For production use, see opaque-ke - the audited, RFC 9807-compliant Rust implementation from Meta.
This repository is a historical reference implementation of the OPAQUE protocol targeting draft-krawczyk-cfrg-opaque-03 (October 2019).
OPAQUE has since been finalized as RFC 9807 (July 2025) with significant protocol changes. This codebase documents what the early draft looked like before the CFRG working group refined it into the final standard.
A Rust implementation of draft-03 OPAQUE featuring:
- Custom DH-OPRF with multiplicative blinding
- SIGMA-I key exchange (signature-based)
- AES-GCM-SIV encrypted envelopes
- Ristretto group operations via curve25519-dalek
The final RFC is essentially a complete rewrite:
| Aspect | This Implementation (draft-03) | RFC 9807 |
|---|---|---|
| Key Exchange | SIGMA-I (signatures) | 3DH (MACs only) |
| Envelope | Encrypted credentials | Auth-only, derived keys |
| OPRF | Custom with v=g^k in hash | RFC 9497 standard |
| Password stretch | Optional | Required (Argon2id) |
See docs/specs/SPEC_DIFF.md for the full breakdown.
Use opaque-ke:

```toml
[dependencies]
opaque-ke = "4.0"
```

It's:
- RFC 9807 compliant
- Audited by NCC Group (sponsored by WhatsApp)
- Battle-tested in production
- Actively maintained
OPAQUE is an asymmetric password-authenticated key exchange (aPAKE) where only the client knows the password - the server never sees it, even during registration.
I discovered OPAQUE through Matthew Green's blog post: Let's talk about PAKE
OPAQUE lends itself to threshold schemes that mitigate database compromise. A threshold protocol distributes a private key among several servers; a certain number of them (the threshold) must participate in every operation.
In the OPRF case, each server acts as an OPRF signer of the blinded salt sent by the client. Each server holds a share of the larger private key, and the OPRF output can only be produced when a threshold number of servers contribute their partial evaluations.
Each server runs a Distributed Key Generation protocol to generate their share. Torben Pedersen first specified such a protocol in 1991: https://pdfs.semanticscholar.org/642b/d1bbc86c7750cef9fa770e9e4ba86bd49eb9.pdf
Feldman's VSS (verifiable secret sharing) is one building block for such a DKG; it lets each server check that the share it received lies on the committed polynomial: https://ieeexplore.ieee.org/abstract/document/4568297/
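The threshold OPRF described above, as an added example that is not code from this repository or from opaque-ke: a dealer shares the OPRF key k with Feldman VSS, each server verifies its share against the public commitments, the client blinds H(pw) multiplicatively (the draft-03 shape from the table, where the client needs v = g^k to unblind), any t servers return x^{s_i}, and the client recombines with Lagrange coefficients. The group parameters (a toy safe prime, p = 1019), the polynomial coefficients and the stand-in for hash-to-group are all constructed values and provide no security; a real deployment would use ristretto255 and random coefficients. Note that C_0 = g^k, the first Feldman commitment, is exactly the public value v that multiplicative blinding requires.

```rust
// Added example: threshold DH-OPRF over a toy group with Feldman VSS shares.
// Not code from this repository or from opaque-ke; all numbers are constructed.
// Group: safe prime P = 2Q+1, G generates the order-Q subgroup. Toy size only.
const P: u64 = 1019;
const Q: u64 = 509;
const G: u64 = 4; // 2^2 mod P, a quadratic residue, hence of prime order Q

fn mul_mod(a: u64, b: u64, m: u64) -> u64 {
    ((a as u128 * b as u128) % m as u128) as u64
}

fn pow_mod(mut base: u64, mut exp: u64, m: u64) -> u64 {
    let mut acc = 1u64;
    base %= m;
    while exp > 0 {
        if exp & 1 == 1 { acc = mul_mod(acc, base, m); }
        base = mul_mod(base, base, m);
        exp >>= 1;
    }
    acc
}

// Inverses via Fermat's little theorem; both P and Q are prime.
fn inv_mod(a: u64, m: u64) -> u64 { pow_mod(a, m - 2, m) }

/// A server's share of the OPRF key: (index i, f(i)).
#[derive(Clone, Copy, Debug)]
pub struct Share { pub index: u64, pub value: u64 }

/// Horner evaluation of f(x) = a0 + a1 x + ... mod Q; a0 is the OPRF key k.
fn eval_poly(coeffs: &[u64], x: u64) -> u64 {
    coeffs.iter().rev().fold(0, |acc, &c| (mul_mod(acc, x, Q) + c) % Q)
}

/// Feldman VSS dealing: shares f(1..=n) plus commitments C_j = g^{a_j}.
/// C_0 = g^k doubles as the public OPRF key v used for unblinding.
pub fn deal(coeffs: &[u64], n: u64) -> (Vec<Share>, Vec<u64>) {
    let shares: Vec<Share> = (1..=n)
        .map(|i| Share { index: i, value: eval_poly(coeffs, i) })
        .collect();
    let commitments: Vec<u64> = coeffs.iter().map(|&a| pow_mod(G, a, P)).collect();
    (shares, commitments)
}

/// Server-side check that a received share lies on the committed polynomial:
/// g^{s_i} == prod_j C_j^{i^j}. A dealer handing out a bad share is caught here.
pub fn verify_share(share: &Share, commitments: &[u64]) -> bool {
    let mut rhs = 1u64;
    let mut i_pow = 1u64; // i^j mod Q, exponents live in Z_Q
    for &c in commitments {
        rhs = mul_mod(rhs, pow_mod(c, i_pow, P), P);
        i_pow = mul_mod(i_pow, share.index, Q);
    }
    pow_mod(G, share.value, P) == rhs
}

/// Lagrange coefficient lambda_i for interpolating f(0) over the given index set.
fn lagrange_at_zero(i: u64, set: &[u64]) -> u64 {
    set.iter().filter(|&&j| j != i).fold(1u64, |acc, &j| {
        let den = (j + Q - i) % Q; // (j - i) mod Q without going negative
        mul_mod(acc, mul_mod(j % Q, inv_mod(den, Q), Q), Q)
    })
}

/// Each participating server raises the blinded element to its share: x^{s_i}.
pub fn partial_eval(blinded: u64, share: &Share) -> u64 { pow_mod(blinded, share.value, P) }

/// Client combines t partials into x^k = prod_i (x^{s_i})^{lambda_i}.
pub fn combine(partials: &[(u64, u64)]) -> u64 {
    let set: Vec<u64> = partials.iter().map(|p| p.0).collect();
    partials.iter().fold(1u64, |acc, &(i, y)| {
        mul_mod(acc, pow_mod(y, lagrange_at_zero(i, &set), P), P)
    })
}

/// Multiplicative blinding: x = H(pw) * g^r hides H(pw) from every server.
pub fn blind(hpw: u64, r: u64) -> u64 { mul_mod(hpw, pow_mod(G, r, P), P) }

/// Unblinding: H(pw)^k = x^k / v^r, which is why the client must know v = g^k.
pub fn unblind(evaluated: u64, v: u64, r: u64) -> u64 {
    mul_mod(evaluated, inv_mod(pow_mod(v, r, P), P), P)
}

/// Full run with 3-of-5 servers. Returns (threshold OPRF output, direct H(pw)^k).
pub fn demo() -> (u64, u64) {
    let coeffs = [123, 45, 67]; // constructed: k = 123, degree 2 => threshold t = 3
    let (shares, commitments) = deal(&coeffs, 5);
    assert!(shares.iter().all(|s| verify_share(s, &commitments)));
    let hpw = pow_mod(G, 300, P); // constructed stand-in for hash-to-group(pw)
    let r = 77; // client's blinding scalar (constructed; random in practice)
    let x = blind(hpw, r);
    // Only servers 2, 4 and 5 answer; that is enough to reach the threshold.
    let partials: Vec<(u64, u64)> = [1usize, 3, 4]
        .iter()
        .map(|&idx| (shares[idx].index, partial_eval(x, &shares[idx])))
        .collect();
    let out = unblind(combine(&partials), commitments[0], r);
    (out, pow_mod(hpw, coeffs[0], P))
}

fn main() {
    let (out, direct) = demo();
    println!("threshold OPRF output {out}, direct H(pw)^k {direct}");
}
```

The defensive points the code makes explicit: a server accepts a share only after `verify_share` passes, no server ever sees k or H(pw), and fewer than t partials recombine to the wrong exponent, which is the property that makes stealing a single server's database insufficient to run offline guesses.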
OPAQUE has a formal security proof covering resistance to pre-computation attacks and forward secrecy. The main attack vectors are online brute force (mitigate with rate-limiting) and offline attacks on stolen envelopes (mitigate with password stretching).
This implementation targets draft-03 (October 2019). The spec evolved significantly:
- Draft 4 (May 2020): Envelope construction clarified (AES-CTR + HMAC), 3DH added, OPRF simplified (removed v=g^k from hash).
- Draft 5 (May 2020): Clarifications, prep for formal spec.
- RFC 9807 (July 2025): Complete rewrite - 3DH as primary KE, authentication-only envelope with derived keys, mandatory Argon2id, RFC 9497 OPRF.
More references:
- Original OPAQUE paper (Jarecki, Krawczyk, Xu - Eurocrypt 2018)
- CFRG PAKE selection
- RFC 9807 - OPAQUE
- RFC 9497 - OPRF
The docs/specs/ directory contains:
- draft-krawczyk-cfrg-opaque-03.txt - the spec this implementation targets
- rfc9807.txt - the final RFC
- SPEC_DIFF.md - detailed migration analysis
BSD 3-Clause