JPWO2020100704A1 - Camera system and how to drive the camera system - Google Patents

Abstract

The camera system (10) receives a swallowable capsule (20) equipped with a solid-state image sensor (21) as a camera (CMR) and video data captured by the capsule (20) and transmitted wirelessly. A device (30), the capsule (20) comprising a device ID circuit (24) for transmitting the device ID to the receiving device (30), the receiving device (30) at least receiving the device for presetting. A memory (32) for storing an ID is included. For example, the capsule (20) transmits the device ID to the receiving device (30) at least once when the camera (CMR) is powered before being swallowed. This provides at least one of device authentication implementation, data integrity and reliability protection, data encryption, and prevention of incorrect data exchange between the capsule and at least the receiver on the receiver side. It becomes possible.

Description

The present invention relates to a camera system for transmitting video data captured by a solid-state imaging device mounted on a swallowable capsule to a receiving system, and a method for driving the camera system.

CCD (Charge Coupled Device) image sensors and CMOS (Complementary Metal Oxide Semiconductor) image sensors are put into practical use as solid-state image sensors (image sensors) that use photoelectric conversion elements that detect light and generate electric charges.
CCD image sensors and CMOS image sensors are used as part of various electronic devices such as digital cameras, video cameras, surveillance cameras, medical endoscopes, personal computers (PCs), and mobile terminal devices (mobile devices) such as mobile phones. Widely applied.

As a camera system for a medical device equipped with such a solid-state image sensor, an in-vivo camera system that transmits video data captured by the solid-state image sensor mounted on a swallowable capsule to a receiving device has been proposed (for example, a patent). Reference 1).
In this in-vivo camera system, raw video data is wirelessly transmitted to a receiver and then image processed to minimize capsule size and power consumption.

Further, in this type of in-vivo camera system, a signal receiver can be provided on the capsule side (see, for example, Patent Document 2).
In this camera system, the capsule is configured to wirelessly receive a control signal from a receiving device (control device) so that the camera, the irradiation unit, and the like can be controlled.

USP 5,604,531 Japanese Unexamined Patent Publication No. 2013-66694

Okura, Nagura, Shirahata, Shiozaki, Kubota, Ishikawa, Takayanagi, Fujino, "Proposal of PUF (CIS-PUF) utilizing pixel variation of CMOS image sensor (1) -Basic concept and simulation study-", 2017 Cryptography Information Security Symposium (SCIS2017), 3C4-4, 2017. Nagura, Okura, Shirahata, Shiozaki, Kubota, Ishikawa, Takayanagi, Fujino, "Proposal of PUF (CIS-PUF) utilizing pixel variation of CMOS image sensor (2) -PUF performance evaluation by actual data-", 2017 cipher And Information Security Symposium (SCIS2017), 3C4-5, 2017. D. Lim, J. et al. W. Lee, B. Gassend, G.M. E. Shu, M.M. van Dijk, S.M. Devadas, “Extracting secret keys from integrated circuits”, IEEE Trans. on VLSI System, vol 13, no. 10, pp. 1200-1205, 2005. G. E. Shu, S.M. Devadas, "Physical Uncle Functions for Device Authentication and Secret Key Generation" DAC'07, pp. 9-14, 2007.

However, in the above-mentioned in-vivo camera system, the system is vulnerable to attacks such as interception and camouflage due to wireless transmission of raw data (raw data) by an image sensor (solid-state image sensor).
As a result, in the above-mentioned in-vivo camera system, there is a possibility that a security risk of personal information may occur.

In view of this situation, in the in-vivo camera system, device authentication implementation, data integrity and reliability protection, data encryption, incorrect data, at least between the capsule and the receiver on the receiver side. There is a high demand for the realization of a function that prevents the exchange of data.

In recent years, a technology called PUF (Physically Unclonable Function) has been attracting attention as an LSI security technology. PUF is a technology that extracts variations in semiconductors as physical features to obtain device-specific outputs.
Further, in a semiconductor device, the PUF is a circuit that extracts a minute performance deviation caused by a variation in the threshold value of a transistor generated at the time of manufacturing and outputs it as a unique ID.
Information falsification can be prevented by authenticating the device using the unique ID generated by the PUF or by assigning a message authentication code (MAC) to the acquired data to ensure authenticity.

In the above situation, the CMOS image sensor PUF (CIS) can be provided with a security function by extracting the pixel variation of the CIS and using it as individual-specific information without adding an extra circuit to the CMOS image sensor (CIS). CIS-PUF) has been proposed.

For example, Non-Patent Documents 1 and 2 describe a CMOS image sensor PUF (CIS-PUF) that generates a PUF unique ID from pixel variation information in a CMOS image sensor as a measure for sensor device authentication and prevention of falsification of image data. Has been proposed.

When generating a PUF response, these CIS-PUFs output a multi-bit digital value corresponding to the variation of pixel transistors, and obtain a 1/0 response from the magnitude relationship of the threshold voltage of adjacent transistors.
When the difference between the values of the pixel transistors to be compared in magnitude is large, it can be judged that the bit is stable because the magnitude relationship of the threshold voltage is not inverted even if the environmental conditions such as noise and temperature / voltage fluctuate. ..

It should be noted that, when a PUF response is generated, the property of being able to predict a bit that is likely to become an error bit in the response has been conventionally proposed as a typical PUF (see Non-Patent Documents 3 and 4).

By the way, as an application of PUF that utilizes the variation peculiar to each device for security, challenge and response authentication (Challenge & Response (CR authentication) or device authentication), data integrity authentication, and data encryption (encryption key (unique key) generation) ) Is used.

However, the signal processing for advanced information security of the CMOS image sensor (CIS) such as these authentications causes a decrease in the image data frame rate due to the processing time, and causes an increase in the device cost due to the processing circuit.

The present invention implements at least one of device authentication implementation, data integrity and reliability protection, data encryption, and prevention of erroneous data exchange between the capsule and at least the receiver on the receiver side. It is an object of the present invention to provide a camera system and a method of driving the camera system.

The present invention implements at least one of device authentication implementation, data integrity and reliability protection, data encryption, and prevention of erroneous data exchange between the capsule and at least the receiver on the receiver side. It is possible to drive a camera system and a camera system that can prevent a decrease in the image data frame rate due to the processing time of signal processing for information security and prevent an increase in device cost due to a processing circuit. To provide a method.

The camera system according to the first aspect of the present invention includes a swallowable capsule equipped with a solid-state imaging device as a camera, and a receiving device that receives video data captured by the capsule and transmitted wirelessly. The capsule includes a device ID circuit that transmits the device ID to the receiving device, and the receiving device includes at least a memory that stores the device ID received for the preset.

A second aspect of the present invention is to drive a camera system having a swallowable capsule equipped with a solid-state image sensor as a camera and a receiving device that receives video data captured by the capsule and transmitted wirelessly. In a method, the capsule transmits the device ID to the receiving device at least once in response to a predetermined trigger, and the receiving device stores the received device ID in a memory for presetting. Then, for example, when the receiving device performs authentication, the capsule transmits an authentication request to the capsule, and the capsule transmits the device ID generated by the device ID circuit in response to the authentication request by the receiving device. Then, the receiving device receives the device ID transmitted from the capsule in response to the authentication request, evaluates the received device ID and the device ID preset in the memory, and both IDs are the same. If so, the capsule is requested to transmit video data, and the capsule transmits the video data captured by the camera to the receiving device in response to the transmission request from the receiving device.

According to the present invention, at least one of the implementation of device authentication, protection of data integrity and reliability, data encryption, and prevention of incorrect data exchange between the capsule and at least the receiver on the receiver side. Can be realized.
Further, according to the present invention, it is possible to prevent a decrease in the image data frame rate due to the processing time of signal processing for information security, and it is possible to prevent an increase in device cost due to the processing circuit.

FIG. 1 is a block diagram showing a first configuration example of the in-vivo camera system according to the first embodiment of the present invention. FIG. 2 is a block diagram showing a second configuration example of the in-vivo camera system according to the first embodiment of the present invention. FIG. 3 is a diagram for explaining a preset tail of a device ID and a device authentication operation in the camera system according to the first embodiment. FIG. 4 is a diagram for explaining a device ID preset and data integrity and reliability protection operation in the camera system according to the first embodiment. FIG. 5 is a diagram for explaining a device ID preset and encryption operation in the camera system according to the first embodiment. FIG. 6 is a block diagram showing a configuration example of the solid-state image sensor according to the embodiment of the present invention. FIG. 7 is a diagram for explaining an outline of a challenge & response authentication (CR authentication) system. 8 (A) and 8 (B) are diagrams for explaining device authentication in the present embodiment. 9 (A) and 9 (B) are diagrams for explaining the data integrity authentication in the present embodiment. 10 (A) and 10 (B) are FIGS. 1 for explaining the data encryption process in the present embodiment. 11 (A) to 11 (C) are FIGS. 11 (A) to FIG. 11 (C) for explaining the data encryption process in the present embodiment. FIG. 12 is a circuit diagram showing an example of pixels according to the present embodiment. 13 (A) to 13 (C) are diagrams for explaining a configuration example of a read-out system for the column output of the pixel portion of the solid-state image sensor according to the embodiment of the present invention. FIG. 14 is a block diagram showing an overall outline of response data creation, which is an encryption processing system according to the present embodiment. 15 (A) to 15 (E) are diagrams showing operation waveforms of main parts in the normal operation mode and the response creation mode when the variation information of the threshold value of the source follower transistor is adopted as the variation information of the pixels. Is. FIG. 16 shows a pixel portion according to the present embodiment and a column read-out arranged for each column, including an information acquisition unit suitable for acquiring variation information forming a main part of the CMOS image sensor PUF (CIS-PUF). It is a figure which shows the outline of a circuit. FIG. 17 is a diagram showing a state of PUF response generation using the pixel variation of the CIS-PUF of FIG. FIG. 18 is a diagram showing the reproducibility and uniqueness of PUF performance obtained by the response generation method as shown in FIGS. 16 and 17. FIG. 19 is a diagram showing FPR and FNR obtained from uniqueness and reproducibility. FIG. 20 is a block diagram showing a configuration example of an in-vivo camera system according to a second embodiment of the present invention. FIG. 21 is a block diagram showing a configuration example of an in-vivo camera system according to a third embodiment of the present invention.

10, 10A, 10B, 10C ... In-vivo camera system, 20, 20A, 20B ... Capsule, 21,21A, 21B ... Solid imaging device, 22 ... Transmitter, 24 ... Device ID Circuit, 26 ... power receiver, CMR ... camera, 30 ... receiver, 31 ... receiver, 32 ... memory, 33 ... transmitter, 35 ... power transmitter , 220, 220A ... Pixel part, 230 ... Vertical scanning circuit, 240 ... Reading circuit, 244 ... Clip circuit, 250 ... Horizontal scanning circuit, 260 ... Timing control circuit, 270.・ ・ Signal processing circuit, 710 ・ ・ ・ Video I / F, 720 ・ ・ ・ Multi-bit unit, 280 ・ ・ ・ Response data generation unit (encryption processing system), 281 ・ ・ ・ Information acquisition unit, 282, 282A ... key generation unit, 283 ... image data generation unit, 284 ... identification data generation unit, 285 ... integration unit, 286 ... memory, 290 ... reading unit, 100 ... CR authentication system, 200 ... CIS-PUF chip, 300 ... Microcomputer (microcomputer).

Hereinafter, embodiments of the present invention will be described in association with the drawings.

(First Embodiment)
FIG. 1 is a block diagram showing a first configuration example of the in-vivo camera system according to the first embodiment of the present invention.
FIG. 2 is a block diagram showing a second configuration example of the in-vivo camera system according to the first embodiment of the present invention.

The in-vivo camera system 10 basically includes a swallowable capsule 20 and a receiving device 30 capable of wireless communication with the capsule 20.

In the camera system 10, raw data (raw) by an image sensor (solid-state image sensor) is used.
Due to the wireless transmission of data), the system is vulnerable to attacks such as interception and camouflage, which may pose a security risk for personal information.
Therefore, in the in-vivo camera system 10 of the present embodiment, device authentication is implemented, data integrity and reliability are protected, data encryption, and error are made between the capsule 20 and the receiver on the receiving device 30 side at least. It is configured to be able to achieve at least one of the prevention of data exchange.

The capsule 20 of FIG. 1 has a solid-state image sensor 21 and an optical system (lens system) 22 and a transmitter (TX) 23 that constitute the camera CMR.
The capsule 20A of FIG. 2 further has a receiver (RX) 25.

The solid-state image sensor 21 according to the present embodiment is formed by, for example, a CMOS image sensor.

The solid-state image sensor 21 is a CMOS image sensor having a function of a device ID circuit 24 that generates a PUF unique ID from pixel variations in the CMOS image sensor as a measure for device authentication of the capsules 20 and 20A and prevention of falsification of image data. It is formed as PUF (CIS-PUF).
When the CIS-PUF generates a PUF response (hereinafter, may be referred to as a PUF response), the solid-state imaging device 21 is unique in association with at least one of pixel variation information and readout unit variation information. It is configured to be able to generate response data including the key.

Further, as will be described in detail later, the solid-state image sensor 21 includes a signal processing circuit capable of information security signal processing including response data generation processing in a security mode different from the normal operation mode MDU that generates a normal image. Consists of.
The information security signal processing performed by this signal processing circuit is at least one of response data generation processing, device authentication, protection of data integrity and reliability (data integrity authentication), and data encryption.
The information security signal processing includes, for example, an authentication process in which the pixel address of the solid-state imaging device 21 is used as a challenge and the response data generated in a predetermined procedure is used as a response.

The optical system (lens or the like) 22 guides incident light to the pixel region of the CMOS image sensor (images a subject image).

The transmitter 23 wirelessly transmits the device ID generated by the device ID circuit 24, the video data captured by the camera CMR, and the like to the receiving device 30 (30A).

In response to a predetermined trigger, the capsule 20 (20A) transmits the device ID generated by the device ID circuit 24 to the receiving device 30 (30A) at least once. The method of generating the device ID will be described in detail later.
The device ID for the preset needs to be transmitted in advance before the capsule 20 is swallowed (swallowed).

For example, the capsule 20 (20A) transmits the device ID generated by the device ID circuit 24 to the receiving device 30 at least once when power is supplied to the camera CMR.

For example, the capsule 20 (20A) transmits the device ID generated by the device ID circuit 24 to the receiving device 30 at least once when the bluish light is exposed to the camera CMR.
This bluish light includes green light and cyan light.

For example, when the capsule 20 (20A) receives the preset request from the receiving device 30 (30A), the capsule 20 (20A) transmits the device ID generated by the device ID circuit 24 to the receiving device 30 at least once.

The device ID circuit 24 is formed by a fuse of the solid-state image sensor 21, a fuse of the transmission device, a PUF system circuit, or a PUF system circuit of the solid-state image sensor 21.

The receiving device 30 has a receiver 31 and a memory 32.
The receiver 30A of FIG. 2 further includes a transmitter 33.

The receiver 31 receives the device ID generated by the device ID circuit 24, the video data captured by the camera CMR, and the like, which are wirelessly transmitted from the transmitter 23 of the capsule 20.

The memory 32 is formed of, for example, a non-volatile memory, and under the control of the controller of the receiving device 30 (30A), the device ID for the preset received by the receiver 31 is stored.

In the camera systems 10 and 10A of the present embodiment, as described above, the device ID for the preset needs to be set in advance before the capsule 20 is swallowed (swallowed).
The receiving device 30 (30A) stores the device ID to be preset in the secure memory 32.

The transmitter 33 wirelessly transmits an authentication request to the capsule 20 (20A) under the control of the controller of the receiving device 30 (30A).

In the camera system 10, device authentication is implemented between the capsule 20 (20A) and the receiver 31 on the receiving device 30 (30A) side at least, data integrity and reliability protection, data encryption, and error. It works as follows to prevent the exchange of data.

(Device authentication)
FIG. 3 is a diagram for explaining a device ID preset and a device authentication operation in the camera system according to the first embodiment. Note that FIG. 3 corresponds to the second configuration example of FIG.

preset:
The receiving device 30A stores the device ID transmitted from the capsule 20A and received in the secure memory 32. As described above, the device ID needs to be set in advance before the capsule 20A is swallowed (swallowed) in the living body.

certification:
When the capsule 20A is in the living body, the receiving device 30A transmits an authentication request to the capsule 20A (ID request (Challenge): ST1 in FIG. 3).
The capsule 20A transmits the device ID generated by the device ID circuit 24 in response to the authentication request by the receiving device 30A (Response: ST2 in FIG. 3).
The receiving device 30A evaluates (compares) the received device ID and the device ID preset in the memory 32. If both IDs are the same, the receiving device 30A requests the capsule 20A to transmit video data (okay, ST3 in FIG. 3).
The capsule 20A transmits the video data captured by the camera CMR to the receiving device 30A in response to the transmission request from the receiving device 30A (video in FIG. 3, ST4).
If both the received device ID and the device ID preset in the memory 32 are not the same, the receiving device 30 outputs a warning signal without issuing a request to transmit video data to the capsule 20A.

As described above, challenge and response authentication are preferable for device authentication. Further, the capsule 20A needs to be equipped with a receiver (RX) or a power receiving device as shown in FIG.

(Protection of data integrity and reliability)
FIG. 4 is a diagram for explaining a device ID preset and data integrity and reliability protection operation in the camera system according to the first embodiment. Note that FIG. 4 corresponds to the first configuration example of FIG.

preset:
The receiving device 30 stores the device ID transmitted from the capsule 20 and received in the secure memory 32. As described above, the device ID needs to be set in advance before the capsule 20 is swallowed (swallowed) in the living body.

Data protection:
The capsule 20 includes a key generation circuit 26 that generates a key KY based on a device ID, and transmits video data VD and coded data by the key KY (ST11 in FIG. 4).
The receiving device 30 evaluates the video data and the key based on the device ID preset in the memory 32 to protect the integrity and reliability of the video data (ST12 in FIG. 4).
In this case, MAC (message authentication code) can be used.

(encryption)
FIG. 5 is a diagram for explaining a device ID preset and encryption operation in the camera system according to the first embodiment. Note that FIG. 5 corresponds to the first configuration example of FIG.

preset:
The receiving device 30 stores the device ID transmitted from the capsule 20 and received in the secure memory 32. As described above, the device ID needs to be set in advance before the capsule 20 is swallowed (swallowed) in the living body.

encryption:
The capsule 20 includes a key generation circuit 26 that generates a key KY based on a device ID, and transmits encrypted video data VD together with the key KY (ST21 in FIG. 5).
In order to protect the video data, the receiving device 30 decrypts the encrypted video data with a key based on the device ID preset in the memory 32 (ST22 in FIG. 5).
In this case, AES (Advanced Encryption Standard) can be used.

As mentioned above, implementation of device authentication, protection of data integrity and reliability, data encryption, prevention of erroneous data exchange between the capsule 20 (20A) and the receiver on the receiving device 30 (30A) side at least. The basic configurations and functions of the in-vivo camera systems 10 and 10A capable of realizing at least one of the above have been described.
The following implements at least one of device authentication implementation, data integrity and reliability protection, data encryption, and prevention of incorrect data exchange between the capsule and at least the receiver on the receiver side. Moreover, it is possible to prevent a decrease in the image data frame rate due to the processing time of signal processing for information security, it is possible to prevent an increase in device cost due to the processing circuit, and it requires complicated labor. Regarding the specific configuration of the solid-state imaging device 21, the authentication system, etc. formed as the CMOS image sensor PUF (CIS-PUF) that realizes a camera system that can increase the number of CR authentications while ensuring the authentication accuracy. explain.

(Structure example of solid-state image sensor 21)
FIG. 6 is a block diagram showing a configuration example of the solid-state image sensor according to the embodiment of the present invention.
In the present embodiment, the solid-state image sensor 21 is composed of, for example, a CMOS image sensor.

As shown in FIG. 6, the solid-state image sensor 21 includes a pixel unit 220 as an image pickup unit, a vertical scanning circuit (row scanning circuit) 230, a readout circuit (column (column) readout circuit) 240, and a horizontal scanning circuit (column scanning). Circuit) 250, a timing control circuit 260, and a signal processing circuit 270 are included as main components.
Among these components, for example, a vertical scanning circuit 230, a reading circuit 240, a horizontal scanning circuit 250, and a timing control circuit 260 constitute a pixel signal reading unit 290.

As described above, the solid-state image sensor 21 according to the present embodiment determines the unique ID of the PUF from the pixel variation in the CMOS image sensor as a measure for device authentication of the capsule 20 (20A), which is a sensor, and for preventing falsification of image data. It is formed as a CMOS image sensor PUF (CIS-PUF) to be generated.
When the CIS-PUF generates a PUF response (hereinafter, may be referred to as a PUF response), the solid-state imaging device 21 is unique in association with at least one of pixel variation information and readout unit variation information. It is configured to be able to generate response data including the key.

As will be described in detail later, the solid-state imaging device 21 according to the present embodiment has, as an example, a plurality of bits corresponding to the variation information of the pixel transistor when generating the variation information of the pixel or the reading unit 290 which is the PUF response. The digital value (LSB value) of is output, and 1/0 of the response data is acquired from the magnitude relation of the threshold voltage of the adjacent transistor.
When the difference between the digital values of the pixel transistors to be compared is large, the solid-state image sensor 21 does not reverse the magnitude relationship with the threshold voltage VTH even if the environmental conditions such as noise and temperature / voltage fluctuate. It can be judged that the bit is stable.

Further, in the present embodiment, the CMOS image sensor PUF (CIS-PUF) extracts at least one of the pixel variation of the CMOS image sensor and the variation information of the reading unit and applies it to the PUF.
Originally, most of the pixel variation is removed by the CDS circuit, but CIS-PUF has a normal imaging mode (normal operation mode) in which a Correlated Double Sampling (CDS) circuit is operated to take a picture, and a CDS circuit. It has a security mode (PUF mode or response creation mode MDR) for shooting without operating.

Then, in the solid-state image sensor 21 according to the present embodiment, the signal processing circuit 270 is configured to include the response data generation unit 280, and the response data generation processing is performed in a security mode different from the normal operation mode MDU that generates a normal image. Information security signal processing including is possible.
The signal processing circuit 270 of the present embodiment has a wireless video interface (I / F) 710 capable of performing communication related to authentication processing and the like with a microcomputer (hereinafter referred to as a microcomputer) on the receiving device 30 side. There is.
The signal processing circuit 270 performs information security signal processing so that it is possible to prevent a decrease in the image data frame rate due to the processing time of signal processing for information security and prevent an increase in device cost due to the processing circuit. , It is executed as signal processing during the blanking period of image signal processing or signal processing for each line.

In the present embodiment, the information security signal processing performed by the signal processing circuit 270 is at least one of response data generation processing, device authentication, data integrity authentication, and data encryption.
The information security signal processing includes an authentication process in which the pixel address is a challenge and the response data generated in a predetermined procedure is a response.

As will be described in detail later, the authentication accuracy to be ensured when performing authentication is the probability FPR (probability of recognizing a fake as genuine) as an index of authentication accuracy based on the uniqueness and reproducibility data of information security signal processing. False Positive Rate) and the probability of recognizing the real thing as a fake FNR (False Negative)
Rate) can be obtained and evaluated (determined, selected) by probability FPR and probability FNR.

Further, the CIS-PUF is a PUF in which the pixel address is used as a challenge and the 1/0 data generated in a predetermined procedure is used as a response.
Here, an outline of challenge and response authentication (Challenge & Response (CR authentication)) as an application of PUF that utilizes individual device-specific variations for security will be described.
After that, each process of device authentication, data integrity authentication, and data encryption, which is one of the features of the present embodiment, will be described.

(Overview of response authentication system)
FIG. 7 is a diagram for explaining an outline of a challenge & response authentication (CR authentication) system.

The CR authentication system 100 of FIG. 7 includes a CIS-PUF chip 200 on the capsule 20 (20A) side and a microcomputer 300 on the receiving device 30 (30A) side on which the solid-state image sensor 21 according to the present embodiment is mounted. ing.
The CIS-PUF chip 200 has a video interface (Video I / F) 210 as the video interface 710 of FIG. 6, and the microcomputer 300 has a control interface (Control I / F) 310.

The CR authentication system 100 using CIS-PUF has a pre-registration mode and an authentication mode, and it is necessary to register (preset) the information of the CIS-PUF chip 200 on the microcomputer 300 side before performing authentication.
In the pre-registration mode, IDs of all pixels are generated from the PUF mode side and stored in the memory 32, which is a safe area of the microcomputer 300.

In the CR authentication system 100 using the CIS-PUF, in the authentication mode, the microcomputer 300 on the authentication side first transmits a PUF mode command to the CIS-PUF chip 200 (step ST101).
In response to this, the CIS-PUF chip 200 takes a picture in the PUF mode and obtains a PUF mode image.
Next, the microcomputer 300 determines which pixel is used to generate the ID by the random number generator (RNG) 301 with a random number, and transmits the address designation to the CIS-PUF chip 200 as challenge information (step ST102). ..
The CIS-PUF chip 200 cuts out a PUF mode image according to the received address designation and generates 1/0 data. The CIS-PUF chip 200 transmits this ID to the microcomputer 300 as a response to the challenge (step ST103).
The microcomputer 300 cuts out the ID of the specified address from the 1/0 data registered in advance and compares it with the ID received from the CIS-PUF chip 200. If the IDs match, the authentication is successful (step ST104).

Based on the communication processing of the CR authentication system 100, device authentication, data integrity authentication, and device authentication, which are one of the features of the present embodiment in the signal processing circuit 270 and the microcomputer 300, which are a part of the CIS-PUF chip 200, and Each process of data encryption will be described more specifically.

(Device authentication)
8 (A) and 8 (B) are diagrams for explaining device authentication in the present embodiment.

In device authentication, the signal processing circuit 270, which is a part of the CIS-PUF chip 200, receives the challenge of the pixel address XY from the microcomputer 300 as the control device on the receiving device 30 side during pixel reading, and the CIS-PUF. Write the received address to the register inside the chip.
Next, in the security mode (PUF mode), the pixels are accessed according to the Y address received during the vertical blanking period PVB.
Pixel signals are processed during the vertical blanking period PVB to obtain device IDs with improved reproducibility and uniqueness.
Then, the device ID acquired during the vertical blanking period PVB or the next pixel reading period is transmitted to the microcomputer 300 as a response to the challenge.
The microcomputer 300 checks the device ID for authentication.
For streaming video data, authentication is performed for a period of one frame, one second, one minute, one hour, or one day.

(Data integrity authentication)
9 (A) and 9 (B) are diagrams for explaining the data integrity authentication in the present embodiment.

In the data integrity authentication, the signal processing circuit 270, which is a part of the CIS-PUF chip 200, sets the pixel address for acquiring the device ID.
The device ID is acquired from the variation information of the pixels addressed during the vertical blanking period PVB.
Then, the line pixel signal is read, and the message authentication code (MAC) function generates a data tag in which the device ID is the unique key and the line pixel signal is the message.
Next, during the horizontal blanking period PHB via video I / F210 or control I / F310 or during the vertical blanking period PVB via video I / F210 or control I / F310, the pixel address, line pixel signal, and The data tag is transferred to the microcomputer 300 side, which is the control device of the receiving device 30 that performs consistency authentication.
The microcomputer 300 on the receiving device 30 side executes MAC processing using the same key generated together with the pixel address and the pixel data for consistency verification.
The pixel address can be arbitrarily changed at any time.

(Data encryption)
10 (A) and 10 (B) are FIGS. 1 for explaining the data encryption process in the present embodiment.
11 (A) to 11 (C) are FIGS. 11 (A) to FIG. 11 (C) for explaining the data encryption process in the present embodiment.

In the data encryption process, the signal processing circuit 270, which is a part of the CIS-PUF chip 200, sets the pixel address for acquiring the device ID.
The device ID is acquired from the variation information of the pixels addressed during the vertical blanking period PVB.
The pixel signal of the first line (Line 1) is read from the pixel unit 220, and the pixel signal is stored in the internal line memory.
While reading the pixel signal of the second line (Line2) from the pixel unit 220, the pixel signal of the first line (Line1) is encrypted with the key which is the device ID.
While reading the pixel signal of the third line (Line 3) from the pixel unit 220, the encrypted pixel signal and pixel address of the first line (Line 1) are subjected to the decryption process as the ISP (Image Signal Processor) on the control device side. Transfer to the microcomputer 300 of.
The microcomputer 300 decrypts the encrypted pixel value of the first line (Line 1) with the same key.

Note that the encryption can be applied only to a part of the line pixels, and it is not necessary to apply the encryption to the entire pixel array of the pixel portion.
The background encryption process takes more time, but does not have to be done during the read period of one line.
Usually, a CMOS image sensor (CIS) is equipped with several lines of memory, and by reusing this line memory, line-by-line encryption also realizes a negligible small circuit cost.

As described above, in the present embodiment, information security signal processing such as device authentication, data integrity authentication, and data encryption is used as signal processing during the blanking period of image signal processing or signal processing for each line. Since it is executed, it is possible to prevent a decrease in the image data frame rate due to the processing time of signal processing for information security, and it is possible to prevent an increase in device cost due to the processing circuit.

The processing of the authentication system has been described above.
Hereinafter, an outline of the configuration and functions of each part of the solid-state image sensor 21, particularly the configuration and functions of the pixel unit 220, and the like will be described.
After that, regarding the characteristic configuration and function of the solid-state imaging device 21 of the present embodiment, a so-called encryption process is performed in which a unique key is generated and identification data including the unique key and image data are integrated to create response data. The explanation will focus on the response data creation process and the like.

(Basic configuration of pixels and pixel unit 220)
In the pixel unit 220, a plurality of pixels including a photodiode (photoelectric conversion element) and an intra-pixel amplifier are arranged in a two-dimensional matrix of n rows × m columns.

FIG. 12 is a circuit diagram showing an example of pixels according to the present embodiment.

This pixel PXL has, for example, a photodiode (PD) which is a photoelectric conversion element.
Then, the photodiode PD has one transfer transistor TG-Tr, one reset transistor RST-Tr, one source follower transistor SF-Tr, and one selection transistor SEL-Tr.

The photodiode PD generates and accumulates a signal charge (here, an electron) in an amount corresponding to the amount of incident light.
Hereinafter, the case where the signal charge is an electron and each transistor is an n-type transistor will be described, but the signal charge may be a hole or each transistor may be a p-type transistor.
Further, in the present embodiment, as illustrated later, when each transistor of the reset transistor RST-Tr, the source follower transistor SF-Tr, and the selection transistor SEL-Tr is shared among the plurality of photodiodes. Is also effective, and is also effective when a 3-transistor (3Tr) pixel that does not have a selection transistor is adopted.

The transfer transistor TG-Tr is connected between the photodiode PD and the floating diffusion FD (floating diffusion layer), and is controlled through the control signal TG.
In the transfer transistor TG-Tr, the control signal TG is selected during the high level (H) period and becomes conductive, and the electrons photoelectrically converted by the photodiode PD are transferred to the floating diffusion FD.

The reset transistor RST-Tr is connected between the power supply line VRst and the floating diffusion FD, and is controlled through the control signal RST.
The reset transistor RST-Tr may be connected between the power supply line VDD and the floating diffusion FD and may be configured to be controlled through the control signal RST.
The reset transistor RST-Tr resets the floating diffusion FD to the potential of the power supply line VRst (or VDD) when the control signal RST is selected during the H level period and becomes conductive.

The source follower transistor SF-Tr and the selection transistor SEL-Tr are connected in series between the power supply line VDD and the vertical signal line LSGN.
A floating diffusion FD is connected to the gate of the source follower transistor SF-Tr, and the selection transistor SEL-Tr is controlled through the control signal SEL.
The selection transistor SEL-Tr is selected during the period when the control signal SEL is H and becomes conductive. As a result, the source follower transistor SF-Tr outputs a column output analog signal VSL corresponding to the potential of the floating diffusion FD to the vertical signal line LSGN.
These operations are performed simultaneously and in parallel for each pixel of one row because, for example, the gates of the transfer transistor TG-Tr, the reset transistor RST-Tr, and the selection transistor SEL-Tr are connected in row units. It is said.

Since the pixels PXL are arranged in n rows × m columns in the pixel unit 220, there are n control lines for each control signal SEL, RST, and TG, and m vertical signal lines LSGN.
In FIG. 6, each control signal SEL, RST, and TG is represented as one row scanning control line.

The vertical scanning circuit 230 drives the pixels through the row scanning control lines in the shutter row and the readout row according to the control of the timing control circuit 260.
Further, the vertical scanning circuit 230 outputs a row selection signal of the row address of the read row for reading the signal and the row address of the shutter row for resetting the charge accumulated in the photodiode PD according to the address signal.

The readout circuit 240 includes a plurality of column signal processing circuits (not shown) arranged corresponding to the output of each column of the pixel unit 220, and is configured to enable column parallel processing by the plurality of column signal processing circuits. May be done.

The readout circuit 240 can be configured to include a Correlated Double Sampling (CDS) circuit, an ADC (analog digital converter; AD converter), an amplifier (AMP, amplifier), a sample hold (S / H) circuit, and the like. Is.

As described above, the readout circuit 240 may be configured to include an ADC 241 that converts each column output analog signal VSL of the pixel unit 220 into a digital signal, for example, as shown in FIG. 13 (A).
Alternatively, as shown in FIG. 13B, for example, the readout circuit 240 may include an amplifier (AMP) 242 that amplifies each column output analog signal VSL of the pixel unit 220.
Further, as shown in FIG. 13C, for example, the reading circuit 240 may include a sample hold (S / H) circuit 243 that samples and holds each column output analog signal VSL of the pixel unit 220.
Further, the readout circuit 240 may be arranged with an SRAM as a column memory for storing a signal obtained by performing a predetermined process on a pixel signal output from each column of the pixel unit 220.

The horizontal scanning circuit 250 scans signals processed by a plurality of row signal processing circuits such as the ADC of the readout circuit 240, transfers them in the horizontal direction, and outputs the signals to the signal processing circuit 270.

The timing control circuit 260 generates timing signals necessary for signal processing of the pixel unit 220, the vertical scanning circuit 230, the reading circuit 240, the horizontal scanning circuit 250, and the like.

In the normal read mode MDU, the signal processing circuit 270 generates two-dimensional image data by predetermined signal processing for the read signal read by the read circuit 240 and subjected to the predetermined processing.

As described above, in the solid-state image sensor (CMOS image sensor), the electrons generated by photoelectric conversion with a small amount of light are converted into a voltage with a small capacitance, and further output by using a source follower transistor SF-Tr with a small area. doing. Therefore, it is necessary to remove minute noise such as noise generated when resetting the capacitance and transistor element variation, and the difference between the reset level (VRST) and the brightness level (signal level: VSIG) for each pixel is output. ing.
As described above, the CMOS image sensor can remove the reset noise and the threshold variation by outputting the difference between the reset level and the brightness level for each pixel, and can detect the signal of several electrons. The operation of detecting this difference is called CDS (correlated double sampling), which is a widely used technique. CDS reading is sequentially performed for all pixels arranged in an array, and one frame's worth of data is read. Outputs normal 2D image data.

In the solid-state image sensor 21 of the present embodiment, the operation for generating the normal two-dimensional image data is configured to be operable in the normal operation mode MDU.

However, in the signal processing circuit 270 of the present embodiment, in order to prevent unauthorized use, falsification, falsification, etc. of the image, the variation information peculiar to the solid-state imaging device 21 (variation of pixels and readout circuit). The unique key is generated from the information), the unique key and the acquired data obtained from the solid-state imaging device 21 are combined to generate the identification data, and this identification data is integrated with the image data and output as the response data RPD. It is configured so that identification data cannot be created correctly if the information is not recognized.

In the solid-state image sensor 21 of the present embodiment, the operation related to the generation of the unique key is configured to be operable in the response creation mode MDR (PUF mode, security mode).

In the response creation mode MDR of the present embodiment, a pixel variation pattern (variation information) unique to each chip, which does not depend on the peripheral brightness, is output as a unique ID.
As described above, in the response creation mode MDR of the present embodiment, only the variation pattern for each pixel is output. Since the brightness level is not output, it is possible to output a pattern image that does not depend on the exposure conditions of the image sensor. Further, the output of each pixel contains FPN and thermal noise that randomly fluctuates for each frame, but since FPN in the response creation mode MDR is 10 times or more larger than the thermal noise, a stable fixed variation pattern is responded. It can be output as data RPD.

In the response creation mode MDR of the present embodiment, when the unique key is generated, the response data including the unique key is generated in association with at least one of the variation information of the pixel and the variation information of the reading unit.

The outline of the configuration and functions of each part of the solid-state image sensor 21, in particular, the basic configuration and functions of the pixel unit 220 and the like have been described above.
Hereinafter, with respect to the characteristic configuration and function of the solid-state imaging device 21 of the present embodiment, so-called encryption processing is performed in which a unique key is generated and identification data including the unique key and image data are integrated to create response data. The response data creation process is mainly described.

FIG. 14 is a block diagram showing an overall outline of response data creation, which is an encryption processing system according to the present embodiment.

The response data creation unit 280, which is the encryption processing system of FIG. 14, has the information acquisition unit 281, the key generation unit 282, the image data generation unit 283, the identification data generation unit 284, the integration unit 285, and the memory 286 as main components. Have as.
In the example of FIG. 14, the information acquisition unit 281 and the key generation unit 282 are configured as separate functional blocks, but the information acquisition unit 281 and the key generation unit 282 can also be configured as one functional block. ..

The information acquisition unit 281 acquires at least one of the variation information PFLC of the pixel PXL and the variation information CFLC of the constituent circuits of the read circuit 240, and supplies the acquired variation information to the key generation unit 282.

Here, as an example, the outline of the variation information PFLC of the pixel PXL will be described.

(Threshold of source follower transistor SF)
The information acquisition unit 281 can adopt the variation information of the threshold value VTH of the source follower transistor SF as the variation information of the pixels.

15 (A) to 15 (E) show the operation waveforms of the main parts in the normal operation mode and the response creation mode when the variation information of the threshold value VTH of the source follower transistor SF is adopted as the variation information of the pixels. It is a figure which shows.
FIG. 15 (A) shows a circuit diagram of a pixel PXL readout system, FIG. 15 (B) shows an operation waveform in the normal operation mode MDU, and FIG. 15 (C) shows an operation waveform in the response creation mode MDR. D) shows a key pattern image obtained by binarizing the variation information, and FIG. 15 (E) shows the relationship between the output signal, the number of pixels, and the threshold value VTH.
In the pixel PXL reading system of FIG. 15A, the CDS circuit 244 is connected to the vertical signal line LSGN via one terminal of the switch SW0. The other terminals of switch SW0 are connected to the supply line of the reference voltage Vref.

In the normal operation mode MDU, as shown in FIG. 15B, the difference signal is used as the output signal of the pixels to eliminate the variation in the threshold value of the source follower transistor SF included in each pixel PXL.

In the response creation mode MDR, as shown in FIG. 15C, the latter-stage circuit captures the reference voltage level (Vref) at time t1 and the latter-stage circuit captures the pixel reset voltage level at time t2.
By reading the difference between these signals, it is possible to extract the variation in the reset voltage of each pixel PXL.
In this example, this variation distribution is used as a key.
Since the above variation is about 100 mV, it may be amplified by an amplifier or the like.

The key generation unit 282 (FIG. 14) generates a unique key by using at least one of the pixel variation information acquired and supplied by the information acquisition unit 281 and the variation information of the reading circuit 240.
The key generation unit 282 supplies the generated unique key KY to the identification data generation unit 284.
The key generation unit 282 generates the unique key KY in a period other than the time when the effective pixels of the pixel unit 220 are read out (for example, a blanking period).

The image data generation unit 283 of FIG. 14 generates the image data IMG by a predetermined signal processing for the read signal read through the read circuit 240 in the normal read mode and subjected to the predetermined processing.
The image data generation unit 283 supplies the generated image data IMG to the integration unit 285.

The image data generation unit 283 supplies the acquired data AQD acquired from the solid-state image sensor 21 to the identification data generation unit 284.
Here, the acquired data AQD is all or a part of the image data.

The identification data generation unit 284 generates the identification data DSCD by combining the unique key KY generated by the key generation unit 282 and the acquired data AQD acquired by the solid-state image sensor 21.
The identification data generation unit 284 supplies the generated identification data DSCD to the integration unit 285.

As described above, the solid-state image sensor 21 according to the present embodiment is a CMOS image sensor PUF (PUF) that generates a unique ID of the PUF from pixel variations in the CMOS image sensor as a measure for device authentication of the sensor and prevention of falsification of image data. It is formed as CIS-PUF).
Next, when generating a PUF response (hereinafter, may be referred to as a PUF response), response data including a unique key is generated in association with at least one of pixel variation information and reading unit variation information. A suitable configuration example of the CIS-PUF that can be used will be described.
After that, regarding the characteristic configuration and function of the solid-state imaging device 21 of the present embodiment, a so-called encryption process is performed in which a unique key is generated and identification data including the unique key and image data are integrated to create response data. The explanation will focus on the response data creation process and the like.

FIG. 16 shows a pixel portion according to the present embodiment and a column read-out arranged for each column, including an information acquisition unit suitable for acquiring variation information forming a main part of the CMOS image sensor PUF (CIS-PUF). It is a figure which shows the outline of a circuit.

In order to improve the reproducibility of the variation signal and improve the uniqueness of the variation pattern, the pixel portion 220A and the column reading circuit 240 of FIG. 16 determine the magnitude (subtraction) between the two vertical pixels (upper and lower in the figure). Etc.), and it is configured so that binarization can be performed.

The pixel portion 220A of FIG. 16 has one floating diffusion FD, one source follower transistor SF-Tr as one source follower element, a reset transistor RST-Tr as one reset element, and a selection transistor SEL as one selection element. It has a pixel sharing structure in which −Tr is shared by a plurality of (2 in this example) photodiodes PD1 and PD2 and transfer transistors TG-Tr1 and TG-Tr2 as transfer elements.

That is, the pixel PXLA of the CMOS image sensor of FIG. 16 is driven by the photodiodes PD1 and PD2, the transfer transistors TG-Tr1 and TG-Tr2 driven by the control signals TG1 and TG2 which are transfer clocks, and the control signal RST which is a reset clock. It is composed of a reset transistor RST-Tr, a source follower (SF) transistor SF-Tr, and a selection transistor SEL-Tr driven by a control signal SEL which is a selection clock.
Here, the two photodiodes PD1 and PD2 share a reset transistor RST-Tr, a source follower (SF) transistor SF-Tr, and a selection transistor SEL-Tr.
This is a method widely used for fine pixels in recent years, and by sharing each transistor between PDs, the area of PDs is increased with respect to a predetermined elementary size, and the region capable of photoelectric conversion is expanded. This enhances the detection sensitivity to incident light.

In the pixel in which the selection transistor SEL-Tr is turned on, the power supply line VDD of the power supply voltage Vdd, the source follower (SF) transistor SF-Tr, and the current source Id are connected in series to form a source follower circuit.
By this source follower circuit, the voltage of the floating diffusion FD is input to the ADC 241 via the AMP 242 of the read circuit 240, digitally converted, and output to an interface circuit (not shown).
Further, the clip circuit 245 is arranged at the end of the pixel array, and the clip gate CG and the diode connection transistor M0 driven by the control signal CLIP which is the clip clock are arranged at the end of the pixel array to limit the pixel output voltage amplitude. It is used for stable operation.

(Outline of CIS-PUF in FIG. 16)
Here, the outline of the CIS-PUF of FIG. 16 will be described.
The CIS-PUF generates a PUF response (pixel variation information) unique to each device by utilizing the characteristic variation of each pixel of the CMOS image sensor. As described above, the characteristic variation includes fixed pattern noise (FPN: Fixed Pattern Noise) generated at a fixed position and random noise generated randomly regardless of the position of a pixel or the like.
In the normal operation mode MDU, the CMOS image sensor takes the difference between the reset potential (VRST) and the signal potential (VSIG) for each pixel in order to eliminate these characteristic variations. CDS (Correlated Double Sampling) It is carried out.

On the other hand, the CIS-PUF has a response creation mode (PUF mode) MDR which is a signal read mode in which the CDS is not operated in order to obtain variation information for the purpose of generating a PUF response. With this PUF mode, it is possible to obtain an output in which pixel variation is dominant.

The solid-state image sensor (CMOS image sensor) 21A as the CIS-PUF shown in FIG. 16 has an array structure having 1,920 × 1,080 pixels (Full HD).
This solid-state image sensor (CMOS image sensor) 21A shares the source follower transistor SF-Tr with two pixels adjacent to each other in the vertical direction (upper and lower in the figure), and the number of source follower transistors SF-Tr is 1,920 × 540. be.

In the PUF mode, the potential obtained from the clip circuit 245 existing in each row is used as a reference potential, and the variation in each pixel is extracted by taking the difference from the reset potential of each pixel.
In the PUF mode, the clip circuits 244 arranged for each row are first selected. At this time, the gate voltage of the diode-connected transistor M0 is VDD, and the voltage shifted from the power supply voltage by the offset voltage via the amplifier 242 is held in the ADC 241. Next, the target pixel is selected, and the reset transistor RST-Tr and the transfer transistor TG-Tr are turned on at the same time to discharge the electric charge accumulated in the photodiode PD. At this time, the potential of the floating diffusion FD, which is a minute capacitance, becomes VDD, and similarly, the voltage dropped by the offset voltage from the power supply voltage is held in the ADC 241.
By taking the difference between these voltages in the ADC 41, the offset variation between the source follower transistor SF-Tr of the pixel and the transistor CG of the clip circuit 244 is a fixed pattern noise with high reproducibility, and an ID is generated by using this. do.

(Generation of PUF response in CIS-PUF of FIG. 16)
Next, the outline of the generation of the PUF response in the CIS-PUF of FIG. 16 will be described.
FIG. 17 is a diagram showing a state of PUF response generation using the pixel variation of the CIS-PUF of FIG.

PUF response generation using the pixel variation of CIS-PUF compares the output values (LSB values) of two source follower transistors SF-Tr adjacent to each other in the vertical direction (upper and lower), and generates 1/0 data.
In the example of FIG. 17, the upper and lower output values are compared in magnitude, and when the upper output value is larger than the lower output value (upper> lower) "1", and when the upper output value is smaller than the lower output value. (Top <Bottom) Set to "0".

In this example, as described above, the source follower transistor SF-Tr is shared by the upper and lower two pixels. Therefore, first, by averaging the outputs adjacent to the top and bottom, one output value is taken for each source follower transistor SF-Tr, and a map of the output of 540 × 1,920 is obtained.
Furthermore, the outputs adjacent to the top and bottom are compared in magnitude to generate 1/0 data of 270 × 1,920.
As described above, the CIS-PUF is a PUF in which the pixel address is used as a challenge and the 1/0 data generated in the above procedure is used as a response.

(Evaluation of uniqueness and reproducibility)
Next, the evaluation results of uniqueness and reproducibility will be described.
FIG. 18 is a diagram showing the reproducibility and uniqueness of PUF performance obtained by the response generation method as shown in FIGS. 16 and 17.

Uniqueness and reproducibility were evaluated as the performance evaluation of CIS-PUF.
Uniqueness is an index showing how different the IDs of two chips are when compared. Uniqueness is obtained by creating 3,840 blocks of 128-bit long IDs from images obtained by averaging 100 images on each chip, calculating the HD (humming stance) between IDs generated by two different chips, and calculating the average value. You can get it.
When the ID length is L, the average of the unique HD distribution is L / 2, and the standard deviation is √L / 2.

Reproducibility is an index showing how stable the ID generated by a certain chip is, and 3,840 blocks of 128-bit long IDs are created from the averaged image of 100 images on each chip. Is obtained by calculating the HD of the reference ID and the ID created from each of the 100 images and calculating the average value.
When the output of PUF is used for authentication, it is required that the ID is output stably. Therefore, it is ideal that the reproducible HD is widely distributed near 0.

FIG. 18 shows the distribution of uniqueness and reproducibility when the five prepared chips are evaluated with the ID length set to 128 bits.
The unique HD has an average value of μ = 63.9 and a standard deviation of σ = 5.66, which are almost ideal values (μ = 64, σ = 5.66). The reproducibility of HD is an average value of μ = 1.49 and a standard deviation of σ = 1.21, indicating that the ID generated by CIS-PUF has high reproducibility.

(Certification evaluation by FPR and FNR)
Next, the results of certification evaluation by FPR and FNR will be described.

As described above, in CR authentication using PUF, authentication is performed by verifying whether the ID registered in advance on the microcomputer 300 side and the ID generated by PUF match.
However, as can be seen from the reproducibility evaluation results described above, the PUF does not output the exact same ID each time, and some bit inversion occurs. Therefore, it is necessary to tolerate some errors during authentication.

Here, in order to evaluate how much authentication accuracy can be achieved by CR authentication using CIS-PUF and how many bits should be set to allow errors, False Positive from uniqueness and reproducibility. Two indexes, Rate (FPR) and False Negative Rate (FNR), were derived and evaluated.
FPR represents the probability of recognizing a fake as genuine, and FNR represents the probability of recognizing a genuine fake. If the ID length used for authentication is L, the probability that the unique HD becomes M bits is Pu (M), and the probability that the reproducible HD becomes M bits is Ps (M), then the error tolerance bit (threshold value) FNR and FPR when is set to T can be derived by Eqs. (1) and (2).

FIG. 19 is a diagram showing FPR and FNR determined from uniqueness and reproducibility.
In FIG. 19, the horizontal axis represents the threshold value, and the vertical axis represents the FPR and FNR values at that time.

The authentication accuracy to be secured when performing authentication was determined with reference to the authentication accuracy of biometric authentication. The biometric authentication system currently in operation has an authentication accuracy of 0.1 ppm or less. The target of biometric authentication is human beings, and the total number is about 7.5 billion. On the other hand, the target of CR authentication using CIS-PUF is a sensor, and the total number is estimated to be about 1 trillion.
Therefore, considering the difference in the number of objects, both FPR and FNR were set to 0.001 ppm or less. For example, if the number of bits that allow errors is set between 9 and 29 bits, the error rate can be set to 0.001 ppm or less.

As described above, the camera systems 10 and 10A receive the swallowable capsules 20 and 20A equipped with the solid-state image sensor 21 as the camera CMR and the video data captured by the capsules 20 and 20A and transmitted wirelessly. Capsules 20, 20A include a device ID circuit 24 that transmits the device ID to the receivers 30, 30A, and the receivers 30, 30A are at least the devices received for the preset. The memory 32 for storing the ID is included. For example, the capsules 20, 20A transmit the device ID to the receivers 30, 30A at least once when the camera CMR is powered before being swallowed. Further, for example, when the capsule 20, 20A light is exposed to the camera CMR, the device ID generated by the device ID circuit 24 is transmitted to the receiving devices 30 and 30A at least once.
The receiving devices 30 and 30A store the device ID transmitted from the capsules 20 and 20A and received in the secure memory 32. As described above, the device ID needs to be set in advance before the capsules 20 and 20A are swallowed (swallowed) in the living body.

For example, when the capsule 20 is in the living body, the receiving device 30 transmits an authentication request to the capsule 20 (ID request (Challenge) in FIG. 3).
The capsule 20 transmits the device ID generated by the device ID circuit 24 in response to the authentication request by the receiving device 30 (Response F2 in FIG. 3).
The receiving device 30 evaluates (compares) the received device ID and the device ID preset in the memory 32. If both IDs are the same, the receiving device 30 requests that the video data be transmitted to the capsule 20.
The capsule 20 transmits the video data captured by the camera CMR to the receiving device 30 in response to the transmission request from the receiving device 30.

Further, the capsule 20 includes a key generation circuit 26 that generates a key KY based on the device ID, and transmits video data VD and coded data with the key KY.
The receiving device 30 evaluates the video data and the key based on the device ID preset in the memory 32 to protect the integrity and reliability of the video data.
Further, the capsule 20 includes a key generation circuit 26 that generates a key KY based on the device ID, and transmits the encrypted video data VD with the key KY.
In order to protect the video data, the receiving device 30 decrypts the encrypted video data with a key based on the device ID preset in the memory 32.

As described above, according to the first embodiment, in the in-vivo camera systems 10 and 10A, device authentication is implemented between the capsule 20 and the receiver on the receiver 30 side, and data integrity and reliability. It is possible to protect the data, encrypt data, and prevent erroneous data exchange.

Further, according to the first embodiment, a predetermined response data generation process, at least one of device authentication, data integrity authentication, and data encryption, with the pixel address as a challenge. Information security signal processing including authentication processing using the response data generated in the procedure as a response is executed as signal processing during the blanking period of image signal processing or signal processing for each line.
As a result, it is possible to prevent a decrease in the image data frame rate due to the processing time of signal processing for information security, and it is possible to prevent an increase in device cost due to the processing circuit.

As described above, according to the first embodiment, it is possible to prevent a decrease in the image data frame rate due to the processing time of signal processing for information security, and it is possible to prevent an increase in device cost due to the processing circuit. In addition, it is possible to increase the number of CR authentications while ensuring authentication accuracy without requiring complicated work, and it is possible to generate unique response data with high confidentiality, which in turn ensures image falsification and falsification. It is possible to prevent it.

Although the above-mentioned key generation unit 282 has described an example of generating a unique key based on the variation information of the pixel or the reading circuit 240, the key generation unit 282 performs an operation between the unique keys generated based on the variation information of the different variation information to perform the final unique. It can also be configured to get the key.
For example, it can be configured as follows.

That is, the key generation unit 282 has, for example, the first function of generating the first unique key by using the variation information of the ADC 241 of the read circuit 240, the amplifier (AMP) 242, or the S / H circuit 243, and the read circuit 240. A second function for generating a second unique key using the output of the SRAM of the column memory 245, a first unique key generated by the first function, and a second unique key generated by the second function. It can also be configured to generate the final unique key by computing.

This configuration can be similarly applied to pixel variation information.

The integration unit 285 may be configured to include a function of hierarchically masking the image portion using the integrated key information.
Further, the integration unit 285 may be configured to include a function of inserting a digital watermark into the image using the integrated key information.

In this embodiment, it is possible to adopt a configuration in which each component of the solid-state image sensor 21 is mounted in the same package.

Further, in a SoC (System on Chip) equipped with an image sensor and a signal processing circuit, signal processing for generating key and identification data is completed inside the chip, and identification is performed without outputting unique key data to the outside of the chip. A configuration that can generate data can be adopted.

Further, as described above, the solid-state image sensor 21 of the present embodiment can be configured to include a drive timing for accumulating a leak current or the like for a long time in addition to the normal read-out drive timing. Further, the full-scale voltage of the analog amplifier, the digital amplifier, or the ADC may be reduced to emphasize the accumulated voltage of the leak voltage for output. Further, the random noise component may be reduced by averaging or adding the data of a plurality of lines or a plurality of frames.

Further, regarding the variation information CFLC of the constituent circuits of the readout circuit 240, the information acquisition unit 281 can adopt the variation information of the ADC as the variation information CFLC of the constituent circuits of the readout circuit 240.
Further, the information acquisition unit 281 can adopt the variation information of the amplifier (AMP, amplifier) as the variation information CFLC of the constituent circuits of the read circuit 240.
Further, the information acquisition unit 281 can adopt the variation information of the S / H circuit as the variation information CFLC of the constituent circuits of the read circuit 240.
Further, the information acquisition unit 281 can adopt the output (variation) information of the SRAM of the column memory as the variation information CFLC of the constituent circuits of the read circuit 240.

(Second Embodiment)
FIG. 20 is a block diagram showing a configuration example of an in-vivo camera system according to a second embodiment of the present invention.

The in-vivo camera system 10B according to the second embodiment is different from the in-vivo camera systems 10 and 10A of the first embodiment as follows.
The in-vivo camera system 10B uses power line communication, and a power receiver 26 is provided on the capsule 20B, and a power transmitter 35 is provided on the receiving device 30B side.

When the capsule 20B receives a preset request from the power transmitter 35 on the receiving device 30B side using the power line communication, the capsule 20B transmits the device ID to the receiving device 30B at least once.

According to the second embodiment, the same effect as that of the first embodiment described above can be obtained.

(Third Embodiment)
FIG. 21 is a block diagram showing a configuration example of an in-vivo camera system according to a third embodiment of the present invention.

The in-vivo camera system 10C according to the third embodiment is different from the in-vivo camera systems 10, 10A and 10B of the first and second embodiments as follows.
In the camera system 10C of the third embodiment, the capsule data CPDT is embedded in the header HD of the video data VD so as to prevent erroneous data exchange.

Claims (24)

A swallowable capsule equipped with a solid-state image sensor as a camera,
It has a receiving device that receives video data captured by the capsule and transmitted wirelessly.
The capsule
Includes a device ID circuit that transmits the device ID to the receiver.
The receiving device is
A camera system that includes at least a memory that stores the device ID received for the preset. The capsule
The camera system according to claim 1, wherein when power is supplied to the camera, the device ID is transmitted to the receiving device at least once. The capsule
The camera system according to claim 1, wherein when the blue light is exposed to the camera, the device ID is transmitted to the receiving device at least once. The capsule
The camera system according to claim 1, wherein when a preset request is received from the receiving device, the device ID is transmitted to the receiving device at least once. The capsule
The camera system according to claim 1, wherein when a preset request is received from the power transmitter on the receiving device side using wireless power supply communication, the device ID is transmitted to the receiving device at least once. The capsule
In response to the authentication request by the receiving device, the device ID generated by the device ID circuit is transmitted.
The receiving device is
In response to the authentication request, the device ID transmitted from the capsule is received, the received device ID and the device ID preset in the memory are evaluated, and if both IDs are the same, the device ID is transmitted from the capsule. The camera system according to claim 1, wherein the camera system receives video data but outputs a warning signal if both IDs are not the same. The receiving device is
When performing authentication, an authentication request is sent to the capsule, a device ID transmitted from the capsule is received in response to the authentication request, and the received device ID and the device ID preset in the memory are received. If both IDs are the same, request that the video data be sent to the capsule.
The capsule
In response to the authentication request by the receiving device, the device ID generated by the device ID circuit is transmitted.
The camera system according to claim 1, wherein the video data captured by the camera in response to the transmission request from the receiving device is transmitted to the receiving device. The capsule
Equipped with a key generation circuit that generates a key based on the device ID
When data protection is performed, video data and coded data are transmitted to the receiving device with a key, and the data is protected.
The receiving device is
The camera system according to claim 1, wherein the received video data and the key are evaluated based on the device ID preset in the memory, and the integrity and reliability of the video data are protected. The capsule
Equipped with a key generation circuit that generates a key based on the device ID
The encrypted video data is transmitted to the receiving device with the key, and the encrypted video data is transmitted with the key.
The receiving device is
The camera system according to claim 1, wherein the received encrypted video data is decrypted with a key based on a device ID preset in the memory in order to protect the video data. The device ID circuit
The camera system according to claim 1, wherein the fuse of the solid-state imaging device, the fuse of the transmitting device, the PUF system circuit, or the PUF system circuit of the solid-state imaging device is formed. The PUF circuit of the solid-state image sensor that forms the device ID circuit is
A pixel portion in which a plurality of pixels having a photoelectric conversion function are arranged in a matrix, and
A reading unit that reads a pixel signal from the pixel unit, and a reading unit.
Response data is generated in a security mode different from the normal operation mode, which includes a response data generation unit that generates response data in association with at least one of the pixel variation information and the reading unit variation information. It has a signal processing circuit capable of processing information security signals including processing, and has.
The signal processing circuit
The camera system according to claim 10, wherein the information security signal processing is executed as signal processing during a blanking period of image signal processing or signal processing for each line. The information security signal processing
The camera system according to claim 11, which is at least one of device authentication, data integrity authentication, and data encryption. The information security signal processing
Includes authentication processing in which the pixel address is a challenge and the response data generated in a predetermined procedure is a response.
The signal processing circuit
In the device authentication,
Generates a pixel address challenge during pixel read,
In security mode, access the pixels according to the generated address during the vertical blanking period,
During the vertical blanking period, the pixel signal is processed to acquire the device ID,
The camera system according to claim 12, wherein the acquired device ID is transmitted as a response by using the generated address as a challenge during the vertical blanking period or the next pixel read-out period. The information security signal processing
Includes authentication processing in which the pixel address is a challenge and the response data generated in a predetermined procedure is a response.
The signal processing circuit
In the device authentication,
Receives a pixel address challenge from the controller during pixel readout and
In security mode, the pixels are accessed according to the received address during the vertical blanking period.
During the vertical blanking period, the pixel signal is processed to acquire the device ID,
The camera system according to claim 12, wherein the device ID acquired during the vertical blanking period or the next pixel reading period is transmitted as a response to the challenge. The signal processing circuit
In the data integrity authentication,
Set the pixel address to acquire the device ID,
The device ID is acquired from the variation information of the pixel specified by the address during the vertical blanking period, and the device ID is acquired.
The line pixel signal is read, and the message authentication code (MAC) function generates a data tag with the device ID as the unique key and the line pixel signal as the message.
12. The camera system according to claim 12, wherein the pixel address, line pixel signal, and data tag are transferred to the receiving device side for consistency authentication during the horizontal blanking period or the vertical blanking period. The signal processing circuit
In the data encryption,
Set the pixel address to acquire the device ID,
The device ID is acquired from the variation information of the pixel specified by the address during the vertical blanking period, and the device ID is acquired.
The pixel signal of the first line is read from the pixel portion, and the pixel signal is stored in the internal line memory.
While reading the pixel signal of the second row from the pixel portion, the pixel signal of the first row is encrypted with the key which is the device ID.
The camera system according to claim 12, wherein while reading the pixel signal of the third row from the pixel unit, the encrypted pixel signal and pixel address of the first row are transferred to the receiving device side for decryption processing. The pixel is
A photoelectric conversion element that accumulates the electric charge generated by photoelectric conversion during the storage period,
A transfer element capable of transferring the electric charge accumulated in the photoelectric conversion element during the transfer period, and
Floating diffusion in which the electric charge accumulated in the photoelectric conversion element is transferred through the transfer element, and
A source follower element that converts the charge of the floating diffusion into a voltage signal with a gain corresponding to the amount of charge, and
The camera system according to claim 12, further comprising a reset element that resets the floating diffusion to a predetermined potential. The pixel part is
The camera system according to claim 17, further comprising a pixel sharing structure in which one floating diffusion element, one source follower element, and one reset element are shared by a plurality of the photoelectric conversion elements and the transfer element. The camera system according to claim 18, wherein a clip circuit for limiting the pixel output voltage amplitude is arranged at the end of the pixel array. A swallowable capsule equipped with a solid-state image sensor as a camera,
A method of driving a camera system comprising a receiving device that receives video data captured by the capsule and transmitted wirelessly.
The capsule sends the device ID to the receiving device at least once in response to a predetermined trigger.
A method of driving a camera system in which the receiving device stores the received device ID in a memory for presetting. The capsule transmits an authentication request, a device ID generated by the device ID circuit, and subsequently video data captured by the camera to the receiving device.
The receiving device receives the authentication request and the device ID transmitted from the capsule, evaluates the device ID received in response to the authentication request, and the device ID preset in the memory, and both IDs are used. The method for driving a camera system according to claim 20, wherein if they are the same, the video data is received and processed. When the receiving device performs authentication, it sends an authentication request to the capsule and
The capsule transmits the device ID generated by the device ID circuit in response to the authentication request by the receiving device.
The receiving device receives the device ID transmitted from the capsule in response to the authentication request, evaluates the received device ID and the device ID preset in the memory, and both IDs are the same. For example, requesting the capsule to send video data,
The method for driving a camera system according to claim 20, wherein the capsule transmits video data captured by the camera in response to a transmission request from the receiving device to the receiving device. For data protection, the capsule key-transmits video and coded data to the receiver.
The method of driving a camera system according to claim 20, wherein the receiving device evaluates the received video data and the key based on the device ID preset in the memory to protect the integrity and reliability of the video data. The capsule key-transmits encrypted video data to the receiver.
The method for driving a camera system according to claim 20, wherein the receiving device decrypts the received encrypted video data with a key based on a device ID preset in the memory in order to protect the video data.

Images