Skip to main content

The OPAQUE Asymmetric PAKE Protocol

Document Type Replaced Internet-Draft (cfrg RG)
Expired & archived
Author Dr. Hugo Krawczyk
Last updated 2020-07-14 (Latest revision 2020-06-19)
Replaced by draft-irtf-cfrg-opaque
RFC stream Internet Research Task Force (IRTF)
Intended RFC status Informational
Additional resources Mailing list discussion
Stream IRTF state Replaced
Consensus boilerplate Unknown
Document shepherd (None)
IESG IESG state Replaced by draft-irtf-cfrg-opaque
Telechat date (None)
Responsible AD (None)
Send notices to (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft is available in these formats:


This draft describes the OPAQUE protocol, a secure asymmetric password authenticated key exchange (aPAKE) that supports mutual authentication in a client-server setting without reliance on PKI and with security against pre-computation attacks upon server compromise. Prior aPAKE protocols did not use salt and if they did, the salt was transmitted in the clear from server to user allowing for the building of targeted pre-computed dictionaries. OPAQUE security has been proven by Jarecki et al. (Eurocrypt 2018) in a strong and universally composable formal model of aPAKE security. In addition, the protocol provides forward secrecy and the ability to hide the password from the server even during password registration. Strong security, versatility through modularity, good performance, and an array of additional features make OPAQUE a natural candidate for practical use and for adoption as a standard. To this end, this draft presents several instantiations of OPAQUE and ways of integrating OPAQUE with TLS. This draft presents a high-level description of OPAQUE, highlighting its components and modular design. It also provides the basis for a specification for standardization but a detailed specification ready for implementation is beyond the scope of this document. Implementers of OPAQUE should ONLY follow the precise specification in the upcoming draft-irtf-cfrg-opaque.


Dr. Hugo Krawczyk

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)