Common use of Related Work Clause in Contracts

Related Work. Many GKA protocols [5, 11, 7, 4, 6, 3] have been pro- posed in literature, most being derived from the two-party Diffie-▇▇▇▇▇▇▇ (DH) key agreement protocol. While some are secure against passive adversaries only, others do not have a rigorous security proof. A security proof typically involves showing that an attack on a protocol can be used to solve a well-known hard problem under some standard assumptions. Provably secure protocols in a well-defined model of security were first provided by ▇▇▇▇▇▇▇ et al. [4]. Their security model extended the earlier work of ▇▇▇▇▇▇▇ et al. [ 1]. The number of rounds in these protocols is linear in the number of participants, thus making them unsuitable for large ad hoc networks. − ▇▇▇▇ et al. [6] proposed the first provably-secure con- stant round GKA protocol inspired from the works of ▇▇▇▇▇▇▇▇▇ et al. [5]. In the same work, they also pro- posed a scalable “compiler” to transform a GKA protocol, secure against a passive adversary, into one which is secure against an active adversary. But one round in their proto- col consists of 1 broadcast and n 1 simultaneous receives by each user. Achieving this is not possible in most net- works. Also it lacks procedures to handle group dynamism. ▇▇▇▇ et al. [3] proposed an efficient constant round pro- tocol where the bulk of the computation is done by one participant, thus making it efficient for heterogeneous ad hoc networks. It is provably secure in the Random Oracle model [1] but lacks perfect forward secrecy (i.e., compro- mise of long-term key compromises all past session1 keys). We propose a provably secure and efficient protocol which 1A session refers to one instance of GKA protocol execution in some group. Protocol Expo per Ui (Max Expo) Rounds (Messages) PS [11] 3 (m) m +1 (2m − 3) No [7] log2 m +1 log2 m (m) No [4] i +1 m (m) Yes [6] 3 2y (2m) Yes [9] 2 (2myy) 2y (m) Yes Ours 2 (m) 2y (m) Yes

Related Work. Many GKA protocols [5, 11, 7, 4, 6, 3] have been pro- posed in literature, most being derived from the two-party Diffie-▇▇▇▇▇▇-▇▇▇▇▇▇▇ (DH) key agreement protocol. While some are secure against passive adversaries only, others do not have a rigorous security proof. A security proof typically involves showing that an attack on a protocol can be used to solve a well-known hard problem under some standard assumptions. Provably secure protocols in a well-defined defined model of security were first first provided by ▇▇▇▇▇▇▇ et al. [4]. Their security model extended the earlier work of ▇▇▇▇▇▇▇ Bellare et al. [ 1]. The number of rounds in these protocols is linear in the number of participants, thus making them unsuitable for large ad hoc networks. − ▇▇▇▇ et al. [6] proposed the first first provably-secure con- stant round GKA protocol inspired from the works of ▇▇▇▇▇▇▇▇▇ et al. [5]. In the same work, they also pro- posed a scalable “compiler” to transform a GKA protocol, secure against a passive adversary, into one which is secure against an active adversary. But one round in their proto- col consists of 1 broadcast and n 1 simultaneous receives by each user. Achieving this is not possible in most net- works. Also it lacks procedures to handle group dynamism. ▇▇▇▇ et al. [3] proposed an efficient efficient constant round pro- tocol where the bulk of the computation is done by one participant, thus making it efficient efficient for heterogeneous ad hoc networks. It is provably secure in the Random Oracle model [1] but lacks perfect forward secrecy (i.e., compro- mise of long-term key compromises all past session1 keys). We propose a provably secure and efficient efficient protocol which 1A session refers to one instance of GKA protocol execution in some group. Protocol Expo per Ui (Max Expo) Rounds (Messages) PS [11] 3 (m) m +1 (2m − 3) No [7] log2 m +1 log2 m (m) No [4] i +1 m (m) Yes [6] 3 2y 2٨ (2m) Yes [9] 2 (2myy2m٨٨) 2y 2٨ (m) Yes Ours 2 (m) 2y 2٨ (m) YesYes m: Number of participants

Related Work. Many GKA protocols [5, 11, 7, 4, 6, 3] have been pro- posed in literature, most being derived from the two-party Diffie-▇▇▇▇▇-▇▇▇▇▇▇▇ (DH) key agreement protocol. While some are secure against passive adversaries only, others do not have a rigorous security proof. A security proof typically involves showing that an attack on a protocol can be used to solve a well-known hard problem under some standard assumptions. Provably secure protocols in a well-defined model of security were first provided by ▇▇▇▇▇▇▇ Bresson et al. [4]. Their security model extended the earlier work of ▇▇▇▇▇▇▇ et al. [ 1]. The number of rounds in these protocols is linear in the number of participants, thus making them unsuitable for large ad hoc networks. − ▇▇▇▇ Yung et al. [6] proposed the first provably-secure con- stant round GKA protocol inspired from the works of ▇▇▇▇▇▇▇▇▇ et al. [5]. In the same work, they also pro- posed a scalable “compiler” to transform a GKA protocol, secure against a passive adversary, into one which is secure against an active adversary. But one round in their proto- col consists of 1 broadcast and n 1 simultaneous receives by each user. Achieving this is not possible in most net- works. Also it lacks procedures to handle group dynamism. ▇▇▇▇ et al. [3] proposed an efficient constant round pro- tocol where the bulk of the computation is done by one participant, thus making it efficient for heterogeneous ad hoc networks. It is provably secure in the Random Oracle model [1] but lacks perfect forward secrecy (i.e., compro- mise of long-term key compromises all past session1 keys). We propose a provably secure and efficient protocol which 1A session refers to one instance of GKA protocol execution in some group. Protocol Expo per Ui (Max Expo) Rounds (Messages) PS [11] 3 (m) m +1 (2m − 3) No [7] log2 m +1 log2 m (m) No [4] i +1 m (m) Yes [6] 3 2y (2m) Yes [9] 2 (2myy) 2y (m) Yes Ours 2 (m) 2y (m) Yes

Related Work. Many GKA protocols [5, 11, 7, 4, 6, 3] have been pro- posed in literature, most being derived from the two-party Diffie-▇▇▇▇▇▇-▇▇▇▇▇▇▇ (DH) key agreement protocol. While some are secure against passive adversaries only, others do not have a rigorous security proof. A security proof typically involves showing that an attack on a protocol can be used to solve a well-known hard problem under some standard assumptions. Provably secure protocols in a well-defined defined model of security were first first provided by ▇▇▇▇▇▇▇ et al. [4]. Their security model extended the earlier work of ▇▇▇▇▇▇▇ et al. [ 1]. The number of rounds in these protocols is linear in the number of participants, thus making them unsuitable for large ad hoc networks. − ▇▇▇▇ et al. [6] proposed the first first provably-secure con- stant round GKA protocol inspired from the works of ▇▇▇▇▇▇▇▇▇ et al. [5]. In the same work, they also pro- posed a scalable “compiler” to transform a GKA protocol, secure against a passive adversary, into one which is secure against an active adversary. But one round in their proto- col consists of 1 broadcast and n 1 simultaneous receives by each user. Achieving this is not possible in most net- works. Also it lacks procedures to handle group dynamism. ▇▇▇▇ et al. [3] proposed an efficient efficient constant round pro- tocol where the bulk of the computation is done by one participant, thus making it efficient efficient for heterogeneous ad hoc networks. It is provably secure in the Random Oracle model [1] but lacks perfect forward secrecy (i.e., compro- mise of long-term key compromises all past session1 keys). We propose a provably secure and efficient efficient protocol which 1A session refers to one instance of GKA protocol execution in some group. Protocol Expo per Ui (Max Expo) Rounds (Messages) PS [11] 3 (m) m +1 (2m − 3) No [7] log2 m +1 log2 m (m) No [4] i +1 m (m) Yes [6] 3 2y 2٨ (2m) Yes [9] 2 (2myy2m٨٨) 2y 2٨ (m) Yes Ours 2 (m) 2y 2٨ (m) YesYes m: Number of participants

Related Work. Many GKA Group Key Agreement protocols [5, 11, 7, 4, 6, 315,19,4,2,32,22,23,1] have been pro- posed in literature, most being derived from the two-party Diffie-▇▇▇▇▇▇-▇▇▇▇▇▇▇ (DH) key agreement protocol. While Some have no formal proofs while some are secure against passive adversaries only, others do not have a rigorous security proof. A security proof typically involves showing that an attack on a protocol can be used to solve a well-known hard problem under some standard assumptionsonly (for instance [31,22]). Provably secure protocols in a well-defined defined model of security were first first provided by ▇▇▇▇▇▇▇ Bresson et al. [414,12,13]. Their security model extended the earlier work of ▇▇▇▇▇▇▇ et al. [ 16,5]. The number of rounds in these protocols is linear in the number of participants, thus making them unsuitable for large ad hoc networks. − Both TGDH [22] and Dutta [17] make use of key trees, but such protocols require special ordering of the group members which is not easily achieved in ad hoc networks and make the protocol less robust to message losses. They require O(height of tree) rounds of communication. ▇▇▇▇-▇▇▇▇ et al. [621] proposed the first first provably-secure con- stant constant-round GKA group key agreement protocol inspired from the works of ▇▇▇▇▇▇▇▇▇ et al. [515]. In the same work, they also pro- posed proposed a scalable “compiler” compiler to transform a any GKA protocol, protocol secure against a passive adversary, ad- versary into one which is secure against an active adversary. But one round in their proto- col consists of 1 with upto 3m broadcast and n 1 simultaneous receives by each user. Achieving this messages, the protocol is not possible quite expensive to implement in most net- worksad hoc networks. Also it It lacks procedures to handle group dynamismdynamism and again requires ordering of the members in a ring which is difficult to implement in ad hoc networks. ▇▇▇▇ et al. [310] proposed an efficient efficient constant round pro- tocol proto- col where the bulk of the computation is done by one participantparticipant (the current group leader), thus making it efficient highly efficient for heterogeneous ad hoc networksnet- works. It is provably secure in the Random Oracle model [1] 6], but lacks perfect forward secrecy (i.e., compro- mise i.e. compromise of long-term key compromises all past session1 session keys). We propose a provably secure and efficient protocol which 1A session refers to one instance Cata- Table 1 Efficiency Comparison of GKA protocol execution in some group. Protocol protocols Expo per Ui (Max Expo) Rounds (Messages) PS Messages Unicast Broadcast Security TGDH [22] log2 m + 1 log2 m 0 m Passive GDH.2 [13,2] i + 1 m m − 1 1 Active Dutta [17] log3 my log3 m 0 m Active ▇▇▇▇▇▇▇▇ [11] 3 (m) 3m +1 (2 0 2m − 3) No Active Won [7] log2 m +1 log2 m (m) No [4] i +1 m (m) Yes [6] 3 2y (2m) Yes [927] 2 (2myy2m† for leader) 2y (m) Yes 3 m − 1 m + 1 Active Ours 2 (mm for leader) 2y 3 m − 1 2 Active †: m inverse calculations or O(m2) multiplications apart from m exponentiations lano et. al [11] proposed a two-round protocol achieving security against active adversaries but with upto 3m exponentiations for each member, the protocol is way too expensive for ad hoc networks. Subsequent to the present work 1 , Won et al. [27] also solve this problem but their proposition turns out to be expensive computationally. Also they use the compiler of [21] which adds to its message complexity as well. In Table 1, we compare GKA protocols achiev- ing basic security goals of key secrecy, key independence and forward secrecy (msee Section 2.1). We compare the number of exponentiations performed by each member, the number of rounds (multiple independent messages can be sent in a single round) Yesas well as the total number of messages exchanged and mention the security level achieved by each protocol.

Related Work. Many GKA protocols [5, 11, 7, 4, 6, 3] have been pro- posed in literature, most being derived from the two-party Diffie-▇▇▇▇▇▇-▇▇▇▇▇▇▇ (DH) key agreement protocol. While some are secure against passive adversaries only, others do not have a rigorous security proof. A security proof typically involves showing that an attack on a protocol can be used to solve a well-known hard problem under some standard assumptions. Provably secure protocols in a well-defined defined model of security were first first provided by ▇▇▇▇▇▇▇ Bresson et al. [4]. Their security model extended the earlier work of ▇▇▇▇▇▇▇ et al. [ 1]. The number of rounds in these protocols is linear in the number of participants, thus making them unsuitable for large ad hoc networks. − ▇▇▇▇ Yung et al. [6] proposed the first first provably-secure con- stant round GKA protocol inspired from the works of ▇▇▇▇▇▇▇▇▇ et al. [5]. In the same work, they also pro- posed a scalable “compiler” to transform a GKA protocol, secure against a passive adversary, into one which is secure against an active adversary. But one round in their proto- col consists of 1 broadcast and n 1 simultaneous receives by each user. Achieving this is not possible in most net- works. Also it lacks procedures to handle group dynamism. ▇▇▇▇ et al. [3] proposed an efficient efficient constant round pro- tocol where the bulk of the computation is done by one participant, thus making it efficient efficient for heterogeneous ad hoc networks. It is provably secure in the Random Oracle model [1] but lacks perfect forward secrecy (i.e., compro- mise of long-term key compromises all past session1 keys). We propose a provably secure and efficient efficient protocol which 1A session refers to one instance of GKA protocol execution in some group. Protocol Expo per Ui (Max Expo) Rounds (Messages) PS [11] 3 (m) m +1 + 1 (2m − 3) No [7] log2 m +1 + 1 log2 m (m) No [4] i +1 + 1 m (m) Yes [6] 3 2y (2m) Yes [9] 2 (2myy) 2y (m) Yes Ours 2 (m) 2y (m) Yes