Consistent Synchronous Group Off-The-Record Messaging with SYM-GOTR

Open access


We describe SYM-GOTR, a protocol for secure Group Off-The-Record (GOTR) messaging. In contrast to previous work, SYM-GOTR is the first protocol to offer confidential, authenticated, and repudiable conversations among a dynamic group with the additional properties of message unlinkability and the guarantee that all users see the same conversation, while providing efficient use of network and CPU resources. SYM-GOTR achieves these properties through the use of a novel optimistic consistency check protocol that either determines that all users agree on a transcript with constant-size messages or identifies at least one user that has not followed the protocol. We provide an implementation of SYM-GOTR as a Java library along with a plugin for the Jitsi instant messaging client. We analyze the performance of SYM-GOTR in a real-world deployment scenario and discuss the challenges of providing a usable implementation without compromising the security of the conversation.

