Cryptographic Deniability

Also known as: deniability, repudiability, deniable authentication, off-the-record

Cryptographic deniability is a property of a messaging protocol where conversation partners can verify each other's messages in real time, yet neither can later produce mathematical proof to a third party of what was said or even that the two communicated. Authentication relies on shared symmetric keys both sides hold, so any transcript could have been forged by either participant.

Most people assume an encrypted message proves who sent it. With a digital signature scheme like PGP or S/MIME, that intuition holds: only your private key can produce a valid signature, so a saved message becomes durable, court-admissible evidence that you wrote it. That is non-repudiation, and it is the opposite of what a private conversation should offer.

Deniable messaging flips this. Instead of signing each message with your long-term private key, the two parties first run an authenticated key exchange to agree on a shared symmetric key, then authenticate each message with a MAC computed from that shared key. Crucially, both parties know the key — so either one could have generated any valid MAC. During the live session each side trusts the messages because they assume the other did not leak the key. Afterward, that trust is non-transferable: a transcript anyone presents could equally have been fabricated by the recipient.

The idea was formalized in 2004 by Borisov, Goldberg, and Brewer in the Off-the-Record (OTR) protocol, which deliberately stripped the non-repudiation of PGP. Modern X3DH inherits a related guarantee: either party can construct a fake transcript using only their own keys, so the key agreement itself is deniable. This is why deniability and end-to-end encryption are different goals — one hides content, the other governs what a leaked transcript can prove.

How it works

Authentication is symmetric, not signature-based:

1. Two parties run a mutually authenticated key exchange (X3DH) to derive a shared secret. The agreement uses Diffie-Hellman, so either party could simulate it alone — no signature commits a long-term key to the conversation.

2. Each message is authenticated with a symmetric tag (an AEAD authentication tag / MAC) keyed by material both sides possess.

3. Because both endpoints hold the authentication key, any valid tag could have been produced by either of them. A third party who later sees the key and a transcript cannot attribute a message to one specific author.

4. Forward secrecy compounds this: once per-message keys are deleted, even the participants cannot reconstruct which side authored what.

How RVNT uses Cryptographic Deniability

RVNT authenticates messages with AES-256-GCM tags derived from the Double Ratchet, keyed by secrets both peers share — symmetric, not per-message signatures over content, which keeps the chat body deniable. The initial hybrid X3DH key agreement is itself deniable. Note the honest caveat below: RVNT's sealed sender certificate carries an Ed25519 signature over identity and timestamp (not message text), so RVNT does not advertise full content non-repudiation removal as a headline guarantee.

Honest limitations

RVNT does not market itself as a 'deniable messenger' the way OTR did. Its sealed-sender certificate is Ed25519-signed (over the sender's identity key and a timestamp, not message content), which authenticates the sender to the recipient — the message body's symmetric authentication remains deniable, but the architecture is not optimized to maximize repudiability.
Deniability is a cryptographic property, not a legal shield. A motivated adversary can still rely on device seizure, screenshots, witness testimony, or a compromised endpoint — none of which the math addresses.
Online (interactive) deniability against an adversary who participates in real time is strictly weaker than offline deniability; academic results show some deniability claims do not survive a judge who can interact with the protocol live.

Frequently asked questions

What is the difference between deniability and non-repudiation?

They are opposites. Non-repudiation (PGP, S/MIME digital signatures) produces durable proof that a specific person authored a message. Deniability removes that proof: messages are authenticated with keys both parties share, so neither can later demonstrate to a third party who wrote what.

Does end-to-end encryption give me deniability?

Not automatically. End-to-end encryption hides message content from outsiders, but a protocol could still sign each message with your private key, creating proof of authorship. Deniability is a separate design choice about how messages are authenticated — using shared symmetric keys instead of personal signatures.

If messages are deniable, how does the recipient know they are real?

During the live conversation, the recipient trusts the messages because the authentication key is shared only between the two of them and they assume the other party has not leaked it. That trust is real in the moment but cannot be transferred to anyone outside the conversation.

Every definition here describes something RVNT actually ships — a post-quantum, end-to-end-encrypted, peer-to-peer messenger with no phone number and no servers.

Get RVNT Browse the glossary