Group Membership Events

A comprehensive group key agreement solution must handle adjustments to group secrets subsequent to all membership change operations in the underlying group communication system.

We distinguish among single and multiple member operations. Single member changes include member addition or deletion. The former occurs when a prospective member wants to join a group and the latter occurs when a member wants to leave (or is forced to leave) a group. While there might be different reasons for member deletion - such as voluntary leave, involuntary disconnect or forced expulsion - we believe that group key agreement must only provide the tools to adjust the group secrets and leave the rest up to the higher-layer (application-dependent) security mechanisms.

Multiple member changes also include addition and deletion. We refer to the multiple addition operation as group merge, in which case two or more groups merge to form a single group. We refer to the multiple leave operation as group partition, whereby a group is split into smaller groups. A group partition can take place for several reasons of two of which are fairly common:

1. Network failure - this occurs when a network event causes disconnectivity within the group. Consequently, a group is split into fragments some of which are singletons while others (those that maintain mutual connectivity) are sub-groups.
2. Explicit (application-driven) partition - this occurs when the application decides to split the group into multiple components or simply exclude multiple members at once.

Similarly, a group merge be either voluntary or involuntary:

1. Network fault heal - this occurs when a network event causes previously disconnected network partitions to reconnect. Consequently, groups on all sides (and there might be more than two sides) of an erstwhile partition are merged into a single group.
2. Explicit (application-driven) merge - this occurs when the application decides to merge multiple pre-existing groups into a single group. (The case of simultaneous multiple-member addition is not covered.)

At the first glance, events such as network partitions and fault heals might appear infrequent and dealing with them might seem to be a purely academic exercise. In practice, however, such events are common owing to network misconfigurations and router failures. In addition, in the environment of ad hoc wireless communication, network partitions are both common and expected. In [11], Moser et al.offer some compelling arguments in support of these claims. Hence, dealing with group partitions and merges is a crucial component of group key agreement.

In addition to the aforementioned membership operations, periodic refreshes of group secrets are advisable so as to limit the amount of ciphertext generated with the same key and to recover from potential compromises of members' contributions or prior session keys. This is discussed in the next section.