Common use of Our Contribution Clause in Contracts

Our Contribution. The unsatisfactory situation described above has prompted this work aimed at designing an efficient and provably-secure key agreement scheme for a dynamic group where users commu- nicate over a high-delay network environment. We provide a rigorous proof of security of the scheme in the model of ▇▇▇▇▇▇▇ et al. [15, 12, 13] in which an adversary controls all commu- nication flows in the network. The concrete security reduction we exhibit in the ideal hash model is tight; breaking the semantic security of our scheme almost always leads to solving the well-established factoring problem, provided that the signature scheme used is existentially unforgeable. Our group key agreement scheme also provides perfect forward secrecy [18]; i.e., disclosure of long-term secret keys does not compromise the security of previously established session keys. In wide area network environments, the main source of delay is not the computational time needed for cryptographic operations, but the communication time spent in the network.1 Moreover, the power of computers continues to increase at a rapid pace. We refer the reader to the literature [2, 24] for detailed discussions of comparison between the communication latency in wide area networks and the computation time for modular exponentiation. As the experiment results of [2] also indicate, it is widely accepted that the number of communication rounds and the number of exchanged messages are two most important factors for efficient key agreement over a high-delay network. Table 1 compares the efficiency of our scheme given in Section 5 with other provably-secure 1For example, the computation of a modular exponentiation xy mod z with |x| = |y| = |z| = 1024 takes about 9 ms using the big number library in OpenSSL on a Athlon XP 2100+ PC, whereas a 100-300 ms round-trip delay in wide area networks is common. schemes that provide forward secrecy [12, 25]. As for computational costs, the table lists the total amount of computation that needs to be done by group members. As shown in the table, the scheme of [12] requires n communication rounds for initial key agreement which occurs at the time of group genesis, and j communication rounds for the rekeying operation that follows the joining of j new users. The protocol of [25], as already mentioned, requires n broadcast messages to be sent in each of three rounds, both for initial key agreement and for every group rekeying operation. In contrast, our scheme takes at most 2 communication rounds while maintaining low message complexity, in any of the three cases. Therefore, it is straightforward to see that our dynamic group key agreement scheme is well suited for network- ing environments with high communication latency. In particular, due to its computational asymmetry, our scheme is best suited for unbalanced networks consisting of mobile hosts with restricted computational resources and stationary hosts with relatively high computational capabilities. The remainder of this paper is organized as follows. We begin with some notations and background in Section 2. We continue with a description of the standard security model for group key agreement protocols in Section 3. Then, in Section 4, we define the security of an authenticated key agreement protocol for a dynamic group, and describe the underlying assumptions on which the security of our scheme is based. Finally, we introduce a dynamic group key agreement scheme in Section 5 and give a security proof for this scheme in the random oracle model in Section 6.