OA19924A

OA19924A - Article anti-forgery protection.

Info

Publication number: OA19924A
Application number: OA1202100003
Authority: OA
Inventors: Eric Decoux; Philippe Gillet; Philippe THEVOZ; Elisabeth WALLACE
Original assignee: Sicpa Holding Sa
Priority date: 2018-07-10
Filing date: 2019-06-03
Publication date: 2021-07-14

Abstract

The invention relates to securing of an article against forgery and falsifying of its associated data, and particularly of data relating to its belonging to a specific batch of articles, while allowing offline or online checking of the authenticity of a secured article and conformity of its associated data with respect to that of a genuine article.

Description

TECHNICAL FIELD

The présent invention relates to the technical field of protection of articles and 5 data marked on such articles against forgery or tampering, as well as of conformity of digital images of such marked articles with the original ones, and traceability of articles.

BACKGROUND ART

From mechanical parts, electronic components, pharmaceutics, and countless other articles, the problems of counterfeiting and tampering are well known, serious, and growing. Moreover, tampering of data associated with an article is also a serious concem. The example of falsifying data marked on an original printed document such as an identity document or a diploma (article) is well known, and the concem is even worse if considering a digital copy 15 or a photocopy of the original (possibly genuine) document. Simply keeping track of identifiers such as serial numbers is in general an insufficient response, because counterfeiters can easily copy such numbers as well.

There are many other security schemes for articles of manufacture but they 20 typically do not provide a sufficient level of security, they hâve too high an administrative overhead in terms of information that must be stored and accessed, they are often impractical for use except in well-controlled environments, or they simply cannot be implemented physically. For example, many schemes for digitally securing documents in a vérifiable manner are not suitable for use in contexts that involve many physical items on which it is impractical or 2 5 otherwise undesirable to mark them with corresponding signatures.

One other drawback of most conventional methods for insuring the authenticity of articles, or securing their associated data, is that they tend to view articles in isolation, even if they are members of a well-defined group such as a production batch for example. This ignores 3 0 valuable authenticating information.

A conventional way of securing an article is to apply on it a material-based security marking (possibly tamperproof), i.e. a marking having détectable intrinsic physical or Chemical property that is very hard (if not impossible) to reproduce. If an appropriate sensor detects this intrinsic property on a marking, this marking is then considered as genuine with a high degree of confidence, and thus also the corresponding marked article. There are many examples of such known authenticating intrinsic properties: the marking can include some particles, possibly randomly dispersed, or has a spécifie layered structure, having intrinsic optical reflection or transmission or absorption or even émission (luminescence, for example, or polarization or diffraction or interférence...) properties, possibly détectable upon spécifie illumination conditions with “light” of spécifie spectral content. This intrinsic property can resuit from the spécifie Chemical composition of the material of the marking: for example, luminescent pigments (possibly not commercially available) can be dispersed in an ink used for printing some pattern on the article and are used to émit spécifie light (for example, in a spectral window within the infrared range) upon illumination with a spécifie light (for example, with light in the UV spectral range). This is used for securing banknotes, for example. Other intrinsic properties can be used: for example, the luminescent particles in the marking can hâve a spécifie luminescence émission decay time after illumination with an appropriate excitation light puise. Other types of intrinsic properties are the magnetic property of included particles, or even a “fingerprint” property of the article itself such as, for example, the relative positioning of inherently randomly dispersed fibers of a paper substrate of a document, in a given zone on the document, which, when observed at sufficient resolution, can serve to extract a unique characterizing signature, or some random printing artefacts of data printed on the article which, viewed with sufficient magnification, can also lead to a unique signature etc.... The main problem with an inhérent fingerprint property of an article is its robustness with respect to aging or wear. However, a material-based security marking does not always allow also securing data associated with the marked article: for example, even if a document is marked with a materialbased security marking like a logo printed with a security ink in some zone of the document, data printed on the remaining part of the document can still be falsified. Moreover, too complex authenticating signatures often necessitate significant storage capabilities involving external databases, and communication links for querying such databases, so that offline authentication of an article is not possible.

It is therefore an object of the invention to secure an article against forgery and falsifying of its associated data, and particularly of data relating to its belonging to a spécifie batch of articles. It is also an object of the invention to allow offline checking of the authenticity of an object secured according to the invention and conformity of its associated data with respect to that of a genuine secured object.

SUMMARY OF THE INVENTION

According to one aspect the invention relates to a method of securing a given original article belonging to a batch of a plurality of original articles against forgery or tampering, each original article having its own associated article data and corresponding article digital data, comprising the steps of:

- for each original article of the batch, calculating by means of a one-way function an associated article digital signature of its corresponding article digital data;

- forming a tree based on the plurality of calculated article digital signatures for the original articles of the batch and comprising nodes arranged according to a given nodes ordering in the tree, said tree comprising node levels from the leaf nodes, corresponding to the plurality of article digital signatures respectively associated to the plurality of original articles in the batch, to the root node of the tree, every non-leaf node of the tree corresponding to a digital signature by means of the one-way function of a concaténation of the respective digital signatures of its child nodes according to a free concaténation ordering, the root node corresponding to a reference root digital signature, i.e. a digital signature by means of the one-way function of a concaténation of the digital signatures of the nodes of a penultimate nodes level in the tree according to said tree concaténation ordering;

- associating with the given original article a corresponding vérification key being a sequence of the respective digital signatures, from the leaf nodes level to the penultimate nodes level, of every other leaf node having the same parent node in the tree that the leaf-node corresponding to the article digital signature of the given original article, and successively at each next level in the tree, of every non-leaf node having the same parent node in the tree that the previous same parent node considered at the preceding level;

- making available to a user the reference root digital signature of the tree; and

- applying on the given original article a machine readable security marking including a représentation of its corresponding article digital data and its corresponding vérification key, thereby obtaining a marked original article of which article data is secured against forgery or tampering.

The reference root digital signature of the root node of the tree may either be published in a media accessible to the user, or stored in a searchable root database accessible to the user, or stored in a blockchain, or in a database secured by a blockchain, accessible to the user.

Thus, according to the invention, the entanglement of the article digital signatures of ail the articles of a batch, due to the tree structure and use of robust one-way functions for calculating the node values, together with the root digital signature of the tree made immutable and the inclusion of the article digital data and its associated vérification key in a security marking applied on the corresponding article, allow tracking and tracing the marked articles with a very high level of reliability while preventing falsification of data and forgery of the marked articles.

The marked original article may further comprise root node access data marked thereto and containing information sufficient to allow the user to access to the reference root digital signature of the root node of the tree corresponding to the batch of original articles, said information being a link to an access interface opérable to receive from the user a root request containing article digital data, or a digital signature of article digital data, obtained from a security marking of a marked original article, and send back a reference root digital signature of corresponding tree, the access interface allowing access to, respectively, one of the following: - the media wherein the reference root digital signature is published;

- the searchable root database wherein the reference root digital signature is stored; and

- the blockchain, or respectively the database secured by a blockchain, wherein the time-stamped reference root digital signature is stored.

According to the invention, it is also possible that:

- a virtual article is counted as belonging to the batch of original articles, said virtual article having associated virtual article data and its corresponding virtual article digital data, and an associated virtual article digital signature obtained by means of the one-way function of the virtual article digital data, said virtual article being not produced but only used for generating the associated virtual article digital signature; and

- the reference root digital signature associated with said batch of original articles being calculated from a tree having ail the article digital signatures of the original articles of the batch, including the virtual article digital signature, as leaf nodes.

In order to hâve shorter signatures the one-way function may be a hash function and an article digital signature of an original article may be a sequence of a given plurality of bits of lower weights selected from the bits of a hash value of the corresponding article digital data.

In the above method, additional article digital data corresponding to the article data associated with the marked original article may be stored in a searchable information database accessible to the user via an information database interface opérable to receive from the user an information request containing article digital data, or a digital signature of article digital data, obtained from a security marking of a marked original article, and send back corresponding additional article digital data. The additional article digital data corresponding to the article digital data associated with the marked original article may further be concatenated with said article digital data, whereby also the additional article digital data are secured against forgery or tampering.

Moreover, the marked original article may further comprise a corresponding article data marking applied thereto, said article data marking including the corresponding article data associated with said marked original article.

The above mentioned article digital data of the marked original article may include corresponding reference characteristic digital data of a unique physical characteristic of the marked original article, or of an associated object or individual. Moreover, the unique physical characteristic of the marked original article may be that of a material-based security marking applied on the original article, or on the associated object.

In the above method, the sequence of digital signatures of the vérification key included in the article security marking may be arranged according to a sequence ordering of the nodes which is distinct from the ordering of corresponding nodes defmed by the tree concaténation ordering, and the article security marking may further include an ordering code associated with said sequence ordering.

According to the invention, in case the article digital data of the respective original articles of the batch are spread between given fields common to ail the articles of the batch, digital data relating to these fields may not be included in the article digital data but may be clustered in a separate fields data block associated with the batch, and wherein:

i) the article digital signature of an original article is calculated with the one-way function of a concaténation of the corresponding article digital data and the digital data of the fields data block; and ii) the reference root digital signature is made available to the user together with the associated fields data block.

Another aspect of the invention relates to a method of verifying the authenticity of an article, or the conformity of a copy of such article, with respect to a marked original article belonging to a batch of original articles secured according to the above securing method, comprising the steps of, upon viewing a test object being said article or said copy of the article:

- acquiring a digital image of a security marking on the test object by means of an imager having an imaging unit, a processing unit with a memory, and an image processing unit;

- reading a représentation of article digital data and an associated vérification key on the acquired digital image of the security marking on the test object, and extracting respectively corresponding test article digital data and test vérification key from said read représentation;

- having stored in the memory a reference root digital signature of a root node of a tree of the batch of original articles, and having programmed in the processing unit the one-way function to calculate a digital signature of digital data and of a concaténation of digital signatures according to the nodes ordering in the tree and the tree concaténation ordering;

- verifying whether the extracted test article digital data and associated test vérification key indeed correspond to the stored reference root digital signature by performing the steps of:

- calculating with the one-way function a test digital signature of the extracted test article digital data, said test digital signature corresponding to a test leaf node in a test tree corresponding to the security marking on the test object;

- extracting from the sequence of digital signatures in the test vérification key, a digital signature of every other leaf node of the test tree having the same parent node than that of the test leaf node and calculating a digital signature of a concaténation of the test digital signature and the extracted digital signature of said every other leaf node, thus obtaining a digital signature of said same parent node of the test leaf node;

- successively at each next level in the test tree and up to the penultimate nodes level, extracting from the sequence of digital signatures in the test vérification key, a digital signature of every other non-leaf node of the test tree having the same parent node than that of the previous same parent node considered at the preceding step and calculating a digital signature of a concaténation of the digital signature of said respective every other non-leaf node and the obtained digital signature of said previous same parent node, thus obtaining a digital signature of said same parent node of said previous same parent node;

- calculating a digital signature of a concaténation of the obtained digital signatures of the non-leaf nodes corresponding to the penultimate nodes level of the test tree, thus obtaining a candidate root digital signature of the root node of the test tree; and

- checking whether the obtained candidate root digital signature matches the stored reference root digital signature, whereby, in case said root digital signatures match, the article data on the test object are that of a genuine article.

If the marked original article is secured while having the above mentioned separate fields data block, the memory of the processing unit may further store said associated fields data block, and the step of calculating a test digital signature corresponding to a test leaf node in a test tree corresponding to the security marking on the test object may comprise 15 calculating with the one-way function a digital signature of a concaténation of the extracted test article digital data and the digital data of the stored fields data block.

If the article has been secured by storing the reference root digital signature in a searchable root database accessible to the user, the imager being further equipped with a 2 0 communication unit opérable to send and receive back data via a communication link, the above verifying method may comprise the preliminary steps of:

- sending with the communication unit via the communication link a request to said root database, and receiving back the reference root digital signature; and

- storing the received root digital signature in the memory of the imager.

In case the secured article comprises root node access data as explained above, and the imager is further equipped with a communication unit opérable to send and receive data via a communication link, the above verifying method may comprise the preliminary steps of: - reading the root node access data marked on the test object with the imager;

- sending with the communication unit via the communication link a root request to said access interface containing the article digital data, or a digital signature of said article digital data, obtained from the security marking on the test object, and receiving back a corresponding reference root digital signature of associated batch; and

- storing the received reference root digital signature in the memory of the imager.

The secured article may comprise additional article digital data as explained above, and the imager may further be equipped with communication means opérable to send to the information database interface an information request containing article digital data, or corresponding article digital signature data, obtained from the security marking on the test object, and receive back corresponding additional article digital data.

If the secured article includes an article data marking as explained above, the method may comprise the further steps of:

- reading article data marked on an article data marking on the test object with the imager; and 10 - checking that the article data read from the article data marking correspond with the article digital data extracted from the security marking on the test object.

Moreover, if the secured article includes reference characteristic digital data as explained above, and the imager is further equipped with a sensor opérable to detect a unique 15 physical characteristic of respectively a marked original article, or of an associated object or individual, and the processing unit is programmed to extract corresponding characteristic digital data from a détection signal received from the sensor, the imager having stored in the memory reference characteristic digital data CDD corresponding to said unique physical characteristic of respectively the marked original article, or of the associated object or individual, the above method my comprise the further steps of, upon viewing a subject being said article or said associated object or individual:

- detecting with the sensor a unique physical characteristic of the subject and extracting corresponding candidate characteristic digital data CDD^C;

- comparing the obtained candidate characteristic digital data CDD^c with the stored reference 2 5 characteristic digital data CDD; and

- in case the candidate characteristic digital data CDD^c is similar to the stored reference characteristic digital data CDD, within a given tolérance criterion, the subject is considered as corresponding respectively to a genuine article, or an object or individual validly associated with a genuine article.

A further aspect of the invention relates to a method of verifying the conformity of an article digital image of an article with respect to a marked original article belonging to a batch of original articles secured according to the above mentioned securing method, comprising the steps of:

- obtaining the article digital image showing a security marking on the article by means of an imager having an imaging unit, a processing unit with a memory, and an image processing unit;

- reading a représentation of article digital data and of an associated vérification key on the obtained digital image of the security marking, and extracting respectively corresponding test article digital data and associated test vérification key from said read représentation;

- verifying whether the extracted test article digital data and test vérification key indeed correspond to the stored reference root digital signature by performing the steps of:

- checking whether the obtained candidate root digital signature matches the stored reference root digital signature, whereby, in case said root digital signatures match, the article digital image is that of a genuine marked original article.

In case the batch of secured marked original article has an associated fields data block as explained above, the memory of the processing unit further storing the associated fields data block, the step of calculating a test digital signature corresponding to a test leaf node in a test tree corresponding to the security marking on the test object may comprise calculating 5 with the one-way function a digital signature of a concaténation of the extracted test article digital data and the digital data of the stored fields data block.

If the original article has been secured by storing the reference root digital signature in a searchable root database accessible as mentioned above, and the imager is further 10 equipped with a communication unit opérable to send and receive back data via a communication link, the method may comprise the preliminary steps of:

- storing the received root digital signature in the memory of the imager.

If the original article includes root node access data as mentioned above, and the imager is further equipped with a communication unit opérable to send and receive data via a communication link, the method may comprise the preliminary steps of:

- reading root node access data marked on the article digital image with the imager;

- sending with the communication unit via the communication link a root request to the access interface containing the extracted test article digital data, or the calculated test digital signature, and receiving back a reference root digital signature of the root node of the tree of the batch of original articles; and

If the marked original article has associated additional article digital data stored in a searchable information database as mentioned above, the imager may further be equipped with communication means opérable to send to the information database interface an information request containing test article digital data, or test article digital signature data, and receive back 3 0 corresponding additional article digital data.

In case the secured original article includes reference characteristic digital data as mentioned above, and the imager is further equipped with a sensor opérable to detect a unique physical characteristic of respectively an object or an individual associated with a marked 35 original article, and the processing unit is programmed to extract corresponding characteristic digital data from a détection signal received from the sensor, the imager having stored in the memory reference characteristic digital data CDD corresponding to said unique physical characteristic of respectively the associated object or individual, the method may comprise the further steps of, upon viewing a subject being said associated object or individual:

- comparing the obtained candidate characteristic digital data CDD^C with the stored reference characteristic digital data CDD; and

- in case the candidate characteristic digital data CDD^c is similar to the stored reference characteristic digital data CDD, within a given tolérance criterion, the subject is considered as corresponding respectively to an object or individual validly associated with a genuine marked original article.

Another aspect of the invention relates to an article belonging to a batch of a plurality of original articles and secured against forgery or tampering according to the above mentioned securing method, each original article of the batch having its own article digital data and corresponding vérification key, said batch having a corresponding reference root digital signature, comprising:

- a machine readable security marking applied on the article and including a représentation of its article digital data and its vérification key.

The article digital data of the above article may include reference characteristic digital data CDD of a corresponding unique physical characteristic of the article, or of an associated object or individual. Moreover the unique physical characteristic of the article may be that of a material-based security marking applied on the article.

Another aspect of the invention relates to a system for verifying the authenticity of an article, or the conformity of a copy of such article, with respect to a marked original article belonging to a batch of original articles secured with dual material and digital protection against forgery or tampering, according to the above mentioned securing method, comprising an imager having an imaging unit, a processing unit with a memory, and an image processing unit, the memory storing a reference root digital signature of a tree corresponding to the batch of original articles, and the one-way function to calculate a digital signature of digital data and of a concaténation of digital signatures according to the nodes ordering in the tree and the tree concaténation ordering being programmed in the processing unit, said system being opérable to:

- acquire with the imager a digital image of a security marking on a test object being said article or said copy of the article;

- read with the imager a représentation of article digital data and of an associated vérification key on the acquired digital image of the security marking on the test object, and extract respectively corresponding test article digital data and test vérification key from said read représentation;

- verify whether the extracted test article digital data and associated vérification key indeed correspond to the stored reference root digital signature by executing on the processing unit the further programmed steps of:

- calculating with the one-way function a test digital signature from the calculated digital signature of the extracted test article digital data, said test digital signature corresponding to a test leaf node in a test tree corresponding to the security marking on the test object;

- checking whether the obtained candidate root digital signature matches the stored reference root digital signature, whereby, in case said root digital signatures match, the system is configured to deliver an indication that the article data on the test object are that of a genuine article.

If the marked original article has an associated fields data block as above mentioned, the memory of the processing unit further storing the associated fields data block, the step of calculating a test digital signature corresponding to a test leaf node in a test tree corresponding to the security marking on the test object then comprises calculating with the oneway function a digital signature of a concaténation of the extracted test article digital data and the digital data of the stored fields data block.

Another aspect of the invention relates to a system for verifying the conformity of an article digital image of an article with respect to a marked original article belonging to a batch of original articles secured according to the above securing method, comprising an imager having an imaging unit, a processing unit with a memory, and an image processing unit, the memory storing a reference root digital signature of a tree corresponding to the batch of original articles, and the one-way function to calculate a digital signature of digital data and of a concaténation of digital signatures according to the nodes ordering in the tree and the tree concaténation ordering being programmed in the processing unit, said system being opérable to: - obtain the article digital image showing a security marking on the article by means of the imager;

- read with the imager a représentation of article digital data and of an associated vérification key on the obtained digital image of the security marking, and extract respectively corresponding test article digital data and associated test vérification key from said read représentation;

- verify whether the extracted test article digital data and test vérification key indeed correspond to the stored reference root digital signature by executing on the processing unit the further programmed steps of:

- checking whether the obtained candidate root digital signature matches the stored reference root digital signature, whereby, in case said root digital signatures match, the System is configured to deliver an indication that the article digital image is that of a genuine marked original article.

If the marked original article has an associated fields data block as above mentioned, the memory of the processing unit further storing the associated fields data block, the step of calculating a test digital signature corresponding to a test leaf node in a test tree corresponding to the security marking on the test object may comprise calculating with the oneway function a digital signature of a concaténation of the extracted test article digital data and the digital data of the stored fields data block.

The présent invention will be described more fully hereinafter with reference to the accompanying drawings in which like numerals represent like éléments throughout the different figures, and in which prominent aspects and features of the invention are illustrated.

BRIEF DESCRIPTION OF THE DRAWINGS

Fig.l is a schematic view of a general concept of securing a batch of articles according to the invention.

Fig.2A illustrâtes a secured biométrie passport as an example of biométrie identity document secured according to the invention.

Fig.2B illustrâtes a control of an individual having the secured biométrie passport of Fig.2A by an authorized officer.

Fig.3 illustrâtes a batch of components of an aircraft secured according to the invention.

Fig.4 illustrâtes a batch of pharma products secured according to the invention.

DETAILED DESCRIPTION

The présent disclosure is here described in detail with reference to non-limiting embodiments illustrated in the drawings.

Figure 1 illustrâtes a general concept of the invention relating to securing a batch of articles and a method of computing an encoding of verifying information that may be associated with each article. Figure 1 illustrâtes a group or batch of articles and its associated tree wherein, for simplicity, only eight articles are shown: Ai,...,As, which may be anything capable of bearing or containing a physical machine readable security marking 110 (here illustrated by a 2D barcode, but could be a ID barcode or a RFID marking etc.) or of bearing something that in tum bears or contains the physical security marking. An article could be a manufactured item or its packaging, a physical document or image, a package containing several items (such as a blister pack of medicine), or a container containing pallets of cartons of goods etc. Even a person or animal could be an article in the sense of the embodiments of the invention; for example, authorized attendees at an event or members of a group, or members of a flock or herd, could carry some form of ID badge or (especially in the case of animais) be physically marked.

A batch might, for example, be a common manufacturing run, items delivered by a particular supplier, items made or shipped during a time period, a set of related images, a group of people, a flock or herd, or any other user-defined grouping of any objects for which data Ai can be defined. Any one of the articles shown on Figure 1 could be a virtual article A_v, which is an optional software construct that may be included to enable encoding of selected data. This is explained further below. For example, one of the eight articles, e.g. article A₈, may in fact be a virtual article A_v that is counted as belonging to the batch of eight articles, and is treated as any one of the other seven real articles since it may be processed substantially in the same way (although it does not correspond to a real object). Of course, a plurality of virtual articles A_vi,A_V2,...,Avk can be used for encoding digital data and produce more robust article digital signatures (see below).

For each article Ai,A2,...,A7,A_v of the batch (with A₈ = A_v) respective article digital data Di,D2,...,D7,D_v (with D₈ = D_v) are associated or extracted (or, in the case of virtual article A_v, created) using any appropriate method. This data might be some measure of physical characteristics, textual data such as completed form or product information, a serial number or other identifier, indications of content, a digital représentation of an image, or any other information that the System designer chooses to associate with an article. The article digital data Dj may be extracted from human readable data (e.g. alphanumeric data) marked on an article (e.g. printed on the article or on a label affîxed on the article) by means of a reader capable to produce a corresponding digital data file. Further digital data (e.g. instruction for use of the article or safety instructions etc.) can be associated with the extracted data to constitute the article digital data Dj.

For the virtual article A_v, the associated digital data may include, for example, a batch identification number, the number of articles in the batch, a (pseudo-) random number for the sake of increasing security by increasing data entropy, date and/or time information, etc. One other form of associated data might be indications of allowable or non-permissible operations rules, expiration dates, etc. In short, the digital data D_v may be anything that can be represented in digital form.

For each article ofthe batch, its respective digital article data Di,D2,...,D7,D_v is preferably transformed mathematically in such a way that it is essentially concealed, although this is not an absolute requirement for any embodiment. This transformation applied to the article digital data Di of an article Ai serves to create a corresponding digital signature χμ This digital signature is produced by means of a one-way function, i.e. a function easy to compute but hard to invert (see S. Goldwasser and M. Bellare “Lecture Notes on Cryptography”, MIT, July 2008, http ://www-cse.ucsd. edu/users/mihir).

One such advantageous transformation is, for example, applying a hash function H( ) = hash( ) to the article digital data, which generally has the property that it returns an output of a known bit length regardless of the size of the input: this technical effect is particularly useful for creating a digital signature of digital data associated to an article, regardless of the size of the associated article digital data and that of the batch. The Hash function is a well-known example of a one-way function. If a cryptographie hash function such as the SHA (Secure Hash Algorithm) class of functions, for example, SHA-256, is used, then there are the additional benefits that the function is practically irréversible and collision résistant, that is, the probability is negligible that two different inputs will lead to the same output. As will be understood from the description below, this is also not a requirement of the invention, although it is advantageous for the same reasons as in other applications. As shown in Figure 1, the values xi,X2,X3,...,xs are the hash values, i.e. the associated article digital signatures, of the respective article datasets, that is, Xj = H(Dj), for j=l,...,8 (in case A₈ ξ a_v, then D₈ ξ d_v and x₈ ξ x_v = H(D_v)).

In order to shorten the signature, the article digital signature Xj of article Aj may even be just a sequence of a given plurality of bits of lower weights selected from the bits of the hash value H(Dj): for example, with the SHA-256 hash function of the SHA-2 family, it suffices to retain only the 128 bits of lower weights from the 256 bits of the signature to still hâve a robust signature with respect to codebreaking attack.

Fig.l shows a batch of eight marked original articles Ai,...,A₈, each having a corresponding security 110 marking applied on it, and illustrâtes the method of securing the articles and their respective associated article digital data D1,...D8 by means of a tree of article digital signatures. Trees associated with digital signatures are well known (binary hash trees, nary hash trees, or Merkle trees), they generally hâve base nodes, or leaf nodes, which are used to build next (intermediate) level nodes by digitally signing a concaténation of the digital signatures associated with the leaf nodes according to a certain grouping of the leaf nodes. In case of a binary tree, the digital signatures associated with the first intermediate level nodes are respectively calculated by digitally signing (e.g. with a one-way hash function H, or a one-way elliptic curve function...) a concaténation of the digital signatures associated with two consecutive leaf nodes. In case of a n-ary tree, the values of the first intermediate level nodes are obtained by concaténation of the values of n consecutive leaf nodes. A tree may as well hâve a more complex structure (mixed-trees) as the concaténation of the leaf nodes may be performed by pairs of consecutive nodes for certain leaf nodes, by triplet of nodes for other consecutive leaf nodes etc. For reasons of simplicity, a mere binary tree with eight leaf nodes is shown on Fig. 1 : the respective values of the eight leaf nodes a(l,l),...,a(l,8) of the tree, respectively corresponds to the article digital signatures xi = H(Di),..., x₈ = H(D₈). The value of the first index, i.e. “1”, for ail the leaf nodes indicates the first level (or base level) of the tree, and the second index running from 1 to eight indicates the (leaf) nodes ordering of the tree. The values of the next level (non-leaf) nodes, i.e. the four nodes of level two a(2,l), a(2,2), a(2,3) and a(2,4), are obtained by digitally signing a concaténation (symbolically represented by an operator “+”), here by means of a hash function, of the values of pairs of leaf nodes, i.e. pairs of their child nodes in the tree. This grouping of child nodes for obtaining the values of the nodes of the next level defines the tree concaténation ordering. For simplifying the notations, we use the node symbol a(i,j) to also represent its associated value (i.e. its associated digital signature). Here, the tree has only two intermediate levels above the leaf nodes level, and the root node on top level. The root node level is in fact the last non-leaf node level of the tree. Thus, the values of the four non-leaf nodes of the next intermediate level are:

a(2,l) = H(a(l,l)+a(l,2)), i.e. a(2,l) = H(H(Di)+ H(H(D₂)), (as a(l,l) and a(l,2) are the child nodes of node a(2,l)) a(2,2) = H(a(l,3)+a(l,4)) a(2,3) = H(a(l,5)+a(l,6)) a(2,4) = H(a(l,7)+a(l,8)) and, for the next, penultimate, node level (here, level three) there are two node values:

a(3,l) = H(a(2,l)+a(2,2)) a(3,2) = H(a(2,3)+a(2,4)).

We remark that it is possible to choose a different tree concaténation ordering for each non-leaf node: for example, instead of having a(2,4) = H(a(l,7)+a(l,8)) we could define a(2,4) = H(a(l,8)+a(l,7)), which gives a different node value.

Finally, the value of the root node R of the tree, or reference root digital signature, is obtained as: R = H(a(3,l)+a(3,2)).

Due to the cascade of concaténations involved in a tree, it is practically impossible to retrieve a root value if any bit of digital data is changed in a node (particularly, in a leaf node). Moreover, if some virtual articles are included in the batch (of which virtual article digital data are only known to the System having produced the digital signatures of the leaf nodes of the tree), a counterfeiter will not be capable to retrieve the root digital signature even if knowing the digital data of ail the produced (and marked) articles of the batch.

According to the invention, the reference root digital signature R of the batch of articles is made immutable, and thus forgery-proof, by being published in a (public) media accessible to a user having to check the authenticity of an article (or its associated data), or stored in a searchable root database accessible to the user, or, in a preferred mode, stored in a blockchain (or in a database secured by a blockchain) accessible to the user. The user may then store the reference value R acquired from these available sources.

For each article Ai of the batch, a corresponding article vérification key kj (or vérification path) of the associated tree is then computed as a sequence of the respective digital signatures, from the leaf nodes level to the penultimate nodes level, of every other leaf node having the same parent node in the tree that the leaf-node corresponding to the article digital signature, and successively at each next level in the tree, of every non-leaf node having the same parent node in the tree that the previous same parent node considered at the preceding level. In the example of Fig.l, there are eight vérification keys k_b...,k₈ respectively corresponding to the eight articles Ai,...,A₈ of the batch and their corresponding eight leaf nodes a(l,l),...,a(l,8):

1) for leaf node a(l,l) = xi = H(Di) corresponding to article Ai, the vérification key is ki = {a(l,2),a(2,2),a(3,2)}, from which the root digital signature value R can be retrieved via the following steps (executed according to the nodes ordering in the tree and the tree concaténation ordering):

i) from leaf node a(l,l) = xi and leaf node a(l,2) = x₂ in ki (a(l,2) is the other leaf node having the same parent node, i.e. node a(2,l), that the leaf node corresponding to the article digital signature x_b i.e. node a(l,l)), the parent node value a(2,l) is obtained by a(2,l) = H(a(l,l)+a(l,2)) (i.e. a(2,l) = H(xi + x₂)), ii) from the obtained a(2,l) and the next node value in k_b i.e. a(2,2) of next non-leaf nodes level, which is a non-leaf node having the same parent node in the tree, i.e. node a(3,l), that the previous same parent node considered at the preceding level, i.e. node a(2,l), the parent node value a(3,l) is obtained by a(3,l) = H(a(2,l)+a(2,2)), iii) from the obtained a(3,l) and the next node value in k_b i.e. a(3,2) of the penultimate nodes level, which is a non-leaf node having the same parent node in the tree, i.e. the root node, that the previous same parent node considered at the preceding level, i.e. node a(3,l), the root node value R is obtained by R = H(a(3,l)+a(3,2)).

Remark: in this example we hâve three steps i),ii) and iii), because the tree has three levels below the root node level and thus, the vérification key contains three node values.

Thus, the value of the root node of the tree can be obtained as: R = H(H(H(a(l ,1 )+a(l ,2))+a(2,2))+a(3,2)).

2) for leaf node a(l,2) = x₂ = H(D₂) corresponding to article A₂, the vérification key is k₂ = {a(l,l),a(2,2),a(3,2)}, from which the root value R can be retrieved via the following steps (executed according to the nodes ordering in the tree and the tree concaténation ordering):

i) from a(l,2) = x₂ and a(l,l) = xi in ki (a(l,l) is the other leaf node having the same parent node, i.e. node a(2,l), that the leaf node corresponding to the article digital signature x₂, i.e. node a(l,2)), the parent node value a(2,l) is obtained by a(2,l) = H(a(l,l)+a(l,2)), ii) from the obtained a(2,l) and the next node value in k₂, i.e. a(2,2) of next non-leaf nodes level, which is a non-leaf node having the same parent node in the tree, i.e. node a(3,l), that the previous same parent node considered at the preceding level, i.e. node a(2,l), the parent node value a(3,l) is obtained by a(3,l) = H(a(2,l)+a(2,2)), iii) from the obtained a(3,l) and the next node value in k₂, i.e. a(3,2) of the penultimate nodes level, which is a non-leaf node having the same parent node in the tree, i.e. the root node, that the previous same parent node considered at the preceding level, i.e. node a(3,l), the root node value R is obtained by R = H(a(3,l)+a(3,2)).

Thus, the value of the root node of the tree can be obtained as: R = H(H(H(a(l, 1 )+a(l ,2))+a(2,2))+a(3,2)).

3) for leaf node a(l,3) = x₃ - H(D₃) corresponding to article A₃, the vérification key is k₃ = 10 {a(l,4),a(2,l),a(3,2)}, from which the root value R can be retrieved via the following steps (executed according to the nodes ordering in the tree and the tree concaténation ordering):

i) from a(l,3) = x₃ and a(l,4) = Χ4 in k₃ (a(l,4) is the other leaf node having the same parent node, i.e. node a(2,2), that the leaf node corresponding to the article digital signature x₃, i.e. node a(l,3)), the parent node value a(2,2) is obtained by a(2,2) = H(a(l,3)+a(l,4)), ii) from the obtained a(2,2) and the next node value in k₃, i.e. a(2,l) of next non-leaf nodes level, which is a non-leaf node having the same parent node in the tree, i.e. node a(3,l), that the previous same parent node considered at the preceding level, i.e. node a(2,2), the parent node value a(3,l) is obtained by a(3,l) = H(a(2,l)+a(2,2)), iii) from the obtained a(3,l) and the next node value in k₃, i.e. a(3,2) of the penultimate nodes 2 0 level, which is a non-leaf node having the same parent node in the tree, i.e. the root node, that the previous same parent node considered at the preceding level, i.e. node a(3,l), the root node value R is obtained by R = H(a(3,l)+a(3,2)).

Thus, the value of the root node of the tree can be obtained as: R = 2 5 H(H(a(2,l)+H(a(l,3)+a(l,4)))+a(3,2)).

4) for leaf node a(l,4) = X4 = H(D₄) corresponding to article A4, the vérification key is k4 = {a(l,3),a(2,l),a(3,2)}, from which the root value R can be retrieved via the following steps (executed according to the nodes ordering in the tree and the tree concaténation ordering):

i) from a(l,4) = Χ4 and a(l,3) = x₃ in kq, the parent node value a(2,2) is obtained by a(2,2) = H(a(l,3)+a(l,4)), ii) from the obtained a(2,2) and the next node value in kq, i.e. a(2,l) of next non-leaf nodes level, the parent node value a(3,l) is obtained by a(3,l) = H(a(2,l)+a(2,2)), iii) from the obtained a(3,l) and the next node value in k₄, i.e. a(3,2) of the penultimate nodes 3 5 level, the root node value R is obtained by R = H(a(3,l)+a(3,2)).

—

Thus, the value of the root node of the tree can be obtained as: R =

H(H(a(2,l)+H(a(l,3)+a(l,4)))+a(3,2)).

5) for node a(l,5) = Χ5 = H(Ds) corresponding to article A5, the vérification key is ks = {a(l,6),a(2,4),a(3,l)}, from which the root value R can be retrieved via the following steps (executed according to the nodes ordering in the tree and the tree concaténation ordering):

i) from a(l,5) = X5 and a(l,6) = xg in ks, the parent node value a(2,3) is obtained by a(2,3) = H(a(l,5)+a(l,6)), ii) from the obtained a(2,3) and the next node value in ks, i.e. a(2,4) of next non-leaf nodes level, the parent node value a(3,2) is obtained by a(3,2) = H(a(2,3)+a(2,4)), iii) from the obtained a(3,2) and the next node value in ks, i.e. a(3,l) of the penultimate nodes level, the root node value R is obtained by R = H(a(3,l)+a(3,2)).

Thus, the value of the root node of the tree can be obtained as: R = H(a(3,l )+H(H(a(l ,5)+a(l ,6))+a(2,4))).

6) for node a(l,6) = xg = H(Dg) corresponding to article Ag, the vérification key is kg = {a(l,5),a(2,4),a(3,l)}, from which the root value R can be retrieved via the following steps 2 0 (executed according to the nodes ordering in the tree and the tree concaténation ordering):

i) from a(l,6) = xg and a(l,5) = Χ5 in kg, the parent node value a(2,3) is obtained by a(2,3) = H(a(l,5)+a(l,6)), ii) from the obtained a(2,3) and the next node value in kg, i.e. a(2,4) of next non-leaf nodes level, the parent node value a(3,2) is obtained by a(3,2) = H(a(2,3)+a(2,4)), iii) from the obtained a(3,2) and the next node value in kg, i.e. a(3,l) of the penultimate nodes level, the root node value R is obtained by R = H(a(3,l)+a(3,2)).

Thus, the value of the root node of the tree can be obtained as: R = H(a(3,l)+H(H(a(l,5)+a(l,6))+a(2,4))).

7) for node a(l,7) = Χ7 = H(Dy) corresponding to article A7, the vérification key is k? = {a(l,8),a(2,3),a(3,l)}, from which the root value R can be retrieved via the following steps (executed according to the nodes ordering in the tree and the tree concaténation ordering):

i) from a(l,7) = Χ7 and a(l,8) = xs in k?, the parent node value a(2,4) is obtained by a(2,4) =

H(a(l,7)+a(l,8)), ii) from the obtained a(2,4) and the next node value in k₇, i.e. a(2,3) of next non-leaf nodes level, the parent node value a(3,2) is obtained by a(3,2) = H(a(2,3)+a(2,4)), iii) from the obtained a(3,2) and the next node value in k₇, i.e. a(3,l) of the penultimate nodes level, the root node value R is obtained by R = H(a(3,l)+a(3,2)).

Thus, the value of the root node of the tree can be obtained as: R = H(a(3,l)+H(a(2,3)+H(a(l,7)+a(l,8)))).

8) for node a(l,8) = x₈ = H(D₈) corresponding to article A₈, the vérification key is k₈ = {a(l,7),a(2,3),a(3,l)}, from which the root value R can be retrieved via the following steps (executed according to the nodes ordering in the tree and the tree concaténation ordering):

i) from a(l,8) = x₈ and a(l,7) = x₇ in k₈, the parent node value a(2,4) is obtained by a(2,4) = H(a(l,7)+a(l,8)), ii) from the obtained a(2,4) and the next node value in k₈, i.e. a(2,3) of next non-leaf nodes level, the parent node value a(3,2) is obtained by a(3,2) = H(a(2,3)+a(2,4)), iii) from the obtained a(3,2) and the next node value in k₈, i.e. a(3,l) of the penultimate nodes level, the root node value R is obtained by R = H(a(3,l)+a(3,2)).

Thus, the value of the root node of the tree can be obtained as: R = H(a(3,l )+H(a(2,3)+H(a(l ,7)+a(l ,8)))).

Generally, for retrieving a (candidate) root node value by starting from a given leaf node value and the node values specified in the vérification key associated with said given leaf node, the following steps are performed:

- extracting from the sequence of node values in the vérification key, a node value (i.e. a digital signature value) of every other leaf node of the tree having the same parent node than that of the given leaf node and calculating a digital signature of a concaténation of the given node value and, respectively according to the ordering of nodes in the tree and the tree concaténation ordering, the extracted node value of said every other leaf node, thus obtaining a digital signature of said same parent node of the given leaf node;

- successively at each next level in the tree and up to the penultimate nodes level:

.extracting from the sequence of node values in the vérification key, a node value of every other non-leaf node of the tree having the same parent node than that of the previous same parent node considered at the preceding step, and .calculating a digital signature of a concaténation of the node value of said respective every other non-leaf node and the obtained digital signature of said previous same parent node, according to the ordering of nodes in the tree and the tree concaténation ordering, thus obtaining a node value of said same parent node of said previous same parent node;

and

- calculating a digital signature of a concaténation of the obtained node values of the non-leaf nodes corresponding to the penultimate nodes level of the tree according to the ordering of nodes in the tree and the tree concaténation ordering, thus obtaining a root digital signature of the root node of the tree.

As it is clear from the above example, the root node value R can finally be retrieved from any given leaf node value by a digital signature of a concaténation of this leaf node value with only the node values specified in the corresponding vérification key. Thus, the volume of data in the vérification information that is necessary for retrieving the root node value is clearly much lower than the volume of data necessary for calculating the reference root node value (i.e. based only on the leaf node values, by calculating ail the non-leaf node values of the intermediate levels of the tree): this is an advantage of the invention in view of the constraint of limited size available on a security marking (like a two-dimensional barcode).

According to the invention, the security marking 110 (possibly tamperproof) applied on an article A, of a batch of articles includes the vérification information V, that allows both online and offline checking operations of authenticity of the marked article, of conformity of its associated data with respect to that of the genuine marked article, or even conformity of an image of the article with respect to that of the genuine marked article, by providing a unique, immutable and forgery-proof link between the article data Di and belonging of the marked article Ai to a given batch of genuine articles, while keeping a bit size of a digital représentation of this vérification information Vi at a level compatible with a data content of a two-dimensional machine readable barcode that can be easily read by a conventional reader: this vérification information comprises the article digital data Di and the corresponding vérification key kj, Vi = (Di,kj). The checking operations includes retrieving the batch value, or reference root digital signature R of the tree associated with the batch, by first reading the article digital data Dj and the corresponding vérification key kj on the machine readable security marking 110 (or on an image of the security marking) on article A, (respectively, on the image of Aj), then calculating a candidate article digital signature Xi by means of a one-way function of the read article digital data Dj as Xj = H(Dj), and calculating a candidate root digital signature R^c as explained above from a digital signature of a concaténation of Xj and node values of the tree according to the sequence of node values indicated in the vérification key kj. This securing scheme, which has the advantage of not necessitating data encryption and thus, management of encryption/decryption keys (particularly, no cryptographie key is included in the security marking), is much more robust with respect to codebreaking attack compared to conventional encryption of data by means of public encryption key-private decryption key (like RSA “Rivest-Shamir-Adleman” System, for example). As a resuit, the size of digital data to be represented in the security marking according to the invention is compact and allows to use conventional 2D barcodes (e.g. a QR code), and thus conventional barcode readers (or even a mere programmed smartphone having a caméra), while providing a very high level of robustness against codebreaking attacks. Moreover, this security marking is compatible with both online (via a server communicating with a code reader) and offline (via a programmed code reader) check of authenticity of a marked article and conformity of its data with respect to that of a genuine article. Also, according to the invention, the représentation of digital data Dj and that of key data k, may differ, the data concaténation scheme and/or the one-way function may dépend on node level in the tree, which provide additional levels of robustness with respect to codebreaking attacks.

Preferably, in order to further reduce the size of digital data (i.e. vérification information V) to be included in a security marking, if the article digital data D, of the respective original articles Ai of the batch are spread between given fields that are common to ail the articles of the batch, digital data relating to these fields are not included in each article digital data Di but are clustered in a separate fields data block FDB associated with the batch of articles, and:

- the article digital signature Xj of an original article Aj of the batch is then calculated with the one-way function H of a concaténation of the corresponding article digital data Dj and the digital data of the fields data block FDB, i.e. xj = H(Dj+FDB); and

- the reference root digital signature R is made available to the user together with the associated fields data block FDB (which makes the fields data block also immutable).

In a variant of the invention, the fields data block FDB is made accessible to the user independently of the reference root digital signature.

The above size réduction is possible in most cases, as most of data associated with the articles of a batch are classifîed in accordance with some fields for structuring the data: e.g. for a pharmaceutical product, the indications “serial number”, “expiry data” etc., only the data associated with these fields are included in Di (e.g. 12603, May 2020 etc.) while the common naines of the fields “serial number”, “expiry data” etc. are in the fields data block FDB.

There are different types of physical (security) markings that could be used to encode the vérification key and the article digital data (or any other data). Many marking

Systems that are practical for use on small items, however, or on services that are not able to receive physical markings with high resolution, cannot encode a large amount of data.

One way to solve this problem would be to include multiple markings, each including one or more of the éléments of the vérification vector. In many cases, this is impractical because of lack of physical space or unsuitability of the mark surface, or simply because it would be aesthetically unacceptable.

There are many known methods for encoding information in a way that it can be applied to physical surfaces. Any such method may be used in implémentations of any embodiment of this invention. One common form of physical marking is a well-known QR code. As is well known, for a given area, the more data a QR code is able to encode, the higher the 15 module density (roughly, density of black/white squares) it has and the greater resolution it requires to print and read. In addition to its density (in number of modules squared), QR codes are also generally classified depending on what level of error correction they include. At présent, the four different standard levels, L, M, Q, and H, each representing the degree of damage, that is, data loss, the QR code image can sustain and recover from. The levels L, M, Q, and H

0 can sustain roughly 7%, 15%, 25% and 30% damage, respectively.

The following table shows at least approximate values for different QR code versions:

Version	Size (in modules)	Number of encodable bits
ECC level L	ECC level H
10	57x57	2192	976
25	117x117	10208	4 4304
40	177x177	23648	1 10208

Not ail of the bits may be used to encode a data load, however, since some modules are used for scan targets, a mask pattern, and the error-correction modules. There is thus a trade-off between the amount of information that a QR code (or whatever marking 110 is used) can encode, and how much information is included in a vérification information V and must be encoded.

For a chosen type of security marking 110 (such as a QR code), with a limited encoding capacity, a suitable one-way function H should therefore also be chosen: a function of which output is too large in terms of required bits may be impossible to use at ail, and a function of which range is too small may not be secure enough. Moreover, in many applications, scalability may be an issue. For example, some data security schemes involve signatures that grow as the number of members of a batch increases, and that could impermissibly limit the size of a batch from the perspective of how many bits the security marking 110 can encode. This is why, according to a preferred mode of the invention, the type of function chosen is the one-way hash function of the SHA-2 family.

A computation module (not shown) is preferably included within a securing system to execute the code provided for performing the computations for digitally signing the article digital data of the articles of a batch, for determining the vérification keys for the different articles, and for calculating the reference root digital signature of the corresponding tree. The securing system may also include suitable modules for inputting (pre-programmed) values corresponding to the digital data D_v of the Virtual article(s) A_v. It would also be possible to perform the article-related hashing computations extemally (e.g. on a connected distant server), for example, wherever the articles are made, so as to avoid having to transmit raw article data Dj over a network from that site (or sites) to the securing system, if that is a concem.

For each article A,, corresponding vérification information Vj is compiled and is encoded (represented) in some form of machine readable security marking 110 that is then applied physically to or otherwise associated with the respective article. For example, Vj could be encoded on an optically or magnetically readable label, RFID tag, etc., that is attached to the article, or is printed directly on the article or its packaging. As another option, the marking could be on the inside of the article or its packaging if appropriate, either using direct application or, for example, being included on some form of documentation that is inside the packaging.

For any virtual article A_v, its corresponding vérification information V_v = (D_v,k_v) may be associated intemally with it by the securing system. The vérification information generally at least includes, for any article Aj of a batch of articles, the corresponding article digital data Dj and the corresponding vérification key kj: i.e. Vi = (Di,kj).

Additional article data may further be associated with an article and may include, for example, the batch value, i.e. reference root digital signature R, or any other information the system designer (or system administrator) chooses to include, such as an item serial number, batch ID, date/time information, product name, a URL that points to other, online information associated with either the individual item (such as an image of the article, or of its labelling or packaging, etc.), or the batch, or the supplier/manufacturer, a téléphoné number one may call for vérification, etc. The additional article data may be stored in a searchable information database accessible to a user (via an information database interface).

Once the vérification kj of an original article Aj has been calculated, and included (i.e. via encoding or any chosen data représentation), together with the corresponding article digital data Dj, in the machine readable article security marking 110 applied on the article Aj, the resulting marked original article and its associated article data are in fact secured against forgery and tampering.

A user, récipient of an article such as Ai for example, may then scan (or otherwise read) with an imager the security marking on Ai and extract the article digital data Di and the vérification key ki, (and any other information that may hâve been encoded into the marking). For the sake of vérification of the marked article Ai, the user must first retrieve the vérification information Vi=(Di,ki) from the security marking 110 on Ai and thus, calculate the digital signature xi from the extracted article digital data Di: to do that the user must know the one-way function to be used for calculating an article digital signature, here the one-way function HQ (e.g. a SHA-256 hash), and then perform the operation xi=H(Di) to obtain the full data (xi,ki) necessary to calculate a corresponding candidate root digital signature R^c. The user may for example receive the one-way function securely (for example, using a public/private key pair) or by requesting this from the article provider or whichever entity having created the signatures and keys, or having it already programmed in a user’s processing unit of its imager.

Next, in order to calculate such candidate root digital signature R^c, the user will need to further know the type of data concaténation scheme (for concatenating node values via H(a(i,j)+a(i,k)) to be used for that: the user may receive this information in any known manner, either securely (for example, using a public/private key pair) or simply by requesting this from the article provider or whichever entity created the vérification data, or having it already programmed in the user’s processing unit. However, the concaténation scheme my in fact correspond to a mere conventional joining end-to-end of the two digital data blocks respectively corresponding to the two node values: in this case, no spécifie scheme must be transmitted to the user. In some variants, the concaténation scheme may further insert a concaténation block, which may contain data spécifie to the rank or level of the concatenated digital data blocks in the tree, with the resuit of making even more difficult a codebreaking attack.

Knowing the data concaténation scheme, the user can then compute (e.g. via the suitably programmed imager) the candidate root digital signature R^c as explained above by step by step digitally signing a concaténation of the article digital signature xi and node values according to the sequence of nodes specified in the vérification key ki, see above item 1) relating to node a(l,l), executed according to the nodes ordering in the tree and the tree concaténation ordering. Here, the candidate root digital signature is obtained as (the nodes ordering in the tree being given by the respective indexes (ij) of the level and rank in the level):

R^c = H(H(H(a(l,l)+a(l,2))+a(2,2))+a(3,2)).

This calculated candidate root digital signature R^c should then be equal to the available (or published) reference R value: this value may hâve been previously acquired by the user and/or already stored in a memory of the imager’s processing unit, it could also be a value that the récipient requests and receives from the system administrator in any known manner. If the candidate R^c and the available reference root digital signatures R match, this computation then vérifiés the information in the secure marking 110 and confirms that the article Ai is from the right batch. The secure marking should preferably be made and/or applied to the article in any difficult-to-copy and/or difficult-to-remove (tamperproof) manner. In this case, a matching of the root digital signatures can then indicate to the user that the article is likely authentic. This is particularly interesting because authentication of article Ai does not necessitate its material authentication, i.e. via an intrinsic physical characteristic of Ai or by means of a spécifie material-based security marking applied on Ai.

A link to access the reference root digital signature R for the batch corresponding to the article Ai could be included in the security marking 110 (for example, a web address, if R can be retrieved on a corresponding web site), although it is not a preferred variant.

In some implémentations, récipients of an article Ai may be capable of “visually” extracting the article data corresponding to the digital article data Di directly from the article. For example, the article data might be textual, such as a serial number, or text in a descriptive writing, or some alphanumerical encoding elsewhere on the article or its packaging and human readable from the articles themselves or something attached to or included in them. Récipients of articles could also be provided with appropriate software, such as a module in an imager device such as a smart phone that either inputs data, or reads data optically via the phone caméra, and which then computes Xi=H(Dj) for the article at hand. For example, with a security marking 110 on article Ai being a standard QR code, a user could easily obtain by scanning the QR code with an imager, using a standard QR code reader application running on the imager, the digital data D] and ki, a vérification application in the user’s imager could then compute xi and R^c, and compare this value with the available reference batch value R, as explained above.

Preferably, the reference root digital signature (i.e. “batch value”) R is stored in a searchable root database that can be accessed (via a communication link) by the user by means of its imager equipped with a communication unit, as this is the case with the above example of a Smart phone. The user having to verify the article Ai can just send a root request with its smart phone to the address of the database, via an access interface of the database, the request containing the article data Di read on the security marking 110 on Ai (or the calculated digital signature xi = H(Di)) allowing to retrieve the corresponding reference batch value R, and the access interface will retum the reference root digital signature R to the smart phone. The database may be secured by a blockchain in order to strengthen the immutability of the stored root digital signatures. An advantage of the invention is to make the link between a physical object, i.e. an original article, and its attributes, i.e. the associated article data and its belonging to a spécifie batch of articles, practically immutable through the corresponding root digital signature.

The above mentioned vérification process of an article Ai may also serve to authenticate human readable article data further marked on Ai on a corresponding article data marking applied on Aj, or printed on a packaging of Aj, or on a leaflet. Indeed, a user can read, e.g. on a display of the imager, the corresponding article digital data Dj as read on the security marking on the article Ai and decoded by the imager, and visually check that the displayed information is consistent with the article data on the article data marking.

In a preferred embodiment, the article data, or its corresponding article digital data D,, further include (unique) characteristic digital data (CDD) of a unique physical characteristic of the marked original article A, that can be used for (materially) authenticating A,. Thus, with the characteristic digital data corresponding to the physical characteristic of an article Ai being CDD,, the corresponding unique physical signature data UPSj can be obtained by encoding of CDD; (preferably by means of a one-way function): for example, by taking a hash of the digital data CDDi, i.e. UPSj = H(CDDj). However, any other known encoding could be used instead: for example, in order to hâve a short signature, it is possible to use an elliptic curve digital signature algorithm. As an illustrative very simplified example of characteristic digital data CDD, corresponding to a unique physical characteristic of an article Ai, we consider a mere digital image obtained by imaging the article Aj (or a spécifie zone on Ai), the corresponding unique physical signature data UPSj being, for example, a hash of the digital image, UPSi = H(CDDj). The characteristic digital data CDDi having generated the signature UPS, constitutes the reference characteristic digital data for Ai and the obtained signature UPSj is the corresponding reference physical signature data for Aj. Preferably, UPSj, i.e. the reference physical signature data for article Ai, is stored in a searchable database or in a blockchain (or in a database secured by a blockchain) accessible to the users (for example, via a request containing the article digital data Dj read on the security marking of A,, or its corresponding digital signature x,). Thus, the stored UPSi acquires an immutable character. A copy of CDD; may be further stored in the memory of the user’s imager. In a variant of the embodiment, a copy of UPS, may also be further stored in the memory of the user’s imager (to allow offline checking operation).

A check of authenticity of an article Ai may be performed by extracting candidate characteristic digital data CDD/ from the digital data Dj read (here, with a decoding application running on the imager, which may be a smartphone for example)) on the security marking on article Ai, and comparing it with the reference characteristic digital data CDDi stored in the memory of the imager: in case of matching CDD, = CDD/ the article Ai is considered as genuine (its digital content corresponds to that of a genuine marked original article). If the reference characteristic digital data CDDj is not stored in the memory of the imager, but instead the reference unique physical signature data UPSj is stored in the memory of the imager (with the advantage of taking up much less memory compared with CDDj), then the authenticity of Ai can still be checked by verifying that the candidate unique physical signature data UPS/ obtained by calculating the hash value of the candidate unique physical characteristic digital data CDD/ extracted from the digital data Dj, i.e. UPS/ = H(CDD/), matches the reference unique physical signature data UPS, stored in the memory.

A user may further check the authenticity of a received article Ai, still via offline (self-verifying) process, by detecting said unique physical characteristic on Aj, by means of a sensor capable to perform such measurement (here, the imaging unit of the imager), and obtaining a candidate characteristic digital data CDD/ from the detected characteristic (here, a digital image taken by the imager). Then, the user can compare (via the image processing unit of its imager, or visually on a display of the imager) the obtained CDD/ with a copy of the reference CDD; (stored in the memory of the imager): in case of “reasonable” matching CDD/ ~ CDD, (i.e. the two digital data agréé within some given tolérance or similarity criterion), the article Ai is considered as genuine.

Moreover, the user may also further calculate the corresponding candidate physical signature data from the copy of the reference CDDj stored in the memory of the imager as UPS/ = H(CDDi), and compare it with the reference physical signature data UPSj stored in the memory of the imager: in case of matching UPS/ = UPSi, the article Ai is confirmed as being genuine with an even higher degree of confidence. Moreover, in case of matching, the article digital data D, associated with Ai, which has been verified as corresponding to that of a genuine article, as explained above by retrieving the corresponding reference batch value R from the read vérification information (Di,kj) on the security marking on Aj, is also authenticated. In a preferred mode, the copy of the reference characteristic digital data CDDj, instead of being stored in the memory of the user’s imager, is part of the article digital data Dj included in the security marking on article Aj and can be obtained by reading it on the security marking (with the imager). However, in a variant (still compatible with offline vérification), the copy of the reference characteristic digital data CDDj may instead be included in the article data marking applied on article Ai (and readable by the user’s imager).

In a variant of the embodiment, the checking of authenticity of an article Aj by a user may be performed via online process: in this case, the reference data CDDj and/or UPSi are stored in a searchable database accessible to the user wherein the reference data relating to an article A, is stored in association with, respectively, the corresponding article digital data Dj (included in the security marking on Ai) or with the corresponding article digital signature Xj (that can be calculated by the user once the data Dj is extracted from the security marking via the operation Xi=H(Di) and can be requested by sending to the database a query containing, respectively, Dj or Xj.

Of course, any other known intrinsic physical/chemical property can be used to obtain the characteristic digital data CDD, of an article Ai, and the corresponding unique physical signature data UPS;. As another illustrative example, it is possible to print the 2D barcode forming the security marking 110 on an original article with a security ink including a luminescent pigment having its characteristic decay time constant as well as its light excitation wavelength window and its luminescence émission wavelength window: the resuit is an ink having a spécifie reference decay time value τ that serves as a material “fingerprint” of the ink. It suffi ces to illuminate the security marking 110 with excitation light in an illumination wavelength window covering the pigment excitation wavelength window, and collect a resulting luminescence light from the security marking with a sensor capable to detect light intensity within the luminescence émission wavelength window in order to authenticate the security marking. For example, the user’s imager may be equipped with a flash capable to deliver the excitation light to the security marking, a photodiode capable to collect the corresponding luminescence light intensity profile I(t) (over a détection time interval) from the security marking, and the imager’s processing unit being programmed to calculate a decay time value from the collected intensity profile I(t). For example, the excitation wavelength window may be within the UV (ultra violet) band and the émission wavelength window within the IR (infra red) band. If, during vérification of the article, the luminescence light intensity collected by the user’s imager shows a characteristic decay over time corresponding to a candidate decay time x_c, then the ink, and consequently the security marking, is considered as genuine if x_c ~ τ (within a given range of tolérance). In this case, the digital data CDD; of a marked article Ai includes at least the reference decay time value τ (and possibly data relating to the excitation wavelength window and the émission wavelength window). As it is clear from the above examples, including reference characteristic digital data in the vérification information of a security marking has the technical effect of providing a forgery-proof link between the digital data of an article and the (material) authentication data of this very article.

Another illustrative embodiment of the invention relates to a batch of biométrie identification documents, e.g. biométrie passports, as shown on Fig.2A.

In this example we still use a hash function as a one-way function for signing the passport data, preferably a SHA-256 hash function in view of its well-known robustness.

Indeed, in view of a given size of the batch, the hash function that is selected (having its known bucket listing) for the purpose of signing the passport data is thus an example of a one-way encryption function such that each distinct passport has its distinct signature, which thus make the signature unique. The domain of a hash function (i.e. the set of possible keys) being larger than its range (i.e. the number of different table indices), it will map several different keys to a same index which could resuit in collisions: such collisions can be avoided, when the size of the batch is known, by considering the bucket listing associated with the hash table of a hash fonction and retaining only a fonction giving zéro collisions, or by independently choosing a hash-table collision resolution scheme (for example, such as coalesced hashing, cuckoo hashing, or hopscotch hashing).

Fig.2A shows an example of biométrie passport Ai secured with a machine readable security marking 210 (here a QR code), and comprising a passport data marking 230 containing conventional passport data, i.e. visible printed data such as a title of the document 230a (“Passport”), a set of biography data of the owner of the passport 230b: last name (“Doe”), first name (“John”), gender (“M”), date of birth (“March 20, 1975”), citizenship (“USA”), origin (“Des Moines”), place of birth (“Oakland”), a date of émission of the passport 230c (“February 24, 2018”) and a validity period 23 Od (“February 23, 2020”). These passport data may forther comprise some (unique) serial number(s) 235 assigned by the authority delivering the passport (here “12345”). The passport data forther comprise biometry data of the owner of the passport as data corresponding to a unique physical characteristic of an individual associated with the passport. A machine readable représentation 230e (e.g. an alphanumeric one) of data characterizing said unique physical characteristic (not shown), corresponding to said biometry data, is associated with the passport data 230. A représentation of digital data is to be understood in a broad sense of the term: this représentation of data only needs to enable retrieving the original digital data. The machine readable data représentation 230e, i.e. the biometry data, of the unique physical characteristic may correspond, for example, to fingerprint identification data or iris identification data of the owner of the passport. For example, biometry data 230e corresponding to a fingerprint of a person may resuit from an analysis of a set of spécifie minutia features of fingerprint ridges like ridge ending, bifurcation and short ridges (according to the conventional Henry System of Classification).

Thus, for a given passport Aj of a batch of μ delivered biométrie passports (here μ = 1024) the associated passport digital data Dj includes the digital data corresponding to the above mentioned data 230a-230e.

In a variant of the embodiment, the associated passport digital data Dj may only include the values of the fields which are common to ail the delivered passports, while the fields in common, i.e. “Passport”, “Last Name”, “Gender”, “Date of Birth”, “Citizenship”, “Origin”, “Place of Birth”, Emission date” and “Validity” are included in a separate fields data block FDB as explained above: for example, Di only contain a représentation of the field values “Doe”, “John”, “M”, “March 20, 1975”, “USA”, “Des Moines”, “Oakland”, “February 24, 2018” and “February 23, 2020”.

Preferably, additional passport digital data are associated with the above mentioned passport data 230. For example, a digital image of the fingerprint pattern of the owner of the passport, or a digital identity photograph etc. In a variant of the embodiment, these additional passport digital data are stored in a searchable information database 250 that can be searched via an information request containing some passport data (for example, the name of the owner or the biometry data or data from the security marking or the unique serial number 235) to retrieve the corresponding fingerprint pattern data and receive it back. Preferably, a link to the information database 250 is included in an information access marking 240 applied on the passport: here this is a QR code containing a reference index to retrieve corresponding additional data in the information database 250. However, in a variant of passport control operation involving access to a distant information database (online operation), the QR code could contain, for example, the URL of the information database that is accessible via the web.

A digital signature with a one-way hash function of the passport digital data Dj corresponding to the passport data 230a-230e of the passport Aj is then calculated by means, for example, of the above mentioned robust SHA-256 hash function to obtain the corresponding (unique) passport digital signature Xj=H(Dj). In a same way, the passport digital signatures of ail the passports in the batch, for ail the different owners, are calculated.

From ail the signatures of the passports in the batch, a reference root digital signature R is calculated according to a tree ordering and tree concaténation ordering of an associated (binary) tree, as explained above. As there are μ = 1024 passports in the batch, the corresponding binary tree has 1024 leaf nodes a( 1,1 ),...,a(1024) for the first level, 512 non-leaf nodes a(2,l),...,a(2,512) for the second level, 256 non-leaf nodes a(3,l),...,a(3,256) for the third level etc...., up to the penultimate nodes level (here, level 10) with non-leaf nodes a(10,l) and a(10,2), and the top node corresponding to the root node R (level 11 of the tree). The leaf-node values are a(lj) = Xj = H(Dj), j=l,...,1024, the second level node values are a(2,l) = H(a(l,l)+a(l,2)),...., a(2,512) = H(a(l,1023)+a(l,1024)), etc., and the reference root digital signature R is R = H(a(10,l)+a(10,2)). Each vérification key kj is thus a sequence of 10 node values. The security marking 210 applied of the passport Aj includes the passport digital data Dj and the corresponding vérification key kj (i.e. the vérification information Vj = (Dj,kj)).

The operation of checking that the passport digital data Dj and the vérification key kj in the security marking 210 of a biométrie passport Aj indeed correspond to passport data of a genuine biométrie passport belonging to the batch of μ biométrie passports having the batch value R only nécessitâtes calculating the passport digital signature Xj = H(Dj) and verifying that Xj and the vérification key kj allow retrieving the available corresponding reference root digital signature R via the composition of ten times (as here, the tree has ten levels below the root level) a hash function of a concaténation of the node value a(lj) and the node values in kj (according to the nodes ordering in the binary tree and the tree concaténation ordering with the conventional concaténation scheme). Consequently, a biométrie passport secured according to the invention provides both a forgery-proof link between the “personal data” and the “biometry data” of its holder, and a unique and forgery-proof link between the physical person of the holder and the holder’s identity.

Fig.2B illustrâtes a control process of the secured biométrie passport Ai of Fig.2A, with its passport data marking 230 corresponding to a certain John Doe, with its biometry data 230e corresponding to John Doe’s fingerprint, and with additional passport digital data corresponding to a digital identity photograph 255 of John Doe that is accessible via the link to the information database 250 included in the information access marking 240. The passport data further comprises the unique serial number 235 assigned by the authority having delivered the passport. The security marking 210 applied on the passport Ai contains the vérification information (Di,ki), with passport digital data Di corresponding to the printed passport data 230a-230d, the biometry data 230e and the unique serial number 235, and the vérification key ki corresponding to the sequence of 10 node values {a(l,2),a(2,2),...,a(10,2)} which are necessary for retrieving the root value R from node value a(l,l) of passport Ai (with a(l,l) = xi = H(Di)). The reference root digital signature R may be time-stamped and stored in a blockchain 260. In this example, the biometry data 230e of the respective holders of the biométrie passports of the batch are also stored in the blockchain 260 in association with, respectively, their corresponding unique serial numbers (so as to make these data immutable). The stored biometry data of John Doe can be retrieved by sending a request to the blockchain 260 indicating the unique serial number 235 mentioned on his passport. The authorities in charge of controlling identity of people (for example, the police, the customs etc.) can access the blockchain 260 via a communication link, and, in this illustrative embodiment, hâve also local storage capabilities for storing the (published) root digital signatures of ail the delivered batches of biométrie passports. In the example shown on Fig.2B, the information database 250 is local (i.e. directly accessible to the authorities, without having to use a public communication network). Moreover, these authorities are equipped with fingerprint scanners 270 to capture the fingerprints of individuals and calculate corresponding machine readable représentations of data characterizing the captured fingerprints, i.e. biometry data 230e.

During an identity control of John Doe, say by a police or a customs officer, the officer takes the secured biométrie passport Ai of John Doe, reads and décodés the vérification information (Di,ki) stored in the security marking 210 on the passport by means of an appropriate handheld reader 280 connected to a computer 290 (forming an imager), the computer being connected to the local storage capabilities 250. Having read the passport digital data Di and the vérification key ki and sent it to the computer 290, a dedicated application (with programmed hash function H and concaténation of node values) running on the computer 290 calculâtes the passport digital signature xi (as xi=H(Di)) and a candidate batch value R^c as: H(H(H(H(H(H(H(H(H(H(a(l,l)+a(l,2))+a(2,2))+..)+..)+..)+..)+..)+..)+a(9,2))+a(10,2)), i.e. the composition of ten times a hash function of a concaténation of the node value a(l,l) and the node values in ki= {a(l,2),a(2,2),...,a(10,2)}. Then, the computer can, for example, search in the local information database 250 a reference root digital signature R matching the candidate value R^c: in case there is no matching, the passport is a forged one and “John Doe” (i.e. the screened individual claiming that his name is John Doe) may be arrested. In case R^c matches some stored reference root digital signature, the passport is considered as genuine and the officer may perform additional security checks:

- the officer retrieves the digital identity photograph 255 stored in the information database 250, by sending a request via the computer 290 containing the serial number 235 printed on Ai, receives it back and display the received identity photograph 255 on a screen of the computer 290: the officer can then visually compare the displayed visage (i.e. that of a certain John Doe) with that of the individual being checked and estimate if the two visages are similar or not; and - the officer retrieves the biometry data 230e on the passport Ai by reading these data on the security marking 210 with the handheld reader 280 connected to the computer 290, and scans the individual’s fingerprint by means of a fingerprint scanner 270 connected to the computer 290 and obtains the corresponding individuaTs biometry data: the officer then checks by means of a program running on the computer 290 if the retrieved biometry data 230e is similar (within a given margin of error) to the obtained individuaTs biometry data.

If the two visages and the biometry data are judged similar, everything is ail right and the checked individual is indeed the real John Doe, the owner of the genuine biométrie passport Ai.

In case of any one of the above additional security checks fails, clearly, the individual in front of the officer is not the true holder of the genuine biométrie passport Ai and has probably stolen the passport of a certain John Doe. Thus, with a secured biométrie passport according to the invention a mere offline check can quickly detect any fraud.

In fact, it is even possible to reduce a biométrie passport document to a mere piece of paper with just a printed 2D barcode (like the above example of a QR code) including the vérification information V = (D,k): with V comprising the holder’s biography data and (unique) biometry data, like the holder’s fingerprint (within the passport digital data D) and the vérification key k. Indeed, according to the invention, even this “reduced” secured passport takes full advantage of the above mentioned forgery-proof link created between the “personal biography data” and the “biometry data” of the passport holder, and the unique and forgery-proof link between the physical person of the holder and the holder’s identity.

Another illustrative embodiment of the invention relates to components of an aircraft, as shown on Fig.3. Due to the very high price of certain critical components from which failure could affect the security of the aircraft, like some parts of the reactors (e.g. turbine blades, pumps...) or of the landing gear, or batteries etc..., counterfeiters are interested to produce copies of these components but of course without complying with the required safety technical requirements due to their generally lower quality. Even if an aircraft component is generally marked with a corresponding unique serial number to identify it, that sort of marking may be easily counterfeited. These counterfeit airplane parts are generally defective and can cause severe damages or even plane crashes. This is a growing security problem today. Moreover, even if the components are genuine, they may not be convenient for certain versions of a same type of aircraft, and there is a serions risk that an inappropriate component is inadvertently used for repairing a given aircraft for example. It is thus important to secure at least the critical genuine components that are allowed for given aircraft.

Generally, each component has a corresponding technical data sheet indicating e.g. the component technical name, the component unique serial number, the component manufacturer name, the manufacturing date of the component and certification information. Moreover, for a given aircraft, a corresponding record contains ail the technical data sheets of its respective components. However, counterfeited components may hâve their corresponding fake technical data sheet and thus, it is not obvious (unless by performing technical tests, for example) to detect fraud. For example, how to be sure that a technical data sheet corresponds well to a component mounted on a spécifie aircraft (and vice versa)?

According to an illustrative embodiment of the invention, the allowed parts to be used for manufacturing or repairing a given aircraft, or that are mounted on the aircraft, are considered as belonging to a batch of “articles” for that very aircraft.

In the spécifie illustrative embodiment shown on Fig.3, each article of an aircraft batch, i.e. each allowed aircraft component for mount or repair on a given aircraft, has a corresponding aircraft component identification document AC-ID that contains the same component data as in a conventional technical data sheet (e.g. the aircraft ID code, the aircraft manufacturer name, the component technical name, the component unique serial number, the component manufacturer name, and the manufacturing date of the component) together with additional digital data corresponding, to the aircraft ID code, the aircraft manufacturer name, the assembly date of the component on the aircraft, the name of the technician in charge of performing the conformity check together with the date of the conformity check, and the corresponding (unique) digital signature of the checker. Moreover, each aircraft component identification document AC-ID is secured by means of a machine readable security marking applied on it (preferably tamperproof). Preferably, each time a component or a set of components are replaced on the aircraft, corresponding secured AC-ID documents are created and a corresponding updated version of the aircraft batch is also created, with the above mentioned corresponding additional digital data (relating to the new mounting operations).

Thus, ail the (critical) mounted components on a spécifie aircraft (here, having the aircraft ID reference HB-SNO), belong to a corresponding batch of mounted components (here, having a total of μ components). A security marking 310 (here in the form of a QR code) is printed on each aircraft component identification document, for example AC-ID:Ai25, that is associated with the corresponding aircraft component, here A125, mounted on the aircraft HBSNO. Fig.3 particularly shows the component A125 of the aircraft batch being a turbine blade adapted to the reactor type mounted on the aircraft HB-SNO and marked with a unique manufacturing serial number (here, 12781, generally engraved by the manufacturer). The component digital data D125 (or article digital data) associated with component A125 comprises the digital data corresponding to that of the data marking 330 printed on the AC-ID:Ai25: the aircraft ID code 330a (here, HB-SNO), the aircraft manufacturer name 330b (here, AeroABC), the component technical name 330c (here, turbine blade - l^st ring), the component serial number 330d (here, 12781), the component manufacturer name 330e (here, PCX), the manufacturing date of the component 330f (here, November 13, 2017), the assembly date of the component on the reactor 330g (here, February 24, 2018), the name of the technician in charge of performing the conformity check 33Oh (here, the checker is Martin White) together with the date of the conformity check 330i (here, March 20, 2018), and the (unique) digital signature of the checker 330j (here, 2w9s02u).

A component digital signature X125 of the component digital data D125 of the AC-ID:Ai25 of component A125 is calculated by means of a one-way hash function H as X125 = H(Di2s). hi the same way, ail the component digital signatures Xj of the component digital data Dj of component A, are calculated by means of the one-way hash function H as Xj = H(Dj)(here, i = 1,...,μ). According to the invention, a tree associated with the batch of components (here, a binary tree) is built having μ leaf nodes a(l,l),...,a(l^) respectively corresponding to the μ component digital signatures χι,...,χ_μ of respective component digital data Di,...,D_g of the component identification documents AC-ID:Ai,...,AC-ID:A_g of components Αι,...,Α_μ. Here, the nodes ordering of the binary tree is the conventional one, i.e. the nodes a(i,j) are arranged according to the values of the indexes (i,j): index i indicates the level in the tree, starting from the leaf nodes level (i=l) to the penultimate nodes level below the root node, and index j running from 1 to μ for the leaf nodes level (level 1), from 1 to μ/2 for the next (non-leaf) nodes level (level 2), etc. and from 1 to 2 for the penultimate nodes level. The tree comprising node levels from the leaf nodes to the root node, every non-leaf node of the tree corresponding to a digital signature by means of the one-way function H of a concaténation of the respective digital signatures of its child nodes according to the tree concaténation ordering.

A reference root digital signature R for the batch of μ aircraft components Ai,... Α_μ is calculated by means of a one-way function of a (conventional) concaténation of node values of the tree (as explained below). The reference root digital signature R is then stored in a searchable database (preferably a blockchain) accessible to technicians in charge of controlling or changing the mounted components. The tree thus comprises node levels from the leaf nodes to the root node of the tree, every non-leaf node of the tree corresponding to a digital signature by means of the one-way function H of a concaténation of the respective digital signatures of its (two) child nodes according to the tree concaténation ordering (here conventional), the root node corresponding to the reference root digital signature R, i.e. the digital signature by means ofthe one-way function H of a concaténation of the digital signatures of the nodes of the penultimate nodes level in the tree (according to the nodes ordering in the tree and the tree concaténation ordering).

For a given component Ai of the batch, a vérification key kj, corresponding to the component digital signature Xj (i.e. leaf node a(l,i)) of the component digital data Dj, is calculated as the sequence of the respective digital signatures, from the leaf nodes level to the penultimate nodes level of the tree, of every other leaf node having the same parent node in the tree that the leaf-node a(l,i) corresponding to the article digital signature x_i} and successively at each next level in the tree, of every non-leaf node having the same parent node in the tree that the previous same parent node considered at the preceding level. For each component Ai mounted on the aircraft HB-SNO, the associated component digital data D, and the corresponding vérification key kj are embedded in the security marking applied on the corresponding aircraft component identification document AC-ID:Aj.

For example, in case of a control operation of a component on the aircraft HBSNO, a technician may send a request to the searchable database containing the component serial number 12781 read on the AC-ID:Ai25 of component A125 to be controlled, or its vérification key ki25 as read on the security marking 310 on the corresponding AC-ID:Ai25 document with an appropriate reader, and will receive back the corresponding batch value R. However, in a preferred variant allowing complété offline checking, the technician’s reader is connected to a computer having a memory storing ail the root digital signatures relating to the aircrafts to be controlled. In this latter variant, the technician can then check if the component is genuine by reading the component digital data D125 on the security marking 310, checking that the unique serial number 330d (here, 12781) extracted from D125 matches the serial number physically marked on the mounted aircraft component A125, calculating the corresponding component digital signature Χ125 (for example, by running a programmed application on a processing unit of the computer which calculâtes the signature X125 = H(Di2s), from the read digital data D125), calculating a candidate batch value R^c via the one-way function H programmed on the computer’s processing unit as the hash of a concaténation of the leaf node value a(l,125)=xi25 and the node values given in the corresponding vérification key ki25, and checking that the candidate batch value R^c matches one of the reference root digital signatures stored in the computer’s memory (i.e. R, corresponding to the aircraft HB-SNO). In case of full matching (i.e.

the serial numbers match and R^c = R), the component A125 is considered as genuine and belongs to the (up-to-date) aircraft batch of allowed components of the HB-SNO aircraft, if R^c does not match a stored reference root digital signature R, or if the serial numbers do not match, the component A125 is possibly counterfeit, or is a genuine component not allowed for the aircraft

HB-SNO (e.g. A125 does not belong to the right batch for this aircraft), and must be changed.

In a same way, the invention would allow detecting fraud (or errors) from batches of secured AC-IDs of replacement parts stored in a warehouse by verifying the authenticity of the secure markings on the stored parts and checking that the component serial number from the security marking matches that marked on the corresponding component. In case of a highly critical component, a tamperproof material-based security marking may further be applied on the component, while the digital data relating to the corresponding reference unique physical characteristic, i.e. the characteristic digital data CDD (for example, as captured by a suitable sensor when applying the material-based security marking) of this marking is preferably made part of the component digital data D in the security marking of this component, and a corresponding reference unique physical signature data UPS is calculated (for example, by taking a hash of the characteristic digital data CDD, i.e. UPS = H(CDD)) and may also be part of the component digital data. This additional level of security improves the security provided by the unique serial number marked on the component by its manufacturer. Preferably, the reference UPC and UPS are stored in the blockchain (to make them immutable) and are accessible to the technician. Moreover, these reference values may also be further stored in the memory of the technician’s computer in order to allow offline authentication of the material-based security marking on the highly critical component.

The further offline operation of authentication of this material-based security marking may comprise measuring the unique physical characteristic on the component, by means of a suitable sensor connected to the computer, and obtaining a candidate characteristic digital data CDD^c from the measured characteristic (for example, via a spécifie application programmed in the processing unit of his computer). Then, the technician (or the processing unit of his computer, if suitably programmed) compares the obtained CDD^c with the copy of the reference CDD stored in the memory of the computer: in case of “reasonable” matching CDD^c ~ CDD(i.e. within some predefmed error tolérance criterion), the material-based security marking, and thus the component, are considered as genuine.

As above mentioned, a copy of the reference characteristic digital data CDD, instead of being stored in the memory of the technician’s computer, is part of the article digital data D included in the security marking applied on the component and can be obtained by direct reading on the security marking (with the reader). The technician may then read the candidate CDD^c on the security marking and check that the signature UPS stored in the memory of the computer matches the candidate signature UPS^C calculated from the read candidate CDD^c by computing UPS^C = H(CDD^c): in case of matching UPS^C = UPS, the material-based security marking, and thus the component, are confirmed as being genuine.

In a variant of the embodiment, the checking of authenticity of a component by a technician may altematively be performed via online process in a similar way as already explained with the first detailed embodiment of the invention, and will not be repeated here.

According to the invention, it is further possible to verify the conformity of a digital image of a secured document, like an aircraft component identification document ACID:Ai25 for example, with respect to the original secured document. Indeed, if a technician in charge of control (or repair) operations has only access to a digital image of the secured document, for example by receiving the image of AC-ID :Ai25 on its reader (which may be, for example, a smartphone suitably programmed), he nevertheless can check that the component data printed on the received image of the document correspond to that of the original document by performing the following operations of:

- reading the component digital data D125 and the vérification key ki25 on the image of the security marking 310 on the digital image of the document AC-ID:A125;

- acquiring a reference batch value R of the batch corresponding to the document AC-ID:Ai2s; this reference value may be already in the memory of the reader (or the computer connected to the reader) or may be acquired via a communication link from a database storing the reference batch values of aircraft components in case the reader is equipped with a communication unit, by sending a request containing, for example, the component (unique) serial number or merely the key ki25 read of the image of the security marking 310, and receiving back the corresponding reference batch value R;

- calculating (with the programmed one-way function H) a component digital signature X125 from the read component digital data D125, with X125 = H(Di2s);

- calculating a candidate batch value R^c (by means of the programmed one-way hash function H) as the digital signature by the hash function H of a concaténation of the leaf node value X125 and the node values indicated in the vérification key k^s (according to the nodes ordering in the tree and the tree concaténation ordering); and

- verifying that the candidate batch value R^c matches the reference batch value R.

The above mentioned operations of vérification of conformity may also be performed on a mere photocopy of an original document AC-ID:Ai25. Indeed, even if an anticopy feature were on the security marking of the original document that would reveal that the technician has just a photocopy, he nevertheless could read the data on the security marking on the photocopy and perform the above operations of vérification of conformity of the data read on the copy with respect to the original data.

Another illustrative embodiment of the invention relates to self-secure serialization of pharmaceutical products like medicine packs, as shown on Fig.4. This embodiment relates to a production batch of medicine packs of a given type of médicament comprising μ boxes (or articles) Αι,...,Α_μ. In this illustrative example of a typical box Ai shown on Fig.4, tablets for patients are packaged in a set of serialized blister packs 401 (only one is shown) contained in the box Ai. Each blister pack 401 is marked with a unique serial number 435 (here, “12345”, applied by the manufacturer), and the box Ai has conventional information printed on it like the name of the medicine 430a, a logo 430b, a box unique serial number (box ID) 430c, an expiry date 430d. In this example, additional conventional data are possibly printed on the box (or, in a variant, on a package leaflet put in the box Ai): a recommended retail price 430e, a market country 430f, and a sale restriction indication 430g (e.g. to be sold only in pharmacy). The box Ai is secured by means of a machine readable security marking 410 in the form of a printed 2D barcode (or datamatrix) and further secured with a material-based security marking in the form of a separate tamperproof adhesive anti-copy stamp 415 including randomly dispersed particles which is applied on the box Ai. The (random and thus unique) positions of the particles on the stamp in fact are known to constitute a unique physical characteristic of the stamp 415 applied on the box Ai, and thus here also a unique physical characteristic of the box Ai itself. The detected positions of the dispersed particles on the stamp 415 are conventionally used to calculate corresponding reference characteristic digital data CDD-Αι of the box Ai. Usually, the détection of the dispersed particles, and their positions, is performed via image processing of a digital image of the stamp. Here, the particles can be detected upon illumination of the stamp with a mere white flash (a white LED for example), like the flash of a smartphone for example. Preferably, a spécifie image processing application can be downloaded on a smartphone to make it capable to image a stamp 415, detect the positions of the dispersed particles and calculate from these positions a corresponding characteristic digital data CDD.

According to the invention, the barcode 410 of a box Ai (i ε {1,...,μ}) of the batch contains box digital data Di corresponding to a digital représentation of the above mentioned conventional data 430a-430g of the box Ai, the respective serial numbers 435 of the blister packs 401 contained in the box A,, and the reference unique physical characteristic digital data CDD-Aj of the box Aj. For each box Aj of the batch, an associated box digital signature Xj of its box digital data Di is calculated by means of a one-way hash function H as x, = H(Di), i = Ι,.,.,μ.

A tree associated with the batch of boxes (here, a binary tree) is built having μ leaf nodes a(l,l),...,a(l,p) respectively corresponding to the μ box digital signatures χι,...,χ_μ of respective box digital data Di,...,D_g of the boxes Αι,...,Α_μ. Here, the nodes ordering of the binary tree is the conventional one, i.e. the nodes a(ij) are arranged according to the values of the indexes (ij): index i indicating the level in the tree, starting from the leaf nodes level (i=l) to the penultimate nodes level below the root node, and index j running from 1 to μ for the leaf nodes level (level 1), from 1 to μ/2 for the next (non-leaf) nodes level (level 2), etc. and finally from 1 to 2 for the penultimate nodes level. The tree comprises node levels from the leaf nodes, a(l,l),...,a(l,p), to the root node, every non-leaf node of the tree corresponding to a digital signature by means of the one-way hash function H of a concaténation of the respective digital signatures of its child nodes according to the nodes ordering in the tree and the tree concaténation ordering (the root node corresponding to a reference root digital signature).

A reference root digital signature R for ail the boxes of the batch is then calculated by means of a one-way hash function H as the digital signature of a concaténation of the digital signatures of the nodes of the penultimate nodes level in the tree (in accordance with the nodes ordering in the tree and the tree concaténation ordering).

The obtained reference root digital signature R is then either published in a media accessible to a user having to check the validity of a secured medicine pack Ai, or stored in a searchable root database accessible to the user, or stored in a blockchain (or in a database secured by a blockchain) accessible to the user. For example, the user may send a request containing the serial number 430c, read on the security marking 410 on said box Ai, to the searchable root database or blockckain and receive back the corresponding reference batch value

R. A link to access the searchable root database (via the web, for example), or the blockchain, may be included in a box data marking 440 (shown as a QR code on Fig.4) printed on the box Aj. Preferably, the reference root digital signature R is made available to the user locally, so that the user can perform the checking operations on offline mode (i.e. by not having to access distant storage means to obtain R): for example, the user has a reader such as a smartphone capable to read and décodé the data in the security marking 410 on box Aj (by means of a programed application opérable to run on the smartphone’s processing unit) and of which memory stores the reference root digital signature R.

To each box Ai of the batch of μ medicine packs corresponds a vérification key k,, associated with the box digital signature χμ i.e. with node a(l,i), and calculated as the sequence of the respective box digital signatures, from the leaf nodes level to the penultimate nodes level of the tree, of every other leaf node having the same parent node in the tree that the leaf-node a(l,i) corresponding to the article digital signature χμ and successively at each next level in the tree, of every non-leaf node having the same parent node in the tree that the previous same parent node considered at the preceding level.

The box digital data Dj and its corresponding box vérification key kj (together constituting the vérification information Vj of box Aj) are part of the digital data included in the security marking 410 applied on box Aj.

The vérification of authenticity of the secured box Ai of Fig.4, belonging to the batch of boxes having the reference root digital signature R, only nécessitâtes to read and décodé the box digital data Di on the security marking 410 on box Ai (with appropriate reader, for example with the above mentioned smartphone having a further programmed application for calculating a signature with the one-way hash function H and a retrieving a root node value from the vérification information Vi=(Di,ki)), calculating the corresponding box digital signature xi with the one-way function H as xi = H(Di), obtaining the reference root digital signature (batch value) R (in this example, the reference batch value R is stored in the memory of the reader), and checking if the obtained reference root digital signature R matches the candidate root digital signature R^c obtained from the read vérification information (Di,ki) as the digital signature by the one-way hash function H of a concaténation, according to the nodes ordering in the tree and the tree concaténation ordering, of the leaf node value xi (of leaf node a(l,l)) and the node values indicated in the vérification key ki. If R^c / R, the box Ai is counterfeit. If R^c = R, the security marking 410 corresponds to that of a genuine box. In this case, several additional security checks can be performed. For example, with a reader equipped with a display (like the above mentioned smartphone), it is possible to extract from the read box digital data Di any one of the information 430a-430d, display the extracted information and visually check that it matches the corresponding information printed on the box A_b If displayed information does not correspond to a printed one, the box is counterfeit.

A further authentication check of the box Ai is possible by verifying that the material-based security marking 415 is genuine. It suffi ces to detect the positions of the dispersed particles by imaging the stamp 415 (for example, with the above mentioned smartphone having image processing capabilities) and calculate from these positions a corresponding candidate characteristic digital data CDD^c-Ab and then check that this CDD^c-Ai is indeed similar (within a given margin of error) to the reference characteristic digital data CDD-Αι extracted from the box digital data Db if they agréé the stamp 415, and thus the box A_bis genuine, if they do not agréé the stamp 415, and thus the box Ai (the stamp being tamperproof), is counterfeit.

Still in case of verified matching of the root digital signatures (i.e. R^c = R), and even if the information 430a-430d hâve been verified and/or the material-based security marking 415 is genuine, it is further possible to check if the blister packs 401 contained in box Ai are the right ones: it suffîces to check if the unique serial numbers 435 marked on the blister packs match those indicated by the box digital data Di as read from the security marking 410. If these data do not match, this a proof of fraud: the blister packs of the genuine box Ai hâve been replaced with other ones (possibly counterfeited, or of another mark, or corresponding to a different medicine). Moreover, still in case of an authentic box Ai (i.e. with R^c = R), even if the blister packs 401 are the right ones, in case any one of the additional information extracted from the box digital data D_b recommended retail price 430e, market country 43 Of, and sale restriction indication 430g, does not correspond to the experienced sale conditions (for example if the medicine pack Ai is sold in a country different from that indicated by data 43 Of), the corresponding fraud can be detected. This further constitutes a serions alert that the batch itself, or at least a part of it, has been diverted.

Thus, both full track and trace operations and authentication checks of the secured medicine packs are possible due to the forgery-proof link provided according to the invention by the root digital signature between the box data, the blister packs data of the contained blister packs, the unique characterizing physical properties of the box and its blister packs, and the belonging of the box to a given batch.

According to the above detailed description, the invention is clearly compatible with offline and local checking operations for verifying the authenticity of a secured article or conformity of data on an image (or copy) of a secured article with respect to the data associated with the original secured article. However, the invention is also compatible with online vérification process, for example by receiving (via a communication link) a reference batch value form an external source (e.g. server or blockchain), or performing some or ail the calculation steps involving the one-way function or the one-way accumulator via external computing means (e.g. operating on a server), or even performing the vérification that a candidate root digital signature matches a reference root digital signature (and just receiving the resuit).

The above disclosed subject matter is to be considered illustrative, and not restrictive, and serves to provide a better understanding of the invention defined by the independent claims.

Claims

1. Method of securing a given original article belonging to a batch of a plurality of original articles against forgery or tampering, each original article having its own associated article data and corresponding article digital data, characterized by comprising the steps of:

for each original article of the batch, calculating by means of a one-way function an associated article digital signature of its corresponding article digital data;

forming a tree based on the plurality of calculated article digital signatures for the original articles of the batch and comprising nodes arranged according to a given nodes ordering in the tree, said tree comprising node levels from the leaf nodes, corresponding to the plurality of article digital signatures respectively associated to the plurality of original articles in the batch, to the root node of the tree, every non-leaf node of the tree corresponding to a digital signature by means of the one-way function of a concaténation of the respective digital signatures of its child nodes according to a tree concaténation ordering, the root node corresponding to a reference root digital signature, i.e. a digital signature by means of the one-way function of a concaténation of the digital signatures of the nodes of a penultimate nodes level in the tree according to said tree concaténation ordering;

associating with the given original article a corresponding vérification key being a sequence of the respective digital signatures, from the leaf nodes level to the penultimate nodes level, of every other leaf node having the same parent node in the tree that the leaf-node corresponding to the article digital signature of the given original article, and successively at each next level in the tree, of every non-leaf node having the same parent node in the tree that the previous same parent node considered at the preceding level;

making available to a user the reference root digital signature of the tree; and applying on the given original article a machine readable security marking including a représentation of its corresponding article digital data and its corresponding vérification key, thereby obtaining a marked original article of which article data is secured against forgery or tampering.

2. Method according to claim 1, wherein the reference root digital signature of the root node of the tree is either published in a media accessible to the user, or stored in a searchable root database accessible to the user, or stored in a blockchain, or in a database secured by a blockchain, accessible to the user.

3. Method according to claim 2, wherein the marked original article further comprises root node access data marked thereto and containing information sufficient to allow the user to access to the reference root digital signature of the root node of the tree corresponding to the batch of original articles, said information being a link to an access interface opérable to receive from the user a root request containing article digital data, or a digital signature of article digital data, obtained from a security marking of a marked original article, and send back a reference root digital signature of corresponding tree, the access interface allowing access to, respectively, one of the following:

- the media wherein the reference root digital signature is published;

4. Method according to any one of claims 1 to 3, wherein a virtual article is counted as belonging to the batch of original articles, said Virtual article having associated virtual article data and its corresponding virtual article digital data, and an associated virtual article digital signature obtained by means of the one-way function of the virtual article digital data, said virtual article being not produced but only used for generating the associated virtual article digital signature; and the reference root digital signature associated with said batch of original articles being calculated from a tree having ail the article digital signatures of the original articles of the batch, including the virtual article digital signature, as leaf nodes.

5. Method according to any one of claims 1 to 4, wherein additional article digital data corresponding to the article digital data associated with the marked original article are stored in a searchable information database accessible to the user via an information database interface opérable to receive from the user an information request containing article digital data, or a digital signature of article digital data, obtained from a security marking of a marked original article, and send back corresponding additional article digital data.

6. Method according to claim 5, wherein the additional article digital data corresponding to the article digital data associated with the marked original article are concatenated with said article digital data.

7. Method according to any one of claims 1 to 6, wherein the article digital data of the marked original article includes corresponding reference characteristic digital data of a unique physical characteristic of the marked original article, or of an associated object or individual.

8. Method according to claim 7, wherein the unique physical characteristic of the marked original article is that of a material-based security marking applied on the original article, or on the associated object.

9. Method according to any one of claims 1 to 8, wherein the article digital data of the respective original articles of the batch are spread between given fields common to ail the articles of the batch, and digital data relating to these fields are not included in the article digital data but clustered in a separate fields data block associated with the batch, and wherein:

10. Method of verifying the authenticity of an article, or the conformity of a copy of such article, with respect to a marked original article belonging to a batch of original articles secured according to the method of any one of claims 1 to 8, comprising the steps of, upon viewing a test object being said article or said copy of the article:

acquiring a digital image of a security marking on the test object by means of an imager having an imaging unit, a processing unit with a memory, and an image processing unit;

reading a représentation of article digital data and an associated vérification key on the acquired digital image of the security marking on the test object, and extracting respectively corresponding test article digital data and test vérification key from said read représentation;

having stored in the memory a reference root digital signature of a root node of a tree of the batch of original articles, and having programmed in the processing unit the one-way function to calculate a digital signature of digital data and of a concaténation of digital signatures according to the nodes ordering in the tree and the tree concaténation ordering;

verifying whether the extracted test article digital data and associated test vérification key indeed correspond to the stored reference root digital signature by performing the steps of:

calculating with the one-way function a test digital signature of the extracted test article digital data, said test digital signature corresponding to a test leaf node in a test tree corresponding to the security marking on the test object;

extracting from the sequence of digital signatures in the test vérification key, a digital signature of every other leaf node of the test tree having the same parent node than that of the test leaf node and calculating a digital signature of a concaténation of the test digital signature and the extracted digital signature of said every other leaf node, thus obtaining a digital signature of said same parent node of the test leaf node;

successively at each next level in the test tree and up to the penultimate nodes level, extracting from the sequence of digital signatures in the test vérification key, a digital signature of every other non-leaf node of the test tree having the same parent node than that of the previous same parent node considered at the preceding step and calculating a digital signature of a concaténation of the digital signature of said respective every other non-leaf node and the obtained digital signature of said previous same parent node, thus obtaining a digital signature of said same parent node of said previous same parent node;

calculating a digital signature of a concaténation of the obtained digital signatures of the non-leaf nodes corresponding to the penultimate nodes level of the test tree, thus obtaining a candidate root digital signature of the root node of the test tree; and checking whether the obtained candidate root digital signature matches the stored reference root digital signature, whereby, in case said root digital signatures match, the article data on the test object are that of a genuine article.

11. Method according to claim 10, wherein the marked original article is secured according to the method of claim 9, the memory of the processing unit further storing the associated fields data block, and wherein:

the step of calculating a test digital signature corresponding to a test leaf node in a test tree corresponding to the security marking on the test object comprises calculating with the one-way function a digital signature of a concaténation of the extracted test article digital data and the digital data of the stored fields data block.

12. Method according to any one of daims 10 and 11, wherein the article is secured by storing the reference root digital signature in a searchable root database accessible to the user according to the method of claim 2, and the imager is further equipped with a communication unit opérable to send and receive back data via a communication link, comprising the preliminary steps of:

sending with the communication unit via the communication link a request to said root database, and receiving back the reference root digital signature; and storing the received root digital signature in the memory of the imager.

13. Method according to any one of claims 10 and 11, wherein the article is secured according to the method of claim 3, the imager is further equipped with a communication unit opérable to send and receive data via a communication link, comprising the preliminary steps of:

reading the root node access data marked on the test object with the imager;

sending with the communication unit via the communication link a root request to said access interface containing the article digital data, or a digital signature of said article digital data, obtained from the security marking on the test object, and receiving back a corresponding reference root digital signature of associated batch; and storing the received reference root digital signature in the memory of the imager.

14. Method according to any one of claims 10 to 13, wherein the article is secured according to the method of any one of claims 5 and 6, and the imager is further equipped with communication means opérable to send to the information database interface an information request containing article digital data, or corresponding article digital signature data, obtained from the security marking on the test object, and receive back corresponding additional article digital data.

15. Method according to any one of claims 10 to 14, wherein the article is secured according to the method of any one of claims 7 and 8 and the imager is further equipped with a sensor opérable to detect a unique physical characteristic of respectively a marked original article, or of an associated object or individual, and the processing unit is programmed to extract corresponding characteristic digital data from a détection signal received from the sensor, the imager having stored in the memory reference characteristic digital data CDD corresponding to said unique physical characteristic of respectively the marked original article, or of the associated object or individual, comprising the further steps of, upon viewing a subject being said article or said associated object or individual:

detecting with the sensor a unique physical characteristic of the subject and extracting corresponding candidate characteristic digital data CDD^c;

comparing the obtained candidate characteristic digital data CDD^c with the stored reference characteristic digital data CDD; and in case the candidate characteristic digital data CDD^c is similar to the stored reference characteristic digital data CDD, within a given tolérance criterion, the subject is considered as corresponding respectively to a genuine article, or an object or individual validly associated with a genuine article.

16. Method of verifying the conformity of an article digital image of an article with respect to a marked original article belonging to a batch of original articles secured according to the method of any one of claims 1 to 8, comprising the steps of:

obtaining the article digital image showing a security marking on the article by means of an imager having an imaging unit, a processing unit with a memory, and an image processing unit;

reading a représentation of article digital data and of an associated vérification key on the obtained digital image of the security marking, and extracting respectively corresponding test article digital data and associated test vérification key from said read représentation;

verifying whether the extracted test article digital data and test vérification key indeed correspond to the stored reference root digital signature by performing the steps of:

calculating a digital signature of a concaténation of the obtained digital signatures of the non-leaf nodes corresponding to the penultimate nodes level of the test tree, thus obtaining a candidate root digital signature of the root node of the test tree; and checking whether the obtained candidate root digital signature matches the stored reference root digital signature, whereby, in case said root digital signatures match, the article digital image is that of a genuine marked original article.

17. Method according to claim 16, wherein the marked original article is secured according to the method of claim 9, the memory of the processing unit further storing the associated fields data block, and wherein:

18. Method according to any one of claims 16 and 17, wherein the original article is secured by storing the reference root digital signature in a searchable root database accessible to the user according to the method of claim 2, and the imager is further equipped with a communication unit opérable to send and receive back data via a communication link, comprising the preliminary steps of:

19. Method according to any one of claims 16 to 18, wherein the original article is secured according to the method of any one of claims 7 and 8 and the imager is further equipped with a sensor opérable to detect a unique physical characteristic of respectively an object or an individual associated with a marked original article, and the processing unit is programmed to extract corresponding characteristic digital data from a détection signal received from the sensor, the imager having stored in the memory reference characteristic digital data CDD corresponding to said unique physical characteristic of respectively the associated object or individual, comprising the further steps of, upon viewing a subject being said associated object or individual:

comparing the obtained candidate characteristic digital data CDD^c with the stored reference characteristic digital data CDD; and in case the candidate characteristic digital data CDD^c is similar to the stored reference characteristic digital data CDD, within a given tolérance criterion, the subject is considered as corresponding respectively to an object or individual validly associated with a genuine marked original article.

20. Article belonging to a batch of a plurality of original articles and secured against forgery or tampering according to the method of any one of claims 1 to 9, each original article of the batch having its own article digital data and corresponding vérification key, said batch having a corresponding reference root digital signature, comprising:

a machine readable security marking applied on the article and including a représentation of its article digital data and its vérification key.

21. Article according to claim 20, wherein the article digital data of the article include reference characteristic digital data CDD of a corresponding unique physical characteristic of the article, or of an associated object or individual.

22. Article according to claim 21, wherein the unique physical characteristic of the article is that of a material-based security marking applied on the article.

23. System for verifying the authenticity of an article, or the conformity of a copy of such article, with respect to a marked original article belonging to a batch of original articles secured according to the method of any one of claims 1 to 8, comprising an imager having an imaging unit, a processing unit with a memory, and an image processing unit, the memory storing a reference root digital signature of a tree corresponding to the batch of original articles, and the one-way function to calculate a digital signature of digital data and of a concaténation of digital signatures according to the nodes ordering in the tree and the tree concaténation ordering being programmed in the processing unit, said system being opérable to:

acquire with the imager a digital image of a security marking on a test object being said article or said copy of the article;

read with the imager a représentation of article digital data and of an associated vérification key on the acquired digital image of the security marking on the test object, and extract respectively corresponding test article digital data and test vérification key from said read représentation;

verify whether the extracted test article digital data and associated vérification key indeed correspond to the stored reference root digital signature by executing on the processing unit the

5 further programmed steps of:

calculating with the one-way function a test digital signature from the calculated digital signature of the extracted test article digital data, said test digital signature corresponding to a test leaf node in a test tree corresponding to the security marking on the test object;

10 extracting from the sequence of digital signatures in the test vérification key, a digital signature of every other leaf node of the test tree having the same parent node than that of the test leaf node and calculating a digital signature of a concaténation of the test digital signature and the extracted digital signature of said every other leaf node, thus obtaining a digital signature of said same parent node of the test leaf node;

15 successively at each next level in the test tree and up to the penultimate nodes level, extracting from the sequence of digital signatures in the test vérification key, a digital signature of every other non-leaf node of the test tree having the same parent node than that of the previous same parent node considered at the preceding step and calculating a digital signature of a concaténation of the digital signature of said respective every other

20 non-leaf node and the obtained digital signature of said previous same parent node, thus obtaining a digital signature of said same parent node of said previous same parent node;

calculating a digital signature of a concaténation of the obtained digital signatures of the non-leaf nodes corresponding to the penultimate nodes level of the test tree, thus obtaining a candidate root digital signature of the root node of the test tree; and

25 checking whether the obtained candidate root digital signature matches the stored reference root digital signature, whereby, in case said root digital signatures match, the system is configured to deliver an indication that the article data on the test object are that of a genuine article.

30

24. System according to claim 23, wherein the marked original article is secured according to the method of claim 9, the memory of the processing unit further storing the associated fields data block, and wherein:

25. System for verifying the conformity of an article digital image of an article with respect to a marked original article belonging to a batch of original articles secured according to the method of any one of claims 1 to 8, comprising an imager having an imaging unit, a processing unit with a memory, and an image processing unit, the memory storing a reference root digital signature of a tree corresponding to the batch of original articles, and the one-way function to calculate a digital signature of digital data and of a concaténation of digital signatures according to the nodes ordering in the tree and the tree concaténation ordering being programmed in the processing unit, said System being opérable to:

obtain the article digital image showing a security marking on the article by means of the imager;

read with the imager a représentation of article digital data and of an associated vérification key on the obtained digital image of the security marking, and extract respectively corresponding test article digital data and associated test vérification key from said read représentation;

verify whether the extracted test article digital data and test vérification key indeed correspond to the stored reference root digital signature by executing on the processing unit the further programmed steps of:

calculating a digital signature of a concaténation of the obtained digital signatures of the non-leaf nodes corresponding to the penultimate nodes level of the test tree, thus obtaining a candidate root digital signature of the root node of the test tree; and checking whether the obtained candidate root digital signature matches the stored

5 reference root digital signature, whereby, in case said root digital signatures match, the system is configured to deliver an indication that the article digital image is that of a genuine marked original article.

26. System according to claim 25, wherein the marked original article is secured according to

10 the method of claim 9, the memory of the processing unit further storing the associated fields data block, and wherein:

the step of calculating a test digital signature corresponding to a test leaf node in a test tree corresponding to the security marking on the test object comprises calculating with the one-way function a digital signature of a concaténation of the extracted test article digital data and the

15 digital data of the stored fields data block.