Common use of Protocol Unification Clause in Contracts

Protocol Unification. Although described separately in the preceding sections, the four STR oper- ations: join, leave, merge and partition, actually represent different expression of a single protocol. We justify this claim with an informal argument below. Obviously, join and leave are special cases of merge and partition, respec- tively. It is less clear that merge and partition can be collapsed into a single protocol, because in either case, the key tree changes and the remaining group members lack some number (sometimes none) of blinded keys or blinded ses- sion randoms which prevents them from computing the new root key. When a partition occurs, the remaining members reconstruct the tree where some blinded keys are missing. In case of a merge, a shorter tree A is merged into a taller tree B. Any member in B now can compute the group key since it knows blinded session random of any member in A. The deepest member in A also can compute the group key since it knows the blinded session random of any other member in A and blinded group key of B. Using the broadcast message any member now can compute the new group key. We established that both partition and merge initially result in a new key tree with a number of missing blinded keys. In case of merge, the missing blinded keys can be distributed in two rounds. This is because a sponsor in both of A and B broadcasts its own subtree including all blinded keys. Any member in a given subtree can compute the new root key after receiving both broadcasts. The case of partition is very similar except that the missing blinded keys and the new group key can be distributed in one round. This apparent similarity between partition and merge allows us to lump the protocols stemming from all membership events into a single, unified protocol. The following figure shows the pseudocode. receive msg (msg type = membership event) construct new tree while there are missing blinded keys if (I can compute any missing keys and I am the sponsor) compute missing blinded keys broadcast new blinded keys endif receive msg (msg type = broadcast) update current tree endwhile The incentive for this is threefold. First, unification allows us to simplify the implementation and minimize its size. Second, the overall security and correctness are easier to demonstrate with a single protocol. Third, we can now claim that (with a slight modification) the STR protocol is self-stabilizing and fault-tolerant as discussed below.

Protocol Unification. Although described separately in the preceding sections, the four STR oper- ationsTGDH protocols: join, leave, merge and partition, actually represent different expression strands of a single protocol. We justify this claim with an informal argument below. Obviously, join and leave are special cases of merge and partition, respec- tivelyrespectively. It is less clear that merge and partition can be collapsed into a single protocol. To see why this is so we observe that, because in either case, the key tree changes and the remaining group members lack some number (sometimes none) of blinded keys or blinded ses- sion randoms which prevents them from computing the new root keykey unilaterally. When a partition occurs, the remaining members (in any surviving fragment) reconstruct the tree where some blinded keys are missing. In case of a merge, let us suppose that a shorter taller (deeper) tree A is merged into with a taller shorter (shallower) tree B. Any member Similar to a partition, all members formerly in A construct the new tree where some blinded keys – those in B now can compute – are missing. (This view is symmetric since the group key since it knows members in B see the same tree but with missing blinded session random of any member keys in A. The deepest member in A also can compute the group key since it knows the blinded session random of any other member in A and blinded group key of B. Using the broadcast message any member now can compute the new group key. subtree A.) We established that both partition and merge initially result in a new key tree with a number of missing blinded keys. In case of merge, the missing blinded keys can be distributed in two rounds. This is because a sponsor in both of A and B broadcasts its own subtree including all blinded keys. Any member in a given subtree can compute the new root key after receiving both broadcasts. The case of partition is very similar except that the missing blinded keys and are not concentrated in a new subtree (as in merge) but are, in the new group most general case, spread all around. As we discuss in section 5.4, every member reconstructs the key tree after a partition in at most h rounds, where h is the tree height. The merge scenario can be distributed viewed as a special case of partition that always completes in one round. This apparent similarity between partition and merge allows us to lump the protocols stemming from all membership events into a single, unified protocol. The following figure shows the pseudocodetwo rounds. receive msg (msg type = membership event) construct new tree while there are missing blinded keys if (I can compute any missing keys and I am the keys) /* sponsor) ? */ compute missing blinded keys /* as many as possible */ broadcast new blinded keys endif receive msg (msg type = broadcast) /* including own broadcast */ update current tree endwhile This apparent similarity between partition and merge allows us to lump the protocols stemming from all membership events into a single, unified protocol. (See figure 10 for the pseudocode.) The incentive for this is threefold. First, unification allows us to simplify the implementation and minimize its size. SecondFurthermore, the overall security and correctness are easier to demonstrate with a single protocol. ThirdMost importantly, however, we can now claim that (with a slight modification) the STR TGDH protocol is self-stabilizing and fault-tolerant as discussed below.