From 9a1f0ad532579c55f583c0ddb683a4ba85283bc9 Mon Sep 17 00:00:00 2001 From: Sumner Evans Date: Mon, 26 Feb 2024 09:26:34 -0700 Subject: [PATCH] sas: clarify ECDH process in step 12 (#1720) Co-authored-by: Denis Kasak --- .../client_server/newsfragments/1720.clarification | 1 + .../client-server-api/modules/end_to_end_encryption.md | 10 ++++++---- 2 files changed, 7 insertions(+), 4 deletions(-) create mode 100644 changelogs/client_server/newsfragments/1720.clarification diff --git a/changelogs/client_server/newsfragments/1720.clarification b/changelogs/client_server/newsfragments/1720.clarification new file mode 100644 index 00000000..e8c8a623 --- /dev/null +++ b/changelogs/client_server/newsfragments/1720.clarification @@ -0,0 +1 @@ +Clarify how to perform the ECDH exchange in step 12 of the SAS process. diff --git a/content/client-server-api/modules/end_to_end_encryption.md b/content/client-server-api/modules/end_to_end_encryption.md index 1126c648..6c3bbbea 100644 --- a/content/client-server-api/modules/end_to_end_encryption.md +++ b/content/client-server-api/modules/end_to_end_encryption.md 
@@ -660,10 +660,12 @@ The process between Alice and Bob verifying each other would be: 11. Alice's device receives Bob's message and verifies the commitment hash from earlier matches the hash of the key Bob's device just sent and the content of Alice's `m.key.verification.start` message. -12. Both Alice and Bob's devices perform an Elliptic-curve - Diffie-Hellman - (*ECDH(KAprivate*, *KBpublic*)), - using the result as the shared secret. +12. Both Alice's and Bob's devices perform an Elliptic-curve Diffie-Hellman using + their private ephemeral key, and the other device's ephemeral public key + (*ECDH(KAprivate*, *KBpublic*) + for Alice's device and + *ECDH(KBprivate*, *KApublic*) + for Bob's device), using the result as the shared secret. 13. Both Alice and Bob's devices display a SAS to their users, which is derived from the shared key using one of the methods in this section. If multiple SAS methods are available, clients should allow
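Review bot: in the new step 12 text the emphasis markers still split the ECDH expressions mid-formula: `*ECDH(KAprivate*, *KBpublic*)` italicises `ECDH(KAprivate` and `KBpublic` as two separate spans while the comma and the closing parenthesis render as plain text, and the newly added `*ECDH(KBprivate*, *KApublic*)` repeats the same pattern. Suggest wrapping each whole expression in a single emphasis span or rendering it as inline code, e.g. `ECDH(KAprivate, KBpublic)` for Alice's device and `ECDH(KBprivate, KApublic)` for Bob's device, so each computation reads as one formula. It would also be worth stating explicitly that the two computations yield the same value, since that is what makes "the shared secret" a single key that both devices then derive the SAS from in step 13; the current wording ("using the result as the shared secret") leaves the reader to infer that the two results agree.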