Since network disruptions are random and unpredictable, it is natural to consider the possibility of so-called cascaded membership events. (In fact, cascaded events and their impact on group protocols are often considered in group communication literature, but, alas, not often enough in the security literature.) A cascaded event occurs, in its simplest form, when one membership change occurs while another is being handled. Event here means any of: join, leave, partition, merge or a combination thereof. For example, a partition can occur while a prior partition is being dealt with, resulting in a cascade of size two. In principle, cascaded events of arbitrary size can occur if the underlying network is highly volatile.
We claim that the TGDHpartition protocol is self-stabilizing, i.e., robust against cascaded network events. This is quite rare as most multi-round cryptographic protocols are not geared towards handling of such events. In general, self-stabilization is a very desirable feature since lack thereof requires extensive and complicated protocol "coating" to either 1) shield the protocol from cascaded events, or 2) harden it sufficiently to make the protocol robust with respect to cascaded events (essentially, by making it re-entrant).
The high-level pseudocode for the self-stabilizing protocol is shown in figure 9. The changes from figure 8 are minimal.
Figure 9: Self-stabilizing protocol pseudocode
Figure 10: An Example of Cascaded Partition
Instead of providing a formal proof of self-stabilization (which we omit due to page limitations) we demonstrate it with an example. Figure 10 shows an example of a cascaded partition event. The first part of the figure depicts a partition of , , and from the prior group of ten members . This partition normally requires two rounds to complete the key agreement. As described in section 5.4, every member constructs the same tree after completing the initial round. The middle part shows the resulting tree. In it, all non-leaf nodes except must be recomputed as follows:
The only remaining issue is whether a broadcast from the first partition can be received after the notification of the second (cascaded) partition. Here we rely on the underlying group communication system to guarantee that all membership events are delivered in sequence after all outstanding messages are delivered. In other words, if a message is sent in one membership view and membership changes while the message is not yet delivered, the membership change must be postponed until the message is delivered to the (surviving) subset of the original membership. This is essentially a restatement of View Synchrony (as discussed in section 3).