
From PACE to PQC: The future of secure electronic passports – a conversation with Nouri Alnahawi


Interviews
By Alexander Neumann



On December 3, 2025, Elektor is hosting a conference on post-quantum cryptography and its significance for embedded and IoT systems. Ahead of the event, we spoke with one of the speakers, Nouri Alnahawi, research assistant and PhD candidate at Darmstadt University of Applied Sciences, about the importance of PQC in electronic Machine Readable Travel Document (eMRTD) applications.

Alexander Neumann: Why is the field of eMRTDs particularly relevant for PQC?

Nouri Alnahawi: On the one hand, eMRTDs contain highly sensitive personal data that is used to authenticate and verify both passports and their holders. On the other hand, this authentication is essential to detect passport theft, forgery and other types of impersonation attacks, and is thus also essential for border control. The current security and authentication mechanisms in the ICAO (International Civil Aviation Organization) standards make use of DH (Diffie–Hellman) or ECDH (Elliptic-curve Diffie–Hellman) based cryptography, including key agreement and signature verification. Therefore, eMRTDs are particularly affected by the threat of quantum computers.

Neumann: Can you briefly explain how PACE works and why it is currently used in eIDs and eMRTDs?

Alnahawi: Password Authenticated Connection Establishment (PACE) is essentially a password-authenticated key exchange protocol (PAKE) and acts as the first line of defense in a sequence of complex protocols run between a passport and a reader (e.g., at an airport terminal). PACE ensures that a secure channel is established for that communication before the passport or the terminal exchange any meaningful or personal data, including the certificates of both. That is, PACE lets both parties agree on a symmetric encryption key to protect the data exchanged later on, and also ensures that no attacker can access the highly sensitive personal data read from the eMRTD's protected memory sections and sent to the terminal for authentication.

Neumann: What are the particular challenges involved in replacing PACE with a PQC-based protocol?

Alnahawi: The most important challenge is the absence of a direct drop-in replacement for the famous DH key exchange in the PQC realm. In particular, NIST KEMs (Key-Encapsulation Mechanisms) are not directly applicable for a mutual non-interactive key agreement. Also, PQC schemes have higher memory demands and slower run times, which are probably too much for the resource-constrained hardware to handle, at least for the current generation of micro-controllers. PACE regulations (by ICAO, for example) pose requirements on the run time that cannot yet be met by PQC schemes.

Neumann: You tested ML-KEM as a PQC algorithm – why was it chosen?

Alnahawi: The choice of ML-KEM was primarily based on its early prospective standardization chances, even before the actual recent FIPS was published. That is, since no other NIST KEM was suggested concretely. More importantly, the performance and requirements of ML-KEM are much more suitable for small and embedded devices compared to the other KEMs (FrodoKEM or the code-based ones). So in summary, we wanted a standardized KEM that we could actually run in practice. We experimented with FrodoKEM a little since it will be an ISO standard at some point, but it’s currently infeasible to run it on embedded devices, let alone eMRTD micro-controllers.

Neumann: What role will hardware accelerators and extended memory play in future generations of eMRTDs?

Alnahawi: I’m not really an expert in implementation and optimization, but obviously there are already dedicated HW modules and accelerators for many symmetric crypto parts in micro-chips, and recent progress in lattice implementations has also managed to optimize many sub-routines such as polynomial multiplication, NTT, FFT, etc. Therefore, I think run time is not really the biggest issue for eMRTDs. Memory requirements, and also message sizes, are more of a problem, since current chips do not support costly computations in on-chip RAM, which is mainly the biggest requirement to run a PQC KEM ephemerally.

Flash memory is rather easier to deal with for static components. The message sizes imply multiple rounds of communication, which is not desired in eMRTDs for security aspects rather than performance. I believe this is more related to side-channel analysis or fault injection. But I cannot make a concrete statement, since we didn’t take the other crypto components (e.g., PKI certificates) into account in this short interview.

Neumann: How realistic is a global migration in the next few years – what are the biggest hurdles? Are there already initiatives or standards in place to prepare for this transition?

Alnahawi: To be honest, this is probably the hardest question to answer here. To illustrate, let’s first name a few stakeholders in this area: chip manufacturers, crypto implementers, crypto designers and experts, governments and standardization bodies (e.g., BSI in Germany), certificate authorities nationally and internationally, the ICAO, service providers and subcontractors (Bundesdruckerei, cryptovision, eviden and others). Maybe there are others I’m not aware of as well…

So, I really don’t know how realistic it is to assume that all of those entities are going to coordinate a migration. Probably, the most complex part is deploying a new PQC PKI that is also supported by the next-generation eMRTDs and airport terminals equipped with PQC as well. So far, all work on this topic is purely theoretical, and I think we were the first ones to actually try to implement a PQC PAKE as a PACE replacement on real-world devices. Our connections at the German BSI were clearly interested in our research, but they didn’t mention any concrete initiatives, to us at least.

For more information on Elektor’s online conference “Post-Quantum Cryptography” on 3 December, see the conference website.

Register today! (The Early-Bird discount is active until 17 November.)


Editor’s note: eeNews Europe is an Elektor International Media publication.
