
Security: MerlijnWajer/rubberhose



1) On the appearance of randomness

Rubberhose places extreme demands on random number generators and
ciphers. It is not enough for a generated stream to be merely
irreversible. There must be no computationally feasible way to
detect ANY (statistically significant) correlation between values
in the stream.

1.1) hash streams

As an example of a pseudo random number stream that does not fall
within these expectations, consider a stream generated by a
theoretically provably secure hash cipher, seeded with a true random
number, where successive elements are generated by:

	s_n = h(s_{n-1})

This stream can be trivially shown to be the product of a
particular hash cipher by performing the above calculation on the
suspected stream and comparing the result with s_n.

An example of a stream that is acceptable, given a strong hash cipher,
is:

	e_1 = h(true_random())
	e_n = h(e_{n-1}), where e is kept as private state
	s_n = h(e_n)

1.2) symmetric ciphers

When non random data is encrypted with a theoretically perfect symmetric
cipher the result can, depending on mode, be trivially detected as the
result of a suspected cipher rather than a stochastic process.

1.2.1) ECB

In ECB non-randomness can be detected simply by looking for identical
ciphertext blocks with a prevalence greater than normal variation of
the birthday paradox would otherwise lead one to expect. 

1.2.2) CBC

In a worst case scenario, uniform plaintext is being encrypted
(e.g. all zeros), where

	E is a family of encryption functions
	E_k is an individual within that family

	c_n = E_k(c_{n-1}) of c_n bits
	c_n is a ciphertext block

if c_n is l bits wide, then E_k(c_n) is a transform

	l -> l'

Since only c_{n-1} is variable, it fully predicts the output
of E_k. 

If ever a ciphertext block appears more than once, there is a
cycle. Assuming an E_k that rarely produces cycles, this will occur on
average in 2^(l/2) blocks. Detection of the cycle shows that the
stream is not truly random, provided such detection is likely to be
more frequent than chance. It is possible that cycles will occur much
sooner. For example in some block ciphers, encrypting twice is the
same as decrypting once. For such ciphers, the amount of repeating
plaintext required to set off a cycle can be as low as three blocks.

1.3) Proof of the resistance of certain ciphers and ciphertexts

Non-lossy, n->n bit ciphers are completely resistant to random/non-random
discrimination when the plaintext is truly random:

	There exists a function f (encryption), which when applied to a
	truly random sequence of bits of length n,
	produces another sequence of length n, i.e.

		c = f(p) where len(c) <=> len(p) <=> n

	There also exists an inverse function f'
	(decryption), such that

		p = f'(c)

	Suppose c can be shown to be the result of some
	unspecified non-stochastic process. This fact can be
	expressed in no less than one bit of information,
	which must come at the expense of other information
	already in c. However as p is incompressible and
	fully recoverable from c via f' this is impossible.

2) On the application of symmetry

The fundamental basis under which rubberhose aspects are kept deniable
is the application of symmetry `that which I do to myself is
indistinguishable from that which you do to me'. The application of
this principle is likewise symmetric `that which I do to you is
indistinguishable from that which you do to yourself'. It is
impossible to overestimate the importance of this principle. It is the
essence of rubberhose deniability. All other conclusions flow from it.
