Internet-Draft MLS UpdatePath Commitments January 2026
Mahy Expires 12 July 2026 [Page]
Workgroup:
Messaging Layer Security
Internet-Draft:
draft-mahy-mls-updatepath-commitment-latest
Published:
Intended Status:
Informational
Expires:
Author:
R. Mahy

Public Commitments to UpdatePath Path Secrets in Messaging Layer Security (MLS)

Abstract

TODO Abstract

About This Document

This note is to be removed before publishing as an RFC.

The latest revision of this draft can be found at https://rohanmahy.github.io/mls-updatepath-commitment/draft-mahy-mls-updatepath-commitment.html. Status information for this document may be found at https://datatracker.ietf.org/doc/draft-mahy-mls-updatepath-commitment/.

Discussion of this document takes place on the Messaging Layer Security Working Group mailing list (mailto:mls@ietf.org), which is archived at https://mailarchive.ietf.org/arch/browse/mls/. Subscribe at https://www.ietf.org/mailman/listinfo/mls/.

Source for this draft and an issue tracker can be found at https://github.com/rohanmahy/mls-updatepath-commitment.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 12 July 2026.

Table of Contents

1. Introduction

TODO Introduction

For a group of n members, the additional cost of using the extension is log(n) hashes and one signature operation per commit to send and verify.

2. Conventions and Definitions

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

3. UpdatePath Commitments

An UpdatePath Commitment is sent as an AAD component in any Commit messages with an UpdatePath. It contains a hash of each path_secret, and the Committer's signature over the commitment.

3.1. Including an UpdatePath Commitment

committer_signature_public_key is the Committer's LeafNode.signature_key. committer_signature_private_key is the private key corresponding to that public key.

The Committer calculates the path_secret hash and a hash of its own signature public key as follows:

path_secret_hash[n] = RefHash("MLS 1.0 path secret hash",
                              path_secret[n])

committer_signature_key_hash = Hash(committer_signature_public_key)

Then the Committer:

  • fills in the PathSecretCommitmentTBS data structure, and the PathSecretCommitment except its signature;

  • generates the signature in the PathSecretCommitment data structure;

  • and includes the PathSecretCommitment in an AAD component of the Commit.

struct {
  HashReference path_secret_hashes<V>;
  HashReference committer_signature_key_hash;
  /* SignWithLabel(committer_signature_private_key,               */
  /*  "PathSecretCommitmentTBS", PathSecretCommitmentTBS) */
  opaque signature<V>;
} PathSecretCommitment;

struct {
  Ciphersuite ciphersuite;
  opaque group_id<V>;
  uint64 epoch;
  opaque confirmed_transcript_hash<V>;
  Hash path_secret_hashes<V>;
  Hash signature_key_hash;
  uint32 sender_leaf_node;
} PathSecretCommitmentTBS;

3.2. Verification of PathSecretCommitment

After validating an incoming Commit, each member checks the PathSecretCommitment.signature.

VerifyWithLabel(committer_signature_public_key,
  "PathSecretCommitmentTBS", PathSecretCommitmentTBS,
   PathSecretCommitment.signature)

Next each member checks the hash of each path_secret decrypted from the UpdatePath. If the path_secret[i] is encrypted to the receiving member, it decrypts the path_secret using the private key for the node as usual. If the path_secret_hash[i] is equal to RefHash("MLS 1.0 path secret hash", path_secret[i]), then the member confirms that the commitment is consistent for that member.

If a member discovers that its path_secret does NOT match the hash provided, it has strong evidence that the Committer acted maliciously and can prove it.

3.3. Generating a Proof of a Malicious UpdatePath

To generate a proof, a member whose hashes did not match the relevant commitments provides the Commit message, and any path_secret that didn't match the commit hash, to the DS and/or the other members so the remaining honest parties can automatically recover.

The prover constructs the following structures as evidence.

struct {
  uint32 receiver_leaf_index;
  MLSMessage private_commit_message;
  MaliciousPathSecret malicious_path_secrets<V>;
  /* SignWithLabel(receiver_private_signature_key, */
  /*   "MaliciousUpdatePathProofTBS", MaliciousUpdatePathProofTBS) */
  opaque receiver_signature<V>;
} MaliciousUpdatePathProof

struct {
  uint32 receiver_leaf_index;
  MLSMessage commit_message;
  MaliciousPathSecret malicious_path_secrets<V>;
} MaliciousUpdatePathProofTBS;

struct {
  uint8 n;
  opaque presented_secret<V>;
} MaliciousPathSecret

3.4. Validating the Proof

The receiver of such a proof, validates the proof with the following steps.

  • First it verifies the committer's signature on the MaliciousUpdatePathProof.private_commit_message.

  • It locates the UpdatePath and finds the receiver_leaf_index in the path.

  • Then it extracts the PathSecretCommitment from the Commit message's AAD.

  • For each of the MaliciousUpdatePathProof.malicious_path_secrets, at level n:

    • verifies that the receiver_leaf_index should be privy to level n

    • checks that RefHash("MLS 1.0 path secret hash", presented_secret) is not the same as PathSecretCommitment.path_secret_hashes[n]

    • encrypts presented_secret with the previous epoch's public key at level n of the resolution covering receiver_leaf_index, and verifies that the cipher text matches the cipher text in the appropriate FramedContent.commit.path.nodes.encrypted_path_secret of MaliciousUpdatePathProof.commit_message.

  • It verifies the MaliciousPathSecret.signature and that the signature_public_key used to sign the MaliciousPathSecret.receiver_private_signature_key corresponds to the receiver_leaf_index.

4. Security Considerations

TODO Security

5. IANA Considerations

This document has no IANA actions.

6. Normative References

[RFC2119]
Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, , <https://www.rfc-editor.org/rfc/rfc2119>.
[RFC8174]
Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, , <https://www.rfc-editor.org/rfc/rfc8174>.

Acknowledgments

TODO acknowledge.

Author's Address

Rohan Mahy