[MLS] Re: On the Efficiency of MLS
Richard Barnes <rlb@ipv.sx> Mon, 24 November 2025 13:47 UTC
Return-Path: <rlb@ipv.sx>
X-Original-To: mls@mail2.ietf.org
Delivered-To: mls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id D30058F7D770 for <mls@mail2.ietf.org>; Mon, 24 Nov 2025 05:47:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20230601.gappssmtp.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2vx3SORqr0GB for <mls@mail2.ietf.org>; Mon, 24 Nov 2025 05:47:19 -0800 (PST)
Received: from mail-il1-x136.google.com (mail-il1-x136.google.com [IPv6:2607:f8b0:4864:20::136]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 131878F7D769 for <mls@ietf.org>; Mon, 24 Nov 2025 05:47:18 -0800 (PST)
Received: by mail-il1-x136.google.com with SMTP id e9e14a558f8ab-4336f492d75so19608145ab.1 for <mls@ietf.org>; Mon, 24 Nov 2025 05:47:18 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20230601.gappssmtp.com; s=20230601; t=1763992032; x=1764596832; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=eEolcjk4p4udHc8A5s/Cg6BABrXtwHSZZJBPaB03FI0=; b=YT/l9pFyeUgYeTNq5Cu/FCNGWI7xs4U89HxRI40WlBsSBv4asJzgK6E1aCm1Hc3ugv P9ZZxHQXIvhTFhw5MYJ03HD/DXnDdilRchR87KvGIHgI4XvNs35RlL2E0M9g4//n39yw IEhi4looKzyOWm+ZErlnf2u5RUmDzu23Ex2wwio3VKFGZaa4ywe9pCpH6zduDygvNxwy hhMGAup4fFSfYX97eeW9NqS90hIL0SolYElgWSUEzg9RwkjebMxTbrUHahIDMYgs/QDq 4y7ZnVmNQxUJojEAOs0LDTgjLU4rZjxIXxFOf47ue2+otW/gpM70xJ77LyDpp4bQenFM oaOg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1763992032; x=1764596832; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=eEolcjk4p4udHc8A5s/Cg6BABrXtwHSZZJBPaB03FI0=; b=PjsHkBYAaLXruw5FW7uASqw+onee8o4focsnZKy0jWfFa1K1ZqOGKNZwK2gdZm2Xby Eghhg/yeYSJXUf41qic59POjLVGT+8m/kDVTH/GvJEZH7+YtkUJJUithO6dleP/6DIQv 1X2hR/nfFikl1vKsgS5c24KlR/J85BGAw3K4seiJ2MXm7Z2+3cjNfxn/krBFtxs7ePE8 iEyNWVo0biXkFz7fhB/YW+6UZW8QQDHgcgrusOhewi5/0pPIERnsyGFk+JN1rAxJEh8e yK2aPdm1gQnrT5Eca2KSVewZTWJPCHQ7Yw/mDytaEAExjWmXzdAjWCIoWkno/YSp8e1V X4Ew==
X-Gm-Message-State: AOJu0YzdgXT1n7/45j/HWK8ACurzYo4VYa6srAXtIQe8pWaz4c9rYOz1 9YJhp6Pdw4NYGojanZ6J3B0kDCRMWi/XJHzo5KgQdKEX0Ty8HGt5eu0ftnegde2KfGKN5unqCZ7 9S6563Y1QhD7HhiWjGD3EYtsW4/GUg13G9UglsW+xbQ==
X-Gm-Gg: ASbGncscbkxTn4Q7P+K4owz/re+si1yeG/lj2vqXq++qmAb5NED6BYr+7gm+KqtRTB2 7XGoKVN0cTh9x3VAlBC7XHxHMdXqI/O9UzvpLFf/K7J6Tf8VL9URLh8TrBwUF1ShcbTU/I+9KAe FHRecUkFbr8wSlfWCoJ09ZZFGyRHF7U+tCKXFmULUHKg3eiKByyiuW1iVrwrfKcsPnKjcDZ8VGr i9mqYgSXY3xM2lNEGj7LpghOAhPK2GvoiAkzFlu9Q5AhLBDimUJ8ng3g6z/Zho7HqzFGmjzxXSo 6uAX/Q==
X-Google-Smtp-Source: AGHT+IFmnk5TtoNIdeK03zyjNaEB4adwoO2vZOPdPczf5qmC67P191JTQzStYs3JEsbTqMRL9evf5CZDFIdHIuif2Qs=
X-Received: by 2002:a05:6e02:3810:b0:433:51fd:4cda with SMTP id e9e14a558f8ab-435b98c5d10mr89890625ab.25.1763992032035; Mon, 24 Nov 2025 05:47:12 -0800 (PST)
MIME-Version: 1.0
References: <CAAb4y-Q_wmbKw6B2uxau206=JDgaiPFFRs8=ZWDahys89OFoDA@mail.gmail.com>
In-Reply-To: <CAAb4y-Q_wmbKw6B2uxau206=JDgaiPFFRs8=ZWDahys89OFoDA@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
Date: Mon, 24 Nov 2025 08:47:01 -0500
X-Gm-Features: AWmQ_bnqQBElKT1wOEuvJuxBP89T-QK1SC9EtHdcgeOBJkE3ObTcSW3FpoPqVw0
Message-ID: <CAL02cgTPvU8noziie+oYsMeepbtPtLCvzHoKP94yFEzfWP7gow@mail.gmail.com>
To: Miguel Cueto Noval <miguelcuetonoval@gmail.com>
Content-Type: multipart/alternative; boundary="00000000000074d63506445766c0"
Message-ID-Hash: WV3VEO2Q7P5UXOWP6ZVOEIBVXLVLSYDC
X-Message-ID-Hash: WV3VEO2Q7P5UXOWP6ZVOEIBVXLVLSYDC
X-MailFrom: rlb@ipv.sx
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-mls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: mls@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [MLS] Re: On the Efficiency of MLS
List-Id: Messaging Layer Security <mls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/pZ6588ZzxUlQfHckHoN6CfnbQc8>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Owner: <mailto:mls-owner@ietf.org>
List-Post: <mailto:mls@ietf.org>
List-Subscribe: <mailto:mls-join@ietf.org>
List-Unsubscribe: <mailto:mls-leave@ietf.org>
Hi Miguel, (and Ben and Boran and Krzysztof) Thanks for sharing this work. Your point about "fair-weather" complexity matches what I expect is the intuition of most folks who have worked with MLS a bunch. For example, in our Real-World Crypto talk on MLS in 2019 [1], we talked about Update and Remove operations costing log(N) ~ N to give a sense of this spectrum. (As for the RFC text you quote... maybe that was a bit optimistic :) ) But it's still nice that this work adds some precision to that intuition. --Richard [1] https://www.youtube.com/watch?v=9xePC0Tyeuc&t=1810s On Thu, Nov 20, 2025 at 11:06 AM Miguel Cueto Noval < miguelcuetonoval@gmail.com> wrote: > Dear all, > > I am a PhD student at ISTA working in cryptography. At CRYPTO 25, Benedikt > Auerbach, Boran Erol and Krzysztof Pietrzak and I presented our work on the > efficiency of MLS 'Continuous Group-Key Agreement: Concurrent Updates > without Pruning'. > > In this paper (https://eprint.iacr.org/2025/1035) we study the > Propose-and-Commit paradigm used in TreeKEM and the impact it has on the > efficiency of the protocol, in particular the “update complexity” measured > by the number of ciphertexts that the committer must upload (per updated > party) as part of a commit. > > Depending on the number and distribution of proposals/commits, for > MLS/TreeKEM this complexity lies somewhere between log(N) and N (where N is > the number of parties). While we couldn’t find any concrete analysis or > claims about the exact complexity, some works suggested that under mild > assumptions about the online/offline behaviour of participants, the > complexity can be kept in the O(log(n)) range (aka. “Fair-weather” > complexity). The IETF document states “This mechanism allows the members of > the group to derive and update shared keys with costs that scale as the log > of the group size.”. > > In our work we show that this intuition is wrong. Already for the simple > and seemingly nice (i.e., “fair-weather”) case where we alternatingly pick > a random proposer and then a random committer, the complexity is around > N^(0.5), and the complexity converges fast towards N as the number of > proposers increase. > > On the positive side, we construct a new variant of Propose-and-Commit for > TreeKEM which for moderate amounts of update proposals per commit provably > achieves an update cost of $\Theta(\log(N))$. Moreover, the changes > required for this variant are relatively small meaning that an > implementation of MLS should be easily adapted to make use of this variant. > > Best, > Ben, Boran, Krzysztof and Miguel > > _______________________________________________ > MLS mailing list -- mls@ietf.org > To unsubscribe send an email to mls-leave@ietf.org >
- [MLS] On the Efficiency of MLS Miguel Cueto Noval
- [MLS] Re: On the Efficiency of MLS Richard Barnes