Device, system and method for verifying the authenticity integrity and/or physical condition of an item

10374812 · 2019-08-06

Abstract

A physical uncloneable function (PUF) pattern is used for verifying a physical condition of an item. The PUF pattern is arranged to be damaged in the event that said item is exposed to a predetermined environmental condition. Verification of the physical condition of the item, is carried out by obtaining a measured response from the PUF pattern, and comparing the measured response with a stored response in respect of the PUF.

Claims

1. A physical uncloneable function (PUF) device, comprising: an RFID arrangement comprising: a processor, communication means, a memory, and a PUF arrangement comprising: an environmentally fragile label including a random distribution of a plurality of physically detectable particles, wherein the random distribution is achieved by mixing pre-selected physically detectable particles with main material elements of which the label is made during the production of the label to form a characteristic PUF pattern, wherein said characteristic PUF pattern is unique for each label, such that it cannot be reliably reproduced and is therefore uniquely verifiable, wherein said PUF pattern is configured to verify a physical condition of said item to which said PUF device is formed in or attached to, wherein said physically detectable particles are pre-selected such that said PUF pattern is arranged to be damaged in the event that said item to which said PUF device is formed in or attached to is exposed to a preselected undesirable environmental influence that is known to cause a measurable change in said physically detectable particles based on physical properties of the particles, wherein said damage does not result from human physical contact with the PUF device, and wherein said preselected undesirable environmental influence comprises one of a chemical environmental influence, a biochemical environmental influence, a moisture environmental influence, a light environmental influence, an electromagnetic environmental influence, and a pressure environmental influence.

2. A PUF device according to claim 1, wherein said PUF pattern is arranged to be damaged when using said item for the first time.

3. A PUF device according to claim 1, wherein said PUF pattern is formed in or on a label.

4. A PUF device according to claim 1, wherein said PUF pattern is provided in or on a passive or active sensor.

5. A PUF device according to claim 4, wherein said sensor comprises a radioactivity sensor, an accelerometer, shock or vibration sensor, a chemical or biochemical sensor, a moisture sensor, a light sensor, an electromagnetic field sensor, or a pressure sensor.

6. A PUF device according to claim 1, wherein said PUF pattern is formed in or on a light or moisture sensitive material.

7. A system for verifying a physical condition of an item to which a physical uncloneable function (PUF) device is formed in or attached to, the system comprising: a PUF device comprising: an RFID arrangement further comprising: a processor, communication means, a memory, and a PUF arrangement comprising: an environmentally fragile label including a random distribution of a plurality of physically detectable particles, wherein the random distribution is achieved by mixing pre-selected physically detectable particles with main material elements of which the label is made during the production of the label to form a characteristic PUF pattern, wherein said characteristic PUF pattern is unique for each label, such that it cannot be reliably reproduced and is therefore uniquely verifiable, wherein said PUF pattern is configured to verify a physical condition of said item to which said PUF device is formed in or attached to, wherein said physically detectable particles are pre-selected such that said PUF pattern is arranged to be damaged in the event that said item to which said PUF device is formed in or attached to is exposed to a preselected undesirable environmental influence that is known to cause a measurable change in said physically detectable particles based on physical properties of the particles, wherein said damage does not result from human physical contact with the PUF device, wherein said preselected undesirable environmental influence comprises one of a chemical environmental influence, a biochemical environmental influence, a moisture environmental influence, a light environmental influence, an electromagnetic environmental influence, and a pressure environmental influence, a verification device for verifying a physical condition of an item to which the PUF device is formed in or attached to, the verification device comprising: a) a measurement unit for obtaining a measured response from a PUF pattern, b) a comparison unit for comparing said measured response with a stored response in respect of said PUF, and wherein the verification device determines whether said PUF pattern has been exposed to said predetermined undesirable environmental influence based on said comparison.

8. A system according to claim 7, wherein the verification device verifies the authenticity of enrollment data stored in a memory of said PUF during an enrolment phase.

9. A method of enabling verification of a physical condition of an item including a PUF device attached to or integrated within said item, the method comprising: obtaining, by a control device, a measured response from a PUF pattern of said item, wherein said PUF pattern is comprised of one or more pre-selected materials and is arranged to be damaged in the event said item is exposed to a pre-selected undesirable environmental influence, wherein said PUF pattern is a characteristic pattern that is formed in or on an environmentally fragile label, the label including a random distribution of a plurality of physically detectable particles, wherein the random distribution is achieved by mixing pre-selected physically detectable particles with main material elements of which the label is made during the production of the label to form said characteristic PUF pattern, wherein said characteristic PUF pattern is unique for each label, such that it cannot be reliably reproduced and is therefore uniquely verifiable, wherein said PUF pattern is configured to verify a physical condition of said item to which said PUF device is formed in or attached to, wherein said physically detectable particles are pre-selected such that said PUF pattern is arranged to be damaged in the event that said item to which said PUF device is formed in or attached to is exposed to the pre-selected undesirable environmental influence that is known to cause a measurable change in said physically detectable particles based on physical properties of the particles, wherein said damage does not result from human physical contact with the PUF device, forming authentication data based on information derived from the measured response from said PUF pattern, wherein formation of said authentication data comprises: signing a commitment C(S) by a trusted third party with a public key to a unique identifier S, and using a private key by the trusted third party, and storing the signed commitment as authentication data into a memory of the PUF device, checking, by the control device, the authenticity of the stored authentication data by asserting one or more challenge response pairs to measure a single property of the item, comprising: generating, by the control device, at least one random challenge for which the PUF device generates at least one response, sending, by the PUF device, the response back to the control device, checking, by the control device, whether the response is correct and whether the commitment was signed by the trusted third party, and accepting the item as authentic as not having been exposed to a preselected undesirable environmental influence if the asserted one or more challenge-response pairs are satisfied.

10. A method according to claim 9, further comprising signing said authentication data prior to storage thereof.

11. A method according to claim 9, wherein the step of forming said authentication data comprises a sub-step of generating a first helper data for use during verification of a physical condition of an item.

12. A PUF device according to claim 1, wherein said PUF pattern is arranged to degrade over time.

13. A system according to claim 7, wherein said PUF pattern is arranged to degrade over time.

14. A method according to claim 9, wherein said PUF pattern is arranged to degrade over time.

Description

BRIEF DESCRIPTION OF THE DRAWINGS

(1) Embodiments of the present invention will now be described by way of examples only and with reference to the accompanying drawings, in which:

(2) FIG. 1 diagrammatically illustrates a coating PUF arrangement;

(3) FIG. 2 diagrammatically illustrates a PUF device;

(4) FIG. 3 diagrammatically illustrates a passive, tamper-evident, environmentally-fragile PUF in the form of a label;

(5) FIG. 4 diagrammatically illustrates a system for off-line verification of authenticity;

(6) FIG. 5 shows a flow diagram for a method for off-line verification of authenticity;

(7) FIG. 6 diagrammatically illustrates a system for on-line verification of authenticity; and

(8) FIG. 7 shows a flow diagram for a method for on-line verification of authenticity.

DETAILED DESCRIPTION OF THE EMBODIMENTS

(9) Physical arrangements produced in an uncontrolled production process, that is a production process containing some sort of randomness, are suitable for being used as PUF arrangements.

(10) Examples of such PUF arrangements are:

(11) Optical PUF arrangement: a transparent medium containing disordered structures producing a speckle pattern when being illuminated by a laser beam.

(12) Coating PUF arrangement: a coating on an integrated circuit containing random dielectric particles from which local capacitance values may be measured.

(13) Acoustical PUF arrangement: a physical structure probed with acoustic waves.

(14) Silicon PUF arrangement: an integrated circuit produced in silicon having differences in circuit delays due to manufacturing variations.

(15) In all cases, the materials used to form the PUF arrangement can be selected so as to cause the PUF pattern to be damaged in the event that the item to which it is attached, or in which it is incorporated, is exposed to a predetermined environmental condition.

(16) For example, if it is required to determine exposure to excessive temperature, two or more materials of different expansion coefficients can be used so as to cause breakage in the event of exposure to temperature extremes. If extreme temperature or pressure is to be determined, chemicals which react, mix or melt in the presence of such conditions could be used. If exposure to light is to be identified, the device could be formed with a light-sensitive material.

(17) Because of the randomness in the manufacturing process, there is an extremely high probability that each individual arrangement will generate its own unique identifier.

(18) Referring now to FIG. 1, a coating PUF arrangement is diagrammatically shown. An integrated circuit (IC) 100 has a coating 102 containing random dielectric particles. In this specific case, two types of dielectric particles 104, 106 with different dielectric constants are present. The dielectric constant, as well as size, shape and placement for each of the particles affect the capacitance.

(19) By measuring several different local capacitance values of the coating a characteristic pattern is achieved. This characteristic pattern may be read out with a matrix of sensor structures 108 comprised in the top metal layer of the IC 100, placed above an insulation layer 110.

(20) Referring to FIG. 3 of the drawings, there is illustrated a tamper-evident, environmentally fragile label. The label 110 includes a random distribution of a plurality of physically detectable particles 112. Preferably, the random distribution is achieved by mixing the particles with the main material elements of which the label is made (e.g. plastic particles or paper fibers) during the production of the label. This will give a random distribution, unique for each label. In this context, a main characteristic of the random distribution is that it cannot be reliably reproduced (i.e. it is uncloneable), such that each label is uniquely identifiable.

(21) Advantageously, the particles are of a different material (or treated differently, e.g. painted or coated) than the main label particles, not only to enable reliable and simple detection of the particles, but also to ensure that the PUF pattern is damaged in the event that the item to which the label is attached, or in which it is incorporated, is exposed to a predetermined condition.

(22) Other suitable methods of providing a tamper-evident, environmentally fragile PUF are also envisaged and the present invention is not necessarily intended to be limited in this regard.

(23) In any event, the characteristic pattern for a PUF arrangement will be referred to as a PUF pattern, and the data generated by this PUF pattern will be referred to as a cryptographic key or unique identifier.

(24) Radio Frequency Identification (RFID) tags are integrated circuits (IC), which may be used for wireless identification of items. Today, RFID tags are widely used in supply chain management, and in the future the barcode system may be replaced by an RFID arrangement.

(25) By combining an RFID arrangement with a PUF arrangement, a system for wireless identification and verification of authenticity is achieved. A device to be used in such a system is presented in FIG. 2.

(26) The overall device, herein referred to as a PUF device 200, may be in the form of a label in order to be easily attached to items.

(27) The PUF device 200 comprises a PUF arrangement 202, preferably a coating PUF arrangement, and an RFID arrangement 204. The RFID arrangement 204 comprises, in turn, a processor 206, communication means 208 and a memory 210.

(28) The memory 210 may be divided into a volatile memory 212, such as a RAM, and a non-volatile memory 214, such as an EEPROM, or other suitable type of ROM, wherein the volatile memory 212 may be used for temporary storing of a PUF pattern and the non-volatile memory 214 may be used for storing software instructions and data for identification purposes. Alternatively, the enrollment data may be stored on non-volatile memory.

(29) Alternatively, the PUF pattern may be provided in the form of a completely passive, tamper-evident label or the like.

(30) Referring to FIG. 4, a system for off-line verification 300 of authenticity is presented. The system comprises a PUF device 302 and a control device 304.

(31) The PUF device 302 may be comprised within a label attached to an item in such a way that when the item is used for the first time the PUF pattern, within the PUF device, is destroyed, for example: opening a box, a push-through strip, a glued milk pack, a PUF-covered electronic component or a PUF-covered screw.

(32) Alternatively, the PUF pattern is damaged, such that the PUF device is no longer able to authenticate the item, but the PUF device can still be used for identification of the item, e.g. in a home environment. Damaging the PUF then gives it a new identity. Either way, if the PUF device has been exposed to the preselected undesirable environmental condition, the PUF pattern will be damaged, and authentication will not be possible.

(33) The control device 304 may be a hand-held device adapted to near field communication (NFC), such as a NFC-enabled mobile phone.

(34) Now referring to FIG. 5, the method of an off-line verification system is described. However, before an off-line verification may be carried out, the PUF device must be enrolled. In the enrollment phase, a trusted third party with public key e signs a commitment C(S) to the unique identifier S, using its private key d, and stores the signed commitment $.sub.dC(S) into the PUF device, preferably in the non-volatile memory 214. Note that the pair (e, d) is a public/private key pair of which the public key e is publicly known and the private key d is kept secret by the signer. The notation $.sub.d denotes a signature created with the private key d, which can be verified (by anyone) using the public key e.

(35) Neither the signed commitment $.sub.dC(S) nor the commitment C(S) reveals any information about the unique identifier S. Furthermore, since the private key d (of the key pair (e, d)) has been used, it is possible for anyone to check the signature of the commitment $.sub.dC(S) using the public key e.

(36) Firstly in the off-line verification, in step 400, an instantiation message is sent from the control device to the PUF device. If the PUF device is externally powered, this step also includes powering the PUF device.

(37) Secondly, in step 402, the commitment $.sub.dC(S) is sent from the PUF device to the control device.

(38) Thirdly, in step 404, the control device receives the commitment $.sub.dC(S) and verifies that the signature is valid.

(39) Fourthly, in step 406, the PUF device creates a secret cryptographic key S.sub.temp using its incorporated PUF pattern and stores this key S.sub.temp temporarily in the volatile memory.

(40) Fifthly, in step 408, the PUF device and the control device interact in order to check whether the secret cryptographic key S, used in the commitment $.sub.dC(S), corresponds to the temporarily stored secret key S.sub.temp. In order not to reveal any secret information, such as the temporarily stored secret key S.sub.temp, a zero-knowledge (ZK) protocol is utilized for communication between the PUF device and the control device. The ZK protocol is described in more detail below.

(41) If S.sub.temp and S turn out to be the same, the PUF device has not been changed since the enrollment, which implies that the item is authentic, and that it has not been exposed to an undesirable environmental condition (i.e. the re-sale conditions in respect of the item are met).

(42) However, for instance, if someone has opened or used the item in such a way that the label which comprises the PUF device, especially the PUF pattern, has been damaged, this will be detected due to the fact that S.sub.temp will not be the same as S. Similarly, if the re-sale conditions are not met, this will be detected because S.sub.temp will not be the same as S.

(43) The basic idea with a ZK protocol is to prove the possession of a secret without revealing it. In this case the secret key S, used in order to get the commitment $.sub.dC(S), and the temporarily stored secret key S.sub.temp should be proven to be equal without revealing any of them.

(44) The signed commitment $.sub.dC(S) is preferably stored in the memory of the RFID device containing the PUF. In order to securely link the RFID device with a certain physical object or item, an additional signature $'($.sub.dC(S),ItemText) on both the signed commitment and a value ItemText is preferably stored in the RFID device as well. Here ItemText denotes a certain characteristic of the item like text on the item, serial number, barcode type of product, expiry date etc. The second signature $' is created using public key cryptography by the party that embeds the RFID. The reader device could check whether this second signature $' is valid and whether the ItemText matches with the scanned item before starting the ZK protocol. Alternatively the ItemText could be displayed on the reader device such that the user can check that the scanned RFID tag with PUF is the correct tag that matches with the item that he is scanning.

(45) One possible ZK protocol is Schnorr's identification protocol. In brief, Schnorr's identification protocol goes as follows: three public numbers, denoted p, q and g, are chosen, where p is a 1024-bit prime number, q is a 160-bit prime number and g is a generator of multiplicative order q modulo p, and the commitment to S is determined by C(S)=g.sup.S mod p, where S may be assumed to be a number between 0 and q.

(46) Thereafter, a random number r, fulfilling 1 ≤ r ≤ q−1, may be generated by the PUF device, and, next, a corresponding public value x, according to x=g.sup.r mod p, may be determined.

(47) After that, the control device generates a random challenge e for which the PUF device generates a response y, according to y=S*e+r mod q.

(48) This response is sent back to the control device who can then check that the response is correct with regard to the values x, e and the commitment C(S) that was signed by the trusted third party, according to

(49) g.sup.y==x*(C(S)).sup.e mod p.

(50) In terms of ZK protocols, the PUF device has the role of the prover, the control device has the role of the verifier and S functions as the witness.
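The following is an added worked example, not part of the patent, of the Schnorr exchange of paragraphs (45) to (50) with the PUF device as prover and the control device as verifier. It uses a constructed toy group (q = 1019, p = 2q + 1 = 2039, g = 4 of order q) instead of the 1024-bit p and 160-bit q the text specifies, so the arithmetic is readable but offers no security; the PUF read-out that yields S.sub.temp is replaced by a hypothetical `measure` callback, and the signature check on the commitment (step 404) is left out.

```python
"""Schnorr identification between a PUF device (prover) and a control device
(verifier): commitment C(S) = g^S mod p, x = g^r mod p, y = S*e + r mod q,
check g^y == x * C(S)^e mod p."""
import secrets

# Constructed toy Schnorr group: q and p = 2q + 1 are prime, g = 4 has
# multiplicative order q modulo p. Far too small for real use.
P, Q, G = 2039, 1019, 4


def commitment(s: int) -> int:
    """Enrolment: C(S) = g^S mod p, the value the trusted third party signs."""
    return pow(G, s, P)


class PufDevice:
    """Prover. `measure` stands in for reading the PUF pattern (assumption)."""

    def __init__(self, measure):
        self._measure = measure
        self._s_temp = None
        self._r = None

    def begin(self) -> int:
        # Step 406: derive S_temp from the pattern; keep it only in volatile memory.
        self._s_temp = self._measure() % Q
        # Paragraph (46): random r with 1 <= r <= q-1, public value x = g^r mod p.
        self._r = 1 + secrets.randbelow(Q - 1)
        return pow(G, self._r, P)

    def respond(self, e: int) -> int:
        # Paragraph (47): y = S_temp*e + r mod q, then discard the secret copy.
        y = (self._s_temp * e + self._r) % Q
        self._s_temp = self._r = None
        return y


class ControlDevice:
    """Verifier. Holds the enrolled commitment C(S) read from the device."""

    def __init__(self, c_s: int):
        self.c_s = c_s

    def challenge(self) -> int:
        # e in [1, q-1]; e = 0 would make the check pass for any S_temp.
        return 1 + secrets.randbelow(Q - 1)

    def check(self, x: int, e: int, y: int) -> bool:
        # Paragraph (49): g^y == x * C(S)^e mod p.
        return pow(G, y, P) == (x * pow(self.c_s, e, P)) % P


def run_verification(device: PufDevice, control: ControlDevice) -> bool:
    """One protocol run: x from the prover, e from the verifier, y back, check."""
    x = device.begin()
    e = control.challenge()
    y = device.respond(e)
    return control.check(x, e, y)


def demo():
    """Intact pattern (S_temp == S) passes; damaged pattern (S_temp != S) fails."""
    enrolled_s = 731                      # constructed identifier read at enrolment
    control = ControlDevice(commitment(enrolled_s))
    intact = PufDevice(lambda: 731)       # pattern unchanged since enrolment
    damaged = PufDevice(lambda: 732)      # pattern damaged: different read-out
    return run_verification(intact, control), run_verification(damaged, control)


if __name__ == "__main__":
    print(demo())
```

Because g has prime order q, the check holds exactly when (S.sub.temp − S)·e ≡ 0 mod q; with e drawn from 1 to q−1 a changed pattern therefore fails every run, while the verifier learns nothing about S beyond the commitment it already held.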

(51) In the case of a completely passive PUF, e.g. a tamper-evident label with embedded physical structure (e.g. that illustrated in FIG. 2), an off-line verification method may also be used.

(52) In this case, a digital representation of the PUF measurement is stored during an enrolment phase on the item itself, together with information about the item. As before, the digital representation may be signed or encrypted. In any event, it is stored in a suitable form to enable verification by a verification device.

(53) The verification device reads the enrolment data from the label and checks the authenticity thereof.

(54) A measurement unit determines, in respect of a label in or on an item, a digital representation (hereinafter referred to as the measured representation) based on measurements of physical properties of the particles. The measured properties include information on the actual distribution of at least some of the particles.

(55) The verification device also includes a comparison unit for comparing the measured representation with the stored representation. The product is accepted as authentic, and as not having been exposed to an undesirable environmental condition (i.e. the re-sale conditions in respect of the item are met), only if these two representations match; otherwise it is rejected. The user is notified of the outcome.

(56) Instead of using an off-line verification system, an on-line verification system may be used.

(57) Referring to FIG. 6, an on-line verification system comprising a PUF device 500, a verification device 502 and a database 504 is shown. The database may be held on a trusted external server.

(58) The control device 502 may communicate with the database (DB) 504 via a Secure Authenticated Channel (SAC) 506.

(59) The DB 504 may contain a number of pairs of challenges C.sub.i and responses R.sub.i, wherein the response R.sub.i may be determined by using a cryptographic one-way hash function h( ) taking the challenge C.sub.i and the secret key S as input parameter, according to R.sub.i=h(C.sub.i,S). Optionally, the data in the DB 504 is signed by the enrolment authority.

(60) Now referring to FIG. 7, the method of an on-line verification system is described.

(61) Firstly, in step 600, an instantiation message is sent from the control device to the PUF device. If the PUF device is externally powered, this step also includes powering the PUF device.

(62) Secondly, in step 602, the PUF device sends an ID to the control device.

(63) Thirdly, in step 604, the control device receives the ID and forwards this ID via the SAC to the DB.

(64) Fourthly, in step 606, the database receives the ID and finds an unused C.sub.i/R.sub.i pair and sends this back to the control device. Alternatively, a new C.sub.i/R.sub.i pair is generated and sent back to the control device. Another alternative is that the DB sends the complete list of enrolled challenge-response pairs to the control device.

(65) Fifthly, in step 608, the control device receives the C.sub.i/R.sub.i pair and forwards the challenge C.sub.i to the PUF device.

(66) Sixthly, in step 610, the PUF device receives the C.sub.i. Thereafter, the PUF device creates S using the PUF pattern and stores this S in the volatile memory. If a coating PUF arrangement is used the S is created by measuring the local capacitance values of the coating.

(67) Seventhly, in step 612, the PUF device reconstructs a response R by using the previously mentioned cryptographic one-way hash-function, R=h(C.sub.i,S).

(68) Eighthly, in step 614, the PUF device sends the reconstructed response R to the control device.

(69) Ninthly, in step 616, the control device receives the reconstructed response R and checks whether this reconstructed response equals the response R.sub.i. If the responses are equal, the PUF pattern is considered unchanged, which implies that the item is authentic and the re-sale conditions are met.
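The following is an added example, not code from the patent, of the on-line flow of FIG. 7 (steps 602 to 616) with the enrolment database of paragraph (59). The one-way hash h(C.sub.i, S) is instantiated with SHA-256 over a length-prefixed challenge and the identifier, the secure authenticated channel between control device and database is assumed rather than modelled, and the PUF read-out is again a hypothetical `measure` callback. It also shows the two failure modes a verifier must handle: a changed pattern and exhaustion of unused challenge-response pairs.

```python
"""On-line PUF verification: DB 504 holds (C_i, R_i) pairs with R_i = h(C_i, S);
the PUF device reconstructs R = h(C_i, S) from its pattern; the control device
compares R with R_i and never reuses a pair."""
import hashlib
import hmac
import secrets


def h(challenge: bytes, s: bytes) -> bytes:
    """R = h(C, S): SHA-256 over length-prefixed challenge and PUF-derived key."""
    return hashlib.sha256(len(challenge).to_bytes(2, "big") + challenge + s).digest()


class EnrolmentDatabase:
    """DB 504: per item ID, a list of challenge-response pairs with a used flag."""

    def __init__(self):
        self._pairs = {}

    def enrol(self, item_id: str, s: bytes, count: int) -> None:
        # Enrolment reads S once and precomputes `count` pairs; S itself is not kept.
        pairs = []
        for _ in range(count):
            c = secrets.token_bytes(16)
            pairs.append({"c": c, "r": h(c, s), "used": False})
        self._pairs[item_id] = pairs

    def fetch_unused_pair(self, item_id: str):
        # Step 606: hand out an unused pair and retire it so it cannot be replayed.
        for pair in self._pairs.get(item_id, []):
            if not pair["used"]:
                pair["used"] = True
                return pair["c"], pair["r"]
        return None


class PufDevice:
    """PUF device 500. `measure` stands in for reading the PUF pattern (assumption)."""

    def __init__(self, item_id: str, measure):
        self.item_id = item_id
        self._measure = measure

    def respond(self, challenge: bytes) -> bytes:
        # Steps 610 to 614: derive S from the pattern, compute R = h(C_i, S), return it.
        s = self._measure()
        return h(challenge, s)


def verify(device: PufDevice, db: EnrolmentDatabase) -> str:
    """Control device 502: steps 602 to 616 for one verification attempt."""
    pair = db.fetch_unused_pair(device.item_id)      # steps 602-606 (ID -> DB -> pair)
    if pair is None:
        return "no unused challenge-response pair"
    c_i, r_i = pair
    r = device.respond(c_i)                          # steps 608-614
    # Step 616: constant-time comparison of the reconstructed and enrolled responses.
    return "authentic" if hmac.compare_digest(r, r_i) else "pattern changed"


def demo():
    """Intact device passes, damaged device fails, then the pairs run out."""
    s_enrolled = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed
    db = EnrolmentDatabase()
    db.enrol("item-0001", s_enrolled, count=2)
    intact = PufDevice("item-0001", lambda: s_enrolled)
    # A damaged pattern yields a different key; here every byte differs by one bit.
    damaged = PufDevice("item-0001", lambda: bytes(b ^ 0x01 for b in s_enrolled))
    return [verify(intact, db), verify(damaged, db), verify(intact, db)]


if __name__ == "__main__":
    print(demo())
```

The third attempt is rejected not because the pattern changed but because both enrolled pairs have been consumed, which is the operational consequence of step 606 handing out each pair once; the alternatives the text mentions (generating a fresh pair on demand, or shipping the whole list) trade that exhaustion against keeping S or the full list on the verifier side.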

(70) It will be appreciated that the number of challenge-response pairs could, in fact, be 1. In this case, one single physical property is measured (but the response is not necessarily secret) and the authenticity of the enrolment data is checked by the verifier. Unclonability guarantees that nobody can make a fake.

(71) Again, in the case of a completely passive, tamper-evident, environmentally fragile PUF, an on-line verification system could be used.

(72) In this case, a verification device measures an ID in respect of the PUF and forwards this ID via the SAC to the DB. Next, the database receives the ID and finds an unused C.sub.i/R.sub.i pair and sends this back to the verification device. Alternatively, a new C.sub.i/R.sub.i pair is generated and sent back to the verification device. Another alternative is that the DB sends the complete list of enrolled challenge-response pairs to the verification device.

(73) Next, the control device receives the C.sub.i/R.sub.i pair and applies the challenge C.sub.i to the PUF and creates S using the PUF pattern and stores this S in the volatile memory. If a coating PUF arrangement is used the S is created by measuring the local capacitance values of the coating.

(74) The verification device then reconstructs a response R by using the previously mentioned cryptographic one-way hash function, R=h(C.sub.i,S), and checks whether this reconstructed response equals the response R.sub.i. If the responses are equal, the PUF pattern is considered unchanged, which implies that the item is authentic and the re-sale conditions are met.

(75) It will be appreciated that the number of challenge-response pairs could, in fact, be 1. In this case, one single physical property is measured (but the response is not necessarily secret) and the authenticity of the enrolment data is checked by the verifier. Unclonability guarantees that nobody can make a fake.

(76) It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be capable of designing many alternative embodiments without departing from the scope of the invention as defined by the appended claims. In the claims, any reference signs placed in parentheses shall not be construed as limiting the claims. The words "comprising" and "comprises", and the like, do not exclude the presence of elements or steps other than those listed in any claim or the specification as a whole. The singular reference of an element does not exclude the plural reference of such elements and vice versa. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In a device claim enumerating several means, several of these means may be embodied by one and the same item of hardware. The mere fact that certain measures are recited in mutually different dependent claims does not indicate that a combination of these measures cannot be used to advantage.