Security Analysis of the PACE Key-Agreement Protocol

  • Jens Bender
  • Marc Fischlin
  • Dennis Kügler
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5735)


We analyze the Password Authenticated Connection Establishment (PACE) protocol for authenticated key agreement, recently proposed by the German Federal Office for Information Security (BSI) for deployment in machine-readable travel documents. We show that the PACE protocol is secure in the real-or-random sense of Abdalla, Fouque and Pointcheval, under a number-theoretic assumption related to the Diffie-Hellman problem and assuming random oracles and ideal ciphers.




References

  1. Abdalla, M., Fouque, P.A., Pointcheval, D.: Password-based authenticated key exchange in the three-party setting. In: Vaudenay, S. (ed.) PKC 2005. LNCS, vol. 3386, pp. 65–84. Springer, Heidelberg (2005)
  2. Bellare, M., Pointcheval, D., Rogaway, P.: Authenticated key exchange secure against dictionary attacks. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 139–155. Springer, Heidelberg (2000)
  3. Abdalla, M., Bresson, E., Möller, O.C.B., Pointcheval, D.: Provably secure password-based authentication in TLS. In: ASIACCS 2006, pp. 35–45. ACM Press, New York (2006)
  4. Federal Office for Information Security (BSI): Advanced security mechanism for machine readable travel documents – extended access control (EAC), password authenticated connection establishment (PACE), and restricted identification (RI) (2008)
  5. Coron, J.S., Patarin, J., Seurin, Y.: The random oracle model and the ideal cipher model are equivalent. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 1–20. Springer, Heidelberg (2008)
  6. Canetti, R., Goldreich, O., Halevi, S.: The random oracle methodology, revisited. In: STOC 1998, pp. 209–218. ACM Press, New York (1998)
  7. Abdalla, M., Pointcheval, D.: Simple password-based authenticated key protocols. In: Menezes, A. (ed.) CT-RSA 2005. LNCS, vol. 3376, pp. 191–208. Springer, Heidelberg (2005)
  8. Shoup, V.: Lower bounds for discrete logarithms and related problems. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 256–266. Springer, Heidelberg (1997)
  9. Shallue, A., van de Woestijne, C.: Construction of rational points on elliptic curves over finite fields. In: Hess, F., Pauli, S., Pohst, M. (eds.) ANTS 2006. LNCS, vol. 4076, pp. 510–524. Springer, Heidelberg (2006)
  10. Icart, T.: How to hash into elliptic curves. In: Crypto 2009. LNCS. Springer, Heidelberg (2009)
  11. Abdalla, M., Pointcheval, D.: Interactive Diffie-Hellman assumptions with applications to password-based authentication. In: Patrick, A.S., Yung, M. (eds.) FC 2005. LNCS, vol. 3570, pp. 341–356. Springer, Heidelberg (2005)
  12. Szydlo, M.: A note on chosen-basis decisional Diffie-Hellman assumptions. In: Di Crescenzo, G., Rubin, A. (eds.) FC 2006. LNCS, vol. 4107, pp. 166–170. Springer, Heidelberg (2006)

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Jens Bender (1)
  • Marc Fischlin (2)
  • Dennis Kügler (1)

  1. Bundesamt für Sicherheit in der Informationstechnik (BSI), Germany
  2. Darmstadt University of Technology, Germany
