From 14c5ea70d47d92818ebecc6c806354716cb307ff Mon Sep 17 00:00:00 2001
From: Denis Kasak <dkasak@termina.org.uk>
Date: Thu, 26 May 2022 14:10:28 +0200
Subject: [PATCH] Describe the session export format.

This is the Megolm session format used for `m.forwarded_room_key`, the
server-side room key backups and Megolm key file exports in the Matrix
specification and implementations.
---
 docs/megolm.md | 35 +++++++++++++++++++++++++++++++++--
 1 file changed, 33 insertions(+), 2 deletions(-)

diff --git a/docs/megolm.md b/docs/megolm.md
index c1016b4..a384786 100644
--- a/docs/megolm.md
+++ b/docs/megolm.md
@@ -182,9 +182,13 @@ but the decision of which ratchet states to cache is left to the application.
 
 ## Data exchange formats
 
-### Session-sharing format
+### Session sharing format
 
-The Megolm key-sharing format is as follows:
+This format is used for the initial sharing of a Megolm session with other
+group participants who need to be able to read messages encrypted by this
+session.
+
+The session sharing format is as follows:
 
 ```
 +---+----+--------+--------+--------+--------+------+-----------+
@@ -202,6 +206,33 @@ part of the Ed25519 keypair $`K`$.
 The data is then signed using the Ed25519 keypair, and the 64-byte signature is
 appended.
 
+### Session export format
+
+Once the session is initially shared with the group participants, each
+participant needs to retain a copy of the session if they want to maintain
+their ability to decrypt messages encrypted with that session.
+
+For forward-secrecy purposes, a participant may choose to store a ratcheted
+version of the session. But since the ratchet index is covered by the
+signature, this would invalidate the signature. So we define a similar format,
+called the *session export format*, which is identical to the [session sharing
+format](#session-sharing-format) except for dropping the signature.
+
+The Megolm session export format is thus as follows:
+
+```
++---+----+--------+--------+--------+--------+------+
+| V | i  | R(i,0) | R(i,1) | R(i,2) | R(i,3) | Kpub |
++---+----+--------+--------+--------+--------+------+
+0   1    5        37       69      101      133    165   bytes
+```
+
+The version byte, ``V``, is ``"\x02"``.
+
+This is followed by the ratchet index, $`i`$, which is encoded as a
+big-endian 32-bit integer; the ratchet values $`R_{i,j}`$; and the public
+part of the Ed25519 keypair $`K`$.
+
 ### Message format
 
 Megolm messages consist of a one byte version, followed by a variable length