Re: multi-key encryption algorithm is meaningful?

chaeso proposed:
> D(key1,C) = plaintext1
> D(key2,C) = plaintext2

and later added:
> User choose both plaintexts,key arbitrarily. ... and ciphertext size
> is 2 times to the key size based on empirical test.

and Phil Carmody had mentioned:
> I think you're looking for "deniable encryption". My memory
> tells me that Naor has dabbled in that field. Often mentioned
> in the context of "rubber hose" crypto. ...

Noticing that C is so much longer than the plaintext you give, won't
the guy with the rubber hose keep using it until you reveal the rest of
the message?

A more useful scheme would be one in which the keys are NOT chosen
arbitrarily, but instead are computed from the plaintexts to find the
shortest C that can produce both plaintexts. Ideally C should be

Mxsmanic suggested:
> An example of a system that _will_ do this is the one-time pad. You
> can encrypt any plaintext with a random key, then XOR the ciphertext
> with a second plaintext to obtain a second key. The first key is used
> to obtain your original plaintext; the second can be used to decrypt
> the very same ciphertext to a completely different plaintext of your
> choice.

You don't have complete freedom of choice for your second plaintext.
It must have the same length as the first one.

chaeso also wrote:
> I found the paper

Could you post a reference to that paper?

Bob H
Received on Tue Jan 17 16:51:00 2006