JeffG on Nostr: Signal uses the signal protocol which has the famous “double ratchet” which is ...
Signal uses the signal protocol which has the famous “double ratchet” which is just two separate key derivation functions combined in a novel way.
Signal can only do groups by pair-wise encrypting each message to each participant. E.g. you send a message in a group of 5 people (incl you) and you have to individually encrypt your message to each of the other 4 participants (because you only have shared state with each group member) and send each message to relays.
MLS uses a binary tree structure of keys. In a sense, it has more than 2 ratchets but that's not really the point - more ratchets isn't necessarily better. The important part about MLS is that the group's shared state (incl who is in it) is cryptographically guaranteed at all times. And there are ways to use this shared group state (and keys) to encrypt group messages once that can be decrypted by the entire group. So it's SUPER efficient with very large groups. It also gives you that state guarantee.
The MLS protocol was designed several years after Signal (and is someone influenced by the Signal protocol's design).
I started out by trying to solve this with the signal protocol but the response on my initial NIP was that groups were critically important, so I went back to the drawing board and I'm happy I did.
Signal can only do groups by pair-wise encrypting each message to each participant. E.g. you send a message in a group of 5 people (incl you) and you have to individually encrypt your message to each of the other 4 participants (because you only have shared state with each group member) and send each message to relays.
MLS uses a binary tree structure of keys. In a sense, it has more than 2 ratchets but that's not really the point - more ratchets isn't necessarily better. The important part about MLS is that the group's shared state (incl who is in it) is cryptographically guaranteed at all times. And there are ways to use this shared group state (and keys) to encrypt group messages once that can be decrypted by the entire group. So it's SUPER efficient with very large groups. It also gives you that state guarantee.
The MLS protocol was designed several years after Signal (and is someone influenced by the Signal protocol's design).
I started out by trying to solve this with the signal protocol but the response on my initial NIP was that groups were critically important, so I went back to the drawing board and I'm happy I did.