Paper 2025/229

ETK: External-Operations TreeKEM and the Security of MLS in RFC 9420

Cas Cremers, CISPA Helmholtz Center for Information Security
Esra Günsay, CISPA Helmholtz Center for Information Security
Vera Wesselkamp
Mang Zhao
Abstract

The Messaging Layer Security protocol MLS is standardized in IETF’s RFC 9420 and allows a group of parties to securely establish and evolve group keys even if the servers are malicious. Its core mechanism is based on the TreeKEM protocol, but has gained many additional features and modifications during the development of the MLS standard. Over the last years, several partial security analyses have appeared of incomplete drafts of the protocol. Among the major additions to the TreeKEM design in MLS RFC 9420 (the final version of the standard) are the external operations, i.e., external commits and proposals, which interact deeply with the core TreeKEM protocol. These operations have not been considered in any previous security analysis, leaving their impact on the protocol’s overall security unclear. In this work, we formalize ETK: External-Operations TreeKEM that includes external commits and proposals. We develop a corresponding ideal functionality and prove that ETK indeed realizes . Our work is the first cryptographic analysis that considers both the final changes to the standard’s version of TreeKEM as well as external proposals and external commits. Compared to previous works that considered MLS draft versions, our ETK protocol is by far the closest to the final MLS RFC 9420 standard. Our analysis implies that the core of MLS’s TreeKEM variant as defined in RFC 9420 is an ETK protocol that realizes , when used with an SUF-CMA secure signature scheme, such as the IETF variant of Ed25519. We show that contrary to previous claims, MLS does not realize [Crypto2022] when used with signature schemes that only guarantee EUF-CMA, such as ECDSA. Moreover, we show that the security of the protocol could be further strengthened by adding a functionality to insert PSKs, allowing another form of healing, and give a corresponding construction ETK-PSK and ideal functionality .

Note: Typofix.

Metadata
Category
Cryptographic protocols
Publication info
Preprint.
Keywords
Messaging Layer Security, MLS, TreeKEM, CGKA, post-compromise security, PCS, ETK
Contact author(s)
cremers @ cispa de
esra guensay @ cispa de
vera wesselkamp @ t-online de
mang zhao @ hotmail com
History
2025-02-19: revised
2025-02-14: received
Short URL
https://ia.cr/2025/229
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2025/229,
      author = {Cas Cremers and Esra Günsay and Vera Wesselkamp and Mang Zhao},
      title = {{ETK}: External-Operations {TreeKEM} and the Security of {MLS} in {RFC} 9420},
      howpublished = {Cryptology {ePrint} Archive, Paper 2025/229},
      year = {2025},
      url = {https://eprint.iacr.org/2025/229}
}