Skip to main content

Shepherd writeup

Technical Summary

This document describes a PAKE (password-authenticated key agreement) protocol
SPAKE2 which allows two parties sharing a password to establish a shared key.
This document is a product of the Crypto Forum Research Group (CFRG) in the

Working Group Summary

The document was adopted back in 2015. It predated the CFRG PAKE competition,
it was one of the candidates (both in rounds 1 and 2) and it was not selected.
Nevertheless, the chairs decided to publish the document with the corresponding
disclaimer because KITTEN WG intends to use SPAKE2 . There was a Research Group
Last Call for the draft in October 2020. There was a concern about establishing
the identities in-flow from Feng Hao and a possible implementation-security
issue from Bjoern Haase. The first question is related to using the protocol in
real-world applications and was  earlier discussed during the PAKE selection
process. There was no major support of the concern from the implementers of the
protocol. The second question was addressed in the updated version of the
draft; Bjoern Haase confirmed that he does not have any further remarks about
the document. There were several reviews (regarding both security issues and
applicability) during the PAKE selection process: by Scott Fluhrer, Valery
Smyslov, Yoav Nir, Brian Warner, Karthik Bhargavan, Thyla van der Merwe,
Stanislav Smyshlyaev, David Gotrik, Bjoern Tackmann, Russ Housley, Julia Hesse
and Yaron Sheffer. Later in 2020 Liliya Akhmetzyanova and Scott Fluhrer (on
behalf of Crypto Review Panel) did reviews for the draft before the Last Call.
Comments from the reviewers have been addressed. There is a related IPR
submitted by Björn Haase to the datatracker.

Document Quality

There are at least two implementations with a different key derivation
mechanism: for MIT krb5 and for the Magic Wormhole; there is at least one
implementation for IoT by Davide Pesavento, which is not currently public, test
vectors verified. The draft has been thoroughly studied during the PAKE
Selection Process ( The construction is
used in KITTEN WG for one of Kerberos documents.


Stanislav Smyshlyaev is the Document Shepherd.
Colin Perkins is the IRTF Chair.