⏰ Time Traveling Messages
Understanding MLS Epochs
In 10 minutes: How MLS tracks time and manages key evolution
Prerequisite: Ratchet trees
🎯 The Simple Story
Imagine a video game that has chapters or eras.
Chapter 1: Alice and Bob chat
Chapter 2: Charlie joins
Chapter 3: David joins, Charlie leaves
Each chapter has its own set of keys. You can't go back to Chapter 1 with Chapter 3's keys.
MLS works the same way with epochs.
🧠 Mental Model
Hold this picture in your head:
MLS Epochs (like video game chapters):
Epoch 0:
┌────────────────────────┐
│ Alice, Bob             │
│ Group secret: K₀       │
│ Messages: #1, #2, #3   │
└────────────────────────┘
Charlie joins → Epoch 1:
┌────────────────────────┐
│ Alice, Bob, Charlie    │
│ Group secret: K₁ (new) │
│ Messages: #4, #5, #6   │
└────────────────────────┘
David joins, Charlie leaves → Epoch 2:
┌────────────────────────┐
│ Alice, Bob, David      │
│ Group secret: K₂ (new) │
│ Messages: #7, #8, #9   │
└────────────────────────┘
Each epoch:
- Has its own group secret
- Can't decrypt messages from other epochs with that secret
- Gives forward secrecy within each epoch
🔄 When Do Epochs Change?
Epochs change when:
- Add member - Someone joins the group
- Remove member - Someone leaves the group
- Update key - Manual key rotation
- External commit - Server-initiated changes
🔥 Why Epochs Matter
Problem: Stale Keys
Without epochs:
Alice sends message encrypted with K
Bob decrypts with K (old)
David joins the group later
David gets K (the OLD key)
David can read ALL old messages
Bad
With epochs:
Alice sends message encrypted with K₀ (epoch 0)
Bob decrypts with K₀ (epoch 0)
David joins
Epoch changes to 1
New group secret: K₁
David gets K₁ (the NEW key)
David tries to decrypt epoch 0 messages
Fails (doesn't have K₀)
Good
🎮 Try It Yourself
Question 1: Alice sends 5 messages in epoch 0. Charlie joins, starting epoch 1. Can Charlie read Alice's 5 old messages?
Epoch 0:
- Alice, Bob chat
- Group secret: K₀
- Messages #1-#5 encrypted with K₀
- Bob can decrypt with K₀
Epoch 1:
- Charlie joins
- New group secret: K₁
- Messages #6+ encrypted with K₁
Charlie:
- Gets K₁ when joining
- Can decrypt messages #6+
- Can NOT decrypt messages #1-#5 (needs K₀)
- Keys from epoch 0 deleted (forward secrecy)
Answer: No, Charlie can't read old epoch 0 messages
Question 2: David sends a message in epoch 1 with K₁. Later, everyone rotates to epoch 2 with K₂. Can David decrypt his old message from epoch 1?
Epoch 1:
- David sends message: "Secret info"
- Encrypted with K₁
- David can decrypt with K₁
Epoch 2:
- Key rotates (update commit)
- New group secret: K₂
- K₁ deleted (forward secrecy)
Later:
- David has K₂ (current group secret)
- David tries to decrypt his epoch 1 message
- Needs K₁, but deleted
- Can't decrypt
Answer: No, David can't decrypt even his own old epoch 1 messages
Question 3: Why do epochs help with security?
- Forward secrecy:
  - Keys from old epochs deleted
  - Can't decrypt past messages
- Post-compromise security:
  - Compromise in epoch X
  - Rotate to epoch X+1
  - Attacker can't read future messages
- Member joins/leaves:
  - New epoch = new group secret
  - New members can't read old messages
  - Old members can't read new messages
Answer: Epochs provide forward secrecy (FS), post-compromise security (PCS), and proper member isolation
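The stale-key story and Question 1, replayed as a runnable simulation. This is an added example, not code from the original page or from any MLS implementation: it stands in for the MLS key schedule and secret tree with a one-block HKDF-Expand, protects messages with AES-256-GCM, and uses constructed group and commit secrets.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

type Epoch struct {
	Number int
	Secret []byte // this epoch's group secret (K₀, K₁, ...)
}
// expand is a one-block HKDF-Expand over HMAC-SHA256, standing in for the MLS key schedule.
func expand(secret []byte, label string) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write([]byte(label + "\x01"))
	return m.Sum(nil)
}
// NextEpoch mixes a commit secret into K_n to give K_{n+1}; one-way, so K_{n+1} never yields K_n.
func NextEpoch(prev Epoch, commitSecret []byte) Epoch {
	return Epoch{prev.Number + 1, expand(prev.Secret, "epoch "+string(commitSecret))}
}
// aead derives a per-message AES-256-GCM key and nonce (the MLS secret tree's job) and binds the epoch number as AAD.
func aead(e Epoch, generation int) (cipher.AEAD, []byte, []byte) {
	block, _ := aes.NewCipher(expand(e.Secret, fmt.Sprintf("key %d", generation)))
	gcm, _ := cipher.NewGCM(block)
	nonce := expand(e.Secret, fmt.Sprintf("nonce %d", generation))[:gcm.NonceSize()]
	return gcm, nonce, []byte(fmt.Sprint("epoch ", e.Number))
}
// Seal encrypts under an epoch's keys; Open fails unless the caller holds that epoch's secret.
func Seal(e Epoch, generation int, plaintext []byte) []byte {
	gcm, nonce, aad := aead(e, generation)
	return gcm.Seal(nil, nonce, plaintext, aad)
}
func Open(e Epoch, generation int, ciphertext []byte) ([]byte, error) {
	gcm, nonce, aad := aead(e, generation)
	return gcm.Open(nil, nonce, ciphertext, aad)
}
// StaleKeyStory replays the page's story: Bob (K₀) reads #1; David, handed K₁ only, reads epoch 1 but not #1.
func StaleKeyStory() (bobReadsOld, davidReadsOld, davidReadsNew bool) {
	epoch0 := Epoch{0, []byte("constructed initial group secret K0")}
	msg1 := Seal(epoch0, 1, []byte("message #1, sent before David joined"))
	_, bobErr := Open(epoch0, 1, msg1)
	epoch1 := NextEpoch(epoch0, []byte("constructed commit secret: add David")) // David gets K₁; members delete K₀
	_, davidOldErr := Open(Epoch{0, epoch1.Secret}, 1, msg1) // the only key David has
	_, davidNewErr := Open(epoch1, 4, Seal(epoch1, 4, []byte("message #4, epoch 1")))
	return bobErr == nil, davidOldErr == nil, davidNewErr == nil
}
```

StaleKeyStory returns true, false, true: Bob reads the old message, David cannot, and David reads the new one.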
💡 Real-World Examples
WhatsApp Group (without proper epochs)
Day 1: Alice creates group with Bob
- Shared key: K (never changes)
- Messages #1-#100 encrypted with K
Day 30: Charlie joins
- Alice gives Charlie the group key K
- Charlie reads all #1-#100 messages
- Alice doesn't know Charlie can read history
MLS Group (with epochs)
Epoch 0 (Day 1-29):
- Alice, Bob chat
- Group secret: K₀
- Messages #1-#95 encrypted with K₀
Epoch 1 starts (Day 30):
- Charlie joins
- New group secret: K₁
- Messages #96+ encrypted with K₁
Charlie:
- Gets K₁ (not K₀)
- Can read messages #96+
- Can NOT read messages #1-#95
✅ Quick Check
Can you explain epochs to a 5-year-old?
Try saying this out loud:
"An epoch is like a chapter in a book. Each chapter has different characters and different secrets. When a new person joins, we start a new chapter with new secrets. You can't use secrets from chapter 1 to read chapter 3."
🎓 Key Takeaways
✅ Epoch = Version/era of the group
✅ Epoch change = New group secret
✅ Can't cross epochs = Can't decrypt old messages
✅ Forward secrecy = Keys deleted after epoch
✅ Member changes trigger epochs = Proper key rotation
✅ Multiple epochs = Better security
Now you understand MLS epochs. Next: How MLS rotates keys for security.