Paper 2022/1405

Subverting Deniability

Marcel Armour, Royal Holloway University of London
Elizabeth A. Quaglia, Royal Holloway University of London

Deniable public-key encryption (DPKE) is a cryptographic primitive that allows the sender of an encrypted message to later claim that they sent a different message. DPKE's threat model assumes powerful adversaries who can coerce users to reveal plaintexts; it is thus reasonable to consider other advanced capabilities, such as the ability to subvert algorithms in a so-called Algorithm Substitution Attack (ASA). An ASA replaces a trusted algorithm with a subverted version that undermines security from the point of view of the adversary while remaining undetected by users. ASAs have been considered against a number of primitives including digital signatures, symmetric encryption and pseudo-random generators. However, public-key encryption has presented a less fruitful target, as the sender's only secrets are plaintexts and ASA techniques generally do not provide sufficient bandwidth to leak these. In this work, we show that subversion attacks against deniable encryption schemes present an attractive opportunity for an adversary. We note that whilst the notion is widely accepted, there are as yet no practical deniable PKE schemes; we demonstrate the feasibility of ASAs targeting deniable encryption using a representative scheme as a proof of concept. We also provide a formal model and discuss how to mitigate ASAs targeting deniable PKE schemes. Our results strengthen the security model for deniable encryption and highlight the necessity of considering subversion in the design of practical schemes.

Available format(s)
Attacks and cryptanalysis
Publication info
Published elsewhere. Provable and Practical Security
Deniable Encryption Algorithm Substitution Attacks
Contact author(s)
marcel armour 2017 @ rhul ac uk
Elizabeth quaglia @ rhul ac uk
2022-10-23: approved
2022-10-16: received
See all versions
Short URL
Creative Commons Attribution


      author = {Marcel Armour and Elizabeth A. Quaglia},
      title = {Subverting Deniability},
      howpublished = {Cryptology ePrint Archive, Paper 2022/1405},
      year = {2022},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.