
arxiv: 2605.06933 · v2 · pith:4BMPDY5Nnew · submitted 2026-05-07 · 💻 cs.LG · cs.CR · cs.MA

MAGIQ: A Post-Quantum Multi-Agentic AI Governance System with Provable Security

Pith reviewed 2026-05-20 22:28 UTC · model grok-4.3

classification: cs.LG · cs.CR · cs.MA
keywords: post-quantum cryptography, multi-agent AI, policy enforcement, agent governance, security proofs, accountability, session management

The pith

MAGIQ enables users to define and enforce secure communication policies for AI agents using post-quantum cryptography.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper introduces a system that lets owners of AI agents set detailed rules about how their agents can communicate with others, including limits on messages and tasks. It uses special cryptographic techniques designed to remain secure even if quantum computers become powerful enough to break current encryption. The system also tracks messages so agents can be held responsible, and it includes mathematical proofs that these features work correctly. A reader might care because agent-based AI is growing fast and quantum computing threatens existing security, so this offers a way to build trustworthy multi-agent environments. It evaluates the performance overhead to show practicality.

Core claim

The central claim is that MAGIQ provides a framework for policy definition and enforcement in multi-agent AI systems using novel post-quantum cryptographic protocols, allowing rich communication and access-control policy budgets for sessions and tasks, with support for one-to-many interactions, message attribution for accountability, and formal proofs of correctness and security.

What carries the argument

Post-quantum cryptographic primitives that enforce policy budgets during agent-to-agent and group sessions while enabling message attribution.

If this is right

  • Agents can operate within defined budgets for communication and access control.
  • Security holds for both pairwise and one-to-many agent sessions.
  • Accountability is achieved through linking messages to specific agents and users.
  • The approach provides formal security guarantees against quantum threats.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • This approach could be extended to other types of AI interactions beyond the modeled sessions.
  • Integration with existing agent platforms might require adapting the policy definition interface.
  • Long-term, it points toward quantum-secure standards for governing autonomous AI systems in open environments.

Load-bearing premise

The new cryptographic protocols must be both efficient in practice and secure under assumptions that resist quantum attacks, while the formal model must fully capture real threats to agent accountability.

What would settle it

Discovery of an efficient attack breaking the post-quantum primitives or a flaw in the security proof that allows an adversary to violate the policy or accountability without detection.

Figures

Figures reproduced from arXiv: 2605.06933 by Alina Oprea, Cristina Nita-Rotaru, Reihaneh Safavi-Naini, Sepideh Avizheh, Tushin Mallick.

Captions and the text extracted next to each figure are reproduced as-is; "…" marks where the extraction was cut off.

Figure 1: Example of a multi-agent coordination.
  Adjacent text: 2 Background and Problem Statement. 2.1 Governance for AI Agentic Systems. An agentic AI system is a system composed of one or more autonomous agents that perceive, reason, and act—individually or collaboratively—to achieve tasks with minimal human intervention (see …

Figure 2: User registration.
  Adjacent text: The user specifies the agent's device name device_A, IP address IP_A, and port port_A, forming the agent's endpoint descriptor ED_A = ⟨device_A, IP_A, port_A⟩ (2). Generating cryptographic keys. The user generates the following keys for the agent: PQ-TLS credentials (sk^tls_A, pk^tls_A) for establishing secure channels with other agents, with a CA-signed certificate Cert^tls_A = GenCert_sk…

Figure 4: Agent discovery.
  Adjacent text: Step 1: Retrieval. Agent A_I requests permission to contact agent A_R by sending both identities, aid_{A_I} and aid_{A_R}, to the Provider. The Provider verifies mutual authorization between the two agents and checks that Counter[aid_{A_R}][aid_{A_I}] > 0. If so, the Provider returns A_R's access information together with a signature σ^ac_TA over both agents' data. The returned access information includes: …

Figure 5: A-session establishment.
  Adjacent text: … hash chain of length Q_{R,I} = n: s_0, s_1 = H(s_0, 1, sid, aid_{A_I}), s_2 = H(s_1, 2, sid, aid_{A_I}), …, s_n = H(s_{n-1}, n, sid, aid_{A_I}). It also obtains the user's signature on the root of the chain: σ^RCP_{U_R} = HS.Sign_{sk_{U_R}}(s_n, Q_{R,I}). Next, A_R generates a random value r_2 and computes a session key k_ses = H(r_1, r_2), used throughout all communications with A_I during the A-session. It constructs t…

Figure 6: The modular model of MAGIQ in the hybrid and …

Figure 8: Amortised protocol overhead across A_I locations (US-West, US-East, EU, Asia) under varying Q_max for m = 100 requests between A_I and A_R. Shaded regions reflect the variability in overhead attributable to differences in network conditions across agent locations worldwide.

Figure 7: Amortized protocol overhead across provider lo…

Figure 9: plots C_Provider for n ∈ {1, 10, 100} agents across session lifetimes ranging from one minute to one day.
  Adjacent text: Two structural observations follow directly from Equation 3. First, overhead scales linearly with agent count: the 100-agent curve lies exactly one order …
  Plot axes: A-Session Lifetime (1 min to 1 day); Computational Overhead on Provider (s) (0 to 400); legend begins "Initiating Agent …".

Figure 10: Daily computational overhead on A_I as a function of A-session lifetime, for t ∈ {1, 2, 5, 10, 15} receiving agents. Per-session cost follows Equation 4 using measured cryptographic costs; daily overhead follows Equation 5. All A-sessions are assumed to share the same lifetime.
  Adjacent text: 6.7 One-Agent to Many-Agents Overhead. We evaluate the overhead borne by an orchestrator (A_I) that coordinates with t receiving …

Figure 11: Global clock ideal functionality G_clk [12].
  Adjacent text: E.3 Secure Communication Session Ideal Functionality F_SCS. This functionality captures the security requirements of the TLS channel and allows a secure communication between entities in a single protocol instance. TLS consists of two phases: handshake and message transmission. The handshake protocol aims at securely sharing uniformly distributed session keys, and …

Figure 12: The secure communication session ideal function…

Figure 13: Global restricted programmable and observable …

Figure 14: The certification authority ideal functionality, …

Figure 15: Secure user and agent registration ideal function…

Figure 17: The secure A-session ideal functionality, …

Figure 18: The secure multi-agent composite session (C…

Figure 20: The A-session in the two-agent MAGIQ protocol…

Figure 21: The C-session in the multi-agent MAGIQ protocol uses the global clock ideal functionality G_clk and the global random oracle functionality G_clk as its subroutine (note that in our analysis, we only consider one protocol at a time, the entities that are involved in that protocol and the ideal functionality F that captures the security of that protocol.) Parties receive their inputs from the environment Z a…

Figure 19: The secure multi-agent composite session (C…
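The Figure 5 excerpt above states the budget mechanism in a few formulas: A_R builds a hash chain s_0, s_1 = H(s_0, 1, sid, aid_{A_I}), …, s_n with n = Q_{R,I}, and the user signs the root (s_n, Q_{R,I}). The Python below is an added illustration of how a verifier can enforce exactly Q requests from nothing more than that signed root; it is not code from the paper or its authors. Two points are assumptions, not statements on the page: that chain elements are released one per request from s_{n-1} down to s_0 (the PayWord pattern of reference [48]), and that HS.Sign, a hash-based signature in the paper, is stood in for by an HMAC under the user's key so the script runs on the standard library alone (with a real signature the verifier would hold only the user's public key). The sid, aid and key values are constructed sample data.

```python
"""Hash-chain request budget for an A-session (added illustration, not MAGIQ code)."""
import hashlib
import hmac
import secrets


def H(*parts: bytes) -> bytes:
    """Stand-in for the paper's hash H: SHA-256 over length-prefixed parts, so the
    tuple (s, i, sid, aid) cannot be re-split into a different tuple."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(4, "big"))
        h.update(p)
    return h.digest()


def idx(i: int) -> bytes:
    """Fixed-width encoding of the chain index i."""
    return i.to_bytes(4, "big")


def build_chain(s0: bytes, n: int, sid: bytes, aid: bytes) -> list[bytes]:
    """Return [s_0, s_1, ..., s_n] with s_i = H(s_{i-1}, i, sid, aid), as in Figure 5."""
    chain = [s0]
    for i in range(1, n + 1):
        chain.append(H(chain[-1], idx(i), sid, aid))
    return chain


def sign_root(user_key: bytes, s_n: bytes, q: int) -> bytes:
    """ASSUMPTION: placeholder for HS.Sign_{sk_U}(s_n, Q); an HMAC under the user's key."""
    return hmac.new(user_key, s_n + idx(q), hashlib.sha256).digest()


def session_key(r1: bytes, r2: bytes) -> bytes:
    """k_ses = H(r_1, r_2), as in the excerpt."""
    return H(r1, r2)


class BudgetVerifier:
    """Accepts at most Q requests against a signed chain root, in order, without replay.
    State is only the current anchor and the remaining count, whatever Q is."""

    def __init__(self, user_key, s_n, q, sig, sid, aid):
        if not hmac.compare_digest(sign_root(user_key, s_n, q), sig):
            raise ValueError("root signature does not verify")
        self.anchor = s_n          # last accepted element; it is s_{remaining}
        self.remaining = q         # index of anchor == requests still allowed
        self.sid, self.aid = sid, aid

    def redeem(self, s_prev: bytes) -> bool:
        """ASSUMED release order: the k-th request reveals s_{n-k}. Accept iff it hashes
        (with the expected index, sid and aid) to the current anchor."""
        if self.remaining == 0:
            return False           # budget exhausted
        if H(s_prev, idx(self.remaining), self.sid, self.aid) != self.anchor:
            return False           # wrong element, replay, skipped step, or wrong binding
        self.anchor = s_prev
        self.remaining -= 1
        return True


def run_session(q: int = 3) -> dict:
    """Constructed sample run: budget Q, Q good requests, then exhaustion, replay,
    an out-of-order reveal and a chain bound to a different session id."""
    assert q >= 2, "the skip-ahead and wrong-sid probes below need at least two elements"
    sid, aid = b"sid-constructed-001", b"aid-A_I-constructed"
    user_key = secrets.token_bytes(32)
    chain = build_chain(secrets.token_bytes(32), q, sid, aid)
    sig = sign_root(user_key, chain[q], q)
    v = BudgetVerifier(user_key, chain[q], q, sig, sid, aid)
    results = {
        "accepted": [v.redeem(chain[i]) for i in range(q - 1, -1, -1)],
        "fourth": v.redeem(chain[0]),        # nothing left to redeem
        "replay": v.redeem(chain[q - 1]),    # already-spent element
        "remaining": v.remaining,
    }
    v2 = BudgetVerifier(user_key, chain[q], q, sig, sid, aid)
    results["skip_ahead"] = v2.redeem(chain[q - 2])   # s_{n-2} offered before s_{n-1}
    other = build_chain(chain[0], q, b"sid-other", aid)
    results["wrong_sid"] = v2.redeem(other[q - 1])    # same s_0, different sid
    results["session_key_len"] = len(session_key(secrets.token_bytes(16), secrets.token_bytes(16)))
    return results


if __name__ == "__main__":
    print(run_session())
```

The verifier never stores the chain, only the signed root it started from and the element it accepted last, so its state does not grow with Q_{R,I}; a replayed, skipped or foreign-session element fails the single hash comparison, which is what makes the budget a hard limit rather than a counter the holder could reset.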
Original abstract

Our computing ecosystem is being transformed by two emerging paradigms: the increased deployment of agentic AI systems and advancements in quantum computing. With respect to agentic AI systems, one of the most critical problems is creating secure governing architectures that ensure agents follow their owners' communication and interaction policies and can be held accountable for the messages they exchange with other agents. With respect to quantum computing, existing systems must be retrofitted and new cryptographic mechanisms must be designed to ensure long-term security and quantum resistance. In fact, NIST recommends that standard public-key cryptographic algorithms, including RSA, Diffie-Hellman (DH), and elliptic-curve constructions (ECC), be deprecated starting in 2030 and disallowed after 2035. In this paper, we present MAGIQ, a framework for policy definition and enforcement in multi-agent AI systems using novel, highly efficient, quantum-resistant cryptographic protocols with proven security guarantees. MAGIQ (i) allows users to define rich communication and access-control policy budgets for agent-to-agent sessions and tasks, including global budgets for one-to-many agent sessions; (ii) enforces such policies using post-quantum cryptographic primitives; (iii) supports session-based enforcement of policies for agent-to-agent and one-to-many agent sessions; and (iv) provides accountability of agents to their users through message attribution. We formally model and prove the correctness and security of the system using the Universal Composability (UC) framework. We evaluate the computation and communication overhead of our framework and compare it with the state-of-the-art agentic AI framework SAGA. MAGIQ is a first step toward post-quantum-secure solutions for agentic AI systems.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

1 major / 1 minor

Summary. The paper introduces MAGIQ, a framework for policy definition and enforcement in multi-agent AI systems that uses novel post-quantum cryptographic primitives. It supports rich communication and access-control policy budgets for agent-to-agent and one-to-many sessions, session-based enforcement, message attribution for accountability, and formal modeling plus proofs of correctness and security in the Universal Composability (UC) framework. The work also evaluates computation and communication overhead and compares results to the SAGA framework.

Significance. If the UC proofs are rigorous and the overhead numbers support the efficiency claims, the result would be significant for securing agentic AI against quantum threats. The explicit use of the UC framework to model policy enforcement and attribution, together with the comparison to prior work, provides a concrete foundation that aligns with NIST timelines for deprecating classical public-key cryptography.

major comments (1)
  1. [UC ideal functionality definition] The section defining the UC ideal functionality for agent sessions and policy enforcement: the functionality models only static message flows and classical adversaries, which does not capture adaptive message generation by autonomous AI agents or composition against quantum adversaries. This is load-bearing for the central security claim because the simulation argument cannot transfer to the dynamic multi-agent setting asserted in the abstract and introduction.
minor comments (1)
  1. [Evaluation section] The abstract and introduction assert 'highly efficient' protocols and concrete overhead reductions versus SAGA, but the evaluation section should include explicit parameter settings, key sizes, and timing tables to allow independent verification of those numbers.

Simulated Author's Rebuttal

1 response · 0 unresolved

We are grateful to the referee for their thorough review and valuable feedback on our manuscript. We have addressed the major comment point by point below, providing clarifications and indicating revisions where necessary.

Point-by-point responses
  1. Referee: [UC ideal functionality definition] The section defining the UC ideal functionality for agent sessions and policy enforcement: the functionality models only static message flows and classical adversaries, which does not capture adaptive message generation by autonomous AI agents or composition against quantum adversaries. This is load-bearing for the central security claim because the simulation argument cannot transfer to the dynamic multi-agent setting asserted in the abstract and introduction.

    Authors: We respectfully disagree that our UC ideal functionality is limited to static message flows. The functionality is defined to allow the adversary to initiate sessions and deliver messages in an adaptive manner, subject to the policy constraints defined by the users. This models the dynamic interactions in multi-agent systems, where autonomous agents can generate messages adaptively within their allocated budgets. The simulation argument accounts for this adaptivity by having the simulator respond to the adversary's choices in real time. For quantum adversaries, our proofs leverage the post-quantum security of the cryptographic building blocks, ensuring resistance to quantum attacks. We will revise the manuscript to include a more explicit discussion of adaptivity in the UC model and clarify how the security extends to the quantum setting.

    Revision: yes

Circularity Check

0 steps flagged

No significant circularity; derivation relies on standard UC framework and external post-quantum primitives

full rationale

The paper's core claims rest on defining policies, enforcing them via post-quantum primitives, and proving security/correctness in the UC framework. The abstract explicitly states reliance on the Universal Composability framework for formal modeling and proof, which is an independent, externally defined methodology not constructed from the paper's own inputs. Post-quantum primitives are referenced as coming from prior literature and NIST recommendations rather than self-derived or fitted quantities. No equations, self-citations, or ansatzes in the provided text reduce the security guarantees or policy enforcement to tautological redefinitions of the inputs. The derivation chain is therefore self-contained against external benchmarks.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

Based solely on the abstract; no explicit free parameters, axioms, or invented entities are described. Security claims rest on unstated assumptions about the underlying post-quantum primitives and the fidelity of the UC model to agentic AI threats.

pith-pipeline@v0.9.0 · 5862 in / 1316 out tokens · 37679 ms · 2026-05-20T22:28:22.620838+00:00 · methodology



Reference graph

Works this paper leans on

59 extracted references · 59 canonical work pages · 6 internal anchors

  1. [1] Matt Adorjan. 2025. cloudping.co: AWS Inter-Region Latency Monitoring. https://github.com/mda590/cloudping.co. Accessed: 2025-04-18.
  2. [2] Alfonso Amayuelas, Xianjun Yang, Antonis Antoniades, Wenyue Hua, Liangming Pan, and William Yang Wang. 2024. MultiAgent Collaboration Attack: Investigating Adversarial Attacks in Large Language Model Collaborations via Debate. In Findings of the Association for Computational Linguistics: EMNLP 2024. 6929–6948.
  3. [3] Zeynab Anbiaee, Mahdi Rabbani, Mansur Mirani, Gunjan Piya, Igor Opushnyev, Ali Ghorbani, and Sajjad Dadkhah. 2026. Security Threat Modeling for Emerging AI-Agent Protocols: A Comparative Analysis of MCP, A2A, Agora, and ANP. arXiv:2602.11327 [cs.CR]. https://arxiv.org/abs/2602.11327
  4. [4] Sepideh Avizheh, Mahmudun Nabi, and Reihaneh Safavi-Naini. 2024. Refereed delegation of computation using smart contracts. IEEE Transactions on Dependable and Secure Computing 21, 6 (2024), 5208–5227.
  5. [5] Varun Pratap Bhardwaj. 2026. Agent Behavioral Contracts: Formal Specification and Runtime Enforcement for Reliable Autonomous AI Agents. doi:10.5281/ZENODO.18775393
  6. [6] Johannes Buchmann, Erik Dahmen, Sarah Ereth, Andreas Hülsing, and Markus Rückert. 2013. On the security of the Winternitz one-time signature scheme. International Journal of Applied Cryptography 3, 1 (2013), 84–96.
  7. [7] Johannes Buchmann, Erik Dahmen, and Andreas Hülsing. 2011. XMSS: a practical forward secure signature scheme based on minimal security assumptions. In International Workshop on Post-Quantum Cryptography. Springer, 117–129.
  8. [8] CAIDA. [n. d.]. The CAIDA Archipelago Monitor Statistics. https://www.caida.org/projects/ark/statistics/. Accessed April 2025.
  9. [9] Jan Camenisch, Manu Drijvers, Tommaso Gagliardoni, Anja Lehmann, and Gregory Neven. 2018. The wonderful world of global random oracles. In Annual International Conference on the Theory and Applications of Cryptographic Techniques. Springer, 280–312.
  10. [10] Ran Canetti. 2001. Universally composable security: A new paradigm for cryptographic protocols. In Proceedings 42nd IEEE Symposium on Foundations of Computer Science. IEEE, 136–145.
  11. [11] Ran Canetti. 2004. Universally composable signature, certification, and authentication. In Proceedings. 17th IEEE Computer Security Foundations Workshop, 2004. IEEE, 219–233.
  12. [12] Ran Canetti, Kyle Hogan, Aanchal Malhotra, and Mayank Varia. 2017. A universally composable treatment of network time. In 2017 IEEE 30th Computer Security Foundations Symposium (CSF). IEEE, 360–375.
  13. [13] Ran Canetti, Pratik Sarkar, and Xiao Wang. 2020. Efficient and round-optimal oblivious transfer and commitment with adaptive security. In International Conference on the Theory and Application of Cryptology and Information Security. Springer, 277–308.
  14. [14] Alan Chan, Noam Kolt, Peter Wills, Usman Anwar, Christian Schroeder de Witt, Nitarshan Rajkumar, Lewis Hammond, David Krueger, Lennart Heim, and Markus Anderljung. 2024. IDs for AI Systems. arXiv preprint arXiv:2406.12137 (2024).
  15. [15] Alan Chan, Kevin Wei, Sihao Huang, Nitarshan Rajkumar, Elija Perrier, Seth Lazar, Gillian K. Hadfield, and Markus Anderljung. 2025. Infrastructure for AI Agents. arXiv preprint arXiv:2501.10114 (2025).
  16. [16] Jianming Chen, Yawen Wang, Junjie Wang, Xiaofei Xie, Yuanzhe Hu, Qing Wang, and Fanjiang Xu. 2026. Adversarial Attack on Black-Box Multi-Agent by Adaptive Perturbation. Proceedings of the AAAI Conference on Artificial Intelligence 40, 35 (Mar. 2026), 29359–29367. doi:10.1609/aaai.v40i35.40176
  17. [17] Zhaoliang Chen. 2026. AITH: A Post-Quantum Continuous Delegation Protocol for Human-AI Trust Establishment. arXiv:2604.07695 [cs.CR]. https://arxiv.org/abs/2604.07695
  18. [18] Model Context Protocol Contributors. 2025. Model Context Protocol Registry. https://github.com/modelcontextprotocol/registry. Accessed: 2025-12-11.
  19. [19] Edoardo Debenedetti, Ilia Shumailov, Tianqi Fan, Jamie Hayes, Nicholas Carlini, Daniel Fabian, Christoph Kern, Chongyang Shi, Andreas Terzis, and Florian Tramèr. 2026. Defeating Prompt Injections by Design. arXiv preprint arXiv:2503.18813. In IEEE Conference on Secure and Trustworthy Machine Learning (SaTML). https://arxiv.org/abs/2503.18813
  20. [20] Stefan Dziembowski, Lisa Eckey, and Sebastian Faust. 2018. Fairswap: How to fairly exchange digital goods. In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security. 967–984.
  21. [21] Lisa Eckey, Sebastian Faust, and Benjamin Schlosser. 2020. Optiswap: Fast optimistic fair exchange. In Proceedings of the 15th ACM Asia Conference on Computer and Communications Security. 543–557.
  22. [22] Pierre-Alain Fouque, Jeffrey Hoffstein, Paul Kirchner, Vadim Lyubashevsky, Thomas Pornin, Thomas Prest, Thomas Ricosset, Gregor Seiler, William Whyte, and Zhenfei Zhang. 2020. Falcon: Fast-Fourier Lattice-based Compact Signatures over NTRU, Specification v1.2. Cryptographic Specification. falcon-sign.info. https://falcon-sign.info/falcon.pdf. Accessed: 2026-02-12.
  23. [23] Sebastian Gajek, Mark Manulis, Olivier Pereira, Ahmad-Reza Sadeghi, and Jörg Schwenk. 2008. Universally composable security analysis of TLS. In International Conference on Provable Security. Springer, 313–327.
  24. [24] Google Developer Blog. 2025. Announcing the Agent2Agent Protocol (A2A). https://developers.googleblog.com/en/a2a-a-new-era-of-agent-interoperability/. Accessed: 2025-07-22.
  25. [25] Lov K. Grover. 1996. A fast quantum mechanical algorithm for database search. In Proceedings of the Twenty-Eighth Annual ACM Symposium on Theory of Computing (Philadelphia, Pennsylvania, USA) (STOC '96). Association for Computing Machinery, New York, NY, USA, 212–219. doi:10.1145/237814.237866
  26. [26] gsiros. 2024. saga. https://github.com/gsiros/saga
  27. [27] Xiangming Gu, Xiaosen Zheng, Tianyu Pang, Chao Du, Qian Liu, Ye Wang, Jing Jiang, and Min Lin. 2024. Agent Smith: A Single Image Can Jailbreak One Million Multimodal LLM Agents Exponentially Fast.
  28. [28] Pengfei He, Yupin Lin, Shen Dong, Han Xu, Yue Xing, and Hui Liu. 2025. Red-teaming LLM multi-agent systems via communication attacks. arXiv preprint arXiv:2502.14847 (2025).
  29. [29] Julia Hesse, Stanislaw Jarecki, Hugo Krawczyk, and Christopher Wood. 2023. Password-authenticated TLS via OPAQUE and post-handshake authentication. In Annual International Conference on the Theory and Applications of Cryptographic Techniques. Springer, 98–127.
  30. [30] Sirui Hong, Mingchen Zhuge, Jonathan Chen, Xiawu Zheng, Yuheng Cheng, Jinlin Wang, Ceyao Zhang, Zili Wang, Steven Ka Shing Yau, Zijuan Lin, Liyang Zhou, Chenyu Ran, Lingfeng Xiao, Chenglin Wu, and Jürgen Schmidhuber.
  31. [31] MetaGPT: Meta Programming for A Multi-Agent Collaborative Framework. In The Twelfth International Conference on Learning Representations. https://openreview.net/forum?id=VtmBAGCN7o
  32. [32] Andreas Huelsing, Denis Butin, Stefan-Lukas Gazdag, Joost Rijneveld, and Aziz Mohaisen. 2018. XMSS: eXtended Merkle Signature Scheme. RFC 8391. doi:10.17487/RFC8391
  33. [33] Andreas Hülsing, Denis Butin, Stefan-Lukas Gazdag, Joost Rijneveld, and Aziz Mohaisen. 2018. XMSS: eXtended Merkle Signature Scheme. RFC 8391. doi:10.17487/RFC8391
  34. [34] Rishi Jha, Harold Triedman, Justin Wagle, and Vitaly Shmatikov. 2026. Breaking and Fixing Defenses Against Control-Flow Hijacking in Multi-Agent Systems. arXiv:2510.17276 [cs.LG]. https://arxiv.org/abs/2510.17276
  35. [35] Maurits Kaptein, Vassilis-Javed Khan, and Andriy Podstavnychy. 2026. Runtime Governance for AI Agents: Policies on Paths. arXiv:2603.16586 [cs.AI]. https://arxiv.org/abs/2603.16586
  36. [36] Naveen Kumar Krishnan. 2026. Beyond Context Sharing: A Unified Agent Communication Protocol (ACP) for Secure, Federated, and Autonomous Agent-to-Agent (A2A) Orchestration. arXiv:2602.15055 [cs.MA]. https://arxiv.org/abs/2602.15055
  37. [37] Leslie Lamport. 1979. Constructing digital signatures from a one way function. Technical Report SRI-CSL-98 (1979).
  38. [38] Donghyun Lee and Mo Tiwari. 2024. Prompt infection: LLM-to-LLM prompt injection within multi-agent systems. arXiv preprint arXiv:2410.07283 (2024).
  39. [39] Evan Li, Tushin Mallick, Evan Rose, William Robertson, Alina Oprea, and Cristina Nita-Rotaru. 2026. ACE: A Security Architecture for LLM-Integrated App Systems. In Proceedings of the Network and Distributed System Security Symposium (NDSS).
  40. [40] Yedidel Louck, Ariel Stulman, and Amit Dvir. 2025. Improving Google A2A Protocol: Protecting Sensitive Data and Mitigating Unintended Harms in Multi-Agent Systems. arXiv:2505.12490 [cs.CR]. https://arxiv.org/abs/2505.12490
  41. [41] Dustin Moody, Ray Perlner, Andrew Regenscheid, Angela Robinson, and David Cooper. 2024. Transition to Post-Quantum Cryptography Standards. Technical Report NIST IR 8547 (Initial Public Draft). National Institute of Standards and Technology, Gaithersburg, MD, USA. doi:10.6028/NIST.IR.8547.ipd
  42. [42] Luca Muscariello, Vijoy Pandey, and Ramiz Polic. 2025. The AGNTCY Agent Directory Service: Architecture and Implementation. arXiv:2509.18787 [cs.AI]. https://arxiv.org/abs/2509.18787
  43. [43] National Institute of Standards and Technology (NIST). August 13, 2024. FIPS 203 Module-Lattice-Based Key-Encapsulation Mechanism Standard. https://csrc.nist.gov/pubs/fips/203/final
  44. [44] National Institute of Standards and Technology (NIST). August 13, 2024. FIPS 204 Module-Lattice-Based Digital Signature Standard. https://csrc.nist.gov/pubs/fips/204/final
  45. [45] National Institute of Standards and Technology (NIST). August 13, 2024. FIPS 205 Stateless Hash-Based Digital Signature Standard. https://csrc.nist.gov/pubs/fips/205/final
  46. [46] Ramesh Raskar, Pradyumna Chari, Jared James Grogan, Mahesh Lambe, Robert Lincourt, Raghu Bala, Aditi Joshi, Abhishek Singh, Ayush Chopra, Rajesh Ranjan, Shailja Gupta, Dimitris Stripelis, Maria Gorskikh, and Sichao Wang. 2025. Upgrade or Switch: Do We Need a Next-Gen Trusted Architecture for the Internet of AI Agents? arXiv:2506.12003 [cs.NI]. https://ar...
  47. [47] Tirumaleswar Reddy and Hannes Tschofenig. 2025. Post-Quantum Cryptography Recommendations for TLS-based Applications. Internet-Draft, draft-ietf-uta-pqc-app-00. https://www.ietf.org/archive/id/draft-ietf-uta-pqc-app-00.html. Work in progress.
  48. [48] Ronald L. Rivest and Adi Shamir. 1996. PayWord and MicroMint: Two simple micropayment schemes. In International Workshop on Security Protocols. Springer, 69–87.
  49. [49] Yonadav Shavit, Sandhini Agarwal, Miles Brundage, Steven Adler, Cullen O'Keefe, Rosie Campbell, Teddy Lee, Pamela Mishkin, Tyna Eloundou, Alan Hickey, et al.
  50. [50] Practices for governing agentic AI systems. Research Paper, OpenAI (2023).
  51. [51] P. W. Shor. 1994. Algorithms for quantum computation: discrete logarithms and factoring. In Proceedings 35th Annual Symposium on Foundations of Computer Science. 124–134. doi:10.1109/SFCS.1994.365700
  52. [52] Tobin South, Samuele Marro, Thomas Hardjono, Robert Mahari, Cedric Deslandes Whitney, Dazza Greenwood, Alan Chan, and Alex Pentland. 2025. Authenticated Delegation and Authorized AI Agents. arXiv preprint arXiv:2501.09674 (2025).
  53. [53] Rao Surapaneni, Miku Jha, Michael Vakoc, and Todd Segal. 2025. Announcing the Agent2Agent Protocol (A2A). Google Developers Blog. https://developers.googleblog.com/en/a2a-a-new-era-of-agent-interoperability/. Accessed: 2025-04-10.
  54. [54] Georgios Syros, Anshuman Suri, Jacob Ginesin, Cristina Nita-Rotaru, and Alina Oprea. 2026. SAGA: A Security Architecture for Governing AI Agentic Systems. In Proceedings of the Network and Distributed System Security Symposium (NDSS).
  55. [55] Haochuan Kevin Wang and Zechen Zhang. 2026. Kill-Chain Canaries: Stage-Level Tracking of Prompt Injection Across Attack Surfaces and Model Safety Tiers. arXiv:2603.28013 [cs.CR]. https://arxiv.org/abs/2603.28013
  56. [56] Qingyun Wu, Gagan Bansal, Jieyu Zhang, Yiran Wu, Beibin Li, Erkang Zhu, Li Jiang, Xiaoyun Zhang, Shaokun Zhang, Jiale Liu, Ahmed Hassan Awadallah, Ryen W. White, Doug Burger, and Chi Wang. 2023. AutoGen: Enabling Next-Gen LLM Applications via Multi-Agent Conversation. arXiv:2308.08155 [cs.AI]. https://arxiv.org/abs/2308.08155
  57. [57] Weichen Yu, Kai Hu, Tianyu Pang, Chao Du, Min Lin, and Matt Fredrikson. 2025. Infecting LLM Agents via Generalizable Adversarial Attack. In Red Teaming GenAI: What Can We Learn from Adversaries? https://openreview.net/forum?id=udsmFGMwlp
  58. [58] Weibo Zhao, Jiahao Liu, Bonan Ruan, Shaofei Li, and Zhenkai Liang.
  59. [59] When MCP Servers Attack: Taxonomy, Feasibility, and Mitigation. arXiv:2509.24272 [cs.CR]. https://arxiv.org/abs/2509.24272

Appendix text extracted after the reference list (truncated at source): A Ethical Considerations. Our paper is not an attack paper, it does not use any public dataset, or human data collection, so we believe that there are no ethical concerns. B Notations. We present the notations used throughout the paper i...