<p dir="ltr">This sounds like what KDF:s were invented for. You can send public key hashes before the public keys in your key exchange to verify that the keypairs was generated prior to learning the public key of the counterpart, then use a KDF like scrypt or the new Argon2 on the shared secret which was generated to derive the SAS. </p> <p dir="ltr">- Sent from my tablet</p> <div class="gmail_quote">Den 20 feb 2016 21:21 skrev "Van Gegel" <<a href="mailto:torfone@ukr.net">torfone@ukr.net</a>>:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><span>I want to perform DH on the EC25519 and verify the secret using a short fingerprint (32 bits SAS). Typically in this case the commitment needed for preventing MitM by influence the responder's key after originator's key was received. <br>To be securely the following scheme instead commitment:<br>first exchange parts of the keys (first 224 bits) and then the remaining 32 bits during second pass?<br><br></span><img src="https://mail.ukr.net/api/public/message_read?a=gKmgv9dJOFKr1qfkfopsNCLgD9YzHsbrVFJOfbjAIxCpei1Lt5WL_vBmkaGOcFv9xXRtWaid46LYmeQ0bqNo41zdzwCsUvBEicgkBvmAEw==" alt="" width="1" height="1" style="width:1px;min-height:1px"> </div> <br>_______________________________________________<br> Messaging mailing list<br> <a href="mailto:Messaging@moderncrypto.org">Messaging@moderncrypto.org</a><br> <a href="https://moderncrypto.org/mailman/listinfo/messaging" rel="noreferrer" target="_blank">https://moderncrypto.org/mailman/listinfo/messaging</a><br> <br></blockquote></div>