🌳 The Tree of Secret Keys

How MLS Manages Group Keys Efficiently

In 10 minutes: Understand ratchet trees - MLS's secret weapon
Prerequisite: None

🎯 The Simple Story

Remember how we said MLS encrypts once for the whole group?

How does everyone get the same key without sending it over and over?

The secret: A special tree called a ratchet tree

🧠 Mental Model

Hold this picture in your head:

Ratchet Tree (Horizontal Binary Tree):

Alice    Bob    Charlie    David
  │       │       │         │
  └── A ──┘       └── B ────┘
       │              │
       └─────── C ────┘
              │
         Group Secret

Each leaf = One person (Alice, Bob, Charlie, David)
Each node = Shared secret between descendants
C = Group secret (everyone can derive it)

Think of it like a family tree on its side:

Family Tree Metaphor:

👴 Grandpa C
 ├─ 👨 Dad A
 │  ├─ 👦 Alice
 │  └─ 👨 Bob
 └─ 👨 Dad B
    ├─ 👦 Charlie
    └─ 👨 David

Family secret at Grandpa:
Everyone in family knows Grandpa's secret
Alice can go up to Grandpa
Bob can go up to Grandpa
Charlie can go up to Grandpa
David can go up to Grandpa

📊 See How It Works

Let's watch how Alice sends to everyone:

Watch Alice send a message:

Step 1: Alice goes up the tree
Alice → A (her leaf)
A → AB (her parent)
AB → C (everyone's parent)

Step 2: Alice has Group Secret C
Alice encrypts message with C

Step 3: Everyone else gets C the same way
Bob → B → AB → C
Charlie → C → CD → C
David → D → CD → C

Step 4: Everyone can decrypt
All have C, so all can decrypt Alice's message

🎭 The Magic Path

Each person has a path to the root:

Alice's path: Alice → A → AB → C
Bob's path:   Bob → B → AB → C
Charlie's path: Charlie → C → CD → C
David's path: David → D → CD → C

The magic: Every path leads to the same group secret

🏗️ How MLS Builds the Tree

When Alice Creates the Group

Step 1: Alice creates ratchet tree
- She's the only one (leaf index 0)
- Her leaf node: A
- Tree root: C

Step 2: Bob joins
- New leaf added (leaf index 1)
- New parent node: AB
- Tree root updated: ABCD

Step 3: Charlie joins
- New leaf added (leaf index 2)
- New parent node: CD
- Tree root updated: ABCDEF

Step 4: David joins
- New leaf added (leaf index 3)
- Tree root updated (no new node needed)

🔄 Key Rotation with Ratchet Trees

What Happens When Someone Leaves?

David leaves the group:

Before David leaves:
Alice (0), Bob (1), Charlie (2), David (3)
Tree has 4 leaves

After David leaves:
Alice (0), Bob (1), Charlie (2)
Tree now has 3 leaves

MLS updates tree:
- Remove David's leaf (3)
- Update path: D → CD → ABCD
- Generate new secrets on the path
- New group secret at root

Alice sends a message after rotation:

Alice → A → AB → C (new)
Bob → B → AB → C (new)
Charlie → C → CD → C (new)

David:
→ D (deleted)
→ CD (deleted)
→ Can't get C (new)

Result: David can't decrypt any more messages

🎮 Try It Yourself

Question 1: In a ratchet tree, Alice (index 0) wants to send a message. What's her path to the root?

Show Answer

Tree layout:
Alice(0)  Bob(1)  Charlie(2)  David(3)
   │         │        │          │
   └─ A ──   ┘   └─ B ───────┘
        │           │
        └───── C ───┘

Alice's path:
Alice (leaf 0)
  ↓
A (parent)
  ↓
C (root/group secret)

Answer: Alice → A → C

Question 2: David (index 3) leaves the group. Can he still read messages?

Show Answer

When David leaves:

MLS removes David's leaf (3)
MLS updates secrets on David's path:
- D (David's new secret at leaf) → deleted
- CD (parent of C and D) → new secret
- ABCD (root) → new secret

David trying to decrypt:

David's leaf deleted → Can't start path
Old CD secret → Doesn't work (changed)
Old ABCD secret → Doesn't work (changed)

Answer: No, David can't read messages after key rotation

Question 3: Why use a binary tree instead of a list?

Show Answer This

Using a list (naive approach):

For 1000 people, need to update 999 nodes
Each update takes O(n) time

Using a binary tree (MLS approach):

For 1000 people, need to update log2(1000) = 10 nodes
Each update takes O(log n) time

Efficiency:

List: O(n) = slow
Tree: O(log n) = fast

Answer: Binary trees are MUCH faster for updates (O(log n) vs O(n))

💡 Why Ratchet Trees Work

Three Magic Properties

Everyone can reach the root
- Every leaf has a path to the root
- Path length: O(log n)
- Very efficient
Removing someone updates the path
- Only need to update O(log n) nodes
- Not O(n) nodes like a list
- Fast！
Adding someone updates the path
- Only need to update O(log n) nodes
- Scalable to thousands
- Efficient！

✅ Quick Check

Can you explain ratchet trees to a 5-year-old?

Try saying this out loud:

A ratchet tree is like a family tree on its side. Each person is a leaf at the bottom. The grandpa at the top has the family secret. Everyone can climb up to the grandpa and learn the secret. If someone leaves the family, we change the secret, so they can't learn new secrets!

🎓 Key Takeaways

✅ Ratchet tree = Family tree on its side
✅ Leaves = Group members
✅ Root = Group secret
✅ Path = How each person gets the group secret
✅ Efficiency = O(log n) for updates
✅ Rotation = Change secrets on path when someone leaves
✅ Scalability = Works for 2 to 1000+ people

🎉 What You'll Learn Next

Now you understand ratchet trees Next, we'll learn about MLS's concept of time:

⏰ Continue: Time Traveling Messages

We'll learn about epochs and how MLS manages message history

Now you understand how MLS manages keys with ratchet trees. Next: How MLS tracks time with epochs

How MLS Manages Group Keys Efficiently​

🎯 The Simple Story​

🧠 Mental Model​

📊 See How It Works​

🎭 The Magic Path​

🏗️ How MLS Builds the Tree​

When Alice Creates the Group​

🔄 Key Rotation with Ratchet Trees​

What Happens When Someone Leaves?​

🎮 Try It Yourself​

💡 Why Ratchet Trees Work​

Three Magic Properties​

✅ Quick Check​

🎓 Key Takeaways​

🎉 What You'll Learn Next​