Network Working Group                                        H. Krawczyk
Internet-Draft                                       Algorand Foundation
Intended status: Informational                               D. Bourdrez
Expires: 4 November 2021                                         K. Lewi
                                                           Novi Research
                                                               C.A. Wood
                                                              Cloudflare
                                                              3 May 2021


                  The OPAQUE Asymmetric PAKE Protocol
                       draft-irtf-cfrg-opaque-04

Abstract

   This document describes the OPAQUE protocol, a secure asymmetric
   password-authenticated key exchange (aPAKE) that supports mutual
   authentication in a client-server setting without reliance on PKI and
   with security against pre-computation attacks upon server compromise.
   In addition, the protocol provides forward secrecy and the ability to
   hide the password from the server, even during password registration.
   This document specifies the core OPAQUE protocol and one
   instantiation based on 3DH.

Discussion Venues

   This note is to be removed before publishing as an RFC.

   Source for this draft and an issue tracker can be found at
   https://github.com/cfrg/draft-irtf-cfrg-opaque.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 4 November 2021.

Krawczyk, et al.         Expires 4 November 2021                [Page 1]

Internet-Draft                   OPAQUE                         May 2021

Copyright Notice

   Copyright (c) 2021 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Requirements Notation
     1.2.  Notation
   2.  Cryptographic Dependencies
   3.  Protocol Overview
   4.  Client Credential Storage
     4.1.  Envelope Structure
     4.2.  Envelope Creation and Recovery
     4.3.  Envelope Modes
       4.3.1.  Internal mode
       4.3.2.  External mode
   5.  Offline Registration
     5.1.  Registration Messages
       5.1.1.  Registration Functions
   6.  Online Authenticated Key Exchange
     6.1.  Credential Retrieval
       6.1.1.  Credential Retrieval Messages
       6.1.2.  Credential Retrieval Functions
     6.2.  AKE Protocol
       6.2.1.  Protocol Messages
       6.2.2.  Key Schedule Functions
       6.2.3.  External Client API
       6.2.4.  External Server API
   7.  Configurations
   8.  Security Considerations
     8.1.  Related Analysis
     8.2.  Identities
     8.3.  Envelope Encryption
     8.4.  Export Key Usage
     8.5.  Static Diffie-Hellman Oracles
     8.6.  Input Validation
     8.7.  OPRF Hardening
     8.8.  Preventing Client Enumeration
     8.9.  Password Salt and Storage Implications
   9.  IANA Considerations
   10. References
     10.1.  Normative References
     10.2.  Informative References
   Appendix A.  Acknowledgments
   Appendix B.  Alternate AKE Instantiations
     B.1.  HMQV Instantiation Sketch
     B.2.  SIGMA-I Instantiation Sketch
   Appendix C.  Test Vectors
     C.1.  OPAQUE-3DH Test Vector 1
       C.1.1.  Configuration
       C.1.2.  Input Values
       C.1.3.  Intermediate Values
       C.1.4.  Output Values
     C.2.  OPAQUE-3DH Test Vector 2
       C.2.1.  Configuration
       C.2.2.  Input Values
       C.2.3.  Intermediate Values
       C.2.4.  Output Values
     C.3.  OPAQUE-3DH Test Vector 3
       C.3.1.  Configuration
       C.3.2.  Input Values
       C.3.3.  Intermediate Values
       C.3.4.  Output Values
     C.4.  OPAQUE-3DH Test Vector 4
       C.4.1.  Configuration
       C.4.2.  Input Values
       C.4.3.  Intermediate Values
       C.4.4.  Output Values
     C.5.  OPAQUE-3DH Test Vector 5
       C.5.1.  Configuration
       C.5.2.  Input Values
       C.5.3.  Intermediate Values
       C.5.4.  Output Values
     C.6.  OPAQUE-3DH Test Vector 6
       C.6.1.  Configuration
       C.6.2.  Input Values
       C.6.3.  Intermediate Values
       C.6.4.  Output Values
     C.7.  OPAQUE-3DH Test Vector 7
       C.7.1.  Configuration
       C.7.2.  Input Values
       C.7.3.  Intermediate Values
       C.7.4.  Output Values
     C.8.  OPAQUE-3DH Test Vector 8
       C.8.1.  Configuration
       C.8.2.  Input Values
       C.8.3.  Intermediate Values
       C.8.4.  Output Values
     C.9.  OPAQUE-3DH Test Vector 9
       C.9.1.  Configuration
       C.9.2.  Input Values
       C.9.3.  Intermediate Values
       C.9.4.  Output Values
     C.10.  OPAQUE-3DH Test Vector 10
       C.10.1.  Configuration
       C.10.2.  Input Values
       C.10.3.  Intermediate Values
       C.10.4.  Output Values
     C.11.  OPAQUE-3DH Test Vector 11
       C.11.1.  Configuration
       C.11.2.  Input Values
       C.11.3.  Intermediate Values
       C.11.4.  Output Values
     C.12.  OPAQUE-3DH Test Vector 12
       C.12.1.  Configuration
       C.12.2.  Input Values
       C.12.3.  Intermediate Values
       C.12.4.  Output Values
     C.13.  OPAQUE-3DH Test Vector 13
       C.13.1.  Configuration
       C.13.2.  Input Values
       C.13.3.  Intermediate Values
       C.13.4.  Output Values
     C.14.  OPAQUE-3DH Test Vector 14
       C.14.1.  Configuration
       C.14.2.  Input Values
       C.14.3.  Intermediate Values
       C.14.4.  Output Values
     C.15.  OPAQUE-3DH Test Vector 15
       C.15.1.  Configuration
       C.15.2.  Input Values
       C.15.3.  Intermediate Values
       C.15.4.  Output Values
     C.16.  OPAQUE-3DH Test Vector 16
       C.16.1.  Configuration
       C.16.2.  Input Values
       C.16.3.  Intermediate Values
       C.16.4.  Output Values
     C.17.  OPAQUE-3DH Test Vector 17
       C.17.1.  Configuration
       C.17.2.  Input Values
       C.17.3.  Intermediate Values
       C.17.4.  Output Values
     C.18.  OPAQUE-3DH Test Vector 18
       C.18.1.  Configuration
       C.18.2.  Input Values
       C.18.3.  Intermediate Values
       C.18.4.  Output Values
     C.19.  OPAQUE-3DH Test Vector 19
       C.19.1.  Configuration
       C.19.2.  Input Values
       C.19.3.  Intermediate Values
       C.19.4.  Output Values
     C.20.  OPAQUE-3DH Test Vector 20
       C.20.1.  Configuration
       C.20.2.  Input Values
       C.20.3.  Intermediate Values
       C.20.4.  Output Values
     C.21.  OPAQUE-3DH Test Vector 21
       C.21.1.  Configuration
       C.21.2.  Input Values
       C.21.3.  Intermediate Values
       C.21.4.  Output Values
     C.22.  OPAQUE-3DH Test Vector 22
       C.22.1.  Configuration
       C.22.2.  Input Values
       C.22.3.  Intermediate Values
       C.22.4.  Output Values
     C.23.  OPAQUE-3DH Test Vector 23
       C.23.1.  Configuration
       C.23.2.  Input Values
       C.23.3.  Intermediate Values
       C.23.4.  Output Values
     C.24.  OPAQUE-3DH Test Vector 24
       C.24.1.  Configuration
       C.24.2.  Input Values
       C.24.3.  Intermediate Values
       C.24.4.  Output Values
     C.25.  OPAQUE-3DH Test Vector 25
       C.25.1.  Configuration
       C.25.2.  Input Values
       C.25.3.  Intermediate Values
       C.25.4.  Output Values
     C.26.  OPAQUE-3DH Test Vector 26
       C.26.1.  Configuration
       C.26.2.  Input Values
       C.26.3.  Intermediate Values
       C.26.4.  Output Values
     C.27.  OPAQUE-3DH Test Vector 27
       C.27.1.  Configuration
       C.27.2.  Input Values
       C.27.3.  Intermediate Values
       C.27.4.  Output Values
     C.28.  OPAQUE-3DH Test Vector 28
       C.28.1.  Configuration
       C.28.2.  Input Values
       C.28.3.  Intermediate Values
       C.28.4.  Output Values
     C.29.  OPAQUE-3DH Test Vector 29
       C.29.1.  Configuration
       C.29.2.  Input Values
       C.29.3.  Intermediate Values
       C.29.4.  Output Values
     C.30.  OPAQUE-3DH Test Vector 30
       C.30.1.  Configuration
       C.30.2.  Input Values
       C.30.3.  Intermediate Values
       C.30.4.  Output Values
     C.31.  OPAQUE-3DH Test Vector 31
       C.31.1.  Configuration
       C.31.2.  Input Values
       C.31.3.  Intermediate Values
       C.31.4.  Output Values
     C.32.  OPAQUE-3DH Test Vector 32
       C.32.1.  Configuration
       C.32.2.  Input Values
       C.32.3.  Intermediate Values
       C.32.4.  Output Values
     C.33.  OPAQUE-3DH Test Vector 33
       C.33.1.  Configuration
       C.33.2.  Input Values
       C.33.3.  Intermediate Values
       C.33.4.  Output Values
     C.34.  OPAQUE-3DH Test Vector 34
       C.34.1.  Configuration
       C.34.2.  Input Values
       C.34.3.  Intermediate Values
       C.34.4.  Output Values
     C.35.  OPAQUE-3DH Test Vector 35
       C.35.1.  Configuration
       C.35.2.  Input Values
       C.35.3.  Intermediate Values
       C.35.4.  Output Values
     C.36.  OPAQUE-3DH Test Vector 36
       C.36.1.  Configuration
       C.36.2.  Input Values
       C.36.3.  Intermediate Values
       C.36.4.  Output Values
     C.37.  OPAQUE-3DH Test Vector 37
       C.37.1.  Configuration
       C.37.2.  Input Values
       C.37.3.  Intermediate Values
       C.37.4.  Output Values
     C.38.  OPAQUE-3DH Test Vector 38
       C.38.1.  Configuration
       C.38.2.  Input Values
       C.38.3.  Intermediate Values
       C.38.4.  Output Values
     C.39.  OPAQUE-3DH Test Vector 39
       C.39.1.  Configuration
       C.39.2.  Input Values
       C.39.3.  Intermediate Values
       C.39.4.  Output Values
     C.40.  OPAQUE-3DH Test Vector 40
       C.40.1.  Configuration
       C.40.2.  Input Values
       C.40.3.  Intermediate Values
       C.40.4.  Output Values
   Authors' Addresses

1.  Introduction

   Password authentication is ubiquitous in many applications.  In a
   common implementation, a client authenticates to a server by sending
   its client ID and password to the server over a secure connection.
   This makes the password vulnerable to server mishandling, including
   accidentally logging the password or storing it in plaintext in a
   database.  Server compromise resulting in access to these plaintext
   passwords is not an uncommon security incident, even among
   security-conscious companies.  Moreover, plaintext password
   authentication over secure channels like TLS is also vulnerable to
   cases where TLS may fail, including PKI attacks, certificate
   mishandling, termination outside the security perimeter, visibility
   to middleboxes, and more.

   Asymmetric (or Augmented) Password Authenticated Key Exchange (aPAKE)
   protocols are designed to provide password authentication and
   mutually authenticated key exchange in a client-server setting
   without relying on PKI (except during client/password registration)
   and without disclosing passwords to servers or other entities other
   than the client machine.
   A secure aPAKE should provide the best possible security for a
   password protocol.  Namely, it should only be open to inevitable
   attacks, such as online impersonation attempts with guessed client
   passwords and offline dictionary attacks upon the compromise of a
   server and leakage of its password file.  In the latter case, the
   attacker learns a mapping of a client's password under a one-way
   function and uses such a mapping to validate potential guesses for
   the password.  Crucially important is for the password protocol to
   use an unpredictable one-way mapping.  Otherwise, the attacker can
   pre-compute a deterministic list of mapped passwords leading to
   almost instantaneous leakage of passwords upon server compromise.

   Despite the existence of multiple designs for (PKI-free) aPAKE
   protocols, none of these protocols are secure against pre-computation
   attacks.  In particular, none of these protocols can use the standard
   technique against pre-computation that combines _secret_ random
   values ("salt") into the one-way password mappings.  Either these
   protocols do not use a salt at all or, if they do, they transmit the
   salt from server to client in the clear, hence losing the secrecy of
   the salt and its defense against pre-computation.  Furthermore,
   transmitting the salt may require additional protocol messages.

   This document describes OPAQUE, a PKI-free secure aPAKE that is
   secure against pre-computation attacks.  OPAQUE provides forward
   secrecy (essential for protecting past communications in case of
   password leakage) and the ability to hide the password from the
   server, even during password registration.
   Furthermore, OPAQUE enjoys good performance and an array of
   additional features including the ability to increase the difficulty
   of offline dictionary attacks via iterated hashing or other hardening
   schemes, and offloading these operations to the client (that also
   helps against online guessing attacks); extensibility of the protocol
   to support storage and retrieval of client secrets solely based on a
   password; being amenable to a multi-server distributed implementation
   where offline dictionary attacks are not possible without breaking
   into a threshold of servers (such a distributed solution requires no
   change or awareness on the client-side relative to a single-server
   implementation).

   OPAQUE is defined and proven as the composition of two
   functionalities: an oblivious pseudorandom function (OPRF) and an
   authenticated key exchange (AKE) protocol.  It can be seen as a
   "compiler" for transforming any suitable AKE protocol into a secure
   aPAKE protocol.  (See Section 8 for requirements of the OPRF and AKE
   protocols.)

   This document specifies one OPAQUE instantiation based on 3DH
   [SIGNAL].  Other instantiations are possible, as discussed in
   Appendix B, but their details are out of scope for this document.  In
   general, the modularity of OPAQUE's design makes it easy to integrate
   with additional AKE protocols, e.g., TLS, and with future ones such
   as those based on post-quantum techniques.

   OPAQUE consists of two stages: registration and authenticated key
   exchange.  In the first stage, a client registers its password with
   the server and stores its encrypted credentials on the server.  In
   the second stage, a client obtains those credentials, recovers them
   using the client's password, and subsequently uses them as input to
   an AKE protocol.

   Currently, the most widely deployed PKI-free aPAKE is SRP [RFC2945],
   which is vulnerable to pre-computation attacks, lacks proof of
   security, and is less efficient relative to OPAQUE.  Moreover, SRP
   requires a ring as it mixes addition and multiplication operations,
   and thus does not work over plain elliptic curves.  OPAQUE is
   therefore a suitable replacement for applications that use SRP.

   This draft complies with the requirements for PAKE protocols set
   forth in [RFC8125].

1.1.  Requirements Notation

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

1.2.  Notation

   The following functions are used throughout this document:

   *  I2OSP and OS2IP: Convert a byte string to and from a non-negative
      integer as described in Section 4 of [RFC8017].  Note that these
      functions operate on byte strings in big-endian byte order.

   *  concat(x0, ..., xN): Concatenate byte strings.  For example,
      "concat(0x01, 0x0203, 0x040506) = 0x010203040506".

   *  random(n): Generate a cryptographically secure pseudorandom byte
      string of length "n" bytes.

   *  xor(a,b): Apply XOR to byte strings.  For example, "xor(0xF0F0,
      0x1234) = 0xE2C4".  It is an error to call this function with two
      arguments of unequal length.

   *  ct_equal(a, b): Return "true" if "a" is equal to "b", and false
      otherwise.  This function is constant-time in the length of "a"
      and "b", which are assumed to be of equal length, irrespective of
      the values "a" or "b".

   Unless stated otherwise, random choices in this specification refer
   to drawing with uniform distribution from a given set (i.e., "random"
   is short for "uniformly random").
   Random choices can be replaced with fresh outputs from a
   cryptographically strong pseudorandom generator, according to the
   requirements in [RFC4086], or pseudorandom function.  For
   convenience, we define "nil" as a lack of value.

   The name OPAQUE is a homonym of O-PAKE where O is for Oblivious.  The
   name OPAKE was taken.

2.  Cryptographic Dependencies

   OPAQUE relies on the following cryptographic protocols and
   primitives:

   *  Oblivious Pseudorandom Function (OPRF, [I-D.irtf-cfrg-voprf],
      version -06):

      -  Blind(x): Convert input "x" into an element of the OPRF group,
         randomize it by some scalar "r", producing "M", and output
         ("r", "M").

      -  Evaluate(k, M): Evaluate input element "M" using private key
         "k", yielding output element "Z".

      -  Finalize(x, r, Z): Finalize the OPRF evaluation using input
         "x", random scalar "r", and evaluation output "Z", yielding
         output "y".

      -  DeriveKeyPair(seed): Derive a private and public key pair
         deterministically from a seed.

      -  Noe: The size of a serialized OPRF group element.

      -  Nok: The size of an OPRF private key.

   Note that we only need the base mode variant (as opposed to the
   verifiable mode variant) of the OPRF described in
   [I-D.irtf-cfrg-voprf].

   *  Key Derivation Function (KDF):

      -  Extract(salt, ikm): Extract a pseudorandom key of fixed length
         "Nx" bytes from input keying material "ikm" and an optional
         byte string "salt".

      -  Expand(prk, info, L): Expand a pseudorandom key "prk" using
         optional string "info" into "L" bytes of output keying
         material.

      -  Nx: The output size of the "Extract()" function in bytes.

   *  Message Authentication Code (MAC):

      -  MAC(key, msg): Compute a message authentication code over input
         "msg" with key "key", producing a fixed-length output of "Nm"
         bytes.

      -  Nm: The output size of the "MAC()" function in bytes.

   *  Hash Function:

      -  Hash(msg): Apply a cryptographic hash function to input "msg",
         producing a fixed-length digest of size "Nh" bytes.

      -  Nh: The output size of the "Hash()" function in bytes.

   *  Memory Hard Function (MHF):

      -  Harden(msg, params): Repeatedly apply a memory-hard function
         with parameters "params" to strengthen the input "msg" against
         offline dictionary attacks.  This function also needs to
         satisfy collision resistance.

   OPAQUE additionally depends on an Authenticated Key Exchange (AKE)
   protocol.  This specification defines one particular AKE based on
   3DH; see Section 6.2.  We let "Npk" and "Nsk" denote the size of
   public and private keys, respectively, used in the AKE.  The AKE
   protocol must provide the following functions:

   *  RecoverPublicKey(private_key): Recover the public key related to
      the input "private_key".

   *  DeriveAuthKeyPair(seed): Derive a private and public
      authentication key pair deterministically from the input "seed".

   *  GenerateKeyPair(): Return a randomly generated private and public
      key pair.  This can be implemented by generating a random private
      key "sk", then computing "pk = RecoverPublicKey(sk)".

   Finally, all random nonces used in this protocol are of length "Nn" =
   32 bytes.

3.  Protocol Overview

   OPAQUE consists of two stages: registration and authenticated key
   exchange.  In the first stage, a client registers its password with
   the server and stores its encrypted credentials on the server.  The
   client inputs its credentials, which includes its password and user
   identifier, and the server inputs its parameters, which includes its
   private key and other information.  The client output of this stage
   is a single value "export_key" that the client may use for
   application-specific purposes, e.g., to encrypt additional
   information to the server.  The server output of this stage is a
   record corresponding to the client's registration that it stores in a
   password file alongside other client registrations as needed.
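
   The Blind, Evaluate and Finalize functions listed in Section 2 are
   what let a client register a password without the server seeing it.
   The Python sketch below is an added illustration, not code from the
   draft or from [I-D.irtf-cfrg-voprf]: it swaps in a toy multiplicative
   group (squares modulo 2^127 - 1) for the prime-order groups of the
   OPRF draft, and the helper names hash_to_group, is_valid_element,
   output_hash and unblinded_reference are its own.

```python
import hashlib
import math
import secrets

# Toy group, an assumption of this example: the squares modulo the Mersenne
# prime 2^127 - 1. It is far too small (and its order too smooth) for real
# use; it only makes the blinding algebra runnable with the standard library.
P = 2**127 - 1
ORDER = (P - 1) // 2          # number of squares modulo P (composite)


def hash_to_group(x: bytes) -> int:
    """Map input bytes to a square modulo P."""
    h = int.from_bytes(hashlib.sha512(b"HashToGroup" + x).digest(), "big") % P
    return pow(h, 2, P)


def is_valid_element(e: int) -> bool:
    """Accept only non-identity squares (Euler's criterion)."""
    return 1 < e < P and pow(e, ORDER, P) == 1


def blind(x: bytes):
    """Blind(x): return (r, M), where M = H(x)^r hides x behind scalar r."""
    while True:
        r = secrets.randbelow(ORDER - 2) + 2
        if math.gcd(r, ORDER) == 1:      # r must be invertible modulo ORDER
            return r, pow(hash_to_group(x), r, P)


def evaluate(k: int, M: int) -> int:
    """Evaluate(k, M): server side. It sees only the blinded element M."""
    if not is_valid_element(M):
        raise ValueError("blinded element is not in the group")
    return pow(M, k, P)


def output_hash(x: bytes, N: int) -> bytes:
    """Hash the input together with the unblinded element H(x)^k."""
    data = len(x).to_bytes(2, "big") + x + N.to_bytes(16, "big") + b"Finalize"
    return hashlib.sha512(data).digest()


def finalize(x: bytes, r: int, Z: int) -> bytes:
    """Finalize(x, r, Z): remove the blind and hash down to the output y."""
    if not is_valid_element(Z):
        raise ValueError("evaluated element is not in the group")
    N = pow(Z, pow(r, -1, ORDER), P)     # Z^(1/r) = H(x)^k
    return output_hash(x, N)


def unblinded_reference(k: int, x: bytes) -> bytes:
    """What a party holding both k and x would compute directly."""
    return output_hash(x, pow(hash_to_group(x), k, P))


if __name__ == "__main__":
    key = secrets.randbelow(ORDER - 1) + 1      # server's OPRF key
    password = b"constructed sample password"   # constructed input
    r, M = blind(password)                      # client -> server: M
    Z = evaluate(key, M)                        # server -> client: Z
    y = finalize(password, r, Z)
    print("matches direct evaluation:", y == unblinded_reference(key, password))
```

   Two runs over the same password send different values of M, yet both
   finalize to the same y, so the output can key a stored credential
   while the server never receives the password or anything derived
   deterministically from it.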

   Registration is the only part in OPAQUE that requires an
   authenticated and confidential channel, either physical, out-of-band,
   PKI-based, etc.

   The registration flow is shown below:

          creds                                   parameters
            |                                         |
            v                                         v
          Client                                    Server
          ------------------------------------------------
                      registration request
                   ------------------------->
                      registration response
                   <-------------------------
                            record
                   ------------------------->
         ------------------------------------------------
            |                                         |
            v                                         v
        export_key                                 record

   In the second stage, a client obtains credentials previously
   registered with the server, recovers private key material using the
   password, and subsequently uses them as input to an AKE protocol.  As
   in the registration phase, the client inputs its credentials,
   including its password and user identifier, and the server inputs its
   parameters and password file record corresponding to the client.  The
   client outputs two values, an "export_key" (matching that from
   registration) and a "session_key", the latter of which is the primary
   AKE output.  The server outputs a single value "session_key" that
   matches that of the client.  Upon completion, clients and servers can
   use these values as needed.

   The authenticated key exchange flow is shown below:

          creds                             (parameters, record)
            |                                         |
            v                                         v
          Client                                    Server
          ------------------------------------------------
                         AKE message 1
                   ------------------------->
                         AKE message 2
                   <-------------------------
                         AKE message 3
                   ------------------------->
         ------------------------------------------------
            |                                         |
            v                                         v
      (export_key, session_key)                  session_key

   The rest of this document describes these stages in detail.
   Section 4 describes how client credential information is generated,
   encoded, encrypted, and stored on the server.  Section 5 describes
   the first registration stage of the protocol, and Section 6 describes
   the second authentication stage of the protocol.
   Section 7 describes how to instantiate OPAQUE using different
   cryptographic dependencies and parameters.

4.  Client Credential Storage

   OPAQUE makes use of a structure "Envelope" to manage client
   credentials.  This envelope holds information about its format and
   content for the client to obtain its authentication material.

   OPAQUE allows applications to either provide custom client private
   and public keys for authentication, or to generate them internally.
   Each public and private key value is encoded as a byte string,
   specific to the AKE protocol in which OPAQUE is instantiated.  These
   two options are defined as the "external" and "internal" modes,
   respectively.  See Section 4.3 for their specifications.

   Applications may pin key material to identities if desired.  If no
   identity is given for a party, its value MUST default to its public
   key.  The following types of application credential information are
   considered:

   *  client_private_key: The encoded client private key for the AKE
      protocol.

   *  client_public_key: The encoded client public key for the AKE
      protocol.

   *  server_public_key: The encoded server public key for the AKE
      protocol.

   *  client_identity: The client identity.  This is an
      application-specific value, e.g., an e-mail address or normal
      account name.  If not specified, it defaults to the client's
      public key.

   *  server_identity: The server identity.  This is typically a domain
      name, e.g., example.com.  If not specified, it defaults to the
      server's public key.  See Section 8.2 for information about this
      identity.

   These credential values are used in the "CleartextCredentials"
   structure as follows:

   struct {
     uint8 server_public_key[Npk];
     uint8 server_identity<1..2^16-1>;
     uint8 client_identity<1..2^16-1>;
   } CleartextCredentials;

   The function CreateCleartextCredentials constructs a
   "CleartextCredentials" structure given application credential
   information.
CreateCleartextCredentials(server_public_key, client_public_key, server_identity, client_identity) Input: - server_public_key, The encoded server public key for the AKE protocol. - client_public_key, The encoded client public key for the AKE protocol. - server_identity, The optional encoded server identity. - client_identity, The optional encoded client identity. Output: - cleartext_credentials, a CleartextCredentials structure Steps: 1. if server_identity == nil 2. server_identity = server_public_key 3. if client_identity == nil 4. client_identity = client_public_key 5. Create CleartextCredentials cleartext_credentials with (server_public_key, server_identity, client_identity) 6. Output cleartext_credentials Krawczyk, et al. Expires 4 November 2021 [Page 14] Internet-Draft OPAQUE May 2021 During protocol execution, the identity values can be stored in an implementation-specific "Credentials" object with names matching the values. struct { uint8 server_identity; uint8 client_identity; } Credentials; 4.1. Envelope Structure A client "Envelope" is constructed based on the "EnvelopeMode", consisting of an "InnerEnvelope" entry whose structure is determined by the mode. Future modes MAY introduce alternate "InnerEnvelope" contents. "Envelope" is defined as follows: struct { uint8 nonce[Nn]; InnerEnvelope inner_env; uint8 auth_tag[Nm]; } Envelope; nonce: A unique nonce of length "Nn" used to protect this Envelope. auth_tag: Authentication tag protecting the contents of the envelope, covering the envelope nonce, "InnerEnvelope", and "CleartextCredentials". inner_env: A mode dependent "InnerEnvelope" structure. See Section 4.3 for its specifications. The size of the serialized envelope is denoted "Ne" and varies based on the mode. The exact value for "Ne" is specified in Section 4.3.1 and Section 4.3.2. 4.2. Envelope Creation and Recovery Clients create an "Envelope" at registration with the function "CreateEnvelope" defined below. 
For the "internal" mode, implementations can choose to leave out the "client_private_key" parameter, as it is not used. For the "external" mode, implementations are free to additionally provide "client_public_key" to this function. With this, the public key does not need to be recovered by "BuildInnerEnvelope()" and that function should be adapted accordingly.

   CreateEnvelope(randomized_pwd, server_public_key, client_private_key,
                  server_identity, client_identity)

   Parameter:
   - mode, the EnvelopeMode mode

   Input:
   - randomized_pwd, randomized password.
   - server_public_key, The encoded server public key for the AKE protocol.
   - client_private_key, The encoded client private key for the AKE protocol.
     This is nil in the internal key mode.
   - server_identity, The optional encoded server identity.
   - client_identity, The optional encoded client identity.

   Output:
   - envelope, the client's `Envelope` structure.
   - client_public_key, the client's AKE public key.
   - masking_key, a key used by the server to encrypt the envelope during login.
   - export_key, an additional client key.

   Steps:
   1. envelope_nonce = random(Nn)
   2. auth_key = Expand(randomized_pwd, concat(envelope_nonce, "AuthKey"), Nh)
   3. export_key = Expand(randomized_pwd, concat(envelope_nonce, "ExportKey"), Nh)
   4. masking_key = Expand(randomized_pwd, "MaskingKey", Nh)
   5. inner_env, client_public_key =
        BuildInnerEnvelope(randomized_pwd, envelope_nonce, client_private_key)
   6. cleartext_creds =
        CreateCleartextCredentials(server_public_key, client_public_key,
                                   server_identity, client_identity)
   7. auth_tag = MAC(auth_key, concat(envelope_nonce, inner_env, cleartext_creds))
   8. Create Envelope envelope with (envelope_nonce, inner_env, auth_tag)
   9. Output (envelope, client_public_key, masking_key, export_key)

Clients recover their "Envelope" during authentication with the "RecoverEnvelope" function defined below.

   RecoverEnvelope(randomized_pwd, server_public_key, creds, envelope)

   Input:
   - randomized_pwd, randomized password.
   - server_public_key, The encoded server public key for the AKE protocol.
   - creds, a Credentials structure.
   - envelope, the client's `Envelope` structure.

   Output:
   - client_private_key, The encoded client private key for the AKE protocol
   - export_key, an additional client key

   Steps:
   1. auth_key = Expand(randomized_pwd, concat(envelope.nonce, "AuthKey"), Nh)
   2. export_key = Expand(randomized_pwd, concat(envelope.nonce, "ExportKey"), Nh)
   3. (client_private_key, client_public_key) =
        RecoverKeys(randomized_pwd, envelope.nonce, envelope.inner_env)
   4. cleartext_creds =
        CreateCleartextCredentials(server_public_key, client_public_key,
                                   creds.server_identity, creds.client_identity)
   5. expected_tag = MAC(auth_key, concat(envelope.nonce, envelope.inner_env,
                                          cleartext_creds))
   6. If !ct_equal(envelope.auth_tag, expected_tag), raise MacError
   7. Output (client_private_key, export_key)

4.3.  Envelope Modes

The "EnvelopeMode" specifies the structure and encoding of the corresponding "InnerEnvelope". This document specifies the values of the two aforementioned modes:

   enum {
     internal(1),
     external(2),
     (255)
   } EnvelopeMode;

Each "EnvelopeMode" defines its own "InnerEnvelope" structure and must implement the following interface:

*  "inner_env, client_public_key = BuildInnerEnvelope(randomized_pwd, nonce, client_private_key)": Build and return the mode's "InnerEnvelope" structure and the client's public key.

*  "client_private_key, client_public_key = RecoverKeys(randomized_pwd, nonce, inner_env)": Recover and return the client's private and public keys for the AKE protocol.

The implementations of this interface for both "internal" and "external" modes are in Section 4.3.1 and Section 4.3.2, respectively.
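CreateEnvelope and RecoverEnvelope worked through in Python, as an added example (not code from the draft or from any OPAQUE implementation), showing which inputs the auth_tag binds. It uses the "external" mode of Section 4.3.2 and assumes HKDF-Expand with SHA-512 for Expand, HMAC-SHA-512 for MAC, and a stand-in exponentiation group for RecoverPublicKey; every key, identity and password value is constructed.

```python
import hashlib
import hmac
import os

Nn, Nh, Nm = 32, 64, 64      # nonce, SHA-512 output and HMAC-SHA-512 tag lengths
Nsk = Npk = 32               # key sizes of the stand-in group below
# Assumption: exponentiation modulo 2^255 - 19 stands in for the AKE's
# prime-order group, only so that RecoverPublicKey has something to compute.
P, G = 2**255 - 19, 2


class MacError(Exception):
    """The envelope auth_tag did not verify."""


def expand(prk, info, length):
    """HKDF-Expand (RFC 5869) with SHA-512, assumed here for Expand()."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha512).digest()
        out += block
        counter += 1
    return out[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def recover_public_key(private_key):
    return pow(G, int.from_bytes(private_key, "big"), P).to_bytes(Npk, "big")


def cleartext_credentials(server_pk, client_pk, server_id, client_id):
    """Serialized CleartextCredentials; a nil identity defaults to the public key."""
    server_id = server_pk if server_id is None else server_id
    client_id = client_pk if client_id is None else client_id
    # <1..2^16-1> vectors carry a two-byte length prefix.
    return (server_pk + len(server_id).to_bytes(2, "big") + server_id
            + len(client_id).to_bytes(2, "big") + client_id)


def create_envelope(randomized_pwd, server_pk, client_sk, server_id=None, client_id=None):
    nonce = os.urandom(Nn)
    auth_key = expand(randomized_pwd, nonce + b"AuthKey", Nh)
    export_key = expand(randomized_pwd, nonce + b"ExportKey", Nh)
    masking_key = expand(randomized_pwd, b"MaskingKey", Nh)
    # External-mode BuildInnerEnvelope: XOR the private key with a derived pad.
    inner_env = xor(client_sk, expand(randomized_pwd, nonce + b"Pad", len(client_sk)))
    client_pk = recover_public_key(client_sk)
    creds = cleartext_credentials(server_pk, client_pk, server_id, client_id)
    auth_tag = hmac.new(auth_key, nonce + inner_env + creds, hashlib.sha512).digest()
    return nonce + inner_env + auth_tag, client_pk, masking_key, export_key


def recover_envelope(randomized_pwd, server_pk, envelope, server_id=None, client_id=None):
    if len(envelope) != Nn + Nsk + Nm:            # Ne for the external mode
        raise ValueError("unexpected envelope size")
    nonce, inner_env, auth_tag = envelope[:Nn], envelope[Nn:-Nm], envelope[-Nm:]
    auth_key = expand(randomized_pwd, nonce + b"AuthKey", Nh)
    export_key = expand(randomized_pwd, nonce + b"ExportKey", Nh)
    # External-mode RecoverKeys: the XOR always yields some key, even with a
    # wrong pad, so only the auth_tag check below detects a bad password.
    client_sk = xor(inner_env, expand(randomized_pwd, nonce + b"Pad", len(inner_env)))
    client_pk = recover_public_key(client_sk)
    creds = cleartext_credentials(server_pk, client_pk, server_id, client_id)
    expected_tag = hmac.new(auth_key, nonce + inner_env + creds, hashlib.sha512).digest()
    if not hmac.compare_digest(auth_tag, expected_tag):   # ct_equal
        raise MacError("auth_tag mismatch")
    return client_sk, export_key


def demo():
    """Constructed values only; randomized_pwd stands for the hardened OPRF output."""
    rwd = hashlib.sha512(b"constructed randomized_pwd").digest()
    server_pk = recover_public_key(bytes([7]) * Nsk)
    client_sk = bytes(range(1, Nsk + 1))
    ids = (b"example.com", b"alice")
    env, _, _, export_key = create_envelope(rwd, server_pk, client_sk, *ids)
    flipped = env[:Nn] + bytes([env[Nn] ^ 1]) + env[Nn + 1:]
    cases = {
        "correct": (rwd, server_pk, env, *ids),
        "wrong_password": (hashlib.sha512(b"a different password").digest(),
                           server_pk, env, *ids),
        "other_server_identity": (rwd, server_pk, env, b"other.example", b"alice"),
        "other_server_key": (rwd, recover_public_key(bytes([9]) * Nsk), env, *ids),
        "flipped_key_bit": (rwd, server_pk, flipped, *ids),
    }
    results = {}
    for name, args in cases.items():
        try:
            results[name] = recover_envelope(*args) == (client_sk, export_key)
        except MacError:
            results[name] = "MacError"
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

Only the unmodified envelope with the right randomized_pwd, server key and identities is accepted; each of the other four cases ends in MacError.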
The size of the envelope may vary between modes. If applications implement Section 8.8, they MUST use the same envelope mode throughout their lifecycle in order to avoid activity leaks due to mode switching.

4.3.1.  Internal mode

In this mode, the client's private and public keys are deterministically derived from the OPRF output.

With the internal key mode the "EnvelopeMode" value MUST be "internal" and the "InnerEnvelope" is empty, and the size "Ne" of the serialized "Envelope" is "Nn + Nm".

To generate the private key OPAQUE-3DH implements "DeriveAuthKeyPair(seed)" as follows:

   DeriveAuthKeyPair(seed)

   Input:
   - seed, pseudo-random byte sequence used as a seed.

   Output:
   - private_key, a private key
   - public_key, the associated public key

   Steps:
   1. private_key = HashToScalar(seed, dst="OPAQUE-HashToScalar")
   2. public_key = private_key * G
   3. Output (private_key, public_key)

HashToScalar(msg, dst) is as specified in [I-D.irtf-cfrg-voprf], except that the "dst" parameter is "OPAQUE-HashToScalar".

   BuildInnerEnvelope(randomized_pwd, nonce, client_private_key)

   Input:
   - randomized_pwd, randomized password.
   - nonce, a unique nonce of length `Nn`.
   - client_private_key, empty value. Not used in this function,
     it only serves to comply with the API.

   Output:
   - inner_env, nil value (serves to comply with the API).
   - client_public_key, the client's AKE public key.

   Steps:
   1. seed = Expand(randomized_pwd, concat(nonce, "PrivateKey"), Nsk)
   2. _, client_public_key = DeriveAuthKeyPair(seed)
   3. Output (nil, client_public_key)

Note that implementations are free to leave out the "client_private_key" parameter, as it is not used.

   RecoverKeys(randomized_pwd, nonce, inner_env)

   Input:
   - randomized_pwd, randomized password.
   - nonce, a unique nonce of length `Nn`.
   - inner_env, an InnerEnvelope structure. Not used in this
     function, it only serves to comply with the API.

   Output:
   - client_private_key, The encoded client private key for the AKE protocol
   - client_public_key, The encoded client public key for the AKE protocol

   Steps:
   1. seed = Expand(randomized_pwd, concat(nonce, "PrivateKey"), Nsk)
   2. client_private_key, client_public_key = DeriveAuthKeyPair(seed)
   3. Output (client_private_key, client_public_key)

Note that implementations are free to leave out the "inner_env" parameter, as it is not used.

4.3.2.  External mode

This mode allows applications to import or generate keys for the client. This specification only imports the client's private key and internally recovers the corresponding public key. Implementations are free to import both, in which case the functions "FinalizeRequest()", "CreateEnvelope()", and "BuildInnerEnvelope()" must be adapted accordingly.

With the external key mode the "EnvelopeMode" value MUST be "external", and the size "Ne" of the serialized "Envelope" is "Nn + Nm + Nsk".

An encryption key is generated from the hardened OPRF output and used to encrypt the client's private key, which is then stored encrypted in the "InnerEnvelope". On key recovery, the client's public key is recovered using the private key.

   struct {
     uint8 encrypted_creds[Nsk];
   } InnerEnvelope;

encrypted_creds: Encrypted client_private_key. Authentication of this field is ensured with the "auth_tag" field in the envelope that covers this "InnerEnvelope".

If the implementation provides the "client_public_key", then "BuildInnerEnvelope()" can skip the "RecoverPublicKey()" call.

   BuildInnerEnvelope(randomized_pwd, nonce, client_private_key)

   Input:
   - randomized_pwd, randomized password.
   - nonce, a unique nonce of length `Nn`.
   - client_private_key, the encoded client private key for the AKE protocol.

   Output:
   - inner_env, an InnerEnvelope structure.
   - client_public_key, The encoded client public key for the AKE protocol.

   Steps:
   1. pseudorandom_pad =
        Expand(randomized_pwd, concat(nonce, "Pad"), len(client_private_key))
   2. encrypted_creds = xor(client_private_key, pseudorandom_pad)
   3. Create InnerEnvelope inner_env with encrypted_creds
   4. client_public_key = RecoverPublicKey(client_private_key)
   5. Output (inner_env, client_public_key)

   RecoverKeys(randomized_pwd, nonce, inner_env)

   Input:
   - randomized_pwd, randomized password.
   - nonce, a unique nonce of length `Nn`.
   - inner_env, an InnerEnvelope structure.

   Output:
   - client_private_key, the encoded client private key for the AKE protocol.
   - client_public_key, the client's AKE public key.

   Steps:
   1. encrypted_creds = inner_env.encrypted_creds
   2. pseudorandom_pad =
        Expand(randomized_pwd, concat(nonce, "Pad"), len(encrypted_creds))
   3. client_private_key = xor(encrypted_creds, pseudorandom_pad)
   4. client_public_key = RecoverPublicKey(client_private_key)
   5. Output (client_private_key, client_public_key)

5.  Offline Registration

This section describes the registration flow, message encoding, and helper functions. In a setup phase, the client chooses its password, and the server chooses its own pair of private-public AKE keys (server_private_key, server_public_key) for use with the AKE, along with an Nh-byte oprf_seed. The server can use the same pair of keys with multiple clients and can opt to use multiple seeds (so long as they are kept consistent for each client). These steps can happen offline, i.e., before the registration phase.

If using "external" mode, the client provides a key pair (client_private_key, client_public_key) for an AKE protocol which is suitable for use with OPAQUE; see Section 6. The private-public keys (client_private_key, client_public_key) may be randomly generated (using a cryptographically secure pseudorandom number generator) for the account or provided by the calling client.
Clients MUST NOT use the same key pair (client_private_key, client_public_key) for two different accounts.

Once complete, the registration process proceeds as follows. The client inputs the following values:

*  password: client password.

*  creds: client credentials, as described in Section 4.

The server inputs the following values:

*  server_private_key: server private key for the AKE protocol.

*  server_public_key: server public key for the AKE protocol.

*  credential_identifier: client credential identifier.

*  oprf_seed: seed used to derive per-client OPRF keys.

The registration protocol then runs as shown below:

     Client                                         Server
    ------------------------------------------------------
    (request, blind) = CreateRegistrationRequest(password)

                           request
                 ------------------------->

    (response, oprf_key) = CreateRegistrationResponse(request,
                                                      server_public_key,
                                                      credential_identifier,
                                                      oprf_seed)

                           response
                 <-------------------------

    (record, export_key) = FinalizeRequest(client_private_key,
                                           password,
                                           blind,
                                           response)

                           record
                 ------------------------->

Section 5.1.1 describes details of the functions and the corresponding parameters referenced above.

Both client and server MUST validate the other party's public key before use. See Section 8.6 for more details. Upon completion, the server stores the client's credentials for later use. Moreover, the client MAY use the output "export_key" for further application-specific purposes; see Section 8.4.

5.1.  Registration Messages

   struct {
     uint8 data[Noe];
   } RegistrationRequest;

data: A serialized OPRF group element.

   struct {
     uint8 data[Noe];
     uint8 server_public_key[Npk];
   } RegistrationResponse;

data: A serialized OPRF group element.

server_public_key: The server's encoded public key that will be used for the online authenticated key exchange stage.
   struct {
     uint8 client_public_key[Npk];
     uint8 masking_key[Nh];
     Envelope envelope;
   } RegistrationUpload;

client_public_key: The client's encoded public key, corresponding to the private key "client_private_key".

masking_key: A key used by the server to preserve confidentiality of the envelope during login.

envelope: The client's "Envelope" structure.

5.1.1.  Registration Functions

5.1.1.1.  CreateRegistrationRequest

   CreateRegistrationRequest(password)

   Input:
   - password, an opaque byte string containing the client's password.

   Output:
   - request, a RegistrationRequest structure.
   - blind, an OPRF scalar value.

   Steps:
   1. (blind, M) = Blind(password)
   2. Create RegistrationRequest request with M
   3. Output (request, blind)

5.1.1.2.  CreateRegistrationResponse

   CreateRegistrationResponse(request, server_public_key,
                              credential_identifier, oprf_seed)

   Input:
   - request, a RegistrationRequest structure.
   - server_public_key, the server's public key.
   - credential_identifier, an identifier that uniquely represents the credential
     being registered.
   - oprf_seed, the server-side seed of Nh bytes used to generate an oprf_key.

   Output:
   - response, a RegistrationResponse structure.
   - oprf_key, the per-client OPRF key known only to the server.

   Steps:
   1. ikm = Expand(oprf_seed, concat(credential_identifier, "OprfKey"), Nok)
   2. (oprf_key, _) = DeriveKeyPair(ikm)
   3. Z = Evaluate(oprf_key, request.data)
   4. Create RegistrationResponse response with (Z, server_public_key)
   5. Output (response, oprf_key)

5.1.1.3.  FinalizeRequest

To create the user record used for further authentication, the client executes the following function. In the internal key mode, the "client_private_key" is nil.

Depending on the mode, implementations are free to leave out the "client_private_key" parameter ("internal" mode), or to additionally include "client_public_key" ("external" mode). See Section 4.2 for more details.

   FinalizeRequest(client_private_key, password, blind, response)

   Input:
   - client_private_key, the client's private key. In internal mode, this is nil.
   - password, an opaque byte string containing the client's password.
   - creds, a Credentials structure.
   - blind, the OPRF scalar value used for blinding.
   - response, a RegistrationResponse structure.

   Output:
   - record, a RegistrationUpload structure.
   - export_key, an additional client key.

   Steps:
   1. y = Finalize(password, blind, response.data)
   2. randomized_pwd = Extract("", Harden(y, params))
   3. (envelope, client_public_key, masking_key, export_key) =
        CreateEnvelope(randomized_pwd, response.server_public_key,
                       client_private_key, creds.server_identity,
                       creds.client_identity)
   4. Create RegistrationUpload record with
        (client_public_key, masking_key, envelope)
   5. Output (record, export_key)

See Section 6 for details about the output export_key usage.

Upon completion of this function, the client MUST send "record" to the server.

5.1.1.4.  Finalize Registration

The server stores the "record" object as the credential file for each client along with the associated "credential_identifier" and "client_identity" (if different). Note that the values "oprf_seed" and "server_private_key" from the server's setup phase must also be persisted.

6.  Online Authenticated Key Exchange

The generic outline of OPAQUE with a 3-message AKE protocol includes three messages ke1, ke2, and ke3, where ke1 and ke2 include key exchange shares, e.g., DH values, sent by the client and server, respectively, and ke3 provides explicit client authentication and full forward security (without it, forward secrecy is only achieved against eavesdroppers, which is insufficient for OPAQUE security).

This section describes the online authenticated key exchange protocol flow, message encoding, and helper functions. This stage is composed of a concurrent OPRF and key exchange flow.
The key exchange protocol is authenticated using the client and server credentials established during registration; see Section 5. In the end, the client proves its knowledge of the password, and both client and server agree on a mutually authenticated shared secret key.

In this stage, the client inputs the following values:

*  password: client password.

*  client_identity: client identity, as described in Section 4.

*  client_info: optional, application-specific information to send to the server during the handshake.

The server inputs the following values:

*  server_private_key: server private key for the AKE protocol.

*  server_public_key: server public key for the AKE protocol.

*  server_identity: server identity, as described in Section 4.

*  record: RegistrationUpload corresponding to the client's registration.

*  credential_identifier: client credential identifier.

*  oprf_seed: seed used to derive per-client OPRF keys.

*  server_info: optional, application-specific information to send to the client during the handshake.

The client receives two outputs: a session secret and an export key. The export key is only available to the client, and may be used for additional application-specific purposes, as outlined in Section 8.4. The output "export_key" MUST NOT be used in any way before the protocol completes successfully. See Section 8.3 for more details about this requirement. The server receives a single output: a session secret matching that of the client.

The protocol runs as shown below:

     Client                                         Server
    ------------------------------------------------------
     ke1 = ClientInit(client_identity, password, client_info)

                            ke1
                 ------------------------->

     ke2 = ServerInit(server_identity, server_private_key,
                      server_public_key, record,
                      credential_identifier, oprf_seed, ke1)

                            ke2
                 <-------------------------

       (ke3,
       server_info,
       session_key,
       export_key) = ClientFinish(password, client_identity,
                                  server_identity, ke2)

                            ke3
                 ------------------------->

                          session_key = ServerFinish(ke3)

The rest of this section describes these authenticated key exchange messages and their parameters in more detail. Section 6.1 discusses internal functions used for retrieving client credentials, and Section 6.2 discusses how these functions are used to execute the authenticated key exchange protocol.

6.1.  Credential Retrieval

6.1.1.  Credential Retrieval Messages

   struct {
     uint8 data[Noe];
   } CredentialRequest;

data: A serialized OPRF group element.

   struct {
     uint8 data[Noe];
     uint8 masking_nonce[Nn];
     uint8 masked_response[Npk + Ne];
   } CredentialResponse;

data: A serialized OPRF group element.

masking_nonce: A nonce used for the confidentiality of the masked_response field.

masked_response: An encrypted form of the server's public key and the client's "Envelope" structure.

6.1.2.  Credential Retrieval Functions

6.1.2.1.  CreateCredentialRequest

   CreateCredentialRequest(password)

   Input:
   - password, an opaque byte string containing the client's password.

   Output:
   - request, a CredentialRequest structure.
   - blind, an OPRF scalar value.

   Steps:
   1. (blind, M) = Blind(password)
   2. Create CredentialRequest request with M
   3. Output (request, blind)

6.1.2.2.  CreateCredentialResponse

There are two scenarios to handle for the construction of a CredentialResponse object: either the record for the client exists (corresponding to a properly registered client), or it was never created (corresponding to a client that has yet to register).

In the case of an existing record with the corresponding identifier "credential_identifier", the server invokes the following function to produce a CredentialResponse:

   CreateCredentialResponse(request, server_public_key, record,
                            credential_identifier, oprf_seed)

   Input:
   - request, a CredentialRequest structure.
   - server_public_key, the public key of the server.
   - record, an instance of RegistrationUpload which is the server's
     output from registration.
   - credential_identifier, an identifier that uniquely represents the credential
     being registered.
   - oprf_seed, the server-side seed of Nh bytes used to generate an oprf_key.

   Output:
   - response, a CredentialResponse structure.

   Steps:
   1. ikm = Expand(oprf_seed, concat(credential_identifier, "OprfKey"), Nok)
   2. (oprf_key, _) = DeriveKeyPair(ikm)
   3. Z = Evaluate(oprf_key, request.data)
   4. masking_nonce = random(32)
   5. credential_response_pad = Expand(record.masking_key,
        concat(masking_nonce, "CredentialResponsePad"), Npk + Ne)
   6. masked_response = xor(credential_response_pad,
                            concat(server_public_key, record.envelope))
   7. Create CredentialResponse response with (Z, masking_nonce, masked_response)
   8. Output response

In the case of a record that does not exist, the server invokes the CreateCredentialResponse function where the record argument is configured so that:

*  record.masking_key is set to a random byte string of length Nh, and

*  record.envelope is set to the byte string consisting only of zeros, of length Ne

Note that the responses output by either scenario are indistinguishable to an adversary that is unable to guess the registered password for the client corresponding to credential_identifier.

6.1.2.3.  RecoverCredentials

   RecoverCredentials(password, blind, response, creds)

   Input:
   - password, an opaque byte string containing the client's password.
   - blind, an OPRF scalar value.
   - response, a CredentialResponse structure.
   - creds, a Credentials structure.

   Output:
   - client_private_key, the client's private key for the AKE protocol.
   - server_public_key, the public key of the server.
   - export_key, an additional client key.

   Steps:
   1. y = Finalize(password, blind, response.data)
   2. randomized_pwd = Extract("", Harden(y, params))
   3. masking_key = Expand(randomized_pwd, "MaskingKey", Nh)
   4. credential_response_pad = Expand(masking_key,
        concat(response.masking_nonce, "CredentialResponsePad"), Npk + Ne)
   5. concat(server_public_key, envelope) = xor(credential_response_pad,
                                                response.masked_response)
   6. (client_private_key, export_key) =
        RecoverEnvelope(randomized_pwd, server_public_key, creds, envelope)
   7. Output (client_private_key, server_public_key, export_key)

6.2.  AKE Protocol

This section describes the authenticated key exchange protocol for OPAQUE using 3DH, a 3-message AKE which satisfies the forward secrecy and KCI properties discussed in Section 8.
The protocol consists of three messages sent between client and server, each computed using the following application APIs:

*  ke1 = ClientInit(client_identity, password, client_info)

*  ke2, client_info = ServerInit(server_identity, server_private_key, server_public_key, record, credential_identifier, oprf_seed, ke1)

*  ke3, server_info, session_key, export_key = ClientFinish(password, client_identity, server_identity, ke2)

*  session_key = ServerFinish(ke3)

Outputs "ke1", "ke2", and "ke3" are the three protocol messages sent between client and server. Outputs "client_info" and "server_info" correspond to the optional information exchanged between client and server during the key exchange protocol. And finally, "session_key" and "export_key" are outputs to be consumed by applications. Applications can use "session_key" to derive additional keying material as needed.

Both ClientFinish and ServerFinish return an error if authentication failed. In this case, clients and servers MUST NOT use any outputs from the protocol, such as "session_key" or "export_key". ClientInit and ServerInit both implicitly return internal state objects "client_state" and "server_state", respectively, with the following named fields:

   struct {
     uint8 blind[Nok];
     uint8 client_secret[Nsk];
     KE1 ke1;
   } ClientState;

   struct {
     uint8 expected_client_mac[Nm];
     uint8 session_key[Nx];
   } ServerState;

Section 6.2.3 and Section 6.2.4 specify the inner working of these functions and their parameters for clients and servers, respectively.

Prior to the execution of these functions, both the client and the server MUST agree on a configuration; see Section 7 for details.

6.2.1.  Protocol Messages

   struct {
     CredentialRequest request;
     uint8 client_nonce[Nn];
     uint8 client_info<0..2^16-1>;
     uint8 client_keyshare[Npk];
   } KE1;

request: A "CredentialRequest" generated according to Section 6.1.2.1.
client_nonce: A fresh randomly generated nonce of length "Nn".

client_info: Optional application-specific information to exchange during the protocol.

client_keyshare: Client ephemeral key share of fixed size Npk, where Npk depends on the corresponding prime order group.

   struct {
     struct {
       CredentialResponse response;
       uint8 server_nonce[Nn];
       uint8 server_keyshare[Npk];
     } inner_ke2;
     uint8 enc_server_info<0..2^16-1>;
     uint8 server_mac[Nm];
   } KE2;

response: A "CredentialResponse" generated according to Section 6.1.2.2.

server_nonce: A fresh randomly generated nonce of length "Nn".

server_keyshare: Server ephemeral key share of fixed size Npk, where Npk depends on the corresponding prime order group.

enc_server_info: Optional application-specific information to exchange during the protocol encrypted under key Ke2, defined below.

server_mac: An authentication tag computed over the handshake transcript computed using Km2, defined below.

   struct {
     uint8 client_mac[Nm];
   } KE3;

client_mac: An authentication tag computed over the handshake transcript computed using Km2, defined below.

6.2.2.  Key Schedule Functions

6.2.2.1.  Transcript Functions

The OPAQUE-3DH key derivation procedures make use of the functions below, re-purposed from TLS 1.3 [RFC8446].

   Expand-Label(Secret, Label, Context, Length) =
       Expand(Secret, CustomLabel, Length)

Where CustomLabel is specified as:

   struct {
     uint16 length = Length;
     opaque label<8..255> = "OPAQUE-" + Label;
     uint8 context<0..255> = Context;
   } CustomLabel;

   Derive-Secret(Secret, Label, Transcript-Hash) =
       Expand-Label(Secret, Label, Transcript-Hash, Nx)

Note that the Label parameter is not a NULL-terminated string.

The OPAQUE-3DH key schedule requires a preamble, which is computed as follows.

   Preamble(client_identity, ke1, server_identity, inner_ke2)

   Input:
   - client_identity, the optional encoded client identity, which is set
     to client_public_key if not specified.
   - ke1, a KE1 message structure.
   - server_identity, the optional encoded server identity, which is set
     to server_public_key if not specified.
   - inner_ke2, an inner_ke2 structure as defined in KE2.

   Output:
   - preamble, the protocol transcript with identities and messages.

   Steps:
   1. preamble = concat("3DH",
                        I2OSP(len(client_identity), 2), client_identity,
                        ke1,
                        I2OSP(len(server_identity), 2), server_identity,
                        inner_ke2)
   2. Output preamble

6.2.2.2.  Shared Secret Derivation

The OPAQUE-3DH shared secret derived during the key exchange protocol is computed using the following function.

   TripleDHIKM(sk1, pk1, sk2, pk2, sk3, pk3)

   Input:
   - skx, scalar to be multiplied with their corresponding pkx.
   - pkx, element to be multiplied with their corresponding skx.

   Output:
   - ikm, input key material.

   Steps:
   1. dh1 = sk1 * pk1
   2. dh2 = sk2 * pk2
   3. dh3 = sk3 * pk3
   4. Output concat(dh1, dh2, dh3)

Using this shared secret, further keys used for encryption and authentication are computed using the following function.

   DeriveKeys(ikm, preamble)

   Input:
   - ikm, input key material.
   - preamble, the transcript as defined by Preamble().

   Output:
   - Km2, a MAC authentication key.
   - Km3, a MAC authentication key.
   - handshake_encrypt_key, an encryption key for `enc_server_info`.
   - session_key, the shared session secret.

   Steps:
   1. prk = Extract("", ikm)
   2. handshake_secret = Derive-Secret(prk, "HandshakeSecret", Hash(preamble))
   3. session_key = Derive-Secret(prk, "SessionKey", Hash(preamble))
   4. Km2 = Derive-Secret(handshake_secret, "ServerMAC", "")
   5. Km3 = Derive-Secret(handshake_secret, "ClientMAC", "")
   6. handshake_encrypt_key = Derive-Secret(handshake_secret, "HandshakeKey", "")
   7. Output (Km2, Km3, handshake_encrypt_key, session_key)

6.2.3.  External Client API

   ClientInit(client_identity, password, client_info)

   State:
   - state, a ClientState structure.

   Input:
   - client_identity, the optional encoded client identity, which is nil
     if not specified.
   - password, an opaque byte string containing the client's password.
   - client_info, the optional client_info sent unencrypted to the server,
     only authenticated with client_mac in KE3.

   Output:
   - ke1, a KE1 message structure.
   - blind, the OPRF blinding scalar.
   - client_secret, the client's Diffie-Hellman secret share for the session.

   Steps:
   1. request, blind = CreateCredentialRequest(password)
   2. state.blind = blind
   3. ke1 = Start(request, client_info)
   4. Output ke1

   ClientFinish(password, client_identity, server_identity, ke1, ke2)

   State:
   - state, a ClientState structure

   Input:
   - password, an opaque byte string containing the client's password.
   - client_identity, the optional encoded client identity, which is set
     to client_public_key if not specified.
   - server_identity, the optional encoded server identity, which is set
     to server_public_key if not specified.
   - ke1, a KE1 message structure.
   - ke2, a KE2 message structure.

   Output:
   - ke3, a KE3 message structure.
   - server_info, optional application-specific information sent encrypted
     and authenticated to the client.
   - session_key, the session's shared secret.

   Steps:
   1. Create Credentials creds with (client_identity, server_identity)
   2. (client_private_key, server_public_key, export_key) =
        RecoverCredentials(password, state.blind, ke2.CredentialResponse, creds)
   3. (ke3, server_info, session_key) =
        ClientFinalize(client_identity, client_private_key, server_identity,
                       server_public_key, ke1, ke2)
   4. Output (ke3, server_info, session_key)

6.2.3.1.  Internal Client Functions
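The key schedule of Section 6.2.2 run by both parties, as an added Python example (not code from the draft or from any OPAQUE implementation); the client half follows steps 1 to 6 of ClientFinalize. Assumptions: SHA-512 with Nx = 64 (so each Expand-Label call is a single HKDF-Expand block), HMAC-SHA-512 as MAC, a stand-in exponentiation group, empty enc_server_info, placeholder byte strings for the non-keyshare parts of ke1 and inner_ke2, and server-side TripleDHIKM arguments taken as the mirror image of the client's.

```python
import hashlib
import hmac

Nx = 64                     # assumption: SHA-512, so Nx equals the hash length
# Assumption: exponentiation modulo 2^255 - 19 stands in for the prime-order group.
P, G = 2**255 - 19, 2


def H(data):
    return hashlib.sha512(data).digest()


def mac(key, msg):
    return hmac.new(key, msg, hashlib.sha512).digest()


def i2osp(value, size):
    return value.to_bytes(size, "big")


def scalar(label):
    """Constructed private scalar derived from a label (sample data only)."""
    return int.from_bytes(H(label), "big") % (P - 1)


def public(sk):
    return pow(G, sk, P)


def dh(sk, pk):
    return i2osp(pow(pk, sk, P), 32)


def expand_label(secret, label, context):
    """Expand-Label(Secret, Label, Context, Nx) over the serialized CustomLabel."""
    full_label = b"OPAQUE-" + label
    custom_label = (i2osp(Nx, 2) + i2osp(len(full_label), 1) + full_label
                    + i2osp(len(context), 1) + context)
    # Length equals the hash length, so HKDF-Expand is one block:
    # T(1) = HMAC(PRK, info || 0x01).
    return mac(secret, custom_label + b"\x01")


def preamble(client_identity, ke1, server_identity, inner_ke2):
    return (b"3DH" + i2osp(len(client_identity), 2) + client_identity + ke1
            + i2osp(len(server_identity), 2) + server_identity + inner_ke2)


def triple_dh_ikm(sk1, pk1, sk2, pk2, sk3, pk3):
    return dh(sk1, pk1) + dh(sk2, pk2) + dh(sk3, pk3)


def derive_keys(ikm, pre):
    prk = mac(b"\x00" * 64, ikm)                        # Extract("", ikm)
    handshake_secret = expand_label(prk, b"HandshakeSecret", H(pre))
    session_key = expand_label(prk, b"SessionKey", H(pre))
    km2 = expand_label(handshake_secret, b"ServerMAC", b"")
    km3 = expand_label(handshake_secret, b"ClientMAC", b"")
    handshake_encrypt_key = expand_label(handshake_secret, b"HandshakeKey", b"")
    return km2, km3, handshake_encrypt_key, session_key


def handshake(client_private_key, registered_client_pk, server_view_of_client_id=b"alice"):
    """Both sides on constructed keys; returns (client_session_key, server_session_key)."""
    server_sk = scalar(b"server static")
    c_eph, s_eph = scalar(b"client ephemeral"), scalar(b"server ephemeral")
    ke1 = b"<request|client_nonce>" + i2osp(public(c_eph), 32)     # placeholder + keyshare
    inner_ke2 = b"<response|server_nonce>" + i2osp(public(s_eph), 32)
    enc_server_info = b""

    # Server: mirror image of the client's TripleDHIKM arguments (assumption).
    s_ikm = triple_dh_ikm(s_eph, public(c_eph), server_sk, public(c_eph),
                          s_eph, registered_client_pk)
    s_pre = preamble(server_view_of_client_id, ke1, b"example.com", inner_ke2)
    s_km2, s_km3, _, s_session = derive_keys(s_ikm, s_pre)
    server_mac = mac(s_km2, H(s_pre + enc_server_info))
    expected_client_mac = mac(s_km3, H(s_pre + enc_server_info + server_mac))

    # Client: ClientFinalize steps 1 to 6.
    c_ikm = triple_dh_ikm(c_eph, public(s_eph), c_eph, public(server_sk),
                          client_private_key, public(s_eph))
    c_pre = preamble(b"alice", ke1, b"example.com", inner_ke2)
    c_km2, c_km3, _, c_session = derive_keys(c_ikm, c_pre)
    expected_server_mac = mac(c_km2, H(c_pre + enc_server_info))
    if not hmac.compare_digest(server_mac, expected_server_mac):
        return "MacError", None                         # client aborts, no ke3 is sent
    client_mac = mac(c_km3, H(c_pre + enc_server_info + expected_server_mac))

    # ServerFinish: release session_key only if ke3.client_mac matches.
    ok = hmac.compare_digest(client_mac, expected_client_mac)
    return c_session, (s_session if ok else None)
```

With the registered key pair both sides return the same 64-byte session_key; a client holding a different private key, or a server that places a different client identity in the preamble, ends in MacError on the client before ke3 is produced.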
Expires 4 November 2021 [Page 36] Internet-Draft OPAQUE May 2021 Start(credential_request, client_info) Parameters: - Nn, the nonce length. State: - state, a ClientState structure. Input: - credential_request, a CredentialRequest structure. - client_info, the optional client_info sent unencrypted to the server, only authenticated with client_mac in KE3. Output: - ke1, a KE1 structure. Steps: 1. client_nonce = random(Nn) 2. client_secret, client_keyshare = GenerateKeyPair() 3. Create KE1 ke1 with (credential_request, client_nonce, client_info, client_keyshare) 4. state.client_secret = client_secret 5. Output (ke1, client_secret) Krawczyk, et al. Expires 4 November 2021 [Page 37] Internet-Draft OPAQUE May 2021 ClientFinalize(client_identity, client_private_key, server_identity, server_public_key, ke1, ke2) State: - state, a ClientState structure. Input: - client_identity, the optional encoded client identity, which is set to client_public_key if not specified. - client_private_key, the client's private key. - server_identity, the optional encoded server identity, which is set to server_public_key if not specified. - server_public_key, the server's public key. - ke2, a KE2 message structure. Output: - ke3, a KE3 structure. - server_info, optional application-specific information sent encrypted and authenticated to the client. - session_key, the shared session secret. Steps: 1. ikm = TripleDHIKM(state.client_secret, ke2.server_keyshare, state.client_secret, server_public_key, client_private_key, ke2.server_keyshare) 2. preamble = Preamble(client_identity, state.ke1, server_identity, ke2.inner_ke2) 3. Km2, Km3, handshake_encrypt_key, session_key = DeriveKeys(ikm, preamble) 4. expected_server_mac = MAC(Km2, Hash(concat(preamble, ke2.enc_server_info)) 5. If !ct_equal(ke2.server_mac, expected_server_mac), raise MacError 6. client_mac = MAC(Km3, Hash(concat(preamble, ke2.enc_server_info, expected_server_mac)) 7. 
pad = Expand(handshake_encrypt_key, "EncryptionPad", len(ke2.enc_server_info)) 8. server_info = xor(pad, enc_server_info) 9. Create KE3 ke3 with client_mac 10. Output (ke3, server_info, session_key) 6.2.4. External Server API Krawczyk, et al. Expires 4 November 2021 [Page 38] Internet-Draft OPAQUE May 2021 ServerInit(server_identity, server_private_key, server_public_key, record, credential_identifier, oprf_seed, ke1) Input: - server_identity, the optional encoded server identity, which is set to server_public_key if nil. - server_private_key, the server's private key. - server_public_key, the server's public key. - server_info, the optional server info sent unencrypted to the client. - record, the client's RegistrationUpload structure. - credential_identifier, an identifier that uniquely represents the credential being registered. - oprf_seed, the server-side seed of Nh bytes used to generate an oprf_key. - ke1, a KE1 message structure. Output: - ke2, a KE2 structure. - client_info, the optional client_info sent unencrypted to the server, only authenticated with client_mac in KE3. Steps: 1. response = CreateCredentialResponse(ke1.request, server_public_key, record, credential_identifier, oprf_seed) 2. (ke2, client_info) = Response(server_identity, server_private_key, client_identity, record.client_public_key, server_info, ke1, response) 3. Output (ke2, client_info) ServerFinish(ke3) State: - state, a ServerState structure. Input: - ke3, a KE3 structure. Output: - session_key, the shared session secret if, and only if, KE3 is valid, nil otherwise. Steps: 1. if ct_equal(ke3.client_mac, state.expected_client_mac): 2. Output state.session_key 3. Output nil 6.2.4.1. Internal Server Functions Krawczyk, et al. Expires 4 November 2021 [Page 39] Internet-Draft OPAQUE May 2021 Response(server_identity, server_private_key, client_identity, client_public_key, server_info, ke1, credential_response) Parameters: - Nn, the nonce length. State: - state, a ServerState structure. 
Input: - server_identity, the optional encoded server identity, which is set to server_public_key if not specified. - server_private_key, the server's private key. - client_identity, the optional encoded client identity, which is set to client_public_key if not specified. - client_public_key, the client's public key. - server_info, optional application-specific information sent encrypted and authenticated to the client. - ke1, a KE1 message structure. - credential_response, a CredentialResponse structure. Output: - ke2, A KE2 structure. - client_info, the optional client_info sent unencrypted to the server, only authenticated with client_mac in KE3. Steps: 1. server_nonce = random(Nn) 2. server_secret, server_keyshare = GenerateKeyPair() 3. Create inner_ke2 ike2 with (credential_response, server_nonce, server_keyshare) 4. preamble = Preamble(client_identity, ke1, server_identity, ike2) 5. ikm = TripleDHIKM(server_secret, ke1.client_keyshare, server_private_key, ke1.client_keyshare, server_secret, client_public_key) 6. Km2, Km3, handshake_encrypt_key, session_key = DeriveKeys(ikm, preamble) 7. pad = Expand(handshake_encrypt_key, "EncryptionPad", len(server_info)) 8. enc_server_info = xor(pad, server_info) 9. server_mac = MAC(Km2, Hash(concat(preamble, enc_server_info)) 10. expected_client_mac = MAC(Km3, Hash(concat(preamble, enc_server_info, server_mac)) 11. Populate state with ServerState(expected_client_mac, session_key) 11. Create KE2 ke2 with (ike2, enc_server_info, server_mac) 12. Output (ke2, ke1.client_info) 7. Configurations An OPAQUE-3DH configuration is a tuple (OPRF, KDF, MAC, Hash, MHF, EnvelopeMode, Group) such that the following conditions are met: Krawczyk, et al. Expires 4 November 2021 [Page 40] Internet-Draft OPAQUE May 2021 * The OPRF protocol uses the "base mode" variant of [I-D.irtf-cfrg-voprf] and implements the interface in Section 2. Examples include OPRF(ristretto255, SHA-512) and OPRF(P-256, SHA- 256). 

   *  The KDF, MAC, and Hash functions implement the interfaces in
      Section 2.  Examples include HKDF [RFC5869] for the KDF, HMAC
      [RFC2104] for the MAC, and SHA-256 and SHA-512 for the Hash
      functions.  If an extensible output function such as SHAKE128
      [FIPS202] is used then the output length "Nh" MUST be chosen to
      align with the target security level of the OPAQUE configuration.
      For example, if the target security parameter for the
      configuration is 128-bits, then "Nh" SHOULD be at least 32 bytes.

   *  The MHF has fixed parameters, chosen by the application, and
      implements the interface in Section 2.  Examples include Argon2
      [I-D.irtf-cfrg-argon2], scrypt [RFC7914], and PBKDF2 [RFC2898]
      with fixed parameter choices.

   *  EnvelopeMode value is as defined in Section 4, and is one of
      "internal" or "external".

   *  The Group mode identifies the group used in the OPAQUE-3DH AKE.
      This SHOULD match that of the OPRF.  For example, if the OPRF is
      OPRF(ristretto255, SHA-512), then Group SHOULD be ristretto255.

   Absent an application-specific profile, the following configurations
   are RECOMMENDED:

   *  OPRF(ristretto255, SHA-512), HKDF-SHA-512, HMAC-SHA-512, SHA-512,
      Scrypt(32768,8,1), internal, ristretto255

   *  OPRF(P-256, SHA-256), HKDF-SHA-256, HMAC-SHA-256, SHA-256,
      Scrypt(32768,8,1), internal, P-256

   Future configurations may specify different combinations of dependent
   algorithms, with the following considerations:

   1.  The size of AKE public and private keys - "Npk" and "Nsk",
       respectively - must adhere to the output length limitations of
       the KDF Expand function.  If HKDF is used, this means Npk, Nsk <=
       255 * Nx, where Nx is the output size of the underlying hash
       function.  See [RFC5869] for details.

   2.  The output size of the Hash function SHOULD be long enough to
       produce a key for MAC of suitable length.  For example, if MAC is
       HMAC-SHA256, then "Nh" could be 32 bytes.

8.  Security Considerations

   OPAQUE is defined and proven as the composition of two
   functionalities: an OPRF and an AKE protocol.  It can be seen as a
   "compiler" for transforming any AKE protocol (with KCI security and
   forward secrecy - see below) into a secure aPAKE protocol.  In
   OPAQUE, the client stores a secret private key at the server during
   password registration and retrieves this key each time it needs to
   authenticate to the server.  The OPRF security properties ensure that
   only the correct password can unlock the private key while at the
   same time avoiding potential offline guessing attacks.  This general
   composability property provides great flexibility and enables a
   variety of OPAQUE instantiations, from optimized performance to
   integration with TLS.  The latter aspect is of prime importance as
   the use of OPAQUE with TLS constitutes a major security improvement
   relative to the standard password-over-TLS practice.  At the same
   time, the combination with TLS builds OPAQUE as a fully functional
   secure communications protocol and can help provide privacy to
   account information sent by the client to the server prior to
   authentication.

   The KCI property required from AKE protocols for use with OPAQUE
   states that knowledge of a party's private key does not allow an
   attacker to impersonate others to that party.  This is an important
   security property achieved by most public-key based AKE protocols,
   including protocols that use signatures or public key encryption for
   authentication.  It is also a property of many implicitly
   authenticated protocols, e.g., HMQV, but not all of them.  We also
   note that key exchange protocols based on shared keys do not satisfy
   the KCI requirement, hence they are not considered in the OPAQUE
   setting.  We note that KCI is needed to ensure a crucial property of
   OPAQUE: even upon compromise of the server, the attacker cannot
   impersonate the client to the server without first running an
   exhaustive dictionary attack.
   Another essential requirement from AKE protocols for use in OPAQUE is
   to provide forward secrecy (against active attackers).

8.1.  Related Analysis

   Jarecki et al. [OPAQUE] proved the security of OPAQUE in a strong
   aPAKE model that ensures security against pre-computation attacks and
   is formulated in the Universal Composability (UC) framework
   [Canetti01] under the random oracle model.  This assumes security of
   the OPRF function and the underlying key exchange protocol.  In turn,
   the security of the OPRF protocol from [I-D.irtf-cfrg-voprf] is
   proven in the random oracle model under the One-More Diffie-Hellman
   assumption [JKKX16].

   Very few aPAKE protocols have been proven formally, and those proven
   were analyzed in a weak security model that allows for
   pre-computation attacks (e.g., [GMR06]).  This is not just a formal
   issue: these protocols are actually vulnerable to such attacks.  This
   includes protocols that have recent analyses in the UC model such as
   AuCPace [AuCPace] and SPAKE2+ [SPAKE2plus].  We note that as shown in
   [OPAQUE], these protocols, and any aPAKE in the model from [GMR06],
   can be converted into an aPAKE secure against pre-computation attacks
   at the expense of an additional OPRF execution.

   OPAQUE's design builds on a line of work initiated in the seminal
   paper of Ford and Kaliski [FK00] and is based on the HPAKE protocol
   of Xavier Boyen [Boyen09] and the (1,1)-PPSS protocol from Jarecki et
   al. [JKKX16].  None of these papers considered security against
   pre-computation attacks or presented a proof of aPAKE security (not
   even in a weak model).

8.2.  Identities

   AKE protocols generate keys that need to be uniquely and verifiably
   bound to a pair of identities.  In the case of OPAQUE, those
   identities correspond to client_identity and server_identity.
   Thus, it is essential for the parties to agree on such identities,
   including an agreed bit representation of these identities as needed.

   Applications may have different policies about how and when
   identities are determined.  A natural approach is to tie
   client_identity to the identity the server uses to fetch envelope
   (hence determined during password registration) and to tie
   server_identity to the server identity used by the client to initiate
   an offline password registration or online authenticated key exchange
   session.  server_identity and client_identity can also be part of the
   envelope or be tied to the parties' public keys.  In principle,
   identities may change across different sessions as long as there is a
   policy that can establish if the identity is acceptable or not to the
   peer.  However, we note that the public keys of both the server and
   the client must always be those defined at the time of password
   registration.

   The client identity (client_identity) and server identity
   (server_identity) are optional parameters that are left to the
   application to designate as monikers for the client and server.  If
   the application layer does not supply values for these parameters,
   then they will be omitted from the creation of the envelope during
   the registration stage.  Furthermore, they will be substituted with
   client_identity = client_public_key and server_identity =
   server_public_key during the authenticated key exchange stage.

   The advantage to supplying a custom client_identity and
   server_identity (instead of simply relying on a fallback to
   client_public_key and server_public_key) is that the client can then
   ensure that any mappings between client_identity and
   client_public_key (and server_identity and server_public_key) are
   protected by the authentication from the envelope.
   Then, the client can verify that the client_identity and
   server_identity contained in its envelope match the client_identity
   and server_identity supplied by the server.  However, if this extra
   layer of verification is unnecessary for the application, then simply
   leaving client_identity and server_identity unspecified (and using
   client_public_key and server_public_key instead) is acceptable.

8.3.  Envelope Encryption

   The analysis of OPAQUE from [OPAQUE] requires the authenticated
   encryption scheme used to produce the envelope in the external mode
   to have a special property called random key-robustness (or
   key-committing).  This specification enforces this property by
   utilizing encrypt-then-MAC in the construction of the envelope.
   There is no option to use another authenticated encryption scheme
   with this specification.  (Deviating from the key-robustness
   requirement may open the protocol to attacks, e.g., [LGR20].)

   We remark that export_key for authentication or encryption requires
   no special properties from the authentication or encryption schemes
   as long as export_key is used only after the envelope is validated,
   i.e., after the MAC in RecoverCredentials passes verification.

8.4.  Export Key Usage

   The export key can be used (separately from the OPAQUE protocol) to
   provide confidentiality and integrity to other data which only the
   client should be able to process.  For instance, if the server is
   expected to maintain any client-side secrets which require a password
   to access, then this export key can be used to encrypt these secrets
   so that they remain hidden from the server.

8.5.  Static Diffie-Hellman Oracles

   While one can expect the practical security of the OPRF function
   (namely, the hardness of computing the function without knowing the
   key) to be in the order of computing discrete logarithms or solving
   Diffie-Hellman, Brown and Gallant [BG04] and Cheon [Cheon06] show an
   attack that slightly improves on generic attacks.
   For typical curves, the attack requires an infeasible number of calls
   to the OPRF or results in insignificant security loss; see
   [I-D.irtf-cfrg-voprf] for more information.  For OPAQUE, these
   attacks are particularly impractical as they translate into an
   infeasible number of failed authentication attempts directed at
   individual users.

8.6.  Input Validation

   Both client and server MUST validate the other party's public key(s)
   used for the execution of OPAQUE.  This includes the keys shared
   during the offline registration phase, as well as any keys shared
   during the online key agreement phase.  The validation procedure
   varies depending on the type of key.  For example, for OPAQUE
   instantiations using 3DH with P-256, P-384, or P-521 as the
   underlying group, validation is as specified in Section 5.6.2.3.4 of
   [keyagreement].  This includes checking that the coordinates are in
   the correct range, that the point is on the curve, and that the point
   is not the point at infinity.  Additionally, validation MUST ensure
   the Diffie-Hellman shared secret is not the point at infinity.

8.7.  OPRF Hardening

   Hardening the output of the OPRF greatly increases the cost of an
   offline attack upon the compromise of the password file at the
   server.  Applications SHOULD select parameters that balance cost and
   complexity.

8.8.  Preventing Client Enumeration

   Client enumeration refers to attacks where the attacker tries to
   learn extra information about the behavior of clients that have
   registered with the server.  There are two types of attacks we
   consider: 1) An attacker tries to learn whether a given client
   identity is registered with a server, and 2) An attacker tries to
   learn whether a given client identity has recently completed
   registration, or has re-registered (e.g. after a password change).

   Preventing the first type of attack requires the server to act with
   unregistered client identities in a way that is indistinguishable
   from its behavior with existing registered clients.  This is achieved
   in Section 6.1.2.2 for an unregistered client by simulating a
   CredentialResponse for unregistered clients through the sampling of a
   random masking_key value and relying on the semantic security
   provided by the XOR-based pad over the envelope.  Implementations
   must employ care to avoid side-channel leakage (e.g., timing attacks)
   from helping differentiate these operations from a regular server
   response.

   Preventing the second type of attack requires the server to supply a
   credential_identifier value for a given client identity, consistently
   between the Section 5.1.1.2 and Section 6.1.2.2 steps.  Note that
   credential_identifier can be set to client_identity, for simplicity.

   In the event of a server compromise that results in a re-registration
   of credentials for all compromised clients, the oprf_seed value must
   be resampled, resulting in a change in the oprf_key value for each
   client.  Although this change can be detected by an adversary, it is
   only leaked upon password rotation after the exposure of the
   credential files.

   Applications must use the same envelope mode when using this
   prevention throughout their lifecycle.  The envelope size varies from
   one to another, and a switch in envelope mode could then be detected.

   Finally, note that server implementations may choose to forego the
   construction of a simulated credential response message for an
   unregistered client if these client enumeration attacks can be
   mitigated through other application-specific means.

8.9.  Password Salt and Storage Implications

   In OPAQUE, the OPRF key acts as the secret salt value that ensures
   the infeasibility of pre-computation attacks.  No extra salt value is
   needed.
   Also, clients never disclose their passwords to the server, even
   during registration.  Note that a corrupted server can run an
   exhaustive offline dictionary attack to validate guesses for the
   client's password; this is inevitable in any aPAKE protocol.  (OPAQUE
   enables defense against such offline dictionary attacks by
   distributing the server so that an offline attack is only possible if
   all - or a minimal number of - servers are compromised [OPAQUE].)

   Some applications may require learning the client's password for
   enforcing password rules.  Doing so invalidates this important
   security property of OPAQUE and is NOT RECOMMENDED.  Applications
   should move such checks to the client.  Note that limited checks at
   the server are possible to implement, e.g., detecting repeated
   passwords.

9.  IANA Considerations

   This document makes no IANA requests.

10.  References

10.1.  Normative References

   [I-D.irtf-cfrg-voprf]
              Davidson, A., Faz-Hernandez, A., Sullivan, N., and C. A.
              Wood, "Oblivious Pseudorandom Functions (OPRFs) using
              Prime-Order Groups", Work in Progress, Internet-Draft,
              draft-irtf-cfrg-voprf-06, 21 February 2021.

   [RFC2104]  Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-
              Hashing for Message Authentication", RFC 2104,
              DOI 10.17487/RFC2104, February 1997.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC4086]  Eastlake 3rd, D., Schiller, J., and S. Crocker,
              "Randomness Requirements for Security", BCP 106, RFC 4086,
              DOI 10.17487/RFC4086, June 2005.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017.

10.2.  Informative References

   [AuCPace]  Haase, B. and B. Labrique, "AuCPace: Efficient verifier-
              based PAKE protocol tailored for the IIoT",
              http://eprint.iacr.org/2018/286, 2018.

   [BG04]     Brown, D. and R.
              Gallant, "The static Diffie-Hellman problem",
              http://eprint.iacr.org/2004/306, 2004.

   [Boyen09]  Boyen, X., "HPAKE: Password Authentication Secure against
              Cross-Site User Impersonation", Cryptology and Network
              Security (CANS), 2009.

   [Canetti01]
              Canetti, R., "Universally composable security: A new
              paradigm for cryptographic protocols", IEEE Symposium on
              Foundations of Computer Science (FOCS), 2001.

   [Cheon06]  Cheon, J.H., "Security analysis of the strong Diffie-
              Hellman problem", Eurocrypt 2006, 2006.

   [FIPS202]  National Institute of Standards and Technology (NIST),
              "SHA-3 Standard: Permutation-Based Hash and Extendable-
              Output Functions", August 2015.

   [FK00]     Ford, W. and B.S. Kaliski, Jr, "Server-assisted generation
              of a strong secret from a password", WETICE, 2000.

   [GMR06]    Gentry, C., MacKenzie, P., and Z. Ramzan, "A method for
              making password-based key exchange resilient to server
              compromise", CRYPTO, 2006.

   [HMQV]     Krawczyk, H., "HMQV: A high-performance secure Diffie-
              Hellman protocol", CRYPTO, 2005.

   [I-D.irtf-cfrg-argon2]
              Biryukov, A., Dinu, D., Khovratovich, D., and S.
              Josefsson, "The memory-hard Argon2 password hash and
              proof-of-work function", Work in Progress, Internet-Draft,
              draft-irtf-cfrg-argon2-13, 11 March 2021.

   [JKKX16]   Jarecki, S., Kiayias, A., Krawczyk, H., and J. Xu,
              "Highly-efficient and composable password-protected secret
              sharing (or: how to protect your bitcoin wallet online)",
              IEEE European Symposium on Security and Privacy, 2016.

   [keyagreement]
              Barker, E., Chen, L., Roginsky, A., Vassilev, A., and R.
              Davis, "Recommendation for pair-wise key-establishment
              schemes using discrete logarithm cryptography",
              DOI 10.6028/nist.sp.800-56ar3, National Institute of
              Standards and Technology report, April 2018.

   [LGR20]    Len, J., Grubbs, P., and T. Ristenpart, "Partitioning
              Oracle Attacks", n.d.

   [OPAQUE]   Jarecki, S., Krawczyk, H., and J.
              Xu, "OPAQUE: An Asymmetric PAKE Protocol Secure Against
              Pre-Computation Attacks", Eurocrypt, 2018.

   [RFC2898]  Kaliski, B., "PKCS #5: Password-Based Cryptography
              Specification Version 2.0", RFC 2898,
              DOI 10.17487/RFC2898, September 2000.

   [RFC2945]  Wu, T., "The SRP Authentication and Key Exchange System",
              RFC 2945, DOI 10.17487/RFC2945, September 2000.

   [RFC5869]  Krawczyk, H. and P. Eronen, "HMAC-based Extract-and-Expand
              Key Derivation Function (HKDF)", RFC 5869,
              DOI 10.17487/RFC5869, May 2010.

   [RFC7914]  Percival, C. and S. Josefsson, "The scrypt Password-Based
              Key Derivation Function", RFC 7914, DOI 10.17487/RFC7914,
              August 2016.

   [RFC8017]  Moriarty, K., Ed., Kaliski, B., Jonsson, J., and A. Rusch,
              "PKCS #1: RSA Cryptography Specifications Version 2.2",
              RFC 8017, DOI 10.17487/RFC8017, November 2016.

   [RFC8125]  Schmidt, J., "Requirements for Password-Authenticated Key
              Agreement (PAKE) Schemes", RFC 8125, DOI 10.17487/RFC8125,
              April 2017.

   [RFC8446]  Rescorla, E., "The Transport Layer Security (TLS) Protocol
              Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018.

   [SIGNAL]   "Signal recommended cryptographic algorithms",
              https://signal.org/docs/specifications/doubleratchet/#recommended-cryptographic-algorithms,
              2016.

   [SPAKE2plus]
              Shoup, V., "Security Analysis of SPAKE2+",
              http://eprint.iacr.org/2020/313, 2020.

Appendix A.  Acknowledgments

   The OPAQUE protocol and its analysis is joint work of the author with
   Stas Jarecki and Jiayu Xu.  We are indebted to the OPAQUE reviewers
   during CFRG's aPAKE selection process, particularly Julia Hesse and
   Bjorn Tackmann.  This draft has benefited from comments by multiple
   people.  Special thanks to Richard Barnes, Dan Brown, Eric Crockett,
   Paul Grubbs, Fredrik Kuivinen, Payman Mohassel, Jason Resch, Greg
   Rubin, and Nick Sullivan.

Appendix B.  Alternate AKE Instantiations

   It is possible to instantiate OPAQUE with other AKEs, such as HMQV
   [HMQV] and SIGMA-I.  HMQV is similar to 3DH but varies in its key
   schedule.  SIGMA-I uses digital signatures rather than static DH keys
   for authentication.  Specification of these instantiations is left to
   future documents.  A sketch of how these instantiations might change
   is included in the next subsection for posterity.

   OPAQUE may also be instantiated with any post-quantum (PQ) AKE
   protocol that has the message flow above and security properties (KCI
   resistance and forward secrecy) outlined in Section 8.  Note that
   such an instantiation is not quantum-safe unless the OPRF is
   quantum-safe.  However, an OPAQUE instantiation where the AKE is
   quantum-safe, but the OPRF is not, would still ensure the
   confidentiality of application data encrypted under session_key (or a
   key derived from it) with a quantum-safe encryption function.

B.1.  HMQV Instantiation Sketch

   An HMQV instantiation would work similar to OPAQUE-3DH, differing
   primarily in the key schedule [HMQV].  First, the key schedule
   "preamble" value would use a different constant prefix - "HMQV"
   instead of "3DH" - as shown below.

   preamble = concat("HMQV",
                     I2OSP(len(client_identity), 2), client_identity,
                     KE1,
                     I2OSP(len(server_identity), 2), server_identity,
                     KE2.inner_ke2)

   Second, the IKM derivation would change.  Assuming HMQV is
   instantiated with a cyclic group of prime order p with bit length L,
   clients would compute "IKM" as follows:

   u' = (eskU + u * skU) mod p
   IKM = (epkS * pkS^s)^u'

   Likewise, servers would compute "IKM" as follows:

   s' = (eskS + s * skS) mod p
   IKM = (epkU * pkU^u)^s'

   In both cases, "u" would be computed as follows:

   hashInput = concat(I2OSP(len(epkU), 2), epkU,
                      I2OSP(len(info), 2), info,
                      I2OSP(len("client"), 2), "client")
   u = Hash(hashInput) mod L

   Likewise, "s" would be computed as follows:

   hashInput = concat(I2OSP(len(epkS), 2), epkS,
                      I2OSP(len(info), 2), info,
                      I2OSP(len("server"), 2), "server")
   s = Hash(hashInput) mod L

   Hash is the same hash function used in the main OPAQUE protocol for
   key derivation.  Its output length (in bits) must be at least L.

B.2.  SIGMA-I Instantiation Sketch

   A SIGMA-I instantiation differs more drastically from OPAQUE-3DH
   since authentication uses digital signatures instead of Diffie
   Hellman.  In particular, both KE2 and KE3 would carry a digital
   signature, computed using the server and client private keys
   established during registration, respectively, as well as a MAC,
   where the MAC is computed as in OPAQUE-3DH.

   The key schedule would also change.  Specifically, the key schedule
   "preamble" value would use a different constant prefix - "SIGMA-I"
   instead of "3DH" - and the "IKM" computation would use only the
   ephemeral key shares exchanged between client and server.

Appendix C.  Test Vectors

   This section contains test vectors for the OPAQUE-3DH specification.
   Each test vector specifies the configuration information, protocol
   inputs, intermediate values computed during registration and
   authentication, and protocol outputs.  All values are encoded in
   hexadecimal strings.  The configuration information includes the
   (OPRF, Hash, MHF, EnvelopeMode, Group) tuple, where the Group matches
   that which is used in the OPRF.  These test vectors were generated
   using draft-06 of [I-D.irtf-cfrg-voprf].

C.1.  OPAQUE-3DH Test Vector 1

C.1.1.
Configuration

   OPRF: 0001
   Hash: SHA512
   MHF: Identity
   KDF: HKDF-SHA512
   MAC: HMAC-SHA512
   EnvelopeMode: 01
   Group: ristretto255
   Nh: 64
   Npk: 32
   Nsk: 32
   Nm: 64
   Nx: 64
   Nok: 32

C.2.  OPAQUE-3DH Test Vector 2

C.2.1.  Configuration

   OPRF: 0001
   Hash: SHA512
   MHF: Identity
   KDF: HKDF-SHA512
   MAC: HMAC-SHA512
   EnvelopeMode: 01
   Group: ristretto255
   Nh: 64
   Npk: 32
   Nsk: 32
   Nm: 64
   Nx: 64
   Nok: 32
Expires 4 November 2021 [Page 58] Internet-Draft OPAQUE May 2021 registration_request: fa8c0e0144f7b9cd1de1bfcf78104f94d63c0f90398c9df ceee06ab5593ec500 registration_response: 4050a6e95fdb81b47bfcda99524460e791a9b3e2960829 1ac5f0cca020d31260a4084c7296b1a3d5a5e4a24358750489575acfd8fcfa6e78749 2b98265a5e651 registration_upload: 28839665f903b654da8cbc1d8aef2528ab2c58794271a889 49cabe9e959b9723a62c7e51b5118d184c057979a334c8f338e44bbfb5364668ec2f3 1a4e54fa85408fa903d054c3092ac3994df118ab99cea5842ba13968717379eefe646 7df3610e51a98cf5748f021086da6a40c707f54a077831cc91a9bcf1804103343a928 2fed1ed5d8977be01ec5a15f558dac5b5e98a55830efb98fca2fef2b022539369d6c7 4aabea49d77a56f3afb271837cd03e58d99bcd0fa08aca825b746ea86ccf KE1: dedef709c5faf24970b4fa77480a2c640dc8c6b7a53ae78a2dbf3fc75134a250 b339b7a02983d128cd8a01545c6f4c5e1de982a65abf0e1115f641ba9fd5872500096 8656c6c6f20626f62746987c9ba92c3636d92fa7afc0379009ed54a7fb2db3cf7e4c4 07d4ed2c6e35 KE2: 985b8739594ed8a1cb4e03d74c4e630e8bebc0575f657f53b3e7ebf24317b927 8bd5a108e6a05affde823439a17a97f9c07b2c2a58f18a3cef371ee85b75a73ca6a60 3e6e934f7783a0b249cd6b3039b344bd01fdbb90210e516957512fb51842e287b812d fe74e93e86d39c49adb3bdc79e7d02c8d8a50b08c0dea9f2521f2d8bd180fff926804 d4dd364a0418f39c75c09959da811bbe12ad2fa3ec122a2151fd7b48a92cf1f582c1c 64408331c30f626a8cc05b16a6392ff72705ae20610a578e04e4205af9ae3b9fafa46 d850767224a8887a85f474ebee6627ad0869a0e80d9b21c255bf04113a6d339fff579 c68475e516c0c98f625a90f6532a310f13000ffc9c8e0bad2571c695aa85bf421d968 23e88c7cbd31e84fe468867cc286b0247c8abd0e87c5e8271100cd8af9082f055fb90 66aa3e2babb0ad80f14d2921225d2fa401f37245fec3d2735592bce641 KE3: 659ab46fe55da07b754d6024fc9c8c0a214cfcde32daf69b8245a1255fee8bad bbab800f55631dd721c6221b8c405476bbf3e543ee173a48e51da58ade1250af export_key: d2e30fe6be5bdf769fae2f29458a8a810beb22294131f113c70b61f17 3bf6ec6273c03fdc16d0dd810c16746fc5aaaa317de6f5641dd15190699a86e717004 73 session_key: 35c10904d5f497361f1f936b63e9436b485922860a4e4ca515b3d2c2 
bda4ddefa8392d2b8dffe48b20ea1534cf9ea149d97b963d663aa545dad8ae997d2ae ea4 C.3. OPAQUE-3DH Test Vector 3 C.3.1. Configuration Krawczyk, et al. Expires 4 November 2021 [Page 59] Internet-Draft OPAQUE May 2021 OPRF: 0001 Hash: SHA512 MHF: Identity KDF: HKDF-SHA512 MAC: HMAC-SHA512 EnvelopeMode: 01 Group: ristretto255 Nh: 64 Npk: 32 Nsk: 32 Nm: 64 Nx: 64 Nok: 32 C.3.2. Input Values Krawczyk, et al. Expires 4 November 2021 [Page 60] Internet-Draft OPAQUE May 2021 server_identity: 626f62 oprf_seed: 8e0aaf4dfe21787fdb07badc15661ee8fd9b6f74987f80adaacf81cd01 bee833ffc46094e3178c8e8c4c675e9689e2d980e9a8faba64be082d472a7b40b978d a credential_identifier: 31323334 password: 436f7272656374486f72736542617474657279537461706c65 envelope_nonce: cb2ef5b3afed25cb6332e74ce40d3b8fb8aff0f3a029fec560adb ba41a907b97 masking_nonce: dd58cdd24ac0ac8083a305994a73948a5bd1e8e786507e8cdccb10 4de7c479f0 server_private_key: be81db28eb1e147561c478a3f84cbf77037f010272fd51abc ff08ac9537e750b server_public_key: 5ab8bfa5e626d2249e0aa9e9546cd2f9e30bb1e6f568334ef3 f459678b0e0d25 client_info: 68656c6c6f20626f62 server_info: 6772656574696e677320616c696365 server_nonce: 4c34797dec207e283260fa80e61ae932519e83028fa96f0ca4f73ef c94417bb8 client_nonce: 4953f4d7e2b908aabe90d35c139afcd340357aed9ff30231e6d5514 6a5d796f2 server_keyshare: a6d76012999541f1ec0c014ec1606f2bd2a517e51f731d595469 51d9699e1739 client_keyshare: 2e8a05799d3c524ede0482f39e047df99d9a53dc2dc30e8947eb 5da98b8c4354 server_private_keyshare: 14a08c384d74f6dcaed32bb9448c02865efb17a32b82 c7f06a9586c6e72e4b06 client_private_keyshare: 01229ee057507c3e53534ad9db9f6df6ce515d1b8017 923b65cada1973524d0c blind_registration: 27fa7b2a6d920c76cf03fb57bdeacc2ec39330fd6e7f9e5db dfcb571e271a60f blind_login: a4e7b12d5b712efcac9ba734d54c2b24bff0ef6310404b5c05d60d7c 8451bd0c oprf_key: 183899a56b7a5980a3adaf7a7bf55a8c516dad4a94ac232aa53815a982e 9490f C.3.3. Intermediate Values Krawczyk, et al. 
Expires 4 November 2021 [Page 61] Internet-Draft OPAQUE May 2021 client_public_key: c28fd47d9b71f4e427904c3f20f6148e9d7ac42acf3463f427 8aeaf8a267af5f auth_key: 2c31e524e4f5fb42e49afb9ec8dc63a717a89f2fb97bb566c2cff5f62e3 dd0ecef8fcbd23c06b66b1b03ddf807ddcb1b55fb77e860173dfee2dad6bf6f364380 randomized_pwd: 319579dc9218ceb2a1d0c48b39b3ada23bf78e4c7d48adcebed83 88ab4856dea3c806855fdde3eb66fcfdf58c3caa03c1d8f53670ef3d8c0e2617bc231 c0d22b envelope: cb2ef5b3afed25cb6332e74ce40d3b8fb8aff0f3a029fec560adbba41a9 07b971f770afa8fb6ac2dfae400dbe2a4c2c470c3eab8d40094f8bb867e3a1016952e 3117f8abfb252e8e684266b183d6094b126b3ea446ea3af9c7efa31297dcf0b2 handshake_secret: c8f6fb5083c8f165b4f5358ff0c3f190cab6aceaecd98b01df0 f384018885b12a90e9d81925eab8c1ec75dcacf3a41921ac7d4bc8a52caeb2ab9d4c2 ba7e5e90 handshake_encrypt_key: fb6dfcff6e7c608dcd4e959b568ac4834a8487a1b91729 ae36b387b2f5cef09bd94360355ae8b93c5d4cde6294ea04799e6856bb38bf707020d 45f1f7af7abae server_mac_key: 77b59b5c77b4433da90e8afcfc8cc5eaac139c072dfad8ecd6631 fdea7816da11b4a6a9788eb01b6889cd56769461373644178fd82ddf34013a163f18d 361080 client_mac_key: eba19966d1d66893a77e77c493bdaaac2b162912f7c5350d8122f 0db2dd66c5a66e07571648e396839b29ff62ad2ff65788a50139381265c8de0128eaa 431e30 C.3.4. Output Values Krawczyk, et al. 
Expires 4 November 2021 [Page 62] Internet-Draft OPAQUE May 2021 registration_request: fa39a478c220a89929613f9e65c9a4617da96b62509c42b 39d7e3606ed2e8031 registration_response: a0ffcffeb69e885c3983ae1ee7181ae6926b1daaa254b9 20ea8ea3207e6a5f325ab8bfa5e626d2249e0aa9e9546cd2f9e30bb1e6f568334ef3f 459678b0e0d25 registration_upload: c28fd47d9b71f4e427904c3f20f6148e9d7ac42acf3463f4 278aeaf8a267af5fadd651f79e277bac65b6ab94837502dcd550a4fd9760dd7732e7c 6ddafb55912eb004a364cccfc159826136fb15d0b3db10cc7270c705ef45854565b72 43c988cb2ef5b3afed25cb6332e74ce40d3b8fb8aff0f3a029fec560adbba41a907b9 71f770afa8fb6ac2dfae400dbe2a4c2c470c3eab8d40094f8bb867e3a1016952e3117 f8abfb252e8e684266b183d6094b126b3ea446ea3af9c7efa31297dcf0b2 KE1: 96f9f35ebc0ca71607fd2cfcd465e285eeeabdec61151b39b2b4fb735538aa0c 4953f4d7e2b908aabe90d35c139afcd340357aed9ff30231e6d55146a5d796f200096 8656c6c6f20626f622e8a05799d3c524ede0482f39e047df99d9a53dc2dc30e8947eb 5da98b8c4354 KE2: bed95c2e47175634a3b845cf3fc40bb4ddd9ef8e8a1b815bdded3500d898a45c dd58cdd24ac0ac8083a305994a73948a5bd1e8e786507e8cdccb104de7c479f0dd94c 8de23d83c7a29f934d4056bf905d2d284e9dfcf163110ccb516fe33bc27aa769e5788 6b45f3c486ff738a05194fccd044a0e1bcba7d3e029ee61d2aacc6be7f1e0b5590fb6 eaeb4758ad48ec455b09bbf3c9a6079c619d96e78a493e058fddbae195a62efea6786 a33f49f55645ebfdebca7ff97d348453a0547035206d4c34797dec207e283260fa80e 61ae932519e83028fa96f0ca4f73efc94417bb8a6d76012999541f1ec0c014ec1606f 2bd2a517e51f731d59546951d9699e1739000fa10f6bacd674e7bb72acf76ea2902b1 fcd7dde605e1b76b24caf4a912c73f3ffb26850099f51659307589034b5be92f71e20 18ab6df824eb9b3e691b69c4e4fc3f20112e61d2adf43a21bc6aa1424e KE3: 66c1ecc6a6028f188fbd563b1e594fd6fa9752518bdcf26dacc42144dd3a695d 320d098da9f94f9117b470bb8074c0e1df0c9d6fa4bb7de1ff18c3e7edb1e16e export_key: 29d05720560fa0d96af22fbef7cc6b5189e3d90bd5c58df93456c0851 76368662a92aa8767b1d9d20f854138f886e68007d6ffab1cf0bce39d1bad1e9120a6 73 session_key: 0a71a28002cf637dcc0cdbcb83c804ba5b3e9939f53ca932179d0285 
91531059c5666c0fc23411bfed4128b66dbee4d267c17f6a5ec8c5e9efc911602eefa 86e C.4. OPAQUE-3DH Test Vector 4 C.4.1. Configuration Krawczyk, et al. Expires 4 November 2021 [Page 63] Internet-Draft OPAQUE May 2021 OPRF: 0001 Hash: SHA512 MHF: Identity KDF: HKDF-SHA512 MAC: HMAC-SHA512 EnvelopeMode: 01 Group: ristretto255 Nh: 64 Npk: 32 Nsk: 32 Nm: 64 Nx: 64 Nok: 32 C.4.2. Input Values Krawczyk, et al. Expires 4 November 2021 [Page 64] Internet-Draft OPAQUE May 2021 client_identity: 616c696365 server_identity: 626f62 oprf_seed: 389e8c2b070e95e0c5f183cddee8bff604cde897c7d4796614f322f070 ec05799f58aea870c5bd8d78a6a638dc5bd5b4cbc532345ebf6b1a847f85d8a535227 6 credential_identifier: 31323334 password: 436f7272656374486f72736542617474657279537461706c65 envelope_nonce: f3e01f0691b1bd96dd76b1ac0e3b162c01dead2d5a460996db61c 7cb6e06f054 masking_nonce: e98bd401befe1c3656af0335023eb4d39623d7709475baf2f97b61 96d500b0c3 server_private_key: d49399dc3bc1022938dfb0e79db523d4e4e41f494c3898eac 652bf95f6efa108 server_public_key: fc5638262d8f6ba5848b70dbe22394d6c346edcd2f889cce50 017dc037001c63 client_info: 68656c6c6f20626f62 server_info: 6772656574696e677320616c696365 server_nonce: 06e1342e124cec21e81844c070baffad06ae9639ba7644f312e87eb 90b1e60cd client_nonce: 3d92d44306392e9c01483550614cbfc9f9c166883845d4c17dd5859 952dc72ca server_keyshare: 6a398e50c4e395ee52ef332d6c2c0a77187e2e0b3564617eb66d 2878c41e6c47 client_keyshare: 14b434e33a39d7d9fd6dbe3638925edd7a0344a312a22971754b d075d8347342 server_private_keyshare: 5f4a55d2e8474fe0ec811b4cca7c0e51a886c4343d83 c4e5228b8739b3e37700 client_private_keyshare: 2928684a1796b559988623c12413cf511d13cb07ecb6 d54be4962fe2b1bd6f08 blind_registration: 89ae863bc6f3e8b59bbd1354548220e81cd0ffb6f9e4ec217 3870ae6107f8d03 blind_login: 07e41ecdb9ef83429e58098b8f30a6b49d414ad5e6073d177a1f0b69 cf537f05 oprf_key: cc5626bba30643d91feb3ea84169e1e317d5a5cc58f338333d3e15e0784 04b0e C.4.3. Intermediate Values Krawczyk, et al. 
Expires 4 November 2021 [Page 65] Internet-Draft OPAQUE May 2021 client_public_key: f02fc825a4bbbaa93194c8d8e3bef57bf7f7217ff526f89524 be78cf88326f36 auth_key: 77e1e98f362558d7f03c8f82211e1a3b3344c9d91fc3b84172da615173b 4223191030e408a36d42cee24f84033b8d85f1211dda7ced47ad4e2a891ec3ae818c8 randomized_pwd: a5f101b43f06680a15a28f8451919eebd962a257b438ae49a98bd 7e458da1b5901d2ddaff50b264bf5f218df074fc2bbabb8a64b32e8aae4a477085606 489f9d envelope: f3e01f0691b1bd96dd76b1ac0e3b162c01dead2d5a460996db61c7cb6e0 6f05479c0f198d63c785cd4be603103d77d62b033aef7d7ac70c28441dc3ece8ffcab 182460d77693a2cc20c52284f046541631f1ba14b023436d11bce8c421c661ed handshake_secret: ff94d02a713a89c44b47d837ec8e083859bb562d7476674a57e d14d0f81fd0463695b3386147625204204aff8f854acea3a06c14d99d6c0e7b5931b0 973deaa9 handshake_encrypt_key: 3669bfbffc3884a9e9753d8bd8e00336adfdde00c15176 47e7b0a6b1ce6fd1a6df9a37f476ceb0ab1ced5dffb9acdf0aaf1a14a8ac0ee067f83 b50a2480c97cf server_mac_key: 7fe6cf6ab68cb965216dbe58fe5169e906ee3d465e812c80d5020 c7ff922ff2b236a21460f0ac8f09ea2493c4fc555323b33e8f81cf40baa66823c4ab0 85b236 client_mac_key: e399874544be8a581c92aee5dcc3651f04467435baffe5a98192a 92e9d8b8125d692319462aa5b57605b5459d81531bd26d69599d15d18a0a897cd781f fe3113 C.4.4. Output Values Krawczyk, et al. 
Expires 4 November 2021 [Page 66] Internet-Draft OPAQUE May 2021 registration_request: 307ff12c023cb5ce33a04efd497252442fa899505732b4c 322b02d1e7a655f21 registration_response: 7adb55bef90bd68f344e20e78a70d6ee7142b7d99caf9d 21861befcec8124874fc5638262d8f6ba5848b70dbe22394d6c346edcd2f889cce500 17dc037001c63 registration_upload: f02fc825a4bbbaa93194c8d8e3bef57bf7f7217ff526f895 24be78cf88326f36d2a15a304bcb3a6e184b14d0ff5db92788d01d922e406d6d9e888 c1728fd1e20d43d3aecf9c5d2bb5796f8383522d2563370fe18caa392aa4850ce5060 0d3af3f3e01f0691b1bd96dd76b1ac0e3b162c01dead2d5a460996db61c7cb6e06f05 479c0f198d63c785cd4be603103d77d62b033aef7d7ac70c28441dc3ece8ffcab1824 60d77693a2cc20c52284f046541631f1ba14b023436d11bce8c421c661ed KE1: e6fb9b013986abe5f6e9586a0110395a97ad695dde622d58470adb0a0cdcb37e 3d92d44306392e9c01483550614cbfc9f9c166883845d4c17dd5859952dc72ca00096 8656c6c6f20626f6214b434e33a39d7d9fd6dbe3638925edd7a0344a312a22971754b d075d8347342 KE2: f056ba65d12e66794253220c6025157a66540ba67a154c78aa2c4d1829cf2f0e e98bd401befe1c3656af0335023eb4d39623d7709475baf2f97b6196d500b0c364f51 cb7aedd768ff45793dc630031914dcf80bc0983dbe690698c4ee8e9566b19c362eb89 323184a4e4a4ab2c94b97ad08c0a112d9676950855c01097759194cc6c801122d1876 24f0fe7e8704a94efafad7197106fbe07faafe9e2e111b828c6ffd076e755e0bb1c57 1b1f79fc837260d7f65c376d852e3b69ad13b8c335bf06e1342e124cec21e81844c07 0baffad06ae9639ba7644f312e87eb90b1e60cd6a398e50c4e395ee52ef332d6c2c0a 77187e2e0b3564617eb66d2878c41e6c47000ffe003e3a4f069652e7b4df4d93dd7fd d9f3c04b3f231e8e7df85424eaa6f3ab3cf62ca99b902d60ef66ffdf03ceb9c46b945 29edfbfde5128016fc18be803c6c65f8c687f96e40c7fd3dd9f74db4e5 KE3: de85e7818163d60a00ed1f11e7223be2a3ebb6d1894c60a7676ee6403a7326aa 827e327a41b8137a05a9705ab289744fa80ee177d33b289ba945da5db158a9a4 export_key: 8a7280e120dba669c07f39567e338fa0f56d20d5a4c0269469f345b45 b1d690400caf29bd3ac1b4083fb866eb63845416cefce6c00ac8f2dfe8047f2e2255f 35 session_key: 986c130fa4208a6a231272fad57f7cff370c893941e21affb7f1b773 
9158081a50b9c040d7b665a74d55412e7a4c45d81fdb6d86f4f4bc58a4979c2f68625 b77 C.5. OPAQUE-3DH Test Vector 5 C.5.1. Configuration Krawczyk, et al. Expires 4 November 2021 [Page 67] Internet-Draft OPAQUE May 2021 OPRF: 0002 Hash: SHA512 MHF: Identity KDF: HKDF-SHA512 MAC: HMAC-SHA512 EnvelopeMode: 01 Group: decaf448 Nh: 64 Npk: 56 Nsk: 56 Nm: 64 Nx: 64 Nok: 56 C.5.2. Input Values Krawczyk, et al. Expires 4 November 2021 [Page 68] Internet-Draft OPAQUE May 2021 oprf_seed: 077906f7255b7391b91483968461626e9547b82a445cd6a9127d433ac4 f2037fea083ddab4782c8643dcbadf45ed25e4d6070414f9676cb9777efdab0dfcb61 5 credential_identifier: 31323334 password: 436f7272656374486f72736542617474657279537461706c65 envelope_nonce: b27e906182129a354335ef733e8f211e7f77c6ec70b1a05e45d2b 145ce938ef8 masking_nonce: 6c91ef10f0a12c9775dc03cef0d9f0aea07f22afa5d3b55802d7a4 9fa7c84049 server_private_key: 4b642526ef9910289315b71f7a977f7b265e46a6aea42c40b 78bd2f1281617519f3f790c8d0f42eacce68456c259202c352f233ae2dc6506 server_public_key: 7a9e44dda0839cf2fd0461eccb8fc704c39e3da227ceb4baaa 3e421385fd2194903385345e6ac39e2a9911b6e624b0928051af9a6834ce57 client_info: 68656c6c6f20626f62 server_info: 6772656574696e677320616c696365 server_nonce: dcd4a5a60406b4812c25a48e68f6756d20ae8f7feeaee936820ae80 6e922a21c client_nonce: e3392b2a02ac5be57a05df55afd9b3e79f13f9f7c91bcbf85ebe2ec 3bf1600f8 server_keyshare: b0fd650f0efdf4cec17e85b9cca2fa7ac7f1ff76ca94ed07e8ac 65afd6304ef8102bf24376fc5b064edb55fe02027d7fef41d05db3652db0 client_keyshare: de9bfa627cb161dd7098c8a582f5fb3a38641e8df3d6e7c40dff ec1adff5f0d148716cf15cd11a04b80b11cc12a1056493b23ee23267704c server_private_keyshare: b4c67a79b035b9887260399acc5f7083245d8adc40b8 f39f14cd8bd4ade8abbb95166afdc9e922203abe7a8539854c64b943b0b49bc7c611 client_private_keyshare: 2e28ff4c5f89353d25d6b5a8720734ed34a4a70f8e63 2de4046e64cee0b47cfcd9173c7ceb0d373234e06b81b5a3b316aec93a8212ba2c31 blind_registration: 26abc79daa9fcc06f6d3acf12df82de919be4937f28f531b1 
4ac96b844320e7a66810c2d9391cbb877348301ab59a3a91b4a2129198aa12b blind_login: 5ea7839f2ac8cf1c5fa92703d4cff61ba2e896e126d371f6380ca417 57f6458b93b049e1b0d73ab5b8d914b08dff3e52e62ea889638dac21 oprf_key: 92d00609c97ae75e88e82690a1c8a7e63ed83508c7c8a451765d3b1bd4f b5b9c400ec86559bf673debc80bce7d31c8640234f1620e360834 C.5.3. Intermediate Values Krawczyk, et al. Expires 4 November 2021 [Page 69] Internet-Draft OPAQUE May 2021 client_public_key: 8eb67a9bf7cfcb736810c1827bd7c2923c06581a9836c77f02 1c0277e86172632307ca773b9c5a287636cde4a322a946e7abff65cd83a142 auth_key: 0ff33a4c0f8c42d74d7cebb13aab9507ce81e1ecda761242c10ebd242a7 7bd8be9d46f56588f224491e88356c148645f35917db91629adb9ca0e6623df2006f8 randomized_pwd: 4605dbf72bd606e0f456d2e8b26cec1e8761c3d151a89041ca8ce 6a5d27436da25251a3a252d8782afab349acdece1e1fe72a6a141fac69e51e7248193 d2a352 envelope: b27e906182129a354335ef733e8f211e7f77c6ec70b1a05e45d2b145ce9 38ef81637506a2dc0f1bbd7a13cc90b776730280d7fafc62b1d529036a505cc0203fc 3b788ac59d4b9287ffcbe63354ab6f4ced1df3e87a3cdf23a3cdae83e5aa920b handshake_secret: 7b69558cab8f3397c1a918b7f052696dafb5a7d28b9bf536352 f7fe73db49e2a662b629c2c834a1d0f4f0d0234255fb496dfbd84eafce9f308a34632 91802d80 handshake_encrypt_key: aa50678d3d271521e0ad9980696e46cbfa07b907499420 f85f5df4d1d58324400f7e681b8829d4de42b77833eb9ca4345531bed741a8e6cfb39 b26623794536c server_mac_key: 5f9a74f5c943cd04f6669ef047bf4c01d4d3ccec986cf1061fb84 f45ab9c722d922c48bd5844b45e3f00ee09cc78d8e41ae4ce3d9f6a9751d5dd446905 fe27b8 client_mac_key: d2d47efa98ff716de9b2d91756776fb984ee1ee5c1be8bdd5b9fb 8de99625a2ad6a2caf206d00e71ac54d6dcca2ed141e59f7b94ee892713723ce7613e d2b381 C.5.4. Output Values Krawczyk, et al. 
Expires 4 November 2021 [Page 70] Internet-Draft OPAQUE May 2021 registration_request: a2c1e08d638fa00bdd13a4a2ec5a3e2d9f31c7c4784188d 441b6a709f47e2196911ce68a8add9ee7dd6e488cd1a00b0301766dd02af2aa3c registration_response: 0cee15027c49c8a67a1c6e46196f5ab710239ff1c54cec 77b68bb68e9afa4997de355c35c03d4e9905651d563c2989d06d6ef4a0631d32f87a9 e44dda0839cf2fd0461eccb8fc704c39e3da227ceb4baaa3e421385fd219490338534 5e6ac39e2a9911b6e624b0928051af9a6834ce57 registration_upload: 8eb67a9bf7cfcb736810c1827bd7c2923c06581a9836c77f 021c0277e86172632307ca773b9c5a287636cde4a322a946e7abff65cd83a142095ff ef79ad465fb047386358d4d68e5ae6a42ac03cad226b27fa0a5404e4a867cfda8969e da8899440360d50783a66eeebd5bb777bae55b5760372367233124b27e906182129a3 54335ef733e8f211e7f77c6ec70b1a05e45d2b145ce938ef81637506a2dc0f1bbd7a1 3cc90b776730280d7fafc62b1d529036a505cc0203fc3b788ac59d4b9287ffcbe6335 4ab6f4ced1df3e87a3cdf23a3cdae83e5aa920b KE1: 08d74cf75888a3c22b52d9ba2070f43e699a1439c8a312178e1605bbe7479731 9ab7898faf4f2c33d19679a257bca53e27a7c295b50b0d87e3392b2a02ac5be57a05d f55afd9b3e79f13f9f7c91bcbf85ebe2ec3bf1600f8000968656c6c6f20626f62de9b fa627cb161dd7098c8a582f5fb3a38641e8df3d6e7c40dffec1adff5f0d148716cf15 cd11a04b80b11cc12a1056493b23ee23267704c KE2: 5e43757ee70502f4a7dfd8192d025587f75ad6b05f7a2dbc5286fc2368567a80 e30fc73f5b57fa21973a388b13a4978738dbdb40b04a955a6c91ef10f0a12c9775dc0 3cef0d9f0aea07f22afa5d3b55802d7a49fa7c840492f928e6582dc855eec7683bbac 2e51306942fc6000b4fc5a70d389e999993fc9946f293ae1f438e3abdd3c3d25b4fcf 6d8958eba9198a2c055f148de74f1c034e244f53f418286b067249cdb9dcf5d2017fe 12b79f1ae23fe5be88b4c43a7f47708492f45c6afd58766c8f1026bbfbe9365e7f3bc 981ae774d1646f694af8a5d9bb3efc6933df2500d78196ce5d74cb31824aeb9fc8881 cfdcd4a5a60406b4812c25a48e68f6756d20ae8f7feeaee936820ae806e922a21cb0f d650f0efdf4cec17e85b9cca2fa7ac7f1ff76ca94ed07e8ac65afd6304ef8102bf243 76fc5b064edb55fe02027d7fef41d05db3652db0000f5d1ab7b954489e21815dceb9f 
3e1df67f1fa5a460c4a91e93db5614a03c48da57f4cdccfb3c55bbe9d163b7c3bf709 4621b24e1f529e7237e3685c0b7fdbac2d291055e50a46e33738a64c4c4b549b KE3: bb3204c71f1ad6e6f16807f5c44cb01fcdc662cebc0e0699f97d230c2b78e570 f85e5f4cd8d3d4c9c2f5045de5eab044965d7aa532d5233e29beebea09cb79e3 export_key: 09d1ab28781693795471eeee2d4c06a579ac59a5b80b552a0a8e1bcbf 90db6a788a8cec93dfd62d65759053ca48aa87fc0e781ad60d8f97e93d0e4e1845ec9 60 session_key: 1dee607190ed3ca16f6374a5d8bf97aa89453b47b3b64cd6cf796a6f 705e3c75dba0c5f192cd91a5a9591da949b2922854f8be73c9cf8b6c88c71960d8b90 b61 C.6. OPAQUE-3DH Test Vector 6 C.6.1. Configuration Krawczyk, et al. Expires 4 November 2021 [Page 71] Internet-Draft OPAQUE May 2021 OPRF: 0002 Hash: SHA512 MHF: Identity KDF: HKDF-SHA512 MAC: HMAC-SHA512 EnvelopeMode: 01 Group: decaf448 Nh: 64 Npk: 56 Nsk: 56 Nm: 64 Nx: 64 Nok: 56 C.6.2. Input Values Krawczyk, et al. Expires 4 November 2021 [Page 72] Internet-Draft OPAQUE May 2021 client_identity: 616c696365 oprf_seed: ce664d61ce8e6fad5fa2b6ce395ba0e396e9cc7fae28cd5b9167811010 06dd8260770815df83cd01d5744e07e4cf7b88e61e3393ae9b709019ef660abb23bb1 8 credential_identifier: 31323334 password: 436f7272656374486f72736542617474657279537461706c65 envelope_nonce: d435848ca1554f0e7bad7d1577a5cca9d620a83f4ef8939a21b03 a906c3dfe22 masking_nonce: f3dbff9d25947c274222060eb0cafa2c9f81a60b5dcb2dcb793ced c0d3ddfce1 server_private_key: f0a17b7f6b056dfcfbee5bd7db70a99bbabf1ebe98b192e93 cedceb9c0164e95b891bd8bc81721b8ea31835d6f9687a36c94592a6d591e3d server_public_key: 741b6d4ed36766c6996f8017ca9bd6fa5f83f648f2f17d1230 316ebd2b419ae2f0fbb21e308c1dfa0d745b702c2b375227b601859da5eb92 client_info: 68656c6c6f20626f62 server_info: 6772656574696e677320616c696365 server_nonce: 0964b779670cbfd504d4cce8ea37f2707b727b7236532cbcaab548f 529bb0a3f client_nonce: f98b5fc700740f05c5bb0d67545cb11f979a3531e73d1be85eeb87d bf111fc24 server_keyshare: 5cc2a00d1b42d14ac07e05dca2dbc20661a4f30909137bc3274a 
25c3fb4310fc9c61d76fc6576c8ed1c9816719433acc81722a2a5e23357b client_keyshare: ee784169a2abed53764292f2e7385c5dd99ee21d09a4df244057 06a59abb6d91f3ed3dd8c6649807d11cb59ddfa23fad081ddda04ea49075 server_private_keyshare: 619befc22cca054c042da7b2eab01c59f99bc955df62 2548e247f7ef180732909ff3c5f87ff8c786d85b3c276550d64df70618a81e14d339 client_private_keyshare: ca6f309f131e21373228a44b09d4c00da9a6bbaf9a5e 54a1687c07f327833643112a8a5a2f1bd6a011fa82f705f20cf788d6b6741b158e26 blind_registration: 2de1be6961f0700496e71df806ebd5322aa0926b2f8f1d3fa 1fea402f3c90b04601274050a3c6f467387c2f48878823949820d4fad44da19 blind_login: ab0cb69c311b71343843ea041bae30e2bde41b548b8fbd8b77ceb623 25f25986ce21cef85c92e3399433661eeeb9c1150a9cc64c3fb53001 oprf_key: ca2e2837fdbac208e3d1fca1a8f435f1d1137ce4893e85cb906eb434c0a 5ddda5297295cc4d82e18bb5506988d208f06d9ec424a3f01f337 C.6.3. Intermediate Values Krawczyk, et al. Expires 4 November 2021 [Page 73] Internet-Draft OPAQUE May 2021 client_public_key: 186e80b2bf794cebbf9b8eaae4ab30f7f97ff8b4608f6015e6 09965ba5ca9a013efe4a33e6d74b0d5792eb953444d3c3412931954c5593d0 auth_key: 8ec795aa74327f4319213b9d24abbf50a127e7ebd7fae62e308012cc3ab 656bfca09be67727abe99677cee9e7efc353ea3bf8be6efa3bdedd50d39e0c1ec0eb7 randomized_pwd: b8222790bec472e0ac35dfec8c20985ae0fa78cd35b6441441d20 336dc8dc2c59197fb1024a4e7eb347ae1b8b85c9f6641a970705a0695e0d0854f010b b36cb9 envelope: d435848ca1554f0e7bad7d1577a5cca9d620a83f4ef8939a21b03a906c3 dfe2285ef3427a3828910f19b8eaa71e5f96fef52bcf42d6da50cad3c57e46bafd765 a8b5c43ae8c22e9191ac80d5de8fd03ef31f0b83a72fda6900b67768e6282efd handshake_secret: 175b48cadac266e0538eac4f95afd534cfded63fbaaa44954d6 d817a772aed0d744eb0c47d52fcb0862aae4187f37c92e3f267e46aefd941e6348d24 d41a6430 handshake_encrypt_key: 5abd7661e053e40cb906aaeb35ab0d6d0e8b66c395f408 072374bb6b8507f14f938083705ac3d269eafe8fd3dec25f501c9a715cdef507d3daf 9ec29c597961b server_mac_key: ad4070a2766f2e6f8bbc73409c500ece84dad628ecc38d10fbeac 
e6be33c07d4af4c2b9ebb587e6590fb37f912a13b141af696da2f58ed09630d75b5bd d57390 client_mac_key: aacc0bc86be130005d89727327c1a507b82efec7a92cf3a935643 94cd81de9e9928c839c0b16cd1c8ce46629bc1f81ebf54b0fabc857fb8a1467d05303 a78b4a C.6.4. Output Values Krawczyk, et al. Expires 4 November 2021 [Page 74] Internet-Draft OPAQUE May 2021 registration_request: 66660fc08075380d7c2d4728ed1a7b550647e8231d6d29e 60d3d1fa8fa3132c8dc445fa9c94de42e5f12e29de958e5daea84eba6a6410042 registration_response: ea812c4f71859e56aec9c59058f1b9bcd15a4ca107080b 78376a2f1adb637ace37eada25d433ab915aefa0abcaa823e4373c819a276bdfc7741 b6d4ed36766c6996f8017ca9bd6fa5f83f648f2f17d1230316ebd2b419ae2f0fbb21e 308c1dfa0d745b702c2b375227b601859da5eb92 registration_upload: 186e80b2bf794cebbf9b8eaae4ab30f7f97ff8b4608f6015 e609965ba5ca9a013efe4a33e6d74b0d5792eb953444d3c3412931954c5593d0391e3 a388ab9a83d94abc9bd7b08565fcea19b1a50e49891e1e818a114a4a8af1557c447c6 c7c3cb9d92c02753351c485bc00eb655bcb7fd4a4b66d70b42bcd0d435848ca1554f0 e7bad7d1577a5cca9d620a83f4ef8939a21b03a906c3dfe2285ef3427a3828910f19b 8eaa71e5f96fef52bcf42d6da50cad3c57e46bafd765a8b5c43ae8c22e9191ac80d5d e8fd03ef31f0b83a72fda6900b67768e6282efd KE1: 1c83acd948f714989a2276ef0c3bb16d5b637942e6d642da9826fbcba741291f 0b093b8c94888ff0ab621f90344f5b8b72159e2eb80651c1f98b5fc700740f05c5bb0 d67545cb11f979a3531e73d1be85eeb87dbf111fc24000968656c6c6f20626f62ee78 4169a2abed53764292f2e7385c5dd99ee21d09a4df24405706a59abb6d91f3ed3dd8c 6649807d11cb59ddfa23fad081ddda04ea49075 KE2: 284678bf91c8cbe62aa3ee0bab908ab4f738d1b9019f90586efdfca95163b25d ef3da3957ce9dc6764b1461c9ef1039918760f7bc31a44d8f3dbff9d25947c2742220 60eb0cafa2c9f81a60b5dcb2dcb793cedc0d3ddfce1100452e645f51a5f8ee104cb84 6f1ba962b900f5d28f63bbef21a60bf3bcb02131e83daceee0fe89a67b9ce703b2e8b abc581c8d4df72b4ce6c59688a3d60e2e58a2daaca302abcf6d32a8669f25c7e3032d bfae3be2cd1a0690dd8ef83abd179da490fb6f6dd623f1041f175aca82fb2fbae30c9 8f19eb9dfb1de9a4d661a7461721d4525624d800758afe20c7ab6d9c03d5c6f6f144a 
4c0964b779670cbfd504d4cce8ea37f2707b727b7236532cbcaab548f529bb0a3f5cc 2a00d1b42d14ac07e05dca2dbc20661a4f30909137bc3274a25c3fb4310fc9c61d76f c6576c8ed1c9816719433acc81722a2a5e23357b000f843a4f5a9016bf4629f4dd77e 140462e90e037f7278315f286665552928db406e3f5f4c6494204c9e39b48cbbe0b8e 8d32c6f2c80afc18dfd50c7567041faddfa8789ebcb4473d0c4280dde2b51f7c KE3: 0e0e13e7da56e241bcf7e72bce9d82aabac647d5827350920d73caa0c173291e a9677bac1116c91b8c53abbd5b14aee07403e8e2bf16b76aefcad28aa4b6ae77 export_key: 2d76cb8eb36d6b52ca5548f18973bb3f4e16227dc4f402de3d8e7ed86 f675fd69e83d11080af9f5cbd1307b27324673010b72b6ac05bf33481d6693bfdb8f5 55 session_key: 25aebd6c39af42d10704abcf085d3a13a4cb6f13cbd444476cb3fabb 8a34dbdb7b7c8f4003e1901db34d7fa020cae3a313c42d3919a3a23ae2b4e4dedec4e 14a C.7. OPAQUE-3DH Test Vector 7 C.7.1. Configuration Krawczyk, et al. Expires 4 November 2021 [Page 75] Internet-Draft OPAQUE May 2021 OPRF: 0002 Hash: SHA512 MHF: Identity KDF: HKDF-SHA512 MAC: HMAC-SHA512 EnvelopeMode: 01 Group: decaf448 Nh: 64 Npk: 56 Nsk: 56 Nm: 64 Nx: 64 Nok: 56 C.7.2. Input Values Krawczyk, et al. 
Expires 4 November 2021 [Page 76] Internet-Draft OPAQUE May 2021 server_identity: 626f62 oprf_seed: bb646e39ddb426383f5030be0d7cd7d81b47c2b31878a610b0c0283780 9b62af192ac8b166e11cdc57f8af5941688b00e59a7a90625a06d81c178738530341e 1 credential_identifier: 31323334 password: 436f7272656374486f72736542617474657279537461706c65 envelope_nonce: 21f858c4575df153350ac12e48f10978fec8a180c7efcb6f51ca4 b80d44b0f54 masking_nonce: 61666249fe4ad8c10356c935a1320d656e9c8c248201d0ff1509c7 70df7420a4 server_private_key: 8cd37bf60927fafeca73ed8093538a994b1a8bd463666faa0 68e5ff9e00d588446b7d6cdc09ae8df069b30987a2cdd39286e0481e87ae227 server_public_key: 684e5378dc98d8e9d61e9dc02b77471318a1b15eb26272dd04 ef823fc5c55e19163c714071efcab7ec06ccce8e6b9eba74ca92444be54f3c client_info: 68656c6c6f20626f62 server_info: 6772656574696e677320616c696365 server_nonce: 354f3898c203edbe31f0db10c9df8d90f2001757caefdfe8dbe37d8 bb5d120de client_nonce: 0a60dcb6a59b88bcdbbe96bde209eed4df105a09a01a08ee0100f15 c919426a1 server_keyshare: 80f64e52526682c9d332c4cb517bb261e21b86bc7199223b962c 3d2906f90bbf3252a02bf2889a01d0cfcd6390b8567854107e38abb21033 client_keyshare: d0cecdcb40e68a8f2a3c472d1fb7f0d96ce9effb7b71281a588d f2ca0666ce00126e14b9a28bbe73ada49d059f7794e5da6be7e7bf0eee12 server_private_keyshare: 906707dee9b2e3ebd9842b0442e25d08ba2548c6a44c 0d7bf4ee396a0e4a3f023b35698aaa93a2be8bb632747671b3edeaedff0784da7e2d client_private_keyshare: da23a46519065977331abaa1e3c0d86545162d96e9ad ba538bf67207633a956ea71fbd02ea2dbfe7e195dbd26ea562c6f2406fe1f7c4593e blind_registration: 4f0db672264527a8115f176c53709a4f94d1cca39c557ee10 3479baef585ba8017f7659cdd0b804c0938525199d88853b52ccfc7604bc233 blind_login: 39ba35e36db24404602da8a616e7ad8f72142cdb97a5689edb98ed34 24fa5c8584423c6b047121fc36fcec934c8ad24a98c86d0078b8f534 oprf_key: e1d2159815c27712d61236cd201e0de254e948c13a1f43d6a2c2a458b68 717912d9164a3f79d4655e11b9941f56ca4971987f280d176fa00 C.7.3. Intermediate Values Krawczyk, et al. 
Expires 4 November 2021 [Page 77] Internet-Draft OPAQUE May 2021 client_public_key: c43abbc2fc929a784c3f764da5bbadb92be69d79eac950d110 9ae855c5e73a47fc6762ab8ea780d01ec30c093a70e30f00e889cbb1cb944b auth_key: 1fc18c2785eeca0340a5a67e0380b491455481e821268ea474c9f9d3133 56423ff828e4ad258935def799ffafb8505e8f2ecf4f37d57e9af3c60e133db752f6c randomized_pwd: 82c33b5df1031b36735360e7c03d829ee6a80fde9ef4f15ac586b 3bcc1539618839e94d80bbef9775bd99f17e820439b66a3b384041b871899b357fa6d e35981 envelope: 21f858c4575df153350ac12e48f10978fec8a180c7efcb6f51ca4b80d44 b0f5410f4a8a1a814066a13d8746935490f50dd1b355c988bbbc2d9d34f0dc99310e8 5efa3668018b80d563933aeeda4801051bb57c260285f5042e2c1ba6a7f3d605 handshake_secret: 8c1c07962eaaf949ccec104351ba7cb5bea04d1916990e1adad 7bbe567bd62f52534a4f0d0bae31cb5f2147b5a135122fb87cc08a5af99827a494104 3674f44b handshake_encrypt_key: 37684cc6a9fc72d474b3487d7a3b24aaa3d26a930cd4f4 a9bfe60d68438c4b36480453714a53d0bd5f13ed5e115009f2b737cb9c7f9459fccd2 316d1e5e38899 server_mac_key: 99c77d4cf69293572bfcad517dd1fd6aa71ff3897ad3ff8d0ed90 d2b46733f3d58e2eea3ff4de324979d020bfd365e6d1e4302b48f4e36f790f6a50496 bcafc4 client_mac_key: 11cf030cdf5f45ec4eb0bf6a62ea481f231e30c8c76d5c3383d83 f0bea47b8b0ce4419960b8a354bbcb0bb4e73993c660268a609cf477d50711c0f4408 61c2d9 C.7.4. Output Values Krawczyk, et al. 
Expires 4 November 2021 [Page 78] Internet-Draft OPAQUE May 2021 registration_request: 8a8f12abe7f223895549fd121f9d6124424273b7524e033 f610261caf6ff83eb92d848318e7574c06ccee189b8b447b0fd26a348942d787c registration_response: ccfc0bff52203f5f15da05ea4aef0590df0167de51d39b 472543c4abbb21da219c38c11182d66c1e2a28bbd6faba830419cddb69417f2474684 e5378dc98d8e9d61e9dc02b77471318a1b15eb26272dd04ef823fc5c55e19163c7140 71efcab7ec06ccce8e6b9eba74ca92444be54f3c registration_upload: c43abbc2fc929a784c3f764da5bbadb92be69d79eac950d1 109ae855c5e73a47fc6762ab8ea780d01ec30c093a70e30f00e889cbb1cb944b11aef d6ec42306c84501e6cbfb4e7e11efc54dfa2202422a0aab6b1cc29a05215d5dfbeeb7 41cacd654c54cbbb9643442d279e8612b9de4f89d8d961806f547521f858c4575df15 3350ac12e48f10978fec8a180c7efcb6f51ca4b80d44b0f5410f4a8a1a814066a13d8 746935490f50dd1b355c988bbbc2d9d34f0dc99310e85efa3668018b80d563933aeed a4801051bb57c260285f5042e2c1ba6a7f3d605 KE1: 442b8d7585abe08bbb6b03b3d73c7f5d81cba60845258a4174e7b8d25a6d7238 8ec7814b7f0a0559fff29ac97c329f2c7b0844c3adb1c6ba0a60dcb6a59b88bcdbbe9 6bde209eed4df105a09a01a08ee0100f15c919426a1000968656c6c6f20626f62d0ce cdcb40e68a8f2a3c472d1fb7f0d96ce9effb7b71281a588df2ca0666ce00126e14b9a 28bbe73ada49d059f7794e5da6be7e7bf0eee12 KE2: 8a63ae784c8af59cd2dd193d11de4f36fd26e3ce0f74e751110e3eec331fa940 4f5ad32d9a67be88737ef441b393bca26045955affd6484c61666249fe4ad8c10356c 935a1320d656e9c8c248201d0ff1509c770df7420a4d2740f4e1ebaf4c805b9256672 fc33d391a1f78f34ff4882e904ab84a6ac073f210be384f62c203e5ddb9b8781b55f3 19f7bc1f6be7c5b34445643503ce562c5a6734f4e4d8131b1335fbe59ae2463a5125a ca78d8d9957e7a73e00c1557f765def34dbdc4a15b786a897f3cdf6a7f312820addb5 7fa41b25cdc4f0368355f3797f3f18a8a6ed8c4fd0808014d6db777779d9f5afe6a3d 0a354f3898c203edbe31f0db10c9df8d90f2001757caefdfe8dbe37d8bb5d120de80f 64e52526682c9d332c4cb517bb261e21b86bc7199223b962c3d2906f90bbf3252a02b f2889a01d0cfcd6390b8567854107e38abb21033000fd52c2008c3a618c8e9c6786dc 
C.8. OPAQUE-3DH Test Vector 8

C.8.1. Configuration

OPRF: 0002
Hash: SHA512
MHF: Identity
KDF: HKDF-SHA512
MAC: HMAC-SHA512
EnvelopeMode: 01
Group: decaf448
Nh: 64
Npk: 56
Nsk: 56
Nm: 64
Nx: 64
Nok: 56

C.8.2. Input Values
C.8.3. Intermediate Values
C.8.4. Output Values
C.9. OPAQUE-3DH Test Vector 9

C.9.1. Configuration

OPRF: 0003
Hash: SHA256
MHF: Identity
KDF: HKDF-SHA256
MAC: HMAC-SHA256
EnvelopeMode: 01
Group: P256_XMD:SHA-256_SSWU_RO_
Nh: 32
Npk: 33
Nsk: 32
Nm: 32
Nx: 32
Nok: 32

C.9.2. Input Values

C.9.3. Intermediate Values

C.9.4. Output Values
C.10. OPAQUE-3DH Test Vector 10

C.10.1. Configuration

OPRF: 0003
Hash: SHA256
MHF: Identity
KDF: HKDF-SHA256
MAC: HMAC-SHA256
EnvelopeMode: 01
Group: P256_XMD:SHA-256_SSWU_RO_
Nh: 32
Npk: 33
Nsk: 32
Nm: 32
Nx: 32
Nok: 32

C.10.2. Input Values
C.10.3. Intermediate Values

C.10.4. Output Values
C.11. OPAQUE-3DH Test Vector 11

C.11.1. Configuration

OPRF: 0003
Hash: SHA256
MHF: Identity
KDF: HKDF-SHA256
MAC: HMAC-SHA256
EnvelopeMode: 01
Group: P256_XMD:SHA-256_SSWU_RO_
Nh: 32
Npk: 33
Nsk: 32
Nm: 32
Nx: 32
Nok: 32

C.11.2. Input Values
C.11.3. Intermediate Values

C.11.4. Output Values

C.12. OPAQUE-3DH Test Vector 12

C.12.1. Configuration

OPRF: 0003
Hash: SHA256
MHF: Identity
KDF: HKDF-SHA256
MAC: HMAC-SHA256
EnvelopeMode: 01
Group: P256_XMD:SHA-256_SSWU_RO_
Nh: 32
Npk: 33
Nsk: 32
Nm: 32
Nx: 32
Nok: 32

C.12.2. Input Values
C.12.3. Intermediate Values
C.12.4. Output Values
C.13. OPAQUE-3DH Test Vector 13

C.13.1. Configuration

OPRF: 0004
Hash: SHA512
MHF: Identity
KDF: HKDF-SHA512
MAC: HMAC-SHA512
EnvelopeMode: 01
Group: P384_XMD:SHA-512_SSWU_RO_
Nh: 64
Npk: 49
Nsk: 48
Nm: 64
Nx: 64
Nok: 48

C.13.2. Input Values
C.13.3. Intermediate Values

C.13.4. Output Values
C.14. OPAQUE-3DH Test Vector 14

C.14.1. Configuration

OPRF: 0004
Hash: SHA512
MHF: Identity
KDF: HKDF-SHA512
MAC: HMAC-SHA512
EnvelopeMode: 01
Group: P384_XMD:SHA-512_SSWU_RO_
Nh: 64
Npk: 49
Nsk: 48
Nm: 64
Nx: 64
Nok: 48

C.14.2. Input Values
C.14.3. Intermediate Values

C.14.4. Output Values
Expires 4 November 2021 [Page 101] Internet-Draft OPAQUE May 2021 registration_request: 03c11a1b33c831ff085bea647c06bb354083adeaf4e7c25 d4ef17e90a25e590b275d412a48b83c064f75a6fd383e4730a1 registration_response: 032e2e2d79c4de3f578cf146419357b40c766356636712 310c3e787b768a90ad21500cb17a5715cc17e55b287a1ec4574703ca37ed36b0b311e 3241e6e96f49a44edaa971419d91fcabffbca0184afabd92827344da8379abfa84480 d9ba3f9e4a99 registration_upload: 027fd481529fe30db35dbebb7bce46564920f5cd18221c7a 31265ff3ea9af5896f685cfa39d100dd9ddde1fdf0139b6f77cff2cc696df1a036600 41b9c521a0ce6290e098168ffc27730118cf5ef4300ec692158ede08cfed5d64e4703 f2c375b7483cf210f5d3149d4b06e2721398dc349a1242e14caeb650b6db37478131f 194c58aff77ae769388699ecc81f99b88206ec6539fd339dab28daf5dcc962b240bed 4776952de1a622d5dbb33e314f142a4c7903cafbe5d3464c78552655e153bb3ff274e 6a80a7c0560d2ad7bf243e682 KE1: 03569da14f7d483ae405bdbd365b7bc7cd11968aa5c105d6fdf21d83cbc77050 7be9fb3aea6709f4a37e940900bccb4ca830cf008c4abd83de383f29da8820d2868d1 06c347de88d5b7057c0ac79a1884a000968656c6c6f20626f62021323ffcdb6e9971c b3d0516ac4f70f48c50ce81c897b4c3459ab5aa664a410e20012f6a3eefc000449912 82868648a0f KE2: 03c7b550c1f4a2ffdbce37b8c3048d6684972d3e145af0af6b4d9042c2c95a73 cc43c1b0d21e79e52096fd92936eea28351904aefee8a91aa363df4a775d4834c553c 8ecbdef6c173403f0668ac96a0bfa6fe644beeb3cc4b900ca849a68c6fe3cf0d2aa8d 7e994bb8dcd63455dd800f51fdaf741c489488ca6032ac215f83300c939b3ebec5294 8afb1db24771b2ebbbea5ae284140757302a75262fec7047687fec7ea92e622d3c561 546b9ef1627a0016a60a7a840da5834bac6c958a2637fdd0fdf658e1e9d8959730b27 8e897222982490739efacabe818b3e8c6e071d68928c5fe35951cf3cf6b68e388bed5 57b8ec848eb49ef719deaf56273b24190d8485037b55471c1bb3a246d0030fda68aa8 0a79786fa060c0b56e7bc7d0000886e3d661be0afcaa0cf69519eb528a11af48a9c00 0f075806cae72c6f1c14f022f7091dcc285c043a001c7a91300aac71bfec828623eb7 090d6daf98a2073a5194c0f4a2ea670de39b0e671dfdac3127141c0ebb02d771f7ed8 195d017ef635711a941a89 KE3: 
C.15.  OPAQUE-3DH Test Vector 15

C.15.1.  Configuration

   OPRF: 0004
   Hash: SHA512
   MHF: Identity
   KDF: HKDF-SHA512
   MAC: HMAC-SHA512
   EnvelopeMode: 01
   Group: P384_XMD:SHA-512_SSWU_RO_
   Nh: 64
   Npk: 49
   Nsk: 48
   Nm: 64
   Nx: 64
   Nok: 48

C.15.2.  Input Values

C.15.3.  Intermediate Values

C.15.4.  Output Values
C.16.  OPAQUE-3DH Test Vector 16

C.16.1.  Configuration

   OPRF: 0004
   Hash: SHA512
   MHF: Identity
   KDF: HKDF-SHA512
   MAC: HMAC-SHA512
   EnvelopeMode: 01
   Group: P384_XMD:SHA-512_SSWU_RO_
   Nh: 64
   Npk: 49
   Nsk: 48
   Nm: 64
   Nx: 64
   Nok: 48

C.16.2.  Input Values

C.16.3.  Intermediate Values

C.16.4.  Output Values
C.17.  OPAQUE-3DH Test Vector 17

C.17.1.  Configuration

   OPRF: 0005
   Hash: SHA512
   MHF: Identity
   KDF: HKDF-SHA512
   MAC: HMAC-SHA512
   EnvelopeMode: 01
   Group: P521_XMD:SHA-512_SSWU_RO_
   Nh: 64
   Npk: 67
   Nsk: 66
   Nm: 64
   Nx: 64
   Nok: 66

C.17.2.  Input Values

C.17.3.  Intermediate Values

C.17.4.  Output Values
C.18.  OPAQUE-3DH Test Vector 18

C.18.1.  Configuration

   OPRF: 0005
   Hash: SHA512
   MHF: Identity
   KDF: HKDF-SHA512
   MAC: HMAC-SHA512
   EnvelopeMode: 01
   Group: P521_XMD:SHA-512_SSWU_RO_
   Nh: 64
   Npk: 67
   Nsk: 66
   Nm: 64
   Nx: 64
   Nok: 66

C.18.2.  Input Values

C.18.3.  Intermediate Values

C.18.4.  Output Values
C.19.  OPAQUE-3DH Test Vector 19

C.19.1.  Configuration

   OPRF: 0005
   Hash: SHA512
   MHF: Identity
   KDF: HKDF-SHA512
   MAC: HMAC-SHA512
   EnvelopeMode: 01
   Group: P521_XMD:SHA-512_SSWU_RO_
   Nh: 64
   Npk: 67
   Nsk: 66
   Nm: 64
   Nx: 64
   Nok: 66

C.19.2.  Input Values

C.19.3.  Intermediate Values

C.19.4.  Output Values
C.20. OPAQUE-3DH Test Vector 20

C.20.1. Configuration

   OPRF: 0005
   Hash: SHA512
   MHF: Identity
   KDF: HKDF-SHA512
   MAC: HMAC-SHA512
   EnvelopeMode: 01
   Group: P521_XMD:SHA-512_SSWU_RO_
   Nh: 64
   Npk: 67
   Nsk: 66
   Nm: 64
   Nx: 64
   Nok: 66

C.20.2. Input Values

C.20.3. Intermediate Values

C.20.4. Output Values

C.21. OPAQUE-3DH Test Vector 21

C.21.1. Configuration

   OPRF: 0001
   Hash: SHA512
   MHF: Identity
   KDF: HKDF-SHA512
   MAC: HMAC-SHA512
   EnvelopeMode: 02
   Group: ristretto255
   Nh: 64
   Npk: 32
   Nsk: 32
   Nm: 64
   Nx: 64
   Nok: 32

C.21.2. Input Values

C.21.3. Intermediate Values

C.21.4. Output Values

C.22. OPAQUE-3DH Test Vector 22

C.22.1. Configuration

   OPRF: 0001
   Hash: SHA512
   MHF: Identity
   KDF: HKDF-SHA512
   MAC: HMAC-SHA512
   EnvelopeMode: 02
   Group: ristretto255
   Nh: 64
   Npk: 32
   Nsk: 32
   Nm: 64
   Nx: 64
   Nok: 32

C.22.2. Input Values

C.22.3. Intermediate Values

C.22.4. Output Values

C.23. OPAQUE-3DH Test Vector 23

C.23.1. Configuration

   OPRF: 0001
   Hash: SHA512
   MHF: Identity
   KDF: HKDF-SHA512
   MAC: HMAC-SHA512
   EnvelopeMode: 02
   Group: ristretto255
   Nh: 64
   Npk: 32
   Nsk: 32
   Nm: 64
   Nx: 64
   Nok: 32

C.23.2. Input Values

C.23.3. Intermediate Values

C.23.4. Output Values

C.24. OPAQUE-3DH Test Vector 24

C.24.1. Configuration

   OPRF: 0001
   Hash: SHA512
   MHF: Identity
   KDF: HKDF-SHA512
   MAC: HMAC-SHA512
   EnvelopeMode: 02
   Group: ristretto255
   Nh: 64
   Npk: 32
   Nsk: 32
   Nm: 64
   Nx: 64
   Nok: 32

C.24.2. Input Values

C.24.3. Intermediate Values

C.24.4. Output Values

C.25. OPAQUE-3DH Test Vector 25

C.25.1. Configuration

   OPRF: 0002
   Hash: SHA512
   MHF: Identity
   KDF: HKDF-SHA512
   MAC: HMAC-SHA512
   EnvelopeMode: 02
   Group: decaf448
   Nh: 64
   Npk: 56
   Nsk: 56
   Nm: 64
   Nx: 64
   Nok: 56

C.25.2. Input Values

C.25.3. Intermediate Values

04f7ef02ec751d39b4c63886759f6e0d8c6b198319eed12c3b08f549b96e6bd472041 4274bb C.25.4. Output Values Krawczyk, et al. Expires 4 November 2021 [Page 145] Internet-Draft OPAQUE May 2021 registration_request: 56eba0e757af33e634107f2da32fbe987af1d37bfec1918 a2d42ed2f6b3714bdc1dd190ed6dc6da310536bb748cad363e76ad2fb1b05f1c3 registration_response: 5261c7f2f21aaf3ba2c3897f3a44dcc2beabea6f4abb5f 10a64c401d1481e309d14c54affffb9116e903c4ec36551752fdb0206748fadd96fcb b8bbe6f857883e38783acf58dcd6de556530055a2353c4e584320e0916d28b8278212 bd6405864ae84a5cd2508f09ea1185f82c9ba518 registration_upload: aca7c206bb8f25ac19b3436b1f4c8022f03e13c7763edf9f b686b00b2c04b999f40d3f01507342017e83ef917616358cbf50d2d86063b2aa7d742 6306a4962a57d06cd6be47a7c8f795437e86a50dc71f0c9035b543ae436d13f9c67f1 ee9157ebe46d28372869439c8d0b48ab26c0692b2e7ff66fd0e29acca755b1341937e 284043a2c88bf3d69b2761077d84981a37d55501d5a514873659eb13e14fc7ef6a771 36d1eb63bda85baf00c336515630d48c4d037304d7bf38f7b95d4f5a124f475c01864 5b17448b3ae776f0c5f86bc2232a074f9dd90e7d394ec83ecbbe64da8359a745e9768 705ece4714205acb8b86597f4e8d6a0f089287adfacabc5270ff8fb62d22f6418ccfe 81d18ffbeef19 KE1: 16ecbe71c272b0b9cce77059395154ae766c95a7f10ad0e699aa0c773877225b a13e0a8ace5007c53ce3631c7e7cee782a6c44cad6832e0a7fa76459168d148209a19 f65ae653e294bcb559b1f535116594d3f19a566a92a000968656c6c6f20626f62d25b 52b3af68ebda6905d0db5d964660ec9ec81066ef7955559aa302e012006b1ce049556 666231483f56af9dcd1c27fdbafb4d954060091 KE2: d672a158bd9178546c287befff0c4789ece9a84071a98f9146ce5449b5a19c2a 7160862145916b3e56627abcde87d163964edd7727907353dae2cd69425f7a341e2a5 1f5177e565fef6c3fecd2864b2b228239b82c5aca36d0824c4440d1d7f15e0d722c07 24f97041a5b88b9f30a7263f49bc562227561b3847efbadaea5a286d7d24d112dde27 83772e7c697fa472addadbdb9d833d76053086be08e3a27df16724c7c365f0a8d0eb3 1833e7b5988a4dd14f8768eb2da6605eacb7ba01b913afc33081453945f36e74ff12b f599e1013f1e08ad4acb65845599fff72629a418a51b1f89cf96c81f44228b44bcf55 
7c42b9239e84e2ba2e425c80fe4c713a8ed5195aca8c43d3aa203271c9e7b01eff85f 2beb8a70c0b4baec22e95712ea0a03707073b91fa60b7483fd0e4b908c66c20250035 7e2491f1462af3776667129d118bca461790b2885898c178da53ad329a001103a6f2b 4ec6e0966c665fff16d88b87a83aa267c2be161d1a36a39b7b184828166f721b83ee1 5fe4753b05755e000f9fa4f4dbfdbe9b2f15c28fba6c0bdb0fad3c99de5035d0f9af0 59311aab2a69975ea5c0925db497649349bd356c7a4f41c4d0d3aebbf92aba3522e83 ebadf9bf3220de92f5ecb10ff439a35519bfb5 KE3: 9b61f2bf14953304f7a52a3e40c089aa0b9723abe6f10f8df4d1d97d0197c30b e7cde1b5d2871046d8b5d72b63dba1ebe926319b8cb256256db5b4a202fbd63e export_key: e9db9e65c49aeca60415f412f3511040e0f0debc8114d6752c0172b1c a0a5f420c61a8a46aed0fdec06757a7d1ecca05de761ec676046a0e6d192ed038715c 7b session_key: 1e296c1baac73f1df293b131f351d58fffe6fbd622e5f37ae002dc48 2829775cc721a6d3db4df8cb032fcc4e0d954f9065b0964c5ab6eea58a98b430b8b83 172 C.26. OPAQUE-3DH Test Vector 26 C.26.1. Configuration Krawczyk, et al. Expires 4 November 2021 [Page 146] Internet-Draft OPAQUE May 2021 OPRF: 0002 Hash: SHA512 MHF: Identity KDF: HKDF-SHA512 MAC: HMAC-SHA512 EnvelopeMode: 02 Group: decaf448 Nh: 64 Npk: 56 Nsk: 56 Nm: 64 Nx: 64 Nok: 56 C.26.2. Input Values Krawczyk, et al. 
Expires 4 November 2021 [Page 147] Internet-Draft OPAQUE May 2021 client_identity: 616c696365 oprf_seed: 408b58278566cf765109018e203e2e6e6a8f255698c1bdeebb14bc22e1 c2a1cde4ace22c8300adc036177c2dd26d2fda16c5f78b6de5b72898fa377be3a5bca 0 credential_identifier: 31323334 password: 436f7272656374486f72736542617474657279537461706c65 envelope_nonce: 10241f737e77bcc1ed216c9a367950a7ef43678f9ee29b309544d f34298d472c masking_nonce: b2ea57c79da7ced6dfda2dc6c6c0402cd96b329f7fcd183bf9d1d7 e5a716d42a client_private_key: 4f4b1b91c6a9c0dab6a8ad279201e00d358aed1a0ba88c458 589796b05ac19101d1119df1070dbd0911ca74b4634a51b9b1b093b74e1873c server_private_key: 6ab03a76f031abde2e7d1f987c101064757d6133445217316 02876c29cc7d2652a7329cb8513ddcebb66b178194206a61256f5e14e70d23f server_public_key: 2ef8f9560867402d20f9c34942bb26e63d2cc667851473334c 6cdf1f89ec0ea218e3ce0f73f9f1fd303f140bff958f80b7d4dd22a150a0aa client_info: 68656c6c6f20626f62 server_info: 6772656574696e677320616c696365 server_nonce: 2aa2944a2fac12229bb22b6b63389635f6102d71fbf95b4a8a6cbf7 8e6b2814d client_nonce: a7d04cb60ee0f6ea96a3dc44160f7db4b22d2652c4461577685d5f8 0450a0aea server_keyshare: 32751cb95f97035f22d498ed57a8af0d2495075aace642f15244 2da8485211d6a551142d9bc6771619ecf80ca8b4def396f706ce555e2896 client_keyshare: d87899f024ee66ed5b8718f9966f2f34dde445da12078789f1e6 208028cbc9b7ac7cff5ae937856aa01321310e1858f0e3b89492e9e49f42 server_private_keyshare: ee1fee6fc5ad0f317b2639067b1ef7796b5caa6e94d7 9390dd16061e4dc69508c2913424b3a6b84133223db6c51c01b054e8dcd2f32e6724 client_private_keyshare: 071e199a022ce8c6cb0005eb1e2fd4703582c35881f2 64ce05ec18365cea6b66423035e531a19194e5934618e546215460f66eed7d0b6f0b blind_registration: 0db98607cff12cd2badef2406e0491ecd3d6bb96a4335ee7f 0c504e5cbe48ef5daa3a2b717e4009bfc8c60f6a0ad5e73607538ee51807c3a blind_login: 24ff7adb77a75a1f02efa6633339b91ae4a42dd0b52fb5f997673263 f7f5af9ed39730c2d1a09d12123d1bee3f550acb33790d70b0123815 oprf_key: 3d1e92b4ddb6bee3cf32ba6c0b16addc525da38f13266939d8961fc3cdd 
1437673e1be929c75d3679b22a9145205d2c1719bb44a7983832e C.26.3. Intermediate Values Krawczyk, et al. Expires 4 November 2021 [Page 148] Internet-Draft OPAQUE May 2021 client_public_key: 30b7ffad2fdce2c282ec205685afe5d9e0551773c14c23ec2a f04c13af62b8df5558f6dbd310fd41bb2fb37c8377796be92aaa21bf60f357 auth_key: 3bde34bb68300e7843d79c1bfc63e5cae9fff249b00557348442d81c59b ccdf5f13db9e59da32f6b25a4fcc76dca3e90021fc1553614b71cd1982d33dd95c07b randomized_pwd: 351cad5b1f66d74e7f6beb7ef2e02234ef37775800b0ac91de427 af72ec6cf5a0c2920099005247e1cb7c77ed91cd094d3bf6a97e99201f1f1c58b2241 0623ac envelope: 10241f737e77bcc1ed216c9a367950a7ef43678f9ee29b309544df34298 d472c8e46164d8929ae397121cff467322b1dd47bdd5f714f1dc5c04ae8230a274a36 eb9574040d6baf198c5599c69c346f8e12c1fd4a2e558365d23260f6ba5c75901fc9f 34c675288fc52648f964c4270c7936a0bed5e36df70184c187af486f5f2a3c0ebea06 38dc5dc2a7567cda68ee2654f7691c03ce3011 handshake_secret: 727af8282b3f529691b3914a6735286c1abd31415a1276abfbd 734e77a6bf6aceae95c4661b6cc0f1bf7c918e841154ff7ea7153e4f47639b8e581c2 4ec02c65 handshake_encrypt_key: 9891ad2af01d57842cfc10f959d1e1a3592f1b86529f44 1411c8fc9451e90e6b379085645e6a01f93f63106b116e10788c244f57c28a0f75b09 4d4c34e80cd16 server_mac_key: 6c3c56402e8ab595f1c72bb2c01813205f302c6b557773c7a233f 1c7c02dd7257fefcbc0feff679df81c11ec0c63b866b20cddd0beaef7a8ea627d5725 16f036 client_mac_key: c4e85273ca8aa64e109b4cb05089c16bcab3d9b11ef1225464e2a 5585f7d60911675649025b3a54292ae64b00c0407ee5cbc9c2bca3a642f87ac6cdc16 feceb2 C.26.4. Output Values Krawczyk, et al. 
Expires 4 November 2021 [Page 149] Internet-Draft OPAQUE May 2021 registration_request: d287a62ca4d452ff3b5e2d800121dbb5785bb383db9bdb0 c541f8e643443dfe2ddb1162b8b7c758893fde1131a84ae57935e7b60b14058c1 registration_response: 6cd7ab8b0bdc800c66c217d22ef729c08465e5df1a6b5c c01c0cfe5d9d7b4adc6e40dc1013b8b8f8094b386530e673a179735e0cedee0d1e2ef 8f9560867402d20f9c34942bb26e63d2cc667851473334c6cdf1f89ec0ea218e3ce0f 73f9f1fd303f140bff958f80b7d4dd22a150a0aa registration_upload: 30b7ffad2fdce2c282ec205685afe5d9e0551773c14c23ec 2af04c13af62b8df5558f6dbd310fd41bb2fb37c8377796be92aaa21bf60f357c1549 7051bcca080dd4a5566430fa8850bac4abf66fc2df50c6dba2f29c9ad9bc3616ff533 a202e553070f3f4dd45e53931ed02c151cecbbdcfbf66277acd1a710241f737e77bcc 1ed216c9a367950a7ef43678f9ee29b309544df34298d472c8e46164d8929ae397121 cff467322b1dd47bdd5f714f1dc5c04ae8230a274a36eb9574040d6baf198c5599c69 c346f8e12c1fd4a2e558365d23260f6ba5c75901fc9f34c675288fc52648f964c4270 c7936a0bed5e36df70184c187af486f5f2a3c0ebea0638dc5dc2a7567cda68ee2654f 7691c03ce3011 KE1: e4420dd6be305be0776f14c1140f0b36ca304c007827a8c5b4910c5432dd4caa 6214b4077d4a99e6d6dd7f756bb3531bd010eec2253afd1ba7d04cb60ee0f6ea96a3d c44160f7db4b22d2652c4461577685d5f80450a0aea000968656c6c6f20626f62d878 99f024ee66ed5b8718f9966f2f34dde445da12078789f1e6208028cbc9b7ac7cff5ae 937856aa01321310e1858f0e3b89492e9e49f42 KE2: 564606d70bd3fa461bee6e06ae9412f4c49b505ed6559cbc9d17c02072931636 2975c2e2fd560f68032c93ac7ea5357c892b32ea0dcc6050b2ea57c79da7ced6dfda2 dc6c6c0402cd96b329f7fcd183bf9d1d7e5a716d42a81d354f006c5e4d63eb73de41d 39abf0c44b9891362030c679bdca90e2f2467681509c612d390a5fa831e9db97b9226 b6f0468c142c3ea47d0e86da34855965e257d610666aaf29cefabd4f0067c624abc3b 9990c6bf06c874579f9dd0717c1c52cafa52b108a301a7f1e727e252d1a6295eb3635 feab6b65374441f28dd2ee501b0fed3ea88ec7dbed28ba544fc94977b5f1754f7ed92 7409f3e0e0f44a9f40ace2e37e4865d3ae9085befadbb8a30d0ee3307d90328776b26 c3c95861fd5d9c961820f84617d430d04f5e9f94e27082aa2944a2fac12229bb22b6b 
63389635f6102d71fbf95b4a8a6cbf78e6b2814d32751cb95f97035f22d498ed57a8a f0d2495075aace642f152442da8485211d6a551142d9bc6771619ecf80ca8b4def396 f706ce555e2896000f96681a27592a697a734b1a00b338429d06d94788d9f450de709 1a4f3c7f3bee1f0bb8e62aa8cb2d34a1ec009da7e61ba8de473c06b33e09e16565fa7 2be1f642bef88dfabca88b21b095f165eb6c01 KE3: 3a978eb658c077997e8544b1cf52dfaf2b152956db661139afbc34e05fe8cc15 be7f1dd6544789e3452275f40de05653f98e86122f74253e22c7768de653a3ee export_key: 12d1b25d6990128ffdc8cbf21832b96d55bc64be7ab2cc967d0c04814 835d23e4b183319d369cd3955f992126fb3b8d130a2f65cf2ac9ca0750f0acac1031f e8 session_key: f5ca4e7189e76679957f386672f82aac0cd8972402817600ef2d578d 79c38156a80f9e7443c63439c3674242b54b28e829780f729463e20dc6fe9f21d423d 53c C.27. OPAQUE-3DH Test Vector 27 C.27.1. Configuration Krawczyk, et al. Expires 4 November 2021 [Page 150] Internet-Draft OPAQUE May 2021 OPRF: 0002 Hash: SHA512 MHF: Identity KDF: HKDF-SHA512 MAC: HMAC-SHA512 EnvelopeMode: 02 Group: decaf448 Nh: 64 Npk: 56 Nsk: 56 Nm: 64 Nx: 64 Nok: 56 C.27.2. Input Values Krawczyk, et al. 
Expires 4 November 2021 [Page 151] Internet-Draft OPAQUE May 2021 server_identity: 626f62 oprf_seed: 256d4027516b703d2dfa1ded7a8c46870c7236091776781e8927dee64b 6675a65292295706a43c1848e82eb6825692b2528bc7ca6dbed9e7c29c02dcc2ada74 3 credential_identifier: 31323334 password: 436f7272656374486f72736542617474657279537461706c65 envelope_nonce: ce9053d023afa73f0b28c64e4322207a28921ec1ae96b9ee0bad8 f87187a0ad4 masking_nonce: eec732470af6e228628f3ae80e3e90c64c51f83a41cc42d2f2c73c 7f81a9131b client_private_key: 80b8326dd0c2b506b88b0b4025c0db89bb624a8b94861078d 88f88515adfc5374ba9326bc531c7ec458fa14a482339ce7854b1c044ba083b server_private_key: 5315b843996e1c8dab628f7848b29fd8d4368a414eaaa9110 da1cc53752548548f132674a235f9ee105780d4ece5e1a760c147f744bb450d server_public_key: bcd8a3897346eb85679f52067ff50f69dfb9fc0ae776fcac93 c99e1e9dc14db5c9c26b09e1980f7f5b45774012be6234ac5a8953ff69ef28 client_info: 68656c6c6f20626f62 server_info: 6772656574696e677320616c696365 server_nonce: 075e1b74c7eeb1dffa6ba8f304340956b3aa3bf6d2a43e5ebd616b5 9cd439d6b client_nonce: cec96d9c640c98d9aca9792007035c7e9daf29343ea0b9ebb7d73e8 f210b2584 server_keyshare: 3ab8469c97f3394c729de0b4f980ac06ea6a90dd077f924aac42 10ce65521a90aa1ed82f46ad5cd948d1d96a179409a020f8a01cc86cb7b2 client_keyshare: 6e0974f24da70adf24d24b5e267c80f6335a5cba9442a5658cdb 76b3a2bc569d39ec6fedc1a162f4e6c6a460b0978684aa5f30b3304cf04c server_private_keyshare: 3aa67989ec3df11a5dc574b914e150f5abd7cccc551c 0aa34e6667a1636de9926e6bc4a4bdc21ba549ae8b93b848051abd4dd80242f57d1d client_private_keyshare: 03d97c90df43947879a326b5b22372e3cb561aaee6d5 8bab4f4a884a8f62a58ab60476b6d0c460e7dd6726866ff416874521249aaaaaa70e blind_registration: 5a58b6378e03f24937ae6ebb685ba39f43d99b2f6fdbe00a8 c754c0d6d7ed824d2b5c8afca5b1cdbf7c3248fd9f16400508eecb6b7894a12 blind_login: dfbc42d70013abe2cb8ebcf6de5b275aa83525d606424339cb500346 6051f19cedbf00b0f680b7435bb165c340da077f8acc37c0a2594119 oprf_key: 96ef1f565460533723a129c4fd59e70192471cb1591f5a18a06954b9236 
ff89543ebe7582493cf9fd7254eeacc5cfacba0a10c00660d252a C.27.3. Intermediate Values Krawczyk, et al. Expires 4 November 2021 [Page 152] Internet-Draft OPAQUE May 2021 client_public_key: 06b7fb8ec9beee7a168a7a820bd710d1b72d05a433fcf53e5f 4ee0a2a5c3a1d48d16121594b272656efcc614aff77386030ae72e47d948ef auth_key: de033180dde10c04d68198d94217bdc178ec07adac74e5a7a1a33a808c8 44f5e13136ee12e46cfc76ddb739b75189f485b202b05ff921ae170230fe226447986 randomized_pwd: 03d2fcd5b13cf0d6877bcad567de4e6036a1a51ac7006c2a496ce 538985100c8a190a240d59e69a0582918b578f51fab18c19842d796aa4668e1a6bc66 ea4e9c envelope: ce9053d023afa73f0b28c64e4322207a28921ec1ae96b9ee0bad8f87187 a0ad47da721931582ed0eef7eca8b1eae0ce21244afcb7c2d324849df09e314cae97c d449a9c67d2c8266c4083d004e7d572a481bb10dd9614b0d95c56ea5b687882b18135 8565c5f27dbd0d1bfc27b1d34d6a529ef9c16e58e947610ceb09471b768b1542eeb85 78aaa37e9b93e2c37ec21e531088a36297fcaa handshake_secret: 66f51cefa898ae9486ccdf092f5ad47eaadfd6db2f76e3adfab 9407ea37b44448b7036f0b1b1e268fa823b8244b7780e3be115e004e9d931c9c0d033 67d9abf5 handshake_encrypt_key: 4c54e8d80bfb35bd90c365aa360bdfc985b56f1e8bdb84 a61df27b1470f7a5b5e887da6c151c9e8cef1064be46444aafc6f799ad53ae726f30d 619620067eae4 server_mac_key: 18d7bc4872a86d2ea01caf299fb7e5d9c4e587ad374d57debf119 85f0914c4730776e6894522c5df770a2267faafd7442388b4784dfee5b9c2a9ecfc78 c3d08b client_mac_key: e9a6bfdcbc5943bfe9d7cf0642e103c096eaaed1f6c4216cd0a6c e3f47a32b0b98cd02dd9ad589b2cf2bb2d3febc0ae66501ba6ceded570efa769b0e03 1c38a1 C.27.4. Output Values Krawczyk, et al. 
Expires 4 November 2021 [Page 153] Internet-Draft OPAQUE May 2021 registration_request: cc1b854bfac5f36d7f09d18975d26bd031490a8810722e5 e84d13320bc6cc1ad88f2faefeeb84ac706985e2784da104dcfa376ea200241d6 registration_response: e04b3c954f1d6d709a83bff990215ec498fb9c7935bcc1 d340e7ac899ecbde26fd98cac559fa0183baed54d1185e32132b68c672d80ab6dbbcd 8a3897346eb85679f52067ff50f69dfb9fc0ae776fcac93c99e1e9dc14db5c9c26b09 e1980f7f5b45774012be6234ac5a8953ff69ef28 registration_upload: 06b7fb8ec9beee7a168a7a820bd710d1b72d05a433fcf53e 5f4ee0a2a5c3a1d48d16121594b272656efcc614aff77386030ae72e47d948ef3ca0f 22b76379fccff1ed10ba860afee6db14441177b8ccf0d1f08e4bfd7e691704f8e973b 3c0c56479677dfb7004325e75ace6b7f0699baf642947a4aec1fb0ce9053d023afa73 f0b28c64e4322207a28921ec1ae96b9ee0bad8f87187a0ad47da721931582ed0eef7e ca8b1eae0ce21244afcb7c2d324849df09e314cae97cd449a9c67d2c8266c4083d004 e7d572a481bb10dd9614b0d95c56ea5b687882b181358565c5f27dbd0d1bfc27b1d34 d6a529ef9c16e58e947610ceb09471b768b1542eeb8578aaa37e9b93e2c37ec21e531 088a36297fcaa KE1: 8447080996dd1f729709b137aa45b6a6e68651f7f5794ec80d7aabca6f171226 e8c5ac7aadfe6b9ace4bc355d7b891907d50282031c15d9fcec96d9c640c98d9aca97 92007035c7e9daf29343ea0b9ebb7d73e8f210b2584000968656c6c6f20626f626e09 74f24da70adf24d24b5e267c80f6335a5cba9442a5658cdb76b3a2bc569d39ec6fedc 1a162f4e6c6a460b0978684aa5f30b3304cf04c KE2: 7a4ca243be6375b2f474a8d1a15bf6811ce899e22562942c3501f6bebcdbdfac 4654b2ea096da25687958252fea11562d31ce1983ba50e8beec732470af6e228628f3 ae80e3e90c64c51f83a41cc42d2f2c73c7f81a9131b6072d400f79d38df5ee84c74e4 a6261049d4d9683edb7c5899a62d61060369ced1858f37a662981a6052c886e6aada7 6110b5a65d19aaf793c4428e096e31ab7f1dc89985e0a375fac698c9a6f1252618426 1fbaf37fb056f1448ae1c7aa751184bd2f0b8a0e784cdd93890ab06c6efda58ee8646 85d61af752c6cb42d738c03b7c9a27388a40dd9d6fe5b287d05c1e35a05593ff7bb10 b2b730d692e3e47974a5a5f001c31fb7e22a3b4e4ac3606e8a4c9542bce8738baeb4b bc69c2e8c4cc41ee4f34325fd053ab5140775fe6793ed075e1b74c7eeb1dffa6ba8f3 
04340956b3aa3bf6d2a43e5ebd616b59cd439d6b3ab8469c97f3394c729de0b4f980a c06ea6a90dd077f924aac4210ce65521a90aa1ed82f46ad5cd948d1d96a179409a020 f8a01cc86cb7b2000f450aed233507678afed7293a894422dde5c7174b91cbc297d89 85315579b3cef14b155bb28e313ce6e2f07f6e5318096c98a0a9dd7ab9ce747c09381 4a2f9181d3d28ffd4c1bd814266024c25b7709 KE3: cbd323005e96f5a89734c1ef409359e117c8acf3a1d7e6c136ddc423d40998e0 ad7307913d2b83bca249c91c6da75a72572a96f669153ca57f4b5562d3bb5b7c export_key: 93270b252a4b1e08488be7e3ae9594e0b8fe9192a540c73402b16233d 01ed59867ce4c3e8d579966c2c2c20a7d64939aac3b63ccaf71de487262d129d5f674 0b session_key: 0435267dec4eaeefaf46b4524b7ace609d26f803bf22a35d2e3d9788 4af225c41ced72f826cf1c7e9ead18f9e21553d28b54653381354d6a64d3d36f8e254 ccc C.28. OPAQUE-3DH Test Vector 28 C.28.1. Configuration Krawczyk, et al. Expires 4 November 2021 [Page 154] Internet-Draft OPAQUE May 2021 OPRF: 0002 Hash: SHA512 MHF: Identity KDF: HKDF-SHA512 MAC: HMAC-SHA512 EnvelopeMode: 02 Group: decaf448 Nh: 64 Npk: 56 Nsk: 56 Nm: 64 Nx: 64 Nok: 56 C.28.2. Input Values Krawczyk, et al. 
Expires 4 November 2021 [Page 155] Internet-Draft OPAQUE May 2021 client_identity: 616c696365 server_identity: 626f62 oprf_seed: b4d286e6e3f6225fa137f4686d0f34ad52eae2a96fc35e8cb1f6da569c 5d8a87b2e25e3347b5b0baa692d9f4e08e40f423a524638dfd264856245e1154f07cc 4 credential_identifier: 31323334 password: 436f7272656374486f72736542617474657279537461706c65 envelope_nonce: a186e2babdfdca646623f073cec9d6d1e8d64e66b99cc4fd14ff9 3fa41654317 masking_nonce: 67fa0025edb3233e4ad7c3c620d5941addcbdef0b8203effafd77e 0006dcb38e client_private_key: 771370125ea54cd3f86666bcf4155379dc1e0d5e6a8fbaa4c 0e0a570b44a311701b936a442f340c21a65638fe11c0e7b3bd1c3528e632d19 server_private_key: 7d455931c4f4efa18d5731a27e8ddbe8eac8be6eae6175f91 137a8cffccfcd6cb52345e2bf2ad8995f69ba5a19ffa1afe3cba5f538b0e629 server_public_key: 9cc2b31fb6677ce38ad340c70ad2a48fb8a11dfff6537994a8 e42262e63634ec59d0431f3878051eca9888bb45c17a68359bb55071e6f6e7 client_info: 68656c6c6f20626f62 server_info: 6772656574696e677320616c696365 server_nonce: 9c759396ff32036ca0f46e4f94dfb1420e0a372e533fc26ebf06954 e502ec0ef client_nonce: 5850a05d1746b701f3ae10f0f992c2bee512b396f4d1f4ac4a071f5 4dcc150a9 server_keyshare: b886b2c735272aa37e700b602edcdfcf53f73ae463d94139dfd0 e173feda40f8ec315c59dabf8b7db0a77cf9c3e5b3528688b01849fd3523 client_keyshare: b8de36842175636d346164767aa834a4bd1a0abe805678ced434 06c4a09ce40145f03cd1d620d6b3932243017098851f7003f34a849e6c46 server_private_keyshare: 3ed756eed880d3de7c18dccba6b3cf4e50a1e6b4afdf c46bc0aba90513085e532370a16b0e93d9805376f144775a662ef08423826eb76436 client_private_keyshare: 567e1a4dd379827702cbf43273917f368325b5ff3e29 353d5c0f1fab7fc092bcb7dfa7aa7596b1d670da83d996a9990af5ba44b0d7b5f630 blind_registration: 1b121a9a0c3105a83ea792da07521422552c83edaf183ee32 959f966fa8956b647b7c5d00ae7e1b60633bfccd44243649644143e6177763d blind_login: b38d2f5fc9a95095a10bc711cf190e7749518aff1f7207b6ba2daef2 162a03cfcae4ba482b466a135440f1a813185f7dc14e970097e66335 oprf_key: 
47d4e7986915d99639c87166202023361ed0079370a237be49af7387ba0 1130addbdff507ad0d46c644d9976b1007bec3358083db036c33f C.28.3. Intermediate Values Krawczyk, et al. Expires 4 November 2021 [Page 156] Internet-Draft OPAQUE May 2021 client_public_key: 7a9df676f00d588a90e562ab1ddb58fc1a860a3e6b6abcf0c4 0dd4f64a94c634a1dd46ab02d02ca293f601406d881538bcc122cc61844549 auth_key: 3ea9ebf52a60b3a129e79263dc9be81a8dde6edfeed0307b76910284dbe 9ece059e5d9bda8bf13c101ae8d6c003039559943dcdfb5b5d18f1f5c195aca519b00 randomized_pwd: a5313a9b69388094685dd8b977a37ce88f3940b3d5fbacefd8c8f fc7bf5a57f3198a6f71b7d77d731dd2c265d020d256e0684962e0a1a9ba7485abb953 bbd2f8 envelope: a186e2babdfdca646623f073cec9d6d1e8d64e66b99cc4fd14ff93fa416 5431744575c4f68efbc2d4610872a498baee8d8f8165c20090e1d7d28e79775605792 4c93a6a1edfcd504f5da77bb58fdbd63f1e84e2e6a1b4f5ca9ff55bf33fa5fe11ba66 5f8f0479f788dbb47ec236c7731913a7958d554cd9f8a955350c627ffb5c21a9a9c07 375b0fcb20cc120e7fd02e092692470fa8dab4 handshake_secret: 969906025c4b246bc804d1ee495cda9907da66c708ba1b03298 a4f1d58ce8da905bba4d75e512d4dbd104d58a915207439ba8e4960dba1eed409fe5c 0e734b6f handshake_encrypt_key: ea333818b24fe6d6b0f136bef8981db80f2d6bc679223f b986de8bdd4573a8e1aa0d2af9a9de01eeb4022cc11e6e13ded4d78609c007b092445 8ed30b216b5cf server_mac_key: 7f159bf11622720b3c0af3a831828ab43bd27be6ca2459536bb29 2a014bd69f5cea21ac64995976acb96e7d4f66943fb33082da10a426e3c2a01b0cab1 870455 client_mac_key: 67773fecc9c4984aade4d537d1a645268cf5236afd82c9bc0bf0f b384cb03a69cd350f926aef4e10b00c649ca01c30b42c31bc6eac8fe30fe8568fac63 341bd7 C.28.4. Output Values Krawczyk, et al. 
Expires 4 November 2021 [Page 157] Internet-Draft OPAQUE May 2021 registration_request: 88c032a418dfb1e1cd1a3324ba5992452f93c66edbec9c3 65e92c1ea793cf76c05ae910ae194ca9c51e885d3c2bcba7d76989d0d824ace6e registration_response: ce808e991bdac9a449cf4357ed54879d5b7d0d3df64e04 8a1ffe074dbaf6365c8cf096923240bf9df5889749603ad0acc18c111d5666e8319cc 2b31fb6677ce38ad340c70ad2a48fb8a11dfff6537994a8e42262e63634ec59d0431f 3878051eca9888bb45c17a68359bb55071e6f6e7 registration_upload: 7a9df676f00d588a90e562ab1ddb58fc1a860a3e6b6abcf0 c40dd4f64a94c634a1dd46ab02d02ca293f601406d881538bcc122cc6184454953d62 aef94f33c58f8f1bf792fa721c30cd74a8936609f0a5f096709d86dc155701a724133 c17b61b968503f7166e4920a5eeb40e11288ff8a247951ee149806a186e2babdfdca6 46623f073cec9d6d1e8d64e66b99cc4fd14ff93fa4165431744575c4f68efbc2d4610 872a498baee8d8f8165c20090e1d7d28e797756057924c93a6a1edfcd504f5da77bb5 8fdbd63f1e84e2e6a1b4f5ca9ff55bf33fa5fe11ba665f8f0479f788dbb47ec236c77 31913a7958d554cd9f8a955350c627ffb5c21a9a9c07375b0fcb20cc120e7fd02e092 692470fa8dab4 KE1: b4f7627e7bdcfa7d9112301dd0081a3f51cf7e8853eb48a16c9078aeb0dd99b1 6e691ec45b6dacb2dc05b62f0e09c124c94b1b5390a68abf5850a05d1746b701f3ae1 0f0f992c2bee512b396f4d1f4ac4a071f54dcc150a9000968656c6c6f20626f62b8de 36842175636d346164767aa834a4bd1a0abe805678ced43406c4a09ce40145f03cd1d 620d6b3932243017098851f7003f34a849e6c46 KE2: 2edc7ca204555431a8ac43aba0d4edf5894595ed38786df7b685c426d95d4bb0 0bc9d867c48723b75f9cbb23e31274b549f5ebea8448a21267fa0025edb3233e4ad7c 3c620d5941addcbdef0b8203effafd77e0006dcb38e76498ed9375714df930d7715d7 5b27cede703f9e07e18a1ae08f35ace7e0f530e2cb38e8501d8ef37320ec646b3769d 6ba622d5252e8a08f6da52c8ef0e27766bd0041f46412b8704fcbbe0c1f84fe1fcbb7 81a463887d181b548f53c5adccc1bf3c249846facc22d3fc855725c49d2f103daa17f 21b092885ec78580792fd8ffb545cb26bcea0987853c19a04aa43d511a1dea0e588ac 2999f1d7fcdb513b7ca39c65ea5561555ba9605c987b8fd82ea83df14d09a0000aff0 61112ef8a360a4918d1df4a3da734967cee64b8302ced9c759396ff32036ca0f46e4f 
94dfb1420e0a372e533fc26ebf06954e502ec0efb886b2c735272aa37e700b602edcd fcf53f73ae463d94139dfd0e173feda40f8ec315c59dabf8b7db0a77cf9c3e5b35286 88b01849fd3523000ff6c5c1545b52e898a91178d9689a6ee6fc59bd10034889a8f47 ceee0b3cf2c04687446e48df78ddeef3e85ff812ee522e60849a1764c39d3dd7bc274 0f7b0c476e8c60532e5df9c6628b65f4e42116 KE3: ec135e1c78f31bcacbf8ebb446bc9959be5f0133e5d5d19822c3d77d58ed226c a074503dd96e6b0a7bbff00914a599bf10e726c7972c8c37ee03c131120a1f74 export_key: d5623f7b35d664df8435cbd73a6d651bb96109fac75b673a7bff53728 13e41bf91d430cb0215ffcc72fbe47027632465094cfebe01e4a8a6ab424689540c0d 57 session_key: 990b91912884bd34b13093596066df5f371b13088e3349f99e4b6a77 9313bc9319c658b8f923abcd3650ae7b048f783847706377d68e54bf784c1c9aa885c 35c C.29. OPAQUE-3DH Test Vector 29 C.29.1. Configuration Krawczyk, et al. Expires 4 November 2021 [Page 158] Internet-Draft OPAQUE May 2021 OPRF: 0003 Hash: SHA256 MHF: Identity KDF: HKDF-SHA256 MAC: HMAC-SHA256 EnvelopeMode: 02 Group: P256_XMD:SHA-256_SSWU_RO_ Nh: 32 Npk: 33 Nsk: 32 Nm: 32 Nx: 32 Nok: 32 C.29.2. Input Values Krawczyk, et al. 
Expires 4 November 2021 [Page 159] Internet-Draft OPAQUE May 2021 oprf_seed: ca3dcc6f809ebbdec499a453e64168cc772eec040ce22cba6286e0bda6 edd27a credential_identifier: 31323334 password: 436f7272656374486f72736542617474657279537461706c65 envelope_nonce: 817da7eb95c282c39e6716521f9f2dcf1908cb3cb60082e99d1e2 65009d9275f masking_nonce: 1b9fdbc44c3491e52d5abab23fba7a97c6589898152f0babee3e36 d2e415a671 client_private_key: 5b1a8d0d1f59318d1a325244e784530a56f15f95cd7594b41 1ea8f7ac77652db server_private_key: 40e02b1164d21f51b8022acbceb26069ac5ad37af70212b20 1e18725cb41a5e7 server_public_key: 02c136a2fc727c674b2e49783d5a79bee0c6ff8ccee9190d1b f7dafca0807eb046 client_info: 68656c6c6f20626f62 server_info: 6772656574696e677320616c696365 server_nonce: 6520475f364bcda5edc971af216bfd1c3cbff6f22077018a212a518 9254ac886 client_nonce: a543212613ca62b7c9e35677951e46fda946f782d75122ca19b2db0 ea23cc35b server_keyshare: 02c5583ec9a10dfa32344fe8000007904dacd5e6be9eef27b0f9 4b50605b017126 client_keyshare: 02496d129c40fe6d255d57f6d92af5c0cf0ba277e8a0e7b67a61 df2dccd9b02c5f server_private_keyshare: b1d0433877efe00464be6b896d06f05ca36e9fd8d6e0 2ff17435e6a4f4bbecd5 client_private_keyshare: ddd367c02e495b689d91a556eba0702d16e92e891a87 04d094e67d684ab53321 blind_registration: 6418ab119b59a01aa2a2d0fc7658c372a2ca039410fb968eb ed2ba1d2991d9dc blind_login: 74b8f4b1411f14fe35c4f40e826c546bd9cabd9e4ef380108359988d 4ec5165a oprf_key: 275c9ec4ecf98cc541bdd9572d43f316d1d799bc11c281f377d56030060 fcf62 C.29.3. Intermediate Values Krawczyk, et al. 
Expires 4 November 2021 [Page 160] Internet-Draft OPAQUE May 2021 client_public_key: 02ea5098f6b7283d5481f1500a7b589214499b26484c4430b5 2d36b1ccc475cc8d auth_key: c64828f188bb72f48c655a7f9d428d524baf80ea24bdce20a1f43a64bba a692c randomized_pwd: ae2e16dff4c105ef4319edd0b8d89fd0cd8666895843b530712fc 958b9b649be envelope: 817da7eb95c282c39e6716521f9f2dcf1908cb3cb60082e99d1e265009d 9275f38c11ca420422ac49aa2815d5ed221280430ad4e972171a614bdd899a3e4831d 428bba482f9d7d78a07fba0d271432b7971acd4cc8a0d898c4cc4b07044e4c6f handshake_secret: c59958e430578214b37c9ee29de08f682c676d00115e36108e8 c8f7c376f56b8 handshake_encrypt_key: 8b4722b266a742dd6627f2bb9777c0192b7ba18c1bf701 dcc6b2d7003aeaee0f server_mac_key: 3e440be6032e1d22644678c2215c3cebe6e574733ce1a74b1582d f4cdab62a83 client_mac_key: ec3b8660322fffd7bda47211aae564e24602f7c3936e609cc42bc dceb1ac2fb6 C.29.4. Output Values registration_request: 039ae9435af572249db38975b192f1beeac30ed093c4d9f 40bb5236d3521035ab9 registration_response: 03c9cd90478b17e18e1098c8ebbc9642a7b1c576241476 563108391e39b1ba982202c136a2fc727c674b2e49783d5a79bee0c6ff8ccee9190d1 bf7dafca0807eb046 registration_upload: 02ea5098f6b7283d5481f1500a7b589214499b26484c4430 b52d36b1ccc475cc8d7993e8446626bb099af7800aaf9dc9cd6d0e92982bed8633365 c36d78b2e8963817da7eb95c282c39e6716521f9f2dcf1908cb3cb60082e99d1e2650 09d9275f38c11ca420422ac49aa2815d5ed221280430ad4e972171a614bdd899a3e48 31d428bba482f9d7d78a07fba0d271432b7971acd4cc8a0d898c4cc4b07044e4c6f KE1: 03f86d270a693da19f82b655d8ffe6a26ac2b79ef779de92012d7fad3e15a7d1 5da543212613ca62b7c9e35677951e46fda946f782d75122ca19b2db0ea23cc35b000 968656c6c6f20626f6202496d129c40fe6d255d57f6d92af5c0cf0ba277e8a0e7b67a 61df2dccd9b02c5f KE2: 0311fb6fdb33bfeda7c01479d378ac90e2362efd1c8d69406be3243c65fbf3c6 e01b9fdbc44c3491e52d5abab23fba7a97c6589898152f0babee3e36d2e415a671804 99afbb55a152d5e8deeb5f19bf5106849ea4eebe5783b45613755e6d4eba236f4e847 6b6387a219e5a7642b7b7b93cc806898098fec251c8a4fec922edc5770b18da58f9cb 
e4882389d47cea2165674122d5d1f77f2a9b5fd4bfea427832985e23a269c402960b0 5dcdbbd970ccc0e488ca59f12c5d71aaa4d4b719a931d4c76520475f364bcda5edc97 1af216bfd1c3cbff6f22077018a212a5189254ac88602c5583ec9a10dfa32344fe800 0007904dacd5e6be9eef27b0f94b50605b017126000f478605d9f8e07d5fa988c5373 7c9fcab0085b6d9e84ba237caf3370257cca26175d7cefa2e18f0186a9aa3460a1b6f KE3: 6c39dc33096cda62c23c60d6e03c29ffda2062400299a2f2a52c7df4c5deba68 export_key: dac545de97f7d8a27dc9062bf42b3b6c02c3cd7a7fdb08251736c5aeb 59a1a36 session_key: b59169165e64e5c00474dcb2b3aea2922a4fe06aa6418fb020309037 5e48bea5 Krawczyk, et al. Expires 4 November 2021 [Page 161] Internet-Draft OPAQUE May 2021 C.30. OPAQUE-3DH Test Vector 30 C.30.1. Configuration OPRF: 0003 Hash: SHA256 MHF: Identity KDF: HKDF-SHA256 MAC: HMAC-SHA256 EnvelopeMode: 02 Group: P256_XMD:SHA-256_SSWU_RO_ Nh: 32 Npk: 33 Nsk: 32 Nm: 32 Nx: 32 Nok: 32 C.30.2. Input Values Krawczyk, et al. Expires 4 November 2021 [Page 162] Internet-Draft OPAQUE May 2021 client_identity: 616c696365 oprf_seed: dca8ac4c4c4d080a4b441cbde52ac9159398f983e91c0ff1ead4922f81 3665c1 credential_identifier: 31323334 password: 436f7272656374486f72736542617474657279537461706c65 envelope_nonce: be560b984659185632de94b35bf6f59ffda8f0601c72f1e4e5e41 d22ec81ff60 masking_nonce: c8c9df3983aa76316a8a491436e41036a00244ce40b29c7035f8f9 aeaead3f2a client_private_key: 03be3245a3830887fbce88f3eccc26f1639b91aa8f043ae61 75d146de19bef1d server_private_key: 6a62ab611cc2ea77a7fcb3565850ac22c6d3a18b19541fce8 3b070cfa802882c server_public_key: 02e1249c0906886b33b0ae59c981001448f2541fb718a158c4 b4f37d391e813fed client_info: 68656c6c6f20626f62 server_info: 6772656574696e677320616c696365 server_nonce: 862a717c0bb5285de381a7d49ba23557dcdf2f408f7b75f032c4226 1d555a077 client_nonce: f0c231edf5b97f8c6886c26a5f60147c7fcdac76fc29f6562eebc97 af4d5d45a server_keyshare: 02178e9554d669786c2e9349f1e178eb84961a7f8073d9ecbc5c f52bc2fef7791f client_keyshare: 026ec987d3b7ea3ef8cfdca092b9d6994d134e933a5fb7892953 
35d5f6956399b6 server_private_keyshare: 9269aa286624945b3ff399dafe30f3edd53adf2184d6 8c94007a2ad0ba0472d5 client_private_keyshare: b93132abc198000cabf47020290b885f6bdef29aea8a 6169bf50dca978827f64 blind_registration: b93db502618c7ed6facd1b2d033bf401d74b2c8b13b2da213 802025522072622 blind_login: d30953abfe724ce286487ba13f12ffa86adb64f66c99f58a465d8cd3 16a5d496 oprf_key: 8f811da0d5810756052762d6061215c3e13e8abe75f2dba291e830d9dcf a2cd6 C.30.3. Intermediate Values Krawczyk, et al. Expires 4 November 2021 [Page 163] Internet-Draft OPAQUE May 2021 client_public_key: 028ed3215a26f2763d4f9211ab13c415ba0e228fea364a264e 65baa2434709f808 auth_key: 2a21ddfc9f9ef354ede473b1841c61b56091faeb0d56867ede7d40fa9a7 ffbb5 randomized_pwd: bf91e6be126cc5d5386accf3ee28be9faacac99a7c715e3d01cc2 6978fd4039e envelope: be560b984659185632de94b35bf6f59ffda8f0601c72f1e4e5e41d22ec8 1ff60f9c21a88bb8070c7a4870bfd36773b64a6e77162c60873e2304cdc6ba8286a47 14ebcaef275654e13d38a167a91d7cf89a037b20d5c18235b9f3faad55a4f6b5 handshake_secret: 5e940bebc34e2fe2ab3e4fcac683c594f3691cea77f1aa02522 d476507136535 handshake_encrypt_key: 9b0c4f4fb660f6dd8ad268278673fced3f8452f25b9201 79824aef0166b5b6ae server_mac_key: e380b3517496df4fc34cecf13282cbc8cb673aa8b8d9f8d77a010 742146e6fe5 client_mac_key: f36ef042a728b8564553293cc778c42b34525e07578cfdecceaea e2af71e821b C.30.4. 
Output Values registration_request: 037a055d502f2a882c021fda1ec2fe8e5d8cd0d2a913e5a 03b1e27e0fd06308275 registration_response: 03c37a7ddb6f23c6af97247bba7bebc62a71ad1bf1e2cf 6fad1bd816732070c4c702e1249c0906886b33b0ae59c981001448f2541fb718a158c 4b4f37d391e813fed registration_upload: 028ed3215a26f2763d4f9211ab13c415ba0e228fea364a26 4e65baa2434709f80811b7eb6d15140bacbb18c954bfa176f9819e105802ed2eb3441 ef6484a935df8be560b984659185632de94b35bf6f59ffda8f0601c72f1e4e5e41d22 ec81ff60f9c21a88bb8070c7a4870bfd36773b64a6e77162c60873e2304cdc6ba8286 a4714ebcaef275654e13d38a167a91d7cf89a037b20d5c18235b9f3faad55a4f6b5 KE1: 02e532d2687a979f0a75112437e1f4c6d5411c555b2330a8d6c45c7c7c657aeb b9f0c231edf5b97f8c6886c26a5f60147c7fcdac76fc29f6562eebc97af4d5d45a000 968656c6c6f20626f62026ec987d3b7ea3ef8cfdca092b9d6994d134e933a5fb78929 5335d5f6956399b6 KE2: 03895f049933a11baec47a6240ef25d45a150be742c46a1fafcecb1d286aec5a 0dc8c9df3983aa76316a8a491436e41036a00244ce40b29c7035f8f9aeaead3f2a77c 2f90b224115f60a13f2d5a71ae1b4ea6add852c818bb94a02f4a7417632c5cd0f0c41 e87601e077898b5e2b25c6d2336d9f2b58384a225b8993dea499d5c8156d14011d6cf f78c26f103d8b8dbabbc7b587e702b358d5a20c30ce127925e9b08e7b4d3acc9a1c13 d8fe07bb3619a0be799307c6b463bb6b2a764f5db62e59ba862a717c0bb5285de381a 7d49ba23557dcdf2f408f7b75f032c42261d555a07702178e9554d669786c2e9349f1 e178eb84961a7f8073d9ecbc5cf52bc2fef7791f000fa8ef70781cd05b0711e77278c 87e4267a355b70cfa90ccf69210474178db4ac8c3b0d445cb73f00ec05114700a1c54 KE3: eb9233923ea58877b958553e860fec7721f367ffd1b6a37d01ab7454ff1d806c export_key: e54b8d82f23782f4bbf7fa4f63cb4fb84096a7de28ece53f5bf40da50 5697a40 session_key: b2af2995c6c177963a066c23b26ef750710a0344b8de57564070f7f1 b57c6de5 Krawczyk, et al. Expires 4 November 2021 [Page 164] Internet-Draft OPAQUE May 2021 C.31. OPAQUE-3DH Test Vector 31 C.31.1. 
Configuration OPRF: 0003 Hash: SHA256 MHF: Identity KDF: HKDF-SHA256 MAC: HMAC-SHA256 EnvelopeMode: 02 Group: P256_XMD:SHA-256_SSWU_RO_ Nh: 32 Npk: 33 Nsk: 32 Nm: 32 Nx: 32 Nok: 32 C.31.2. Input Values Krawczyk, et al. Expires 4 November 2021 [Page 165] Internet-Draft OPAQUE May 2021 server_identity: 626f62 oprf_seed: 7f7b085a6dd65b2336cf2152c3ad9b17d4220a0ff2fe6d63ee20335837 df3329 credential_identifier: 31323334 password: 436f7272656374486f72736542617474657279537461706c65 envelope_nonce: be37b298e8c5c46aa08e6fc6d816ad4b36b97a2db7b670c1ccb4e bcadad20477 masking_nonce: 73ff4d5ed3f2d1662316a9dbb7f1fbc5de9df5fa10d767e94e267b e4b7e74f01 client_private_key: eb7d0ea4bf06b78e3ed83cb2d3feb9683cece55d800eb5196 e9304e50ac61518 server_private_key: b4cd2e42c0bbef01350751994440026574a20f677965ad056 1acb622a32651dc server_public_key: 025cbaa4ddfc060bb49a281a97663ce9e20bfdcd9d11bb10a2 5b74538d149fc226 client_info: 68656c6c6f20626f62 server_info: 6772656574696e677320616c696365 server_nonce: 5d87ade9bd39d623e7507cef77f5e0261a0dcc5f69431a0f61cd68b 7122f0290 client_nonce: e565ffa2b4aaa7dedf48a20dc758dbc5a8a3989757d3ded74daef4a 6f986448b server_keyshare: 03981bb9a42c6f60750d2c9098ec0e64d52dc1ef0b4d02a20b2a e9ce40b425a389 client_keyshare: 02736055b3c97c36bc8e7bfe53ae65bc38c5be6b46adf3d48681 df7bcfeb96770a server_private_keyshare: cd95a821cc128dfb687ff3f9e730721712454f271dbb f2f76022ae85ae56b481 client_private_keyshare: 27a18769e08a1cfb22e03d2d98e62ef8ab50db505d5e 28afc93cc3c289c5646c blind_registration: e1891039c8ca2bb5a8591dfa6e02d8bf4bb7eb3e3861cbe29 cd03197fd5f6733 blind_login: 9ed684a129b5e704cdd2a770bcc863c9f1f44d7e3e90c233aae441c7 cb8da45d oprf_key: cfa04176753d0b38555dde5205b8dcbadb069510b61ae5819430fbedd93 b372a C.31.3. Intermediate Values Krawczyk, et al. 

C.31.4.  Output Values

C.32.  OPAQUE-3DH Test Vector 32

C.32.1.  Configuration

   OPRF: 0003
   Hash: SHA256
   MHF: Identity
   KDF: HKDF-SHA256
   MAC: HMAC-SHA256
   EnvelopeMode: 02
   Group: P256_XMD:SHA-256_SSWU_RO_
   Nh: 32
   Npk: 33
   Nsk: 32
   Nm: 32
   Nx: 32
   Nok: 32

C.32.2.  Input Values

C.32.3.  Intermediate Values

C.32.4.  Output Values

C.33.  OPAQUE-3DH Test Vector 33

C.33.1.  Configuration

   OPRF: 0004
   Hash: SHA512
   MHF: Identity
   KDF: HKDF-SHA512
   MAC: HMAC-SHA512
   EnvelopeMode: 02
   Group: P384_XMD:SHA-512_SSWU_RO_
   Nh: 64
   Npk: 49
   Nsk: 48
   Nm: 64
   Nx: 64
   Nok: 48

C.33.2.  Input Values

C.33.3.  Intermediate Values

C.33.4.  Output Values

C.34.  OPAQUE-3DH Test Vector 34

C.34.1.  Configuration

   OPRF: 0004
   Hash: SHA512
   MHF: Identity
   KDF: HKDF-SHA512
   MAC: HMAC-SHA512
   EnvelopeMode: 02
   Group: P384_XMD:SHA-512_SSWU_RO_
   Nh: 64
   Npk: 49
   Nsk: 48
   Nm: 64
   Nx: 64
   Nok: 48

C.34.2.  Input Values

C.34.3.  Intermediate Values

C.34.4.  Output Values

C.35.  OPAQUE-3DH Test Vector 35

C.35.1.  Configuration

   OPRF: 0004
   Hash: SHA512
   MHF: Identity
   KDF: HKDF-SHA512
   MAC: HMAC-SHA512
   EnvelopeMode: 02
   Group: P384_XMD:SHA-512_SSWU_RO_
   Nh: 64
   Npk: 49
   Nsk: 48
   Nm: 64
   Nx: 64
   Nok: 48

C.35.2.  Input Values

C.35.3.  Intermediate Values

C.35.4.  Output Values

C.36.  OPAQUE-3DH Test Vector 36

C.36.1.  Configuration

   OPRF: 0004
   Hash: SHA512
   MHF: Identity
   KDF: HKDF-SHA512
   MAC: HMAC-SHA512
   EnvelopeMode: 02
   Group: P384_XMD:SHA-512_SSWU_RO_
   Nh: 64
   Npk: 49
   Nsk: 48
   Nm: 64
   Nx: 64
   Nok: 48

C.36.2.  Input Values

C.36.3.  Intermediate Values

C.36.4.  Output Values

C.37.  OPAQUE-3DH Test Vector 37

C.37.1.  Configuration

   OPRF: 0005
   Hash: SHA512
   MHF: Identity
   KDF: HKDF-SHA512
   MAC: HMAC-SHA512
   EnvelopeMode: 02
   Group: P521_XMD:SHA-512_SSWU_RO_
   Nh: 64
   Npk: 67
   Nsk: 66
   Nm: 64
   Nx: 64
   Nok: 66

C.37.2.  Input Values

C.37.3. Intermediate Values

C.37.4. Output Values

C.38. OPAQUE-3DH Test Vector 38

C.38.1. Configuration

OPRF: 0005
Hash: SHA512
MHF: Identity
KDF: HKDF-SHA512
MAC: HMAC-SHA512
EnvelopeMode: 02
Group: P521_XMD:SHA-512_SSWU_RO_
Nh: 64
Npk: 67
Nsk: 66
Nm: 64
Nx: 64
Nok: 66

C.38.2. Input Values

C.38.3. Intermediate Values

C.38.4. Output Values

C.39. OPAQUE-3DH Test Vector 39

C.39.1. Configuration

OPRF: 0005
Hash: SHA512
MHF: Identity
KDF: HKDF-SHA512
MAC: HMAC-SHA512
EnvelopeMode: 02
Group: P521_XMD:SHA-512_SSWU_RO_
Nh: 64
Npk: 67
Nsk: 66
Nm: 64
Nx: 64
Nok: 66

C.39.2. Input Values

C.39.3. Intermediate Values

C.39.4. Output Values

C.40. OPAQUE-3DH Test Vector 40

C.40.1. Configuration

OPRF: 0005
Hash: SHA512
MHF: Identity
KDF: HKDF-SHA512
MAC: HMAC-SHA512
EnvelopeMode: 02
Group: P521_XMD:SHA-512_SSWU_RO_
Nh: 64
Npk: 67
Nsk: 66
Nm: 64
Nx: 64
Nok: 66

C.40.2. Input Values

C.40.3. Intermediate Values

C.40.4. Output Values

Authors' Addresses

Hugo Krawczyk
Algorand Foundation
Email: hugokraw@gmail.com

Daniel Bourdrez
Email: dan@bytema.re

Kevin Lewi
Novi Research
Email: lewi.kevin.k@gmail.com

Christopher A. Wood
Cloudflare
Email: caw@heapingbits.net