Independent Submission                                        T. Taubert
Request for Comments: 9383                                    Apple Inc.
Category: Informational                                       C. A. Wood
ISSN: 2070-1721                                               April                                           September 2023

    SPAKE2+, an Augmented Password-Authenticated Key Exchange (PAKE)
                                Protocol

Abstract

   This document describes SPAKE2+, a Password-Authenticated Key
   Exchange (PAKE) protocol run between two parties for deriving a
   strong shared key with no risk of disclosing the password.  SPAKE2+
   is an augmented PAKE protocol, as only one party has knowledge of the
   password.  This method is simple to implement, compatible with any
   prime-order group, and computationally efficient.

   This document was produced outside of the IETF and IRTF and
   represents the opinions of the authors.  Publication of this document
   as an RFC in the Independent Submissions Stream does not imply
   endorsement of SPAKE2+ by the IETF or IRTF.

Status of This Memo

   This document is not an Internet Standards Track specification; it is
   published for informational purposes.

   This is a contribution to the RFC Series, independently of any other
   RFC stream.  The RFC Editor has chosen to publish this document at
   its discretion and makes no statement about its value for
   implementation or deployment.  Documents approved for publication by
   the RFC Editor are not candidates for any level of Internet Standard;
   see Section 2 of RFC 7841.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   https://www.rfc-editor.org/info/rfc9383.

Copyright Notice

   Copyright (c) 2023 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.

Table of Contents

   1.  Introduction
   2.  Requirements Notation
   3.  Definition of SPAKE2+
     3.1.  Protocol Overview
     3.2.  Offline Registration
     3.3.  Online Authentication
     3.4.  Key Schedule and Key Confirmation
   4.  Ciphersuites
   5.  IANA Considerations
   6.  Security Considerations
   7.  References
     7.1.  Normative References
     7.2.  Informative References
   Appendix A.  Protocol Flow
     A.1.  Prover
     A.2.  Verifier
     A.3.  Transcript Computation
     A.4.  Key Schedule Computation
     A.5.  Protocol Run
   Appendix B.  Algorithm Used for Point Generation
   Appendix C.  Test Vectors
   Acknowledgements
   Authors' Addresses

1.  Introduction

   This document describes SPAKE2+, a Password-Authenticated Key
   Exchange (PAKE) protocol run between two parties for deriving a
   strong shared key with no risk of disclosing the password.  SPAKE2+
   is an augmented PAKE protocol, as only one party makes direct use of
   the password during the execution of the protocol.  The other party
   only needs a record corresponding to the other first party's registration
   at the time of the protocol execution instead of the password.  This
   record can be computed once, during an offline registration phase.
   The party using the password directly would typically be a client and
   would act as a prover, Prover, while the other party would be a server and
   would act as a verifier. Verifier.

   The protocol is augmented in the sense that it provides some
   resilience against the compromise or extraction of the registration
   record.  The design of the protocol forces the adversary to recover
   the password from the record to successfully execute the protocol.
   Hence, this protocol can be advantageously combined with a salted
   Password Hashing Function to increase the cost of the recovery and
   slow down attacks.  The record cannot be used directly to
   successfully run the protocol as a prover, Prover, making this protocol more
   robust than balanced PAKEs PAKEs, which don't benefit from Password Hashing
   Functions to the same extent.

   This augmented property is especially valuable in scenarios where the
   execution of the protocol is constrained and the adversary cannot
   query the salt of the password hash function Password Hashing Function ahead of the attack.
   Constraints
   For example, a constraint may consist in being in be when physical proximity through a
   local network is required or when initiation of the protocol requires a first authentication factor. factor is
   required for initiation of the protocol.

   This document has content split out from a related document,
   [RFC9382], which specifies SPAKE2.  SPAKE2 is a symmetric PAKE
   protocol, where both parties have knowledge of the password.  SPAKE2+
   is the asymmetric or augmented version of SPAKE2, wherein only one
   party has knowledge of the password.  SPAKE2+ is specified separately
   in this document because the use cases for symmetric and augmented
   PAKEs are different and therefore warrant different technical
   specifications.  Neither SPAKE2 nor SPAKE2+ was selected as the
   result of the Crypto Forum Research Group (CFRG) PAKE selection
   competition.  However, this password-based key exchange protocol
   appears in [TDH] and is proven secure in [SPAKE2P-Analysis].  It is
   compatible with any prime-order group and relies only on group
   operations, making it simple and computationally efficient.  Thus, it
   was felt that publication was beneficial to make the protocol
   available for wider consideration.

   This document was produced outside of the IETF and IRTF and
   represents the opinions of the authors.  Publication of this document
   as an RFC in the Independent Submissions Stream does not imply
   endorsement of SPAKE2+ by the IETF or IRTF.

2.  Requirements Notation

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

3.  Definition of SPAKE2+

   Let G be a group in which the computational Diffie-Hellman (CDH)
   problem is hard.  Suppose G has order p*h where p is a large prime; h
   will be called the cofactor.  Let I be the unit element in G, e.g.,
   the point at infinity if G is an elliptic curve group.  We denote the
   operations in the group additively.  We assume that there is a
   representation of elements of G as byte strings: common choices would
   be SEC 1 uncompressed or compressed [SEC1] for elliptic curve groups
   or big-endian integers of a fixed (per-group) length for prime field
   DH.  We fix a generate generator P of the (large) prime-order subgroup of G.
   P is specified in the document defining the group, and so we do not
   repeat it here.

   || denotes concatenation of strings.  We also let len(S) denote the
   length of a string in bytes, represented as an eight-byte little-
   endian number.  Finally, let nil represent an empty string, i.e.,
   len(nil) = 0.

   KDF is a key derivation function that takes as input a salt,
   intermediate input
   keying material (IKM), info string, and derived key length L to
   derive a cryptographic key of length L.  MAC is a Message
   Authentication Code algorithm that takes a secret key and message as
   input to produce an output.  Let Hash be a hash function from
   arbitrary strings to bit strings of a fixed length.  Common choices
   for Hash are SHA256 or SHA512 [RFC6234].  Section 4 specifies
   variants of KDF, MAC, and Hash suitable for use with the protocols
   contained herein.

   Let there be two parties, a prover Prover and a verifier. Verifier.  Their identities,
   denoted as idProver and idVerifier, may also have digital
   representations such as Media Access Control addresses or other names
   (hostnames, usernames, etc.).  The parties may share additional data
   (the context) separate from their identities identities, which they may want to
   include in the protocol transcript.  One example of additional data
   is a list of supported protocol versions if SPAKE2+ were used in a
   higher-level protocol which that negotiates the use of a particular PAKE.
   Another example is the inclusion of the application name.  Including
   these data points would ensure that both parties agree upon the same
   set of supported protocols and therefore prevent prevents downgrade and cross-
   protocol
   cross-protocol attacks.  Specification of precise context values is
   out of scope for this document.

3.1.  Protocol Overview

   SPAKE2+ is a two-round protocol that establishes a shared secret with
   an additional round for key confirmation.  Prior to invocation, both
   parties are provisioned with information such as the input password
   needed to run the protocol.  The registration phase may include
   communicating identities, protocol version, and other parameters
   related to the registration record; see Section 3.2 for details.

   During the first round, the prover Prover sends a public share, shareP, to
   the verifier, Verifier, which in turn responds with its own public share,
   shareV.  Both parties then derive a shared secret used to produce
   encryption and authentication keys.  The latter are used during the
   second round for key confirmation.  (Section 3.4 details the key
   derivation and confirmation steps.)  In particular, the verifier Verifier
   sends a key confirmation message, confirmV, to the prover, Prover, which in
   turn responds with its own key confirmation message, confirmP.  (Note
   that shareV and confirmV MAY be sent in the same message.)  Both
   parties MUST NOT consider the protocol complete prior to receipt and
   validation of these key confirmation messages.

   A sample trace is shown below.

                    Prover                     Verifier

                      |        (registration)     |
                      |<- - - - - - - - - - - - ->|
                      |                           |
                      |       (setup   (set up the protocol)   |
   (compute shareP)   |            shareP         |
                      |-------------------------->|
                      |            shareV         | (compute shareV)
                      |<--------------------------|
                      |                           |
                      |       (derive secrets)    | (compute confirmV)
                      |           confirmV        |
                      |<--------------------------|
   (compute confirmP) |           confirmP        |
                      |-------------------------->|

3.2.  Offline Registration

   The registration phase computes the values w0 and w1, as well as the
   registration record L=w1*P.  w0 and w1 are derived by hashing the
   password pw with the identities of the two participants.  w0 and the
   record L are then shared with the verifier Verifier and stored as part of the
   registration record associated with the prover. Prover.  The prover Prover SHOULD
   derive w0 and w1 from the password before the protocol begins.  Both
   w0 and w1 are derived using a function with range [0, p-1], which is
   modeled as a random oracle in [SPAKE2P-Analysis].

   The registration phase also produces two random elements, M and N, in
   the prime-order subgroup of G.  The algorithm for selecting M and N
   is defined in Appendix B.  Importantly, this algorithm chooses M and
   N such that their discrete logs are not known.  Precomputed values
   for M and N are listed in Section 4 for each group.  Applications MAY
   use different M and N values, provided they are computed, e.g., using
   different input seeds to the algorithm in Appendix B, as random
   elements for which the discrete log is unknown.

   Applications using this specification MUST define the method used to
   compute w0 and w1.  For example, it may be necessary to carry out
   various forms of normalization of the password before hashing
   [RFC8265].  This section contains requirements and default
   recommendations for computing w0 and w1.

   The RECOMMENDED method for generating w0 and w1 is via a Password-
   Based Key Derivation Function (PBKDF), which is a function designed
   to slow down brute-force attackers.  Brute-force resistance may be
   obtained through various computation hardness parameters such as
   memory or CPU cycles and are typically configurable.  The scrypt
   [RFC7914] function and the Argon2id [RFC9106] function are common
   examples of PBKDFs.  Absent an application-specific profile,
   RECOMMENDED parameters (N, r, p) for scrypt are (32768,8,1), and
   RECOMMENDED parameters for Argon2id are in Section 4 of [RFC9106].

   Each half of the output of the PBKDF will be interpreted as an
   integer and reduced modulo p.  To control bias, each half must be of
   length at least ceil(log2(p)) + k bits, with k >= 64.  Reducing such
   integers mod p gives bias at most 2^-k for any p; this bias is
   negligible for any k >= 64.

   The minimum total output length of the PBKDF then is 2 *
   (ceil(log2(p)) + k) bits.  For example, given the prime order of the
   P-256 curve, the output of the PBKDF SHOULD be at least 640 bits or
   80 bytes.

   Given a PBKDF, password pw, and identities idProver and idVerifier,
   the RECOMMENDED method for computing w0 and w1 is as follows:

   w0s || w1s = PBKDF(len(pw) || pw ||
                      len(idProver) || idProver ||
                      len(idVerifier) || idVerifier)
   w0 = w0s mod p
   w1 = w1s mod p

   If an identity is unknown at the time of computing w0s or w1s, its
   length is given as zero and the identity itself is represented as the an
   empty octet string.  If both idProver and idVerifier are unknown,
   then their lengths are given as zero and both identities will be
   represented as empty octet strings.  idProver and idVerifier are
   included in the transcript TT as part of the protocol flow.

3.3.  Online Authentication

   The online SPAKE2+ protocol runs between the prover Prover and verifier Verifier to
   produce a single shared secret upon completion.  To begin, the prover Prover
   selects x uniformly at random from the integers in [0, p-1], computes
   the public share shareP=X, and transmits it to the verifier. Verifier.

   x <- [0, p-1]
   X = x*P + w0*M

   Upon receipt of X, the verifier Verifier checks the received element for group
   membership and aborts if X is not in the large prime-order subgroup
   of G; see Section 6 for details.  The verifier Verifier then selects y
   uniformly at random from the integers in [0, p-1], computes the
   public share shareV=Y, and transmits it to the prover. Prover.  Upon receipt
   of Y, the prover Prover checks the received element for group membership and
   aborts if Y is not in the large prime-order subgroup of G.

   y <- [0, p-1]
   Y = y*P + w0*N

   Both participants compute Z and V; Z and V that are now then shared as common
   values.  The prover Prover computes:

   Z = h*x*(Y - w0*N)
   V = h*w1*(Y - w0*N)

   The verifier Verifier computes:

   Z = h*y*(X - w0*M)
   V = h*y*L

   The multiplication by the cofactor h prevents small subgroup
   confinement attacks.  All proofs of security hold even if the
   discrete log of the fixed group element N is known to the adversary.
   In particular, one MAY set N=I, i.e., set N to the unit element in G.

   It is essential that both Z and V be used in combination with the
   transcript to derive the keying material.  The protocol transcript
   encoding is shown below.

   TT = len(Context) || Context
     || len(idProver) || idProver
     || len(idVerifier) || idVerifier
     || len(M) || M
     || len(N) || N
     || len(shareP) || shareP
     || len(shareV) || shareV
     || len(Z) || Z
     || len(V) || V
     || len(w0) || w0

   Context is an application-specific customization string shared
   between both parties and MUST precede the remaining transcript.  It
   might contain the name and version number of the higher-level
   protocol, or simply the name and version number of the application.
   The context MAY include additional data such as the chosen
   ciphersuite and PBKDF parameters like the iteration count or salt.
   The context and its length prefix MAY be omitted.

   If an identity is absent, its length is given as zero and the
   identity itself is represented as the an empty octet string.  If both
   identities are absent, then their lengths are given as zero and both
   are represented as empty octet strings.  In applications where
   identities are not implicit, idProver and idVerifier SHOULD always be
   non-empty.  Otherwise, the protocol risks unknown key-share attacks
   (discussion of unknown key-share attacks in a specific protocol is
   given in [RFC8844]).

   Upon completion of this protocol, both parties compute shared secrets
   K_main, K_shared, K_confirmP, and K_confirmV as specified in
   Section 3.4.  The verifier Verifier MUST send a key confirmation message,
   confirmV, to the prover Prover so both parties can confirm that they agree
   upon these shared secrets.  After receipt and verification of the
   verifier's
   Verifier's confirmation message, the prover Prover MUST respond with its
   confirmation message.  The verifier Verifier MUST NOT send application data to
   the prover Prover until it has received and verified the confirmation
   message.  Key confirmation verification requires recomputation of
   confirmP or confirmV and checking for equality against the data that which
   was received.

3.4.  Key Schedule and Key Confirmation

   The protocol transcript TT, as defined in Section 3.3, is unique and
   secret to the participants.  Both parties use TT to derive the shared
   symmetric secret K_main from the protocol.  The length of K_main is
   equal to the length of the digest output, e.g., 256 bits for Hash() =
   SHA-256.  The confirmation keys K_confirmP and K_confirmV, as well as
   the shared key K_shared, are derived from K_main.

   K_main = Hash(TT)
   K_confirmP || K_confirmV = KDF(nil, K_main, "ConfirmationKeys")
   K_shared = KDF(nil, K_main, "SharedKey")

   Neither K_main nor its derived confirmation keys are used for
   anything except key derivation and confirmation and MUST be discarded
   after the protocol execution.  Applications MAY derive additional
   keys from K_shared as needed.

   The length of each confirmation key is dependent on the MAC function
   of the chosen ciphersuite.  For HMAC, the RECOMMENDED key length is
   equal to the output length of the digest output, e.g., 256 bits for
   Hash() = SHA-256.  For CMAC-AES, each confirmation key MUST be of
   length k, where k is the chosen AES key size, e.g., 128 bits for
   CMAC-AES-128.

   Both endpoints MUST employ a MAC that produces pseudorandom tags for
   key confirmation.  K_confirmP and K_confirmV are symmetric keys used
   to compute tags confirmP and confirmV over the public key shares
   received from the other peer earlier.

   confirmP = MAC(K_confirmP, shareV)
   confirmV = MAC(K_confirmV, shareP)

   Once key confirmation is complete, applications MAY use K_shared as
   an authenticated shared secret as needed.  For example, applications
   MAY derive one or more keys and nonces from K_shared, for use with
   Authenticated Encryption with Associated Data (AEAD) keys and nonces from K_shared for subsequent
   application data encryption.

4.  Ciphersuites

   This section documents SPAKE2+ ciphersuite configurations.  A
   ciphersuite indicates a group, cryptographic hash algorithm, and pair
   of KDF and MAC functions, e.g., P256-SHA256-HKDF-HMAC-SHA256.  This
   ciphersuite indicates a SPAKE2+ protocol instance over P-256 that
   uses SHA256 along with HKDF [RFC5869] and HMAC [RFC2104] for G, Hash,
   KDF, and MAC functions, respectively.  Since the choice of PBKDF and PBKDF, its
   parameters for computing w0 and w1 w1, and distributing does the distribution of w0 and w1
   do not affect interoperability, the PBKDF is not included as part of
   the ciphersuite.

   If no MAC algorithm is used in the key confirmation phase, its
   respective column in Table 1 can be ignored and the ciphersuite name
   will contain no MAC identifier.

     +==============+==================+=============+==============+
     | G            |       Hash       |     KDF     |     MAC      |
     +==============+==================+=============+==============+
     | P-256        | SHA256 [RFC6234] | HKDF-SHA256 | HMAC-SHA256  |
     |              |                  |  [RFC5869]  |  [RFC2104]   |
     +--------------+------------------+-------------+--------------+
     | P-256        | SHA512 [RFC6234] | HKDF-SHA512 | HMAC-SHA512  |
     |              |                  |  [RFC5869]  |  [RFC2104]   |
     +--------------+------------------+-------------+--------------+
     | P-384        | SHA256 [RFC6234] | HKDF-SHA256 | HMAC-SHA256  |
     |              |                  |  [RFC5869]  |  [RFC2104]   |
     +--------------+------------------+-------------+--------------+
     | P-384        | SHA512 [RFC6234] | HKDF-SHA512 | HMAC-SHA512  |
     |              |                  |  [RFC5869]  |  [RFC2104]   |
     +--------------+------------------+-------------+--------------+
     | P-521        | SHA512 [RFC6234] | HKDF-SHA512 | HMAC-SHA512  |
     |              |                  |  [RFC5869]  |  [RFC2104]   |
     +--------------+------------------+-------------+--------------+
     | edwards25519 | SHA256 [RFC6234] | HKDF-SHA256 | HMAC-SHA256  |
     |              |                  |  [RFC5869]  |  [RFC2104]   |
     +--------------+------------------+-------------+--------------+
     | edwards448   | SHA512 [RFC6234] | HKDF-SHA512 | HMAC-SHA512  |
     |              |                  |  [RFC5869]  |  [RFC2104]   |
     +--------------+------------------+-------------+--------------+
     | P-256        | SHA256 [RFC6234] | HKDF-SHA256 | CMAC-AES-128 |
     |              |                  |  [RFC5869]  |  [RFC4493]   |
     +--------------+------------------+-------------+--------------+
     | P-256        | SHA512 [RFC6234] | HKDF-SHA512 | CMAC-AES-128 |
     |              |                  |  [RFC5869]  |  [RFC4493]   |
     +--------------+------------------+-------------+--------------+

                                 Table 1

   The following points represent permissible point generation seeds for
   the groups listed in Table 1, using the algorithm presented in
   Appendix B.  These byte strings are compressed points as in [SEC1]
   for curves from [SEC1] and [RFC8032].  Note that these values are
   identical to those used in the companion SPAKE2 specification
   [RFC9382].

   For P256: P-256:

   M =
   02886e2f97ace46e55ba9dd7242579f2993b64e16ef3dcab95afd497333d8fa12f
   seed: 1.2.840.10045.3.1.7 point generation seed (M)

   N =
   03d8bbd6c639c62937b04d997f38c3770719c629d7014d49a24b4f98baa1292b49
   seed: 1.2.840.10045.3.1.7 point generation seed (N)

   For P384: P-384:

   M =
   030ff0895ae5ebf6187080a82d82b42e2765e3b2f8749c7e05eba366434b363d3dc
   36f15314739074d2eb8613fceec2853
   seed: 1.3.132.0.34 point generation seed (M)

   N =
   02c72cf2e390853a1c1c4ad816a62fd15824f56078918f43f922ca21518f9c543bb
   252c5490214cf9aa3f0baab4b665c10
   seed: 1.3.132.0.34 point generation seed (N)

   For P521: P-521:

   M =
   02003f06f38131b2ba2600791e82488e8d20ab889af753a41806c5db18d37d85608
   cfae06b82e4a72cd744c719193562a653ea1f119eef9356907edc9b56979962d7aa
   seed: 1.3.132.0.35 point generation seed (M)

   N =
   0200c7924b9ec017f3094562894336a53c50167ba8c5963876880542bc669e494b25
   32d76c5b53dfb349fdf69154b9e0048c58a42e8ed04cef052a3bc349d95575cd25
   seed: 1.3.132.0.35 point generation seed (N)

   For edwards25519:

   M =
   d048032c6ea0b6d697ddc2e86bda85a33adac920f1bf18e1b0c6d166a5cecdaf
   seed: edwards25519 point generation seed (M)

   N =
   d3bfb518f44f3430f29d0c92af503865a1ed3281dc69b35dd868ba85f886c4ab
   seed: edwards25519 point generation seed (N)

   For edwards448:

   M =
   b6221038a775ecd007a4e4dde39fd76ae91d3cf0cc92be8f0c2fa6d6b66f9a12
   942f5a92646109152292464f3e63d354701c7848d9fc3b8880
   seed: edwards448 point generation seed (M)

   N =
   6034c65b66e4cd7a49b0edec3e3c9ccc4588afd8cf324e29f0a84a072531c4db
   f97ff9af195ed714a689251f08f8e06e2d1f24a0ffc0146600
   seed: edwards448 point generation seed (N)

5.  IANA Considerations

   This document has no IANA actions.

6.  Security Considerations

   SPAKE2+ appears in [TDH] and is proven secure in [SPAKE2P-Analysis].

   The ephemeral randomness used by the prover Prover and verifier Verifier MUST be
   generated using a cryptographically secure Pseudorandom Number
   Generator (PRNG).

   Elements received from a peer MUST be checked for group membership:
   failure to properly deserialize and validate group elements can lead
   to attacks.  An endpoint MUST abort the protocol if any received
   public value is not a member of the large prime-order subgroup of G.
   Multiplication of a public value V by the cofactor h will yield the
   identity element I whenever V is an element of a small-order
   subgroup.  Consequently, the prover Prover and verifier Verifier MUST abort the
   protocol upon receiving any value V such that V*h = I.  Failure to do
   so may lead to subgroup confinement attacks.

7.  References

7.1.  Normative References

   [RFC2104]  Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-
              Hashing for Message Authentication", RFC 2104,
              DOI 10.17487/RFC2104, February 1997,
              <https://www.rfc-editor.org/info/rfc2104>.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC4493]  Song, JH., Poovendran, R., Lee, J., and T. Iwata, "The
              AES-CMAC Algorithm", RFC 4493, DOI 10.17487/RFC4493, June
              2006, <https://www.rfc-editor.org/info/rfc4493>.

   [RFC5480]  Turner, S., Brown, D., Yiu, K., Housley, R., and T. Polk,
              "Elliptic Curve Cryptography Subject Public Key
              Information", RFC 5480, DOI 10.17487/RFC5480, March 2009,
              <https://www.rfc-editor.org/info/rfc5480>.

   [RFC5869]  Krawczyk, H. and P. Eronen, "HMAC-based Extract-and-Expand
              Key Derivation Function (HKDF)", RFC 5869,
              DOI 10.17487/RFC5869, May 2010,
              <https://www.rfc-editor.org/info/rfc5869>.

   [RFC6234]  Eastlake 3rd, D. and T. Hansen, "US Secure Hash Algorithms
              (SHA and SHA-based HMAC and HKDF)", RFC 6234,
              DOI 10.17487/RFC6234, May 2011,
              <https://www.rfc-editor.org/info/rfc6234>.

   [RFC8032]  Josefsson, S. and I. Liusvaara, "Edwards-Curve Digital
              Signature Algorithm (EdDSA)", RFC 8032,
              DOI 10.17487/RFC8032, January 2017,
              <https://www.rfc-editor.org/info/rfc8032>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

   [RFC8265]  Saint-Andre, P. and A. Melnikov, "Preparation,
              Enforcement, and Comparison of Internationalized Strings
              Representing Usernames and Passwords", RFC 8265,
              DOI 10.17487/RFC8265, October 2017,
              <https://www.rfc-editor.org/info/rfc8265>.

   [RFC9382]  Ladd, W. and B. Kaduk, Ed., W., "SPAKE2, a PAKE", Password-Authenticated Key Exchange",
              RFC 9382, DOI 10.17487/RFC9382, April September 2023,
              <https://www.rfc-editor.org/info/rfc9382>.

   [SEC1]     Standards for Efficient Cryptography Group, "SEC 1:
              Elliptic Curve Cryptography", version 2.0, May 2009,
              <https://secg.org/sec1-v2.pdf>.

   [SPAKE2P-Analysis]
              Shoup, V., "Security analysis of SPAKE2+", March 2020,
              <https://eprint.iacr.org/2020/313.pdf>.

   [TDH]      Cash, D., Kiltz, E., and V. Shoup, "The Twin-Diffie
              Hellman Problem and Applications", EUROCRYPT 2008, Lecture
              Notes in Computer Science, Volume 4965, pages 127-145,
              Springer-Verlag, Berlin, Germany,
              DOI 10.1007/978-3-540-78967-3_8, April 2008,
              <https://doi.org/10.1007/978-3-540-78967-3_8>.

7.2.  Informative References

   [RFC7914]  Percival, C. and S. Josefsson, "The scrypt Password-Based
              Key Derivation Function", RFC 7914, DOI 10.17487/RFC7914,
              August 2016, <https://www.rfc-editor.org/info/rfc7914>.

   [RFC8844]  Thomson, M. and E. Rescorla, "Unknown Key-Share Attacks on
              Uses of TLS with the Session Description Protocol (SDP)",
              RFC 8844, DOI 10.17487/RFC8844, January 2021,
              <https://www.rfc-editor.org/info/rfc8844>.

   [RFC9106]  Biryukov, A., Dinu, D., Khovratovich, D., and S.
              Josefsson, "Argon2 Memory-Hard Function for Password
              Hashing and Proof-of-Work Applications", RFC 9106,
              DOI 10.17487/RFC9106, September 2021,
              <https://www.rfc-editor.org/info/rfc9106>.

Appendix A.  Protocol Flow

   This section describes the flow of the SPAKE2+ protocol, including
   computations and mandatory checks performed by the prover Prover and
   verifier.
   Verifier.  The constants M, N, P, p, and h are defined by the chosen
   ciphersuite.

A.1.  Prover

   The Prover's behavior consists of Prover implements two functions, ProverInit and ProverFinish,
   which are described below.

   def ProverInit(w0):
      // Compute prover Prover key share
      x <- [0, p-1]
      X = x*P + w0*M
      return (x, X)

   def ProverFinish(w0, w1, x, Y):
      if not_in_subgroup(Y):
         raise "invalid input"

      // Compute shared values
      Z = h*x*(Y - w0*N)
      V = h*w1*(Y - w0*N)

      return (Y, Z, V)

A.2.  Verifier

   The Verifier's behavior consists of Verifier implements a single function, VerifierFinish, which is
   described below.

   def VerifierFinish(w0, L, X):
      if not_in_subgroup(X):
         raise "invalid input"

      // Compute verifier Verifier key share
      y <- [0, p-1]
      Y = y*P + w0*N

      // Compute shared values
      Z = h*y*(X - w0*M)
      V = h*y*L

      return (Z, V)

A.3.  Transcript Computation

   Both the Prover and the Verifier share the same function to compute
   the protocol transcript, ComputeTranscript, which is described below.

   def ComputeTranscript(Context, idProver, idVerifier,
                         shareP, shareV, Z, V, w0):
      TT = len(Context) || Context
        || len(idProver) || idProver
        || len(idVerifier) || idVerifier
        || len(M) || M
        || len(N) || N
        || len(shareP) || shareP
        || len(shareV) || shareV
        || len(Z) || Z
        || len(V) || V
        || len(w0) || w0

A.4.  Key Schedule Computation

   Both the Prover and the Verifier share the same function to compute
   the key schedule, ComputeKeySchedule, which is described below.

   def ComputeKeySchedule(TT):
      K_main = Hash(TT)
      K_confirmP || K_confirmV = KDF(nil, K_main, "ConfirmationKeys")
      K_shared = KDF(nil, K_main, "SharedKey")
      return K_confirmP, K_confirmV, K_shared

A.5.  Protocol Run

   A full SPAKE2+ protocol run initiated by the prover Prover will look as
   follows, where Transmit and Receive are shorthand for sending and
   receiving a message to the peer:

   Prover(Context, idProver, idVerifier, w0, w1):
      (x, X) = ProverInit(w0)
      Transmit(X)
      Y = Receive()
      (Z, V) = ProverFinish(w0, w1, x, Y)
      TT = ComputeTranscript(Context, idProver, idVerifier, X, Y,
                             Z, V, w0)
      (K_confirmP, K_confirmV, K_shared) = ComputeKeySchedule(TT)
      expected_confirmV = MAC(K_confirmV, X)
      confirmV = Receive()
      if not_equal_constant_time(expected_confirmV, confirmV):
         raise "invalid confirmation message"

      confirmP = MAC(K_confirmP, Y)
      Transmit(confirmP)

      return K_shared

   Verifier(Context, idProver, idVerifier, w0, L):
      X = Receive()
      (Y, Z, V) = VerifierFinish(w0, L, X)
      Transmit(Y)
      TT = ComputeTranscript(Context, idProver, idVerifier, X, Y,
                             Z, V, w0)
      (K_confirmP, K_confirmV, K_shared) = ComputeKeySchedule(TT)
      confirmV = MAC(K_confirmV, X)
      Transmit(confirmV)

      expected_confirmP = MAC(K_confirmP, Y)
      confirmP = Receive()
      if not_equal_constant_time(expected_confirmP, confirmP):
         raise "invalid confirmation message"

      return K_shared

Appendix B.  Algorithm Used for Point Generation

   This section describes the algorithm that was used to generate the
   points M and N in Table 1 (Section 4).  This algorithm produces M and
   N such that they are indistinguishable from two random points in the
   prime-order subgroup of G, where the discrete log of these points is
   unknown.  See [SPAKE2P-Analysis] for additional details on this
   requirement.

   For each curve in the table below, Table 1, we construct a string using the curve OID
   from [RFC5480] (as an ASCII string) or its name, combined with the
   needed constant -- for instance, "1.3.132.0.35 point generation seed
   (M)" for P-512. P-521.  This string is turned into a series of blocks by
   hashing with SHA256, and hashing that output again to generate the
   next 32 bytes, and so on.  This pattern is repeated for each group
   and value, with the string modified appropriately.

   A byte string of length equal to that of an encoded group element is
   constructed by concatenating as many blocks as are required, starting
   from the first block, and truncating to the desired length.  The byte
   string is then formatted as required for the group.  In the case of
   Weierstrass curves, we take the desired length as the length for
   representing a compressed point (Section 2.3.4 of [SEC1]) and use the
   low-order bit of the first byte as the sign bit.  In order to obtain
   the correct format, the value of the first byte is set to 0x02 or
   0x03 (clearing the first six bits and setting the seventh bit),
   leaving the sign bit as it was in the byte string constructed by
   concatenating hash blocks.  For the curves described in [RFC8032], a
   different procedure is used.  For edwards448, the 57-byte input has
   the least-significant 7 bits of the last byte set to zero, and for
   edwards25519, the 32-byte input is not modified.  For both of the
   curves described in [RFC8032], the (modified) input is then
   interpreted as the representation of the group element.  If this
   interpretation yields a valid group element with the correct order
   (p), the (modified) byte string is the output.  Otherwise, the
   initial hash block is discarded and a new byte string constructed
   from the remaining hash blocks.  The procedure for constructing a
   byte string of the appropriate length, formatting it as required for
   the curve, and checking to see if it is a valid point of the correct
   order is repeated until a valid element is found.

   The following Python snippet generates the above points, assuming an
   elliptic curve implementation following the interface of
   Edwards25519Point.stdbase() and Edwards448Point.stdbase() in
   Appendix A of [RFC8032]:

   def iterated_hash(seed, n):
     h = seed
     for i in range(n):
       h = hashlib.sha256(h).digest()
     return h

   def bighash(seed, start, sz):
     n = -(-sz // 32)
     hashes = [iterated_hash(seed, i) for i in range(start, start + n)]
     return b''.join(hashes)[:sz]

   def canon_pointstr(ecname, s):
     if ecname == 'edwards25519':
       return s
     elif ecname == 'edwards448':
       return s[:-1] + bytes([s[-1] & 0x80])
     else:
       return bytes([(s[0] & 1) | 2]) + s[1:]

   def gen_point(seed, ecname, ec):
     for i in range(1, 1000):
       hval = bighash(seed, i, len(ec.encode()))
       pointstr = canon_pointstr(ecname, hval)
       try:
         p = ec.decode(pointstr)
         if p != ec.zero_elem() and p * p.l() == ec.zero_elem():
           return pointstr, i
       except Exception:
         pass

Appendix C.  Test Vectors

   This section contains various test vectors for SPAKE2+. (The choice
   of PBKDF is omitted, and values for w0 and w1 are provided directly.)
   All points are encoded using the uncompressed format, i.e., with a
   0x04 octet prefix, specified in [SEC1].  idProver and idVerifier
   identity strings are provided in the protocol invocation.

   [Context=b'SPAKE2+-P256-SHA256-HKDF-SHA256-HMAC-SHA256 Test Vectors
   ']
   [idProver=b'client']
   [idVerifier=b'server']
   w0 = 0xbb8e1bbcf3c48f62c08db243652ae55d3e5586053fca77102994f23ad9549
   1b3
   w1 = 0x7e945f34d78785b8a3ef44d0df5a1a97d6b3b460409a345ca7830387a74b1
   dba
   L = 0x04eb7c9db3d9a9eb1f8adab81b5794c1f13ae3e225efbe91ea487425854c7f
   c00f00bfedcbd09b2400142d40a14f2064ef31dfaa903b91d1faea7093d835966efd
   x = 0xd1232c8e8693d02368976c174e2088851b8365d0d79a9eee709c6a05a2fad5
   39
   shareP = 0x04ef3bd051bf78a2234ec0df197f7828060fe9856503579bb17330090
   42c15c0c1de127727f418b5966afadfdd95a6e4591d171056b333dab97a79c7193e3
   41727
   y = 0x717a72348a182085109c8d3917d6c43d59b224dc6a7fc4f0483232fa6516d8
   b3
   shareV = 0x04c0f65da0d11927bdf5d560c69e1d7d939a05b0e88291887d679fcad
   ea75810fb5cc1ca7494db39e82ff2f50665255d76173e09986ab46742c798a9a6843
   7b048
   Z = 0x04bbfce7dd7f277819c8da21544afb7964705569bdf12fb92aa388059408d5
   0091a0c5f1d3127f56813b5337f9e4e67e2ca633117a4fbd559946ab474356c41839
   V = 0x0458bf27c6bca011c9ce1930e8984a797a3419797b936629a5a937cf2f11c8
   b9514b82b993da8a46e664f23db7c01edc87faa530db01c2ee405230b18997f16b68
   TT = 0x38000000000000005350414b45322b2d503235362d5348413235362d484b4
   4462d5348413235362d484d41432d534841323536205465737420566563746f72730
   600000000000000636c69656e7406000000000000007365727665724100000000000
   00004886e2f97ace46e55ba9dd7242579f2993b64e16ef3dcab95afd497333d8fa12
   f5ff355163e43ce224e0b0e65ff02ac8e5c7be09419c785e0ca547d55a12e2d20410
   000000000000004d8bbd6c639c62937b04d997f38c3770719c629d7014d49a24b4f9
   8baa1292b4907d60aa6bfade45008a636337f5168c64d9bd36034808cd564490b1e6
   56edbe7410000000000000004ef3bd051bf78a2234ec0df197f7828060fe98565035
   79bb1733009042c15c0c1de127727f418b5966afadfdd95a6e4591d171056b333dab
   97a79c7193e341727410000000000000004c0f65da0d11927bdf5d560c69e1d7d939
   a05b0e88291887d679fcadea75810fb5cc1ca7494db39e82ff2f50665255d76173e0
   9986ab46742c798a9a68437b048410000000000000004bbfce7dd7f277819c8da215
   44afb7964705569bdf12fb92aa388059408d50091a0c5f1d3127f56813b5337f9e4e
   67e2ca633117a4fbd559946ab474356c4183941000000000000000458bf27c6bca01
   1c9ce1930e8984a797a3419797b936629a5a937cf2f11c8b9514b82b993da8a46e66
   4f23db7c01edc87faa530db01c2ee405230b18997f16b682000000000000000bb8e1
   bbcf3c48f62c08db243652ae55d3e5586053fca77102994f23ad95491b3
   K_main = 0x4c59e1ccf2cfb961aa31bd9434478a1089b56cd11542f53d3576fb6c2
   a438a29
   K_confirmP = 0x871ae3f7b78445e34438fb284504240239031c39d80ac23eb5ab9
   be5ad6db58a
   K_confirmV = 0xccd53c7c1fa37b64a462b40db8be101cedcf838950162902054e6
   44b400f1680
   HMAC(K_confirmP, shareV) = 0x926cc713504b9b4d76c9162ded04b5493e89109
   f6d89462cd33adc46fda27527
   HMAC(K_confirmV, shareP) = 0x9747bcc4f8fe9f63defee53ac9b07876d907d55
   047e6ff2def2e7529089d3e68
   K_shared = 0x0c5f8ccd1413423a54f6c1fb26ff01534a87f893779c6e68666d772
   bfd91f3e7

   [Context=b'SPAKE2+-P256-SHA512-HKDF-SHA512-HMAC-SHA512 Test Vectors
   ']
   [idProver=b'client']
   [idVerifier=b'server']
   w0 = 0x1cc5207d6e34b8f7828206fb64b86aa9c712bc952abf251bb9f5856b24d8c
   8cc
   w1 = 0x4279649e62532b01dc27d2ed39100ba350518fb969672061a01edce752d0e
   672
   L = 0x043a348ad475d2200d46df876f1eb2e136056da31dafff52cc7762bf3be84d
   e0097c4e69b0b9321326af1f0af4a14561a9c7b640cb5afd6822d14cb34830fc4511
   x = 0xb586ab83f175c1a2b56b6a1b6a283523f88a9befcf11e22efb48e2ee1fe69a
   23
   shareP = 0x04a7928c4b47f6b8657a5b8ebcb6f1bd266192e152fb9745a4180c946
   57a2f323b4d50d536c0325cdb0ec42c9bd8db8d7af3ff6dc85edb4b5365375c62e09
   def4a
   y = 0xac1fb828f041782d452ea9cc00c3fa34a55fa8f7f98c04be45a3d607b092d4
   41
   shareV = 0x04498c29e37dbd53ebf8db76679901d90c6be3af57f46ac3025b32420
   839f0489c6c3b6bf5ddc8ecbc3d7c83d0891ad814a00ad23eba13197c9d96a5b1027
   5e35d
   Z = 0x04a81e31be54283cee81bf7bdc877764b6b2ac6a399f1176380aac8a82172c
   18051aa17dfcf438896ad253f53b52cd45ec2c7399488a919bcfcfecc0261cbf5284
   V = 0x04de0a53f96cbe4abcd31c1e0a23ea6f169c162dc5a007393c8fcddd2abd5d
   518bb2d9734b1d2dfce3fd916e991ab9dc3a2760d439c083eb39b65408857d2bb4aa
   TT = 0x38000000000000005350414b45322b2d503235362d5348413531322d484b4
   4462d5348413531322d484d41432d534841353132205465737420566563746f72730
   600000000000000636c69656e7406000000000000007365727665724100000000000
   00004886e2f97ace46e55ba9dd7242579f2993b64e16ef3dcab95afd497333d8fa12
   f5ff355163e43ce224e0b0e65ff02ac8e5c7be09419c785e0ca547d55a12e2d20410
   000000000000004d8bbd6c639c62937b04d997f38c3770719c629d7014d49a24b4f9
   8baa1292b4907d60aa6bfade45008a636337f5168c64d9bd36034808cd564490b1e6
   56edbe7410000000000000004a7928c4b47f6b8657a5b8ebcb6f1bd266192e152fb9
   745a4180c94657a2f323b4d50d536c0325cdb0ec42c9bd8db8d7af3ff6dc85edb4b5
   365375c62e09def4a410000000000000004498c29e37dbd53ebf8db76679901d90c6
   be3af57f46ac3025b32420839f0489c6c3b6bf5ddc8ecbc3d7c83d0891ad814a00ad
   23eba13197c9d96a5b10275e35d410000000000000004a81e31be54283cee81bf7bd
   c877764b6b2ac6a399f1176380aac8a82172c18051aa17dfcf438896ad253f53b52c
   d45ec2c7399488a919bcfcfecc0261cbf5284410000000000000004de0a53f96cbe4
   abcd31c1e0a23ea6f169c162dc5a007393c8fcddd2abd5d518bb2d9734b1d2dfce3f
   d916e991ab9dc3a2760d439c083eb39b65408857d2bb4aa20000000000000001cc52
   07d6e34b8f7828206fb64b86aa9c712bc952abf251bb9f5856b24d8c8cc
   K_main = 0x527613439c279a375c116342a4216a8d92441d2fe1921dd1e60f140b2
   855916ccac7db4dbf22bd56e344a8cd506d08949bde1e9d83c24d68ff4246458dc14
   288
   K_confirmP = 0x0aa129d7b82067c2a9607677c9c4fdedc1cd7cfed9ff72c54c0ae
   bb2b1a8aa915b96834b2986725c6040852ceaafbb17d638a715198f795654eac89bf
   0739878
   K_confirmV = 0xa1f1038de30a8c12d43d06c27d362daa9699249e941faa2d5cbc5
   9a9683bf42aed9537818245677fdb54b5274506542994f4a83455f6d7b3af5ec017f
   aa58f61
   HMAC(K_confirmP, shareV) = 0x6b2469b56cf8ac3f94a8d0b533380ea6b3d0f46
   b3e12ee82550d49e129c2412728c9437a64ee5f80c8cdc5e8a30faa0a6deb8a52513
   46ba81bb6fc955b2304fc
   HMAC(K_confirmV, shareP) = 0x154174fc278a935e290b3352ba877e179fa9281
   c0a76928faea703c72d383b267511a5cf084cb07147efece94e3cfd91944e7baab85
   6858fbebc087167b0f409
   K_shared = 0x11887659d9e002f34fa6cc270d33570f001b2a3fc0522b643c07327
   d09a4a9f47aab85813d13c585b53adf5ac9de5707114848f3dc31a4045f69a2cc197
   2b098

   [Context=b'SPAKE2+-P384-SHA256-HKDF-SHA256-HMAC-SHA256 Test Vectors
   ']
   [idProver=b'client']
   [idVerifier=b'server']
   w0 = 0x097a61cbb1cee72bb654be96d80f46e0e3531151003903b572fc193f23377
   2c23c22228884a0d5447d0ab49a656ce1d2
   w1 = 0x18772816140e6c3c3938a693c600b2191118a34c7956e1f1cd5b0d519b56e
   a5858060966cfaf27679c9182129949e74f
   L = 0x04f27dd5384d6b9beb4c5022c94b1978d632779e1d3abe458611e734a529d0
   04e25053398e5dc9eeaa4ffa59743ca7ddbc0e7ce69155295cb2b846da83ee6a4449
   0dd8e96bb0b0f6645281bfd978dd5f6836561ea0d8b2c045ff04cef2e5873d2c
   x = 0x2f1bdbeda162ff2beba0293d3cd3ae95f663c53663378c7e18ee8f56a4a48b
   00d31ce0ef43606548da485058f12e8e73
   shareP = 0x049fb0404ca7ce71fb85d3aaa8fd05fa054affac996135bc245149be0
   9571e43e2bf76e00d6d52ac452b8224f6b9da31420a4f5e214b377546daad4d61da5
   ca0cfdea59a5a92ebdb6b42da5d14663b8d1f9eb97050139ab89788e0ada27b048fc
   f
   y = 0xbbcaf02404a16ed4fa73b183f703a8d969386f3d34f5e98b3a904e760512f1
   1757f07dfcf87a2ada8fc6d028445bd53e
   shareV = 0x0493b1c1f6a30eac4ac4a15711e44640bae3576787627ee2541104298
   1e94b2e9604b9374f66bb247bc431759212ef3fa0a20c087863b89efb32219e1337c
   e94be2175f8cb9fd50cf0b84772717fd063c52b69de1229a01ab840b55993287f32e
   d
   Z = 0x048cd880e5147e49b42b5754c1bc6d2091ad414789bc3b030f2d787ea480f3
   e35d0fa0d02d0dd06fee7f242b702a2d984efd79c76d99ab35b99e359a205cea56bb
   a8dd8f995c101a69a5157686d1cf6a7288d7cff2f2a9748db99b24f646ea7b37
   V = 0x041c3c9cc38b03a06a49cf17cc5e7754cf1ccbbc6fffc0ddf1a6e23f57294a
   25d96f7da5ce4ac0a617c78502f2f235a5fcf2f76a62385434ed2b6e95521b41eff3
   c4ce93ecf8fb32005dd76335d0a7c78153257288d7fde1a22d404f5d73d068e2
   TT = 0x38000000000000005350414b45322b2d503338342d5348413235362d484b4
   4462d5348413235362d484d41432d534841323536205465737420566563746f72730
   600000000000000636c69656e7406000000000000007365727665726100000000000
   000040ff0895ae5ebf6187080a82d82b42e2765e3b2f8749c7e05eba366434b363d3
   dc36f15314739074d2eb8613fceec285397592c55797cdd77c0715cb7df2150220a0
   119866486af4234f390aad1f6addde5930909adc67a1fc0c99ba3d52dc5dd6100000
   00000000004c72cf2e390853a1c1c4ad816a62fd15824f56078918f43f922ca21518
   f9c543bb252c5490214cf9aa3f0baab4b665c10c38b7d7f4e7f320317cd717315a79
   7c7e02933aef68b364cbf84ebc619bedbe21ff5c69ea0f1fed5d7e3200418073f406
   100000000000000049fb0404ca7ce71fb85d3aaa8fd05fa054affac996135bc24514
   9be09571e43e2bf76e00d6d52ac452b8224f6b9da31420a4f5e214b377546daad4d6
   1da5ca0cfdea59a5a92ebdb6b42da5d14663b8d1f9eb97050139ab89788e0ada27b0
   48fcf61000000000000000493b1c1f6a30eac4ac4a15711e44640bae3576787627ee
   25411042981e94b2e9604b9374f66bb247bc431759212ef3fa0a20c087863b89efb3
   2219e1337ce94be2175f8cb9fd50cf0b84772717fd063c52b69de1229a01ab840b55
   993287f32ed6100000000000000048cd880e5147e49b42b5754c1bc6d2091ad41478
   9bc3b030f2d787ea480f3e35d0fa0d02d0dd06fee7f242b702a2d984efd79c76d99a
   b35b99e359a205cea56bba8dd8f995c101a69a5157686d1cf6a7288d7cff2f2a9748
   db99b24f646ea7b376100000000000000041c3c9cc38b03a06a49cf17cc5e7754cf1
   ccbbc6fffc0ddf1a6e23f57294a25d96f7da5ce4ac0a617c78502f2f235a5fcf2f76
   a62385434ed2b6e95521b41eff3c4ce93ecf8fb32005dd76335d0a7c78153257288d
   7fde1a22d404f5d73d068e23000000000000000097a61cbb1cee72bb654be96d80f4
   6e0e3531151003903b572fc193f233772c23c22228884a0d5447d0ab49a656ce1d2
   K_main = 0x61370f8bf65e0df7e9a7b2c2289be1ee4b5dd6c21f4b85165730700c4
   4ce30af
   K_confirmP = 0x2c8940419d94e53d5d240801e702c4658531aa7a9f14ec75f0d67
   f12fa84196c
   K_confirmV = 0x8e74afe16c53a44590ad6bf43aa89324978b8f20014336675f618
   387f99f3fdc
   HMAC(K_confirmP, shareV) = 0x7ae825e242a5a1f86ad7db172c2c12fcb458b6a
   2b1ddfc96b2b7cfd2eed5f7ab
   HMAC(K_confirmV, shareP) = 0x1581062167d6a3d14493447cd170d408f6fdc58
   e31225438db86214167426a7a
   K_shared = 0x99758e838ae1a856589689fb55b6befe4e2382e6ebbeca1a6232a68
   f9dc04c1a

   [Context=b'SPAKE2+-P384-SHA512-HKDF-SHA512-HMAC-SHA512 Test Vectors
   ']
   [idProver=b'client']
   [idVerifier=b'server']
   w0 = 0xb8d44a0982b88abe19b724d4bdafba8c90dc93130e0bf4f8062810992326d
   a126fd01db53e40250ca33a3ff302044cb0
   w1 = 0x2373e2071c3bb2a6d53ece57830d56f8080189816803c22375d6a4a514f9d
   161b64d0f05b97735b98b348f9b33cc2e30
   L = 0x049ca7217ff6456bb2e2bcf71b31d9b1e5ed6e0c9700936ae617e990cee87e
   e1ce3a03629dd5532948c39b89f38b39f13c7f513c5b1ada00f6533a4a8b02b9cd04
   e1b2a5db1f24ec5fe959198a19666037e04b768cc02e75ac9da0048736db6e5b
   x = 0x5a835d52714f30d2ef539268b89df9558628400063dfa0e41eb979066f4caf
   409bbf7aab3ddddea13f1b070a1827d3d4
   shareP = 0x042f382eef464a2c9aecfdf4b81d25c4de2de113ba67405ce336c762c
   69217ae7e27bda875144140d7536c4cc08b9b4dace5f872a6a2ed57f34042688ad3c
   5d446c187dc0caf9cea812df3a4dd6fdbc64b9d7d7d7ff4bf6965abb06eeb108d55e
   e
   y = 0xc883ee5b08cf7ba122038c279459ab1a730f85f2d624a02732d519faab56a4
   98e773a8dec6c447ed02d5c00303a18bc4
   shareV = 0x04d72e11eee332305062454c0a058b8103a3304785d445510cd8d101e
   9cb44cfb159cb7b72123abaf719ab1c42e0558c84c14b0886e8b446e4c880bff2f4b
   291fafafc748cb4115824e66732bdeba7fae176388e228ab9d7546255994ca3fb5a5
   2
   Z = 0x043cb63f5fcb573cf3e2ee40bca5fbc1f00ff2554caab3790329184c45ed69
   c39b2e1323bc13c8f821b844feb5921b1470e7b3f70bd10508e5de6db157305badf8
   20fa28d68742d8287fb201383a8deec70d5bcf2a61498a481290ed8cc94ab3a0
   V = 0x0468604d188f4da560ddaaece126abe40f5de255f8af093c7c3aff71f95d90
   92804426127d73d46a817085e9095de6bcf30733a5124a98f567148efe92a7134994
   0c7244623247d33a8b78cbc9a53cd45bb22430f318a635084d1840c905f236c8
   TT = 0x38000000000000005350414b45322b2d503338342d5348413531322d484b4
   4462d5348413531322d484d41432d534841353132205465737420566563746f72730
   600000000000000636c69656e7406000000000000007365727665726100000000000
   000040ff0895ae5ebf6187080a82d82b42e2765e3b2f8749c7e05eba366434b363d3
   dc36f15314739074d2eb8613fceec285397592c55797cdd77c0715cb7df2150220a0
   119866486af4234f390aad1f6addde5930909adc67a1fc0c99ba3d52dc5dd6100000
   00000000004c72cf2e390853a1c1c4ad816a62fd15824f56078918f43f922ca21518
   f9c543bb252c5490214cf9aa3f0baab4b665c10c38b7d7f4e7f320317cd717315a79
   7c7e02933aef68b364cbf84ebc619bedbe21ff5c69ea0f1fed5d7e3200418073f406
   100000000000000042f382eef464a2c9aecfdf4b81d25c4de2de113ba67405ce336c
   762c69217ae7e27bda875144140d7536c4cc08b9b4dace5f872a6a2ed57f34042688
   ad3c5d446c187dc0caf9cea812df3a4dd6fdbc64b9d7d7d7ff4bf6965abb06eeb108
   d55ee610000000000000004d72e11eee332305062454c0a058b8103a3304785d4455
   10cd8d101e9cb44cfb159cb7b72123abaf719ab1c42e0558c84c14b0886e8b446e4c
   880bff2f4b291fafafc748cb4115824e66732bdeba7fae176388e228ab9d75462559
   94ca3fb5a526100000000000000043cb63f5fcb573cf3e2ee40bca5fbc1f00ff2554
   caab3790329184c45ed69c39b2e1323bc13c8f821b844feb5921b1470e7b3f70bd10
   508e5de6db157305badf820fa28d68742d8287fb201383a8deec70d5bcf2a61498a4
   81290ed8cc94ab3a061000000000000000468604d188f4da560ddaaece126abe40f5
   de255f8af093c7c3aff71f95d9092804426127d73d46a817085e9095de6bcf30733a
   5124a98f567148efe92a71349940c7244623247d33a8b78cbc9a53cd45bb22430f31
   8a635084d1840c905f236c83000000000000000b8d44a0982b88abe19b724d4bdafb
   a8c90dc93130e0bf4f8062810992326da126fd01db53e40250ca33a3ff302044cb0
   K_main = 0x571af2e9a0bf4b354cca18d713f8a84315a46c999ceb92ca6a88b8a6d
   615795140862dbccd6fdc0abecc5956c43f8ab40343a22fc1b91752cb7c2737dab90
   41e
   K_confirmP = 0x6c8c7fc6becf3bc07f081b4f7f867bec76fd8eeddbd7968356723
   bae701e04f35f800e647dfa013b2876958efe0ce68e7595ba46f1de0b17adfc02dfe
   3f18a18
   K_confirmV = 0x2d0c9702a0f5536bacddd596eb6ea365d17f176db30081b97b83e
   05bb87e9a36c0565b7616251c93bc76c76fc5c3531a28db40779d986d4e7b71a24c4
   3fbc731
   HMAC(K_confirmP, shareV) = 0x7f806ae56ea3e49a8b16ffee528086489418913
   641f529d50ff92aa456ad4648e522f9540b403bff6bd94ee1adc95c7d1b2666f7ba6
   f9c10748bc7bfb4181d27
   HMAC(K_confirmV, shareP) = 0x8daa262decb79cceda4421f4f8dacf22ec027c0
   8e036f071beea563c8e00813a29807963ff9d7d6bbff48dd5bdcdd9ca9fd7ffc272b
   162258d981913f7253dcb
   K_shared = 0x31e0075a823b9269af5769d71ef3b2f5001cbfe044584fe8551124a
   217dad078415630bf3eda16b5a38341d418a6d72b3960f818a0926f0de88784b59d6
   a694b

   [Context=b'SPAKE2+-P521-SHA512-HKDF-SHA512-HMAC-SHA512 Test Vectors
   ']
   [idProver=b'client']
   [idVerifier=b'server']
   w0 = 0x009c79bcd7656716314fca5a6e2c5cda7ef86131399438e012a043051e863
   f60b5aeb3c101731e1505e721580f48535a9b0456b231b9266ae6fff49ee90d25f72
   f5f
   w1 = 0x01632c15f51fcd916cd79e19075f8a69b72b0099922ad62ff8d540b469569
   f0aa027047aed2b3f242ea0ac4288b4e4db6a4e5946d8ad32b42192c5aa66d9ef8e1
   b33
   L = 0x040135072d0fa36f9e80031294cef5c3c35b882a0efa2c66570d64a49f8bec
   6c66435bf65bb7c7b2a3e7dece491e02b4d567e7087dbc32fe0fae8af417dcb50be6
   d704012a194588b690e6d3db492656f72ddea01fc1c7fcec0f5d34a5af0102939f6f
   deae39c20cff74fcdb7f09855f0fc9520d20b0520b0b096b8d42c7c3d68b4a66f751
   x = 0x00b69e3bb15df82c9fa0057461334e2c66ab92fc9b8d3662eec81216ef5ddc
   4a43f19e90dedaa2d72502f69673a115984ffcf88e03a9364b07102114c5602cd93c
   69
   shareP = 0x0400a14431edf6852ff5fe868f8683e16e9e0a45d9e27f9a96442285a
   c6b161fc0bf267362a5ffb06f9cbd14b7a37e492146d77cae4c77812df00a91dbae0
   9e27e1fac00ae019317ef9768548325bca35ce258e6206fe03c6338b2eb889d09d9f
   11400a36cf6328a7e1f81c6c7a2af7ff1d9b5210768318f27e57b75b39b9fbfc7b37
   a60ab
   y = 0x0056d01c5246fbde964c0493934b7ece89eafd943eb27d357880a2a2202249
   9e249528c5707b1afe8794c8a1d60ceedaeed96dd0dd904ea075f096c9fec5da7de4
   96
   shareV = 0x0401aa5af0f3027f63b7170572db5ff06dd1f3d6ea8ea771b26b434fb
   bc6c9de7d80975131c9c2e94d30c0ed2d62449c4c1b7e95037a85ed7598e415a2591
   26365e89500d0f2156b551b70416d719944736990f346f6f9ba4fbaf2f63e0987369
   0bcf730582e0a7b03ffede50f5787b631d5021a94287f0a29a081b62b9f5a3bf393b
   001b3
   Z = 0x0401e3015bf2811891a518d342c63541294dc80e0ee210e8220a5b9cab010d
   77945724ef1185d739a62847fdada9da9b1bca6b9fa173fa551185c6084c3db26d3a
   f0ac01f9356d01beebebd5ff026ca19f9df5d614355f3498816ac20b63bc936eed82
   8a7039d1e17dba740471d9afc0e0b4427d65b2d27a57a87e42300004e2b4620c23c9
   V = 0x0401058b21ca71e4439281579d6df3b86ae874d70742fe8eae2de60e77e07e
   6e1c31b9c277de36b38531f5b769e9e4030ba09258f510c83c5c21957610355ce920
   1fe600672db35efd1d0903bc285d4e27e9fb4472c30f17118dfa028f182bc9361c6a
   749f560e31b9c404624d24e68010f064101d4a1154e77be8f2105dbeb8b0349adb0e
   TT = 0x38000000000000005350414b45322b2d503532312d5348413531322d484b4
   4462d5348413531322d484d41432d534841353132205465737420566563746f72730
   600000000000000636c69656e7406000000000000007365727665728500000000000
   00004003f06f38131b2ba2600791e82488e8d20ab889af753a41806c5db18d37d856
   08cfae06b82e4a72cd744c719193562a653ea1f119eef9356907edc9b56979962d7a
   a01bdd179a3d547610892e9b96dea1eab10bdd7ac5ae0cf75aa0f853bfd185cf782f
   894301998b11d1898ede2701dca37a2bb50b4f519c3d89a7d054b51fb84912192850
   00000000000000400c7924b9ec017f3094562894336a53c50167ba8c596387688054
   2bc669e494b2532d76c5b53dfb349fdf69154b9e0048c58a42e8ed04cef052a3bc34
   9d95575cd2501c62bee650c9287a651bb75c7f39a2006873347b769840d261d17760
   b107e29f091d556a82a2e4cde0c40b84b95b878db2489ef760206424b3fe7968aa8e
   0b1f33485000000000000000400a14431edf6852ff5fe868f8683e16e9e0a45d9e27
   f9a96442285ac6b161fc0bf267362a5ffb06f9cbd14b7a37e492146d77cae4c77812
   df00a91dbae09e27e1fac00ae019317ef9768548325bca35ce258e6206fe03c6338b
   2eb889d09d9f11400a36cf6328a7e1f81c6c7a2af7ff1d9b5210768318f27e57b75b
   39b9fbfc7b37a60ab85000000000000000401aa5af0f3027f63b7170572db5ff06dd
   1f3d6ea8ea771b26b434fbbc6c9de7d80975131c9c2e94d30c0ed2d62449c4c1b7e9
   5037a85ed7598e415a259126365e89500d0f2156b551b70416d719944736990f346f
   6f9ba4fbaf2f63e09873690bcf730582e0a7b03ffede50f5787b631d5021a94287f0
   a29a081b62b9f5a3bf393b001b385000000000000000401e3015bf2811891a518d34
   2c63541294dc80e0ee210e8220a5b9cab010d77945724ef1185d739a62847fdada9d
   a9b1bca6b9fa173fa551185c6084c3db26d3af0ac01f9356d01beebebd5ff026ca19
   f9df5d614355f3498816ac20b63bc936eed828a7039d1e17dba740471d9afc0e0b44
   27d65b2d27a57a87e42300004e2b4620c23c985000000000000000401058b21ca71e
   4439281579d6df3b86ae874d70742fe8eae2de60e77e07e6e1c31b9c277de36b3853
   1f5b769e9e4030ba09258f510c83c5c21957610355ce9201fe600672db35efd1d090
   3bc285d4e27e9fb4472c30f17118dfa028f182bc9361c6a749f560e31b9c404624d2
   4e68010f064101d4a1154e77be8f2105dbeb8b0349adb0e4200000000000000009c7
   9bcd7656716314fca5a6e2c5cda7ef86131399438e012a043051e863f60b5aeb3c10
   1731e1505e721580f48535a9b0456b231b9266ae6fff49ee90d25f72f5f
   K_main = 0xf672a73216568d20cc3433247bc43a3b875a421cbdba76cf1db8bfe57
   2b658bf3f7a4ef8cc9ff1f6a2827ff7b19860454b775a4097009040f3b36b7420407
   16e
   K_confirmP = 0xa211c60ea8d4b3b294bd6ca9515663b77f3caac28af3658b34fe1
   512f25077f2f64b8de426caa662b4cbbdc9c2f8f12347993c8d57fdf68c177732d7d
   da7277b
   K_confirmV = 0x0e9bf6b9a37339144cb32a78a872f50b10839f81eda6c09a827dd
   bb158c47162bec274af920cdf809f162b98fa701efebada26cdfbeac408b5a35b052
   d18f0c6
   HMAC(K_confirmP, shareV) = 0xf0f5c903dfa42fe367659656a26058cd984b76a
   8e91ae4d0fa4c13db149008e2ae57713fb230a627761174fefd263b9c10e9a4b6a37
   46cde59c5943040c17133
   HMAC(K_confirmV, shareP) = 0xa8f7ab43f3a800171d3a3fb26d742e1ed236c2d
   5804ecd328f220a7d245cd2e3bfb6c0526983bff9229c94f70fe64ba9bb5a4d0dc10
   afcda64a4c96d4c3d81ad
   K_shared = 0xd1c170e4e55efacb9db8abad286293ebd1dcf24f13973427b9632bb
   c323e42e447afca2aa7f74f2af3fb5f51684ec543db854b7002cde6799c330b032ba
   8820a

   [Context=b'SPAKE2+-P256-SHA256-HKDF-SHA256-CMAC-AES-128 Test Vector
   s']
   [idProver=b'client']
   [idVerifier=b'server']
   w0 = 0x9aad90c603cf16cec4ee40d81acd7a865130b28cc6d0664ae2e0f406aa47e
   d61
   w1 = 0x872be859cec1e78d191882bd9c2f032af018a25016813788fe8954bfffc58
   c8e
   L = 0x04d79a53698c5dd79e14b426e73b4a7f1b42469815fe24e8f53ce01579e902
   eb198d59f05bc451c41826b88e3db5476a69e197fdf474c75b387f6d40361c3fda35
   x = 0x9d39a3511a007a7d3fe6af5555cf60301bcda503f2bf6634b2caf9e4fd0743
   a1
   shareP = 0x04788218027ba4b17f7279ef0aef47a8733cf88b5bf65d6127ecadc78
   b8a0f65b9001f7e54719fb63c072ddd1e1a4adfb376dde37ba1aa2082362b6c2ca14
   a8e53
   y = 0x9c3219841626325c68d89c22fb6c55611e3136442daa8b9b784db7242afff3
   ed
   shareV = 0x04c05953ea9d1cd6248b8c61becd7d55e46237526d8b1e23495ea7566
   b7f6bc24b3da1cfb2e88a975fcfb5dc4e72b5cbea509b1cfdd1ef8f8195fa8bf2bd5
   ca1e5
   Z = 0x049444a17ad5909548a084fa182275a89a496ec6669bd08892aa9c64a512d4
   0212147e6005bf1d510e3bbcfee8efc38243acaf4c5f2decffa009341b1e330b0442
   V = 0x0457a8919af393e2da1de209a01fdda275eab0a682d8931b0e6ee1b9339794
   63a25ccbcda1956a6a555706f0b062aa880617bd219d09391ad8576d3a73e9233f57
   TT = 0x39000000000000005350414b45322b2d503235362d5348413235362d484b4
   4462d5348413235362d434d41432d4145532d313238205465737420566563746f727
   30600000000000000636c69656e74060000000000000073657276657241000000000
   0000004886e2f97ace46e55ba9dd7242579f2993b64e16ef3dcab95afd497333d8fa
   12f5ff355163e43ce224e0b0e65ff02ac8e5c7be09419c785e0ca547d55a12e2d204
   10000000000000004d8bbd6c639c62937b04d997f38c3770719c629d7014d49a24b4
   f98baa1292b4907d60aa6bfade45008a636337f5168c64d9bd36034808cd564490b1
   e656edbe7410000000000000004788218027ba4b17f7279ef0aef47a8733cf88b5bf
   65d6127ecadc78b8a0f65b9001f7e54719fb63c072ddd1e1a4adfb376dde37ba1aa2
   082362b6c2ca14a8e53410000000000000004c05953ea9d1cd6248b8c61becd7d55e
   46237526d8b1e23495ea7566b7f6bc24b3da1cfb2e88a975fcfb5dc4e72b5cbea509
   b1cfdd1ef8f8195fa8bf2bd5ca1e54100000000000000049444a17ad5909548a084f
   a182275a89a496ec6669bd08892aa9c64a512d40212147e6005bf1d510e3bbcfee8e
   fc38243acaf4c5f2decffa009341b1e330b044241000000000000000457a8919af39
   3e2da1de209a01fdda275eab0a682d8931b0e6ee1b933979463a25ccbcda1956a6a5
   55706f0b062aa880617bd219d09391ad8576d3a73e9233f5720000000000000009aa
   d90c603cf16cec4ee40d81acd7a865130b28cc6d0664ae2e0f406aa47ed61
   K_main = 0x6002da6b2740056f2836ac0316ae9e02e2b24c5c109883136e90ed868
   b2fcf62
   K_confirmP = 0x857d0db7f5e06385853bf4b8abd43b5a
   K_confirmV = 0x268c75933332157118063550c6bfe846
   CMAC(K_confirmP, shareV) = 0xd340bc94a03feafd14491e316514ca5f
   CMAC(K_confirmV, shareP) = 0x2b42d0fe76bcf9ccc208d06d60082f96
   K_shared = 0xe832094adfc028bf288e49ab902fc208b7eeff084f259da7613c047
   9869d4fc9

   [Context=b'SPAKE2+-P256-SHA512-HKDF-SHA512-CMAC-AES-128 Test Vector
   s']
   [idProver=b'client']
   [idVerifier=b'server']
   w0 = 0x56e0299ac95739b616a973276c1338e3651285345dde2f7faf74c25c0b50e
   b90
   w1 = 0x462fe5b522a17d3d35b27323113bdd252de9cbfdd6f264b35721bf59a9a74
   f0b
   L = 0x040540332ffec8a2faa8d17ae6da5973c11e078b8c10c89fd6af996726b802
   3513eff2914c3ced64fbedd4e261438fb0ea6ef9fc1faef4ba1ead780636faac1bc1
   x = 0x254dd22780eeb6af2464dd6a2bd026b46a34966d6933607f1be956314f74b0
   ea
   shareP = 0x049661cfdb0f7bd24b637f8d1d0f464c17f0b9c15129ea31156dcc581
   da6c840240b275d72f28ea73a5c088c99d73896af24a5ae26e036eb2dedaf26e511a
   24a48
   y = 0x695beec24305fbd5660bc200228598e7c891fdf60a55df4bdd3a57debc3847
   4a
   shareV = 0x0461f580eb3eb4b2f412d5c07491f360ad6e4492d8f23e346f0ba999f
   bbcb9715a3c2485c3b250a6672e6698da3c9a9725645f607ee90a9b1b34fd44b9df6
   e551a
   Z = 0x0406f77a4bca254219dc3eeca9989f377037407105540bfddc5bdeff3d27a8
   7d68442e69d543a000077bd4c42e33930f890d29fb4be5e8dcc627f6811ace96c274
   V = 0x0442952a531a2937e03808e74f6d65afbedb4cfb7fcf91991498f77db21b14
   6f5c2249e727e374de03f32848465aba5c5ebfe6501d3537d09160c7f42e4b3f133d
   TT = 0x39000000000000005350414b45322b2d503235362d5348413531322d484b4
   4462d5348413531322d434d41432d4145532d313238205465737420566563746f727
   30600000000000000636c69656e74060000000000000073657276657241000000000
   0000004886e2f97ace46e55ba9dd7242579f2993b64e16ef3dcab95afd497333d8fa
   12f5ff355163e43ce224e0b0e65ff02ac8e5c7be09419c785e0ca547d55a12e2d204
   10000000000000004d8bbd6c639c62937b04d997f38c3770719c629d7014d49a24b4
   f98baa1292b4907d60aa6bfade45008a636337f5168c64d9bd36034808cd564490b1
   e656edbe74100000000000000049661cfdb0f7bd24b637f8d1d0f464c17f0b9c1512
   9ea31156dcc581da6c840240b275d72f28ea73a5c088c99d73896af24a5ae26e036e
   b2dedaf26e511a24a4841000000000000000461f580eb3eb4b2f412d5c07491f360a
   d6e4492d8f23e346f0ba999fbbcb9715a3c2485c3b250a6672e6698da3c9a9725645
   f607ee90a9b1b34fd44b9df6e551a41000000000000000406f77a4bca254219dc3ee
   ca9989f377037407105540bfddc5bdeff3d27a87d68442e69d543a000077bd4c42e3
   3930f890d29fb4be5e8dcc627f6811ace96c27441000000000000000442952a531a2
   937e03808e74f6d65afbedb4cfb7fcf91991498f77db21b146f5c2249e727e374de0
   3f32848465aba5c5ebfe6501d3537d09160c7f42e4b3f133d200000000000000056e
   0299ac95739b616a973276c1338e3651285345dde2f7faf74c25c0b50eb90
   K_main = 0x111790ae23de3fc5bb43bdc1f63106461dbd8d86360adf056bf117164
   8bfb231503853db2625275b7136b5a823dd5a94482514fce7f791c4daca2b21c7bde
   756
   K_confirmP = 0xb234d2e152a03168b76c6474d5322070
   K_confirmV = 0x683d62024626fe0c5126ef4df58b88ee
   CMAC(K_confirmP, shareV) = 0x0dc514d262e37470eb43e058e0d615f4
   CMAC(K_confirmV, shareP) = 0xde076589efcd5d96c2ea6061d96772d9
   K_shared = 0x488a34663d6be5e02590bb8e9ad9ad3e0f580dec41e8b99ed4ae4b7
   34da49287638cac4c9f17fe3c3ae18dda0d6d7f14c17e4640d5a2aaab959efa0cbea
   4e546

Acknowledgements

   Thanks to Ben Kaduk and Watson Ladd, from whom this specification
   originally emanated.

Authors' Addresses

   Tim Taubert
   Apple Inc.
   One Apple Park Way
   Cupertino, California 95014
   United States of America
   Email: ttaubert@apple.com

   Christopher A. Wood
   Email: caw@heapingbits.net