[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"doc-detail-83371-en":3,"doc-seo-83371-105":29,"detail-sidebar-cat-0-en-105":91},{"code":4,"msg":5,"data":6},0,"success",{"doc_id":7,"user_id":8,"nickname":9,"user_avatar":10,"doc_module":4,"category_id":11,"category_name":12,"doc_title":13,"doc_description":14,"doc_content":15,"file_id":16,"file_url":17,"file_type":18,"file_size":19,"view_count":20,"is_deleted":4,"is_public":20,"is_downloadable":20,"audit_status":20,"page_count":21,"language":22,"language_code":23,"site_id":24,"html_lang":23,"table_of_contents":25,"faqs":26,"seo_title":13,"seo_description":14,"update_tm":27,"read_time":28},83371,1099514068365,"Aurelia","https://ap-avatar.wpscdn.com/avatar/10000253d8d9f28188e?_k=1776742907772140068",6,"Technology","Secure QR Codes: Authenticity Verification via EdDSA Signatures and CBOR Certificates","QR codes are widely used yet lack built-in security, enabling spoofing and “quishing” attacks where malicious links or payloads are visually indistinguishable from legitimate codes. The work introduces secure QR code architectures based on EdDSA signatures (Ed25519), CBOR-encoded certificates, and ZLIB compression in a fully offline proof of concept that fits QR static capacity. To overcome offline scalability limits such as key revocation, a scalable Hybrid Web PKI design adds JWKS endpoints and a Central Trust Registry for dynamic real-time validation while maintaining backward compatibility with native cameras.","Secure QR Codes: Authenticity Verification via EdDSA Signatures and CBOR Certificates  \nWojciech Jonderko and Wojciech Wodo, Member, IEEE  \narXiv :2607 .08383v 1 [ cs .CR] 9 Jul 2026  \nAbstract—QR codes are a ubiquitous part of daily life, widely trusted by millions. However, their lack of inherent security features has given rise to critical attack vectors, such as spoofing (quishing) on public infrastructure like self-service parking machines. To address this, we present a comprehensive evolution of secure QR code architectures. First, we evaluate a fully offline proof-of-concept leveraging EdDSA signatures (instantiated on the Ed25519 curve), CBOR-encoded certificates, and ZLIB compression, demonstrating that robust cryptographic integrity can be achieved within the QR code’s strict static capacity. However, recognizing the scalability limitations of fully offline models—specifically the inability to perform immediate key revocation in massive smart-city IoT deployments—we subsequently propose a scalable Hybrid Web PKI architecture. This forward-looking model utilizes standardized JWKS endpoints, a Central Trust Registry, and URL fragments to ensure seamless backward compatibility with standard native cameras while providing dynamic, real-time validation for compliant applications. This dual-mode approach offers a practical, deployable path toward eliminating QR spoofing  \nIndex Terms—QR codes, security, digital signature, cryptography, spoofing, certificate, trust, EdDSA, Ed25519, CBOR  \nI. INTRODUCTION  \nThe widespread adoption of QR codes (Quick Response codes) has transcended their initial industrial purpose, embedding them deeply into the fabric of modern society. Today, they are ubiquitous in public spaces and digital environments alike. From restaurant menus and payment terminals to digital business cards, email signatures, and authentication promptson computer monitors, QR codes serve as critical bridges between the physical and digital worlds. Their integration into banking apps and government services (e.g. COVID-19 certificates) has fostered a habit of reflexive scanning among users, who often treat them as benign shortcuts to information.  \nHowever, this convenience creates a significant security vulnerability known as ”blind trust.” Unlike a URL explicitly written in text, which a user might inspect for typos or suspicious domains, a QR code is visually abstract. A legitimate payment code and a malicious phishing link look functionally identical to the human eye. Users possess no natural ability to decipher the matrix barcode or verify its content before scanning. This inability to visually verify the origin or integrity of the data exposes users to ”Quishing” (QR phishing) [1] and physical tampering attacks—such as criminals overlaying legitimate codes on parking meters with malicious stickers to divert payments [2] .  \nManuscript received March 30, 2026; revised XXX XX, 2026 .  \nW.Jonderko and W.Wodo are from Wroclaw University of Science and Technology, Wybrzeze Wyspianskiego 27, 50-370 Wroclaw, Poland, e-mail: [wojciech.jonderko@pwr.edu.pl](wojciech.jonderko@pwr.edu.pl); [wojciech.wodo@pwr.edu.pl](wojciech.wodo@pwr.edu.pl)  \nThe roots of this vulnerability are historical. Created in 1994 by Denso Wave, the QR standard was designed primarily for high-speed tracking of automotive parts in logistics. The priority was capacity and error tolerance, not security. Consequently, the standard lacks inherent cryptographic features; it includes no native mechanism for digital signatures, certificates, or issuer authentication. The data encoded is treated as trusted by default, leaving the validation burden entirely on the scanning application, which often simply executes the payload (e.g. opening a browser) .  \nExisting literature does not sufficiently address the challenge of verifying the QR code issuer. While many studies focus on data hiding (steganography), visual aesthetics, or using AI to detect malicious redir","cbCaipFAb5nmu5Pi","https://ap.wps.com/l/cbCaipFAb5nmu5Pi","pdf",704309,1,10,"English","en",105,"# Introduction\n## Motivation & Contribution","[{\"question\":\"What security problem do the authors target with secure QR codes?\",\"answer\":\"They target “blind trust” in QR codes, where legitimate and malicious QR payloads look identical to users, enabling spoofing and “quishing” attacks.\"},{\"question\":\"How does the offline approach verify authenticity?\",\"answer\":\"It uses EdDSA signatures instantiated on Ed25519, CBOR-encoded certificates, and ZLIB compression, demonstrating strong cryptographic integrity within the QR code’s static capacity constraints.\"},{\"question\":\"How does the hybrid online architecture address scalability and revocation?\",\"answer\":\"It adds a scalable Hybrid Web PKI using standardized JWKS endpoints, a Central Trust Registry, and URL fragments to support dynamic, real-time validation and enable key revocation in large smart-city IoT deployments while keeping backward compatibility with native camera scanning.\"}]",1784187054,25,{"code":4,"msg":30,"data":31},"ok",{"site_id":24,"language":23,"slug":32,"title":13,"keywords":33,"description":14,"schema_data":34,"social_meta":86,"head_meta":88,"extra_data":90,"updated_unix":27},"secure-qr-codes-authenticity-verification-via-eddsa-signatures-and-cbor-certificates","",{"@graph":35,"@context":85},[36,53,68],{"@type":37,"itemListElement":38},"BreadcrumbList",[39,43,47,50],{"item":40,"name":41,"@type":42,"position":20},"https://docshare.wps.com","Home","ListItem",{"item":44,"name":45,"@type":42,"position":46},"https://docshare.wps.com/document/","Document",2,{"item":48,"name":12,"@type":42,"position":49},"https://docshare.wps.com/document/technology/",3,{"item":51,"name":13,"@type":42,"position":52},"https://docshare.wps.com/document/secure-qr-codes-authenticity-verification-via-eddsa-signatures-and-cbor-certificates/83371/",4,{"url":51,"name":13,"@type":54,"author":55,"headline":13,"publisher":57,"fileFormat":60,"inLanguage":23,"description":14,"dateModified":61,"datePublished":62,"encodingFormat":60,"isAccessibleForFree":63,"interactionStatistic":64},"DigitalDocument",{"name":9,"@type":56},"Person",{"url":40,"name":58,"@type":59},"DocShare","Organization","application/pdf","2026-07-17","2026-07-16",true,{"@type":65,"interactionType":66,"userInteractionCount":20},"InteractionCounter",{"@type":67},"ViewAction",{"@type":69,"mainEntity":70},"FAQPage",[71,77,81],{"name":72,"@type":73,"acceptedAnswer":74},"What security problem do the authors target with secure QR codes?","Question",{"text":75,"@type":76},"They target “blind trust” in QR codes, where legitimate and malicious QR payloads look identical to users, enabling spoofing and “quishing” attacks.","Answer",{"name":78,"@type":73,"acceptedAnswer":79},"How does the offline approach verify authenticity?",{"text":80,"@type":76},"It uses EdDSA signatures instantiated on Ed25519, CBOR-encoded certificates, and ZLIB compression, demonstrating strong cryptographic integrity within the QR code’s static capacity constraints.",{"name":82,"@type":73,"acceptedAnswer":83},"How does the hybrid online architecture address scalability and revocation?",{"text":84,"@type":76},"It adds a scalable Hybrid Web PKI using standardized JWKS endpoints, a Central Trust Registry, and URL fragments to support dynamic, real-time validation and enable key revocation in large smart-city IoT deployments while keeping backward compatibility with native camera scanning.","https://schema.org",{"og:url":51,"og:type":87,"og:title":13,"og:site_name":58,"og:description":14},"article",{"robots":89,"canonical":51},"index,follow",{"doc_id":7,"site_id":24},{"code":4,"msg":5,"data":92},[93,97,101,105,110,113,118,123,128,131,134],{"id":20,"doc_module":4,"doc_module_name":45,"category_name":94,"show_sort_weight":95,"slug":96},"Story & Novel",90,"story-novel",{"id":46,"doc_module":4,"doc_module_name":45,"category_name":98,"show_sort_weight":99,"slug":100},"Literature",80,"literature",{"id":52,"doc_module":4,"doc_module_name":45,"category_name":102,"show_sort_weight":103,"slug":104},"Exam",70,"exam",{"id":106,"doc_module":4,"doc_module_name":45,"category_name":107,"show_sort_weight":108,"slug":109},5,"Comic",60,"comic",{"id":11,"doc_module":4,"doc_module_name":45,"category_name":12,"show_sort_weight":111,"slug":112},50,"technology",{"id":114,"doc_module":4,"doc_module_name":45,"category_name":115,"show_sort_weight":116,"slug":117},7,"Healthcare",40,"healthcare",{"id":119,"doc_module":4,"doc_module_name":45,"category_name":120,"show_sort_weight":121,"slug":122},8,"Research & Report",30,"research-report",{"id":124,"doc_module":4,"doc_module_name":45,"category_name":125,"show_sort_weight":126,"slug":127},9,"Religion & Spirituality",20,"religion-spirituality",{"id":126,"doc_module":4,"doc_module_name":45,"category_name":129,"show_sort_weight":126,"slug":130},"World Cup","world-cup",{"id":21,"doc_module":4,"doc_module_name":45,"category_name":132,"show_sort_weight":21,"slug":133},"Lifestyle","lifestyle",{"id":135,"doc_module":4,"doc_module_name":45,"category_name":136,"show_sort_weight":106,"slug":137},19,"General","general"]