Geodesic
On cryptographic properties of the $CVV$ and $PVV$ parameters generation procedures in payment systems
Matematičeskie voprosy kriptografii, Tome 9 (2018) no. 2, pp. 23-46 
L. R. Ahmetzyanova; E. K. Alekseev; G. A. Karpunin; S. V. Smyshlyaev. On cryptographic properties of the $CVV$ and $PVV$ parameters generation procedures in payment systems. Matematičeskie voprosy kriptografii, Tome 9 (2018) no. 2, pp. 23-46. http://geodesic.mathdoc.fr/item/MVK_2018_9_2_a2/
@article{MVK_2018_9_2_a2,
     author = {L. R. Ahmetzyanova and E. K. Alekseev and G. A. Karpunin and S. V. Smyshlyaev},
     title = {On cryptographic properties of the $CVV$ and $PVV$ parameters generation procedures in payment systems},
     journal = {Matemati\v{c}eskie voprosy kriptografii},
     pages = {23--46},
     year = {2018},
     volume = {9},
     number = {2},
     language = {en},
     url = {http://geodesic.mathdoc.fr/item/MVK_2018_9_2_a2/}
}
TY  - JOUR
AU  - L. R. Ahmetzyanova
AU  - E. K. Alekseev
AU  - G. A. Karpunin
AU  - S. V. Smyshlyaev
TI  - On cryptographic properties of the $CVV$ and $PVV$ parameters generation procedures in payment systems
JO  - Matematičeskie voprosy kriptografii
PY  - 2018
SP  - 23
EP  - 46
VL  - 9
IS  - 2
UR  - http://geodesic.mathdoc.fr/item/MVK_2018_9_2_a2/
LA  - en
ID  - MVK_2018_9_2_a2
ER  - 
%0 Journal Article
%A L. R. Ahmetzyanova
%A E. K. Alekseev
%A G. A. Karpunin
%A S. V. Smyshlyaev
%T On cryptographic properties of the $CVV$ and $PVV$ parameters generation procedures in payment systems
%J Matematičeskie voprosy kriptografii
%D 2018
%P 23-46
%V 9
%N 2
%U http://geodesic.mathdoc.fr/item/MVK_2018_9_2_a2/
%G en
%F MVK_2018_9_2_a2

Voir la notice de l'article provenant de la source Math-Net.Ru

Two important mechanisms to provide security of payment systems are the checks made with parameters $CVV$ and $PVV$. In the current paper the provable security approach is exploited to analyze the two-pass decimalization procedure used, for example, by VISA. It is shown that the standard method of upper estimating the insecurity does not allow to claim security of this procedure since it provides not very good bounds for probabilistic characteristics of practical parameters. Therefore this procedure is not recommended to be used in the MIR payment system. We propose a simple procedure as a replacement that turns out to be much more secure.

[1] Bellare M., Kilian J., Rogaway P., “The security of the cipher block chaining Message Authentication Code”, J. Comput. Syst. Sci., 61:3 (2000), 362–399 | DOI | MR | Zbl

[2] Nandi M., A simple and unified method of proving unpredictability, Cryptology eprint archive 2006/264, 2006 | MR

[3] Application Programmer's Guide, Appendix F. Cryptographic Algorithms and Processes, PIN Formats and Algorithms, VISA PIN Algorithms, , 2011 http://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.1.0/com.ibm.zos.v2r1.csfb400/csfb4za2598.htm

[4] Iwata T., Comments on “On the security of XCBC, TMAC and OMAC” by Mitchell, , 2003 https://pdfs.semanticscholar.org/21b0/c40d3a08ffce60b11721b3fdd2516f37dce8.pdf

[5] Bellare M., Rogaway P., Introduction to Modern Cryptography: Lecture Notes, , 2005, 283 pp. http://web.cs.ucdavis.edu/r̃ogaway/classes/227/spring05/book/main.pdf

[6] Dolmatov V., GOST 28147-89: Encryption, Decryption, and Message Authentication Code (MAC) Algorithms, RFC 5830, March 2010 https://tools.ietf.org/html/rfc5830