> With plausible deniability scenario, you could have encrypted two wallets, one that you afford to lose. You can give it up and it's possible the attacker will be satisfied and you can keep the wallet that you care about.

The observation here is that there's a _very_ narrow slice of adversaries that satisfy the following constraints:

1. Are willing to force you to hand over private key material;

2. Are ignorant to the underlying thing they're looking for;

3. Are ignorant to the fact that your choice of encryption scheme allows for plausible deniability.

This model assumes all 3, when in reality almost any adversary that satisfies (1) is not going to satisfy (2) or (3) -- they almost always have a sense of what they're looking for (i.e., they know the wallet isn't empty or they wouldn't waste their time on you) and, given that, they aren't going to be fooled by a scheme that explicitly supports plausible deniability.

We can always contrive exceptions, of course. But part of secure design and threat modeling is having a reasonable conception of your adversary.

You are moving the goal posts. I didn't say the second wallet is empty, but such that you can afford to lose.

For instance you could have one wallet with £10m on it an another with £1.5m. You could certainly convince adversary that they got bad intel and £1.5m is what you have. It's better to lose £1.5m than £11.5m.

There are other scenarios like journalist taking compromising photos. They could have two sets of photos - one with key photo missing and another with key photo in the set. When questioned by adversary they could claim they have missed and didn't take the photo and show the set as evidence.

Someone in abusive relationship planning on leaving the partner. They could have a folder with properties they are interested in without the property they are actually going to rent. When caught they could convince the partner that they were just looking, but have not committed to anything.

If you are not in these kind of situations, sure this additional layer may not be to your interest and frankly you wouldn't have to use it! But for many people lack of such feature is a deal breaker.

The "empty wallet" isn't an operative part of the argument. The argument is that all three properties need to hold; this is true even in the 11.5m example.

Each of the scenarios above fails test (3). The most compelling of them is the abusive relationship one, since we can reasonably imagine a non-sophisticated adversary in that setting. But even then, you're relying on conflicting terms: what kind of abusive partner is sufficiently irrational to be abusive but also sufficiently rational to believe a cryptographic proof? Or, put another way: overwhelming evidence has not historically been a strong defense against abuse.

You are moving goal posts again.

Sorry my friend, but you are not discussing this in good faith.

I don't think I am, but I'm sorry that this hasn't been a productive conversation.

You are, his explanations are clear and logical. Yours are touching mysticism.

Plausible deniability works, in the real world, today. There's nothing contrived about it.