up:: Security Basics MOC
Non-repudiation
Non-repudiation is the assurance that a party cannot credibly deny having taken an action, such as signing a document or sending a message, because the cryptographic evidence binds that action to a private key that only they hold. It is delivered almost entirely by digital signatures: only the holder of a private key can produce a valid signature over a message, so a valid signature is evidence that this specific key holder produced it. That property turns a technical check into evidence, which is why non-repudiation underpins signed contracts, tamper-evident audit logs, and code-signing. The quantum threat matters here because once a large quantum computer running Shor’s algorithm recovers a private key from its public key, anyone can forge the signature, so the signature stops proving anything and non-repudiation collapses.
The short version:
- Non-repudiation means a signer can’t later claim they never signed, because a valid digital signature could only have come from their private key.
- It’s the property that makes a signature usable as evidence, which is what contracts, audit trails, and software signing rely on.
- A MAC can’t provide it. Both parties share the same secret, so either could have produced the tag, and neither can prove which one did.
- Non-repudiation is distinct from authentication (are you who you claim right now?) and integrity (was the data changed?). A signature happens to deliver all three at once.
- The quantum threat breaks non-repudiation by making forgery possible. Once Shor’s algorithm recovers a private key, anyone can produce a valid-looking signature, so the signature stops singling out one signer. The fix is post-quantum signatures like ML-DSA.
Picture a medieval seal pressed from a signet ring into wax. When a lord’s sealed order arrives, the recipient trusts it because only that lord holds the ring that presses that exact crest. If the lord later tries to say “I never sent that,” the seal itself argues back: the crest is his and his alone, so the order is his. Non-repudiation is the mathematical version of that seal. The private key is the ring, the signature is the impression in the wax, and the math is what makes the impression impossible to forge, so the signer can’t wriggle out of an action the seal records. The quantum problem is that Shor’s algorithm hands any forger a perfect copy of the ring, cut from the public crest alone, and once everyone can press the seal, the seal stops proving who pressed it.
What is non-repudiation?
Non-repudiation is the security guarantee that a party can’t successfully deny the authenticity or origin of something they produced, such as a message they sent or a document they signed. It’s one of the goals that sits on top of the CIA triad, alongside authentication, and it becomes essential the moment an action needs to hold up to a third party later. NIST’s control catalog frames it as protection against an individual falsely denying having performed a particular action, and gives the capability to determine whether a given individual took a particular action such as creating information, sending a message, or approving information.
There are actually two closely related senses of the word, and it helps to keep both in view:
- Non-repudiation of origin. The producer of a message or document can’t deny having created it. This is the sense that digital signatures deliver, and it’s the one that matters for contracts, code, and records.
- Non-repudiation of delivery or receipt. The recipient can’t deny having received something. Some NIST definitions frame non-repudiation around proof of delivery paired with proof of the sender’s identity, so neither side can later deny having handled the information.
Across standards bodies the definitions line up closely. NIST’s signature standards describe non-repudiation as a service that lets a third party verify that data originated from a specific entity in possession of the private key, and ISO/IEC 27000 defines it as the ability to prove the occurrence of a claimed event or action and its originating entities.
| Source | How it defines non-repudiation |
|---|---|
| NIST SP 800-53 Rev. 5 / CNSSI 4009-2015 | Protection against an individual falsely denying having performed a particular action; provides the capability to determine whether a given individual took a particular action |
| NIST FIPS 186-5, FIPS 204, FIPS 205 | A service used to provide assurance of the integrity and origin of data, verifiable by a third party as having originated from a specific entity in possession of the private key (the signatory) |
| NIST SP 800-60 Rev. 1 | Assurance that the sender is provided proof of delivery and the recipient proof of the sender’s identity, so neither can later deny having processed the information |
| ISO/IEC 27000 | The ability to prove the occurrence of a claimed event or action and its originating entities |
Source: NIST, “Security and Privacy Controls for Information Systems and Organizations,” SP 800-53 Rev. 5, September 2020, SP 800-53 Rev. 5.
NIST Computer Security Resource Center glossary, “non-repudiation,” CSRC glossary.
How do digital signatures provide non-repudiation?
A digital signature provides non-repudiation because it can only be produced with a private key that exactly one party holds, while it can be checked by anyone holding the matching public key. That asymmetry is the whole mechanism. The signer runs a signing operation over the message using their secret private key, and the resulting signature is a value that a verifier can confirm came from that private key without ever seeing it. Since the private key never leaves the signer’s control, a valid signature is evidence that points back to one specific key holder.
Walk the three properties a signature delivers together, because non-repudiation is the one that rests on the other two:
- Integrity first. The signature is computed over the message content (technically over a hash of it), so changing a single bit makes verification fail. A passing check means the content is exactly what was signed.
- Authentication next. A valid signature ties the message to the private key, and therefore to whoever controls it, so the verifier learns who produced it.
- Non-repudiation on top. Because only the private-key holder could have produced that signature, the binding to the signer is strong enough to argue against a later denial. Integrity and authentication establish “this came unchanged from this key”; non-repudiation is the consequence that the key holder can’t plausibly say otherwise.
One nuance keeps non-repudiation honest: it binds an action to a key, not directly to a human. The evidentiary chain holds only as far as the key was genuinely under the signer’s sole control. This is why key management, secure key storage, and the surrounding PKI that vouches for whose key it is are all part of the non-repudiation story. A stolen or poorly protected private key weakens the claim, because the signer can argue the key was compromised.
Source: NIST, “Digital Signature Standard (DSS),” FIPS 186-5, February 2023, FIPS 186-5.
Why can’t a MAC provide non-repudiation?
A Message Authentication Code can prove a message is authentic and unaltered, yet it can never provide non-repudiation, and the reason is structural. A MAC is symmetric: the sender and receiver share one identical secret key, and that same key both produces and checks the tag. Because both parties hold the same secret, either of them could have produced any given tag, so a MAC proves the message came from someone holding the key while leaving open which party it was. In a dispute, the sender can point at the receiver and say “you have the key too, you could have forged it,” and the math offers no way to rule that out.
A digital signature closes exactly that gap. The private key lives with one party only, so a valid signature singles that party out, and that single structural difference is what gives signatures non-repudiation and denies it to MACs.
| Property | Digital signature | MAC (e.g. HMAC) |
|---|---|---|
| Key model | Asymmetric (private signs, public verifies) | Symmetric (one shared secret) |
| Who can create a valid tag | Only the private-key holder | Either party holding the shared key |
| Singles out one producer | Yes | No, either party could have made it |
| Non-repudiation | Yes | No |
| Holds up as third-party evidence | Yes | No |
The practical read is that a MAC is the right tool when two already-trusting parties share a secret and just need speed and integrity inside a session, and a signature is the tool when the proof has to survive a later disagreement or convince someone who wasn’t there.
Source: NIST, “The Keyed-Hash Message Authentication Code (HMAC),” FIPS 198-1, July 2008, FIPS 198-1.
Where does non-repudiation matter most?
Non-repudiation matters wherever an action has to stay attributable after the fact, especially when money, safety, or a legal outcome depends on who did what. These are the surfaces where it does real work:
- Contracts and e-signatures. A digitally signed agreement binds each party to their commitment, and a reputable e-signature platform uses digital signatures underneath precisely so a party can’t later claim the document was altered or that they never signed it.
- Audit logs and records. Signed log entries and records let an auditor or investigator show that a specific system or person produced an entry and that it hasn’t been edited since, which is what makes the log admissible rather than merely suggestive.
- Code and firmware signing. When an operating system or a secure-boot chain verifies a signed update, non-repudiation ties that software back to the vendor’s signing key, so a malicious build can’t masquerade as a legitimate release and the vendor’s own key stands behind what runs.
- Financial and blockchain transactions. A signature authorizes a payment or a transfer, and non-repudiation is what stops the sender from disowning a transaction they signed. On a blockchain the private key is the account, and the signature is the spend authorization that no one can repudiate.
- Tokens and federated identity. Signed JWTs and SAML assertions let a relying service prove an identity provider issued a token, so neither side can deny the assertion that logged a user in.
Because this is the trust and evidence layer rather than the secrecy layer, a failure of non-repudiation is a forgery-and-deniability problem: actions that look attributable while the attribution has quietly dissolved.
How is non-repudiation different from authentication and integrity?
Non-repudiation, authentication, and integrity are three separate guarantees that a digital signature happens to deliver in one operation, and confusing them leads to real design mistakes. The clean way to separate them is by the question each one answers and the moment in time it applies to:
- Integrity answers “was this data changed?” It’s a property of the message itself, checkable by anyone, and it needs no notion of identity. A plain hash gives you integrity with no signer at all.
- Authentication answers “are you who you claim to be, right now?” It establishes identity, often as a live gate before access. Authentication can be ephemeral: a session proves who you are for the length of that session and nothing more.
- Non-repudiation answers “can you deny you did this, later?” It’s about durable, third-party-checkable attribution that outlives the moment. Authentication convinces me, now; non-repudiation convinces a third party, later.
The sharpest contrast is between authentication and non-repudiation. A symmetric MAC or a shared password can authenticate a party to a counterparty who already shares the secret, yet it provides no non-repudiation, because the shared secret means the verifier could have produced the same proof. Non-repudiation demands that the verifier be unable to have produced the evidence themselves, which is exactly why it requires the asymmetry of a private key.
| Property | Question it answers | Time frame | Delivered by |
|---|---|---|---|
| Integrity | Was the data changed? | Any time, by anyone | Hashes, MACs, signatures |
| Authentication | Are you who you claim, right now? | The moment of access | Passwords, MACs, signatures, certificates |
| Non-repudiation | Can you deny you did this, later? | Durable, checkable by a third party afterward | Digital signatures only |
What does the quantum threat do to non-repudiation?
The quantum threat dismantles non-repudiation by making digital signatures forgeable, which pulls out the one thing that made a signature attributable. A cryptographically relevant quantum computer running Shor’s algorithm efficiently solves integer factorization and the discrete logarithm problem, the hard problems under RSA and ECDSA. Feed it a public key, and it hands back the matching private key. The moment an attacker holds that private key, the private key stops being unique to one party, so a valid signature stops singling out the true signer. Anyone with the recovered key can produce a signature that verifies perfectly, which means the signature proves nothing about who signed. Non-repudiation depends on exactly one party being able to sign, and quantum forgery removes that exclusivity.
This lands differently from the confidentiality side of the quantum threat, and the distinction is worth holding:
- It’s a Non-HNDL threat, targeting trust rather than secrecy. The harvest-now-decrypt-later problem is about recording encrypted data today to decrypt later. Non-repudiation has nothing to harvest. The attack is real-time forgery once the machine exists.
- The attacker’s raw material is already public. Every verification key a forger would target sits out in the open by design, inside a certificate or a token. There’s no interception step, so the attacker needs only the machine.
- The worst case cascades. Breaking one root Certificate Authority key makes every certificate beneath it forgeable at once, a PKI collapse that turns arbitrary trust across a whole domain into something a forger can mint, and every non-repudiation claim resting on that hierarchy dissolves with it.
The reason this is a present-day concern even though the machine is years out is Mosca’s theorem: replacing signature infrastructure takes years, and it has to finish before the machine arrives, because a forgery after the fact is undetectable and there’s no clean recovery.
Source: P. Shor, “Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer,” SIAM J. Computing, 1997, quant-ph/9508027.
Why is long-lived non-repudiation especially hard under the quantum threat?
Long-lived non-repudiation is the hardest case, because a signature that must stay verifiable for decades has to survive the arrival of a quantum computer, and a classical signature won’t. Non-repudiation isn’t only about the moment of signing. Its whole value is that the evidence still holds up years later, when a contract is disputed, an archived record is questioned, or a firmware image signed today is still running in the field. That long verification horizon collides with the quantum timeline.
The subtle problem is this: a document RSA-signed or ECDSA-signed today may need to be trusted in 2040. If a quantum computer capable of forging that signature exists by then, a verifier in 2040 faces a genuine ambiguity. A signature that checks out could be the real one from today, or a forgery minted after the private key was recovered, and there’s no way from the signature alone to tell which. The mere existence of quantum forgery capability retroactively weakens the evidentiary strength of every classical signature still in play, even ones produced honestly years earlier, because deniability creeps back in the instant more than one party could have produced the signature.
Two mitigations address the long horizon, and both are structural rather than a bigger key:
- Trusted timestamping and notarization. A timestamp authority that records when a signature existed can establish that a signature predates any plausible quantum forgery capability, which preserves its evidentiary value. This is why archival and legal-record systems lean on timestamping alongside signing.
- Migrating to post-quantum signatures early, especially for anything durable. A signature that has to remain trustworthy for decades should be produced with a post-quantum algorithm now, so its trust doesn’t depend on a quantum computer never arriving.
The replacement signatures are the same ones that fix the rest of the signing world. ML-DSA is the general-purpose successor, and SLH-DSA is the deliberately conservative, hash-based option chosen exactly for long-lived roots of trust where the signing key must protect something for decades. NIST’s transition roadmap, NIST IR 8547, deprecates 112-bit-strength classical signatures by 2030 and disallows classical signatures for federal use by 2035, and the long-lived roots of trust are the ones to migrate first.
Source: NIST FIPS 205, “Stateless Hash-Based Digital Signature Standard,” August 2024, FIPS 205.
NIST IR 8547 (Initial Public Draft), “Transition to Post-Quantum Cryptography Standards,” November 2024, NIST IR 8547 ipd.
Has this happened before?
The value of non-repudiation shows up most clearly in a moment when it didn’t exist. In January 1917, British naval intelligence at Room 40 decrypted a telegram from German Foreign Secretary Arthur Zimmermann proposing a military alliance with Mexico against the United States. When the contents were made public, plenty of skeptics in America assumed the message was a British forgery designed to drag the US into the war, and Germany was fully free to disown it. There was no cryptographic mechanism binding the telegram to Zimmermann, so repudiation was genuinely on the table.
What closed the door was not math but a choice: on 3 March 1917, Zimmermann publicly confirmed the telegram was authentic rather than denying it. That confirmation removed the doubt and helped push the US toward war. The point for non-repudiation is the counterfactual. In 1917 the only thing standing between authenticity and deniability was the sender’s own candor, because nothing cryptographic forced the issue. Modern non-repudiation exists precisely to take that choice away: a valid digital signature binds the action to the signer whether or not they feel like admitting it, so a party can’t wait to see which way the wind blows before deciding to deny. Quantum forgery threatens to walk that back, returning the world to one where a signature can be disowned because more than one party could have produced it.
Source: Simon Singh, The Code Book, 1999 (Room 40 and the Zimmermann Telegram). Zimmermann’s public confirmation, 3 March 1917.
Common misconceptions
- “Non-repudiation and authentication are the same thing.” Authentication proves who you are at the moment of access; non-repudiation makes an action undeniable to a third party afterward. A shared-secret method can authenticate without providing any non-repudiation.
- “A MAC gives non-repudiation because it proves the message is authentic.” A MAC proves the message came from someone holding the shared secret, and since both parties hold it, either could have produced the tag. Only a private-key signature singles out one producer.
- “Non-repudiation binds an action to a person.” It binds an action to a key. It attributes the action to a human only as strongly as that key was under the human’s sole control, which is why key management and PKI are part of the guarantee.
- “A valid signature means the signer is trustworthy and acted willingly.” A valid signature proves the message came unaltered from that private key. It says nothing about whether the key holder is honest, or whether the key was stolen and used under duress.
- “Quantum only threatens the secrecy of encrypted data.” It also breaks the trust layer. Once Shor’s algorithm recovers a private key, signatures become forgeable, and non-repudiation and authentication fail alongside confidentiality.
- “A bigger RSA key will keep my signatures non-repudiable under quantum.” Increasing key size buys almost nothing against Shor’s algorithm. Preserving non-repudiation means moving to a post-quantum signature algorithm, not enlarging a classical one.
Questions people ask
What’s the difference between non-repudiation and authentication? Authentication establishes who you are, usually right now and often to a party you already share context with. Non-repudiation makes an action durably attributable to you so you can’t deny it to a third party later. A signature delivers both, but a shared-secret method can authenticate while providing no non-repudiation.
Why can’t a MAC or a shared password provide non-repudiation? Because both sides hold the same secret, so either could have produced the proof. Non-repudiation requires that the verifier be unable to have created the evidence themselves, which only a private key held by one party can guarantee.
Does non-repudiation prove a specific person signed, or just their key? Strictly, it proves the private key was used. It attributes the action to a person only as far as that key was genuinely under their sole control, which is why secure key storage, key management, and PKI all matter to the strength of the claim.
Is non-repudiation part of integrity or its own goal? NIST’s FIPS 199 folds non-repudiation and authenticity into its definition of integrity, so you’ll see it grouped there, while other frameworks list it as a distinct goal on top of the CIA triad. Either way, in practice it’s the specific property that lets a verifier say both “this wasn’t changed” and “you, and only you, produced it.”
How does the quantum threat break non-repudiation? A quantum computer running Shor’s algorithm can recover a private key from its public key. Once an attacker holds that key, they can forge valid signatures, so a signature stops singling out one signer and non-repudiation collapses into deniability.
Will signatures I make today still be non-repudiable in twenty years? Only if they were made with a quantum-safe algorithm, or if a trusted timestamp establishes they predate quantum forgery capability. A classical signature made today loses evidentiary strength once a quantum computer exists, because a verifier can’t tell an honest old signature from a later forgery.
What replaces classical signatures to preserve non-repudiation? ML-DSA for general-purpose signing and SLH-DSA for conservative, long-lived roots of trust. Both are NIST-standardized post-quantum signature algorithms whose security doesn’t fall to Shor’s algorithm.
Do timestamps help with long-lived non-repudiation? Yes. A trusted timestamp records when a signature existed, which can prove it predates any quantum forgery capability and preserves its value as evidence. Archival and legal systems pair signing with timestamping for exactly this reason.
Everything here is the map, given freely. When your team needs the signatures and certificates that carry your non-repudiation found, sized, and sequenced onto a post-quantum path, that’s the work I do. Request an alignment briefing.
Last verified 2026-07-09 · Maintained by Addie LaMarr, LaMarr Labs.