pith. machine review for the scientific record.

arXiv: 2605.06933 · v1 · submitted 2026-05-07 · cs.LG · cs.CR · cs.MA

Recognition: 2 theorem links


MAGIQ: A Post-Quantum Multi-Agentic AI Governance System with Provable Security


Pith reviewed 2026-05-11 01:05 UTC · model grok-4.3

classification: cs.LG, cs.CR, cs.MA
keywords: post-quantum cryptography, multi-agent systems, policy enforcement, universal composability, agentic AI, message attribution, access control, quantum resistance

The pith

MAGIQ provides a post-quantum framework for defining and enforcing policies in multi-agent AI systems with formal security proofs.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper introduces MAGIQ to address the need for secure governance in agentic AI systems amid the rise of quantum computing. It enables users to set detailed policy budgets that control how AI agents communicate and interact, including limits on one-to-many sessions. The framework uses new cryptographic protocols designed to resist quantum attacks and proves the system's security and correctness through the universal composability model. This matters because current cryptographic standards will be phased out by 2035, leaving multi-agent AI vulnerable without updates. The approach also ensures that agents can be held accountable by attributing messages back to their owners.

Core claim

MAGIQ allows users to define rich communication and access-control policy budgets for agent-to-agent sessions and tasks, including global budgets for one-to-many agent sessions. It enforces such policies using post-quantum cryptographic primitives, supports session-based enforcement for agent-to-agent and one-to-many agent sessions, and provides accountability of agents to their users through message attribution. The system is formally modeled and its correctness and security are proven using the Universal Composability framework. Performance evaluations compare its computation and communication overhead to the SAGA framework, positioning it as an initial step toward post-quantum secure agent

What carries the argument

The MAGIQ framework, which integrates policy budget definitions with novel quantum-resistant cryptographic protocols for enforcement and message attribution in multi-agent sessions.

If this is right

  • Users gain the ability to impose global policy budgets across multiple agents in shared sessions.
  • Policy enforcement occurs securely for both direct agent pairs and group interactions.
  • Message attribution ensures agents remain accountable to their human owners.
  • The overall system maintains provable security guarantees against quantum threats.
  • Overhead remains comparable to existing frameworks while adding quantum resistance.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • This could allow safer integration of AI agents into collaborative environments where policy violations carry high stakes.
  • Future extensions might adapt the protocols for other distributed systems facing similar quantum risks.
  • Testing in real-world multi-agent deployments could reveal practical scalability limits not covered in the initial evaluation.
  • The formal UC proofs suggest potential for composing MAGIQ with other secure protocols in larger AI ecosystems.

Load-bearing premise

The proposed cryptographic protocols achieve high efficiency and quantum resistance while meeting the security properties established in the universal composability analysis.

What would settle it

A successful quantum algorithm that breaks one of the novel protocols or a concrete multi-agent scenario where an agent violates policies despite the enforcement mechanism would disprove the security claims.

Figures

Figures reproduced from arXiv: 2605.06933 by Alina Oprea, Cristina Nita-Rotaru, Reihaneh Safavi-Naini, Sepideh Avizheh, Tushin Mallick.

Figure 1: Example of a multi-agent coordination.
Adjacent paper text: 2 Background and Problem Statement. 2.1 Governance for AI Agentic Systems. An agentic AI system is a system composed of one or more autonomous agents that perceive, reason, and act—individually or collaboratively—to achieve tasks with minimal human intervention (see

Figure 2: User registration.
Adjacent paper text: The user specifies the agent's device name $\mathrm{device}_A$, IP address $\mathrm{IP}_A$, and port $\mathrm{port}_A$, forming the agent's endpoint descriptor: $\mathrm{ED}_A = \langle \mathrm{device}_A, \mathrm{IP}_A, \mathrm{port}_A \rangle$ (2). Generating cryptographic keys. The user generates the following keys for the agent: PQ-TLS credentials $(sk^{\mathrm{tls}}_A, pk^{\mathrm{tls}}_A)$ for establishing secure channels with other agents, with a CA-signed certificate: $\mathrm{Cert}^{\mathrm{tls}}_A =$ GenCert𝑠𝑘…

Figure 4: Agent discovery.
Adjacent paper text: Step 1: Retrieval. Agent $A_I$ requests permission to contact agent $A_R$ by sending both identities, $\mathrm{aid}_{A_I}$ and $\mathrm{aid}_{A_R}$, to the Provider. The Provider verifies mutual authorization between the two agents and checks that $\mathrm{Counter}[\mathrm{aid}_{A_R}][\mathrm{aid}_{A_I}] > 0$. If so, the Provider returns $A_R$'s access information together with a signature $\sigma^{TA}_{ac}$ over both agents' data. The returned access information includes:…

Figure 5: A-session establishment.
Adjacent paper text: hash chain of length $Q_{R,I} = n$: $s_0$, $s_1 = H(s_0, 1, \mathrm{sid}, \mathrm{aid}_{A_I})$, $s_2 = H(s_1, 2, \mathrm{sid}, \mathrm{aid}_{A_I})$, $\ldots$, $s_n = H(s_{n-1}, n, \mathrm{sid}, \mathrm{aid}_{A_I})$. It also obtains the user's signature on the root of the chain: $\sigma^{U_R}_{RCP} = \mathrm{HS.Sign}_{sk_{U_R}}(s_n, Q_{R,I})$. Next, $A_R$ generates a random value $r_2$ and computes a session key $k_{ses} = H(r_1, r_2)$, used throughout all communications with $A_I$ during the A-session. It constructs t…

Figure 6: The modular model of MAGIQ in the hybrid and

Figure 8: Amortised protocol overhead across $A_I$ locations (US-West, US-East, EU, Asia) under varying $Q_{max}$ for $m = 100$ requests between $A_I$ and $A_R$. Shaded regions reflect the variability in overhead attributable to differences in network conditions across agent locations worldwide

Figure 7: Amortized protocol overhead across provider lo

Figure 9.
Adjacent paper text: Figure 9 plots $C_{\mathrm{Provider}}$ for $n \in \{1, 10, 100\}$ agents across session lifetimes ranging from one minute to one day. Two structural observations follow directly from Equation 3. First, overhead scales linearly with agent count: the 100-agent curve lies exactly one order
[Plot: x-axis A-Session Lifetime (1 min to 1 day); y-axis Computational Overhead on Provider (s); legend: Initiating Agent…]

Figure 10: Daily computational overhead on $A_I$ as a function of A-session lifetime, for $t \in \{1, 2, 5, 10, 15\}$ receiving agents. Per-session cost follows Equation 4 using measured cryptographic costs; daily overhead follows Equation 5. All A-sessions are assumed to share the same lifetime.
Adjacent paper text: 6.7 One-Agent to Many-Agents Overhead. We evaluate the overhead borne by an orchestrator ($A_I$) that coordinates with $t$ receiving…

Figure 11: Global clock ideal functionality $\mathcal{G}_{clk}$ [12]
Adjacent paper text: E.3 Secure Communication Session Ideal Functionality $\mathcal{F}_{SCS}$. This functionality captures the security requirements of the TLS channel and allows a secure communication between entities in a single protocol instance. TLS consists of two phases: handshake and message transmission. The handshake protocol aims at securely sharing uniformly distributed session keys, and …

Figure 12: The secure communication session ideal function

Figure 13: Global restricted programmable and observable

Figure 14: The certification authority ideal functionality,

Figure 15: Secure user and agent registration ideal function

Figure 17: The secure A-session ideal functionality,

Figure 18: The secure multi-agent composite session (C

Figure 20: The A-session in the two-agent MAGIQ protocol

Figure 21: The C-session in the multi-agent MAGIQ protocol
Adjacent paper text: uses the global clock ideal functionality Gclk and the global random oracle functionality Gclk as its subroutine (note that in our analysis, we only consider one protocol at a time, the entities that are involved in that protocol and the ideal functionality F that captures the security of that protocol.) Parties receive their inputs from the environment Z a…

Figure 19: The secure multi-agent composite session (C
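The hash chain quoted with Figure 5 can be made concrete as follows. This is an added example, not code from the paper or from Pith: it builds $s_0, \ldots, s_n$ with the recurrence as quoted and then checks revealed links against the root $s_n$. SHA3-256 as $H$, the length-prefixed field encoding, the `BudgetVerifier` class, and the PayWord-style release of links in descending index order are assumptions the excerpt does not specify; the user's signature over $(s_n, Q_{R,I})$ is left out.

```python
"""Budget hash chain from the Figure 5 excerpt (added illustration)."""
import hashlib
import hmac
import secrets


def _encode(*fields: bytes) -> bytes:
    # Assumption: 4-byte length prefix per field, so that field boundaries
    # are unambiguous and (b"ab", b"c") never collides with (b"a", b"bc").
    return b"".join(len(f).to_bytes(4, "big") + f for f in fields)


def H(prev: bytes, i: int, sid: bytes, aid: bytes) -> bytes:
    """One chain step s_i = H(s_{i-1}, i, sid, aid_AI); SHA3-256 is assumed."""
    return hashlib.sha3_256(_encode(prev, i.to_bytes(4, "big"), sid, aid)).digest()


def build_chain(s0: bytes, n: int, sid: bytes, aid: bytes) -> list:
    """Return [s_0, ..., s_n]; s_n is the root signed together with Q = n."""
    chain = [s0]
    for i in range(1, n + 1):
        chain.append(H(chain[-1], i, sid, aid))
    return chain


class BudgetVerifier:
    """Hypothetical checker held by whoever trusts the signed root.

    Links are accepted only in strictly descending index order, so each
    accepted link consumes budget and can never be replayed.
    """

    def __init__(self, root: bytes, n: int, sid: bytes, aid: bytes):
        self._anchor, self._index = root, n
        self._sid, self._aid = sid, aid

    @property
    def remaining(self) -> int:
        # Number of links that have not been revealed yet.
        return self._index

    def accept(self, index: int, link: bytes) -> bool:
        if not 0 <= index < self._index:
            return False  # replay, out-of-range index, or budget exhausted
        cur = link
        # Hash forward from the claimed position to the last accepted link.
        for i in range(index + 1, self._index + 1):
            cur = H(cur, i, self._sid, self._aid)
        if not hmac.compare_digest(cur, self._anchor):
            return False  # wrong chain, wrong session, or wrong agent id
        self._anchor, self._index = link, index
        return True


def demo() -> dict:
    # Constructed sample identifiers; not values from the paper.
    sid, aid = b"sid-constructed-01", b"aid-AI-constructed"
    chain = build_chain(secrets.token_bytes(32), 5, sid, aid)
    verifier = BudgetVerifier(chain[5], 5, sid, aid)
    other = build_chain(secrets.token_bytes(32), 5, b"sid-other", aid)
    return {
        "first_spend": verifier.accept(4, chain[4]),
        "replay": verifier.accept(4, chain[4]),
        "other_session": verifier.accept(3, other[3]),
        "skip_ahead": verifier.accept(1, chain[1]),
        "remaining": verifier.remaining,
    }


if __name__ == "__main__":
    print(demo())
```

Binding `sid` and `aid` into every step is what stops a link from one session or one initiating agent from verifying under another root.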
Original abstract

Our computing ecosystem is being transformed by two emerging paradigms: the increased deployment of agentic AI systems and advancements in quantum computing. With respect to agentic AI systems, one of the most critical problems is creating secure governing architectures that ensure agents follow their owners' communication and interaction policies and can be held accountable for the messages they exchange with other agents. With respect to quantum computing, existing systems must be retrofitted and new cryptographic mechanisms must be designed to ensure long-term security and quantum resistance. In fact, NIST recommends that standard public-key cryptographic algorithms, including RSA, Diffie-Hellman (DH), and elliptic-curve constructions (ECC), be deprecated starting in 2030 and disallowed after 2035. In this paper, we present MAGIQ, a framework for policy definition and enforcement in multi-agent AI systems using novel, highly efficient, quantum-resistant cryptographic protocols with proven security guarantees. MAGIQ (i) allows users to define rich communication and access-control policy budgets for agent-to-agent sessions and tasks, including global budgets for one-to-many agent sessions; (ii) enforces such policies using post-quantum cryptographic primitives; (iii) supports session-based enforcement of policies for agent-to-agent and one-to-many agent sessions; and (iv) provides accountability of agents to their users through message attribution. We formally model and prove the correctness and security of the system using the Universal Composability (UC) framework. We evaluate the computation and communication overhead of our framework and compare it with the state-of-the-art agentic AI framework SAGA. MAGIQ is a first step toward post-quantum-secure solutions for agentic AI systems.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

3 major / 2 minor

Summary. The paper introduces MAGIQ, a framework for defining and enforcing rich communication and access-control policy budgets (including global one-to-many budgets) in multi-agent AI systems. It uses novel post-quantum cryptographic primitives for enforcement, supports session-based policy application, provides message attribution for accountability, and claims formal correctness and security proofs in the Universal Composability (UC) framework. The work also reports computational and communication overhead evaluations compared to the SAGA baseline, positioning MAGIQ as an initial post-quantum secure governance solution for agentic AI.

Significance. If the UC security proofs are rigorous and the protocols achieve the claimed efficiency and quantum resistance without hidden assumptions, the result would be significant: it would supply the first formally verified post-quantum governance layer for multi-agent systems, directly addressing NIST's deprecation timeline for classical public-key cryptography while handling policy budgets and attribution. The combination of UC modeling with practical overhead comparisons strengthens the case for deployability in quantum-threatened environments.

major comments (3)
  1. §4 (Ideal Functionality F_MAGIQ): The definition of F_MAGIQ does not explicitly model adaptive policy budget exhaustion, mid-session policy updates, or concurrent one-to-many agent sessions under adaptive corruption of multiple agents. This gap means the claimed UC emulation may not capture the full real-world behaviors asserted in the abstract, undermining the 'proven security guarantees' for the governance framework.
  2. §5 (UC Security Proof): The security reduction does not detail how the simulator handles quantum oracle access or adaptive scheduling of agent sessions. Without these, the proof that the real-world protocol UC-emulates F_MAGIQ cannot be verified as holding for the dynamic multi-agent setting described in the introduction.
  3. Evaluation section (comparison to SAGA): The reported overhead figures lack ablation on the cost of the novel post-quantum primitives versus the policy-enforcement logic; this prevents assessing whether the efficiency claims are load-bearing for the central contribution or merely baseline improvements.
minor comments (2)
  1. Notation for policy budgets (e.g., global vs. per-session) is introduced in the abstract but not consistently defined before use in the protocol descriptions.
  2. The abstract states 'highly efficient' protocols; the evaluation should include concrete cycle counts or asymptotic bounds to support this.

Simulated Author's Rebuttal

3 responses · 0 unresolved

We thank the referee for their insightful comments and the recommendation for major revision. We address each of the major comments point by point below, providing clarifications and indicating the revisions we have made to the manuscript.

  1. Referee: §4 (Ideal Functionality F_MAGIQ): The definition of F_MAGIQ does not explicitly model adaptive policy budget exhaustion, mid-session policy updates, or concurrent one-to-many agent sessions under adaptive corruption of multiple agents. This gap means the claimed UC emulation may not capture the full real-world behaviors asserted in the abstract, undermining the 'proven security guarantees' for the governance framework.

    Authors: We agree that a more comprehensive modeling of adaptive behaviors would strengthen the ideal functionality. In the revised manuscript, we have extended F_MAGIQ to explicitly include adaptive policy budget exhaustion through stateful budget tracking, support for mid-session policy updates via authenticated channels, and handling of concurrent one-to-many sessions under adaptive corruptions of multiple agents. The UC emulation proof has been updated to reflect these enhancements, ensuring that the security guarantees cover the dynamic scenarios described. revision: yes

  2. Referee: §5 (UC Security Proof): The security reduction does not detail how the simulator handles quantum oracle access or adaptive scheduling of agent sessions. Without these, the proof that the real-world protocol UC-emulates F_MAGIQ cannot be verified as holding for the dynamic multi-agent setting described in the introduction.

    Authors: The original proof sketch assumed a classical UC framework with post-quantum primitives, but we acknowledge the need for explicit details on quantum aspects. We have revised Section 5 to include a detailed description of the simulator's handling of quantum oracle queries (using the quantum random oracle model where appropriate) and adaptive scheduling of sessions. This includes how the simulator maintains consistency under adaptive corruptions and session scheduling, thereby making the reduction verifiable. revision: yes

  3. Referee: Evaluation section (comparison to SAGA): The reported overhead figures lack ablation on the cost of the novel post-quantum primitives versus the policy-enforcement logic; this prevents assessing whether the efficiency claims are load-bearing for the central contribution or merely baseline improvements.

    Authors: We appreciate this observation regarding the evaluation. To better isolate the contributions, we have added an ablation study in the revised evaluation section. This includes separate measurements for the overhead introduced by the post-quantum cryptographic primitives (such as lattice-based signatures and key exchanges) compared to the policy enforcement mechanisms. The updated figures demonstrate that the novel primitives contribute a moderate overhead while enabling the quantum resistance, supporting the central claims of the paper. revision: yes

Circularity Check

0 steps flagged

No circularity: MAGIQ security claims rest on independent UC modeling of novel protocols

The paper introduces MAGIQ as a new framework for policy enforcement in multi-agent AI systems, using post-quantum cryptographic primitives and formally proving security and correctness via the standard Universal Composability (UC) framework. No steps reduce by construction to fitted parameters, self-definitions, or self-citation chains; the ideal functionality and protocol emulation are presented as independent formal artifacts. Evaluation against SAGA is comparative overhead measurement, not a predictive reduction. The derivation is self-contained against external benchmarks.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 0 invented entities

Only abstract available; ledger reflects high-level claims with no concrete free parameters or invented entities detailed.

axioms (1)
  • [standard math] Universal Composability (UC) framework provides a sound model for proving security and correctness of cryptographic protocols in multi-agent settings
    Invoked explicitly for formal modeling and proof of the MAGIQ system.

pith-pipeline@v0.9.0 · 5631 in / 1244 out tokens · 52867 ms · 2026-05-11T01:05:46.371500+00:00 · methodology


Reference graph

Works this paper leans on

59 extracted references · 21 canonical work pages · 5 internal anchors

  [1] Matt Adorjan. 2025. cloudping.co: AWS Inter-Region Latency Monitoring. https://github.com/mda590/cloudping.co Accessed: 2025-04-18

  [2] Alfonso Amayuelas, Xianjun Yang, Antonis Antoniades, Wenyue Hua, Liangming Pan, and William Yang Wang. 2024. MultiAgent Collaboration Attack: Investigating Adversarial Attacks in Large Language Model Collaborations via Debate. In Findings of the Association for Computational Linguistics: EMNLP 2024. 6929–6948

  [3] Zeynab Anbiaee, Mahdi Rabbani, Mansur Mirani, Gunjan Piya, Igor Opushnyev, Ali Ghorbani, and Sajjad Dadkhah. 2026. Security Threat Modeling for Emerging AI-Agent Protocols: A Comparative Analysis of MCP, A2A, Agora, and ANP. arXiv:2602.11327 [cs.CR] https://arxiv.org/abs/2602.11327

  [4] Sepideh Avizheh, Mahmudun Nabi, and Reihaneh Safavi-Naini. 2024. Refereed delegation of computation using smart contracts. IEEE Transactions on Dependable and Secure Computing 21, 6 (2024), 5208–5227

  [5] Varun Pratap Bhardwaj. 2026. Agent Behavioral Contracts: Formal Specification and Runtime Enforcement for Reliable Autonomous AI Agents. doi:10.5281/ZENODO.18775393

  [6] Johannes Buchmann, Erik Dahmen, Sarah Ereth, Andreas Hülsing, and Markus Rückert. 2013. On the security of the Winternitz one-time signature scheme. International Journal of Applied Cryptography 3, 1 (2013), 84–96

  [7] Johannes Buchmann, Erik Dahmen, and Andreas Hülsing. 2011. XMSS-a practical forward secure signature scheme based on minimal security assumptions. In International Workshop on Post-Quantum Cryptography. Springer, 117–129

  [8] CAIDA. [n. d.]. The CAIDA Archipelago Monitor Statistics. https://www.caida.org/projects/ark/statistics/. Accessed April 2025

  [9] Jan Camenisch, Manu Drijvers, Tommaso Gagliardoni, Anja Lehmann, and Gregory Neven. 2018. The wonderful world of global random oracles. In Annual international conference on the theory and applications of cryptographic techniques. Springer, 280–312

  [10] Ran Canetti. 2001. Universally composable security: A new paradigm for cryptographic protocols. In Proceedings 42nd IEEE Symposium on Foundations of Computer Science. IEEE, 136–145

  [11] Ran Canetti. 2004. Universally composable signature, certification, and authentication. In Proceedings. 17th IEEE Computer Security Foundations Workshop, 2004. IEEE, 219–233

  [12] Ran Canetti, Kyle Hogan, Aanchal Malhotra, and Mayank Varia. 2017. A universally composable treatment of network time. In 2017 IEEE 30th Computer Security Foundations Symposium (CSF). IEEE, 360–375

  [13] Ran Canetti, Pratik Sarkar, and Xiao Wang. 2020. Efficient and round-optimal oblivious transfer and commitment with adaptive security. In International Conference on the Theory and Application of Cryptology and Information Security. Springer, 277–308

  [14] Alan Chan, Noam Kolt, Peter Wills, Usman Anwar, Christian Schroeder de Witt, Nitarshan Rajkumar, Lewis Hammond, David Krueger, Lennart Heim, and Markus Anderljung. 2024. IDs for AI Systems. arXiv preprint arXiv:2406.12137 (2024)

  [15] Alan Chan, Kevin Wei, Sihao Huang, Nitarshan Rajkumar, Elija Perrier, Seth Lazar, Gillian K. Hadfield, and Markus Anderljung. 2025. Infrastructure for AI Agents. arXiv preprint arXiv:2501.10114 (2025)

  [16] Jianming Chen, Yawen Wang, Junjie Wang, Xiaofei Xie, Yuanzhe Hu, Qing Wang, and Fanjiang Xu. 2026. Adversarial Attack on Black-Box Multi-Agent by Adaptive Perturbation. Proceedings of the AAAI Conference on Artificial Intelligence 40, 35 (Mar. 2026), 29359–29367. doi:10.1609/aaai.v40i35.40176

  [17] Zhaoliang Chen. 2026. AITH: A Post-Quantum Continuous Delegation Protocol for Human-AI Trust Establishment. arXiv:2604.07695 [cs.CR] https://arxiv.org/abs/2604.07695

  [18] Model Context Protocol Contributors. 2025. Model Context Protocol Registry. https://github.com/modelcontextprotocol/registry. Accessed: 2025-12-11

  [19] Edoardo Debenedetti, Ilia Shumailov, Tianqi Fan, Jamie Hayes, Nicholas Carlini, Daniel Fabian, Christoph Kern, Chongyang Shi, Andreas Terzis, and Florian Tramèr. 2026. Defeating Prompt Injections by Design. arXiv preprint arXiv:2503.18813. In IEEE Conference on Secure and Trustworthy Machine Learning (SaTML). https://arxiv.org/abs/2503.18813

  [20] Stefan Dziembowski, Lisa Eckey, and Sebastian Faust. 2018. Fairswap: How to fairly exchange digital goods. In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security. 967–984

  [21] Lisa Eckey, Sebastian Faust, and Benjamin Schlosser. 2020. Optiswap: Fast optimistic fair exchange. In Proceedings of the 15th ACM Asia Conference on Computer and Communications Security. 543–557

  [22] Pierre-Alain Fouque, Jeffrey Hoffstein, Paul Kirchner, Vadim Lyubashevsky, Thomas Pornin, Thomas Prest, Thomas Ricosset, Gregor Seiler, William Whyte, and Zhenfei Zhang. 2020. Falcon: Fast-Fourier Lattice-based Compact Signatures over NTRU, Specification v1.2. Cryptographic Specification. falcon-sign.info. https://falcon-sign.info/falcon.pdf Accessed: 2026-02-12

  [23] Sebastian Gajek, Mark Manulis, Olivier Pereira, Ahmad-Reza Sadeghi, and Jörg Schwenk. 2008. Universally composable security analysis of TLS. In International Conference on Provable Security. Springer, 313–327

  [24] Google Developer Blog. 2025. Announcing the Agent2Agent Protocol (A2A). https://developers.googleblog.com/en/a2a-a-new-era-of-agent-interoperability/. Accessed: 2025-07-22

  [25] Lov K. Grover. 1996. A fast quantum mechanical algorithm for database search. In Proceedings of the Twenty-Eighth Annual ACM Symposium on Theory of Computing (Philadelphia, Pennsylvania, USA) (STOC ’96). Association for Computing Machinery, New York, NY, USA, 212–219. doi:10.1145/237814.237866

  [26] gsiros. 2024. saga. https://github.com/gsiros/saga

  [27] Xiangming Gu, Xiaosen Zheng, Tianyu Pang, Chao Du, Qian Liu, Ye Wang, Jing Jiang, and Min Lin. 2024. Agent Smith: A Single Image Can Jailbreak One Million Multimodal LLM Agents Exponentially Fast

  [28] Pengfei He, Yupin Lin, Shen Dong, Han Xu, Yue Xing, and Hui Liu. 2025. Red-teaming llm multi-agent systems via communication attacks. arXiv preprint arXiv:2502.14847 (2025)

  [29] Julia Hesse, Stanislaw Jarecki, Hugo Krawczyk, and Christopher Wood. 2023. Password-authenticated TLS via OPAQUE and post-handshake authentication. In Annual International Conference on the Theory and Applications of Cryptographic Techniques. Springer, 98–127

  [30] Sirui Hong, Mingchen Zhuge, Jonathan Chen, Xiawu Zheng, Yuheng Cheng, Jinlin Wang, Ceyao Zhang, Zili Wang, Steven Ka Shing Yau, Zijuan Lin, Liyang Zhou, Chenyu Ran, Lingfeng Xiao, Chenglin Wu, and Jürgen Schmidhuber

  [31] MetaGPT: Meta Programming for A Multi-Agent Collaborative Framework. In The Twelfth International Conference on Learning Representations. https://openreview.net/forum?id=VtmBAGCN7o

  [32] Andreas Huelsing, Denis Butin, Stefan-Lukas Gazdag, Joost Rijneveld, and Aziz Mohaisen. 2018. XMSS: eXtended Merkle Signature Scheme. RFC 8391. doi:10.17487/RFC8391

  [33] Andreas Hülsing, Denis Butin, Stefan-Lukas Gazdag, Joost Rijneveld, and Aziz Mohaisen. 2018. XMSS: eXtended Merkle Signature Scheme. RFC 8391. doi:10.17487/RFC8391

  [34] Rishi Jha, Harold Triedman, Justin Wagle, and Vitaly Shmatikov. 2026. Breaking and Fixing Defenses Against Control-Flow Hijacking in Multi-Agent Systems. arXiv:2510.17276 [cs.LG] https://arxiv.org/abs/2510.17276

  [35] Maurits Kaptein, Vassilis-Javed Khan, and Andriy Podstavnychy. 2026. Runtime Governance for AI Agents: Policies on Paths. arXiv:2603.16586 [cs.AI] https://arxiv.org/abs/2603.16586

  [36] Naveen Kumar Krishnan. 2026. Beyond Context Sharing: A Unified Agent Communication Protocol (ACP) for Secure, Federated, and Autonomous Agent-to-Agent (A2A) Orchestration. arXiv:2602.15055 [cs.MA] https://arxiv.org/abs/2602.15055

  [37] Leslie Lamport. 1979. Constructing digital signatures from a one way function. Technical Report SRI-CSL-98 (1979)

  [38] Donghyun Lee and Mo Tiwari. 2024. Prompt infection: Llm-to-llm prompt injection within multi-agent systems. arXiv preprint arXiv:2410.07283 (2024)

  [39] Evan Li, Tushin Mallick, Evan Rose, William Robertson, Alina Oprea, and Cristina Nita-Rotaru. 2026. ACE: A Security Architecture for LLM-Integrated App Systems. In Proceedings of the Network and Distributed System Security Symposium (NDSS)

  [40] Yedidel Louck, Ariel Stulman, and Amit Dvir. 2025. Improving Google A2A Protocol: Protecting Sensitive Data and Mitigating Unintended Harms in Multi-Agent Systems. arXiv:2505.12490 [cs.CR] https://arxiv.org/abs/2505.12490

  [41] Dustin Moody, Ray Perlner, Andrew Regenscheid, Angela Robinson, and David Cooper. 2024. Transition to Post-Quantum Cryptography Standards. Technical Report NIST IR 8547 (Initial Public Draft). National Institute of Standards and Technology, Gaithersburg, MD, USA. doi:10.6028/NIST.IR.8547.ipd

  [42] Luca Muscariello, Vijoy Pandey, and Ramiz Polic. 2025. The AGNTCY Agent Directory Service: Architecture and Implementation. arXiv:2509.18787 [cs.AI] https://arxiv.org/abs/2509.18787

  [43] National Institute of Standards and Technology (NIST). August 13, 2024. FIPS 203 Module-Lattice-Based Key-Encapsulation Mechanism Standard. https://csrc.nist.gov/pubs/fips/203/final

  [44] National Institute of Standards and Technology (NIST). August 13, 2024. FIPS 204 Module-Lattice-Based Digital Signature Standard. https://csrc.nist.gov/pubs/fips/204/final

  [45] National Institute of Standards and Technology (NIST). August 13, 2024. FIPS 205 Stateless Hash-Based Digital Signature Standard. https://csrc.nist.gov/pubs/fips/205/final

  [46] Ramesh Raskar, Pradyumna Chari, Jared James Grogan, Mahesh Lambe, Robert Lincourt, Raghu Bala, Aditi Joshi, Abhishek Singh, Ayush Chopra, Rajesh Ranjan, Shailja Gupta, Dimitris Stripelis, Maria Gorskikh, and Sichao Wang. 2025. Upgrade or Switch: Do We Need a Next-Gen Trusted Architecture for the Internet of AI Agents? arXiv:2506.12003 [cs.NI] https://ar...

  [47] Tirumaleswar Reddy and Hannes Tschofenig. 2025. Post-Quantum Cryptography Recommendations for TLS-based Applications. Internet-Draft, draft-ietf-uta-pqc-app-00. https://www.ietf.org/archive/id/draft-ietf-uta-pqc-app-00.html Work in progress

  [48] Ronald L Rivest and Adi Shamir. 1996. PayWord and MicroMint: Two simple micropayment schemes. In International workshop on security protocols. Springer, 69–87

  [49] Yonadav Shavit, Sandhini Agarwal, Miles Brundage, Steven Adler, Cullen O’Keefe, Rosie Campbell, Teddy Lee, Pamela Mishkin, Tyna Eloundou, Alan Hickey, et al

  [50] Practices for governing agentic AI systems. Research Paper, OpenAI (2023)

  [51] P.W. Shor. 1994. Algorithms for quantum computation: discrete logarithms and factoring. In Proceedings 35th Annual Symposium on Foundations of Computer Science. 124–134. doi:10.1109/SFCS.1994.365700

  [52] Tobin South, Samuele Marro, Thomas Hardjono, Robert Mahari, Cedric Deslandes Whitney, Dazza Greenwood, Alan Chan, and Alex Pentland. 2025. Authenticated Delegation and Authorized AI Agents. arXiv preprint arXiv:2501.09674 (2025)

  [53] Rao Surapaneni, Miku Jha, Michael Vakoc, and Todd Segal. 2025. Announcing the Agent2Agent Protocol (A2A). Google Developers Blog. https://developers.googleblog.com/en/a2a-a-new-era-of-agent-interoperability/ Accessed: 2025-04-10

  [54] Georgios Syros, Anshuman Suri, Jacob Ginesin, Cristina Nita-Rotaru, and Alina Oprea. 2026. SAGA: A Security Architecture for Governing AI Agentic Systems. In Proceedings of the Network and Distributed System Security Symposium (NDSS)

  [55] Haochuan Kevin Wang and Zechen Zhang. 2026. Kill-Chain Canaries: Stage-Level Tracking of Prompt Injection Across Attack Surfaces and Model Safety Tiers. arXiv:2603.28013 [cs.CR] https://arxiv.org/abs/2603.28013

  [56] Qingyun Wu, Gagan Bansal, Jieyu Zhang, Yiran Wu, Beibin Li, Erkang Zhu, Li Jiang, Xiaoyun Zhang, Shaokun Zhang, Jiale Liu, Ahmed Hassan Awadallah, Ryen W White, Doug Burger, and Chi Wang. 2023. AutoGen: Enabling Next-Gen LLM Applications via Multi-Agent Conversation. arXiv:2308.08155 [cs.AI] https://arxiv.org/abs/2308.08155

  [57] Weichen Yu, Kai Hu, Tianyu Pang, Chao Du, Min Lin, and Matt Fredrikson. 2025. Infecting LLM Agents via Generalizable Adversarial Attack. In Red Teaming GenAI: What Can We Learn from Adversaries? https://openreview.net/forum?id=udsmFGMwlp

  [58] Weibo Zhao, Jiahao Liu, Bonan Ruan, Shaofei Li, and Zhenkai Liang

  [59] When MCP Servers Attack: Taxonomy, Feasibility, and Mitigation. arXiv:2509.24272 [cs.CR], 2025. https://arxiv.org/abs/2509.24272

Text captured after the reference list:

A Ethical Considerations. Our paper is not an attack paper, it does not use any public dataset, or human data collection, so we believe that there are no ethical concerns.

B Notations. We present the notations used throughout the paper i...