usenix-2026-nested/main.bbl

\begin{thebibliography}{10}

\bibitem{Albrecht_Dowling_Jones}
Martin~R Albrecht, Benjamin Dowling, and Daniel Jones.
\newblock Device-oriented group messaging: A formal cryptographic analysis of
  matrix’ core.

\bibitem{Albrecht_2025}
Martin~R Albrecht, Benjamin Dowling, and Daniel Jones.
\newblock Formal analysis of multi-device group messaging in whatsapp.

\bibitem{alwen_doubleratchet}
Joël Alwen, Sandro Coretti, and Yevgeniy Dodis.
\newblock {\em The Double Ratchet: Security Notions, Proofs, and Modularization
  for the Signal Protocol}, volume 11476 of {\em Lecture Notes in Computer
  Science}, page 129–158.
\newblock Springer International Publishing, Cham, 2019.

\bibitem{Alwen_Coretti_Jost_Mularczyk_2020}
Joël Alwen, Sandro Coretti, Daniel Jost, and Marta Mularczyk.
\newblock {\em Continuous Group Key Agreement with Active Security}, volume
  12551 of {\em Lecture Notes in Computer Science}, page 261–290.
\newblock Springer International Publishing, Cham, 2020.

\bibitem{Balbas_SK}
David Balbás, Daniel Collins, and Phillip Gajland.
\newblock {\em WhatsUpp with Sender Keys? Analysis, Improvements and Security
  Proofs}, volume 14442 of {\em Lecture Notes in Computer Science}, page
  307–341.
\newblock Springer Nature Singapore, Singapore, 2023.

\bibitem{SoK_CAC}
Manuel Barbosa, Gilles Barthe, Karthik Bhargavan, Bruno Blanchet, Cas Cremers,
  Kevin Liao, and Bryan Parno.
\newblock Sok: Computer-aided cryptography.
\newblock In {\em 2021 IEEE Symposium on Security and Privacy (SP)}, page
  777–795, May 2021.

\bibitem{rfc9420}
Richard Barnes, Benjamin Beurdouche, Raphael Robert, Jon Millican, Emad Omara,
  and Katriel Cohn-Gordon.
\newblock {The Messaging Layer Security (MLS) Protocol}.
\newblock RFC 9420, July 2023.

\bibitem{rfc9180}
Richard Barnes, Karthikeyan Bhargavan, Benjamin Lipp, and Christopher~A. Wood.
\newblock {Hybrid Public Key Encryption}.
\newblock RFC 9180, February 2022.

\bibitem{Basin_Cremers_Dreier_Sasse_2022}
David Basin, Cas Cremers, Jannik Dreier, and Ralf Sasse.
\newblock Tamarin: Verification of large-scale, real-world, cryptographic
  protocols.
\newblock {\em IEEE Security \& Privacy}, 20(3):24–32, May 2022.

\bibitem{bhargavan_dy}
Karthikeyan Bhargavan, Abhishek Bichhawat, Quoc~Huy Do, Pedram Hosseyni, Ralf
  Küsters, Guido Schmitz, and Tim Würtele.
\newblock Dy*: A modular symbolic verification framework for executable
  cryptographic protocol code.

\bibitem{DY}
Karthikeyan Bhargavan, Abhishek Bichhawat, Quoc~Huy Do, Pedram Hosseyni, Ralf
  Küsters, Guido Schmitz, and Tim Würtele.
\newblock Dy*: A modular symbolic verification framework for executable
  cryptographic protocol code.

\bibitem{Bhargavan_PQXDH}
Karthikeyan Bhargavan, Charlie Jacomme, Franziskus Kiefer, and Rolfe Schmidt.
\newblock Formal verification of the pqxdh post-quantum key agreement protocol
  for end-to-end secure messaging.

\bibitem{Blanchet_2012}
Bruno Blanchet.
\newblock {\em Security Protocol Verification: Symbolic and Computational
  Models}, volume 7215 of {\em Lecture Notes in Computer Science}, page 3–29.
\newblock Springer Berlin Heidelberg, Berlin, Heidelberg, 2012.

\bibitem{Blanchet_2016}
Bruno Blanchet.
\newblock Modeling and verifying security protocols with the applied pi
  calculus and proverif.
\newblock {\em Foundations and Trends® in Privacy and Security},
  1(1–2):1–135, 2016.

\bibitem{Blanchet_Jacomme}
Bruno Blanchet and Charlie Jacomme.
\newblock Cryptoverif: a computationally-sound security protocol verifier.

\bibitem{ProverifManual}
Bruno Blanchet, Ben Smyth, Vincent Cheval, and Marc Sylvestre.
\newblock Proverif 2.05: Automatic cryptographic protocol verifier, user manual
  and tutorial.

\bibitem{Celi_Hoyland_Stebila_Wiggers_2022}
Sofía Celi, Jonathan Hoyland, Douglas Stebila, and Thom Wiggers.
\newblock {\em A Tale of Two Models: Formal Verification of KEMTLS via
  Tamarin}, volume 13556 of {\em Lecture Notes in Computer Science}, page
  63–83.
\newblock Springer Nature Switzerland, Cham, 2022.

\bibitem{Chase_Perrin_Zaverucha_2020}
Melissa Chase, Trevor Perrin, and Greg Zaverucha.
\newblock The signal private group system and anonymous credentials supporting
  efficient verifiable encryption.
\newblock In {\em Proceedings of the 2020 ACM SIGSAC Conference on Computer and
  Communications Security}, page 1445–1459, Virtual Event USA, October 2020.
  ACM.

\bibitem{cremers_signal}
Katriel Cohn-Gordon, Cas Cremers, Benjamin Dowling, Luke Garratt, and Douglas
  Stebila.
\newblock A formal security analysis of the signal messaging protocol.

\bibitem{Collins_Colombo_Huguenin-Dumittan_2025}
Daniel Collins, Simone Colombo, and Loïs Huguenin-Dumittan.
\newblock Real-world deniability in messaging.
\newblock {\em Proceedings on Privacy Enhancing Technologies},
  2025(1):320–340, January 2025.

\bibitem{auth}
Whitfield Diffie, Paul~C. Van~Oorschot, and Michael~J. Wiener.
\newblock Authentication and authenticated key exchanges.
\newblock {\em Designs, Codes and Cryptography}, 2(2):107–125, June 1992.

\bibitem{Dingledine_Mathewson_Syverson_2004}
Roger Dingledine, Nick Mathewson, and Paul Syverson.
\newblock Tor: The second-generation onion router:.
\newblock January 2004.

\bibitem{Dolev_1983}
Danny Dolev.
\newblock On the security of public key protocols.
\newblock {\em IEEE TRANSACTIONS ON INFORMATION THEORY}, (2), 1983.

\bibitem{Donenfeld_2017}
Jason~A. Donenfeld.
\newblock Wireguard: Next generation kernel network tunnel.
\newblock In {\em Proceedings 2017 Network and Distributed System Security
  Symposium}, San Diego, CA, 2017. Internet Society.

\bibitem{rfc9369}
Martin Duke.
\newblock {QUIC Version 2}.
\newblock RFC 9369, May 2023.

\bibitem{FiedlerPQXDHdeny}
Rune Fiedler and Christian Janson.
\newblock A deniability analysis of signal’s initial handshake pqxdh.
\newblock {\em Proceedings on Privacy Enhancing Technologies},
  2024(4):907–928, October 2024.

\bibitem{Gancher_2023}
Joshua Gancher, Sydney Gibson, Pratap Singh, Samvid Dharanikota, and Bryan
  Parno.
\newblock Owl: Compositional verification of security protocols via an
  information-flow type system.
\newblock In {\em 2023 IEEE Symposium on Security and Privacy (SP)}, page
  1130–1147, San Francisco, CA, USA, May 2023. IEEE.

\bibitem{pqwg}
Andreas Hülsing, Kai-Chun Ning, Peter Schwabe, Fiona~Johanna Weber, and
  Philip~R. Zimmermann.
\newblock Post-quantum wireguard.
\newblock In {\em 2021 IEEE Symposium on Security and Privacy (SP)}, page
  304–321, San Francisco, CA, USA, May 2021. IEEE.

\bibitem{Itkis_Reyzin_2001}
Gene Itkis and Leonid Reyzin.
\newblock {\em Forward-Secure Signatures with Optimal Signing and Verifying},
  volume 2139 of {\em Lecture Notes in Computer Science}, page 332–354.
\newblock Springer Berlin Heidelberg, Berlin, Heidelberg, 2001.

\bibitem{Jefferys2020SessionProtocol}
Kee Jefferys.
\newblock Session protocol: Technical implementation details.
\newblock Blog post on getSession.org, December 2020.
\newblock Accessed: 2025-08-08.

\bibitem{Kobeissi_Bhargavan_Blanchet_2017}
Nadim Kobeissi, Karthikeyan Bhargavan, and Bruno Blanchet.
\newblock Automated verification for secure messaging protocols and their
  implementations: A symbolic and computational approach.
\newblock In {\em 2017 IEEE European Symposium on Security and Privacy}, page
  435–450, Paris, April 2017. IEEE.

\bibitem{rfc5869}
Hugo Krawczyk and Pasi Eronen.
\newblock {HMAC-based Extract-and-Expand Key Derivation Function (HKDF)}.
\newblock RFC 5869, May 2010.

\bibitem{Kret_Schmidt_PQXDH}
Ehren Kret and Rolfe Schmidt.
\newblock The pqxdh key agreement protocol.
\newblock 2024.

\bibitem{Lafourcade_Mahmoud_Ruhault_Taleb}
Pascal Lafourcade, Dhekra Mahmoud, Sylvain Ruhault, and Abdul~Rahman Taleb.
\newblock A tale of two worlds, a formal story of wireguard hybridization.

\bibitem{Moxie_Sesame}
Moxie Marlinspike and Trevor Perrin.
\newblock The sesame algorithm: Session management for asynchronous message
  encryption.
\newblock 2016.

\bibitem{Marlinspike_Perrin_X3DH}
Moxie Marlinspike and Trevor Perrin.
\newblock The x3dh key agreement protocol.
\newblock 2016.

\bibitem{matrixorg_olm_repo}
{matrix-org}.
\newblock Olm.
\newblock \url{https://gitlab.matrix.org/matrix-org/olm}, April 2019.
\newblock GitLab repository implementing Olm and Megolm cryptographic ratchets.

\bibitem{matrixorg_megolm_doc}
{matrix-org}.
\newblock docs/megolm.md.
\newblock
  \url{https://gitlab.matrix.org/matrix-org/olm/-/blob/master/docs/megolm.md},
  September 2022.
\newblock Markdown file in \emph{Olm} repository.

\bibitem{mcmillion2025keytransparencyarchitecture}
Brendan McMillion.
\newblock Key transparency architecture.
\newblock Internet-Draft, IETF, July 2025.
\newblock draft-ietf-keytrans-architecture-04, Intended status: Informational.

\bibitem{mcMillion2025keytrans}
Brendan McMillion.
\newblock {Key Transparency Architecture}.
\newblock Internet-Draft draft-ietf-keytrans-architecture-04, IETF
  Internet-Draft, July 2025.
\newblock Intended status: Informational; Expires 8 January 2026.

\bibitem{MetaMessengerE2EE2023}
Jon Millican, Reed Riley, and Meta Platforms.
\newblock Messenger end-to-end encryption overview.
\newblock Technical White Paper Version 1M, Meta Platforms (Facebook
  Engineering), December 2023.
\newblock Published December 6, 2023 — describes core Signal-Protocol-based
  E2EE implementation for Messenger and Instagram Direct.

\bibitem{Moxie_DoubleRatchet}
Trevor Perrin and Moxie Marlinspike.
\newblock The double ratchet algorithm.
\newblock 2016.

\bibitem{rfc8446}
Eric Rescorla.
\newblock {The Transport Layer Security (TLS) Protocol Version 1.3}.
\newblock RFC 8446, August 2018.

\bibitem{Schwabe_Stebila_Wiggers_2020}
Peter Schwabe, Douglas Stebila, and Thom Wiggers.
\newblock Post-quantum tls without handshake signatures.
\newblock In {\em Proceedings of the 2020 ACM SIGSAC Conference on Computer and
  Communications Security}, page 1461–1480, Virtual Event USA, October 2020.
  ACM.

\bibitem{SignalSenderKeysRust}
{Signal Foundation}.
\newblock sender\_keys.rs — sender keys implementation (rust).
\newblock
  \url{https://github.com/signalapp/libsignal/blob/main/rust/protocol/src/sender\_keys.rs},
  2025.
\newblock Reference implementation of the Sender Keys protocol in libsignal’s
  Rust codebase.

\bibitem{Unger_Goldberg_2018}
Nik Unger and Ian Goldberg.
\newblock Improved strongly deniable authenticated key exchanges for secure
  messaging.
\newblock {\em Proceedings on Privacy Enhancing Technologies}, 2018(1):21–66,
  January 2018.

\bibitem{VatandasDeny}
Nihal Vatandas, Rosario Gennaro, Bertrand Ithurburn, and Hugo Krawczyk.
\newblock {\em On the Cryptographic Deniability of the Signal Protocol}, volume
  12147 of {\em Lecture Notes in Computer Science}, page 188–209.
\newblock Springer International Publishing, Cham, 2020.

\bibitem{Wallez_TreeKEM}
Theophile Wallez, Jonathan Protzenko, and Karthikeyan Bhargavan.
\newblock Treekem: A modular machine-checked symbolic security analysis of
  group key agreement in messaging layer security.

\bibitem{Wallez_TreeSync}
Théophile Wallez, Benjamin Beurdouche, and Karthikeyan Bhargavan.
\newblock Treesync: Authenticated group management for messaging layer
  security.

\bibitem{WhatsAppSecurity2024}
WhatsApp.
\newblock Whatsapp encryption overview: Technical white paper.
\newblock Technical White Paper Version 8, Meta (WhatsApp), August 2024.
\newblock Updated August 19, 2024.

\bibitem{openvpn}
James Yonan.
\newblock {\em OpenVPN: An Open Source VPN}, 2002.
\newblock Version 2.6.0 and later. Accessed: 2025-08-08.

\end{thebibliography}