 The title of our paper is on the Insider Security of MLS. This is a joint work with Joel Alven and Daniel Jost and I am Marta. The general area is that of secure group communication. Here the goal is for a dynamic group of parties to exchange confidential data over an insecure network. By dynamic I mean that the group properties such as the name, the set of parties, etc. can change dynamically within an execution. Examples are very well known that includes group chats, think WhatsApp, Telegram, Signal, whatever you use to communicate. Some of them might be secure and this is what we are talking about. Another example would be secure video or conference calls, etc. The core primitive that enables secure group communication in my opinion is something called continuous group key agreement or CGK. Here the goal is for a dynamic group of parties to exchange or agree on a sequence of shared symmetry group keys. The way to think about CGK executions is that they create a sequence of epochs. An epoch is simply a period of time when the group has a fixed set of properties, a fixed set of members, a fixed shared key, etc. At any point in time any group member can decide to change these properties, which means that they create a new epoch. For example Alice removes Charlie, this creates a new epoch with a new key unknown to Charlie. Then maybe she adds Dave. Another thing that can happen is that Bob simply decides to refresh his secrets because maybe they have been lying around for too long. One special thing about continuous group key agreement and group communication in general, as we mean it, is that it should be secure in the presence of continuous state corruptions and we won't find great security in this setting. This can be shown in a picture. For instance, if the state of a party, let's say Bob's, leaks in epoch 2, this makes some epochs inherently insecure. It will be 2 and 3 in this case. But past epochs in this case 1 are secure. This is a property sometimes called forward secrecy. Afterwards, when Bob actually refreshes his secrets, this restores security in epoch 4, which is sometimes called post compromise security. So a fine green security, meaning that some epochs are secure even when someone is corrupted in some other epoch. To summarize, CGKA is the core primitive for secure group communication. You can probably already see that many applications will bootstrap their security properties from the security properties of the shared group key. It will be used to encrypt messages, video stream, authenticate members, etc. And this is why we look at CGKA in this work, which brings me to our contribution, which is to prove that a particular CGKA construction in this case called ITK is a secure CGKA in the setting with malicious insiders. ITK is the CGKA construction of the messaging layer security, or MLS protocol. It's an upcoming RFC standard. And part of our contribution was actually to isolate the parts of the protocol that make up ITK. It's not that easy task when, if you know RFC standards, we also have pseudocode, which makes it a bit easier to understand. Our next contribution was to define this malicious insider model where we prove security of ITK. It's the strongest model considered so far. The adversary can fully control the network. And unlike in any other model, they also fully control the PKI. And we have very fine green guarantees depending on how PKI behaves. For example, one epoch can be secure if good PKI keys are used. Another epoch can be insecure because some parties use bad PKI, corrupt PKI keys, which destroys security. That would be it, except life is never that great. So actually we discovered real attacks on ITK during our analysis because of these attacks we couldn't prove it secure. But fortunately they could be easily fixed. The fixes are now incorporated into the standard. And after the fixes we proved security of ITK. So ITK is a security GKA. This is our result. Thank you and I invite you to look at the paper.