Messaging Layer Security (MLS) and its underlying Continuous Group Key Agreement (CGKA) protocol allow a group of users to share a cryptographic secret in a dynamic manner, such that the secret is modified on member insertions and deletions. Although this flexibility makes MLS ideal for implementations in distributed environments, a number of issues need to be overcome. In particular, the use of digital certificates for authentication in a group goes against the group members' privacy. In this work we provide an alternative method of authentication in which the solicitors, instead of revealing their identity, only need to prove possession of certain attributes, dynamically defined by the group, to become a member. Instead of digital certificates, we employ Attribute-Based Credentials accompanied by Selective Disclosure in order to reveal the minimum required amount of information and to prevent attackers from linking the activity of a user across multiple groups. We formally define a CGKA variant named Attribute-Authenticated Continuous Group Key Agreement (AA-CGKA) and provide security proofs for its properties of Requirement Integrity, Unforgeability and Unlinkability. We also provide an implementation of our AA-CGKA scheme and show that it achieves performance similar to a trivial certificate-based solution.