Enhancing Regulatory Compliance in Digital Payments: Unlinkability and Privacy in EMV 2nd Gen Transactions

1. Introduction

The EMV standard [1], developed by Europay, Mastercard, and Visa, underpins most payment cards and terminals, ensuring secure financial transactions. Originally introduced in 1996 to replace magnetic stripe cards with integrated circuit cards for enhanced security, the EMV standard has since evolved to include contactless cards. These cards require no direct user intervention during transactions, making them susceptible to unauthorized interactions, posing privacy challenges.

This paper examines privacy vulnerabilities in payment cards, emphasizing the unlinkability of transactions. The EMV standard inherently lacks privacy features such as anonymity and unlinkability, as card numbers are transmitted in plaintext during transactions. Consequently, transaction data can be used to link multiple transactions to the same card, enabling tracking. Moreover, contactless cards readily disclose their identity without requiring actual transactions, further exacerbating privacy risks.

In 2011, EMVCo introduced the EMV 2nd Gen standard, aiming to counteract eavesdropping threats by implementing secret channels. These channels rely on symmetric keys established at the beginning of each transaction session via a variant of the Diffie-Hellman key exchange—Blinded Diffie-Hellman (BDH) [2]. BDH incorporates a freshly blinded, statically certified public key instead of an ephemeral public key, enhancing security. According to the EMV 2nd Gen architecture [3], BDH must meet the following criteria:

• Utilize elliptic-curve cryptography (ECC).
• Be computationally efficient for smart cards.
• Prevent passive eavesdroppers from reidentifying a card.

Security proofs [4,5] establish BDH’s effectiveness against passive eavesdroppers, granting it "external unlinkability" [4]. However, in contactless payment environments, attackers need not remain passive. Devices like smartphones can actively interact with cards, initiating unauthorized sessions. Wireless eavesdropping is feasible within a 20m radius [6], while attacks have been documented between 20m and 100cm [7,8]. Moreover, an active adversary within 100cm can power up a card and start communication [9], posing a significant privacy threat.

Under this stricter threat model, BDH no longer ensures unlinkability. To address this, I propose an enhancement leveraging anonymous credential schemes, such as Verheul certificates, to obscure card identities while maintaining computational efficiency. The approach builds upon the bisimilarity-based unlinkability framework of Horne and Mauw [10], employing quasi-open bisimilarity [11] for two key benefits:

• Simplifies verification by focusing solely on card interactions, aligning with EMV’s design principle of minimizing shared secrets between cards and terminals.
• Ensures robustness by extending results to weaker models like trace equivalence, as quasi-open bisimilarity is a finer equivalence relation.

Our key contributions include:

• A novel unlinkability definition for EMV payments that accommodates active adversaries.
• Identification of an unlinkability vulnerability in the original BDH protocol using a modal logic formula.
• A refined BDH protocol integrating blind certificates to enhance unlinkability.
• A formal proof of unlinkability for the improved BDH.
• Discussion on achieving unlinkable EMV transactions within the existing EMV infrastructure.

The remainder of this paper is structured as follows: Section II reviews prior research on EMV security and privacy. Section III details BDH and its susceptibility to active attackers. Section IV provides background on the applied $\pi$-calculus. Sections V and VI present the main contributions: a novel unlinkability definition, an improved BDH protocol, and its unlinkability proof. Section VII verifies that the enhancements preserve authentication properties. Section VIII discusses the implications of unlinkable EMV transactions under the threat model. Finally, Section IX concludes with future research directions.

2. Related Work

Extensive research on EMV has primarily addressed authentication and confidentiality challenges essential for preventing fraudulent activities. Basin, Sasse, and Toro-Pozo [12,13] conducted a comprehensive study on attacks that facilitate fraud, such as executing high-value transactions using a contactless Visa card without PIN verification. Various countermeasures, including distance-bounding techniques [14], have been investigated to mitigate relay-based threats. For example, Chothia, de Ruiter, and Smyth analyzed Mastercard’s RRP protocol [15], while Boureanu et al. examined relay-resistant EMV mechanisms designed to counter rogue readers [16]. Furthermore, Radu et al. demonstrated how a combination of relay and replay attacks could be used to bypass Apple Pay’s lock screen when linked to a Visa card [17].

A skimming attack enables an adversary to stealthily activate a contactless card and establish communication. This type of attack frequently serves as a preliminary step in relay attacks and forms the foundation of the investigation into BDH unlinkability. Habraken et al. illustrated a skimming setup employing a gate antenna with an operational range of up to 100 cm [9], whereas Engelhardt et al. successfully eavesdropped on EMV communication from as far as 18m [8].

To enhance privacy in EMV transactions, anonymous credential frameworks present a promising solution by enabling verification without disclosing the cardholder’s identity. However, such mechanisms remain underutilized in EMV systems. While Idemix [18] and U-Prove [19] are notable general-purpose credential schemes, they face practical limitations in EMV applications—Idemix suffers from inefficiencies on smart cards [20], whereas U-Prove is susceptible to transaction linkability attacks. A more feasible alternative is Verheul’s self-blindable attribute certificates [21], leveraging elliptic curve cryptography and optimized for EMV 2nd Gen smart card compatibility [22].

Arapinis et al. [23] formulated unlinkability as an equivalence-based problem, proposing strong unlinkability using bisimulation. Horne and Mauw [10] expanded this framework by incorporating session channels and demonstrating the advantages of bisimilarity. Hirschi, Baelde, and Delaune [24] redefined unlinkability as a trace equivalence issue and introduced automated verification techniques. Nevertheless, Filimonov et al. [25] caution that solely relying on trace equivalence might obscure certain attack vectors. The ongoing debate between bisimilarity and trace equivalence [24,25] persists, but in the analysis, either method is sufficient, as I establish security in the most rigorous model and detect vulnerabilities in the weakest.

Research on symbolic approaches for Diffie-Hellman (DH) group cryptanalysis is extensive. Modeling exponentiation and group operations often results in unification problems over specific fields [26], rendering the general case undecidable. Security verification tools such as Tamarin [27] and ProVerif [28] abstract prime order groups to facilitate analysis. Cremers and Jackson [29] refined these abstractions to improve the efficiency of automated security verification.

3. Blinded Diffie-Hellman and External Unlinkability

In this section, I present the Blinded Diffie-Hellman (BDH) protocol as outlined in the original EMVCo proposal [2] and analyze its limitations concerning unlinkability.

3.1. The Blinded Diffie-Hellman Protocol

The structure of BDH protocol messages is depicted in Figure 1.

The protocol relies on elliptic curve arithmetic, which I symbolically represent. Public parameters include a finite field ${\mathbb{F}}_p$, a DH group $\mathbb{G}$ over an elliptic curve $E_{{\mathbb{F}}_p}$, group order r, generator h, key-derivation function $\eta$, and payment system’s public key $p{k}_{sys}$. Scalar multiplication is denoted as $\theta :{\mathbb{F}}_r\times \mathbb{G}\to \mathbb{G}$, where $\theta (x,P)$ represents adding P to itself x times. The secret key x corresponds to public key $\theta (x,h)$, and blinding uses a fresh scalar b, defined as $\theta (b,P)$.

Equational theory ${\mathbb{E}}_0$, capturing cryptographic function properties, is presented in Figure 2.

The BDH protocol operates according to the sequence depicted in Figure 3. In this process, the card D and terminal U perform a key exchange, while the payment system, serving as a certification authority, maintains a confidential key y. Upon issuance, the card is provisioned with a static key pair $(y_D,\psi (y_D,h))$ and a certificate $\langle \psi (y_D,h),h,{\mathrm{sig}}_{y_D,h,y}\rangle$. To confirm authenticity, the terminal validates these credentials using the payment system’s public key $p{k}_{sys}$ [1,2].

The card initiates by sending its blinded public key $\theta (b,y_{D}h)$ to the terminal, which responds with its ephemeral key $\theta (y_U,h)$. This allows them to compute a shared secret $y_D{y}_U$. The card encrypts authentication data, including the blinding scalar b, its static public key, and the certificate. The terminal verifies the certificate using $p{k}_{sys}$ and ensures that the received blinded key matches $\theta (b,y_{D}h)$. If verification succeeds, authentication is complete.

3.2. BDH and Active Attackers

External unlinkability ensures that an observer cannot link a card’s sessions. However, a straightforward attack exists when malicious terminals are present:

• A rogue terminal establishes a key with an honest card, decrypts the response, and extracts $\theta (y_D,h)$.
• The attacker initiates another session with the same card to retrieve $\theta (y_D,h)$ again, thereby identifying the card.

Since activating a contactless card is trivial, external unlinkability is insufficient. This necessitates a stronger unlinkability definition that remains valid even in hostile environments. I propose an enhanced BDH protocol that conceals the public key within a blinded signature, eliminating the need for terminals to access it for verification. This improved protocol is presented in Section VI.

4. Background on Applied $\pi$-Calculus

This section introduces a foundational version of applied $\pi$-calculus [1], a framework for modeling concurrent processes and their interactions. The presented calculus is streamlined to align with the scope of this paper. I begin by outlining its syntax, followed by defining an equivalence relation on processes, which is later utilized in Section V for expressing unlinkability.

4.1. Syntax, Notation, and Conventions

The syntax for processes is depicted in Figure 4.

Processes represent system behaviors, particularly those of honest entities executing a protocol. They send and receive messages via channels; for instance, $M\langle N\rangle$ signifies message N sent over channel M. Messages adhere to a specified language and equational theory. I denote $M{\equiv }_{G}N$ for equivalence under an equational theory G.

Variables are bound in processes through new name binders or input operations, such as $\nu z.X$ and $M\left(z\right).X$, where z is local to X. Free variables, not bound by such constructs, are denoted $\mathrm{fv}\left(S\right)$ for a process or message term S.

Processes X and Y execute concurrently in $X\mid Y$, while $!X$ denotes infinite replication of X. The conditional construct $\mathrm{if}M=N\mathrm{then}X$ executes X if $M{\equiv }_{G}N$.

A substitution maps variables to message terms. I use $\tau ,\rho ,$ and $\kappa$ to denote substitutions, where applying $\tau$ to z results in $z\tau$. The substitution effect on process X is written as $X\tau$. When explicitly defined, I write $\tau =\{z\mapsto N\}$.

Substitutions must not alter bound variables; renaming is handled via $\alpha$-conversion [2], ensuring processes are considered modulo $\alpha$-conversion.

Definition 1 (Freshness, #) A set of variables $\mathbf{x}$ is fresh for another set $\mathbf{w}$ if $\mathbf{x}\cap \mathbf{w}=\varnothing$. A variable x is fresh for a term Q if $x\notin \mathrm{fv}\left(Q\right)$. Similarly, x is fresh for a substitution $\tau$ if it is fresh for both $\mathrm{dom}\left(\tau \right)$ and $\mathrm{fv}\left(v\tau \right)$ for any v fresh for x. Notation: $x\#w,x\#Q,x\#\tau$.

Thus, fresh variables do not appear in the free variables, substitution domain, or range. Throughout, I adopt conventions like writing $\nu y_1,y_2.P$ instead of nested $\nu y$ expressions and use ≜ for defining processes.

4.2. Semantics

A process state is modeled as an extended process $\nu y.\sigma \Vert P$. Figure 5 presents its syntax.

An extended process $\nu y.\sigma \Vert P$ evolves via transitions, represented with labeled arrows. Transition label syntax is shown in Figure 6. Bound names within transitions are defined as $\mathrm{bn}\left(\gamma \right)=y$ if $\gamma =A\left(y\right)$, otherwise $\mathrm{bn}\left(\gamma \right)=\varnothing$. The set of names for messages follows $m(A,B)=\mathrm{fv}\left(A\right)\cup \mathrm{fv}\left(B\right)$ and $m\left(A\right(y\left)\right)=\mathrm{fv}\left(A\right)\cup \left\{y\right\}$.

4.3. Equivalence Notion

Unlinkability in payment systems is formulated as an equivalence relation: a system is unlinkable if its behavior mirrors an ideal unlinkable model. Here, I define the exact equivalence relation applied to extended processes.

Equivalence captures both static and dynamic behaviors: two processes are indistinguishable if they produce identical message sequences and match corresponding actions. The required relation is bisimilarity, but a specific form relevant to the study is considered, as numerous bisimilarity notions exist [31]. I adopt a bisimilarity that is also a congruence.

Given the adversarial context of card unlinkability, I seek a robust equivalence that holds universally, independent of environmental conditions, such as the presence or absence of terminals. I begin with static equivalence—differentiating protocol execution snapshots—and subsequently extend to a bisimilarity congruence.

4.4. Static Equivalence

Definition 2. (Static Equivalence) Two extended processes $\nu x.\alpha M$ and $\nu y.\beta N$ are statically equivalent if, for all messages U and V such that $x,y\notin U,V$, I have

$$U\alpha \equiv V\alpha \mathrm{if}\mathrm{and}\mathrm{only}\mathrm{if}U\beta \equiv V\beta .$$

A message U is said to be a recipe for some message W under $\alpha$ if $U\in x$ and $U\alpha \equiv W$.

4.5. Open Relation

For bisimilarity to be a congruence relation, it must be open. A relation is open if it remains preserved under fresh substitutions relative to the domain of the frame of the extended process. This ensures that an attacker can manipulate messages bound to free variables without accessing recorded outputs, thus accounting for all possible attack scenarios.

Definition 3. (Open Relation) A relation R on extended processes is open if, for $C=\nu x.\alpha M$ and $D=\nu y.\beta N$ where $CRD$, it holds that for all $\sigma$ with $\mathrm{dom}\left(\alpha \right)$ fresh for $\sigma$, I have $C\sigma RD\sigma$.

The bisimilarity notion constrained to open relations is called quasi-open bisimilarity, which is the most abstract bisimilarity in the applied $\pi$-calculus that remains a congruence [11]. Coarseness is crucial here, as finer equivalences may introduce unnecessary attack vectors.

4.6. Quasi-Open Bisimilarity

Definition 4. (Quasi-Open Bisimilarity) An open symmetric relation R over extended processes is a quasi-open bisimulation if, whenever $ARB$, the following conditions hold:

• A and B are statically equivalent.
• If $A\stackrel{\pi }{\to }{A}^{\prime }$, then there exists $B^{\prime }$ such that $B\stackrel{\pi }{\to }{B}^{\prime }$ and $A^{\prime }R{B}^{\prime }$.

Processes P and Q are quasi-open bisimilar, denoted $P\sim Q$, if there exists a quasi-open bisimulation R such that $PRQ$.

4.7. Unlinkability and Bisimilarity

Quasi-open bisimilarity forms the foundation of the definition of unlinkability. This bisimilarity-based approach accounts for attacker decisions during protocol execution. Compared to trace equivalence, tools like DeepSec [32] can aid in verification, but bisimilarity provides a more secure alternative, as trace equivalence is coarser.

Specifically, if unlinkability is defined using bisimilarity, it remains valid under trace equivalence, but the reverse does not hold. Previous research on the BAC protocol for ePassport [10,25] illustrates this: while trace equivalence suggests unlinkability, bisimilarity exposes distinguishing strategies that can link sessions.

Furthermore, bisimilarity’s congruence property allows modular verification. If a smaller system satisfies an equivalence property, this property extends to larger systems without additional verification effort.

5. Describing Attacks via Modal Logic

I express bisimilarity attacks using a minimal modal logic [33,34]. The syntax is compact:

$$\psi ::=X\equiv Y|\langle \pi \rangle \psi$$

where $X\equiv Y$ represents equality, and $\langle \pi \rangle \psi$ denotes a diamond modality.

The semantics is as follows:

$$\nu a.\varphi P\vDash X\equiv Y\mathrm{iff}X\varphi \equiv Y\varphi \mathrm{and}a\notin X,Y.$$

$$A\vDash \langle \pi \rangle \psi \mathrm{iff}\exists B\mathrm{such}\mathrm{that}A\stackrel{\pi }{\to }B\mathrm{and}B\vDash \psi .$$

If a formula $\psi$ is satisfied by A but not B, i.e., $A\vDash \psi$ and $B\neg \vDash \psi$, then $A\neg \sim B$. This fragment suffices for the analysis of the BDH protocol, as it captures an attacker’s strategy—demonstrating a transition trace distinguishing two processes.

I employ this modal logic to present the attack on the BDH protocol in the proof of Theorem 1.

6. Unlinkability

This section establishes unlinkability through process equivalence and illustrates how the BDH protocol, as shown in Figure , does not fulfill this requirement.

6.1. Challenges in Verifying Unlinkability

A key complexity in the unlinkability definition by Arapinis et al. [1] is its reliance on weak transitions in bisimilarity. Given a process X and a transition label $\tau$, there may exist infinitely many states Y such that $X\stackrel{\tau }{\to }Y$, complicating the verification process.

To address this, I adopt the method of Horne and Mauw [2], which simplifies verification by reducing weak to strong bisimilarity while preserving unlinkability. Their approach expresses protocols in the applied $\pi$-calculus in a way that retains security properties while facilitating verification. This not only ensures safety—since bisimilarity is stronger than trace equivalence—but also opens avenues for automated verification, as discussed.

Alternatively, unlinkability verification could leverage trace equivalence with established tool support. Recent work by Baelde, Delaune, and Moreau [3] explores this approach for stateful protocols. However, the BDH analysis suggests that ignoring certain protocol components—such as the terminal, which shares no secret with the card—may undermine unlinkability by exposing reactions of honest participants.

6.2. Definition of Unlinkability

One simple way to achieve unlinkable payments is by using single-use cards that expire immediately after one transaction. These cards ensure payments remain unlinkable. I define unlinkability as follows: if a real-world system, where cards are reused, is indistinguishable from an ideal system where each card is discarded after use, then unlinkability is preserved.

Let $P_k,p,qh$ represent the card processing scheme parameterized by the system’s secret key k, communication channel $qh$, and the card’s secret key p. The formal definition follows:

Definition 1 

(Unlinkability). A card processing scheme P satisfies unlinkability if:

$$\begin{array}{cc}\hfill \nu k.{\mathsf{out}}_{\mathit{pkl}}& !\nu p.\nu qh.{\mathsf{card}}_{qh}.P_{k,p,qh}\hfill \\ \hfill & \equiv \nu k.{\mathsf{out}}_{\mathit{pkl}}!\nu p.!\nu qh.{\mathsf{card}}_{qh}.P_{k,p,qh}\hfill \end{array}$$

(1)

The left-hand process represents the ideal system where a card is used only once. It begins by generating the system’s secret key k, followed by making the public key $pkl$ accessible via the output on the public channel $\mathsf{out}$. Each new card p is limited to a single execution of the payment protocol.

The right-hand process represents the real-world case where a card can be used multiple times. If both processes are equivalent under quasi-open bisimilarity, then the payment system maintains unlinkability. Given that the equivalence notion is a congruence, unlinkability can be verified within a subsystem of only cards, ensuring the system remains unlinkable even in the presence of terminals. This is captured by the context:

$$\nu \mathsf{out}.{\mathsf{out}}_{\mathit{pkl}}.{\mathsf{out}}_{\mathit{pkl}}!\nu q{h}_t.{\mathsf{term}}_{q{h}_t}.T_{\mathit{pkl},q{h}_t}$$

(2)

where $\mathsf{out}$ is a public channel used to announce the system’s public key. A detailed proof of this context’s validity in representing a full system with cards and terminals is provided in [4], which covers quasi-open bisimilarity and proves as a sound and complete congruence.

In summary, the left-hand process in Equation (1) serves as the specification, and the right-hand process as the implementation. If a protocol satisfies this equivalence, it adheres to the specification. This aligns with unlinkability formulations in prior work [1], with the distinction that only cards are considered since terminals receive only the public key.

In both cases, the card uses a newly generated session channel $qh$, output via the public channel $\mathsf{card}$, allowing attackers to observe and influence radio frequency communication.

A unique session channel per transaction is mandated by ISO/IEC 14443 [36], which governs contactless EMV cards. This feature removes silent $\tau$-transitions in the studied protocols, enabling the use of strong bisimilarity and simplifying proofs.

7. BDH Is Not Unlinkable

With the unlinkability definition in place, I now demonstrate that the Blinded Diffie-Hellman (BDH) protocol from Figure 3 fails to achieve unlinkability.

Theorem 1.$\mathsf{Xyzs},\mathsf{p},\mathsf{qh}$ violates unlinkability.

Proof. The attack on BDH unlinkability follows the modal logic formula notation from Section IV-D. Consider the processes below, where $\mathsf{Xyz}$ is defined in Section IV-A.

$$\mathsf{XyzSpec}\equiv \nu k.\mathsf{outpkl}.!\nu p.\nu qh.\mathsf{cardqh}.\mathsf{Xyz}$$

$$\mathsf{XyzImpl}\equiv \nu k.\mathsf{outpkl}.!\nu p.!\nu qh.\mathsf{cardqh}.\mathsf{Xyz}$$

To show that $\mathsf{XyzSpec}\neg \sim \mathsf{XyzImpl}$, I define a formula satisfied by $\mathsf{XyzImpl}$ but not by $\mathsf{XyzSpec}$. Consider the formula $\varphi$:

$$\begin{array}{cc}& \langle \mathsf{outpkl}\rangle \hfill \\ & \langle {\mathsf{card}}_{z_1}\rangle \langle z_1{x}_1\rangle \langle z_1{\theta }_{m_1},r\rangle \langle z_1{y}_1\rangle \hfill \\ & \langle {\mathsf{card}}_{z_2}\rangle \langle z_2{x}_2\rangle \langle z_2{\theta }_{m_2},r\rangle \langle z_2{y}_2\rangle \hfill \\ & \left[\mathsf{snddec}(y_1,h{\theta }_{m_1},x_1)\mathsf{snddec}(y_2,h{\theta }_{m_2},x_2)\right]\hfill \end{array}$$

The formula captures two BDH protocol sessions. For $\mathsf{XyzImpl}$, both sessions can involve the same card, say $p_1$. The final equality test compares certificates obtained in each session. Since the terminal decrypts both, and the certificate is bound to the card identity $p_1$, the test holds in $\mathsf{XyzImpl}$. However, in $\mathsf{XyzSpec}$, each session uses a new card, ensuring the certificates differ and preventing equality.

Thus, $\mathsf{XyzImpl}\vDash \varphi$, but $\mathsf{XyzSpec}\neg \vDash \varphi$, proving that BDH does not satisfy unlinkability.

8. Enhancing Blinded Diffie-Hellman for True Unlinkability

In this section, I propose an improved version of the BDH protocol introduced by EMVCo, termed Secure Unlinkable BDH (SUBDH). This enhancement integrates a certification mechanism where certificates remain invariant under blinding operations. To achieve this, I leverage a certification scheme that preserves this property—the Verheul certification scheme—and present a formal proof demonstrating that the proposed modification ensures unlinkability for the BDH protocol [2].

8.1. Obscured Diffie-Hellman with Encrypted Certificates

As examined in Section III-B and formally proven in Theorem 1, the BDH protocol introduced by EMVCo does not achieve unlinkability due to the visibility of the card’s fixed certificate and associated blinding factor. While this architecture supports terminal verification, it inadvertently exposes the card’s public key, making it susceptible to tracking. To mitigate this issue, I propose an improved authentication framework that conceals both the public key and its corresponding cryptographic signature.

To realize this enhancement, I have refined the choice of signature algorithm (which was left unspecified in EMVCo’s original design) to enforce secure certificate verification. In particular, I ensure that the blinding function and the signature generation process remain interchangeable. This guarantees that the card’s public key can be blinded alongside its signature at the start of a transaction, allowing authentication to proceed without decryption. Consequently, only the obfuscated version of the public key is exposed during communication.

The equational theory $\mathcal{G}$ governing this protocol refinement extends the existing equational system ${\mathcal{G}}_0$ from Figure 2 by incorporating the relation depicted in Figure 7, which enforces the commutativity of scalar multiplication and signing.

$$\theta X,{\mathsf{sign}}_{P,Z}\equiv {\mathsf{sign}}_{\theta X,P},Z$$

Figure 7. Extended equational theory ensuring blinding preserves signatures.

This property guarantees that when a signature is obfuscated using a blinding factor, the corresponding message remains concealed by the same factor. This enables authentication without revealing the underlying public key. The modified BDH protocol is depicted informally below, with its formal specification in $\pi$-calculus provided below.

$${\mathsf{C}}_{\mathsf{mod}}(t,u,v)\equiv \nu b.v\langle \theta b,\theta u,g\rangle .vw.$$

$$\mathsf{let}{k}_u\equiv h\theta b·u,w\mathsf{in}$$

$$\mathsf{let}n\equiv (\theta b,\theta u,g,\theta b,{\mathsf{sign}}_{\theta u,g}),t\mathsf{in}$$

$$v\langle n,k_u\rangle$$

$${\mathsf{T}}_{\mathsf{mod}}(pku,v)\equiv \nu d.v{x}_1.v\langle \theta d,g\rangle .$$

$$v{x}_2.$$

$$\mathsf{let}{k}_d\equiv h\theta d,x_1\mathsf{in}$$

$$\mathsf{let}{n}_1,n_2\equiv (\mathsf{fstdec}(x_2,k_d),\mathsf{snddec}(x_2,k_d))\mathsf{in}$$

$$\mathsf{if}{n}_1=\mathsf{check}(n_2,pku)\mathsf{then}$$

$$\mathsf{if}{n}_1=x_1\mathsf{then}v\langle \mathsf{auth}\rangle$$

Our modification distinguishes itself from the original BDH protocol by ensuring that the message $y_2$, transmitted by the card, includes only the (encrypted) obfuscated certificate. The terminal never gains access to the card’s unobscured public key, as the masking factor $\lambda$ remains confidential and undisclosed.

A certification scheme that satisfies both the blinding condition depicted in Fig. 7 and the technical constraints of the BDH protocol is the Verheul certification scheme [21]. When deployed on smart cards [22] utilizing BN3 curves [38], it achieves a blinded certificate presentation time of 0.45 seconds, remaining within the 500ms threshold required by card readers [39]. Although EMVCo [2] recommends the adoption of the p256 curve, transitioning to a pairing-friendly BN curve does not degrade on-card performance. This has been empirically confirmed by Dzurenda et al. through their comparative assessment of elliptic curves in smart card implementations [40].

8.2. Self-Blindable Certificates and BDH Unlinkability

I now provide a formal proof of unlinkability for the Unlinkable BDH protocol, using the quasi-open bisimilarity equivalence (Def. 4). I define $UBD{H}_{\mathrm{spec}}$ and $UBD{H}_{\mathrm{impl}}$ as:

$$\begin{array}{cc}\hfill UBD{H}_{\mathrm{spec}}& \triangleq \nu t.\mathrm{outpku}.\nu u.\nu v.\mathrm{cardv}.{\mathcal{C}}_{\mathrm{mod}},u,v\hfill \\ \hfill UBD{H}_{\mathrm{impl}}& \triangleq \nu t.\mathrm{outpku}.\nu u.\nu v.\mathrm{cardv}.{\mathcal{C}}_{\mathrm{mod}},u,v\hfill \end{array}$$

Theorem 2.${\mathcal{C}}_{\mathrm{mod}},u,v$ ensures unlinkability.

Proof. By Def. 5, I must show:

$$UBD{H}_{\mathrm{spec}}\equiv UBD{H}_{\mathrm{impl}}.$$

To do so, I construct a quasi-open bisimulation Q such that $UBD{H}_{\mathrm{spec}}QUBD{H}_{\mathrm{impl}}$.

Previous work [21] used symmetric pairings on supersingular curves, but this method precedes the asymmetric approach, simplifying Decisional Diffie-Hellman problems and requiring larger field sizes (which slow down on-card computation) for equivalent security [37].

To construct Q, I introduce indices $r\in \{1,\dots ,R\}$ and $s\in \{1,\dots ,S\}$ to track sessions and cards.

Define $n_s^{b,w}$ as the encrypted blinded certificate:

$$n_s^{b,w}=({\theta }_b,{\theta }_{su,g},{\theta }_b,\mathrm{sign}({\theta }_{su,g},t))h\left({\theta }_{bsw}\right)$$

Partitioning sessions $\Xi =\{\rho ,\sigma ,\tau ,\omega \}$:

- $\rho$: Sessions where the channel is created, but no message sent. - $\sigma$: Sessions where the blinded key is sent, but no response received. - $\tau$: Sessions where a response is received, but no encrypted blinded certificate sent. - $\omega$: Sessions where the encrypted blinded certificate is sent.

Define a partition $\Lambda =\{{\xi }_1,\dots ,{\xi }_S\}$ for card-based session grouping.

Let $W=(W_1,\dots ,W_R)$ denote session inputs. Define:

$$\begin{array}{cc}\hfill A_s^v& \triangleq \nu b.v({\theta }_b,{\theta }_{su,g}).B_s^{v,b}\hfill \\ \hfill B_s^{v,b}& \triangleq v_w.C_s^{v,b,w}\hfill \\ \hfill C_s^{v,b,w}& \triangleq v\langle n_s^{b,w}\rangle \hfill \\ \hfill D_s& \triangleq 0\hfill \end{array}$$

The bisimulation relation Q satisfies constraints in Figure 9, ensuring $UBD{H}_{\mathrm{spec}}QUBD{H}_{\mathrm{impl}}$. Proofs for transitions are in [41], covering bisimulation, openness, and static equivalence.

Figure 8. Bisimulation relation conditions.

Figure 8. Bisimulation relation conditions.

Figure 9. Stages of the EMV 1st Gen protocol.

Figure 9. Stages of the EMV 1st Gen protocol.

8.3. Conditions for the Bisimulation Relation S

Case 1.$UP{R}_{\mathrm{spec}}SUP{R}_{\mathrm{impl}},outmsg$. The process $UP{R}_{\mathrm{spec}}$ transitions via $outmsg$ to state $UP{R}_{\mathrm{spec}}^{\prime }$. There exists a state $UP{R}_{\mathrm{impl}}^{\prime }$ to which $UP{R}_{\mathrm{impl}}$ transitions via $outmsg$. By definition of S, I have $UP{R}_{\mathrm{spec}}^{\prime }SUP{R}_{\mathrm{impl}}^{\prime }$.

Case 2.$UP{R}_{\Theta ,\mathrm{spec}}^{X}SUP{R}_{\Theta ,\Lambda ,\mathrm{impl}}^X,card{L}_A$. The process $UP{R}_{\Theta ,\mathrm{spec}}^X$ transitions via $card{L}_A$ to state

$$C{H}_{\mathrm{spec}}=UP{R}_{\mu L_A,\nu ,\xi ,\eta ,\mathrm{spec}}^{X_1,\dots ,X_N}$$

In $UP{R}_{\Theta ,\Lambda ,\mathrm{impl}}$, either a card e initiates a new session leading to state

$$C{H}_{\mathrm{impl}}=UP{R}_{\mu L_A,\nu ,\xi ,\eta ,\mathrm{impl}}^{X_1,\dots ,X_N,\kappa e{L}_A}$$

or a new card is generated, yielding state

$$CH{C}_{\mathrm{impl}}=UP{R}_{\mu L_A,\nu ,\xi ,\eta ,\Lambda L_A,\mathrm{impl}}^{X_1,\dots ,X_N}$$

By definition of S, I have $C{H}_{\mathrm{spec}}SC{H}_{\mathrm{impl}}$ and $C{H}_{\mathrm{spec}}SCH{C}_{\mathrm{impl}}$.

Case 3.$UP{R}_{\Theta ,\mathrm{spec}}^{X}SUP{R}_{\Theta ,\Lambda ,\mathrm{impl}}^X,lvlup,\mathrm{where}m=\mu$. The process $UP{R}_{\Theta ,\mathrm{spec}}^X$ transitions via $lvlup$ to state

$$AP{K}_{\mathrm{spec}}=UP{R}_{\mu m,\nu m,\xi ,\eta ,\mathrm{spec}}^X$$

with a corresponding state in the implementation:

$$AP{K}_{\mathrm{impl}}=UP{R}_{\mu m,\nu m,\xi ,\eta ,\Lambda ,\mathrm{impl}}^X$$

By definition of S, I have $AP{K}_{\mathrm{spec}}SAP{K}_{\mathrm{impl}}$.

Case 4.$UP{R}_{\Theta ,\mathrm{spec}}^{X}SUP{R}_{\Theta ,\Lambda ,\mathrm{impl}}^X,lvl{X}_m,\mathrm{where}m=\nu$. Let ${\psi }_m^{X,Z}$ denote the list obtained by replacing the m-th entry in X with Z. Then, $UP{R}_{\Theta ,\mathrm{spec}}^X$ transitions via $lvl{X}_m$ to state

$$I{N}_{\mathrm{spec}}=UP{R}_{\mu ,\nu m,\xi m,\eta ,\mathrm{spec}}^{{\psi }_m^{X,X_m}}$$

with a corresponding state in the implementation:

$$I{N}_{\mathrm{impl}}=UP{R}_{\mu ,\nu m,\xi m,\eta ,\Lambda ,\mathrm{impl}}^{{\psi }_m^{X,X_m}}$$

By definition of S, I have $I{N}_{\mathrm{spec}}SI{N}_{\mathrm{impl}}$.

Openness.S is open by definition: if $ASB$, then $A\sigma SB\sigma$ for any fresh substitution $\sigma$. No substitution $\sigma$ introduces transitions beyond those considered. Since

$$fv\left(UP{R}_{\mathrm{spec}}\right)=fv\left(UP{R}_{\mathrm{impl}}\right)\cup \{out,card\}$$

only $out$, $card$, and free variables in $X_m$ are affected. Modifying proof trees is straightforward [41].

Static Equivalence. I show that A and B are statically equivalent when $ASB$. For $UP{R}_{\mathrm{spec}}SUP{R}_{\mathrm{impl}}$, frames are empty, so there is nothing to prove. The proof for $UP{R}_{\Theta ,\mathrm{spec}}^{X}SUP{R}_{\Theta ,\Lambda ,\mathrm{impl}}^X$ follows in Lemma 3.

Lemma 3.$UP{R}_{\Theta ,\mathrm{spec}}^X$ and $UP{R}_{\Theta ,\Lambda ,\mathrm{impl}}^X$ are statically equivalent.

Proof. Let

$$\nu v.\zeta P=UP{R}_{\Theta ,\mathrm{spec}}^X,\nu w.\tau Q=UP{R}_{\Theta ,\Lambda ,\mathrm{impl}}^X.$$

I prove that for all messages M, N, where $v\#M,N$,

$$M\zeta {\equiv }_{E}N\zeta \mathrm{iff}M\tau {\equiv }_{E}N\tau .$$

Unlinkable Authentication for BDH

The BDH protocol ensures unlinkability of the card while allowing authentication by the terminal. I emphasize unlinkability, validated via ProVerif [42].

The system process is defined as:

$$\mathrm{SYS}=\nu r.!\nu d.!\nu c{h}_d.\mathrm{card}\langle c{h}_d\rangle .C_r,d,c{h}_d$$

$$\mathrm{out}\langle p{k}_r\rangle .!\nu c{h}_s.\mathrm{term}\langle c{h}_s\rangle .T_{p{k}_r},c{h}_s$$

Using $C_{\mathrm{ref}}$, $T_{\mathrm{ref}}$ or $C_{\mathrm{upd}}$, $T_{\mathrm{upd}}$, I derive ${\mathrm{SYS}}_{\mathrm{ref}}$ and ${\mathrm{SYS}}_{\mathrm{upd}}$. Each session advertises a fresh channel.

Definition 8. (Injective Agreement) Process SYS satisfies injective agreement if for every trace ${\pi }_0,{\pi }_1,...,{\pi }_n$,

$$\mathrm{SYS}⊢{\pi }_0\dots {\pi }_n⊢\mathrm{true}$$

there exists an injective function $g:N\to N$ ensuring:

- For $0\le b\le n$,

$${\pi }_b\equiv T_{b}u$$

and

$$\mathrm{SYS}⊢{\pi }_0\dots {\pi }_n⊢u_{\mathrm{auth}}$$

- For some $0\le j\le k\le b$,

$${\pi }_j=T_j{N}_j,{\pi }_k=T_k{N}_k$$

- For $0\le g\left(b\right)\le j\le k\le b$, with ${\pi }_{g\left(b\right)}=C_{\mathrm{fa}}c{h}_d$,

$${\pi }_j=C_j{u}_j,{\pi }_k=C_k{N}_k$$

and

$$\mathrm{SYS}⊢{\pi }_0\dots {\pi }_n⊢C_{\mathrm{fa}}\mathrm{card}{\psi }_j{\psi }_k$$

where $\psi \equiv uNc{h}_{d}C{T}_{b}T$.

9. Unlinkability Challenges in EMV 1st Gen

Despite the presence of UBDH key agreement, ensuring complete unlinkability in EMV 1st Gen transactions remains challenging without significant protocol and back-end modifications [1]. Notably, EMVCo has not explicitly defined the coexistence of BDH with the current EMV framework.

Assuming the key agreement precedes data transmission, I outline a generic EMV transaction, emphasizing points where card identification occurs. Sources of identity include unique identifiers (e.g., card number) and broader attributes (e.g., supported data formats). This section does not comprehensively describe the EMV protocol but focuses on key steps relevant to unlinkability.

9.1. EMV Transaction Flow

An EMV transaction involves terminal commands (optionally carrying data) and card responses, progressing through stages depicted in Figure 7. A successful transaction culminates in cryptogram generation, which the terminal submits to the bank for authorization. Below, I summarize each stage, addressing unlinkability concerns in both passive and active attack scenarios.

9.1.1. Initialization

Initially, the terminal queries the card for supported applications, and the card responds with a list (e.g., Visa Debit, Maestro). If BDH is applied after this step, a passive attacker can still differentiate cards based on selected applications, undermining unlinkability. A potential mitigation is assigning all cards the same identifier and incorporating group signatures, ensuring distinct keys per issuer while enabling unified verification. Such modifications may be considered in EMV 2nd Gen.

Next, the card transmits the PDOL (Processing Data Object List), specifying the transaction parameters (e.g., transaction amount, currency) that the terminal must supply. Upon receiving this request, the terminal provides the required data and subsequently requests the AIP (Application Interchange Profile) and AFL (Application File Locator) lists. The AIP defines the authentication mechanisms supported by the card, whereas the AFL identifies memory locations where essential transaction-related information, such as the card identifier and security certificate, are stored.

According to the EMV 1st Generation standard, the following elements must be retained:

• Expiration Date of the Application
• Card Identification Number (CIN)
• Card Risk Assessment Data Object Lists (CRADOLs): These define the terminal-supplied data necessary for generating cryptographic responses (e.g., country code, unpredictable number). Additionally, they often include digital certificates and indices for public keys used in the payment system.

Application selection already compromises unlinkability, as payment system lists act as coarse identifiers. While BDH protects PDOL and subsequent data from passive eavesdroppers, an active attacker can still fingerprint cards via AIP, AFL, and CDOL variations. Standardizing transaction details across all cards could make PDOL obsolete, but modifying application selection would necessitate extensive protocol revisions. The main challenge lies in concealing strong identifiers such as the card number, which is essential for routing cryptograms to the bank.

9.1.2. Offline Data Authentication

Offline Data Authentication (ODA) is an optional feature in the EMV 1st Generation standard, allowing the terminal to validate the authenticity of card-provided information [2]. Multiple approaches exist for performing this verification.

9.1.2.1. Dynamic Data Authentication (DDA)

When DDA is employed, the card may transmit the DDOL (Dynamic Data Object List), which defines the terminal-supplied parameters necessary for authentication. The DDOL itself functions as a subtle identifier, contributing to the card’s unique digital footprint. If the DDOL is unavailable, the terminal instead provides a random challenge (nonce), and the card responds with a cryptographic signature covering both the challenge and its own nonce. Although the signature alone does not explicitly disclose the card’s identity, its verification depends on the card’s public key and digital certificate, both of which are distinct for each card.

9.2. Combined Data Authentication (CDA)

CDA integrates authentication into the Transaction Authorization phase. It follows DDA principles but includes transaction-specific data such as the cryptogram.

Since supported ODA methods are disclosed during initialization via AIP, their selection does not introduce new identifiers. However, all ODA methods involve a unique card identifier, breaking unlinkability for an active attacker. Passive attackers are excluded at this stage due to session encryption.

With BDH or UBDH, ODA is inherently embedded in the key agreement, making it redundant in a potential EMV 2nd Gen protocol.

9.3. Cardholder Authentication

Cardholder authentication is an optional feature within the EMV framework. Cards that support this capability specify a set of permitted verification methods during the initialization phase, which becomes part of their security profile and is accessible only to active adversaries. Accepted authentication techniques include manual signature verification, PIN entry, or authentication through a consumer’s personal device (e.g., biometric recognition on a smartphone), with the latter falling outside the scope of the EMV standard.

For the threat model, I assume that PINs and signatures remain confidential and are disclosed solely to authorized entities. A PIN must never be entered into a compromised terminal, as doing so would expose it to potential misuse by malicious devices. Such an exposure would violate a core security principle of EMV—safeguarding the cardholder’s financial assets—thus compromising not only privacy but also transaction integrity.

9.4. Transaction Authorization

The final and obligatory stage of the transaction process is Transaction Authorization, where the terminal instructs the card to generate an Application Cryptogram (AC). This cryptographic value, often derived using an HMAC function, is computed over transaction-related data from both the card and terminal. The required data fields are determined by the Card Risk Management Data Object Lists (CDOLs) exchanged earlier during the initialization phase. The computation relies on a key derived from the shared secret $sk$ between the card and the issuing bank, combined with the Application Transaction Counter (ATC).

According to the EMVCo specifications in Book 2 of the EMV 1st Generation standard [1], the cryptogram must encapsulate essential elements such as the cryptogram type (e.g., approve, decline, online verification request), the card identifier, and the ATC. Notably, for security and transaction integrity, the cryptogram must always be transmitted alongside the dataset used in its computation. However, this transmission raises linkability concerns in adversarial scenarios, as the inclusion of both the ATC and card number introduces identifiable patterns that could be exploited by malicious entities.

10. The Future of Unlinkable EMV Transactions

Our analysis shows that even enhancing the anti-eavesdropping requirement to ensure full unlinkability against passive attackers (effective within 1m–20m) would necessitate updates at the application selection stage of EMV 1st Gen. However, such modifications would be impractical for incremental rollout due to the coordination required among EMVCo and its adopters.

Strengthening unlinkability against active attackers (within 1m) is even more challenging, as eliminating all card-identifying data from the terminal would require fundamental changes to the EMV standard. Direct card identifiers are essential for key EMV functionalities, including network routing (card number) and data authentication (card’s public key).

Ultimately, BDH only satisfies the anti-eavesdropping requirement during transaction data transmission. UBDH, aiming for stronger unlinkability, demands substantial infrastructural changes. The feasibility of a comprehensive unlinkable transaction protocol remains an open research question for future collaboration with EMVCo.

11. Conclusion

This paper analyzes the Blinded Diffie-Hellman (BDH) key exchange protocol (Fig. 3), introduced by EMVCo as a means to incorporate encryption into the 2nd Generation EMV payment framework. While BDH enables the establishment of a symmetric session key between the payment card and the terminal, thereby meeting the preliminary security requirements outlined by EMVCo, I demonstrate that it fails to safeguard cardholder privacy against adversarial entities capable of active attacks.

In particular, Theorem 1 demonstrates that an active adversary can compromise BDH’s unlinkability property. To mitigate this issue, the enhanced protocol (Fig. 8) incorporates a cryptographic signature scheme that adheres to the blinding compatibility requirement. Section VI-A discusses Verheul signatures as a suitable candidate that meets these conditions.

To validate the proposed enhancement, we define a formal unlinkability criterion (Definition 5) and apply it within the $\pi$-calculus framework to the improved Unlinkable Blinded Diffie-Hellman (UBDH) model (Theorem 2). Our analysis confirms that UBDH successfully achieves an unlinkable key agreement mechanism.

The first major insight from this study pertains to the security assumptions in EMVCo’s secure channel design [2]. The anti-eavesdropping protections embedded in the BDH protocol, as specified in the 2nd Generation EMV standards [2,3], provide a reasonable level of privacy reinforcement under the constraints of existing EMV infrastructure. However, by extending the analysis to include adversaries capable of active attacks (Definition 5), we expose vulnerabilities in BDH’s anti-tracking guarantees [2]. Through Theorem 1, I formally establish that unlinkable key exchange is feasible under these conditions, though complete transaction unlinkability in the presence of active adversaries remains unattainable within the EMV 1st Generation protocol framework (Section VIII).

The second significant takeaway concerns the verification methodology. Our refined unlinkability definition (Definition 5) leverages quasi-open bisimilarity, a congruence property that enables compositional reasoning in security protocol analysis. This advanced bisimilarity approach facilitates proving unlinkability across multiple protocol sessions. A key challenge lies in constructing the relational framework depicted in Fig. 9, after which our method verifies that it satisfies the criteria for quasi-open bisimulation. Furthermore, the equational theory underlying our approach extends beyond current equivalence verification tools, potentially informing future developments in automated verification methods.

As EMVCo continues refining the 2nd Generation EMV protocol [45], growing awareness of these privacy challenges and the development of advanced verification techniques like ours may influence decision-makers to place greater emphasis on unlinkable payment mechanisms.