From a6b643bbc57f93baade8560d1d9556fa5aaf1692 Mon Sep 17 00:00:00 2001 From: Sumner Evans Date: Mon, 29 Jan 2024 23:32:26 -0700 Subject: [PATCH] sas: clarify ECDH process in step 12 As written, the spec is not clear what Bob's device is supposed to do as that device does not have Alice's device's private key. Signed-off-by: Sumner Evans --- .../client_server/newsfragments/1720.clarification | 1 + .../client-server-api/modules/end_to_end_encryption.md | 10 ++++++---- 2 files changed, 7 insertions(+), 4 deletions(-) create mode 100644 changelogs/client_server/newsfragments/1720.clarification diff --git a/changelogs/client_server/newsfragments/1720.clarification b/changelogs/client_server/newsfragments/1720.clarification new file mode 100644 index 000000000..e8c8a623e --- /dev/null +++ b/changelogs/client_server/newsfragments/1720.clarification @@ -0,0 +1 @@ +Clarify how to perform the ECDH exchange in step 12 of the SAS process. diff --git a/content/client-server-api/modules/end_to_end_encryption.md b/content/client-server-api/modules/end_to_end_encryption.md index a4131d05f..a1e8406cd 100644 --- a/content/client-server-api/modules/end_to_end_encryption.md +++ b/content/client-server-api/modules/end_to_end_encryption.md 
@@ -660,10 +660,12 @@ The process between Alice and Bob verifying each other would be: 11. Alice's device receives Bob's message and verifies the commitment hash from earlier matches the hash of the key Bob's device just sent and the content of Alice's `m.key.verification.start` message. -12. Both Alice and Bob's devices perform an Elliptic-curve - Diffie-Hellman - (*ECDH(KAprivate*, *KBpublic*)), - using the result as the shared secret. +12. Both Alice and Bob's devices perform an Elliptic-curve Diffie-Hellman using + their private ephemeral key, and the other device's ephemeral public key + (*ECDH(KAprivate*, *KBpublic*) + for Alice's device and + *ECDH(KBprivate*, *KApublic*) + for Bob's device), using the result as the shared secret. 13. Both Alice and Bob's devices display a SAS to their users, which is derived from the shared key using one of the methods in this section. If multiple SAS methods are available, clients should allow
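Review bot: the emphasis markers in the new step 12 are unbalanced: `*ECDH(KAprivate*, *KBpublic*)` italicises "ECDH(KAprivate" and "KBpublic" as two separate runs while the comma and closing parenthesis stay plain, and the same pattern is repeated for Bob's `*ECDH(KBprivate*, *KApublic*)`; consider writing each expression as inline code, `ECDH(KAprivate, KBpublic)` and `ECDH(KBprivate, KApublic)`, or italicising only the key names. Since the point of this clarification is that Bob's device has its own private key rather than Alice's, it would also help to say outright that both computations produce the same value, so the reader sees why each device can treat its own result as the shared secret. Minor wording: "Both Alice and Bob's devices" reads more cleanly as "Both Alice's and Bob's devices", and the comma in "their private ephemeral key, and the other device's ephemeral public key" is unnecessary.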