Hi, my client (osns-client, see: https://github.com/stefbon/OSNS) cannot finish the keyexchange. After sending the newkeys message, the other side (openssh 8.4p1) disconnects. It has the ecdh curve25519-sha256 at libssh.org implemented, and chacga20-poly1305 at openssh.com. Now the length required to init this cypher is 64 bytes, and the hash length is 32 bytes. So two hashes appended (2 x 32 = 64) should be enough. Other key derivations work (64 bytes required, hash is 20 bytes). Now looking at it since 64 is e neat multiple of 32, it's possible that openssh just does an extra hash round, and that seems to be the case: in file kex.c line 1033 the algorithm to create the required length does not stop when need==have, which it should. RFC4253 says in section 7.2: "If the key length needed is longer than the output of the HASH, the key is extended by computing HASH of the concatenation of K and H and the entire key so far, and appending the resulting bytes (as many as HASH generates) to the key. This process is repeated until enough key material is available; the key is taken from the beginning of this value. " In other words if the key length is not longer than there is enough. Not longer means less or equal. What do you think? I'll make my algo work like the one of openssh (still doing an extra hash until hashed length > required) and report back. Stef Bon the Netherlands