1 unstable release
| new 0.1.0 | Mar 7, 2026 |
|---|---|
#2733 in Cryptography
Used in pakery-crypto
35KB
544 lines
pakery-cpace
CPace balanced PAKE protocol implementation (draft-irtf-cfrg-cpace).
Part of the pakery workspace.
CPace is a balanced (symmetric) PAKE: both parties share the same password and derive a shared session key. It is simple, efficient, and provably secure in the UC model.
Usage
```toml
[dependencies]
pakery-cpace = "0.1"
pakery-crypto = { version = "0.1", features = ["ristretto255"] }
```
Example
```rust
use pakery_cpace::{CpaceCiphersuite, CpaceInitiator, CpaceResponder, CpaceMode};
use pakery_crypto::{Ristretto255Group, Sha512Hash};

// Ciphersuite binding: ristretto255 group with SHA-512.
struct MyCpaceSuite;

impl CpaceCiphersuite for MyCpaceSuite {
    type Group = Ristretto255Group;
    type Hash = Sha512Hash;
    const DSI: &'static [u8] = b"CPaceRistretto255";
    const HASH_BLOCK_SIZE: usize = 128;
    const FIELD_SIZE_BYTES: usize = 32;
}

fn main() {
    let mut rng = rand_core::OsRng;

    // Initiator starts the exchange
    let (ya, state) = CpaceInitiator::<MyCpaceSuite>::start(
        b"password", b"channel", b"session", b"ad_a", &mut rng,
    ).unwrap();

    // Responder processes initiator's share and responds
    let (yb, resp_out) = CpaceResponder::<MyCpaceSuite>::respond(
        &ya, b"password", b"channel", b"session",
        b"ad_a", b"ad_b", CpaceMode::InitiatorResponder, &mut rng,
    ).unwrap();

    // Initiator finishes
    let init_out = state.finish(&yb, b"ad_b", CpaceMode::InitiatorResponder).unwrap();

    // Both sides derive the same intermediate session key
    assert_eq!(init_out.isk.as_bytes(), resp_out.isk.as_bytes());
}
```
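What the exchange above yields when the two passwords differ, shown with an added toy model that is not the pakery-cpace API or the project's code: each side still completes, but the intermediate session keys disagree, so a mismatch only surfaces once the key is used or confirmed. The 61-bit prime group, `DefaultHasher` standing in for SHA-512, the simplified key derivation and the fixed scalars are assumptions constructed for illustration and are not secure.

```rust
// Toy model of the CPace message flow. NOT secure, not the pakery-cpace API.
use std::collections::hash_map::DefaultHasher;
use std::hash::Hasher;

const P: u128 = (1 << 61) - 1; // toy prime modulus (assumption); real suites use ristretto255
const DSI: &[u8] = b"toy-cpace"; // constructed domain separator
const CI: &[u8] = b"channel"; // channel identifier, as in the usage example
const SID: &[u8] = b"session"; // session identifier, as in the usage example

// Length-prefixed hash over several fields (stand-in for SHA-512).
fn h(parts: &[&[u8]]) -> u64 {
    let mut s = DefaultHasher::new();
    for p in parts {
        s.write(&(p.len() as u64).to_le_bytes());
        s.write(p);
    }
    s.finish()
}

// Square-and-multiply modular exponentiation.
fn pow(mut b: u128, mut e: u64) -> u128 {
    let mut r = 1u128;
    while e > 0 {
        if e & 1 == 1 { r = r * b % P; }
        b = b * b % P;
        e >>= 1;
    }
    r
}

// Public share Y = g^y, with g derived from password, channel id and session id.
fn share(pw: &[u8], y: u64) -> u128 {
    let g = h(&[DSI, pw, CI, SID]) as u128 % (P - 3) + 2; // g in [2, P-2]
    pow(g, y)
}

// ISK = H(sid, K, Ya, ADa, Yb, ADb) with K = peer^y.
fn isk(y: u64, peer: u128, ya: u128, yb: u128) -> u64 {
    let k = pow(peer, y).to_le_bytes();
    h(&[SID, &k, &ya.to_le_bytes(), b"ad_a", &yb.to_le_bytes(), b"ad_b"])
}

// Runs both sides with constructed scalars; returns (initiator ISK, responder ISK).
pub fn run(pw_a: &[u8], pw_b: &[u8]) -> (u64, u64) {
    let (a, b) = (0x1234_5678_9abc_u64, 0x0fed_cba9_8765_u64);
    let (ya, yb) = (share(pw_a, a), share(pw_b, b));
    (isk(a, yb, ya, yb), isk(b, ya, ya, yb))
}

fn main() { println!("{:x?}", run(b"password", b"passw0rd")); }
```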
Features
| Feature | Description |
|---|---|
| `std` (default) | Enable `std` support |
| `getrandom` | Enable OS-backed RNG via `rand_core/getrandom` |
Security
- `#![forbid(unsafe_code)]`
- Constant-time comparisons via `subtle`
- Secret values zeroized on drop via `zeroize`
- Validated against draft-irtf-cfrg-cpace test vectors
MSRV
The minimum supported Rust version is 1.79.
License
Licensed under either of Apache License, Version 2.0 or MIT License at your option.
Dependencies
~210–630KB
~14K SLoC