Security Analysis of the PACE Key-Agreement Protocol

We analyze the Password Authenticated Connection Establishment (PACE) protocol for authenticated key agreement, recently proposed by the German Federal Office for Information Security (BSI) for deployment in machine-readable travel documents. We show that the PACE protocol is secure in the real-or-random sense of Abdalla, Fouque and Pointcheval, under a number-theoretic assumption related to the Diffie-Hellman problem and assuming random oracles and ideal ciphers.
