Deniable encryption
===Scenario===
In some jurisdictions, statutes assume that human operators have access to such things as encryption keys, and governments may enact [[key disclosure law]]s that compel individuals to relinquish keys upon request. Countries such as [[France]]<ref>Articles 30–31, {{cite French law|number or usual name=n<sup>o</sup> 2001-1062|date in French=15 novembre 2001|full name=relative à la sécurité quotidienne|language=French|lower case=yes|URL=http://www.legifrance.gouv.fr/affichTexte.do?cidTexte=JORFTEXT000000222052}}</ref> and [[Australia]]<ref>{{cite act |title=Cybercrime Act 2001 |at=ords 12, 28 |location=Cth |italics=y |url=https://rm.coe.int/cybercrime-act-2001/16808e70b4 |access-date=2025-05-31 |date=2004-09-06}}</ref> give prosecutors wide-ranging power to compel any person to surrender keys to make available any information encountered in the course of an investigation, and failure to comply incurs jail time and/or civil fines. Another example is the [[United Kingdom]]'s [[Regulation of Investigatory Powers Act 2000|Regulation of Investigatory Powers Act]],<ref name="Guardian Q&As">{{cite news |date=October 25, 2001 |title=The RIP Act |url=https://www.theguardian.com/world/2000/oct/24/qanda |work=[[The Guardian]] |location=London |access-date=March 19, 2024 |archive-date=March 28, 2023 |archive-url=https://web.archive.org/web/20230328104031/https://www.theguardian.com/world/2000/oct/24/qanda |url-status=live }}</ref><ref name="RIP online">{{cite web |date=9 May 2000 |title=Regulation of Investigatory Powers Bill; in Session 1999-2000, Internet Publications, Other Bills before Parliament |url=http://www.parliament.the-stationery-office.co.uk/pa/ld199900/ldbills/061/2000061.htm |url-status=dead |archive-url=https://web.archive.org/web/20111108020103/http://www.parliament.the-stationery-office.co.uk/pa/ld199900/ldbills/061/2000061.htm |archive-date=8 November 2011 |access-date=5 Jan 2011 |publisher=House of Lords}}</ref> which makes it a crime not to surrender [[Key (cryptography)|encryption keys]] on demand from a government official authorized by the act. According to the [[Home Office]], the burden of proof that an accused person is in possession of a key rests on the prosecution; moreover, the act contains a defense for operators who have lost or forgotten a key, and they are not liable if they are judged to have done what they can to recover a key.<ref name="Guardian Q&As" /><ref name="RIP online" />

Such laws are not universal, however; in the [[United States]], though the issue has never reached the [[Supreme Court of the United States|Supreme Court]], lower courts frequently view forced disclosure of [[password]]s as a form of [[self-incrimination]] and an unconstitutional abridgement of the [[Fifth Amendment to the United States Constitution|Fifth Amendment]].<ref>{{cite court |litigants=In RE: GRAND JURY SUBPOENA DUCES TECUM |opinion=Nos. 11-12268 & 11-15421 |court=11th Cir. |date=2012-02-23 |url=https://media.ca11.uscourts.gov/opinions/pub/files/201112268.pdf |quote=We hold that Doe properly invoked the Fifth Amendment privilege. In response, the Government chose not give him the immunity the Fifth Amendment and 18 U.S.C. § 6002 mandate, and the district court acquiesced. Stripped of Fifth Amendment protection, Doe refused to produce the unencrypted contents of the hard drives. The refusal was justified, and the district court erred in adjudging him in civil contempt. The district court’s judgment is accordingly REVERSED. }}</ref><ref>{{cite court |litigants=U.S. v Jeffrey Feldman |vol=THE DECRYPTION OF A SEIZED DATA STORAGE SYSTEM |court=E.D. Wis. |date=19 April 2013 |url=https://www.wired.com/images_blogs/threatlevel/2013/04/encryption-case.pdf |access-date=24 April 2013 |archive-url=https://web.archive.org/web/20210322102931/https://www.wired.com/images_blogs/threatlevel/2013/04/encryption-case.pdf |url-status=live }}</ref><ref>{{Cite web |title=State Court Docket Watch: State of Oregon v. Pittman |url=https://fedsoc.org/commentary/publications/state-court-docket-watch-state-of-oregon-v-pittman |access-date=2022-03-10 |website=fedsoc.org |date=23 April 2021 |archive-date=2021-06-05 |archive-url=https://web.archive.org/web/20210605152818/https://fedsoc.org/commentary/publications/state-court-docket-watch-state-of-oregon-v-pittman |url-status=live }}</ref>

{{anchor|rubber}}In [[cryptography]], [[rubber-hose cryptanalysis]] is a [[euphemism]] for the extraction of cryptographic secrets (e.g. the password to an encrypted file) from a person by [[coercion]] or [[torture]]<ref>{{cite web |last=Schneier |first=Bruce |author-link=Bruce Schneier |date=October 27, 2008 |title=Rubber-Hose Cryptanalysis |url=http://www.schneier.com/blog/archives/2008/10/rubber_hose_cry.html |access-date=August 29, 2009 |work=Schneier on Security |archive-date=August 30, 2009 |archive-url=https://web.archive.org/web/20090830073523/http://www.schneier.com/blog/archives/2008/10/rubber_hose_cry.html |url-status=live }}</ref>—such as beating that person with a rubber [[hose]], hence the name—in contrast to a mathematical or technical [[Cryptanalysis|cryptanalytic attack]]. An early use of the term was on the [[sci.crypt]] newsgroup, in a message posted 16 October 1990 by [[Marcus J. Ranum]], alluding to [[Foot whipping|corporal punishment]]:
<blockquote>...the rubber-hose technique of cryptanalysis. (in which a rubber hose is applied forcefully and frequently to the soles of the feet until the key to the cryptosystem is discovered, a process that can take a surprisingly short time and is quite computationally inexpensive).<ref>{{cite newsgroup |url=http://groups.google.com/group/sci.crypt/msg/86404637e708d900?pli=1 |title=Re: Cryptography and the Law... |first=Marcus J. |last=Ranum |newsgroup=sci.crypt |message-id=1990Oct16.050000.4965@decuac.dec.com |date=October 16, 1990 |access-date=October 11, 2013 |archive-date=April 2, 2024 |archive-url=https://web.archive.org/web/20240402041852/https://groups.google.com/g/sci.crypt/c/W1VUQlC99LM/m/ANkI5zdGQIYJ?pli=1 |url-status=live }}</ref></blockquote>

Such methods are also euphemistically referred to as "wrench attacks," in reference to an [[xkcd]] comic with a similar premise.<ref>{{cite web |url=https://apnews.com/article/crypto-bitcoin-kidnapping-wrench-attack-ddc7263c25ba590f85648e1682576971 |title=Why 'wrench attacks' on wealthy crypto holders are on the rise |last=Suderman |first=Alan |publisher=[[Associated Press]] |date=2025-05-28 }}</ref><ref>{{cite journal |title=Investigating Wrench Attacks: Physical Attacks Targeting Cryptocurrency Users |journal=6th Conference on Advances in Financial Technologies |year=2024 |last1=Ordekian |first1=Marilyne |last2=Atondo-Siu |first2=Gilberto |last3=Hutchings |first3=Alice |last4=Vasek |first4=Marie |series=Leibniz International Proceedings in Informatics (LIPIcs) |volume=316 |pages=24:1–24:24 |issn=1868-8969 |doi=10.4230/LIPIcs.AFT.2024.24 |url=https://drops.dagstuhl.de/storage/00lipics/lipics-vol316-aft2024/LIPIcs.AFT.2024.24/LIPIcs.AFT.2024.24.pdf |access-date=2025-05-31 |publisher=[[Dagstuhl#Leibniz-Zentrum für Informatik|Schloss Dagstuhl – Leibniz-Zentrum für Informatik]] |doi-access=free |isbn=978-3-95977-345-4 }}</ref>

Deniable encryption allows the sender of an encrypted message to deny sending that message. This requires a [[trusted third party]]. A possible scenario works like this:
#Bob suspects his wife [[Alice and Bob|Alice]] is engaged in adultery. That being the case, Alice wants to communicate with her secret lover Carl. She creates two keys, one intended to be kept secret, the other intended to be sacrificed. She passes the secret key (or both) to Carl.
#Alice constructs an innocuous message M1 for Carl (intended to be revealed to Bob in case of discovery) and an incriminating love letter M2 to Carl. She constructs a cipher-text C out of both messages, M1 and M2, and emails it to Carl.
#Carl uses his key to decrypt M2 (and possibly M1, in order to read the fake message, too).
#Bob finds out about the email to Carl, becomes suspicious and forces Alice to decrypt the message.
#Alice uses the sacrificial key and reveals the innocuous message M1 to Bob. Since Bob cannot know for sure whether C contains other messages, he might assume that there ''are'' no other messages.

Another scenario involves Alice sending the same ciphertext (some secret instructions) to Bob and Carl, to whom she has handed different keys. Bob and Carl are to receive different instructions and must not be able to read each other's instructions. Bob will receive the message first and then forward it to Carl.
#Alice constructs the ciphertext out of both messages, M1 and M2, and emails it to Bob.
#Bob uses his key to decrypt M1 and isn't able to read M2.
#Bob forwards the ciphertext to Carl.
#Carl uses his key to decrypt M2 and isn't able to read M1.
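
Both scenarios above can be illustrated with a one-time pad; this is an added example, not code from the article or from any deniable-encryption product. The one-time pad is a choice made here, so the sacrificial key is derived after C rather than created up front, and the names `encrypt_deniable`, `pad` and `BLOCK` are hypothetical.

```python
import secrets

BLOCK = 64  # assumed padding granularity, so C does not reveal either message's exact length


def pad(msg: bytes, size: int) -> bytes:
    """Prefix a 2-byte length, then zero-fill to exactly `size` bytes."""
    if len(msg) > 0xFFFF or len(msg) + 2 > size:
        raise ValueError("message does not fit")
    return len(msg).to_bytes(2, "big") + msg + bytes(size - 2 - len(msg))


def unpad(padded: bytes) -> bytes:
    n = int.from_bytes(padded[:2], "big")
    if n > len(padded) - 2:
        raise ValueError("invalid length prefix (wrong key for this ciphertext?)")
    return padded[2:2 + n]


def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("key and data must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_deniable(m1: bytes, m2: bytes):
    """Return (C, sacrificial_key, secret_key) for decoy M1 and real message M2."""
    size = -(-(max(len(m1), len(m2)) + 2) // BLOCK) * BLOCK  # round up to BLOCK
    secret_key = secrets.token_bytes(size)    # one-time pad for M2, never reused
    c = xor(pad(m2, size), secret_key)        # C looks uniformly random without a key
    sacrificial_key = xor(c, pad(m1, size))   # chosen so that C xor key == padded M1
    return c, sacrificial_key, secret_key


def decrypt(c: bytes, key: bytes) -> bytes:
    return unpad(xor(c, key))


if __name__ == "__main__":
    m1 = b"Lunch on Friday?"                  # constructed decoy message
    m2 = b"Meet me at the station at nine."   # constructed real message
    c, k1, k2 = encrypt_deniable(m1, m2)
    print(decrypt(c, k1))  # what Alice reveals to Bob with the sacrificial key
    print(decrypt(c, k2))  # what Carl reads with the secret key
```

Both keys are as long as the ciphertext and look equally random, so neither C nor a revealed key shows that a second plaintext exists. The cost is that each pad protects one message only and must be exchanged in advance.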