How are spoof decryptions prevented?

Denis.Russell@ncl.ac.uk Denis.Russell at ncl.ac.uk
Tue, 3 Aug 1999 10:19:59 +0100


At 5:35 pm +0100 2/8/99, Tom.A.Parker@icl.com wrote:
>This may seem unduly simple-minded, but in a situation where enforcement to
>provide clear text is imposed upon me, how would the LEA know that I did the
>decryption truly, rather than substitute some censored alternative?
>...
>Or is this a reason (not the only one, clearly!) why there is the option to
>get the decryption key itself?
...

Well, since for any arbitrary bag of bits C you can produce *any* second
arbitrary set of bits P by "xoring" it with a third set of bits K (where
all of these sets of bits are of the same length, and K is trivial to
derive from C and P) it is trivial to "comply" with any request for both
the supposed plaintext and key corresponding to a suspect message. All you
do is decide whatever plaintext P that you wish to produce, and then
generate the corresponding key K, call it "a one time pad" and hand it over.

I suspect this may not suffice. :-)

	Denis.
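The point above seen from the verifier's side, as an added example that is not part of the original message: a fabricated "one-time pad" K = C xor P passes a bare XOR consistency check, but fails once the check is bound to the algorithm that actually produced the ciphertext. The toy SHA-256 counter-mode cipher, the sample key and messages, and all function names are constructed for illustration, and the second check assumes the verifier knows which cipher was used.

```python
import hashlib

def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("XOR operands must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))

def keystream(key: bytes, n: int) -> bytes:
    """Toy stream cipher keystream (SHA-256 in counter mode); illustration only."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:n]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    return xor(plaintext, keystream(key, len(plaintext)))

def fabricate_pad(ciphertext: bytes, cover: bytes) -> bytes:
    """K = C xor P for a chosen P; P is space-padded to the length of C."""
    if len(cover) > len(ciphertext):
        raise ValueError("cover text cannot be longer than the ciphertext")
    return xor(ciphertext, cover.ljust(len(ciphertext)))

def check_as_one_time_pad(c: bytes, pad: bytes, claimed_p: bytes) -> bool:
    """Weak check: only asks whether C xor K equals the claimed plaintext."""
    return len(pad) == len(c) and xor(c, pad) == claimed_p

def check_against_cipher(c: bytes, key: bytes, claimed_p: bytes) -> bool:
    """Bound check: the disclosed key must reproduce C under the known cipher."""
    return encrypt(key, claimed_p) == c

# Constructed sample data.
REAL_KEY = b"constructed-key-0001"
REAL_P = b"meet at the north gate at nine"
C = encrypt(REAL_KEY, REAL_P)
COVER = b"shopping list: eggs, milk".ljust(len(C))
FAKE_PAD = fabricate_pad(C, COVER)

def demo() -> dict:
    return {
        "fake pad passes OTP check": check_as_one_time_pad(C, FAKE_PAD, COVER),
        "real key passes bound check": check_against_cipher(C, REAL_KEY, REAL_P),
        "fake pad passes bound check": check_against_cipher(C, FAKE_PAD, COVER),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```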