Counterfeit protection often leans on the idea that physical materials have quirks no attacker can copy. A new study challenges that comfort by showing how systems built on paper surface fingerprints can be disrupted or bypassed.
The research comes from teams at the University of Maryland and North Carolina State University, and examines paper-based physically unclonable functions, or paper PUFs, which rely on microscopic surface variations in paper to authenticate products.
Paper PUFs have attracted attention because they use ordinary packaging and common imaging devices such as scanners and phone cameras. Prior work focused on accuracy and ease of deployment. This study asks a different question: what happens when an attacker actively targets the system?
Paper surfaces as identity checks
Paper looks smooth to the eye, but under magnification its surface shows tiny hills and valleys formed by tangled fibers. Those patterns differ from sheet to sheet and can act as a fingerprint.
Authentication systems capture several images of a small paper patch under different lighting angles. Software extracts a mathematical representation called a norm map, which describes surface orientation at each pixel. During verification, a newly captured norm map is compared to a stored reference. Very low error rates reported in earlier work helped drive interest in this approach.
The new study builds an operational framework that breaks the system into four stages: image capture, feature extraction, reference storage, and decision making. This lets the researchers test where things break under pressure.
Figure: Geometrically aligned images of paper patches after the following physical attacks: (a) scratching, (b) physical patching, (c) scribbling with 25% and 50% attack strengths, respectively, and (d) crumpling.
Simple damage can break authentication
One set of experiments focuses on physical denial of service attacks. These do not aim to pass counterfeits as genuine. The goal is to make authentication unreliable.
The researchers tested four forms of tampering that could happen in real supply chains. These include scratching the paper with a metal key, covering parts of the surface with stickers, scribbling with a ballpoint pen, and crumpling or folding the paper.
At modest attack levels, the effect was sharp. When about 25 percent of the surface was scratched or covered, the similarity score between a genuine item and its reference dropped from an average of about 0.46 to roughly 0.2. Scribbling was more damaging. At the same 25 percent coverage, the score fell to around 0.09, which overlaps with scores seen for unrelated paper.
Crumpling and folding were even more disruptive. Those actions interfered with image alignment, a critical early step. In these cases, correlation values dropped close to zero even after the paper was smoothed out.
The result is ambiguity. Damaged genuine items start to look like counterfeits to the system. In large deployments, that can pressure operators to disable checks or add exceptions, which weakens protection overall.
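The comparison step and the effect of covering part of a patch, as a simplified simulation added here; it is not code from the study. The Gaussian surface model, the patch size, the noise level (picked so an undamaged re-capture scores near the 0.46 average quoted above) and all function names are assumptions.

```python
import math
import random

N_PIXELS = 20000   # constructed patch size, not a value from the study
NOISE_STD = 1.93   # assumption: puts an undamaged re-capture near 0.46


def pearson(a, b):
    """Correlation coefficient, used here as the similarity score."""
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    var_a = sum((x - ma) ** 2 for x in a)
    var_b = sum((y - mb) ** 2 for y in b)
    return cov / math.sqrt(var_a * var_b)


def new_surface(rng, n=N_PIXELS):
    """One norm-map component per pixel for a fresh, unrelated surface."""
    return [rng.gauss(0.0, 1.0) for _ in range(n)]


def capture(surface, rng):
    """Re-image a surface: same microstructure plus independent capture noise."""
    return [s + rng.gauss(0.0, NOISE_STD) for s in surface]


def capture_damaged(surface, coverage, rng):
    """Capture after `coverage` of the patch is hidden by unrelated material."""
    hidden = int(len(surface) * coverage)
    damaged = new_surface(rng, hidden) + surface[hidden:]
    return capture(damaged, rng)


def score_table(seed=7):
    """Similarity to the stored reference for each constructed scenario."""
    rng = random.Random(seed)
    reference = new_surface(rng)
    scores = {f"genuine, {int(c * 100)}% covered":
              pearson(reference, capture_damaged(reference, c, rng))
              for c in (0.0, 0.25, 0.5)}
    scores["unrelated paper"] = pearson(reference, capture(new_surface(rng), rng))
    return scores


if __name__ == "__main__":
    for label, score in score_table().items():
        print(f"{label:24s} {score:+.3f}")
```

In this idealised, perfectly aligned model the score falls in proportion to the uncovered area; the drops reported above (about 0.46 to roughly 0.2 at 25 percent coverage) are steeper than that.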
Digital forgery without touching paper
The second half of the study addresses a more serious threat. Here the attacker wants a fake product to pass authentication.
Instead of copying paper microstructures, the attack targets software. The researchers assume the client side of the system, such as a mobile app, is observable and can be manipulated. The server only returns similarity scores.
Using those scores as feedback, the attacker runs optimization routines to generate synthetic norm maps that resemble the reference. This approach is known as hill climbing in biometric security.
A brute force attempt would be infeasible. The search space is enormous. The study shows that smarter methods change the equation. By compressing norm maps using techniques like principal component analysis, the attacker reduces tens of thousands of dimensions to a few dozen.
With that reduction, several optimization methods succeed quickly. In experiments, advanced optimizers reached the acceptance threshold in a few hundred iterations. One method authenticated counterfeit inputs successfully in 100% of trials. Another reached about 92% success.
This happens without access to the real paper patch. The system is convinced by digital artifacts alone.
Implications for real deployments
The study does not argue that paper PUFs are useless. It shows that accuracy under ideal conditions does not equal security under attack.
Physical damage is easy to inflict and hard to distinguish from normal handling. Digital forgery attacks exploit feedback channels that many systems expose by design. Both issues sit outside the narrow question of whether paper surfaces are unique.
