nullprogram.com/blog/2008/07/11/
In a previous post I discussed one-time pads. The information for this post comes from Bruce Schneier's Applied Cryptography (section 10.8).
One-time pads are great for something called plausible deniability. With plausible deniability, when a person holding encrypted data is coerced into decrypting their data, the interrogator will not be able to tell if the person is complying with the decryption order or not. For example, the victim could provide an alternate key that decrypts the ciphertext into some harmless dummy plaintext. To make this more plausible, the plaintext would probably be something potentially embarrassing, such as pornography or secret love letters.
We have a one-time pad K, a plaintext P, a dummy plaintext (the pornography or love letters) D, a dummy key K', and a ciphertext C. Below, I denote XOR with ^.
To encrypt our plaintext, it's the normal one-time pad algorithm,
P ^ K = C
Bob and Alice share K, so decryption works like,
C ^ K = P
However, the secret police come along with their thumbscrews and demand that Alice and Bob give them the one-time pad K. Instead, they will provide K'. How is K' defined? Like this,
K' = C ^ D
Because K is a one-time pad and is randomly generated, there is no way to prove that K' is not the real key. Alice and Bob give up K'. The secret police decrypt it,
C ^ K' = C ^ C ^ D = D
"See? We were just keeping our love affair a secret from our spouses!"
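
The scheme above as a runnable sketch, added here as an example and not taken from the original post or from Applied Cryptography. The function names, the sample messages, and the choice to space-pad D up to the length of C are assumptions of this example.

```python
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings (the post's ^ operator)."""
    if len(a) != len(b):
        raise ValueError("one-time pad operands must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def new_pad(length: int) -> bytes:
    """Generate the real pad K from the OS CSPRNG."""
    return secrets.token_bytes(length)


def dummy_key(ciphertext: bytes, dummy: bytes, fill: bytes = b" ") -> bytes:
    """Derive K' = C ^ D.

    D is padded to len(C) with the single byte `fill` (an assumption of this
    example); a dummy longer than C cannot be produced from C at all.
    """
    if len(dummy) > len(ciphertext):
        raise ValueError("dummy plaintext is longer than the ciphertext")
    padded = dummy + fill * (len(ciphertext) - len(dummy))
    return xor_bytes(ciphertext, padded)


if __name__ == "__main__":
    P = b"Meet at the safe house at 0300."   # constructed sample plaintext
    D = b"I miss you. Same cafe, Friday?"    # constructed sample dummy
    K = new_pad(len(P))
    C = xor_bytes(P, K)            # P ^ K = C
    K_prime = dummy_key(C, D)      # K' = C ^ D
    print(xor_bytes(C, K))         # real key recovers P
    print(xor_bytes(C, K_prime))   # dummy key recovers D (space-padded)
```

Because K' can only be computed once C exists, the dummy has to fit inside the ciphertext's length, which is why the helper rejects a D longer than C.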