2019 International Seminar on Intelligent Technology and Its Applications (ISITIA)

Authentication of Printed Document

Using Quick Response (QR) Code
Ahmad Tasyrif Arief
Department of Electrical Engineering,
Faculty of Electrical Technology
Institut Teknologi Sepuluh Nopember
Surabaya, East Java
tasyrif17071@mhs.its.ac.id
Yoyon Kusnendar Suprapto
Wirawan
Department of Computer Engineering,
Department of Electrical Engineering,
Faculty of Electrical Technology
Faculty of Electrical Technology
Institut Teknologi Sepuluh Nopember
Institut Teknologi Sepuluh Nopember
Surabaya, East Java
Surabaya, East Java
yoyonsuprapto@ee.its.ac.id
wirawan@ee.its.ac.id

Abstract—Implementation of information systems in the public
service has an impact on increasing the use of digital documents.
Digital documents replace function of printed documents because
they are legally recognised. In reality, printed documents are still
considered relevant because it is still considered necessary as
legitimate evidence; one example is the permit document. Permit
documents are essential because they are needed as
administrative requirements. The importance of permit
documents has resulted in many falsifications of these
documents. Therefore guaranteeing the authenticity of these
documents is needed. The use of Quick Response (QR) Code is
present as a guarantor of authenticity document because it is
considered capable of being an effortless way to validate the
authenticity of printed documents. Authentication of QR codes is
difficult to determine by using the human senses because they
cannot know the original and fake codes. This inability causes
QR Code to be vulnerable to counterfeiting. To guarantee
authenticity, a unique QR code that is easily validated is needed.
This study creates a unique QR Code by utilising AES and SHA-
256 that are difficult to produce by other people so that the
authenticity of information about document content can be
guaranteed and easily validated.
Keywords— authentication, printed document, validation, QR
code
I. INTRODUCTION
Today, the use and ease of technology change our
paradigm for storing data in digital form other than in printed
documents. In an era of fast internet connection and
increasingly sophisticated data storage technology, the
exchange of data or digital information has become
increasingly fast and easy. This convenience causes the use
of printed documents to be abandoned.
In Indonesia, it has implemented an electronic-based
government system. The application is also increasingly
widespread, starting from internal needs and then developing
towards public services. At present, the regions have
implemented information systems to improve the quality of
services to the public. One example is a one-stop integrated
service system. One-stop integrated services serve the people
regarding the issuance of permit documents. Permission
documents include Building Construction Permit, Business
Place Permit, Doctor's Practice License, Construction
Service Business License and Company Registration
Certificate and other permit documents. The need for printed
documents is still needed as valid evidence and is a condition
for completeness in administrative matters.
The need for permit documents is considered very
important, so fraud often occurs by parties who want to take
advantage of the use of these documents. Some parties try to
manipulate permit documents by changing the information
recorded in the document. This fraud can cause substantial
material and non-material losses for the country.
There is much vulnerability to forgery documents
because permit documents in the form of printed documents
are straightforward to duplicate and change. Therefore
special techniques are needed to guarantee the authenticity of
a printed document so that it is not easy to fake. To
overcome the threat of forgery and information changes in a
printed document, we can use the QR Code technique that
can show that the document content is authentic.
Many studies discuss related to the use of QR Code
related to securing printed documents. In the study conducted
[1] where they made a scheme for reading the QR Code with
the results of decoding so that the existing information is
challenging to know using an ordinary scanner. Another
case, [2] modified the QR Code using the code Two Level
Quick Response (2LQR) to overcome the lack of a standard
QR Code for coding capacity that is resistant to the printing
and scanning process. This QR Code consists of two, which
at the first level maintains the characteristics of a standard
QR code so that a regular QR code scanner can still identify
it; and the second level increases the capacity and
characteristics of QR codes by replacing black modules with
texture patterns. This texture can survive from degradation
due to the printing and scanning process.
Cryptographic applications are also widely used in
improvisation of the manufacture of QR Code such as [3]
which utilises Advance Enforcement Standard (AES)
encryption on digital legality systems and [4] uses a modified
SHA-1 algorithm in the manufacture of the QR Code. Print
document protection can use a combination of QR Code and
invisible digital signature [5]. Whereas in other techniques
by combining watermark and QR Code techniques [6] [7] by
inserting an image into the image QR Code.
The vulnerability of a QR Code is duplication; this is
because the human sense of sight cannot distinguish between
original and fake code. In general, scanning a QR Code
produces text that leads to the URL address of the database
to verify a document. This vulnerability can be used by other
parties to direct to another URL address by creating a fake
QR Code attached to the document so that it can easily
manipulate a document. To guarantee a QR Code from its
authenticity, quickly validation of a unique QR code is
needed.
This study consists of several parts, i.e: Part 2 explains
the theories with research. Part 3 describes the methods used

978-1-7281-3749-0/19/$31.00 ©2019 IEEE 228

in the research conducted. Part 4 describes the test results 1085, where 224 is the error correction codewords and 861
and experiments and Part 5 concludes research and future codewords are ignored). 224 password codes error correction
works for the development of this research. can fix 7% of the capacity symbol, e.g. 7% x 1085 or 76
code errors or replacement errors.
II. FUNDAMENTAL THEORY B. Advanced Encryption Standart (AES)
A. Quick Response Code (QR Code) The AES algorithm is an encryption algorithm with
symmetric keys and block cyphers. The Rijndael algorithm
QR Code is evolution of a barcode; First introduced by proposed by Vincent Rijment and Joan Daemen is the AES
the 1994 Denso Wave, The QR Code is a two-dimensional standardisation algorithm from the National Technology
matrix code [8]. This code can encode all data types for 1817 Standardization Institute (NIST) [3]. Because this algorithm
characters for Japanese Kanji and Cana data, 2953 bytes for uses symmetric keys, the key used to encrypt is the same as
binary data, 4296 characters for alphanumeric data, and 7089 decrypting the ciphertext. This algorithm uses fixed block
characters for numeric data. Structure of the QR Code is a sizes and key lengths of 128, 192, and 256 bits, so commonly
nominal square module array, all of which are arranged in a referred to as AES-128, AES-192, and AES-256. In general,
square pattern, where the black module represents the value the encryption process in AES is divided into two. Namely,
of 1 binary and the white module represents the value of 0 the encryption process itself (Encryption Process) and key
binary. The QR Code consists of two parts, i.e: 1. The coding generate (Key Expansion / Key Schedule) or round key). In
section; and 2. The function section. For the coding, section general, the AES algorithm operates as follows (outside the
consists of format information, version information, data process of making a round key):
password, error correction code (ECC). Whereas for the
function part consists of position detection patterns, quiet 1. Add Round Key. Plain Text in XOR with a
zones, time patterns, and alignment patterns. password lock.
2. Turn as many as NR-1 times. The process of each
The QR Code standard has 40 different versions when round is:
viewed from the structure of data storage density. The QR a. Sub Bytes: byte substitution using a
Code version is shown in Table 1. For the QR Code version substitution table (S-box).
for every 1 version increase, the module increases by 4 b. Rows Shift: Extend array state lines by
modules at each length and width. The first version consists wrapping.
of 21 × 21 modules while the giant version of the QR Code c. Mix Columns: Randomizing data in each
consists of 177 × 177 modules. With fault tolerance column array state.
capabilities, the QR Code can still be translated even if parts d. Add Round Key: performs XOR between
of the QR code are destroyed or damaged. There are four the current state and the round button.
fault tolerance levels in the QR Code, i.e: 3. Final Round. The process for the last stage:
1. Level L has ECC capability of 7%% a. Sub Bytes
2. Level M has ECC capability of 15% b. Shift Rows
3. Level Q has ECC capability of 25% c. Add Round Key
4. Level H has ECC capability of 30%
Where a codeword is a unit in a QR tag that is equal to C. Secure Hash Algorithm (SHA-256)
eight modules. [1]. In cryptology, SHA-256 is the most widely used
Table 1. Capacity of different versions of QR Code cryptographic hash function of existing SHA hash functions
Recovery Number of and is used in several widely used security applications and
Error Number of protocols [9]. The SHA-256 algorithm functions in 32-bit
Capacity Error
Versions Correction Data
Level
% Correction
Codewords
words, so that each 512-bit block M(i) from the stage padding
(approx) Codewords is considered as 16 blocks 32-bit denoted by Mt(i), 0 ≤ t ≤
L 7% 7 19 15. Expander messages (message scheduler) take each M(i)
M 15% 10 16 and expand it to 64 blocks 32-bit Wt, can be seen in the
1 equation (1), (2), (3):
Q 25% 13 13
σ0(x) = ROT7(x) ⊕ ROT18(x) ⊕ SHF3(x) (1)
H 30% 17 9
σ1(x) = ROT17(x) ⊕ ROT19(x) ⊕ SHF10(x) (2)
L 7% 224 861
(3)
M 15% 416 669
20
Q 25% 600 485 Where the ROTn (x) function shows the circular rotation of x
H 30% 700 385
from position n to the right, while the function SHFn (x)
shows a rightward shift of x from position n. All summations
L 7% 750 2956 of the SHA-256 algorithm are modulo 232.
M 15% 1372 2334
40 III. PROPOSED METHOD
Q 25% 2040 1666
H 30% 2430 1276
This study uses prototype models as a method of
developing an Android-based application to produce a QR
Code that can provide information about the contents of
Table 1 shows the recovery capacity and error correction printed documents and is not easy to fake and can be
capabilities of the QR code version. In the table showing the validated authenticity. The document authentication process
QR code in the 20-L version, the number of codewords is can be seen in Figure 1. This research has two stages; the

229
first stage is the authentication of documents in the form of
doc or pdf files as input documents, which are then affixed
with a QR Code. The second stage is the validation of the
authenticity of the document. The QR code attached to the
printed document is then scanned to get the results in the
form of text that matches the data entered in the first stage.
Document Athentication  (AES)
Authentication  Document with
Start Document Document Using
QR Code
Authentic  Scanning
Yes Validation
Document
End
Fake  No
Document
Validity Document Athentication
Figure 1. Process of document authentication
Explanation of the document authentication process and
document authentication validation can be seen as figure 2:
A. Document Authentication
Document Pdf
Input Document 
Start Attachment with QR Code
(doc/pdf)
Image
QR Code
Figure 2. Process of document authentication
Figure 2 shows the scheme of document authentication.
From the scheme above, the steps taken are straightforward.
First, upload the document to be affixed with the QR Code
with the file format in pdf or doc. Then the document is
affixed with an image QR Code produced from a QR Code
Generator. The results obtained are in the form of PDF files
that have added to the image QR Code.
Data input QR Code Generator is the result of encryption
from previously entered data. The data entered consists of six
data in the form of text consisting of valuable information
from the document. This data includes the name of the
document, the name of the agency that issued the document,
records in the form of important information contained in the
document, and validation passwords. The validation
password is a keyword, where the keyword is encrypted
using the AES algorithm and converted to hexadecimal form.
While other data is in the form of a time stamp and the
number of pages of the document entered.
After obtaining all the data, the data is changed in to form
script notation. This script stores all input data and then
encrypts it with a hash function using SHA-256. Then the
results are encoded to base64 form. The result of the
encryption that changed to becomes an array of bits. These
bits then transformed into a bitmap-shaped image QR Code.
This image is formed from black pixels with a value of 1 and
white pixels worth 0. The QR Code generator is made
flexible with several versions; this is to anticipate the number
of input characters that affect the number of pixels produced
for making a QR Code image. Encryption results also used to
create a unique text inserted into the QR Code image. This
unique text takes several characters from the results of the
encryption where we can arrange the sequencing process.
Scheme Production of Image QR Code can be seen in Figure
3.
Data Input :
Document Name, Owner  Hashing QR Code 
Name, Time Stamp, and
 page number of document.
(SHA 256) Generator
Image 
QR Code
Note
Encryption Unique Teks  
Key Validation 
(Hexadecimal)
 
QR Code
Figure 3. Scheme Production of Image QR Code
B. Validation of Document Authentication
In the second stage is the reverse of the first stage
QR Code Image
process. The scheme of the validation process from
document authentication can be illustrated in Figure 4.
 
Start
Decryption 
Check Digital  Verification  Get Signature 
Upload Document Yes using public 
Signature Hash Value Info
key
No
Digital 
Change to JSON 
End Authentic Yes Validation Signature 
Info
Form
Not  No
Authentic
Figure 4. Schema of validation of Document Authentication
 
End
The QR Code image on the printed document is scanned
using the scanner/camera. After the QR Code is detected, so
the results obtained are text. If it is not detected, the QR
Code is illegible or invalid. The results obtained cannot be
read directly because these results are the result of encryption
at the time of manufacture and are still in base64 format.
Therefore the results are then decrypted, and the hashing
value is checked. After the hash function is given, it gets a
script notation. From this script displayed information that
has been entered in making the QR code, and also gets the
same unique text in the QR Code image.
For validation, the information and unique texts that have
been obtained are matched with printed documents; if the
results obtained are different, it means that the QR Code is
considered invalid. Moreover, if the results obtained are the
same, then the QR Code can be said to be genuine. The next
validation is by entering a valid password. The validation
password is decrypted using the AES algorithm whose key
has been installed in the application. If the condition is
prosperous, the QR Code is declared to be genuine.
IV. RESULT AND EXPERIMENT
This study uses an Android version 4.2 based application
using java scripts for implementation. The scanning device
uses a camera from a mobile phone that has been installed on
the device. The device used is a mobile phone with a model
number SM-G953FD (Samsung S7 Edge) with an Android
8.0 version that has a 12-megapixel camera resolution.
The stages of this research consist of document
authentication and document validation. In the stage of
document authentication is a unique QR code production
process using encryption techniques with the AES algorithm
and the SHA-256 Hash function. Whereas at the stage of
document validation, the author detects the authenticity of
the QR Code by matching between information and unique
text as a result of scanning the image of the QR code and
printed documents.
230
A. Document Authentication Implementation
The implementation of the scheme in Figure 2 can be seen in
Figure 5.
Upload File Input Data Doc with QR Code
Figure 5. Results of document authentication implementation
The application display is made simple to determine
which file is attached to the QR Code image, by pressing the
"upload file" button and then selecting the file on the screen.
After that, storage of documents come into sight on the
screen. Then the selected document opens. In this study,
using a licensing document that is a Doctor's Practice
License (SIPD) as seen in Figure 6. This document is a
requirement that must be owned by a doctor in opening a
practice site. Information contained in this document
includes:
1. Name of the doctor;
2. Place of birth date;
3. Address of residence;
4. Registration Certificate Number (STR);
5. Period of validity of STR;
6. Number of Professional Organization
Recommendations (OP);
7. Location of Practice;
8. Specialisation Practices carried out; and
9. Period of validity of practice permits.
Figure 6. Permit Document
For the data that is input, there are four; the first data is
the name of the document in the form of a letter number, the
following data is the name of the agency that issued the
letter. The third data in the form of records that are
considered critical, the information includes the name of the
doctor, Registration Certificate number (STR), type of
practice, and validity period of practice permit. The data
entered combines into the form of a script notation with the
data arrangement as follows:
 Document Name: SIPD No.8/SIPD/01.03/DPMPTSP
/I/2019 (35 characters)
 Name of Agency: DPMPTSP Kota Palopo
(17 characters)
231
 Notes : dr. ABDUL SYUKUR KUDDUS, Sp.B
7311101214057474
Dokter Spesialis Bedah
10-7-2019 (79 characters)
 Code of Validation: 12345678 (8 characters)
 Barcode Placement on the Last Page Lower Right
Angle.
The validation password encrypted using the AES
algorithm encoded in hexadecimal format. The value
obtained from encoding is "BDB06C937F52942849CC2
84220A857F4". After the data is complete, all data is
combined, including the time stamp and the number of pages
of the document. The number of characters entered is 163
characters.
The combined data is entered into the JavaScript Object
Notation (JSON) format. The JSON value encrypted with
SHA-256 and saves with base64 format. The string length of
the encoding is 334 strings with string values, i.e.
“NtaRpfbAwIVqCmdIU8FkaFtE/wecb+6tiAVgGPDyBq4A3n
1/h8ADJ4BysUIar1+SV16idOSIcSeFCNUnbeVtc1kCWqaoB
VcLS4rWzzjOqertJjG1I6IO+/AqHV8mujOSjdG00NWKJKyV
iYgOMmiDbun/lyWNv4jm3ohiVG2hSTQoqOMfVDBDZN7g
5lcLsrIR2HOLjsTNcyaFEF+2wbRmg1KzfaUc/sHrUACLYu
0hXRrz4w11kZAVI1sTpaUjbOULsg2ELpq2hlWdxiEn/XH4w
4wf2PX/jJX9YrLrjBIsiYq/D0YYvfhKuouqhcsU6pnzVFKCOi
BzPMSD0GKypgnV0g==”. This value is converted into bits
which are then generated to form a QR code.
The unique text produced is "KYBAQOM". This text is
composed of 7 characters from the string above, with the
following character arrangements:
 Characters 1 and 2 are taken from the 10th and 9th
strings in the back;
 Characters 3 and 4 are taken from the 7th and 8th
strings in the front;
 Characters 5, 6 and 7 are taken from the 3 middle
strings.
This text and the QR code image is combined. Images
from QR codes have a depth of pixels per inch of 500 dpi,
the size of the image attached to the document is 150 x 150
pixels equivalent to the size of 1.65 x 165 inches. The results
of documents with image QR Code save in the form of pdf
files.
B. Implementation of Document Validation
The results of the document validation implementation
can be seen in Figure 7. Investigating the authenticity of
printed documents can be done by scanning directly on the
image from the QR Code or uploading the QR Code image
file. In this study scan directly with the smartphone camera
that has installed the application. If scanning uses a standard
application, for example, the barcode scanner app, the results
obtained are in the form of strings as seen in Figure 7.
The results obtained with general scanning only read
strings. The string length obtained is 334. The reading of the
QR code with the error correction level is level H (30%)

Figure 7. Result of scanned with general application
Whereas by using the application for validation, it
immediately read the data display by the input data, as shown
in Figure 8. To check the similarity of the data is done
manually by comparing the results obtained with the printed
document.
Image QR Code Scanning Result of Scanning
Figure 8. Results of validation implementation
For further validation, we can enter an existing password.
If correct, successful notifications appear on the screen with
"Success" notifications. If the password key entered is
incorrect, then the notification on the screen displays
"Failed".
C. Experiments
After the implementation of the authentication process
and implementation of validation, several experiments were
conducted; the first, a falsification trial was conducted of QR
Code on the document. By changing the QR Code but still
using the original unique text, the results obtained are shown
in figure 8.
Fake QR Code Results of Scanning
Figure 8. Scanning Results
From the results of scanning the QR Code that has been
changed, we can find differences in the unique text on the
QR Code so that it can be stated that the document and QR
Code is fake. To be more convincing, you can validate the
Password Key; if the key used is different, it is inevitable
that the document is not authentic. This method proves that
232
the QR Code using encryption techniques is robust against
counterfeiting.
The next experiment was measuring coding capacity
contained in QR code images with a varying number of text
entries. Measuring the QR Code capacity is done by making
four QR codes with different amounts of data input. The
results can be seen in table 2.
Table 2. Comparison of QR codes based on data input
From the table above we can see the number of
characters that affect the length of the string. The more
characters on a string cause the QR code image to be more
challenging to detect by the scanner. The scanner is difficult
to detect because the distance between pixels is getting tight.
The scanner can still detect QR Code with a string length
smaller than 334, while above this value the QR code is
challenging to detect and even undetectable.
V. CONCLUSION
Conclusions that can be drawn from this study include:
1. This security application utilises cryptographic
functions in the form of AES / CBC / 7 No padding
and SHA-256 hashing functions and uses a time
stamp for authentication of the data.
2. Methods Security of printed documents utilises
cryptographic, authentication, and integrity aspects.
3. The QR Code used is good enough in authenticating
a printed document but is limited to the information
provided.
 4. Because the QR Code is straightforward to produce,
the QR Generate methods and algorithms must not
be published, the authentication implementation
should be separate from the implementation of the
validation.
5. The symmetric key management process is still
manual so that further development needs to be
done.
REFERENCES
[1] H. Peng-Cheng, L. Yung-Hui, C. Chin-Chen, and L.
Yanjun, ‘Efficient Scheme for Secret Hiding in QR
Code by Improving Exploiting Modification Direction’,
KSII Trans. Internet Inf. Syst., vol. 12, no. 5, pp. 2348–
2365, May 2018.
[2] I. Tkachenko, W. Puech, O. Strauss, C. Destruel, and
J.- Gaudin, ‘Printed document authentication using
two-level or code’, in 2016 IEEE International
Conference on Acoustics, Speech and Signal
Processing (ICASSP), 2016, pp. 2149–2153.
[3] Okfalisa, N. Yanti, W. A. D. Surya, A. Akhyar, and A.
A. Frica, ‘Implementation of Advanced Encryption
Standard (AES) and QR Code Algorithm on Digital
Legalization System’, E3S Web Conf., vol. 73, p.
13009, 2018.
233
[4] H. Keni, M. Earle, and M. Min, ‘Product authentication
using hash chains and printed QR codes’, in 2017 14th
IEEE Annual Consumer Communications &
Networking Conference (CCNC), Las Vegas, NV,
USA, 2017, pp. 319–324.
[5] M. Warasart and P. Kuacharoen, ‘Paper-based
Document Authentication using Digital Signature and
QR Code’, Int. Conf. Comput. Eng. Technol. ICCET,
2012, vol. 4, p. 5, 2012.
[6] H. P. Nguyen, A. Delahaies, F. Restraint, D. H.
Nguyen, M. Pic, and F. Morain-Nicolier, ‘A
watermarking technique to secure printed QR codes
using a statistical test’, presented at the Global
Conference on Signal and Information Processing
(GlobalSIP), 2017, pp. 288–292.
[7] L. Li, R. Wang, and C. Chang, ‘A Digital Watermark
Algorithm for QR Code’, Int. J. Intell. Inf. Process.,
vol. 2, no. 2, pp. 29–36, Jun. 2011.
[8] Z. Gao, G. Zhai, and C. Hu, ‘The Invisible QR Code’,
presented at the MM ’15 Proceedings of the 23rd ACM
international conference on Multimedia, Brisbane,
Australia., 2015, pp. 1047–1050.
[9] F. Patil and Auricle Technologies Pvt. Ltd., ‘QR Code
Approach for Examination Process’, Int. J. Recent
Innov. Trends Comput. Commun., vol. 3, no. 2, pp.
633–636, 2015.