idnits 2.17.1 draft-ietf-mls-protocol-10.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** There are 24 instances of too long lines in the document, the longest one being 20 characters in excess of 72. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (31 October 2020) is 1272 days in the past. Is this intentional? -- Found something which looks like a code comment -- if you have code sections in the document, please surround them with '
' and
     '' lines.


  Checking references for intended status: Informational
  ----------------------------------------------------------------------------

  == Missing Reference: 'C' is mentioned on line 762, but not defined

  == Missing Reference: 'CD' is mentioned on line 762, but not defined

  == Missing Reference: 'A' is mentioned on line 762, but not defined

  -- Looks like a reference, but probably isn't: '0' on line 1055

  -- Looks like a reference, but probably isn't: '1' on line 944

  == Missing Reference: 'X' is mentioned on line 951, but not defined

  -- Looks like a reference, but probably isn't: '4' on line 2042

  == Outdated reference: A later version (-12) exists of
     draft-irtf-cfrg-hpke-06

  == Outdated reference: A later version (-13) exists of
     draft-ietf-mls-architecture-05

  == Outdated reference: A later version (-42) exists of
     draft-ietf-trans-rfc6962-bis-34


     Summary: 1 error (**), 0 flaws (~~), 8 warnings (==), 5 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------


2	Network Working Group                                          R. Barnes
3	Internet-Draft                                                     Cisco
4	Intended status: Informational                             B. Beurdouche
5	Expires: 4 May 2021                                                Inria
6	                                                             J. Millican
7	                                                                Facebook
8	                                                                E. Omara
9	                                                                  Google
10	                                                          K. Cohn-Gordon
11	                                                    University of Oxford
12	                                                               R. Robert
13	                                                                    Wire
14	                                                         31 October 2020

16	              The Messaging Layer Security (MLS) Protocol
17	                       draft-ietf-mls-protocol-10

19	Abstract

21	   Messaging applications are increasingly making use of end-to-end
22	   security mechanisms to ensure that messages are only accessible to
23	   the communicating endpoints, and not to any servers involved in
24	   delivering messages.  Establishing keys to provide such protections
25	   is challenging for group chat settings, in which more than two
26	   clients need to agree on a key but may not be online at the same
27	   time.  In this document, we specify a key establishment protocol that
28	   provides efficient asynchronous group key establishment with forward
29	   secrecy and post-compromise security for groups in size ranging from
30	   two to thousands.

32	Status of This Memo

34	   This Internet-Draft is submitted in full conformance with the
35	   provisions of BCP 78 and BCP 79.

37	   Internet-Drafts are working documents of the Internet Engineering
38	   Task Force (IETF).  Note that other groups may also distribute
39	   working documents as Internet-Drafts.  The list of current Internet-
40	   Drafts is at https://datatracker.ietf.org/drafts/current/.

42	   Internet-Drafts are draft documents valid for a maximum of six months
43	   and may be updated, replaced, or obsoleted by other documents at any
44	   time.  It is inappropriate to use Internet-Drafts as reference
45	   material or to cite them other than as "work in progress."

47	   This Internet-Draft will expire on 4 May 2021.

49	Copyright Notice

51	   Copyright (c) 2020 IETF Trust and the persons identified as the
52	   document authors.  All rights reserved.

54	   This document is subject to BCP 78 and the IETF Trust's Legal
55	   Provisions Relating to IETF Documents (https://trustee.ietf.org/
56	   license-info) in effect on the date of publication of this document.
57	   Please review these documents carefully, as they describe your rights
58	   and restrictions with respect to this document.  Code Components
59	   extracted from this document must include Simplified BSD License text
60	   as described in Section 4.e of the Trust Legal Provisions and are
61	   provided without warranty as described in the Simplified BSD License.

63	Table of Contents

65	   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   4
66	     1.1.  Change Log  . . . . . . . . . . . . . . . . . . . . . . .   4
67	   2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   8
68	   3.  Basic Assumptions . . . . . . . . . . . . . . . . . . . . . .   9
69	   4.  Protocol Overview . . . . . . . . . . . . . . . . . . . . . .  10
70	   5.  Ratchet Trees . . . . . . . . . . . . . . . . . . . . . . . .  13
71	     5.1.  Tree Computation Terminology  . . . . . . . . . . . . . .  14
72	     5.2.  Ratchet Tree Nodes  . . . . . . . . . . . . . . . . . . .  16
73	     5.3.  Views of a Ratchet Tree . . . . . . . . . . . . . . . . .  17
74	     5.4.  Ratchet Tree Evolution  . . . . . . . . . . . . . . . . .  18
75	     5.5.  Synchronizing Views of the Tree . . . . . . . . . . . . .  20
76	   6.  Cryptographic Objects . . . . . . . . . . . . . . . . . . . .  21
77	     6.1.  Ciphersuites  . . . . . . . . . . . . . . . . . . . . . .  21
78	     6.2.  Credentials . . . . . . . . . . . . . . . . . . . . . . .  22
79	   7.  Key Packages  . . . . . . . . . . . . . . . . . . . . . . . .  24
80	     7.1.  Client Capabilities . . . . . . . . . . . . . . . . . . .  25
81	     7.2.  Lifetime  . . . . . . . . . . . . . . . . . . . . . . . .  26
82	     7.3.  KeyPackage Identifiers  . . . . . . . . . . . . . . . . .  26
83	     7.4.  Parent Hash . . . . . . . . . . . . . . . . . . . . . . .  26
84	     7.5.  Tree Hashes . . . . . . . . . . . . . . . . . . . . . . .  27
85	     7.6.  Group State . . . . . . . . . . . . . . . . . . . . . . .  28
86	     7.7.  Update Paths  . . . . . . . . . . . . . . . . . . . . . .  29
87	   8.  Key Schedule  . . . . . . . . . . . . . . . . . . . . . . . .  30
88	     8.1.  External Initialization . . . . . . . . . . . . . . . . .  33
89	     8.2.  Pre-Shared Keys . . . . . . . . . . . . . . . . . . . . .  34
90	     8.3.  Secret Tree . . . . . . . . . . . . . . . . . . . . . . .  36
91	     8.4.  Encryption Keys . . . . . . . . . . . . . . . . . . . . .  37
92	     8.5.  Deletion Schedule . . . . . . . . . . . . . . . . . . . .  38
93	     8.6.  Exporters . . . . . . . . . . . . . . . . . . . . . . . .  39
94	     8.7.  Resumption Secret . . . . . . . . . . . . . . . . . . . .  40
95	     8.8.  State Authentication Keys . . . . . . . . . . . . . . . .  40
96	   9.  Message Framing . . . . . . . . . . . . . . . . . . . . . . .  40
97	     9.1.  Content Authentication  . . . . . . . . . . . . . . . . .  43
98	     9.2.  Content Encryption  . . . . . . . . . . . . . . . . . . .  44
99	     9.3.  Sender Data Encryption  . . . . . . . . . . . . . . . . .  45
100	   10. Group Creation  . . . . . . . . . . . . . . . . . . . . . . .  46
101	     10.1.  Linking a New Group to an Existing Group . . . . . . . .  47
102	       10.1.1.  Sub-group Branching  . . . . . . . . . . . . . . . .  48
103	   11. Group Evolution . . . . . . . . . . . . . . . . . . . . . . .  48
104	     11.1.  Proposals  . . . . . . . . . . . . . . . . . . . . . . .  48
105	       11.1.1.  Add  . . . . . . . . . . . . . . . . . . . . . . . .  49
106	       11.1.2.  Update . . . . . . . . . . . . . . . . . . . . . . .  50
107	       11.1.3.  Remove . . . . . . . . . . . . . . . . . . . . . . .  50
108	       11.1.4.  PreSharedKey . . . . . . . . . . . . . . . . . . . .  51
109	       11.1.5.  ReInit . . . . . . . . . . . . . . . . . . . . . . .  51
110	       11.1.6.  ExternalInit . . . . . . . . . . . . . . . . . . . .  52
111	       11.1.7.  External Proposals . . . . . . . . . . . . . . . . .  52
112	     11.2.  Commit . . . . . . . . . . . . . . . . . . . . . . . . .  53
113	       11.2.1.  External Commits . . . . . . . . . . . . . . . . . .  59
114	       11.2.2.  Welcoming New Members  . . . . . . . . . . . . . . .  60
115	     11.3.  Ratchet Tree Extension . . . . . . . . . . . . . . . . .  63
116	   12. Extensibility . . . . . . . . . . . . . . . . . . . . . . . .  64
117	   13. Sequencing of State Changes . . . . . . . . . . . . . . . . .  66
118	     13.1.  Server-Enforced Ordering . . . . . . . . . . . . . . . .  67
119	     13.2.  Client-Enforced Ordering . . . . . . . . . . . . . . . .  67
120	   14. Application Messages  . . . . . . . . . . . . . . . . . . . .  67
121	     14.1.  Message Encryption and Decryption  . . . . . . . . . . .  68
122	     14.2.  Restrictions . . . . . . . . . . . . . . . . . . . . . .  69
123	     14.3.  Delayed and Reordered Application messages . . . . . . .  69
124	   15. Security Considerations . . . . . . . . . . . . . . . . . . .  69
125	     15.1.  Confidentiality of the Group Secrets . . . . . . . . . .  69
126	     15.2.  Authentication . . . . . . . . . . . . . . . . . . . . .  70
127	     15.3.  Forward Secrecy and Post-Compromise Security . . . . . .  70
128	     15.4.  InitKey Reuse  . . . . . . . . . . . . . . . . . . . . .  70
129	   16. IANA Considerations . . . . . . . . . . . . . . . . . . . . .  71
130	     16.1.  MLS Ciphersuites . . . . . . . . . . . . . . . . . . . .  71
131	     16.2.  MLS Extension Types  . . . . . . . . . . . . . . . . . .  74
132	     16.3.  MLS Credential Types . . . . . . . . . . . . . . . . . .  75
133	     16.4.  MLS Designated Expert Pool . . . . . . . . . . . . . . .  76
134	   17. Contributors  . . . . . . . . . . . . . . . . . . . . . . . .  77
135	   18. References  . . . . . . . . . . . . . . . . . . . . . . . . .  78
136	     18.1.  Normative References . . . . . . . . . . . . . . . . . .  78
137	     18.2.  Informative References . . . . . . . . . . . . . . . . .  79
138	   Appendix A.  Tree Math  . . . . . . . . . . . . . . . . . . . . .  81
139	   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  84

141	1.  Introduction

143	   DISCLAIMER: This is a work-in-progress draft of MLS and has not yet
144	   seen significant security analysis.  It should not be used as a basis
145	   for building production systems.

147	   RFC EDITOR: PLEASE REMOVE THE FOLLOWING PARAGRAPH The source for this
148	   draft is maintained in GitHub.  Suggested changes should be submitted
149	   as pull requests at https://github.com/mlswg/mls-protocol.
150	   Instructions are on that page as well.  Editorial changes can be
151	   managed in GitHub, but any substantive change should be discussed on
152	   the MLS mailing list.

154	   A group of users who want to send each other encrypted messages needs
155	   a way to derive shared symmetric encryption keys.  For two parties,
156	   this problem has been studied thoroughly, with the Double Ratchet
157	   emerging as a common solution [doubleratchet] [signal].  Channels
158	   implementing the Double Ratchet enjoy fine-grained forward secrecy as
159	   well as post-compromise security, but are nonetheless efficient
160	   enough for heavy use over low-bandwidth networks.

162	   For a group of size greater than two, a common strategy is to
163	   unilaterally broadcast symmetric "sender" keys over existing shared
164	   symmetric channels, and then for each member to send messages to the
165	   group encrypted with their own sender key.  Unfortunately, while this
166	   improves efficiency over pairwise broadcast of individual messages
167	   and provides forward secrecy (with the addition of a hash ratchet),
168	   it is difficult to achieve post-compromise security with sender keys.
169	   An adversary who learns a sender key can often indefinitely and
170	   passively eavesdrop on that member's messages.  Generating and
171	   distributing a new sender key provides a form of post-compromise
172	   security with regard to that sender.  However, it requires
173	   computation and communications resources that scale linearly with the
174	   size of the group.

176	   In this document, we describe a protocol based on tree structures
177	   that enable asynchronous group keying with forward secrecy and post-
178	   compromise security.  Based on earlier work on "asynchronous
179	   ratcheting trees" [art], the protocol presented here uses an
180	   asynchronous key-encapsulation mechanism for tree structures.  This
181	   mechanism allows the members of the group to derive and update shared
182	   keys with costs that scale as the log of the group size.

184	1.1.  Change Log

186	   RFC EDITOR PLEASE DELETE THIS SECTION.

188	   draft-10
189	   *  Allow new members to join via an external Commit (*)

191	   *  Enable proposals to be sent inline in a Commit (*)

193	   *  Re-enable constant-time Add (*)

195	   *  Change expiration extension to lifetime extension (*)

197	   *  Make the tree in the Welcome optional (*)

199	   *  PSK injection, re-init, sub-group branching (*)

201	   *  Require the initial init_secret to be a random value (*)

203	   *  Remove explicit sender data nonce (*)

205	   *  Do not encrypt to joiners in UpdatePath generation (*)

207	   *  Move MLSPlaintext signature under the confirmation tag (*)

209	   *  Explicitly authenticate group membership with MLSPLaintext (*)

211	   *  Clarify X509Credential structure (*)

213	   *  Remove uneeded interim transcript hash from GroupInfo (*)

215	   *  IANA considerations

217	   *  Derive an authentication secret

219	   *  Use Extract/Expand from HPKE KDF

221	   *  Clarify that application messages MUST be encrypted

223	   draft-09

225	   *  Remove blanking of nodes on Add (*)

227	   *  Change epoch numbers to uint64 (*)

229	   *  Add PSK inputs (*)

231	   *  Add key schedule exporter (*)

233	   *  Sign the updated direct path on Commit, using "parent hashes" and
234	      one signature per leaf (*)

236	   *  Use structured types for external senders (*)
237	   *  Redesign Welcome to include confirmation and use derived keys (*)

239	   *  Remove ignored proposals (*)

241	   *  Always include an Update with a Commit (*)

243	   *  Add per-message entropy to guard against nonce reuse (*)

245	   *  Use the same hash ratchet construct for both application and
246	      handshake keys (*)

248	   *  Add more ciphersuites

250	   *  Use HKDF to derive key pairs (*)

252	   *  Mandate expiration of ClientInitKeys (*)

254	   *  Add extensions to GroupContext and flesh out the extensibility
255	      story (*)

257	   *  Rename ClientInitKey to KeyPackage

259	   draft-08

261	   *  Change ClientInitKeys so that they only refer to one ciphersuite
262	      (*)

264	   *  Decompose group operations into Proposals and Commits (*)

266	   *  Enable Add and Remove proposals from outside the group (*)

268	   *  Replace Init messages with multi-recipient Welcome message (*)

270	   *  Add extensions to ClientInitKeys for expiration and downgrade
271	      resistance (*)

273	   *  Allow multiple Proposals and a single Commit in one MLSPlaintext
274	      (*)

276	   draft-07

278	   *  Initial version of the Tree based Application Key Schedule (*)

280	   *  Initial definition of the Init message for group creation (*)

282	   *  Fix issue with the transcript used for newcomers (*)

284	   *  Clarifications on message framing and HPKE contexts (*)
285	   *  Reorder blanking and update in the Remove operation (*)

287	   *  Rename the GroupState structure to GroupContext (*)

289	   *  Rename UserInitKey to ClientInitKey

291	   *  Resolve the circular dependency that draft-05 introduced in the
292	      confirmation MAC calculation (*)

294	   *  Cover the entire MLSPlaintext in the transcript hash (*)

296	   draft-05

298	   *  Common framing for handshake and application messages (*)

300	   *  Handshake message encryption (*)

302	   *  Convert from literal state to a commitment via the "tree hash" (*)

304	   *  Add credentials to the tree and remove the "roster" concept (*)

306	   *  Remove the secret field from tree node values

308	   draft-04

310	   *  Updating the language to be similar to the Architecture document

312	   *  ECIES is now renamed in favor of HPKE (*)

314	   *  Using a KDF instead of a Hash in TreeKEM (*)

316	   draft-03

318	   *  Added ciphersuites and signature schemes (*)

320	   *  Re-ordered fields in UserInitKey to make parsing easier (*)

322	   *  Fixed inconsistencies between Welcome and GroupState (*)

324	   *  Added encryption of the Welcome message (*)

326	   draft-02

328	   *  Removed ART (*)

330	   *  Allowed partial trees to avoid double-joins (*)
331	   *  Added explicit key confirmation (*)

333	   draft-01

335	   *  Initial description of the Message Protection mechanism. (*)

337	   *  Initial specification proposal for the Application Key Schedule
338	      using the per-participant chaining of the Application Secret
339	      design. (*)

341	   *  Initial specification proposal for an encryption mechanism to
342	      protect Application Messages using an AEAD scheme. (*)

344	   *  Initial specification proposal for an authentication mechanism of
345	      Application Messages using signatures. (*)

347	   *  Initial specification proposal for a padding mechanism to
348	      improving protection of Application Messages against traffic
349	      analysis. (*)

351	   *  Inversion of the Group Init Add and Application Secret derivations
352	      in the Handshake Key Schedule to be ease chaining in case we
353	      switch design. (*)

355	   *  Removal of the UserAdd construct and split of GroupAdd into Add
356	      and Welcome messages (*)

358	   *  Initial proposal for authenticating handshake messages by signing
359	      over group state and including group state in the key schedule (*)

361	   *  Added an appendix with example code for tree math

363	   *  Changed the ECIES mechanism used by TreeKEM so that it uses nonces
364	      generated from the shared secret

366	   draft-00

368	   *  Initial adoption of draft-barnes-mls-protocol-01 as a WG item.

370	2.  Terminology

372	   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
373	   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
374	   "OPTIONAL" in this document are to be interpreted as described in BCP
375	   14 [RFC2119] [RFC8174] when, and only when, they appear in all
376	   capitals, as shown here.

378	   Client:  An agent that uses this protocol to establish shared
379	      cryptographic state with other clients.  A client is defined by
380	      the cryptographic keys it holds.

382	   Group:  A collection of clients with shared cryptographic state.

384	   Member:  A client that is included in the shared state of a group,
385	      hence has access to the group's secrets.

387	   Key Package:  A signed object describing a client's identity and
388	      capabilities, and including a hybrid public-key encryption (HPKE
389	      [I-D.irtf-cfrg-hpke] ) public key that can be used to encrypt to
390	      that client.

392	   Initialization Key (InitKey):  A key package that is prepublished by
393	      a client, which other clients can use to introduce the client to a
394	      new group.

396	   Signature Key:  A signing key pair used to authenticate the sender of
397	      a message.

399	   Terminology specific to tree computations is described in Section 5.

401	   We use the TLS presentation language [RFC8446] to describe the
402	   structure of protocol messages.

404	3.  Basic Assumptions

406	   This protocol is designed to execute in the context of a Service
407	   Provider (SP) as described in [I-D.ietf-mls-architecture].  In
408	   particular, we assume the SP provides the following services:

410	   *  A signature key provider which allows clients to authenticate
411	      protocol messages in a group.

413	   *  A broadcast channel, for each group, which will relay a message to
414	      all members of a group.  For the most part, we assume that this
415	      channel delivers messages in the same order to all participants.
416	      (See Section 13 for further considerations.)

418	   *  A directory to which clients can publish key packages and download
419	      key packages for other participants.

421	4.  Protocol Overview

423	   The goal of this protocol is to allow a group of clients to exchange
424	   confidential and authenticated messages.  It does so by deriving a
425	   sequence of secrets and keys known only to members.  Those should be
426	   secret against an active network adversary and should have both
427	   forward secrecy and post-compromise security with respect to
428	   compromise of any members.

430	   We describe the information stored by each client as _state_, which
431	   includes both public and private data.  An initial state is set up by
432	   a group creator, which is a group containing only itself.  The
433	   creator then sends _Add_ proposals for each client in the initial set
434	   of members, followed by a _Commit_ message which incorporates all of
435	   the _Adds_ into the group state.  Finally, the group creator
436	   generates a _Welcome_ message corresponding to the Commit and sends
437	   this directly to all the new members, who can use the information it
438	   contains to set up their own group state and derive a shared secret.
439	   Members exchange Commit messages for post-compromise security, to add
440	   new members, and to remove existing members.  These messages produce
441	   new shared secrets which are causally linked to their predecessors,
442	   forming a logical Directed Acyclic Graph (DAG) of states.

444	   The protocol algorithms we specify here follow.  Each algorithm
445	   specifies both (i) how a client performs the operation and (ii) how
446	   other clients update their state based on it.

448	   There are three major operations in the lifecycle of a group:

450	   *  Adding a member, initiated by a current member;

452	   *  Updating the leaf secret of a member;

454	   *  Removing a member.

456	   Each of these operations is "proposed" by sending a message of the
457	   corresponding type (Add / Update / Remove).  The state of the group
458	   is not changed, however, until a Commit message is sent to provide
459	   the group with fresh entropy.  In this section, we show each proposal
460	   being committed immediately, but in more advanced deployment cases an
461	   application might gather several proposals before committing them all
462	   at once.

464	   Before the initialization of a group, clients publish InitKeys (as
465	   KeyPackage objects) to a directory provided by the Service Provider.

467	                                                                 Group
468	  A                B                C            Directory       Channel
469	  |                |                |                |              |
470	  | KeyPackageA    |                |                |              |
471	  |------------------------------------------------->|              |
472	  |                |                |                |              |
473	  |                | KeyPackageB    |                |              |
474	  |                |-------------------------------->|              |
475	  |                |                |                |              |
476	  |                |                | KeyPackageC    |              |
477	  |                |                |--------------->|              |
478	  |                |                |                |              |

480	   When a client A wants to establish a group with B and C, it first
481	   initializes a group state containing only itself and downloads
482	   KeyPackages for B and C.  For each member, A generates an Add and
483	   Commit message adding that member, and broadcasts them to the group.
484	   It also generates a Welcome message and sends this directly to the
485	   new member (there's no need to send it to the group).  Only after A
486	   has received its Commit message back from the server does it update
487	   its state to reflect the new member's addition.

489	   Upon receiving the Welcome message and the corresponding Commit, the
490	   new member will be able to read and send new messages to the group.
491	   Messages received before the client has joined the group are ignored.

493	                                                                  Group
494	   A              B              C          Directory            Channel
495	   |              |              |              |                   |
496	   |         KeyPackageB, KeyPackageC           |                   |
497	   |<-------------------------------------------|                   |
498	   |state.init()  |              |              |                   |
499	   |              |              |              |                   |
500	   |              |              |              | Add(A->AB)        |
501	   |              |              |              | Commit(Add)       |
502	   |--------------------------------------------------------------->|
503	   |              |              |              |                   |
504	   |  Welcome(B)  |              |              |                   |
505	   |------------->|state.init()  |              |                   |
506	   |              |              |              |                   |
507	   |              |              |              | Add(A->AB)        |
508	   |              |              |              | Commit(Add)       |
509	   |<---------------------------------------------------------------|
510	   |state.add(B)  |<------------------------------------------------|
511	   |              |state.join()  |              |                   |
512	   |              |              |              |                   |
513	   |              |              |              | Add(AB->ABC)      |
514	   |              |              |              | Commit(Add)       |
515	   |--------------------------------------------------------------->|
516	   |              |              |              |                   |
517	   |              |  Welcome(C)  |              |                   |
518	   |---------------------------->|state.init()  |                   |
519	   |              |              |              |                   |
520	   |              |              |              | Add(AB->ABC)      |
521	   |              |              |              | Commit(Add)       |
522	   |<---------------------------------------------------------------|
523	   |state.add(C)  |<------------------------------------------------|
524	   |              |state.add(C)  |<---------------------------------|
525	   |              |              |state.join()  |                   |

527	   Subsequent additions of group members proceed in the same way.  Any
528	   member of the group can download a KeyPackage for a new client and
529	   broadcast an Add message that the current group can use to update
530	   their state, and a Welcome message that the new client can use to
531	   initialize its state.

533	   To enforce the forward secrecy and post-compromise security of
534	   messages, each member periodically updates their leaf secret.  Any
535	   member can update this information at any time by generating a fresh
536	   KeyPackage and sending an Update message followed by a Commit
537	   message.  Once all members have processed both, the group's secrets
538	   will be unknown to an attacker that had compromised the sender's
539	   prior leaf secret.

541	   Update messages should be sent at regular intervals of time as long
542	   as the group is active, and members that don't update should
543	   eventually be removed from the group.  It's left to the application
544	   to determine an appropriate amount of time between Updates.

546	                                                             Group
547	   A              B     ...      Z          Directory        Channel
548	   |              |              |              |              |
549	   |              | Update(B)    |              |              |
550	   |              |------------------------------------------->|
551	   | Commit(Upd)  |              |              |              |
552	   |---------------------------------------------------------->|
553	   |              |              |              |              |
554	   |              |              |              | Update(B)    |
555	   |              |              |              | Commit(Upd)  |
556	   |<----------------------------------------------------------|
557	   |state.upd(B)  |<-------------------------------------------|
558	   |              |state.upd(B)  |<----------------------------|
559	   |              |              |state.upd(B)  |              |
560	   |              |              |              |              |

562	   Members are removed from the group in a similar way.  Any member of
563	   the group can send a Remove proposal followed by a Commit message,
564	   which adds new entropy to the group state that's known to all except
565	   the removed member.  Note that this does not necessarily imply that
566	   any member is actually allowed to evict other members; groups can
567	   enforce access control policies on top of these basic mechanism.

569	                                                             Group
570	   A              B     ...      Z          Directory       Channel
571	   |              |              |              |              |
572	   |              |              | Remove(B)    |              |
573	   |              |              | Commit(Rem)  |              |
574	   |              |              |---------------------------->|
575	   |              |              |              |              |
576	   |              |              |              | Remove(B)    |
577	   |              |              |              | Commit(Rem)  |
578	   |<----------------------------------------------------------|
579	   |state.rem(B)  |              |<----------------------------|
580	   |              |              |state.rem(B)  |              |
581	   |              |              |              |              |
582	   |              |              |              |              |

584	5.  Ratchet Trees

586	   The protocol uses "ratchet trees" for deriving shared secrets among a
587	   group of clients.

589	5.1.  Tree Computation Terminology

591	   Trees consist of _nodes_. A node is a _leaf_ if it has no children,
592	   and a _parent_ otherwise; note that all parents in our trees have
593	   precisely two children, a _left_ child and a _right_ child.  A node
594	   is the _root_ of a tree if it has no parents, and _intermediate_ if
595	   it has both children and parents.  The _descendants_ of a node are
596	   that node, its children, and the descendants of its children, and we
597	   say a tree _contains_ a node if that node is a descendant of the root
598	   of the tree.  Nodes are _siblings_ if they share the same parent.

600	   A _subtree_ of a tree is the tree given by the descendants of any
601	   node, the _head_ of the subtree.  The _size_ of a tree or subtree is
602	   the number of leaf nodes it contains.  For a given parent node, its
603	   _left subtree_ is the subtree with its left child as head
604	   (respectively _right subtree_).

606	   All trees used in this protocol are left-balanced binary trees.  A
607	   binary tree is _full_ (and _balanced_) if its size is a power of two
608	   and for any parent node in the tree, its left and right subtrees have
609	   the same size.

611	   A binary tree is _left-balanced_ if for every parent, either the
612	   parent is balanced, or the left subtree of that parent is the largest
613	   full subtree that could be constructed from the leaves present in the
614	   parent's own subtree.  Given a list of "n" items, there is a unique
615	   left-balanced binary tree structure with these elements as leaves.

617	   (Note that left-balanced binary trees are the same structure that is
618	   used for the Merkle trees in the Certificate Transparency protocol
619	   [I-D.ietf-trans-rfc6962-bis].)

621	   The _direct path_ of a root is the empty list, and of any other node
622	   is the concatenation of that node's parent along with the parent's
623	   direct path.  The _copath_ of a node is the node's sibling
624	   concatenated with the list of siblings of all the nodes in its direct
625	   path, excluding the root.

627	   For example, in the below tree:

629	   *  The direct path of C is (CD, ABCD, ABCDEFG)

631	   *  The copath of C is (D, AB, EFG)
632	               ABCDEFG
633	              /      \
634	             /        \
635	            /          \
636	        ABCD            EFG
637	       /    \          /  \
638	      /      \        /    \
639	     AB      CD      EF    |
640	    / \     / \     / \    |
641	   A   B   C   D   E   F   G

643	                       1 1 1
644	   0 1 2 3 4 5 6 7 8 9 0 1 2

646	   Each node in the tree is assigned a _node index_, starting at zero
647	   and running from left to right.  A node is a leaf node if and only if
648	   it has an even index.  The node indices for the nodes in the above
649	   tree are as follows:

651	   *  0 = A

653	   *  1 = AB

655	   *  2 = B

657	   *  3 = ABCD

659	   *  4 = C

661	   *  5 = CD

663	   *  6 = D

665	   *  7 = ABCDEFG

667	   *  8 = E

669	   *  9 = EF

671	   *  10 = F

673	   *  11 = EFG

675	   *  12 = G

677	   The leaves of the tree are indexed separately, using a _leaf index_,
678	   since the protocol messages only need to refer to leaves in the tree.
679	   Like nodes, leaves are numbered left to right.  The node with leaf
680	   index "k" is also called the "k-th" leaf.  Note that given the above
681	   numbering, a node is a leaf node if and only if it has an even node
682	   index, and a leaf node's leaf index is half its node index.  The leaf
683	   indices in the above tree are as follows:

685	   *  0 = A

687	   *  1 = B

689	   *  2 = C

691	   *  3 = D

693	   *  4 = E

695	   *  5 = F

697	   *  6 = G

699	5.2.  Ratchet Tree Nodes

701	   A particular instance of a ratchet tree is defined by the same
702	   parameters that define an instance of HPKE, namely:

704	   *  A Key Encapsulation Mechanism (KEM), including a "DeriveKeyPair"
705	      function that creates a key pair for the KEM from a symmetric
706	      secret

708	   *  A Key Derivation Function (KDF), including "Extract" and "Expand"
709	      functions

711	   *  An AEAD encryption scheme

713	   Each node in a ratchet tree contains up to five values:

715	   *  A private key (only within the member's direct path, see below)

717	   *  A public key

719	   *  An ordered list of leaf indices for "unmerged" leaves (see
720	      Section 5.3)

722	   *  A credential (only for leaf nodes)

724	   *  A hash of the node's parent, as of the last time the node was
725	      changed.

727	   The conditions under which each of these values must or must not be
728	   present are laid out in Section 5.3.

730	   A node in the tree may also be _blank_, indicating that no value is
731	   present at that node.  The _resolution_ of a node is an ordered list
732	   of non-blank nodes that collectively cover all non-blank descendants
733	   of the node.

735	   *  The resolution of a non-blank node comprises the node itself,
736	      followed by its list of unmerged leaves, if any

738	   *  The resolution of a blank leaf node is the empty list

740	   *  The resolution of a blank intermediate node is the result of
741	      concatenating the resolution of its left child with the resolution
742	      of its right child, in that order

744	   For example, consider the following tree, where the "_" character
745	   represents a blank node:

747	         _
748	       /   \
749	      /     \
750	     _       CD[C]
751	    / \     / \
752	   A   _   C   D

754	   0 1 2 3 4 5 6

756	   In this tree, we can see all of the above rules in play:

758	   *  The resolution of node 5 is the list [CD, C]

760	   *  The resolution of node 2 is the empty list []

762	   *  The resolution of node 3 is the list [A, CD, C]

764	   Every node, regardless of whether the node is blank or populated, has
765	   a corresponding _hash_ that summarizes the contents of the subtree
766	   below that node.  The rules for computing these hashes are described
767	   in Section 7.5.

769	5.3.  Views of a Ratchet Tree

771	   We generally assume that each participant maintains a complete and
772	   up-to-date view of the public state of the group's ratchet tree,
773	   including the public keys for all nodes and the credentials
774	   associated with the leaf nodes.

776	   No participant in an MLS group knows the private key associated with
777	   every node in the tree.  Instead, each member is assigned to a leaf
778	   of the tree, which determines the subset of private keys it knows.
779	   The credential stored at that leaf is one provided by the member.

781	   In particular, MLS maintains the members' views of the tree in such a
782	   way as to maintain the _tree invariant_:

784	   The private key for a node in the tree is known to a member of
785	   the group only if that member's leaf is a descendant of
786	   the node.

788	   In other words, if a node is not blank, then it holds a public key.
789	   The corresponding private key is known only to members occupying
790	   leaves below that node.

792	   The reverse implication is not true: A member may not know the
793	   private keys of all the intermediate nodes they're below.  Such a
794	   member has an _unmerged_ leaf.  Encrypting to an intermediate node
795	   requires encrypting to the node's public key, as well as the public
796	   keys of all the unmerged leaves below it.  A leaf is unmerged when it
797	   is first added, because the process of adding the leaf does not give
798	   it access to all of the nodes above it in the tree.  Leaves are
799	   "merged" as they receive the private keys for nodes, as described in
800	   Section 5.4.

802	5.4.  Ratchet Tree Evolution

804	   A member of an MLS group advances the key schedule to provide forward
805	   secrecy and post-compromise security by providing the group with
806	   fresh key material to be added into the group's shared secret.  To do
807	   so, one member of the group generates fresh key material, applies it
808	   to their local tree state, and then sends this key material to other
809	   members in the group via an UpdatePath message (see Section 7.7) .
810	   All other group members then apply the key material in the UpdatePath
811	   to their own local tree state to derive the group's now-updated
812	   shared secret.

814	   To begin, the generator of the UpdatePath updates its leaf KeyPackage
815	   and its direct path to the root with new secret values.  The HPKE
816	   leaf public key within the KeyPackage MUST be derived from a freshly
817	   generated HPKE secret key to provide post-compromise security.

819	   The generator of the UpdatePath starts by sampling a fresh random
820	   value called "leaf_secret", and uses the leaf_secret to generate
821	   their leaf HPKE key pair (see Section 7) and to seed a sequence of
822	   "path secrets", one for each ancestor of its leaf.  In this setting,
823	   path_secret[0] refers to the node directly above the leaf,
824	   path_secret[1] for its parent, and so on.  At each step, the path
825	   secret is used to derive a new secret value for the corresponding
826	   node, from which the node's key pair is derived.

828	   leaf_node_secret = DeriveSecret(leaf_secret, "node")
829	   path_secret[0] = DeriveSecret(leaf_secret, "path")

831	   path_secret[n] = DeriveSecret(path_secret[n-1], "path")
832	   node_secret[n] = DeriveSecret(path_secret[n], "node")

834	   leaf_priv, leaf_pub = KEM.DeriveKeyPair(leaf_node_secret)
835	   node_priv[n], node_pub[n] = KEM.DeriveKeyPair(node_secret[n])

837	   For example, suppose there is a group with four members:

839	         G
840	        / \
841	       /   \
842	      /     \
843	     E       _
844	    / \     / \
845	   A   B   C   D

847	   If member B subsequently generates an UpdatePath based on a secret
848	   "leaf_secret", then it would generate the following sequence of path
849	   secrets:

851	   path_secret[1] --> node_secret[1] --> node_priv[1], node_pub[1]
852	        ^
853	        |
854	   path_secret[0] --> node_secret[0] --> node_priv[0], node_pub[0]
855	        ^
856	        |
857	   leaf_secret    --> leaf_node_secret --> leaf_priv, leaf_pub
858	                                        ~> leaf_key_package

860	   After applying the UpdatePath, the tree will have the following
861	   structure, where "np[i]" represents the node_priv values generated as
862	   described above:

864	             np[1]
865	            /     \
866	        np[0]      _
867	        /  \      / \
868	       A    B    C   D

870	   After performing these operations, the generator of the UpdatePath
871	   MUST delete the leaf_secret.

873	5.5.  Synchronizing Views of the Tree

875	   After generating fresh key material and applying it to ratchet
876	   forward their local tree state as described in the prior section, the
877	   generator must broadcast this update to other members of the group in
878	   a Commit message, who apply it to keep their local views of the tree
879	   in sync with the sender's.  More specifically, when a member commits
880	   a change to the tree (e.g., to add or remove a member), it transmits
881	   an UpdatePath message containing a set of public and encrypted
882	   private values for intermediate nodes in the direct path of a leaf.
883	   The other members of the group use these values to update their view
884	   of the tree, aligning their copy of the tree to the sender's.

886	   To transmit this update, the sender broadcasts to the group the
887	   following information for each node in the direct path of the leaf,
888	   including the root:

890	   *  The public key for the node

892	   *  Zero or more encrypted copies of the path secret corresponding to
893	      the node

895	   The path secret value for a given node is encrypted for the subtree
896	   corresponding to the parent's non-updated child, that is, the child
897	   on the copath of the leaf node.  There is one encrypted path secret
898	   for each public key in the resolution of the non-updated child.

900	   The recipient of a path update processes it with the following steps:

902	   1.  Compute the updated path secrets.

904	       *  Identify a node in the direct path for which the local member
905	          is in the subtree of the non-updated child.

907	       *  Identify a node in the resolution of the copath node for which
908	          this node has a private key.

910	       *  Decrypt the path secret for the parent of the copath node
911	          using the private key from the resolution node.

913	       *  Derive path secrets for ancestors of that node using the
914	          algorithm described above.

916	       *  The recipient SHOULD verify that the received public keys
917	          agree with the public keys derived from the new path_secret
918	          values.

920	   2.  Merge the updated path secrets into the tree.

922	       *  For all updated nodes,

924	          -  Replace the public key for each node with the received
925	             public key.

927	          -  Set the list of unmerged leaves to the empty list.

929	          -  Store the updated hash of the node's parent (represented as
930	             a ParentNode struct), going from root to leaf, so that each
931	             hash incorporates all the nodes above it.  The root node
932	             always has a zero-length hash for this value.

934	       *  For nodes where an updated path secret was computed in step 1,
935	          compute the corresponding node key pair and replace the values
936	          stored at the node with the computed values.

938	   For example, in order to communicate the example update described in
939	   the previous section, the sender would transmit the following values:

941	             +============+==================================+
942	             | Public Key | Ciphertext(s)                    |
943	             +============+==================================+
944	             | pk(ns[1])  | E(pk(C), ps[1]), E(pk(D), ps[1]) |
945	             +------------+----------------------------------+
946	             | pk(ns[0])  | E(pk(A), ps[0])                  |
947	             +------------+----------------------------------+

949	                                  Table 1

951	   In this table, the value pk(ns[X]) represents the public key derived
952	   from the node secret X, whereas pk(X) represents the public leaf key
953	   for user X.  The value E(K, S) represents the public-key encryption
954	   of the path secret S to the public key K.

956	   After processing the update, each recipient MUST delete outdated key
957	   material, specifically:

959	   *  The path secrets used to derive each updated node key pair.

961	   *  Each outdated node key pair that was replaced by the update.

963	6.  Cryptographic Objects

965	6.1.  Ciphersuites

967	   Each MLS session uses a single ciphersuite that specifies the
968	   following primitives to be used in group key computations:

970	   *  HPKE parameters:

972	      -  A Key Encapsulation Mechanism (KEM)

974	      -  A Key Derivation Function (KDF)

976	      -  An AEAD encryption algorithm

978	   *  A hash algorithm

980	   *  A signature algorithm

982	   The HPKE parameters are used to instantiate HPKE [I-D.irtf-cfrg-hpke]
983	   for the purpose of public-key encryption.  The "DeriveKeyPair"
984	   function associated to the KEM for the ciphersuite maps octet strings
985	   to HPKE key pairs.

987	   Ciphersuites are represented with the CipherSuite type.  HPKE public
988	   keys are opaque values in a format defined by the underlying protocol
989	   (see the Cryptographic Dependencies section of the HPKE specification
990	   for more information).

992	   opaque HPKEPublicKey<1..2^16-1>;

994	   The signature algorithm specified in the ciphersuite is the mandatory
995	   algorithm to be used for signatures in MLSPlaintext and the tree
996	   signatures.  It MUST be the same as the signature algorithm specified
997	   in the credential field of the KeyPackage objects in the leaves of
998	   the tree (including the InitKeys used to add new members).

1000	   The ciphersuites are defined in section Section 16.1.

1002	6.2.  Credentials

1004	   A member of a group authenticates the identities of other
1005	   participants by means of credentials issued by some authentication
1006	   system, like a PKI.  Each type of credential MUST express the
1007	   following data in the context of the group it is used with:

1009	   *  The public key of a signature key pair matching the
1010	      SignatureScheme specified by the CipherSuite of the group

1012	   *  The identity of the holder of the private key

1014	   Credentials MAY also include information that allows a relying party
1015	   to verify the identity / signing key binding.

1017	   Additionally, Credentials SHOULD specify the signature scheme
1018	   corresponding to each contained public key.

1020	   // See RFC 8446 and the IANA TLS SignatureScheme registry
1021	   uint16 SignatureScheme;

1023	   // See IANA registry for registered values
1024	   uint16 CredentialType;

1026	   struct {
1027	       opaque identity<0..2^16-1>;
1028	       SignatureScheme signature_scheme;
1029	       opaque signature_key<0..2^16-1>;
1030	   } BasicCredential;

1032	   struct {
1033	       opaque cert_data<0..2^16-1>;
1034	   } Certificate;

1036	   struct {
1037	       CredentialType credential_type;
1038	       select (Credential.credential_type) {
1039	           case basic:
1040	               BasicCredential;

1042	           case x509:
1043	               Certificate chain<1..2^32-1>;
1044	       };
1045	   } Credential;

1047	   A BasicCredential is a raw, unauthenticated assertion of an identity/
1048	   key binding.  The format of the key in the "public_key" field is
1049	   defined by the relevant ciphersuite: the group ciphersuite for a
1050	   credential in a ratchet tree, the KeyPackage ciphersuite for a
1051	   credential in a KeyPackage object.

1053	   For X509Credential, each entry in the chain represents a single DER-
1054	   encoded X509 certificate.  The chain is ordered such that the first
1055	   entry (chain[0]) is the end-entity certificate and each subsequent
1056	   certificate in the chain MUST be the issuer of the previous
1057	   certificate.  The algorithm for the "public_key" in the end-entity
1058	   certificate MUST match the relevant ciphersuite.

1060	   For ciphersuites using Ed25519 or Ed448 signature schemes, the public
1061	   key is in the format specified [RFC8032].  For ciphersuites using
1062	   ECDSA with the NIST curves P-256 or P-521, the public key is the
1063	   output of the uncompressed Elliptic-Curve-Point-to-Octet-String
1064	   conversion according to [SECG].

1066	   Note that each new credential that has not already been validated by
1067	   the application MUST be validated against the Authentication Service.

1069	7.  Key Packages

1071	   In order to facilitate asynchronous addition of clients to a group,
1072	   it is possible to pre-publish key packages that provide some public
1073	   information about a user.  KeyPackage structures provide information
1074	   about a client that any existing member can use to add this client to
1075	   the group asynchronously.

1077	   A KeyPackage object specifies a ciphersuite that the client supports,
1078	   as well as providing a public key that others can use for key
1079	   agreement.  The client's signature key can be updated throughout the
1080	   lifetime of the group by sending a new KeyPackage with a new
1081	   Credential.  However, the identity MUST be the same in both
1082	   Credentials and the new Credential MUST be validated by the
1083	   authentication service.

1085	   When used as InitKeys, KeyPackages are intended to be used only once
1086	   and SHOULD NOT be reused except in case of last resort.  (See
1087	   Section 15.4).  Clients MAY generate and publish multiple InitKeys to
1088	   support multiple ciphersuites.

1090	   KeyPackages contain a public key chosen by the client, which the
1091	   client MUST ensure uniquely identifies a given KeyPackage object
1092	   among the set of KeyPackages created by this client.

1094	   The value for hpke_init_key MUST be a public key for the asymmetric
1095	   encryption scheme defined by cipher_suite.  The whole structure is
1096	   signed using the client's signature key.  A KeyPackage object with an
1097	   invalid signature field MUST be considered malformed.  The input to
1098	   the signature computation comprises all of the fields except for the
1099	   signature field.

1101	   enum {
1102	       reserved(0),
1103	       mls10(1),
1104	       (255)
1105	   } ProtocolVersion;

1107	   // See IANA registry for registered values
1108	   uint16 ExtensionType;

1110	   struct {
1111	       ExtensionType extension_type;
1112	       opaque extension_data<0..2^16-1>;
1113	   } Extension;

1115	   struct {
1116	       ProtocolVersion version;
1117	       CipherSuite cipher_suite;
1118	       HPKEPublicKey hpke_init_key;
1119	       Credential credential;
1120	       Extension extensions<8..2^32-1>;
1121	       opaque signature<0..2^16-1>;
1122	   } KeyPackage;

1124	   KeyPackage objects MUST contain at least two extensions, one of type
1125	   "capabilities", and one of type "lifetime".  The "capabilities"
1126	   extension allow MLS session establishment to be safe from downgrade
1127	   attacks on the parameters described (as discussed in Section 10),
1128	   while still only advertising one version / ciphersuite per
1129	   KeyPackage.

1131	   As the "KeyPackage" is a structure which is stored in the Ratchet
1132	   Tree and updated depending on the evolution of this tree, each
1133	   modification of its content MUST be reflected by a change of its
1134	   signature.  This allow other members to control the validity of the
1135	   KeyPackage at any time and in particular in the case of a newcomer
1136	   joining the group.

1138	7.1.  Client Capabilities

1140	   The "capabilities" extension indicates what protocol versions,
1141	   ciphersuites, and protocol extensions are supported by a client.

1143	   struct {
1144	       ProtocolVersion versions<0..255>;
1145	       CipherSuite ciphersuites<0..255>;
1146	       ExtensionType extensions<0..255>;
1147	   } Capabilities;
1148	   This extension MUST be always present in a KeyPackage.  Extensions
1149	   that appear in the "extensions" field of a KeyPackage MUST be
1150	   included in the "extensions" field of the "capabilities" extension.

1152	7.2.  Lifetime

1154	   The "lifetime" extension represents the times between which clients
1155	   will consider a KeyPackage valid.  This time is represented as an
1156	   absolute time, measured in seconds since the Unix epoch
1157	   (1970-01-01T00:00:00Z).  A client MUST NOT use the data in a
1158	   KeyPackage for any processing before the "not_before" date, or after
1159	   the "not_after" date.

1161	   uint64 not_before;
1162	   uint64 not_after;

1164	   Applications MUST define a maximum total lifetime that is acceptable
1165	   for a KeyPackage, and reject any KeyPackage where the total lifetime
1166	   is longer than this duration.

1168	   This extension MUST always be present in a KeyPackage.

1170	7.3.  KeyPackage Identifiers

1172	   Within MLS, a KeyPackage is identified by its hash (see, e.g.,
1173	   Section 11.2.2).  The "key_id" extension allows applications to add
1174	   an explicit, application-defined identifier to a KeyPackage.

1176	   opaque key_id<0..2^16-1>;

1178	7.4.  Parent Hash

1180	   The "parent_hash" extension serves to bind a KeyPackage to all the
1181	   nodes above it in the group's ratchet tree.  This enforces the tree
1182	   invariant, meaning that malicious members can't lie about the state
1183	   of the ratchet tree when they send Welcome messages to new members.

1185	   opaque parent_hash<0..255>;

1187	   This extension MUST be present in all Updates that are sent as part
1188	   of a Commit message.  If the extension is present, clients MUST
1189	   verify that "parent_hash" matches the hash of the leaf's parent node
1190	   when represented as a ParentNode struct.

1192	7.5.  Tree Hashes

1194	   To allow group members to verify that they agree on the public
1195	   cryptographic state of the group, this section defines a scheme for
1196	   generating a hash value that represents the contents of the group's
1197	   ratchet tree and the members' KeyPackages.

1199	   The hash of a tree is the hash of its root node, which we define
1200	   recursively, starting with the leaves.

1202	   Elements of the ratchet tree are called "Node" objects and the leaves
1203	   contain an optional "KeyPackage", while the parents contain an
1204	   optional "ParentNode".

1206	   struct {
1207	       uint8 present;
1208	       select (present) {
1209	           case 0: struct{};
1210	           case 1: T value;
1211	       }
1212	   } optional;

1214	   struct {
1215	       HPKEPublicKey public_key;
1216	       uint32 unmerged_leaves<0..2^32-1>;
1217	       opaque parent_hash<0..255>;
1218	   } ParentNode;

1220	   When computing the hash of a parent node, the "ParentNodeHashInput"
1221	   structure is used:

1223	   struct {
1224	       uint32 node_index;
1225	       optional parent_node;
1226	       opaque left_hash<0..255>;
1227	       opaque right_hash<0..255>;
1228	   } ParentNodeHashInput;

1230	   The "left_hash" and "right_hash" fields hold the hashes of the node's
1231	   left and right children, respectively.  When computing the hash of a
1232	   leaf node, the hash of a "LeafNodeHashInput" object is used:

1234	   struct {
1235	       uint32 node_index;
1236	       optional key_package;
1237	   } LeafNodeHashInput;
1238	   Note that the "node_index" field contains the index of the leaf among
1239	   the nodes in the tree, not its index among the leaves; "node_index =
1240	   2 * leaf_index".

1242	7.6.  Group State

1244	   Each member of the group maintains a GroupContext object that
1245	   summarizes the state of the group:

1247	   struct {
1248	       opaque group_id<0..255>;
1249	       uint64 epoch;
1250	       opaque tree_hash<0..255>;
1251	       opaque confirmed_transcript_hash<0..255>;
1252	       Extension extensions<0..2^32-1>;
1253	   } GroupContext;

1255	   The fields in this state have the following semantics:

1257	   *  The "group_id" field is an application-defined identifier for the
1258	      group.

1260	   *  The "epoch" field represents the current version of the group key.

1262	   *  The "tree_hash" field contains a commitment to the contents of the
1263	      group's ratchet tree and the credentials for the members of the
1264	      group, as described in Section 7.5.

1266	   *  The "confirmed_transcript_hash" field contains a running hash over
1267	      the messages that led to this state.

1269	   When a new member is added to the group, an existing member of the
1270	   group provides the new member with a Welcome message.  The Welcome
1271	   message provides the information the new member needs to initialize
1272	   its GroupContext.

1274	   Different changes to the group will have different effects on the
1275	   group state.  These effects are described in their respective
1276	   subsections of Section 11.1.  The following general rules apply:

1278	   *  The "group_id" field is constant

1280	   *  The "epoch" field increments by one for each Commit message that
1281	      is processed

1283	   *  The "tree_hash" is updated to represent the current tree and
1284	      credentials

1286	   *  The "confirmed_transcript_hash" is updated with the data for an
1287	      MLSPlaintext message encoding a Commit message in two parts:

1289	   struct {
1290	       opaque group_id<0..255>;
1291	       uint64 epoch;
1292	       Sender sender;
1293	       ContentType content_type = commit;
1294	       Commit commit;
1295	       opaque signature<0..2^16-1>;
1296	   } MLSPlaintextCommitContent;

1298	   struct {
1299	       MAC confirmation_tag;
1300	   } MLSPlaintextCommitAuthData;

1302	   interim_transcript_hash_[0] = ""; // zero-length octet string

1304	   confirmed_transcript_hash_[n] =
1305	       Hash(interim_transcript_hash_[n] ||
1306	           MLSPlaintextCommitContent_[n]);

1308	   interim_transcript_hash_[n+1] =
1309	       Hash(confirmed_transcript_hash_[n] ||
1310	           MLSPlaintextCommitAuthData_[n]);

1312	   Thus the "confirmed_transcript_hash" field in a GroupContext object
1313	   represents a transcript over the whole history of MLSPlaintext Commit
1314	   messages, up to the confirmation tag field in the current
1315	   MLSPlaintext message.  The confirmation tag is then included in the
1316	   transcript for the next epoch.  The interim transcript hash is passed
1317	   to new members in the GroupInfo struct, and enables existing members
1318	   to incorporate a Commit message into the transcript without having to
1319	   store the whole MLSPlaintextCommitAuthData structure.

1321	   As shown above, when a new group is created, the
1322	   "interim_transcript_hash" field is set to the zero-length octet
1323	   string.

1325	7.7.  Update Paths

1327	   As described in Section 11.2, each MLS Commit message may optionally
1328	   transmit a KeyPackage leaf and node values along its direct path.
1329	   The path contains a public key and encrypted secret value for all
1330	   intermediate nodes in the path above the leaf.  The path is ordered
1331	   from the closest node to the leaf to the root; each node MUST be the
1332	   parent of its predecessor.

1334	   struct {
1335	       opaque kem_output<0..2^16-1>;
1336	       opaque ciphertext<0..2^16-1>;
1337	   } HPKECiphertext;

1339	   struct {
1340	       HPKEPublicKey public_key;
1341	       HPKECiphertext encrypted_path_secret<0..2^32-1>;
1342	   } UpdatePathNode;

1344	   struct {
1345	       KeyPackage leaf_key_package;
1346	       UpdatePathNode nodes<0..2^32-1>;
1347	   } UpdatePath;

1349	   For each "UpdatePathNode", the resolution of the corresponding copath
1350	   node MUST be filtered by removing all new leaf nodes added as part of
1351	   this MLS Commit message.  The number of ciphertexts in the
1352	   "encrypted_path_secret" vector MUST be equal to the length of the
1353	   filtered resolution, with each ciphertext being the encryption to the
1354	   respective resolution node.

1356	   The HPKECiphertext values are computed as

1358	   kem_output, context = SetupBaseS(node_public_key, "")
1359	   ciphertext = context.Seal(group_context, path_secret)

1361	   where "node_public_key" is the public key of the node that the path
1362	   secret is being encrypted for, group_context is the current
1363	   GroupContext object for the group, and the functions "SetupBaseS" and
1364	   "Seal" are defined according to [I-D.irtf-cfrg-hpke].

1366	   Decryption is performed in the corresponding way, using the private
1367	   key of the resolution node and the ephemeral public key transmitted
1368	   in the message.

1370	8.  Key Schedule

1372	   Group keys are derived using the "Extract" and "Expand" functions
1373	   from the KDF for the group's ciphersuite, as well as the functions
1374	   defined below:

1376	   ExpandWithLabel(Secret, Label, Context, Length) =
1377	       KDF.Expand(Secret, KDFLabel, Length)

1379	   Where KDFLabel is specified as:

1381	   struct {
1382	       uint16 length = Length;
1383	       opaque label<7..255> = "mls10 " + Label;
1384	       opaque context<0..2^32-1> = Context;
1385	   } KDFLabel;

1387	   DeriveSecret(Secret, Label) =
1388	       ExpandWithLabel(Secret, Label, "", KDF.Nh)

1390	   The value "KDF.Nh" is the size of an output from "KDF.Extract", in
1391	   bytes.  In the below diagram:

1393	   *  KDF.Extract takes its salt argument from the top and its IKM
1394	      argument from the left

1396	   *  DeriveSecret takes its Secret argument from the incoming arrow

1398	   When processing a handshake message, a client combines the following
1399	   information to derive new epoch secrets:

1401	   *  The init secret from the previous epoch

1403	   *  The commit secret for the current epoch

1405	   *  The GroupContext object for current epoch

1407	   Given these inputs, the derivation of secrets for an epoch proceeds
1408	   as shown in the following diagram:

1410	                   init_secret_[n-1]
1411	                         |
1412	                         V
1413	    commit_secret -> KDF.Extract = joiner_secret
1414	                         |
1415	                         V
1416	                   Derive-Secret(., "member")
1417	                         |
1418	                         V
1419	psk_secret (or 0) -> KDF.Extract = member_secret
1420	                         |
1421	                         +--> Derive-Secret(., "welcome")
1422	                         |    = welcome_secret
1423	                         |
1424	                         V
1425	                   ExpandWithLabel(., "epoch", GroupContext_[n], KDF.Nh)
1426	                         |
1427	                         V
1428	                    epoch_secret
1429	                         |
1430	                         +--> Derive-Secret(., )
1431	                         |    = 
1432	                         |
1433	                         V
1434	                   Derive-Secret(., "init")
1435	                         |
1436	                         V
1437	                   init_secret_[n]

1439	   A number of secrets are derived from the epoch secret for different
1440	   purposes:

1442	               +=======================+==================+
1443	               | Secret                | Label            |
1444	               +=======================+==================+
1445	               | sender_data_secret    | "sender data"    |
1446	               +-----------------------+------------------+
1447	               | encryption_secret     | "encryption"     |
1448	               +-----------------------+------------------+
1449	               | exporter_secret       | "exporter"       |
1450	               +-----------------------+------------------+
1451	               | authentication_secret | "authentication" |
1452	               +-----------------------+------------------+
1453	               | external_secret       | "external"       |
1454	               +-----------------------+------------------+
1455	               | confirmation_key      | "confirm"        |
1456	               +-----------------------+------------------+
1457	               | membership_key        | "membership"     |
1458	               +-----------------------+------------------+
1459	               | resumption_secret     | "resumption"     |
1460	               +-----------------------+------------------+

1462	                                 Table 2

1464	   The "external secret" is used to derive an HPKE key pair whose
1465	   private key is held by the entire group:

1467	   external_priv, external_pub = KEM.DeriveKeyPair(external_secret)

1469	   The public key "external_pub" can be published as part of the
1470	   "PublicGroupState" struct in order to allow non-members to join the
1471	   group using an external commit.

1473	8.1.  External Initialization

1475	   In addition to initializing a new epoch via KDF invocations as
1476	   described above, an MLS group can also initialize a new epoch via an
1477	   asymmetric interaction using the external key pair for the previous
1478	   epoch.  This is done when an new member is joining via an external
1479	   commit.

1481	   In this process, the joiner sends a new "init_secret" value to the
1482	   group using the HPKE export method.  The joiner then uses that
1483	   "init_secret" with information provided in the PublicGroupState and
1484	   an external Commit to initialize their copy of the key schedule for
1485	   the new epoch.

1487	   kem_output, context = SetupBaseS(external_pub, PublicGroupState)
1488	   init_secret = context.export("MLS 1.0 external init secret", KDF.Nh)
1489	   Members of the group receive the "kem_output" in an ExternalInit
1490	   proposal and preform the corresponding calculation to retrieve the
1491	   "init_secret" value.

1493	   context = SetupBaseR(kem_output, external_priv, PublicGroupState)
1494	   init_secret = context.export("MLS 1.0 external init secret", KDF.Nh)

1496	   In both cases, the "info" input to HPKE is set to the
1497	   PublicGroupState for the previous epoch, encoded using the TLS
1498	   serialization.

1500	8.2.  Pre-Shared Keys

1502	   Groups which already have an out-of-band mechanism to generate shared
1503	   group secrets can inject those into the MLS key schedule to seed the
1504	   MLS group secrets computations by this external entropy.

1506	   Injecting an external PSK can improve security in the case where
1507	   having a full run of updates across members is too expensive, or if
1508	   the external group key establishment mechanism provides stronger
1509	   security against classical or quantum adversaries.

1511	   Note that, as a PSK may have a different lifetime than an update, it
1512	   does not necessarily provide the same Forward Secrecy (FS) or Post-
1513	   Compromise Security (PCS) guarantees as a Commit message.

1515	   Each PSK in MLS has a type that designates how it was provisioned.
1516	   External PSKs are provided by the application, while recovery and re-
1517	   init PSKs are derived from the MLS key schedule and used in cases
1518	   where it is necessary to authenticate a member's participation in a
1519	   prior group state.  In particular, in addition to external PSK types,
1520	   a PSK derived from within MLS may be used in the following cases:

1522	   *  Re-Initialization: If during the lifetime of a group, the group
1523	      members decide to switch to a more secure ciphersuite or newer
1524	      protocol version, a PSK can be used to carry entropy from the old
1525	      group forward into a new group with the desired parameters.

1527	   *  Branching: A PSK may be used to bootstrap a subset of current
1528	      group members into a new group.  This applies if a subset of
1529	      current group members wish to branch based on the current group
1530	      state.

1532	   The injection of one or more PSKs into the key schedule is signaled
1533	   in two ways: 1) as a "PreSharedKey" proposal, and 2) in the
1534	   "GroupSecrets" object of a Welcome message sent to new members added
1535	   in that epoch.

1537	   enum {
1538	     reserved(0),
1539	     external(1),
1540	     reinit(2),
1541	     branch(3),
1542	     (255)
1543	   } PSKType;

1545	   struct {
1546	     PSKType psktype;
1547	     select (PreSharedKeyID.psktype) {
1548	       case external:
1549	         opaque psk_id<0..255>;

1551	       case reinit:
1552	         opaque psk_group_id<0..255>;
1553	         uint64 psk_epoch;

1555	       case branch:
1556	         opaque psk_group_id<0..255>;
1557	         uint64 psk_epoch;
1558	     }
1559	     opaque psk_nonce<0..255>;
1560	   } PreSharedKeyID;

1562	   struct {
1563	       PreSharedKeyID psks<0..2^16-1>;
1564	   } PreSharedKeys;

1566	   On receiving a Commit with a "PreSharedKey" proposal or a
1567	   GroupSecrets object with the "psks" field set, the receiving Client
1568	   includes them in the key schedule in the order listed in the Commit,
1569	   or in the "psks" field respectively.  For resumption PSKs, the PSK is
1570	   defined as the "resumption_secret" of the group and epoch specified
1571	   in the "PreSharedKeyID" object.  Specifically, "psk_secret" is
1572	   computed as follows:

1574	struct {
1575	    PreSharedKeyID id;
1576	    uint16 index;
1577	    uint16 count;
1578	} PSKLabel;

1580	psk_input_[i] = KDF.Extract(0, psk_[i])
1581	psk_secret_[i] = ExpandWithLabel(psk_input_[i], "derived psk", PSKLabel, KDF.Nh)
1582	psk_secret     = psk_secret_[0] || ... || psk_secret_[n-1]
1583	   The "index" field in "PSKLabel" corresponds to the index of the PSK
1584	   in the "psk" array, while the "count" field contains the total number
1585	   of PSKs.

1587	8.3.  Secret Tree

1589	   For the generation of encryption keys and nonces, the key schedule
1590	   begins with the "encryption_secret" at the root and derives a tree of
1591	   secrets with the same structure as the group's ratchet tree.  Each
1592	   leaf in the Secret Tree is associated with the same group member as
1593	   the corresponding leaf in the ratchet tree.  Nodes are also assigned
1594	   an index according to their position in the array representation of
1595	   the tree (described in Appendix A).  If N is a node index in the
1596	   Secret Tree then left(N) and right(N) denote the children of N (if
1597	   they exist).

1599	   The secret of any other node in the tree is derived from its parent's
1600	   secret using a call to DeriveTreeSecret:

1602	   DeriveTreeSecret(Secret, Label, Node, Generation, Length) =
1603	       ExpandWithLabel(Secret, Label, TreeContext, Length)

1605	   Where TreeContext is specified as:

1607	   struct {
1608	       uint32 node = Node;
1609	       uint32 generation = Generation;
1610	   } TreeContext;

1612	   If N is a node index in the Secret Tree then the secrets of the
1613	   children of N are defined to be:

1615	   tree_node_[N]_secret
1616	           |
1617	           |
1618	           +--> DeriveTreeSecret(., "tree", left(N), 0, KDF.Nh)
1619	           |    = tree_node_[left(N)]_secret
1620	           |
1621	           +--> DeriveTreeSecret(., "tree", right(N), 0, KDF.Nh)
1622	                = tree_node_[right(N)]_secret

1624	   The secret in the leaf of the Secret Tree is used to initiate two
1625	   symmetric hash ratchets, from which a sequence of single-use keys and
1626	   nonces are derived, as described in Section 8.4.  The root of each
1627	   ratchet is computed as:

1629	   tree_node_[N]_secret
1630	           |
1631	           |
1632	           +--> DeriveTreeSecret(., "handshake", N, 0, KDF.Nh)
1633	           |    = handshake_ratchet_secret_[N]_[0]
1634	           |
1635	           +--> DeriveTreeSecret(., "application", N, 0, KDF.Nh)
1636	                = application_ratchet_secret_[N]_[0]

1638	8.4.  Encryption Keys

1640	   As described in Section 9, MLS encrypts three different types of
1641	   information:

1643	   *  Metadata (sender information)

1645	   *  Handshake messages (Proposal and Commit)

1647	   *  Application messages

1649	   The sender information used to look up the key for content encryption
1650	   is encrypted with an AEAD where the key and nonce are derived from
1651	   both "sender_data_secret" and a sample of the encrypted message
1652	   content.

1654	   For handshake and application messages, a sequence of keys is derived
1655	   via a "sender ratchet".  Each sender has their own sender ratchet,
1656	   and each step along the ratchet is called a "generation".

1658	   A sender ratchet starts from a per-sender base secret derived from a
1659	   Secret Tree, as described in Section 8.3.  The base secret initiates
1660	   a symmetric hash ratchet which generates a sequence of keys and
1661	   nonces.  The sender uses the j-th key/nonce pair in the sequence to
1662	   encrypt (using the AEAD) the j-th message they send during that
1663	   epoch.  Each key/nonce pair MUST NOT be used to encrypt more than one
1664	   message.

1666	   Keys, nonces, and the secrets in ratchets are derived using
1667	   DeriveTreeSecret.  The context in a given call consists of the index
1668	   of the sender's leaf in the ratchet tree and the current position in
1669	   the ratchet.  In particular, the node index of the sender's leaf in
1670	   the ratchet tree is the same as the node index of the leaf in the
1671	   Secret Tree used to initialize the sender's ratchet.

1673	   ratchet_secret_[N]_[j]
1674	         |
1675	         +--> DeriveTreeSecret(., "nonce", N, j, AEAD.Nn)
1676	         |    = ratchet_nonce_[N]_[j]
1677	         |
1678	         +--> DeriveTreeSecret(., "key", N, j, AEAD.Nk)
1679	         |    = ratchet_key_[N]_[j]
1680	         |
1681	         V
1682	   DeriveTreeSecret(., "secret", N, j, KDF.Nh)
1683	   = ratchet_secret_[N]_[j+1]

1685	   Here, AEAD.Nn and AEAD.Nk denote the lengths in bytes of the nonce
1686	   and key for the AEAD scheme defined by the ciphersuite.

1688	8.5.  Deletion Schedule

1690	   It is important to delete all security-sensitive values as soon as
1691	   they are _consumed_. A sensitive value S is said to be _consumed_ if

1693	   *  S was used to encrypt or (successfully) decrypt a message, or if

1695	   *  a key, nonce, or secret derived from S has been consumed.  (This
1696	      goes for values derived via DeriveSecret as well as
1697	      ExpandWithLabel.)

1699	   Here, S may be the "init_secret", "commit_secret", "epoch_secret",
1700	   "encryption_secret" as well as any secret in a Secret Tree or one of
1701	   the ratchets.

1703	   As soon as a group member consumes a value they MUST immediately
1704	   delete (all representations of) that value.  This is crucial to
1705	   ensuring forward secrecy for past messages.  Members MAY keep
1706	   unconsumed values around for some reasonable amount of time to handle
1707	   out-of-order message delivery.

1709	   For example, suppose a group member encrypts or (successfully)
1710	   decrypts an application message using the j-th key and nonce in the
1711	   ratchet of node index N in some epoch n.  Then, for that member, at
1712	   least the following values have been consumed and MUST be deleted:

1714	   *  the "commit_secret", "joiner_secret", "member_secret",
1715	      "epoch_secret", "encryption_secret" of that epoch n as well as the
1716	      "init_secret" of the previous epoch n-1,

1718	   *  all node secrets in the Secret Tree on the path from the root to
1719	      the leaf with node index N,

1721	   *  the first j secrets in the application data ratchet of node index
1722	      N and

1724	   *  "application_ratchet_nonce_[N]_[j]" and
1725	      "application_ratchet_key_[N]_[j]".

1727	   Concretely, suppose we have the following Secret Tree and ratchet for
1728	   participant D:

1730	          G
1731	        /   \
1732	       /     \
1733	      E       F
1734	     / \     / \
1735	    A   B   C   D
1736	               / \
1737	             HR0  AR0 -+- K0
1738	                   |   |
1739	                   |   +- N0
1740	                   |
1741	                  AR1 -+- K1
1742	                   |   |
1743	                   |   +- N1
1744	                   |
1745	                  AR2

1747	   Then if a client uses key K1 and nonce N1 during epoch n then it must
1748	   consume (at least) values G, F, D, AR0, AR1, K1, N1 as well as the
1749	   key schedule secrets used to derive G (the "encryption_secret"),
1750	   namely "init_secret" of epoch n-1 and "commit_secret",
1751	   "joiner_secret", "member_secret", "epoch_secret" of epoch n.  The
1752	   client MAY retain (not consume) the values K0 and N0 to allow for
1753	   out-of-order delivery, and SHOULD retain AR2 for processing future
1754	   messages.

1756	8.6.  Exporters

1758	   The main MLS key schedule provides an "exporter_secret" which can be
1759	   used by an application as the basis to derive new secrets called
1760	   "exported_value" outside the MLS layer.

1762	   MLS-Exporter(Label, Context, key_length) =
1763	          ExpandWithLabel(DeriveSecret(exporter_secret, Label),
1764	                            "exporter", Hash(Context), key_length)

1766	   Each application SHOULD provide a unique label to "MLS-Exporter" that
1767	   identifies its use case.  This is to prevent two exported outputs
1768	   from being generated with the same values and used for different
1769	   functionalities.

1771	   The exported values are bound to the group epoch from which the
1772	   "exporter_secret" is derived, hence reflects a particular state of
1773	   the group.

1775	   It is RECOMMENDED for the application generating exported values to
1776	   refresh those values after a Commit is processed.

1778	8.7.  Resumption Secret

1780	   The main MLS key schedule provides a "resumption_secret" which can
1781	   provide extra security in some cross-group operations.

1783	   The application SHOULD specify an upper limit on the number of past
1784	   epochs for which the "resumption_secret" may be stored.

1786	   There are two ways in which a "resumption_secret" can be used: to re-
1787	   initialize the group with different parameters, or to create a sub-
1788	   group of an existing group as detailed in Section 8.2.

1790	   Resumption keys are distinguished from exporter keys in that they
1791	   have specific use inside the MLS protocol, whereas the use of
1792	   exporter secrets may be decided by an external application.  They are
1793	   thus derived separately to avoid key material reuse.

1795	8.8.  State Authentication Keys

1797	   The main MLS key schedule provides a per-epoch
1798	   "authentication_secret".  If one of the parties is being actively
1799	   impersonated by an attacker, their "authentication_secret" will
1800	   differ from that of the other group members.  Thus, members of a
1801	   group MAY use their "authentication_secrets" within an out-of-band
1802	   authentication protocol to ensure that they share the same view of
1803	   the group.

1805	9.  Message Framing

1807	   Handshake and application messages use a common framing structure.
1808	   This framing provides encryption to ensure confidentiality within the
1809	   group, as well as signing to authenticate the sender within the
1810	   group.

1812	   The two main structures involved are MLSPlaintext and MLSCiphertext.
1813	   MLSCiphertext represents a signed and encrypted message, with
1814	   protections for both the content of the message and related metadata.
1815	   MLSPlaintext represents a message that is only signed, and not
1816	   encrypted.  Applications MUST use MLSCiphertext to encrypt
1817	   application messages and SHOULD use MLSCiphertext to encode handshake
1818	   messages, but MAY transmit handshake messages encoded as MLSPlaintext
1819	   objects in cases where it is necessary for the Delivery Service to
1820	   examine such messages.

1822	   enum {
1823	       reserved(0),
1824	       application(1),
1825	       proposal(2),
1826	       commit(3),
1827	       (255)
1828	   } ContentType;

1830	   enum {
1831	       reserved(0),
1832	       member(1),
1833	       preconfigured(2),
1834	       new_member(3),
1835	       (255)
1836	   } SenderType;

1838	   struct {
1839	       SenderType sender_type;
1840	       uint32 sender;
1841	   } Sender;

1843	   struct {
1844	       opaque mac_value<0..255>;
1845	   } MAC;

1847	   struct {
1848	       opaque group_id<0..255>;
1849	       uint64 epoch;
1850	       Sender sender;
1851	       opaque authenticated_data<0..2^32-1>;

1853	       ContentType content_type;
1854	       select (MLSPlaintext.content_type) {
1855	           case application:
1856	             opaque application_data<0..2^32-1>;

1858	           case proposal:
1859	             Proposal proposal;

1861	           case commit:
1862	             Commit commit;
1863	       }

1865	       opaque signature<0..2^16-1>;
1866	       optional confirmation_tag;
1867	       optional membership_tag;
1868	   } MLSPlaintext;

1870	   struct {
1871	       opaque group_id<0..255>;
1872	       uint64 epoch;
1873	       ContentType content_type;
1874	       opaque authenticated_data<0..2^32-1>;
1875	       opaque encrypted_sender_data<0..255>;
1876	       opaque ciphertext<0..2^32-1>;
1877	   } MLSCiphertext;

1879	   The field "confirmation_tag" MUST be present if "content_type" equals
1880	   commit.  Otherwise, it MUST NOT be present.

1882	   External sender types are sent as MLSPlaintext, see Section 11.1.7
1883	   for their use.

1885	   The remainder of this section describes how to compute the signature
1886	   of an MLSPlaintext object and how to convert it to an MLSCiphertext
1887	   object for "member" sender types.  The steps are:

1889	   *  Set group_id, epoch, content_type and authenticated_data fields
1890	      from the MLSPlaintext object directly

1892	   *  Identify the key and key generation depending on the content type

1894	   *  Encrypt an MLSCiphertextContent for the ciphertext field using the
1895	      key identified and MLSPlaintext object

1897	   *  Encrypt the sender data using a key and nonce derived from the
1898	      "sender_data_secret" for the epoch and a sample of the encrypted
1899	      MLSCiphertextContent.

1901	   Decryption is done by decrypting the sender data, then the message,
1902	   and then verifying the content signature.

1904	   The following sections describe the encryption and signing processes
1905	   in detail.

1907	9.1.  Content Authentication

1909	   The "signature" field in an MLSPlaintext object is computed using the
1910	   signing private key corresponding to the credential at the leaf of
1911	   the tree indicated by the sender field.  The signature covers the
1912	   plaintext metadata and message content, which is all of MLSPlaintext
1913	   except for the "signature", the "confirmation_tag" and
1914	   "membership_tag" fields.  If the sender is a member of the group, the
1915	   signature also covers the GroupContext for the current epoch, so that
1916	   signatures are specific to a given group and epoch.

1918	   struct {
1919	       select (MLSPlaintextTBS.sender.sender_type) {
1920	           case member:
1921	               GroupContext context;
1922	       }

1924	       opaque group_id<0..255>;
1925	       uint64 epoch;
1926	       Sender sender;
1927	       opaque authenticated_data<0..2^32-1>;

1929	       ContentType content_type;
1930	       select (MLSPlaintextTBS.content_type) {
1931	           case application:
1932	             opaque application_data<0..2^32-1>;

1934	           case proposal:
1935	             Proposal proposal;

1937	           case commit:
1938	             Commit commit;
1939	       }
1940	   } MLSPlaintextTBS;

1942	   The "membership_tag" field in the MLSPlaintext object authenticates
1943	   the sender's membership in the group.  For an MLSPlaintext with a
1944	   sender type other than "member", this field MUST be omitted.  For
1945	   messages sent by members, it MUST be present and set to the following
1946	   value:

1948	   struct {
1949	     MLSPlaintextTBS tbs;
1950	     opaque signature<0..2^16-1>;
1951	     optional confirmation_tag;
1952	   } MLSPlaintextTBM;

1954	   membership_tag = MAC(membership_key, MLSPlaintextTBM);
1955	   Note that the "membership_tag" only needs to be computed for
1956	   MLSPlaintext messages that will be sent over the wire, and isn't
1957	   needed for those that will be encrypted and transmitted as
1958	   MLSCiphertext messages.

1960	9.2.  Content Encryption

1962	   The "ciphertext" field of the MLSCiphertext object is produced by
1963	   supplying the inputs described below to the AEAD function specified
1964	   by the ciphersuite in use.  The plaintext input contains the content
1965	   and signature of the MLSPlaintext, plus optional padding.  These
1966	   values are encoded in the following form:

1968	   struct {
1969	       select (MLSCiphertext.content_type) {
1970	           case application:
1971	             opaque application_data<0..2^32-1>;

1973	           case proposal:
1974	             Proposal proposal;

1976	           case commit:
1977	             Commit commit;
1978	       }

1980	       opaque signature<0..2^16-1>;
1981	       optional confirmation_tag;
1982	       opaque padding<0..2^16-1>;
1983	   } MLSCiphertextContent;

1985	   In the MLS key schedule, the sender creates two distinct key ratchets
1986	   for handshake and application messages for each member of the group.
1987	   When encrypting a message, the sender looks at the ratchets it
1988	   derived for its own member and chooses an unused generation from
1989	   either the handshake or application ratchet depending on the content
1990	   type of the message.  This generation of the ratchet is used to
1991	   derive a provisional nonce and key.

1993	   Before use in the encryption operation, the nonce is XORed with a
1994	   fresh random value to guard against reuse.  Because the key schedule
1995	   generates nonces deterministically, a client must keep persistent
1996	   state as to where in the key schedule it is; if this persistent state
1997	   is lost or corrupted, a client might reuse a generation that has
1998	   already been used, causing reuse of a key/nonce pair.

2000	   To avoid this situation, the sender of a message MUST generate a
2001	   fresh random 4-byte "reuse guard" value and XOR it with the first
2002	   four bytes of the nonce from the key schedule before using the nonce
2003	   for encryption.  The sender MUST include the reuse guard in the
2004	   "reuse_guard" field of the sender data object, so that the recipient
2005	   of the message can use it to compute the nonce to be used for
2006	   decryption.

2008	   +-+-+-+-+---------...---+
2009	   |   Key Schedule Nonce  |
2010	   +-+-+-+-+---------...---+
2011	              XOR
2012	   +-+-+-+-+---------...---+
2013	   | Guard |       0       |
2014	   +-+-+-+-+---------...---+
2015	              ===
2016	   +-+-+-+-+---------...---+
2017	   | Encrypt/Decrypt Nonce |
2018	   +-+-+-+-+---------...---+

2020	   The Additional Authenticated Data (AAD) input to the encryption
2021	   contains an object of the following form, with the values used to
2022	   identify the key and nonce:

2024	   struct {
2025	       opaque group_id<0..255>;
2026	       uint64 epoch;
2027	       ContentType content_type;
2028	       opaque authenticated_data<0..2^32-1>;
2029	   } MLSCiphertextContentAAD;

2031	9.3.  Sender Data Encryption

2033	   The "sender data" used to look up the key for the content encryption
2034	   is encrypted with the ciphersuite's AEAD with a key and nonce derived
2035	   from both the "sender_data_secret" and a sample of the encrypted
2036	   content.  Before being encrypted, the sender data is encoded as an
2037	   object of the following form:

2039	   struct {
2040	       uint32 sender;
2041	       uint32 generation;
2042	       opaque reuse_guard[4];
2043	   } MLSSenderData;

2045	   MLSSenderData.sender is assumed to be a "member" sender type.  When
2046	   constructing an MLSSenderData from a Sender object, the sender MUST
2047	   verify Sender.sender_type is "member" and use Sender.sender for
2048	   MLSSenderData.sender.

2050	   The "reuse_guard" field contains a fresh random value used to avoid
2051	   nonce reuse in the case of state loss or corruption, as described in
2052	   Section 9.2.

2054	   The key and nonce provided to the AEAD are computed as the KDF of the
2055	   first "KDF.Nh" bytes of the ciphertext generated in the previous
2056	   section.  If the length of the ciphertext is less than "KDF.Nh", the
2057	   whole ciphertext is used without padding.  In pseudocode, the key and
2058	   nonce are derived as:

2060	ciphertext_sample = ciphertext[0..KDF.Nh-1]

2062	sender_data_key = ExpandWithLabel(sender_data_secret, "key", ciphertext_sample, AEAD.Nk)
2063	sender_data_nonce = ExpandWithLabel(sender_data_secret, "nonce", ciphertext_sample, AEAD.Nn)

2065	   The Additional Authenticated Data (AAD) for the SenderData ciphertext
2066	   is all the fields of MLSCiphertext excluding "encrypted_sender_data":

2068	   struct {
2069	       opaque group_id<0..255>;
2070	       uint64 epoch;
2071	       ContentType content_type;
2072	   } MLSSenderDataAAD;

2074	   When parsing a SenderData struct as part of message decryption, the
2075	   recipient MUST verify that the sender field represents an occupied
2076	   leaf in the ratchet tree.  In particular, the sender index value MUST
2077	   be less than the number of leaves in the tree.

2079	10.  Group Creation

2081	   A group is always created with a single member, the "creator".  The
2082	   other members are added when the creator effectively sends itself an
2083	   Add proposal and commits it, then sends the corresponding Welcome
2084	   message to the new participants.  These processes are described in
2085	   detail in Section 11.1.1, Section 11.2, and Section 11.2.2.

2087	   The creator of a group MUST take the following steps to initialize
2088	   the group:

2090	   *  Fetch KeyPackages for the members to be added, and select a
2091	      version and ciphersuite according to the capabilities of the
2092	      members.  To protect against downgrade attacks, the creator MUST
2093	      use the "capabilities" extensions in these KeyPackages to verify
2094	      that the chosen version and ciphersuite is the best option
2095	      supported by all members.

2097	   *  Initialize a one-member group with the following initial values
2098	      (where "0" represents an all-zero vector of size KDF.Nh):

2100	      -  Ratchet tree: A tree with a single node, a leaf containing an
2101	         HPKE public key and credential for the creator

2103	      -  Group ID: A value set by the creator

2105	      -  Epoch: 0

2107	      -  Tree hash: The root hash of the above ratchet tree

2109	      -  Confirmed transcript hash: 0

2111	      -  Interim transcript hash: 0

2113	      -  Init secret: a fresh random value of size "KDF.Nh"

2115	   *  For each member, construct an Add proposal from the KeyPackage for
2116	      that member (see Section 11.1.1)

2118	   *  Construct a Commit message that commits all of the Add proposals,
2119	      in any order chosen by the creator (see Section 11.2)

2121	   *  Process the Commit message to obtain a new group state (for the
2122	      epoch in which the new members are added) and a Welcome message

2124	   *  Transmit the Welcome message to the other new members

2126	   The recipient of a Welcome message processes it as described in
2127	   Section 11.2.2.

2129	   In principle, the above process could be streamlined by having the
2130	   creator directly create a tree and choose a random value for first
2131	   epoch's epoch secret.  We follow the steps above because it removes
2132	   unnecessary choices, by which, for example, bad randomness could be
2133	   introduced.  The only choices the creator makes here are its own
2134	   KeyPackage, the leaf secret from which the Commit is built, and the
2135	   intermediate key pairs along the direct path to the root.

2137	10.1.  Linking a New Group to an Existing Group

2139	   A new group may be tied to an already existing group for the purpose
2140	   of re-initializing the existing group, or to branch into a sub-group.
2141	   Re-initializing an existing group may be used, for example, to
2142	   restart the group with a different ciphersuite or protocol version.
2143	   Branching may be used to bootstrap a new group consisting of a subset
2144	   of current group members, based on the current group state.

2146	   In both cases, the "psk_nonce" included in the "PreSharedKeyID"
2147	   object must be a randomly sampled nonce of length "KDF.Nh" to avoid
2148	   key re-use.

2150	10.1.1.  Sub-group Branching

2152	   If a client wants to create a subgroup of an existing group, they MAY
2153	   choose to include a "PreSharedKeyID" in the "GroupSecrets" object of
2154	   the Welcome message choosing the "psktype" "branch", the "group_id"
2155	   of the group from which a subgroup is to be branched, as well as an
2156	   epoch within the number of epochs for which a "resumption_secret" is
2157	   kept.

2159	11.  Group Evolution

2161	   Over the lifetime of a group, its membership can change, and existing
2162	   members might want to change their keys in order to achieve post-
2163	   compromise security.  In MLS, each such change is accomplished by a
2164	   two-step process:

2166	   1.  A proposal to make the change is broadcast to the group in a
2167	       Proposal message

2169	   2.  A member of the group or a new member broadcasts a Commit message
2170	       that causes one or more proposed changes to enter into effect

2172	   The group thus evolves from one cryptographic state to another each
2173	   time a Commit message is sent and processed.  These states are
2174	   referred to as "epochs" and are uniquely identified among states of
2175	   the group by eight-octet epoch values.  When a new group is
2176	   initialized, its initial state epoch is 0x0000000000000000.  Each
2177	   time a state transition occurs, the epoch number is incremented by
2178	   one.

2180	11.1.  Proposals

2182	   Proposals are included in an MLSPlaintext by way of a Proposal
2183	   structure that indicates their type:

2185	   enum {
2186	       reserved(0),
2187	       add(1),
2188	       update(2),
2189	       remove(3),
2190	       psk(4),
2191	       reinit(5),
2192	       external_init(6),
2193	       (255)
2194	   } ProposalType;

2196	   struct {
2197	       ProposalType msg_type;
2198	       select (Proposal.msg_type) {
2199	           case add:           Add;
2200	           case update:        Update;
2201	           case remove:        Remove;
2202	           case psk:           PreSharedKey;
2203	           case reinit:        ReInit;
2204	           case external_init: ExternalInit;
2205	       };
2206	   } Proposal;

2208	   On receiving an MLSPlaintext containing a Proposal, a client MUST
2209	   verify the signature on the enclosing MLSPlaintext.  If the signature
2210	   verifies successfully, then the Proposal should be cached in such a
2211	   way that it can be retrieved by hash (as a ProposalOrRef object) in a
2212	   later Commit message.

2214	11.1.1.  Add

2216	   An Add proposal requests that a client with a specified KeyPackage be
2217	   added to the group.

2219	   struct {
2220	       KeyPackage key_package;
2221	   } Add;

2223	   The proposer of the Add does not control where in the group's ratchet
2224	   tree the new member is added.  Instead, the sender of the Commit
2225	   message chooses a location for each added member and states it in the
2226	   Commit message.

2228	   An Add is applied after being included in a Commit message.  The
2229	   position of the Add in the list of proposals determines the leaf
2230	   index "index" where the new member will be added.  For the first Add
2231	   in the Commit, "index" is the leftmost empty leaf in the tree, for
2232	   the second Add, the next empty leaf to the right, etc.

2234	   *  If necessary, extend the tree to the right until it has at least
2235	      index + 1 leaves

2237	   *  For each non-blank intermediate node along the path from the leaf
2238	      at position "index" to the root, add "index" to the
2239	      "unmerged_leaves" list for the node.

2241	   *  Set the leaf node in the tree at position "index" to a new node
2242	      containing the public key from the KeyPackage in the Add, as well
2243	      as the credential under which the KeyPackage was signed

2245	11.1.2.  Update

2247	   An Update proposal is a similar mechanism to Add with the distinction
2248	   that it is the sender's leaf KeyPackage in the tree which would be
2249	   updated with a new KeyPackage.

2251	   struct {
2252	       KeyPackage key_package;
2253	   } Update;

2255	   A member of the group applies an Update message by taking the
2256	   following steps:

2258	   *  Replace the sender's leaf KeyPackage with the one contained in the
2259	      Update proposal

2261	   *  Blank the intermediate nodes along the path from the sender's leaf
2262	      to the root

2264	11.1.3.  Remove

2266	   A Remove proposal requests that the client at a specified index in
2267	   the tree be removed from the group.

2269	   struct {
2270	       uint32 removed;
2271	   } Remove;

2273	   A member of the group applies a Remove message by taking the
2274	   following steps:

2276	   *  Replace the leaf node at position "removed" with a blank node

2278	   *  Blank the intermediate nodes along the path from the removed leaf
2279	      to the root

2281	11.1.4.  PreSharedKey

2283	   A PreSharedKey proposal can be used to request that a pre-shared key
2284	   be injected into the key schedule in the process of advancing the
2285	   epoch.

2287	   struct {
2288	       PreSharedKeyID psk;
2289	   } PreSharedKey;

2291	   The "psktype" of the pre-shared key MUST be "external" and the
2292	   "psk_nonce" MUST be a randomly sampled nonce of length "KDF.Nh".
2293	   When processing a Commit message that includes one or more
2294	   PreSharedKey proposals, group members derive "psk_secret" as
2295	   described in Section 8.2, where the order of the PSKs corresponds to
2296	   the order of the "PreSharedKey" proposals in the Commit.

2298	11.1.5.  ReInit

2300	   A ReInit proposal represents a request to re-initialize the group
2301	   with different parameters, for example, to increase the version
2302	   number or to change the ciphersuite.  The re-initialization is done
2303	   by creating a completely new group and shutting down the old one.

2305	   struct {
2306	       opaque group_id<0..255>;
2307	       ProtocolVersion version;
2308	       CipherSuite cipher_suite;
2309	       Extension extensions<0..2^32-1>;
2310	   } ReInit;

2312	   A member of the group applies a ReInit proposal by waiting for the
2313	   committer to send the Welcome message and by checking that the
2314	   "group_id" and the parameters of the new group corresponds to the
2315	   ones specified in the proposal.  The Welcome message MUST specify
2316	   exactly one pre-shared key with "psktype = reinit", and with
2317	   "psk_group_id" and "psk_epoch" equal to the "group_id" and "epoch" of
2318	   the existing group after the Commit containing the "reinit" Proposal
2319	   was processed.  The Welcome message may specify the inclusion of
2320	   other pre-shared keys with a "psktype" different from "reinit".

2322	   If a ReInit proposal is included in a Commit, it MUST be the only
2323	   proposal referenced by the Commit.  If other non-ReInit proposals
2324	   have been sent during the epoch, the committer SHOULD prefer them
2325	   over the ReInit proposal, allowing the ReInit to be resent and
2326	   applied in a subsequent epoch.  The "version" field in the ReInit
2327	   proposal MUST be no less than the version for the current group.

2329	11.1.6.  ExternalInit

2331	   An ExternalInit proposal is used by new members that want to join a
2332	   group by using an external commit.  This propsal can only be used in
2333	   that context.

2335	   struct {
2336	     opaque kem_output<0..2^16-1>;
2337	   } ExternalInit;

2339	   A member of the group applies an ExternalInit message by initializing
2340	   the next epoch using an init secret computed as described in
2341	   Section 8.1.  The "kem_output" field contains the required KEM
2342	   output.

2344	11.1.7.  External Proposals

2346	   Add and Remove proposals can be constructed and sent to the group by
2347	   a party that is outside the group.  For example, a Delivery Service
2348	   might propose to remove a member of a group who has been inactive for
2349	   a long time, or propose adding a newly-hired staff member to a group
2350	   representing a real-world team.  Proposals originating outside the
2351	   group are identified by a "preconfigured" or "new_member" SenderType
2352	   in MLSPlaintext.

2354	   ReInit proposals can also be sent to the group by a "preconfigured"
2355	   sender, for example to enforce a changed policy regarding MLS version
2356	   or ciphersuite.

2358	   The "new_member" SenderType is used for clients proposing that they
2359	   themselves be added.  For this ID type the sender value MUST be zero
2360	   and the Proposal type MUST be Add. The MLSPlaintext MUST be signed
2361	   with the private key corresponding to the KeyPackage in the Add
2362	   message.  Recipients MUST verify that the MLSPlaintext carrying the
2363	   Proposal message is validly signed with this key.

2365	   The "preconfigured" SenderType is reserved for signers that are pre-
2366	   provisioned to the clients within a group.  If proposals with these
2367	   sender IDs are to be accepted within a group, the members of the
2368	   group MUST be provisioned by the application with a mapping between
2369	   these IDs and authorized signing keys.  Recipients MUST verify that
2370	   the MLSPlaintext carrying the Proposal message is validly signed with
2371	   the corresponding key.  To ensure consistent handling of external
2372	   proposals, the application MUST ensure that the members of a group
2373	   have the same mapping and apply the same policies to external
2374	   proposals.

2376	   An external proposal MUST be sent as an MLSPlaintext object, since
2377	   the sender will not have the keys necessary to construct an
2378	   MLSCiphertext object.

2380	11.2.  Commit

2382	   A Commit message initiates a new epoch for the group, based on a
2383	   collection of Proposals.  It instructs group members to update their
2384	   representation of the state of the group by applying the proposals
2385	   and advancing the key schedule.

2387	   Each proposal covered by the Commit is included by a ProposalOrRef
2388	   value, which identifies the proposal to be applied by value or by
2389	   reference.  Proposals supplied by value are included directly in the
2390	   Commit object.  Proposals supplied by reference are specified by
2391	   including the hash of the MLSPlaintext in which the Proposal was
2392	   sent, using the hash function from the group's ciphersuite.  For
2393	   proposals supplied by value, the sender of the proposal is the same
2394	   as the sender of the Commit.  Conversely, proposals sent by people
2395	   other than the committer MUST be included by reference.

2397	   enum {
2398	     reserved(0),
2399	     proposal(1)
2400	     reference(2),
2401	     (255)
2402	   } ProposalOrRefType;

2404	   struct {
2405	     ProposalOrRefType type;
2406	     select (ProposalOrRef.type) {
2407	       case proposal:  Proposal proposal;
2408	       case reference: opaque hash<0..255>;
2409	     }
2410	   } ProposalOrRef;

2412	   struct {
2413	       ProposalOrRef proposals<0..2^32-1>;
2414	       optional path;
2415	   } Commit;

2417	   A group member that has observed one or more proposals within an
2418	   epoch MUST send a Commit message before sending application data.
2419	   This ensures, for example, that any members whose removal was
2420	   proposed during the epoch are actually removed before any application
2421	   data is transmitted.

2423	   The sender of a Commit MUST include all valid proposals that it has
2424	   received during the current epoch.  Invalid proposals include, for
2425	   example, proposals with an invalid signature or proposals that are
2426	   semantically invalid, such as an Add when the sender does not have
2427	   the application-level permission to add new users.  If there are
2428	   multiple proposals that apply to the same leaf, the committer chooses
2429	   one and includes only that one in the Commit, considering the rest
2430	   invalid.  The committer MUST prefer any Remove received, or the most
2431	   recent Update for the leaf if there are no Removes.  If there are
2432	   multiple Add proposals for the same client, the committer again
2433	   chooses one to include and considers the rest invalid.

2435	   The Commit MUST NOT combine proposals sent within different epochs.
2436	   In the event that a valid proposal is omitted from the next Commit,
2437	   the sender of the proposal SHOULD retransmit it in the new epoch.

2439	   A member of the group MAY send a Commit that references no proposals
2440	   at all, which would thus have an empty "proposals" vector.  Such a
2441	   Commit resets the sender's leaf and the nodes along its direct path,
2442	   and provides forward secrecy and post-compromise security with regard
2443	   to the sender of the Commit.  An Update proposal can be regarded as a
2444	   "lazy" version of this operation, where only the leaf changes and
2445	   intermediate nodes are blanked out.

2447	   The "path" field of a Commit message MUST be populated if the Commit
2448	   covers at least one Update or Remove proposal.  The "path" field MUST
2449	   also be populated if the Commit covers no proposals at all (i.e., if
2450	   the proposals vector is empty).  The "path" field MAY be omitted if
2451	   the Commit covers only Add proposals.  In pseudocode, the logic for
2452	   validating a Commit is as follows:

2454	   hasUpdates = false
2455	   hasRemoves = false

2457	   for i, id in commit.proposals:
2458	       proposal = proposalCache[id]
2459	       assert(proposal != null)

2461	       hasUpdates = hasUpdates || proposal.msg_type == update
2462	       hasRemoves = hasRemoves || proposal.msg_type == remove

2464	   if len(commit.proposals) == 0 || hasUpdates || hasRemoves:
2465	     assert(commit.path != null)

2467	   To summarize, a Commit can have three different configurations, with
2468	   different uses:

2470	   1.  An "empty" Commit that references no proposals, which updates the
2471	       committer's contribution to the group and provides PCS with
2472	       regard to the committer.

2474	   2.  An "add-only" Commit that references only Add proposals, in which
2475	       the path is optional.  Such a commit provides PCS with regard to
2476	       the committer only if the path field is present.

2478	   3.  A "full" Commit that references proposals of any type, which
2479	       provides FS with regard to any removed members and PCS for the
2480	       committer and any updated members.

2482	   A member of the group creates a Commit message and the corresponding
2483	   Welcome message at the same time, by taking the following steps:

2485	   *  Construct an initial Commit object with the "proposals" field
2486	      populated from Proposals received during the current epoch, and
2487	      empty "key_package" and "path" fields.

2489	   *  Generate a provisional GroupContext object by applying the
2490	      proposals referenced in the initial Commit object, as described in
2491	      Section 11.1.  Update proposals are applied first, followed by
2492	      Remove proposals, and then finally Add proposals.  Add proposals
2493	      are applied in the order listed in the "proposals" vector, and
2494	      always to the leftmost unoccupied leaf in the tree, or the right
2495	      edge of the tree if all leaves are occupied.

2497	      -  Note that the order in which different types of proposals are
2498	         applied should be updated by the implementation to include any
2499	         new proposals added by negotiated group extensions.

2501	      -  PreSharedKey proposals are processed later when deriving the
2502	         "psk_secret" for the Key Schedule.

2504	   *  Decide whether to populate the "path" field: If the "path" field
2505	      is required based on the proposals that are in the commit (see
2506	      above), then it MUST be populated.  Otherwise, the sender MAY omit
2507	      the "path" field at its discretion.

2509	   *  If populating the "path" field: Create a UpdatePath using the new
2510	      tree.  Any new member (from an add proposal) MUST be exluded from
2511	      the resolution during the computation of the UpdatePath.  The
2512	      GroupContext for this operation uses the "group_id", "epoch",
2513	      "tree_hash", and "confirmed_transcript_hash" values in the initial
2514	      GroupContext object.

2516	      -  Assign this UpdatePath to the "path" field in the Commit.

2518	      -  Apply the UpdatePath to the tree, as described in Section 5.5.
2519	         Define "commit_secret" as the value "path_secret[n+1]" derived
2520	         from the "path_secret[n]" value assigned to the root node.

2522	   *  If not populating the "path" field: Set the "path" field in the
2523	      Commit to the null optional.  Define "commit_secret" as the all-
2524	      zero vector of the same length as a "path_secret" value would be.

2526	   *  Generate a new KeyPackage for the Committer's own leaf, with a
2527	      "parent_hash" extension.  Store it in the ratchet tree and assign
2528	      it to the "key_package" field in the Commit object.

2530	   *  If one or more PreSharedKey proposals are part of the commit,
2531	      derive the "psk_secret" as specified in Section 8.2, where the
2532	      order of PSKs in the derivation corresponds to the order of
2533	      PreSharedKey proposals in the "proposals" vector.  Otherwise, set
2534	      "psk_secret" to a zero-length octet string.

2536	   *  Construct an MLSPlaintext object containing the Commit object.
2537	      Sign the MLSPlaintext using the current epoch's GroupContext as
2538	      context.  Use the signature, the "commit_secret" and the
2539	      "psk_secret" to advance the key schedule and compute the
2540	      "confirmation_tag" value in the MLSPlaintext.

2542	   *  Update the tree in the provisional state by applying the direct
2543	      path

2545	   *  Construct a GroupInfo reflecting the new state:

2547	      -  Group ID, epoch, tree, confirmed transcript hash, and interim
2548	         transcript hash from the new state

2550	      -  The confirmation_tag from the MLSPlaintext object

2552	      -  Sign the GroupInfo using the member's private signing key

2554	      -  Encrypt the GroupInfo using the key and nonce derived from the
2555	         "joiner_secret" for the new epoch (see Section 11.2.2)

2557	   *  For each new member in the group:

2559	      -  Identify the lowest common ancestor in the tree of the new
2560	         member's leaf node and the member sending the Commit

2562	      -  If the "path" field was populated above: Compute the path
2563	         secret corresponding to the common ancestor node

2565	      -  Compute an EncryptedGroupSecrets object that encapsulates the
2566	         "init_secret" for the current epoch and the path secret (if
2567	         present).

2569	   *  Construct a Welcome message from the encrypted GroupInfo object,
2570	      the encrypted key packages, and any PSKs for which a proposal was
2571	      included in the Commit.  The order of the "psks" MUST be the same
2572	      as the order of PreSharedKey proposals in the "proposals" vector.

2574	   *  If a ReInit proposal was part of the Commit, the committer MUST
2575	      create a new group with the parameters specified in the ReInit
2576	      proposal, and with the same members as the original group.  The
2577	      Welcome message MUST include a "PreSharedKeyID" with "psktype"
2578	      "reinit" and with "psk_group_id" and "psk_epoch" corresponding to
2579	      the current group and the epoch after the commit was processed.

2581	   A member of the group applies a Commit message by taking the
2582	   following steps:

2584	   *  Verify that the "epoch" field of the enclosing MLSPlaintext
2585	      message is equal to the "epoch" field of the current GroupContext
2586	      object

2588	   *  Verify that the signature on the MLSPlaintext message verifies
2589	      using the public key from the credential stored at the leaf in the
2590	      tree indicated by the "sender" field.

2592	   *  Verify that all PSKs specified in any PreSharedKey proposals in
2593	      the "proposals" vector are available.

2595	   *  Generate a provisional GroupContext object by applying the
2596	      proposals referenced in the initial Commit object, as described in
2597	      Section 11.1.  Update proposals are applied first, followed by
2598	      Remove proposals, and then finally Add proposals.  Add proposals
2599	      are applied in the order listed in the "proposals" vector, and
2600	      always to the leftmost unoccupied leaf in the tree, or the right
2601	      edge of the tree if all leaves are occupied.

2603	      -  Note that the order in which different types of proposals are
2604	         applied should be updated by the implementation to include any
2605	         new proposals added by negotiated group extensions.

2607	   *  Verify that the "path" value is populated if the "proposals"
2608	      vector contains any Update or Remove proposals, or if it's empty.
2609	      Otherwise, the "path" value MAY be omitted.

2611	   *  If the "path" value is populated: Process the "path" value using
2612	      the ratchet tree the provisional GroupContext, to update the
2613	      ratchet tree and generate the "commit_secret":

2615	      -  Apply the UpdatePath to the tree, as described in Section 5.5,
2616	         and store "key_package" at the Committer's leaf.

2618	      -  Verify that the KeyPackage has a "parent_hash" extension and
2619	         that its value matches the new parent of the sender's leaf
2620	         node.

2622	      -  Define "commit_secret" as the value "path_secret[n+1]" derived
2623	         from the "path_secret[n]" value assigned to the root node.

2625	   *  If the "path" value is not populated: Define "commit_secret" as
2626	      the all-zero vector of the same length as a "path_secret" value
2627	      would be.

2629	   *  Update the new GroupContext's confirmed and interim transcript
2630	      hashes using the new Commit.

2632	   *  If the "proposals" vector contains any PreSharedKey proposals,
2633	      derive the "psk_secret" as specified in Section 8.2, where the
2634	      order of PSKs in the derivation corresponds to the order of
2635	      PreSharedKey proposals in the "proposals" vector.  Otherwise, set
2636	      "psk_secret" to 0.

2638	   *  Use the "commit_secret", the "psk_secret", the provisional
2639	      GroupContext, and the init secret from the previous epoch to
2640	      compute the epoch secret and derived secrets for the new epoch.

2642	   *  Use the "confirmation_key" for the new epoch to compute the
2643	      confirmation tag for this message, as described below, and verify
2644	      that it is the same as the "confirmation_tag" field in the
2645	      MLSPlaintext object.

2647	   *  If the above checks are successful, consider the updated
2648	      GroupContext object as the current state of the group.

2650	   *  If the Commit included a ReInit proposal, the client MUST NOT use
2651	      the group to send messages anymore.  Instead, it MUST wait for a
2652	      Welcome message from the committer and check that

2654	      -  The "version", "cipher_suite" and "extensions" fields of the
2655	         new group corresponds to the ones in the "ReInit" proposal, and
2656	         that the "version" is greater than or equal to that of the
2657	         original group.

2659	      -  The "psks" field in the Welcome message includes a
2660	         "PreSharedKeyID" with "psktype" = "reinit", and "psk_epoch" and
2661	         "psk_group_id" equal to the epoch and group ID of the original
2662	         group after processing the Commit.

2664	   The confirmation tag value confirms that the members of the group
2665	   have arrived at the same state of the group:

2667	   MLSPlaintext.confirmation_tag =
2668	       MAC(confirmation_key, GroupContext.confirmed_transcript_hash)

2670	11.2.1.  External Commits

2672	   External Commits are a mechanism for new members (external parties
2673	   that want to become members of the group) to add themselves to a
2674	   group, without requiring that an existing member has to come online
2675	   to issue a Commit that references an Add Proposal.

2677	   Whether existing members of the group will accept or reject an
2678	   External Commit follows the same rules that are applied to other
2679	   handshake messages.

2681	   New members can create and issue an External Commit if they have
2682	   access to the following information for the group's current epoch:

2684	   *  group ID

2686	   *  epoch ID

2688	   *  ciphersuite

2690	   *  public tree hash

2692	   *  interim transcript hash

2694	   *  group extensions

2696	   *  external public key

2698	   This information is aggregated in a "PublicGroupState" object as
2699	   follows:

2701	   "struct { CipherSuite cipher_suite; opaque group_id<0..255>; uint64
2702	   epoch; opaque tree_hash<0..255>; opaque
2703	   interim_transcript_hash<0..255>; Extension extensions<0..2^32-1>;
2704	   HPKEPublicKey external_pub; } PublicGroupState;"
2705	   Note that the "tree_hash" field is used the same way as in the
2706	   Welcome message.  The full tree can be included via the
2707	   "ratchet_tree" extension Section 11.3.

2709	   The information above are not deemed public data in general, but
2710	   applications can choose to make them available to new members in
2711	   order to allow External Commits.

2713	   External Commits work like regular Commits, with a few differences:

2715	   *  External Commits MUST reference an Add Proposal that adds the
2716	      issuing new member to the group

2718	   *  External Commits MUST contain a "path" field (and is therefore a
2719	      "full" Commit)

2721	   *  External Commits MUST be signed by the new member.  In particular,
2722	      the signature on the enclosing MLSPlaintext MUST verify using the
2723	      public key for the credential in the "leaf_key_package" of the
2724	      "path" field.

2726	   *  An external commit MUST reference no more than one ExternalInit
2727	      proposal, and the ExternalInit proposal MUST be supplied by value,
2728	      not by reference.  When processing a Commit, both existing and new
2729	      members MUST use the external init secret as described in
2730	      Section 8.1.

2732	   *  The sender type for the MLSPlaintext encapsulating the External
2733	      Commit MUST be "new_member"

2735	   *  If the Add Proposal is also issued by the new member, its member
2736	      SenderType MUST be "new_member"

2738	11.2.2.  Welcoming New Members

2740	   The sender of a Commit message is responsible for sending a Welcome
2741	   message to any new members added via Add proposals.  The Welcome
2742	   message provides the new members with the current state of the group,
2743	   after the application of the Commit message.  The new members will
2744	   not be able to decrypt or verify the Commit message, but will have
2745	   the secrets they need to participate in the epoch initiated by the
2746	   Commit message.

2748	   In order to allow the same Welcome message to be sent to all new
2749	   members, information describing the group is encrypted with a
2750	   symmetric key and nonce randomly chosen by the sender.  This key and
2751	   nonce are then encrypted to each new member using HPKE.  In the same
2752	   encrypted package, the committer transmits the path secret for the
2753	   lowest node contained in the direct paths of both the committer and
2754	   the new member.  This allows the new member to compute private keys
2755	   for nodes in its direct path that are being reset by the
2756	   corresponding Commit.

2758	   If the sender of the Welcome message wants the receiving member to
2759	   include a PSK in the derivation of the "epoch_secret", they can
2760	   populate the "psks" field indicating which PSK to use.

2762	   struct {
2763	     opaque group_id<0..255>;
2764	     uint64 epoch;
2765	     opaque tree_hash<0..255>;
2766	     opaque confirmed_transcript_hash<0..255>;
2767	     Extension extensions<0..2^32-1>;
2768	     MAC confirmation_tag;
2769	     uint32 signer_index;
2770	     opaque signature<0..2^16-1>;
2771	   } GroupInfo;

2773	   struct {
2774	     opaque path_secret<1..255>;
2775	   } PathSecret;

2777	   struct {
2778	     opaque joiner_secret<1..255>;
2779	     optional path_secret;
2780	     optional psks;
2781	   } GroupSecrets;

2783	   struct {
2784	     opaque key_package_hash<1..255>;
2785	     HPKECiphertext encrypted_group_secrets;
2786	   } EncryptedGroupSecrets;

2788	   struct {
2789	     ProtocolVersion version = mls10;
2790	     CipherSuite cipher_suite;
2791	     EncryptedGroupSecrets secrets<0..2^32-1>;
2792	     opaque encrypted_group_info<1..2^32-1>;
2793	   } Welcome;

2795	   The client processing a Welcome message will need to have a copy of
2796	   the group's ratchet tree.  The tree can be provided in the Welcome
2797	   message, in an extension of type "ratchet_tree".  If it is sent
2798	   otherwise (e.g., provided by a caching service on the Delivery
2799	   Service), then the client MUST download the tree before processing
2800	   the Welcome.

2802	   On receiving a Welcome message, a client processes it using the
2803	   following steps:

2805	   *  Identify an entry in the "secrets" array where the
2806	      "key_package_hash" value corresponds to one of this client's
2807	      KeyPackages, using the hash indicated by the "cipher_suite" field.
2808	      If no such field exists, or if the ciphersuite indicated in the
2809	      KeyPackage does not match the one in the Welcome message, return
2810	      an error.

2812	   *  Decrypt the "encrypted_group_secrets" using HPKE with the
2813	      algorithms indicated by the ciphersuite and the HPKE private key
2814	      corresponding to the GroupSecrets.  If a "PreSharedKeyID" is part
2815	      of the GroupSecrets and the client is not in possession of the
2816	      corresponding PSK, return an error.

2818	   *  From the "joiner_secret" in the decrypted GroupSecrets object and
2819	      the PSKs specified in the "GroupSecrets", derive the
2820	      "member_secret" and using that the "welcome_secret",
2821	      "welcome_key", and "welcome_nonce".  Use the key and nonce to
2822	      decrypt the "encrypted_group_info" field.

2824	   welcome_secret = Derive-Secret(member_secret, "welcome")
2825	   welcome_nonce = KDF.Expand(welcome_secret, "nonce", nonce_length)
2826	   welcome_key = KDF.Expand(welcome_secret, "key", key_length)

2828	   *  Verify the signature on the GroupInfo object.  The signature input
2829	      comprises all of the fields in the GroupInfo object except the
2830	      signature field.  The public key and algorithm are taken from the
2831	      credential in the leaf node at position "signer_index".  If this
2832	      verification fails, return an error.

2834	   *  Verify the integrity of the ratchet tree.

2836	      -  Verify that the tree hash of the ratchet tree matches the
2837	         "tree_hash" field in the GroupInfo.

2839	      -  For each non-empty parent node, verify that exactly one of the
2840	         node's children are non-empty and have the hash of this node
2841	         set as their "parent_hash" value (if the child is another
2842	         parent) or has a "parent_hash" extension in the KeyPackage
2843	         containing the same value (if the child is a leaf).

2845	      -  For each non-empty leaf node, verify the signature on the
2846	         KeyPackage.

2848	   *  Identify a leaf in the "tree" array (any even-numbered node) whose
2849	      "key_package" field is identical to the the KeyPackage.  If no
2850	      such field exists, return an error.  Let "index" represent the
2851	      index of this node among the leaves in the tree, namely the index
2852	      of the node in the "tree" array divided by two.

2854	   *  Construct a new group state using the information in the GroupInfo
2855	      object.  The new member's position in the tree is "index", as
2856	      defined above.  In particular, the confirmed transcript hash for
2857	      the new state is the "prior_confirmed_transcript_hash" in the
2858	      GroupInfo object.

2860	      -  Update the leaf at index "index" with the private key
2861	         corresponding to the public key in the node.

2863	      -  If the "path_secret" value is set in the GroupSecrets object:
2864	         Identify the lowest common ancestor of the leaves at "index"
2865	         and at "GroupInfo.signer_index".  Set the private key for this
2866	         node to the private key derived from the "path_secret".

2868	      -  For each parent of the common ancestor, up to the root of the
2869	         tree, derive a new path secret and set the private key for the
2870	         node to the private key derived from the path secret.  The
2871	         private key MUST be the private key that corresponds to the
2872	         public key in the node.

2874	   *  Use the "joiner_secret" from the GroupSecrets object to generate
2875	      the epoch secret and other derived secrets for the current epoch.

2877	   *  Set the confirmed transcript hash in the new state to the value of
2878	      the "confirmed_transcript_hash" in the GroupInfo.

2880	   *  Verify the confirmation tag in the GroupInfo using the derived
2881	      confirmation key and the "confirmed_transcript_hash" from the
2882	      GroupInfo.

2884	   *  Use the confirmed transcript hash and confirmation tag to compute
2885	      the interim transcript hash in the new state.

2887	11.3.  Ratchet Tree Extension

2889	   By default, a GroupInfo message only provides the joiner with a
2890	   commitment to the group's ratchet tree.  In order to process or
2891	   generate handshake messages, the joiner will need to get a copy of
2892	   the ratchet tree from some other source.  (For example, the DS might
2893	   provide a cached copy.)  The inclusion of the tree hash in the
2894	   GroupInfo message means that the source of the ratchet tree need not
2895	   be trusted to maintain the integrity of tree.

2897	   In cases where the application does not wish to provide such an
2898	   external source, the whole public state of the ratchet tree can be
2899	   provided in an extension of type "ratchet_tree", containing a
2900	   "ratchet_tree" object of the following form:

2902	   enum {
2903	       reserved(0),
2904	       leaf(1),
2905	       parent(2),
2906	       (255)
2907	   } NodeType;

2909	   struct {
2910	       NodeType node_type;
2911	       select (Node.node_type) {
2912	           case leaf:   KeyPackage key_package;
2913	           case parent: ParentNode node;
2914	       };
2915	   } Node;

2917	   optional ratchet_tree<1..2^32-1>;

2919	   The presence of a "ratchet_tree" extension in a GroupInfo message
2920	   does not result in any changes to the GroupContext extensions for the
2921	   group.  The ratchet tree provided is simply stored by the client and
2922	   used for MLS operations.

2924	   If this extension is not provided in a Welcome message, then the
2925	   client will need to fetch the ratchet tree over some other channel
2926	   before it can generate or process Commit messages.  Applications
2927	   should ensure that this out-of-band channel is provided with security
2928	   protections equivalent to the protections that are afforded to
2929	   Proposal and Commit messages.  For example, an application that
2930	   encrypts Proposal and Commit messages might distribute ratchet trees
2931	   encrypted using a key exchanged over the MLS channel.

2933	12.  Extensibility

2935	   This protocol includes a mechanism for negotiating extension
2936	   parameters similar to the one in TLS [RFC8446].  In TLS, extension
2937	   negotiation is one-to-one: The client offers extensions in its
2938	   ClientHello message, and the server expresses its choices for the
2939	   session with extensions in its ServerHello and EncryptedExtensions
2940	   messages.  In MLS, extensions appear in the following places:

2942	   *  In KeyPackages, to describe client capabilities and aspects of
2943	      their participation in the group (once in the ratchet tree)

2945	   *  In the Welcome message, to tell new members of a group what
2946	      parameters are being used by the group

2948	   *  In the GroupContext object, to ensure that all members of the
2949	      group have the same view of the parameters in use

2951	   In other words, clients advertise their capabilities in KeyPackage
2952	   extensions, the creator of the group expresses its choices for the
2953	   group in Welcome extensions, and the GroupContext confirms that all
2954	   members of the group have the same view of the group's extensions.

2956	   This extension mechanism is designed to allow for secure and forward-
2957	   compatible negotiation of extensions.  For this to work,
2958	   implementations MUST correctly handle extensible fields:

2960	   *  A client that posts a KeyPackage MUST support all parameters
2961	      advertised in it.  Otherwise, another client might fail to
2962	      interoperate by selecting one of those parameters.

2964	   *  A client initiating a group MUST ignore all unrecognized
2965	      ciphersuites, extensions, and other parameters.  Otherwise, it may
2966	      fail to interoperate with newer clients.

2968	   *  A client adding a new member to a group MUST verify that the
2969	      KeyPackage for the new member contains extensions that are
2970	      consistent with the group's extensions.  For each extension in the
2971	      GroupContext, the KeyPackage MUST have an extension of the same
2972	      type, and the contents of the extension MUST be consistent with
2973	      the value of the extension in the GroupContext, according to the
2974	      semantics of the specific extension.

2976	   *  If any extension in a GroupInfo message is unrecognized (i.e., not
2977	      contained in the corresponding KeyPackage), then the client MUST
2978	      reject the Welcome message and not join the group.

2980	   *  The extensions populated into a GroupContext object are drawn from
2981	      those in the GroupInfo object, according to the definitions of
2982	      those extensions.

2984	   Note that the latter two requirements mean that all MLS extensions
2985	   are mandatory, in the sense that an extension in use by the group
2986	   MUST be supported by all members of the group.

2988	   This document does not define any way for the parameters of the group
2989	   to change once it has been created; such a behavior could be
2990	   implemented as an extension.

2992	13.  Sequencing of State Changes

2994	   Each Commit message is premised on a given starting state, indicated
2995	   by the "epoch" field of the enclosing MLSPlaintext message.  If the
2996	   changes implied by a Commit messages are made starting from a
2997	   different state, the results will be incorrect.

2999	   This need for sequencing is not a problem as long as each time a
3000	   group member sends a Commit message, it is based on the most current
3001	   state of the group.  In practice, however, there is a risk that two
3002	   members will generate Commit messages simultaneously, based on the
3003	   same state.

3005	   When this happens, there is a need for the members of the group to
3006	   deconflict the simultaneous Commit messages.  There are two general
3007	   approaches:

3009	   *  Have the Delivery Service enforce a total order

3011	   *  Have a signal in the message that clients can use to break ties

3013	   As long as Commit messages cannot be merged, there is a risk of
3014	   starvation.  In a sufficiently busy group, a given member may never
3015	   be able to send a Commit message, because he always loses to other
3016	   members.  The degree to which this is a practical problem will depend
3017	   on the dynamics of the application.

3019	   It might be possible, because of the non-contributivity of
3020	   intermediate nodes, that Commit messages could be applied one after
3021	   the other without the Delivery Service having to reject any Commit
3022	   message, which would make MLS more resilient regarding the
3023	   concurrency of Commit messages.  The Messaging system can decide to
3024	   choose the order for applying the state changes.  Note that there are
3025	   certain cases (if no total ordering is applied by the Delivery
3026	   Service) where the ordering is important for security, ie. all
3027	   updates must be executed before removes.

3029	   Regardless of how messages are kept in sequence, implementations MUST
3030	   only update their cryptographic state when valid Commit messages are
3031	   received.  Generation of Commit messages MUST NOT modify a client's
3032	   state, since the endpoint doesn't know at that time whether the
3033	   changes implied by the Commit message will succeed or not.

3035	13.1.  Server-Enforced Ordering

3037	   With this approach, the Delivery Service ensures that incoming
3038	   messages are added to an ordered queue and outgoing messages are
3039	   dispatched in the same order.  The server is trusted to break ties
3040	   when two members send a Commit message at the same time.

3042	   Messages should have a counter field sent in clear-text that can be
3043	   checked by the server and used for tie-breaking.  The counter starts
3044	   at 0 and is incremented for every new incoming message.  If two group
3045	   members send a message with the same counter, the first message to
3046	   arrive will be accepted by the server and the second one will be
3047	   rejected.  The rejected message needs to be sent again with the
3048	   correct counter number.

3050	   To prevent counter manipulation by the server, the counter's
3051	   integrity can be ensured by including the counter in a signed message
3052	   envelope.

3054	   This applies to all messages, not only state changing messages.

3056	13.2.  Client-Enforced Ordering

3058	   Order enforcement can be implemented on the client as well, one way
3059	   to achieve it is to use a two step update protocol: the first client
3060	   sends a proposal to update and the proposal is accepted when it gets
3061	   50%+ approval from the rest of the group, then it sends the approved
3062	   update.  Clients which didn't get their proposal accepted, will wait
3063	   for the winner to send their update before retrying new proposals.

3065	   While this seems safer as it doesn't rely on the server, it is more
3066	   complex and harder to implement.  It also could cause starvation for
3067	   some clients if they keep failing to get their proposal accepted.

3069	14.  Application Messages

3071	   The primary purpose of the Handshake protocol is to provide an
3072	   authenticated group key exchange to clients.  In order to protect
3073	   Application messages sent among the members of a group, the
3074	   Application secret provided by the Handshake key schedule is used to
3075	   derive nonces and encryption keys for the Message Protection Layer
3076	   according to the Application Key Schedule.  That is, each epoch is
3077	   equipped with a fresh Application Key Schedule which consist of a
3078	   tree of Application Secrets as well as one symmetric ratchet per
3079	   group member.

3081	   Each client maintains their own local copy of the Application Key
3082	   Schedule for each epoch during which they are a group member.  They
3083	   derive new keys, nonces and secrets as needed while deleting old ones
3084	   as soon as they have been used.

3086	   Application messages MUST be protected with the Authenticated-
3087	   Encryption with Associated-Data (AEAD) encryption scheme associated
3088	   with the MLS ciphersuite using the common framing mechanism.  Note
3089	   that "Authenticated" in this context does not mean messages are known
3090	   to be sent by a specific client but only from a legitimate member of
3091	   the group.  To authenticate a message from a particular member,
3092	   signatures are required.  Handshake messages MUST use asymmetric
3093	   signatures to strongly authenticate the sender of a message.

3095	14.1.  Message Encryption and Decryption

3097	   The group members MUST use the AEAD algorithm associated with the
3098	   negotiated MLS ciphersuite to AEAD encrypt and decrypt their
3099	   Application messages according to the Message Framing section.

3101	   The group identifier and epoch allow a recipient to know which group
3102	   secrets should be used and from which Epoch secret to start computing
3103	   other secrets and keys.  The sender identifier is used to identify
3104	   the member's symmetric ratchet from the initial group Application
3105	   secret.  The application generation field is used to determine how
3106	   far into the ratchet to iterate in order to reproduce the required
3107	   AEAD keys and nonce for performing decryption.

3109	   Application messages SHOULD be padded to provide some resistance
3110	   against traffic analysis techniques over encrypted traffic.  [CLINIC]
3111	   [HCJ16] While MLS might deliver the same payload less frequently
3112	   across a lot of ciphertexts than traditional web servers, it might
3113	   still provide the attacker enough information to mount an attack.  If
3114	   Alice asks Bob: "When are we going to the movie ?" the answer
3115	   "Wednesday" might be leaked to an adversary by the ciphertext length.
3116	   An attacker expecting Alice to answer Bob with a day of the week
3117	   might find out the plaintext by correlation between the question and
3118	   the length.

3120	   Similarly to TLS 1.3, if padding is used, the MLS messages MUST be
3121	   padded with zero-valued bytes before AEAD encryption.  Upon AEAD
3122	   decryption, the length field of the plaintext is used to compute the
3123	   number of bytes to be removed from the plaintext to get the correct
3124	   data.  As the padding mechanism is used to improve protection against
3125	   traffic analysis, removal of the padding SHOULD be implemented in a
3126	   "constant-time" manner at the MLS layer and above layers to prevent
3127	   timing side-channels that would provide attackers with information on
3128	   the size of the plaintext.  The padding length length_of_padding can
3129	   be chosen at the time of the message encryption by the sender.
3130	   Recipients can calculate the padding size from knowing the total size
3131	   of the ApplicationPlaintext and the length of the content.

3133	14.2.  Restrictions

3135	   During each epoch senders MUST NOT encrypt more data than permitted
3136	   by the security bounds of the AEAD scheme used.

3138	   Note that each change to the Group through a Handshake message will
3139	   also set a new "encryption_secret".  Hence this change MUST be
3140	   applied before encrypting any new application message.  This is
3141	   required both to ensure that any users removed from the group can no
3142	   longer receive messages and to (potentially) recover confidentiality
3143	   and authenticity for future messages despite a past state compromise.

3145	14.3.  Delayed and Reordered Application messages

3147	   Since each Application message contains the group identifier, the
3148	   epoch and a message counter, a client can receive messages out of
3149	   order.  If they are able to retrieve or recompute the correct AEAD
3150	   decryption key from currently stored cryptographic material clients
3151	   can decrypt these messages.

3153	   For usability, MLS clients might be required to keep the AEAD key and
3154	   nonce for a certain amount of time to retain the ability to decrypt
3155	   delayed or out of order messages, possibly still in transit while a
3156	   decryption is being done.

3158	15.  Security Considerations

3160	   The security goals of MLS are described in
3161	   [I-D.ietf-mls-architecture].  We describe here how the protocol
3162	   achieves its goals at a high level, though a complete security
3163	   analysis is outside of the scope of this document.

3165	15.1.  Confidentiality of the Group Secrets

3167	   Group secrets are partly derived from the output of a ratchet tree.
3168	   Ratchet trees work by assigning each member of the group to a leaf in
3169	   the tree and maintaining the following property: the private key of a
3170	   node in the tree is known only to members of the group that are
3171	   assigned a leaf in the node's subtree.  This is called the _ratchet
3172	   tree invariant_ and it makes it possible to encrypt to all group
3173	   members except one, with a number of ciphertexts that's logarithmic
3174	   in the number of group members.

3176	   The ability to efficiently encrypt to all members except one allows
3177	   members to be securely removed from a group.  It also allows a member
3178	   to rotate their keypair such that the old private key can no longer
3179	   be used to decrypt new messages.

3181	15.2.  Authentication

3183	   The first form of authentication we provide is that group members can
3184	   verify a message originated from one of the members of the group.
3185	   For encrypted messages, this is guaranteed because messages are
3186	   encrypted with an AEAD under a key derived from the group secrets.
3187	   For plaintext messages, this is guaranteed by the use of a
3188	   "membership_tag" which constitutes a MAC over the message, under a
3189	   key derived from the group secrets.

3191	   The second form of authentication is that group members can verify a
3192	   message originated from a particular member of the group.  This is
3193	   guaranteed by a digital signature on each message from the sender's
3194	   identity key.

3196	15.3.  Forward Secrecy and Post-Compromise Security

3198	   Post-compromise security is provided between epochs by members
3199	   regularly updating their leaf key in the ratchet tree.  Updating
3200	   their leaf key prevents group secrets from continuing to be encrypted
3201	   to previously compromised public keys.

3203	   Forward-secrecy between epochs is provided by deleting private keys
3204	   from past version of the ratchet tree, as this prevents old group
3205	   secrets from being re-derived.  Forward secrecy _within_ an epoch is
3206	   provided by deleting message encryption keys once they've been used
3207	   to encrypt or decrypt a message.

3209	   Post-compromise security is also provided for new groups by members
3210	   regularly generating new InitKeys and uploading them to the Delivery
3211	   Service, such that compromised key material won't be used when the
3212	   member is added to a new group.

3214	15.4.  InitKey Reuse

3216	   InitKeys are intended to be used only once.  That is, once an InitKey
3217	   has been used to introduce the corresponding client to a group, it
3218	   SHOULD be deleted from the InitKey publication system.  Reuse of
3219	   InitKeys can lead to replay attacks.

3221	   An application MAY allow for reuse of a "last resort" InitKey in
3222	   order to prevent denial of service attacks.  Since an InitKey is
3223	   needed to add a client to a new group, an attacker could prevent a
3224	   client being added to new groups by exhausting all available
3225	   InitKeys.

3227	16.  IANA Considerations

3229	   This document requests the creation of the following new IANA
3230	   registries:

3232	   *  MLS Ciphersuites (Section 16.1)

3234	   *  MLS Extension Types (Section 16.2)

3236	   *  MLS Credential Types (Section 16.3)

3238	   All of these registries should be under a heading of "Messaging Layer
3239	   Security", and assignments are made via the Specification Required
3240	   policy [RFC8126].  See Section 16.4 for additional information about
3241	   the MLS Designated Experts (DEs).

3243	   RFC EDITOR: Please replace XXXX throughout with the RFC number
3244	   assigned to this document

3246	16.1.  MLS Ciphersuites

3248	   A ciphersuite is a combination of a protocol version and the set of
3249	   cryptographic algorithms that should be used.

3251	   Ciphersuite names follow the naming convention:

3253	   CipherSuite MLS_LVL_KEM_AEAD_HASH_SIG = VALUE;

3255	   Where VALUE is represented as a sixteen-bit integer:

3257	   uint16 CipherSuite;
3258	          +===========+========================================+
3259	          | Component | Contents                               |
3260	          +===========+========================================+
3261	          | MLS       | The string "MLS" followed by the major |
3262	          |           | and minor version, e.g.  "MLS10"       |
3263	          +-----------+----------------------------------------+
3264	          | LVL       | The security level                     |
3265	          +-----------+----------------------------------------+
3266	          | KEM       | The KEM algorithm used for HPKE in     |
3267	          |           | TreeKEM group operations               |
3268	          +-----------+----------------------------------------+
3269	          | AEAD      | The AEAD algorithm used for HPKE and   |
3270	          |           | message protection                     |
3271	          +-----------+----------------------------------------+
3272	          | HASH      | The hash algorithm used for HPKE and   |
3273	          |           | the MLS transcript hash                |
3274	          +-----------+----------------------------------------+
3275	          | SIG       | The Signature algorithm used for       |
3276	          |           | message authentication                 |
3277	          +-----------+----------------------------------------+

3279	                                 Table 3

3281	   The columns in the registry are as follows:

3283	   *  Value: The numeric value of the ciphersuite

3285	   *  Name: The name of the ciphersuite

3287	   *  Recommended: Whether support for this extension is recommended by
3288	      the IETF MLS WG.  Valid values are "Y" and "N".  The "Recommended"
3289	      column is assigned a value of "N" unless explicitly requested, and
3290	      adding a value with a "Recommended" value of "Y" requires
3291	      Standards Action [RFC8126].  IESG Approval is REQUIRED for a Y->N
3292	      transition.

3294	   *  Reference: The document where this ciphersuite is defined

3296	   Initial contents:

3298	   +======+=====================================================+===========+=========+
3299	   |Value |Name                                                 |Recommended|Reference|
3300	   +======+=====================================================+===========+=========+
3301	   |0x0000|RESERVED                                             |N/A        |RFC XXXX |
3302	   +------+-----------------------------------------------------+-----------+---------+
3303	   |0x0001|MLS10_128_DHKEMX25519_AES128GCM_SHA256_Ed25519       |Y          |RFC XXXX |
3304	   +------+-----------------------------------------------------+-----------+---------+
3305	   |0x0002|MLS10_128_DHKEMP256_AES128GCM_SHA256_P256            |Y          |RFC XXXX |
3306	   +------+-----------------------------------------------------+-----------+---------+
3307	   |0x0003|MLS10_128_DHKEMX25519_CHACHA20POLY1305_SHA256_Ed25519|Y          |RFC XXXX |
3308	   +------+-----------------------------------------------------+-----------+---------+
3309	   |0x0004|MLS10_256_DHKEMX448_AES256GCM_SHA512_Ed448           |Y          |RFC XXXX |
3310	   +------+-----------------------------------------------------+-----------+---------+
3311	   |0x0005|MLS10_256_DHKEMP521_AES256GCM_SHA512_P521            |Y          |RFC XXXX |
3312	   +------+-----------------------------------------------------+-----------+---------+
3313	   |0x0006|MLS10_256_DHKEMX448_CHACHA20POLY1305_SHA512_Ed448    |Y          |RFC XXXX |
3314	   +------+-----------------------------------------------------+-----------+---------+
3315	   |0xff00|Reserved for Private Use                             |N/A        |RFC XXXX |
3316	   |-     |                                                     |           |         |
3317	   |0xffff|                                                     |           |         |
3318	   +------+-----------------------------------------------------+-----------+---------+

3320	                                  Table 4

3322	   All of these ciphersuites use HMAC [RFC2104] as their MAC function,
3323	   with different hashes per ciphersuite.  The mapping of ciphersuites
3324	   to HPKE primitives, HMAC hash functions, and TLS signature schemes is
3325	   as follows [I-D.irtf-cfrg-hpke] [RFC8446]:

3327	   +======+========+========+========+========+========================+
3328	   |Value | KEM    | KDF    | AEAD   | Hash   | Signature              |
3329	   +======+========+========+========+========+========================+
3330	   |0x0001| 0x0020 | 0x0001 | 0x0001 | SHA256 | ed25519                |
3331	   +------+--------+--------+--------+--------+------------------------+
3332	   |0x0002| 0x0010 | 0x0001 | 0x0001 | SHA256 | ecdsa_secp256r1_sha256 |
3333	   +------+--------+--------+--------+--------+------------------------+
3334	   |0x0003| 0x0020 | 0x0001 | 0x0003 | SHA256 | ed25519                |
3335	   +------+--------+--------+--------+--------+------------------------+
3336	   |0x0004| 0x0021 | 0x0003 | 0x0002 | SHA512 | ed448                  |
3337	   +------+--------+--------+--------+--------+------------------------+
3338	   |0x0005| 0x0012 | 0x0003 | 0x0002 | SHA512 | ecdsa_secp521r1_sha512 |
3339	   +------+--------+--------+--------+--------+------------------------+
3340	   |0x0006| 0x0021 | 0x0003 | 0x0003 | SHA512 | ed448                  |
3341	   +------+--------+--------+--------+--------+------------------------+

3343	                                  Table 5

3345	   The hash used for the MLS transcript hash is the one referenced in
3346	   the ciphersuite name.  In the ciphersuites defined above, "SHA256"
3347	   and "SHA512" refer to the SHA-256 and SHA-512 functions defined in
3348	   [SHS].

3350	   It is advisable to keep the number of ciphersuites low to increase
3351	   the chances clients can interoperate in a federated environment,
3352	   therefore the ciphersuites only inlcude modern, yet well-established
3353	   algorithms.  Depending on their requirements, clients can choose
3354	   between two security levels (roughly 128-bit and 256-bit).  Within
3355	   the security levels clients can choose between faster X25519/X448
3356	   curves and FIPS 140-2 compliant curves for Diffie-Hellman key
3357	   negotiations.  Additionally clients that run predominantly on mobile
3358	   processors can choose ChaCha20Poly1305 over AES-GCM for performance
3359	   reasons.  Since ChaCha20Poly1305 is not listed by FIPS 140-2 it is
3360	   not paired with FIPS 140-2 compliant curves.  The security level of
3361	   symmetric encryption algorithms and hash functions is paired with the
3362	   security level of the curves.

3364	   The mandatory-to-implement ciphersuite for MLS 1.0 is
3365	   "MLS10\_128\_HPKE25519\_AES128GCM\_SHA256\_Ed25519" which uses
3366	   Curve25519 for key exchange, AES-128-GCM for HPKE, HKDF over
3367	   SHA2-256, AES for metadata masking, and Ed25519 for signatures.

3369	   Values with the first byte 255 (decimal) are reserved for Private
3370	   Use.

3372	   New ciphersuite values are assigned by IANA as described in
3373	   Section 16.

3375	16.2.  MLS Extension Types

3377	   This registry lists identifiers for extensions to the MLS protocol.
3378	   The extension type field is two bytes wide, so valid extension type
3379	   values are in the range 0x0000 to 0xffff.

3381	   Template:

3383	   *  Value: The numeric value of the extension type

3385	   *  Name: The name of the extension type

3387	   *  Message(s): The messages in which the extension may appear, drawn
3388	      from the following list:

3390	      -  KP: KeyPackage messages

3392	      -  GI: GroupInfo objects

3394	   *  Recommended: Whether support for this extension is recommended by
3395	      the IETF MLS WG.  Valid values are "Y" and "N".  The "Recommended"
3396	      column is assigned a value of "N" unless explicitly requested, and
3397	      adding a value with a "Recommended" value of "Y" requires
3398	      Standards Action [RFC8126].  IESG Approval is REQUIRED for a Y->N
3399	      transition.

3401	   *  Reference: The document where this extension is defined

3403	   Initial contents:

3405	    +==========+==============+============+=============+===========+
3406	    | Value    | Name         | Message(s) | Recommended | Reference |
3407	    +==========+==============+============+=============+===========+
3408	    | 0x0000   | RESERVED     | N/A        | N/A         | RFC XXXX  |
3409	    +----------+--------------+------------+-------------+-----------+
3410	    | 0x0001   | capabilities | KP         | Y           | RFC XXXX  |
3411	    +----------+--------------+------------+-------------+-----------+
3412	    | 0x0002   | lifetime     | KP         | Y           | RFC XXXX  |
3413	    +----------+--------------+------------+-------------+-----------+
3414	    | 0x0003   | key_id       | KP         | Y           | RFC XXXX  |
3415	    +----------+--------------+------------+-------------+-----------+
3416	    | 0x0004   | parent_hash  | KP         | Y           | RFC XXXX  |
3417	    +----------+--------------+------------+-------------+-----------+
3418	    | 0x0005   | ratchet_tree | GI         | Y           | RFC XXXX  |
3419	    +----------+--------------+------------+-------------+-----------+
3420	    | 0xff00 - | Reserved for | N/A        | N/A         | RFC XXXX  |
3421	    | 0xffff   | Private Use  |            |             |           |
3422	    +----------+--------------+------------+-------------+-----------+

3424	                                 Table 6

3426	16.3.  MLS Credential Types

3428	   This registry lists identifiers for types of credentials that can be
3429	   used for authentication in the MLS protocol.  The extension type
3430	   field is two bytes wide, so valid extension type values are in the
3431	   range 0x0000 to 0xffff.

3433	   Template:

3435	   *  Value: The numeric value of the credential type

3437	   *  Name: The name of the credential type

3439	   *  Recommended: Whether support for this extension is recommended by
3440	      the IETF MLS WG.  Valid values are "Y" and "N".  The "Recommended"
3441	      column is assigned a value of "N" unless explicitly requested, and
3442	      adding a value with a "Recommended" value of "Y" requires
3443	      Standards Action [RFC8126].  IESG Approval is REQUIRED for a Y->N
3444	      transition.

3446	   *  Reference: The document where this extension is defined

3448	   Initial contents:

3450	       +=================+==============+=============+===========+
3451	       | Value           | Name         | Recommended | Reference |
3452	       +=================+==============+=============+===========+
3453	       | 0x0000          | RESERVED     | N/A         | RFC XXXX  |
3454	       +-----------------+--------------+-------------+-----------+
3455	       | 0x0001          | basic        | Y           | RFC XXXX  |
3456	       +-----------------+--------------+-------------+-----------+
3457	       | 0x0002          | x509         | Y           | RFC XXXX  |
3458	       +-----------------+--------------+-------------+-----------+
3459	       | 0xff00 - 0xffff | Reserved for | N/A         | RFC XXXX  |
3460	       |                 | Private Use  |             |           |
3461	       +-----------------+--------------+-------------+-----------+

3463	                                 Table 7

3465	16.4.  MLS Designated Expert Pool

3467	   Specification Required [RFC8126] registry requests are registered
3468	   after a three-week review period on the MLS DEs' mailing list: mls-
3469	   reg-review@ietf.org (mailto:mls-reg-review@ietf.org), on the advice
3470	   of one or more of the MLS DEs.  However, to allow for the allocation
3471	   of values prior to publication, the MLS DEs may approve registration
3472	   once they are satisfied that such a specification will be published.

3474	   Registration requests sent to the MLS DEs mailing list for review
3475	   SHOULD use an appropriate subject (e.g., "Request to register value
3476	   in MLS Bar registry").

3478	   Within the review period, the MLS DEs will either approve or deny the
3479	   registration request, communicating this decision to the MLS DEs
3480	   mailing list and IANA.  Denials SHOULD include an explanation and, if
3481	   applicable, suggestions as to how to make the request successful.
3482	   Registration requests that are undetermined for a period longer than
3483	   21 days can be brought to the IESG's attention for resolution using
3484	   the iesg@ietf.org (mailto:iesg@ietf.org) mailing list.

3486	   Criteria that SHOULD be applied by the MLS DEs includes determining
3487	   whether the proposed registration duplicates existing functionality,
3488	   whether it is likely to be of general applicability or useful only
3489	   for a single application, and whether the registration description is
3490	   clear.  For example, the MLS DEs will apply the ciphersuite-related
3491	   advisory found in Section 6.1.

3493	   IANA MUST only accept registry updates from the MLS DEs and SHOULD
3494	   direct all requests for registration to the MLS DEs' mailing list.

3496	   It is suggested that multiple MLS DEs be appointed who are able to
3497	   represent the perspectives of different applications using this
3498	   specification, in order to enable broadly informed review of
3499	   registration decisions.  In cases where a registration decision could
3500	   be perceived as creating a conflict of interest for a particular MLS
3501	   DE, that MLS DE SHOULD defer to the judgment of the other MLS DEs.

3503	17.  Contributors

3505	   *  Joel Alwen

3507	      Wickr

3509	      joel.alwen@wickr.com

3511	   *  Karthikeyan Bhargavan

3513	      INRIA

3515	      karthikeyan.bhargavan@inria.fr

3517	   *  Cas Cremers

3519	      University of Oxford

3521	      cas.cremers@cs.ox.ac.uk

3523	   *  Alan Duric

3525	      Wire

3527	      alan@wire.com

3529	   *  Britta Hale

3531	      Naval Postgraduate School

3533	      britta.hale@nps.edu

3535	   *  Srinivas Inguva

3537	      Twitter

3539	      singuva@twitter.com

3541	   *  Konrad Kohbrok

3543	      Aalto University

3545	      konrad.kohbrok@datashrine.de

3547	   *  Albert Kwon

3549	      MIT

3551	      kwonal@mit.edu

3553	   *  Brendan McMillion

3555	      Cloudflare

3557	      brendan@cloudflare.com

3559	   *  Eric Rescorla

3561	      Mozilla

3563	      ekr@rtfm.com

3565	   *  Michael Rosenberg

3567	      Trail of Bits

3569	      michael.rosenberg@trailofbits.com

3571	   *  Thyla van der Merwe

3573	      Royal Holloway, University of London

3575	      thyla.van.der@merwe.tech

3577	18.  References

3579	18.1.  Normative References

3581	   [I-D.irtf-cfrg-hpke]
3582	              Barnes, R., Bhargavan, K., Lipp, B., and C. Wood, "Hybrid
3583	              Public Key Encryption", Work in Progress, Internet-Draft,
3584	              draft-irtf-cfrg-hpke-06, 23 October 2020,
3585	              .

3588	   [RFC2104]  Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-
3589	              Hashing for Message Authentication", RFC 2104,
3590	              DOI 10.17487/RFC2104, February 1997,
3591	              .

3593	   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
3594	              Requirement Levels", BCP 14, RFC 2119,
3595	              DOI 10.17487/RFC2119, March 1997,
3596	              .

3598	   [RFC8126]  Cotton, M., Leiba, B., and T. Narten, "Guidelines for
3599	              Writing an IANA Considerations Section in RFCs", BCP 26,
3600	              RFC 8126, DOI 10.17487/RFC8126, June 2017,
3601	              .

3603	   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
3604	              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
3605	              May 2017, .

3607	   [RFC8446]  Rescorla, E., "The Transport Layer Security (TLS) Protocol
3608	              Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
3609	              .

3611	18.2.  Informative References

3613	   [art]      Cohn-Gordon, K., Cremers, C., Garratt, L., Millican, J.,
3614	              and K. Milner, "On Ends-to-Ends Encryption: Asynchronous
3615	              Group Messaging with Strong Security Guarantees", 18
3616	              January 2018, .

3618	   [CLINIC]   Miller, B., Huang, L., Joseph, A., and J. Tygar, "I Know
3619	              Why You Went to the Clinic: Risks and Realization of HTTPS
3620	              Traffic Analysis", Privacy Enhancing Technologies pp.
3621	              143-163, DOI 10.1007/978-3-319-08506-7_8, 2014,
3622	              .

3624	   [doubleratchet]
3625	              Cohn-Gordon, K., Cremers, C., Dowling, B., Garratt, L.,
3626	              and D. Stebila, "A Formal Security Analysis of the Signal
3627	              Messaging Protocol", 2017 IEEE European Symposium on
3628	              Security and Privacy (EuroS&P),
3629	              DOI 10.1109/eurosp.2017.27, April 2017,
3630	              .

3632	   [HCJ16]    Husak, M., Cermak, M., Jirsik, T., and P. Celeda, "HTTPS
3633	              traffic analysis and client identification using passive
3634	              SSL/TLS fingerprinting", EURASIP Journal on Information
3635	              Security Vol. 2016, DOI 10.1186/s13635-016-0030-7,
3636	              February 2016,
3637	              .

3639	   [I-D.ietf-mls-architecture]
3640	              Omara, E., Beurdouche, B., Rescorla, E., Inguva, S., Kwon,
3641	              A., and A. Duric, "The Messaging Layer Security (MLS)
3642	              Architecture", Work in Progress, Internet-Draft, draft-
3643	              ietf-mls-architecture-05, 26 July 2020,
3644	              .

3647	   [I-D.ietf-trans-rfc6962-bis]
3648	              Laurie, B., Langley, A., Kasper, E., Messeri, E., and R.
3649	              Stradling, "Certificate Transparency Version 2.0", Work in
3650	              Progress, Internet-Draft, draft-ietf-trans-rfc6962-bis-34,
3651	              4 November 2019, .

3654	   [RFC8032]  Josefsson, S. and I. Liusvaara, "Edwards-Curve Digital
3655	              Signature Algorithm (EdDSA)", RFC 8032,
3656	              DOI 10.17487/RFC8032, January 2017,
3657	              .

3659	   [SECG]     "Elliptic Curve Cryptography, Standards for Efficient
3660	              Cryptography Group, ver. 2", 2009,
3661	              .

3663	   [SHS]      Dang, Q., "Secure Hash Standard", National Institute of
3664	              Standards and Technology report,
3665	              DOI 10.6028/nist.fips.180-4, July 2015,
3666	              .

3668	   [signal]   Perrin(ed), T. and M. Marlinspike, "The Double Ratchet
3669	              Algorithm", 20 November 2016,
3670	              .

3673	Appendix A.  Tree Math

3675	   One benefit of using left-balanced trees is that they admit a simple
3676	   flat array representation.  In this representation, leaf nodes are
3677	   even-numbered nodes, with the n-th leaf at 2*n.  Intermediate nodes
3678	   are held in odd-numbered nodes.  For example, an 11-element tree has
3679	   the following structure:

3681	                                                X
3682	                        X
3683	            X                       X                       X
3684	      X           X           X           X           X
3685	   X     X     X     X     X     X     X     X     X     X     X
3686	   0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16 17 18 19 20

3688	   This allows us to compute relationships between tree nodes simply by
3689	   manipulating indices, rather than having to maintain complicated
3690	   structures in memory, even for partial trees.  The basic rule is that
3691	   the high-order bits of parent and child nodes have the following
3692	   relation (where "x" is an arbitrary bit string):

3694	   parent=01x => left=00x, right=10x

3696	   The following python code demonstrates the tree computations
3697	   necessary for MLS.  Test vectors can be derived from the diagram
3698	   above.

3700	# The exponent of the largest power of 2 less than x. Equivalent to:
3701	#   int(math.floor(math.log(x, 2)))
3702	def log2(x):
3703	    if x == 0:
3704	        return 0

3706	    k = 0
3707	    while (x >> k) > 0:
3708	        k += 1
3709	    return k-1

3711	# The level of a node in the tree. Leaves are level 0, their parents are
3712	# level 1, etc. If a node's children are at different levels, then its
3713	# level is the max level of its children plus one.
3714	def level(x):
3715	    if x & 0x01 == 0:
3716	        return 0

3718	    k = 0
3719	    while ((x >> k) & 0x01) == 1:
3720	        k += 1

3722	    return k

3724	# The number of nodes needed to represent a tree with n leaves.
3725	def node_width(n):
3726	    if n == 0:
3727	        return 0
3728	    else:
3729	        return 2*(n - 1) + 1

3731	# The index of the root node of a tree with n leaves.
3732	def root(n):
3733	    w = node_width(n)
3734	    return (1 << log2(w)) - 1

3736	# The left child of an intermediate node. Note that because the tree is
3737	# left-balanced, there is no dependency on the size of the tree.
3738	def left(x):
3739	    k = level(x)
3740	    if k == 0:
3741	        raise Exception('leaf node has no children')

3743	    return x ^ (0x01 << (k - 1))

3745	# The right child of an intermediate node. Depends on the number of
3746	# leaves because the straightforward calculation can take you beyond the
3747	# edge of the tree.
3748	def right(x, n):
3749	    k = level(x)
3750	    if k == 0:
3751	        raise Exception('leaf node has no children')

3753	    r = x ^ (0x03 << (k - 1))
3754	    while r >= node_width(n):
3755	        r = left(r)
3756	    return r

3758	# The immediate parent of a node. May be beyond the right edge of the
3759	# tree.
3760	def parent_step(x):
3761	    k = level(x)
3762	    b = (x >> (k + 1)) & 0x01
3763	    return (x | (1 << k)) ^ (b << (k + 1))

3765	# The parent of a node. As with the right child calculation, we have to
3766	# walk back until the parent is within the range of the tree.
3767	def parent(x, n):
3768	    if x == root(n):
3769	        raise Exception('root node has no parent')

3771	    p = parent_step(x)
3772	    while p >= node_width(n):
3773	        p = parent_step(p)
3774	    return p

3776	# The other child of the node's parent.
3777	def sibling(x, n):
3778	    p = parent(x, n)
3779	    if x < p:
3780	        return right(p, n)
3781	    else:
3782	        return left(p)

3784	# The direct path of a node, ordered from leaf to root.
3785	def direct_path(x, n):
3786	    r = root(n)
3787	    if x == r:
3788	        return []

3790	    d = []
3791	    while x != r:
3792	        x = parent(x, n)
3793	        d.append(x)
3794	    return d

3796	# The copath of a node, ordered from leaf to root.
3797	def copath(x, n):
3798	    if x == root(n):
3799	        return []

3801	    d = direct_path(x, n)
3802	    d.insert(0, x)
3803	    d.pop()
3804	    return [sibling(y, n) for y in d]

3806	# The common ancestor of two nodes is the lowest node that is in the
3807	# direct paths of both leaves.
3808	def common_ancestor_semantic(x, y, n):
3809	    dx = set([x]) | set(direct_path(x, n))
3810	    dy = set([y]) | set(direct_path(y, n))
3811	    dxy = dx & dy
3812	    if len(dxy) == 0:
3813	        raise Exception('failed to find common ancestor')

3815	    return min(dxy, key=level)

3817	# The common ancestor of two nodes is the lowest node that is in the
3818	# direct paths of both leaves.

3820	def common_ancestor_direct(x, y, _):
3821	    # Handle cases where one is an ancestor of the other
3822	    lx, ly = level(x)+1, level(y)+1
3823	    if (lx <= ly) and (x>>ly == y>>ly):
3824	      return y
3825	    elif (ly <= lx) and (x>>lx == y>>lx):
3826	      return x

3828	    # Handle other cases
3829	    xn, yn = x, y
3830	    k = 0
3831	    while xn != yn:
3832	       xn, yn = xn >> 1, yn >> 1
3833	       k += 1
3834	    return (xn << k) + (1 << (k-1)) - 1

3836	Authors' Addresses

3838	   Richard Barnes
3839	   Cisco

3841	   Email: rlb@ipv.sx

3843	   Benjamin Beurdouche
3844	   Inria

3846	   Email: benjamin.beurdouche@inria.fr

3848	   Jon Millican
3849	   Facebook

3851	   Email: jmillican@fb.com

3853	   Emad Omara
3854	   Google

3856	   Email: emadomara@google.com

3858	   Katriel Cohn-Gordon
3859	   University of Oxford

3861	   Email: me@katriel.co.uk
3862	   Raphael Robert
3863	   Wire

3865	   Email: raphael@wire.com