{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,18]],"date-time":"2026-04-18T14:42:28Z","timestamp":1776523348045,"version":"3.51.2"},"publisher-location":"Cham","reference-count":36,"publisher":"Springer Nature Switzerland","isbn-type":[{"value":"9783031159787","type":"print"},{"value":"9783031159794","type":"electronic"}],"license":[{"start":{"date-parts":[[2022,1,1]],"date-time":"2022-01-01T00:00:00Z","timestamp":1640995200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.springer.com\/tdm"},{"start":{"date-parts":[[2022,1,1]],"date-time":"2022-01-01T00:00:00Z","timestamp":1640995200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.springer.com\/tdm"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2022]]},"DOI":"10.1007\/978-3-031-15979-4_2","type":"book-chapter","created":{"date-parts":[[2022,10,12]],"date-time":"2022-10-12T16:25:31Z","timestamp":1665591931000},"page":"34-68","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":25,"title":["On the\u00a0Insider Security of\u00a0MLS"],"prefix":"10.1007","author":[{"given":"Jo\u00ebl","family":"Alwen","sequence":"first","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0002-6562-9665","authenticated-orcid":false,"given":"Daniel","family":"Jost","sequence":"additional","affiliation":[]},{"given":"Marta","family":"Mularczyk","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2022,10,13]]},"reference":[{"key":"2_CR1","unstructured":"Messagying layer security (MLS) WG - meeting minutes for interim 2020-1, January 2020. https:\/\/datatracker.ietf.org\/doc\/minutes-interim-2020-mls-01-202001110900\/"},{"key":"2_CR2","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"222","DOI":"10.1007\/978-3-030-90456-2_8","volume-title":"Theory of Cryptography","author":"J Alwen","year":"2021","unstructured":"Alwen, J., et al.: Grafting key trees: efficient key management for overlapping groups. In: Nissim, K., Waters, B. (eds.) TCC 2021, Part III. LNCS, vol. 13044, pp. 222\u2013253. Springer, Cham (2021). https:\/\/doi.org\/10.1007\/978-3-030-90456-2_8"},{"key":"2_CR3","unstructured":"Alwen, J., Auerbach, B., Noval, M.C., Klein, K., Pascual-Perez, G., Pietrzak, K.: DeCAF: decentralizable continuous group key agreement with fast healing. Cryptology ePrint Archive, Report 2022\/559 (2022). https:\/\/eprint.iacr.org\/2022\/559"},{"key":"2_CR4","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"815","DOI":"10.1007\/978-3-031-07085-3_28","volume-title":"EUROCRYPT 2022","author":"J Alwen","year":"2022","unstructured":"Alwen, J., et al.: CoCoA: concurrent continuous group key agreement. In: Dunkelman, O., Dziembowski, S. (eds.) EUROCRYPT 2022, Part II. LNCS, vol. 13276, pp. 815\u2013844. Springer, Heidelberg (2022). https:\/\/doi.org\/10.1007\/978-3-031-07085-3_28"},{"key":"2_CR5","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"87","DOI":"10.1007\/978-3-030-77870-5_4","volume-title":"Advances in Cryptology \u2013 EUROCRYPT 2021","author":"J Alwen","year":"2021","unstructured":"Alwen, J., Blanchet, B., Hauck, E., Kiltz, E., Lipp, B., Riepel, D.: Analysing the HPKE standard. In: Canteaut, A., Standaert, F.-X. (eds.) EUROCRYPT 2021. LNCS, vol. 12696, pp. 87\u2013116. Springer, Cham (2021). https:\/\/doi.org\/10.1007\/978-3-030-77870-5_4"},{"key":"2_CR6","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"248","DOI":"10.1007\/978-3-030-56784-2_9","volume-title":"Advances in Cryptology \u2013 CRYPTO 2020","author":"J Alwen","year":"2020","unstructured":"Alwen, J., Coretti, S., Dodis, Y., Tselekounis, Y.: Security analysis and improvements for the IETF MLS standard for group messaging. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020, Part I. LNCS, vol. 12170, pp. 248\u2013277. Springer, Cham (2020). https:\/\/doi.org\/10.1007\/978-3-030-56784-2_9"},{"key":"2_CR7","doi-asserted-by":"publisher","unstructured":"Alwen, J., Coretti, S., Dodis, Y., Tselekounis, Y.: Modular design of secure group messaging protocols and the security of MLS. In: Vigna, G., Shi, E. (eds.) ACM CCS 2021, pp. 1463\u20131483. ACM Press, November 2021. https:\/\/doi.org\/10.1145\/3460120.3484820","DOI":"10.1145\/3460120.3484820"},{"key":"2_CR8","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"261","DOI":"10.1007\/978-3-030-64378-2_10","volume-title":"Theory of Cryptography","author":"J Alwen","year":"2020","unstructured":"Alwen, J., Coretti, S., Jost, D., Mularczyk, M.: Continuous group key agreement with active security. In: Pass, R., Pietrzak, K. (eds.) TCC 2020, Part II. LNCS, vol. 12551, pp. 261\u2013290. Springer, Cham (2020). https:\/\/doi.org\/10.1007\/978-3-030-64378-2_10"},{"key":"2_CR9","unstructured":"Alwen, J., Hartmann, D., Kiltz, E., Mularczyk, M.: Server-aided continuous group key agreement. Cryptology ePrint Archive, Report 2021\/1456 (2021). https:\/\/eprint.iacr.org\/2021\/1456"},{"key":"2_CR10","doi-asserted-by":"publisher","unstructured":"Alwen, J., et al.: Keep the dirt: tainted treekem, adaptively and actively secure continuous group key agreement. In: 2021 IEEE Symposium on Security and Privacy, S &P, pp. 268\u2013284 (2021). https:\/\/doi.org\/10.1109\/SP40001.2021.00035. Full version: https:\/\/eprint.iacr.org\/2019\/1489","DOI":"10.1109\/SP40001.2021.00035"},{"key":"2_CR11","unstructured":"Alwen, J., Jost, D., Mularczyk, M.: On the insider security of MLS. Cryptology ePrint Archive, Paper 2020\/1327 (2020). https:\/\/eprint.iacr.org\/2020\/1327. Full version of this paper"},{"key":"2_CR12","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"424","DOI":"10.1007\/11863908_26","volume-title":"Computer Security \u2013 ESORICS 2006","author":"M Backes","year":"2006","unstructured":"Backes, M., D\u00fcrmuth, M., Hofheinz, D., K\u00fcsters, R.: Conditional reactive simulatability. In: Gollmann, D., Meier, J., Sabelfeld, A. (eds.) ESORICS 2006. LNCS, vol. 4189, pp. 424\u2013443. Springer, Heidelberg (2006). https:\/\/doi.org\/10.1007\/11863908_26"},{"key":"2_CR13","unstructured":"Barnes, R., Beurdouche, B., Millican, J., Omara, E., Cohn-Gordon, K., Robert, R.: The messaging layer security (MLS) protocol (draft-ietf-mls-protocol-12). Technical report, IETF, March 2020. https:\/\/datatracker.ietf.org\/doc\/draft-ietf-mls-protocol\/12\/"},{"key":"2_CR14","unstructured":"Barnes, R.: Subject: [MLS] Remove without double-join (in TreeKEM). MLS Mailing List, 06 August 2018. https:\/\/mailarchive.ietf.org\/arch\/msg\/mls\/Zzw2tqZC1FCbVZA9LKERsMIQXik"},{"key":"2_CR15","unstructured":"Barnes, R.: MLS Protocol Pull Requests #396: Authenticate group membership in MLSPlaintext, 18 August 2020. https:\/\/github.com\/mlswg\/mls-protocol\/pull\/396"},{"key":"2_CR16","unstructured":"Barnes, R.: MLS Protocol Pull Requests #416: Inlclude the signature in the confirmation tag, 18 August 2020. https:\/\/github.com\/mlswg\/mls-protocol\/pull\/416"},{"key":"2_CR17","unstructured":"Barnes, R.: Subject: [MLS] Proposal: Proposals (was: Laziness). MLS Mailing List, 22 August 2019. https:\/\/mailarchive.ietf.org\/arch\/msg\/mls\/5dmrkULQeyvNu5k3MV_sXreybj0\/"},{"key":"2_CR18","unstructured":"Bhargavan, K., Barnes, R., Rescorla, E.: TreeKEM: Asynchronous Decentralized Key Management for Large Dynamic Groups, May 2018. https:\/\/prosecco.inria.fr\/personal\/karthik\/pubs\/treekem.pdf. Published at https:\/\/mailarchive.ietf.org\/arch\/msg\/mls\/e3ZKNzPC7Gxrm3Wf0q96dsLZoD8"},{"key":"2_CR19","unstructured":"Bhargavan, K., Beurdouche, B., Naldurg, P.: Formal Models and Verified Protocols for Group Messaging: Attacks and Proofs for IETF MLS. Research report, Inria Paris, December 2019. https:\/\/hal.inria.fr\/hal-02425229"},{"key":"2_CR20","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"198","DOI":"10.1007\/978-3-030-64378-2_8","volume-title":"Theory of Cryptography","author":"A Bienstock","year":"2020","unstructured":"Bienstock, A., Dodis, Y., R\u00f6sler, P.: On the price of concurrency in group ratcheting protocols. In: Pass, R., Pietrzak, K. (eds.) TCC 2020, Part II. LNCS, vol. 12551, pp. 198\u2013228. Springer, Cham (2020). https:\/\/doi.org\/10.1007\/978-3-030-64378-2_8"},{"key":"2_CR21","doi-asserted-by":"publisher","unstructured":"Brzuska, C., Cornelissen, E., Kohbrok, K.: Security analysis of the MLS key derivation. In: 2022 IEEE Symposium on Security and Privacy, S &P, pp. 595\u2013613. IEEE Computer Society, Los Alamitos, May 2022. https:\/\/doi.org\/10.1109\/SP46214.2022.00035. https:\/\/doi.ieeecomputersociety.org\/10.1109\/SP46214.2022.00035","DOI":"10.1109\/SP46214.2022.00035"},{"key":"2_CR22","unstructured":"Bushing, Marcan, Segher, Sven: Console hacking 2010 \u2013 PS3 epic fail. In: 27th Chaos Communication Congress \u2013 27C3 (2010). https:\/\/fahrplan.events.ccc.de\/congress\/2010\/Fahrplan\/events\/4087.en.html"},{"key":"2_CR23","doi-asserted-by":"publisher","unstructured":"Canetti, R.: Universally composable security: a new paradigm for cryptographic protocols. In: 42nd FOCS, pp. 136\u2013145. IEEE Computer Society Press, October 2001. https:\/\/doi.org\/10.1109\/SFCS.2001.959888","DOI":"10.1109\/SFCS.2001.959888"},{"key":"2_CR24","doi-asserted-by":"publisher","unstructured":"Cohn-Gordon, K., Cremers, C., Garratt, L., Millican, J., Milner, K.: On ends-to-ends encryption: asynchronous group messaging with strong security guarantees. In: Lie, D., Mannan, M., Backes, M., Wang, X. (eds.) ACM CCS 2018, pp. 1802\u20131819. ACM Press, October 2018. https:\/\/doi.org\/10.1145\/3243734.3243747","DOI":"10.1145\/3243734.3243747"},{"key":"2_CR25","unstructured":"Cremers, C., Hale, B., Kohbrok, K.: The complexities of healing in secure group messaging: why cross-group effects matter. In: Bailey, M., Greenstadt, R. (eds.) USENIX Security 2021, pp. 1847\u20131864. USENIX Association, August 2021"},{"key":"2_CR26","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"587","DOI":"10.1007\/978-3-030-88428-4_29","volume-title":"Computer Security \u2013 ESORICS 2021","author":"J Devigne","year":"2021","unstructured":"Devigne, J., Duguey, C., Fouque, P.-A.: MLS group messaging: how zero-knowledge can secure updates. In: Bertino, E., Shulman, H., Waidner, M. (eds.) ESORICS 2021, Part II. LNCS, vol. 12973, pp. 587\u2013607. Springer, Cham (2021). https:\/\/doi.org\/10.1007\/978-3-030-88428-4_29"},{"key":"2_CR27","unstructured":"Emura, K., Kajita, K., Nojima, R., Ogawa, K., Ohtake, G.: Membership privacy for asynchronous group messaging. Cryptology ePrint Archive, Report 2022\/046 (2022). https:\/\/eprint.iacr.org\/2022\/046"},{"key":"2_CR28","doi-asserted-by":"crossref","unstructured":"Hashimoto, K., Katsumata, S., Postlethwaite, E., Prest, T., Westerbaan, B.: A concrete treatment of efficient continuous group key agreement via multi-recipient PKEs. In: Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, pp. 1441\u20131462 (2021)","DOI":"10.1145\/3460120.3484817"},{"key":"2_CR29","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"159","DOI":"10.1007\/978-3-030-17653-2_6","volume-title":"Advances in Cryptology \u2013 EUROCRYPT 2019","author":"D Jost","year":"2019","unstructured":"Jost, D., Maurer, U., Mularczyk, M.: Efficient ratcheting: almost-optimal guarantees for secure messaging. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019, Part I. LNCS, vol. 11476, pp. 159\u2013188. Springer, Cham (2019). https:\/\/doi.org\/10.1007\/978-3-030-17653-2_6"},{"key":"2_CR30","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"180","DOI":"10.1007\/978-3-030-36033-7_7","volume-title":"Theory of Cryptography","author":"D Jost","year":"2019","unstructured":"Jost, D., Maurer, U., Mularczyk, M.: A unified and composable take on ratcheting. In: Hofheinz, D., Rosen, A. (eds.) TCC 2019, Part II. LNCS, vol. 11892, pp. 180\u2013210. Springer, Cham (2019). https:\/\/doi.org\/10.1007\/978-3-030-36033-7_7"},{"key":"2_CR31","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"310","DOI":"10.1007\/3-540-44647-8_19","volume-title":"Advances in Cryptology \u2014 CRYPTO 2001","author":"H Krawczyk","year":"2001","unstructured":"Krawczyk, H.: The order of encryption and authentication for protecting communications (or: how secure is SSL?). In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 310\u2013331. Springer, Heidelberg (2001). https:\/\/doi.org\/10.1007\/3-540-44647-8_19"},{"key":"2_CR32","unstructured":"Miller, M.A.: Messaging layer security (MLS) WG - meeting minutes for IETF105, August 2019. https:\/\/datatracker.ietf.org\/doc\/minutes-105-mls\/"},{"key":"2_CR33","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"21","DOI":"10.1007\/978-3-540-70936-7_2","volume-title":"Theory of Cryptography","author":"S Panjwani","year":"2007","unstructured":"Panjwani, S.: Tackling adaptive corruptions in multicast encryption protocols. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 21\u201340. Springer, Heidelberg (2007). https:\/\/doi.org\/10.1007\/978-3-540-70936-7_2"},{"key":"2_CR34","unstructured":"Rescorla, E.: Subject: [MLS] TreeKEM: An alternative to ART. MLS Mailing List, 03 May 2018. https:\/\/mailarchive.ietf.org\/arch\/msg\/mls\/WRdXVr8iUwibaQu0tH6sDnqU1no"},{"key":"2_CR35","unstructured":"Sullivan, N.: Subject: [MLS] Virtual interim minutes. MLS Mailing List, 29 January 2020. https:\/\/mailarchive.ietf.org\/arch\/msg\/mls\/ZZAz6tXj-jQ8nccf7SyIwSnhivQ\/"},{"key":"2_CR36","unstructured":"Weidner, M.: Group messaging for secure asynchronous collaboration. MPhil dissertation, 2019. Advisors: A. Beresford and M. Kleppmann (2019). https:\/\/mattweidner.com\/acs-dissertation.pdf"}],"container-title":["Lecture Notes in Computer Science","Advances in Cryptology \u2013 CRYPTO 2022"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-031-15979-4_2","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,11]],"date-time":"2025-10-11T22:02:28Z","timestamp":1760220148000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/978-3-031-15979-4_2"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022]]},"ISBN":["9783031159787","9783031159794"],"references-count":36,"URL":"https:\/\/doi.org\/10.1007\/978-3-031-15979-4_2","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"value":"0302-9743","type":"print"},{"value":"1611-3349","type":"electronic"}],"subject":[],"published":{"date-parts":[[2022]]},"assertion":[{"value":"13 October 2022","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"CRYPTO","order":1,"name":"conference_acronym","label":"Conference Acronym","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Annual International Cryptology Conference","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Santa Barbara, CA","order":3,"name":"conference_city","label":"Conference City","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"USA","order":4,"name":"conference_country","label":"Conference Country","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2022","order":5,"name":"conference_year","label":"Conference Year","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"15 August 2022","order":7,"name":"conference_start_date","label":"Conference Start Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"18 August 2022","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"42","order":9,"name":"conference_number","label":"Conference Number","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"crypto2022","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"https:\/\/crypto.iacr.org\/2022\/","order":11,"name":"conference_url","label":"Conference URL","group":{"name":"ConferenceInfo","label":"Conference Information"}}]}}