-----BEGIN PGP SIGNED MESSAGE----- Using a one-time pad for dual decryption might work like this. I have a file, D (for Dangerous), which I want to conceal. I construct a random file of the same length, K (for Key), which will be my "encryption key". I xor K and D to produce E (for Encrypted), the encrypted file. I delete D and hide K somewhere. Now, in case an intruder steals E and coerces a decryption out of me, I prepare S (for Safe), a file containing some safe plaintext. I xor S and E to produce F (for Fake), the fake key file I will be able to present. I destroy S and hide F somewhere, but perhaps not as securely as I hid K. Now, if the intruder comes, he finds E, the encrypted file. He demands the key, and I explain that the file was encrypted with a one-time pad, and here is the key, and I provide him F. He xor's F and E to find S, the safe plaintext, and I am protected. This is all well and fine, but it depends on successfully hiding K, the actual key file. But if you can successfully hide files, it seems to me that you might as well have just hidden D, the dangerous file, in the first place, in whatever hiding place you were going to use for K. Then substitute S, the safe file, for D. This is just the old idea of having two sets of books for a crooked business, one innocent and public and one incriminating but hidden. So I'm not sure the one-time pad idea really helps much since if you can meet the requirements to use it you might as well just hide your data the old-fashioned way. Are there any advantages that I'm overlooking? Hal Finney 74076.1041@compuserve.com -----BEGIN PGP SIGNATURE----- Version: 2.2 iQCVAgUBLCEucqgTA69YIUw3AQFBlAP/ZHeOKs71H2d0HD2vLwupRB/TwzuEy7dD iE91swoYo8FK5a66DAi8f2kmDIqoiPai+jieI/506zWFuHJRiCW7PLs6v8ga4Aj6 WglBJ1ksOlY74X6qrlykw3kXMjX6x8t7lbp+e6R7Fy67n6gUSGaRozyniv3JusrY c7wXxxh9rvs= =AAV7 -----END PGP SIGNATURE-----