[noise] question on Noise_KK and KCI

Trevor Perrin trevp at trevp.net
Sat Jun 24 12:09:37 PDT 2017


On Sat, Jun 24, 2017 at 5:57 PM, David Wong <davidwong.crypto at gmail.com> wrote:
> Hello all,
>
> The spec says that Noise_KK is vulnerable to KCI in the first message pattern:
>
>   -> e, es, ss              1                2
>
> But here, the key used also depends on the ephemeral key of the sender
> which is unknown to the attacker. So how does knowing the private key
> to sender's s helps here?

Other way around - knowing the recipient's private key allows
impersonation of the sender (the initiator, here).

Trevor


More information about the Noise mailing list