Various attempts have been made to construct an efficient multiparty (known as group) authenticated key exchange protocol. OTR authors proposed a generalisation of two-party OTR to a multiparty use-case in [GUVGC09]. However, they did not specify the cryptographic primitives, neither did they give a formal definition of the adversaries nor the proof of the algorithm’s security (reduction). Although a more robust key exchange is proposed, some primary performance analysis of the implementation of the key agreement protocol has been shown to be impractically slow, especially on mobile devices [Gun13a][Git11].
[LVH13] proposes GOTR as an alternative to [GUVGC09] with a goal of improving on some of the its security and practical properties of [GUVGC09]. Most A notable change in GOTR compared to the original mpOTR proposal in [GUVGC09] is the use of p2p private channels to send message digest so as to establish transcript consistency and implicitly implicit message origin authenticity between users. GOTR also strives to imporve improve on repundibility and forgibility of the [GUVGC09]. It has been claimed that GOTR is to provide online repundibility (repudiability by considering deniability against an 'online judge), per message forgibility and and forging ' as well as forgeability for the entire transcript by a single party (the third seems this is possible by in [GUVGC09] as long as a deniable AKE is being used). The notation idea of online repundibilty repudiabilty relies on the judge controling controlling up to '''N-2''' parties while the two remaining "honest" parties are allowed to collude. This is an rather slightly unusual notion for both repundibility repudiability and honesty. [LVH13] also proposes an involved contributory BD based key agreement scheme, which disregard room consistancy consistency and turn turns GOTR into a broadcast scheme (c.f. [[#Appendix_B:_Other_design_possibilities|Appendix B]]).
=III. Design rationale =