Our Contribution. Our group key agreement protocol is provably secure against a powerful active adversary who controls all communication flows in the network and even executes an unbounded number of concurrent instances of the protocol. We provide a rigorous proof of security under the well-known Decisional Diffie-Hellman (DDH) assumption in a formal security model which improves that of Bresson et al. [12]. Furthermore, in contrast with other asymmetric protocols [6, 11] with provable security, our group key agreement protocol provides perfect forward secrecy; i.e., disclosure of long-term secret keys does not compromise the security of previously established session keys. Despite meeting all these strong notions of security, our construction is surprisingly simple and provides a practical solution for group key agreement in a mobile environment similar to our setting. In a protocol execution involving mobile hosts, a bottleneck arises when the number of public-key cryptography operations that a mobile host must perform increases as the group size grows. It is therefore of prime importance for a group key agreement protocol to offer a low, fixed amount of computation to its mobile participants. To this end our protocol shifts much of the computational burden to the server, which has sufficient computational power. By allowing this computational asymmetry among protocol participants (as can also be observed in the previous works [6, 11]), the computational cost of a mobile participant of our protocol is reduced to two modular exponentiations (plus one signature generation and verification) regardless of the number of participants. In addition, our group key agreement protocol is very efficient in terms of the number of communication rounds; it requires only three rounds of communication among participants.
Keeping the number of communication rounds constant is critical for efficient and scalable group key agreement particularly over a wide area network, where the dominant source of delay is the communication time spent in the network rather than the computational time needed for cryptographic operations [1, 22]. As an additional contribution, we propose a refinement of the standard security model of Bresson et al. [12], which we believe to be an issue of independent interest. As shown in Section 5, our refinement greatly simplifies the security proof of the compiler presented by ▇▇▇▇ and Yung [23] even in the presence of a stronger adversary.