Quantum Computing and EMV® Chip – What’s the Threat?

It is hard not to get excited about the theoretical possibilities of quantum computing. At the leading edge of human endeavours, it has the potential to fundamentally revolutionise how we address and solve complex problems. With aspirations and ambitions comes uncertainty and threats. EMVCo is taking very seriously the threat of quantum computers undermining the security of RSA (Rivest, Shamir and Adleman) and ECC (Elliptic-Curve Cryptography) and is exploring future mitigation strategies. In this EMV® Insight Post, we ask Michael Ward, EMVCo Security Working Group Chair, what threat quantum computing poses to EMV Chip and what the technical body is doing to address this. Firstly, what part of a payment transaction does EMV Chip technology secure? EMV Chip technology secures the data exchange between the payment device, such as a plastic card, smartphone or wearable, and the payment terminal and issuing bank. It does this by integrating security features into the EMV transaction, such as cardholder verification and card authentication. To maintain the integrity of the payment process, the payment device and transaction data are also authenticated. The merchant terminal and issuing bank cryptographically authenticate the payment device and its data by verifying cryptographic signatures that have been generated by the payment device. In EMV these signatures are often referred to as ‘cryptograms’. What threat does quantum computing present to EMV technology today? It is important to note that we don’t expect quantum computing to start posing a threat to the EMV infrastructure until at least 2040. While there is a lot of hype, and varying timelines, no one actually knows when quantum computing will become a reality, and currently no quantum attacks exist. Harvest Now Decrypt Later, which aims to steal encrypted data today in the view that it can be decrypted and used for malicious purposes in the future, has driven a requirement in some industries and governments to deploy quantum resistant cryptography. This, however, does not apply to EMV Chip transactions, as chip authentication does not require long-term data confidentiality. Can you explain further the role of EMV cryptograms? During a transaction the cardholder’s payment device responds to an unpredictable number from the terminal to create two types of cryptograms: An online cryptogram (symmetric cryptography) is used in most payment scenarios for remote authentication and verified by the card issuer. It is based on either Triple DES cryptography (Data Encryption Standard) or AES cryptography (Advanced Encryption Standard). An offline cryptogram (public key cryptography) is used for local authentication and verified by the terminal. The payment device uses its private key to authenticate itself and the transaction data to the terminal and this avoids the payment device and terminal having to share secret keys. A transit network is a prominent example of where this is needed, as often terminals can be without online real-time connectivity, and they need to support mass turnstile throughput at peak times so speed is essential. In this payment scenario, EMV supports the use of ECC and RSA cryptography. In summary the EMV Chip cryptograms support the universal payment business requirement of ‘source authentication’, ‘message authentication’ and ‘non-repudiation’ underpinning a customer’s payment instruction to the bank. Are both cryptograms potentially vulnerable to quantum threats? No, online cryptograms use symmetric cryptography, which is resistant to quantum attacks. AES is a quantum resistant symmetric cipher that has been included in EMV Specifications since 2010 and effectively future proofs EMV against quantum attacks as explained in our published position paper. Furthermore, the legacy EMV symmetric cipher 2-key Triple DES in popular use today does enjoy a significant security margin against any potential quantum attack, albeit with a smaller mar