TreeKEM: Asynchronous Decentralized Key Management for Large Dynamic Groups A protocol proposal for Messaging Layer Security (MLS)

The Messaging Layer Security (MLS) architecture envisions a protocol that can establish a key shared by a group of members, where each member controls a number of clients (devices). Each client is identified by its own long-term key, and can participate in the protocol asynchronously, that is, without needing any other client to be online. Notably, each client can issue asynchronous group modification requests to add new members, remove members, and update its own keys, etc. The architecture document also states a series of security goals for the protocol. We begin this document by stating the desired functionality and security goals of MLS in our own notation. We then propose a new protocol that seeks to achieve the confidentiality goals of the MLS architecture. (This proposal was first posted on the IETF MLS Mailing List on May 3rd, 2019. See: https://mailarchive.ietf.org/arch/msg/mls/e3ZKNzPC7Gxrm3Wf0q96dsLZoD8)