On the joint security of encryption and signature in EMV

Authors:
Jean Paul Degabriele;Anja Lehmann;Kenneth G. Paterson;Nigel P. Smart;Mario Strefler
Affiliations:
Information Security Group, Royal Holloway, University of London, UK;IBM Research --- Zurich, Switzerland;Information Security Group, Royal Holloway, University of London, UK;Department of Computer Science, University of Bristol, UK;INRIA / ENS / CNRS, Paris, France
Venue:
CT-RSA'12 Proceedings of the 12th conference on Topics in Cryptology
Year:
2012

Citing 17
Cited 0

A chosen text attack on the RSA cryptosystem and some discrete logarithm schemes

Lecture notes in computer sciences; 218 on Advances in cryptology---CRYPTO 85
Securely combining public-key cryptosystems

CCS '01 Proceedings of the 8th ACM conference on Computer and Communications Security
The Oracle Diffie-Hellman Assumptions and an Analysis of DHIES

CT-RSA 2001 Proceedings of the 2001 Conference on Topics in Cryptology: The Cryptographer's Track at RSA
On the Security of RSA Padding

CRYPTO '99 Proceedings of the 19th Annual International Cryptology Conference on Advances in Cryptology
Universal Padding Schemes for RSA

CRYPTO '02 Proceedings of the 22nd Annual International Cryptology Conference on Advances in Cryptology
Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1

CRYPTO '98 Proceedings of the 18th Annual International Cryptology Conference on Advances in Cryptology
On the Security of Joint Signature and Encryption

EUROCRYPT '02 Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques: Advances in Cryptology
The Exact Security of ECIES in the Generic Group Model

Proceedings of the 8th IMA International Conference on Cryptography and Coding
Further Results and Considerations on Side Channel Attacks on RSA

CHES '02 Revised Papers from the 4th International Workshop on Cryptographic Hardware and Embedded Systems
Design and Analysis of Practical Public-Key Encryption Schemes Secure against Adaptive Chosen Ciphertext Attack

SIAM Journal on Computing
Generic Groups, Collision Resistance, and ECDSA

Designs, Codes and Cryptography
Practical Cryptanalysis of iso/iec 9796-2 and emv Signatures

CRYPTO '09 Proceedings of the 29th Annual International Cryptology Conference on Advances in Cryptology
Chip and PIN is Broken

SP '10 Proceedings of the 2010 IEEE Symposium on Security and Privacy
Discrete-Log-Based signatures may not be equivalent to discrete log

ASIACRYPT'05 Proceedings of the 11th international conference on Theory and Application of Cryptology and Information Security
Errors matter: breaking RSA-Based PIN encryption with thirty ciphertext validity queries

CT-RSA'10 Proceedings of the 2010 international conference on Topics in Cryptology
Fault attacks against EMV signatures

CT-RSA'10 Proceedings of the 2010 international conference on Topics in Cryptology
On the joint security of encryption and signature, revisited

ASIACRYPT'11 Proceedings of the 17th international conference on The Theory and Application of Cryptology and Information Security

Quantified Score

Hi-index	0.00

Visualization

Abstract

We provide an analysis of current and future algorithms for signature and encryption in the EMV standards in the case where a single key-pair is used for both signature and encryption. We give a theoretical attack for EMV's current RSA-based algorithms, showing how access to a partial decryption oracle can be used to forge a signature on a freely chosen message. We show how the attack might be integrated into EMV's CDA protocol flow, enabling an attacker with a wedge device to complete an offline transaction without knowing the cardholder's PIN. Finally, the elliptic curve signature and encryption algorithms that are likely to be adopted in a forthcoming version of the EMV standards are analyzed in the single key-pair setting, and shown to be secure.