Common use of Related Work Clause in Contracts

Related Work. Many GKA protocols [5, 11, 7, 4, 6, 3] have been pro- posed in literature, most being derived from the two-party Xxxxxx-Xxxxxxx (DH) key agreement protocol. While some are secure against passive adversaries only, others do not have a rigorous security proof. A security proof typically involves showing that an attack on a protocol can be used to solve a well-known hard problem under some standard assumptions. Provably secure protocols in a well-defined model of security were first provided by Xxxxxxx et al. [4]. Their security model extended the earlier work of Bellare et al. [1]. The number of rounds in these protocols is linear in the number of participants, thus making them unsuitable for large ad hoc networks. − Xxxx et al. [6] proposed the first provably-secure con- stant round GKA protocol inspired from the works of Xxxxxxxxx et al. [5]. In the same work, they also pro- posed a scalable “compiler” to transform a GKA protocol, secure against a passive adversary, into one which is secure against an active adversary. But one round in their proto- col consists of 1 broadcast and n 1 simultaneous receives by each user. Achieving this is not possible in most net- works. Also it lacks procedures to handle group dynamism. Xxxx et al. [3] proposed an efficient constant round pro- tocol where the bulk of the computation is done by one participant, thus making it efficient for heterogeneous ad hoc networks. It is provably secure in the Random Oracle model [1] but lacks perfect forward secrecy (i.e., compro- mise of long-term key compromises all past session1 keys). We propose a provably secure and efficient protocol which 1A session refers to one instance of GKA protocol execution in some group. Protocol Expo per Ui (Max Expo) Rounds (Messages) PS [11] 3 (m) m +1 (2m − 3) No [7] log2 m +1 log2 m (m) No [4] i +1 m (m) Yes [6] 3 2٨ (2m) Yes [9] 2 (2m٨٨) 2٨ (m) Yes Ours 2 (m) 2٨ (m) Yes m: Number of participants

Related Work. Many GKA protocols [5, 11, 7, 4, 6, 3] have been pro- posed in literature, most being derived from the two-party XxxxxxDiffie-Xxxxxxx (DH) key agreement protocol. While some are secure against passive adversaries only, others do not have a rigorous security proof. A security proof typically involves showing that an attack on a protocol can be used to solve a well-known hard problem under some standard assumptions. Provably secure protocols in a well-defined defined model of security were first first provided by Xxxxxxx et al. [4]. Their security model extended the earlier work of Bellare Xxxxxxx et al. [1]. The number of rounds in these protocols is linear in the number of participants, thus making them unsuitable for large ad hoc networks. − Xxxx et al. [6] proposed the first first provably-secure con- stant round GKA protocol inspired from the works of Xxxxxxxxx et al. [5]. In the same work, they also pro- posed a scalable “compiler” to transform a GKA protocol, secure against a passive adversary, into one which is secure against an active adversary. But one round in their proto- col consists of 1 broadcast and n 1 simultaneous receives by each user. Achieving this is not possible in most net- works. Also it lacks procedures to handle group dynamism. Xxxx et al. [3] proposed an efficient efficient constant round pro- tocol where the bulk of the computation is done by one participant, thus making it efficient efficient for heterogeneous ad hoc networks. It is provably secure in the Random Oracle model [1] but lacks perfect forward secrecy (i.e., compro- mise of long-term key compromises all past session1 keys). We propose a provably secure and efficient efficient protocol which 1A session refers to one instance of GKA protocol execution in some group. Protocol Expo per Ui (Max Expo) Rounds (Messages) PS [11] 3 (m) m +1 (2m − 3) No [7] log2 m +1 log2 m (m) No [4] i +1 m (m) Yes [6] 3 2٨ 2y (2m) Yes [9] 2 (2m٨٨2myy) 2٨ 2y (m) Yes Ours 2 (m) 2٨ 2y (m) Yes m: Number of participantsYes

Related Work. Many GKA protocols [5, 11, 7, 4, 6, 3] have been pro- posed in literature, most being derived from the two-party XxxxxxXxxxx-Xxxxxxx (DH) key agreement protocol. While some are secure against passive adversaries only, others do not have a rigorous security proof. A security proof typically involves showing that an attack on a protocol can be used to solve a well-known hard problem under some standard assumptions. Provably secure protocols in a well-defined defined model of security were first first provided by Xxxxxxx Bresson et al. [4]. Their security model extended the earlier work of Bellare Xxxxxxx et al. [1]. The number of rounds in these protocols is linear in the number of participants, thus making them unsuitable for large ad hoc networks. − Xxxx Yung et al. [6] proposed the first first provably-secure con- stant round GKA protocol inspired from the works of Xxxxxxxxx et al. [5]. In the same work, they also pro- posed a scalable “compiler” to transform a GKA protocol, secure against a passive adversary, into one which is secure against an active adversary. But one round in their proto- col consists of 1 broadcast and n 1 simultaneous receives by each user. Achieving this is not possible in most net- works. Also it lacks procedures to handle group dynamism. Xxxx et al. [3] proposed an efficient efficient constant round pro- tocol where the bulk of the computation is done by one participant, thus making it efficient efficient for heterogeneous ad hoc networks. It is provably secure in the Random Oracle model [1] but lacks perfect forward secrecy (i.e., compro- mise of long-term key compromises all past session1 keys). We propose a provably secure and efficient efficient protocol which 1A session refers to one instance of GKA protocol execution in some group. Protocol Expo per Ui (Max Expo) Rounds (Messages) PS [11] 3 (m) m +1 (2m − 3) No [7] log2 m +1 log2 m (m) No [4] i +1 m (m) Yes [6] 3 2٨ 2y (2m) Yes [9] 2 (2m٨٨2myy) 2٨ 2y (m) Yes Ours 2 (m) 2٨ 2y (m) Yes m: Number of participantsYes

Related Work. Many GKA protocols [5, 11, 7, 4, 6, 3] have been pro- posed in literature, most being derived from the two-party Xxxxxx-Xxxxxxx (DH) key agreement protocol. While some are secure against passive adversaries only, others do not have a rigorous security proof. A security proof typically involves showing that an attack on a protocol can be used to solve a well-known hard problem under some standard assumptions. Provably secure protocols in a well-defined model of security were first provided by Xxxxxxx Bresson et al. [4]. Their security model extended the earlier work of Bellare Xxxxxxx et al. [1]. The number of rounds in these protocols is linear in the number of participants, thus making them unsuitable for large ad hoc networks. − Xxxx Yung et al. [6] proposed the first provably-secure con- stant round GKA protocol inspired from the works of Xxxxxxxxx et al. [5]. In the same work, they also pro- posed a scalable “compiler” to transform a GKA protocol, secure against a passive adversary, into one which is secure against an active adversary. But one round in their proto- col consists of 1 broadcast and n 1 simultaneous receives by each user. Achieving this is not possible in most net- works. Also it lacks procedures to handle group dynamism. Xxxx et al. [3] proposed an efficient constant round pro- tocol where the bulk of the computation is done by one participant, thus making it efficient for heterogeneous ad hoc networks. It is provably secure in the Random Oracle model [1] but lacks perfect forward secrecy (i.e., compro- mise of long-term key compromises all past session1 keys). We propose a provably secure and efficient protocol which 1A session refers to one instance of GKA protocol execution in some group. Protocol Expo per Ui (Max Expo) Rounds (Messages) PS [11] 3 (m) m +1 + 1 (2m − 3) No [7] log2 m +1 + 1 log2 m (m) No [4] i +1 + 1 m (m) Yes [6] 3 2٨ (2m) Yes [9] 2 (2m٨٨) 2٨ (m) Yes Ours 2 (m) 2٨ (m) Yes m: Number of participants

Related Work. Many GKA protocols [5, 11, 7, 4, 6, 3] have been pro- posed in literature, most being derived from the two-party Xxxxxx-Xxxxxxx (DH) key agreement protocol. While some are secure against passive adversaries only, others do not have a rigorous security proof. A security proof typically involves showing that an attack on a protocol can be used to solve a well-known hard problem under some standard assumptions. Provably secure protocols in a well-defined model of security were first provided by Xxxxxxx Bresson et al. [4]. Their security model extended the earlier work of Bellare Xxxxxxx et al. [1]. The number of rounds in these protocols is linear in the number of participants, thus making them unsuitable for large ad hoc networks. − Xxxx Yung et al. [6] proposed the first provably-secure con- stant round GKA protocol inspired from the works of Xxxxxxxxx et al. [5]. In the same work, they also pro- posed a scalable “compiler” to transform a GKA protocol, secure against a passive adversary, into one which is secure against an active adversary. But one round in their proto- col consists of 1 broadcast and n 1 simultaneous receives by each user. Achieving this is not possible in most net- works. Also it lacks procedures to handle group dynamism. Xxxx et al. [3] proposed an efficient constant round pro- tocol where the bulk of the computation is done by one participant, thus making it efficient for heterogeneous ad hoc networks. It is provably secure in the Random Oracle model [1] but lacks perfect forward secrecy (i.e., compro- mise of long-term key compromises all past session1 keys). We propose a provably secure and efficient protocol which 1A session refers to one instance of GKA protocol execution in some group. Protocol Expo per Ui (Max Expo) Rounds (Messages) PS [11] 3 (m) m +1 (2m − 3) No [7] log2 m +1 log2 m (m) No [4] i +1 m (m) Yes [6] 3 2٨ (2m) Yes [9] 2 (2m٨٨) 2٨ (m) Yes Ours 2 (m) 2٨ (m) Yes m: Number of participants

Related Work. Many GKA protocols [5, 11, 7, 4, 6, 3] have been pro- posed in literature, most being derived from the two-party Xxxxxx-Xxxxxxx (DH) key agreement protocol. While some are secure against passive adversaries only, others do not have a rigorous security proof. A security proof typically involves showing that an attack on a protocol can be used to solve a well-known hard problem under some standard assumptions. Provably secure protocols in a well-defined model of security were first provided by Xxxxxxx Bresson et al. [4]. Their security model extended the earlier work of Bellare Xxxxxxx et al. [1]. The number of rounds in these protocols is linear in the number of participants, thus making them unsuitable for large ad hoc networks. − Xxxx Yung et al. [6] proposed the first provably-secure con- stant round GKA protocol inspired from the works of Xxxxxxxxx et al. [5]. In the same work, they also pro- posed a scalable “compiler” to transform a GKA protocol, secure against a passive adversary, into one which is secure against an active adversary. But one round in their proto- col consists of 1 broadcast and n 1 simultaneous receives by each user. Achieving this is not possible in most net- works. Also it lacks procedures to handle group dynamism. Xxxx et al. [3] proposed an efficient constant round pro- tocol where the bulk of the computation is done by one participant, thus making it efficient for heterogeneous ad hoc networks. It is provably secure in the Random Oracle model [1] but lacks perfect forward secrecy (i.e., compro- mise of long-term key compromises all past session1 keys). We propose a provably secure and efficient protocol which 1A session refers to one instance of GKA protocol execution in some group. Protocol Expo per Ui (Max Expo) Rounds (Messages) PS [11] 3 (m) m +1 + 1 (2m − 3) No [7] log2 m +1 + 1 log2 m (m) No [4] i +1 + 1 m (m) Yes [6] 3 2٨ 2y (2m) Yes [9] 2 (2m٨٨2myy) 2٨ 2y (m) Yes Ours 2 (m) 2٨ 2y (m) Yes m: Number of participantsYes

Related Work. Many GKA protocols [5, 11, 7, 4, 6, 3] have been pro- posed in literature, most being derived from the two-party Xxxxxx-Xxxxxxx (DH) key agreement protocol. While some are secure against passive adversaries only, others do not have a rigorous security proof. A security proof typically involves showing that an attack on a protocol can be used to solve a well-known hard problem under some standard assumptions. Provably secure protocols in a well-defined model of security were first provided by Xxxxxxx et al. [4]. Their security model extended the earlier work of Bellare Xxxxxxx et al. [1]. The number of rounds in these protocols is linear in the number of participants, thus making them unsuitable for large ad hoc networks. − Xxxx et al. [6] proposed the first provably-secure con- stant round GKA protocol inspired from the works of Xxxxxxxxx et al. [5]. In the same work, they also pro- posed a scalable “compiler” to transform a GKA protocol, secure against a passive adversary, into one which is secure against an active adversary. But one round in their proto- col consists of 1 broadcast and n 1 simultaneous receives by each user. Achieving this is not possible in most net- works. Also it lacks procedures to handle group dynamism. Xxxx et al. [3] proposed an efficient constant round pro- tocol where the bulk of the computation is done by one participant, thus making it efficient for heterogeneous ad hoc networks. It is provably secure in the Random Oracle model [1] but lacks perfect forward secrecy (i.e., compro- mise of long-term key compromises all past session1 keys). We propose a provably secure and efficient protocol which 1A session refers to one instance of GKA protocol execution in some group. Protocol Expo per Ui (Max Expo) Rounds (Messages) PS [11] 3 (m) m +1 (2m − 3) No [7] log2 m +1 log2 m (m) No [4] i +1 m (m) Yes [6] 3 2٨ (2m) Yes [9] 2 (2m٨٨) 2٨ (m) Yes Ours 2 (m) 2٨ (m) Yes m: Number of participants