{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,6]],"date-time":"2026-05-06T17:13:22Z","timestamp":1778087602618,"version":"3.51.4"},"publisher-location":"Cham","reference-count":44,"publisher":"Springer Nature Switzerland","isbn-type":[{"value":"9783032253163","type":"print"},{"value":"9783032253170","type":"electronic"}],"license":[{"start":{"date-parts":[[2026,1,1]],"date-time":"2026-01-01T00:00:00Z","timestamp":1767225600000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"},{"start":{"date-parts":[[2026,1,1]],"date-time":"2026-01-01T00:00:00Z","timestamp":1767225600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2026]]},"DOI":"10.1007\/978-3-032-25317-0_1","type":"book-chapter","created":{"date-parts":[[2026,5,6]],"date-time":"2026-05-06T16:29:28Z","timestamp":1778084968000},"page":"3-33","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":0,"title":["ETK: External-Operations TreeKEM and\u00a0the\u00a0Security of\u00a0MLS in\u00a0$$\\text {RFC}$$ \u00a0$$\\text {9420}$$"],"prefix":"10.1007","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-0322-2293","authenticated-orcid":false,"given":"Cas","family":"Cremers","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-6672-4253","authenticated-orcid":false,"given":"Esra","family":"G\u00fcnsay","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0002-8481-9103","authenticated-orcid":false,"given":"Vera","family":"Wesselkamp","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0002-4720-6551","authenticated-orcid":false,"given":"Mang","family":"Zhao","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"297","published-online":{"date-parts":[[2026,5,7]]},"reference":[{"key":"1_CR1","doi-asserted-by":"crossref","unstructured":"Alwen, J., Coretti, S., Dodis, Y., Tselekounis, Y.: Modular design of secure group messaging protocols and the security of MLS. In: Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security. November 2021","DOI":"10.1145\/3460120.3484820"},{"key":"1_CR2","doi-asserted-by":"publisher","unstructured":"Alwen, J., Coretti, S., Dodis, Y., Tselekounis, Y.: Security Analysis and Improvements for the IETF MLS Standard for Group Messaging. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12170, pp. 248\u2013277. Springer, Cham (2020). https:\/\/doi.org\/10.1007\/978-3-030-56784-2_9","DOI":"10.1007\/978-3-030-56784-2_9"},{"key":"1_CR3","doi-asserted-by":"crossref","unstructured":"Alwen, J., Coretti, S., Jost, D., Mularczyk, M.: Continuous group key agreement with active security. In: Theory of Cryptography, vol. 12551. Springer, Cham (2020)","DOI":"10.1007\/978-3-030-64378-2_10"},{"key":"1_CR4","doi-asserted-by":"crossref","unstructured":"Alwen, J., Jost, D., Mularczyk, M.: On the Insider Security of MLS. In: Advances in Cryptology \u2013 CRYPTO 2022. Springer, Cham (2022)","DOI":"10.1007\/978-3-031-15979-4_2"},{"key":"1_CR5","doi-asserted-by":"crossref","unstructured":"Aranha, D.F., Novaes, F.R., Takahashi, A., Tibouchi, M., Yarom, Y.: LadderLeak: breaking ECDSA with less than one bit of nonce leakage. In: Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security (2020)","DOI":"10.1145\/3372297.3417268"},{"key":"1_CR6","doi-asserted-by":"crossref","unstructured":"Auerbach, B., Noval, M.C., Erol, B., Pietrzak, K.: Continuous group-key agreement: concurrent updates without pruning. In: Advances in Cryptology - CRYPTO 2025. Springer (2025)","DOI":"10.1007\/978-3-032-01913-4_5"},{"key":"1_CR7","unstructured":"Barnes, R.: How Messaging Layer Security Enables Scalable End-to-End Security in Webex. https:\/\/blog.webex.com\/hybrid-work\/scalable-end-toend-security-in-webex\/. Accessed 1 Oct 2025. WebEx Blog"},{"key":"1_CR8","unstructured":"Barnes, R., Beurdouche, B., Millican, J., Omara, E., Cohn-Gordon, K., Robert, R.: The Messaging Layer Security (MLS) Protocol (Draft 07). Internet-Draft. Internet Engineering Task Force"},{"key":"1_CR9","volume-title":"The Messaging Layer Security (MLS) Protocol (Draft 08)","author":"R Barnes","year":"2019","unstructured":"Barnes, R., Beurdouche, B., Millican, J., Omara, E., Cohn-Gordon, K., Robert, R.: The Messaging Layer Security (MLS) Protocol (Draft 08). Internet-Draft, Internet Engineering Task Force (2019)"},{"key":"1_CR10","volume-title":"The Messaging Layer Security (MLS) Protocol (Draft 09)","author":"R Barnes","year":"2020","unstructured":"Barnes, R., Beurdouche, B., Millican, J., Omara, E., Cohn-Gordon, K., Robert, R.: The Messaging Layer Security (MLS) Protocol (Draft 09). Internet-Draft, Internet Engineering Task Force (2020a)"},{"key":"1_CR11","volume-title":"The Messaging Layer Security (MLS) Protocol (Draft 10)","author":"R Barnes","year":"2020","unstructured":"Barnes, R., Beurdouche, B., Millican, J., Omara, E., Cohn-Gordon, K., Robert, R.: The Messaging Layer Security (MLS) Protocol (Draft 10). Internet-Draft, Internet Engineering Task Force (2020b)"},{"key":"1_CR12","doi-asserted-by":"crossref","unstructured":"Barnes, R., Beurdouche, B., Robert, R., Millican, J., Omara, E., Cohn-Gordon, K.: The Messaging Layer Security (MLS) Protocol. https:\/\/www.rfc-editor.org\/info\/rfc9420 (RFC 9420), July 2023","DOI":"10.17487\/RFC9420"},{"key":"1_CR13","unstructured":"Barnes, R., Beurdouche, B., Robert, R., Millican, J., Omara, E., Cohn-Gordon, K.: The Messaging Layer Security (MLS) Protocol (Draft 12). Internet Engineering Task Force, 11 Oct 2021"},{"key":"1_CR14","volume-title":"The Messaging Layer Security (MLS) Protocol (Draft 13)","author":"R Barnes","year":"2022","unstructured":"Barnes, R., Beurdouche, B., Robert, R., Millican, J., Omara, E., Cohn-Gordon, K.: The Messaging Layer Security (MLS) Protocol (Draft 13). Internet-Draft, Internet Engineering Task Force (2022a)"},{"key":"1_CR15","doi-asserted-by":"crossref","unstructured":"Barnes, R., Beurdouche, B., Robert, R., Millican, J., Omara, E., Cohn-Gordon, K.: The Messaging Layer Security (MLS) Protocol (Draft 15). Internet-Draft. Internet Engineering Task Force, June 2022","DOI":"10.17487\/RFC9420"},{"key":"1_CR16","volume-title":"The Messaging Layer Security (MLS) Protocol (Draft 17)","author":"R Barnes","year":"2022","unstructured":"Barnes, R., Beurdouche, B., Robert, R., Millican, J., Omara, E., Cohn-Gordon, K.: The Messaging Layer Security (MLS) Protocol (Draft 17). Internet-Draft, Internet Engineering Task Force (2022c)"},{"key":"1_CR17","volume-title":"The Messaging Layer Security (MLS) Protocol (Draft 00)","author":"R Barnes","year":"2018","unstructured":"Barnes, R., Millican, J., Omara, E., Cohn-Gordon, K., Robert, R.: The Messaging Layer Security (MLS) Protocol (Draft 00). Tech. rep, Internet Engineering Task Force (2018a)"},{"key":"1_CR18","volume-title":"The Messaging Layer Security (MLS) Protocol (Draft 02)","author":"R Barnes","year":"2018","unstructured":"Barnes, R., Millican, J., Omara, E., Cohn-Gordon, K., Robert, R.: The Messaging Layer Security (MLS) Protocol (Draft 02). Tech. rep, Internet Engineering Task Force (2018b)"},{"key":"1_CR19","unstructured":"Bhargavan, K., Beurdouche, B., Naldurg, P.: Formal models and verified protocols for group messaging: attacks and proofs for IETF MLS. In: Doctoral dissertation, Inria Paris (2019)"},{"key":"1_CR20","unstructured":"Bhargavan, K., Beurdouche, B., Naldurg, P.: Formal Models and Verified Protocols for Group Messaging: Attacks and Proofs for IETF MLS. [Research Report] Inria Paris, ffhal-02425229f (2019). https:\/\/inria.hal.science\/hal-02425229v1\/file\/mls-treekem.pdf"},{"key":"1_CR21","doi-asserted-by":"crossref","unstructured":"Brendel, J., Cremers, C., Jackson, D., Zhao, M.: The Provable Security of Ed25519: Theory and Practice. Cryptology ePrint Archive, Paper 2020\/823 (2020)","DOI":"10.1109\/SP40001.2021.00042"},{"key":"1_CR22","doi-asserted-by":"crossref","unstructured":"Brzuska, C., Cornelissen, E., Kohbrok, K.: Security analysis of the MLS key derivation. In: 2022 IEEE Symposium on Security and Privacy (SP). 2022 IEEE Symposium on Security and Privacy (SP), May 2022","DOI":"10.1109\/SP46214.2022.9833678"},{"key":"1_CR23","doi-asserted-by":"crossref","unstructured":"Canetti, R.: Universally composable security: a new paradigm for cryptographic protocols. In: Proceedings 42nd IEEE Symposium on Foundations of Computer Science (2001)","DOI":"10.1109\/SFCS.2001.959888"},{"key":"1_CR24","doi-asserted-by":"crossref","unstructured":"Chevalier, C., Lebrun, G., Martinelli, A., Taleb, A.R.: Quarantined-TreeKEM: a continuous group key agreement for MLS, secure in presence of inactive users. In: Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security, CCS \u201924 (2024)","DOI":"10.1145\/3658644.3690265"},{"key":"1_CR25","unstructured":"Cisco. Cisco\/MLSPP. https:\/\/github.com\/cisco\/mlspp. Accessed 1 Oct 2025. Cisco Systems"},{"key":"1_CR26","doi-asserted-by":"crossref","unstructured":"Cohn-Gordon, K., Cremers, C., Garratt, L.: On post-compromise security. In: 2016 IEEE 29th Computer Security Foundations Symposium (CSF)","DOI":"10.1109\/CSF.2016.19"},{"key":"1_CR27","doi-asserted-by":"crossref","unstructured":"Cohn-Gordon, K., Cremers, C., Garratt, L., Millican, J., Milner, K.: On ends-to-ends encryption: asynchronous group messaging with strong security guarantees. In: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, 15 Oct 2018","DOI":"10.1145\/3243734.3243747"},{"key":"1_CR28","unstructured":"Cremers, C., G\u00fcnsay, E., Wesselkamp, V., Zhao, M.: ETK: External-Operations TreeKEM and the Security of MLS in RFC 9420. Cryptology ePrint Archive, Paper 2025\/229 (2025)"},{"key":"1_CR29","unstructured":"Cremers, C., Hale, B., Kohbrok, K.: The complexities of healing in secure group messaging: why cross-group effects matter. In: Proceedings of the 30th USENIX Security Symposium (2021)"},{"key":"1_CR30","doi-asserted-by":"crossref","unstructured":"Cremers, C., Jacomme, C., Lukert, P.: Subterm-based proof techniques for improving the automation and scope of security protocol analysis. In: 2023 IEEE 36th Computer Security Foundations Symposium (CSF) (2023)","DOI":"10.1109\/CSF57540.2023.00001"},{"key":"1_CR31","doi-asserted-by":"crossref","unstructured":"Cremers, C., Medinger, N., Naska, A.: Impossibility results for post-compromise security in real-world communication systems. In: 46th IEEE Symposium on Security and Privacy (2025)","DOI":"10.1109\/SP61157.2025.00229"},{"key":"1_CR32","unstructured":"Discord, S.B.: Meet DAVE: Discord\u2019s New End-to-End Encryption for Audio & Video (2025). https:\/\/discord.com\/blog\/meet-dave-e2ee-for-audio-video. Accessed 1 Oct 2025"},{"key":"1_CR33","unstructured":"Internet Engineering Task Force. MLS RFC 9420 Datatracker (2025). https:\/\/datatracker.ietf.org\/doc\/rfc9420\/"},{"key":"1_CR34","unstructured":"Tom Van Pelt (GSMA). RCS Encryption: A Leap Towards Secure and Interoperable Messaging, March 2025. https:\/\/www.gsma.com\/newsroom\/article\/rcs-encryption-a-leap-towards-secure-and-interoperable-messaging\/. Accessed 1 Oct 2025"},{"key":"1_CR35","unstructured":"Hodgson, M.: Chathi: a giant leap forwards for encryption with MLS, 18 July 2023. https:\/\/matrix.org\/blog\/2023\/07\/a-giant-leap-with-mls\/. Accessed 1 Oct 2025. [matrix]"},{"key":"1_CR36","doi-asserted-by":"crossref","unstructured":"Klein, K., et al.: Keep the dirt: tainted TreeKEM, adaptively and actively secure continuous group key agreement. In: 2021 IEEE Symposium on Security and Privacy (SP) (2021)","DOI":"10.1109\/SP40001.2021.00035"},{"key":"1_CR37","unstructured":"AWS Labs. Awslabs\/MLS-RS: An Implementation of Messaging Layer Security (RFC). https:\/\/github.com\/awslabs\/mls-rs\/tree\/main. Accessed 1 Oct 2025. GitHub (2023)"},{"key":"1_CR38","unstructured":"Mahy, R.: More Instant Messaging Interoperability (MIMI) Message Content (Draft 06). Internet Draft. https:\/\/datatracker.ietf.org\/doc\/draft-ietf-mimi-content. Internet Engineering Task Force (2024)"},{"key":"1_CR39","unstructured":"RingCentral. Security Features (2025). https:\/\/www.ringcentral.com\/trust-center\/secure-features.html. Accessed Oct. 2025"},{"key":"1_CR40","doi-asserted-by":"publisher","unstructured":"Stern, J., Pointcheval, D., Malone-Lee, J., Smart, N.P.: Flaws in Applying Proof Methodologies to Signature Schemes. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 93\u2013110. Springer, Heidelberg (2002).https:\/\/doi.org\/10.1007\/3-540-45708-9_7","DOI":"10.1007\/3-540-45708-9_7"},{"key":"1_CR41","unstructured":"Wallez, T., Jonathan, B.B., Bhargavan. K.: TreeSync: authenticated group management for messaging layer security. In: 32nd USENIX Security Symposium. (USENIX Security 23) (2023)"},{"key":"1_CR42","doi-asserted-by":"crossref","unstructured":"Wallez, T., Protzenko, J., Bhargavan, K.: TreeKEM: A Modular Machine-Checked Symbolic Security Analysis of Group Key Agreement in Messaging Layer Security. Cryptology ePrint Archive, Paper 2025\/410 (2025)","DOI":"10.1109\/SP61157.2025.00228"},{"key":"1_CR43","unstructured":"Wire. Messaging Layer Security (MLS) (2025). https:\/\/support.wire.com\/hc\/en-us\/articles\/12434725011485-Messaging-Layer-Security-MLS. Accessed 1 Oct 2025"},{"key":"1_CR44","unstructured":"XMTP. Messaging security properties with XMTP (2025). https:\/\/docs.xmtp.org\/protocol\/security. Accessed 1 Oct 2025"}],"container-title":["Lecture Notes in Computer Science","Advances in Cryptology \u2013 EUROCRYPT 2026"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-032-25317-0_1","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,5,6]],"date-time":"2026-05-06T16:29:46Z","timestamp":1778084986000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/978-3-032-25317-0_1"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026]]},"ISBN":["9783032253163","9783032253170"],"references-count":44,"URL":"https:\/\/doi.org\/10.1007\/978-3-032-25317-0_1","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"value":"0302-9743","type":"print"},{"value":"1611-3349","type":"electronic"}],"subject":[],"published":{"date-parts":[[2026]]},"assertion":[{"value":"7 May 2026","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"EUROCRYPT","order":1,"name":"conference_acronym","label":"Conference Acronym","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Annual International Conference on the Theory and Applications of Cryptographic Techniques","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Rome","order":3,"name":"conference_city","label":"Conference City","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Italy","order":4,"name":"conference_country","label":"Conference Country","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2026","order":5,"name":"conference_year","label":"Conference Year","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"10 May 2026","order":7,"name":"conference_start_date","label":"Conference Start Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"14 May 2026","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"45","order":9,"name":"conference_number","label":"Conference Number","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"eurocrypt2026","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"https:\/\/eurocrypt.iacr.org\/2026\/","order":11,"name":"conference_url","label":"Conference URL","group":{"name":"ConferenceInfo","label":"Conference Information"}}]}}