Changes
* <span>'''Participant list'''</span>'': <math>plist^S_i</math> is the list of participants which <math>U_i</math> believes are participating in the chat session ''S''.'' When there is no ambiguity in the underlying session, we simply use <math>plist_i</math> notation.
* <span>'''key id'' is the serial number given to the P2P keys generated during the process of key exchange, is computed as <math>Hash(U_i|y_i|U_j|y_j)</math>.
* <span>'''Ephemeral key list'''</span>'': <math>klist^S_i</math> is the list of ephemeral public key <math>y_j = g^{x_j}</math>'s of all participants which <math>U_i</math> believes they are using in the chat session ''S''.'' When there is no ambiguity in the underlying session, we simply use <math>klist_i</math> notation instead. We use the notaion of <math>plist_i|klist_i<\/math> to represent ordered concatenation of <math>U_i|y_i</math> pairs as in <math>U_1|y_1|\dots|U_n|y_n</math>. The order is assumed to be computable by all participants (lexicographically ordered using long term public key of participants, for example).
* <span>'''Session key of <math>\Pi^S_j</math> as seen by <math>U_i</math>'''</span>'': <math>sk^S_i</math> (or <math>sk_i</math>) is the session key of session ''S'' as computed by <math>\Pi_i</math>. It represents the cryptographic secret computed by AGKE, it can be a set of secrets. The essential defining factor is that it should become common knowledge for the session participants at the end of AGKE execution. Similarly we define <math>subk_i</math> to represent the subsession key''
* <span>'''Accepted state'''</span>'': A party enters the accepted state if it has computed <math>sk^S_i</math> and has detected no errors in the protocol.''
|align="center"|7
|align="right"|Generate secret shares
|align="center"|<math>z'_i := \leftarrow (H(k_{i,j}, sid_i) for j \in \{1,\dots,n\})</math>
|align="center"|Computation
|-
|-
|align="right"|Generate Triple Diffie-Hellman P2P keys
|align="center"|<math>k_{i,j} \leftarrow H({y_j}^{LSK_{U_i}},LPK{U_j}^{x_i},y_j^{x_i})</math>}}
|align="center"|Computation
|-
|align="right"|Generate key confirmations
|align="center"|<math>kc_i \leftarrow (H(k_{i,1}, U_1),\dots,H(k_{i,n}, U_n))</math>}}
|align="center"|Computation
|}
|-
|align="right"|Generate secret shares
|align="center"|<math>z'_i := \leftarrow (H(k_{i,j}, sid_i) for j \in \{1,\dots,n\})</math>
|align="center"|Computation
|-
|-
|align="right"| Receive other user(s)' key shares and confirmation of unauthenticated users or Time out
|align="center"|Wait to Receive (<math>U_j|z_j,\sigma_1,kc_{ji}) </math> for <math> U_j</math> unauthenticated or Timeout_byTimeout by(2BROADCAST_LATENCY2<math>\times</math>BROADCAST_LATENCY+INTERACTION_GRACE_INTERVAL, Drop inactive users, queue a new session request)
|align="center"|Receive
|-
|align="right"|Check validity of key confirmation of unauthenticated users
|align="center"|<math>kc_i[j] \stackrel{?}{=} H(k_{j,i}, U_j) \textrm{ </math> for } U_j \textrm{unauthenticated}<math> U_j</math>
|align="center"|Computation
|-
|align="right"|Check signatures
|align="center"|<math>Verify_{y_i}(\sigma_j) \textrm{ </math> for } ''j \'' in \{1,\dots...,''n\''}</math>
|align="center"|Computation
|-
|-
|align="right"| Send farewell message
|align="center"|<math>Send("Leaving!")</math>
|align="center"|Broadcast
|-
|align="right"| Wait to receive hashes of TranscriptChain or Timeout
|align="center"|Wait to Receive() or Timeout by((2*<math>\times</math>BROADCAST_LATENCY)+INTERACTION_GRACE_INTERVAL)
|align="center"|Receive
|}
|-
|align="right"| Send Hash of TranscriptChain of last message seen by leaving user
|align="center"|Send(<math>Send(H(TranscriptChain^S_i[Parent(m_{farewell})]))</math>)
|align="center"|Broadcast
|-
If meta_only flag is true then User message is ignored and client is informed not display anything
<math>ustate_i</math> flag = {0: sender has no key update from <math>U_i<\/math>, 1: sender has received a new ephemeral key from <math>U_i</math>, 2: user has received secret share from <math>U_i<\/math>}
current_load = (load_flag, load)
|-
|align="right"| Append the hash of the TranscriptChain, up to the parent of the message being sent
|align="center"|<math> m \leftarrow </math> (''m'', <math>H(H(parent(m)), H(TransciptChain^S_i[parent(m)-1]))</math>, <math>parent\_id(m)</math>, <math>own\_seq\_num) </math>)
|align="center"|Computation
|-
|-
|align="right"| Decrypt message
|align="center"|<math> sid_{rec}, sender_idsender\_id, m, s, h, parent\_id, sender\_seq\_num, sigma \leftarrow Dec_k(m) </math>
|align="center"|Computation
|-
|align="right"| Check signature
|align="center"|<math> Verify_{sender_idsender\_id}(m,\sigma) </math>
|align="center"|Computation
|-
|-
|align="right"| Verify session id and transcript consistency and sender sequence number, issue a warning in case of failure
|align="center"|<math> sid_i \stackrel{?}{=} sid_{rec} \; </math> and <math> \; h \stackrel{?}{=} H(H(parent(m)), H(TranscriptChain^S_i[parent(m)-1])) </math> and <math> sender\_seq\_num \stackrel{?}{>} last\_own\_seq\_nums[sender_idsender\_id] </math>
|align="center"|Computation
|-
|-
|align="right"| Update sender sequence number record
|align="center"|<math>last\_own\_seq\_nums[sender_idsender\_id] \leftarrow sender\_seq\_num </math>
|align="center"|Computation
|-
|-
|align="right"| Update rekey timeout timer
|align="center" ResetRekeyTimeOut|ResetRekeyTimeOut(<math>(sender_i)</math>)
|align="center"|Computation
|-
|-
|align="right" | If we are part of a session id in the room call ''Send''
|align="center"|<math> Send </math>
|align="center"| Broadcast
|-
|-
|align="right" | If ''m'' has session id call ''Receive''
|align="center"|<math> if ''m.'' has ''sid Call '' then Receive </math>
|align="center"| Computation
|-
|-
|align="right" | Prepend key id and sender id
|align="center"|<math> m \leftarrow (key_idkey\_id, U_i, m) </math>
|align="center"|Computation
|-
|-
|align="right"|Encrypt
|align="center"|<math>e \leftarrow Enc_{k_{key_idkey\_id}}(m)</math>
|align="center"|Computation
|-
|align="right"| Broadcast the message
|align="center"|<math>(key_idkey\_id, e)</math>
|align="center"|Broadcast
|}
|-
|align="right"| Decrypt message
|align="center"|<math> key_{id}, sender_idsender\_id, m, sigma \leftarrow Dec_{k_{key_idkey\_id}}(m) </math>
|align="center"|Computation
|-
|align="right"| Check signature
|align="center"|<math> Verify_{sender_idsender\_id}(m,\sigma) </math>
|align="center"|Computation
|-
|-
|align="right"| Receive ''m'' with parent ''p'' from <math>\Pi^S_j</math>
|align="center"|<math> m \leftarrow seqnum(M), p \leftarrow parentnum(m)</math>
|align="center"|Computation
|-
|-
|align="right"| Include the new ephemeral key if participant <math>U_j</math> has not receive it
|align="center"|<math> if If <math>ustate_i[j] \stackrel{?}{=} 0</math> meta\_data \leftarrow <math>y_{i_{new}}</math>
|align="center"|Computation
|-
|align="right"| If (all) participants have sent their ephemeral keys compute the shared secret
|align="center"|<math>if If <math>ustate_{j}[i] \stackrel{?}{=} 1</math> for all ''j''
in {1,...''n}, then <math> meta\_data \leftarrow (meta\_data, GroupEnc(k_{i_j} for j \in \{1,\dots,n\}, z'))</math>
|align="center"|Computation
