie passport as an example of digital 3 0 biométrie identity document secured according to the invention.

Fig.2B illustrâtes a control of an individual having the secured digital biométrie passport of Fig.2A by an authorized officer.

Fig.3 illustrâtes a batch of digital documents relating to components of an aircraft secured according to the invention.

DETAILED DESCRIPTION

The présent disclosure is here described in detail with reference to non-limiting embodiments illustrated in the drawings.

Figure 1 illustrâtes a general concept of the invention relating to securing a batch of digital files and a method of computing an encoding of verifying information that may be associated with each digital file. Figure 1 illustrâtes a group or batch of digital files Ai,...,A₈, containing a digital représentation of a machine readable security marking 110 (here illustrated by a 2D barcode). In what follows, the expression “digital security marking 110” in fact means “digital représentation of a machine readable security marking 110”. Figure 1 in fact illustrâtes a group or batch of digital files and its associated tree wherein, for simplicity, only eight original digital files are shown: A],...,A₈. Also for simplicity, the tree associated with the batch of files Ai,...,A₈ is here a mere binary tree. A digital file may relate to a manufactured item or its packaging, a physical document or image, a package containing several items (such as a blister pack of medicine), or a container containing pallets of cartons of goods etc. Not only an object but even a person may be “associated” with a digital file in the sense of the embodiments of the invention; for example, authorized attendees at an event or members of a group, or members of a flock or herd, could carry some form of ID badge or be physically marked with some marking containing data recorded in a corresponding digital file.

A batch of digital files might, for example, relate to a common manufacturing run, items delivered by a particular supplier, items made or shipped during a time period, a set of related images, a group of people, a flock or herd, or any other user-defined grouping of any objects for which digital file Ai (having digital content Di) can be defined.

Any one of the articles shown on Figure 1 could be a virtual article A_v, which is an optional software construct that may be included to enable encoding of selected data. This is explained further below. For example, one of the eight articles, e.g. article A₈, may in fact be a virtual article A_v that is counted as belonging to the batch of eight articles, and is treated as any one of the other seven real articles since it may be processed substantially in the same way (although it does not correspond to a real object). Of course, a plurality of virtual articles Avi,A_V2,...,A_vk can be used for encoding digital data and produce more robust article digital signatures (see below).

For each article Ai,A2,...,A₇,As of the batch (possibly with Ag = A_v) respective article digital data Di,D₂,...,D₇,D₈ (possibly with D₈ = D_v) are associated or extracted (or, in the case of Virtual article A_v, created) using any appropriate method. This data might be some measure of physical characteristics, textual data such as completed form or product information, a serial number or other identifier, indications of content, a digital représentation of an image, or any other information that the System designer chooses to associate with an article. The article digital data Di may be extracted from human readable data (e.g. alphanumeric data) marked on an associated article (e.g. printed on the article or on a label affîxed on the article) by means of a reader capable to produce corresponding digital data of a digital file Aj. Further digital data (e.g. instruction for use of the associated article or safety instructions etc.) can be associated with the extracted data to constitute the article digital data Dj.

For the Virtual article A_v, the associated digital data may include, for example, a batch identification number, the number of articles in the batch, a (pseudo-) random number for the sake of increasing security by increasing data entropy, date and/or time information, etc. One other form of associated data might be indications of allowable or non-permissible operations rules, expiration dates, etc. In short, the digital data D_v may be anything that can be represented in digital form.

For each article of the batch, its respective digital article data Di,Ü2,. . .,D₇,D₈ is preferably transformed mathematically in such a way that it is essentially concealed, although this is not an absolute requirement for any embodiment. This transformation applied to the article digital data D, of an article Aj serves to create a corresponding digital signature Xj. This digital signature is produced by means of a one-way function, i.e. a function easy to compute but hard to invert (see S. Goldwasser and M. Bellare “Lecture Notes on Cryptography”, MIT, July 2008, http ://www-cse.ucsd. edu/users/mihir).

One such advantageous transformation is, for example, applying a hash function H( ) = hash( ) to the digital data, which generally has the property that it retums an output of a known bit length regardless of the size of the input: this technical effect is particularly useful for creating a digital signature of digital data of a digital file (e.g. associated to an article) regardless of the size of the digital data and that of the batch of corresponding digital files. The Hash function is a well-known example of a one-way function. If a cryptographie hash function such as the SHA (Secure Hash Algorithm) class of functions, for example, SHA-256, is used, then there are the additional benefits that the fonction is practically irréversible and collision résistant, that is, the probability is negligible that two different inputs will lead to the same output. As will be understood from the description below, this is also not a requirement of the invention, although it is advantageous for the same reasons as in other applications. As shown in Figure 1, the values xi,X2,X3,...,xs are the hash values, i.e. the associated article digital signatures, of the respective article datasets, that is, Xj = H(Dj), for j=l,.. .,8 (in case Ag = A_v, then Dg = D_v and xg = x_v = H(D_V)).

In order to shorten the signature, the article digital signature Xj of article Aj may even be just a sequence of a given plurality of bits of lower weights selected from the bits of the hash value H(Dj): for example, with the SHA-256 hash fonction of the SHA-2 family, it suffices to retain only the 128 bits of lower weights from the 256 bits of the signature to still hâve a robust signature with respect to codebreaking attack.

Fig.l shows a batch of eight marked original articles Ai,...,Ag, each having a corresponding security 110 marking applied on it, and illustrâtes the method of securing the articles and their respective associated article digital data Di,...Dg (symbolically represented on files Ai on Fig.l by a sequence of bits “0” and “1”) by means of a tree of digital signatures of the digital data. Trees associated with digital signatures are well known (binary hash trees, n-ary hash trees, or Merkle trees), they generally hâve base nodes, or leaf nodes, which are used to build next (intermediate) level nodes by digitally signing a concaténation of the digital signatures associated with the leaf nodes according to a certain grouping of the leaf nodes. In case of a binary tree, the digital signatures associated with the first intermediate level nodes are respectively calculated by digitally signing (e.g. with a one-way hash fonction H, or a one-way elliptic curve fonction...) a concaténation of the digital signatures associated with two consecutive leaf nodes. In case of a n-ary tree, the values of the first intermediate level nodes are obtained by concaténation of the values of n consecutive leaf nodes. A tree may as well hâve a more complex structure (mixed-trees) as the concaténation of the leaf nodes may be performed by pairs of consecutive nodes for certain leaf nodes, by triplet of nodes for other consecutive leaf nodes etc. For reasons of simplicity, a mere binary tree with eight leaf nodes is shown on Fig.l: the respective values of the eight leaf nodes a(l,l),...,a(l,8) of the tree, respectively corresponds to the article digital signatures xi = H(Di),..., xg = H(Dg). The value of the first index, i.e. “1”, for ail the leaf nodes indicates the first level (or base level) of the tree, and the second index running from 1 to eight indicates the (leaf) nodes ordering of the tree. The values of the next level (non-leaf) nodes, i.e. the four nodes of level two a(2,l), a(2,2), a(2,3) and a(2,4), are obtained by digitally signing a concaténation (symbolically represented by an operator “+”), here by means of a hash fimction, of the values of pairs of leaf nodes, i.e. pairs of their child nodes in the tree. This grouping of child nodes for obtaining the values of the nodes of the next level defines the tree concaténation ordering. For simplifying the notations, we use the node symbol a(ij) to also represent its associated value (i.e. its associated digital signature). Here, the tree has only two intermediate levels above the leaf nodes level, and the root node on top level. The root node level is in fact the last non-leaf node level of the tree. Thus, the values of the four non-leaf nodes of the next intermediate level are:

a(2,l) = H(a(l,l)+a(l,2)), i.e. a(2,l) = H(H(Di)+ H(H(D₂)), (as a(l,l) and a(l,2) are the child nodes of node a(2,l)) a(2,2) = H(a(l,3)+a(l,4)) a(2,3) = H(a(l,5)+a(l,6)) a(2,4) - H(a(l,7)+a(l,8)) and, for the next, penultimate, node level (here, level three) there are two node values:

a(3,l) = H(a(2,l)+a(2,2)) a(3,2) = H(a(2,3)+a(2,4)).

We remark that it is possible to choose a different tree concaténation ordering for each non-leaf node: for example, instead of having a(2,4) = H(a(l,7)+a(l,8)) we could define a(2,4) = H(a(l,8)+a(l,7)), which gives a different node value.

Finally, the value of the root node R of the tree, or reference root digital signature, is obtained as: R = H(a(3,l)+a(3,2)).

Due to the cascade of concaténations involved in a tree, it is practically impossible to retrieve a root value if any bit of digital data is changed in a node (particularly, in a leaf node). Moreover, if some Virtual articles are included in the batch (of which Virtual article digital data are only known to the System having produced the digital signatures of the leaf nodes of the tree), a counterfeiter will not be capable to retrieve the root digital signature even if knowing the digital data of ail the produced (and marked) articles of the batch.

According to the invention, the reference root digital signature R of the batch of original digital files is made immutable, and thus forgery-proof, by being published in a (public) media accessible to a user having to check the authenticity of an article (or its associated data), or stored in a searchable root database accessible to the user, or, in a preferred mode, stored in a blockchain (or in a database secured by a blockchain) accessible to the user. The user may then store the reference value R acquired from these available sources.

For each original digital file Ai of the batch, a corresponding digital vérification key k, (or vérification path) of the associated tree is then computed as a sequence of the respective digital signatures, from the leaf nodes level to the penultimate nodes level, of every other leaf node having the same parent node in the tree that the leaf-node corresponding to the digital signature of the original digital file Ai, and successively at each next level in the tree, of every non-leaf node having the same parent node in the tree that the previous same parent node considered at the preceding level. In the example of Fig.l, there are eight vérification keys ki,...,kg respectively corresponding to the eight articles Ai,...,Ag of the batch and their corresponding eight leaf nodes a(l,l),...,a(l,8):

1) for leaf node a(l,l) = Xi = H(Di) corresponding to article Ai, the vérification key is ki = {a(l,2),a(2,2),a(3,2)}, from which the root digital signature value R can be retrieved via the following steps (executed according to the nodes ordering in the tree and the tree concaténation ordering):

i) from leaf node a(l,l) = Xi and leaf node a(l,2) = x₂ in ki (a(l,2) is the other leaf node having the same parent node, i.e. node a(2,l), that the leaf node corresponding to the article digital signature x_b i.e. node a(l,l)), the parent node value a(2,l) is obtained by a(2,l) = H(a(l,l)+a(l,2)) (i.e. a(2,l) = H(xi + x₂)), ii) from the obtained a(2,l) and the next node value in k], i.e. a(2,2) of next non-leaf nodes level, which is a non-leaf node having the same parent node in the tree, i.e. node a(3,l), that the previous same parent node considered at the preceding level, i.e. node a(2,l), the parent node value a(3,l) is obtained by a(3,l) = H(a(2,l)+a(2,2)), iii) from the obtained a(3,l) and the next node value in k_b i.e. a(3,2) of the penultimate nodes level, which is a non-leaf node having the same parent node in the tree, i.e. the root node, that the previous same parent node considered at the preceding level, i.e. node a(3,l), the root node value R is obtained by R = H(a(3,l)+a(3,2)).

Remark: in this example we hâve three steps i),ii) and iii), because the tree has three levels below the root node level and thus, the vérification key contains three node values.

Thus, the value of the root node of the tree can be obtained as: R = H(H(H(a(l ,1 )+a(l ,2))+a(2,2))+a(3,2)).

2) for leaf node a(l,2) = x₂ = H(D₂) corresponding to article A₂, the vérification key is k₂ = {a(l,l),a(2,2),a(3,2)}, from which the root value R can be retrieved via the following steps (executed according to the nodes ordering in the tree and the tree concaténation ordering):

i) from a(l,2) = x₂ and a(l,l) = Xi in ki (a(l,l) is the other leaf node having the same parent node, i.e. node a(2,l), that the leaf node corresponding to the article digital signature x₂, i.e. node a(l,2)), the parent node value a(2,l) is obtained by a(2,l) = H(a(l,l)+a(l,2)), ii) from the obtained a(2,l) and the next node value in k₂, i.e. a(2,2) of next non-leaf nodes level, which is a non-leaf node having the same parent node in the tree, i.e. node a(3,l), that the previous same parent node considered at the preceding level, i.e. node a(2,l), the parent node value a(3,l) is obtained by a(3,l) = H(a(2,l)+a(2,2)), iii) from the obtained a(3,l) and the next node value in k₂, i.e. a(3,2) of the penultimate nodes level, which is a non-leaf node having the same parent node in the tree, i.e. the root node, that the previous same parent node considered at the preceding level, i.e. node a(3,l), the root node value R is obtained by R = H(a(3,l)+a(3,2)).

Thus, the value of the root node of the tree can be obtained as: R = H(H(H(a(l, 1 )+a(l ,2))+a(2,2))+a(3,2)).

3) for leaf node a(l,3) = x₃ = H(D₃) corresponding to article A₃, the vérification key is k₃ = {a(l,4),a(2,l),a(3,2)}, from which the root value R can be retrieved via the following steps (executed according to the nodes ordering in the tree and the tree concaténation ordering):

i) from a(l,3) = x₃ and a(l,4) = X4 in k₃ (a(l,4) is the other leaf node having the same parent node, i.e. node a(2,2), that the leaf node corresponding to the article digital signature x₃, i.e. node a(l,3)), the parent node value a(2,2) is obtained by a(2,2) = H(a(l,3)+a(l,4)), ii) from the obtained a(2,2) and the next node value in k₃, i.e. a(2,l) of next non-leaf nodes level, which is a non-leaf node having the same parent node in the tree, i.e. node a(3,l), that the previous same parent node considered at the preceding level, i.e. node a(2,2), the parent node value a(3,l) is obtained by a(3,l) = H(a(2,l)+a(2,2)), iii) from the obtained a(3,l) and the next node value in k₃, i.e. a(3,2) of the penultimate nodes level, which is a non-leaf node having the same parent node in the tree, i.e. the root node, that the previous same parent node considered at the preceding level, i.e. node a(3,l), the root node value R is obtained by R = H(a(3,l)+a(3,2)).

Thus, the value of the root node of the tree can be obtained as: R = H(H(a(2,l)+H(a(l,3)+a(l ,4)))+a(3,2)).

4) for leaf node a(l,4) = X4 = H(D4) corresponding to article A4, the vérification key is k4 = {a(l,3),a(2,l),a(3,2)}, from which the root value R can be retrieved via the following steps (executed according to the nodes ordering in the tree and the tree concaténation ordering):

i) from a(l,4) = X4 and a(l,3) = X3 in kg, the parent node value a(2,2) is obtained by a(2,2) = H(a(l,3)+a(l,4)), ii) from the obtained a(2,2) and the next node value in k4, i.e. a(2,l) of next non-leaf nodes level, the parent node value a(3,l) is obtained by a(3,l) = H(a(2,l)+a(2,2)), iii) from the obtained a(3,l) and the next node value in k4, i.e. a(3,2) of the penultimate nodes level, the root node value R is obtained by R = H(a(3,l)+a(3,2)).

Thus, the value of the root node of the tree can be obtained as: R = H(H(a(2,1 )+H(a( 1,3)+a( 1,4)))+a(3,2)).

5) for node a(l,5) = x₅ = H(D₅) corresponding to article A5, the vérification key is k₅ = {a(l,6),a(2,4),a(3,l)}, from which the root value R can be retrieved via the following steps (executed according to the nodes ordering in the tree and the tree concaténation ordering):

i) from a(l,5) = X5 and a(l,6) - X6 in kg, the parent node value a(2,3) is obtained by a(2,3) = H(a(l,5)+a(l,6)), ii) from the obtained a(2,3) and the next node value in k₅, i.e. a(2,4) of next non-leaf nodes level, the parent node value a(3,2) is obtained by a(3,2) = H(a(2,3)+a(2,4)), iii) from the obtained a(3,2) and the next node value in kg, i.e. a(3,l) of the penultimate nodes level, the root node value R is obtained by R = H(a(3,l)+a(3,2)).

Thus, the value of the root node of the tree can be obtained as: R = H(a(3,1 )+H(H(a( 1,5)+a( 1,6))+a(2,4))).

6) for node a(l,6) = xg = H(D₆) corresponding to article Ag, the vérification key is kg = {a(l,5),a(2,4),a(3,l)}, from which the root value R can be retrieved via the following steps (executed according to the nodes ordering in the tree and the tree concaténation ordering):

i) from a(l,6) = x₆ and a(l,5) = x₅ in kg, the parent node value a(2,3) is obtained by a(2,3) = H(a(l,5)+a(l,6)), ii) from the obtained a(2,3) and the next node value in kg, i.e. a(2,4) of next non-leaf nodes level, the parent node value a(3,2) is obtained by a(3,2) = H(a(2,3)+a(2,4)), iii) from the obtained a(3,2) and the next node value in kg, i.e. a(3,l) of the penultimate nodes level, the root node value R is obtained by R = H(a(3,l)+a(3,2)).

Thus, the value of the root node of the tree can be obtained as: R = H(a(3,1 )+H(H(a(l ,5)+a( 1,6))+a(2,4))).

7) for node a(l,7) = x₇ = H(D₇) corresponding to article A₇, the vérification key is k₇ = {a(l,8),a(2,3),a(3,l)}, from which the root value R can be retrieved via the following steps (executed according to the nodes ordering in the tree and the tree concaténation ordering):

i) from a(l,7) = x₇ and a(l,8) = x₈ in k₇, the parent node value a(2,4) is obtained by a(2,4) = H(a(l,7)+a(l,8)), ii) from the obtained a(2,4) and the next node value in k₇, i.e. a(2,3) of next non-leaf nodes level, the parent node value a(3,2) is obtained by a(3,2) = H(a(2,3)+a(2,4)), iii) from the obtained a(3,2) and the next node value in k₇, i.e. a(3,l) of the penultimate nodes level, the root node value R is obtained by R = H(a(3,l)+a(3,2)).

Thus, the value of the root node of the tree can be obtained as: R = H(a(3,1 )+H(a(2,3)+H(a( 1,7)+a(l ,8)))).

) for node a(l,8) = x₈ = H(D₈) corresponding to article A₈, the vérification key is k₈ = {a(l,7),a(2,3),a(3,l)}, from which the root value R can be retrieved via the following steps

0 (executed according to the nodes ordering in the tree and the tree concaténation ordering):

i) from a(l,8) = x₈ and a(l,7) = x₇ in k₈, the parent node value a(2,4) is obtained by a(2,4) = H(a(l,7)+a(l,8)), ii) from the obtained a(2,4) and the next node value in k₈, i.e. a(2,3) of next non-leaf nodes level, the parent node value a(3,2) is obtained by a(3,2) = H(a(2,3)+a(2,4)), iii) from the obtained a(3,2) and the next node value in k₈, i.e. a(3,l) of the penultimate nodes level, the root node value R is obtained by R = H(a(3,l)+a(3,2)).

Thus, the value of the root node of the tree can be obtained as: R = H(a(3,l)+H(a(2,3)+H(a(l,7)+a(l,8)))).

Generally, for retrieving a (candidate) root node value by starting from a given leaf node value and the node values specified in the vérification key associated with said given leaf node, the following steps are performed:

- extracting from the sequence of node values in the vérification key, a node value (i.e. a digital 3 5 signature value) of every other leaf node of the tree having the same parent node than that of the given leaf node and calculating a digital signature of a concaténation of the given node value and, respectively according to the ordering of nodes in the tree and the tree concaténation ordering, the extracted node value of said every other leaf node, thus obtaining a digital signature of said same parent node of the given leaf node;

- successively at each next level in the tree and up to the penultimate nodes level:

.extracting from the sequence of node values in the vérification key, a node value of every other non-leaf node of the tree having the same parent node than that of the previous same parent node considered at the preceding step, and .calculating a digital signature of a concaténation of the node value of said respective every other non-leaf node and the obtained digital signature of said previous same parent node, according to the ordering of nodes in the tree and the tree concaténation ordering, thus obtaining a node value of said same parent node of said previous same parent node; and

- calculating a digital signature of a concaténation of the obtained node values of the non-leaf nodes corresponding to the penultimate nodes level of the tree according to the ordering of nodes in the tree and the tree concaténation ordering, thus obtaining a root digital signature of the root node of the tree.

As it is clear from the above example, the root node value R can fmally be retrieved from any given leaf node value by a digital signature of a concaténation of this leaf node value with only the node values specified in the corresponding vérification key. Thus, the volume of data in the vérification information that is necessary for retrieving the root node value is clearly much lower than the volume of data necessary for calculating the reference root node value (i.e. based only on the leaf node values, by calculating ail the non-leaf node values of the intermediate levels of the tree): this is an advantage of the invention in view of the constraint of limited size available on a security marking (like a two-dimensional barcode).

According to the invention, the digital security marking 110 of a digital file Ai of a batch of articles includes the vérification information Vj that allows both online and offline checking operations of authenticity of the marked file, of conformity of its associated data with respect to that of the genuine marked file, by providing a unique, immutable and forgery-proof link between the digital data D, of Ai and the fact that the marked original digital file A, belongs to a given batch of genuine articles, while keeping a bit size of a digital représentation of this vérification information Vj at a level compatible with a data content of a two-dimensional machine readable barcode that can be easily read by a conventional reader: this vérification information comprises the article digital data Di and the corresponding vérification key kj, Vj = (Di,kj). The checking operations includes retrieving the batch value, or reference root digital signature R of the tree associated with the batch, by first reading the digital data Dj and the corresponding digital vérification key k, on the machine readable security marking 110 of digital 5 file Ai, then calculating a candidate digital signature Xi by means of a one-way function of the read digital data Dj as Xi = H(Dj), and calculating a candidate root digital signature R^c as explained above from a digital signature of a concaténation of Xi and node values of the tree according to the sequence of node values indicated in the digital vérification key kj. This securing scheme, which has the advantage of not necessitating data encryption and thus, 10 management of encryption/decryption keys (particularly, no cryptographie key is included in the digital security marking), is much more robust with respect to codebreaking attack compared to conventional encryption of data by means of public encryption key-private decryption key (like RSA “Rivest-Shamir-Adleman” System, for example). As a resuit, the size of digital data to be represented in the digital security marking according to the invention is compact and allows to 15 use conventional représentation of 2D barcodes (e.g. a QR code) (particularly useful for printready digital files), and thus conventional barcode readers (or even a mere programmed smartphone having a caméra), while providing a very high level of robustness against codebreaking attacks. Moreover, this security marking is compatible with both online (via a server communicating with a code reader) and offline (via a programmed code reader) check of 2 0 authenticity of a marked digital file and conformity of its data with respect to that of a genuine (original) digital file. Also, according to the invention, the représentation of digital data Dj and that of key data kj may differ, the data concaténation scheme and/or the one-way function may dépend on node level in the tree, which provide additional levels of robustness with respect to codebreaking attacks.

Preferably, in order to further reduce the size of digital data (i.e. vérification information V) to be included in a digital security marking, if the digital data D, of the respective original digital files Ai of the batch are spread between given fields that are common to ail the digital files of the batch, digital data relating to these fields are not included in each digital data 30 Di but are clustered in a separate fields data block FDB associated with the batch of digital files, and:

- the digital signature Xj of an original digital file Ai of the batch is then calculated with the oneway function H of a concaténation of the corresponding digital data Dj and the digital data of the fields data block FDB, i.e. x, = H(Dj+FDB); and

- the reference root digital signature R is made available to the user together with the associated fields data block FDB (which makes the fields data block also immutable).

In a variant of the invention, the fields data block FDB is made accessible to the user independently of the reference root digital signature.

The above size réduction is possible in most cases, as most of data associated with the digital files of a batch are classified in accordance with some fields for structuring the data: e.g. for a pharmaceutical product associated with a secured digital file, the indications “serial number”, “expiry data” etc., only the data associated with these fields are included in Di (e.g. 12603, May 2020 etc.) while the common names of the fields “serial number”, “expiry data” etc. are in the fields data block FDB.

There are many known methods for encoding information. Any such method may be used in implémentations of any embodiment of this invention. One common form of marking is a well-known QR code (as a représentation of a 2D image included in a digital file). As is well known, for a given area, the more data a QR code is able to encode, the higher the module density (roughly, density of black/white squares) it has and the greater resolution it requires to print and read. In addition to its density (in number of modules squared), QR codes are also generally classified depending on what level of error correction they include. At présent, the four different standard levels, L, M, Q, and H, each representing the degree of damage, that is, data loss, the QR code image can sustain and recover from. The levels L, M, Q, and H can sustain roughly 7%, 15%, 25% and 30% damage, respectively.

The following table shows at least approximate values for different QR code versions:

Version	Size (in modules)	Number of encodable bits
ECC level L	ECC level H
10	57x57	2192	J 976
25	117x117	10208	4 4304

40

177x177

23648

10208

Not ail of the bits may be used to encode a data load, however, since some modules are used for scan targets, a mask pattern, and the error-correction modules. There is thus a trade-off between the amount of information that a QR code (or whatever marking 110 is used) can encode, and how much information is included in a vérification information V and must be encoded.

For a chosen type of digital security marking 110 (such as a QR code), with a limited encoding capacity, a suitable one-way function H should therefore also be chosen: a fonction of which output is too large in terms of required bits may be impossible to use at ail, and a fonction of which range is too small may not be secure enough. Moreover, in many applications, scalability may be an issue. For example, some data security schemes involve signatures that grow as the number of members of a batch increases, and that could impermissibly limit the size of a batch from the perspective of how many bits the digital security marking 110 can encode. This is why, according to a preferred mode of the invention, the type of fonction chosen is the one-way hash fonction of the SHA-2 family.

A computation module (not shown) is preferably included within a securing System to execute the code provided for performing the computations for digitally signing the digital data of the original digital files of a batch, for determining the digital vérification keys for the different digital files, and for calculating the reference root digital signature of the corresponding tree. The securing System may also include suitable modules for inputting (preprogrammed) values corresponding to the digital data D_v of the Virtual digital file(s) A_v. It would also be possible to perform the file-related hashing computations extemally (e.g. on a connected distant server), for example, wherever the digital files are made, so as to avoid having to transmit raw digital data Di over a network from that site (or sites) to the securing System, if that is a concem. For each digital file Aj, corresponding vérification information V, is compiled and is encoded (represented) in some form of machine readable digital security marking 110 that is then included in the respective article.

For any virtual digital file A_v, its corresponding vérification information V_v = (D_v,k_v) may be associated intemally with it by the securing System. The vérification information generally at least includes, for any digital file A, of a batch of digital files, the corresponding digital data Dj and the corresponding digital vérification key kj: i.e. Vj = (Di,ki).

Additional digital data may fiirther be associated with a digital file and may include, for example, the batch value, i.e. reference root digital signature R, or any other information the System designer (or System administrator) chooses to include, such as, for example, an associated item serial number, batch ID, date/time information, product name, a URL that points to other, online information associated with either the individual item (such as an image of the item, or of its labelling or packaging, etc.), or the batch, or the supplier/manufacturer, a téléphoné number one may call for vérification, etc. The additional digital data may be stored in a searchable information database accessible to a user (via an information database interface).

Once the digital vérification kj of an original digital file A, has been calculated, and included (i.e. via encoding or any chosen data représentation), together with the corresponding digital data Dj, in the machine readable digital security marking 110 in the digital file Aj, the resulting marked original digital file and its associated digital data are in fact secured against forgery and tampering.

A user, récipient of a digital file such as Ai for example, may then scan (or otherwise read) with an imager (reader) the digital security marking of Ai and extract the digital data Di and the digital vérification key ki, (and any other information that may hâve been encoded into the marking). For the sake of vérification of the marked digital file Ai, the user must first retrieve the vérification information Vi=(Di,ki) from the digital security marking 110 of Ai and thus, calculate the digital signature xi from the extracted digital data Di: to do that the user must know the one-way function to be used for calculating a digital signature, here the oneway function H() (e.g. a SHA-256 hash), and then perform the operation xi=H(Di) to obtain the full data (xi,ki) necessary to calculate a corresponding candidate root digital signature R^c. The user may for example receive the one-way function securely (for example, using a public/private key pair) or by requesting this from the digital file provider or whichever entity having created the signatures and keys, or having it already programmed in a user’s processing unit of its imager.

Next, in order to calculate such candidate root digital signature R^c, the user will need to further know the type of data concaténation scheme (for concatenating node values via

H(a(ij)+a(i,k)) to be used for that: the user may receive this information in any known manner, either securely (for example, using a public/private key pair) or simply by requesting this from the digital file provider or whichever entity created the vérification data, or having it already programmed in the user’s processing unit. However, the concaténation scheme my in fact correspond to a mere conventional “joining end-to-end” of the two digital data blocks respectively corresponding to the two node values: in this case, no spécifie scheme must be transmitted to the user. In some variants, the concaténation scheme may further insert a concaténation block, which may contain data spécifie to the rank or level of the concatenated digital data blocks in the tree, with the resuit of making even more difficult a codebreaking attack.

Knowing the data concaténation scheme, the user can then compute (e.g. via the suitably programmed imager) the candidate root digital signature R^c as explained above by step by step digitally signing a concaténation of the digital signature xi and node values according to the sequence of nodes specified in the digital vérification key k_b see above the item “1)” relating to the node a(l,l), executed according to the nodes ordering in the tree and the tree concaténation ordering. Here, the candidate root digital signature is obtained as (the nodes ordering in the tree being given by the respective indexes (i,j) of the level and rank in the level):

R^c = H(H(H(a(l,l)+a(l,2))+a(2,2))+a(3,2)).

This calculated candidate root digital signature R^c should then be equal to the available (or published) reference R value: this value may hâve been previously acquired by the user and/or already stored in a memory of the imager’s processing unit, it could also be a value that the récipient requests and receives from the System administrator in any known manner. If the candidate R^c and the available reference root digital signatures R match, this computation then vérifiés the information in the digital secure marking 110 and confirms that the digital file Ai is from the right batch.

A link to access the reference root digital signature R for the batch corresponding to the digital file Ai could be included in the digital security marking 110 (for example, a web address, if R can be retrieved on a corresponding web site), although it is not a preferred variant.

A user, récipient of a digital file such as Ai for example, may then scan (or otherwise read) with a reader the digital security marking on Ai and extract the digital data Di and the digital vérification key k_b (and any other information that may hâve been encoded into the digital security marking). An example of reader is a computer with a display, or even a (programmable) smartphone. For the sake of vérification of the marked file Ai, the user must first retrieve the vérification information Vi=(Di,ki) from the digital security marking on Ai and thus, calculate the digital file signature xi from the extracted digital data Df to do that the user must know the one-way function to be used for calculating a digital signature, here the hash function H(), and then perform the operation xi=H(Di) to obtain the fiill data (xi,ki) necessary to calculate a corresponding candidate root digital signature B^c. The user may for example receive the one-way function securely (for example, using a public/private key pair) or by requesting this from the digital file provider or whichever entity having created the signatures and keys, or having it already programmed in a user’s processing unit of its reader.

Preferably, the reference root digital signature (i.e. “batch value”) R is stored in a searchable root database that can be accessed (via a communication link) by the user by means of its computer equipped with a communication unit, as this is the case with the above example of a smartphone. The user having to verify the digital file Ai can just send a root request with its smartphone to the address of the database, via an access interface of the database, the request containing the digital data Di read on the digital security marking 110 of Ai (or the calculated digital signature xi = H(Di)) allowing to retrieve the corresponding reference batch value R, and the access interface will retum the reference root digital signature R to the smart phone. The database may be secured by a blockchain in order to strengthen the immutability of the stored root digital signatures. An advantage of the invention is to make the link between a physical object, i.e. an original digital file stored in a memory, and its attributes, i.e. the associated digital data and its belonging to a spécifie batch of digital files, practically immutable through the corresponding root digital signature.

The above mentioned vérification process of a digital file Aj may also serve to authenticate human readable data content of Aj on a corresponding printed version of the digital file Aj. Indeed, a user can read on a display of a computer the corresponding digital data Di as decoded from the digital security marking in the digital file A, by the computer, and visually check that the displayed information is consistent with the printed data on the printed version of the digital file.

In a preferred embodiment, the digital data Dj further include characteristic digital data (CDD) of corresponding unique physical characteristic of an object, or an individual, associated with the marked original digital file Ai that can be used for (materially) authenticating the associated object, or the associated individual, by comparing the characteristic digital data extracted from the digital security marking and corresponding détection data of the unique physical characteristic obtained from a suitable sensor. Thus, with the characteristic digital data corresponding to the unique physical characteristic in a digital file Ai being CDD;, the 5 corresponding unique physical signature data UPSj can be obtained by encoding of CDD;

(preferably by means of a one-way function): for example, by taking a hash of the characteristic digital data CDD,, i.e. UPSj = H(CDDj). However, any other known encoding could be used instead: for example, in order to hâve a short signature, it is possible to use an elliptic curve digital signature algorithm. As an illustrative very simplified example of characteristic digital 10 data CDD; corresponding to a unique physical characteristic of an object OBJ, associated with a digital file Ai, we consider a mere digital image obtained by imaging the object OBJ; (or a spécifie zone on OBJj), for example by means of the caméra of a smartphone, the corresponding unique physical signature data UPS, being, for example, a hash of the digital image, UPSj = H(CDDj). The characteristic digital data CDDj having generated the signature UPS; is the 15 reference characteristic digital data for A, and the obtained signature UPSj is the corresponding reference unique physical signature data for Aj. Preferably, UPSj, i.e. the reference unique physical signature data for digital file Ai, is stored in a searchable database or in a blockchain (or in a database secured by a blockchain) accessible to the users (for example, via a request containing the digital data D, read on the digital security marking in the digital file Ai, or its 2 0 corresponding digital file signature Xi). Thus, the stored UPS, acquires an immutable character. A copy of CDDi may be further stored in the memory of the user’s smartphone (or reader or computer). In a variant of the embodiment, a copy of UPSi may also be further stored in the memory of the user’s smartphone (or reader or computer) to allow offline checking operation.

A check of authenticity of the digital file Ai may be performed by extracting candidate characteristic digital data CDDj^C from the digital data Dj read (here, with a decoding application running on the smartphone) on the digital security marking included in the digital file Aj, and comparing it with the reference characteristic digital data CDDj stored in the memory of the smartphone: in case of matching CDDj^C = CDDj, the digital file Ai is considered as genuine 3 0 (its digital content corresponds to that of a genuine marked original digital file). If the reference characteristic digital data CDDj is not stored in the memory of the smartphone, but instead the reference unique physical signature data UPSi is stored in the memory of the smartphone (with the advantage of taking up much less memory compared with CDD), then the authenticity of Ai can still be checked by verifying that the candidate unique physical signature data UPSj^C obtained 35 by calculating the hash value of the candidate characteristic digital data CDDi^C extracted from the digital data Di, i.e. UPSi^C = H(CDDj^C), matches the reference unique physical signature data UPS, stored in the memory.

A user may further check the authenticity of a received digital file Aj, still via offline (self-verifying) process, by detecting said unique physical characteristic on the object or individual associated with the digital file Aj, by means of a sensor capable to perforai such measurement (here, the caméra of the smartphone), and obtaining a candidate characteristic digital data CDD;^c from the detected characteristic (here, a digital image taken by the smartphone). Then, the user can compare (via the image processing unit of its smartphone, or visually on a display of the smartphone) the obtained CDDi^C with a copy of the reference CDDj (stored in the memory of the smartphone): in case of “reasonable” matching CDDj^C ~ CDDj (i.e. the two digital data agréé within some given tolérance or similarity criterion), the digital file Aj is considered as genuine (i.e. its digital content corresponds to that of a genuine marked original digital file).

Moreover, the user may also further calculate the corresponding candidate unique physical signature data from the copy of the reference CDD, stored in the memory of the smartphone as UPSi^C - H(CDDj), and compare it with the reference physical signature data UPSj stored in the memory of the smartphone: in case of matching UPS;^C = UPSj, the digital file Aj is confirmed as being genuine with an even higher degree of confidence (as merely one bit of différence is enough to cause a mismatch). Moreover, in case of matching, the digital data Dj associated with Ai, which has been verified as corresponding to that of a genuine digital file, as explained above by retrieving the corresponding batch value R from the read vérification information (Di,kj) stored in the digital security marking in Ai, is also authenticated.

In a variant of the embodiment, the checking of authenticity of a digital file Ai by a user may be performed via online process. In this case, the reference data, i.e. the characteristic digital data CDDi and/or the reference unique physical signature data UPSi, are stored in a searchable database accessible to the user wherein the reference data relating to a digital file Aj are stored in association with, respectively, the corresponding digital data D, (included in the digital security marking in Aj) or with the corresponding digital file signature Xj (that can be calculated by the user once the data D, is extracted from the digital security marking via the operation Xj=H(Di)): the reference data can be requested by sending to the database a query containing, respectively, Di or Xj.

A conventional way of securing an object is to apply on it a material-based security marking (possibly tamperproof), i.e. a marking having détectable intrinsic physical or Chemical property that is very hard (if not impossible) to reproduce. If an appropriate sensor detects this intrinsic property on a marking, this marking is then considered as genuine with a high degree of confidence, and thus also the corresponding marked object. There are many examples of such known authenticating intrinsic properties: the marking can include some particles, possibly randomly dispersed, or has a spécifie layered structure, having intrinsic optical reflection or transmission or absorption or even émission (luminescence, for example, or polarization or diffraction or interférence...) properties, possibly détectable upon spécifie illumination conditions with “light” of spécifie spectral content. This intrinsic property can resuit from the spécifie Chemical composition of the material of the marking: for example, luminescent pigments (possibly not commercially available) can be dispersed in an ink used for printing some pattern on the object and are used to émit spécifie light (for example, in a spectral window within the infrared range) upon illumination with a spécifie light (for example, with light in the UV spectral range). This is used for securing banknotes, for example. Other intrinsic properties can be used: for example, the luminescent particles in the marking can hâve a spécifie luminescence émission decay time after illumination with an appropriate excitation light puise. Other types of intrinsic properties are the magnetic property of included particles, or even a “fingerprint” property of the object itself such as, for example, the relative positioning of inherently randomly dispersed fibers of a paper substrate of a document, in a given zone on the document, which, when observed at suffîcient resolution, can serve to extract a unique characterizing signature, or some random printing artefacts of data printed on the object which, viewed with suffîcient magnifîcation, can also lead to a unique signature etc.... The main problem with an inhérent fingerprint property of an object is its robustness with respect to aging or wear. However, a material-based security marking does not always allow also securing data associated with the marked object: for example, even if a document is marked with a material-based security marking like a logo printed with a security ink in some zone of the document, data printed on the remaining part of the document can still be falsified. Moreover, too complex authenticating signatures often necessitate significant storage capabilities involving extemal databases, and communication links for querying such databases, so that offline authentication of an object is not possible. According to the invention, an object marked by means of a material-based security marking and associated with a (digitally) marked digital file is secured by the entanglement resulting from the fact that the characteristic digital data corresponding to the unique physical characteristic of the marked object, or its corresponding unique physical signature data, is immutably (thanks to the publication or storage of the aggregated digital signature in a blockchain) and forgery-proof linked with the digital data in the digital security marking being part of the associated digital file. The invention can thus be used for both securing a batch of objects and a corresponding batch of associated digital files.

Of course, any other known intrinsic physical/chemical property can be used to 5 obtain the characteristic digital data CDD; relating to a unique physical characteristic of an object

OBJj associated with a digital file Ai, and the corresponding unique physical signature data UPS;. As another illustrative example, it is possible to print a 2D barcode forming a material-based security marking on an object with a security ink including a luminescent pigment having its characteristic decay time constant as well as its light excitation wavelength window and its 10 luminescence émission wavelength window: the resuit is an ink having a spécifie reference decay time value τ that serves as a material “fingerprint’’ of the ink. It suffices to illuminate the barcode with excitation light in an illumination wavelength window covering the pigment excitation wavelength window, and collect a resulting luminescence light from the barcode with a sensor capable to detect light intensity within the luminescence émission wavelength window 15 in order to authenticate the barcode, and thus the object. For example, a user’s reader may be equipped with a flash capable to deliver the excitation light to the barcode, a photodiode capable to collect the corresponding luminescence light intensity profile I(t) (over a détection time interval) from the barcode, and the reader’s CPU being programmed to calculate a decay time value from the collected intensity profile I(t). For example, the excitation wavelength window

0 may be within the UV (ultra violet) band and the émission wavelength window within the IR (infrared) band. If, during vérification of the object, the luminescence light intensity collected by the user’s imager shows a characteristic decay over time corresponding to a candidate decay time t_c, then the ink, and consequently the object, is considered as genuine if t_c ~ τ (within a given range of tolérance). In this case, the characteristic digital data CDD, of a marked object OBJj 25 includes at least the reference decay time value τ (and possibly data relating to the excitation wavelength window and the émission wavelength window). As it is clear from the above examples, including reference (unique) characteristic digital data in the vérification information of a digital security marking of an associated digital file Ai has the technical effect of providing a forgery-proof link between the digital data of the digital file and the authentication data of its 30 associated object.

Another illustrative embodiment of the invention relates to a batch of biométrie identification documents, e.g. biométrie digital passports, as shown on Fig.2A. Each digital passport, as a digital file, is associated with a corresponding individual, i.e. the owner of the 3 5 passport. For clarity reason, the digital data of Ai is represented on Fig.2A as équivalent textual and alphanumerical information (i.e. human readable), for example, as it could be displayed from a digital pdf (“Portable Document Format”) file, and the digital security marking is shown as équivalent conventional QR code two-dimensional pattern. This embodiment of the invention is particularly useful for creating printable digital files, like print-ready digital files, to allow a printer to deliver a printed secured document directly from a corresponding secured printable digital file (e.g. a digital file relating to identity document, diploma, contract etc.).

In this example we still use a hash function as a one-way function for signing the passport digital data, preferably a SHA-256 hash function in view of its well-known robustness. Indeed, in view of a given size of the batch, the hash function that is selected (having its known bucket listing) for the purpose of signing the passport digital data is thus an example of a one-way encryption function such that each distinct digital passport has its distinct digital passport signature, which thus make the signature unique. The domain of a hash function (i.e. the set of possible keys) being larger than its range (i.e. the number of different table indices), it will map several different keys to a same index which could resuit in collisions: such collisions can be avoided, when the size of the batch is known, by considering the bucket listing associated with the hash table of a hash function and retaining only a function giving zéro collisions, or by independently choosing a hash-table collision resolution scheme (for example, such as coalesced hashing, cuckoo hashing, or hopscotch hashing).

Fig.2A shows an example of digital biométrie passport Ai secured with a machine readable digital security marking 210 (here a QR code) encoded in Ai, and comprising passport digital data 230 containing conventional passport data, e.g. digital data representing a title of the document 230a (“Passport”), a set of biography data of the owner of the passport 230b: last name (“Doe”), first name (“John”), gender (“M”), date of birth (“March 20, 1975”), citizenship (“USA”), origin (“Des Moines”), place of birth (“Oakland”), a date of émission of the passport 230c (“February 24, 2018”) and a validity period 230d (“February 23, 2020”). These passport digital data may further comprise some (unique) serial number(s) 235 assigned by the authority delivering the passport (here “12345”). The passport digital data further comprise biometry data of the owner of the passport as characteristic digital data (CDD) corresponding to a unique physical characteristic of an individual associated with the digital passport. A machine readable représentation 230e (e.g. an alphanumeric one) of data characterizing said unique physical characteristic (not shown), corresponding to said biometry data, is associated with the passport digital data 230. A représentation of digital data is to be understood in a broad sense of the term: this représentation of data only needs to enable retrieving the original digital data. The machine readable data représentation 230e, i.e. the biometry data, of the unique physical characteristic may correspond, for example, to fingerprint identification data or iris identification data of the owner of the digital passport. For example, biometry data 230e corresponding to a fingerprint of a person may resuit from an analysis of a set of spécifie minutia features of fingerprint ridges like ridge ending, bifurcation and short ridges (according to the conventional Henry System of Classification).

Thus, for a given digital passport Aj of the batch of μ delivered digital biométrie passports, here with μ = 1024, the associated passport digital data Dj includes the above mentioned digital data 230a-230e. In a variant of the embodiment, the associated passport digital data Dj may only include the values of the fields which are common to ail the delivered 10 passports, while the fields in common, i.e. “Passport”, “Last Name”, “Gender”, “Date of Birth”, “Citizenship”, “Origin”, “Place of Birth”, “Emission date” and “Validity” are included in a separate fields data block FDB as explained above: for example, Dj only contain a représentation of the field values “Doe”, “John”, “M”, “March 20, 1975”, “USA”, “Des Moines”, “Oakland”, “February 24, 2018” and “February 23, 2020”.

Preferably, additional passport digital data are associated with the above mentioned passport digital data 230. For example, a digital image of the fingerprint pattern of the owner of the passport, or a digital identity photograph etc. In a variant of the embodiment, these additional passport digital data are stored in a searchable information database 250 that can be 2 0 searched via an information request containing some passport data (for example, the name of the owner or the biometry data or data from the security marking or the unique serial number 235) to retrieve the corresponding fingerprint pattern data and receive it back. Preferably, a link to the information database 250 is included, as information access data 240, in the digital passport: here this information access data is encoded in a digital représentation of a QR code containing a 25 reference index to retrieve corresponding additional data in the information database 250.

However, in a variant of passport control operation involving access to a distant information database (online operation), the QR code could contain, for example, the URL of the information database that is accessible via the web.

A digital passport signature with a one-way hash function of the passport digital data Dj corresponding to the passport digital data 230a-230e of the digital passport Aj is then calculated by means, for example, of the above mentioned robust SHA-256 hash function to obtain the corresponding (unique) passport digital signature Xj=H(Dj). In a same way, the passport digital signatures of ail the digital passports in the batch, for ail the different owners, are 3 5 calculated.

From ail the signatures of the passports in the batch, a reference root digital signature R is calculated according to a tree ordering and tree concaténation ordering of an associated (binary) tree, as explained above. As there are μ = 1024 passports in the batch, the corresponding binary tree has 1024 leaf nodes a( 1,1 ),...,a(1024) for the first level, 512 non-leaf nodes a(2,l),...,a(2,512) for the second level, 256 non-leaf nodes a(3,l),...,a(3,256) for the third level etc..., up to the penultimate nodes level (here, level 10) with non-leaf nodes a(10,l) and a(10,2), and the top node corresponding to the root node R (level 11 of the tree). The leaf-node values are a(lj) = Xj = H(Dj), j=l,...,1024, the second level node values are a(2,l) = H(a(l,l)+a(l,2)),...., a(2,512) = H(a(l,1023)+a(l,1024)), etc., and the reference root digital signature R is R = H(a(10,l)+a(10,2)). Each digital vérification key kj is thus a sequence of 10 node values. The digital security marking 210 of the digital passport Aj includes the passport digital data Dj and the corresponding digital vérification key kj (i.e. the vérification information Vj^m».

The operation of checking that the passport digital data Dj and the digital vérification key kj in the digital security marking 210 of a biométrie digital passport Aj indeed correspond to passport data of a genuine biométrie digital passport belonging to the batch of μ biométrie digital passports having the batch value R only nécessitâtes calculating the passport digital signature Xj = H(Dj) and verifying that Xj and the digital vérification key kj allow retrieving the available corresponding reference root digital signature R via the composition of ten times (as here, the tree has ten levels below the root level) a hash function of a concaténation of the node value a(lj) and the node values in kj (according to the nodes ordering in the binary tree and the tree concaténation ordering with the conventional concaténation scheme). Consequently, a biométrie digital passport secured according to the invention provides both a forgery-proof link between the “personal data” and the “biometry data” of its holder, and a unique and forgery-proof link between the physical person of the holder and the holder’s identity.

Fig.2B illustrâtes a control process of the secured biométrie digital passport Ai of Fig.2A, with its passport data marking 230 corresponding to a certain John Doe, with its biometry data 230e corresponding to John Doe’s fingerprint, and with additional passport digital data corresponding to a digital identity photograph 255 of John Doe that is accessible via the link to the information database 250 included in the information access marking 240. The passport data further comprises the unique serial number 235 assigned by the authority having delivered the passport. The digital security marking 210 of the passport Ai contains the vérification information (D_bki), with passport digital data Di corresponding to the printed passport data 230a-230d, the biometry data 230e and the unique serial number 235, and the digital vérification key ki corresponding to the sequence of 10 node values {a(l,2),a(2,2),...,a(10,2)} which are necessary for retrieving the root value R from node value a(l,l) of digital passport Ai (with a(l,l) = xi = H(Di)). The reference root digital signature R may be time-stamped and stored in a blockchain 260. In this example, the biometry data 230e of the respective holders of the biométrie passports of the batch are also stored in the blockchain 260 in association with, respectively, their corresponding unique serial numbers (so as to make these data immutable). The stored biometry data of John Doe can be retrieved by sending a request to the blockchain 260 indicating the unique serial number 235 mentioned on his passport. The authorities in charge of controlling identity of people (for example, the police, the customs etc.) can access the blockchain 260 via a communication link, and, in this illustrative embodiment, hâve also local storage capabilities for storing the (published) root digital signatures of ail the delivered batches of biométrie digital passports. In the example shown on Fig.2B, the information database 250 is local (i.e. directly accessible to the authorities, without having to use a public communication network). Moreover, these authorities are equipped with fmgerprint scanners 270 to capture the fingerprints of individuals and calculate corresponding machine readable représentations of data characterizing the captured fingerprints, i.e. biometry data 230e.

During an identity control of John Doe, say by a police or a customs officer, the officer receives the secured biométrie digital passport Ai of John Doe, reads and décodés the vérification information (Di,ki) stored in the digital security marking 210 of the digital passport by means of an appropriate reader, that may be for example a suitably programmed computer 290, the computer being connected to the local storage capabilities 250. Having read the passport digital data Di and the digital vérification key ki and sent it to the computer 290, a dedicated application (with programmed hash function H and concaténation of node values) running on the computer 290 calculâtes the passport digital signature xi (as xi=H(Di)) and a candidate batch value R^c as: H(H(H(H(H(H(H(H(H(H(a(l,l)+a(l,2))+a(2,2))+..)+..)+..)+..)+..)+..)+a(9,2))+a(10,2)), i .e. the composition of ten times a hash function of a concaténation of the node value a(l, 1) and the node values in ki= {a(l,2),a(2,2),...,a(10,2)}. Then, the computer can, for example, search in the local information database 250 a reference root digital signature R matching the candidate value R^c: in case there is no matching, the passport is a forged one and “John Doe” (i.e. the screened individual claiming that his name is John Doe) may be arrested. In case R^c matches some stored reference root digital signature, the passport is considered as genuine and the officer may perform additional security checks:

- the officer retrieves the digital identity photograph 255 stored in the information database 250, by sending a request via the computer 290 containing the serial number 235 printed on Ai, receives it back and display the received identity photograph 255 on a screen of the computer 290: the officer can then visually compare the displayed visage (i.e. that of a certain John Doe) with that of the individual being checked and estimate if the two visages are similar or not; and - the officer retrieves the biometry data 230e on the passport Ai by reading these data on the digital security marking 210 with the computer 290, and scans the individual’s fingerprint by means of a fingerprint scanner 270 connected to the computer 290 and obtains the corresponding individual’s biometry data: the officer then checks by means of a program running on the computer 290 if the retrieved biometry data 230e is similar (within a given margin of error) to the obtained individual’s biometry data.

If the two visages and the biometry data are judged similar, everything is ail right and the checked individual is indeed the real John Doe, the owner of the genuine biométrie passport Ai.

In case of any one of the above additional security checks fails, clearly, the individual in front of the officer is not the true holder of the genuine biométrie passport Ai. Thus, with a secured biométrie digital passport according to the invention a mere offline check can quickly detect any fraud.

In fact, it is even possible to reduce a digital biométrie passport document to a mere digital file with just a digital représentation of a 2D barcode (like the above example of a QR code) including the vérification information V=(D,k): with V comprising the holder’s biography data and (unique) biometry data, like the holder’s fingerprint (within the passport digital data D) and the vérification key. Indeed, according to the invention, even this “reduced” secured digital passport takes full advantage of the above mentioned forgery-proof link created between the “personal biography data” and the “biometry data” of the passport holder, and the unique and forgery-proof link between the physical person of the holder and the holder’s identity.

Another illustrative embodiment of the invention relates to components of an aircraft, as shown on Fig.3. Due to the very high price of certain critical components from which failure could affect the security of the aircraft, like some parts of the reactors (e.g. turbine blades, pumps...) or of the landing gear, or batteries etc..., counterfeiters are interested to produce copies of these components but of course without complying with the required safety technical requirements due to their generally lower quality. Even if an aircraft component is generally marked with a corresponding unique serial number to identify it, that sort of marking may be easily counterfeited. These counterfeit airplane parts are generally defective and can cause severe damages or even plane crashes. This is a growing security problem today. Moreover, even if the components are genuine, they may not be convenient for certain versions of a same type of aircraft, and there is a serions risk that an inappropriate component is inadvertently used for repairing a given aircraft for example. It is thus important to secure at least the critical genuine components that are allowed for given aircraft.

Generally, each component has a corresponding (possibly digital) technical data sheet indicating e.g. the component technical name, the component unique serial number, the component manufacturer name, the manufacturing date of the component and certification information. Moreover, for a given aircraft, a corresponding record contains ail the (digital) technical data sheets of its respective components. However, counterfeited components may hâve their corresponding fake digital technical data sheet and thus, it is not obvious (unless by performing technical tests, for example) to detect fraud. For example, how to be sure that a digital technical data sheet corresponds well to a component mounted on a spécifie aircraft (and vice versa)?

According to an illustrative embodiment of the invention, the allowed parts to be used for manufacturing or repairing a given aircraft, or that are mounted on the aircraft, are considered as belonging to a batch of “components” (or “objects”) for that very aircraft.

In the spécifie illustrative embodiment shown on Fig.3, each component of an aircraft batch, i.e. each allowed aircraft component for mount or repair on a given aircraft, has a corresponding aircraft component digital identification document AC-ID that contains the same component digital data as in a conventional technical data sheet (e.g. the aircraft ID code, the aircraft manufacturer name, the component technical name, the component unique serial number, the component manufacturer name, and the manufacturing date of the component) together with additional digital data corresponding, to the aircraft ID code, the aircraft manufacturer name, the assembly date of the component on the aircraft, the name of the technician in charge of performing the conformity check together with the date of the conformity check, and the corresponding (unique) digital signature of the checker. Moreover, each aircraft component digital identification document AC-ID is secured by means of a machine readable digital security marking added to it. For clarity reason, the digital data of AC-ID:Ai25 is represented on Fig.3 as équivalent textual and alphanumerical information (i.e. human readable), and the digital security marking 310 is shown as équivalent conventional QR code two-dimensional pattern.

Preferably, each time a component or a set of components are replaced on the aircraft, corresponding secured digital AC-ID documents are created and a corresponding updated version of the aircraft batch is also created, with the above mentioned corresponding additional digital data (relating to the new mounting operations).

Thus, ail the (critical) mounted components on a spécifie aircraft (here, having the aircraft ID reference HB-SNO), belong to a corresponding batch of mounted components (here, having a total of μ components) and are documented in a corresponding batch of associated μ digital files, i.e. the digital identification document AC-ID. A digital security marking 310 (here in the form of a QR code) is included in each aircraft component digital identification document, for example AC-ID :Ai25, that is associated with the corresponding aircraft component, here A125, mounted on the aircraft HB-SNO. Fig.3 particularly shows the component A125 of the aircraft batch being a turbine blade adapted to the reactor type mounted on the aircraft HB-SNO and marked with a unique manufacturing serial number (here, 12781, generally engraved by the manufacturer). The component digital data D125 in the digital security marking 310 of the aircraft component digital identification document AC-ID: A125 associated with component A125 comprises the digital data corresponding to that of the technical data sheet: the aircraft ID code 330a (here, HB-SNO), the aircraft manufacturer name 330b (here, AeroABC), the component technical name 330c (here, turbine blade - l^st ring), the component serial number 330d (here, 12781), the component manufacturer name 330e (here, PCX), the manufacturing date of the component 330f (here, November 13, 2017), the assembly date of the component on the reactor 330g (here, February 24, 2018), the name of the technician in charge of performing the conformity check 330h (here, the checker is Martin White) together with the date of the conformity check 330i (here, March 20, 2018), and the (unique) digital signature of the checker 330j (here, 2w9s02u).

A component digital signature X125 of the component digital data D125 of the digital file AC-ID:Ai25 of component A125 is calculated by means of a one-way hash function H as X125 - H(D₁₂₅). In the same way, ail the component digital signatures Xj of the component digital data Di of component Aj are calculated by means of the one-way hash function H as Xj =

H(Di)(here, i = 1,...,μ). According to the invention, a tree associated with the batch of components Αι,...,Α_μ (here, a binary tree), and thus with the corresponding batch of digital files AC-ID:Ai,...,AC-ID:A_m, is built having μ leaf nodes a(l,l),...,a(l,p) respectively corresponding to the μ component digital signatures χι,...,χ_μ of respective component digital data ϋι,...,Ο_μ of the component digital identification documents AC-ID:Ai,...,AC-ID:A_g of components Αι,.,.,Αμ. Here, the nodes ordering of the binary tree is the conventional one, i.e. the nodes a(i,j) are arranged according to the values of the indexes (i,j): index i indicates the level in the tree, starting from the leaf nodes level (i=l) to the penultimate nodes level below the root node, and index j running from 1 to μ for the leaf nodes level (level 1), from 1 to μ/2 for the next (non-leaf) nodes level (level 2), etc. and from 1 to 2 for the penultimate nodes level. The tree comprising node levels from the leaf nodes to the root node, every non-leaf node of the tree corresponding to a digital signature by means of the one-way function H of a concaténation of the respective digital signatures of its child nodes according to the tree concaténation ordering.

A reference root digital signature R for the batch of μ aircraft components Ai,...Α_μ is calculated by means of a one-way function of a (conventional) concaténation of node values of the tree (as explained below). The reference root digital signature R is then stored in a searchable database (preferably a blockchain) accessible to technicians in charge of controlling or changing the mounted components. The tree thus comprises node levels from the leaf nodes to the root node of the tree, every non-leaf node of the tree corresponding to a digital signature by means of the one-way function H of a concaténation of the respective digital signatures of its (two) child nodes according to the tree concaténation ordering (here conventional), the root node corresponding to the reference root digital signature R, i.e. the digital signature by means of the one-way function H of a concaténation of the digital signatures of the nodes of the penultimate nodes level in the tree (according to the nodes ordering in the tree and the tree concaténation ordering).

For a given component A, of the batch, a digital vérification key kj, corresponding to the component digital signature x, (i.e. leaf node a(l,i)) of the component digital data D,, is calculated as the sequence of the respective digital signatures, from the leaf nodes level to the penultimate nodes level of the tree, of every other leaf node having the same parent node in the tree that the leaf-node a(l,i) corresponding to the digital signature Xi, and successively at each next level in the tree, of every non-leaf node having the same parent node in the tree that the previous same parent node considered at the preceding level. For each component A, mounted on the aircraft HB-SNO, the associated component digital data Dj and the corresponding digital vérification key kj are embedded in the digital security marking 310 included in the corresponding aircraft component digital identification document AC-ID:Aj.

For example, in case of a control operation of a component on the aircraft HBSNO, a technician may send a request to the searchable database containing the component serial number 12781 read on the digital file AC-ID:Ai25 of component A125 to be controlled, or its digital vérification key ki25 as read on the digital security marking 310 on the corresponding ACID :Ai25 document with an appropriate reader, as for example a computer programmed for decoding the content of the digital security marking,, and will receive back the corresponding batch value R. In a preferred variant allowing complété offline checking, the technician’s computer has a memory storing ail the root digital signatures relating to the aircrafts to be controlled. In this latter variant, the technician can then check if the component is genuine by reading the component digital data D125 on the digital security marking 310 of AC-ID:Ai25, checking that the unique serial number 330d (here, 12781) extracted from D125 matches the serial number physically marked on the mounted aircraft component A125, calculating the corresponding component digital signature X125 (for example, by running a programmed application on a processing unit CPU of the computer which calculâtes the signature X125 = H(D₁₂₅), from the read digital data D125), calculating a candidate batch value R^c via the one-way fiinction H programmed on the computer’s CPU as the hash of a concaténation of the leaf node value a(l,125)=xi25 and the node values given in the corresponding digital vérification key ki25, and checking that the candidate batch value R^c matches one of the reference root digital signatures stored in the computer’s memory (i.e. the reference value R, corresponding to the aircraft HB-SNO). In case of fiill matching (i.e. the serial numbers match and R^c = R), the component A125 is considered as genuine and belongs to the (up-to-date) aircraft batch of allowed components of the HB-SNO aircraft, if R^c does not match a stored reference root digital signature R, or if the serial numbers do not match, the component A125 is possibly counterfeit, or is a genuine component not allowed for the aircraft HB-SNO (e.g. A125 does not belong to the right batch for this aircraft), and must be changed.

In a same way, the invention would allow detecting fraud (or errors) from batches of secured AC-IDs of replacement parts stored in a warehouse by verifying the authenticity of the markings on the stored parts and checking that the component serial number from the digital security marking matches that marked on the corresponding component. In case of a highly critical component, a tamperproof material-based security marking may further be applied on the component, while the digital data relating to the corresponding reference unique physical characteristic, i.e. the characteristic digital data CDD (for example, as captured by a suitable sensor when applying the material-based security marking) of this marking is preferably made part of the component digital data D in the digital security marking of the aircraft component digital identification document for this component, and a corresponding reference 5 unique physical signature data UPS is calculated (for example, by taking a hash of the characteristic digital data CDD, i.e. UPS = H(CDD)) and may also be part of the component digital data D. This additional level of security improves the security provided by the unique serial number marked on the component by its manufacturer. Preferably, the reference UPC and UPS are stored in the blockchain (to make them immutable) and are accessible to the technician.

Moreover, these reference values may also be further stored in the memory of the technician’s computer in order to allow offline authentication of the material-based security marking on the highly critical component.

The further offline operation of authentication of this material-based security 15 marking may comprise measuring the unique physical characteristic on the component, by means of a suitable sensor connected to the computer, and obtaining a candidate characteristic digital data CDD^c from the measured characteristic (for example, via a spécifie application programmed in the CPU of the computer). Then, the technician (or the CPU of his computer, if suitably programmed) compares the obtained CDD^c with the copy of the reference CDD stored in the 20 memory of the computer: in case of “reasonable” matching CDD^c ~ CDD (i.e. within some predefined error tolérance criterion), the material-based security marking, and thus the component, are considered as genuine.

As above mentioned, a copy of the reference characteristic digital data CDD, 25 instead of being stored in the memory of the technician’s computer, is part of the digital data D included in the digital security marking in the aircraft component digital identification document AC-ID:A of the component A and can be obtained by direct reading of the digital security marking. The technician may then read the candidate CDD^c on the digital security marking and check that the signature UPS stored in the memory of the computer matches the candidate 30 signature UPS^C calculated from the read candidate CDD^c by computing UPS^C = H(CDD^C): in case of matching UPS^C = UPS, the material-based security marking, and thus the component, are confirmed as being genuine.

In a variant of the embodiment, the checking of authenticity of a component by a technician may altematively be performed via online process in a similar way as already explained with the first detailed embodiment of the invention, and will not be repeated here.

According to the invention, it is further possible to verify the authenticity of a copy of an aircraft component digital identification document, AC-ID:Ai25 for example, with respect to the original secured digital file. Indeed, if a technician in charge of control (or repair) operations has access to the digital file AC-ID:Ai25 on its computer (which may be, for example, a smartphone suitably programmed), he can check that the component digital data correspond to that of the original document by performing the following operations of:

- reading the component digital data D125 and the digital vérification key ki25 on the digital security marking 310 of the component digital identification document AC-ID:Ai25j

- acquiring a reference batch value R of the batch corresponding to the document AC-ID:Ai2s; this reference value may be already in the memory of the computer or may be acquired via a communication link from a database storing the reference batch values of aircraft component digital identification documents in case the computer is equipped with a communication unit, by sending a request containing, for example, the component (unique) serial number or merely the key ki25 read of the digital security marking 310, and receiving back the corresponding reference batch value R;

- calculating (with the programmed one-way function H) a component digital signature X125 from the read component digital data D125, with X125 = H(Di2s);

- calculating a candidate batch value R^c (by means of the programmed one-way hash function H and digital signature of a concaténation of digital signatures) as the digital signature by the hash function H of a concaténation of the leaf node value X125 and the node values indicated in the digital vérification key ki25 (according to the nodes ordering in the tree and the tree concaténation ordering); and

- verifying that the candidate batch value R^c matches the reference batch value R.

According to the above detailed description, the invention is clearly compatible with offline and local checking operations for verifying the authenticity of a secured digital file, or conformity of data of a copy of a secured digital file, with respect to the data associated with the original secured digital file. However, the invention is also compatible with online vérification process, for example by receiving (via a communication link) a reference batch value (or root digital signature) form an extemal source (e.g. server or blockchain), or performing some or ail the calculation steps involving the one-way function or the concaténation of digital signatures via extemal computing means (e.g. operating on a server), or even performing the vérification that a candidate root digital signature matches a reference root digital signature (and just receiving the resuit).

The above disclosed subject matter is to be considered illustrative, and not restrictive, and serves to provide a better understanding of the invention defined by the independent claims.

Claims

1. Method of securing a given original digital file belonging to a batch of a plurality of original digital files against forgery or tampering, each original digital file including its own digital data, characterized by comprising the steps of:

for each original digital file of the batch, calculating by means of a one-way function an associated digital file signature of its digital data;

forming a tree based on the plurality of calculated digital file signatures for the original digital files of the batch and comprising nodes arranged according to a given nodes ordering in the tree, said tree comprising node levels from the leaf nodes, corresponding to the plurality of digital file signatures respectively associated to the plurality of original digital files in the batch, to the root node of the tree, every non-leaf node of the tree corresponding to a digital signature by means of the one-way function of a concaténation of the respective digital signatures of its child nodes according to a tree concaténation ordering, the root node corresponding to a reference root digital signature, i.e. a digital signature by means of the one-way function of a concaténation of the digital signatures of the nodes of a penultimate nodes level in the tree according to said tree concaténation ordering;

associating with the given original digital file a corresponding digital vérification key being a sequence of the respective digital signatures, from the leaf nodes level to the penultimate nodes level, of every other leaf node having the same parent node in the tree that the leaf-node corresponding to the digital file signature of the given original digital file, and successively at each next level in the tree, of every non-leaf node having the same parent node in the tree that the previous same parent node considered at the preceding level;

making available to a user the reference root digital signature of the tree; and including in the given original digital file a corresponding machine readable digital security marking comprising a représentation of its digital data and its corresponding digital vérification key, thereby obtaining a marked original digital file of which digital data are secured against forgery or tampering.

2. Method according to claim 1, wherein the reference root digital signature of the root node of the tree is either published in a media accessible to the user, or stored in a searchable root database accessible to the user, or stored in a blockchain, or in a database secured by a blockchain, accessible to the user.

3. Method according to claim 2, wherein the marked original digital file further comprises root node access data included thereto and containing information sufficient to allow the user to access to the reference root digital signature of the root node of the tree corresponding to the batch of original digital files, said information being a link to an access interface opérable to 5 receive from the user a root request containing digital data, or digital file signature, obtained from a digital security marking of a marked original digital file, and send back a reference root digital signature of corresponding tree, the access interface allowing access to, respectively, one of the following:

- the media wherein the reference root digital signature is published;

10 - the searchable root database wherein the reference root digital signature is stored; and

4. Method according to any one of claims 1 to 3, wherein

15 a Virtual digital file is counted as belonging to the batch of original digital files, said virtual digital file including its own virtual digital data, and an associated virtual digital file signature obtained by means of the one-way function of the virtual digital data, said virtual digital file being not real but only used for generating the associated virtual digital file signature from its virtual digital data; and

2 0 the reference root digital signature associated with said batch of original digital files being calculated from a tree having ail the digital files signatures of the original digital files of the batch, including the virtual digital file signature, as leaf nodes.

5. Method according to any one of claims 1 to 4, wherein

2 5 additional digital data corresponding to the digital data associated with the marked original digital file are stored in a searchable information database accessible to the user via an information database interface opérable to receive from the user an information request containing digital data, or a digital file signature, obtained from a digital security marking of a marked original digital file, and send back corresponding additional digital data.

6. Method according to any one of claims 1 to 5, wherein the digital data of the marked original digital file include reference characteristic digital data of a corresponding unique physical characteristic of an associated object or individual.

7. Method according to claim 6, wherein the unique physical characteristic of the associated object or individual is, respectively, that of a material-based security marking applied on the associated object or identifying biométrie feature of the associated individual.

8. Method according to any one of daims 1 to 7, wherein the digital data of the respective original digital files of the batch are spread between given fields common to ail the digital files of the batch, and spécifie digital data relating to these fields are not included in the digital data but clustered in a separate fields data block associated with the batch, and wherein:

9. Method of verifying the authenticity of a digital file secured according to the method of any one of daims 1 to 7, or the conformity of a copy of such secured digital file with respect to the original one, characterized by comprising the steps of, upon processing a test file being said digital file or said copy of the digital file by means of a processing unit connected to a memory:

having stored in the memory the test file;

reading a représentation of digital data and of a digital vérification key on a digital security marking of the stored test file, and extracting respectively corresponding test digital data and test digital vérification key from said read représentation;

having stored in the memory a reference root digital signature of a root node of a tree of the batch of original digital files, and having programmed in the processing unit the one-way function to calculate a digital signature of digital data and of a concaténation of digital signatures according to the nodes ordering in the tree and the tree concaténation ordering;

verifying whether the extracted test digital data and associated test digital vérification key indeed correspond to the stored reference root digital signature by performing the steps of:

calculating with the one-way function a test digital signature of the extracted test digital data, said test digital signature corresponding to a test leaf node in a test tree corresponding to the digital security marking of the test file;

extracting from the sequence of digital signatures in the test digital vérification key, a digital signature of every other leaf node of the test tree having the same parent node than that of the test leaf node and calculating a digital signature of a concaténation of the test digital signature and the extracted digital signature of said every other leaf node, thus obtaining a digital signature of said same parent node of the test leaf node;

successively at each next level in the test tree and up to the penultimate nodes level, extracting from the sequence of digital signatures in the test digital vérification key, a digital signature of every other non-leaf node of the test tree having the same parent node than that of the previous same parent node considered at the preceding step and calculating a digital signature of a concaténation of the digital signature of said respective every other non-leaf node and the obtained digital signature of said previous same parent node, thus obtaining a digital signature of said same parent node of said previous same parent node;

calculating a digital signature of a concaténation of the obtained digital signatures of the non-leaf nodes corresponding to the penultimate nodes level of the test tree, thus obtaining a candidate root digital signature of the root node of the test tree; and checking whether the obtained candidate root digital signature matches the stored reference root digital signature, whereby, in case said root digital signatures match, the digital data of the test file are that of a genuine digital file.

10. Method according to claim 9, wherein the marked original digital file is secured according to the method of claim 8, the memory of the processing unit further storing the associated fields data block, and wherein:

the step of calculating a test digital signature corresponding to a test leaf node in a test tree corresponding to the digital security marking on the test file comprises calculating with the oneway function a digital signature of a concaténation of the extracted test digital data and the stored fields data block.

11. Method according to any one of daims 9 and 10, wherein the digital file is secured by storing the reference root digital signature in a searchable root database accessible to the user according to the method of claim 2, and the processing unit is further connected to a communication unit opérable to send and receive back data via a communication link, comprising the preliminary steps of:

sending with the communication unit via the communication link a request to said root database, and receiving back the reference root digital signature; and storing the received root digital signature in the memory of the memory.

12. Method according to any one of daims 9 and 10, wherein the digital file is secured according to the method of claim 3, the processing unit is further connected to a communication unit opérable to send and receive data via a communication link, comprising the preliminary steps of:

reading the root node access data included in the test file;

sending with the communication unit via the communication link a root request to said access interface containing digital data, or a digital signature of said digital data, obtained from the digital security marking on the test file, and receiving back a corresponding reference root digital signature of associated batch; and storing the received reference root digital signature in the memory.

13. Method according to any one of daims 9 to 12, wherein the digital file is secured according to the method of claim 5 and the imager is further equipped with communication means opérable to send to the information database interface an information request containing digital data, or a digital file signature, obtained from the digital security marking of the test file, and receive back corresponding additional digital data.

14. Method according to any one of daims 9 to 13, wherein the digital file is secured according to the method of any one of daims 6 and 7 and the imager is further equipped with a sensor opérable to detect a unique physical characteristic of respectively an associated object or individual, and the processing unit is programmed to extract corresponding characteristic digital data from a détection signal received from the sensor, the imager having stored in the memory reference characteristic digital data CDD corresponding to said unique physical characteristic of respectively the associated object or individual, comprising the further steps of, upon viewing a subject being said associated object or individual:

detecting with the sensor a unique physical characteristic of the subject and extracting corresponding candidate characteristic digital data CDD^c;

comparing the obtained candidate characteristic digital data CDD^c with the stored reference characteristic digital data CDD; and in case the candidate characteristic digital data CDD^c is similar to the stored reference characteristic digital data CDD, within a given tolérance criterion, the subject is considered as corresponding respectively to a genuine object or individual validly associated with a genuine digital file.

15. Digital file belonging to a batch of a plurality of original digital files and secured according to the method of any one of daims 1 to 8, each original digital file of the batch having its own digital data and corresponding digital vérification key, said batch having a corresponding reference root digital signature, comprising:

a machine readable security marking including a représentation of its digital data and its vérification key.

16. Digital file according to claim 15, wherein the digital data include reference characteristic digital data CDD of a corresponding unique physical characteristic of an associated object or individual.

17. Digital file according to claim 16, wherein the unique physical characteristic of the associated object is that of a material-based security marking applied on the associated object.

18. System for verifying the authenticity of a digital file, or the conformity of a copy of such digital file, with respect to a marked original digital file belonging to a batch of original digital files secured according to the method of any one of daims 1 to 7, comprising an imager having an imaging unit, a processing unit with a mernory, and an image processing unit, the memory storing a reference root digital signature of a tree corresponding to the batch of original digital files, and the one-way fimction to calculate a digital signature of digital data and of a concaténation of digital signatures according to the nodes ordering of the tree and the tree concaténation ordering being programmed in the processing unit, said System being opérable to:

hâve stored in the memory a test file being said digital file or said copy of the digital file;

read a représentation of digital data and of a digital vérification key on a digital security marking of the stored test file, and extract respectively corresponding test digital data and test digital vérification key from said read représentation;

verify whether the extracted test digital data and test digital vérification key indeed correspond to the stored reference root digital signature by performing on the processing unit the programmed operations of:

calculating with the one-way fimction a test digital signature of the extracted test digital data, said test digital signature corresponding to a test leaf node in a test tree corresponding to the digital security marking of the test file;

calculating a digital signature of a concaténation of the obtained digital signatures of the non-leaf nodes corresponding to the penultimate nodes level of the test tree, thus obtaining a candidate root digital signature of the root node of the test tree; and checking whether the obtained candidate root digital signature matches the stored reference root digital signature, whereby, in case said root digital signatures match, the System is configured to deliver an indication that the digital data of the test file are that of a genuine digital file.

19. System according to claim 18, wherein the marked original digital file is secured according to the method of claim 8, the memory of the processing unit further storing the associated fields data block, and wherein:

the programmed operations of calculating a test digital signature corresponding to a test leaf node in a test tree corresponding to the digital security marking of the test file comprise calculating with the one-way function a digital signature of a concaténation of the extracted test digital data and the stored fields data block.

20. System according to any one of daims 18 and 19, wherein the marked original digital file belongs to a batch of original digital files secured according to the method of any one of daims 6 and 7, the System being further equipped with a sensor connected to the processing unit and opérable to detect a unique physical characteristic of an associated object or individual, and the processing unit being programmed to extract corresponding characteristic digital data from a détection signal received from the sensor, the System having stored in the memory reference characteristic digital data CDD corresponding to said unique physical characteristic of the associated object or individual, the System being further opérable to:

detect with the sensor a unique physical characteristic of a subject being said associated object or individual, and extract corresponding candidate characteristic digital data CDD^c;

compare the obtained candidate characteristic digital data CDD^c with the stored reference characteristic digital data CDD; and in case the candidate characteristic digital data CDD^c is similar to the stored reference characteristic digital data CDD, within a given tolérance criterion, deliver an indication that the subject is considered as genuine.