# Zero Trust nKode with aPAKE (OPAQUE)

```mermaid
sequenceDiagram
    participant Client
    participant Server
    Note over Client, Server: Enrollment
    Client ->> Server: Signup Session: email
    Client ->> Client: Create 128-bit Secret Key
    Note left of Client: Request user stores Secret Key in a safe place
    Client ->> Server: OPAQUE Register with Secret Key<br/>https://github.com/facebook/opaque-ke
    Client ->> Server: OPAQUE Login with email + Secret Key
    opt Secret Key OPAQUE tunnel
        Client ->> Server: Get New Icons
        Server -->> Client: icons
        Note left of Client: Icons are stored on Client
        Note left of Client: well-known nonce: 0x1 (or any number)
        Client ->> Client: Assign random names to icons from<br/>secret_key and well known nonce
        Client ->> Server: list of random icon names
        Note right of Server: Only a client with the secret key can request these icons.<br/>Server doesn't know the owner
        loop assign icons
            Client ->> Client: Regenerate 4-6 icons until user accepts them
        end
        Client ->> Client: Create new nonce
        Client ->> Client: ChaCha20 key derivation (pass_key, mask_key, prop_key, pos_key)
        Client ->> Client: Compute Mask
        Note left of Client: User Password is concat([list of assigned icon values])
        Client ->> Server: OPAQUE Register with User Password + nonce, mask
    end
    Note over Client, Server: Login
    Client ->> Server: OPAQUE Login with email + Secret Key
    opt Secret Key OPAQUE tunnel
        Server ->> Client: nonce, mask
        Client ->> Client: Display Keypad to User<br/>User makes key selection
        Client ->> Client: recover user password
        Client ->> Server: OPAQUE Password Login
    end
    Note over Client, Server: User Session
    opt Secret Key PAKE Key XOR nKode PAKE Key tunnel
        Client ->> Server: all communication goes through this double PAKE
    end
```