No, MLS is suitable for large-scale group chats but not for one-on-one chats and small group chats.
If MLS is used for one-on-one chats, in order to achieve forward secrecy and backward secrecy, MLS requires a special message to update the group key, and then the normal message can be sent.
However, in the Signal protocol, the content needed to update the encryption key is attached to the normal message.
That’s misleading. There is a “message” that is sent between clients to ratchet the group forward and provide forward secrecy between epochs (when the full ratchet tree is refreshed); however, the user doesn’t have to think about that at all, and it happens on a regular basis in any normal 1-1 or group chat.
There is also another layer of forward secrecy that is provided by the message keys themselves (basically using the same mechanic as Signal).
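The second layer mentioned here, message keys derived from a hash chain, can be shown with a small worked example. This is an added illustration and not code from the thread or from any of the projects discussed: it implements a symmetric-key ratchet of the kind the Double Ratchet uses (HMAC-SHA256 with constant inputs, which is an assumption about the construction; the real protocols use their own KDF parameters). The seed value is constructed for the example.

```python
import hmac
import hashlib
from typing import List, Tuple

# Constant KDF inputs: one label derives the next chain key, the other the
# per-message key. Any fixed, distinct labels work; these are assumptions.
CHAIN_LABEL = b"\x02"
MESSAGE_LABEL = b"\x01"


def kdf_chain(chain_key: bytes) -> Tuple[bytes, bytes]:
    """One step of a symmetric-key ratchet.

    Returns (next_chain_key, message_key). The chain key is replaced after
    each step, and the message key is used once for one message and then
    deleted by the sender and receiver.
    """
    next_chain_key = hmac.new(chain_key, CHAIN_LABEL, hashlib.sha256).digest()
    message_key = hmac.new(chain_key, MESSAGE_LABEL, hashlib.sha256).digest()
    return next_chain_key, message_key


def derive_message_keys(initial_chain_key: bytes, n: int) -> Tuple[bytes, List[bytes]]:
    """Ratchet the chain n times, returning the final chain key and the n
    message keys in order. The sender keeps only the final chain key."""
    chain_key = initial_chain_key
    keys: List[bytes] = []
    for _ in range(n):
        chain_key, message_key = kdf_chain(chain_key)
        keys.append(message_key)
    return chain_key, keys


def can_recover_from_current_state(current_chain_key: bytes, target_key: bytes, steps: int = 64) -> bool:
    """Model a compromise of the current chain key only: the attacker can
    ratchet forward, so keys for future messages are exposed, but past
    message keys cannot be reproduced because the KDF is one-way."""
    chain_key = current_chain_key
    for _ in range(steps):
        chain_key, message_key = kdf_chain(chain_key)
        if message_key == target_key:
            return True
    return False


def seal(message_key: bytes, plaintext: bytes) -> bytes:
    """Attach an HMAC tag using the message key (authentication only; a real
    implementation would use an AEAD for confidentiality as well)."""
    return hmac.new(message_key, plaintext, hashlib.sha256).digest() + plaintext


def open_sealed(message_key: bytes, sealed: bytes) -> bytes:
    tag, plaintext = sealed[:32], sealed[32:]
    expected = hmac.new(message_key, plaintext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad tag")
    return plaintext


if __name__ == "__main__":
    seed = hashlib.sha256(b"constructed example seed").digest()  # constructed, not a real key
    final_chain, keys = derive_message_keys(seed, 5)
    for i, k in enumerate(keys):
        print(i, k.hex()[:16], can_recover_from_current_state(final_chain, k))
```

The last loop prints `False` for every earlier message key: holding only the current chain key gives no way back to keys already used, which is the forward-secrecy property provided by this layer on its own. What the hash chain does not give is post-compromise (backward) security; that needs the fresh DH material introduced by the other ratchet, which is the layer the rest of the thread is arguing about.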
Fact 1:
In one-on-one chat mode, the Signal protocol does not require an additional message (regardless of what it is called, to the relay it's just a note) to operate the DH ratchet and achieve backward secrecy of messages.
Fact 2:
MLS protocol requires such a message (regardless of what it is called, to the relay it's just a note) to update the ratchet tree to achieve backward secrecy of messages.
Our opinion:
We believe this is a key difference, especially from the relay's perspective, as Signal is more efficient in one-on-one chat mode.
Signal protocol is designed for one-on-one chats, whereas the MLS protocol is designed for large-scale group chats.
Ok. We’ll just have to agree to disagree.
Do you all have a spec or draft NIP about what events you’re using and how they’re structured?
🤝
The reason we emphasize the additional message in MLS is because we use postage to solve spam issues, so an extra message means users have to pay for an extra stamp.
The MLS protocol is very complex, and we need a lot of time to understand it; we haven’t started working on MLS groups yet. Next week, Keychat will support both small and medium groups. Perhaps the medium group will eventually be replaced by a large group based on MLS. Much of what we are doing now is experimental, since Keychat hasn’t been added to the app stores yet, and we can continue to experiment.
If you’re asking about the spec for Keychat’s one-on-one chats, we haven’t written it yet. However, the code has already been open-sourced. Regarding one-on-one messages, we want to emphasize that although the nostr protocol and Signal protocol use different encryption suites, when we encrypt messages using the Signal protocol, we do not alter any encryption suites.