Subverting Deniability

Marcel Armour, Elizabeth Quaglia

Research output: Contribution to conferencePaperpeer-review

12 Downloads (Pure)


Deniable public-key encryption (DPKE) is a cryptographic primitive that allows the sender of an encrypted message to later claim that they sent a different message. DPKE's threat model assumes powerful adversaries who can coerce users to reveal plaintexts; it is thus reasonable to consider other advanced capabilities, such as being able to subvert algorithms in a so-called Algorithm Substitution Attack (ASA). ASAs have been considered against a number of primitives including digital signatures, symmetric encryption and pseudo-random generators. However, public-key encryption has presented a less fruitful target, as the sender's only secrets are plaintexts and ASA techniques generally do not provide sufficient bandwidth to leak these.

In this article, we give a formal model of ASAs against DPKE, and argue that subversion attacks against DPKE schemes present an attractive opportunity for an adversary. Our results strengthen the security model for DPKE and highlight the necessity of considering subversion in the design of practical schemes.
Original languageEnglish
Number of pages8
Publication statusPublished - 7 Nov 2022
EventThe 16th Conference on Provable and Practical Security - Nanjing, China
Duration: 11 Nov 202212 Nov 2022
Conference number: 16


ConferenceThe 16th Conference on Provable and Practical Security
Abbreviated titleProvSec


  • cryptography
  • deniable encryption
  • algorithm substitution attacks

Cite this