Last year, Vanhoef and Piessens showed that WPA2 is vulnerable to key reinstallation attacks [50]. What made their attack surprising, apart from taking more than a decade to discover, is that the core components of WPA2 were formally proven secure. That is, both the 4-way handshake and the (AES-)CCMP encryption protocol had security proofs [19, 25]. However, the manner in which these two components interacted made it possible to reinstall an already-inuse key.