{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,25]],"date-time":"2026-02-25T17:12:59Z","timestamp":1772039579384,"version":"3.50.1"},"reference-count":26,"publisher":"Privacy Enhancing Technologies Symposium Advisory Board","issue":"3","license":[{"start":{"date-parts":[[2018,4,28]],"date-time":"2018-04-28T00:00:00Z","timestamp":1524873600000},"content-version":"unspecified","delay-in-days":0,"URL":"http:\/\/creativecommons.org\/licenses\/by-nc-nd\/4.0"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2018,6,1]]},"abstract":"<jats:title>Abstract<\/jats:title>\n               <jats:p> We describe SYM-GOTR, a protocol for secure Group Off-The-Record (GOTR) messaging. In contrast to previous work, SYM-GOTR is the first protocol to offer confidential, authenticated, and repudiable conversations among a dynamic group with the additional properties of message unlinkability and the guarantee that all users see the same conversation, while providing efficient use of network and CPU resources. SYM-GOTR achieves these properties through the use of a novel optimistic consistency check protocol that either determines that all users agree on a transcript with constant-size messages or identifies at least one user that has not followed the protocol. We provide an implementation of SYM-GOTR as a Java library along with a plugin for the Jitsi instant messaging client. We analyze the performance of SYM-GOTR in a real world deployment scenario and discuss the challenges of providing a usable implementation without compromising the security of the conversation.<\/jats:p>","DOI":"10.1515\/popets-2018-0027","type":"journal-article","created":{"date-parts":[[2018,5,1]],"date-time":"2018-05-01T03:10:17Z","timestamp":1525144217000},"page":"181-202","source":"Crossref","is-referenced-by-count":5,"title":["Consistent Synchronous Group Off-The-Record Messaging with SYM-GOTR"],"prefix":"10.56553","volume":"2018","author":[{"given":"Michael","family":"Schliep","sequence":"first","affiliation":[{"name":"University of Minnesota, Minnesota , USA"}]},{"given":"Eugene","family":"Vasserman","sequence":"additional","affiliation":[{"name":"Kansas State University, Kansas , USA"}]},{"given":"Nicholas","family":"Hopper","sequence":"additional","affiliation":[{"name":"University of Minnesota, Minnesota , USA"}]}],"member":"35752","published-online":{"date-parts":[[2018,4,28]]},"reference":[{"key":"2021040814294972713_j_popets-2018-0027_ref_001_w2aab3b7c11b1b6b1ab1ab1Aa","unstructured":"[1] N. Weaver, \u201cA close look at the NSA\u2019s most powerful internet attack tool.\u201d http:\/\/www.wired.com\/2014\/03\/quantum\/. Accessed: 19 May 2017."},{"key":"2021040814294972713_j_popets-2018-0027_ref_002_w2aab3b7c11b1b6b1ab1ab2Aa","doi-asserted-by":"crossref","unstructured":"[2] N. Borisov, I. Goldberg, and E. Brewer, \u201cOff-the-record communication, or, why not to use pgp,\u201d in Proceedings of the 2004 ACM Workshop on Privacy in the Electronic Society, WPES \u201904, (New York, NY, USA), pp. 77-84, ACM, 2004.","DOI":"10.1145\/1029179.1029200"},{"key":"2021040814294972713_j_popets-2018-0027_ref_003_w2aab3b7c11b1b6b1ab1ab3Aa","doi-asserted-by":"crossref","unstructured":"[3] I. Goldberg, B. Ustaoglu, M. D. Van Gundy, and H. Chen, \u201cMulti-party off-the-record messaging,\u201d in Proceedings of the 16th ACM Conference on Computer and Communications Security, CCS \u201909, (New York, NY, USA), pp. 358- 368, ACM, 2009.","DOI":"10.1145\/1653662.1653705"},{"key":"2021040814294972713_j_popets-2018-0027_ref_004_w2aab3b7c11b1b6b1ab1ab4Aa","doi-asserted-by":"crossref","unstructured":"[4] H. Liu, E. Y. Vasserman, and N. Hopper, \u201cImproved group off-the-record messaging,\u201d in Proceedings of the 12th ACM Workshop on Workshop on Privacy in the Electronic Society, WPES \u201913, (New York, NY, USA), pp. 249-254, ACM, 2013.","DOI":"10.1145\/2517840.2517867"},{"key":"2021040814294972713_j_popets-2018-0027_ref_005_w2aab3b7c11b1b6b1ab1ab5Aa","unstructured":"[5] O. W. Systems, Open Whisper Systems. https:\/\/whispersystems.org\/."},{"key":"2021040814294972713_j_popets-2018-0027_ref_006_w2aab3b7c11b1b6b1ab1ab6Aa","doi-asserted-by":"crossref","unstructured":"[6] M. Schliep, I. Kariniemi, and N. Hopper, \u201cIs bob sending mixed signals?,\u201d in Proceedings of the 2017 on Workshop on Privacy in the Electronic Society, WPES \u201917, (New York, NY, USA), pp. 31-40, ACM, 2017.","DOI":"10.1145\/3139550.3139568"},{"key":"2021040814294972713_j_popets-2018-0027_ref_007_w2aab3b7c11b1b6b1ab1ab7Aa","doi-asserted-by":"crossref","unstructured":"[7] N. Unger, S. Dechand, J. Bonneau, S. Fahl, H. Perl, I. Goldberg, and M. Smith, \u201cSok: Secure messaging,\u201d in Security and Privacy (SP), 2015 IEEE Symposium on, pp. 232-249, IEEE, 2015.","DOI":"10.1109\/SP.2015.22"},{"key":"2021040814294972713_j_popets-2018-0027_ref_008_w2aab3b7c11b1b6b1ab1ab8Aa","doi-asserted-by":"crossref","unstructured":"[8] M. Burmester and Y. Desmedt, \u201cA secure and efficient conference ey distribution system,\u201d in Advances in cryptology EUROCRYPT\u201994, pp. 275-286, Springer, 1994.","DOI":"10.1007\/BFb0053443"},{"key":"2021040814294972713_j_popets-2018-0027_ref_009_w2aab3b7c11b1b6b1ab1ab9Aa","unstructured":"[9] M. Marlinspike and T. Perrin, \u201cThe x3dh key agreement protocol,\u201d 2016."},{"key":"2021040814294972713_j_popets-2018-0027_ref_010_w2aab3b7c11b1b6b1ab1ac10Aa","unstructured":"[10] M. Marlinspike and T. Perrin, \u201cThe double ratchet algorithm,\u201d 2016."},{"key":"2021040814294972713_j_popets-2018-0027_ref_011_w2aab3b7c11b1b6b1ab1ac11Aa","doi-asserted-by":"crossref","unstructured":"[11] T. Frosch, C. Mainka, C. Bader, F. Bergsma, J. Schwenk, and T. Holz, \u201cHow secure is textsecure?,\u201d in Security and Privacy (EuroS&P), 2016 IEEE European Symposium on, pp. 457-472, IEEE, 2016.","DOI":"10.1109\/EuroSP.2016.41"},{"key":"2021040814294972713_j_popets-2018-0027_ref_012_w2aab3b7c11b1b6b1ab1ac12Aa","doi-asserted-by":"crossref","unstructured":"[12] K. Cohn-Gordon, C. Cremers, B. Dowling, L. Garratt, and D. Stebila, \u201cA formal security analysis of the signal messaging protocol,\u201d in Security and Privacy (EuroS&P), 2017 IEEE European Symposium on, pp. 451-466, IEEE, 2017.","DOI":"10.1109\/EuroSP.2017.27"},{"key":"2021040814294972713_j_popets-2018-0027_ref_013_w2aab3b7c11b1b6b1ab1ac13Aa","doi-asserted-by":"crossref","unstructured":"[13] N. Kobeissi, K. Bhargavan, and B. Blanchet, \u201cAutomated verification for secure messaging protocols and their implementations: A symbolic and computational approach,\u201d in IEEE European Symposium on Security and Privacy (EuroS& P), 2017.","DOI":"10.1109\/EuroSP.2017.38"},{"key":"2021040814294972713_j_popets-2018-0027_ref_014_w2aab3b7c11b1b6b1ab1ac14Aa","unstructured":"[14] eQualit.ie, (n+1)sec protocol specification - draft. https: \/\/equalit.ie\/introducing-n1sec-a-protocol-for-distributedmultiparty- chat-encryption\/."},{"key":"2021040814294972713_j_popets-2018-0027_ref_015_w2aab3b7c11b1b6b1ab1ac15Aa","doi-asserted-by":"crossref","unstructured":"[15] M. Abdalla, C. Chevalier, M. Manulis, and D. Pointcheval, \u201cFlexible group key exchange with on-demand computation of subgroup keys.,\u201d Africacrypt, vol. 10, pp. 351-368, 2010.","DOI":"10.1007\/978-3-642-12678-9_21"},{"key":"2021040814294972713_j_popets-2018-0027_ref_016_w2aab3b7c11b1b6b1ab1ac16Aa","doi-asserted-by":"crossref","unstructured":"[16] M. Bellare and C. Namprempre, \u201cAuthenticated encryption: Relations among notions and analysis of the generic composition paradigm,\u201d J. Cryptol., vol. 21, pp. 469-491, Sept. 2008.","DOI":"10.1007\/s00145-008-9026-x"},{"key":"2021040814294972713_j_popets-2018-0027_ref_017_w2aab3b7c11b1b6b1ab1ac17Aa","doi-asserted-by":"crossref","unstructured":"[17] B. LaMacchia, K. Lauter, and A. Mityagin, \u201cStronger security of authenticated key exchange,\u201d in Provable Security, pp. 1-16, Springer, 2007.","DOI":"10.1007\/978-3-540-75670-5_1"},{"key":"2021040814294972713_j_popets-2018-0027_ref_018_w2aab3b7c11b1b6b1ab1ac18Aa","doi-asserted-by":"crossref","unstructured":"[18] C. Alexander and I. Goldberg, \u201cImproved user authentication in off-the-record messaging,\u201d in Proceedings of the 2007 ACM workshop on Privacy in electronic society, pp. 41-47, ACM, 2007.","DOI":"10.1145\/1314333.1314340"},{"key":"2021040814294972713_j_popets-2018-0027_ref_019_w2aab3b7c11b1b6b1ab1ac19Aa","doi-asserted-by":"crossref","unstructured":"[19] M. Di Raimondo, R. Gennaro, and H. Krawczyk, \u201cDeniable authentication and key exchange,\u201d in Proceedings of the 13th ACM conference on Computer and communications security, pp. 400-409, ACM, 2006.","DOI":"10.1145\/1180405.1180454"},{"key":"2021040814294972713_j_popets-2018-0027_ref_020_w2aab3b7c11b1b6b1ab1ac20Aa","unstructured":"[20] linode, linode. https:\/\/linode.com\/."},{"key":"2021040814294972713_j_popets-2018-0027_ref_021_w2aab3b7c11b1b6b1ab1ac21Aa","unstructured":"[21] J. Ugander, B. Karrer, L. Backstrom, and C. Marlow, \u201cThe anatomy of the facebook social graph,\u201d arXiv preprint arXiv:1111.4503, 2011."},{"key":"2021040814294972713_j_popets-2018-0027_ref_022_w2aab3b7c11b1b6b1ab1ac22Aa","unstructured":"[22] OpenStack IRC meetings. http:\/\/eavesdrop.openstack.org\/."},{"key":"2021040814294972713_j_popets-2018-0027_ref_023_w2aab3b7c11b1b6b1ab1ac23Aa","unstructured":"[23] twitter, twitter. https:\/\/twitter.com\/."},{"key":"2021040814294972713_j_popets-2018-0027_ref_024_w2aab3b7c11b1b6b1ab1ac24Aa","unstructured":"[24] reddit, reddit. https:\/\/reddit.com\/."},{"key":"2021040814294972713_j_popets-2018-0027_ref_025_w2aab3b7c11b1b6b1ab1ac25Aa","unstructured":"[25] Facebook, Facebook. https:\/\/facebook.com\/."},{"key":"2021040814294972713_j_popets-2018-0027_ref_026_w2aab3b7c11b1b6b1ab1ac26Aa","doi-asserted-by":"crossref","unstructured":"[26] R. Canetti and H. Krawczyk, \u201cAnalysis of key-exchange protocols and their use for building secure channels,\u201d in Proceedings of the International Conference on the Theory and Application of Cryptographic Techniques: Advances in Cryptology, EUROCRYPT \u201901, (London, UK, UK), pp. 453- 474, Springer-Verlag, 2001.","DOI":"10.1007\/3-540-44987-6_28"}],"container-title":["Proceedings on Privacy Enhancing Technologies"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/content.sciendo.com\/view\/journals\/popets\/2018\/3\/article-p181.xml","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.sciendo.com\/article\/10.1515\/popets-2018-0027","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2022,7,20]],"date-time":"2022-07-20T16:30:10Z","timestamp":1658334610000},"score":1,"resource":{"primary":{"URL":"https:\/\/petsymposium.org\/popets\/2018\/popets-2018-0027.php"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2018,4,28]]},"references-count":26,"journal-issue":{"issue":"3","published-online":{"date-parts":[[2018,4,28]]},"published-print":{"date-parts":[[2018,6,1]]}},"alternative-id":["10.1515\/popets-2018-0027"],"URL":"https:\/\/doi.org\/10.1515\/popets-2018-0027","relation":{},"ISSN":["2299-0984"],"issn-type":[{"value":"2299-0984","type":"electronic"}],"subject":[],"published":{"date-parts":[[2018,4,28]]}}}