From bc6114ce37aba2d4768eb14244442e3e974d4c75 Mon Sep 17 00:00:00 2001
From: Alula <6276139+alula@users.noreply.github.com>
Date: Wed, 13 Nov 2024 08:17:12 +0100
Subject: [PATCH 1/6] Update udpqueue-api

---
 ext-udpqueue/build.gradle | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/ext-udpqueue/build.gradle b/ext-udpqueue/build.gradle
index 1daaa62..a730e69 100644
--- a/ext-udpqueue/build.gradle
+++ b/ext-udpqueue/build.gradle
@@ -1,8 +1,6 @@
-def udpqueueVersion = '0.2.7'
-
 dependencies {
     compileOnly project(':core')
     implementation 'dev.arbjerg:lava-common:2.2.1'
-    implementation group: 'club.minnced', name: 'udpqueue-api', version: '0.1.1'
+    implementation group: 'club.minnced', name: 'udpqueue-api', version: '0.2.9'
     compileOnly group: 'org.jetbrains', name: 'annotations', version: '13.0'
 }

From 07c391c9bfda40b697f66a0c3cf1630037576a60 Mon Sep 17 00:00:00 2001
From: Alula <6276139+alula@users.noreply.github.com>
Date: Wed, 13 Nov 2024 08:17:54 +0100
Subject: [PATCH 2/6] Fix Koe TestBot and update libraries

---
 testbot/build.gradle                              |  6 +++---
 .../java/moe/kyokobot/koe/testbot/TestBot.java    | 15 ++++++++++-----
 2 files changed, 13 insertions(+), 8 deletions(-)

diff --git a/testbot/build.gradle b/testbot/build.gradle
index f1361fc..e543afe 100644
--- a/testbot/build.gradle
+++ b/testbot/build.gradle
@@ -1,8 +1,8 @@
 dependencies {
     implementation project(':core')
     implementation project(':ext-udpqueue')
-    implementation group: 'net.dv8tion', name: 'JDA', version: '5.0.2'
-    implementation group: 'dev.arbjerg', name: 'lavaplayer', version: '2.2.1'
-    implementation group: 'com.github.lavalink-devs', name: 'lavaplayer-youtube-source', version: '1.0.5'
+    implementation group: 'net.dv8tion', name: 'JDA', version: '5.2.1'
+    implementation group: 'dev.arbjerg', name: 'lavaplayer', version: '2.2.2'
+    implementation group: 'dev.lavalink.youtube', name: 'v2', version: '1.8.3'
     implementation group: 'ch.qos.logback', name: 'logback-classic', version: '1.4.14'
 }
diff --git a/testbot/src/main/java/moe/kyokobot/koe/testbot/TestBot.java b/testbot/src/main/java/moe/kyokobot/koe/testbot/TestBot.java
index 80d078b..c259412 100644
--- a/testbot/src/main/java/moe/kyokobot/koe/testbot/TestBot.java
+++ b/testbot/src/main/java/moe/kyokobot/koe/testbot/TestBot.java
@@ -11,6 +11,9 @@
 import com.sedmelluq.discord.lavaplayer.track.AudioTrack;
 import com.sedmelluq.discord.lavaplayer.track.playback.MutableAudioFrame;
 import dev.lavalink.youtube.YoutubeAudioSourceManager;
+import dev.lavalink.youtube.clients.AndroidMusic;
+import dev.lavalink.youtube.clients.AndroidTestsuite;
+import dev.lavalink.youtube.clients.WebEmbedded;
 import io.netty.buffer.ByteBuf;
 import moe.kyokobot.koe.*;
 import moe.kyokobot.koe.media.OpusAudioFrameProvider;
@@ -25,6 +28,7 @@
 import net.dv8tion.jda.api.hooks.ListenerAdapter;
 import net.dv8tion.jda.api.hooks.VoiceDispatchInterceptor;
 import net.dv8tion.jda.api.requests.GatewayIntent;
+import org.jetbrains.annotations.NotNull;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -50,7 +54,7 @@ public class TestBot extends ListenerAdapter implements VoiceDispatchInterceptor
     private Koe koe;
     private KoeClient koeClient;
     private AudioPlayerManager playerManager;
-    private Map<Guild, AudioPlayer> playerMap = new ConcurrentHashMap<>();
+    private final Map<Guild, AudioPlayer> playerMap = new ConcurrentHashMap<>();
 
     public TestBot(String token) {
         this.token = token;
@@ -66,7 +70,8 @@ public void start() {
     public void stop() {
         try {
             logger.info("Shutting down...");
-            koeClient.close();
+            if (koeClient != null)
+                koeClient.close();
             Thread.sleep(250);
             jda.shutdownNow();
             Thread.sleep(500);
@@ -89,14 +94,14 @@ public JDA createJDA() {
 
     public AudioPlayerManager createAudioPlayerManager() {
         var manager = new DefaultAudioPlayerManager();
-        manager.registerSourceManager(new YoutubeAudioSourceManager());
+        manager.registerSourceManager(new YoutubeAudioSourceManager(new AndroidMusic(), new AndroidTestsuite(), new WebEmbedded()));
         manager.registerSourceManager(SoundCloudAudioSourceManager.createDefault());
         manager.registerSourceManager(new HttpAudioSourceManager());
         return manager;
     }
 
     @Override
-    public void onReady(ReadyEvent event) {
+    public void onReady(@NotNull ReadyEvent event) {
         koeClient = koe.newClient(jda.getSelfUser().getIdLong());
     }
 
@@ -114,7 +119,7 @@ public void onVoiceServerUpdate(VoiceServerUpdate voiceServerUpdate) {
 
     @Override
     public boolean onVoiceStateUpdate(VoiceStateUpdate voiceStateUpdate) {
-        if (voiceStateUpdate.getVoiceState().getIdLong() == jda.getSelfUser().getIdLong() && voiceStateUpdate.getChannel().getIdLong() == 0) {
+        if (voiceStateUpdate.getVoiceState().getIdLong() == jda.getSelfUser().getIdLong() && voiceStateUpdate.getChannel() == null) {
             koeClient.destroyConnection(voiceStateUpdate.getGuildIdLong());
         }
         return true;

From e24ad2d7f9188f5cdd44e4b4b170f1a148c2e2c1 Mon Sep 17 00:00:00 2001
From: Alula <6276139+alula@users.noreply.github.com>
Date: Wed, 13 Nov 2024 08:37:15 +0100
Subject: [PATCH 3/6] Make V8 the default gateway version, update opcodes

---
 .../moe/kyokobot/koe/KoeOptionsBuilder.java   |  2 +-
 .../koe/gateway/MediaGatewayV4Connection.java |  4 ++--
 .../koe/gateway/MediaGatewayV5Connection.java |  6 +++---
 .../koe/gateway/MediaGatewayV8Connection.java |  6 +++---
 .../java/moe/kyokobot/koe/gateway/Op.java     | 21 ++++++++++++++++---
 5 files changed, 27 insertions(+), 12 deletions(-)

diff --git a/core/src/main/java/moe/kyokobot/koe/KoeOptionsBuilder.java b/core/src/main/java/moe/kyokobot/koe/KoeOptionsBuilder.java
index 2e33740..3b3bbea 100644
--- a/core/src/main/java/moe/kyokobot/koe/KoeOptionsBuilder.java
+++ b/core/src/main/java/moe/kyokobot/koe/KoeOptionsBuilder.java
@@ -39,7 +39,7 @@ public class KoeOptionsBuilder {
                 : NioDatagramChannel.class;
 
         this.byteBufAllocator = new PooledByteBufAllocator();
-        this.gatewayVersion = GatewayVersion.V4;
+        this.gatewayVersion = GatewayVersion.V8;
         this.framePollerFactory = new NettyFramePollerFactory();
         this.highPacketPriority = true;
     }
diff --git a/core/src/main/java/moe/kyokobot/koe/gateway/MediaGatewayV4Connection.java b/core/src/main/java/moe/kyokobot/koe/gateway/MediaGatewayV4Connection.java
index 50ba7ec..23ce0f4 100644
--- a/core/src/main/java/moe/kyokobot/koe/gateway/MediaGatewayV4Connection.java
+++ b/core/src/main/java/moe/kyokobot/koe/gateway/MediaGatewayV4Connection.java
@@ -116,7 +116,7 @@ protected void handlePayload(JsonObject object) {
                 logger.debug("Resumed successfully");
                 break;
             }
-            case Op.CLIENT_CONNECT: {
+            case Op.VIDEO: {
                 var data = object.getObject("d");
                 var user = data.getString("user_id");
                 var audioSsrc = data.getInt("audio_ssrc", 0);
@@ -195,7 +195,7 @@ private void selectProtocol(String protocol) {
                         .add("data", udpInfo)
                         .combine(udpInfo));
 
-                sendInternalPayload(Op.CLIENT_CONNECT, new JsonObject()
+                sendInternalPayload(Op.VIDEO, new JsonObject()
                         .add("audio_ssrc", ssrc)
                         .add("video_ssrc", 0)
                         .add("rtx_ssrc", 0));
diff --git a/core/src/main/java/moe/kyokobot/koe/gateway/MediaGatewayV5Connection.java b/core/src/main/java/moe/kyokobot/koe/gateway/MediaGatewayV5Connection.java
index 0bf6deb..3eb65c8 100644
--- a/core/src/main/java/moe/kyokobot/koe/gateway/MediaGatewayV5Connection.java
+++ b/core/src/main/java/moe/kyokobot/koe/gateway/MediaGatewayV5Connection.java
@@ -114,7 +114,7 @@ protected void handlePayload(JsonObject object) {
                 logger.debug("Resumed successfully");
                 break;
             }
-            case Op.CLIENT_CONNECT: {
+            case Op.VIDEO: {
                 var data = object.getObject("d");
                 var user = data.getString("user_id");
                 var audioSsrc = data.getInt("audio_ssrc", 0);
@@ -129,7 +129,7 @@ protected void handlePayload(JsonObject object) {
                 connection.getDispatcher().userDisconnected(user);
                 break;
             }
-            case Op.VIDEO_SINK_WANTS: {
+            case Op.MEDIA_SINK_WANTS: {
                 // Sent only if `video` flag was true while identifying. At time of writing this comment Discord forces
                 // it to false on bots (so.. user bot time? /s) due to voice server bug that broke clients or something.
                 // After receiving this opcode client can send op 12 with ssrcs for video (audio + 1)
@@ -211,7 +211,7 @@ private void selectProtocol(String protocol) {
 
                 this.updateSpeaking(0);
 
-                sendInternalPayload(Op.CLIENT_CONNECT, new JsonObject()
+                sendInternalPayload(Op.VIDEO, new JsonObject()
                         .add("audio_ssrc", ssrc)
                         .add("video_ssrc", 0)
                         .add("rtx_ssrc", 0));
diff --git a/core/src/main/java/moe/kyokobot/koe/gateway/MediaGatewayV8Connection.java b/core/src/main/java/moe/kyokobot/koe/gateway/MediaGatewayV8Connection.java
index 0f03c8d..04ae51e 100644
--- a/core/src/main/java/moe/kyokobot/koe/gateway/MediaGatewayV8Connection.java
+++ b/core/src/main/java/moe/kyokobot/koe/gateway/MediaGatewayV8Connection.java
@@ -120,7 +120,7 @@ protected void handlePayload(JsonObject object) {
                 logger.debug("Resumed successfully");
                 break;
             }
-            case Op.CLIENT_CONNECT: {
+            case Op.VIDEO: {
                 var data = object.getObject("d");
                 var user = data.getString("user_id");
                 var audioSsrc = data.getInt("audio_ssrc", 0);
@@ -135,7 +135,7 @@ protected void handlePayload(JsonObject object) {
                 connection.getDispatcher().userDisconnected(user);
                 break;
             }
-            case Op.VIDEO_SINK_WANTS: {
+            case Op.MEDIA_SINK_WANTS: {
                 // Sent only if `video` flag was true while identifying. At time of writing this comment Discord forces
                 // it to false on bots (so.. user bot time? /s) due to voice server bug that broke clients or something.
                 // After receiving this opcode client can send op 12 with ssrcs for video (audio + 1)
@@ -219,7 +219,7 @@ private void selectProtocol(String protocol) {
 
                 this.updateSpeaking(0);
 
-                sendInternalPayload(Op.CLIENT_CONNECT, new JsonObject()
+                sendInternalPayload(Op.VIDEO, new JsonObject()
                         .add("audio_ssrc", ssrc)
                         .add("video_ssrc", 0)
                         .add("rtx_ssrc", 0));
diff --git a/core/src/main/java/moe/kyokobot/koe/gateway/Op.java b/core/src/main/java/moe/kyokobot/koe/gateway/Op.java
index d9f0b9a..ea31ed9 100644
--- a/core/src/main/java/moe/kyokobot/koe/gateway/Op.java
+++ b/core/src/main/java/moe/kyokobot/koe/gateway/Op.java
@@ -16,9 +16,24 @@ private Op() {
     public static final int HELLO = 8;
     public static final int RESUMED = 9;
     // public static final int DUNNO = 10;
-    // public static final int DUNNO = 11;
-    public static final int CLIENT_CONNECT = 12; // thx b1nzy
+    public static final int CLIENT_CONNECT = 11;
+    public static final int VIDEO = 12;
     public static final int CLIENT_DISCONNECT = 13;
     public static final int CODECS = 14;
-    public static final int VIDEO_SINK_WANTS = 15;
+    public static final int MEDIA_SINK_WANTS = 15;
+    public static final int VOICE_BACKEND_VERSION = 16;
+    public static final int CHANNEL_OPTIONS_UPDATE = 17;
+    public static final int CLIENT_FLAGS = 18;
+    public static final int SPEED_TEST = 19;
+    public static final int PLATFORM = 20;
+    public static final int SECURE_FRAMES_PREPARE_PROTOCOL_TRANSITION = 21;
+    public static final int SECURE_FRAMES_EXECUTE_TRANSITION = 22;
+    public static final int SECURE_FRAMES_READY_FOR_TRANSITION = 23;
+    public static final int SECURE_FRAMES_PREPARE_EPOCH = 24;
+    public static final int MLS_EXTERNAL_SENDER_PACKAGE = 25;
+    public static final int MLS_KEY_PACKAGE = 26;
+    public static final int MLS_PROPOSALS = 27;
+    public static final int MLS_COMMIT_WELCOME = 28;
+    public static final int MLS_PREPARE_COMMIT_TRANSITION = 29;
+    public static final int MLS_WELCOME = 30;
 }

From 1a37ac19f622e1acb0116abfc39a2a7a8636f080 Mon Sep 17 00:00:00 2001
From: Alula <6276139+alula@users.noreply.github.com>
Date: Wed, 13 Nov 2024 11:22:39 +0100
Subject: [PATCH 4/6] Implement handling of binary websocket payloads

---
 .../AbstractMediaGatewayConnection.java       | 31 +++++++++++++++++--
 .../koe/gateway/MediaGatewayV8Connection.java | 12 ++++++-
 2 files changed, 39 insertions(+), 4 deletions(-)

diff --git a/core/src/main/java/moe/kyokobot/koe/gateway/AbstractMediaGatewayConnection.java b/core/src/main/java/moe/kyokobot/koe/gateway/AbstractMediaGatewayConnection.java
index ead302c..d36d946 100644
--- a/core/src/main/java/moe/kyokobot/koe/gateway/AbstractMediaGatewayConnection.java
+++ b/core/src/main/java/moe/kyokobot/koe/gateway/AbstractMediaGatewayConnection.java
@@ -1,6 +1,7 @@
 package moe.kyokobot.koe.gateway;
 
 import io.netty.bootstrap.Bootstrap;
+import io.netty.buffer.ByteBuf;
 import io.netty.channel.Channel;
 import io.netty.channel.ChannelHandlerContext;
 import io.netty.channel.ChannelInitializer;
@@ -16,8 +17,8 @@
 import io.netty.handler.ssl.SslHandler;
 import io.netty.util.concurrent.EventExecutor;
 import moe.kyokobot.koe.VoiceServerInfo;
-import moe.kyokobot.koe.internal.NettyBootstrapFactory;
 import moe.kyokobot.koe.internal.MediaConnectionImpl;
+import moe.kyokobot.koe.internal.NettyBootstrapFactory;
 import moe.kyokobot.koe.internal.json.JsonObject;
 import moe.kyokobot.koe.internal.json.JsonParser;
 import moe.kyokobot.koe.internal.util.NettyFutureWrapper;
@@ -116,6 +117,10 @@ public boolean isOpen() {
 
     protected abstract void handlePayload(JsonObject object);
 
+    protected void handleBinaryPayload(ByteBuf buffer) {
+        // no-op
+    }
+
     protected void onClose(int code, @Nullable String reason, boolean remote) {
         if (!closed) {
             closed = true;
@@ -148,14 +153,29 @@ public void sendInternalPayload(int op, Object d) {
         sendRaw(new JsonObject().add("op", op).add("d", d));
     }
 
+    public void sendBinaryInternalPayload(char op, ByteBuf buffer) {
+        var frame = channel.alloc().buffer(1 + buffer.readableBytes());
+        frame.writeByte(op);
+        frame.writeBytes(buffer);
+        sendRaw(frame);
+        buffer.release();
+    }
+
     protected void sendRaw(JsonObject object) {
         if (channel != null && channel.isOpen()) {
             var data = object.toString();
-            logger.trace("<- {}", data);
+            logger.trace("<-T {}", data);
             channel.writeAndFlush(new TextWebSocketFrame(data));
         }
     }
 
+    protected void sendRaw(ByteBuf buffer) {
+        if (channel != null && channel.isOpen()) {
+            logger.trace("<-B {}", buffer);
+            channel.writeAndFlush(new BinaryWebSocketFrame(buffer));
+        }
+    }
+
     private class WebSocketClientHandler extends SimpleChannelInboundHandler<Object> {
         private final WebSocketClientHandshaker handshaker;
 
@@ -210,9 +230,14 @@ protected void channelRead0(ChannelHandlerContext ctx, Object msg) throws Except
             if (msg instanceof TextWebSocketFrame) {
                 var frame = (TextWebSocketFrame) msg;
                 var object = JsonParser.object().from(frame.content());
-                logger.trace("-> {}", object);
+                logger.trace("->T {}", object);
                 frame.release();
                 handlePayload(object);
+            } else if (msg instanceof BinaryWebSocketFrame) {
+                var frame = (BinaryWebSocketFrame) msg;
+                logger.trace("->B {}", frame.content());
+                handleBinaryPayload(frame.content());
+                frame.release();
             } else if (msg instanceof CloseWebSocketFrame) {
                 var frame = (CloseWebSocketFrame) msg;
                 if (logger.isDebugEnabled()) {
diff --git a/core/src/main/java/moe/kyokobot/koe/gateway/MediaGatewayV8Connection.java b/core/src/main/java/moe/kyokobot/koe/gateway/MediaGatewayV8Connection.java
index 04ae51e..d38d08d 100644
--- a/core/src/main/java/moe/kyokobot/koe/gateway/MediaGatewayV8Connection.java
+++ b/core/src/main/java/moe/kyokobot/koe/gateway/MediaGatewayV8Connection.java
@@ -1,5 +1,6 @@
 package moe.kyokobot.koe.gateway;
 
+import io.netty.buffer.ByteBuf;
 import moe.kyokobot.koe.VoiceServerInfo;
 import moe.kyokobot.koe.codec.Codec;
 import moe.kyokobot.koe.codec.DefaultCodecs;
@@ -46,7 +47,9 @@ protected void identify() {
                 .addAsString("user_id", connection.getClient().getClientId())
                 .add("session_id", voiceServerInfo.getSessionId())
                 .add("token", voiceServerInfo.getToken())
-                .add("video", true));
+                .add("video", true)
+                .add("max_dave_protocol_version", 0)
+                .add("streams", new JsonArray()));
     }
 
     @Override
@@ -151,6 +154,13 @@ protected void handlePayload(JsonObject object) {
         }
     }
 
+    @Override
+    protected void handleBinaryPayload(ByteBuf buffer) {
+        sequence = buffer.readUnsignedShort();
+
+        var op = buffer.readUnsignedByte();
+    }
+
     @Override
     protected void onClose(int code, @Nullable String reason, boolean remote) {
         super.onClose(code, reason, remote);

From 36726d4fa191922ce36cb8884eb1b332743006e9 Mon Sep 17 00:00:00 2001
From: Alula <6276139+alula@users.noreply.github.com>
Date: Sun, 17 Nov 2024 13:47:56 +0100
Subject: [PATCH 5/6] Add our BouncyCastle MLS fork to the tree

---
 README.md                                     |    2 +
 build.gradle                                  |    8 +
 core/build.gradle                             |   12 +-
 dave/build.gradle                             |    6 +
 .../moe/kyokobot/koe/dave/mls/MLSSession.java |  665 +++++
 .../moe/kyokobot/koe/dave/util/MLSUtil.java   |   46 +
 ext-udpqueue/build.gradle                     |    2 +-
 mls/LICENSE                                   |   27 +
 mls/README.md                                 |   31 +
 mls/build.gradle                              |    6 +
 .../moe/kyokobot/koe/mls/GroupKeySet.java     |  308 +++
 .../moe/kyokobot/koe/mls/KeyGeneration.java   |   43 +
 .../kyokobot/koe/mls/KeyScheduleEpoch.java    |  486 ++++
 .../moe/kyokobot/koe/mls/TranscriptHash.java  |   88 +
 .../kyokobot/koe/mls/TreeKEM/LeafIndex.java   |  116 +
 .../kyokobot/koe/mls/TreeKEM/LeafNode.java    |  330 +++
 .../koe/mls/TreeKEM/LeafNodeHashInput.java    |   35 +
 .../koe/mls/TreeKEM/LeafNodeSource.java       |   29 +
 .../kyokobot/koe/mls/TreeKEM/LifeTime.java    |   52 +
 .../moe/kyokobot/koe/mls/TreeKEM/Node.java    |   84 +
 .../kyokobot/koe/mls/TreeKEM/NodeIndex.java   |  181 ++
 .../koe/mls/TreeKEM/OptionalNode.java         |   62 +
 .../koe/mls/TreeKEM/ParentHashInput.java      |   39 +
 .../kyokobot/koe/mls/TreeKEM/ParentNode.java  |   42 +
 .../koe/mls/TreeKEM/ParentNodeHashInput.java  |   41 +
 .../koe/mls/TreeKEM/TreeHashInput.java        |   64 +
 .../koe/mls/TreeKEM/TreeKEMPrivateKey.java    |  318 +++
 .../koe/mls/TreeKEM/TreeKEMPublicKey.java     |  871 ++++++
 .../moe/kyokobot/koe/mls/TreeKEM/Utils.java   |   16 +
 .../java/moe/kyokobot/koe/mls/TreeSize.java   |   35 +
 .../koe/mls/codec/AuthenticatedContent.java   |  168 ++
 .../kyokobot/koe/mls/codec/Capabilities.java  |   76 +
 .../kyokobot/koe/mls/codec/Certificate.java   |   22 +
 .../moe/kyokobot/koe/mls/codec/Commit.java    |   87 +
 .../kyokobot/koe/mls/codec/ContentType.java   |   33 +
 .../kyokobot/koe/mls/codec/Credential.java    |   84 +
 .../koe/mls/codec/CredentialType.java         |   51 +
 .../koe/mls/codec/EncryptedGroupSecrets.java  |   33 +
 .../moe/kyokobot/koe/mls/codec/Extension.java |  102 +
 .../kyokobot/koe/mls/codec/ExtensionType.java |   62 +
 .../koe/mls/codec/ExternalSender.java         |   46 +
 .../kyokobot/koe/mls/codec/FramedContent.java |  163 ++
 .../moe/kyokobot/koe/mls/codec/Grease.java    |   55 +
 .../kyokobot/koe/mls/codec/GroupContext.java  |   76 +
 .../moe/kyokobot/koe/mls/codec/GroupInfo.java |  133 +
 .../kyokobot/koe/mls/codec/GroupSecrets.java  |   40 +
 .../koe/mls/codec/HPKECiphertext.java         |   42 +
 .../kyokobot/koe/mls/codec/KeyPackage.java    |  116 +
 .../koe/mls/codec/MLSInputStream.java         |  246 ++
 .../kyokobot/koe/mls/codec/MLSMessage.java    |  512 ++++
 .../koe/mls/codec/MLSOutputStream.java        |  128 +
 .../moe/kyokobot/koe/mls/codec/NodeType.java  |   32 +
 .../moe/kyokobot/koe/mls/codec/PSKType.java   |   32 +
 .../kyokobot/koe/mls/codec/PathSecret.java    |   33 +
 .../koe/mls/codec/PreSharedKeyID.java         |  141 +
 .../koe/mls/codec/PrivateMessage.java         |  234 ++
 .../moe/kyokobot/koe/mls/codec/Proposal.java  |  418 +++
 .../kyokobot/koe/mls/codec/ProposalOrRef.java |   77 +
 .../koe/mls/codec/ProposalOrRefType.java      |   32 +
 .../kyokobot/koe/mls/codec/ProposalType.java  |   58 +
 .../koe/mls/codec/ProtocolVersion.java        |   27 +
 .../kyokobot/koe/mls/codec/PublicMessage.java |  119 +
 .../koe/mls/codec/ResumptionPSKUsage.java     |   33 +
 .../moe/kyokobot/koe/mls/codec/Sender.java    |   94 +
 .../kyokobot/koe/mls/codec/SenderType.java    |   27 +
 .../kyokobot/koe/mls/codec/UpdatePath.java    |   53 +
 .../koe/mls/codec/UpdatePathNode.java         |   46 +
 .../koe/mls/codec/ValidatedContent.java       |   13 +
 .../moe/kyokobot/koe/mls/codec/Varint.java    |   67 +
 .../moe/kyokobot/koe/mls/codec/Welcome.java   |  144 +
 .../kyokobot/koe/mls/codec/WireFormat.java    |   28 +
 .../moe/kyokobot/koe/mls/crypto/MlsAead.java  |   16 +
 .../koe/mls/crypto/MlsCipherSuite.java        |  227 ++
 .../moe/kyokobot/koe/mls/crypto/MlsKdf.java   |   20 +
 .../kyokobot/koe/mls/crypto/MlsSigner.java    |   32 +
 .../moe/kyokobot/koe/mls/crypto/Secret.java   |  141 +
 .../kyokobot/koe/mls/crypto/bc/BcMlsAead.java |  104 +
 .../kyokobot/koe/mls/crypto/bc/BcMlsKdf.java  |   64 +
 .../koe/mls/crypto/bc/BcMlsSigner.java        |  261 ++
 .../koe/mls/protocol/CachedProposal.java      |   18 +
 .../koe/mls/protocol/CachedUpdate.java        |   22 +
 .../moe/kyokobot/koe/mls/protocol/Group.java  | 2415 +++++++++++++++++
 settings.gradle                               |    2 +
 83 files changed, 11343 insertions(+), 7 deletions(-)
 create mode 100644 dave/build.gradle
 create mode 100644 dave/src/main/java/moe/kyokobot/koe/dave/mls/MLSSession.java
 create mode 100644 dave/src/main/java/moe/kyokobot/koe/dave/util/MLSUtil.java
 create mode 100644 mls/LICENSE
 create mode 100644 mls/README.md
 create mode 100644 mls/build.gradle
 create mode 100644 mls/src/main/java/moe/kyokobot/koe/mls/GroupKeySet.java
 create mode 100644 mls/src/main/java/moe/kyokobot/koe/mls/KeyGeneration.java
 create mode 100644 mls/src/main/java/moe/kyokobot/koe/mls/KeyScheduleEpoch.java
 create mode 100644 mls/src/main/java/moe/kyokobot/koe/mls/TranscriptHash.java
 create mode 100644 mls/src/main/java/moe/kyokobot/koe/mls/TreeKEM/LeafIndex.java
 create mode 100644 mls/src/main/java/moe/kyokobot/koe/mls/TreeKEM/LeafNode.java
 create mode 100644 mls/src/main/java/moe/kyokobot/koe/mls/TreeKEM/LeafNodeHashInput.java
 create mode 100644 mls/src/main/java/moe/kyokobot/koe/mls/TreeKEM/LeafNodeSource.java
 create mode 100644 mls/src/main/java/moe/kyokobot/koe/mls/TreeKEM/LifeTime.java
 create mode 100644 mls/src/main/java/moe/kyokobot/koe/mls/TreeKEM/Node.java
 create mode 100644 mls/src/main/java/moe/kyokobot/koe/mls/TreeKEM/NodeIndex.java
 create mode 100644 mls/src/main/java/moe/kyokobot/koe/mls/TreeKEM/OptionalNode.java
 create mode 100644 mls/src/main/java/moe/kyokobot/koe/mls/TreeKEM/ParentHashInput.java
 create mode 100644 mls/src/main/java/moe/kyokobot/koe/mls/TreeKEM/ParentNode.java
 create mode 100644 mls/src/main/java/moe/kyokobot/koe/mls/TreeKEM/ParentNodeHashInput.java
 create mode 100644 mls/src/main/java/moe/kyokobot/koe/mls/TreeKEM/TreeHashInput.java
 create mode 100644 mls/src/main/java/moe/kyokobot/koe/mls/TreeKEM/TreeKEMPrivateKey.java
 create mode 100644 mls/src/main/java/moe/kyokobot/koe/mls/TreeKEM/TreeKEMPublicKey.java
 create mode 100644 mls/src/main/java/moe/kyokobot/koe/mls/TreeKEM/Utils.java
 create mode 100644 mls/src/main/java/moe/kyokobot/koe/mls/TreeSize.java
 create mode 100644 mls/src/main/java/moe/kyokobot/koe/mls/codec/AuthenticatedContent.java
 create mode 100644 mls/src/main/java/moe/kyokobot/koe/mls/codec/Capabilities.java
 create mode 100644 mls/src/main/java/moe/kyokobot/koe/mls/codec/Certificate.java
 create mode 100644 mls/src/main/java/moe/kyokobot/koe/mls/codec/Commit.java
 create mode 100644 mls/src/main/java/moe/kyokobot/koe/mls/codec/ContentType.java
 create mode 100644 mls/src/main/java/moe/kyokobot/koe/mls/codec/Credential.java
 create mode 100644 mls/src/main/java/moe/kyokobot/koe/mls/codec/CredentialType.java
 create mode 100644 mls/src/main/java/moe/kyokobot/koe/mls/codec/EncryptedGroupSecrets.java
 create mode 100644 mls/src/main/java/moe/kyokobot/koe/mls/codec/Extension.java
 create mode 100644 mls/src/main/java/moe/kyokobot/koe/mls/codec/ExtensionType.java
 create mode 100644 mls/src/main/java/moe/kyokobot/koe/mls/codec/ExternalSender.java
 create mode 100644 mls/src/main/java/moe/kyokobot/koe/mls/codec/FramedContent.java
 create mode 100644 mls/src/main/java/moe/kyokobot/koe/mls/codec/Grease.java
 create mode 100644 mls/src/main/java/moe/kyokobot/koe/mls/codec/GroupContext.java
 create mode 100644 mls/src/main/java/moe/kyokobot/koe/mls/codec/GroupInfo.java
 create mode 100644 mls/src/main/java/moe/kyokobot/koe/mls/codec/GroupSecrets.java
 create mode 100644 mls/src/main/java/moe/kyokobot/koe/mls/codec/HPKECiphertext.java
 create mode 100644 mls/src/main/java/moe/kyokobot/koe/mls/codec/KeyPackage.java
 create mode 100644 mls/src/main/java/moe/kyokobot/koe/mls/codec/MLSInputStream.java
 create mode 100644 mls/src/main/java/moe/kyokobot/koe/mls/codec/MLSMessage.java
 create mode 100644 mls/src/main/java/moe/kyokobot/koe/mls/codec/MLSOutputStream.java
 create mode 100644 mls/src/main/java/moe/kyokobot/koe/mls/codec/NodeType.java
 create mode 100644 mls/src/main/java/moe/kyokobot/koe/mls/codec/PSKType.java
 create mode 100644 mls/src/main/java/moe/kyokobot/koe/mls/codec/PathSecret.java
 create mode 100644 mls/src/main/java/moe/kyokobot/koe/mls/codec/PreSharedKeyID.java
 create mode 100644 mls/src/main/java/moe/kyokobot/koe/mls/codec/PrivateMessage.java
 create mode 100644 mls/src/main/java/moe/kyokobot/koe/mls/codec/Proposal.java
 create mode 100644 mls/src/main/java/moe/kyokobot/koe/mls/codec/ProposalOrRef.java
 create mode 100644 mls/src/main/java/moe/kyokobot/koe/mls/codec/ProposalOrRefType.java
 create mode 100644 mls/src/main/java/moe/kyokobot/koe/mls/codec/ProposalType.java
 create mode 100644 mls/src/main/java/moe/kyokobot/koe/mls/codec/ProtocolVersion.java
 create mode 100644 mls/src/main/java/moe/kyokobot/koe/mls/codec/PublicMessage.java
 create mode 100644 mls/src/main/java/moe/kyokobot/koe/mls/codec/ResumptionPSKUsage.java
 create mode 100644 mls/src/main/java/moe/kyokobot/koe/mls/codec/Sender.java
 create mode 100644 mls/src/main/java/moe/kyokobot/koe/mls/codec/SenderType.java
 create mode 100644 mls/src/main/java/moe/kyokobot/koe/mls/codec/UpdatePath.java
 create mode 100644 mls/src/main/java/moe/kyokobot/koe/mls/codec/UpdatePathNode.java
 create mode 100644 mls/src/main/java/moe/kyokobot/koe/mls/codec/ValidatedContent.java
 create mode 100644 mls/src/main/java/moe/kyokobot/koe/mls/codec/Varint.java
 create mode 100644 mls/src/main/java/moe/kyokobot/koe/mls/codec/Welcome.java
 create mode 100644 mls/src/main/java/moe/kyokobot/koe/mls/codec/WireFormat.java
 create mode 100644 mls/src/main/java/moe/kyokobot/koe/mls/crypto/MlsAead.java
 create mode 100644 mls/src/main/java/moe/kyokobot/koe/mls/crypto/MlsCipherSuite.java
 create mode 100644 mls/src/main/java/moe/kyokobot/koe/mls/crypto/MlsKdf.java
 create mode 100644 mls/src/main/java/moe/kyokobot/koe/mls/crypto/MlsSigner.java
 create mode 100644 mls/src/main/java/moe/kyokobot/koe/mls/crypto/Secret.java
 create mode 100644 mls/src/main/java/moe/kyokobot/koe/mls/crypto/bc/BcMlsAead.java
 create mode 100644 mls/src/main/java/moe/kyokobot/koe/mls/crypto/bc/BcMlsKdf.java
 create mode 100644 mls/src/main/java/moe/kyokobot/koe/mls/crypto/bc/BcMlsSigner.java
 create mode 100644 mls/src/main/java/moe/kyokobot/koe/mls/protocol/CachedProposal.java
 create mode 100644 mls/src/main/java/moe/kyokobot/koe/mls/protocol/CachedUpdate.java
 create mode 100644 mls/src/main/java/moe/kyokobot/koe/mls/protocol/Group.java

diff --git a/README.md b/README.md
index 30b822c..dcd56ca 100644
--- a/README.md
+++ b/README.md
@@ -49,3 +49,5 @@ Koe includes modified/stripped-down parts based on following open-source project
 
 - [tweetnacl-java](https://github.com/InstantWebP2P/tweetnacl-java) (Poly1305, SecretBox)
 - [nanojson](https://github.com/mmastrac/nanojson) (modified for bytebuf support, changed the API a bit and etc.)
+- [BouncyCastle MLS](https://github.com/bcgit/bc-java/tree/1.79) (see README.md in mls module for more info)
+- [libdave](https://github.com/discord/libdave) (Koe's DAVE implementation is heavily based on reference C++ implementation)
diff --git a/build.gradle b/build.gradle
index 6c204e3..17876d2 100644
--- a/build.gradle
+++ b/build.gradle
@@ -21,6 +21,14 @@ def getGitVersion() {
     return [versionStr.toString().trim(), true]
 }
 
+ext {
+    nettyVersion = '4.1.112.Final'
+    slf4jVersion = '1.8.0-beta4'
+    tinkVersion = '1.15.0'
+    bouncyCastleVersion = '1.79'
+    jetbrainsAnnotationsVersion = '13.0'
+}
+
 subprojects {
     apply plugin: 'maven-publish'
     apply plugin: 'java-library'
diff --git a/core/build.gradle b/core/build.gradle
index 9b757c1..354155c 100644
--- a/core/build.gradle
+++ b/core/build.gradle
@@ -1,8 +1,8 @@
 dependencies {
-    api group: 'io.netty', name: 'netty-transport', version: '4.1.112.Final'
-    implementation group: 'io.netty', name: 'netty-codec-http', version: '4.1.112.Final'
-    implementation group: 'io.netty', name: 'netty-transport-native-epoll', version: '4.1.112.Final', classifier: 'linux-x86_64'
-    implementation group: 'org.slf4j', name: 'slf4j-api', version: '1.8.0-beta4'
-    implementation group: 'com.google.crypto.tink', name: 'tink', version: '1.14.1'
-    compileOnly group: 'org.jetbrains', name: 'annotations', version: '13.0'
+    api group: 'io.netty', name: 'netty-transport', version: "$nettyVersion"
+    implementation group: 'io.netty', name: 'netty-codec-http', version: "$nettyVersion"
+    implementation group: 'io.netty', name: 'netty-transport-native-epoll', version: "$nettyVersion", classifier: 'linux-x86_64'
+    implementation group: 'org.slf4j', name: 'slf4j-api', version: "$slf4jVersion"
+    implementation group: 'com.google.crypto.tink', name: 'tink', version: "$tinkVersion"
+    compileOnly group: 'org.jetbrains', name: 'annotations', version: "$jetbrainsAnnotationsVersion"
 }
diff --git a/dave/build.gradle b/dave/build.gradle
new file mode 100644
index 0000000..47d0327
--- /dev/null
+++ b/dave/build.gradle
@@ -0,0 +1,6 @@
+dependencies {
+    implementation project(':mls')
+    implementation group: 'org.slf4j', name: 'slf4j-api', version: "$slf4jVersion"
+    compileOnly group: 'org.jetbrains', name: 'annotations', version: "$jetbrainsAnnotationsVersion"
+}
+
diff --git a/dave/src/main/java/moe/kyokobot/koe/dave/mls/MLSSession.java b/dave/src/main/java/moe/kyokobot/koe/dave/mls/MLSSession.java
new file mode 100644
index 0000000..b163016
--- /dev/null
+++ b/dave/src/main/java/moe/kyokobot/koe/dave/mls/MLSSession.java
@@ -0,0 +1,665 @@
+package moe.kyokobot.koe.dave.mls;
+
+import moe.kyokobot.koe.dave.DAVEException;
+import moe.kyokobot.koe.dave.KeyRatchet;
+import moe.kyokobot.koe.dave.PersistentKeyManager;
+import moe.kyokobot.koe.dave.util.MLSUtil;
+import moe.kyokobot.koe.mls.TreeKEM.LeafNode;
+import moe.kyokobot.koe.mls.TreeKEM.LifeTime;
+import moe.kyokobot.koe.mls.codec.*;
+import moe.kyokobot.koe.mls.crypto.Secret;
+import moe.kyokobot.koe.mls.protocol.Group;
+import org.bouncycastle.crypto.AsymmetricCipherKeyPair;
+import org.bouncycastle.crypto.generators.SCrypt;
+import org.bouncycastle.util.encoders.Hex;
+import org.jetbrains.annotations.NotNull;
+import org.jetbrains.annotations.Nullable;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.IOException;
+import java.security.SecureRandom;
+import java.util.*;
+import java.util.function.Consumer;
+
+public class MLSSession {
+    private static final Logger logger = LoggerFactory.getLogger(MLSSession.class);
+
+    @Nullable
+    private final PersistentKeyManager persistentKeyManager;
+    private int protocolVersion;
+    private byte[] groupId = new byte[0];
+    private final String signingKeyId;
+    private String selfUserId = "";
+    private LeafNode selfLeafNode;
+    private AsymmetricCipherKeyPair selfSigPrivateKey;
+    private AsymmetricCipherKeyPair selfHPKEPrivateKey;
+
+    private AsymmetricCipherKeyPair joinInitPrivateKey;
+    private KeyPackage joinKeyPackage;
+
+    private ExternalSender externalSender;
+
+    private Group pendingGroupState;
+    private MLSMessage pendingGroupCommit;
+
+    private Group outboundCachedGroupState;
+
+    private Group currentState;
+    private Map<Long, byte[]> roster;
+
+    private Group stateWithProposals;
+    private final Deque<QueuedProposal> proposalQueue = new LinkedList<>();
+
+    /**
+     * Creates a new MLS session.
+     *
+     * @param signingKeyId         ID of a persistent key to use for this session.
+     * @param persistentKeyManager Optional instance of {@link PersistentKeyManager} if you want to use persistent keys.
+     */
+    public MLSSession(@Nullable String signingKeyId, @Nullable PersistentKeyManager persistentKeyManager) {
+        this.persistentKeyManager = persistentKeyManager;
+        this.signingKeyId = signingKeyId == null ? "" : signingKeyId;
+    }
+
+    public void init(int protocolVersion, long groupId, String selfUserId, AsymmetricCipherKeyPair transientKey) throws DAVEException {
+        this.selfUserId = selfUserId;
+        this.protocolVersion = protocolVersion;
+        this.groupId = MLSUtil.bigEndianBytesFrom(groupId);
+
+        logger.info("Initializing MLS session with protocol version {} and group ID {}", protocolVersion, groupId);
+
+        initLeafNode(selfUserId, transientKey);
+        createPendingGroup();
+    }
+
+    public void reset() {
+        logger.info("Resetting MLS session");
+
+        clearPendingState();
+
+        currentState = null;
+        outboundCachedGroupState = null;
+
+        protocolVersion = 0;
+        groupId = null;
+    }
+
+    public void setProtocolVersion(int version) {
+        if (protocolVersion != version) {
+            // when we need to retain backwards compatibility
+            // there may be some changes to the MLS objects required here
+            // until then we can just update the stored version
+            protocolVersion = version;
+        }
+    }
+
+    public int getProtocolVersion() {
+        return protocolVersion;
+    }
+
+    public byte[] getLastEpochAuthenticator() throws DAVEException {
+        if (currentState == null) {
+            throw new DAVEException("Cannot get epoch authenticator without an established MLS group");
+        }
+
+        return currentState.getEpochAuthenticator();
+    }
+
+    public void setExternalSender(byte[] marshalledExternalSender) throws DAVEException {
+        if (currentState != null) {
+            throw new DAVEException("Cannot set external sender after joining/creating an MLS group");
+        }
+
+        logger.info("Unmarshalling MLS external sender");
+        logger.info("Sender: {}", Hex.encode(marshalledExternalSender));
+
+        try {
+            externalSender = new ExternalSender(new MLSInputStream(marshalledExternalSender));
+
+            if (groupId != null && groupId.length > 0) {
+                createPendingGroup();
+            }
+        } catch (Exception e) {
+            throw new DAVEException("Failed to unmarshal external sender", e);
+        }
+    }
+
+    @Nullable
+    public byte[] processProposals(byte[] proposals, Set<String> recognizedUserIDs) throws DAVEException {
+        try {
+            if (pendingGroupState == null && currentState == null) {
+                throw new DAVEException("Cannot process proposals without any pending or established MLS group state");
+            }
+
+            if (stateWithProposals == null) {
+                stateWithProposals = (pendingGroupState != null ? pendingGroupState : currentState);
+            }
+
+            logger.info("Processing MLS proposals message of {} bytes", proposals.length);
+            logger.info("Proposals: {}", Hex.toHexString(proposals));
+
+            MLSInputStream inStream = new MLSInputStream(proposals);
+
+            boolean isRevoke = (boolean) inStream.read(boolean.class);
+            logger.info("Revoking: {}", isRevoke);
+
+            var suite = stateWithProposals.getSuite();
+
+            if (isRevoke) {
+                var refs = new ArrayList<byte[]>();
+                inStream.readList(refs, byte[].class);
+
+                for (byte[] ref : refs) {
+                    boolean found = false;
+                    for (var it = proposalQueue.iterator(); it.hasNext(); ) {
+                        var prop = it.next();
+                        if (Arrays.equals(prop.ref, ref)) {
+                            found = true;
+                            it.remove();
+                            break;
+                        }
+                    }
+
+                    if (!found) {
+                        throw new DAVEException("Cannot revoke unrecognized proposal ref");
+                    }
+                }
+
+                stateWithProposals = (pendingGroupState != null ? pendingGroupState : currentState);
+
+                for (QueuedProposal prop : proposalQueue) {
+                    stateWithProposals.handle(prop.content, null, null);
+                }
+            } else {
+                var messages = new ArrayList<MLSMessage>();
+                inStream.readList(messages, MLSMessage.class);
+
+                for (var proposalMessage : messages) {
+                    var validatedMessage = stateWithProposals.unwrap(proposalMessage);
+
+                    if (!validateProposalMessage(validatedMessage.getAuthenticatedContent(), stateWithProposals, recognizedUserIDs)) {
+                        return null;
+                    }
+
+                    stateWithProposals.handle(validatedMessage.getAuthenticatedContent(), null, null);
+
+                    var ref = suite.refHash(MLSOutputStream.encode(validatedMessage.getAuthenticatedContent()), "MLS 1.0 Proposal Reference");
+
+                    proposalQueue.add(new QueuedProposal(validatedMessage.getAuthenticatedContent(), ref));
+                }
+            }
+
+            // generate a commit
+            var commitSecret = new byte[suite.getKDF().getHashLength()];
+            SecureRandom random = new SecureRandom();
+            random.nextBytes(commitSecret);
+
+            // Commit the Add and PSK proposals
+            var commitOpts = new Group.CommitOptions(
+                    List.of(), // no extra proposals
+                    true, // inline tree in welcome
+                    false, // do not force path
+                    new Group.LeafNodeOptions()
+            );
+
+            var commit = stateWithProposals.commit(new Secret(commitSecret), commitOpts, new Group.MessageOptions(),
+                    new Group.CommitParameters(Group.NORMAL_COMMIT_PARAMS));
+
+            logger.info("Prepared commit/welcome/next state for MLS group from received proposals");
+
+            var outStream = new MLSOutputStream();
+            outStream.write(commit.message);
+
+            pendingGroupCommit = commit.message;
+
+            if (!commit.message.welcome.getSecrets().isEmpty()) {
+                outStream.write(commit.message.welcome);
+            }
+
+            outboundCachedGroupState = commit.group;
+
+            logger.info("Output: {}", Hex.toHexString(outStream.toByteArray()));
+
+            return outStream.toByteArray();
+        } catch (Exception e) {
+            throw new DAVEException("Failed to parse MLS proposals", e);
+        }
+    }
+
+    private boolean isRecognizedUserID(Credential cred, Set<String> recognizedUserIDs) {
+        String uid = UserCredential.userCredentialToString(cred, protocolVersion);
+        if (uid.isEmpty()) {
+            logger.error("Attempted to verify credential of unexpected type");
+            return false;
+        }
+
+        if (!recognizedUserIDs.contains(uid)) {
+            logger.error("Attempted to verify credential for unrecognized user ID: {}", uid);
+            return false;
+        }
+
+        return true;
+    }
+
+    private boolean validateProposalMessage(AuthenticatedContent message, Group targetGroup, Set<String> recognizedUserIds) {
+        if (message.getWireFormat() != WireFormat.mls_private_message) {
+            logger.error("MLS proposal message must be PublicMessage");
+            return false;
+        }
+
+        if (message.getContent().getEpoch() != targetGroup.getEpoch()) {
+            logger.error("MLS proposal message must be for current epoch ({}) != {}", message.getContent().getEpoch(), targetGroup.getEpoch());
+            return false;
+        }
+
+        if (message.getContent().getContentType() != ContentType.PROPOSAL) {
+            logger.error("ProcessProposals called with non-proposal message");
+            return false;
+        }
+
+        if (message.getContent().getSender().getSenderType() != SenderType.EXTERNAL) {
+            logger.error("MLS proposal must be from external sender");
+            return false;
+        }
+
+        var proposal = message.getContent().getProposal();
+        switch (proposal.getProposalType()) {
+            case ADD:
+                var credential = proposal.getAdd().keyPackage.getLeafNode().getCredential();
+                if (!isRecognizedUserID(credential, recognizedUserIds)) {
+                    logger.error("MLS add proposal must be for recognized user");
+                    return false;
+                }
+                break;
+            case REMOVE:
+                // Remove proposals are always allowed (mlspp will validate that it's a recognized user)
+                break;
+            default:
+                logger.error("MLS proposal must be add or remove");
+                return false;
+        }
+
+        return true;
+    }
+
+    private boolean canProcessCommit(MLSMessage commit) {
+        if (stateWithProposals == null) {
+            return false;
+        }
+
+        if (!Arrays.equals(commit.getGroupId(), groupId)) {
+            logger.error("MLS commit message was for unexpected group");
+            return false;
+        }
+
+        return true;
+    }
+
+    @NotNull
+    public RosterVariant processCommit(byte[] commit) {
+        try {
+            logger.info("Processing commit");
+            logger.info("Commit: {}", Hex.toHexString(commit));
+
+            var commitMessage = (MLSMessage) MLSInputStream.decode(commit, MLSMessage.class);
+
+            if (!canProcessCommit(commitMessage)) {
+                logger.error("ProcessCommit called with unprocessable MLS commit");
+                return new RosterVariant.Ignored();
+            }
+
+            Group optionalCachedGroup = null;
+            if (outboundCachedGroupState != null) {
+                optionalCachedGroup = outboundCachedGroupState;
+            }
+
+            var newState = stateWithProposals.handle(stateWithProposals.unwrap(commitMessage).getAuthenticatedContent(),
+                    optionalCachedGroup, null);
+
+            if (newState == null) {
+                logger.error("MLS commit handling did not produce a new state");
+                return new RosterVariant.Failed();
+            }
+
+            logger.info("Successfully processed MLS commit, updating state; our leaf index is {}; current epoch is {}",
+                    newState.getIndex().value(), newState.getEpoch());
+
+            var ret = replaceState(newState);
+            outboundCachedGroupState = null;
+            clearPendingState();
+
+            return ret;
+        } catch (Exception e) {
+            logger.error("Failed to process MLS commit: {}", e.getMessage());
+            return new RosterVariant.Failed();
+        }
+    }
+
+    @Nullable
+    public RosterVariant.RosterMap processWelcome(byte[] welcome, Set<String> recognizedUserIDs) {
+        try {
+            if (!hasCryptographicStateForWelcome()) {
+                logger.error("Missing local crypto state necessary to process MLS welcome");
+                return null;
+            }
+
+            if (externalSender == null) {
+                logger.error("Cannot process MLS welcome without an external sender");
+                return null;
+            }
+
+            if (currentState != null) {
+                logger.error("Cannot process MLS welcome after joining/creating an MLS group");
+                return null;
+            }
+
+            logger.info("Processing welcome: {}", Hex.toHexString(welcome));
+
+            var unmarshalledWelcome = (MLSMessage) MLSInputStream.decode(welcome, MLSMessage.class);
+            var suite = unmarshalledWelcome.welcome.getSuite();
+
+            // TODO: BC MLS does redundant serialization ;w;
+            var newState = new Group(suite.getHPKE().serializePrivateKey(joinInitPrivateKey.getPrivate()),
+                    selfHPKEPrivateKey,
+                    suite.getHPKE().serializePrivateKey(selfSigPrivateKey.getPrivate()),
+                    joinKeyPackage,
+                    unmarshalledWelcome.welcome,
+                    null,
+                    new HashMap<>(),
+                    new HashMap<>());
+
+            if (!verifyWelcomeState(newState, recognizedUserIDs)) {
+                logger.error("Group received in MLS welcome is not valid");
+                return null;
+            }
+
+            logger.info("Successfully welcomed to MLS Group, our leaf index is {}; current epoch is {}",
+                    newState.getIndex().value(), newState.getEpoch());
+
+            var ret = replaceState(newState);
+
+            clearPendingState();
+
+            return ret;
+        } catch (Exception e) {
+            logger.error("Failed to create group state from MLS welcome: {}", e.getMessage());
+            return null;
+        }
+    }
+
+    private RosterVariant.RosterMap replaceState(Group state) {
+        var newRoster = new HashMap<Long, byte[]>();
+        for (var node : state.roster()) {
+            if (node.getCredential().getCredentialType() == CredentialType.basic) {
+                newRoster.put(MLSUtil.fromBigEndianBytes(node.getCredential().getIdentity()), node.getSignatureKey());
+            }
+        }
+
+        var changeMap = new HashMap<Long, byte[]>();
+
+        newRoster.forEach((key, value) -> {
+            if (!roster.containsKey(key)) {
+                changeMap.put(key, new byte[0]);
+            }
+        });
+
+        roster.forEach((key, value) -> {
+            if (!newRoster.containsKey(key)) {
+                changeMap.put(key, new byte[0]);
+            }
+        });
+
+        roster = newRoster;
+        currentState = state;
+
+        return new RosterVariant.RosterMap(changeMap);
+    }
+
+    private boolean hasCryptographicStateForWelcome() {
+        return joinKeyPackage != null && joinInitPrivateKey != null && selfSigPrivateKey != null && selfHPKEPrivateKey != null;
+    }
+
+    private boolean verifyWelcomeState(Group state, Set<String> recognizedUserIDs) {
+        if (externalSender == null) {
+            logger.error("Cannot verify MLS welcome without an external sender");
+            return false;
+        }
+
+        var ext = state.getExtensions().stream().filter(extension -> extension.extensionType == ExtensionType.EXTERNAL_SENDERS).findFirst();
+        if (ext.isEmpty()) {
+            logger.error("MLS welcome missing external senders extension");
+            return false;
+        }
+
+        List<ExternalSender> senders;
+        try {
+            senders = ext.get().getSenders();
+        } catch (IOException e) {
+            logger.error("Failed to read external senders", e);
+            return false;
+        }
+
+        if (senders.size() != 1) {
+            logger.error("MLS welcome lists unexpected number of external senders: {}", senders.size());
+            return false;
+        }
+
+        if (!senders.get(0).equals(externalSender)) {
+            logger.error("MLS welcome lists unexpected external sender");
+            return false;
+        }
+
+        for (var leaf : state.roster()) {
+            if (!isRecognizedUserID(leaf.getCredential(), recognizedUserIDs)) {
+                logger.error("MLS welcome lists unrecognized user ID");
+                // TRACK_MLS_ERROR("Welcome message lists unrecognized user ID");
+                // return false;
+            }
+        }
+
+        return true;
+    }
+
+    private void initLeafNode(String selfUserId, @Nullable AsymmetricCipherKeyPair transientKey) throws DAVEException {
+        var cipherSuite = Parameters.ciphersuiteForProtocolVersion(protocolVersion);
+
+        if (transientKey == null) {
+            if (signingKeyId.isEmpty()) {
+                //Generate a new key pair
+                transientKey = cipherSuite.generateSignatureKeyPair();
+            } else if (persistentKeyManager != null) {
+                transientKey = persistentKeyManager.getKeyPair(signingKeyId, protocolVersion);
+            } else {
+                throw new DAVEException("Did not receive MLS signature private key!");
+            }
+        }
+
+        selfSigPrivateKey = transientKey;
+
+        var selfCredential = UserCredential.createUserCredential(selfUserId, protocolVersion);
+
+        selfHPKEPrivateKey = cipherSuite.getHPKE().generatePrivateKey();
+
+        try {
+            Objects.requireNonNull(selfSigPrivateKey);
+            Objects.requireNonNull(selfHPKEPrivateKey);
+
+            selfLeafNode = new LeafNode(cipherSuite,
+                    cipherSuite.getHPKE().serializePublicKey(selfHPKEPrivateKey.getPublic()),
+                    cipherSuite.serializeSignaturePublicKey(selfSigPrivateKey.getPublic()),
+                    selfCredential,
+                    Parameters.leafNodeCapabilitiesForProtocolVersion(protocolVersion),
+                    new LifeTime(),
+                    Parameters.leafNodeExtensionsForProtocolVersion(protocolVersion),
+                    cipherSuite.serializeSignaturePrivateKey(selfSigPrivateKey.getPrivate()));
+
+            logger.info("Created MLS leaf node");
+        } catch (Exception e) {
+            throw new DAVEException("Failed to initialize MLS leaf node", e);
+        }
+    }
+
+    private void resetJoinKeyPackage() throws DAVEException {
+        try {
+            if (selfLeafNode == null) {
+                throw new DAVEException("Cannot initialize join key package without a leaf node");
+            }
+
+            var cipherSuite = Parameters.ciphersuiteForProtocolVersion(protocolVersion);
+
+            joinInitPrivateKey = cipherSuite.getHPKE().generatePrivateKey();
+
+            joinKeyPackage = new KeyPackage(cipherSuite,
+                    cipherSuite.getHPKE().serializePublicKey(joinInitPrivateKey.getPublic()),
+                    selfLeafNode,
+                    Parameters.leafNodeExtensionsForProtocolVersion(protocolVersion),
+                    cipherSuite.serializeSignaturePrivateKey(selfSigPrivateKey.getPrivate()));
+
+            logger.info("Generated key package: {}", Hex.toHexString(MLSOutputStream.encode(joinKeyPackage)));
+        } catch (Exception e) {
+            throw new DAVEException("Failed to initialize join key package", e);
+        }
+    }
+
+    private void createPendingGroup() throws DAVEException {
+        try {
+            if (groupId == null || groupId.length == 0) {
+                throw new DAVEException("Cannot create MLS group without a group ID");
+            }
+
+            if (externalSender == null) {
+                throw new DAVEException("Cannot create MLS group without ExternalSender");
+            }
+
+            if (selfLeafNode == null) {
+                throw new DAVEException("Cannot create MLS group without self leaf node");
+            }
+
+            logger.info("Creating a pending MLS group");
+
+            var cipherSuite = Parameters.ciphersuiteForProtocolVersion(protocolVersion);
+
+            pendingGroupState = new Group(groupId, cipherSuite, selfHPKEPrivateKey,
+                    cipherSuite.serializeSignaturePrivateKey(selfSigPrivateKey.getPrivate()),
+                    selfLeafNode,
+                    Parameters.groupExtensionsForProtocolVersion(protocolVersion, externalSender));
+
+            logger.info("Created a pending MLS group");
+        } catch (Exception e) {
+            throw new DAVEException("Failed to create MLS group", e);
+        }
+    }
+
+    public byte[] getMarshalledKeyPackage() throws DAVEException {
+        try {
+            // key packages are not meant to be re-used
+            // so every time the client asks for a key package we create a new one
+            resetJoinKeyPackage();
+
+            if (joinKeyPackage == null) {
+                throw new DAVEException("Cannot marshal an uninitialized key package");
+            }
+
+            return MLSOutputStream.encode(joinKeyPackage);
+        } catch (Exception e) {
+            throw new DAVEException("Failed to marshal join key package", e);
+        }
+    }
+
+    public KeyRatchet getKeyRatchet(String userId) throws DAVEException {
+        try {
+            if (currentState == null) {
+                throw new DAVEException("Cannot get key ratchet without an established MLS group");
+            }
+
+            // change the string user ID to a little endian 64 bit user ID
+            byte[] userIdBytes = MLSUtil.littleEndianBytesFromString(userId);
+
+            // generate the base secret for the hash ratchet
+            byte[] baseSecret = currentState.getKeySchedule().MLSExporter("User Media Key Base Label", userIdBytes, 16);
+
+            // this assumes the MLS ciphersuite produces a 16 byte key
+            // would need to be updated to a different ciphersuite if there's a future mismatch
+            return new MLSKeyRatchet(currentState.getSuite(), baseSecret);
+        } catch (Exception e) {
+            throw new DAVEException("Failed to get key ratchet", e);
+        }
+    }
+
+    private static final byte[] SALT = Hex.decode("24cab17a7af8ec2b82b412b92dab192e");
+
+    public void getPairwiseFingerprint(int version, String userId, Consumer<byte[]> callback) throws DAVEException {
+        try {
+            if (currentState == null || selfSigPrivateKey == null) {
+                throw new DAVEException("Cannot get pairwise fingerprint without an established MLS group");
+            }
+
+            long u64RemoteUserId = Long.parseLong(userId);
+            long u64SelfUserId = Long.parseLong(selfUserId);
+
+            byte[] remoteUserIdBytes = MLSUtil.bigEndianBytesFrom(u64RemoteUserId);
+            byte[] selfUserIdBytes = MLSUtil.bigEndianBytesFrom(u64SelfUserId);
+
+            MLSOutputStream toHash1 = new MLSOutputStream();
+            MLSOutputStream toHash2 = new MLSOutputStream();
+
+            toHash1.write(version);
+            toHash1.write(remoteUserIdBytes);
+
+            toHash2.write(version);
+            toHash2.write(currentState.getSuite().serializeSignaturePublicKey(selfSigPrivateKey.getPublic()));
+            toHash2.write(selfUserIdBytes);
+
+            var keyData = new ArrayList<byte[]>();
+            keyData.add(toHash1.toByteArray());
+            keyData.add(toHash2.toByteArray());
+            keyData.sort(Arrays::compare);
+
+            var data = new byte[keyData.get(0).length + keyData.get(1).length];
+            System.arraycopy(keyData.get(0), 0, data, 0, keyData.get(0).length);
+            System.arraycopy(keyData.get(1), 0, data, keyData.get(0).length, keyData.get(1).length);
+
+            int N = 16384, r = 8, p = 2, maxMem = 32 * 1024 * 1024;
+            int hashLen = 64;
+
+            var out = SCrypt.generate(data, SALT, N, r, p, hashLen);
+            callback.accept(out);
+        } catch (Exception e) {
+            throw new DAVEException("Failed to generate pairwise fingerprint", e);
+        }
+    }
+
+    private void clearPendingState() {
+        pendingGroupState = null;
+        pendingGroupCommit = null;
+
+        joinInitPrivateKey = null;
+        joinKeyPackage = null;
+
+        selfHPKEPrivateKey = null;
+
+        selfLeafNode = null;
+
+        stateWithProposals = null;
+        proposalQueue.clear();
+    }
+
+    static class QueuedProposal {
+        private final AuthenticatedContent content;
+        private final byte[] ref;
+
+        public QueuedProposal(AuthenticatedContent content, byte[] ref) {
+            this.content = content;
+            this.ref = ref;
+        }
+
+        public AuthenticatedContent getContent() {
+            return content;
+        }
+
+        public byte[] getRef() {
+            return ref;
+        }
+    }
+}
diff --git a/dave/src/main/java/moe/kyokobot/koe/dave/util/MLSUtil.java b/dave/src/main/java/moe/kyokobot/koe/dave/util/MLSUtil.java
new file mode 100644
index 0000000..f96852a
--- /dev/null
+++ b/dave/src/main/java/moe/kyokobot/koe/dave/util/MLSUtil.java
@@ -0,0 +1,46 @@
+package moe.kyokobot.koe.dave.util;
+
+public class MLSUtil {
+    /**
+     * Turns a long into a byte array containing a big endian u64.
+     * @param value The long to convert.
+     * @return The byte array.
+     */
+    public static byte[] bigEndianBytesFrom(long value) {
+        byte[] bytes = new byte[8];
+        for (int i = 7; i >= 0; i--) {
+            bytes[i] = (byte) (value & 0xFF);
+            value >>= 8;
+        }
+        return bytes;
+    }
+
+    /**
+     * Turns a byte array containing a big endian u64 into a long.
+     * @param bytes The byte array to convert.
+     * @return The long.
+     */
+    public static long fromBigEndianBytes(byte[] bytes) {
+        long value = 0;
+        for (int i = 0; i < 8; i++) {
+            value <<= 8;
+            value |= bytes[i] & 0xFF;
+        }
+        return value;
+    }
+
+    /**
+     * Turns a String containing an unsigned long into a byte array containing a little endian u64.
+     * @param value The string to convert.
+     * @return The byte array.
+     */
+    public static byte[] littleEndianBytesFromString(String value) {
+        long longValue = Long.parseUnsignedLong(value);
+        byte[] bytes = new byte[8];
+        for (int i = 0; i < 8; i++) {
+            bytes[i] = (byte) (longValue & 0xFF);
+            longValue >>= 8;
+        }
+        return bytes;
+    }
+}
diff --git a/ext-udpqueue/build.gradle b/ext-udpqueue/build.gradle
index a730e69..a184267 100644
--- a/ext-udpqueue/build.gradle
+++ b/ext-udpqueue/build.gradle
@@ -2,5 +2,5 @@ dependencies {
     compileOnly project(':core')
     implementation 'dev.arbjerg:lava-common:2.2.1'
     implementation group: 'club.minnced', name: 'udpqueue-api', version: '0.2.9'
-    compileOnly group: 'org.jetbrains', name: 'annotations', version: '13.0'
+    compileOnly group: 'org.jetbrains', name: 'annotations', version: "$jetbrainsAnnotationsVersion"
 }
diff --git a/mls/LICENSE b/mls/LICENSE
new file mode 100644
index 0000000..e91af8e
--- /dev/null
+++ b/mls/LICENSE
@@ -0,0 +1,27 @@
+Please note the Bouncy Caste License should be read in the same way as the MIT license.
+
+Please also note this licensing model is made possible through funding from donations and the sale of support contracts.
+
+Bouncy Castle License
+
+Copyright (c) 2000 - 2024 The Legion of the Bouncy Castle Inc. (https://www.bouncycastle.org)
+Copyright (c) 2019 Alula
+
+
+Permission is hereby granted, free of charge, to any person obtaining a copy 
+of this software and associated documentation files (the "Software"), to deal 
+in the Software without restriction, including without limitation the rights 
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 
+copies of the Software, and to permit persons to whom the Software is 
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all 
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 
+SOFTWARE.
diff --git a/mls/README.md b/mls/README.md
new file mode 100644
index 0000000..dea6a2c
--- /dev/null
+++ b/mls/README.md
@@ -0,0 +1,31 @@
+# BouncyCastle MLS (Koe fork)
+
+This is a fork of [BouncyCastle's](https://www.bouncycastle.org/) MLS library.
+
+### Personal notes / changes
+
+- BC MLS lib seems to be a direct port of Cisco's MLS++ library (so what libdave uses) and most things map 1:1.
+    - https://github.com/bcgit/bc-java/issues/1317
+- When I noticed first roadblocks and realized I have to modify the source code, I first tried to port it to Tink.
+    - However Tink seems to be pretty badly documented. I had to heavily rely on the source code.
+    - It's missing certain HKDF functionality, so I had to either reimplement it using code from `internal` package
+      (which does not sound future-proof) or completely reinvent the wheel.
+    - I decided to give up and just stick with BouncyCastle and maybe replace Tink with it in Koe to reduce amount of
+      dependencies that do the same thing.
+- I've removed dependency on gRPC and Protobuf
+    - Why does BC MLS ship with these?
+    - It's only purpose seems to be interop testing apparently: https://github.com/bcgit/bc-java/pull/1565
+- `Capabilities` class doesn't expose any of it's fields, so I couldn't change extensions and supported suites to what
+  DAVE expects without parsing a serialized message...
+- `Group` was missing an equivalent of `State::unwrap` method.
+- `Welcome` has no clean way to access `secrets`, `EncryptedGroupSecrets` were private.
+- The library has many methods that only accept serialized messages and even does redundant re-serialization internally
+  in some places :(
+    - most notably key handling? (ctrl+f `serializePrivateKey`)
+- Added `TreeKEMPublicKey.allLeaves` method.
+- Added `equals` to `ExternalSender`.
+
+### Possible replacements
+
+- https://github.com/Traderjoe95/mls-kotlin (written in Kotlin, but requires Java 21)
+- write our own?
diff --git a/mls/build.gradle b/mls/build.gradle
new file mode 100644
index 0000000..975bbae
--- /dev/null
+++ b/mls/build.gradle
@@ -0,0 +1,6 @@
+dependencies {
+    implementation group: 'org.slf4j', name: 'slf4j-api', version: "$slf4jVersion"
+    implementation group: 'org.bouncycastle', name: 'bcutil-jdk18on', version: "$bouncyCastleVersion"
+    api group: 'org.bouncycastle', name: 'bcprov-jdk18on', version: "$bouncyCastleVersion"
+}
+
diff --git a/mls/src/main/java/moe/kyokobot/koe/mls/GroupKeySet.java b/mls/src/main/java/moe/kyokobot/koe/mls/GroupKeySet.java
new file mode 100644
index 0000000..81188c7
--- /dev/null
+++ b/mls/src/main/java/moe/kyokobot/koe/mls/GroupKeySet.java
@@ -0,0 +1,308 @@
+package moe.kyokobot.koe.mls;
+
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.security.InvalidParameterException;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+import moe.kyokobot.koe.mls.codec.ContentType;
+import moe.kyokobot.koe.mls.crypto.MlsCipherSuite;
+import moe.kyokobot.koe.mls.TreeKEM.LeafIndex;
+import moe.kyokobot.koe.mls.TreeKEM.NodeIndex;
+import moe.kyokobot.koe.mls.crypto.Secret;
+
+public class GroupKeySet
+{
+    final MlsCipherSuite suite;
+    final int secretSize;
+    // We store a commitment to the encryption secret that was used to create this structure, so that we can compare
+    // for  purposes of equivalence checking without violating forward secrecy.
+    final Secret encryptionSecretCommit;
+
+    public SecretTree secretTree;
+    Map<LeafIndex, HashRatchet> handshakeRatchets;
+    Map<LeafIndex, HashRatchet> applicationRatchets;
+
+
+    public GroupKeySet(MlsCipherSuite suite, TreeSize treeSize, Secret encryptionSecret)
+        throws IOException, IllegalAccessException
+    {
+        this.suite = suite;
+        this.secretSize = suite.getKDF().getHashLength();
+        this.encryptionSecretCommit = encryptionSecret.deriveSecret(suite, "commitment");
+        this.secretTree = new SecretTree(treeSize, encryptionSecret);
+        this.handshakeRatchets = new HashMap<LeafIndex, HashRatchet>();
+        this.applicationRatchets = new HashMap<LeafIndex, HashRatchet>();
+    }
+
+    @Override
+    public boolean equals(Object o)
+    {
+        if (this == o)
+        {
+            return true;
+        }
+        if (o == null || getClass() != o.getClass())
+        {
+            return false;
+        }
+        GroupKeySet that = (GroupKeySet)o;
+        return secretSize == that.secretSize && suite.equals(that.suite) && encryptionSecretCommit.equals(that.encryptionSecretCommit);
+    }
+
+    void initRatchets(LeafIndex sender)
+        throws IOException, IllegalAccessException
+    {
+        Secret leafSecret = secretTree.get(sender);
+
+        Secret handshakeRatchetSecret = leafSecret.expandWithLabel(suite, "handshake", new byte[]{}, secretSize);
+        Secret applicationRatchetSecret = leafSecret.expandWithLabel(suite, "application", new byte[]{}, secretSize);
+
+        HashRatchet handshakeRatchet = new HashRatchet(handshakeRatchetSecret);
+        HashRatchet applicationRatchet = new HashRatchet(applicationRatchetSecret);
+
+        handshakeRatchets.put(sender, handshakeRatchet);
+        applicationRatchets.put(sender, applicationRatchet);
+    }
+
+    public KeyGeneration get(ContentType contentType, LeafIndex sender, int generation, byte[] reuseGuard)
+        throws IOException, IllegalAccessException
+    {
+        HashRatchet chain;
+
+        switch (contentType)
+        {
+        case APPLICATION:
+            chain = applicationRatchet(sender);
+            break;
+        case PROPOSAL:
+        case COMMIT:
+            chain = handshakeRatchet(sender);
+            break;
+        default:
+            return null;
+        }
+
+        KeyGeneration keys = chain.get(generation);
+        ApplyReuseGuard(reuseGuard, keys.nonce);
+        return keys;
+    }
+
+    public KeyGeneration get(ContentType contentType, LeafIndex sender, byte[] reuseGuard)
+        throws IOException, IllegalAccessException
+    {
+        HashRatchet chain;
+
+        switch (contentType)
+        {
+        case APPLICATION:
+            chain = applicationRatchet(sender);
+            break;
+        case PROPOSAL:
+        case COMMIT:
+            chain = handshakeRatchet(sender);
+            break;
+        default:
+            return null;
+        }
+
+        KeyGeneration keys = chain.next();
+        ApplyReuseGuard(reuseGuard, keys.nonce);
+        return keys;
+    }
+
+    private void ApplyReuseGuard(byte[] guard, byte[] nonce)
+    {
+        for (int i = 0; i < guard.length; i++)
+        {
+            nonce[i] ^= guard[i];
+        }
+    }
+
+    public void erase(ContentType contentType, LeafIndex sender, int generation)
+        throws IOException, IllegalAccessException
+    {
+        switch (contentType)
+        {
+
+        case APPLICATION:
+            applicationRatchet(sender).erase(generation);
+            break;
+        case PROPOSAL:
+        case COMMIT:
+            handshakeRatchet(sender).erase(generation);
+            break;
+        }
+    }
+
+    public HashRatchet handshakeRatchet(LeafIndex sender)
+        throws IOException, IllegalAccessException
+    {
+        if (!handshakeRatchets.containsKey(sender))
+        {
+            initRatchets(sender);
+        }
+        return handshakeRatchets.get(sender);
+    }
+
+    public HashRatchet applicationRatchet(LeafIndex sender)
+        throws IOException, IllegalAccessException
+    {
+        if (!applicationRatchets.containsKey(sender))
+        {
+            initRatchets(sender);
+        }
+        return applicationRatchets.get(sender);
+    }
+
+    public boolean hasLeaf(LeafIndex sender)
+    {
+        return secretTree.hasLeaf(sender);
+    }
+
+    public class SecretTree
+    {
+        final TreeSize treeSize;
+        public Map<NodeIndex, Secret> secrets;
+
+        public SecretTree(TreeSize treeSizeIn, Secret encryptionSecret)
+        {
+            treeSize = treeSizeIn;
+            secrets = new HashMap<NodeIndex, Secret>();
+            secrets.put(NodeIndex.root(treeSize), encryptionSecret);
+        }
+
+        protected boolean hasLeaf(LeafIndex sender)
+        {
+            return sender.value() < treeSize.leafCount();
+        }
+
+        public Secret get(LeafIndex leaf)
+            throws IOException, IllegalAccessException
+        {
+
+            final byte[] leftLabel = "left".getBytes(StandardCharsets.UTF_8);
+            final byte[] rightLabel = "right".getBytes(StandardCharsets.UTF_8);
+
+            NodeIndex rootNode = NodeIndex.root(treeSize);
+            NodeIndex leafNode = new NodeIndex(leaf);
+
+            // Find an ancestor that is populated
+            List<NodeIndex> dirpath = leaf.directPath(treeSize);
+            dirpath.add(0, leafNode);
+            dirpath.add(rootNode);
+            int curr = 0;
+            for (; curr < dirpath.size(); curr++)
+            {
+                if (secrets.containsKey(dirpath.get(curr)))
+                {
+                    break;
+                }
+            }
+
+            if (curr > dirpath.size())
+            {
+                throw new InvalidParameterException("No secret found to derive leaf key");
+            }
+
+            // Derive down
+            for (; curr > 0; curr--)
+            {
+                NodeIndex currNode = dirpath.get(curr);
+                NodeIndex left = currNode.left();
+                NodeIndex right = currNode.right();
+
+                Secret secret = secrets.get(currNode);
+                secrets.put(left, secret.expandWithLabel(suite, "tree", leftLabel, secretSize));
+                secrets.put(right, secret.expandWithLabel(suite, "tree", rightLabel, secretSize));
+            }
+
+            // Get the leaf secret
+            Secret leafSecret = secrets.get(leafNode);
+
+            // Forget the secrets along the direct path
+            for (NodeIndex i : dirpath)
+            {
+                if (i.equals(leafNode))
+                {
+                    continue;
+                }
+
+                if (secrets.containsKey(i))
+                {
+                    secrets.get(i).consume();
+                    secrets.remove(i);
+                }
+            }
+
+            return leafSecret;
+        }
+    }
+
+    public class HashRatchet
+    {
+        final int keySize;
+        final int nonceSize;
+        Secret nextSecret;
+        int nextGeneration;
+        Map<Integer, KeyGeneration> cache;
+
+        HashRatchet(Secret baseSecret)
+        {
+            keySize = suite.getAEAD().getKeySize();
+            nonceSize = suite.getAEAD().getNonceSize();
+            nextGeneration = 0;
+            nextSecret = baseSecret;
+            cache = new HashMap<Integer, KeyGeneration>();
+        }
+
+        public KeyGeneration next()
+            throws IOException, IllegalAccessException
+        {
+            Secret key = nextSecret.deriveTreeSecret(suite, "key", nextGeneration, keySize);
+            Secret nonce = nextSecret.deriveTreeSecret(suite, "nonce", nextGeneration, nonceSize);
+            Secret secret = nextSecret.deriveTreeSecret(suite, "secret", nextGeneration, secretSize);
+
+            KeyGeneration generation = new KeyGeneration(nextGeneration, key, nonce);
+
+            nextGeneration += 1;
+            nextSecret.consume();
+            nextSecret = secret;
+
+            cache.put(generation.generation, generation);
+            return generation;
+        }
+
+        public KeyGeneration get(int generation)
+            throws IOException, IllegalAccessException
+        {
+            if (cache.containsKey(generation))
+            {
+                return cache.get(generation);
+            }
+
+            if (nextGeneration > generation)
+            {
+                throw new InvalidParameterException("Request for expired key");
+            }
+
+            while (nextGeneration < generation)
+            {
+                next();
+            }
+
+            return next();
+        }
+
+        public void erase(int generation)
+        {
+            if (cache.containsKey(generation))
+            {
+                cache.get(generation).consume();
+                cache.remove(generation);
+            }
+        }
+    }
+}
diff --git a/mls/src/main/java/moe/kyokobot/koe/mls/KeyGeneration.java b/mls/src/main/java/moe/kyokobot/koe/mls/KeyGeneration.java
new file mode 100644
index 0000000..bddec7e
--- /dev/null
+++ b/mls/src/main/java/moe/kyokobot/koe/mls/KeyGeneration.java
@@ -0,0 +1,43 @@
+package moe.kyokobot.koe.mls;
+
+import java.util.Arrays;
+
+import moe.kyokobot.koe.mls.crypto.Secret;
+
+public class KeyGeneration
+{
+    public final int generation;
+    public final byte[] key;
+    public final byte[] nonce;
+
+    public KeyGeneration(int generation, Secret key, Secret nonce)
+    {
+        this.generation = generation;
+        this.key = key.value().clone();
+        this.nonce = nonce.value().clone();
+
+        key.consume();
+        nonce.consume();
+    }
+
+    @Override
+    public boolean equals(Object o)
+    {
+        if (this == o)
+        {
+            return true;
+        }
+        if (o == null || getClass() != o.getClass())
+        {
+            return false;
+        }
+        KeyGeneration that = (KeyGeneration)o;
+        return generation == that.generation && Arrays.equals(key, that.key) && Arrays.equals(nonce, that.nonce);
+    }
+
+    void consume()
+    {
+        Arrays.fill(key, (byte)0);
+        Arrays.fill(nonce, (byte)0);
+    }
+}
diff --git a/mls/src/main/java/moe/kyokobot/koe/mls/KeyScheduleEpoch.java b/mls/src/main/java/moe/kyokobot/koe/mls/KeyScheduleEpoch.java
new file mode 100644
index 0000000..f5b953c
--- /dev/null
+++ b/mls/src/main/java/moe/kyokobot/koe/mls/KeyScheduleEpoch.java
@@ -0,0 +1,486 @@
+package moe.kyokobot.koe.mls;
+
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.security.SecureRandom;
+import java.util.ArrayList;
+import java.util.List;
+
+import moe.kyokobot.koe.mls.codec.MLSOutputStream;
+import moe.kyokobot.koe.mls.codec.PreSharedKeyID;
+import moe.kyokobot.koe.mls.crypto.MlsCipherSuite;
+import org.bouncycastle.crypto.AsymmetricCipherKeyPair;
+import org.bouncycastle.crypto.hpke.HPKEContext;
+import org.bouncycastle.crypto.hpke.HPKEContextWithEncapsulation;
+import org.bouncycastle.crypto.params.AsymmetricKeyParameter;
+import moe.kyokobot.koe.mls.crypto.Secret;
+import org.bouncycastle.util.Arrays;
+
+public class KeyScheduleEpoch
+{
+    public static class PSKWithSecret
+    {
+        public PreSharedKeyID id;
+        public Secret secret;
+
+        public PSKWithSecret(PreSharedKeyID id, Secret secret)
+        {
+            this.id = id;
+            this.secret = secret;
+        }
+    }
+
+    public byte[] receiveExternalInit(byte[] kemOut)
+        throws IOException
+    {
+        // do export (private key)
+        final int L = suite.getKDF().getHashLength();
+        final byte[] labelData = "MLS 1.0 external init secret".getBytes(StandardCharsets.UTF_8);
+        HPKEContext ctx = suite.getHPKE().setupBaseR(kemOut, externalKeyPair, new byte[0]);
+
+        return ctx.export(labelData, L);
+    }
+
+    public static class JoinSecrets
+    {
+        // Cached values
+        private final MlsCipherSuite suite;
+        // Public values
+        public final Secret joinerSecret;
+
+        public Secret welcomeSecret;
+        public Secret welcomeKey;
+        public Secret welcomeNonce;
+        private Secret memberSecret; // Held to derive further secrets
+
+        static class PSKLabel
+            implements MLSOutputStream.Writable
+        {
+            PreSharedKeyID id;
+            short index;
+            short count;
+
+            public PSKLabel(PreSharedKeyID id, short index, short count)
+            {
+                this.id = id;
+                this.index = index;
+                this.count = count;
+            }
+
+            @Override
+            public void writeTo(MLSOutputStream stream)
+                throws IOException
+            {
+                stream.write(id);
+                stream.write(index);
+                stream.write(count);
+            }
+        }
+
+        /*
+                         0                               0    = psk_secret_[0]
+                         |                               |
+                         V                               V
+        psk_[0]   --> Extract --> ExpandWithLabel --> Extract = psk_secret_[1]
+                                                         |
+                         0                               |
+                         |                               |
+                         V                               V
+        psk_[1]   --> Extract --> ExpandWithLabel --> Extract = psk_secret_[2]
+                                                         |
+                         0                              ...
+                         |                               |
+                         V                               V
+        psk_[n-1] --> Extract --> ExpandWithLabel --> Extract = psk_secret_[n]
+         */
+        public static Secret pskSecret(MlsCipherSuite suite, List<PSKWithSecret> psks)
+            throws IOException
+        {
+            Secret pskSecret = Secret.zero(suite);
+            if (psks == null || psks.isEmpty())
+            {
+                return pskSecret;
+            }
+
+            short index = 0;
+            short count = (short)psks.size();
+            for (PSKWithSecret psk : psks)
+            {
+                PSKLabel label = new PSKLabel(psk.id, index, count);
+                byte[] pskLabel = MLSOutputStream.encode(label);
+                index += 1;
+
+                Secret pskExtracted = Secret.extract(suite, Secret.zero(suite), psk.secret);
+                Secret pskInput = pskExtracted.expandWithLabel(suite, "derived psk", pskLabel, suite.getKDF().getHashLength());
+                pskSecret = Secret.extract(suite, pskInput, pskSecret);
+            }
+
+            return pskSecret;
+        }
+
+        /*
+                   init_secret_[n-1]
+                         |
+                         |
+                         V
+   commit_secret --> KDF.Extract
+                         |
+                         |
+                         V
+                 ExpandWithLabel(., "joiner", GroupContext_[n], KDF.Nh)
+                         |
+                         |
+                         V
+                    joiner_secret
+
+        */
+        public static JoinSecrets forMember(MlsCipherSuite suite, Secret initSecret, Secret commitSecret, Secret pskSecret, byte[] context)
+            throws IOException
+        {
+            Secret preJoinerSecret = Secret.extract(suite, initSecret, commitSecret);
+            Secret joinerSecret = preJoinerSecret.expandWithLabel(suite, "joiner", context, suite.getKDF().getHashLength());
+            return new JoinSecrets(suite, joinerSecret, pskSecret);
+        }
+
+        /*
+                     joiner_secret
+                          |
+                          |
+                          V
+psk_secret (or 0) --> KDF.Extract
+                          |
+                          |
+                          +--> DeriveSecret(., "welcome")
+                          |    = welcome_secret
+                          |
+                          V
+                  ExpandWithLabel(., "epoch", GroupContext_[n], KDF.Nh)
+                          |
+                          |
+                          V
+                     epoch_secret
+     */
+        public JoinSecrets(MlsCipherSuite suite, Secret joinerSecret, List<PSKWithSecret> psks)
+            throws IOException
+        {
+            this.suite = suite;
+            this.joinerSecret = joinerSecret;
+            this.memberSecret = Secret.extract(suite, joinerSecret, pskSecret(suite, psks));
+            // Carry-forward values
+            // Held to avoid consuming joinerSecret
+            this.welcomeSecret = memberSecret.deriveSecret(suite, "welcome");
+            this.welcomeKey = welcomeSecret.expand(suite, "key", suite.getAEAD().getKeySize());
+            this.welcomeNonce = welcomeSecret.expand(suite, "nonce", suite.getAEAD().getNonceSize());
+        }
+
+        public JoinSecrets(MlsCipherSuite suite, Secret joinerSecret, Secret pskSecret)
+            throws IOException
+        {
+            this.suite = suite;
+            this.joinerSecret = joinerSecret;
+            this.memberSecret = Secret.extract(suite, joinerSecret, pskSecret);
+            // Carry-forward values
+            // Held to avoid consuming joinerSecret
+            this.welcomeSecret = memberSecret.deriveSecret(suite, "welcome");
+            this.welcomeKey = welcomeSecret.expand(suite, "key", suite.getAEAD().getKeySize());
+            this.welcomeNonce = welcomeSecret.expand(suite, "nonce", suite.getAEAD().getNonceSize());
+        }
+
+        public void injectPskSecret(Secret pskSecret)
+            throws IOException
+        {
+            this.memberSecret = Secret.extract(suite, joinerSecret, pskSecret);
+            this.welcomeSecret = memberSecret.deriveSecret(suite, "welcome");
+            this.welcomeKey = welcomeSecret.expand(suite, "key", suite.getAEAD().getKeySize());
+            this.welcomeNonce = welcomeSecret.expand(suite, "nonce", suite.getAEAD().getNonceSize());
+        }
+
+
+        public KeyScheduleEpoch complete(TreeSize treeSize, byte[] context)
+            throws IOException, IllegalAccessException
+        {
+//            memberSecret = new Secret(suite.getKDF().extract(joinerSecret.value(), pskSecret(suite, null).value()));
+            Secret epochSecret = memberSecret.expandWithLabel(suite, "epoch", context, suite.getKDF().getHashLength());
+            KeyScheduleEpoch keySchedule = new KeyScheduleEpoch(suite, treeSize, epochSecret);
+            keySchedule.setJoinerSecret(joinerSecret);
+            return keySchedule;
+        }
+    }
+
+    public static class ExternalInitParams
+    {
+        public byte[] kemOutput;
+        public Secret initSecret;
+
+        public ExternalInitParams(MlsCipherSuite suite, AsymmetricKeyParameter externalPub)
+        {
+            final byte[] exportContext = "MLS 1.0 external init secret".getBytes(StandardCharsets.UTF_8);
+            final int L = suite.getKDF().getHashLength();
+
+            HPKEContextWithEncapsulation ctx = suite.getHPKE().setupBaseS(externalPub, null);
+            kemOutput = ctx.getEncapsulation();
+            initSecret = new Secret(ctx.export(exportContext, L));
+        }
+
+        public Secret getInitSecret()
+        {
+            return initSecret;
+        }
+
+        public byte[] getKEMOutput()
+        {
+            return kemOutput;
+        }
+    }
+
+
+    final MlsCipherSuite suite;
+
+    // Secrets derived from the epoch secret
+    public final Secret initSecret;
+    public Secret senderDataSecret;
+    public final Secret exporterSecret;
+    public final Secret confirmationKey;
+    public Secret membershipKey;
+    public final Secret resumptionPSK;
+    public final Secret epochAuthenticator;
+    public final Secret encryptionSecret;
+    public final Secret externalSecret;
+
+    // Further dervied products
+    final AsymmetricCipherKeyPair externalKeyPair;
+    public final GroupKeySet groupKeySet;
+    public Secret joinerSecret;
+
+    public Secret getJoinerSecret()
+    {
+        return joinerSecret;
+    }
+
+    public void setJoinerSecret(Secret joinerSecret)
+    {
+        this.joinerSecret = joinerSecret;
+    }
+
+    public GroupKeySet getEncryptionKeys(TreeSize size)
+        throws IOException, IllegalAccessException
+    {
+        return new GroupKeySet(suite, size, encryptionSecret);
+    }
+
+    public static KeyGeneration senderDataKeys(MlsCipherSuite suite, byte[] senderDataSecretBytes, byte[] ciphertext)
+        throws IOException
+    {
+        Secret senderDataSecret = new Secret(senderDataSecretBytes);
+        int sampleSize = suite.getKDF().getHashLength();
+        byte[] sample = Arrays.copyOf(ciphertext, sampleSize);
+        int keySize = suite.getAEAD().getKeySize();
+        int nonceSize = suite.getAEAD().getNonceSize();
+        Secret key = senderDataSecret.expandWithLabel(suite, "key", sample, keySize);
+        Secret nonce = senderDataSecret.expandWithLabel(suite, "nonce", sample, nonceSize);
+        return new KeyGeneration(0, key, nonce);
+    }
+
+
+    public static Secret welcomeSecret(MlsCipherSuite suite, byte[] joinerSecret, List<PSKWithSecret> psk)
+        throws IOException
+    {
+        Secret pskSecret = JoinSecrets.pskSecret(suite, psk);
+        Secret extract = new Secret(suite.getKDF().extract(joinerSecret, pskSecret.value()));
+        return extract.deriveSecret(suite, "welcome");
+    }
+
+    public static KeyScheduleEpoch forCreator(MlsCipherSuite suite, byte[] groupContext)
+        throws IOException, IllegalAccessException
+    {
+        SecureRandom random = new SecureRandom();
+        byte[] initSecret = new byte[suite.getKDF().getHashLength()];
+        random.nextBytes(initSecret);
+
+        JoinSecrets joinerSecret = JoinSecrets.forMember(suite, new Secret(initSecret), Secret.zero(suite), new Secret(new byte[0]), groupContext);
+//        TreeSize size = TreeSize.forLeaves(1);
+//        return joinerSecret.complete(size, groupContext);
+        return KeyScheduleEpoch.joiner(suite, joinerSecret.joinerSecret.value(), new ArrayList<PSKWithSecret>(), groupContext);
+    }
+
+    public static KeyScheduleEpoch forCreator(MlsCipherSuite suite)
+        throws IOException, IllegalAccessException
+    {
+        SecureRandom rng = new SecureRandom();
+        return forCreator(suite, rng);
+    }
+
+    public static KeyScheduleEpoch forCreator(MlsCipherSuite suite, SecureRandom rng)
+        throws IOException, IllegalAccessException
+    {
+        byte[] epochSecret = new byte[suite.getKDF().getHashLength()];
+        rng.nextBytes(epochSecret);
+        TreeSize treeSize = TreeSize.forLeaves(1);
+        return new KeyScheduleEpoch(suite, treeSize, new Secret(epochSecret));
+    }
+
+    public static KeyScheduleEpoch forExternalJoiner(MlsCipherSuite suite, TreeSize treeSize, ExternalInitParams externalInitParams, Secret commitSecret, List<PSKWithSecret> psks, byte[] context)
+        throws IOException, IllegalAccessException
+    {
+        return JoinSecrets.forMember(suite, externalInitParams.initSecret, commitSecret, JoinSecrets.pskSecret(suite, psks), context).complete(treeSize, context);
+    }
+
+    public JoinSecrets startCommit(Secret commitSecret, List<PSKWithSecret> psks, byte[] context)
+        throws IOException
+    {
+        return JoinSecrets.forMember(suite, initSecret, commitSecret, JoinSecrets.pskSecret(suite, psks), context);
+    }
+
+    /*
+                     epoch_secret
+                          |
+                          |
+                          +--> DeriveSecret(., <label>)
+                          |    = <secret>
+                          |
+                          V
+                    DeriveSecret(., "init")
+                          |
+                          |
+                          V
+                    init_secret_[n]
+     */
+
+    public byte[] confirmationTag(byte[] confirmedTranscriptHash)
+    {
+        return suite.getKDF().extract(confirmationKey.value(), confirmedTranscriptHash);
+    }
+
+    public KeyScheduleEpoch(MlsCipherSuite suite, Secret initSecret, Secret senderDataSecret, Secret exporterSecret, Secret confirmationKey, Secret membershipKey, Secret resumptionPSK, Secret epochAuthenticator, Secret encryptionSecret, Secret externalSecret, AsymmetricCipherKeyPair externalKeyPair, GroupKeySet groupKeySet, Secret joinerSecret)
+    {
+        this.suite = suite;
+        this.initSecret = new Secret(initSecret.value());
+        this.senderDataSecret = new Secret(senderDataSecret.value());
+        this.exporterSecret = new Secret(exporterSecret.value());
+        this.confirmationKey = new Secret(confirmationKey.value());
+        this.membershipKey = new Secret(membershipKey.value());
+        this.resumptionPSK = new Secret(resumptionPSK.value());
+        this.epochAuthenticator = new Secret(epochAuthenticator.value());
+        this.encryptionSecret = new Secret(encryptionSecret.value());
+        this.externalSecret = new Secret(externalSecret.value());
+        this.externalKeyPair = externalKeyPair;
+        this.groupKeySet = groupKeySet;
+        this.joinerSecret = new Secret(joinerSecret.value());
+    }
+
+    public KeyScheduleEpoch copy()
+    {
+        return new KeyScheduleEpoch(suite, initSecret, senderDataSecret, exporterSecret, confirmationKey, membershipKey, resumptionPSK, epochAuthenticator, encryptionSecret, externalSecret, externalKeyPair, groupKeySet, joinerSecret);
+    }
+
+    public static KeyScheduleEpoch joiner(MlsCipherSuite suite, byte[] joinerSecret, List<PSKWithSecret> psks, byte[] context)
+        throws IOException, IllegalAccessException
+    {
+        TreeSize size = TreeSize.forLeaves(1);
+        JoinSecrets joinSecrets = new JoinSecrets(suite, new Secret(joinerSecret), psks);
+        return joinSecrets.complete(size, context);
+
+    }
+
+    // ONLY USED BY EXTERNAL JOINER
+    public KeyScheduleEpoch(MlsCipherSuite suite)
+        throws IOException, IllegalAccessException
+    {
+        this.suite = suite;
+        this.initSecret = new Secret(new byte[0]);
+        this.senderDataSecret = new Secret(new byte[0]);
+        this.exporterSecret = new Secret(new byte[0]);
+        this.confirmationKey = null;
+        this.membershipKey = new Secret(new byte[0]);
+        this.resumptionPSK = new Secret(new byte[0]);
+        this.epochAuthenticator = new Secret(new byte[0]);
+        this.externalSecret = new Secret(new byte[0]);
+        this.externalKeyPair = null;
+        this.encryptionSecret = new Secret(new byte[0]);
+        this.groupKeySet = null;
+    }
+
+    public KeyScheduleEpoch(MlsCipherSuite suite, TreeSize treeSize, Secret epochSecret)
+        throws IOException, IllegalAccessException
+    {
+        this.suite = suite;
+        this.initSecret = epochSecret.deriveSecret(suite, "init");
+        this.senderDataSecret = epochSecret.deriveSecret(suite, "sender data");
+        this.exporterSecret = epochSecret.deriveSecret(suite, "exporter");
+        this.confirmationKey = epochSecret.deriveSecret(suite, "confirm");
+        this.membershipKey = epochSecret.deriveSecret(suite, "membership");
+        this.resumptionPSK = epochSecret.deriveSecret(suite, "resumption");
+        this.epochAuthenticator = epochSecret.deriveSecret(suite, "authentication");
+
+        this.externalSecret = epochSecret.deriveSecret(suite, "external");
+        this.externalKeyPair = suite.getHPKE().deriveKeyPair(externalSecret.value());
+
+        this.encryptionSecret = epochSecret.deriveSecret(suite, "encryption");
+        this.groupKeySet = new GroupKeySet(suite, treeSize, encryptionSecret);
+    }
+
+    public KeyScheduleEpoch(MlsCipherSuite suite, TreeSize treeSize, Secret joinerSecret, Secret pskSecret, byte[] context)
+        throws IOException, IllegalAccessException
+    {
+        this.suite = suite;
+
+        Secret memSecret = Secret.extract(suite, joinerSecret, pskSecret);
+        Secret epochSecret = memSecret.expandWithLabel(suite, "epoch", context, suite.getKDF().getHashLength());
+
+        this.senderDataSecret = epochSecret.deriveSecret(suite, "sender data");
+        this.encryptionSecret = epochSecret.deriveSecret(suite, "encryption");
+        this.exporterSecret = epochSecret.deriveSecret(suite, "exporter");
+        this.epochAuthenticator = epochSecret.deriveSecret(suite, "authentication");
+        this.externalSecret = epochSecret.deriveSecret(suite, "external");
+        this.confirmationKey = epochSecret.deriveSecret(suite, "confirm");
+        this.membershipKey = epochSecret.deriveSecret(suite, "membership");
+        this.resumptionPSK = epochSecret.deriveSecret(suite, "resumption");
+        this.initSecret = epochSecret.deriveSecret(suite, "init");
+
+        this.externalKeyPair = suite.getHPKE().deriveKeyPair(externalSecret.value());
+
+        this.groupKeySet = new GroupKeySet(suite, treeSize, encryptionSecret);
+    }
+
+
+    public KeyScheduleEpoch next(TreeSize treeSize, byte[] externalInit, Secret commitSecret, List<PSKWithSecret> psks, byte[] context)
+        throws IOException, IllegalAccessException
+    {
+        Secret currInitSecret = initSecret;
+        if (externalInit != null)
+        {
+            currInitSecret = new Secret(externalInit);
+        }
+
+        JoinSecrets joinSecrets = JoinSecrets.forMember(suite, currInitSecret, commitSecret, JoinSecrets.pskSecret(suite, psks), context);
+        return joinSecrets.complete(treeSize, context);
+    }
+
+    public byte[] MLSExporter(String label, byte[] context, int length)
+        throws IOException
+    {
+        return exporterSecret.deriveSecret(suite, label).expandWithLabel(suite, "exported", suite.hash(context), length).value();
+    }
+
+    @Override
+    public boolean equals(Object o)
+    {
+        if (this == o)
+        {
+            return true;
+        }
+        if (o == null || getClass() != o.getClass())
+        {
+            return false;
+        }
+        KeyScheduleEpoch that = (KeyScheduleEpoch)o;
+        // XXX(RLB): There no easy way to compare externalKeyPair values, so we skip that.
+        // XXX(RLB): In general, we could probably be more parsimonious here.
+        return suite.equals(that.suite) && initSecret.equals(that.initSecret) && senderDataSecret.equals(that.senderDataSecret) && exporterSecret.equals(that.exporterSecret) && confirmationKey.equals(that.confirmationKey) && membershipKey.equals(that.membershipKey) && resumptionPSK.equals(that.resumptionPSK) && epochAuthenticator.equals(that.epochAuthenticator) && groupKeySet.equals(that.groupKeySet);
+    }
+
+    public AsymmetricKeyParameter getExternalPublicKey()
+    {
+        return externalKeyPair.getPublic();
+    }
+}
diff --git a/mls/src/main/java/moe/kyokobot/koe/mls/TranscriptHash.java b/mls/src/main/java/moe/kyokobot/koe/mls/TranscriptHash.java
new file mode 100644
index 0000000..ff8f96b
--- /dev/null
+++ b/mls/src/main/java/moe/kyokobot/koe/mls/TranscriptHash.java
@@ -0,0 +1,88 @@
+package moe.kyokobot.koe.mls;
+
+import java.io.IOException;
+
+import moe.kyokobot.koe.mls.codec.AuthenticatedContent;
+import moe.kyokobot.koe.mls.codec.MLSOutputStream;
+import moe.kyokobot.koe.mls.crypto.MlsCipherSuite;
+import org.bouncycastle.util.Arrays;
+
+public class TranscriptHash
+{
+
+    private MlsCipherSuite suite;
+    byte[] confirmed;
+    byte[] interim;
+
+    public byte[] getConfirmed()
+    {
+        return confirmed;
+    }
+
+    public byte[] getInterim()
+    {
+        return interim;
+    }
+
+    public void setInterim(byte[] interim)
+    {
+        this.interim = interim;
+    }
+
+    public TranscriptHash(MlsCipherSuite suite)
+    {
+        this.suite = suite;
+        confirmed = new byte[0];
+    }
+
+    public TranscriptHash(MlsCipherSuite suite, byte[] confirmed, byte[] interim)
+    {
+        this.suite = suite;
+        this.confirmed = confirmed;
+        this.interim = interim;
+    }
+
+    static public TranscriptHash fromConfirmationTag(MlsCipherSuite suite, byte[] confirmed, byte[] confirmationTag)
+        throws IOException
+    {
+        TranscriptHash out = new TranscriptHash(suite, confirmed.clone(), new byte[0]);
+        out.updateInterim(confirmationTag);
+        return out;
+    }
+
+    public TranscriptHash copy()
+    {
+        return new TranscriptHash(suite, confirmed, interim);
+    }
+
+    public void update(AuthenticatedContent auth)
+        throws IOException
+    {
+        updateConfirmed(auth);
+        updateInterim(auth);
+    }
+
+    public void updateConfirmed(AuthenticatedContent auth)
+        throws IOException
+    {
+        byte[] transcript = Arrays.concatenate(interim, auth.getConfirmedTranscriptHashInput());
+        confirmed = suite.hash(transcript);
+    }
+
+    public void updateInterim(AuthenticatedContent auth)
+        throws IOException
+    {
+        byte[] transcript = Arrays.concatenate(confirmed, auth.getInterimTranscriptHashInput());
+        interim = suite.hash(transcript);
+
+    }
+
+    public void updateInterim(byte[] confirmationTag)
+        throws IOException
+    {
+        MLSOutputStream stream = new MLSOutputStream();
+        stream.writeOpaque(confirmationTag);
+        byte[] transcript = Arrays.concatenate(confirmed, stream.toByteArray());
+        interim = suite.hash(transcript);
+    }
+}
diff --git a/mls/src/main/java/moe/kyokobot/koe/mls/TreeKEM/LeafIndex.java b/mls/src/main/java/moe/kyokobot/koe/mls/TreeKEM/LeafIndex.java
new file mode 100644
index 0000000..77ee4c7
--- /dev/null
+++ b/mls/src/main/java/moe/kyokobot/koe/mls/TreeKEM/LeafIndex.java
@@ -0,0 +1,116 @@
+package moe.kyokobot.koe.mls.TreeKEM;
+
+import java.io.IOException;
+import java.util.List;
+import java.util.Objects;
+import java.util.Vector;
+
+import moe.kyokobot.koe.mls.TreeSize;
+import moe.kyokobot.koe.mls.codec.MLSInputStream;
+import moe.kyokobot.koe.mls.codec.MLSOutputStream;
+
+public class LeafIndex
+    implements MLSInputStream.Readable, MLSOutputStream.Writable
+{
+    protected int value;
+    public int value()
+    {
+        return value;
+    }
+
+    public LeafIndex(int valueIn)
+    {
+        value = valueIn;
+    }
+
+    public LeafIndex(NodeIndex valueIn)
+    {
+        value = (int)(valueIn.value() >>> 1);
+    }
+
+    @Override
+    public boolean equals(Object o)
+    {
+        if (this == o)
+        {
+            return true;
+        }
+
+        if (o == null || getClass() != o.getClass())
+        {
+            return false;
+        }
+
+        LeafIndex leafIndex = (LeafIndex)o;
+        return value == leafIndex.value;
+    }
+
+    @Override
+    public int hashCode()
+    {
+        return Objects.hash(value);
+    }
+
+    public NodeIndex commonAncestor(LeafIndex other)
+    {
+        if (this.equals(other))
+        {
+            return new NodeIndex(this);
+        }
+
+        long k = 0;
+        long xv = (new NodeIndex(this)).value();
+        long yv = (new NodeIndex(other)).value();
+        while (xv != yv)
+        {
+            xv >>= 1;
+            yv >>= 1;
+            k += 1;
+        }
+
+        long prefix = xv << k;
+        long stop = (1L << (k - 1));
+        return new NodeIndex(prefix + stop - 1);
+    }
+
+    public List<NodeIndex> directPath(TreeSize size)
+    {
+        List<NodeIndex> d = new Vector<NodeIndex>();
+
+        NodeIndex n = new NodeIndex(this);
+        NodeIndex r = NodeIndex.root(size);
+        if (n.equals(r))
+        {
+            return d;
+        }
+
+        NodeIndex p = n.parent();
+        while (!p.equals(r))
+        {
+            d.add(p);
+            p = p.parent();
+        }
+
+        // Include the root unless this is a one-member tree
+        if (!n.equals(r))
+        {
+            d.add(p);
+        }
+
+        return d;
+    }
+
+    @SuppressWarnings("unused")
+    public LeafIndex(MLSInputStream stream)
+        throws IOException
+    {
+        value = (int)stream.read(int.class);
+    }
+
+    @Override
+    public void writeTo(MLSOutputStream stream)
+        throws IOException
+    {
+        stream.write(value);
+    }
+}
diff --git a/mls/src/main/java/moe/kyokobot/koe/mls/TreeKEM/LeafNode.java b/mls/src/main/java/moe/kyokobot/koe/mls/TreeKEM/LeafNode.java
new file mode 100644
index 0000000..08d6a9a
--- /dev/null
+++ b/mls/src/main/java/moe/kyokobot/koe/mls/TreeKEM/LeafNode.java
@@ -0,0 +1,330 @@
+package moe.kyokobot.koe.mls.TreeKEM;
+
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
+
+import moe.kyokobot.koe.mls.crypto.MlsCipherSuite;
+import moe.kyokobot.koe.mls.protocol.Group;
+import moe.kyokobot.koe.mls.codec.Capabilities;
+import moe.kyokobot.koe.mls.codec.Credential;
+import moe.kyokobot.koe.mls.codec.CredentialType;
+import moe.kyokobot.koe.mls.codec.Extension;
+import moe.kyokobot.koe.mls.codec.MLSInputStream;
+import moe.kyokobot.koe.mls.codec.MLSOutputStream;
+
+public class LeafNode
+    implements MLSInputStream.Readable, MLSOutputStream.Writable
+{
+    MlsCipherSuite suite;
+    byte[] encryption_key;
+    byte[] signature_key;
+    Credential credential;
+    Capabilities capabilities;
+    LeafNodeSource leaf_node_source;
+
+    //in switch
+    LifeTime lifeTime;
+    byte[] parent_hash;
+
+    List<Extension> extensions;
+    /* SignWithLabel(., "LeafNodeTBS", LeafNodeTBS) */
+    byte[] signature; // not in TBS
+
+    public Capabilities getCapabilities()
+    {
+        return capabilities;
+    }
+
+    public CredentialType getCredentialType()
+    {
+        return credential.getCredentialType();
+    }
+
+    public MlsCipherSuite getSuite()
+    {
+        return suite;
+    }
+
+    public LifeTime getLifeTime()
+    {
+        return lifeTime;
+    }
+
+    public byte[] getEncryptionKey()
+    {
+        return encryption_key;
+    }
+
+    public byte[] getSignatureKey()
+    {
+        return signature_key;
+    }
+
+    public List<Extension> getExtensions()
+    {
+        return extensions;
+    }
+
+    public LeafNode(
+        MlsCipherSuite suite,
+        byte[] encryption_key,
+        byte[] signature_key,
+        Credential credential,
+        Capabilities capabilities,
+        LifeTime lifeTime,
+        List<Extension> extensions,
+        byte[] sigSk)
+        throws Exception
+    {
+        this.suite = suite;
+        this.encryption_key = encryption_key;
+        this.signature_key = signature_key;
+        this.credential = credential;
+        this.capabilities = capabilities; //TODO: grease
+        this.lifeTime = lifeTime;
+        this.extensions = new ArrayList<Extension>(extensions); //TODO: grease
+        this.leaf_node_source = LeafNodeSource.KEY_PACKAGE; //TODO: check
+
+        sign(suite, sigSk, toBeSigned(null, -1));
+    }
+
+    public LeafNode()
+    {
+    }
+
+    public LeafNode(MLSInputStream stream)
+        throws IOException
+    {
+        encryption_key = stream.readOpaque();
+        signature_key = stream.readOpaque();
+        credential = (Credential)stream.read(Credential.class);
+        capabilities = (Capabilities)stream.read(Capabilities.class);
+        leaf_node_source = LeafNodeSource.values()[(byte)stream.read(byte.class)];
+        switch (leaf_node_source)
+        {
+        case KEY_PACKAGE:
+            lifeTime = (LifeTime)stream.read(LifeTime.class);
+            break;
+        case UPDATE:
+            break;
+        case COMMIT:
+            parent_hash = stream.readOpaque();
+            break;
+        }
+        extensions = new ArrayList<Extension>();
+        stream.readList(extensions, Extension.class);
+        signature = stream.readOpaque();
+    }
+
+    @Override
+    public void writeTo(MLSOutputStream stream)
+        throws IOException
+    {
+        stream.writeOpaque(encryption_key);
+        stream.writeOpaque(signature_key);
+        stream.write(credential);
+        stream.write(capabilities);
+        stream.write(leaf_node_source);
+        switch (leaf_node_source)
+        {
+        case KEY_PACKAGE:
+            stream.write(lifeTime);
+            break;
+        case UPDATE:
+            break;
+        case COMMIT:
+            stream.writeOpaque(parent_hash);
+            break;
+        }
+        stream.writeList(extensions);
+        stream.writeOpaque(signature);
+    }
+
+    public LeafNodeSource getSource()
+    {
+        return leaf_node_source;
+    }
+
+    public Credential getCredential()
+    {
+        return credential;
+    }
+
+    public byte[] toBeSigned(byte[] groupId, int leafIndex)
+        throws IOException
+    {
+        MLSOutputStream stream = new MLSOutputStream();
+        stream.writeOpaque(encryption_key);
+        stream.writeOpaque(signature_key);
+        stream.write(credential);
+        stream.write(capabilities);
+        stream.write(leaf_node_source);
+        switch (leaf_node_source)
+        {
+        case KEY_PACKAGE:
+            stream.write(lifeTime);
+            break;
+        case UPDATE:
+            break;
+        case COMMIT:
+            stream.writeOpaque(parent_hash);
+            break;
+        }
+        stream.writeList(extensions);
+        switch (leaf_node_source)
+        {
+        case KEY_PACKAGE:
+            break;
+        case UPDATE:
+        case COMMIT:
+            stream.writeOpaque(groupId);
+            stream.write(leafIndex);
+            break;
+        }
+        return stream.toByteArray();
+    }
+
+    public boolean verifyExtensionSupport(List<Extension> extensions)
+    {
+        //TODO: Verify that extensions in the list are supported
+
+        //TODO: Verify Required Capability extension is supported (if there is one)
+
+        return true;
+    }
+
+    public boolean verifyLifetime()
+    {
+        if (leaf_node_source != LeafNodeSource.KEY_PACKAGE)
+        {
+            return true;
+        }
+
+        return lifeTime.verify();
+    }
+
+    public boolean verify(MlsCipherSuite suite, byte[] tbs)
+        throws IOException
+    {
+        if (getCredentialType() == CredentialType.x509)
+        {
+            //TODO: get credential and check if it's signature scheme matches the cipher suite signature scheme
+        }
+
+        return suite.verifyWithLabel(signature_key, "LeafNodeTBS", tbs, signature);
+    }
+
+    public LeafNode forCommit(MlsCipherSuite suite, byte[] groupId, LeafIndex leafIndex, byte[] encKeyIn, byte[] parentHash, Group.LeafNodeOptions options, byte[] sigPriv)
+        throws Exception
+    {
+        LeafNode clone = copyWithOptions(encKeyIn, options);
+        clone.leaf_node_source = LeafNodeSource.COMMIT;
+        clone.parent_hash = parentHash.clone();
+
+        clone.sign(suite, sigPriv, clone.toBeSigned(groupId, leafIndex.value));
+
+        return clone;
+    }
+
+    public LeafNode forUpdate(MlsCipherSuite suite, byte[] groupId, LeafIndex leafIndex, byte[] encKeyIn, Group.LeafNodeOptions options, byte[] sigPriv)
+        throws Exception
+    {
+        LeafNode clone = copyWithOptions(encKeyIn, options);
+        clone.leaf_node_source = LeafNodeSource.UPDATE;
+
+        clone.sign(suite, sigPriv, clone.toBeSigned(groupId, leafIndex.value));
+
+        return clone;
+    }
+
+    private void sign(MlsCipherSuite suite, byte[] sigPriv, byte[] tbs)
+        throws Exception
+    {
+        byte[] sigPub = suite.serializeSignaturePublicKey(suite.deserializeSignaturePrivateKey(sigPriv).getPublic());
+        if (!Arrays.equals(sigPub, signature_key))
+        {
+            throw new Exception("Signature key mismatch");
+        }
+
+        //TODO: check if credential is valid for signature key
+
+        signature = suite.signWithLabel(sigPriv, "LeafNodeTBS", tbs);
+    }
+
+
+    //TODO: add options to clone with credential/capabilities/extensions
+    public LeafNode copyWithOptions(byte[] encKeyIn, Group.LeafNodeOptions options)
+    {
+        LeafNode clone = copy(encKeyIn);
+        if (options.getCredential() != null)
+        {
+            clone.credential = options.getCredential();
+        }
+
+        if (options.getCapabilities() != null)
+        {
+            clone.capabilities = options.getCapabilities();
+        }
+
+        if (options.getExtensions() != null)
+        {
+            clone.extensions = options.getExtensions();
+        }
+
+        return clone;
+    }
+
+    public LeafNode copy(byte[] encKeyIn)
+    {
+        LeafNode clone = new LeafNode();
+        clone.encryption_key = encKeyIn.clone();
+        clone.signature_key = this.signature_key.clone();
+        clone.credential = this.credential;
+        clone.capabilities = this.capabilities;
+        clone.leaf_node_source = this.leaf_node_source;
+        switch (clone.leaf_node_source)
+        {
+        case KEY_PACKAGE:
+            clone.lifeTime = this.lifeTime;
+            break;
+        case UPDATE:
+            break;
+        case COMMIT:
+            clone.parent_hash = this.parent_hash.clone();
+            break;
+        }
+        clone.extensions = new ArrayList<Extension>(this.extensions);
+        clone.signature = this.signature.clone();
+        return clone;
+    }
+
+    @Override
+    public boolean equals(Object o)
+    {
+        if (this == o)
+        {
+            return true;
+        }
+        if (o == null || getClass() != o.getClass())
+        {
+            return false;
+        }
+
+        LeafNode leafNode = (LeafNode)o;
+
+        //TODO: check other variables?
+
+        if (!Arrays.equals(encryption_key, leafNode.encryption_key))
+        {
+            return false;
+        }
+        if (!Arrays.equals(signature_key, leafNode.signature_key))
+        {
+            return false;
+        }
+        return Arrays.equals(signature, leafNode.signature);
+    }
+}
+
diff --git a/mls/src/main/java/moe/kyokobot/koe/mls/TreeKEM/LeafNodeHashInput.java b/mls/src/main/java/moe/kyokobot/koe/mls/TreeKEM/LeafNodeHashInput.java
new file mode 100644
index 0000000..04772ee
--- /dev/null
+++ b/mls/src/main/java/moe/kyokobot/koe/mls/TreeKEM/LeafNodeHashInput.java
@@ -0,0 +1,35 @@
+package moe.kyokobot.koe.mls.TreeKEM;
+
+import java.io.IOException;
+
+import moe.kyokobot.koe.mls.codec.MLSInputStream;
+import moe.kyokobot.koe.mls.codec.MLSOutputStream;
+
+public class LeafNodeHashInput
+    implements MLSInputStream.Readable, MLSOutputStream.Writable
+{
+    LeafIndex leafIndex;
+    LeafNode leafNode;
+
+    public LeafNodeHashInput(LeafIndex leafIndex, LeafNode leafNode)
+    {
+        this.leafIndex = leafIndex;
+        this.leafNode = leafNode;
+    }
+
+    @SuppressWarnings("unused")
+    public LeafNodeHashInput(MLSInputStream stream)
+        throws IOException
+    {
+        leafIndex = (LeafIndex)stream.read(LeafIndex.class);
+        leafNode = (LeafNode)stream.readOptional(LeafIndex.class);
+    }
+
+    @Override
+    public void writeTo(MLSOutputStream stream)
+        throws IOException
+    {
+        stream.write(leafIndex);
+        stream.writeOptional(leafNode);
+    }
+}
diff --git a/mls/src/main/java/moe/kyokobot/koe/mls/TreeKEM/LeafNodeSource.java b/mls/src/main/java/moe/kyokobot/koe/mls/TreeKEM/LeafNodeSource.java
new file mode 100644
index 0000000..c1a9597
--- /dev/null
+++ b/mls/src/main/java/moe/kyokobot/koe/mls/TreeKEM/LeafNodeSource.java
@@ -0,0 +1,29 @@
+package moe.kyokobot.koe.mls.TreeKEM;
+
+import java.io.IOException;
+
+import moe.kyokobot.koe.mls.codec.MLSInputStream;
+import moe.kyokobot.koe.mls.codec.MLSOutputStream;
+
+public enum LeafNodeSource
+    implements MLSInputStream.Readable, MLSOutputStream.Writable
+{
+    RESERVED((byte)0),
+    KEY_PACKAGE((byte)1),
+    UPDATE((byte)2),
+    COMMIT((byte)3);
+
+    final byte value;
+
+    LeafNodeSource(byte value)
+    {
+        this.value = value;
+    }
+
+    @Override
+    public void writeTo(MLSOutputStream stream)
+        throws IOException
+    {
+        stream.write(value);
+    }
+}
diff --git a/mls/src/main/java/moe/kyokobot/koe/mls/TreeKEM/LifeTime.java b/mls/src/main/java/moe/kyokobot/koe/mls/TreeKEM/LifeTime.java
new file mode 100644
index 0000000..80449ba
--- /dev/null
+++ b/mls/src/main/java/moe/kyokobot/koe/mls/TreeKEM/LifeTime.java
@@ -0,0 +1,52 @@
+package moe.kyokobot.koe.mls.TreeKEM;
+
+import java.io.IOException;
+import java.time.Instant;
+import java.time.temporal.ChronoField;
+
+import moe.kyokobot.koe.mls.codec.MLSInputStream;
+import moe.kyokobot.koe.mls.codec.MLSOutputStream;
+
+public class LifeTime
+    implements MLSInputStream.Readable, MLSOutputStream.Writable
+{
+    private final long not_before;
+    private final long not_after;
+
+    @SuppressWarnings("unused")
+    public LifeTime(MLSInputStream stream)
+        throws IOException
+    {
+        not_before = (long)stream.read(long.class);
+        not_after = (long)stream.read(long.class);
+    }
+
+    public LifeTime()
+    {
+        //TODO: should be Long.MAX_VALUE but this might interfere up testing with test vectors using unsigned long
+//        this.not_before = System.currentTimeMillis() / 1000L;
+//        this.not_after = not_before + 31536000; // one year
+
+        //TODO: remove after testing
+        this.not_before = 0;
+        this.not_after = -1;
+    }
+
+    @Override
+    public void writeTo(MLSOutputStream stream)
+        throws IOException
+    {
+        stream.write(not_before);
+        stream.write(not_after);
+    }
+
+    protected boolean verify()
+    {
+        long now = Instant.now().getLong(ChronoField.INSTANT_SECONDS);
+        if (not_after == -1)
+        {
+            return (now >= not_before) && (now < Long.MAX_VALUE);
+        }
+        return (now >= not_before) && (now < not_after);
+    }
+}
diff --git a/mls/src/main/java/moe/kyokobot/koe/mls/TreeKEM/Node.java b/mls/src/main/java/moe/kyokobot/koe/mls/TreeKEM/Node.java
new file mode 100644
index 0000000..5b4c7f3
--- /dev/null
+++ b/mls/src/main/java/moe/kyokobot/koe/mls/TreeKEM/Node.java
@@ -0,0 +1,84 @@
+package moe.kyokobot.koe.mls.TreeKEM;
+
+import java.io.IOException;
+
+import moe.kyokobot.koe.mls.codec.MLSInputStream;
+import moe.kyokobot.koe.mls.codec.MLSOutputStream;
+import moe.kyokobot.koe.mls.codec.NodeType;
+
+public class Node
+    implements MLSInputStream.Readable, MLSOutputStream.Writable
+{
+    NodeType nodeType;
+    LeafNode leafNode;
+    ParentNode parentNode;
+
+    public byte[] getParentHash()
+    {
+        switch (nodeType)
+        {
+        case leaf:
+            return leafNode.parent_hash;
+        case parent:
+            return parentNode.parentHash;
+        }
+        return null;
+    }
+
+    public byte[] getPublicKey()
+    {
+        switch (nodeType)
+        {
+        case leaf:
+            return leafNode.encryption_key;
+        case parent:
+            return parentNode.encryptionKey;
+        }
+        return null;
+    }
+
+    public Node(LeafNode leafNode)
+    {
+        nodeType = NodeType.leaf;
+        this.leafNode = leafNode;
+    }
+
+    public Node(ParentNode parentNode)
+    {
+        nodeType = NodeType.parent;
+        this.parentNode = parentNode;
+    }
+
+    @SuppressWarnings("unused")
+    public Node(MLSInputStream stream)
+        throws IOException
+    {
+        this.nodeType = NodeType.values()[(byte)stream.read(byte.class)];
+        switch (nodeType)
+        {
+        case leaf:
+            leafNode = (LeafNode)stream.read(LeafNode.class);
+            break;
+        case parent:
+            parentNode = (ParentNode)stream.read(ParentNode.class);
+            break;
+        }
+    }
+
+    @Override
+    public void writeTo(MLSOutputStream stream)
+        throws IOException
+    {
+        stream.write(nodeType);
+        switch (nodeType)
+        {
+        case leaf:
+            stream.write(leafNode);
+            break;
+        case parent:
+            stream.write(parentNode);
+            break;
+        }
+    }
+}
+
diff --git a/mls/src/main/java/moe/kyokobot/koe/mls/TreeKEM/NodeIndex.java b/mls/src/main/java/moe/kyokobot/koe/mls/TreeKEM/NodeIndex.java
new file mode 100644
index 0000000..e936fe5
--- /dev/null
+++ b/mls/src/main/java/moe/kyokobot/koe/mls/TreeKEM/NodeIndex.java
@@ -0,0 +1,181 @@
+package moe.kyokobot.koe.mls.TreeKEM;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Objects;
+import java.util.Vector;
+
+import moe.kyokobot.koe.mls.TreeSize;
+
+public class NodeIndex
+{
+    private final long value;
+
+    public long value()
+    {
+        return value;
+    }
+
+    public NodeIndex(long valueIn)
+    {
+        value = valueIn;
+    }
+
+    public NodeIndex(LeafIndex leaf)
+    {
+        value = 2 * leaf.value();
+    }
+
+
+    @Override
+    public boolean equals(Object o)
+    {
+        if (this == o)
+        {
+            return true;
+        }
+
+        if (o == null || getClass() != o.getClass())
+        {
+            return false;
+        }
+
+        NodeIndex nodeIndex = (NodeIndex)o;
+        return value == nodeIndex.value;
+    }
+
+    public static NodeIndex root(TreeSize size)
+    {
+        return new NodeIndex((1L << size.depth()) - 1);
+    }
+
+    @Override
+    public int hashCode()
+    {
+        return Objects.hash(value);
+    }
+
+    public long level()
+    {
+        return Long.numberOfTrailingZeros(~value);
+    }
+
+    public boolean isLeaf()
+    {
+        return value % 2 == 0;
+    }
+
+    public boolean isBelow(NodeIndex other)
+    {
+        long lx = level();
+        long ly = other.level();
+        return (lx <= ly) && (value >> (ly + 1)) == (other.value >> (ly + 1));
+    }
+
+    public NodeIndex parent()
+    {
+        long k = level();
+        return new NodeIndex((value | (1L << k)) & ~(1L << (k + 1)));
+    }
+
+    public NodeIndex left()
+    {
+        if (isLeaf())
+        {
+            return this;
+        }
+
+        long k = level();
+        return new NodeIndex(value ^ (0x01L << (k - 1)));
+    }
+
+    public NodeIndex right()
+    {
+        if (isLeaf())
+        {
+            return this;
+        }
+
+        long k = level();
+        return new NodeIndex(value ^ (0x03L << (k - 1)));
+    }
+
+//    public NodeIndex sibling() {
+//        NodeIndex p = parent();
+//        NodeIndex l = p.left();
+//        if (!this.equals(l)) {
+//            return l;
+//        }
+//
+//        return p.right();
+//    }
+
+    public NodeIndex sibling()
+    {
+        return sibling(parent());
+    }
+
+    public NodeIndex sibling(NodeIndex ancestor)
+    {
+        NodeIndex l = ancestor.left();
+        NodeIndex r = ancestor.right();
+
+        if (isBelow(l))
+        {
+            return r;
+        }
+        return l;
+    }
+
+    public List<NodeIndex> copath(TreeSize size)
+        throws Exception
+    {
+        List<NodeIndex> d = directPath(size);
+
+        if (d.isEmpty())
+        {
+            return new ArrayList<NodeIndex>();
+        }
+
+        d.add(0, this);
+        d.remove(d.size() - 1);
+
+        List<NodeIndex> cp = new ArrayList<NodeIndex>();
+        for (NodeIndex n : d)
+        {
+            cp.add(n.sibling());
+        }
+
+        return cp;
+    }
+
+    private List<NodeIndex> directPath(TreeSize size)
+        throws Exception
+    {
+        if (value >= size.width())
+        {
+            throw new Exception("!!!Request for dirpath outside of tree!!!");
+        }
+
+        List<NodeIndex> d = new Vector<NodeIndex>();
+        NodeIndex r = NodeIndex.root(size);
+        if (this.equals(r))
+        {
+            return d;
+        }
+
+        NodeIndex p = parent();
+        while (!p.equals(r))
+        {
+            d.add(p);
+            p = p.parent();
+        }
+
+        if (!this.equals(r))
+        {
+            d.add(p);
+        }
+
+        return d;
+    }
+}
diff --git a/mls/src/main/java/moe/kyokobot/koe/mls/TreeKEM/OptionalNode.java b/mls/src/main/java/moe/kyokobot/koe/mls/TreeKEM/OptionalNode.java
new file mode 100644
index 0000000..d02c753
--- /dev/null
+++ b/mls/src/main/java/moe/kyokobot/koe/mls/TreeKEM/OptionalNode.java
@@ -0,0 +1,62 @@
+package moe.kyokobot.koe.mls.TreeKEM;
+
+import java.io.IOException;
+
+import moe.kyokobot.koe.mls.codec.MLSInputStream;
+import moe.kyokobot.koe.mls.codec.MLSOutputStream;
+import moe.kyokobot.koe.mls.codec.NodeType;
+
+public class OptionalNode
+    implements MLSInputStream.Readable, MLSOutputStream.Writable
+{
+    public static OptionalNode blankNode()
+    {
+        return new OptionalNode();
+    }
+
+    private OptionalNode()
+    {
+        this.node = null;
+    }
+
+    Node node;
+
+    public boolean isBlank()
+    {
+        return node == null;
+    }
+
+    public boolean isLeaf()
+    {
+        return !isBlank() && node.nodeType == NodeType.leaf;
+    }
+
+    public boolean isParent()
+    {
+        return !isBlank() && node.nodeType == NodeType.parent;
+    }
+
+    public LeafNode getLeafNode()
+    {
+        return node.leafNode;
+    }
+
+    public ParentNode getParentNode()
+    {
+        return node.parentNode;
+    }
+
+    @SuppressWarnings("unused")
+    public OptionalNode(MLSInputStream stream)
+        throws IOException
+    {
+        node = (Node)stream.readOptional(Node.class);
+    }
+
+    @Override
+    public void writeTo(MLSOutputStream stream)
+        throws IOException
+    {
+        stream.writeOptional(node);
+    }
+}
diff --git a/mls/src/main/java/moe/kyokobot/koe/mls/TreeKEM/ParentHashInput.java b/mls/src/main/java/moe/kyokobot/koe/mls/TreeKEM/ParentHashInput.java
new file mode 100644
index 0000000..22e024a
--- /dev/null
+++ b/mls/src/main/java/moe/kyokobot/koe/mls/TreeKEM/ParentHashInput.java
@@ -0,0 +1,39 @@
+package moe.kyokobot.koe.mls.TreeKEM;
+
+import java.io.IOException;
+
+import moe.kyokobot.koe.mls.codec.MLSInputStream;
+import moe.kyokobot.koe.mls.codec.MLSOutputStream;
+
+public class ParentHashInput
+    implements MLSInputStream.Readable, MLSOutputStream.Writable
+{
+    byte[] encryptionKey;
+    byte[] parentHash;
+    byte[] originalSiblingTreeHash;
+
+    @SuppressWarnings("unused")
+    public ParentHashInput(MLSInputStream stream)
+        throws IOException
+    {
+        encryptionKey = stream.readOpaque();
+        parentHash = stream.readOpaque();
+        originalSiblingTreeHash = stream.readOpaque();
+    }
+
+    public ParentHashInput(byte[] encryptionKey, byte[] parentHash, byte[] originalSiblingTreeHash)
+    {
+        this.encryptionKey = encryptionKey;
+        this.parentHash = parentHash;
+        this.originalSiblingTreeHash = originalSiblingTreeHash;
+    }
+
+    @Override
+    public void writeTo(MLSOutputStream stream)
+        throws IOException
+    {
+        stream.writeOpaque(encryptionKey);
+        stream.writeOpaque(parentHash);
+        stream.writeOpaque(originalSiblingTreeHash);
+    }
+}
diff --git a/mls/src/main/java/moe/kyokobot/koe/mls/TreeKEM/ParentNode.java b/mls/src/main/java/moe/kyokobot/koe/mls/TreeKEM/ParentNode.java
new file mode 100644
index 0000000..8b72ad2
--- /dev/null
+++ b/mls/src/main/java/moe/kyokobot/koe/mls/TreeKEM/ParentNode.java
@@ -0,0 +1,42 @@
+package moe.kyokobot.koe.mls.TreeKEM;
+
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.List;
+
+import moe.kyokobot.koe.mls.codec.MLSInputStream;
+import moe.kyokobot.koe.mls.codec.MLSOutputStream;
+
+public class ParentNode
+    implements MLSInputStream.Readable, MLSOutputStream.Writable
+{
+    protected byte[] encryptionKey;
+    byte[] parentHash;
+    List<LeafIndex> unmerged_leaves;
+
+    public ParentNode(byte[] encryptionKey, byte[] parentHash, List<LeafIndex> unmerged_leaves)
+    {
+        this.encryptionKey = encryptionKey.clone();
+        this.parentHash = parentHash.clone();
+        this.unmerged_leaves = new ArrayList<LeafIndex>(unmerged_leaves);
+    }
+
+    @SuppressWarnings("unused")
+    public ParentNode(MLSInputStream stream)
+        throws IOException
+    {
+        encryptionKey = stream.readOpaque();
+        parentHash = stream.readOpaque();
+        unmerged_leaves = new ArrayList<LeafIndex>();
+        stream.readList(unmerged_leaves, LeafIndex.class);
+    }
+
+    @Override
+    public void writeTo(MLSOutputStream stream)
+        throws IOException
+    {
+        stream.writeOpaque(encryptionKey);
+        stream.writeOpaque(parentHash);
+        stream.writeList(unmerged_leaves);
+    }
+}
diff --git a/mls/src/main/java/moe/kyokobot/koe/mls/TreeKEM/ParentNodeHashInput.java b/mls/src/main/java/moe/kyokobot/koe/mls/TreeKEM/ParentNodeHashInput.java
new file mode 100644
index 0000000..2ead470
--- /dev/null
+++ b/mls/src/main/java/moe/kyokobot/koe/mls/TreeKEM/ParentNodeHashInput.java
@@ -0,0 +1,41 @@
+package moe.kyokobot.koe.mls.TreeKEM;
+
+import java.io.IOException;
+
+import moe.kyokobot.koe.mls.codec.MLSInputStream;
+import moe.kyokobot.koe.mls.codec.MLSOutputStream;
+
+public class ParentNodeHashInput
+    implements MLSInputStream.Readable, MLSOutputStream.Writable
+{
+    ParentNode parentNode;
+    byte[] leftHash;
+    byte[] rightHash;
+
+    public ParentNodeHashInput(ParentNode parentNode, byte[] leftHash, byte[] rightHash)
+    {
+        this.parentNode = parentNode;
+        this.leftHash = leftHash;
+        this.rightHash = rightHash;
+    }
+
+    @SuppressWarnings("unused")
+    public ParentNodeHashInput(MLSInputStream stream)
+        throws IOException
+    {
+        parentNode = (ParentNode)stream.readOptional(ParentNode.class);
+        leftHash = stream.readOpaque();
+        rightHash = stream.readOpaque();
+    }
+
+    @Override
+    public void writeTo(MLSOutputStream stream)
+        throws IOException
+    {
+        stream.writeOptional(parentNode);
+        stream.writeOpaque(leftHash);
+        stream.writeOpaque(rightHash);
+    }
+}
+
+
diff --git a/mls/src/main/java/moe/kyokobot/koe/mls/TreeKEM/TreeHashInput.java b/mls/src/main/java/moe/kyokobot/koe/mls/TreeKEM/TreeHashInput.java
new file mode 100644
index 0000000..d309db8
--- /dev/null
+++ b/mls/src/main/java/moe/kyokobot/koe/mls/TreeKEM/TreeHashInput.java
@@ -0,0 +1,64 @@
+package moe.kyokobot.koe.mls.TreeKEM;
+
+import java.io.IOException;
+
+import moe.kyokobot.koe.mls.codec.MLSInputStream;
+import moe.kyokobot.koe.mls.codec.MLSOutputStream;
+import moe.kyokobot.koe.mls.codec.NodeType;
+
+public class TreeHashInput
+    implements MLSInputStream.Readable, MLSOutputStream.Writable
+{
+    NodeType nodeType;
+    LeafNodeHashInput leafNode;
+    ParentNodeHashInput parentNode;
+
+    private TreeHashInput(NodeType nodeType, LeafNodeHashInput leafNode, ParentNodeHashInput parentNode)
+    {
+        this.nodeType = nodeType;
+        this.leafNode = leafNode;
+        this.parentNode = parentNode;
+    }
+
+    public static TreeHashInput forLeafNode(LeafNodeHashInput leafNode)
+    {
+        return new TreeHashInput(NodeType.leaf, leafNode, null);
+    }
+
+    public static TreeHashInput forParentNode(ParentNodeHashInput parentNode)
+    {
+        return new TreeHashInput(NodeType.parent, null, parentNode);
+    }
+
+    @SuppressWarnings("unused")
+    public TreeHashInput(MLSInputStream stream)
+        throws IOException
+    {
+        nodeType = NodeType.values()[(byte)stream.read(byte.class)];
+        switch (nodeType)
+        {
+        case leaf:
+            leafNode = (LeafNodeHashInput)stream.read(LeafNodeHashInput.class);
+            break;
+        case parent:
+            parentNode = (ParentNodeHashInput)stream.read(ParentNodeHashInput.class);
+            break;
+        }
+    }
+
+    @Override
+    public void writeTo(MLSOutputStream stream)
+        throws IOException
+    {
+        stream.write(nodeType);
+        switch (nodeType)
+        {
+        case leaf:
+            stream.write(leafNode);
+            break;
+        case parent:
+            stream.write(parentNode);
+            break;
+        }
+    }
+}
diff --git a/mls/src/main/java/moe/kyokobot/koe/mls/TreeKEM/TreeKEMPrivateKey.java b/mls/src/main/java/moe/kyokobot/koe/mls/TreeKEM/TreeKEMPrivateKey.java
new file mode 100644
index 0000000..ed0f02f
--- /dev/null
+++ b/mls/src/main/java/moe/kyokobot/koe/mls/TreeKEM/TreeKEMPrivateKey.java
@@ -0,0 +1,318 @@
+package moe.kyokobot.koe.mls.TreeKEM;
+
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+import moe.kyokobot.koe.mls.TreeSize;
+import moe.kyokobot.koe.mls.codec.HPKECiphertext;
+import moe.kyokobot.koe.mls.codec.UpdatePath;
+import moe.kyokobot.koe.mls.crypto.MlsCipherSuite;
+import moe.kyokobot.koe.mls.crypto.Secret;
+import org.bouncycastle.crypto.AsymmetricCipherKeyPair;
+import org.bouncycastle.util.Strings;
+import org.bouncycastle.util.encoders.Hex;
+
+public class TreeKEMPrivateKey
+{
+    MlsCipherSuite suite;
+    LeafIndex index;
+    Secret updateSecret;
+    Map<NodeIndex, Secret> pathSecrets;
+    Map<NodeIndex, AsymmetricCipherKeyPair> privateKeyCache;
+
+    public Secret getUpdateSecret()
+    {
+        return updateSecret;
+    }
+
+    public void insertPathSecret(NodeIndex index, Secret secret)
+    {
+        pathSecrets.put(index, secret);
+    }
+
+    public void insertPrivateKey(NodeIndex index, AsymmetricCipherKeyPair keyPair)
+    {
+        privateKeyCache.put(index, keyPair);
+    }
+
+    public TreeKEMPrivateKey(MlsCipherSuite suite, LeafIndex index)
+    {
+        this.suite = suite;
+        this.index = index;
+        pathSecrets = new HashMap<NodeIndex, Secret>();
+        privateKeyCache = new HashMap<NodeIndex, AsymmetricCipherKeyPair>();
+    }
+
+    public TreeKEMPrivateKey copy()
+    {
+        TreeKEMPrivateKey clone = new TreeKEMPrivateKey(suite, index);
+        clone.pathSecrets.putAll(pathSecrets);
+        clone.privateKeyCache.putAll(privateKeyCache);
+        return clone;
+    }
+
+    public static TreeKEMPrivateKey solo(MlsCipherSuite suite, LeafIndex index, AsymmetricCipherKeyPair leafPriv)
+    {
+
+        TreeKEMPrivateKey priv = new TreeKEMPrivateKey(suite, index);
+        priv.privateKeyCache.put(new NodeIndex(index), leafPriv);
+        return priv;
+    }
+
+    public static TreeKEMPrivateKey create(TreeKEMPublicKey pub, LeafIndex from, Secret leafSecret)
+        throws Exception
+    {
+        TreeKEMPrivateKey priv = new TreeKEMPrivateKey(pub.suite, from);
+        priv.implant(pub, new NodeIndex(from), leafSecret);
+        return priv;
+    }
+
+    public static TreeKEMPrivateKey joiner(TreeKEMPublicKey pub, LeafIndex index, AsymmetricCipherKeyPair leafPriv,
+                                           NodeIndex intersect, Secret pathSecret)
+        throws Exception
+    {
+        TreeKEMPrivateKey priv = new TreeKEMPrivateKey(pub.suite, index);
+
+        priv.privateKeyCache.put(new NodeIndex(index), leafPriv);
+
+        if (pathSecret != null)
+        {
+            priv.implant(pub, intersect, pathSecret);
+        }
+        return priv;
+    }
+
+    public String dump()
+        throws IOException
+    {
+        StringBuilder sb = new StringBuilder();
+        for (NodeIndex node :
+            pathSecrets.keySet())
+        {
+            setPrivateKey(node, true);
+        }
+
+        sb.append("Tree (priv)").append(Strings.lineSeparator());
+        sb.append("  Index: ").append((new NodeIndex(index)).value()).append(Strings.lineSeparator());
+
+        sb.append("  Secrets: ").append(Strings.lineSeparator());
+        for (NodeIndex n : pathSecrets.keySet())
+        {
+            Secret pathSecret = pathSecrets.get(n);
+            Secret nodeSecret = pathSecret.deriveSecret(suite, "node");
+            AsymmetricCipherKeyPair sk = suite.getHPKE().deriveKeyPair(nodeSecret.value());
+
+            // -DM Hex.toHexString
+            // -DM Hex.toHexString
+            sb.append("    ").append(n.value())
+                    .append(" => ").append(Hex.toHexString(pathSecret.value(), 0, 4))
+                    .append(" => ").append(Hex.toHexString(suite.getHPKE().serializePublicKey(sk.getPublic()), 0, 4))
+                    .append(Strings.lineSeparator());
+        }
+
+        sb.append("  Cached key pairs: ").append(Strings.lineSeparator());
+        for (NodeIndex n : privateKeyCache.keySet())
+        {
+            AsymmetricCipherKeyPair sk = privateKeyCache.get(n);
+            // -DM Hex.toHexString
+            sb.append("    ").append(n.value()).append(" => ")
+                    .append(Hex.toHexString(suite.getHPKE().serializePublicKey(sk.getPublic()), 0, 4))
+                    .append(Strings.lineSeparator());
+        }
+        return sb.toString();
+    }
+
+    public void truncate(TreeSize size)
+    {
+        NodeIndex ni = new NodeIndex(new LeafIndex((int)(size.leafCount() - 1)));
+        List<NodeIndex> toRemove = new ArrayList<NodeIndex>();
+        for (NodeIndex n : pathSecrets.keySet())
+        {
+            if (n.value() > ni.value())
+            {
+                toRemove.add(n);
+            }
+        }
+
+        for (NodeIndex n : toRemove)
+        {
+            pathSecrets.remove(n);
+            privateKeyCache.remove(n);
+        }
+    }
+
+    public void setLeafKey(byte[] leafSkBytes)
+    {
+        NodeIndex n = new NodeIndex(index);
+        pathSecrets.remove(n);
+
+        AsymmetricCipherKeyPair leafSk = suite.getHPKE().deserializePrivateKey(leafSkBytes, null);
+        privateKeyCache.put(n, leafSk);
+    }
+
+    public void decap(LeafIndex from, TreeKEMPublicKey pub, byte[] context, UpdatePath path, List<LeafIndex> except)
+        throws Exception
+    {
+        // find decap target
+        NodeIndex ni = new NodeIndex(index);
+        FilteredDirectPath dp = pub.getFilteredDirectPath(new NodeIndex(from));
+        if (dp.parents.size() != path.getNodes().size())
+        {
+            throw new Exception("Malformed direct path");
+        }
+
+        int dpi = 0;
+        NodeIndex overlapNode = null;
+        ArrayList<NodeIndex> res = new ArrayList<NodeIndex>();
+        for (dpi = 0; dpi < dp.parents.size(); dpi++)
+        {
+            if (ni.isBelow(dp.parents.get(dpi)))
+            {
+                overlapNode = dp.parents.get(dpi);
+                res = dp.resolutions.get(dpi);
+                break;
+            }
+        }
+
+        if (dpi == dp.parents.size())
+        {
+            throw new Exception("No overlap in path");
+        }
+
+        // find target in resolution
+        Utils.removeLeaves(res, except);
+        if (res.size() != path.getNodes().get(dpi).getEncryptedPathSecret().size())
+        {
+            throw new Exception("Malformed direct path node");
+        }
+
+        int resi = 0;
+        for (resi = 0; resi < res.size(); resi++)
+        {
+            if (havePrivateKey(res.get(resi)))
+            {
+                break;
+            }
+        }
+
+        if (resi == res.size())
+        {
+            throw new Exception("No private key to decrypt path secret");
+        }
+
+        // decrypt and implant
+        AsymmetricCipherKeyPair priv = setPrivateKey(res.get(resi), false);
+        HPKECiphertext ct = path.getNodes().get(dpi).getEncryptedPathSecret().get(resi);
+
+        Secret pathSecret = new Secret(suite.decryptWithLabel(
+            suite.getHPKE().serializePrivateKey(priv.getPrivate()),
+            "UpdatePathNode",
+            context,
+            ct.getKemOutput(),
+            ct.getCiphertext())
+        );
+
+        implant(pub, overlapNode, pathSecret);
+
+        if (!consistent(pub))
+        {
+            throw new Exception("TreeKEMPublicKey inconsistant with TreeKEMPrivateKey");
+        }
+    }
+
+    private boolean havePrivateKey(NodeIndex n)
+    {
+        return pathSecrets.containsKey(n) || privateKeyCache.containsKey(n);
+    }
+
+    public final boolean consistent(TreeKEMPublicKey other)
+        throws IOException
+    {
+        if (suite.getSuiteID() != other.suite.getSuiteID())
+        {
+            return false;
+        }
+
+        for (NodeIndex node : pathSecrets.keySet())
+        {
+            setPrivateKey(node, true);
+        }
+
+        for (NodeIndex key : privateKeyCache.keySet())
+        {
+            Node optNode = other.nodeAt(key).node;
+            if (optNode == null)
+            {
+                continue;
+            }
+            byte[] pub = optNode.getPublicKey();
+            AsymmetricCipherKeyPair priv = privateKeyCache.get(key);
+            if (!Arrays.equals(pub, suite.getHPKE().serializePublicKey(priv.getPublic())))
+            {
+                return false;
+            }
+        }
+        return true;
+    }
+
+    protected AsymmetricCipherKeyPair setPrivateKey(NodeIndex n, boolean isConst)
+        throws IOException
+    {
+        AsymmetricCipherKeyPair priv = getPrivateKey(n);
+        if (priv != null && !isConst)
+        {
+            privateKeyCache.put(n, priv);
+        }
+        return priv;
+    }
+
+    private AsymmetricCipherKeyPair getPrivateKey(NodeIndex n)
+        throws IOException
+    {
+        if (privateKeyCache.containsKey(n))
+        {
+            return privateKeyCache.get(n);
+        }
+        if (!pathSecrets.containsKey(n))
+        {
+            return null;
+        }
+
+        Secret nodeSecret = pathSecrets.get(n).deriveSecret(suite, "node");
+        return suite.getHPKE().deriveKeyPair(nodeSecret.value());
+    }
+
+    private void implant(TreeKEMPublicKey pub, NodeIndex start, Secret pathSecret)
+        throws Exception
+    {
+        FilteredDirectPath fdp = pub.getFilteredDirectPath(start);
+        Secret secret = new Secret(pathSecret.value());
+
+        pathSecrets.put(start, secret);
+        privateKeyCache.remove(start);
+
+        for (NodeIndex n : fdp.parents)
+        {
+            secret = secret.deriveSecret(pub.suite, "path");
+            pathSecrets.put(n, secret);
+            privateKeyCache.remove(n);
+        }
+
+        updateSecret = secret.deriveSecret(pub.suite, "path");
+    }
+
+    public Secret getSharedPathSecret(LeafIndex to)
+    {
+        NodeIndex n = index.commonAncestor(to);
+        if (!pathSecrets.containsKey(n))
+        {
+            return new Secret(new byte[0]);
+        }
+        return pathSecrets.get(n);
+    }
+
+}
diff --git a/mls/src/main/java/moe/kyokobot/koe/mls/TreeKEM/TreeKEMPublicKey.java b/mls/src/main/java/moe/kyokobot/koe/mls/TreeKEM/TreeKEMPublicKey.java
new file mode 100644
index 0000000..c5f713c
--- /dev/null
+++ b/mls/src/main/java/moe/kyokobot/koe/mls/TreeKEM/TreeKEMPublicKey.java
@@ -0,0 +1,871 @@
+package moe.kyokobot.koe.mls.TreeKEM;
+
+import java.io.IOException;
+import java.security.InvalidParameterException;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.function.Predicate;
+
+import moe.kyokobot.koe.mls.TreeSize;
+import moe.kyokobot.koe.mls.crypto.MlsCipherSuite;
+import moe.kyokobot.koe.mls.crypto.Secret;
+import moe.kyokobot.koe.mls.protocol.Group;
+import org.bouncycastle.crypto.AsymmetricCipherKeyPair;
+import moe.kyokobot.koe.mls.codec.HPKECiphertext;
+import moe.kyokobot.koe.mls.codec.MLSInputStream;
+import moe.kyokobot.koe.mls.codec.MLSOutputStream;
+import moe.kyokobot.koe.mls.codec.UpdatePath;
+import moe.kyokobot.koe.mls.codec.UpdatePathNode;
+import org.bouncycastle.util.Strings;
+import org.bouncycastle.util.encoders.Hex;
+
+class FilteredDirectPath
+{
+    ArrayList<NodeIndex> parents;
+    ArrayList<ArrayList<NodeIndex>> resolutions;
+
+    public FilteredDirectPath clone()
+    {
+        FilteredDirectPath fdp = new FilteredDirectPath();
+        fdp.parents = new ArrayList<>(parents);
+        fdp.resolutions = new ArrayList<>(resolutions);
+        return fdp;
+    }
+
+    public FilteredDirectPath()
+    {
+        this.parents = new ArrayList<>();
+        this.resolutions = new ArrayList<>();
+    }
+
+    public void reverse()
+    {
+        Collections.reverse(parents);
+        Collections.reverse(resolutions);
+    }
+
+}
+
+public class TreeKEMPublicKey
+    implements MLSInputStream.Readable, MLSOutputStream.Writable
+{
+    MlsCipherSuite suite;
+    TreeSize size;
+    Map<NodeIndex, byte[]> hashes;
+    private final Map<NodeIndex, byte[]> treeHashCache;
+    private final Map<NodeIndex, Integer> exceptCache;
+    ArrayList<OptionalNode> nodes;
+
+    public MlsCipherSuite getSuite()
+    {
+        return suite;
+    }
+
+    public TreeSize getSize()
+    {
+        return size;
+    }
+
+    public static TreeKEMPublicKey clone(TreeKEMPublicKey other)
+        throws IOException
+    {
+        TreeKEMPublicKey tree = (TreeKEMPublicKey)MLSInputStream.decode(MLSOutputStream.encode(other), TreeKEMPublicKey.class);
+        tree.setSuite(other.suite);
+        tree.setHashAll();
+        return tree;
+    }
+
+    public TreeKEMPublicKey(MlsCipherSuite suite)
+        throws IOException
+    {
+        this.suite = suite;
+        hashes = new HashMap<NodeIndex, byte[]>();
+        nodes = new ArrayList<OptionalNode>();
+        treeHashCache = new HashMap<NodeIndex, byte[]>();
+        exceptCache = new HashMap<NodeIndex, Integer>();
+
+        size = TreeSize.forLeaves(0);
+        while (size.width() < nodes.size())
+        {
+            size = TreeSize.forLeaves(size.leafCount() * 2);
+        }
+
+        while (nodes.size() < size.width())
+        {
+            nodes.add(OptionalNode.blankNode());
+        }
+    }
+
+    @SuppressWarnings("unused")
+    public TreeKEMPublicKey(MLSInputStream stream)
+        throws IOException
+    {
+        hashes = new HashMap<NodeIndex, byte[]>();
+        nodes = new ArrayList<OptionalNode>();
+        treeHashCache = new HashMap<NodeIndex, byte[]>();
+        exceptCache = new HashMap<NodeIndex, Integer>();
+        stream.readList(nodes, OptionalNode.class);
+
+        size = TreeSize.forLeaves(1);
+        while (size.width() < nodes.size())
+        {
+            size = TreeSize.forLeaves(size.leafCount() * 2);
+        }
+
+        while (nodes.size() < size.width())
+        {
+            nodes.add(OptionalNode.blankNode());
+        }
+    }
+
+    @Override
+    public void writeTo(MLSOutputStream stream)
+        throws IOException
+    {
+        LeafIndex cut = new LeafIndex((int)size.leafCount() - 1);
+        while (cut.value > 0 && nodeAt(cut).isBlank())
+        {
+            cut.value -= 1;
+        }
+        stream.writeList(nodes.subList(0, (int)(new NodeIndex(cut)).value() + 1));
+    }
+
+    public void setSuite(MlsCipherSuite suite)
+    {
+        this.suite = suite;
+    }
+
+    public String dumpHashes()
+    {
+        StringBuilder sb = new StringBuilder();
+        for (NodeIndex n : hashes.keySet())
+        {
+            sb.append(n.value()).append(" : ");
+            // -DM Hex.toHexString
+            sb.append(Hex.toHexString(hashes.get(n))).append(Strings.lineSeparator());
+        }
+        return sb.toString();
+    }
+
+    public String dump()
+    {
+        StringBuilder sb = new StringBuilder();
+        sb.append("Tree:").append(Strings.lineSeparator());
+        for (int i = 0; i < size.width(); i++)
+        {
+            NodeIndex index = new NodeIndex(i);
+            sb.append(String.format("  %03d : ", i));
+            if (!nodeAt(index).isBlank())
+            {
+                byte[] pkRm = nodeAt(index).node.getPublicKey();
+                // -DM Hex.toHexString
+                sb.append(Hex.toHexString(pkRm, 0, 4));
+            }
+            else
+            {
+                sb.append("        ");
+            }
+
+            sb.append("  | ");
+            for (int j = 0; j < index.level(); j++)
+            {
+                sb.append("  ");
+            }
+
+            if (!nodeAt(index).isBlank())
+            {
+                sb.append("X");
+
+                if (!index.isLeaf())
+                {
+                    ParentNode parent = nodeAt(index).getParentNode();
+                    sb.append(" [");
+                    for (LeafIndex u : parent.unmerged_leaves)
+                    {
+                        sb.append(u.value).append( ", ");
+                    }
+                    sb.append("]");
+                }
+            }
+            else
+            {
+                sb.append("_");
+            }
+            sb.append(Strings.lineSeparator());
+        }
+        sb.append("nodeCount: ").append(nodes.size()).append(Strings.lineSeparator());
+        return sb.toString();
+    }
+
+    public TreeKEMPrivateKey update(LeafIndex from, Secret leafSecret, byte[] groupId, byte[] sigPriv, Group.LeafNodeOptions options)
+        throws Exception
+    {
+        // Grab information about the sender
+        OptionalNode leafNode = nodeAt(from);
+        if (leafNode.isBlank())
+        {
+            throw new Exception("Cannot update from blank node");
+        }
+
+        // Generate path secrets
+        TreeKEMPrivateKey priv = TreeKEMPrivateKey.create(this, from, leafSecret);
+        FilteredDirectPath dp = getFilteredDirectPath(new NodeIndex(from));
+
+        // Encrypt path secrets to the copath, forming a stub UpdatePath with no
+        // encryptions
+        ArrayList<UpdatePathNode> pathNodes = new ArrayList<UpdatePathNode>();
+        for (NodeIndex n : dp.parents)
+        {
+            Secret pathSecret = priv.pathSecrets.get(n);
+            AsymmetricCipherKeyPair nodePriv = priv.setPrivateKey(n, false);
+
+            pathNodes.add(new UpdatePathNode(suite.getHPKE().serializePublicKey(nodePriv.getPublic()), new ArrayList<HPKECiphertext>()));
+        }
+
+        // Update and re-sign the leaf_node
+        byte[][] ph = parentHashes(from, dp, pathNodes);
+        byte[] ph0 = new byte[0];
+        if (ph.length != 0)
+        {
+            ph0 = ph[0];
+        }
+
+        byte[] leafPub = suite.getHPKE().serializePublicKey(priv.setPrivateKey(new NodeIndex(from), false).getPublic());
+        LeafNode newLeaf = leafNode.getLeafNode().forCommit(suite, groupId, from, leafPub, ph0, options, sigPriv);
+
+        // Merge the changes into the tree
+        merge(from, new UpdatePath(newLeaf, pathNodes));
+
+        return priv;
+    }
+
+    public UpdatePath encap(TreeKEMPrivateKey priv, byte[] context, List<LeafIndex> except)
+        throws Exception
+    {
+        FilteredDirectPath dp = getFilteredDirectPath(new NodeIndex(priv.index));
+        List<UpdatePathNode> pathNodes = new ArrayList<UpdatePathNode>();
+        for (int i = 0; i < dp.parents.size(); i++)
+        {
+            NodeIndex n = dp.parents.get(i);
+            List<NodeIndex> res = (List<NodeIndex>)dp.resolutions.get(i).clone();
+            Utils.removeLeaves(res, except);
+
+            Secret pathSecret = priv.pathSecrets.get(n);
+            AsymmetricCipherKeyPair nodePriv = priv.setPrivateKey(n, false);
+
+            List<HPKECiphertext> cts = new ArrayList<HPKECiphertext>();
+            for (NodeIndex nr : res)
+            {
+                byte[] nodePub = nodeAt(nr).node.getPublicKey();
+                byte[][] ctAndEnc = suite.encryptWithLabel(nodePub, "UpdatePathNode", context, pathSecret.value());
+                HPKECiphertext ct = new HPKECiphertext(ctAndEnc[1], ctAndEnc[0]);
+                cts.add(ct);
+            }
+            pathNodes.add(new UpdatePathNode(suite.getHPKE().serializePublicKey(nodePriv.getPublic()), cts));
+        }
+        LeafNode newLeaf = getLeafNode(priv.index);
+        return new UpdatePath(newLeaf, pathNodes);
+    }
+
+    public byte[] getRootHash()
+        throws Exception
+    {
+        NodeIndex r = NodeIndex.root(size);
+        if (!hashes.containsKey(r))
+        {
+            throw new Exception("Root hash not set");
+        }
+
+        return hashes.get(r);
+    }
+
+    public void merge(LeafIndex from, UpdatePath path)
+        throws Exception
+    {
+        nodeAt(from).node = new Node(path.getLeafNode());
+
+        FilteredDirectPath dp = getFilteredDirectPath(new NodeIndex(from));
+
+        if (dp.parents.size() != path.getNodes().size())
+        {
+            throw new Exception("Malformed direct path");
+        }
+
+        byte[][] ph = parentHashes(from, dp, path.getNodes());
+        for (int i = 0; i < dp.parents.size(); i++)
+        {
+            NodeIndex n = dp.parents.get(i);
+
+            byte[] parentHash = new byte[0];
+            if (i < dp.parents.size() - 1)
+            {
+                parentHash = ph[i + 1];
+            }
+
+            nodeAt(n).node = new Node(new ParentNode(path.getNodes().get(i).getEncryptionKey(), parentHash, new ArrayList<LeafIndex>()));
+        }
+
+        clearHashPath(from);
+        setHashAll();
+    }
+
+    public int find(LeafNode leaf)
+    {
+        for (int i = 0; i < size.leafCount(); i++)
+        {
+            LeafIndex index = new LeafIndex(i);
+            OptionalNode node = nodeAt(index);
+            if (!node.isBlank() && node.isLeaf() && node.getLeafNode().equals(leaf))
+            {
+                return i;
+            }
+        }
+        return -1;
+    }
+
+    public boolean hasLeaf(LeafIndex index)
+    {
+        return !nodeAt(index).isBlank();
+    }
+
+    protected FilteredDirectPath getFilteredCommonDirectPath(LeafIndex leaf1, LeafIndex leaf2)
+        throws Exception
+    {
+        FilteredDirectPath xPath = getFilteredDirectPath(new NodeIndex(leaf1));
+        FilteredDirectPath yPath = getFilteredDirectPath(new NodeIndex(leaf2));
+        xPath.reverse();
+        yPath.reverse();
+
+        FilteredDirectPath commonPath = new FilteredDirectPath();
+        for (int i = 0; i < xPath.parents.size(); i++)
+        {
+            if (xPath.parents.get(i).value() == yPath.parents.get(i).value())
+            {
+                commonPath.parents.add(xPath.parents.get(i));
+                commonPath.resolutions.add(yPath.resolutions.get(i));
+            }
+            else
+            {
+                break;
+            }
+        }
+        commonPath.reverse();
+        return commonPath;
+    }
+
+    protected FilteredDirectPath getFilteredDirectPath(NodeIndex index)
+        throws Exception
+    {
+        FilteredDirectPath fdp = new FilteredDirectPath();
+        List<NodeIndex> cp = index.copath(size);
+
+        for (NodeIndex n : cp)
+        {
+            NodeIndex p = n.parent();
+            ArrayList<NodeIndex> res = resolve(n);
+
+            if (res.isEmpty())
+            {
+                continue;
+            }
+
+            fdp.parents.add(p);
+            fdp.resolutions.add(res);
+        }
+        return fdp;
+    }
+
+    public LeafNode getLeafNode(LeafIndex index)
+    {
+        OptionalNode node = nodeAt(index);
+        if (!node.isLeaf())
+        {
+            return null;
+        }
+
+        return node.getLeafNode();
+    }
+
+    public ArrayList<NodeIndex> resolve(NodeIndex index)
+    {
+        boolean atLeaf = (index.level() == 0);
+        if (!nodeAt(index).isBlank())
+        {
+            ArrayList<NodeIndex> out = new ArrayList<NodeIndex>();
+            out.add(index);
+            if (index.isLeaf())
+            {
+                return out;
+            }
+
+            OptionalNode node = nodeAt(index);
+            List<LeafIndex> unmerged = node.getParentNode().unmerged_leaves;
+
+            for (LeafIndex lindex : unmerged)
+            {
+                out.add(new NodeIndex(lindex));
+            }
+            return out;
+        }
+
+        if (atLeaf)
+        {
+            return new ArrayList<NodeIndex>();
+        }
+
+        ArrayList<NodeIndex> l = resolve(index.left());
+        ArrayList<NodeIndex> r = resolve(index.right());
+
+        l.addAll(r);
+        return l;
+    }
+
+    public LeafIndex allocateLeaf()
+    {
+        LeafIndex index = new LeafIndex(0);
+        while (index.value < size.leafCount() && !nodeAt(index).isBlank())
+        {
+            index.value++;
+        }
+
+        // Update tree size
+        if (index.value >= size.leafCount())
+        {
+            if (size.leafCount() == 0)
+            {
+                size = TreeSize.forLeaves(1);
+            }
+            else
+            {
+                size = TreeSize.forLeaves(size.leafCount() * 2);
+            }
+        }
+        return index;
+    }
+
+    public LeafIndex addLeaf(LeafNode leaf)
+    {
+        LeafIndex index = new LeafIndex(0);
+        while (index.value < size.leafCount() && !nodeAt(index).isBlank())
+        {
+            index.value++;
+        }
+
+        // Update tree size
+        if (index.value >= size.leafCount())
+        {
+            if (size.leafCount() == 0)
+            {
+                size = TreeSize.forLeaves(1);
+            }
+            else
+            {
+                size = TreeSize.forLeaves(size.leafCount() * 2);
+            }
+        }
+        while (nodes.size() < size.width())
+        {
+            nodes.add(OptionalNode.blankNode());
+        }
+
+        // Set the leaf
+        nodeAt(index).node = new Node(leaf);
+
+        List<NodeIndex> dp = index.directPath(size);
+
+        // Update the unmerged list
+        for (NodeIndex n : dp)
+        {
+            if (nodeAt(n).node == null)
+            {
+                continue;
+            }
+            ParentNode parent = nodeAt(n).getParentNode();
+            int insertPoint = upperBound(parent.unmerged_leaves, index);
+            parent.unmerged_leaves.add(insertPoint, index);
+        }
+
+        clearHashPath(index);
+        return index;
+    }
+
+    private void clearHashPath(LeafIndex index)
+    {
+        hashes.remove(new NodeIndex(index));
+        for (NodeIndex n : index.directPath(size))
+        {
+            hashes.remove(n);
+        }
+    }
+
+    int upperBound(List<LeafIndex> list, LeafIndex index)
+    {
+        int lo = 0;
+        int hi = list.size() - 1;
+
+        while (lo <= hi)
+        {
+            int mid = (lo + hi) / 2;
+
+            if (list.get(mid).value <= index.value)
+            {
+                lo = mid + 1;
+            }
+            else
+            {
+                hi = mid - 1;
+            }
+        }
+
+        return lo;
+    }
+
+    public void updateLeaf(LeafIndex index, LeafNode leaf)
+    {
+        blankPath(index);
+        nodeAt(index).node = new Node(leaf);
+        clearHashPath(index);
+    }
+
+    public void blankPath(LeafIndex index)
+    {
+        if (nodes.isEmpty())
+        {
+            return;
+        }
+        NodeIndex ni = new NodeIndex(index);
+        nodeAt(ni).node = null;
+        for (NodeIndex n :
+            index.directPath(size))
+        {
+            nodeAt(n).node = null;
+        }
+
+        clearHashPath(index);
+    }
+
+    private OptionalNode nodeAt(LeafIndex n)
+    {
+        return nodeAt(new NodeIndex(n));
+    }
+
+    OptionalNode nodeAt(NodeIndex n)
+    {
+        long width = size.width();
+        if (n.value() >= width)
+        {
+            throw new InvalidParameterException("Node index not in tree");
+        }
+        if (n.value() >= nodes.size())
+        {
+            return OptionalNode.blankNode();
+        }
+        return nodes.get((int)n.value());
+    }
+
+    public void truncate()
+    {
+        long w = size.width();
+        if (size.leafCount() == 0)
+        {
+            return;
+        }
+
+        // clear the parent hashes across blank leaves
+        LeafIndex index = new LeafIndex((int)size.leafCount() - 1);
+        while (index.value > 0)
+        {
+            if (!nodeAt(index).isBlank())
+            {
+                break;
+            }
+            clearHashPath(index);
+            index.value--;
+        }
+
+        if (nodeAt(index).isBlank())
+        {
+            nodes.clear();
+            return;
+        }
+
+        // Remove the right subtree until the tree is of minimal size
+        while (size.leafCount() / 2 > index.value)
+        {
+            nodes.subList(nodes.size() / 2, nodes.size()).clear();
+            size = TreeSize.forLeaves(size.leafCount() / 2);
+        }
+    }
+
+    public void setHashAll()
+        throws IOException
+    {
+        NodeIndex r = NodeIndex.root(size);
+        getHash(r);
+    }
+
+    private byte[][] parentHashes(LeafIndex from, FilteredDirectPath fdp, List<UpdatePathNode> nodes)
+        throws Exception
+    {
+        NodeIndex fromNode = new NodeIndex(from);
+        FilteredDirectPath dp = fdp.clone();
+
+        // removing root from fdp
+        dp.parents.remove(dp.parents.size() - 1);
+        dp.resolutions.remove(dp.resolutions.size() - 1);
+
+        // special case of one-leaf tree
+        if (!fromNode.equals(NodeIndex.root(size)))
+        {
+            dp.parents.add(0, fromNode);
+            dp.resolutions.add(0, new ArrayList<NodeIndex>());
+        }
+
+        if (dp.parents.size() != nodes.size())
+        {
+            throw new Exception("Malformed UpdatePath");
+        }
+
+        // Parent hash for all the parents, starting from the root
+        NodeIndex last = NodeIndex.root(size);
+        byte[] lastHash = new byte[0];
+        byte[][] ph = new byte[dp.parents.size()][];
+
+        for (int i = dp.parents.size() - 1; i >= 0; i--)
+        {
+            NodeIndex n = dp.parents.get(i);
+            NodeIndex s = n.sibling(last);
+
+            ParentNode parentNode = new ParentNode(nodes.get(i).getEncryptionKey(), lastHash, new ArrayList<LeafIndex>());
+            lastHash = getParentHash(parentNode, s);
+            ph[i] = lastHash;
+
+            last = n;
+        }
+
+        return ph;
+    }
+
+    private byte[] getParentHash(ParentNode parent, NodeIndex cpChild)
+        throws Exception
+    {
+        if (!hashes.containsKey(cpChild))
+        {
+            throw new Exception("Child hash not set");
+        }
+
+        ParentHashInput hashInput = new ParentHashInput(
+            parent.encryptionKey,
+            parent.parentHash,
+            hashes.get(cpChild)
+        );
+
+        return suite.hash(MLSOutputStream.encode(hashInput));
+    }
+
+    public boolean verifyParentHash(LeafIndex from, UpdatePath path)
+        throws Exception
+    {
+        FilteredDirectPath fdp = getFilteredDirectPath(new NodeIndex(from));
+        byte[][] hashChain = parentHashes(from, fdp, path.getNodes());
+        if (hashChain.length == 0)
+        {
+            return path.getLeafNode().leaf_node_source != LeafNodeSource.COMMIT;
+        }
+        return Arrays.equals(path.getLeafNode().parent_hash, hashChain[0]);
+    }
+
+    public boolean verifyParentHash()
+        throws IOException
+    {
+        long width = size.width();
+        long height = NodeIndex.root(size).level();
+
+        for (int level = 1; level <= height; level++)
+        {
+            long stride = 2L << level;
+            int start = (int)((stride >>> 1) - 1);
+
+            for (int p = start; p < width; p += stride)
+            {
+                NodeIndex pIndex = new NodeIndex(p);
+                if (nodeAt(pIndex).isBlank())
+                {
+                    continue;
+                }
+
+                NodeIndex l = pIndex.left();
+                NodeIndex r = pIndex.right();
+
+                byte[] lh = originalParentHash(pIndex, r);
+                byte[] rh = originalParentHash(pIndex, l);
+
+                if (!hasParentHash(l, lh) && !hasParentHash(r, rh))
+                {
+                    dump();
+                    return false;
+                }
+            }
+        }
+        return true;
+    }
+
+    private boolean hasParentHash(NodeIndex child, byte[] targetParentHash)
+    {
+        ArrayList<NodeIndex> res = resolve(child);
+        for (NodeIndex n : res)
+        {
+            if (Arrays.equals(nodeAt(n).node.getParentHash(), targetParentHash))
+            {
+                return true;
+            }
+        }
+        return false;
+    }
+
+    private byte[] originalTreeHash(NodeIndex index, List<LeafIndex> parentExcept)
+        throws IOException
+    {
+        List<LeafIndex> except = new ArrayList<LeafIndex>();
+        for (LeafIndex i : parentExcept)
+        {
+            NodeIndex n = new NodeIndex(i);
+            if (n.isBelow(index))
+            {
+                except.add(i);
+            }
+        }
+        boolean haveLocalChanges = !except.isEmpty();
+
+        // If there are no local changes, then we can use the cached tree hash
+        if (!haveLocalChanges)
+        {
+            return hashes.get(index);
+        }
+
+        // If this method has been called before with the same number of excluded
+        // leaves (which implies the same set), then use the cached value.
+        if (treeHashCache.containsKey(index))
+        {
+            if (exceptCache.get(index) == except.size())
+            {
+                return treeHashCache.get(index);
+            }
+        }
+
+        // If there is no entry in either cache, recompute the value
+        byte[] hash;
+
+        if (index.isLeaf())
+        {
+            // A leaf node with local changes is by definition excluded from the parent
+            // hash.  So we return the hash of an empty leaf.
+            LeafNodeHashInput leafHashInput = new LeafNodeHashInput(new LeafIndex(index), null);
+            hash = suite.hash(MLSOutputStream.encode(TreeHashInput.forLeafNode(leafHashInput)));
+        }
+        else
+        {
+            // If there is no cached value, recalculate the child hashes with the
+            // specified `except` list, removing the `except` list from
+            // `unmerged_leaves`.
+            ParentNodeHashInput parentHashInput = new ParentNodeHashInput(
+                null,
+                originalTreeHash(index.left(), except),
+                originalTreeHash(index.right(), except)
+            );
+
+            if (!nodeAt(index).isBlank())
+            {
+                parentHashInput.parentNode = nodeAt(index).getParentNode();
+
+                List<LeafIndex> unmergedOriginal = new ArrayList<LeafIndex>(parentHashInput.parentNode.unmerged_leaves);
+                parentHashInput.parentNode.unmerged_leaves.removeAll(except);
+
+                hash = suite.hash(MLSOutputStream.encode(TreeHashInput.forParentNode(parentHashInput)));
+
+                // Revert the unmerged Array
+                parentHashInput.parentNode.unmerged_leaves = unmergedOriginal;
+            }
+            else
+            {
+                hash = suite.hash(MLSOutputStream.encode(TreeHashInput.forParentNode(parentHashInput)));
+            }
+
+
+        }
+
+        treeHashCache.put(index, hash);
+        exceptCache.put(index, except.size());
+        return hash;
+    }
+
+    private byte[] originalParentHash(NodeIndex parent, NodeIndex sibling)
+        throws IOException
+    {
+        ParentNode parentNode = nodeAt(parent).getParentNode();
+        byte[] siblingHash = originalTreeHash(sibling, parentNode.unmerged_leaves);
+        return suite.hash(MLSOutputStream.encode(new ParentHashInput(
+            parentNode.encryptionKey,
+            parentNode.parentHash,
+            siblingHash
+        )));
+    }
+
+    public byte[] getHash(NodeIndex index)
+        throws IOException
+    {
+        if (hashes.containsKey(index))
+        {
+            return hashes.get(index);
+        }
+
+        byte[] hashInput;
+        OptionalNode node = nodeAt(index);
+        if (index.level() == 0)
+        {
+            LeafNodeHashInput input = new LeafNodeHashInput(new LeafIndex(index), null);
+            if (!node.isBlank())
+            {
+                input.leafNode = node.getLeafNode();
+            }
+            hashInput = MLSOutputStream.encode(TreeHashInput.forLeafNode(input));
+        }
+        else
+        {
+            ParentNodeHashInput input = new ParentNodeHashInput(
+                null,
+                getHash(index.left()),
+                getHash(index.right())
+            );
+            if (!node.isBlank())
+            {
+                input.parentNode = node.getParentNode();
+            }
+
+            hashInput = MLSOutputStream.encode(TreeHashInput.forParentNode(input));
+        }
+
+        byte[] hash = suite.hash(hashInput);
+        hashes.put(index, hash);
+        return hashes.get(index);
+    }
+
+    public boolean allLeaves(Predicate<LeafNode> predicate) {
+        for (var i = new LeafIndex(0); i.value() < getSize().leafCount(); i.value++) {
+            var leaf = getLeafNode(i);
+            if (leaf == null) {
+                continue;
+            }
+
+            if (!predicate.test(leaf)) {
+                return false;
+            }
+        }
+
+        return true;
+    }
+}
diff --git a/mls/src/main/java/moe/kyokobot/koe/mls/TreeKEM/Utils.java b/mls/src/main/java/moe/kyokobot/koe/mls/TreeKEM/Utils.java
new file mode 100644
index 0000000..eeedfed
--- /dev/null
+++ b/mls/src/main/java/moe/kyokobot/koe/mls/TreeKEM/Utils.java
@@ -0,0 +1,16 @@
+package moe.kyokobot.koe.mls.TreeKEM;
+
+import java.util.List;
+
+public class Utils
+{
+
+    static protected void removeLeaves(List<NodeIndex> res, List<LeafIndex> except)
+    {
+        for (LeafIndex leaf : except)
+        {
+            res.remove(new NodeIndex(leaf));
+        }
+    }
+
+}
diff --git a/mls/src/main/java/moe/kyokobot/koe/mls/TreeSize.java b/mls/src/main/java/moe/kyokobot/koe/mls/TreeSize.java
new file mode 100644
index 0000000..15d15d5
--- /dev/null
+++ b/mls/src/main/java/moe/kyokobot/koe/mls/TreeSize.java
@@ -0,0 +1,35 @@
+package moe.kyokobot.koe.mls;
+
+public class TreeSize
+{
+    private final long leafCount;
+    private final long depth;
+
+    private TreeSize(long leafCount, long depth)
+    {
+        this.leafCount = leafCount;
+        this.depth = depth;
+    }
+
+    public static TreeSize forLeaves(long leafCount)
+    {
+        assert leafCount >= 0;
+        long depth = Long.SIZE - Long.numberOfLeadingZeros(leafCount - 1);
+        return new TreeSize(leafCount, depth);
+    }
+
+    public long depth()
+    {
+        return depth;
+    }
+
+    public long leafCount()
+    {
+        return leafCount;
+    }
+
+    public long width()
+    {
+        return (1L << (depth + 1)) - 1;
+    }
+}
diff --git a/mls/src/main/java/moe/kyokobot/koe/mls/codec/AuthenticatedContent.java b/mls/src/main/java/moe/kyokobot/koe/mls/codec/AuthenticatedContent.java
new file mode 100644
index 0000000..a108e84
--- /dev/null
+++ b/mls/src/main/java/moe/kyokobot/koe/mls/codec/AuthenticatedContent.java
@@ -0,0 +1,168 @@
+package moe.kyokobot.koe.mls.codec;
+
+import java.io.IOException;
+
+import moe.kyokobot.koe.mls.crypto.MlsCipherSuite;
+
+public class AuthenticatedContent
+    implements MLSInputStream.Readable, MLSOutputStream.Writable
+{
+    WireFormat wireFormat;
+
+    FramedContent content;
+    FramedContentAuthData auth;
+
+    public FramedContent getContent()
+    {
+        return content;
+    }
+
+    public WireFormat getWireFormat()
+    {
+        return wireFormat;
+    }
+
+    public void setConfirmationTag(byte[] tag)
+    {
+        auth.confirmation_tag = tag;
+    }
+
+    public byte[] getConfirmationTag()
+    {
+        return auth.confirmation_tag;
+    }
+
+    public byte[] getConfirmedTranscriptHashInput()
+        throws IOException
+    {
+        return MLSOutputStream.encode(new ConfirmedTranscriptHashInput(wireFormat, content, auth.signature));
+    }
+
+    public byte[] getInterimTranscriptHashInput()
+        throws IOException
+    {
+        return MLSOutputStream.encode(new InterimTranscriptHashInput(auth.confirmation_tag));
+    }
+
+    public AuthenticatedContent(WireFormat wireFormat, FramedContent content, FramedContentAuthData auth) throws Exception
+    {
+        this.wireFormat = wireFormat;
+        this.content = content;
+        this.auth = auth;
+
+        if (auth.contentType == ContentType.APPLICATION)
+        {
+            if (wireFormat != WireFormat.mls_private_message)
+            {
+                throw new Exception("Unencrypted application message");
+            }
+            else if (content.sender.senderType != SenderType.MEMBER)
+            {
+                throw new Exception("sender must be a member");
+            }
+        }
+    }
+
+    public static AuthenticatedContent sign(WireFormat wireFormat, FramedContent content, MlsCipherSuite suite, byte[] sigPriv, byte[] groupContext)
+        throws Exception
+    {
+        if (wireFormat == WireFormat.mls_public_message &&
+            content.contentType == ContentType.APPLICATION)
+        {
+            throw new Exception("Application data cannot be sent as PublicMessage");
+        }
+        FramedContentTBS tbs = new FramedContentTBS(wireFormat, content, groupContext);
+        byte[] signature = suite.signWithLabel(sigPriv, "FramedContentTBS", MLSOutputStream.encode(tbs));
+        FramedContentAuthData auth = new FramedContentAuthData(content.contentType, signature, null);
+        return new AuthenticatedContent(wireFormat, content, auth);
+    }
+
+    public boolean verify(MlsCipherSuite suite, byte[] sigPub, byte[] context)
+        throws IOException
+    {
+        if (wireFormat == WireFormat.mls_public_message &&
+            content.contentType == ContentType.APPLICATION)
+        {
+            return false;
+        }
+
+        FramedContentTBS tbs = new FramedContentTBS(wireFormat, content, context);
+        return suite.verifyWithLabel(sigPub, "FramedContentTBS", MLSOutputStream.encode(tbs), auth.signature);
+    }
+
+    @SuppressWarnings("unused")
+    public AuthenticatedContent(MLSInputStream stream)
+        throws IOException
+    {
+        this.wireFormat = WireFormat.values()[(short)stream.read(short.class)];
+        content = (FramedContent)stream.read(FramedContent.class);
+        auth = new FramedContentAuthData(stream, content.contentType);
+    }
+
+    @Override
+    public void writeTo(MLSOutputStream stream)
+        throws IOException
+    {
+        stream.write(wireFormat);
+        stream.write(content);
+        stream.write(auth);
+    }
+}
+
+class ConfirmedTranscriptHashInput
+    implements MLSInputStream.Readable, MLSOutputStream.Writable
+{
+    WireFormat wireFormat;
+    FramedContent content;
+    byte[] signature;
+
+    public ConfirmedTranscriptHashInput(WireFormat wireFormat, FramedContent content, byte[] signature)
+    {
+        this.wireFormat = wireFormat;
+        this.content = content;
+        this.signature = signature;
+    }
+
+    @SuppressWarnings("unused")
+    public ConfirmedTranscriptHashInput(MLSInputStream stream)
+        throws IOException
+    {
+        this.wireFormat = WireFormat.values()[(short)stream.read(short.class)];
+        content = (FramedContent)stream.read(FramedContent.class);
+        signature = stream.readOpaque();
+    }
+
+    @Override
+    public void writeTo(MLSOutputStream stream)
+        throws IOException
+    {
+        stream.write(wireFormat);
+        stream.write(content);
+        stream.writeOpaque(signature);
+    }
+}
+
+class InterimTranscriptHashInput
+    implements MLSInputStream.Readable, MLSOutputStream.Writable
+{
+    byte[] confirmation_tag;
+
+    public InterimTranscriptHashInput(byte[] confirmation_tag)
+    {
+        this.confirmation_tag = confirmation_tag;
+    }
+
+    @SuppressWarnings("unused")
+    public InterimTranscriptHashInput(MLSInputStream stream)
+        throws IOException
+    {
+        confirmation_tag = stream.readOpaque();
+    }
+
+    @Override
+    public void writeTo(MLSOutputStream stream)
+        throws IOException
+    {
+        stream.writeOpaque(confirmation_tag);
+    }
+}
diff --git a/mls/src/main/java/moe/kyokobot/koe/mls/codec/Capabilities.java b/mls/src/main/java/moe/kyokobot/koe/mls/codec/Capabilities.java
new file mode 100644
index 0000000..425891a
--- /dev/null
+++ b/mls/src/main/java/moe/kyokobot/koe/mls/codec/Capabilities.java
@@ -0,0 +1,76 @@
+package moe.kyokobot.koe.mls.codec;
+
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
+
+import moe.kyokobot.koe.mls.crypto.MlsCipherSuite;
+
+public class Capabilities
+        implements MLSInputStream.Readable, MLSOutputStream.Writable {
+    static private final Short[] DEFAULT_SUPPORTED_VERSIONS = {ProtocolVersion.mls10.value};
+    static private final short[] DEFAULT_SUPPORTED_CIPHERSUITES = MlsCipherSuite.ALL_SUPPORTED_SUITES;
+    static private final Short[] DEFAULT_SUPPORTED_CREDENTIALS = {CredentialType.basic.value, CredentialType.x509.value};
+    List<Short> versions;
+    List<Short> cipherSuites;
+    List<Short> extensions;
+    List<Short> proposals;
+    List<Short> credentials;
+
+    public Capabilities() {
+        versions = Arrays.asList(DEFAULT_SUPPORTED_VERSIONS);
+        cipherSuites = new ArrayList<>();
+        for (short suite : DEFAULT_SUPPORTED_CIPHERSUITES) {
+            cipherSuites.add(suite);
+        }
+        extensions = new ArrayList<>();
+        proposals = new ArrayList<>();
+        credentials = Arrays.asList(DEFAULT_SUPPORTED_CREDENTIALS);
+    }
+
+    public List<Short> getVersions() {
+        return versions;
+    }
+
+    public List<Short> getCipherSuites() {
+        return cipherSuites;
+    }
+
+    public List<Short> getExtensions() {
+        return extensions;
+    }
+
+    public List<Short> getProposals() {
+        return proposals;
+    }
+
+    public List<Short> getCredentials() {
+        return credentials;
+    }
+
+    @SuppressWarnings("unused")
+    Capabilities(MLSInputStream stream)
+            throws IOException {
+        versions = new ArrayList<>();
+        cipherSuites = new ArrayList<>();
+        extensions = new ArrayList<>();
+        proposals = new ArrayList<>();
+        credentials = new ArrayList<>();
+        stream.readList(versions, short.class);
+        stream.readList(cipherSuites, short.class);
+        stream.readList(extensions, short.class);
+        stream.readList(proposals, short.class);
+        stream.readList(credentials, short.class);
+    }
+
+    @Override
+    public void writeTo(MLSOutputStream stream)
+            throws IOException {
+        stream.writeList(versions);
+        stream.writeList(cipherSuites);
+        stream.writeList(extensions);
+        stream.writeList(proposals);
+        stream.writeList(credentials);
+    }
+}
diff --git a/mls/src/main/java/moe/kyokobot/koe/mls/codec/Certificate.java b/mls/src/main/java/moe/kyokobot/koe/mls/codec/Certificate.java
new file mode 100644
index 0000000..5ca2236
--- /dev/null
+++ b/mls/src/main/java/moe/kyokobot/koe/mls/codec/Certificate.java
@@ -0,0 +1,22 @@
+package moe.kyokobot.koe.mls.codec;
+
+import java.io.IOException;
+
+public class Certificate
+    implements MLSInputStream.Readable, MLSOutputStream.Writable
+{
+    byte[] cert_data;
+
+    Certificate(MLSInputStream stream)
+        throws IOException
+    {
+        cert_data = stream.readOpaque();
+    }
+
+    @Override
+    public void writeTo(MLSOutputStream stream)
+        throws IOException
+    {
+        stream.writeOpaque(cert_data);
+    }
+}
diff --git a/mls/src/main/java/moe/kyokobot/koe/mls/codec/Commit.java b/mls/src/main/java/moe/kyokobot/koe/mls/codec/Commit.java
new file mode 100644
index 0000000..6d81da5
--- /dev/null
+++ b/mls/src/main/java/moe/kyokobot/koe/mls/codec/Commit.java
@@ -0,0 +1,87 @@
+package moe.kyokobot.koe.mls.codec;
+
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.List;
+
+public class Commit
+    implements MLSInputStream.Readable, MLSOutputStream.Writable
+{
+    List<ProposalOrRef> proposals;
+    UpdatePath updatePath;
+
+    public List<ProposalOrRef> getProposals()
+    {
+        return proposals;
+    }
+
+    public void setUpdatePath(UpdatePath updatePath)
+    {
+        this.updatePath = updatePath;
+    }
+
+    public UpdatePath getUpdatePath()
+    {
+        return updatePath;
+    }
+
+    public byte[] validityExternal()
+    {
+        // External Commits MUST contain a path field (and is therefore a "full"
+        // Commit). The joiner is added at the leftmost free leaf node (just as if
+        // they were added with an Add proposal), and the path is calculated relative
+        // to that leaf node.
+
+        // The Commit MUST NOT include any proposals by reference, since an external
+        // joiner cannot determine the validity of proposals sent within the group
+        for (ProposalOrRef p : proposals)
+        {
+            if (p.type == ProposalOrRefType.REFERENCE)
+            {
+                return null;
+            }
+        }
+        if (updatePath == null)
+        {
+            return null;
+        }
+
+        int extIndex;
+        for (extIndex = 0; extIndex < proposals.size(); extIndex++)
+        {
+            if (proposals.get(extIndex).proposal.getProposalType() == ProposalType.EXTERNAL_INIT)
+            {
+                break;
+            }
+        }
+        if (extIndex == proposals.size())
+        {
+            return null;
+        }
+
+        return proposals.get(extIndex).proposal.externalInit.kemOutput;
+    }
+
+    public Commit()
+    {
+        this.proposals = new ArrayList<ProposalOrRef>();
+    }
+
+    @SuppressWarnings("unused")
+    Commit(MLSInputStream stream)
+        throws IOException
+    {
+        proposals = new ArrayList<ProposalOrRef>();
+        stream.readList(proposals, ProposalOrRef.class);
+
+        updatePath = (UpdatePath)stream.readOptional(UpdatePath.class);
+    }
+
+    @Override
+    public void writeTo(MLSOutputStream stream)
+        throws IOException
+    {
+        stream.writeList(proposals);
+        stream.writeOptional(updatePath);
+    }
+}
diff --git a/mls/src/main/java/moe/kyokobot/koe/mls/codec/ContentType.java b/mls/src/main/java/moe/kyokobot/koe/mls/codec/ContentType.java
new file mode 100644
index 0000000..aba1f22
--- /dev/null
+++ b/mls/src/main/java/moe/kyokobot/koe/mls/codec/ContentType.java
@@ -0,0 +1,33 @@
+package moe.kyokobot.koe.mls.codec;
+
+import java.io.IOException;
+
+public enum ContentType
+    implements MLSInputStream.Readable, MLSOutputStream.Writable
+{
+    RESERVED((byte)0),
+    APPLICATION((byte)1),
+    PROPOSAL((byte)2),
+    COMMIT((byte)3);
+
+    final byte value;
+
+    ContentType(byte value)
+    {
+        this.value = value;
+    }
+
+    @SuppressWarnings("unused")
+    ContentType(MLSInputStream stream)
+        throws IOException
+    {
+        this.value = (byte)stream.read(byte.class);
+    }
+
+    @Override
+    public void writeTo(MLSOutputStream stream)
+        throws IOException
+    {
+        stream.write(value);
+    }
+}
diff --git a/mls/src/main/java/moe/kyokobot/koe/mls/codec/Credential.java b/mls/src/main/java/moe/kyokobot/koe/mls/codec/Credential.java
new file mode 100644
index 0000000..8a04daf
--- /dev/null
+++ b/mls/src/main/java/moe/kyokobot/koe/mls/codec/Credential.java
@@ -0,0 +1,84 @@
+package moe.kyokobot.koe.mls.codec;
+
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.List;
+
+public class Credential
+    implements MLSInputStream.Readable, MLSOutputStream.Writable
+
+{
+    CredentialType credentialType;
+    byte[] identity;
+    List<Certificate> certificates;
+
+    public CredentialType getCredentialType()
+    {
+        return credentialType;
+    }
+
+    public byte[] getIdentity()
+    {
+        return identity;
+    }
+
+    static public Credential forBasic(byte[] identity)
+    {
+        return new Credential(CredentialType.basic, identity, new ArrayList<Certificate>());
+    }
+
+    public Credential(CredentialType credentialType, byte[] identity, List<Certificate> certificates)
+    {
+        this.credentialType = credentialType;
+        this.identity = identity;
+        this.certificates = certificates;
+    }
+
+    @SuppressWarnings("unused")
+    Credential(MLSInputStream stream)
+        throws IOException
+    {
+        short credType = (short)stream.read(short.class);
+        if (Grease.isGrease(credType) == -1)
+        {
+            this.credentialType = CredentialType.values()[credType];
+        }
+        else
+        {
+            this.credentialType = CredentialType.values()[3 + Grease.isGrease(credType)];
+        }
+        switch (credentialType)
+        {
+        case basic:
+            identity = stream.readOpaque();
+            break;
+        case x509:
+            certificates = new ArrayList<Certificate>();
+            stream.readList(certificates, Certificate.class);
+            break;
+        }
+    }
+
+    @Override
+    public void writeTo(MLSOutputStream stream)
+        throws IOException
+    {
+        if (Grease.isGrease(credentialType.value) == -1)
+        {
+            stream.write(credentialType);
+        }
+        else
+        {
+            //TODO: check if we write grease values or not
+        }
+        switch (credentialType)
+        {
+        case basic:
+            stream.writeOpaque(identity);
+            break;
+        case x509:
+            stream.writeList(certificates);
+            break;
+        }
+    }
+}
diff --git a/mls/src/main/java/moe/kyokobot/koe/mls/codec/CredentialType.java b/mls/src/main/java/moe/kyokobot/koe/mls/codec/CredentialType.java
new file mode 100644
index 0000000..82c37d0
--- /dev/null
+++ b/mls/src/main/java/moe/kyokobot/koe/mls/codec/CredentialType.java
@@ -0,0 +1,51 @@
+package moe.kyokobot.koe.mls.codec;
+
+import java.io.IOException;
+
+public enum CredentialType
+    implements MLSInputStream.Readable, MLSOutputStream.Writable
+{
+    RESERVED((short)0),
+    basic((short)1),
+    x509((short)2),
+    GREASE_0((short)0x0A0A),
+    GREASE_1((short)0x1A1A),
+    GREASE_2((short)0x2A2A),
+    GREASE_3((short)0x3A3A),
+    GREASE_4((short)0x4A4A),
+    GREASE_5((short)0x5A5A),
+    GREASE_6((short)0x6A6A),
+    GREASE_7((short)0x7A7A),
+    GREASE_8((short)0x8A8A),
+    GREASE_9((short)0x9A9A),
+    GREASE_A((short)0xAAAA),
+    GREASE_B((short)0xBABA),
+    GREASE_C((short)0xCACA),
+    GREASE_D((short)0xDADA),
+    GREASE_E((short)0xEAEA);
+
+    final short value;
+
+    CredentialType(short value)
+    {
+        this.value = value;
+    }
+
+    @SuppressWarnings("unused")
+    CredentialType(MLSInputStream stream)
+        throws IOException
+    {
+        this.value = (short)stream.read(short.class);
+    }
+
+    public short getValue() {
+        return value;
+    }
+
+    @Override
+    public void writeTo(MLSOutputStream stream)
+        throws IOException
+    {
+        stream.write(value);
+    }
+}
diff --git a/mls/src/main/java/moe/kyokobot/koe/mls/codec/EncryptedGroupSecrets.java b/mls/src/main/java/moe/kyokobot/koe/mls/codec/EncryptedGroupSecrets.java
new file mode 100644
index 0000000..d330631
--- /dev/null
+++ b/mls/src/main/java/moe/kyokobot/koe/mls/codec/EncryptedGroupSecrets.java
@@ -0,0 +1,33 @@
+package moe.kyokobot.koe.mls.codec;
+
+import java.io.IOException;
+
+public class EncryptedGroupSecrets
+    implements MLSInputStream.Readable, MLSOutputStream.Writable
+{
+
+    byte[] new_member; // KeyPackageRaf
+    HPKECiphertext encrypted_group_secrets;
+
+    public EncryptedGroupSecrets(byte[] new_member, HPKECiphertext encrypted_group_secrets)
+    {
+        this.new_member = new_member;
+        this.encrypted_group_secrets = encrypted_group_secrets;
+    }
+
+    @SuppressWarnings("unused")
+    EncryptedGroupSecrets(MLSInputStream stream)
+        throws IOException
+    {
+        new_member = stream.readOpaque();
+        encrypted_group_secrets = (HPKECiphertext)stream.read(HPKECiphertext.class);
+    }
+
+    @Override
+    public void writeTo(MLSOutputStream stream)
+        throws IOException
+    {
+        stream.writeOpaque(new_member);
+        stream.write(encrypted_group_secrets);
+    }
+}
diff --git a/mls/src/main/java/moe/kyokobot/koe/mls/codec/Extension.java b/mls/src/main/java/moe/kyokobot/koe/mls/codec/Extension.java
new file mode 100644
index 0000000..a47fd27
--- /dev/null
+++ b/mls/src/main/java/moe/kyokobot/koe/mls/codec/Extension.java
@@ -0,0 +1,102 @@
+package moe.kyokobot.koe.mls.codec;
+
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.List;
+
+import moe.kyokobot.koe.mls.TreeKEM.TreeKEMPublicKey;
+
+public class Extension
+    implements MLSInputStream.Readable, MLSOutputStream.Writable
+{
+    public ExtensionType extensionType;
+    public byte[] extension_data;
+
+    public Extension(ExtensionType extensionType, byte[] extension_data)
+    {
+        this.extensionType = extensionType;
+        this.extension_data = extension_data;
+    }
+
+    public Extension(int extensionType, byte[] extension_data)
+    {
+        short extType = (short)extensionType;
+        if (Grease.isGrease(extType) == -1)
+        {
+            this.extensionType = ExtensionType.values()[extType];
+        }
+        else
+        {
+            this.extensionType = ExtensionType.values()[6 + Grease.isGrease(extType)];
+        }
+        this.extension_data = extension_data;
+    }
+
+    static public Extension externalSender(List<ExternalSender> list)
+        throws IOException
+    {
+        MLSOutputStream stream = new MLSOutputStream();
+        stream.writeList(list);
+        return new Extension(ExtensionType.EXTERNAL_SENDERS, stream.toByteArray());
+    }
+
+    public byte[] getExternalPub()
+        throws IOException
+    {
+        if (extensionType == ExtensionType.EXTERNAL_PUB)
+        {
+            MLSInputStream stream = new MLSInputStream(extension_data);
+            byte[] output = stream.readOpaque();
+            return output;
+        }
+        return null;
+    }
+
+    @SuppressWarnings("unused")
+    Extension(MLSInputStream stream)
+        throws IOException
+    {
+        short extType = (short)stream.read(short.class);
+        if (Grease.isGrease(extType) == -1)
+        {
+            this.extensionType = ExtensionType.values()[extType];
+        }
+        else
+        {
+            this.extensionType = ExtensionType.values()[6 + Grease.isGrease(extType)];
+        }
+        this.extension_data = stream.readOpaque();
+    }
+
+    public List<ExternalSender> getSenders()
+        throws IOException
+    {
+        if (extensionType == ExtensionType.EXTERNAL_SENDERS)
+        {
+            List<ExternalSender> senders = new ArrayList<ExternalSender>();
+            MLSInputStream stream = new MLSInputStream(extension_data);
+            stream.readList(senders, ExternalSender.class);
+            return senders;
+        }
+        return null;
+    }
+
+    public TreeKEMPublicKey getRatchetTree()
+        throws IOException
+    {
+        if (extensionType == ExtensionType.RATCHET_TREE)
+        {
+            return (TreeKEMPublicKey)MLSInputStream.decode(extension_data, TreeKEMPublicKey.class);
+        }
+        return null;
+    }
+
+
+    @Override
+    public void writeTo(MLSOutputStream stream)
+        throws IOException
+    {
+        stream.write(extensionType);
+        stream.writeOpaque(extension_data);
+    }
+}
diff --git a/mls/src/main/java/moe/kyokobot/koe/mls/codec/ExtensionType.java b/mls/src/main/java/moe/kyokobot/koe/mls/codec/ExtensionType.java
new file mode 100644
index 0000000..8cf9e05
--- /dev/null
+++ b/mls/src/main/java/moe/kyokobot/koe/mls/codec/ExtensionType.java
@@ -0,0 +1,62 @@
+package moe.kyokobot.koe.mls.codec;
+
+import java.io.IOException;
+
+public enum ExtensionType
+    implements MLSInputStream.Readable, MLSOutputStream.Writable
+{
+    RESERVED((short)0),
+    APPLICATION_ID((short)1),
+    RATCHET_TREE((short)2),
+    REQUIRED_CAPABILITIES((short)3),
+    EXTERNAL_PUB((short)4),
+    EXTERNAL_SENDERS((short)5),
+    GREASE_0((short)0x0A0A),
+    GREASE_1((short)0x1A1A),
+    GREASE_2((short)0x2A2A),
+    GREASE_3((short)0x3A3A),
+    GREASE_4((short)0x4A4A),
+    GREASE_5((short)0x5A5A),
+    GREASE_6((short)0x6A6A),
+    GREASE_7((short)0x7A7A),
+    GREASE_8((short)0x8A8A),
+    GREASE_9((short)0x9A9A),
+    GREASE_A((short)0xAAAA),
+    GREASE_B((short)0xBABA),
+    GREASE_C((short)0xCACA),
+    GREASE_D((short)0xDADA),
+    GREASE_E((short)0xEAEA);
+
+    final short value;
+
+    ExtensionType(short value)
+    {
+        this.value = value;
+    }
+
+    @SuppressWarnings("unused")
+    ExtensionType(MLSInputStream stream)
+        throws IOException
+    {
+        this.value = (short)stream.read(short.class);
+    }
+
+    @Override
+    public void writeTo(MLSOutputStream stream)
+        throws IOException
+    {
+//        if (value == GREASE.value)
+//        {
+//            stream.write(Grease.getGrease());
+//        }
+//        else
+//        {
+        stream.write(value);
+//        }
+    }
+
+    public short getValue()
+    {
+        return value;
+    }
+}
diff --git a/mls/src/main/java/moe/kyokobot/koe/mls/codec/ExternalSender.java b/mls/src/main/java/moe/kyokobot/koe/mls/codec/ExternalSender.java
new file mode 100644
index 0000000..d1565ba
--- /dev/null
+++ b/mls/src/main/java/moe/kyokobot/koe/mls/codec/ExternalSender.java
@@ -0,0 +1,46 @@
+package moe.kyokobot.koe.mls.codec;
+
+import java.io.IOException;
+import java.util.Arrays;
+
+public class ExternalSender
+        implements MLSInputStream.Readable, MLSOutputStream.Writable {
+    byte[] signatureKey;
+    Credential credential;
+
+    public byte[] getSignatureKey() {
+        return signatureKey;
+    }
+
+    public ExternalSender(byte[] signatureKey, Credential credential) {
+        this.signatureKey = signatureKey;
+        this.credential = credential;
+    }
+
+    public ExternalSender(MLSInputStream stream)
+            throws IOException {
+        signatureKey = stream.readOpaque();
+        credential = (Credential) stream.read(Credential.class);
+    }
+
+    @Override
+    public void writeTo(MLSOutputStream stream)
+            throws IOException {
+        stream.writeOpaque(signatureKey);
+        stream.write(credential);
+    }
+
+    @Override
+    public boolean equals(Object obj) {
+        if (this == obj) {
+            return true;
+        }
+
+        if (obj == null || getClass() != obj.getClass()) {
+            return false;
+        }
+
+        ExternalSender that = (ExternalSender) obj;
+        return Arrays.equals(signatureKey, that.signatureKey) && credential.equals(that.credential);
+    }
+}
diff --git a/mls/src/main/java/moe/kyokobot/koe/mls/codec/FramedContent.java b/mls/src/main/java/moe/kyokobot/koe/mls/codec/FramedContent.java
new file mode 100644
index 0000000..7a421c7
--- /dev/null
+++ b/mls/src/main/java/moe/kyokobot/koe/mls/codec/FramedContent.java
@@ -0,0 +1,163 @@
+package moe.kyokobot.koe.mls.codec;
+
+import java.io.IOException;
+
+public class FramedContent
+    implements MLSInputStream.Readable, MLSOutputStream.Writable
+{
+    byte[] group_id;
+    long epoch;
+    Sender sender;
+    byte[] authenticated_data;
+    byte[] application_data;
+
+    final ContentType contentType;
+
+    Proposal proposal;
+    Commit commit;
+
+    public Proposal getProposal()
+    {
+        return proposal;
+    }
+
+    public Commit getCommit()
+    {
+        return commit;
+    }
+
+    public Sender getSender()
+    {
+        return sender;
+    }
+
+    public byte[] getGroupID()
+    {
+        return group_id;
+    }
+
+    public long getEpoch()
+    {
+        return epoch;
+    }
+
+    public ContentType getContentType()
+    {
+        return contentType;
+    }
+
+    public byte[] getAuthenticated_data()
+    {
+        return authenticated_data;
+    }
+
+    public byte[] getContentBytes()
+        throws IOException
+    {
+        switch (contentType)
+        {
+
+        case APPLICATION:
+            return application_data;
+        case PROPOSAL:
+            return MLSOutputStream.encode(proposal);
+        case COMMIT:
+            return MLSOutputStream.encode(commit);
+        default:
+            return null;
+        }
+    }
+
+    @SuppressWarnings("unused")
+    public FramedContent(MLSInputStream stream)
+        throws IOException
+    {
+        group_id = stream.readOpaque();
+        epoch = (long)stream.read(long.class);
+        sender = (Sender)stream.read(Sender.class);
+        authenticated_data = stream.readOpaque();
+        contentType = ContentType.values()[(byte)stream.read(byte.class)];
+        switch (contentType)
+        {
+        case APPLICATION:
+            application_data = stream.readOpaque();
+            break;
+        case PROPOSAL:
+            proposal = (Proposal)stream.read(Proposal.class);
+            break;
+        case COMMIT:
+            commit = (Commit)stream.read(Commit.class);
+            break;
+        }
+    }
+
+    public FramedContent(byte[] group_id, long epoch, Sender sender, byte[] authenticated_data, byte[] application_data, ContentType content_type, Proposal proposal, Commit commit)
+    {
+        this.group_id = group_id;
+        this.epoch = epoch;
+        this.sender = sender;
+        this.authenticated_data = authenticated_data;
+        this.application_data = application_data;
+        this.contentType = content_type;
+        this.proposal = proposal;
+        this.commit = commit;
+    }
+
+    public static FramedContent rawContent(byte[] group_id, long epoch, Sender sender, byte[] authenticated_data, ContentType content_type, byte[] contentBytes)
+        throws IOException
+    {
+        switch (content_type)
+        {
+        case APPLICATION:
+            return application(group_id, epoch, sender, authenticated_data, contentBytes);
+        case PROPOSAL:
+            return proposal(group_id, epoch, sender, authenticated_data, contentBytes);
+        case COMMIT:
+            return commit(group_id, epoch, sender, authenticated_data, contentBytes);
+        }
+        return null;
+    }
+
+    public static FramedContent application(byte[] group_id, long epoch, Sender sender, byte[] authenticated_data, byte[] application_data)
+    {
+        return new FramedContent(group_id, epoch, sender, authenticated_data, application_data, ContentType.APPLICATION, null, null);
+    }
+
+    public static FramedContent proposal(byte[] group_id, long epoch, Sender sender, byte[] authenticated_data, byte[] proposal)
+        throws IOException
+    {
+        return new FramedContent(group_id, epoch, sender, authenticated_data, null, ContentType.PROPOSAL, (Proposal)MLSInputStream.decode(proposal, Proposal.class), null);
+    }
+
+    public static FramedContent commit(byte[] group_id, long epoch, Sender sender, byte[] authenticated_data, byte[] commit)
+        throws IOException
+    {
+        return new FramedContent(group_id, epoch, sender, authenticated_data, null, ContentType.COMMIT, null, (Commit)MLSInputStream.decode(commit, Commit.class));
+    }
+
+    @Override
+    public void writeTo(MLSOutputStream stream)
+        throws IOException
+    {
+        stream.writeOpaque(group_id);
+        stream.write(epoch);
+        stream.write(sender);
+        stream.writeOpaque(authenticated_data);
+        stream.write(contentType);
+
+        switch (contentType)
+        {
+        case RESERVED:
+            break;
+        case APPLICATION:
+            stream.writeOpaque(application_data);
+            break;
+        case PROPOSAL:
+            stream.write(proposal);
+            break;
+        case COMMIT:
+            stream.write(commit);
+            break;
+        }
+    }
+}
diff --git a/mls/src/main/java/moe/kyokobot/koe/mls/codec/Grease.java b/mls/src/main/java/moe/kyokobot/koe/mls/codec/Grease.java
new file mode 100644
index 0000000..7e074c4
--- /dev/null
+++ b/mls/src/main/java/moe/kyokobot/koe/mls/codec/Grease.java
@@ -0,0 +1,55 @@
+package moe.kyokobot.koe.mls.codec;
+
+import java.util.Random;
+
+public class Grease
+{
+    static short[] grease = new short[]{0x0A0A, 0x1A1A, 0x2A2A, 0x3A3A, 0x4A4A, 0x5A5A, 0x6A6A, 0x7A7A,
+        (short)0x8A8A, (short)0x9A9A, (short)0xAAAA, (short)0xBABA, (short)0xCACA, (short)0xDADA, (short)0xEAEA};
+
+    public static short getGrease()
+    {
+        Random random = new Random();
+        return grease[random.nextInt(15)];
+    }
+
+    public static short isGrease(short type)
+    {
+        switch (type)
+        {
+        case 0x0A0A:
+            return 0;
+        case 0x1A1A:
+            return 1;
+        case 0x2A2A:
+            return 2;
+        case 0x3A3A:
+            return 3;
+        case 0x4A4A:
+            return 4;
+        case 0x5A5A:
+            return 5;
+        case 0x6A6A:
+            return 6;
+        case 0x7A7A:
+            return 7;
+        case (short)0x8A8A:
+            return 8;
+        case (short)0x9A9A:
+            return 9;
+        case (short)0xAAAA:
+            return 10;
+        case (short)0xBABA:
+            return 11;
+        case (short)0xCACA:
+            return 12;
+        case (short)0xDADA:
+            return 13;
+        case (short)0xEAEA:
+            return 14;
+        default:
+            return -1;
+        }
+
+    }
+}
diff --git a/mls/src/main/java/moe/kyokobot/koe/mls/codec/GroupContext.java b/mls/src/main/java/moe/kyokobot/koe/mls/codec/GroupContext.java
new file mode 100644
index 0000000..5690f9c
--- /dev/null
+++ b/mls/src/main/java/moe/kyokobot/koe/mls/codec/GroupContext.java
@@ -0,0 +1,76 @@
+package moe.kyokobot.koe.mls.codec;
+
+import java.io.IOException;
+import java.util.ArrayList;
+
+import moe.kyokobot.koe.mls.crypto.MlsCipherSuite;
+
+public class GroupContext
+    implements MLSInputStream.Readable, MLSOutputStream.Writable
+{
+
+    ProtocolVersion version = ProtocolVersion.mls10;
+    short ciphersuite;
+    MlsCipherSuite suite;
+    byte[] groupID;
+    long epoch;
+    byte[] treeHash;
+    byte[] confirmedTranscriptHash;
+    ArrayList<Extension> extensions;
+
+    public byte[] getTreeHash()
+    {
+        return treeHash;
+    }
+
+    public byte[] getConfirmedTranscriptHash()
+    {
+        return confirmedTranscriptHash;
+    }
+
+    public ArrayList<Extension> getExtensions()
+    {
+        return extensions;
+    }
+
+    public GroupContext(MlsCipherSuite ciphersuite, byte[] groupID, long epoch, byte[] treeHash, byte[] confirmedTranscriptHash, ArrayList<Extension> extensions)
+    {
+        this.suite = ciphersuite;
+        this.ciphersuite = ciphersuite.getSuiteID();
+        this.groupID = groupID;
+        this.epoch = epoch;
+        this.treeHash = treeHash;
+        this.confirmedTranscriptHash = confirmedTranscriptHash;
+        this.extensions = new ArrayList<Extension>(extensions);
+    }
+
+    @SuppressWarnings("unused")
+    public GroupContext(MLSInputStream stream)
+        throws Exception
+    {
+        this.version = ProtocolVersion.values()[(short)stream.read(short.class)];
+        this.ciphersuite = (short)stream.read(short.class);
+        this.suite = MlsCipherSuite.getSuite(ciphersuite);
+        this.groupID = stream.readOpaque();
+        this.epoch = (long)stream.read(long.class);
+        this.treeHash = stream.readOpaque();
+        this.confirmedTranscriptHash = stream.readOpaque();
+        this.extensions = new ArrayList<Extension>();
+        stream.readList(extensions, Extension.class);
+    }
+
+
+    @Override
+    public void writeTo(MLSOutputStream stream)
+        throws IOException
+    {
+        stream.write(version);
+        stream.write(ciphersuite);
+        stream.writeOpaque(groupID);
+        stream.write(epoch);
+        stream.writeOpaque(treeHash);
+        stream.writeOpaque(confirmedTranscriptHash);
+        stream.writeList(extensions);
+
+    }
+}
diff --git a/mls/src/main/java/moe/kyokobot/koe/mls/codec/GroupInfo.java b/mls/src/main/java/moe/kyokobot/koe/mls/codec/GroupInfo.java
new file mode 100644
index 0000000..949a248
--- /dev/null
+++ b/mls/src/main/java/moe/kyokobot/koe/mls/codec/GroupInfo.java
@@ -0,0 +1,133 @@
+package moe.kyokobot.koe.mls.codec;
+
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
+
+import moe.kyokobot.koe.mls.crypto.MlsCipherSuite;
+import org.bouncycastle.crypto.AsymmetricCipherKeyPair;
+import moe.kyokobot.koe.mls.TreeKEM.LeafIndex;
+import moe.kyokobot.koe.mls.TreeKEM.LeafNode;
+import moe.kyokobot.koe.mls.TreeKEM.TreeKEMPublicKey;
+
+public class GroupInfo
+    implements MLSInputStream.Readable, MLSOutputStream.Writable
+{
+    GroupContext groupContext;
+    List<Extension> extensions;
+    byte[] confirmationTag;
+    LeafIndex signer;
+    byte[] signature;
+
+    public byte[] getConfirmationTag()
+    {
+        return confirmationTag;
+    }
+
+    public List<Extension> getExtensions()
+    {
+        return extensions;
+    }
+
+    public LeafIndex getSigner()
+    {
+        return signer;
+    }
+
+    public GroupContext getGroupContext()
+    {
+        return groupContext;
+    }
+
+    public byte[] getGroupID()
+    {
+        return groupContext.groupID;
+    }
+
+    public long getEpoch()
+    {
+        return groupContext.epoch;
+    }
+
+    public MlsCipherSuite getSuite()
+    {
+        return groupContext.suite;
+    }
+
+    public GroupInfo(GroupContext groupContext, List<Extension> extensions, byte[] confirmationTag)
+    {
+        this.groupContext = groupContext;
+        this.extensions = new ArrayList<Extension>(extensions);
+        this.confirmationTag = confirmationTag;
+    }
+
+    private byte[] toBeSigned()
+        throws IOException
+    {
+        MLSOutputStream stream = new MLSOutputStream();
+        stream.write(groupContext);
+        stream.writeList(extensions);
+        stream.writeOpaque(confirmationTag);
+        stream.write(signer);
+        return stream.toByteArray();
+    }
+
+    public boolean verify(MlsCipherSuite suite, TreeKEMPublicKey tree)
+        throws Exception
+    {
+        LeafNode leaf = tree.getLeafNode(signer);
+        if (leaf == null)
+        {
+            throw new Exception("Signer not found");
+        }
+        return verify(suite, leaf.getSignatureKey());
+    }
+
+    public boolean verify(MlsCipherSuite suite, byte[] pub)
+        throws IOException
+    {
+        return suite.verifyWithLabel(pub, "GroupInfoTBS", toBeSigned(), signature);
+    }
+
+    @SuppressWarnings("unused")
+    GroupInfo(MLSInputStream stream)
+        throws IOException
+    {
+        groupContext = (GroupContext)stream.read(GroupContext.class);
+        extensions = new ArrayList<Extension>();
+        stream.readList(extensions, Extension.class);
+        confirmationTag = stream.readOpaque();
+        signer = new LeafIndex((int)stream.read(int.class));
+        signature = stream.readOpaque();
+    }
+
+    @Override
+    public void writeTo(MLSOutputStream stream)
+        throws IOException
+    {
+        stream.write(groupContext);
+        stream.writeList(extensions);
+        stream.writeOpaque(confirmationTag);
+        stream.write(signer);
+        stream.writeOpaque(signature);
+    }
+
+    public void sign(TreeKEMPublicKey tree, LeafIndex signerIndex, AsymmetricCipherKeyPair sk)
+        throws Exception
+    {
+        LeafNode leaf = tree.getLeafNode(signerIndex);
+        if (leaf == null)
+        {
+            throw new Exception("Cannot sign from a blank leaf");
+        }
+
+        if (!Arrays.equals(tree.getSuite().serializeSignaturePublicKey(sk.getPublic()), leaf.getSignatureKey()))
+        {
+            throw new Exception("Bad key for index");
+        }
+
+        signer = signerIndex;
+        signature = tree.getSuite().signWithLabel(tree.getSuite().serializeSignaturePrivateKey(sk.getPrivate()), "GroupInfoTBS", toBeSigned());
+    }
+}
diff --git a/mls/src/main/java/moe/kyokobot/koe/mls/codec/GroupSecrets.java b/mls/src/main/java/moe/kyokobot/koe/mls/codec/GroupSecrets.java
new file mode 100644
index 0000000..6d6004c
--- /dev/null
+++ b/mls/src/main/java/moe/kyokobot/koe/mls/codec/GroupSecrets.java
@@ -0,0 +1,40 @@
+package moe.kyokobot.koe.mls.codec;
+
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.List;
+
+public class GroupSecrets
+    implements MLSInputStream.Readable, MLSOutputStream.Writable
+{
+
+    public byte[] joiner_secret;
+    public PathSecret path_secret;
+    public List<PreSharedKeyID> psks;
+
+    public GroupSecrets(byte[] joiner_secret, PathSecret path_secret, List<PreSharedKeyID> psks)
+    {
+        this.joiner_secret = joiner_secret;
+        this.path_secret = path_secret;
+        this.psks = new ArrayList<PreSharedKeyID>(psks);
+    }
+
+    @SuppressWarnings("unused")
+    GroupSecrets(MLSInputStream stream)
+        throws IOException
+    {
+        joiner_secret = stream.readOpaque();
+        path_secret = (PathSecret)stream.readOptional(PathSecret.class);
+        psks = new ArrayList<PreSharedKeyID>();
+        stream.readList(psks, PreSharedKeyID.class);
+    }
+
+    @Override
+    public void writeTo(MLSOutputStream stream)
+        throws IOException
+    {
+        stream.writeOpaque(joiner_secret);
+        stream.writeOptional(path_secret);
+        stream.writeList(psks);
+    }
+}
diff --git a/mls/src/main/java/moe/kyokobot/koe/mls/codec/HPKECiphertext.java b/mls/src/main/java/moe/kyokobot/koe/mls/codec/HPKECiphertext.java
new file mode 100644
index 0000000..1a2f687
--- /dev/null
+++ b/mls/src/main/java/moe/kyokobot/koe/mls/codec/HPKECiphertext.java
@@ -0,0 +1,42 @@
+package moe.kyokobot.koe.mls.codec;
+
+import java.io.IOException;
+
+public class HPKECiphertext
+    implements MLSInputStream.Readable, MLSOutputStream.Writable
+{
+    byte[] kem_output;
+    byte[] ciphertext;
+
+    public byte[] getKemOutput()
+    {
+        return kem_output;
+    }
+
+    public byte[] getCiphertext()
+    {
+        return ciphertext;
+    }
+
+    public HPKECiphertext(byte[] kem_output, byte[] ciphertext)
+    {
+        this.kem_output = kem_output;
+        this.ciphertext = ciphertext;
+    }
+
+    @SuppressWarnings("unused")
+    HPKECiphertext(MLSInputStream stream)
+        throws IOException
+    {
+        kem_output = stream.readOpaque();
+        ciphertext = stream.readOpaque();
+    }
+
+    @Override
+    public void writeTo(MLSOutputStream stream)
+        throws IOException
+    {
+        stream.writeOpaque(kem_output);
+        stream.writeOpaque(ciphertext);
+    }
+}
diff --git a/mls/src/main/java/moe/kyokobot/koe/mls/codec/KeyPackage.java b/mls/src/main/java/moe/kyokobot/koe/mls/codec/KeyPackage.java
new file mode 100644
index 0000000..01ad576
--- /dev/null
+++ b/mls/src/main/java/moe/kyokobot/koe/mls/codec/KeyPackage.java
@@ -0,0 +1,116 @@
+package moe.kyokobot.koe.mls.codec;
+
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.List;
+
+import moe.kyokobot.koe.mls.crypto.MlsCipherSuite;
+import org.bouncycastle.crypto.CryptoException;
+import moe.kyokobot.koe.mls.TreeKEM.LeafNode;
+import moe.kyokobot.koe.mls.TreeKEM.LeafNodeSource;
+
+public class KeyPackage
+    implements MLSInputStream.Readable, MLSOutputStream.Writable
+{
+    ProtocolVersion version;
+
+    MlsCipherSuite suite;
+    short cipher_suite;
+    byte[] init_key;
+    LeafNode leaf_node;
+    List<Extension> extensions;
+    /* SignWithLabel(., "KeyPackageTBS", KeyPackageTBS) */
+    byte[] signature; // KeyPackageTBS (without signature)
+
+    public LeafNode getLeafNode()
+    {
+        return leaf_node;
+    }
+
+    public byte[] getInitKey()
+    {
+        return init_key;
+    }
+
+    public MlsCipherSuite getSuite()
+    {
+        return suite;
+    }
+
+    public boolean verify()
+        throws IOException
+    {
+        // Verify the inner leaf node
+        if (!leaf_node.verify(suite, leaf_node.toBeSigned(new byte[0], -1)))
+        {
+            return false;
+        }
+
+        // Check that the inner leaf node is intended for use in a KeyPackage
+        if (leaf_node.getSource() != LeafNodeSource.KEY_PACKAGE)
+        {
+            return false;
+        }
+
+        // Verify the KeyPackage
+        if (leaf_node.getCredentialType() == CredentialType.x509)
+        {
+            //TODO: check if credential scheme is actually x509
+            // and the credential scheme doesn't equal to the tls signature scheme (given the signature id)
+        }
+
+        return suite.verifyWithLabel(leaf_node.getSignatureKey(), "KeyPackageTBS", toBeSigned(), signature);
+    }
+
+    private byte[] toBeSigned()
+        throws IOException
+    {
+        MLSOutputStream stream = new MLSOutputStream();
+        stream.write(version);
+        stream.write(cipher_suite);
+        stream.writeOpaque(init_key);
+        stream.write(leaf_node);
+        stream.writeList(extensions);
+        return stream.toByteArray();
+    }
+
+    public KeyPackage(MlsCipherSuite suite, byte[] init_key, LeafNode leaf_node, List<Extension> extensions, byte[] sigSk)
+        throws IOException, CryptoException
+    {
+        this.version = ProtocolVersion.mls10;
+        this.cipher_suite = suite.getSuiteID();
+        this.suite = suite;
+        this.init_key = init_key.clone();
+        this.leaf_node = leaf_node.copy(leaf_node.getEncryptionKey());
+        this.extensions = new ArrayList<Extension>(extensions);
+
+        //sign(sigSk)
+        this.signature = suite.signWithLabel(sigSk, "KeyPackageTBS", toBeSigned());
+    }
+
+    @SuppressWarnings("unused")
+    KeyPackage(MLSInputStream stream)
+        throws Exception
+    {
+        this.version = ProtocolVersion.values()[(short)stream.read(short.class)];
+        cipher_suite = (short)stream.read(short.class);
+        suite = MlsCipherSuite.getSuite(cipher_suite);
+        init_key = stream.readOpaque();
+        leaf_node = (LeafNode)stream.read(LeafNode.class);
+        extensions = new ArrayList<Extension>();
+        stream.readList(extensions, Extension.class);
+        signature = stream.readOpaque();
+    }
+
+    @Override
+    public void writeTo(MLSOutputStream stream)
+        throws IOException
+    {
+        stream.write(version);
+        stream.write(cipher_suite);
+        stream.writeOpaque(init_key);
+        stream.write(leaf_node);
+        stream.writeList(extensions);
+        stream.writeOpaque(signature);
+    }
+}
diff --git a/mls/src/main/java/moe/kyokobot/koe/mls/codec/MLSInputStream.java b/mls/src/main/java/moe/kyokobot/koe/mls/codec/MLSInputStream.java
new file mode 100644
index 0000000..b355a32
--- /dev/null
+++ b/mls/src/main/java/moe/kyokobot/koe/mls/codec/MLSInputStream.java
@@ -0,0 +1,246 @@
+package moe.kyokobot.koe.mls.codec;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.lang.reflect.Array;
+import java.lang.reflect.Constructor;
+import java.lang.reflect.InvocationTargetException;
+import java.util.List;
+
+public class MLSInputStream
+{
+    public interface Readable
+    {
+        /*
+        This interface is used as a marker, because Java interfaces cannot require
+        the presence of specific constructors or static factory methods.  An attempt
+        to read a Readable object will result in an attempt to find and invoke a
+        constructor that takes MLSInputStream as an argument.
+
+        You may want to apply @SuppressWarnings("unused") to this constructor, since
+        the compiler won't pick up uses via this class.
+         */
+    }
+
+    static class SliceableStream
+        extends ByteArrayInputStream
+    {
+        public SliceableStream(byte[] buf)
+        {
+            super(buf);
+        }
+
+        public SliceableStream(byte[] buf, int pos, int size)
+        {
+            super(buf, pos, size);
+        }
+
+        byte[] readAll(int size)
+            throws IOException
+        {
+            byte[] data = new byte[size];
+            if (size == 0)
+            {
+                return data;
+            }
+            int length = super.read(data);
+            if (length != data.length)
+            {
+                throw new IOException("Attempt to read beyond end of buffer");
+            }
+            return data;
+        }
+
+        byte peek()
+            throws IOException
+        {
+            mark(1);
+            int val = read();
+            reset();
+            if (val == -1)
+            {
+                throw new IOException("Attempt to peek past end of buffer");
+            }
+            return (byte)val;
+        }
+
+        SliceableStream slice(int size)
+            throws IOException
+        {
+            if (size > available())
+            {
+                throw new IOException("Attempt to read past end of buffer");
+            }
+
+            return new SliceableStream(buf, pos, size);
+        }
+    }
+
+    SliceableStream stream;
+
+    public MLSInputStream(byte[] data)
+    {
+        stream = new SliceableStream(data);
+    }
+
+    MLSInputStream(SliceableStream stream)
+    {
+        this.stream = stream;
+    }
+
+    public static Object decode(byte[] data, Class<?> targetClass)
+        throws IOException
+    {
+        MLSInputStream stream = new MLSInputStream(data);
+        return stream.read(targetClass);
+    }
+
+    public Object read(Class<?> targetClass)
+        throws IOException
+    {
+        if (targetClass == Boolean.class)
+        {
+            return readBoolean();
+        }
+        else if (targetClass == Byte.class || targetClass == byte.class)
+        {
+            return (byte)readInt(1);
+        }
+        else if (targetClass == Short.class || targetClass == short.class)
+        {
+            return (short)readInt(2);
+        }
+        else if (targetClass == Integer.class || targetClass == int.class)
+        {
+            return (int)readInt(4);
+        }
+        else if (targetClass == Long.class || targetClass == long.class)
+        {
+            return readInt(8);
+        }
+        else if (Readable.class.isAssignableFrom(targetClass))
+        {
+            return readReadable(targetClass);
+        }
+
+        throw new IllegalArgumentException("Target type cannot be decoded");
+    }
+
+    byte peek()
+        throws IOException
+    {
+        return stream.peek();
+    }
+
+    boolean readBoolean()
+        throws IOException
+    {
+        switch ((byte)readInt(1))
+        {
+        case 0:
+            return false;
+        case 1:
+            return true;
+        default:
+            throw new IOException("Invalid boolean value");
+        }
+    }
+
+    long readInt(byte[] data)
+    {
+        long out = 0;
+        for (byte b : data)
+        {
+            out <<= 8;
+            out |= (b & 0xff);
+        }
+        return out;
+    }
+
+    long readInt(int size)
+        throws IOException
+    {
+        return readInt(stream.readAll(size));
+    }
+
+    public Object readOptional(Class<?> targetClass)
+        throws IOException
+    {
+        boolean present = readBoolean();
+        if (!present)
+        {
+            return null;
+        }
+
+        return read(targetClass);
+    }
+
+    public Object readArray(Class<?> elemClass)
+        throws IOException
+    {
+
+        int length = (int)readInt(4);
+        // If this is a byte array, read directly
+        if (elemClass == Byte.class)
+        {
+            return stream.readAll(length);
+
+        }
+
+        // Otherwise, recursively decode entries
+        Object val = Array.newInstance(elemClass, length);
+        for (int i = 0; i < length; i++)
+        {
+            Object elem = read(elemClass);
+            Array.set(val, i, elem);
+        }
+        return val;
+    }
+
+    public byte[] readOpaque()
+        throws IOException
+    {
+        Varint size = (Varint)read(Varint.class);
+        return stream.readAll(size.value);
+    }
+
+    public <E> void readList(List<E> list, Class<E> elemClass)
+        throws IOException
+    {
+        Varint size = (Varint)read(Varint.class);
+        MLSInputStream dec = new MLSInputStream(stream.slice(size.value));
+
+        list.clear();
+        while (dec.stream.available() > 0)
+        {
+            list.add((E)dec.read(elemClass));
+        }
+        stream.skip(size.value);
+    }
+
+    private Object readReadable(Class<?> targetClass)
+        throws IOException
+    {
+        try
+        {
+            Constructor<?> constructor = targetClass.getDeclaredConstructor(MLSInputStream.class);
+            return constructor.newInstance(this);
+        }
+        catch (NoSuchMethodException e)
+        {
+            throw new IOException("Readable class does not have a public MLSInputStream constructor");
+        }
+        catch (IllegalAccessException e)
+        {
+            throw new IOException("Readable class does not have a public MLSInputStream constructor");
+        }
+        catch (InvocationTargetException e)
+        {
+            throw new IOException("InvocationTargetException: " + e.getCause().getMessage());
+        }
+        catch (InstantiationException e)
+        {
+            throw new IOException("InstantiationException: " + e.getMessage());
+        }
+    }
+}
diff --git a/mls/src/main/java/moe/kyokobot/koe/mls/codec/MLSMessage.java b/mls/src/main/java/moe/kyokobot/koe/mls/codec/MLSMessage.java
new file mode 100644
index 0000000..294857d
--- /dev/null
+++ b/mls/src/main/java/moe/kyokobot/koe/mls/codec/MLSMessage.java
@@ -0,0 +1,512 @@
+package moe.kyokobot.koe.mls.codec;
+
+import java.io.IOException;
+
+import moe.kyokobot.koe.mls.crypto.MlsCipherSuite;
+import moe.kyokobot.koe.mls.TreeKEM.LeafIndex;
+import org.bouncycastle.util.Pack;
+
+public class MLSMessage
+    implements MLSInputStream.Readable, MLSOutputStream.Writable
+{
+    public ProtocolVersion version;
+    public WireFormat wireFormat;
+    public PublicMessage publicMessage;
+    public PrivateMessage privateMessage;
+    public Welcome welcome;
+    public GroupInfo groupInfo;
+    public KeyPackage keyPackage;
+
+    public MLSMessage(WireFormat wireFormat)
+    {
+        version = ProtocolVersion.mls10;
+        this.wireFormat = wireFormat;
+    }
+
+    static public MLSMessage externalProposal(MlsCipherSuite suite, byte[] groupID, long epoch, Proposal proposal, int signerIndex, byte[] sigSk)
+        throws Exception
+    {
+        switch (proposal.getProposalType())
+        {
+        case ADD:
+        case REMOVE:
+        case PSK:
+        case REINIT:
+        case GROUP_CONTEXT_EXTENSIONS:
+            break;
+        case EXTERNAL_INIT:
+        case UPDATE:
+        default:
+            throw new Exception("External proposal has invalid type");
+        }
+
+        FramedContent content = FramedContent.proposal(
+            groupID,
+            epoch,
+            Sender.forExternal(signerIndex),
+            new byte[0],
+            MLSOutputStream.encode(proposal)
+        );
+        AuthenticatedContent auth = AuthenticatedContent.sign(
+            WireFormat.mls_public_message,
+            content,
+            suite,
+            sigSk,
+            new byte[0]
+        );
+        MLSMessage message = new MLSMessage(WireFormat.mls_public_message);
+        message.publicMessage = PublicMessage.protect(auth, suite, new byte[0], new byte[0]);
+        return message;
+    }
+
+    static public MLSMessage keyPackage(KeyPackage keyPackage)
+    {
+        MLSMessage message = new MLSMessage(WireFormat.mls_key_package);
+        message.version = ProtocolVersion.mls10;
+        message.wireFormat = WireFormat.mls_key_package;
+        message.keyPackage = keyPackage;
+        return message;
+    }
+
+    @SuppressWarnings("unused")
+    public MLSMessage(MLSInputStream stream)
+        throws IOException
+    {
+        this.version = ProtocolVersion.values()[(short)stream.read(short.class)];
+        this.wireFormat = WireFormat.values()[(short)stream.read(short.class)];
+
+        switch (wireFormat)
+        {
+        case RESERVED:
+            break;
+        case mls_public_message:
+            this.publicMessage = (PublicMessage)stream.read(PublicMessage.class);
+            break;
+        case mls_private_message:
+            this.privateMessage = (PrivateMessage)stream.read(PrivateMessage.class);
+            break;
+        case mls_welcome:
+            this.welcome = (Welcome)stream.read(Welcome.class);
+            break;
+        case mls_group_info:
+            this.groupInfo = (GroupInfo)stream.read(GroupInfo.class);
+            break;
+        case mls_key_package:
+            this.keyPackage = (KeyPackage)stream.read(KeyPackage.class);
+            break;
+        }
+    }
+
+    @Override
+    public void writeTo(MLSOutputStream stream)
+        throws IOException
+    {
+        stream.write(version);
+        stream.write(wireFormat);
+        switch (wireFormat)
+        {
+
+        case RESERVED:
+            break;
+        case mls_public_message:
+            stream.write(publicMessage);
+            break;
+        case mls_private_message:
+            stream.write(privateMessage);
+            break;
+        case mls_welcome:
+            stream.write(welcome);
+            break;
+        case mls_group_info:
+            stream.write(groupInfo);
+            break;
+        case mls_key_package:
+            stream.write(keyPackage);
+            break;
+        }
+    }
+
+    public ContentType getContentType()
+    {
+        switch (wireFormat)
+        {
+        case mls_public_message:
+            return publicMessage.content.getContentType();
+        case mls_private_message:
+            return privateMessage.content_type;
+        case mls_welcome:
+            break;
+        case mls_group_info:
+            break;
+        case mls_key_package:
+            break;
+        }
+        return null;
+    }
+
+    public MlsCipherSuite getCipherSuite()
+    {
+        switch (wireFormat)
+        {
+        case mls_public_message:
+        case mls_private_message:
+        case mls_group_info:
+            break;
+        case mls_welcome:
+            return welcome.suite;
+        case mls_key_package:
+            return keyPackage.suite;
+        }
+        return null;
+    }
+
+    public byte[] getGroupId()
+    {
+        switch (wireFormat)
+        {
+        case mls_public_message:
+            return publicMessage.content.group_id;
+        case mls_private_message:
+            return privateMessage.group_id;
+        case mls_group_info:
+            return groupInfo.getGroupID();
+        case mls_welcome:
+        case mls_key_package:
+        default:
+            //TODO: change and throw
+            return null;
+        }
+    }
+
+    public long getEpoch()
+    {
+        switch (wireFormat)
+        {
+
+        case mls_public_message:
+            return publicMessage.content.epoch;
+        case mls_private_message:
+            return privateMessage.epoch;
+        case mls_welcome:
+        case mls_group_info:
+        case mls_key_package:
+        default:
+            //TODO: change and throw
+            return -1;
+        }
+    }
+}
+
+class AuthenticatedContentTBM
+    implements MLSInputStream.Readable, MLSOutputStream.Writable
+{
+    FramedContentTBS contentTBS;
+    FramedContentAuthData auth;
+
+    public AuthenticatedContentTBM(FramedContentTBS contentTBS, FramedContentAuthData auth)
+    {
+        this.contentTBS = contentTBS;
+        this.auth = auth;
+    }
+
+    @SuppressWarnings("unused")
+    public AuthenticatedContentTBM(MLSInputStream stream)
+        throws IOException
+    {
+        contentTBS = (FramedContentTBS)stream.read(FramedContentTBS.class);
+        auth = (FramedContentAuthData)stream.read(FramedContentAuthData.class);
+    }
+
+    @Override
+    public void writeTo(MLSOutputStream stream)
+        throws IOException
+    {
+        stream.write(contentTBS);
+        stream.write(auth);
+    }
+}
+
+
+class FramedContentAuthData
+    implements MLSInputStream.Readable, MLSOutputStream.Writable
+{
+    byte[] signature;
+    byte[] confirmation_tag;
+    ContentType contentType;
+
+    public FramedContentAuthData(ContentType contentType, byte[] signature, byte[] confirmation_tag)
+    {
+        this.signature = signature;
+        this.contentType = contentType;
+        switch (contentType)
+        {
+
+        case RESERVED:
+        case APPLICATION:
+        case PROPOSAL:
+            break;
+        case COMMIT:
+            this.confirmation_tag = confirmation_tag;
+            break;
+        }
+    }
+
+    public FramedContentAuthData(MLSInputStream stream, ContentType contentType)
+        throws IOException
+    {
+        this.contentType = contentType;
+        signature = stream.readOpaque();
+        if (contentType == ContentType.COMMIT)
+        {
+            confirmation_tag = stream.readOpaque();
+        }
+    }
+
+    @Override
+    public void writeTo(MLSOutputStream stream)
+        throws IOException
+    {
+        stream.writeOpaque(signature);
+        if (contentType == ContentType.COMMIT)
+        {
+            stream.writeOpaque(confirmation_tag);
+        }
+    }
+}
+
+class FramedContentTBS
+    implements MLSInputStream.Readable, MLSOutputStream.Writable
+{
+    ProtocolVersion version = ProtocolVersion.mls10;
+    WireFormat wireFormat;
+    FramedContent content;
+    GroupContext context;
+
+    public FramedContentTBS(WireFormat wireFormat, FramedContent content, GroupContext context)
+    {
+        this.wireFormat = wireFormat;
+        this.content = content;
+        switch (content.sender.senderType)
+        {
+        case MEMBER:
+        case NEW_MEMBER_COMMIT:
+            this.context = context;
+            break;
+        }
+    }
+
+    public FramedContentTBS(WireFormat wireFormat, FramedContent content, byte[] context)
+        throws IOException
+    {
+        this.wireFormat = wireFormat;
+        this.content = content;
+        switch (content.sender.senderType)
+        {
+        case MEMBER:
+        case NEW_MEMBER_COMMIT:
+            this.context = (GroupContext)MLSInputStream.decode(context, GroupContext.class);
+            break;
+        default:
+            break;
+        }
+    }
+
+    @SuppressWarnings("unused")
+    public FramedContentTBS(MLSInputStream stream)
+        throws IOException
+    {
+        this.version = ProtocolVersion.values()[(short)stream.read(short.class)];
+        this.wireFormat = WireFormat.values()[(short)stream.read(short.class)];
+        this.content = (FramedContent)stream.read(FramedContent.class);
+        switch (content.sender.senderType)
+        {
+        case MEMBER:
+        case NEW_MEMBER_COMMIT:
+            this.context = (GroupContext)stream.read(GroupContext.class);
+            break;
+        case EXTERNAL:
+        case NEW_MEMBER_PROPOSAL:
+            break;
+        }
+    }
+
+    @Override
+    public void writeTo(MLSOutputStream stream)
+        throws IOException
+    {
+        stream.write(version);
+        stream.write(wireFormat);
+        stream.write(content);
+        switch (content.sender.senderType)
+        {
+        case MEMBER:
+        case NEW_MEMBER_COMMIT:
+            stream.write(context);
+            break;
+        default:
+            break;
+        }
+    }
+}
+
+
+class SenderData
+    implements MLSInputStream.Readable, MLSOutputStream.Writable
+{
+
+    LeafIndex sender;
+    int generation;
+    byte[] reuseGuard;
+
+    public SenderData(LeafIndex leafIndex, int generation, byte[] reuseGuard)
+    {
+        this.sender = leafIndex;
+        this.generation = generation;
+        this.reuseGuard = reuseGuard;
+    }
+
+    @SuppressWarnings("unused")
+    SenderData(MLSInputStream stream)
+        throws IOException
+    {
+        sender = (LeafIndex)stream.read(LeafIndex.class);
+        generation = (int)stream.read(int.class);
+        reuseGuard = Pack.intToBigEndian((int)stream.read(int.class));
+    }
+
+    @Override
+    public void writeTo(MLSOutputStream stream)
+        throws IOException
+    {
+        stream.write(sender);
+        stream.write(generation);
+        stream.write(Pack.bigEndianToInt(reuseGuard, 0));
+    }
+}
+
+class SenderDataAAD
+    implements MLSInputStream.Readable, MLSOutputStream.Writable
+{
+    byte[] group_id;
+    long epoch;
+    ContentType contentType;
+
+    public SenderDataAAD(byte[] group_id, long epoch, ContentType contentType)
+    {
+        this.group_id = group_id;
+        this.epoch = epoch;
+        this.contentType = contentType;
+    }
+
+    @SuppressWarnings("unused")
+    SenderDataAAD(MLSInputStream stream)
+        throws IOException
+    {
+        group_id = stream.readOpaque();
+        epoch = (long)stream.read(long.class);
+        this.contentType = ContentType.values()[(byte)stream.read(byte.class)];
+    }
+
+
+    @Override
+    public void writeTo(MLSOutputStream stream)
+        throws IOException
+    {
+        stream.writeOpaque(group_id);
+        stream.write(epoch);
+        stream.write(contentType);
+    }
+}
+
+class PrivateMessageContent
+    implements MLSInputStream.Readable, MLSOutputStream.Writable
+{
+    byte[] application_data;
+    Proposal proposal;
+    Commit commit;
+
+    ContentType contentType;
+
+    FramedContentAuthData auth;
+    byte[] padding;
+
+    PrivateMessageContent(MLSInputStream stream, ContentType contentType)
+        throws IOException
+    {
+        switch (contentType)
+        {
+        case APPLICATION:
+            application_data = stream.readOpaque();
+            break;
+        case PROPOSAL:
+            proposal = (Proposal)stream.read(Proposal.class);
+            break;
+        case COMMIT:
+            commit = (Commit)stream.read(Commit.class);
+            break;
+        }
+        auth = (FramedContentAuthData)stream.read(FramedContentAuthData.class);
+        padding = stream.readOpaque();
+    }
+
+
+    @Override
+    public void writeTo(MLSOutputStream stream)
+        throws IOException
+    {
+        switch (contentType)
+        {
+
+        case APPLICATION:
+            stream.writeOpaque(application_data);
+            break;
+        case PROPOSAL:
+            stream.write(proposal);
+            break;
+        case COMMIT:
+            stream.write(commit);
+            break;
+        }
+        stream.write(auth);
+        stream.writeOpaque(padding);
+    }
+}
+
+class PrivateContentAAD
+    implements MLSInputStream.Readable, MLSOutputStream.Writable
+{
+    byte[] group_id;
+    long epoch;
+    ContentType content_type;
+    byte[] authenticated_data;
+
+    public PrivateContentAAD(byte[] group_id, long epoch, ContentType content_type, byte[] authenticated_data)
+    {
+        this.group_id = group_id.clone();
+        this.epoch = epoch;
+        this.content_type = content_type;
+        this.authenticated_data = authenticated_data.clone();
+    }
+
+    @SuppressWarnings("unused")
+    PrivateContentAAD(MLSInputStream stream)
+        throws IOException
+    {
+        group_id = stream.readOpaque();
+        epoch = (long)stream.read(long.class);
+        content_type = ContentType.values()[(byte)stream.read(byte.class)];
+        authenticated_data = stream.readOpaque();
+    }
+
+    @Override
+    public void writeTo(MLSOutputStream stream)
+        throws IOException
+    {
+        stream.writeOpaque(group_id);
+        stream.write(epoch);
+        stream.write(content_type);
+        stream.writeOpaque(authenticated_data);
+    }
+}
+
+
diff --git a/mls/src/main/java/moe/kyokobot/koe/mls/codec/MLSOutputStream.java b/mls/src/main/java/moe/kyokobot/koe/mls/codec/MLSOutputStream.java
new file mode 100644
index 0000000..2d6d40b
--- /dev/null
+++ b/mls/src/main/java/moe/kyokobot/koe/mls/codec/MLSOutputStream.java
@@ -0,0 +1,128 @@
+package moe.kyokobot.koe.mls.codec;
+
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+
+public class MLSOutputStream
+{
+    public interface Writable
+    {
+        void writeTo(MLSOutputStream stream)
+            throws IOException;
+    }
+
+    final ByteArrayOutputStream stream;
+
+    public MLSOutputStream()
+    {
+        stream = new ByteArrayOutputStream();
+    }
+
+    public static byte[] encode(Object val)
+        throws IOException
+    {
+        MLSOutputStream stream = new MLSOutputStream();
+        stream.write(val);
+        return stream.toByteArray();
+    }
+
+    public void write(Object val)
+        throws IOException
+    {
+        Class<?> valClass = val.getClass();
+        if (valClass == Boolean.class)
+        {
+            writeBoolean((boolean)val);
+            return;
+        }
+        else if (valClass == Byte.class)
+        {
+            writeInt((byte)val, 1);
+            return;
+        }
+        else if (valClass == Short.class)
+        {
+            writeInt((short)val, 2);
+            return;
+        }
+        else if (valClass == Integer.class)
+        {
+            writeInt((int)val, 4);
+            return;
+        }
+        else if (valClass == Long.class)
+        {
+            writeInt((long)val, 8);
+            return;
+        }
+        else if (Writable.class.isAssignableFrom(valClass))
+        {
+            ((Writable)val).writeTo(this);
+            return;
+        }
+
+        throw new IllegalArgumentException("Target type cannot be encoded");
+    }
+
+    public byte[] toByteArray()
+    {
+        return stream.toByteArray();
+    }
+
+    void writeBoolean(boolean val)
+    {
+        writeInt((val) ? 1 : 0, 1);
+    }
+
+    private void writeInt(long val, int len)
+    {
+        for (int i = 0; i < len; i++)
+        {
+            byte b = (byte)(val >> (8 * (len - i - 1)));
+            stream.write(b);
+        }
+    }
+
+    public void writeOptional(Object val)
+        throws IOException
+    {
+        writeBoolean(val != null);
+        if (val != null)
+        {
+            write(val);
+        }
+    }
+
+    public <T> void writeArray(T[] val)
+        throws IOException
+    {
+        write(val.length);
+//        write(new Varint(val.length));
+        for (T x : val)
+        {
+            write(x);
+        }
+    }
+
+    public void writeOpaque(byte[] val)
+        throws IOException
+    {
+        write(new Varint(val.length));
+        stream.write(val);
+    }
+
+    public <T> void writeList(Iterable<T> val)
+        throws IOException
+    {
+        // Pre-encode content
+        MLSOutputStream content = new MLSOutputStream();
+        for (T x : val)
+        {
+            content.write(x);
+        }
+
+        // Write the header, then copy over the content
+        write(new Varint(content.stream.size()));
+        content.stream.writeTo(stream);
+    }
+}
diff --git a/mls/src/main/java/moe/kyokobot/koe/mls/codec/NodeType.java b/mls/src/main/java/moe/kyokobot/koe/mls/codec/NodeType.java
new file mode 100644
index 0000000..abd571d
--- /dev/null
+++ b/mls/src/main/java/moe/kyokobot/koe/mls/codec/NodeType.java
@@ -0,0 +1,32 @@
+package moe.kyokobot.koe.mls.codec;
+
+import java.io.IOException;
+
+public enum NodeType
+    implements MLSInputStream.Readable, MLSOutputStream.Writable
+{
+    RESERVED((byte)0),
+    leaf((byte)1),
+    parent((byte)2);
+
+    final byte value;
+
+    NodeType(byte value)
+    {
+        this.value = value;
+    }
+
+    @SuppressWarnings("unused")
+    NodeType(MLSInputStream stream)
+        throws IOException
+    {
+        this.value = (byte)stream.read(byte.class);
+    }
+
+    @Override
+    public void writeTo(MLSOutputStream stream)
+        throws IOException
+    {
+        stream.write(value);
+    }
+}
diff --git a/mls/src/main/java/moe/kyokobot/koe/mls/codec/PSKType.java b/mls/src/main/java/moe/kyokobot/koe/mls/codec/PSKType.java
new file mode 100644
index 0000000..427a515
--- /dev/null
+++ b/mls/src/main/java/moe/kyokobot/koe/mls/codec/PSKType.java
@@ -0,0 +1,32 @@
+package moe.kyokobot.koe.mls.codec;
+
+import java.io.IOException;
+
+public enum PSKType
+    implements MLSInputStream.Readable, MLSOutputStream.Writable
+{
+    REFERENCE((byte)0),
+    EXTERNAL((byte)1),
+    RESUMPTION((byte)2);
+
+    final byte value;
+
+    PSKType(byte value)
+    {
+        this.value = value;
+    }
+
+    @SuppressWarnings("unused")
+    PSKType(MLSInputStream stream)
+        throws IOException
+    {
+        this.value = (byte)stream.read(byte.class);
+    }
+
+    @Override
+    public void writeTo(MLSOutputStream stream)
+        throws IOException
+    {
+        stream.write(value);
+    }
+}
diff --git a/mls/src/main/java/moe/kyokobot/koe/mls/codec/PathSecret.java b/mls/src/main/java/moe/kyokobot/koe/mls/codec/PathSecret.java
new file mode 100644
index 0000000..6edcc1a
--- /dev/null
+++ b/mls/src/main/java/moe/kyokobot/koe/mls/codec/PathSecret.java
@@ -0,0 +1,33 @@
+package moe.kyokobot.koe.mls.codec;
+
+import java.io.IOException;
+
+public class PathSecret
+    implements MLSInputStream.Readable, MLSOutputStream.Writable
+{
+    byte[] path_secret;
+
+    public byte[] getPathSecret()
+    {
+        return path_secret;
+    }
+
+    public PathSecret(byte[] path_secret)
+    {
+        this.path_secret = path_secret;
+    }
+
+    @SuppressWarnings("unused")
+    PathSecret(MLSInputStream stream)
+        throws IOException
+    {
+        path_secret = stream.readOpaque();
+    }
+
+    @Override
+    public void writeTo(MLSOutputStream stream)
+        throws IOException
+    {
+        stream.writeOpaque(path_secret);
+    }
+}
diff --git a/mls/src/main/java/moe/kyokobot/koe/mls/codec/PreSharedKeyID.java b/mls/src/main/java/moe/kyokobot/koe/mls/codec/PreSharedKeyID.java
new file mode 100644
index 0000000..00cb032
--- /dev/null
+++ b/mls/src/main/java/moe/kyokobot/koe/mls/codec/PreSharedKeyID.java
@@ -0,0 +1,141 @@
+package moe.kyokobot.koe.mls.codec;
+
+import java.io.IOException;
+import java.util.Arrays;
+
+import moe.kyokobot.koe.mls.crypto.Secret;
+
+public class PreSharedKeyID
+    implements MLSInputStream.Readable, MLSOutputStream.Writable
+{
+
+    public static class External
+    {
+        public final Secret externalPSKID;
+
+        public External(byte[] externalPSKID)
+        {
+            this.externalPSKID = new Secret(externalPSKID);
+        }
+    }
+
+    public static class Resumption
+    {
+        public final ResumptionPSKUsage resumptionPSKUsage;
+        public final byte[] pskGroupID;
+        public final long pskEpoch;
+
+        public Resumption(ResumptionPSKUsage resumptionPSKUsage, byte[] pskGroupID, long pskEpoch)
+        {
+            this.resumptionPSKUsage = resumptionPSKUsage;
+            this.pskGroupID = pskGroupID;
+            this.pskEpoch = pskEpoch;
+        }
+    }
+
+    public final PSKType pskType;
+    public final External external;
+    public final Resumption resumption;
+    public final byte[] pskNonce;
+
+    PreSharedKeyID(PSKType pskType, External external, Resumption resumption, byte[] pskNonce)
+    {
+        this.pskType = pskType;
+        this.external = external;
+        this.resumption = resumption;
+        this.pskNonce = pskNonce;
+    }
+
+    public static PreSharedKeyID external(byte[] externalPSKID, byte[] pskNonce)
+    {
+        External external = new External(externalPSKID);
+        return new PreSharedKeyID(PSKType.EXTERNAL, external, null, pskNonce);
+    }
+
+    public static PreSharedKeyID resumption(ResumptionPSKUsage resumptionPSKUsage, byte[] pskGroupID, long pskEpoch, byte[] pskNonce)
+    {
+        Resumption resumptionVal = new Resumption(resumptionPSKUsage, pskGroupID, pskEpoch);
+        return new PreSharedKeyID(PSKType.RESUMPTION, null, resumptionVal, pskNonce);
+    }
+
+    @SuppressWarnings("unused")
+    public PreSharedKeyID(MLSInputStream stream)
+        throws IOException
+    {
+        this.pskType = PSKType.values()[(byte)stream.read(byte.class)];
+
+        switch (this.pskType)
+        {
+        case EXTERNAL:
+            byte[] externalPSKID = stream.readOpaque();
+            external = new External(externalPSKID);
+            resumption = null;
+            break;
+
+        case RESUMPTION:
+            ResumptionPSKUsage resumptionPSKUsage = ResumptionPSKUsage.values()[(byte)stream.read(byte.class)];
+            byte[] pskGroupID = stream.readOpaque();
+            long pskEpoch = (long)stream.read(long.class);
+
+            external = null;
+            resumption = new Resumption(resumptionPSKUsage, pskGroupID, pskEpoch);
+            break;
+
+        default:
+            throw new IOException("Invalid PSKType");
+        }
+
+        pskNonce = stream.readOpaque();
+    }
+
+    @Override
+    public void writeTo(MLSOutputStream stream)
+        throws IOException
+    {
+        stream.write(pskType);
+        switch (pskType)
+        {
+        case EXTERNAL:
+            stream.writeOpaque(external.externalPSKID.value());
+            break;
+
+        case RESUMPTION:
+            stream.write(resumption.resumptionPSKUsage);
+            stream.writeOpaque(resumption.pskGroupID);
+            stream.write(resumption.pskEpoch);
+            break;
+        }
+
+        stream.writeOpaque(pskNonce);
+    }
+
+    @Override
+    public boolean equals(Object o)
+    {
+        if (this == o)
+        {
+            return true;
+        }
+
+        if (o == null || getClass() != o.getClass())
+        {
+            return false;
+        }
+
+        PreSharedKeyID pskid = (PreSharedKeyID)o;
+        if (pskid.pskType != pskType)
+        {
+            return false;
+        }
+
+        switch (pskType)
+        {
+        case EXTERNAL:
+            return Arrays.equals(pskid.external.externalPSKID.value(), external.externalPSKID.value());
+        case RESUMPTION:
+            return Arrays.equals(pskid.resumption.pskGroupID, resumption.pskGroupID) && (pskid.resumption.pskEpoch == resumption.pskEpoch);
+        }
+
+        return false;
+    }
+}
diff --git a/mls/src/main/java/moe/kyokobot/koe/mls/codec/PrivateMessage.java b/mls/src/main/java/moe/kyokobot/koe/mls/codec/PrivateMessage.java
new file mode 100644
index 0000000..7f623b3
--- /dev/null
+++ b/mls/src/main/java/moe/kyokobot/koe/mls/codec/PrivateMessage.java
@@ -0,0 +1,234 @@
+package moe.kyokobot.koe.mls.codec;
+
+import java.io.IOException;
+
+import moe.kyokobot.koe.mls.crypto.MlsCipherSuite;
+import org.bouncycastle.crypto.InvalidCipherTextException;
+import moe.kyokobot.koe.mls.GroupKeySet;
+import moe.kyokobot.koe.mls.KeyGeneration;
+import moe.kyokobot.koe.mls.KeyScheduleEpoch;
+import moe.kyokobot.koe.mls.TreeKEM.LeafIndex;
+import org.bouncycastle.util.Arrays;
+
+public class PrivateMessage
+    implements MLSInputStream.Readable, MLSOutputStream.Writable
+{
+    byte[] group_id;
+    long epoch;
+    ContentType content_type;
+    byte[] authenticated_data;
+    byte[] encrypted_sender_data;
+    byte[] ciphertext;
+
+    public PrivateMessage(byte[] group_id, long epoch, ContentType content_type, byte[] authenticated_data, byte[] encrypted_sender_data, byte[] ciphertext)
+    {
+        this.group_id = group_id;
+        this.epoch = epoch;
+        this.content_type = content_type;
+        this.authenticated_data = authenticated_data;
+        this.encrypted_sender_data = encrypted_sender_data;
+        this.ciphertext = ciphertext;
+    }
+
+    @SuppressWarnings("unused")
+    PrivateMessage(MLSInputStream stream)
+        throws IOException
+    {
+        group_id = stream.readOpaque();
+        epoch = (long)stream.read(long.class);
+        content_type = ContentType.values()[(byte)stream.read(byte.class)];
+        authenticated_data = stream.readOpaque();
+        encrypted_sender_data = stream.readOpaque();
+        ciphertext = stream.readOpaque();
+    }
+
+    static public PrivateMessage protect(AuthenticatedContent auth, MlsCipherSuite suite, GroupKeySet keys, byte[] senderDataSecretBytes, int paddingSize)
+        throws IOException, IllegalAccessException, InvalidCipherTextException
+    {
+        // Get KeyGeneration from the secret tree
+        LeafIndex index = auth.content.sender.sender;
+        ContentType contentType = auth.content.contentType;
+        byte[] reuseGuard = new byte[4];
+        KeyGeneration keyGen = keys.get(contentType, index, reuseGuard);
+
+        // Encrypt the content
+        byte[] contentPt = serializeContentPt(auth.content, auth.auth, paddingSize);
+
+        PrivateContentAAD contentAAD = new PrivateContentAAD(
+            auth.content.group_id,
+            auth.content.epoch,
+            auth.content.contentType,
+            auth.content.authenticated_data
+        );
+
+        byte[] contentCt = suite.getAEAD().seal(
+            keyGen.key,
+            keyGen.nonce,
+            MLSOutputStream.encode(contentAAD),
+            contentPt
+        );
+
+        // Encrypt the sender data
+        LeafIndex senderIndex = auth.content.sender.sender;
+        SenderData senderDataPt = new SenderData(
+            senderIndex,
+            keyGen.generation,
+            reuseGuard
+        );
+        SenderDataAAD senderDataAAD = new SenderDataAAD(
+            auth.content.group_id,
+            auth.content.epoch,
+            auth.content.contentType
+        );
+
+        KeyGeneration senderDataKeys = KeyScheduleEpoch.senderDataKeys(suite, senderDataSecretBytes.clone(), contentCt);
+        byte[] senderDataCt = suite.getAEAD().seal(
+            senderDataKeys.key,
+            senderDataKeys.nonce,
+            MLSOutputStream.encode(senderDataAAD),
+            MLSOutputStream.encode(senderDataPt)
+        );
+
+        return new PrivateMessage(
+            auth.content.group_id,
+            auth.content.epoch,
+            auth.content.contentType,
+            auth.content.authenticated_data,
+            senderDataCt.clone(),
+            contentCt.clone()
+        );
+    }
+
+    public AuthenticatedContent unprotect(MlsCipherSuite suite, GroupKeySet keys, byte[] senderDataSecretBytes)
+            throws Exception
+    {
+        // Decrypt and parse the sender data
+
+        KeyGeneration senderKeys = KeyScheduleEpoch.senderDataKeys(suite, senderDataSecretBytes.clone(), ciphertext.clone());
+
+        SenderDataAAD senderDataAAD = new SenderDataAAD(group_id, epoch, content_type);
+
+        byte[] senderDataPt = suite.getAEAD().open(
+            senderKeys.key,
+            senderKeys.nonce,
+            MLSOutputStream.encode(senderDataAAD),
+            encrypted_sender_data
+        );
+
+        SenderData senderData = (SenderData)MLSInputStream.decode(senderDataPt, SenderData.class);
+
+        //Cannot Process Message from self!
+        if (!keys.hasLeaf(senderData.sender))
+        {
+            return null;
+        }
+
+        // Decrypt the content
+        KeyGeneration contentKeys = keys.get(content_type, senderData.sender, senderData.generation, senderData.reuseGuard);
+
+        PrivateContentAAD contentAAD = new PrivateContentAAD(group_id, epoch, content_type, authenticated_data);
+        byte[] contentPtBytes = suite.getAEAD().open(
+            contentKeys.key,
+            contentKeys.nonce,
+            MLSOutputStream.encode(contentAAD),
+            ciphertext
+        );
+
+        keys.erase(content_type, senderData.sender, senderData.generation);
+
+        // Parse Content
+        FramedContent content = new FramedContent(
+            group_id,
+            epoch,
+            Sender.forMember(senderData.sender),
+            authenticated_data,
+            null,
+            content_type,
+            null,
+            null
+        );
+
+        FramedContentAuthData auth = new FramedContentAuthData(
+            content_type,
+            null,
+            null
+        );
+        deserializeContentPt(contentPtBytes, content, auth);
+
+        return new AuthenticatedContent(
+            WireFormat.mls_private_message,
+            content,
+            auth
+        );
+    }
+
+    @Override
+    public void writeTo(MLSOutputStream stream)
+        throws IOException
+    {
+        stream.writeOpaque(group_id);
+        stream.write(epoch);
+        stream.write(content_type);
+        stream.writeOpaque(authenticated_data);
+        stream.writeOpaque(encrypted_sender_data);
+        stream.writeOpaque(ciphertext);
+    }
+
+    private void deserializeContentPt(byte[] contentPt, FramedContent content, FramedContentAuthData auth)
+        throws IOException
+    {
+        MLSInputStream stream = new MLSInputStream(contentPt);
+        switch (content_type)
+        {
+        case APPLICATION:
+            content.application_data = stream.readOpaque();
+            break;
+        case PROPOSAL:
+            content.proposal = (Proposal)stream.read(Proposal.class);
+            break;
+        case COMMIT:
+            content.commit = (Commit)stream.read(Commit.class);
+            break;
+        }
+        auth.signature = stream.readOpaque();
+        switch (content_type)
+        {
+        case APPLICATION:
+        case PROPOSAL:
+            break;
+        case COMMIT:
+            auth.confirmation_tag = stream.readOpaque();
+            break;
+        }
+        //TODO: read padding?
+    }
+
+    static private byte[] serializeContentPt(FramedContent content, FramedContentAuthData auth, int paddingSize)
+        throws IOException
+    {
+        MLSOutputStream stream = new MLSOutputStream();
+        switch (content.contentType)
+        {
+        case APPLICATION:
+            stream.writeOpaque(content.application_data);
+            break;
+        case PROPOSAL:
+            stream.write(content.proposal);
+            break;
+        case COMMIT:
+            stream.write(content.commit);
+            break;
+        }
+        stream.writeOpaque(auth.signature);
+        switch (content.contentType)
+        {
+        case APPLICATION:
+        case PROPOSAL:
+            break;
+        case COMMIT:
+            stream.writeOpaque(auth.confirmation_tag);
+            break;
+        }
+        return Arrays.concatenate(stream.toByteArray(), new byte[paddingSize]);
+    }
+}
diff --git a/mls/src/main/java/moe/kyokobot/koe/mls/codec/Proposal.java b/mls/src/main/java/moe/kyokobot/koe/mls/codec/Proposal.java
new file mode 100644
index 0000000..03a3813
--- /dev/null
+++ b/mls/src/main/java/moe/kyokobot/koe/mls/codec/Proposal.java
@@ -0,0 +1,418 @@
+package moe.kyokobot.koe.mls.codec;
+
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.List;
+
+import moe.kyokobot.koe.mls.crypto.MlsCipherSuite;
+import moe.kyokobot.koe.mls.TreeKEM.LeafIndex;
+import moe.kyokobot.koe.mls.TreeKEM.LeafNode;
+
+public class Proposal
+    implements MLSInputStream.Readable, MLSOutputStream.Writable
+{
+    ProposalType proposalType;
+    Add add;
+    Update update;
+    Remove remove;
+    PreSharedKey preSharedKey;
+    ReInit reInit;
+    ExternalInit externalInit;
+    GroupContextExtensions groupContextExtensions;
+
+    public Add getAdd()
+    {
+        return add;
+    }
+
+    public Update getUpdate()
+    {
+        return update;
+    }
+
+    public Remove getRemove()
+    {
+        return remove;
+    }
+
+    public PreSharedKey getPreSharedKey()
+    {
+        return preSharedKey;
+    }
+
+    public ReInit getReInit()
+    {
+        return reInit;
+    }
+
+    public ExternalInit getExternalInit()
+    {
+        return externalInit;
+    }
+
+    public GroupContextExtensions getGroupContextExtensions()
+    {
+        return groupContextExtensions;
+    }
+
+    public LeafNode getLeafNode()
+    {
+        switch (proposalType)
+        {
+        case ADD:
+            return add.keyPackage.leaf_node;
+        case UPDATE:
+            return update.leafNode;
+        }
+        return null;
+    }
+
+    public ProposalType getProposalType()
+    {
+        return proposalType;
+    }
+
+    public Proposal(ProposalType proposalType, Add add, Update update, Remove remove, PreSharedKey preSharedKey, ReInit reInit, ExternalInit externalInit, GroupContextExtensions groupContextExtensions)
+    {
+        this.proposalType = proposalType;
+        this.add = add;
+        this.update = update;
+        this.remove = remove;
+        this.preSharedKey = preSharedKey;
+        this.reInit = reInit;
+        this.externalInit = externalInit;
+        this.groupContextExtensions = groupContextExtensions;
+    }
+
+    public Proposal(MLSInputStream stream)
+        throws IOException
+    {
+        short propType = (short)stream.read(short.class);
+        if (Grease.isGrease(propType) == -1)
+        {
+            proposalType = ProposalType.values()[propType];
+        }
+        else
+        {
+            proposalType = ProposalType.values()[8 + Grease.isGrease(propType)];
+        }
+        switch (proposalType)
+        {
+        case ADD:
+            add = (Add)stream.read(Add.class);
+            break;
+        case UPDATE:
+            update = (Update)stream.read(Update.class);
+            break;
+        case REMOVE:
+            remove = (Remove)stream.read(Remove.class);
+            break;
+        case PSK:
+            preSharedKey = (PreSharedKey)stream.read(PreSharedKey.class);
+            break;
+        case REINIT:
+            reInit = (ReInit)stream.read(ReInit.class);
+            break;
+        case EXTERNAL_INIT:
+            externalInit = (ExternalInit)stream.read(ExternalInit.class);
+            break;
+        case GROUP_CONTEXT_EXTENSIONS:
+            groupContextExtensions = (GroupContextExtensions)stream.read(GroupContextExtensions.class);
+            break;
+        }
+    }
+
+    public static Proposal add(KeyPackage newMember)
+        throws IOException
+    {
+        return new Proposal(ProposalType.ADD,
+            new Add(newMember), null, null, null, null, null, null);
+    }
+
+    public static Proposal update(LeafNode leafNode)
+    {
+        return new Proposal(ProposalType.UPDATE, null,
+            new Update(leafNode), null, null, null, null, null);
+    }
+
+    public static Proposal remove(LeafIndex removed)
+    {
+        return new Proposal(ProposalType.REMOVE, null, null,
+            new Remove(removed), null, null, null, null);
+    }
+
+    public static Proposal preSharedKey(PreSharedKeyID pskID)
+    {
+        return new Proposal(ProposalType.PSK, null, null, null,
+            new PreSharedKey(pskID), null, null, null);
+    }
+
+    public static Proposal reInit(byte[] group_id, ProtocolVersion version, MlsCipherSuite cipherSuite, List<Extension> extensions)
+    {
+        return new Proposal(ProposalType.REINIT, null, null, null, null,
+            new ReInit(group_id, version, cipherSuite, extensions), null, null);
+    }
+
+    public static Proposal externalInit(byte[] kemOutput)
+    {
+        return new Proposal(ProposalType.EXTERNAL_INIT, null, null, null, null, null,
+            new ExternalInit(kemOutput), null);
+    }
+
+    public static Proposal groupContextExtensions(List<Extension> extensions)
+    {
+        return new Proposal(ProposalType.GROUP_CONTEXT_EXTENSIONS, null, null, null, null, null, null,
+            new GroupContextExtensions(extensions));
+    }
+
+    @Override
+    public void writeTo(MLSOutputStream stream)
+        throws IOException
+    {
+        stream.write(proposalType);
+        switch (proposalType)
+        {
+        case ADD:
+            stream.write(add);
+            break;
+        case UPDATE:
+            stream.write(update);
+            break;
+        case REMOVE:
+            stream.write(remove);
+            break;
+        case PSK:
+            stream.write(preSharedKey);
+            break;
+        case REINIT:
+            stream.write(reInit);
+            break;
+        case EXTERNAL_INIT:
+            stream.write(externalInit);
+            break;
+        case GROUP_CONTEXT_EXTENSIONS:
+            stream.write(groupContextExtensions);
+            break;
+        }
+    }
+
+    public static class Add
+        implements MLSInputStream.Readable, MLSOutputStream.Writable
+    {
+        public KeyPackage keyPackage;
+
+        public Add(KeyPackage keyPackage)
+            throws IOException
+        {
+            this.keyPackage = (KeyPackage)MLSInputStream.decode(MLSOutputStream.encode(keyPackage), KeyPackage.class);
+        }
+
+        @SuppressWarnings("unused")
+        Add(MLSInputStream stream)
+            throws IOException
+        {
+            keyPackage = (KeyPackage)stream.read(KeyPackage.class);
+        }
+
+        @Override
+        public void writeTo(MLSOutputStream stream)
+            throws IOException
+        {
+            stream.write(keyPackage);
+        }
+    }
+
+    public static class Update
+        implements MLSInputStream.Readable, MLSOutputStream.Writable
+    {
+        LeafNode leafNode;
+
+        @SuppressWarnings("unused")
+        public Update(MLSInputStream stream)
+            throws IOException
+        {
+            leafNode = (LeafNode)stream.read(LeafNode.class);
+        }
+
+        @Override
+        public void writeTo(MLSOutputStream stream)
+            throws IOException
+        {
+            stream.write(leafNode);
+        }
+
+        public Update(LeafNode leafNode)
+        {
+            this.leafNode = leafNode;
+        }
+
+        public LeafNode getLeafNode()
+        {
+            return leafNode;
+        }
+    }
+
+    public static class Remove
+        implements MLSInputStream.Readable, MLSOutputStream.Writable
+    {
+        public LeafIndex removed;
+
+        public Remove(LeafIndex removed)
+        {
+            this.removed = removed;
+        }
+
+        @SuppressWarnings("unused")
+        public Remove(MLSInputStream stream)
+            throws IOException
+        {
+            removed = (LeafIndex)stream.read(LeafIndex.class);
+        }
+
+        @Override
+        public void writeTo(MLSOutputStream stream)
+            throws IOException
+        {
+            stream.write(removed);
+        }
+    }
+
+    public static class PreSharedKey
+        implements MLSInputStream.Readable, MLSOutputStream.Writable
+    {
+        public PreSharedKeyID psk;
+
+        @SuppressWarnings("unused")
+        PreSharedKey(MLSInputStream stream)
+            throws IOException
+        {
+            psk = (PreSharedKeyID)stream.read(PreSharedKeyID.class);
+        }
+
+        @Override
+        public void writeTo(MLSOutputStream stream)
+            throws IOException
+        {
+            stream.write(psk);
+        }
+
+        public PreSharedKey(PreSharedKeyID psk)
+        {
+            this.psk = psk;
+        }
+    }
+
+    public static class ReInit
+        implements MLSInputStream.Readable, MLSOutputStream.Writable
+    {
+        byte[] group_id;
+        ProtocolVersion version;
+        short cipherSuite;
+        MlsCipherSuite suite;
+        List<Extension> extensions;
+
+        public ProtocolVersion getVersion()
+        {
+            return version;
+        }
+
+        public byte[] getGroupID()
+        {
+            return group_id;
+        }
+
+        public MlsCipherSuite getSuite()
+        {
+            return suite;
+        }
+
+        public List<Extension> getExtensions()
+        {
+            return extensions;
+        }
+
+        public ReInit(byte[] group_id, ProtocolVersion version, MlsCipherSuite cipherSuite, List<Extension> extensions)
+        {
+            this.group_id = group_id;
+            this.version = version;
+            this.suite = cipherSuite;
+            this.cipherSuite = suite.getSuiteID();
+            this.extensions = extensions;
+        }
+
+        @SuppressWarnings("unused")
+        ReInit(MLSInputStream stream)
+            throws Exception
+        {
+            group_id = stream.readOpaque();
+            version = ProtocolVersion.values()[(short)stream.read(short.class)];
+            cipherSuite = (short)stream.read(short.class);
+            suite = MlsCipherSuite.getSuite(cipherSuite);
+            extensions = new ArrayList<Extension>();
+            stream.readList(extensions, Extension.class);
+        }
+
+        @Override
+        public void writeTo(MLSOutputStream stream)
+            throws IOException
+        {
+            stream.writeOpaque(group_id);
+            stream.write(version);
+            stream.write(cipherSuite);
+            stream.writeList(extensions);
+        }
+    }
+
+    public static class ExternalInit
+        implements MLSInputStream.Readable, MLSOutputStream.Writable
+    {
+        public byte[] kemOutput;
+
+        @SuppressWarnings("unused")
+        ExternalInit(MLSInputStream stream)
+            throws IOException
+        {
+            kemOutput = stream.readOpaque();
+        }
+
+        @Override
+        public void writeTo(MLSOutputStream stream)
+            throws IOException
+        {
+            stream.writeOpaque(kemOutput);
+        }
+
+        public ExternalInit(byte[] kemOutput)
+        {
+            this.kemOutput = kemOutput.clone();
+        }
+    }
+
+    public static class GroupContextExtensions
+        implements MLSInputStream.Readable, MLSOutputStream.Writable
+    {
+        public GroupContextExtensions(List<Extension> extensions)
+        {
+            this.extensions = new ArrayList<Extension>();
+            this.extensions.addAll(extensions);
+        }
+
+        public List<Extension> extensions;
+
+        @SuppressWarnings("unused")
+        GroupContextExtensions(MLSInputStream stream)
+            throws IOException
+        {
+            extensions = new ArrayList<Extension>();
+            stream.readList(extensions, Extension.class);
+        }
+
+        @Override
+        public void writeTo(MLSOutputStream stream)
+            throws IOException
+        {
+            stream.writeList(extensions);
+        }
+    }
+
+}
diff --git a/mls/src/main/java/moe/kyokobot/koe/mls/codec/ProposalOrRef.java b/mls/src/main/java/moe/kyokobot/koe/mls/codec/ProposalOrRef.java
new file mode 100644
index 0000000..ec26f39
--- /dev/null
+++ b/mls/src/main/java/moe/kyokobot/koe/mls/codec/ProposalOrRef.java
@@ -0,0 +1,77 @@
+package moe.kyokobot.koe.mls.codec;
+
+import java.io.IOException;
+
+public class ProposalOrRef
+    implements MLSInputStream.Readable, MLSOutputStream.Writable
+{
+    ProposalOrRefType type;
+    Proposal proposal;
+
+    byte[] reference;
+
+    public ProposalOrRefType getType()
+    {
+        return type;
+    }
+
+    public Proposal getProposal()
+    {
+        return proposal;
+    }
+
+    public byte[] getReference()
+    {
+        return reference;
+    }
+
+
+    static public ProposalOrRef forRef(byte[] ref)
+    {
+        return new ProposalOrRef(ProposalOrRefType.REFERENCE, null, ref);
+    }
+
+    static public ProposalOrRef forProposal(Proposal proposal)
+    {
+        return new ProposalOrRef(ProposalOrRefType.PROPOSAL, proposal, null);
+    }
+
+    public ProposalOrRef(ProposalOrRefType type, Proposal proposal, byte[] reference)
+    {
+        this.type = type;
+        this.proposal = proposal;
+        this.reference = reference;
+    }
+
+    @SuppressWarnings("unused")
+    ProposalOrRef(MLSInputStream stream)
+        throws IOException
+    {
+        this.type = ProposalOrRefType.values()[(byte)stream.read(byte.class)];
+        switch (type)
+        {
+        case PROPOSAL:
+            proposal = (Proposal)stream.read(Proposal.class);
+            break;
+        case REFERENCE:
+            reference = stream.readOpaque();
+            break;
+        }
+    }
+
+    @Override
+    public void writeTo(MLSOutputStream stream)
+        throws IOException
+    {
+        stream.write(type);
+        switch (type)
+        {
+        case PROPOSAL:
+            stream.write(proposal);
+            break;
+        case REFERENCE:
+            stream.writeOpaque(reference);
+            break;
+        }
+    }
+}
diff --git a/mls/src/main/java/moe/kyokobot/koe/mls/codec/ProposalOrRefType.java b/mls/src/main/java/moe/kyokobot/koe/mls/codec/ProposalOrRefType.java
new file mode 100644
index 0000000..337471f
--- /dev/null
+++ b/mls/src/main/java/moe/kyokobot/koe/mls/codec/ProposalOrRefType.java
@@ -0,0 +1,32 @@
+package moe.kyokobot.koe.mls.codec;
+
+import java.io.IOException;
+
+public enum ProposalOrRefType
+    implements MLSInputStream.Readable, MLSOutputStream.Writable
+{
+    RESERVED((byte)0),
+    PROPOSAL((byte)1),
+    REFERENCE((byte)2);
+
+    final byte value;
+
+    ProposalOrRefType(byte value)
+    {
+        this.value = value;
+    }
+
+    @SuppressWarnings("unused")
+    ProposalOrRefType(MLSInputStream stream)
+        throws IOException
+    {
+        this.value = (byte)stream.read(byte.class);
+    }
+
+    @Override
+    public void writeTo(MLSOutputStream stream)
+        throws IOException
+    {
+        stream.write(value);
+    }
+}
diff --git a/mls/src/main/java/moe/kyokobot/koe/mls/codec/ProposalType.java b/mls/src/main/java/moe/kyokobot/koe/mls/codec/ProposalType.java
new file mode 100644
index 0000000..390f724
--- /dev/null
+++ b/mls/src/main/java/moe/kyokobot/koe/mls/codec/ProposalType.java
@@ -0,0 +1,58 @@
+package moe.kyokobot.koe.mls.codec;
+
+import java.io.IOException;
+
+public enum ProposalType
+    implements MLSInputStream.Readable, MLSOutputStream.Writable
+{
+    RESERVED((short)0),
+    ADD((short)1),
+    UPDATE((short)2),
+    REMOVE((short)3),
+    PSK((short)4),
+    REINIT((short)5),
+    EXTERNAL_INIT((short)6),
+    GROUP_CONTEXT_EXTENSIONS((short)7),
+    GREASE_0((short)0x0A0A),
+    GREASE_1((short)0x1A1A),
+    GREASE_2((short)0x2A2A),
+    GREASE_3((short)0x3A3A),
+    GREASE_4((short)0x4A4A),
+    GREASE_5((short)0x5A5A),
+    GREASE_6((short)0x6A6A),
+    GREASE_7((short)0x7A7A),
+    GREASE_8((short)0x8A8A),
+    GREASE_9((short)0x9A9A),
+    GREASE_A((short)0xAAAA),
+    GREASE_B((short)0xBABA),
+    GREASE_C((short)0xCACA),
+    GREASE_D((short)0xDADA),
+    GREASE_E((short)0xEAEA);
+    final short value;
+
+    ProposalType(short value)
+    {
+        this.value = value;
+    }
+
+    @SuppressWarnings("unused")
+    ProposalType(MLSInputStream stream)
+        throws IOException
+    {
+        this.value = (short)stream.read(short.class);
+    }
+
+    @Override
+    public void writeTo(MLSOutputStream stream)
+        throws IOException
+    {
+//        if (value == GREASE.value)
+//        {
+//            stream.write(Grease.getGrease());
+//        }
+//        else
+        {
+            stream.write(value);
+        }
+    }
+}
diff --git a/mls/src/main/java/moe/kyokobot/koe/mls/codec/ProtocolVersion.java b/mls/src/main/java/moe/kyokobot/koe/mls/codec/ProtocolVersion.java
new file mode 100644
index 0000000..ee6453c
--- /dev/null
+++ b/mls/src/main/java/moe/kyokobot/koe/mls/codec/ProtocolVersion.java
@@ -0,0 +1,27 @@
+package moe.kyokobot.koe.mls.codec;
+
+import java.io.IOException;
+
+public enum ProtocolVersion
+    implements MLSInputStream.Readable, MLSOutputStream.Writable
+{
+    RESERVED((short)0),
+    mls10((short)1);
+    final short value;
+
+    ProtocolVersion(short value)
+    {
+        this.value = value;
+    }
+
+    public short getValue() {
+        return value;
+    }
+
+    @Override
+    public void writeTo(MLSOutputStream stream)
+        throws IOException
+    {
+        stream.write(value);
+    }
+}
diff --git a/mls/src/main/java/moe/kyokobot/koe/mls/codec/PublicMessage.java b/mls/src/main/java/moe/kyokobot/koe/mls/codec/PublicMessage.java
new file mode 100644
index 0000000..71de666
--- /dev/null
+++ b/mls/src/main/java/moe/kyokobot/koe/mls/codec/PublicMessage.java
@@ -0,0 +1,119 @@
+package moe.kyokobot.koe.mls.codec;
+
+import java.io.IOException;
+
+import moe.kyokobot.koe.mls.crypto.MlsCipherSuite;
+import moe.kyokobot.koe.mls.crypto.Secret;
+import org.bouncycastle.util.Arrays;
+
+public class PublicMessage
+    implements MLSInputStream.Readable, MLSOutputStream.Writable
+{
+    FramedContent content;
+    FramedContentAuthData auth;
+    byte[] membership_tag;
+
+    @SuppressWarnings("unused")
+    public PublicMessage(MLSInputStream stream)
+        throws IOException
+    {
+        content = (FramedContent)stream.read(FramedContent.class);
+        auth = new FramedContentAuthData(stream, content.contentType);
+
+        switch (content.sender.senderType)
+        {
+
+        case RESERVED:
+        case EXTERNAL:
+        case NEW_MEMBER_PROPOSAL:
+        case NEW_MEMBER_COMMIT:
+            break;
+        case MEMBER:
+            membership_tag = stream.readOpaque();
+            break;
+        }
+    }
+
+
+    @Override
+    public void writeTo(MLSOutputStream stream)
+        throws IOException
+    {
+        stream.write(content);
+        stream.write(auth);
+
+        switch (content.sender.senderType)
+        {
+
+        case RESERVED:
+        case EXTERNAL:
+        case NEW_MEMBER_PROPOSAL:
+        case NEW_MEMBER_COMMIT:
+            break;
+        case MEMBER:
+            stream.writeOpaque(membership_tag);
+            break;
+        }
+    }
+
+
+    public PublicMessage(FramedContent content, FramedContentAuthData auth, byte[] membership_tag)
+    {
+        this.content = content;
+        this.auth = auth;
+        switch (content.sender.senderType)
+        {
+        case RESERVED:
+        case NEW_MEMBER_COMMIT:
+        case EXTERNAL:
+        case NEW_MEMBER_PROPOSAL:
+            break;
+        case MEMBER:
+            this.membership_tag = membership_tag;
+            break;
+        }
+    }
+
+    static public PublicMessage protect(AuthenticatedContent authContent, MlsCipherSuite suite,
+                                        byte[] membershipKeyBytes, byte[] groupContextBytes)
+        throws IOException
+    {
+        PublicMessage pt = new PublicMessage(authContent.content, authContent.auth, null);
+        if (pt.content.sender.senderType == SenderType.MEMBER)
+        {
+            GroupContext context = (GroupContext)MLSInputStream.decode(groupContextBytes, GroupContext.class);
+            Secret membershipKey = new Secret(membershipKeyBytes);
+            pt.membership_tag = pt.membershipMac(suite, membershipKey, context);
+        }
+        return pt;
+    }
+
+    public AuthenticatedContent unprotect(MlsCipherSuite suite, Secret membership_key, GroupContext context)
+            throws Exception
+    {
+        if (content.sender.senderType == SenderType.MEMBER)
+        {
+            byte[] membershipTag = membershipMac(suite, membership_key, context);
+            if (!Arrays.areEqual(membershipTag, membership_tag))
+            {
+                // throw tagMisMatch error!
+                throw new IOException("incorrect membership tag");
+            }
+        }
+        return new AuthenticatedContent(WireFormat.mls_public_message, content, auth);
+    }
+
+    public byte[] membershipMac(MlsCipherSuite suite, Secret membershipKey, GroupContext context)
+        throws IOException
+    {
+        // MAC(membership_key, AuthenticatedContentTBM)
+        FramedContentTBS tbs = new FramedContentTBS(
+            WireFormat.mls_public_message,
+            content,
+            context);
+        AuthenticatedContentTBM tbm = new AuthenticatedContentTBM(tbs, auth);
+        Secret ikm = new Secret(MLSOutputStream.encode(tbm));
+        Secret membership_tag = Secret.extract(suite, membershipKey, ikm);
+        return membership_tag.value();
+    }
+}
diff --git a/mls/src/main/java/moe/kyokobot/koe/mls/codec/ResumptionPSKUsage.java b/mls/src/main/java/moe/kyokobot/koe/mls/codec/ResumptionPSKUsage.java
new file mode 100644
index 0000000..f767e94
--- /dev/null
+++ b/mls/src/main/java/moe/kyokobot/koe/mls/codec/ResumptionPSKUsage.java
@@ -0,0 +1,33 @@
+package moe.kyokobot.koe.mls.codec;
+
+import java.io.IOException;
+
+public enum ResumptionPSKUsage
+    implements MLSInputStream.Readable, MLSOutputStream.Writable
+{
+    RESERVED((byte)0),
+    APPLICATION((byte)1),
+    REINIT((byte)2),
+    BRANCH((byte)3);
+
+    final byte value;
+
+    ResumptionPSKUsage(byte value)
+    {
+        this.value = value;
+    }
+
+    @SuppressWarnings("unused")
+    ResumptionPSKUsage(MLSInputStream stream)
+        throws IOException
+    {
+        this.value = (byte)stream.read(byte.class);
+    }
+
+    @Override
+    public void writeTo(MLSOutputStream stream)
+        throws IOException
+    {
+        stream.write(value);
+    }
+}
diff --git a/mls/src/main/java/moe/kyokobot/koe/mls/codec/Sender.java b/mls/src/main/java/moe/kyokobot/koe/mls/codec/Sender.java
new file mode 100644
index 0000000..04ee317
--- /dev/null
+++ b/mls/src/main/java/moe/kyokobot/koe/mls/codec/Sender.java
@@ -0,0 +1,94 @@
+package moe.kyokobot.koe.mls.codec;
+
+import java.io.IOException;
+
+import moe.kyokobot.koe.mls.TreeKEM.LeafIndex;
+
+public class Sender
+    implements MLSInputStream.Readable, MLSOutputStream.Writable
+{
+    SenderType senderType;
+    LeafIndex sender;
+    int sender_index;
+
+    public SenderType getSenderType()
+    {
+        return senderType;
+    }
+
+    public LeafIndex getSender()
+    {
+        return sender;
+    }
+
+    public int getSenderIndex()
+    {
+        return sender_index;
+    }
+
+    public static Sender forNewMemberCommit()
+    {
+        return new Sender(SenderType.NEW_MEMBER_COMMIT, null, -1);
+    }
+
+    public static Sender forNewMemberProposal()
+    {
+        return new Sender(SenderType.NEW_MEMBER_PROPOSAL, null, -1);
+    }
+
+    public static Sender forMember(LeafIndex sender)
+    {
+        return new Sender(SenderType.MEMBER, sender, -1);
+    }
+
+    public static Sender forExternal(int senderIndex)
+    {
+        return new Sender(SenderType.EXTERNAL, null, senderIndex);
+    }
+
+    public Sender(SenderType senderType, LeafIndex sender, int sender_index)
+    {
+        this.senderType = senderType;
+        this.sender = sender;
+        this.sender_index = sender_index;
+    }
+
+    @SuppressWarnings("unused")
+    public Sender(MLSInputStream stream)
+        throws IOException
+    {
+        this.senderType = SenderType.values()[(byte)stream.read(byte.class)];
+        switch (senderType)
+        {
+
+        case MEMBER:
+            sender = (LeafIndex)stream.read(LeafIndex.class);
+            break;
+        case EXTERNAL:
+            sender_index = (int)stream.read(int.class);
+            break;
+        case NEW_MEMBER_PROPOSAL:
+        case NEW_MEMBER_COMMIT:
+            break;
+        }
+    }
+
+    @Override
+    public void writeTo(MLSOutputStream stream)
+        throws IOException
+    {
+        stream.write(senderType);
+        switch (senderType)
+        {
+        case MEMBER:
+            stream.write(sender);
+            break;
+        case EXTERNAL:
+            stream.write(sender_index);
+            break;
+        case NEW_MEMBER_PROPOSAL:
+        case NEW_MEMBER_COMMIT:
+            break;
+        }
+    }
+}
diff --git a/mls/src/main/java/moe/kyokobot/koe/mls/codec/SenderType.java b/mls/src/main/java/moe/kyokobot/koe/mls/codec/SenderType.java
new file mode 100644
index 0000000..9b474e8
--- /dev/null
+++ b/mls/src/main/java/moe/kyokobot/koe/mls/codec/SenderType.java
@@ -0,0 +1,27 @@
+package moe.kyokobot.koe.mls.codec;
+
+import java.io.IOException;
+
+public enum SenderType
+    implements MLSInputStream.Readable, MLSOutputStream.Writable
+{
+    RESERVED((byte)0),
+    MEMBER((byte)1),
+    EXTERNAL((byte)2),
+    NEW_MEMBER_PROPOSAL((byte)3),
+    NEW_MEMBER_COMMIT((byte)4);
+
+    final byte value;
+
+    SenderType(byte value)
+    {
+        this.value = value;
+    }
+
+    @Override
+    public void writeTo(MLSOutputStream stream)
+        throws IOException
+    {
+        stream.write(value);
+    }
+}
diff --git a/mls/src/main/java/moe/kyokobot/koe/mls/codec/UpdatePath.java b/mls/src/main/java/moe/kyokobot/koe/mls/codec/UpdatePath.java
new file mode 100644
index 0000000..2f968d2
--- /dev/null
+++ b/mls/src/main/java/moe/kyokobot/koe/mls/codec/UpdatePath.java
@@ -0,0 +1,53 @@
+package moe.kyokobot.koe.mls.codec;
+
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.List;
+
+import moe.kyokobot.koe.mls.TreeKEM.LeafNode;
+
+public class UpdatePath
+    implements MLSInputStream.Readable, MLSOutputStream.Writable
+{
+    LeafNode leaf_node;
+    List<UpdatePathNode> nodes;
+
+    public LeafNode getLeafNode()
+    {
+        return leaf_node;
+    }
+
+    public List<UpdatePathNode> getNodes()
+    {
+        return nodes;
+    }
+
+    public UpdatePath clone()
+    {
+        return new UpdatePath(leaf_node, nodes);
+    }
+
+    public UpdatePath(LeafNode leaf_node, List<UpdatePathNode> nodes)
+    {
+//        this.leaf_node = leaf_node;
+        this.leaf_node = leaf_node.copy(leaf_node.getEncryptionKey());
+        this.nodes = new ArrayList<UpdatePathNode>(nodes);
+    }
+
+    @SuppressWarnings("unused")
+    UpdatePath(MLSInputStream stream)
+        throws IOException
+    {
+        leaf_node = (LeafNode)stream.read(LeafNode.class);
+        nodes = new ArrayList<UpdatePathNode>();
+        stream.readList(nodes, UpdatePathNode.class);
+    }
+
+    @Override
+    public void writeTo(MLSOutputStream stream)
+        throws IOException
+    {
+        stream.write(leaf_node);
+        stream.writeList(nodes);
+    }
+}
diff --git a/mls/src/main/java/moe/kyokobot/koe/mls/codec/UpdatePathNode.java b/mls/src/main/java/moe/kyokobot/koe/mls/codec/UpdatePathNode.java
new file mode 100644
index 0000000..b0d732e
--- /dev/null
+++ b/mls/src/main/java/moe/kyokobot/koe/mls/codec/UpdatePathNode.java
@@ -0,0 +1,46 @@
+package moe.kyokobot.koe.mls.codec;
+
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.List;
+
+public class UpdatePathNode
+    implements MLSInputStream.Readable, MLSOutputStream.Writable
+{
+    byte[] encryption_key;
+
+    List<HPKECiphertext> encrypted_path_secret;
+
+    public byte[] getEncryptionKey()
+    {
+        return encryption_key;
+    }
+
+    public List<HPKECiphertext> getEncryptedPathSecret()
+    {
+        return encrypted_path_secret;
+    }
+
+    public UpdatePathNode(byte[] encryption_key, List<HPKECiphertext> encrypted_path_secret)
+    {
+        this.encryption_key = encryption_key;
+        this.encrypted_path_secret = encrypted_path_secret;
+    }
+
+    @SuppressWarnings("unused")
+    UpdatePathNode(MLSInputStream stream)
+        throws IOException
+    {
+        encryption_key = stream.readOpaque();
+        encrypted_path_secret = new ArrayList<HPKECiphertext>();
+        stream.readList(encrypted_path_secret, HPKECiphertext.class);
+    }
+
+    @Override
+    public void writeTo(MLSOutputStream stream)
+        throws IOException
+    {
+        stream.writeOpaque(encryption_key);
+        stream.writeList(encrypted_path_secret);
+    }
+}
diff --git a/mls/src/main/java/moe/kyokobot/koe/mls/codec/ValidatedContent.java b/mls/src/main/java/moe/kyokobot/koe/mls/codec/ValidatedContent.java
new file mode 100644
index 0000000..1995728
--- /dev/null
+++ b/mls/src/main/java/moe/kyokobot/koe/mls/codec/ValidatedContent.java
@@ -0,0 +1,13 @@
+package moe.kyokobot.koe.mls.codec;
+
+public class ValidatedContent {
+    private final AuthenticatedContent authenticatedContent;
+
+    public ValidatedContent(AuthenticatedContent authenticatedContent) {
+        this.authenticatedContent = authenticatedContent;
+    }
+
+    public AuthenticatedContent getAuthenticatedContent() {
+        return authenticatedContent;
+    }
+}
diff --git a/mls/src/main/java/moe/kyokobot/koe/mls/codec/Varint.java b/mls/src/main/java/moe/kyokobot/koe/mls/codec/Varint.java
new file mode 100644
index 0000000..de93fdc
--- /dev/null
+++ b/mls/src/main/java/moe/kyokobot/koe/mls/codec/Varint.java
@@ -0,0 +1,67 @@
+package moe.kyokobot.koe.mls.codec;
+
+import java.io.IOException;
+
+public class Varint
+    implements MLSInputStream.Readable, MLSOutputStream.Writable
+{
+    static final int HEADER_OFFSET = 6;
+    static final int HEADER_1 = 0x00;
+    static final int HEADER_2 = 0x4000;
+    static final int HEADER_4 = 0x80000000;
+    static final int MAX_1 = 0x3f;
+    static final int MAX_2 = 0x3fff;
+    static final int MAX_4 = 0x3fffffff;
+
+    public final int value;
+
+    public Varint(int value)
+    {
+        this.value = value;
+    }
+
+    @SuppressWarnings("unused")
+    public Varint(MLSInputStream stream)
+        throws IOException
+    {
+        int prefix = stream.peek() & 0xff;
+        int logSize = prefix >>> HEADER_OFFSET;
+        int size = 1 << logSize;
+        switch (size)
+        {
+        case 1:
+            value = HEADER_1 ^ (int)(byte)stream.read(byte.class);
+            break;
+        case 2:
+            value = HEADER_2 ^ (int)(short)stream.read(short.class);
+            break;
+        case 4:
+            value = HEADER_4 ^ (int)stream.read(int.class);
+            break;
+        default:
+            throw new IOException("Invalid varint header");
+        }
+    }
+
+    @Override
+    public void writeTo(MLSOutputStream stream)
+        throws IOException
+    {
+        if (value <= MAX_1)
+        {
+            stream.write((byte)(HEADER_1 | value));
+        }
+        else if (value <= MAX_2)
+        {
+            stream.write((short)(HEADER_2 | value));
+        }
+        else if (value <= Varint.MAX_4)
+        {
+            stream.write(HEADER_4 | value);
+        }
+        else
+        {
+            throw new IOException("Varint is too big to encode");
+        }
+    }
+}
diff --git a/mls/src/main/java/moe/kyokobot/koe/mls/codec/Welcome.java b/mls/src/main/java/moe/kyokobot/koe/mls/codec/Welcome.java
new file mode 100644
index 0000000..7746b9d
--- /dev/null
+++ b/mls/src/main/java/moe/kyokobot/koe/mls/codec/Welcome.java
@@ -0,0 +1,144 @@
+package moe.kyokobot.koe.mls.codec;
+
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
+
+import moe.kyokobot.koe.mls.crypto.MlsCipherSuite;
+import org.bouncycastle.crypto.InvalidCipherTextException;
+import moe.kyokobot.koe.mls.KeyGeneration;
+import moe.kyokobot.koe.mls.KeyScheduleEpoch;
+import moe.kyokobot.koe.mls.crypto.Secret;
+
+public class Welcome
+    implements MLSInputStream.Readable, MLSOutputStream.Writable
+{
+    short cipher_suite;
+
+    MlsCipherSuite suite;
+    List<EncryptedGroupSecrets> secrets;
+    byte[] encrypted_group_info;
+
+    //
+    private Secret joinerSecret;
+    private List<PreSharedKeyID> psks;
+
+    public MlsCipherSuite getSuite()
+    {
+        return suite;
+    }
+
+    public List<EncryptedGroupSecrets> getSecrets() {
+        return secrets;
+    }
+
+    public Welcome(MlsCipherSuite suite, byte[] joinerSecret, List<KeyScheduleEpoch.PSKWithSecret> psks, byte[] groupInfo)
+        throws IOException, InvalidCipherTextException
+    {
+        this.cipher_suite = suite.getSuiteID();
+        this.suite = suite;
+        this.joinerSecret = new Secret(joinerSecret);
+        // Cache the list of PSK IDs
+        this.psks = new ArrayList<>();
+        for (KeyScheduleEpoch.PSKWithSecret psk : psks)
+        {
+            this.psks.add(psk.id);
+        }
+
+        // Pre-encrypt the GroupInfo
+        KeyGeneration keyGen = getGroupInfoKeyNonce(joinerSecret, psks);
+        this.encrypted_group_info = suite.getAEAD().seal(
+            keyGen.key,
+            keyGen.nonce,
+            new byte[0],
+            groupInfo
+        );
+
+        this.secrets = new ArrayList<>();
+    }
+
+    public int find(KeyPackage kp)
+        throws IOException
+    {
+
+        byte[] ref = suite.refHash(MLSOutputStream.encode(kp), "MLS 1.0 KeyPackage Reference");
+        for (int i = 0; i < secrets.size(); i++)
+        {
+            if (Arrays.equals(ref, secrets.get(i).new_member))
+            {
+                return i;
+            }
+        }
+        return -1;
+    }
+
+    public void encrypt(KeyPackage kp, Secret pathSecret)
+        throws IOException, InvalidCipherTextException
+    {
+
+        GroupSecrets gs = new GroupSecrets(joinerSecret.value(), null, psks);
+        if (pathSecret != null)
+        {
+            gs.path_secret = new PathSecret(pathSecret.value());
+        }
+        byte[] gsBytes = MLSOutputStream.encode(gs);
+        MlsCipherSuite suite = kp.suite;
+        byte[][] ctAndEnc = suite.encryptWithLabel(kp.init_key, "Welcome", encrypted_group_info, gsBytes);
+        secrets.add(
+            new EncryptedGroupSecrets(
+                suite.refHash(MLSOutputStream.encode(kp), "MLS 1.0 KeyPackage Reference"),
+                new HPKECiphertext(ctAndEnc[1], ctAndEnc[0])
+            )
+        );
+    }
+
+    public GroupInfo decrypt(byte[] joinerSecret, List<KeyScheduleEpoch.PSKWithSecret> psks)
+        throws IOException, InvalidCipherTextException
+    {
+        KeyGeneration keyAndNonce = getGroupInfoKeyNonce(joinerSecret, psks);
+        byte[] groupInfoData = suite.getAEAD().open(
+            keyAndNonce.key,
+            keyAndNonce.nonce,
+            new byte[0],
+            encrypted_group_info);
+        return (GroupInfo)MLSInputStream.decode(groupInfoData, GroupInfo.class);
+    }
+
+    private KeyGeneration getGroupInfoKeyNonce(byte[] joinerSecret, List<KeyScheduleEpoch.PSKWithSecret> psks)
+        throws IOException
+    {
+        Secret welcomeSecret = KeyScheduleEpoch.welcomeSecret(suite, joinerSecret, psks);
+        Secret key = welcomeSecret.expandWithLabel(suite, "key", new byte[0], suite.getAEAD().getKeySize());
+        Secret nonce = welcomeSecret.expandWithLabel(suite, "nonce", new byte[0], suite.getAEAD().getNonceSize());
+        return new KeyGeneration(-1, key, nonce);
+    }
+
+    public GroupSecrets decryptSecrets(int kpIndex, byte[] initPrivKey)
+        throws InvalidCipherTextException, IOException
+    {
+        HPKECiphertext ct = secrets.get(kpIndex).encrypted_group_secrets;
+        byte[] secretsData = suite.decryptWithLabel(initPrivKey, "Welcome", encrypted_group_info, ct.kem_output, ct.ciphertext);
+        return (GroupSecrets)MLSInputStream.decode(secretsData, GroupSecrets.class);
+    }
+
+    @SuppressWarnings("unused")
+    Welcome(MLSInputStream stream)
+        throws Exception
+    {
+        cipher_suite = (short)stream.read(short.class);
+        suite = MlsCipherSuite.getSuite(cipher_suite);
+        secrets = new ArrayList<EncryptedGroupSecrets>();
+        stream.readList(secrets, EncryptedGroupSecrets.class);
+        encrypted_group_info = stream.readOpaque();
+    }
+
+    @Override
+    public void writeTo(MLSOutputStream stream)
+        throws IOException
+    {
+        stream.write(cipher_suite);
+        stream.writeList(secrets);
+        stream.writeOpaque(encrypted_group_info);
+    }
+}
diff --git a/mls/src/main/java/moe/kyokobot/koe/mls/codec/WireFormat.java b/mls/src/main/java/moe/kyokobot/koe/mls/codec/WireFormat.java
new file mode 100644
index 0000000..6187f73
--- /dev/null
+++ b/mls/src/main/java/moe/kyokobot/koe/mls/codec/WireFormat.java
@@ -0,0 +1,28 @@
+package moe.kyokobot.koe.mls.codec;
+
+import java.io.IOException;
+
+public enum WireFormat
+    implements MLSInputStream.Readable, MLSOutputStream.Writable
+{
+    RESERVED((short)0),
+    mls_public_message((short)1),
+    mls_private_message((short)2),
+    mls_welcome((short)3),
+    mls_group_info((short)4),
+    mls_key_package((short)5);
+
+    final short value;
+
+    WireFormat(short value)
+    {
+        this.value = value;
+    }
+
+    @Override
+    public void writeTo(MLSOutputStream stream)
+        throws IOException
+    {
+        stream.write(value);
+    }
+}
diff --git a/mls/src/main/java/moe/kyokobot/koe/mls/crypto/MlsAead.java b/mls/src/main/java/moe/kyokobot/koe/mls/crypto/MlsAead.java
new file mode 100644
index 0000000..4ff5872
--- /dev/null
+++ b/mls/src/main/java/moe/kyokobot/koe/mls/crypto/MlsAead.java
@@ -0,0 +1,16 @@
+package moe.kyokobot.koe.mls.crypto;
+
+import org.bouncycastle.crypto.InvalidCipherTextException;
+
+public interface MlsAead
+{
+    int getKeySize();
+
+    int getNonceSize();
+
+    byte[] open(byte[] key, byte[] nonce, byte[] aad, byte[] pt)
+        throws InvalidCipherTextException;
+
+    byte[] seal(byte[] key, byte[] nonce, byte[] aad, byte[] pt)
+        throws InvalidCipherTextException;
+}
diff --git a/mls/src/main/java/moe/kyokobot/koe/mls/crypto/MlsCipherSuite.java b/mls/src/main/java/moe/kyokobot/koe/mls/crypto/MlsCipherSuite.java
new file mode 100644
index 0000000..74c0537
--- /dev/null
+++ b/mls/src/main/java/moe/kyokobot/koe/mls/crypto/MlsCipherSuite.java
@@ -0,0 +1,227 @@
+package moe.kyokobot.koe.mls.crypto;
+
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+
+import org.bouncycastle.crypto.AsymmetricCipherKeyPair;
+import org.bouncycastle.crypto.CryptoException;
+import org.bouncycastle.crypto.Digest;
+import org.bouncycastle.crypto.InvalidCipherTextException;
+import org.bouncycastle.crypto.digests.SHA256Digest;
+import org.bouncycastle.crypto.digests.SHA384Digest;
+import org.bouncycastle.crypto.digests.SHA512Digest;
+import org.bouncycastle.crypto.hpke.HPKE;
+import org.bouncycastle.crypto.params.AsymmetricKeyParameter;
+import moe.kyokobot.koe.mls.codec.MLSOutputStream;
+import moe.kyokobot.koe.mls.crypto.bc.BcMlsAead;
+import moe.kyokobot.koe.mls.crypto.bc.BcMlsKdf;
+import moe.kyokobot.koe.mls.crypto.bc.BcMlsSigner;
+
+public class MlsCipherSuite
+{
+    public static class GenericContent
+        implements MLSOutputStream.Writable
+    {
+
+        private byte[] label;
+        private byte[] content;
+
+        public GenericContent(String label, byte[] content)
+        {
+            this.label = ("MLS 1.0 " + label).getBytes(StandardCharsets.UTF_8);
+            this.content = content;
+        }
+
+        @Override
+        public void writeTo(MLSOutputStream stream)
+            throws IOException
+        {
+            stream.writeOpaque(label);
+            stream.writeOpaque(content);
+        }
+    }
+
+    public static class RefHash
+        implements MLSOutputStream.Writable
+    {
+
+        public byte[] label;
+        public byte[] value;
+
+        public RefHash(byte[] label, byte[] value)
+        {
+            this.label = label;
+            this.value = value;
+        }
+
+        @Override
+        public void writeTo(MLSOutputStream stream)
+            throws IOException
+        {
+            stream.writeOpaque(label);
+            stream.writeOpaque(value);
+        }
+    }
+
+
+    public static final short MLS_128_DHKEMX25519_AES128GCM_SHA256_Ed25519 = 0x0001;
+    public static final short MLS_128_DHKEMP256_AES128GCM_SHA256_P256 = 0x0002;
+    public static final short MLS_128_DHKEMX25519_CHACHA20POLY1305_SHA256_Ed25519 = 0x0003;
+    public static final short MLS_256_DHKEMX448_AES256GCM_SHA512_Ed448 = 0x0004;
+    public static final short MLS_256_DHKEMP521_AES256GCM_SHA512_P521 = 0x0005;
+    public static final short MLS_256_DHKEMX448_CHACHA20POLY1305_SHA512_Ed448 = 0x0006;
+    public static final short MLS_256_DHKEMP384_AES256GCM_SHA384_P384 = 0x0007;
+
+    public static final MlsCipherSuite BCMLS_128_DHKEMX25519_AES128GCM_SHA256_Ed25519 = new MlsCipherSuite(MLS_128_DHKEMX25519_AES128GCM_SHA256_Ed25519, new BcMlsSigner(MlsSigner.ed25519), new BcMlsKdf(new SHA256Digest()), new BcMlsAead(HPKE.aead_AES_GCM128), new HPKE(HPKE.mode_base, HPKE.kem_X25519_SHA256, HPKE.kdf_HKDF_SHA256, HPKE.aead_AES_GCM128));
+    public static final MlsCipherSuite BCMLS_128_DHKEMP256_AES128GCM_SHA256_P256 = new MlsCipherSuite(MLS_128_DHKEMP256_AES128GCM_SHA256_P256, new BcMlsSigner(MlsSigner.ecdsa_secp256r1_sha256), new BcMlsKdf(new SHA256Digest()), new BcMlsAead(HPKE.aead_AES_GCM128), new HPKE(HPKE.mode_base, HPKE.kem_P256_SHA256, HPKE.kdf_HKDF_SHA256, HPKE.aead_AES_GCM128));
+    public static final MlsCipherSuite BCMLS_128_DHKEMX25519_CHACHA20POLY1305_SHA256_Ed25519 = new MlsCipherSuite(MLS_128_DHKEMX25519_CHACHA20POLY1305_SHA256_Ed25519, new BcMlsSigner(MlsSigner.ed25519), new BcMlsKdf(new SHA256Digest()), new BcMlsAead(HPKE.aead_CHACHA20_POLY1305), new HPKE(HPKE.mode_base, HPKE.kem_X25519_SHA256, HPKE.kdf_HKDF_SHA256, HPKE.aead_CHACHA20_POLY1305));
+    public static final MlsCipherSuite BCMLS_256_DHKEMX448_AES256GCM_SHA512_Ed448 = new MlsCipherSuite(MLS_256_DHKEMX448_AES256GCM_SHA512_Ed448, new BcMlsSigner(MlsSigner.ed448), new BcMlsKdf(new SHA512Digest()), new BcMlsAead(HPKE.aead_AES_GCM256), new HPKE(HPKE.mode_base, HPKE.kem_X448_SHA512, HPKE.kdf_HKDF_SHA512, HPKE.aead_AES_GCM256));
+    public static final MlsCipherSuite BCMLS_256_DHKEMP521_AES256GCM_SHA512_P521 = new MlsCipherSuite(MLS_256_DHKEMP521_AES256GCM_SHA512_P521, new BcMlsSigner(MlsSigner.ecdsa_secp521r1_sha512), new BcMlsKdf(new SHA512Digest()), new BcMlsAead(HPKE.aead_AES_GCM256), new HPKE(HPKE.mode_base, HPKE.kem_P521_SHA512, HPKE.kdf_HKDF_SHA512, HPKE.aead_AES_GCM256));
+    public static final MlsCipherSuite BCMLS_256_DHKEMX448_CHACHA20POLY1305_SHA512_Ed448 = new MlsCipherSuite(MLS_256_DHKEMX448_CHACHA20POLY1305_SHA512_Ed448, new BcMlsSigner(MlsSigner.ed448), new BcMlsKdf(new SHA512Digest()), new BcMlsAead(HPKE.aead_CHACHA20_POLY1305), new HPKE(HPKE.mode_base, HPKE.kem_X448_SHA512, HPKE.kdf_HKDF_SHA512, HPKE.aead_CHACHA20_POLY1305));
+    public static final MlsCipherSuite BCMLS_256_DHKEMP384_AES256GCM_SHA384_P384 = new MlsCipherSuite(MLS_256_DHKEMP384_AES256GCM_SHA384_P384, new BcMlsSigner(MlsSigner.ecdsa_secp384r1_sha384), new BcMlsKdf(new SHA384Digest()), new BcMlsAead(HPKE.aead_AES_GCM256), new HPKE(HPKE.mode_base, HPKE.kem_P384_SHA348, HPKE.kdf_HKDF_SHA384, HPKE.aead_AES_GCM256));
+
+    public static final short[] ALL_SUPPORTED_SUITES = {
+        MLS_128_DHKEMX25519_AES128GCM_SHA256_Ed25519,
+        MLS_128_DHKEMP256_AES128GCM_SHA256_P256,
+        MLS_128_DHKEMX25519_CHACHA20POLY1305_SHA256_Ed25519,
+        MLS_256_DHKEMX448_AES256GCM_SHA512_Ed448,
+        MLS_256_DHKEMP521_AES256GCM_SHA512_P521,
+        MLS_256_DHKEMX448_CHACHA20POLY1305_SHA512_Ed448,
+        MLS_256_DHKEMP384_AES256GCM_SHA384_P384
+    };
+
+    private final short suiteID;
+    private final MlsSigner signer;
+    private final MlsKdf kdf;
+    private final MlsAead aead;
+    private final Digest digest;
+    private final HPKE hpke;
+
+    public MlsCipherSuite(short id, MlsSigner signer, MlsKdf kdf, MlsAead aead, HPKE hpke)
+    {
+        this.suiteID = id;
+        this.signer = signer;
+        this.kdf = kdf;
+        this.aead = aead;
+        this.digest = kdf.getDigest();
+        this.hpke = hpke;
+    }
+
+    static public MlsCipherSuite getSuite(short id)
+        throws Exception
+    {
+        switch (id)
+        {
+        case MLS_128_DHKEMX25519_AES128GCM_SHA256_Ed25519:
+            return BCMLS_128_DHKEMX25519_AES128GCM_SHA256_Ed25519;
+        case MLS_128_DHKEMP256_AES128GCM_SHA256_P256:
+            return BCMLS_128_DHKEMP256_AES128GCM_SHA256_P256;
+        case MLS_128_DHKEMX25519_CHACHA20POLY1305_SHA256_Ed25519:
+            return BCMLS_128_DHKEMX25519_CHACHA20POLY1305_SHA256_Ed25519;
+        case MLS_256_DHKEMX448_AES256GCM_SHA512_Ed448:
+            return BCMLS_256_DHKEMX448_AES256GCM_SHA512_Ed448;
+        case MLS_256_DHKEMP521_AES256GCM_SHA512_P521:
+            return BCMLS_256_DHKEMP521_AES256GCM_SHA512_P521;
+        case MLS_256_DHKEMX448_CHACHA20POLY1305_SHA512_Ed448:
+            return BCMLS_256_DHKEMX448_CHACHA20POLY1305_SHA512_Ed448;
+        case MLS_256_DHKEMP384_AES256GCM_SHA384_P384:
+            return BCMLS_256_DHKEMP384_AES256GCM_SHA384_P384;
+        default:
+            throw new Exception("Unkown ciphersuite id");
+        }
+    }
+
+    public short getSuiteID()
+    {
+        return suiteID;
+    }
+
+    public AsymmetricCipherKeyPair generateSignatureKeyPair()
+    {
+        return signer.generateSignatureKeyPair();
+    }
+
+    public byte[] serializeSignaturePublicKey(AsymmetricKeyParameter key)
+    {
+        return signer.serializePublicKey(key);
+    }
+
+    public byte[] serializeSignaturePrivateKey(AsymmetricKeyParameter key)
+    {
+        return signer.serializePrivateKey(key);
+    }
+
+    public AsymmetricCipherKeyPair deserializeSignaturePrivateKey(byte[] priv)
+    {
+        return signer.deserializePrivateKey(priv);
+    }
+
+    public byte[] signWithLabel(byte[] priv, String label, byte[] content)
+        throws IOException, CryptoException
+    {
+        return signer.signWithLabel(priv, label, content);
+    }
+
+    public boolean verifyWithLabel(byte[] pub, String label, byte[] content, byte[] signature)
+        throws IOException
+    {
+        return signer.verifyWithLabel(pub, label, content, signature);
+    }
+
+    public byte[] refHash(byte[] value, String label)
+        throws IOException
+    {
+        RefHash refhash = new MlsCipherSuite.RefHash(label.getBytes(StandardCharsets.UTF_8), value);
+        byte[] refhashBytes = MLSOutputStream.encode(refhash);
+//            return expand(out, getHashLength());
+        byte[] out = new byte[kdf.getHashLength()];
+        digest.update(refhashBytes, 0, refhashBytes.length);
+        digest.doFinal(out, 0);
+        return out;
+    }
+
+    public byte[] hash(byte[] value)
+        throws IOException
+    {
+        byte[] out = new byte[kdf.getHashLength()];
+        digest.update(value, 0, value.length);
+        digest.doFinal(out, 0);
+        return out;
+    }
+
+    public byte[] decryptWithLabel(byte[] priv, String label, byte[] context, byte[] kem_output, byte[] ciphertext)
+        throws IOException, InvalidCipherTextException
+    {
+        GenericContent encryptContext = new GenericContent(label, context);
+        byte[] encryptContextBytes = MLSOutputStream.encode(encryptContext);
+
+        AsymmetricCipherKeyPair kp = hpke.deserializePrivateKey(priv, null);
+        return hpke.open(kem_output, kp, encryptContextBytes, "".getBytes(), ciphertext, null, null, null);
+    }
+
+    public byte[][] encryptWithLabel(byte[] pub, String label, byte[] context, byte[] plaintext)
+        throws IOException, InvalidCipherTextException
+    {
+        GenericContent encryptContext = new GenericContent(label, context);
+        byte[] encryptContextBytes = MLSOutputStream.encode(encryptContext);
+
+        AsymmetricKeyParameter pubKey = signer.deserializePublicKey(pub);
+
+        return hpke.seal(pubKey, encryptContextBytes, "".getBytes(), plaintext, null, null, null);
+    }
+
+    public HPKE getHPKE()
+    {
+        return hpke;
+    }
+
+    public MlsKdf getKDF()
+    {
+        return kdf;
+    }
+
+    public MlsAead getAEAD()
+    {
+        return aead;
+    }
+}
diff --git a/mls/src/main/java/moe/kyokobot/koe/mls/crypto/MlsKdf.java b/mls/src/main/java/moe/kyokobot/koe/mls/crypto/MlsKdf.java
new file mode 100644
index 0000000..b61bde2
--- /dev/null
+++ b/mls/src/main/java/moe/kyokobot/koe/mls/crypto/MlsKdf.java
@@ -0,0 +1,20 @@
+package moe.kyokobot.koe.mls.crypto;
+
+import java.io.IOException;
+
+import org.bouncycastle.crypto.Digest;
+
+public interface MlsKdf
+{
+    int getHashLength();
+
+    public Digest getDigest();
+
+    byte[] extract(byte[] salt, byte[] ikm);
+
+    byte[] expand(byte[] prk, byte[] info, int length);
+
+    byte[] expandWithLabel(byte[] secret, String label, byte[] context, int length)
+        throws IOException;
+
+}
diff --git a/mls/src/main/java/moe/kyokobot/koe/mls/crypto/MlsSigner.java b/mls/src/main/java/moe/kyokobot/koe/mls/crypto/MlsSigner.java
new file mode 100644
index 0000000..8fd7f88
--- /dev/null
+++ b/mls/src/main/java/moe/kyokobot/koe/mls/crypto/MlsSigner.java
@@ -0,0 +1,32 @@
+package moe.kyokobot.koe.mls.crypto;
+
+import java.io.IOException;
+
+import org.bouncycastle.crypto.AsymmetricCipherKeyPair;
+import org.bouncycastle.crypto.CryptoException;
+import org.bouncycastle.crypto.params.AsymmetricKeyParameter;
+
+public interface MlsSigner
+{
+    int ecdsa_secp256r1_sha256 = 3;
+    int ecdsa_secp521r1_sha512 = 4;
+    int ecdsa_secp384r1_sha384 = 5;
+    int ed25519 = 7;
+    int ed448 = 8;
+
+    AsymmetricCipherKeyPair generateSignatureKeyPair();
+
+    byte[] serializePublicKey(AsymmetricKeyParameter key);
+
+    byte[] serializePrivateKey(AsymmetricKeyParameter key);
+
+    byte[] signWithLabel(byte[] priv, String label, byte[] content)
+        throws IOException, CryptoException;
+
+    boolean verifyWithLabel(byte[] pub, String label, byte[] content, byte[] signature)
+        throws IOException;
+
+    AsymmetricCipherKeyPair deserializePrivateKey(byte[] priv);
+
+    AsymmetricKeyParameter deserializePublicKey(byte[] pub);
+}
diff --git a/mls/src/main/java/moe/kyokobot/koe/mls/crypto/Secret.java b/mls/src/main/java/moe/kyokobot/koe/mls/crypto/Secret.java
new file mode 100644
index 0000000..879031f
--- /dev/null
+++ b/mls/src/main/java/moe/kyokobot/koe/mls/crypto/Secret.java
@@ -0,0 +1,141 @@
+package moe.kyokobot.koe.mls.crypto;
+
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.util.Arrays;
+
+import moe.kyokobot.koe.mls.codec.MLSOutputStream;
+
+public class Secret
+{
+    byte[] value;
+    Secret[] parents;
+
+    public Secret(byte[] value)
+    {
+        this.value = value;
+        this.parents = null;
+    }
+
+    private Secret(byte[] value, Secret[] parents)
+    {
+        this.value = value;
+        this.parents = parents;
+    }
+
+    public static Secret zero(MlsCipherSuite suite)
+    {
+        return new Secret(new byte[suite.getKDF().getHashLength()]);
+    }
+
+    @Override
+    public boolean equals(Object o)
+    {
+        if (this == o)
+        {
+            return true;
+        }
+        if (o == null || getClass() != o.getClass())
+        {
+            return false;
+        }
+        Secret secret = (Secret)o;
+        return Arrays.equals(value, secret.value) && Arrays.equals(parents, secret.parents);
+    }
+
+    @Override
+    public int hashCode()
+    {
+        return Arrays.hashCode(value);
+    }
+
+    public final byte[] value()
+    {
+        return value;
+    }
+
+    public boolean isConsumed()
+    {
+        return value == null && parents == null;
+    }
+
+    public void consume()
+    {
+        if (isConsumed())
+        {
+            return;
+        }
+
+        // Zeroize this secret
+        Arrays.fill(value, (byte)0);
+        value = null;
+
+        // Consume any linked parents
+        if (parents != null)
+        {
+            for (Secret parent : parents)
+            {
+                parent.consume();
+            }
+            parents = null;
+        }
+    }
+
+    public static Secret extract(MlsCipherSuite suite, Secret salt, Secret ikm)
+    {
+        byte[] prk = suite.getKDF().extract(salt.value(), ikm.value());
+        return new Secret(prk, new Secret[]{salt, ikm});
+    }
+
+    public Secret expand(MlsCipherSuite suite, String label, int length)
+    {
+        byte[] labelData = label.getBytes(StandardCharsets.UTF_8);
+        byte[] derivedSecret = suite.getKDF().expand(value, labelData, length);
+        return new Secret(derivedSecret, new Secret[]{this});
+    }
+
+    public static class KDFLabel
+        implements MLSOutputStream.Writable
+    {
+        public short length;
+        public byte[] label;
+        public byte[] context;
+
+        KDFLabel(short length, String label, byte[] context)
+        {
+            this.length = length;
+            this.label = ("MLS 1.0 " + label).getBytes(StandardCharsets.UTF_8);
+            this.context = context;
+        }
+
+        @Override
+        public void writeTo(MLSOutputStream stream)
+            throws IOException
+        {
+            stream.write(length);
+            stream.writeOpaque(label);
+            stream.writeOpaque(context);
+        }
+    }
+
+    public Secret expandWithLabel(MlsCipherSuite suite, String label, byte[] context, int length)
+        throws IOException
+    {
+        KDFLabel kdfLabelStr = new KDFLabel((short)length, label, context);
+        byte[] kdfLabel = MLSOutputStream.encode(kdfLabelStr);
+        byte[] derivedSecret = suite.getKDF().expand(value, kdfLabel, length);
+        return new Secret(derivedSecret, new Secret[]{this});
+    }
+
+    public Secret deriveSecret(MlsCipherSuite suite, String label)
+        throws IOException
+    {
+        return expandWithLabel(suite, label, new byte[]{}, suite.getKDF().getHashLength());
+    }
+
+    public Secret deriveTreeSecret(MlsCipherSuite suite, String label, int generation, int length)
+        throws IOException
+    {
+        return expandWithLabel(suite, label, MLSOutputStream.encode(generation), length);
+    }
+}
diff --git a/mls/src/main/java/moe/kyokobot/koe/mls/crypto/bc/BcMlsAead.java b/mls/src/main/java/moe/kyokobot/koe/mls/crypto/bc/BcMlsAead.java
new file mode 100644
index 0000000..7d303dd
--- /dev/null
+++ b/mls/src/main/java/moe/kyokobot/koe/mls/crypto/bc/BcMlsAead.java
@@ -0,0 +1,104 @@
+package moe.kyokobot.koe.mls.crypto.bc;
+
+import moe.kyokobot.koe.mls.crypto.MlsAead;
+import org.bouncycastle.crypto.CipherParameters;
+import org.bouncycastle.crypto.InvalidCipherTextException;
+import org.bouncycastle.crypto.engines.AESEngine;
+import org.bouncycastle.crypto.hpke.HPKE;
+import org.bouncycastle.crypto.modes.AEADCipher;
+import org.bouncycastle.crypto.modes.ChaCha20Poly1305;
+import org.bouncycastle.crypto.modes.GCMBlockCipher;
+import org.bouncycastle.crypto.params.KeyParameter;
+import org.bouncycastle.crypto.params.ParametersWithIV;
+
+public class BcMlsAead
+    implements MlsAead
+{
+    AEADCipher cipher;
+    private final short aeadId;
+
+    public BcMlsAead(short aeadId)
+    {
+        this.aeadId = aeadId;
+
+        switch (aeadId)
+        {
+        case HPKE.aead_AES_GCM128:
+        case HPKE.aead_AES_GCM256:
+            cipher = GCMBlockCipher.newInstance(AESEngine.newInstance());
+            break;
+        case HPKE.aead_CHACHA20_POLY1305:
+            cipher = new ChaCha20Poly1305();
+            break;
+        case HPKE.aead_EXPORT_ONLY:
+            break;
+        }
+    }
+
+    public int getKeySize()
+    {
+        switch (aeadId)
+        {
+        case HPKE.aead_AES_GCM128:
+            return 16;
+        case HPKE.aead_AES_GCM256:
+        case HPKE.aead_CHACHA20_POLY1305:
+            return 32;
+        }
+        return -1;
+    }
+
+    private int getTagSize()
+    {
+        switch (aeadId)
+        {
+        case HPKE.aead_AES_GCM128:
+        case HPKE.aead_AES_GCM256:
+        case HPKE.aead_CHACHA20_POLY1305:
+            return 16;
+        }
+        return -1;
+    }
+
+    public int getNonceSize()
+    {
+        switch (aeadId)
+        {
+        case HPKE.aead_AES_GCM128:
+        case HPKE.aead_AES_GCM256:
+        case HPKE.aead_CHACHA20_POLY1305:
+            return 12;
+        }
+        return -1;
+    }
+
+    public byte[] open(byte[] key, byte[] nonce, byte[] aad, byte[] ct)
+        throws InvalidCipherTextException
+    {
+        CipherParameters params = new ParametersWithIV(new KeyParameter(key), nonce);
+        cipher.init(false, params);
+        if (aad != null)
+        {
+            cipher.processAADBytes(aad, 0, aad.length);
+        }
+
+        byte[] pt = new byte[cipher.getOutputSize(ct.length)];
+
+        int len = cipher.processBytes(ct, 0, ct.length, pt, 0);
+        len += cipher.doFinal(pt, len);
+        return pt;
+    }
+
+    public byte[] seal(byte[] key, byte[] nonce, byte[] aad, byte[] pt)
+        throws InvalidCipherTextException
+    {
+        CipherParameters params = new ParametersWithIV(new KeyParameter(key), nonce);
+        cipher.init(true, params);
+        cipher.processAADBytes(aad, 0, aad.length);
+
+        byte[] ct = new byte[cipher.getOutputSize(pt.length)];
+        int len = cipher.processBytes(pt, 0, pt.length, ct, 0);
+        cipher.doFinal(ct, len);
+        return ct;
+    }
+}
diff --git a/mls/src/main/java/moe/kyokobot/koe/mls/crypto/bc/BcMlsKdf.java b/mls/src/main/java/moe/kyokobot/koe/mls/crypto/bc/BcMlsKdf.java
new file mode 100644
index 0000000..4aa3b7d
--- /dev/null
+++ b/mls/src/main/java/moe/kyokobot/koe/mls/crypto/bc/BcMlsKdf.java
@@ -0,0 +1,64 @@
+package moe.kyokobot.koe.mls.crypto.bc;
+
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+
+import moe.kyokobot.koe.mls.codec.MLSOutputStream;
+import org.bouncycastle.crypto.Digest;
+import org.bouncycastle.crypto.generators.HKDFBytesGenerator;
+import org.bouncycastle.crypto.params.HKDFParameters;
+import moe.kyokobot.koe.mls.crypto.MlsKdf;
+
+public class BcMlsKdf
+    implements MlsKdf
+{
+    private final HKDFBytesGenerator kdf;
+
+    public BcMlsKdf(Digest digest)
+    {
+        kdf = new HKDFBytesGenerator(digest);
+    }
+
+    @Override
+    public Digest getDigest()
+    {
+        return kdf.getDigest();
+    }
+
+    @Override
+    public int getHashLength()
+    {
+        return kdf.getDigest().getDigestSize();
+    }
+
+    @Override
+    public byte[] extract(byte[] salt, byte[] ikm)
+    {
+        byte[] out = kdf.extractPRK(salt, ikm);
+        kdf.getDigest().reset();
+        return out;
+    }
+
+    @Override
+    public byte[] expand(byte[] prk, byte[] info, int length)
+    {
+        byte[] okm = new byte[length];
+        kdf.init(HKDFParameters.skipExtractParameters(prk, info));
+        kdf.generateBytes(okm, 0, okm.length);
+        kdf.getDigest().reset();
+        return okm;
+    }
+
+    @Override
+    public byte[] expandWithLabel(byte[] secret, String label, byte[] context, int length)
+        throws IOException
+    {
+        MLSOutputStream stream = new MLSOutputStream();
+        stream.write((short)length);
+        stream.writeOpaque(("MLS 1.0 " + label).getBytes(StandardCharsets.UTF_8));
+        stream.writeOpaque(context);
+        byte[] kdfLabel = stream.toByteArray();
+        return expand(secret, kdfLabel, length);
+    }
+
+}
diff --git a/mls/src/main/java/moe/kyokobot/koe/mls/crypto/bc/BcMlsSigner.java b/mls/src/main/java/moe/kyokobot/koe/mls/crypto/bc/BcMlsSigner.java
new file mode 100644
index 0000000..475cc4e
--- /dev/null
+++ b/mls/src/main/java/moe/kyokobot/koe/mls/crypto/bc/BcMlsSigner.java
@@ -0,0 +1,261 @@
+package moe.kyokobot.koe.mls.crypto.bc;
+
+import java.io.IOException;
+import java.math.BigInteger;
+import java.security.SecureRandom;
+
+import moe.kyokobot.koe.mls.codec.MLSOutputStream;
+import moe.kyokobot.koe.mls.crypto.MlsCipherSuite;
+import moe.kyokobot.koe.mls.crypto.MlsSigner;
+import org.bouncycastle.crypto.AsymmetricCipherKeyPair;
+import org.bouncycastle.crypto.CryptoException;
+import org.bouncycastle.crypto.Signer;
+import org.bouncycastle.crypto.digests.SHA256Digest;
+import org.bouncycastle.crypto.digests.SHA384Digest;
+import org.bouncycastle.crypto.digests.SHA512Digest;
+import org.bouncycastle.crypto.generators.ECKeyPairGenerator;
+import org.bouncycastle.crypto.generators.Ed25519KeyPairGenerator;
+import org.bouncycastle.crypto.generators.Ed448KeyPairGenerator;
+import org.bouncycastle.crypto.params.AsymmetricKeyParameter;
+import org.bouncycastle.crypto.params.ECDomainParameters;
+import org.bouncycastle.crypto.params.ECKeyGenerationParameters;
+import org.bouncycastle.crypto.params.ECPrivateKeyParameters;
+import org.bouncycastle.crypto.params.ECPublicKeyParameters;
+import org.bouncycastle.crypto.params.Ed25519KeyGenerationParameters;
+import org.bouncycastle.crypto.params.Ed25519PrivateKeyParameters;
+import org.bouncycastle.crypto.params.Ed25519PublicKeyParameters;
+import org.bouncycastle.crypto.params.Ed448KeyGenerationParameters;
+import org.bouncycastle.crypto.params.Ed448PrivateKeyParameters;
+import org.bouncycastle.crypto.params.Ed448PublicKeyParameters;
+import org.bouncycastle.crypto.params.X25519PublicKeyParameters;
+import org.bouncycastle.crypto.params.X448PublicKeyParameters;
+import org.bouncycastle.crypto.signers.DSADigestSigner;
+import org.bouncycastle.crypto.signers.ECDSASigner;
+import org.bouncycastle.crypto.signers.Ed25519Signer;
+import org.bouncycastle.crypto.signers.Ed448Signer;
+import org.bouncycastle.math.ec.ECCurve;
+import org.bouncycastle.math.ec.ECPoint;
+import org.bouncycastle.math.ec.FixedPointCombMultiplier;
+import org.bouncycastle.math.ec.custom.sec.SecP256R1Curve;
+import org.bouncycastle.math.ec.custom.sec.SecP384R1Curve;
+import org.bouncycastle.math.ec.custom.sec.SecP521R1Curve;
+import org.bouncycastle.util.encoders.Hex;
+
+public class BcMlsSigner
+    implements MlsSigner
+{
+    Signer signer;
+    ECDomainParameters domainParams;
+    int sigID;
+
+    public BcMlsSigner(int sigID)
+    {
+        this.sigID = sigID;
+
+        ECCurve curve;
+        switch (sigID)
+        {
+        case ecdsa_secp256r1_sha256:
+            signer = new DSADigestSigner(new ECDSASigner(), new SHA256Digest());
+            curve = new SecP256R1Curve();
+            domainParams = new ECDomainParameters(
+                curve,
+                curve.createPoint(
+                    new BigInteger(1, Hex.decode("6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296")),
+                    new BigInteger(1, Hex.decode("4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5"))
+                ),
+                curve.getOrder(),
+                curve.getCofactor(),
+                Hex.decode("c49d360886e704936a6678e1139d26b7819f7e90")
+            );
+            break;
+        case ecdsa_secp521r1_sha512:
+            signer = new DSADigestSigner(new ECDSASigner(), new SHA512Digest());
+            curve = new SecP521R1Curve();
+            domainParams = new ECDomainParameters(
+                curve,
+                curve.createPoint(
+                    new BigInteger("c6858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d3dbaa14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd66", 16),
+                    new BigInteger("11839296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e662c97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650", 16)
+                ),
+                curve.getOrder(),
+                curve.getCofactor(),
+                Hex.decode("d09e8800291cb85396cc6717393284aaa0da64ba")
+            );
+            break;
+        case ecdsa_secp384r1_sha384:
+            signer = new DSADigestSigner(new ECDSASigner(), new SHA384Digest());
+            curve = new SecP384R1Curve();
+            domainParams = new ECDomainParameters(
+                curve,
+                curve.createPoint(
+                    new BigInteger(1, Hex.decode("aa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a385502f25dbf55296c3a545e3872760ab7")),
+                    new BigInteger(1, Hex.decode("3617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c00a60b1ce1d7e819d7a431d7c90ea0e5f"))
+                ),
+                curve.getOrder(),
+                curve.getCofactor(),
+                Hex.decode("a335926aa319a27a1d00896a6773a4827acdac73")
+            );
+            break;
+        case ed25519:
+            signer = new Ed25519Signer();
+            break;
+        case ed448:
+            signer = new Ed448Signer(new byte[0]);
+            break;
+        }
+    }
+
+    public AsymmetricCipherKeyPair generateSignatureKeyPair()
+    {
+        SecureRandom random = new SecureRandom();
+        switch (sigID)
+        {
+        case ecdsa_secp256r1_sha256:
+        case ecdsa_secp521r1_sha512:
+        case ecdsa_secp384r1_sha384:
+            ECKeyPairGenerator pGen = new ECKeyPairGenerator();
+            ECKeyGenerationParameters genParam = new ECKeyGenerationParameters(
+                domainParams,
+                random);
+            pGen.init(genParam);
+            return pGen.generateKeyPair();
+        case ed448:
+            Ed448KeyPairGenerator kpg448 = new Ed448KeyPairGenerator();
+            kpg448.init(new Ed448KeyGenerationParameters(random));
+            return kpg448.generateKeyPair();
+
+        case ed25519:
+            Ed25519KeyPairGenerator kpg25519 = new Ed25519KeyPairGenerator();
+            kpg25519.init(new Ed25519KeyGenerationParameters(random));
+            return kpg25519.generateKeyPair();
+        default:
+            throw new IllegalStateException("invalid sig algorithm");
+        }
+    }
+
+    public byte[] serializePublicKey(AsymmetricKeyParameter key)
+    {
+        switch (sigID)
+        {
+        case ecdsa_secp256r1_sha256:
+        case ecdsa_secp521r1_sha512:
+        case ecdsa_secp384r1_sha384:
+            return ((ECPublicKeyParameters)key).getQ().getEncoded(false);
+        case ed448:
+            return ((Ed448PublicKeyParameters)key).getEncoded();
+        case ed25519:
+            return ((Ed25519PublicKeyParameters)key).getEncoded();
+        default:
+            throw new IllegalStateException("invalid sig algorithm");
+        }
+    }
+
+    public byte[] serializePrivateKey(AsymmetricKeyParameter key)
+    {
+
+        switch (sigID)
+        {
+        case ecdsa_secp256r1_sha256:
+        case ecdsa_secp521r1_sha512:
+        case ecdsa_secp384r1_sha384:
+            return ((ECPrivateKeyParameters)key).getD().toByteArray();
+        case ed448:
+            return ((Ed448PrivateKeyParameters)key).getEncoded();
+        case ed25519:
+            return ((Ed25519PrivateKeyParameters)key).getEncoded();
+        default:
+            throw new IllegalStateException("invalid sig algorithm");
+        }
+    }
+
+    public AsymmetricKeyParameter deserializePublicKey(byte[] pub)
+    {
+        switch (sigID)
+        {
+        case ecdsa_secp256r1_sha256:
+        case ecdsa_secp521r1_sha512:
+        case ecdsa_secp384r1_sha384:
+            ECPoint G = domainParams.getCurve().decodePoint(pub);
+            return new ECPublicKeyParameters(G, domainParams);
+        case ed25519:
+            return new X25519PublicKeyParameters(pub);
+        case ed448:
+            return new X448PublicKeyParameters(pub);
+        default:
+            throw new IllegalStateException("Unknown mode");
+        }
+    }
+
+    public AsymmetricCipherKeyPair deserializePrivateKey(byte[] priv)
+    {
+        switch (sigID)
+        {
+        case ecdsa_secp256r1_sha256:
+        case ecdsa_secp521r1_sha512:
+        case ecdsa_secp384r1_sha384:
+            BigInteger d = new BigInteger(1, priv);
+            ECPrivateKeyParameters ec = new ECPrivateKeyParameters(d, domainParams);
+
+            ECPoint Q = new FixedPointCombMultiplier().multiply(domainParams.getG(), ec.getD());
+            return new AsymmetricCipherKeyPair(new ECPublicKeyParameters(Q, domainParams), ec);
+        case ed25519:
+            Ed25519PrivateKeyParameters ed25519 = new Ed25519PrivateKeyParameters(priv);
+            return new AsymmetricCipherKeyPair(ed25519.generatePublicKey(), ed25519);
+        case ed448:
+            Ed448PrivateKeyParameters ed448 = new Ed448PrivateKeyParameters(priv);
+            return new AsymmetricCipherKeyPair(ed448.generatePublicKey(), ed448);
+        default:
+            throw new IllegalStateException("invalid sig algorithm");
+        }
+    }
+
+    public byte[] signWithLabel(byte[] priv, String label, byte[] content)
+        throws IOException, CryptoException
+    {
+        MlsCipherSuite.GenericContent signContent = new MlsCipherSuite.GenericContent(label, content);
+        byte[] signContentBytes = MLSOutputStream.encode(signContent);
+        switch (sigID)
+        {
+        case ecdsa_secp256r1_sha256:
+        case ecdsa_secp521r1_sha512:
+        case ecdsa_secp384r1_sha384:
+            BigInteger d = new BigInteger(1, priv);
+            signer.init(true, new ECPrivateKeyParameters(d, domainParams));
+            break;
+        case ed25519:
+            signer.init(true, new Ed25519PrivateKeyParameters(priv));
+            break;
+        case ed448:
+            signer.init(true, new Ed448PrivateKeyParameters(priv));
+            break;
+        }
+        signer.update(signContentBytes, 0, signContentBytes.length);
+        return signer.generateSignature();
+
+    }
+
+    public boolean verifyWithLabel(byte[] pub, String label, byte[] content, byte[] signature)
+        throws IOException
+    {
+        MlsCipherSuite.GenericContent signContent = new MlsCipherSuite.GenericContent(label, content);
+        byte[] signContentBytes = MLSOutputStream.encode(signContent);
+        switch (sigID)
+        {
+        case ecdsa_secp256r1_sha256:
+        case ecdsa_secp521r1_sha512:
+        case ecdsa_secp384r1_sha384:
+            ECPoint G = domainParams.getCurve().decodePoint(pub);
+            signer.init(false, new ECPublicKeyParameters(G, domainParams));
+            break;
+        case ed25519:
+            signer.init(false, new Ed25519PublicKeyParameters(pub));
+            break;
+        case ed448:
+            signer.init(false, new Ed448PublicKeyParameters(pub));
+            break;
+        }
+        signer.update(signContentBytes, 0, signContentBytes.length);
+        return signer.verifySignature(signature);
+    }
+}
diff --git a/mls/src/main/java/moe/kyokobot/koe/mls/protocol/CachedProposal.java b/mls/src/main/java/moe/kyokobot/koe/mls/protocol/CachedProposal.java
new file mode 100644
index 0000000..7204225
--- /dev/null
+++ b/mls/src/main/java/moe/kyokobot/koe/mls/protocol/CachedProposal.java
@@ -0,0 +1,18 @@
+package moe.kyokobot.koe.mls.protocol;
+
+import moe.kyokobot.koe.mls.codec.Proposal;
+import moe.kyokobot.koe.mls.TreeKEM.LeafIndex;
+
+public class CachedProposal
+{
+    byte[] proposalRef;
+    Proposal proposal;
+    LeafIndex sender;
+
+    public CachedProposal(byte[] proposalRef, Proposal proposal, LeafIndex sender)
+    {
+        this.proposalRef = proposalRef;
+        this.proposal = proposal;
+        this.sender = sender;
+    }
+}
diff --git a/mls/src/main/java/moe/kyokobot/koe/mls/protocol/CachedUpdate.java b/mls/src/main/java/moe/kyokobot/koe/mls/protocol/CachedUpdate.java
new file mode 100644
index 0000000..348f19e
--- /dev/null
+++ b/mls/src/main/java/moe/kyokobot/koe/mls/protocol/CachedUpdate.java
@@ -0,0 +1,22 @@
+package moe.kyokobot.koe.mls.protocol;
+
+import moe.kyokobot.koe.mls.codec.Proposal;
+import org.bouncycastle.util.Arrays;
+
+public class CachedUpdate
+{
+    byte[] updateSk;
+    Proposal.Update update;
+
+    public CachedUpdate(byte[] updateSk, Proposal.Update update)
+    {
+        this.updateSk = updateSk;
+        this.update = update;
+    }
+
+    public void reset()
+    {
+        this.update = null;
+        Arrays.clear(this.updateSk);
+    }
+}
diff --git a/mls/src/main/java/moe/kyokobot/koe/mls/protocol/Group.java b/mls/src/main/java/moe/kyokobot/koe/mls/protocol/Group.java
new file mode 100644
index 0000000..5bcd581
--- /dev/null
+++ b/mls/src/main/java/moe/kyokobot/koe/mls/protocol/Group.java
@@ -0,0 +1,2415 @@
+package moe.kyokobot.koe.mls.protocol;
+
+import java.io.IOException;
+import java.security.SecureRandom;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+import moe.kyokobot.koe.mls.GroupKeySet;
+import moe.kyokobot.koe.mls.KeyScheduleEpoch;
+import moe.kyokobot.koe.mls.TranscriptHash;
+import moe.kyokobot.koe.mls.codec.*;
+import moe.kyokobot.koe.mls.crypto.MlsCipherSuite;
+import org.bouncycastle.crypto.AsymmetricCipherKeyPair;
+import moe.kyokobot.koe.mls.TreeKEM.LeafIndex;
+import moe.kyokobot.koe.mls.TreeKEM.LeafNode;
+import moe.kyokobot.koe.mls.TreeKEM.LeafNodeSource;
+import moe.kyokobot.koe.mls.TreeKEM.NodeIndex;
+import moe.kyokobot.koe.mls.TreeKEM.TreeKEMPrivateKey;
+import moe.kyokobot.koe.mls.TreeKEM.TreeKEMPublicKey;
+import moe.kyokobot.koe.mls.crypto.Secret;
+
+public class Group
+{
+
+    public class GroupWithMessage
+    {
+        public Group group;
+        public MLSMessage message;
+
+        public GroupWithMessage(Group group, MLSMessage message)
+        {
+            this.group = group;
+            this.message = message;
+        }
+    }
+
+    public class Tombstone
+    {
+        //const
+        final byte[] epochAuthenticator;
+        final Proposal.ReInit reinit;
+
+        //private
+        private byte[] priorGroupID;
+        private long priorEpoch;
+        private byte[] resumptionPsk;
+
+        public byte[] getEpochAuthenticator()
+        {
+            return epochAuthenticator;
+        }
+
+        public MlsCipherSuite getSuite()
+        {
+            return reinit.getSuite();
+        }
+
+        public Tombstone(Group group, Proposal.ReInit reinit)
+        {
+            epochAuthenticator = group.getEpochAuthenticator();
+            this.reinit = reinit;
+            priorGroupID = group.groupID;
+            priorEpoch = group.epoch;
+            resumptionPsk = group.keySchedule.resumptionPSK.value();
+        }
+
+        public GroupWithMessage createWelcome(AsymmetricCipherKeyPair encSk, byte[] sigSk, LeafNode leafNode, List<KeyPackage> keyPackages, byte[] leafSecret, CommitOptions options)
+            throws Exception
+        {
+            // Create new empty group with the appropriate PSK
+            Group newGroup = new Group(
+                reinit.getGroupID(),
+                reinit.getSuite(),
+                encSk,
+                sigSk,
+                leafNode,
+                reinit.getExtensions()
+            );
+            newGroup.resumptionPSKs.put(new EpochRef(priorGroupID, priorEpoch), resumptionPsk);
+
+            // Create Add proposals
+            List<Proposal> proposals = new ArrayList<Proposal>();
+            for (KeyPackage kp : keyPackages)
+            {
+                proposals.add(newGroup.addProposal(kp));
+            }
+
+            // Create PSK proposal
+            byte[] nonce = new byte[suite.getKDF().getHashLength()];
+            SecureRandom random = new SecureRandom();
+            random.nextBytes(nonce);
+            proposals.add(Proposal.preSharedKey(PreSharedKeyID.resumption(ResumptionPSKUsage.REINIT, priorGroupID, priorEpoch, nonce)));
+
+            // Commit the Add and PSK proposals
+            CommitOptions opts = new CommitOptions(
+                proposals,
+                options.inlineTree,
+                options.forcePath,
+                options.leafNodeOptions
+            );
+            GroupWithMessage gwm = newGroup.commit(new Secret(leafSecret), opts, new MessageOptions(), new CommitParameters(ResumptionPSKUsage.REINIT));
+            gwm.message.wireFormat = WireFormat.mls_welcome;
+            return gwm;
+
+        }
+
+        public Group handleWelcome(AsymmetricCipherKeyPair initSk, AsymmetricCipherKeyPair encSk, AsymmetricCipherKeyPair sigSk, KeyPackage keyPackage, MLSMessage welcome, TreeKEMPublicKey tree)
+            throws Exception
+        {
+            Map<EpochRef, byte[]> resumptionPsks = new HashMap<EpochRef, byte[]>();
+            resumptionPsks.put(new EpochRef(priorGroupID, priorEpoch), resumptionPsk);
+
+            MlsCipherSuite suite = welcome.getCipherSuite();
+            Group newGroup = new Group(
+                suite.getHPKE().serializePrivateKey(initSk.getPrivate()),
+                encSk,
+                suite.serializeSignaturePrivateKey(sigSk.getPrivate()),
+                keyPackage,
+                welcome.welcome,
+                tree,
+                new HashMap<Secret, byte[]>(),
+                resumptionPsks
+            );
+
+            if (newGroup.suite.getSuiteID() != reinit.getSuite().getSuiteID())
+            {
+                throw new Exception("Attempt to reinit with the wrong ciphersuite");
+            }
+
+            if (newGroup.epoch != 1)
+            {
+                throw new Exception("Reinit not done at the beginning of the group");
+            }
+
+            return newGroup;
+        }
+    }
+
+    public class TombstoneWithMessage
+        extends Tombstone
+    {
+
+        MLSMessage message;
+
+        public MLSMessage getMessage()
+        {
+            return message;
+        }
+
+        public TombstoneWithMessage(Group group, Proposal.ReInit reinit, MLSMessage message)
+        {
+            super(group, reinit);
+            this.message = message;
+        }
+    }
+
+    public static final short NORMAL_COMMIT_PARAMS = 0;
+    public static final short EXTERNAL_COMMIT_PARAMS = 1;
+    public static final short RESTART_COMMIT_PARAMS = 2;
+    public static final short REINIT_COMMIT_PARAMS = 3;
+
+    static public class CommitParameters
+    {
+        short paramID;
+        // External
+        KeyPackage joinerKeyPackage;
+        Secret forceInitSecret;
+
+        // Restart
+        ResumptionPSKUsage allowedUsage;
+
+        public CommitParameters(short paramID)
+        {
+            this.paramID = paramID;
+        }
+
+        public CommitParameters(KeyPackage joinerKeyPackage, Secret forceInitSecret)
+        {
+            this.paramID = EXTERNAL_COMMIT_PARAMS;
+            this.joinerKeyPackage = joinerKeyPackage;
+            this.forceInitSecret = forceInitSecret;
+        }
+
+        public CommitParameters(short paramID, KeyPackage joinerKeyPackage, Secret forceInitSecret, ResumptionPSKUsage allowedUsage)
+        {
+            this.paramID = paramID;
+            this.joinerKeyPackage = joinerKeyPackage;
+            this.forceInitSecret = forceInitSecret;
+            this.allowedUsage = allowedUsage;
+        }
+
+        public CommitParameters(ResumptionPSKUsage reinit)
+        {
+            paramID = RESTART_COMMIT_PARAMS;
+            allowedUsage = reinit;
+        }
+    }
+
+    public static class MessageOptions
+    {
+        boolean encrypt = false;
+        byte[] authenticatedData;
+        int paddingSize = 0;
+
+        public MessageOptions()
+        {
+            authenticatedData = new byte[0];
+        }
+
+        public MessageOptions(boolean encrypt, byte[] authenticatedData, int paddingSize)
+        {
+            this.encrypt = encrypt;
+            this.authenticatedData = authenticatedData;
+            this.paddingSize = paddingSize;
+        }
+    }
+
+    public static class LeafNodeOptions
+    {
+        Credential credential;
+        Capabilities capabilities;
+        List<Extension> extensions;
+
+        public Credential getCredential()
+        {
+            return credential;
+        }
+
+        public Capabilities getCapabilities()
+        {
+            return capabilities;
+        }
+
+        public List<Extension> getExtensions()
+        {
+            return extensions;
+        }
+
+        public LeafNodeOptions()
+        {
+        }
+
+        public LeafNodeOptions(Credential credential, Capabilities capabilities, List<Extension> extensions)
+        {
+            this.credential = credential;
+            this.capabilities = capabilities;
+            this.extensions = extensions;
+        }
+    }
+
+    public static class CommitOptions
+    {
+        List<Proposal> extraProposals;
+        boolean inlineTree;
+        boolean forcePath;
+        LeafNodeOptions leafNodeOptions;
+
+        public CommitOptions()
+        {
+            this.extraProposals = new ArrayList<Proposal>();
+            this.leafNodeOptions = new LeafNodeOptions();
+
+        }
+
+        public CommitOptions(List<Proposal> extraProposals, boolean inlineTree, boolean forcePath, LeafNodeOptions leafNodeOptions)
+        {
+            this.extraProposals = extraProposals;
+            this.inlineTree = inlineTree;
+            this.forcePath = forcePath;
+            if (leafNodeOptions == null)
+            {
+                this.leafNodeOptions = new LeafNodeOptions();
+            }
+            else
+            {
+                this.leafNodeOptions = leafNodeOptions;
+            }
+        }
+    }
+
+    class JoinersWithPSKS
+    {
+        List<LeafIndex> joiners;
+        List<KeyScheduleEpoch.PSKWithSecret> psks;
+
+        public JoinersWithPSKS(List<LeafIndex> joiners, List<KeyScheduleEpoch.PSKWithSecret> psks)
+        {
+            this.psks = psks;
+            this.joiners = joiners;
+        }
+    }
+
+    public class EpochRef
+    {
+        byte[] id;
+        long epoch;
+
+
+        public EpochRef(byte[] id, long epoch)
+        {
+            this.id = id.clone();
+            this.epoch = epoch;
+        }
+
+        @Override
+        public boolean equals(Object o)
+        {
+            if (this == o)
+            {
+                return true;
+            }
+            if (o == null || getClass() != o.getClass())
+            {
+                return false;
+            }
+
+            EpochRef epochRef = (EpochRef)o;
+
+            if (epoch != epochRef.epoch)
+            {
+                return false;
+            }
+            return Arrays.equals(id, epochRef.id);
+        }
+
+        @Override
+        public int hashCode()
+        {
+            int result = Arrays.hashCode(id);
+            result = 31 * result + Long.hashCode(epoch);
+            return result;
+        }
+    }
+
+    Map<Secret, byte[]> externalPSKs;
+    private Map<EpochRef, byte[]> resumptionPSKs;
+    private long epoch;
+    private byte[] groupID;
+    private TranscriptHash transcriptHash;
+    private ArrayList<Extension> extensions;
+    private KeyScheduleEpoch keySchedule;
+    private TreeKEMPublicKey tree;
+    private TreeKEMPrivateKey treePriv;
+    private GroupKeySet keys;
+    private MlsCipherSuite suite;
+    private LeafIndex index;
+    private byte[] identitySk;
+    private ArrayList<CachedProposal> pendingProposals;
+    private CachedUpdate cachedUpdate;
+
+
+    public void insertExternalPsk(Secret pskID, byte[] pskSecret)
+    {
+        externalPSKs.put(pskID, pskSecret);
+    }
+
+    public MlsCipherSuite getSuite()
+    {
+        return suite;
+    }
+
+    public ArrayList<Extension> getExtensions()
+    {
+        return extensions;
+    }
+
+    public KeyScheduleEpoch getKeySchedule()
+    {
+        return keySchedule;
+    }
+
+    public TreeKEMPublicKey getTree()
+    {
+        return tree;
+    }
+
+    public long getEpoch()
+    {
+        return epoch;
+    }
+
+    public byte[] getGroupID()
+    {
+        return groupID;
+    }
+
+    public LeafIndex getIndex()
+    {
+        return index;
+    }
+
+    public MLSMessage getGroupInfo(boolean inlineTree)
+        throws Exception
+    {
+        GroupInfo groupInfo = new GroupInfo(
+            new GroupContext(
+                suite,
+                groupID,
+                epoch,
+                tree.getRootHash(),
+                transcriptHash.getConfirmed(),
+                extensions
+            ),
+            new ArrayList<>(),
+            keySchedule.confirmationTag(transcriptHash.getConfirmed())
+        );
+
+        byte[] externalPub = suite.getHPKE().serializePublicKey(keySchedule.getExternalPublicKey());
+        MLSOutputStream stream = new MLSOutputStream();
+        stream.writeOpaque(externalPub);
+
+        groupInfo.getExtensions().add(new Extension(ExtensionType.EXTERNAL_PUB, stream.toByteArray()));
+
+        if (inlineTree)
+        {
+            groupInfo.getExtensions().add(new Extension(ExtensionType.RATCHET_TREE, MLSOutputStream.encode(tree)));
+        }
+
+        groupInfo.sign(tree, index, suite.deserializeSignaturePrivateKey(identitySk));
+        MLSMessage msg = new MLSMessage(WireFormat.mls_group_info);
+        msg.groupInfo = groupInfo;
+        return msg;
+    }
+
+    public Group()
+    {
+    }
+
+    public Group(AsymmetricCipherKeyPair sigSk, GroupInfo groupInfo, TreeKEMPublicKey tree)
+        throws Exception
+    {
+        this.suite = groupInfo.getSuite();
+        this.groupID = groupInfo.getGroupID().clone();
+        this.epoch = groupInfo.getEpoch();
+        this.tree = TreeKEMPublicKey.clone(importTree(groupInfo.getGroupContext().getTreeHash(), tree, groupInfo.getExtensions()));
+        this.treePriv = new TreeKEMPrivateKey(suite, new LeafIndex(0));// check this should be null
+        this.transcriptHash = TranscriptHash.fromConfirmationTag(this.suite, groupInfo.getGroupContext().getConfirmedTranscriptHash(), groupInfo.getConfirmationTag());
+        this.extensions = new ArrayList<Extension>(groupInfo.getGroupContext().getExtensions());
+        this.keySchedule = new KeyScheduleEpoch(this.suite);
+        this.index = new LeafIndex(0);
+        this.identitySk = suite.serializeSignaturePrivateKey(sigSk.getPrivate());
+        this.pendingProposals = new ArrayList<CachedProposal>();
+        this.resumptionPSKs = new HashMap<EpochRef, byte[]>();
+        this.externalPSKs = new HashMap<Secret, byte[]>();
+        this.keys = null;
+
+    }
+
+    // Create a new group
+    public Group(
+        byte[] groupID,
+        MlsCipherSuite suite,
+        AsymmetricCipherKeyPair encSk,
+        byte[] sigSk,
+        LeafNode leafNode,
+        List<Extension> extensions
+    )
+        throws Exception
+    {
+        this.suite = suite;
+        this.groupID = groupID.clone();
+        this.epoch = 0;
+        tree = new TreeKEMPublicKey(suite);
+        this.transcriptHash = new TranscriptHash(suite);
+        this.extensions = new ArrayList<Extension>();
+        this.extensions.addAll(extensions);
+        this.index = new LeafIndex(0);
+        this.identitySk = sigSk.clone();
+
+        this.pendingProposals = new ArrayList<CachedProposal>();
+        this.externalPSKs = new HashMap<Secret, byte[]>();
+        this.resumptionPSKs = new HashMap<EpochRef, byte[]>();
+
+        index = tree.addLeaf(leafNode);
+        tree.setHashAll();
+        treePriv = TreeKEMPrivateKey.solo(suite, index, encSk);
+        if (!treePriv.consistent(tree))
+        {
+            throw new Exception("LeafNode inconsistent with private key");
+        }
+
+        byte[] ctx = MLSOutputStream.encode(getGroupContext());
+        keySchedule = KeyScheduleEpoch.forCreator(suite, ctx);
+        this.keys = keySchedule.getEncryptionKeys(tree.getSize());
+
+        // Update the interim transcript hash with a virtual confirmation tag
+        transcriptHash.updateInterim(keySchedule.confirmationTag(transcriptHash.getConfirmed()));
+    }
+
+    // Creates a group from a welcome message
+
+    /**
+     * @param initSk         HPKE private key
+     * @param leafSk         HPKE private key for leaf node
+     * @param sigSk          signature private key
+     * @param keyPackage     key package
+     * @param welcome        welcome
+     * @param treeIn         public kem tree (optional)
+     * @param externalPsks   map of external psks
+     * @param resumptionPsks map of resumptions psks
+     * @throws Exception
+     */
+    public Group(
+        byte[] initSk,
+        AsymmetricCipherKeyPair leafSk,
+        byte[] sigSk,
+        KeyPackage keyPackage,
+        Welcome welcome,
+        TreeKEMPublicKey treeIn,
+        Map<Secret, byte[]> externalPsks,
+        Map<EpochRef, byte[]> resumptionPsks
+    )
+        throws Exception
+    {
+        pendingProposals = new ArrayList<CachedProposal>();
+        suite = welcome.getSuite();
+        epoch = 0;
+        identitySk = sigSk;
+        externalPSKs = new HashMap<Secret, byte[]>();
+        externalPSKs.putAll(externalPsks);
+        this.resumptionPSKs = new HashMap<EpochRef, byte[]>();
+        this.resumptionPSKs.putAll(resumptionPsks);
+
+        int kpi = welcome.find(keyPackage);
+        if (kpi == -1)
+        {
+            throw new Exception("Welcome not intended for key package");
+        }
+
+        if (keyPackage.getSuite().getSuiteID() != welcome.getSuite().getSuiteID())
+        {
+            throw new Exception("Ciphersuite mismatch");
+        }
+
+        // Decrypting GroupSecrets and checking PSKs
+        GroupSecrets secrets = welcome.decryptSecrets(kpi, initSk);
+        List<KeyScheduleEpoch.PSKWithSecret> psks = resolve(secrets.psks);
+
+        // Decrypting GroupInfo
+        GroupInfo groupInfo = welcome.decrypt(secrets.joiner_secret, psks);
+        if (groupInfo.getSuite().getSuiteID() != suite.getSuiteID())
+        {
+            throw new Exception("GroupInfo and Welcome ciphersuites disagree");
+        }
+
+        // Get tree from argument or from extension
+        tree = TreeKEMPublicKey.clone(importTree(groupInfo.getGroupContext().getTreeHash(), treeIn, groupInfo.getExtensions()));
+
+        // Verifying GroupInfo signature
+        if (!groupInfo.verify(suite, tree))
+        {
+            throw new Exception("Invalid GroupInfo");
+        }
+
+        // Set the GroupSecrets and GroupInfo
+        epoch = groupInfo.getEpoch();
+        groupID = groupInfo.getGroupID();
+
+        transcriptHash = new TranscriptHash(suite, groupInfo.getGroupContext().getConfirmedTranscriptHash().clone(), null);
+        transcriptHash.updateInterim(groupInfo.getConfirmationTag());
+
+        extensions = new ArrayList<Extension>();
+        extensions.addAll(groupInfo.getGroupContext().getExtensions());
+
+        // Create the TreeKEMPrivateKey
+        int i = tree.find(keyPackage.getLeafNode());
+        if (i == -1)
+        {
+            throw new Exception("New joiner not in tree");
+        }
+        index = new LeafIndex(i);
+
+        NodeIndex ancestor = index.commonAncestor(groupInfo.getSigner());
+        Secret pathSecret;
+        if (secrets.path_secret != null)
+        {
+            pathSecret = new Secret(secrets.path_secret.getPathSecret());
+        }
+        else
+        {
+            pathSecret = new Secret(new byte[0]);
+        }
+        treePriv = TreeKEMPrivateKey.joiner(tree, index, leafSk, ancestor, pathSecret);
+
+        // Ratchet forward into current epoch
+        byte[] groupCtx = MLSOutputStream.encode(getGroupContext());
+
+        keySchedule = KeyScheduleEpoch.joiner(suite, secrets.joiner_secret, psks, groupCtx);
+        keys = keySchedule.getEncryptionKeys(tree.getSize());
+
+        // Verify confirmation tag
+        byte[] confirmationTag = keySchedule.confirmationTag(transcriptHash.getConfirmed());
+        if (!Arrays.equals(confirmationTag, groupInfo.getConfirmationTag()))
+        {
+            throw new Exception("Confirmation failed to verify");
+        }
+    }
+
+    public ValidatedContent unwrap(MLSMessage msg)
+        throws Exception
+    {
+        if (msg.version != ProtocolVersion.mls10)
+        {
+            throw new Exception("Unsupported version");
+        }
+
+        AuthenticatedContent auth;
+        switch (msg.wireFormat)
+        {
+            case mls_public_message:
+                auth = msg.publicMessage.unprotect(suite, keySchedule.membershipKey, getGroupContext());
+                if (auth == null)
+                {
+                    throw new Exception("Membership tag failed to verify");
+                }
+                break;
+            case mls_private_message:
+                auth = msg.privateMessage.unprotect(suite, keys, keySchedule.senderDataSecret.value());
+                if (auth == null)
+                {
+                    throw new Exception("PrivateMessage decryption failure");
+                }
+                break;
+            default:
+                throw new Exception("Invalid wire format");
+        }
+        if (!verifyAuth(auth))
+        {
+            throw new Exception("Message signature failed to verify");
+        }
+
+        return new ValidatedContent(auth);
+    }
+
+    public Group handle(byte[] mlsMessageBytes, Group cachedGroup)
+        throws Exception
+    {
+        return handle(mlsMessageBytes, cachedGroup, null);
+    }
+
+    public Group handle(byte[] mlsMessageBytes, Group cachedGroup, CommitParameters expectedParams)
+        throws Exception
+    {
+        MLSMessage msg = (MLSMessage)MLSInputStream.decode(mlsMessageBytes, MLSMessage.class);
+        ValidatedContent valContent = unwrap(msg);
+        return handle(valContent.getAuthenticatedContent(), cachedGroup, expectedParams);
+    }
+
+    public Group handle(AuthenticatedContent auth, Group cachedGroup, CommitParameters expectedParams)
+        throws Exception
+    {
+        // Validate the GroupContent
+        FramedContent content = auth.getContent();
+        if (!Arrays.equals(content.getGroupID(), groupID))
+        {
+            throw new Exception("GroupID mismatch");
+        }
+
+        if (content.getEpoch() != epoch)
+        {
+            throw new Exception("epoch mismatch");
+        }
+
+        // Dispatch on content type
+        switch (content.getContentType())
+        {
+        case PROPOSAL:
+            // Proposals get queued, do not result in a state transition
+            cacheProposal(auth);
+            return null;
+        case COMMIT:
+            // Commits are handled in the remainder of this method
+            break;
+        default:
+            // Any other content type in this method is an error
+            throw new Exception("Invalid content type");
+        }
+
+        switch (content.getSender().getSenderType())
+        {
+        case MEMBER:
+        case NEW_MEMBER_COMMIT:
+            break;
+        default:
+            throw new Exception("Invalid commit sender type");
+        }
+
+        LeafIndex sender = null;
+        if (content.getSender().getSenderType() == SenderType.MEMBER)
+        {
+            sender = content.getSender().getSender();
+        }
+
+        if (index.equals(sender))
+        {
+            if (cachedGroup != null)
+            {
+                // Verify that the cached state is a plausible successor to this state
+                if (!Arrays.equals(cachedGroup.groupID, groupID) || cachedGroup.epoch != epoch + 1 || !cachedGroup.index.equals(index))
+                {
+                    throw new Exception("Invalid successor state");
+                }
+
+                return cachedGroup;
+            }
+
+            throw new Exception("Handle own commits with caching");
+        }
+
+        // Apply the commit
+        Commit commit = content.getCommit();
+        List<CachedProposal> proposals = mustResolve(commit.getProposals(), sender);
+
+        CommitParameters params = inferCommitType(sender, proposals, expectedParams);
+        boolean externalcommit = params.paramID == EXTERNAL_COMMIT_PARAMS;
+
+        // Check that a path is present when required
+        if (pathRequired(proposals) && commit.getUpdatePath() == null)
+        {
+            throw new Exception("Path required but not present");
+        }
+
+        // Apply the proposals
+        Group next = successor();
+        JoinersWithPSKS joinersWithPSKS = next.apply(proposals);
+
+        // If this is an external commit, add the joiner to the tree and note the
+        // location where they were added.  Also, compute the "externally forced"
+        // value that we will use for the init_secret (as opposed to the init_secret
+        // from the key schedule).
+
+        byte[] forceInitSecret = null;
+        LeafIndex senderLocation = new LeafIndex(0);
+        if (!externalcommit)
+        {
+            senderLocation = sender;
+        }
+        else
+        {
+            // Add the joiner
+            UpdatePath path = commit.getUpdatePath().clone();
+            senderLocation = next.tree.addLeaf(path.getLeafNode());
+
+            // Extract the forced init secret
+            byte[] kemOut = commit.validityExternal();
+            if (kemOut == null)
+            {
+                throw new Exception("Invalid external commit");
+            }
+            forceInitSecret = keySchedule.receiveExternalInit(kemOut);
+        }
+
+        // Decapsulate and apply the UpdatePath, if provided
+        byte[] commitSecret = new byte[suite.getKDF().getHashLength()];
+        if (commit.getUpdatePath() != null)
+        {
+            UpdatePath path = commit.getUpdatePath().clone();
+            if (!validateLeafNode(path.getLeafNode(), LeafNodeSource.COMMIT, senderLocation))
+            {
+                throw new Exception("Commit path has invalid leaf node");
+            }
+
+            if (!next.tree.verifyParentHash(senderLocation, path))
+            {
+                throw new Exception("Commit path has invalid parent hash");
+            }
+
+            next.tree.merge(senderLocation, path);
+
+            byte[] ctx = MLSOutputStream.encode(new GroupContext(
+                next.suite,
+                next.groupID,
+                next.epoch + 1,
+                next.tree.getRootHash(),
+                next.transcriptHash.getConfirmed(),
+                next.extensions
+            ));
+            next.treePriv.decap(
+                senderLocation,
+                next.tree,
+                ctx,
+                path,
+                joinersWithPSKS.joiners
+            );
+            commitSecret = next.treePriv.getUpdateSecret().value().clone();
+        }
+        // Update the transcripts and advance the key schedule
+
+        next.transcriptHash.update(auth);
+        next.epoch += 1;
+        next.updateEpochSecrets(commitSecret, joinersWithPSKS.psks, forceInitSecret);
+
+        // Verify the confirmation MAC
+        byte[] confirmationTag = next.keySchedule.confirmationTag(next.transcriptHash.getConfirmed());
+
+        if (!Arrays.equals(auth.getConfirmationTag(), confirmationTag))
+        {
+            throw new Exception("Confirmation failed to verify");
+        }
+
+        return next;
+
+    }
+
+    private CommitParameters inferCommitType(LeafIndex sender, List<CachedProposal> proposals, CommitParameters expectedParams)
+        throws Exception
+    {
+        // If an expected type was provided, validate against it
+        if (expectedParams != null)
+        {
+            boolean specifically = false;
+            switch (expectedParams.paramID)
+            {
+            case NORMAL_COMMIT_PARAMS:
+                specifically = (sender != null) && validateNormalCachedProposals(proposals, sender);
+                break;
+            case EXTERNAL_COMMIT_PARAMS:
+                specifically = (sender == null) && validateExternalCachedProposals(proposals);
+                break;
+            case RESTART_COMMIT_PARAMS:
+                specifically = (sender != null) && validateRestartCachedProposals(proposals, expectedParams.allowedUsage);
+                break;
+            case REINIT_COMMIT_PARAMS:
+                specifically = (sender != null) && validateReInitCachedProposals(proposals);
+                break;
+            }
+            if (!specifically)
+            {
+                throw new Exception("Invalid proposal list");
+            }
+
+            return expectedParams;
+        }
+
+        // Otherwise, check to see if this is a valid external or normal commit
+        if ((sender == null) && validateExternalCachedProposals(proposals))
+        {
+            return new CommitParameters(EXTERNAL_COMMIT_PARAMS);
+        }
+
+        if ((sender != null) && validateNormalCachedProposals(proposals, sender))
+        {
+            return new CommitParameters(NORMAL_COMMIT_PARAMS);
+        }
+
+        throw new Exception("Invalid proposal list");
+
+    }
+
+    public GroupWithMessage createBranch(byte[] groupID, AsymmetricCipherKeyPair encryptionKeyPair, AsymmetricCipherKeyPair signatureKeyPair, LeafNode leafNode, List<Extension> extList, List<KeyPackage> keyPackages, byte[] leafSecret, CommitOptions commitOptions)
+        throws Exception
+    {
+        // Create a new empty group with the appropriate PSK
+        Group newGroup = new Group(groupID, suite, encryptionKeyPair, suite.serializeSignaturePrivateKey(signatureKeyPair.getPrivate()), leafNode, extensions);
+        newGroup.resumptionPSKs.put(new EpochRef(this.groupID, this.epoch), this.keySchedule.resumptionPSK.value().clone());
+
+        // Create Add proposals
+        List<Proposal> proposals = new ArrayList<Proposal>();
+        for (KeyPackage kp : keyPackages)
+        {
+            proposals.add(newGroup.addProposal(kp));
+        }
+
+        // Create PSK Proposal
+        byte[] nonce = new byte[suite.getKDF().getHashLength()];
+        SecureRandom random = new SecureRandom();
+        random.nextBytes(nonce);
+        proposals.add(Proposal.preSharedKey(PreSharedKeyID.resumption(ResumptionPSKUsage.BRANCH, this.groupID, this.epoch, nonce)));
+
+        // Commit the Add and PSK proposals
+        CommitOptions opts = new CommitOptions(
+            proposals,
+            commitOptions.inlineTree,
+            commitOptions.forcePath,
+            commitOptions.leafNodeOptions
+        );
+        GroupWithMessage gwm = newGroup.commit(new Secret(leafSecret), opts, new MessageOptions(), new CommitParameters(ResumptionPSKUsage.BRANCH));
+        gwm.message.wireFormat = WireFormat.mls_welcome;
+        return gwm;
+    }
+
+    public Group handleBranch(AsymmetricCipherKeyPair initSk, AsymmetricCipherKeyPair encSk, AsymmetricCipherKeyPair sigSk, KeyPackage keyPackage, MLSMessage welcome, TreeKEMPublicKey tree)
+        throws Exception
+    {
+        Map<EpochRef, byte[]> resumptionPsks = new HashMap<EpochRef, byte[]>();
+        resumptionPsks.put(new EpochRef(this.groupID, this.epoch), this.keySchedule.resumptionPSK.value().clone());
+
+        Group branchGroup = new Group(
+            suite.getHPKE().serializePrivateKey(initSk.getPrivate()),
+            encSk,
+            suite.serializeSignaturePrivateKey(sigSk.getPrivate()),
+            keyPackage,
+            welcome.welcome,
+            tree,
+            new HashMap<Secret, byte[]>(),
+            resumptionPsks
+        );
+
+        if (branchGroup.suite.getSuiteID() != suite.getSuiteID())
+        {
+            throw new Exception("Attempt to branch with a different ciphersuite");
+        }
+        if (branchGroup.epoch != 1)
+        {
+            throw new Exception("Branch not done at the beginning of the group");
+        }
+
+        return branchGroup;
+    }
+
+
+    public Tombstone handleReinitCommit(MLSMessage commitMessage)
+        throws Exception
+    {
+        // Verify the signature and process the commit
+        AuthenticatedContent auth = unprotectToContentAuth(commitMessage);
+        if (!verifyAuth(auth))
+        {
+            throw new Exception("Message signature failed to verify");
+        }
+
+        Group newGroup = handle(auth, null, new CommitParameters(REINIT_COMMIT_PARAMS));
+
+        // Extract the reinit and create the tombstone
+        Commit commit = auth.getContent().getCommit();
+        List<CachedProposal> proposals = mustResolve(commit.getProposals(), null);
+        if (!validateReinitProposals(proposals))
+        {
+            throw new Exception("Invalid proposals for reinit");
+        }
+
+        CachedProposal reinitProposal = proposals.get(0);
+        return new Tombstone(newGroup, reinitProposal.proposal.getReInit());
+    }
+
+    public static GroupWithMessage externalJoin(Secret leafSecret,
+                                                AsymmetricCipherKeyPair sigSk,
+                                                KeyPackage keyPackage,
+                                                GroupInfo groupInfo,
+                                                TreeKEMPublicKey tree,
+                                                MessageOptions msgOptions,
+                                                LeafIndex removePrior,
+                                                Map<Secret, byte[]> psks)
+        throws Exception
+    {
+        // Create a preliminary group
+        Group initialGroup = new Group(sigSk, groupInfo, tree);
+        MlsCipherSuite suite = keyPackage.getSuite();
+
+        // Look up the external public key for the group
+        byte[] extPub = null;
+        for (Extension ext : groupInfo.getExtensions())
+        {
+            if (extPub != null)
+            {
+                break;
+            }
+            extPub = ext.getExternalPub();
+        }
+        if (extPub == null)
+        {
+            throw new Exception("No external pub in GroupInfo");
+        }
+
+        // Insert an ExternalInit proposal
+        CommitOptions options = new CommitOptions();
+        KeyScheduleEpoch.ExternalInitParams extParams = new KeyScheduleEpoch.ExternalInitParams(
+            suite, suite.getHPKE().deserializePublicKey(extPub));
+
+        options.extraProposals.add(Proposal.externalInit(extParams.getKEMOutput()));
+
+        // Evict a prior appearance if required
+        if (removePrior != null)
+        {
+            Proposal remove = initialGroup.removeProposal(removePrior);
+            options.extraProposals.add(remove);
+        }
+
+        // Inject PKSs
+        for (Secret id : psks.keySet())
+        {
+            initialGroup.externalPSKs.put(id, psks.get(id));
+            options.extraProposals.add(initialGroup.preSharedKeyProposal(id));
+        }
+
+        // Use the preliminary state to create a commit and advance to a real state
+        CommitParameters commitParameters = new CommitParameters(keyPackage, extParams.getInitSecret());
+        GroupWithMessage gwm = initialGroup.commit(leafSecret, options, msgOptions, commitParameters);
+        gwm.message.welcome = null;
+        return gwm;
+    }
+
+    public GroupWithMessage commit(Secret leafSecret, CommitOptions commitOptions, MessageOptions msgOptions, CommitParameters params)
+        throws Exception
+    {
+        Commit commit = new Commit();
+        List<KeyPackage> joiners = new ArrayList<KeyPackage>();
+        for (CachedProposal cached : pendingProposals)
+        {
+            if (cached.proposal.getProposalType() == ProposalType.ADD)
+            {
+                joiners.add(cached.proposal.getAdd().keyPackage);
+            }
+
+            commit.getProposals().add(ProposalOrRef.forRef(cached.proposalRef));
+        }
+
+        // add the extra proposals to those we had cached
+        if (commitOptions != null)
+        {
+            for (Proposal p : commitOptions.extraProposals)
+            {
+                if (p.getProposalType() == ProposalType.ADD)
+                {
+                    joiners.add(p.getAdd().keyPackage);
+                }
+
+                commit.getProposals().add(ProposalOrRef.forProposal(p));
+            }
+        }
+
+        // for external commit insert an external init proposal
+        byte[] forceInitSecret = null;
+        if (params.paramID == EXTERNAL_COMMIT_PARAMS)
+        {
+            forceInitSecret = params.forceInitSecret.value().clone();
+        }
+
+        // Apply proposals
+        Group next = successor();
+
+        List<CachedProposal> proposals = mustResolve(commit.getProposals(), index); // check should just send index.value()
+        if (!validateCachedProposals(proposals, index, params))
+        {
+            throw new Exception("Invalid proposal list");
+        }
+
+        JoinersWithPSKS joinersWithpsks = next.apply(proposals);
+        if (params.paramID == EXTERNAL_COMMIT_PARAMS)
+        {
+            next.index = next.tree.addLeaf(params.joinerKeyPackage.getLeafNode());
+        }
+
+        // If this is an external commit, indicate it in the sender field
+        Sender sender = Sender.forMember(index);
+        if (params.paramID == EXTERNAL_COMMIT_PARAMS)
+        {
+            sender = Sender.forNewMemberCommit();
+        }
+
+        // KEM new entropy to the group and the new joiners
+        Secret commitSecret = Secret.zero(suite);
+        List<Secret> pathSecrets = new ArrayList<Secret>();
+        for (int i = 0; i < joinersWithpsks.joiners.size(); i++)
+        {
+            pathSecrets.add(null);
+        }
+        boolean forcePath = (commitOptions != null) && commitOptions.forcePath;
+        if (forcePath || pathRequired(proposals))
+        {
+            LeafNodeOptions leafNodeOptions = new LeafNodeOptions();
+            if (commitOptions != null)
+            {
+                leafNodeOptions = commitOptions.leafNodeOptions;
+            }
+            TreeKEMPrivateKey newPriv = next.tree.update(next.index, leafSecret, next.groupID, identitySk, leafNodeOptions);
+            GroupContext ctx = new GroupContext(
+                next.suite,
+                next.groupID,
+                next.epoch + 1,
+                next.tree.getRootHash(),
+                next.transcriptHash.getConfirmed(),
+                next.extensions
+            );
+            byte[] ctxBytes = MLSOutputStream.encode(ctx);
+            UpdatePath path = next.tree.encap(newPriv, ctxBytes, joinersWithpsks.joiners);
+
+            next.treePriv = newPriv;
+            commit.setUpdatePath(path);
+            commitSecret = newPriv.getUpdateSecret();
+
+            for (int i = 0; i < joinersWithpsks.joiners.size(); i++)
+            {
+                pathSecrets.set(i, newPriv.getSharedPathSecret(joinersWithpsks.joiners.get(i)));
+            }
+            next.tree.setHashAll();
+        }
+
+        // Create the Commit message and advance the transcripts / key schedule
+        AuthenticatedContent commitContentAuth = sign(sender, commit, msgOptions.authenticatedData, msgOptions.encrypt);
+
+        next.transcriptHash.updateConfirmed(commitContentAuth);
+        next.epoch += 1;
+        next.updateEpochSecrets(commitSecret.value(), joinersWithpsks.psks, forceInitSecret);
+
+        byte[] confirmationTag = next.keySchedule.confirmationTag(next.transcriptHash.getConfirmed());
+        commitContentAuth.setConfirmationTag(confirmationTag);
+        next.transcriptHash.updateInterim(commitContentAuth);
+        MLSMessage commitMessage = protect(commitContentAuth, msgOptions.paddingSize);
+
+        // Complete the GroupInfo and form the Welcome
+        next.tree.setHashAll();
+        GroupInfo groupInfo = new GroupInfo(
+            new GroupContext(
+                next.suite,
+                next.groupID,
+                next.epoch,
+                next.tree.getRootHash(),
+                next.transcriptHash.getConfirmed(),
+                next.extensions
+            ),
+            new ArrayList<Extension>(),
+            confirmationTag
+        );
+        if (commitOptions != null && commitOptions.inlineTree)
+        {
+            groupInfo.getExtensions().add(new Extension(ExtensionType.RATCHET_TREE, MLSOutputStream.encode(next.tree)));
+        }
+        groupInfo.sign(next.tree, next.index, suite.deserializeSignaturePrivateKey(next.identitySk));
+
+        Welcome welcome = new Welcome(suite,
+            next.keySchedule.getJoinerSecret().value(),
+            joinersWithpsks.psks,
+            MLSOutputStream.encode(groupInfo));
+
+        for (int i = 0; i < joiners.size(); i++)
+        {
+            welcome.encrypt(joiners.get(i), pathSecrets.get(i));
+        }
+
+        commitMessage.welcome = welcome;
+        return new GroupWithMessage(next, commitMessage);
+    }
+
+    public TombstoneWithMessage reinitCommit(byte[] leafSecret, CommitOptions commitOptions, MessageOptions messageOptions)
+        throws Exception
+    {
+        Proposal reinitProposal = null;
+        if (pendingProposals.size() == 1)
+        {
+            reinitProposal = pendingProposals.get(0).proposal;
+        }
+        else if (commitOptions != null && commitOptions.extraProposals.size() == 1)
+        {
+            reinitProposal = commitOptions.extraProposals.get(0);
+        }
+        else
+        {
+            throw new Exception("Illegal proposals for reinitialization");
+        }
+
+        Proposal.ReInit reinit = reinitProposal.getReInit();
+
+        // Create the Commit
+        GroupWithMessage gwm = commit(new Secret(leafSecret), commitOptions, messageOptions, new CommitParameters(REINIT_COMMIT_PARAMS));
+        gwm.message.welcome = null;
+        return new TombstoneWithMessage(gwm.group, reinit, gwm.message);
+    }
+
+    static public MLSMessage newMemberAdd(byte[] groupID, long epoch, KeyPackage newMember, AsymmetricCipherKeyPair sigSk)
+        throws Exception
+    {
+        MlsCipherSuite suite = newMember.getSuite();
+        Proposal proposal = Proposal.add(newMember);
+        FramedContent content = FramedContent.proposal(
+            groupID,
+            epoch,
+            Sender.forNewMemberProposal(),
+            new byte[0],
+            MLSOutputStream.encode(proposal)
+        );
+        AuthenticatedContent contentAuth = AuthenticatedContent.sign(
+            WireFormat.mls_public_message,
+            content,
+            suite,
+            suite.serializeSignaturePrivateKey(sigSk.getPrivate()),
+            null
+        );
+
+        MLSMessage message = new MLSMessage(WireFormat.mls_public_message);
+        message.publicMessage = PublicMessage.protect(contentAuth, suite, new byte[0], new byte[0]);
+        return message;
+    }
+
+    public MLSMessage protect(byte[] applicationData, byte[] pt, int paddingSize)
+        throws Exception
+    {
+        Group.MessageOptions msgOptions = new Group.MessageOptions(true, applicationData, paddingSize);
+
+        AuthenticatedContent contentAuth = sign(
+            Sender.forMember(index),
+            pt,
+            msgOptions.authenticatedData,
+            msgOptions.encrypt
+        );
+        return protect(contentAuth, msgOptions.paddingSize);
+    }
+
+    public byte[][] unprotect(MLSMessage ct)
+        throws Exception
+    {
+        AuthenticatedContent auth = unprotectToContentAuth(ct);
+        if (!verifyAuth(auth))
+        {
+            throw new Exception("Message signature failed to verify");
+        }
+
+        if (auth.getContent().getContentType() != ContentType.APPLICATION)
+        {
+            throw new Exception("Unprotected of handshake message");
+        }
+
+        if (auth.getWireFormat() != WireFormat.mls_private_message)
+        {
+            throw new Exception("Application data not sent as PrivateMessage");
+        }
+        byte[][] authAndContent = new byte[2][];
+        authAndContent[0] = auth.getContent().getAuthenticated_data();
+        authAndContent[1] = auth.getContent().getContentBytes();
+        return authAndContent;
+    }
+
+    private boolean verifyAuth(AuthenticatedContent auth)
+        throws Exception
+    {
+        switch (auth.getContent().getSender().getSenderType())
+        {
+        case MEMBER:
+            return verifyInternal(auth);
+        case EXTERNAL:
+            return verifyExternal(auth);
+        case NEW_MEMBER_PROPOSAL:
+            return verifyNewMemberProposal(auth);
+        case NEW_MEMBER_COMMIT:
+            return verifyNewMemberCommit(auth);
+        default:
+            throw new Exception("Invalid sender type");
+        }
+    }
+
+    private boolean verifyInternal(AuthenticatedContent auth)
+        throws Exception
+    {
+        LeafNode leaf = tree.getLeafNode(auth.getContent().getSender().getSender());
+        if (leaf == null)
+        {
+            throw new Exception("Signature from blank node");
+        }
+        return auth.verify(suite, leaf.getSignatureKey(), MLSOutputStream.encode(getGroupContext()));
+    }
+
+    private boolean verifyExternal(AuthenticatedContent auth)
+        throws Exception
+    {
+        Sender extSender = auth.getContent().getSender();
+        Extension sendersExt = null;
+        for (Extension ext : extensions)
+        {
+            if (ext.extensionType == ExtensionType.EXTERNAL_SENDERS)
+            {
+                sendersExt = ext;
+            }
+        }
+        List<ExternalSender> senders = sendersExt.getSenders();
+
+        return auth.verify(suite,
+            senders.get(extSender.getSenderIndex()).getSignatureKey(),
+            MLSOutputStream.encode(getGroupContext()));
+    }
+
+    private boolean verifyNewMemberProposal(AuthenticatedContent auth)
+        throws Exception
+    {
+        Proposal proposal = auth.getContent().getProposal();
+        Proposal.Add add = proposal.getAdd();
+        byte[] pub = add.keyPackage.getLeafNode().getSignatureKey();
+        return auth.verify(suite, pub, MLSOutputStream.encode(getGroupContext()));
+    }
+
+    private boolean verifyNewMemberCommit(AuthenticatedContent auth)
+        throws Exception
+    {
+        Commit commit = auth.getContent().getCommit();
+        UpdatePath path = commit.getUpdatePath();
+        byte[] pub = path.getLeafNode().getSignatureKey();
+        return auth.verify(suite, pub, MLSOutputStream.encode(getGroupContext()));
+    }
+
+    private AuthenticatedContent unprotectToContentAuth(MLSMessage msg)
+        throws Exception
+    {
+        if (msg.version != ProtocolVersion.mls10)
+        {
+            throw new Exception("Unsupported version");
+        }
+        AuthenticatedContent auth = null;
+        switch (msg.wireFormat)
+        {
+        case mls_public_message:
+            auth = msg.publicMessage.unprotect(suite, keySchedule.membershipKey, getGroupContext());
+            if (auth == null)
+            {
+                throw new Exception("Membership tag failed to verify");
+            }
+            break;
+        case mls_private_message:
+            auth = msg.privateMessage.unprotect(suite, keys, keySchedule.senderDataSecret.value());
+            if (auth == null)
+            {
+                throw new Exception("PrivateMessage decryption failure");
+            }
+            break;
+        case mls_welcome:
+        case mls_group_info:
+        case mls_key_package:
+            throw new Exception("Invalid wire format");
+        }
+        return auth;
+    }
+
+    public MLSMessage add(KeyPackage keyPackage, MessageOptions msgOptions)
+        throws Exception
+    {
+        AuthenticatedContent contentAuth = sign(
+            Sender.forMember(index),
+            addProposal(keyPackage),
+            msgOptions.authenticatedData,
+            msgOptions.encrypt
+        );
+        return protect(contentAuth, msgOptions.paddingSize);
+    }
+
+    public MLSMessage update(Proposal update, MessageOptions msgOptions)
+        throws Exception
+    {
+        AuthenticatedContent contentAuth = sign(
+            Sender.forMember(index),
+            update,
+            msgOptions.authenticatedData,
+            msgOptions.encrypt
+        );
+        return protect(contentAuth, msgOptions.paddingSize);
+    }
+
+    public MLSMessage groupContextExtensions(List<Extension> extensions, MessageOptions msgOptions)
+        throws Exception
+    {
+        if (!extensionsSupported(extensions))
+        {
+            throw new Exception("Unsupported extensions");
+        }
+        AuthenticatedContent contentAuth = sign(
+            Sender.forMember(index),
+            Proposal.groupContextExtensions(extensions),
+            msgOptions.authenticatedData,
+            msgOptions.encrypt
+        );
+        return protect(contentAuth, msgOptions.paddingSize);
+    }
+
+    public MLSMessage remove(LeafIndex removeIndex, MessageOptions msgOptions)
+        throws Exception
+    {
+        // leaf for roster
+        Proposal remove = Proposal.remove(leafForRoster(removeIndex));
+
+        AuthenticatedContent contentAuth = sign(
+            Sender.forMember(index),
+            remove,
+            msgOptions.authenticatedData,
+            msgOptions.encrypt
+        );
+        return protect(contentAuth, msgOptions.paddingSize);
+    }
+
+
+    public MLSMessage reinit(byte[] groupID, ProtocolVersion version, MlsCipherSuite suite, List<Extension> extList, MessageOptions msgOptions)
+        throws Exception
+    {
+        // reinitProposal
+        Proposal reinit = Proposal.reInit(groupID, version, suite, extList);
+
+        AuthenticatedContent contentAuth = sign(
+            Sender.forMember(index),
+            reinit,
+            msgOptions.authenticatedData,
+            msgOptions.encrypt
+        );
+
+        return protect(contentAuth, msgOptions.paddingSize);
+    }
+
+    public MLSMessage preSharedKey(byte[] externalPskId, MessageOptions msgOptions)
+        throws Exception
+    {
+        if (!externalPSKs.containsKey(new Secret(externalPskId)))
+        {
+            throw new Exception("Unknown PSK");
+        }
+        SecureRandom random = new SecureRandom();
+        byte[] nonce = new byte[suite.getKDF().getHashLength()];
+        random.nextBytes(nonce);
+        PreSharedKeyID pskId = PreSharedKeyID.external(externalPskId, nonce);
+
+        AuthenticatedContent contentAuth = sign(
+            Sender.forMember(index),
+            Proposal.preSharedKey(pskId),
+            msgOptions.authenticatedData,
+            msgOptions.encrypt
+        );
+        return protect(contentAuth, msgOptions.paddingSize);
+    }
+
+    public MLSMessage preSharedKey(byte[] groupID, long epoch, MessageOptions msgOptions)
+        throws Exception
+    {
+        if (epoch != this.epoch && !resumptionPSKs.containsKey(new EpochRef(groupID, epoch)))
+        {
+            throw new Exception("Unknown PSK");
+        }
+        SecureRandom random = new SecureRandom();
+        byte[] nonce = new byte[suite.getKDF().getHashLength()];
+        random.nextBytes(nonce);
+        PreSharedKeyID pskId = PreSharedKeyID.resumption(ResumptionPSKUsage.APPLICATION, groupID, epoch, nonce);
+
+        AuthenticatedContent contentAuth = sign(
+            Sender.forMember(index),
+            Proposal.preSharedKey(pskId),
+            msgOptions.authenticatedData,
+            msgOptions.encrypt
+        );
+        return protect(contentAuth, msgOptions.paddingSize);
+    }
+
+    private LeafIndex leafForRoster(LeafIndex index)
+        throws Exception
+    {
+        int nonBlankLeaves = 0;
+        for (int i = 0; i < tree.getSize().leafCount(); i++)
+        {
+            LeafNode leaf = tree.getLeafNode(new LeafIndex(i));
+            if (leaf == null)
+            {
+                continue;
+            }
+            if (nonBlankLeaves == index.value())
+            {
+                return new LeafIndex(i);
+            }
+            nonBlankLeaves++;
+        }
+        throw new Exception("Invalid roster index");
+    }
+
+    public Proposal updateProposal(AsymmetricCipherKeyPair leafSk, LeafNodeOptions leafOptions)
+        throws Exception
+    {
+        LeafNode leaf = tree.getLeafNode(index);
+        LeafNode newLeaf = leaf.forUpdate(suite, groupID, index, suite.getHPKE().serializePublicKey(leafSk.getPublic()), leafOptions, identitySk);
+
+        Proposal update = Proposal.update(newLeaf);
+        cachedUpdate = new CachedUpdate(suite.getHPKE().serializePrivateKey(leafSk.getPrivate()), update.getUpdate());
+        return update;
+    }
+
+    private Proposal addProposal(KeyPackage keyPackage)
+        throws Exception
+    {
+        //TODO: Check that  validity of the signed key package
+        if (!keyPackage.verify())
+        {
+            throw new Exception("Invalid signature on key package");
+        }
+
+        //TODO: Check if the Key Package supports the group (capabilities)
+
+        //TODO: Check if the Key Package supports the group extensions
+
+        return Proposal.add(keyPackage);
+    }
+
+    private MLSMessage protect(AuthenticatedContent contentAuth, int paddingSize)
+        throws Exception
+    {
+        MLSMessage message = new MLSMessage(contentAuth.getWireFormat());
+        switch (contentAuth.getWireFormat())
+        {
+        case mls_public_message:
+            message.publicMessage = PublicMessage.protect(contentAuth, suite, keySchedule.membershipKey.value(), MLSOutputStream.encode(getGroupContext()));
+            return message;
+        case mls_private_message:
+            message.privateMessage = PrivateMessage.protect(contentAuth, suite, keys, keySchedule.senderDataSecret.value(), paddingSize);
+            return message;
+        default:
+            throw new Exception("Malformed AuthenticatedContent");
+        }
+    }
+
+    private AuthenticatedContent sign(Sender sender, Commit innerContent, byte[] authenticatedData, boolean encrypt)
+        throws Exception
+    {
+        FramedContent content = FramedContent.rawContent(groupID, epoch, sender, authenticatedData, ContentType.COMMIT, MLSOutputStream.encode(innerContent));
+        WireFormat wireFormat = encrypt ? WireFormat.mls_private_message : WireFormat.mls_public_message;
+        AuthenticatedContent authContent = AuthenticatedContent.sign(wireFormat, content, suite, identitySk, MLSOutputStream.encode(getGroupContext()));
+        return authContent;
+    }
+
+    private AuthenticatedContent sign(Sender sender, Proposal innerContent, byte[] authenticatedData, boolean encrypt)
+        throws Exception
+    {
+        FramedContent content = FramedContent.rawContent(groupID, epoch, sender, authenticatedData, ContentType.PROPOSAL, MLSOutputStream.encode(innerContent));
+        WireFormat wireFormat = encrypt ? WireFormat.mls_private_message : WireFormat.mls_public_message;
+        AuthenticatedContent authContent = AuthenticatedContent.sign(wireFormat, content, suite, identitySk, MLSOutputStream.encode(getGroupContext()));
+        return authContent;
+    }
+
+    private AuthenticatedContent sign(Sender sender, byte[] innerContent, byte[] authenticatedData, boolean encrypt)
+        throws Exception
+    {
+        FramedContent content = FramedContent.rawContent(groupID, epoch, sender, authenticatedData, ContentType.APPLICATION, innerContent);
+        WireFormat wireFormat = encrypt ? WireFormat.mls_private_message : WireFormat.mls_public_message;
+        AuthenticatedContent authContent = AuthenticatedContent.sign(wireFormat, content, suite, identitySk, MLSOutputStream.encode(getGroupContext()));
+        return authContent;
+    }
+
+    private Proposal preSharedKeyProposal(Secret externalPskID)
+        throws Exception
+    {
+        if (!externalPSKs.containsKey(externalPskID))
+        {
+            throw new Exception("Unknown PSK");
+        }
+        SecureRandom random = new SecureRandom();
+        byte[] nonce = new byte[suite.getKDF().getHashLength()];
+        random.nextBytes(nonce);
+
+        return Proposal.preSharedKey(PreSharedKeyID.external(externalPskID.value(), nonce));
+    }
+
+    private Proposal removeProposal(LeafIndex removed)
+        throws Exception
+    {
+        if (!tree.hasLeaf(removed))
+        {
+            throw new Exception("Removed on blank leaf");
+        }
+
+        return Proposal.remove(removed);
+    }
+
+    private void updateEpochSecrets(byte[] commitSecret, List<KeyScheduleEpoch.PSKWithSecret> psks, byte[] forceInitSecret)
+        throws Exception
+    {
+        byte[] ctx = MLSOutputStream.encode(new GroupContext(
+            suite,
+            groupID,
+            epoch,
+            tree.getRootHash(),
+            transcriptHash.getConfirmed(),
+            extensions
+        ));
+        keySchedule = keySchedule.next(tree.getSize(), forceInitSecret, new Secret(commitSecret), psks, ctx);
+        keys = keySchedule.getEncryptionKeys(tree.getSize());
+    }
+
+    private JoinersWithPSKS apply(List<CachedProposal> proposals)
+        throws Exception
+    {
+        applyUpdate(proposals);
+        applyRemove(proposals);
+        List<LeafIndex> joinerLocs = applyAdd(proposals);
+        applyGCE(proposals);
+        List<KeyScheduleEpoch.PSKWithSecret> psks = applyPSK(proposals);
+
+        tree.truncate();
+        treePriv.truncate(tree.getSize());
+        tree.setHashAll();
+
+        if (cachedUpdate != null)
+        {
+            cachedUpdate.reset();
+        }
+        return new JoinersWithPSKS(joinerLocs, psks);
+    }
+
+    private void applyUpdate(List<CachedProposal> proposals)
+        throws Exception
+    {
+        for (CachedProposal cached : proposals)
+        {
+            if (cached.proposal.getProposalType() != ProposalType.UPDATE)
+            {
+                continue;
+            }
+            if (cached.sender == null)
+            {
+                throw new Exception("Update without target leaf");
+            }
+            LeafIndex target = cached.sender;
+            if (!target.equals(index))
+            {
+                tree.updateLeaf(target, cached.proposal.getLeafNode());
+                continue;
+            }
+
+            if (cachedUpdate == null)
+            {
+                throw new Exception("Self-update with no cached secret");
+            }
+
+            if (!cached.proposal.getLeafNode().equals(cachedUpdate.update.getLeafNode()))
+            {
+                throw new Exception("Self-update does not match cached data");
+            }
+
+            tree.updateLeaf(target, cached.proposal.getLeafNode());
+            treePriv.setLeafKey(cachedUpdate.updateSk);
+        }
+
+        if (cachedUpdate != null)
+        {
+            cachedUpdate.reset();
+        }
+    }
+
+    private boolean extensionsSupported(List<Extension> exts)
+    {
+        for (int i = 0; i < tree.getSize().leafCount(); i++)
+        {
+            LeafIndex leafIndex = new LeafIndex(i);
+            LeafNode leaf = tree.getLeafNode(leafIndex);
+            if (leaf == null)
+            {
+                continue;
+            }
+
+            if (!leaf.verifyExtensionSupport(exts))
+            {
+                return false;
+            }
+        }
+        return true;
+    }
+
+    private void applyGCE(List<CachedProposal> proposals)
+        throws Exception
+    {
+        for (CachedProposal cached : proposals)
+        {
+            if (cached.proposal.getProposalType() != ProposalType.GROUP_CONTEXT_EXTENSIONS)
+            {
+                continue;
+            }
+
+            //TODO: check nex extension is compatible with all members
+            //
+
+            if (!extensionsSupported(cached.proposal.getGroupContextExtensions().extensions))
+            {
+                throw new Exception("Unsupported extensions in GroupContextExtensions");
+            }
+            extensions = new ArrayList<Extension>(cached.proposal.getGroupContextExtensions().extensions);
+        }
+    }
+
+    private List<KeyScheduleEpoch.PSKWithSecret> applyPSK(List<CachedProposal> proposals)
+        throws Exception
+    {
+        List<PreSharedKeyID> pskIDs = new ArrayList<PreSharedKeyID>();
+        for (CachedProposal cached : proposals)
+        {
+            if (cached.proposal.getProposalType() != ProposalType.PSK)
+            {
+                continue;
+            }
+
+            pskIDs.add(cached.proposal.getPreSharedKey().psk);
+        }
+        return resolve(pskIDs);
+    }
+
+    private List<LeafIndex> applyAdd(List<CachedProposal> proposals)
+    {
+        List<LeafIndex> locations = new ArrayList<LeafIndex>();
+        for (CachedProposal cached : proposals)
+        {
+            if (cached.proposal.getProposalType() != ProposalType.ADD)
+            {
+                continue;
+            }
+            locations.add(tree.addLeaf(cached.proposal.getLeafNode()));
+        }
+        return locations;
+    }
+
+    private void applyRemove(List<CachedProposal> proposals)
+        throws Exception
+    {
+        for (CachedProposal cached : proposals)
+        {
+            if (cached.proposal.getProposalType() != ProposalType.REMOVE)
+            {
+                continue;
+            }
+
+            if (!tree.hasLeaf(cached.proposal.getRemove().removed))
+            {
+                throw new Exception("Attempt to remove non-member");
+            }
+
+            tree.blankPath(cached.proposal.getRemove().removed);
+        }
+    }
+
+    private Group successor()
+        throws IOException
+    {
+        Group next = new Group();
+        next.externalPSKs = new HashMap<Secret, byte[]>(externalPSKs);
+        next.resumptionPSKs = new HashMap<EpochRef, byte[]>();
+        next.resumptionPSKs.putAll(resumptionPSKs);
+        next.epoch = epoch;
+        next.groupID = groupID.clone();
+        next.transcriptHash = transcriptHash.copy();
+        next.extensions = new ArrayList<Extension>();
+        next.extensions.addAll(extensions);
+        next.keySchedule = keySchedule;
+        next.tree = TreeKEMPublicKey.clone(tree);
+        next.treePriv = treePriv.copy();
+        next.keys = keys;
+        next.suite = suite;
+        next.index = index;
+        next.identitySk = identitySk.clone();
+        next.pendingProposals = new ArrayList<CachedProposal>();
+        next.cachedUpdate = cachedUpdate;
+
+        next.resumptionPSKs.put(new EpochRef(groupID, epoch), keySchedule.resumptionPSK.value().clone());
+
+        return next;
+    }
+
+    public ArrayList<LeafNode> roster() {
+        var leaves = new ArrayList<LeafNode>();
+        leaves.ensureCapacity((int)tree.getSize().leafCount());
+
+        tree.allLeaves(leaves::add);
+
+        return leaves;
+    }
+
+
+    private boolean pathRequired(List<CachedProposal> proposals)
+    {
+        if (proposals.isEmpty())
+        {
+            return true;
+        }
+        for (CachedProposal cached : proposals)
+        {
+            switch (cached.proposal.getProposalType())
+            {
+            case UPDATE:
+            case REMOVE:
+            case EXTERNAL_INIT:
+            case GROUP_CONTEXT_EXTENSIONS:
+                return true;
+            default:
+                break;
+            }
+        }
+        return false;
+    }
+
+    public byte[] getEpochAuthenticator()
+    {
+        return keySchedule.epochAuthenticator.value();
+    }
+
+    private void cacheProposal(AuthenticatedContent auth)
+        throws Exception
+    {
+        byte[] ref = suite.refHash(MLSOutputStream.encode(auth), "MLS 1.0 Proposal Reference");
+
+        // check if ref is already in the queue
+        for (CachedProposal cached : pendingProposals)
+        {
+            if (Arrays.equals(cached.proposalRef, ref))
+            {
+                return;
+            }
+        }
+//        Sender sender = null;
+        LeafIndex senderLocation = null;
+        if (auth.getContent().getSender().getSenderType() == SenderType.MEMBER)
+        {
+            senderLocation = auth.getContent().getSender().getSender();
+        }
+
+        Proposal proposal = auth.getContent().getProposal();
+        if (!validateProposal(senderLocation, proposal))
+        {
+            throw new Exception("Invalid proposal");
+        }
+        pendingProposals.add(new CachedProposal(ref, proposal, senderLocation));
+    }
+
+
+    private boolean validateProposal(LeafIndex sender, Proposal proposal)
+        throws IOException
+    {
+        switch (proposal.getProposalType())
+        {
+        case UPDATE:
+            return validateUpdate(sender, proposal.getUpdate());
+        case ADD:
+            return validateKeyPackage(proposal.getAdd().keyPackage);
+        case REMOVE:
+            return validateRemove(proposal.getRemove());
+        case PSK:
+            return validatePSK(proposal.getPreSharedKey());
+        case REINIT:
+            return validateReinit(proposal.getReInit());
+        case EXTERNAL_INIT:
+            return validateExternalInit(proposal.getExternalInit());
+        case GROUP_CONTEXT_EXTENSIONS:
+            return validateGCE(proposal.getGroupContextExtensions());
+        default:
+            return false;
+        }
+    }
+
+    private boolean validateGCE(Proposal.GroupContextExtensions gce)
+    {
+        // Verify that each extension is supported by all members
+        for (int i = 0; i < tree.getSize().leafCount(); i++)
+        {
+            LeafIndex index = new LeafIndex(i);
+            LeafNode leaf = tree.getLeafNode(index);
+            if (leaf == null)
+            {
+                continue;
+            }
+
+            if (!leaf.verifyExtensionSupport(gce.extensions))
+            {
+                return false;
+            }
+        }
+        return true;
+    }
+
+    private boolean validateExternalInit(Proposal.ExternalInit ext)
+    {
+        return ext.kemOutput.length == suite.getHPKE().getEncSize();
+    }
+
+    private boolean validateReinit(Proposal.ReInit reInit)
+    {
+        // Check that the version and CipherSuite are ones we support
+        boolean supportedVersion = (reInit.getVersion() == ProtocolVersion.mls10);
+        boolean supportedSuite = true; //TODO: make a list of supported cipher suites
+
+        return supportedSuite && supportedVersion;
+    }
+
+    private boolean validateReinitProposals(List<CachedProposal> proposals)
+    {
+        boolean hasReinit = false;
+        boolean hasDisallowed = false;
+        for (CachedProposal cached : proposals)
+        {
+            hasReinit = hasReinit || cached.proposal.getProposalType() == ProposalType.REINIT;
+            hasDisallowed = hasDisallowed || cached.proposal.getProposalType() != ProposalType.REINIT;
+        }
+        return hasReinit && !hasDisallowed;
+    }
+
+    private boolean validatePSK(Proposal.PreSharedKey psk)
+    {
+        switch (psk.psk.pskType)
+        {
+        case EXTERNAL:
+            // External PSKs are allowed if we have the corresponding secret
+            return externalPSKs.containsKey(psk.psk.external.externalPSKID);
+        case RESUMPTION:
+            // Resumption PSKs are allowed only with usage 'application', and only if we
+            // have the corresponding secret.
+            PreSharedKeyID.Resumption res = psk.psk.resumption;
+            if (res.resumptionPSKUsage != ResumptionPSKUsage.APPLICATION)
+            {
+                return false;
+            }
+            return (res.pskEpoch == epoch) || resumptionPSKs.containsKey(new EpochRef(res.pskGroupID, res.pskEpoch));
+        default:
+            return false;
+        }
+    }
+
+    private boolean validateRemove(Proposal.Remove remove)
+    {
+        // We mark self-removes invalid here even though a resync Commit will
+        // sometimes cause them.  This is OK because this method is only called from
+        // the normal proposal list validation method, not the external commit one.
+        boolean in_tree = (remove.removed.value() < tree.getSize().leafCount()) && tree.hasLeaf(remove.removed);
+        boolean not_me = remove.removed.value() != index.value();
+        return in_tree && not_me;
+    }
+
+    private boolean validateKeyPackage(KeyPackage keyPackage)
+        throws IOException
+    {
+        // Verify that the ciphersuite and protocol version of the KeyPackage match
+        // those in the GroupContext.
+        boolean correct_ciphersuite = (keyPackage.getSuite().getSuiteID() == suite.getSuiteID());
+
+        // Verify that the signature on the KeyPackage is valid using the public key
+        // in leaf_node.credential.
+        boolean valid_signature = keyPackage.verify();
+
+        // Verify that the leaf_node of the KeyPackage is valid for a KeyPackage
+        // according to Section 7.3.
+        boolean leaf_node_valid = validateLeafNode(keyPackage.getLeafNode(), LeafNodeSource.KEY_PACKAGE, null);
+
+        // Verify that the value of leaf_node.encryption_key is different from the
+        // value of the init_key field.
+        boolean distinct_keys = !Arrays.equals(keyPackage.getInitKey(), keyPackage.getLeafNode().getEncryptionKey());
+
+        return (correct_ciphersuite && valid_signature && leaf_node_valid && distinct_keys);
+    }
+
+    private boolean validateUpdate(LeafIndex sender, Proposal.Update update)
+        throws IOException
+    {
+        LeafNode leaf = tree.getLeafNode(sender);
+        if (leaf == null)
+        {
+            return false;
+        }
+
+        return validateLeafNode(update.getLeafNode(), LeafNodeSource.UPDATE, sender);
+    }
+
+    private boolean validateLeafNode(LeafNode leafNode, LeafNodeSource requiredSource, LeafIndex index)
+        throws IOException
+    {
+        //TODO: Check all verifications are covered in (https://www.ietf.org/archive/id/draft-ietf-mls-protocol-20.html#section-7.3)
+
+        //TODO: Validate the credential in the LeafNode is valid:
+        // (https://www.ietf.org/archive/id/draft-ietf-mls-protocol-20.html#name-credential-validation)
+
+        // Verify leaf node source
+        boolean isCorrectSource = (leafNode.getSource() == requiredSource);
+
+        // Verify LeafNode signature with signature key
+        byte[] tbs;
+        switch (requiredSource)
+        {
+        case UPDATE:
+        case COMMIT:
+            tbs = leafNode.toBeSigned(groupID, index.value());
+            break;
+        default:
+            tbs = leafNode.toBeSigned(null, -1);
+            break;
+        }
+        boolean isSignatureValid = leafNode.verify(suite, tbs);
+
+
+        //TODO:
+        // Verify that the LeafNode is compatible with the group's parameters. If the
+        // GroupContext has a required_capabilities extension, then the required
+        // extensions, proposals, and credential types MUST be listed in the
+        // LeafNode's capabilities field.
+        boolean supportsGroupExtensions = true;
+//                = leafNode.verifyExtensionSupport(extensions);
+
+        // Verify the lifetime
+        boolean isLifetimeValid = leafNode.verifyLifetime();
+
+
+        //TODO:
+        // Verify that the credential type is supported by all members of the group,
+        // as specified by the capabilities field of each member's LeafNode, and that
+        // the capabilities field of this LeafNode indicates support for all the
+        // credential types currently in use by other members.
+        boolean mutualCredentialSupport = true;
+
+        // Verify that the following fields are unique among the members of the group:
+        // signature_key
+        // encryption_key
+        boolean isUniqueSigKey = true;
+        boolean isUniqueEncKey = true;
+        byte[] sigKey = leafNode.getSignatureKey();
+        byte[] encKey = leafNode.getEncryptionKey();
+
+        for (int i = 0; i < tree.getSize().leafCount(); i++)
+        {
+            LeafNode leaf = tree.getLeafNode(new LeafIndex(i));
+            if (leaf == null)
+            {
+                continue;
+            }
+
+            isUniqueSigKey &= (index != null && ((i == index.value())) || (!Arrays.equals(sigKey, leaf.getSignatureKey())));
+            isUniqueEncKey &= !Arrays.equals(encKey, leaf.getEncryptionKey());
+            //TODO:
+//            mutualCredentialSupport &= leaf.capabilities.credentialSupported(leafNode.credential)
+//                    && leafNode.capabilities.credentialSupported(leaf.credential)
+        }
+
+
+        //TODO:
+        // Verify that the extensions in the LeafNode are supported
+        // by checking that the ID for each extension in the extensions field is listed in the
+        // capabilities.extensions field of the LeafNode.
+        boolean supportsAllExtensions = true;
+        for (Extension ext : leafNode.getExtensions())
+        {
+            supportsAllExtensions &= leafNode.getCapabilities().getExtensions().contains(ext.extensionType.getValue());
+        }
+
+        return (isCorrectSource && isSignatureValid && isLifetimeValid && supportsAllExtensions
+            && isUniqueSigKey && isUniqueEncKey && mutualCredentialSupport && supportsGroupExtensions);
+    }
+
+    private boolean validateCachedProposals(List<CachedProposal> proposals, LeafIndex commitSender, CommitParameters params)
+        throws IOException
+    {
+        switch (params.paramID)
+        {
+        case NORMAL_COMMIT_PARAMS:
+            return validateNormalCachedProposals(proposals, commitSender);
+        case EXTERNAL_COMMIT_PARAMS:
+            return validateExternalCachedProposals(proposals);
+        case RESTART_COMMIT_PARAMS:
+            return validateRestartCachedProposals(proposals, params.allowedUsage);
+        case REINIT_COMMIT_PARAMS:
+            return validateReInitCachedProposals(proposals);
+        }
+        return false;
+    }
+
+    private boolean validateReInitCachedProposals(List<CachedProposal> proposals)
+    {
+        // Check that the list contains a ReInit proposal
+        boolean has_reinit = false;
+
+        // Check whether the list contains any disallowed proposals
+        boolean has_disallowed = false;
+
+        for (CachedProposal cached : proposals)
+        {
+            has_reinit = has_reinit || (cached.proposal.getProposalType() == ProposalType.REINIT);
+            has_disallowed = has_disallowed || (cached.proposal.getProposalType() != ProposalType.REINIT);
+        }
+
+        return has_reinit && !has_disallowed;
+    }
+
+    private boolean validateRestartCachedProposals(List<CachedProposal> proposals, ResumptionPSKUsage allowedUsage)
+    {
+        // Check that the list has exactly one resumption PSK proposal with the
+        // allowed usage and any other PSKs are external
+        boolean foundAllowed = false;
+        boolean acceptable_psks = true;
+        for (CachedProposal cached : proposals)
+        {
+            if (cached.proposal.getProposalType() != ProposalType.PSK)
+            {
+                continue;
+            }
+
+            PreSharedKeyID psk = cached.proposal.getPreSharedKey().psk;
+            if (psk.pskType == PSKType.EXTERNAL)
+            {
+                continue;
+            }
+
+            boolean allowed = psk.resumption.resumptionPSKUsage == allowedUsage;
+            if (foundAllowed && allowed)
+            {
+                acceptable_psks = false;
+                continue;
+            }
+            foundAllowed = foundAllowed || allowed;
+        }
+        return acceptable_psks && foundAllowed;
+    }
+
+    private boolean validateNormalCachedProposals(List<CachedProposal> proposals, LeafIndex commitSender)
+        throws IOException
+    {
+        // It contains an individual proposal that is invalid as specified in Section
+        // 12.1.
+        boolean has_invalid_proposal = false;
+
+        // It contains an Update proposal generated by the committer.
+        boolean has_self_update = false;
+
+        // It contains a Remove proposal that removes the committer.
+        boolean has_self_remove = false;
+
+        for (CachedProposal cached : proposals)
+        {
+            has_invalid_proposal = has_invalid_proposal || !validateProposal(cached.sender, cached.proposal);
+            has_self_update = has_self_update || ((cached.proposal.getProposalType() == ProposalType.UPDATE) && cached.sender.equals(commitSender));
+            has_self_remove = has_self_remove || ((cached.proposal.getProposalType() == ProposalType.REMOVE) && (cached.proposal.getRemove().removed.equals(commitSender)));
+        }
+
+        // It contains multiple Update and/or Remove proposals that apply to the same
+        // leaf. If the committer has received multiple such proposals they SHOULD
+        // prefer any Remove received, or the most recent Update if there are no
+        // Removes.
+        Set<LeafIndex> updatedOrRemoved = new HashSet<LeafIndex>();
+        boolean has_dup_update_remove = false;
+        for (CachedProposal cached : proposals)
+        {
+            LeafIndex leafIndex;
+            switch (cached.proposal.getProposalType())
+            {
+            case UPDATE:
+                leafIndex = cached.sender;
+                break;
+            case REMOVE:
+                leafIndex = cached.proposal.getRemove().removed;
+                break;
+            default:
+                continue;
+            }
+            if (updatedOrRemoved.contains(leafIndex))
+            {
+                has_dup_update_remove = true;
+                continue;
+            }
+
+            updatedOrRemoved.add(leafIndex);
+        }
+
+        // It contains multiple Add proposals that contain KeyPackages that represent
+        // the same client according to the application (for example, identical
+        // signature keys).
+        List<byte[]> signatureKeys = new ArrayList<byte[]>();
+        boolean has_dup_signature_key = false;
+        for (CachedProposal cached : proposals)
+        {
+            if (cached.proposal.getProposalType() != ProposalType.ADD)
+            {
+                continue;
+            }
+            KeyPackage keyPackage = cached.proposal.getAdd().keyPackage;
+            byte[] signatureKey = keyPackage.getLeafNode().getSignatureKey();
+            boolean areEqual = false;
+            for (byte[] sig : signatureKeys)
+            {
+                if (Arrays.equals(sig, signatureKey))
+                {
+                    areEqual = true;
+                    break;
+                }
+            }
+            if (areEqual)
+            {
+                has_dup_signature_key = true;
+                continue;
+            }
+
+            signatureKeys.add(signatureKey);
+        }
+
+        //TODO
+        // It contains an Add proposal with a KeyPackage that represents a client
+        // already in the group according to the application, unless there is a Remove
+        // proposal in the list removing the matching client from the group.
+
+        // It contains multiple PreSharedKey proposals that reference the same
+        // PreSharedKeyID.
+        List<PreSharedKeyID> pskids = new ArrayList<PreSharedKeyID>();
+        boolean has_dup_psk_id = false;
+        for (CachedProposal cached : proposals)
+        {
+            if (cached.proposal.getProposalType() != ProposalType.PSK)
+            {
+                continue;
+            }
+            PreSharedKeyID pskid = cached.proposal.getPreSharedKey().psk;
+            if (pskids.contains(pskid))
+            {
+                has_dup_psk_id = true;
+                continue;
+            }
+
+            pskids.add(pskid);
+        }
+
+        // It contains multiple GroupContextExtensions proposals.
+        int gceCount = 0;
+        for (CachedProposal cached : proposals)
+        {
+            if (cached.proposal.getProposalType() == ProposalType.GROUP_CONTEXT_EXTENSIONS)
+            {
+                gceCount++;
+            }
+        }
+        boolean has_multiple_gce = (gceCount > 1);
+
+        // It contains a ReInit proposal together with any other proposal. If the
+        // committer has received other proposals during the epoch, they SHOULD prefer
+        // them over the ReInit proposal, allowing the ReInit to be resent and applied
+        // in a subsequent epoch.
+        boolean has_reinit = false;
+
+        // It contains an ExternalInit proposal.
+        boolean has_external_init = false;
+
+        for (CachedProposal cached : proposals)
+        {
+            has_reinit = has_reinit || (cached.proposal.getProposalType() == ProposalType.REINIT);
+            has_external_init = has_external_init || (cached.proposal.getProposalType() == ProposalType.EXTERNAL_INIT);
+        }
+
+        //TODO: check
+        // It contains a proposal with a non-default proposal type that is not
+        // supported by some members of the group that will process the Commit (i.e.,
+        // members being added or removed by the Commit do not need to support the
+        // proposal type).
+        // XXX(RLB): N/A, no non-default proposal types
+
+        // After processing the commit the ratchet tree is invalid, in particular, if
+        // it contains any leaf node that is invalid according to Section 7.3.
+        //
+        //TODO: check
+        // NB(RLB): Leaf nodes are already checked in the individual proposal check at
+        // the top.  So the focus here is key uniqueness. We check this by checking
+        // uniqueness of encryption keys across the Adds and Updates in this list of
+        // proposals.  The keys have already been checked to be distinct from any keys
+        // already in the tree.
+        List<byte[]> encKeys = new ArrayList<byte[]>();
+        boolean has_dup_enc_key = false;
+        for (CachedProposal cached : proposals)
+        {
+            byte[] encKey;
+            switch (cached.proposal.getProposalType())
+            {
+            case ADD:
+                encKey = cached.proposal.getAdd().keyPackage.getLeafNode().getEncryptionKey().clone();
+                break;
+            case UPDATE:
+                encKey = cached.proposal.getUpdate().getLeafNode().getEncryptionKey().clone();
+                break;
+            default:
+                continue;
+            }
+
+            boolean areEqual = false;
+            for (byte[] key : encKeys)
+            {
+                if (Arrays.equals(key, encKey))
+                {
+                    areEqual = true;
+                    break;
+                }
+            }
+            if (areEqual)
+            {
+                has_dup_enc_key = true;
+                continue;
+            }
+
+            encKeys.add(encKey);
+        }
+
+        return !(has_invalid_proposal || has_self_update || has_self_remove ||
+            has_dup_update_remove || has_dup_signature_key || has_dup_psk_id ||
+            has_multiple_gce || has_reinit || has_external_init ||
+            has_dup_enc_key);
+    }
+
+    private boolean validateExternalCachedProposals(List<CachedProposal> proposals)
+    {
+        int extInitCount = 0;
+        int removeCount = 0;
+        boolean noDisallowed = true;
+        for (CachedProposal cached : proposals)
+        {
+            switch (cached.proposal.getProposalType())
+            {
+
+            case EXTERNAL_INIT:
+                extInitCount++;
+                break;
+            case REMOVE:
+                removeCount++;
+                break;
+            case PSK:
+                noDisallowed = noDisallowed && validatePSK(cached.proposal.getPreSharedKey());
+                break;
+            default:
+                noDisallowed = false;
+                break;
+            }
+        }
+        boolean hasOneExtInit = (extInitCount == 1);
+        boolean noDupRemove = (removeCount <= 1);
+
+        return (hasOneExtInit && noDupRemove && noDisallowed);
+    }
+
+    private List<CachedProposal> mustResolve(List<ProposalOrRef> proposals, LeafIndex sender)
+    {
+        List<CachedProposal> out = new ArrayList<CachedProposal>();
+        for (ProposalOrRef id : proposals)
+        {
+            switch (id.getType())
+            {
+            case PROPOSAL:
+                out.add(new CachedProposal(new byte[0], id.getProposal(), sender));
+                break;
+            case REFERENCE:
+                for (CachedProposal cached : pendingProposals)
+                {
+                    if (Arrays.equals(cached.proposalRef, id.getReference()))
+                    {
+                        out.add(cached);
+                        break;
+                    }
+                }
+                break;
+            }
+        }
+        return out;
+    }
+
+    private GroupContext getGroupContext()
+        throws Exception
+    {
+        return new GroupContext(suite, groupID, epoch, tree.getRootHash(), transcriptHash.getConfirmed(), extensions);
+    }
+
+    private TreeKEMPublicKey importTree(byte[] treeHash, TreeKEMPublicKey external, List<Extension> extensions)
+        throws Exception
+    {
+        // Check if extensions contain a ratchet tree
+        TreeKEMPublicKey outTree = null;
+        for (Extension ext : extensions)
+        {
+            outTree = ext.getRatchetTree();
+            if (outTree != null)
+            {
+                break;
+            }
+        }
+        if (external != null)
+        {
+            outTree = external;
+        }
+        else if (outTree == null)
+        {
+            throw new Exception("No tree available");
+        }
+
+        outTree.setSuite(suite);
+        outTree.setHashAll();
+        if (!Arrays.equals(outTree.getRootHash(), treeHash))
+        {
+            throw new Exception("Tree does not match GroupInfo");
+        }
+
+        if (!outTree.verifyParentHash())
+        {
+            throw new Exception("Invalid tree");
+        }
+
+        return outTree;
+    }
+
+    private List<KeyScheduleEpoch.PSKWithSecret> resolve(List<PreSharedKeyID> psks)
+        throws Exception
+    {
+        List<KeyScheduleEpoch.PSKWithSecret> out = new ArrayList<KeyScheduleEpoch.PSKWithSecret>();
+        for (PreSharedKeyID psk : psks)
+        {
+            switch (psk.pskType)
+            {
+            case EXTERNAL:
+                if (!externalPSKs.containsKey(psk.external.externalPSKID))
+                {
+                    throw new Exception("Unknown external PSK");
+                }
+                out.add(new KeyScheduleEpoch.PSKWithSecret(psk, new Secret(externalPSKs.get(psk.external.externalPSKID).clone())));
+                break;
+            case RESUMPTION:
+                if (psk.resumption.pskEpoch == epoch)
+                {
+                    out.add(new KeyScheduleEpoch.PSKWithSecret(psk, keySchedule.resumptionPSK));
+                }
+                else
+                {
+                    EpochRef key = new EpochRef(psk.resumption.pskGroupID, psk.resumption.pskEpoch);
+                    if (!resumptionPSKs.containsKey(key))
+                    {
+                        throw new Exception("Unknown resumption PSK");
+                    }
+                    out.add(new KeyScheduleEpoch.PSKWithSecret(psk, new Secret(resumptionPSKs.get(key).clone())));
+                }
+                break;
+            }
+        }
+        return out;
+    }
+}
diff --git a/settings.gradle b/settings.gradle
index 7710d13..497d114 100644
--- a/settings.gradle
+++ b/settings.gradle
@@ -1,6 +1,8 @@
 rootProject.name = 'koe'
 
 include ':core'
+include ':dave'
 include ':ext-udpqueue'
+include ':mls'
 include ':testbot'
 

From c6e78a635b74331a9812dd18768010dac0c4885e Mon Sep 17 00:00:00 2001
From: Alula <6276139+alula@users.noreply.github.com>
Date: Sun, 17 Nov 2024 13:48:33 +0100
Subject: [PATCH 6/6] Add DAVE MLS shit

---
 .../handler/DiscordUDPConnection.java         |  2 +-
 .../moe/kyokobot/koe/dave/DAVEException.java  | 11 ++++
 .../moe/kyokobot/koe/dave/KeyRatchet.java     |  7 +++
 .../koe/dave/PersistentKeyManager.java        |  7 +++
 .../kyokobot/koe/dave/mls/MLSKeyRatchet.java  | 20 ++++++
 .../moe/kyokobot/koe/dave/mls/Parameters.java | 63 +++++++++++++++++++
 .../kyokobot/koe/dave/mls/RosterVariant.java  | 33 ++++++++++
 .../kyokobot/koe/dave/mls/UserCredential.java | 25 ++++++++
 8 files changed, 167 insertions(+), 1 deletion(-)
 create mode 100644 dave/src/main/java/moe/kyokobot/koe/dave/DAVEException.java
 create mode 100644 dave/src/main/java/moe/kyokobot/koe/dave/KeyRatchet.java
 create mode 100644 dave/src/main/java/moe/kyokobot/koe/dave/PersistentKeyManager.java
 create mode 100644 dave/src/main/java/moe/kyokobot/koe/dave/mls/MLSKeyRatchet.java
 create mode 100644 dave/src/main/java/moe/kyokobot/koe/dave/mls/Parameters.java
 create mode 100644 dave/src/main/java/moe/kyokobot/koe/dave/mls/RosterVariant.java
 create mode 100644 dave/src/main/java/moe/kyokobot/koe/dave/mls/UserCredential.java

diff --git a/core/src/main/java/moe/kyokobot/koe/internal/handler/DiscordUDPConnection.java b/core/src/main/java/moe/kyokobot/koe/internal/handler/DiscordUDPConnection.java
index 7845db9..d9a1cbc 100644
--- a/core/src/main/java/moe/kyokobot/koe/internal/handler/DiscordUDPConnection.java
+++ b/core/src/main/java/moe/kyokobot/koe/internal/handler/DiscordUDPConnection.java
@@ -86,7 +86,7 @@ public void handleSessionDescription(JsonObject object) {
 
         if (encryptionMode == null) {
             throw new IllegalStateException("Encryption mode selected by Discord is not supported by Koe or the " +
-                    "protocol changed! Open an issue at https://github.com/KyokoBot/koe");
+                    "protocol changed! Update to latest version or open an issue at https://github.com/KyokoBot/koe");
         }
 
         var keyArray = object.getArray("secret_key");
diff --git a/dave/src/main/java/moe/kyokobot/koe/dave/DAVEException.java b/dave/src/main/java/moe/kyokobot/koe/dave/DAVEException.java
new file mode 100644
index 0000000..d7da4ff
--- /dev/null
+++ b/dave/src/main/java/moe/kyokobot/koe/dave/DAVEException.java
@@ -0,0 +1,11 @@
+package moe.kyokobot.koe.dave;
+
+public class DAVEException extends Exception {
+    public DAVEException(String message) {
+        super(message);
+    }
+
+    public DAVEException(String message, Throwable cause) {
+        super(message, cause);
+    }
+}
diff --git a/dave/src/main/java/moe/kyokobot/koe/dave/KeyRatchet.java b/dave/src/main/java/moe/kyokobot/koe/dave/KeyRatchet.java
new file mode 100644
index 0000000..c8024ea
--- /dev/null
+++ b/dave/src/main/java/moe/kyokobot/koe/dave/KeyRatchet.java
@@ -0,0 +1,7 @@
+package moe.kyokobot.koe.dave;
+
+public interface KeyRatchet {
+    byte[] getKey(int keyGeneration);
+
+    void deleteKey(int keyGeneration);
+}
diff --git a/dave/src/main/java/moe/kyokobot/koe/dave/PersistentKeyManager.java b/dave/src/main/java/moe/kyokobot/koe/dave/PersistentKeyManager.java
new file mode 100644
index 0000000..11b8b9d
--- /dev/null
+++ b/dave/src/main/java/moe/kyokobot/koe/dave/PersistentKeyManager.java
@@ -0,0 +1,7 @@
+package moe.kyokobot.koe.dave;
+
+import org.bouncycastle.crypto.AsymmetricCipherKeyPair;
+
+public interface PersistentKeyManager {
+    AsymmetricCipherKeyPair getKeyPair(String signingKeyId, int protocolVersion);
+}
diff --git a/dave/src/main/java/moe/kyokobot/koe/dave/mls/MLSKeyRatchet.java b/dave/src/main/java/moe/kyokobot/koe/dave/mls/MLSKeyRatchet.java
new file mode 100644
index 0000000..da9ce4c
--- /dev/null
+++ b/dave/src/main/java/moe/kyokobot/koe/dave/mls/MLSKeyRatchet.java
@@ -0,0 +1,20 @@
+package moe.kyokobot.koe.dave.mls;
+
+import moe.kyokobot.koe.dave.KeyRatchet;
+import moe.kyokobot.koe.mls.crypto.MlsCipherSuite;
+
+public class MLSKeyRatchet implements KeyRatchet {
+    public MLSKeyRatchet(MlsCipherSuite suite, byte[] baseSecret) {
+
+    }
+
+    @Override
+    public byte[] getKey(int keyGeneration) {
+        return new byte[0];
+    }
+
+    @Override
+    public void deleteKey(int keyGeneration) {
+
+    }
+}
diff --git a/dave/src/main/java/moe/kyokobot/koe/dave/mls/Parameters.java b/dave/src/main/java/moe/kyokobot/koe/dave/mls/Parameters.java
new file mode 100644
index 0000000..367d092
--- /dev/null
+++ b/dave/src/main/java/moe/kyokobot/koe/dave/mls/Parameters.java
@@ -0,0 +1,63 @@
+package moe.kyokobot.koe.dave.mls;
+
+import moe.kyokobot.koe.mls.codec.Capabilities;
+import moe.kyokobot.koe.mls.codec.CredentialType;
+import moe.kyokobot.koe.mls.codec.Extension;
+import moe.kyokobot.koe.mls.codec.ExternalSender;
+import moe.kyokobot.koe.mls.crypto.MlsCipherSuite;
+
+import java.io.IOException;
+import java.util.List;
+
+public class Parameters {
+    public static short ciphersuiteIDForProtocolVersion(@SuppressWarnings("unused") int protocolVersion) {
+        return MlsCipherSuite.MLS_128_DHKEMP256_AES128GCM_SHA256_P256;
+    }
+
+    public static MlsCipherSuite ciphersuiteForProtocolVersion(int protocolVersion) {
+        try {
+            return MlsCipherSuite.getSuite(ciphersuiteIDForProtocolVersion(protocolVersion));
+        } catch (Exception e) {
+            // should never happen
+            throw new RuntimeException(e);
+        }
+    }
+
+    public static short ciphersuiteIDForSignatureVersion(@SuppressWarnings("unused") int signatureVersion) {
+        return MlsCipherSuite.MLS_128_DHKEMP256_AES128GCM_SHA256_P256;
+    }
+
+    public static MlsCipherSuite ciphersuiteForSignatureVersion(int signatureVersion) {
+        try {
+            return MlsCipherSuite.getSuite(ciphersuiteIDForSignatureVersion(signatureVersion));
+        } catch (Exception e) {
+            // should never happen
+            throw new RuntimeException(e);
+        }
+    }
+
+    public static Capabilities leafNodeCapabilitiesForProtocolVersion(int protocolVersion) {
+        var capabilities = new Capabilities();
+
+        var cipherSuites = capabilities.getCipherSuites();
+        var credentials = capabilities.getCredentials();
+
+        cipherSuites.clear();
+        cipherSuites.add(ciphersuiteIDForProtocolVersion(protocolVersion));
+
+        credentials.clear();
+        credentials.add(CredentialType.basic.getValue());
+
+        return capabilities;
+    }
+
+    public static List<Extension> leafNodeExtensionsForProtocolVersion(@SuppressWarnings("unused") int protocolVersion) {
+        return List.of();
+    }
+
+    public static List<Extension> groupExtensionsForProtocolVersion(
+            @SuppressWarnings("unused") int protocolVersion,
+            ExternalSender externalSender) throws IOException {
+        return List.of(Extension.externalSender(List.of(externalSender)));
+    }
+}
diff --git a/dave/src/main/java/moe/kyokobot/koe/dave/mls/RosterVariant.java b/dave/src/main/java/moe/kyokobot/koe/dave/mls/RosterVariant.java
new file mode 100644
index 0000000..b094583
--- /dev/null
+++ b/dave/src/main/java/moe/kyokobot/koe/dave/mls/RosterVariant.java
@@ -0,0 +1,33 @@
+package moe.kyokobot.koe.dave.mls;
+
+import java.util.HashMap;
+
+public interface RosterVariant {
+    class Failed implements RosterVariant {
+        public Failed() {
+
+        }
+    }
+
+    class Ignored implements RosterVariant {
+        public Ignored() {
+
+        }
+    }
+
+    class RosterMap implements RosterVariant {
+        private final HashMap<Long, byte[]> inner;
+
+        public RosterMap(HashMap<Long, byte[]> inner) {
+            this.inner = inner;
+        }
+
+        public HashMap<Long, byte[]> getInner() {
+            return inner;
+        }
+
+        public byte[] get(long key) {
+            return inner.get(key);
+        }
+    }
+}
diff --git a/dave/src/main/java/moe/kyokobot/koe/dave/mls/UserCredential.java b/dave/src/main/java/moe/kyokobot/koe/dave/mls/UserCredential.java
new file mode 100644
index 0000000..a004de8
--- /dev/null
+++ b/dave/src/main/java/moe/kyokobot/koe/dave/mls/UserCredential.java
@@ -0,0 +1,25 @@
+package moe.kyokobot.koe.dave.mls;
+
+import moe.kyokobot.koe.dave.util.MLSUtil;
+import moe.kyokobot.koe.mls.codec.Credential;
+import moe.kyokobot.koe.mls.codec.CredentialType;
+
+public class UserCredential {
+    public static Credential createUserCredential(String userId, @SuppressWarnings("unused") int protocolVersion) {
+        // convert the string user ID to a big endian uint64_t
+        var userID = Long.parseUnsignedLong(userId);
+        var credentialBytes = MLSUtil.bigEndianBytesFrom(userID);
+
+        return Credential.forBasic(credentialBytes);
+    }
+
+    public static String userCredentialToString(Credential cred, @SuppressWarnings("unused") int protocolVersion) {
+        if (cred.getCredentialType() != CredentialType.basic) {
+            return "";
+        }
+
+        var uidVal = MLSUtil.fromBigEndianBytes(cred.getIdentity());
+
+        return Long.toUnsignedString(uidVal);
+    }
+}