Paper 2025/154

Shadowfax: Combiners for Deniability

Phillip Gajland, Max Planck Institute for Security and Privacy, Ruhr University Bochum
Vincent Hwang, Max Planck Institute for Security and Privacy, Radboud University Nijmegen
Jonas Janneck, Ruhr University Bochum
Abstract

As cryptographic protocols transition to post-quantum security, most adopt hybrid solutions combining pre-quantum and post-quantum assumptions. However, this shift often introduces trade-offs in terms of efficiency, compactness, and in some cases, even security. One such example is deniability, which enables users, such as journalists or activists, to deny authorship of potentially incriminating messages. While deniability was once mainly of theoretical interest, protocols like X3DH, used in Signal and WhatsApp, provide it to billions of users. Recent work (Collins et al., PETS'25) has further bridged the gap between theory and real-world applicability. In the post-quantum setting, however, protocols like PQXDH, as well as others such as Apple’s iMessage with PQ3, do not support deniability. This work investigates how to preserve deniability in the post-quantum setting by leveraging unconditional (statistical) guarantees instead of computational assumptions - distinguishing deniability from confidentiality and authenticity. As a case study, we present a hybrid authenticated key encapsulation mechanism (AKEM) that provides statistical deniability, while maintaining authenticity and confidentiality through a combination of pre-quantum and post-quantum assumptions. To this end, we introduce two combiners at different levels of abstraction. First, at the highest level, we propose a black-box construction that combines two AKEMs, showing that deniability is preserved only when both constituent schemes are deniable. Second, we present Shadowfax, a non-black-box combiner that integrates a pre-quantum NIKE, a post-quantum KEM, and a post-quantum ring signature. We demonstrate that Shadowfax ensures deniability in both dishonest and honest receiver settings. When instantiated, we rely on statistical security for the former, and on a pre- or post-quantum assumption in the latter. 
Finally, we provide an optimised, yet portable, implementation of a specific instantiation of Shadowfax yielding ciphertexts of 1781 bytes and public keys of 1449 bytes. Our implementation achieves competitive performance: encapsulation takes 1.9 million cycles and decapsulation takes 800000 cycles on an Apple M1 Pro.

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
Preprint.
Keywords
Deniability, Authenticated KEM, Combiner
Contact author(s)
phillip gajland @ rub de
vincentvbh7 @ gmail com
jonas janneck @ rub de
History
2025-02-02: last of 2 revisions
2025-01-31: received
Short URL
https://ia.cr/2025/154
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2025/154,
      author = {Phillip Gajland and Vincent Hwang and Jonas Janneck},
      title = {Shadowfax: Combiners for Deniability},
      howpublished = {Cryptology {ePrint} Archive, Paper 2025/154},
      year = {2025},
      url = {https://eprint.iacr.org/2025/154}
}