Common use of Related Work Clause in Contracts

Related Work. The original idea of extending the 2-party Xxxxxx-Xxxxxxx scheme [17] to the multi-party setting dates back to the classical paper of Xxxxxxxxxxx et al. [21], and is followed by many works [27, 16, 22, 4, 23, 3, 29, 30, 24] offering various levels of complexity. However, regardless of whether they explicitly deal with the case where group membership is dynamic, all these approaches simply assume a passive adversary, or only provide an informal/non-standard security analysis for an active adversary. As a result, some of these protocols [3, 30] have been found to be flawed in [26] and [10], respectively. Research on provably-secure group key agreement in a formal security model is fairly new. It is only recently that Xxxxxxx et al. [15, 12, 13] have presented the first group key agreement protocols proven secure in a well-defined security model which extends earlier work of Bellare et al. [6, 8, 5] to the multi-party setting. The initial work [15] assumes that group membership is static, whereas later works [12, 13] focus on the dynamic case. But one drawback of their scheme is that in case of initial key agreement, its round complexity is linear in the number of group members. Moreover, the simultaneous joining of multiple users also takes a linear number of rounds with respect to the number of new members. Consequently, as the group size grows large, this scheme becomes impractical particularly in a wide area network environment where the delays associated with communication are expected to dominate the cost for group key agreement. More recently, Xxxx and Xxxx [25] have proposed the first constant-round protocol for group key agreement that has been proven secure against an active adversary; the protocol requires three rounds of communication and achieves provable security under the Decisional Xxxxxx-Xxxxxxx assumption in the standard model. Specifically, they provide a formal proof of security for the two-round protocol of Xxxxxxxxx and Xxxxxxx [16], and introduce a one- round compiler that transforms any group key exchange protocol secure against a passive adversary into one that is secure against an active adversary with powerful capabilities. In this protocol all group members behave in a completely symmetric manner; in a group of size n, each member sends one broadcast message per round, and computes three modular exponentiations, O(n log n) modular multiplications, and O(n) signature verifications. While the protocol is very efficient in general, this full symmetry negatively impacts the protocol performance in a scenario similar to our setting; the communication overhead is significant with three rounds of n broadcasts, and furthermore, the protocol has to restart from scratch in the presence of any membership change. In [10] Xxxx and Xxxxx have introduced a one-round group key agreement protocol which is provably secure in the random oracle model [7]. This protocol is computationally asymmetric and thus, as is the case with other asymmetric protocols [29, 24, 12, 13], appears to be easily extended to address the dynamic case. But unfortunately, this protocol does not achieve forward secrecy even if its round complexity is optimal. Thus it still remains an open problem to find a forward-secure group key exchange scheme running in a single round. Most recently, Xxxxxxx and Xxxxxxxx [11] have presented another provably-secure protocol Table 1: Complexity comparison among group key agreement schemes that achieve both provable security and forward secrecy Communication Computation Rounds Messages Unicasts Broadcasts Exp. Ver. [12] IKA n1) n n − 1 1 O(n2) O(n) Join j + 1 j + 1 j2) 1 O(jn) O(n) Leave 1 1 1 O(n) O(n) [25] 3 3n 3n O(n) + O(n2 log n)3) O(n2) Here IKA 2 n n − 1 1 O(n)4) O(n) Join 2 j + 1 j 1 O(n)4) O(n) Leave 1 1 1 O(n)4) O(n) IKA: Initial Key Agreement, Exp: Modular Exponentiation, Ver: Signature Verification

Related Work. The original idea of extending the 2-party Xxxxxx-Xxxxxxx scheme [1715] to the multi-party setting dates back to the classical paper of Xxxxxxxxxxx Ingemarsson et al. [2119], and is followed by many works [2725, 1613, 22, 4, 2320, 3, 2921, 3026, 2422] offering various levels of complexity. However, regardless of whether they explicitly deal with the case where group membership is dynamic, all these approaches simply assume a passive adversary, or only provide an informal/non-standard security analysis for an active adversary. As a result, some of these protocols [3, 30] have been found to be flawed in [26] and [10], respectively. Research research on provably-secure group key agreement in a formal security model concrete, realistic setting is fairly new. It is only recently that Xxxxxxx Bresson et al. [15, 12, 138, 9] have presented the first group key agreement protocols proven secure in a well-defined security model which extends builds on earlier work model of Bellare Xxxxxxx et al. [6, 8, 5] to the multi-party setting4]. The initial work [1512] assumes that group membership is static, whereas later works [128, 139] focus on the dynamic casecase which we do not deal with here. But one drawback of their scheme is that in case of initial key agreement, its round complexity is linear in the number of group members. Moreover, the simultaneous joining of multiple users also takes a linear number of rounds with respect to the number of new members. Consequently, as the group size grows large, this scheme becomes impractical particularly in a wide area network environment where the delays associated with high communication are expected to dominate the cost for group key agreementlatency. More recently, Xxxx and Xxxx Yung [2523] have proposed the first constant-round protocol for group key agreement protocol that has been proven secure against an active adversary; the protocol requires three rounds of communication and achieves provable security under the Decisional Xxxxxx-Xxxxxxx assumption in the standard modelsecurity model of Bresson et al. Specifically, they [12]. They provide a formal proof of security for the two-round protocol of Xxxxxxxxx and Xxxxxxx [1613], and introduce a one- one-round compiler that transforms any group key exchange agree- ment protocol secure against a passive adversary into one that is secure against an active adversary with powerful capabilitiesadversary. In this protocol all group members behave in a completely symmetric manner; in a group of size n, each member sends one broadcast message per round, and computes three modular exponentiations, O(n log n) modular multiplications, and O(n) signature verificationsverifica- tions, and two signature generations. While the this protocol is very efficient in general, this the full symmetry negatively impacts on the overall performance of the protocol performance in a scenario similar to our asymmetric setting; the communication overhead computational cost of a mobile host is significant with three in a large group, due to the number of modular multiplications and signature verifications. Most recently, Bresson and Xxxxxxxx [7] have introduced another fully-symmetric proto- col which requires two rounds of n broadcastscommunication. Interestingly, and furthermoreunlike previous approaches, they construct the protocol by combining the properties of the ElGamal encryption scheme [17] with standard secret sharing techniques [24]. However, with increasing number of par- ticipants, the complexity of the protocol has to restart from scratch in becomes beyond the presence capabilities of any membership changea small mobile device. In [10] The protocol presented by Xxxx and Xxxxx have introduced [6] completes in only a one-single round group key agreement protocol which of communication and is provably secure in the random oracle model [75]. This protocol is computationally asymmetric and thus, as is the case with other asymmetric protocols [29, 24, 12, 13], appears to be easily extended to address the dynamic case. But unfortunately, this protocol does not achieve forward secrecy even if its round complexity is optimal. Thus it still remains an open problem to find a forwardone-secure group key exchange scheme running in a single round. Most recently, Xxxxxxx and Xxxxxxxx [11] have presented another provably-secure protocol Table 1: Complexity comparison among round group key agreement schemes protocol providing forward secrecy. Another constant-round protocol that does not achieve both provable security and (perfect) forward secrecy Communication Computation Rounds Messages Unicasts Broadcasts Exphas been shown in [11]. VerThis protocol runs in two rounds of communication and is provably secure in the random oracle model. In common with our protocol, these protocols [126, 11] IKA n1) n n − 1 1 O(n2) are computationally asymmetric; one distinct member performs O(n) Join j + 1 j + 1 j2) 1 O(jn) O(n) Leave 1 1 1 O(n) O(n) [25] 3 3n 3n O(n) + O(n2 log n)3) O(n2) Here IKA 2 n n − 1 1 O(n)4) O(n) Join 2 j + 1 j 1 O(n)4) O(n) Leave 1 1 1 O(n)4) O(n) IKA: Initial Key Agreement, Exp: Modular Exponentiation, Ver: Signature Verificationcomputations whereas the other members perform only a constant amount of computation.

Related Work. The original idea of extending the 2-party Xxxxxx-Xxxxxxx scheme [1715] to the multi-party setting dates back to the classical paper of Xxxxxxxxxxx et al. [2119], and is followed by many works [2725, 1613, 22, 4, 2320, 3, 2921, 3026, 2422] offering various levels of complexity. However, regardless of whether they explicitly deal with the case where group membership is dynamic, all these approaches simply assume a passive adversary, or only provide an informal/non-standard security analysis for an active adversary. As a result, some of these protocols [3, 30] have been found to be flawed in [26] and [10], respectively. Research research on provably-secure group key agreement in a formal security model concrete, realistic setting is fairly new. It is only recently that Xxxxxxx et al. [15, 12, 138, 9] have presented the first group key agreement protocols proven secure in a well-defined security model which extends builds on earlier work model of Bellare et al. [6, 8, 5] to the multi-party setting4]. The initial work [1512] assumes that group membership is static, whereas later works [128, 139] focus on the dynamic casecase which we do not deal with here. But one drawback of their scheme is that in case of initial key agreement, its round complexity is linear in the number of group members. Moreover, the simultaneous joining of multiple users also takes a linear number of rounds with respect to the number of new members. Consequently, as the group size grows large, this scheme becomes impractical particularly in a wide area network environment where the delays associated with high communication are expected to dominate the cost for group key agreementlatency. More recently, Xxxx and Xxxx [2523] have proposed the first constant-round protocol for group key agreement protocol that has been proven secure against an active adversary; the protocol requires three rounds of communication and achieves provable security under the Decisional Xxxxxx-Xxxxxxx assumption in the standard modelsecurity model of Xxxxxxx et al. Specifically, they [12]. They provide a formal proof of security for the two-round protocol of Xxxxxxxxx and Xxxxxxx [1613], and introduce a one- one-round compiler that transforms any group key exchange agree- ment protocol secure against a passive adversary into one that is secure against an active adversary with powerful capabilitiesadversary. In this protocol all group members behave in a completely symmetric manner; in a group of size n, each member sends one broadcast message per round, and computes three modular exponentiations, O(n log n) modular multiplications, and O(n) signature verificationsverifica- tions, and two signature generations. While the this protocol is very efficient in general, this the full symmetry negatively impacts on the overall performance of the protocol performance in a scenario similar to our asymmetric setting; the communication overhead computational cost of a mobile host is significant with three in a large group, due to the number of modular multiplications and signature verifications. Most recently, Xxxxxxx and Xxxxxxxx [7] have introduced another fully-symmetric proto- col which requires two rounds of n broadcastscommunication. Interestingly, and furthermoreunlike previous approaches, they construct the protocol by combining the properties of the ElGamal encryption scheme [17] with standard secret sharing techniques [24]. However, with increasing number of par- ticipants, the complexity of the protocol has to restart from scratch in becomes beyond the presence capabilities of any membership changea small mobile device. In [10] The protocol presented by Xxxx and Xxxxx have introduced [6] completes in only a one-single round group key agreement protocol which of communication and is provably secure in the random oracle model [75]. This protocol is computationally asymmetric and thus, as is the case with other asymmetric protocols [29, 24, 12, 13], appears to be easily extended to address the dynamic case. But unfortunately, this protocol does not achieve forward secrecy even if its round complexity is optimal. Thus it still remains an open problem to find a forwardone-secure group key exchange scheme running in a single round. Most recently, Xxxxxxx and Xxxxxxxx [11] have presented another provably-secure protocol Table 1: Complexity comparison among round group key agreement schemes protocol providing forward secrecy. Another constant-round protocol that does not achieve both provable security and (perfect) forward secrecy Communication Computation Rounds Messages Unicasts Broadcasts Exphas been shown in [11]. VerThis protocol runs in two rounds of communication and is provably secure in the random oracle model. In common with our protocol, these protocols [126, 11] IKA n1) n n − 1 1 O(n2) are computationally asymmetric; one distinct member performs O(n) Join j + 1 j + 1 j2) 1 O(jn) O(n) Leave 1 1 1 O(n) O(n) [25] 3 3n 3n O(n) + O(n2 log n)3) O(n2) Here IKA 2 n n − 1 1 O(n)4) O(n) Join 2 j + 1 j 1 O(n)4) O(n) Leave 1 1 1 O(n)4) O(n) IKA: Initial Key Agreement, Exp: Modular Exponentiation, Ver: Signature Verificationcomputations whereas the other members perform only a constant amount of computation.

Related Work. The original idea of extending the 2-party Xxxxxx-Xxxxxxx scheme [1715] to the multi-party setting dates back to the classical paper of Xxxxxxxxxxx et al. [2119], and is followed by many works [2725, 1613, 22, 4, 2320, 3, 2921, 3026, 2422] offering various levels of complexity. However, regardless of whether they explicitly deal with the case where group membership is dynamic, all these approaches simply assume a passive adversary, or only provide an informal/non-standard security analysis for an active adversary. As a result, some of these protocols [3, 30] have been found to be flawed in [26] and [10], respectively. Research research on provably-secure group key agreement in a formal security model concrete, realistic setting is fairly new. It is only recently that Xxxxxxx et al. [15, 12, 138, 9] have presented the first group key agreement protocols proven secure in a well-defined security model which extends builds on earlier work model of Bellare Xxxxxxx et al. [6, 8, 5] to the multi-party setting4]. The initial work [1512] assumes that group membership is static, whereas later works [128, 139] focus on the dynamic casecase which we do not deal with here. But one drawback of their scheme is that in case of initial key agreement, its round complexity is linear in the number of group members. Moreover, the simultaneous joining of multiple users also takes a linear number of rounds with respect to the number of new members. Consequently, as the group size grows large, this scheme becomes impractical particularly in a wide area network environment where the delays associated with high communication are expected to dominate the cost for group key agreementlatency. More recently, Xxxx and Xxxx [2523] have proposed the first constant-round protocol for group key agreement protocol that has been proven secure against an active adversary; the protocol requires three rounds of communication and achieves provable security under the Decisional Xxxxxx-Xxxxxxx assumption in the standard modelsecurity model of Xxxxxxx et al. Specifically, they [12]. They provide a formal proof of security for the two-round protocol of Xxxxxxxxx and Xxxxxxx [1613], and introduce a one- one-round compiler that transforms any group key exchange agree- ment protocol secure against a passive adversary into one that is secure against an active adversary with powerful capabilitiesadversary. In this protocol all group members behave in a completely symmetric manner; in a group of size n, each member sends one broadcast message per round, and computes three modular exponentiations, O(n log n) modular multiplications, and O(n) signature verificationsverifica- tions, and two signature generations. While the this protocol is very efficient in general, this the full symmetry negatively impacts on the overall performance of the protocol performance in a scenario similar to our asymmetric setting; the communication overhead computational cost of a mobile host is significant with three in a large group, due to the number of modular multiplications and signature verifications. Most recently, Xxxxxxx and Xxxxxxxx [7] have introduced another fully-symmetric proto- col which requires two rounds of n broadcastscommunication. Interestingly, and furthermoreunlike previous approaches, they construct the protocol by combining the properties of the ElGamal encryption scheme [17] with standard secret sharing techniques [24]. However, with increasing number of par- ticipants, the complexity of the protocol has to restart from scratch in becomes beyond the presence capabilities of any membership changea small mobile device. In [10] The protocol presented by Xxxx and Xxxxx have introduced [6] completes in only a one-single round group key agreement protocol which of communication and is provably secure in the random oracle model [75]. This protocol is computationally asymmetric and thus, as is the case with other asymmetric protocols [29, 24, 12, 13], appears to be easily extended to address the dynamic case. But unfortunately, this protocol does not achieve forward secrecy even if its round complexity is optimal. Thus it still remains an open problem to find a forwardone-secure group key exchange scheme running in a single round. Most recently, Xxxxxxx and Xxxxxxxx [11] have presented another provably-secure protocol Table 1: Complexity comparison among round group key agreement schemes protocol providing forward secrecy. Another constant-round protocol that does not achieve both provable security and (perfect) forward secrecy Communication Computation Rounds Messages Unicasts Broadcasts Exphas been shown in [11]. VerThis protocol runs in two rounds of communication and is provably secure in the random oracle model. In common with our protocol, these protocols [126, 11] IKA n1) n n − 1 1 O(n2) are computationally asymmetric; one distinct member performs O(n) Join j + 1 j + 1 j2) 1 O(jn) O(n) Leave 1 1 1 O(n) O(n) [25] 3 3n 3n O(n) + O(n2 log n)3) O(n2) Here IKA 2 n n − 1 1 O(n)4) O(n) Join 2 j + 1 j 1 O(n)4) O(n) Leave 1 1 1 O(n)4) O(n) IKA: Initial Key Agreement, Exp: Modular Exponentiation, Ver: Signature Verificationcomputations whereas the other members perform only a constant amount of computation.