Paper 2011/615

On the Joint Security of Encryption and Signature in EMV

Jean Paul Degabriele, Anja Lehmann, Kenneth G. Paterson, Nigel P. Smart, and Mario Strefler


We provide an analysis of current and future algorithms for signature and encryption in the EMV standards in the case where a single key-pair is used for both signature and encryption. We give a theoretical attack for EMV's current RSA-based algorithms, showing how access to a partial decryption oracle can be used to forge a signature on a freely chosen message. We show how the attack might be integrated into EMV's CDA protocol flow, enabling an attacker with a wedge device to complete an offline transaction without knowing the cardholder's PIN. Finally, the elliptic curve signature and encryption algorithms that are likely to be adopted in a forthcoming version of the EMV standards are analyzed in the single key-pair setting, and shown to be secure.

Note: Correction of "1968" to "1984" in Table 1 and text.

Available format(s)
Publication info
Published elsewhere. An abridged version of this work appears at CT-RSA 2012. This is the full version.
Contact author(s)
kenny paterson @ rhul ac uk
2011-12-16: last of 4 revisions
2011-11-15: received
See all versions
Short URL
Creative Commons Attribution


      author = {Jean Paul Degabriele and Anja Lehmann and Kenneth G.  Paterson and Nigel P.  Smart and Mario Strefler},
      title = {On the Joint Security of Encryption and Signature in EMV},
      howpublished = {Cryptology ePrint Archive, Paper 2011/615},
      year = {2011},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.