Oddbean

Fact 1 : In one-on-one chat mode, the Signal protocol does not require an additional message (regardless of what it is called, to the relay it's just a note) to operate the DH ratchet and achieve backward secrecy of messages. Fact 2: MLS protocol requires such a message (regardless of what it is called, to the relay it's just a note) to update the ratchet tree to achieve backward secrecy of messages. Our opinion: We believe this is a key difference, especially from the relay's perspective, as Signal is more efficient in one-on-one chat mode. Signal protocol is designed ofor one-on-one chats, whereas the MLS protocol is designed for large-scale group chats.