diff --git a/internal/handshake/initial_aead.go b/internal/handshake/initial_aead.go
index 2c519314..fa97156c 100644
--- a/internal/handshake/initial_aead.go
+++ b/internal/handshake/initial_aead.go
@@ -21,8 +21,8 @@ func newInitialAEAD(connID protocol.ConnectionID, pers protocol.Perspective) (Se
 		mySecret = serverSecret
 		otherSecret = clientSecret
 	}
-	myKey, myIV := computeInitialKeyAndIV(mySecret)
-	otherKey, otherIV := computeInitialKeyAndIV(otherSecret)
+	myKey, _, myIV := computeInitialKeyAndIV(mySecret)
+	otherKey, _, otherIV := computeInitialKeyAndIV(otherSecret)
 
 	encrypterCipher, err := aes.NewCipher(myKey)
 	if err != nil {
@@ -50,8 +50,9 @@ func computeSecrets(connID protocol.ConnectionID) (clientSecret, serverSecret []
 	return
 }
 
-func computeInitialKeyAndIV(secret []byte) (key, iv []byte) {
+func computeInitialKeyAndIV(secret []byte) (key, pnKey, iv []byte) {
 	key = crypto.HkdfExpandLabel(gocrypto.SHA256, secret, "key", 16)
+	pnKey = crypto.HkdfExpandLabel(gocrypto.SHA256, secret, "pn", 16)
 	iv = crypto.HkdfExpandLabel(gocrypto.SHA256, secret, "iv", 12)
 	return
 }
diff --git a/internal/handshake/initial_aead_test.go b/internal/handshake/initial_aead_test.go
index 26d0554f..1001354f 100644
--- a/internal/handshake/initial_aead_test.go
+++ b/internal/handshake/initial_aead_test.go
@@ -30,11 +30,15 @@ var _ = Describe("Initial AEAD using AES-GCM", func() {
 
 	It("computes the client key and IV", func() {
 		clientSecret, _ := computeSecrets(connID)
-		key, iv := computeInitialKeyAndIV(clientSecret)
+		key, pnKey, iv := computeInitialKeyAndIV(clientSecret)
 		Expect(key).To(Equal([]byte{
 			0xf2, 0x92, 0x8f, 0x26, 0x14, 0xad, 0x6c, 0x20,
 			0xb9, 0xbd, 0x00, 0x8e, 0x9c, 0x89, 0x63, 0x1c,
 		}))
+		Expect(pnKey).To(Equal([]byte{
+			0x68, 0xc3, 0xf6, 0x4e, 0x2d, 0x66, 0x34, 0x41,
+			0x2b, 0x8e, 0x32, 0x94, 0x62, 0x8d, 0x76, 0xf1,
+		}))
 		Expect(iv).To(Equal([]byte{
 			0xab, 0x95, 0x0b, 0x01, 0x98, 0x63, 0x79, 0x78,
 			0xcf, 0x44, 0xaa, 0xb9,
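Review bot: The newly derived packet number key is discarded with `_` in both assignments in newInitialAEAD, so after this change the function still builds the two AES-GCM AEADs from `myKey`/`otherKey` only and nothing consumes the `pn` output. If header/packet number protection is meant to be wired up in a follow-up, say so at the call site so the blank identifiers are not read as dropped key material, e.g. `myKey, _, myIV := computeInitialKeyAndIV(mySecret) // pn key unused: packet number protection not implemented yet`. newInitialAEAD starts before this hunk and continues after it.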
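Review bot: computeInitialKeyAndIV now returns three secrets but has no doc comment, and the labels and lengths (`"key"`/16, `"pn"`/16, `"iv"`/12) are the only record of what each result is. I would add above the signature `// computeInitialKeyAndIV expands an Initial secret with HkdfExpandLabel into the 16-byte AEAD key (label "key"), the 16-byte packet number key (label "pn") and the 12-byte IV (label "iv"); the distinct labels keep the three outputs independent.` The "pn" label reads as the packet number protection key, but confirm the wording against the draft the code targets. A second, smaller point of style: the three lengths are magic numbers repeated at the call sites, and named constants would make the AES-128-GCM key/IV sizes explicit.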
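Review bot: The expected `pnKey` bytes added to the client test (and likewise in the server test in the following hunk) carry no provenance; if they were produced by running this implementation, the assertion only pins current output rather than checking the derivation against an external reference. Add a one-line comment above each `Expect(pnKey)` naming where the vector comes from, e.g. `// expected pn key from <reference implementation or spec vector — fill in>`, so a future label or length change that silently alters the key is caught for the right reason. The `It` blocks of both hunks are complete within the diff.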
@@ -43,11 +47,15 @@ var _ = Describe("Initial AEAD using AES-GCM", func() {
 
 	It("computes the server key and IV", func() {
 		_, serverSecret := computeSecrets(connID)
-		key, iv := computeInitialKeyAndIV(serverSecret)
+		key, pnKey, iv := computeInitialKeyAndIV(serverSecret)
 		Expect(key).To(Equal([]byte{
 			0xf5, 0x68, 0x17, 0xd0, 0xfc, 0x59, 0x5c, 0xfc,
 			0x0a, 0x2b, 0x0b, 0xcf, 0xb1, 0x87, 0x35, 0xec,
 		}))
+		Expect(pnKey).To(Equal([]byte{
+			0xa3, 0x13, 0xc8, 0x6d, 0x13, 0x73, 0xec, 0xbc,
+			0xcb, 0x32, 0x94, 0xb1, 0x49, 0x74, 0x22, 0x6c,
+		}))
 		Expect(iv).To(Equal([]byte{
 			0x32, 0x05, 0x03, 0x5a, 0x3c, 0x93, 0x7c, 0x90,
 			0x2e, 0xe4, 0xf4, 0xd6,