Let's talk about ZRTP (cryptographyengineering.com)
55 points by zdw on Nov 25, 2012 | hide | past | favorite | 6 comments



For anyone else wondering what ZRTP is an acronym for, apparently it isn't one. It is SRTP [1] with the S replaced with Z, since it was developed by the Zfone Project [2].

[1]: http://duckduckgo.com/Secure_Real-time_Transport_Protocol

[2]: http://www.zfoneproject.com/

[3]: ZRTP spec: http://zfone.com/docs/ietf/rfc6189bis.html


Interesting overall. But I'm pretty sure that's not how the birthday paradox works. You have to put all the ~random elements into the same pool so that each one of your 2^16 values has 2^16 candidates to match against. This handshaking is always one on one. I mean yes it's possible that the same SAS will show up in completely unrelated calls but that won't help Eve.


I think what he is saying is that we can get lucky in guessing the correct hash even if we guessed the value wrong.

b can only be picked once, and we transmit g^b. The attacker then needs to guess a g^a that will cause hmac(g^ab) to match. So we might guess an incorrect g^a that still manages to collide and give us the correct hmac.

This apparently almost doubles our chance of guessing correctly? Depending on the properties of hmac this sounds reasonable, but it still doesn't affect security much, as he says - it would still be about 1/2^{16} - not likely to happen.
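The two comments above argue about what a 16-bit SAS actually buys against a man-in-the-middle: one attempt per call, with a wrong guess still "winning" if the truncated HMAC happens to collide. The script below is an added example, written for this thread; it is not code from the linked article, from the ZRTP project, or from any commenter. It assumes a simplified SAS derivation (the first 16 bits of an HMAC-SHA256 over a constructed transcript, not the RFC 6189 construction) and uses the thread's 2^16 SAS space. It computes the exact per-call success probability from the comment's two cases and then checks the collision rate empirically.

```python
"""
Per-call success probability of a man-in-the-middle against a 16-bit
Short Authentication String (SAS), modelled on the reasoning in the thread:
the attacker gets ONE attempt per call (no birthday pooling across calls),
and a wrong guess can still succeed if the truncated HMAC collides.

This is a simplified model, not ZRTP's real SAS derivation (RFC 6189).
"""
import hashlib
import hmac
import random
from fractions import Fraction

SAS_BITS = 16              # the thread's figure; ZRTP offers other SAS encodings
SAS_SPACE = 1 << SAS_BITS  # 65536 possible SAS values

# Constructed stand-in for the ZRTP handshake transcript (assumption, not real).
CONSTRUCTED_TRANSCRIPT = b"constructed-zrtp-transcript"


def sas_from_secret(shared_secret: bytes, transcript: bytes = CONSTRUCTED_TRANSCRIPT) -> int:
    """Derive a 16-bit SAS by truncating HMAC-SHA256(shared_secret, transcript).

    Simplified model: the real protocol hashes more material, but the
    security property that matters here is only the 16-bit truncation.
    """
    mac = hmac.new(shared_secret, transcript, hashlib.sha256).digest()
    return int.from_bytes(mac[:2], "big")  # first 16 bits -> 0 .. 65535


def mitm_success_probability(bits: int = SAS_BITS) -> Fraction:
    """Exact per-call probability from the comment's two cases.

    Case 1: the attacker's substituted value happens to be the right one (1/N).
    Case 2: it is wrong, but the truncated HMAC collides anyway ((1 - 1/N) * 1/N).
    Total is (2N - 1) / N^2, i.e. just under twice 1/N.
    """
    n = 1 << bits
    p_right = Fraction(1, n)
    p_wrong_but_collides = (1 - p_right) * Fraction(1, n)
    return p_right + p_wrong_but_collides


def estimate_collision_rate(trials: int, seed: int = 1) -> tuple[int, int]:
    """Empirically count how often a random WRONG secret yields the same 16-bit SAS.

    Returns (matches, trials). With a good hash the rate is about 1/65536,
    so for 2**19 trials we expect roughly 8 matches. Seeded RNG keeps it
    reproducible; secrets are constructed random bytes, not real DH values.
    """
    rng = random.Random(seed)
    true_secret = rng.getrandbits(256).to_bytes(32, "big")
    target = sas_from_secret(true_secret)
    matches = 0
    for _ in range(trials):
        wrong = rng.getrandbits(256).to_bytes(32, "big")
        if wrong != true_secret and sas_from_secret(wrong) == target:
            matches += 1
    return matches, trials


if __name__ == "__main__":
    p = mitm_success_probability()
    print(f"exact per-call MITM success probability: {p} ~= {float(p):.3e}")
    print(f"ratio to a plain 1/2^{SAS_BITS} guess: {float(p * SAS_SPACE):.6f}")
    m, t = estimate_collision_rate(1 << 19)
    print(f"empirical wrong-secret SAS collisions: {m}/{t} ~= {m / t:.3e}")
```

The takeaway matches the thread: because each call is a single, isolated comparison, there is no pool of values for the birthday bound to act on, and the "wrong but colliding" case only pushes the attacker's odds from 1/2^16 to just under 2/2^16. The practical defence is unchanged: the two parties must actually read the SAS to each other, and a mismatch on any call is a red flag worth investigating.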


I'm still waiting for ZRTP to catch on in normal XMPP/Jingle clients like Pidgin, etc. Somehow support for it is really lacking.


Jitsi supports it, among other encryption protocols:

https://jitsi.org/index.php/Main/Features


Yes, but support is still too lacking in most other clients for it to be useful.



