CPace, a balanced composable PAKE

Document Type Replaced Internet-Draft (cfrg RG)
Author Björn Haase 
Last updated 2020-07-14 (latest revision 2020-02-07)
Replaced by draft-irtf-cfrg-cpace
Stream Internet Research Task Force (IRTF)
Intended RFC status (None)
Expired & archived
pdf htmlized (tools) htmlized bibtex
Stream IRTF state Replaced
Consensus Boilerplate Unknown
Document shepherd No shepherd assigned
IESG IESG state Replaced by draft-irtf-cfrg-cpace
Telechat date
Responsible AD (None)
Send notices to (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft can be found at


This document describes CPace which is a protocol for two parties that share a low-entropy secret (password) to derive a strong shared key without disclosing the secret to offline dictionary attacks. This method was tailored for constrained devices, is compatible with any group of both prime- and non-prime order, and comes with a security proof providing composability guarantees.


Björn Haase (

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)