PQC Integration in eIDs

Currently, an almost overlooked, yet still one of the important usages of public key cryptography is also to be found in securing the communication of electronic personal documents such as the German electronic identity card (ePA) and electronic passport (ePassport). The connection establishment, authentication and encryption of the communication between the so called eCards and the service terminals depends on the security mechanisms of their security protocols and the underlying used cryptography. Normally, these documents are issued for citizens once every ten years. Therefore, these protocols need to soon adapt to the new PQC schemes, as the long term security of the data stored on them must not be jeopardized in the case of a sudden breakthrough in breaking the used cryptographic schemes.

The authenticity, as well as the security of the data stored on electronic documents is provided by means of several mechanisms and protocols. As defined in the specification documents of the BSI, Extended Access Control (EAC), Password Authenticated Connection Establishment (PACE), and Passive Authentication (PA) are currently the standard European Union (EU) protocols for establishing secure communication between electronic identity cards (eID), machine readable travel documents (MRTD), and service terminals. They serve the mutual authentication of the communication parties, as well as the verification of the terminal’s access to data stored on the proximity integrated circuit cards (PICC i.e. Chip Card). These protocols utilize different cryptographic procedures and primitives including hashing and compression, symmetric encryption, DH and ECDH key agreement, and RSA and ECDSA signatures.