When a group of people wants to communicate securely over an open network, they run a conference-key protocol to establish a common conference key K such that all their communications thereafter are encrypted with the key K. In this paper we propose a practical and provably secure fault-tolerant conference-key agreement protocol under the authenticated broadcast channel model. The adversary that attacks our protocol can be either active or passive. An active adversary (a malicious participant) tries to disrupt the establishment of a common conference key among the honest participants, while a passive adversary tries to learn the conference key by listening to the participants' communication. We show that a passive adversary gets no information (zero knowledge) about the conference key established by the honest participants under the assumption of a variant of the Diffie-Hellman decision problem. We also show that the honest participants can agree on a common conference key no matter how many participants are malicious.