DISCLAIMER & CITATIONS: J. R. R. Tolkien is dead, but he was the one who wrote LOTR so he gets his credit. Darken Rahl is my idea. Marutukku is a program written by the founder of Wikileaks. This writing is protected under Fair Use. Don't like it? TOO BAD, IT'S THE LAW!

The following was posted onto a Cipherspace Board as the Marutukku Field Test was in progress.

Post by WAR10CK:
Marutukku (our rubber-hose proof file system) addresses most of these technical issues, but I'd like to just comment on the best strategy game-theory wise, for the person wielding the "rubber-hose".

In Marutukku the number of encrypted aspects (deniable "virtual" partitions) defaults to 16 (although it is theoretically unlimited). As soon as you have over 4 pass-phrases, the excuse "I can't recall" or "there's nothing else there" starts to sound highly plausible.

Ordinarily the best strategy for the Orcs is to keep on torturing keys out of Legolas indefinitely till there are no keys left. However, and importantly, in Marutukku, Legolas can never prove that he has handed over the last key. As Legolas hands over more and more keys, the Orcs can make observations like "the keys the elf has divulged correspond to 85% of the bits". However, at no point can the Orcs prove that the remaining 15% don't simply pertain to unallocated space, and at no point can Legolas, even if he wants to, divulge keys to 100% of the bits, in order to bring the un-divulged portion down to 0%. An obvious point to make here is that fraction-of-total-data divulged is essentially meaningless, and both parties know it - the launch code aspect may only take up .01% of the total bit-space.

What I find interesting is how this constraint on Legolas' behavior actually protects him from revealing his own keys, because each party, at the outset, can make the following observations:

Orcs: We will never be able to show that the elf has revealed the last of his keys. Further, even if the elf has co-operated fully and has revealed all of his keys, he will not be able to prove it. Therefore, we must assume at every stage that the elf has kept secret information from us, and continue to torture him, even though he may have revealed the last of his keys. But the whole time we will wonder if it is any use continuing the torture, because the elf may have co-operated fully. The elf will have realized this though, and so presumably it's going to be very hard to get keys out of him at all.

Legolas: (Having realised the above) I can never prove that I have revealed the last of my keys. In the end I'm bound for continued torture, even if I can buy brief respites by coughing up keys from time to time. Therefore, it would be foolish to divulge my most sensitive keys, because (a) I'll be that much closer to the stage where I have nothing left to divulge at all (it's interesting to note that this seemingly illogical, yet entirely valid argument of Legolas' can protect the most sensitive of Legolas' keys the "whole way through", like a form of mathematical induction), and (b) the taste of truly secret information will only serve to make the Orcs come to the view that there is even higher quality information yet to come, re-doubling their torturing efforts to get at it, even if I have revealed all. Therefore, my best strategy would be to (a) reveal no keys at all or (b) depending on the nature of the torturers, and the psychology of the situation, very slowly reveal my "duress" and other low-sensitivity keys.

Legolas certainly isn't in for a very nice time (although he's far more likely to protect his data).

On the individual level, you would have to question whether you might want to be able to prove that, yes, in fact you really have surrendered the last remaining key, at the cost of a far greater likelihood that you will.

It really depends on the nature of your opponents. Are they intelligent enough to understand the deniable aspect of the cryptosystem and come up with the above strategy? Determined to the extent that they are willing to invest the time and effort in wresting the last key out of you? Ruthless - do they say "Please", hand you an order, or is it more of a Black Pits affair?
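A toy model of the "85% of the bits" observation in the post above, added here as an illustration; it is not part of the original posts and not Marutukku's code. The block layout, the `MAGIC` marker, the HMAC-based pad, the passphrases and the block counts are all constructed assumptions.

```python
import hashlib, hmac, os, random

BLOCK = 32                    # bytes per block (toy size)
MAGIC = b"ASPECT\x00\x00"     # constructed marker a key holder uses to recognise its blocks

def derive_key(passphrase):
    # Toy KDF parameters; salt and iteration count are assumptions.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), b"toy-salt", 1000)

def pad(key, index):
    # Per-block pad from HMAC-SHA256 used as a PRF (stand-in for a real cipher).
    return hmac.new(key, index.to_bytes(8, "big"), hashlib.sha256).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def build_volume(n_blocks, aspects, seed=1):
    """aspects maps passphrase -> block count; all other blocks stay random fill."""
    volume = [os.urandom(BLOCK) for _ in range(n_blocks)]
    free = list(range(n_blocks))
    random.Random(seed).shuffle(free)      # scatter aspects across the volume
    for passphrase, count in aspects.items():
        key = derive_key(passphrase)
        for _ in range(count):
            i = free.pop()
            plaintext = MAGIC + os.urandom(BLOCK - len(MAGIC))
            volume[i] = xor(plaintext, pad(key, i))
    return volume

def blocks_opened(volume, passphrases):
    """Block indices an observer can attribute to the surrendered passphrases."""
    opened = set()
    for key in map(derive_key, passphrases):
        opened |= {i for i, blk in enumerate(volume)
                   if xor(blk, pad(key, i)).startswith(MAGIC)}
    return opened

def demo(n=10_000):
    # Two volumes: one with a one-block hidden aspect (.01%), one without.
    with_hidden = build_volume(n, {"duress": 6000, "notes": 2500, "launch": 1})
    without = build_volume(n, {"duress": 6000, "notes": 2500})
    given = ["duress", "notes"]
    return {
        "seen_with_hidden": len(blocks_opened(with_hidden, given)) / n,
        "seen_without": len(blocks_opened(without, given)) / n,
        "all_keys": len(blocks_opened(with_hidden, given + ["launch"])) / n,
    }

if __name__ == "__main__":
    print(demo())
```

Both volumes show the same coverage to an observer holding two passphrases, and surrendering every passphrase still leaves the coverage short of 100%.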

Post by ELFhash:
But there's more to the story.

Organizations and groups may have quite different strategic goals in terms of key retention vs torture relief to the individuals that comprise them, even if their views are otherwise co-aligned. A simple democratic union of two or more people will exhibit this behavior.

When a member of a group who uses conventional cryptography to protect group secrets is tortured, they have two choices: (1) defecting (by divulging keys) in order to save themselves, at the cost of selling the other individuals in the group down the river, or (2) staying loyal, protecting the group and in the process subjugating themselves to continued torture.

With Rubberhose-style deniable cryptography, the benefits to a group member from choosing tactic 1 (defection) are subdued, because they will never be able to convince their interrogators that they have defected. Rational individuals that are "otherwise loyal" to the group will realize the minimal gains to be made in choosing defection and choose tactic 2 (loyalty) instead.

Presumably most people in the group do not want to be forced to give up their ability to choose defection. On the other hand, no one in the group wants anyone (other than themselves) in the group to be given the option of defecting against the group (and thus the person making the observation). Provided no individual is certain* they are to be tortured, every individual will support the adoption of a group-wide Rubberhose-style cryptographically deniable crypto-system. This property is communicative, while the individual's desire to be able to choose defection is not. The former every group member wants for every other group member, but not themselves. The latter each group member wants only for themself.

* "certain" is a little misleading. Each individual has a threshold which is not only proportional to the perceived likelihood of being tortured over one's dislike of it, but also includes the number of individuals in the group, the damage caused by a typical defection to the other members of the group, etc.