[noise] question on Noise_KK and KCI

David Wong davidwong.crypto at gmail.com
Sat Jun 24 10:57:31 PDT 2017

Hello all,

The spec says that Noise_KK is vulnerable to KCI in the first message pattern:

  -> e, es, ss              1                2

But here, the key used also depends on the ephemeral key of the sender
which is unknown to the attacker. So how does knowing the private key
to sender's s helps here?


More information about the Noise mailing list