Message Layer Security (MLS) is a cryptographic protocol standardized by the IETF to provide efficient, scalable end-to-end encryption for groups ranging from two to thousands of participants. Unlike legacy group chat protocols that rely on a central server to re-encrypt messages for each recipient, MLS uses an asynchronous ratcheting tree to enable members to derive shared group keys independently, drastically reducing computational overhead and eliminating the server as a single point of trust.
Glossary
Message Layer Security (MLS)

What is Message Layer Security (MLS)?
Message Layer Security (MLS) is an IETF standard (RFC 9420) for end-to-end encryption in group messaging, providing forward secrecy and post-compromise security for asynchronous communication.
MLS delivers critical security properties including Forward Secrecy (compromised keys cannot decrypt past messages) and Post-Compromise Security (a compromised member is healed out of the group automatically). By operating at the application layer, it is transport-agnostic, making it the foundational encryption layer for secure inter-agent communication in federated systems, WebRTC conferencing, and enterprise messaging platforms.
Core Cryptographic Properties of MLS
Message Layer Security (MLS) provides a modern, formally verified protocol for end-to-end encryption in groups, designed to overcome the scalability and security limitations of older schemes. Its architecture delivers critical cryptographic guarantees essential for secure inter-agent communication.
Asynchronous Operation
MLS is designed for asynchronous messaging, meaning participants do not need to be online simultaneously to exchange messages or perform key updates. This is achieved through a Delivery Service (DS) that stores and forwards handshake messages and ciphertexts. An agent can publish a cryptographic update to the DS, and other members process it when they next come online. This decouples communication from real-time coordination, making it ideal for autonomous agent meshes where agents operate on independent schedules and network connectivity is intermittent.
Forward Secrecy (FS)
MLS guarantees forward secrecy by continuously ratcheting the symmetric encryption keys used to protect messages. Each time a sender commits a new message, they derive a fresh symmetric key from an evolving key schedule. If an attacker later compromises a device's long-term identity key, they cannot retroactively decrypt previously recorded ciphertexts because the ephemeral key material used to encrypt those past messages has already been securely deleted. This property ensures that the confidentiality of historical agent communications remains intact even after a future key breach.
Post-Compromise Security (PCS)
Beyond forward secrecy, MLS provides post-compromise security (also known as future secrecy or self-healing). If an attacker compromises an agent's current keying material, they can decrypt subsequent messages only until the next honest agent performs a key update. When any group member sends a message with an UpdatePath, they inject new, uncompromised entropy into the group's shared secret state. This cryptographic action heals the group, permanently evicting the passive attacker and restoring confidentiality for all future messages without requiring a full group re-initialization.
Group Key Agreement via TreeKEM
MLS uses a TreeKEM (Tree-based Key Encapsulation Mechanism) for scalable group key agreement. Members are arranged as leaves in a ratchet tree, a binary tree structure where each node holds a public-private key pair. The root node's private key is the shared group secret. When membership changes, only log(n) nodes along the path to the root need to be updated, rather than the entire group. This logarithmic scaling allows MLS to efficiently handle groups with thousands of agents, making it suitable for large-scale agent swarms.
Formal Verification & Security Proofs
The MLS protocol was designed with formal security analysis as a core requirement. The specification includes a detailed, machine-verified proof of its security properties in the Universal Composability (UC) framework. This rigorous mathematical treatment provides high assurance that the protocol resists a wide range of attacks, including insider threats and complex key compromise scenarios. For security architects deploying agentic systems, this formal verification reduces the risk of subtle protocol flaws that have historically plagued custom or ad-hoc group messaging solutions.
Scalable Dynamic Groups
MLS natively supports highly dynamic groups with efficient member addition, removal, and update operations. Adding a new agent requires only O(log n) cryptographic operations, not O(n) as in many legacy protocols. Critically, member removal provides cryptographic eviction: a removed agent is cryptographically excluded from decrypting any future messages, even if they collude with other removed members. This is essential for agentic systems where compromised or decommissioned agents must be securely and permanently expelled from the communication mesh without re-keying the entire network.
Frequently Asked Questions
Clear, technical answers to the most common questions about the Message Layer Security (MLS) protocol, its cryptographic foundations, and its role in securing modern group communication.
Message Layer Security (MLS) is an IETF standard (RFC 9420) for end-to-end encryption in group messaging applications. It provides forward secrecy and post-compromise security for asynchronous communication. MLS operates by maintaining a shared, continuously evolving group state called a ratchet tree. When a member sends a message, they derive symmetric encryption keys from the tree's root secret. When membership changes—a user joins or leaves—the tree is updated via a commit operation, which distributes new public keys to the group. This process ensures that a new member cannot decrypt messages sent before they joined, and a removed member cannot decrypt messages sent after their removal. Unlike older protocols like Signal's Double Ratchet optimized for two parties, MLS scales efficiently to groups of thousands by using logarithmic tree operations, making it the modern standard for secure large-scale group chat, voice, and video calling.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Essential protocols and concepts that complement Message Layer Security in building a complete secure inter-agent communication architecture.
Mutual TLS (mTLS)
A transport-layer protocol where both client and server present X.509 certificates for bidirectional authentication. Unlike standard TLS, mTLS ensures each party cryptographically proves its identity before establishing an encrypted channel. This provides channel security below the application layer, while MLS operates at the messaging layer above. In agent mesh networks, mTLS secures the point-to-point transport, while MLS handles group key management and end-to-end encryption across multiple hops.
Forward Secrecy
A critical security property where compromise of a long-term key does not reveal past session keys. MLS achieves this through continuous ratcheting of ephemeral keys. Each message in an MLS group uses a unique symmetric key derived from a ratchet tree structure. If an attacker later compromises a node's private key, all previously encrypted messages remain secure. This is essential for asynchronous agent communication where messages may be stored or queued for extended periods before delivery.
Noise Protocol Framework
A framework for constructing cryptographic protocols from Diffie-Hellman key agreement primitives. Noise patterns define handshake sequences that provide forward secrecy, identity hiding, and mutual authentication. MLS draws conceptual lineage from Noise's approach to modular protocol composition. While Noise excels at point-to-point channels, MLS extends similar cryptographic principles to group settings. Understanding Noise helps architects appreciate the cryptographic foundations underlying MLS's group key ratcheting mechanisms.
AEAD Primitives
Authenticated Encryption with Associated Data is the cryptographic workhorse MLS uses for message protection. AEAD simultaneously provides:
- Confidentiality: message contents remain secret
- Integrity: tampering is detectable
- Authenticity: only group members can encrypt MLS implementations typically use AES-GCM or ChaCha20-Poly1305. The associated data binds ciphertext to group context, preventing cross-group replay attacks where an attacker might attempt to inject a valid message from one group into another.
Post-Compromise Security
A property where a compromised participant can be healed back into the secure group without requiring a complete restart. MLS achieves this through its Continuous Group Key Agreement protocol. When a member is compromised and subsequently updated, the group performs an update operation that generates new encryption keys excluding the attacker. This self-healing capability is vital for long-lived agent collectives where individual agents may be temporarily compromised but the group must continue operating securely.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us