OTP dual decryption

[nobody at eli-remailer]

-----BEGIN PGP SIGNED MESSAGE-----

Using a one-time pad for dual decryption might work like this.

I have a file, D (for Dangerous), which I want to conceal.  I construct
a random file of the same length, K (for Key), which will be my "encryption
key".  I xor K and D to produce E (for Encrypted), the encrypted file.  I
delete D and hide K somewhere.

Now, in case an intruder steals E and coerces a decryption out of me, I
prepare S (for Safe), a file containing some safe plaintext.  I xor
S and E to produce F (for Fake), the fake key file I will be able to
present.  I destroy S and hide F somewhere, but perhaps not as securely as
I hid K.

Now, if the intruder comes, he finds E, the encrypted file.  He demands
the key, and I explain that the file was encrypted with a one-time pad,
and here is the key, and I provide him F.  He xor's F and E to find
S, the safe plaintext, and I am protected.

This is all well and fine, but it depends on successfully hiding K, the
actual key file.  But if you can successfully hide files, it seems to me
that you might as well have just hidden D, the dangerous file, in the
first place, in whatever hiding place you were going to use for K.  Then
substitute S, the safe file, for D.  This is just the old idea of
having two sets of books for a crooked business, one innocent and public
and one incriminating but hidden.

So I'm not sure the one-time pad idea really helps much since if you can
meet the requirements to use it you might as well just hide your data the
old-fashioned way.  Are there any advantages that I'm overlooking?

Hal Finney
74076.1041 at compuserve.com

-----BEGIN PGP SIGNATURE-----
Version: 2.2

iQCVAgUBLCEucqgTA69YIUw3AQFBlAP/ZHeOKs71H2d0HD2vLwupRB/TwzuEy7dD
iE91swoYo8FK5a66DAi8f2kmDIqoiPai+jieI/506zWFuHJRiCW7PLs6v8ga4Aj6
WglBJ1ksOlY74X6qrlykw3kXMjX6x8t7lbp+e6R7Fy67n6gUSGaRozyniv3JusrY
c7wXxxh9rvs=
=AAV7
-----END PGP SIGNATURE-----