H.

Eun et al: Conditional Privacy Preserving Security Protocol for NFC Applications 153

Contributed Paper
Manuscript received 01/01/13
Current version published 03/25/13
Electronic version published 03/25/13. 0098 3063/13/$20.00 2013 IEEE
Conditional Privacy Preserving Security Protocol
for NFC Applications
Hasoo Eun, Member, IEEE, Hoonjung Lee, Member, IEEE, and Heekuck Oh, Member, IEEE

Abstract In recent years, various mobile terminals
equipped with NFC (Near Field Communication) have been
released. The combination of NFC with smart devices has led
to widening the utilization range of NFC. It is expected to
replace credit cards in electronic payment, especially. In this
regard, security issues need to be addressed to vitalize NFC
electronic payment. The NFC security standards currently
being applied require the use of user's public key at a fixed
value in the process of key agreement. The relevance of the
message occurs in the fixed elements such as the public key of
NFC. An attacker can create a profile based on user's public
key by collecting the associated messages. Through the
created profile, users can be exposed and their privacy can be
compromised. In this paper, we propose conditional privacy
protection methods based on pseudonyms to solve these
problems. In addition, PDU (Protocol Data Unit) for
conditional privacy is defined. Users can inform the other
party that they will communicate according to the protocol
proposed in this paper by sending the conditional privacy
preserved PDU through NFC terminals. The proposed method
succeeds in minimizing the update cost and computation
overhead by taking advantage of the physical characteristics
of NFC
1
.

Index Terms NFC security, Pseudonym,
Unlinkability, Conditional privacy protection.
I. INTRODUCTION
NFC (Near field Communication) is a short-range wireless
communication technology whose technology distance is
around 4 inches, and it operates in the 13.56MHz frequency
band at a speed of 106Kbps to 424Kbps. The combination of
NFC with smart devices resulted in widening the range of
NFC, which includes data exchange, service discovery,
connection, e-payment, and ticketing. It is expected to replace
credit cards in electronic payment, especially. According to
Gartner, a market research company, the number of NFC-

1
This research was supported in part by the Ministry of Knowledge
Economy, Korea, under the Information Technology Research Center support
program (NIPA-2012-H0301-12-4004) supervised by the National IT Industry
Promotion Agency
This work was also supported in part by the National Research Foundation
of Korea grant funded by the Ministry of Education, Science and Technology
(No. 2012-R1A2A2A01046986)
Hasoo Eun is with the Dept. of Computer Science & Engineering,
Hanyang University, South Korea (e-mail: hseun@infosec.hanyang.ac.kr).
Hoonjung Lee is with the Dept. of Computer Science & Engineering,
Hanyang University, South Korea (e-mail: hjlee@infosec.hanyang.ac.kr).
Heekuck Oh is with the Dept. of Computer Science & Engineering,
Hanyang University, South Korea (e-mail: hkoh@hanyang.ac.kr).
based payment services is expected to increase by 11.3 times
from $316 million in 2010 to $3.572 billion in 2015 [1], and
Juniper research predicted that the global NFC payment
market size would be increased to $180 billion in 2017 [2].
To use NFC in electronic payment, security is a prerequisite
to be addressed. Presently, NFC security standards define data
exchange format, tag types, and security protocols, centering
on NFC forum. It is expressly stipulated in the NFC security
standards that key agreement is required for secret
communications between users [3]-[5]. In the process of key
agreement, both users should exchange their public keys. The
public key is received from CA (Certificate Authority), and it
uses a fixed value until reissued.
Malicious internal attackers can create profiles of users
through the acquisition of public keys of other users in the
process of key agreement. If NFC is used in e-payment in this
way, the privacy of users can be infringed through profiles
created by attackers. Suppose Alice purchases items such as
cloths, food, and medicine several times at a supermarket, the
supermarket can get information about her tastes, preferences,
and health conditions. The collected information can help her
to purchase products more efficiently, but it may contain
information that nobody wants to announce to others such as
his or her health conditions.
In this paper, we propose privacy protection methods based
on pseudonyms to protect privacy of users. The proposed
methods provide conditional privacy in which the identity of
users can be verified by the TTP (Trusted Third Party) to
resolve disputes when necessary. In addition, the PDU
(Protocol Data Unit) for the conditional privacy is proposed in
this paper. The data used to help a future purchase uses
protected PDU of NFC-SEC, and data not wanted to be
recorded uses conditional privacy PDU selectively, which
makes it possible to remove the connectivity with the existing
messages. This paper is the extended version of [6]. It covers
background, security requirements, and differences between
pseudonym-based method and the proposed method.
According to survey conducted so far, this paper has its
significance in the sense it is the first research on the
conditional privacy protection of users in NFC.
In this paper, section 2 describes standards and privacy
protection methods related to NFC, and the NFC environments
that are currently applied are introduced in section 3. In
section 4, an analysis on the security threats that can occur in
the current NFC environment is conducted, and the security
requirements necessary for NFC are deduced. In section 5, the
conditional privacy methods for NFC are proposed, and a
154 IEEE Transactions on Consumer Electronics, Vol. 59, No. 1, February 2013
comparative analysis with existing method is carried out in
section 6. Finally, section 7 concludes the paper.
II. BACKGROUND
In this section, the current NFC standards are introduced,
and the pseudonyms are also introduced as conditional privacy
protection methods. In the current NFC standards, a variety of
standards ranging from the basic interface protocols to testing
and security methods are defined. This section also introduces
NFCIP-1, the basic interface and NFC-SEC, the security
method.
A. NFCIP-1: Near Field Communication Interface and
Protocol
In NFC, the object of communication is divided into an
initiator and a target. An initiator generates RF field (Radio
Frequency field) and starts NFCIP-1. A target that receives
signals from initiator responds to the initiator through the RF
field. When target communicates using RF field of initiator, it
is called passive communication mode, and using self-
generated RF field is referred to as active communication
mode. Communication mode is determined according to
applications when transaction starts. Once the transaction is
started, the communication mode cannot be changed until the
target becomes disabled or removed.
The major mechanism provided by NFCIP-1 is SDD
(Single Device Detection) and RFCA (Radio Field Collision
Avoidance) [7]. The SDD is an algorithm for initiator to find
a specific target among multiple targets in the RF field. In
existing RFID system, collision problem may occur. The
collision is referred to as a state in which more than two
initiators or targets transmit data at the same time, and it is
impossible to distinguish which data is real. The collision
problem is solved by NFC standard using algorithm named
RFCA [8]. RFCA is an algorithm that detects other RF fields
and prevents collision using carrier frequency. RFCA begins
by confirming the presence of other RF fields. If other RF
fields exist, the NFC does not generate its own RF field.
Thanks to the SDD that finds specific target within the range
and RFCA that does not permit 2 RF fields, the NFC can be
safe from MITM (Man-In-The-Middle) attacks [9]. The
detailed information about this is discussed in section IV-A.
B. NFC-SEC: NFCIP-1 Security Services and Protocol
NFC-SEC defines SSE (Shared SEcret service) and SCH
(Secure CHannel service) for NFCIP-1 [4]. SSE generates a
secret key for secure communication between NFC devices
and in this process, key agreement and key confirmation is
performed. SCH service provides the communication between
NFC devices with confidentiality and integrity using a key
generated through SSE service.
Also NFC-SEC defines the procedures of key agreement
using ECSDVP-DH (Elliptic Curve Secret Value Derivation
Primitive, Diffie-Hellman version) for SCH between NFC
terminals in SSE [5], [10]. To achieve the above, NFC
terminal must have public key and private key based on
Elliptic curve. SCH makes three keys hierarchically by using
the key generated through SSE and provides confidentiality
and integrity to the messages using generated keys. The three
keys created in SCH are used to provide the confidentiality
and integrity of the message. The key agreement and
confirmation protocols are implemented as shown in Figure 1,
and the notation follows Table I.

TABLE I
NOTATION
Notation Description
|| Concatenation symbol
N
X
Nonce of user X
ID
X
Random ID of user X for the activation of transport protocols
QX, QX, QX Compressed elliptic curve public key of user X
Q
X
, Q
X
, Q
X
Elliptic curve public key of user X
d
X
Elliptic curve private key of user X
G Elliptic curve base point
KDF Key derivation function
MacTag
X
Key verification tag received from X
MK Shared secret key
z Unsigned integer
r
X
Random integer generated by user X
PN Pseudonym set
Enc(k, m) Encrypt m with k
Sig(k, m) Signature on m with k
ID
X
follows NFCID format. NFCID is generated dynamically and used in
SDD and RFCA.

Figure 1. Key agreement and confirmation protocol in NFC-SEC

User A generates a random number N
A
before
communication. When communication starts, user A sends
compressed public key QA to user B. User B who receives the
message creates a random number N
B
and sends it to user A
along with the compressed public key QB. The two users get
point P through multiplying the other party's public key by
their private key. The x coordinate of the point P becomes
secrete value z of two users. The two users who generate z
obtain the secret key MK by using their ID, random numbers,
H. Eun et al: Conditional Privacy Preserving Security Protocol for NFC Applications 155
and secrete value z. To verify that same MK is generated; they
send MacTag reciprocally. Each user can generate their
MacTag using MK, IDs, and public keys.
The ID
X
used in NFC-SEC follows NFCID format. NFCID
is dynamically generated in accordance with the application
and used for SDD and RFCA. Accordingly, NFC can identify
each other through the NFCID but they cannot figure out the
definite identity. Since the NFCID is updated each time, the
connectivity between messages is not provided. However, the
public key Q
X
used with ID
X
is a fixed value. Accordingly, if
an attacker collects communication history based on the public
key, an invasion of user's privacy breaks out due to the
occurrence of the connectivity between messages.
C. Pseudonyms
Pseudonym represents ID that changes randomly, and it has
widely been studied in VANET (Vehicle Adhoc NETwork) to
remove the linkage between messages [11]-[16]. The general
pseudonym-based privacy protection method uses pseudonym
set received from TTP [11]-[14]. The pseudonyms are
composed of public key, private key, and a certificate. Users
can be assured of their anonymity through pseudonym and
authenticated as normal users through a certificate. The TTP
stores pseudonyms and actual ID of users to reveal the
anonymity in case of a problem. However, the method using
the pseudonym requires additional costs for storage and
communication [17]. Users should maintain data in devices for
pseudonyms. In addition, when the pseudonym set owned by
users is all used, additional communication needs to be done
for reissuance. To improve this, recent studies have been
conducted to generate pseudonyms without the help of TTP
[15], [16].
III. NFC ENVIRONMENT
In this section, NFC environment and features currently
being applied are introduced. In particular, the suitability of
applying pseudonym to NFC is demonstrated through
comparison between NFC environment and VANET
environment in which pseudonym has widely been studied.
A. TSM: Trusted Service Manager
TSM (Trusted Service Manager) is an institution that
transfers mobile financial data of customers to financial
institutions safely. The GSMA (Global System for Mobile
Communications Association) proposed TSM to facilitate the
provision of NFC services in 2007 [18], [19]. TSM serves as
CA (Certification Authority) and RA (Registration Authority)
at the market of certification services. In this paper, the TSM
is considered as TTP for mobile payment services, and the
public key used in NFC devices is assumed to be issued from
TSM.
B. SE: Secure Element
SE is a security area that can safely store important data such
as financial information, authentication information, and service
applications as a secure smart chip. In SE, the range of functions
varies depending on the type of implementation, but the storage
features and secure domain is certainly included. The secure
domain is a unique area separated to safety store important
information such as service applications and access key, etc.
Since each secure domain exists independently, it cannot have
access to the secure domain in which other services are
installed. Users can be provided with payment services from
various financial companies through a NFC device.
C. NFC Features
NFC provides TRH (Tamper Resistamt Hardware) called
SE, along with TSM, the trusted third party, which is similar
to the VANET environment. However, NFC is somehow
different from VANET in communication environment. In the
NFC, attacker's actions are further limited compared to
VANET. Accordingly, the pseudonyms used in VANET are
improved to meet the NFC features and the protection of user's
privacy can be achieved at low cost. The NFC features noted
in this paper are as follows.
One-to-One communication: In VANET, all vehicles within
the range of RSU (Road-Side Unit) perform communication
with one RSU. However, in case all vehicles are anonymized,
RSU cannot communicate with specific vehicles. Accordingly,
if a certificate is not provided, an attacker can make an attack
more easily by mingling. On the other hand, since only one-
to-one communication is possible in case of NFC, it is easy to
identify with whom you communicate.
Near field Communication: VANET features
communication between vehicles and RSU, and it is
implemented during driving, which makes it difficult for users
to check the contents of the communication. On the other
hand, NFC is a near field communication, and communication
is conducted with the target in front of our eyes. Two users
can identify whether the communication is properly
progressed through each other's device.
Sporadic Communication: VANET performs
communication consistently until users arrive at their
destination, while updating pseudonym periodically. On the
other hand, since NFC performs sporadic communication for
payment, it is advantageous to use one-time ID such as
pseudonym. In addition, it is not necessary to store a large
amount of pseudonyms in advance due to plenty of time
before next-payment.
IV. SECURITY THREATS IN THE NFC
NFC is a short-range wireless communication technology.
Due to its distance limitations, the short-range wireless
communication technology seems to be safer than wired
communication technology, which really is not. In case
communication is performed through RF field, along with
NFC, data can be obtained even when users stay near the
transmitter. In this section, the security requirements met by
methods that analyze security threats of NFC are deduced.
A. MITM attack: Man-In-The-Middle attack
MITM attack means an attacker's obtaining data between
two users by spoofing. Suppose that Alice and Bob try to
156 IEEE Transactions on Consumer Electronics, Vol. 59, No. 1, February 2013
exchange their keys, and Carol is an attacker. Carol obtains
key K
AC
by performing key agreement after disguising her as
Bob, and key K
BC
after disguising her as Alice. When user
Alice sends data encrypted with K
AC
to Carol disguised as Bob,
Carol can obtain data m. Carol transfer m encrypted with K
BC

to Bob. Attacker can modify data of the two users through
MITM attack.
However, it is known that the MITM attack is generally
impossible in NFC [9] due to physical characteristics that
protocols performs in close proximity as well as SDD and
RFCA described in section II-A. To identify the impossibility
of MITM attacks in NFC, let us suppose an environment in
which NFC-SEC is not applied (attackers can perform
eavesdropping).
In case Alice is in active communication mode, and Bob is
in passive communication mode: Alice generates RF field and
transfers data to Bob. Carol, an attacker, can prevent Bob from
receiving data, while watching the data of Alice. In this case,
Alice can detect an attack and stop key agreement. Though
Alice cannot detect the attack, Carol needs to generate her
own RF field to transfer data to Bob. However, since Alice
and Bob are in communication with active-passive mode,
Alice does not reap the RF field until NFC of Bob becomes
disabled or removed. Since two RF fields cannot exist
simultaneously according to RFCA, it is impossible for Carol
to transfer data to Bob. Accordingly, a MITM attack is
impossible.
In case both Alice and Bob are in active communication
modes: If Alice's data is blocked, Alice can detect attacks as in
case of active-passive mode. If not, Alice comes to reap her
own RF field to receive data from Bob, when Carol can
generate her own RF field successfully and transfer data to
Bob. However, Alice waiting for Bob's data can detect attacks
after receiving Carol's data. Alice discontinues protocols after
detecting attacks, and Carol's MITM attack fails.
B. Eavesdropping and Data modulation
Eavesdropping on wireless communication is a major threat,
which is true in the NFC. It is generally considered that
eavesdropping is difficult in the NFC since the recognition
distance of NFC is within 4 inches. However, there are many
factors that can affect recognition distance in the NFC unlike
RFID with mere relationship of a tag and a reader. In
particular, eavesdropping is possible up to 10m in active
communication mode and up to 1m in passive communication
mode depending on the performance of attacker's receiver,
antenna, and RF signal decoder. An attacker can modulate
data arbitrarily using a jammer in the same situation as in
eavesdropping. The modulated data can be arbitrary data or
regular data depending on the purpose of attackers.
Fortunately, the data that is being transmitted can be easily
protected from eavesdropping by using secure channel. In
NFC-SEC, key agreement is performed through SSE and SCH
is generated by using the key obtained from results. The user's
data is encrypted when it is transmitted through secure channel,
when an attacker only obtains the encrypted data, and he fails
to get meaningful data. The SCH service of NFC-SEC
performs an integrity check by calculating MacTag through
hierarchy keys. Therefore, a user can be aware of data
modulation. The user can respond to data modulation attacks
by asking for retransmission or discontinuing protocols.
C. Privacy
In order to preserve privacy, one would like to do things
when nobody else could see or disturb him or her. In case of
NFC which can be used in overall life, an attacker can infringe
the privacy of users easily by tracking usage history. Suppose
that Alice purchases items such as cloths, food, and medicine
several times at a supermarket. The supermarket can get
information about her tastes, preferences, and health
conditions. The collected information may help her to
efficiently purchase products; however, it may contain
information which she does not want others to know such as
her health conditions.
However, it is impossible to authenticate users in case all
information is hidden to protect the privacy of users, which
leads to vulnerability to spoofing attacks such as MITM. In
case complete anonymity is provided, even honest users may
distinguish to be someone else, and it is impossible to predict
their actions behind the anonymity. Therefore, it is required to
formulate conditional privacy protection methods that can
protect the privacy of users and reveal the real identity of users
by trusted third party when problems occur.
D. Security Requirement
In response to the security threats covered in this section,
NFC security protocols should satisfy the following
properties. In general, the key agreement protocol should be
robust to the MITM attack. However, as mentioned in section
IV-A, the NFC is robust to the MITM attack itself; it is not
included in the security requirements in this paper.

Data Confidentiality: It is required to protect data from
unauthorized users.
Data Integrity: The transmitted data should be identical to
the source data.
Unobservability: The data of specific users should not be
distinguished from multiple data.
Unlinkability: When two data generated by the same user is
presented, the connectivity between the two data should not be
identified.
Tracability: It is required to enable to find out who
generated the data if a problem occurs.

For example Alice purchased items at a supermarket. Here,
the confidentiality means that if Alice's purchase information
is assumed as P
A
, the contents of P
A
should not be revealed to
an unauthorized user. Integrity means it is guaranteed that data
is not modulated in the process of transferring Alice's
purchase information P
A
. Unobservability means that Alice's
purchase information P
A
should not be distinguished from
purchase information collected at the market. Unlinkability
H. Eun et al: Conditional Privacy Preserving Security Protocol for NFC Applications 157
means that P
A2
should not be identified as Alice's purchase
information through Alice's last purchase information P
A1
.
Lastly, TSM should be able to be identified as Alice's
purchase information by withdrawal of anonymity when
problem occurs.
V. PROPOSED METHOD
The conditional privacy method has widely been studied in
the light of pseudonyms when the privacy protection is
required. In this paper, conditional privacy protection methods
tailored to the NFC environment are proposed. Since the
proposed method can reuse NFCIP-1 and NFC-SEC, the NFC
standards in most cases, more efficient production is possible
in the implementation and chip design sector. Let us suppose
that a user stores the long-term public key issued by TSM in
the SE.
A. MuPM: Multiple pseudonym based method
If user A requests TSM for pseudonyms, TSM generates n
pseudonyms and transmit it to user A. Then, the TSM stores
the transmitted pseudonyms and ID of user A. A pseudonym
composed of public key, private key (that is encrypted with
long-term public key of user A), ID of the TSM, and signature
of the TSM. Pseudonym is generated as follows:

( , ( , ) )
i i i
TSM TSM A A A TSM
S Sig d Q Enc Q d id
( ( , ) )
i i i i
A A A A TSM TSM
PN Q Enc Q d id S

Here, J
A

represents user A's private key of order i,

A

is the
public key of order i and S
1SM

represents TSM's signature on

the message of order i. When pseudonyms are requested, TSM
generates n number of random values J
A

and then generates n

number of public keys through multiplying them by base point
G respectively. Then, TSM creates pseudonym set based on
the generated data and delivers it to user A, who conducts SSE
protocols by selecting one of pseudonyms to be delivered. The
used pseudonym is managed through revocation list. This
method has its advantage of simple protocol and easy
authentication of the users. However, it has disadvantages for
instance; it requires a storage space to maintain the
pseudonyms, overhead of managing revocation list, and
communication costs for issuance of pseudonyms.
B. uPM: Self-updateable pseudonym based method
If we consider the NFC features in the protocol design
process, the protocol can be configured so that it can update
pseudonym without the need to communicate with TSM. The
communication with the TSM can be used only to keep track
of the message constructor. The proposed protocol is shown in
Figure 2, and the notation follows Table I in section II-B.
QA||N
A
of Figure 1 is changed as in (1) so that TSM can
identify the identity.

A
QA QA N
(1)
Sender A Recipient B
Generate N
A
Generate r
A
Compute Q'
A
=r
A
Q
A
Compute Q''
A
=r
A
d
A
Q
S
+Q
A
P=r
A
d
A
Q'
B
Compute z from P
Compute MK
=KDF(N
A
, N
B
, ID
A
, ID
B
, z)
Compute MacTag
A
=f(MK, ID
A
, ID
B
, QA'', QB'')
Check MacTag
B
For SSE,
Set SharedSecret=MK
QA'|| QA''||N
A
Generate N
B
Generate r
B
Compute Q'
B
=r
B
Q
B
Compute Q''
B
=r
B
d
B
Q
S
+Q
B
QB'||QB''||N
B
P=r
B
d
B
Q'
A
Compute z from P
Compute MK
=KDF(N
A
, N
B
, ID
A
, ID
B
, z)
MacTag
A
Check MacTag
A
Compute MacTag
B
=f(MK, ID
B
, ID
A
, QB'', QA'')
MacTag
B
For SSE,
Set SharedSecret=MK

Figure 2. Proposed key agreement and confirmation protocol using self-
updatable pseudonym based method

User B can obtain Q'
A
and Q
A
by decompressing QA' and
QA. Q'
A
and Q
A
are the points on the elliptic curve, and they
are developed as in (2) and (3).

A A A A A
Q r Q r d G (2)
A A A S A A A S A
Q r d Q Q r d d G d G (3)

According to ECDLP (Elliptic Curve Discrete Logarithm
Problem), user B cannot find that Q'
A
is Q
A
which is the
message made by same person, even if user B knows Q
A
.
Likewise, in Q
A
, user B cannot find r
A
d
A
Q
S
because user B
does not know r
A
d
A
. Thus, user B cannot remove r
A
d
A
Q
S
from
Q
A
, and cannot recognize that the message was constructing
by user A. In contrast, the TSM can recognize who made of
this message by (4).

( ( )) ( ( ))
A S A A A S A S A A A
Q d Q r d d G Q d r d G Q (4)

Two users can obtain the common values by using the
exchanged messages of Q'
A
and Q'
B
. To obtain the same value,
multiply private key and the random value to Q'
A
and Q'
B
. The
random value is the same number used when making Q
A
and
Q
B
. Equation (5) expresses the process in which the two users
get the same value.
158 IEEE Transactions on Consumer Electronics, Vol. 59, No. 1, February 2013
( )
( )
A A B A A B B A A B B
B B A A B B A
P r d Q r d r d G r d r d G
r d r d G r d Q



(5)

Two users can get a shared secret value z by taking x
coordinate value at point P. When compared with the existing
protocols based on the above process, Q'
A
and Q'
B
can replace
Q
A
and Q
B
, the existing public keys. In other words, the
anonymity of users can be guaranteed by replacing the public
key alone, while retaining the existing protocols.
This method cannot be used to specify the owner of the
public key, but it can identify whether the public key is
regularly generated or not [4]. Therefore, it can be identified
that the message is generated by using the public key received
from TSM. In case the user's public key doesn't pass the
verification, the NFC communication is discontinued. When the
protocol is discontinued in the process of one-to-one short range
communication, users suspect the involvement of attackers, and
they can discontinue or restart the communication.
C. Conditional privacy PDU
The methods proposed in this paper allow users to hide their
information. However, in case information is hidden in all
situations, there arises a problem where the personalized
service is not provided. Therefore, additional instruction is
needed so that the methods proposed in this paper can be used
selectively. For this, purpose this paper defines Conditional
privacy PDU, which performs the role of instruction in the
NFC protocol.
Table II
CODING OF THE CONDITIONAL PRIVACY PDU
Bit 7 Bit 6 Bit 5 Bit 4 Bit 3 Bit 2 Bit 1 Bit 0
RFU ONE ONE MI NAD DID PNI PNI

- Bit 7: Reserved for future use. The initiator will set it to Zero.
- Bit 6 to Bit 5: Will be set ONE.
- Bit 4: If bit is set to ONE then it indicates multiple information
chaining activated.
- Bit 3: If bit is set to ONE then it indicates node address is available.
- Bit 2: If bit is set to ONE then it indicates Device ID is available.
- Bit 1 and Bit 0: Packet number information.

Coding of the PFB (Control information for transaction) bit 7 to 5
Bit 7 Bit 6 Bit5 PFB
0 0 0 Information PDU
0 0 1 Protected PDU
0 1 0 Acknowledge PDU
0 1 1 Conditional privacy PDU
1 0 0 Supervisory PDU
Other setting are reserved for future use

In this paper, the conditional privacy PDU is defined as
shown in Table II. Users can request services through
protected PDU if they want to receive the personalized
service, while protecting their data from third-party attackers
and through conditional privacy PDU if they want to be
guaranteed to receive the conditional privacy additionally. For
instance, if users want to receive the personalized services
such as product recommendations, they need to use the
protected PDU. When the users want to hide purchase
information they need to use the conditional privacy PDU.
VI. ANALYSIS
MuPM needs additional storage to maintain the pseudonym
set and communication cost for issuance of pseudonym. SuPM
does not need any communication cost for the issuance of
pseudonyms, but it needs additional computation time and
transfer time. In this section, the proposed methods are
analyzed in terms of additional cost for maintaining and using
the pseudonyms.
A. Additional storage to maintain the pseudonyms
A pseudonym is composed of public key, private key
(encrypted with long-term key of user), ID of TSM, and
signature on the message. TSM should generate a number of
pseudonyms and send to user. The size of the fields generally
used in NFC protocol is shown in Table III [6].

Table III
SIZE OF THE FIELDS
Field Size
ID
TSM

16bits
N
X
, r
X 96bits
NacTagX 96bits
NK 128bits
d
X
, z 192bits
QX, QX', QX
200bits
Enc(Q
A
, d
A
) 352bits
Q
X
384bits
S
TSM
448bits
Enciypteu message size is baseu on ECIES, anu signatuie size is baseu on
EBCSA
The size of single pseudonym is computed as follows:

Size of PN = Public key + Encrypted Private Key
+ ID of TSM + Signature = 1200 bits


Suppose the number of pseudonyms is 1000, the memory
needed to store these much pseudonyms is 146.484Kbytes.
However it is not a big deal, when considering the recent
trends of combining mobile device and NFC. But updated
environment is limited because of the billing charges of
mobile device.
B. Additional computation time
Table IV shows the computation time of affine coordinates
of GF(q) like elliptic curve P-192 used in NFC-SEC [4]. The
multiplication, square and inverse notation are represented as
M, S, and I respectively, the time taken to add two points is
(p
3
=p
1
+p
2
) and computation time required for doubling is
(p
2
=2p
1
).
Table IV
COMPUTATION TIME OF
AFFINE COORDINATES OF 6F(q) WITH P > 3
Operation Format Computation time
Doubling t(2p
1
) 2M+2S+I
Addition t(p
1
+p
2
) 2M+S+I
H. Eun et al: Conditional Privacy Preserving Security Protocol for NFC Applications 159
To create Q'
X
, Q
X
should be added r
X
times. And to create
Q
X
, the point Q
S
should be added r
X
d
X
+1 times. In Q
X
, d
X
Q
S

is a fixed value, it needs to be calculated in advance.
Therefore, to create Q
X
, the addition operation is requested
r
X
+1 times. In the addition operation, computation time can be
reduced through doubling. As identified in Table IV, adding
and doubling have one difference in squaring. In this regard, it
is more efficient to replace addition with doubling in terms of
computation time. As Table III shows, r
X
is 96 bits.
Accordingly, the maximum size of r
X
is 2
96
. If the addition of
2
96
times is replaced with doubling, the number of operations
decrease to 96(= log
2
2
96
) times. Therefore, to calculate Q'
X
,
maximum 96 times of doubling is required, and to calculate
Q
X
, 96 times of doubling and 1 addition is required. Later, to
obtain the common point P, user A has to calculate r
A
d
A
Q'
B
,
and user B has to calculate r
B
d
B
Q'
A
. The number of doubling
operations required for each user to perform the operation is
shown in (6).

96 192
2 2 2
log log 2 log 2 288
X X
r d
(6)

Accordingly, a total of 288 times of doubling operations is
required, which is an increase of 96 times compared to NFC-
SEC.
C. Additional transference time
SuPM requires each user to transfer points on the elliptic
curve additionally in the key agreement process. Therefore,
200 bits are additionally transmitted by user. In comparison
with the transfer time based on the lowest 106 kbps NFC, the
standard method requires 2.727 ns, and 4.569 ns is needed for
the proposed method. In the assumption that the transfer time
required by each user is the same, transfer of 3.628 ns is
additionally required.
Even when random value r
X
and updated public key are
created, additional time is required, but it does not have an
effect on the transfer time itself since pre-computation is
possible. On the other hand, user A and user B cannot be
allowed to calculate point P in advance. The doubling
operation takes 0.08 ms in Pentium III process of 548 MHz
[20]. The proposed method takes 7.680003628 ms, because it
performs 288 doubling operations to calculate point P. When
compared with NFC-SEC, 7.68 ms turned out to be increased.
Accordingly, since conditional anonymity is provided, the
additional transfer time required is 7.680003628 ms.
VII. CONCLUSION
With recent release of various terminals equipped with NFC
(Near Field Communication), e-payment market using NFC is
expected to be activated. In such situation, the user's
transaction information leaks can lead to the invasion of
privacy. In this paper, the conditional privacy protection
methods are proposed to solve the aforementioned problems.
The proposed method uses random public key like
pseudonyms. Since the public key is updated, fewer burdens
are imposed on the administration. The update is made based
on the long-term public key issued from TSM (Trusted
Service Manager), and safe management is achieved by
storing the long-term public key in the SE (Secure Element).
Unlike VANET (Vehicle Adhoc NETwork) environment in
which pseudonym methods have been studied for long time,
NFC is a short range one-to-one communication technology,
and it has the robust characteristics to MITM (Man In The
Middle) attack. Due to its design based on NFC features, the
proposed method can provide conditional privacy with less
overhead.
The proposed methods follows standard systems,
additionally can hide user's identity, and if necessary, the
user's identity can be confirmed by the TSM. Also the user can
get personalized services by the selective use of our proposed
method. In conclusion, it is expected that the proposed method
will help users to protect their privacy and use personalized
services. It will contribute to the promotion of mobile payment
services through NFC.
REFERENCES
[1] Gartner, "Market Insight: The Outlook on Mobile Payment," Market
Analysis and Statistics, May 2010.
[2] Juniper Research, "NFC Mobile Payments & Retail Marketing
Business Models & Forecasts 2012-2017," May 2012.
[3] ISO/IEC 15946-1:2008, "Information technology Security methods
Cryptographic methods based on elliptic curves Part 1: General," Apr.
2008.
[4] ISO/IEC 13157-1:2010, "Information technology Telecommunications
and information exchange between systems NFC Security Part 1:
NFC-SEC NFCIP-1 security service and protocol," ISO/IEC, May 2010.
[5] ISO/IEC 13157-2:2010, "Information technology Telecommunications
and information exchange between systems NFC Security Part 2:
NFC-SEC cryptography standard using ECDH and AES," ISO/IEC,
May 2010.
[6] H. Eun, H. Lee, J. Son, S. Kim, and H. Oh, "Conditional privacy
preserving security protocol for NFC applications," IEEE International
Conference on Consumer Electronics (ICCE), pp. 380-381, Jan. 2012.
[7] ISO/IEC 18092:2004, "Information technology Telecommunications
and information exchange between systems Near field Communication
Interface and Protocol (NFCIP-1)," ISO/IEC, Apr. 2004.
[8] J. Yu, W. Lee, and D.-Z. Du, "Reducing Reader Collision for Mobile
RFID," IEEE Transactions on Consumer Electronics, Vol. 57, No. 2, pp.
574-582, May 2011.
[9] E. Haselsteiner and K. Breitfu, "Security in Near field Communication
(NFC) Strengths and Weaknesses ," RFIDSec 2006, Jul. 2006.
[10] IEEE Std. 1363-2000, IEEE Standard Specifications for Public-Key
Cryptography, Jan. 2000.
[11] G. Calandriello, P. Papadimitratos, J.P. Hubaux, and A. Lioy, Efficient
and robust pseudonymous authentication in VANET," Proceedings of
the fourth ACM international workshop on Vehicular ad hoc networks
(VANET 2007), pp. 19-28, 2007.
[12] J.C.M. Teo, L.H. Ngoh, and H. Guo, "An Anonymous DoS-Resistant
Password-Based Authentication, Key Exchange and Pseudonym
Delivery Protocol for Vehicular Networks," Proceedings of the 2009
International Conference on Advanced Information Networking and
Applications (AINA 2009), pp. 675-682, May 2009.
[13] D. Eckhoff, C. Sommer, T. Gansen, R. German, and F. Dressler, "Strong
and affordable location privacy in VANETs: Identity diffusion using
time-slots and swapping," Proceedings of the 2010 IEEE Vehicular
Networking Conference (VNC 2010), pp. 174-181, Dec. 2010.
[14] J.-H. Lee, J. Chen, and T. Ernst, "Securing mobile network prefix
provisioning for NEMO based vehicular networks," Mathematical and
Computer Modelling, vol. 55, No. 1, pp. 170-187, Jan. 2012.
[15] R. Lu, X. Lin, H. Zhu, P.H. Ho, and X. Shen, "ECPP: Efficient
Conditional Privacy Preservation Protocol for Secure Vehicular
Communications," Proceedings of The27th Conference on Computer
Communications (INFOCOM 2008), pp. 1229-1237, Apr. 2008.
160 IEEE Transactions on Consumer Electronics, Vol. 59, No. 1, February 2013
[16] D. Huang, S. Misra, M. Verma, and G.Xue, "PACP: An Efficient
Pseudonymous Authentication-Based Conditional Privacy Protocol for
VANETs," IEEE Transactions on Intelligent Transportation Systems,
Vol. 12, No. 3, pp. 736-746, Sept. 2011.
[17] R.-J. Hwang, Y.-K. Hsiao, and Y.-F. Liu, "Secure Communication
Scheme of VANET with Privacy Preserving," Proceedings of the 2011
IEEE 17th International Conference on Parallel and Distributed Systems
(ICPADS 2011), pp. 654-659, Dec. 2011.
[18] GSMA, "Mobile NFC Technical Guidelines Version 1.0," Apr. 2007.
[19] GSMA, "Pay-Buy-Mobile Business Opportunity Analysis Public
White Paper Version 1.0," Nov. 2007.
[20] A. Chandrasekar, V.R. Rajasekar, and V. Vaasudevan, "Improved
authentication and key agreement protocol using elliptic curve
cryptography," International Journal of Computer Science and Security
(IJCSS), Vol. 3, Issue 4, pp. 325-333, Oct. 2009.


BIOGRAPHIES

Hasoo Eun (M'11) received the B.S. and M.S. degree in
Computer Science and Engineering from Hanyang
University, Korea, in 2010 and 2012, respectively. He is
currently working toward for the Ph.D. degree in
Computer Science and Engineering, Hanyang University,
Korea. His current research interests include mobile
security, NFC, and cryptography.















































Hoonjung Lee (M'10) received the B.S. degree in
computer science from Dankook University, Korea, in
2003, and received M.S. degree in computer science and
engineering from Hanyang University, Korea, in 2005.
He was a researcher at Handan BroadInfoCom, Korea,
from 2005 to 2009. He is currently working toward for
the Ph.D. degree in computer science and engineering,
Hanyang University. His research interests include Key
management, IPTV/DTV conditional access system, and cryptography.

Heekuck Oh (M'94) received his B.S. degree in
Electronics Engineering from Hanyang University in
1983. He received his M.S. and Ph.D. degrees in
Computer Science from Iowa State University in 1989
and 1992, respectively. In 1994, he joined the faculty of
the Department of Computer Science and Engineering,
Hanyang University, ERICA campus, where he is
currently a professor. His current research interests
include network security and cryptography. Prof. Oh is the senior executive
vice president of Korea Institute of Information Security & Cryptology, and is
a member of Advisory Committee for Digital Investigation in Supreme
Prosecutors' Office of the Republic of Korea. He is also a member of
Advisory Committee for Internet Security under Korea Communications
Commission. He is the corresponding author of this paper.