E-mail with deniable authentication

Mario Castelán Castro marioxcc.MT at yandex.com
Thu Aug 31 04:35:49 CEST 2017

Hello. Thanks for your reply. I am aware of the first method as well as
a variation of the second (it had not occurred to me that they both can
use the same key! I had thought that each correspondent used one key of
his own with a meaningless ID and used only for communication with the
other correspondent). The problem is that these are an extra layer, not
currently implemented in GNU PG or any other software I know of.

I was hoping that OpenPGP had a feature of “deniable authentication of
[writer] to [recipient]”. It can be easily implemented with
Diffie-Hellman as follows.

Writer and recipient have a Diffie-Hellman key over the same group and
know each other's public key.

The writer computes the shared secret per the DH algorithm, and
processes it with a KDF. This is the key to a MAC algorithm (e.g.:
HMAC). The writer sends the message (either encrypted or
unencrypted), the authentication code, and a nonce (if the KDF requires
it) to the recipient.

To verify, the recipient computes the shared secret, the MAC key and the
authentication code of the message. The recipient knows (save for broken
algorithms or leaked private keys) that only the writer or him could
have computed the authentication code for the message. We assume that
the recipient remembers what he has written and what he has not written,
so he can discard himself, leaving the writer as the only option.

The recipient can divulge the message, but he can not prove that the
writer (as opposed to him) wrote the message, even if he is willing to
divulge his private key.

*Maybe* I will implement this scheme sometime in GNU PG as an OpenPGP
extension, if somebody doesn't do it in the meantime.

Alternatively, the writer can write a message encrypted to the
recipient public-key consisting of 3 parts: (1) A message signed by the
writer saying “I am sending *somebody* a secret message authenticated
with MAC algorithm ... and key ...”. (2) The authentication code. (3)
The message itself. The signed message (1) should not include the name
of the recipient. Obviously (3) should not be signed. (2) can be signed
without deniability implications, but is not necessary.

The most the recipient can do is to prove that the writer wrote “I am
sending *somebody* a secret message authenticated with MAC algorithm ...
and key ...”, but he can not even prove that the writer wrote that to *him*.

Both of these methods require no prior agreement between sender and

On 29/08/17 15:00, vedaal at nym.hush.com wrote:
> There are workarounds to accomplish this:
> [1] Sender 1 sends a signed and encrypted pgp e-mail to Receiver 1, 
> giving Receiver 1 a 'passphrase'  which they will agree to use for the
> next encrypted messages.
> [2] Sender 1 and Receiver 1 now send conventionally encrypted messages
> with this passphrase, but without signatures.
> [3] They both know that only the person who knows the passphrase could
> have sent it.
> [4] If they want deniability, they can say that the passphrase 'leaked
> out' and anybody who it leaked to could have sent it.
> Alternatively,
> One can generate a keypair with a random name, and send it to the
> other one, and they can both sign with it, but encrypt to their own
> non-shared keys.

Do not eat animals; respect them as you respect people.
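The DH-plus-MAC scheme described in the message above, as an added example that is not part of the original post or of GnuPG. It assumes a toy 127-bit group (a demonstration parameter, not a secure choice; a deployment would use a standard group such as an RFC 3526 MODP group or X25519), HKDF-SHA256 as the KDF and HMAC-SHA256 as the MAC, all from the Python standard library, and it shows why the tag is deniable: the recipient can produce a tag that verifies exactly as the writer's does.

```python
import hashlib
import hmac
import secrets

# Toy DH group, assumption for demonstration only: the Mersenne prime 2^127 - 1
# with generator 3. Not a safe prime and far too small for real use.
P = 2**127 - 1
G = 3

def dh_keypair():
    """Return (private exponent, public value) in the toy group."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def dh_shared_secret(my_priv, their_pub):
    # Symmetric: writer and recipient both land on the same value.
    return pow(their_pub, my_priv, P).to_bytes(16, "big")

def hkdf_sha256(ikm, salt, info, length=32):
    """HKDF (RFC 5869) with SHA-256: extract, then expand."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def mac_key(my_priv, their_pub, nonce):
    # The nonce sent with the message is the KDF salt, so each message gets a fresh key.
    return hkdf_sha256(dh_shared_secret(my_priv, their_pub), nonce, b"deniable-mac v1")

def authenticate(writer_priv, recipient_pub, message):
    """Writer side: returns (message, authentication code, nonce)."""
    nonce = secrets.token_bytes(16)
    tag = hmac.new(mac_key(writer_priv, recipient_pub, nonce), message, hashlib.sha256).digest()
    return message, tag, nonce

def verify(recipient_priv, writer_pub, message, tag, nonce):
    """Recipient side: recompute the tag from the same shared secret."""
    expected = hmac.new(mac_key(recipient_priv, writer_pub, nonce), message, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)

def demo():
    w_priv, w_pub = dh_keypair()
    r_priv, r_pub = dh_keypair()
    msg, tag, nonce = authenticate(w_priv, r_pub, b"meet at noon")  # constructed sample
    genuine_ok = verify(r_priv, w_pub, msg, tag, nonce)
    tampered_ok = verify(r_priv, w_pub, b"meet at one", tag, nonce)
    # Deniability: the recipient holds the same MAC key, so a tag he forges for a
    # message the writer never sent is indistinguishable from a genuine one, even to
    # a third party who is handed the recipient's private key.
    f_msg, f_tag, f_nonce = authenticate(r_priv, w_pub, b"I never said this")
    forged_ok = verify(r_priv, w_pub, f_msg, f_tag, f_nonce)
    return genuine_ok, tampered_ok, forged_ok
```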
