Shepherd writeup

Technical Summary

This document describes a PAKE (password-authenticated key agreement) protocol SPAKE2 which allows two parties sharing a password to establish a shared key. 
This document is a product of the Crypto Forum Research Group (CFRG) in the IRTF.

Working Group Summary

The document was adopted back in 2015. It predated the CFRG PAKE competition, it was one of the candidates (both in rounds 1 and 2) and it was not selected. Nevertheless, the chairs decided to publish the document with the corresponding disclaimer because KITTEN WG intends to use SPAKE2 .
There was a Research Group Last Call for the draft in October 2020. There was a concern about establishing the identities in-flow from Feng Hao and a possible implementation-security issue from Bjoern Haase. The first question is related to using the protocol in real-world applications and was  earlier discussed during the PAKE selection process. There was no major support of the concern from the implementers of the protocol. The second question was addressed in the updated version of the draft; Bjoern Haase confirmed that he does not have any further remarks about the document.
There were several reviews (regarding both security issues and applicability) during the PAKE selection process: by Scott Fluhrer, Valery Smyslov, Yoav Nir, Brian Warner, Karthik Bhargavan, Thyla van der Merwe, Stanislav Smyshlyaev, David Gotrik, Bjoern Tackmann, Russ Housley, Julia Hesse and Yaron Sheffer. Later in 2020 Liliya Akhmetzyanova and Scott Fluhrer (on behalf of Crypto Review Panel) did reviews for the draft before the Last Call. Comments from the reviewers have been addressed.
There is a related IPR submitted by Björn Haase to the datatracker.

Document Quality

There are at least two implementations with a different key derivation mechanism: for MIT krb5 and for the Magic Wormhole; there is at least one implementation for IoT by Davide Pesavento, which is not currently public, test vectors verified.
The draft has been thoroughly studied during the PAKE Selection Process (
The construction is used in KITTEN WG for one of Kerberos documents.


Stanislav Smyshlyaev is the Document Shepherd.
Colin Perkins is the IRTF Chair.