Papers
Topics
Authors
Recent
Search
2000 character limit reached

Chain-of-Authorization (CoA) Overview

Updated 3 July 2026
  • Chain-of-Authorization (CoA) is a security framework that creates digital, tamper-evident authorization chains via cryptographic logs and enforced reasoning trajectories.
  • It employs append-only Merkle trees and inclusion proofs to securely validate multi-hop delegations in distributed multi-agent systems.
  • CoA integrates with large language models by embedding explicit permission and reasoning trajectories to ensure output only follows proper authorization.

Chain-of-Authorization (CoA) designates a class of security frameworks and mechanisms that provide verifiable, causally complete histories (“chains”) of authorization events in multi-agent and AI systems. Prototypical CoA architectures cryptographically or operationally intertwine each delegation or resource request with a traceable authorization lineage, yielding end-to-end tamper-evidence and robust enforcement of access policies. In current research, CoA has emerged in two principal contexts: as a cryptographic foundation for governing non-human multi-agent interactions in critical infrastructure (Malkapuram et al., 22 Sep 2025), and as a security mechanism internalized into LLMs via explicit, causally enforced reasoning trajectories (Li et al., 24 Mar 2026).

1. CoA in Cryptographic Multi-Agent Systems

In distributed agent ecosystems—particularly those composed of non-human identities (NHIs)—secure and verifiable agent-to-agent (A2A) and multi-hop authorization present critical challenges. CoA addresses these by anchoring each authorization event as a digitally signed record in a dynamic, append-only Merkle tree, yielding a Lineage Store (LS) akin to Certificate Transparency logs. Each event, for example a delegation “A delegates to B,” encodes delegator and delegatee identifiers, action scope, timestamp, event identifier (e.g., UUID), and a digital signature by the delegator, all represented as canonical JSON and hashed for Merkle leaf creation.

The Merkle root after nn events, denoted RnR_n, is used to issue a Signed Tree Head (STH) containing (n,Rn,twall,cn,log_id)(n,\, R_n,\, t_{\text{wall}},\, c_n,\, \text{log\_id}), signed by the LS. Inclusion proofs (“audit paths”) and consistency proofs for forward secrecy and snapshot verification are provided per RFC 6962. This ensures both tamper-evidence and cryptographic verifiability of the entire authorization chain, across arbitrary agent call depths. A federated Proof Server (PS) aggregates these proofs, yielding compact, signed attestations that can be independently verified without granting external parties access to the full execution trace (Malkapuram et al., 22 Sep 2025).

2. CoA in LLMs via Reasoning Trajectories

In language-based AI systems, CoA reframes authorization not as an external check, but as a causal, intrinsic reasoning requirement. Here, model input is annotated with user, context, and tool permissions. The LLM must generate a structured output trajectory z=(zres,zid,zdec)\mathbf{z} = (z_{\text{res}}, z_{\text{id}}, z_{\text{dec}}), corresponding respectively to resource review (parsing required permissions), identity resolution (extracting the user's attributes), and decision making (authorization policy application). The model is trained on matched (permitted), mismatched (insufficient credentials), and public (no credentials) cases. The correct trajectory must be produced before the model is permitted to answer; if the decision step yields “reject,” generation collapses to a refusal distribution. This design internalizes policy causality: substantive output is only produced as a logical consequence of correct authorization reasoning (Li et al., 24 Mar 2026).

3. Formal Structures and Mechanisms

A. Cryptographic Logging: Merkle Trees and Proofs

  • Append-only Merkle Tree: Leaves Li=H(0x00cei)L_i = H(0x00 \| c_{e_i}) encode events. Internal nodes are computed as N=H(0x01xy)N = H(0x01 \| x \| y), for left/right children x,yx, y.
  • Inclusion Proofs: For each event, an audit path πi\pi_i supplies sibling hashes for verifying LiL_i against root RnR_n, with RnR_n0 hash operations.
  • Consistency Proofs: For two roots RnR_n1, RnR_n2 (RnR_n3), RnR_n4 demonstrates that RnR_n5 is a log extension of RnR_n6.
  • Federated Proof Server: Bundles proofs for multiple events, eliminates redundancy via multi-proofs, and generates a compact attestation RnR_n7 signed by the PS (Malkapuram et al., 22 Sep 2025).

B. LLM Internalization: Reasoning Trajectory

  • Input Representation: Permissions are embedded as dedicated vocabulary tags. Input is structured: RnR_n8 (user/tool), RnR_n9, and (n,Rn,twall,cn,log_id)(n,\, R_n,\, t_{\text{wall}},\, c_n,\, \text{log\_id})0 (query).
  • Output Structure: The generation prepends a “think” block with stepwise reasoning—review, identity, decision—before answer or refusal.
  • Training Objective: For dataset (n,Rn,twall,cn,log_id)(n,\, R_n,\, t_{\text{wall}},\, c_n,\, \text{log\_id})1, loss is (n,Rn,twall,cn,log_id)(n,\, R_n,\, t_{\text{wall}},\, c_n,\, \text{log\_id})2. No auxiliary heads or classifiers are required (Li et al., 24 Mar 2026).

4. Examples and Implementation

A. Multi-hop Delegation in Agent Systems

Consider the delegation chain (n,Rn,twall,cn,log_id)(n,\, R_n,\, t_{\text{wall}},\, c_n,\, \text{log\_id})3. Events are appended sequentially as leaves in the Merkle tree. For each link, downstream verifiers obtain event records, request attestations from the PS, validate PS signatures, check event inclusion, verify STH consistency, and authenticate signatures. This process yields a cryptographically authenticated and auditable delegation chain suitable for regulated or safety-critical domains (Malkapuram et al., 22 Sep 2025).

B. LLM Authorization-State Conditioning

Supervised datasets are constructed with explicit permission tags, supporting three states:

  • Matched ((n,Rn,twall,cn,log_id)(n,\, R_n,\, t_{\text{wall}},\, c_n,\, \text{log\_id})4): model emits correct trajectory and substantive answer.
  • Mismatched ((n,Rn,twall,cn,log_id)(n,\, R_n,\, t_{\text{wall}},\, c_n,\, \text{log\_id})5): model emits rejection at decision step.
  • Public ((n,Rn,twall,cn,log_id)(n,\, R_n,\, t_{\text{wall}},\, c_n,\, \text{log\_id})6): model consistently rejects.

Empirical results indicate near-optimal (~100%) refusal rates on unauthorized requests, attack success rates (n,Rn,twall,cn,log_id)(n,\, R_n,\, t_{\text{wall}},\, c_n,\, \text{log\_id})7, and output utility on par with vanilla SFT on authorized cases. t-SNE visualizations demonstrate clear, non-overlapping clusters for each authorization state after CoA fine-tuning, establishing that internal representations track authorization logic. Prefix intervention studies confirm the causal linkage between authorization reasoning and final output (Li et al., 24 Mar 2026).

5. Security, Privacy, and Performance Properties

A. Multi-Agent CoA Systems

  • Tamper-evidence: Any alteration of event history breaks Merkle-root or invalidates signatures.
  • Authenticity and Non-repudiation: Delegation events are signed and verifiable against agent cards anchored to public keys.
  • Privacy: Sensitive information can be committed as hashes; partial disclosure is possible via selective proofs or zero-knowledge protocols.
  • Efficiency: Proof generation and verification require (n,Rn,twall,cn,log_id)(n,\, R_n,\, t_{\text{wall}},\, c_n,\, \text{log\_id})8 hashes per event; multi-proofs are (n,Rn,twall,cn,log_id)(n,\, R_n,\, t_{\text{wall}},\, c_n,\, \text{log\_id})9 for z=(zres,zid,zdec)\mathbf{z} = (z_{\text{res}}, z_{\text{id}}, z_{\text{dec}})0 leaves.
  • Scalability: The federated PS deduplicates and batches proofs, eliminating need for full log replication by verifiers (Malkapuram et al., 22 Sep 2025).

B. LLM-Based CoA

  • Dynamic Fine-Grained Control: Explicit reasoning trajectory enforces fine-grained, case-sensitive policies.
  • Robustness: Models robustly refuse unauthorized queries, including manual and automated jailbreaking.
  • Causal Integrity: Failure at any explicit authorization step deterministically prevents leakage.
  • No Need for Structural Isolation: Avoids inefficiencies and scalability limits of permission-sharded submodels (Li et al., 24 Mar 2026).

6. Limitations and Open Directions

Both cryptographic and LLM-based CoA frameworks currently exhibit several limitations:

  • Dynamic Policy Updates: Efficiently supporting rapid permission-set changes without retraining (LLMs) or relogging (agent systems) remains challenging.
  • Generality to Multi-Modal or Hierarchical Contexts: Extending CoA architectures to image/text fusion or multi-level organizational permissions is an open area.
  • Privacy-Utility Trade-off: Achieving optimal access control while maintaining usability and minimizing leakage, potentially through differential privacy or machine unlearning, is an ongoing research direction.
  • Integration with RLHF and Other Learning Paradigms: Reducing dependence on fully supervised datasets, or leveraging reward modeling and human feedback, remains largely unexplored in the CoA regime (Li et al., 24 Mar 2026).

7. Context and Significance in Secure Systems

CoA represents a shift from passive and external (filter- or firewall-based) access control to intrinsic, verifiable, and causally complete authorization assurance. In cryptographic multi-agent settings, it provides non-repudiable lineage, delegation, and audit. In LLM domains, it transforms model information flow by embedding the policy as a causal precondition for task performance. As AI systems and multi-agent platforms evolve in scale and complexity, CoA frameworks are positioned to undergird both governance and proactive security in regulated, high-stakes environments (Malkapuram et al., 22 Sep 2025, Li et al., 24 Mar 2026).

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Chain-of-Authorization (CoA).