## One-Time Pads and Plausible Deniability

In a previous post I discussed one-time pads. The information for this post comes from Bruce Schneier's Applied Cryptography (section 10.8).

One-time pads are great for something called plausible deniability. With plausible deniability, when a person holding encrypted data is coerced into decrypting their data, the interrogator will not be able to tell if the person is complying with the decryption order or not. For example, the victim could provide an alternate key that decrypts the ciphertext into some harmless dummy plaintext. To make this more plausible, the plaintext would probably be something potentially embarrassing, such as pornography or secret love letters.

We have a one-time pad `K`, a plaintext `P`, a dummy plaintext (the pornography or love letters) `D`, a dummy key `K'`, and a ciphertext `C`. Below, I denote XOR with `^`.

To encrypt our plaintext, we use the normal one-time pad algorithm:

P ^ K = C

Bob and Alice share `K`, so decryption works like this:

C ^ K = P

However, the secret police come along with their thumbscrews and demand that Alice and Bob give them the one-time pad `K`. Instead, they will provide `K'`. How is `K'` defined? Like this:

K' = C ^ D

Because `K` is a one-time pad and is randomly generated, there is no way to prove that `K'` is *not* the real key. Alice and Bob give up `K'`. The secret police decrypt the ciphertext with it:

C ^ K' = C ^ C ^ D = D

"See? We were just keeping our love affair a secret from our spouses!"
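
The scheme above as a runnable sketch (an added example, not code from the original post or from Applied Cryptography). The function names, the sample messages, and the choice to pad a shorter `D` with spaces are assumptions made for illustration; a `D` longer than `C` is rejected, because `K'` has to be exactly as long as the ciphertext.

```python
import secrets


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings; a one-time pad requires equal lengths."""
    if len(a) != len(b):
        raise ValueError("operands must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(plaintext: bytes) -> tuple[bytes, bytes]:
    """Generate a fresh random pad K and return (K, C) where C = P ^ K."""
    pad = secrets.token_bytes(len(plaintext))
    return pad, xor(plaintext, pad)


def dummy_key(ciphertext: bytes, dummy: bytes, fill: bytes = b" ") -> bytes:
    """Return K' = C ^ D.

    The ciphertext length is fixed and visible, so D must fit inside it.
    A shorter D is padded with `fill` (an assumption of this sketch) so
    that K' covers every byte of C.
    """
    if len(dummy) > len(ciphertext):
        raise ValueError("dummy plaintext is longer than the ciphertext")
    padded = dummy.ljust(len(ciphertext), fill)
    return xor(ciphertext, padded)


if __name__ == "__main__":
    # Constructed sample messages, not from the original post.
    P = b"Meet at the safe house at 0300."
    D = b"I miss you. Same hotel Friday?"

    K, C = encrypt(P)          # P ^ K = C
    K_prime = dummy_key(C, D)  # K' = C ^ D

    print("real key  ->", xor(C, K))        # C ^ K  = P
    print("dummy key ->", xor(C, K_prime))  # C ^ K' = D (space-padded)
    # Both keys are the same length as C, so length alone does not
    # distinguish K' from K.
    print("same length:", len(K) == len(K_prime) == len(C))
```
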