This work exposes critical security vulnerabilities in practical deployments of paper-based Physical Unclonable Function (PUF) anti-counterfeiting authentication systems. Addressing the lack of systematic security modeling and susceptibility to cross-domain attacks in existing approaches, we propose the first end-to-end formal security model for paper PUFs. We identify and implement two novel attack paradigms: physical-layer denial-of-service attacks and digital-layer image forgery attacks, and establish a phased security analysis framework. Experimental evaluation demonstrates significant authentication bypass risks across mainstream paper PUF schemes. Our study not only uncovers a previously underexplored physical–digital co-attack vector but also provides a reusable, methodology-driven security assessment framework. The results lay both theoretical foundations and practical guidelines for designing robust, attack-resilient PUF systems.

Counterfeit products pose significant risks to public health and safety through infiltrating untrusted supply chains. Among numerous anti-counterfeiting techniques, leveraging inherent, unclonable microscopic irregularities of paper surfaces is an accurate and cost-effective solution. Prior work of this approach has focused on enabling ubiquitous acquisition of these physically unclonable features (PUFs). However, we will show that existing authentication methods relying on paper surface PUFs may be vulnerable to adversaries, resulting in a gap between technological feasibility and secure real-world deployment. This gap is investigated through formalizing an operational framework for paper-PUF-based authentication. Informed by this framework, we reveal system-level vulnerabilities across both physical and digital domains, designing physical denial-of-service and digital forgery attacks to disrupt proper authentication. The effectiveness of the designed attacks underscores the strong need for security countermeasures for reliable and resilient authentication based on paper PUFs. The proposed framework further facilitates a comprehensive, stage-by-stage security analysis, guiding the design of future counterfeit prevention systems. This analysis delves into potential attack strategies, offering a foundational understanding of how various system components, such as physical features and verification processes, might be exploited by adversaries.