💾 Archived View for gemini.bortzmeyer.org › rfc-mirror › rfc9383.txt captured on 2024-06-16 at 13:41:08.
⬅️ Previous capture (2023-11-04)
-=-=-=-=-=-=-
Independent Submission T. Taubert Request for Comments: 9383 Apple Inc. Category: Informational C. A. Wood ISSN: 2070-1721 September 2023 SPAKE2+, an Augmented Password-Authenticated Key Exchange (PAKE) Protocol Abstract This document describes SPAKE2+, a Password-Authenticated Key Exchange (PAKE) protocol run between two parties for deriving a strong shared key with no risk of disclosing the password. SPAKE2+ is an augmented PAKE protocol, as only one party has knowledge of the password. This method is simple to implement, compatible with any prime-order group, and computationally efficient. This document was produced outside of the IETF and IRTF and represents the opinions of the authors. Publication of this document as an RFC in the Independent Submissions Stream does not imply endorsement of SPAKE2+ by the IETF or IRTF. Status of This Memo This document is not an Internet Standards Track specification; it is published for informational purposes. This is a contribution to the RFC Series, independently of any other RFC stream. The RFC Editor has chosen to publish this document at its discretion and makes no statement about its value for implementation or deployment. Documents approved for publication by the RFC Editor are not candidates for any level of Internet Standard; see Section 2 of RFC 7841. Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at https://www.rfc-editor.org/info/rfc9383. Copyright Notice Copyright (c) 2023 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Table of Contents 1. Introduction 2. Requirements Notation 3. Definition of SPAKE2+ 3.1. Protocol Overview 3.2. Offline Registration 3.3. Online Authentication 3.4. Key Schedule and Key Confirmation 4. Ciphersuites 5. IANA Considerations 6. Security Considerations 7. References 7.1. Normative References 7.2. Informative References Appendix A. Protocol Flow A.1. Prover A.2. Verifier A.3. Transcript Computation A.4. Key Schedule Computation A.5. Protocol Run Appendix B. Algorithm Used for Point Generation Appendix C. Test Vectors Acknowledgements Authors' Addresses 1. Introduction This document describes SPAKE2+, a Password-Authenticated Key Exchange (PAKE) protocol run between two parties for deriving a strong shared key with no risk of disclosing the password. SPAKE2+ is an augmented PAKE protocol, as only one party makes direct use of the password during the execution of the protocol. The other party only needs a record corresponding to the first party's registration at the time of the protocol execution instead of the password. This record can be computed once, during an offline registration phase. The party using the password directly would typically be a client and would act as a Prover, while the other party would be a server and would act as a Verifier. The protocol is augmented in the sense that it provides some resilience against the compromise or extraction of the registration record. The design of the protocol forces the adversary to recover the password from the record to successfully execute the protocol. Hence, this protocol can be advantageously combined with a salted Password Hashing Function to increase the cost of the recovery and slow down attacks. The record cannot be used directly to successfully run the protocol as a Prover, making this protocol more robust than balanced PAKEs, which don't benefit from Password Hashing Functions to the same extent. This augmented property is especially valuable in scenarios where the execution of the protocol is constrained and the adversary cannot query the salt of the Password Hashing Function ahead of the attack. For example, a constraint may be when physical proximity through a local network is required or when a first authentication factor is required for initiation of the protocol. This document has content split out from a related document, [RFC9382], which specifies SPAKE2. SPAKE2 is a symmetric PAKE protocol, where both parties have knowledge of the password. SPAKE2+ is the asymmetric or augmented version of SPAKE2, wherein only one party has knowledge of the password. SPAKE2+ is specified separately in this document because the use cases for symmetric and augmented PAKEs are different and therefore warrant different technical specifications. Neither SPAKE2 nor SPAKE2+ was selected as the result of the Crypto Forum Research Group (CFRG) PAKE selection competition. However, this password-based key exchange protocol appears in [TDH] and is proven secure in [SPAKE2P-Analysis]. It is compatible with any prime-order group and relies only on group operations, making it simple and computationally efficient. Thus, it was felt that publication was beneficial to make the protocol available for wider consideration. This document was produced outside of the IETF and IRTF and represents the opinions of the authors. Publication of this document as an RFC in the Independent Submissions Stream does not imply endorsement of SPAKE2+ by the IETF or IRTF. 2. Requirements Notation The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. 3. Definition of SPAKE2+ Let G be a group in which the computational Diffie-Hellman (CDH) problem is hard. Suppose G has order p*h where p is a large prime; h will be called the cofactor. Let I be the unit element in G, e.g., the point at infinity if G is an elliptic curve group. We denote the operations in the group additively. We assume that there is a representation of elements of G as byte strings: common choices would be SEC 1 uncompressed or compressed [SEC1] for elliptic curve groups or big-endian integers of a fixed (per-group) length for prime field DH. We fix a generator P of the (large) prime-order subgroup of G. P is specified in the document defining the group, and so we do not repeat it here. || denotes concatenation of strings. We also let len(S) denote the length of a string in bytes, represented as an eight-byte little- endian number. Finally, let nil represent an empty string, i.e., len(nil) = 0. KDF is a key derivation function that takes as input a salt, input keying material (IKM), info string, and derived key length L to derive a cryptographic key of length L. MAC is a Message Authentication Code algorithm that takes a secret key and message as input to produce an output. Let Hash be a hash function from arbitrary strings to bit strings of a fixed length. Common choices for Hash are SHA256 or SHA512 [RFC6234]. Section 4 specifies variants of KDF, MAC, and Hash suitable for use with the protocols contained herein. Let there be two parties, a Prover and a Verifier. Their identities, denoted as idProver and idVerifier, may also have digital representations such as Media Access Control addresses or other names (hostnames, usernames, etc.). The parties may share additional data (the context) separate from their identities, which they may want to include in the protocol transcript. One example of additional data is a list of supported protocol versions if SPAKE2+ were used in a higher-level protocol that negotiates the use of a particular PAKE. Another example is the inclusion of the application name. Including these data points would ensure that both parties agree upon the same set of supported protocols and therefore prevents downgrade and cross-protocol attacks. Specification of precise context values is out of scope for this document. 3.1. Protocol Overview SPAKE2+ is a two-round protocol that establishes a shared secret with an additional round for key confirmation. Prior to invocation, both parties are provisioned with information such as the input password needed to run the protocol. The registration phase may include communicating identities, protocol version, and other parameters related to the registration record; see Section 3.2 for details. During the first round, the Prover sends a public share, shareP, to the Verifier, which in turn responds with its own public share, shareV. Both parties then derive a shared secret used to produce encryption and authentication keys. The latter are used during the second round for key confirmation. (Section 3.4 details the key derivation and confirmation steps.) In particular, the Verifier sends a key confirmation message, confirmV, to the Prover, which in turn responds with its own key confirmation message, confirmP. (Note that shareV and confirmV MAY be sent in the same message.) Both parties MUST NOT consider the protocol complete prior to receipt and validation of these key confirmation messages. A sample trace is shown below. Prover Verifier | (registration) | |<- - - - - - - - - - - - ->| | | | (set up the protocol) | (compute shareP) | shareP | |-------------------------->| | shareV | (compute shareV) |<--------------------------| | | | (derive secrets) | (compute confirmV) | confirmV | |<--------------------------| (compute confirmP) | confirmP | |-------------------------->| 3.2. Offline Registration The registration phase computes the values w0 and w1, as well as the registration record L=w1*P. w0 and w1 are derived by hashing the password pw with the identities of the two participants. w0 and the record L are then shared with the Verifier and stored as part of the registration record associated with the Prover. The Prover SHOULD derive w0 and w1 from the password before the protocol begins. Both w0 and w1 are derived using a function with range [0, p-1], which is modeled as a random oracle in [SPAKE2P-Analysis]. The registration phase also produces two random elements, M and N, in the prime-order subgroup of G. The algorithm for selecting M and N is defined in Appendix B. Importantly, this algorithm chooses M and N such that their discrete logs are not known. Precomputed values for M and N are listed in Section 4 for each group. Applications MAY use different M and N values, provided they are computed, e.g., using different input seeds to the algorithm in Appendix B, as random elements for which the discrete log is unknown. Applications using this specification MUST define the method used to compute w0 and w1. For example, it may be necessary to carry out various forms of normalization of the password before hashing [RFC8265]. This section contains requirements and default recommendations for computing w0 and w1. The RECOMMENDED method for generating w0 and w1 is via a Password- Based Key Derivation Function (PBKDF), which is a function designed to slow down brute-force attackers. Brute-force resistance may be obtained through various computation hardness parameters such as memory or CPU cycles and are typically configurable. The scrypt [RFC7914] function and the Argon2id [RFC9106] function are common examples of PBKDFs. Absent an application-specific profile, RECOMMENDED parameters (N, r, p) for scrypt are (32768,8,1), and RECOMMENDED parameters for Argon2id are in Section 4 of [RFC9106]. Each half of the output of the PBKDF will be interpreted as an integer and reduced modulo p. To control bias, each half must be of length at least ceil(log2(p)) + k bits, with k >= 64. Reducing such integers mod p gives bias at most 2^-k for any p; this bias is negligible for any k >= 64. The minimum total output length of the PBKDF then is 2 * (ceil(log2(p)) + k) bits. For example, given the prime order of the P-256 curve, the output of the PBKDF SHOULD be at least 640 bits or 80 bytes. Given a PBKDF, password pw, and identities idProver and idVerifier, the RECOMMENDED method for computing w0 and w1 is as follows: w0s || w1s = PBKDF(len(pw) || pw || len(idProver) || idProver || len(idVerifier) || idVerifier) w0 = w0s mod p w1 = w1s mod p If an identity is unknown at the time of computing w0s or w1s, its length is given as zero and the identity itself is represented as an empty octet string. If both idProver and idVerifier are unknown, then their lengths are given as zero and both identities will be represented as empty octet strings. idProver and idVerifier are included in the transcript TT as part of the protocol flow. 3.3. Online Authentication The online SPAKE2+ protocol runs between the Prover and Verifier to produce a single shared secret upon completion. To begin, the Prover selects x uniformly at random from the integers in [0, p-1], computes the public share shareP=X, and transmits it to the Verifier. x <- [0, p-1] X = x*P + w0*M Upon receipt of X, the Verifier checks the received element for group membership and aborts if X is not in the large prime-order subgroup of G; see Section 6 for details. The Verifier then selects y uniformly at random from the integers in [0, p-1], computes the public share shareV=Y, and transmits it to the Prover. Upon receipt of Y, the Prover checks the received element for group membership and aborts if Y is not in the large prime-order subgroup of G. y <- [0, p-1] Y = y*P + w0*N Both participants compute Z and V; Z and V are then shared as common values. The Prover computes: Z = h*x*(Y - w0*N) V = h*w1*(Y - w0*N) The Verifier computes: Z = h*y*(X - w0*M) V = h*y*L The multiplication by the cofactor h prevents small subgroup confinement attacks. All proofs of security hold even if the discrete log of the fixed group element N is known to the adversary. In particular, one MAY set N=I, i.e., set N to the unit element in G. It is essential that both Z and V be used in combination with the transcript to derive the keying material. The protocol transcript encoding is shown below. TT = len(Context) || Context || len(idProver) || idProver || len(idVerifier) || idVerifier || len(M) || M || len(N) || N || len(shareP) || shareP || len(shareV) || shareV || len(Z) || Z || len(V) || V || len(w0) || w0 Context is an application-specific customization string shared between both parties and MUST precede the remaining transcript. It might contain the name and version number of the higher-level protocol, or simply the name and version number of the application. The context MAY include additional data such as the chosen ciphersuite and PBKDF parameters like the iteration count or salt. The context and its length prefix MAY be omitted. If an identity is absent, its length is given as zero and the identity itself is represented as an empty octet string. If both identities are absent, then their lengths are given as zero and both are represented as empty octet strings. In applications where identities are not implicit, idProver and idVerifier SHOULD always be non-empty. Otherwise, the protocol risks unknown key-share attacks (discussion of unknown key-share attacks in a specific protocol is given in [RFC8844]). Upon completion of this protocol, both parties compute shared secrets K_main, K_shared, K_confirmP, and K_confirmV as specified in Section 3.4. The Verifier MUST send a key confirmation message, confirmV, to the Prover so both parties can confirm that they agree upon these shared secrets. After receipt and verification of the Verifier's confirmation message, the Prover MUST respond with its confirmation message. The Verifier MUST NOT send application data to the Prover until it has received and verified the confirmation message. Key confirmation verification requires recomputation of confirmP or confirmV and checking for equality against the data that was received. 3.4. Key Schedule and Key Confirmation The protocol transcript TT, as defined in Section 3.3, is unique and secret to the participants. Both parties use TT to derive the shared symmetric secret K_main from the protocol. The length of K_main is equal to the length of the digest output, e.g., 256 bits for Hash() = SHA-256. The confirmation keys K_confirmP and K_confirmV, as well as the shared key K_shared, are derived from K_main. K_main = Hash(TT) K_confirmP || K_confirmV = KDF(nil, K_main, "ConfirmationKeys") K_shared = KDF(nil, K_main, "SharedKey") Neither K_main nor its derived confirmation keys are used for anything except key derivation and confirmation and MUST be discarded after the protocol execution. Applications MAY derive additional keys from K_shared as needed. The length of each confirmation key is dependent on the MAC function of the chosen ciphersuite. For HMAC, the RECOMMENDED key length is equal to the output length of the digest output, e.g., 256 bits for Hash() = SHA-256. For CMAC-AES, each confirmation key MUST be of length k, where k is the chosen AES key size, e.g., 128 bits for CMAC-AES-128. Both endpoints MUST employ a MAC that produces pseudorandom tags for key confirmation. K_confirmP and K_confirmV are symmetric keys used to compute tags confirmP and confirmV over the public key shares received from the other peer earlier. confirmP = MAC(K_confirmP, shareV) confirmV = MAC(K_confirmV, shareP) Once key confirmation is complete, applications MAY use K_shared as an authenticated shared secret as needed. For example, applications MAY derive one or more keys and nonces from K_shared, for use with Authenticated Encryption with Associated Data (AEAD) and subsequent application data encryption. 4. Ciphersuites This section documents SPAKE2+ ciphersuite configurations. A ciphersuite indicates a group, cryptographic hash algorithm, and pair of KDF and MAC functions, e.g., P256-SHA256-HKDF-HMAC-SHA256. This ciphersuite indicates a SPAKE2+ protocol instance over P-256 that uses SHA256 along with HKDF [RFC5869] and HMAC [RFC2104] for G, Hash, KDF, and MAC functions, respectively. Since the choice of PBKDF, its parameters for computing w0 and w1, and the distribution of w0 and w1 do not affect interoperability, the PBKDF is not included as part of the ciphersuite. If no MAC algorithm is used in the key confirmation phase, its respective column in Table 1 can be ignored and the ciphersuite name will contain no MAC identifier. +==============+==================+=============+==============+ | G | Hash | KDF | MAC | +==============+==================+=============+==============+ | P-256 | SHA256 [RFC6234] | HKDF-SHA256 | HMAC-SHA256 | | | | [RFC5869] | [RFC2104] | +--------------+------------------+-------------+--------------+ | P-256 | SHA512 [RFC6234] | HKDF-SHA512 | HMAC-SHA512 | | | | [RFC5869] | [RFC2104] | +--------------+------------------+-------------+--------------+ | P-384 | SHA256 [RFC6234] | HKDF-SHA256 | HMAC-SHA256 | | | | [RFC5869] | [RFC2104] | +--------------+------------------+-------------+--------------+ | P-384 | SHA512 [RFC6234] | HKDF-SHA512 | HMAC-SHA512 | | | | [RFC5869] | [RFC2104] | +--------------+------------------+-------------+--------------+ | P-521 | SHA512 [RFC6234] | HKDF-SHA512 | HMAC-SHA512 | | | | [RFC5869] | [RFC2104] | +--------------+------------------+-------------+--------------+ | edwards25519 | SHA256 [RFC6234] | HKDF-SHA256 | HMAC-SHA256 | | | | [RFC5869] | [RFC2104] | +--------------+------------------+-------------+--------------+ | edwards448 | SHA512 [RFC6234] | HKDF-SHA512 | HMAC-SHA512 | | | | [RFC5869] | [RFC2104] | +--------------+------------------+-------------+--------------+ | P-256 | SHA256 [RFC6234] | HKDF-SHA256 | CMAC-AES-128 | | | | [RFC5869] | [RFC4493] | +--------------+------------------+-------------+--------------+ | P-256 | SHA512 [RFC6234] | HKDF-SHA512 | CMAC-AES-128 | | | | [RFC5869] | [RFC4493] | +--------------+------------------+-------------+--------------+ Table 1 The following points represent permissible point generation seeds for the groups listed in Table 1, using the algorithm presented in Appendix B. These byte strings are compressed points as in [SEC1] for curves from [SEC1] and [RFC8032]. Note that these values are identical to those used in the companion SPAKE2 specification [RFC9382]. For P-256: M = 02886e2f97ace46e55ba9dd7242579f2993b64e16ef3dcab95afd497333d8fa12f seed: 1.2.840.10045.3.1.7 point generation seed (M) N = 03d8bbd6c639c62937b04d997f38c3770719c629d7014d49a24b4f98baa1292b49 seed: 1.2.840.10045.3.1.7 point generation seed (N) For P-384: M = 030ff0895ae5ebf6187080a82d82b42e2765e3b2f8749c7e05eba366434b363d3dc 36f15314739074d2eb8613fceec2853 seed: 1.3.132.0.34 point generation seed (M) N = 02c72cf2e390853a1c1c4ad816a62fd15824f56078918f43f922ca21518f9c543bb 252c5490214cf9aa3f0baab4b665c10 seed: 1.3.132.0.34 point generation seed (N) For P-521: M = 02003f06f38131b2ba2600791e82488e8d20ab889af753a41806c5db18d37d85608 cfae06b82e4a72cd744c719193562a653ea1f119eef9356907edc9b56979962d7aa seed: 1.3.132.0.35 point generation seed (M) N = 0200c7924b9ec017f3094562894336a53c50167ba8c5963876880542bc669e494b25 32d76c5b53dfb349fdf69154b9e0048c58a42e8ed04cef052a3bc349d95575cd25 seed: 1.3.132.0.35 point generation seed (N) For edwards25519: M = d048032c6ea0b6d697ddc2e86bda85a33adac920f1bf18e1b0c6d166a5cecdaf seed: edwards25519 point generation seed (M) N = d3bfb518f44f3430f29d0c92af503865a1ed3281dc69b35dd868ba85f886c4ab seed: edwards25519 point generation seed (N) For edwards448: M = b6221038a775ecd007a4e4dde39fd76ae91d3cf0cc92be8f0c2fa6d6b66f9a12 942f5a92646109152292464f3e63d354701c7848d9fc3b8880 seed: edwards448 point generation seed (M) N = 6034c65b66e4cd7a49b0edec3e3c9ccc4588afd8cf324e29f0a84a072531c4db f97ff9af195ed714a689251f08f8e06e2d1f24a0ffc0146600 seed: edwards448 point generation seed (N) 5. IANA Considerations This document has no IANA actions. 6. Security Considerations SPAKE2+ appears in [TDH] and is proven secure in [SPAKE2P-Analysis]. The ephemeral randomness used by the Prover and Verifier MUST be generated using a cryptographically secure Pseudorandom Number Generator (PRNG). Elements received from a peer MUST be checked for group membership: failure to properly deserialize and validate group elements can lead to attacks. An endpoint MUST abort the protocol if any received public value is not a member of the large prime-order subgroup of G. Multiplication of a public value V by the cofactor h will yield the identity element I whenever V is an element of a small-order subgroup. Consequently, the Prover and Verifier MUST abort the protocol upon receiving any value V such that V*h = I. Failure to do so may lead to subgroup confinement attacks. 7. References 7.1. Normative References [RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed- Hashing for Message Authentication", RFC 2104, DOI 10.17487/RFC2104, February 1997, <https://www.rfc-editor.org/info/rfc2104>. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <https://www.rfc-editor.org/info/rfc2119>. [RFC4493] Song, JH., Poovendran, R., Lee, J., and T. Iwata, "The AES-CMAC Algorithm", RFC 4493, DOI 10.17487/RFC4493, June 2006, <https://www.rfc-editor.org/info/rfc4493>. [RFC5480] Turner, S., Brown, D., Yiu, K., Housley, R., and T. Polk, "Elliptic Curve Cryptography Subject Public Key Information", RFC 5480, DOI 10.17487/RFC5480, March 2009, <https://www.rfc-editor.org/info/rfc5480>. [RFC5869] Krawczyk, H. and P. Eronen, "HMAC-based Extract-and-Expand Key Derivation Function (HKDF)", RFC 5869, DOI 10.17487/RFC5869, May 2010, <https://www.rfc-editor.org/info/rfc5869>. [RFC6234] Eastlake 3rd, D. and T. Hansen, "US Secure Hash Algorithms (SHA and SHA-based HMAC and HKDF)", RFC 6234, DOI 10.17487/RFC6234, May 2011, <https://www.rfc-editor.org/info/rfc6234>. [RFC8032] Josefsson, S. and I. Liusvaara, "Edwards-Curve Digital Signature Algorithm (EdDSA)", RFC 8032, DOI 10.17487/RFC8032, January 2017, <https://www.rfc-editor.org/info/rfc8032>. [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, <https://www.rfc-editor.org/info/rfc8174>. [RFC8265] Saint-Andre, P. and A. Melnikov, "Preparation, Enforcement, and Comparison of Internationalized Strings Representing Usernames and Passwords", RFC 8265, DOI 10.17487/RFC8265, October 2017, <https://www.rfc-editor.org/info/rfc8265>. [RFC9382] Ladd, W., "SPAKE2, a Password-Authenticated Key Exchange", RFC 9382, DOI 10.17487/RFC9382, September 2023, <https://www.rfc-editor.org/info/rfc9382>. [SEC1] Standards for Efficient Cryptography Group, "SEC 1: Elliptic Curve Cryptography", version 2.0, May 2009, <https://secg.org/sec1-v2.pdf>. [SPAKE2P-Analysis] Shoup, V., "Security analysis of SPAKE2+", March 2020, <https://eprint.iacr.org/2020/313.pdf>. [TDH] Cash, D., Kiltz, E., and V. Shoup, "The Twin-Diffie Hellman Problem and Applications", EUROCRYPT 2008, Lecture Notes in Computer Science, Volume 4965, pages 127-145, Springer-Verlag, Berlin, Germany, DOI 10.1007/978-3-540-78967-3_8, April 2008, <https://doi.org/10.1007/978-3-540-78967-3_8>. 7.2. Informative References [RFC7914] Percival, C. and S. Josefsson, "The scrypt Password-Based Key Derivation Function", RFC 7914, DOI 10.17487/RFC7914, August 2016, <https://www.rfc-editor.org/info/rfc7914>. [RFC8844] Thomson, M. and E. Rescorla, "Unknown Key-Share Attacks on Uses of TLS with the Session Description Protocol (SDP)", RFC 8844, DOI 10.17487/RFC8844, January 2021, <https://www.rfc-editor.org/info/rfc8844>. [RFC9106] Biryukov, A., Dinu, D., Khovratovich, D., and S. Josefsson, "Argon2 Memory-Hard Function for Password Hashing and Proof-of-Work Applications", RFC 9106, DOI 10.17487/RFC9106, September 2021, <https://www.rfc-editor.org/info/rfc9106>. Appendix A. Protocol Flow This section describes the flow of the SPAKE2+ protocol, including computations and mandatory checks performed by the Prover and Verifier. The constants M, N, P, p, and h are defined by the chosen ciphersuite. A.1. Prover The Prover implements two functions, ProverInit and ProverFinish, which are described below. def ProverInit(w0): // Compute Prover key share x <- [0, p-1] X = x*P + w0*M return (x, X) def ProverFinish(w0, w1, x, Y): if not_in_subgroup(Y): raise "invalid input" // Compute shared values Z = h*x*(Y - w0*N) V = h*w1*(Y - w0*N) return (Y, Z, V) A.2. Verifier The Verifier implements a single function, VerifierFinish, which is described below. def VerifierFinish(w0, L, X): if not_in_subgroup(X): raise "invalid input" // Compute Verifier key share y <- [0, p-1] Y = y*P + w0*N // Compute shared values Z = h*y*(X - w0*M) V = h*y*L return (Z, V) A.3. Transcript Computation Both the Prover and the Verifier share the same function to compute the protocol transcript, ComputeTranscript, which is described below. def ComputeTranscript(Context, idProver, idVerifier, shareP, shareV, Z, V, w0): TT = len(Context) || Context || len(idProver) || idProver || len(idVerifier) || idVerifier || len(M) || M || len(N) || N || len(shareP) || shareP || len(shareV) || shareV || len(Z) || Z || len(V) || V || len(w0) || w0 A.4. Key Schedule Computation Both the Prover and the Verifier share the same function to compute the key schedule, ComputeKeySchedule, which is described below. def ComputeKeySchedule(TT): K_main = Hash(TT) K_confirmP || K_confirmV = KDF(nil, K_main, "ConfirmationKeys") K_shared = KDF(nil, K_main, "SharedKey") return K_confirmP, K_confirmV, K_shared A.5. Protocol Run A full SPAKE2+ protocol run initiated by the Prover will look as follows, where Transmit and Receive are shorthand for sending and receiving a message to the peer: Prover(Context, idProver, idVerifier, w0, w1): (x, X) = ProverInit(w0) Transmit(X) Y = Receive() (Z, V) = ProverFinish(w0, w1, x, Y) TT = ComputeTranscript(Context, idProver, idVerifier, X, Y, Z, V, w0) (K_confirmP, K_confirmV, K_shared) = ComputeKeySchedule(TT) expected_confirmV = MAC(K_confirmV, X) confirmV = Receive() if not_equal_constant_time(expected_confirmV, confirmV): raise "invalid confirmation message" confirmP = MAC(K_confirmP, Y) Transmit(confirmP) return K_shared Verifier(Context, idProver, idVerifier, w0, L): X = Receive() (Y, Z, V) = VerifierFinish(w0, L, X) Transmit(Y) TT = ComputeTranscript(Context, idProver, idVerifier, X, Y, Z, V, w0) (K_confirmP, K_confirmV, K_shared) = ComputeKeySchedule(TT) confirmV = MAC(K_confirmV, X) Transmit(confirmV) expected_confirmP = MAC(K_confirmP, Y) confirmP = Receive() if not_equal_constant_time(expected_confirmP, confirmP): raise "invalid confirmation message" return K_shared Appendix B. Algorithm Used for Point Generation This section describes the algorithm that was used to generate the points M and N in Table 1 (Section 4). This algorithm produces M and N such that they are indistinguishable from two random points in the prime-order subgroup of G, where the discrete log of these points is unknown. See [SPAKE2P-Analysis] for additional details on this requirement. For each curve in Table 1, we construct a string using the curve OID from [RFC5480] (as an ASCII string) or its name, combined with the needed constant -- for instance, "1.3.132.0.35 point generation seed (M)" for P-521. This string is turned into a series of blocks by hashing with SHA256, and hashing that output again to generate the next 32 bytes, and so on. This pattern is repeated for each group and value, with the string modified appropriately. A byte string of length equal to that of an encoded group element is constructed by concatenating as many blocks as are required, starting from the first block, and truncating to the desired length. The byte string is then formatted as required for the group. In the case of Weierstrass curves, we take the desired length as the length for representing a compressed point (Section 2.3.4 of [SEC1]) and use the low-order bit of the first byte as the sign bit. In order to obtain the correct format, the value of the first byte is set to 0x02 or 0x03 (clearing the first six bits and setting the seventh bit), leaving the sign bit as it was in the byte string constructed by concatenating hash blocks. For the curves described in [RFC8032], a different procedure is used. For edwards448, the 57-byte input has the least-significant 7 bits of the last byte set to zero, and for edwards25519, the 32-byte input is not modified. For both of the curves described in [RFC8032], the (modified) input is then interpreted as the representation of the group element. If this interpretation yields a valid group element with the correct order (p), the (modified) byte string is the output. Otherwise, the initial hash block is discarded and a new byte string constructed from the remaining hash blocks. The procedure for constructing a byte string of the appropriate length, formatting it as required for the curve, and checking to see if it is a valid point of the correct order is repeated until a valid element is found. The following Python snippet generates the above points, assuming an elliptic curve implementation following the interface of Edwards25519Point.stdbase() and Edwards448Point.stdbase() in Appendix A of [RFC8032]: def iterated_hash(seed, n): h = seed for i in range(n): h = hashlib.sha256(h).digest() return h def bighash(seed, start, sz): n = -(-sz // 32) hashes = [iterated_hash(seed, i) for i in range(start, start + n)] return b''.join(hashes)[:sz] def canon_pointstr(ecname, s): if ecname == 'edwards25519': return s elif ecname == 'edwards448': return s[:-1] + bytes([s[-1] & 0x80]) else: return bytes([(s[0] & 1) | 2]) + s[1:] def gen_point(seed, ecname, ec): for i in range(1, 1000): hval = bighash(seed, i, len(ec.encode())) pointstr = canon_pointstr(ecname, hval) try: p = ec.decode(pointstr) if p != ec.zero_elem() and p * p.l() == ec.zero_elem(): return pointstr, i except Exception: pass Appendix C. Test Vectors This section contains various test vectors for SPAKE2+. (The choice of PBKDF is omitted, and values for w0 and w1 are provided directly.) All points are encoded using the uncompressed format, i.e., with a 0x04 octet prefix, specified in [SEC1]. idProver and idVerifier identity strings are provided in the protocol invocation. [Context=b'SPAKE2+-P256-SHA256-HKDF-SHA256-HMAC-SHA256 Test Vectors '] [idProver=b'client'] [idVerifier=b'server'] w0 = 0xbb8e1bbcf3c48f62c08db243652ae55d3e5586053fca77102994f23ad9549 1b3 w1 = 0x7e945f34d78785b8a3ef44d0df5a1a97d6b3b460409a345ca7830387a74b1 dba L = 0x04eb7c9db3d9a9eb1f8adab81b5794c1f13ae3e225efbe91ea487425854c7f c00f00bfedcbd09b2400142d40a14f2064ef31dfaa903b91d1faea7093d835966efd x = 0xd1232c8e8693d02368976c174e2088851b8365d0d79a9eee709c6a05a2fad5 39 shareP = 0x04ef3bd051bf78a2234ec0df197f7828060fe9856503579bb17330090 42c15c0c1de127727f418b5966afadfdd95a6e4591d171056b333dab97a79c7193e3 41727 y = 0x717a72348a182085109c8d3917d6c43d59b224dc6a7fc4f0483232fa6516d8 b3 shareV = 0x04c0f65da0d11927bdf5d560c69e1d7d939a05b0e88291887d679fcad ea75810fb5cc1ca7494db39e82ff2f50665255d76173e09986ab46742c798a9a6843 7b048 Z = 0x04bbfce7dd7f277819c8da21544afb7964705569bdf12fb92aa388059408d5 0091a0c5f1d3127f56813b5337f9e4e67e2ca633117a4fbd559946ab474356c41839 V = 0x0458bf27c6bca011c9ce1930e8984a797a3419797b936629a5a937cf2f11c8 b9514b82b993da8a46e664f23db7c01edc87faa530db01c2ee405230b18997f16b68 TT = 0x38000000000000005350414b45322b2d503235362d5348413235362d484b4 4462d5348413235362d484d41432d534841323536205465737420566563746f72730 600000000000000636c69656e7406000000000000007365727665724100000000000 00004886e2f97ace46e55ba9dd7242579f2993b64e16ef3dcab95afd497333d8fa12 f5ff355163e43ce224e0b0e65ff02ac8e5c7be09419c785e0ca547d55a12e2d20410 000000000000004d8bbd6c639c62937b04d997f38c3770719c629d7014d49a24b4f9 8baa1292b4907d60aa6bfade45008a636337f5168c64d9bd36034808cd564490b1e6 56edbe7410000000000000004ef3bd051bf78a2234ec0df197f7828060fe98565035 79bb1733009042c15c0c1de127727f418b5966afadfdd95a6e4591d171056b333dab 97a79c7193e341727410000000000000004c0f65da0d11927bdf5d560c69e1d7d939 a05b0e88291887d679fcadea75810fb5cc1ca7494db39e82ff2f50665255d76173e0 9986ab46742c798a9a68437b048410000000000000004bbfce7dd7f277819c8da215 44afb7964705569bdf12fb92aa388059408d50091a0c5f1d3127f56813b5337f9e4e 67e2ca633117a4fbd559946ab474356c4183941000000000000000458bf27c6bca01 1c9ce1930e8984a797a3419797b936629a5a937cf2f11c8b9514b82b993da8a46e66 4f23db7c01edc87faa530db01c2ee405230b18997f16b682000000000000000bb8e1 bbcf3c48f62c08db243652ae55d3e5586053fca77102994f23ad95491b3 K_main = 0x4c59e1ccf2cfb961aa31bd9434478a1089b56cd11542f53d3576fb6c2 a438a29 K_confirmP = 0x871ae3f7b78445e34438fb284504240239031c39d80ac23eb5ab9 be5ad6db58a K_confirmV = 0xccd53c7c1fa37b64a462b40db8be101cedcf838950162902054e6 44b400f1680 HMAC(K_confirmP, shareV) = 0x926cc713504b9b4d76c9162ded04b5493e89109 f6d89462cd33adc46fda27527 HMAC(K_confirmV, shareP) = 0x9747bcc4f8fe9f63defee53ac9b07876d907d55 047e6ff2def2e7529089d3e68 K_shared = 0x0c5f8ccd1413423a54f6c1fb26ff01534a87f893779c6e68666d772 bfd91f3e7 [Context=b'SPAKE2+-P256-SHA512-HKDF-SHA512-HMAC-SHA512 Test Vectors '] [idProver=b'client'] [idVerifier=b'server'] w0 = 0x1cc5207d6e34b8f7828206fb64b86aa9c712bc952abf251bb9f5856b24d8c 8cc w1 = 0x4279649e62532b01dc27d2ed39100ba350518fb969672061a01edce752d0e 672 L = 0x043a348ad475d2200d46df876f1eb2e136056da31dafff52cc7762bf3be84d e0097c4e69b0b9321326af1f0af4a14561a9c7b640cb5afd6822d14cb34830fc4511 x = 0xb586ab83f175c1a2b56b6a1b6a283523f88a9befcf11e22efb48e2ee1fe69a 23 shareP = 0x04a7928c4b47f6b8657a5b8ebcb6f1bd266192e152fb9745a4180c946 57a2f323b4d50d536c0325cdb0ec42c9bd8db8d7af3ff6dc85edb4b5365375c62e09 def4a y = 0xac1fb828f041782d452ea9cc00c3fa34a55fa8f7f98c04be45a3d607b092d4 41 shareV = 0x04498c29e37dbd53ebf8db76679901d90c6be3af57f46ac3025b32420 839f0489c6c3b6bf5ddc8ecbc3d7c83d0891ad814a00ad23eba13197c9d96a5b1027 5e35d Z = 0x04a81e31be54283cee81bf7bdc877764b6b2ac6a399f1176380aac8a82172c 18051aa17dfcf438896ad253f53b52cd45ec2c7399488a919bcfcfecc0261cbf5284 V = 0x04de0a53f96cbe4abcd31c1e0a23ea6f169c162dc5a007393c8fcddd2abd5d 518bb2d9734b1d2dfce3fd916e991ab9dc3a2760d439c083eb39b65408857d2bb4aa TT = 0x38000000000000005350414b45322b2d503235362d5348413531322d484b4 4462d5348413531322d484d41432d534841353132205465737420566563746f72730 600000000000000636c69656e7406000000000000007365727665724100000000000 00004886e2f97ace46e55ba9dd7242579f2993b64e16ef3dcab95afd497333d8fa12 f5ff355163e43ce224e0b0e65ff02ac8e5c7be09419c785e0ca547d55a12e2d20410 000000000000004d8bbd6c639c62937b04d997f38c3770719c629d7014d49a24b4f9 8baa1292b4907d60aa6bfade45008a636337f5168c64d9bd36034808cd564490b1e6 56edbe7410000000000000004a7928c4b47f6b8657a5b8ebcb6f1bd266192e152fb9 745a4180c94657a2f323b4d50d536c0325cdb0ec42c9bd8db8d7af3ff6dc85edb4b5 365375c62e09def4a410000000000000004498c29e37dbd53ebf8db76679901d90c6 be3af57f46ac3025b32420839f0489c6c3b6bf5ddc8ecbc3d7c83d0891ad814a00ad 23eba13197c9d96a5b10275e35d410000000000000004a81e31be54283cee81bf7bd c877764b6b2ac6a399f1176380aac8a82172c18051aa17dfcf438896ad253f53b52c d45ec2c7399488a919bcfcfecc0261cbf5284410000000000000004de0a53f96cbe4 abcd31c1e0a23ea6f169c162dc5a007393c8fcddd2abd5d518bb2d9734b1d2dfce3f d916e991ab9dc3a2760d439c083eb39b65408857d2bb4aa20000000000000001cc52 07d6e34b8f7828206fb64b86aa9c712bc952abf251bb9f5856b24d8c8cc K_main = 0x527613439c279a375c116342a4216a8d92441d2fe1921dd1e60f140b2 855916ccac7db4dbf22bd56e344a8cd506d08949bde1e9d83c24d68ff4246458dc14 288 K_confirmP = 0x0aa129d7b82067c2a9607677c9c4fdedc1cd7cfed9ff72c54c0ae bb2b1a8aa915b96834b2986725c6040852ceaafbb17d638a715198f795654eac89bf 0739878 K_confirmV = 0xa1f1038de30a8c12d43d06c27d362daa9699249e941faa2d5cbc5 9a9683bf42aed9537818245677fdb54b5274506542994f4a83455f6d7b3af5ec017f aa58f61 HMAC(K_confirmP, shareV) = 0x6b2469b56cf8ac3f94a8d0b533380ea6b3d0f46 b3e12ee82550d49e129c2412728c9437a64ee5f80c8cdc5e8a30faa0a6deb8a52513 46ba81bb6fc955b2304fc HMAC(K_confirmV, shareP) = 0x154174fc278a935e290b3352ba877e179fa9281 c0a76928faea703c72d383b267511a5cf084cb07147efece94e3cfd91944e7baab85 6858fbebc087167b0f409 K_shared = 0x11887659d9e002f34fa6cc270d33570f001b2a3fc0522b643c07327 d09a4a9f47aab85813d13c585b53adf5ac9de5707114848f3dc31a4045f69a2cc197 2b098 [Context=b'SPAKE2+-P384-SHA256-HKDF-SHA256-HMAC-SHA256 Test Vectors '] [idProver=b'client'] [idVerifier=b'server'] w0 = 0x097a61cbb1cee72bb654be96d80f46e0e3531151003903b572fc193f23377 2c23c22228884a0d5447d0ab49a656ce1d2 w1 = 0x18772816140e6c3c3938a693c600b2191118a34c7956e1f1cd5b0d519b56e a5858060966cfaf27679c9182129949e74f L = 0x04f27dd5384d6b9beb4c5022c94b1978d632779e1d3abe458611e734a529d0 04e25053398e5dc9eeaa4ffa59743ca7ddbc0e7ce69155295cb2b846da83ee6a4449 0dd8e96bb0b0f6645281bfd978dd5f6836561ea0d8b2c045ff04cef2e5873d2c x = 0x2f1bdbeda162ff2beba0293d3cd3ae95f663c53663378c7e18ee8f56a4a48b 00d31ce0ef43606548da485058f12e8e73 shareP = 0x049fb0404ca7ce71fb85d3aaa8fd05fa054affac996135bc245149be0 9571e43e2bf76e00d6d52ac452b8224f6b9da31420a4f5e214b377546daad4d61da5 ca0cfdea59a5a92ebdb6b42da5d14663b8d1f9eb97050139ab89788e0ada27b048fc f y = 0xbbcaf02404a16ed4fa73b183f703a8d969386f3d34f5e98b3a904e760512f1 1757f07dfcf87a2ada8fc6d028445bd53e shareV = 0x0493b1c1f6a30eac4ac4a15711e44640bae3576787627ee2541104298 1e94b2e9604b9374f66bb247bc431759212ef3fa0a20c087863b89efb32219e1337c e94be2175f8cb9fd50cf0b84772717fd063c52b69de1229a01ab840b55993287f32e d Z = 0x048cd880e5147e49b42b5754c1bc6d2091ad414789bc3b030f2d787ea480f3 e35d0fa0d02d0dd06fee7f242b702a2d984efd79c76d99ab35b99e359a205cea56bb a8dd8f995c101a69a5157686d1cf6a7288d7cff2f2a9748db99b24f646ea7b37 V = 0x041c3c9cc38b03a06a49cf17cc5e7754cf1ccbbc6fffc0ddf1a6e23f57294a 25d96f7da5ce4ac0a617c78502f2f235a5fcf2f76a62385434ed2b6e95521b41eff3 c4ce93ecf8fb32005dd76335d0a7c78153257288d7fde1a22d404f5d73d068e2 TT = 0x38000000000000005350414b45322b2d503338342d5348413235362d484b4 4462d5348413235362d484d41432d534841323536205465737420566563746f72730 600000000000000636c69656e7406000000000000007365727665726100000000000 000040ff0895ae5ebf6187080a82d82b42e2765e3b2f8749c7e05eba366434b363d3 dc36f15314739074d2eb8613fceec285397592c55797cdd77c0715cb7df2150220a0 119866486af4234f390aad1f6addde5930909adc67a1fc0c99ba3d52dc5dd6100000 00000000004c72cf2e390853a1c1c4ad816a62fd15824f56078918f43f922ca21518 f9c543bb252c5490214cf9aa3f0baab4b665c10c38b7d7f4e7f320317cd717315a79 7c7e02933aef68b364cbf84ebc619bedbe21ff5c69ea0f1fed5d7e3200418073f406 100000000000000049fb0404ca7ce71fb85d3aaa8fd05fa054affac996135bc24514 9be09571e43e2bf76e00d6d52ac452b8224f6b9da31420a4f5e214b377546daad4d6 1da5ca0cfdea59a5a92ebdb6b42da5d14663b8d1f9eb97050139ab89788e0ada27b0 48fcf61000000000000000493b1c1f6a30eac4ac4a15711e44640bae3576787627ee 25411042981e94b2e9604b9374f66bb247bc431759212ef3fa0a20c087863b89efb3 2219e1337ce94be2175f8cb9fd50cf0b84772717fd063c52b69de1229a01ab840b55 993287f32ed6100000000000000048cd880e5147e49b42b5754c1bc6d2091ad41478 9bc3b030f2d787ea480f3e35d0fa0d02d0dd06fee7f242b702a2d984efd79c76d99a b35b99e359a205cea56bba8dd8f995c101a69a5157686d1cf6a7288d7cff2f2a9748 db99b24f646ea7b376100000000000000041c3c9cc38b03a06a49cf17cc5e7754cf1 ccbbc6fffc0ddf1a6e23f57294a25d96f7da5ce4ac0a617c78502f2f235a5fcf2f76 a62385434ed2b6e95521b41eff3c4ce93ecf8fb32005dd76335d0a7c78153257288d 7fde1a22d404f5d73d068e23000000000000000097a61cbb1cee72bb654be96d80f4 6e0e3531151003903b572fc193f233772c23c22228884a0d5447d0ab49a656ce1d2 K_main = 0x61370f8bf65e0df7e9a7b2c2289be1ee4b5dd6c21f4b85165730700c4 4ce30af K_confirmP = 0x2c8940419d94e53d5d240801e702c4658531aa7a9f14ec75f0d67 f12fa84196c K_confirmV = 0x8e74afe16c53a44590ad6bf43aa89324978b8f20014336675f618 387f99f3fdc HMAC(K_confirmP, shareV) = 0x7ae825e242a5a1f86ad7db172c2c12fcb458b6a 2b1ddfc96b2b7cfd2eed5f7ab HMAC(K_confirmV, shareP) = 0x1581062167d6a3d14493447cd170d408f6fdc58 e31225438db86214167426a7a K_shared = 0x99758e838ae1a856589689fb55b6befe4e2382e6ebbeca1a6232a68 f9dc04c1a [Context=b'SPAKE2+-P384-SHA512-HKDF-SHA512-HMAC-SHA512 Test Vectors '] [idProver=b'client'] [idVerifier=b'server'] w0 = 0xb8d44a0982b88abe19b724d4bdafba8c90dc93130e0bf4f8062810992326d a126fd01db53e40250ca33a3ff302044cb0 w1 = 0x2373e2071c3bb2a6d53ece57830d56f8080189816803c22375d6a4a514f9d 161b64d0f05b97735b98b348f9b33cc2e30 L = 0x049ca7217ff6456bb2e2bcf71b31d9b1e5ed6e0c9700936ae617e990cee87e e1ce3a03629dd5532948c39b89f38b39f13c7f513c5b1ada00f6533a4a8b02b9cd04 e1b2a5db1f24ec5fe959198a19666037e04b768cc02e75ac9da0048736db6e5b x = 0x5a835d52714f30d2ef539268b89df9558628400063dfa0e41eb979066f4caf 409bbf7aab3ddddea13f1b070a1827d3d4 shareP = 0x042f382eef464a2c9aecfdf4b81d25c4de2de113ba67405ce336c762c 69217ae7e27bda875144140d7536c4cc08b9b4dace5f872a6a2ed57f34042688ad3c 5d446c187dc0caf9cea812df3a4dd6fdbc64b9d7d7d7ff4bf6965abb06eeb108d55e e y = 0xc883ee5b08cf7ba122038c279459ab1a730f85f2d624a02732d519faab56a4 98e773a8dec6c447ed02d5c00303a18bc4 shareV = 0x04d72e11eee332305062454c0a058b8103a3304785d445510cd8d101e 9cb44cfb159cb7b72123abaf719ab1c42e0558c84c14b0886e8b446e4c880bff2f4b 291fafafc748cb4115824e66732bdeba7fae176388e228ab9d7546255994ca3fb5a5 2 Z = 0x043cb63f5fcb573cf3e2ee40bca5fbc1f00ff2554caab3790329184c45ed69 c39b2e1323bc13c8f821b844feb5921b1470e7b3f70bd10508e5de6db157305badf8 20fa28d68742d8287fb201383a8deec70d5bcf2a61498a481290ed8cc94ab3a0 V = 0x0468604d188f4da560ddaaece126abe40f5de255f8af093c7c3aff71f95d90 92804426127d73d46a817085e9095de6bcf30733a5124a98f567148efe92a7134994 0c7244623247d33a8b78cbc9a53cd45bb22430f318a635084d1840c905f236c8 TT = 0x38000000000000005350414b45322b2d503338342d5348413531322d484b4 4462d5348413531322d484d41432d534841353132205465737420566563746f72730 600000000000000636c69656e7406000000000000007365727665726100000000000 000040ff0895ae5ebf6187080a82d82b42e2765e3b2f8749c7e05eba366434b363d3 dc36f15314739074d2eb8613fceec285397592c55797cdd77c0715cb7df2150220a0 119866486af4234f390aad1f6addde5930909adc67a1fc0c99ba3d52dc5dd6100000 00000000004c72cf2e390853a1c1c4ad816a62fd15824f56078918f43f922ca21518 f9c543bb252c5490214cf9aa3f0baab4b665c10c38b7d7f4e7f320317cd717315a79 7c7e02933aef68b364cbf84ebc619bedbe21ff5c69ea0f1fed5d7e3200418073f406 100000000000000042f382eef464a2c9aecfdf4b81d25c4de2de113ba67405ce336c 762c69217ae7e27bda875144140d7536c4cc08b9b4dace5f872a6a2ed57f34042688 ad3c5d446c187dc0caf9cea812df3a4dd6fdbc64b9d7d7d7ff4bf6965abb06eeb108 d55ee610000000000000004d72e11eee332305062454c0a058b8103a3304785d4455 10cd8d101e9cb44cfb159cb7b72123abaf719ab1c42e0558c84c14b0886e8b446e4c 880bff2f4b291fafafc748cb4115824e66732bdeba7fae176388e228ab9d75462559 94ca3fb5a526100000000000000043cb63f5fcb573cf3e2ee40bca5fbc1f00ff2554 caab3790329184c45ed69c39b2e1323bc13c8f821b844feb5921b1470e7b3f70bd10 508e5de6db157305badf820fa28d68742d8287fb201383a8deec70d5bcf2a61498a4 81290ed8cc94ab3a061000000000000000468604d188f4da560ddaaece126abe40f5 de255f8af093c7c3aff71f95d9092804426127d73d46a817085e9095de6bcf30733a 5124a98f567148efe92a71349940c7244623247d33a8b78cbc9a53cd45bb22430f31 8a635084d1840c905f236c83000000000000000b8d44a0982b88abe19b724d4bdafb a8c90dc93130e0bf4f8062810992326da126fd01db53e40250ca33a3ff302044cb0 K_main = 0x571af2e9a0bf4b354cca18d713f8a84315a46c999ceb92ca6a88b8a6d 615795140862dbccd6fdc0abecc5956c43f8ab40343a22fc1b91752cb7c2737dab90 41e K_confirmP = 0x6c8c7fc6becf3bc07f081b4f7f867bec76fd8eeddbd7968356723 bae701e04f35f800e647dfa013b2876958efe0ce68e7595ba46f1de0b17adfc02dfe 3f18a18 K_confirmV = 0x2d0c9702a0f5536bacddd596eb6ea365d17f176db30081b97b83e 05bb87e9a36c0565b7616251c93bc76c76fc5c3531a28db40779d986d4e7b71a24c4 3fbc731 HMAC(K_confirmP, shareV) = 0x7f806ae56ea3e49a8b16ffee528086489418913 641f529d50ff92aa456ad4648e522f9540b403bff6bd94ee1adc95c7d1b2666f7ba6 f9c10748bc7bfb4181d27 HMAC(K_confirmV, shareP) = 0x8daa262decb79cceda4421f4f8dacf22ec027c0 8e036f071beea563c8e00813a29807963ff9d7d6bbff48dd5bdcdd9ca9fd7ffc272b 162258d981913f7253dcb K_shared = 0x31e0075a823b9269af5769d71ef3b2f5001cbfe044584fe8551124a 217dad078415630bf3eda16b5a38341d418a6d72b3960f818a0926f0de88784b59d6 a694b [Context=b'SPAKE2+-P521-SHA512-HKDF-SHA512-HMAC-SHA512 Test Vectors '] [idProver=b'client'] [idVerifier=b'server'] w0 = 0x009c79bcd7656716314fca5a6e2c5cda7ef86131399438e012a043051e863 f60b5aeb3c101731e1505e721580f48535a9b0456b231b9266ae6fff49ee90d25f72 f5f w1 = 0x01632c15f51fcd916cd79e19075f8a69b72b0099922ad62ff8d540b469569 f0aa027047aed2b3f242ea0ac4288b4e4db6a4e5946d8ad32b42192c5aa66d9ef8e1 b33 L = 0x040135072d0fa36f9e80031294cef5c3c35b882a0efa2c66570d64a49f8bec 6c66435bf65bb7c7b2a3e7dece491e02b4d567e7087dbc32fe0fae8af417dcb50be6 d704012a194588b690e6d3db492656f72ddea01fc1c7fcec0f5d34a5af0102939f6f deae39c20cff74fcdb7f09855f0fc9520d20b0520b0b096b8d42c7c3d68b4a66f751 x = 0x00b69e3bb15df82c9fa0057461334e2c66ab92fc9b8d3662eec81216ef5ddc 4a43f19e90dedaa2d72502f69673a115984ffcf88e03a9364b07102114c5602cd93c 69 shareP = 0x0400a14431edf6852ff5fe868f8683e16e9e0a45d9e27f9a96442285a c6b161fc0bf267362a5ffb06f9cbd14b7a37e492146d77cae4c77812df00a91dbae0 9e27e1fac00ae019317ef9768548325bca35ce258e6206fe03c6338b2eb889d09d9f 11400a36cf6328a7e1f81c6c7a2af7ff1d9b5210768318f27e57b75b39b9fbfc7b37 a60ab y = 0x0056d01c5246fbde964c0493934b7ece89eafd943eb27d357880a2a2202249 9e249528c5707b1afe8794c8a1d60ceedaeed96dd0dd904ea075f096c9fec5da7de4 96 shareV = 0x0401aa5af0f3027f63b7170572db5ff06dd1f3d6ea8ea771b26b434fb bc6c9de7d80975131c9c2e94d30c0ed2d62449c4c1b7e95037a85ed7598e415a2591 26365e89500d0f2156b551b70416d719944736990f346f6f9ba4fbaf2f63e0987369 0bcf730582e0a7b03ffede50f5787b631d5021a94287f0a29a081b62b9f5a3bf393b 001b3 Z = 0x0401e3015bf2811891a518d342c63541294dc80e0ee210e8220a5b9cab010d 77945724ef1185d739a62847fdada9da9b1bca6b9fa173fa551185c6084c3db26d3a f0ac01f9356d01beebebd5ff026ca19f9df5d614355f3498816ac20b63bc936eed82 8a7039d1e17dba740471d9afc0e0b4427d65b2d27a57a87e42300004e2b4620c23c9 V = 0x0401058b21ca71e4439281579d6df3b86ae874d70742fe8eae2de60e77e07e 6e1c31b9c277de36b38531f5b769e9e4030ba09258f510c83c5c21957610355ce920 1fe600672db35efd1d0903bc285d4e27e9fb4472c30f17118dfa028f182bc9361c6a 749f560e31b9c404624d24e68010f064101d4a1154e77be8f2105dbeb8b0349adb0e TT = 0x38000000000000005350414b45322b2d503532312d5348413531322d484b4 4462d5348413531322d484d41432d534841353132205465737420566563746f72730 600000000000000636c69656e7406000000000000007365727665728500000000000 00004003f06f38131b2ba2600791e82488e8d20ab889af753a41806c5db18d37d856 08cfae06b82e4a72cd744c719193562a653ea1f119eef9356907edc9b56979962d7a a01bdd179a3d547610892e9b96dea1eab10bdd7ac5ae0cf75aa0f853bfd185cf782f 894301998b11d1898ede2701dca37a2bb50b4f519c3d89a7d054b51fb84912192850 00000000000000400c7924b9ec017f3094562894336a53c50167ba8c596387688054 2bc669e494b2532d76c5b53dfb349fdf69154b9e0048c58a42e8ed04cef052a3bc34 9d95575cd2501c62bee650c9287a651bb75c7f39a2006873347b769840d261d17760 b107e29f091d556a82a2e4cde0c40b84b95b878db2489ef760206424b3fe7968aa8e 0b1f33485000000000000000400a14431edf6852ff5fe868f8683e16e9e0a45d9e27 f9a96442285ac6b161fc0bf267362a5ffb06f9cbd14b7a37e492146d77cae4c77812 df00a91dbae09e27e1fac00ae019317ef9768548325bca35ce258e6206fe03c6338b 2eb889d09d9f11400a36cf6328a7e1f81c6c7a2af7ff1d9b5210768318f27e57b75b 39b9fbfc7b37a60ab85000000000000000401aa5af0f3027f63b7170572db5ff06dd 1f3d6ea8ea771b26b434fbbc6c9de7d80975131c9c2e94d30c0ed2d62449c4c1b7e9 5037a85ed7598e415a259126365e89500d0f2156b551b70416d719944736990f346f 6f9ba4fbaf2f63e09873690bcf730582e0a7b03ffede50f5787b631d5021a94287f0 a29a081b62b9f5a3bf393b001b385000000000000000401e3015bf2811891a518d34 2c63541294dc80e0ee210e8220a5b9cab010d77945724ef1185d739a62847fdada9d a9b1bca6b9fa173fa551185c6084c3db26d3af0ac01f9356d01beebebd5ff026ca19 f9df5d614355f3498816ac20b63bc936eed828a7039d1e17dba740471d9afc0e0b44 27d65b2d27a57a87e42300004e2b4620c23c985000000000000000401058b21ca71e 4439281579d6df3b86ae874d70742fe8eae2de60e77e07e6e1c31b9c277de36b3853 1f5b769e9e4030ba09258f510c83c5c21957610355ce9201fe600672db35efd1d090 3bc285d4e27e9fb4472c30f17118dfa028f182bc9361c6a749f560e31b9c404624d2 4e68010f064101d4a1154e77be8f2105dbeb8b0349adb0e4200000000000000009c7 9bcd7656716314fca5a6e2c5cda7ef86131399438e012a043051e863f60b5aeb3c10 1731e1505e721580f48535a9b0456b231b9266ae6fff49ee90d25f72f5f K_main = 0xf672a73216568d20cc3433247bc43a3b875a421cbdba76cf1db8bfe57 2b658bf3f7a4ef8cc9ff1f6a2827ff7b19860454b775a4097009040f3b36b7420407 16e K_confirmP = 0xa211c60ea8d4b3b294bd6ca9515663b77f3caac28af3658b34fe1 512f25077f2f64b8de426caa662b4cbbdc9c2f8f12347993c8d57fdf68c177732d7d da7277b K_confirmV = 0x0e9bf6b9a37339144cb32a78a872f50b10839f81eda6c09a827dd bb158c47162bec274af920cdf809f162b98fa701efebada26cdfbeac408b5a35b052 d18f0c6 HMAC(K_confirmP, shareV) = 0xf0f5c903dfa42fe367659656a26058cd984b76a 8e91ae4d0fa4c13db149008e2ae57713fb230a627761174fefd263b9c10e9a4b6a37 46cde59c5943040c17133 HMAC(K_confirmV, shareP) = 0xa8f7ab43f3a800171d3a3fb26d742e1ed236c2d 5804ecd328f220a7d245cd2e3bfb6c0526983bff9229c94f70fe64ba9bb5a4d0dc10 afcda64a4c96d4c3d81ad K_shared = 0xd1c170e4e55efacb9db8abad286293ebd1dcf24f13973427b9632bb c323e42e447afca2aa7f74f2af3fb5f51684ec543db854b7002cde6799c330b032ba 8820a [Context=b'SPAKE2+-P256-SHA256-HKDF-SHA256-CMAC-AES-128 Test Vector s'] [idProver=b'client'] [idVerifier=b'server'] w0 = 0x9aad90c603cf16cec4ee40d81acd7a865130b28cc6d0664ae2e0f406aa47e d61 w1 = 0x872be859cec1e78d191882bd9c2f032af018a25016813788fe8954bfffc58 c8e L = 0x04d79a53698c5dd79e14b426e73b4a7f1b42469815fe24e8f53ce01579e902 eb198d59f05bc451c41826b88e3db5476a69e197fdf474c75b387f6d40361c3fda35 x = 0x9d39a3511a007a7d3fe6af5555cf60301bcda503f2bf6634b2caf9e4fd0743 a1 shareP = 0x04788218027ba4b17f7279ef0aef47a8733cf88b5bf65d6127ecadc78 b8a0f65b9001f7e54719fb63c072ddd1e1a4adfb376dde37ba1aa2082362b6c2ca14 a8e53 y = 0x9c3219841626325c68d89c22fb6c55611e3136442daa8b9b784db7242afff3 ed shareV = 0x04c05953ea9d1cd6248b8c61becd7d55e46237526d8b1e23495ea7566 b7f6bc24b3da1cfb2e88a975fcfb5dc4e72b5cbea509b1cfdd1ef8f8195fa8bf2bd5 ca1e5 Z = 0x049444a17ad5909548a084fa182275a89a496ec6669bd08892aa9c64a512d4 0212147e6005bf1d510e3bbcfee8efc38243acaf4c5f2decffa009341b1e330b0442 V = 0x0457a8919af393e2da1de209a01fdda275eab0a682d8931b0e6ee1b9339794 63a25ccbcda1956a6a555706f0b062aa880617bd219d09391ad8576d3a73e9233f57 TT = 0x39000000000000005350414b45322b2d503235362d5348413235362d484b4 4462d5348413235362d434d41432d4145532d313238205465737420566563746f727 30600000000000000636c69656e74060000000000000073657276657241000000000 0000004886e2f97ace46e55ba9dd7242579f2993b64e16ef3dcab95afd497333d8fa 12f5ff355163e43ce224e0b0e65ff02ac8e5c7be09419c785e0ca547d55a12e2d204 10000000000000004d8bbd6c639c62937b04d997f38c3770719c629d7014d49a24b4 f98baa1292b4907d60aa6bfade45008a636337f5168c64d9bd36034808cd564490b1 e656edbe7410000000000000004788218027ba4b17f7279ef0aef47a8733cf88b5bf 65d6127ecadc78b8a0f65b9001f7e54719fb63c072ddd1e1a4adfb376dde37ba1aa2 082362b6c2ca14a8e53410000000000000004c05953ea9d1cd6248b8c61becd7d55e 46237526d8b1e23495ea7566b7f6bc24b3da1cfb2e88a975fcfb5dc4e72b5cbea509 b1cfdd1ef8f8195fa8bf2bd5ca1e54100000000000000049444a17ad5909548a084f a182275a89a496ec6669bd08892aa9c64a512d40212147e6005bf1d510e3bbcfee8e fc38243acaf4c5f2decffa009341b1e330b044241000000000000000457a8919af39 3e2da1de209a01fdda275eab0a682d8931b0e6ee1b933979463a25ccbcda1956a6a5 55706f0b062aa880617bd219d09391ad8576d3a73e9233f5720000000000000009aa d90c603cf16cec4ee40d81acd7a865130b28cc6d0664ae2e0f406aa47ed61 K_main = 0x6002da6b2740056f2836ac0316ae9e02e2b24c5c109883136e90ed868 b2fcf62 K_confirmP = 0x857d0db7f5e06385853bf4b8abd43b5a K_confirmV = 0x268c75933332157118063550c6bfe846 CMAC(K_confirmP, shareV) = 0xd340bc94a03feafd14491e316514ca5f CMAC(K_confirmV, shareP) = 0x2b42d0fe76bcf9ccc208d06d60082f96 K_shared = 0xe832094adfc028bf288e49ab902fc208b7eeff084f259da7613c047 9869d4fc9 [Context=b'SPAKE2+-P256-SHA512-HKDF-SHA512-CMAC-AES-128 Test Vector s'] [idProver=b'client'] [idVerifier=b'server'] w0 = 0x56e0299ac95739b616a973276c1338e3651285345dde2f7faf74c25c0b50e b90 w1 = 0x462fe5b522a17d3d35b27323113bdd252de9cbfdd6f264b35721bf59a9a74 f0b L = 0x040540332ffec8a2faa8d17ae6da5973c11e078b8c10c89fd6af996726b802 3513eff2914c3ced64fbedd4e261438fb0ea6ef9fc1faef4ba1ead780636faac1bc1 x = 0x254dd22780eeb6af2464dd6a2bd026b46a34966d6933607f1be956314f74b0 ea shareP = 0x049661cfdb0f7bd24b637f8d1d0f464c17f0b9c15129ea31156dcc581 da6c840240b275d72f28ea73a5c088c99d73896af24a5ae26e036eb2dedaf26e511a 24a48 y = 0x695beec24305fbd5660bc200228598e7c891fdf60a55df4bdd3a57debc3847 4a shareV = 0x0461f580eb3eb4b2f412d5c07491f360ad6e4492d8f23e346f0ba999f bbcb9715a3c2485c3b250a6672e6698da3c9a9725645f607ee90a9b1b34fd44b9df6 e551a Z = 0x0406f77a4bca254219dc3eeca9989f377037407105540bfddc5bdeff3d27a8 7d68442e69d543a000077bd4c42e33930f890d29fb4be5e8dcc627f6811ace96c274 V = 0x0442952a531a2937e03808e74f6d65afbedb4cfb7fcf91991498f77db21b14 6f5c2249e727e374de03f32848465aba5c5ebfe6501d3537d09160c7f42e4b3f133d TT = 0x39000000000000005350414b45322b2d503235362d5348413531322d484b4 4462d5348413531322d434d41432d4145532d313238205465737420566563746f727 30600000000000000636c69656e74060000000000000073657276657241000000000 0000004886e2f97ace46e55ba9dd7242579f2993b64e16ef3dcab95afd497333d8fa 12f5ff355163e43ce224e0b0e65ff02ac8e5c7be09419c785e0ca547d55a12e2d204 10000000000000004d8bbd6c639c62937b04d997f38c3770719c629d7014d49a24b4 f98baa1292b4907d60aa6bfade45008a636337f5168c64d9bd36034808cd564490b1 e656edbe74100000000000000049661cfdb0f7bd24b637f8d1d0f464c17f0b9c1512 9ea31156dcc581da6c840240b275d72f28ea73a5c088c99d73896af24a5ae26e036e b2dedaf26e511a24a4841000000000000000461f580eb3eb4b2f412d5c07491f360a d6e4492d8f23e346f0ba999fbbcb9715a3c2485c3b250a6672e6698da3c9a9725645 f607ee90a9b1b34fd44b9df6e551a41000000000000000406f77a4bca254219dc3ee ca9989f377037407105540bfddc5bdeff3d27a87d68442e69d543a000077bd4c42e3 3930f890d29fb4be5e8dcc627f6811ace96c27441000000000000000442952a531a2 937e03808e74f6d65afbedb4cfb7fcf91991498f77db21b146f5c2249e727e374de0 3f32848465aba5c5ebfe6501d3537d09160c7f42e4b3f133d200000000000000056e 0299ac95739b616a973276c1338e3651285345dde2f7faf74c25c0b50eb90 K_main = 0x111790ae23de3fc5bb43bdc1f63106461dbd8d86360adf056bf117164 8bfb231503853db2625275b7136b5a823dd5a94482514fce7f791c4daca2b21c7bde 756 K_confirmP = 0xb234d2e152a03168b76c6474d5322070 K_confirmV = 0x683d62024626fe0c5126ef4df58b88ee CMAC(K_confirmP, shareV) = 0x0dc514d262e37470eb43e058e0d615f4 CMAC(K_confirmV, shareP) = 0xde076589efcd5d96c2ea6061d96772d9 K_shared = 0x488a34663d6be5e02590bb8e9ad9ad3e0f580dec41e8b99ed4ae4b7 34da49287638cac4c9f17fe3c3ae18dda0d6d7f14c17e4640d5a2aaab959efa0cbea 4e546 Acknowledgements Thanks to Ben Kaduk and Watson Ladd, from whom this specification originally emanated. Authors' Addresses Tim Taubert Apple Inc. One Apple Park Way Cupertino, California 95014 United States of America Email: ttaubert@apple.com Christopher A. Wood Email: caw@heapingbits.net