Messaging Layer Security
Messaging Layer Security (MLS) is a cryptographic protocol that enables secure, end-to-end encrypted group messaging for asynchronous communication among participants in groups ranging from two to thousands, providing efficient key establishment with forward secrecy and post-compromise security.[1]
Developed by the Internet Engineering Task Force (IETF) MLS Working Group, MLS was standardized as RFC 9420 in July 2023, which specifies the core protocol, and RFC 9750 in April 2025, which outlines its architecture for integration into secure group messaging systems.[1][2]
At its heart, MLS employs a ratchet tree structure—a cryptographic mechanism using direct paths and copaths for key derivation—to manage group state across epochs, allowing members to update keys efficiently without requiring all participants to be online simultaneously.[1]
Key operations include handshake messages such as Proposals (for changes like adding or removing members), Commits (to apply those changes and advance the group state), and Welcome messages (to onboard new members via external joins), all protected by authenticated key exchange.[1]
Security properties encompass confidentiality and integrity of application messages, authentication via credentials and signatures issued by an Authentication Service, and resilience against eavesdropping, tampering, or forgery, even in dynamic environments.[2][1]
The protocol is transport-agnostic, designed to layer atop arbitrary delivery services for message distribution, and supports features like replay protection through unique identifiers, making it suitable for modern applications such as chat apps and collaborative tools.[1][2]
Implementations are available in languages like Rust and JavaScript, with production deployments including Wire's general availability in April 2025 and testing in Google Messages for RCS chats in July 2025, representing ongoing adoption by industry players to enhance group privacy beyond pairwise protocols like the Double Ratchet.[3][4][5]
Overview
Definition and Purpose
Messaging Layer Security (MLS) is a cryptographic protocol designed for secure group messaging in applications, enabling end-to-end encryption for communications among multiple participants. It operates as a continuous group authenticated key exchange (AKE) mechanism, using a ratchet tree structure to manage shared cryptographic keys efficiently across group members, even in asynchronous environments where clients may not be online simultaneously. Specified in RFC 9420, MLS supports dynamic groups ranging from two participants to hundreds of thousands, allowing seamless addition or removal of members without requiring all parties to be present.[2]
The primary purpose of MLS is to establish and maintain shared secret keys for encrypting and authenticating messages within groups, ensuring confidentiality, integrity, and authenticity against active adversaries. It addresses limitations in prior protocols, such as pairwise encryption schemes like the Double Ratchet algorithm, which do not scale well for large groups, and sender-key approaches that lack robust security properties. By leveraging asynchronous ratcheting trees (ART), MLS achieves logarithmic scaling in computational costs relative to group size, making it suitable for real-time applications like instant messaging, voice calls, and conferencing.[2]
MLS also incorporates key security goals, including forward secrecy (FS) to protect past messages if keys are compromised and post-compromise security (PCS) to recover from breaches through key rotation. These features mitigate risks from compromised clients, delivery services, or authentication services, providing a standardized foundation for interoperable secure group communication across diverse platforms.[2] The protocol's architecture, outlined in RFC 9750, emphasizes embedding MLS into higher-layer protocols like XMPP while preserving end-to-end protections.[2]
Design Principles
Messaging Layer Security (MLS) is designed as an asynchronous protocol for secure group messaging, enabling participants to communicate without requiring simultaneous online presence. This asynchronous model relies on a two-step process involving proposals and commits to evolve the group state across epochs, allowing members to propose changes that are later ratified by a commit message. The protocol assumes the presence of an Authentication Service (AS) for verifying identities and credentials, and a Delivery Service (DS) for routing messages, with the DS considered untrusted but reliable in delivery.[1][6]
A core design principle is the use of ratchet trees to represent group membership and manage shared secrets efficiently. These trees maintain a structure where each node holds a private key known only to members of its subtree, ensuring that encryption costs scale logarithmically with group size, from pairs to hundreds of thousands of participants. This tree-based approach facilitates dynamic operations like adding or removing members by updating keys along direct paths, while preserving the "tree invariant" for security. The design emphasizes forward secrecy (FS), where past messages remain protected even if current keys are compromised, through ephemeral key derivations and deletion of old material, and post-compromise security (PCS), enabling recovery via regular key updates.[1][6]
MLS prioritizes end-to-end security properties including message confidentiality, authentication, and integrity against external adversaries, while supporting flexible client-side operations such as multiple devices per user with independent cryptographic states. Access control is not enforced by the protocol itself but left to applications, allowing customization of policies. The design incorporates extensibility for cipher suites, credentials, and proposals, with a registry to balance interoperability and security evolution. Metadata exposure is minimized to protect privacy, though server fanout may reveal group sizes.[1][6]
Protocol Mechanics
Architecture
Messaging Layer Security (MLS) employs a client-server architecture designed to enable secure, scalable group messaging across diverse applications. At its core, the system consists of clients, which are cryptographic entities such as user devices that participate in groups; a Delivery Service (DS), which facilitates message routing and storage of initial keying material; and an Authentication Service (AS), which attests to the binding between clients' cryptographic identities and their human-readable identifiers. Clients form asynchronous groups where members share a common secret, evolving the group state through a series of epochs to handle additions, removals, and updates securely. This architecture separates concerns by delegating authentication to the AS and message delivery to the DS, allowing MLS to integrate with various existing infrastructure without relying on a single trusted server for all operations.[7]
The protocol's key management relies on a ratcheting tree structure, where each client is represented as a leaf in a binary tree that facilitates efficient asynchronous key agreement. To join or update a group, a client generates a KeyPackage, a self-contained bundle containing its public key, credentials, and initial secrets, which is stored by the DS for retrieval by other clients. Group state transitions occur via two primary message types: Proposals, which suggest changes like adding or removing members without immediately applying them, and Commits, which apply one or more proposals and update the group secret, often requiring a Welcome message to securely deliver the new state to added members. Application messages, such as private content or public announcements, are then encrypted or integrity-protected using derived keys from the current epoch's group secret. This asynchronous design ensures that members can update the group state independently, accommodating offline scenarios common in messaging applications.[7][8]
Security in the MLS architecture is achieved through forward secrecy (FS) and post-compromise security (PCS), where each epoch's secrets are derived via ratcheting to prevent past or future compromises from affecting other periods. The tree structure enables efficient computation of shared secrets using only the necessary subtrees, scaling to large groups while minimizing computational overhead. Credentials issued by the AS support various types, such as X.509 certificates or basic identifiers, allowing flexibility in identity verification, including out-of-band methods like QR codes for authentication secrets. By limiting server roles to delivery and attestation without access to group secrets, the architecture protects against eavesdropping and tampering while providing deniability options for senders.[7]
Group Management
In Messaging Layer Security (MLS), group management is handled through a structured protocol that enables asynchronous updates to group membership and cryptographic state while maintaining security properties such as forward secrecy and post-compromise security. The core mechanism revolves around proposals and commits: proposals suggest changes like adding or removing members or updating keys, while commits apply these changes, advancing the group's epoch and deriving new shared secrets. This process is facilitated by a ratchet tree data structure, which efficiently represents the group and allows members to compute shared keys without direct pairwise communication.[1][6]
Group creation begins with an initiator client establishing a single-member group state, assigning a unique group identifier, selecting a cipher suite, and configuring any extensions. The initial ratchet tree consists of a single leaf node representing the creator, with the epoch set to zero. Subsequent management operations build upon this by incorporating new members via external commitments or internal proposals. For instance, to add a member, an existing group member broadcasts an Add proposal containing a reference to the new member's KeyPackage—a self-contained bundle of public key material and credentials. This is followed by a Commit message that integrates the new leaf into the ratchet tree at the leftmost empty position or by extending the tree if necessary, potentially doubling its depth to accommodate growth. The committer then sends a Welcome message to the new member, providing the updated group secrets encrypted under the joiner's public key, allowing them to derive the current epoch's keys independently.[1][6]
Member removal is similarly proposal-driven: a Remove proposal identifies the target member by their index in the tree, and a subsequent Commit blanks the corresponding leaf node, excluding it from future key derivations and effectively revoking access. The tree may truncate its rightmost subtree if it becomes empty, halving the depth to optimize storage and computation. Self-removal is supported through external commits, where a leaving member uses a Group's public information to generate their own Commit without needing approval, enabling asynchronous exits. These operations ensure that removed members cannot decrypt future messages, upholding confidentiality.[1]
Key updates, crucial for post-compromise security, are managed via Update proposals that replace a member's leaf node with fresh key material, blanking the direct path to the root to prevent reuse of compromised secrets. A Commit incorporating this update includes an UpdatePath field, which encrypts the necessary path secrets using Hybrid Public Key Encryption (HPKE) for each remaining member, allowing them to recompute the tree's root secret. The ratchet tree's design— a full binary tree with recursive hashing from leaves to root—ensures O(log N) efficiency for these updates in groups of size N, as members only process secrets along their direct path and copath. Delivery services play a supporting role by storing KeyPackages and routing messages, with options for strongly consistent or eventually consistent models to handle asynchronous participation.[1][6]
Overall, MLS's group management prioritizes resilience to asynchrony and compromise: epoch advancement via commits rotates all group keys, while the tree's structure derives per-member and shared secrets from a joiner secret, preventing long-term key exposure. This approach supports scalable, secure evolution of groups without requiring all members to be online simultaneously.[1]
Key Derivation and Encryption
In the Messaging Layer Security (MLS) protocol, key derivation begins with the establishment of a group secret during the initialization or joining process, which serves as the foundational input for generating all subsequent cryptographic keys. This group secret is derived using a key derivation function (KDF), typically HKDF, from an initial secret combined with elements such as the joiner's secret or resumption pre-shared keys (PSKs). The process ensures that each member's view of the group state includes unique contributions of entropy, preventing any single participant from controlling the shared secrets.[9]
The core of MLS key management is the key schedule, which advances with each epoch—defined periods of group state stability triggered by Commit messages. At the start of an epoch, the key schedule takes the previous initialization secret (init_secret from the prior epoch), a fresh commit_secret (derived from the Commit message's path secrets), and the current group context to produce an epoch secret via the KDF's Extract and ExpandWithLabel functions:
intermediate = KDF.Extract(init_secret[n-1], commit_secret)
epoch_secret = ExpandWithLabel(intermediate, "epoch", GroupContext[n], KDF.Nh)
intermediate = KDF.Extract(init_secret[n-1], commit_secret)
epoch_secret = ExpandWithLabel(intermediate, "epoch", GroupContext[n], KDF.Nh)
From this epoch secret, specialized sub-secrets are derived using the DeriveSecret function with distinct labels, such as "encryption_secret" for message protection, "sender_data_secret" for sender-specific data, "confirmation_key" for authenticating commits, and "version" for protocol versioning. This modular derivation allows for targeted key usage while maintaining separation of concerns, with each DeriveSecret call expanding the input secret into a fixed-length output suitable for the intended purpose.[9][10]
To support scalability in large groups, MLS employs a secret tree structure, a binary tree where the root secret is the encryption_secret, and child secrets are derived recursively from parent secrets. For a parent node secret, the left and right child secrets are computed as:
left_secret = ExpandWithLabel(parent_secret, "left", "", KDF.Nh)
right_secret = ExpandWithLabel(parent_secret, "right", "", KDF.Nh)
left_secret = ExpandWithLabel(parent_secret, "left", "", KDF.Nh)
right_secret = ExpandWithLabel(parent_secret, "right", "", KDF.Nh)
This tree enables efficient derivation of shared secrets for subgroups without recomputing from scratch, with leaf node secrets corresponding to per-member keys. Path secrets, encrypted via Hybrid Public Key Encryption (HPKE) during joins or updates, further ratchet the tree forward, ensuring that compromised keys do not propagate. Epoch advancement ratchets the entire schedule, deleting prior secrets to enforce forward secrecy, where past messages remain secure even if long-term keys are exposed post-epoch.[11][12]
Encryption in MLS relies on Authenticated Encryption with Associated Data (AEAD) schemes, such as AES-128-GCM, with keys and nonces drawn from the key schedule. Application messages, handshake messages, and sender data are protected separately: sender data (metadata like timestamps) uses keys from a per-sender ratchet initialized by the sender_data_secret, while content is encrypted with epoch-specific keys from the secret tree or sender ratchets. For a message in epoch n, the encryption key ratchet_key for sender j is derived as:
ratchet_key[n][j] = DeriveTreeSecret(encryption_secret, j, "app-encrypted")
ratchet_key[n][j] = DeriveTreeSecret(encryption_secret, j, "app-encrypted")
Nonces are generated sequentially per sender to prevent reuse, with a reuse guard in the protocol to detect and reject violations. This design provides both confidentiality and integrity, with post-compromise security achieved through the ratcheting, allowing recovery from key compromises in logarithmic time relative to group size. Cipher suites, like MLS_128_DHKEMP256_AES128GCM_SHA256_Ed25519, specify the exact primitives to ensure interoperability and security.[13][14][15]
Security Properties
Core Guarantees
Messaging Layer Security (MLS) provides several fundamental security guarantees that ensure secure communication in group messaging scenarios. The core properties include confidentiality, message integrity, sender authentication, forward secrecy, and post-compromise security. These guarantees are achieved through a combination of cryptographic mechanisms, such as asynchronous ratcheting and tree-based key management, enabling efficient group key evolution without requiring all members to be online simultaneously.[16]
Confidentiality ensures that only current group members can access the content of application messages. This is enforced by deriving per-sender encryption keys from an epoch secret, which is confidential to the members in the current epoch and updated with each group state change. Messages are encrypted using these keys, preventing decryption by outsiders or former members, even if the delivery service is untrusted.[17] Message integrity protects against tampering, with each message including a signature over its content and metadata, allowing recipients to verify that the message has not been altered in transit. This integrity check is performed using the sender's signature key, which is bound to their identity in the group state.[18]
Sender authentication guarantees that messages originate from legitimate group members and cannot be forged by impostors. Authentication is provided via digital signatures on the message framing and content, using the sender's signature key associated with their leaf node in the ratchet tree structure. These signatures are verified against the expected public keys in the current group state, ensuring the sender's identity is authenticated within the group context.[18]
Forward secrecy (FS) protects past messages from exposure even if long-term keys are compromised later. MLS achieves this through periodic key updates via Commit messages, which inject fresh randomness and advance the epoch, rendering previous epoch secrets obsolete and unrecoverable. Compromised keys thus cannot decrypt messages from prior epochs, as the ratcheting process ensures one-way evolution of the key material.[19] Post-compromise security (PCS) complements FS by allowing recovery from key compromises without disbanding the group. When a member detects a compromise, they can issue an Update operation, which replaces their leaf node in the tree and propagates new keys, restoring security for all subsequent messages while excluding the effects of the prior compromise. This mechanism ensures that future communications remain protected, provided the compromised party performs timely updates.[20]
Advanced Security Features
Messaging Layer Security (MLS) extends beyond fundamental confidentiality and integrity assurances by incorporating forward secrecy (FS) and post-compromise security (PCS), which protect against long-term key exposures and enable recovery from breaches. These features leverage the protocol's ratchet tree structure for efficient key evolution across group epochs, ensuring that security degrades gracefully only for a limited window following a compromise.[8][7]
Forward secrecy in MLS guarantees that messages exchanged prior to a key compromise remain confidential, even if an adversary later obtains the long-term or session keys of communicating parties. This is achieved through ephemeral key derivations in the ratchet tree, where each epoch introduces fresh sub-group keys derived from sender ratchets, and old private keys are explicitly deleted after use. For instance, when a member issues an Update proposal via a Commit message, it resets its leaf node and path, invalidating prior keys without affecting ongoing secrecy for future messages. This mechanism scales logarithmically with group size, supporting large-scale deployments while maintaining FS against passive and active adversaries.[8][7]
Post-compromise security allows the group to restore confidentiality and integrity after a member's keys are exposed, limiting damage to messages sent during the compromise period. MLS facilitates this through asynchronous key updates: compromised members can initiate an empty Commit or regular leaf updates to refresh their ratchet, propagating new secrets via the tree's direct paths to other members in O(log N) operations, where N is the group size. Delivery services broadcast these updates, enabling rapid recovery without requiring synchronous participation from all members; security is reinstated for all subsequent epochs once the update is processed. This property is particularly robust against insider threats, as Remove operations can expel compromised members while updating group secrets.[8][7]
Authentication in MLS provides strong sender verification within groups, using credentials (such as X.509 certificates or opaque identifiers) bound to public keys via signatures on LeafNode objects. This ensures that messages and proposals are attributable only to authorized members, with the protocol supporting both repudiable (via basic signatures) and non-repudiable authentication depending on credential design. Group-wide authentication is enforced through parent hashes in the ratchet tree, which cryptographically bind the entire group state and prevent unauthorized alterations. Additionally, MLS offers limited deniability by avoiding persistent server-held secrets, allowing plausible off-record exchanges, though full deniability requires application-layer choices like ephemeral credentials.[8][7]
These advanced features collectively ensure that only current, honest group members can read or forge messages, with membership changes (adds, removes, or self-updates) triggering secret rotations to isolate past and future communications. Unlike pairwise protocols, MLS's tree-based approach provides entity authentication for the group context, mitigating risks from metadata leakage in unencrypted handshake messages through optional privacy enhancements like blinded paths.[8][7]
Development and Standardization
Historical Background
The development of Messaging Layer Security (MLS) originated from academic research addressing the limitations of existing end-to-end encryption protocols for asynchronous group messaging, particularly the lack of scalability and robust security guarantees in large, dynamic groups. In 2017, a seminal paper by Katriel Cohn-Gordon, Cas Cremers, and colleagues introduced Asynchronous Ratcheting Trees (ART), a tree-structured Diffie-Hellman key exchange protocol designed to enable forward secrecy and post-compromise security without requiring simultaneous online presence of all participants. This work, motivated by the growing need for secure group communications in applications like instant messaging, highlighted the inefficiencies of pairwise encryption in groups and proposed a ratcheting mechanism to update keys efficiently as members join or leave.
Building on ART and related concepts like TreeKEM, the Internet Engineering Task Force (IETF) established the MLS Working Group in April 2018 to standardize a unified protocol for secure, asynchronous group key establishment.[21] The initial individual draft for the MLS protocol (draft-barnes-mls-protocol-00) appeared in March 2018, followed by the first working group draft (draft-ietf-mls-protocol-00) in August 2018, authored by Richard Barnes, Jon Millican, Emad Omara, Katriel Cohn-Gordon, and others.[22] Early drafts incorporated ART for key management but evolved to use a simplified TreeKEM variant by draft-02 in October 2018, reflecting community feedback on implementation complexity and security proofs.[23]
The standardization process involved over 20 draft revisions through 2023, with extensive cryptographic analysis and interoperability testing to ensure properties like forward secrecy, post-compromise security, and deniability.[23] Key milestones included security reviews at conferences like Real World Crypto 2019 and Black Hat 2019, where prototypes demonstrated scalability for groups up to thousands of members.[24] The protocol achieved Proposed Standard status as RFC 9420 in July 2023, providing a comprehensive specification for tree-based asynchronous group keying.[1] Subsequently, the MLS architecture was formalized in RFC 9750 in April 2025, outlining integration with messaging infrastructures and additional security goals.[6] This progression from research prototype to IETF standard reflects collaborative efforts by industry (e.g., Cisco, Wire, Meta) and academia to address real-world deployment challenges in secure messaging.[21]
IETF Process and RFC
The development of Messaging Layer Security (MLS) began in 2016 through informal discussions among researchers and engineers from organizations including Wire, Mozilla, and Cisco, aimed at creating a standardized protocol for secure group messaging that addresses limitations in existing systems like pairwise encryption in large groups.[25] These efforts built on prior academic work, such as the TreeKEM key agreement protocol, to enable efficient asynchronous group key establishment with forward secrecy and post-compromise security.[26]
In April 2018, the Internet Engineering Task Force (IETF) chartered the MLS Working Group (WG) under the Security Area to formalize the protocol as an open standard, with the goal of producing a specification for efficient group keying supporting groups from two to thousands of members.[27] The WG adopted its initial Internet-Draft for the MLS protocol (draft-ietf-mls-protocol-00) in August 2018, marking the start of iterative development involving multiple revisions, formal verification, and interoperability testing.[23] Over the next four years, the WG conducted working group last calls (WGLC), with the first in May 2022 addressing design feedback and the second in June-July 2022 confirming readiness, followed by shepherd review in August 2022.[23]
The protocol specification advanced to Internet Engineering Steering Group (IESG) evaluation in January 2023, receiving approval on March 28, 2023, after community consensus and expert reviews ensured security properties like message secrecy, authentication, and denial-of-receipt protection.[28] It was published as RFC 9420, "The Messaging Layer Security (MLS) Protocol," on July 19, 2023, as a Proposed Standard on the IETF Standards Track, authored by a team including Richard Barnes, Benjamin Beurdouche, and others from industry and academia.[1] This RFC defines the core protocol mechanics, including tree-based key scheduling via Proposals and Commits, cipher suites, and extensions for custom functionality.[1]
Complementing the protocol, the MLS Architecture was separately developed and published as RFC 9750 on April 22, 2025, outlining integration with messaging infrastructures, security goals, and deployment considerations for end-to-end encrypted groups.[6] Authored by Benjamin Beurdouche, Eric Rescorla, and others, it emphasizes MLS's role in enabling scalable, asynchronous security without relying on online key servers.[6]
Following publication, the MLS WG was rechartered in October 2024 to maintain RFC 9420 and develop extensions, including support for the More Instant Messaging Interoperability (MIMI) WG, new credential types, quantum-resistant cryptography, and message loss detection, with milestones extending to 2026.[27] This ongoing process reflects the IETF's consensus-driven model, incorporating feedback from implementers and cryptographers to ensure MLS's robustness and interoperability across applications like RCS and Matrix.[28]
Implementations
Reference Implementations
The Messaging Layer Security (MLS) protocol, standardized in RFC 9420, relies on reference implementations to ensure interoperability, conformance to the specification, and practical adoption across diverse systems. These implementations are typically open-source libraries that fully realize the protocol's core mechanisms, including asynchronous group keying, forward secrecy, and post-compromise security, while supporting extensions for customization. They serve as foundational tools for developers building secure group messaging applications and for the IETF MLS working group's ongoing interoperability testing efforts.
A primary reference implementation is OpenMLS, an open-source Rust library developed and maintained by Phoenix R&D and Cryspen. OpenMLS provides a complete, production-ready realization of the MLS protocol, including support for binary tree structures, key packages, and message processing as defined in RFC 9420. It emphasizes memory safety through Rust's type system and offers flexible cryptographic backends, such as RustCrypto for standard algorithms and Evercrypt for high-assurance primitives. The library compiles to multiple targets, including native binaries for Linux, Windows, macOS, mobile platforms like Android and iOS, and WebAssembly for browser-based applications, enabling broad deployment scenarios. OpenMLS has been instrumental in formal verification efforts and passes all RFC test vectors, making it a benchmark for protocol compliance.[29][30][31]
Another key reference implementation is mls-rs, a Rust library created by AWS Labs. This project delivers a full-featured MLS implementation compliant with RFC 9420, with a focus on efficiency for large groups and asynchronous environments. It includes APIs for client-side operations like proposal handling, commit processing, and key derivation, alongside support for customizable credentials (e.g., X.509 certificates), protocol extensions, and storage backends. mls-rs integrates with both OpenSSL and native Rust cryptography providers for agility, and its WebAssembly compatibility facilitates integration into web and edge computing contexts. The library undergoes regular interoperability testing and is licensed under permissive terms (Apache-2.0 or MIT) to encourage widespread use.[32][33]
Cisco's go-mls serves as a notable reference in Go, implementing the core MLS handshake and encryption primitives for asynchronous, message-oriented group key establishment. Drawing from concepts in asynchronous ratchet trees, it supports essential features like forward secrecy and group evolution, though it is an experimental implementation that is incomplete and not fully compliant with post-RFC updates. This implementation aids in diversifying language options for MLS adoption, particularly in server-side and networked applications.[34]
The IETF MLS working group coordinates these and other implementations through the mlswg/mls-implementations repository, which tracks progress on conformance, test vectors, and cross-implementation compatibility. This effort ensures that reference libraries like OpenMLS and mls-rs can validate emerging projects, fostering a robust ecosystem for MLS deployment.[35]
Production Deployments
As of late 2025, Messaging Layer Security (MLS) has seen adoption in several production environments, primarily in enterprise communication platforms and consumer messaging applications, demonstrating its scalability for secure group interactions. Early deployments leveraged draft versions of the protocol prior to its standardization in RFC 9420 (July 2023), while more recent implementations incorporate the finalized specification to enable end-to-end encryption (E2EE) for messages, calls, and meetings. These deployments highlight MLS's efficiency in handling large groups, forward secrecy, and post-compromise security, often integrating with existing infrastructures like RCS for broader interoperability.[36][28]
Wire, a secure messaging service, has fully transitioned its protocol from Proteus to MLS for group communications, including text, audio, and video conferences supporting thousands of participants. The upgrade enhances performance in large-scale scenarios and ensures E2EE for features like channels and file sharing, complying with regulatory standards such as the EU's Digital Markets Act. Wire initiated MLS development in 2016 as a co-founder of the protocol and began rolling it out to users in March 2025, achieving general availability in April 2025 and broad migration by May 2025; by mid-2025, users reported seamless migrations in conversations.[37][25][38][4][39]
Cisco Webex integrates MLS for E2EE in meetings and real-time conversations, providing zero-trust security with identity verification via key packages. This deployment, serving millions of users, utilizes MLS's tree-based structure for efficient key management in dynamic groups, achieving high security levels including resistance to metadata leakage. Cisco adopted an early MLS draft in 2023 for its scalability over traditional pairwise encryption, enabling secure interactions in enterprise settings without compromising usability.[40][28]
RingCentral announced MLS-based E2EE across its messaging, video, and phone services in December 2022, with video generally available and messaging/phone in closed beta; full deployment across services followed, enabling E2EE for groups of varying sizes by 2023. The implementation supports asynchronous key exchanges and ciphersuite flexibility, protecting sensitive communications in business environments. This early production use validated MLS's robustness at scale, influencing its standardization.[41][42][28]
Google Messages is advancing toward full MLS integration within RCS chats to enable cross-platform E2EE, starting with one-on-one and expanding to groups. Announced in July 2023 with plans to open-source the implementation, testing began in July 2025, incorporating MLS into the Universal Profile 3.0 for Android-iOS interoperability. By October 2025, support was rolling out, positioning MLS to secure billions of RCS messages while maintaining compatibility with legacy systems. This integration into RCS Universal Profile 3.0 positions MLS to enable secure, cross-platform E2EE for billions of messages on hundreds of millions of devices as of 2025.[43][5][44][45]