Network Working Group                                             J. Vos
Internet-Draft                                                          
Intended status: Informational                                S. Jarecki
Expires: 17 October 2025                University of California, Irvine
                                                              C. A. Wood
                                                             Apple, Inc.
                                                           15 April 2025


        Hybrid Post-Quantum Password Authenticated Key Exchange
                        draft-vos-cfrg-pqpake-00

Abstract

   This document describes the CPaceOQUAKE+ protocol, a hybrid
   asymmetric password-authenticated key exchange (aPAKE) that supports
   mutual authentication in a client-server setting secure against
   quantum-capable attackers.  CPaceOQUAKE+ is the result of a KEM-based
   transformation from the hybrid symmetric PAKE protocol called
   CPaceOQUAKE that is also described in this document.  This document
   recommends configurations for CPaceOQUAKE+.

About This Document

   This note is to be removed before publishing as an RFC.

   The latest revision of this draft can be found at
   https://example.com/LATEST.  Status information for this document may
   be found at https://datatracker.ietf.org/doc/draft-vos-cfrg-pqpake/.

   Discussion of this document takes place on the CFRG Crypto Forum
   Research Group mailing list (mailto:WG@example.com), which is
   archived at https://example.com/WG.

   Source for this draft and an issue tracker can be found at
   https://github.com/USER/REPO.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.





Vos, et al.              Expires 17 October 2025                [Page 1]

Internet-Draft               Hybrid PQ-PAKE                   April 2025


   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 17 October 2025.

Copyright Notice

   Copyright (c) 2025 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
   2.  Conventions and Definitions . . . . . . . . . . . . . . . . .   4
     2.1.  Notation and Terminology  . . . . . . . . . . . . . . . .   4
   3.  Overview  . . . . . . . . . . . . . . . . . . . . . . . . . .   5
   4.  Cryptographic Dependencies  . . . . . . . . . . . . . . . . .   6
     4.1.  Key Encapsulation Mechanism . . . . . . . . . . . . . . .   7
     4.2.  Binary Uniform KEM  . . . . . . . . . . . . . . . . . . .   7
     4.3.  Key Derivation Function . . . . . . . . . . . . . . . . .   8
     4.4.  Key Stretching Function . . . . . . . . . . . . . . . . .   8
   5.  CPaceOQUAKE Protocol  . . . . . . . . . . . . . . . . . . . .   8
     5.1.  CPace Specification . . . . . . . . . . . . . . . . . . .   9
       5.1.1.  Initiation  . . . . . . . . . . . . . . . . . . . . .  10
       5.1.2.  Response  . . . . . . . . . . . . . . . . . . . . . .  10
       5.1.3.  Finish  . . . . . . . . . . . . . . . . . . . . . . .  11
     5.2.  OQUAKE Specification  . . . . . . . . . . . . . . . . . .  12
       5.2.1.  Initiation  . . . . . . . . . . . . . . . . . . . . .  13
       5.2.2.  Response  . . . . . . . . . . . . . . . . . . . . . .  15
       5.2.3.  Finish  . . . . . . . . . . . . . . . . . . . . . . .  16
     5.3.  Composition of CPace & OQUAKE . . . . . . . . . . . . . .  17
       5.3.1.  Client Initiation . . . . . . . . . . . . . . . . . .  19
       5.3.2.  Server Response . . . . . . . . . . . . . . . . . . .  20
       5.3.3.  Client Finish . . . . . . . . . . . . . . . . . . . .  21
       5.3.4.  Server Finish . . . . . . . . . . . . . . . . . . . .  23
   6.  CPaceOQUAKE+ Protocol . . . . . . . . . . . . . . . . . . . .  23
     6.1.  Registering Clients . . . . . . . . . . . . . . . . . . .  24
       6.1.1.  Generating Verifiers  . . . . . . . . . . . . . . . .  24
       6.1.2.  Registration  . . . . . . . . . . . . . . . . . . . .  25
     6.2.  The Password Confirmation Stage . . . . . . . . . . . . .  26



Vos, et al.              Expires 17 October 2025                [Page 2]

Internet-Draft               Hybrid PQ-PAKE                   April 2025


       6.2.1.  Server Challenge  . . . . . . . . . . . . . . . . . .  27
       6.2.2.  Client Response . . . . . . . . . . . . . . . . . . .  28
       6.2.3.  Server Verify . . . . . . . . . . . . . . . . . . . .  30
     6.3.  Composition of CPaceOQUAKE & Password Confirmation  . . .  30
   7.  CPaceOQUAKE+ Configurations . . . . . . . . . . . . . . . . .  32
   8.  Implementation Considerations . . . . . . . . . . . . . . . .  34
   9.  Security Considerations . . . . . . . . . . . . . . . . . . .  34
     9.1.  Identities  . . . . . . . . . . . . . . . . . . . . . . .  35
       9.1.1.  Symmetric PAKE identities . . . . . . . . . . . . . .  35
       9.1.2.  Asymmetric PAKE identities  . . . . . . . . . . . . .  36
   10. IANA Considerations . . . . . . . . . . . . . . . . . . . . .  36
   11. References  . . . . . . . . . . . . . . . . . . . . . . . . .  36
     11.1.  Normative References . . . . . . . . . . . . . . . . . .  36
     11.2.  Informative References . . . . . . . . . . . . . . . . .  38
   Appendix A.  Deriving parameters  . . . . . . . . . . . . . . . .  39
     A.1.  Parameters for CPaceOQUAKE+ . . . . . . . . . . . . . . .  39
     A.2.  Parameters for CPaceOQUAKE  . . . . . . . . . . . . . . .  40
     A.3.  Parameters for CPace  . . . . . . . . . . . . . . . . . .  40
     A.4.  Parameters for OQUAKE . . . . . . . . . . . . . . . . . .  40
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  41

1.  Introduction

   Asymmetric (or Augmented) Password Authenticated Key Exchange (aPAKE)
   protocols are designed to provide password authentication and
   mutually authenticated key exchange in a client-server setting
   without relying on a public key infrastructure (PKI) and without
   disclosing passwords to servers or other entities other than the
   client machine.  The only stage where PKI is required is during a
   client's registration.

   In the asymmetric PAKE setting, the client first registers a password
   verifier with the server.  A verifier is a value that is derived from
   the password and which the server will later use to verify the client
   knowledge of the password.  After registration, the client uses its
   password and the server uses the corresponding verifier to establish
   an authenticated shared secret such that the server learns nothing of
   the client's password.

   OPAQUE-3DH [OPAQUE] and SPAKE2+ [SPAKE2PLUS] are two examples of
   specified aPAKE protocols.  These protocols provide security in
   classical threat models.  However, in the presence of a quantum-
   capable attacker, both OPAQUE and SPAKE2+ fail to provide the desired
   level of security.  Both protocols are vulnerable to a Harvest Now,
   Decrypt Later attack executed by a quantum-capable attacker, in which
   the attacker learns the shared secret and uses it to compromise
   application traffic.  Upgrading both protocols to provide post-
   quantum security is non-trivial, especially as there are no known



Vos, et al.              Expires 17 October 2025                [Page 3]

Internet-Draft               Hybrid PQ-PAKE                   April 2025


   efficient constructions for certain building blocks used in these
   protocols (such as the OPRF used in OPAQUE-3DH).  As the threat of
   quantum-capable attackers looms, the viability of existing aPAKE
   protocols in practice diminishes in time.

   This document describes the CPaceOQUAKE+ protocol, an aPAKE that
   supports mutual authentication in a client-server setting secure
   against quantum-capable attackers.  CPaceOQUAKE+ is the result of a
   KEM-based transformation from the hybrid symmetric PAKE protocol
   called CPaceOQUAKE.

   This document fully specifies CPaceOQUAKE+ and all dependencies
   necessary to implement it.  Section 7 provides recommended
   configurations.

2.  Conventions and Definitions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

2.1.  Notation and Terminology

   The following functions and operators are used throughout the
   document.

   *  The function random(n) generates a cryptographically secure
      pseudorandom byte string of length n bytes.

   *  The associative binary operator || denotes concatenation of two
      byte strings.

   *  The binary function XOR(a, b) denotes an element-wise XOR
      operation between two byte strings a and b of the same length.

   *  The functions bytes_to_int and int_to_bytes convert byte strings
      to and from non-negative integers. bytes_to_int and int_to_bytes
      are implemented as OS2IP and I2OSP as described in [RFC8017],
      respectively.










Vos, et al.              Expires 17 October 2025                [Page 4]

Internet-Draft               Hybrid PQ-PAKE                   April 2025


   *  The function lv_encode encodes a byte string with a two-byte, big-
      endian length prefix.  For example, lv_enode((0x00, 0x01, 0x02)) =
      (0x00, 0x03, 0x00, 0x01, 0x02).  The function lv_decode parses a
      byte string that is expected to be encoded with a two-byte length
      preceding the remaining bytes, e.g., lv_decode((0x00, 0x03, 0x00,
      0x01, 0x02)) = (0x00, 0x01, 0x02).  Note that lv_decode can fail
      when the length of the actual bytes does not match that encoded in
      the prefix.  For example, lv_decode((0xFF, 0xFF, 0x00)) will fail.

   *  The notation bytes[l..h] refers to the slice of byte array bytes
      starting at index l and ending at index h-1.  For example, given
      bytes = (0x00, 0x01, 0x02), then bytes[0..1] = 0x00 and
      bytes[0..3] = (0x00, 0x01, 0x02).  Similarly, the notation
      bytes[l..] refers to the slice of the byte array bytes starting at
      l until the end of bytes, i.e.., bytes[l..] =
      bytes[l..len(bytes)].

   All algorithms and procedures described in this document are laid out
   in a Python-like pseudocode.  Each function takes a set of inputs and
   parameters and produces a set of output values.  Parameters become
   constant values once the protocol variant and the configuration are
   fixed.

3.  Overview

   This document aims to specify two protocols: a symmetric and an
   asymmetric hybrid PAKE.  In the symmetric PAKE setting, the client
   and server share a password and use it to establish an authenticated
   shared secret.  In the asymmetric PAKE setting, the client first
   registers a password verifier with the server.  A verifier is a value
   that is derived from the password and which the client will later use
   to demonstrate knowledge of the password.  After registration, the
   client uses its password and the server uses the corresponding
   verifier to establish an authenticated shared secret such that the
   server learns nothing of the client's password.

   The aPAKE specified in this document is composed of multiple smaller
   protocols, including the hybrid symmetric PAKE protocol called
   CPaceOQUAKE.  CPaceOQUAKE is in turn a composition of two other PAKE
   protocols: the existing CPace [CPACE] and a new post-quantum PAKE
   called OQUAKE.  To achieve the asymmetric property, the aPAKE also
   builds upon a password confirmation sub-protocol as specified in
   Section 6.2.

   We refer to the fully composed aPAKE as CPaceOQUAKE+. An abstract
   overview of the composition of this protocol is shown in the figure
   below.  In the subsequent sections we break down the sub-protocols
   into even smaller building blocks.



Vos, et al.              Expires 17 October 2025                [Page 5]

Internet-Draft               Hybrid PQ-PAKE                   April 2025


               +--------------------+
               | CPaceOQUAKE+       |
               |  +--------------+  |
               |  | CPaceOQUAKE  |  |
               |  | +----------+ |  |
               |  | |  CPace   | |  |
   Client's    |  | | protocol | |  |
   password -->|  | +----------+ |  |<-- Verifier
               |  |              |  |
               |  | +----------+ |  |
               |  | |  OQUAKE  | |  |
               |  | | protocol | |  |
               |  | +----------+ |  |
               |  +--------------+  |
               |   .------------.   |
               |  |   Password   |  |
   Session <---+  | confirmation |  +---> Session
     key       |   '------------'   |       key
               +--------------------+

   We note that this standard only specifies the composition of CPace
   and OQUAKE.  It is not necessarily true that one can securely compose
   all PAKEs this way.

   The rest of this document specifies CPaceOQUAKE+ and its
   dependencies.  Section 5 specifies the CPaceOQUAKE protocol, and
   Section 6 specifies the CPaceOQUAKE+ protocol, incorporating the
   former protocol.  Each of these pieces build upon the cryptographic
   dependencies specified in Section 4.

4.  Cryptographic Dependencies

   The protocols in this document have four primary dependencies:

   *  Key Encapsulation Mechanism (KEM); Section 4.1

   *  Binary Uniform Key Encapsulation Mechanism (BUKEM); Section 4.2

   *  Key Derivation Function (KDF); Section 4.3

   *  Key Stretching Function (KSF); Section 4.4

   Section 7 specifies different combinations of each of these
   dependencies that are suitable for implementation.







Vos, et al.              Expires 17 October 2025                [Page 6]

Internet-Draft               Hybrid PQ-PAKE                   April 2025


4.1.  Key Encapsulation Mechanism

   A Key Encapsulation Mechanism (KEM) is an algorithm that is used for
   exchanging a secret from one party to another.  We require an IND-
   CCA-secure KEM with key derivation from a seed.  It consists of the
   following syntax.

   *  DeriveKeyPair(seed): Deterministic algorithm to derive a key pair
      (sk, pk) from the byte string seed, where seed SHOULD have Nseed
      bytes.

   *  Encaps(pk): Randomized algorithm to generate an ephemeral, fixed-
      length symmetric key (the KEM shared secret) and a fixed-length
      encapsulation of that key that can be decapsulated by the holder
      of the secret key corresponding to pk.  This function can raise an
      EncapsError on encapsulation failure.

   *  Decaps(ct, skR): Deterministic algorithm using the secret key sk
      to recover the ephemeral symmetric key (the KEM shared secret)
      from its encapsulated representation ct.  This function can raise
      a DecapsError on decapsulation failure.

   *  Nseed: The length in bytes of the seed used to derive a key pair.

   *  Nct: The length in bytes of an encapsulated key produced by this
      KEM.

   *  Npk: The length in bytes of a public key for this KEM.

   This specification uses X-Wing [XWING].

4.2.  Binary Uniform KEM

   A binary uniform KEM supports the same functions as defined above for
   a KEM, and it must also be IND-CCA secure, but it must also achieve
   two additional security properties.  Namely, in addition to IND-CCA
   security, a binary uniform KEM requires that:

   1.  Public keys are indistinguishable from random strings of bytes
       (of the same length); and

   2.  Ciphertexts are anonymous in the presence of chosen ciphertext
       attack (ANO-CCA).

   These additional properties are crucial for the security of OQUAKE.
   In other words, one MUST NOT use a KEM that has no uniform public
   keys and no anonymous ciphertexts in place of a uniform KEM.




Vos, et al.              Expires 17 October 2025                [Page 7]

Internet-Draft               Hybrid PQ-PAKE                   April 2025


   This specification uses a variant of ML-KEM768 [FIPS203], denoted ML-
   BUKEM768.  This is instantiated with "KemeleonNR - ML-KEM768"
   [KEMELEON].  Note that, while Kemeleon provides uniform encoding for
   KEM ciphertexts and public keys, we only require uniform enoding for
   public keys.  Future specifications can replace use of Kemeleon with
   a binary uniform KEM that is more efficient if one becomes available.

4.3.  Key Derivation Function

   A Key Derivation Function (KDF) is a function that takes some source
   of initial keying material and uses it to derive one or more
   cryptographically strong keys.  This specification uses a KDF with
   the following API and parameters:

   *  Extract(salt, ikm): Extract a pseudorandom key of fixed length Nx
      bytes from input keying material ikm and an optional byte string
      salt.

   *  Expand(prk, info, L): Expand a pseudorandom key prk using the
      optional string info into L bytes of output keying material.

   *  Nx: The output size of the Extract() function in bytes.

4.4.  Key Stretching Function

   This specification makes use of a Key Stretching Function (KSF),
   which is a slow and expensive cryptographic hash function with the
   following API:

   *  Stretch(msg, salt, L): Apply a key stretching function to stretch
      the input msg and salt salt, hardening it against offline
      dictionary attacks.  This function also needs to satisfy collision
      resistance.  The output is a string of L bytes.

5.  CPaceOQUAKE Protocol

   The hybrid, symmetric PAKE protocol, denoted CPaceOQUAKE consists of
   CPace [CPACE] combined with OQUAKE [ABJ25].  OQUAKE is a PAKE built
   from a BUKEM and KDF, using a 2-rounds of Feistel network to
   password-encrypt the BUKEM public key.  The OQUAKE protocol is based
   on the "NoIC" protocol analyzed in [ABJ25].

   The CPaceOQUAKE protocol is based on the `Sequential PAKE Combiner'
   protocol proposed by [HR24].  A very close variant of this protocol
   was also analyzed in [LL24].






Vos, et al.              Expires 17 October 2025                [Page 8]

Internet-Draft               Hybrid PQ-PAKE                   April 2025


   At a high level, CPaceOQUAKE is a two-round protocol that runs
   between client and server wherein, upon completion, both parties
   share the same session key if they agree on the password-related
   string (PRS).  Otherwise, they obtain random session keys.  This is
   summarized in the diagram below.

               +----------------------------------------+
               | CPaceOQUAKE  +----------+              |
               |              |  CPace   |              |
   Client's    |              | protocol |              |    Server's
   password -->|              +----------+              |<-- password
               |                                        |
               |              +----------+              |
               |              |  OQUAKE  |              |
   Session <---+              | protocol |              +--> Session
     key       |              +----------+              |      key
               +----------------------------------------+

   CPaceOQUAKE composes CPace and OQUAKE by first running CPace between
   client and server, and then incorporating the CPace session key into
   the password before running OQUAKE between the server and client.  We
   explain the composition in more detail in Section 5.3.

   As describes in Section 5.1 and Section 5.2, both CPace and OQUAKE
   take as input optional client and server identifiers, denoted U and
   S, respectively.  See Section 9.1 for more discussion about these
   identities and how they are chosen in practice.

5.1.  CPace Specification

   CPace is a classical elliptic curve-based PAKE [CPACE].  This section
   wraps the CPace specification in a consistent interface.  We use an
   interactive version of CPace that takes two rounds, in which there is
   a designated initiator and responder.  In other words, the responder
   only starts executing the protocol after it received the first
   message from the initiator.

   The flow of the protocol consists of three messages sent between
   initiator and responder, produced by the functions Init, Respond, and
   Finish, described below.  Both parties take as input a password-
   related string PRS, an optional unique shared session identifier sid,
   and an optional client identifier U and server identifier S (e.g., a
   device identifier, an IP address, or URL pertaining to the client and
   server).  Upon completion, both parties obtain matching session keys
   if their PRS, sid, key length (specified by N), and client and server
   identifiers match.  Otherwise, they obtain random keys.  In
   exceptional cases, the protocol aborts.




Vos, et al.              Expires 17 October 2025                [Page 9]

Internet-Draft               Hybrid PQ-PAKE                   April 2025


5.1.1.  Initiation

   The initiator starts the protocol using its password-related string
   PRS.  Additionally, it may bind the session to an existing shared
   session identifier sid.  CPace also allows to bind the session to an
   existing channel identifier.  To remain consistent with the other
   PAKEs in this specification, the channel identifier is the
   concatenation of optional client and server identifiers.

CPace.Init

Input:
- PRS, password-related string, a byte string
- sid, session identifier, a byte string
- U and S, client and server identifiers

Output:
- ya, discrete logarithm intended to be stored in secret until the protocol finishes
- Ya, public point, intended to be sent to the responder

Parameters:
- G, a group environment as specified in CPace

def Init(PRS, sid, U, S):
  g = G.calculate_generator(H, PRS, U || S, sid)
  ya = G.sample_scalar()
  Ya = G.scalar_mult(ya, g)
  return ya, Ya

5.1.2.  Response

   The responder performs the same actions as the initiator.  Since it
   already received the initiator's message, it can immediately finish
   its execution of the protocol.  It outputs the shared secret and a
   message Yb intended to be sent to the initiator.
















Vos, et al.              Expires 17 October 2025               [Page 10]

Internet-Draft               Hybrid PQ-PAKE                   April 2025


  CPace.Respond

  Input:
  - PRS, password-related string, a byte string
  - Ya, public point, received from the initiator
  - sid, session identifier, a byte string
  - U and S, client and server identifiers

  Output:
  - ISK, the established shared secret
  - Yb, public point, intended to be sent to the initiator

  Parameters:
  - G, a group environment as specified in CPace
  - H, a hash function as specified in CPace

  Exceptions:
  - CPaceError, raised when an invalid value was encountered in CPace

  def Respond(PRS, Ya, sid, U, S):
    g = G.calculate_generator(H, PRS, U || S, sid)
    yb = G.sample_scalar()
    Yb = G.scalar_mult(yb, g)

    K = G.scalar_mult_vfy(yb, Ya)
    If K = G.I, raise CPaceError

    ISK = H.hash(lv_cat(G.DSI || b"_ISK", sid, K) || transcript(Ya, Yb))

    return ISK, Yb

   The functions lv_cat and transcript are defined in [CPACE].

5.1.3.  Finish

   The initiator finishes the protocol by combining the discrete
   logarithm ya generated by CPace.Init and the message Yb received from
   the responder.













Vos, et al.              Expires 17 October 2025               [Page 11]

Internet-Draft               Hybrid PQ-PAKE                   April 2025


  CPace.Finish

  Input:
  - ya, discrete logarithm that was generated using CPace.Init
  - Yb, public point, received from the responder
  - sid, session identifier, a byte string

  Output:
  - ISK, the established shared secret

  Parameters:
  - G, a group environment as specified in CPace
  - H, a hash function as specified in CPace

  Exceptions:
  - CPaceError, raised when an invalid value was encountered in CPace

  def Finish(ya, Yb, sid):
    K = G.scalar_mult_vfy(ya, Yb)
    If K = G.I, raise CPaceError

    ISK = H.hash(lv_cat(G.DSI || b"_ISK", sid, K) || transcript(Ya, Yb))

    return ISK

5.2.  OQUAKE Specification

   OQUAKE is a PAKE built on a BUKEM and KDF.  If the BUKEM provides
   security against quantum-enabled attacks, then so does OQUAKE.  It
   consists of three messages sent between initiator and responder,
   produced by the functions Init, Respond, and Finish, described below.
   Both parties take as input a password-related string PRS, an optional
   session identifier sid, and an optional client identifier U and
   server identifier S.  Upon completion, both parties obtain matching
   session keys if their PRS, sid, key length (specified by N), and
   client and server identifiers match.  Otherwise, they obtain random
   session keys.

   The shared session identifier has the following requirements.  If a
   client and server identifier are provided:

   *  The session identifier must match between the client and server

   *  This session identifier has not been used before in a session
      between the client and server

   If no client and server identifiers are provided:




Vos, et al.              Expires 17 October 2025               [Page 12]

Internet-Draft               Hybrid PQ-PAKE                   April 2025


   *  The session identifier must match between the client and server

   *  This session identifier has not been used before by the client or
      server in any session with any other party

   These requirements originate from the security proof for OQUAKE.  If
   these requirements are not met, the proof does not apply, but this
   does not mean that the protocol becomes vulnerable.

5.2.1.  Initiation

   Init takes as input the initiator's PRS, an optional session
   identifier sid, and optional client and server identifiers U and S.
   It produces a context for the initiator to store, as well as a
   protocol message that is sent to the responder.  Its implementation
   is as follows.



































Vos, et al.              Expires 17 October 2025               [Page 13]

Internet-Draft               Hybrid PQ-PAKE                   April 2025


OQUAKE.Init

Input:
- PRS, password-related string, a byte string
- sid, session identifier, a byte string
- U and S, client and server identifiers

Output:
- context, opaque state for the initiator to store
- msg, an encoded protocol message for the initiator to send to the responder

Parameters:
- BUKEM, a BUKEM instance
- KDF, a KDF instance
- DST, domain separation tag, a byte string

def Init(PRS, sid, U, S):
  seed = random(BUKEM.Nseed)
  (pk, sk) = BUKEM.DeriveKeyPair(seed)

  r = random(3 * Nsec)

  fullsid = encode_sid(sid, U, S)

  // T = XOR(pk, H(fullsid, PRS, r))
  prk_T_pad = KDF.Extract(PRS, DST || "OQUAKE" || fullsid || r)
  T_pad = KDF.Expand(prk_T_pad, DST || "T_pad", Npk)
  T = XOR(pk, T_pad)

  // s = XOR(r, H(fullsid, PRS, T))
  prk_s_pad = KDF.Extract(PRS, DST || "OQUAKE" || fullsid || T)
  s_pad = KDF.Expand(prk_s_pad, DST || "s_pad", 3 * Nsec)
  s = XOR(r, s_pad)

  init_msg = s || T

  return Context(PRS, sk, s, T, fullsid), init_msg

   The encode_sid function is defined below.












Vos, et al.              Expires 17 October 2025               [Page 14]

Internet-Draft               Hybrid PQ-PAKE                   April 2025


   encode_sid

   Input:
   - sid, session identifier, a byte string
   - U and S, client and server identifiers

   Output:
   - fullsid, a byte string

   Parameters:
   - BUKEM, a BUKEM instance
   - KDF, a KDF instance

   def encode_sid(sid, U, U):
     fullsid =
       bytes_to_int(len(sid), 4) || sid ||
       bytes_to_int(len(U), 4) || U ||
       bytes_to_int(len(S), 4) || S
     return fullsid

5.2.2.  Response

   Respond takes as input the PRS, the initiator's protocol message, an
   optional session identifier, and optional client and server
   identifiers.  It produces a 32-byte symmetric key and a protocol
   message intended to be sent to the initiator.  Its implementation is
   as follows.
























Vos, et al.              Expires 17 October 2025               [Page 15]

Internet-Draft               Hybrid PQ-PAKE                   April 2025


   OQUAKE.Respond

   Input:
   - PRS, password-related string, a byte string
   - init_msg, encoded protocol message, a byte string
   - sid, session identifier, a byte string
   - U and S, client and server identifiers

   Output:
   - ss, output shared secret, a byte string of 32 bytes
   - resp_msg, encoded protocol message, a byte string

   Parameters:
   - BUKEM, a BUKEM instance
   - KDF, a KDF instance
   - DST, domain separation tag, a byte string

   def Respond(PRS, init_msg, sid, U, S):
     (s, T) = init_msg[0..(3 * Nsec)], init_msg[(3 * Nsec)..]

     fullsid = encode_sid(sid, U, S)
     prk_s_pad = KDF.Extract(PRS, DST || "OQUAKE" || fullsid || T)
     s_pad = KDF.Expand(prk_s_pad, DST || "s_pad", 3 * Nsec)
     r = XOR(s, s_pad)

     prk_T_pad = KDF.Extract(PRS, DST || "OQUAKE" || fullsid || r)
     T_pad = KDF.Expand(prk_T_pad, DST || "T_pad", Npk)
     pk = XOR(T, T_pad)

     (ct, k) = BUKEM.Encaps(pk)

     prk_sk = KDF.Extract(PRS, DST || "OQUAKE" || fullsid || k)
     key = KDF.Expand(prk_sk, DST || "sk", Nkey)

     h = KDF.Expand(prk_sk, DST || "confirm", Nkc)

     resp_msg = ct || h

     return resp_msg, key

5.2.3.  Finish

   Finish takes as input the initiator-created context that is output
   from Init as well as the responder's reply message resp_msg.  It
   produces a symmetric key that is output to the initiator.  Its
   implementation is as follows.





Vos, et al.              Expires 17 October 2025               [Page 16]

Internet-Draft               Hybrid PQ-PAKE                   April 2025


   OQUAKE.Finish

   Input:
   - context, opaque state for the initiator to store TODO
   - resp_msg, encoded protocol message, a byte string

   Output:
   - ss, output shared secret, a byte string of 32 bytes

   Parameters:
   - BUKEM, a BUKEM instance
   - KDF, a KDF instance
   - DST, domain separation tag, a byte string

   Exceptions:
   - AuthenticationError, raised when the key confirmation fails

   def Finish(context, resp_msg):
     (PRS, sk, s, T, fullsid) = context
     ct, h = resp_msg[0..Npk], resp_msg[Npk..]

     try:
       k = BUKEM.Decaps(sk, ct)
       prk_sk = KDF.Extract(PRS, DST || "OQUAKE" || fullsid || k)
       key = KDF.Expand(prk_sk, DST || "sk", Nkey)

       h_expected = KDF.Expand(prk_sk, DST || "confirm", Nkc)
       if h != h_expected:
         return random(Nkey)

       return key
     catch DecapsError:
       return random(Nkey)

5.3.  Composition of CPace & OQUAKE

   CPaceOQUAKE is a sequential composition of CPace (see Section 5.1)
   and OQUAKE (see Section 5.2).  Whereas running CPace and OQUAKE in
   parallel realizes a worst-of-both worlds PAKE, this sequential
   composition realizes a best-of-both worlds PAKE.  In other words,
   CPaceOQUAKE remains as secure as the strongest PAKE, resisting
   attacks that break the classical CPace (e.g. by a quantum-capable
   attacker) or attacks that break the quantum-resistant OQUAKE (e.g. by
   a flaw in the BUKEM).  This assumes that OQUAKE is instantiated with
   a quantum-resistant BUKEM.






Vos, et al.              Expires 17 October 2025               [Page 17]

Internet-Draft               Hybrid PQ-PAKE                   April 2025


   To be precise, CPaceOQUAKE first runs CPace using password-related
   string PRS, establishing a session key SK1 with the associated
   transcript tr1.  It then initiates OQUAKE using the password-related
   string H(fullsid, PRS, tr1, SK1); a secret derived from the the
   original password-related string and the outputs from the CPace
   instance.  Here, fullsid is the output of encode_sid(sid, U, S).  The
   final session key is then a hash of fullsid, the original password-
   related string, both CPace and OQUAKE transcripts (tr1 and tr2,
   respectively), and both session keys output from CPace and OQUAKE
   (SK1 and SK2, respectively), i.e., H(fullsid, tr1, tr2, SK1, SK2).

   This is outlined in the diagram below.  In CPaceOQUAKE, CPace is
   initiated by the first party, while OQUAKE is initiated by the other
   party.  This results in a protocol that requires three messages.

            +-------------------------------------------------------------------------------+
Client's    | CPaceOQUAKE                     +----------+                                  |    Server's
password ---)-------------+---PRS------------>|  CPace   +<--PRS---------+------------------(--- password
            |             |         +---------+ protocol +-+             |                  |
            |             |         |         +----------+ |             |                  |
            |             |         |                      +-------------(---------+        |
            |             v         v         +----------+               v         v        |
            | H(fullsid, PRS, tr1, SK1)------>|  OQUAKE  +<--H(fullsid, PRS, tr1, SK1)      |
Session <---)-H(fullsid, tr1, tr2, SK1, SK2)--+ protocol +---H(fullsid, tr1, tr2, SK1, SK2)-(--> Session
  key       |                                 +----------+                                  |      key
            +-------------------------------------------------------------------------------+

   Unlike OQUAKE, CPaceOQUAKE does not require a shared session
   identifier sid, although this is strongly recommended.  If no sid is
   provided, CPace will run without an sid, and OQUAKE will use a random
   string generated with random material provided by both parties.  If
   an sid is provided, both CPace and OQUAKE will use this sid.

   An overview of the protocol flow is shown below.  The protocol has
   four functions.  Init and InitiatorFinish are intended to be called
   by the initiator, and Respond and ResponderFinish are intended to be
   called by the responder.  The following subsections specify these
   functions.













Vos, et al.              Expires 17 October 2025               [Page 18]

Internet-Draft               Hybrid PQ-PAKE                   April 2025


   Client: PRS,sid,U,S       Server: PRS,sid,U,S
           -----------------------------------------
        ctx1, (s1, msg1) =                    |
   CPaceOQUAKE.Init(PRS,sid,U,S)              |
                |                             |
                |         (s1, msg1)          |
                |---------------------------->|
                |                             |
                |                ctx2, (s2, msg2, msg3) =
                |     CPaceOQUAKE.Respond(PRS,(s1,msg1),sid,U,S)
                |                             |
                |       s2, msg2, msg3        |
                |<----------------------------|
                |                             |
       client_key, msg4 =                     |
   CPaceOQUAKE.InitiatorFinish(PRS, ...       |
   (ctx1,s1),(s2,msg2,msg3),sid,U,S)          |
                |            msg4             |
                |---------------------------->|
                |                             |
                |                       server_key =
                |           CPaceOQUAKE.ResponderFinish(ctx2, msg4)
                |                             |
           -----------------------------------------
        output client_key              output server_key

5.3.1.  Client Initiation

   The client initiates a CPace exchange with the server using input
   PRS, an optional session identifier sid, and optional client and
   server identifiers U and S.  The output of this process is some
   context for completing the protocol and a protocol message.  The
   client sends this message to the server.


















Vos, et al.              Expires 17 October 2025               [Page 19]

Internet-Draft               Hybrid PQ-PAKE                   April 2025


CPaceOQUAKE.Init

Input:
- PRS, password-related string, a byte string
- sid, session identifier, a byte string
- U and S, client and server identifiers

Output:
- context, opaque state for the initiator to store
- msg, an encoded protocol message for the initiator to send to the responder

Parameters:
- CPace, parameterized instance of CPace

def Init(PRS, sid, U, S):
  ctx1, msg1 = CPace.Init(PRS, sid, U, S)
  s1 = random(32)
  init_msg = s1 || lv_encode(msg1)

  return (ctx1, s1), init_msg

5.3.2.  Server Response

   The server processes the client message using its input PRS, an
   optional session identifier sid, and optional client and server
   identifiers U and S.  The first output of this function is a context
   that is used to finish the protocol later.  The second output is a
   protocol message intended for the client.

   The server responds to the CPace session that the client initiated,
   and it initiates a new OQUAKE session using both the PRS and the key
   established by CPace.

   The server MUST ensure that exactly one of s1 and sid exists.  It
   MUST abort if the message does not have the correct length.
















Vos, et al.              Expires 17 October 2025               [Page 20]

Internet-Draft               Hybrid PQ-PAKE                   April 2025


CPaceOQUAKE.Respond

Input:
- PRS, password-related string, a byte string
- init_msg, the message received from the client
- sid, session identifier, a byte string
- U and S, client and server identifiers

Output:
- context, opaque state for the responder to store
- msg, an encoded protocol message for the responder to send to the initiator

Parameters:
- CPace, parameterized instance of CPace
- OQUAKE, parameterized instance of OQUAKE
- DST, domain separation tag, a byte string

def Respond(PRS, init_msg, sid, U, S):
  s1, msg1 = init_msg[0..32], lv_decode(init_msg[32..])

  key1, msg2 = CPace.Respond(PRS, msg1, sid, U, S)
  key1A = KDF.Expand(key1, DST || "prskey", Nkey)
  key1B = KDF.Expand(key1, DST || "outputkey", Nkey)

  s2 = random(32)
  prk_extended_sid = KDF.Extract(s1 || s2, DST || "CPaceOQUAKE")
  extended_sid = KDF.Expand(prk_extended_sid, DST || "SID", 32)

  fullsid = encode_sid(extended_sid, U, S)

  prk_PRS2 = KDF.Extract(PRS, DST || "CPaceOQUAKE" || fullsid || msg1 || msg2 || key1A)
  PRS2 = KDF.Expand(prk_PRS2, DST || "PRS2", Nkey)

  ctx2, msg3 = OQUAKE.Init(PRS2, extended_sid, U, S)

  resp_msg = s2 || lv_encode(msg2) || lv_encode(msg3)

  return Context(fullsid, PRS, msg1, msg2, msg3, key1B, ctx2), resp_msg

5.3.3.  Client Finish

   The client finishes the protocol by processing the server response.
   The client obtains a shared secret and a final message intended for
   the server.  It does so by finishing the CPace session and responding
   to the OQUAKE session.






Vos, et al.              Expires 17 October 2025               [Page 21]

Internet-Draft               Hybrid PQ-PAKE                   April 2025


   The client must ensure that exactly one of (s1, s2) and sid exists.
   The client should abort when the message does not have the correct
   length.

CPaceOQUAKE.InitiatorFinish

Input:
- PRS, password-related string, a byte string
- (ctx1, s1), the context generated by CPaceOQUAKE.Init
- resp_msg, the message received from the server
- sid, session identifier, a byte string
- U and S, client and server identifiers

Output:
- key, an N-byte shared secret
- msg, an encoded protocol message for the initiator to send to the responder

Parameters:
- CPace, parameterized instance of CPace
- OQUAKE, parameterized instance of OQUAKE
- DST, domain separation tag, a byte string

def InitiatorFinish(PRS, (ctx1, s1), resp_msg, sid, U, S):
  s2 = resp_msg[0..32]
  msg2 = lv_decode(resp_msg[32..])
  msg3 = lv_decode(resp_msg[32+len(msg2)..])

  key1 = CPace.Finish(ctx1, msg2, sid)
  key1A = KDF.Expand(key1, DST || "prskey", Nkey)
  key1B = KDF.Expand(key1, DST || "outputkey", Nkey)

  prk_extended_sid = KDF.Extract(s1 || s2, DST || "CPaceOQUAKE")
  extended_sid = KDF.Expand(prk_extended_sid, DST || "SID", 32)

  fullsid = encode_sid(extended_sid, U, S)
  prk_PRS2 = KDF.Extract(PRS, DST || "CPaceOQUAKE" || fullsid || msg1 || msg2 || key1A)
  PRS2 = KDF.Expand(prk_PRS2, DST || "PRS2", Nkey)

  key2, msg4 = OQUAKE.Respond(PRS2, msg3, extended_sid, U, S)

  prk_sessionkey = KDF.Extract(PRS, DST || "CPaceOQUAKE" || fullsid || msg1 || msg2 || msg3 || msg4 || key1B || key2)
  client_key = KDF.Expand(prk_sessionkey, DST || "sessionkey", Nkey)

  return client_key, msg4







Vos, et al.              Expires 17 October 2025               [Page 22]

Internet-Draft               Hybrid PQ-PAKE                   April 2025


5.3.4.  Server Finish

   The server finishes the protocol by finising OQUAKE using the
   client's response, outputting a shared secret of N bytes.  It should
   abort when the message does not have the correct length.

CPaceOQUAKE.ResponderFinish

Input:
- ctx, context from the server's Response
- msg4, the message received from the server, a byte string

Output:
- key, an N-byte shared secret

Parameters:
- OQUAKE, parameterized instance of OQUAKE
- DST, domain separation tag, a byte string

def ResponderFinish(ctx, msg4):
  (fullsid, PRS, msg1, msg2, msg3, key1B, ctx2) = ctx

  key2 = OQUAKE.Finish(ctx2, msg4)

  prk_sessionkey = KDF.Extract(PRS, DST || "CPaceOQUAKE" || fullsid || msg1 || msg2 || msg3 || msg4 || key1B || key2)
  server_key = KDF.Expand(prk_sessionkey, DST || "sessionkey", Nkey)

  return server_key

6.  CPaceOQUAKE+ Protocol

   CPaceOQUAKE+ is the 5 message aPAKE resulting from applying a KEM-
   based PAKE-to-aPAKE transformation to CPaceOQUAKE.  At a high level,
   this involves running CPaceOQUAKE on a verifier of the client's
   password.  To ensure that the client does indeed know the password
   pertaining to that verifier, there is an additional password
   confirmation stage that uses seed derived from the password.  Both
   the verifier and the seed are derived from the password using a key
   stretching function.  The seed is later used to derive a KEM public
   key.  We refer to the collection of the verifier and this public key
   as 'the verifiers'.

   The CPaceOQUAKE+ protocol can be seen as a close variant (and a
   specific instance) of the `augmented PAKE' construction presented in
   [LLH24] and in [Gu24].






Vos, et al.              Expires 17 October 2025               [Page 23]

Internet-Draft               Hybrid PQ-PAKE                   April 2025


6.1.  Registering Clients

   This subsection specifies functions for generating the verifiers and
   a protocol for registering clients.

6.1.1.  Generating Verifiers

   Verifiers are random-looking value derived from password-related
   strings from which it is computionally impractical to derive the
   password-related string.  To make verifiers unique between different
   users with the same password or servers that they interact with, we
   employ a salt, a user account identifier, and an optional server
   identifier.  The material required for the verifiers is generated as
   follows:

GenVerifierMaterial

Input:
- PRS, password-related string, a byte string
- salt, client-specific salt, a byte string
- U and S, client and server identifiers

Output:
- ss, output shared secret, a byte string of 32 bytes
- resp_msg, encoded protocol message, a byte string

Parameters:
- KEM, a KEM instance
- KSF, a parameterized KSF instance
- DST, domain separation tag, a byte string

def GenVerifierMaterial(PRS, salt, U, S):
  verifier_seed = KSF.Stretch(DST || PRS || U || S, salt, Nverifier + KEM.Nseed)
  verifier = verifier_seed[0:Nverifier]
  seed = verifier_seed[Nverifier:Nverifier + KEM.Nseed]
  return verifier, seed

   To derive an actual public key from the verifier material, we use the
   following function:












Vos, et al.              Expires 17 October 2025               [Page 24]

Internet-Draft               Hybrid PQ-PAKE                   April 2025


   GenVerifiers

   Input:
   - PRS, password-related string, a byte string
   - salt, client-specific salt, a byte string
   - U and S, client and server identifiers

   Output:
   - ss, output shared secret, a byte string of 32 bytes
   - resp_msg, encoded protocol message, a byte string

   Parameters:
   - KEM, a KEM instance

   def GenVerifiers(PRS, salt, U, S):
     verifier, seed = GenVerifierMaterial(PRS, salt, U, S)
     (pk, sk) = KEM.DeriveKeyPair(seed)
     return verifier, pk

   The server MUST store pk; it MUST NOT store seed.

6.1.2.  Registration

   The registration phase consists of one message sent from the client
   to the server.  This message contains the verifier, a public key, and
   32-byte salt.  The server stores this information corresponding to
   the client for future use in the verification flow.  This phase
   requires a secure channel from client to server in order to transfer
   the password verifier and public key.  The salt can be sent in plain
   text.

   We recommend that the salt is a random byte string: salt =
   random(32).  However, in practice this may require an additional
   communication flow, used by the server to send the salt to the client
   before protocol CPaceOQUAKE+ starts.  Instead, one may consider
   deriving the salt from some client-specific value that it knows and
   can retain locally.

   A high level flow overview of the registration flow is below.












Vos, et al.              Expires 17 October 2025               [Page 25]

Internet-Draft               Hybrid PQ-PAKE                   April 2025


   Client: PRS, salt, U, S              Server: N/A
          ---------------------------------------
    (v, pk) = GenVerifiers(PRS, salt, U, S)
               |                           |
               |    salt, v, pk, U, S      |
               |-------------------------->|
               |                           |
               |                Store (salt, v, pk, U, S)
               |                           |
          ---------------------------------------

6.2.  The Password Confirmation Stage

   In the password confirmation (PC) stage, the client proves knowledge
   of its password without revealing it.  It uses the registered
   verifiers from the previous subsection.  To do so securely, it uses
   the key established by CPaceOQUAKE, which allows it to realize a
   confidential but unauthenticated channel.  In other words, this
   password confirmation stage cannot be used by itself.  This PC stage
   is parameterized by a KEM, KDF, KSF, and is additionally bound to the
   preceding protocol via an agreed-upon transcript (tx); see Section 7
   for specific parameter configurations.

   The password confirmation is a two-round challenge-response flow
   between the server and client.  In particular, the server challenges
   the client to prove knowledge of its password.  More precisely, it
   challenges the client to prove knowledge of a seed, derived from the
   GenVerifierMaterial function (and in turn derived from the password
   using a key stretching function).  Both client and server share a
   symmetric key as input.  Additionally, the server has the client's
   public key and salt stored from the previous registration flow.

   A high level overview of this flow is below.


















Vos, et al.              Expires 17 October 2025               [Page 26]

Internet-Draft               Hybrid PQ-PAKE                   April 2025


  Client: SK, tx, seed, sid, U, S      Server: SK, tx, pk, sid, U, S
         ---------------------------------------
            ctx, challenge = PC-Challenge(SK, tx, pk, sid, U, S)
              |                           |
              |         challenge         |
              |<--------------------------|
              |                           |
  client_key, response = PC-Response(SK, tx, seed, challenge, sid, U, S)
              |                           |
              |         response          |
              |-------------------------->|
              |                           |
                  server_key = PC-Verify(ctx, response)
              |                           |
         ---------------------------------------
    output client_key            output server_key

6.2.1.  Server Challenge

   To construct the challenge, the server encapsulates to the client's
   public key.  From the resulting shared secret, it then derives
   password confirmation values and a new shared secret.  The challenge
   message is the ciphertext encrypted using a one-time pad derived from
   the shared secret.  The password confirmation values are byte strings
   of length Nkc.

   The implementation MUST NOT reveal server_key from the context.
























Vos, et al.              Expires 17 October 2025               [Page 27]

Internet-Draft               Hybrid PQ-PAKE                   April 2025


PC-Challenge

Input:
- SK, 32-byte symmetric key, a byte string
- transcript, the transcript from previously executed protocols to which this protocol is bound, a byte string
- pk, client-registered public key, a KEM public key
- sid, session identifier, a byte string
- U and S, client and server identifiers

Output:
- context, opaque state for the server to store values to complete the protocol
- challenge, an encoded protocol message for the server to send to the client

Parameters:
- KEM, a KEM instance
- KDF, a KDF instance
- DST, domain separation tag, a byte string

def PC-Challenge(SK, transcript, pk, sid, U, S):
  (c, k) = KEM.Encaps(pk)
  r = KDF.Expand(SK, DST || "OTP", Nct)
  enc_c = XOR(c, r)

  confirm_input = encode_sid(sid, U, S) || enc_c || transcript

  prk_k_h1 = KDF.Extract(SK, DST || "h1" || confirm_input)
  prk_k_h2 = KDF.Extract(SK, DST || "h2" || confirm_input || k)

  // Derive h1 from the full transcript excluding k
  client_confirm = KDF.Expand(prk_k_h1, DST || "client_confirm", Nkc)

  // Derive h2 || SK from the full transcript including k
  server_confirm = KDF.Expand(prk_k_h2, DST || "server_confirm", Nkc)
  server_key = KDF.Expand(prk_k_h2, DST || "key", Nkey)

  challenge = (enc_c, client_confirm)

  return Context(server_confirm, server_key), challenge

6.2.2.  Client Response

   Upon receipt of the challenge, the client recovers the KEM ciphertext
   by decrypting the one-time pad ciphertext included in the challenge,
   using the key derived from the shared secret.  It then uses the seed
   to re-derive the KEM key pair, using the same procedure followed
   during the registration flow.  The client then decapsulates the KEM
   ciphertext to recover the shared secret and derive the same password
   confirmation values and new shared secret as the server.



Vos, et al.              Expires 17 October 2025               [Page 28]

Internet-Draft               Hybrid PQ-PAKE                   April 2025


   The client then checks that the server-provided confirmation value
   matches its own and aborts if not.  Otherwise, it returns its own
   password confirmation value.  The client outputs the new shared
   secret as its output.

PC-Response

Input:
- SK, 32-byte symmetric key, a byte string
- transcript, the transcript from previously executed protocols to which this protocol is bound, a byte string
- seed, seed used to derive KEM public key
- challenge, an encoded protocol message for the server to send to the client
- sid, session identifier, a byte string
- U and S, client and server identifiers

Output:
- client_key, a 32-byte string
- response, an encoded protocol message for the client to send to the server

Exceptions:
- AuthenticationError, raised when the password confirmation values do not match

Parameters:
- KEM, a KEM instance
- KDF, a KDF instance
- DST, domain separation tag, a byte string

def PC-Response(SK, transcript, seed, challenge, sid, U, S):
  (enc_c, client_confirm_target) = challenge
  r = KDF.Expand(SK, DST || "OTP", Nct)
  c = XOR(enc_c, r)

  (pk, sk) = KEM.DeriveKeyPair(seed)

  try:
    k = KEM.Decaps(sk, c)

    confirm_input = encode_sid(sid, U, S) || enc_c || transcript

    prk_k_h1 = KDF.Extract(SK, DST || "h1" || confirm_input)
    prk_k_h2 = KDF.Extract(SK, DST || "h2" || confirm_input || k)

    // Derive h1 from the full transcript excluding k
    client_confirm = KDF.Expand(prk_k_h1, DST || "client_confirm", Nkc)

    // Derive h2 || SK from the full transcript including k
    server_confirm = KDF.Expand(prk_k_h2, DST || "server_confirm", Nkc)
    client_key = KDF.Expand(prk_k_h2, DST || "key", Nkey)



Vos, et al.              Expires 17 October 2025               [Page 29]

Internet-Draft               Hybrid PQ-PAKE                   April 2025


    if client_confirm != client_confirm_target:
      raise AuthenticationError

    return client_key, server_confirm
  catch DecapsError:
    raise AuthenticationError

6.2.3.  Server Verify

   Upon receipt of the response, the server validates that the password
   confirmation value matches its own value.  If the value does not
   match, the server aborts.  Otherwise, the server outputs the new
   shared secret as its output.

PC-Verify

Input:
- context, opaque context produced by Challenge
- server_confirm_target, client's response message, a byte string

Output:
- server_key, a 32-byte string

Exceptions:
- AuthenticationError, raised when the password confirmation values do not match

Parameters:

def PC-Verify(context, server_confirm_target):
  (server_confirm, server_key) = context
  if server_confirm != server_confirm_target:
    raise AuthenticationError
  return server_key

6.3.  Composition of CPaceOQUAKE & Password Confirmation

   The composition of CPaceOQUAKE and the password confirmation stage is
   strictly sequential.  First, the parties run CPaceOQUAKE using the
   verifier.  The client recovers this verifier using the
   GenVerifierMaterial function.  After that, the parties proceed with
   password confirmation, which is initiated by the server using the
   stored public key.  The client uses the seed that was also produced
   by GenVerifierMaterial to prove knowledge of the password.  This seed
   MUST remain secret to prevent impersonation.  An overview of the
   composition is below.






Vos, et al.              Expires 17 October 2025               [Page 30]

Internet-Draft               Hybrid PQ-PAKE                   April 2025


           +----------------------------------------------+
           | CPaceOQUAKE+                                 |
           |                          +--------------+    |
Client's   |   .-------------------.  | CPaceOQUAKE  |    |
password --)->| GenVerifierMaterial + | +----------+ |    |
           |   '----+---+----------'  | |  CPace   | |    |
           |        |   |             | | protocol | |    |
           |        |   +--Verifier-->| +----------+ |<---(-- Verifier
           |        |                 |              |    |
           |        |                 | +----------+ |    |
           |        |                 | |  OQUAKE  | |    |
           |        |               +-+ | protocol | +-+  |
           |        |               | | +----------+ | |  |
           |        |               | +--------------+ |  |
           |        |              SK  .------------.  SK |
           |        |               | |              | |  |
           |        |               | |              | |  |
           |        |               +->   Password   <-+  |
           |        +------seed-------> confirmation <----(-- Public key
           |                          |              |    |
Session <--)--------------------------+              +----(--> Session
  key      |                           '------------'     |      key
           +----------------------------------------------+

   Upon successful completion of the entire protocol, the client and
   server will share a symmetric key that was authenticated by knowledge
   of the password.  The protocol aborts if the password did not match.
   The protocol flows are shown below.  Note here that if the client
   does not know the salt, the server must send it to the client before
   the protocol starts, which it can do in plain text.





















Vos, et al.              Expires 17 October 2025               [Page 31]

Internet-Draft               Hybrid PQ-PAKE                   April 2025


  Client: PRS,salt,U,S,sid      Server: v,pk,U,S,sid
            ----------------------------------------
  (v, seed) = GenVerifierMaterial(PRS,salt,U,S)  |
  ctx1, msg1 = CPaceOQUAKE.Init(v,sid,U,S)       |
              |                                  |
              |               msg1               |
              |--------------------------------->|
              |                                  |
              | ctx2, msg2 = CPaceOQUAKE.Respond(v,msg1,sid,U,S)
              |                                  |
              |               msg2               |
              |<---------------------------------|
              |                                  |
  SK, msg3 = CPaceOQUAKE.InitiatorFinish(        |
    v,ctx1,msg2,sid,U,S)                         |
              |                                  |
              |               msg3               |
              |--------------------------------->|
              |                                  |
              |              SK = CPaceOQUAKE.ResponderFinish(ctx2,msg3)
              |              tx = msg1 || msg2 || msg3
              |             ctx3, chal = PC-Challenge(SK,tx,pk,sid,U,S)
              |                                  |
              |               chal               |
              |<---------------------------------|
              |                                  |
        tx = msg1 || msg2 || msg3                |
  client_key, resp = PC-Response(SK,tx,seed,chal,sid,U,S)
              |                                  |
              |               resp               |
              |--------------------------------->|
              |                                  |
              |                   server_key = PC-Verify(ctx2, resp)
              |                                  |
            ----------------------------------------
        output client_key                 output server_key

7.  CPaceOQUAKE+ Configurations

   CPaceOQUAKE+ is instantiated by selecting a configuration of a group
   and hash function for the CPace protocol, a KEM, KDF, KSF, for
   password confirmation, and a KEM and KDF for CPaceOQUAKE, and a
   general purpose cryptographic hash function H.  The KEM, KDF, are not
   required to be the same, so they are distinguished by "PC-" and
   "PAKE-" prefixes, e.g., PC-KDF and PAKE-KDF are the KDFs for the
   password confirmation stage and the CPaceOQUAKE protocol,
   respectively.




Vos, et al.              Expires 17 October 2025               [Page 32]

Internet-Draft               Hybrid PQ-PAKE                   April 2025


   The RECOMMENDED configuration is below.

   *  CPace-Group: CPACE-RISTR255-SHA512 Section 4 of [CPACE]

   *  CPace-Hash: SHA-512

   *  KEM: X-Wing [XWING], where Nseed = 32, Nct = 1120, and Npk = 1216.

   *  PC-KDF: HKDF-SHA-256

   *  PC-KSF: Argon2id(S = zeroes(16), p = 4, T = Nh, m = 2^21, t = 1, v
      = 0x13, K = nil, X = nil, y = 2) [ARGON2]

   *  BUKEM: ML-BUKEM768 Section 4.2, where Nseed = 64, Nct = 1514, and
      Npk = 1172.

   *  PAKE-KDF: HKDF-SHA-256

   *  H: SHA256

   *  DST:
      "1b3abc3cd05e8054e8399bc38dfcbc1321d2e1b02da335ed1e8031ef5199f672"
      (a randomly generated 32-byte string)

   The RECOMMENDED parameters are (see Appendix A):

   *  Nverifier = 32

   *  Nkc = 64

   *  Nsec = 32

   *  Nkey = 32, this is achieved by choosing H in CPace with
      H.b_in_bytes = 32

   Other documents can define configurations as needed for their use
   case, subject to the following requirements:

   1.  KEM MUST be a hybrid KEM, i.e., one that achieves both classical
       and post-quantum security.

   2.  The parameters must be chosen so they correspond with this KEM.
       E.g., Nseed must have the correct length.

   For instance, one possible additional configuration is as follows.

   *  CPace-Group: CPACE-P256_XMD:SHA-256_SSWU_NU_-SHA256 Section 4 of
      [CPACE]



Vos, et al.              Expires 17 October 2025               [Page 33]

Internet-Draft               Hybrid PQ-PAKE                   April 2025


   *  CPace-Hash: SHA-256

   *  KEM: X-Wing [XWING], where Nseed = 32, Nct = 1120, and Npk = 1216.

   *  PC-KDF: HKDF-SHA-256

   *  PC-KSF: Scrypt(N = 32768, r = 8, p = 1) [SCRYPT]

   *  BUKEM: ML-BUKEM768 Section 4.2, where Nseed = 64, Nct = 1514, and
      Npk = 1172.

   *  PAKE-KDF: HKDF-SHA-256

   *  H: SHA256

   *  DST:
      "b840fa4d4b4caec9e25d13d8c016cfe93e7468d54e936490bd0b0a3ffca1a01b"
      (a randomly generated 32-byte string)

8.  Implementation Considerations

   Some functions included in this specification are fallible (as noted
   by their ability to raise exceptions).  The explicit errors generated
   throughout this specification, along with conditions that lead to
   each error, are as follows:

   *  AuthenticationError: The PC protocol fails password confirmation
      checks at the client or server; Section 6.2

   Beyond these explicit errors, CPaceOQUAKE+ implementations can
   produce implicit errors.  For example, if protocol messages sent
   between client and server do not match their expected size, an
   implementation should produce an error.

   The errors in this document are meant as a guide for implementors.
   They are not an exhaustive list of all the errors an implementation
   might emit.  For example, an implementation might run out of memory.

9.  Security Considerations

   This section discusses security considerations for the protocols
   specified in this document.









Vos, et al.              Expires 17 October 2025               [Page 34]

Internet-Draft               Hybrid PQ-PAKE                   April 2025


9.1.  Identities

   Client and server identities are essential to authenticated key
   exchange protocols, and PAKEs are no exception.  This section
   discusses the role and importance of identities in the PAKE protocols
   specified in this document.

9.1.1.  Symmetric PAKE identities

   PAKEs are often analyzed in the universal composability (UC)
   framework, which imposes several requirements on the protocols: (1)
   the existence of a globally-unique session identifer associated with
   each protocol invocation, and (2) unique party identifiers.  Both are
   considered as inputs to PAKEs, along with the password itself.  In
   practice, however, computing or agreeing on session and party
   identifiers is non-trivial and cumbersome.  For example, agreeing on
   a globally unique session identifier requires a protocol to run
   before the PAKE.  Moreover, assigning identifiers to parties --
   especially in symmetric PAKE settings -- is problematic as there are
   rarely pragmatic choices to be made for each party's identifier.  IP
   addresses are not always unique, PKI or some other registry mechanism
   for assigning names may not exist, and so on.

   Intuitively, in symmetric settings, passwords are the only secret
   input to the PAKE protocol; party identities are assumed to be
   public.  As such, an adversary is assumed to know these identifiers.
   Fortunately, there exists a UC model in which symmetric PAKEs such as
   CPace are proven secure without requiring party or session
   identifiers -- the bare PAKE model [BARE-PAKE].  The UC bare PAKE
   model, and proof of security for CPace in this model, demonstrate
   that PAKEs are universally composable without relying on unique party
   or session identifiers.  We believe that the current proof of
   security of OQUAKE in [ABJ25] can be extended to show that NoIC, the
   basis of OQUAKE, realizes the Bare PAKE model as well, although we
   note that that this proof has not been published yet.

   As such, for the PAKEs in Section 5, both the party and session
   identifier are optional.  Applications are free to choose values for
   these identifiers if applicable, but they are not required for
   security.

   [[OPEN ISSUE: adjust the requirements for the identities in OQUAKE on
   the basis on the bare PAKE analysis]]








Vos, et al.              Expires 17 October 2025               [Page 35]

Internet-Draft               Hybrid PQ-PAKE                   April 2025


9.1.2.  Asymmetric PAKE identities

   In contrast to the symmetric PAKE setting, party identities in the
   asymmetric PAKE setting play a different role.  The very nature of
   the asymmetric PAKE is that one server, with many different
   registered passwords, can authenticate many different clients.
   Consequently, when the protocol runs, the server needs some way to
   determine which password registration to use in the protocol.  Beyond
   ensuring that the server is authenticating the correct client, the
   client's identity is what helps the server make this selection.

   However, the server identifier carries a similar burden.  Indeed, the
   server identifier is used to distinguish distinct server instances
   from each other so, for example, a client cannot mistakenly
   authenticate with server A when communicating with server B.  This is
   especially important if the client re-uses their identifier across
   server instances, since a password registration for server A would
   then be valid for server B if the server identity were not
   incorporated into the protocol.

   Based on this, client and server identities are RECOMMENDED for the
   asymmetric PAKEs specified in this document (in Section 6).  Both
   client and server identities can be long-lived, e.g., a client
   identity could be an email address and a server identity could be a
   domain name.

   Practically, applications should be mindful of what happens when
   these identities change.  Since they are both included in the
   password verifier (see Section 6.1.1), changing either identifier
   will require the veirifer to be re-computed and the client to be re-
   registered.  For a single client, this change is minimal, but for a
   single server, which can have many registered clients, this change
   can be expensive.  Applications therefore ought to consider the
   longevitiy and uniqueness of their party identifiers when
   instantiating these protocols.

10.  IANA Considerations

   This document has no IANA actions.

11.  References

11.1.  Normative References








Vos, et al.              Expires 17 October 2025               [Page 36]

Internet-Draft               Hybrid PQ-PAKE                   April 2025


   [ARGON2]   Biryukov, A., Dinu, D., Khovratovich, D., and S.
              Josefsson, "Argon2 Memory-Hard Function for Password
              Hashing and Proof-of-Work Applications", RFC 9106,
              DOI 10.17487/RFC9106, September 2021,
              <https://www.rfc-editor.org/rfc/rfc9106>.

   [CPACE]    Abdalla, M., Haase, B., and J. Hesse, "CPace, a balanced
              composable PAKE", Work in Progress, Internet-Draft, draft-
              irtf-cfrg-cpace-13, 14 October 2024,
              <https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-
              cpace-13>.

   [FIPS202]  National Institute of Standards and Technology (NIST),
              "SHA-3 Standard: Permutation-Based Hash and Extendable-
              Output Functions", August 2015,
              <https://nvlpubs.nist.gov/nistpubs/FIPS/
              NIST.FIPS.202.pdf>.

   [FIPS203]  National Institute of Standards and Technology (NIST),
              "Module-Lattice-Based Key-Encapsulation Mechanism
              Standard", August 2024,
              <https://csrc.nist.gov/pubs/fips/203/final>.

   [KEMELEON] Günther, F., Stebila, D., and S. Veitch, "Kemeleon
              Encodings", Work in Progress, Internet-Draft, draft-
              veitch-kemeleon-00, 29 November 2024,
              <https://datatracker.ietf.org/doc/html/draft-veitch-
              kemeleon-00>.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/rfc/rfc2119>.

   [RFC8017]  Moriarty, K., Ed., Kaliski, B., Jonsson, J., and A. Rusch,
              "PKCS #1: RSA Cryptography Specifications Version 2.2",
              RFC 8017, DOI 10.17487/RFC8017, November 2016,
              <https://www.rfc-editor.org/rfc/rfc8017>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/rfc/rfc8174>.

   [SCRYPT]   Percival, C. and S. Josefsson, "The scrypt Password-Based
              Key Derivation Function", RFC 7914, DOI 10.17487/RFC7914,
              August 2016, <https://www.rfc-editor.org/rfc/rfc7914>.





Vos, et al.              Expires 17 October 2025               [Page 37]

Internet-Draft               Hybrid PQ-PAKE                   April 2025


   [XWING]    Connolly, D., Schwabe, P., and B. Westerbaan, "X-Wing:
              general-purpose hybrid post-quantum KEM", Work in
              Progress, Internet-Draft, draft-connolly-cfrg-xwing-kem-
              06, 21 October 2024,
              <https://datatracker.ietf.org/doc/html/draft-connolly-
              cfrg-xwing-kem-06>.

11.2.  Informative References

   [ABJ25]    Arriaga, A., Barbosa, M., and S. Jarecki, "NoIC: PAKE from
              KEM without Ideal Ciphers", n.d.,
              <https://eprint.iacr.org/2025/231>.

   [BARE-PAKE]
              Barbosa, M., Gellert, K., Hesse, J., and S. Jarecki, "Bare
              PAKE: Universally Composable Key Exchange from Just
              Passwords", Springer Nature Switzerland, Lecture Notes in
              Computer Science pp. 183-217,
              DOI 10.1007/978-3-031-68379-4_6, ISBN ["9783031683787",
              "9783031683794"], 2024,
              <https://doi.org/10.1007/978-3-031-68379-4_6>.

   [Gu24]     Gu, Y., "New Paradigms For Efficient Password
              Authentication Protocols", n.d.,
              <https://www.escholarship.org/uc/item/7qm0220s>.

   [HR24]     Hesse, J. and M. Rosenberg, "PAKE Combiners and Efficient
              Post-Quantum Instantiations", n.d.,
              <https://eprint.iacr.org/2024/1621>.

   [LL24]     Lyu, Y. and S. Liu, "Hybrid Password Authentication Key
              Exchange in the UC Framework", n.d.,
              <https://eprint.iacr.org/2024/1630>.

   [LLH24]    Lyu, Y., Liu, S., and S. Han, "Efficient Asymmetric PAKE
              Compiler from KEM and AE", n.d.,
              <https://eprint.iacr.org/2024/1400>.

   [OPAQUE]   Bourdrez, D., Krawczyk, H., Lewi, K., and C. A. Wood, "The
              OPAQUE Augmented PAKE Protocol", Work in Progress,
              Internet-Draft, draft-irtf-cfrg-opaque-18, 21 November
              2024, <https://datatracker.ietf.org/doc/html/draft-irtf-
              cfrg-opaque-18>.








Vos, et al.              Expires 17 October 2025               [Page 38]

Internet-Draft               Hybrid PQ-PAKE                   April 2025


   [SPAKE2PLUS]
              Taubert, T. and C. A. Wood, "SPAKE2+, an Augmented
              Password-Authenticated Key Exchange (PAKE) Protocol",
              RFC 9383, DOI 10.17487/RFC9383, September 2023,
              <https://www.rfc-editor.org/rfc/rfc9383>.

Appendix A.  Deriving parameters

   This section discusses how to generate parameters, given an upper
   bound on an adversary's advantage in breaking the hybrid (a)PAKE.
   The parameters in this standard correspond to a classical hardness of
   117 bits (considering the attacker can break CPace) and a quantum
   hardness of 100 bits.  We assume that an adversary can perform at
   most 2^qq queries to random oracles or (a)PAKE sessions.  We use qq =
   64.  The derivation below uses some approximations, ignoring small
   constants in the exponent such as 1 and 1.6.  We also only study
   dominant terms in the advantage equations.

A.1.  Parameters for CPaceOQUAKE+

   We have the following requirements:

   *  Nseed * 8 + Nverifier * 8 >= 2 * qq + classical hardness

   *  Nverifier * 8 >= qq + classical hardness

   *  Nkc * 8 >= qq + classical hardness

   *  KEM failure <= -qq - classical hardness

   *  KEM ind vs classical <= -qq - classical hardness

   *  KEM ind vs quantum <= -qq - quantum hardness

   *  CPaceOQUAKE vs classical <= classical hardness

   *  CPaceOQUAKE vs quantum <= quantum hardness

   For ML-KEM we have Nseed = 32.  For consistency, the spec uses
   Nverifier = 32.  ML-KEM768's failure probability is 2^-165.2 and ML-
   KEM1024's failure probability is 2^-175.2.  Both are slightly too
   large, but we deem them acceptable: the chance that an adversary
   encounters a failure is purely statistical and very small.

   The following subsection discusses the parameters and hardness of
   CPaceOQUAKE.





Vos, et al.              Expires 17 October 2025               [Page 39]

Internet-Draft               Hybrid PQ-PAKE                   April 2025


A.2.  Parameters for CPaceOQUAKE

   For the security of CPaceOQUAKE+, we require that CPaceOQUAKE
   provides:

   *  CPaceOQUAKE vs classical <= classical hardness

   *  CPaceOQUAKE vs quantum <= quantum hardness

   We have the following requirements when CPaceOQUAKE relies on CPace's
   security:

   *  CPace vs classical <= classical hardness

   *  Nkey * 8 >= qq + classical hardness

   *  KEM failure <= -qq - classical hardness

   We have the following requirements when CPaceOQUAKE relies on
   OQUAKE's security:

   *  OQUAKE vs classical <= classical hardness

   *  OQUAKE vs quantum <= quantum hardness

   *  Nkey * 8 >= 2*qq + classical hardness

   So, the smallest Nkey = 32.  We ignore the KEM failure following the
   same reasoning as above.

   The following subsections discuss the parameters and hardness of
   CPace and OQUAKE.

A.3.  Parameters for CPace

   We refer to the CPace [CPACE].  This standard requires Nkey, the
   number of bytes in CPace's session key, to be 32, so one must set
   H.bmax_in_bytes = 32.

A.4.  Parameters for OQUAKE

   We have the following requirements:

   *  BUKEM ind vs classical <= -qq - classical hardness

   *  BUKEM ind vs quantum <= -qq - quantum hardness





Vos, et al.              Expires 17 October 2025               [Page 40]

Internet-Draft               Hybrid PQ-PAKE                   April 2025


   *  BUKEM public key uniformity vs classical <= -qq - classical
      hardness

   *  BUKEM public key uniformity vs quantum <= -qq - quantum hardness

   *  BUKEM ciphertext uniformity vs classical <= -qq - classical
      hardness

   *  BUKEM ciphertext uniformity vs quantum <= -qq - quantum hardness

   *  BUKEM key * 8 >= qq + classical hardness

   *  KEM failure <= -qq - classical hardness

   For, ML-BUKEM it is as hard or harder to break public key and
   ciphertext uniformity as it is to break indistinguishability, so we
   discuss all three properties at once.

   For ML-BUKEM768, the resistance to classical attacks is approximately
   181 - qq bits of security.  So for qq = 64, classical hardness is
   approximately 117 bits of security.  The resistance to quantum
   attacks is approximately 164 - qq bits of security.  So for qq = 64,
   quantum hardness is approximately 100 bits of security.

   For ML-BUKEM1024, this would come out to 253 - 64 = 189 bits of
   security for classical attacks and 230 - 64 = 166 bits of security
   for quantum attacks.

   The ML-BUKEM key is 32 bytes, so this satisfies the requirements.  We
   ignore the KEM failure following the same reasoning as above.

Authors' Addresses

   Jelle Vos
   Email: jvos@apple.com


   Stanislaw Jarecki
   University of California, Irvine
   Email: sjarecki@ics.uci.edu


   Christopher A. Wood
   Apple, Inc.
   Email: caw@heapingbits.net






Vos, et al.              Expires 17 October 2025               [Page 41]