Unlinkability of an Improved Key Agreement Protocol for EMV 2nd Gen Payments
Ross Horne, Sjouke Mauw, Semen Yurkov

TL;DR
This paper analyzes the privacy of a proposed EMV 2nd Gen key agreement protocol, demonstrating its vulnerability to active attacks and proposing an enhanced protocol that achieves strong unlinkability without sacrificing authentication.
Contribution
It identifies active attacker vulnerabilities in the EMVCo protocol and introduces an improved protocol that guarantees strong unlinkability under active attack scenarios.
Findings
An active attacker within a distance of 100cm can compromise unlinkability in the original protocol.
The proposed enhancement achieves strong unlinkability while maintaining authentication.
The enhanced protocol is proven to satisfy strong unlinkability, a definition that accounts for active attackers.
Abstract
To address known privacy problems with the EMV standard, EMVCo have proposed a Blinded Diffie-Hellman key establishment protocol, which is intended to be part of a future 2nd Gen EMV protocol. We point out that active attackers were not previously accounted for in the privacy requirements of this proposed protocol, and demonstrate that an active attacker can compromise unlinkability within a distance of 100cm. Here, we adopt a strong definition of unlinkability that does account for active attackers and propose an enhancement of the protocol proposed by EMVCo. We prove that our protocol does satisfy strong unlinkability, while preserving authentication.
Taxonomy
Topics: Advanced Authentication Protocols Security
