Repository logo

Key Agreement for Decentralized Secure Group Messaging with Strong Security Guarantees

Published version

Change log


Weidner, M 
Hugenroth, D 
Beresford, AR 


Secure group messaging protocols, providing end-to-end encryption for group communication, need to handle mobile devices frequently being offline, group members being added or removed, and the possibility of device compromises during long-lived chat sessions. Existing work targets a centralized network model in which all messages are routed through a single server, which is trusted to provide a consistent total order on updates to the group state. In this paper we adapt secure group messaging for decentralized networks that have no central authority. Servers may still optionally be used, but they are trusted less. We define decentralized continuous group key agreement (DCGKA), a new cryptographic primitive encompassing the core of a decentralized secure group messaging protocol; we give a practical construction of a DCGKA protocol and prove its security; and we describe how to construct a full messaging protocol from DCGKA. In the face of device compromise our protocol achieves forward secrecy and post-compromise security. We evaluate the performance of a prototype implementation, and demonstrate that our protocol has practical efficiency.



Secure group messaging, decentralized systems, post-compromise security

Journal Title

Proceedings of the ACM Conference on Computer and Communications Security

Conference Name

CCS '21: 2021 ACM SIGSAC Conference on Computer and Communications Security

Journal ISSN


Volume Title


Isaac Newton Trust (19.08(m))
Leverhulme Trust (ECF-2019-028)
Engineering and Physical Sciences Research Council (EP/M020320/1)
Matthew Weidner is supported by a Churchill Scholarship from the Winston Churchill Foundation of the USA and an NDSEG Fellowship sponsored by the US Office of Naval Research. Martin Kleppmann is supported by a Leverhulme Trust Early Career Fellowship, the Isaac Newton Trust, and Nokia Bell Labs. Daniel Hugenroth is supported by a Nokia Bell Labs Scholarship and the Cambridge European Trust. Alastair R. Beresford is partially supported by EPSRC [grant number EP/M020320/1].