Paper 2022/1768

Continuous Group Key Agreement with Flexible Authorization and Its Applications

Kaisei Kajita, Japan Broadcasting Corporation (Japan)
Keita Emura, National Institute of Information and Communications Technology
Kazuto Ogawa, National Institute of Information and Communications Technology
Ryo Nojima, National Institute of Information and Communications Technology
Go Ohtake, National Institute of Information and Communications Technology

Secure messaging (SM) protocols allow users to communicate securely over an untrusted infrastructure. The IETF currently works on the standardization of secure group messaging (SGM), which is SM done by a group of two or more people. Alwen et al. formally defined the key agreement protocol used in SGM as continuous group key agreement (CGKA) at CRYPTO 2020. In their CGKA protocol, all of the group members have the same rights and a trusted third party is needed. On the contrary, some SGM applications may have a user in the group who has the role of an administrator. When the administrator as the group manager (GM) is distinguished from other group members, i.e., in a one-to-many setting, it would be better for the GM and the other group members to have different authorities. We achieve this flexible autho-rization by incorporating a ratcheting digital signature scheme (Cremers et al. at USENIX Security 2021) into the existing CGKA protocol and demonstrate that such a simple modification allows us to provide flexible authorization. This one-to-many setting may be reminiscent of a multi-cast key agreement protocol proposed by Bienstock et al. at CT-RSA 2022, where GM has the role of adding and removing group members. Although the role of the GM is fixed in advance in the Bienstock et al. protocol, the GM can flexibly set the role depending on the application in our protocol. On the other hand, in Alwen et al.’s CGKA protocol, an external public key infrastructure (PKI) functionality as a trusted third party manages the confidential information of users, and the PKI can read all messages until all users update their own keys. In contrast, the GM in our protocol has the same role as the PKI functionality in the group, so no third party outside the group handles confidential informa-tion of users and thus no one except group members can read messages regardless of key updates. Our proposed protocol is useful in the creation of new applications such as broadcasting services.

Available format(s)
Cryptographic protocols
Publication info
Continuous Group Key AgreementSecure Group MessagingRatcheting Digital Signatures
Contact author(s)
kajita k-bu @ nhk or jp
2023-01-06: revised
2022-12-27: received
See all versions
Short URL
Creative Commons Attribution


      author = {Kaisei Kajita and Keita Emura and Kazuto Ogawa and Ryo Nojima and Go Ohtake},
      title = {Continuous Group Key Agreement with Flexible Authorization and Its Applications},
      howpublished = {Cryptology ePrint Archive, Paper 2022/1768},
      year = {2022},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.