To address privacy problems with the EMV standard, EMVco proposed a Blinded Diffie-Hellman key establishment protocol. We point out that active attackers were not previously accounted for in the privacy requirements of this proposed protocol, despite the fact that an active attacker can compromise unlinkability. Here, we adopt a strong definition of unlinkability that does account for active attackers and propose an enhancement of the protocol proposed by EMVco where we make use of Verheul certificates. We prove that our protocol does satisfy strong unlinkability, while preserving authentication.
Download