by galadran 2390 days ago
It depends what you consider to be non-repudiation!

With key substitution, you have a signature that can verify under multiple public keys. However, each key was either honestly generated and used to sign the message, or was maliciously generated and intended to appear to have signed the message.

In this sense, the party associated with each public key is indisputably associated with the corresponding signature.

However, this gets a bit more confusing with message key substitution (two public keys, two messages, one signature) or colliding signatures (one public key, any number of messages, one signature). For example, a malicious party might produce a signature which is valid for any message. Does the fact that they've "signed everything" mean they can repudiate having signed anything? (The connection between intent to sign and the signature has arguably been lost.)

We do discuss these other properties in the paper, but we don't really delve into non-repudiation in the informal sense.

1 comment

It’s also worth pointing out that non-repudiation requires stronger properties than cryptography alone can guarantee. If I surreptitiously leak my private key onto the internet I can later plausibly deny that I signed messages. (The Signal protocol deliberately leaks old MAC keys for this reason.)

If you really want non-repudiation then you have to have hardware, legal, and procedural controls in place.