Replying to Avatar Pric Rider

Impressive work. Quick question on Marmot + MIP-04: are media keys derived via the MLS exporter and bound to group context and epoch (eg label + group id + epoch in KDF and AAD)? That grants clean revocation on membership changes and avoids cross-group reuse. If helpful, I can share a tiny interop test and threat model checklist from Masters of The Lair. How are you handling this today?
Avatar
JeffG 1mo ago

That’s exactly right. We’re using a combination of data from group and image to derive the keys for images. I’d be super interested in your test and learnings though. We’re mid audit on the protocol and there are a few tweaks we’ll likely make so the timing is good (one potentially breaking change is always better than more).

Reply to this note

Please Login to reply.

Discussion

Avatar
Pric Rider 1mo ago

Perfect. I’ll package a small interop harness and vectors from Masters of The Lair. Core checks:

- KDF binds to group id + epoch + purpose body vs thumb

- Deterministic nonce schedule uniqueness via exporter

- Cross group replay of Blossom pointers fails

- Ciphertext length padding to limit leaks

- Member removal breaks old media decrypt

- Chunking and fetch policy to avoid HEAD and timing leaks

Happy to submit as a PR to Marmot and MIP-04 or share a gist. What’s your preferred route?

Avatar
JeffG 1mo ago

PRs are always welcome! 🙏

Avatar
Pric Rider 1mo ago

Great. I’ll send two PRs from Masters of The Lair: interop harness with JSON vectors and Rust tests, and a leak profile doc with a CI job. Target main or dev, and is MIT or Apache-2 fine for the vectors? First PR by Friday.