This article has multiple issues. Please helpimprove it or discuss these issues on thetalk page.(Learn how and when to remove these messages) This articlerelies excessively onreferences toprimary sources. Please improve this article by addingsecondary or tertiary sources. Find sources: "Deniable encryption" – news ·newspapers ·books ·scholar ·JSTOR(March 2024) (Learn how and when to remove this message) This articleneeds additional citations forverification. Please helpimprove this article byadding citations to reliable sources. Unsourced material may be challenged and removed. Find sources: "Deniable encryption" – news ·newspapers ·books ·scholar ·JSTOR(March 2024) (Learn how and when to remove this message) (Learn how and when to remove this message)

Incryptography andsteganography, plausiblydeniable encryption describesencryption techniques where the existence of an encrypted file or message is deniable in the sense that an adversary cannot prove that theplaintext data exists.^[1]

The users mayconvincingly deny that a given piece of data is encrypted, or that they are able to decrypt a given piece of encrypted data, or that some specific encrypted data exists.^[2] Such denials may or may not be genuine. For example, it may be impossible to prove that the data is encrypted without the cooperation of the users. If the data is encrypted, the users genuinely may not be able to decrypt it. Deniable encryption serves to undermine an attacker's confidence either that data is encrypted, or that the person in possession of it can decrypt it and provide the associated plaintext.

In their pivotal 1996 paper,Ran Canetti,Cynthia Dwork,Moni Naor, andRafail Ostrovsky introduced the concept of deniable encryption, a cryptographic breakthrough that ensures privacy even under coercion. This concept allows encrypted communication participants to plausibly deny the true content of their messages. Their work lays the foundational principles of deniable encryption, illustrating its critical role in protecting privacy against forced disclosures. This research has become a cornerstone for future advancements in cryptography, emphasizing the importance of deniable encryption in maintaining communication security.^[3] The notion of deniable encryption was used byJulian Assange andRalf Weinmann in the Rubberhose filesystem.^[4][2]

Deniable encryption makes it impossible to prove the origin or existence of the plaintext message without the proper decryption key. This may be done by allowing an encrypted message to be decrypted to different sensible plaintexts, depending on thekey used. This allows the sender to haveplausible deniability if compelled to give up their encryption key.^[5]

In some jurisdictions, statutes assume that human operators have access to such things as encryption keys, and governments may enactkey disclosure laws that compel individuals to relinquish keys upon request. Countries such asFrance^[6] andAustralia^[7] give prosecutors wide-ranging power to compel any person to surrender keys to make available any information encountered in the course of an investigation, and failure to comply incurs jail time and/or civil fines. Another example is theUnited Kingdom'sRegulation of Investigatory Powers Act,^[8][9] which makes it a crime not to surrenderencryption keys on demand from a government official authorized by the act. According to theHome Office, the burden of proof that an accused person is in possession of a key rests on the prosecution; moreover, the act contains a defense for operators who have lost or forgotten a key, and they are not liable if they are judged to have done what they can to recover a key.^[8][9] Such laws are not universal, however - in theUnited States, though the issue has never reached theSupreme Court, lower courts frequently view forced disclosure ofpasswords as a form ofself-incrimination and an unconstitutional abridgement of theFifth Amendment.^[10][11][12]

Incryptography,rubber-hose cryptanalysis is aeuphemism for the extraction of cryptographic secrets (e.g. the password to an encrypted file) from a person bycoercion ortorture^[13]—such as beating that person with a rubberhose, hence the name—in contrast to a mathematical or technicalcryptanalytic attack. An early use of the term was on thesci.crypt newsgroup, in a message posted 16 October 1990 byMarcus J. Ranum, alluding tocorporal punishment:

...the rubber-hose technique of cryptanalysis. (in which a rubber hose is applied forcefully and frequently to the soles of the feet until the key to the cryptosystem is discovered, a process that can take a surprisingly short time and is quite computationally inexpensive).^[14]

Such methods are also euphemistically referred to as "wrench attacks," in reference to anxkcd comic with a similar premise.^[15][16]

Deniable encryption allows the sender of an encrypted message to deny sending that message. This requires atrusted third party. A possible scenario works like this:

1. Bob suspects his wifeAlice is engaged in adultery. That being the case, Alice wants to communicate with her secret lover Carl. She creates two keys, one intended to be kept secret, the other intended to be sacrificed. She passes the secret key (or both) to Carl.
2. Alice constructs an innocuous message M1 for Carl (intended to be revealed to Bob in case of discovery) and an incriminating love letter M2 to Carl. She constructs a cipher-text C out of both messages, M1 and M2, and emails it to Carl.
3. Carl uses his key to decrypt M2 (and possibly M1, in order to read the fake message, too).
4. Bob finds out about the email to Carl, becomes suspicious and forces Alice to decrypt the message.
5. Alice uses the sacrificial key and reveals the innocuous message M1 to Bob. Since it is impossible for Bob to know for sure that there might be other messages contained in C, he might assume that thereare no other messages.

Another scenario involves Alice sending the same ciphertext (some secret instructions) to Bob and Carl, to whom she has handed different keys. Bob and Carl are to receive different instructions and must not be able to read each other's instructions. Bob will receive the message first and then forward it to Carl.

1. Alice constructs the ciphertext out of both messages, M1 and M2, and emails it to Bob.
2. Bob uses his key to decrypt M1 and isn't able to read M2.
3. Bob forwards the ciphertext to Carl.
4. Carl uses his key to decrypt M2 and isn't able to read M1.

Normally, ciphertexts decrypt to a single plaintext that is intended to be kept secret. However, one form of deniable encryption allows its users to decrypt the ciphertext to produce a different (innocuous but plausible) plaintext and plausibly claim that it is what they encrypted. The holder of the ciphertext will not be able to differentiate between the true plaintext, and the bogus-claim plaintext. In general, oneciphertext cannot be decrypted to all possibleplaintexts unless the key is as large as theplaintext, so it is not practical in most cases for a ciphertext to reveal no information whatsoever about its plaintext.^[17] However, some schemes allow decryption to decoy plaintexts that are close to the original in some metric (such asedit distance).^[18]

Modern deniable encryption techniques exploit the fact that without the key, it is infeasible to distinguish between ciphertext fromblock ciphers and data generated by acryptographically secure pseudorandom number generator (the cipher'spseudorandom permutation properties).^[19]

This is used in combination with somedecoy data that the user would plausibly want to keep confidential that will be revealed to the attacker, claiming that this is all there is. This is a form ofsteganography.^{[citation needed]}

If the user does not supply the correct key for the truly secret data, decrypting it will result in apparently random data, indistinguishable from not having stored any particular data there.^{[citation needed]}

One example of deniable encryption is acryptographic filesystem that employs a concept of abstract "layers", where each layer can be decrypted with a different encryption key.^{[citation needed]} Additionally, special "chaff layers" are filled with random data in order to haveplausible deniability of the existence of real layers and their encryption keys.^{[citation needed]} The user can store decoy files on one or more layers while denying the existence of others, claiming that the rest of space is taken up by chaff layers.^{[citation needed]} Physically, these types of filesystems are typically stored in a single directory consisting of equal-length files with filenames that are eitherrandomized (in case they belong to chaff layers), orcryptographic hashes of strings identifying the blocks.^{[citation needed]} Thetimestamps of these files are always randomized.^{[citation needed]} Examples of this approach include Rubberhose filesystem.

Rubberhose (also known by its development codename Marutukku)^[20] is a deniable encryption program which encrypts data on a storage device and hides the encrypted data. The existence of the encrypted data can only be verified using the appropriate cryptographic key. It was created byJulian Assange as a tool for human rights workers who needed to protect sensitive data in the field and was initially released in 1997.^[20]

The name Rubberhose is a joking reference to thecypherpunks term rubber-hose cryptanalysis, in which encryption keys are obtained by means of violence.^{[citation needed]}

It was written forLinux kernel 2.2,NetBSD andFreeBSD in 1997–2000 byJulian Assange,Suelette Dreyfus, and Ralf Weinmann. The latest version available, still in alpha stage, is v0.8.3.^[21]

Another approach used by some conventionaldisk encryption software suites is creating a second encryptedvolume within a container volume. The container volume is first formatted by filling it with encrypted random data,^[22] and then initializing a filesystem on it. The user then fills some of the filesystem with legitimate, but plausible-looking decoy files that the user would seem to have an incentive to hide. Next, a new encrypted volume (the hidden volume) is allocated within the free space of the container filesystem which will be used for data the user actually wants to hide. Since an adversary cannot differentiate between encrypted data and the random data used to initialize the outer volume, this inner volume is now undetectable.LibreCrypt^[23] andBestCrypt can have many hidden volumes in a container;TrueCrypt is limited to one hidden volume.^[24]

• Cryptee, anopen-source,client-side encrypted,cross-platformproductivity suite andcloud storage service which offers its users the ability to hide (ghost) folders and photo albums forplausible deniability.

• LibreCrypt,open-sourcetransparent disk encryption for MS Windows and PocketPC PDAs that provides both deniable encryption andplausible deniability.^[22][25] Offers an extensive range of encryption options, and doesn't need to be installed before use as long as the user has administrator rights.

• Off-the-Record Messaging, a cryptographic technique providing true deniability forinstant messaging.

• OpenPuff, freeware semi-open-source steganography for MS Windows.

• StegFS, the current successor to the ideas embodied by the Rubberhose and PhoneBookFS filesystems.

• Vanish, a research prototype implementation of self-destructing data storage.

• VeraCrypt (a successor to a discontinuedTrueCrypt), anon-the-fly disk encryption software forWindows,Mac andLinux providing limited deniable encryption^[26] and to some extent (due to limitations on the number of hidden volumes which can be created^[24])plausible deniability, without needing to be installed before use as long as the user has full administrator rights.

The existence of hidden encrypted data may be revealed by flaws in the implementation.^{[27][self-published source]} It may also be revealed by a so-calledwatermarking attack if an inappropriate cipher mode is used.^[28]The existence of the data may be revealed by it 'leaking' into non-encrypted disk space^[29] where it can be detected byforensic tools.^{[30][self-published source]}

Doubts have been raised about the level of plausible deniability in 'hidden volumes'^{[31][self-published source]} – the contents of the "outer" container filesystem have to be 'frozen' in its initial state to prevent the user from corrupting the hidden volume (this can be detected from the access and modification timestamps), which could raise suspicion. This problem can be eliminated by instructing the system not to protect the hidden volume, although this could result in lost data.^{[citation needed]}

Possession of deniable encryption tools could lead attackers to continue torturing a user even after the user has revealed all their keys, because the attackers could not know whether the user had revealed their last key or not. However, knowledge of this fact can disincentivize users from revealing any keys to begin with, since they will never be able to prove to the attacker that they have revealed their last key.^[32]

This sectiondoes notcite anysources. Please helpimprove this section byadding citations to reliable sources. Unsourced material may be challenged andremoved. Find sources: "Deniable encryption" – news ·newspapers ·books ·scholar ·JSTOR(March 2024) (Learn how and when to remove this message)

Some in-transit encrypted messaging suites, such asOff-the-Record Messaging, offerdeniable authentication which gives the participantsplausible deniability of their conversations. While deniable authentication is not technically "deniable encryption" in that the encryption of the messages is not denied, its deniability refers to the inability of an adversary to prove that the participants had a conversation or said anything in particular.

This is achieved by the fact that all information necessary to forge messages is appended to the encrypted messages – if an adversary is able to create digitally authentic messages in a conversation (seehash-based message authentication code (HMAC)), they are also able toforge messages in the conversation. This is used in conjunction withperfect forward secrecy to assure that the compromise of encryption keys of individual messages does not compromise additional conversations or messages.

• Chaffing and winnowing – Cryptographic technique
• Deniable authentication – Message authentication verifiable only by participants
• dm-crypt – Disk encryption software
• Key disclosure law – Legislation that requires individuals to surrender cryptographic keys to law enforcement
• Plausible deniability – Ability to deny responsibility
• Steganography – Hiding messages in other messages
• Unicity distance – Length of ciphertext needed to unambiguously break a cipher

• Czeskis, A.; St. Hilaire, D. J.; Koscher, K.; Gribble, S. D.; Kohno, T.; Schneier, B. (2008)."Defeating Encrypted and Deniable File Systems: TrueCrypt v5.1a and the Case of the Tattling OS and Applications"(PDF).3rd Workshop on Hot Topics in Security. USENIX.
• Howlader, Jaydeep; Basu, Saikat (2009). "Sender-Side Public Key Deniable Encryption Scheme".Proceedings of the International Conference on Advances in Recent Technologies in Communication and Computing. IEEE.doi:10.1109/ARTCom.2009.107.
• Howlader, Jaydeep; Nair, Vivek; Basu, Saikat (2011). "Deniable Encryption in Replacement of Untappable Channel to Prevent Coercion".Proc. Advances in Networks and Communications. Communications in Computer and Information Science. Vol. 132. Springer. pp. 491–501.doi:10.1007/978-3-642-17878-8_50.

• Cryptography

• Webarchive template wayback links
• CS1 maint: multiple names: authors list
• CS1 errors: missing periodical
• Articles with short description
• Short description is different from Wikidata
• Articles lacking reliable references from March 2024
• All articles lacking reliable references
• Articles needing additional references from March 2024
• All articles needing additional references
• Articles with multiple maintenance issues
• All articles with unsourced statements
• Articles with unsourced statements from March 2024
• All articles with self-published sources
• Articles with self-published sources from March 2024