Common use of Xxxxxx and X Clause in Contracts

Xxxxxx and X. Xxxxxxxxx. Key-agreement in ad-hoc networks. In Nordsec’99, 1999. [4] X. Xxxxxxxx, X. Xxxxxxx, and X. Xxxxxx. Authenticated Group Key Agreement and Friends. In 5th ACM Conference on Computer and Communications Security, pages 17–26. ACM, November 1998. [5] X. Xxxxxx and X. Xxxxx. Communication complexity of group key distribution. In 5th ACM Conference on Computer and Communications Security, November 1998. [6] X. Xxxxxxx and X. Xxxxxxx. Random oracles are practical: A paradigm for designing efficient protocols. In 1st ACM Conference on Computer and Communications Security, 1993. [7] Xxx Xxxxx. The Decision Xxxxxx-Xxxxxxx problem. In Third Algorithmic Number Theory Symposium, number 1423 in Lecture Notes in Computer Science, pages 48–63. Springer-Verlag, Berlin Germany, 1998. [8] Xxx Xxxxx and Xxxxx Xxxxxxxxxx. Applications of multilinear forms to cryptography. To appear in Contemporary Mathematics, American Mathematical Society. [9] Xxxxxxxx Xxxxxxx, Xxxxxxx Xxxxxxxxx, and Xxxxx Xxxxxxxxxxx. Provably authenticated group Xxxxxx-Xxxxxxx key exchange — the dynamic case. In Xxxxx Xxxx, editor, Advances in Cryptology – ASIACRYPT ’2001, Lecture Notes in Computer Science, Gold Coast, Australia, 2001. International Association for Cryptologic Research, Springer-Verlag, Berlin Germany. [10] Xxxxxxxx Xxxxxxx, Xxxxxxx Xxxxxxxxx, Xxxxx Xxxxxxxxxxx, and Xxxx-Xxxxxxx Xxxxxxxxxx. Provably authenticated group xxxxxx-xxxxxxx key exchange. In Xxxxxxxxxx Xxxxxxxx, editor, 8th ACM Conference on Computer and Communications Security, Philadelphia, PA, USA, November 2001. ACM Press. [11] Xxxx Xxxxxxxxx and Xxx Xxxxxxx. A secure and efficient conference key distribution system. In X. Xx Xxxxxx, editor, Advances in Cryptology – EUROCRYPT ’94, number 950 in Lecture Notes in Computer Science. International Association for Cryptologic Research, Springer-Verlag, Berlin Germany, 1995. final version of proceedings. [12] X. Xxxxxxx, X. Xxxxxxxxx, X. Xxx, X. Xxxxxx, and X. Xxxxxxxx. The VersaKey framework: Versatile group key management. IEEE Journal on Selected Areas in Communications, 17(9), September 1999. [13] Xxxxx Xxxxx. Zero-knowledge undeniable signatures. In X.X. Xxxxxxx, editor, Advances in Cryptology – EUROCRYPT ’90, number 473 in Lecture Notes in Computer Science, pages 458–464. Springer-Verlag, Berlin Germany, May 1991.

Xxxxxx and X. Xxxxxxxxx. Key-agreement in ad-hoc networks. In Nordsec’99, 1999. [4] X. Xxxxxxxx, X. Xxxxxxx, and X. Xxxxxx. Authenticated Group Key Agreement and Friends. In 5th ACM Conference on Computer and Communications Security, pages 17–26. ACM, November 1998. [5] X. Xxxxxx and X. Xxxxx. Communication complexity of group key distribution. In 5th ACM Conference on Computer and Communications Security, November 1998. [6] X. Xxxxxxx and X. Xxxxxxx. Random oracles are practical: A paradigm for designing efficient effi cient protocols. In 1st ACM Conference on Computer and Communications Security, 1993. [7] Xxx Xxxxx. The Decision XxxxxxDiffi e-Xxxxxxx problem. In Third Algorithmic Number Theory Symposium, number 1423 in Lecture Notes in Computer Science, pages 48–63. Springer-Verlag, Berlin Germany, 1998. [8] Xxx Xxxxx and Xxxxx Xxxxxxxxxx. Applications of multilinear forms to cryptography. To appear in Contemporary Mathematics, American Mathematical Society. [9] Xxxxxxxx Xxxxxxx, Xxxxxxx Xxxxxxxxx, and Xxxxx Xxxxxxxxxxx. Provably authenticated group XxxxxxDiffi e-Xxxxxxx key exchange — the dynamic case. In Xxxxx Xxxx, editor, Advances in Cryptology – ASIACRYPT ’2001, Lecture Notes in Computer Science, Gold Coast, Australia, 2001. International Association for Cryptologic Research, Springer-Verlag, Berlin Germany. [10] Xxxxxxxx Xxxxxxx, Xxxxxxx Xxxxxxxxx, Xxxxx Xxxxxxxxxxx, and Xxxx-Xxxxxxx Xxxxxxxxxx. Provably authenticated group xxxxxxdiffi e-xxxxxxx key exchange. In Xxxxxxxxxx Xxxxxxxx, editor, 8th ACM Conference on Computer and Communications Security, Philadelphia, PA, USA, November 2001. ACM Press. [11] Xxxx Xxxxxxxxx and Xxx Xxxxxxx. A secure and efficient effi cient conference key distribution system. In X. Xx Xxxxxx, editor, Advances in Cryptology – EUROCRYPT ’94, number 950 in Lecture Notes in Computer Science. International Association for Cryptologic Research, Springer-Verlag, Berlin Germany, 1995. final fi nal version of proceedings. [12] X. Xxxxxxx, X. Xxxxxxxxx, X. Xxx, X. Xxxxxx, and X. Xxxxxxxx. The VersaKey framework: Versatile group key management. IEEE Journal on Selected Areas in Communications, 17(9), September 1999. [13] Xxxxx Xxxxx. Zero-knowledge undeniable signatures. In X.X. Xxxxxxx, editor, Advances in Cryptology – EUROCRYPT ’90, number 473 in Lecture Notes in Computer Science, pages 458–464. Springer-Verlag, Berlin Germany, May 1991.

Xxxxxx and X. XxxxxxxxxXxxxxxx. KeyKey establishment in large dynamic groups using one-agreement in adway function trees. Manuscript, May 1998. [21] X. X. Xxxxxxx, X. X. xxx Xxxxxxxx, and X. X. Xxxxxxxx. Handbook of applied cryptography. CRC Press series on discrete mathematics and its applications. CRC Press, 1997. ISBN 0-hoc networks8493-8523-7. [22] X. Xxxxx, X. Xxxx, X. Xxxxxxx-Xxxxx, and X. Xxxxxxx. Extended virtual synchrony. In Nordsec’99IEEE International Conference on Distributed Computing Systems, pages 56–65, June 1994. [23] X. Xxxxxx. Effi cient collaborative key management protocols for secure autonomous group communication. In CrypTEC ’99, pages 192–202, 1999. [424] X. XxxxxxxxXxxxx, X. XxxxxxxXxxxxx, and X. Xxxxxx. Authenticated Group Key Agreement and Friends. In 5th ACM Conference on Computer and Communications Security, pages 17–26. ACM, November 1998. [5] X. Xxxxxx and X. Xxxxx. Communication complexity of Optimized rekey for group key distributioncommunication systems. In 5th ACM Conference Symposium on Computer Network and Communications SecurityDistributed Systems Security (NDSS ’00), November 1998pages 37–48, San Diego, CA, February 2000. Internet Society. [625] X. Xxxxxxx Xxxxxx Xxxxx. Lower bounds for discrete logarithms and X. Xxxxxxx. Random oracles are practical: A paradigm for designing efficient protocolsrelated problems. In 1st ACM Conference on Computer and Communications SecurityXxxxxx Xxxx, 1993. [7] Xxx Xxxxx. The Decision Xxxxxx-Xxxxxxx problem. In Third Algorithmic Number Theory Symposiumeditor, Advances in Cryptology – EUROCRYPT ’97, number 1423 1233 in Lecture Notes in Computer Science, pages 48–63256–266. International Association for Cryptologic Research, Springer-Verlag, Berlin Germany, 19981997. [826] Xxx Xxxxx and Xxxxx XxxxxxxxxxXxxxxx Xxxxx. Applications of multilinear forms to cryptography. To appear in Contemporary Mathematics, American Mathematical Society. [9] Xxxxxxxx Xxxxxxx, Xxxxxxx Xxxxxxxxx, and Xxxxx Xxxxxxxxxxx. Provably authenticated group Xxxxxx-Xxxxxxx key exchange — the dynamic caseUsing hash functions as a hedge against chosen ciphertext attacks. In Xxxxx XxxxXxxx Xxxxxxx, editor, Advances in Cryptology – EUROCRYPT ’2000, number 1807 in Lecture Notes in Computer Science, pages 275–288. International Association for Cryptologic Research, Springer-Verlag, Berlin Germany, 2000. [27] X. Xxxxx, X. Xxxxxxxxxxxx, X. Xxxxx e, and X. Xxxxxx. A secure audio teleconference system. In Advances in Cryptology – CRYPTO ’88, number 403 in Lecture Notes in Computer Science, pages 520–528, Santa Barbara, CA, USA, August 1988. LNCS 403. [28] X. Xxxxxxx, X. Xxxxxx, and X. Xxxxxxx. Cliques: A new approach to group key agreement. IEEE Transactions on Parallel and Distributed Systems, August 2000. [29] Xxx-Xxxx Xxxxx and Zhi-Xxx Xxxxx. Round-effi cient conference-key agreement protocols with provable security. In Advances in Cryptology – ASIACRYPT ’20012000, Lecture Notes in Computer Science, Gold CoastKyoto, AustraliaJapan, 2001December 2000. International Association for Cryptologic Research, Springer-Verlag, Berlin Germany. [10] Xxxxxxxx Xxxxxxx, Xxxxxxx Xxxxxxxxx, Xxxxx Xxxxxxxxxxx, and Xxxx-Xxxxxxx Xxxxxxxxxx. Provably authenticated group xxxxxx-xxxxxxx key exchange. In Xxxxxxxxxx Xxxxxxxx, editor, 8th ACM Conference on Computer and Communications Security, Philadelphia, PA, USA, November 2001. ACM Press. [11] Xxxx Xxxxxxxxx and Xxx Xxxxxxx. A secure and efficient conference key distribution system. In X. Xx Xxxxxx, editor, Advances in Cryptology – EUROCRYPT ’94, number 950 in Lecture Notes in Computer Science. International Association for Cryptologic Research, Springer-Verlag, Berlin Germany, 1995. final version of proceedings. [1230] X. XxxxxxxXxxx, X. Xxxxxxxxx, X. Xxx, X. XxxxxxXxxxx, and X. XxxxxxxxXxx. Secure group communications using key graphs. In Proceedings of the ACM SIGCOMM ’98 conference on Applications, technologies, architectures, and protocols for computer communication, pages 68–79, 1998. Appeared in ACM SIGCOMM Computer Communication Review, Vol. 28, No. 4 (Oct. 1998). Xxxxxxx Xxx is an Assistant Professor in Department of Computer Science and Engineering and a member of Digital Technology Center (DTC) at the University of Minnesota, Twin Cities, Minneapolis, MN. He received his PhD degree from the Computer Science Department at University of Southern California (USC) in May 2002. From 1993 to 1998, he was a research staff at Electronics and Telecommunication Research Institute (ETRI), Korea. From January 2001 until July 2002, he was working as a research scientist at the University of California at Irvine. His acdemic interests include network security and cryptography. More information about his research is available at xxxx://xxx.xx.xxx.xxx/˜kyd. Xxxxxx Xxxxxx is an Assistant Professor in Electrical and Computer Engineering, Engineering and Public Policy, and Computer Science at Carnegie Mellon University. He earned his PhD in Computer Science from Carnegie Mellon University, and spent three years during his PhD at University of California at Berkeley. He received his BS in Computer Engineering from the Swiss Federal Institute of Technology in Lausanne (EPFL). Xxxxxx’s research interests revolve around building secure systems and include network security, security for sensor networks and mobile applications. More information about his research is available at: xxxx://xxx.xxx.xxx.xxx/˜xxxxxx. Xxxx Xxxxxx is a Professor in the Computer Science Department, at the University of California, Irvine. He has been active in the area of internetworking, network security and applied cryptography since 1987. He obtained a Ph.D. in Computer Science from USC in 1991; his dissertation focused on access control in internetworks. Before coming to UC Irvine in 2000, he was a Project Leader at IBM Research, Zurich Laboratory (1991-1996) and USC Information Science Institute (1996-2000). Over the years, his research interests included: internetwork routing, fi rewalls, authentication, mobile network security, secure e-commerce, anonymity, secure group communication, digital signatures, key management, ad hoc network routing, and, more recently, database privacy and secure storage. Some of Xxxxxxxxx Xxxxxx’x notable research contributions include: Inter-Domain Policy Routing (IDPR), IBM Network Security Program (KryptoKnight), IBM Internet Keyed Payment (iKP) protocols, Peer Group Key Management (CLIQUES) and Mediated Cryptographic Services (SUCSES). Xxxxxxxxx Xxxxxx has over 80 refereed publications and 7 patents. He is currently serving as Associate Xxxx of Research and Graduate Studies in the School of Information and Computer Science at UCI. Appendix Decisional Imbalanced Group Xxxxxx-Xxxxxxx Problem A. 2-party Decision Xxxxxx-Xxxxxxx Problem Our proofs require a specific group setting. In this section, we introduce a specific group ( ) and define the 2-party Decision Xxxxxx-Xxxxxxx (DDH) problem on . Let be a security parameter and be an integer. All algorithm run in probabilistic polynomial time with and as inputs. For concreteness, we consider a specific group : On input , algorithm gen chooses at random a pair where is a -bit value7, and and are both prime. Before introducing , we first consider a group , which is a group of squares modulo prime . This group can be described more precisely as follows: Consider an element which is a square of a primitive element of multiplicative group , i.e. . (Without loss of generality, we may assume .) Then group can be represented as An attractive variation of this group is to represent the elements by the integers from 0 to . 7In order to achieve the security level , the group size should be at least [25]. The VersaKey frameworkgroup operation is slightly different: Versatile Let a function be defined as if if Using this function, we can introduce the group key managementas Group operation on group is defined as , where . IEEE Journal on Selected Areas in CommunicationsProposition 3: Let . Then the function is a bijection from to . Proof: To see this, 17(9), September 1999suppose . [13] Xxxxx XxxxxThen this can be written and where integer and . Zero-knowledge undeniable signatures. In X.X. Xxxxxxx, editor, Advances in Cryptology – EUROCRYPT ’90, number 473 in Lecture Notes in Computer Science, pages 458–464. Springer-Verlag, Berlin Germany, May 1991.Now we can have four different cases:

Xxxxxx and X. XxxxxxxxxXxxxxxx. KeyKey establishment in large dynamic groups using one-agreement in adway function trees. Manuscript, May 1998. [21] X. X. Xxxxxxx, X. X. xxx Xxxxxxxx, and X. X. Xxxxxxxx. Handbook of applied cryptography. CRC Press series on discrete mathematics and its applications. CRC Press, 1997. ISBN 0-hoc networks8493-8523-7. [22] X. Xxxxx, X. Xxxx, X. Xxxxxxx-Xxxxx, and X. Xxxxxxx. Extended virtual synchrony. In Nordsec’99IEEE International Conference on Distributed Computing Systems, pages 56–65, June 1994. [23] X. Xxxxxx. Efficient collaborative key management protocols for secure autonomous group communication. In CrypTEC ’99, pages 192–202, 1999. [424] X. XxxxxxxxXxxxx, X. XxxxxxxXxxxxx, and X. Xxxxxx. Authenticated Group Key Agreement and Friends. In 5th ACM Conference on Computer and Communications Security, pages 17–26. ACM, November 1998. [5] X. Xxxxxx and X. Xxxxx. Communication complexity of Optimized rekey for group key distributioncommunication systems. In 5th ACM Conference Symposium on Computer Network and Communications SecurityDistributed Systems Security (NDSS ’00), November 1998pages 37–48, San Diego, CA, February 2000. Internet Society. [625] X. Xxxxxxx Xxxxxx Xxxxx. Lower bounds for discrete logarithms and X. Xxxxxxx. Random oracles are practical: A paradigm for designing efficient protocolsrelated problems. In 1st ACM Conference on Computer and Communications SecurityXxxxxx Xxxx, 1993. [7] Xxx Xxxxx. The Decision Xxxxxx-Xxxxxxx problem. In Third Algorithmic Number Theory Symposiumeditor, Advances in Cryptology – EUROCRYPT ’97, number 1423 1233 in Lecture Notes in Computer Science, pages 48–63256–266. International Association for Cryptologic Research, Springer-Verlag, Berlin Germany, 19981997. [826] Xxx Xxxxx and Xxxxx XxxxxxxxxxXxxxxx Xxxxx. Applications of multilinear forms to cryptography. To appear in Contemporary Mathematics, American Mathematical Society. [9] Xxxxxxxx Xxxxxxx, Xxxxxxx Xxxxxxxxx, and Xxxxx Xxxxxxxxxxx. Provably authenticated group Xxxxxx-Xxxxxxx key exchange — the dynamic caseUsing hash functions as a hedge against chosen ciphertext attacks. In Xxxxx XxxxXxxx Xxxxxxx, editor, Advances in Cryptology – EUROCRYPT ’2000, number 1807 in Lecture Notes in Computer Science, pages 275–288. International Association for Cryptologic Research, Springer-Verlag, Berlin Germany, 2000. [27] X. Xxxxx, X. Xxxxxxxxxxxx, X. Xxxxxx, and X. Xxxxxx. A secure audio teleconference system. In Advances in Cryptology – CRYPTO ’88, number 403 in Lecture Notes in Computer Science, pages 520–528, Santa Barbara, CA, USA, August 1988. LNCS 403. [28] X. Xxxxxxx, X. Xxxxxx, and X. Xxxxxxx. Cliques: A new approach to group key agreement. IEEE Transactions on Parallel and Distributed Systems, August 2000. [29] Xxx-Xxxx Xxxxx and Zhi-Xxx Xxxxx. Round-efficient conference-key agreement protocols with provable security. In Advances in Cryptology – ASIACRYPT ’20012000, Lecture Notes in Computer Science, Gold CoastKyoto, AustraliaJapan, 2001December 2000. International Association for Cryptologic Research, Springer-Verlag, Berlin Germany. [10] Xxxxxxxx Xxxxxxx, Xxxxxxx Xxxxxxxxx, Xxxxx Xxxxxxxxxxx, and Xxxx-Xxxxxxx Xxxxxxxxxx. Provably authenticated group xxxxxx-xxxxxxx key exchange. In Xxxxxxxxxx Xxxxxxxx, editor, 8th ACM Conference on Computer and Communications Security, Philadelphia, PA, USA, November 2001. ACM Press. [11] Xxxx Xxxxxxxxx and Xxx Xxxxxxx. A secure and efficient conference key distribution system. In X. Xx Xxxxxx, editor, Advances in Cryptology – EUROCRYPT ’94, number 950 in Lecture Notes in Computer Science. International Association for Cryptologic Research, Springer-Verlag, Berlin Germany, 1995. final version of proceedings. [1230] X. XxxxxxxXxxx, X. Xxxxxxxxx, X. Xxx, X. XxxxxxXxxxx, and X. XxxxxxxxXxx. The VersaKey frameworkSecure group communications using key graphs. In Proceedings of the ACM SIGCOMM ’98 conference on Applications, technologies, architectures, and protocols for computer communication, pages 68–79, 1998. Appeared in ACM SIGCOMM Computer Communication Review, Vol. 28, No. 4 (Oct. 1998). Xxxxxxx Xxx is an Assistant Professor in Department of Computer Science and Engineering and a member of Digital Technology Center (DTC) at the University of Minnesota, Twin Cities, Minneapolis, MN. He received his PhD degree from the Computer Science Department at University of Southern California (USC) in May 2002. From 1993 to 1998, he was a research staff at Electronics and Telecommunication Research Institute (ETRI), Korea. From January 2001 until July 2002, he was working as a research scientist at the University of California at Irvine. His acdemic interests include network security and cryptography. More information about his research is available at xxxx://xxx.xx.xxx.xxx/˜kyd. Xxxxxx Xxxxxx is an Assistant Professor in Electrical and Computer Engineering, Engineering and Public Policy, and Computer Science at Carnegie Mellon University. He earned his PhD in Computer Science from Carnegie Mellon University, and spent three years during his PhD at University of California at Berkeley. He received his BS in Computer Engineering from the Swiss Federal Institute of Technology in Lausanne (EPFL). Xxxxxx’s research interests revolve around building secure systems and include network security, security for sensor networks and mobile applications. More information about his research is available at: Versatile xxxx://xxx.xxx.xxx.xxx/˜xxxxxx. Xxxx Xxxxxx is a Professor in the Computer Science Department, at the University of California, Irvine. He has been active in the area of internetworking, network security and applied cryptography since 1987. He obtained a Ph.D. in Computer Science from USC in 1991; his dissertation focused on access control in internetworks. Before coming to UC Irvine in 2000, he was a Project Leader at IBM Research, Zurich Laboratory (1991-1996) and USC Information Science Institute (1996-2000). Over the years, his research interests included: internetwork routing, firewalls, authentication, mobile network security, secure e-commerce, anonymity, secure group communication, digital signatures, key management, ad hoc network routing, and, more recently, database privacy and secure storage. IEEE Journal on Selected Areas in Communications, 17(9Some of Xxxxxxxxx Xxxxxx’x notable research contributions include: Inter-Domain Policy Routing (IDPR), September 1999IBM Network Security Program (KryptoKnight), IBM Internet Keyed Payment (iKP) protocols, Peer Group Key Management (CLIQUES) and Mediated Cryptographic Services (SUCSES). [13] Xxxxx XxxxxXxxxxxxxx Xxxxxx has over 80 refereed publications and 7 patents. ZeroHe is currently serving as Associate Xxxx of Research and Graduate Studies in the School of Information and Computer Science at UCI. APPENDIX DECISIONAL IMBALANCED GROUP XXXXXX-knowledge undeniable signatures. In X.X. Xxxxxxx, editor, Advances in Cryptology – EUROCRYPT ’90, number 473 in Lecture Notes in Computer Science, pages 458–464. Springer-Verlag, Berlin Germany, May 1991.XXXXXXX PROBLEM

Xxxxxx and X. XxxxxxxxxXxxxxxx. KeyKey establishment in large dynamic groups using one-agreement in adway function trees. Manuscript, May 1998. [21] X. X. Xxxxxxx, X. X. xxx Xxxxxxxx, and X. X. Xxxxxxxx. Handbook of applied cryptography. CRC Press series on discrete mathematics and its applications. CRC Press, 1997. ISBN 0-hoc networks8493-8523-7. [22] X. Xxxxx, X. Xxxx, X. Xxxxxxx-Xxxxx, and X. Xxxxxxx. Extended virtual synchrony. In Nordsec’99IEEE International Conference on Distributed Computing Systems, pages 56–65, June 1994. [23] X. Xxxxxx. Effi cient collaborative key management protocols for secure autonomous group communication. In CrypTEC ’99, pages 192–202, 1999. [424] X. XxxxxxxxXxxxx, X. XxxxxxxXxxxxx, and X. Xxxxxx. Authenticated Group Key Agreement and Friends. In 5th ACM Conference on Computer and Communications Security, pages 17–26. ACM, November 1998. [5] X. Xxxxxx and X. Xxxxx. Communication complexity of Optimized rekey for group key distributioncommunication systems. In 5th ACM Conference Symposium on Computer Network and Communications SecurityDistributed Systems Security (NDSS ’00), November 1998pages 37–48, San Diego, CA, February 2000. Internet Society. [625] X. Xxxxxxx Xxxxxx Xxxxx. Lower bounds for discrete logarithms and X. Xxxxxxx. Random oracles are practical: A paradigm for designing efficient protocolsrelated problems. In 1st ACM Conference on Computer and Communications SecurityXxxxxx Xxxx, 1993. [7] Xxx Xxxxx. The Decision Xxxxxx-Xxxxxxx problem. In Third Algorithmic Number Theory Symposiumeditor, Advances in Cryptology – EUROCRYPT ’97, number 1423 1233 in Lecture Notes in Computer Science, pages 48–63256–266. International Association for Cryptologic Research, Springer-Verlag, Berlin Germany, 19981997. [826] Xxx Xxxxx and Xxxxx XxxxxxxxxxXxxxxx Xxxxx. Applications of multilinear forms to cryptography. To appear in Contemporary Mathematics, American Mathematical Society. [9] Xxxxxxxx Xxxxxxx, Xxxxxxx Xxxxxxxxx, and Xxxxx Xxxxxxxxxxx. Provably authenticated group Xxxxxx-Xxxxxxx key exchange — the dynamic caseUsing hash functions as a hedge against chosen ciphertext attacks. In Xxxxx XxxxXxxx Xxxxxxx, editor, Advances in Cryptology – EUROCRYPT ’2000, number 1807 in Lecture Notes in Computer Science, pages 275–288. International Association for Cryptologic Research, Springer-Verlag, Berlin Germany, 2000. [27] X. Xxxxx, X. Xxxxxxxxxxxx, X. Xxxxx e, and X. Xxxxxx. A secure audio teleconference system. In Advances in Cryptology – CRYPTO ’88, number 403 in Lecture Notes in Computer Science, pages 520–528, Santa Barbara, CA, USA, August 1988. LNCS 403. [28] X. Xxxxxxx, X. Xxxxxx, and X. Xxxxxxx. Cliques: A new approach to group key agreement. IEEE Transactions on Parallel and Distributed Systems, August 2000. [29] Xxx-Xxxx Xxxxx and Zhi-Xxx Xxxxx. Round-effi cient conference-key agreement protocols with provable security. In Advances in Cryptology – ASIACRYPT ’20012000, Lecture Notes in Computer Science, Gold CoastKyoto, AustraliaJapan, 2001December 2000. International Association for Cryptologic Research, Springer-Verlag, Berlin Germany. [10] Xxxxxxxx Xxxxxxx, Xxxxxxx Xxxxxxxxx, Xxxxx Xxxxxxxxxxx, and Xxxx-Xxxxxxx Xxxxxxxxxx. Provably authenticated group xxxxxx-xxxxxxx key exchange. In Xxxxxxxxxx Xxxxxxxx, editor, 8th ACM Conference on Computer and Communications Security, Philadelphia, PA, USA, November 2001. ACM Press. [11] Xxxx Xxxxxxxxx and Xxx Xxxxxxx. A secure and efficient conference key distribution system. In X. Xx Xxxxxx, editor, Advances in Cryptology – EUROCRYPT ’94, number 950 in Lecture Notes in Computer Science. International Association for Cryptologic Research, Springer-Verlag, Berlin Germany, 1995. final version of proceedings. [1230] X. XxxxxxxXxxx, X. Xxxxxxxxx, X. Xxx, X. XxxxxxXxxxx, and X. XxxxxxxxXxx. The VersaKey frameworkSecure group communications using key graphs. In Proceedings of the ACM SIGCOMM ’98 conference on Applications, technologies, architectures, and protocols for computer communication, pages 68–79, 1998. Appeared in ACM SIGCOMM Computer Communication Review, Vol. 28, No. 4 (Oct. 1998). Xxxxxxx Xxx is an Assistant Professor in Department of Computer Science and Engineering and a member of Digital Technology Center (DTC) at the University of Minnesota, Twin Cities, Minneapolis, MN. He received his PhD degree from the Computer Science Department at University of Southern California (USC) in May 2002. From 1993 to 1998, he was a research staff at Electronics and Telecommunication Research Institute (ETRI), Korea. From January 2001 until July 2002, he was working as a research scientist at the University of California at Irvine. His acdemic interests include network security and cryptography. More information about his research is available at xxxx://xxx.xx.xxx.xxx/˜kyd. Xxxxxx Xxxxxx is an Assistant Professor in Electrical and Computer Engineering, Engineering and Public Policy, and Computer Science at Carnegie Mellon University. He earned his PhD in Computer Science from Carnegie Mellon University, and spent three years during his PhD at University of California at Berkeley. He received his BS in Computer Engineering from the Swiss Federal Institute of Technology in Lausanne (EPFL). Xxxxxx’s research interests revolve around building secure systems and include network security, security for sensor networks and mobile applications. More information about his research is available at: Versatile xxxx://xxx.xxx.xxx.xxx/˜xxxxxx. Xxxx Xxxxxx is a Professor in the Computer Science Department, at the University of California, Irvine. He has been active in the area of internetworking, network security and applied cryptography since 1987. He obtained a Ph.D. in Computer Science from USC in 1991; his dissertation focused on access control in internetworks. Before coming to UC Irvine in 2000, he was a Project Leader at IBM Research, Zurich Laboratory (1991-1996) and USC Information Science Institute (1996-2000). Over the years, his research interests included: internetwork routing, fi rewalls, authentication, mobile network security, secure e-commerce, anonymity, secure group communication, digital signatures, key management, ad hoc network routing, and, more recently, database privacy and secure storage. IEEE Journal on Selected Areas in Communications, 17(9Some of Xxxxxxxxx Xxxxxx’x notable research contributions include: Inter-Domain Policy Routing (IDPR), September 1999IBM Network Security Program (KryptoKnight), IBM Internet Keyed Payment (iKP) protocols, Peer Group Key Management (CLIQUES) and Mediated Cryptographic Services (SUCSES). [13] Xxxxx XxxxxXxxxxxxxx Xxxxxx has over 80 refereed publications and 7 patents. ZeroHe is currently serving as Associate Xxxx of Research and Graduate Studies in the School of Information and Computer Science at UCI. APPENDIX DECISIONAL IMBALANCED GROUP XXXXXX-knowledge undeniable signatures. In X.X. Xxxxxxx, editor, Advances in Cryptology – EUROCRYPT ’90, number 473 in Lecture Notes in Computer Science, pages 458–464. Springer-Verlag, Berlin Germany, May 1991.XXXXXXX PROBLEM

Xxxxxx and X. XxxxxxxxxXxxxxxx. KeyKey establishment in large dynamic groups using one-agreement in adway function trees. Manuscript, May 1998. [21] X. X. Xxxxxxx, X. X. xxx Xxxxxxxx, and X. X. Xxxxxxxx. Handbook of applied cryptography. CRC Press series on discrete mathematics and its applications. CRC Press, 1997. ISBN 0-hoc networks8493-8523-7. [22] X. Xxxxx, X. Xxxx, X. Xxxxxxx-Xxxxx, and X. Xxxxxxx. Extended virtual synchrony. In Nordsec’99IEEE International Conference on Distributed Computing Systems, pages 56–65, June 1994. [23] X. Xxxxxx. Efficient collaborative key management protocols for secure autonomous group communication. In CrypTEC ’99, pages 192–202, 1999. [424] X. XxxxxxxxXxxxx, X. XxxxxxxXxxxxx, and X. Xxxxxx. Authenticated Group Key Agreement and Friends. In 5th ACM Conference on Computer and Communications Security, pages 17–26. ACM, November 1998. [5] X. Xxxxxx and X. Xxxxx. Communication complexity of Optimized rekey for group key distributioncommunication systems. In 5th ACM Conference Symposium on Computer Network and Communications SecurityDistributed Systems Security (NDSS ’00), November 1998pages 37–48, San Diego, CA, February 2000. Internet Society. [625] X. Xxxxxxx Xxxxxx Xxxxx. Lower bounds for discrete logarithms and X. Xxxxxxx. Random oracles are practical: A paradigm for designing efficient protocolsrelated problems. In 1st ACM Conference on Computer and Communications SecurityXxxxxx Xxxx, 1993. [7] Xxx Xxxxx. The Decision Xxxxxx-Xxxxxxx problem. In Third Algorithmic Number Theory Symposiumeditor, Advances in Cryptology – EUROCRYPT ’97, number 1423 1233 in Lecture Notes in Computer Science, pages 48–63256–266. International Association for Cryptologic Research, Springer-Verlag, Berlin Germany, 19981997. [826] Xxx Xxxxx and Xxxxx XxxxxxxxxxXxxxxx Xxxxx. Applications of multilinear forms to cryptography. To appear in Contemporary Mathematics, American Mathematical Society. [9] Xxxxxxxx Xxxxxxx, Xxxxxxx Xxxxxxxxx, and Xxxxx Xxxxxxxxxxx. Provably authenticated group Xxxxxx-Xxxxxxx key exchange — the dynamic caseUsing hash functions as a hedge against chosen ciphertext attacks. In Xxxxx XxxxXxxx Xxxxxxx, editor, Advances in Cryptology – EUROCRYPT ’2000, number 1807 in Lecture Notes in Computer Science, pages 275–288. International Association for Cryptologic Research, Springer-Verlag, Berlin Germany, 2000. [27] X. Xxxxx, X. Xxxxxxxxxxxx, X. Xxxxxx, and X. Xxxxxx. A secure audio teleconference system. In Advances in Cryptology – CRYPTO ’88, number 403 in Lecture Notes in Computer Science, pages 520–528, Santa Barbara, CA, USA, August 1988. LNCS 403. [28] X. Xxxxxxx, X. Xxxxxx, and X. Xxxxxxx. Cliques: A new approach to group key agreement. IEEE Transactions on Parallel and Distributed Systems, August 2000. [29] Xxx-Xxxx Xxxxx and Zhi-Xxx Xxxxx. Round-efficient conference-key agreement protocols with provable security. In Advances in Cryptology – ASIACRYPT ’20012000, Lecture Notes in Computer Science, Gold CoastKyoto, AustraliaJapan, 2001December 2000. International Association for Cryptologic Research, Springer-Verlag, Berlin Germany. [10] Xxxxxxxx Xxxxxxx, Xxxxxxx Xxxxxxxxx, Xxxxx Xxxxxxxxxxx, and Xxxx-Xxxxxxx Xxxxxxxxxx. Provably authenticated group xxxxxx-xxxxxxx key exchange. In Xxxxxxxxxx Xxxxxxxx, editor, 8th ACM Conference on Computer and Communications Security, Philadelphia, PA, USA, November 2001. ACM Press. [11] Xxxx Xxxxxxxxx and Xxx Xxxxxxx. A secure and efficient conference key distribution system. In X. Xx Xxxxxx, editor, Advances in Cryptology – EUROCRYPT ’94, number 950 in Lecture Notes in Computer Science. International Association for Cryptologic Research, Springer-Verlag, Berlin Germany, 1995. final version of proceedings. [1230] X. XxxxxxxXxxx, X. Xxxxxxxxx, X. Xxx, X. XxxxxxXxxxx, and X. XxxxxxxxXxx. The VersaKey frameworkSecure group communications using key graphs. In Proceedings of the ACM SIGCOMM ’98 conference on Applications, technologies, architectures, and protocols for computer communication, pages 68–79, 1998. Appeared in ACM SIGCOMM Computer Communication Review, Vol. 28, No. 4 (Oct. 1998). Xxxxxxx Xxx is an Assistant Professor in Department of Computer Science and Engineering and a member of Digital Technology Center (DTC) at the University of Minnesota, Twin Cities, Minneapolis, MN. He received his PhD degree from the Computer Science Department at University of Southern California (USC) in May 2002. From 1993 to 1998, he was a research staff at Electronics and Telecommunication Research Institute (ETRI), Korea. From January 2001 until July 2002, he was working as a research scientist at the University of California at Irvine. His acdemic interests include network security and cryptography. More information about his research is available at xxxx://xxx.xx.xxx.xxx/˜kyd. Xxxxxx Xxxxxx is an Assistant Professor in Electrical and Computer Engineering, Engineering and Public Policy, and Computer Science at Carnegie Mellon University. He earned his PhD in Computer Science from Carnegie Mellon University, and spent three years during his PhD at University of California at Berkeley. He received his BS in Computer Engineering from the Swiss Federal Institute of Technology in Lausanne (EPFL). Xxxxxx’s research interests revolve around building secure systems and include network security, security for sensor networks and mobile applications. More information about his research is available at: Versatile xxxx://xxx.xxx.xxx.xxx/˜xxxxxx. Xxxx Xxxxxx is a Professor in the Computer Science Department, at the University of California, Irvine. He has been active in the area of internetworking, network security and applied cryptography since 1987. He obtained a Ph.D. in Computer Science from USC in 1991; his dissertation focused on access control in internetworks. Before coming to UC Irvine in 2000, he was a Project Leader at IBM Research, Zurich Laboratory (1991-1996) and USC Information Science Institute (1996-2000). Over the years, his research interests included: internetwork routing, firewalls, authentication, mobile network security, secure e-commerce, anonymity, secure group communication, digital signatures, key management, ad hoc network routing, and, more recently, database privacy and secure storage. IEEE Journal on Selected Areas in Communications, 17(9Some of Xxxxxxxxx Xxxxxx’x notable research contributions include: Inter-Domain Policy Routing (IDPR), September 1999IBM Network Security Program (KryptoKnight), IBM Internet Keyed Payment (iKP) protocols, Peer Group Key Management (CLIQUES) and Mediated Cryptographic Services (SUCSES). [13] Xxxxx XxxxxXxxxxxxxx Xxxxxx has over 80 refereed publications and 7 patents. ZeroHe is currently serving as Associate Xxxx of Research and Graduate Studies in the School of Information and Computer Science at UCI. Appendix Decisional Imbalanced Group Xxxxxx-knowledge undeniable signatures. In X.X. Xxxxxxx, editor, Advances in Cryptology – EUROCRYPT ’90, number 473 in Lecture Notes in Computer Science, pages 458–464. Springer-Verlag, Berlin Germany, May 1991.Xxxxxxx Problem

Xxxxxx and X. XxxxxxxxxXxxxxxx. KeyKey establishment in large dynamic groups using one-agreement in adway function trees. Manuscript, May 1998. [21] X. X. Xxxxxxx, X. X. xxx Xxxxxxxx, and X. X. Xxxxxxxx. Handbook of applied cryptography. CRC Press series on discrete mathematics and its applications. CRC Press, 1997. ISBN 0-hoc networks8493-8523-7. [22] X. Xxxxx, X. Xxxx, X. Xxxxxxx-Xxxxx, and X. Xxxxxxx. Extended virtual synchrony. In Nordsec’99IEEE International Conference on Distributed Computing Systems, pages 56–65, June 1994. [23] X. Xxxxxx. Efficient collaborative key management protocols for secure autonomous group communication. In CrypTEC ’99, pages 192–202, 1999. [424] X. XxxxxxxxXxxxx, X. XxxxxxxXxxxxx, and X. Xxxxxx. Authenticated Group Key Agreement and Friends. In 5th ACM Conference on Computer and Communications Security, pages 17–26. ACM, November 1998. [5] X. Xxxxxx and X. Xxxxx. Communication complexity of Optimized rekey for group key distributioncommunication systems. In 5th ACM Conference Symposium on Computer Network and Communications SecurityDistributed Systems Security (NDSS ’00), November 1998pages 37–48, San Diego, CA, February 2000. Internet Society. [625] X. Xxxxxxx Xxxxxx Xxxxx. Lower bounds for discrete logarithms and X. Xxxxxxx. Random oracles are practical: A paradigm for designing efficient protocolsrelated problems. In 1st ACM Conference on Computer and Communications SecurityXxxxxx Xxxx, 1993. [7] Xxx Xxxxx. The Decision Xxxxxx-Xxxxxxx problem. In Third Algorithmic Number Theory Symposiumeditor, Advances in Cryptology – EUROCRYPT ’97, number 1423 1233 in Lecture Notes in Computer Science, pages 48–63256–266. International Association for Cryptologic Research, Springer-Verlag, Berlin Germany, 19981997. [826] Xxx Xxxxx and Xxxxx XxxxxxxxxxXxxxxx Xxxxx. Applications of multilinear forms to cryptography. To appear in Contemporary Mathematics, American Mathematical Society. [9] Xxxxxxxx Xxxxxxx, Xxxxxxx Xxxxxxxxx, and Xxxxx Xxxxxxxxxxx. Provably authenticated group Xxxxxx-Xxxxxxx key exchange — the dynamic caseUsing hash functions as a hedge against chosen ciphertext attacks. In Xxxxx XxxxXxxx Xxxxxxx, editor, Advances in Cryptology – EUROCRYPT ’2000, number 1807 in Lecture Notes in Computer Science, pages 275–288. International Association for Cryptologic Research, Springer-Verlag, Berlin Germany, 2000. [27] X. Xxxxx, X. Xxxxxxxxxxxx, X. Diffie, and X. Xxxxxx. A secure audio teleconference system. In Advances in Cryptology – CRYPTO ’88, number 403 in Lecture Notes in Computer Science, pages 520–528, Santa Barbara, CA, USA, August 1988. LNCS 403. [28] X. Xxxxxxx, X. Xxxxxx, and X. Xxxxxxx. Cliques: A new approach to group key agreement. IEEE Transactions on Parallel and Distributed Systems, August 2000. [29] Xxx-Xxxx Xxxxx and Zhi-Xxx Xxxxx. Round-efficient conference-key agreement protocols with provable security. In Advances in Cryptology – ASIACRYPT ’20012000, Lecture Notes in Computer Science, Gold CoastKyoto, AustraliaJapan, 2001December 2000. International Association for Cryptologic Research, Springer-Verlag, Berlin Germany. [10] Xxxxxxxx Xxxxxxx, Xxxxxxx Xxxxxxxxx, Xxxxx Xxxxxxxxxxx, and Xxxx-Xxxxxxx Xxxxxxxxxx. Provably authenticated group xxxxxx-xxxxxxx key exchange. In Xxxxxxxxxx Xxxxxxxx, editor, 8th ACM Conference on Computer and Communications Security, Philadelphia, PA, USA, November 2001. ACM Press. [11] Xxxx Xxxxxxxxx and Xxx Xxxxxxx. A secure and efficient conference key distribution system. In X. Xx Xxxxxx, editor, Advances in Cryptology – EUROCRYPT ’94, number 950 in Lecture Notes in Computer Science. International Association for Cryptologic Research, Springer-Verlag, Berlin Germany, 1995. final version of proceedings. [1230] X. XxxxxxxXxxx, X. Xxxxxxxxx, X. Xxx, X. XxxxxxXxxxx, and X. XxxxxxxxXxx. Secure group communications using key graphs. In Proceedings of the ACM SIGCOMM ’98 conference on Applications, technologies, architectures, and protocols for computer communication, pages 68–79, 1998. Appeared in ACM SIGCOMM Computer Communication Review, Vol. 28, No. 4 (Oct. 1998). Xxxxxxx Xxx is an Assistant Professor in Department of Computer Science and Engineering and a member of Digital Technology Center (DTC) at the University of Minnesota, Twin Cities, Minneapolis, MN. He received his PhD degree from the Computer Science Department at University of Southern California (USC) in May 2002. From 1993 to 1998, he was a research staff at Electronics and Telecommunication Research Institute (ETRI), Korea. From January 2001 until July 2002, he was working as a research scientist at the University of California at Irvine. His acdemic interests include network security and cryptography. More information about his research is available at xxxx://xxx.xx.xxx.xxx/˜kyd. Xxxxxx Xxxxxx is an Assistant Professor in Electrical and Computer Engineering, Engineering and Public Policy, and Computer Science at Carnegie Mellon University. He earned his PhD in Computer Science from Carnegie Mellon University, and spent three years during his PhD at University of California at Berkeley. He received his BS in Computer Engineering from the Swiss Federal Institute of Technology in Lausanne (EPFL). Xxxxxx’s research interests revolve around building secure systems and include network security, security for sensor networks and mobile applications. More information about his research is available at: xxxx://xxx.xxx.xxx.xxx/˜xxxxxx. Xxxx Xxxxxx is a Professor in the Computer Science Department, at the University of California, Irvine. He has been active in the area of internetworking, network security and applied cryptography since 1987. He obtained a Ph.D. in Computer Science from USC in 1991; his dissertation focused on access control in internetworks. Before coming to UC Irvine in 2000, he was a Project Leader at IBM Research, Zurich Laboratory (1991-1996) and USC Information Science Institute (1996-2000). Over the years, his research interests included: internetwork routing, firewalls, authentication, mobile network security, secure e-commerce, anonymity, secure group communication, digital signatures, key management, ad hoc network routing, and, more recently, database privacy and secure storage. Some of Xxxxxxxxx Xxxxxx’x notable research contributions include: Inter-Domain Policy Routing (IDPR), IBM Network Security Program (KryptoKnight), IBM Internet Keyed Payment (iKP) protocols, Peer Group Key Management (CLIQUES) and Mediated Cryptographic Services (SUCSES). Xxxxxxxxx Xxxxxx has over 80 refereed publications and 7 patents. He is currently serving as Associate Xxxx of Research and Graduate Studies in the School of Information and Computer Science at UCI. Appendix Decisional Imbalanced Group Xxxxxx-Xxxxxxx Problem A. 2-party Decision Xxxxxx-Xxxxxxx Problem Our proofs require a specific group setting. In this section, we introduce a specific group (G) and define the 2-party Decision Xxxxxx-Xxxxxxx (DDH) problem on G. Let k be a security parameter and n be an integer. All algorithm run in probabilistic polynomial time with k and n as inputs. For concreteness, we consider a specific group G: On input k, algorithm gen chooses at random a pair (q, α) where q is a 2k-bit value7, and q and p = 2q + 1 are both prime. Before introducing G, we first consider a group G^, which ^ ^ ^ is a group of squares modulo prime p. This group can be described more precisely as follows: Consider an element α which is a square of a primitive element α of multiplicative group Z∗p, i.e. α = α2. (Without loss of generality, we may assume α < q.) Then group G can be represented as ^ G = αi mod p | i ∈ [1, q]} . An attractive variation of this group is to represent the elements by the integers from 0 to q − 1. 7In order to achieve the security level 2−k, the group size should be at least 22k [25]. The VersaKey frameworkgroup operation is slightly different: Versatile Let a function f be defined as   f (x) = x if x ≤ q p − x if q < x < p. Using this f function, we can introduce the group key managementG as G = f (αi mod p) | i ∈ Zq} . IEEE Journal Group operation on Selected Areas in Communications, 17(9group G is defined as a · b = f (a · b (mod p)), September 1999. [13] Xxxxx Xxxxx. Zero-knowledge undeniable signatures. In X.X. Xxxxxxxwhere a, editor, Advances in Cryptology – EUROCRYPT ’90, number 473 in Lecture Notes in Computer Science, pages 458–464. Springer-Verlag, Berlin Germany, May 1991.b ∈ G.