Paper 2025/426

Exploring How to Authenticate Application Messages in MLS: More Efficient, Post-Quantum, and Anonymous Blocklistable

Keitaro Hashimoto, National Institute of Advanced Industrial Science and Technology (AIST)
Shuichi Katsumata, National Institute of Advanced Industrial Science and Technology, PQShield
Guillermo Pascual-Perez, Institute of Science and Technology Austria
Abstract

The Message Layer Security (MLS) protocol has recently been standardized by the IETF. MLS is a scalable secure group messaging protocol expected to run more efficiently compared to the Signal protocol at scale, while offering a similar level of strong security. Even though MLS has undergone extensive examination by researchers, the majority of the works have focused on confidentiality. In this work, we focus on the authenticity of the application messages exchanged in MLS. Currently, MLS authenticates every application message with an EdDSA signature and while manageable, the overhead is greatly amplified in the post-quantum setting as the NIST-recommended Dilithium signature results in a 40x increase in size. We view this as an invitation to explore new authentication modes that can be used instead. We start by taking a systematic view on how application messages are authenticated in MLS and categorize authenticity into four different security notions. We then propose several authentication modes, offering a range of different efficiency and security profiles. For instance, in one of our modes, COSMOS++, we replace signatures with one-time tokens and a MAC tag, offering roughly a 75x savings in the post-quantum communication overhead. While this comes at the cost of weakening security compared to the authentication mode used by MLS, the lower communication overhead seems to make it a worthwhile trade-off with security.

Note: Extended version with full appendices.

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
Published elsewhere. Major revision. Usenix Security 2025
Keywords
Secure group messagingMessaging Layer Security (MLS)Message authentication
Contact author(s)
keitaro hashimoto @ aist go jp
shuichi katsumata @ pqshield com
Guillermo PascualPerez @ ist ac at
History
2025-03-05: approved
2025-03-05: received
See all versions
Short URL
https://ia.cr/2025/426
License
Creative Commons Attribution
CC BY

BibTeX 

@misc{cryptoeprint:2025/426,
      author = {Keitaro Hashimoto and Shuichi Katsumata and Guillermo Pascual-Perez},
      title = {Exploring How to Authenticate Application Messages in {MLS}: More Efficient, Post-Quantum, and Anonymous Blocklistable},
      howpublished = {Cryptology {ePrint} Archive, Paper 2025/426},
      year = {2025},
      url = {https://eprint.iacr.org/2025/426}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.