Join Protocol. We assume the group has members: . The new member initiates the protocol by broadcasting a join request message that contains its own bkey . This message is distinct from any JOIN messages generated by the underlying group communication system, although, in practice, the two might be combined for efficiency’s sake. Each current member receives this message and determines the insertion point in the tree. The insertion point is the shallowest rightmost node, where the join does not increase the height of the key tree. Otherwise, if the key tree is fully balanced, the new member joins to the root node. The sponsor is the rightmost leaf in the subtree rooted at the insertion node. Next, each member creates a new intermediate node and a new member node, and promotes the new intermediate node to be the parent of both the insertion node and the new member node. After updating the tree, all members, except the sponsor, block. The sponsor proceeds to update its share and compute the new group key; it can do this since it knows all necessary bkeys. Next, the sponsor broadcasts the new tree which contains all bkeys. All other members update their trees accordingly and compute the new group key (see Proposition 2). It might appear wasteful to broadcast the entire tree to all members, since they already know most of the bkeys. However, since the sponsor needs to send a broadcast message to the group anyhow, it might as well include more information which is useful to the new member, thus saving one unicast message to the new member (which would have to contain the entire tree). Figure 3 shows an example of member joining a group where the sponsor ( ) performs the following actions:
1. renames node to
Step 1: The new member broadcasts request for join.
Step 2: Every member update key tree by adding new member node and new intermediate node, removes all keys and bkeys from the leaf node related to the sponsor to the root node. The sponsor additionally generates new share and computes all [ ] pairs on the key-path, broadcasts updated tree including only bkeys. Step 3: Every member computes the group key using .
Join Protocol. <0,0> New Intermediate Node <1,0> <1,1> New Member <2,0> M1 M2 X0 X0 Xxxx X0 Xxxx X0 <0,0> <1,0> <2,0> <2,1> <1,1> M3 Sponsor M1 M2
Join Protocol. The current group has n members, the new member is identified with Mn+1. The tree will be added a new intermediate node with two children: the root node of the prior tree on the left and the new leaf node on the right for new member. This node becomes the new root node. As mention in section 3.3.2, the director who is the maximum signal strength with joining member is selected from current group members. For simplicity, the protocol use n in the following to denote the number of group members before operation join. To deal with the join operation, a member is chosen as the director, because the new member detects the maximum signal strength. The new member Mn+1 sends a join request, JOIN_MESSAGE, to the director. Later the director refreshes the session random key, computes keys and blinded keys of intermediate nodes up to the root node and sends authenticated blinded keys in key tree to Mn+1. Next, the member Mn+1 computes the blinded keys in key tree and updates existing key tree in accordance with creates a new root node and a new member node. Next, the new member selects session random key and computes keys and blinded keys going up to the root. The blinded key of new member Mn+1 is BKn+1 = sn+1 βr βn+1 s-1 where βr is existing publish braid word at root node that the new member can find in existing key tree information. The new member unicasts the new key tree containing only authenticated blinded keys to all other members. Finally, each member computes blinded keys and group key. This join protocol provides key independence since director updates session random key that knowledge of a previous group key cannot be used to compute the new group key. Figure 4.1 shows the authenticated key tree what director, M1, sends to new member, M4. This instance, it means that the M1 is nearest with M4. Figure 4.2 shows the authenticated key tree that M2 received from new member, M4. Figure 4.3 shows key tree information after M1 computes keys and blinded keys. The summary process of protocol is illustrated as follows:
Join Protocol. We assume the group has n members: {M1, . . . , Mn}. The new member Mn+1 initiates the protocol by broadcasting a join request message that contains its own bkey BK(0,0). This message is distinct from any JOIN messages generated by the underlying group communication system, although, in practice, the two might be combined for efficiency’s sake.
Step 1: The new member broadcasts request for join BK(0,0)=αrn+1 Mn+1 Step 2: Every member − − − − − − −→ C = {M1, . . . , Mn} • update key tree by adding new member node and new intermediate node, • removes all keys and bkeys from the leaf node related to the sponsor to the root node, The sponsor Ms additionally • broadcasts updated tree T^s including only bkeys. • generates new share and computes all [key, bkey] pairs on the key path, C ∪ {Mn+1} = {M1, . . . , Mn+1} T (BK∗) Ms ^s s ←− − − − − − − Step 3: Every member computes the group key using T^s
Join Protocol. The join protocol is initiated when a potential member sends a valid join message to a sponsor member. The authentication server generates a ‘joining tag’ for new member 𝑁𝑗, as shown below. After receiving a valid join tag, 𝑁𝑗 multicasts the join request 𝐸𝑌(𝑛𝑗) 𝖣 𝑌 = {��𝑖} ), and the protocol proceeds as follows:
1. 𝑁𝑗 → (𝑋𝑁 − 𝑁𝑖+1): 𝐸𝑌 (𝑠𝑖𝑔(𝑛𝑗)) 𝖣 𝑌 = {𝑁𝑖} 𝐺 𝐺
2. ∀(𝑋𝑁 − 𝑁𝑖+1) ⊢ 𝐾𝑛𝑒𝑤 = 𝐻𝑎𝑠ℎ(𝐾𝑐𝑢𝑟𝑟𝑒𝑛𝑡, 𝑛𝑖) 𝐺
3. 𝑁𝑖 → 𝑁𝑗: 𝐸𝑌(𝐾𝑛𝑒𝑤) 𝖣 𝑌 = {𝑁𝑗} 𝐺
4. 𝑁��−1 → 𝑁𝑖+1: 𝐸𝑐𝑢𝑟𝑟𝑒𝑛𝑡 (𝑛𝑖) 𝐺 𝐺
5. 𝑁𝑗 ⊢ 𝐾𝑛𝑒𝑤 = 𝐻𝑎𝑠ℎ(𝐾𝑐𝑢𝑟𝑟𝑒𝑛𝑡, 𝑛𝑖)
1) In first step 𝑁𝑗 multicasts the join message encrypted with multicasting key 𝐾𝑌 derived from 𝑁𝑖 ’s secret nonce, which infers that all group members excluding 𝑁𝑖+1 receive 𝑛𝑗 . All
2) All group members, excluding 𝑁𝑗 and 𝑁𝑖+1, generate a new group key and update their state vectors by adding the secret of the new member 𝑁𝑗.
3) The sponsor node 𝑁𝑖 shares the new group key with the joining member 𝑁𝑗. At this point, the newly joining member 𝑁𝑗 can decrypt the first half of the join ticket to acquire
4) In parallel with message 3, the member 𝑁𝑖−1 shares the nonce of the sponsor node with member 𝑁𝑖+1. This sharing breaks the logical link between the sponsor member and 𝑁𝑖+1 and established a new logical connection between 𝑁𝑗 and 𝑁𝑖+1. 5) Finally, after receiving 𝑛𝑗, the member 𝑁𝑖+1 also generates a group key. 𝐸𝐺(Xx)||𝐸𝑌 (��𝑖𝑔(𝑛𝑗)) 𝖣 𝑌 = {𝑁𝑖} A valid joining tag consists of two parts. The first part 𝐸𝐺(Xx) is destined for new member 𝑁𝑗 only, whereas the second half 𝐸𝑌 (𝑠𝑖��(𝑛𝑗)) 𝖣 𝑌 = {𝑁𝑖} is used by new member 𝑁𝑗 to initiate the join protocol. Due to the encryption with unknown keys, the contents of the tag are hidden from the 𝐺 requesting member 𝑁𝑗 . The first half is encrypted with the updated group key 𝐾𝐺 = 𝐻𝑎𝑠ℎ(𝐾𝑐𝑢𝑟𝑟𝑒𝑛𝑡, 𝑛𝑖), where 𝑛𝑖 is the secret nonce of the current sponsor member of the group, which is the new member, who intends to join. This part of the tag consists of the vector state for member 𝑁𝑗 , as the state is encrypted with the updated group key 𝐾 , and the requesting We consider a group of three members, as shown in Figure 4, where 𝑁3 is the sponsor member and 𝑁4 sends a valid join request 𝐸𝑌(𝑠𝑖𝑔(𝑛4)) 𝖣 𝑌 = {𝑁3}, which infers that only 𝑁2 and 𝑁3 can decrypt the message using 𝐾𝑌 = 𝑓({𝑁3}) . For the given example the join protocol proceeds...
Join Protocol. To handle a join event, a group controller is needed. It can be any member in the group. The group controller has usually higher performance capability than other members. Let Mc be the group controller, and let Mi+1 be the potential member. In first step, Xx chooses a new random secret exponent Sc. The message will be sent by Mc to the new member Mi+1. Mi+1 generates randomly its secret Si+1 and embeds Si+1 in the message which it then broadcasts to all members in group. After running join protocol, all members compute the new group key.
Join Protocol. The current group has n members, the new member is identified with Mn+1. The tree will be updated by incrementing n = n + 1 and adding a new internal node INn with two children: the root node INn−1 of the prior tree Ti on the left and the new leaf node LNn on the right. This node becomes the new root node. Figure 2.11 gives an example of addition of a new member to a group with four members. For simplicity, it uses n in the following to denote the number of group members before operation join. To deal with the join operation, the member Mn is chosen as the sponsor. The new member Mn+1 broadcasts a join request containing its own blinded key bkn+1. All members Mi with 1 ≤ i ≤ n can compute the new group key. The sponsor unicasts all blinded keys to Mn+1. Equipped with this message the new member can also compute the new group key. However this join protocol does not provide key independence since knowledge of a previous group key can be used to compute the new group key. To remedy the situation, they suggest that the sponsor updates its session random. The changed information will then be broadcasted to all members. The process is illustrated as follows: random brn+1.
1) The new member broadcasts its own blinded session
2) The sponsor Ms(s = n) updates its session random ss and brs, computes new kn, bkn, and broadcasts the updated tree with all blinded keys and blinded session random.
3) Every member Mi updates the tree by inserting Mn+1, sets n = n + 1, and computes the keys: • if i = 1, · · · , n − 2, computes k = brkj-1 for j = n − 1, • if i = n (new member), computes k = bksn , • if i = s (sponsor), computes k = brkn-1 .
Join Protocol. Assume that the group has n members . The new member Mn+1 initiate the protocol by broadcasting a join request message that contains its own public key and the ip address. Each current member receives this message and determines the insertion point in Each group member contributes an equal share to the group key. The key is computed as a function of all current group members’ shares. Each share is secret (private to each group member) and is never revealed. After every membership change, all remaining members independently update the key tree structure. This protocol also requires each member to know all public keys in the entire key tree. As part of the protocol, a group member can take on a special sponsor role, which involves computing keys and broadcasting to the group. Each broadcasted message contains the sender’s view of the key tree, which contains each Public key known to the sender. Any member in the group can take on this responsibility, depending on the type of membership event. This makes the handling of future membership changes more efficient and robust. the tree. The insertion point is based on its ip address. The sponsor is the node at which the new member joins or the sibling of the new node.
Join Protocol. In the proposed scheme, when a new member needs to join a group, he will send a request to join a group message containing his published braid to a director. The director can be anyone in the existing group members. After the director receives the join request message, he sends a sequence of published braids of all members to the new member. Then the new member computes his public key and sends it back to the director. The director can generate a new key tree including the new member’s public key and new public group key in the tree and then broadcasts this new key tree to all members. The insertion point of a new member in a key tree is at a new root node. From section 3.2, the setup phase, an example is continued with the scenario when user D needs to join the group as shown in Figure 3.3. User C as a director sends a sequence of published braids of all existing members gAgBgC to a new member. User D can compute his public key and then send it back to the director. The director can compute a new group key KABCD = KABC PKD KABC -1and a new public group key PKABCD. The new member can also compute the new public group key after getting an updated key tree but he cannot compute the previous group key KABC or KAB because he does not know each user’s private key. Thus the proposed scheme complies with the concept of backward secrecy. Next is an example of join protocol that continued from the setup phase as the following. For user D: D’s private key: σ19σ17 D’s published braids: σ18σ16 D’s public key: (σ19σ17) σ2σ2σ9σ6σ11σ14σ18σ16 (σ19σ17)-1
Join Protocol. In the proposed scheme, we assume that each new member have already contacted a private key generator in order to get his private key. When the new member needs to join a group, he can send a request to join message to the group. This message contains the new member’s public key. Every member can compute a new group public key. From subsection 4.2.1, the setup phase, this example continues with the scenario when user named “Delta” needs to join the group as shown in the following. For Delta:
1) The private key generator encodes Delta’s identity IDD into a braid in group g4, then divides this braid into left and right braids; g4l and g4r
2) The private key generator prepares private keys SK1D and SK2D for Delta where SK1D = z1g4lz2 and SK2D = z4g4rz3 For Group: The group public key PKABCD = (g1) (g2) (g3) (g4) The total communication messages for join protocol are two unicast messages and one multicast message; these two unicast messages for obtaining a private key from private key generator, and one multicast message for sending a join request. The total computation cost are three serial numbers of braid group multiplication (one for generate new public group key and two for generate private keys for new member), and one encoding operation to convert identity into braid. The multiple join occurs when any m users want to join a group simultaneously. In this case the total communication messages are 2m unicast messages and m multicast messages, and the total computation cost is 2m+1 serial numbers of braid group multiplication, and m encoding operation.
