Keychat’s one-to-one messages and small-group messages are encrypted using the Signal protocol, while large-group messages are encrypted using the MLS protocol. Marmot (WhiteNoise), on the other hand, encrypts all messages—both one-to-one and group messages—using MLS.

It’s worth emphasizing that for one-to-one messaging, the Signal protocol is more efficient (and therefore more secure), because the new public key needed to advance the DH ratchet (which provides post-compromise security) is carried in the header of normal messages, without requiring extra messages to transmit a new public key. In Keychat, as long as the two parties exchange messages back and forth, the DH ratchet advances automatically.

By contrast, if MLS is used to encrypt one-to-one chats, advancing the ratchet responsible for post-compromise security is less efficient and requires separate messages to transmit new keys. This is largely because MLS was designed with large-group messaging as its primary use case.

MLS is built for large groups; one-to-one support is a byproduct rather than an optimization target.