plus/minus epsilon

MLS with Hidden Members

17 Dec 2020

Recently I was asked about the possibility of using MLS in groups with “hidden members”. That is, groups where the creator is known to all participants but the participants don’t know each other. This is the use-case of broadcast TV, private Twitter accounts, Instagram stories. The answer is no, MLS doesn’t work here.

The main issue is that MLS isn’t secure against malicious insiders, and therefore isn't suitable for most broadcast use-cases. A lesser issue is that MLS is designed for homogeneous groups, and would be wasteful to use in a scenario where one member has special authority.

Which solution is more appropriate depends on how many receivers there are, and if it’s possible to interact with them all regularly.

If there are too many receivers to regularly process all their messages, then it's not possible to achieve MLS’s strong post-compromise security properties and the best solution is a Broadcast Encryption. With broadcast encryption, receivers are assigned a decryption key by the sender that allows them to decrypt messages, while also allowing the sender to efficiently revoke their access later. Delerablee's broadcast encryption has the special ability to handle an arbitrary number of new members and revocations with constant-size ciphertexts.

On the other hand, if it's possible to interact with all receivers regularly, the sender could establish one-on-one MLS groups with each receiver. The sender could use these groups to share a common symmetric key with all receivers, to which it would encrypt broadcasts. This approach is about as expensive as maintaining an MLS group between all receivers, but mitigates the risk of group sabotage.

Cryptography Message Layer Security