Assume that the group of푛members establish a group key.
Step 1. Each member selects random푥푖∈Z푞and computes푋푖=푔푥푖modp.
푀푖→푀푠:푋푖(푖∈[1,푛],푖=푠̸)
Step 2.푀푠selects random푘inZ푞for group key sharing and computes key-locks.
푀푠⇒퐶푛:{(푋푖)푘|푖∈[1,푛],푖=푠}̸Box 1: Group key initialization.Assume thatmmembers are added to the group퐶푛.
Step 1. Each new member푀푗(푛+1≤푗≤푛+푚)selectsrandom푥푗∈Z푞and computes푋푗=푔푥푗modp.
푀푗→푀푠:푋푗(푗∈[푛+1,푛+푚])
Step 2.푀푠selects random푘耠inZ푞for new group key and computes key-locks.
푀푠⇒퐶푛:{(푋푖)푘耠
|푖∈[1,푛+푚],푖=푠}̸Box 2: Group rekeying for member join.Assume that a subset퐿푚of current group퐶푛is composed ofmleaving members in
the group and does not include the group master푀푠.
Step 1.푀푠selects random푘耠inZ푞for new group key and computes key-locks with updated locker list.
푀푠⇒퐶푛\퐿푚:{(푋푖)푘耠
|푖∈[1,푛]∧푀푖∉퐿푚,푖=푠}̸Box 3: Group rekeying for member leave.master, and then푀푠broadcasts locked new group key GK耠=
푔푘
耠
to all the group members in the same manner as second
round of initial phase, as inBox 2. All members, including
new members, can extract the new group key GK耠in the same
way as ( 6 ).
Unlike the join event, member leave process does not
require the first round for sending lockers to the master. Let a
subset of퐶푛for leaving members be퐿푚⊂퐶푛(푀푠∉퐿푚).
Groupmembersconductrekeyingoperationsforthenew
group key GK耠as inBox 3.
The leaving nodes cannot learn the new group key
because the broadcast message from푀푠does not contain
any locker푋푖for leaving members. Note that the set퐿푚for
the leaving node does not include the master. Leaving of the
master requires ‘delegation’ during which the master forwards
locker list푋퐿퐶for group퐶푛to new group master(푀푠耠)as
follows:
푀푠㨀→ 푀푠耠:푋퐿퐶={푋푗|푀푗∈퐶푛,푗=푠}.̸ (7)Thedelegationcanbeusedforanothercasewherethemaster
wishes to finish its master’s role for a reason such as network
topology change or resource exhaustion; that is, the master
turns to a group member not leaving the group. In this case,
the delegation message includes the former master’s locker
generated with new selected secret푥푠as follows:
푀푠㨀→ 푀푠耠:푋퐿퐶={푋푗|푀푗∈퐶푛,푥푠=푘,푥̸푠=푘̸耠}. (8)When group members detect unexpected disconnection
fromthemaster,theyrestartgroupkeyinitializationwithnew
master selection. At the worst case, members can suffer from
frequent connection failure with the master. In this case, the
first protocol should be slightly modified to make all of group
members have the locker list and any member be the group
master to proceedBox 3. For instance, a general member at
the first step ofBox 1broadcasts its locker to the group as
follows:푀푖㨐⇒ 퐶푛:푋푖(푖∈[1, 푛],푖=푠̸). (9)The group members continue secure communication with a
freshgroupkeyobtainedthroughgrouprekeying.Weprovide
formal security proofs inSection 5.3.4. Group Rekeying for Group Merging and Partition.There
are two ways to integrate two groups into one group com-
pletely:individual joinandgroup join.Theformeristhat
members of a group join another group individually. It is
similar to the mass joining process, saving that the joining
master should generate his lock-secret,푥푠, and locker,푔푥푠.
Thelatterwayisthatagroupisabsorbedintotheothergroup
via delegation process between both group masters.
Let two groups be merged퐶푛={푀 1 ,푀 2 ,...,푀푛}and
푅푚 ={푀 1 ,푀 2 ,...,푀푚}(푛≥푚). The master푀푠of퐶푛
survives after group merging, while the master푀푠耠of푅푚
becomes a member of the merged group. Smaller group
members (∈푅푚) become a member of퐶푛+푚;thatis,퐶푛+푚=
{푀 1 ,푀 2 ,...,푀푛,푀푛+1,...,푀푛+푚}and푀푠∈퐶푛after group
merging. Group merging process runs with delegation (in the
first round) as inBox 4.Figure 2represents an instance for a
merging process for a current group퐶 4 and a merged group