One-Time Pads and Plausible Deniability

In a previous post I discussed one-time pads. The information for this post comes from Bruce Schneier's Applied Cryptography (section 10.8).

One-time pads are great for something called plausible deniability. With plausible deniability, when a person holding encrypted data is coerced into decrypting their data, the interrogator will not be able to tell if the person is complying with the decryption order or not. For example, the victim could provide an alternate key that decrypts the ciphertext into some harmless dummy plaintext. To make this more plausible, the plaintext would probably be something potentially embarrassing, such as pornography or secret love letters.

We have a one-time pad K, a plaintext P, a dummy plaintext (the pornography or love letters) D, a dummy key K', and a ciphertext C. Below, I denote XOR with ^.

To encrypt our plaintext, its the normal one-time pad algorithm,

P ^ K = C

Bob and Alice share K, so decryption works like,

C ^ K = P

However, the secret police come along with their thumbscrews and demand that Alice and Bob give them the one-time pad K. Instead, they will provide K'. How is K' defined? Like this,

K' = C ^ D

Because K is a one-time pad and is randomly generated, there is no way to prove that K' is not the real key. Alice and Bob give up K'. The secret police decrypt it,

C ^ K' = C ^ C ^ D = D

"See? We were just keeping our love affair a secret from our spouses!"

Have a comment on this article? Start a discussion in my public inbox by sending an email to ~skeeto/ [mailing list etiquette] , or see existing discussions.

This post has archived comments.

null program

Chris Wellons (PGP)
~skeeto/ (view)