🎟️ The VIP Ticket
Welcome Messages Explained
In 10 minutes: How new members join MLS groups securely
Prerequisite: Proposals and commits
🎯 The Simple Story
Remember the VIP ticket metaphor?
Alice creates a "Secret Meeting Room" for her group. To let Charlie join, she sends him a VIP ticket that contains:
- The secret to enter the room
- Proof the ticket is real
- Instructions on how to use it
That's what a welcome message is in MLS.
🧠 Mental Model
Hold this picture in your head:
Welcome Message (VIP Ticket):
Alice creates group:
┌──────────────────────────────┐
│ Secret Meeting Room │
│ Group secret: K₀ │
│ Members: Alice, Bob │
└──────────────────────────────┘
Alice wants Charlie to join:
Step 1: Alice adds Charlie (add proposal → commit)
┌──────────────────────────────┐
│ New group secret: K₁ │
│ Welcome created for Charlie │
├──────────────────────────────┤
│ VIP Ticket Contents: │
│ - Group ID │
│ - Ratchet tree state │
│ - Epoch │
│ - Group secret (K₁) │
│ - Ciphersuite │
│ - Extensions │
└──────────────────────────────┘
Step 2: Charlie receives welcome
┌──────────────────────────────┐
│ Charlie uses VIP ticket │
│ - Decrypts group secret K₁ │
│ - Builds ratchet tree │
│ - Enters the room │
│ - Can now chat securely │
└──────────────────────────────┘
📊 See How Welcome Messages Work
🎭 What's in a Welcome Message?
Welcome Message Structure
Welcome Message Contents:
1. Version (MLS version)
└─ mls10
2. Ciphersuite
└─ e.g., MLS_128_DHKEMX25519_AES128GCM_SHA256_Ed25519
3. Group Info
├─ Group ID
├─ Epoch number
└─ Tree hash (verifies ratchet tree)
4. Ratchet Tree (or reference)
├─ Alice's leaf node (key package)
├─ Bob's leaf node (key package)
└─ Charlie's leaf node (placeholder)
5. Group Secrets
├─ Group secret K₁ (encrypted for Charlie)
├─ Path secrets (on the path)
└─ Derived for Charlie's leaf index
6. Extensions (optional)
└─ Additional metadata
🔒 How Welcome Messages Are Encrypted
The Encryption Trick
Problem: Charlie needs the group secret K₁, but we can't send it in plaintext
Solution: Encrypt it using Charlie's key package
Step 1: Charlie generates key package
Charlie → MLS: GenerateKeyPackage()
├─ Public key package (pk_c)
└─ Private key package (sk_c)
Step 2: Alice creates welcome
Alice → MLS: Welcome = CreateWelcome(
group_secret = K₁,
leaf_index = 2 (Charlie's position),
key_package = pk_c
)
Step 3: MLS encrypts K₁ for Charlie
MLS → Welcome: Encrypt(
message = K₁,
public_key = pk_c (Charlie's key package)
)
└─ ciphertext = Encrypt(K₁, pk_c)
Step 4: Welcome sent to Charlie
Alice → Charlie: Welcome message
Step 5: Charlie decrypts
Charlie → MLS: Decrypt(
ciphertext,
private_key = sk_c
)
└─ K₁ (group secret) ✓
Now Charlie has K₁ and can join the chat.
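The five steps above as a runnable sketch, added here as an illustration and not taken from the original page or from any MLS library. It uses the third-party `cryptography` package and a simplified ECIES-style construction (X25519, HKDF-SHA256, AES-128-GCM) as a stand-in for the HPKE encoding that real MLS uses; the function names, the dictionary layout and the `context` string are assumptions. Only `pk_c` is published, while `sk_c` never leaves Charlie's device.

```python
import os
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric.x25519 import (
    X25519PrivateKey, X25519PublicKey)
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.kdf.hkdf import HKDF
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat

def raw(pub):
    """Serialize an X25519 public key to its 32-byte wire form."""
    return pub.public_bytes(Encoding.Raw, PublicFormat.Raw)

def derive_key_nonce(shared, eph_pub, recipient_pub):
    # Bind the AEAD key to both public keys so it is unique per welcome.
    okm = HKDF(algorithm=hashes.SHA256(), length=28, salt=None,
               info=b"welcome-demo" + eph_pub + recipient_pub).derive(shared)
    return okm[:16], okm[16:]          # AES-128 key, 96-bit nonce

def generate_key_package():
    sk_c = X25519PrivateKey.generate()
    return sk_c, raw(sk_c.public_key())  # only pk_c is ever published

def create_welcome(group_secret, pk_c, context):
    eph = X25519PrivateKey.generate()    # fresh ephemeral key per welcome
    shared = eph.exchange(X25519PublicKey.from_public_bytes(pk_c))
    key, nonce = derive_key_nonce(shared, raw(eph.public_key()), pk_c)
    return {"context": context, "kem_output": raw(eph.public_key()),
            "ciphertext": AESGCM(key).encrypt(nonce, group_secret, context)}

def process_welcome(welcome, sk):
    shared = sk.exchange(X25519PublicKey.from_public_bytes(welcome["kem_output"]))
    key, nonce = derive_key_nonce(shared, welcome["kem_output"], raw(sk.public_key()))
    try:
        return AESGCM(key).decrypt(nonce, welcome["ciphertext"], welcome["context"])
    except InvalidTag:
        return None   # wrong private key, or the welcome was altered

def demo():
    sk_c, pk_c = generate_key_package()
    sk_eve = X25519PrivateKey.generate()          # Eve holds some other key
    k1 = os.urandom(32)                           # constructed stand-in for K₁
    ctx = b"group=secret-meeting-room;epoch=1;leaf=2"   # constructed sample
    welcome = create_welcome(k1, pk_c, ctx)
    tampered = dict(welcome, context=ctx.replace(b"epoch=1", b"epoch=9"))
    return (process_welcome(welcome, sk_c) == k1,  # Charlie recovers K₁
            process_welcome(welcome, sk_eve),      # Eve's key fails
            process_welcome(tampered, sk_c))       # altered context fails
if __name__ == "__main__": print(demo())
```

Because the context is passed as associated data, a welcome whose group ID, epoch or leaf index was changed in transit is rejected rather than silently accepted.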
🎮 Try It Yourself
Question 1: Alice creates a group with Bob (K₀). Alice wants Charlie to join. She creates a welcome message. What key does the welcome use to encrypt the group secret K₁?
Show Answer
Charlie's key package contains:
- Public key package (pk_c)
- Private key package (sk_c)
Alice encrypts the welcome for Charlie:
- Alice has pk_c (from Charlie's key package)
- Alice encrypts K₁ with pk_c
- Charlie receives welcome
- Charlie decrypts with sk_c
- Charlie gets K₁
Answer: Charlie's public key (pk_c) from his key package
Question 2: Eve intercepts a welcome message meant for Charlie. Can Eve decrypt it and get the group secret?
Show Answer
Welcome message:
- Encrypted for Charlie's public key (pk_c)
- Contains group secret K₁
Eve tries to decrypt:
- Has no private key for pk_c
- Tries all her keys → None work
- Can't decrypt welcome
- Can't get K₁
Answer: No, Eve can't decrypt (Charlie's private key required)
Question 3: Why doesn't Alice send the group secret K₁ in plaintext to Charlie?
Show Answer
If Alice sends K₁ in plaintext:
Eve intercepts:
- Reads K₁
- Now Eve has K₁
- Can read all messages in this group
With encryption:
- Alice encrypts K₁ for Charlie
- Eve sees encrypted blob
- Can't decrypt (no key)
- K₁ stays secret
Answer: Plaintext would let Eve read everything
💡 Welcome Message Benefits
1. Secure Onboarding
Without welcome messages:
Scenario: Alice, Bob, Charlie have group
David wants to join:
- Alice tells everyone: Give David the key
- Problems:
- How to share K₁ securely?
- Who tells David?
- What if Eve intercepts?
With welcome messages:
David wants to join:
- Alice has David's key package
- Alice creates welcome (encrypted for David)
- Alice sends welcome
- David decrypts → gets K₁
- No one else can read
2. Out-of-Band Distribution
Welcome messages can use any transport:
1. HTTPS server:
Alice → Server → Charlie → Welcome
2. Email:
Alice → Email → Charlie → Welcome
3. P2P signaling:
Alice → P2P → Charlie → Welcome
4. SMS/QR code:
Alice → QR code → scan → Welcome
MLS doesn't care how you deliver welcomes
3. One-Way Join
Charlie joins group:
1. Receives welcome
2. Decrypts → gets K₁
3. Sends first message
Charlie doesn't need to:
- Call Alice
- Call Bob
- Negotiate keys
- Request anything
Just decrypt welcome → done
✅ Quick Check
Can you explain welcome messages to a 5-year-old?
Try saying this out loud:
"A welcome message is like a VIP ticket to enter a secret club. The ticket is written in a secret code that only you can read using your special decoder ring (private key). Once you decode it, you can enter the club and talk with everyone inside"
🎓 Key Takeaways
✅ Welcome message = VIP ticket for new members
✅ Encrypted for recipient = Uses their public key
✅ Contains group secret = Enables group chat
✅ Contains ratchet tree = Builds group structure
✅ Out-of-band delivery = Any transport works
✅ One-way join = New member can join independently
🎉 What You'll Learn Next
Now you understand welcome messages. Let's see how to use MLS in practice:
🏗️ Continue: Starting the Meeting
We'll learn how to create an MLS group with real code examples
Now you understand how welcome messages let new members join MLS groups. Next: Let's build an MLS group step by step