The OPAQUE Asymmetric PAKE Protocol
draft-irtf-cfrg-opaque-04

The information below is for an old version of the document
Document Type Active Internet-Draft (cfrg RG)
Authors Hugo Krawczyk  , Daniel Bourdrez  , Kevin Lewi  , Christopher Wood 
Last updated 2021-05-03 (latest revision 2021-02-21)
Replaces draft-krawczyk-cfrg-opaque
Stream Internet Research Task Force (IRTF)
Formats plain text html xml pdf htmlized bibtex
Stream IRTF state Active RG Document
Consensus Boilerplate Yes
Document shepherd No shepherd assigned
IESG IESG state I-D Exists
Telechat date
Responsible AD (None)
Send notices to (None)
Network Working Group                                        H. Krawczyk
Internet-Draft                                       Algorand Foundation
Intended status: Informational                               D. Bourdrez
Expires: 4 November 2021                                                
                                                                 K. Lewi
                                                           Novi Research
                                                               C.A. Wood
                                                              Cloudflare
                                                              3 May 2021

                  The OPAQUE Asymmetric PAKE Protocol
                       draft-irtf-cfrg-opaque-04

Abstract

   This document describes the OPAQUE protocol, a secure asymmetric
   password-authenticated key exchange (aPAKE) that supports mutual
   authentication in a client-server setting without reliance on PKI and
   with security against pre-computation attacks upon server compromise.
   In addition, the protocol provides forward secrecy and the ability to
   hide the password from the server, even during password registration.
   This document specifies the core OPAQUE protocol and one
   instantiation based on 3DH.

Discussion Venues

   This note is to be removed before publishing as an RFC.

   Source for this draft and an issue tracker can be found at
   https://github.com/cfrg/draft-irtf-cfrg-opaque.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 4 November 2021.

Krawczyk, et al.         Expires 4 November 2021                [Page 1]
Internet-Draft                   OPAQUE                         May 2021

Copyright Notice

   Copyright (c) 2021 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Simplified BSD License text
   as described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   7
     1.1.  Requirements Notation . . . . . . . . . . . . . . . . . .   9
     1.2.  Notation  . . . . . . . . . . . . . . . . . . . . . . . .   9
   2.  Cryptographic Dependencies  . . . . . . . . . . . . . . . . .  10
   3.  Protocol Overview . . . . . . . . . . . . . . . . . . . . . .  12
   4.  Client Credential Storage . . . . . . . . . . . . . . . . . .  13
     4.1.  Envelope Structure  . . . . . . . . . . . . . . . . . . .  15
     4.2.  Envelope Creation and Recovery  . . . . . . . . . . . . .  15
     4.3.  Envelope Modes  . . . . . . . . . . . . . . . . . . . . .  17
       4.3.1.  Internal mode . . . . . . . . . . . . . . . . . . . .  18
       4.3.2.  External mode . . . . . . . . . . . . . . . . . . . .  19
   5.  Offline Registration  . . . . . . . . . . . . . . . . . . . .  21
     5.1.  Registration Messages . . . . . . . . . . . . . . . . . .  22
       5.1.1.  Registration Functions  . . . . . . . . . . . . . . .  23
   6.  Online Authenticated Key Exchange . . . . . . . . . . . . . .  25
     6.1.  Credential Retrieval  . . . . . . . . . . . . . . . . . .  27
       6.1.1.  Credential Retrieval Messages . . . . . . . . . . . .  27
       6.1.2.  Credential Retrieval Functions  . . . . . . . . . . .  28
     6.2.  AKE Protocol  . . . . . . . . . . . . . . . . . . . . . .  30
       6.2.1.  Protocol Messages . . . . . . . . . . . . . . . . . .  31
       6.2.2.  Key Schedule Functions  . . . . . . . . . . . . . . .  32
       6.2.3.  External Client API . . . . . . . . . . . . . . . . .  34
       6.2.4.  External Server API . . . . . . . . . . . . . . . . .  38
   7.  Configurations  . . . . . . . . . . . . . . . . . . . . . . .  40
   8.  Security Considerations . . . . . . . . . . . . . . . . . . .  42
     8.1.  Related Analysis  . . . . . . . . . . . . . . . . . . . .  42
     8.2.  Identities  . . . . . . . . . . . . . . . . . . . . . . .  43
     8.3.  Envelope Encryption . . . . . . . . . . . . . . . . . . .  44
     8.4.  Export Key Usage  . . . . . . . . . . . . . . . . . . . .  44
     8.5.  Static Diffie-Hellman Oracles . . . . . . . . . . . . . .  44
     8.6.  Input Validation  . . . . . . . . . . . . . . . . . . . .  45
     8.7.  OPRF Hardening  . . . . . . . . . . . . . . . . . . . . .  45

Krawczyk, et al.         Expires 4 November 2021                [Page 2]
Internet-Draft                   OPAQUE                         May 2021

     8.8.  Preventing Client Enumeration . . . . . . . . . . . . . .  45
     8.9.  Password Salt and Storage Implications  . . . . . . . . .  46
   9.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  46
   10. References  . . . . . . . . . . . . . . . . . . . . . . . . .  46
     10.1.  Normative References . . . . . . . . . . . . . . . . . .  46
     10.2.  Informative References . . . . . . . . . . . . . . . . .  47
   Appendix A.  Acknowledgments  . . . . . . . . . . . . . . . . . .  50
   Appendix B.  Alternate AKE Instantiations . . . . . . . . . . . .  50
     B.1.  HMQV Instantiation Sketch . . . . . . . . . . . . . . . .  50
     B.2.  SIGMA-I Instantiation Sketch  . . . . . . . . . . . . . .  51
   Appendix C.  Test Vectors . . . . . . . . . . . . . . . . . . . .  51
     C.1.  OPAQUE-3DH Test Vector 1  . . . . . . . . . . . . . . . .  52
       C.1.1.  Configuration . . . . . . . . . . . . . . . . . . . .  52
       C.1.2.  Input Values  . . . . . . . . . . . . . . . . . . . .  52
       C.1.3.  Intermediate Values . . . . . . . . . . . . . . . . .  53
       C.1.4.  Output Values . . . . . . . . . . . . . . . . . . . .  54
     C.2.  OPAQUE-3DH Test Vector 2  . . . . . . . . . . . . . . . .  55
       C.2.1.  Configuration . . . . . . . . . . . . . . . . . . . .  55
       C.2.2.  Input Values  . . . . . . . . . . . . . . . . . . . .  56
       C.2.3.  Intermediate Values . . . . . . . . . . . . . . . . .  57
       C.2.4.  Output Values . . . . . . . . . . . . . . . . . . . .  58
     C.3.  OPAQUE-3DH Test Vector 3  . . . . . . . . . . . . . . . .  59
       C.3.1.  Configuration . . . . . . . . . . . . . . . . . . . .  59
       C.3.2.  Input Values  . . . . . . . . . . . . . . . . . . . .  60
       C.3.3.  Intermediate Values . . . . . . . . . . . . . . . . .  61
       C.3.4.  Output Values . . . . . . . . . . . . . . . . . . . .  62
     C.4.  OPAQUE-3DH Test Vector 4  . . . . . . . . . . . . . . . .  63
       C.4.1.  Configuration . . . . . . . . . . . . . . . . . . . .  63
       C.4.2.  Input Values  . . . . . . . . . . . . . . . . . . . .  64
       C.4.3.  Intermediate Values . . . . . . . . . . . . . . . . .  65
       C.4.4.  Output Values . . . . . . . . . . . . . . . . . . . .  66
     C.5.  OPAQUE-3DH Test Vector 5  . . . . . . . . . . . . . . . .  67
       C.5.1.  Configuration . . . . . . . . . . . . . . . . . . . .  67
       C.5.2.  Input Values  . . . . . . . . . . . . . . . . . . . .  68
       C.5.3.  Intermediate Values . . . . . . . . . . . . . . . . .  69
       C.5.4.  Output Values . . . . . . . . . . . . . . . . . . . .  70
     C.6.  OPAQUE-3DH Test Vector 6  . . . . . . . . . . . . . . . .  71
       C.6.1.  Configuration . . . . . . . . . . . . . . . . . . . .  71
       C.6.2.  Input Values  . . . . . . . . . . . . . . . . . . . .  72
       C.6.3.  Intermediate Values . . . . . . . . . . . . . . . . .  73
       C.6.4.  Output Values . . . . . . . . . . . . . . . . . . . .  74
     C.7.  OPAQUE-3DH Test Vector 7  . . . . . . . . . . . . . . . .  75
       C.7.1.  Configuration . . . . . . . . . . . . . . . . . . . .  75
       C.7.2.  Input Values  . . . . . . . . . . . . . . . . . . . .  76
       C.7.3.  Intermediate Values . . . . . . . . . . . . . . . . .  77
       C.7.4.  Output Values . . . . . . . . . . . . . . . . . . . .  78
     C.8.  OPAQUE-3DH Test Vector 8  . . . . . . . . . . . . . . . .  79
       C.8.1.  Configuration . . . . . . . . . . . . . . . . . . . .  79

Krawczyk, et al.         Expires 4 November 2021                [Page 3]
Internet-Draft                   OPAQUE                         May 2021

       C.8.2.  Input Values  . . . . . . . . . . . . . . . . . . . .  80
       C.8.3.  Intermediate Values . . . . . . . . . . . . . . . . .  81
       C.8.4.  Output Values . . . . . . . . . . . . . . . . . . . .  82
     C.9.  OPAQUE-3DH Test Vector 9  . . . . . . . . . . . . . . . .  83
       C.9.1.  Configuration . . . . . . . . . . . . . . . . . . . .  83
       C.9.2.  Input Values  . . . . . . . . . . . . . . . . . . . .  84
       C.9.3.  Intermediate Values . . . . . . . . . . . . . . . . .  85
       C.9.4.  Output Values . . . . . . . . . . . . . . . . . . . .  85
     C.10. OPAQUE-3DH Test Vector 10 . . . . . . . . . . . . . . . .  86
       C.10.1.  Configuration  . . . . . . . . . . . . . . . . . . .  86
       C.10.2.  Input Values . . . . . . . . . . . . . . . . . . . .  87
       C.10.3.  Intermediate Values  . . . . . . . . . . . . . . . .  87
       C.10.4.  Output Values  . . . . . . . . . . . . . . . . . . .  88
     C.11. OPAQUE-3DH Test Vector 11 . . . . . . . . . . . . . . . .  89
       C.11.1.  Configuration  . . . . . . . . . . . . . . . . . . .  89
       C.11.2.  Input Values . . . . . . . . . . . . . . . . . . . .  89
       C.11.3.  Intermediate Values  . . . . . . . . . . . . . . . .  90
       C.11.4.  Output Values  . . . . . . . . . . . . . . . . . . .  91
     C.12. OPAQUE-3DH Test Vector 12 . . . . . . . . . . . . . . . .  92
       C.12.1.  Configuration  . . . . . . . . . . . . . . . . . . .  92
       C.12.2.  Input Values . . . . . . . . . . . . . . . . . . . .  92
       C.12.3.  Intermediate Values  . . . . . . . . . . . . . . . .  93
       C.12.4.  Output Values  . . . . . . . . . . . . . . . . . . .  94
     C.13. OPAQUE-3DH Test Vector 13 . . . . . . . . . . . . . . . .  95
       C.13.1.  Configuration  . . . . . . . . . . . . . . . . . . .  95
       C.13.2.  Input Values . . . . . . . . . . . . . . . . . . . .  95
       C.13.3.  Intermediate Values  . . . . . . . . . . . . . . . .  96
       C.13.4.  Output Values  . . . . . . . . . . . . . . . . . . .  97
     C.14. OPAQUE-3DH Test Vector 14 . . . . . . . . . . . . . . . .  98
       C.14.1.  Configuration  . . . . . . . . . . . . . . . . . . .  98
       C.14.2.  Input Values . . . . . . . . . . . . . . . . . . . .  99
       C.14.3.  Intermediate Values  . . . . . . . . . . . . . . . . 100
       C.14.4.  Output Values  . . . . . . . . . . . . . . . . . . . 101
     C.15. OPAQUE-3DH Test Vector 15 . . . . . . . . . . . . . . . . 102
       C.15.1.  Configuration  . . . . . . . . . . . . . . . . . . . 102
       C.15.2.  Input Values . . . . . . . . . . . . . . . . . . . . 103
       C.15.3.  Intermediate Values  . . . . . . . . . . . . . . . . 104
       C.15.4.  Output Values  . . . . . . . . . . . . . . . . . . . 105
     C.16. OPAQUE-3DH Test Vector 16 . . . . . . . . . . . . . . . . 106
       C.16.1.  Configuration  . . . . . . . . . . . . . . . . . . . 106
       C.16.2.  Input Values . . . . . . . . . . . . . . . . . . . . 107
       C.16.3.  Intermediate Values  . . . . . . . . . . . . . . . . 108
       C.16.4.  Output Values  . . . . . . . . . . . . . . . . . . . 109
     C.17. OPAQUE-3DH Test Vector 17 . . . . . . . . . . . . . . . . 110
       C.17.1.  Configuration  . . . . . . . . . . . . . . . . . . . 110
       C.17.2.  Input Values . . . . . . . . . . . . . . . . . . . . 111
       C.17.3.  Intermediate Values  . . . . . . . . . . . . . . . . 112
       C.17.4.  Output Values  . . . . . . . . . . . . . . . . . . . 113

Krawczyk, et al.         Expires 4 November 2021                [Page 4]
Internet-Draft                   OPAQUE                         May 2021

     C.18. OPAQUE-3DH Test Vector 18 . . . . . . . . . . . . . . . . 114
       C.18.1.  Configuration  . . . . . . . . . . . . . . . . . . . 114
       C.18.2.  Input Values . . . . . . . . . . . . . . . . . . . . 115
       C.18.3.  Intermediate Values  . . . . . . . . . . . . . . . . 116
       C.18.4.  Output Values  . . . . . . . . . . . . . . . . . . . 117
     C.19. OPAQUE-3DH Test Vector 19 . . . . . . . . . . . . . . . . 118
       C.19.1.  Configuration  . . . . . . . . . . . . . . . . . . . 118
       C.19.2.  Input Values . . . . . . . . . . . . . . . . . . . . 119
       C.19.3.  Intermediate Values  . . . . . . . . . . . . . . . . 120
       C.19.4.  Output Values  . . . . . . . . . . . . . . . . . . . 121
     C.20. OPAQUE-3DH Test Vector 20 . . . . . . . . . . . . . . . . 122
       C.20.1.  Configuration  . . . . . . . . . . . . . . . . . . . 122
       C.20.2.  Input Values . . . . . . . . . . . . . . . . . . . . 123
       C.20.3.  Intermediate Values  . . . . . . . . . . . . . . . . 124
       C.20.4.  Output Values  . . . . . . . . . . . . . . . . . . . 125
     C.21. OPAQUE-3DH Test Vector 21 . . . . . . . . . . . . . . . . 126
       C.21.1.  Configuration  . . . . . . . . . . . . . . . . . . . 126
       C.21.2.  Input Values . . . . . . . . . . . . . . . . . . . . 127
       C.21.3.  Intermediate Values  . . . . . . . . . . . . . . . . 128
       C.21.4.  Output Values  . . . . . . . . . . . . . . . . . . . 129
     C.22. OPAQUE-3DH Test Vector 22 . . . . . . . . . . . . . . . . 130
       C.22.1.  Configuration  . . . . . . . . . . . . . . . . . . . 130
       C.22.2.  Input Values . . . . . . . . . . . . . . . . . . . . 131
       C.22.3.  Intermediate Values  . . . . . . . . . . . . . . . . 132
       C.22.4.  Output Values  . . . . . . . . . . . . . . . . . . . 133
     C.23. OPAQUE-3DH Test Vector 23 . . . . . . . . . . . . . . . . 134
       C.23.1.  Configuration  . . . . . . . . . . . . . . . . . . . 134
       C.23.2.  Input Values . . . . . . . . . . . . . . . . . . . . 135
       C.23.3.  Intermediate Values  . . . . . . . . . . . . . . . . 136
       C.23.4.  Output Values  . . . . . . . . . . . . . . . . . . . 137
     C.24. OPAQUE-3DH Test Vector 24 . . . . . . . . . . . . . . . . 138
       C.24.1.  Configuration  . . . . . . . . . . . . . . . . . . . 138
       C.24.2.  Input Values . . . . . . . . . . . . . . . . . . . . 139
       C.24.3.  Intermediate Values  . . . . . . . . . . . . . . . . 140
       C.24.4.  Output Values  . . . . . . . . . . . . . . . . . . . 141
     C.25. OPAQUE-3DH Test Vector 25 . . . . . . . . . . . . . . . . 142
       C.25.1.  Configuration  . . . . . . . . . . . . . . . . . . . 142
       C.25.2.  Input Values . . . . . . . . . . . . . . . . . . . . 143
       C.25.3.  Intermediate Values  . . . . . . . . . . . . . . . . 144
       C.25.4.  Output Values  . . . . . . . . . . . . . . . . . . . 145
     C.26. OPAQUE-3DH Test Vector 26 . . . . . . . . . . . . . . . . 146
       C.26.1.  Configuration  . . . . . . . . . . . . . . . . . . . 146
       C.26.2.  Input Values . . . . . . . . . . . . . . . . . . . . 147
       C.26.3.  Intermediate Values  . . . . . . . . . . . . . . . . 148
       C.26.4.  Output Values  . . . . . . . . . . . . . . . . . . . 149
     C.27. OPAQUE-3DH Test Vector 27 . . . . . . . . . . . . . . . . 150
       C.27.1.  Configuration  . . . . . . . . . . . . . . . . . . . 150
       C.27.2.  Input Values . . . . . . . . . . . . . . . . . . . . 151

Krawczyk, et al.         Expires 4 November 2021                [Page 5]
Internet-Draft                   OPAQUE                         May 2021

       C.27.3.  Intermediate Values  . . . . . . . . . . . . . . . . 152
       C.27.4.  Output Values  . . . . . . . . . . . . . . . . . . . 153
     C.28. OPAQUE-3DH Test Vector 28 . . . . . . . . . . . . . . . . 154
       C.28.1.  Configuration  . . . . . . . . . . . . . . . . . . . 154
       C.28.2.  Input Values . . . . . . . . . . . . . . . . . . . . 155
       C.28.3.  Intermediate Values  . . . . . . . . . . . . . . . . 156
       C.28.4.  Output Values  . . . . . . . . . . . . . . . . . . . 157
     C.29. OPAQUE-3DH Test Vector 29 . . . . . . . . . . . . . . . . 158
       C.29.1.  Configuration  . . . . . . . . . . . . . . . . . . . 158
       C.29.2.  Input Values . . . . . . . . . . . . . . . . . . . . 159
       C.29.3.  Intermediate Values  . . . . . . . . . . . . . . . . 160
       C.29.4.  Output Values  . . . . . . . . . . . . . . . . . . . 161
     C.30. OPAQUE-3DH Test Vector 30 . . . . . . . . . . . . . . . . 162
       C.30.1.  Configuration  . . . . . . . . . . . . . . . . . . . 162
       C.30.2.  Input Values . . . . . . . . . . . . . . . . . . . . 162
       C.30.3.  Intermediate Values  . . . . . . . . . . . . . . . . 163
       C.30.4.  Output Values  . . . . . . . . . . . . . . . . . . . 164
     C.31. OPAQUE-3DH Test Vector 31 . . . . . . . . . . . . . . . . 165
       C.31.1.  Configuration  . . . . . . . . . . . . . . . . . . . 165
       C.31.2.  Input Values . . . . . . . . . . . . . . . . . . . . 165
       C.31.3.  Intermediate Values  . . . . . . . . . . . . . . . . 166
       C.31.4.  Output Values  . . . . . . . . . . . . . . . . . . . 167
     C.32. OPAQUE-3DH Test Vector 32 . . . . . . . . . . . . . . . . 168
       C.32.1.  Configuration  . . . . . . . . . . . . . . . . . . . 168
       C.32.2.  Input Values . . . . . . . . . . . . . . . . . . . . 168
       C.32.3.  Intermediate Values  . . . . . . . . . . . . . . . . 169
       C.32.4.  Output Values  . . . . . . . . . . . . . . . . . . . 170
     C.33. OPAQUE-3DH Test Vector 33 . . . . . . . . . . . . . . . . 171
       C.33.1.  Configuration  . . . . . . . . . . . . . . . . . . . 171
       C.33.2.  Input Values . . . . . . . . . . . . . . . . . . . . 171
       C.33.3.  Intermediate Values  . . . . . . . . . . . . . . . . 172
       C.33.4.  Output Values  . . . . . . . . . . . . . . . . . . . 173
     C.34. OPAQUE-3DH Test Vector 34 . . . . . . . . . . . . . . . . 174
       C.34.1.  Configuration  . . . . . . . . . . . . . . . . . . . 174
       C.34.2.  Input Values . . . . . . . . . . . . . . . . . . . . 175
       C.34.3.  Intermediate Values  . . . . . . . . . . . . . . . . 176
       C.34.4.  Output Values  . . . . . . . . . . . . . . . . . . . 177
     C.35. OPAQUE-3DH Test Vector 35 . . . . . . . . . . . . . . . . 178
       C.35.1.  Configuration  . . . . . . . . . . . . . . . . . . . 178
       C.35.2.  Input Values . . . . . . . . . . . . . . . . . . . . 179
       C.35.3.  Intermediate Values  . . . . . . . . . . . . . . . . 180
       C.35.4.  Output Values  . . . . . . . . . . . . . . . . . . . 181
     C.36. OPAQUE-3DH Test Vector 36 . . . . . . . . . . . . . . . . 182
       C.36.1.  Configuration  . . . . . . . . . . . . . . . . . . . 182
       C.36.2.  Input Values . . . . . . . . . . . . . . . . . . . . 183
       C.36.3.  Intermediate Values  . . . . . . . . . . . . . . . . 184
       C.36.4.  Output Values  . . . . . . . . . . . . . . . . . . . 185
     C.37. OPAQUE-3DH Test Vector 37 . . . . . . . . . . . . . . . . 186

Krawczyk, et al.         Expires 4 November 2021                [Page 6]
Internet-Draft                   OPAQUE                         May 2021

       C.37.1.  Configuration  . . . . . . . . . . . . . . . . . . . 186
       C.37.2.  Input Values . . . . . . . . . . . . . . . . . . . . 187
       C.37.3.  Intermediate Values  . . . . . . . . . . . . . . . . 188
       C.37.4.  Output Values  . . . . . . . . . . . . . . . . . . . 189
     C.38. OPAQUE-3DH Test Vector 38 . . . . . . . . . . . . . . . . 191
       C.38.1.  Configuration  . . . . . . . . . . . . . . . . . . . 191
       C.38.2.  Input Values . . . . . . . . . . . . . . . . . . . . 191
       C.38.3.  Intermediate Values  . . . . . . . . . . . . . . . . 193
       C.38.4.  Output Values  . . . . . . . . . . . . . . . . . . . 193
     C.39. OPAQUE-3DH Test Vector 39 . . . . . . . . . . . . . . . . 195
       C.39.1.  Configuration  . . . . . . . . . . . . . . . . . . . 195
       C.39.2.  Input Values . . . . . . . . . . . . . . . . . . . . 195
       C.39.3.  Intermediate Values  . . . . . . . . . . . . . . . . 197
       C.39.4.  Output Values  . . . . . . . . . . . . . . . . . . . 197
     C.40. OPAQUE-3DH Test Vector 40 . . . . . . . . . . . . . . . . 199
       C.40.1.  Configuration  . . . . . . . . . . . . . . . . . . . 199
       C.40.2.  Input Values . . . . . . . . . . . . . . . . . . . . 199
       C.40.3.  Intermediate Values  . . . . . . . . . . . . . . . . 201
       C.40.4.  Output Values  . . . . . . . . . . . . . . . . . . . 201
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . . 203

1.  Introduction

   Password authentication is ubiquitous in many applications.  In a
   common implementation, a client authenticates to a server by sending
   its client ID and password to the server over a secure connection.
   This makes the password vulnerable to server mishandling, including
   accidentally logging the password or storing it in plaintext in a
   database.  Server compromise resulting in access to these plaintext
   passwords is not an uncommon security incident, even among security-
   conscious companies.  Moreover, plaintext password authentication
   over secure channels like TLS is also vulnerable to cases where TLS
   may fail, including PKI attacks, certificate mishandling, termination
   outside the security perimeter, visibility to middleboxes, and more.

   Asymmetric (or Augmented) Password Authenticated Key Exchange (aPAKE)
   protocols are designed to provide password authentication and
   mutually authenticated key exchange in a client-server setting
   without relying on PKI (except during client/password registration)
   and without disclosing passwords to servers or other entities other
   than the client machine.  A secure aPAKE should provide the best
   possible security for a password protocol.  Namely, it should only be
   open to inevitable attacks, such as online impersonation attempts
   with guessed client passwords and offline dictionary attacks upon the
   compromise of a server and leakage of its password file.  In the
   latter case, the attacker learns a mapping of a client's password
   under a one-way function and uses such a mapping to validate
   potential guesses for the password.  Crucially important is for the

Krawczyk, et al.         Expires 4 November 2021                [Page 7]
Internet-Draft                   OPAQUE                         May 2021

   password protocol to use an unpredictable one-way mapping.
   Otherwise, the attacker can pre-compute a deterministic list of
   mapped passwords leading to almost instantaneous leakage of passwords
   upon server compromise.

   Despite the existence of multiple designs for (PKI-free) aPAKE
   protocols, none of these protocols are secure against pre-computation
   attacks.  In particular, none of these protocols can use the standard
   technique against pre-computation that combines _secret_ random
   values ("salt") into the one-way password mappings.  Either these
   protocols do not use a salt at all or, if they do, they transmit the
   salt from server to client in the clear, hence losing the secrecy of
   the salt and its defense against pre-computation.  Furthermore,
   transmitting the salt may require additional protocol messages.

   This document describes OPAQUE, a PKI-free secure aPAKE that is
   secure against pre-computation attacks.  OPAQUE provides forward
   secrecy (essential for protecting past communications in case of
   password leakage) and the ability to hide the password from the
   server, even during password registration.  Furthermore, OPAQUE
   enjoys good performance and an array of additional features including
   the ability to increase the difficulty of offline dictionary attacks
   via iterated hashing or other hardening schemes, and offloading these
   operations to the client (that also helps against online guessing
   attacks); extensibility of the protocol to support storage and
   retrieval of client secrets solely based on a password; being
   amenable to a multi-server distributed implementation where offline
   dictionary attacks are not possible without breaking into a threshold
   of servers (such a distributed solution requires no change or
   awareness on the client-side relative to a single-server
   implementation).

   OPAQUE is defined and proven as the composition of two
   functionalities: an oblivious pseudorandom function (OPRF) and an
   authenticated key exchange (AKE) protocol.  It can be seen as a
   "compiler" for transforming any suitable AKE protocol into a secure
   aPAKE protocol.  (See Section 8 for requirements of the OPRF and AKE
   protocols.)  This document specifies one OPAQUE instantiation based
   on 3DH [SIGNAL].  Other instantiations are possible, as discussed in
   Appendix B, but their details are out of scope for this document.  In
   general, the modularity of OPAQUE's design makes it easy to integrate
   with additional AKE protocols, e.g., TLS, and with future ones such
   as those based on post-quantum techniques.

Krawczyk, et al.         Expires 4 November 2021                [Page 8]
Internet-Draft                   OPAQUE                         May 2021

   OPAQUE consists of two stages: registration and authenticated key
   exchange.  In the first stage, a client registers its password with
   the server and stores its encrypted credentials on the server.  In
   the second stage, a client obtains those credentials, recovers them
   using the client's password, and subsequently uses them as input to
   an AKE protocol.

   Currently, the most widely deployed PKI-free aPAKE is SRP [RFC2945],
   which is vulnerable to pre-computation attacks, lacks proof of
   security, and is less efficient relative to OPAQUE.  Moreover, SRP
   requires a ring as it mixes addition and multiplication operations,
   and thus does not work over plain elliptic curves.  OPAQUE is
   therefore a suitable replacement for applications that use SRP.

   This draft complies with the requirements for PAKE protocols set
   forth in [RFC8125].

1.1.  Requirements Notation

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

1.2.  Notation

   The following functions are used throughout this document:

   *  I2OSP and OS2IP: Convert a byte string to and from a non-negative
      integer as described in Section 4 of [RFC8017].  Note that these
      functions operate on byte strings in big-endian byte order.

   *  concat(x0, ..., xN): Concatenate byte strings.  For example,
      "concat(0x01, 0x0203, 0x040506) = 0x010203040506".

   *  random(n): Generate a cryptographically secure pseudorandom byte
      string of length "n" bytes.

   *  xor(a,b): Apply XOR to byte strings.  For example, "xor(0xF0F0,
      0x1234) = 0xE2C4".  It is an error to call this function with two
      arguments of unequal length.

   *  ct_equal(a, b): Return "true" if "a" is equal to "b", and false
      otherwise.  This function is constant-time in the length of "a"
      and "b", which are assumed to be of equal length, irrespective of
      the values "a" or "b".

Krawczyk, et al.         Expires 4 November 2021                [Page 9]
Internet-Draft                   OPAQUE                         May 2021

   Except if said otherwise, random choices in this specification refer
   to drawing with uniform distribution from a given set (i.e., "random"
   is short for "uniformly random").  Random choices can be replaced
   with fresh outputs from a cryptographically strong pseudorandom
   generator, according to the requirements in [RFC4086], or
   pseudorandom function.  For convenience, we define "nil" as a lack of
   value.

   The name OPAQUE is a homonym of O-PAKE where O is for Oblivious.  The
   name OPAKE was taken.

2.  Cryptographic Dependencies

   OPAQUE relies on the following cryptographic protocols and
   primitives:

   *  Oblivious Pseudorandom Function (OPRF, [I-D.irtf-cfrg-voprf],
      version -06):

      -  Blind(x): Convert input "x" into an element of the OPRF group,
         randomize it by some scalar "r", producing "M", and output
         ("r", "M").

      -  Evaluate(k, M): Evaluate input element "M" using private key
         "k", yielding output element "Z".

      -  Finalize(x, r, Z): Finalize the OPRF evaluation using input
         "x", random scalar "r", and evaluation output "Z", yielding
         output "y".

      -  DeriveKeyPair(seed): Derive a private and public key pair
         deterministically from a seed.

      -  Noe: The size of a serialized OPRF group element.

      -  Nok: The size of an OPRF private key.

   Note that we only need the base mode variant (as opposed to the
   verifiable mode variant) of the OPRF described in
   [I-D.irtf-cfrg-voprf].

   *  Key Derivation Function (KDF):

      -  Extract(salt, ikm): Extract a pseudorandom key of fixed length
         "Nx" bytes from input keying material "ikm" and an optional
         byte string "salt".

Krawczyk, et al.         Expires 4 November 2021               [Page 10]
Internet-Draft                   OPAQUE                         May 2021

      -  Expand(prk, info, L): Expand a pseudorandom key "prk" using
         optional string "info" into "L" bytes of output keying
         material.

      -  Nx: The output size of the "Extract()" function in bytes.

   *  Message Authentication Code (MAC):

      -  MAC(key, msg): Compute a message authentication code over input
         "msg" with key "key", producing a fixed-length output of "Nm"
         bytes.

      -  Nm: The output size of the "MAC()" function in bytes.

   *  Hash Function:

      -  Hash(msg): Apply a cryptographic hash function to input "msg",
         producing a fixed-length digest of size "Nh" bytes.

      -  Nh: The output size of the "Hash()" function in bytes.

   *  Memory Hard Function (MHF):

      -  Harden(msg, params): Repeatedly apply a memory-hard function
         with parameters "params" to strengthen the input "msg" against
         offline dictionary attacks.  This function also needs to
         satisfy collision resistance.

   OPAQUE additionally depends on an Authenticated Key Exchange (AKE)
   protocol.  This specification defines one particular AKE based on
   3DH; see Section 6.2.  We let "Npk" and "Nsk" denote the size of
   public and private keys, respectively, used in the AKE.  The AKE
   protocol must provide the following functions:

   *  RecoverPublicKey(private_key): Recover the public key related to
      the input "private_key".

   *  DeriveAuthKeyPair(seed): Derive a private and public
      authentication key pair deterministically from the input "seed".

   *  GenerateKeyPair(): Return a randomly generated private and public
      key pair.  This can be implemented by generating a random private
      key "sk", then computing "pk = RecoverPublicKey(sk)".

   Finally, all random nonces used in this protocol are of length "Nn" =
   32 bytes.

Krawczyk, et al.         Expires 4 November 2021               [Page 11]
Internet-Draft                   OPAQUE                         May 2021

3.  Protocol Overview

   OPAQUE consists of two stages: registration and authenticated key
   exchange.  In the first stage, a client registers its password with
   the server and stores its encrypted credentials on the server.  The
   client inputs its credentials, which includes its password and user
   identifier, and the server inputs its parameters, which includes its
   private key and other information.  The client output of this stage
   is a single value "export_key" that the client may use for
   application-specific purposes, e.g., to encrypt additional
   information to the server.  The server output of this stage is a
   record corresponding to the client's registration that it stores in a
   password file alongside other client registrations as needed.

   Registration is the only part in OPAQUE that requires an
   authenticated and confidential channel, either physical, out-of-band,
   PKI-based, etc.

   The registration flow is shown below:

       creds                                   parameters
         |                                         |
         v                                         v
       Client                                    Server
       ------------------------------------------------
                   registration request
                ------------------------->
                   registration response
                <-------------------------
                         record
                ------------------------->
      ------------------------------------------------
         |                                         |
         v                                         v
     export_key                                 record

   In the second stage, a client obtains credentials previously
   registered with the server, recovers private key material using the
   password, and subsequently uses them as input to an AKE protocol.  As
   in the registration phase, the client inputs its credentials,
   including its password and user identifier, and the server inputs its
   parameters and password file record corresponding to the client.  The
   client outputs two values, an "export_key" (matching that from
   registration) and a "session_key", the latter of which is the primary
   AKE output.  The server outputs a single value "session_key" that
   matches that of the client.  Upon completion, clients and servers can
   use these values as needed.

Krawczyk, et al.         Expires 4 November 2021               [Page 12]
Internet-Draft                   OPAQUE                         May 2021

   The authenticated key exchange flow is shown below:

       creds                             (parameters, record)
         |                                         |
         v                                         v
       Client                                    Server
       ------------------------------------------------
                      AKE message 1
                ------------------------->
                      AKE message 2
                <-------------------------
                      AKE message 3
                ------------------------->
      ------------------------------------------------
         |                                         |
         v                                         v
   (export_key, session_key)                  session_key

   The rest of this document describes the details of these stages in
   detail.  Section 4 describes how client credential information is
   generated, encoded, encrypted, and stored on the server.  Section 5
   describes the first registration stage of the protocol, and Section 6
   describes the second authentication stage of the protocol.  Section 7
   describes how to instantiate OPAQUE using different cryptographic
   dependencies and parameters.

4.  Client Credential Storage

   OPAQUE makes use of a structure "Envelope" to manage client
   credentials.  This envelope holds information about its format and
   content for the client to obtain its authentication material.

   OPAQUE allows applications to either provide custom client private
   and public keys for authentication, or to generate them internally.
   Each public and private key value is encoded as a byte string,
   specific to the AKE protocol in which OPAQUE is instantiated.  These
   two options are defined as the "internal" and "external" modes,
   respectively.  See Section 4.3 for their specifications.

   Applications may pin key material to identities if desired.  If no
   identity is given for a party, its value MUST default to its public
   key.  The following types of application credential information are
   considered:

   *  client_private_key: The encoded client private key for the AKE
      protocol.

Krawczyk, et al.         Expires 4 November 2021               [Page 13]
Internet-Draft                   OPAQUE                         May 2021

   *  client_public_key: The encoded client public key for the AKE
      protocol.

   *  server_public_key: The encoded server public key for the AKE
      protocol.

   *  client_identity: The client identity.  This is an application-
      specific value, e.g., an e-mail address or normal account name.
      If not specified, it defaults to the client's public key.

   *  server_identity: The server identity.  This is typically a domain
      name, e.g., example.com.  If not specified, it defaults to the
      server's public key.  See Section 8.2 for information about this
      identity.

   These credential values are used in the "CleartextCredentials"
   structure as follows:

   struct {
     uint8 server_public_key[Npk];
     uint8 server_identity<1..2^16-1>;
     uint8 client_identity<1..2^16-1>;
   } CleartextCredentials;

   The function CreateCleartextCredentials constructs a
   "CleartextCredentials" structure given application credential
   information.

CreateCleartextCredentials(server_public_key, client_public_key,
                           server_identity, client_identity)

Input:
- server_public_key, The encoded server public key for the AKE protocol.
- client_public_key, The encoded client public key for the AKE protocol.
- server_identity, The optional encoded server identity.
- client_identity, The optional encoded client identity.

Output:
- cleartext_credentials, a CleartextCredentials structure

Steps:
1. if server_identity == nil
2.    server_identity = server_public_key
3. if client_identity == nil
4.    client_identity = client_public_key
5. Create CleartextCredentials cleartext_credentials
   with (server_public_key, server_identity, client_identity)
6. Output cleartext_credentials

Krawczyk, et al.         Expires 4 November 2021               [Page 14]
Internet-Draft                   OPAQUE                         May 2021

   During protocol execution, the identity values can be stored in an
   implementation-specific "Credentials" object with names matching the
   values.

   struct {
     uint8 server_identity;
     uint8 client_identity;
   } Credentials;

4.1.  Envelope Structure

   A client "Envelope" is constructed based on the "EnvelopeMode",
   consisting of an "InnerEnvelope" entry whose structure is determined
   by the mode.  Future modes MAY introduce alternate "InnerEnvelope"
   contents.  "Envelope" is defined as follows:

   struct {
     uint8 nonce[Nn];
     InnerEnvelope inner_env;
     uint8 auth_tag[Nm];
   } Envelope;

   nonce: A unique nonce of length "Nn" used to protect this Envelope.

   auth_tag: Authentication tag protecting the contents of the envelope,
   covering the envelope nonce, "InnerEnvelope", and
   "CleartextCredentials".

   inner_env: A mode dependent "InnerEnvelope" structure.  See
   Section 4.3 for its specifications.

   The size of the serialized envelope is denoted "Ne" and varies based
   on the mode.  The exact value for "Ne" is specified in Section 4.3.1
   and Section 4.3.2.

4.2.  Envelope Creation and Recovery

   Clients create an "Envelope" at registration with the function
   "CreateEnvelope" defined below.

   For the "internal" mode, implementations can choose to leave out the
   "client_private_key" parameter, as it is not used.  For the
   "external" mode, implementations are free to additionally provide
   "client_public_key" to this function.  With this, the public key does
   not need to be recovered by "BuildInnerEnvelope()" and that function
   should be adapted accordingly.

Krawczyk, et al.         Expires 4 November 2021               [Page 15]
Internet-Draft                   OPAQUE                         May 2021

CreateEnvelope(randomized_pwd, server_public_key, client_private_key,
               server_identity, client_identity)

Parameter:
- mode, the EnvelopeMode mode

Input:
- randomized_pwd, randomized password.
- server_public_key, The encoded server public key for
  the AKE protocol.
- client_private_key, The encoded client private key for
  the AKE protocol. This is nil in the internal key mode.
- server_identity, The optional encoded server identity.
- client_identity, The optional encoded client identity.

Output:
- envelope, the client's `Envelope` structure.
- client_public_key, the client's AKE public key.
- masking_key, a key used by the server to encrypt the
  envelope during login.
- export_key, an additional client key.

Steps:
1. envelope_nonce = random(Nn)
2. auth_key = Expand(randomized_pwd, concat(envelope_nonce, "AuthKey"), Nh)
3. export_key = Expand(randomized_pwd, concat(envelope_nonce, "ExportKey"), Nh)
4. masking_key = Expand(randomized_pwd, "MaskingKey", Nh)
5. inner_env, client_public_key = BuildInnerEnvelope(randomized_pwd, envelope_nonce, client_private_key)
6. cleartext_creds = CreateCleartextCredentials(server_public_key, client_public_key, server_identity, client_identity)
7. auth_tag = MAC(auth_key, concat(envelope_nonce, inner_env, cleartext_creds))
8. Create Envelope envelope with (envelope_nonce, inner_env, auth_tag)
9. Output (envelope, client_public_key, masking_key, export_key)

   Clients recover their "Envelope" during authentication with the
   "RecoverEnvelope" function defined below.

Krawczyk, et al.         Expires 4 November 2021               [Page 16]
Internet-Draft                   OPAQUE                         May 2021

RecoverEnvelope(randomized_pwd, server_public_key, creds, envelope)

Input:
- randomized_pwd, randomized password.
- server_public_key, The encoded server public key for the AKE protocol.
- creds, a Credentials structure.
- envelope, the client's `Envelope` structure.

Output:
- client_private_key, The encoded client private key for the AKE protocol
- export_key, an additional client key

Steps:
1. auth_key = Expand(randomized_pwd, concat(envelope.nonce, "AuthKey"), Nh)
2. export_key = Expand(randomized_pwd, concat(envelope.nonce, "ExportKey", Nh)
3. (client_private_key, client_public_key) =
    RecoverKeys(randomized_pwd, envelope.nonce, envelope.inner_env)
4. cleartext_creds = CreateCleartextCredentials(server_public_key,
                      client_public_key, creds.server_identity,
                      creds.client_identity)
5. expected_tag = MAC(auth_key, concat(envelope.nonce, inner_env, cleartext_creds))
6. If !ct_equal(envelope.auth_tag, expected_tag),
     raise MacError
7. Output (client_private_key, export_key)

4.3.  Envelope Modes

   The "EnvelopeMode" specifies the structure and encoding of the
   corresponding "InnerEnvelope".  This document specifies the values of
   the two aforementioned modes:

   enum {
     internal(1),
     external(2),
     (255)
   } EnvelopeMode;

   Each "EnvelopeMode" defines its own "InnerEnvelope" structure and
   must implement the following interface:

   *  "inner_env, client_public_key = BuildInnerEnvelope(randomized_pwd,
      nonce, client_private_key)": Build and return the mode's
      "InnerEnvelope" structure and the client's public key.

   *  "client_private_key, client_public_key =
      RecoverKeys(randomized_pwd, nonce, inner_env)": Recover and return
      the client's private and public keys for the AKE protocol.

Krawczyk, et al.         Expires 4 November 2021               [Page 17]
Internet-Draft                   OPAQUE                         May 2021

   The implementations of this interface for both "internal" and
   "external" modes are in Section 4.3.1 and Section 4.3.2,
   respectively.

   The size of the envelope may vary between modes.  If applications
   implement Section 8.8, they MUST use the same envelope mode
   throughout their lifecycle in order to avoid activity leaks due to
   mode switching.

4.3.1.  Internal mode

   In this mode, the client's private and public keys are
   deterministically derived from the OPRF output.

   With the internal key mode the "EnvelopeMode" value MUST be
   "internal" and the "InnerEnvelope" is empty, and the size "Ne" of the
   serialized "Envelope" is "Nn + Nm".

   To generate the private key OPAQUE-3DH implements
   "DeriveAuthKeyPair(seed)" as follows:

   DeriveAuthKeyPair(seed)

   Input:
   - seed, pseudo-random byte sequence used as a seed.

   Output:
   - private_key, a private key
   - public_key, the associated public key

   Steps:
   1. private_key = HashToScalar(seed, dst="OPAQUE-HashToScalar")
   2. public_key = private_key * G
   3. Output (private_key, public_key)

   HashToScalar(msg, dst) is as specified in [I-D.irtf-cfrg-voprf],
   except that the "dst" parameter is "OPAQUE-HashToScalar".

Krawczyk, et al.         Expires 4 November 2021               [Page 18]
Internet-Draft                   OPAQUE                         May 2021

   BuildInnerEnvelope(randomized_pwd, nonce, client_private_key)

   Input:
   - randomized_pwd, randomized password.
   - nonce, a unique nonce of length `Nn`.
   - client_private_key, empty value. Not used in this function,
     it only serves to comply with the API.

   Output:
   - inner_env, nil value (serves to comply with the API).
   - client_public_key, the client's AKE public key.

   Steps:
   1. seed = Expand(randomized_pwd, concat(nonce, "PrivateKey"), Nsk)
   2. _, client_public_key = DeriveAuthKeyPair(seed)
   3. Output (nil, client_public_key)

   Note that implementations are free to leave out the
   "client_private_key" parameter, as it is not used.

RecoverKeys(randomized_pwd, nonce, inner_env)

Input:
- randomized_pwd, randomized password.
- nonce, a unique nonce of length `Nn`.
- inner_env, an InnerEnvelope structure. Not used in this
  function, it only serves to comply with the API.

Output:
- client_private_key, The encoded client private key for the AKE protocol
- client_public_key, The encoded client public key for the AKE protocol

Steps:
1. seed = Expand(randomized_pwd, concat(nonce, "PrivateKey"), Nsk)
2. client_private_key, client_public_key = DeriveAuthKeyPair(seed)
4. Output (client_private_key, client_public_key)

   Note that implementations are free to leave out the "inner_env"
   parameter, as it is not used.

4.3.2.  External mode

   This mode allows applications to import or generate keys for the
   client.  This specification only imports the client's private key and
   internally recovers the corresponding public key.  Implementations
   are free to import both, in which case the functions
   "FinalizeRequest()", "CreateEnvelope()", and "BuildInnerEnvelope()"
   must be adapted accordingly.

Krawczyk, et al.         Expires 4 November 2021               [Page 19]
Internet-Draft                   OPAQUE                         May 2021

   With the external key mode the "EnvelopeMode" value MUST be
   "external", and the size "Ne" of the serialized "Envelope" is "Nn +
   Nm + Nsk".

   An encryption key is generated from the hardened OPRF output and used
   to encrypt the client's private key, which is then stored encrypted
   in the "InnerEnvelope".  On key recovery, the client's public key is
   recovered using the private key.

   struct {
     uint8 encrypted_creds[Nsk];
   } InnerEnvelope;

   encrypted_creds : Encrypted client_private_key.  Authentication of
   this field is ensured with the "auth_tag" field in the envelope that
   covers this "InnerEnvelope".

   If the implementation provides the "client_public_key", then
   "BuildInnerEnvelope()" can skip the "RecoverPublicKey()" call.

BuildInnerEnvelope(randomized_pwd, nonce, client_private_key)

Input:
- randomized_pwd, randomized password.
- nonce, a unique nonce of length `Nn`.
- client_private_key, the encoded client private key for the AKE protocol.

Output:
- inner_env, an InnerEnvelope structure.
- client_public_key, The encoded client public key for the AKE protocol.

Steps:
1. pseudorandom_pad = Expand(randomized_pwd, concat(nonce, "Pad"), len(client_private_key))
2. encrypted_creds = xor(client_private_key, pseudorandom_pad)
3. Create InnerEnvelope inner_env with encrypted_creds
4. client_public_key = RecoverPublicKey(client_private_key)
5. Output (inner_env, client_public_key)

Krawczyk, et al.         Expires 4 November 2021               [Page 20]
Internet-Draft                   OPAQUE                         May 2021

RecoverKeys(randomized_pwd, nonce, inner_env)

Input:
- randomized_pwd, randomized password.
- nonce, a unique nonce of length `Nn`.
- inner_env, an InnerEnvelope structure.

Output:
- client_private_key, the encoded client private key for the AKE protocol.
- client_public_key, the client's AKE public key.

Steps:
1. encrypted_creds = inner_env.encrypted_creds
2. pseudorandom_pad = Expand(randomized_pwd, concat(nonce, "Pad"), len(encrypted_creds))
3. client_private_key = xor(encrypted_creds, pseudorandom_pad)
4. client_public_key = RecoverPublicKey(client_private_key)
5. Output (client_private_key, client_public_key)

5.  Offline Registration

   This section describes the registration flow, message encoding, and
   helper functions.  In a setup phase, the client chooses its password,
   and the server chooses its own pair of private-public AKE keys
   (server_private_key, server_public_key) for use with the AKE, along
   with a Nh-byte oprf_seed.  The server can use the same pair of keys
   with multiple clients and can opt to use multiple seeds (so long as
   they are kept consistent for each client).  These steps can happen
   offline, i.e., before the registration phase.

   If using "external" mode, the client provides a key pair
   (client_private_key, client_public_key) for an AKE protocol which is
   suitable for use with OPAQUE; See Section 6.  The private-public keys
   (client_private_key, client_public_key) may be randomly generated
   (using a cryptographically secure pseudorandom number generator) for
   the account or provided by the calling client.  Clients MUST NOT use
   the same key pair (client_private_key, client_public_key) for two
   different accounts.

   Once complete, the registration process proceeds as follows.  The
   client inputs the following values:

   *  password: client password.

   *  creds: client credentials, as described in Section 4.

   The server inputs the following values:

   *  server_private_key: server private key for the AKE protocol.

Krawczyk, et al.         Expires 4 November 2021               [Page 21]
Internet-Draft                   OPAQUE                         May 2021

   *  server_public_key: server public key for the AKE protocol.

   *  credential_identifier: client credential identifier.

   *  oprf_seed: seed used to derive per-client OPRF keys.

   The registration protocol then runs as shown below:

     Client                                         Server
    ------------------------------------------------------
    (request, blind) = CreateRegistrationRequest(password)

                           request
                 ------------------------->

   (response, oprf_key) = CreateRegistrationResponse(request,
                             server_public_key,
                             credential_identifier,
                             oprf_seed)

                           response
                 <-------------------------

    (record, export_key) = FinalizeRequest(client_private_key,
                                           password,
                                           blind,
                                           response)

                           record
                 ------------------------->

   Section 5.1.1 describes details of the functions and the
   corresponding parameters referenced above.

   Both client and server MUST validate the other party's public key
   before use.  See Section 8.6 for more details.  Upon completion, the
   server stores the client's credentials for later use.  Moreover, the
   client MAY use the output "export_key" for further application-
   specific purposes; see Section 8.4.

5.1.  Registration Messages

   struct {
     uint8 data[Noe];
   } RegistrationRequest;

   data  A serialized OPRF group element.

Krawczyk, et al.         Expires 4 November 2021               [Page 22]
Internet-Draft                   OPAQUE                         May 2021

   struct {
     uint8 data[Noe];
     uint8 server_public_key[Npk];
   } RegistrationResponse;

   data  A serialized OPRF group element.

   server_public_key  The server's encoded public key that will be used
      for the online authenticated key exchange stage.

   struct {
     uint8 client_public_key[Npk];
     uint8 masking_key[Nh];
     Envelope envelope;
   } RegistrationUpload;

   client_public_key  The client's encoded public key, corresponding to
      the private key "client_private_key".

   masking_key  A key used by the server to preserve confidentiality of
      the envelope during login.

   envelope  The client's "Envelope" structure.

5.1.1.  Registration Functions

5.1.1.1.  CreateRegistrationRequest

   CreateRegistrationRequest(password)

   Input:
   - password, an opaque byte string containing the client's password.

   Output:
   - request, a RegistrationRequest structure.
   - blind, an OPRF scalar value.

   Steps:
   1. (blind, M) = Blind(password)
   2. Create RegistrationRequest request with M
   3. Output (request, blind)

5.1.1.2.  CreateRegistrationResponse

Krawczyk, et al.         Expires 4 November 2021               [Page 23]
Internet-Draft                   OPAQUE                         May 2021

CreateRegistrationResponse(request, server_public_key, credential_identifier, oprf_seed)

Input:
- request, a RegistrationRequest structure.
- server_public_key, the server's public key.
- credential_identifier, an identifier that uniquely represents the credential being
  registered.
- oprf_seed, the server-side seed of Nh bytes used to generate an oprf_key.

Output:
- response, a RegistrationResponse structure.
- oprf_key, the per-client OPRF key known only to the server.

Steps:
1. ikm = Expand(oprf_seed, concat(credential_identifier, "OprfKey"), Nok)
2. (oprf_key, _) = DeriveKeyPair(ikm)
3. Z = Evaluate(oprf_key, request.data)
4. Create RegistrationResponse response with (Z, server_public_key)
5. Output (response, oprf_key)

5.1.1.3.  FinalizeRequest

   To create the user record used for further authentication, the client
   executes the following function.  In the internal key mode, the
   "client_private_key" is nil.

   Depending on the mode, implementations are free to leave out the
   "client_private_key" parameter ("internal" mode), or to additionally
   include "client_public_key" ("external" mode).  See {#envelope-
   creation-recovery} for more details.

Krawczyk, et al.         Expires 4 November 2021               [Page 24]
Internet-Draft                   OPAQUE                         May 2021

FinalizeRequest(client_private_key, password, blind, response)

Input:
- client_private_key, the client's private key. In internal mode, this is nil.
- password, an opaque byte string containing the client's password.
- creds, a Credentials structure.
- blind, the OPRF scalar value used for blinding.
- response, a RegistrationResponse structure.

Output:
- record, a RegistrationUpload structure.
- export_key, an additional client key.

Steps:
1. y = Finalize(password, blind, response.data)
2. randomized_pwd = Extract("", Harden(y, params))
3. (envelope, client_public_key, masking_key, export_key) =
    CreateEnvelope(randomized_pwd, response.server_public_key, client_private_key,
                   creds.server_identity, creds.client_identity)
4. Create RegistrationUpload record with (client_public_key, masking_key, envelope)
5. Output (record, export_key)

   See Section 6 for details about the output export_key usage.

   Upon completion of this function, the client MUST send "record" to
   the server.

5.1.1.4.  Finalize Registration

   The server stores the "record" object as the credential file for each
   client along with the associated "credential_identifier" and
   "client_identity" (if different).  Note that the values "oprf_seed"
   and "server_private_key" from the server's setup phase must also be
   persisted.

6.  Online Authenticated Key Exchange

   The generic outline of OPAQUE with a 3-message AKE protocol includes
   three messages ke1, ke2, and ke3, where ke1 and ke2 include key
   exchange shares, e.g., DH values, sent by the client and server,
   respectively, and ke3 provides explicit client authentication and
   full forward security (without it, forward secrecy is only achieved
   against eavesdroppers, which is insufficient for OPAQUE security).

   This section describes the online authenticated key exchange protocol
   flow, message encoding, and helper functions.  This stage is composed
   of a concurrent OPRF and key exchange flow.  The key exchange
   protocol is authenticated using the client and server credentials

Krawczyk, et al.         Expires 4 November 2021               [Page 25]
Internet-Draft                   OPAQUE                         May 2021

   established during registration; see Section 5.  In the end, the
   client proves its knowledge of the password, and both client and
   server agree on a mutually authenticated shared secret key.

   In this stage, the client inputs the following values:

   *  password: client password.

   *  client_identity: client identity, as described in Section 4.

   *  client_info: optional, application-specific information to send to
      the server during the handshake.

   The server inputs the following values:

   *  server_private_key: server private for the AKE protocol.

   *  server_public_key: server public for the AKE protocol.

   *  server_identity: server identity, as described in Section 4.

   *  record: RegistrationUpload corresponding to the client's
      registration.

   *  credential_identifier: client credential identifier.

   *  oprf_seed: seed used to derive per-client OPRF keys.

   *  server_info: optional, application-specific information to send to
      the client during the handshake.

   The client receives two outputs: a session secret and an export key.
   The export key is only available to the client, and may be used for
   additional application-specific purposes, as outlined in Section 8.4.
   The output "export_key" MUST NOT be used in any way before the
   protocol completes successfully.  See Section 8.3 for more details
   about this requirement.  The server receives a single output: a
   session secret matching that of the client's.

   The protocol runs as shown below:

Krawczyk, et al.         Expires 4 November 2021               [Page 26]
Internet-Draft                   OPAQUE                         May 2021

     Client                                         Server
    ------------------------------------------------------
     ke1 = ClientInit(client_identity, password, client_info)

                            ke1
                 ------------------------->

     ke2 = ServerInit(server_identity, server_private_key,
                       server_public_key, record,
                       credential_identifier, oprf_seed, ke1)

                            ke2
                 <-------------------------

       (ke3,
       server_info,
       session_key,
       export_key) = ClientFinish(password, client_identity,
                                 server_identity, ke2)

                            ke3
                 ------------------------->

                          session_key = ServerFinish(ke3)

   The rest of this section describes these authenticated key exchange
   messages and their parameters in more detail.  Section 6.1 discusses
   internal functions used for retrieving client credentials, and
   Section 6.2 discusses how these functions are used to execute the
   authenticated key exchange protocol.

6.1.  Credential Retrieval

6.1.1.  Credential Retrieval Messages

   struct {
     uint8 data[Noe];
   } CredentialRequest;

   data  A serialized OPRF group element.

   struct {
     uint8 data[Noe];
     uint8 masking_nonce[Nn];
     uint8 masked_response[Npk + Ne];
   } CredentialResponse;

   data  A serialized OPRF group element.

Krawczyk, et al.         Expires 4 November 2021               [Page 27]
Internet-Draft                   OPAQUE                         May 2021

   masking_nonce  A nonce used for the confidentiality of the
      masked_response field

   masked_response  An encrypted form of the server's public key and the
      client's "Envelope" structure

6.1.2.  Credential Retrieval Functions

6.1.2.1.  CreateCredentialRequest

   CreateCredentialRequest(password)

   Input:
   - password, an opaque byte string containing the client's password.

   Output:
   - request, a CredentialRequest structure.
   - blind, an OPRF scalar value.

   Steps:
   1. (blind, M) = Blind(password)
   2. Create CredentialRequest request with M
   3. Output (request, blind)

6.1.2.2.  CreateCredentialResponse

   There are two scenarios to handle for the construction of a
   CredentialResponse object: either the record for the client exists
   (corresponding to a properly registered client), or it was never
   created (corresponding to a client that has yet to register).

   In the case of an existing record with the corresponding identifier
   "credential_identifier", the server invokes the following function to
   produce a CredentialResponse:

Krawczyk, et al.         Expires 4 November 2021               [Page 28]
Internet-Draft                   OPAQUE                         May 2021

CreateCredentialResponse(request, server_public_key, record,
                         credential_identifier, oprf_seed)

Input:
- request, a CredentialRequest structure.
- server_public_key, the public key of the server.
- record, an instance of RegistrationUpload which is the server's
  output from registration.
- credential_identifier, an identifier that uniquely represents the credential
  being registered.
- oprf_seed, the server-side seed of Nh bytes used to generate an oprf_key.

Output:
- response, a CredentialResponse structure.

Steps:
1. ikm = Expand(oprf_seed, concat(credential_identifier, "OprfKey"), Nok)
2. (oprf_key, _) = DeriveKeyPair(ikm)
3. Z = Evaluate(oprf_key, request.data)
4. masking_nonce = random(32)
5. credential_response_pad = Expand(record.masking_key,
     concat(masking_nonce, "CredentialResponsePad"), Npk + Ne)
6. masked_response = xor(credential_response_pad,
                         concat(server_public_key, record.envelope))
7. Create CredentialResponse response with (Z, masking_nonce, masked_response)
8. Output response

   In the case of a record that does not exist, the server invokes the
   CreateCredentialResponse function where the record argument is
   configured so that:

   *  record.masking_key is set to a random byte string of length Nh,
      and

   *  record.envelope is set to the byte string consisting only of
      zeros, of length Ne

   Note that the responses output by either scenario are
   indistinguishable to an adversary that is unable to guess the
   registered password for the client corresponding to
   credential_identifier.

6.1.2.3.  RecoverCredentials

Krawczyk, et al.         Expires 4 November 2021               [Page 29]
Internet-Draft                   OPAQUE                         May 2021

 RecoverCredentials(password, blind, response, creds)

 Input:
 - password, an opaque byte string containing the client's password.
 - blind, an OPRF scalar value.
 - response, a CredentialResponse structure.
 - creds, a Credentials structure.

 Output:
 - client_private_key, the client's private key for the AKE protocol.
 - server_public_key, the public key of the server.
 - export_key, an additional client key.

 Steps:
 1. y = Finalize(password, blind, response.data)
 2. randomized_pwd = Extract("", Harden(y, params))
 3. masking_key = Expand(randomized_pwd, "MaskingKey", Nh)
 4. credential_response_pad = Expand(masking_key,
      concat(response.masking_nonce, "CredentialResponsePad"), Npk + Ne)
 5. concat(server_public_key, envelope) = xor(credential_response_pad,
                                               response.masked_response)
 6. (client_private_key, export_key) =
     RecoverEnvelope(randomized_pwd, server_public_key, creds, envelope)
 7. Output (client_private_key, response.server_public_key, export_key)

6.2.  AKE Protocol

   This section describes the authenticated key exchange protocol for
   OPAQUE using 3DH, a 3-message AKE which satisfies the forward secrecy
   and KCI properties discussed in Section 8.  The protocol consists of
   three messages sent between client and server, each computed using
   the following application APIs:

   *  ke1 = ClientInit(client_identity, password, client_info)

   *  ke2, client_info = ServerInit(server_identity, server_private_key,
      server_public_key, record, credential_identifier, oprf_seed, ke1)

   *  ke3, server_info, session_key, export_key = ClientFinish(password,
      client_identity, server_identity, ke2)

   *  session_key = ServerFinish(ke3)

Krawczyk, et al.         Expires 4 November 2021               [Page 30]
Internet-Draft                   OPAQUE                         May 2021

   Outputs "ke1", "ke2", and "ke3" are the three protocol messages sent
   between client and server.  Outputs "client_info" and "server_info"
   correspond to the optional information exchanged between client and
   server during the key exchange protocol.  And finally, "session_key"
   and "export_key" are outputs to be consumed by applications.
   Applications can use "session_key" to derive additional keying
   material as needed.

   Both ClientFinish and ServerFinish return an error if authentication
   failed.  In this case, clients and servers MUST NOT use any outputs
   from the protocol, such as "session_key" or "export_key".  ClientInit
   and ServerInit both implicitly return internal state objects
   "client_state" and "server_state", respectively, with the following
   named fields:

   struct {
     uint8 blind[Nok];
     uint8 client_secret[Nsk];
     KE1 ke1;
   } ClientState;

   struct {
     uint8 expected_client_mac[Nm];
     uint8 session_key[Nx];
   } ServerState;

   Section 6.2.3 and Section 6.2.4 specify the inner working of these
   functions and their parameters for clients and servers, respectively.

   Prior to the execution of these functions, both the client and the
   server MUST agree on a configuration; see Section 7 for details.

6.2.1.  Protocol Messages

   struct {
     CredentialRequest request;
     uint8 client_nonce[Nn];
     uint8 client_info<0..2^16-1>;
     uint8 client_keyshare[Npk];
   } KE1;

   request  A "CredentialRequest" generated according to
      Section 6.1.2.1.

   client_nonce  A fresh randomly generated nonce of length "Nn".

   client_info  Optional application-specific information to exchange
      during the protocol.

Krawczyk, et al.         Expires 4 November 2021               [Page 31]
Internet-Draft                   OPAQUE                         May 2021

   client_keyshare  Client ephemeral key share of fixed size Npk, where
      Npk depends on the corresponding prime order group.

   struct {
     struct {
       CredentialResponse response;
       uint8 server_nonce[Nn];
       uint8 server_keyshare[Npk];
     } inner_ke2;
     uint8 enc_server_info<0..2^16-1>;
     uint8 server_mac[Nm];
   } KE2;

   response  A "CredentialResponse" generated according to
      Section 6.1.2.2.

   server_nonce  A fresh randomly generated nonce of length "Nn".

   server_keyshare  Server ephemeral key share of fixed size Npk, where
      Npk depends on the corresponding prime order group.

   enc_server_info  Optional application-specific information to
      exchange during the protocol encrypted under key Ke2, defined
      below.

   server_mac  An authentication tag computed over the handshake
      transcript computed using Km2, defined below.

   struct {
     uint8 client_mac[Nm];
   } KE3;

   client_mac  An authentication tag computed over the handshake
      transcript computed using Km2, defined below.

6.2.2.  Key Schedule Functions

6.2.2.1.  Transcript Functions

   The OPAQUE-3DH key derivation procedures make use of the functions
   below, re-purposed from TLS 1.3 [RFC8446].

   Expand-Label(Secret, Label, Context, Length) =
       Expand(Secret, CustomLabel, Length)

   Where CustomLabel is specified as:

Krawczyk, et al.         Expires 4 November 2021               [Page 32]
Internet-Draft                   OPAQUE                         May 2021

   struct {
     uint16 length = Length;
     opaque label<8..255> = "OPAQUE-" + Label;
     uint8 context<0..255> = Context;
   } CustomLabel;

   Derive-Secret(Secret, Label, Transcript-Hash) =
       Expand-Label(Secret, Label, Transcript-Hash, Nx)

   Note that the Label parameter is not a NULL-terminated string.

   The OPAQUE-3DH key schedule requires a preamble, which is computed as
   follows.

   Preamble(client_identity, ke1, server_identity, inner_ke2)

   Input:
   - client_identity, the optional encoded client identity, which is set
     to client_public_key if not specified.
   - ke1, a KE1 message structure.
   - server_identity, the optional encoded server identity, which is set
     to server_public_key if not specified.
   - inner_ke2, an inner_ke2 structure as defined in KE2.

   Output:
   - preamble, the protocol transcript with identities and messages.

   Steps:
   1. preamble = concat("3DH",
                        I2OSP(len(client_identity), 2), client_identity,
                        ke1,
                        I2OSP(len(server_identity), 2), server_identity,
                        inner_ke2)
   2. Output preamble

6.2.2.2.  Shared Secret Derivation

   The OPAQUE-3DH shared secret derived during the key exchange protocol
   is computed using the following function.

Krawczyk, et al.         Expires 4 November 2021               [Page 33]
Internet-Draft                   OPAQUE                         May 2021

   TripleDHIKM(sk1, pk1, sk2, pk2, sk3, pk3)

   Input:
   - skx, scalar to be multiplied with their corresponding pkx.
   - pkx, element to be multiplied with their corresponding skx.

   Output:
   - ikm, input key material.

   Steps:
   1. dh1 = sk1 * pk1
   2. dh2 = sk2 * pk2
   3. dh3 = sk3 * pk3
   4. Output concat(dh1, dh2, dh3)

   Using this shared secret, further keys used for encryption and
   authentication are computed using the following function.

DeriveKeys(ikm, preamble)

Input:
- ikm, input key material.
- preamble, the transcript as defined by Preamble().

Output:
- Km2, a MAC authentication key.
- Km3, a MAC authentication key.
- handshake_encrypt_key, an encryption key for `enc_server_info`.
- session_key, the shared session secret.

Steps:
1. prk = Extract("", ikm)
2. handshake_secret = Derive-Secret(prk, "HandshakeSecret", Hash(preamble))
3. session_key = Derive-Secret(prk, "SessionKey", Hash(preamble))
4. Km2 = Derive-Secret(handshake_secret, "ServerMAC", "")
5. Km3 = Derive-Secret(handshake_secret, "ClientMAC", "")
6. handshake_encrypt_key = Derive-Secret(handshake_secret, "HandshakeKey", "")
7. Output (Km2, Km3, handshake_encrypt_key, session_key)

6.2.3.  External Client API

Krawczyk, et al.         Expires 4 November 2021               [Page 34]
Internet-Draft                   OPAQUE                         May 2021

ClientInit(client_identity, password, client_info)

State:
- state, a ClientState structure.

Input:
- client_identity, the optional encoded client identity, which is nil
  if not specified.
- password, an opaque byte string containing the client's password.
- client_info, the optional client_info sent unencrypted to the server,
  only authenticated with client_mac in KE3.

Output:
- ke1, a KE1 message structure.
- blind, the OPRF blinding scalar.
- client_secret, the client's Diffie-Hellman secret share for the session.

Steps:
1. request, blind = CreateCredentialRequest(password)
2. state.blind = blind
3. ke1 = Start(request, client_info)
4. Output ke1

Krawczyk, et al.         Expires 4 November 2021               [Page 35]
Internet-Draft                   OPAQUE                         May 2021

ClientFinish(password, client_identity, server_identity, ke1, ke2)

State:
- state, a ClientState structure

Input:
- password, an opaque byte string containing the client's password.
- client_identity, the optional encoded client identity, which is set
  to client_public_key if not specified.
- server_identity, the optional encoded server identity, which is set
  to server_public_key if not specified.
- ke1, a KE1 message structure.
- ke2, a KE2 message structure.

Output:
- ke3, a KE3 message structure.
- server_info, optional application-specific information sent encrypted
  and authenticated to the client.
- session_key, the session's shared secret.

Steps:
1. Create Credentials creds with (client_identity, server_identity)
2. (client_private_key, server_public_key, export_key) =
    RecoverCredentials(password, state.blind, ke2.CredentialResponse)
3. (ke3, server_info, session_key) =
    ClientFinalize(client_identity, client_private_key, server_identity,
                    server_public_key, ke1, ke2)
4. Output (ke3, server_info, session_key)

6.2.3.1.  Internal Client Functions

Krawczyk, et al.         Expires 4 November 2021               [Page 36]
Internet-Draft                   OPAQUE                         May 2021

 Start(credential_request, client_info)

 Parameters:
 - Nn, the nonce length.

 State:
 - state, a ClientState structure.

 Input:
 - credential_request, a CredentialRequest structure.
 - client_info, the optional client_info sent unencrypted to the server,
   only authenticated with client_mac in KE3.

 Output:
 - ke1, a KE1 structure.

 Steps:
 1. client_nonce = random(Nn)
 2. client_secret, client_keyshare = GenerateKeyPair()
 3. Create KE1 ke1 with (credential_request, client_nonce,
                         client_info, client_keyshare)
 4. state.client_secret = client_secret
 5. Output (ke1, client_secret)

Krawczyk, et al.         Expires 4 November 2021               [Page 37]
Internet-Draft                   OPAQUE                         May 2021

ClientFinalize(client_identity, client_private_key, server_identity,
               server_public_key, ke1, ke2)

State:
- state, a ClientState structure.

Input:
- client_identity, the optional encoded client identity, which is
  set to client_public_key if not specified.
- client_private_key, the client's private key.
- server_identity, the optional encoded server identity, which is
  set to server_public_key if not specified.
- server_public_key, the server's public key.
- ke2, a KE2 message structure.

Output:
- ke3, a KE3 structure.
- server_info, optional application-specific information sent
  encrypted and authenticated to the client.
- session_key, the shared session secret.

Steps:
1. ikm = TripleDHIKM(state.client_secret, ke2.server_keyshare,
    state.client_secret, server_public_key, client_private_key, ke2.server_keyshare)
2. preamble = Preamble(client_identity, state.ke1, server_identity, ke2.inner_ke2)
3. Km2, Km3, handshake_encrypt_key, session_key = DeriveKeys(ikm, preamble)
4. expected_server_mac = MAC(Km2, Hash(concat(preamble, ke2.enc_server_info))
5. If !ct_equal(ke2.server_mac, expected_server_mac),
     raise MacError
6. client_mac = MAC(Km3, Hash(concat(preamble, ke2.enc_server_info, expected_server_mac))
7. pad = Expand(handshake_encrypt_key, "EncryptionPad", len(ke2.enc_server_info))
8. server_info = xor(pad, enc_server_info)
9. Create KE3 ke3 with client_mac
10. Output (ke3, server_info, session_key)

6.2.4.  External Server API

Krawczyk, et al.         Expires 4 November 2021               [Page 38]
Internet-Draft                   OPAQUE                         May 2021

ServerInit(server_identity, server_private_key, server_public_key,
           record, credential_identifier, oprf_seed, ke1)

Input:
- server_identity, the optional encoded server identity, which is set to
  server_public_key if nil.
- server_private_key, the server's private key.
- server_public_key, the server's public key.
- server_info, the optional server info sent unencrypted to the client.
- record, the client's RegistrationUpload structure.
- credential_identifier, an identifier that uniquely represents the credential
  being registered.
- oprf_seed, the server-side seed of Nh bytes used to generate an oprf_key.
- ke1, a KE1 message structure.

Output:
- ke2, a KE2 structure.
- client_info, the optional client_info sent unencrypted to the server, only
  authenticated with client_mac in KE3.

Steps:
1. response = CreateCredentialResponse(ke1.request, server_public_key, record,
    credential_identifier, oprf_seed)
2. (ke2, client_info) = Response(server_identity, server_private_key,
    client_identity, record.client_public_key, server_info, ke1, response)
3. Output (ke2, client_info)

ServerFinish(ke3)

State:
- state, a ServerState structure.

Input:
- ke3, a KE3 structure.

Output:
- session_key, the shared session secret if, and only if, KE3 is valid, nil otherwise.

Steps:
1. if ct_equal(ke3.client_mac, state.expected_client_mac):
2.    Output state.session_key
3. Output nil

6.2.4.1.  Internal Server Functions

Krawczyk, et al.         Expires 4 November 2021               [Page 39]
Internet-Draft                   OPAQUE                         May 2021

Response(server_identity, server_private_key, client_identity,
         client_public_key, server_info, ke1, credential_response)

Parameters:
- Nn, the nonce length.

State:
- state, a ServerState structure.

Input:
- server_identity, the optional encoded server identity, which is set to
  server_public_key if not specified.
- server_private_key, the server's private key.
- client_identity, the optional encoded client identity, which is set to
  client_public_key if not specified.
- client_public_key, the client's public key.
- server_info, optional application-specific information sent encrypted and
  authenticated to the client.
- ke1, a KE1 message structure.
- credential_response, a CredentialResponse structure.

Output:
- ke2, A KE2 structure.
- client_info, the optional client_info sent unencrypted to the server,
  only authenticated with client_mac in KE3.

Steps:
1. server_nonce = random(Nn)
2. server_secret, server_keyshare = GenerateKeyPair()
3. Create inner_ke2 ike2 with (credential_response, server_nonce, server_keyshare)
4. preamble = Preamble(client_identity, ke1, server_identity, ike2)
5. ikm = TripleDHIKM(server_secret, ke1.client_keyshare, server_private_key, ke1.client_keyshare, server_secret, client_public_key)
6. Km2, Km3, handshake_encrypt_key, session_key = DeriveKeys(ikm, preamble)
7. pad = Expand(handshake_encrypt_key, "EncryptionPad", len(server_info))
8. enc_server_info = xor(pad, server_info)
9. server_mac = MAC(Km2, Hash(concat(preamble, enc_server_info))
10. expected_client_mac = MAC(Km3, Hash(concat(preamble, enc_server_info, server_mac))
11. Populate state with ServerState(expected_client_mac, session_key)
11. Create KE2 ke2 with (ike2, enc_server_info, server_mac)
12. Output (ke2, ke1.client_info)

7.  Configurations

   An OPAQUE-3DH configuration is a tuple (OPRF, KDF, MAC, Hash, MHF,
   EnvelopeMode, Group) such that the following conditions are met:

Krawczyk, et al.         Expires 4 November 2021               [Page 40]
Internet-Draft                   OPAQUE                         May 2021

   *  The OPRF protocol uses the "base mode" variant of
      [I-D.irtf-cfrg-voprf] and implements the interface in Section 2.
      Examples include OPRF(ristretto255, SHA-512) and OPRF(P-256, SHA-
      256).

   *  The KDF, MAC, and Hash functions implement the interfaces in
      Section 2.  Examples include HKDF [RFC5869] for the KDF, HMAC
      [RFC2104] for the MAC, and SHA-256 and SHA-512 for the Hash
      functions.  If an extensible output function such as SHAKE128
      [FIPS202] is used then the output length "Nh" MUST be chosen to
      align with the target security level of the OPAQUE configuration.
      For example, if the target security parameter for the
      configuration is 128-bits, then "Nh" SHOULD be at least 32 bytes.

   *  The MHF has fixed parameters, chosen by the application, and
      implements the interface in Section 2.  Examples include Argon2
      [I-D.irtf-cfrg-argon2], scrypt [RFC7914], and PBKDF2 [RFC2898]
      with fixed parameter choices.

   *  EnvelopeMode value is as defined in Section 4, and is one of
      "internal" or "external".

   *  The Group mode identifies the group used in the OPAQUE-3DH AKE.
      This SHOULD match that of the OPRF.  For example, if the OPRF is
      OPRF(ristretto255, SHA-512), then Group SHOULD be ristretto255.

   Absent an application-specific profile, the following configurations
   are RECOMMENDED:

   *  OPRF(ristretto255, SHA-512), HKDF-SHA-512, HMAC-SHA-512, SHA-512,
      Scrypt(32768,8,1), internal, ristretto255

   *  OPRF(P-256, SHA-256), HKDF-SHA-256, HMAC-SHA-256, SHA-256,
      Scrypt(32768,8,1), internal, P-256

   Future configurations may specify different combinations of dependent
   algorithms, with the following considerations:

   1.  The size of AKE public and private keys - "Npk" and "Nsk",
       respectively - must adhere to the output length limitations of
       the KDF Expand function.  If HKDF is used, this means Npk, Nsk <=
       255 * Nx, where Nx is the output size of the underlying hash
       function.  See [RFC5869] for details.

   2.  The output size of the Hash function SHOULD be long enough to
       produce a key for MAC of suitable length.  For example, if MAC is
       HMAC-SHA256, then "Nh" could be the 32 bytes.

Krawczyk, et al.         Expires 4 November 2021               [Page 41]
Internet-Draft                   OPAQUE                         May 2021

8.  Security Considerations

   OPAQUE is defined and proven as the composition of two
   functionalities: an OPRF and an AKE protocol.  It can be seen as a
   "compiler" for transforming any AKE protocol (with KCI security and
   forward secrecy - see below) into a secure aPAKE protocol.  In
   OPAQUE, the client stores a secret private key at the server during
   password registration and retrieves this key each time it needs to
   authenticate to the server.  The OPRF security properties ensure that
   only the correct password can unlock the private key while at the
   same time avoiding potential offline guessing attacks.  This general
   composability property provides great flexibility and enables a
   variety of OPAQUE instantiations, from optimized performance to
   integration with TLS.  The latter aspect is of prime importance as
   the use of OPAQUE with TLS constitutes a major security improvement
   relative to the standard password-over-TLS practice.  At the same
   time, the combination with TLS builds OPAQUE as a fully functional
   secure communications protocol and can help provide privacy to
   account information sent by the client to the server prior to
   authentication.

   The KCI property required from AKE protocols for use with OPAQUE
   states that knowledge of a party's private key does not allow an
   attacker to impersonate others to that party.  This is an important
   security property achieved by most public-key based AKE protocols,
   including protocols that use signatures or public key encryption for
   authentication.  It is also a property of many implicitly
   authenticated protocols, e.g., HMQV, but not all of them.  We also
   note that key exchange protocols based on shared keys do not satisfy
   the KCI requirement, hence they are not considered in the OPAQUE
   setting.  We note that KCI is needed to ensure a crucial property of
   OPAQUE: even upon compromise of the server, the attacker cannot
   impersonate the client to the server without first running an
   exhaustive dictionary attack.  Another essential requirement from AKE
   protocols for use in OPAQUE is to provide forward secrecy (against
   active attackers).

8.1.  Related Analysis

   Jarecki et al.  [OPAQUE] proved the security of OPAQUE in a strong
   aPAKE model that ensures security against pre-computation attacks and
   is formulated in the Universal Composability (UC) framework
   [Canetti01] under the random oracle model.  This assumes security of
   the OPRF function and the underlying key exchange protocol.  In turn,
   the security of the OPRF protocol from [I-D.irtf-cfrg-voprf] is
   proven in the random oracle model under the One-More Diffie-Hellman
   assumption [JKKX16].

Krawczyk, et al.         Expires 4 November 2021               [Page 42]
Internet-Draft                   OPAQUE                         May 2021

   Very few aPAKE protocols have been proven formally, and those proven
   were analyzed in a weak security model that allows for pre-
   computation attacks (e.g., [GMR06]).  This is not just a formal
   issue: these protocols are actually vulnerable to such attacks.  This
   includes protocols that have recent analyses in the UC model such as
   AuCPace [AuCPace] and SPAKE2+ [SPAKE2plus].  We note that as shown in
   [OPAQUE], these protocols, and any aPAKE in the model from [GMR06],
   can be converted into an aPAKE secure against pre-computation attacks
   at the expense of an additional OPRF execution.

   OPAQUE's design builds on a line of work initiated in the seminal
   paper of Ford and Kaliski [FK00] and is based on the HPAKE protocol
   of Xavier Boyen [Boyen09] and the (1,1)-PPSS protocol from Jarecki et
   al.  [JKKX16].  None of these papers considered security against pre-
   computation attacks or presented a proof of aPAKE security (not even
   in a weak model).

8.2.  Identities

   AKE protocols generate keys that need to be uniquely and verifiably
   bound to a pair of identities.  In the case of OPAQUE, those
   identities correspond to client_identity and server_identity.  Thus,
   it is essential for the parties to agree on such identities,
   including an agreed bit representation of these identities as needed.

   Applications may have different policies about how and when
   identities are determined.  A natural approach is to tie
   client_identity to the identity the server uses to fetch envelope
   (hence determined during password registration) and to tie
   server_identity to the server identity used by the client to initiate
   an offline password registration or online authenticated key exchange
   session. server_identity and client_identity can also be part of the
   envelope or be tied to the parties' public keys.  In principle,
   identities may change across different sessions as long as there is a
   policy that can establish if the identity is acceptable or not to the
   peer.  However, we note that the public keys of both the server and
   the client must always be those defined at the time of password
   registration.

   The client identity (client_identity) and server identity
   (server_identity) are optional parameters that are left to the
   application to designate as monikers for the client and server.  If
   the application layer does not supply values for these parameters,
   then they will be omitted from the creation of the envelope during
   the registration stage.  Furthermore, they will be substituted with
   client_identity = client_public_key and server_identity =
   server_public_key during the authenticated key exchange stage.

Krawczyk, et al.         Expires 4 November 2021               [Page 43]
Internet-Draft                   OPAQUE                         May 2021

   The advantage to supplying a custom client_identity and
   server_identity (instead of simply relying on a fallback to
   client_public_key and server_public_key) is that the client can then
   ensure that any mappings between client_identity and
   client_public_key (and server_identity and server_public_key) are
   protected by the authentication from the envelope.  Then, the client
   can verify that the client_identity and server_identity contained in
   its envelope match the client_identity and server_identity supplied
   by the server.

   However, if this extra layer of verification is unnecessary for the
   application, then simply leaving client_identity and server_identity
   unspecified (and using client_public_key and server_public_key
   instead) is acceptable.

8.3.  Envelope Encryption

   The analysis of OPAQUE from [OPAQUE] requires the authenticated
   encryption scheme used to produce the envelope in the external mode
   to have a special property called random key-robustness (or key-
   committing).  This specification enforces this property by utilizing
   encrypt-then-MAC in the construction of the envelope.  There is no
   option to use another authenticated encryption scheme with this
   specification.  (Deviating from the key-robustness requirement may
   open the protocol to attacks, e.g., [LGR20].)  We remark that
   export_key for authentication or encryption requires no special
   properties from the authentication or encryption schemes as long as
   export_key is used only after the envelope is validated, i.e., after
   the MAC in RecoverCredentials passes verification.

8.4.  Export Key Usage

   The export key can be used (separately from the OPAQUE protocol) to
   provide confidentiality and integrity to other data which only the
   client should be able to process.  For instance, if the server is
   expected to maintain any client-side secrets which require a password
   to access, then this export key can be used to encrypt these secrets
   so that they remain hidden from the server.

8.5.  Static Diffie-Hellman Oracles

   While one can expect the practical security of the OPRF function
   (namely, the hardness of computing the function without knowing the
   key) to be in the order of computing discrete logarithms or solving
   Diffie-Hellman, Brown and Gallant [BG04] and Cheon [Cheon06] show an
   attack that slightly improves on generic attacks.  For typical
   curves, the attack requires an infeasible number of calls to the OPRF
   or results in insignificant security loss; see [I-D.irtf-cfrg-voprf]

Krawczyk, et al.         Expires 4 November 2021               [Page 44]
Internet-Draft                   OPAQUE                         May 2021

   for more information.  For OPAQUE, these attacks are particularly
   impractical as they translate into an infeasible number of failed
   authentication attempts directed at individual users.

8.6.  Input Validation

   Both client and server MUST validate the other party's public key(s)
   used for the execution of OPAQUE.  This includes the keys shared
   during the offline registration phase, as well as any keys shared
   during the online key agreement phase.  The validation procedure
   varies depending on the type of key.  For example, for OPAQUE
   instantiations using 3DH with P-256, P-384, or P-521 as the
   underlying group, validation is as specified in Section 5.6.2.3.4 of
   [keyagreement].  This includes checking that the coordinates are in
   the correct range, that the point is on the curve, and that the point
   is not the point at infinity.  Additionally, validation MUST ensure
   the Diffie-Hellman shared secret is not the point at infinity.

8.7.  OPRF Hardening

   Hardening the output of the OPRF greatly increases the cost of an
   offline attack upon the compromise of the password file at the
   server.  Applications SHOULD select parameters that balance cost and
   complexity.

8.8.  Preventing Client Enumeration

   Client enumeration refers to attacks where the attacker tries to
   learn extra information about the behavior of clients that have
   registered with the server.  There are two types of attacks we
   consider: 1) An attacker tries to learn whether a given client
   identity is registered with a server, and 2) An attacker tries to
   learn whether a given client identity has recently completed
   registration, or has re-registered (e.g. after a password change).

   Preventing the first type of attack requires the server to act with
   unregistered client identities in a way that is indistinguishable
   from its behavior with existing registered clients.  This is achieved
   in Section 6.1.2.2 for an unregistered client by simulating a
   CredentialResponse for unregistered clients through the sampling of a
   random masking_key value and relying on the semantic security
   provided by the XOR-based pad over the envelope.

   Implementations must employ care to avoid side-channel leakage (e.g.,
   timing attacks) from helping differentiate these operations from a
   regular server response.

Krawczyk, et al.         Expires 4 November 2021               [Page 45]
Internet-Draft                   OPAQUE                         May 2021

   Preventing the second type of attack requires the server to supply a
   credential_identifier value for a given client identity, consistently
   between the Section 5.1.1.2 and Section 6.1.2.2 steps.  Note that
   credential_identifier can be set to client_identity, for simplicity.

   In the event of a server compromise that results in a re-registration
   of credentials for all compromised clients, the oprf_seed value must
   be resampled, resulting in a change in the oprf_key value for each
   client.  Although this change can be detected by an adversary, it is
   only leaked upon password rotation after the exposure of the
   credential files.

   Applications must use the same envelope mode when using this
   prevention throughout their lifecycle.  The envelope size varies from
   one to another, and a switch in envelope mode could then be detected.

   Finally, note that server implementations may choose to forego the
   construction of a simulated credential response message for an
   unregistered client if these client enumeration attacks can be
   mitigated through other application-specific means.

8.9.  Password Salt and Storage Implications

   In OPAQUE, the OPRF key acts as the secret salt value that ensures
   the infeasibility of pre-computation attacks.  No extra salt value is
   needed.  Also, clients never disclose their passwords to the server,
   even during registration.  Note that a corrupted server can run an
   exhaustive offline dictionary attack to validate guesses for the
   client's password; this is inevitable in any aPAKE protocol.  (OPAQUE
   enables defense against such offline dictionary attacks by
   distributing the server so that an offline attack is only possible if
   all - or a minimal number of - servers are compromised [OPAQUE].)

   Some applications may require learning the client's password for
   enforcing password rules.  Doing so invalidates this important
   security property of OPAQUE and is NOT RECOMMENDED.  Applications
   should move such checks to the client.  Note that limited checks at
   the server are possible to implement, e.g., detecting repeated
   passwords.

9.  IANA Considerations

   This document makes no IANA requests.

10.  References

10.1.  Normative References

Krawczyk, et al.         Expires 4 November 2021               [Page 46]
Internet-Draft                   OPAQUE                         May 2021

   [I-D.irtf-cfrg-voprf]
              Davidson, A., Faz-Hernandez, A., Sullivan, N., and C. A.
              Wood, "Oblivious Pseudorandom Functions (OPRFs) using
              Prime-Order Groups", Work in Progress, Internet-Draft,
              draft-irtf-cfrg-voprf-06, 21 February 2021,
              <https://www.ietf.org/archive/id/draft-irtf-cfrg-voprf-
              06.txt>.

   [RFC2104]  Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-
              Hashing for Message Authentication", RFC 2104,
              DOI 10.17487/RFC2104, February 1997,
              <https://www.rfc-editor.org/info/rfc2104>.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC4086]  Eastlake 3rd, D., Schiller, J., and S. Crocker,
              "Randomness Requirements for Security", BCP 106, RFC 4086,
              DOI 10.17487/RFC4086, June 2005,
              <https://www.rfc-editor.org/info/rfc4086>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

10.2.  Informative References

   [AuCPace]  Haase, B. and B. Labrique, "AuCPace: Efficient verifier-
              based PAKE protocol tailored for the IIoT",
              http://eprint.iacr.org/2018/286 , 2018.

   [BG04]     Brown, D. and R. Galant, "The static Diffie-Hellman
              problem", http://eprint.iacr.org/2004/306 , 2004.

   [Boyen09]  Boyen, X., "HPAKE: Password Authentication Secure against
              Cross-Site User Impersonation", Cryptology and Network
              Security (CANS) , 2009.

   [Canetti01]
              Canetti, R., "Universally composable security: A new
              paradigm for cryptographic protocols", IEEE Symposium on
              Foundations of Computer Science (FOCS) , 2001.

   [Cheon06]  Cheon, J.H., "Security analysis of the strong Diffie-
              Hellman problem", Euroctypt 2006 , 2006.

Krawczyk, et al.         Expires 4 November 2021               [Page 47]
Internet-Draft                   OPAQUE                         May 2021

   [FIPS202]  National Institute of Standards and Technology (NIST),
              "SHA-3 Standard: Permutation-Based Hash and Extendable-
              Output Functions", August 2015,
              <https://nvlpubs.nist.gov/nistpubs/FIPS/
              NIST.FIPS.202.pdf>.

   [FK00]     Ford, W. and B.S. Kaliski, Jr, "Server-assisted generation
              of a strong secret from a password", WETICE , 2000.

   [GMR06]    Gentry, C., MacKenzie, P., and . Z, Ramzan, "A method for
              making password-based key exchange resilient to server
              compromise", CRYPTO , 2006.

   [HMQV]     Krawczyk, H., "HMQV: A high-performance secure Diffie-
              Hellman protocol", CRYPTO , 2005.

   [I-D.irtf-cfrg-argon2]
              Biryukov, A., Dinu, D., Khovratovich, D., and S.
              Josefsson, "The memory-hard Argon2 password hash and
              proof-of-work function", Work in Progress, Internet-Draft,
              draft-irtf-cfrg-argon2-13, 11 March 2021,
              <https://www.ietf.org/internet-drafts/draft-irtf-cfrg-
              argon2-13.txt>.

   [JKKX16]   Jarecki, S., Kiayias, A., Krawczyk, H., and J. Xu,
              "Highly-efficient and composable password-protected secret
              sharing (or: how to protect your bitcoin wallet online)",
              IEEE European Symposium on Security and Privacy , 2016.

   [keyagreement]
              Barker, E., Chen, L., Roginsky, A., Vassilev, A., and R.
              Davis, "Recommendation for pair-wise key-establishment
              schemes using discrete logarithm cryptography",
              DOI 10.6028/nist.sp.800-56ar3, National Institute of
              Standards and Technology report, April 2018,
              <https://doi.org/10.6028/nist.sp.800-56ar3>.

   [LGR20]    Len, J., Grubbs, P., and T. Ristenpart, "Partitioning
              Oracle Attacks", n.d.,
              <https://eprint.iacr.org/2020/1491.pdf>.

   [OPAQUE]   Jarecki, S., Krawczyk, H., and J. Xu, "OPAQUE: An
              Asymmetric PAKE Protocol Secure Against Pre-Computation
              Attacks", Eurocrypt , 2018.

Krawczyk, et al.         Expires 4 November 2021               [Page 48]
Internet-Draft                   OPAQUE                         May 2021

   [RFC2898]  Kaliski, B., "PKCS #5: Password-Based Cryptography
              Specification Version 2.0", RFC 2898,
              DOI 10.17487/RFC2898, September 2000,
              <https://www.rfc-editor.org/info/rfc2898>.

   [RFC2945]  Wu, T., "The SRP Authentication and Key Exchange System",
              RFC 2945, DOI 10.17487/RFC2945, September 2000,
              <https://www.rfc-editor.org/info/rfc2945>.

   [RFC5869]  Krawczyk, H. and P. Eronen, "HMAC-based Extract-and-Expand
              Key Derivation Function (HKDF)", RFC 5869,
              DOI 10.17487/RFC5869, May 2010,
              <https://www.rfc-editor.org/info/rfc5869>.

   [RFC7914]  Percival, C. and S. Josefsson, "The scrypt Password-Based
              Key Derivation Function", RFC 7914, DOI 10.17487/RFC7914,
              August 2016, <https://www.rfc-editor.org/info/rfc7914>.

   [RFC8017]  Moriarty, K., Ed., Kaliski, B., Jonsson, J., and A. Rusch,
              "PKCS #1: RSA Cryptography Specifications Version 2.2",
              RFC 8017, DOI 10.17487/RFC8017, November 2016,
              <https://www.rfc-editor.org/info/rfc8017>.

   [RFC8125]  Schmidt, J., "Requirements for Password-Authenticated Key
              Agreement (PAKE) Schemes", RFC 8125, DOI 10.17487/RFC8125,
              April 2017, <https://www.rfc-editor.org/info/rfc8125>.

   [RFC8446]  Rescorla, E., "The Transport Layer Security (TLS) Protocol
              Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
              <https://www.rfc-editor.org/info/rfc8446>.

   [SIGNAL]   "Signal recommended cryptographic algorithms",
              https://signal.org/docs/specifications/
              doubleratchet/#recommended-cryptographic-algorithms ,
              2016.

   [SPAKE2plus]
              Shoup, V., "Security Analysis of SPAKE2+",
              http://eprint.iacr.org/2020/313 , 2020.

Krawczyk, et al.         Expires 4 November 2021               [Page 49]
Internet-Draft                   OPAQUE                         May 2021

Appendix A.  Acknowledgments

   The OPAQUE protocol and its analysis is joint work of the author with
   Stas Jarecki and Jiayu Xu.  We are indebted to the OPAQUE reviewers
   during CFRG's aPAKE selection process, particularly Julia Hesse and
   Bjorn Tackmann.  This draft has benefited from comments by multiple
   people.  Special thanks to Richard Barnes, Dan Brown, Eric Crockett,
   Paul Grubbs, Fredrik Kuivinen, Payman Mohassel, Jason Resch, Greg
   Rubin, and Nick Sullivan.

Appendix B.  Alternate AKE Instantiations

   It is possible to instantiate OPAQUE with other AKEs, such as HMQV
   [HMQV] and SIGMA-I.  HMQV is similar to 3DH but varies in its key
   schedule.  SIGMA-I uses digital signatures rather than static DH keys
   for authentication.  Specification of these instantiations is left to
   future documents.  A sketch of how these instantiations might change
   is included in the next subsection for posterity.

   OPAQUE may also be instantiated with any post-quantum (PQ) AKE
   protocol that has the message flow above and security properties (KCI
   resistance and forward secrecy) outlined in Section 8.  Note that
   such an instantiation is not quantum-safe unless the OPRF is quantum-
   safe.  However, an OPAQUE instantiation where the AKE is quantum-
   safe, but the OPRF is not, would still ensure the confidentiality of
   application data encrypted under session_key (or a key derived from
   it) with a quantum-safe encryption function.

B.1.  HMQV Instantiation Sketch

   An HMQV instantiation would work similar to OPAQUE-3DH, differing
   primarily in the key schedule [HMQV].  First, the key schedule
   "preamble" value would use a different constant prefix - "HMQV"
   instead of "3DH" - as shown below.

   preamble = concat("HMQV",
                     I2OSP(len(client_identity), 2), client_identity,
                     KE1,
                     I2OSP(len(server_identity), 2), server_identity,
                     KE2.inner_ke2)

   Second, the IKM derivation would change.  Assuming HMQV is
   instantiated with a cyclic group of prime order p with bit length L,
   clients would compute "IKM" as follows:

   u' = (eskU + u \* skU) mod p
   IKM = (epkS \* pkS^s)^u'

Krawczyk, et al.         Expires 4 November 2021               [Page 50]
Internet-Draft                   OPAQUE                         May 2021

   Likewise, servers would compute "IKM" as follows:

   s' = (eskS + s \* skS) mod p
   IKM = (epkU \* pkU^u)^s'

   In both cases, "u" would be computed as follows:

   hashInput = concat(I2OSP(len(epkU), 2), epkU,
                      I2OSP(len(info), 2), info,
                      I2OSP(len("client"), 2), "client")
   u = Hash(hashInput) mod L

   Likewise, "s" would be computed as follows:

   hashInput = concat(I2OSP(len(epkS), 2), epkS,
                      I2OSP(len(info), 2), info,
                      I2OSP(len("server"), 2), "server")
   s = Hash(hashInput) mod L

   Hash is the same hash function used in the main OPAQUE protocol for
   key derivation.  Its output length (in bits) must be at least L.

B.2.  SIGMA-I Instantiation Sketch

   A SIGMA-I instantiation differs more drastically from OPAQUE-3DH
   since authentication uses digital signatures instead of Diffie
   Hellman.  In particular, both KE2 and KE3 would carry a digital
   signature, computed using the server and client private keys
   established during registration, respectively, as well as a MAC,
   where the MAC is computed as in OPAQUE-3DH.

   The key schedule would also change.  Specifically, the key schedule
   "preamble" value would use a different constant prefix - "SIGMA-I"
   instead of "3DH" - and the "IKM" computation would use only the
   ephemeral key shares exchanged between client and server.

Appendix C.  Test Vectors

   This section contains test vectors for the OPAQUE-3DH specification.
   Each test vector specifies the configuration information, protocol
   inputs, intermediate values computed during registration and
   authentication, and protocol outputs.  All values are encoded in
   hexadecimal strings.  The configuration information includes the
   (OPRF, Hash, MHF, EnvelopeMode, Group) tuple, where the Group matches
   that which is used in the OPRF.  These test vectors were generated
   using draft-06 of [I-D.irtf-cfrg-voprf].

Krawczyk, et al.         Expires 4 November 2021               [Page 51]
Internet-Draft                   OPAQUE                         May 2021

C.1.  OPAQUE-3DH Test Vector 1

C.1.1.  Configuration

   OPRF: 0001
   Hash: SHA512
   MHF: Identity
   KDF: HKDF-SHA512
   MAC: HMAC-SHA512
   EnvelopeMode: 01
   Group: ristretto255
   Nh: 64
   Npk: 32
   Nsk: 32
   Nm: 64
   Nx: 64
   Nok: 32

C.1.2.  Input Values

Krawczyk, et al.         Expires 4 November 2021               [Page 52]
Internet-Draft                   OPAQUE                         May 2021

   oprf_seed: 7c16d1ec100aa62589ab11d89278f746d80aa123cf3ffafe0686814a4c
   62573fe714a44e016a93470964c09e6b260f8574380deba0b04246512f1885a5727f8
   8
   credential_identifier: 31323334
   password: 436f7272656374486f72736542617474657279537461706c65
   envelope_nonce: ae4d1d2e52ca9067502964fb4e5eb4f4c64757bf3b699c579a760
   312c86301ea
   masking_nonce: dd480a597c8a7053fa9189c41950bab52f33b9f52efca96b5e1b5e
   221554d993
   server_private_key: 3af5aec325791592eee4a8860522f8444c8e71ac33af5186a
   9706137886dce08
   server_public_key: 4c6dff3083c068b8ca6fec4dbaabc16b5fdac5d98832f25a5b
   78624cbd10b371
   client_info: 68656c6c6f20626f62
   server_info: 6772656574696e677320616c696365
   server_nonce: ccce80d99a21fa1cdcbd276f469f47921c079db97584bd5c7cdd9d7
   d9abebee7
   client_nonce: d4b95117d25f32b52f363be901b53095effc5340969ebfbfab7d20c
   731485687
   server_keyshare: ca372e52516d51c19763ad5eb1a5b60dafb68c264dcf6bcc692f
   667a71c5a617
   client_keyshare: 4c415eebd7a9bb5f921cbcfc5863e48c9e79fd2ecc1788e2b616
   bea0853f627a
   server_private_keyshare: 080d0a4d352de92672ab709b1ae1888cb48dfabc2d6c
   a5b914b335512fe70508
   client_private_keyshare: 7e5bcbf82a46109ee0d24e9bcab41fc830a6ce8b82fc
   1e9213a043b743b95800
   blind_registration: 8bcb0b70dac18de24eef12e737d6b28724d3e37774e0b092f
   9f70b255defaf04
   blind_login: f3a0829898a89239dce29ccc98ec8b449a34b255ba1e6f944829d18e
   0d589b0f
   oprf_key: c15eacfb16da4b0e9761231701b7dbd42c00f2f768831cba82133bda779
   a4c0d

C.1.3.  Intermediate Values

Krawczyk, et al.         Expires 4 November 2021               [Page 53]
Internet-Draft                   OPAQUE                         May 2021

   client_public_key: a4d473ab102b06c6c0c4908437d9186ef62d60f592609eafb8
   9a8450e69fff51
   auth_key: abe4ed20b06a9b6e552bf02f30f681618289b335fda5f6627f1f3ef315d
   63725e5cb8b52d17ca54b88c5b7d472fb5973a5f53e6990356350608e20effa616ab3
   randomized_pwd: 7f841ca7e57d0a715c75647ce7099f209456282d69c2b6391a98d
   f1c1d0adcaf1dccc37d778419946ca367aa79712cf85541679a574d78218a00b48f94
   e0bf99
   envelope: ae4d1d2e52ca9067502964fb4e5eb4f4c64757bf3b699c579a760312c86
   301ea18b6fbd43b46747b84b16bc82c37cd57bb45e51d5970d233f4bc408e4e5af252
   1b7601cfbe3897fd337bc9a6ff85a39c121ddd53948db2c137f0c096304bcee2
   handshake_secret: 96b4956971637ab428be25208ff9448b91443aad347b55c3d2c
   83d5a1db86a3ded0401faaa47000b3112ae4bea51906a54209e4064e74cbea6899cdf
   cef6e6e5
   handshake_encrypt_key: 4375e9f85fd0f4234acf15c14d8d71ba690d311e7dce9c
   841b9c477e5d1fd2201abf64c2cee9846142f53b1d1b773dd29283e13b3b3f9718ab4
   c0b404600af6c
   server_mac_key: ddf8ee1b79ee721c61575b1a07a9659809f54c9a115b32e9f1231
   db85f473defd5a3059d1df4a035a3e070cdfa400d03ee04bdde3e6048045743f5a4ed
   d50813
   client_mac_key: c3fa63ae04bbfac917d62eee8cc7102e07ae78d442fc967aa7515
   52ec50b706455d9232f81bcd6dbc6a79dfa0c645f6495defa410ad26d8c442e111664
   740380

C.1.4.  Output Values

Krawczyk, et al.         Expires 4 November 2021               [Page 54]
Internet-Draft                   OPAQUE                         May 2021

   registration_request: 24bbcabb15452642f709cb8567eff38f4cda6044aca3356
   87a62b8453d849c18
   registration_response: 4ad7080e8c0a1b6c25b613c7a7c7f038e9185895ff4f16
   24252fce384d7c88494c6dff3083c068b8ca6fec4dbaabc16b5fdac5d98832f25a5b7
   8624cbd10b371
   registration_upload: a4d473ab102b06c6c0c4908437d9186ef62d60f592609eaf
   b89a8450e69fff51a1f68e5a03b5d945b64344e3c595b682b49ec144b2a7eb8bf246e
   c553197e9bcbef149245f48cbeeae8898a868df3384e54ce99ab77b69d6cebd3b889d
   e2dd96ae4d1d2e52ca9067502964fb4e5eb4f4c64757bf3b699c579a760312c86301e
   a18b6fbd43b46747b84b16bc82c37cd57bb45e51d5970d233f4bc408e4e5af2521b76
   01cfbe3897fd337bc9a6ff85a39c121ddd53948db2c137f0c096304bcee2
   KE1: 0e8eeeb2ca0dbf5f690cfe0b76783d7667245f399b874a989f168fdd3e572663
   d4b95117d25f32b52f363be901b53095effc5340969ebfbfab7d20c73148568700096
   8656c6c6f20626f624c415eebd7a9bb5f921cbcfc5863e48c9e79fd2ecc1788e2b616
   bea0853f627a
   KE2: 084add8b95846e455b421eafff4c0626e846da1edf81bdfa015039a798a08b40
   dd480a597c8a7053fa9189c41950bab52f33b9f52efca96b5e1b5e221554d993650b6
   e353e554f9360b851a7c47da0a51d67b31df1a5e8203bc10ea0eb18a368ae19d33ea0
   1951fe45316bc62a19853005acbf0f045389871e60070b355cb7b149b169e16aa6c1f
   18ce2178cc4535cf42ef63644b998d3d98606007d6f7481c7b802311dca4f2dc04abc
   bc82e692e94e074ab35b030584f826069bfa677cc2f2ccce80d99a21fa1cdcbd276f4
   69f47921c079db97584bd5c7cdd9d7d9abebee7ca372e52516d51c19763ad5eb1a5b6
   0dafb68c264dcf6bcc692f667a71c5a617000feac6ccb9bd159dfd7a0804224a7a01d
   9581b6e4166bc4262a1e4c16e97e085c80d291731258ec541be9a1c68012b46ced7f4
   ab12b49739870b4643acd9bff5fc7dd5ff2655dee2bd1291a1dccf36dc
   KE3: 49e0c785d8cd9805179d52fb420c45aa74eb8cfa4a3bf1781be9b182448b5deb
   48a232742e1c78bd361407e0e15f065612821b3c45f993b3758a408051e85a95
   export_key: ff68ecc8c48408e44f803c1367b491c10c3359dc2bb30aba2f7e51938
   918961d6a4a1879b8c7501c30bd5fae85b8925471910de4855ef1fd9dbd41bb47e9c6
   c6
   session_key: 96e256d482d1e0e7dad5f9231075fbdff8b2054c9ab78ad6bb4812a6
   1c5a51b03ef81dac52799371328b0495dd45181be9ed0d26dd6fb244a2618e01e7ba0
   9cd

C.2.  OPAQUE-3DH Test Vector 2

C.2.1.  Configuration

Krawczyk, et al.         Expires 4 November 2021               [Page 55]
Internet-Draft                   OPAQUE                         May 2021

   OPRF: 0001
   Hash: SHA512
   MHF: Identity
   KDF: HKDF-SHA512
   MAC: HMAC-SHA512
   EnvelopeMode: 01
   Group: ristretto255
   Nh: 64
   Npk: 32
   Nsk: 32
   Nm: 64
   Nx: 64
   Nok: 32

C.2.2.  Input Values

Krawczyk, et al.         Expires 4 November 2021               [Page 56]
Internet-Draft                   OPAQUE                         May 2021

   client_identity: 616c696365
   oprf_seed: 0ffdbc9874c751fc1a43ba11dda08ebcaeb7f999780804aff975df52c1
   be7c11f7c665892b52c2e47bac3f2ed57ec9e6eb5ff09d385a374f3224d3f4838b740
   a
   credential_identifier: 31323334
   password: 436f7272656374486f72736542617474657279537461706c65
   envelope_nonce: 0e51a98cf5748f021086da6a40c707f54a077831cc91a9bcf1804
   103343a9282
   masking_nonce: 8bd5a108e6a05affde823439a17a97f9c07b2c2a58f18a3cef371e
   e85b75a73c
   server_private_key: de2e98f422bf7b99be19f7da7cac62f1599d35a225ec63401
   49a0aaff3102003
   server_public_key: a4084c7296b1a3d5a5e4a24358750489575acfd8fcfa6e7874
   92b98265a5e651
   client_info: 68656c6c6f20626f62
   server_info: 6772656574696e677320616c696365
   server_nonce: 578e04e4205af9ae3b9fafa46d850767224a8887a85f474ebee6627
   ad0869a0e
   client_nonce: b339b7a02983d128cd8a01545c6f4c5e1de982a65abf0e1115f641b
   a9fd58725
   server_keyshare: 80d9b21c255bf04113a6d339fff579c68475e516c0c98f625a90
   f6532a310f13
   client_keyshare: 746987c9ba92c3636d92fa7afc0379009ed54a7fb2db3cf7e4c4
   07d4ed2c6e35
   server_private_keyshare: 0bb106c0e1aac79e92dd2d051e90efe4e2e093bc1e82
   b80e8cce6afa4f519802
   client_private_keyshare: e79a642b20f4c9118febffaf6b6a31471fe7794aa77c
   ed123f07e56cb8cf7c01
   blind_registration: c4d002aa4cfcf281657cf36fe562bc60d9133e0e72a74432f
   685b2b6a4b42a0c
   blind_login: 614bb578f29cc677ea9e7aea3e4839413997e020f9377b63c1358415
   2d81b40d
   oprf_key: 1ea6ba49377190dac9adae5ec6471577c1d82253db9986d7a593c2c316a
   e0500

C.2.3.  Intermediate Values

Krawczyk, et al.         Expires 4 November 2021               [Page 57]
Internet-Draft                   OPAQUE                         May 2021

   client_public_key: 28839665f903b654da8cbc1d8aef2528ab2c58794271a88949
   cabe9e959b9723
   auth_key: a30c05fc95db9f75f4db7533c5adb2a768b685a5668fb1a4892f604b357
   54ad87653792f318784210157cbddcf25ee4519ca319066592c900a0bd9901e74619e
   randomized_pwd: 0984cc7624ed91e0bfef2a45a88e7c62b79f10a6d1c04c47e054e
   93c3409b807cf7ac22f5bb5c7d59881d1ed7c8d36229b7dc817df6714fe847ff27be8
   a4e8d3
   envelope: 0e51a98cf5748f021086da6a40c707f54a077831cc91a9bcf1804103343
   a9282fed1ed5d8977be01ec5a15f558dac5b5e98a55830efb98fca2fef2b022539369
   d6c74aabea49d77a56f3afb271837cd03e58d99bcd0fa08aca825b746ea86ccf
   handshake_secret: ebc6d9468be0be65d84e3e41b3391b8a789a5bf6aa5adfa00f4
   485d2569234200371a31dd3c96ce9ed257e791ee50c6b9955aaffe79e16009dbeb796
   c639ad39
   handshake_encrypt_key: 3d6a8dbee1df4dc5063191867e71c73d00a51b5fce5916
   393d7f8a861f4f4135e2ee35211422d00b45a2ec800a21886d5a26de6db3f26e1bdf6
   0f66675536169
   server_mac_key: 9c1cd7167526b3d78f865b81559190c3f375c247880e357acb8a9
   28728d2aab53e7dca4c6b0549c807c90c2965b1b5f59db2effea2672084f226cef417
   fe6dbf
   client_mac_key: 78a98350f0be222f6ffcc552c7d88bf7e108366dcb09e4f911fb9
   c5cdb852dcf4c4342cf8d20e4ccff108fd29a922be5cc0b3c2289b23ea35993f4f7e6
   4fdaf1

C.2.4.  Output Values

Krawczyk, et al.         Expires 4 November 2021               [Page 58]
Internet-Draft                   OPAQUE                         May 2021

   registration_request: fa8c0e0144f7b9cd1de1bfcf78104f94d63c0f90398c9df
   ceee06ab5593ec500
   registration_response: 4050a6e95fdb81b47bfcda99524460e791a9b3e2960829
   1ac5f0cca020d31260a4084c7296b1a3d5a5e4a24358750489575acfd8fcfa6e78749
   2b98265a5e651
   registration_upload: 28839665f903b654da8cbc1d8aef2528ab2c58794271a889
   49cabe9e959b9723a62c7e51b5118d184c057979a334c8f338e44bbfb5364668ec2f3
   1a4e54fa85408fa903d054c3092ac3994df118ab99cea5842ba13968717379eefe646
   7df3610e51a98cf5748f021086da6a40c707f54a077831cc91a9bcf1804103343a928
   2fed1ed5d8977be01ec5a15f558dac5b5e98a55830efb98fca2fef2b022539369d6c7
   4aabea49d77a56f3afb271837cd03e58d99bcd0fa08aca825b746ea86ccf
   KE1: dedef709c5faf24970b4fa77480a2c640dc8c6b7a53ae78a2dbf3fc75134a250
   b339b7a02983d128cd8a01545c6f4c5e1de982a65abf0e1115f641ba9fd5872500096
   8656c6c6f20626f62746987c9ba92c3636d92fa7afc0379009ed54a7fb2db3cf7e4c4
   07d4ed2c6e35
   KE2: 985b8739594ed8a1cb4e03d74c4e630e8bebc0575f657f53b3e7ebf24317b927
   8bd5a108e6a05affde823439a17a97f9c07b2c2a58f18a3cef371ee85b75a73ca6a60
   3e6e934f7783a0b249cd6b3039b344bd01fdbb90210e516957512fb51842e287b812d
   fe74e93e86d39c49adb3bdc79e7d02c8d8a50b08c0dea9f2521f2d8bd180fff926804
   d4dd364a0418f39c75c09959da811bbe12ad2fa3ec122a2151fd7b48a92cf1f582c1c
   64408331c30f626a8cc05b16a6392ff72705ae20610a578e04e4205af9ae3b9fafa46
   d850767224a8887a85f474ebee6627ad0869a0e80d9b21c255bf04113a6d339fff579
   c68475e516c0c98f625a90f6532a310f13000ffc9c8e0bad2571c695aa85bf421d968
   23e88c7cbd31e84fe468867cc286b0247c8abd0e87c5e8271100cd8af9082f055fb90
   66aa3e2babb0ad80f14d2921225d2fa401f37245fec3d2735592bce641
   KE3: 659ab46fe55da07b754d6024fc9c8c0a214cfcde32daf69b8245a1255fee8bad
   bbab800f55631dd721c6221b8c405476bbf3e543ee173a48e51da58ade1250af
   export_key: d2e30fe6be5bdf769fae2f29458a8a810beb22294131f113c70b61f17
   3bf6ec6273c03fdc16d0dd810c16746fc5aaaa317de6f5641dd15190699a86e717004
   73
   session_key: 35c10904d5f497361f1f936b63e9436b485922860a4e4ca515b3d2c2
   bda4ddefa8392d2b8dffe48b20ea1534cf9ea149d97b963d663aa545dad8ae997d2ae
   ea4

C.3.  OPAQUE-3DH Test Vector 3

C.3.1.  Configuration

Krawczyk, et al.         Expires 4 November 2021               [Page 59]
Internet-Draft                   OPAQUE                         May 2021

   OPRF: 0001
   Hash: SHA512
   MHF: Identity
   KDF: HKDF-SHA512
   MAC: HMAC-SHA512
   EnvelopeMode: 01
   Group: ristretto255
   Nh: 64
   Npk: 32
   Nsk: 32
   Nm: 64
   Nx: 64
   Nok: 32

C.3.2.  Input Values

Krawczyk, et al.         Expires 4 November 2021               [Page 60]
Internet-Draft                   OPAQUE                         May 2021

   server_identity: 626f62
   oprf_seed: 8e0aaf4dfe21787fdb07badc15661ee8fd9b6f74987f80adaacf81cd01
   bee833ffc46094e3178c8e8c4c675e9689e2d980e9a8faba64be082d472a7b40b978d
   a
   credential_identifier: 31323334
   password: 436f7272656374486f72736542617474657279537461706c65
   envelope_nonce: cb2ef5b3afed25cb6332e74ce40d3b8fb8aff0f3a029fec560adb
   ba41a907b97
   masking_nonce: dd58cdd24ac0ac8083a305994a73948a5bd1e8e786507e8cdccb10
   4de7c479f0
   server_private_key: be81db28eb1e147561c478a3f84cbf77037f010272fd51abc
   ff08ac9537e750b
   server_public_key: 5ab8bfa5e626d2249e0aa9e9546cd2f9e30bb1e6f568334ef3
   f459678b0e0d25
   client_info: 68656c6c6f20626f62
   server_info: 6772656574696e677320616c696365
   server_nonce: 4c34797dec207e283260fa80e61ae932519e83028fa96f0ca4f73ef
   c94417bb8
   client_nonce: 4953f4d7e2b908aabe90d35c139afcd340357aed9ff30231e6d5514
   6a5d796f2
   server_keyshare: a6d76012999541f1ec0c014ec1606f2bd2a517e51f731d595469
   51d9699e1739
   client_keyshare: 2e8a05799d3c524ede0482f39e047df99d9a53dc2dc30e8947eb
   5da98b8c4354
   server_private_keyshare: 14a08c384d74f6dcaed32bb9448c02865efb17a32b82
   c7f06a9586c6e72e4b06
   client_private_keyshare: 01229ee057507c3e53534ad9db9f6df6ce515d1b8017
   923b65cada1973524d0c
   blind_registration: 27fa7b2a6d920c76cf03fb57bdeacc2ec39330fd6e7f9e5db
   dfcb571e271a60f
   blind_login: a4e7b12d5b712efcac9ba734d54c2b24bff0ef6310404b5c05d60d7c
   8451bd0c
   oprf_key: 183899a56b7a5980a3adaf7a7bf55a8c516dad4a94ac232aa53815a982e
   9490f

C.3.3.  Intermediate Values

Krawczyk, et al.         Expires 4 November 2021               [Page 61]
Internet-Draft                   OPAQUE                         May 2021

   client_public_key: c28fd47d9b71f4e427904c3f20f6148e9d7ac42acf3463f427
   8aeaf8a267af5f
   auth_key: 2c31e524e4f5fb42e49afb9ec8dc63a717a89f2fb97bb566c2cff5f62e3
   dd0ecef8fcbd23c06b66b1b03ddf807ddcb1b55fb77e860173dfee2dad6bf6f364380
   randomized_pwd: 319579dc9218ceb2a1d0c48b39b3ada23bf78e4c7d48adcebed83
   88ab4856dea3c806855fdde3eb66fcfdf58c3caa03c1d8f53670ef3d8c0e2617bc231
   c0d22b
   envelope: cb2ef5b3afed25cb6332e74ce40d3b8fb8aff0f3a029fec560adbba41a9
   07b971f770afa8fb6ac2dfae400dbe2a4c2c470c3eab8d40094f8bb867e3a1016952e
   3117f8abfb252e8e684266b183d6094b126b3ea446ea3af9c7efa31297dcf0b2
   handshake_secret: c8f6fb5083c8f165b4f5358ff0c3f190cab6aceaecd98b01df0
   f384018885b12a90e9d81925eab8c1ec75dcacf3a41921ac7d4bc8a52caeb2ab9d4c2
   ba7e5e90
   handshake_encrypt_key: fb6dfcff6e7c608dcd4e959b568ac4834a8487a1b91729
   ae36b387b2f5cef09bd94360355ae8b93c5d4cde6294ea04799e6856bb38bf707020d
   45f1f7af7abae
   server_mac_key: 77b59b5c77b4433da90e8afcfc8cc5eaac139c072dfad8ecd6631
   fdea7816da11b4a6a9788eb01b6889cd56769461373644178fd82ddf34013a163f18d
   361080
   client_mac_key: eba19966d1d66893a77e77c493bdaaac2b162912f7c5350d8122f
   0db2dd66c5a66e07571648e396839b29ff62ad2ff65788a50139381265c8de0128eaa
   431e30

C.3.4.  Output Values

Krawczyk, et al.         Expires 4 November 2021               [Page 62]
Internet-Draft                   OPAQUE                         May 2021

   registration_request: fa39a478c220a89929613f9e65c9a4617da96b62509c42b
   39d7e3606ed2e8031
   registration_response: a0ffcffeb69e885c3983ae1ee7181ae6926b1daaa254b9
   20ea8ea3207e6a5f325ab8bfa5e626d2249e0aa9e9546cd2f9e30bb1e6f568334ef3f
   459678b0e0d25
   registration_upload: c28fd47d9b71f4e427904c3f20f6148e9d7ac42acf3463f4
   278aeaf8a267af5fadd651f79e277bac65b6ab94837502dcd550a4fd9760dd7732e7c
   6ddafb55912eb004a364cccfc159826136fb15d0b3db10cc7270c705ef45854565b72
   43c988cb2ef5b3afed25cb6332e74ce40d3b8fb8aff0f3a029fec560adbba41a907b9
   71f770afa8fb6ac2dfae400dbe2a4c2c470c3eab8d40094f8bb867e3a1016952e3117
   f8abfb252e8e684266b183d6094b126b3ea446ea3af9c7efa31297dcf0b2
   KE1: 96f9f35ebc0ca71607fd2cfcd465e285eeeabdec61151b39b2b4fb735538aa0c
   4953f4d7e2b908aabe90d35c139afcd340357aed9ff30231e6d55146a5d796f200096
   8656c6c6f20626f622e8a05799d3c524ede0482f39e047df99d9a53dc2dc30e8947eb
   5da98b8c4354
   KE2: bed95c2e47175634a3b845cf3fc40bb4ddd9ef8e8a1b815bdded3500d898a45c
   dd58cdd24ac0ac8083a305994a73948a5bd1e8e786507e8cdccb104de7c479f0dd94c
   8de23d83c7a29f934d4056bf905d2d284e9dfcf163110ccb516fe33bc27aa769e5788
   6b45f3c486ff738a05194fccd044a0e1bcba7d3e029ee61d2aacc6be7f1e0b5590fb6
   eaeb4758ad48ec455b09bbf3c9a6079c619d96e78a493e058fddbae195a62efea6786
   a33f49f55645ebfdebca7ff97d348453a0547035206d4c34797dec207e283260fa80e
   61ae932519e83028fa96f0ca4f73efc94417bb8a6d76012999541f1ec0c014ec1606f
   2bd2a517e51f731d59546951d9699e1739000fa10f6bacd674e7bb72acf76ea2902b1
   fcd7dde605e1b76b24caf4a912c73f3ffb26850099f51659307589034b5be92f71e20
   18ab6df824eb9b3e691b69c4e4fc3f20112e61d2adf43a21bc6aa1424e
   KE3: 66c1ecc6a6028f188fbd563b1e594fd6fa9752518bdcf26dacc42144dd3a695d
   320d098da9f94f9117b470bb8074c0e1df0c9d6fa4bb7de1ff18c3e7edb1e16e
   export_key: 29d05720560fa0d96af22fbef7cc6b5189e3d90bd5c58df93456c0851
   76368662a92aa8767b1d9d20f854138f886e68007d6ffab1cf0bce39d1bad1e9120a6
   73
   session_key: 0a71a28002cf637dcc0cdbcb83c804ba5b3e9939f53ca932179d0285
   91531059c5666c0fc23411bfed4128b66dbee4d267c17f6a5ec8c5e9efc911602eefa
   86e

C.4.  OPAQUE-3DH Test Vector 4

C.4.1.  Configuration

Krawczyk, et al.         Expires 4 November 2021               [Page 63]
Internet-Draft                   OPAQUE                         May 2021

   OPRF: 0001
   Hash: SHA512
   MHF: Identity
   KDF: HKDF-SHA512
   MAC: HMAC-SHA512
   EnvelopeMode: 01
   Group: ristretto255
   Nh: 64
   Npk: 32
   Nsk: 32
   Nm: 64
   Nx: 64
   Nok: 32

C.4.2.  Input Values

Krawczyk, et al.         Expires 4 November 2021               [Page 64]
Internet-Draft                   OPAQUE                         May 2021

   client_identity: 616c696365
   server_identity: 626f62
   oprf_seed: 389e8c2b070e95e0c5f183cddee8bff604cde897c7d4796614f322f070
   ec05799f58aea870c5bd8d78a6a638dc5bd5b4cbc532345ebf6b1a847f85d8a535227
   6
   credential_identifier: 31323334
   password: 436f7272656374486f72736542617474657279537461706c65
   envelope_nonce: f3e01f0691b1bd96dd76b1ac0e3b162c01dead2d5a460996db61c
   7cb6e06f054
   masking_nonce: e98bd401befe1c3656af0335023eb4d39623d7709475baf2f97b61
   96d500b0c3
   server_private_key: d49399dc3bc1022938dfb0e79db523d4e4e41f494c3898eac
   652bf95f6efa108
   server_public_key: fc5638262d8f6ba5848b70dbe22394d6c346edcd2f889cce50
   017dc037001c63
   client_info: 68656c6c6f20626f62
   server_info: 6772656574696e677320616c696365
   server_nonce: 06e1342e124cec21e81844c070baffad06ae9639ba7644f312e87eb
   90b1e60cd
   client_nonce: 3d92d44306392e9c01483550614cbfc9f9c166883845d4c17dd5859
   952dc72ca
   server_keyshare: 6a398e50c4e395ee52ef332d6c2c0a77187e2e0b3564617eb66d
   2878c41e6c47
   client_keyshare: 14b434e33a39d7d9fd6dbe3638925edd7a0344a312a22971754b
   d075d8347342
   server_private_keyshare: 5f4a55d2e8474fe0ec811b4cca7c0e51a886c4343d83
   c4e5228b8739b3e37700
   client_private_keyshare: 2928684a1796b559988623c12413cf511d13cb07ecb6
   d54be4962fe2b1bd6f08
   blind_registration: 89ae863bc6f3e8b59bbd1354548220e81cd0ffb6f9e4ec217
   3870ae6107f8d03
   blind_login: 07e41ecdb9ef83429e58098b8f30a6b49d414ad5e6073d177a1f0b69
   cf537f05
   oprf_key: cc5626bba30643d91feb3ea84169e1e317d5a5cc58f338333d3e15e0784
   04b0e

C.4.3.  Intermediate Values

Krawczyk, et al.         Expires 4 November 2021               [Page 65]
Internet-Draft                   OPAQUE                         May 2021

   client_public_key: f02fc825a4bbbaa93194c8d8e3bef57bf7f7217ff526f89524
   be78cf88326f36
   auth_key: 77e1e98f362558d7f03c8f82211e1a3b3344c9d91fc3b84172da615173b
   4223191030e408a36d42cee24f84033b8d85f1211dda7ced47ad4e2a891ec3ae818c8
   randomized_pwd: a5f101b43f06680a15a28f8451919eebd962a257b438ae49a98bd
   7e458da1b5901d2ddaff50b264bf5f218df074fc2bbabb8a64b32e8aae4a477085606
   489f9d
   envelope: f3e01f0691b1bd96dd76b1ac0e3b162c01dead2d5a460996db61c7cb6e0
   6f05479c0f198d63c785cd4be603103d77d62b033aef7d7ac70c28441dc3ece8ffcab
   182460d77693a2cc20c52284f046541631f1ba14b023436d11bce8c421c661ed
   handshake_secret: ff94d02a713a89c44b47d837ec8e083859bb562d7476674a57e
   d14d0f81fd0463695b3386147625204204aff8f854acea3a06c14d99d6c0e7b5931b0
   973deaa9
   handshake_encrypt_key: 3669bfbffc3884a9e9753d8bd8e00336adfdde00c15176
   47e7b0a6b1ce6fd1a6df9a37f476ceb0ab1ced5dffb9acdf0aaf1a14a8ac0ee067f83
   b50a2480c97cf
   server_mac_key: 7fe6cf6ab68cb965216dbe58fe5169e906ee3d465e812c80d5020
   c7ff922ff2b236a21460f0ac8f09ea2493c4fc555323b33e8f81cf40baa66823c4ab0
   85b236
   client_mac_key: e399874544be8a581c92aee5dcc3651f04467435baffe5a98192a
   92e9d8b8125d692319462aa5b57605b5459d81531bd26d69599d15d18a0a897cd781f
   fe3113

C.4.4.  Output Values

Krawczyk, et al.         Expires 4 November 2021               [Page 66]
Internet-Draft                   OPAQUE                         May 2021

   registration_request: 307ff12c023cb5ce33a04efd497252442fa899505732b4c
   322b02d1e7a655f21
   registration_response: 7adb55bef90bd68f344e20e78a70d6ee7142b7d99caf9d
   21861befcec8124874fc5638262d8f6ba5848b70dbe22394d6c346edcd2f889cce500
   17dc037001c63
   registration_upload: f02fc825a4bbbaa93194c8d8e3bef57bf7f7217ff526f895
   24be78cf88326f36d2a15a304bcb3a6e184b14d0ff5db92788d01d922e406d6d9e888
   c1728fd1e20d43d3aecf9c5d2bb5796f8383522d2563370fe18caa392aa4850ce5060
   0d3af3f3e01f0691b1bd96dd76b1ac0e3b162c01dead2d5a460996db61c7cb6e06f05
   479c0f198d63c785cd4be603103d77d62b033aef7d7ac70c28441dc3ece8ffcab1824
   60d77693a2cc20c52284f046541631f1ba14b023436d11bce8c421c661ed
   KE1: e6fb9b013986abe5f6e9586a0110395a97ad695dde622d58470adb0a0cdcb37e
   3d92d44306392e9c01483550614cbfc9f9c166883845d4c17dd5859952dc72ca00096
   8656c6c6f20626f6214b434e33a39d7d9fd6dbe3638925edd7a0344a312a22971754b
   d075d8347342
   KE2: f056ba65d12e66794253220c6025157a66540ba67a154c78aa2c4d1829cf2f0e
   e98bd401befe1c3656af0335023eb4d39623d7709475baf2f97b6196d500b0c364f51
   cb7aedd768ff45793dc630031914dcf80bc0983dbe690698c4ee8e9566b19c362eb89
   323184a4e4a4ab2c94b97ad08c0a112d9676950855c01097759194cc6c801122d1876
   24f0fe7e8704a94efafad7197106fbe07faafe9e2e111b828c6ffd076e755e0bb1c57
   1b1f79fc837260d7f65c376d852e3b69ad13b8c335bf06e1342e124cec21e81844c07
   0baffad06ae9639ba7644f312e87eb90b1e60cd6a398e50c4e395ee52ef332d6c2c0a
   77187e2e0b3564617eb66d2878c41e6c47000ffe003e3a4f069652e7b4df4d93dd7fd
   d9f3c04b3f231e8e7df85424eaa6f3ab3cf62ca99b902d60ef66ffdf03ceb9c46b945
   29edfbfde5128016fc18be803c6c65f8c687f96e40c7fd3dd9f74db4e5
   KE3: de85e7818163d60a00ed1f11e7223be2a3ebb6d1894c60a7676ee6403a7326aa
   827e327a41b8137a05a9705ab289744fa80ee177d33b289ba945da5db158a9a4
   export_key: 8a7280e120dba669c07f39567e338fa0f56d20d5a4c0269469f345b45
   b1d690400caf29bd3ac1b4083fb866eb63845416cefce6c00ac8f2dfe8047f2e2255f
   35
   session_key: 986c130fa4208a6a231272fad57f7cff370c893941e21affb7f1b773
   9158081a50b9c040d7b665a74d55412e7a4c45d81fdb6d86f4f4bc58a4979c2f68625
   b77

C.5.  OPAQUE-3DH Test Vector 5

C.5.1.  Configuration

Krawczyk, et al.         Expires 4 November 2021               [Page 67]
Internet-Draft                   OPAQUE                         May 2021

   OPRF: 0002
   Hash: SHA512
   MHF: Identity
   KDF: HKDF-SHA512
   MAC: HMAC-SHA512
   EnvelopeMode: 01
   Group: decaf448
   Nh: 64
   Npk: 56
   Nsk: 56
   Nm: 64
   Nx: 64
   Nok: 56

C.5.2.  Input Values

Krawczyk, et al.         Expires 4 November 2021               [Page 68]
Internet-Draft                   OPAQUE                         May 2021

   oprf_seed: 077906f7255b7391b91483968461626e9547b82a445cd6a9127d433ac4
   f2037fea083ddab4782c8643dcbadf45ed25e4d6070414f9676cb9777efdab0dfcb61
   5
   credential_identifier: 31323334
   password: 436f7272656374486f72736542617474657279537461706c65
   envelope_nonce: b27e906182129a354335ef733e8f211e7f77c6ec70b1a05e45d2b
   145ce938ef8
   masking_nonce: 6c91ef10f0a12c9775dc03cef0d9f0aea07f22afa5d3b55802d7a4
   9fa7c84049
   server_private_key: 4b642526ef9910289315b71f7a977f7b265e46a6aea42c40b
   78bd2f1281617519f3f790c8d0f42eacce68456c259202c352f233ae2dc6506
   server_public_key: 7a9e44dda0839cf2fd0461eccb8fc704c39e3da227ceb4baaa
   3e421385fd2194903385345e6ac39e2a9911b6e624b0928051af9a6834ce57
   client_info: 68656c6c6f20626f62
   server_info: 6772656574696e677320616c696365
   server_nonce: dcd4a5a60406b4812c25a48e68f6756d20ae8f7feeaee936820ae80
   6e922a21c
   client_nonce: e3392b2a02ac5be57a05df55afd9b3e79f13f9f7c91bcbf85ebe2ec
   3bf1600f8
   server_keyshare: b0fd650f0efdf4cec17e85b9cca2fa7ac7f1ff76ca94ed07e8ac
   65afd6304ef8102bf24376fc5b064edb55fe02027d7fef41d05db3652db0
   client_keyshare: de9bfa627cb161dd7098c8a582f5fb3a38641e8df3d6e7c40dff
   ec1adff5f0d148716cf15cd11a04b80b11cc12a1056493b23ee23267704c
   server_private_keyshare: b4c67a79b035b9887260399acc5f7083245d8adc40b8
   f39f14cd8bd4ade8abbb95166afdc9e922203abe7a8539854c64b943b0b49bc7c611
   client_private_keyshare: 2e28ff4c5f89353d25d6b5a8720734ed34a4a70f8e63
   2de4046e64cee0b47cfcd9173c7ceb0d373234e06b81b5a3b316aec93a8212ba2c31
   blind_registration: 26abc79daa9fcc06f6d3acf12df82de919be4937f28f531b1
   4ac96b844320e7a66810c2d9391cbb877348301ab59a3a91b4a2129198aa12b
   blind_login: 5ea7839f2ac8cf1c5fa92703d4cff61ba2e896e126d371f6380ca417
   57f6458b93b049e1b0d73ab5b8d914b08dff3e52e62ea889638dac21
   oprf_key: 92d00609c97ae75e88e82690a1c8a7e63ed83508c7c8a451765d3b1bd4f
   b5b9c400ec86559bf673debc80bce7d31c8640234f1620e360834

C.5.3.  Intermediate Values

Krawczyk, et al.         Expires 4 November 2021               [Page 69]
Internet-Draft                   OPAQUE                         May 2021

   client_public_key: 8eb67a9bf7cfcb736810c1827bd7c2923c06581a9836c77f02
   1c0277e86172632307ca773b9c5a287636cde4a322a946e7abff65cd83a142
   auth_key: 0ff33a4c0f8c42d74d7cebb13aab9507ce81e1ecda761242c10ebd242a7
   7bd8be9d46f56588f224491e88356c148645f35917db91629adb9ca0e6623df2006f8
   randomized_pwd: 4605dbf72bd606e0f456d2e8b26cec1e8761c3d151a89041ca8ce
   6a5d27436da25251a3a252d8782afab349acdece1e1fe72a6a141fac69e51e7248193
   d2a352
   envelope: b27e906182129a354335ef733e8f211e7f77c6ec70b1a05e45d2b145ce9
   38ef81637506a2dc0f1bbd7a13cc90b776730280d7fafc62b1d529036a505cc0203fc
   3b788ac59d4b9287ffcbe63354ab6f4ced1df3e87a3cdf23a3cdae83e5aa920b
   handshake_secret: 7b69558cab8f3397c1a918b7f052696dafb5a7d28b9bf536352
   f7fe73db49e2a662b629c2c834a1d0f4f0d0234255fb496dfbd84eafce9f308a34632
   91802d80
   handshake_encrypt_key: aa50678d3d271521e0ad9980696e46cbfa07b907499420
   f85f5df4d1d58324400f7e681b8829d4de42b77833eb9ca4345531bed741a8e6cfb39
   b26623794536c
   server_mac_key: 5f9a74f5c943cd04f6669ef047bf4c01d4d3ccec986cf1061fb84
   f45ab9c722d922c48bd5844b45e3f00ee09cc78d8e41ae4ce3d9f6a9751d5dd446905
   fe27b8
   client_mac_key: d2d47efa98ff716de9b2d91756776fb984ee1ee5c1be8bdd5b9fb
   8de99625a2ad6a2caf206d00e71ac54d6dcca2ed141e59f7b94ee892713723ce7613e
   d2b381

C.5.4.  Output Values

Krawczyk, et al.         Expires 4 November 2021               [Page 70]
Internet-Draft                   OPAQUE                         May 2021

   registration_request: a2c1e08d638fa00bdd13a4a2ec5a3e2d9f31c7c4784188d
   441b6a709f47e2196911ce68a8add9ee7dd6e488cd1a00b0301766dd02af2aa3c
   registration_response: 0cee15027c49c8a67a1c6e46196f5ab710239ff1c54cec
   77b68bb68e9afa4997de355c35c03d4e9905651d563c2989d06d6ef4a0631d32f87a9
   e44dda0839cf2fd0461eccb8fc704c39e3da227ceb4baaa3e421385fd219490338534
   5e6ac39e2a9911b6e624b0928051af9a6834ce57
   registration_upload: 8eb67a9bf7cfcb736810c1827bd7c2923c06581a9836c77f
   021c0277e86172632307ca773b9c5a287636cde4a322a946e7abff65cd83a142095ff
   ef79ad465fb047386358d4d68e5ae6a42ac03cad226b27fa0a5404e4a867cfda8969e
   da8899440360d50783a66eeebd5bb777bae55b5760372367233124b27e906182129a3
   54335ef733e8f211e7f77c6ec70b1a05e45d2b145ce938ef81637506a2dc0f1bbd7a1
   3cc90b776730280d7fafc62b1d529036a505cc0203fc3b788ac59d4b9287ffcbe6335
   4ab6f4ced1df3e87a3cdf23a3cdae83e5aa920b
   KE1: 08d74cf75888a3c22b52d9ba2070f43e699a1439c8a312178e1605bbe7479731
   9ab7898faf4f2c33d19679a257bca53e27a7c295b50b0d87e3392b2a02ac5be57a05d
   f55afd9b3e79f13f9f7c91bcbf85ebe2ec3bf1600f8000968656c6c6f20626f62de9b
   fa627cb161dd7098c8a582f5fb3a38641e8df3d6e7c40dffec1adff5f0d148716cf15
   cd11a04b80b11cc12a1056493b23ee23267704c
   KE2: 5e43757ee70502f4a7dfd8192d025587f75ad6b05f7a2dbc5286fc2368567a80
   e30fc73f5b57fa21973a388b13a4978738dbdb40b04a955a6c91ef10f0a12c9775dc0
   3cef0d9f0aea07f22afa5d3b55802d7a49fa7c840492f928e6582dc855eec7683bbac
   2e51306942fc6000b4fc5a70d389e999993fc9946f293ae1f438e3abdd3c3d25b4fcf
   6d8958eba9198a2c055f148de74f1c034e244f53f418286b067249cdb9dcf5d2017fe
   12b79f1ae23fe5be88b4c43a7f47708492f45c6afd58766c8f1026bbfbe9365e7f3bc
   981ae774d1646f694af8a5d9bb3efc6933df2500d78196ce5d74cb31824aeb9fc8881
   cfdcd4a5a60406b4812c25a48e68f6756d20ae8f7feeaee936820ae806e922a21cb0f
   d650f0efdf4cec17e85b9cca2fa7ac7f1ff76ca94ed07e8ac65afd6304ef8102bf243
   76fc5b064edb55fe02027d7fef41d05db3652db0000f5d1ab7b954489e21815dceb9f
   3e1df67f1fa5a460c4a91e93db5614a03c48da57f4cdccfb3c55bbe9d163b7c3bf709
   4621b24e1f529e7237e3685c0b7fdbac2d291055e50a46e33738a64c4c4b549b
   KE3: bb3204c71f1ad6e6f16807f5c44cb01fcdc662cebc0e0699f97d230c2b78e570
   f85e5f4cd8d3d4c9c2f5045de5eab044965d7aa532d5233e29beebea09cb79e3
   export_key: 09d1ab28781693795471eeee2d4c06a579ac59a5b80b552a0a8e1bcbf
   90db6a788a8cec93dfd62d65759053ca48aa87fc0e781ad60d8f97e93d0e4e1845ec9
   60
   session_key: 1dee607190ed3ca16f6374a5d8bf97aa89453b47b3b64cd6cf796a6f
   705e3c75dba0c5f192cd91a5a9591da949b2922854f8be73c9cf8b6c88c71960d8b90
   b61

C.6.  OPAQUE-3DH Test Vector 6

C.6.1.  Configuration

Krawczyk, et al.         Expires 4 November 2021               [Page 71]
Internet-Draft                   OPAQUE                         May 2021

   OPRF: 0002
   Hash: SHA512
   MHF: Identity
   KDF: HKDF-SHA512
   MAC: HMAC-SHA512
   EnvelopeMode: 01
   Group: decaf448
   Nh: 64
   Npk: 56
   Nsk: 56
   Nm: 64
   Nx: 64
   Nok: 56

C.6.2.  Input Values

Krawczyk, et al.         Expires 4 November 2021               [Page 72]
Internet-Draft                   OPAQUE                         May 2021

   client_identity: 616c696365
   oprf_seed: ce664d61ce8e6fad5fa2b6ce395ba0e396e9cc7fae28cd5b9167811010
   06dd8260770815df83cd01d5744e07e4cf7b88e61e3393ae9b709019ef660abb23bb1
   8
   credential_identifier: 31323334
   password: 436f7272656374486f72736542617474657279537461706c65
   envelope_nonce: d435848ca1554f0e7bad7d1577a5cca9d620a83f4ef8939a21b03
   a906c3dfe22
   masking_nonce: f3dbff9d25947c274222060eb0cafa2c9f81a60b5dcb2dcb793ced
   c0d3ddfce1
   server_private_key: f0a17b7f6b056dfcfbee5bd7db70a99bbabf1ebe98b192e93
   cedceb9c0164e95b891bd8bc81721b8ea31835d6f9687a36c94592a6d591e3d
   server_public_key: 741b6d4ed36766c6996f8017ca9bd6fa5f83f648f2f17d1230
   316ebd2b419ae2f0fbb21e308c1dfa0d745b702c2b375227b601859da5eb92
   client_info: 68656c6c6f20626f62
   server_info: 6772656574696e677320616c696365
   server_nonce: 0964b779670cbfd504d4cce8ea37f2707b727b7236532cbcaab548f
   529bb0a3f
   client_nonce: f98b5fc700740f05c5bb0d67545cb11f979a3531e73d1be85eeb87d
   bf111fc24
   server_keyshare: 5cc2a00d1b42d14ac07e05dca2dbc20661a4f30909137bc3274a
   25c3fb4310fc9c61d76fc6576c8ed1c9816719433acc81722a2a5e23357b
   client_keyshare: ee784169a2abed53764292f2e7385c5dd99ee21d09a4df244057
   06a59abb6d91f3ed3dd8c6649807d11cb59ddfa23fad081ddda04ea49075
   server_private_keyshare: 619befc22cca054c042da7b2eab01c59f99bc955df62
   2548e247f7ef180732909ff3c5f87ff8c786d85b3c276550d64df70618a81e14d339
   client_private_keyshare: ca6f309f131e21373228a44b09d4c00da9a6bbaf9a5e
   54a1687c07f327833643112a8a5a2f1bd6a011fa82f705f20cf788d6b6741b158e26
   blind_registration: 2de1be6961f0700496e71df806ebd5322aa0926b2f8f1d3fa
   1fea402f3c90b04601274050a3c6f467387c2f48878823949820d4fad44da19
   blind_login: ab0cb69c311b71343843ea041bae30e2bde41b548b8fbd8b77ceb623
   25f25986ce21cef85c92e3399433661eeeb9c1150a9cc64c3fb53001
   oprf_key: ca2e2837fdbac208e3d1fca1a8f435f1d1137ce4893e85cb906eb434c0a
   5ddda5297295cc4d82e18bb5506988d208f06d9ec424a3f01f337

C.6.3.  Intermediate Values

Krawczyk, et al.         Expires 4 November 2021               [Page 73]
Internet-Draft                   OPAQUE                         May 2021

   client_public_key: 186e80b2bf794cebbf9b8eaae4ab30f7f97ff8b4608f6015e6
   09965ba5ca9a013efe4a33e6d74b0d5792eb953444d3c3412931954c5593d0
   auth_key: 8ec795aa74327f4319213b9d24abbf50a127e7ebd7fae62e308012cc3ab
   656bfca09be67727abe99677cee9e7efc353ea3bf8be6efa3bdedd50d39e0c1ec0eb7
   randomized_pwd: b8222790bec472e0ac35dfec8c20985ae0fa78cd35b6441441d20
   336dc8dc2c59197fb1024a4e7eb347ae1b8b85c9f6641a970705a0695e0d0854f010b
   b36cb9
   envelope: d435848ca1554f0e7bad7d1577a5cca9d620a83f4ef8939a21b03a906c3
   dfe2285ef3427a3828910f19b8eaa71e5f96fef52bcf42d6da50cad3c57e46bafd765
   a8b5c43ae8c22e9191ac80d5de8fd03ef31f0b83a72fda6900b67768e6282efd
   handshake_secret: 175b48cadac266e0538eac4f95afd534cfded63fbaaa44954d6
   d817a772aed0d744eb0c47d52fcb0862aae4187f37c92e3f267e46aefd941e6348d24
   d41a6430
   handshake_encrypt_key: 5abd7661e053e40cb906aaeb35ab0d6d0e8b66c395f408
   072374bb6b8507f14f938083705ac3d269eafe8fd3dec25f501c9a715cdef507d3daf
   9ec29c597961b
   server_mac_key: ad4070a2766f2e6f8bbc73409c500ece84dad628ecc38d10fbeac
   e6be33c07d4af4c2b9ebb587e6590fb37f912a13b141af696da2f58ed09630d75b5bd
   d57390
   client_mac_key: aacc0bc86be130005d89727327c1a507b82efec7a92cf3a935643
   94cd81de9e9928c839c0b16cd1c8ce46629bc1f81ebf54b0fabc857fb8a1467d05303
   a78b4a

C.6.4.  Output Values

Krawczyk, et al.         Expires 4 November 2021               [Page 74]
Internet-Draft                   OPAQUE                         May 2021

   registration_request: 66660fc08075380d7c2d4728ed1a7b550647e8231d6d29e
   60d3d1fa8fa3132c8dc445fa9c94de42e5f12e29de958e5daea84eba6a6410042
   registration_response: ea812c4f71859e56aec9c59058f1b9bcd15a4ca107080b
   78376a2f1adb637ace37eada25d433ab915aefa0abcaa823e4373c819a276bdfc7741
   b6d4ed36766c6996f8017ca9bd6fa5f83f648f2f17d1230316ebd2b419ae2f0fbb21e
   308c1dfa0d745b702c2b375227b601859da5eb92
   registration_upload: 186e80b2bf794cebbf9b8eaae4ab30f7f97ff8b4608f6015
   e609965ba5ca9a013efe4a33e6d74b0d5792eb953444d3c3412931954c5593d0391e3
   a388ab9a83d94abc9bd7b08565fcea19b1a50e49891e1e818a114a4a8af1557c447c6
   c7c3cb9d92c02753351c485bc00eb655bcb7fd4a4b66d70b42bcd0d435848ca1554f0
   e7bad7d1577a5cca9d620a83f4ef8939a21b03a906c3dfe2285ef3427a3828910f19b
   8eaa71e5f96fef52bcf42d6da50cad3c57e46bafd765a8b5c43ae8c22e9191ac80d5d
   e8fd03ef31f0b83a72fda6900b67768e6282efd
   KE1: 1c83acd948f714989a2276ef0c3bb16d5b637942e6d642da9826fbcba741291f
   0b093b8c94888ff0ab621f90344f5b8b72159e2eb80651c1f98b5fc700740f05c5bb0
   d67545cb11f979a3531e73d1be85eeb87dbf111fc24000968656c6c6f20626f62ee78
   4169a2abed53764292f2e7385c5dd99ee21d09a4df24405706a59abb6d91f3ed3dd8c
   6649807d11cb59ddfa23fad081ddda04ea49075
   KE2: 284678bf91c8cbe62aa3ee0bab908ab4f738d1b9019f90586efdfca95163b25d
   ef3da3957ce9dc6764b1461c9ef1039918760f7bc31a44d8f3dbff9d25947c2742220
   60eb0cafa2c9f81a60b5dcb2dcb793cedc0d3ddfce1100452e645f51a5f8ee104cb84
   6f1ba962b900f5d28f63bbef21a60bf3bcb02131e83daceee0fe89a67b9ce703b2e8b
   abc581c8d4df72b4ce6c59688a3d60e2e58a2daaca302abcf6d32a8669f25c7e3032d
   bfae3be2cd1a0690dd8ef83abd179da490fb6f6dd623f1041f175aca82fb2fbae30c9
   8f19eb9dfb1de9a4d661a7461721d4525624d800758afe20c7ab6d9c03d5c6f6f144a
   4c0964b779670cbfd504d4cce8ea37f2707b727b7236532cbcaab548f529bb0a3f5cc
   2a00d1b42d14ac07e05dca2dbc20661a4f30909137bc3274a25c3fb4310fc9c61d76f
   c6576c8ed1c9816719433acc81722a2a5e23357b000f843a4f5a9016bf4629f4dd77e
   140462e90e037f7278315f286665552928db406e3f5f4c6494204c9e39b48cbbe0b8e
   8d32c6f2c80afc18dfd50c7567041faddfa8789ebcb4473d0c4280dde2b51f7c
   KE3: 0e0e13e7da56e241bcf7e72bce9d82aabac647d5827350920d73caa0c173291e
   a9677bac1116c91b8c53abbd5b14aee07403e8e2bf16b76aefcad28aa4b6ae77
   export_key: 2d76cb8eb36d6b52ca5548f18973bb3f4e16227dc4f402de3d8e7ed86
   f675fd69e83d11080af9f5cbd1307b27324673010b72b6ac05bf33481d6693bfdb8f5
   55
   session_key: 25aebd6c39af42d10704abcf085d3a13a4cb6f13cbd444476cb3fabb
   8a34dbdb7b7c8f4003e1901db34d7fa020cae3a313c42d3919a3a23ae2b4e4dedec4e
   14a

C.7.  OPAQUE-3DH Test Vector 7

C.7.1.  Configuration

Krawczyk, et al.         Expires 4 November 2021               [Page 75]
Internet-Draft                   OPAQUE                         May 2021

   OPRF: 0002
   Hash: SHA512
   MHF: Identity
   KDF: HKDF-SHA512
   MAC: HMAC-SHA512
   EnvelopeMode: 01
   Group: decaf448
   Nh: 64
   Npk: 56
   Nsk: 56
   Nm: 64
   Nx: 64
   Nok: 56

C.7.2.  Input Values

Krawczyk, et al.         Expires 4 November 2021               [Page 76]
Internet-Draft                   OPAQUE                         May 2021

   server_identity: 626f62
   oprf_seed: bb646e39ddb426383f5030be0d7cd7d81b47c2b31878a610b0c0283780
   9b62af192ac8b166e11cdc57f8af5941688b00e59a7a90625a06d81c178738530341e
   1
   credential_identifier: 31323334
   password: 436f7272656374486f72736542617474657279537461706c65
   envelope_nonce: 21f858c4575df153350ac12e48f10978fec8a180c7efcb6f51ca4
   b80d44b0f54
   masking_nonce: 61666249fe4ad8c10356c935a1320d656e9c8c248201d0ff1509c7
   70df7420a4
   server_private_key: 8cd37bf60927fafeca73ed8093538a994b1a8bd463666faa0
   68e5ff9e00d588446b7d6cdc09ae8df069b30987a2cdd39286e0481e87ae227
   server_public_key: 684e5378dc98d8e9d61e9dc02b77471318a1b15eb26272dd04
   ef823fc5c55e19163c714071efcab7ec06ccce8e6b9eba74ca92444be54f3c
   client_info: 68656c6c6f20626f62
   server_info: 6772656574696e677320616c696365
   server_nonce: 354f3898c203edbe31f0db10c9df8d90f2001757caefdfe8dbe37d8
   bb5d120de
   client_nonce: 0a60dcb6a59b88bcdbbe96bde209eed4df105a09a01a08ee0100f15
   c919426a1
   server_keyshare: 80f64e52526682c9d332c4cb517bb261e21b86bc7199223b962c
   3d2906f90bbf3252a02bf2889a01d0cfcd6390b8567854107e38abb21033
   client_keyshare: d0cecdcb40e68a8f2a3c472d1fb7f0d96ce9effb7b71281a588d
   f2ca0666ce00126e14b9a28bbe73ada49d059f7794e5da6be7e7bf0eee12
   server_private_keyshare: 906707dee9b2e3ebd9842b0442e25d08ba2548c6a44c
   0d7bf4ee396a0e4a3f023b35698aaa93a2be8bb632747671b3edeaedff0784da7e2d
   client_private_keyshare: da23a46519065977331abaa1e3c0d86545162d96e9ad
   ba538bf67207633a956ea71fbd02ea2dbfe7e195dbd26ea562c6f2406fe1f7c4593e
   blind_registration: 4f0db672264527a8115f176c53709a4f94d1cca39c557ee10
   3479baef585ba8017f7659cdd0b804c0938525199d88853b52ccfc7604bc233
   blind_login: 39ba35e36db24404602da8a616e7ad8f72142cdb97a5689edb98ed34
   24fa5c8584423c6b047121fc36fcec934c8ad24a98c86d0078b8f534
   oprf_key: e1d2159815c27712d61236cd201e0de254e948c13a1f43d6a2c2a458b68
   717912d9164a3f79d4655e11b9941f56ca4971987f280d176fa00

C.7.3.  Intermediate Values

Krawczyk, et al.         Expires 4 November 2021               [Page 77]
Internet-Draft                   OPAQUE                         May 2021

   client_public_key: c43abbc2fc929a784c3f764da5bbadb92be69d79eac950d110
   9ae855c5e73a47fc6762ab8ea780d01ec30c093a70e30f00e889cbb1cb944b
   auth_key: 1fc18c2785eeca0340a5a67e0380b491455481e821268ea474c9f9d3133
   56423ff828e4ad258935def799ffafb8505e8f2ecf4f37d57e9af3c60e133db752f6c
   randomized_pwd: 82c33b5df1031b36735360e7c03d829ee6a80fde9ef4f15ac586b
   3bcc1539618839e94d80bbef9775bd99f17e820439b66a3b384041b871899b357fa6d
   e35981
   envelope: 21f858c4575df153350ac12e48f10978fec8a180c7efcb6f51ca4b80d44
   b0f5410f4a8a1a814066a13d8746935490f50dd1b355c988bbbc2d9d34f0dc99310e8
   5efa3668018b80d563933aeeda4801051bb57c260285f5042e2c1ba6a7f3d605
   handshake_secret: 8c1c07962eaaf949ccec104351ba7cb5bea04d1916990e1adad
   7bbe567bd62f52534a4f0d0bae31cb5f2147b5a135122fb87cc08a5af99827a494104
   3674f44b
   handshake_encrypt_key: 37684cc6a9fc72d474b3487d7a3b24aaa3d26a930cd4f4
   a9bfe60d68438c4b36480453714a53d0bd5f13ed5e115009f2b737cb9c7f9459fccd2
   316d1e5e38899
   server_mac_key: 99c77d4cf69293572bfcad517dd1fd6aa71ff3897ad3ff8d0ed90
   d2b46733f3d58e2eea3ff4de324979d020bfd365e6d1e4302b48f4e36f790f6a50496
   bcafc4
   client_mac_key: 11cf030cdf5f45ec4eb0bf6a62ea481f231e30c8c76d5c3383d83
   f0bea47b8b0ce4419960b8a354bbcb0bb4e73993c660268a609cf477d50711c0f4408
   61c2d9

C.7.4.  Output Values

Krawczyk, et al.         Expires 4 November 2021               [Page 78]
Internet-Draft                   OPAQUE                         May 2021

   registration_request: 8a8f12abe7f223895549fd121f9d6124424273b7524e033
   f610261caf6ff83eb92d848318e7574c06ccee189b8b447b0fd26a348942d787c
   registration_response: ccfc0bff52203f5f15da05ea4aef0590df0167de51d39b
   472543c4abbb21da219c38c11182d66c1e2a28bbd6faba830419cddb69417f2474684
   e5378dc98d8e9d61e9dc02b77471318a1b15eb26272dd04ef823fc5c55e19163c7140
   71efcab7ec06ccce8e6b9eba74ca92444be54f3c
   registration_upload: c43abbc2fc929a784c3f764da5bbadb92be69d79eac950d1
   109ae855c5e73a47fc6762ab8ea780d01ec30c093a70e30f00e889cbb1cb944b11aef
   d6ec42306c84501e6cbfb4e7e11efc54dfa2202422a0aab6b1cc29a05215d5dfbeeb7
   41cacd654c54cbbb9643442d279e8612b9de4f89d8d961806f547521f858c4575df15
   3350ac12e48f10978fec8a180c7efcb6f51ca4b80d44b0f5410f4a8a1a814066a13d8
   746935490f50dd1b355c988bbbc2d9d34f0dc99310e85efa3668018b80d563933aeed
   a4801051bb57c260285f5042e2c1ba6a7f3d605
   KE1: 442b8d7585abe08bbb6b03b3d73c7f5d81cba60845258a4174e7b8d25a6d7238
   8ec7814b7f0a0559fff29ac97c329f2c7b0844c3adb1c6ba0a60dcb6a59b88bcdbbe9
   6bde209eed4df105a09a01a08ee0100f15c919426a1000968656c6c6f20626f62d0ce
   cdcb40e68a8f2a3c472d1fb7f0d96ce9effb7b71281a588df2ca0666ce00126e14b9a
   28bbe73ada49d059f7794e5da6be7e7bf0eee12
   KE2: 8a63ae784c8af59cd2dd193d11de4f36fd26e3ce0f74e751110e3eec331fa940
   4f5ad32d9a67be88737ef441b393bca26045955affd6484c61666249fe4ad8c10356c
   935a1320d656e9c8c248201d0ff1509c770df7420a4d2740f4e1ebaf4c805b9256672
   fc33d391a1f78f34ff4882e904ab84a6ac073f210be384f62c203e5ddb9b8781b55f3
   19f7bc1f6be7c5b34445643503ce562c5a6734f4e4d8131b1335fbe59ae2463a5125a
   ca78d8d9957e7a73e00c1557f765def34dbdc4a15b786a897f3cdf6a7f312820addb5
   7fa41b25cdc4f0368355f3797f3f18a8a6ed8c4fd0808014d6db777779d9f5afe6a3d
   0a354f3898c203edbe31f0db10c9df8d90f2001757caefdfe8dbe37d8bb5d120de80f
   64e52526682c9d332c4cb517bb261e21b86bc7199223b962c3d2906f90bbf3252a02b
   f2889a01d0cfcd6390b8567854107e38abb21033000fd52c2008c3a618c8e9c6786dc
   86c517d60af9188c103668709f4bbc47297ad16d05ace1a8e6e89b0b623e9a4df42de
   f99316d7d48e03c33efdc71227bea6e62eb69f0fc617a5975a5ffa9181b55da8
   KE3: 68384cab4a57e4f1ec93ebf8bff07b176999def6c4ea12daff73bc3c257946f2
   042c4340c956dc0ff901c345ab6f999cf67ad53687e4dc1de91987a5bf0f4e48
   export_key: 58c3a7a78c35b71bad6779f4cae5784bce53d51d711ff14aa6f4183f6
   ec5b3cc5a8210df6c24194ef848ece3e48e5aa917226cecc14111efa46c66b6d5743b
   4f
   session_key: 3d5c60fe73b69266f46c7a4a241a25c0e5296af9c94dc88b84e1141d
   434cfbf85dde4013dbe8e8e5b70de24f1d166dfd10fc0b1e833cf59dff592ed279209
   426

C.8.  OPAQUE-3DH Test Vector 8

C.8.1.  Configuration

Krawczyk, et al.         Expires 4 November 2021               [Page 79]
Internet-Draft                   OPAQUE                         May 2021

   OPRF: 0002
   Hash: SHA512
   MHF: Identity
   KDF: HKDF-SHA512
   MAC: HMAC-SHA512
   EnvelopeMode: 01
   Group: decaf448
   Nh: 64
   Npk: 56
   Nsk: 56
   Nm: 64
   Nx: 64
   Nok: 56

C.8.2.  Input Values

Krawczyk, et al.         Expires 4 November 2021               [Page 80]
Internet-Draft                   OPAQUE                         May 2021

   client_identity: 616c696365
   server_identity: 626f62
   oprf_seed: 5369e7ba363cc0ffd9f5435b87d13da37c69e70dd753d883a4581328a0
   b1211b63870f94d19c970849e3f832d79a13cb8f17b3f699e0d44824c42ea9ed6673c
   8
   credential_identifier: 31323334
   password: 436f7272656374486f72736542617474657279537461706c65
   envelope_nonce: d70af1a254350f45be31d80eff65fd804988d535c163e90687b9f
   bdc5b49ab57
   masking_nonce: c1eeacfb99f49efaae5dfd166cea7fb9952bda134f57f1104daf9b
   d2d288c584
   server_private_key: 0fb0bff035e9b9cbae6cfca36aa4827ccbac66177b64fabef
   a67263087c0cb4e0d9cf547979e753c22548e3174abb5ac630d97dcd4af9830
   server_public_key: 8071f74545bebb75f9b82ce1ee0949e7ed1ab5dedbb0e5444b
   a7ffe82aab916bc5ca6a11fd5fe1479e553040a8b724b6305c3f4289f3f39a
   client_info: 68656c6c6f20626f62
   server_info: 6772656574696e677320616c696365
   server_nonce: 40744099d9bad5836511cb1bd87730fad25cf96124a2a41a2efa8f9
   a1af37fa2
   client_nonce: 2d829f911233762b8429f4145c63e362568b1e40c6477cb709baa40
   3c42893ad
   server_keyshare: d410d142e679aee86adbe57da4801741034120c59fa942ef44c1
   9ffcf4a4d65200d5e17e7d287220037ab038ee08f96c9dee6db68f02cf18
   client_keyshare: f2a67ee95170c51833a88419529748e55dd13e23ffed8fefdc1d
   2b7c939b6371630031299800b01a99f83129aa986369e4a188220d056f0b
   server_private_keyshare: 2903816a392680424bf4d98a04bda8934e23b94f5279
   08fb98aedb6906e3ad31ab455e2718f4bab54e74adf302faf75cac75b1ea07dda807
   client_private_keyshare: 6c148fe1102c81c00f1c5d3bd8a90198b5acfd60fd83
   0fada243e5edc9bb4d6a1c0e88ea960201be2765b54f75a40efa86f066e6d5680131
   blind_registration: efd50ea4c9248eb1f1e96143a8a41c1a1ee2cfebb2f07ff75
   5a6d9fcf090696cd8b70a6ef67bd77ed5d38cf293669c6073cb4da3add7972f
   blind_login: 7e134fa5223d965deb53441a7ab139fd35c83736b6eb89aae524dc5a
   9fe6e16af18a4d33b1c9953fc1a7219dd6f81eac8b915a75e5fa3505
   oprf_key: 7846997289e365bb95b8da4364b67ca6b9c2e6c5b1fcd4f624a37008820
   12e38f1a67c7a622311de77a087c91abbc2ee65062c19236ee138

C.8.3.  Intermediate Values

Krawczyk, et al.         Expires 4 November 2021               [Page 81]
Internet-Draft                   OPAQUE                         May 2021

   client_public_key: cc9ce87a51859068deec37fd6f7a6375c3874b466b44df61a2
   24da792d495935e815c3025091ab758fcfb6732db61a28abbe7c9c25a59f7c
   auth_key: 200fd5916a6a5c4e76faa882f3e478c3abf4673e1181b758f14ef945372
   0da57e9185418e7365b54b607d8530c5830a27576545b79f2bf3119298d170fdc53f7
   randomized_pwd: 042f827c3c676da51206b07471f5d65926a932ccc5aa602bfc312
   71b2c0653d3fe40b8bb8ad74ea78bc08c226961b306397c51b3606f9bc84a5b6ede0e
   f7cbe6
   envelope: d70af1a254350f45be31d80eff65fd804988d535c163e90687b9fbdc5b4
   9ab57020fcc9ce588e385c92cfb2d2caf5bf1532863b1b5dc77c8cecc0bdf705c6e69
   c81febaaa364b5f69c57fc7716c17e7bcb44eb5a6ca42dfc3007c7ba49ef7184
   handshake_secret: 2e7155c6b2f7ddda06ba72c4d9f0067246696ef855c952d9fa2
   970fb162580bbbdaa546032a18de61b999c63a618ba6a885524c83df4b42d373fe460
   9425c5a0
   handshake_encrypt_key: ec57354e4588c741ca4bd0ae40b13dbeca873edd6b2548
   36f8e07bcb76c9e653c145aaa97cae30bc25d6a771d7b910d76c088d67e18fc1bd55f
   694022ccd1673
   server_mac_key: 65febfac5cf04540ccd0c1e99115b8ac71d7bce95224cf338f8b9
   1d1305367c5ffea21ce576756bbf3c6f7cf80e89001c61d2b6b9b5c511fd1fea415cc
   94197e
   client_mac_key: ac27e4daf2316d958f475a65c07330b1259612f5fda6a02de3795
   6aa931d9fba1ab1e9c1c6894cd98d7af31a76dcad19cc105836c00704685ab27595b6
   c53c9d

C.8.4.  Output Values

Krawczyk, et al.         Expires 4 November 2021               [Page 82]
Internet-Draft                   OPAQUE                         May 2021

   registration_request: e499c1ea1a644df877a01f23ddc5dccbf3add4407605f67
   dcc55f29c2ccec5daf9bc231dd62aa61cf2c9fdeaf59b3ed7a8f33af59ba20914
   registration_response: 02d0a9b5d262d560b9839258ee696c78497c6f23624289
   07d817439f72fe619496fa87b8c0427d600e8030851276e3df50be027bc86a45d3807
   1f74545bebb75f9b82ce1ee0949e7ed1ab5dedbb0e5444ba7ffe82aab916bc5ca6a11
   fd5fe1479e553040a8b724b6305c3f4289f3f39a
   registration_upload: cc9ce87a51859068deec37fd6f7a6375c3874b466b44df61
   a224da792d495935e815c3025091ab758fcfb6732db61a28abbe7c9c25a59f7c3649c
   55344cde7130181ab36e9dad95ad627a00c85f81fecd6cb07a34f2d3801818bb6944c
   df6737b6072a3d422ea2806629f28dddf8069d28c83827e2c5825bd70af1a254350f4
   5be31d80eff65fd804988d535c163e90687b9fbdc5b49ab57020fcc9ce588e385c92c
   fb2d2caf5bf1532863b1b5dc77c8cecc0bdf705c6e69c81febaaa364b5f69c57fc771
   6c17e7bcb44eb5a6ca42dfc3007c7ba49ef7184
   KE1: 501e3dc8509cecfa36efadeba5efd0e4f66988ff9575c821b0128af06a2f5ebb
   d77362f2a9e63b5a76cf5a636bad31b7a86f6c6803a2c9952d829f911233762b8429f
   4145c63e362568b1e40c6477cb709baa403c42893ad000968656c6c6f20626f62f2a6
   7ee95170c51833a88419529748e55dd13e23ffed8fefdc1d2b7c939b6371630031299
   800b01a99f83129aa986369e4a188220d056f0b
   KE2: 8e344a24535edcb94f862bdda3d5281e5821a7697d8169280df3a1b7f599aa27
   472c381b67a594a6eadad3c48ac03cce1d0b67e946f826c7c1eeacfb99f49efaae5df
   d166cea7fb9952bda134f57f1104daf9bd2d288c584aab53685e458f2b3359ff7d317
   06874edccde0d1fc5809244ed2ef42a9bfec732d0b0e910788fd8cb400feade5de6ff
   16a8c01bbe9433529b3c33a4b3b69b9dfb067b85e6f956380cf29d1e37cda3395ff8c
   a3715a13a3ae5d2e49f97821ef4e94cbf79cfe6627ae47bdde41d47fb28a2f81d9933
   9d4bf69b202c3bc899af72f494c156127dac299c9e6b345f3ce867000a7ad6043a86a
   d640744099d9bad5836511cb1bd87730fad25cf96124a2a41a2efa8f9a1af37fa2d41
   0d142e679aee86adbe57da4801741034120c59fa942ef44c19ffcf4a4d65200d5e17e
   7d287220037ab038ee08f96c9dee6db68f02cf18000f81562d32804f41b3314561920
   c91fe27dde4271020d3a9d78365ed865128f0b715289b8a656741830a596a65682dd3
   86b7e18c55d009e493021aa4c98148fcdfd76b600523534e164b976c204ac1e5
   KE3: 6d21e161839d0529b5031b3eab2856f6106acf53d476c10f889eee8c566446a5
   ec9278a8b0b5cb3e9fb18065f2a17e7e94d1d5c9a854b6c06d2bd9d54a14facd
   export_key: ece89a05e8d0a5cd7052e8e59b219ff4f553825450b0115b8ca377383
   26b6ec6bac04c30359607d5b6442836de2ea6f3d7b4ee2bd166dbc14476cf42cad255
   5c
   session_key: 26e3855833c5392729901f112b2c62f280c3e6a1548dafd4b9812e1b
   6aea12906ce31c29fe27accb044dac14941d7a376c6be668439bb6fe5fdf3f9548033
   231

C.9.  OPAQUE-3DH Test Vector 9

C.9.1.  Configuration

Krawczyk, et al.         Expires 4 November 2021               [Page 83]
Internet-Draft                   OPAQUE                         May 2021

   OPRF: 0003
   Hash: SHA256
   MHF: Identity
   KDF: HKDF-SHA256
   MAC: HMAC-SHA256
   EnvelopeMode: 01
   Group: P256_XMD:SHA-256_SSWU_RO_
   Nh: 32
   Npk: 33
   Nsk: 32
   Nm: 32
   Nx: 32
   Nok: 32

C.9.2.  Input Values

   oprf_seed: 222de1044eb3a2b1e0365c8f7d20cac72b212820f4212bfabbc7180eac
   5e1f14
   credential_identifier: 31323334
   password: 436f7272656374486f72736542617474657279537461706c65
   envelope_nonce: 65f0dc5ad3ce0b549202d5dd3867cc35670e6164cd3bf8a56f358
   32c276ce5eb
   masking_nonce: 33ef31702b4b5adaf29b22cff288bfce7e363506046bb1da00857b
   ae9a12fbc1
   server_private_key: b3c9b3d78588213957ea3a5dfd0f1fe3cda63dff3137c9597
   47ec1d27852fce5
   server_public_key: 02e175463b7aa67dac8a3e0b4b3f4aa259d2fc56dfad40398c
   7100af2939f672bf
   client_info: 68656c6c6f20626f62
   server_info: 6772656574696e677320616c696365
   server_nonce: d355c4bb8ea252e88a22e03fb7f77f56e709a2a5409bf522c250467
   a4c1739f9
   client_nonce: fd9f7f07919823537dd02a3eeb22f400c97b5583d8cf9f64a9b2311
   b905af4c0
   server_keyshare: 03651207f3887f92cfec56edd9b9df0047c1d6b7bfc55b3650a9
   579d44f435b092
   client_keyshare: 03285470567bccdd3755aa8d00261e1ce65aa120e15571cc9772
   789a361b4cafaf
   server_private_keyshare: f5685928c72d9dab8ddfe45de734ce0d4ff5823d2e40
   c4fcf880e9a8272b46ef
   client_private_keyshare: a593b1095e7d38ba6ff37c42b3c4859761247a74d0c6
   2c98ddff1365bb9b82b3
   blind_registration: f9e066cf04a050c4fd762bff10c1b9bd5d37afc6f3644f854
   5b9a09a6d7a3074
   blind_login: 79e775b7220c673c782e351691bea8206a6b6856c044df390ab56839
   64fc7aac
   oprf_key: 33d82b5c6d96b0e2eee646aee10193f83c8420211e07fae25095eb6f4df
   369e6

Krawczyk, et al.         Expires 4 November 2021               [Page 84]
Internet-Draft                   OPAQUE                         May 2021

C.9.3.  Intermediate Values

   client_public_key: 025d19e7faf171e0a39d8f3b872f53e98017d6c49a708da2e1
   26b78c1a7169d4cf
   auth_key: 46ca67ab022b506c42b8be86baa0e19d1462762d182b1f8cc6f040ec253
   a0409
   randomized_pwd: e7b1a04736150f90afb666cdc04e868e86c100ee9ab2379d74e12
   66030f45c22
   envelope: 65f0dc5ad3ce0b549202d5dd3867cc35670e6164cd3bf8a56f35832c276
   ce5eba93f34e6f73e5795912086ba07f113f0e14d7731850db1c2b38d3e46e8778c58
   handshake_secret: 0d4bdf9a5dc37cfdf90f47c9e0bfa8f6b2bbafb5043b237de65
   2a266f84cf27a
   handshake_encrypt_key: 5fc60179a58f729c5fe9716ee2864dbb0a73cbb5733dfc
   da4816349501b84fb1
   server_mac_key: 253e6b00cfc920d8f7e491fc293ab7fb325ec4f5894033e51a9c3
   1b5942e1959
   client_mac_key: 506688d52612857c8e7dbc8150c73e3830abc0a4d2746f50f0e4a
   3f5942f83e1

C.9.4.  Output Values

Krawczyk, et al.         Expires 4 November 2021               [Page 85]
Internet-Draft                   OPAQUE                         May 2021

   registration_request: 03761c2597a039a535c3180bd3fb6ea9830baa50376dafa
   6e98bb41be2aaae0e91
   registration_response: 022c78531bce7284214b2a693c217dcdf4ca53ba4ca0fd
   8679def7698b3b89be0502e175463b7aa67dac8a3e0b4b3f4aa259d2fc56dfad40398
   c7100af2939f672bf
   registration_upload: 025d19e7faf171e0a39d8f3b872f53e98017d6c49a708da2
   e126b78c1a7169d4cf8b3218ffb32c3c4e40542f9b81e5ad8472d4371bb9914165b77
   5b94247c5eba165f0dc5ad3ce0b549202d5dd3867cc35670e6164cd3bf8a56f35832c
   276ce5eba93f34e6f73e5795912086ba07f113f0e14d7731850db1c2b38d3e46e8778
   c58
   KE1: 021922b40d051877d0f03ccf2831eede9b328e22c8b173d5f28091af0b92421f
   54fd9f7f07919823537dd02a3eeb22f400c97b5583d8cf9f64a9b2311b905af4c0000
   968656c6c6f20626f6203285470567bccdd3755aa8d00261e1ce65aa120e15571cc97
   72789a361b4cafaf
   KE2: 03c5dec0723bf62419a4572b9651b2000ed362b5e35266850468b7bc647530b6
   6e33ef31702b4b5adaf29b22cff288bfce7e363506046bb1da00857bae9a12fbc14fa
   b54da44a07cff69e135f22cc5430f03b4757cdea284978709b2ea6b6fb4bc860daf24
   d4fa24017d629a717cac436a74d389f9cfd00c7c4cfe1697de2b0158ba0ebb10e3beb
   621b9045ce0a4e2ce63b937058732ac0261c23237adb4357cbc38d355c4bb8ea252e8
   8a22e03fb7f77f56e709a2a5409bf522c250467a4c1739f903651207f3887f92cfec5
   6edd9b9df0047c1d6b7bfc55b3650a9579d44f435b092000ffa88ce75b0eb1e6bf8ca
   567aab76baed74be60749d008e3102ca12d7f8aec5e94e1e24e6a39ba808459e75df1
   b1c71
   KE3: 6b9e3bfa986cc8f17a47024275d4c86421e928e5f9aae9b65235555e2c529462
   export_key: b15b8482f93486c6c611bfb425983b920e497595515d4aba60c36c98f
   d085585
   session_key: eded1d0fc7840adbef00e47868707b13b01fa50e7d143b2d694ff428
   67769ad9

C.10.  OPAQUE-3DH Test Vector 10

C.10.1.  Configuration

   OPRF: 0003
   Hash: SHA256
   MHF: Identity
   KDF: HKDF-SHA256
   MAC: HMAC-SHA256
   EnvelopeMode: 01
   Group: P256_XMD:SHA-256_SSWU_RO_
   Nh: 32
   Npk: 33
   Nsk: 32
   Nm: 32
   Nx: 32
   Nok: 32

Krawczyk, et al.         Expires 4 November 2021               [Page 86]
Internet-Draft                   OPAQUE                         May 2021

C.10.2.  Input Values

   client_identity: 616c696365
   oprf_seed: 411231f4c1e2a61b4295bbc556c82b3200a5011eb95da458bc975074f8
   c40f0c
   credential_identifier: 31323334
   password: 436f7272656374486f72736542617474657279537461706c65
   envelope_nonce: 7e28c4858849aba47c0f3a8788e263eb2992076d6e13ae1c31c95
   bb425cf520e
   masking_nonce: d07690a0ea1027783695e907cf1977e9ccc7d9ae0ea3922417fe6c
   a99b1ea4fc
   server_private_key: 2bc92534ac475d6a3649f3e9cdf20a7e882066be571714f5d
   b073555bc1bfebf
   server_public_key: 0206964a921521c993120098916f5000b21104a59f22ff90ea
   4452ca976a671554
   client_info: 68656c6c6f20626f62
   server_info: 6772656574696e677320616c696365
   server_nonce: b954553c8c79d924a1c591f783ba1bd5d4815f54893e96f58bc469e
   be87758d6
   client_nonce: 93dca0cec3925e275d0c790c25d6456b7f36d6f9bdecd6cf678263a
   c002d1296
   server_keyshare: 036d85072a9cda8438f67dd81042861349f697c06ad4efb068dc
   eb58c98986409c
   client_keyshare: 031e7dcb77fdba4b7e7b1625e43dae84733b28eaf2b4fbd7df14
   1b1ee353748b44
   server_private_keyshare: 196708f773cf65852bda777210337d8b3b88754b881a
   a5fd937ec7932e725ac5
   client_private_keyshare: 3a07cb3ea0e90b40e0501e6bdc3c97510cdd9475ad6d
   9e630235ff21b634bc66
   blind_registration: ef54a703503046d8272eaea47cfa963b696f07af04cbc6545
   ca16de56540574f
   blind_login: 0bf837aaa273530dc66aa53bb9adb4f0ed499871eb81ae8c1af769a5
   6d4fc42b
   oprf_key: 179b24e76ebd4e1be0e108bf006aa77232f2aebd2e64ec6e5fc15e6bbb1
   0bd72

C.10.3.  Intermediate Values

Krawczyk, et al.         Expires 4 November 2021               [Page 87]
Internet-Draft                   OPAQUE                         May 2021

   client_public_key: 03bb0ea77280040f08a1387541588a15626616bd6d5fbc5f86
   5e336dc4239e073a
   auth_key: 1b46cf0d5e965018b3daf72888b446d2af2000555b725061975c91ac7ed
   930bd
   randomized_pwd: cb2410d0b7d2c3868892a7ce491de10deba5ad3c51ce50cf38c35
   83ca2a61575
   envelope: 7e28c4858849aba47c0f3a8788e263eb2992076d6e13ae1c31c95bb425c
   f520efdb6d71170c02d62b42d4836c6e86111d001f3b8ee7a04800f964398928962fe
   handshake_secret: a23bff26bc68422cfe2f77d67d91d9966fc86f5c26202d1d4f3
   0f6a2acca190f
   handshake_encrypt_key: c009b1a9f339868db545503890b28d73a97c51c3562846
   7f8d87b9254d80fae7
   server_mac_key: c482b5aa511c35013987032ae5fe6621d4b71bb98adbc17e1a8ea
   32417047d52
   client_mac_key: 4bdcf02f9f2b4bba2a2001b95c46bd776a027764f9fa0bc479eb9
   9a320ace697

C.10.4.  Output Values

   registration_request: 02cd04a4a3c6b37f6013d848e1c63c204c4593377e9a14c
   68e95097b615d29c129
   registration_response: 037087c8ee3db58c82f02bf4685572e3e48b9639417722
   64f5436febc9d2e566a00206964a921521c993120098916f5000b21104a59f22ff90e
   a4452ca976a671554
   registration_upload: 03bb0ea77280040f08a1387541588a15626616bd6d5fbc5f
   865e336dc4239e073aebc552c85f3af13f76e12831012f33d891481a03556d64f51ac
   6e4d5216a957e7e28c4858849aba47c0f3a8788e263eb2992076d6e13ae1c31c95bb4
   25cf520efdb6d71170c02d62b42d4836c6e86111d001f3b8ee7a04800f96439892896
   2fe
   KE1: 02e747d027881e63565ce0a611dae6da50c2a8b349010a52f5c936169be1e0f9
   3693dca0cec3925e275d0c790c25d6456b7f36d6f9bdecd6cf678263ac002d1296000
   968656c6c6f20626f62031e7dcb77fdba4b7e7b1625e43dae84733b28eaf2b4fbd7df
   141b1ee353748b44
   KE2: 023e69bd9f6ac2a9247a45cd6ece02734b01f4f097277cef4b651d292b92958a
   f0d07690a0ea1027783695e907cf1977e9ccc7d9ae0ea3922417fe6ca99b1ea4fc21b
   f6b965eb775c1ae1621d56b3b2a909524d755f09dfb5abfba139c38d03a06d7fbacdb
   9362415cb82e80a426b2243c861a99ab96c375d638778555ae59497e3982f4a4f5f31
   8ebd25b9135a613fdfb9c78b12a9fac85ab50502cb750e2e6f162b954553c8c79d924
   a1c591f783ba1bd5d4815f54893e96f58bc469ebe87758d6036d85072a9cda8438f67
   dd81042861349f697c06ad4efb068dceb58c98986409c000fbd84aa78e5bd91d5c371
   3a82701f84eaf16cc8b383370374ad7ae365a2a5c4cbb5f807cedfb89f72a484b151e
   d86c3
   KE3: 148aec24c974679b8f2b22545fe6b438919cfe17d5c01477506bd838af4e0070
   export_key: ce386730106337ff5442cefb268e042f4018a254efec5afa042f6e317
   84ff18d
   session_key: fb4663e7bf2c24bf84f39559f0fbc1a5461dc2eef52eb458cdbbb391
   95fd806b

Krawczyk, et al.         Expires 4 November 2021               [Page 88]
Internet-Draft                   OPAQUE                         May 2021

C.11.  OPAQUE-3DH Test Vector 11

C.11.1.  Configuration

   OPRF: 0003
   Hash: SHA256
   MHF: Identity
   KDF: HKDF-SHA256
   MAC: HMAC-SHA256
   EnvelopeMode: 01
   Group: P256_XMD:SHA-256_SSWU_RO_
   Nh: 32
   Npk: 33
   Nsk: 32
   Nm: 32
   Nx: 32
   Nok: 32

C.11.2.  Input Values

Krawczyk, et al.         Expires 4 November 2021               [Page 89]
Internet-Draft                   OPAQUE                         May 2021

   server_identity: 626f62
   oprf_seed: 7ff9f5a010a39202ec8583b1af1667e39a790c8eeae3c8850cf1b22593
   4b1bb7
   credential_identifier: 31323334
   password: 436f7272656374486f72736542617474657279537461706c65
   envelope_nonce: 4b2ac56569cac13e4c94b3c5a661297b9507bce9cb4d61b988e79
   cf66e7376d8
   masking_nonce: 1c289200b0c01921d4367f7f5d6efdf313597a494e4652eed4fddb
   640030ecc9
   server_private_key: b0b4f35c14eb2477c52e1ffe177f193a485cccf5018abbf87
   5b8e81c5ade0df0
   server_public_key: 02e8d79aa24bcd2bea4e9bb7362b004daa0bb6be442d8557e5
   59ae18b6bf7bb5b2
   client_info: 68656c6c6f20626f62
   server_info: 6772656574696e677320616c696365
   server_nonce: 2348f61d807548ef1e7b35a914f52bfb9c2fdd799ac0f75333a17cf
   266cc48f8
   client_nonce: 95d6caca3088960f7e014beacaf854cf3c1f81ed707bcbd7cda660b
   43f2cb8fa
   server_keyshare: 0222d4232635f4ee3706759740d7a0d8fb6a4068f2fbd34be7cf
   065f9989b637cd
   client_keyshare: 026ab0dc783fb12c9427dd0bcb4d95f5b5212f092406dd581bd3
   37c73468953226
   server_private_keyshare: 9fc1965033654f34b06b578fe36ef23a5b9872ade82b
   9261cc447670debcf784
   client_private_keyshare: 18add682f6055089b0a2484abc37f110b36f4c2a140b
   7a3c53dd8efb6171d3bc
   blind_registration: b0d53a6f8da29c3cf4f8695135d645424c747bec642bc9137
   5ff142da4687427
   blind_login: 4d73591be8483a1a38e40c13a04b0f2180dda3c36e3d43c3a8f12715
   8d010945
   oprf_key: bfcb3351d8cac1374c48d88262115a8ce447116f8d9659af4927e8ba473
   b3860

C.11.3.  Intermediate Values

Krawczyk, et al.         Expires 4 November 2021               [Page 90]
Internet-Draft                   OPAQUE                         May 2021

   client_public_key: 029ef859264f5bce3ce76ef33cea426c0868cb6cefdd40cc97
   40530e4e2b8eb9ec
   auth_key: 794a4b51879f176d7535dc173209697e58adc5ba355071dec1c010c1a30
   88267
   randomized_pwd: 1d7413e513aae8db0fc7ecff608c5a8ee36ade8e19c03245d7848
   886eb9e2f3e
   envelope: 4b2ac56569cac13e4c94b3c5a661297b9507bce9cb4d61b988e79cf66e7
   376d8e8764cec8c7f0352bab2e22a52784068274a3d9bf6e867fb1174dad9fda451be
   handshake_secret: 9fd8f0f8e2faa0f5b09bb04b6b414b4d3a85bb7ce85e53ebcbc
   44c9b0ffffbe4
   handshake_encrypt_key: 0ad54a7aa1eba3c373884458aa42025bb707801dae3abb
   f8369a286aeddf0cd3
   server_mac_key: a3c1a5b0dca01277cfd2357ad2102cbbe29620066c3c9bb9da6f3
   c71044605c5
   client_mac_key: 49deecc8c3abbd5974f12864c2145204866385bd8a74f642df192
   1999dd6935b

C.11.4.  Output Values

   registration_request: 026aa49819f2c29b9543cefa0850db7fd36352c6ad8f47b
   631b5b621266b670f7b
   registration_response: 03895ca32517359a907fc25fb7b60e63f0ae40422c4438
   bc41129ffea836e306ec02e8d79aa24bcd2bea4e9bb7362b004daa0bb6be442d8557e
   559ae18b6bf7bb5b2
   registration_upload: 029ef859264f5bce3ce76ef33cea426c0868cb6cefdd40cc
   9740530e4e2b8eb9ec93cf8a8e4931fda8a52ddf2713542e8959cf8ee995f42333a12
   b36020697975d4b2ac56569cac13e4c94b3c5a661297b9507bce9cb4d61b988e79cf6
   6e7376d8e8764cec8c7f0352bab2e22a52784068274a3d9bf6e867fb1174dad9fda45
   1be
   KE1: 0223c6f12f3c763bdfea59c13d8f1e055b02277625aa06cb3d839e03a60268d7
   c195d6caca3088960f7e014beacaf854cf3c1f81ed707bcbd7cda660b43f2cb8fa000
   968656c6c6f20626f62026ab0dc783fb12c9427dd0bcb4d95f5b5212f092406dd581b
   d337c73468953226
   KE2: 03d7c51c4c0911f7767034c5fa8e7de860e32ea2f5fd5bbb41dcdbe752cdfe38
   d21c289200b0c01921d4367f7f5d6efdf313597a494e4652eed4fddb640030ecc98ef
   d62c96d1fa8326a148a19faf7e32eb023b0eba83cd72d5edc0d92a759c431784a5183
   ae68962edb95ab18e1f920c8363cc3a47b60ac873e3b745df1ab0f4a100c8817b7a2f
   569b9ba67b1f10a38c440bf178eb7129a8743f32071d4bfcbcb962348f61d807548ef
   1e7b35a914f52bfb9c2fdd799ac0f75333a17cf266cc48f80222d4232635f4ee37067
   59740d7a0d8fb6a4068f2fbd34be7cf065f9989b637cd000fee4f603aa29b2064b11b
   07ac6deac7a32a58b59efe45afb77b097af2ec1942d2ffdcb44da599ef82cc5beed29
   6be38
   KE3: a271bf176d064d979545657cd8f6f53b3efbaa37aea6cd45782749f7c4744844
   export_key: ce86f17a7720b70dcd4947c727dc48f549ca76bcae48837a6aff2ac88
   65bb07d
   session_key: 315b45cc16fb96a1697decfaf732df3d5b539b9d67465a61eeab7f0e
   06004702

Krawczyk, et al.         Expires 4 November 2021               [Page 91]
Internet-Draft                   OPAQUE                         May 2021

C.12.  OPAQUE-3DH Test Vector 12

C.12.1.  Configuration

   OPRF: 0003
   Hash: SHA256
   MHF: Identity
   KDF: HKDF-SHA256
   MAC: HMAC-SHA256
   EnvelopeMode: 01
   Group: P256_XMD:SHA-256_SSWU_RO_
   Nh: 32
   Npk: 33
   Nsk: 32
   Nm: 32
   Nx: 32
   Nok: 32

C.12.2.  Input Values

Krawczyk, et al.         Expires 4 November 2021               [Page 92]
Internet-Draft                   OPAQUE                         May 2021

   client_identity: 616c696365
   server_identity: 626f62
   oprf_seed: 7b79e836d42b66345781840b42a9475350106dd58ed1f2d9670e7b3430
   052729
   credential_identifier: 31323334
   password: 436f7272656374486f72736542617474657279537461706c65
   envelope_nonce: 972d1d19b3f76c5a53e1de821dc64cec826f716136c9397a7fd11
   3bd04e6819c
   masking_nonce: 5a5ff17381f05c594745598e064751cfa87ef81ff8a3a05965a4c6
   e700f2b060
   server_private_key: f7493200a8a605644334de4987fb60d9aaec15b54fc65ef1e
   10520556b439390
   server_public_key: 021ab46fc27c946b526793af1134d77102e4f9579df6904360
   4d75a3e087187a9f
   client_info: 68656c6c6f20626f62
   server_info: 6772656574696e677320616c696365
   server_nonce: f7877b506a288dfd45503bd89a48458aafc0971d3e8cddc4b54ab58
   e23ebc079
   client_nonce: 8ab09b516c0696e39295549d80b482aab2178688195ad806c922c66
   26e98cf75
   server_keyshare: 029ad3943fb8e838ed49e4d64e5f0b84e120f175f30115009f18
   f009f7e35081b9
   client_keyshare: 033b64a07786c37f90b1abc757bf074c18326773bc296ec69f38
   c111e4274a4071
   server_private_keyshare: 629de5cfea56c0532dd8254a5a6e7fcc9e51e20a1cf4
   f254335ca57ce603ae7d
   client_private_keyshare: f03fc00b7a2d495298d84c8c83b686b67e82569cb56d
   97e9c20e59311bac3a51
   blind_registration: 9572d3a8a106f875023c9722b2de94efaa02c8e46a9e48f3e
   2ee00241f9a75f4
   blind_login: 735d573abb787b251879b77de4df554c91e25e117919a9db2af19b32
   ce0d501d
   oprf_key: 3265323242d130d8ba66357c22520711b50ddebaf76449ad006a7c0e3e8
   175ae

C.12.3.  Intermediate Values

Krawczyk, et al.         Expires 4 November 2021               [Page 93]
Internet-Draft                   OPAQUE                         May 2021

   client_public_key: 02e1b4141e364cf9ec579ad9ddff3ad17de4ed8d3b03d884a3
   7ba0d3afec5b45c7
   auth_key: d2fc33d0eaaba07cfca12b836586821ce7ebbd676271ba85cfd87d46914
   4d8d8
   randomized_pwd: a808d107c852b2670e12235fa548e71304ae6b75479871f805e1c
   165921d23cb
   envelope: 972d1d19b3f76c5a53e1de821dc64cec826f716136c9397a7fd113bd04e
   6819cee0781091b47d746f894ada27e2eda06ec56bedb2983407791d377f889321cd3
   handshake_secret: 8f1f714cd4cc8db5eef700834df215cd65eb6a0fddb37b787db
   23f76be56d710
   handshake_encrypt_key: 6c45f6bcdef803c17bd82ef4b55f6b1f4e6d1c54f32af4
   b43703607b5ed378d3
   server_mac_key: a94bf39005d55b243d4b28a905cb950c0d9d98333dbb70cbe193e
   13717985e92
   client_mac_key: 7bed59107c599b2db2c0b8dc5beb9932c0335cc7dff01d53e78d5
   5d162a0349d

C.12.4.  Output Values

   registration_request: 03a120f6f2a0b858f546d1e2b60f810ad0ed8511ef0791d
   c26d8413fe13b0181fe
   registration_response: 0236fceabfe2a4930814ca9a332ce07e68f2adc3716027
   0451a702ac23512cfa1d021ab46fc27c946b526793af1134d77102e4f9579df690436
   04d75a3e087187a9f
   registration_upload: 02e1b4141e364cf9ec579ad9ddff3ad17de4ed8d3b03d884
   a37ba0d3afec5b45c721afeee74ac33d7723f75646579845bfbf12bfbdc50fe96d95d
   60fab8cc547df972d1d19b3f76c5a53e1de821dc64cec826f716136c9397a7fd113bd
   04e6819cee0781091b47d746f894ada27e2eda06ec56bedb2983407791d377f889321
   cd3
   KE1: 03edd5c0afa7257bbaeacab64837430929df9b36bc2784e47577e071a7abd9f2
   ef8ab09b516c0696e39295549d80b482aab2178688195ad806c922c6626e98cf75000
   968656c6c6f20626f62033b64a07786c37f90b1abc757bf074c18326773bc296ec69f
   38c111e4274a4071
   KE2: 0239e4df8488c462d1c224682a9d281f457308b93dd20c3f75c27b9f2b9c2500
   a35a5ff17381f05c594745598e064751cfa87ef81ff8a3a05965a4c6e700f2b0600dc
   b0032c499f548c5c6d390e905d62e3de1e178162d2fcdcce28e342b9d37582fe5d99c
   7894a64f74399525ccd83a4895ca3781e29df46a410b42a725fe4dab9e9c90342c5a6
   7da914e89eb8194ac782511e937ce15aae294acf0f8db74408dd2f7877b506a288dfd
   45503bd89a48458aafc0971d3e8cddc4b54ab58e23ebc079029ad3943fb8e838ed49e
   4d64e5f0b84e120f175f30115009f18f009f7e35081b9000fee6e8c5e47d907f747ff
   767394f8c8df4db2838bc5b92955d6038470a2069a6974b8909a6a956d1aea3563627
   cde2f
   KE3: d0abcf6e885a567fa3ca78cd8ad21baee81efa2111c31266b63681453102196c
   export_key: a20bb894d3f92d728b18611e87219a5e10b65d46140d20c87337db9e1
   5b3c258
   session_key: 102c4211b41b0277245548e6b5640af480f0d7307264aa574067b4ce
   aa6d2496

Krawczyk, et al.         Expires 4 November 2021               [Page 94]
Internet-Draft                   OPAQUE                         May 2021

C.13.  OPAQUE-3DH Test Vector 13

C.13.1.  Configuration

   OPRF: 0004
   Hash: SHA512
   MHF: Identity
   KDF: HKDF-SHA512
   MAC: HMAC-SHA512
   EnvelopeMode: 01
   Group: P384_XMD:SHA-512_SSWU_RO_
   Nh: 64
   Npk: 49
   Nsk: 48
   Nm: 64
   Nx: 64
   Nok: 48

C.13.2.  Input Values

Krawczyk, et al.         Expires 4 November 2021               [Page 95]
Internet-Draft                   OPAQUE                         May 2021

   oprf_seed: 13800aba98225fd13ea9ede334af6f7b3a9c21e03aeb93a18a14b39684
   a6889d2f79d4e8dc5feba7c45fd0e8c9150edb4d15f7814a4b06f99d8226f7c3e1384
   5
   credential_identifier: 31323334
   password: 436f7272656374486f72736542617474657279537461706c65
   envelope_nonce: 4a8a6e468f5d68d5b3fa677d48a3bec161f2c89322a873ea92662
   3243af2ea2c
   masking_nonce: 42c2f63d5b5278536247f6ae675807d8bddcaaede623ced8a96cec
   b9844d7d79
   server_private_key: 6b61028c0ce57aa6729d935ef02e2dd607cb7efcf4ae3bbac
   5ec43774e65a9980f648a5af772f5e7337fbeefbee276ca
   server_public_key: 023713c6af0a60612224a7ec8f87af0a8bf8586a42104a617a
   b725ce73dc9fdb7aacbd21405bd0f7f6738504492c98b3e3
   client_info: 68656c6c6f20626f62
   server_info: 6772656574696e677320616c696365
   server_nonce: 326453281b10997aa161dc84f134178efe6570781421afd7919aaee
   7c4e2b2d2
   client_nonce: 322435bbe19729913346a5e4afc400479667a0228c1c6e8e4f5444f
   d598b31f2
   server_keyshare: 03196d22794e67e69232db19e4032d2f2daa09828c4ef71e5a4f
   296a0edecaa5bf564c97a7e8c96a4977975a44eed2b37c
   client_keyshare: 037e9c1e7bbf41bff8ca6fabb630db2db73a92e57c6260f39d40
   24c619f8b4f2807473ec0f715d83e88ad62b88ff3828f2
   server_private_keyshare: c7a86f11c143a291e349b70b34e67b38fe9dc6f90b47
   375087d72e891df74070810500dfd391282c15d87bacdc9867a5
   client_private_keyshare: be210603388cbcabb8cb630aa1ad04d73e349009a438
   ce248380bd4b7e6758211fe9692922fb61f00f1a39bc735cefce
   blind_registration: cfa46891dfa664a785675b2c95bbc2412ceae9d69a1860383
   45f8ff704bc925f6818500615a825a9a6b5646a4e4f11b2
   blind_login: ebd2fec41edafcba833ccaac567c14d2fa01f55b33a2fbbb37118f2f
   5603b1298346e02cbdf55c95ef9b1aadda5ef281
   oprf_key: f655c17978ae61bed13d01a1116fa75011a9e6191d46fc960606663dcf8
   dae07ceee252875e658bb1d1c5b841d362062

C.13.3.  Intermediate Values

Krawczyk, et al.         Expires 4 November 2021               [Page 96]
Internet-Draft                   OPAQUE                         May 2021

   client_public_key: 035de411e2fb5577953f30f87c4d9d3917523f45b566224508
   cef53aa0945cb6a7ccce4dab6b7c7328d11d667efc6cfd0e
   auth_key: 9cee8f606fda00485838192d7e31fb2eae77f8304d7654af477cf23c78c
   0fc5d9338274e67f9f06c8c97c3fb844986e99b11742a31d7c2513234a6ec8740290b
   randomized_pwd: 09be717bcbaec4e06df0b406fc9a05f079c3f77497ccad88fcc2b
   aa34a2349f8d0079ad5e28128e8a0ed8243b31232720beb178baff69e828ba88cee2f
   c15cac
   envelope: 4a8a6e468f5d68d5b3fa677d48a3bec161f2c89322a873ea926623243af
   2ea2c6eb6c5b7f4fc402d2172d66fb490ef71a552934051511da40766f4ce4aa847d4
   3c3c3ea55b117a1a5c48ddc55970ef3b64de1fe35e305b68ad636cf15dc4aaa8
   handshake_secret: b18a5d52f7cd9bcbf618154ffd440bc7279dd5bb2ad4cfa8518
   f00cc55a3208c05921899b07c08a7e7380f842bf330ec5fc916e1849f8a144750bf04
   9056310f
   handshake_encrypt_key: a4c41abe175bf6d9258a3dceb3f2210b5519ccaaafcf33
   7b0ba50b2ce841513326bfdcfdd8b3bcaaf6449a8de0919c31b72315285fc8a88a16f
   41aa3d44974ff
   server_mac_key: cc2f7f60b051b72fabd39537c4dd60682dedcdb36cd04d291c948
   00e94707d2bf85e4ace90a8c61a2894bd9bc65aee19d61ce144c2c873d6ca73e098fb
   8fbacd
   client_mac_key: 027bcba9c75a1152c2a7c915f544c43f2be877d5608d8a1a676e7
   301489c64eaf36271c404b70da768cb51ff642449cfbb2e51754619b0d70cb83a2332
   31bffa

C.13.4.  Output Values

Krawczyk, et al.         Expires 4 November 2021               [Page 97]
Internet-Draft                   OPAQUE                         May 2021

   registration_request: 032a1ed9cba49c4f38f62e77ca295b8dd95d4d928aeb7ec
   db24e28d927909e4624e4ef5df6b729071abb6e557b809d5ae8
   registration_response: 03c1da8bd060abc6e688aac947e3f849c0b4440e9ee9de
   f90ba7ad7f79c5a32627ebdf1d02c9768c8ab55a5638ef8033fc023713c6af0a60612
   224a7ec8f87af0a8bf8586a42104a617ab725ce73dc9fdb7aacbd21405bd0f7f67385
   04492c98b3e3
   registration_upload: 035de411e2fb5577953f30f87c4d9d3917523f45b5662245
   08cef53aa0945cb6a7ccce4dab6b7c7328d11d667efc6cfd0efcf452f9e40c4d9df2c
   441d4a65aa2b6c73c12eeb0abc32d87cd5655b57c5c019997da030219eb51cf4468c4
   92d0953aaaeb43f634cbb0ed5100cf95a2a2a75c4a8a6e468f5d68d5b3fa677d48a3b
   ec161f2c89322a873ea926623243af2ea2c6eb6c5b7f4fc402d2172d66fb490ef71a5
   52934051511da40766f4ce4aa847d43c3c3ea55b117a1a5c48ddc55970ef3b64de1fe
   35e305b68ad636cf15dc4aaa8
   KE1: 036bb3b9d78c508490de49427658685d8a74bdb5acb7ca4fcfb6fa5488911b86
   8e746c08a1260d828fc5fa7e4232a2e58f322435bbe19729913346a5e4afc40047966
   7a0228c1c6e8e4f5444fd598b31f2000968656c6c6f20626f62037e9c1e7bbf41bff8
   ca6fabb630db2db73a92e57c6260f39d4024c619f8b4f2807473ec0f715d83e88ad62
   b88ff3828f2
   KE2: 035e2060062e1fa5cbabafe394331fe40e84a7ee61ba0f00db18551adf53a3c3
   80803b5d296e64a4ec298cead57dfa4d8a42c2f63d5b5278536247f6ae675807d8bdd
   caaede623ced8a96cecb9844d7d79a960a3b4f660a8b0df50469ee450e36b648a3913
   d6f3ebb7bf1981a9edd6a425f13242e1bf5a529f7f472e776f8ef2dccf7af9c9785cf
   c23a20a17d75615d019399ce4b78a1a8b88353fc6aac945377f4f87e705a39c0ac017
   d5226dcb15b118dd3c84b53c935dc648555e3ca33be2122633ea59d8f3d1374e63cdc
   df1217b8614bde3396183aba4d93f412f153c293018326453281b10997aa161dc84f1
   34178efe6570781421afd7919aaee7c4e2b2d203196d22794e67e69232db19e4032d2
   f2daa09828c4ef71e5a4f296a0edecaa5bf564c97a7e8c96a4977975a44eed2b37c00
   0f473d1a939f630099a3272f271913ec909f1300f12da57d3d6ae33e0d587b2d16a5a
   21200c2860321523950d6e59831c8056310e3a73b0bd9c49716310a69e3d2d043d646
   96b3ebf52ab66e13a81e31
   KE3: c9a4a4461e249f13a553edac3b86cb73c6944b15161a2f0d069eef5de7ffe73b
   388d5497963b1f70a3158075e06e97db6c715be0f04d93980f63918170681408
   export_key: 57baa1225a9bc0e5f97d9ac053fff44d488eac46326b99b385afa7471
   3a6e0c57b0e1d83705db58aea52d169a7d782f3a3601dfbdd8709db37d8164c52cfa8
   94
   session_key: ce5fbf3d3645c21626073bd55802311a8ae168cf79a4826a7a55d543
   c7ac170bb56a005a686b7643305d1c575f41e0e1ee4c35b888a9aec84f821082c188c
   dd3

C.14.  OPAQUE-3DH Test Vector 14

C.14.1.  Configuration

Krawczyk, et al.         Expires 4 November 2021               [Page 98]
Internet-Draft                   OPAQUE                         May 2021

   OPRF: 0004
   Hash: SHA512
   MHF: Identity
   KDF: HKDF-SHA512
   MAC: HMAC-SHA512
   EnvelopeMode: 01
   Group: P384_XMD:SHA-512_SSWU_RO_
   Nh: 64
   Npk: 49
   Nsk: 48
   Nm: 64
   Nx: 64
   Nok: 48

C.14.2.  Input Values

Krawczyk, et al.         Expires 4 November 2021               [Page 99]
Internet-Draft                   OPAQUE                         May 2021

   client_identity: 616c696365
   oprf_seed: 2fa53469eadd73b1fa9887554db81fcc1dd326a364ddf58330f8174958
   875763130077aee6e744624c72c29668535d30250d89a20cbc9e2654b08314da9245c
   7
   credential_identifier: 31323334
   password: 436f7272656374486f72736542617474657279537461706c65
   envelope_nonce: 9a1242e14caeb650b6db37478131f194c58aff77ae769388699ec
   c81f99b8820
   masking_nonce: 1904aefee8a91aa363df4a775d4834c553c8ecbdef6c173403f066
   8ac96a0bfa
   server_private_key: f5acc7b0dbee75bcd8bb50363ec640038177f06904f2476ad
   5274e2f9d258659e80b0fbd20e4761b22298eba98ae9dc5
   server_public_key: 03ca37ed36b0b311e3241e6e96f49a44edaa971419d91fcabf
   fbca0184afabd92827344da8379abfa84480d9ba3f9e4a99
   client_info: 68656c6c6f20626f62
   server_info: 6772656574696e677320616c696365
   server_nonce: c5fe35951cf3cf6b68e388bed557b8ec848eb49ef719deaf56273b2
   4190d8485
   client_nonce: 30cf008c4abd83de383f29da8820d2868d106c347de88d5b7057c0a
   c79a1884a
   server_keyshare: 037b55471c1bb3a246d0030fda68aa80a79786fa060c0b56e7bc
   7d0000886e3d661be0afcaa0cf69519eb528a11af48a9c
   client_keyshare: 021323ffcdb6e9971cb3d0516ac4f70f48c50ce81c897b4c3459
   ab5aa664a410e20012f6a3eefc00044991282868648a0f
   server_private_keyshare: 181c9f03d5b5e51b3a90cc9da17604b2e59a93759eb0
   985d2259c20e3783be009527adf47f8fb5b1437cba7731c34ac8
   client_private_keyshare: 0bc6ab1b8c14ff4110afc54c9598d5f1544830f9d667
   b683234c68ef3db95227fe3ebdfd963d03070055fef107bfeb3d
   blind_registration: 92e4dc9cd7f7aebfb1d3d2b8c7fa7904503aef20c694a01d3
   e1154fe98e7232be9eaec5789a012a559367b1f99654ddf
   blind_login: 79c86b934061f894227b23a69eb0b53f168a4a2230ef6a7d703ac4cd
   5b5e0fe438b3000884019316267eae9b424f8126
   oprf_key: f375a6dd502549e0dd8c67060b1b3610a6c01fb78a2d4fc2555ef78f494
   23393b7aa166a4d47b5526db558e6a818a93d

C.14.3.  Intermediate Values

Krawczyk, et al.         Expires 4 November 2021              [Page 100]
Internet-Draft                   OPAQUE                         May 2021

   client_public_key: 027fd481529fe30db35dbebb7bce46564920f5cd18221c7a31
   265ff3ea9af5896f685cfa39d100dd9ddde1fdf0139b6f77
   auth_key: c8873508331f03fa55a3157e3405b6358bc42270387a181b38a2f8faa8c
   ebb95eaa0f07af9589a1f6dbf5d5e1bc835a84dbc1b120dd647dcabbc2ef9f3fb1808
   randomized_pwd: 08afd475c652f52c25433db458d79792f1205e22e23b2127ec992
   bb10e4acf9d3b583128e59241fb64918756bfcb43c7189df8f5348303e0fde437bc7a
   8d9e3d
   envelope: 9a1242e14caeb650b6db37478131f194c58aff77ae769388699ecc81f99
   b88206ec6539fd339dab28daf5dcc962b240bed4776952de1a622d5dbb33e314f142a
   4c7903cafbe5d3464c78552655e153bb3ff274e6a80a7c0560d2ad7bf243e682
   handshake_secret: b562b476cbef308f37efa9fe4e9baef70b0435e3cb7ffdf940e
   4e72881902999b3e62c76a573a44044bfe28ac82a77767df31cff79a35508df967061
   d7b9c5a9
   handshake_encrypt_key: 8e52d760aa23442270a6c880ea165e2b4d07eb15cfbcd1
   07d27c9d2573fdc918e598397527895faa1565935cadea27ca415321019a3e6dd9555
   6ccbbe08012d9
   server_mac_key: bafd8cbd704a553c4859ba9cad35d024d8a14c35e9d1c26512995
   bb47aac4147cbb9a927607e0dc4c1abe03265991ee982918b2a3a6b4a6bf9c9dfb75e
   e992e2
   client_mac_key: 18dae5081243b3ae9f8ff3a400a413e0e33a4fc83e68174bf8aa6
   b4e6b30881c38738d9bc3ce35db6caaef4fceb70d3af255c6120900c8dd21d1fe04c9
   fdc016

C.14.4.  Output Values

Krawczyk, et al.         Expires 4 November 2021              [Page 101]
Internet-Draft                   OPAQUE                         May 2021

   registration_request: 03c11a1b33c831ff085bea647c06bb354083adeaf4e7c25
   d4ef17e90a25e590b275d412a48b83c064f75a6fd383e4730a1
   registration_response: 032e2e2d79c4de3f578cf146419357b40c766356636712
   310c3e787b768a90ad21500cb17a5715cc17e55b287a1ec4574703ca37ed36b0b311e
   3241e6e96f49a44edaa971419d91fcabffbca0184afabd92827344da8379abfa84480
   d9ba3f9e4a99
   registration_upload: 027fd481529fe30db35dbebb7bce46564920f5cd18221c7a
   31265ff3ea9af5896f685cfa39d100dd9ddde1fdf0139b6f77cff2cc696df1a036600
   41b9c521a0ce6290e098168ffc27730118cf5ef4300ec692158ede08cfed5d64e4703
   f2c375b7483cf210f5d3149d4b06e2721398dc349a1242e14caeb650b6db37478131f
   194c58aff77ae769388699ecc81f99b88206ec6539fd339dab28daf5dcc962b240bed
   4776952de1a622d5dbb33e314f142a4c7903cafbe5d3464c78552655e153bb3ff274e
   6a80a7c0560d2ad7bf243e682
   KE1: 03569da14f7d483ae405bdbd365b7bc7cd11968aa5c105d6fdf21d83cbc77050
   7be9fb3aea6709f4a37e940900bccb4ca830cf008c4abd83de383f29da8820d2868d1
   06c347de88d5b7057c0ac79a1884a000968656c6c6f20626f62021323ffcdb6e9971c
   b3d0516ac4f70f48c50ce81c897b4c3459ab5aa664a410e20012f6a3eefc000449912
   82868648a0f
   KE2: 03c7b550c1f4a2ffdbce37b8c3048d6684972d3e145af0af6b4d9042c2c95a73
   cc43c1b0d21e79e52096fd92936eea28351904aefee8a91aa363df4a775d4834c553c
   8ecbdef6c173403f0668ac96a0bfa6fe644beeb3cc4b900ca849a68c6fe3cf0d2aa8d
   7e994bb8dcd63455dd800f51fdaf741c489488ca6032ac215f83300c939b3ebec5294
   8afb1db24771b2ebbbea5ae284140757302a75262fec7047687fec7ea92e622d3c561
   546b9ef1627a0016a60a7a840da5834bac6c958a2637fdd0fdf658e1e9d8959730b27
   8e897222982490739efacabe818b3e8c6e071d68928c5fe35951cf3cf6b68e388bed5
   57b8ec848eb49ef719deaf56273b24190d8485037b55471c1bb3a246d0030fda68aa8
   0a79786fa060c0b56e7bc7d0000886e3d661be0afcaa0cf69519eb528a11af48a9c00
   0f075806cae72c6f1c14f022f7091dcc285c043a001c7a91300aac71bfec828623eb7
   090d6daf98a2073a5194c0f4a2ea670de39b0e671dfdac3127141c0ebb02d771f7ed8
   195d017ef635711a941a89
   KE3: 0b23e8b3d9aec014f7b408bb096887fd163ed983d35e24dd0674566418679aca
   55ca0346271b01ee5e5ee080a643b239b7c89402d406c86a25a99920aed79168
   export_key: f7c4b9ce1da6bad2cd801d0896fcb9e2336214833174b405371886866
   0de96f0641ebb441334c1330a4fd9ed07864436b7468efb38409d60499764b7736bc2
   ba
   session_key: 660a911162675dddfe9d309bbf3169c7a4e52fc900a7eaf12cbd4001
   1c93f1a3015e1323ee772a82ef32b5b67eb57ab3f894ddc655ebed71639f643190ebe
   067

C.15.  OPAQUE-3DH Test Vector 15

C.15.1.  Configuration

Krawczyk, et al.         Expires 4 November 2021              [Page 102]
Internet-Draft                   OPAQUE                         May 2021

   OPRF: 0004
   Hash: SHA512
   MHF: Identity
   KDF: HKDF-SHA512
   MAC: HMAC-SHA512
   EnvelopeMode: 01
   Group: P384_XMD:SHA-512_SSWU_RO_
   Nh: 64
   Npk: 49
   Nsk: 48
   Nm: 64
   Nx: 64
   Nok: 48

C.15.2.  Input Values

Krawczyk, et al.         Expires 4 November 2021              [Page 103]
Internet-Draft                   OPAQUE                         May 2021

   server_identity: 626f62
   oprf_seed: fc75fe0ccf7b66bead3c7df4578fdf22f1a5e412fdfb02240e98c23931
   7e142e4555a81532c2c38bb2a359bff297e4eb371cb2c70e5d9f4baf6f4422a62c664
   4
   credential_identifier: 31323334
   password: 436f7272656374486f72736542617474657279537461706c65
   envelope_nonce: 611ffe4346ea4da5e6211dff6595c9a7180e89790a92ed156605f
   633ca69fc17
   masking_nonce: edea8ae70db1b219cdfa2e7a2f19490cee9f1bbba684d05e8ac7a3
   e5c54ff287
   server_private_key: 8099b50c7ed9444176251781b6a8575de7491bec330164821
   b9b2a108e3ef8964622075015ac9ea0f8380dcce04b4c71
   server_public_key: 03aa179347ce8e27d2122b8c2c43315635e5489dfe1a50ab77
   186e4710cc489638b097b3302b550da04f5d76adfa826688
   client_info: 68656c6c6f20626f62
   server_info: 6772656574696e677320616c696365
   server_nonce: 2d069de96e1151da43e0148ef707ab89f8d9f771d4e43a88e1fe08c
   aa45865cd
   client_nonce: 222efa759f00e0ab036835e37ab6ad3563188bce0dcbc42f39e5958
   9c8419d24
   server_keyshare: 03ed7dcbc8318a00c1f42c2b75682d0beb532636c2e03c524bb5
   bf5af735812003bdc0d076ca0dc9aa7ea97273c7088f78
   client_keyshare: 038d4077ad0d00842d0d621527f8225c405f80049752378a4e11
   1b3dcd52857d35f464202f22a17d717d5a3be3455a93f9
   server_private_keyshare: 3311ce41098e662e559a0599ff077b4ebcbe7f73e9fc
   1bc25fff3fc5fd6c8bc664e27822fdece106def4a69460e97774
   client_private_keyshare: 47a314fbbe5035803d3aa65819e81997c4d89909e25c
   e20d0bbbe0ad45a97be4680b39889979a8b4b432245062838a00
   blind_registration: 2df429f90cf65d49d89d9289512729491e70dbcfef197f2df
   475d05175e75fb25791f11a8f5484eb790492839c0c38ea
   blind_login: 2d90c0799597e99c926ae54b2fce5ca13daa8cabbd4da53324fbd205
   54f2c56460442edb7d6ee76b64ab68d0a8f5b1cb
   oprf_key: c65f2080ce0134064252d414e5e13252a34f0e8b25da287edfc20175034
   0ac3bbbdf5729aae5d6c788c38113d16c842d

C.15.3.  Intermediate Values

Krawczyk, et al.         Expires 4 November 2021              [Page 104]
Internet-Draft                   OPAQUE                         May 2021

   client_public_key: 03bad5466cf47b6ac4dc17d4ba64de8a1ac31d1c8a314b0509
   c89e4e7738c93f2e12fae8aa7332f9f6c009576b29fa3959
   auth_key: 2f3e95329ae7a2ff94f93d7442e54e522f2a4aa967d1ed9dfe0a2ede638
   cfaf0a76d0e095b9d16a590f7ff16938d18bafec5ddaa769065e092f8cedad4356f5a
   randomized_pwd: 7e379dbebbb4baca152835f5212dfb0d581fe4d4c45762c4c8503
   1859123a6c1a0ed2349e991825167f7d51290d444f050c56c4e5b5c33ef9b64a479f6
   6cc1fd
   envelope: 611ffe4346ea4da5e6211dff6595c9a7180e89790a92ed156605f633ca6
   9fc171c92b31b1184420dd2dfd9746c0778e0e290d944930a4348b0d496efd418dc3a
   511955a202a9ec5195a49a0f43e480dbcac29ae734636aaa450d2921af5d3bd2
   handshake_secret: a0f8d3b354c1911d782d0c8aa8bf154adf3dc513fb54767cb91
   0f85c481c0ebacc67db9de9ce13c79a132ad24efc6bb4bd09b05edb6c364e9740756f
   b260fb32
   handshake_encrypt_key: 73210a2c777df797e2f76bcb0d8caab8387fbce88c6620
   f6b8aa3d1e2e46a8eb4b30970421c3b74e92b7002a0ec2d21894378aef76fa7abbbab
   1e84481c37b27
   server_mac_key: a40f5da4b2e8b6c3ae0d0f388fbf75c9cd541f163c8f28a17b1e6
   38abd3f7cb91bd46fe787e2cccd7b7811d7e3f6664fcddb7a5f58a43deaadb9d4bc02
   a8d345
   client_mac_key: 86675536bc72d43f1deb1b829ebae685e3f7caf576b93eeea84b2
   8ce81a729ab4d67a875049ba18b7f80c4d67a91378309d887d214aa083111bcc10c25
   be4f96

C.15.4.  Output Values

Krawczyk, et al.         Expires 4 November 2021              [Page 105]
Internet-Draft                   OPAQUE                         May 2021

   registration_request: 0399b76973449a299bd2ad6be1ca983c8a1eccc7e05a36c
   a120a30a8807d96bd4b98d076ddbd99e36adfd30b0886fe42f9
   registration_response: 03a899022ac8527f0c325fc8efdf2204d09c2f49992356
   5c083fea154155350707b32f7e995d74ca71e6a3b7fdf85bfef003aa179347ce8e27d
   2122b8c2c43315635e5489dfe1a50ab77186e4710cc489638b097b3302b550da04f5d
   76adfa826688
   registration_upload: 03bad5466cf47b6ac4dc17d4ba64de8a1ac31d1c8a314b05
   09c89e4e7738c93f2e12fae8aa7332f9f6c009576b29fa39597531c4c89226673b215
   0ebe2393123efaf27c211f74342ce066e1248256036f6aa69cbfaae7d2c2434a5453c
   fc3566d5ca6aec0ee75d264a009894c05aa96c7d611ffe4346ea4da5e6211dff6595c
   9a7180e89790a92ed156605f633ca69fc171c92b31b1184420dd2dfd9746c0778e0e2
   90d944930a4348b0d496efd418dc3a511955a202a9ec5195a49a0f43e480dbcac29ae
   734636aaa450d2921af5d3bd2
   KE1: 03bb6ba53426efb2307df620440d09e1b503d3d2135dd0c845b59f135ab39bb3
   00aad505641fdbc2725c31d221feb82d9a222efa759f00e0ab036835e37ab6ad35631
   88bce0dcbc42f39e59589c8419d24000968656c6c6f20626f62038d4077ad0d00842d
   0d621527f8225c405f80049752378a4e111b3dcd52857d35f464202f22a17d717d5a3
   be3455a93f9
   KE2: 020e9f886684004eddf958ee21389e9935e4d127e336e24fd1208f0d94944410
   6db5a01f31dc322b67e6a640e8ace9206cedea8ae70db1b219cdfa2e7a2f19490cee9
   f1bbba684d05e8ac7a3e5c54ff287a782199b1bce66b423d1920c4dd74be003ab175e
   94766cbf0d5f909c9c39318b69b7d3def1d25091d4ac84906f5e6a52bf32158bd1f81
   0b5ac56cea398d8b385dabfb51de1df1bc23116aa7824e2f17d8a1723abfdd468843e
   3ef972d27db78fc56b79ba0c7b30ca5bbc3cf1feed3d160347b47d705145a2a0f61cb
   e0ae3d12ab4b5327b8eacff5b9040daf3674a9e6e482d069de96e1151da43e0148ef7
   07ab89f8d9f771d4e43a88e1fe08caa45865cd03ed7dcbc8318a00c1f42c2b75682d0
   beb532636c2e03c524bb5bf5af735812003bdc0d076ca0dc9aa7ea97273c7088f7800
   0f52a1e35aa6b9ce5b2af65860ab82a57aa94bf37ee0bd7ac7e97655d29fca42cf032
   c975f84f2f4cee58cea51b0b0e3d92856894b5e8008efe058d31776d76411c1bae7fc
   ec7ecbe924dc292e2fe009
   KE3: a9a0310debd4c69755563868a7b88cf6558c787410beaac22ab8ef535ac2e3a6
   10a51d1ba42a0f37b2c034d82cc2a84b7d5ad20e00504aecdd4a83ca91509141
   export_key: df4875f440f3fc915fc1f6f66c167dfe368dfac89942b352db7bac0e6
   e1029c96607d5b4ef9e391d24d6b2bd7da12cf16cf88b47de29c07bdf31fc14f2dcc4
   0b
   session_key: c53bef385e9015d2fe40cc4c02d1cce7133f9fb8cda3d399c8f7d252
   1c0cad5067ce2a7785c0923dfcaa85eed8f1e6f63bdca67976697830a3d26204e4866
   025

C.16.  OPAQUE-3DH Test Vector 16

C.16.1.  Configuration

Krawczyk, et al.         Expires 4 November 2021              [Page 106]
Internet-Draft                   OPAQUE                         May 2021

   OPRF: 0004
   Hash: SHA512
   MHF: Identity
   KDF: HKDF-SHA512
   MAC: HMAC-SHA512
   EnvelopeMode: 01
   Group: P384_XMD:SHA-512_SSWU_RO_
   Nh: 64
   Npk: 49
   Nsk: 48
   Nm: 64
   Nx: 64
   Nok: 48

C.16.2.  Input Values

Krawczyk, et al.         Expires 4 November 2021              [Page 107]
Internet-Draft                   OPAQUE                         May 2021

   client_identity: 616c696365
   server_identity: 626f62
   oprf_seed: 2bdfd31fa072994aa6978c8dde8c5841326dc8b4a732cc70fe08a86535
   a8e2941feab21cd6ddf3fb88c7d76f00df95f2c0e47ff21bd70820cd0f66459d66f29
   7
   credential_identifier: 31323334
   password: 436f7272656374486f72736542617474657279537461706c65
   envelope_nonce: 32d93989aeb49cae6efa3963bc9f55d727779dd2f72c0974acf04
   333392a92d3
   masking_nonce: 17cc538cdb5aa6e30dcc560737523284e78004ad5be2133e99c8cd
   bb3010773d
   server_private_key: c6c4dfa3a822d8f670e5aa46e733baaec9f93d5e14ad9ab99
   dfcbcb2ad157a8aef1f3fec3f24bbc392c9755271e8792c
   server_public_key: 028cde89b6908e81425fa8a597e3103021475346a146b1f1dd
   ab47f09c76ed3b78a251cf390bdc086924bebd471063abec
   client_info: 68656c6c6f20626f62
   server_info: 6772656574696e677320616c696365
   server_nonce: 3e21d9300486633273041ef5f2a160c1a73b98addc5482c6a96c108
   f84d34d57
   client_nonce: a3d77a82779471cf9b98f8b7dcb5212a1f2edc9ecf6f8e8946bec9d
   68ba6bffb
   server_keyshare: 030d570f50898367457561b3a5c707852633b4f9404cc45b4058
   f52f5da1ebf67cb737bfe5c272bfeb65efe6bf7255116f
   client_keyshare: 0246ba00038cfa5105659e8c250d10618a2c7f9d09d174663bc5
   689e4778f7054534d9a4200a447510023af3ad3c61ece7
   server_private_keyshare: 8075bbd3ebb3097a0f9bdfb7430fa3490ab6c2790e3a
   d33faeef2365ebf9c1edbdb24825e5735614aaf644f03458a1f4
   client_private_keyshare: 0c90229f8068bec0ae930eef110e98ea1cbc6d849b4c
   9ca5b7a970d0320ba5f4f95f5cd4f501d71f00c654c50fddc636
   blind_registration: a1bde3dbb840b3924c5ceba5bdb181a51679ed98960e4cee2
   7f330d5d3dccebf40596dc7e8b057938841423f8b336f13
   blind_login: 6f1aa3fb05702631e213b4bbbe8fe5176fff25526ed5b1772ba61649
   52c3c2da8017fdf337f81f5cbd0ec805923a3360
   oprf_key: 2f87ba23ed2b08e13fda5423b7fa525e4d51a7e3d334a4747409e6876fd
   3e41960ef475d75108fbb9964c34bd8c81302

C.16.3.  Intermediate Values

Krawczyk, et al.         Expires 4 November 2021              [Page 108]
Internet-Draft                   OPAQUE                         May 2021

   client_public_key: 03520d07d74259e58087a91bb199dd2434393202c882f969a9
   cf4a725265c0d75c3747fc1be62b018001c0b27577efc201
   auth_key: 3fdc19a161ad6919b37ddb1653014cd96fd1deb98e277330727829d9045
   7ff08f816e685af01399144ccbb26f54c007ced38fb19a0be1d22f6865cc1ec0fbbd2
   randomized_pwd: 0c1222bf0d77b3b103f6b40f84a83f2d78afba7e401c5747ad41f
   4c850a5b61202c0acabb684b1fa56dd77cf435f917c561446030b9b241e0b6831bf0d
   e27909
   envelope: 32d93989aeb49cae6efa3963bc9f55d727779dd2f72c0974acf04333392
   a92d30b3cd05893b9312195f056aca4648f6728ea8f6a699107a02be0919ae296d0f8
   5d2c504a3aff8827d4ae66cc686da46545ae18d8ddf70ca3967dce24c22a76f7
   handshake_secret: d322173215751da05fa700355e019fb006fcfc91c55a07d1402
   aa359b9da0a8033a20f65cfa583cb89f6d6887d1ace1600a3b1508535980e1d361bff
   4f1ab4ec
   handshake_encrypt_key: 2a3b4627aa6bac7cc689ed6ba935e8dbb94f950fef73de
   8fc68865ba1fa828e47a1fa0f227fa4db8a4d88e41c6e02aa7ed0ee5a40c66d6ac331
   a8288340f8ee1
   server_mac_key: d51679240895a92d8c9043a376e0f6fb8342040bb19316ad4fba7
   e1255c33f8cae47ae5afa6499170860d07934077890d1e1bc3bd221f5b8aeb86d3866
   59d2a9
   client_mac_key: 720ead3623c388df8ec008fe90b5a2c4487fb2945c87558d671eb
   1b0a5b391b37825e3c7c577aab365631c377647833730bc1801d804be60eede6da818
   942f10

C.16.4.  Output Values

Krawczyk, et al.         Expires 4 November 2021              [Page 109]
Internet-Draft                   OPAQUE                         May 2021

   registration_request: 03f8569ce50a023ad6518281322157e79e1207a96bb9214
   95ccde8cf48eaf27895245a7b8f4b3b5c43ba54963a19cc488e
   registration_response: 03eb9df563b7315fcd8894fc37bf1476e968100040df1f
   51367923f19a683157fd5223e0953b9471c4bacf90204c1da47b028cde89b6908e814
   25fa8a597e3103021475346a146b1f1ddab47f09c76ed3b78a251cf390bdc086924be
   bd471063abec
   registration_upload: 03520d07d74259e58087a91bb199dd2434393202c882f969
   a9cf4a725265c0d75c3747fc1be62b018001c0b27577efc20106e6f8dfc764d4aa2b6
   654de97281e7ce747e5c98edb159028d68be2af2df21fb4a66721d5d5492ca72052b6
   baedce841446a783ff71c5ce47d35103e3e209c932d93989aeb49cae6efa3963bc9f5
   5d727779dd2f72c0974acf04333392a92d30b3cd05893b9312195f056aca4648f6728
   ea8f6a699107a02be0919ae296d0f85d2c504a3aff8827d4ae66cc686da46545ae18d
   8ddf70ca3967dce24c22a76f7
   KE1: 0255b2107d1a2192eb54c25c98bb7a95e581d7d23a38e1fceac9f8ce99f568a4
   fad6c9bbc5abe4ff08f8b22e31bdfd6971a3d77a82779471cf9b98f8b7dcb5212a1f2
   edc9ecf6f8e8946bec9d68ba6bffb000968656c6c6f20626f620246ba00038cfa5105
   659e8c250d10618a2c7f9d09d174663bc5689e4778f7054534d9a4200a447510023af
   3ad3c61ece7
   KE2: 030e286b95d83b077e53625276ad321ad65f5228ed34a14b54f41e26449a4385
   d3a1267cf0bdb2d4ac262b08c07d123ad717cc538cdb5aa6e30dcc560737523284e78
   004ad5be2133e99c8cdbb3010773d0881c3a5b9974d7b2c9dc8de2c2c4771961ae920
   1903da36d7a4194782b61b5cfbd43328172c32612e8f0679998d92231b88c381011a7
   dcabbc46d8f0db34675091028b13c9fdc0dc3fd6d0ec34689c2d1692208668ae2c655
   10112e0b4f5197ecbe0bab9efc748610f185d660a748cf09664b0ac1ca99270bad2a2
   0ca2dbf8ba711350db0fe6c526459facc3452fb1f233e21d9300486633273041ef5f2
   a160c1a73b98addc5482c6a96c108f84d34d57030d570f50898367457561b3a5c7078
   52633b4f9404cc45b4058f52f5da1ebf67cb737bfe5c272bfeb65efe6bf7255116f00
   0f509b8349bbd798853b4bd3411ed1510754ef45a3a98746b80b1b03c143d3f68c7e2
   41ce16d8c8c361e97d4d4972fba0a5f77765440f896084775695ff96ed009d02e3b51
   f8c5bafd0ccc97e8be12ac
   KE3: 52bc1ef46ae8e519aa1b2f069c51513ca9413736612764b2234b0bce1ba368c4
   ccd273b1140279c17f01c004f3c8f80dde7784b8a37f8b8ce3b0db89bb2aab03
   export_key: 590ba54db51fcecd99b7736c972e54f0ef1c6e648837bd625552bc3ec
   bdbb06b7a82f32357719db9ff93c8b972144b681aee6b8dd6b2bc8a1a3787142fcfae
   2b
   session_key: a3170d57e3dd49183ecfd8805b781bb64647abb5c68119da02bb1a1a
   d0c05742caf908e70d317bd10fb336eb4809c12ee9fc5f7c903f05e6829ae41d6e7fe
   af8

C.17.  OPAQUE-3DH Test Vector 17

C.17.1.  Configuration

Krawczyk, et al.         Expires 4 November 2021              [Page 110]
Internet-Draft                   OPAQUE                         May 2021

   OPRF: 0005
   Hash: SHA512
   MHF: Identity
   KDF: HKDF-SHA512
   MAC: HMAC-SHA512
   EnvelopeMode: 01
   Group: P521_XMD:SHA-512_SSWU_RO_
   Nh: 64
   Npk: 67
   Nsk: 66
   Nm: 64
   Nx: 64
   Nok: 66

C.17.2.  Input Values

Krawczyk, et al.         Expires 4 November 2021              [Page 111]
Internet-Draft                   OPAQUE                         May 2021

   oprf_seed: a2f0732043d4e8dc0909314ba2681df5eeed5a0c30b599c257b88037fe
   2c6f8ba1e038930e003c2563d265c49c56d4d82a155d6b81e82cc46210869a68fa4d8
   1
   credential_identifier: 31323334
   password: 436f7272656374486f72736542617474657279537461706c65
   envelope_nonce: 8576a0c7c81f7a7575dbbabe910d8abd35258409dd4fedb8dacbe
   0fbe1f99d8c
   masking_nonce: b9d3084eeafa7d20d841bdc80289111ec8aab7b1bdaa8f670051b1
   04db229e88
   server_private_key: 00648b7498e2122a7a6033b6261a1696a772404fce4089c8f
   e443c9749d5cc3851c9b2766e9d2dc8026da0b90d9398e669221297e75bfdea0b8c6b
   f74fcb24894335
   server_public_key: 0200be1ff2041b4f0f5a8c110dfce0f002e6bcfc8fb4a36b4f
   bdcde40d8a20b470c62e20ec1f86edfdc571fa90fc6b04d78a621a96676570969ee2c
   b6461e06e2cb61e
   client_info: 68656c6c6f20626f62
   server_info: 6772656574696e677320616c696365
   server_nonce: 30af4fa64192a5338aeeeb43345b014348afd6f4cb7e2a103057dfb
   ac8cfb834
   client_nonce: 1e3b093abca6b82059f2e0ba5ffafd8b54ebc7215eea7a556461d65
   0a3c41199
   server_keyshare: 02016c63c8e2b3feac6366e3dcf752a8c2a287c1fb4d648aedba
   86aa0ee07d2b1133d3282584d7c66357bfcab76526f184f7ff9af506f9eec01645b99
   b6918bdda600c
   client_keyshare: 030187b0369b07402c41744c664239d0f9fad568f0ea5c13e4e4
   d80c770fda054cca7fdebd3f91a803a3efe7353969e388623c224a86cc32575ef8cd5
   e0cdc3c467343
   server_private_keyshare: 00746f74e77a62905a6d3e4b0b10600a7cbb4293a187
   ad3fc8c91caec3bd7699591b10d6da93877a470e128f38030627dffcbbf1f576b3867
   7841fc47af778f9d85b
   client_private_keyshare: 01939388ddf4607e295e64cea6f4f95078b7e30ca85c
   4154cee4afed8403406502ed2f79ae56e032dcd5436254daeb0620f584755b22ff954
   eb79ac24c8778dcf34f
   blind_registration: 01c14aba77e5e37d5ab1389e09b80a34cfa96e2d294e9f04f
   b076cffe7d179d692a05b0c2210b6c008c1062c1e54514ef654eefc0519dd1867571c
   9d518e305fdf47
   blind_login: 01448da2c02dab317d5175d73a1ff9d62286602e87d57a53a1c70f44
   466b3861be4f8ef48c2bb1aec2e478e341c467fd4a2638aeca63ed6c4bc48d008bca3
   f36f044
   oprf_key: 01fcaac74a26d002c492c586fc16dcc83f0bb8dee9b991ab8adf9da3b9d
   0551e28f64f2d39e244ae8da38949f0bd3b8828e0bf824c1101394bee7bc83a732837
   acef

C.17.3.  Intermediate Values

Krawczyk, et al.         Expires 4 November 2021              [Page 112]
Internet-Draft                   OPAQUE                         May 2021

   client_public_key: 02015d849771c3ae0ea3af9f2462c822b605be212e05e83c3f
   7d6e65551945636147da2b14e09c596ca154526b09ca9ce7b51b63185e016cf2aecc8
   6d3800359151daf
   auth_key: 5fe6261467d324fe32b627478eca4b266a30d67d8b982e10c311c928ab8
   c394ef17958502bbb650cd39035b18b393df1efd6037f98216caf96db3860dbb739b8
   randomized_pwd: c1ebdbd0b7737dc8f747261671d106ed8a9ba8751198741e34147
   91ddc11abe2900f8d3630454162e169228155670aca7960069900e9bf6fcca43a028a
   5f9eb2
   envelope: 8576a0c7c81f7a7575dbbabe910d8abd35258409dd4fedb8dacbe0fbe1f
   99d8c089d602d3349adc7ef4fdf1ce7654d946ae6bf23f0a53a72e7836c07de92af79
   e9e6aa5353a0f10b3f8314a88aaaa98695396dc5bd045a68d7647adf50dc2c77
   handshake_secret: ac52ad048c93b646ed484dd29ddc35530ce69327a928a4ba134
   11b9f222ca132443bd9174160ff72c65fe2555b507672510109ad718ef9d207468a34
   534181a1
   handshake_encrypt_key: 003b51400c880b90baa64a92347eb97f645f4e5f8fe986
   fcb9e7f7810bec3d9be597f5467a388eb9df415b56272a36a59c67cf84cf16627c701
   a0c1e5bdc2b2c
   server_mac_key: 998ba809cc34d7934f25c8f3c4b16917918577045b6ef805d76ea
   bb5d06d451c03185c5b0ee50d537310ffea3748d9c0eb18efdd119b6a56849dea5733
   457ca0
   client_mac_key: 559874ed898f25cb67b94c84b1355c5e5fbe58b903a3c9f1b3a22
   22aa4a2dd92951be7848ea64cf8e94e4ce4d2e43f44f7fb5b96c3f0110a10c6f88ed2
   37d172

C.17.4.  Output Values

Krawczyk, et al.         Expires 4 November 2021              [Page 113]
Internet-Draft                   OPAQUE                         May 2021

   registration_request: 03019f508a03d6d883f28a0afa477eac4dfad2ae9052a82
   ef5736b24eab85dfc40309c5d205bb94b9a6697ac7b97b9b63e057f163905ec396db8
   fe250544bd94e90c13
   registration_response: 02004e15d16f075d2de7e2ee6e203d5f4b4f2c176a1592
   2d47bd5f8d2a7e94515ff328ea4f74331a293e1252d8ab4c04a778eed1234f6596baf
   84afaf2b9fd43eb953a0200be1ff2041b4f0f5a8c110dfce0f002e6bcfc8fb4a36b4f
   bdcde40d8a20b470c62e20ec1f86edfdc571fa90fc6b04d78a621a96676570969ee2c
   b6461e06e2cb61e
   registration_upload: 02015d849771c3ae0ea3af9f2462c822b605be212e05e83c
   3f7d6e65551945636147da2b14e09c596ca154526b09ca9ce7b51b63185e016cf2aec
   c86d3800359151daf832629d42f82e752f1a8b4014218402b034e6e26c239c33329eb
   0258a42721688d990208a793a05f1d99e4f2116f11e06fb1af650ecf057f8cfaa5d68
   9b1a8ec8576a0c7c81f7a7575dbbabe910d8abd35258409dd4fedb8dacbe0fbe1f99d
   8c089d602d3349adc7ef4fdf1ce7654d946ae6bf23f0a53a72e7836c07de92af79e9e
   6aa5353a0f10b3f8314a88aaaa98695396dc5bd045a68d7647adf50dc2c77
   KE1: 0200001c8b7065b1f65b9e87150b85b32e6a13738dfcfe40a947a3868b0504a9
   c0b8f2d2f8261af3c4507f583ac24caee8981b3c2e7c6a81192d383aec9fb93e64203
   51e3b093abca6b82059f2e0ba5ffafd8b54ebc7215eea7a556461d650a3c411990009
   68656c6c6f20626f62030187b0369b07402c41744c664239d0f9fad568f0ea5c13e4e
   4d80c770fda054cca7fdebd3f91a803a3efe7353969e388623c224a86cc32575ef8cd
   5e0cdc3c467343
   KE2: 030035f08ea3de22b0376ff3721ba6d46701a9b5e5687d1ceb47e9f533d7f8a1
   f60904eaf5125803327480d25a7107e9d895258b38c2462d102a8fdd56cb323854ca6
   8b9d3084eeafa7d20d841bdc80289111ec8aab7b1bdaa8f670051b104db229e884e02
   0fd59f017168a8c4ef61aef2b7510cc38b11ae0cf323d13ea9953f0340f9200206d0f
   27fc6e7c1346dfeac1059b1bbed15d472783259fb867acd0ea79b58bc09f04ab5275f
   6a476ed42a9205422848cc46dbf6962dc0ad425bc00739d542c540807023946ad4fad
   a727dd19813d1bfe7c9f30e97530827c1ef18c0057e062744e9263362f3649371bd1a
   548382cc0a6afb69009021eda3a9254acb3bf680153c7730af4fa64192a5338aeeeb4
   3345b014348afd6f4cb7e2a103057dfbac8cfb83402016c63c8e2b3feac6366e3dcf7
   52a8c2a287c1fb4d648aedba86aa0ee07d2b1133d3282584d7c66357bfcab76526f18
   4f7ff9af506f9eec01645b99b6918bdda600c000f8daa20d5162eea9d681b87661762
   cd4f9ec59a54bcd56c8b3438642bed1c23b6c1fd39f267f9b905ecb2cab7a48cc1d5e
   64d909c589cb7fca0c8cd5298deb4577dfed8797209246caaa3443ffabec9
   KE3: e578e0b651f5124e89664cfdf7343c40c9bcc055705b9101c39ff2d4426242a7
   3b30dadbb8684aa58d5c37c89afc1cdb81444e270c4f23b2dc60e48002751d9c
   export_key: fc013ef1b0425bee62b845c76823a5a38c361d0f9147266d2e58a6570
   c8e27b13faee7bf59920ab94fc5d53d358d935b3f67be6e239a322792a18f4046de82
   08
   session_key: 444b5612450eca7cd77a214b6d0690ce8188f70468e4c28f3fca8e94
   ccfa31e9ba3fedb9db0547185bdcdf95dd930d1edb08bfe632a8bce831372f8c4b52d
   b35

C.18.  OPAQUE-3DH Test Vector 18

C.18.1.  Configuration

Krawczyk, et al.         Expires 4 November 2021              [Page 114]
Internet-Draft                   OPAQUE                         May 2021

   OPRF: 0005
   Hash: SHA512
   MHF: Identity
   KDF: HKDF-SHA512
   MAC: HMAC-SHA512
   EnvelopeMode: 01
   Group: P521_XMD:SHA-512_SSWU_RO_
   Nh: 64
   Npk: 67
   Nsk: 66
   Nm: 64
   Nx: 64
   Nok: 66

C.18.2.  Input Values

Krawczyk, et al.         Expires 4 November 2021              [Page 115]
Internet-Draft                   OPAQUE                         May 2021

   client_identity: 616c696365
   oprf_seed: cbf99f721bb05bbb38c3dff97984ba8cde188b3827bbd814cd7a42af6e
   65a3b12067920609dc601239a238e23f40d75e1aaa3a509edf8c7cd2baa7f5c1f95e9
   6
   credential_identifier: 31323334
   password: 436f7272656374486f72736542617474657279537461706c65
   envelope_nonce: 71dc777337eef4e8ac3cac80a4180f926f029f2cb820b1a176b95
   a945a44d784
   masking_nonce: 73180d73a4c972db77ce27294dee5a2f9ab174d5409ada18b37fc8
   a7f051ff9e
   server_private_key: 01e58f3492c6da02dd7387bd1dc40065b23155fcc16e56ed3
   586c3c2d80245859235d872c5266668cd562a2bd7f34654235b1b9961485ae246256d
   f3935910d36507
   server_public_key: 03000ac6fbea5abad2eff1e768bd39834b82166c06aa6021ee
   7517b040d221966b827ca6162621a938d6fda5fd8e39b3b785cb477924b8a400fd285
   f41c5c248574db8
   client_info: 68656c6c6f20626f62
   server_info: 6772656574696e677320616c696365
   server_nonce: 982aad1d4df60e1ec7598ad90ee10d986d8ddd8986c4ef3b009b535
   6a21f4375
   client_nonce: 11034c017067f1258bc7720a174b559d38c2864d089c0cadca46134
   598ce4ded
   server_keyshare: 03015da5c9a33d3168383837d8d2ae4d00f39a8a631cd126b4dc
   1b01f06c32ac86ce29440df0e45650879f65ad94a3d752f265254f7d5861046cc0165
   67f9e36b873d0
   client_keyshare: 0301bcdfcaabb52a829a450fdeb63bf90b8c98c6b2717164f48e
   27d4c737058feb556f81fe39aed7846313ff6a6fb9c4bf1d81083974f2babdb080048
   cc67e12f8ce2e
   server_private_keyshare: 012dd5f057d34f77f82886ba9c12bf99b4c79e232e68
   82168463a7d53d03090c1da44b4cb34efcf9e45a0e4f9ee14e00bab7a7ca19b6616b9
   ea190d4a2db57bc6590
   client_private_keyshare: 01b52f1d5c1c022ce72f0b4dc3405e239f2f85026764
   82559ee5e4ba79c390c4033405e3f792bc49daa905c694707e7e0191104b34d68c7cc
   81c2e392da60b838eae
   blind_registration: 01ec57a21c1fc56bf3514635ac7fb8618f72cebff14ed87eb
   abccec2627d4006b698d9ba57f6e207c989448d39fe0431e60c9a9a4110596d5a16fa
   6cdf3f66467525
   blind_login: 01e8d9b4f7c7beb31e37008156656c19382a56cc79b9aeeed48a6f9a
   8fb57640c3bff88d3ab3cc52ef969f02beaba2c6e32c2f37baaf4ee9c691833dc081e
   2a0fb70
   oprf_key: 010c6e84907f48ee9ef1a2b06b0f62032fc716c2e6c253928e5d4f02d58
   a15c7afe0ac4f35762ee53f04aa6477700f68832492781160eb1c6968c4ff7ff01aae
   752a

C.18.3.  Intermediate Values

Krawczyk, et al.         Expires 4 November 2021              [Page 116]
Internet-Draft                   OPAQUE                         May 2021

   client_public_key: 02014e85db957b2e39c82d7ff67fd42f2f4689a1e999cadbf7
   8606279d1ac5f593efb9e8ed8d4b5bb7fe80e3b5324a8cebcddc26319d7cbe05796dc
   4a0e7b9d13ff933
   auth_key: 3b430d33aa3d6b97fec63500eeec4f57a3783dce1a6e2bbafbcbfc60561
   520ff806ad075983ba2b36263028683a5c5d4f5ec667ed8473db0d4cec1c389da097f
   randomized_pwd: a668c0639403d64a159f5657184c80027dd0738ce65b612b2398c
   1e5f6390ae76a352763020e3f0189cebe0df03702c7835416598eb8b2df2d2eae2120
   aef217
   envelope: 71dc777337eef4e8ac3cac80a4180f926f029f2cb820b1a176b95a945a4
   4d7846e31ef250b103d54bfcfb85b7a61587f8b3eada628c18ede52c1003d22a17cb9
   ddc1ffb448e9adaf0bbcbab7c19302465dd2f1abd5b60e4938adbea4a13aa25c
   handshake_secret: fe9cf741d612210e48960231217e76d09312390c69529b781e0
   2b7054d1114866f10adb3f1cfa3dfbdc25a8b4c737b0207d45479b2d635316ebf251d
   f33b324c
   handshake_encrypt_key: 926c324f94e5840c6356b5b298fc788081135bff19b27e
   1ea75bf788ef1970d43a8c1d9a82917ae534a54aac91645eb383339512d1f3ac77587
   983e6190476ac
   server_mac_key: e18734ad27c3f60c703600c29ad2d8242e9caf0f90f55e10aef7d
   a53e4a8ab5be905e31c15349e8b2dc40270af02957e4625bc8c01dbd7f1bfe60832df
   9e6d28
   client_mac_key: 1d3b2348afb25f8ec33fd07b992eeac8fa434a9dd5f7b091887a0
   005cd46656ea9768551e5906c91a2122507e37421a11382c3f6fdee74dbe0d11492eb
   6d8b8f

C.18.4.  Output Values

Krawczyk, et al.         Expires 4 November 2021              [Page 117]
Internet-Draft                   OPAQUE                         May 2021

   registration_request: 0200bce08f110a6634cd66b75c0721208df3d8c392f86f2
   feb9c20fb62c9a30df00b37caba143386c7880a96301814e425ba9df870cfbf19724e
   b58411604b3a618f29
   registration_response: 03004f08faa49284110ada3a43007ed1f3d7766748509a
   5bb2d6317c14320a406eec518882ee4ea2863d1631c3b06b83f9d81ec1620759537ca
   7f4170bc13a453bf50903000ac6fbea5abad2eff1e768bd39834b82166c06aa6021ee
   7517b040d221966b827ca6162621a938d6fda5fd8e39b3b785cb477924b8a400fd285
   f41c5c248574db8
   registration_upload: 02014e85db957b2e39c82d7ff67fd42f2f4689a1e999cadb
   f78606279d1ac5f593efb9e8ed8d4b5bb7fe80e3b5324a8cebcddc26319d7cbe05796
   dc4a0e7b9d13ff93389cdbf2bb199008e95e5ba25a49fdbadf09cf8ae13356bccf65e
   85f689f73ba6bc37ee4375ff52e9dcdc73d14779468063e85981f41be04c8cdfbcec2
   4040ef971dc777337eef4e8ac3cac80a4180f926f029f2cb820b1a176b95a945a44d7
   846e31ef250b103d54bfcfb85b7a61587f8b3eada628c18ede52c1003d22a17cb9ddc
   1ffb448e9adaf0bbcbab7c19302465dd2f1abd5b60e4938adbea4a13aa25c
   KE1: 0201e2974af3a0c9a479cf1589e9c7db8f3e04723123436453ec427f75974423
   4a57a91a724879c5cfe93ed919501d567a6fad6ff5763647c351ad6dd925f39cdb04d
   d11034c017067f1258bc7720a174b559d38c2864d089c0cadca46134598ce4ded0009
   68656c6c6f20626f620301bcdfcaabb52a829a450fdeb63bf90b8c98c6b2717164f48
   e27d4c737058feb556f81fe39aed7846313ff6a6fb9c4bf1d81083974f2babdb08004
   8cc67e12f8ce2e
   KE2: 0301c05496686104a7b82a151351b988f5ed4295ae73b0f8e47a32099806cdb7
   9709b862abed66719debce0cf92fad9da0cbd045ce097fc5e27f947380dc513f5277d
   273180d73a4c972db77ce27294dee5a2f9ab174d5409ada18b37fc8a7f051ff9ece11
   3424e9770c02c879e86c1c243ed9aa1e3345b2e6a85e4ac5b886839cb9297853f364a
   a9c5bcc43f74f66665312dc74e7678366a34ca81aaf1030cc5f7b9b59ab1ecc9bc5a6
   5e8f811fbcdf2796503f3838b7f788db8e11197d053e61a99010e8c495c3f14e4e4ed
   9a153edc659dcff3c79946dc9371d4ea0cb88ed660785d3bd3fcb5477960dc3e12450
   c6ce106afe8776cbfce9a09b5b4dc53257d16cf27f0f93982aad1d4df60e1ec7598ad
   90ee10d986d8ddd8986c4ef3b009b5356a21f437503015da5c9a33d3168383837d8d2
   ae4d00f39a8a631cd126b4dc1b01f06c32ac86ce29440df0e45650879f65ad94a3d75
   2f265254f7d5861046cc016567f9e36b873d0000fff16bf58565186eacb93d146efac
   63c093a7ab3b1f889f07ac032d6bcc0a284f9c52f980b98f9eff2f95631a109c0d145
   dcd083c0422104cc927de843096461705556ff43d100664be619a495657c5
   KE3: 74edc4d75d6bf38331d73e3de41b83c1a89fedf90a5f9c4e47dbfc604945909d
   1979805a6fe2d38e2b533f47891c36004bdd591d5086dff115f0f980f50bd68e
   export_key: 1289e218d166d73784be0e138cb47769577dc9b923d6a6171e0bff476
   74215b7493eac47496e2cacc8a1a6cc307591cf6f90717105e54f6e86d9cc67ca8f0f
   1e
   session_key: a7835cc873095ac6909749c62293ed99c6014bf79a60f316e789e0d0
   e30d3a7a53ee90a0037b9c00c9e30db3c25ca61eaabf7db18a0695068ff3a31e4bd07
   83b

C.19.  OPAQUE-3DH Test Vector 19

C.19.1.  Configuration

Krawczyk, et al.         Expires 4 November 2021              [Page 118]
Internet-Draft                   OPAQUE                         May 2021

   OPRF: 0005
   Hash: SHA512
   MHF: Identity
   KDF: HKDF-SHA512
   MAC: HMAC-SHA512
   EnvelopeMode: 01
   Group: P521_XMD:SHA-512_SSWU_RO_
   Nh: 64
   Npk: 67
   Nsk: 66
   Nm: 64
   Nx: 64
   Nok: 66

C.19.2.  Input Values

Krawczyk, et al.         Expires 4 November 2021              [Page 119]
Internet-Draft                   OPAQUE                         May 2021

   server_identity: 626f62
   oprf_seed: b090a604a7d3281747950c012686f1be5ee87b8486e729e69c50ead57a
   9d5b6ae3ec6ee58cd097ff5e3c30a2f99e304a3f7597fef8738a29714a9fc07c7189e
   e
   credential_identifier: 31323334
   password: 436f7272656374486f72736542617474657279537461706c65
   envelope_nonce: a814e5fe5234bc21018efd4f7e4c04313fd9e0b620d8c88de9538
   2520e5c9861
   masking_nonce: 258e8c4868e5d2db2aa035494fa4ac772de24d8c01c01e53bf888d
   a6074fa211
   server_private_key: 00deb3fb5eef3871cfaef0953ac3482c88f2bb4849b6ac355
   3c3609aa005b2cb37316964371a39548566c5e4e4dfbfbe5faca38a62651e9a519143
   d04ac366bd3097
   server_public_key: 0200c689bc30525e075588345866abebfc27a312bc2edb3222
   3b95f7479534b02c139cee9475816987c9a3b12ea04984670c674f3d42f47ba7a3670
   768f2bdbc7c7ad6
   client_info: 68656c6c6f20626f62
   server_info: 6772656574696e677320616c696365
   server_nonce: d1ce234ade6c2215d7b13028d26549da6057d3f693defb346eb32e1
   524617da0
   client_nonce: db7b40b96e0627332f446bb00d6ab8dae8aabfc0e9efc44aa07de3c
   bd5a1bec9
   server_keyshare: 0300f8b6a63f05a1a6f6e3c856d512860d5700cb3ad37bc1dbf4
   ecfc4c77c3aab7bb6576f70be7b460143e577d02409524ef5fd5e82a85fec43cc2d66
   adc312fb27a1c
   client_keyshare: 02018f831d92dd0355becccd11cc3904ddae5edc18d6e357ae43
   a7dc3459335316f842771994b3b411da7ad3c8911c806b322a9fad184e8b5586926be
   76313b87f3d9d
   server_private_keyshare: 015f117db2282bb2d11b833ca36711f28643a2fb2afe
   4c3ac0692c402f2878e409eb94d01340491d9b1845c2c7c6c3512c359de4a62f9d890
   1797659b3e5d47f317d
   client_private_keyshare: 00e3562e44a2df91376353e89693d62c238e11ce26bf
   e7eebd8e88410aad6046327ef267fd05717803c45c647f4a003b4ff428c9a21288025
   cee0279eaec16e0fb7c
   blind_registration: 00d7057ba6488a9f8f33b362f9ea293381eb5aa20a58124e6
   db14076aa4f7aae03e79e1345b87735b977981b0b53d33a2545b6f301e66a98d04212
   7462fc69c7e5d9
   blind_login: 0029bd129200e0656181aba1c2e7d839ec26e9579970c1d4ba1db609
   28b9ac043a5b622404c46dbe17dd4304b9566fc77d5c202e5ed9689829d4d0a746d77
   66ca057
   oprf_key: 0012bf9958039dbbd0037e3c565a4e3f91a018e6132e1941b9a5b023d6b
   38b68912e01ff86a6c62c85ea91f303c4a23f63744569768a22d2086712f9f764587a
   53fe

C.19.3.  Intermediate Values

Krawczyk, et al.         Expires 4 November 2021              [Page 120]
Internet-Draft                   OPAQUE                         May 2021

   client_public_key: 0201797183ce928876fcf43b6d249e0e12aca4e99eefc4aec5
   6cfdf1467a1d93e49ae362964c0ad76aa50f71f4fb7ba9cf353a8906e0dca73e66d54
   c793c6d9bd1ecdb
   auth_key: fe067f7dc8bb1099dae60a5491359209a2453c7d03d7526700f2f4bf72e
   965ead28a6e3bce76a5fca6e5351b17a54e6c930130d275446a214032fae8e82b114d
   randomized_pwd: 1f041980cd3e486eea2564bc313c3be962d176805443abed26165
   9f3e0a123bb7fd7f78625da9738b8a29409e506e3e7087183edcde88126a19771b2cf
   c474a3
   envelope: a814e5fe5234bc21018efd4f7e4c04313fd9e0b620d8c88de95382520e5
   c98617550e08881bb945bd9354eafbb54906e6aead43ac002fabd7b89edee010c5491
   6ba4e740808728d79bbd9b94c5864d21de0d3a654a7762e81b11266c7833c722
   handshake_secret: 9db3e37f927129b5a5eb507d78f9bb93308aca1027a6dd00ac7
   f0fed446161b472274badf054298401e917170d3452c9abc0d14b6bfc5b48353e964e
   ce3b807d
   handshake_encrypt_key: c6abdfc9be8bc8a059731e655700f3c732e6bd886d42b6
   bb334277eef4e11b75585aa5b9abb5d93e24d15aef4783e077210580b66266eeb018e
   17c9c0687cd88
   server_mac_key: 7e924ee23fc473733159d1eb3977c286df21b1f6c775281c660e9
   50b6891aa0b8fa682eccdda1613ba3fe4b69da5f46a1444d029ac63efd656fccd9cdd
   1c8dd0
   client_mac_key: 8d5ed81e71bf7748bbb97bda3ead9617e637a7d3379d055289234
   9e1f7715da9501fca1cf79b8976b7d261faea1c081233ff5cfaca74ca0802469171eb
   cec53e

C.19.4.  Output Values

Krawczyk, et al.         Expires 4 November 2021              [Page 121]
Internet-Draft                   OPAQUE                         May 2021

   registration_request: 0301fca4ee81d22c8e8cab4cd5e1724bae3cede81109f61
   7910beaee9771549cf0090692d4342f0045a99a0707e09e38838e611a3f19c81bba90
   12ad6c67ba55f40b1a
   registration_response: 020017dc64d3918b41dc2c9c8e07a4608cf1a619036e9a
   6d389ecb73f859f20fbbde3fdb70fbd799c58adb2f73a81a6d020930aa6ab04390c2e
   2214fd151b7b97ab9ad0200c689bc30525e075588345866abebfc27a312bc2edb3222
   3b95f7479534b02c139cee9475816987c9a3b12ea04984670c674f3d42f47ba7a3670
   768f2bdbc7c7ad6
   registration_upload: 0201797183ce928876fcf43b6d249e0e12aca4e99eefc4ae
   c56cfdf1467a1d93e49ae362964c0ad76aa50f71f4fb7ba9cf353a8906e0dca73e66d
   54c793c6d9bd1ecdb7c8c1f1e587b532c918e27d9816554da9772e57ccd3a3f3bc2db
   335be1bd687bfa050f53267d6bc780b0c61a4ee5190d426bdcf0176b4ba3c7eb064b8
   46f4563a814e5fe5234bc21018efd4f7e4c04313fd9e0b620d8c88de95382520e5c98
   617550e08881bb945bd9354eafbb54906e6aead43ac002fabd7b89edee010c54916ba
   4e740808728d79bbd9b94c5864d21de0d3a654a7762e81b11266c7833c722
   KE1: 020197ca02b425dfcae9aafd4608362a1dedd8998e6cf906191b4d888db30de6
   dbbd22fb3a1bf310cc09f781d9c6fa0bf1f1e9a79c09eaf0df596801cb9a1030f9d2c
   fdb7b40b96e0627332f446bb00d6ab8dae8aabfc0e9efc44aa07de3cbd5a1bec90009
   68656c6c6f20626f6202018f831d92dd0355becccd11cc3904ddae5edc18d6e357ae4
   3a7dc3459335316f842771994b3b411da7ad3c8911c806b322a9fad184e8b5586926b
   e76313b87f3d9d
   KE2: 0200b6d24d300bcd70adacb93da7b564d129d1e61a5435efe37af3bf03494ea3
   55113e3ea3d73650d53cb869bb523f7b229792cc17a106229c76679bb833cfd32ccec
   b258e8c4868e5d2db2aa035494fa4ac772de24d8c01c01e53bf888da6074fa211ee36
   345d93da3ee2a6126d7ec76d3e810bf43d20c37b269c5ac7fc070c5eb16260ea98f56
   27b6af42483a20f9fc898dc90efbf5b2efd558077c592621516e26f337303485ffbc8
   cece4aaf04449d977b89dd6b8b7d24d1acf7079b5194ef4c7547c704112425fe1a6e7
   23ef87d83f816f1f2cfbbf8757fe8bebfeb0f9f3509b2a99fb428ff1fb5ad260a5010
   c99e703c3d723a3523768dbc8ede6140c5af6c2202fa3ed1ce234ade6c2215d7b1302
   8d26549da6057d3f693defb346eb32e1524617da00300f8b6a63f05a1a6f6e3c856d5
   12860d5700cb3ad37bc1dbf4ecfc4c77c3aab7bb6576f70be7b460143e577d0240952
   4ef5fd5e82a85fec43cc2d66adc312fb27a1c000f053f575e011f389f77025472cb98
   f154d99d1fafa6865cffc96b84d512133d02e67c0f9dcb6ee2d392ae8bffad4085e3c
   215e732f7d4f8eb45a4ca9eeca722d53a48e0ca821dc817e326f6ad06137a
   KE3: 2106053b5b0fb08ea0b5a075a8a6b7060605a5749b0fa6ad04987870a2344ffd
   42394f6a4825bd194f8ff6004eb32bc5add5a4c9f9cab726407172ebb9090bb3
   export_key: 83805ffecd205e9669763235d7772070834ce6527210d4a76ca6f6c1d
   ea714cd08f53f25cd718b67542ca1ef0a8ed4c5565fd911d67b9d773b585ba3f447b1
   74
   session_key: 3fb67694db6985a49624a205ededeadefa45bfa1e0fb643eafcf641a
   ed1ce3c13d2a73a42aab02daae5ecd7cd45995d613bb3e1a2808c03831002ecc142cb
   520

C.20.  OPAQUE-3DH Test Vector 20

C.20.1.  Configuration

Krawczyk, et al.         Expires 4 November 2021              [Page 122]
Internet-Draft                   OPAQUE                         May 2021

   OPRF: 0005
   Hash: SHA512
   MHF: Identity
   KDF: HKDF-SHA512
   MAC: HMAC-SHA512
   EnvelopeMode: 01
   Group: P521_XMD:SHA-512_SSWU_RO_
   Nh: 64
   Npk: 67
   Nsk: 66
   Nm: 64
   Nx: 64
   Nok: 66

C.20.2.  Input Values

Krawczyk, et al.         Expires 4 November 2021              [Page 123]
Internet-Draft                   OPAQUE                         May 2021

   client_identity: 616c696365
   server_identity: 626f62
   oprf_seed: a2c0c702a75378f6771ed1087cb27dd9f0869df8fa1ce77e253f226568
   89bcead33b86d6c18261116288d4473eefce9bf39bed15fdb12e534aa4d2dbe10fb85
   a
   credential_identifier: 31323334
   password: 436f7272656374486f72736542617474657279537461706c65
   envelope_nonce: dea8622b286f46198d18d6d98fed732d86bd910b3e2fc59f5ca02
   4ae99be3c70
   masking_nonce: 7ee13d13ee90a7b858d8b5656de79de860eb333bf12a568c32ae4c
   dea4333dc1
   server_private_key: 012bc7471bdb9fa3e113b809a86dcc379b782052bce3fc9f9
   62d373217b0c266b1e0932c7a0727030de9ce81d360d97fa94f7ca377aa6969e1748c
   9f8b0a3f230c50
   server_public_key: 0200c11aefb178441adf284549abd3bd4d21641252d611c178
   f328e818165ef0f777865fc84dd96972650b007feea93c11738c499ebd5ba80b7be79
   defa6a717da56d0
   client_info: 68656c6c6f20626f62
   server_info: 6772656574696e677320616c696365
   server_nonce: 54e5ebe024150039f4ad50d12b5e966ac60420eac4177642d482938
   f9100f0fe
   client_nonce: 104152a7d95e6b9fe3c397ba45cf5079086abc6d9ed12fd12b79019
   9d10e0d4b
   server_keyshare: 030121f7821162fbe027849ad750dab6227d5633a7148e1b0910
   7d200d7fe63219f09a4e96ba8cb734b5b20941196edb471863e1785c22e950e3ee34c
   85aecc454fafb
   client_keyshare: 0301125c341b183c9ed98ad735039a5aeb7a9c99c6a90eb2dbd5
   a02ffa442393c1de1a7f11ef5a7395a3881525c7fb8674d74d842f0cbece5069f98e2
   528ec903ba7e4
   server_private_keyshare: 00ec758fbb7a807a0b725c417256e9bad495f760d4bf
   6aea0b7d2a2fe0f1660e30464e5955387c712d35d62960b00d071f63e3560802ba48d
   4da12e2cd081925d11e
   client_private_keyshare: 0007c0fe9f79f95d3324731ad78ad2d84b9d2ca47765
   5b1a09af067a58b841237e3264ebc5f2375483e3a71937f93e63620bd2c12c9b86f54
   5fa4ce86844ad1e41d2
   blind_registration: 0154817095006ebb66fdf789c9d0321035076dbcee1fa1a41
   ea6de59cdace06668d5a3932570c74fb7a9fb779e38ccdb9b80f53bd3009d7e86289c
   d1b792e0abe00c
   blind_login: 016520486cf32cccea61ffe9fa97730d95ecfe264267499aba78d966
   19996d938cbf6dd303a0093c7b426b1c63f7d78884489fbcee764bcd720068da3134a
   af107a3
   oprf_key: 0100703932da18a28a76013efe6fcf9c388c2c680a0df18f187b31a13fd
   32c2d1c1a4131b2b85fad42e87208f5b930740dc534a81face4573e9a9edf05d235a1
   26a2

C.20.3.  Intermediate Values

Krawczyk, et al.         Expires 4 November 2021              [Page 124]
Internet-Draft                   OPAQUE                         May 2021

   client_public_key: 0300eee979cc9628959506bb943bce5fc1901b8f1b2c0259f6
   0a7e5f5d01af5a43706ca3f799290b4ce1abd23a32c7260b0f75606f3add4e768c611
   3a570cb7ad0db30
   auth_key: 4597f5622807e5c3b2fd6a9ad5dc487eb9d240af3f025083760352b263b
   061161ea10dad253455dc75c4bbc8ab5e6bec06d205ebcedb841175f9b7552a4980df
   randomized_pwd: 198335ac6be7ab8ac7ba3a5160bbac64c69f4e348fc14190d58d6
   2ebe002b325d5c33f92bc03953a711d59c200de2b6b43a22562a3be6422f8dc2da891
   956f17
   envelope: dea8622b286f46198d18d6d98fed732d86bd910b3e2fc59f5ca024ae99b
   e3c7093bdc73cbca4195fbf98d0b2f773ae1b8cb885c9c61a28cd87c1c8b128b22f35
   241aa767c9b73508ebcdf18e3a03c4de549911b973651590454e3c1e22e01d95
   handshake_secret: 79f29aef1ae37d0d217f78cc19a2a2aab0b70242bef27069cb0
   6353df37148ba54f469dd345f3f154be0c4ddeca3ea3edf619e0e2b213cbecc24e252
   1afbd13d
   handshake_encrypt_key: 532c242245e697d23a9759fd26546ee70803d9991a72f0
   2e3c343d66d956964bbc8149da1d8a3c9e0ef279a0af8d20bed0c9c72ec3767bdc853
   b4f0e21eb6711
   server_mac_key: 868fad12525bfc183c4b3065a5cd9f99ab477821406cfc6eadbab
   e7990fd7a7bc5da8227a9f7d95fa9d59f931f09dcb2d3298a50942d863f305d017343
   89bf28
   client_mac_key: 645e4e9726ddb31d819d9655fc67e55347f57ea51ad4db4ee11af
   c5bb6b69b1ffc48b50fb30f495a345088a317973f9236eb580e7b4dbb49512d64cd0b
   51d529

C.20.4.  Output Values

Krawczyk, et al.         Expires 4 November 2021              [Page 125]
Internet-Draft                   OPAQUE                         May 2021

   registration_request: 020178d37274cd1fa2512ca1d238613727201561218673a
   d3fb6a391cf6dbe028dd8d953f0e36516eec3c69ab0293b19769074c4b16ca36d06ca
   2765543e694fd8a2f5
   registration_response: 0300571f1324c87ef36cfc5be06f0dbfccc3c6d324d4bd
   2142df09e840f703bccb12308c9a761ec230f6a2510d31c86d61c0493523cd053559b
   6f85bbfc9f95b06f1b10200c11aefb178441adf284549abd3bd4d21641252d611c178
   f328e818165ef0f777865fc84dd96972650b007feea93c11738c499ebd5ba80b7be79
   defa6a717da56d0
   registration_upload: 0300eee979cc9628959506bb943bce5fc1901b8f1b2c0259
   f60a7e5f5d01af5a43706ca3f799290b4ce1abd23a32c7260b0f75606f3add4e768c6
   113a570cb7ad0db304d11e0950c55aa0894620fde4ca4200ad3259ec633e862327ad8
   4452ff996950c96ccb00ab9d5960f9f97cc208dfb3c43cfeb5b1ad2b245e9710db845
   74fcfdddea8622b286f46198d18d6d98fed732d86bd910b3e2fc59f5ca024ae99be3c
   7093bdc73cbca4195fbf98d0b2f773ae1b8cb885c9c61a28cd87c1c8b128b22f35241
   aa767c9b73508ebcdf18e3a03c4de549911b973651590454e3c1e22e01d95
   KE1: 030041daee06de56612bc011e3fc1b5b1c5eb334b6cc0cd587b5c6fd9f94271f
   dade91de48e730d2499eefc313038c54e3ff0326da0afd4f5defd0e4f88eb9fe6dde4
   f104152a7d95e6b9fe3c397ba45cf5079086abc6d9ed12fd12b790199d10e0d4b0009
   68656c6c6f20626f620301125c341b183c9ed98ad735039a5aeb7a9c99c6a90eb2dbd
   5a02ffa442393c1de1a7f11ef5a7395a3881525c7fb8674d74d842f0cbece5069f98e
   2528ec903ba7e4
   KE2: 0300f01dd603426fa47f34041bc81fc2c74aad672fb6229b5fbe1ca3ae5d6f03
   2ecc470fc55ef79944e5b7de9eac051a37692174c809a5801cc2707492e962226ff04
   57ee13d13ee90a7b858d8b5656de79de860eb333bf12a568c32ae4cdea4333dc1b43a
   3d351df1a5df73d47603a78174f6aa19a52b054c4d3a3fa1a267eaa7b6320418c241c
   084ea1aa5296fbfc238b1d38a602f82f44acf4a0e3cbd9c5976ee3734ddc0b4da5692
   604145332dcdad50f8690d70007422e6b31a177ed2258d2e61f0846719ad1bd34e649
   4b2db478b1b2920e3c22ec9884e99b990c7cf3fa62003eb013956745518e690659006
   b7e028d98e6412db0974741738adf0a07d676bf90dd10254e5ebe024150039f4ad50d
   12b5e966ac60420eac4177642d482938f9100f0fe030121f7821162fbe027849ad750
   dab6227d5633a7148e1b09107d200d7fe63219f09a4e96ba8cb734b5b20941196edb4
   71863e1785c22e950e3ee34c85aecc454fafb000f2288bed259d4c04f46bd66125ed6
   a2df8d051d6e3c1c325a1fb9da4db176043e949bc6cc5fbbcc0eebfc712555cdca285
   8cf492fab1d17745078b53bfd412f4944bf68535b8b499d29f334b9a2d92f
   KE3: 913e4e963b9d6adecbc64b5d997963042f647e4f2169fa099532eaa7d2b701b6
   f13333498a95078084dc28d21985fba00cb44a72ad67f0a4f8ade46e2c328bae
   export_key: 90945205c08c63899a16b2e9932c9d56992ea97e463093251823d21ec
   286ae60913e18d6cee485af823f252a405bf3cff0da58fffeb60f01c9ee56d337deb3
   12
   session_key: a1376439646b9b273e8780891406c692a930fe660540a40235ff6991
   01339e8fe530072ca7e23bfb98d48de57fa0b08bc826afd60622c94d794348115f697
   839

C.21.  OPAQUE-3DH Test Vector 21

C.21.1.  Configuration

Krawczyk, et al.         Expires 4 November 2021              [Page 126]
Internet-Draft                   OPAQUE                         May 2021

   OPRF: 0001
   Hash: SHA512
   MHF: Identity
   KDF: HKDF-SHA512
   MAC: HMAC-SHA512
   EnvelopeMode: 02
   Group: ristretto255
   Nh: 64
   Npk: 32
   Nsk: 32
   Nm: 64
   Nx: 64
   Nok: 32

C.21.2.  Input Values

Krawczyk, et al.         Expires 4 November 2021              [Page 127]
Internet-Draft                   OPAQUE                         May 2021

   oprf_seed: 953eb80562c4a252c8896399588db86af14f9587d082ec2f3e06d4621a
   8c940984cd0ab83a2d396404e181076a005dc929d1fc18066a3b1a62226228d2fd47a
   8
   credential_identifier: 31323334
   password: 436f7272656374486f72736542617474657279537461706c65
   envelope_nonce: 22efea550c5ce8ee58c2b5c0d8a62c247fefb259bacc92efa68c7
   2374da302df
   masking_nonce: 479e8543c72cffa59bdb524bd242c3440a32781caa3bd834e0dce4
   d2df34debf
   client_private_key: 2d8cc16606d110ecf2ba00464406a0975452b63a3f27ce575
   921f91146543b0a
   server_private_key: 5a673fae0015e31ccb70006aa21ae18853489bcfd11c0b796
   0a3b37fc3654402
   server_public_key: 0c8f3dc121e9f9bbbe76c4f1f664d2309e669b293597322afd
   9d2f936a37f14e
   client_info: 68656c6c6f20626f62
   server_info: 6772656574696e677320616c696365
   server_nonce: 7476222fa83425d3b2259e3c44a665751dc2aa54e381a8a210505ce
   56cf137a2
   client_nonce: 062762c1650bc61c27c22782c1b09ac2018928721bd9de0765c776e
   09f8e62dd
   server_keyshare: 34be8693c06fc0168040b3321043f40ad79648211e6604f883bd
   f23abb045813
   client_keyshare: 9698728bd0febdc164c410a6738962b955c08a36b25c89058c38
   d4575592c12d
   server_private_keyshare: 23c1313bcad4f689a23bc623bbd8f160301def2c2245
   b5d6977e67dcc2048a03
   client_private_keyshare: 7429e9b8592ba3e7d20b3bbee1bf0a0247c5f9c357b5
   a7f029ebb222c4ad4a0b
   blind_registration: a60f751ce4fd2b8f4412cedce7bf9e19ee5800a95743d557a
   44caa494840ec06
   blind_login: 9e21bcfcc4c82070b5e27de6b540da38c9ba48d7840912dd2f860fad
   cc40d50d
   oprf_key: 31305d34c37c0902677f3cc5995660266a08ecd7d11fb0e9bcf2270a30b
   df307

C.21.3.  Intermediate Values

Krawczyk, et al.         Expires 4 November 2021              [Page 128]
Internet-Draft                   OPAQUE                         May 2021

   client_public_key: e2a529d4f403f4c1712bc609c635b5c776a4285f86a51e4c79
   787e2df91e2371
   auth_key: e67f53d70097411ea5d25af74989768ed6d50777ef05c54ff3dfd15e5ea
   f96d3a9dfa75964a097b0787c9eeba5ad38669cf24573836c8ea5d42f167166508a92
   randomized_pwd: a183bffb2d02e389de37e9bceabae59fe58d3a878c216f82c47d8
   74ffcc5cb63ee7344f1f777a9b98ca87307dc670791605e58f864ba214593e07a2ddd
   f3ed0e
   envelope: 22efea550c5ce8ee58c2b5c0d8a62c247fefb259bacc92efa68c72374da
   302df289b2a501579e986301b0acbbb2a27d370842890219b362956c892c8b6fd2c80
   7c2229b8db3aa5789910d28806128b49a93ecae34e6bef5b380e74bed86d5be99bd69
   149836d71924f05cc50d433ac93aeae849d50c5f4bc630cee6d5943e1dc
   handshake_secret: 68c7f99ebb56d8061f7972bfe0dab36493b84b40a939d2949ad
   d8ca11a57b34c6846d0c65e859cd5b08d0fe12adfd930afac48e0a054dac6ff995a37
   140abc75
   handshake_encrypt_key: 66fdebbde7462f9d2c3563ad6f015d618f0f033df391d1
   8c260eae2ff3aa761f92885d83280855bd2b1098800355163d42a2094960d96ade7d5
   e17441dbe8368
   server_mac_key: 57b6d878cfbd58312060b7408cd5479b78b955f97064ef196c976
   051d5c3d6a672b8dab5ad0b2cf875816eebc2b3f5b1eedff3d848ae339778e63ef91d
   1bd8ae
   client_mac_key: a91f18e43c459c4b3d3c5ec48f45a9f8d86b6eb41f7e9649ffda4
   132094b5cdaf7eb7e9f25a794f71c4e9aeb3c34c98deb7d027cd24e8548c601acdf40
   056696

C.21.4.  Output Values

Krawczyk, et al.         Expires 4 November 2021              [Page 129]
Internet-Draft                   OPAQUE                         May 2021

   registration_request: ac2882512f36bc4d5914964e782418271371fa9bd16878a
   5fb6c3b6d29c54422
   registration_response: ca4a3e5868d8dfbc625c7950d900a20cd8856fa9dc7213
   40eec6b4fedc63a5670c8f3dc121e9f9bbbe76c4f1f664d2309e669b293597322afd9
   d2f936a37f14e
   registration_upload: e2a529d4f403f4c1712bc609c635b5c776a4285f86a51e4c
   79787e2df91e2371b016784d117cb3b97e4414fbeee94b6e1a4410b70fea7fad280f6
   30bbfddcc581637e8351b006fbf04f56561ce68327cc844e35077063a8a09e8cceee7
   0b5ab922efea550c5ce8ee58c2b5c0d8a62c247fefb259bacc92efa68c72374da302d
   f289b2a501579e986301b0acbbb2a27d370842890219b362956c892c8b6fd2c807c22
   29b8db3aa5789910d28806128b49a93ecae34e6bef5b380e74bed86d5be99bd691498
   36d71924f05cc50d433ac93aeae849d50c5f4bc630cee6d5943e1dc
   KE1: ecb46e5c31b4044876ccb2a689efc82231d2995561841156db449c71637d145f
   062762c1650bc61c27c22782c1b09ac2018928721bd9de0765c776e09f8e62dd00096
   8656c6c6f20626f629698728bd0febdc164c410a6738962b955c08a36b25c89058c38
   d4575592c12d
   KE2: 2ec103925f086229f5d9c975fb39e9cb0f19854e51f9b413f80e682f868d973a
   479e8543c72cffa59bdb524bd242c3440a32781caa3bd834e0dce4d2df34debf56bb1
   8fb92639b503d662744626f911a3583a9fdd21127fd21748b4fc5c8030c41361dbe2b
   a0e32fdd0841a209047bb8873fba1d109bba2d757d357388f875ef3466f3aa4b029a2
   1635a5f9e68a668d19f09b2f4ec70753aa7ba1aa620fb52730a1ec4d54efae9448304
   c75c984042801c21436c6362298a58e1a06f05b0542009c81782ef947b51fc7849dee
   4ba755b5e370ae25b7077e0543546c4b2ee8e5b7476222fa83425d3b2259e3c44a665
   751dc2aa54e381a8a210505ce56cf137a234be8693c06fc0168040b3321043f40ad79
   648211e6604f883bdf23abb045813000f688324213fdfab8fccff85ae23222d2ea602
   43ac209971ccb7c5af08364773a59c789a6877354af62bb882c7be993cd8b9da89619
   600eefab870f40666db1fd562a937360b565d625aa70c5647df16
   KE3: 8a13ee354343c6ff379ee7480eef34556002df293869ebf23866e82cd60ae306
   c8221164cb6abe54a64d49d3fde1ed6294f76fb0e30903725fdd69f5e63f5ad5
   export_key: ada3fd8cc1a9b3cde08ddd7b2c5cbf468b6b51b182f7a6912e12d0338
   7bf93104e4e1c919dec660703270a6a2d566f7a605c3311edd5097a7a328c33baaa9a
   c2
   session_key: 701b8efd0fd9df983d3d39fd8ead85e95b5ee465748ee911c9b8f16e
   1dad529fb46d07398831ed33ca0354a30af138ba14ce9ab799c6968b17ad637a09d18
   15b

C.22.  OPAQUE-3DH Test Vector 22

C.22.1.  Configuration

Krawczyk, et al.         Expires 4 November 2021              [Page 130]
Internet-Draft                   OPAQUE                         May 2021

   OPRF: 0001
   Hash: SHA512
   MHF: Identity
   KDF: HKDF-SHA512
   MAC: HMAC-SHA512
   EnvelopeMode: 02
   Group: ristretto255
   Nh: 64
   Npk: 32
   Nsk: 32
   Nm: 64
   Nx: 64
   Nok: 32

C.22.2.  Input Values

Krawczyk, et al.         Expires 4 November 2021              [Page 131]
Internet-Draft                   OPAQUE                         May 2021

   client_identity: 616c696365
   oprf_seed: 5ab0bb73be6c353dc1f8e8bdc5e9ed9fee98106940df35fd5bced89570
   f105dab968256cfd0141a9da054559a453c94ecdfc79622ec4942040bb11488c2812b
   c
   credential_identifier: 31323334
   password: 436f7272656374486f72736542617474657279537461706c65
   envelope_nonce: d7ad320966dfe48874bb962eb8b1efc258456ab764d7814e92c64
   fd965be39ed
   masking_nonce: 4b54a15ba427f3354b1890f6fab4c9d0fd1e5749f3808b8be07440
   b3117e885e
   client_private_key: 10b3066e47db372d6cd714fd308d056c349df63a477498b28
   ad3f0e75ba47b0e
   server_private_key: b69bfaa8582bc1d07933c6354dace6674e72fb420b9c40cef
   3a5fed717de1d03
   server_public_key: 928eb99d8771526762cb6eff0ebaf085d10102934ab78d1cd9
   f4389fecd57073
   client_info: 68656c6c6f20626f62
   server_info: 6772656574696e677320616c696365
   server_nonce: b4109f26b436a2e40e589c4edd384559311f588db48c7b354ab850f
   9ba069008
   client_nonce: 529b15c72d4f19fe38e4aa1121f4ab142c2e46f73ff5f3a15d216be
   e59e0fb15
   server_keyshare: 5ef3502cc40e7ba5006845c131b661ba6ebd0e6994b6f526e3b7
   cc108635912f
   client_keyshare: 84a786fae7664759a8bae0cbe9065cd80b70cbf600efc695654c
   93e356735c66
   server_private_keyshare: d44dd3ee61cda55a67f2bf180b4cbb2b549f6bfddb1a
   0e17ddb1936b678ff70b
   client_private_keyshare: e5b9002b44f14abc8e2bc5bbca09fe6bad94dc3a7f89
   be6787674b64ee609d00
   blind_registration: cc1ed755daf519e81c8a3ac073a357709d1c5946654b83476
   9933c09c92cf805
   blind_login: df67b103f15ba97ad4d7977a3a0779cf03b60362c2245bb1d2dc6093
   49be3f09
   oprf_key: 59d61982f48e931494a78cbf83fc325fb1df4e1cf04b8dc7d638e17feaa
   4cd0e

C.22.3.  Intermediate Values

Krawczyk, et al.         Expires 4 November 2021              [Page 132]
Internet-Draft                   OPAQUE                         May 2021

   client_public_key: 88073089dcaf094d0d5d73105a99bc5e5c68bbe5173f80ae5b
   a927c3c6a9af07
   auth_key: 0c8b9ef74972229b2eb8c2524a7da4451b5daa9bfa18928ba972faf1cbb
   ddcd7352fec57d316f6b93e3854e933b11671199f19b905cc0732884368d6b094c9e5
   randomized_pwd: 2bcb002d2e5f1f34ceb4dfa99401d6f6cba8dea1cd287339c9e91
   011c4802188ca619f7149b4786d7480a27b7f503ea80698ecc5614bcfbfb60f016fed
   0cf752
   envelope: d7ad320966dfe48874bb962eb8b1efc258456ab764d7814e92c64fd965b
   e39ed32f315c302c80c25ad8020575ab3a5464ccfa5164d0c765f83e9bf60a3dee00a
   5ea20604733282d854ae0364637fa5b8867425cc22e31f0dc552220e2582caef91a06
   a06db1a62911ec0b55f7cfb3f765f34e94c78ae621f417597786f4c766c
   handshake_secret: 3d855c2cc58aa1ed982f595652136d3973d3a9da5f91b7097a6
   e5815c346d74fcbf8e5619cf6f2fb56327c7c00e02db6a73c96eb24a28ab5266946a6
   6b12113a
   handshake_encrypt_key: 4978aa4ea99bcf2f3d9bdbb577322a72e4347141c536f5
   5e52c0910f07871ae9e3e7c4e9c50542f6f5fe0deb4a71fbd35a3089ffd49adccd9be
   4650f14859c4e
   server_mac_key: 68a86f0774244188d9508fac801e968926e01e4eb97e445e64036
   77041839a003c3d122560ec33176520f12340f713eb3534996e05e9a3eaf40ebe7fc7
   06a914
   client_mac_key: 178a01c97d9a7aa67a21c3f0006d8ffef6289720d5c7e15f0a711
   27f184dc32c7ef45be96f7bae75356e177919a68e78945e349d08784ab475f80095b6
   b494f6

C.22.4.  Output Values

Krawczyk, et al.         Expires 4 November 2021              [Page 133]
Internet-Draft                   OPAQUE                         May 2021

   registration_request: 34fb6ba29e60511d9ce2d2a644a58b8b34af6516cc54f20
   f7ff605e8134c1213
   registration_response: 12b14ed747acc293ac00e8480dc953b3f9516d6947002b
   3e6b0db6c8c3698d79928eb99d8771526762cb6eff0ebaf085d10102934ab78d1cd9f
   4389fecd57073
   registration_upload: 88073089dcaf094d0d5d73105a99bc5e5c68bbe5173f80ae
   5ba927c3c6a9af07983a2e0e4d1bdab25059b7ff55eee087f4ee41a53b396db0fdda0
   b6975e33f4e323063245dff77e370fc7dea2479896c6ba03be021994921b3f2ae8e98
   e6a632d7ad320966dfe48874bb962eb8b1efc258456ab764d7814e92c64fd965be39e
   d32f315c302c80c25ad8020575ab3a5464ccfa5164d0c765f83e9bf60a3dee00a5ea2
   0604733282d854ae0364637fa5b8867425cc22e31f0dc552220e2582caef91a06a06d
   b1a62911ec0b55f7cfb3f765f34e94c78ae621f417597786f4c766c
   KE1: 9e642c6da6a475f89078708431aaa4e04d96097f7778b0de577bf4d08496ae5d
   529b15c72d4f19fe38e4aa1121f4ab142c2e46f73ff5f3a15d216bee59e0fb1500096
   8656c6c6f20626f6284a786fae7664759a8bae0cbe9065cd80b70cbf600efc695654c
   93e356735c66
   KE2: 40fb1dc1c9c8d7771e993ab1047c8ca9407e579c8d2873c1bf3ed8a41ab8b34c
   4b54a15ba427f3354b1890f6fab4c9d0fd1e5749f3808b8be07440b3117e885e36ed9
   11f1fb812ebb18a05e3b9af3fa13c50ac2bafafedcf2af9907b101527c9d2458cd916
   6a6206ed89fca49a09e1ebfb4d30a08bc453a35add6f33c666d26c3a6d8e116efb01d
   3ca3ac6fdd966d4fad04bb5ba71e873d70b20a02aa44ccc9809a03d93a7ed60df6943
   227781f8b55267da68d3a616747b35c89a4f453d96eeef6f392931bca03904dc4c601
   b15538ce41ab7417f9dae024c7f8c1d2d86f145b4109f26b436a2e40e589c4edd3845
   59311f588db48c7b354ab850f9ba0690085ef3502cc40e7ba5006845c131b661ba6eb
   d0e6994b6f526e3b7cc108635912f000fbc69fa5154e7e449537c2607a5fd3d493bbb
   783d5f1543604beed103e8cda5e60fe5cb4cd90ea10a75f359fb7cf9f3f6225741fd1
   24bd89f4e5da45267ca3a826038b6b99b282c5d9100ece5e9114a
   KE3: e0897053f8a12731d6bec0a3d5b0634ee6e24f17db7fc1bcf3c09804e8e092fb
   8963fa96de1dedea5243cb613b037caf3e96045439118a1dc620c7ec7ce6b877
   export_key: f393b134080b770c9b7e2fcf4088c9cc3af90db172a8f0164196e4916
   fe57621f021a8ffcdddff8c6976c01183d515441f043d9be76b3fa019015a30620f75
   4b
   session_key: 6a2f7dcfa0421336e71b98a6657e719aee366b7a32a9af35bec2aa15
   a3c06fe57fd78b6d364c671cd05115566528f999650239d2370b5c3dd9db3670b72a9
   167

C.23.  OPAQUE-3DH Test Vector 23

C.23.1.  Configuration

Krawczyk, et al.         Expires 4 November 2021              [Page 134]
Internet-Draft                   OPAQUE                         May 2021

   OPRF: 0001
   Hash: SHA512
   MHF: Identity
   KDF: HKDF-SHA512
   MAC: HMAC-SHA512
   EnvelopeMode: 02
   Group: ristretto255
   Nh: 64
   Npk: 32
   Nsk: 32
   Nm: 64
   Nx: 64
   Nok: 32

C.23.2.  Input Values

Krawczyk, et al.         Expires 4 November 2021              [Page 135]
Internet-Draft                   OPAQUE                         May 2021

   server_identity: 626f62
   oprf_seed: cdff706f61d92313589724d7726bd05f55f9d2b15ff0e1dcaa146e9af6
   09f8e65eb747399d0778bd4fbb6b2889b6df683292a633038918154fe5d3e242719b7
   a
   credential_identifier: 31323334
   password: 436f7272656374486f72736542617474657279537461706c65
   envelope_nonce: 4beeb15f5ccf589b9f8b39a185bc3e4985f1708293c22973caf32
   74a9b319080
   masking_nonce: 1d70046fc629cfc5252109848b60ad5fc1083539e6cfd463cafde9
   4fb60d48c1
   client_private_key: fee07a49ab54150e525557deebd0a14a8ea81876fdbbf94da
   f03d5a2e3cc8306
   server_private_key: ad52e51fb993d6053fd960279d81b6111a367246256f87159
   8aaa2367eb1770d
   server_public_key: c26c575e0048fed852257002c72e6cc0fddacc1df65e81d80d
   9d5eda7943266e
   client_info: 68656c6c6f20626f62
   server_info: 6772656574696e677320616c696365
   server_nonce: cb1ed5ebd4350d9cf2a4fc5d97ccc81ce0848f55417a04436fe54cf
   a7b5d7943
   client_nonce: 8a9560c4662fdf073d51d16012230b8bfe14a00e6bedb521ddcaa1f
   4acd7c09b
   server_keyshare: 16041ea53924cafd460331043cb3ec0c7f17d6c246499b9c6381
   18a606071e61
   client_keyshare: c2b0aee89ec05d28e6f9638d2e056f7cb4bfb8b4d032239d3e4a
   7960d7479e7c
   server_private_keyshare: 3593a6a9750f5d3573fd491ecddfa8bcd41036d3f822
   b056878005902dfc4802
   client_private_keyshare: 2a9fe9a4a28d0f41ac665d22d08577d7a546054f9c10
   ad092180b669e8183605
   blind_registration: 29fe2a69e6a588f230704cdb406004f763c86c685ca52b07c
   eebf891bd86510c
   blind_login: ad0703869a0fe935af28eda1b2c2ee62bc6b73edaf4d12d4580e9b1b
   9b4cad07
   oprf_key: 87fa0a7a2c834f8dd5edc65d0c536336488a129cfc6769b2858878028bd
   6ba0b

C.23.3.  Intermediate Values

Krawczyk, et al.         Expires 4 November 2021              [Page 136]
Internet-Draft                   OPAQUE                         May 2021

   client_public_key: 8463bc96f84a2fcbcf67658a19b22ecaae9ecd976e8b58f21f
   51945a636d180d
   auth_key: f8ff8b1baa2bac17972484bf9129e2830db7102d2cbd58d1948092812e7
   95f9e295f2c6aefeb8787177118c62aea1ab27e6f4ed752fe948c89c8c5a1a098acf1
   randomized_pwd: 6af83b726bbcfe7fb95c046ef79c59c19b325165080b8d504b1b5
   92195ee18fba07bda135c9e477aafe359b496ba6e495b0853d2328f903296daacf61f
   6bb232
   envelope: 4beeb15f5ccf589b9f8b39a185bc3e4985f1708293c22973caf3274a9b3
   1908075b1d83f75d5f179eddc74341d61769c701279fb2054416cdb7a4170f256eafb
   c0903a6da7151bb35c327435c51105ddc59be90299b9e6fc535d9a9c843f4def24a03
   cd6d2ee7de7fcf59ff034b0634abfb8c1d35cf5947c4f4f8c4cefd340f0
   handshake_secret: 5360a504f2653c67d76a34da3358882d8374df39002a589a883
   86cfd250eb0dec22adfdc2ab55ee5ac9d56df5f6eddd49f06e6302f94bc3f89300c15
   c71a48a3
   handshake_encrypt_key: 221451330aea49dc3fea2a5c1848b696b2fa57c0599e73
   13e590d81fbeac967dff8b4e2e4667218ac9b039322c794779ca25879d2650222d3a2
   0b74cfc231ace
   server_mac_key: 97d7c19fc7a7215889e03a292476e252a75ea5b93857eebc36ddf
   feb81aab633d4f06a9d0efdaba5ecd03edf85a00bcda4a0d712a223e66584e7aeb7ff
   343350
   client_mac_key: 6a55854a1a4807fd3aab699385e988ae0801edc7e67df5b673534
   26f5f548e85333fbad29c11e7524c6b0340a52f8efe0785694f759e71c4374aa1a22e
   782e32

C.23.4.  Output Values

Krawczyk, et al.         Expires 4 November 2021              [Page 137]
Internet-Draft                   OPAQUE                         May 2021

   registration_request: b02294ae456aa0e055e49a09a3a4cd7176d9b34778a4dd9
   493eaace4883c0016
   registration_response: b4e607d62a90a0a8496f73aa4e16a34eeff616b0c28d1f
   d1d17b6fb877ca760fc26c575e0048fed852257002c72e6cc0fddacc1df65e81d80d9
   d5eda7943266e
   registration_upload: 8463bc96f84a2fcbcf67658a19b22ecaae9ecd976e8b58f2
   1f51945a636d180d797a8fc5e5de0846dbab3f580a33e15365264f13da63dc0221e65
   3ff32d0b56eb4164874c063ad64120c0b8a18062c996dcd21b7a2c8fd40dc08aca7a2
   0b3ac64beeb15f5ccf589b9f8b39a185bc3e4985f1708293c22973caf3274a9b31908
   075b1d83f75d5f179eddc74341d61769c701279fb2054416cdb7a4170f256eafbc090
   3a6da7151bb35c327435c51105ddc59be90299b9e6fc535d9a9c843f4def24a03cd6d
   2ee7de7fcf59ff034b0634abfb8c1d35cf5947c4f4f8c4cefd340f0
   KE1: 7405ec93c531676eb9437f46cf3c3dbe9346fa83dda34a37da03d693a90e9f7e
   8a9560c4662fdf073d51d16012230b8bfe14a00e6bedb521ddcaa1f4acd7c09b00096
   8656c6c6f20626f62c2b0aee89ec05d28e6f9638d2e056f7cb4bfb8b4d032239d3e4a
   7960d7479e7c
   KE2: 7cbdfc98edb75bfa3d9636771e5c9dbf9168b69966262d80f290950a682a8909
   1d70046fc629cfc5252109848b60ad5fc1083539e6cfd463cafde94fb60d48c1a1fdf
   a8a4ecbf187a365734a283a26b697bf4214aedd1c8e723e921eea5b7e7a00a234ef19
   bd9686f339739be234214baefb713cb69e3c13abd57738cb67b70c4a25b2601ed7dab
   3e6b3665a7623e1ceeda030c3f148bc99d966b990e878dad9a0d59e258f6c0d73fd00
   b2b8410fac749da23652247892ef7912f1e5a879590c997ca97a3ba6aefabf89ee749
   e46b6a8426a4ac46e118afdc6229a3e2d7bb1e4cb1ed5ebd4350d9cf2a4fc5d97ccc8
   1ce0848f55417a04436fe54cfa7b5d794316041ea53924cafd460331043cb3ec0c7f1
   7d6c246499b9c638118a606071e61000f5f992cf6370573bf9a3d02dab6b13d6cf1fd
   022417ac3dfe7ff855876b234813917dd3a92b823e19051f7fb93bb62ac9b2b83596d
   0a362adb53bd40e0bb66a5cae9d0f112988269d3f8fd500396b35
   KE3: e27202e021ea59a325bbe704085f357db251fd7527a9ac396dbc53371eeee3c4
   e4990c23f0d920f03a16e064b6a3006e1c0335fc5670da49a3e96322366484ac
   export_key: b9df96a941b985e6ee63d271fb6625136a70839aa4823ff94eb48a3c2
   a0535da46ce89ed91230c434e16118da578eed2ee1ffebefdf87f17531b0477170c2d
   ba
   session_key: 587dfda5fae9a29132a81fc3a77cb9a2909993a99c7699bb96a14a84
   094e7312c49e37f03ccaa6662b0a54e9496ebab9a7ef0db20a6aa716a1d3dd8ff34b9
   f94

C.24.  OPAQUE-3DH Test Vector 24

C.24.1.  Configuration

Krawczyk, et al.         Expires 4 November 2021              [Page 138]
Internet-Draft                   OPAQUE                         May 2021

   OPRF: 0001
   Hash: SHA512
   MHF: Identity
   KDF: HKDF-SHA512
   MAC: HMAC-SHA512
   EnvelopeMode: 02
   Group: ristretto255
   Nh: 64
   Npk: 32
   Nsk: 32
   Nm: 64
   Nx: 64
   Nok: 32

C.24.2.  Input Values

Krawczyk, et al.         Expires 4 November 2021              [Page 139]
Internet-Draft                   OPAQUE                         May 2021

   client_identity: 616c696365
   server_identity: 626f62
   oprf_seed: 857bf1908e1bd5a995004390be61b2b97a7b30ac36ebb8dc2071f69e7d
   31517c455fa3a0b20372cd34cdab9b095bd9b37d3273fe448f8b3fa4bdd0a83de5971
   b
   credential_identifier: 31323334
   password: 436f7272656374486f72736542617474657279537461706c65
   envelope_nonce: cdcf4a19a19ad7d40bad8804be0267fc4c82831c7374a4d8091a5
   5b896fa1715
   masking_nonce: 3a674793181723ee2f13807844cef144ceab2021a615301ab7e13c
   41db9f1dbb
   client_private_key: 75da35392023fcbfaa87fcf458b0344248870cd73a38e3fcc
   d00a994e1a09e0e
   server_private_key: a7f4d763822fcc14bb91a7b36b0a6d30f1ae8c3ca1c36505a
   02610dbec29260f
   server_public_key: 9023317b443158b83d4f4b49674209ad390595bd29758f5e86
   b1fb217190e964
   client_info: 68656c6c6f20626f62
   server_info: 6772656574696e677320616c696365
   server_nonce: 3d428d82363a0b92bd63fdf234271c884adb897fe7d9ea47e5e7935
   781dc9999
   client_nonce: 99653c99fa82f8232d14584e49201af116e9e14678cea3bcf2b6e18
   b0c850c7c
   server_keyshare: 58a6c4fdb4b3da03df2e5b1f6ce1549402e209712e5bf9d31efb
   db82c00eef5c
   client_keyshare: 2c8ffcf1bbc02dab15df7834ebdf85841395f07c8e7317285ba8
   574b6eee3910
   server_private_keyshare: 67cd6d248d654a4f7b687e0c7eb2a02bf83796d422d0
   857bc80b26e57574af08
   client_private_keyshare: eb3b4ed65a30dd1ac8bd653f707b4cfa3e6b2698b2af
   5cb5237235104958d109
   blind_registration: 7910645dea4be0d8f6e45f39d3db7bc33d1573d18032ac63b
   63afc6c3170cd04
   blind_login: ed642fdcc98bbe29b7b93769cd75686cce64941bdfd686956b1a60ac
   9f7d3a04
   oprf_key: 54b0c41d68c4a7a978acc7dcdffc3908beaf97d4000ac53b2e3e5507caa
   1840f

C.24.3.  Intermediate Values

Krawczyk, et al.         Expires 4 November 2021              [Page 140]
Internet-Draft                   OPAQUE                         May 2021

   client_public_key: 2e7f449922d1b7b73c979920fc5eaf21787a6a52e5b4def633
   28bec3a4f21146
   auth_key: 321da064406e79cf9963cdedf484a8b0c3812da356303080133ec0bcd1e
   30d64f168325292c0c661154cac0733231c792d5d14dfd31e37dcd1b503d65a393af7
   randomized_pwd: a61188761cd72985376a9b988cbb1696df046158d49e6874afb2b
   8a3c5baa95d447c081ee0ce711d39d7550cc16e49d289d662af1211ec4fea507ee9b5
   4fe66e
   envelope: cdcf4a19a19ad7d40bad8804be0267fc4c82831c7374a4d8091a55b896f
   a1715a7f71de44b67b178b02ba465f6d090eab194b53d2e84b049298e0d4cdbf10840
   f6d234e5dfcb7ef83ee879d9afd93f2be74eb4d7195cacb0819b18e7f55a2e37065b2
   f47e672372cdec7c83de33e54e06dbe7837fb90c2853c2ca2ed59487e5e
   handshake_secret: e1cba61a067d33368bd1e26a7c3bc4cffdd916a38affe4a7349
   008881063985955ef1ef19a25b31f18637f353fde61aa5c39a10914346341e0f02304
   773aad60
   handshake_encrypt_key: d3d98cafecadb46b4d508b599a36084e2590c1db39a676
   731e5c545944dad35e496b1acd3aa30f6c98fe4f6d030bd805e9475fed5c37ff58387
   fa5cc682212cb
   server_mac_key: aa94da7ac4668b921db447c2c74460d7e80f4b85ff620e772a0f6
   ac3f7db3d44f6a3f4f105c534ae61b33394f7ac4c1eda1e79dd4644d8f0ad9010328d
   142e97
   client_mac_key: 07a6d9a46f5f1b84096615f84c9e9542178dcac1f8ff12f12ff64
   c3e269f6d2f5897220cc8eac0c299b874380d295e80caf91627ca233681cc9df9f481
   68f4ad

C.24.4.  Output Values

Krawczyk, et al.         Expires 4 November 2021              [Page 141]
Internet-Draft                   OPAQUE                         May 2021

   registration_request: 6a525dc9419e2d0261fbcd6033f9d500503a27027a48d91
   27ca1209e01690d29
   registration_response: 06ad8201e34d8e1eea1de904c484fc493df7b6ce11ac09
   d490ab7305b539b9789023317b443158b83d4f4b49674209ad390595bd29758f5e86b
   1fb217190e964
   registration_upload: 2e7f449922d1b7b73c979920fc5eaf21787a6a52e5b4def6
   3328bec3a4f211467a0eefbd8a4b69df36d9a29d4e8393f49fd1dc32f64af2d7f7fa2
   ab81f3023c80e3b1d847258efe8cdc1ae0aaa975256f0624a79caf9d1cc2b9fd4058a
   9e03a5cdcf4a19a19ad7d40bad8804be0267fc4c82831c7374a4d8091a55b896fa171
   5a7f71de44b67b178b02ba465f6d090eab194b53d2e84b049298e0d4cdbf10840f6d2
   34e5dfcb7ef83ee879d9afd93f2be74eb4d7195cacb0819b18e7f55a2e37065b2f47e
   672372cdec7c83de33e54e06dbe7837fb90c2853c2ca2ed59487e5e
   KE1: d6a8af82258885688aada828f32e04463c3739c7da0e63c5246711520dc16e37
   99653c99fa82f8232d14584e49201af116e9e14678cea3bcf2b6e18b0c850c7c00096
   8656c6c6f20626f622c8ffcf1bbc02dab15df7834ebdf85841395f07c8e7317285ba8
   574b6eee3910
   KE2: 14ec99860a47e2ef0ee0a896bd65234669149b67dd23c32e595ad895d1028c57
   3a674793181723ee2f13807844cef144ceab2021a615301ab7e13c41db9f1dbb04b8f
   1067ecad6b35eb7f0538671dbdcf3171876dc4a5120bbe65fbba8830ea8d4f342ef60
   e07c0e7441bb80744fe68717225306e47557592903a94453ea32cd3a1f8e74d59456d
   8d7eb2bb2d0d3540f30b6273e73684b82bfe8f59e990a197299ac8ee84f0e01a7deb7
   c7c5cb65db6ae5a9b955a6d39352a34eb26bc6e239dfa35dcee20ca03e58962ce66a1
   6ca522e518c530f56b1e2a1786d39d0c1afbbb13d428d82363a0b92bd63fdf234271c
   884adb897fe7d9ea47e5e7935781dc999958a6c4fdb4b3da03df2e5b1f6ce1549402e
   209712e5bf9d31efbdb82c00eef5c000f1e14d47ff11c4dd61751e4b521af2fde2903
   5df0e8f2616676342a152bd17781886b2c9c1844b1016cab6810f5de1b09321ed728e
   79955d08f9e6b40215cc4e52d05d4d5d0e7021973a163d540d033
   KE3: 01fbabd1475c7c254fcfc01a167241a414ca01e368671f650dc82598c38774f6
   b7ee8674318f995d13d50c79bb0ab4b681deaf4402d4b3c459154660abf9ed3f
   export_key: bc324fcf39c2076ae28bd99b695dbfdec525a413c5644ef66ea331716
   e407979591473722bbc11e3ba15b604017df611b082ce980cfcff2f220c814cb5f591
   42
   session_key: a0d263d5e1f4aa6abb16929f20490f91e193322c25946521b78a8097
   cfcfa6f5be61db2e48b77a22cc50243c88e1063451f96415ab32f6440b72aca514f86
   4da

C.25.  OPAQUE-3DH Test Vector 25

C.25.1.  Configuration

Krawczyk, et al.         Expires 4 November 2021              [Page 142]
Internet-Draft                   OPAQUE                         May 2021

   OPRF: 0002
   Hash: SHA512
   MHF: Identity
   KDF: HKDF-SHA512
   MAC: HMAC-SHA512
   EnvelopeMode: 02
   Group: decaf448
   Nh: 64
   Npk: 56
   Nsk: 56
   Nm: 64
   Nx: 64
   Nok: 56

C.25.2.  Input Values

Krawczyk, et al.         Expires 4 November 2021              [Page 143]
Internet-Draft                   OPAQUE                         May 2021

   oprf_seed: 2d8f83b63ef32c9adfe9f9c430b1cac00f49ba284bc52f0c9f1f7c38b7
   1001dacd1bddd63cfe8967fd13c55bbdf25e8b6cc087ee23a38f7485b2eeed2648eff
   3
   credential_identifier: 31323334
   password: 436f7272656374486f72736542617474657279537461706c65
   envelope_nonce: cca755b1341937e284043a2c88bf3d69b2761077d84981a37d555
   01d5a514873
   masking_nonce: dae2cd69425f7a341e2a51f5177e565fef6c3fecd2864b2b228239
   b82c5aca36
   client_private_key: f4ff0c84bacb98d40ef1b543bdec5009b450e4fea1c8aeefa
   6022540fde3cac20b940bc918b0a16389fe160a1e6ae09a48d235acaa1d3735
   server_private_key: a762ac7f6fc2f643032abc43fbb2ad4e6e012f48d106d10ed
   ddb5b69d9e36d59b08eaa6830c6bfe473f50ccfb5c033b97885214dfe740e35
   server_public_key: fcbb8bbe6f857883e38783acf58dcd6de556530055a2353c4e
   584320e0916d28b8278212bd6405864ae84a5cd2508f09ea1185f82c9ba518
   client_info: 68656c6c6f20626f62
   server_info: 6772656574696e677320616c696365
   server_nonce: 483fd0e4b908c66c202500357e2491f1462af3776667129d118bca4
   61790b288
   client_nonce: 7fa76459168d148209a19f65ae653e294bcb559b1f535116594d3f1
   9a566a92a
   server_keyshare: 5898c178da53ad329a001103a6f2b4ec6e0966c665fff16d88b8
   7a83aa267c2be161d1a36a39b7b184828166f721b83ee15fe4753b05755e
   client_keyshare: d25b52b3af68ebda6905d0db5d964660ec9ec81066ef7955559a
   a302e012006b1ce049556666231483f56af9dcd1c27fdbafb4d954060091
   server_private_keyshare: be35304a0559db2bb6c9e25206ba0fc53b33226b8024
   79acd16c975c6cf2dd688fc9a0dad8b6ec9dbc18b90c704a53626c5baf9094cd0c3b
   client_private_keyshare: d4bce964deba5ebdfa17b366504278e82626cfed3d19
   06ad0e990e08c94faa134d3842d167394a1ae296300bcc9818b8373f191382ae5124
   blind_registration: 83a353c6d832a563b5706dbdfdb9f3e711ee26a9c31b896d0
   da0433f4f6eb32221c3c90388e170f8ed58afce06edf6625440f4e552502839
   blind_login: 31c8ad493e51f27fff7955175d8b2606fa4f81f8d116d2a9e8e49578
   715881238aa712a6fea64bbe268869aa0e6c166754e0b3cc45f4fe0b
   oprf_key: 113e070de69c20f96dd6565cc617a736807b518cf49b312a04e1dcd49ad
   ab8176f895732193028cac0367c25bc486a79ce5777dd09a36514

C.25.3.  Intermediate Values

Krawczyk, et al.         Expires 4 November 2021              [Page 144]
Internet-Draft                   OPAQUE                         May 2021

   client_public_key: aca7c206bb8f25ac19b3436b1f4c8022f03e13c7763edf9fb6
   86b00b2c04b999f40d3f01507342017e83ef917616358cbf50d2d86063b2aa
   auth_key: d6c51857cdf177529419946ab6fe5a08f50ebdeef0d88ccee5f05862946
   e397bdc326c39ed86eca82d2cb13b5b4642a4efa50fd97a65946f32a48f82d8b8594c
   randomized_pwd: 43ca8e9fc4658fff4275bcf84450b6f2787458d4ee53c387aba45
   70d8e84c91c5117b3ba93669f1431d3ef9d8a57a1269faef765c593be33ea66e7ff94
   ad3369
   envelope: cca755b1341937e284043a2c88bf3d69b2761077d84981a37d55501d5a5
   14873659eb13e14fc7ef6a77136d1eb63bda85baf00c336515630d48c4d037304d7bf
   38f7b95d4f5a124f475c018645b17448b3ae776f0c5f86bc2232a074f9dd90e7d394e
   c83ecbbe64da8359a745e9768705ece4714205acb8b86597f4e8d6a0f089287adfaca
   bc5270ff8fb62d22f6418ccfe81d18ffbeef19
   handshake_secret: 7176e3d5471625f5fe5ea2bd17ec5dc4b6e00467448e72ddee4
   9b8edd6ff11f36e7e6aa7f976c157426c0ecb192f4d1503a8efd1211434573f0168b1
   779ebfde
   handshake_encrypt_key: 812f5c30fd8d09d895a8099192e8f822422b5bc5518610
   ec3f33e5e49f042d54ad88ca0324d8acefca3559a1030f53d5ed1c4f62d4484583b4d
   4713b3b75c8db
   server_mac_key: fa2d39fd3d030276683ee3de4adb4934d4bd6551a824446a49620
   42ec036a469c71fb81ac5be2e981070e74653b6606c1885f78328519637b8b63da249
   05ee78
   client_mac_key: 6e76c94f60b8e7609be2be03a624bed130a82acdd84341764b4cd
   04f7ef02ec751d39b4c63886759f6e0d8c6b198319eed12c3b08f549b96e6bd472041
   4274bb

C.25.4.  Output Values

Krawczyk, et al.         Expires 4 November 2021              [Page 145]
Internet-Draft                   OPAQUE                         May 2021

   registration_request: 56eba0e757af33e634107f2da32fbe987af1d37bfec1918
   a2d42ed2f6b3714bdc1dd190ed6dc6da310536bb748cad363e76ad2fb1b05f1c3
   registration_response: 5261c7f2f21aaf3ba2c3897f3a44dcc2beabea6f4abb5f
   10a64c401d1481e309d14c54affffb9116e903c4ec36551752fdb0206748fadd96fcb
   b8bbe6f857883e38783acf58dcd6de556530055a2353c4e584320e0916d28b8278212
   bd6405864ae84a5cd2508f09ea1185f82c9ba518
   registration_upload: aca7c206bb8f25ac19b3436b1f4c8022f03e13c7763edf9f
   b686b00b2c04b999f40d3f01507342017e83ef917616358cbf50d2d86063b2aa7d742
   6306a4962a57d06cd6be47a7c8f795437e86a50dc71f0c9035b543ae436d13f9c67f1
   ee9157ebe46d28372869439c8d0b48ab26c0692b2e7ff66fd0e29acca755b1341937e
   284043a2c88bf3d69b2761077d84981a37d55501d5a514873659eb13e14fc7ef6a771
   36d1eb63bda85baf00c336515630d48c4d037304d7bf38f7b95d4f5a124f475c01864
   5b17448b3ae776f0c5f86bc2232a074f9dd90e7d394ec83ecbbe64da8359a745e9768
   705ece4714205acb8b86597f4e8d6a0f089287adfacabc5270ff8fb62d22f6418ccfe
   81d18ffbeef19
   KE1: 16ecbe71c272b0b9cce77059395154ae766c95a7f10ad0e699aa0c773877225b
   a13e0a8ace5007c53ce3631c7e7cee782a6c44cad6832e0a7fa76459168d148209a19
   f65ae653e294bcb559b1f535116594d3f19a566a92a000968656c6c6f20626f62d25b
   52b3af68ebda6905d0db5d964660ec9ec81066ef7955559aa302e012006b1ce049556
   666231483f56af9dcd1c27fdbafb4d954060091
   KE2: d672a158bd9178546c287befff0c4789ece9a84071a98f9146ce5449b5a19c2a
   7160862145916b3e56627abcde87d163964edd7727907353dae2cd69425f7a341e2a5
   1f5177e565fef6c3fecd2864b2b228239b82c5aca36d0824c4440d1d7f15e0d722c07
   24f97041a5b88b9f30a7263f49bc562227561b3847efbadaea5a286d7d24d112dde27
   83772e7c697fa472addadbdb9d833d76053086be08e3a27df16724c7c365f0a8d0eb3
   1833e7b5988a4dd14f8768eb2da6605eacb7ba01b913afc33081453945f36e74ff12b
   f599e1013f1e08ad4acb65845599fff72629a418a51b1f89cf96c81f44228b44bcf55
   7c42b9239e84e2ba2e425c80fe4c713a8ed5195aca8c43d3aa203271c9e7b01eff85f
   2beb8a70c0b4baec22e95712ea0a03707073b91fa60b7483fd0e4b908c66c20250035
   7e2491f1462af3776667129d118bca461790b2885898c178da53ad329a001103a6f2b
   4ec6e0966c665fff16d88b87a83aa267c2be161d1a36a39b7b184828166f721b83ee1
   5fe4753b05755e000f9fa4f4dbfdbe9b2f15c28fba6c0bdb0fad3c99de5035d0f9af0
   59311aab2a69975ea5c0925db497649349bd356c7a4f41c4d0d3aebbf92aba3522e83
   ebadf9bf3220de92f5ecb10ff439a35519bfb5
   KE3: 9b61f2bf14953304f7a52a3e40c089aa0b9723abe6f10f8df4d1d97d0197c30b
   e7cde1b5d2871046d8b5d72b63dba1ebe926319b8cb256256db5b4a202fbd63e
   export_key: e9db9e65c49aeca60415f412f3511040e0f0debc8114d6752c0172b1c
   a0a5f420c61a8a46aed0fdec06757a7d1ecca05de761ec676046a0e6d192ed038715c
   7b
   session_key: 1e296c1baac73f1df293b131f351d58fffe6fbd622e5f37ae002dc48
   2829775cc721a6d3db4df8cb032fcc4e0d954f9065b0964c5ab6eea58a98b430b8b83
   172

C.26.  OPAQUE-3DH Test Vector 26

C.26.1.  Configuration

Krawczyk, et al.         Expires 4 November 2021              [Page 146]
Internet-Draft                   OPAQUE                         May 2021

   OPRF: 0002
   Hash: SHA512
   MHF: Identity
   KDF: HKDF-SHA512
   MAC: HMAC-SHA512
   EnvelopeMode: 02
   Group: decaf448
   Nh: 64
   Npk: 56
   Nsk: 56
   Nm: 64
   Nx: 64
   Nok: 56

C.26.2.  Input Values

Krawczyk, et al.         Expires 4 November 2021              [Page 147]
Internet-Draft                   OPAQUE                         May 2021

   client_identity: 616c696365
   oprf_seed: 408b58278566cf765109018e203e2e6e6a8f255698c1bdeebb14bc22e1
   c2a1cde4ace22c8300adc036177c2dd26d2fda16c5f78b6de5b72898fa377be3a5bca
   0
   credential_identifier: 31323334
   password: 436f7272656374486f72736542617474657279537461706c65
   envelope_nonce: 10241f737e77bcc1ed216c9a367950a7ef43678f9ee29b309544d
   f34298d472c
   masking_nonce: b2ea57c79da7ced6dfda2dc6c6c0402cd96b329f7fcd183bf9d1d7
   e5a716d42a
   client_private_key: 4f4b1b91c6a9c0dab6a8ad279201e00d358aed1a0ba88c458
   589796b05ac19101d1119df1070dbd0911ca74b4634a51b9b1b093b74e1873c
   server_private_key: 6ab03a76f031abde2e7d1f987c101064757d6133445217316
   02876c29cc7d2652a7329cb8513ddcebb66b178194206a61256f5e14e70d23f
   server_public_key: 2ef8f9560867402d20f9c34942bb26e63d2cc667851473334c
   6cdf1f89ec0ea218e3ce0f73f9f1fd303f140bff958f80b7d4dd22a150a0aa
   client_info: 68656c6c6f20626f62
   server_info: 6772656574696e677320616c696365
   server_nonce: 2aa2944a2fac12229bb22b6b63389635f6102d71fbf95b4a8a6cbf7
   8e6b2814d
   client_nonce: a7d04cb60ee0f6ea96a3dc44160f7db4b22d2652c4461577685d5f8
   0450a0aea
   server_keyshare: 32751cb95f97035f22d498ed57a8af0d2495075aace642f15244
   2da8485211d6a551142d9bc6771619ecf80ca8b4def396f706ce555e2896
   client_keyshare: d87899f024ee66ed5b8718f9966f2f34dde445da12078789f1e6
   208028cbc9b7ac7cff5ae937856aa01321310e1858f0e3b89492e9e49f42
   server_private_keyshare: ee1fee6fc5ad0f317b2639067b1ef7796b5caa6e94d7
   9390dd16061e4dc69508c2913424b3a6b84133223db6c51c01b054e8dcd2f32e6724
   client_private_keyshare: 071e199a022ce8c6cb0005eb1e2fd4703582c35881f2
   64ce05ec18365cea6b66423035e531a19194e5934618e546215460f66eed7d0b6f0b
   blind_registration: 0db98607cff12cd2badef2406e0491ecd3d6bb96a4335ee7f
   0c504e5cbe48ef5daa3a2b717e4009bfc8c60f6a0ad5e73607538ee51807c3a
   blind_login: 24ff7adb77a75a1f02efa6633339b91ae4a42dd0b52fb5f997673263
   f7f5af9ed39730c2d1a09d12123d1bee3f550acb33790d70b0123815
   oprf_key: 3d1e92b4ddb6bee3cf32ba6c0b16addc525da38f13266939d8961fc3cdd
   1437673e1be929c75d3679b22a9145205d2c1719bb44a7983832e

C.26.3.  Intermediate Values

Krawczyk, et al.         Expires 4 November 2021              [Page 148]
Internet-Draft                   OPAQUE                         May 2021

   client_public_key: 30b7ffad2fdce2c282ec205685afe5d9e0551773c14c23ec2a
   f04c13af62b8df5558f6dbd310fd41bb2fb37c8377796be92aaa21bf60f357
   auth_key: 3bde34bb68300e7843d79c1bfc63e5cae9fff249b00557348442d81c59b
   ccdf5f13db9e59da32f6b25a4fcc76dca3e90021fc1553614b71cd1982d33dd95c07b
   randomized_pwd: 351cad5b1f66d74e7f6beb7ef2e02234ef37775800b0ac91de427
   af72ec6cf5a0c2920099005247e1cb7c77ed91cd094d3bf6a97e99201f1f1c58b2241
   0623ac
   envelope: 10241f737e77bcc1ed216c9a367950a7ef43678f9ee29b309544df34298
   d472c8e46164d8929ae397121cff467322b1dd47bdd5f714f1dc5c04ae8230a274a36
   eb9574040d6baf198c5599c69c346f8e12c1fd4a2e558365d23260f6ba5c75901fc9f
   34c675288fc52648f964c4270c7936a0bed5e36df70184c187af486f5f2a3c0ebea06
   38dc5dc2a7567cda68ee2654f7691c03ce3011
   handshake_secret: 727af8282b3f529691b3914a6735286c1abd31415a1276abfbd
   734e77a6bf6aceae95c4661b6cc0f1bf7c918e841154ff7ea7153e4f47639b8e581c2
   4ec02c65
   handshake_encrypt_key: 9891ad2af01d57842cfc10f959d1e1a3592f1b86529f44
   1411c8fc9451e90e6b379085645e6a01f93f63106b116e10788c244f57c28a0f75b09
   4d4c34e80cd16
   server_mac_key: 6c3c56402e8ab595f1c72bb2c01813205f302c6b557773c7a233f
   1c7c02dd7257fefcbc0feff679df81c11ec0c63b866b20cddd0beaef7a8ea627d5725
   16f036
   client_mac_key: c4e85273ca8aa64e109b4cb05089c16bcab3d9b11ef1225464e2a
   5585f7d60911675649025b3a54292ae64b00c0407ee5cbc9c2bca3a642f87ac6cdc16
   feceb2

C.26.4.  Output Values

Krawczyk, et al.         Expires 4 November 2021              [Page 149]
Internet-Draft                   OPAQUE                         May 2021

   registration_request: d287a62ca4d452ff3b5e2d800121dbb5785bb383db9bdb0
   c541f8e643443dfe2ddb1162b8b7c758893fde1131a84ae57935e7b60b14058c1
   registration_response: 6cd7ab8b0bdc800c66c217d22ef729c08465e5df1a6b5c
   c01c0cfe5d9d7b4adc6e40dc1013b8b8f8094b386530e673a179735e0cedee0d1e2ef
   8f9560867402d20f9c34942bb26e63d2cc667851473334c6cdf1f89ec0ea218e3ce0f
   73f9f1fd303f140bff958f80b7d4dd22a150a0aa
   registration_upload: 30b7ffad2fdce2c282ec205685afe5d9e0551773c14c23ec
   2af04c13af62b8df5558f6dbd310fd41bb2fb37c8377796be92aaa21bf60f357c1549
   7051bcca080dd4a5566430fa8850bac4abf66fc2df50c6dba2f29c9ad9bc3616ff533
   a202e553070f3f4dd45e53931ed02c151cecbbdcfbf66277acd1a710241f737e77bcc
   1ed216c9a367950a7ef43678f9ee29b309544df34298d472c8e46164d8929ae397121
   cff467322b1dd47bdd5f714f1dc5c04ae8230a274a36eb9574040d6baf198c5599c69
   c346f8e12c1fd4a2e558365d23260f6ba5c75901fc9f34c675288fc52648f964c4270
   c7936a0bed5e36df70184c187af486f5f2a3c0ebea0638dc5dc2a7567cda68ee2654f
   7691c03ce3011
   KE1: e4420dd6be305be0776f14c1140f0b36ca304c007827a8c5b4910c5432dd4caa
   6214b4077d4a99e6d6dd7f756bb3531bd010eec2253afd1ba7d04cb60ee0f6ea96a3d
   c44160f7db4b22d2652c4461577685d5f80450a0aea000968656c6c6f20626f62d878
   99f024ee66ed5b8718f9966f2f34dde445da12078789f1e6208028cbc9b7ac7cff5ae
   937856aa01321310e1858f0e3b89492e9e49f42
   KE2: 564606d70bd3fa461bee6e06ae9412f4c49b505ed6559cbc9d17c02072931636
   2975c2e2fd560f68032c93ac7ea5357c892b32ea0dcc6050b2ea57c79da7ced6dfda2
   dc6c6c0402cd96b329f7fcd183bf9d1d7e5a716d42a81d354f006c5e4d63eb73de41d
   39abf0c44b9891362030c679bdca90e2f2467681509c612d390a5fa831e9db97b9226
   b6f0468c142c3ea47d0e86da34855965e257d610666aaf29cefabd4f0067c624abc3b
   9990c6bf06c874579f9dd0717c1c52cafa52b108a301a7f1e727e252d1a6295eb3635
   feab6b65374441f28dd2ee501b0fed3ea88ec7dbed28ba544fc94977b5f1754f7ed92
   7409f3e0e0f44a9f40ace2e37e4865d3ae9085befadbb8a30d0ee3307d90328776b26
   c3c95861fd5d9c961820f84617d430d04f5e9f94e27082aa2944a2fac12229bb22b6b
   63389635f6102d71fbf95b4a8a6cbf78e6b2814d32751cb95f97035f22d498ed57a8a
   f0d2495075aace642f152442da8485211d6a551142d9bc6771619ecf80ca8b4def396
   f706ce555e2896000f96681a27592a697a734b1a00b338429d06d94788d9f450de709
   1a4f3c7f3bee1f0bb8e62aa8cb2d34a1ec009da7e61ba8de473c06b33e09e16565fa7
   2be1f642bef88dfabca88b21b095f165eb6c01
   KE3: 3a978eb658c077997e8544b1cf52dfaf2b152956db661139afbc34e05fe8cc15
   be7f1dd6544789e3452275f40de05653f98e86122f74253e22c7768de653a3ee
   export_key: 12d1b25d6990128ffdc8cbf21832b96d55bc64be7ab2cc967d0c04814
   835d23e4b183319d369cd3955f992126fb3b8d130a2f65cf2ac9ca0750f0acac1031f
   e8
   session_key: f5ca4e7189e76679957f386672f82aac0cd8972402817600ef2d578d
   79c38156a80f9e7443c63439c3674242b54b28e829780f729463e20dc6fe9f21d423d
   53c

C.27.  OPAQUE-3DH Test Vector 27

C.27.1.  Configuration

Krawczyk, et al.         Expires 4 November 2021              [Page 150]
Internet-Draft                   OPAQUE                         May 2021

   OPRF: 0002
   Hash: SHA512
   MHF: Identity
   KDF: HKDF-SHA512
   MAC: HMAC-SHA512
   EnvelopeMode: 02
   Group: decaf448
   Nh: 64
   Npk: 56
   Nsk: 56
   Nm: 64
   Nx: 64
   Nok: 56

C.27.2.  Input Values

Krawczyk, et al.         Expires 4 November 2021              [Page 151]
Internet-Draft                   OPAQUE                         May 2021

   server_identity: 626f62
   oprf_seed: 256d4027516b703d2dfa1ded7a8c46870c7236091776781e8927dee64b
   6675a65292295706a43c1848e82eb6825692b2528bc7ca6dbed9e7c29c02dcc2ada74
   3
   credential_identifier: 31323334
   password: 436f7272656374486f72736542617474657279537461706c65
   envelope_nonce: ce9053d023afa73f0b28c64e4322207a28921ec1ae96b9ee0bad8
   f87187a0ad4
   masking_nonce: eec732470af6e228628f3ae80e3e90c64c51f83a41cc42d2f2c73c
   7f81a9131b
   client_private_key: 80b8326dd0c2b506b88b0b4025c0db89bb624a8b94861078d
   88f88515adfc5374ba9326bc531c7ec458fa14a482339ce7854b1c044ba083b
   server_private_key: 5315b843996e1c8dab628f7848b29fd8d4368a414eaaa9110
   da1cc53752548548f132674a235f9ee105780d4ece5e1a760c147f744bb450d
   server_public_key: bcd8a3897346eb85679f52067ff50f69dfb9fc0ae776fcac93
   c99e1e9dc14db5c9c26b09e1980f7f5b45774012be6234ac5a8953ff69ef28
   client_info: 68656c6c6f20626f62
   server_info: 6772656574696e677320616c696365
   server_nonce: 075e1b74c7eeb1dffa6ba8f304340956b3aa3bf6d2a43e5ebd616b5
   9cd439d6b
   client_nonce: cec96d9c640c98d9aca9792007035c7e9daf29343ea0b9ebb7d73e8
   f210b2584
   server_keyshare: 3ab8469c97f3394c729de0b4f980ac06ea6a90dd077f924aac42
   10ce65521a90aa1ed82f46ad5cd948d1d96a179409a020f8a01cc86cb7b2
   client_keyshare: 6e0974f24da70adf24d24b5e267c80f6335a5cba9442a5658cdb
   76b3a2bc569d39ec6fedc1a162f4e6c6a460b0978684aa5f30b3304cf04c
   server_private_keyshare: 3aa67989ec3df11a5dc574b914e150f5abd7cccc551c
   0aa34e6667a1636de9926e6bc4a4bdc21ba549ae8b93b848051abd4dd80242f57d1d
   client_private_keyshare: 03d97c90df43947879a326b5b22372e3cb561aaee6d5
   8bab4f4a884a8f62a58ab60476b6d0c460e7dd6726866ff416874521249aaaaaa70e
   blind_registration: 5a58b6378e03f24937ae6ebb685ba39f43d99b2f6fdbe00a8
   c754c0d6d7ed824d2b5c8afca5b1cdbf7c3248fd9f16400508eecb6b7894a12
   blind_login: dfbc42d70013abe2cb8ebcf6de5b275aa83525d606424339cb500346
   6051f19cedbf00b0f680b7435bb165c340da077f8acc37c0a2594119
   oprf_key: 96ef1f565460533723a129c4fd59e70192471cb1591f5a18a06954b9236
   ff89543ebe7582493cf9fd7254eeacc5cfacba0a10c00660d252a

C.27.3.  Intermediate Values

Krawczyk, et al.         Expires 4 November 2021              [Page 152]
Internet-Draft                   OPAQUE                         May 2021

   client_public_key: 06b7fb8ec9beee7a168a7a820bd710d1b72d05a433fcf53e5f
   4ee0a2a5c3a1d48d16121594b272656efcc614aff77386030ae72e47d948ef
   auth_key: de033180dde10c04d68198d94217bdc178ec07adac74e5a7a1a33a808c8
   44f5e13136ee12e46cfc76ddb739b75189f485b202b05ff921ae170230fe226447986
   randomized_pwd: 03d2fcd5b13cf0d6877bcad567de4e6036a1a51ac7006c2a496ce
   538985100c8a190a240d59e69a0582918b578f51fab18c19842d796aa4668e1a6bc66
   ea4e9c
   envelope: ce9053d023afa73f0b28c64e4322207a28921ec1ae96b9ee0bad8f87187
   a0ad47da721931582ed0eef7eca8b1eae0ce21244afcb7c2d324849df09e314cae97c
   d449a9c67d2c8266c4083d004e7d572a481bb10dd9614b0d95c56ea5b687882b18135
   8565c5f27dbd0d1bfc27b1d34d6a529ef9c16e58e947610ceb09471b768b1542eeb85
   78aaa37e9b93e2c37ec21e531088a36297fcaa
   handshake_secret: 66f51cefa898ae9486ccdf092f5ad47eaadfd6db2f76e3adfab
   9407ea37b44448b7036f0b1b1e268fa823b8244b7780e3be115e004e9d931c9c0d033
   67d9abf5
   handshake_encrypt_key: 4c54e8d80bfb35bd90c365aa360bdfc985b56f1e8bdb84
   a61df27b1470f7a5b5e887da6c151c9e8cef1064be46444aafc6f799ad53ae726f30d
   619620067eae4
   server_mac_key: 18d7bc4872a86d2ea01caf299fb7e5d9c4e587ad374d57debf119
   85f0914c4730776e6894522c5df770a2267faafd7442388b4784dfee5b9c2a9ecfc78
   c3d08b
   client_mac_key: e9a6bfdcbc5943bfe9d7cf0642e103c096eaaed1f6c4216cd0a6c
   e3f47a32b0b98cd02dd9ad589b2cf2bb2d3febc0ae66501ba6ceded570efa769b0e03
   1c38a1

C.27.4.  Output Values

Krawczyk, et al.         Expires 4 November 2021              [Page 153]
Internet-Draft                   OPAQUE                         May 2021

   registration_request: cc1b854bfac5f36d7f09d18975d26bd031490a8810722e5
   e84d13320bc6cc1ad88f2faefeeb84ac706985e2784da104dcfa376ea200241d6
   registration_response: e04b3c954f1d6d709a83bff990215ec498fb9c7935bcc1
   d340e7ac899ecbde26fd98cac559fa0183baed54d1185e32132b68c672d80ab6dbbcd
   8a3897346eb85679f52067ff50f69dfb9fc0ae776fcac93c99e1e9dc14db5c9c26b09
   e1980f7f5b45774012be6234ac5a8953ff69ef28
   registration_upload: 06b7fb8ec9beee7a168a7a820bd710d1b72d05a433fcf53e
   5f4ee0a2a5c3a1d48d16121594b272656efcc614aff77386030ae72e47d948ef3ca0f
   22b76379fccff1ed10ba860afee6db14441177b8ccf0d1f08e4bfd7e691704f8e973b
   3c0c56479677dfb7004325e75ace6b7f0699baf642947a4aec1fb0ce9053d023afa73
   f0b28c64e4322207a28921ec1ae96b9ee0bad8f87187a0ad47da721931582ed0eef7e
   ca8b1eae0ce21244afcb7c2d324849df09e314cae97cd449a9c67d2c8266c4083d004
   e7d572a481bb10dd9614b0d95c56ea5b687882b181358565c5f27dbd0d1bfc27b1d34
   d6a529ef9c16e58e947610ceb09471b768b1542eeb8578aaa37e9b93e2c37ec21e531
   088a36297fcaa
   KE1: 8447080996dd1f729709b137aa45b6a6e68651f7f5794ec80d7aabca6f171226
   e8c5ac7aadfe6b9ace4bc355d7b891907d50282031c15d9fcec96d9c640c98d9aca97
   92007035c7e9daf29343ea0b9ebb7d73e8f210b2584000968656c6c6f20626f626e09
   74f24da70adf24d24b5e267c80f6335a5cba9442a5658cdb76b3a2bc569d39ec6fedc
   1a162f4e6c6a460b0978684aa5f30b3304cf04c
   KE2: 7a4ca243be6375b2f474a8d1a15bf6811ce899e22562942c3501f6bebcdbdfac
   4654b2ea096da25687958252fea11562d31ce1983ba50e8beec732470af6e228628f3
   ae80e3e90c64c51f83a41cc42d2f2c73c7f81a9131b6072d400f79d38df5ee84c74e4
   a6261049d4d9683edb7c5899a62d61060369ced1858f37a662981a6052c886e6aada7
   6110b5a65d19aaf793c4428e096e31ab7f1dc89985e0a375fac698c9a6f1252618426
   1fbaf37fb056f1448ae1c7aa751184bd2f0b8a0e784cdd93890ab06c6efda58ee8646
   85d61af752c6cb42d738c03b7c9a27388a40dd9d6fe5b287d05c1e35a05593ff7bb10
   b2b730d692e3e47974a5a5f001c31fb7e22a3b4e4ac3606e8a4c9542bce8738baeb4b
   bc69c2e8c4cc41ee4f34325fd053ab5140775fe6793ed075e1b74c7eeb1dffa6ba8f3
   04340956b3aa3bf6d2a43e5ebd616b59cd439d6b3ab8469c97f3394c729de0b4f980a
   c06ea6a90dd077f924aac4210ce65521a90aa1ed82f46ad5cd948d1d96a179409a020
   f8a01cc86cb7b2000f450aed233507678afed7293a894422dde5c7174b91cbc297d89
   85315579b3cef14b155bb28e313ce6e2f07f6e5318096c98a0a9dd7ab9ce747c09381
   4a2f9181d3d28ffd4c1bd814266024c25b7709
   KE3: cbd323005e96f5a89734c1ef409359e117c8acf3a1d7e6c136ddc423d40998e0
   ad7307913d2b83bca249c91c6da75a72572a96f669153ca57f4b5562d3bb5b7c
   export_key: 93270b252a4b1e08488be7e3ae9594e0b8fe9192a540c73402b16233d
   01ed59867ce4c3e8d579966c2c2c20a7d64939aac3b63ccaf71de487262d129d5f674
   0b
   session_key: 0435267dec4eaeefaf46b4524b7ace609d26f803bf22a35d2e3d9788
   4af225c41ced72f826cf1c7e9ead18f9e21553d28b54653381354d6a64d3d36f8e254
   ccc

C.28.  OPAQUE-3DH Test Vector 28

C.28.1.  Configuration

Krawczyk, et al.         Expires 4 November 2021              [Page 154]
Internet-Draft                   OPAQUE                         May 2021

   OPRF: 0002
   Hash: SHA512
   MHF: Identity
   KDF: HKDF-SHA512
   MAC: HMAC-SHA512
   EnvelopeMode: 02
   Group: decaf448
   Nh: 64
   Npk: 56
   Nsk: 56
   Nm: 64
   Nx: 64
   Nok: 56

C.28.2.  Input Values

Krawczyk, et al.         Expires 4 November 2021              [Page 155]
Internet-Draft                   OPAQUE                         May 2021

   client_identity: 616c696365
   server_identity: 626f62
   oprf_seed: b4d286e6e3f6225fa137f4686d0f34ad52eae2a96fc35e8cb1f6da569c
   5d8a87b2e25e3347b5b0baa692d9f4e08e40f423a524638dfd264856245e1154f07cc
   4
   credential_identifier: 31323334
   password: 436f7272656374486f72736542617474657279537461706c65
   envelope_nonce: a186e2babdfdca646623f073cec9d6d1e8d64e66b99cc4fd14ff9
   3fa41654317
   masking_nonce: 67fa0025edb3233e4ad7c3c620d5941addcbdef0b8203effafd77e
   0006dcb38e
   client_private_key: 771370125ea54cd3f86666bcf4155379dc1e0d5e6a8fbaa4c
   0e0a570b44a311701b936a442f340c21a65638fe11c0e7b3bd1c3528e632d19
   server_private_key: 7d455931c4f4efa18d5731a27e8ddbe8eac8be6eae6175f91
   137a8cffccfcd6cb52345e2bf2ad8995f69ba5a19ffa1afe3cba5f538b0e629
   server_public_key: 9cc2b31fb6677ce38ad340c70ad2a48fb8a11dfff6537994a8
   e42262e63634ec59d0431f3878051eca9888bb45c17a68359bb55071e6f6e7
   client_info: 68656c6c6f20626f62
   server_info: 6772656574696e677320616c696365
   server_nonce: 9c759396ff32036ca0f46e4f94dfb1420e0a372e533fc26ebf06954
   e502ec0ef
   client_nonce: 5850a05d1746b701f3ae10f0f992c2bee512b396f4d1f4ac4a071f5
   4dcc150a9
   server_keyshare: b886b2c735272aa37e700b602edcdfcf53f73ae463d94139dfd0
   e173feda40f8ec315c59dabf8b7db0a77cf9c3e5b3528688b01849fd3523
   client_keyshare: b8de36842175636d346164767aa834a4bd1a0abe805678ced434
   06c4a09ce40145f03cd1d620d6b3932243017098851f7003f34a849e6c46
   server_private_keyshare: 3ed756eed880d3de7c18dccba6b3cf4e50a1e6b4afdf
   c46bc0aba90513085e532370a16b0e93d9805376f144775a662ef08423826eb76436
   client_private_keyshare: 567e1a4dd379827702cbf43273917f368325b5ff3e29
   353d5c0f1fab7fc092bcb7dfa7aa7596b1d670da83d996a9990af5ba44b0d7b5f630
   blind_registration: 1b121a9a0c3105a83ea792da07521422552c83edaf183ee32
   959f966fa8956b647b7c5d00ae7e1b60633bfccd44243649644143e6177763d
   blind_login: b38d2f5fc9a95095a10bc711cf190e7749518aff1f7207b6ba2daef2
   162a03cfcae4ba482b466a135440f1a813185f7dc14e970097e66335
   oprf_key: 47d4e7986915d99639c87166202023361ed0079370a237be49af7387ba0
   1130addbdff507ad0d46c644d9976b1007bec3358083db036c33f

C.28.3.  Intermediate Values

Krawczyk, et al.         Expires 4 November 2021              [Page 156]
Internet-Draft                   OPAQUE                         May 2021

   client_public_key: 7a9df676f00d588a90e562ab1ddb58fc1a860a3e6b6abcf0c4
   0dd4f64a94c634a1dd46ab02d02ca293f601406d881538bcc122cc61844549
   auth_key: 3ea9ebf52a60b3a129e79263dc9be81a8dde6edfeed0307b76910284dbe
   9ece059e5d9bda8bf13c101ae8d6c003039559943dcdfb5b5d18f1f5c195aca519b00
   randomized_pwd: a5313a9b69388094685dd8b977a37ce88f3940b3d5fbacefd8c8f
   fc7bf5a57f3198a6f71b7d77d731dd2c265d020d256e0684962e0a1a9ba7485abb953
   bbd2f8
   envelope: a186e2babdfdca646623f073cec9d6d1e8d64e66b99cc4fd14ff93fa416
   5431744575c4f68efbc2d4610872a498baee8d8f8165c20090e1d7d28e79775605792
   4c93a6a1edfcd504f5da77bb58fdbd63f1e84e2e6a1b4f5ca9ff55bf33fa5fe11ba66
   5f8f0479f788dbb47ec236c7731913a7958d554cd9f8a955350c627ffb5c21a9a9c07
   375b0fcb20cc120e7fd02e092692470fa8dab4
   handshake_secret: 969906025c4b246bc804d1ee495cda9907da66c708ba1b03298
   a4f1d58ce8da905bba4d75e512d4dbd104d58a915207439ba8e4960dba1eed409fe5c
   0e734b6f
   handshake_encrypt_key: ea333818b24fe6d6b0f136bef8981db80f2d6bc679223f
   b986de8bdd4573a8e1aa0d2af9a9de01eeb4022cc11e6e13ded4d78609c007b092445
   8ed30b216b5cf
   server_mac_key: 7f159bf11622720b3c0af3a831828ab43bd27be6ca2459536bb29
   2a014bd69f5cea21ac64995976acb96e7d4f66943fb33082da10a426e3c2a01b0cab1
   870455
   client_mac_key: 67773fecc9c4984aade4d537d1a645268cf5236afd82c9bc0bf0f
   b384cb03a69cd350f926aef4e10b00c649ca01c30b42c31bc6eac8fe30fe8568fac63
   341bd7

C.28.4.  Output Values

Krawczyk, et al.         Expires 4 November 2021              [Page 157]
Internet-Draft                   OPAQUE                         May 2021

   registration_request: 88c032a418dfb1e1cd1a3324ba5992452f93c66edbec9c3
   65e92c1ea793cf76c05ae910ae194ca9c51e885d3c2bcba7d76989d0d824ace6e
   registration_response: ce808e991bdac9a449cf4357ed54879d5b7d0d3df64e04
   8a1ffe074dbaf6365c8cf096923240bf9df5889749603ad0acc18c111d5666e8319cc
   2b31fb6677ce38ad340c70ad2a48fb8a11dfff6537994a8e42262e63634ec59d0431f
   3878051eca9888bb45c17a68359bb55071e6f6e7
   registration_upload: 7a9df676f00d588a90e562ab1ddb58fc1a860a3e6b6abcf0
   c40dd4f64a94c634a1dd46ab02d02ca293f601406d881538bcc122cc6184454953d62
   aef94f33c58f8f1bf792fa721c30cd74a8936609f0a5f096709d86dc155701a724133
   c17b61b968503f7166e4920a5eeb40e11288ff8a247951ee149806a186e2babdfdca6
   46623f073cec9d6d1e8d64e66b99cc4fd14ff93fa4165431744575c4f68efbc2d4610
   872a498baee8d8f8165c20090e1d7d28e797756057924c93a6a1edfcd504f5da77bb5
   8fdbd63f1e84e2e6a1b4f5ca9ff55bf33fa5fe11ba665f8f0479f788dbb47ec236c77
   31913a7958d554cd9f8a955350c627ffb5c21a9a9c07375b0fcb20cc120e7fd02e092
   692470fa8dab4
   KE1: b4f7627e7bdcfa7d9112301dd0081a3f51cf7e8853eb48a16c9078aeb0dd99b1
   6e691ec45b6dacb2dc05b62f0e09c124c94b1b5390a68abf5850a05d1746b701f3ae1
   0f0f992c2bee512b396f4d1f4ac4a071f54dcc150a9000968656c6c6f20626f62b8de
   36842175636d346164767aa834a4bd1a0abe805678ced43406c4a09ce40145f03cd1d
   620d6b3932243017098851f7003f34a849e6c46
   KE2: 2edc7ca204555431a8ac43aba0d4edf5894595ed38786df7b685c426d95d4bb0
   0bc9d867c48723b75f9cbb23e31274b549f5ebea8448a21267fa0025edb3233e4ad7c
   3c620d5941addcbdef0b8203effafd77e0006dcb38e76498ed9375714df930d7715d7
   5b27cede703f9e07e18a1ae08f35ace7e0f530e2cb38e8501d8ef37320ec646b3769d
   6ba622d5252e8a08f6da52c8ef0e27766bd0041f46412b8704fcbbe0c1f84fe1fcbb7
   81a463887d181b548f53c5adccc1bf3c249846facc22d3fc855725c49d2f103daa17f
   21b092885ec78580792fd8ffb545cb26bcea0987853c19a04aa43d511a1dea0e588ac
   2999f1d7fcdb513b7ca39c65ea5561555ba9605c987b8fd82ea83df14d09a0000aff0
   61112ef8a360a4918d1df4a3da734967cee64b8302ced9c759396ff32036ca0f46e4f
   94dfb1420e0a372e533fc26ebf06954e502ec0efb886b2c735272aa37e700b602edcd
   fcf53f73ae463d94139dfd0e173feda40f8ec315c59dabf8b7db0a77cf9c3e5b35286
   88b01849fd3523000ff6c5c1545b52e898a91178d9689a6ee6fc59bd10034889a8f47
   ceee0b3cf2c04687446e48df78ddeef3e85ff812ee522e60849a1764c39d3dd7bc274
   0f7b0c476e8c60532e5df9c6628b65f4e42116
   KE3: ec135e1c78f31bcacbf8ebb446bc9959be5f0133e5d5d19822c3d77d58ed226c
   a074503dd96e6b0a7bbff00914a599bf10e726c7972c8c37ee03c131120a1f74
   export_key: d5623f7b35d664df8435cbd73a6d651bb96109fac75b673a7bff53728
   13e41bf91d430cb0215ffcc72fbe47027632465094cfebe01e4a8a6ab424689540c0d
   57
   session_key: 990b91912884bd34b13093596066df5f371b13088e3349f99e4b6a77
   9313bc9319c658b8f923abcd3650ae7b048f783847706377d68e54bf784c1c9aa885c
   35c

C.29.  OPAQUE-3DH Test Vector 29

C.29.1.  Configuration

Krawczyk, et al.         Expires 4 November 2021              [Page 158]
Internet-Draft                   OPAQUE                         May 2021

   OPRF: 0003
   Hash: SHA256
   MHF: Identity
   KDF: HKDF-SHA256
   MAC: HMAC-SHA256
   EnvelopeMode: 02
   Group: P256_XMD:SHA-256_SSWU_RO_
   Nh: 32
   Npk: 33
   Nsk: 32
   Nm: 32
   Nx: 32
   Nok: 32

C.29.2.  Input Values

Krawczyk, et al.         Expires 4 November 2021              [Page 159]
Internet-Draft                   OPAQUE                         May 2021

   oprf_seed: ca3dcc6f809ebbdec499a453e64168cc772eec040ce22cba6286e0bda6
   edd27a
   credential_identifier: 31323334
   password: 436f7272656374486f72736542617474657279537461706c65
   envelope_nonce: 817da7eb95c282c39e6716521f9f2dcf1908cb3cb60082e99d1e2
   65009d9275f
   masking_nonce: 1b9fdbc44c3491e52d5abab23fba7a97c6589898152f0babee3e36
   d2e415a671
   client_private_key: 5b1a8d0d1f59318d1a325244e784530a56f15f95cd7594b41
   1ea8f7ac77652db
   server_private_key: 40e02b1164d21f51b8022acbceb26069ac5ad37af70212b20
   1e18725cb41a5e7
   server_public_key: 02c136a2fc727c674b2e49783d5a79bee0c6ff8ccee9190d1b
   f7dafca0807eb046
   client_info: 68656c6c6f20626f62
   server_info: 6772656574696e677320616c696365
   server_nonce: 6520475f364bcda5edc971af216bfd1c3cbff6f22077018a212a518
   9254ac886
   client_nonce: a543212613ca62b7c9e35677951e46fda946f782d75122ca19b2db0
   ea23cc35b
   server_keyshare: 02c5583ec9a10dfa32344fe8000007904dacd5e6be9eef27b0f9
   4b50605b017126
   client_keyshare: 02496d129c40fe6d255d57f6d92af5c0cf0ba277e8a0e7b67a61
   df2dccd9b02c5f
   server_private_keyshare: b1d0433877efe00464be6b896d06f05ca36e9fd8d6e0
   2ff17435e6a4f4bbecd5
   client_private_keyshare: ddd367c02e495b689d91a556eba0702d16e92e891a87
   04d094e67d684ab53321
   blind_registration: 6418ab119b59a01aa2a2d0fc7658c372a2ca039410fb968eb
   ed2ba1d2991d9dc
   blind_login: 74b8f4b1411f14fe35c4f40e826c546bd9cabd9e4ef380108359988d
   4ec5165a
   oprf_key: 275c9ec4ecf98cc541bdd9572d43f316d1d799bc11c281f377d56030060
   fcf62

C.29.3.  Intermediate Values

Krawczyk, et al.         Expires 4 November 2021              [Page 160]
Internet-Draft                   OPAQUE                         May 2021

   client_public_key: 02ea5098f6b7283d5481f1500a7b589214499b26484c4430b5
   2d36b1ccc475cc8d
   auth_key: c64828f188bb72f48c655a7f9d428d524baf80ea24bdce20a1f43a64bba
   a692c
   randomized_pwd: ae2e16dff4c105ef4319edd0b8d89fd0cd8666895843b530712fc
   958b9b649be
   envelope: 817da7eb95c282c39e6716521f9f2dcf1908cb3cb60082e99d1e265009d
   9275f38c11ca420422ac49aa2815d5ed221280430ad4e972171a614bdd899a3e4831d
   428bba482f9d7d78a07fba0d271432b7971acd4cc8a0d898c4cc4b07044e4c6f
   handshake_secret: c59958e430578214b37c9ee29de08f682c676d00115e36108e8
   c8f7c376f56b8
   handshake_encrypt_key: 8b4722b266a742dd6627f2bb9777c0192b7ba18c1bf701
   dcc6b2d7003aeaee0f
   server_mac_key: 3e440be6032e1d22644678c2215c3cebe6e574733ce1a74b1582d
   f4cdab62a83
   client_mac_key: ec3b8660322fffd7bda47211aae564e24602f7c3936e609cc42bc
   dceb1ac2fb6

C.29.4.  Output Values

   registration_request: 039ae9435af572249db38975b192f1beeac30ed093c4d9f
   40bb5236d3521035ab9
   registration_response: 03c9cd90478b17e18e1098c8ebbc9642a7b1c576241476
   563108391e39b1ba982202c136a2fc727c674b2e49783d5a79bee0c6ff8ccee9190d1
   bf7dafca0807eb046
   registration_upload: 02ea5098f6b7283d5481f1500a7b589214499b26484c4430
   b52d36b1ccc475cc8d7993e8446626bb099af7800aaf9dc9cd6d0e92982bed8633365
   c36d78b2e8963817da7eb95c282c39e6716521f9f2dcf1908cb3cb60082e99d1e2650
   09d9275f38c11ca420422ac49aa2815d5ed221280430ad4e972171a614bdd899a3e48
   31d428bba482f9d7d78a07fba0d271432b7971acd4cc8a0d898c4cc4b07044e4c6f
   KE1: 03f86d270a693da19f82b655d8ffe6a26ac2b79ef779de92012d7fad3e15a7d1
   5da543212613ca62b7c9e35677951e46fda946f782d75122ca19b2db0ea23cc35b000
   968656c6c6f20626f6202496d129c40fe6d255d57f6d92af5c0cf0ba277e8a0e7b67a
   61df2dccd9b02c5f
   KE2: 0311fb6fdb33bfeda7c01479d378ac90e2362efd1c8d69406be3243c65fbf3c6
   e01b9fdbc44c3491e52d5abab23fba7a97c6589898152f0babee3e36d2e415a671804
   99afbb55a152d5e8deeb5f19bf5106849ea4eebe5783b45613755e6d4eba236f4e847
   6b6387a219e5a7642b7b7b93cc806898098fec251c8a4fec922edc5770b18da58f9cb
   e4882389d47cea2165674122d5d1f77f2a9b5fd4bfea427832985e23a269c402960b0
   5dcdbbd970ccc0e488ca59f12c5d71aaa4d4b719a931d4c76520475f364bcda5edc97
   1af216bfd1c3cbff6f22077018a212a5189254ac88602c5583ec9a10dfa32344fe800
   0007904dacd5e6be9eef27b0f94b50605b017126000f478605d9f8e07d5fa988c5373
   7c9fcab0085b6d9e84ba237caf3370257cca26175d7cefa2e18f0186a9aa3460a1b6f
   KE3: 6c39dc33096cda62c23c60d6e03c29ffda2062400299a2f2a52c7df4c5deba68
   export_key: dac545de97f7d8a27dc9062bf42b3b6c02c3cd7a7fdb08251736c5aeb
   59a1a36
   session_key: b59169165e64e5c00474dcb2b3aea2922a4fe06aa6418fb020309037
   5e48bea5

Krawczyk, et al.         Expires 4 November 2021              [Page 161]
Internet-Draft                   OPAQUE                         May 2021

C.30.  OPAQUE-3DH Test Vector 30

C.30.1.  Configuration

   OPRF: 0003
   Hash: SHA256
   MHF: Identity
   KDF: HKDF-SHA256
   MAC: HMAC-SHA256
   EnvelopeMode: 02
   Group: P256_XMD:SHA-256_SSWU_RO_
   Nh: 32
   Npk: 33
   Nsk: 32
   Nm: 32
   Nx: 32
   Nok: 32

C.30.2.  Input Values

Krawczyk, et al.         Expires 4 November 2021              [Page 162]
Internet-Draft                   OPAQUE                         May 2021

   client_identity: 616c696365
   oprf_seed: dca8ac4c4c4d080a4b441cbde52ac9159398f983e91c0ff1ead4922f81
   3665c1
   credential_identifier: 31323334
   password: 436f7272656374486f72736542617474657279537461706c65
   envelope_nonce: be560b984659185632de94b35bf6f59ffda8f0601c72f1e4e5e41
   d22ec81ff60
   masking_nonce: c8c9df3983aa76316a8a491436e41036a00244ce40b29c7035f8f9
   aeaead3f2a
   client_private_key: 03be3245a3830887fbce88f3eccc26f1639b91aa8f043ae61
   75d146de19bef1d
   server_private_key: 6a62ab611cc2ea77a7fcb3565850ac22c6d3a18b19541fce8
   3b070cfa802882c
   server_public_key: 02e1249c0906886b33b0ae59c981001448f2541fb718a158c4
   b4f37d391e813fed
   client_info: 68656c6c6f20626f62
   server_info: 6772656574696e677320616c696365
   server_nonce: 862a717c0bb5285de381a7d49ba23557dcdf2f408f7b75f032c4226
   1d555a077
   client_nonce: f0c231edf5b97f8c6886c26a5f60147c7fcdac76fc29f6562eebc97
   af4d5d45a
   server_keyshare: 02178e9554d669786c2e9349f1e178eb84961a7f8073d9ecbc5c
   f52bc2fef7791f
   client_keyshare: 026ec987d3b7ea3ef8cfdca092b9d6994d134e933a5fb7892953
   35d5f6956399b6
   server_private_keyshare: 9269aa286624945b3ff399dafe30f3edd53adf2184d6
   8c94007a2ad0ba0472d5
   client_private_keyshare: b93132abc198000cabf47020290b885f6bdef29aea8a
   6169bf50dca978827f64
   blind_registration: b93db502618c7ed6facd1b2d033bf401d74b2c8b13b2da213
   802025522072622
   blind_login: d30953abfe724ce286487ba13f12ffa86adb64f66c99f58a465d8cd3
   16a5d496
   oprf_key: 8f811da0d5810756052762d6061215c3e13e8abe75f2dba291e830d9dcf
   a2cd6

C.30.3.  Intermediate Values

Krawczyk, et al.         Expires 4 November 2021              [Page 163]
Internet-Draft                   OPAQUE                         May 2021

   client_public_key: 028ed3215a26f2763d4f9211ab13c415ba0e228fea364a264e
   65baa2434709f808
   auth_key: 2a21ddfc9f9ef354ede473b1841c61b56091faeb0d56867ede7d40fa9a7
   ffbb5
   randomized_pwd: bf91e6be126cc5d5386accf3ee28be9faacac99a7c715e3d01cc2
   6978fd4039e
   envelope: be560b984659185632de94b35bf6f59ffda8f0601c72f1e4e5e41d22ec8
   1ff60f9c21a88bb8070c7a4870bfd36773b64a6e77162c60873e2304cdc6ba8286a47
   14ebcaef275654e13d38a167a91d7cf89a037b20d5c18235b9f3faad55a4f6b5
   handshake_secret: 5e940bebc34e2fe2ab3e4fcac683c594f3691cea77f1aa02522
   d476507136535
   handshake_encrypt_key: 9b0c4f4fb660f6dd8ad268278673fced3f8452f25b9201
   79824aef0166b5b6ae
   server_mac_key: e380b3517496df4fc34cecf13282cbc8cb673aa8b8d9f8d77a010
   742146e6fe5
   client_mac_key: f36ef042a728b8564553293cc778c42b34525e07578cfdecceaea
   e2af71e821b

C.30.4.  Output Values

   registration_request: 037a055d502f2a882c021fda1ec2fe8e5d8cd0d2a913e5a
   03b1e27e0fd06308275
   registration_response: 03c37a7ddb6f23c6af97247bba7bebc62a71ad1bf1e2cf
   6fad1bd816732070c4c702e1249c0906886b33b0ae59c981001448f2541fb718a158c
   4b4f37d391e813fed
   registration_upload: 028ed3215a26f2763d4f9211ab13c415ba0e228fea364a26
   4e65baa2434709f80811b7eb6d15140bacbb18c954bfa176f9819e105802ed2eb3441
   ef6484a935df8be560b984659185632de94b35bf6f59ffda8f0601c72f1e4e5e41d22
   ec81ff60f9c21a88bb8070c7a4870bfd36773b64a6e77162c60873e2304cdc6ba8286
   a4714ebcaef275654e13d38a167a91d7cf89a037b20d5c18235b9f3faad55a4f6b5
   KE1: 02e532d2687a979f0a75112437e1f4c6d5411c555b2330a8d6c45c7c7c657aeb
   b9f0c231edf5b97f8c6886c26a5f60147c7fcdac76fc29f6562eebc97af4d5d45a000
   968656c6c6f20626f62026ec987d3b7ea3ef8cfdca092b9d6994d134e933a5fb78929
   5335d5f6956399b6
   KE2: 03895f049933a11baec47a6240ef25d45a150be742c46a1fafcecb1d286aec5a
   0dc8c9df3983aa76316a8a491436e41036a00244ce40b29c7035f8f9aeaead3f2a77c
   2f90b224115f60a13f2d5a71ae1b4ea6add852c818bb94a02f4a7417632c5cd0f0c41
   e87601e077898b5e2b25c6d2336d9f2b58384a225b8993dea499d5c8156d14011d6cf
   f78c26f103d8b8dbabbc7b587e702b358d5a20c30ce127925e9b08e7b4d3acc9a1c13
   d8fe07bb3619a0be799307c6b463bb6b2a764f5db62e59ba862a717c0bb5285de381a
   7d49ba23557dcdf2f408f7b75f032c42261d555a07702178e9554d669786c2e9349f1
   e178eb84961a7f8073d9ecbc5cf52bc2fef7791f000fa8ef70781cd05b0711e77278c
   87e4267a355b70cfa90ccf69210474178db4ac8c3b0d445cb73f00ec05114700a1c54
   KE3: eb9233923ea58877b958553e860fec7721f367ffd1b6a37d01ab7454ff1d806c
   export_key: e54b8d82f23782f4bbf7fa4f63cb4fb84096a7de28ece53f5bf40da50
   5697a40
   session_key: b2af2995c6c177963a066c23b26ef750710a0344b8de57564070f7f1
   b57c6de5

Krawczyk, et al.         Expires 4 November 2021              [Page 164]
Internet-Draft                   OPAQUE                         May 2021

C.31.  OPAQUE-3DH Test Vector 31

C.31.1.  Configuration

   OPRF: 0003
   Hash: SHA256
   MHF: Identity
   KDF: HKDF-SHA256
   MAC: HMAC-SHA256
   EnvelopeMode: 02
   Group: P256_XMD:SHA-256_SSWU_RO_
   Nh: 32
   Npk: 33
   Nsk: 32
   Nm: 32
   Nx: 32
   Nok: 32

C.31.2.  Input Values

Krawczyk, et al.         Expires 4 November 2021              [Page 165]
Internet-Draft                   OPAQUE                         May 2021

   server_identity: 626f62
   oprf_seed: 7f7b085a6dd65b2336cf2152c3ad9b17d4220a0ff2fe6d63ee20335837
   df3329
   credential_identifier: 31323334
   password: 436f7272656374486f72736542617474657279537461706c65
   envelope_nonce: be37b298e8c5c46aa08e6fc6d816ad4b36b97a2db7b670c1ccb4e
   bcadad20477
   masking_nonce: 73ff4d5ed3f2d1662316a9dbb7f1fbc5de9df5fa10d767e94e267b
   e4b7e74f01
   client_private_key: eb7d0ea4bf06b78e3ed83cb2d3feb9683cece55d800eb5196
   e9304e50ac61518
   server_private_key: b4cd2e42c0bbef01350751994440026574a20f677965ad056
   1acb622a32651dc
   server_public_key: 025cbaa4ddfc060bb49a281a97663ce9e20bfdcd9d11bb10a2
   5b74538d149fc226
   client_info: 68656c6c6f20626f62
   server_info: 6772656574696e677320616c696365
   server_nonce: 5d87ade9bd39d623e7507cef77f5e0261a0dcc5f69431a0f61cd68b
   7122f0290
   client_nonce: e565ffa2b4aaa7dedf48a20dc758dbc5a8a3989757d3ded74daef4a
   6f986448b
   server_keyshare: 03981bb9a42c6f60750d2c9098ec0e64d52dc1ef0b4d02a20b2a
   e9ce40b425a389
   client_keyshare: 02736055b3c97c36bc8e7bfe53ae65bc38c5be6b46adf3d48681
   df7bcfeb96770a
   server_private_keyshare: cd95a821cc128dfb687ff3f9e730721712454f271dbb
   f2f76022ae85ae56b481
   client_private_keyshare: 27a18769e08a1cfb22e03d2d98e62ef8ab50db505d5e
   28afc93cc3c289c5646c
   blind_registration: e1891039c8ca2bb5a8591dfa6e02d8bf4bb7eb3e3861cbe29
   cd03197fd5f6733
   blind_login: 9ed684a129b5e704cdd2a770bcc863c9f1f44d7e3e90c233aae441c7
   cb8da45d
   oprf_key: cfa04176753d0b38555dde5205b8dcbadb069510b61ae5819430fbedd93
   b372a

C.31.3.  Intermediate Values

Krawczyk, et al.         Expires 4 November 2021              [Page 166]
Internet-Draft                   OPAQUE                         May 2021

   client_public_key: 031049be572a6e15f68e2d758a7ca7926e7ff85ab351ce2b00
   3b652dc03e8b5304
   auth_key: 5654fc11468d38a1a963c8f51fa4bd0f082be96a76aa750ddf97646c787
   6a5f6
   randomized_pwd: 19c0377846322b2147dc14ac0014036e102b8458238f117bf5612
   41a4cdf352f
   envelope: be37b298e8c5c46aa08e6fc6d816ad4b36b97a2db7b670c1ccb4ebcadad
   20477eccda5b0bc3320bec5db504ec64b2bdaa22f7e83a668d894c2e72e816a734bc4
   500cd039810a832de1bc2a769c0ef5d3cb06fa49e5818751571b42e176607508
   handshake_secret: 9e01e6b408544997779441b7e42f31dd45ee38edb08d55b2f5b
   4cd5ef0790548
   handshake_encrypt_key: 110ddb279a11da46fefa06a565abc650230ce9883e1964
   7463c92d057d11731a
   server_mac_key: 52e714943f9b85c110fb523542d5a1e63516b63dd4acfdfbb36be
   2075fa3107b
   client_mac_key: e8ad048b660269216d7ab6a65ee1061a8fdee4097a7567571d4b0
   2e8d5c1773a

C.31.4.  Output Values

   registration_request: 029ead8cb71d9f802fc71737e16f75eda7843e5b961c9ef
   0bdf8da0cb97a6364db
   registration_response: 024d8f3cda5f4dc58936784c6b5377bea3c819c72b12ca
   3d90d59acb74fe183009025cbaa4ddfc060bb49a281a97663ce9e20bfdcd9d11bb10a
   25b74538d149fc226
   registration_upload: 031049be572a6e15f68e2d758a7ca7926e7ff85ab351ce2b
   003b652dc03e8b530443424bef487a5b3f29fe001d5e172f14b4320537aa10a63005e
   201e98e6ea239be37b298e8c5c46aa08e6fc6d816ad4b36b97a2db7b670c1ccb4ebca
   dad20477eccda5b0bc3320bec5db504ec64b2bdaa22f7e83a668d894c2e72e816a734
   bc4500cd039810a832de1bc2a769c0ef5d3cb06fa49e5818751571b42e176607508
   KE1: 03fbe22a5b37f7345b2370c51a5290091f5af7b21cea757ca017b2a32279b543
   f6e565ffa2b4aaa7dedf48a20dc758dbc5a8a3989757d3ded74daef4a6f986448b000
   968656c6c6f20626f6202736055b3c97c36bc8e7bfe53ae65bc38c5be6b46adf3d486
   81df7bcfeb96770a
   KE2: 0399d8305f2ce775a6cf3f97a83aa67b2b1e1fe01866f324eb27263bb46dc0f9
   fb73ff4d5ed3f2d1662316a9dbb7f1fbc5de9df5fa10d767e94e267be4b7e74f014ff
   39c134da493d71343eb35013108546f149432808fad33aec65629d2d9ce4d6b288ec1
   6b3fbf51de7c4a049786d270050e3925e0504efd91ea52f7bead0814ad20402679bca
   eaf43e488ab9af1545cacca3578a79c1e9404e7401f42085dfbf11fa18c9265c54b3b
   928dbd7167000a5c6bc1338d8c96c3e6e6289c812c50520f5d87ade9bd39d623e7507
   cef77f5e0261a0dcc5f69431a0f61cd68b7122f029003981bb9a42c6f60750d2c9098
   ec0e64d52dc1ef0b4d02a20b2ae9ce40b425a389000feeb52595f8b5ad3920c1d59ce
   375a1a2a944d0ca4b28328547d65a23e9603d540813aa9b61bfbf3bd22e7a9ae1e8ea
   KE3: 7055a1786c3c39a920bc77558911719a2feeee4270fe38ebba22d8f09910f90b
   export_key: 2b79ac3f3ee4e6f097f7e589075575856af3a1b203ccc51b418e5cd4a
   07dc912
   session_key: b26257f43cc2012162126a2640e03e79de4be7cae81542622a1c7e10
   e7d11721

Krawczyk, et al.         Expires 4 November 2021              [Page 167]
Internet-Draft                   OPAQUE                         May 2021

C.32.  OPAQUE-3DH Test Vector 32

C.32.1.  Configuration

   OPRF: 0003
   Hash: SHA256
   MHF: Identity
   KDF: HKDF-SHA256
   MAC: HMAC-SHA256
   EnvelopeMode: 02
   Group: P256_XMD:SHA-256_SSWU_RO_
   Nh: 32
   Npk: 33
   Nsk: 32
   Nm: 32
   Nx: 32
   Nok: 32

C.32.2.  Input Values

Krawczyk, et al.         Expires 4 November 2021              [Page 168]
Internet-Draft                   OPAQUE                         May 2021

   client_identity: 616c696365
   server_identity: 626f62
   oprf_seed: 480a89408820aafa632df740b00cd8b002ac00086bc9211fdab8bfa95d
   2ad5fd
   credential_identifier: 31323334
   password: 436f7272656374486f72736542617474657279537461706c65
   envelope_nonce: 471701d52712c910049f9daf2852017e785ce123d9562769ea055
   496ac41c997
   masking_nonce: b3fb4943667c6106d10803ead63c46128dc9f1737b61f3de206f07
   45f949f999
   client_private_key: 02c14f564a29a05e39d4b9382c20686e41faa8407f03f5d2b
   2b111efcb64be89
   server_private_key: 759ebff988d2878fc2ac6619807ac6625d0ba08ab0d6c5a67
   e15fdbd8e329839
   server_public_key: 0249b8ed908a9b67d5f5f2f409502ad1b0e08b5dda755c15c5
   e37937a9187772af
   client_info: 68656c6c6f20626f62
   server_info: 6772656574696e677320616c696365
   server_nonce: 4eed2237b8fc1f9aea48e112847cdc4a3d9867b0c523bbec033adb9
   68e5ac898
   client_nonce: fe61b550c07d1f74f56c99d9f5e7e74d0ca6eeeadd324d1f0076696
   f9e66a47e
   server_keyshare: 03a05823236f8f28bd60569e51b83712e6371b7006059bb85422
   16c9b9ec73ae8a
   client_keyshare: 03eeb46969c8d3c0ff2160547e2ab719958b7e8686ca4d9b12f6
   04883194bb90a1
   server_private_keyshare: 3fe67cd510f555773e65e85deab5aa1a8b54deb7605a
   6dcdbbd0fa19154ba659
   client_private_keyshare: b61c995dc5041f841785ac17ee8510cf3adc1db17814
   2267fb32cb31f5faa46f
   blind_registration: 3edf1af7e06163a5711bdb94b2df8e91003824a359d0902c1
   4ceae7aff5a3ced
   blind_login: e10bb5610ececbde9ff768f649d22bfb588782c804b553e33fec1789
   41510c4f
   oprf_key: 263ecc204db759f8518b2cb2e026c43bf51d563906856b80c889a32cefa
   a84b7

C.32.3.  Intermediate Values

Krawczyk, et al.         Expires 4 November 2021              [Page 169]
Internet-Draft                   OPAQUE                         May 2021

   client_public_key: 02148f47b6a57019ddb58b5f1feaeefccd9f5e979c1364f89a
   da3ab1d4b3f89098
   auth_key: 3e1cd2f71ccd7343633b94ac259e1b3d8fea684d9e0570c88e41f809d16
   2755b
   randomized_pwd: 25a1b355f6bafd8f26c8739e81df14cfc466d9961c765779de48a
   dce7ad0f12c
   envelope: 471701d52712c910049f9daf2852017e785ce123d9562769ea055496ac4
   1c99793e65765a55bc0903531ed834e7c44744871638e818d7d770fd099a4e3c78d4d
   5a4119040126166f137ff8b788ac56bf24b7aa706c8e458b609954651dce60c9
   handshake_secret: 356020eff008cc7346cd9d6640e52ea2c88da63b2afaebd9541
   d78380ef4fb27
   handshake_encrypt_key: 02d2724f9d9d6dd75b3f73915a79ef3c67d9c9a719aac9
   28797b63a2d30623b5
   server_mac_key: 657ef04028a61b854c7a2964215c160d0ecbde0788934073d7c80
   15b30d84b82
   client_mac_key: c477f239d12bf21a0cd23599f4bc6f7dd047442f11352f2f0f10e
   a0823530752

C.32.4.  Output Values

   registration_request: 024ff8b8c3636b93127c0c5350c4d2e64b47c78837d6edd
   ece7dd67a260bde8085
   registration_response: 02b553b15de8c06a8a37dbd2c8a5f7887e6fbc566adc65
   b9c5bfd928b4ba84e07c0249b8ed908a9b67d5f5f2f409502ad1b0e08b5dda755c15c
   5e37937a9187772af
   registration_upload: 02148f47b6a57019ddb58b5f1feaeefccd9f5e979c1364f8
   9ada3ab1d4b3f8909805ec1d8daa73f13643575a6cd8eccf0e2fd83f24b8427308add
   4b947d56c37ef471701d52712c910049f9daf2852017e785ce123d9562769ea055496
   ac41c99793e65765a55bc0903531ed834e7c44744871638e818d7d770fd099a4e3c78
   d4d5a4119040126166f137ff8b788ac56bf24b7aa706c8e458b609954651dce60c9
   KE1: 027694e256efc51327333fba8ab1927b511c4152f93ddb0771370995407b4b25
   fefe61b550c07d1f74f56c99d9f5e7e74d0ca6eeeadd324d1f0076696f9e66a47e000
   968656c6c6f20626f6203eeb46969c8d3c0ff2160547e2ab719958b7e8686ca4d9b12
   f604883194bb90a1
   KE2: 03bf099eaf5dd6d79aefafe7d5d78e8861ef676bc0e2338161503dcd6f83cd7e
   8bb3fb4943667c6106d10803ead63c46128dc9f1737b61f3de206f0745f949f9990c1
   e77e6164e1e9d051f44973c41dfbc7ec25570cdd988cf5242abcb263cf555687ee9cd
   a65e3e32c5cbbaab8c67b1af9d8f6bf0b0b171906d07f451dee32f6127b3e0a396435
   25508e40a4dc2121982bedf331788180846513497a09e982cd26b789b1e12b17ddfd8
   91cd50a304a948ff5bd0cf206072bbc95c4191aa5bb417134eed2237b8fc1f9aea48e
   112847cdc4a3d9867b0c523bbec033adb968e5ac89803a05823236f8f28bd60569e51
   b83712e6371b7006059bb8542216c9b9ec73ae8a000faf8083bd50717813bae4ccb51
   bdcf6eb9e28b09e0cdc739d4761cbb643707b3d5ca413584252967410d53fa21cca53
   KE3: 2d7fd750fc7c745519ccda0a16739dcca6c0b7840249e842c1e88ee4725cc232
   export_key: fae999d5e1e9a1a4da3441f2350af64ac65d2c8d4eb478ff9d0d6e370
   ca1464f
   session_key: a927afa80f591e67c8682b085f569cae857f9aef025c6c5fb8528a05
   cf474ebe

Krawczyk, et al.         Expires 4 November 2021              [Page 170]
Internet-Draft                   OPAQUE                         May 2021

C.33.  OPAQUE-3DH Test Vector 33

C.33.1.  Configuration

   OPRF: 0004
   Hash: SHA512
   MHF: Identity
   KDF: HKDF-SHA512
   MAC: HMAC-SHA512
   EnvelopeMode: 02
   Group: P384_XMD:SHA-512_SSWU_RO_
   Nh: 64
   Npk: 49
   Nsk: 48
   Nm: 64
   Nx: 64
   Nok: 48

C.33.2.  Input Values

Krawczyk, et al.         Expires 4 November 2021              [Page 171]
Internet-Draft                   OPAQUE                         May 2021

   oprf_seed: beb10ac3b42697e6051e52a53d35efe2fc47ec41b073d12ce14498ca16
   2e51894adb660e8986bd7d688e5954e23024a6ea4cfcd7e29a289026df92c9cfcb3dd
   6
   credential_identifier: 31323334
   password: 436f7272656374486f72736542617474657279537461706c65
   envelope_nonce: 3eeab156aeafbfe321af3f9b0cc37599a4dae19e4efa1dd237b60
   3a156e7f989
   masking_nonce: e2d42a43bd2b6116c1a01bbf3b0f402b21b74215854da1ec99ddd9
   3fddd67bd2
   client_private_key: a052da1e7263802eb5ea90bc30ebd07510b7997e0563f04cd
   b0173a862ea1adfe5ebc2d261008f3dfe97647b8ae9d6d8
   server_private_key: 32a099b199f3eae54592db460c87aa23e9dc4f969294ee264
   5b5184d63c0e7f19fcbfb025d7dd9e32e4906883081c997
   server_public_key: 02094306eaa9c62c5a873fee4afdf81c91a91556be8286e7c8
   f5fadc077f810adb6bb760faf2e46f85cb0b7649ebdfc524
   client_info: 68656c6c6f20626f62
   server_info: 6772656574696e677320616c696365
   server_nonce: 293a21b2cd156f63b878ae387145e13dd2cc825a3ae7afb90b00529
   bb48e54a1
   client_nonce: d74391b27c45ed6d7474a131b4647492fbfa7aadf7a2c3ceec4b73b
   7f790f159
   server_keyshare: 0218bb6548593c38236dd6991a1c556a5cfa81be6c235891e5a0
   0cf4eef1bb3ab6d653e03abcfe1634908971d19b9959f7
   client_keyshare: 03f58c4669321d580f98b4b166fbccd6da300ef7c4f0fe19d557
   6d3debceb23e50b5405ac264c31691e4517154d993fbe1
   server_private_keyshare: ea4680672ef4148df846b9ad206a7dbe9494ec584139
   b85ec522c8e1524572ce5fc608d150037efb2f7a8940d9e7535f
   client_private_keyshare: 9f48d31a5dbdef09d8fbef92e6ead8f67fc2d6b4a976
   38ead320a94d15f2cf3d3f2dd9c2f64d068f4a2a6aace580d391
   blind_registration: 1cb9b5ceeaff77653d67f2a897fa9364f72142c751dc724db
   566bc1edc57dca409d1c2c7f5247c62530ba0d92b779aeb
   blind_login: b1cd2d3b0027787f8d37c70cf5cfac66388fc090290dd4a2ef28559b
   88a3654fd3ad4d159273ad92f8c9b0f154e87dd7
   oprf_key: 46d4111433f6dff59e4416c66c62a1b660c0417df102c47562cbeed2fc8
   e02bc0fff80d6e9731bccb2f65c16bbbf5a42

C.33.3.  Intermediate Values

Krawczyk, et al.         Expires 4 November 2021              [Page 172]
Internet-Draft                   OPAQUE                         May 2021

   client_public_key: 0215d10d7067b3567d5a7ae9317329da934296ce40fc0132f2
   2abd78a05172adde74d97f453b902fb2c454718c91fe403e
   auth_key: f5bae69be60e9fd74d576bcdba6b2decfdeeef3449e6e6e1e3a0a4ea7be
   cea2510a24f44c83cac8b95d233da18540d8c6b4c485d6809ff7a088be9bc41cb58dd
   randomized_pwd: 7a3de06fc6a8760d7b191e8c7276dc30c8759df3d3e6d62608f55
   a4c3136e5386e8aea6988faa18afc5eb2f8a9983887045a421df22b7f5bd25ea2c11f
   347584
   envelope: 3eeab156aeafbfe321af3f9b0cc37599a4dae19e4efa1dd237b603a156e
   7f989c022b97d98026dc42e5cd49846b0232d8bb3f47446e7545670149b07ad7711da
   9f23dad096b382ccd88f28b9baa8a8a8e8bea6db90ab9eed81fa9f54f8027b17951b1
   227dba04410074cf6de71b600f00828b43056652037c78a8248a678356dfaa984fddf
   99c3b021fda54808820518
   handshake_secret: adf7938f9464d6cdf6e40d67a0d3c67a875d491d693db48a843
   60fa5c7a20a5b5621f3a60381222cc85661e6c800d8d37cebdff6e5b74fccc07e8b2e
   ef8d127a
   handshake_encrypt_key: 2f06fc9f4cd70407dd6f1bb2f1c0789872d00622c154bb
   329a49e269459ebe6603029a18a386ce72a809717953a8410f4b484b6e02a7d5352b7
   3ba6f1cf461e4
   server_mac_key: 870c5a716263c7e815eb4ad1ac30b2301e173090f89f8bb54dac5
   9ffda4c487d5aa85e036469452635a4c6e0f677f6f36108256575b518912d2b9eafc4
   1255ae
   client_mac_key: 235dd0d8f601f4ba6251cc97858300a0af80eb6b9f2281b8a5212
   2a0220a3c687e909ec8384e16ac950d6ba7b72d6bba3686152ff6d5277c7a5a05ff6e
   5b6f45

C.33.4.  Output Values

Krawczyk, et al.         Expires 4 November 2021              [Page 173]
Internet-Draft                   OPAQUE                         May 2021

   registration_request: 032b5a44024063a5644913f145e01c5b787a77804a5ec25
   588320d5ecea9d524c1f9321b9ae76a6bc168b1f99e7305b9ec
   registration_response: 023980ddfefbc0d729af050999b1996e41c0a54816ff1a
   1b0b2823ead24de0a07a893cb8e62685a7173ac52caf85c821f802094306eaa9c62c5
   a873fee4afdf81c91a91556be8286e7c8f5fadc077f810adb6bb760faf2e46f85cb0b
   7649ebdfc524
   registration_upload: 0215d10d7067b3567d5a7ae9317329da934296ce40fc0132
   f22abd78a05172adde74d97f453b902fb2c454718c91fe403e0c46eb0f213ce4eb3b7
   3fdccf63cc47d6c93ca5a854f3c57f3b49142bc793638f49dacdf1bbf127abec2c0fa
   286b741192a7dc8a55f156c44da36fe41a25faf93eeab156aeafbfe321af3f9b0cc37
   599a4dae19e4efa1dd237b603a156e7f989c022b97d98026dc42e5cd49846b0232d8b
   b3f47446e7545670149b07ad7711da9f23dad096b382ccd88f28b9baa8a8a8e8bea6d
   b90ab9eed81fa9f54f8027b17951b1227dba04410074cf6de71b600f00828b4305665
   2037c78a8248a678356dfaa984fddf99c3b021fda54808820518
   KE1: 03cc36ccf48d3e8018af55ce86c309bf23f2789bac1bc8f6b4163fc107fbbc47
   b92184dbba18bc9b984f29c7730463fba9d74391b27c45ed6d7474a131b4647492fbf
   a7aadf7a2c3ceec4b73b7f790f159000968656c6c6f20626f6203f58c4669321d580f
   98b4b166fbccd6da300ef7c4f0fe19d5576d3debceb23e50b5405ac264c31691e4517
   154d993fbe1
   KE2: 02e611c63390d2dcb729d941be385aa6a7000aec51db33ce8a374dea4847e0a5
   c70f36b133acfd628ccc68d019712a574ce2d42a43bd2b6116c1a01bbf3b0f402b21b
   74215854da1ec99ddd93fddd67bd239da742d19ea722e5a99996cc70165bfc012d816
   bd51365c464bed0f7342a980b3f529be5aba66e682b376dc991e62f957c59e817c09f
   e0fbb54c9f7c31b675cf5b651441095e489480131eea0fe539b13435b1390633d57ef
   297a70ee3a9efc6602f55943669548231bcc7380176af93faa4636ec4b8d7be54448b
   91d50a1b45d8778b62880ae15f74f69a915ae9a43154e22169893241556319e4e8cbd
   801f4f386539ec6d9cb519aef5dc19cf793922c093a879d021a4aa863bc494d38b6ad
   1293a21b2cd156f63b878ae387145e13dd2cc825a3ae7afb90b00529bb48e54a10218
   bb6548593c38236dd6991a1c556a5cfa81be6c235891e5a00cf4eef1bb3ab6d653e03
   abcfe1634908971d19b9959f7000fc2caa91e5b33c2d942fb34f9b537f80a66be5426
   911c3457f51862cc247877e684ab8558d5569126753cbd79e109bb0277a511e1810c5
   f3d43039c77a5c0e57cd3d900eb3ef6b3a8ed718e5a1312e9
   KE3: afedae80de7270f58f14ce58b30de7ea476888e016ff0ebeb777e3d71778c362
   2b94c0398dc126025fa2500880415fba262cda14be92ce2f019af97561bd9098
   export_key: 78ccfdae5b3a53da59acca3948632f8a0fabe6e078ec0949bd1735f48
   e12147bffdac90a5c2136b0dbdeda8b223fc83401a40b1df2011f2aa58ffdea39c765
   e1
   session_key: 2f77adc009cefd0a839bd9fdbe00dfcb63124ac774cbbd7fdc4c788e
   c34f2de60ac0e5e99136ee9acb79360673d6eb9a74d85debff6cc1f09afa4f25669b1
   fea

C.34.  OPAQUE-3DH Test Vector 34

C.34.1.  Configuration

Krawczyk, et al.         Expires 4 November 2021              [Page 174]
Internet-Draft                   OPAQUE                         May 2021

   OPRF: 0004
   Hash: SHA512
   MHF: Identity
   KDF: HKDF-SHA512
   MAC: HMAC-SHA512
   EnvelopeMode: 02
   Group: P384_XMD:SHA-512_SSWU_RO_
   Nh: 64
   Npk: 49
   Nsk: 48
   Nm: 64
   Nx: 64
   Nok: 48

C.34.2.  Input Values

Krawczyk, et al.         Expires 4 November 2021              [Page 175]
Internet-Draft                   OPAQUE                         May 2021

   client_identity: 616c696365
   oprf_seed: 640f999af3686324f919a5b1dce195a1bdca03f6ec65647c5beea478fc
   ccf7a94d6217e8575dd70d97904a2e2592468ff70aad1a796f2161a9513d0c35455e1
   a
   credential_identifier: 31323334
   password: 436f7272656374486f72736542617474657279537461706c65
   envelope_nonce: 3d3a7e297878e15a21bbd0a04e9af8923fbaad2ae66244ba153c6
   5c16bd52d19
   masking_nonce: e37668d36ca5e43465081d1269c3263d5df4caf14e67dd032fb837
   28c3691cf8
   client_private_key: 194f9a720f11c3f0f1613cef116e218267201ce0aa4f4f55b
   68c5393aaa4101699ae3b0dfa984cb954913dea02087eab
   server_private_key: d650dcda20f27d7bf4673d820cbf71e498ec903e4b3959af8
   52f6d9edfa68f06f4d7ff89d5897912df4f9c633a6d925b
   server_public_key: 030278df9fe8759989883c2ef9047b2449abcdbe9f508aad83
   f227836ddda86b3dfe0aea33995cd76243a4319800bf8ff7
   client_info: 68656c6c6f20626f62
   server_info: 6772656574696e677320616c696365
   server_nonce: 815012d1a13337bebc5c63adb386376cc81351657d969edfe09e4d2
   048c72c45
   client_nonce: 12057fc0f4e3e52951458bc3a0b37d95a5ea0b5832712b169588eb8
   f29eabf73
   server_keyshare: 03ba3e99f4c2f39463fe214e7607ca3e9b1f6112d565d80bbdb3
   88f52437ec89f0da6b80279e10382bacc7cdab25a3a830
   client_keyshare: 02313f18385e0f0c3c88f3e60178a6727c9023e1044973eeb676
   b9a17a398424b1074d5e35246fc25be83028853dc22f1d
   server_private_keyshare: 418e3a79ede03e259ed68dcdfc20e12ba1dee7f0f3f1
   ca2fc4be708da7456b2d769111ae0ddc0a45eb159eb5dd3bf78d
   client_private_keyshare: 4de164be05c824711f0208bc191f1871f41f874af27b
   36b15b94b87abdb6bcfbb35769429178d602612cef394d6477f2
   blind_registration: f69c6179ddb976b981abec905a0bdb649e99e5441bc707cfe
   3c966a87b253bb94ee1be97f8d0e0f99e4862e483b7e00b
   blind_login: b71e35cbe26e4ab93794edaa2ea66295456005572a7096070f6b551f
   0032de9749f7c6675eec2432a64c88d99c56fe1f
   oprf_key: 17dd112310250b970793add4f66b282f6cfe897ef2b23c3ea329e211c00
   457358cdff5666d771243f6cf840de47579d3

C.34.3.  Intermediate Values

Krawczyk, et al.         Expires 4 November 2021              [Page 176]
Internet-Draft                   OPAQUE                         May 2021

   client_public_key: 02592ee25abd015bd1f2ab94e91e0c6ab9decc55ae84a6d1b0
   a881e04fd39eebd626f3bc5edd60555e18d62dc84d81ff59
   auth_key: 6125a9980f29e44cf4f11f8768f7b0a5d6ac48df20744706b74160224bc
   23aba90d5caeb2ad370af373dc19828671e72ee1d73df636712255fbfa2f6979c4e69
   randomized_pwd: d7abfb75209139cf2dcbf8f0e286ba6e8539e9213b21548cbef7c
   7bd23d351299fac735657da8388fd3769946591b5ac6c60ef1cb06e168ae647358db3
   d55a8d
   envelope: 3d3a7e297878e15a21bbd0a04e9af8923fbaad2ae66244ba153c65c16bd
   52d19f1b8c0c2819090ee52c8a27c2d95c8a39ea62a8f2a1c31f2f7b41390cc93c33b
   a44b16247d69c96080089d9ddb15dbbb3d77b7e64f4fcd5c906b2ecb03b7dd2aaf6b5
   e7e62507de037aae56f02b0baf69d2676bb6ae6e3cbd10ea7f2648c2ba826d999c618
   2e77c15c59cf6461d37099
   handshake_secret: 866d1c8338e9e512f12936ab6936a69e6701faa45e62ff6a9e6
   76133d4eed5062631068eae2e8ac24e1e5011df5fa02800719be864a66635a2986024
   a09a8d86
   handshake_encrypt_key: 177d3304ea30e45e0ae9c23805ed3ec253a734c06fc26a
   8e4769aebc0fafb813fc15743c7b1eca07fbc67094649b51c1478371cfa5b514a1f2e
   b96a5270338b0
   server_mac_key: d81ccff3ee63aa7e0c4338daf3d26287f434da478fd374988332f
   8a7ee9d93a57caaa7a8348b1fb5bd9c281af7758e903c43686c23a4de05d9022aff05
   ce7f5f
   client_mac_key: d00c50bf828bf23a3f0e8b95849d5bb52f5be0a7937f076d2f6b1
   e315c2d18ec856a079157f5bc286d9a06ab1f00fa8a9e44212e0763dc9ce1e0efd439
   f4879c

C.34.4.  Output Values

Krawczyk, et al.         Expires 4 November 2021              [Page 177]
Internet-Draft                   OPAQUE                         May 2021

   registration_request: 02bc8b8b2d8b96ba8f527f59dc0054349f0fbf4c7cda280
   480d643909db6a8dbd4bcb455cc374050d8cce29147fab0a020
   registration_response: 0221657ecbc73b1307b23125dc470f66ed99526833c17f
   39520fae6202a8e951a54334e19cf0514ede5fb784606039b3d8030278df9fe875998
   9883c2ef9047b2449abcdbe9f508aad83f227836ddda86b3dfe0aea33995cd76243a4
   319800bf8ff7
   registration_upload: 02592ee25abd015bd1f2ab94e91e0c6ab9decc55ae84a6d1
   b0a881e04fd39eebd626f3bc5edd60555e18d62dc84d81ff590593860a6e70bf7c24f
   842f664a51f866234f71a973ee8a5e50079d0ea1ddf46c043f53ca1b2908b3e1914c3
   a55427ba44b09256680d97bdb37745d2b4462bf33d3a7e297878e15a21bbd0a04e9af
   8923fbaad2ae66244ba153c65c16bd52d19f1b8c0c2819090ee52c8a27c2d95c8a39e
   a62a8f2a1c31f2f7b41390cc93c33ba44b16247d69c96080089d9ddb15dbbb3d77b7e
   64f4fcd5c906b2ecb03b7dd2aaf6b5e7e62507de037aae56f02b0baf69d2676bb6ae6
   e3cbd10ea7f2648c2ba826d999c6182e77c15c59cf6461d37099
   KE1: 0258fdc4ba750f504274ff4644f2f43a75759b77adb1817c8686340bb28059b2
   af91d82801b94bbcb8326cc2e046a4df5112057fc0f4e3e52951458bc3a0b37d95a5e
   a0b5832712b169588eb8f29eabf73000968656c6c6f20626f6202313f18385e0f0c3c
   88f3e60178a6727c9023e1044973eeb676b9a17a398424b1074d5e35246fc25be8302
   8853dc22f1d
   KE2: 036abecaa6e3d83acbc1fab89ea644b295e27db1483c252179ec6d7262c0df04
   bf25da68b0cec348229734bebe50a136a9e37668d36ca5e43465081d1269c3263d5df
   4caf14e67dd032fb83728c3691cf8c7d320d57547bac4a459e419072afb91e6b5d892
   e2af83d49e89df18e54503d1ec3e08daefbffbca02816e16829b54bcbb9aabc9a9553
   8f338c6f7f786ee846e09a5bbfb65533febab20a97cc3bb59632619bc24cee27bb3b9
   0cc424367b7cc823c1483b32f7b9f504ae2a976934100c9b8b7aeb86794eaf8653b86
   57e41580229ea1bbc8d4be53fe7d5b14939049dc34e31f4986433677a4f10ea332286
   96b1225b4f3f411b383e73f5913f140a89d53bbc9a6e9ba820136ec6a71e47d5f350b
   2815012d1a13337bebc5c63adb386376cc81351657d969edfe09e4d2048c72c4503ba
   3e99f4c2f39463fe214e7607ca3e9b1f6112d565d80bbdb388f52437ec89f0da6b802
   79e10382bacc7cdab25a3a830000f693f933fdebd5562530fe0ddb9f3fa7689b8d8ba
   bdbef59ea4be0950e1cdcd595101aed70aa60619caaa5c16bde228bdf7ab089ae40d1
   3313c99fcc667de70d5627151a7d13a5dc8009aec669d858b
   KE3: 5ee0b226dea45969a341bf68b5db2efa281e3af87a093fc33e3725a1e0f08929
   a0ebe4d1504ffcfad9e4435bb5f1b66b0cc3dfacd094630239fd4d9283c09e1d
   export_key: 60056150c995824db0ee2d19ce26c539e905732a63d4303ab0f2a6d59
   1f1eb223300142eb6dd9e03ab895b96b92451e4e3a1da0f588c10ffbc6a516deb6956
   0a
   session_key: 9af68830e6f83d7817d1d163a3b4e0345f1399273495596c309cfee4
   b2e6924365f6a611e01c1761299a35e0c99cffb298bd5b056a4b5bc027847765e8748
   c9f

C.35.  OPAQUE-3DH Test Vector 35

C.35.1.  Configuration

Krawczyk, et al.         Expires 4 November 2021              [Page 178]
Internet-Draft                   OPAQUE                         May 2021

   OPRF: 0004
   Hash: SHA512
   MHF: Identity
   KDF: HKDF-SHA512
   MAC: HMAC-SHA512
   EnvelopeMode: 02
   Group: P384_XMD:SHA-512_SSWU_RO_
   Nh: 64
   Npk: 49
   Nsk: 48
   Nm: 64
   Nx: 64
   Nok: 48

C.35.2.  Input Values

Krawczyk, et al.         Expires 4 November 2021              [Page 179]
Internet-Draft                   OPAQUE                         May 2021

   server_identity: 626f62
   oprf_seed: 8e252ab570f6b5c498ea83ee732c8dfb1862300010b6f78e5ce27c8b26
   f122c6240c0fcc25fd6f82899bb72605a60c047c44a22b75ef4aaff304f407eab3bf5
   9
   credential_identifier: 31323334
   password: 436f7272656374486f72736542617474657279537461706c65
   envelope_nonce: e1652155f9d7fb49b4075645a89c1c9986562a3f5598c3181fbf8
   7686f5a2e62
   masking_nonce: 14a2164d3310b595689981b58a47cdd52a8a7e5b6c5f7ea5327925
   046488a2c6
   client_private_key: fd62874455ee10870acb5cd728e1e21943e18c3afc1fc668e
   18c48250da37feea7768de6574b8b152dc64790a0fbd8ef
   server_private_key: 9364031f78d6cfc1aec5bed89c718d3c8ff87115ed1526fde
   d4495afe150eeeabc6195e48de31f2a5b24f798faea51fb
   server_public_key: 03b73b7125c1d9517a42d63bf21b0c3eeed2b4f76005f72478
   de3440dda2a2a580ef58077c145719505764689842231b65
   client_info: 68656c6c6f20626f62
   server_info: 6772656574696e677320616c696365
   server_nonce: 5aeb5b6767569fa0b0f2e9f532d950d57e93504daa86e7eb98c9914
   e11f84511
   client_nonce: 3c17162106541a7fa8a078a71dec020fb9f5c3c7c55eba13590023b
   477a3461d
   server_keyshare: 02bb887f84a3158bd1a95c26114059d1064a69dd87c8813ad1ab
   19b0cff29b48d0e945af14537ac16d8f4160bb027fdeae
   client_keyshare: 03f07983f1b0b62e778918e7b15aa899a5c5c9fce3af75c5a424
   e114f3c9bc539cb3b290c4c4705829c21e2185ab3eefcf
   server_private_keyshare: ca2d8735a3913f363a1f95b46cd40278b59de5c08b9e
   b5a845eb4a9d49d86edf2505a0b18bf6a4a8cd933a140349496d
   client_private_keyshare: 4ae162607c624388974273d4e1e77d96184bb50a0e39
   a863c7c69376f4571ba904d7c7db930f11f0789361e5e7db3327
   blind_registration: 43ecbe67abd4b7d730867cbd85f758e9921a8614816cbeb5c
   d80d0aaefbd98c6e6b26643af7d92581e62be316ad49bc3
   blind_login: 087dcfc60cb02473a6148e636c3e87edb4da112f01b7bb4ac4e13e81
   c6a757191c9256cc0c7282d7b27fb62a60b63756
   oprf_key: ccc3b06e0951d90ca1a650e46adff561370e3f0c63d30f166b4876daa95
   2a69d0fd6b9f6224a36d0742b434ee446634a

C.35.3.  Intermediate Values

Krawczyk, et al.         Expires 4 November 2021              [Page 180]
Internet-Draft                   OPAQUE                         May 2021

   client_public_key: 03f9f34e551fc2ca9b36f4c44dbe6189a22ae0bcfa6213ab18
   f3a4dc31ac55508e7fe05c28cf0734536fafb05c6eafdef0
   auth_key: 7a5ff225b2fa269726c3cb32bf7e90a5a5c6768e494108914a9d576c0c4
   b990a798f56b93453f5e675a479f7f1a91aa0f6dac7d913dadf05a87be39616d011ea
   randomized_pwd: 7191b7c8468b2f999d5a4dd05624f7a863059f281412c34fa0e78
   73ca64c8b57bf0bb928b0feb767dc0cc2a4f8e15413bb863d714ffd118166a1fe4407
   1ac9f6
   envelope: e1652155f9d7fb49b4075645a89c1c9986562a3f5598c3181fbf87686f5
   a2e622d9cdced2931217a953fe4c55ea97ebf09b511684241f2f70c3f865a597b7239
   1e71d3c7720a0ddc5afd082f00a4a1fda91712c5f359f225d40258b354bc8cce9a601
   1ae404a182515ae143ce297865f57ad42599c35cd45271ab6aefba5784abcebfe03cc
   c37859aeee8230f60c483c
   handshake_secret: c93dbd78345272018cb1dd8ee664b1d000643450391df67591e
   02a26ffdf5bd2ebf2c6a8aa29a2a1fbb8bee0b147197a46e2e4fc7e3da406c465ab1d
   7aad6168
   handshake_encrypt_key: b688efc53cfdf84a512fa517c65d9683ac35603fc152df
   6fc23edb9bde091ef22e8dd55696c783700ac683dc15574bcafdbc290357b54efccbc
   01b5b98eb7750
   server_mac_key: 5d5b968068d5602b64120c9e8f20b24e1ab0417784a713102d26c
   c08c51741f6b9bf71b8d70fa03bdbdfd1c73b349061e0c902cae424c07a91eb9cbacf
   dd20fd
   client_mac_key: 59b2567c186ef41c86892ce7b91a88b43253771bf930bf63342e8
   b14386c7a38aa688b5862034695db9a3465da0636816bd4f3242434ac8674d7e548d9
   5e54b6

C.35.4.  Output Values

Krawczyk, et al.         Expires 4 November 2021              [Page 181]
Internet-Draft                   OPAQUE                         May 2021

   registration_request: 03e0ffa19f9860931638c2a6a3fbcd8e0ec673cd39615a9
   d80959edda6fc8d269bfc206586f1a10b46a895f8f17e730174
   registration_response: 039397ace4ba63ee72514740cfc5d5009813c4ec52cd8d
   7e1f8fe502606aa07aa36c1694b4fbc11ec74b15aec94b611b2903b73b7125c1d9517
   a42d63bf21b0c3eeed2b4f76005f72478de3440dda2a2a580ef58077c145719505764
   689842231b65
   registration_upload: 03f9f34e551fc2ca9b36f4c44dbe6189a22ae0bcfa6213ab
   18f3a4dc31ac55508e7fe05c28cf0734536fafb05c6eafdef0b46168c87b26ff18533
   1659cc779b95a102b2c1c97a7a15047b4707cde0bf9a6a7246cb311e87502be15ba26
   bb98f94243d523e2013f5d98b0a3bd8277510f35e1652155f9d7fb49b4075645a89c1
   c9986562a3f5598c3181fbf87686f5a2e622d9cdced2931217a953fe4c55ea97ebf09
   b511684241f2f70c3f865a597b72391e71d3c7720a0ddc5afd082f00a4a1fda91712c
   5f359f225d40258b354bc8cce9a6011ae404a182515ae143ce297865f57ad42599c35
   cd45271ab6aefba5784abcebfe03ccc37859aeee8230f60c483c
   KE1: 027b40080d3b93d00403d4e7ce1944644d57cce6241c69181216ba7323afc9c6
   2054300441470c06aff071717754a2fd603c17162106541a7fa8a078a71dec020fb9f
   5c3c7c55eba13590023b477a3461d000968656c6c6f20626f6203f07983f1b0b62e77
   8918e7b15aa899a5c5c9fce3af75c5a424e114f3c9bc539cb3b290c4c4705829c21e2
   185ab3eefcf
   KE2: 029dab1f20e6a59e6234f17c1f2eed472fd81c30578cafee7f0ab2060b86e392
   a9309dd72b902392d70416bdf61f53952414a2164d3310b595689981b58a47cdd52a8
   a7e5b6c5f7ea5327925046488a2c6f9881e2b928048679dec8e164f50c9cd6b975377
   d1cb9b4f82c39de1cdc5143b41daf6c77f1a7afdb1bfc71ba1e71100ca3ff05f09062
   ece5f8b529ceeb30629e8e38cfb92d3bc1edba5c457d2a3e8d145fd72f343173bb8f1
   072113edb9f514dfb570969a7bf7b8afb827dbb750ee8d9bfd947e8c12ced4e0a37c5
   59f76037a346e6d42d840dd46c204021e48f8eaa51f3e62c16c32e5bb23c9092366e3
   f9472ea527d3c86edeae5b8920655c52f4bef5dd3b05ed9e78a9208504cfaecec68b5
   a5aeb5b6767569fa0b0f2e9f532d950d57e93504daa86e7eb98c9914e11f8451102bb
   887f84a3158bd1a95c26114059d1064a69dd87c8813ad1ab19b0cff29b48d0e945af1
   4537ac16d8f4160bb027fdeae000fa1a1ced50f1157c5b6a5acd3fc1a57bb2bcc270b
   abb06d28bb271e2224586bf00e9834b288aaea492804c47cbb536cb591709693074a4
   dcaec37b2142f3e72bb567d57f811243e07266526a5240836
   KE3: c0d6c30d020c3bca62a96d102c9d3779725c2b17020fc9299fac2ec288bb8a53
   d2abf77b8b69d288a7f4f37e39de4b578ec9668f5aca2c8d58f565519eeee219
   export_key: 110362dde3383750324ff0cfd36b278d01a047141ffeef775ea085a87
   644c14b0add828919cf8441629f90d00b3a6ed8f21303b9519f8550b919b8d1ed603b
   43
   session_key: be4ea315cb6a384b1c454e3d471401fbacb2972546b3608e3bb5b4d3
   dc71750bc48b09b996e7a2f9cc68641a1f63fb596ecd4267fde40b5d9e917ad891ef3
   465

C.36.  OPAQUE-3DH Test Vector 36

C.36.1.  Configuration

Krawczyk, et al.         Expires 4 November 2021              [Page 182]
Internet-Draft                   OPAQUE                         May 2021

   OPRF: 0004
   Hash: SHA512
   MHF: Identity
   KDF: HKDF-SHA512
   MAC: HMAC-SHA512
   EnvelopeMode: 02
   Group: P384_XMD:SHA-512_SSWU_RO_
   Nh: 64
   Npk: 49
   Nsk: 48
   Nm: 64
   Nx: 64
   Nok: 48

C.36.2.  Input Values

Krawczyk, et al.         Expires 4 November 2021              [Page 183]
Internet-Draft                   OPAQUE                         May 2021

   client_identity: 616c696365
   server_identity: 626f62
   oprf_seed: cdf705a27cad39d13fb419c1357dd1a03dc528b2838fd1221194d65955
   4c5e54adfce25be5c79f1a47ba8c991fe72ab43178385b069180dd6f58f644cca5cc8
   c
   credential_identifier: 31323334
   password: 436f7272656374486f72736542617474657279537461706c65
   envelope_nonce: f25e66ee00f3c599aa38144edc4ef9eb3fcae001ea928d9f37426
   310b3336e88
   masking_nonce: 01041eb8344ea0a627a97dee712e364c08ad4d8dc6562524dad344
   509e2520a1
   client_private_key: 4bbeadefc59f6beea6a2a9557781f5e37bb6ad6f76e66c82f
   37070b975ef988bee3486703e469e30348af71c1050d94a
   server_private_key: 8e510d60a068ab453634d9f74837185ea0d5483ac4f1dfd38
   2792f1299390d98ffcd4e956fc02fe35df273276b75bd2e
   server_public_key: 028beb3ce19f449deb6aa31eb19c661d4c4ba0fd08b4cc1e91
   416b0c5b5ae74de003a76d68ac4f59b64b954717c4d843ba
   client_info: 68656c6c6f20626f62
   server_info: 6772656574696e677320616c696365
   server_nonce: 372979bdfee525d1b0534f6377e9d1f17adcceb0b8430c1463d0e7f
   297d187ff
   client_nonce: 7b9317e5b3bff2aeaffbc337d0872f3e28780cee6f1d99f191d9170
   56afdb2c5
   server_keyshare: 036357745dab9026251b2bfb2ccd847536219da8e475cd1f2dc4
   842206a8452c720e3ee24c0abe77452903c64985b76a27
   client_keyshare: 02a39a8a45c68e977db2ff70778f0d34c28f7cf430ca1045d4c4
   8e6e749429f0f10b226c26cb0ab71bf2445f6b9ccb81cb
   server_private_keyshare: efbb63d13c3b79c8b75df372608ee07c6b51dce7c4aa
   f335e9d9c353cd09807924175d0014cc8055da3bb705ad8f3e4a
   client_private_keyshare: d7c5782b343f60ed63eb22730d7c8a2d3e9786b30da2
   f907359ff2db863e2796c0866f3257aca9fc06a029fb3921c93d
   blind_registration: da4e681eeb61cbcb455e0f0c71af34cda3415ec62af58fea7
   52ae033f75706f6b00936445c37439ea821d4b515d8f9aa
   blind_login: 701a9cfae365aded9dc31c1bf34648023fdb53b284f0101d6612f750
   6b1471b67bd1a8eb1183844268c128bb84aec1fb
   oprf_key: f2ba0f4b7a9294318dbc2587ba44688d0bad3c7a56901c8f839e7c15fb5
   e0170cb0ca01946f79a2a818c4956e277638a

C.36.3.  Intermediate Values

Krawczyk, et al.         Expires 4 November 2021              [Page 184]
Internet-Draft                   OPAQUE                         May 2021

   client_public_key: 024954440156358f8db7a32b042020404c7918cfd0003699aa
   1e783ba913f31f54abbde5bfa0cb6c26ca9aa90fce906040
   auth_key: 7507cead2b6d76ae3cb7f9b996329b43609fda2d0cd9bfb6b5eb8be695b
   5c39a8b78d4d4ac6195253bbd5db5104bac78a02520080b737f325d37dc91883fd625
   randomized_pwd: 22b18716fc52fe4cd68300851779be88ee4cad287627cbf688530
   38e2c441146201b2c9d16a8138efde88c5aef70524dac433d6bb367e99875a3d84ebb
   5cf451
   envelope: f25e66ee00f3c599aa38144edc4ef9eb3fcae001ea928d9f37426310b33
   36e88acfa8ce7d0a9a42fcf021e43b12ada8788ce532074d3e93c5970e0138607dfe0
   2135b1f825d9876f90d3c5381326e9dd2cd88dd456b5e162ec4a55ed1b9e4d7926710
   2f4e24beb39868b1c3b3444451971c7c04a17b668a2a7d2930d7f9c1ff8f37ae58938
   de7281ea1c5b6de2fa032b
   handshake_secret: 9ae241dd2e9a22abc2353f5642792c858dca178101a5812eefe
   be79d3c449b7e0a99bd1f793ef355d60a2f6192a1eb37f18236ff91b43162753718ed
   9ddb6128
   handshake_encrypt_key: e0c2ef835367b056a8f698a39f79b363f4f43fac371199
   76244fecf47cc9143f227d656798d7bbb03b062a38116902877e90d69029a871451b3
   a04a12492a5a4
   server_mac_key: 8671eb3b156eae0ab2858dda5bebae296b32d5a5db5b0ee7f5b98
   9d6e37e354202cd6b85ad65a8f6c2ff8e7fef0ae999fdae8e2e858461cd930bff1e67
   cc5f8f
   client_mac_key: 7b46531121397cd3104b08356019ffa4f4982fe2c40d5d025845c
   877bc763bc111471931f1a6d0a87f83a3afa6e449d17c4a4b63dfa164fa34e6cd4e68
   23eb43

C.36.4.  Output Values

Krawczyk, et al.         Expires 4 November 2021              [Page 185]
Internet-Draft                   OPAQUE                         May 2021

   registration_request: 03a2e55f8d839d6b162d179f9b4f886337188f731db9ffe
   0ac206b54096e6a9a8f30785c33d207ece91c4fb97530fd491d
   registration_response: 0337b5fa736ebc11eee695b3170d795ee7e7a880f9b4d6
   926f5398188c15c8abe811a72c745e7ea31664564b83d277b0b2028beb3ce19f449de
   b6aa31eb19c661d4c4ba0fd08b4cc1e91416b0c5b5ae74de003a76d68ac4f59b64b95
   4717c4d843ba
   registration_upload: 024954440156358f8db7a32b042020404c7918cfd0003699
   aa1e783ba913f31f54abbde5bfa0cb6c26ca9aa90fce90604000d376a8a86206ec69f
   11f6156104f0c388271ebb6e288c3237e79547be0c81b697c63acd30baf0bd0e2c36f
   14230cee83ebcbf1128f74619add17e123d1e822f25e66ee00f3c599aa38144edc4ef
   9eb3fcae001ea928d9f37426310b3336e88acfa8ce7d0a9a42fcf021e43b12ada8788
   ce532074d3e93c5970e0138607dfe02135b1f825d9876f90d3c5381326e9dd2cd88dd
   456b5e162ec4a55ed1b9e4d79267102f4e24beb39868b1c3b3444451971c7c04a17b6
   68a2a7d2930d7f9c1ff8f37ae58938de7281ea1c5b6de2fa032b
   KE1: 031b4f459c984d8a56589785181e03b93108602ccb92ef3e247651d9a9e72d36
   0a93afc86dd79490fa621685779408ba327b9317e5b3bff2aeaffbc337d0872f3e287
   80cee6f1d99f191d917056afdb2c5000968656c6c6f20626f6202a39a8a45c68e977d
   b2ff70778f0d34c28f7cf430ca1045d4c48e6e749429f0f10b226c26cb0ab71bf2445
   f6b9ccb81cb
   KE2: 03378f329bf4531c7448e2b3bca2c2beacaa2967b8dac6332bb96b9bd80c843d
   1e34c88f7927bfc21750c7367d0bd39f4a01041eb8344ea0a627a97dee712e364c08a
   d4d8dc6562524dad344509e2520a13f41f07c3a6f2c51b6ba614ac8a2e79eb142a8c7
   dd1d8930b7325e43fbf0e1001d13841f3a223456cb8b634b0eb24bc1ab8b636efa5df
   bf029b98f213593b770d80a26ff4034e300b35a5d61079bb180dde5cfb5aac3fdec59
   9d5b7263388a478ac0300767c7e15e6efa6c32559f9c96fb815d87c86192055b76da1
   01aeee332683bb404b44e64042586b843fde1140919d0f448b0f776d6132761a0d106
   2aeeae8862933f95991d3b81819235017832d306b3fb94ed5a36146321b26ee4ef40a
   c372979bdfee525d1b0534f6377e9d1f17adcceb0b8430c1463d0e7f297d187ff0363
   57745dab9026251b2bfb2ccd847536219da8e475cd1f2dc4842206a8452c720e3ee24
   c0abe77452903c64985b76a27000fe2f83feb675429bfff4f855ee99f043e67752fcd
   6c87d1b5f194baa75be19ecb868576ff8dde0cf70f3a72e77b0f134ab881167f8ad8f
   040b08cfb1ddbd3a08f88fca6fbf404a78b1727484154417b
   KE3: 26aa67e26763bea08dd41ca4bbd5a380eeed2c460b16fee171582e9e5a173608
   75f40626a15f4043a9c254268714f453da6a70e1fb620bbb24b9de1fb6b6845b
   export_key: dd200510aef3a243f4428aa5cabe380d27a8b8dd20a88c3292534a51b
   a06c6af5d9de9d43b54396ca9ad9c563bcb3ac0487ca302a59d4ee339de3d45b436e9
   65
   session_key: 60f3b8b89b5a6c3040053b3b43a7d41ca015596af8a635f9b83b56ec
   81b4fb82698ee28a07256edde2cbb6a4877c0079f572809165a09810cdd3aad1f728c
   7c0

C.37.  OPAQUE-3DH Test Vector 37

C.37.1.  Configuration

Krawczyk, et al.         Expires 4 November 2021              [Page 186]
Internet-Draft                   OPAQUE                         May 2021

   OPRF: 0005
   Hash: SHA512
   MHF: Identity
   KDF: HKDF-SHA512
   MAC: HMAC-SHA512
   EnvelopeMode: 02
   Group: P521_XMD:SHA-512_SSWU_RO_
   Nh: 64
   Npk: 67
   Nsk: 66
   Nm: 64
   Nx: 64
   Nok: 66

C.37.2.  Input Values

Krawczyk, et al.         Expires 4 November 2021              [Page 187]
Internet-Draft                   OPAQUE                         May 2021

   oprf_seed: 66273da68a367439446a81c9102dc59538e18853d39fca38096d8f1f2e
   0dea70a894a0146efcf6df476cd0847ccbd0af4efa8e1713c61c7536318321cfb94ec
   4
   credential_identifier: 31323334
   password: 436f7272656374486f72736542617474657279537461706c65
   envelope_nonce: 0262a7e6fd5d77b0b04c5ef1ed302c4bab0b4818e9b3fefcc6886
   ee6dcb35923
   masking_nonce: ce3f6fdd39eec1869f23eda9f9c16229d4ae07618d47b48d6b7fe0
   205c8f292a
   client_private_key: 01e4eb0ddc00ee9c2e21a17727dd82145f8d42ce298b1b66f
   34284b8c5f884619f8ff53ea8f950ef4306d01fe5610b278f19d0acc0e752f86eb4b5
   3eb5acffbd5e7c
   server_private_key: 0180674b4b34953199004d4c6ab21b6667721b3ce89a5f440
   f7f2b6ff1e3748041e66ebdcb789e3bbe63ce391c04598cab4ee6b5ea710911272f2a
   8ff2de75057d81
   server_public_key: 03018fc6a77bc4127886d67871c03462740fc4d6fe66dc2226
   365e994f8392a0b4c43cd6e67ce90ad594cb63c146011dc56b213bd42ef677cb6a5f0
   1d0bd9944a9161a
   client_info: 68656c6c6f20626f62
   server_info: 6772656574696e677320616c696365
   server_nonce: 74256da53ee823c1cf83f3ce4bdadf2e5785766a62a1b301bccdf50
   1c79dda23
   client_nonce: 62ae28bb5390b267e4663d10960997362214446de4f323ff806b365
   3a1b6dd1a
   server_keyshare: 0301ff9a97a3a4733b144d38330209bcea5a6401eb4e08e0697a
   c4dcb8369e20d76d32c34b619c424d643dc47bd680c0ef665404643d2961ad051a792
   0c318ecd948f0
   client_keyshare: 030080bf524d28ba64b134c0bd0c860c8b1f976e55d94eb35d42
   aa0cae1935a185c9f7c517875877aac4aa4e909dd5f25cc6ccfe125d031dcfe024597
   af1f7bfb5ed89
   server_private_keyshare: 01963f6398d6481485f24f7ca088d1bb75216f8de622
   9572036ef4b8eec58c7856203ad458e0422acb38d481a4231e1507ee52958825e18ca
   ee20f50b2ac1d4e9719
   client_private_keyshare: 00e0d68f7382c7400deea8c1ebff0e76870bc490f1ba
   271a357887901a9c3be411b68d57be69b7b9c27b352ae86d42a5cfdbbf15984b35a67
   33ede918146c06e2a0f
   blind_registration: 000de48e5ce653decb9dacdec7bc0aea97cc85749b792cc26
   1c551bf7e26c34d252d034137c4fa435e4ee55bb53a5ce21384293834fc48a93c97e4
   31b60d5f22aab2
   blind_login: 00933d069bf9f5ac0439cb60de65fbe75c0096db58b875f19390d61c
   1e3a6d240c943f951b5b3fd7eedb2b9861f5cd3642ad0fa46b92b65fa5e3fe2999e32
   cd1822e
   oprf_key: 009a077112d891176b71738e4a577fff40c9ccf217daa81ffab5dccb171
   652a6b354699f7a004ded89e1eb011d86cbda59d424ba20823680daa9a8b10629f7a5
   c182

C.37.3.  Intermediate Values

Krawczyk, et al.         Expires 4 November 2021              [Page 188]
Internet-Draft                   OPAQUE                         May 2021

   client_public_key: 0201d6bd681715e3d330475e72471c1218aa718d96be735325
   1c9564f7be3a506b77361670f9a05f1e9bd648751b8494f78c4f1c788951efbf1831f
   811d49d120a8d45
   auth_key: 1092eb1d54fd516d81d887a37bd0e00df4c6f588b95848141748a49ec9f
   85ae3a1b74671d585986771fa5aca0bc9860d9b8290dfd747343812de66a00dfc180b
   randomized_pwd: ff857dd0c19fb58de8eaea7ed405ac104d5dfcf89257c60c57075
   58c820cad77c54b50bab383d7477c8c2a1abe171105f67c1e795d97d6f217855979df
   6100b3
   envelope: 0262a7e6fd5d77b0b04c5ef1ed302c4bab0b4818e9b3fefcc6886ee6dcb
   35923b74db084f802cbea5fa213c4a03eb660bb35ab03b7c0f8902b25e66c23b85335
   2de5f38981bbd80a6347e4e4b231846c1515c9a1605139a129f37a1007d1b4309e4b7
   b718d194f035908f1307f8c2c9619437ef672c9bc01f3cd9e4335bfb67e5f973ddcaa
   a7881f4a5dce93f854940099b133b223b7acad9a64987529bafe3ed698
   handshake_secret: b77e928c3376e7ce958062997c7c4ce1415adc6b15e9a3a7141
   58e69f72e521d3002a937841834e78122dfac526674e11bb16d2acbca9fa1f665c23a
   61c4f013
   handshake_encrypt_key: c41bbb3c0bfb65e53aecce4b206d19706fbf440cd877e1
   6e6aa6c5d11ed11cd8c19ab457a13118029053eb3423b634a8ed818614db7245d065c
   696a95cd1808a
   server_mac_key: d1840c0cf16e7b246890d123a51614f53a49f64bef55f915459c0
   d937987f4cf9888b4cd6f4dbd9ab92ed443aa2c5a27d513488338813e488d77a7a334
   832fcd
   client_mac_key: e76dbcd14d22cc30ec2ff91c4a272abe3c90d9afb66c086caa696
   7fe351452660f48c8fda7ce4b46daffc71dfbafc0e75b1209e50897543a7acd0a1222
   62d37a

C.37.4.  Output Values

Krawczyk, et al.         Expires 4 November 2021              [Page 189]
Internet-Draft                   OPAQUE                         May 2021

   registration_request: 02015d0cf2aa22e0448949416bb4b3c246429439d4cee47
   a52b3b9874aaf727dbde7f34b5112e91e97e1d98c9cb0fb58e015721456160aadd16a
   d4f9a9ef2fa3d0ad8e
   registration_response: 02019b6376e69e60d1da3d7aca82faaf34bec65c155ad7
   cd232007f118bb83178ef81fdda7ee2c85f14c1a24bf786362db41cf019d2a1ed4dbc
   1b64c273388d9eb45c103018fc6a77bc4127886d67871c03462740fc4d6fe66dc2226
   365e994f8392a0b4c43cd6e67ce90ad594cb63c146011dc56b213bd42ef677cb6a5f0
   1d0bd9944a9161a
   registration_upload: 0201d6bd681715e3d330475e72471c1218aa718d96be7353
   251c9564f7be3a506b77361670f9a05f1e9bd648751b8494f78c4f1c788951efbf183
   1f811d49d120a8d4550f57da81a52148659beadc46eb4a7e742d53a1aadab386929a9
   c5168ab982a8108f7c316bea8a3bc9b919770b17934f0a3ffc6e503b9b95898f5862e
   d9be3ab0262a7e6fd5d77b0b04c5ef1ed302c4bab0b4818e9b3fefcc6886ee6dcb359
   23b74db084f802cbea5fa213c4a03eb660bb35ab03b7c0f8902b25e66c23b853352de
   5f38981bbd80a6347e4e4b231846c1515c9a1605139a129f37a1007d1b4309e4b7b71
   8d194f035908f1307f8c2c9619437ef672c9bc01f3cd9e4335bfb67e5f973ddcaaa78
   81f4a5dce93f854940099b133b223b7acad9a64987529bafe3ed698
   KE1: 0200c3bce8c2c7da1856b486576082a136f031304eeba82c3e582d920469621b
   9657d018aabad67dd15d32492f0155ec944d11593c079c64c5d19088a72cddb12baaa
   462ae28bb5390b267e4663d10960997362214446de4f323ff806b3653a1b6dd1a0009
   68656c6c6f20626f62030080bf524d28ba64b134c0bd0c860c8b1f976e55d94eb35d4
   2aa0cae1935a185c9f7c517875877aac4aa4e909dd5f25cc6ccfe125d031dcfe02459
   7af1f7bfb5ed89
   KE2: 03001268a7de1c5203c0dc088b56fd06119acb2edb79ff5539bde0fe4a057a5c
   53e20d71eec6973f996583aa9c4f3f4c5c0e136145c9c84f2f5db934f6c4bfc32ea49
   ace3f6fdd39eec1869f23eda9f9c16229d4ae07618d47b48d6b7fe0205c8f292aab7e
   96d72577ccd82bfbeb1051127cce8f6dd6d6ab49bda83effc19a614c2b9304447c78a
   88597c3d25ab201331e348fc130689cd8f3830132bc99f16300e8a012b70f159fa065
   6c18b5677e508caeca6900cd827beb7e533be71b8ea42d9b42dcb68c470f0418b88d8
   3c1cef9dc4e2a4fdebae420dfe6f1491a378b07476f22dc79d02a2661f2927f3c7e10
   77e6f138ea164e5ab5759393dc193b918b43aa01b2a2c9ca463a986cc869b572950ff
   f36740a723ed2630e154c49a306c1d0e94377d41773dea8ec8d849f8ec16cf5757277
   58306250f4bfeed1cd92500e50c08ad5a6844d0374256da53ee823c1cf83f3ce4bdad
   f2e5785766a62a1b301bccdf501c79dda230301ff9a97a3a4733b144d38330209bcea
   5a6401eb4e08e0697ac4dcb8369e20d76d32c34b619c424d643dc47bd680c0ef66540
   4643d2961ad051a7920c318ecd948f0000f14a99b8e58944d0f7cdf6392bf6d69642b
   515f3559d4f2d5eb523ceaf9289b43ee67d96edfb99a24412b5e150aa51e017509d22
   d2f90226b58f3daf3c9ab0aaad9ded6e4a1a2055edc11ef0939a501
   KE3: df34eb9095fc7d4e6fd067a9b8a885675b07d5c1d061ead5fa0978e7cd60c1af
   665a1205a29a4d167d33759e45d7d561bcb67d3bfb60572f861f70f26e7c3f79
   export_key: db55c71638fd194a740842ea1902313bb11225a6c90c15dc1474622fe
   97d9e36cdb35673bb5b9b3f51f71db369bb20f9d492e6d4ee6806990058c40fe4cb20
   51
   session_key: 713e0b4accd1a906d4d81521e279eb2cd908feacc29beec58eb9c9c6
   baf487b0b6f8dc5681aca449435e9686ae25678990a0c2652471dadc0c0570b6a2de5
   7e1

Krawczyk, et al.         Expires 4 November 2021              [Page 190]
Internet-Draft                   OPAQUE                         May 2021

C.38.  OPAQUE-3DH Test Vector 38

C.38.1.  Configuration

   OPRF: 0005
   Hash: SHA512
   MHF: Identity
   KDF: HKDF-SHA512
   MAC: HMAC-SHA512
   EnvelopeMode: 02
   Group: P521_XMD:SHA-512_SSWU_RO_
   Nh: 64
   Npk: 67
   Nsk: 66
   Nm: 64
   Nx: 64
   Nok: 66

C.38.2.  Input Values

Krawczyk, et al.         Expires 4 November 2021              [Page 191]
Internet-Draft                   OPAQUE                         May 2021

   client_identity: 616c696365
   oprf_seed: e118ca0800d385798e78f2830f95008dadd82a04cf98cc970e40f509e3
   efe6f58283b13638643fc0b81d865b5d6a8b00f1c6f2c58ceb340229a79deee88ef6c
   f
   credential_identifier: 31323334
   password: 436f7272656374486f72736542617474657279537461706c65
   envelope_nonce: f7103f1060ae779631da2a2ca29f7876b823836a3551f29480588
   0396baabd6e
   masking_nonce: 78970b409b43b2dd60c174fd9acc783cc73d62be52f5252165f597
   689fca9daa
   client_private_key: 01dbf86c586f691ca14b9ab40d70a9e5c73c0b8c027fb639c
   9affddf316a4f24a457b33e0273c41c71c5ca880a54ed88d6eb7176277593cbb29d44
   bb9daf835f3133
   server_private_key: 015d65d73dfd2c51951ac649bb19095f1d02a822b02e5a86b
   ae37e79a3ac7d05f1d1a02f58c3cc57af7318bd8c3aef01e27f343d5f8aa5197e80d7
   2ed5ceacb845a9
   server_public_key: 0200e85b446310593c25258991eeb8da130df718df2efeee93
   29b6d6c7a3906749464ffb90f8e43122192f8e77b9f04f708aa5f9ecca9cbeab701f4
   9929d82395d9928
   client_info: 68656c6c6f20626f62
   server_info: 6772656574696e677320616c696365
   server_nonce: 5f3134280d4b9b4b2bb8132f57ad1eb53c2b7b558e2de883f3b4b92
   c1744bdac
   client_nonce: c92ec3f315ee9acf4c8224b97991aef4bc413f0e63e3a18980a0380
   123fa1241
   server_keyshare: 0300ffcefd89e8ee736b4e6149934a1040b8691ba4bc58b160d8
   c526e73cb99d7c45ce09264ae268a5afd07c1a3db59c5feb9203ecffc694a41b1138d
   eb9a11d6fecbd
   client_keyshare: 03001f619d901664fc0a4916b616bf340eafded4dec3c9af08a7
   d89f9442bf41048a8824f22d5ce906558f99250ba96a112c5ccf2ff02e062cf9158df
   bd1abc4a48e92
   server_private_keyshare: 0114c08e5500caa1ef91b2c4c242d628edc59e6b9f42
   a97767c678c27ead0f9fc3bc1a20f078365ae8e7c313e612cd9f648be2bd0084e1416
   a7c8277fb5c7c832749
   client_private_keyshare: 00166500743a98b5bb899e595d818845bd0d927fe4f1
   e28d0b87d7ac285fc0e432dd1a20ede64a560bce514ccf868c41a759b6d24d47856bf
   ae0cd231ee605249991
   blind_registration: 000b01864a7e1e45075a976e1d797dc58bbb07ff85aa36e8f
   c57f1dbe4de36c40141c93b2bb304e7718ebcd7bd9978981955e4d6b6addb9cc52a45
   04ca40584d5ec0
   blind_login: 01d230b755d2262f548f495004d64322b827dcd30baa2d3960769310
   cb55be07bbe2b70eb67bc27a11714cc90e5296b68e7e316be4c1d9b09393deb3e724c
   349b971
   oprf_key: 00cda4e8e3a42a1a3d1fd6e8742bc2b3ac008970a238dd5b464349a1d35
   07bf006e95578ecfd411cbf68b547a15517570795515a23c3ed0846d227b329bd4e29
   f02e

Krawczyk, et al.         Expires 4 November 2021              [Page 192]
Internet-Draft                   OPAQUE                         May 2021

C.38.3.  Intermediate Values

   client_public_key: 0301347c5fb96ce61b57ab45d42005522f77483664bd260ec7
   f6a0c6bf4e7b9f2a6c873193d8ee75f62ba7d4b36d93cda144fd99dae7422a31a8290
   cee86e55fe23462
   auth_key: 8ce329e79dd2e249507917ed33cea41f99b79939889f16fc9b98dc891a6
   e9b331c111bef6b1532642f4871839dcaf0ac1574854e4f3eeb0adc20a7a21f7c3ab3
   randomized_pwd: 2827e964b768a1c12bdd09b7369c220613bf82f9fa224c37a4912
   19e29aaf3cfe912ab0b4de925ea3bcd3562d4d0f19966a89a0442c571b867f3d960f7
   b74508
   envelope: f7103f1060ae779631da2a2ca29f7876b823836a3551f294805880396ba
   abd6e95dfb01c73ef18e272ee824814cb5a029c4dbbbcabb9afff9ee2d600f8202e0e
   43ef0a98c36c3d3acd9545ac06523819641c8134135708d8bebe63fc2996040115351
   1824d8819532b65268b1ad954afa1ff546f9e914258dedee38aae971d31acd8828125
   646b74a0a01d524a19defb11c1679c2506ab3e922528aa004467815fc7
   handshake_secret: bafd0fd64f9b41de2f660a7f48faf0af91293169ea1f68f782f
   6d29c1487d3ea5d24e19b79ccf95c4c6cb7b0a77d9b6fff80cd7aeffd7b03e8af2f89
   dc02783f
   handshake_encrypt_key: b173d0b996d68bca28bdeb03dc5ef4cb3ab3462ee6023a
   8e4aad0bca6f38a7e7d4d82832da13d9eaec316320f92204f8fa65f7ff934f4265498
   540a209c9dd49
   server_mac_key: de912aa4a249015304eb26a0e50bb9a4d464e43cb86e8e787e9ec
   a370a980abb8b4158c27edbcdb5ec82b4039518604dedc842e04cd8d2628efce51fa7
   0b5f5e
   client_mac_key: 0150d70801143bee3c7e3f452fd1b69c60eeb6351cfd2996c7806
   0a26361c6efacfb4989331b443e1f4030daf5a6352cf9dddbc582c4359cdbf4c3387d
   1bff9a

C.38.4.  Output Values

Krawczyk, et al.         Expires 4 November 2021              [Page 193]
Internet-Draft                   OPAQUE                         May 2021

   registration_request: 0200572541736c54fb88d0f50d1080d98cc390cec131e56
   c5e3d038122c6655d23defe37f0946f3d3b5dcf73545a6df6277e20f9b377591bd443
   034fdf53d008028969
   registration_response: 020075a39ff76f444258cbb875db3ee78db1bdb809885f
   f7675d40b608820a9446483a596fe7e9368e0c031fbe47a2a05d687637adb2effefd2
   4ccb13648414553e4310200e85b446310593c25258991eeb8da130df718df2efeee93
   29b6d6c7a3906749464ffb90f8e43122192f8e77b9f04f708aa5f9ecca9cbeab701f4
   9929d82395d9928
   registration_upload: 0301347c5fb96ce61b57ab45d42005522f77483664bd260e
   c7f6a0c6bf4e7b9f2a6c873193d8ee75f62ba7d4b36d93cda144fd99dae7422a31a82
   90cee86e55fe23462aa44090453c6efc9691b184a31fd890f8e564f14a27db513609f
   2b81f15c2479a29caf2498a3415022ddb6649f82e4c08a2e96642a808dd08c4ca6ea9
   cc9ac61f7103f1060ae779631da2a2ca29f7876b823836a3551f294805880396baabd
   6e95dfb01c73ef18e272ee824814cb5a029c4dbbbcabb9afff9ee2d600f8202e0e43e
   f0a98c36c3d3acd9545ac06523819641c8134135708d8bebe63fc2996040115351182
   4d8819532b65268b1ad954afa1ff546f9e914258dedee38aae971d31acd8828125646
   b74a0a01d524a19defb11c1679c2506ab3e922528aa004467815fc7
   KE1: 0201147f07392ddb5ab846130ce65a4c16d1eb26735fec1de7716b2c8bc935ad
   1c65ebc30a6449adb8504b41fe61b9634a1ac3e429e03db700e6e6f852469e8e83bec
   4c92ec3f315ee9acf4c8224b97991aef4bc413f0e63e3a18980a0380123fa12410009
   68656c6c6f20626f6203001f619d901664fc0a4916b616bf340eafded4dec3c9af08a
   7d89f9442bf41048a8824f22d5ce906558f99250ba96a112c5ccf2ff02e062cf9158d
   fbd1abc4a48e92
   KE2: 0200a8894e451ac2fcaf5504adce52cb1e6a4d302f105df23878c3b897e5b0b8
   ac0f4a4978288dbe6ee92efe0d87b1d5bd2249873fa48c4f79eff423632223bbe025f
   278970b409b43b2dd60c174fd9acc783cc73d62be52f5252165f597689fca9daa8a12
   b244e728a2dd390529b7e8ec312f77f671ee88f932cfb9a1a9dbd425b5070afbb72b9
   e9f0ddd97d4102853ac935a684591b3733cc37ec5b21aeff9c9a0b66a8bae4334d602
   91a06755b44c794d5de4dde803f5782c991b42679007a4b5a9dd02ac65b1fe2b33794
   641a7deaea6b605caecae7c1a65050b73825aeba2ce9d1a4085e603ec5bb240574143
   87d274492cacf3e47af05fe7ddab84dc64dac6ca9cfb4d8da216d6bdb887b24500676
   ec53d171232360c17ff81407d6c7ac48f2768c8ca4b5a5ec36c09e5ed18b31124c000
   404d3981952ffee21a76ee798e34805ebe9315175f3134280d4b9b4b2bb8132f57ad1
   eb53c2b7b558e2de883f3b4b92c1744bdac0300ffcefd89e8ee736b4e6149934a1040
   b8691ba4bc58b160d8c526e73cb99d7c45ce09264ae268a5afd07c1a3db59c5feb920
   3ecffc694a41b1138deb9a11d6fecbd000f2433ed6462cf9384da1fb0a6a988cd14a2
   0830bceb61ddbc37e1ff3ca50d69ee1bc5d769e0cf69aa30665587f74e985b304f5c9
   d6440c31cacc81c9cdb077d56c35c4b38c5b07151ab79e1c9cfa59c
   KE3: 20d38ebbc756b7ec1b6cd5ba62a9717fb04119a42c54ccf0a4ed86e831c5ff62
   f4a2c7aca9d9b1d87d1c191dfec74efb61602c4011959dd04aa23c83f0265858
   export_key: 2a0e9c9083941677c7147e86af79ef365cb23579d7719b1fe336ac750
   cd0a059ce946a6091978f326eb7ed57fadfab69db86e228232697486c2f7c9b65db87
   fc
   session_key: 8951727a6a070813459bfc2f9820e955e02a5315524d6d228a2dc28e
   8a9b66b1a9dec50f48a499979194f1522c3a0dd505e9c85b6e16bddb533722f9f49a9
   3bf

Krawczyk, et al.         Expires 4 November 2021              [Page 194]
Internet-Draft                   OPAQUE                         May 2021

C.39.  OPAQUE-3DH Test Vector 39

C.39.1.  Configuration

   OPRF: 0005
   Hash: SHA512
   MHF: Identity
   KDF: HKDF-SHA512
   MAC: HMAC-SHA512
   EnvelopeMode: 02
   Group: P521_XMD:SHA-512_SSWU_RO_
   Nh: 64
   Npk: 67
   Nsk: 66
   Nm: 64
   Nx: 64
   Nok: 66

C.39.2.  Input Values

Krawczyk, et al.         Expires 4 November 2021              [Page 195]
Internet-Draft                   OPAQUE                         May 2021

   server_identity: 626f62
   oprf_seed: e4033259ef1ace9df3f85dce94677e67ada095af242eb4801840e4399c
   544f6b1220fba7db31caf6664b5156ce39bc7c0e416f5cb725454fc7417779a6b13d7
   4
   credential_identifier: 31323334
   password: 436f7272656374486f72736542617474657279537461706c65
   envelope_nonce: b40d2f90448536e7fd0cca3823f6c686d328a5be128de587d483c
   682eeb327c3
   masking_nonce: fdc5df65f9471bc9e684e36cc2a77b845de2f61917dbc0bd944b23
   ac501fb242
   client_private_key: 01aa0739d3c390e0df1d6a83419001361e6494e0958c6268e
   9a64bc44109b2f8e1784d38719b913380fff07f6d1fe601f5560987bb2828a484cf42
   b97e93965448d3
   server_private_key: 00ac7137ef41e45bd9f1cf40ea91380647ac28462ad98e22b
   5326fc0adc6757c67e0fdfb9fb3141a5595e168f85adb13e86ecbd0e8af169868d1c9
   4aeadca2d95be0
   server_public_key: 0201a6573b69f46bf93cb3f18e2510c753f689097b7b96059c
   3ca8f8e45c66a03b694fd8618c9a52c4104ca42186438849e73613cb25fbd4ecc16c5
   a65f95345686984
   client_info: 68656c6c6f20626f62
   server_info: 6772656574696e677320616c696365
   server_nonce: fce0d7665ebb10c9620d750061f7e4696d172dc739650c7e723e893
   236389b30
   client_nonce: 0dd58467372e1363bed48bf972bffdee3a2f2b4b323c83feeb59f3f
   ca09f40a6
   server_keyshare: 030029562d54d53c7c51651334989bcc95b45a1a07484448ef72
   bab708b55322b49a43736afc60bf85fc05d3c1d8b60a0b55a83e37befa115e9625e00
   f35c1eeae27ba
   client_keyshare: 0201e2f40c1d877219e9512862469e31da268ab014fdce9cb3f9
   ed6b27fc01fe6d9b1ec37c6cee76131139ccc3eee0a35438250e9ecaff6cf223ad9fa
   469dfaaa0f0a5
   server_private_keyshare: 00dcc0dafbe3cd1ab45d51d228ce608b3ce3ef8f0c54
   3bb26ae91e9fce8497136b9a3da744973ce025f709315e46f49890bddf7724692f218
   f46c3fd03990c335ac3
   client_private_keyshare: 001f5307985d5b5248e235cc8e3bc1b489790ce1cc4f
   0ee46f4b2ae5dc4e19cfd401632a4120949cbe776376d560a74cc6d59307ef8bc37fc
   596bf6c0c180dfb80dd
   blind_registration: 00f4bdd1521b23adce41b680898d5524610afc314961ae68f
   1d3716f62c76cfb98a8beffaa25acf7c637fb43a96971009630887739963dacff0be2
   8625faf6333a25
   blind_login: 00291beead7120bd93250d96aa3a7e5945f5b2e1f8955e6ae5645915
   40c8f92ad668d4ab1ac65eace7d1f74d34335b389d3e6ea3da84a830cd902bf1bd8fd
   5879b10
   oprf_key: 01fadcdfb7d893cccb13deb7c952a27830e311579087068d2de4a0647d6
   ff05a409b5a087972ff5190b49f76a61d50423cde30793662bd1501825dcf5788ac75
   bb46

Krawczyk, et al.         Expires 4 November 2021              [Page 196]
Internet-Draft                   OPAQUE                         May 2021

C.39.3.  Intermediate Values

   client_public_key: 0300ddde60161dc32b29345ac9ce18ecf102284bde1013e4ca
   15d2e6cef0207da6b4099be218142b531926f99a2f1112392aff5a985d451b37dc1e7
   ee4c024556f0808
   auth_key: c44d010187fa2c73f57726c22a6e71da26b1d1791cc2c13a51af85b71ef
   4899e1c3d203ccfc19f8c8e7765656da2fe8fdae7992385261a28b5474280940d3d75
   randomized_pwd: bd58368f9f84ea07f5f6daee041b86dfb8291966fb6a9db24b1de
   1bdcc49c40e4e284bb4916b539fb07d5519a63375dfb43993ced83bfaf433d71f678f
   ee835a
   envelope: b40d2f90448536e7fd0cca3823f6c686d328a5be128de587d483c682eeb
   327c378591c399e877d4798e6ea62aa8eecc63fa2b8dc7f558babb0f9b20287eb1053
   93c4a980d7bce12249b02b22ef562090db01f5f67b4a5dd85165920abe5516c5b6cc8
   b3f757c6220b145a5bec199a16187851c19d8c5d891ffa8a30610163bc2e3da696958
   add3b6a5db827e0e1d9bc038829e64a8fa474b6cfb3bf2d9f5d0d40d36
   handshake_secret: 1a98dd20a434d72b1b84b4de5e447498ceaa739a46c2f18a030
   151d3a7637c83b6a4b09ce09aca7ff8d7155746f4bca2d269525f775c915e8b894e00
   8777bc99
   handshake_encrypt_key: dfeb781312fa8068c623181aba7260a5e62f08ee7f51c9
   680d98ae411bb05b7d759cdc6c847a696f4e169c5ad4fff8704af2aac0f2987d399c8
   ad78e40ee1c93
   server_mac_key: 2367b97b2b1de79e2eff9bdaad70e8782a8fcce9b0c43873dc614
   d9ef2c90b7bfa96d33015906a53ddb13120de0d6386bd309c6eb230c4ad501f120e7b
   3401d9
   client_mac_key: 1c97a97fe1d28750ec8f848a94531c88361d9fb263190aa1649c3
   e37d0d268011f3c58da3e387d4f3c068720d9c4dd6973c54026f2cac5ff7767f1610c
   d1a261

C.39.4.  Output Values

Krawczyk, et al.         Expires 4 November 2021              [Page 197]
Internet-Draft                   OPAQUE                         May 2021

   registration_request: 02000c53a2fa3c1dd1ed747b297b82020f316ee5b38d5ad
   d8bfa68d9c6eb9b22ac651badd5d5751e7371cae832503f66442cdc156414f4a5ba0c
   2db08b33530cde8dec
   registration_response: 0201b5220da8916269548ac1de516fe90b9b6560afbeee
   8d940fac786ad9ce565915750665e57181ecfa062c5255b84a62c89241f2a7d2725a1
   f02e2dcd0f582eb24c70201a6573b69f46bf93cb3f18e2510c753f689097b7b96059c
   3ca8f8e45c66a03b694fd8618c9a52c4104ca42186438849e73613cb25fbd4ecc16c5
   a65f95345686984
   registration_upload: 0300ddde60161dc32b29345ac9ce18ecf102284bde1013e4
   ca15d2e6cef0207da6b4099be218142b531926f99a2f1112392aff5a985d451b37dc1
   e7ee4c024556f080806c8834822aa404c713f8f559b2057ab9400fb7c3c011af054f2
   65c84a9c128b3b459f21d8c6dc6f877f3b5c93c485760efdfcc0f25ac9faa43dedc58
   c44a603b40d2f90448536e7fd0cca3823f6c686d328a5be128de587d483c682eeb327
   c378591c399e877d4798e6ea62aa8eecc63fa2b8dc7f558babb0f9b20287eb105393c
   4a980d7bce12249b02b22ef562090db01f5f67b4a5dd85165920abe5516c5b6cc8b3f
   757c6220b145a5bec199a16187851c19d8c5d891ffa8a30610163bc2e3da696958add
   3b6a5db827e0e1d9bc038829e64a8fa474b6cfb3bf2d9f5d0d40d36
   KE1: 03014f2799259882d01af61644db264602a3486a32f6b510aecb336456ce58af
   6cdf6f5630ab4e3e7081f1e99b1688558f0a1bf15da34b7c0252f1036d916928a0f33
   20dd58467372e1363bed48bf972bffdee3a2f2b4b323c83feeb59f3fca09f40a60009
   68656c6c6f20626f620201e2f40c1d877219e9512862469e31da268ab014fdce9cb3f
   9ed6b27fc01fe6d9b1ec37c6cee76131139ccc3eee0a35438250e9ecaff6cf223ad9f
   a469dfaaa0f0a5
   KE2: 0301aec61ca3ce7c9d7adbbb2e30371de2e6216477739f50aa09de3d239d45dc
   37f906f34422aa0b845ed70802f3b5be77d4b3f4512ffe4eb8e99be207831666fbff3
   4fdc5df65f9471bc9e684e36cc2a77b845de2f61917dbc0bd944b23ac501fb242da36
   0e3bc5a3a2babe9871d3e90c5f57b3baf46e6a215444cc0a586026e45239768467aed
   7f90c8dc8562ecfd1e6ce5fadb937ad944229e1523de20e3d4ebd6a74c48eb28148e0
   71d77981b0a4671fda7768ba136a34b70fcf267f1c403f8484a74234022c2218d9a20
   95a653ae88f4ebce7066d8944c71c0b6f670bc2e41bd7d1e846ddfd890f614574aabd
   24dbf8cdf8fe83b37c4dfff041fd42118b6aa2fed7aae3418f0a6399dcd1ff130453c
   ba9daf76468c6a77746a3847cbb5b6f9528feb92be06e4b7928460ce1d418924b5197
   f2c409b936482b2daabb151f93dbb78d696cd56cfce0d7665ebb10c9620d750061f7e
   4696d172dc739650c7e723e893236389b30030029562d54d53c7c51651334989bcc95
   b45a1a07484448ef72bab708b55322b49a43736afc60bf85fc05d3c1d8b60a0b55a83
   e37befa115e9625e00f35c1eeae27ba000f8fa2e9a2692290d48e6acaab14d5e266b0
   b8dca0ba048f22443bb89a80a91c6e8213f6cdb430f0685dbb84571f05a0dc3d1a4c9
   75b0d0145cdaaae50d31b665bcea1bd2783d3a4866ec441313a6cdb
   KE3: 58e6876a60b74ee229f2b85f91038c6adee4c0cc0029115a4bfad6b5ac6e1a96
   b977e1eb51f5ccb4cad0f9f80508c93bb6376ebb3c84b1736cd7c89eb1675c70
   export_key: 296647dba41d525309e59855880d41250f3e2bc78fdea25cd169522bf
   0f3f06fb96f729880a5c648f1118d5084b70776a231bd9cca8fcc823f8fba7cf140c5
   9e
   session_key: 29f5c0aa51eb65d9ab09bb3bc4b72330ae56da16b8df4dcbcd653eca
   48e3af5e7e619c182f4f230e360790b79750441ed0aceb653c6471f48bc28bd60eb35
   e84

Krawczyk, et al.         Expires 4 November 2021              [Page 198]
Internet-Draft                   OPAQUE                         May 2021

C.40.  OPAQUE-3DH Test Vector 40

C.40.1.  Configuration

   OPRF: 0005
   Hash: SHA512
   MHF: Identity
   KDF: HKDF-SHA512
   MAC: HMAC-SHA512
   EnvelopeMode: 02
   Group: P521_XMD:SHA-512_SSWU_RO_
   Nh: 64
   Npk: 67
   Nsk: 66
   Nm: 64
   Nx: 64
   Nok: 66

C.40.2.  Input Values

Krawczyk, et al.         Expires 4 November 2021              [Page 199]
Internet-Draft                   OPAQUE                         May 2021

   client_identity: 616c696365
   server_identity: 626f62
   oprf_seed: fbf260b2fefb6b873f200a672a8cad12238939b8d8d9a0f5ac3968b607
   a5b61c7c31e3385c64ee91e2923fa816cc8b9f71cd19bc8c03f0a0c1472703b15241e
   d
   credential_identifier: 31323334
   password: 436f7272656374486f72736542617474657279537461706c65
   envelope_nonce: 148680a2ed9221cce00118e45854b7a7bdf7a7413fef7901fda93
   30f23b74537
   masking_nonce: 10e071046caa5653285f2d6157a395159b3b397d24faf2795d4a39
   2809efd933
   client_private_key: 008fb26f2c88d274661db787733c175d7034e4da200a4ebb0
   1c9589fd7a0d54771e479fce2a99af6a64f80e4106dcef77a750147dcf14217936a74
   679455ddadece4
   server_private_key: 00b78f376d4dee066fa82592ffb702498326c37dadf63135c
   ca8df4d8e19f5dc6e830163ea683e19a507b15a66ed74b1ce6ebbd902a5c74a51eeaa
   2ec2bfc113d4fc
   server_public_key: 0200f944f464cfcbdfe94b720c0a59487456cca17580dd1982
   4532d540642aa4017edec0b9308bf4f4fc00611115a145c1374680847e4815f6c8dd7
   febdecef64998dc
   client_info: 68656c6c6f20626f62
   server_info: 6772656574696e677320616c696365
   server_nonce: 12d249aed7235d544e9dcca2a84c170a4ee3f06b2476e3a277bdc2d
   b6656b3fc
   client_nonce: 95e8256fb398e5b9b108c80976b3d52ab0e1daf76b1c4c3b60cc7b5
   6ca02c567
   server_keyshare: 0300ed0fdc747de2ff4797c4b18da821ae9ec83376c51d00a51b
   2d1701e5689e8dd720cca6fdd1a548b5b3ad34015006ce4f7548be73295e07f15f8b0
   c60331cb65160
   client_keyshare: 0300c566f59e65c950d86356e925ce1f87b3d4a7a9b2e556ecef
   17041679c76f8afd8f7b1e9fb82549886fdedf29e4e86564475b0c2c200a9c7a4e089
   e846932e07d36
   server_private_keyshare: 000edecf9fb5e59078188296e515e4ca73bbe621fba3
   5f6c96d3864ea0bd2e0456d416426fae1344e0fc3b40fedaf785bf4d7c8b08424b6a3
   4a2a343d0a0f288f4d4
   client_private_keyshare: 01f63ed931f59a0368288ac23921775322360ce0c6d6
   96e76eb046a5b04a05c1a16272e0b8c22ee595320c808337e5804daf7a463c23f1f40
   7b77dca84824b4657fc
   blind_registration: 002a6e47e6eb00445978d7a0f5e876189839fce07fa4c3f5e
   e73f71b7054c673a45711b4be7a89fee03569a6a058f9dda2294315a167fa19af3279
   769bdb191cfc70
   blind_login: 011646fd1eb67204c84e2be0273c76e96a29d0f20428bcb157922105
   599e83b939f76446fb738af8d38a00fae287d39a8d7234b7b8a704076e51cfacd73bb
   24554bc
   oprf_key: 01296ee14ded1e15d1475342ec5ca999d6b06da34d21c032e983c8798f3
   83713e826d20a87579166b896fa22835171d491010aa0ae233cb8364a37fbc67fcd76
   a7e7

Krawczyk, et al.         Expires 4 November 2021              [Page 200]
Internet-Draft                   OPAQUE                         May 2021

C.40.3.  Intermediate Values

   client_public_key: 0201ef259e80ef427390cf74d1cf31778645e53d0ab4a7fef6
   f57a56a0c2b5f4b602d0dd906fa77bdf011b9b7e6bb4098102bb9806b3d74d12bea03
   e0379fb9127abe5
   auth_key: 06fdbb3eac5a64969d5b9d706d42f5bf4974e8cb384045cbf1635d4c38e
   b4d40ab510794bfb080ace09afc515b607c655a98a9d574e3540d236eb11e2a33ae5a
   randomized_pwd: ab42f356f88a289e39db5ad0c3000f61e218377a38eb5bdd7e5c3
   4a49515af35139fd03bf7766b388658d3f97013e682e8b03312cb132e1b6ad38b9de5
   f2c541
   envelope: 148680a2ed9221cce00118e45854b7a7bdf7a7413fef7901fda9330f23b
   7453701def71a3293a7da19c084e4d8c2455ec701a6e4dc3a7306c4167fdd647596bf
   dc5c6c55c65f3580211522c87bd1e637eac225a3724d720bb9fe5a672070c1044a8f8
   1fc9747a6236b83782a0cbced17fc42f1f1341998bedae5c3514f719c42025bc652a3
   e33565f3d0ea4f85d432b8699d45cd6feea8c991d0839f064be2829213
   handshake_secret: 45ffe957a00d84c425c78bcc80913316da6f6e5b203ebef3153
   69aa437aa6d69ff4c6ef75d2b3b44015eee8bd4e9f5fb372a9acedb1a137a0230c169
   1d72897f
   handshake_encrypt_key: 575eb190b6c33011ed4f2d3712be61557b8cef58f76d55
   4d10a18c541a240b419b0eb71283463708d26c34e768f8de56b2f00dc2894c4b723c5
   d0afedb23369a
   server_mac_key: 1c11f159aef9b208ffcbaf9e94954bad25c4db5d53023dfdbe1e5
   c190a6cc7678bd2d439e1ff473925eb53f4ebc1409561bda0ff1dd9d464753574685c
   9ae768
   client_mac_key: ac527810534c51e15db0ea3b5523a4bcdddedb25822235d48d6b2
   fd603d3e24ea439b8a35e6498282737e4c343c62ae7f4c76caa2d6fdc23b8b3e74b72
   f33780

C.40.4.  Output Values

Krawczyk, et al.         Expires 4 November 2021              [Page 201]
Internet-Draft                   OPAQUE                         May 2021

   registration_request: 0201d22759697d1d91f6b1812d14acfee093886e889d913
   cdffc78de009924d3d80a7aa9384149f163fd706498375c34402df2ccd8c1283cd250
   477ce032c9e7c78ef8
   registration_response: 030056fb0c3756244faf6dd675c12f4b60ffe048b95fa3
   b01e7eefc55cee0bd563984101048808fa2549626efc2de0b1bfba47219946c4bdd6f
   1a76d2ef795c10877250200f944f464cfcbdfe94b720c0a59487456cca17580dd1982
   4532d540642aa4017edec0b9308bf4f4fc00611115a145c1374680847e4815f6c8dd7
   febdecef64998dc
   registration_upload: 0201ef259e80ef427390cf74d1cf31778645e53d0ab4a7fe
   f6f57a56a0c2b5f4b602d0dd906fa77bdf011b9b7e6bb4098102bb9806b3d74d12bea
   03e0379fb9127abe5b236c94348d63a9b4f6d7a0c29d141cb2f370e58fd49ef257ec0
   0f85e3626224e8c473c05ffb7737dd3d8177be3a478ffef34e9c898c141dbbdd1ac93
   0fb6287148680a2ed9221cce00118e45854b7a7bdf7a7413fef7901fda9330f23b745
   3701def71a3293a7da19c084e4d8c2455ec701a6e4dc3a7306c4167fdd647596bfdc5
   c6c55c65f3580211522c87bd1e637eac225a3724d720bb9fe5a672070c1044a8f81fc
   9747a6236b83782a0cbced17fc42f1f1341998bedae5c3514f719c42025bc652a3e33
   565f3d0ea4f85d432b8699d45cd6feea8c991d0839f064be2829213
   KE1: 02002c6e65b998d160fbbde62484f39c2678bda170db547005889379b570e83e
   4f6aa45200a183dc5cbf014bc7f94f28064bae53132dfb3a0736bf7b806b1091ce541
   895e8256fb398e5b9b108c80976b3d52ab0e1daf76b1c4c3b60cc7b56ca02c5670009
   68656c6c6f20626f620300c566f59e65c950d86356e925ce1f87b3d4a7a9b2e556ece
   f17041679c76f8afd8f7b1e9fb82549886fdedf29e4e86564475b0c2c200a9c7a4e08
   9e846932e07d36
   KE2: 0201357df114b1c70a0fc8bd2959be6f8665c8d678d9bec2adeb659f6b0dc13d
   362d923d1dc12abf35950aa6394a35b6b098d6ce00f19fdfe74130eeaaa05a94a03bd
   c10e071046caa5653285f2d6157a395159b3b397d24faf2795d4a392809efd9338172
   75c06ae88cfc284404d0a1e2fbd980a3fc279422cc02900e736924bd0e92ad10a041f
   5e7fb4ed14ad05835884b15ccce805d6cb1d98c205e728c75c0340c91b10fe0b6f4a3
   e6ed72da929e19e01b2dd954205389fd8785cf68bf1f8a1b7bdd21c1880aef17e6aac
   821d1cf935d241fbbafab51c70895a8632c90524340e10b353fe8d6a59e30f55b476b
   7c999c6a3db8dfca675da4a9406b4bf203025cfbee27d48724595c417419afb70ff17
   d5545728ec4db9b94ca06f76cf1b8a00a14d128c6ee8c4f14c8ed7165e10a784ae3ea
   4f4133c43fe605f930ad908f7ad1302a9866285e12d249aed7235d544e9dcca2a84c1
   70a4ee3f06b2476e3a277bdc2db6656b3fc0300ed0fdc747de2ff4797c4b18da821ae
   9ec83376c51d00a51b2d1701e5689e8dd720cca6fdd1a548b5b3ad34015006ce4f754
   8be73295e07f15f8b0c60331cb65160000fa617cd8614963cc4a93daa6f9f39af7de5
   c14264be441bccb88f4a8ecf0bc02e6a00cc865fe075ef0a26e5bd30ecfc33e0e54f7
   4e5f321a064d00936b7dcb794e1b9e9beea94724085999472211d15
   KE3: b8d4c9fec7e500686d441a87e104f95d70b444a605100736d0159a2ed24ea759
   75320d73dc63c0e14fa20b68567f922a20f99f0215d40a467d95f5967971e4ab
   export_key: 0c54bc0aaa31c4537fa2bad1b952405c388ea0af4aee0f19b314f0cac
   b24fcd51a9ac25cef1aa54ebe08cb7e460e48e26ed78045b82df4763a2e4cdea4a252
   8c
   session_key: c529e3877be75151e9fd18f1dee4e1bcb27f81b7277e06a5ded2296f
   7d0fc8ca13b8f23116e34a2ab83f644a5c9ce94b74d574667f679463d51a9db41200e
   0a9

Krawczyk, et al.         Expires 4 November 2021              [Page 202]
Internet-Draft                   OPAQUE                         May 2021

Authors' Addresses

   Hugo Krawczyk
   Algorand Foundation

   Email: hugokraw@gmail.com

   Daniel Bourdrez

   Email: dan@bytema.re

   Kevin Lewi
   Novi Research

   Email: lewi.kevin.k@gmail.com

   Christopher A. Wood
   Cloudflare

   Email: caw@heapingbits.net

Krawczyk, et al.         Expires 4 November 2021              [Page 203]