Security Analysis of the PACE Key-Agreement Protocol

The authors analyze the Password Authenticated Connection Establishment (PACE) protocol for authenticated key agreement, recently proposed by the German Federal Office for Information Security (BSI) for the deployment in machine readable travel documents. They show that the PACE protocol is secure in the real-or-random sense of Abdalla, Fouque and Pointcheval, under a number-theoretic assumption related to the Diffie-Hellman problem and assuming random oracles and ideal ciphers. Authenticated key exchange is a fundamental cryptographic protocol in which two parties, usually called the client and the server, establish a secure key.