Common use of Implementation Issues Clause in Contracts

Implementation Issues. We will consider a given period T . To simplify, this period will be used both by the group leader and by the member of the group as a period to send their GKA messages. ≥ − A node can be in one of the following two states : member state or group leader state. A node in a member state will enter the process to become a group leader if it has not received an IGROUP message for a duration kT . A node which has not received any message from a group leader for a duration kT with k 2 will suppose that there is no group leader and starts the procedure to become a leader. Since a node may not have received a packet of the group leader because this packet has been lost, k must be selected so that the probability that k 1 successive transmissions of a GKA message are lost is small. Then, to become a group leader, the node selects a random integer ir between 1 and a given number l (backoff window size) and initializes a timer at irtrtd, where trtd is a predefined duration computed to be at least the round trip delay of a message throughout the ad hoc network. With such a figure for trtd we can be sure that if two nodes draw different integers ir and irr , the node having selected the larger integer will receive the IGROUP message of the other node and then will stop its election process. The backoff window size l must be chosen with respect to the total number of nodes in the network so that the probability of two nodes choosing the same integer is small. This back-off procedure is performed to avoid possibly multiple group leader candidates, for instance, when a group is set up or split into two subgroups. When the node in the member state sends its first IGROUP message, it is in the group leader xxxxx.Xx the group leader state, a node must collect IREPLY messages and form the related IGROUP message. When there is a change in the group (arrival or withdrawal) the group leader must change its contribution. Additionally, irrespective of the modification of the composition of the group, the group leader must change its contribution periodically, to maintain the security of the session key. When a group leader is elected, it may choose to wait additional periods before sending an IGROUP containing the contributions of the group members. In doing so, the group leader may avoid unnecessary changes to the session key due to not having received all the contributions in time. In the group leader state, a node will also look out for IGROUP messages from another group leader. If it receives such a message from another group leader holding a smaller node index, the node changes its state to the member state. In the member state, a node will have to send IREPLY messages periodically. Like the group leader, a group member must change its contribution periodically with a period P see figure

Implementation Issues. We will consider a given period T . To simplify, this period will be used both by the group leader and or by the member of the group as a period to send their GKA messages. ≥ − A node can be in one of the following two states : member state or group leader state. A node in a member state will enter the process to become a group leader if it has not received an IGROUP message for a duration kT . A node which has not received any message from a group leader for a duration kT with k 2 will suppose that there is no group leader and starts the procedure to become a leader. Since a node may not have received a packet of the group leader because this packet has been lost, k must be selected so that the probability that k 1 successive transmissions of a GKA message are lost is small. Then, to To become a group leader, the node selects a random integer ir between 1 and a given number l (backoff window size) and initializes a timer at irtrtd, where . trtd is a predefined duration computed to be at least the round trip delay of a message throughout the ad hoc network. With such a figure for trtd we can be sure that if two nodes draw different integers ir and irr , the node having selected the larger integer will receive the IGROUP message of the other node and then will stop its election process. The backoff window size l must be chosen with respect to the total number of nodes in the network so that the probability of that two nodes choosing choose the same integer is small. This back-off procedure is performed to avoid possibly multiple group leader candidates, for instance, when a group is set up or split into two subgroups. Figure 1: Transition between the member and the leader state When the node in the state member state sends its first IGROUP message, it is in the group leader xxxxx.Xx state, see Figure 1. In the group leader state, a node must collect IREPLY messages and form the related IGROUP message. When there is a change in the group (arrival or withdrawal) the group leader must change its contribution. Additionally, Additionally irrespective of the modification of the composition of the group, the group leader must change its contribution periodically, to maintain the security of the session key. When a group leader is elected, it the latter may choose to wait additional periods before sending an a IGROUP containing the contributions of the group members. In doing Doing so, the group leader may avoid unnecessary changes to the session key due to not having received the lack of receipt of all the contributions in time. In the group leader state, a node will also look out for IGROUP messages from another group leader. If it receives such a message from another group leader holding a smaller node index, the node changes its state to the member state. In the group member state, a node will have to send IREPLY messages periodically. Like the group leader, a group member must change its contribution periodically with a period P . We will assume that P is a large multiple of T . To simplify the procedure and to avoid unnecessary computations we can assume that the group leader does not instantly include a new contribution of a group member in the IGROUP message, instead it will wait for the change of its own contribution to take into account all new contributions of nodes. This is possible since the contribution of the node member is included in the IGROUP message, see figurefigure 2. Figure 2: Renewing members’ and the leader’s contribution Both IGROUP and IREPLY messages must be sent periodically for each interval T . To reduce the probability of collision of these messages, we add a jitter to times when the GKA messages shall be sent by the group members and the group leader. In the table 5, we have given examples of figures for our GKA protocol. We can notice that l and trtd will heavily depend of the number of nodes in the network and of the topology of the network. 5 Computational overhead To test the performance of this new GKA protocol (only the unauthenticated version), we incorpo- rated it in the group management protocol of [4]. The group management of [4] consists of three communication rounds: DISC, JOIN and GROU P . The DISC stage initiates the group for- mation by calling for interested participants. Each interested participant responds with a JOIN Parameter Value Constraint k 3 large enough to be sure the message is not simply lost

Implementation Issues. We will consider a given period T . To simplify, this period will be used both by the group leader and or by the member of the group as a period to send their GKA messages. ≥ − A node can be in one of the following two states : member state or group leader state. A node in a member state will enter the process to become a group leader if it has not received an IGROUP message for a duration kT . A node which has not received any message from a group leader for a duration kT with k 2 will suppose that there is no group leader and starts the procedure to become a leader. Since a node may not have received a packet of the group leader because this packet has been lost, k must be selected so that the probability that k 1 successive transmissions of a GKA message are lost is small. Then, to To become a group leader, the node selects a random integer ir between 1 and a given number l (backoff window size) and initializes a timer at irtrtd, where . trtd is a predefined duration computed to be at least the round trip delay of a message throughout the ad hoc network. With such a figure for trtd we can be sure that if two nodes draw different integers ir and irr ir' , the node having selected the larger integer will receive the IGROUP message of the other node and then will stop its election process. The backoff window size l must be chosen with respect to the total number of nodes in the network so that the probability of that two nodes choosing choose the same integer is small. This back-off procedure is performed to avoid possibly multiple group leader candidates, for instance, when a group is set up or split into two subgroups. Figure 1: Transition between the member and the leader state When the node in the state member state sends its first IGROUP message, it is in the group leader xxxxx.Xx state, see Figure 1. In the group leader state, a node must collect IREPLY messages and form the related IGROUP message. When there is a change in the group (arrival or withdrawal) the group leader must change its contribution. Additionally, Additionally irrespective of the modification of the composition of the group, the group leader must change its contribution periodically, to maintain the security of the session key. When a group leader is elected, it the latter may choose to wait additional periods before sending an a IGROUP containing the contributions of the group members. In doing Doing so, the group leader may avoid unnecessary changes to the session key due to not having received the lack of receipt of all the contributions in time. In the group leader state, a node will also look out for IGROUP messages from another group leader. If it receives such a message from another group leader holding a smaller node index, the node changes its state to the member state. In the group member state, a node will have to send IREPLY messages periodically. Like the group leader, a group member must change its contribution periodically with a period P . We will assume that P is a large multiple of T . To simplify the procedure and to avoid unnecessary computations we can assume that the group leader does not instantly include a new contribution of a group member in the IGROUP message, instead it will wait for the change of its own contribution to take into account all new contributions of nodes. This is possible since the contribution of the node member is included in the IGROUP message, see figurefigure 2. Figure 2: Renewing members’ and the leader’s contribution Both IGROUP and IREPLY messages must be sent periodically for each interval T . To reduce the probability of collision of these messages, we add a jitter to times when the GKA messages shall be sent by the group members and the group leader. In the table 5, we have given examples of figures for our GKA protocol. We can notice that l and trtd will heavily depend of the number of nodes in the network and of the topology of the network.

Implementation Issues. We will consider a given period T . To simplify, this period will be used both by the group leader and by the member of the group as a period to send their GKA messages. ≥ − A node can be in one of the following two states : member state or group leader state. A node in a member state will enter the process to become a group leader if it has not received an IGROUP message for a duration kT . A node which has not received any message from a group leader for a duration kT with k 2 will suppose that there is no group leader and starts the procedure to become a leader. Since a node may not have received a packet of the group leader because this packet has been lost, k must be selected so that the probability that k 1 successive transmissions of a GKA message are lost is small. Then, to become a group leader, the node selects a random integer ir between 1 and a given number l (backoff window size) and initializes a timer at irtrtd, where trtd is a predefined duration computed to be at least the round trip delay of a message throughout the ad hoc network. With such a figure for trtd we can be sure that if two nodes draw different integers ir and irr ir' , the node having selected the larger integer will receive the IGROUP message of the other node and then will stop its election process. The backoff window size l must be chosen with respect to the total number of nodes in the network so that the probability of two nodes choosing the same integer is small. This back-off procedure is performed to avoid possibly multiple group leader candidates, for instance, when a group is set up or split into two subgroups. When the node in the member state sends its first IGROUP message, it is in the group leader xxxxx.Xx the group leader state, a node must collect IREPLY messages and form the related IGROUP message. When there is a change in the group (arrival or withdrawal) the group leader must change its contribution. Additionally, irrespective of the modification of the composition of the group, the group leader must change its contribution periodically, to maintain the security of the session key. When a group leader is elected, it may choose to wait additional periods before sending an IGROUP containing the contributions of the group members. In doing so, the group leader may avoid unnecessary changes to the session key due to not having received all the contributions in time. In the group leader state, a node will also look out for IGROUP messages from another group leader. If it receives such a message from another group leader holding a smaller node index, the node changes its state to the member state. In the member state, a node will have to send IREPLY messages periodically. Like the group leader, a group member must change its contribution periodically with a period P see figure