Cryptology ePrint Archive: Report 2021/137

Cryptographic Security of the MLS RFC, Draft 11

Chris Brzuska and Eric Cornelissen and Konrad Kohbrok

Abstract: Abstract—Cryptographic communication protocols provide confidentiality, integrity and authentication properties for end-to- end communication under strong corruption attacks, including, notably, post-compromise security (PCS). Most protocols are designed for one-to-one communication. Protocols for group communication are less common, less efficient, and tend to provide weaker security guarantees. This is because group communication poses unique challenges, such as coordinated key updates, changes to group membership and complex post- compromise recovery procedures.

We need to tackle this complex challenge as a community. Thus, the Internet Engineering Task Force (IETF) has created a working group with the goal of developing a sound standard for a continuous asynchronous key-exchange protocol for dynamic groups that is secure and remains efficient for large group sizes. The current version of the Messaging Layer Security (MLS) security protocol is in a feature freeze, i.e., no changes are made in order to provide a stable basis for cryptographic analysis. The key schedule and TreeKEM design are of particular concern since they are crucial to distribute and combine several keys to achieve PCS.

In this work, we provide a computational analysis of the MLS key schedule, TreeKEM and their composition, as specified in Draft 11 of the MLS RFC. The analysis is carried out using the State Separating Proofs methodology [9], and showcases the flexibility of the approach, enabling us to provide a full computational analysis shortly after Draft 11 was published.

Category / Keywords: secure messaging, MLS, key derivation, key exchange, protocols, state-separating proofs

Date: received 7 Feb 2021

Contact author: chris brzuska at aalto fi,ericornelissen@gmail com,konrad kohbrok@aalto fi

Available format(s): PDF | BibTeX Citation

Version: 20210210:073352 (All versions of this report)

Short URL: ia.cr/2021/137


[ Cryptology ePrint archive ]