Paper 2021/137

Cryptographic Security of the MLS RFC, Draft 11

Chris Brzuska, Eric Cornelissen, and Konrad Kohbrok


Cryptographic communication protocols provide confidentiality, integrity and authentication properties for end-to- end communication under strong corruption attacks, including, notably, post-compromise security (PCS). Most protocols are designed for one-to-one communication. Protocols for group communication are less common, less efficient, and tend to provide weaker security guarantees. This is because group communication poses unique challenges, such as coordinated key updates, changes to group membership and complex post-compromise recovery procedures. We need to tackle this complex challenge as a community. Thus, the Internet Engineering Task Force (IETF) has created a working group with the goal of developing a sound standard for a continuous asynchronous key-exchange protocol for dynamic groups that is secure and remains efficient for large group sizes. The current version of the Messaging Layer Security (MLS) security protocol is in a feature freeze, i.e., no changes are made in order to provide a stable basis for cryptographic analysis. The key schedule and TreeKEM design are of particular concern since they are crucial to distribute and combine several keys to achieve PCS. In this work, we study the MLS continuous group key distribution (CGKD) which comprises the MLS key schedule, TreeKEM and their composition, as specified in Draft 11 of the MLS RFC, while abstracting away signatures, message flow and authentication guarantees. We establish the uniqueness and key indistinguishability properties of the MLS CGKD as computational security properties.

Note: Main changes: - added a discussion section on the proof methodology. - made a consistency pass as well as editorial changes. In particular, we moved the details of the MLS update, process and join functions to the appendix since understanding them is not (formally) required for stating the theorems (but it might still be nice to read them especially to get a better overview of MLS).

Available format(s)
Publication info
Preprint. MINOR revision.
secure messagingMLSkey derivationkey exchangeprotocolsstate-separating proofs
Contact author(s)
chris brzuska @ aalto fi
ericornelissen @ gmail com
konrad kohbrok @ aalto fi
2021-04-23: revised
2021-02-10: received
See all versions
Short URL
Creative Commons Attribution


      author = {Chris Brzuska and Eric Cornelissen and Konrad Kohbrok},
      title = {Cryptographic Security of the {MLS} {RFC}, Draft 11},
      howpublished = {Cryptology ePrint Archive, Paper 2021/137},
      year = {2021},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.