Paper 2023/1903

Quarantined-TreeKEM: a Continuous Group Key Agreement for MLS, Secure in Presence of Inactive Users

Céline Chevalier, École Normale Supérieure - PSL, Université Paris Panthéon-Assas
Guirec Lebrun, École Normale Supérieure - PSL, ANSSI, France
Ange Martinelli, ANSSI, France

The recently standardized secure group messaging protocol “Messaging Layer Security” (MLS) is designed to ensure asynchronous communication within large groups, with an almost-optimal communication cost and the same security level as point-to-point secure messaging protocols such as “Signal”. In particular, the core sub-protocol of MLS, a Continuous Group Key Agreement (CGKA) called TreeKEM, must generate a common group key that respects the fundamental security properties of “post-compromise security” and “forward secrecy” which mitigate the effects of user corruption over time. Most research on CGKAs has focused on how to improve these two security properties. However, post-compromise security and forward secrecy require the active participation of respectively all compromised users and all users within the group. Inactive users – who remain offline for long periods – do not update anymore their encryption keys and therefore represent a vulnerability for the entire group. This issue has already been identified in the MLS standard, but no solution, other than expelling these inactive users after some disconnection time, has been found. We propose here a CGKA protocol based on TreeKEM and fully compatible with the MLS standard, that implements a “quarantine” mechanism for the inactive users in order to mitigate the risk induced by these users during their inactivity period and before they are removed from the group. That mechanism indeed updates the inactive users’ encryption keys on their behalf and secures these keys with a secret sharing scheme. If some of the inactive users eventually reconnect, their quarantine stops and they are able to recover all the messages that were exchanged during their offline period. Our “Quarantined-TreeKEM” protocol thus increases the security of original TreeKEM, with a very limited – and sometimes negative – communication overhead.

Available format(s)
Cryptographic protocols
Publication info
MLSCGKATreeKEMSecure Group Messaging
Contact author(s)
celine chevalier @ ens fr
guirec lebrun @ ens fr
ange martinelli @ ssi gouv fr
2024-05-16: last of 2 revisions
2023-12-11: received
See all versions
Short URL
Creative Commons Attribution


      author = {Céline Chevalier and Guirec Lebrun and Ange Martinelli},
      title = {Quarantined-{TreeKEM}: a Continuous Group Key Agreement for {MLS}, Secure in Presence of Inactive Users},
      howpublished = {Cryptology ePrint Archive, Paper 2023/1903},
      year = {2023},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.