Sage Journals: Discover world-class research

Abstract

In recent years, the incorporation of NFC (Near Field Communication) technology into mobile devices has led to changes in payment system environments. Currently, the NFC mobile payment service is leading the mobile payment market. In particular, most electronic payment services, such as those used by Google Inc. and Apple Inc., are adopting payment methods based on NFC to replace credit cards. In addition, related groups from the Republic of Korea have enhanced safety in communication by using standard techniques for activating NFC services. However, various security threats are still present in electronic payment methods that use NFC. In this paper, we propose a mutual authentication scheme based on a lattice for conditional anonymity in NFC-PCM (Near Field Communication-Passive Communication Mode) payment services environments.

1. Introduction

The inclusion of NFC (Near Field Communication) technology in mobile devices has resulted in changes in payment system environments that have been maintained over the past few years. As a result, payment methods based on NFC are currently leading the mobile payment market. In particular, companies such as Google, Apple, and Samsung have established new mobile payment services that have attracted attention as the means for replacing preexisting payment methods requiring the use of credit cards. Currently, most mobile payment services provide such services through the FIDO (Fast Identity Online) standard and tokenization technology. FIDO enables secure communication between mobile devices using wireless communication technology and supports the use of NFC. The disadvantage of mobile payment services is that such services cannot be used when the power is interrupted. Therefore, industry and academia have been conducting research on payment services that use NFC-PCM (Near Field Communication-Passive Communication Mode).

In payment services that use PCM, NFC tags draw their operating power from the electromagnetic field received from the reader of the NFC initiating device. A problem that might be encountered with this method would be low computing power and limited storage space in the NFC device. In particular, if the NFC-based device used in the payment service environment operates only through XOR, AND, and add operations, providing security for payment information might be difficult. Therefore, research that resolves this problem is understandably urgent. In recent years, many incidents related to privacy have occurred. Accordingly, companies that provide online services are demanding the appropriate level of information required to render the particular service they provide. That is, some companies do not require user information; for example, when registering in some domestic portal sites, these sites do not require social security numbers and may prefer to discard the social security numbers they have collected. Thus, personal information has emerged as an important social issue. Given the importance of privacy, problems associated with the disclosure of financial information can be seen as significant. According to the “Final Report of Measures on NFC Personal Information Protection” published by the Korea Internet and Security Agency, the information used for an NFC mobile credit card payment is collected and stored at shops, VAN (value-added network) companies, and card companies through networks. Thus, if POS (point-of-sale) terminals in shops are hacked, personal financial information can be stolen. In one case, the credit card information of almost 100,000 persons was leaked via the aforementioned attack method [1]. Even if an encryption algorithm with high cryptographic strength were to be applied, user identification or financial information could be exposed to a variety of attacks. Therefore, it is necessary to consider the application of anonymous authentication techniques that do not expose sensitive personal information.

Anonymous authentication technology is a type of technology that proves that the relevant parties have reasonable qualifications without the need for these parties to share any privacy information. Initial anonymous authentication technology was mainly utilized for the use of electronic money exchange or electronic voting. In recent years, research has been conducted on authentication methods for protecting personal information. Anonymous authentication techniques can distinguish between users depending on the level of anonymity provided by each technique. The anonymity level is determined by the availability of related information and the degree of anonymity required. In addition, related information can be divided into two categories: identifying information and connection information. Identifiable information is the information used by individuals who want to identify themselves, such as their name, social security number, and email address. Connection information is the information related to party-certification process handling. Examples of connection information are PKI-based digital signatures, where the name listed in the certificate can be considered an identity. The signature value generated from using the certificate cannot be easily decrypted by the user. Instead, the use of a signature value would require the generation of the same key to enable the recipient to access the connection information. Ki et al. [2] composed an anonymity level in six steps in order to separate the two types of information into complete, conditional, and no exposure. In this paper, we propose a new mutual user authentication scheme for privacy detection in NFC-PCM mobile payment environments. The remainder of this paper is organized as follows. Section 2 presents background research on lightweight NFC authentication for low-cost environments and NFC operating modes. Section 3 provides an analysis of the security requirements of NFC payment services. Section 4 proposes lightweight mutual authentication for NFC-PCM environments. Section 5 presents the security requirements and our analysis of the proposed scheme, and Section 6 concludes the paper.

2. Related Work

In this section, we describe related authentication schemes based on NFC operating modes and low-cost NFC authentication methods.

2.1. NFC Operating Modes

NFC is generally divided into PCM and ACM (Active Communication Mode). PCM is a method that enables a passive target device (e.g., an RFID tag) to respond to the initiator of the communication by using operating power obtained from the electromagnetic field provided by the initiator. In contrast, ACM is a method that enables communication between an initiator and a target device, both of which must be ACM-enabled such that both devices actively generate their own RF field on an alternating basis when communicating. While the target device waits for the initiator to send data through ACM, its RF field is temporarily deactivated. NFC-enabled devices can operate in three different communication modes, as depicted in the illustration in Figure 1. However, NFC mobile payment environments are required for payment services that use PCM-based NFC payment services. Nevertheless, PCM-based NFC mobile services are unsafe and can lead to privacy breaches.

Figure 1

NFC communication modes.

Our research focuses on PCM-based mutual authentication in low-cost NFC payment environments.

2.2. Business Models

The “LoopPay” solution is a solution for processing payments via electromagnetic waves in a noncontact manner, unlike traditional magnetic cards. It was developed in the US by the start-up company “LoopPay”, and the service is currently restricted to the United States. The characteristic of “LoopPay” is its ability to store multiple groups of plastic cards on one small payment device. It is known to be developed in a separate H/W and S/W system and is relatively safe in terms of security incidents. However, the internal structure of the system is not known. The COIN service was developed by the company “Only Coin” in San Francisco and is used in a similar manner as “LoopPay.” Such services are an example of the business model proposed in the present study.

2.3. Threat Models

Various studies [3, 4] have exposed security threats in the NFC service environment. In particular, the vulnerability of this study environment is attributable to the use of modulated NDEF (NFC Data Exchange Format) data. The exploitation of this vulnerability for attacks is possible because the user is required to make visual decisions. Accordingly, it is impossible to verify the reliability of a tag that is used to perform the payment. It would be possible to identify a genuine tag through the use of an authentication infrastructure and digital signature of an acceptable standard. However, this approach would be costly. Threats to which an NFC tag-based service is exposed are shown in Figure 2. Therefore, an NFC-PCM-based scheme should offer protection against the following security threats [5].

Figure 2

NFC tag attack scenario.

2.4. Related Work on Low-Cost NFCs

In most RFID application service environments, passive tags cannot easily perform complex calculations because of their limited processing capability. Consequently, a hash function-based protocol and lightweight cryptosystem technology have been proposed for solving the security and privacy issues of low-end RFID systems. Kaya et al., Batina et al., and Lee et al. [6–8] proposed an elliptic curve cryptography-based RFID authentication protocol. However, their proposal did not prove whether actual implementation is possible. In addition, their proposed methods have not been accepted by both NFC standards, and thus they are practically impossible to implement because of efficiency issues in RFID environments. In authentication studies conducted by Sekino et al. [9], the passive tag was enabled such that it has the ability to support the hash function to store information in large matrices and perform matrix operations. However, this method cannot be easily applied to a low-cost tag. Moreover, attackers can perform denial-of-service attacks on tags in low-cost environments. In particular, NFC storage, which accounts for high costs in terms of hardware, acts as a very important part of the same problems indicated above.

2.4.1. Jung

Jung [10] indicated that there is a risk for disguised attacks because user payment information remains on the tag reader. For low-cost NFC environments, Jung proposed an authentication mechanism that reduces the amount of computation through the use of the hash function and XOR operations. The objective of their proposed method was to employ the nonce value to prevent replay attacks. Because the nonce value changes in every session, the communication between devices is secured. However, the results from the XOR operations and simple hash function cannot easily provide safety to payment environments. Satisfying the various security requirements in payment environments is difficult. In addition, various similar studies were carried out, but their methods are not suitable for application in the NFC-PCM payment service environment [1, 11, 12].

2.4.2. Abughazalah et al.

Abughazalah et al. [13] proposed a protocol for the CasperFDR method that protects personal information and stores key information into the cloud. Their approach was to apply encryption using a certificate for the data exchange phase of every step of the protocol. However, this method is much less efficient in payment environments compared to nonpayment environments, and it is not applicable to the PCM environments proposed in this study.

2.5. NTRU

NTRU was proposed by Jeffrey Hoffstein during the Crypto Lump session of 1996. The public-key encryption scheme used by NTRU is based on a lattice problem. The basic operation is composed of a polynomial ring; the scheme was designated as a public-key encryption standard by IEEE as P1363.1. NTRU provides stability comparable to RSA and ECC, and its encryption and decryption speed is high (Table 1). Therefore, NTRU encryption technology is highly suitable for USN environments and devices with limited computational abilities that require lightweight encryption algorithms. ASC X9 in the United States has been designated as the standard with X.9.98 NTRUEncrypt for financial transaction data protection.

Table 1

NTRU key features.

Benefits	Details
Fast processing speed	(i) Providing faster than traditional methods (ii) RSA, ECC: exponentiation (iii) NTRU: polynomial (convolution add)

Safety	(i) NP-hard: CVP, SVP (ii) IEEE 1363.1 Standard Designation (iii) X9.98 Standard Designation in ASC X9

Easy implementation	(i) Addition, multiplication, and shift operation (ii) Most developers find NTRU easy to understand

Cost	(i) RSA, ECC (partially): license fees required (ii) NTRU: open source (license-free)

3. Security Requirements

NFC payment services should be provided with user authentication, integrity, and confidentiality functions in order to exchange data with external devices [10]. In addition, we need to consider the operational efficiency and safety of existing methods for PCM-based NFC environments. Therefore, our proposed scheme should satisfy the basic low-cost tag payment service security requirements of PCM-based NFC mobile payment environments. These requirements are as follows [14, 15]. (i)

Confidentiality. Because the data used for communication include sensitive billing information, only the legitimate communication object must be able to share this data. Even if sensitive data are exposed, an attacker should not be able to infer the value of the data.

(ii)

Integrity. It should not be possible to easily forge the data transmitted during communication because such data are the basis for financial transactions, for example, billing.

(iii)

Conditional Anonymous. The verifier should not need a separate verification protocol to be able to determine the personal information.

(iv)

Mutual Authentication. The idea is to provide mutual authentication of both communicating parties for legitimate user verification.

(v)

Safety. The idea is to satisfy basic requirements by providing a mutual authentication protocol and to maintain a high level of safety when communicating secret information.

(vi)

Efficiency. The idea is to provide high efficiency in terms of the amount of computation required by devices with limited computational abilities.

4. Proposed Schemes

In this section, we use the characteristics of the convolution multiplication operation of a polynomial to propose a lattice-based mutual authentication scheme for low-cost NFC-PCMs.

Our approach involves changing the method according to which the polynomials f, g are generated to create the user's secret key. The existing NTRU method chooses two small polynomials f, g from the truncated polynomial ring r; however, the existing method only calculated the inverse of f, whereas the proposed protocol requires the inverse of g. The parameter setting that was used for selecting f was also applied for selection of the precise small polynomial when g was generated.

4.1. System Parameters

The system parameters used in the proposed scheme are as follows: (i)

∗: object (A: user, B: bank or electronic payees),

(ii)

$H ()$ : hash function,

(iii)

Z: set of integers,

(iv)

g: group generator (primitive root),

(v)

$L_{f}$ , $L_{g}$ : subset of R (truncated polynomial ring),

(vi)

$f, g$ : private key polynomials of ∗ ( $f_{*} \in L_{f}$ , $g_{*} \in L_{g}$ ),

(vii)

$p, q$ : large prime numbers that satisfy $G C D (p, q) = 1$ , $p > q$ ,

(viii)

${g_{* p}}^{- 1}, {g_{* q}}^{- 1}$ : inverse polynomials of g,

(ix)

${f_{* p}}^{- 1}, {f_{* q}}^{- 1}$ : inverse polynomials of f,

(x)

I: the user's identity,

(xi)

$v_{*}$ : public key on truncated polynomial R ( $v_{*} = p {f_{* q}}^{- 1} \cdot g_{*} \in Z_{q} [X] / (X^{N} - 1)$ ),

(xii)

p: prime (1024 bits),

(xiii)

$r o t ()$ : rotate function; $r o t (x, y)$ is defined as “left rotating the value of $w (y)$ with x,” where $w (y)$ is the hamming weight of y [5].

4.2. Registration Phase

During initial registration, the user would be required to perform the steps indicated below on a dedicated application (app). The user uses the app to store their payment card information in the NFC tag. This information can later be changed if necessary. If the user's smartphone is shut down, it would be possible to use a credit card through the PCM that was set last. The following example considers a situation in which a user registers their mobile device with the bank to set up the device for making future payments.

Step 1.

The user chooses the secure key $f_{A}$ , $g_{A}$ and inverse function ${f_{A p}}^{- 1}$ , ${f_{A q}}^{- 1}$ of $f_{A}$ . Subsequently, the user computes his/her public key $v_{A}$ :

\begin{matrix} A : f_{A} \in L_{f}, g_{A} \in L_{g} \\ A : {f_{A p}}^{- 1}, {f_{A p}}^{- 1} \\ A : v_{A} = p {f_{A p}}^{- 1} \cdot g_{A} \in \frac{Z q [X]}{(X^{N} - 1)} . \end{matrix}

(1)

Step 2.

The user submits the user information and user public key $v_{A}$ to the bank, and the bank verifies the user's identity. The bank generates a public key certificate $C e r t (I, v_{A})$ through the user identity and public key $v_{A}$ generated by the user's information and issues it to the user. Next, the bank retains the user information:

\begin{matrix} A ⟶ B : U s e r I n f o, v_{A} \\ B : I d e n t i t y = T r u e ? \\ B : g e n e r a t e I u s i n g I d e n t i t y \\ B : g e n e r a t e C e r t (I, v_{A}) . \end{matrix}

(2)

4.3. User Verifying Phase

The user performs the steps indicated below in order to prove that he/she has valid financial payment information during financial transactions. $r o t ()$ is shown in Figure 3.

Figure 3

Proposed scheme.

$r o t (x, y)$ is defined as “left rotating the value of $w (y)$ with x,” where $w (y)$ is the hamming weight of y.

Step 1.

The user selects a random polynomial $r_{A}$ . Then, the user stores this polynomial safely by calculating the secret information $x = g_{A} \cdot r_{A}$ used to prove the user's identity. Subsequently, the user transmits identity I, user public key $v_{A}$ , and certificate $C e r t (I, v_{A})$ to the bank:

\begin{matrix} A : r_{A} \in L_{r} \\ A : x_{A} = g_{A} \cdot r_{A} \\ A ⟶ B : I_{A}, v_{A}, C e r t (I_{A}, v_{A}), x_{A} . \end{matrix}

(3)

Step 2.

The bank verifies the validity of identity I and user public key $v_{A}$ using certificate $C e r t (I, v_{A})$ and the public signature system by selecting random polynomial e transmitted to the user:

\begin{matrix} B : C e r t (I, v_{A}) = T r u e ? \\ B : e \in L_{e} \\ B ⟶ A : e . \end{matrix}

(4)

Step 3.

The user computes y through $f_{A}$ , $r_{A}$ and random polynomial e and transmits this information to the bank:

\begin{matrix} A : e ⟵ H_{k t} (e) \\ A : E = B 2 P (e) \\ A : r_{t} = e_{[0, s - 1]} \\ A : f_{A S} \cdot r_{A} = f_{A} \cdot r_{A} + r o t (f_{A} \cdot r_{A}, ⌈l o g_{2} (2 q - 1)⌉ r t) \\ A : y_{A} = f_{A S} \cdot r_{A} + e . \end{matrix}

(5)

Mathematical Background. Consider the following: (i)

${r o t}_{i} (f) = x^{i} \cdot f m o d (x^{N} - 1)$ ,

(ii)

$x^{N} \cdot f m o d (x^{N} - 1) = f$ ,

(iii)

$f^{'} \cdot g = x^{i} \cdot f \cdot g m o d (x^{N} - 1)$ ,

$f^{'} \cdot g = x^{i} \cdot (f \cdot g) m o d (x^{N} - 1)$ ,

$f^{'} \cdot g = {r o t}_{i} (f \cdot g) m o d (x^{N} - 1)$ ,

(iv)

${r o t}_{i} (f \cdot g) = {r o t}_{i} (f) \cdot g$ ,

(v)

$f \cdot g + {r o t}_{i} (f \cdot g) = (f + {r o t}_{i} (f)) \cdot g$ ,

(vi)

$y_{A} = f_{A S} \cdot g_{A} + e = (X^{H W (r t)} + 1) \cdot f_{A} \cdot g_{A} + e m o d (X^{N} - 1)$ .

Step 4.

The bank verifies the user's identity by checking whether $y \cdot v_{A} = x_{A} (e)$ :

\begin{matrix} B : y_{A} \cdot v_{A} = x_{A} (e) \\ B : (f_{A S} \cdot r_{A}) \cdot ({f_{A q}}^{- 1} \cdot g_{A}) = g_{A} \cdot r_{A} (e) \\ B : f_{A} \cdot r_{A} + r o t (f_{A} \cdot r_{A}, {⌈l o g_{2} 2 q - 1⌉}^{'} r t) \cdot ({f_{A q}}^{- 1} \cdot g_{A}) = g_{A S} \cdot r_{A} = g_{A S} \cdot r_{A} + r o t (g_{A S} \cdot r_{A}, {⌈l o g_{2} 2 q - 1⌉}^{'} r t) \\ B : ((X^{H W (r t)} - 1) \cdot f_{A} \cdot r_{A} \cdot ({f_{A q}}^{- 1} \cdot g_{A})) = g_{A S} \cdot r_{A} = ((X^{H W (r t)} - 1) \cdot g_{A S} \cdot r_{A}) m o d (X^{N} - 1) \\ B : (X^{H W (r t)} - 1) \cdot g_{A S} \cdot r_{A} = (X^{H W (r t)} - 1) \cdot g_{A S} \cdot r_{A} . \end{matrix}

(6)

4.4. Bank Authentication and Key Update Phase

The bank performs the steps indicated below in order to prove that it was the object of legitimate users. In this procedure, the bank generates new verification information based on user information by conducting the verification method provided in Step 4 in Section 4.3 and delivers the verification information to the user. Moreover, the user verifies the communication object that employs the information received from the bank.

Step 1.

The bank transmits the verification information to the user using $x = g_{A} \cdot r_{A}$ shared with the user. $r_{A}^{'}$ is new random polynomial information generated by the bank; this information is used in the future transaction steps:

\begin{matrix} B : r^{'} \in L_{r^{'}} \\ B : z_{B} = r o t (x, x) \oplus (r_{A}^{'} o r x^{'}) \\ B : z_{B} = r o t (g_{A} \cdot r_{A}, g_{A} \cdot r_{A}) \oplus (r_{A}^{'} o r x^{'}) \\ B : z 1_{B} = H (y_{A} ∥ r_{A}^{'} o r x^{'}) \\ B ⟶ A : z_{B}, z 1_{B} . \end{matrix}

(7)

Step 2.

The user verifies $z_{B}$ using x and $y_{A}$ stored in the memory of his/her device. The hash information is verified; then, the user updates the received information $r_{A}^{'}$ and proceeds to the current transaction:

\begin{matrix} A : r_{A}^{'} o r x^{'} = z_{B} \oplus r o t (x, x) \\ A : r_{A}^{'} o r x^{'} = z_{B} \oplus r o t (g_{A} \cdot r_{A}, g_{A} \cdot r_{A}) \\ A : v e r i f y z 1_{B} \\ A : u p d a t e r_{A}^{'} o r x^{'} . \end{matrix}

(8)

5. Proposed Scheme Analysis

Our proposed scheme satisfies the following requirements (see Table 2). (i)

Confidentiality. The attacker cannot know encrypted $z_{B}$ , $y_{S}$ between objects. Our idea is to provide confidentiality by using a randomly generated value for $r A$ in each session.

(ii)

Integrity. Data are delivered with certificate ${C e r t}_{A}$ in order to generate the signature value for the message. Therefore, we can even check forgery attempts through the verification process.

(iii)

Mutual Authentication. Our idea is to provide mutual authentication through verification of the NTRU-based public key and ${C e r t}_{A}$ .

(iv)

Conditional Anonymity. Banks are required to calculate the inverse permutation for each piece of encrypted information in order to find the legal user. In our proposed scheme, the probability of the attacker finding the user information is $1 / n$ by the safety trapdoor function based on the $r o t ()$ function. Therefore, our proposed approach can provide user anonymity.

(v)

Safety. The problems associated with finding confidential information about a user are equal to the math problem SVP (Shortest Vector Problem) that finds the shortest vector in a large-sized lattice. Therefore, the proposed method should satisfy the properties of the trapdoor function. In addition, even if g were to be exposed, an attacker capable of generating secret information would have to know the inverse function of one of the $g_{s}$ . Then, even if the attacker would be able to determine the value of y via a combination function, the confidential information would be safe because it would not be possible to know the inverse of the value-generated secret information.

(vi)

Efficiency. The exponentiation method used in the conventional method is rooted in the discrete logarithm problem. In contrast, our proposed method is based on the lattice problem. In addition, our idea is very efficient in terms of computational complexity because it performs only a simple addition, rotation function, NTRU (convolution multiplication), and hash operation. The feasibility of the method proposed in this paper is based on research suggested by Atici et al. [17]. These authors proved that the NTRU cryptosystem only requires 10.5 kgates for implementation. This is similar to the gate count used to implement a hash function. Therefore, our proposed approach can be used in practical low-cost tag environments.

Table 2

Analysis of proposed scheme.

Mutual authentication		×	○	×	△	×	○
Mutual authentication		Symmetric based	Certificate based	Symmetric based	Symmetric based	Symmetric based	Lattice based

Confidentiality		○	○	○	○	○	○
Confidentiality		Providing (shared secret key)	Providing (public & session key)	Providing (shared secret key)	Providing (shared secret key)	Providing (shared secret key)	Providing (shared secret key)

Integrity		△	○	△	△	△	○
Integrity		Providing (MAC based)	Providing (digital signature)	Providing (MAC based)	Providing (MAC based)	Providing (MAC based)	Providing (digital signature)

Nonreusable		○	○	○	○	○	○
Nonreusable		Nonce based	Time stamp based signature	Nonce based	Nonce based	Nonce based	Nonce based

Safety		×	○	○	○	○	○
Safety		Symmetric based	PKI based	Symmetric based	Symmetric based	Symmetric based	PKI based

Efficiency		○	×	○	○	○	○
Efficiency		Symmetric based	Exponential based	Symmetric based	Symmetric based	Symmetric based	Lattice based (efficiency in RFID card)

Comp. Qty.	Reg.	2H	2U	—	2E	—	2X
Comp. Qty.	Auth.	7H + 8⊕	5U + 2E + $2 (R_{T} * E)$	11E + 6H	1U + 7E	6E + 6H	3X + 4R + 4A + 4⊕ + 1H

Traffic	Reg.	Four rounds (secure channel)	Two rounds (secure channel)	Two rounds (secure channel)	Two rounds (secure channel)	Two rounds (secure channel)	Two rounds (secure channel)
Traffic	Auth.	Four rounds	Four rounds	Four rounds	Four rounds	Four rounds	Four rounds

×: no offer, insecure, △: usually offer, ○: offer, secure

E: symmetric key; H: hash algorithm; U: public key; X: convolution multiplication; and A: addition, ⊕: XOR, and R: rotate functions.

6. Conclusions

In this paper, we proposed a mutual lattice-based authentication scheme for secure financial payment services in NFC-PCM payment environments. Although this method is similar to those proposed in previous studies, it is comparatively efficient in terms of computational complexity because most of the proposed operations use lattice-based convolution multiplication.

In particular, our proposed method provides a level of safety that is similar to that of the public key-based scheme used in previous studies. Our approach provides safety by using the CVP (Closest Vector Problem) to find the closest vector problem and SVP to find the shortest vector in a large-sized lattice. Our proposed method satisfied the conditions NP-hard. Only a BFA (Brute Force Attack) would be possible on devices using our approach. Our method was shown to provide very high efficiency in payment environments using the passive communication mode of NFC.

Footnotes

Competing Interests

The authors declare that they have no competing interests.

Acknowledgments

This research was supported by Basic Science Research Program through the National Research Foundation of Korea (NRF) funded by the MEST (Ministry of Education, Science and Technology) (2013R1A1A2012940) and by the MSIP (Ministry of Science, ICT and Future Planning), Korea, under the ITRC (Information Technology Research Center) Support Program (IITP-2016-R0992-16-1006) supervised by the IITP (Institute for Information & Communications Technology Promotion).

References

2014, http://news.donga.com/East/3/all/20140411/62462956/1

J.-H.

Hwang

J.-Y.

Shim

M.-N.

Jeong

D.-K.

Lim

J.-I.

A study on the applicability of anonymous authentication schemes for fine-grained privacy protection

Journal of the Korea Institute of Information Security and Cryptology 2010 20 6 195 208

Mullioner

Attacking NFC Mobile Phones

EUSecWest 2008, 2008

Roland

Langer

Digital signature records for the NFC data exchange format

Proceedings of the 2nd International Workshop on Near Field Communication (NFC ′10)

April 2010

IEEE

71 76

10.1109/nfc.2010.10

2-s2.0-77954484045

Haselsteiner

Breitfuß

Security in near field communication (NFC)

Proceedings of the Workshop on RFID Security (RFIDSec ′06)

July 2006

Graz, Austria

Kaya

S. V.

Savaş

Levi

Erçetin

Ö.

Public key cryptography based privacy preserving multi-context RFID infrastructure

Ad Hoc Networks 2009 7 1 136 152

10.1016/j.adhoc.2007.12.004

2-s2.0-53749094694

Batina

Seys

Singelee

Verbauwhede

Hierarchical ECC-based RFID authentication protocol

RFID. Security and Privacy: 7th International Workshop, RFIDSec 2011, Amherst, USA, June 26–28, 2011, Revised Selected Papers 2011 7055

Berlin, Germany

Springer

183 201 Lecture Notes in Computer Science

10.1007/978-3-642-25286-0_12

Lee

Y. K.

Batina

Singelee

Verbauwhede

Low-cost untraceable authentication protocols for RFID

Proceedings of the 3rd ACM Conference on Wireless Network Security (WiSec ′10)

March 2010

Hoboken, NJ, USA

10.1145/1741866.1741877

Sekino

Cui

Kobara

Imai

Privacy enhanced RFID using Quasi-Dyadic fix domain shrinking

Proceedings of the IEEE Global Communication Conference (GLOBECOM ′10)

December 2010

Miami, Fla, USA

10.

Jung

M. S.

A study on electronic-money technology using near field communication

Symmetry 2015 7 1 1 14

10.3390/sym7010001

2-s2.0-84924137768

11.

Pourghomi

Saeed

M. Q.

Ghinea

A secure cloud-based NFC mobile payment protocol

International Journal of Advanced Computer Science and Applications 2014 5 10 24 31

12.

Sekhar

V. C.

Sarvabhatla

Secure lightweight mobile payment protocol using symmetric key techniques

Proceedings of the International Conference on Computer Communication and Informatics (ICCCI ′12)

January 2012

8 13

10.1109/iccci.2012.6158876

2-s2.0-84858736368

13.

Abughazalah

Markantonakis

Mayes

Secure mobile payment on NFC-enabled mobile phones formally analysed using CasperFDR

Proceedings of the13th IEEE International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom ′14)

September 2014

Beijing, China

IEEE

422 431

10.1109/trustcom.2014.55

2-s2.0-84922979561

14.

Mobile NFC Technical Guidelines 2007

GSMA

15.

El Moustaine

Laurent

A lattice based authentication for low-cost RFID

Proceedings of the IEEE International Conference on RFID-Technologies and Applications (RFID-TA ′12)

November 2012

Nice, France

68 73

10.1109/rfid-ta.2012.6404569

2-s2.0-84873166867

16.

Thammarat

Chokngamwong

Techapanupreeda

Kungpisdan

A secure lightweight protocol for NFC communications with mutual authentication based on limited-use of session keys

Proceedings of the International Conference on Information Networking (ICOIN ′15)

January 2015

Siem Reap, Cambodia

133 138

10.1109/icoin.2015.7057870

2-s2.0-84930958036

17.

Atici

A. C.

Batina

Fan

Verbauwhede

Yalçin

S. B. Ö.

Low-cost implementations of NTRU for pervasive security

Proceedings of the IEEE 19th International Conference on Application-Specific Systems, Architectures and Processors (ASAP ′08)

July 2008

Leuven, Belgium

IEEE

79 84

10.1109/asap.2008.4580158

2-s2.0-51649129069

Mutual Authentication Scheme Based on Lattice for NFC-PCM Payment Service Environment

Abstract

1. Introduction

2. Related Work

2.1. NFC Operating Modes

2.2. Business Models

2.3. Threat Models

2.4. Related Work on Low-Cost NFCs

2.4.1. Jung

2.4.2. Abughazalah et al.

2.5. NTRU

3. Security Requirements

4. Proposed Schemes

4.1. System Parameters

4.2. Registration Phase

Step 1.

Step 2.

4.3. User Verifying Phase

Step 1.

Step 2.

Step 3.

Step 4.

4.4. Bank Authentication and Key Update Phase

Step 1.

Step 2.

5. Proposed Scheme Analysis

6. Conclusions

Footnotes

Competing Interests

Acknowledgments

References