🔄 Changing the Lock

MLS Key Rotation Explained

In 10 minutes: How MLS protects group chats with key rotation
Prerequisite: Epochs

🎯 The Simple Story

Remember post-compromise security?

After a breach, we need to change the locks

Key rotation is like Alice changing the lock on her front door after losing her house keys.

🧠 Mental Model

Hold this picture in your head:

Key Rotation (Changing the Lock):

Before breach:
House Key: K₀
Lock: Locked with K₀
Alice, Bob, Charlie have K₀
Eve doesn't have K₀
✅ Secure

Breach happens:
Eve steals Alice's phone
Eve finds K₀
❌ Compromise

Key rotation:
Alice generates new key: K₁
Alice updates lock: Replaced with K₁
Alice, Bob, now need K₁
Eve only has K₀ (useless)
✅ Secure again

📊 See How MLS Rotates Keys

🎭 How Key Rotation Works

Step-by-Step

1. Detect breach or member change

Alice notices:
- Phone hacked (breach)
- Or Charlie leaves group
- Or new member joins
→ Need key rotation

2. Generate new group key

Alice creates commit:
- Update proposal (internal)
- MLS generates new secrets on path
- New group secret: K₁

3. Distribute to members

Alice sends commit to:
- Bob
- Charlie

Everyone processes commit:
- Update ratchet tree
- Derive new group secret K₁
- Delete old key K₀

4. New messages encrypted with new key

Alice: Hello → encrypt with K₁
Bob: decrypt with K₁ → Hello
Charlie: decrypt with K₁ → Hello

Eve: decrypt with K₀ → ❌ (doesn't work)

🔄 Forced vs. Member-Triggered Rotation

Forced Key Rotation (Update Commit)

Alice thinks:
I want to rotate keys (maybe my phone was hacked)

Alice creates:
- Update commit (internal propose)
- MLS generates new K₁
- MLS distributes commit

Everyone updates:
- Bob: K₀ → K₁
- Charlie: K₀ → K₁
- Eve: Has K₀ only (useless)

Result: Post-compromise security

Member-Triggered Rotation (Add/Remove)

Alice says:
Charlie is leaving the group

Alice creates:
- Remove commit (remove Charlie)
- MLS generates new K₁ (Charlie can't get it)
- MLS distributes commit

Alice and Bob update:
- K₀ → K₁

Charlie:
- Tries to find K₁
- Fails (not in ratchet tree)
- Can't read any more messages

Result: Forward secrecy + proper member removal

🎮 Try It Yourself

Question 1: Alice's phone gets hacked, Eve gets K₀. Alice does a key rotation to K₁. Eve tries to read a message encrypted with K₁. Can Eve read it?

Show Answer

Before rotation:

Eve has K₀
K₀ works on messages in epoch 0

Rotation happens:

Alice creates update commit
MLS generates K₁ (new)
MLS distributes commit
Bob, Charlie update: K₀ → K₁

After rotation:

Alice sends: "Meeting at 2pm" (encrypted with K₁)
Eve tries: K₀ on message
Fails (Message uses K₁, not K₀)

Answer: No, Eve can't read the message (post-compromise security)

Question 2: Charlie leaves the group. Alice creates a remove commit. Eve tries to read a message after Charlie leaves. Can Eve read it?

Show Answer This

Before Charlie leaves:

Alice, Bob, Charlie have K₀

Charlie leaves:

Alice creates remove commit (remove Charlie)
MLS generates new keys on path
New group secret: K₁
Alice, Bob update: K₀ → K₁

After Charlie leaves:

Alice sends: "Welcome David" (encrypted with K₁)
Charlie tries: K₀ on message
Fails (Message uses K₁, Charlie doesn't have K₁!)
Charlie also doesn't have K₁ (removed from ratchet tree)

Answer: No, Charlie can't read any more messages (proper member removal)

Question 3: What's the difference between forced rotation and member-triggered rotation?

Show Answer

Forced rotation (update commit):

Alice wants fresh keys (maybe breach)
No member changes
Same members, new key

Member-triggered rotation (add/remove):

Charlie leaves or David joins
Membership changes
New key, new ratchet tree

Both:

Generate new group secret
Distribute commit to members
Everyone updates
Old keys deleted

Answer: Same operation, different trigger

💡 Key Rotation Benefits

1. Post-Compromise Security

Breach happens:
→ Attacker gets K₀
→ Can read current messages

Key rotation:
→ New key K₁
→ Attacker still has K₀ (useless)
→ Can't read future messages

Result: Post-compromise security

2. Proper Member Removal

Charlie leaves:
→ Gets K₀ before leaving

Key rotation:
→ New key K₁
→ Charlie can't get K₁
→ Can't read new messages

Result: Charlie can't read after leaving

3. Periodic Freshness

Even without breach:
- Rotate periodically (every 100 messages)
- Guarantees forward secrecy
- Limits exposure

Best practice: Rotate regularly

✅ Quick Check

Can you explain key rotation to a 5-year-old?

Try saying this out loud:

"Key rotation is like changing your front door lock after losing your key. The old key doesn't work anymore, and only the people you want can open the door with the new key"

🎓 Key Takeaways

✅ Key rotation = Generate new group secret
✅ Update commit = Forced rotation (post-compromise security)
✅ Remove commit = Member-triggered rotation
✅ Old keys deleted = Can't use on new messages
✅ Post-compromise security = Future safe after breach
✅ Periodic rotation = Good practice

Now you understand key rotation. Next: How MLS makes decisions with proposals and commits

MLS Key Rotation Explained​

🎯 The Simple Story​

🧠 Mental Model​

📊 See How MLS Rotates Keys​

🎭 How Key Rotation Works​

Step-by-Step​

🔄 Forced vs. Member-Triggered Rotation​

Forced Key Rotation (Update Commit)​

Member-Triggered Rotation (Add/Remove)​

🎮 Try It Yourself​

💡 Key Rotation Benefits​

1. Post-Compromise Security​

2. Proper Member Removal​

3. Periodic Freshness​

✅ Quick Check​

🎓 Key Takeaways​