Abstract
The most prevalent smart card-based payment method, EMV, currently offers no privacy to its users. Transaction details and the card number are sent in cleartext, enabling the profiling and tracking of cardholders. Since public awareness of privacy issues is growing and legislation, such as GDPR, is emerging, we believe it is necessary to investigate the possibility of making payments anonymous and unlinkable without compromising essential security guarantees and functional properties of EMV. This paper draws attention to trade-offs between functional and privacy requirements in the design of such a protocol. We present the UTX protocol - an enhanced payment protocol satisfying such requirements, and we formally certify key security and privacy properties using techniques based on the applied π-calculus.
| Original language | English |
|---|---|
| Title of host publication | CCS '23 |
| Subtitle of host publication | Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security |
| Place of Publication | New York, NY |
| Pages | 1392-1406 |
| Number of pages | 15 |
| ISBN (Electronic) | 9798400700507 |
| DOIs | |
| Publication status | Published - 15 Nov 2023 |
| Event | 30th ACM SIGSAC Conference on Computer and Communications Security, CCS 2023 - Copenhagen, Denmark Duration: 26 Nov 2023 → 30 Nov 2023 |
Conference
| Conference | 30th ACM SIGSAC Conference on Computer and Communications Security, CCS 2023 |
|---|---|
| Country/Territory | Denmark |
| City | Copenhagen |
| Period | 26/11/23 → 30/11/23 |
Funding
Semen Yurkov is supported by the Luxembourg National Research Fund through grant PRIDE15/10621687/SPsquared. We thank the reviewers for their thorough analysis of our threat model and assessment of the scope of related work on tools.
Keywords
- payment protocols
- protocol design
- security analysis