
arxiv: 2405.12042 · v3 · submitted 2024-05-20 · 💻 cs.CR

Attribute-Based Authentication in Secure Group Messaging for Distributed Environments and Safer Online Spaces

Pith reviewed 2026-05-24 00:39 UTC · model grok-4.3

classification 💻 cs.CR
keywords attribute-based credentials · continuous group key agreement · secure group messaging · privacy-preserving authentication · unlinkability · unforgeability · MLS

The pith

A protocol lets groups authenticate new members by proving attributes rather than revealing identities while preserving unlinkability.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper defines Attribute-Authenticated Continuous Group Key Agreement (AA-CGKA) as a variant of the CGKA protocol that underlies MLS. It replaces certificate-based identity checks with attribute-based credentials (ABCs) that support selective disclosure, so a joining member (the solicitor) reveals only the minimum attributes required by the group, and the group can change those requirements over time. Security proofs establish that AA-CGKA meets Requirement Integrity, Unforgeability and Unlinkability, provided the underlying credential scheme is itself unforgeable and unlinkable. An implementation is given whose costs are comparable to a trivial certificate-based solution.

Core claim

We formally define a CGKA variant named Attribute-Authenticated Continuous Group Key Agreement (AA-CGKA) and provide security proofs for its properties of Requirement Integrity, Unforgeability and Unlinkability. We also provide an implementation of our AA-CGKA scheme and show that it achieves performance similar to a trivial certificate-based solution.

What carries the argument

Attribute-Authenticated Continuous Group Key Agreement (AA-CGKA), which integrates attribute-based credentials with selective disclosure into the CGKA protocol to replace identity authentication with attribute proofs.

If this is right

  • Groups can enforce dynamic, attribute-defined membership rules without exposing member identities.
  • User activity remains unlinkable across separate groups even when the same attributes are used.
  • The protocol can be deployed with computational and communication costs close to those of certificate-based CGKA.
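The join flow described in the pith (the group publishes its requirements, the solicitor presents only the attributes those requirements name, the group checks the presentation before admitting her), as an added example that is not code from the paper or from its implementation. It uses SD-JWT-style salted-hash selective disclosure because that is one of the ABC schemes the paper benchmarks, but everything else is constructed for this block: the issuer signature is an HMAC stand-in for a real public-key signature, the requirement encoding as (attribute, operator, value) triples is assumed, and ISSUER_KEY and the sample attributes are made up. The last function shows the point behind the load-bearing premise below: with a single hash-based credential, every presentation repeats the same issuer signature, so unlinkability has to come from the ABC scheme itself.

```python
"""Toy attribute-authenticated join: hash-based selective disclosure with
requirement checking. Constructed illustration, not the paper's code."""
import hashlib
import hmac
import json
import secrets

# Constructed issuer key (assumption). HMAC stands in for the issuer's
# signature so the block runs on the standard library alone; a real
# credential uses a public-key signature such as the SD-JWT or BBS
# schemes the paper benchmarks.
ISSUER_KEY = b"constructed-issuer-key-not-a-real-secret"


def _digest(salt: str, name: str, value) -> str:
    """Salted commitment to one attribute, modelled on an SD-JWT disclosure."""
    payload = json.dumps([salt, name, value], separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


def _sign(issuer_key: bytes, digests: list) -> str:
    """Issuer signature stand-in over the digest list only."""
    return hmac.new(issuer_key, json.dumps(digests).encode(), hashlib.sha256).hexdigest()


def issue(issuer_key: bytes, attrs: dict) -> dict:
    """Issuer side: commit to every attribute and sign the sorted digest list,
    so the signed object reveals neither attribute values nor their order."""
    disclosures = {n: (secrets.token_hex(16), v) for n, v in attrs.items()}
    digests = sorted(_digest(s, n, v) for n, (s, v) in disclosures.items())
    return {"digests": digests, "sig": _sign(issuer_key, digests), "disclosures": disclosures}


def present(cred: dict, reqs: list) -> dict:
    """Solicitor side: build a Presentation revealing only the attributes the
    group's current requirements name (selective disclosure)."""
    needed = {name for name, _, _ in reqs}
    revealed = {n: cred["disclosures"][n] for n in needed if n in cred["disclosures"]}
    return {"digests": cred["digests"], "sig": cred["sig"], "revealed": revealed}


# Requirement triples (attribute, operator, reference) are an assumed encoding;
# the paper's own requirement syntax is only shown in its Figure 2.
_OPS = {"==": lambda a, b: a == b, ">=": lambda a, b: a >= b, "in": lambda a, b: a in b}


def verify(issuer_key: bytes, pres: dict, reqs: list) -> bool:
    """Group side: (1) issuer signature over the digest list, (2) every revealed
    attribute opens one of the signed digests, (3) every requirement is met."""
    if not hmac.compare_digest(_sign(issuer_key, pres["digests"]), pres["sig"]):
        return False
    for name, (salt, value) in pres["revealed"].items():
        if _digest(salt, name, value) not in pres["digests"]:
            return False  # forged or altered disclosure
    for name, op, ref in reqs:
        if name not in pres["revealed"]:
            return False  # attribute not disclosed, requirement cannot be checked
        if not _OPS[op](pres["revealed"][name][1], ref):
            return False
    return True


def linkable(p1: dict, p2: dict) -> bool:
    """Unlinkability caveat: two presentations cut from the same single-issued
    hash-based credential carry the identical issuer signature, so a verifier
    that sees both can tie them to one holder even though different attributes
    were revealed. Removing this needs batch issuance or a randomisable
    signature (BBS), i.e. the property the paper assumes of its ABC scheme."""
    return p1["sig"] == p2["sig"]


if __name__ == "__main__":
    # Constructed sample attributes and requirements.
    cred = issue(ISSUER_KEY, {"age": 34, "org": "acme", "email": "x@example.org"})
    group_a = [("age", ">=", 18)]
    group_b = [("org", "==", "acme")]
    pa, pb = present(cred, group_a), present(cred, group_b)
    print(verify(ISSUER_KEY, pa, group_a), sorted(pa["revealed"]))  # True ['age']
    print(linkable(pa, pb))  # True
```

Run the block directly to see a compliant join accepted with only `age` disclosed; the `linkable` check returning True for two presentations of the same credential is exactly the failure mode that the paper's reduction pushes onto the credential scheme, so any deployment that wants the cross-group guarantee in the bullet list above must pick an ABC scheme that provides it rather than a plain SD-JWT issued once.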

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The approach could support attribute-based access in other dynamic key-agreement settings beyond the MLS protocol.
  • Selective disclosure may reduce the data exposed during membership changes in large distributed groups.

Load-bearing premise

The security proofs assume the underlying attribute-based credential scheme with selective disclosure itself provides unlinkability and unforgeability.

What would settle it

An attack that forges a valid attribute proof accepted by AA-CGKA or links two sessions of the same user across groups would falsify the claimed security properties.

Figures

Figures reproduced from arXiv: 2405.12042 by David Soler (1), Carlos Dafonte (1), Manuel Fernández-Veiga (2), Ana Fernández Vilas (2) and Francisco J. Nóvoa (1). (1) CITIC, Universidade da Coruña, A Coruña, Spain; (2) atlanTTic, Universidade de Vigo, Vigo, Spain.

Figure 1: Overview of the Create and PublishInfo operations.
  Text extracted alongside Figure 1: "Solicitor: user who is trying to join an AA-CGKA group. To this end, the solicitor must obtain the Group Information Message, which contains relevant information about the group, and then issue an External Join to directly enter the group without requiring invitation from an existing member. The solicitor must also include a Presentation in which she in…"

Figure 2: Example of a set of requirements.

Figure 3: Overview of the Present and External Join operations.
  Text extracted alongside Figure 3: "…CGKA scheme) but also includes an ABC Presentation containing the solicitor's attributes. Solicitors generate a Presentation Package using the AA-CGKA function Present. The creation of a Presentation Package requires obtaining some information about the state of the group, including the current set of requirements. This information must be generated by …"

Figure 4: Overview of the ProposeReqs, Commit and Process operations.
  Text extracted alongside Figure 4: "…signature keys are associated to any user's identity. However, our model is slightly different since the ABCs that solicitors present do not always carry long-term key material. This is intentional: key material reuse would imply that a verifier could identify the same solicitor in different CGKA groups or other online activities, which would work…"

Figure 5: AA-CGKA construction.

Figure 6: Auxiliary functions for the AA-CGKA construction.

Figure 7: Abstract PKI functionality.

Figure 8: Available queries for A in the security games of the AA-CGKA scheme.
  Game text extracted alongside Figure 8 (the Requirement Integrity game and the start of the Unforgeability game, truncated):
    RI_A(1^λ, users):
      Setup(1^λ, users)
      (id, C) ← A^Q(1^λ)
      if ∃ (n, C′) ∈ comms s.t. n = state[id] − 1 then assert C ≠ C′ end if
      reqs ← state[id].reqs
      (γ, ok) ← Process(state[id], C)
      if ok ∧ state[id].reqs ≠ reqs then A wins the game end if
    Unf_A(1^λ, users):
      Setup(1^λ, users)
      (id, id′, PP_A, prop-type) ← A^Q(1^λ)
      prop ← Propose(state[id], prop-type, id…

Figure 9 (p. 16): Requirement Integrity, Unforgeability and Unlinkability security games.

Figure 9 (p. 17): We model the two different methods by which the adversary could try …

Figure 10: Generation and process time for different ABC schemes as the number of users grows.

Figure 11: Message size for different ABC schemes as the number of users grows.

Figure 12: Mean latency for different ABC schemes as the number of users grows.
Original abstract

The Messaging Layer Security (MLS) and its underlying Continuous Group Key Agreement (CGKA) protocol allow a group of users to share a cryptographic secret in a dynamic manner, such that the secret is modified in member insertions and deletions. Although this flexibility makes MLS ideal for implementations in distributed environments, a number of issues need to be overcome. Particularly, the use of digital certificates for authentication in a group goes against the group members' privacy. In this work we provide an alternative method of authentication in which the solicitors, instead of revealing their identity, only need to prove possession of certain attributes, dynamically defined by the group, to become a member. Instead of digital certificates, we employ Attribute-Based Credentials accompanied with Selective Disclosure in order to reveal the minimum required amount of information and to prevent attackers from linking the activity of a user through multiple groups. We formally define a CGKA variant named Attribute-Authenticated Continuous Group Key Agreement (AA-CGKA) and provide security proofs for its properties of Requirement Integrity, Unforgeability and Unlinkability. We also provide an implementation of our AA-CGKA scheme and show that it achieves performance similar to a trivial certificate-based solution.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

1 major / 1 minor

Summary. The paper introduces Attribute-Authenticated Continuous Group Key Agreement (AA-CGKA), a CGKA variant for protocols such as MLS that replaces certificate-based authentication with attribute-based credentials supporting selective disclosure. Group membership is granted upon proving possession of dynamically defined attributes rather than revealing identities, with the goal of preserving privacy and preventing cross-group linking. The manuscript formally defines AA-CGKA, supplies security proofs for Requirement Integrity, Unforgeability and Unlinkability, and reports an implementation whose performance is comparable to a trivial certificate-based baseline.

Significance. If the reductions are valid, the work supplies a privacy-oriented authentication layer for dynamic group key agreement that directly addresses identity leakage in distributed messaging. The explicit formal definition, the three security proofs, and the accompanying implementation constitute concrete, verifiable contributions that could be adopted in privacy-sensitive deployments.

major comments (1)
  1. [Security proofs section] The proofs of Requirement Integrity, Unforgeability and Unlinkability are obtained by direct reduction to the unlinkability and unforgeability properties of the underlying attribute-based credential scheme with selective disclosure. The manuscript must state the precise interface between the CGKA operations and the ABC selective-disclosure calls, together with any additional assumptions required for the reduction to go through; without this, the AA-CGKA guarantees are not self-contained.
minor comments (1)
  1. The term 'Requirement Integrity' is introduced without an explicit definition or motivation in the abstract or early sections; a concise statement of the property (e.g., as an equation or game) should appear before the proof.

Simulated Author's Rebuttal

1 responses · 0 unresolved

We thank the referee for the constructive comment on the security proofs. We address it point by point below and will incorporate the requested clarifications in the revised manuscript.

Point-by-point responses
  1. Referee: [Security proofs section] The proofs of Requirement Integrity, Unforgeability and Unlinkability are obtained by direct reduction to the unlinkability and unforgeability properties of the underlying attribute-based credential scheme with selective disclosure. The manuscript must state the precise interface between the CGKA operations and the ABC selective-disclosure calls, together with any additional assumptions required for the reduction to go through; without this, the AA-CGKA guarantees are not self-contained.

    Authors: We agree that an explicit description of the interface is necessary for the reductions to be self-contained. In the revised manuscript we will add a dedicated subsection (in the security proofs section) that enumerates the exact ABC selective-disclosure calls invoked by each CGKA operation (Create, Join, Leave, Update) together with the concrete inputs and outputs passed between the CGKA state machine and the ABC oracle. We will also list the additional assumptions required for the reductions (e.g., that the underlying ABC scheme satisfies the stated unlinkability and unforgeability properties in the presence of adaptive attribute queries, and that the CGKA transcript is independent of the credential issuance transcript except through the explicit interface). These additions will make the AA-CGKA security statements fully rigorous without altering the existing proof structure.
    revision: yes

Circularity Check

0 steps flagged

No significant circularity; standard cryptographic reduction to external primitive

Full rationale

The paper defines AA-CGKA and proves Requirement Integrity, Unforgeability and Unlinkability via reduction to the unlinkability/unforgeability properties of an underlying attribute-based credential scheme with selective disclosure. This is a conventional security reduction to an assumed-external primitive rather than a self-referential definition, fitted parameter renamed as prediction, or self-citation chain. No equations or steps in the provided abstract reduce the claimed properties to the paper's own inputs by construction. The implementation comparison is orthogonal to the proof structure. Per the hard rules, this receives score 0 as the derivation remains self-contained against the external benchmark primitive.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axiom · 1 invented entity

The central claim rests on the security of an external attribute-based credential primitive and on standard cryptographic assumptions; no free parameters or new invented entities beyond the protocol definition itself are introduced.

axioms (1)
  • domain assumption Security of the underlying attribute-based credential scheme with selective disclosure
    Invoked to establish the three security properties of AA-CGKA.
invented entities (1)
  • AA-CGKA protocol no independent evidence
    purpose: Variant of CGKA that replaces certificate authentication with attribute-based credentials
    New protocol definition introduced by the paper; no independent evidence supplied beyond the definition itself.

pith-pipeline@v0.9.0 · 5806 in / 1193 out tokens · 19824 ms · 2026-05-24T00:39:05.477719+00:00 · methodology


Reference graph

Works this paper leans on

40 extracted references · 40 canonical work pages

  1. [1] R. Barnes, B. Beurdouche, R. Robert, J. Millican, E. Omara, K. Cohn-Gordon, The Messaging Layer Security (MLS) Protocol, RFC 9420, Internet Engineering Task Force, 132 pages (Jul. 2023). doi:10.17487/RFC9420
  2. [2] J. Alwen, S. Coretti, Y. Dodis, Y. Tselekounis, Modular design of secure group messaging protocols and the security of MLS, Cryptology ePrint Archive, Paper 2021/1083 (2021). https://eprint.iacr.org/2021/1083
  3. [3] G. Cohen, T. Thibodeau, I. Herman, M. Sporny, M. Jones, Verifiable Credentials Data Model v2.0, Candidate Recommendation, W3C, https://www.w3.org/TR/2024/CRD-vc-data-model-2.0-20240207/ (Feb. 2024)
  4. [4] R. Soltani, U. T. Nguyen, A. An, A survey of self-sovereign identity ecosystem, Security and Communication Networks 2021 (2021) 1–26
  5. [5] J. Alwen, S. Coretti, Y. Dodis, Y. Tselekounis, Security Analysis and Improvements for the IETF MLS Standard for Group Messaging, in: D. Micciancio, T. Ristenpart (Eds.), Advances in Cryptology – CRYPTO 2020, LNCS Vol. 12170, Springer International Publishing, Cham, 2020, pp. 248–277. doi:10.1007/978-3-030-…
  6. [6] J. Alwen, D. Jost, M. Mularczyk, On the Insider Security of MLS, in: Y. Dodis, T. Shrimpton (Eds.), Advances in Cryptology – CRYPTO 2022, LNCS Vol. 13508, Springer Nature Switzerland, Cham, 2022, pp. 34–68. doi:10.1007/978-3-031-15979-4_2
  7. [8] K. Cohn-Gordon, C. Cremers, L. Garratt, J. Millican, K. Milner, On Ends-to-Ends Encryption: Asynchronous Group Messaging with Strong Security Guarantees, in: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, ACM, Toronto, Canada, 2018, pp. 1802–1819. doi:10.1145/3243734.3243747
  8. [9] K. Bhargavan, R. Barnes, E. Rescorla, TreeKEM: Asynchronous Decentralized Key Management for Large Dynamic Groups (2018)
  9. [10] J. Alwen, M. Mularczyk, Y. Tselekounis, Fork-Resilient Continuous Group Key Agreement, in: H. Handschuh, A. Lysyanskaya (Eds.), Advances in Cryptology – CRYPTO 2023, LNCS Vol. 14084, Springer Nature Switzerland, Cham, 2023, pp. 396–429. doi:10.1007/978-3-031-38551-3_13
  10. [11] M. Weidner, M. Kleppmann, D. Hugenroth, A. R. Beresford, Key Agreement for Decentralized Secure Group Messaging with Strong Security Guarantees, in: Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, ACM, Virtual Event, Republic of Korea, 2021, pp. 2024–2045. doi:10.1145/3460120.3484542
  11. [12] J. Alwen, B. Auerbach, M. C. Noval, K. Klein, G. Pascual-Perez, K. Pietrzak, Decaf: Decentralizable continuous group key agreement with fast healing, Cryptology ePrint Archive, Paper 2022/559 (2022)
  12. [13] J. Alwen, D. Hartmann, E. Kiltz, M. Mularczyk, Server-Aided Continuous Group Key Agreement, in: Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security, ACM, Los Angeles, CA, USA, 2022, pp. 69–82. doi:10.1145/3548606.3560632
  13. [14] D. Balbás, D. Collins, S. Vaudenay, Cryptographic administration for secure group messaging, Cryptology ePrint Archive, Paper 2022/1411 (2022)
  14. [15] K. Emura, K. Kajita, R. Nojima, K. Ogawa, G. Ohtake, Membership Privacy for Asynchronous Group Messaging, in: I. You, T.-Y. Youn (Eds.), Information Security Applications, LNCS Vol. 13720, Springer Nature Switzerland, Cham, 2023, pp. 131–142. doi:10.1007/978-3-031-25659-2_10
  15. [16] J. Bobolz, F. Eidens, S. Krenn, S. Ramacher, K. Samelin, Issuer-Hiding Attribute-Based Credentials, in: M. Conti, M. Stevens, S. Krenn (Eds.), Cryptology and Network Security, LNCS Vol. 13099, Springer International Publishing, Cham, 2021, pp. 158–178. doi:10.1007/978-3-030-92548-2_9
  16. [17] D. Fett, K. Yasuda, D. Campbell, Selective Disclosure for JWTs (SD-JWT), Internet Draft draft-ietf-oauth-selective-disclosure-jwt-08, Internet Engineering Task Force, 12 pages (Jul. 2023). https://datatracker.ietf.org/doc/draft-ietf-oauth-selective-disclosure-jwt/
  17. [18] T. Looker, V. Kalos, A. Whitehead, M. Lodder, The BBS Signature Scheme, Internet Draft draft-irtf-cfrg-bbs-signatures-05, Internet Engineering Task Force, 115 pages (Dec. 2023). https://datatracker.ietf.org/doc/draft-irtf-cfrg-bbs-signatures
  18. [19] H. K. Maji, M. Prabhakaran, M. Rosulek, Attribute-based signatures, in: Cryptographers' Track at the RSA Conference, Springer, 2011, pp. 376–392
  19. [20] N. Kaaniche, M. Laurent, Attribute-based signatures for supporting anonymous certification, in: European Symposium on Research in Computer Security, Springer, 2016, pp. 279–300
  20. [21] A. El Kaafarani, E. Ghadafi, Attribute-based signatures with user-controlled linkability without random oracles, in: IMA International Conference on Cryptography and Coding, Springer, 2017, pp. 161–184
  21. [22] R. Barnes, S. Nandakumar, Additional MLS Credentials, Internet Draft draft-barnes-mls-addl-creds-00, Internet Engineering Task Force, 12 pages (Jul. 2023)
  22. [23] C. Cremers, E. Günsay, V. Wesselkamp, M. Zhao, ETK: External-operations TreeKEM and the security of MLS in RFC 9420, Cryptology ePrint Archive, Paper 2025/229 (2025). https://eprint.iacr.org/2025/229
  23. [24] J. Camenisch, M. Dubovitskaya, K. Haralambiev, M. Kohlweiss, Composable and modular anonymous credentials: Definitions and practical constructions, in: Advances in Cryptology – ASIACRYPT 2015, 21st International Conference on the Theory and Application of Cryptology and Information Security, Auckland, New Zealand, November 29–December 3, 2015, Proce…
  24. [25] E. Bangerter, J. Camenisch, A. Lysyanskaya, A cryptographic framework for the controlled release of certified data, in: Security Protocols: 12th International Workshop, Cambridge, UK, April 26–28, 2004, Revised Selected Papers, Springer, 2006, pp. 20–42
  25. [26] J. Camenisch, A. Lysyanskaya, Signature Schemes and Anonymous Credentials from Bilinear Maps, in: M. Franklin (Ed.), Advances in Cryptology – CRYPTO 2004, LNCS Vol. 3152, …
  26. [27] Q. Wang, D. Wang, Understanding failures in security proofs of multi-factor authentication for mobile devices, IEEE Transactions on Information Forensics and Security 18 (2023) 597–612. doi:10.1109/TIFS.2022.3227753
  27. [28] N. Koblitz, A. J. Menezes, Another look at "provable security", Journal of Cryptology 20 (1) (2007) 3–37. doi:10.1007/s00145-005-0432-z
  28. [29] D. Soler, C. Dafonte, M. Fernández-Veiga, A. F. Vilas, F. J. Nóvoa, Experimental analysis of efficiency of the messaging layer security for multiple delivery services (2025). arXiv:2502.18303. https://arxiv.org/abs/2502.18303
  29. [30] Phoenix R&D, OpenMLS, https://github.com/openmls/openmls (2024)
  30. [31] OpenWallet Foundation, SD-JWT Rust reference implementation, https://github.com/openwallet-foundation-labs/sd-jwt-rust (2024)
  31. [32] G. Bernstein, M. Sporny, Data Integrity BBS Cryptosuites v1.0, W3C Recommendation, W3C, https://www.w3.org/TR/vc-di-bbs/ (Mar. 2024)
  32. [33] SpruceID, ssi, https://github.com/spruceid/ssi (2024)
  33. [34] F. Kiefer, K. Bhargavan, R. Barnes, J. Alwen, M. Mularczyk, Partial MLS, Internet Draft draft-ietf-mls-partial-00, Internet Engineering Task Force, 12 pages (Jul. 2023)
  34. [35] M. Rosenberg, J. White, C. Garman, I. Miers, zk-creds: Flexible anonymous credentials from zkSNARKs and existing identity infrastructure, in: 2023 IEEE Symposium on Security and Privacy (SP), IEEE, 2023, pp. 790–808
  35. [36] L. Paillat, C.-L. Ignat, D. Frey, M. Turuani, A. Ismail, Discreet: distributed delivery service with context-aware cooperation, Annals of Telecommunications 80 (3) (2025) 357–374. doi:10.1007/s12243-024-01053-1
  36. [37] T. Albouy, D. Frey, M. Gestin, M. Raynal, F. Taïani, Context adaptive cooperation (2024). arXiv:2311.08776. https://arxiv.org/abs/2311.08776
  37. [38] K. Kajita, K. Emura, K. Ogawa, R. Nojima, G. Ohtake, Continuous Group Key Agreement with Flexible Authorization and Its Applications, in: Proceedings of the 9th ACM International Workshop on Security and Privacy Analytics, ACM, Charlotte, NC, USA, 2023, pp. 3–13. doi:10.1145/3579987.3586570
  38. [39] T. Insoll, V. Soloveva, E. Díaz Bethencourt, A. Ovaska, N. Vaaranen-Valkonen, Tech platforms used by online child sexual abuse offenders: Research report with actionable recommendations for the tech industry, Research report, Protect Children / Suojellaan Lapsia ry (2024), accessed 25-09-2025
  39. [40] M. Ashcroft, L. Kaati, M. Meyer, A step towards detecting online grooming: identifying adults pretending to be children, in: 2015 European Intelligence and Security Informatics Conference, IEEE, 2015, pp. 98–104
  40. [41] J. Brendel, C. Cremers, D. Jackson, M. Zhao, The provable security of Ed25519: theory and practice, in: 2021 IEEE Symposium on Security and Privacy (SP), IEEE, 2021, pp. 1659–1676

Text extracted after the reference list (start of the paper's Appendix A, Security Games, truncated): "In this Appendix we include the security games for the cryptographic primitives we employ in our AA-CGKA scheme. They are specially relevant for…"