Paper 2025/470
On Deniable Authentication against Malicious Verifiers
Abstract
Deniable authentication allows Alice to authenticate a message to Bob, while retaining deniability towards third parties. In particular, not even Bob can convince a third party that Alice authenticated that message. Clearly, in this setting Bob should not be considered trustworthy. Furthermore, deniable authentication is necessary for deniable key exchange, as explicitly desired by Signal and off-the-record (OTR) messaging. In this work we focus on (publicly verifiable) designated verifier signatures (DVS), which are a widely used primitive to achieve deniable authentication. We propose a definition of deniability against malicious verifiers for DVS. We give a construction that achieves this notion in the random oracle (RO) model. Moreover, we show that our notion is not achievable in the standard model with a concrete attack; thereby giving a non-contrived example of the RO heuristic failing. All previous protocols that claim to achieve deniable authentication against malicious verifiers (like Signal's initial handshake protocols X3DH and PQXDH) rely on the Extended Knowledge of Diffie–Hellman (EKDH) assumption. We show that this assumption is broken and that these protocols do not achieve deniability against malicious verifiers.
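To make the deniability property in the first two sentences concrete, the following is an added toy example in Python; it is not code from the paper and not the DVS construction the paper proposes. Alice authenticates a message to Bob with an HMAC under a Diffie-Hellman key that only the two of them can derive. Bob can check the tag, but since he can compute the very same tag from his own secret key, a tag proves nothing to a third party about who produced it. The group parameters (a 127-bit Mersenne prime, generator 3) and the message are constructed for this illustration and are not secure parameters.

```python
import hashlib
import hmac
import secrets

# Toy group: p = 2^127 - 1 (prime), generator 3. Constructed for this example,
# far too small for real use.
P = (1 << 127) - 1
G = 3


def keygen():
    """Return (secret exponent, public element g^x mod p)."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def shared_key(my_sk, their_pk):
    """Derive a symmetric key from the DH value; symmetric in who calls it."""
    s = pow(their_pk, my_sk, P)          # g^(ab) from either side
    return hashlib.sha256(s.to_bytes(16, "big")).digest()


def authenticate(sender_sk, receiver_pk, msg):
    """Alice's authentication tag for msg, intended for the holder of receiver_pk."""
    k = shared_key(sender_sk, receiver_pk)
    return hmac.new(k, msg, hashlib.sha256).digest()


def verify(receiver_sk, sender_pk, msg, tag):
    """Bob checks the tag with the key derived from his own secret."""
    k = shared_key(receiver_sk, sender_pk)
    expected = hmac.new(k, msg, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


def forge_as_verifier(receiver_sk, sender_pk, msg):
    """Bob, using only his own secret, produces exactly the tag Alice would.

    This is the source of deniability: a third party shown (msg, tag) cannot
    tell whether Alice or Bob computed it.
    """
    return authenticate(receiver_sk, sender_pk, msg)


def demo():
    """Run the exchange once; returns True when Bob's forgery matches Alice's tag."""
    a_sk, a_pk = keygen()
    b_sk, b_pk = keygen()
    msg = b"constructed sample message"  # constructed input for the example
    tag = authenticate(a_sk, b_pk, msg)
    assert verify(b_sk, a_pk, msg, tag)          # honest verification works
    assert not verify(b_sk, a_pk, msg + b"!", tag)
    return forge_as_verifier(b_sk, a_pk, msg) == tag


if __name__ == "__main__":
    print("verifier can forge Alice's tag:", demo())
```

The deniability argument above silently assumes that Bob knows the secret exponent behind the public key he registered, i.e. that he generated it honestly. A verifier who chooses a public key without knowing a matching secret is the malicious-verifier setting the abstract is about; the knowledge-type assumption (EKDH) that previous protocols use to cover that case is what the paper reports broken, and this toy scheme makes no claim for it.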
Metadata
- Available format(s): PDF
- Category: Public-key cryptography
- Publication info: Preprint.
- Keywords: Deniability, Random oracle model, Rogue key attacks
- Contact author(s): rune fiedler @ cryptoplexity de; roman langrehr @ inf ethz ch
- History: 2025-03-12: received; 2025-03-13: approved
- Short URL: https://ia.cr/2025/470
- License: CC BY
BibTeX
@misc{cryptoeprint:2025/470,
  author = {Rune Fiedler and Roman Langrehr},
  title = {On Deniable Authentication against Malicious Verifiers},
  howpublished = {Cryptology {ePrint} Archive, Paper 2025/470},
  year = {2025},
  url = {https://eprint.iacr.org/2025/470}
}