Paper 2013/223

The PACE|AA Protocol for Machine Readable Travel Documents, and its Security

Jens Bender, Özgür Dagdelen, Marc Fischlin, and Dennis Kügler


We discuss an efficient combination of the cryptographic protocols adopted by the International Civil Aviation Organization (ICAO) for securing the communication of machine readable travel documents and readers. Roughly, in the original protocol the parties first run the Password-Authenticated Connection Establishment (PACE) protocol to establish a shared key and then the reader (optionally) invokes the Active Authentication (AA) protocol to verify the passport's validity. Here, we show that by carefully re-using some of the secret data of the PACE protocol for the AA protocol one can save one exponentiation on the passports's side. We call this the PACE|AA protocol. We then formally prove that this more efficient combination not only preserves the desirable security properties of the two individual protocols but also increases privacy by preventing misuse of the challenge in the Active Authentication protocol. We finally discuss a solution which allows deniable authentication in the sense that the interaction cannot be used as a proof towards third parties.

Available format(s)
Cryptographic protocols
Publication info
Published elsewhere. An extended abstract of this work appears in Financial Cryptography and Data Security - 16th International Conference (FC 2013).
ePassportskey exchangedeniability
Contact author(s)
oezguer dagdelen @ cased de
2013-05-05: last of 2 revisions
2013-04-29: received
See all versions
Short URL
Creative Commons Attribution


      author = {Jens Bender and Özgür Dagdelen and Marc Fischlin and Dennis Kügler},
      title = {The PACE|AA Protocol for Machine Readable Travel Documents, and its Security},
      howpublished = {Cryptology ePrint Archive, Paper 2013/223},
      year = {2013},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.