Cryptographic Analysis of the Message Layer Security Protocol in the Static Corruption Model
Publisher
Tartu Ülikool
Abstract
Existing cryptographic protocols achieve a range of security guarantees such as secrecy
and authentication. However, most protocols are designed for one-to-one communication
and protocols for group communication are less common, often less efficient, and
typically provide fewer security guarantees. This is because group communication poses
unique challenges, such as coordinated key updates and changes to group membership,
that complicate the protocol design. Still, group communication is common in messaging
applications and often security is sacrificed for efficiency.
The IETF created a working group with the goal of bridging this gap by developing a
standard for a continuous asynchronous key-exchange protocol for dynamic groups that
is secure and remains efficient for large group sizes. This thesis provides a cryptographic
analysis of TreeKEM and the key schedule present in draft 8 of the Message Layer
Security (MLS) protocol RFC. The analysis is carried out using the State Separating
Proofs methodology [BDLF+18].
We show that both the keys produced by TreeKEM and the key schedule of MLS are
pseudorandom in the static adversarial model given standard assumptions on Pseudorandom
Functions, Key Derivation Functions, and Public-Key Encryption, giving concrete
security bounds for both.
Keywords
Protocol Analysis, State Separating Proofs, Message Layer Security, TreeKEM