Cryptology ePrint Archive: Report 2020/1327

On The Insider Security of MLS

JoŽl Alwen and Daniel Jost and Marta Mularczyk

Abstract: The Messaging Layer Security (MLS) protocol is a new complex open standard for end-to-end (E2E) secure group messaging being developed by the IETF. Its primary security goal is to provide E2E privacy and authenticity for messages in long lived sessions whenever possible. This, despite the participation (at times) of malicious insiders that can interact with the PKI at will, actively deviate from the protocol, leak honest parties' states, and fully control the network.

The cryptographic core of the MLS protocol (from which it inherits essentially all of its efficiency and security properties) is a Continuous Group Key Agreement (CGKA) protocol. CGKA protocols provide asynchronous E2E secure group management by allowing group members to agree on a fresh independent symmetric key after every change to the group's state (e.g. when someone joins/leaves the group).

In this work, we make progress towards a precise understanding of the insider security of MLS in the form of 3 contributions. On the theory side, we overcome several subtelties to formulate the first notion of insider security for a CGKA (or group messaging) protocol. Next, we isolate the core components of MLS to obtain a CGKA protocol we dubbed Insider Secure TreeKEM (ITK). Finally, we give a rigorous proof that ITK provides (adaptive) insider security. In particular, this work also initiates the study of insider secure CGKA protocols, a primitive of interest in its own right.

Category / Keywords: cryptographic protocols / Message Layer Security, MLS, TreeKEM, Secure Messaging

Date: received 22 Oct 2020

Contact author: jalwen at wickr com, daniel jost@cs nyu edu, mumarta@inf ethz ch

Available format(s): PDF | BibTeX Citation

Version: 20201023:084942 (All versions of this report)

Short URL:

[ Cryptology ePrint archive ]