On the Joint Security of Encryption and Signature in EMVJean-Paul Degabriele, Anja Lehmann, Kenny Paterson, Nigel Smart, Mario Strefler, On the Joint Security of Encryption and Signature in EMV. Topics in Cryptology - CT-RSA 2012, pp. 116–135. February 2012. No electronic version available.
We provide an analysis of current and future algorithms for signature and encryption in the EMV standards in the case where a single key-pair is used for both signature and encryption. We give a theoretical attack for EMV's current RSA-based algorithms, showing how access to a partial decryption oracle can be used to forge a signature on a freely chosen message. We show how the attack might be integrated into EMV's CDA protocol flow, enabling an attacker with a wedge device to complete an offline transaction without knowing the cardholder's PIN. Finally, the elliptic curve signature and encryption algorithms that are likely to be adopted in a forthcoming version of the EMV standards are analyzed in the single key-pair setting, and shown to be secure.