Detecting Presence Of Malicious Hub in MIMI Protocol for Cross-Platform Messaging Interoperability

Abstract

The IETF More Instant Messaging Interoperability (MIMI) protocol enables interoperable group messaging across otherwise isolated services such as WhatsApp, Signal, and Telegram. It routes every Messaging Layer Security (MLS) ciphertext through a central hub that timestamps the message and broadcasts it to all group participants. If the hub is compromised, it can silently drop, delay, or reorder messages, undermining order integrity while leaving end-to-end encryption intact. We introduce a lightweight, Merkle-tree-based audit layer that allows clients to detect such misbehavior. Each client stores every received message together with its hub-assigned timestamp in an ordered list. Clients periodically generate a Merkle proof from this list and broadcast it by embedding the proof in an encrypted application message. Because the hub cannot predict which messages carry proofs, it cannot selectively discard them. Upon receiving a proof, other clients verify it and broadcast their own proofs. Any inconsistency is then propagated to the entire room, creating a non-repudiable record of hub misconduct. A Rust prototype built on OpenMLS was evaluated on a 100-node emulated network. With a client sampling rate of 5%, and a hub attack probability of 10%, the scheme detected 95% of message-drop or reordering attacks within the first 40 messages, consumed only 3 kB of additional memory per client, and required less than 1 ms of client-side processing per proof. The audit’s memory requirement grows linearly with room size and requires no changes to the hub protocol, providing a practical, low-overhead path to verifiable message-order integrity in large interoperable messaging systems.