1 Introduction

As an international specification for debit and credit card payments [1, 7, 25], the EMV system has been widely deployed in more than 1.6 million credit cards [24]. The current EMV system is based on RSA public key cryptography, and symmetric-key cryptography (such as DES and AES) [912]. The system is recognized as of great significance in providing secure transaction and reducing card payment fraud [26].

Due to the practical significance of EMV system, many researchers have made efforts to investigate its security [1, 58, 25, 26, 28]. Most of the works focused on the RSA-based EMV system, while the EMV consortium are planning to upgraded the existing RSA-based EMV system to ECC-based system. In November 2012, the EMV consortium released a Request-For-Comments [13] on a draft specification for the ECC-based EMV channel establishment protocol, which is used for establishing a common secret seed and a channel to protect all subsequent messages between a Card and a Terminal.

According to the EMV consortium, the protocols are designed to (i) provide authentication of the Card (the authenticated parties) by the Terminal (the unauthenticated parties), (ii) detect modifications to the communications, (iii) and protect against eavesdropping and card tracking [13].

As far as we know, there is only one work [3] by Brzuska et al. which analyzes the security of the protocol. They suggested minor changes to the protocol by choosing the ephemeral secret key of the Card entity from a larger space, and establishing two keys instead of one key for the authenticated encryption scheme. They proved the modified protocol (we will call it ECC-based EMV protocol in our paper) is secure in a carefully designed channel establishment security model. However, in their model, adversaries are not allowed to get the participants’ ephemeral secret keys.

1.1 Security Model

Bellare and Rogaway [2] proposed the first formal security model for key establishment protocols, known as the BR model. The BR model captures basic security requirements for authenticated key establishment protocols such as known key security and impersonation resilience. Canetti and Krawczyk [4] consider the leakage of the parties’ static secret keys and sessions’ state (i.e., CK model). Whereas, both above two models fail to capture several advanced attacks such as key compromise impersonation (given a static secret key, an adversary tries to impersonate some honest party in order to fool the owner of the leaked secret key), the breaking of weak perfect forward secrecy (given the static secret keys of participants of the protocol, the adversary tries to recover a previous session key) and maximal exposure attacks (an adversary tries to distinguish the session key from a random value under the disclosure of any pair of secret static keys and ephemeral secret keys of the participants in the session except for both the secret keys of a single participant) [15, 20]. In order to capture the advanced attacks mentioned above, LaMacchia et al. [22] proposed a well known security model, (i.e., eCK model [14, 17, 27, 29]) which allows the adversary to obtain the ephemeral secret keys.

However, the above security models seem not fit for the practical requirement in real word protocols such as the TLS protocol [3, 18]. Therefore, researchers started to focus on the study of more accurate portrayal of the widely used channel establishment protocols. In 2012, Jager et al. [18] defined the security model for authenticated and confidential channel establishment (ACCE) protocol in which they proved the TLS-DHE is secure under the assumption that the TLS record layer is a stateful length hiding authenticated encryption (sLHAE) scheme.

Later, Krawczyk et al. [21] and Kohlar et al. [19] proved the security of TLS-RSA, TLS-DHE and TLS-DH in the ACCE model respectively. Giesen et al. [16] extended the ACCE model to give the formal treatment of renegotiation in secure channel establishment protocols and analyzed the security of TLS renegotiation in the extended model. Li et al. [23] introduced the definition of ACCE security for authentication protocols with pre-shared keys and proved the security of the Pre-Shared Key Ciphersuites of TLS in the model. Following the similar idea, Brzuska et al. [3] analyzed the ECC-based EMV protocol in a channel establishment security model, which captures one-way authentication key agreement followed by composition with a secure channel and unlinkability property. Nevertheless, the model doesn’t describe the situations for the leakage of the ephemeral secret keys and leakage of static secret keys for the parties involved in the target session, which seems not meet the practical requirement [14, 20, 22].

1.2 Our Contribution

In this paper, we propose a strong security model for one-way authentication channel establishment protocols and point that the ECC-based EMV protocol is not secure in our security model. Concretely, if the adversary can get ephemeral keys and session keys of the sessions, he can impersonate a valid Card entity to Terminals. We make slight modification almost without addition of computation cost to the protocol and show that the modified protocol is secure in our security model.

In our security model, we strengthen the adversaries’ ability by allowing them to obtain the ephemeral keys of the sessions through EphemeralKeyReveal queries. In particular, we allow the adversary to obtain either the static or the ephemeral secret keys of the authenticated party involved in the target session, but not both the static and ephemeral secrets of that party. This enables us to capture the forward security property in one-way authentication setting which means that the compromise of the authenticated party’s static secret key can not help the adversary to recover the party’s previously established session keys. We note that this property is not captured in the previous one-way authentication channel establishment security models [3, 21].

The security proof is given in the random oracle model under standard cryptographic assumptions, i.e., Gap Diffie-Hellman assumptions, the existence of EUF-CMA digital signatures, and the existence of IND-sfCCA secure and INT-sfPTXT secure authenticated encryption schemes (see Sect. 2).

2 Preliminaries and Definitions

We denote \(\mathbb {G} = E(\mathbb {F}_p)\) to be a Diffie-Hellman group defined over an elliptic curve of prime order q, which uses a base point \(P \in \mathbb {G}\). The prime q is a function of an implicit security parameter \(\lambda \). Denote with \(\emptyset \) the empty string. Assume that messages in a transcript s are represented as binary strings. Let |s| denote the number of messages of s. \(Prefix(s_1,s_2)=true\) if the first \(|s_1|\) messages (provided not empty) in transcripts \(s_1\) and \(s_2\) are pairwise equivalent as binary strings, and false otherwise. \(\xleftarrow {r}\) means that the value on the left is chosen uniformly at random from the set that on the right of the notion.

Definition 1

(Computational Diffie-Hellman (CDH)). The CDH problem asks that given \(P, rP, sP \in \mathbb {G}\), where \(r, s \xleftarrow {r} \mathbb {F}_q\), compute rsP. We say that the CDH problem is \((t,\epsilon _{CDH})\) hard if for any adversary \(\mathcal {A}\) that runs in time t it holds that

$$Pr[r, s \xleftarrow {r} \mathbb {F}_q: \mathcal {A}(rP, sP ) = rsP]\le \epsilon _{CDH}$$

Definition 2

(Gap-Diffie-Hellman(Gap-DH)). Let \(\mathcal {O}_{DDH}\) be an oracle that solves the DDH problem in \(\mathbb {G}\), i.e. takes as input \(rP, sP, uP \in \mathbb {G}\), and outputs one if \(uP = rsP\) and zero otherwise. The Gap Diffie-Hellman problem then asks that given \(P,aP, bP \in \mathbb {G}\) where \(a, b \xleftarrow {r} \mathbb {F}_q\), and access to \(\mathcal {O}_{DDH}\), compute abP (i.e. solve CDH). We say that the Gap-DH problem is \((t,\epsilon _{Gap\text {-}DH})\) hard if for any adversary \(\mathcal {A}\) that runs in time t it holds that

$$Pr[a,b \xleftarrow {r} \mathbb {F}_q: \mathcal {A}^{\mathcal {O}_{DDH}}(P, aP, bP) = abP]\le \epsilon _{Gap\text {-}DH}$$

A digital signature scheme is a triple \(SIG = (SIG.Gen,SIG.Sign, SIG.Vfy)\), consisting of a key generation algorithm \((sk,pk) \xleftarrow {\$} SIG.Gen(1^ {\lambda })\) generating a (public) verification key pk and a secret signing key sk on input of security parameter \(\lambda \), signing algorithm \(\sigma \leftarrow SIG.Sign(sk,m)\) generating a signature for message m, and verification algorithm \(SIG.Vfy(pk,\sigma ,m)\) returning 1, if \(\sigma \) is a valid signature for m under key pk, and 0 otherwise. Consider the following security experiment played between a challenger \(\mathcal {C}\) and an adversary \(\mathcal {A}\).

  1. 1.

    The challenger generates a public/secret key pair \((sk, pk) \xleftarrow {\$} SIG.Gen(1^{\lambda })\), the adversary receives pk as input.

  2. 2.

    The adversary may query arbitrary messages \(m_i\) to the challenger. The challenger replies to each query with a signature \(\sigma _i = SIG.Sign(sk,m_i)\). Here i is an index, ranging between \(1 \le i \le q\) for some \(q \in \mathbb {N}\). Queries can be made adaptively.

  3. 3.

    Eventually, the adversary outputs a message/signature pair \((m, \sigma )\).

Definition 3

(EUF-CMA). We say that SIG is \((t, \epsilon _{SIG})\) EUF-CMA secure against existential forgeries under adaptive chosen-message attacks, if for all adversaries \(\mathcal {A}\) that run in time t it holds that

$$Pr[(m,\sigma ) \leftarrow \mathcal {A}^{Sign(sk,\cdot )}(1^{\lambda }, pk) \text{ such } \text{ that } SIG.Vfy(pk, m, \sigma ) = 1 \wedge m \notin \{m_1, \cdots ,m_q\}]\le \epsilon _{SIG}$$

Note that we have \(q \le t\), i.e., the number of allowed queries q is bounded by the running time t of the adversary.

An authenticated encryption (AE) scheme \(AE = (\mathcal {K},enc, dec)\) consists of three algorithms. The randomized key generation algorithm \(\mathcal {K}\) returns a key K. The encryption algorithm enc, takes key K and a plaintext and returns a ciphertext. The decryption algorithm dec takes key K and a ciphertext and returns either a plaintext or a special symbol \(\bot \) indicating failure. The following two properties are variants of the stateful security models of AE scheme [3]. \(enc_{\kappa }(h,m;st_e)\) is a symmetric encryption oracle for \({\kappa }\), which takes as input a header h, message m, outputs ciphertext c and updated state \(st_e\). \(dec_{\kappa }(h,c;st_d)\) is a symmetric decryption oracle for \({\kappa }\) which takes a header h, a ciphertext c as input, outputs message m or \(\perp \) and updated state \(st_d\). \(LR_b(m_0,m_1)\) for \(b \in \{0,1\}\) outputs \(m_b\). So a left-or-right encryption oracle \(enc_{\kappa }(h,LR_b(m_0,m_1);st_e)\) outputs \(enc_{\kappa }(h,m_b;st_e)\) if \(m_0=m_1\) and \(\perp \) otherwise. \(C\text {-}E\) (\(C\text {-}D\)) is the set of ciphertexts output by (input to) the left-or-right encryption (decryption) oracle. \(M\text {-}E\) (\(M\text {-}D\)) is the set of messages input to (output by) the encryption (decryption) oracle.

Definition 4

IND-sfCCA [3]. Consider the authenticated encryption scheme \(AE = \{enc_{\kappa }, dec_{\kappa }\}\). Let \(\mathcal {A}\) be an adversary with access to a left-or-right encryption oracle \(enc_{\kappa }(h,\) \( LR_b(m_0,m_1);st_e)\) and a decryption oracle \(dec_{\kappa }(h, c; st_d)\). It is mandated that any two messages queried to \(enc_{\kappa }(h, LR_b(m_0,m_1); st_e)\) have equal length. The \(ind\text {-}sfcca\) experiment is defined as in Fig. 1. The attacker wins when \(b' = b\), and his advantage is defined as

$$Adv^{ind\text {-}sfcca}_{AE}(\mathcal {A})=Pr[Exec^{ind\text {-}sfcca\text {-}1}_{AE}(\mathcal {A})=1]-Pr[Exec^{ind\text {-}sfcca\text {-}0}_{AE}(\mathcal {A})=1].$$

We say that AE is \((t, \epsilon _{ind\text {-}sfcca})\) IND-sfCCA secure, if for all adversaries \(\mathcal {A}\) that run in time t it holds that

$$Adv^{ind\text {-}sfcca}_{AE}(\mathcal {A}) \le \epsilon _{ind\text {-}sfcca}.$$
Fig. 1.
figure 1

The \(ind\text {-}sfcca\) (resp. \(int\text {-}sfptxt\)) experiment

Definition 5

INT-sfPTXT [3]. Consider the scheme \(AE = \{enc_{\kappa }, dec_{\kappa }\}\). Let \(\mathcal {A}\) be an adversary with oracle access to \(enc_{\kappa }(h,m; st_e)\) and \(dec_{\kappa }(h, c; st_d)\). The \(int\text {-}sfptxt\) experiment is defined as in Fig. 1. The advantage \(Adv^{int\text {-}sfptxt}_{AE} (\mathcal {A}) \) of an adversary is defined as

$$Adv^{int\text {-}sfptxt}_{AE} (\mathcal {A}) = Pr[Exec^{int\text {-}sfptxt}_{AE} (\mathcal {A}) = 1].$$

We say that AE is \((t, \epsilon _{int\text {-}sfptxt})\) INT-sfPTXT secure, if for all adversaries \(\mathcal {A}\) that run in time t it holds that

$$Adv^{int\text {-}sfptxt}_{AE}(\mathcal {A}) \le \epsilon _{int\text {-}sfptxt}.$$

3 EMV Channel Establishment Protocol

The original specification of the EMV channel establishment protocol can be found in [13]. In this section, the EMV channel establishment protocol modified by [3] is presented. There are two kinds of participants in the system: Card and Terminal. Each Card holds a certificate which is a digital signature of its public key \(Q_C=dP \in \mathbb {G}\). The secret key of the Card participant is \(d \xleftarrow {r} \mathbb {F}_q\). The protocol uses a hash function H that takes elements in the group \(\mathbb {G}\) and maps them onto a pair of keys for the authenticated encryption scheme.

After the protocol has established secret keys, it uses them in a secure channel protocol (SendChReceiveCh). On input an application message m and state \(st_e\), SendCh returns a channel message ch. On input a channel message ch and state \(st_d\), ReceiveCh returns an application message m. The secure channel protocol is based on a stateful AE scheme \(AE = \{enc, dec\}\). Assume that all plaintext headers used by the secure channel are unauthenticated, implying that no header is sent in clear as part of the AE scheme. The states \(st_e\) and \(st_d\) here model the fact that in practice sequence numbers are used to ensure that messages are delivered in order, thus the operations are stateful. The protocol is presented in Fig. 2. The static key of the Card is d, the ephemeral key of the Card is a, the ephemeral key of the Terminal is e, and the session keys are \((\kappa _e^C,\kappa _d^C)=(\kappa _d^T,\kappa _e^T)=H(eadP)\).

Fig. 2.
figure 2

ECC-based EMV channel establishment protocol

4 The Enhanced Security Model

In this section we present a stronger security model for one-way authentication channel establishment protocols which is inspired by the security models of [3] and [22]. We enhance the channel establishment security model [3] by considering EphemeralKeyReveal queries and using stronger freshness definition. This enhancement enables us to capture the forward security property in one-way authentication setting which is not captured in the previous one-way authentication channel establishment security models [3, 21].

4.1 Preliminaries

Let \(n_C,n_T,n_S \in N\) be positive integers. Assume that there are \(n_C\) authenticated entities and \(n_T\) unauthenticated entities in the system. Each party can establish at most \(n_S\) sessions. Each party in the system has a distinct identity i.

The protocol description is defined by two efficiently computable stateful (sub)-protocols \(P=\{\varPi ,\mathcal {G}\}\). The protocol \(\varPi \) defines how honest parties behave and \(\mathcal {G}\) is the key generation algorithm. Each execution of the protocol can be modeled as an oracle \(\varPi _i^s\), which means that the session is party i’s s-th instance of carrying out the protocol with some partner j (which is determined during the protocol execution). The oracle has access to its owner’s private key and independently maintains a list of internal state information as follows:

  • \(\delta \in \{derived,accept,reject,\bot \}\) is current state of the key exchange (initialized to \(\bot \)). When the session owner derives a session key, he marks the session as derived. When the key establishment protocol ends successfully (and stipulates that no further messages are to be received), the session owner marks the session as accepted. An accepted session must be derived. \(\delta =reject\) means that the session rejects.

  • \(\rho \in \{initiator,responder\}\) is the role of the participant.

  • pid is the partner identifier which is determined during the protocol execution.

  • sid is the session identifier which can be defined by a transcript of all the messages the session receives and sends.

  • \(\kappa =(\kappa _e^{\rho },\kappa _d^{\rho }) \in (\{0,1\}^* \cup \{\bot \})^2\) is the agreed pair of keys. The order of the keys depends on the role. It is initialized as \((\bot ,\bot )\). \(\kappa \) is set to be the derived session key when \(\delta =derived\).

  • \(T_i^s\) records the transcript of messages sent and received by oracle \(\varPi _i^s\). Initialized as \(\emptyset \).

  • \(kst_i^s \in \{exposed,fresh\}\) denotes the freshness of the session key. Initialized as fresh.

  • \(st_k\in \{0,1\}^*\) is the session state after the session key/channel is established. Initialized as \(\emptyset \).

To distinguish the different types of messages that may occur in an execution, there are three different execution “modes"of protocols: establishing a key, sending, respectively receiving messages from the established channel. Formally, the honest operation of a participant is defined by a triple \(\varPi =(KeyExch,SendCh,ReceiveCh)\).

Some of the messages sent during the key-exchange may travel over the channel. So, strictly speaking, KeyExch may make use of the latter algorithms. To facilitate the description of the resulting complex interaction we define the algorithm EstChannel which, essentially , is in charge of establishing the channel. This algorithm may make calls to the algorithms defining \(\varPi \).

During the execution of a protocol an oracle can receive two types of input, an application message (user input) or a channel message (received from the wire). At any point during its execution, protocol \(\varPi \) takes as input a message m and a message type \(type \in \{ap,ch\}\) indicating the message was received from the user’s application or the channel, respectively, runs the appropriate algorithm, and returns the output of that algorithm. The execution of protocol \(\varPi \) is summarized in Fig. 3.

After the channel has been established whenever the input message type is ch then ReceiveCh will be called. This models messages that are received from the channel (for decryption). It takes as input a message m and state \(st_d\) and outputs a message \(m'\) for output to the user’s application. ReceiveCh rejects and outputs \(\perp \) if the received messages are “out of state" messages (e.g., format error, invalid message).

When the message type is ap then SendCh will be called. This models application messages that are input to be sent (encrypted) on the channel. It takes as input a message m and state \(st_e\) and outputs a message \(m'\) for output to the channel. Note that if keys have not yet been established (\(\delta \ne accept\)) then such a call to SendCh will output \(\perp \).

Fig. 3.
figure 3

Honest protocol execution

4.2 Matching Conversations

Denote \(TEstCha^s_i\) and \(TEstCha^t_j\) to be the transcript involved in the execution of Estchannel for oracles \(\varPi _i^s\) and \(\varPi _j^t\) respectively.

Definition 6

(Matching Conversation). We say that an oracle \(\varPi ^s_i\) has a matching conversation to oracle \(\varPi ^t_j\), if \(Prefix(TEstCha^t_j,TEstCha^s_i)=true\) or \(Prefix(TEstCha^s_i,\) \(TEstCha^t_j)=true\).

To keep the correctness of the protocol, two matching sessions which accept should always establish the same session key.

Definition 7

(Correctness). For any two oracles \(\varPi _i^s\) and \(\varPi _j^t\) that have matching conversation with \(pid_i^s=j\), \(pid_j^t=i\), \(\delta _i^s=accept\) and \(\delta ^t_j=accept\) it always holds that \(\kappa _i^s=\kappa _j^t\).

4.3 Adversarial Capabilities

The adversary \(\mathcal {A}\) is a probabilistic polynomial Turing machine taking as input the security parameter \(\lambda \) and the public information, and controls the communication and network. \(\mathcal {A}\) can issue the following queries to oracles \(\varPi _i^s\) for \(i\in [1,n_C+n_T],s\in [1,n_S]\).

  • \(Newsession(i,\rho )\). Create a session for user i with role \(\rho \).

  • \(Send(\varPi _i^s,m,type)\). Send a message m to \(\varPi _i^s\) with type type. As a result \(\varPi _i^s\) will run \(\varPi \) on input (mtype) (as in Fig. 3) and respond with the outputting message \(m^*\) (if there is any) that should be sent according to the protocol specification and its internal states. The state information of \(\varPi _i^s\) will be updated depending on the protocol specification. After the session accepted, this query may initiate ReceiveCh or SendCh algorithms. Note that the session will not send message to the channel when it just invokes the ReceiveCh algorithms.

  • StaticKeyReveal(i). \(\mathcal {A}\) obtains the long-term private key of i if it is an authenticated entity.

  • \(EphemeralKeyReveal(\varPi _i^s)\). \(\mathcal {A}\) obtains the ephemeral private key of session \(\varPi _i^s\).

  • \(SessionKeyReveal(\varPi _i^s)\). \(\mathcal {A}\) gets the derived session key of \(\varPi _i^s\) if \(\delta \) is derived or accepted, at the same time, \(kst_i^s\) is set to be exposed. If at the point when this query is issued, there exists another oracle \(\varPi _j^t\) having matching conversation to \(\varPi _i^s\), then \(kst_j^t\) is also set to be exposed.

Following the routine of [3], to define the security experiments for message authentication and privacy latter, the following notations for each \(\varPi _i^s\) is maintained:

  • Application messages sent \(Ap\text {-}S^s_i\), i.e. the list of all messages m input to \(Send(\varPi ^s_i, m, ap)\).

  • Channel messages sent \(Ch\text {-}S^s_i\), i.e. the list of all outputs from \(Send(\varPi ^s_i , m, ap)\).

  • Channel messages received \(Ch\text {-}R^s_i\), i.e. the list of all messages m input to \(Send(\varPi ^s_i, m, ch)\).

  • Application messages received \(Ap\text {-}R^s_i\), i.e. the list of all outputs from \(Send(\varPi ^s_i, m, ch)\).

Once a channel is established, whenever an application message is input to Send, the protocol \(\varPi \) is executed and a channel message will be output and sent on the channel. Similarly whenever a channel message is input to Send, the protocol \(\varPi \) is run and an application message will be output to the user. The above lists help us keep track of these messages and facilitate checking necessary in the following security models.

4.4 Security Definitions

In this subsection, we consider the security of one-way authentication secure channel establishment protocols, which is the scenario of EMV channel establishment protocol. The parties in the system are classified into two sets. Let C be the set of authenticated participants (the Cards) and let T be the set of unauthenticated participants (the Terminals), where unauthenticated participants do not hold long-term private/public key pairs.

In our model, a Terminal \(i \in T\) wishes to authenticate a Card \(j \in C\) and establish a key (additionally a secure channel) with this Card. For a session \(\varPi _j^t\) owned by party \(j \in C\) with public/secret key pairs, the adversary \(\mathcal {A}\) needs to obtain both static and ephemeral secret keys to get the session key. But if the session has a matching conversation with another session \(\varPi _i^s\) with \(i \in T\), knowing the session’s ephemeral key enables the adversary to get the session key. Since all \(i \in T\) have no long-term secret, it would always be possible for an adversary to impersonate an unauthenticated participant and establish a session with a real Card. So, in our model, the target session should always be a session owned by a Terminal.

We give the freshness definition for a session of a Terminal as follows. The session that the adversary attacks should keep fresh to make sense. In our model, the freshness definition enlarges the scope of sessions the adversary can attack compared to the previous security model [3]. That is, we allow the adversary to obtain either static key or ephemeral key of the Card party involved in the target session. While in [3], the adversary can ask neither keys of this party. So, the forward security property in one-way setting is captured in our model.

Definition 8

(One-Sided Freshness). Let \(\varPi _i^s\) be an accepted session held by a party \(i \in T\) with other party \(j \in C\), and both parties are honest. Session \(\varPi _j^t\) (if it exists) is the matching conversation of \(\varPi _i^s\). Then the session \(\varPi _i^s\) is said to be fresh if none of the following conditions hold:

  1. 1.

    \(\varPi _i^s\) has internal state \(kst_i^s=exposed\).

  2. 2.

    \(\varPi _j^t\) exists and \(\mathcal {A}\) issued one of the following:

    • EphemeralKeyReveal(\(\varPi _i^s\)).

    • Both StaticKeyReveal(j) and EphemeralKeyReveal(\(\varPi _j^t\)).

  3. 3.

    \(\varPi _j^t\) doesn’t exist and \(\mathcal {A}\) issued one of the following:

    • EphemeralKeyReveal(\(\varPi _i^s\)).

    • StaticKeyReveal(j) before session \(\varPi _i^s\) accepts.

As in [3], we formulate three levels of security: Entity Authentication (EA), Message Authentication (MA) and Message Privacy (MP).

Entity Authentication. An adversary violates entity authentication if he can get a session to accept even if there is no unique session of its intended partner that has a matching conversation to it. More formally, the security is defined via an experiment ent played between a challenger \(\mathcal {C}\) and an adversary \(\mathcal {A}\). At the beginning, \(\mathcal {C}\) generates the long-term key pairs \((pk_U,sk_U)\) for all the parties \(U \in C\) and sends the public keys \(pk_U\) for \(U \in C\) to \(\mathcal {A}\). Then the adversary can issue the oracle queries we defined above to the oracles.

Definition 9

(EA). We say that protocol \(P = \{\varPi ,\mathcal {G}\}\) is a \((t,\epsilon _{EA})\)-secure EA protocol if for all adversaries \(\mathcal {A}\) running in time at most t, when \(\mathcal {A}\) terminates, then with probability at most \(\epsilon _{EA}\) there exists a fresh oracle \(\varPi ^s_i\) such that \(\varPi _i^s\) accepts, but there is no unique oracle \(\varPi _j^t\) such that \(\varPi _i^s\) has a matching conversation to \(\varPi _j^t\) for \(i \in T, j \in C\).

Message Authentication. The message authentication property ensures the integrity and authenticity of all messages sent over the channel. For any two partner oracles \(\varPi ^s_i\) and \(\varPi _j^t\), the oracle \(\varPi ^s_i\) should only successfully receive messages which were output by \(\varPi ^t_j\) and vice versa. That is formalized by requiring that for any fresh oracle \(\varPi ^s_i\) with unique partner \(\varPi ^t_j\), \(Prefix(Ap\text {-}R^s_i, Ap\text {-}S^t_j) = true\). If this does not hold then the adversary successfully fools \(\varPi ^s_i\) into receiving an application message which was not output by the partnered oracle \(\varPi ^t_j\).

The authentication experiment auth generates public/private key pairs for each user \(i \in C\) (by running \(\mathcal {G}\)) and returns the public keys to \(\mathcal {A}\). The adversary is permitted to make the queries \(NewSession(i, \rho )\), \(SessionKeyReveal(\varPi ^s_i)\), StaticKeyReveal(i), EphemeralKey \(Reveal(\varPi _i^s)\) as well as \(Send(\varPi ^s_i, m, type)\) with message \(type \in \{ap, ch\}\). On querying \(Send(\varPi ^s_i, m, type)\), the game behaves as in Fig. 4.

Fig. 4.
figure 4

The Send (resp. SendLR) query for the auth (resp. priv) games

The game \(Exec^{auth}_{\varPi } (\mathcal {A})\) between an adversary \(\mathcal {A}\) and challenger \(\mathcal {C}\) is defined as follows:

  1. 1.

    The challenger \(\mathcal {C}\) generates public/private key pairs for each user \(U \in C\) (by running \(\mathcal {G}\)) and returns the public keys to \(\mathcal {A}\).

  2. 2.

    \(\mathcal {A}\) is allowed to make as many NewSession, SessionKeyReveal, \(StaticKeyReveal\), EphemeralKeyReveal, Send queries as it likes.

  3. 3.

    The adversary stops with no output.

We say that an adversary \(\mathcal {A}\) wins the game if there exists \(\varPi ^s_i\) with unique partner \(\varPi ^t_j\) such that they are matching conversations and the list \(Ap\text {-}R^s_i\) is not a prefix of \(Ap\text {-}S^t_j\). The adversary’s advantage is \(Adv^{auth}_{\varPi }(\mathcal {A}) = Pr[\exists \varPi ^s_i, \varPi ^t_j \text { for } i\in T, j\in C: \varPi ^s_i \text{ is } \text{ fresh } \wedge \varPi ^s_i, \varPi ^t_j \text{ are } \text{ matching } \wedge Prefix(Ap\text {-}R^s_i, Ap\text {-}S^t_j) = false]\).

Definition 10

(MA). A protocol \(P = \{\varPi ,\mathcal {G}\}\) is a \((t,\epsilon _{MA})\)-secure MA protocol if for all adversaries \(\mathcal {A}_{auth}\) running in time at most t, \(Adv^{auth}_{\varPi } (\mathcal {A}_{auth}) \le \epsilon _{MA}\).

Message Privacy. The message privacy property ensures that the adversary should not be able to determine which set of messages \(\{m_{01},m_{02},m_{03},\cdots \}\) and \(\{m_{11},m_{12},m_{13},\cdots \}\) has been transmitted on the secure channel.

The message privacy experiment priv initializes the states as in the authentication experiment auth, except that each session now also holds a random secret bit \(b^s_i\). As before, the adversary can make the queries NewSession, SessionKeyReveal, StaticKeyReveal, EphemeralKeyReveal. In addition, the adversary can issue a left-right version of \(Send(\varPi ^s_i,\) mtype) which is used to model message privacy. Specifically, the query \(SendLR(\varPi ^s_i ,m_0,m_1,\) type) takes as input two messages and returns \(Send(\varPi ^s_i,m_{b^s_i}, type)\). When \(type \ne ap\) these two messages are equal, \(SendLR(\varPi ^s_i, m, m, type)\) \(= Send(\varPi ^s_i, m, type)\).

As before, two sessions are matching conversations. On the \(SendLR(\varPi ^s_i\), \(m_0,m_1, type)\) query, the game behaves as in Fig. 4. Once the channel is established, whenever \(SendLR(\varPi ^s_i,\) mmch) is called, we allow the protocol to run as normal but check the lists \(Ch\text {-}R^s_i\) and \(Ch\text {-}S^t_j\). If the message m was a channel output from \(\varPi ^s_i\)’s partner \(\varPi ^t_j\), then SendLR will not return anything. This allows the adversary to progress the state of an oracle but prevents them from trivially winning the game.

Game \(Exec^{priv}_{\varPi }(\mathcal {A})\) between an adversary \(\mathcal {A}\) and challenger \(\mathcal {C}\):

  1. 1.

    The challenger \(\mathcal {C}\), generates public/private key pairs for each user \(U \in C\) (by running \(\mathcal {G}\)) and returns the public keys to \(\mathcal {A}\).

  2. 2.

    \(\mathcal {A}\) is allowed to make as many NewSession, SessionKeyReveal, \(StaticKeyReveal\), EphemeralKeyReveal, SendLR queries as it likes.

  3. 3.

    Finally \(\mathcal {A}\) outputs a tuple \((i, s, b_0)\) for \(i \in T\).

We say the adversary \(\mathcal {A}\) wins if its output \(b_0 = b_i^s\) and \(\varPi ^s_i\) is fresh (and has a unique partner) and the output of \(Exec^{priv}_{\varPi }(\mathcal {A})\) is set to 1. Otherwise the output is 0. Formally we define the advantage of \(\mathcal {A}\) as \(Adv^{priv}_{\varPi } (\mathcal {A}) = | Pr[Exec^{priv}_{\varPi } (\mathcal {A})=1] -1/2|\).

Definition 11

(MP). A protocol \(P =\{\varPi , \mathcal {G}\}\) is a \((t,\epsilon _{MP})\)-secure MP protocol if for all adversaries \(\mathcal {A}_{priv}\) running in time at most t, \(Adv^{priv}_{\varPi }(\mathcal {A}_{priv}) \le \epsilon _{MP}\).

A channel establishment protocol is secure if it satisfies all of the three notions above.

Definition 12

(eEAMAP). Protocol \(P =\{\varPi , \mathcal {G}\}\) is a \((t,\epsilon )\)-secure eEAMAP protocol if it is a \((t,\epsilon )\)-secure EA protocol, a \((t,\epsilon )\)-secure MA protocol and a \((t,\epsilon )\)-secure MP protocol.

4.5 Unlinkability

In practice, the Card holders may also want to have a property that their two independent transactions can not be linked. Actually, this property is formally captured by a notion called unlinkability. In this paper, we adapt the idea of [3] to define our unlinkability definition (see full version of our paper), which means that it should be hard for an adversary to determine whether two particular sessions are linked with the same Card. Note that this property only holds against an eavesdropper adversary who is not a Terminal.

5 Security Analysis of EMV Channel Establishment Protocol in Our Security Model

In our security model, the adversary controls all the communications and can get the ephemeral keys and session keys of sessions, so he can impersonate a valid Card through the following steps (see Fig. 5):

  1. 1.

    Card entity C chooses \(a \in _R\mathbb {F}_{q}\) and sends out \(A=aQ_C\).

  2. 2.

    The adversary \(\mathcal {M}\) intercepts the message A, computes \(2\cdot A\) and sends it to Terminal T.

  3. 3.

    The Terminal T selects \(e \in _R\mathbb {F}_{q}\) and sends out \(E=eP\).

  4. 4.

    \(\mathcal {M}\) intercepts E, computes \(2\cdot E\) and sends it to the Card C.

  5. 5.

    After that, \(\mathcal {M}\) issues EphemeralKeyReveal to the Card session and obtains a.

  6. 6.

    After the Card session accepts, \(\mathcal {M}\) issues SessionKeyReveal query to the Card’s session and obtains its session key \((\kappa _e^C,\kappa _d^C)=H(2adE)=H(2deaP)\!=\!(\kappa _d^T,\kappa _e^T)\).

  7. 7.

    \(\mathcal {M}\) can obtain \(Q_C,cert_C\) by impersonating a Terminal to C in a different session.Footnote 1

  8. 8.

    \(\mathcal {M}\) computes and sends \(ch'=SendCh_{\kappa _e^C}(cert_C||2a||Q_C;st_e^C)\) which will pass the verification of the Terminal.

Fig. 5.
figure 5

Security analysis of ECC-based EMV channel establishment protocol in the enhanced security model

So, the adversary successfully impersonates the Card to the Terminal which breaks the EA property.

6 The Enhanced Protocol

The enhanced protocol is presented as follows in Fig. 6. The only difference lies in the computation of the session key. We add the ephemeral public keys of the session to the inputs of the hash function.

7 Security

Theorem 1

If the Gap-DH problem is \((\mathbf t ,\epsilon _{Gap\text {-} DH})\) hard over \(\mathbb {G}\), \(AE = (enc,dec)\) is \((\mathbf t ,\epsilon _{ind\text {-}sfcca})\) IND-sfCCA secure and \((\mathbf t ,\epsilon _{int\text {-}sfptxt})\) INT-sfPTXT secure, and the signature scheme (sigver) used to produce card certificates is \((\mathbf t ,\epsilon _{sig})\) EUF-CMA secure, then the Enhanced EMV protocol \(P = (\varPi , \mathcal {G})\) in Fig. 6 is secure in the sense of eEAMAP and unlinkability.

The proof of the theorem is given in the full version of the paper.

Fig. 6.
figure 6

Enhanced ECC-based EMV channel establishment protocol