by triodan 2700 days ago
It means both the sender and the receiver of the message, if coerced, can without coordination have a degree of plausible deniability for the contents of the message.

For example, I send you the message "CIA" encrypted using this scheme. Theoretically, it should be impossible for any third party to prove that I sent "CIA", because I can give up a different decryption key that decodes the ciphertext to, say, "NSA". Similarly, on the receiving end, you can give up a different decryption key that decodes the ciphertext to, say, "FBI".

This scheme also means it is impossible for a third party to discover who is giving up the 'truth' in such scenarios (for example, if I told the truth and decrypted the ciphertext into "CIA", while you lied and decrypted the ciphertext into "FBI", the third party has no way to know which one is correct, or if either of them is fake).

3 comments

Can you make sure the 'alternate' decoded version of the messages will actually decode into something legible? Is there some way to explicitly craft the alternate decoded message, or is it random?

So it's effectively a duress code you might punch into a security system?

Two duress codes--one for you, and one for your counterparty. Thus, the bi- in bi-deniable.

Mono-deniable gives a duress code only to the sender, or only to the recipient.

The paper claims an additional category of bi-deniability, such that your duress code and your counterparty's duress code produce different plaintexts, rather than the same plaintext. It is unclear from the abstract whether it is possible to have a bi-deniable scheme without this property (which does not also require prior coordination between parties).

Aha, thanks!
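
The "CIA" / "NSA" / "FBI" scenario from the top post, worked through with a one-time pad as an added example: it is not part of the thread and not the paper's scheme (a pad is a shared-key toy, and all function names here are assumptions). It shows each party deriving a fake key from the ciphertext alone, and that a third party's only possible check passes for all three claims.

```python
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    # A one-time pad only works on equal-length operands.
    if len(a) != len(b):
        raise ValueError("one-time pad operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    return xor_bytes(key, plaintext)


def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    return xor_bytes(key, ciphertext)


def fake_key(ciphertext: bytes, cover: bytes) -> bytes:
    """Key under which `ciphertext` decrypts to `cover`.

    Only the ciphertext is needed, so sender and receiver can each
    compute one alone, and each picks the cover text explicitly.
    """
    return xor_bytes(ciphertext, cover)


def auditor_accepts(ciphertext: bytes, key: bytes, claimed: bytes) -> bool:
    """The only check a third party has: does the surrendered key open
    the ciphertext to the claimed message?"""
    return decrypt(key, ciphertext) == claimed


def demo():
    # Constructed sample: the real message and two cover stories.
    real_key = secrets.token_bytes(3)
    ciphertext = encrypt(real_key, b"CIA")
    sender_key = fake_key(ciphertext, b"NSA")    # sender under coercion
    receiver_key = fake_key(ciphertext, b"FBI")  # receiver, no coordination
    claims = {b"CIA": real_key, b"NSA": sender_key, b"FBI": receiver_key}
    return ciphertext, claims


if __name__ == "__main__":
    ct, claims = demo()
    for message, key in claims.items():
        ok = auditor_accepts(ct, key, message)
        print(message.decode(), key.hex(), "accepted" if ok else "rejected")
```

With a pad the cover message must be the same length as the real one, which is why `fake_key` rejects anything else.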