To address privacy leakage—specifically, member identity exposure and cross-group behavioral linkage—caused by digital certificate-based authentication in distributed group messaging, this paper proposes an attribute-based identity authentication mechanism. We formally define and construct Attribute-Authenticated Continuous Group Key Agreement (AA-CGKA), the first protocol integrating Attribute-Based Credentials (ABC) with selective disclosure techniques. Under a rigorous formal security model, we prove its completeness, unforgeability, and unlinkability. The scheme supports dynamic group key updates, requires members to disclose only the minimal set of attributes necessary for authentication, and completely prevents cross-group identity tracking. Furthermore, it seamlessly integrates into the Messaging Layer Security (MLS) protocol stack. This work establishes the first authentication-enabled key agreement framework for privacy-sensitive distributed group communication that simultaneously achieves strong cryptographic security and practical deployability.

Messaging Layer security (MLS) and its underlying Continuous Group Key Agreement (CGKA) protocol allows a group of users to share a cryptographic secret in a dynamic manner, such that the secret is modified in member insertions and deletions. Although this flexibility makes MLS ideal for implementations in distributed environments, a number of issues need to be overcome. Particularly, the use of digital certificates for authentication in a group goes against the group members' privacy. In this work we provide an alternative method of authentication in which the solicitors, instead of revealing their identity, only need to prove possession of certain attributes, dynamically defined by the group, to become a member. Instead of digital certificates, we employ Attribute-Based Credentials accompanied with Selective Disclosure in order to reveal the minimum required amount of information and to prevent attackers from linking the activity of a user through multiple groups. We formally define a CGKA variant named Attribute-Authenticated Continuous Group Key Agreement (AA-CGKA) and provide security proofs for its properties of Requirement Integrity, Unforgeability and Unlinkability. We also provide guidelines for an integration of our construction in MLS.