Hello all, The spec says that Noise_KK is vulnerable to KCI in the first message pattern: -> e, es, ss 1 2 But here, the key used also depends on the ephemeral key of the sender which is unknown to the attacker. So how does knowing the private key to sender's s helps here? David