The notion of a ratchet tree has changed somewhat over the development of the spec. Most recently, parent hashes and signing with KeyPackages in the leaves made the earlier API challenging. This PR proposes a new structure for TreeKEM, splitting the former RatchetTree structure into public and private halves.
This is incompatible with the protocol as it stands right now, because the Decap() operation takes place on the TreeKEMPrivateKey, which can't compute the required resolution. So the DirectPath (here TreeKEMPath) needs to specify which nodes are encrypted to.
The notion of a ratchet tree has changed somewhat over the development of the spec. Most recently, parent hashes and signing with KeyPackages in the leaves made the earlier API challenging. This PR proposes a new structure for TreeKEM, splitting the former RatchetTree structure into public and private halves.
This is incompatible with the protocol as it stands right now, because the
Decap()
operation takes place on the TreeKEMPrivateKey, which can't compute the required resolution. So the DirectPath (here TreeKEMPath) needs to specify which nodes are encrypted to.