The one-time-pad (OTP) cryptosystem may take many forms. In its best known form, OTP uses a large non-repeating set of truly random key letters, written on sheets of paper and then glued together in a pad. The sender uses each key letter on the pad to encrypt exactly one plaintext (i.e., non-encrypted) character. The receiver of the message has an identical pad and uses in turn each key on the pad to decrypt each letter of the cyphertext (i.e., the encrypted message). The sender destroys the pad after encrypting the message, and the receiver destroys the pad after decrypting the message.
The OTP approach may be adapted to encrypt digital messages. In such an application, a random string of bits having a length equal to the length of a digital message are used to encrypt the digital message before the message is transmitted. FIG. 1 depicts a block diagram that illustrates operation of an OTP cryptosystem for transmitting digital messages in encrypted form. FIG. 2 is a flowchart that illustrates the steps that are performed in such an OTP cryptosystem. First, a sender 10 (i.e., a party that wishes to send an encrypted message) generates random bits for an encryption key 14 (step 22 in FIG. 2). The number of bits in the key equals the number of bits in the message that is to be encrypted. The random bits of the key 14 are then transmitted over a secure channel 16, that is presumed to be secure against eavesdroppers, to a receiver 12 (step 24 in FIG. 2). The sender 10 encrypts the message by exclusive ORing (XORing) the random bits of the key 14 with the message to produce cyphertext 18 (step 26 in FIG. 2). The cyphertext 18 is then transmitted over a publicly accessible channel 20 from the sender 10 to the receiver 12 (step 28 in FIG. 2). The receiver 12 has already received the random bits of the key 14 and uses the key to decipher (i.e., undo the XOR operation) the cyphertext (step 30 in FIG. 2).
There may be some circumstances under which it is necessary for communicating parties to be able to hide not only the contents of a message (such as by encryption of the message) but also evidence that a message was transmitted. Techniques for hiding messages are known as stegonographic methods. FIG. 3 is a flowchart that illustrates the steps that are performed in one popular, conventional stegonographic technique. First, a message is encrypted (step 32 in FIG. 3). The bits of the encrypted message are then distributed among the least significant bits of a media file, such as an audio or video file (step 34 in FIG. 3). The media file is transmitted from the sender to the receiver (step 36 in FIG. 3) and the receiver extracts the encrypted message from the media file (step 38 in FIG. 3). The receiver has knowledge of how the encrypted message is distributed amongst the least significant bits of the media file. The receiver also has knowledge of a key that may be used to decrypt the message and uses this key to decrypt the message (step 40 in FIG. 3).
One limitation of this and other conventional stegonographic techniques is that a party may be subject to coercion. For example, if an adversary learns that a message has been stegonographically hidden in a transmission, the party may be able to extract the encrypted message and apply duress to one of the parties who knows the decryption key to produce the unencrypted message. The party under duress is unable to mislead the adversary with incorrect information because the adversary can determine the validity of the purported key, simply by attempting to decrypt the message. If the resulting product is nonsense, the adversary knows that the key was not a proper one.