• Tree gets updated — add/remove members, update keys, etc.
• add InitKey of new members to tree, send Welcome messages to new members
• Send Commit message to room, which can be decrypted by current members (but not members who were removed)
• Changing the tree creates a new "epoch"

• Private key at root (along previous initialization secret and pre-shared key) are used to derive several other secrets
  • encryption keys
  • initialization secret
  • and others...

• Welcome message 🡒 sent as a to-device event

e.g. type: org.matrix.msc2883.mls.v0.welcome

{
  "welcome": <base64-encoded MLS welcome message>,
  "resolves": [ <array of epochs that the commit resolves> ]
}

or possibly type: m.room.encrypted with an algorithm indicating it's a welcome message

• MLS messages sent as room messages

type: m.room.encrypted

{
  "algorithm": <MLS_ALGORITHM>,
  "ciphertext": <base64-encoded MLS-encrypted message>,
  "epoch_creator": [<userId>, <deviceId>],
  "resolves": [ <array of epochs that the commits resolves -- if this is a commit> ]
}

Verification/cross-signing

• MLS can use ed25519 keys, so we could just reuse the existing device keys

  {
    "user_id": <userId>,
    "device_id": <deviceId>,
    "algorithms": [ <MLS_ALGORITHM> ],
    "keys": {
      ["ed25519:${this.deviceId}"]: <base64 ed25519 key>
    }
  }
  

  or add another ed25519 key
• verification would not be affected much -- device keys (cross-)signed in same way, verification methods assert the public keys
• Or MLS could use ed448 keys -- should we switch to that for
  cross-signing keys?

Key backup/forwarding/re-sharing

• Need to determine the minimal information to keep about each epoch
• Do we back up our private keys too, or just the shared secrets?
• Need to be able to handle multiple algorithms/versions (e.g. a Megolm backup and an MLS backup)
• How do we determine which is the "better" key?

SSSS

• Shouldn't be affected directly by MLS