Send email Copy Email Address

CTRL-PACE: Controlled Randomness for e-Passport Password Authentication


Security of many cryptographic protocols is conditioned by the quality of the random elements generated in the course of the protocol execution. On the other hand, cryptographic devices implementing these protocols are designed given technical limitations, usability requirements and cost constraints. This frequently results in a black box solution. Unfortunately, black box random number generators may enable creating backdoors for stealing signing keys, breaking authentication protocols and encrypted communication. In this paper we deal with this problem and extend our approach proposed during MYCRYPT’2016. The solution discussed is generating random parameters so that: (a) the protocols are backwards compatible (a user gets additional data that can be simply ignored), (b) verification of randomness might be executed any time without notice, so a device is forced to behave honestly, (c) the solution makes almost no intrusion in the existing protocols and is easy to implement, (d) the owner of a cryptographic device becomes secured against its designer and manufacturer that may even predict the output of the generator. In this paper we focus on a case when Diffie-Hellman protocol is executed for a generator that itself is a secret – this case has not been solved in our paper from MYCRYPT’2016. On the other hand, exactly this case occurs for the PACE protocol from the ICAO standard specifying electronic travel documents. For the sake of the proof we develop a framework of nested security games that aims to enable security proofs of modified protocols without redoing the proofs designed for their original versions.

Date published


Date last modified

2020-10-28 11:27:03