Paper 2024/746

The Art of Bonsai: How Well-Shaped Trees Improve the Communication Cost of MLS

Céline Chevalier, École Normale Supérieure - PSL, Paris-Panthéon Assas University
Guirec Lebrun, École Normale Supérieure - PSL, ANSSI, France
Ange Martinelli, ANSSI, France
Jérôme Plût, ANSSI, France
Abstract

Messaging Layer Security (MLS) is a Secure Group Messaging protocol that uses for its handshake a binary tree – called a Ratchet Tree – in order to reach a logarithmic communication cost in the number of group members. This Ratchet Tree represents users as its leaves; therefore any change in the group membership results in adding or removing a leaf in the tree. MLS consequently implements what we call a tree evolution mechanism, consisting of a user add algorithm – determining where to insert a new leaf – and a tree expansion process – stating how to increase the size of the tree when no space is available for a new user. The tree evolution mechanism currently used by MLS is designed so that it naturally left-balances the Ratchet Tree. However, such a tree structure is often quite inefficient in terms of communication cost. Furthermore, one may wonder whether the binary Ratchet Tree has a degree optimized for the features of MLS. Therefore, we study in this paper how to improve the communication cost of the handshake in MLS – realized through an operation called a commit – by considering both the tree evolution mechanism and the tree degree used for the Ratchet Tree. To do so, we determine the tree structure that optimizes its communication cost and we propose algorithms for both the user add and the tree expansion processes, that allow to remain close to that optimal structure and thus to have a communication cost as close as possible to the optimum. We also find out the Ratchet Tree degree that is best suited to a given set of parameters induced by the encryption scheme used by MLS. This study shows that when using classical (i.e. pre-quantum) ciphersuites, a binary tree is indeed the most appropriate Ratchet Tree; nevertheless, with post-quantum algorithms, it generally becomes more interesting to use instead a ternary tree. Our improvements do not change the TreeKEM protocol and are easy to implement. With parameter sets corresponding to practical ciphersuites, they reduce TreeKEM’s communication cost by 5 to 10%. In particular, the gain of 10% appears in the post-quantum setting – when both an optimized tree evolution mechanism and a ternary tree are necessary –, which is precisely the context where any optimization of the protocol’s communication cost is welcome, due to the large bandwidth of PQ encrypted communication.

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
Published elsewhere. IEEE EuroS&P 2025
Keywords
MLSTreeKEMCGKAKey TreeBinary TreeTernary Tree
Contact author(s)
celine chevalier @ ens fr
guirec lebrun @ ens fr
ange martinelli @ ssi gouv fr
jerome plut @ ssi gouv fr
History
2025-04-11: revised
2024-05-16: received
See all versions
Short URL
https://ia.cr/2024/746
License
Creative Commons Attribution
CC BY

BibTeX 

@misc{cryptoeprint:2024/746,
      author = {Céline Chevalier and Guirec Lebrun and Ange Martinelli and Jérôme Plût},
      title = {The Art of Bonsai: How Well-Shaped Trees Improve the Communication Cost of {MLS}},
      howpublished = {Cryptology {ePrint} Archive, Paper 2024/746},
      year = {2024},
      url = {https://eprint.iacr.org/2024/746}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.