Device and system for tamper-proof verification of digital media
The system addresses vulnerabilities in existing digital media authentication by using a physical device to generate imperceptible patterns and multi-anchor anchoring, ensuring tamper-proof verification and manipulation localization, enhancing security against AI forgeries and display capture attacks.
Patent Information
- Authority / Receiving Office
- DE · DE
- Patent Type
- Utility models
- Current Assignee / Owner
- ETTER DANIEL
- Filing Date
- 2026-04-12
- Publication Date
- 2026-07-02
Abstract
Description
Technical field The invention relates to a method, device, and system for the tamper-proof verification of digital media, in particular photographs and videos. A physical device or a permanently installed signaling system within a spatially defined area generates a cryptographically signed pattern and transmits it by means of a physical signal that is imperceptible or only partially perceptible to humans. A digital image capture device records the pattern during the recording process. The verification data is stored in a tamper-proof data storage device. The invention is suitable both for individual verification using a portable device and for the simultaneous verification of all recordings within a spatially defined area, such as an event venue. State of the art Known methods and their disadvantages 1. EXIF metadata and digital watermarks Traditional methods for authenticating digital media relied on EXIF metadata or digital watermarks. These are easily manipulated: EXIF data can be altered with freely available software, and digital watermarks can be removed or corrupted through image editing, compression, or format conversion. 2. Content Credentials / C2PA Standard The C2PA standard signs metadata directly in the camera or editing software. The signature is tied to the camera hardware and cannot be independently verified. There is no protection against manipulation of the content after signing, no mechanism for locating manipulations, and no protection against AI-generated media that mimics the signing process. 3. Blockchain-based media hashes Existing systems store cryptographic hashes of media on a blockchain. A single hash cannot distinguish between technical changes and content manipulation. It lacks a link to a physical recording time and location, and therefore cannot pinpoint the location of manipulation. 4. Hardware Attestation Systems that rely on the hardware attestation of the recording device itself depend on the security of the operating system and do not provide an independent piece of physical evidence. 5. Visible physical pattern generators Existing approaches using visible pattern generators have two main problems: aesthetic limitations in recording and vulnerability to display-capture attacks, where an attacker photographs the pattern and displays it on a screen. SUMMARY OF THE INVENTION The invention is based on the objective of providing a method, a device, and a system that: 1. Independently and tamper-proof verify the authenticity of digital media; 2. Distinguish between technical alterations and content manipulations; 3. Locate the area of manipulation; 4. Are physically protected against AI-generated forgeries and display capture attacks; 5. Do not require any aesthetic limitations during recording; 6. Function in any environmental condition; 7. Ensure long-term cryptographic evidentiary value; 8. Optionally verify the recording location in a tamper-proof manner; 9. Can be used both individually (portable device) and in spatially defined areas (permanently installed system); 10. Are compatible with commercially available digital capture devices. The invention comprises a system of four main components: 1. A physical device or a permanently installed signaling system that transmits a cryptographically signed pattern by means of a physical signal that is not perceptible to humans or only perceptible to a limited extent. 2. An application for media detection, pattern extraction, and integrity verification. 3. A backend system anchored in a tamper-proof data storage system. 4. A verification interface for third parties (application or browser extension). The system works on the principle of multi-anchor anchoring: Independent chains of evidence - the device anchor (or installation anchor) and the media anchor - are generated separately and linked in a tamper-proof data storage system. The invention relates to a method, a device, and a system for the tamper-proof verification of digital media. A physical device or a permanently installed signaling system generates cryptographically signed patterns and transmits them by means of a physical signal imperceptible to humans, preferably in the near-infrared range (700-1400 nm) or as ultrasound above the audible range. Digital capture devices record the pattern during recording. The physical property of commercially available screens and loudspeakers, that they are not reproducible outside the perceptible spectrum, practically eliminates display capture attacks. For capture devices with signal-blocking filters, the device optionally includes a visible display element as a fallback with automatic mode selection. A challenge-response protocol via short-range wireless communication ensures physical presence.Media integrity is verified using a multi-stage hashing strategy with complementary algorithms. A block hashing method enables the localization of manipulations as a visual heatmap. Independent device / installation anchors and media anchors are linked in a tamper-proof data storage system (multi-anchor principle). In a venue configuration, multiple synchronized signal transmitters are installed within a spatially defined area, allowing for the automatic verification of all digital media recorded there. The system supports video verification through temporal pattern sequences and optional geo-verification with selectable accuracy. 1. Physical device (equipment) The physical device comprises: (a) a cryptographic security element with a non-extractable private key and physical tamper protection. The key is generated during manufacturing and never leaves the security element. (b) a signal transmitter for emitting the pattern as a physical signal that is not perceptible to humans or only partially perceptible. In a preferred embodiment, the signal transmitter comprises an array of individually controllable LEDs that emit electromagnetic radiation outside the visible spectrum, preferably in the near-infrared range (700–1400 nm). Alternatively or additionally, the signal transmitter can generate acoustic signals above the range of human hearing (preferably above 18 kHz).**(c) Optional: Visible electronic display element (such as an E-Ink display, an OLED display, or an LED matrix) to display an alternative visible pattern as a fallback for detection devices that cannot detect the non-visible signal.**(d) Pattern generation processor: The pattern is generated from a timestamp, a unique device identifier, a random value, and optionally an externally transmitted challenge. The pattern is renewed periodically.**(e) Cryptographic signature: Each generated pattern is signed using a cryptographic signature scheme with the private key stored in the security element. A post-quantum signature algorithm is preferably used (such as Dilithium according to FIPS 204).**(f) Wireless communication interface for communication with the application, in particular for receiving challenge values and transmitting the pattern log.**(g) Optional: Positioning device** (such as a GPS receiver) for recording the geographic position. 2. Imperceptible signal as primary signal carrier A key feature of the invention is the transmission of the cryptographic pattern by means of a physical signal that is not perceptible or only partially perceptible to humans.**(a) Electromagnetic radiation outside the visible spectrum** In a preferred embodiment, the device emits infrared radiation in the range of 700-1400 nm. Alternatively, ultraviolet radiation in the range of 300-400 nm can be used. Modern CMOS image sensors in digital acquisition devices are partially sensitive in these wavelength ranges and can detect the signal.**(b) Acoustic signal above the audible range:** In an alternative complementary embodiment, the device generates an ultrasonic pattern above 18 kHz, which is recorded by the microphone of a digital acquisition device but is not perceptible to the human ear.**(b2) Magnet-based signal.**In another alternative embodiment, the device generates a time-varying magnetic pattern that is detected by the magnetometer (compass sensor) of a digital acquisition device but is imperceptible to humans. The magnetic field pattern is correlated with the timestamp of the recording.**(c) Pattern Encoding:** The pattern preferably combines several independent encoding dimensions: - Spatial encoding: spatial arrangement of the active signal generators - Temporal encoding: temporal sequence of pattern changes and phase shifts - Intensity encoding: graded signal strength through modulation**(d) Physical Defense Against Display Capture Attacks** Commercially available display technologies (LCD, OLED, LED displays) do not physically emit any significant radiation outside the visible spectrum. An attacker who photographs the pattern and displays it on a screen cannot physically reproduce the signal.Similarly, loudspeakers cannot reproduce ultrasound patterns with sufficient precision.**(e) Exploiting the rolling shutter effect:** High-frequency modulation of the optical signal (preferably 500-5000 Hz) in combination with the line-by-line readout method of modern CMOS sensors creates characteristic band patterns in the recorded image. The exact shape of these patterns depends on the device-specific readout rate and serves as an additional hardware-related identification feature.**(f) Automatic mode selection:** The application performs a compatibility test on first launch and automatically selects the strongest available mode: imperceptible signal (primary) - visible display element (fallback) - wireless short-range connection alone (ultra-fallback). 3. Installation in a defined area (venue) The invention also includes a permanently installed signaling system for verifying all recordings within a spatially defined area: (a) Principle: Instead of a single portable device, several signal transmitters are installed at fixed or variable positions within a spatially defined area. These signal transmitters synchronously emit a common, time-varying cryptographic pattern. Every recording made within an area during operation automatically captures the signal and can be verified as authentic without the recording person having to interact with the system. (b) Spatially defined areas include: Venues such as sports stadiums, concert halls, and conference centers; public buildings such as museums, parliaments, and government buildings; means of transport such as airplanes, trains, and buses; public squares and outdoor areas; as well as military and security-related facilities.**(c) Hardware:** A central pattern generator with cryptographic security; several (preferably at least two) high-power signal transmitters at strategic locations; a synchronization system (preferably GPS-disciplined oscillator, Precision Time Protocol, or wired sync signal) for simultaneous transmission; a data connection for anchoring the pattern sequence.**(d) Daylight Compatibility:** With optical signal transmitters, the pattern is embossed onto the signal using high-frequency modulation (preferably 500–5000 Hz). The application performs a frequency analysis during pattern extraction to distinguish the modulated pattern from the natural background.**(e) Redundancy:** Distributing the signal transmitters across multiple positions ensures that the pattern can be adequately captured even with partial obstruction. The application only requires a fraction of the total pattern.**(f) Compatibility:** Venue installation and portable device can be used in parallel, capturing both patterns simultaneously and enabling dual verification (venue authenticity + personal authenticity). 4. Challenge-response protocol **(a)** The application generates a cryptographically secure random value (challenge) and transmits it to the physical device via short-range wireless communication.**(b) The device calculates a response value as a function of the challenge, the stored key, and the current timestamp.**(c) The device encodes the response value into the physical signal and / or the visible display element.**(d)** The application verifies that the pattern detected in the medium matches the expected response pattern and that the device is within communication range. 5. Multi-stage integrity check **(a) Cryptographic Hash:** A cryptographic hash of the entire medium that changes completely with every modification (preferably SHA3-256).**(b) Perceptual Hashes:** At least two perceptual hash algorithms with complementary properties that tolerate technical changes but detect content manipulation.**(c) Graduated Verification:** A multi-level verification is derived from the combination of hashes (for example: Original, Verified, Tampered, Unknown). 6. Block hashing for manipulation localization **(a)** The medium is divided into a regular grid of at least four blocks.**(b)** An individual hash is calculated for each block.**(c)** The block hashes are aggregated into a Merkle tree. Only the root is stored in the tamper-proof data storage. The individual block hashes are stored on a decentralized storage system.**(d)** During verification, the individual block hashes are compared. Blocks with differing hashes are marked as manipulated and displayed as a visual heatmap. 7. Multi-anchor anchorage The invention links independent chains of evidence in a tamper-proof data storage system: (a) Device or installation anchor: The physical device or installation generates a signed pattern log, which is aggregated and anchored in a Merkle tree. (b) Media anchor: The application calculates the hashes and block hashes of the medium, extracts the pattern, and cryptographically signs everything. This data is anchored separately. (c) Optional geo-anchor: GPS coordinates are encoded in a variable-precision format and cryptographically signed and anchored. (d) Linking: The anchors reference the same pattern. Verification checks the match. 8. Video verification **(a)** During video recordings, keyframes are extracted at regular intervals.**(b)** Each keyframe contains a snapshot of the pattern, a set of hashes, and block hashes.**(c)** The temporal sequence of the patterns forms a sequence that serves as proof of temporal continuity.**(d)** The audio track is hashed separately and anchored to the keyframe hashes.**(e)** Manipulations (removing, inserting, or reordering frames) are detectable by breaks in the pattern sequence. 9. Optional Geo-verification **(a)** The user selects a level of accuracy (for example: no location data, country level, city level, exact position).**(b)** The coordinates are encoded in a variable-precision format.**(c)** If available, location data from two independent sources (physical device and acquisition device) are checked for consistency.**(d)** The geographic anchor is set and cryptographically signed at the time of acquisition. Subsequent changes are not possible. 10. Optical analysis and sensor function **(a)** Optical analysis of the signal area in the recorded medium to distinguish the actual signal source from a screen (moiré detection, subpixel analysis, reflection analysis, refresh detection).**(b)** Sensor fusion: depth sensor verification, parallax analysis, light consistency check. One aspect of the invention is a method for the tamper-proof verification of digital media, comprising the following steps: a) generating a cryptographic pattern by a physical device, wherein the pattern is derived from a timestamp, a device identification, and a random value, and signed using a cryptographic signature method with a non-extractable key stored in a security element; b) transmitting the pattern by the physical device by means of a physical signal that is not perceptible or only partially perceptible to humans; c) capturing the pattern by a digital capture device during the recording of a digital medium; d) recognizing and extracting the pattern from the recorded digital medium by an application; e) calculating at least one cryptographic hash and at least one perceptual hash of the digital medium;f) Anchoring the verification data in a tamper-proof data storage device; g) Verification of the digital medium by comparing the calculated hashes with the anchored values and checking the match between the extracted pattern and the generated pattern. One aspect of the invention is a method according to claim 1, characterized in that the anchoring is carried out as independent anchors, comprising at least: a) a device anchor based on the signed pattern log generated by the physical device; b) a media anchor based on the calculated hashes and the extracted pattern, wherein both anchors are generated independently of each other and linked in the tamper-proof data storage, such that an attacker would have to forge both anchors simultaneously. One aspect of the invention is a method according to claim 1, characterized in that the physical signal comprises electromagnetic radiation outside the spectrum visible to humans, preferably in the near-infrared range (700-1400 nm) or in the near-ultraviolet range (300-400 nm). One aspect of the invention is a method according to claim 3, characterized in that the radiation is generated by an arrangement of individually controllable emitters and the pattern is encoded in at least two of the following dimensions: a) spatial encoding by selecting individual active emitters in an arrangement; b) temporal encoding by temporal sequence of pattern changes and phase shift between individual emitters; c) intensity encoding by modulation with graded signal strengths per emitter. One aspect of the invention is a method according to claim 4, characterized in that the emitters are modulated with a frequency of preferably 500 to 5000 Hz, so that in combination with the line-by-line readout method of the image sensor characteristic band patterns are created in the recorded image, the exact shape of which depends on the device-specific readout rate and serves as an additional hardware-bound fingerprint for verification. One aspect of the invention is a method according to claim 1, characterized in that the physical signal comprises an acoustic signal above the human hearing range (preferably above 18 Hz), which is recorded by the microphone of the digital acquisition device and extracted and decoded by the application, wherein the limited playback quality of commercially available loudspeakers in the ultrasound range makes it difficult to reproduce the signal by playing back a recording. One aspect of the invention is a method according to claim 1, characterized in that the physical signal comprises a time-varying magnetic field pattern which is detected by the magnetometer of a digital acquisition device and correlated and decoded by the application with the timestamp of the recording. One aspect of the invention is a method according to claim 1, characterized in that the physical device, in addition to the imperceptible signal transmitter, comprises a visible electronic display element which displays an alternative pattern recognizable in the visible spectrum, wherein the application automatically selects the strongest available mode between the imperceptible signal and the visible pattern, and wherein the application performs a compatibility test on first start to determine the sensitivity of the detection device to the imperceptible signal. One aspect of the invention is a method according to claim 1, characterized in that, prior to recording, a challenge-response protocol is carried out between the application and the physical device via a wireless communication interface, wherein: a) the application generates a cryptographically secure random value and transmits it to the physical device; b) the physical device calculates the response value as a function of the random value, the stored key, and the current timestamp; c) the physical device encodes the response value into the physical signal and / or the visible display element; d) the application verifies that the pattern detected in the medium matches the expected response pattern and that the physical device is within communication range. One aspect of the invention is a method according to claim 1, characterized in that the calculation of the hashes comprises at least three complementary hash algorithms: a) at least one cryptographic hash for determining the bit-for-bit identity; b) at least two perceptual hash algorithms with complementary properties for detecting content changes while tolerating technical changes; wherein a graded verification is derived from the combination of the hash results. One aspect of the invention is a method according to claim 1, characterized in that the digital medium is divided into a regular grid of at least four blocks, an individual hash is calculated for each block, the block hashes are summarized in a Merkle tree, wherein only the root of the Merkle tree is anchored in the tamper-proof data storage, and during verification the individual block hashes are compared in order to locate the area of manipulation and to display it as a visual heatmap. One aspect of the invention is a method according to claim 1, characterized in that keyframes are extracted at regular intervals during video recordings, wherein each keyframe contains a snapshot of the pattern, the temporal sequence of the extracted patterns forms a pattern sequence which serves as proof of the temporal continuity of the video, and manipulations of the video become recognizable through breaks in the pattern sequence, and wherein the audio track of the video is hashed separately and anchored together with the keyframe hash. One aspect of the invention is a method according to claim 8, characterized in that the application in fallback mode performs an optical analysis of the signal area to distinguish whether the visible pattern is displayed on the actual display element or on a reproduced screen, wherein the analysis comprises at least one of the following methods: moiré pattern recognition, subpixel structure analysis, reflection analysis, refresh detection by means of multiple exposures, depth sensor verification, parallax analysis and / or light consistency testing. One aspect of the invention is a method according to claim 1, characterized in that optional location verification is performed, wherein: a) the user selects an accuracy level; b) the coordinates are encoded in a variable accuracy format; c) if available, the location data from two independent sources are checked for consistency; d) the geo-anchor is set and cryptographically signed at the time of recording, whereby subsequent modification is excluded. One aspect of the invention is a physical device for generating a tamper-proof verification signal for digital media, comprising: a) a cryptographic security element with a non-extractable private key and physical tamper protection; b) a processor for generating cryptographic patterns from a timestamp, device identification, random value, and optionally an externally transmitted challenge; c) at least one signal transmitter for emitting the pattern as a physical signal that is not perceptible to humans or only perceptible to a limited extent; d) optionally, a visible electronic display element; e) a wireless communication interface; f) an internal memory for logging generated patterns and associated signatures; g) a power supply One aspect of the invention is a physical device according to claim 15, characterized in that the signal generator comprises an arrangement of individually controllable emitters in the near-infrared range (700-1400 nm) which can be controlled independently in intensity and flashing state by pulse width modulation. One aspect of the invention is a physical device according to claim 15, characterized in that it additionally comprises a positioning unit whose location data are signed and logged together with the cryptographic pattern. One aspect of the invention is an installation for generating a tamper-proof verification signal in a spatially defined area, comprising: a) a central pattern generator with a cryptographic security element for generating time-varying cryptographic patterns; b) several, preferably at least two, signal transmitters arranged at fixed or variable positions within the spatially defined area and emitting a physical signal that is not perceptible or only partially perceptible to humans; c) a synchronization system for the simultaneous emission of the same pattern by all signal transmitters; d) a data connection for anchoring the generated pattern sequence in a tamper-proof data storage device; wherein each digital capture device within the spatially defined area automatically captures the pattern during a recording without requiring any interaction between the capturing person and the system. One aspect of the invention is an installation according to claim 18, characterized in that the signal transmitters comprise emitters in the near-infrared range and the pattern is imprinted on the signal by means of high-frequency modulation (preferably 500-5000 Hz) in order to enable differentiation from natural background light by means of frequency analysis. One aspect of the invention is a method using an installation according to claim 18, characterized in that at least one additional portable physical device according to one of claims 15 to 17 is used, wherein both patterns are simultaneously captured by the digital capture device and a double verification is performed: a) verification of the area authenticity by comparing the installation pattern; b) verification of the personal authenticity by comparing the device pattern. One aspect of the invention is a system for the tamper-proof verification of digital media, comprising: a) at least one physical device according to any one of claims 15 to 17 and / or an installation according to any one of claims 18 to 19; b) an application for extracting the pattern from recorded digital media, calculating hashes, and transmitting verification data to a backend system; c) a backend system for summarizing the verification data in Merkle trees and anchoring the roots in a tamper-proof data storage device; d) optionally, a verification interface for third parties that recognizes patterns embedded in digital media and performs the verification against the data storage device. One aspect of the invention is a method or installation according to a preceding claim, characterized in that the cryptographic signature method is a post-quantum signaling algorithm, preferably dilithium according to FIPS 204.
Claims
A system for the tamper-proof verification of digital media, comprising the following functions: a) generating a cryptographic pattern by a physical device, wherein the pattern is derived from a timestamp, a device identification, and a random value, and signed using a cryptographic signature procedure with a non-extractable key stored in a security element; b) transmitting the pattern by the physical device using a physical signal that is not perceptible or only partially perceptible to humans; c) capturing the pattern by a digital capture device during the recording of a digital medium; d) recognizing and extracting the pattern from the recorded digital medium by an application; e) calculating at least one cryptographic hash and at least one perceptual hash of the digital medium; f) anchoring the verification data in a tamper-proof data storage device;g) Verification of the digital medium by comparing the calculated hashes with the anchored values and checking the match of the extracted pattern with the generated pattern. System according to claim 1, characterized in that the anchoring is performed as independent anchors, comprising at least: a) a device anchor based on the signed pattern log generated by the physical device; b) a media anchor based on the calculated hashes and the extracted pattern, wherein both anchors are generated independently of each other and linked in the tamper-proof data storage, such that an attacker would have to forge both anchors simultaneously. System according to claim 1, characterized in that the physical signal comprises electromagnetic radiation outside the spectrum visible to humans, preferably in the near-infrared range (700-1400 nm) or in the near-ultraviolet range (300-400 nm). System according to claim 3, characterized in that the radiation is generated by an arrangement of individually controllable emitters and the pattern is encoded in at least two of the following dimensions: a) spatial encoding by selecting individual active emitters in an arrangement; b) temporal encoding by temporal sequence of pattern changes and phase shift between individual emitters; c) intensity encoding by modulation with graded signal strengths per emitter. System according to claim 4, characterized in that the emitters are modulated with a frequency of preferably 500 to 5000 Hz, so that in combination with the line-by-line readout method of the image sensor characteristic band patterns are created in the recorded image, the exact shape of which depends on the device-specific readout rate and serves as an additional hardware-bound fingerprint for verification. System according to claim 1, characterized in that the physical signal comprises an acoustic signal above the human hearing range (preferably above 18 Hz), which is recorded by the microphone of the digital acquisition device and extracted and decoded by the application, wherein the limited playback quality of commercially available loudspeakers in the ultrasound range makes it difficult to reproduce the signal by playing back a recording. System according to claim 1, characterized in that the physical signal comprises a time-varying magnetic field pattern which is detected by the magnetometer of a digital acquisition device and correlated and decoded by the application with the timestamp of the recording. System according to claim 1, characterized in that the physical device, in addition to the imperceptible signal transmitter, comprises a visible electronic display element which displays an alternative pattern recognizable in the visible spectrum, wherein the application automatically selects the strongest available mode between the imperceptible signal and the visible pattern, and wherein the application performs a compatibility test on first start to determine the sensitivity of the detection device to the imperceptible signal. System according to claim 1, characterized in that prior to recording, a challenge-response protocol is carried out between the application and the physical device via a wireless communication interface, wherein: a) the application generates a cryptographically secure random value and transmits it to the physical device; b) the physical device calculates the response value as a function of the random value, the stored key, and the current timestamp; c) the physical device encodes the response value into the physical signal and / or the visible display element; d) the application verifies that the pattern detected in the medium matches the expected response pattern and that the physical device is within communication range. System according to claim 1, characterized in that the calculation of the hashes comprises at least three complementary hash algorithms: a) at least one cryptographic hash for determining the bit-for-bit identity; b) at least two perceptual hash algorithms with complementary properties for detecting content changes while tolerating technical changes; wherein a graded verification is derived from the combination of the hash results.