Paper 2024/746

The Art of Bonsai: How Well-Shaped Trees Improve the Communication Cost of MLS

Céline Chevalier, École Normale Supérieure - PSL, Paris-Panthéon Assas University
Guirec Lebrun, École Normale Supérieure - PSL, ANSSI, France
Ange Martinelli, ANSSI, France
Jérôme Plût, ANSSI, France

Messaging Layer Security (MLS) is a Secure Group Messaging protocol that uses for its handshake a binary tree – called a Ratchet Tree – in order to reach a logarithmic communication cost w.r.t. the number of group members. This Ratchet Tree represents users as its leaves; therefore any change in the group membership results in adding or removing a leaf associated with that user. MLS consequently implements what we call a tree evolution mechanism, consisting in a user add algorithm – determining where to insert a new leaf – and a tree expansion process – stating how to increase the size of the tree when no space is available for a new user. The tree evolution mechanism currently used by MLS is de- signed so that it naturally left-balances the Ratchet Tree. However, such a Ratchet Tree structure is often quite inefficient in terms of communication cost. Furthermore, one may wonder whether the binary tree used in that Ratchet Tree has a degree optimized for the features of a handshake in MLS – called a commit. Therefore, we study in this paper how to improve the communication cost of a commit in MLS by considering both the tree evolution mechanism and the tree degree used for the Ratchet Tree. To do so, we determine the tree structure that optimizes its communication cost, and we propose optimized algorithms for both the user add and tree expansion processes, that allow to remain close to that optimal structure and thus to have a communication cost as close to optimal as possible. We also determine the Ratchet Tree degree that is best suited to a given set of parameters induced by the encryption scheme used by MLS. This study shows that when using classical (i.e. pre-quantum) ciphersuites, a binary tree is indeed the most appropriate Ratchet Tree; nevertheless, when it comes to post-quantum algorithms, it generally becomes more interesting to use instead a ternary tree. Our improvements do not change TreeKEM protocol and are easy to implement. With parameter sets corresponding to practical ciphersuites, they reduce TreeKEM’s communication cost by 5 to 10%. In particular, the 10% gain appears in the Post-Quantum setting – when both an optimized tree evolution mechanism and a ternary tree are necessary –, which is precisely the context where any optimization of the protocol’s communication cost is welcome, due to the important bandwidth of PQ encrypted communication.

Available format(s)
Cryptographic protocols
Publication info
MLSTreeKEMCGKAKey TreeBinary TreeTernary Tree
Contact author(s)
celine chevalier @ ens fr
guirec lebrun @ ens fr
ange martinelli @ ssi gouv fr
jerome plut @ ssi gouv fr
2024-05-20: approved
2024-05-16: received
See all versions
Short URL
Creative Commons Attribution


      author = {Céline Chevalier and Guirec Lebrun and Ange Martinelli and Jérôme Plût},
      title = {The Art of Bonsai: How Well-Shaped Trees Improve the Communication Cost of {MLS}},
      howpublished = {Cryptology ePrint Archive, Paper 2024/746},
      year = {2024},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.