Definition
Deniable authentication is a cryptographic property that lets a recipient be confident who sent a message during a conversation, while ensuring that afterward no one, including the recipient, can prove to a third party who authored it. It threads a needle that ordinary digital signatures cannot: a signature authenticates a message but also creates permanent, transferable proof of authorship. For private conversation, that proof is a liability, and deniability is the antidote.
Why signatures are the wrong tool for chat
If every message in a private chat were digitally signed, any leaked transcript would come with cryptographic receipts proving exactly who said what. Off-the-Record Messaging (OTR) introduced the alternative now standard in secure messengers: instead of signatures, messages are authenticated with a Message Authentication Code (MAC) computed under a key shared by both parties. A MAC convinces the recipient, because only the two of them hold the key, but it proves nothing to an outsider, since the recipient could have forged the same MAC themselves.
Forgeability as a feature
OTR strengthens this by publishing old MAC keys after they are no longer needed, so that once a key is retired, literally anyone can forge messages that appear to come from a participant. Counterintuitively, this universal forgeability is the goal: if anyone could have produced a transcript, the transcript proves nothing about anyone. The Signal Protocol achieves an analogous deniability in its key agreement by authenticating through Diffie-Hellman exchanges rather than signatures.
This property is built into the handshake of X3DH and is one of the guarantees offered by the Signal Protocol.
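The MAC argument from the two sections above, as an added example (not code from OTR or the Signal Protocol): a tag made under the shared key convinces Bob, yet Bob, or anyone who later obtains the retired key, can produce an equally valid tag on text Alice never wrote. The function names, the sample messages and the random stand-in key are assumptions for illustration; a real protocol derives its MAC keys from the key agreement.

```python
import hashlib
import hmac
import secrets

def tag(key: bytes, sender: str, text: str) -> bytes:
    """HMAC-SHA256 over (sender, text) under the key both parties hold."""
    # Length-prefix the sender so the two fields cannot run together.
    msg = len(sender).to_bytes(2, "big") + sender.encode() + text.encode()
    return hmac.new(key, msg, hashlib.sha256).digest()

def verify(key: bytes, sender: str, text: str, t: bytes) -> bool:
    """Constant-time check that t is a valid tag for (sender, text)."""
    return hmac.compare_digest(tag(key, sender, text), t)

def demo() -> dict:
    # Constructed session: a random key stands in for the shared MAC key.
    mac_key = secrets.token_bytes(32)

    # 1. Alice tags a message. Bob knows he did not write it, so a valid
    #    tag tells him it came from the only other key holder.
    genuine = ("alice", "meet at noon", tag(mac_key, "alice", "meet at noon"))
    bob_accepts = verify(mac_key, *genuine)

    # 2. Bob holds the same key, so he can tag text Alice never sent.
    #    A third party handed the key sees both messages verify.
    bob_text = "text alice never wrote"
    by_bob = ("alice", bob_text, tag(mac_key, "alice", bob_text))

    # 3. The key is retired and published: an outsider can now do the same.
    published_key = mac_key
    stranger_text = "written by a stranger"
    by_stranger = ("alice", stranger_text,
                   tag(published_key, "alice", stranger_text))

    return {
        "bob_accepts": bob_accepts,
        "judge_accepts_genuine": verify(mac_key, *genuine),
        "judge_accepts_bob_forgery": verify(mac_key, *by_bob),
        "judge_accepts_stranger_forgery": verify(published_key, *by_stranger),
        # Without the key, a tag from a different key is still rejected.
        "wrong_key_rejected": not verify(secrets.token_bytes(32), *genuine),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Every check a third party can run passes for the genuine message and for both forgeries, which is why the transcript carries no proof of authorship.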
