“Actually, it wouldn’t – thinking it through further, it would effectively generate a random message key (a single use megolm session) for each new message. This session key would then be shared over Olm, and so use the normal Double Ratchet of a combination of hash ratchet and 3DH to encrypt the keyshare. So in practice it would just fall back to being as good/bad as normal Olm/OMEMO.”

Ah, I thought you were talking about refreshing the Olm-level ratchets. Yes, resetting the session of the Megolm ratchet would effectively transform the encryption to plain Olm.

“In practice this would be Hard with MLS though, which requires a centralised application server to keep track of which devices are currently in the conversation, which is of course bad news for decentralised or bridged conversations.”

Ah, right, MLS has its own infrastructure, didn’t think of that.

Thank you for the discussion 🙂