Supplemental Access Control (PACE v2): Security Analysis of PACE Integrated Mapping

  • Jean-Sébastien Coron
  • Aline Gouget
  • Thomas Icart
  • Pascal Paillier
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6805)


We describe and analyze the password-based key establishment protocol PACE v2 Integrated Mapping (IM), an evolution of PACE v1 jointly proposed by Gemalto and Sagem Sécurité. PACE v2 IM enjoys the following properties:

  • patent-freeness (to the best of current knowledge in the field);

  • full resistance to dictionary attacks, secrecy and forward secrecy in the security model agreed upon by the CEN TC224 WG16 group;

  • optimal performances.

The PACE v2 IM protocol is intended to provide an alternative to the German PACE v1 protocol, which is also the German PACE v2 Generic Mapping (GM) protocol, proposed by the German Federal Office for Information Security (BSI). In this document, we provide

  • a description of PACE v2 IM,

  • a description of the security requirements one expects from a password-based key establishment protocol in order to support secure applications,

  • a security proof of PACE v2 IM in the so-called Bellare-Pointcheval-Rogaway (BPR) security model.


Integrate Mapping Elliptic Curve Random Oracle Security Model Random Oracle Model 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Patent Statement and Licensing Declaration Form for ITU-T/ITU-R Recommendation ISO/IEC Deliverable. Letter from Sagem Sécurité to ICAO New Technologies Working Group Iternational Civil Aviation Organization, Paris, (May 4, 2010)Google Scholar
  2. 2.
    Abdalla, M., Fouque, P.-A., Pointcheval, D.: Password-Based Authenticated Key Exchange in the Three-Party Setting. In: Vaudenay, S. (ed.) PKC 2005. LNCS, vol. 3386, pp. 65–84. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  3. 3.
    Abdalla, M., Pointcheval, D.: Simple Password-Based Encrypted Key Exchange Protocols. In: Menezes, A. (ed.) CT-RSA 2005. LNCS, vol. 3376, pp. 191–208. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  4. 4.
    Bellare, M., Pointcheval, D., Rogaway, P.: Authenticated Key Exchange Secure Against Dictionary Attacks. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 139–155. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  5. 5.
    Bellovin, S.M., Merritt, M.: Encrypted Key Exchange: Password-Based Protocols Secure Against Dictionary Attacks. In: Proceedings of the IEEE Symposium on Research in Security and Privacy, Oakland (1992)Google Scholar
  6. 6.
    Bellovin, S.M., Merritt, M.: Augmented Encrypted Key Exchange: A Password-Based Protocol Secure Against Dictionary Attacks and Password File Compromise. In: Proceedings of the 1st ACM Conference on Computer and Communications Security. ACM Press (1993)Google Scholar
  7. 7.
    Bender,J., Fischlin, M., Kuegler, D.: Security analysis of the pace key-agreement protocol. Cryptology ePrint Archive, Report 2009/624 (2009),
  8. 8.
    Boneh, D., Franklin, M.K.: Identity-Based Encryption From the Weil Pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 213–229. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  9. 9.
    Brier, E., Coron, J.S., Icart, T., Madore, D., Randriam, H., Tibouchi, M.: Efficient indifferentiable hashing into ordinary elliptic curves,
  10. 10.
    Federal Office for Information Security (BSI). Advanced security mechanism for Machine Readable Travle Documents – Extended Access Control (EAC), Password Authenticated Connection Establishment (PACE), and Restricted Identification (RI). BSI-TR-03110, Version 2.0 (2008)Google Scholar
  11. 11.
    ISO/IEC JTC1 SC17 WG3/TF5 for the International Civil Aviation Organization. Supplemental Access Control for Machine Readable Travel Documents. Technical Report (November 11, 2010)Google Scholar
  12. 12.
    Icart, T.: How to Hash into Elliptic Curves. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 303–316. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  13. 13.
    Jablon, D.: Cryptographic methods for remote authentication. Patent Number 6226383, Filed by Integrity Sciences, Inc. (2001)Google Scholar
  14. 14.
    Katz, J., Ostrovsky, R., Yung, M.: Efficient password-authenticated key exchange using human-memorable passwords. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 475. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  15. 15.
    Shoup, S.: Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332 (2004),

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Jean-Sébastien Coron
    • 1
  • Aline Gouget
    • 2
  • Thomas Icart
    • 1
  • Pascal Paillier
    • 2
  1. 1.Université du LuxembourgLuxembourgLuxembourg
  2. 2.GemaltoMeudonFrance

Personalised recommendations