Network Working Group R. Barnes Internet-Draft Cisco Intended status: Informational B. Beurdouche Expires: 14 April 2022 Inria & Mozilla R. Robert J. Millican Facebook E. Omara Google K. Cohn-Gordon University of Oxford 11 October 2021 The Messaging Layer Security (MLS) Protocol draft-ietf-mls-protocol-12 Abstract Messaging applications are increasingly making use of end-to-end security mechanisms to ensure that messages are only accessible to the communicating endpoints, and not to any servers involved in delivering messages. Establishing keys to provide such protections is challenging for group chat settings, in which more than two clients need to agree on a key but may not be online at the same time. In this document, we specify a key establishment protocol that provides efficient asynchronous group key establishment with forward secrecy and post-compromise security for groups in size ranging from two to thousands. Discussion Venues This note is to be removed before publishing as an RFC. Source for this draft and an issue tracker can be found at https://github.com/mlswg/mls-protocol (https://github.com/mlswg/mls- protocol). Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Barnes, et al. Expires 14 April 2022 [Page 1] Internet-Draft MLS October 2021 Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on 14 April 2022. Copyright Notice Copyright (c) 2021 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4 1.1. Change Log . . . . . . . . . . . . . . . . . . . . . . . 5 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 10 3. Basic Assumptions . . . . . . . . . . . . . . . . . . . . . . 11 4. Protocol Overview . . . . . . . . . . . . . . . . . . . . . . 11 5. Ratchet Trees . . . . . . . . . . . . . . . . . . . . . . . . 14 5.1. Tree Computation Terminology . . . . . . . . . . . . . . 15 5.2. Ratchet Tree Nodes . . . . . . . . . . . . . . . . . . . 17 5.3. Views of a Ratchet Tree . . . . . . . . . . . . . . . . . 18 5.4. Ratchet Tree Evolution . . . . . . . . . . . . . . . . . 19 5.5. Synchronizing Views of the Tree . . . . . . . . . . . . . 21 6. Cryptographic Objects . . . . . . . . . . . . . . . . . . . . 22 6.1. Ciphersuites . . . . . . . . . . . . . . . . . . . . . . 22 6.2. Credentials . . . . . . . . . . . . . . . . . . . . . . . 23 7. Key Packages . . . . . . . . . . . . . . . . . . . . . . . . 25 7.1. Key Package IDs . . . . . . . . . . . . . . . . . . . . . 26 7.2. Client Capabilities . . . . . . . . . . . . . . . . . . . 27 7.3. Lifetime . . . . . . . . . . . . . . . . . . . . . . . . 27 7.4. KeyPackage Identifiers . . . . . . . . . . . . . . . . . 27 7.5. Parent Hash . . . . . . . . . . . . . . . . . . . . . . . 28 7.5.1. Using Parent Hashes . . . . . . . . . . . . . . . . . 28 7.5.2. Verifying Parent Hashes . . . . . . . . . . . . . . . 29 7.6. Tree Hashes . . . . . . . . . . . . . . . . . . . . . . . 30 7.7. Group State . . . . . . . . . . . . . . . . . . . . . . . 31 7.8. Update Paths . . . . . . . . . . . . . . . . . . . . . . 32 Barnes, et al. Expires 14 April 2022 [Page 2] Internet-Draft MLS October 2021 8. Key Schedule . . . . . . . . . . . . . . . . . . . . . . . . 33 8.1. External Initialization . . . . . . . . . . . . . . . . . 36 8.2. Pre-Shared Keys . . . . . . . . . . . . . . . . . . . . . 37 8.3. Secret Tree . . . . . . . . . . . . . . . . . . . . . . . 40 8.4. Encryption Keys . . . . . . . . . . . . . . . . . . . . . 41 8.5. Deletion Schedule . . . . . . . . . . . . . . . . . . . . 42 8.6. Exporters . . . . . . . . . . . . . . . . . . . . . . . . 43 8.7. Resumption Secret . . . . . . . . . . . . . . . . . . . . 44 8.8. State Authentication Keys . . . . . . . . . . . . . . . . 44 9. Message Framing . . . . . . . . . . . . . . . . . . . . . . . 44 9.1. Content Authentication . . . . . . . . . . . . . . . . . 47 9.2. Content Encryption . . . . . . . . . . . . . . . . . . . 49 9.3. Sender Data Encryption . . . . . . . . . . . . . . . . . 50 10. Group Creation . . . . . . . . . . . . . . . . . . . . . . . 51 10.1. Required Capabilities . . . . . . . . . . . . . . . . . 52 10.2. Linking a New Group to an Existing Group . . . . . . . . 53 10.2.1. Sub-group Branching . . . . . . . . . . . . . . . . 53 11. Group Evolution . . . . . . . . . . . . . . . . . . . . . . . 53 11.1. Proposals . . . . . . . . . . . . . . . . . . . . . . . 54 11.1.1. Add . . . . . . . . . . . . . . . . . . . . . . . . 54 11.1.2. Update . . . . . . . . . . . . . . . . . . . . . . . 56 11.1.3. Remove . . . . . . . . . . . . . . . . . . . . . . . 56 11.1.4. PreSharedKey . . . . . . . . . . . . . . . . . . . . 57 11.1.5. ReInit . . . . . . . . . . . . . . . . . . . . . . . 57 11.1.6. ExternalInit . . . . . . . . . . . . . . . . . . . . 58 11.1.7. AppAck . . . . . . . . . . . . . . . . . . . . . . . 58 11.1.8. GroupContextExtensions . . . . . . . . . . . . . . . 59 11.1.9. External Proposals . . . . . . . . . . . . . . . . . 60 11.2. Commit . . . . . . . . . . . . . . . . . . . . . . . . . 61 11.2.1. External Commits . . . . . . . . . . . . . . . . . . 68 11.2.2. Welcoming New Members . . . . . . . . . . . . . . . 71 11.3. Ratchet Tree Extension . . . . . . . . . . . . . . . . . 74 12. Extensibility . . . . . . . . . . . . . . . . . . . . . . . . 75 13. Sequencing of State Changes . . . . . . . . . . . . . . . . . 77 13.1. Server-Enforced Ordering . . . . . . . . . . . . . . . . 78 13.2. Client-Enforced Ordering . . . . . . . . . . . . . . . . 78 14. Application Messages . . . . . . . . . . . . . . . . . . . . 78 14.1. Message Encryption and Decryption . . . . . . . . . . . 79 14.2. Restrictions . . . . . . . . . . . . . . . . . . . . . . 80 14.3. Delayed and Reordered Application messages . . . . . . . 80 15. Security Considerations . . . . . . . . . . . . . . . . . . . 80 15.1. Confidentiality of the Group Secrets . . . . . . . . . . 80 15.2. Authentication . . . . . . . . . . . . . . . . . . . . . 81 15.3. Forward Secrecy and Post-Compromise Security . . . . . . 81 15.4. InitKey Reuse . . . . . . . . . . . . . . . . . . . . . 82 15.5. Group Fragmentation by Malicious Insiders . . . . . . . 82 16. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 83 16.1. MLS Ciphersuites . . . . . . . . . . . . . . . . . . . . 83 Barnes, et al. Expires 14 April 2022 [Page 3] Internet-Draft MLS October 2021 16.2. MLS Extension Types . . . . . . . . . . . . . . . . . . 86 16.3. MLS Proposal Types . . . . . . . . . . . . . . . . . . . 87 16.4. MLS Credential Types . . . . . . . . . . . . . . . . . . 88 16.5. MLS Designated Expert Pool . . . . . . . . . . . . . . . 89 17. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 90 18. References . . . . . . . . . . . . . . . . . . . . . . . . . 91 18.1. Normative References . . . . . . . . . . . . . . . . . . 91 18.2. Informative References . . . . . . . . . . . . . . . . . 92 Appendix A. Tree Math . . . . . . . . . . . . . . . . . . . . . 93 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 96 1. Introduction DISCLAIMER: This is a work-in-progress draft of MLS and has not yet seen significant security analysis. It should not be used as a basis for building production systems. RFC EDITOR: PLEASE REMOVE THE FOLLOWING PARAGRAPH The source for this draft is maintained in GitHub. Suggested changes should be submitted as pull requests at https://github.com/mlswg/mls-protocol. Instructions are on that page as well. Editorial changes can be managed in GitHub, but any substantive change should be discussed on the MLS mailing list. A group of users who want to send each other encrypted messages needs a way to derive shared symmetric encryption keys. For two parties, this problem has been studied thoroughly, with the Double Ratchet emerging as a common solution [doubleratchet] [signal]. Channels implementing the Double Ratchet enjoy fine-grained forward secrecy as well as post-compromise security, but are nonetheless efficient enough for heavy use over low-bandwidth networks. For a group of size greater than two, a common strategy is to unilaterally broadcast symmetric "sender" keys over existing shared symmetric channels, and then for each member to send messages to the group encrypted with their own sender key. Unfortunately, while this improves efficiency over pairwise broadcast of individual messages and provides forward secrecy (with the addition of a hash ratchet), it is difficult to achieve post-compromise security with sender keys. An adversary who learns a sender key can often indefinitely and passively eavesdrop on that member's messages. Generating and distributing a new sender key provides a form of post-compromise security with regard to that sender. However, it requires computation and communications resources that scale linearly with the size of the group. Barnes, et al. Expires 14 April 2022 [Page 4] Internet-Draft MLS October 2021 In this document, we describe a protocol based on tree structures that enable asynchronous group keying with forward secrecy and post- compromise security. Based on earlier work on "asynchronous ratcheting trees" [art], the protocol presented here uses an asynchronous key-encapsulation mechanism for tree structures. This mechanism allows the members of the group to derive and update shared keys with costs that scale as the log of the group size. 1.1. Change Log RFC EDITOR PLEASE DELETE THIS SECTION. draft-12 * Use the GroupContext to derive the joiner_secret (*) * Make PreSharedKeys non optional in GroupSecrets (*) * Update name for this particular key (*) * Truncate tree size on removal (*) * Use HPKE draft-08 (*) * Clarify requirements around identity in MLS groups (*) * Signal the intended wire format for MLS messages (*) * Inject GroupContext as HPKE info instead of AAD (*) * Clarify extension handling and make extension updatable (*) * Improve extensibility of Proposals (*) * Constrain proposal in External Commit (*) * Remove the notion of a 'leaf index' (*) * Add group_context_extensions proposal ID (*) * Add RequiredCapabilities extension (*) * Use cascaded KDF instead of concatenation to consolidate PSKs (*) * Use key package hash to index clients in message structs (*) * Don't require PublicGroupState for external init (*) Barnes, et al. Expires 14 April 2022 [Page 5] Internet-Draft MLS October 2021 * Make ratchet tree section clearer. * Handle non-member sender cases in MLSPlaintextTBS * Clarify encoding of signatures with NIST curves * Remove OPEN ISSUEs and TODOs * Normalize the description of the zero vector draft-11 * Include subtree keys in parent hash (*) * Pin HPKE to draft-07 (*) * Move joiner secret to the end of the first key schedule epoch (*) * Add an AppAck proposal * Make initializations of transcript hashes consistent draft-10 * Allow new members to join via an external Commit (*) * Enable proposals to be sent inline in a Commit (*) * Re-enable constant-time Add (*) * Change expiration extension to lifetime extension (*) * Make the tree in the Welcome optional (*) * PSK injection, re-init, sub-group branching (*) * Require the initial init_secret to be a random value (*) * Remove explicit sender data nonce (*) * Do not encrypt to joiners in UpdatePath generation (*) * Move MLSPlaintext signature under the confirmation tag (*) * Explicitly authenticate group membership with MLSPLaintext (*) * Clarify X509Credential structure (*) Barnes, et al. Expires 14 April 2022 [Page 6] Internet-Draft MLS October 2021 * Remove uneeded interim transcript hash from GroupInfo (*) * IANA considerations * Derive an authentication secret * Use Extract/Expand from HPKE KDF * Clarify that application messages MUST be encrypted draft-09 * Remove blanking of nodes on Add (*) * Change epoch numbers to uint64 (*) * Add PSK inputs (*) * Add key schedule exporter (*) * Sign the updated direct path on Commit, using "parent hashes" and one signature per leaf (*) * Use structured types for external senders (*) * Redesign Welcome to include confirmation and use derived keys (*) * Remove ignored proposals (*) * Always include an Update with a Commit (*) * Add per-message entropy to guard against nonce reuse (*) * Use the same hash ratchet construct for both application and handshake keys (*) * Add more ciphersuites * Use HKDF to derive key pairs (*) * Mandate expiration of ClientInitKeys (*) * Add extensions to GroupContext and flesh out the extensibility story (*) * Rename ClientInitKey to KeyPackage draft-08 Barnes, et al. Expires 14 April 2022 [Page 7] Internet-Draft MLS October 2021 * Change ClientInitKeys so that they only refer to one ciphersuite (*) * Decompose group operations into Proposals and Commits (*) * Enable Add and Remove proposals from outside the group (*) * Replace Init messages with multi-recipient Welcome message (*) * Add extensions to ClientInitKeys for expiration and downgrade resistance (*) * Allow multiple Proposals and a single Commit in one MLSPlaintext (*) draft-07 * Initial version of the Tree based Application Key Schedule (*) * Initial definition of the Init message for group creation (*) * Fix issue with the transcript used for newcomers (*) * Clarifications on message framing and HPKE contexts (*) draft-06 * Reorder blanking and update in the Remove operation (*) * Rename the GroupState structure to GroupContext (*) * Rename UserInitKey to ClientInitKey * Resolve the circular dependency that draft-05 introduced in the confirmation MAC calculation (*) * Cover the entire MLSPlaintext in the transcript hash (*) draft-05 * Common framing for handshake and application messages (*) * Handshake message encryption (*) * Convert from literal state to a commitment via the "tree hash" (*) * Add credentials to the tree and remove the "roster" concept (*) Barnes, et al. Expires 14 April 2022 [Page 8] Internet-Draft MLS October 2021 * Remove the secret field from tree node values draft-04 * Updating the language to be similar to the Architecture document * ECIES is now renamed in favor of HPKE (*) * Using a KDF instead of a Hash in TreeKEM (*) draft-03 * Added ciphersuites and signature schemes (*) * Re-ordered fields in UserInitKey to make parsing easier (*) * Fixed inconsistencies between Welcome and GroupState (*) * Added encryption of the Welcome message (*) draft-02 * Removed ART (*) * Allowed partial trees to avoid double-joins (*) * Added explicit key confirmation (*) draft-01 * Initial description of the Message Protection mechanism. (*) * Initial specification proposal for the Application Key Schedule using the per-participant chaining of the Application Secret design. (*) * Initial specification proposal for an encryption mechanism to protect Application Messages using an AEAD scheme. (*) * Initial specification proposal for an authentication mechanism of Application Messages using signatures. (*) * Initial specification proposal for a padding mechanism to improving protection of Application Messages against traffic analysis. (*) Barnes, et al. Expires 14 April 2022 [Page 9] Internet-Draft MLS October 2021 * Inversion of the Group Init Add and Application Secret derivations in the Handshake Key Schedule to be ease chaining in case we switch design. (*) * Removal of the UserAdd construct and split of GroupAdd into Add and Welcome messages (*) * Initial proposal for authenticating handshake messages by signing over group state and including group state in the key schedule (*) * Added an appendix with example code for tree math * Changed the ECIES mechanism used by TreeKEM so that it uses nonces generated from the shared secret draft-00 * Initial adoption of draft-barnes-mls-protocol-01 as a WG item. 2. Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. Client: An agent that uses this protocol to establish shared cryptographic state with other clients. A client is defined by the cryptographic keys it holds. Group: A collection of clients with shared cryptographic state. Member: A client that is included in the shared state of a group, hence has access to the group's secrets. Key Package: A signed object describing a client's identity and capabilities, and including a hybrid public-key encryption (HPKE [I-D.irtf-cfrg-hpke]) public key that can be used to encrypt to that client. Initialization Key (InitKey): A key package that is prepublished by a client, which other clients can use to introduce the client to a new group. Signature Key: A signing key pair used to authenticate the sender of a message. Barnes, et al. Expires 14 April 2022 [Page 10] Internet-Draft MLS October 2021 Terminology specific to tree computations is described in Section 5. We use the TLS presentation language [RFC8446] to describe the structure of protocol messages. 3. Basic Assumptions This protocol is designed to execute in the context of a Service Provider (SP) as described in [I-D.ietf-mls-architecture]. In particular, we assume the SP provides the following services: * A signature key provider which allows clients to authenticate protocol messages in a group. * A broadcast channel, for each group, which will relay a message to all members of a group. For the most part, we assume that this channel delivers messages in the same order to all participants. (See Section 13 for further considerations.) * A directory to which clients can publish key packages and download key packages for other participants. 4. Protocol Overview The goal of this protocol is to allow a group of clients to exchange confidential and authenticated messages. It does so by deriving a sequence of secrets and keys known only to members. Those should be secret against an active network adversary and should have both forward secrecy and post-compromise security with respect to compromise of any members. We describe the information stored by each client as _state_, which includes both public and private data. An initial state is set up by a group creator, which is a group containing only itself. The creator then sends _Add_ proposals for each client in the initial set of members, followed by a _Commit_ message which incorporates all of the _Adds_ into the group state. Finally, the group creator generates a _Welcome_ message corresponding to the Commit and sends this directly to all the new members, who can use the information it contains to set up their own group state and derive a shared secret. Members exchange Commit messages for post-compromise security, to add new members, and to remove existing members. These messages produce new shared secrets which are causally linked to their predecessors, forming a logical Directed Acyclic Graph (DAG) of states. The protocol algorithms we specify here follow. Each algorithm specifies both (i) how a client performs the operation and (ii) how other clients update their state based on it. Barnes, et al. Expires 14 April 2022 [Page 11] Internet-Draft MLS October 2021 There are three major operations in the lifecycle of a group: * Adding a member, initiated by a current member; * Updating the leaf secret of a member; * Removing a member. Each of these operations is "proposed" by sending a message of the corresponding type (Add / Update / Remove). The state of the group is not changed, however, until a Commit message is sent to provide the group with fresh entropy. In this section, we show each proposal being committed immediately, but in more advanced deployment cases an application might gather several proposals before committing them all at once. Before the initialization of a group, clients publish InitKeys (as KeyPackage objects) to a directory provided by the Service Provider. Group A B C Directory Channel | | | | | | KeyPackageA | | | | |------------------------------------------------->| | | | | | | | | KeyPackageB | | | | |-------------------------------->| | | | | | | | | | KeyPackageC | | | | |--------------->| | | | | | | When a client A wants to establish a group with B and C, it first initializes a group state containing only itself and downloads KeyPackages for B and C. For each member, A generates an Add and Commit message adding that member, and broadcasts them to the group. It also generates a Welcome message and sends this directly to the new member (there's no need to send it to the group). Only after A has received its Commit message back from the server does it update its state to reflect the new member's addition. Upon receiving the Welcome message, the new member will be able to read and send new messages to the group. Messages received before the client has joined the group are ignored. Barnes, et al. Expires 14 April 2022 [Page 12] Internet-Draft MLS October 2021 Group A B C Directory Channel | | | | | | KeyPackageB, KeyPackageC | | |<-------------------------------------------| | |state.init() | | | | | | | | | | | | | Add(A->AB) | | | | | Commit(Add) | |--------------------------------------------------------------->| | | | | | | Welcome(B) | | | | |------------->|state.join() | | | | | | | | | | | | Add(A->AB) | | | | | Commit(Add) | |<---------------------------------------------------------------| |state.add(B) | | | | | | | | | | | | | | | | | | Add(AB->ABC) | | | | | Commit(Add) | |--------------------------------------------------------------->| | | | | | | | Welcome(C) | | | |---------------------------->|state.join() | | | | | | | | | | | Add(AB->ABC) | | | | | Commit(Add) | |<---------------------------------------------------------------| |state.add(C) |<------------------------------------------------| | |state.add(C) | | | | | | | | Subsequent additions of group members proceed in the same way. Any member of the group can download a KeyPackage for a new client and broadcast an Add message that the current group can use to update their state, and a Welcome message that the new client can use to initialize its state and join the group. To enforce the forward secrecy and post-compromise security of messages, each member periodically updates their leaf secret. Any member can update this information at any time by generating a fresh KeyPackage and sending an Update message followed by a Commit message. Once all members have processed both, the group's secrets will be unknown to an attacker that had compromised the sender's prior leaf secret. Barnes, et al. Expires 14 April 2022 [Page 13] Internet-Draft MLS October 2021 Update messages should be sent at regular intervals of time as long as the group is active, and members that don't update should eventually be removed from the group. It's left to the application to determine an appropriate amount of time between Updates. Group A B ... Z Directory Channel | | | | | | | Update(B) | | | | |------------------------------------------->| | Commit(Upd) | | | | |---------------------------------------------------------->| | | | | | | | | | Update(B) | | | | | Commit(Upd) | |<----------------------------------------------------------| |state.upd(B) |<-------------------------------------------| | |state.upd(B) |<----------------------------| | | |state.upd(B) | | | | | | | Members are removed from the group in a similar way. Any member of the group can send a Remove proposal followed by a Commit message, which adds new entropy to the group state that's known to all except the removed member. Note that this does not necessarily imply that any member is actually allowed to evict other members; groups can enforce access control policies on top of these basic mechanism. Group A B ... Z Directory Channel | | | | | | | | Remove(B) | | | | | Commit(Rem) | | | | |---------------------------->| | | | | | | | | | Remove(B) | | | | | Commit(Rem) | |<----------------------------------------------------------| |state.rem(B) | |<----------------------------| | | |state.rem(B) | | | | | | | | | | | | 5. Ratchet Trees The protocol uses "ratchet trees" for deriving shared secrets among a group of clients. Barnes, et al. Expires 14 April 2022 [Page 14] Internet-Draft MLS October 2021 5.1. Tree Computation Terminology Trees consist of _nodes_. A node is a _leaf_ if it has no children, and a _parent_ otherwise; note that all parents in our trees have precisely two children, a _left_ child and a _right_ child. A node is the _root_ of a tree if it has no parents, and _intermediate_ if it has both children and parents. The _descendants_ of a node are that node, its children, and the descendants of its children, and we say a tree _contains_ a node if that node is a descendant of the root of the tree. Nodes are _siblings_ if they share the same parent. A _subtree_ of a tree is the tree given by the descendants of any node, the _head_ of the subtree. The _size_ of a tree or subtree is the number of leaf nodes it contains. For a given parent node, its _left subtree_ is the subtree with its left child as head (respectively _right subtree_). All trees used in this protocol are left-balanced binary trees. A binary tree is _full_ (and _balanced_) if its size is a power of two and for any parent node in the tree, its left and right subtrees have the same size. A binary tree is _left-balanced_ if for every parent, either the parent is balanced, or the left subtree of that parent is the largest full subtree that could be constructed from the leaves present in the parent's own subtree. Given a list of n items, there is a unique left-balanced binary tree structure with these elements as leaves. (Note that left-balanced binary trees are the same structure that is used for the Merkle trees in the Certificate Transparency protocol [I-D.ietf-trans-rfc6962-bis].) The _direct path_ of a root is the empty list, and of any other node is the concatenation of that node's parent along with the parent's direct path. The _copath_ of a node is the node's sibling concatenated with the list of siblings of all the nodes in its direct path, excluding the root. For example, in the below tree: * The direct path of C is (CD, ABCD, ABCDEFG) * The copath of C is (D, AB, EFG) Barnes, et al. Expires 14 April 2022 [Page 15] Internet-Draft MLS October 2021 7 = root ______|______ / \ 3 11 __|__ __| / \ / \ 1 5 9 | / \ / \ / \ | A B C D E F G 1 1 1 0 1 2 3 4 5 6 7 8 9 0 1 2 Each node in the tree is assigned an _index_, starting at zero and running from left to right. A node is a leaf node if and only if it has an even index. The node indices for the nodes in the above tree are as follows: * 0 = A * 1 = AB * 2 = B * 3 = ABCD * 4 = C * 5 = CD * 6 = D * 7 = ABCDEFG * 8 = E * 9 = EF * 10 = F * 11 = EFG * 12 = G A tree with n leaves has 2*n - 1 nodes. For example, the above tree has 7 leaves (A, B, C, D, E, F, G) and 13 nodes. The root of a tree with n leaves is always the node with index 2^k - 1, where k is the largest number such that 2^k < n. Barnes, et al. Expires 14 April 2022 [Page 16] Internet-Draft MLS October 2021 5.2. Ratchet Tree Nodes A particular instance of a ratchet tree is defined by the same parameters that define an instance of HPKE, namely: * A Key Encapsulation Mechanism (KEM), including a DeriveKeyPair function that creates a key pair for the KEM from a symmetric secret * A Key Derivation Function (KDF), including Extract and Expand functions * An AEAD encryption scheme Each node in a ratchet tree contains up to five values: * A private key (only within the member's direct path, see below) * A public key * An ordered list of node indices for "unmerged" leaves (see Section 5.3) * A credential (only for leaf nodes) * A hash of certain information about the node's parent, as of the last time the node was changed (see Section 7.5). The conditions under which each of these values must or must not be present are laid out in Section 5.3. A node in the tree may also be _blank_, indicating that no value is present at that node. The _resolution_ of a node is an ordered list of non-blank nodes that collectively cover all non-blank descendants of the node. * The resolution of a non-blank node comprises the node itself, followed by its list of unmerged leaves, if any * The resolution of a blank leaf node is the empty list * The resolution of a blank intermediate node is the result of concatenating the resolution of its left child with the resolution of its right child, in that order For example, consider the following tree, where the "_" character represents a blank node and unmerged leaves are indicated in square brackets: Barnes, et al. Expires 14 April 2022 [Page 17] Internet-Draft MLS October 2021 _ __|__ / \ _ 5[C] / \ / \ A _ C D 0 1 2 3 4 5 6 In this tree, we can see all of the above rules in play: * The resolution of node 5 is the list [CD, C] * The resolution of node 2 is the empty list [] * The resolution of node 3 is the list [A, CD, C] Every node, regardless of whether the node is blank or populated, has a corresponding _hash_ that summarizes the contents of the subtree below that node. The rules for computing these hashes are described in Section 7.6. 5.3. Views of a Ratchet Tree We generally assume that each participant maintains a complete and up-to-date view of the public state of the group's ratchet tree, including the public keys for all nodes and the credentials associated with the leaf nodes. No participant in an MLS group knows the private key associated with every node in the tree. Instead, each member is assigned to a leaf of the tree, which determines the subset of private keys it knows. The credential stored at that leaf is one provided by the member. In particular, MLS maintains the members' views of the tree in such a way as to maintain the _tree invariant_: The private key for a node in the tree is known to a member of the group only if that member's leaf is a descendant of the node. In other words, if a node is not blank, then it holds a public key. The corresponding private key is known only to members occupying leaves below that node. The reverse implication is not true: A member may not know the private keys of all the intermediate nodes they're below. Such a member has an _unmerged_ leaf. Encrypting to an intermediate node Barnes, et al. Expires 14 April 2022 [Page 18] Internet-Draft MLS October 2021 requires encrypting to the node's public key, as well as the public keys of all the unmerged leaves below it. A leaf is unmerged when it is first added, because the process of adding the leaf does not give it access to all of the nodes above it in the tree. Leaves are "merged" as they receive the private keys for nodes, as described in Section 5.4. 5.4. Ratchet Tree Evolution A member of an MLS group advances the key schedule to provide forward secrecy and post-compromise security by providing the group with fresh key material to be added into the group's shared secret. To do so, one member of the group generates fresh key material, applies it to their local tree state, and then sends this key material to other members in the group via an UpdatePath message (see Section 7.8) . All other group members then apply the key material in the UpdatePath to their own local tree state to derive the group's now-updated shared secret. To begin, the generator of the UpdatePath updates its leaf KeyPackage and its direct path to the root with new secret values. The HPKE leaf public key within the KeyPackage MUST be derived from a freshly generated HPKE secret key to provide post-compromise security. The generator of the UpdatePath starts by sampling a fresh random value called "leaf_secret", and uses the leaf_secret to generate their leaf HPKE key pair (see Section 7) and to seed a sequence of "path secrets", one for each ancestor of its leaf. In this setting, path_secret[0] refers to the node directly above the leaf, path_secret[1] for its parent, and so on. At each step, the path secret is used to derive a new secret value for the corresponding node, from which the node's key pair is derived. leaf_node_secret = DeriveSecret(leaf_secret, "node") path_secret[0] = DeriveSecret(leaf_secret, "path") path_secret[n] = DeriveSecret(path_secret[n-1], "path") node_secret[n] = DeriveSecret(path_secret[n], "node") leaf_priv, leaf_pub = KEM.DeriveKeyPair(leaf_node_secret) node_priv[n], node_pub[n] = KEM.DeriveKeyPair(node_secret[n]) For example, suppose there is a group with four members, with C an unmerged leaf at node 5: Barnes, et al. Expires 14 April 2022 [Page 19] Internet-Draft MLS October 2021 3 __|__ / \ 1 5[C] / \ / \ A B C D 0 1 2 3 4 5 6 If member B subsequently generates an UpdatePath based on a secret "leaf_secret", then it would generate the following sequence of path secrets: path_secret[1] --> node_secret[1] --> node_priv[1], node_pub[1] ^ | path_secret[0] --> node_secret[0] --> node_priv[0], node_pub[0] ^ | leaf_secret --> leaf_node_secret --> leaf_priv, leaf_pub ~> leaf_key_package After applying the UpdatePath, the tree will have the following structure, where lp and np[i] represent the leaf_priv and node_priv values generated as described above: np[1] -> 3 __|__ / \ np[0] -> 1 5[C] / \ / \ A B C D ^ | lp 0 1 2 3 4 5 6 After performing these operations, the generator of the UpdatePath MUST delete the leaf_secret. Barnes, et al. Expires 14 April 2022 [Page 20] Internet-Draft MLS October 2021 5.5. Synchronizing Views of the Tree After generating fresh key material and applying it to ratchet forward their local tree state as described in the prior section, the generator must broadcast this update to other members of the group in a Commit message, who apply it to keep their local views of the tree in sync with the sender's. More specifically, when a member commits a change to the tree (e.g., to add or remove a member), it transmits an UpdatePath containing a set of public keys and encrypted path secrets for intermediate nodes in the direct path of its leaf. The other members of the group use these values to update their view of the tree, aligning their copy of the tree to the sender's. An UpdatePath contains the following information for each node in the direct path of the sender's leaf, including the root: * The public key for the node * Zero or more encrypted copies of the path secret corresponding to the node The path secret value for a given node is encrypted for the subtree corresponding to the parent's non-updated child, that is, the child on the copath of the sender's leaf node. There is one encryption of the path secret to each public key in the resolution of the non- updated child. The recipient of an UpdatePath processes it with the following steps: 1. Compute the updated path secrets. * Identify a node in the direct path for which the local member is in the subtree of the non-updated child. * Identify a node in the resolution of the copath node for which this node has a private key. * Decrypt the path secret for the parent of the copath node using the private key from the resolution node. * Derive path secrets for ancestors of that node using the algorithm described above. * The recipient SHOULD verify that the received public keys agree with the public keys derived from the new path_secret values. 2. Merge the updated path secrets into the tree. Barnes, et al. Expires 14 April 2022 [Page 21] Internet-Draft MLS October 2021 * For all updated nodes, - Replace the public key for each node with the received public key. - Set the list of unmerged leaves to the empty list. - Store the updated hash of the node's parent (represented as a ParentNode struct), going from root to leaf, so that each hash incorporates all the nodes above it. The root node always has a zero-length hash for this value. * For nodes where an updated path secret was computed in step 1, compute the corresponding node key pair and replace the values stored at the node with the computed values. For example, in order to communicate the example update described in the previous section, the sender would transmit the following values: +=============+====================================================+ | Public Key | Ciphertext(s) | +=============+====================================================+ | node_pub[1] | E(pk(5), path_secret[1]), E(pk(C), path_secret[1]) | +-------------+----------------------------------------------------+ | node_pub[0] | E(pk(A), path_secret[0]) | +-------------+----------------------------------------------------+ Table 1 In this table, the value pk(ns[X]) represents the public key derived from the node secret X, whereas pk(X) represents the public leaf key for user X. The value E(K, S) represents the public-key encryption of the path secret S to the public key K (using HPKE). After processing the update, each recipient MUST delete outdated key material, specifically: * The path secrets used to derive each updated node key pair. * Each outdated node key pair that was replaced by the update. 6. Cryptographic Objects 6.1. Ciphersuites Each MLS session uses a single ciphersuite that specifies the following primitives to be used in group key computations: Barnes, et al. Expires 14 April 2022 [Page 22] Internet-Draft MLS October 2021 * HPKE parameters: - A Key Encapsulation Mechanism (KEM) - A Key Derivation Function (KDF) - An AEAD encryption algorithm * A hash algorithm * A signature algorithm MLS uses draft-08 of HPKE [I-D.irtf-cfrg-hpke] for public-key encryption. The DeriveKeyPair function associated to the KEM for the ciphersuite maps octet strings to HPKE key pairs. Ciphersuites are represented with the CipherSuite type. HPKE public keys are opaque values in a format defined by the underlying protocol (see the Cryptographic Dependencies section of the HPKE specification for more information). opaque HPKEPublicKey<1..2^16-1>; The signature algorithm specified in the ciphersuite is the mandatory algorithm to be used for signatures in MLSPlaintext and the tree signatures. It MUST be the same as the signature algorithm specified in the credential field of the KeyPackage objects in the leaves of the tree (including the InitKeys used to add new members). The ciphersuites are defined in section Section 16.1. 6.2. Credentials A member of a group authenticates the identities of other participants by means of credentials issued by some authentication system, like a PKI. Each type of credential MUST express the following data in the context of the group it is used with: * The public key of a signature key pair matching the SignatureScheme specified by the CipherSuite of the group * The identity of the holder of the private key Credentials MAY also include information that allows a relying party to verify the identity / signing key binding. Additionally, Credentials SHOULD specify the signature scheme corresponding to each contained public key. Barnes, et al. Expires 14 April 2022 [Page 23] Internet-Draft MLS October 2021 // See RFC 8446 and the IANA TLS SignatureScheme registry uint16 SignatureScheme; // See IANA registry for registered values uint16 CredentialType; struct { opaque identity<0..2^16-1>; SignatureScheme signature_scheme; opaque signature_key<0..2^16-1>; } BasicCredential; struct { opaque cert_data<0..2^16-1>; } Certificate; struct { CredentialType credential_type; select (Credential.credential_type) { case basic: BasicCredential; case x509: Certificate chain<1..2^32-1>; }; } Credential; A BasicCredential is a raw, unauthenticated assertion of an identity/ key binding. The format of the key in the public_key field is defined by the relevant ciphersuite: the group ciphersuite for a credential in a ratchet tree, the KeyPackage ciphersuite for a credential in a KeyPackage object. For X509Credential, each entry in the chain represents a single DER- encoded X509 certificate. The chain is ordered such that the first entry (chain[0]) is the end-entity certificate and each subsequent certificate in the chain MUST be the issuer of the previous certificate. The algorithm for the public_key in the end-entity certificate MUST match the relevant ciphersuite. For ciphersuites using Ed25519 or Ed448 signature schemes, the public key is in the format specified [RFC8032]. For ciphersuites using ECDSA with the NIST curves P-256 or P-521, the public key is the output of the uncompressed Elliptic-Curve-Point-to-Octet-String conversion according to [SECG]. Barnes, et al. Expires 14 April 2022 [Page 24] Internet-Draft MLS October 2021 The signatures used throughout this document are encoded as specified in [RFC8446]. In particular, ECDSA signatures are DER-encoded and EdDSA signatures are defined as the concatenation of r and s as specified in [RFC8032]. Note that each new credential that has not already been validated by the application MUST be validated against the Authentication Service. 7. Key Packages In order to facilitate asynchronous addition of clients to a group, it is possible to pre-publish key packages that provide some public information about a user. KeyPackage structures provide information about a client that any existing member can use to add this client to the group asynchronously. A KeyPackage object specifies a ciphersuite that the client supports, as well as providing a public key that others can use for key agreement. The identity arising from the credential, together with the endpoint_id in the KeyPackage serve to uniquely identify a client in a group. When used as InitKeys, KeyPackages are intended to be used only once and SHOULD NOT be reused except in case of last resort. (See Section 15.4). Clients MAY generate and publish multiple InitKeys to support multiple ciphersuites. KeyPackages contain a public key chosen by the client, which the client MUST ensure uniquely identifies a given KeyPackage object among the set of KeyPackages created by this client. The value for hpke_init_key MUST be a public key for the asymmetric encryption scheme defined by cipher_suite. The whole structure is signed using the client's signature key. A KeyPackage object with an invalid signature field MUST be considered malformed. The input to the signature computation comprises all of the fields except for the signature field. Barnes, et al. Expires 14 April 2022 [Page 25] Internet-Draft MLS October 2021 enum { reserved(0), mls10(1), (255) } ProtocolVersion; // See IANA registry for registered values uint16 ExtensionType; struct { ExtensionType extension_type; opaque extension_data<0..2^32-1>; } Extension; struct { ProtocolVersion version; CipherSuite cipher_suite; HPKEPublicKey hpke_init_key; opaque endpoint_id<0..255>; Credential credential; Extension extensions<8..2^32-1>; opaque signature<0..2^16-1>; } KeyPackage; KeyPackage objects MUST contain at least two extensions, one of type capabilities, and one of type lifetime. The capabilities extension allow MLS session establishment to be safe from downgrade attacks on the parameters described (as discussed in Section 10), while still only advertising one version / ciphersuite per KeyPackage. As the KeyPackage is a structure which is stored in the Ratchet Tree and updated depending on the evolution of this tree, each modification of its content MUST be reflected by a change of its signature. This allow other members to control the validity of the KeyPackage at any time and in particular in the case of a newcomer joining the group. 7.1. Key Package IDs When it is necessary to refer to a specific KeyPackage, protocol messages incorporate a KeyPackageID: struct { opaque key_package_hash<0..255>; } KeyPackageID This value is the hash of the KeyPackage, using the hash indicated by the cipher_suite field. KeyPackage hashes are used in a Welcome message to indicate which KeyPackage is being used to include the new member. Since members of a group are uniquely identified by their Barnes, et al. Expires 14 April 2022 [Page 26] Internet-Draft MLS October 2021 leaf KeyPackages, messages within a group use the hash of this key package to refer to group members, e.g., to specify the target of a Remove proposal or the signer of an MLSPlaintext. 7.2. Client Capabilities The capabilities extension indicates what protocol versions, ciphersuites, protocol extensions, and non-default proposal types are supported by a client. Proposal types defined in this document are considered "default" and thus need not be listed. struct { ProtocolVersion versions<0..255>; CipherSuite ciphersuites<0..255>; ExtensionType extensions<0..255>; ProposalType proposals<0..255>; } Capabilities; This extension MUST be always present in a KeyPackage. Extensions that appear in the extensions field of a KeyPackage MUST be included in the extensions field of the capabilities extension. 7.3. Lifetime The lifetime extension represents the times between which clients will consider a KeyPackage valid. This time is represented as an absolute time, measured in seconds since the Unix epoch (1970-01-01T00:00:00Z). A client MUST NOT use the data in a KeyPackage for any processing before the not_before date, or after the not_after date. uint64 not_before; uint64 not_after; Applications MUST define a maximum total lifetime that is acceptable for a KeyPackage, and reject any KeyPackage where the total lifetime is longer than this duration. This extension MUST always be present in a KeyPackage. 7.4. KeyPackage Identifiers Within MLS, a KeyPackage is identified by its hash (see, e.g., Section 11.2.2). The external_key_id extension allows applications to add an explicit, application-defined identifier to a KeyPackage. opaque external_key_id<0..2^16-1>; Barnes, et al. Expires 14 April 2022 [Page 27] Internet-Draft MLS October 2021 7.5. Parent Hash The parent_hash extension carries information to authenticate the structure of the tree, as described below. opaque parent_hash<0..255>; Consider a ratchet tree with a parent node P and children V and S. The parent hash of P changes whenever an UpdatePath object is applied to the ratchet tree along a path traversing node V (and hence also P). The new "Parent Hash of P (with Co-Path Child S)" is obtained by hashing P's ParentHashInput struct using the resolution of S to populate the original_child_resolution field. This way, P's Parent Hash fixes the new HPKE public keys of all nodes on the path from P to the root. Furthermore, for each such key PK the hash also binds the set of HPKE public keys to which PK's secret key was encrypted in the commit packet that anounced the UpdatePath object. struct { HPKEPublicKey public_key; opaque parent_hash<0..255>; HPKEPublicKey original_child_resolution<0..2^32-1>; } ParentHashInput; The Parent Hash of P with Co-Path Child S is the hash of a ParentHashInput object populated as follows. The field public_key contains the HPKE public key of P. If P is the root, then parent_hash is set to a zero-length octet string. Otherwise parent_hash is the Parent Hash of P's parent with P's sibling as the co-path child. Finally, original_child_resolution is the array of HPKEPublicKey values of the nodes in the resolution of S but with the unmerged_leaves of P omitted. For example, in the ratchet tree depicted in Section 5.2 the ParentHashInput of node 5 with co-path child 4 would contain an empty original_child_resolution since 4's resolution includes only itself but 4 is also an unmerged leaf of 5. Meanwhile, the ParentHashInput of node 5 with co-path child 6 has an array with one element in it: the HPKE public key of 6. 7.5.1. Using Parent Hashes The Parent Hash of P appears in three types of structs. If V is itself a parent node then P's Parent Hash is stored in the parent_hash fields of both V's ParentHashInput struct and V's ParentNode struct. (The ParentNode struct is used to encapsulate all public information about V that must be conveyed to a new member joining the group as well as to define the Tree Hash of node V.) Barnes, et al. Expires 14 April 2022 [Page 28] Internet-Draft MLS October 2021 If, on the other hand, V is a leaf and its KeyPackage contains the parent_hash extension then the Parent Hash of P (with V's sibling as co-path child) is stored in that field. In particular, the extension MUST be present in the leaf_key_package field of an UpdatePath object. (This way, the signature of such a KeyPackage also serves to attest to which keys the group member introduced into the ratchet tree and to whom the corresponding secret keys were sent. This helps prevent malicious insiders from constructing artificial ratchet trees with a node V whose HPKE secret key is known to the insider yet where the insider isn't assigned a leaf in the subtree rooted at V. Indeed, such a ratchet tree would violate the tree invariant.) 7.5.2. Verifying Parent Hashes To this end, when processing a Commit message clients MUST recompute the expected value of parent_hash for the committer's new leaf and verify that it matches the parent_hash value in the supplied leaf_key_package. Moreover, when joining a group, new members MUST authenticate each non-blank parent node P. A parent node P is authenticated by performing the following check: * Let L and R be the left and right children of P, respectively * If L.parent_hash is equal to the Parent Hash of P with Co-Path Child R, the check passes * If R is blank, replace R with its left child until R is either non-blank or a leaf node * If R is a blank leaf node, the check fails * If R.parent_hash is equal to the Parent Hash of P with Co-Path Child L, the check passes * Otherwise, the check fails The left-child recursion under the right child of P is necessary because the expansion of the tree to the right due to Add proposals can cause blank nodes to be interposed between a parent node and its right child. Barnes, et al. Expires 14 April 2022 [Page 29] Internet-Draft MLS October 2021 7.6. Tree Hashes To allow group members to verify that they agree on the public cryptographic state of the group, this section defines a scheme for generating a hash value (called the "tree hash") that represents the contents of the group's ratchet tree and the members' KeyPackages. The tree hash of a tree is the tree hash of its root node, which we define recursively, starting with the leaves. As some nodes may be blank while others contain data we use the following struct to include data if present. struct { uint8 present; select (present) { case 0: struct{}; case 1: T value; } } optional; The tree hash of a leaf node is the hash of leaf's LeafNodeHashInput object which might include a Key Package depending on whether or not it is blank. struct { uint32 node_index; optional key_package; } LeafNodeHashInput; Now the tree hash of any non-leaf node is recursively defined to be the hash of its ParentNodeTreeHashInput. This includes an optional ParentNode object depending on whether the node is blank or not. struct { HPKEPublicKey public_key; opaque parent_hash<0..255>; uint32 unmerged_leaves<0..2^32-1>; } ParentNode; struct { uint32 node_index; optional parent_node; opaque left_hash<0..255>; opaque right_hash<0..255>; } ParentNodeTreeHashInput; The left_hash and right_hash fields hold the tree hashes of the node's left and right children, respectively. Barnes, et al. Expires 14 April 2022 [Page 30] Internet-Draft MLS October 2021 7.7. Group State Each member of the group maintains a GroupContext object that summarizes the state of the group: struct { opaque group_id<0..255>; uint64 epoch; opaque tree_hash<0..255>; opaque confirmed_transcript_hash<0..255>; Extension extensions<0..2^32-1>; } GroupContext; The fields in this state have the following semantics: * The group_id field is an application-defined identifier for the group. * The epoch field represents the current version of the group key. * The tree_hash field contains a commitment to the contents of the group's ratchet tree and the credentials for the members of the group, as described in Section 7.6. * The confirmed_transcript_hash field contains a running hash over the messages that led to this state. When a new member is added to the group, an existing member of the group provides the new member with a Welcome message. The Welcome message provides the information the new member needs to initialize its GroupContext. Different changes to the group will have different effects on the group state. These effects are described in their respective subsections of Section 11.1. The following general rules apply: * The group_id field is constant * The epoch field increments by one for each Commit message that is processed * The tree_hash is updated to represent the current tree and credentials * The confirmed_transcript_hash is updated with the data for an MLSPlaintext message encoding a Commit message in two parts: Barnes, et al. Expires 14 April 2022 [Page 31] Internet-Draft MLS October 2021 struct { WireFormat wire_format; opaque group_id<0..255>; uint64 epoch; Sender sender; opaque authenticated_data<0..2^32-1>; ContentType content_type = commit; Commit commit; opaque signature<0..2^16-1>; } MLSPlaintextCommitContent; struct { optional confirmation_tag; } MLSPlaintextCommitAuthData; interim_transcript_hash_[0] = ""; // zero-length octet string confirmed_transcript_hash_[n] = Hash(interim_transcript_hash_[n] || MLSPlaintextCommitContent_[n]); interim_transcript_hash_[n+1] = Hash(confirmed_transcript_hash_[n] || MLSPlaintextCommitAuthData_[n]); Thus the confirmed_transcript_hash field in a GroupContext object represents a transcript over the whole history of MLSPlaintext Commit messages, up to the confirmation tag field in the current MLSPlaintext message. The confirmation tag is then included in the transcript for the next epoch. The interim transcript hash is computed by new members using the confirmation tag in the GroupInfo struct, and enables existing members to incorporate a Commit message into the transcript without having to store the whole MLSPlaintextCommitAuthData structure. As shown above, when a new group is created, the interim_transcript_hash field is set to the zero-length octet string. 7.8. Update Paths As described in Section 11.2, each MLS Commit message may optionally transmit a KeyPackage leaf and node values along its direct path. The path contains a public key and encrypted secret value for all intermediate nodes in the path above the leaf. The path is ordered from the closest node to the leaf to the root; each node MUST be the parent of its predecessor. Barnes, et al. Expires 14 April 2022 [Page 32] Internet-Draft MLS October 2021 struct { opaque kem_output<0..2^16-1>; opaque ciphertext<0..2^16-1>; } HPKECiphertext; struct { HPKEPublicKey public_key; HPKECiphertext encrypted_path_secret<0..2^32-1>; } UpdatePathNode; struct { KeyPackage leaf_key_package; UpdatePathNode nodes<0..2^32-1>; } UpdatePath; For each UpdatePathNode, the resolution of the corresponding copath node MUST be filtered by removing all new leaf nodes added as part of this MLS Commit message. The number of ciphertexts in the encrypted_path_secret vector MUST be equal to the length of the filtered resolution, with each ciphertext being the encryption to the respective resolution node. The HPKECiphertext values are computed as kem_output, context = SetupBaseS(node_public_key, group_context) ciphertext = context.Seal("", path_secret) where node_public_key is the public key of the node that the path secret is being encrypted for, group_context is the current GroupContext object for the group, and the functions SetupBaseS and Seal are defined according to [I-D.irtf-cfrg-hpke]. Decryption is performed in the corresponding way, using the private key of the resolution node and the ephemeral public key transmitted in the message. 8. Key Schedule Group keys are derived using the Extract and Expand functions from the KDF for the group's ciphersuite, as well as the functions defined below: Barnes, et al. Expires 14 April 2022 [Page 33] Internet-Draft MLS October 2021 ExpandWithLabel(Secret, Label, Context, Length) = KDF.Expand(Secret, KDFLabel, Length) Where KDFLabel is specified as: struct { uint16 length = Length; opaque label<7..255> = "mls10 " + Label; opaque context<0..2^32-1> = Context; } KDFLabel; DeriveSecret(Secret, Label) = ExpandWithLabel(Secret, Label, "", KDF.Nh) The value KDF.Nh is the size of an output from KDF.Extract, in bytes. In the below diagram: * KDF.Extract takes its salt argument from the top and its IKM argument from the left * DeriveSecret takes its Secret argument from the incoming arrow * 0 represents an all-zero byte string of length KDF.Nh. When processing a handshake message, a client combines the following information to derive new epoch secrets: * The init secret from the previous epoch * The commit secret for the current epoch * The GroupContext object for current epoch Given these inputs, the derivation of secrets for an epoch proceeds as shown in the following diagram: Barnes, et al. Expires 14 April 2022 [Page 34] Internet-Draft MLS October 2021 init_secret_[n-1] | V commit_secret -> KDF.Extract | V ExpandWithLabel(., "joiner", GroupContext_[n], KDF.Nh) | V joiner_secret | V psk_secret (or 0) -> KDF.Extract | +--> DeriveSecret(., "welcome") | = welcome_secret | V ExpandWithLabel(., "epoch", GroupContext_[n], KDF.Nh) | V epoch_secret | +--> DeriveSecret(.,