We assume the group has users (), when the group communication system announces the arrival of a new member. Both the new member and the prior group receive this notification simultaneously. The new member broadcasts a join request message that contains its own blinded key . (which is the same as its blinded session random ) At the same time, the current group's sponsor() computes a blinded version of the current group key () and sends the current tree to with all blinded keys and blinded session randoms.
Next, each first increments and creates a new root key node with two children: the root node of the prior tree on the left and the new leaf node corresponding to the new member on the right. Note that every member can compute the group key (see Remark 2):
All existing members only need the new member's blinded session random
The new member needs the blinded group key of the prior group
In a join operation, the sponsor is always the topmost leaf node, i.e., the most recent member in the current group.
As described, the join protocol takes one communication round and two cryptographic operations to compute the new group key (one before the message exchange and one after).
The join protocol provides backward secrecy since a new member is only given a blinded key of the existing group. However, the protocol does not provide key independence since knowledge of a group key used before the join can be used to compute the group key used after the join. To remedy the situation, we can modify the protocol to require the sponsor to change its session random and the corresponding blinded value, .
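The join computation described above, as an added Python example that is not code from the original text. It assumes that blinding is modular exponentiation g^x mod p over a toy prime, and the names `blind`, `chain_key`, `join` and `join_with_refresh` are illustrative; it also checks the key-independence gap and the sponsor-refresh remedy.

```python
import secrets

# Assumptions: toy parameters, not a vetted Diffie-Hellman group.
P = 2**127 - 1   # a Mersenne prime
G = 3

def blind(secret):
    """Blinded value of a key or session random (assumed: g^secret mod p)."""
    return pow(G, secret, P)

def fresh_random():
    """New session random in [2, P-2]."""
    return secrets.randbelow(P - 3) + 2

def chain_key(randoms):
    """Group key of a tree grown by successive joins; randoms[-1] is the
    topmost leaf (the sponsor). Each root key = blind(left key) ^ right random."""
    key = randoms[0]
    for r in randoms[1:]:
        key = pow(blind(key), r, P)
    return key

def join(old_group_key, new_random):
    """One join. Returns (key computed by existing members,
    key computed by the new member, new member's broadcast blinded random)."""
    br_new = blind(new_random)       # broadcast by the new member
    bk_old = blind(old_group_key)    # sent by the sponsor with the tree
    k_members = pow(br_new, old_group_key, P)   # after the exchange
    k_newcomer = pow(bk_old, new_random, P)
    return k_members, k_newcomer, br_new

def join_with_refresh(randoms, new_random):
    """Remedy from the text: the sponsor replaces its session random first,
    so the key blinded for the newcomer is not the previously used group key."""
    refreshed = randoms[:-1] + [fresh_random()]
    return join(chain_key(refreshed), new_random)

if __name__ == "__main__":
    randoms = [fresh_random() for _ in range(4)]   # constructed 4-member group
    k_old, r_new = chain_key(randoms), fresh_random()
    k_m, k_n, br = join(k_old, r_new)
    print("members and newcomer agree:", k_m == k_n)
    # Anyone holding k_old plus the broadcast br derives the post-join key.
    print("old key yields new key:", pow(br, k_old, P) == k_m)
    k_m2, k_n2, br2 = join_with_refresh(randoms, r_new)
    print("after refresh, old key yields new key:", pow(br2, k_old, P) == k_m2)
```
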