Deniable encryption

In cryptography, deniable encryption allows an encrypted message to be decrypted to different sensible plaintexts, depending on the key used, or otherwise makes it impossible to prove the existence of the real message without the proper encryption key. This allows the sender to have plausible deniability if compelled to give up his or her encryption key. The notion of "deniable encryption" was introduced by Julian Assange and Ralf Weinmann in the Rubberhose filesystem[1] and explored in detail in a paper by Ran Canetti, Cynthia Dwork, Moni Naor, and Rafail Ostrovsky[2] in 1996.

Scenario

Deniable encryption allows the sender of an encrypted message to deny sending that message. This requires a trusted third party. A possible scenario works like this:

  1. Alice sends a pre-chosen key to Bob and a different pre-chosen key to Trent, the trusted third party. The keys are constructed for the purposes of deniable encryption.
  2. Alice constructs a ciphertext (intended to be decrypted by a one-time pad), such that Bob's key will decrypt a harmful message (e.g. instructions on how and when to rob a bank, while Alice tells the bank that someone will try to rob them) and such that Trent's key will decrypt it to a harmless message.
  3. Alice sends the ciphertext to Bob, who tries to rob the bank and gets arrested.
  4. Bob claims that Alice told him to rob the bank, but Alice denies this. To prove her innocence, she can send Trent the same ciphertext (Bob can verify that it is the same ciphertext Alice sent him) and Trent will decrypt it to the harmless message. Trent, being a disinterested third party, is above suspicion, so an adjudicator will believe him over Bob.

Another possible scenario involves Alice sending the same ciphertext to Bob and Carol, to whom she has sent different keys. Bob's key could decrypt the ciphertext to a claim that Carol has maligned Bob, and Carol's key could decrypt the ciphertext to a claim that Bob has maligned Carol. Under the assumption that neither Bob nor Carol can find out each other's keys, Alice's ruse would never be discovered. The same is true of the bank-robbing scenario, except that Bob would understand that Alice had tricked him somehow, but no one would believe him over Trent.
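The one-time-pad construction behind both scenarios, as an added example that is not part of the original article: Alice fixes the ciphertext first and derives the second key from it and the alternative message. The function names, the length-prefix padding and the sample messages are assumptions made for illustration.

```python
import secrets

def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("one-time pad operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))

def pad(msg: bytes, size: int) -> bytes:
    # Length prefix + zero fill so both plaintexts occupy exactly `size` bytes.
    if len(msg) + 2 > size:
        raise ValueError("message does not fit")
    return len(msg).to_bytes(2, "big") + msg + bytes(size - 2 - len(msg))

def unpad(buf: bytes) -> bytes:
    return buf[2:2 + int.from_bytes(buf[:2], "big")]

def make_deniable(msg_for_bob: bytes, msg_for_trent: bytes):
    """Return (ciphertext, key_bob, key_trent) for one shared ciphertext."""
    size = max(len(msg_for_bob), len(msg_for_trent)) + 2
    key_bob = secrets.token_bytes(size)            # ordinary random pad
    ciphertext = xor(pad(msg_for_bob, size), key_bob)
    # The second key is whatever pad maps the same ciphertext to the other text.
    key_trent = xor(ciphertext, pad(msg_for_trent, size))
    return ciphertext, key_bob, key_trent

def decrypt(ciphertext: bytes, key: bytes) -> bytes:
    return unpad(xor(ciphertext, key))

if __name__ == "__main__":
    # Constructed sample messages.
    ct, k_bob, k_trent = make_deniable(b"message one", b"a different, longer message two")
    print(decrypt(ct, k_bob))
    print(decrypt(ct, k_trent))
```

Because a key exists for every plaintext of the same length, the ciphertext alone is evidence of nothing; the cost is that each key is as long as the message and can be used only once.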


Modern forms of deniable encryption

Other than one-time pads, there are currently no known cryptographic techniques that allow feasible construction of a ciphertext that results in two distinct, but predictable plaintexts depending on the key used. However, modern deniable encryption techniques exploit the pseudorandom permutation properties of existing block ciphers, making it cryptographically infeasible to prove that the ciphertext is not in fact random padding data generated by a cryptographically secure pseudorandom number generator. This is used in combination with some decoy data that the user would plausibly want to keep confidential that will be revealed to the attacker, claiming that this is all there is. This form of deniable encryption is sometimes referred to as "steganographic encryption".


A prototypical example of deniable encryption is a cryptographic filesystem that employs a concept of abstract "layers", where each layer would be decrypted with a different encryption key. Additionally, special "chaff layers" are filled with random data in order to have plausible deniability of the existence of real layers and their encryption keys. The user will store decoy files on one or more layers while denying the existence of others, claiming that the rest of space is taken up by chaff layers. Physically, these types of filesystems are typically stored in a single directory consisting of equal-length files with filenames that are either randomized (in case they belong to chaff layers), or cryptographic hashes of strings identifying the blocks. The timestamps of these files are always randomized. Examples of this approach include Rubberhose filesystem and PhoneBookFS.
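A toy version of the layer-and-chaff idea, added here as an illustration and not taken from Rubberhose or PhoneBookFS: equal-length blocks start as random chaff, each layer key recognises only its own blocks, and a byte-frequency statistic looks the same for layer blocks and chaff. The SHA-256 counter-mode keystream is an assumed stand-in for a real block cipher, and all names and sizes are hypothetical.

```python
import hashlib
import hmac
import os

BLOCK = 4096  # bytes per container block (constructed size)
TAG = 32      # HMAC-SHA256 tag length

def _sub(key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC subkeys derived from one layer key.
    return hashlib.sha256(label + key).digest()

def _stream(key: bytes, index: int, n: int) -> bytes:
    # SHA-256 in counter mode: a stand-in (assumption) for a real block cipher.
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + index.to_bytes(8, "big") + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return bytes(out[:n])

def _tag(key: bytes, index: int, ct: bytes) -> bytes:
    return hmac.new(_sub(key, b"mac"), index.to_bytes(8, "big") + ct, hashlib.sha256).digest()

def new_container(n_blocks: int) -> list:
    # Every block starts as chaff: output of the OS CSPRNG.
    return [os.urandom(BLOCK) for _ in range(n_blocks)]

def write_block(container: list, key: bytes, index: int, data: bytes) -> None:
    # Length prefix + zero padding fill the block, then everything is encrypted.
    if len(data) > BLOCK - TAG - 4:
        raise ValueError("data too large for one block")
    body = (len(data).to_bytes(4, "big") + data).ljust(BLOCK - TAG, b"\0")
    ks = _stream(_sub(key, b"enc"), index, len(body))
    ct = bytes(a ^ b for a, b in zip(body, ks))
    container[index] = _tag(key, index, ct) + ct

def read_layer(container: list, key: bytes) -> dict:
    # Only blocks whose tag verifies under this key belong to the layer;
    # without the key every other block is indistinguishable from chaff.
    found = {}
    for i, blk in enumerate(container):
        tag, ct = blk[:TAG], blk[TAG:]
        if hmac.compare_digest(tag, _tag(key, i, ct)):
            ks = _stream(_sub(key, b"enc"), i, len(ct))
            body = bytes(a ^ b for a, b in zip(ct, ks))
            found[i] = body[4:4 + int.from_bytes(body[:4], "big")]
    return found

def chi_square(block: bytes) -> float:
    # Byte-frequency statistic; about 255 on average for uniform random data.
    expected = len(block) / 256
    return sum((block.count(v) - expected) ** 2 / expected for v in range(256))
```

Writing new data under the same key and block index would repeat the keystream, so a real design needs a fresh nonce per write; the sketch also does nothing to stop one layer from overwriting another.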


Another approach utilized by some conventional full disk encryption software suites is creating a second encrypted volume within a container volume. The container volume is first formatted by filling it with random data, and then initializing a filesystem on it. The user then fills some of the filesystem with legitimate, but plausible-looking decoy files that the user would seem to have an incentive to hide. Next, a new encrypted volume (the hidden volume) is allocated within the free space of the container filesystem which will be used for data the user actually wants to hide. Since an adversary cannot differentiate between encrypted data and the random data used to initialize the outer volume, this inner volume is now undetectable. Concerns have however been raised for the level of plausible deniability in hiding information this way – the contents of the "outer" container filesystem (in particular the access or modification timestamps on the data stored) could raise suspicions as a result of being frozen in its initial state to prevent the user from corrupting the hidden volume. Examples of this approach include FreeOTFE, TrueCrypt and BestCrypt.


Needless to say, insecure block ciphers or pseudorandom number generators can make it possible to compromise the deniability of such filesystems. To avoid relying on the assumption that the pseudorandom number generator in use is cryptographically secure, it has been advised to instead fill the encrypted space with pseudorandom data, thus being protected by the encryption key.[3] In addition to that, the flawed use of block cipher modes of operation can also compromise the cipher algorithm due to watermarking attacks.[4]


Malleable encryption

Some in-transit encrypted messaging suites, such as Off-the-Record Messaging, offer malleable encryption which gives the participants plausible deniability of their conversations. While malleable encryption is not technically "deniable encryption" in that its ciphertexts do not decrypt into multiple plaintexts, its deniability refers to the inability of an adversary to prove that the participants had a conversation or said anything in particular.


This is achieved by the fact that all information necessary to forge messages is embedded within the encrypted messages – if an adversary is able to decrypt any messages in a conversation, he is also able to forge messages in the conversation. This is used in conjunction with perfect forward secrecy to assure that the compromise of encryption keys of individual messages does not compromise additional conversations or messages.


Software

  • FreeOTFE, open-source on-the-fly disk encryption for MS Windows and PocketPC PDAs that provides both deniable encryption and plausible deniability (see its documentation section on "Plausible Deniability"). Offers an extensive range of encryption options, and doesn't need to be installed before use.
  • Off-the-Record Messaging, a cryptographic technique providing true deniability for instant messaging.
  • PhoneBookFS, another cryptographic filesystem for Linux, providing plausible deniability through chaff and layers. A FUSE implementation. No longer maintained.
  • rubberhose. Last version (alpha) released in 2000. Never released a Beta version. Not maintained. For the Linux 2.2 kernel which is also no longer supported by Linus Torvalds.
  • BestCrypt
  • TrueCrypt, which is free open-source on-the-fly disk encryption software for Windows and Linux that provides deniable encryption and plausible deniability, and doesn't need to be installed before use.
  • StegFS, the current successor to the ideas embodied by the rubberhose and PhoneBookFS filesystems.

Notes and references

  1. ^ See http://iq.org/~proff/rubberhose.org/. Retrieved on 2007-07-08.
  2. ^ Ran Canetti, Cynthia Dwork, Moni Naor, Rafail Ostrovsky (1996-05-10). "Deniable Encryption" (PostScript). Lecture Notes in Computer Science volume 1294: pages 90–104. 
  3. ^ FreeOTFE documentation on Plausible Deniability. Retrieved on 2006-08-23.
  4. ^ Adal Chiriliuc (2003-10-23). "BestCrypt IV generation flaw". Retrieved on 2006-08-23.

The Wikipedia article included on this page is licensed under the GFDL.