1) On the appearance of randomness Rubberhose places extreme demands on random number generators and ciphers. It is not enough for a generated stream to be merely irreversible. There must be no computationally feasible way to detect ANY (statistically significant) correlation between values in the stream. 1.1) hash streams As an example of a pseudo random number stream that does not fall within these expectations, consider a stream generated by a theoretically provably secure hash cipher, seeded with a true random number, where successive elements are generated by: s_n = h(s_{n-1}) This stream can be trivially shown to be the product of a particular hash cipher by performing the above calculation on the suspected stream, and comparing e_n. An example of a stream that is acceptable, given a strong hash cipher, consider: e_1 = h(true_random()) e_n = h(e_{n-1} where e is kept as private state s_n = h(e_n} 1.2) symmetric ciphers When non random data is encrypted with a theoretically perfect symmetric cipher the result can, depending on mode, be trivially detected as the result of a suspected cipher rather than a stochastic process. 1.2.1) ECB In ECB non-randomness can be detected simply by looking for identical ciphertext blocks with a prevalence greater than normal variation of the birthday paradox would otherwise lead one to expect. 1.2.2) CBC In a worst case scenario, uniform plaintext is being encrypted (e.g all zeros), where E is a family of encryption functions E_k is an individual within that family then c_n = E_k(c_{n-1}) of c_n bits where c_n is a ciphertext block if c_n is l bits wide, then E_k(c_n) is a transform l -> l' Since only c_{n-1} is variable, it fully predicts the output of E_k. If ever a cipher text block appears more than once, there is a cycle. Assuming an E_k that rarely produces cycles, this will occur on average in 2^(l/2) blocks. Detection of the cycle shows that the stream is not truly random, provided such detection is likely to be more frequent than chance. It is possible that cycles will occur much sooner. For example in some block ciphers, encrypting twice is the same as decrypting once. For such ciphers, the amount of repeating plaintext required to set off a cycle can be as low as three blocks. 1.3) Proof of the resistance of certain ciphers and ciphertexts Non-lossy, n->n bit ciphers, are completely resistant to random/non-random discrimination when the plaintext is truly random: There exists a function f (encryption), which when applied to a truly random sequence of bits of length n, produces another sequence of length n. i.e c = f(p) where len(c) <=> len(p) <=> n There also exists an inverse function f' (decryption), such that p = f'(c) Suppose c can be shown to be the result of some unspecified non-stochastic process. This fact can be expressed in no less than one bit of information, which must come at the expense of other information already in c. However as p is incompressible and fully recoverable from c via f' this is impossible. 2) On the application of symmetry The fundamental basis under which rubberhose aspects are kept deniable is the application of symmetry `that which I do to myself is indistinguishable from that which you do to me'. The application of this principle is likewise symmetric `that which I do to you is indistinguishable from that which you do to yourself'. It is impossible to overestimate the importance of this principle. It is the essence of rubberhose deniability. All other conclusions flow from it.