Paper 2025/154

Shadowfax: A Deniability-Preserving AKEM Combiner

Phillip Gajland, Max Planck Institute for Security and Privacy, Ruhr University Bochum
Vincent Hwang, Max Planck Institute for Security and Privacy, Radboud University Nijmegen
Jonas Janneck, Ruhr University Bochum

Abstract

As cryptographic protocols transition to post-quantum security, most adopt hybrid solutions combining pre-quantum and post-quantum assumptions. However, this shift often introduces trade-offs in terms of efficiency, compactness, and in some cases, even security. One such example is deniability, which enables users, such as journalists or activists, to deny authorship of potentially incriminating messages. While deniability was once mainly of theoretical interest, protocols like X3DH, used in Signal and WhatsApp, provide it to billions of users. In the post-quantum setting, however, protocols like PQXDH, as well as others such as Apple’s iMessage with PQ3, do not support deniability. This work investigates how to efficiently preserve deniability in the post-quantum setting. To this end, we introduce two combiners for authenticated KEMs (AKEMs) at different levels of abstraction. First, at the highest level, we propose a black-box construction that combines two AKEMs, showing that deniability is preserved when both constituent schemes are deniable. Second, we present Shadowfax, a non-black-box combiner that integrates a pre-quantum NIKE, a post-quantum KEM, and a post-quantum ring signature. We demonstrate that Shadowfax ensures deniability in both dishonest and honest receiver settings. When instantiated, we rely on statistical security for the former, and on a pre- or post-quantum assumption in the latter. Finally, we provide an optimised, yet portable, implementation of a specific instantiation of Shadowfax yielding ciphertexts of 1 781 bytes and public keys of 1 449 bytes. Our implementation achieves competitive performance: encapsulation takes 1.9 million cycles and decapsulation takes 800 000 cycles on a Firestorm core running at 3GHz on an Apple M1 Pro.

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
Preprint.
Keywords
Deniability, Authenticated KEM, Combiner
Contact author(s)
phillip gajland @ rub de
vincentvbh7 @ gmail com
jonas janneck @ rub de
History
2025-05-19: last of 4 revisions
2025-01-31: received
Short URL
https://ia.cr/2025/154
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2025/154,
      author = {Phillip Gajland and Vincent Hwang and Jonas Janneck},
      title = {Shadowfax: A Deniability-Preserving {AKEM} Combiner},
      howpublished = {Cryptology {ePrint} Archive, Paper 2025/154},
      year = {2025},
      url = {https://eprint.iacr.org/2025/154}
}