Making MLS More Decentralized
25 days ago
- #Decentralization
- #MLS
- #Security
- Phoenix R&D supports the Messaging Layer Security (MLS) protocol, which is used for group key agreement and messaging in both asynchronous and real-time applications.
- MLS requires a Delivery Service (DS) to order commits, ensuring Forward Secrecy and Post-Compromise Security, but this centralization is problematic in decentralized systems.
- DMLS (Decentralized MLS) is proposed to address MLS's centralization issue by allowing group state forks, turning the commit history into a directed acyclic graph (DAG).
- Group forking in DMLS introduces challenges like managing forks and weakened Forward Secrecy, as key material must be retained to process concurrent commits.
- A solution from Alwen et al. involves puncturing retained key material to maintain Forward Secrecy while allowing forks, implemented in DMLS via a Puncturable Pseudorandom Function (PPRF).
- DMLS implementation in OpenMLS required adding PPRF, integrating it into the key schedule, and modifying the storage provider to handle multiple epochs.
- DMLS increases storage overhead, both from retaining old group states and from PPRF operations, but improves security in decentralized systems.
- Phoenix R&D invites feedback and collaboration on DMLS, with resources including a proof-of-concept implementation, AMT's paper, and an IETF draft.
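
The puncturing idea from the PPRF bullet above, as an added example that is not code from OpenMLS, the DMLS proof of concept or the IETF draft: a generic GGM-tree puncturable PRF built on HMAC-SHA256. The 16-bit input domain, the class and function names, and the use of an integer index as a stand-in for whatever identifies a commit are assumptions made for illustration.

```python
import hashlib
import hmac

DEPTH = 16  # assumed input domain: indices 0 .. 2**16 - 1


def _child(seed: bytes, bit: int) -> bytes:
    # One half of a length-doubling PRG, modelled here with HMAC-SHA256.
    return hmac.new(seed, bytes([bit]), hashlib.sha256).digest()


def _path(x: int) -> tuple:
    # Root-to-leaf path of x in the binary tree, most significant bit first.
    if not 0 <= x < (1 << DEPTH):
        raise ValueError("input outside the PRF domain")
    return tuple((x >> (DEPTH - 1 - i)) & 1 for i in range(DEPTH))


class PuncturablePRF:
    def __init__(self, root: bytes):
        # Retained state: tree-path prefix -> seed. No stored prefix is ever
        # a prefix of another, so each input has at most one covering node.
        self.nodes = {(): root}

    def _covering(self, path: tuple) -> tuple:
        for n in range(DEPTH + 1):
            if path[:n] in self.nodes:
                return path[:n]
        raise KeyError("input has been punctured")

    def evaluate(self, x: int) -> bytes:
        path = _path(x)
        prefix = self._covering(path)
        seed = self.nodes[prefix]
        for bit in path[len(prefix):]:
            seed = _child(seed, bit)
        return seed

    def puncture(self, x: int) -> bytes:
        # Return F(x) one last time and drop every seed that could rebuild it,
        # keeping only the sibling subtrees along the path to x.
        path = _path(x)
        prefix = self._covering(path)
        seed = self.nodes.pop(prefix)
        for i in range(len(prefix), DEPTH):
            sibling = 1 - path[i]
            self.nodes[path[:i] + (sibling,)] = _child(seed, sibling)
            seed = _child(seed, path[i])
        return seed
```

Each puncture replaces one stored seed with at most 16 sibling seeds, so the retained state grows with the number of punctured inputs while every unpunctured input stays computable.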