Search papers, labs, and topics across Lattice.
This paper addresses the security vulnerabilities of QR codes, particularly their susceptibility to spoofing in public infrastructure, by proposing a dual-mode architecture that combines EdDSA signatures and CBOR certificates for robust integrity verification. The authors first demonstrate a fully offline proof-of-concept that successfully embeds cryptographic signatures within the limited capacity of QR codes, ensuring secure authentication. They then introduce a scalable Hybrid Web PKI architecture that allows for real-time key revocation and validation, making it suitable for large-scale IoT deployments in smart cities.
QR codes can now be secured against spoofing attacks with a dual-mode architecture that balances offline integrity and real-time validation.
QR codes are a ubiquitous part of daily life, widely trusted by millions. However, their lack of inherent security features has given rise to critical attack vectors, such as spoofing (quishing) on public infrastructure like self-service parking machines. To address this, we present a comprehensive evolution of secure QR code architectures. First, we evaluate a fully offline proof-of-concept leveraging EdDSA signatures (instantiated on the Ed25519 curve), CBOR-encoded certificates, and ZLIB compression, demonstrating that robust cryptographic integrity can be achieved within the QR code's strict static capacity. However, recognizing the scalability limitations of fully offline models-specifically the inability to perform immediate key revocation in massive smart-city IoT deployments-we subsequently propose a scalable Hybrid Web PKI architecture. This forward-looking model utilizes standardized JWKS endpoints, a Central Trust Registry, and URL fragments to ensure seamless backward compatibility with standard native cameras while providing dynamic, real-time validation for compliant applications. This dual-mode approach offers a practical, deployable path toward eliminating QR spoofing.