🔄 Changing the Lock
MLS Key Rotation Explained
In 10 minutes: How MLS protects group chats with key rotation
Prerequisite: Epochs
🎯 The Simple Story
Remember post-compromise security?
After a breach, we need to change the locks
Key rotation is like Alice changing the lock on her front door after losing her house keys.
🧠 Mental Model
Hold this picture in your head:
Key Rotation (Changing the Lock):
Before breach:
House Key: K₀
Lock: Locked with K₀
Alice, Bob, Charlie have K₀
Eve doesn't have K₀
✅ Secure
Breach happens:
Eve steals Alice's phone
Eve finds K₀
❌ Compromise
Key rotation:
Alice generates new key: K₁
Alice updates lock: Replaced with K₁
Alice, Bob, now need K₁
Eve only has K₀ (useless)
✅ Secure again
📊 See How MLS Rotates Keys
🎭 How Key Rotation Works
Step-by-Step
1. Detect breach or member change
Alice notices:
- Phone hacked (breach)
- Or Charlie leaves group
- Or new member joins
→ Need key rotation
2. Generate new group key
Alice creates commit:
- Update proposal (internal)
- MLS generates new secrets on path
- New group secret: K₁
3. Distribute to members
Alice sends commit to:
- Bob
- Charlie
Everyone processes commit:
- Update ratchet tree
- Derive new group secret K₁
- Delete old key K₀
4. New messages encrypted with new key
Alice: Hello → encrypt with K₁
Bob: decrypt with K₁ → Hello
Charlie: decrypt with K₁ → Hello
Eve: decrypt with K₀ → ❌ (doesn't work)
🔄 Forced vs. Member-Triggered Rotation
Forced Key Rotation (Update Commit)
Alice thinks:
I want to rotate keys (maybe my phone was hacked)
Alice creates:
- Update commit (internal propose)
- MLS generates new K₁
- MLS distributes commit
Everyone updates:
- Bob: K₀ → K₁
- Charlie: K₀ → K₁
- Eve: Has K₀ only (useless)
Result: Post-compromise security
Member-Triggered Rotation (Add/Remove)
Alice says:
Charlie is leaving the group
Alice creates:
- Remove commit (remove Charlie)
- MLS generates new K₁ (Charlie can't get it)
- MLS distributes commit
Alice and Bob update:
- K₀ → K₁
Charlie:
- Tries to find K₁
- Fails (not in ratchet tree)
- Can't read any more messages
Result: Forward secrecy + proper member removal
🎮 Try It Yourself
Question 1: Alice's phone gets hacked, Eve gets K₀. Alice does a key rotation to K₁. Eve tries to read a message encrypted with K₁. Can Eve read it?
Show Answer
Before rotation:
- Eve has K₀
- K₀ works on messages in epoch 0
Rotation happens:
- Alice creates update commit
- MLS generates K₁ (new)
- MLS distributes commit
- Bob, Charlie update: K₀ → K₁
After rotation:
- Alice sends: "Meeting at 2pm" (encrypted with K₁)
- Eve tries: K₀ on message
- Fails (Message uses K₁, not K₀)
Answer: No, Eve can't read the message (post-compromise security)
Question 2: Charlie leaves the group. Alice creates a remove commit. Eve tries to read a message after Charlie leaves. Can Eve read it?
Show Answer This
Before Charlie leaves:
- Alice, Bob, Charlie have K₀
Charlie leaves:
- Alice creates remove commit (remove Charlie)
- MLS generates new keys on path
- New group secret: K₁
- Alice, Bob update: K₀ → K₁
After Charlie leaves:
- Alice sends: "Welcome David" (encrypted with K₁)
- Charlie tries: K₀ on message
- Fails (Message uses K₁, Charlie doesn't have K₁!)
- Charlie also doesn't have K₁ (removed from ratchet tree)
Answer: No, Charlie can't read any more messages (proper member removal)
Question 3: What's the difference between forced rotation and member-triggered rotation?
Show Answer
Forced rotation (update commit):
- Alice wants fresh keys (maybe breach)
- No member changes
- Same members, new key
Member-triggered rotation (add/remove):
- Charlie leaves or David joins
- Membership changes
- New key, new ratchet tree
Both:
- Generate new group secret
- Distribute commit to members
- Everyone updates
- Old keys deleted
Answer: Same operation, different trigger
💡 Key Rotation Benefits
1. Post-Compromise Security
Breach happens:
→ Attacker gets K₀
→ Can read current messages
Key rotation:
→ New key K₁
→ Attacker still has K₀ (useless)
→ Can't read future messages
Result: Post-compromise security
2. Proper Member Removal
Charlie leaves:
→ Gets K₀ before leaving
Key rotation:
→ New key K₁
→ Charlie can't get K₁
→ Can't read new messages
Result: Charlie can't read after leaving
3. Periodic Freshness
Even without breach:
- Rotate periodically (every 100 messages)
- Guarantees forward secrecy
- Limits exposure
Best practice: Rotate regularly
✅ Quick Check
Can you explain key rotation to a 5-year-old?
Try saying this out loud:
"Key rotation is like changing your front door lock after losing your key. The old key doesn't work anymore, and only the people you want can open the door with the new key"
🎓 Key Takeaways
✅ Key rotation = Generate new group secret
✅ Update commit = Forced rotation (post-compromise security)
✅ Remove commit = Member-triggered rotation
✅ Old keys deleted = Can't use on new messages
✅ Post-compromise security = Future safe after breach
✅ Periodic rotation = Good practice
Now you understand key rotation. Next: How MLS makes decisions with proposals and commits