Doesn't MLS cover all bases?
Discussion
No, MLS is suitable for large-scale group chats but not for one-on-one chats and small group chats.
If MLS is used for one-on-one chats, in order to achieve forward secrecy and backward secrecy, MLS requires a special message to update the group key, and then the normal message can be sent.
However, in the Signal protocol, the content needed to update the encryption key is attached to the normal message.
That’s misleading. There is a “message” that is sent between clients to ratchet the group forward and provide forward secrecy between epochs (when the full ratchet tree is refreshed); however, the user doesn’t have to think about that at all, and it happens on a regular basis in any normal 1-1 or group chat.
There is also another layer of forward secrecy that is provided by the message keys themselves (basically using the same mechanic as Signal).
Fact 1:
In one-on-one chat mode, the Signal protocol does not require an additional message (regardless of what it is called, to the relay it's just a note) to operate the DH ratchet and achieve backward secrecy of messages.
Fact 2:
MLS protocol requires such a message (regardless of what it is called, to the relay it's just a note) to update the ratchet tree to achieve backward secrecy of messages.
Our opinion:
We believe this is a key difference, especially from the relay's perspective, as Signal is more efficient in one-on-one chat mode.
The Signal protocol is designed for one-on-one chats, whereas the MLS protocol is designed for large-scale group chats.
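To make the "no extra message" point concrete, here is a toy Double Ratchet in the Signal style, added as an example to this thread and not taken from either protocol's implementation or from any poster. The sender's current DH ratchet public key rides in the header of every ordinary message, so the receiver performs its DH ratchet step on arrival and the relay only ever sees one note per chat message. The DH group (a 127-bit Mersenne prime, constructed for illustration), the HMAC-based KDFs and the XOR "cipher" are stand-ins for X25519, HKDF and an AEAD; the shared secret is a constructed placeholder for an X3DH output.

```python
"""Toy Signal-style Double Ratchet: the DH ratchet key is piggybacked on
normal messages, so no separate key-update message reaches the relay.
Added example; the group, KDFs and cipher are constructed stand-ins."""
import hashlib
import hmac
import secrets

P = 2**127 - 1   # toy DH modulus (Mersenne prime); constructed, not a real group
G = 3


def dh_keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh(priv, pub):
    return pow(pub, priv, P).to_bytes(16, "big")


def kdf_rk(root_key, dh_out):
    """Root KDF: absorb a fresh DH output, return (new root key, new chain key)."""
    out = hmac.new(root_key, b"rk" + dh_out, hashlib.sha512).digest()
    return out[:32], out[32:]


def kdf_ck(chain_key):
    """Symmetric-key ratchet: return (next chain key, message key)."""
    return (hmac.new(chain_key, b"\x02", hashlib.sha256).digest(),
            hmac.new(chain_key, b"\x01", hashlib.sha256).digest())


def toy_encrypt(msg_key, data):
    """XOR with a SHAKE keystream; stands in for an AEAD and is NOT secure."""
    stream = hashlib.shake_256(msg_key + b"stream").digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


class Party:
    def __init__(self, root_key, dh_pair, peer_pub=None):
        self.rk = root_key
        self.dhs = dh_pair          # own current ratchet key pair (priv, pub)
        self.dhr = peer_pub         # peer's latest ratchet public key seen
        self.cks = self.ckr = None  # sending / receiving chain keys
        self.dh_steps = 0           # how many DH ratchet steps this side performed
        if peer_pub is not None:    # initiator already knows a peer key: start sending chain
            self.rk, self.cks = kdf_rk(self.rk, dh(self.dhs[0], peer_pub))

    def send(self, plaintext):
        self.cks, mk = kdf_ck(self.cks)
        # Header carries our ratchet public key: the key update IS the message.
        return self.dhs[1], toy_encrypt(mk, plaintext)

    def receive(self, header_pub, ciphertext):
        if header_pub != self.dhr:  # peer rotated its ratchet key: do our DH step now
            self.dhr = header_pub
            self.rk, self.ckr = kdf_rk(self.rk, dh(self.dhs[0], self.dhr))
            self.dhs = dh_keypair()  # fresh key pair for our next sending chain
            self.rk, self.cks = kdf_rk(self.rk, dh(self.dhs[0], self.dhr))
            self.dh_steps += 1
        self.ckr, mk = kdf_ck(self.ckr)
        return toy_encrypt(mk, ciphertext)


def run_conversation():
    """Alice and Bob exchange four messages through a counting relay.
    Returns (messages the relay saw, total DH ratchet steps, all decrypted ok)."""
    sk = hashlib.sha256(b"constructed X3DH output").digest()  # placeholder shared secret
    bob_pair = dh_keypair()
    bob = Party(sk, bob_pair)
    alice = Party(sk, dh_keypair(), peer_pub=bob_pair[1])
    script = [(alice, bob, b"hi bob"), (alice, bob, b"second msg"),
              (bob, alice, b"hi alice"), (alice, bob, b"ratchet again")]
    relayed = 0
    ok = True
    for sender, receiver, text in script:
        header, ct = sender.send(text)
        relayed += 1  # the relay sees exactly one note per chat message
        ok = ok and receiver.receive(header, ct) == text
    return relayed, alice.dh_steps + bob.dh_steps, ok


if __name__ == "__main__":
    print(run_conversation())  # (4, 3, True)
```

Four chat messages cross the relay, yet three DH ratchet steps happen (Bob on Alice's first message, Alice on Bob's reply, Bob on Alice's next message), each driven only by the public key in the header of an ordinary message. The MLS counterpart of those three steps would be Commit messages that the relay has to carry in addition to the application messages; both designs give forward and post-compromise secrecy, the difference the thread is arguing about is purely how many notes the relay handles.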
Ok. We’ll just have to agree to disagree.
Do you all have a spec or draft NIP about what events you’re using and how they’re structured?
Yes. It does cover all three. In a highly efficient way, without any central coordinator or server.