Common use of Related Work Clause in Contracts

Related Work. The original idea of extending the 2-party Xxxxxx-Xxxxxxx scheme [15] to the multi-party setting dates back to the classical paper of Ingemarsson et al. [19], and is followed by many works [25, 13, 20, 3, 21, 26, 22] offering various levels of complexity. However, research on provably-secure group key agreement in concrete, realistic setting is fairly new. It is only recently that Bresson et al. [12, 8, 9] have presented the first group key agreement protocols proven secure in a well-defined security model which builds on earlier model of Xxxxxxx et al. [4]. The initial work [12] assumes that group membership is static, whereas later works [8, 9] focus on the dynamic case which we do not deal with here. But one drawback of their scheme is that its round complexity is linear in the number of group members. Consequently, as group size grows large, this scheme becomes impractical particularly in a wide area network with high communication latency. More recently, Xxxx and Yung [23] have proposed the first constant-round group key agreement protocol that has been proven secure in the security model of Bresson et al. [12]. They provide a formal proof of security for the two-round protocol of Xxxxxxxxx and Xxxxxxx [13], and introduce a one-round compiler that transforms any group key agree- ment protocol secure against a passive adversary into one that is secure against an active adversary. In this protocol all group members behave in a completely symmetric manner; in a group of size n, each member sends one broadcast message per round, and computes three modular exponentiations, O(n log n) modular multiplications, O(n) signature verifica- tions, and two signature generations. While this protocol is very efficient in general, the full symmetry negatively impacts on the overall performance of the protocol in our asymmetric setting; the computational cost of a mobile host is significant in a large group, due to the number of modular multiplications and signature verifications. Most recently, Bresson and Xxxxxxxx [7] have introduced another fully-symmetric proto- col which requires two rounds of communication. Interestingly, unlike previous approaches, they construct the protocol by combining the properties of the ElGamal encryption scheme [17] with standard secret sharing techniques [24]. However, with increasing number of par- ticipants, the complexity of the protocol becomes beyond the capabilities of a small mobile device. The protocol presented by Xxxx and Xxxxx [6] completes in only a single round of communication and is provably secure in the random oracle model [5]. But unfortunately, this protocol does not achieve forward secrecy even if its round complexity is optimal. Thus it still remains an open problem to find a one-round group key agreement protocol providing forward secrecy. Another constant-round protocol that does not achieve (perfect) forward secrecy has been shown in [11]. This protocol runs in two rounds of communication and is provably secure in the random oracle model. In common with our protocol, these protocols [6, 11] are computationally asymmetric; one distinct member performs O(n) computations whereas the other members perform only a constant amount of computation.

Related Work. The original idea of extending the 2-party Xxxxxx-Xxxxxxx scheme [1517] to the multi-party setting dates back to the classical paper of Ingemarsson Xxxxxxxxxxx et al. [1921], and is followed by many works [2527, 1316, 2022, 4, 23, 3, 2129, 2630, 2224] offering various levels of complexity. However, research regardless of whether they explicitly deal with the case where group membership is dynamic, all these approaches simply assume a passive adversary, or only provide an informal/non-standard security analysis for an active adversary. As a result, some of these protocols [3, 30] have been found to be flawed in [26] and [10], respectively. Research on provably-secure group key agreement in concrete, realistic setting a formal security model is fairly new. It is only recently that Bresson Xxxxxxx et al. [15, 12, 8, 913] have presented the first group key agreement protocols proven secure in a well-defined security model which builds on extends earlier model work of Xxxxxxx Bellare et al. [4]6, 8, 5] to the multi-party setting. The initial work [1215] assumes that group membership is static, whereas later works [812, 913] focus on the dynamic case which we do not deal with herecase. But one drawback of their scheme is that in case of initial key agreement, its round complexity is linear in the number of group members. Moreover, the simultaneous joining of multiple users also takes a linear number of rounds with respect to the number of new members. Consequently, as the group size grows large, this scheme becomes impractical particularly in a wide area network environment where the delays associated with high communication latencyare expected to dominate the cost for group key agreement. More recently, Xxxx and Yung Xxxx [2325] have proposed the first constant-round protocol for group key agreement protocol that has been proven secure against an active adversary; the protocol requires three rounds of communication and achieves provable security under the Decisional Xxxxxx-Xxxxxxx assumption in the security model of Bresson et alstandard model. [12]. They Specifically, they provide a formal proof of security for the two-round protocol of Xxxxxxxxx and Xxxxxxx [1316], and introduce a one-one- round compiler that transforms any group key agree- ment exchange protocol secure against a passive adversary into one that is secure against an active adversaryadversary with powerful capabilities. In this protocol all group members behave in a completely symmetric manner; in a group of size n, each member sends one broadcast message per round, and computes three modular exponentiations, O(n log n) modular multiplications, and O(n) signature verifica- tions, and two signature generationsverifications. While this the protocol is very efficient in general, the this full symmetry negatively impacts on the overall performance of the protocol performance in a scenario similar to our asymmetric setting; the computational cost of a mobile host communication overhead is significant in a large group, due to the number of modular multiplications and signature verifications. Most recently, Bresson and Xxxxxxxx [7] have introduced another fully-symmetric proto- col which requires two with three rounds of communication. Interestinglyn broadcasts, unlike previous approachesand furthermore, they construct the protocol by combining has to restart from scratch in the properties presence of the ElGamal encryption scheme any membership change. In [1710] with standard secret sharing techniques [24]. However, with increasing number of par- ticipants, the complexity of the protocol becomes beyond the capabilities of a small mobile device. The protocol presented by Xxxx and Xxxxx [6] completes in only have introduced a single one-round of communication and group key agreement protocol which is provably secure in the random oracle model [57]. This protocol is computationally asymmetric and thus, as is the case with other asymmetric protocols [29, 24, 12, 13], appears to be easily extended to address the dynamic case. But unfortunately, this protocol does not achieve forward secrecy even if its round complexity is optimal. Thus it still remains an open problem to find a oneforward-round secure group key exchange scheme running in a single round. Most recently, Xxxxxxx and Xxxxxxxx [11] have presented another provably-secure protocol Table 1: Complexity comparison among group key agreement protocol providing forward secrecy. Another constant-round protocol schemes that does not achieve (perfect) both provable security and forward secrecy has been shown in Communication Computation Rounds Messages Unicasts Broadcasts Exp. Ver. [11]. This protocol runs in two rounds of communication and is provably secure in the random oracle model. In common with our protocol, these protocols [6, 1112] are computationally asymmetric; one distinct member performs IKA n1) n n − 1 1 O(n2) O(n) computations whereas the other members perform only a constant amount of computation.Join j + 1 j + 1 j2) 1 O(jn) O(n) Leave 1 1 1 O(n) O(n) [25] 3 3n 3n O(n) + O(n2 log n)3) O(n2) Here IKA 2 n n − 1 1 O(n)4) O(n) Join 2 j + 1 j 1 O(n)4) O(n) Leave 1 1 1 O(n)4) O(n) IKA: Initial Key Agreement, Exp: Modular Exponentiation, Ver: Signature Verification

Related Work. The original idea of extending the 2-party Xxxxxx-Xxxxxxx scheme [15] to the multi-party setting dates back to the classical paper of Ingemarsson Xxxxxxxxxxx et al. [19], and is followed by many works [25, 13, 20, 3, 21, 26, 22] offering various levels of complexity. However, research on provably-secure group key agreement in concrete, realistic setting is fairly new. It is only recently that Bresson Xxxxxxx et al. [12, 8, 9] have presented the first group key agreement protocols proven secure in a well-defined security model which builds on earlier model of Xxxxxxx Bellare et al. [4]. The initial work [12] assumes that group membership is static, whereas later works [8, 9] focus on the dynamic case which we do not deal with here. But one drawback of their scheme is that its round complexity is linear in the number of group members. Consequently, as group size grows large, this scheme becomes impractical particularly in a wide area network with high communication latency. More recently, Xxxx and Yung Xxxx [23] have proposed the first constant-round group key agreement protocol that has been proven secure in the security model of Bresson Xxxxxxx et al. [12]. They provide a formal proof of security for the two-round protocol of Xxxxxxxxx and Xxxxxxx [13], and introduce a one-round compiler that transforms any group key agree- ment protocol secure against a passive adversary into one that is secure against an active adversary. In this protocol all group members behave in a completely symmetric manner; in a group of size n, each member sends one broadcast message per round, and computes three modular exponentiations, O(n log n) modular multiplications, O(n) signature verifica- tions, and two signature generations. While this protocol is very efficient in general, the full symmetry negatively impacts on the overall performance of the protocol in our asymmetric setting; the computational cost of a mobile host is significant in a large group, due to the number of modular multiplications and signature verifications. Most recently, Bresson Xxxxxxx and Xxxxxxxx [7] have introduced another fully-symmetric proto- col which requires two rounds of communication. Interestingly, unlike previous approaches, they construct the protocol by combining the properties of the ElGamal encryption scheme [17] with standard secret sharing techniques [24]. However, with increasing number of par- ticipants, the complexity of the protocol becomes beyond the capabilities of a small mobile device. The protocol presented by Xxxx and Xxxxx [6] completes in only a single round of communication and is provably secure in the random oracle model [5]. But unfortunately, this protocol does not achieve forward secrecy even if its round complexity is optimal. Thus it still remains an open problem to find a one-round group key agreement protocol providing forward secrecy. Another constant-round protocol that does not achieve (perfect) forward secrecy has been shown in [11]. This protocol runs in two rounds of communication and is provably secure in the random oracle model. In common with our protocol, these protocols [6, 11] are computationally asymmetric; one distinct member performs O(n) computations whereas the other members perform only a constant amount of computation.