Skip to main content

MLS Group Messaging: How Zero-Knowledge Can Secure Updates

Part of the Lecture Notes in Computer Science book series (LNSC,volume 12973)


The Messaging Layer Security (MLS) protocol currently developed by the Internet Engineering Task Force (IETF) aims at providing a secure group messaging solution. MLS aims for end-to-end security, including Forward Secrecy and Post Compromise Secrecy, properties well studied for one-to-one protocols. It proposes a tree-based regular asynchronous update of the group secrets, where a single user can alone perform a complete update. A main drawback is that a malicious user can create a denial of service attack by sending invalid update information.

In this work, we propose a solution to prevent this kind of attacks, giving a checkpoint role to the server that transmits the messages. In our solution, the user sends to the server a proof that the update has been computed correctly, without revealing any information about this update. We use a Zero-Knowledge (ZK) protocol together with verifiable encryption as building blocks. As a main contribution, we provide two different ZK protocols to prove knowledge of the input of a pseudo random function implemented as a circuit, given an algebraic commitment of the output and the input.


  • Cryptographic protocols
  • Messaging Layer Security - MLS
  • Secure messaging
  • Zero-knowledge

This is a preview of subscription content, access via your institution.

Buying options

USD   29.95
Price excludes VAT (USA)
  • DOI: 10.1007/978-3-030-88428-4_29
  • Chapter length: 21 pages
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
USD   89.00
Price excludes VAT (USA)
  • ISBN: 978-3-030-88428-4
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
Softcover Book
USD   119.99
Price excludes VAT (USA)
Fig. 1.
Fig. 2.
Fig. 3.
Fig. 4.


  1. Agrawal, S., Ganesh, C., Mohassel, P.: Non-interactive zero-knowledge proofs for composite statements. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10993, pp. 643–673. Springer, Cham (2018).

    CrossRef  Google Scholar 

  2. Alwen, J., et al.: Keep the dirt: tainted TreeKEM, adaptively and actively secure continuous group key agreement. Cryptology ePrint Archive, Report 2019/1489 (2019).

  3. Alwen, J., Coretti, S., Dodis, Y.: The double ratchet: security notions, proofs, and modularization for the signal protocol. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11476, pp. 129–158. Springer, Cham (2019).

    CrossRef  Google Scholar 

  4. Alwen, J., Coretti, S., Dodis, Y., Tselekounis, Y.: Security analysis and improvements for the IETF MLS standard for group messaging. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12170, pp. 248–277. Springer, Cham (2020).

    CrossRef  Google Scholar 

  5. Ames, S., Hazay, C., Ishai, Y., Venkitasubramaniam, M.: Ligero: lightweight sublinear arguments without a trusted setup. In: Thuraisingham, B.M., Evans, D., Malkin, T., Xu, D. (eds.) ACM CCS 2017, pp. 2087–2104. ACM Press, Oct/Nov 2017.

  6. Backes, M., Hanzlik, L., Herzberg, A., Kate, A., Pryvalov, I.: Efficient non-interactive zero-knowledge proofs in cross-domains without trusted setup. In: Lin, D., Sako, K. (eds.) PKC 2019. LNCS, vol. 11442, pp. 286–313. Springer, Cham (2019).

    CrossRef  Google Scholar 

  7. Barnes, R., Beurdouche, B., Millican, J., Omara, E., Cohn-Gordon, K., Robert, R.: The messaging layer security (MLS) protocol.

  8. Barnes, R., Bhargavan, K., Lipp, B., Wood, C.: Hybrid public key encryption (2021).

  9. Bellare, M., Singh, A.C., Jaeger, J., Nyayapati, M., Stepanovs, I.: Ratcheted encryption and key exchange: the security of messaging. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10403, pp. 619–650. Springer, Cham (2017).

    CrossRef  Google Scholar 

  10. Ben-Sasson, E., Bentov, I., Horesh, Y., Riabzev, M.: Scalable, transparent, and post-quantum secure computational integrity. Cryptology ePrint Archive, Report 2018/046 (2018).

  11. Bhargavan, K., Barnes, R., Rescorla, E.: TreeKEM: asynchronous decentralized key management for large dynamic groups (2018)

    Google Scholar 

  12. Brzuska, C., Cornelissen, E., Kohbrok, K.: Cryptographic security of the MLS RFC, Draft 11. Cryptology ePrint Archive, Report 2021/137 (2021).

  13. Camenisch, J., Damgård, I.: Verifiable encryption, group encryption, and their applications to separable group signatures and signature sharing schemes. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 331–345. Springer, Heidelberg (2000).

    CrossRef  Google Scholar 

  14. Camenish, J., Stadler, M.: Proof systems for general statements about discrete logarithms (1997)

    Google Scholar 

  15. Canetti, R., Goldreich, O., Halevi, S.: The random oracle methodology, revisited. Cryptology ePrint Archive, Report 1998/011 (1998).

  16. Castagnos, G., Catalano, D., Laguillaumie, F., Savasta, F., Tucker, I.: Two-party ECDSA from hash proof systems and efficient instantiations. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11694, pp. 191–221. Springer, Cham (2019).

    CrossRef  Google Scholar 

  17. Castagnos, G., Laguillaumie, F.: Linearly homomorphic encryption from \(\sf DDH\). In: Nyberg, K. (ed.) CT-RSA 2015. LNCS, vol. 9048, pp. 487–505. Springer, Cham (2015).

    CrossRef  Google Scholar 

  18. Chase, M., et al.: Post-quantum zero-knowledge and signatures from symmetric-key primitives. In: Thuraisingham, B.M., Evans, D., Malkin, T., Xu, D. (eds.) ACM CCS 2017, pp. 1825–1842. ACM Press, Oct/Nov 2017.

  19. Chase, M., Ganesh, C., Mohassel, P.: Efficient zero-knowledge proof of algebraic and non-algebraic statements with applications to privacy preserving credentials. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9816, pp. 499–530. Springer, Heidelberg (2016).

    CrossRef  Google Scholar 

  20. Chase, M., Perrin, T., Zaverucha, G.: The signal private group system and anonymous credentials supporting efficient verifiable encryption. Cryptology ePrint Archive, Report 2019/1416 (2019).

  21. Cohn-Gordon, K., Cremers, C., Garratt, L., Millican, J., Milner, K.: On ends-to-ends encryption: asynchronous group messaging with strong security guarantees. Cryptology ePrint Archive, Report 2017/666 (2017).

  22. Cohn-Gordon, K., Cremers, C.J.F., Dowling, B., Garratt, L., Stebila, D.: A formal security analysis of the signal messaging protocol. In: 2017 IEEE European Symposium on Security and Privacy, EuroS&P 2017, Paris, France, 26–28 April 2017, pp. 451–466 (2017).

  23. Damgård, I.: On sigma protocols (2010)

    Google Scholar 

  24. Bernstein, D.J.: A state-of-the-art Diffie Hellman function.

  25. Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987).

    CrossRef  Google Scholar 

  26. Gennaro, R., Gentry, C., Parno, B., Raykova, M.: Quadratic span programs and succinct NIZKs without PCPs. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 626–645. Springer, Heidelberg (2013).

    CrossRef  Google Scholar 

  27. Giacomelli, I., Madsen, J., Orlandi, C.: ZKBoo: faster zero-knowledge for Boolean circuits. In: Holz, T., Savage, S. (eds.) USENIX Security 2016, pp. 1069–1083. USENIX Association, August 2016

    Google Scholar 

  28. Groth, J.: Short pairing-based non-interactive zero-knowledge arguments. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 321–340. Springer, Heidelberg (2010).

    CrossRef  Google Scholar 

  29. Gvili, Y., Ha, J., Scheffler, S., Varia, M., Yang, Z., Zhang, X.: TurboIKOS: improved non-interactive zero knowledge and post-quantum signatures. Cryptology ePrint Archive, Report 2021/478 (2021).

  30. Ishai, Y., Kushilevitz, E., Ostrovsky, R., Sahai, A.: Zero-knowledge from secure multiparty computation. In: Johnson, D.S., Feige, U. (eds.) 39th ACM STOC, pp. 21–30. ACM Press, June 2007.

  31. Jaeger, J., Stepanovs, I.: Optimal channel security against fine-grained state compromise: the safety of messaging. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10991, pp. 33–62. Springer, Cham (2018).

    CrossRef  Google Scholar 

  32. Jawurek, M., Kerschbaum, F., Orlandi, C.: Zero-knowledge using garbled circuits: how to prove non-algebraic statements efficiently. In: Sadeghi, A.R., Gligor, V.D., Yung, M. (eds.) ACM CCS 2013, pp. 955–966. ACM Press, November 2013.

  33. Jost, D., Maurer, U., Mularczyk, M.: Efficient ratcheting: almost-optimal guarantees for secure messaging. Cryptology ePrint Archive, Report 2018/954 (2018).

  34. Katz, J., Kolesnikov, V., Wang, X.: Improved non-interactive zero knowledge with applications to post-quantum signatures. In: Lie, D., Mannan, M., Backes, M., Wang, X. (eds.) ACM CCS 2018, pp. 525–537. ACM Press, October 2018.

  35. Kilian, J.: A note on efficient zero-knowledge proofs and arguments (extended abstract). In: 24th ACM STOC, pp. 723–732. ACM Press, May 1992.

  36. Krawczyk, H.: Cryptographic extraction and key derivation: the HKDF scheme. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 631–648. Springer, Heidelberg (2010).

    CrossRef  Google Scholar 

  37. Marlinspike, M., Perrin, T.: The double ratchet algorithm. Signal’s web site (2016)

    Google Scholar 

  38. Pedersen, T.P.: Non-interactive and information-theoretic secure verifiable secret sharing. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 129–140. Springer, Heidelberg (1992).

    CrossRef  Google Scholar 

  39. Poettering, B., Rösler, P.: Towards bidirectional ratcheted key exchange. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10991, pp. 3–32. Springer, Cham (2018).

    CrossRef  Google Scholar 

  40. Stadler, M.: Publicly verifiable secret sharing. In: Maurer, U. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 190–199. Springer, Heidelberg (1996).

    CrossRef  Google Scholar 

Download references

Author information

Authors and Affiliations


Corresponding author

Correspondence to Céline Duguey .

Editor information

Editors and Affiliations


A Key Size and Group Orders in MLS Updates

In [7], several suitable cipher suites are described. We focus on one of them for a practical example, for a 128-bit security level. This suite uses X25519 for ECDH computation and SHA256 as a hash function (and base function for HKDF implementation). Following [24], the private key sk is obtained from a 256-bit string of secure random data \((sk[0], sk[1],\dots , sk[255])\) by applying the following transform: \( sk[0] \& =248\), \( sk[31] \& = 127\) and \(sk[31] |=64\). One obtains, when interpreted as an integer value in little endian, a scalar of the form \(2^{254}+8\cdot \ell , \ell \in \llbracket 0;2^{251}-1\rrbracket \). We design by \(\mathsf {deriveSK}\) the application of \(\mathsf {SHA256}\) followed by the above transformation such that for any 32-byte sequence of random data X, \(\mathsf {deriveSK(X)}\) is a valid secret key for X25519. This encoding can be integrated in the circuit computing the last derivation. The public key is obtained by multiplying the secret key by the base point of the curve: given a 32-byte secret X, \(\mathsf {DeriveKeyPair}(X) = (\mathsf {deriveSK}(X), \mathsf {deriveSK}(X)P)\). We adopt this notation independently from the curve targeted.

Group Order and Commitments. In our proofs, we consider commitments and discrete logarithm proofs in cyclic groups of order q, and circuits input and output that naturally lie in \(\mathsf {F}_q\). This may not be the case. Considering X25519 key derivation derived above, a new user’s secret \(ps_B'\) is a random element in \(\{0,1\}^{256}\), which, when interpreted as an integer, can be larger than q. As explained in [6], it is possible to consider \(ps_B' \mod q\) for the commitment and to include to a modular computation in the circuit. If q is close enough to \(2^{256}\) then it is a simple comparison and subtraction. This requires around 2 000 gates, which is negligible compared to our circuit size. Another solution is to directly sample \(ps_B'\) in \(\mathsf {F}_q\). This can be done by rejection sampling or as follow: sample X sufficiently big compared to \(\log _2(q)\) (\(\log _2(X)> \log _2(q)+64\) as advised by the NIST for instance), then simply considering \(X \mod q\) can be done with a negligible bias. For all the intermediate values in the tree, the first method can be applied. The last step is the commitment of the secret key \(sk = \mathsf {Encode}(X)\). For this element, we directly consider the encoding provided with the curve. The commitment \(C_{sk}\) of sk in a group of order q will result in the same implicit reduction modulo q than the computation of the public key. Then we can produce an AND ZK proof that the value committed to in \(C_{sk}\) is the discrete log of the pk: \(PK\{sk: C_{sk} = skP+rQ \wedge pk = skP\}\).

B Security of Our Zero-Knowledge Protocols

We present a sketch of proof for the security of \(\mathtt {CopraZK}\) given in Theorem 2. It is settled on two properties for the function family f. Firstly, we need its dual function \(\tilde{f}\) to be correlation intractable with respect to the family of relations \(\mathcal {R}_{a,b}:\{x,y: y=ax+b\}\) for ab random values. Correlation intractability was introduced in [15] and says that, for any relation in the family \(\mathcal {R}_{a,b}\), for any random key x, an adversary has a negligible probability to find an input m such that (m, f(xm)) satisfies the relation. Secondly, we need to be sure that the tag does not leak information on the key. We define a general linear input deviation resistant PRF (\(\mathsf {glider}\text {-}\mathsf {PRF}\)) as follows:

Definition 1

(\(\mathsf {glider}\text {-}\mathsf {PRF}\) security). A function family \(f \in \mathsf {FF}(\mathcal {K},\mathcal {D},\mathcal {R})\) (with appropriate domain and range) is said to be a \(\mathsf {glider}\text {-}\mathsf {PRF}\) if for all PPT adversary \(\mathcal {A}\), and a random , there exists a negligible function \(\mathsf {negl}\) such that:

As we use Fiat-Shamir to get an non interactive protocol, our proof is settled in the Random Oracle Model (ROM), which would satisfy our hypothesis. However, it seems contradictory to idealize as a random oracle the PRF f that is concretely described as a circuit in the ZKBoo part of the protocol. Hence, the ROM hypothesis only applies to the hash function \(\mathsf {h}\) that generates the challenge and the correlation intractability and \(\mathsf {glider}\text {-}\mathsf {PRF}\) properties provide a way to formalize a security proof when only some properties of the random oracle are needed. The correctness of the protocol follows by inspection.

3-Special Soundness. From the 2-special soundness of the Sigma protocol \(\varPi \), one extract \(\tilde{x},\tilde{y}, \tilde{r_x}, \tilde{r_y}\) such that \(C_x = \tilde{x}P+\tilde{r_x}Q, C_y = \tilde{y}P + \tilde{r_y}Q\) and \(t = \alpha \tilde{x} + \tilde{y}\). From the 3-special soundness of ZKBoo, one extracts \(x'\) such that \(t=f(x',m)+\alpha x'\), where t is a fixed value, the same as the one for the proof \(\varPi \). Correlation intractability of \(\tilde{f}\) ensures that \(x' \ne \tilde{x}\) happens with negligible probability. We note that the correlation intractability of \(\tilde{f}\) requires the input of f to be randomized. In MLS, this supposes considering a random value (for instance the hash of the tree view) instead of the constant 0.

Zero Knowledge. We build a simulator \(\mathcal {S}im\) as follows: \(\mathcal {S}im\) sample a random value . Then he calls the Simulator of ZKBoo, \(\mathcal {S}im_{ZKBoo}\), as a subroutine and obtains a transcript \((a_{ZKBoo, e, z_{ZKBoo}})\). Then he calls the simulator for the Sigma protocol \(\varPi \), \(\mathcal {S}im_\varPi \), as a second subroutine, on the challenge e and obtains a second transcript \((a_{\varPi }, e, z_{\varPi })\) (as \(\mathcal {S}im_\varPi \) shall work for any challenge). If f is \(\mathsf {glider}\text {-}\mathsf {PRF}\)-secure, then sampling a random t is indistinguishable from the real distribution of t and finally, the output distribution of \(\mathcal {S}im\) is indistinguishable from the real execution output. In the context of MLS, the tag t must be accessible to the server only. A user who would receive its valid update and access the tag could compute the secret of its child, which he should not.

Rights and permissions

Reprints and Permissions

Copyright information

© 2021 Springer Nature Switzerland AG

About this paper

Verify currency and authenticity via CrossMark

Cite this paper

Devigne, J., Duguey, C., Fouque, PA. (2021). MLS Group Messaging: How Zero-Knowledge Can Secure Updates. In: Bertino, E., Shulman, H., Waidner, M. (eds) Computer Security – ESORICS 2021. ESORICS 2021. Lecture Notes in Computer Science(), vol 12973. Springer, Cham.

Download citation

  • DOI:

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-88427-7

  • Online ISBN: 978-3-030-88428-4

  • eBook Packages: Computer ScienceComputer Science (R0)