470
March 2, 2013

TrueCrypt's Plausible Deniability is Theoretically Useless

When analyzed with game theory, it turns out that TrueCrypt's plausible deniability feature, which lets you hide a second encrypted volume inside the "outer" or normal volume, is useless.

Okay, that's a bit of an exaggeration, but let me explain.

Consider the following situation: You are a dissident under an oppressive government, and you want to encrypt your plans to overthrow the government. You are pretty sure that you will eventually get caught and your government will force you, by torture, to disclose your password. Suppose you decide to use TrueCrypt, and you're wondering whether or not to have a hidden volume.

The government will face a different choice when they catch you. Knowing that TrueCrypt has a hidden volume feature, they have to decide whether or not to continue torturing you (possibly until you die) after you reveal the normal volume's password (and you WILL reveal the password; if you don't believe me, read the ending of Nineteen Eighty Four).

When we write down all combinations of these decisions, we get something like this:

No Hidden VolumeHidden Volume
Stop Torturing Y: -10, G: 9 Y: 10, G: -10
Keep Torturing Y: -100, G: 10 Y: -50, G: 10

This table assigns a number to your (Y) "reward" and the government's (G) reward for all of the possible decisions:

It's important to note that the actual number's don't really matter here. All that matters is their ordering (greater than or less than). Using numbers is just a convenient way of expressing relative goodness/badness.

Now here's the interesting part. It is a strictly dominant strategy for you to use a hidden volume, and it's a strictly dominant strategy for the government to keep torturing you.

What is a strictly dominant strategy? It's a strategy that is optimal no matter what the other player does. For every move the other player can make, it is best for you to go with the strictly dominant strategy. You might be familiar with this concept from the prisoner's dilemma, where the strictly dominant strategy for both players in that game is to rat each other out.

To see why it's a strictly dominant strategy to use a hidden volume, consider both moves the government can make. If the government stops torturing you, then you get a reward of 10 for having a hidden volume and a reward of -10 for not having one. So if the government stops torturing you, it's best if you have a hidden volume. Likewise if the government keeps torturing you, you can either have a reward of -100 (no hidden) or of -50 (hidden). In both cases, no matter what the government chooses to do, it's best if you have a hidden volume.

It's also a strictly dominant strategy for the government to keep torturing you. If you're not using a hidden volume, they can get a reward of 9 (stop torturing) or 10 (keep torturing), so in that case, it's best to keep torturing. Similarly if you are using a hidden volume, they can get a reward of -10 (stop torturing) or 10 (keep torturing), so it's best to keep torturing in that case too. So no matter if you're using a hidden volume or not, the government gets the highest reward by continuing to torture you.

So if you and the government are both rational and self-interested, then you are going to use a hidden volume, and the government is going to keep torturing you.

So, at least in this situation (which arguably is why the feature exists), TrueCrypt's plausible deniability doesn't give dissidents any advantage. In fact, it could make things worse for the dissident if they don't know about the feature and end up being tortured for a password that doesn't even exist.

In other scenarios the feature can be useful. If the attacker has limited resources (i.e. can only torture you for 30 minutes), or if you are "innocent until proven guilty" under the law, then it can be advantageous to use a hidden volume. Just don't recommend TrueCrypt to your friends in North Korea, or at least make sure they use a hidden volume.