pakery-spake2plus 0.1.0

SPAKE2+ augmented PAKE protocol (RFC 9383)
Documentation

pakery-spake2plus

crates.io docs.rs License: MIT OR Apache-2.0

SPAKE2+ augmented PAKE protocol implementation (RFC 9383).

Part of the pakery workspace.

SPAKE2+ is an augmented (asymmetric) PAKE: the server stores a verifier derived from the password rather than the password itself. It provides mutual explicit key confirmation with provable security.

Usage

[dependencies]
pakery-spake2plus = "0.1"
pakery-crypto = { version = "0.1", features = ["ristretto255"] }

Example

use pakery_spake2plus::{Spake2PlusCiphersuite, Prover, Verifier, compute_verifier};
use pakery_crypto::{Ristretto255Group, Sha512Hash, HkdfSha512, HmacSha512};
use pakery_crypto::{SPAKE2_M_COMPRESSED, SPAKE2_N_COMPRESSED};
use pakery_core::crypto::Hash;

struct MySpake2PlusSuite;

impl Spake2PlusCiphersuite for MySpake2PlusSuite {
    type Group = Ristretto255Group;
    type Hash = Sha512Hash;
    type Kdf = HkdfSha512;
    type Mac = HmacSha512;
    const NH: usize = 64;
    const M_BYTES: &'static [u8] = &SPAKE2_M_COMPRESSED;
    const N_BYTES: &'static [u8] = &SPAKE2_N_COMPRESSED;
}

let mut rng = rand_core::OsRng;

// Derive password scalars (w0, w1)
let h0 = Sha512Hash::digest(b"passwordw0");
let w0 = Ristretto255Group::scalar_from_wide_bytes(&h0).unwrap();
let h1 = Sha512Hash::digest(b"passwordw1");
let w1 = Ristretto255Group::scalar_from_wide_bytes(&h1).unwrap();

// Server stores the verifier L = w1 * G
let l_bytes = compute_verifier::<MySpake2PlusSuite>(&w1);

// Prover (client) starts
let (share_p, prover_state) = Prover::<MySpake2PlusSuite>::start(
    &w0, &w1, b"context", b"client", b"server", &mut rng,
).unwrap();

// Verifier (server) starts and produces confirmation
let (share_v, confirm_v, verifier_state) = Verifier::<MySpake2PlusSuite>::start(
    &share_p, &w0, &l_bytes, b"context", b"client", b"server", &mut rng,
).unwrap();

// Prover finishes and verifies server's confirmation
let prover_out = prover_state.finish(&share_v, &confirm_v).unwrap();

// Verifier finishes and verifies prover's confirmation
let verifier_out = verifier_state.finish(&prover_out.confirm_p).unwrap();

// Session keys match
assert_eq!(
    prover_out.session_key.as_bytes(),
    verifier_out.session_key.as_bytes(),
);

Features

Feature Description
std (default) Enable std support
getrandom Enable OS-backed RNG via rand_core/getrandom
test-utils Expose deterministic constructors for testing

Security

  • #![forbid(unsafe_code)]
  • Constant-time comparisons via subtle
  • Secret values zeroized on drop via zeroize
  • Validated against RFC 9383 test vectors

MSRV

The minimum supported Rust version is 1.79.

License

Licensed under either of Apache License, Version 2.0 or MIT License at your option.